Windows 7 FixTDSS Caused Endless Reboot


This topic is locked. 7 replies to this topic

#1 Codexe

Codexe

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Jacksonville, FL
  • Local time:06:09 AM

Posted 17 September 2012 - 04:49 PM

The Windows 7 Professional 32-bit machine I was working on got infected, so I ran Malwarebytes and MSE, which removed a few items, but it was still having issues connecting to Google and Bing and couldn't send out emails via Outlook. So I ran FixTDSS, and now the machine won't boot.

The BSOD error is as follows:

Stop: 0x0000007E (0xc0000005, 0x8ae92211, 0x80786988, 0x80786560)
WDFLDR.SYS - Address 8AE92211 base at 8AE89000, Datestamp 4a5bbf1d

I ran a chkdsk /f /r and the results came back clean. I've tried to do a repair, Last Known Good, and ran a few commands: bootrec.exe /fixmbr; sfc /scannow found an error but could not fix it.

I have read a few posts on the issue on your site, so I ran FRST.EXE.

Any help would be greatly appreciated.

Thank You!

Cody

Results from FRST

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 16-09-2012 01
Ran by SYSTEM at 17-09-2012 16:37:44
Running from F:\
Windows 7 Professional (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s [7739936 2009-09-11] (Realtek Semiconductor)
HKLM\...\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup [1337608 2010-01-26] (Intuit Inc. All rights reserved.)
HKLM\...\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN [1159168 2009-05-26] (Brother Industries, Ltd.)
HKLM\...\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun [114688 2008-12-24] (Brother Industries, Ltd.)
HKLM\...\Run: [eCopy Scan Inbox Monitor] "C:\Program Files\eCopy\Desktop 9.2\Bin\InboxMonitor.exe" -run [79112 2008-01-29] (eCopy, Inc.)
HKLM\...\Run: [eDP2eD] "C:\Program Files\eCopy\Desktop 9.2\Bin\eDP2eD.exe" [144648 2008-01-29] (eCopy, Inc.)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [997408 2010-11-30] (Microsoft Corporation)
HKLM\...\Run: [KeyBoard] C:\PROGRA~1\Labtec\LABTEC~1\Keyboard.exe [36864 2006-12-21] ()
HKLM\...\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [63048 2011-09-16] (LogMeIn, Inc.)
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [38872 2012-07-31] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-11] (Adobe Systems Incorporated)
HKU\LisaBauer\...\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background [3883856 2009-07-26] (Microsoft Corporation)
HKU\LisaBauer\...\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup [221184 2005-02-16] (InstallShield Software Corporation)
HKU\LisaBauer\...\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start [79136 2008-10-24] (Macrovision Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.200.250
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Scanner File Utility.lnk
ShortcutTarget: Scanner File Utility.lnk -> C:\Program Files\Kyocera\FileUtility\NsCatCom.exe (KYOCERA MITA Corporation)

==================== Services (Whitelisted) ===================

2 AERTFilters; C:\Program Files\Realtek\Audio\HDA\AERTSrv.exe [81920 2009-03-31] (Andrea Electronics Corporation)
2 BPowMon; C:\Program Files\Broadcom\BPowMon\BPowMon.exe [79168 2009-08-17] (Broadcom Corp.)
2 DLPWD; C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE [116032 2009-08-28] (Dell Inc.)
2 DLSDB; C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE [140184 2006-12-07] (Dell Inc.)
2 LMIGuardianSvc; "C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe" [374184 2012-07-12] (LogMeIn, Inc.)
2 LMIMaint; "C:\Program Files\LogMeIn\x86\RaMaint.exe" [136616 2012-07-12] (LogMeIn, Inc.)
2 LogMeIn; "C:\Program Files\LogMeIn\x86\LogMeIn.exe" [390528 2011-09-16] (LogMeIn, Inc.)
3 PACSPTISVR-Sound_Organizer; "C:\Program Files\Sony\Sound Organizer\Sony.Earth\PACSPTISVR.exe" [157024 2010-11-19] (Sony Corporation)
2 SFUSVC; C:\Program Files\Kyocera\FileUtility\SFUSVC.exe [61440 2003-09-16] (KYOCERA MITA CORPORATION)
2 MsMpSvc; "c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe" [x]
3 NisSrv; "c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe" [x]

==================== Drivers (Whitelisted) ====================

3 k57nd60x; C:\Windows\System32\DRIVERS\k57nd60x.sys [273960 2009-08-21] (Broadcom Corporation)
2 LMIInfo; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys [12856 2011-09-16] (LogMeIn, Inc.)
3 lmimirr; C:\Windows\System32\DRIVERS\lmimirr.sys [10144 2011-09-16] (LogMeIn, Inc.)
2 LMIRfsDriver; \??\C:\Windows\system32\drivers\LMIRfsDriver.sys [47640 2011-09-16] (LogMeIn, Inc.)
1 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [165264 2010-10-24] (Microsoft Corporation)
3 MpNWMon; C:\Windows\System32\DRIVERS\MpNWMon.sys [43392 2010-10-24] (Microsoft Corporation)
0 PxHelp20; C:\Windows\System32\Drivers\PxHelp20.sys [45200 2009-07-09] (Sonic Solutions)
4 LMIRfsClientNP; [x]
0 Wdf01000; C:\Windows\System32\drivers\Wdf01000.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2012-09-17 14:48 - 2012-09-17 14:48 - 00000000 ____D C:\Windows\Microsoft Antimalware
2012-09-17 13:41 - 2012-09-17 13:41 - 00000000 ____D C:\Windows\System32\config\mybackup
2012-09-17 11:36 - 2012-09-17 11:35 - 00904230 ____A (Farbar) C:\FRST.exe
2012-09-17 11:33 - 2012-09-17 11:32 - 04751448 ____A (Swearware) C:\ComboFix.exe
2012-09-17 11:29 - 2012-01-26 04:33 - 01932256 ____A (Symantec Corporation) C:\FixTDSS.exe
2012-09-17 06:53 - 2012-09-17 06:54 - 00000000 ____D C:\tdsskiller
2012-09-17 05:46 - 2012-09-17 05:46 - 00026872 ____A (Symantec Corporation) C:\Windows\System32\Drivers\FixTDSS.sys
2012-09-17 05:46 - 2012-09-17 05:46 - 00000000 ____D C:\Users\LisaBauer\AppData\Roaming\FixTDSS
2012-09-14 16:48 - 2012-09-17 06:53 - 02211928 ____A (Kaspersky Lab ZAO) C:\TDSSKiller.exe
2012-09-14 09:23 - 2012-09-14 09:24 - 00000000 ____D C:\Users\All Users\036DFF850C8997B81B238B704F147C45
2012-09-14 09:23 - 2012-09-14 09:23 - 00184836 ____A C:\Windows\System32\c_726536.nls
2012-08-27 06:57 - 2012-08-27 08:26 - 00000000 ____D C:\Users\LisaBauer\AppData\Local\LogMeIn Rescue Applet
2012-08-22 11:51 - 2012-08-22 11:52 - 00001986 ____A C:\Users\Public\Desktop\Adobe Reader 9.lnk
2012-08-21 07:54 - 2012-08-21 07:54 - 00009480 ____A C:\Users\LisaBauer\Documents\Zitzman- Ryan Bush.wpd
2012-08-21 07:29 - 2012-08-21 07:29 - 00009534 ____A C:\Users\LisaBauer\Documents\Zitzman- James Lowe.wpd
2012-08-21 06:40 - 2012-08-21 06:40 - 00007943 ____A C:\Users\LisaBauer\Documents\Zitzman- Larry Newcomb.wpd
2012-08-21 06:20 - 2012-08-21 06:20 - 00007499 ____A C:\Users\LisaBauer\Documents\Zitzman- George Soloman Recorded Statement.wpd


==================== 3 Months Modified Files ==================

2012-09-17 11:35 - 2012-09-17 11:36 - 00904230 ____A (Farbar) C:\FRST.exe
2012-09-17 11:32 - 2012-09-17 11:33 - 04751448 ____A (Swearware) C:\ComboFix.exe
2012-09-17 06:53 - 2012-09-14 16:48 - 02211928 ____A (Kaspersky Lab ZAO) C:\TDSSKiller.exe
2012-09-17 05:46 - 2012-09-17 05:46 - 00026872 ____A (Symantec Corporation) C:\Windows\System32\Drivers\FixTDSS.sys
2012-09-17 05:46 - 2010-07-27 03:11 - 00721264 ____A C:\Windows\System32\PerfStringBackup.INI
2012-09-17 05:32 - 2011-01-31 08:41 - 00017998 ____A C:\Windows\setupact.log
2012-09-17 05:18 - 2012-01-27 08:28 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-09-17 04:58 - 2009-07-13 20:34 - 00014256 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-09-17 04:58 - 2009-07-13 20:34 - 00014256 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-09-17 04:52 - 2012-01-27 08:27 - 00000888 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-09-17 04:51 - 2011-01-31 08:41 - 01511458 ____A C:\Windows\WindowsUpdate.log
2012-09-17 04:51 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-09-14 10:38 - 2011-02-07 05:25 - 00012034 ____A C:\Windows\PFRO.log
2012-09-14 09:23 - 2012-09-14 09:23 - 00184836 ____A C:\Windows\System32\c_726536.nls
2012-09-11 12:06 - 2010-08-31 11:23 - 00000407 ____A C:\Windows\wtskbill.INI
2012-09-07 13:04 - 2011-01-31 06:55 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-08-27 07:29 - 2011-10-21 15:31 - 00001990 ___AH C:\Users\LisaBauer\Documents\Default.rdp
2012-08-23 04:14 - 2010-08-11 11:32 - 00000008 _RASH C:\Users\LisaBauer\ntuser.pol
2012-08-22 11:52 - 2012-08-22 11:51 - 00001986 ____A C:\Users\Public\Desktop\Adobe Reader 9.lnk
2012-08-21 07:54 - 2012-08-21 07:54 - 00009480 ____A C:\Users\LisaBauer\Documents\Zitzman- Ryan Bush.wpd
2012-08-21 07:29 - 2012-08-21 07:29 - 00009534 ____A C:\Users\LisaBauer\Documents\Zitzman- James Lowe.wpd
2012-08-21 06:40 - 2012-08-21 06:40 - 00007943 ____A C:\Users\LisaBauer\Documents\Zitzman- Larry Newcomb.wpd
2012-08-21 06:20 - 2012-08-21 06:20 - 00007499 ____A C:\Users\LisaBauer\Documents\Zitzman- George Soloman Recorded Statement.wpd
2012-08-20 08:07 - 2010-08-10 06:00 - 00000120 ____A C:\Windows\System32\config\netlogon.ftl
2012-08-06 10:54 - 2012-08-06 10:54 - 00000913 ____A C:\Users\Public\Desktop\Accounts Payable.lnk
2012-08-06 10:54 - 2010-08-31 12:04 - 00000944 ____A C:\Users\Public\Desktop\Taskbill.lnk
2012-08-06 10:54 - 2010-08-31 12:04 - 00000944 ____A C:\Users\Public\Desktop\System Configuration.lnk
2012-08-06 10:54 - 2010-08-31 12:04 - 00000920 ____A C:\Users\Public\Desktop\Tabs3.lnk
2012-08-06 10:54 - 2010-08-31 12:04 - 00000908 ____A C:\Users\Public\Desktop\PracticeMaster.lnk
2012-08-06 09:26 - 2010-08-25 05:44 - 00060304 ____A C:\Users\LisaBauer\g2mdlhlpx.exe
2012-07-20 12:26 - 2012-07-20 12:26 - 00000661 ____A C:\EasyShareInstall.log
2012-07-17 12:53 - 2012-07-17 12:53 - 00003899 ____A C:\Users\LisaBauer\Receptionist.wpd
2012-07-12 04:02 - 2012-01-27 11:22 - 00087456 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIinit.dll
2012-07-12 04:02 - 2012-01-27 11:22 - 00083392 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIRfsClientNP.dll
2012-07-12 04:02 - 2012-01-27 11:22 - 00030624 ____A (LogMeIn, Inc.) C:\Windows\System32\LMIport.dll
2012-06-21 11:46 - 2012-06-21 11:44 - 02302976 ____A C:\Users\LisaBauer\Desktop\backup.pst

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-08-06 04:42:30
Restore point made on: 2012-08-10 04:01:34
Restore point made on: 2012-08-13 06:59:33
Restore point made on: 2012-08-17 04:01:44
Restore point made on: 2012-08-20 04:44:42
Restore point made on: 2012-08-23 11:33:39
Restore point made on: 2012-08-27 04:46:45
Restore point made on: 2012-08-30 08:31:11
Restore point made on: 2012-09-04 04:29:16
Restore point made on: 2012-09-07 07:35:15
Restore point made on: 2012-09-11 07:34:51

==================== Memory info ===========================

Percentage of memory in use: 20%
Total physical RAM: 3036.8 MB
Available physical RAM: 2400.3 MB
Total Pagefile: 3035.08 MB
Available Pagefile: 2410.45 MB
Total Virtual: 2047.88 MB
Available Virtual: 1965.65 MB

==================== Partitions =============================

1 Drive c: (OS) (Fixed) (Total:223.67 GB) (Free:175.03 GB) NTFS
2 Drive e: (WIN_7_PROFESSIONAL) (CDROM) (Total:4.78 GB) (Free:0 GB) UDF
3 Drive f: (Transcend) (Removable) (Total:7.46 GB) (Free:7.36 GB) FAT32
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (RECOVERY) (Fixed) (Total:9.12 GB) (Free:5.18 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 232 GB 0 B
Disk 1 Online 7660 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 39 MB 31 KB
Partition 2 Primary 9 GB 40 MB
Partition 3 Primary 223 GB 9 GB

=========================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 FAT Partition 39 MB Healthy Hidden

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y RECOVERY NTFS Partition 9 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 223 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7656 MB 4096 KB

=========================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F Transcend FAT32 Removable 7656 MB Healthy

=========================================================

Last Boot: 2012-09-05 20:12

==================== End Of Log ============================

Edited by Codexe, 18 September 2012 - 06:47 AM.
Moved from Win 7 to Malware Removal Logs - Hamluis.



#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,726 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:09 PM

Posted 18 September 2012 - 06:37 AM

Hello Cody,

Welcome to the forum.

I think you meant WDFLDR.SYS and not WDFLR.SYS.

Boot to System Recovery Options and run FRST.

Type the following in the edit box after "Search:".

wdf01000.sys;wdfldr.SYS

Note: The file names should be separated by a semicolon (;).

Click the Search File(s) button and post the log it makes in your reply.

#3 Codexe

Posted 18 September 2012 - 07:01 AM

Hello Farbar,

Sorry for the typo; I edited my previous post and corrected that mistake.

Below is the result from the search:

Farbar Recovery Scan Tool (x86) Version: 16-09-2012 01
Ran by SYSTEM at 2012-09-18 07:55:27
Running from F:\

================== Search: "wdf01000.sys;wdfldr.sys" ===================

C:\Windows\winsxs\x86_microsoft-windows-wdf-kernellibrary_31bf3856ad364e35_6.1.7600.16385_none_76296e5d7f3fae5b\Wdf01000.sys
[2009-07-13 15:11] - [2012-09-17 07:44] - 0445008 ____A () D41D8CD98F00B204E9800998ECF8427E

C:\Windows\winsxs\x86_microsoft-windows-wdf-kernellibrary_31bf3856ad364e35_6.1.7600.16385_none_76296e5d7f3fae5b\WdfLdr.sys
[2009-07-13 15:11] - [2009-07-13 17:19] - 0038480 ____A (Microsoft Corporation) FE7A7675C26FE936226641EF32AE9BB5

C:\Windows\System32\drivers\WdfLdr.sys
[2009-07-13 15:11] - [2009-07-13 17:19] - 0038480 ____A (Microsoft Corporation) FE7A7675C26FE936226641EF32AE9BB5

C:\Users\LisaBauer\AppData\Roaming\FixTDSS\Archive\Wdf01000.sys
[2012-09-17 05:46] - [2009-07-13 17:19] - 0445008 ____A (Microsoft Corporation) 9950E3D0F08141C7E89E64456AE7DC73

=== End Of Search ===

#4 Farbar

Posted 18 September 2012 - 07:50 AM

No need to edit the old post. If you want to edit, please add a new post. :)

There seems to be nothing wrong with that file, but there is something wrong with a related driver. We are going to fix it and see how it goes.

Please download the attached file fixlist.txt (384 bytes).
Save it to your flash drive.
Boot to System Recovery Options.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Also restart, let it boot normally and tell me how it went.
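
The comparison Farbar draws from the search in post #3 (WdfLdr.sys is fine; a related driver, Wdf01000.sys, is not) can be made mechanically from the hashes FRST prints. The Python below is an added example, not part of the thread and not FRST's own code: it parses FRST search output of the shape posted above (the sample log is constructed from the four entries in this thread) and flags the copy of a file that disagrees with the other copies of the same name. The names EMPTY_MD5, parse_search and find_suspects are this example's own.

```python
"""Cross-check copies of the same driver found by an FRST file search.

Added example, not FRST's code. FRST lists every copy of a searched file as a
path line followed by an attribute line:
    [created] - [modified] - size attrs (company) MD5
Copies of one driver normally live in WinSxS, System32\drivers and any tool
archive, and they should all hash the same; the odd one out is the one to look at.
"""
import hashlib
import re
from collections import defaultdict

# MD5 of zero bytes. A driver whose reported hash is this value was either
# emptied or could not be read; a 445,008-byte file cannot legitimately produce it.
EMPTY_MD5 = hashlib.md5(b"").hexdigest().upper()  # D41D8CD98F00B204E9800998ECF8427E

# Sample search output, constructed from the entries posted in this thread.
SAMPLE_LOG = r"""================== Search: "wdf01000.sys;wdfldr.sys" ===================

C:\Windows\winsxs\x86_microsoft-windows-wdf-kernellibrary_31bf3856ad364e35_6.1.7600.16385_none_76296e5d7f3fae5b\Wdf01000.sys
[2009-07-13 15:11] - [2012-09-17 07:44] - 0445008 ____A () D41D8CD98F00B204E9800998ECF8427E

C:\Windows\winsxs\x86_microsoft-windows-wdf-kernellibrary_31bf3856ad364e35_6.1.7600.16385_none_76296e5d7f3fae5b\WdfLdr.sys
[2009-07-13 15:11] - [2009-07-13 17:19] - 0038480 ____A (Microsoft Corporation) FE7A7675C26FE936226641EF32AE9BB5

C:\Windows\System32\drivers\WdfLdr.sys
[2009-07-13 15:11] - [2009-07-13 17:19] - 0038480 ____A (Microsoft Corporation) FE7A7675C26FE936226641EF32AE9BB5

C:\Users\LisaBauer\AppData\Roaming\FixTDSS\Archive\Wdf01000.sys
[2012-09-17 05:46] - [2009-07-13 17:19] - 0445008 ____A (Microsoft Corporation) 9950E3D0F08141C7E89E64456AE7DC73

=== End Of Search ===
"""

# Attribute line: [created] - [modified] - size attrs (company) MD5
ATTR_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_search(log):
    """Return one dict per file entry: a path line followed by a matching attribute line."""
    entries = []
    lines = [ln.rstrip() for ln in log.splitlines()]
    for i in range(len(lines) - 1):
        path, nxt = lines[i], lines[i + 1]
        # Header and footer lines start with '=', attribute lines with '['.
        if not path or path.startswith(("=", "[")):
            continue
        m = ATTR_RE.match(nxt)
        if not m:
            continue
        entry = m.groupdict()
        entry["path"] = path
        entry["name"] = path.rsplit("\\", 1)[-1].lower()  # file name, case-folded
        entry["size"] = int(entry["size"])
        entry["md5"] = entry["md5"].upper()
        entries.append(entry)
    return entries


def find_suspects(entries):
    """Flag copies that disagree with the other copies of the same file name.

    Returns a list of (path, [reasons]) pairs. A copy is a reference if it carries
    company/version information and a real hash; copies outside that set, or with
    an empty-input hash or no company string, are reported.
    """
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e)

    suspects = []
    for copies in by_name.values():
        reference = {c["md5"] for c in copies if c["company"] and c["md5"] != EMPTY_MD5}
        for c in copies:
            reasons = []
            if c["md5"] == EMPTY_MD5:
                reasons.append("MD5 is the hash of zero bytes")
            if not c["company"]:
                reasons.append("no company/version information")
            if reference and c["md5"] not in reference:
                reasons.append("hash differs from the other copies")
            if reasons:
                suspects.append((c["path"], reasons))
    return suspects


if __name__ == "__main__":
    for path, reasons in find_suspects(parse_search(SAMPLE_LOG)):
        print(path)
        for r in reasons:
            print("  -", r)
```

Run against the sample, the only copy reported is the WinSxS Wdf01000.sys: its hash is the MD5 of empty input, it has no company string, and it disagrees with the copy FixTDSS archived, which carries the Microsoft company string and a different hash. Both WdfLdr.sys copies agree with each other, which is the same conclusion Farbar reaches above.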

#5 Codexe

Posted 18 September 2012 - 10:58 AM

The fix worked.

Thank you so much for your help!!

#6 Farbar

Posted 18 September 2012 - 01:39 PM

Great. :thumbup2:

Do you want me to check the system, or will you be able to do the rest?

#7 Codexe

Posted 19 September 2012 - 01:52 PM

I was able to do the rest.

Thank You Again!

#8 Farbar

Posted 19 September 2012 - 03:39 PM

You are most welcome. :)

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a Private Message and I will reopen it for you.

If you should have a new issue, please start a new topic.

Everyone else should start a new topic.
