Moneypak lockout won't allow boot or safe mode

Bubbles

New Member
Thread author
Verified
Jul 11, 2013
21
Ok. I think I may be pooched here.

I use an off lease laptop with oem XP.

When booting, the System32/system/config file is missing. It offers me to restart and press r. As it's off lease, you guessed it, I have no system disk.

When I try to go into any safe mode, the OEM system recovery (IBM) kicks in and only offers to system recover (wipe out), reboot or shut down. There is an exit option but that, x-ing out or hitting reboot all cause a reboot and stop me from getting to safe mode.

Since I can't bring the system up, system restore to an earlier point is not an option.

Is there any way to get past this?

Perhaps when booting, if I can boot from an external device- not sure what that would require.

Finally, if I just pulled the hard drive and used it in another IBM unit, would the drive transfer the virus to the bios on the board? Would it boot?
 

Bubbles

New Member
Thread author
Verified
Jul 11, 2013
21
System : IBM Thinkpad T60
Using XP Professional - 32bit

We got an FBI Moneypak virus.

Issues and Actions taken :
After being locked out, I got momentary access to Windows and tried to do a system restore; however, the system locked and would not load the program and it posted the screen again. We did a hard reset and got the screen again and were cut out of the system restore application again. The system went into shut down and it was erasing and loading files. (I suspect this was it covering its tracks.) Following that I tried to boot it again and began getting the message:

"
Windows could not start because the following file is missing or corrupt :
\WINDOWS\SYSTEM32\CONFIG\SYSTEM

You can attampt to repair this file by starting Windows Setup using the original Setup CD-ROM.
Select 'r' at the first screen to start repair.
"
The system we have is an off-lease laptop and we have no Setup CD-Rom to try this option out. In looking at the IBM support sites there are downloads but I do not know what download, if any, would be the correct one for this as I do not find this exact name on any download name or description.

When I try to go into any safe mode, the OEM system recovery (IBM) kicks in and only offers to system recover (i.e. wipe out everything), reboot or shut down. There is an exit option but exiting, x-ing out the screen prompt or hitting reboot all cause a reboot and stop me from getting to safe mode. So I either wipe it out or reboot.

Since I can't bring the system up, system restore to an earlier point is not an option. I do have many restore points, assuming they are not corrupted.

In the hopes that this was not the only solution I downloaded HitmanPro 3.7 and used Kickstart on USB, but no resolution yet:

Got the same message on booting using options 1, 2 and 3:
"
Windows could not start because the following file is missing or corrupt :
\WINDOWS\SYSTEM32\CONFIG\SYSTEM

You can attampt to repair this file by starting Windows Setup using the original Setup CD-ROM.
Select 'r' at the first screen to start repair.
"

Got the following response when I tried to use HitmanPro 3.7 to force into any of the safe mode options:

STOP: c0000139 {Entry Point Not found}
The procedure entry point rtlExtendHeap could not be located in the dynamic link library ntdll.dll.

Without the Setup CD-Rom I think I am running out of options but can't find it on IBM/Lenovo and would not be sure I can trust my good system to download from another site.

Next Steps: (?)
I have Hiren's Boot CD 15.2 as well, not sure if that will make any difference?
If the Admins can provide a safe link to get the CD-Rom I could try that.
Would removing the HDD and putting it into a docking station potentially infect my system? At least then some projects and spreadsheets could be saved.

Any help you can provide would be greatly appreciated.
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Hi Bubbles, and welcome to the malwaretips.com forums!

Sorry for the late response.

I'm Kuttus and I am going to try to assist you with your problem. Please take note of the below:
  • I will start working on your malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine!
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • It may prove beneficial if you print off the following instructions or save them to notepad as I post them.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.


Before we start:
Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Please print these instructions out so that you know what you are doing
  • Download OTLPENet.exe to your desktop
  • Download Farbar Recovery Scan Tool and save it to a flash drive.
  • Download List Parts and save it to the flash drive also.
  • Ensure that you have a blank CD in the drive
  • Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
  • Reboot your system using the boot CD you just created.
    Note If you do not know how to set your computer to boot from CD follow the steps here
  • Wait for the CD to detect your hardware and load the operating system
  • Your system should now display a Reatogo desktop
    Note as you are running from CD it is not exactly speedy
  • Insert the USB with FRST
  • Locate the flash drive with FRST and double click
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
  • Next click List Parts and then click Scan
  • It will make a log Results.txt on the flash drive. Please copy and paste it to your reply.
 

Bubbles

New Member
Thread author
Verified
Jul 11, 2013
21
Ok.
I am using a second Thinkpad T60 and I have downloaded the files and applied the last two to the USB. However, ImgBurn doesn't seem to be loading onto the CD-R. Formatted it and it only partly loaded.

Is this supposed to take a long time to burn? Also, will this ImgBurn be able to load when the System32 file is corrupt/missing?

...Bubbles.
 

Bubbles

New Member
Thread author
Verified
Jul 11, 2013
21
Kuttus, I really appreciate your help here. This is great.

Reatogo loaded but sorry to say that my relief was short lived....

When I tried to execute the FRST file from USB I got the following BSOD message and predictably the keyboard is locked:

"
A problem has been detected and windows has been shut down to prevent damage to your computer.

BAD_POOL_CALLER

If this is the first time you;ve seen this stop error screen, restart your computer. If this screen appears again, follow these steps:
Check to make sure any new hardware or software is propberly installed. If this is a new installation, ask yourhardware or software manufacturerfor any windows updates you might need.
If problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select Advanced Startup options, and then select Safe mode.
Technical information :
*** STOP: 0x000000c2 (oxoooooo43, 0xD6F65000, 0x00000000, 0x00000000)
"

Not sure what is causing the BSOD or if I should try to boot again or not. Looking forward to your reply!

P.s. I have my wireless manually turned off (hard external switch) on the machine we are working on.
 

Bubbles

New Member
Thread author
Verified
Jul 11, 2013
21
You mean boot in REATOGO-X-PE and then into FRST?
(Just being uber careful / paranoid here)
 

Bubbles

New Member
Thread author
Verified
Jul 11, 2013
21
Downloaded the FRST file again and am using the new one just in case - this worked the third time around for the OTLPENet.

Scanning with all whitelist option boxes (Registry, Services, Drivers, Processes, KnownDLLs, Internet) checked (default setting) but still haven't touched the optional list (List BCD, Drivers MDS, Addition.txt).

Just got the identical failure message.

...On the bright side, the OTLPENet got me through where HitmanPro didn't...

Ok. Ready when you are.
Perhaps we can apply a scan for the malware or is that too early?
 

Bubbles

New Member
Thread author
Verified
Jul 11, 2013
21
REATOGO-X-PE loaded properly. However, running Scan on FRST from the USB always results in the BSOD and BAD_POOL_CALLER failure notice above.

What's our next option? Wondering if running HitmanPro 3.7 or Malwarebytes or similar?
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Did you try to start the computer normally this time?

Let's create a bootable HitmanPro Rescue Disk and run a scan:
STEP 1: Create a HitmanPro.Kickstart USB flash drive
  1. While you are using a "clean" (non-infected) computer, download HitmanPro from the below link.
     HITMANPRO DOWNLOAD LINK: http://www.surfright.nl/en/hitmanpro/ (This link will open a download page in a new window from where you can download HitmanPro)
  2. Insert your USB flash drive into your computer and then follow the instructions from the below video:
     (video: http://www.youtube.com/embed/aBS902Qr0oc)
STEP 2: Remove infection with HitmanPro.Kickstart
  1. After you have created the HitmanPro.Kickstart USB flash drive, you can insert this USB drive into the infected machine and start your computer.
  2. Once the computer starts, repeatedly tap the F11 key (on some machines it's F10 or F2), which should bring up the Boot Menu; from there you can select to boot from your USB.
     Next, you'll need to perform a system scan with HitmanPro as seen in the below video:
     (video: http://www.youtube.com/embed/lUNHidkYsDQ)


Bubbles

New Member
Thread author
Verified
Jul 11, 2013
21
Ok. So I assume we are skipping the FRST and List scans at least for now.

HitmanPro 3.7 on CD (originally tried to boot from this before coming to you but it resulted in a notice that the sys config file was missing or corrupt). I will make the boot disk right now - please stay with me!
 

Bubbles

New Member
Thread author
Verified
Jul 11, 2013
21
Ok. Hitman Pro is on the USB - however I need you to clarify something...

I tried HitmanPro before talking with you and got the error message, so do I run the REATOGO-X-PE and then plug in the HitmanPro? I did try the HitmanPro boot on its own and still got the sysconfig corrupt/missing error.

Loading REATOGO-X-PE again.
 

Bubbles

New Member
Thread author
Verified
Jul 11, 2013
21
No. This is an IBM Thinkpad T60 and didn't ship with a System Set up CD-Rom.

From what I have researched, the OEM version may be different to the MS XP version and I can't find a download for it from IBM.
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Okay. Please try to create one OTL Disk from any other computer.

IMPORTANT:
You will need a flash drive with a size of 512 Mb or bigger. Make sure that you do not leave anything important on the flash drive, as all data on it will be deleted during the following steps.


    • Download OTLPE.iso from one of the following links and save it to your Desktop mirror1 or mirror2
    • Download eeepcfr.zip from the following link and save it to your Desktop: the mirror
    • Finally, if you do not have a file archiver like 7-zip or Winrar installed, please download 7-zip from the following link and install it: the mirror
  1. Once you have 7-zip installed, decompress OTLPE.iso by right-clicking on the folder and choosing the options shown in the picture below. Please use a dedicated folder, for example OTLPE, on your Desktop

    OTLPE_7zip.jpg


  2. Please also decompress eeepcfr to your systemroot (usually C:\).
  3. Empty the flash drive you want to install OTLPE on.
  4. Go to C:\eeecpfr and double-click usb_prep8.cmd to launch it.
  5. Press any key when asked to in the black window that opens.
  6. As indicated in the image, make sure you have selected the correct flash drive, before proceeding.
    For Drive Label: type in OTLPE.
    Under Source Path to built BartPE/WinPE Files click ... and select the folder OTLPE that you created on your Desktop.
    Finally check Enable File Copy.
  7. Click on Start, accept the disclaimers and wait for the program to finish.

  • Reboot your system using the bootable flash drive you just created.
  • Note : If you do not know how to set your computer to boot from Flash drive follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • Select the Windows folder of the infected drive if it asks for a location.
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Select the Windows folder of the infected drive if it asks for a location.
  • When asked Do you wish to load the remote registry, select Yes.
  • When asked Do you wish to load remote user profile(s) for scanning, select Yes.
  • Ensure the box Automatically Load All Remaining Users is checked and press OK.
  • OTL should now start
  • Check the boxes beside LOP Check and Purity Check
  • Press the Run Scan button
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to a USB drive if you do not have internet connection on the system.
  • Please attach the content of OTL.txt in your next reply.
 

Bubbles

New Member
Thread author
Verified
Jul 11, 2013
21
First OTLPE mirror says page cannot be found.
Second OTLPE mirror says server cannot be found.
Other links to OTLPE force download to CD.
Writing to CD to pull OTLPE.iso from CD.
 
