CAN'T RUN CHKDSK EVEN IN SAFE MODE!

DAPOLSZOWY · 03-22-2012, 12:50 PM

HI
JUST FINISHEED READING ABOUT THE THE PERSON WHO HAD THE SAME PROBLEM ON A DIFFERENT OPERATING SYSTEM. I TRIED ALL THE PROCEDURES THAT jcgriff2 SUGGESTED-AS IN "C:\WINDOWS\SYSTEN32\CHKDSK C:\F\F\V\X" AND GOT THE OLD CHKDSK AT NEXT STARTUP MESSAGE. CLICKING YES JUST GETS THE MESSAGE THAT CHKDSK HAS BEEN
CANCELLED. ANY FURTHER HELP WOULD BE GREATLY APPRECIATED!
ALSO, I HAVE EXHAUSTED ANTI VIRUS, ROOTKIT SCANS, ETC TRYING TO GET RID OF THE INFAMOUS "RUSSIAN 666 VIRUS". I'VE GOTTEN DOWN TO WHERE WHEN A FIELD IS FULL OF 6s, I CAN JUST BACKSPACE TO THE BEGINNING OF THE FIELD AND THEN EVERY THING IS OK. EXCEPT THAT WHEN I OPEN IE, THE PAGE OPENS AND THEN SHUTS DOWN. I' M CURRENTLY RUNNING 'OPERA" JUST TO HAVE ACCESS TO ONLINE SCANS, THE LAST BEING Malware Removal Guide for Windows - Select Real Security, WHICH HAS TAKEN ME A WEEK JUST TO RUN THROUGH!
AGAIN, ANY HELP WILL BE GREATLY APPRECIATED!

PS - THIS IS SLL HAPPENING ON A TOSHIBA 505A S6980 LAPTOP.

joeten · 03-22-2012, 01:11 PM

Hi and welcome to TSF please follow the instructions here NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help - Tech Support Forum
gather as much info as you can leave what you cannot http://www.techsupportforum.com/forums/f50/en make a new thread here
and include the info and anything you could not do please mention

**jenae** · 03-22-2012, 02:54 PM

Hi, I agree with Joe, you are still infected please follow instructions and post at the security forum. If you don't mind you can help us learn as your problem with chkdsk is difficult to replicate. Go to start search and type:- cmd, right click on the returned cmd.exe and select "run as administrator" at the prompt (copy paste)

Code:

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager">0 & notepad 0

press enter
post the notepad outcome here.

DAPOLSZOWY · 03-25-2012, 07:56 AM

EXI
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
CriticalSectionTimeout REG_DWORD 0x278d00
GlobalFlag REG_DWORD 0x0
HeapDeCommitFreeBlockThreshold REG_DWORD 0x0
HeapDeCommitTotalFreeThreshold REG_DWORD 0x0
HeapSegmentCommit REG_DWORD 0x0
HeapSegmentReserve REG_DWORD 0x0
ProcessorControl REG_DWORD 0x2
ResourceTimeoutCount REG_DWORD 0x9e340
BootExecute REG_MULTI_SZ autocheck autochk /k:C *
ExcludeFromKnownDlls REG_MULTI_SZ
ObjectDirectories REG_MULTI_SZ \Windows\0\RPC Control
ProtectionMode REG_DWORD 0x1
NumberOfInitialSessions REG_DWORD 0x2
SetupExecute REG_MULTI_SZ
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\DOS Devices
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Executive
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\FileRenameOperations
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Power
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Quota System
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\WPA

DAPOLSZOWY · 03-25-2012, 09:27 AM

I HOPE THAT THIS INFO IS HELPFUL. I COULDN'T UP LOAD TO SPECIFIED SECURITY LINK BECAUSE THE PAGE COULDN'T BE FOUND.

DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Linfa at 18:30:37 on 2012-03-23
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3964.2214 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\windows\system32\svchost.exe -k imgsvc
C:\windows\system32\SearchIndexer.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\System32\igfxpers.exe
C:\windows\system32\igfxsrvc.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files (x86)\IE New Window Maximizer\iemaximizer.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\windows\System32\svchost.exe -k swprv
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\system32\conhost.exe
C:\windows\SysWOW64\cscript.exe
C:\windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uWindow Title = Internet Explorer, optimized for Bing and MSN
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [ccleaner] "C:\Program Files\CCleaner\CCleaner64.exe" /AUTO
uRun: [IE New Window Maximizer] C:\Program Files (x86)\IE New Window Maximizer\iemaximizer.exe
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
mRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\TOSHIBA\Toshiba Online Backup\Activation\TobuActivation.exe" UNATTENDED
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MIF5BA~1\Office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MIF5BA~1\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MIF5BA~1\Office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{4B4B4B5A-54AE-4320-9047-7E7387263C9E} : DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{8E15EEBC-3CBA-40AA-B6F4-E06F4CF916C4}\75051445572656A7 : DhcpNameServer = 168.94.0.15 168.94.0.14
mASetup: {01250B8F-D947-4F8A-9408-FE8E3EE2EC92} - C:\Program Files (x86)\TOSHIBA\My Toshiba\MyToshiba.exe /SETUP
mASetup: {2D46B6DC-2207-486B-B523-A557E6D54B47} - C:\windows\system32\cmd.exe /D /C start C:\windows\system32\ie4uinit.exe -ClearIconCache
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
mRun-x64: [NortonOnlineBackupReminder] "C:\Program Files (x86)\TOSHIBA\Toshiba Online Backup\Activation\TobuActivation.exe" UNATTENDED
.
============= SERVICES / DRIVERS ===============
.
R0 Thpdrv;TOSHIBA HDD Protection Driver;C:\windows\system32\DRIVERS\thpdrv.sys --> C:\windows\system32\DRIVERS\thpdrv.sys [?]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;C:\windows\system32\DRIVERS\Thpevm.SYS --> C:\windows\system32\DRIVERS\Thpevm.SYS [?]
R0 tos_sps64;TOSHIBA tos_sps64 Service;C:\windows\system32\DRIVERS\tos_sps64.sys --> C:\windows\system32\DRIVERS\tos_sps64.sys [?]
R1 MpFilter;Microsoft Malware Protection Driver;C:\windows\system32\DRIVERS\MpFilter.sys --> C:\windows\system32\DRIVERS\MpFilter.sys [?]
R1 SBRE;SBRE;\??\C:\windows\system32\drivers\SBREdrv.sys --> C:\windows\system32\drivers\SBREdrv.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]
R2 cfWiMAXService;ConfigFree WiMAX Service;C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe [2009-8-10 248688]
R2 ConfigFree Gadget Service;ConfigFree Gadget Service;C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe [2009-7-14 42368]
R2 ConfigFree Service;ConfigFree Service;C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe [2009-3-10 46448]
R2 rimspci;rimspci;C:\windows\system32\DRIVERS\rimspe64.sys --> C:\windows\system32\DRIVERS\rimspe64.sys [?]
R2 risdpcie;risdpcie;C:\windows\system32\DRIVERS\risdpe64.sys --> C:\windows\system32\DRIVERS\risdpe64.sys [?]
R2 rixdpcie;rixdpcie;C:\windows\system32\DRIVERS\rixdpe64.sys --> C:\windows\system32\DRIVERS\rixdpe64.sys [?]
R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;C:\windows\system32\DRIVERS\TVALZFL.sys --> C:\windows\system32\DRIVERS\TVALZFL.sys [?]
R3 FwLnk;FwLnk Driver;C:\windows\system32\DRIVERS\FwLnk.sys --> C:\windows\system32\DRIVERS\FwLnk.sys [?]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;C:\windows\system32\drivers\IntcHdmi.sys --> C:\windows\system32\drivers\IntcHdmi.sys [?]
R3 MpNWMon;Microsoft Malware Protection Network Driver;C:\windows\system32\DRIVERS\MpNWMon.sys --> C:\windows\system32\DRIVERS\MpNWMon.sys [?]
R3 NisDrv;Microsoft Network Inspection System;C:\windows\system32\DRIVERS\NisDrvWFP.sys --> C:\windows\system32\DRIVERS\NisDrvWFP.sys [?]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
R3 PGEffect;Pangu effect driver;C:\windows\system32\DRIVERS\pgeffect.sys --> C:\windows\system32\DRIVERS\pgeffect.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\windows\system32\DRIVERS\Rt64win7.sys --> C:\windows\system32\DRIVERS\Rt64win7.sys [?]
R3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;C:\windows\system32\DRIVERS\rtl8192se.sys --> C:\windows\system32\DRIVERS\rtl8192se.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-3-10 135664]
S2 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-3-10 135664]
S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service; [x]
S3 MatSvc;Microsoft Automated Troubleshooting Service;C:\Program Files\Microsoft Fix it Center\Matsvc.exe [2011-6-13 343856]
S3 TMachInfo;TMachInfo;C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-9-29 54136]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service; [x]
S3 TPCHSrv;TPCH Service; [x]
S3 TsUsbFlt;TsUsbFlt;C:\windows\system32\drivers\tsusbflt.sys --> C:\windows\system32\drivers\tsusbflt.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-03-23 23:18:35 -------- d-----w- C:\ProgramData\Geek Squad
2012-03-23 20:30:03 8669240 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{16B894F1-F1AC-48CE-BF47-66EC9A6BD254}\mpengine.dll
2012-03-22 16:28:21 -------- d-----w- C:\Users\Linfa\AppData\Local\FixItCenter
2012-03-22 16:24:55 -------- d-----w- C:\windows\MATS
2012-03-22 16:24:54 -------- d-----w- C:\Program Files\Microsoft Fix it Center
2012-03-22 16:19:41 525544 ----a-w- C:\windows\System32\deployJava1.dll
2012-03-22 16:19:21 472808 ----a-w- C:\windows\SysWow64\deployJava1.dll
2012-03-22 14:36:17 287304 ----a-w- C:\windows\System32\drivers\TrufosAlt.sys
2012-03-22 12:03:03 -------- d-----w- C:\ProgramData\SpeedMaxPc
2012-03-18 01:39:17 49752 ----a-w- C:\windows\System32\drivers\SBREDrv.sys
2012-03-18 01:39:17 27472 ----a-w- C:\windows\System32\sbbd.exe
2012-03-18 01:39:07 -------- d-----w- C:\VIPRERESCUE
2012-03-17 22:12:27 -------- d-----w- C:\windows\SysWow64\wbem\Performance
2012-03-17 22:11:45 303616 ----a-w- C:\SetACL.exe
2012-03-17 22:04:12 290304 ----a-w- C:\subinacl.exe
2012-03-17 22:03:09 -------- d-----w- C:\Reg_Backup
2012-03-17 20:28:24 -------- d-----w- C:\Users\Linfa\AppData\Local\Opera
2012-03-16 16:17:20 12872 ----a-w- C:\windows\System32\bootdelete.exe
2012-03-14 17:33:44 -------- d-----w- C:\Program Files\Synaptics
2012-03-14 02:17:51 5559152 ----a-w- C:\windows\System32\ntoskrnl.exe
2012-03-14 02:17:50 3968368 ----a-w- C:\windows\SysWow64\ntkrnlpa.exe
2012-03-14 02:17:49 3913584 ----a-w- C:\windows\SysWow64\ntoskrnl.exe
2012-03-14 00:43:39 3145728 ----a-w- C:\windows\System32\win32k.sys
2012-03-14 00:43:38 1544192 ----a-w- C:\windows\System32\DWrite.dll
2012-03-14 00:43:37 1077248 ----a-w- C:\windows\SysWow64\DWrite.dll
2012-03-13 21:09:41 -------- d-----w- C:\Users\Linfa\AppData\Roaming\Malwarebytes
2012-03-13 17:25:49 9216 ----a-w- C:\windows\System32\rdrmemptylst.exe
2012-03-13 17:25:49 77312 ----a-w- C:\windows\System32\rdpwsx.dll
2012-03-13 17:25:49 149504 ----a-w- C:\windows\System32\rdpcorekmts.dll
2012-03-13 17:25:48 1031680 ----a-w- C:\windows\System32\rdpcore.dll
2012-03-13 17:25:47 826880 ----a-w- C:\windows\SysWow64\rdpcore.dll
2012-03-13 17:25:47 23552 ----a-w- C:\windows\System32\drivers\tdtcp.sys
2012-03-13 17:25:47 210944 ----a-w- C:\windows\System32\drivers\rdpwd.sys
2012-03-13 13:10:51 -------- d-----w- C:\windows\pss
2012-03-13 01:54:43 -------- d-----w- C:\Users\Linfa\AppData\Local\Babylon
2012-03-13 01:54:42 -------- d-----w- C:\Users\Linfa\AppData\Roaming\Babylon
2012-03-13 01:34:46 -------- d-----w- C:\ProgramData\Stardock
2012-03-13 01:27:20 -------- d-----w- C:\Users\Linfa\AppData\Local\ClipboardManager
2012-03-12 19:31:07 -------- d-----w- C:\windows\System32\SPReview
2012-03-12 19:30:41 -------- d-----w- C:\windows\System32\EventProviders
2012-03-12 19:13:20 1139200 ----a-w- C:\windows\System32\FntCache.dll
2012-03-12 19:13:19 902656 ----a-w- C:\windows\System32\d2d1.dll
2012-03-12 19:13:19 739840 ----a-w- C:\windows\SysWow64\d2d1.dll
2012-03-12 19:11:51 -------- d-----w- C:\Program Files\Microsoft IntelliPoint
2012-03-12 02

05 42672 ----a-w- C:\windows\SysWow64\drivers\fsbts.sys
2012-03-12 02:02:38 8669240 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-03-11 05:15:52 -------- d-----w- C:\ProgramData\iolo
2012-03-11 04

07 -------- d-----w- C:\Users\Linfa\AppData\Roaming\ThemeManager
2012-03-11 04:05:26 -------- d-----w- C:\Users\Linfa\AppData\Local\Theme Manager
2012-03-11 03:03:10 48976 ----a-w- C:\windows\System32\netfxperf.dll
2012-03-11 03:03:10 1942856 ----a-w- C:\windows\System32\dfshim.dll
2012-03-11 03:01:59 1556992 ----a-w- C:\windows\System32\RacEngn.dll
2012-03-11 03:00:59 1796096 ----a-w- C:\windows\System32\certmgr.dll
2012-03-11 02:58:59 2576384 ----a-w- C:\windows\SysWow64\gameux.dll
2012-03-11 02:57:55 155520 ----a-w- C:\windows\System32\drivers\ataport.sys
2012-03-11 02:56:59 86528 ----a-w- C:\windows\SysWow64\isoburn.exe
2012-03-11 02:55:59 60928 ----a-w- C:\Program Files\Windows Defender\MsMpCom.dll
2012-03-11 02:54:58 3072 ----a-w- C:\windows\System32\drivers\en-US\tsusbflt.sys.mui
2012-03-11 02:54:57 2560 ----a-w- C:\windows\System32\drivers\en-US\rdpwd.sys.mui
2012-03-11 02:54:53 6144 ----a-w- C:\windows\System32\drivers\en-US\IPMIDrv.sys.mui
2012-03-11 02:54:53 4608 ----a-w- C:\windows\System32\drivers\en-US\kbdclass.sys.mui
2012-03-11 02:54:45 399872 ----a-w- C:\windows\System32\dpx.dll
2012-03-11 02:54:45 189952 ----a-w- C:\windows\SysWow64\wdscore.dll
2012-03-11 02:54:24 189952 ----a-w- C:\windows\SysWow64\sqmapi.dll
2012-03-11 02:53:11 189952 ----a-w- C:\Program Files (x86)\Windows Portable Devices\sqmapi.dll
2012-03-11 02:53:10 606208 ----a-w- C:\windows\SysWow64\wbem\fastprox.dll
2012-03-11 02:53:10 363008 ----a-w- C:\windows\SysWow64\wbemcomn.dll
2012-03-11 02:35:45 244736 ----a-w- C:\Program Files\Windows Portable Devices\sqmapi.dll
2012-03-11 02:35:44 529408 ----a-w- C:\windows\System32\wbemcomn.dll
2012-03-11 02:34:34 244736 ----a-w- C:\windows\System32\sqmapi.dll
2012-03-10 23:23:24 -------- d-----w- C:\windows\SysWow64\Wat
2012-03-10 23:23:24 -------- d-----w- C:\windows\System32\Wat
2012-03-10 22:22:06 -------- d-----w- C:\Program Files (x86)\IE New Window Maximizer
2012-03-10 22:00:53 487424 ----a-w- C:\windows\SysWow64\msvcp70.dll
2012-03-10 22:00:53 344064 ----a-w- C:\windows\SysWow64\msvcr70.dll
2012-03-10 22:00:52 974848 ----a-w- C:\windows\SysWow64\mfc70.dll
2012-03-10 22:00:52 608448 ----a-w- C:\windows\SysWow64\comctl32.ocx
2012-03-10 22:00:51 -------- d-----w- C:\Program Files (x86)\AML Products
2012-03-10 21:59:22 -------- d-----w- C:\Program Files\Speccy
2012-03-10 21:57:38 -------- d-----w- C:\Program Files\CCleaner
2012-03-10 21

07 -------- d-----w- C:\Users\Linfa\AppData\Local\Microsoft Games
2012-03-10 19:56:38 414368 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-03-10 18:35:06 927800 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{C05154B8-FA85-45EB-BE0C-B3D73230006D}\gapaengine.dll
2012-03-10 18:28:00 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2012-03-10 18:27:52 -------- d-----w- C:\Program Files\Microsoft Security Client
2012-03-10 18:25:48 8643640 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{75AAE4F5-C3D8-4BD8-A613-5FFEAF425895}\mpengine.dll
2012-03-10 17:51:40 509952 ----a-w- C:\windows\System32\ntshrui.dll
2012-03-10 17:51:40 442880 ----a-w- C:\windows\SysWow64\ntshrui.dll
2012-03-10 17:51:21 1395712 ----a-w- C:\windows\System32\mfc42.dll
2012-03-10 17:51:21 1359872 ----a-w- C:\windows\System32\mfc42u.dll
2012-03-10 17:51:20 1164288 ----a-w- C:\windows\SysWow64\mfc42u.dll
2012-03-10 17:51:20 1137664 ----a-w- C:\windows\SysWow64\mfc42.dll
2012-03-10 17:51:13 142336 ----a-w- C:\windows\System32\poqexec.exe
2012-03-10 17:51:13 123904 ----a-w- C:\windows\SysWow64\poqexec.exe
2012-03-10 17:49:55 961024 ----a-w- C:\windows\System32\CPFilters.dll
2012-03-10 17:48:36 1923952 ----a-w- C:\windows\System32\drivers\tcpip.sys
2012-03-10 17:47:11 30208 ----a-w- C:\windows\System32\dnscacheugc.exe
2012-03-10 17:47:11 28672 ----a-w- C:\windows\SysWow64\dnscacheugc.exe
2012-03-10 17:47:11 183296 ----a-w- C:\windows\System32\dnsrslvr.dll
2012-03-10 17:46:59 64512 ----a-w- C:\windows\SysWow64\devobj.dll
2012-03-10 17:46:59 44544 ----a-w- C:\windows\SysWow64\devrtl.dll
2012-03-10 17:46:59 404480 ----a-w- C:\windows\System32\umpnpmgr.dll
2012-03-10 17:46:59 252928 ----a-w- C:\windows\SysWow64\drvinst.exe
2012-03-10 17:46:59 207872 ----a-w- C:\windows\System32\cfgmgr32.dll
2012-03-10 17:46:59 145920 ----a-w- C:\windows\SysWow64\cfgmgr32.dll
2012-03-10 17:46:15 31232 ----a-w- C:\windows\SysWow64\prevhost.exe
2012-03-10 17:46:15 31232 ----a-w- C:\windows\System32\prevhost.exe
2012-03-10 17:44:10 974336 ----a-w- C:\windows\System32\WFS.exe
2012-03-10 17:44:10 267776 ----a-w- C:\windows\System32\FXSCOVER.exe
2012-03-10 17:43:07 2048 ----a-w- C:\windows\SysWow64\tzres.dll
2012-03-10 17:43:07 2048 ----a-w- C:\windows\System32\tzres.dll
2012-03-10 17:39:53 77312 ----a-w- C:\windows\System32\packager.dll
2012-03-10 17:39:53 67072 ----a-w- C:\windows\SysWow64\packager.dll
.
==================== Find3M ====================
.
2012-03-12 19:41:06 152576 ----a-w- C:\windows\SysWow64\msclmd.dll
2012-03-12 19:41:05 175616 ----a-w- C:\windows\System32\msclmd.dll
2012-01-31 12:44:20 279656 ------w- C:\windows\System32\MpSigStub.exe
2011-12-30 06:26:08 515584 ----a-w- C:\windows\System32\timedate.cpl
2011-12-30 05:27:56 478720 ----a-w- C:\windows\SysWow64\timedate.cpl
2011-12-28 03:59:24 498688 ----a-w- C:\windows\System32\drivers\afd.sys
.
============= FINISH: 18:30:55.84 ===============

.

**JackBauer_24** · 03-25-2012, 09:30 AM

You are already receiving assistance here CAN'T RUN CHKDSK EVEN IN SAFE MODE!

please do not post multiple post regarding the same issue.

Your other thread has been merged with this one.

**JackBauer_24** · 03-25-2012, 11:30 AM

You have already posted the log.... No need to post it again since I have merged the threads.

Also is that a ComboFix log if so we can not analize any potential infection logs here.
We are not permitted to and we are not infection personal here.

Your repost will be deleted.

Do you have administrative rights and privileges to your user account?

If you have limited access you may not have the privileges to run a CHKDSK

spunk.funk · 03-25-2012, 12:48 PM

Go to an Elevated Command Prompt and type in fsutil dirty query C:
It should come back and tell you that the C: drive is dirty. This should remove the Dirty bit. Now you can probably type chkdsk C: /F then type a Y and reboot the computer. And Check Disk should run. If this fails, you are infected and you need to post your Hijack This Log in that forum for more help.

**jenae** · 03-25-2012, 08:07 PM

Hi, you have an invalid reg value open regedit and navigate to:-

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager, in the right payne locate this entry:-

BootExecute REG_MULTI_SZ autocheck autochk /k:C *, highlight this entry (BootExecute) and right click, select "modify" in the value data (autocheck autochk /k:C *) will be highlighted, copy paste this here:-

autocheck autochk *

Press OK and restart your computer. Try chkdsk now.

You need to do this manually as the system has a handle on this key and is one that is hard to access.Your current value disables chkdsk on startup.

DAPOLSZOWY · 04-08-2012, 12:48 PM

HEY JENAE,
SORRY IT'S TAKEN SO LONG TO REPLY, BUT I'M SELF TAUGHT AND I'M WORKING MY WAY THROUGH ALL THE SUGGESTIONS THAT I'VE BEEN GETTING. I REPLACED THE REGISTRY VALUE WITH YOURS , REBOOTED, TRIED CHKDSK @ NET START-UP AND GOT THE OLD CXKDSK HAS BEEN CANCELLED. TRIED CHKDSK /F AND GOT THE SAME MESSAGE.
PREVIOUSLY TRIED THE C-DISK IS DIRTY THING, BUT GOT THE SAME RESULTS.

HOPEFULLY YOU GUYS CAN THINK OF SOME MORE THINGS TO TRY! I GUESS THAT I,VE BEEN POSTING THINGS TO THE WRONG THREAD(?),BUT APPARENTLY, I HAVE SOME HOW GOTTEN THE REQUIRED INFO BACK TO THE TECH SUPPORT FORUM FOR YOU ALL TO ANALYZE.
SOMEONE PREVIOUSLY MENTIONED SOMETHING ABOUT "HIJACK THIS".
NOT REALLY SURE WHAT THAT IS, BUT I'LL CHECK IT OUT.
AGAIN, THANKS FOR ALL THE HELP, AND LOOK FORWARD TO ADDITIONAL SUGGESTIONS!
DAVE
P.S. GO BREWERS

DAPOLSZOWY · 04-08-2012, 12:54 PM

[QUOTE=DAPOLSZOWY;3693009]HEY JENAE,
SORRY IT'S TAKEN SO LONG TO REPLY, BUT I'M SELF TAUGHT AND I'M WORKING MY WAY THROUGH ALL THE SUGGESTIONS THAT I'VE BEEN GETTING. I REPLACED THE REGISTRY VALUE WITH YOURS , REBOOTED, TRIED CHKDSK @ NET START-UP AND GOT THE OLD CXKDSK HAS BEEN CANCELLED. TRIED CHKDSK /F AND GOT THE SAME MESSAGE.
PREVIOUSLY TRIED THE C-DISK IS DIRTY THING, BUT GOT THE SAME RESULTS.

HOPEFULLY YOU GUYS CAN THINK OF SOME MORE THINGS TO TRY! I GUESS THAT I,VE BEEN POSTING THINGS TO THE WRONG THREAD(?),BUT APPARENTLY, I HAVE SOME HOW GOTTEN THE REQUIRED INFO BACK TO THE TECH SUPPORT FORUM FOR YOU ALL TO ANALYZE.
SOMEONE PREVIOUSLY MENTIONED SOMETHING ABOUT "HIJACK THIS".
NOT REALLY SURE WHAT THAT IS, BUT I'LL CHECK IT OUT.
AGAIN, THANKS FOR ALL THE HELP, AND LOOK FORWARD TO ADDITIONAL SUGGESTIONS!
DAVE
P.S. GO BREWERS[NO MATTER WHERE YOU GO, THERE YOU ARE!]

joeten · 04-08-2012, 12:54 PM

Hi please don't post hijackthis logs here it is the wrong area of the forum to deal with that

**jenae** · 04-08-2012, 03:38 PM

Hi, for the moment please stay in this thread, your registry value cannot be easily changed, so something has done this and unless the change I asked you to make takes, chkdsk will not run. Please run this cmd again and post the notepad outcome here:-

Code:

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager">0 & notepad 0

BTW please use black text I have ancient eyes and have difficulty reading your tone.

joeten · 04-09-2012, 10:46 AM

Hi jenae sorry I did not want the op to post hjt logs is all

**jenae** · 04-09-2012, 02:52 PM

Hi Joe, no that's fine it's just this section of the registry is treated with kid gloves by the OS, so any changes usually have to be deliberate. So if my suggested reg mod does not take, we need to do more work. NO amt of security work can alter this, until that reg key is changed chkdsk will not run, it's how we turn it off. Plus we need more system changes after this, then I would suggest a run through our security forum to ensure this doesn't happen all over again.

joeten · 04-10-2012, 03:46 AM

Ok jenae seems fair enough and the op now knows about hjt logs so I will watch and hopefully learn (provied I understand)

DAPOLSZOWY · 05-01-2012, 02:46 PM

HI JENAE,
HERE IS THE INFO THAT YOU ASKED FOR. SORRY FOR THE DELAY- HAD TO GET USED TO OPERA 'CAUSE IE9 WON'T RELOAD.
AGAIN, THANKS FOR THE HELP
DAVE

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
CriticalSectionTimeout REG_DWORD 0x278d00
GlobalFlag REG_DWORD 0x0
HeapDeCommitFreeBlockThreshold REG_DWORD 0x0
HeapDeCommitTotalFreeThreshold REG_DWORD 0x0
HeapSegmentCommit REG_DWORD 0x0
HeapSegmentReserve REG_DWORD 0x0
ProcessorControl REG_DWORD 0x2
ResourceTimeoutCount REG_DWORD 0x9e340
BootExecute REG_MULTI_SZ autocheck autochk *
ExcludeFromKnownDlls REG_MULTI_SZ
ObjectDirectories REG_MULTI_SZ \Windows\0\RPC Control
ProtectionMode REG_DWORD 0x1
NumberOfInitialSessions REG_DWORD 0x2
SetupExecute REG_MULTI_SZ

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\DOS Devices
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Executive
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\FileRenameOperations
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Power
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Quota System
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\WPA

**jenae** · 05-01-2012, 03:26 PM

Hi, the system still has a handle on chkdsk go to start, search and type:- cmd, right click on the returned cmd.exe and select "run as administrator" at the prompt type :-

Code:

CHKNTFS /D

press enter this resets to default.

Next press win(start) + r key at the same time in the run box type:- msconfig press OK. Go to the boot tab and put a check in "OS boot information" and apply out.

Restart your computer you will see what loads and a disk check run, if so your chkdsk problem should be fixed.

How did you get on at the security forum?

DAPOLSZOWY · 05-04-2012, 12:21 PM

HI JENAE,
WELL I RAN CHKDSK /D, CHECKED THE "OS BOOT INFO", APPLIED OUT, REBOOTED AND GOT THE OLD NOTORIOUS "CHKDSK HAS BEEN CANCELLED", AGAIN! SO UPON STARTUP, I RAN CHKDSK FROM CMD PROMPT AND WAS TOLD "RUNNING IN READ MODE ONLY- NO
'F' PARAMETER SPECIFIED". RAN CHKDSK /F, HIT YES TO RUN AT NEXT START-UP AND GOT (GUESS WHAT?) CHKDSK HAS BEEN CANCELLED AFTER REBOOTING I DON'T THINK THAT THIS COMPUTER LIKES ME!
OR
GHOSTS IN THE MACHINE?
ANYWAY, THANKS FOR THE HELP AND I'M READY FOR SOME MORE IDEAS.

ALSO, I'VE REQUESTED SOME DIRECTION IN THE PROPER PROCEDURE OF USING THIS SITE. I'VE CHECKED OUT ALL THE RULES AND REGS, BUT CAN'T FIND THE ANY INFO ON THREADS, WHEN TO USE NEW THREADS ETC.. I DON'T KNOW WHAT HALF OF THE TERMS BRING USED IN THE RULES MEAN, IE: FLAMING, TROLLING ETC. IS THERE ANY INFO WHERE I CAN BE MADE AWARE OF THESE THINGS? 'CAUSE I KEEP VIOLATING SOME KIND OF THREADING/POSTING LAWS, AND DON'T WANT TO LOSE MY CORRESPONDANCE PRIVELAGES WITH YOU!
TALK TO YOU SOON,
DAVE

**jenae** · 05-04-2012, 04:11 PM

Hi, the registry setting is correct according to what you posted so either a stuck key is cancelling the chkdsk (press any key to cancel) OR we have a problem elsewhere. Lets cancel disk check for one occasion, open a cmd prompt as admin (as shown) and at the prompt type:-

chkntfs C: /X press enter restart computer

Next go back to cmd (as admin) and type:-

chkdsk C: /F press enter agree Y to run at boot restart, let us know how you get on.

EDIT, do not worry about running fowl of the rules, we will guide you if you do, nothing you have done so far is in anyway outside our rules.