
Endless reboots


I posted this into the MBAM forum and have been directed to post here:

Firstly, I must stress that the pc in question is not mine, but belongs to a relative. I've never even seen it!

The pc had been infected with Antivirus Pro 2010, so I sent instructions for downloading, installing and using MBAM. She rang me to say that she had followed the instructions and everything seemed to be okay, until she rebooted the pc. (My last instruction was to reboot and run a second scan to make sure everything was now fine). Now the pc was showing the Dell bios splash screen, followed by the XP loading splash screen. Then it would go into a blue screen saying it was running chkdsk as the disk was dirty. It completed stages 1 and 2 okay, and went onto part 3. It counted up to 25% and then rebooted and went through the procedure again. Now it is stuck in this endless loop.

Any suggestions? I can find descriptions of similar problems on the internet, but no solutions.

Thanks in advance.


Hello,

A few observations first.

#1: It is much preferable for your relative to post herself. That way I can deal directly with her.

#2: XP will always run CHKDSK in any event. You simply do not see it in the vast majority of cases (by default).

If the system was improperly shut off, for example, or if XP detects a disk integrity issue, then it runs a more extensive CHKDSK. That is normal behavior.

What is not normal is for the system to reboot. It should (once chkdsk is done) go forward to load Windows in GUI mode.

Tell your friend to use the XP Recovery Console environment, then run CHKDSK from there.

Hopefully she has the XP operating system CD. [not a system recovery CD]

Set pc BIOS to boot from CDROM. Place XP CD in drive. Reboot from the CD.

Select the first option R Repair/Recovery Console.

Select the Windows partition by number. Usually it is 1.

Log in to XP with the administrator account & password.

Then run

CHKDSK /P

from the command line.

Then use EXIT to finish the Recovery Console. The system reboots. Then you can pick XP and return to normal usage of XP.

Let me also suggest that your friend *install* the Recovery Console as a *bootup* option on the system.

That way the XP CD is not required each time Recovery Console is needed.

Obviously, you do need the XP CD from which to do the initial install.

References for Recovery Console:

Description of the Windows XP Recovery Console - Article ID 314058

http://support.microsoft.com/kb/314058

HOW TO: Install and Use the Recovery Console for Windows XP

http://support.microsoft.com/kb/307654

Once the CHKDSK issue is resolved and XP is usable again, have your friend do the required prerequisites and post logs back here in this thread.

Have your friend follow this guide -->

I'm infected - What do I do now?

http://www.malwarebytes.org/forums/index.php?showtopic=9573

That is needed so any remainders of Antivirus Pro 2010 can be traced & removed.


Hi Maurice,

Thanks for your prompt reply.

Let me first say that I appreciate that it would be easier dealing with the person with the problem first hand, but since she does not have access to her pc yet, she cannot get onto the internet. As soon as she is up and running, I'll hand this thread over to her for further instructions.

There is a slight delay in completing the first step you have sent me, as the CD she has is not the full Win XP CD, but a recovery CD. Hopefully, she'll have a full version by Monday, so we'll be able to complete your instructions then.

Many thanks!


Hi Maurice,

We got a Windows XP CD and booted from it into the Recovery Console. We typed the commands you said, and it appeared to check the disk, then exit okay. When it tried to reboot, it went back into the same endless loop as before (running chkdsk and getting to 25% then restarting).

What can we try next?

Thanks!


There's not much hope unless you manage to clear this issue somehow. By that I mean there's only 1 or 2 things to try.

a) Go back into Recovery Console. Type in

CHKDSK

(just like that, plain Chkdsk)

Watch to see what it reports and write it down.

b) Restart the system and straight away start tapping & re-tapping the F8 function key.

At advanced boot options, select Safe mode with Command prompt

Be sure to log in with an account that has administrator rights.

At the command prompt, type in

chkntfs /x c:

and press Enter

c) Once done, reboot/restart the system. See if normal mode is usable.

If not, repeat the reboot, restart. Now select Safe mode with Networking.

See if that works.

d) If you cannot clear this CHKDSK issue, I'm afraid there's not much I can suggest.


Maurice,

Thanks again for your efforts. I have told the computer's owner that I need to physically have the computer, which won't happen until the weekend at the earliest, as it is 70+ miles away. I can then see if anything obvious has been missed, backup the data and get it running smoothly again (possibly with a rebuild).

Many thanks,

dylan77


I now have the PC in my possession. I had intended to reformat the hard drive and reinstall everything, but I found that the Last Known Good configuration actually got the PC to boot into Windows XP.

I ran another MBAM scan and it found two infections. I told it to remove them, which it said it had done, then asked for a reboot to complete the process. When I did the reboot, it went back into its endless reboot cycle of trying to check the C: drive and getting to 20% then rebooting. So I assume the problem comes when it tries to remove the Rootkit file on reboot.

I attached the HijackThis log at this point (booting from the Last Known Good config), and the MBAM log of the most recent scan, when it detected and tried to remove the two infections.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 14:07:45, on 11/10/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe

C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\PROGRA~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Dell Support Center\bin\sprtcmd.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\mgoc\PSCRIPT.EXE

C:\WINDOWS\system32\dlcccoms.exe

C:\Program Files\blueyonder IST\bin\mpbtn.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html?p=DK

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.search.yahoo.com/search?fr=mcafee&p=%s

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://broadband.blueyonder.co.uk/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"

O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16

O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"

O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe

O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\blueyonder-istconfig.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: PScript.lnk = C:\mgoc\PSCRIPT.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab

O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.co.uk/downloads/BU..._1/axofupld.cab

O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.co.uk/downloads/BU..._2/axofupld.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by128fd.bay128.hotmail.msn.com/activex/HMAtchmt.ocx

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--

End of file - 12507 bytes

------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.41

Database version: 2896

Windows 5.1.2600 Service Pack 3

11/10/2009 13:46:35

mbam-log-2009-10-11 (13-46-35).txt

Scan type: Quick Scan

Objects scanned: 143312

Time elapsed: 26 minute(s), 40 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

\\?\globalroot\systemroot\system32\gasfkyuxovbway.dll (Rootkit.TDSS) -> Delete on reboot.

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

\\?\globalroot\systemroot\system32\gasfkyuxovbway.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

Many thanks for any help you can give.


Download RootRepeal from one of these links:

>>Link 1<<

or >>Link 2<<

  • SAVE the zip download to your system.
  • Extract the archive to a folder you create such as C:\RootRepeal
  • Double-click RootRepeal.exe to launch the program (Vista users should right-click and select "Run as Administrator").
  • Click the "File" tab (located at the bottom of the RootRepeal screen)
  • Click the "Scan" button
  • In the popup dialog, check the drives to be scanned - making sure to check your primary operating system drive - normally C:
  • Click OK and the file scan will begin
  • When the scan is done, there will be files listed, but most if not all of them will be legitimate
  • Click the "Save Report" Button
  • Save the log file to your Documents folder
  • Post the content of the RootRepeal file scan log in your next reply.

Added STEP 2

Next step: Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

At this time of posting, the current definitions are # 2939.

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Reply with a copy of the RootRepeal log and the latest MBAM scan log.


I have downloaded RootRepeal and run it. It gave the error message 'Could not read the boot sector. Try adjusting the Disk Access Level in the Options Dialog.'

I tried all four settings and the only one that didn't give me the above error message was Special Level.

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/10/11 15:19

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

Hidden/Locked Files

-------------------

Path: Volume C:\

Status: MBR Rootkit Detected!

Path: Volume C:\, Sector 1

Status: Sector mismatch

Path: Volume C:\, Sector 2

Status: Sector mismatch

Path: Volume C:\, Sector 3

Status: Sector mismatch

Path: Volume C:\, Sector 4

Status: Sector mismatch

Path: Volume C:\, Sector 5

Status: Sector mismatch

Path: Volume C:\, Sector 6

Status: Sector mismatch

Path: Volume C:\, Sector 7

Status: Sector mismatch

Path: Volume C:\, Sector 8

Status: Sector mismatch

Path: Volume C:\, Sector 9

Status: Sector mismatch

Path: Volume C:\, Sector 10

Status: Sector mismatch

Path: Volume C:\, Sector 11

Status: Sector mismatch

Path: Volume C:\, Sector 12

Status: Sector mismatch

Path: Volume C:\, Sector 13

Status: Sector mismatch

Path: Volume C:\, Sector 14

Status: Sector mismatch

Path: Volume C:\, Sector 15

Status: Sector mismatch

Path: Volume C:\, Sector 16

Status: Sector mismatch

Path: Volume C:\, Sector 17

Status: Sector mismatch

Path: Volume C:\, Sector 18

Status: Sector mismatch

Path: Volume C:\, Sector 19

Status: Sector mismatch

Path: Volume C:\, Sector 20

Status: Sector mismatch

Path: Volume C:\, Sector 21

Status: Sector mismatch

Path: Volume C:\, Sector 22

Status: Sector mismatch

Path: Volume C:\, Sector 23

Status: Sector mismatch

Path: Volume C:\, Sector 24

Status: Sector mismatch

Path: Volume C:\, Sector 25

Status: Sector mismatch

Path: Volume C:\, Sector 29

Status: Sector mismatch

Path: Volume C:\, Sector 30

Status: Sector mismatch

Path: Volume C:\, Sector 31

Status: Sector mismatch

Path: Volume C:\, Sector 32

Status: Sector mismatch

Path: Volume C:\, Sector 33

Status: Sector mismatch

Path: Volume C:\, Sector 34

Status: Sector mismatch

Path: Volume C:\, Sector 35

Status: Sector mismatch

Path: Volume C:\, Sector 36

Status: Sector mismatch

Path: Volume C:\, Sector 37

Status: Sector mismatch

Path: Volume C:\, Sector 38

Status: Sector mismatch

Path: Volume C:\, Sector 39

Status: Sector mismatch

Path: Volume C:\, Sector 40

Status: Sector mismatch

Path: Volume C:\, Sector 41

Status: Sector mismatch

Path: Volume C:\, Sector 42

Status: Sector mismatch

Path: Volume C:\, Sector 43

Status: Sector mismatch

Path: Volume C:\, Sector 44

Status: Sector mismatch

Path: Volume C:\, Sector 45

Status: Sector mismatch

Path: Volume C:\, Sector 47

Status: Sector mismatch

Path: Volume C:\, Sector 48

Status: Sector mismatch

Path: Volume C:\, Sector 49

Status: Sector mismatch

Path: Volume C:\, Sector 53

Status: Sector mismatch

Path: Volume C:\, Sector 54

Status: Sector mismatch

Path: Volume C:\, Sector 55

Status: Sector mismatch

Path: Volume C:\, Sector 56

Status: Sector mismatch

Path: Volume C:\, Sector 57

Status: Sector mismatch

Path: Volume C:\, Sector 58

Status: Sector mismatch

Path: Volume C:\, Sector 59

Status: Sector mismatch

Path: Volume C:\, Sector 60

Status: Sector mismatch

Path: Volume C:\, Sector 61

Status: Sector mismatch

Path: Volume C:\, Sector 62

Status: Sector mismatch

Path: C:\hiberfil.sys

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\gasfkycljbfhhu.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gasfkyocierudm.dat

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gasfkyuetetbvf.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gasfkyuxovbway.dll

Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gasfkywxvnsiex.dat

Status: Invisible to the Windows API!

Path: c:\windows\temp\sqlite_2rnrxmiycqul1gj

Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\Temp\gasfkybvteetnwmc.tmp

Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\gasfkyvjksxidbwt.tmp

Status: Invisible to the Windows API!

Path: c:\windows\temp\sqlite_a7kjlmeljjcnuwz

Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_r6pnybql0p8mg5i

Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_hlyutsg1grpexob

Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_weggqi2va0mi9dc

Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_ayb6uj4x2ax7h9u

Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_zcg5gupjgsffft4

Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_97p03yswphp8sv7

Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_h0tewofk59zliml

Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}(2)\RP434(2)\snapshot

Status: Could not get file information (Error 0xc0000008)

Path: C:\WINDOWS\system32\drivers\gasfkytdmxsafy.sys

Status: Invisible to the Windows API!

I hadn't updated the MBAM before as I hadn't connected the pc to the internet. I have now updated to the latest definitions. Log file follows:

Malwarebytes' Anti-Malware 1.41

Database version: 2941

Windows 5.1.2600 Service Pack 3

11/10/2009 15:36:55

mbam-log-2009-10-11 (15-36-55).txt

Scan type: Quick Scan

Objects scanned: 126702

Time elapsed: 13 minute(s), 57 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

\\?\globalroot\systemroot\system32\gasfkyuxovbway.dll (Rootkit.TDSS) -> Delete on reboot.

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

\\?\globalroot\systemroot\system32\gasfkyuxovbway.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

When prompted, I allowed the pc to reboot and it went to the chkdsk screen again and then rebooted at 30%, so I have just shut it down for now.

As an aside, there seemed to be a large number of temporary internet files attached to the second user's account. Is it okay to delete these so the MBAM scan might run faster?

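To show how the two logs posted above can be cross-checked, here is an added Python example (not part of this thread, and not code from RootRepeal or Malwarebytes). It works on constructed excerpts of the RootRepeal and MBAM logs above, separates files that are merely locked from files hidden from the Windows API, groups the hidden ones by a shared name prefix (assumed to be 6 characters), and flags any file MBAM reported as deleted that RootRepeal still sees on disk.

```python
"""Cross-check a RootRepeal file-scan log against an MBAM scan log.

Added example; not code from the thread, RootRepeal or Malwarebytes.
The sample logs are constructed excerpts of the logs posted above.
"""
from collections import defaultdict

# Constructed excerpt of the RootRepeal log posted in the thread.
ROOTREPEAL_LOG = """\
Path: Volume C:\\
Status: MBR Rootkit Detected!
Path: Volume C:\\, Sector 1
Status: Sector mismatch
Path: Volume C:\\, Sector 2
Status: Sector mismatch
Path: C:\\hiberfil.sys
Status: Locked to the Windows API!
Path: C:\\WINDOWS\\system32\\gasfkycljbfhhu.dll
Status: Invisible to the Windows API!
Path: C:\\WINDOWS\\system32\\gasfkyuxovbway.dll
Status: Invisible to the Windows API!
Path: c:\\windows\\temp\\sqlite_2rnrxmiycqul1gj
Status: Allocation size mismatch (API: 4096, Raw: 0)
Path: C:\\WINDOWS\\system32\\drivers\\gasfkytdmxsafy.sys
Status: Invisible to the Windows API!
"""

# Constructed excerpt of the MBAM log posted in the thread.
MBAM_LOG = """\
Files Infected:
\\\\?\\globalroot\\systemroot\\system32\\gasfkyuxovbway.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
"""

PREFIX_LEN = 6  # assumption: family members share the first 6 characters of their name


def parse_rootrepeal(text):
    """Return (path, status) pairs from RootRepeal's Path:/Status: line pairs."""
    entries, path = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Path: "):
            path = line[len("Path: "):]
        elif line.startswith("Status: ") and path is not None:
            entries.append((path, line[len("Status: "):]))
            path = None
    return entries


def basename(path):
    # Last path component, lower-cased, so the globalroot form MBAM prints and
    # the drive-letter form RootRepeal prints compare equal.
    return path.rsplit("\\", 1)[-1].lower()


def mbam_claimed_removed(text):
    """Basenames of files MBAM says it quarantined/deleted (or will delete on reboot)."""
    removed = set()
    for line in text.splitlines():
        if "->" not in line:
            continue
        target, action = line.rsplit("->", 1)
        if "deleted successfully" in action or "Delete on reboot" in action:
            removed.add(basename(target.rsplit("(", 1)[0].strip()))  # drop "(Rootkit.TDSS)"
    return removed


def analyse(rootrepeal_text, mbam_text):
    """Summarise rootkit indicators and check whether MBAM's removal actually took."""
    entries = parse_rootrepeal(rootrepeal_text)
    # "Locked" is normal for hiberfil.sys; "Invisible" means the file exists on disk
    # but is filtered out of the view the Windows API returns, which is how TDSS hides.
    hidden = [p for p, s in entries if s.startswith("Invisible to the Windows API")]
    families = defaultdict(list)
    for name in map(basename, hidden):
        families[name[:PREFIX_LEN]].append(name)
    families = {k: v for k, v in families.items() if len(v) >= 2}
    hidden_names = {n for names in families.values() for n in names}
    return {
        "mbr_rootkit": any(s.startswith("MBR Rootkit Detected") for _, s in entries),
        "sector_mismatches": sum(1 for p, s in entries
                                 if ", Sector " in p and s == "Sector mismatch"),
        "hidden_files": len(hidden),
        "families": families,
        # Files MBAM reported removed that are still on disk and hidden from the API:
        # the rootkit protects or restores them, so the removal is not effective.
        "removal_not_effective": sorted(hidden_names & mbam_claimed_removed(mbam_text)),
    }


if __name__ == "__main__":
    for key, value in analyse(ROOTREPEAL_LOG, MBAM_LOG).items():
        print(f"{key}: {value}")
```

A non-empty `removal_not_effective` list is the signal the thread ends up at: a file-level cleaner reporting success while the MBR rootkit keeps the component hidden and present across reboots.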

Yes you can delete temporary internet files and temp files in general.

But the presence of an MBR rootkit is much more of a concern.

Let me advise at this time that a wipe & fresh reload of Windows is the safest and fastest thing to do. Please consider it and let me know, after you advise the owner.

If they wish to continue, neither I nor anyone can vouch for the safety or cleanliness of the system.

If they wish to continue, then do this next:

Download GMER Rootkit Scanner from here or here. Unzip it to your Desktop.

========================================================

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

========================================================

Double-click gmer.exe. The program will begin to run.

**Caution**

These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click Yes.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [save..] button, and in the File name area, type in "Gmer.txt".
  • Save it where you can easily find it, such as your desktop.

If you do not receive notice about possible rootkit activity, remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.

  • Click the Scan button and let the program do its work. GMER will produce a log. Click on the [save..] button, and in the File name area, type in "Gmer.txt".
  • Save it where you can easily find it, such as your desktop.

Reply with a copy of the Gmer log.

Be advised that this will likely be an extended effort at cleanup and will likely span for a few more days, as I am not online all the time.


To be honest, I think the pc's owner will go with whatever I recommend, so I'll reinstall everything. Just a couple of questions, if you don't mind:

1. Was this MBR rootkit the cause of the chkdsk reboot problems? If I format the hard drive, will this remove the problem? Do I need to do anything special when I format it (full/low-level, etc.)?

2. What software do you recommend to prevent this happening again? I usually install AVG Free edition as an anti-virus, but what Anti-Spyware/Anti-Malware would you recommend? Is it enough to have MBAM on there?

Thanks!
