write command during the test has failed to complete. this may be due to a memory....

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by TekNoGeek, Oct 11, 2012.

  1. TekNoGeek

    TekNoGeek Private E-2

After Googling for freeware to back up a Blu-ray DVD, the web site I went to nailed me. I started getting the following message in multiple message boxes:

    "A write command during the test has failed to complete. This may be due to a memory reference to an invalid system memory address. It is highly recommended to run a complete hard drive scan to prevent loss of personal files."

I recognized this type of message format as some kind of virus/malware and disconnected from the web site. When I rebooted my PC, all of my DeskTop icons were gone, there were no entries under the Start->All Programs Menu and the above message boxes began to display again. Then the PC automatically rebooted.

    I also get a popup in the system tray that I need to activate Windows because a lot of my hardware has changed since last activation. It has been activated for years and it is current on my Authentication/Genuine Advantage. There have been NO hardware changes made in years, so I know that this is a bogus (virus) msg.

    Since my PC was unstable in normal mode, I rebooted into safe mode. After launching Explorer (from Start->Run), I found that all of my directories and files were flagged as Hidden. So I used the DOS command Attrib *.* -H /s/d to unhide everything. So now I had all of my icons back. No files were apparently deleted. I then reviewed the Windows registry and found the SOB program listed in the RUN key:
    HKLM->Software->Microsoft->Windows->CurrentVersion->Run
    I did not delete it, but the below downloaded software took care of it.

    From my other PC, I googled the above err message and found your web site. Here's what I've done, per your site's guidance on the infected PC (in safe mode):
    #1. Download:
    ... (a) RogueKiller - to desktop
    ... (b) Malwarebytes - to C:\_Malwarebytes\
    ... (c) TDSSKiller - to desktop
    ... (d) HitmanPro - to desktop
    ... (e) MGtools - to C:\

    #2. Run the program:
... (a) RogueKiller - from the desktop. I did not fix anything, per your instructions.
    ... (b) Malwarebytes - following your instructions.
    ... (c) TDSSKiller - does not launch. Tried several times.
    ... (d) HitmanPro - from desktop following your instructions.
    ... (e) MGtools - from C:\

    #3. Logs attached: (contained in uploaded ZIP file)
    ... (a) RogueKiller - RKreport[1].txt
    ... (b) Malwarebytes - mbam-log-2012-10-09 (09-47-05).txt
    ... (c) TDSSKiller - No Log. Pgm did not launch.
    ... (d) HitmanPro - HitmanPro_20121009_1132.log
    ... (e) MGtools - MGlogs.zip
    ... (f) HiJackThis - hijackthis 2012-10-11 @ 1130am.log


    Subsequently I've run the following:
    #4. I then ran my Symantec AV client software. It found 5 trojans in the RECYCLER directory:
    ... (a) Trojan.Zeroaccess.B - Removal declared as "Partial"
    ... (b) Trojan.Zeroaccess.C (2 occurrences) - Removal declared as "Cleaned by deletion"
    ... (c) Trojan.Gen - Removal declared as "Quarantined"
    ... (d) Trojan.Gen.2 - Removal declared as "Quarantined"
    However, when I re-ran an AV scan on just the RECYCLER folder, I got the same results again.

#5. I then ran MSFT Malicious Software Removal Tool. It found 0 problems.

    #6. I then ran HiJackThis and have attached its log. There are some entries in here that to me are a red flag on the track!:
    ... (a) RUNNING PROCESS: C:\Documents and Settings\HowardM\amsgujxeivwjhcfjjoxlbceph.exe
    ... (b) There are also some BHO Java entries that look suspicious to me.
    I also confirmed that Item (a) is currently running as a Process under Windows Task Manager (and I'm running in Safe Mode).
    ... (c) I also noticed 2 suspicious files in C:\Documents and Settings\HowardM
    ...... #1 amsgujxeivwjhcfjjoxlbceph.exe
    ......... (a) which showed up in HiJackThis
    ......... (b) which also currently resides in C:\Windows\System32
    ...... #2 gbitpbfbosoe.exe This file name did not show up in any of your logs.
    However, I found it in my registry under the following keys:
    ...HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Control\Session Manager
    ...... Name: PendingFileRenameOperations
    ...... Type: REG_MULTI_SZ
    ...... Data: \??\C:\Documents and Settings\HowardM\gbitpbfbosoe.exe
    It was also found under: ControlSet001
I'll wait until I hear from you on how to proceed.

    TMI?

All of my logs are contained in the uploaded ZIP file.
    After reviewing my logs, please let me know how to proceed.

    Thanks for the assist.
     
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Re: write command during the test has failed to complete. this may be due to a memory

    None of the requested logs attached I'm afraid.
     
  3. TekNoGeek

    TekNoGeek Private E-2

    I probably forgot to click the upload button after I browsed for the ZIP file. I'll try it again.

    Attached should be file
    ====> MajorGeeks_Upload_Logs.zip
    This ZIP file should contain the following logs:
    ... (a) RogueKiller - RKreport[1].txt
    ... (b) Malwarebytes - mbam-log-2012-10-09 (09-47-05).txt
    ... (c) TDSSKiller - No Log. Pgm did not launch.
    ... (d) HitmanPro - HitmanPro_20121009_1132.log
    ... (e) MGtools - MGlogs.zip
    ... (f) HiJackThis - hijackthis 2012-10-11 @ 1130am.log
     


  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I want you to run TDSSKiller so refer to the below for how to do so.

    TDSSkiller - How to run


    Please also download MBRCheck to your desktop
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
     
  5. TekNoGeek

    TekNoGeek Private E-2

I am currently running in safe mode because of the virus/viruses. I am afraid to start up in normal mode. The PC has been on for a couple of days now, rather than restart and possibly propagate the virus further, particularly since I have a boot sector virus too. (I ran an MBRCheck yesterday, just to see.)

    TDSSKiller does not launch.

    But if you would like me to startup in normal mode & try to run TDSSKiller from there, I will.

    I just reran the MBRCheck from a DOS prompt and have attached a screen image print for you. Both my C: & D: have a boot sector virus.

    Thanks for the assist.

    P.S.

Although I unhid all of my files, almost all of the program links are gone in the Start->Programs listings. However, I found them safely tucked away in the directory
    • C:\Temp\SMPT\1\ and in
    • C:\Temp\SMPT\2\

    I've not returned them to their proper location yet. I'm waiting to resolve the virus issue first.
     


  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

You got an MBR infection. Do you have your XP boot CD?
     
  7. TekNoGeek

    TekNoGeek Private E-2

    Yes I do.

    I'm running Win-XP @ SP3.

    I have 2 CDs:
    1. XP-SP2
    2. Slipstream XP-SP3
    U pick.

    Will the XP CD also fix the bootsector virus on the D: drive as well?

    Tx.
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Use the XP SP2 CD.

    You need to use your Windows XP CD to boot to the Recovery Console and run the fixmbr to clear a Master Boot Record infection that you have.

    You can read the below to help you do this:

    http://support.microsoft.com/kb/307654


    After running the fixmbr command then boot back to normal mode Windows and try running MBRCheck again now. Then attach the log. Also explain if you are still having any malware problems.
     
  9. TekNoGeek

    TekNoGeek Private E-2

    1. I ran FIXMBR from the recovery console
    2. Booted into "normal mode" and ran MBRcheck. Boot virus still there.
    3. Launching IE to MG's web site spawned a new browser instance to AMAZON.COM
    4. After approx 2 minutes, PC rebooted itself.
The PC's network card activity light was blinking like it was on steroids. Apparently my PC is being used as a zombie spammer, as recent e-mail has bounced back as undeliverable because it was blocked using zen.spamhaus.org.

Rebooted into safe mode. Boot sector virus is back. So some things obviously didn't get deleted from running the recommended pgms.

    Ran your programs again. It deleted some things. Network card activity light now stable.

But I still have some undesirable/virus files hanging around. See the logs.

The following logs/files are contained in the uploaded ZIP file:
    1. HitmanPro_20121013_2108.log
    2. mbam-log-2012-10-13 (19-09-06).txt
    3. MBRcheck Screen Shot 2012-10-13 @ 1833.JPG (After repair & boot to normal mode)
    4. MBRCheck_10.13.12_18.33.14.txt (After repair & boot to normal mode)
    5. MGlogs 2012-10-13 @ 2158.zip
    6. RKreport[2].txt
    What now sayest thou?

    Tx.
     


  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    When you run Hitman what option does it give you with this entry?

    • Win32/Bootkit

You can have it delete everything else that it finds too, but let me know about that one entry.

    Yes there's more to do but we'll deal with this bit first.
     
  11. TekNoGeek

    TekNoGeek Private E-2

[Sorry it took so long for me to get back to you. I've been doing a lot of research. I'm sure you appreciated your time away from me as there are sooo many others also clamoring for help.]

I don't see that entry Win32/Bootkit anywhere. Am I overlooking something? Where/when should I expect to see it?

    That FAKED mbr just won't go away & the MSFT CDs don't fix it! (My MSFT CDs are originals issued by MSFT.)

    ====================================
    MY ACTIVITY NOTES - SUNDAY 2012-10-14
    ====================================

    I am currently running in safe mode. PC was left on since yesterday.

I mentioned previously that my network card activity light was no longer on steroids. Well, I left the PC connected to the internet, and when I returned to the PC a few hours later, the light was back on steroids. So I disconnected the data cable.

    Ran HitmanPro
--->select action Delete C:\WINDOWS\msisear.exe. (This file is not found on my good PC.)

    REGEDIT - (search for MSISEAR)
    ...Find #1 in key: HKLM\Software\msisear.exe
    ......string value = GUID,
    ......Value Data = 30a7b26e5b432934b5192a6f4fcd7ebd
    ...Find #2 in key: HKLM\System\ControlSet003\Services\W32serv (msisear & w32serv not found in registry on good PC.)
    ...the above Data Value 30a7b... was not found anywhere else in registry.

    DID NOT YET REBOOT.
    found these two highly suspicious files still hanging around:
    [1] \%profile%\foculnyzisyadbilqbv.exe
    [2] \%profile%\wqeknfettfdildk.exe
    Renamed them to XX_(filename)
    (FYI: Symantec AV Corp Edition does not yet recognize these as a virus.)

    REGEDIT (Search for above 2 base file names):
    File [1] was not found in the registry
    File [2] was found in:
    ...HKLM\System\ControlSet001\Control\Session Manager
    .....String Value = PendingFileRenameOperations
    .....Type = REG_MULTI_SZ
    .....Value Data = \??\C:\Documents and Settings\HowardM\wqeknfettfdildk.exe
    So I Blanked out the Value Data and created:
    .....String Value XX_PendingFileRenameOperations
    .....with the original Value Data,
    Did this for documentation purposes.
    REGEDIT then automatically created a dup of my new string (XX_...) under
    ...HKLM\System\ControlSet\Control\Session Manager
No more occurrences of the base file name found in the registry.

    I renamed the file
    ...C:\WINDOWS\TEMP\Temp36.exe to XX_Temp36.exe
This file was not found by the current malware scans but still exists. File is not found in the registry. (I had changed my %TEMP% & %TMP% dir to C:\Temp years ago. So if there's anything in the \Windows\Temp dir, it doesn't belong there.)

    Deleted files in C:\Windows\Prefetch

    Confirmed that the virus had not re-created any more funny file names in the same locations.

    Reboot with Windows CD (XP-Pro incl SvcPk2) to run FIXMBR under Recovery Console. Ran it 2X just because...

    Immediately rebooted again with same Windows CD to run FIXMBR under Recovery Console. Reviewed results.

    Boot into Safe Mode W/ Networking to review the situation.
    ...Ran MBRcheck.
    ...Reviewed services running in Task Manager.
    ...Looked for funny file names in previously known locations.
    ...Connected to internet & watched the PC's network activity light. Normal (so far)
    ...Browse to MG web site and observe for any redirection or new browser instances being automatically launched. None.


    Uploaded are the following files for your review:
    [1] MajorGeeks Upload 5 Logs.zip
    Containing the following 5 logs:
    ...[A]HitmanPro_2012-10-14_2048.log
    ...mbam-log-2012-10-14 @ 2012.txt
    ...[C]MGlogs 2012-10-14 @ 2108.zip
    ...[D]RKreport[1] 2012-10-14 @ 2002.txt
    ...[E]MBRCheck_10.15.12_16.22.44.txt

    [2] MSFT WinXP Process Explorer 2012-10-14 @ 2222.JPG
    Interesting... I think there's an extra SVCHOST running that I didn't notice on my good PC in safe mode.


    ====================================
    MY ACTIVITY NOTES - MONDAY 2012-10-15
    ====================================

    Booted into Recovery Console from MSFT's original CD = Win-XP Pro No SvcPk included, since FIXMBR from my MSFT CD w/ SP2 does not fix the faked MBR.
    Ran FIXMBR twice
    Booted into Recovery Console this time using MSFT's original CD = Win-XP Pro SP3
    Ran FIXMBR twice
    Booted into Safe Mode
    Ran MBRCHECK.EXE - Bootsector still FAKED! (SO8, &!%$(* & $hi!)

Booted into Normal Mode - OpSys takes > 10 minutes to almost settle down then automatically reboots itself. Tried this 2X.
    Boot into Safe Mode w/ Networking.
    Ran MBRCHECK.EXE
    Boot sector on both C: & D: still faked!
    :cry
PC's network activity light is back on steroids! :cry So I am either a zombie spammer or they are uploading all of my files to the mother ship. ("mother" is one of two words!)

    This is one VERY STUBBORN MBR virus! What else is in your bag of tricks to try to fix that MBR?

    I eagerly await your wisdom.

    Tx for taking the time to assist. :wave
     
  12. TekNoGeek

    TekNoGeek Private E-2

    Sorry. I again forgot to click the UPLOAD button after browsing for the files. :-o

    They should attach to this msg.
     


  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these 2 detections:

    • [Services][ROGUE ST] HKLM\[...]\ControlSet001\Services\61883 (system32\DRIVERS\61883.sys) -> FOUND
    • [Services][ROGUE ST] HKLM\[...]\ControlSet003\Services\61883 (system32\DRIVERS\61883.sys) -> FOUND

Place a checkmark on each of these items, leave the others unchecked.
    Now press the Delete button.

And the same for the Files/Folders tab.

    • [ZeroAccess][FILE] Desktop.ini : C:\WINDOWS\Assembly\GAC\Desktop.ini --> FOUND
    • [ZeroAccess][FILE] n : C:\RECYCLER\S-1-5-18\$741bdcc3d1675d6a3a9286a794e8eda2\n --> FOUND
    • [ZeroAccess][FILE] n : C:\RECYCLER\S-1-5-21-527237240-329068152-682003330-1003\$741bdcc3d1675d6a3a9286a794e8eda2\n --> FOUND
    • [ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-18\$741bdcc3d1675d6a3a9286a794e8eda2\@ --> FOUND
    • [ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-21-527237240-329068152-682003330-1003\$741bdcc3d1675d6a3a9286a794e8eda2\@ --> FOUND
    • [ZeroAccess][FOLDER] U : C:\RECYCLER\S-1-5-18\$741bdcc3d1675d6a3a9286a794e8eda2\U --> FOUND
    • [ZeroAccess][FOLDER] U : C:\RECYCLER\S-1-5-21-527237240-329068152-682003330-1003\$741bdcc3d1675d6a3a9286a794e8eda2\U --> FOUND
    • [ZeroAccess][FOLDER] L : C:\RECYCLER\S-1-5-18\$741bdcc3d1675d6a3a9286a794e8eda2\L --> FOUND
    • [ZeroAccess][FOLDER] L : C:\RECYCLER\S-1-5-21-527237240-329068152-682003330-1003\$741bdcc3d1675d6a3a9286a794e8eda2\L --> FOUND

    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Do not reboot your computer yet.

Reboot the machine and re-run RogueKiller, just a scan, and attach the log.
Same for MBRCheck.
     
  14. TekNoGeek

    TekNoGeek Private E-2

    WOW! Your post was at 6AM. Do you ever sleep, stop to eat, stop to breathe??? :-D

    Thanx for your prompt response to my last post. Really appreciate your devotion. :wave

    RogueKiller
    ...Registry Tab
    ===>Deleted the 2 registry entries
    ...Files Tab
    ===>Deleted the 9 requested entries
......(there were no boxes to check, so I selectively highlighted the requested ones & pressed the DELETE button.)
===>Eyeballs went bonkers with those hex strings!

    Attaching RK log
    ...RKreport 2012-10-16 @ 1155.txt

    PC left on, no reboot yet.

    I was wondering if I sh copy the file 61883.SYS from my good PC to repl the one on the infected PC?

    Here's the file stats on 61883.SYS :
    FILE SIZE: same on both PCs = 48,128 bytes
    MOD DATE: same on both PCs = 4/14/2012
    CREATE DATE: Bad PC = 1/10/2012 Good PC = 12/7/2010

    I was wondering if I sh copy 61883.SYS from my good PC to my infected PC. Cause if it's infected, I'll just be back in the ditch again when I reboot. Or don't viruses infect .SYS files?

    Tx again.
     


  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I shouldn't have included the sys file in my deletion script. I'm sorry. Can it be dequarantined - check the RogueKiller Quarantine folder.

    I want you to run TDSSKiller so refer to the below for how to do so.

    TDSSkiller - How to run


Also I had asked you to re-run MBRCheck again. Do that now, and can you attach that log? :)
    I'm in UK.
     
  16. TekNoGeek

    TekNoGeek Private E-2

    I didn't delete the 61886.SYS file. I had RK delete the registry entry. Is it the registry entry that you want me to undo from the quarantine folder? (See attached file RK Quarantine Folder Screen Image.JPG)

    TDSSKiller does not run on my infected PC in Safe Mode. When the infected PC is brought up in normal mode, the PC will automatically reboot before it finishes initializing. And you requested me not to reboot my infected PC just yet (or so that's what I thought you meant).

    Your instructions here are not very clear.
    First you say to not reboot, then immediately after you say to reboot. That's why I did not reboot after running RK. I assumed you wanted to first review my uploaded info before rebooting. You wanted me to run MBRcheck after rebooting. I don't know that anything was done to fix the MBR so it made no sense to attach a new MBRcheck Log as it is the same as prev. I'm still waiting to reboot. Are you getting me confused with the others that you are assisting? Or am I confused?

    I was waiting for clearer instructions after your review of my last post. Please see attached.

    Unanswered Question:
    I was wondering if I sh copy the file 61883.SYS from my good PC to repl the one on the infected PC? Cause if the file is infected, I'll just be back in the ditch again when I reboot. Or don't viruses infect .SYS files? (See my prev post for file attribute difference between good & infected PC.)

    Files & Thumbnails Attached:
    1. MBRcheck Screen Image 2012-10-16 @ 2230.JPG
    2. MBRCheck_10.16.12_22.28.57.txt
    3. RK Quarantine Folder Screen Image.JPG
     


  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

No, not getting confused with others. I am going to have to have a word with colleagues nevertheless, as I don't know why my instructions in post #8 to have you fix the MBR failed. You could try those steps again whilst I seek advice.
     
  18. TekNoGeek

    TekNoGeek Private E-2

    I appreciate your continuing efforts on this. :)

    I used to be a TechHead :major in my network integration & support services daze (er, days). I retired 5 years ago. In my 15 years of client support, I never had to deal with the MBR. So I'm a bit shy & rusty. That's why I'm here.

    I have a Q. What's the difference in FIXMBR and FIXBOOT in the MSFT recovery console?

    I found on my software shelf a retail copy of Norton Partition Magic v8 which supports XP. Would that help? (It's still in the shrink wrap.)

Is there a reason that you don't use other software in your arsenal to fix the MBR? (I'm thirsty for knowledge.) I'm sure you have good reasons, which is why I've not gone rogue but rather await your support advice. I trust this forum & its staff.

    TX :wave
     
  19. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No problem, we'll get to the bottom of it.
FIXMBR is used to repair the Master Boot Record (MBR) of a hard disk. FIXBOOT is used to repair the boot records of a partition.
    Not sure yet. Let's see what my colleagues say. Also I want to see if Combofix finds anything nasty, so can we try running that?

    Please download Combofix to your desktop. Please refer to these instructions prior to running.

    Attach the log once done.
     
  20. TekNoGeek

    TekNoGeek Private E-2

    Running in Safe Mode I ran Combofix. When I came back an hour later, it had locked up. (Remember, TDSSKiller does not run in safe mode either.) So I had to reboot.

    Since I had to reboot, I used my XP CD to go into the Recovery console and ran FIXMBR.

    Rebooted into Normal Mode and, as before, windows will auto re-boot before everything finished initializing.

Booted back into Safe Mode With Networking. Ran MBRcheck. Boot sector still faked.:cry Connected network cable and after a few minutes, the net card's activity light went bonkers! Disconnected the cable.

    Ran your software again. Logs attached. Everything looks clean except for the MBR (OK, I didn't look at MGT logs).

    I decided to check my Network Connections under Control Panel. When trying to display the Connection Status window, it shows me the Connection Properties window! So that ^%@$ virus got me there too. Will look into that later.

    An additional GOTCHA from that virus is that it corrupted my Windows Firewall by changing/deleting registry entries. It would not launch. So I ran a .REG file from MSFT KB920074. That got the Windows Firewall operational, but I lost all of my settings (like for my HP scanner). I was able to copy the needed registry entries from my good PC to the problem PC. So the firewall settings now match that of my good PC. However, when I click on the firewall's Advance tab, I get "The network connection settings have become corrupted..." I found a download from another support forum that fixed this for another user. I will try that tomorrow. My brain has now turned to mush. :zzz

    Just wanted to give you an update.

    A couple of Q's for you please...
    1. Why do you choose to not use the option in MBRCHECK or RogueKiller to repair the MBR? I'm sure you have your tried & true reasons. Just curious.
2. I'm sure you noticed in the Hitman log that there's a hook in the ATAPI.SYS. Is that where the virus is hiding? I may be in a catch-22 scenario here. I clean the boot sector virus, but when I start up Windows, the disk driver hook puts it back?


    PS
    Because my PC is out of commission, I had to MANUALLY write a check today! My first time in years & years. Oh the horror! :cry
     


  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I've been reading here and I see some incorrect things being mentioned. You do not have a boot sector virus and you do not have an MBR infection. You have a partition infection. A fake partition carrying an infection was added to your Windows boot drive and this partition has been made the active partition. Fixing the MBR will thus do nothing to resolve the problem. You need to remove the infected partition and then make the real Windows partition the active boot partition. Before we get to this, I have to request a few things.
    • Please stop doing things on your own as stated in the READ & RUN ME. Only run what we ask you to run and nothing else. The situation has actually gotten worse. Things that used to be working/running are now broken. Like some Windows Services including WMI and others. The infection has to be fixed properly. Incorrect fixes will only make it worse and could render the PC unbootable. Hopefully we can still avoid this.
    • Only attach the logs we ask for and attach the exact log. For example, do not make your own MGlogs 2012-10-18 @ 1221.zip type zip files. Attach the C:\MGlogs.zip file that is requested. There is no need to change the name or save them on your own. It updates all by itself and any previous logs can always be found in older messages.
    Please download the gparted-live ISO file (about 132 MB at last check)

    Now boot off of the newly created GParted CD.
    You should be here...
    Press ENTER
    By default, do not touch keymap is highlighted. Leave this setting alone and just press ENTER.
    Choose your language and press ENTER. English is default [33]


    Once again, at this prompt, press ENTER
    You will now be taken to the main GUI screen below
    According to your logs, the partition that you want to delete is 10.38 MiB (10.33 MB)
    Click the trash can icon to delete and then click Apply.
    You should now be here confirming your actions:
    Now you should be here:
    Is boot next to your OS drive? According to your logs, your OS drive is the 1.82 TB sized partition.
    If boot is not next to your OS drive under Flags, right-mouse click the OS drive while in Gparted and select Manage Flags

    In the menu that pops up, place a checkmark in boot like the picture below:
    Now press the Close button to save these changes.
    Now double-click the [​IMG] button.
    You should receive a small pop up like this:
    Choose reboot and then press OK.


    Now reboot from the Windows XP Recovery Console CD and execute the following commands pressing ENTER after each:
    • fixmbr
    • fixboot
    • exit
    Allow your PC to boot back into normal Windows. Hopefully it works okay. ;)

Be patient while doing the below. The fixes can sometimes take quite a while to run. Especially the permissions repairs. It may be best to kick it off and go to bed or do something else. It is better not to run anything while the repairs are going on.


    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
    • Now select the Start Repairs tab.
• Then click the Start button.
    • Create a System Restore point if prompted.
    • On the next screen, click the Unselect All button to first deselect all repairs.
    • Now select the following repair options:
      • Reset Registry Permissions
      • Reset File Permissions
      • Register System Files
      • Repair WMI
      • Repair Windows Firewall
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Proxy Settings
      • Repair Windows Updates
      • Set Windows Services To Default Startup
    • Now on the lower right side check the box to Restart/Shutdown System When Finished
    • Then make sure the Restart System radio button is enabled.
    • Shutdown any other programs that you are running now before continuing.
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • It should reboot automatically when finished.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
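An added example illustrating the "fake partition made active" condition chaslang describes (written for this page, not MajorGeeks', GParted's or any scanner's own code): it decodes the partition table from a raw 512-byte MBR and flags an active partition that is tiny or is not the largest one on the disk, which is how a planted ~10 MiB boot partition next to a 1.82 TB Windows partition would look. The sample MBR bytes are constructed here to mirror that layout, and the 64 MiB "too small to be a real OS partition" threshold is an assumption.

```python
"""Flag an MBR whose active (bootable) partition looks planted.

Added example for this thread, not code from MajorGeeks or any tool it names.
Reads the first 512 bytes of a disk image or sector dump (or uses a
constructed sample) and applies two heuristics: the active entry is tiny, or
it is not the largest partition. The size threshold below is an assumption.
"""
import struct
import sys
from dataclasses import dataclass
from typing import List

SECTOR = 512
TABLE_OFFSET = 446                      # partition table follows the boot code
ENTRY_SIZE = 16
BOOT_SIG = b"\x55\xaa"                  # last two bytes of a valid MBR
SMALL_ACTIVE_BYTES = 64 * 1024 * 1024   # assumed: no real OS partition is this small


@dataclass
class PartitionEntry:
    index: int          # slot 0-3 in the table
    bootable: bool      # status byte 0x80 marks the active partition
    type_id: int        # e.g. 0x07 = NTFS/HPFS
    lba_start: int
    sector_count: int

    @property
    def size_bytes(self) -> int:
        return self.sector_count * SECTOR


def parse_mbr(mbr: bytes) -> List[PartitionEntry]:
    """Decode the four 16-byte entries; unused slots (type 0) are skipped."""
    if len(mbr) < SECTOR or mbr[510:512] != BOOT_SIG:
        raise ValueError("not an MBR: missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        fields = struct.unpack_from("<B3BB3BII", mbr, off)
        status, ptype, lba, count = fields[0], fields[4], fields[8], fields[9]
        if ptype == 0:
            continue
        entries.append(PartitionEntry(i, status == 0x80, ptype, lba, count))
    return entries


def suspicious_active_partitions(entries: List[PartitionEntry]) -> List[str]:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    active = [e for e in entries if e.bootable]
    if not active:
        findings.append("no partition is marked active; this MBR cannot boot a partition")
        return findings
    if len(active) > 1:
        findings.append(f"{len(active)} partitions are marked active (only one should be)")
    largest = max(entries, key=lambda e: e.sector_count)
    for e in active:
        mib = e.size_bytes / 2**20
        if e.size_bytes <= SMALL_ACTIVE_BYTES:
            findings.append(f"entry {e.index}: active partition is only {mib:.2f} MiB "
                            f"(type 0x{e.type_id:02x})")
        if e is not largest:
            findings.append(f"entry {e.index}: active partition is not the largest one "
                            f"(largest is entry {largest.index})")
    return findings


def entry_bytes(bootable: bool, ptype: int, lba: int, count: int) -> bytes:
    """Pack one table entry; CHS fields are zeroed since only LBA is checked."""
    return struct.pack("<B3BB3BII", 0x80 if bootable else 0x00,
                       0, 0, 0, ptype, 0, 0, 0, lba, count)


def constructed_mbr() -> bytes:
    """Constructed sample, not a dump from the thread: a ~1.82 TB NTFS partition
    that is NOT active, plus a 10.38 MiB partition that IS active."""
    table = (entry_bytes(False, 0x07, 2048, 3_900_000_000)
             + entry_bytes(True, 0x07, 3_900_002_048, 21_258)
             + b"\x00" * (2 * ENTRY_SIZE))
    return b"\x00" * TABLE_OFFSET + table + BOOT_SIG


def read_mbr(path: str) -> bytes:
    with open(path, "rb") as fh:
        return fh.read(SECTOR)


def main(argv: List[str]) -> int:
    mbr = read_mbr(argv[1]) if len(argv) > 1 else constructed_mbr()
    entries = parse_mbr(mbr)
    for e in entries:
        flag = "*" if e.bootable else " "
        print(f"{flag} entry {e.index}: type 0x{e.type_id:02x} start {e.lba_start} "
              f"size {e.size_bytes / 2**20:.2f} MiB")
    findings = suspicious_active_partitions(entries)
    for f in findings:
        print("SUSPICIOUS:", f)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no argument to see the constructed case, or pass a file holding the first sector of a disk image; the exit status is non-zero when a finding is reported.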
     
  22. TekNoGeek

    TekNoGeek Private E-2

    Yes, Boss! :-D

The other things that I ran, I did not think were related to the MBR that we were trying to fix. So I thought I could do those concurrently and not have to post a separate plea in the software (or other) forum. However, I did want to give you FULL visibility of anything else I did on my own. As a former TechHead, I recognize the importance of this. So I don't mind you barking orders or reprimands at me. :-o

    I always did attach the files requested. I just added the date-time to the file name so that I can keep them for historical purposes, instead of having them overwritten. That way it's easier for me to refer back to them instead of having to scroll thru the thread. However, I do understand that it is all about your desire/need for conformity (which lends itself to your expediency) and will comply from now on or in future forum requests. :)

    PARTIAL STATUS UPDATE:
    I am at the point where gparted-live is currently running as instructed. It's been 50 minutes now. Will get back to you later with results and the requested log.

    This is my first time on your forum, but I've read posts over the years which have helped me solve numerous problems. I am very impressed with the professionalism and breadth of knowledge of the Gurus. I also love your editor which allows for numerous formatting capabilities. This is very valuable in making posts more readable.

    Thanks for your dedication to professionalism. :wave

    Will post results soon.
     
  23. TekNoGeek

    TekNoGeek Private E-2

    Re: write command during the test has failed to complete. this may be due to a memory

    Ran everything as instructed (Windows normal mode). Your instructions were very explicit. Tx.

    FYI: Windows Repair took 55 minutes to run.

    Rebooted back to normal mode. Startup was very sluggish.
    My AV autoscan at startup found:
    ==>Trojan.Zeroaccess.C (action performed = cleaned)
    ==>Trojan.Zeroaccess.C (action performed = cleaned)
    ==>Trojan.Gen (action performed = quarantined)
    ==>Trojan.Gen2 (action performed = quarantined)
    But the "location" column showing where it was found was blank.

    So I rebooted again. Windows initialized a little faster this time, but still way too long. Noticed that CPU usage took a long time to settle down (Searchindexer & searchfilterhost are hogs).

    Rebooted again, this time things are a little better. Here's my log notes of startup events (Normal Mode):
    14:44:35 --> Windows startup logo displays
    14:46:36 --> Screen goes black. Disk activity light very active.
    14:48:30 --> Blue background screen displays
    14:48:56 --> Login screen appears
    14:49:10 --> Press [Enter] on login screen
    14:50:00 --> Desktop icons display w/ full personality, then disappear
    14:50:23 --> Desktop icons re-display w/ full personality
    14:51:00 --> Press [CTRL]+[ALT]+[DEL] & wait for Task Manager
    14:51:30 --> Task Manager Displays. CPU utilization < 40%
    -----------> System Idle process pops in & out, sometimes @ 40%
    -----------> JQS.EXE pops in & out @ < 25%
    -----------> Searchindexer pops in & out
    14:53:55 --> CPU utilization reaches 0% for first time in this boot-up sequence.

    That boot up took ~ 8½ minutes. Grrrrrrrrrr :(

    I don't know if I should disable the search index feature, and at what penalty?

    STATUS FINDINGS:
    1. I looked at my Windows Firewall. All functionality appears to be back (including the Advanced tab, and my HP scanner entries are still there).
    2. I looked at my Network Connections. Displays properly & I can now Dbl-Clk and see the Connection Status screen
    3. Tested load times of key application programs. Seems acceptable.
    4. The PC no longer automatically reboots when in Normal Mode.
    5. The PC's net card activity light is now normal.
    6. When I launch my browser (IE 8.0.6001.18702), I noticed in the status bar that about:blank will momentarily display. I know that used to be a virus, but I'm sure I don't have it.
    7. Checked out functionality of scanning to my PC, AOK

    Ran C:\MGtools\GetLogs.bat, as instructed. Attached is the (unrenamed :-D) log file MGlogs.zip

    Did I miss anything?

    What now sayest thou :wave :) :) :) :) :) :)

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: write command during the test has failed to complete. this may be due to a memory

    It appears that took care of your partition infection. Your logs look good.

    Slow start may be due to updates for programs being downloaded. The infection may have been stopping previous updates.
    Also Symantec can be a pig.



    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. You can uninstall RogueKiller and HitManPro.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Press and hold the Windows key and then press the letter R on your keyboard. This opens the Run dialog box.
      • Copy and paste the below into the Run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
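    As an added example (not part of this thread, and not one of the MajorGeeks tools), the script below is a read-only PowerShell check of the settings the final steps above touch: the Run autostart keys where the infection was originally found, the UAC setting that C:\MGtools\enableUAC.reg restores, the Explorer hidden-files settings that the ComboFix uninstall resets, the Windows Search (SearchIndexer) service, and the current restore points. Running it before and after the cleanup steps shows whether each step actually took effect. It assumes Windows PowerShell on Windows 7 or later; the registry value names are standard Windows ones, and the MGtools path is the one used in the thread.

```powershell
# Added example: read-only verification of post-cleanup state. Nothing here changes
# the system; it only reports values so each of the final steps can be confirmed.

function Get-RunKeyEntries {
    # Autostart entries under the Run keys. The rogue program in this thread was
    # found under the HKLM one; after cleanup only known programs should remain.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key | Select-Object -Property * -ExcludeProperty PS*
            foreach ($p in $props.PSObject.Properties) {
                [pscustomobject]@{ Hive = $hive; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

function Get-UacState {
    # EnableLUA = 1 means UAC is on (what enableUAC.reg is meant to restore).
    $sys = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        -Name EnableLUA -ErrorAction SilentlyContinue
    [pscustomobject]@{ Setting = 'UAC (EnableLUA)'; Enabled = ($sys.EnableLUA -eq 1) }
}

function Get-HiddenFileSettings {
    # Explorer defaults: Hidden = 2 (do not show hidden files), ShowSuperHidden = 0
    # (do not show protected OS files). The ComboFix uninstall resets these.
    $adv = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
        -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Hidden          = $adv.Hidden
        ShowSuperHidden = $adv.ShowSuperHidden
        AtDefaults      = ($adv.Hidden -eq 2 -and $adv.ShowSuperHidden -eq 0)
    }
}

function Get-SearchIndexerState {
    # WSearch is the service behind SearchIndexer.exe; Win32_Service is used
    # because it reports StartMode on older PowerShell versions too.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WSearch'"
    if ($svc) {
        [pscustomobject]@{ Service = $svc.Name; State = $svc.State; StartMode = $svc.StartMode }
    }
}

function Get-RestorePointSummary {
    # After flushing and re-enabling System Restore, exactly one fresh point is expected.
    Get-ComputerRestorePoint -ErrorAction SilentlyContinue |
        Select-Object SequenceNumber, Description, @{ Name = 'Created'; Expression = {
            [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) } }
}

Write-Host '== Run key autostart entries =='; Get-RunKeyEntries | Format-Table -AutoSize
Write-Host '== UAC ==';                      Get-UacState | Format-Table -AutoSize
Write-Host '== Explorer hidden-file settings =='; Get-HiddenFileSettings | Format-Table -AutoSize
Write-Host '== Windows Search service ==';   Get-SearchIndexerState | Format-Table -AutoSize
Write-Host '== Restore points ==';           Get-RestorePointSummary | Format-Table -AutoSize
```

    Run it from an elevated PowerShell prompt so the HKLM values and the restore-point list are readable; a Run-key entry you do not recognise, or UAC still reporting disabled after step 5, is worth raising in the thread before finishing the cleanup.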
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: write command during the test has failed to complete. this may be due to a memory

    Almost forgot.... you can experiment with disabling the SearchIndexer service to see if it helps.

    http://www.howtogeek.com/howto/28450/what-is-searchindexer.exe-and-why-is-it-running/


    Sometimes just disabling the .XML file extension from being indexed in the Indexing Options control panel can improve things, but usually this was related to when iTunes is being used.
     
    Last edited: Oct 20, 2012
  26. TekNoGeek

    TekNoGeek Private E-2

    Re: write command during the test has failed to complete. this may be due to a memory

    Thanx, CHASLANG & Kestrel13! for taking such good care of my prob.

    Although it took awhile to get to the root cause, I had time because I had another good functioning PC. I learned much from this episode and also from your forum over the years.

    I will do your recommended final cleanup sometime next week.

    I disabled my indexing. No more oversexed hard drive activity light. I'm thinking that because of the massive registry fixes performed, indexing was starting over from scratch and re-indexing everything. I also noticed that a lot of file extensions called for the file contents to be indexed too. Perhaps if I waited a week, everything would have finally been indexed and the problem would have gone away. (Just guessing around.)

    I salute you and thanx for providing a place for us less fortunate to turn to.

    BTW: Where's the link to make a contribution to the MG cause de celeb? I remember seeing one somewhere. It won't be much 'cause I'm retired. But I think it's only fair to do so.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: write command during the test has failed to complete. this may be due to a memory

    You're welcome.

    Not necessary, and we don't have one. Just share your experience with others and do your downloading from Major Geeks home page file system ( www.majorgeeks.com ). Send your friends there too. ;)
     
