Boot.ini Removed by "Normal" Restart of Windows [Solved]



#1 cmcrgl (Member, 26 posts)
Thank you for the service you are providing to exasperated computer users.

While I have had some success repairing systems, this time I am completely stymied by an infection on my nephew's Dell Latitude D830. When I began, it was suffering from several problems. I have whittled them down a bit, in that I can now boot the machine into Safe Mode; however, allowing a "normal startup" results in the next restart failing with the following two screens being displayed:

1) Invalid BOOT.INI file
Booting from C:\windows\

2) Windows could not start because the following file is missing or corrupt:
<windows root>\system32\hal.dll

Using bootcfg /rebuild from the Recovery Console option on the XP install disk allows a successful boot, although if one allows a "normal startup" the next restart will fail with the messages already cited appearing.

I have attempted to follow the repair regime outlined in the Geeks to Go! Virus, Spyware and Trojan Removal / Malware and Spyware Cleaning Guide; however, when operating in "normal" mode I can only get as far as the "restart" requested by TFC before I have to begin afresh. Running TFC in "Safe" mode does not end with a restart request, and I can continue with the other steps. At this point, I thought it best to seek some assistance. Apparently, something in the normal boot sequence is deleting the boot.ini file. I can run all the programs in the guide in safe mode, but I don't know if logs generated in safe mode would be of use. Please advise me how to proceed in order to generate logs from Malwarebytes, Avira, GMER Rootkit Scanner and OTL that will be useful in solving this problem.

Thank you for your assistance.

Richard Luken

#2 Cruise475 (Trusted Helper, 1,348 posts)
Greetings, cmcrgl. Welcome to GeeksToGo. My name is Cruise475 and I am here to help you with your malware troubles.

Before we get started, I would like to mention a few things :)
  • There may be some delays between my posts to you. I am still in training, so every response must be checked with a resident expert before I can give them to you!
  • Please be patient; researching logs takes time!
  • Please follow my instructions step by step; if something does not work, or you get confused, just ask for clarification :)
  • Please do not attach any logs unless I specifically ask for it; it makes it easier for us to check your logs! Just post them right into the topic. If it requires more than one post, feel free to spread them over multiple posts!
  • While we are working together, please do not run any tools without being directed to do so. Running some of our tools unsupervised can be very dangerous!
  • Lastly, you may find it beneficial to print my instructions or save them to a text file, as some of my instructions may require you to reboot into safe mode :)

In the following instructions, I am going to have you run two programs: GMER and OTS. The OTS scan can be completed in Safe Mode; however, could you attempt to run GMER in normal mode? If for some reason it does not work, don't worry about it :)

Step 1: Download GMER from Here. Note the file's name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.



Step 2: To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach, then upload it to Mediafire and post the sharing link.

Download OTS to your Desktop (This program can be run in safe mode)
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Under custom scans copy and paste the following:
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    /md5stop
    %systemroot%\*. /mp /s
    c:\$recycle.bin\*.* /s
    CREATERESTOREPOINT

  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on the button (shown as an image in the original post) to insert the attachment into your post

Thanks
Cruise

#3 Cruise475 (Trusted Helper, 1,348 posts)
Hi cmcrgl,

On another note, neither the OTS nor the GMER scan should require a reboot :)

Thanks
Cruise

#4 cmcrgl (Topic Starter, Member, 26 posts)
Hello and Thank You Cruise,

I appreciate your working on my problem, and I understand that responses may be delayed as your responses are being inspected by an expert before being posted. I'm glad to be part of your training, and I salute your willingness to participate. I will do my best to faithfully follow your instructions. My own responses may be delayed sometimes as well, as I do not have an "always on" Internet connection, nor am I "always on."

I ran GMER as per your instructions and the log is pasted here:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-04 19:09:41
Windows 5.1.2600 Service Pack 3
Running: eumghx9k.exe; Driver: C:\DOCUME~1\Max\LOCALS~1\Temp\awlyrkob.sys


---- System - GMER 1.0.15 ----

SSDT BA797E1E ZwCreateKey
SSDT BA797E14 ZwCreateThread
SSDT BA797E23 ZwDeleteKey
SSDT BA797E2D ZwDeleteValueKey
SSDT sptd.sys ZwEnumerateKey [0xB9EC3FB2]
SSDT sptd.sys ZwEnumerateValueKey [0xB9EC4340]
SSDT BA797E32 ZwLoadKey
SSDT sptd.sys ZwOpenKey [0xB9EBE0B0]
SSDT BA797E00 ZwOpenProcess
SSDT BA797E05 ZwOpenThread
SSDT sptd.sys ZwQueryKey [0xB9EC4418]
SSDT sptd.sys ZwQueryValueKey [0xB9EC4298]
SSDT BA797E3C ZwReplaceKey
SSDT BA797E37 ZwRestoreKey
SSDT BA797E28 ZwSetValueKey
SSDT BA797E0F ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB8DA5360, 0x36E81D, 0xE8000020]
.text USBPORT.SYS!DllUnload B8D858AC 5 Bytes JMP 8A9981C8
.text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xB5894300, 0x3ACC8, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xBA3A8300, 0x1B7E, 0xE8000020]
pnidata C:\WINDOWS\system32\DRIVERS\secdrv.sys unknown last section [0xB55EDF00, 0x24000, 0x48000000]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EBEAD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EBEC1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EBEB9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EBF748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EBF61E] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9ED429A] sptd.sys

---- Devices - GMER 1.0.15 ----

Device 8AAD51E8
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
Device \Driver\usbuhci \Device\USBPDO-0 8A8DE1E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8AAD81E8
Device \Driver\dmio \Device\DmControl\DmConfig 8AAD81E8
Device \Driver\dmio \Device\DmControl\DmPnP 8AAD81E8
Device \Driver\dmio \Device\DmControl\DmInfo 8AAD81E8
Device \Driver\usbuhci \Device\USBPDO-1 8A8DE1E8
Device \Driver\usbehci \Device\USBPDO-2 8A98C1E8
Device \Driver\usbehci \Device\USBPDO-3 8A98C1E8
Device \Driver\usbuhci \Device\USBPDO-4 8A8DE1E8
Device \Driver\usbuhci \Device\USBPDO-5 8A8DE1E8
Device \Driver\usbuhci \Device\USBPDO-6 8A8DE1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8AAD91E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8AAD91E8
Device \Driver\Cdrom \Device\CdRom0 8A8A7790
Device \Driver\atapi \Device\Ide\IdePort0 [B9DF4B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B9DF4B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [B9DF4B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [B9DF4B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A675790
Device \Driver\NetBT \Device\NetbiosSmb 8A675790
Device \Driver\usbuhci \Device\USBFDO-0 8A8DE1E8
Device \Driver\usbuhci \Device\USBFDO-1 8A8DE1E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{90EC3E19-6D5F-47FE-803E-E7041C1D1A50} 8A675790
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A6B3790
Device \Driver\usbehci \Device\USBFDO-2 8A98C1E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{175DA87D-AD32-4C34-AF76-C5323A8029E4} 8A675790
Device 8A6B3790
Device \Driver\usbuhci \Device\USBFDO-3 8A8DE1E8
Device \Driver\Ftdisk \Device\FtControl 8AAD91E8
Device \Driver\usbuhci \Device\USBFDO-4 8A8DE1E8
Device \Driver\usbuhci \Device\USBFDO-5 8A8DE1E8
Device \Driver\usbehci \Device\USBFDO-6 8A98C1E8
Device \FileSystem\Cdfs \Cdfs 8A8AF790
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmvpt.sys
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSmvpt.sys
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSotct.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSlryl.dat
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSShmxm.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSvkql.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSjnst.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSubwj.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSxmxh.log
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSScahc.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSkhkp.log
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSkgai.log
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmvpt.sys
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSmvpt.sys
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSotct.dll
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSlryl.dat
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSShmxm.dll
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSvkql.dll
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSjnst.dll
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSubwj.dll
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSxmxh.log
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSScahc.dll
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSkhkp.log
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSkgai.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmvpt.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSmvpt.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSotct.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSlryl.dat
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSShmxm.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSvkql.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSjnst.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSubwj.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSxmxh.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSScahc.dll
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSkhkp.log
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSkgai.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792

---- EOF - GMER 1.0.15 ----

I then ran the OTS scan with the settings given. That log, OTS.txt, is attached to this post as requested:

Attached File: OTS.Txt (189.96KB)

Again, I appreciate your assistance and await your reply.

cmcrgl
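A helper reading a GMER report like the one above goes first to the same three places: the SSDT entries and who owns them, the IAT section showing which drivers have their HAL imports redirected, and any service key that carries a `modules` subkey listing extra DLLs. The Python below is an added example written for this thread, not GMER's, OTS's or the helper's code; it parses a constructed excerpt in the same report format (a few representative lines, not the full report) and lists those items. Function names such as `triage` and `service_entries` are mine. Everything it returns is a prompt to look closer, not a verdict: an SSDT hook that GMER cannot attribute to a loaded module is as likely to belong to a security product as to a rootkit, which is why a trained helper reviews the log rather than acting on it automatically.

```python
import re
from collections import defaultdict

# Constructed excerpt, modelled on the GMER 1.0.15 report format posted in this thread.
SAMPLE_GMER_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT BA797E1E ZwCreateKey
SSDT sptd.sys ZwEnumerateKey [0xB9EC3FB2]
SSDT BA797E00 ZwOpenProcess

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EBEAD4] sptd.sys

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmvpt.sys
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSShmxm.dll
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmvpt.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423

---- EOF - GMER 1.0.15 ----
"""

SECTION_HDR = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
# "SSDT <owner> Zw...": owner is a bare address when GMER could not tie the hook to a module.
SSDT_HOOK = re.compile(r"^SSDT\s+(?P<owner>\S+)\s+(?P<func>Zw\w+)")
IAT_HOOK = re.compile(r"^IAT\s+(?P<victim>\S+?)\[(?P<imp>[^\]]+)\]\s+\[[0-9A-Fa-f]+\]\s+(?P<owner>\S+)")
REG_SERVICE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\(?P<cs>\w+)\\Services\\(?P<svc>[^\\@\s]+)"
    r"(?P<sub>(?:\\[^\\@\s]+)*)(?:@(?P<name>\w+)\s+(?P<data>.*))?"
)
HEX_ADDR = re.compile(r"[0-9A-Fa-f]{8}")


def parse_sections(text):
    """Split the report into its '---- Name - GMER x.y.z ----' sections."""
    sections, current = defaultdict(list), None
    for line in (l.strip() for l in text.splitlines()):
        m = SECTION_HDR.match(line)
        if m:
            current = m["name"]
        elif line and current:
            sections[current].append(line)
    return dict(sections)


def ssdt_hooks(lines):
    """(syscall, owner) pairs; owner is None when GMER printed only an address."""
    hooks = [SSDT_HOOK.match(l) for l in lines]
    return [(m["func"], None if HEX_ADDR.fullmatch(m["owner"]) else m["owner"]) for m in hooks if m]


def iat_hooks(lines):
    """(hooked driver, redirected import, owning module) triples."""
    ms = [IAT_HOOK.match(l) for l in lines]
    return [(m["victim"].rsplit("\\", 1)[-1], m["imp"], m["owner"]) for m in ms if m]


def service_entries(lines):
    """Group Services registry lines by service; record 'modules' subkeys and inactive control sets."""
    services = defaultdict(lambda: {"control_sets": set(), "inactive_cs": set(),
                                    "values": {}, "modules": {}})
    for line in lines:
        m = REG_SERVICE.match(line)
        if not m:
            continue
        svc = services[m["svc"]]
        svc["control_sets"].add(m["cs"])
        if "(not active ControlSet)" in line:
            svc["inactive_cs"].add(m["cs"])
        if m["name"] is None:          # key-only line, no value printed
            continue
        if m["sub"].lower() == r"\modules":
            svc["modules"][m["name"]] = m["data"].strip()
        else:                          # e.g. "imagepath" or "Cfg@s1"
            svc["values"][(m["sub"].lstrip("\\") + "@" + m["name"]).lstrip("@")] = m["data"].strip()
    return dict(services)


def triage(log_text):
    """Items a helper would look at first. Each is a prompt to check, not a verdict."""
    sections = parse_sections(log_text)
    hooks = ssdt_hooks(sections.get("System", []))
    services = service_entries(sections.get("Registry", []))
    by_module = defaultdict(list)
    for func, owner in hooks:
        if owner:
            by_module[owner].append(func)
    return {
        "ssdt_unresolved": sorted(f for f, owner in hooks if owner is None),
        "ssdt_by_module": {mod: sorted(funcs) for mod, funcs in by_module.items()},
        "iat_hooks": iat_hooks(sections.get("Kernel IAT/EAT", [])),
        "services_with_modules": sorted(n for n, s in services.items() if s["modules"]),
        "services_in_inactive_controlsets": sorted(n for n, s in services.items() if s["inactive_cs"]),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_GMER_LOG).items():
        print(f"{key}: {value}")
```

Run it directly to print the summary for the embedded sample; for a real report, pass the file's contents to `triage()`. The `services_with_modules` line is the one that corresponds to the TDSSserv.sys entries in the log above, and `services_in_inactive_controlsets` shows which control sets GMER marked as not the active one.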

#5 Cruise475 (Trusted Helper, 1,348 posts)
Hey There,

While P2P programs are not illegal to use, the files that you download are frequently bundled with spyware, malware, and viruses. I recommend that you remove these programs in order to help protect your computer against further infections.


Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< FireFox Settings [Prefs.js] > -> C:\Documents and Settings\Max\Application Data\Mozilla\FireFox\Profiles\u22bdwzz.default\prefs.js
YN -> browser.search.defaultenginename -> "Fast Browser Search"
YN -> browser.search.defaultthis.engineName -> "FearFM Customized Web Search"
YN -> browser.search.defaulturl -> "http://www.fastbrows...?s=DEF&v=18&q="
YN -> browser.search.order.1 -> "Fast Browser Search"
YN -> browser.search.selectedEngine -> "Fast Browser Search"
YN -> browser.search.useDBForOrder -> true
YN -> extensions.enabledItems -> {C2DCA7EB-22D2-4FD2-86A9-F99FCC8122BB}:2.2.9
< FireFox Extensions [User Folders] > ->
YY -> My Web Tattoo (Fast Browser Search) -> C:\Documents and Settings\Max\Application Data\Mozilla\Firefox\Profiles\u22bdwzz.default\extensions\{C2DCA7EB-22D2-4FD2-86A9-F99FCC8122BB}
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} [HKLM] -> C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll [Google Dictionary Compression sdch]
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YN -> ssqNdabA ->
[Files/Folders - Modified Within 30 Days]
NY -> wrxtmnzu.job -> C:\WINDOWS\tasks\wrxtmnzu.job
NY -> eumghx9k.exe -> C:\eumghx9k.exe
NY -> KPEX.job -> C:\WINDOWS\tasks\KPEX.job
[Files - No Company Name]
NY -> eumghx9k.exe -> C:\eumghx9k.exe
NY -> SIMANT.DLL -> C:\WINDOWS\System32\SIMANT.DLL
NY -> VERMONT1.DLL -> C:\WINDOWS\System32\VERMONT1.DLL
NY -> VRX1.DLL -> C:\WINDOWS\System32\VRX1.DLL
NY -> dump_wmimmc(3).sys -> C:\WINDOWS\System32\drivers\dump_wmimmc(3).sys
NY -> dump_wmimmc(2).sys -> C:\WINDOWS\System32\drivers\dump_wmimmc(2).sys
NY -> pbadrvdll.dll -> C:\WINDOWS\System32\pbadrvdll.dll
[File - Lop Check]
NY -> KPEX.job -> C:\WINDOWS\Tasks\KPEX.job
NY -> wrxtmnzu.job -> C:\WINDOWS\Tasks\wrxtmnzu.job
[Custom Scans]
YY -> eumghx9k.exe -> C:\eumghx9k.exe
[Purity]
[Empty Temp Folders]
[Reboot]


The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

NEXT

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe"

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.datetime_log". Please copy and paste the contents of that file here.
NOTE: THE LOG WILL NOT OPEN AUTOMATICALLY

Once you have completed both steps, I would like to review the OTS fix log and the TDSSKiller log. Also, please give me an update on your computer's problems, especially the boot issue.

Thanks
Cruise
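Checking an OTS fix log line by line against the fix script it came from is tedious once the list grows, and a file that the script lists under several headings is moved once and then reported "not found" under the others. The Python below is an added example written for this thread, not OTS's or the helper's code: it parses a constructed fix script and fix log modelled on the ones in this thread and reports, per item, whether it was moved, deleted or removed; reported "not found" in its own section but already handled under another; reported "not found" with no success anywhere; or given no result line at all. Names such as `reconcile` and `summarize` are mine, and the four status words are the example's own vocabulary, not OTS's.

```python
import re
from collections import defaultdict

# Constructed excerpt of an OTS fix script, modelled on the one posted in this thread.
SAMPLE_FIX_SCRIPT = r"""
[Registry - Safe List]
YN -> browser.search.defaultenginename -> "Fast Browser Search"
YN -> ssqNdabA ->
[Files/Folders - Modified Within 30 Days]
NY -> wrxtmnzu.job -> C:\WINDOWS\tasks\wrxtmnzu.job
NY -> eumghx9k.exe -> C:\eumghx9k.exe
NY -> KPEX.job -> C:\WINDOWS\tasks\KPEX.job
[Files - No Company Name]
NY -> eumghx9k.exe -> C:\eumghx9k.exe
NY -> SIMANT.DLL -> C:\WINDOWS\System32\SIMANT.DLL
NY -> VRX1.DLL -> C:\WINDOWS\System32\VRX1.DLL
[File - Lop Check]
NY -> KPEX.job -> C:\WINDOWS\Tasks\KPEX.job
[Reboot]
"""
# Constructed fix log for that script; VRX1.DLL deliberately gets no result line.
SAMPLE_FIX_LOG = r"""
All Processes Killed
[Registry - Safe List]
Prefs.js: "Fast Browser Search" removed from browser.search.defaultenginename
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssqNdabA\ deleted successfully.
[Files/Folders - Modified Within 30 Days]
C:\WINDOWS\tasks\wrxtmnzu.job moved successfully.
C:\eumghx9k.exe moved successfully.
C:\WINDOWS\tasks\KPEX.job moved successfully.
[Files - No Company Name]
File C:\eumghx9k.exe not found!
LoadLibrary failed for C:\WINDOWS\System32\SIMANT.DLL
C:\WINDOWS\System32\SIMANT.DLL moved successfully.
[File - Lop Check]
File C:\WINDOWS\Tasks\KPEX.job not found!
"""

SECTION = re.compile(r"^\[(?P<name>[^\]]+)\]$")
ITEM = re.compile(r"^(?P<flags>[YN]{2})\s+->\s+(?P<name>.*?)\s+->\s*(?P<target>.*)$")
# Result phrases OTS writes, mapped to the status they mean for the item.
OUTCOMES = (("moved successfully", "done"), ("deleted successfully", "done"),
            ("removed from", "done"), ("not found", "not_found"))


def split_sections(text):
    """Yield (section, line) for each non-empty line, tracking the [Section] it falls under."""
    section = None
    for line in (l.strip() for l in text.splitlines()):
        m = SECTION.match(line)
        if m:
            section = m["name"]
        elif line:
            yield section, line


def parse_fix_script(text):
    """Return the 'XX -> name -> target' items of a fix script with their section."""
    items = []
    for section, line in split_sections(text):
        m = ITEM.match(line)
        if m:
            items.append({"section": section, "flags": m["flags"],
                          "name": m["name"], "target": m["target"].strip()})
    return items


def outcome_of(line):
    """Map one fix-log line to a status, or None if it carries no result phrase."""
    low = line.lower()
    return next((status for phrase, status in OUTCOMES if phrase in low), None)


def reconcile(script_text, log_text):
    """Per fix item: done / handled_elsewhere / not_found / no_result."""
    log = [(sec, line.lower(), outcome_of(line)) for sec, line in split_sections(log_text)]
    report = []
    for item in parse_fix_script(script_text):
        key = (item["target"] or item["name"]).lower()   # registry items carry no path
        here = {o for sec, line, o in log if o and sec == item["section"] and key in line}
        anywhere = {o for sec, line, o in log if o and key in line}
        if "done" in here:
            status = "done"
        elif "not_found" in here:
            # A later "not found" is expected when an earlier section already moved the file.
            status = "handled_elsewhere" if "done" in anywhere else "not_found"
        else:
            status = "no_result"   # nothing logged at all: follow up by hand
        report.append((item["section"], item["target"] or item["name"], status))
    return report


def summarize(report):
    """Map each status to the targets that ended with it, in script order."""
    by_status = defaultdict(list)
    for _section, target, status in report:
        by_status[status].append(target)
    return dict(by_status)
```

Call `summarize(reconcile(script, log))` with the text of a real fix script and its log; whatever lands under `no_result` or `not_found` is what to ask about in the next reply, while `handled_elsewhere` entries are the expected duplicates and need no follow-up.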

#6 cmcrgl (Topic Starter, Member, 26 posts)
Thank you for the next steps. I have carried them out and will list/attach the files you requested to this post.

Running OTS with the "Fix" instructions pasted in resulted in a reboot that led to the appearance of the original problem:

Upon the reboot the following appeared:

1) Invalid BOOT.INI file
Booting from C:\windows\

2) Windows could not start because the following file is missing or corrupt:
<windows root>\system32\hal.dll

I booted from a CD, ran the recovery console and rebuilt the boot.ini file using bootcfg /rebuild. Following the reboot, I was back on the desktop with the log file from OTS in notebook open on the desktop.

Here are the contents of that file:

All Processes Killed
[Registry - Safe List]
Prefs.js: "Fast Browser Search" removed from browser.search.defaultenginename
Prefs.js: "FearFM Customized Web Search" removed from browser.search.defaultthis.engineName
Prefs.js: "http://www.fastbrows...?s=DEF&v=18&q=" removed from browser.search.defaulturl
Prefs.js: "Fast Browser Search" removed from browser.search.order.1
Prefs.js: "Fast Browser Search" removed from browser.search.selectedEngine
Prefs.js: true removed from browser.search.useDBForOrder
Prefs.js: {C2DCA7EB-22D2-4FD2-86A9-F99FCC8122BB}:2.2.9 removed from extensions.enabledItems
C:\Documents and Settings\Max\Application Data\Mozilla\Firefox\Profiles\u22bdwzz.default\extensions\{C2DCA7EB-22D2-4FD2-86A9-F99FCC8122BB}\META-INF folder moved successfully.
C:\Documents and Settings\Max\Application Data\Mozilla\Firefox\Profiles\u22bdwzz.default\extensions\{C2DCA7EB-22D2-4FD2-86A9-F99FCC8122BB}\chrome folder moved successfully.
C:\Documents and Settings\Max\Application Data\Mozilla\Firefox\Profiles\u22bdwzz.default\extensions\{C2DCA7EB-22D2-4FD2-86A9-F99FCC8122BB} folder moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}\ deleted successfully.
LoadLibrary failed for C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssqNdabA\ deleted successfully.
[Files/Folders - Modified Within 30 Days]
C:\WINDOWS\tasks\wrxtmnzu.job moved successfully.
C:\eumghx9k.exe moved successfully.
C:\WINDOWS\tasks\KPEX.job moved successfully.
[Files - No Company Name]
File C:\eumghx9k.exe not found!
LoadLibrary failed for C:\WINDOWS\System32\SIMANT.DLL
C:\WINDOWS\System32\SIMANT.DLL moved successfully.
LoadLibrary failed for C:\WINDOWS\System32\VERMONT1.DLL
C:\WINDOWS\System32\VERMONT1.DLL moved successfully.
LoadLibrary failed for C:\WINDOWS\System32\VRX1.DLL
C:\WINDOWS\System32\VRX1.DLL moved successfully.
C:\WINDOWS\System32\drivers\dump_wmimmc(3).sys moved successfully.
C:\WINDOWS\System32\drivers\dump_wmimmc(2).sys moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\pbadrvdll.dll
C:\WINDOWS\System32\pbadrvdll.dll moved successfully.
[File - Lop Check]
File C:\WINDOWS\Tasks\KPEX.job not found!
File C:\WINDOWS\Tasks\wrxtmnzu.job not found!
[Custom Scans]
File/Folder C:\eumghx9k.exe not found.
[Purity]
Purity scan complete.
[Empty Temp Folders]


User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Max
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 505 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 0.00 mb

< End of fix log >
OTS by OldTimer - Version 3.1.20.1 fix logfile created on 02052010_194448

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


I then ran TDSSKiller.exe as instructed. Here is the log file:

20:02:17:332 2088 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
20:02:17:332 2088 ================================================================================
20:02:17:332 2088 SystemInfo:

20:02:17:332 2088 OS Version: 5.1.2600 ServicePack: 3.0
20:02:17:332 2088 Product type: Workstation
20:02:17:332 2088 ComputerName: THE_REVELATOR
20:02:17:332 2088 UserName: Max
20:02:17:332 2088 Windows directory: C:\WINDOWS
20:02:17:332 2088 Processor architecture: Intel x86
20:02:17:332 2088 Number of processors: 1
20:02:17:332 2088 Page size: 0x1000
20:02:17:332 2088 Boot type: Normal boot
20:02:17:332 2088 ================================================================================
20:02:17:342 2088 UnloadDriverW: NtUnloadDriver error 2
20:02:17:342 2088 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
20:02:17:362 2088 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
20:02:17:362 2088 UtilityInit: KLMD drop and load success
20:02:17:362 2088 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
20:02:17:362 2088 UtilityInit: KLMD open success
20:02:17:362 2088 UtilityInit: Initialize success
20:02:17:362 2088
20:02:17:362 2088 Scanning Services ...
20:02:17:362 2088 CreateRegParser: Registry parser init started
20:02:17:362 2088 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
20:02:17:362 2088 CreateRegParser: DisableWow64Redirection error
20:02:17:362 2088 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
20:02:17:362 2088 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
20:02:17:362 2088 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
20:02:17:362 2088 wfopen_ex: Trying to KLMD file open
20:02:17:362 2088 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
20:02:17:372 2088 wfopen_ex: File opened ok (Flags 2)
20:02:17:372 2088 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 394AE8
20:02:17:372 2088 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
20:02:17:372 2088 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
20:02:17:372 2088 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
20:02:17:372 2088 wfopen_ex: Trying to KLMD file open
20:02:17:372 2088 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
20:02:17:372 2088 wfopen_ex: File opened ok (Flags 2)
20:02:17:372 2088 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 394B90
20:02:17:372 2088 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
20:02:17:372 2088 CreateRegParser: EnableWow64Redirection error
20:02:17:372 2088 CreateRegParser: RegParser init completed
20:02:17:873 2088 GetAdvancedServicesInfo: Raw services enum returned 414 services
20:02:17:883 2088 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
20:02:17:883 2088 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
20:02:17:883 2088
20:02:17:883 2088 Scanning Kernel memory ...
20:02:17:883 2088 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
20:02:17:883 2088 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8AB1F670
20:02:17:883 2088 DetectCureTDL3: KLMD_GetDeviceObjectList returned 5 DevObjects
20:02:17:883 2088
20:02:17:883 2088 DetectCureTDL3: DEVICE_OBJECT: 8825A3C8
20:02:17:883 2088 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8825A3C8
20:02:17:883 2088 KLMD_ReadMem: Trying to ReadMemory 0x8825A3C8[0x38]
20:02:17:883 2088 DetectCureTDL3: DRIVER_OBJECT: 8AB1F670
20:02:17:883 2088 KLMD_ReadMem: Trying to ReadMemory 0x8AB1F670[0xA8]
20:02:17:883 2088 KLMD_ReadMem: Trying to ReadMemory 0xE1BA4588[0x18]
20:02:17:883 2088 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
20:02:17:883 2088 DetectCureTDL3: IrpHandler (0) addr: BA0EEBB0
20:02:17:883 2088 DetectCureTDL3: IrpHandler (1) addr: 804F355A
20:02:17:883 2088 DetectCureTDL3: IrpHandler (2) addr: BA0EEBB0
20:02:17:883 2088 DetectCureTDL3: IrpHandler (3) addr: BA0E8D1F
20:02:17:883 2088 DetectCureTDL3: IrpHandler (4) addr: BA0E8D1F
20:02:17:883 2088 DetectCureTDL3: IrpHandler (5) addr: 804F355A
20:02:17:883 2088 DetectCureTDL3: IrpHandler (6) addr: 804F355A
20:02:17:883 2088 DetectCureTDL3: IrpHandler (7) addr: 804F355A
20:02:17:883 2088 DetectCureTDL3: IrpHandler (8) addr: 804F355A
20:02:17:923 2088 Completed
20:02:17:923 2088
20:02:17:923 2088 Results:
20:02:17:933 2088 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
20:02:17:933 2088 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
20:02:17:933 2088 File objects infected / cured / cured on reboot: 0 / 0 / 0
20:02:17:933 2088
20:02:17:933 2088 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
20:02:17:933 2088 UtilityDeinit: KLMD(ARK) unloaded successfully

I will pass on to my nephew, the owner of the machine, your recommendation on peer-to-peer file sharing programs. As noted, the boot problem was present when OTS rebooted the machine at the end of its "Fix" run. I have not attempted another reboot since rebuilding the boot.ini file and running the remainder of the steps as you instructed.

Would you like me to try another reboot before we continue?

Thanks again.

cmcrgl
  • 0

#7
Cruise475

Cruise475

    Trusted Helper

  • Member
  • PipPipPipPip
  • 1,348 posts
Hi cmcrgl,

Yes, please go ahead and try that reboot one more time.

Thanks
Cruise
  • 0

#8
cmcrgl

cmcrgl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Thank you for the quick reply. I have rebooted. No Joy. Same symptoms.

Should I rebuild the boot.ini file again?
  • 0

#9
Cruise475

Cruise475

    Trusted Helper

  • Member
  • PipPipPipPip
  • 1,348 posts
Hi cmcrgl,

Go ahead for now if you do not plan on shutting down your computer for the night. It is likely that I will not be able to get you a set of instructions until tomorrow.

Sorry for the delay.

~Cruise
  • 0

#10
cmcrgl

cmcrgl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Cruise:

Thank you for your patience and sticking with me. I will rebuild the boot.ini and there is no need to shut the machine off. Or, if I reboot into the "safe mode" at the end of the rebuild, I can turn off the machine tonight and when I reboot it I should get to the "full" desktop when I power up tomorrow, or upon next receipt of a reply from you.

Hope you have a good evening!

cmcrgl
  • 0


#11
Cruise475

Cruise475

    Trusted Helper

  • Member
  • PipPipPipPip
  • 1,348 posts
Hi cmcrgl,

Go to Start > Run > type msconfig and press enter.

Select Boot.ini

Under this tab, there should be a button that says Check all boot paths. Select that, and then let me know what happens.

Thanks
Cruise
  • 0

#12
cmcrgl

cmcrgl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Hello Cruise,

Started msconfig, but there is NO boot.ini tab visible! Running msconfig brings up this window:

msconfig.JPG

Do I need to get a new copy of msconfig for this machine?

On my own computer, msconfig brings up a window that has a boot.ini tab, and also a radio button on the General tab for selecting between different boot.ini files.

Please advise on the next step.

cmcrgl
  • 0

#13
Cruise475

Cruise475

    Trusted Helper

  • Member
  • PipPipPipPip
  • 1,348 posts
Hi cmcrgl,

If you go to Start > Run and type C:\boot.ini, does the file open without any problems?

Thanks
Cruise
  • 0

#14
cmcrgl

cmcrgl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Cruise,

When I type the command c:/boot.ini in the run window I get an error message window telling me:

Windows cannot find C:\boot.ini Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

I'm pretty sure that it's gone. Opening a command window Start/Run/cmd, going to the root directory of the c drive and typing "boot.ini" as a command gives an error message:

boot.ini is not recognized as an internal or external command.

Searching the root directory for boot.ini yields a "file not found" error.

Something that loads when one does a "regular boot" is deleting the boot.ini file. This is something that, seemingly, does not load/occur when starting in "safe" mode.

What would you like me to try next? I'm guessing that I should rebuild the boot.ini file. Can this be done within windows, or do I need to do it from the recovery panel? That's my guess, but I will await your instructions.

Thanks.
  • 0

#15
Cruise475

Cruise475

    Trusted Helper

  • Member
  • PipPipPipPip
  • 1,348 posts
Hi there cmcrgl,

Sorry about the delay, this is requiring some research :)


Go to Start > Run and type CMD

Once the command prompt opens up navigate to the root (C:\) directory. You can do this by typing cd .. each time, until your prompt shows C:\>

Once you are at your root directory type attrib +s +h +r Boot.ini

Now restart your computer and see if this has helped any.

Thanks
Cruise
  • 0
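The thread turns on whether C:\boot.ini exists and whether NTLDR can use it. As an added example (not code from the thread or from any of the tools mentioned), here is a small Python checker that does roughly what msconfig's "Check all boot paths" button does: it parses the [boot loader] and [operating systems] sections, confirms the default= entry points at a listed ARC path, and reports a missing file the way the thread describes it. The sample boot.ini contents are constructed, not taken from the infected machine.

```python
"""Added example: sanity-check a Windows XP boot.ini (not from the thread).

NTLDR reads C:\\boot.ini: [boot loader] holds timeout= and default=, and
[operating systems] maps each ARC path (or a drive path such as C:\\) to a
menu label plus switches. A missing file or a default= that matches no entry
produces the "Invalid BOOT.INI file / Booting from C:\\windows\\" fallback.
"""
import re
from pathlib import Path

# ARC path like multi(0)disk(0)rdisk(0)partition(1)\WINDOWS, or a C:\ style entry.
ARC_PATH = re.compile(
    r'^(?:(?:multi|scsi|signature)\((?:\d+|[0-9a-f]{8})\)disk\(\d+\)rdisk\(\d+\)'
    r'partition\(\d+\)\\[^\s"]+|[A-Za-z]:\\[^\s"]*)$',
    re.IGNORECASE,
)

# Constructed sample, typical of a single-OS XP install.
SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
"""

def parse_boot_ini(text):
    """Return {section_name: {key: value}}; keys split at the first '='."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def check_boot_ini(text):
    """Return a list of problems; an empty list means NTLDR should be happy."""
    problems = []
    sections = parse_boot_ini(text)
    loader = sections.get("boot loader", {})
    systems = sections.get("operating systems", {})
    if "boot loader" not in sections:
        problems.append("missing [boot loader] section")
    if not systems:
        problems.append("no entries under [operating systems]")
    default = loader.get("default")
    if default is None:
        problems.append("no default= line in [boot loader]")
    elif default.lower() not in {k.lower() for k in systems}:
        problems.append(f"default {default} has no matching [operating systems] entry")
    problems.extend(f"malformed ARC path: {arc}" for arc in systems if not ARC_PATH.match(arc))
    return problems

def check_boot_ini_file(path="C:\\boot.ini"):
    """Check the file on disk; a missing file is the thread's failure mode."""
    p = Path(path)
    if not p.exists():
        return ["boot.ini not found: NTLDR will fall back to C:\\windows\\"]
    return check_boot_ini(p.read_text(errors="replace"))
```

Run it from Safe Mode before and after a normal boot to see whether the file is gone or merely inconsistent; note that a hidden/system/read-only file still counts as present here, so a clean result after attrib +s +h +r is expected.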
