
I'm fine except ... chkdsk /f will not run at boot and ...


  • This topic is locked
70 replies to this topic

#1 Digitalrust

  • Members

Posted 07 March 2012 - 12:10 AM

I'm hoping there is a really nice expert at bleepingcomputer.com who would be willing to figure out this weird puzzle.

.
==== The Problem ========================
.

In XP Pro SP3, after setting "chkdsk /f " to run during boot, chkdsk /f will not run during boot.

Possible TDL3 rootkit infection ?

.
==== 21 Unsuccessful steps I've taken to make chkdsk /f run at boot, after being selected ========================
.
1.
Start, Run, "chkdsk /f", Y (yes do it after drive is UN-mounted), Reboot
= CHKDSK does not run at boot

2.
Start, My Computer, right click C:, Properties, Tools, Error-checking, Check now, tick Automatically fix file system errors, Start, Yes when un-mounted, OK, Reboot
=CHKDSK does not run at boot

3.
I checked the registry to see if CHKDSK /f was set properly:
Start, Run, "regedit", navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
Name: BootExecute Type:REG_MULTI_SZ Data: autocheck autochk /p \??\C: autocheck autochk *
= yes chkdsk /f is set to run at boot

4.
I checked to see if dirty bit is set:
Start, Run, "cmd", "fsutil dirty query c:"
= Volume - c: is NOT Dirty

5.
Run, "cmd", "fltmc.exe"
I get a "graph" with columns Filter Name, Num Instances, and Frame.
Row 1 says "KLIF" under Filter Name, "2" under Num Instances, "0" under Frame.
Row 2 says "sr" under Filter Name, nothing under Num Instances, <Legacy> under Frame

6.
Removed Kaspersky Internet Security,
tried steps 1 and 2
= chkdsk did not run
Kaspersky reinstalled.

7.
I checked to see if the file was the original file:
c:\WINDOWS\System32\autochk.exe exists
Start, Run, "sigverif", Advanced, "autochk.exe", "C:\WINDOWS\System32"
= Your files have been scanned and verified as digitally signed

8.
I checked to see if the file was the original file, using a different method:
I ran Sysinternals, sigcheck.exe c:\windows\system32\autochk.exe
= Verified: Signed
Signing date: 6:13 PM 4/13/2008
Publisher: Microsoft Corporation
Description: Auto Check Utility
Product: Microsoft® Windows® Operating System
Version: 5.1.2600.5512
File Version: 5.1.2600.5512 <xpsp.080413-2111>

9.
I checked to see if autochk.exe had all the drivers it needed; I ran Dependency Walker
= no errors were reported.

10.
To see if the drive itself had any problems I ran the Western Digital Data Lifeguard Diagnostic for Windows
extended test
= the drive passed

11.
To see if the drive itself had any problems I ran Avanquest Partition Commander, Check File System Integrity
= the file system passed

12.
To see if I could run chkdsk from the recovery console:
during boot I selected Windows Recovery Console; at the C:\WINDOWS prompt, "chkdsk /r" (/p is implied),
checking both the drive and the file system.
I repeated steps 1 and 2
= chkdsk will not run at boot

13.
Checked bios to be certain the SATA drive is set to IDE. It is.

14.
I checked to see if any DLLs had been overwritten.
I put a Windows XP Pro install disk with SP3 slipstreamed on it into the CD drive
Start, Run, "sfc /scannow"
I repeated steps 1 and 2
= chkdsk will not run at boot

15.
I replaced autochk.exe with an autochk.exe from a working system.
= chkdsk will not run at boot.

16.
To see if the chkdsk problem might be a malware problem
I ran Malwarebytes Anti-malware
= nothing found

17.
To see if the chkdsk problem might be a malware problem
I ran Eset online scanner
=nothing found

18.
To see if the chkdsk problem might be a malware problem
I ran Kaspersky Full Scan
= nothing found

19.
To see if the regedit info was wrong I changed
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
Name: BootExecute Type:REG_MULTI_SZ Data: autocheck autochk /p \??\C: autocheck autochk *
to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
Name: BootExecute Type:REG_MULTI_SZ Data:
repeated step 2
after setting chkdsk /f to boot I checked the registry before booting
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
Name: BootExecute Type:REG_MULTI_SZ Data: autocheck autochk /p \??\C:
rebooted
=chkdsk does not run at boot.

20.
I tried:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
Name: BootExecute Type:REG_MULTI_SZ Data: autocheck autochk *
=chkdsk does not run at boot.

21.
I tried to boot into safe mode to set chkdsk /f
= System will NOT boot into Safe Mode.

****** This may be a clue but I don't know how to use it *******

.
==== Notes to Bleeping Computer Expert: ========================
.
A. Last year (2011) this computer was exhibiting odd behavior; see: www.bleepingcomputer.com, March 14, 2011, "Outlook express autonomous, odd Kaspersky warnings, Malwarebytes fights infection and loses?" The odd behavior stopped.

In fall of 2011, the computer BSODed for the first time ever (visible on screen). The frequency of BSODs increased, with many different reported reasons including 0x0000000A - IRQL_NOT_LESS_OR_EQUAL, 0x0000004E - PFN_LIST_CORRUPT, etc. I consulted Microsoft support; they suggested that all errors pointed to bad memory. They said even though the memory I was using had passed memtest86+ 4.20 for 24 hours I should try testing it against the Intel Burn Test. I discovered my memory would not pass Intel Burn Test V2 at all. So all memory was replaced and all BSODs stopped. With the new memory Memtest86+ passes with no errors, and Intel Burn Test V2 passes 10 extreme tests.

A month passed without any errors.

Then I tried to run chkdsk /f at boot and discovered the current problem.

B. While trying to run GMER for this posting an IRQL_NOT_LESS_OR_EQUAL BSOD occurred. I ran chkdsk /p from the Windows Recovery Console.
GMER was able to run and complete.

C. The system boots to normal mode.
I have not found any programs with problems, while running in normal mode, except for GMER.

D. System restore is not turned on.

E. Avanquest Driver Genius reports I am using all of the latest drivers.

F. After running GMER, when it stopped, Kaspersky popped up a window stating the "Kaspersky blacklist Key file is corrupt, update now".
I tried several times to run Kaspersky update but it failed.

G. Reboot, ran Kaspersky updated = update successful.

H. So it won't run chkdsk at boot and it won't boot to safe mode.

.
==== Description of my computer system ========================
.

OS XP Pro Service Pack 3, All updates installed.
System Manufacturer Gigabyte Technology Co., Ltd.
System Model GA-X38-DQ6
Processor Intel Core 2 Quad Q6600 Kentsfield 2.4 GHz
BIOS Version/Date Award Software International, Inc. F8 - latest bios update
Total Physical Memory 4,096.00 MB
Available Physical Memory 2.76 GB
Total Virtual Memory 2.00 GB
Available Virtual Memory 1.96 GB
Memtest86+ - memory passes 48 hour test
Intel Burn Test V2 passes 10 extreme tests
Hard Drive: 500 GB Western Digital Caviar Black
Video Card: EVGA 512-P3-N802-A1 GeForce 8800GT
Not Overclocking
System BIOS set to FailSafe Mode
Antivirus Protection: Kaspersky Pure 2.0.12.1.288

.
==== DDS.TXT Follows ========================
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_31
Run by Arclight at 16:48:33 on 2012-03-05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2795 [GMT -8:00]
.
AV: Kaspersky PURE 2.0 *Enabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky PURE 2.0 *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky PURE 2.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nlssrv32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Replay Media Catcher\FLVSrvc.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Kaspersky Lab\Kaspersky PURE 2.0\avp.exe
C:\Program Files\iPod\bin\iPodService.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky pure 2.0\ievkbd.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky pure 2.0\klwtbbho.dll
{555d4d79-4bd2-4094-a395-cfc534424a05}
mRun: [Standby] "c:\program files\common files\corel\standby\Standby.exe" -STOP
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Ask and Record FLV Service] "c:\program files\replay media catcher\FLVSrvc.exe" /run
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [avp] "c:\program files\kaspersky lab\kaspersky pure 2.0\avp.exe"
dRunOnce: [RunNarrator] Narrator.exe
IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky pure 2.0\ie_banner_deny.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
IE: {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38E51477-DDB4-4aed-9D61-D0C193E10749}
{38E51477-DDB4-4aed-9D61-D0C193E10749} - {38e51477-ddb4-4aed-9d61-d0c193e10749}\inprocserver32 does not exist!
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky pure 2.0\ievkbd.dll
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky pure 2.0\klwtbbho.dll
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1275451588953
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1275451580703
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{45D67174-305D-4300-A2B7-219DD6101ACD} : DhcpNameServer = 192.168.1.1
Notify: klogon - c:\windows\system32\klogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
IFEO: taskmgr.exe - "c:\documents and settings\arclight\my documents\data\core security programs\sysinternals\PROCEXP.EXE"
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\arclight\application data\mozilla\firefox\profiles\fekzoa6k.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/advanced_search
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.0.61118.0\npctrlui.dll
FF - plugin: c:\program files\mie\alternatiff\npzzatif.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
.
============= SERVICES / DRIVERS ===============
.
R0 CSCrySec;InfoWatch Encrypt Sector Library driver;c:\windows\system32\drivers\CSCrySec.sys [2012-1-18 88632]
R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2008-2-26 38432]
R0 KL1;kl1;c:\windows\system32\drivers\kl1.sys [2011-10-20 135984]
R1 CSVirtualDiskDrv;InfoWatch Virtual Disk driver;c:\windows\system32\drivers\CSVirtualDiskDrv.sys [2012-1-18 39352]
R1 GearAspiSys;GearAspiSys;c:\windows\system32\drivers\GEARASPISYS.SYS [2008-4-12 53412]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2011-10-20 13104]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2012-2-24 583472]
R2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky pure 2.0\avp.exe [2011-12-24 202296]
R2 CSObjectsSrv;CryptoStorage control service;c:\program files\common files\infowatch\cryptostorage\ProtectedObjectsSrv.exe [2009-12-21 743992]
R2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\nlssrv32.exe [2011-10-25 66560]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-8-30 2253120]
R3 appliandMP;appliandMP;c:\windows\system32\drivers\appliand.sys [2011-7-3 28256]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2011-3-10 34608]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-11-2 19472]
R3 Mach3;Mach3 Pulseing Service;c:\windows\system32\drivers\Mach3.sys [2007-5-9 107648]
R3 SndTAudio;SndTAudio;c:\windows\system32\drivers\SndTAudio.sys [2008-11-8 23096]
R3 SndTVideo;SndTVideo;c:\windows\system32\drivers\SndTVideo.sys [2008-11-8 3768]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2012-2-20 1691480]
S3 appliand;Applian Network Service;c:\windows\system32\drivers\appliand.sys [2011-7-3 28256]
S3 CEUSBAUD;DigiTech USB MIDI Driver (MIDI);c:\windows\system32\drivers\ceusbaud.sys [2008-4-12 17920]
S3 epppdt;EPSON 1394.3 Class;c:\windows\system32\drivers\epppdt.sys [2008-3-20 31269]
S3 epppdtpr;EPSON 1394.3 Printer Class;c:\windows\system32\drivers\epppdtpr.sys [2008-3-20 14457]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2007-7-27 14336]
S3 NVIDIAHWAccess;NVIDIAHWAccess;\??\c:\documents and settings\arclight\application data\nvidia\hwaccess.sys --> c:\documents and settings\arclight\application data\nvidia\HWAccess.sys [?]
S3 SoundMovieServer;SoundMovieServer;c:\windows\system32\snmvtsvc.exe [2008-11-8 200704]
S3 USB18PRG;mikroElektronika USB18F Device (x86 Platform);c:\windows\system32\drivers\USB18PRG.sys [2008-11-12 39424]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD5002AALX-32Z3A0 rev.05.01D05 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: >>UNKNOWN [0x804D7000]<< >>UNKNOWN [0xF7657000]<< >>UNKNOWN [0xF7647000]<< >>UNKNOWN [0xF75A8000]<< >>UNKNOWN [0x80700000]<< >>UNKNOWN [0xF7452000]<< >>UNKNOWN [0xF7A4F000]<< >>UNKNOWN [0xF7707000]<<
_asm { DEC EBP; POP EDX; NOP ; ADD [EBX], AL; ADD [EAX], AL; ADD [EAX+EAX], AL; ADD [EAX], AL; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x8B416AB8]
\Driver\Disk[0x8B426E98] -> IRP_MJ_CREATE -> 0xF765DBB0
3 [0xF7657FD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\00000082[0x8B41C688]
\Driver\ACPI[0x8B47E9C8] -> IRP_MJ_CREATE -> 0xF75AECB8
5 [0xF75AE620] -> nt!IofCallDriver[0x804E13B9] -> \Device\Ide\IdeDeviceP0T0L0-3[0x8B3E18D8]
\Driver\atapi[0x8B423848] -> IRP_MJ_CREATE -> 0xF745C6F2
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0xF7459864
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 16:49:39.39 ===============


Edited by Digitalrust, 07 March 2012 - 05:23 PM.
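An added example, not from the thread or from any of the tools it mentions: a Python triage script over the two artifacts quoted in post #1, the BootExecute entries from step 3 and the GMER "ROOTKIT" section of the DDS log. The sample data is constructed from those quoted lines, and the script assumes the BootExecute value is supplied as its stored list of REG_MULTI_SZ strings.

```python
"""Triage of the two artifacts quoted in post #1: the BootExecute entries (step 3)
and the GMER 'ROOTKIT' section of the DDS log.  It checks whether a forced check
of C: is really scheduled and whether anything is hooked in the disk stack."""
import re
from dataclasses import dataclass, field

# Constructed from step 3 of the post.  The registry stores REG_MULTI_SZ as a
# list of strings; the post shows them run together on one line.
BOOT_EXECUTE_STEP3 = ["autocheck autochk /p \\??\\C:", "autocheck autochk *"]
BOOT_EXECUTE_DEFAULT = ["autocheck autochk *"]   # stock XP value (step 20)

# Constructed from the 'ROOTKIT' section of the quoted DDS log (abridged).
GMER_SECTION = r"""
Disk trace:
called modules: >>UNKNOWN [0x804D7000]<< >>UNKNOWN [0xF7657000]<< >>UNKNOWN [0xF7647000]<<
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x8B416AB8]
\Driver\atapi[0x8B423848] -> IRP_MJ_CREATE -> 0xF745C6F2
kernel: MBR read successfully
detected hooks:
\Driver\atapi DriverStartIo -> 0xF7459864
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
"""

@dataclass
class ScheduledCheck:
    volume: str   # "C:" for one volume, "*" for every volume with a dirty bit
    forced: bool  # /p (or /r, which implies /p): run even if the volume is clean
    repair: bool  # /r: also scan for bad sectors
    raw: str

def parse_boot_execute(entries):
    """Return the autochk runs Session Manager will launch at boot."""
    checks = []
    for entry in entries:
        parts = entry.split()
        if len(parts) < 3 or [p.lower() for p in parts[:2]] != ["autocheck", "autochk"]:
            continue  # some other boot-time program, not an autochk line
        flags = {p.lower() for p in parts[2:-1] if p.startswith("/")}
        target = parts[-1]
        m = re.fullmatch(r"\\\?\?\\([A-Za-z]:)", target)  # NT object path \??\C:
        volume = m.group(1).upper() if m else target
        checks.append(ScheduledCheck(volume=volume, forced=bool(flags & {"/p", "/r"}),
                                     repair="/r" in flags, raw=entry))
    return checks

@dataclass
class GmerFindings:
    hooks: list = field(default_factory=list)  # (driver, routine, address) tuples
    unknown_modules: int = 0                   # unnamed modules in the I/O path
    warnings: list = field(default_factory=list)
    mbr_ok: bool = False

HOOK_RE = re.compile(r"^(\\Driver\\\S+)\s+(\w+)\s+->\s+(0x[0-9A-Fa-f]+)$")

def parse_gmer(text):
    """Extract hooks, unnamed modules and warnings from GMER's disk trace."""
    f = GmerFindings()
    in_hooks = False
    for line in text.splitlines():
        line = line.strip()
        if in_hooks:
            m = HOOK_RE.match(line)
            if m:
                f.hooks.append(m.groups())
                continue
            in_hooks = False  # first non-hook line ends the list
        if line.startswith("called modules:"):
            f.unknown_modules = line.count(">>UNKNOWN")
        elif line == "detected hooks:":
            in_hooks = True
        elif line.startswith("Warning:"):
            f.warnings.append(line[len("Warning:"):].strip())
        elif line == "user & kernel MBR OK":
            f.mbr_ok = True
    return f

def triage(boot_execute, gmer_text):
    """Combine both artifacts into the notes a responder would write down."""
    notes = []
    forced = [c for c in parse_boot_execute(boot_execute) if c.forced]
    if forced:
        notes.append("forced autochk scheduled for " + ", ".join(c.volume for c in forced))
    else:
        notes.append("no forced check scheduled; only dirty volumes would be checked")
    g = parse_gmer(gmer_text)
    for driver, routine, addr in g.hooks:
        # A hook on the port driver's start-I/O routine sits below the file
        # system, where autochk's raw access to the volume can be intercepted.
        notes.append(f"{routine} of {driver} hooked at {addr}")
    if g.unknown_modules:
        notes.append(f"{g.unknown_modules} unnamed kernel modules in the disk I/O path")
    notes.extend("GMER: " + w for w in g.warnings)
    return notes

if __name__ == "__main__":
    for note in triage(BOOT_EXECUTE_STEP3, GMER_SECTION):
        print("-", note)
```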



#2 m0le

    Can U Dig It?

  • Malware Response Team
  • Location: London, UK

Posted 12 March 2012 - 07:23 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 Digitalrust
  • Topic Starter
  • Members

Posted 13 March 2012 - 02:33 AM

Hi,

Thank you for responding. I really appreciate your offering to help me.

I am writing this from a friend's computer as mine is not booting now.

While I was waiting for a response I tried start, run, chkdsk /f /v /r /x c:

As usual chkdsk was skipped and normal mode booted.

So I ran the western digital data lifeguard program again. It still reports the disk passes its extended test.

Then I tried running sfc /scannow again, but this time with the original install disk in the D: drive, not the one that had SP3 slipstreamed.

But I did that only after I made sure the registry was pointed at the service pack directory, like it should be.

When I rebooted my computer for the first time since the problem started, other than when I ran chkdsk from the recovery console, I saw the light blue chkdsk screen with a message in the upper left corner:

"Checking file system on c:
the type of file system is NTFS
cannot open volume for direct access
windows has finished checking the disk
......"

But it didn't do a chkdsk scan.
Instead it started in normal mode.

Everything seemed fine until I noticed the Google search page looked wrong.
So I rebooted

Now
It won't boot to safe mode
and it won't boot to normal mode.

I'm sorry but I will not be able to respond again until March 15th.

Thank you for your help.

#4 m0le

    Can U Dig It?

  • Malware Response Team
  • Location: London, UK

Posted 13 March 2012 - 05:45 PM

It looks like TDL3 has stopped your system booting.

You should be able to boot using a Linux operating system.

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Next download http://noahdfear.net/downloads/rst.sh to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • Expand your USB (sdb1)
  • Confirm that you see rst.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash rst.sh
  • Press Enter
  • After it has finished a report will be located at sdb1 named enum.log
  • Plug that USB back into the clean computer and open it

Please note: If you have an ethernet connection you can access the internet by way of xPUD (Firefox). You can perform all these steps on your sick computer. When you download the download will reside in the Download folder. It can be found under the File tab also. You can similarly access our thread by way of this OS too so you can send the logs that way.

Please also note - all text entries are case sensitive

Copy and paste the enum.log for my review
m0le is a proud member of UNITE

#5 Digitalrust (Topic Starter)

Posted 13 March 2012 - 06:37 PM

Hi M0le,

I'm on the sick computer.

I just turned it on and it booted.

I don't understand that at all.

I'm not going to do anything until you tell me how to proceed.

Should I still make USB flash drive xPUD thing you just suggested?

#6 m0le (Malware Response Team)

Posted 13 March 2012 - 06:42 PM

Change of plan. Let's see if we can find out what's happening with TDL3.

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\


#7 Digitalrust (Topic Starter)

Posted 13 March 2012 - 07:44 PM

I tried that myself when I didn't get a reply to my bleepingcomputer request.

When no one responded I figured I was on my own.

Since DDS said it might be a TDL3 problem, I ran TDSSKiller from my desktop.
checked all parameters
TDSSKiller saw 9 threats so I clicked quarantine them all.
I ran it again and it found 290 more threats. So I quarantined them too.

The log file is attached.


#8 m0le (Malware Response Team)

Posted 13 March 2012 - 07:57 PM

It has quarantined some unsigned drivers but there's nothing solid. Please run aswMBR

Please download aswMBR (511KB) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

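As an added example (not from m0le's post, and not code from aswMBR, xPUD or rst.sh): aswMBR inspects the disk's master boot record, and the xPUD live USB described earlier in the thread lets you read that sector while the infected Windows is not running. The Python below performs the basic version of that check against the raw first sector of a disk or image: it verifies the 0x55AA signature, parses the four partition entries, hashes the boot-code area against a set of known-good hashes, and reports structural oddities such as overlapping partitions, an invalid status byte, more than one active partition, or unpartitioned sectors beyond the last partition, which is where bootkits commonly park their payload. The two MBR images, the disk size and the "known-good" hash are constructed for the example; on a real system you would pass read_mbr("/dev/sda") (or \\.\PhysicalDrive0 on Windows) and the hash of a clean MBR taken from the same Windows version.

```python
from __future__ import annotations

import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
MBR_CODE_LEN = 440              # boot code area; bytes 440..445 hold the disk signature
PART_TABLE_OFF = 446            # four 16-byte partition entries follow
MBR_SIGNATURE = b"\x55\xaa"     # bytes 510..511
ENTRY_FMT = "<B3xB3xII"         # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


@dataclass
class Partition:
    index: int
    status: int
    ptype: int
    lba_start: int
    sectors: int

    @property
    def active(self) -> bool:
        return self.status == 0x80

    @property
    def lba_end(self) -> int:   # exclusive
        return self.lba_start + self.sectors


def read_mbr(path: str) -> bytes:
    """Read the first sector of a block device or raw image (e.g. /dev/sda from a live USB)."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR)


def parse_partitions(mbr: bytes) -> list[Partition]:
    """Return the non-empty partition entries (type 0x00 marks an unused slot)."""
    parts = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0x00:
            parts.append(Partition(i, status, ptype, lba_start, sectors))
    return parts


def mbr_code_hash(mbr: bytes) -> str:
    """SHA-256 of the boot-code area only, so a legitimate partition-table edit does not change it."""
    return hashlib.sha256(mbr[:MBR_CODE_LEN]).hexdigest()


def audit_mbr(mbr: bytes, disk_sectors: int, known_good: set[str]) -> list[str]:
    """Return a list of findings; an empty list means nothing looked wrong."""
    if len(mbr) != SECTOR:
        return [f"MBR is {len(mbr)} bytes, expected {SECTOR}"]
    findings = []
    if mbr[510:512] != MBR_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if mbr_code_hash(mbr) not in known_good:
        findings.append("boot code hash not in known-good set")
    parts = parse_partitions(mbr)
    active = [p for p in parts if p.active]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected 1)")
    for p in parts:
        if p.status not in (0x00, 0x80):
            findings.append(f"partition {p.index}: invalid status byte 0x{p.status:02x}")
        if p.lba_end > disk_sectors:
            findings.append(f"partition {p.index}: extends past end of disk")
    by_start = sorted(parts, key=lambda p: p.lba_start)
    for a, b in zip(by_start, by_start[1:]):
        if a.lba_end > b.lba_start:
            findings.append(f"partitions {a.index} and {b.index} overlap")
    if by_start:
        tail = disk_sectors - by_start[-1].lba_end
        if tail > 0:
            findings.append(f"{tail} unpartitioned sectors after last partition")
    return findings


def build_mbr(code: bytes, entries: list[tuple[int, int, int, int]]) -> bytes:
    """Assemble a 512-byte MBR from boot code and (status, type, lba_start, sectors) tuples. Test data only."""
    mbr = bytearray(SECTOR)
    mbr[: len(code)] = code
    for i, (status, ptype, start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i, status, ptype, start, count)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


# Constructed sample disks (1 GiB of 512-byte sectors); the "clean" boot code is a stand-in, not real Windows code.
DISK_SECTORS = 2_097_152
CLEAN_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 20
CLEAN_MBR = build_mbr(CLEAN_CODE, [(0x80, 0x07, 63, DISK_SECTORS - 63)])
KNOWN_GOOD = {mbr_code_hash(CLEAN_MBR)}

# Constructed "tampered" disk: different boot code and a partition shrunk by 4096 sectors, leaving a hidden tail.
TAMPERED_CODE = b"\xeb\xfe" + b"\x00" * 25
TAMPERED_MBR = build_mbr(TAMPERED_CODE, [(0x80, 0x07, 63, DISK_SECTORS - 63 - 4096)])

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, audit_mbr(image, DISK_SECTORS, KNOWN_GOOD) or ["no findings"])
```

The signature check and the boot-code hash mismatch are the hard failures. A non-zero tail of unpartitioned sectors is normal on many disks (alignment gaps, OEM data), so treat that finding as a pointer to image those sectors and look at them, not as proof of infection, and always take the known-good hash from a clean install of the same Windows version rather than from the machine under suspicion.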

#9 Digitalrust (Topic Starter)

Posted 13 March 2012 - 08:51 PM

While it was scanning I noticed some files were locked.
I don't recognise kl2.sys, klim5.sys or klmouflt.sys but kl1.sys is the last file I see listed before safe mode stops loading.

Here is the log file from the scan.


#10 m0le (Malware Response Team)

Posted 13 March 2012 - 08:54 PM

The kl files are Kaspersky files and are legitimate.

There's nothing showing TDL3 is still there. Please run FSS, another scanner which may help us.

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


#11 Digitalrust (Topic Starter)

Posted 13 March 2012 - 09:03 PM

Here is the FSS log

Attached Files

  • Attached File  FSS.txt   2.03KB   2 downloads


#12 m0le (Malware Response Team)

Posted 13 March 2012 - 09:05 PM

That all checks out - it's like there's suddenly nothing there. Can you rerun DDS and post the log, I'm interested in what it now says about the TDL3 detection.

#13 Digitalrust (Topic Starter)

Posted 13 March 2012 - 09:37 PM

DDS generated files attached.

chkdsk /f still does not work
safeboot mode still fails to boot.

and there are 300 files in quarantine.


#14 m0le (Malware Response Team)

Posted 14 March 2012 - 05:47 PM

It looks like damage which can be sorted out.

Let's see if we can repair your safe mode.
  • Please download Safe Boot Key Repair and save it to your desktop.
  • Open Safe Boot Key Repair from your desktop.
  • Copy and paste the resultant log here in your next reply.


#15 Digitalrust (Topic Starter)

Posted 14 March 2012 - 08:42 PM

Here is the safe boot repair log
