Ransomeware leads to endless boot loop

[geezermetal]

Sorry, no way to run the mandatory scans stuck in this boot loop - didn't look like I could explain that above - didn't mean to fib in the OTL checkbox.

From reading the threads here it looks like perhaps I should use a Kaspersky Rescue Disk, but I also saw you all start a similar problem with a different method (sorry can't find that thread today for some reason). Since my DIY moves thus far have not been good I would greatly appreciate some help tackling this.

As a little background, this is an HP 1050y. I am not 100% confident it is 64 bit but pretty sure. And I am sure this machine has been infected for a long time with something due to its slow, erratic behavior and the excessive disk accesses I can hear. I have always updated the OS and run Symantec faithfully on this machine so a follow-up question will be - "Why wasn't that enough?" In any case, this is the first "unhidden" problem I have had on this machine.

Thank You

 

[Fiery]

Hi geezermetal and welcome to MalwareTips!

I'm Fiery and I would gladly assist you in removing the malware on your computer.

PLEASE NOTE: The first 3 posts of ALL new members require approval by mods/admins. Please be patient if you don't see your post immediately after submitting it.

Before we start:

• Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time.
• Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
• Please be patient and stay with me until I give you the green lights and inform you that your PC is clean.
• Some tools may be flagged by your antivirus as harmful. Rest assure that ALL the tools we use are safe, the detections are false positives.
• The absence of symptoms does not mean your PC is fully disinfected.
• If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital.
• Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.

<hr>

Please print these instruction out so that you know what you are doing

• Download OTLPENet.exe to your desktop
• Download Farbar Recovery Scan Tool and save it to a flash drive.
  
• Ensure that you have a blank CD in the drive
• Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
• Reboot your system using the boot CD you just created.
  Note : If you do not know how to set your computer to boot from CD follow the steps here
• Wait for the CD to detect your hardware and load the operating system
• Your system should now display a Reatogo desktop
  Note : as you are running from CD it is not exactly speedy
• Insert the USB with FRST
• Locate the flash drive with FRST and double click
• The tool will start to run.
• When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

 

[geezermetal]

Fiery,
Thank you very much for the help. FRST scan log attached.

 

[Fiery]

Fiery,
Thank you very much for the help. FRST scan log attached.

Hi,

Hmm, your hard-drive isn't detected. Please try this instead.

While in OTLPE, double click the OTLPE icon.

• Select the Windows folder of the infected drive if it asks for a location.
• When asked Do you wish to load the remote registry, select Yes.
• When asked Do you wish to load remote user profile(s) for scanning, select Yes.
• Ensure the box Automatically Load All Remaining Users is checked and press OK.
• OTL should now start
• Check the boxes beside LOP Check and Purity Check
• Press the Run Scan button
• When finished, the file will be saved in drive C:\OTL.txt
• Copy this file to a USB drive if you do not have internet connection on the system.
• Please attach the content of OTL.txt in your next reply.

If the above doesn't work, create a Kaspersky Resuce Disk with the instructions here: http://malwaretips.com/Announcement-Computer-won-t-boot-up-Hard-to-remove-malware-Learn-how-to-create-and-use-a-Kaspersky-Rescue-Disk

 

[geezermetal]

Tried OTLPE, it could not see my C drive. Consistent with trying to look for it in "My Computer" from the Reatogo desktop - it see's my recovery partition OK (formerly D drive) and sees what is probably my C drive (labels it "Y") with no size indicated. When I click on Y Drive it it says it can't read because it is corrupted.

So I booted from the Kaspersky disk (after a bit of a scare - said it couldn't boot in graphical mode, re-booted and it came up OK). Did the update and am ready to do the objects scan. On the list of objects to scan are, "Disk boot sectors", "Hidden startup objects", "sda1", "sda2". I assume sda 1 & 2 are my hard drive partitions C, and D. Neither box was automatically checked for scanning in Kaspersky. Should I check them and begin the scan?

 

[Fiery]

Yes, check all the possible scan areas for a thorough scan

 

[geezermetal]

Yes, check all the possible scan areas for a thorough scan

Scan ran last night and found the ransomware - pasted below is the scan report from Kaspersky. I was surprised that nothing else was detected given the sluggish response I commented on in my initial post.

Since I can now see my files in Kaspersky I am copying any data that wasn't previously backed up before I try to reboot to Windows. Given that this malware seems to have wiped out recognition of my hard drive, I assume the boot-up won't work. Is there a way to repair this or is my OS officially dead?

Thanks for the help so far, at least I can rescue my data!



Objects Scan: completed 4 minutes ago (events: 24, objects: 544947, time: 10:05:43)
5/10/13 11:43 PM Task started
5/11/13 12:00 AM Detected: not-a-virus:AdWare.Win32.MyWay.j sda1/I386/Apps/APP16269/src/HPSummer2005.exe/WiseSFXDropper/WISE0016.BIN
5/11/13 12:00 AM Untreated: not-a-virus:AdWare.Win32.MyWay.j sda1/I386/Apps/APP16269/src/HPSummer2005.exe/WiseSFXDropper/WISE0016.BIN Postponed
5/11/13 12:07 AM Detected: Trojan-Ransom.Win32.Foreign.chay sda2/Documents and Settings/All Users/Application Data/84ra.dat
5/11/13 12:07 AM Detected: Trojan-Ransom.Win32.Foreign.chay sda2/Documents and Settings/All Users/Application Data/0vtor.dat
5/11/13 12:07 AM Untreated: Trojan-Ransom.Win32.Foreign.chay sda2/Documents and Settings/All Users/Application Data/0vtor.dat Postponed
5/11/13 12:07 AM Untreated: Trojan-Ransom.Win32.Foreign.chay sda2/Documents and Settings/All Users/Application Data/84ra.dat Postponed
5/11/13 12:14 AM Detected: Trojan.Win32.Agent.hwml sda2/Documents and Settings/All Users/Application Data/Symantec/SRTSP/Quarantine/APQA.tmp
5/11/13 12:14 AM Untreated: Trojan.Win32.Agent.hwml sda2/Documents and Settings/All Users/Application Data/Symantec/SRTSP/Quarantine/APQA.tmp Postponed
5/11/13 12:23 AM Detected: Trojan-Ransom.Win32.Foreign.chay sda2/Documents and Settings/HP_Owner/Local Settings/Temp/WX7Y39F.exe
5/11/13 12:24 AM Untreated: Trojan-Ransom.Win32.Foreign.chay sda2/Documents and Settings/HP_Owner/Local Settings/Temp/WX7Y39F.exe Postponed
5/11/13 1:27 AM Processing error sda2/Documents and Settings/HP_Owner/My Documents/Downloads/X17-75238.exe/officesuitewwsp1-x-none.msp Read error
5/11/13 1:27 AM Processing error sda2/Documents and Settings/HP_Owner/My Documents/Downloads/X17-75238.exe Read error
5/11/13 2:25 AM Detected: not-a-virus:AdWare.Win32.MyWay.j sda1/I386/Apps/APP16269/src/HPSummer2005.exe/WiseSFXDropper/WISE0016.BIN
5/11/13 9:45 AM Deleted: not-a-virus:AdWare.Win32.MyWay.j sda1/I386/Apps/APP16269/src/HPSummer2005.exe
5/11/13 9:45 AM Detected: Trojan-Ransom.Win32.Foreign.chay sda2/Documents and Settings/All Users/Application Data/0vtor.dat
5/11/13 9:48 AM Deleted: Trojan-Ransom.Win32.Foreign.chay sda2/Documents and Settings/All Users/Application Data/0vtor.dat
5/11/13 9:48 AM Detected: Trojan-Ransom.Win32.Foreign.chay sda2/Documents and Settings/All Users/Application Data/84ra.dat
5/11/13 9:48 AM Deleted: Trojan-Ransom.Win32.Foreign.chay sda2/Documents and Settings/All Users/Application Data/84ra.dat
5/11/13 9:48 AM Detected: Trojan.Win32.Agent.hwml sda2/Documents and Settings/All Users/Application Data/Symantec/SRTSP/Quarantine/APQA.tmp
5/11/13 9:49 AM Deleted: Trojan.Win32.Agent.hwml sda2/Documents and Settings/All Users/Application Data/Symantec/SRTSP/Quarantine/APQA.tmp
5/11/13 9:49 AM Detected: Trojan-Ransom.Win32.Foreign.chay sda2/Documents and Settings/HP_Owner/Local Settings/Temp/WX7Y39F.exe
5/11/13 9:49 AM Deleted: Trojan-Ransom.Win32.Foreign.chay sda2/Documents and Settings/HP_Owner/Local Settings/Temp/WX7Y39F.exe
5/11/13 9:49 AM Task completed

 

[Fiery]

Hi,

We can try to repair it.

Open notepad and copy & paste the following:

CMD: bootrec /FixMbr
CMD: bcdedit /RebuildBcd

and save it as fixlist.txt onto your flash drive.

Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log.

See if that works. If not, I would suggest you reformat your PC.

 

[geezermetal]

Not sure I understand "boot to system recovery" correctly. If I power up the PC, in my case hit F10 for "System Recovery" then it says it is ready to recover from my partition and will erase all of my data. Don't see how to run FRST before that happens. I probably misunderstand how you want me to start up?

 

[Fiery]

Oops, apologies for the confusion.

I meant boot into OTLPE, plug in your USB with FRST and the fixlist.txt

 

[geezermetal]

No problem, my fault. Thanks for the clarification. Done - I'm guessing this isn't good - log attached.

 

[Fiery]

Not looking good.

I would say reformat your PC since you got your important files backed up.

 

[geezermetal]

OK, I had resigned myself to that possibility. Two questions before I do: Is there nothing else to try? While I did get my data there are programs that I will loose I hate to give up on. Second - to go the reformat route, is the best approach to go ahead and do "System Recovery" from the PC's boot menu, or from the original recovery disks I made when I bought the computer, or some other approach?

 

[Fiery]

Is there nothing else to try? While I did get my data there are programs that I will loose I hate to give up on.

Does your PC have Recovery Console installed? (When you start your PC, there should be a black screen that let you choose whether to boot into XP or Recovery console. Usually the screen disappears after 5 seconds)

Also, do you have the XP installation Disk? If so, try this.

http://mypchell.com/guides/77-fix-a-unbootable-windows-xp

Also, give this a try. This may be complicated but it's worth a shot.

http://rudd-o.com/linux-and-free-software/repairing-unbootable-windows-xp-systems-with-one-command

 

[geezermetal]

I do have recovery console - but when I try to use it it ends in the BSOD.
I do not have the XP disks.
So I have loaded Insert - but it looks very different than the instruction page in your link. Those screen shots imply a command line like interface, but I have a windowed style interface and I can't tell what to do or how to execute the "ntfsfix" command?

 

[geezermetal]

OK - I may have figured out Insert. I found a window that looked like a command prompt screen and typed in "ntfsfix /dev/sda2". Cant figure out how to save the results to attach so here is the response: it tries to mount sda2, fails, repairs, then says it's OK. Try the same command again and this time it says everything is OK. However, when I then power down and try to boot windows normally I get back to the same endless boot cycle as I started with. Just for fun I tried recovery console again - same BSOD. Tried all three safe modes - it lists out a page of information then power cycles again. Not sure I am using Insert correctly but other than an error there ... is there any more hope? Thanks!

 

[Fiery]

Do you have a friend who may have the XP installation disk you can borrow?

 

[geezermetal]

I will try to find someone who has them. I'll be offline for four days but will get back to the thread when I return, hopefully with the Install disks. Thanks again for all of the help.

 

[Fiery]

Ok, thanks for letting me know

 

[geezermetal]

Ok, thanks for letting me know

Hello Fiery, I am back. I borrowed a copy of XP installation disks and tried to load the "ntldr" and the "ntdetect.com" files from the CD onto the C drive - but the CD (Set-up - repair screen) could not read the hard drive, it came up with a BSOD when I tried the copy command to the c drive. I tried doing a simple "dir' on C an it said "error during drive enumeration" though it did at least get as far as connecting to the root I think.

It made me wonder if perhaps I could use the Kaspersky disk (the only one that allows me to see files on the c drive) to search for the ntlrd and ntdetect.com files then replace them with the ones from the CD. Not sure I can actually read the XP CD and copy files from it while running Kaspersky.

What should I try next? Thanks