Machine potentially infected acting as if hard drive damaged but...

Hello,

I have a system that is possibly infected, and it is impossible for me to perform ANY of the tasks on it that the pinned message instructs. I'll explain why.

The system is a Dell laptop with WinXP loaded on an NTFS partition. The system was running Malwarebytes' Anti-Malware 1.39 with resident protection ON. The system has 3 partitions - a small FAT32 diagnostic partition, the NTFS system partition, and a FAT32 recovery partition. Normally, the system boots into the system partition with no interaction. The other 2 are accessed during a POST interruption.

When I turn the machine on now, it POSTs normally then accesses the hard drive to boot. Immediately an error displays that a read error occurred (implying a hard drive failure) and freezes. No method has been able to boot.

I tried Avira's rescue CD. It starts fine, but attempting to scan hda1, it freezes.

I used FreeDOS boot cd and using fdisk, saw that all the partitions were there, but the system partition was no longer marked bootable. I fixed that, but it made no difference to the boot process.

I used the Ultimate Boot CD and was able to run some disk scans. They reported several read errors on the disk. After about 100 errors, I stopped scanning.

No tool I had used seemed to show anything other than a hard drive failure.

Then I used Hiren's BootCD (I know it's shady, but I am desperate and stumbled across it on a search). I opened what it calls a mini Windows XP session. Drive manager showed all the partitions were present and properly set. I am running Super AntiSpyware on the system as I type (for some reason it is running SUPER slow). It has found 8 samples of what it calls "Rootkit.Unclassified/USBHubB".

MBAM's resident protection found nothing. The system was shut down normally at the end of the day. When startup was attempted the next day, this was the situation presented.

Any ideas what this rootkit is? How it entered? This machine ONLY runs a proprietary Chrysler program (it's used by a mechanic) and Internet Explorer to check webmail. No other processes are run on it. It is connected to the shop network by WiFi.

Any suggestions on how to address this system?

Thanks in advance for any help you can offer,

Panagiotis Govotsos

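The post above describes checking the partition table with fdisk and finding the system partition no longer flagged bootable. The following script is an added example, not code from this thread or from any of the tools mentioned in it: it parses a 512-byte MBR the way the boot code and fdisk see it, reports the conditions that stop the BIOS from chaining into a system partition (missing 0x55AA signature, no active partition, more than one active partition, corrupt status bytes), and applies the same fix the poster applied by hand, setting the active flag on the NTFS partition. The sample sector is constructed to mirror the three-partition layout described (partition sizes are made up); the partition type IDs, offsets and flag values are the standard MBR ones. Read errors from the drive itself are outside what a parser can see; this only tells you whether the table you can read is bootable.

```python
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"      # bytes 510-511 of a valid MBR
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_SIZE = 16
ACTIVE_FLAG = 0x80

# Type IDs for the partition kinds the poster describes (two FAT32, one NTFS);
# the mapping is for display only, anything else is shown as its raw byte.
PARTITION_TYPES = {0x00: "empty", 0x07: "NTFS/HPFS", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)"}


def parse_mbr(mbr: bytes) -> dict:
    """Decode the boot signature and the four partition-table entries of one sector."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + index * PARTITION_ENTRY_SIZE
        # entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, offset)
        partitions.append({
            "index": index,
            "status": status,
            "active": status == ACTIVE_FLAG,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, f"0x{ptype:02X}"),
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {"signature_ok": mbr[510:512] == BOOT_SIGNATURE, "partitions": partitions}


def check_bootability(mbr: bytes) -> list:
    """Return the problems that would keep the MBR boot code from reaching a system partition."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing at offset 510")
    active = []
    for p in info["partitions"]:
        if p["status"] not in (0x00, ACTIVE_FLAG):
            findings.append(f"partition {p['index']}: invalid status byte 0x{p['status']:02X}")
        if p["type"] != 0x00 and p["sectors"] == 0:
            findings.append(f"partition {p['index']}: type {p['type_name']} but zero length")
        if p["active"]:
            active.append(p["index"])
    if not active:
        findings.append("no partition is marked active, so the MBR boot code has nothing to chain to")
    elif len(active) > 1:
        findings.append(f"more than one active partition: {active}")
    return findings


def set_active(mbr: bytes, index: int) -> bytes:
    """Return a copy of the sector with exactly partition `index` marked active (what fdisk did)."""
    if not 0 <= index < 4:
        raise ValueError("partition index must be 0..3")
    out = bytearray(mbr)
    for i in range(4):
        out[PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE] = ACTIVE_FLAG if i == index else 0x00
    return bytes(out)


def build_sample_mbr(active_index=None, signature=True) -> bytes:
    """Construct a test sector modelled on the poster's layout; sizes are invented for the example."""
    layout = [  # (type, lba_start, sectors)
        (0x0B, 63, 80_262),              # small FAT32 diagnostic partition
        (0x07, 80_325, 150_000_000),     # NTFS system partition
        (0x0C, 150_080_325, 6_000_000),  # FAT32 recovery partition
    ]
    sector = bytearray(SECTOR_SIZE)
    for i, (ptype, start, count) in enumerate(layout):
        status = ACTIVE_FLAG if i == active_index else 0x00
        struct.pack_into("<B3xB3xII", sector, PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE,
                         status, ptype, start, count)
    if signature:
        sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    # From a Linux rescue CD you would read the live sector instead of the constructed one:
    #     with open("/dev/sda", "rb") as disk: mbr = disk.read(512)
    broken = build_sample_mbr(active_index=None)   # table intact, but nothing marked bootable
    for p in parse_mbr(broken)["partitions"]:
        print(p["index"], p["type_name"], "active" if p["active"] else "-", p["lba_start"], p["sectors"])
    print("findings:", check_bootability(broken))
    print("after set_active(1):", check_bootability(set_active(broken, 1)))
```

Writing the repaired sector back (`disk.seek(0); disk.write(fixed)`) is the step fdisk performed in the thread; take an image of the disk first, because the same sector holds the boot code and the whole partition table.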

Sorry for the delay but the site has been overly busy with too many requests for assistance.

If you still need help please let me know.

Hi Ron,

Thanks for the reply. Yes, I'm still stuck. Can a rootkit make the system respond as if there is a hard drive failure at boot? The only way I've been able to get any access is using Hiren's boot CD. Running Super Anti Spyware is the only thing that reports anything and what it reports is "Rootkit.Unclassified/USBHubB". I've no idea what this is and googling only gives scant information beyond that it exists.

Any help you can give would be greatly appreciated.

Thanks,

Panagiotis

  • Root Admin

Yes, a rootkit can prevent bootup, and an improper or unexpected removal of a driver from a rootkit can as well. That is not their normal purpose, though; they're installed in such a fashion as to prevent removal.

If you can't start the system even in safe mode then you're sort of stuck trying to use remote tools like UBCD. The disk errors are being reported by what utility on UBCD4W, though?

I would first try to boot with UBCD4W again and see if you can backup any and all important data. Then run a DOS prompt and do a CHKDSK C: /R and hope for the best.

It sounds more like the disk might have invalid clusters on it. What about running some of the DISK CHECK utilities from the CD first before the CHKDSK ?

If this is a VERY critical system then you may want to have someone else with experience provide some hands-on diagnostics, as some of these tools and scans could possibly lose data or prevent successful data recovery if it comes down to that.

Have you tried using the Recovery Console to attempt to repair the bootup process?

http://support.microsoft.com/kb/314058

You can also try to do an in place repair install if needed to get it to boot again.

http://michaelstevenstech.com/XPrepairinstall.htm


The read error appears during POST (at least that's what it seems like - system turns on, POST runs, screen blanks, the error message appears - no other messages). The MBR apparently never executes and so starting Windows in any mode is impossible. The only reason I think it might be caused by malware and not a physical error is that I can access it with _some_ tools on UBCD4Win and Hiren's boot cd.

The tool used to check the drive on UBCD4Win is the Toshiba disk check tool (it's a Toshiba drive).

What would be the purpose of a rootkit simulating a hardware failure? I thought rootkits "infected" the system to achieve a purpose - an apparently nonfunctioning system prevents it from doing anything!

Thanks again,

Panagiotis


  • Root Admin

I apologize for the delay but circumstances beyond my control have prevented me from responding.

Your best bet at this time is to start a NEW post and reference this current post so that someone else can assist you.

I will be out of town for the next week and probably will not have access to assist you with this.


  • 2 weeks later...
  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

