Possible Rootkit on Win7x64

2 replies to this topic

#1 jbrid


  • Members
  • 2 posts
  • Local time:09:58 AM

Posted 12 May 2011 - 12:14 PM

Hi all, sorry for the long post. I wanted to try and provide as much info as possible.

Last night my HTPC crashed while my wife was watching something on a video site. When I got home the PC would not boot.

It is Win7x64. When you boot it, it goes directly to Startup Repair. After several minutes, I get the message: "Startup Repair cannot repair this computer automatically." When I click on "View problem details," everything looks fine except for "Root cause found: Boot critical file D:\CI.dll is corrupt." From there I can click on the advanced options and I tried the following:

  • System Recovery Options -> System Restore: To a point on May 6 - This had no effect
  • System Recovery Options -> Command Prompt: sfc /scannow - it says it cannot run because system repair is pending and requires a restart
  • When booting in safe mode it also goes to Startup Repair and will not start Windows (same as normal boot).

I then tried the following:

1. Boot with a Win7 install disk and choose 'Repair Your Computer'. Then I get the System Recovery Options window and my Win7 installation is listed. Then I select it and choose 'Next'. I get this error:

"This version of System Recovery Options is not compatible with the version of Windows you are trying to repair. Try using a recovery disc that is compatible with this version of Windows"

2. Using Hiren's Boot CD v13.2, I tried to run RootkitRevealer. This utility would not run for some reason; it just opens a DOS window and then quickly shuts down.

3. Using Hiren's Boot CD v13.2, I tried to run TDSSKiller. I got an error trying to run this saying that it could not find WINHTTP.dll.

4. Using Hiren's Boot CD v13.2, I ran HijackThis. The log is here:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 06:36:25, on 2011-05-12
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - Default URLSearchHook is missing
O13 - DefaultPrefix: 
O13 - WWW Prefix: 
O13 - Home Prefix: 
O13 - Mosaic Prefix: 
O13 - FTP Prefix: 
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - X:\i386\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - X:\i386\system32\browseui.dll
O23 - Service: Indexing Service (CiSvc) - Unknown owner - X:\i386\system32\cisvc.exe (file missing)
O23 - Service: DCOM Services (DcomLaunch) - Unknown owner - svchost.exe (file missing)
O23 - Service: ImDisk Virtual Disk Driver Helper (ImDskSvc) - Olof Lagerkvist - X:\i386\system32\imdsksvc.exe
O23 - Service: Smart Card (SCardSvr) - Unknown owner - X:\i386\System32\SCardSvr.exe (file missing)
O23 - Service: Print Spooler (Spooler) - Unknown owner - X:\i386\system32\spoolsv.exe (file missing)
O23 - Service: Performance Logs and Alerts (SysmonLog) - Unknown owner - X:\i386\system32\smlogsvc.exe (file missing)
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - X:\i386\System32\ups.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - X:\i386\System32\vssvc.exe (file missing)

End of file - 2755 bytes

5. Using Hiren's Boot CD v13.2, I ran GMER. The log is here:

GMER - http://www.gmer.net
Rootkit scan 2011-05-12 06:33:59
Windows 5.1.2600 
Running: G-MER.exe; Driver: B:\Temp\kwtdypog.sys

---- System - GMER 1.0.15 ----

INT 0x01        \SystemRoot\system32\drivers\dummy.sys  F7B6E7C0
INT 0x03        \SystemRoot\system32\drivers\dummy.sys  F7B6E7E0
INT 0x1F        \I386\SYSTEM32\HALAACPI.DLL             80A18FD0
INT 0x37        \I386\SYSTEM32\HALAACPI.DLL             80A18728
INT 0x3D        \I386\SYSTEM32\HALAACPI.DLL             80A19B70
INT 0x41        \I386\SYSTEM32\HALAACPI.DLL             80A199CC
INT 0x50        \I386\SYSTEM32\HALAACPI.DLL             80A18800
INT 0xC1        \I386\SYSTEM32\HALAACPI.DLL             80A18984
INT 0xD1        \I386\SYSTEM32\HALAACPI.DLL             80A17D34
INT 0xE1        \I386\SYSTEM32\HALAACPI.DLL             80A18F0C
INT 0xE3        \I386\SYSTEM32\HALAACPI.DLL             80A18C70
INT 0xFD        \I386\SYSTEM32\HALAACPI.DLL             80A19464
INT 0xFE        \I386\SYSTEM32\HALAACPI.DLL             80A19604

---- Kernel code sections - GMER 1.0.15 ----

?               \I386\SYSTEM32\NTKRNLMP.EXE             kernel module suspicious modification
?               \I386\SYSTEM32\NTKRNLMP.EXE             The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs                  dc_fsf.sys
AttachedDevice  \Driver\ftdisk \Device\HarddiskVolume1  dcrypt.sys
AttachedDevice  \Driver\ftdisk \Device\HarddiskVolume1  snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice  \Driver\ftdisk \Device\HarddiskVolume2  dcrypt.sys
AttachedDevice  \Driver\ftdisk \Device\HarddiskVolume2  snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice  \Driver\ftdisk \Device\HarddiskVolume3  dcrypt.sys
AttachedDevice  \Driver\ftdisk \Device\HarddiskVolume3  snapman.sys (Acronis Snapshot API/Acronis)

Device          \Driver\ACPI_HAL \Device\00000008       HALAACPI.DLL

AttachedDevice  \FileSystem\Fastfat \Fat                dc_fsf.sys
AttachedDevice  \FileSystem\Fastfat \Fat                fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread          System [4:132]                          F695A096

---- EOF - GMER 1.0.15 ----

6. Tried to run an old version of Kaspersky rescue disk (version 8?). It wouldn't run. I got this error:

!!Media not found
>>no bootable medium found. Waiting for new devices.
>>looking for the cdrom
>>attempting to mount media:-/dev/sr0
>>attempting to mount media:-/dev/sr1
>>attempting to mount media:-/dev/sda1
>>attempting to mount media:-/dev/sda2
>>attempting to mount media:-/dev/sdb1
>>attempting to mount media:-/dev/sdc
!!Media not found
!!Could not find CD to boot, something else needed!
>>determining root device...
!!Could not find the root block device in .
Please specify another value or : press Enter for the same. Type 'shell' for a
shell or a to skip...

I got this same error when trying to run other Linux-based rescue CDs, e.g. BitDefender, and the Linux part of Hiren's.

No new hardware has been installed lately.

I installed Win7-SP1 about 2 weeks ago and didn't have any problems with it.

I am suspecting a Rootkit at this point, but I am not sure. This is nasty whatever it is. Any ideas of what to try next would be appreciated. Does anyone think this is a rootkit?

Thanks for your help!


Antec Fusion Remote Black Micro ATX Media Center / HTPC Case
Intel BOXDH55TC LGA 1156 Micro ATX Intel Motherboard
Antec EarthWatts Green EA-430D Power Supply
Intel Core i3-540 Clarkdale 3.06GHz LGA 1156
Western Digital Caviar Blue WD10EALS 1TB 7200 RPM SATA 3.0Gb/s 3.5" Internal Hard Drive
Kingston ValueRAM 4GB (2 x 2GB) 240-Pin DDR3 SDRAM DDR3 1333 (PC3 10600)
ASUS PCE-N13 PCI Express Wireless Adapter

Edited by jbrid, 12 May 2011 - 12:15 PM.

#2 jbrid

  • Topic Starter

  • Members
  • 2 posts
  • Local time:09:58 AM

Posted 14 May 2011 - 08:01 PM

I was able to resolve this issue and wanted to post the steps I took in case it can help someone else.

I found these two threads to be helpful:


Here goes:

  • Downloaded the later Kaspersky Rescue Disk (v.10). During its boot sector scan it found Rootkit.Win32.TDSS.mbr and cleaned it.
  • I booted the PC in normal mode successfully.
  • Scanned with Microsoft Security Essentials and it found Karagany.A and cleaned it.
  • I ran sfc /scannow. I found that ehres.dll was corrupt and repaired that. I think this was a non-issue caused by a theme modification of Windows Media Center.
  • I ran CHKDSK /F. No issues.
  • I ran the ESET Online Scanner according to the instructions here. It found and cleaned Win32\Olmarik.AMN trojan.
  • I ran GMER. It reported (and I think deleted) c:\windows\softwaredistribution\datastore\log\tmp.edb.
  • I ran Sophos Anti-Rootkit. No issues.
My PC is running normally again.
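The boot-sector scan in the first step above is what caught the MBR infection. As an added example that is not part of this thread or of any of the tools named in it, the Python script below parses a 512-byte MBR, checks the boot signature and partition table, and compares the boot-code hash against a known-good baseline, which is the kind of check a rescue-disk scanner performs before looking at the file system. The sample MBR bytes are constructed here, not taken from the poster's disk.

```python
import hashlib
import struct

# Constructed sample: 512-byte MBR with zeroed boot code, one active NTFS
# partition starting at LBA 2048, and the 0x55AA signature (not a real disk).
def build_sample_mbr() -> bytes:
    boot_code = b"\x00" * 446
    # Partition entry: status, CHS start (3), type, CHS end (3), LBA start, sector count
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 2095104)
    table = entry + b"\x00" * (16 * 3)   # remaining three entries empty
    return boot_code + table + b"\x55\xaa"

def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR into boot code hash, partition entries and signature check."""
    if len(mbr) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, lba, count = struct.unpack("<B3sB3sII", mbr[off:off + 16])
        if ptype != 0:                   # type 0 means an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "signature_ok": mbr[510:512] == b"\x55\xaa",
        "boot_code_sha256": hashlib.sha256(mbr[:446]).hexdigest(),
        "partitions": partitions,
    }

def check_mbr(mbr: bytes, known_good_boot_code_sha256: str) -> list:
    """Return findings; an empty list means nothing suspicious by these checks.
    The baseline hash is assumed to have been recorded from a clean install."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != known_good_boot_code_sha256:
        # A bootkit that hooks the boot path rewrites these 446 bytes,
        # so any change from the baseline deserves a closer look.
        findings.append("boot code differs from baseline")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected 1)")
    return findings

if __name__ == "__main__":
    sample = build_sample_mbr()
    baseline = parse_mbr(sample)["boot_code_sha256"]
    print(check_mbr(sample, baseline))
```

On a real machine the 512 bytes would come from reading the first sector of the physical disk from a clean boot environment, and the baseline hash from the same disk before infection or from a known-good image.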

#3 Budapest


    Bleepin' Cynic

  • Moderator
  • 23,579 posts
  • Gender:Male
  • Local time:12:58 AM

Posted 15 May 2011 - 04:11 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
