WiredWX Christian Hobby Weather Tools
Virus - H8SRTd.sys

Hello everyone, this is the first time I have ever needed advice fixing my system.

A program installed itself without my permission and began throwing out warnings about a trojan infection and saying I needed to update my virus protection. Avast! is what I was using and it certainly was not the culprit. Spyhunter could not find anything except for an issue with audio and Windows desktop or something or another, can't remember exactly, but it said it fixed them. Observing one of my process monitors, I found nothing odd. The program claimed Task Manager and regedit were infected and had turned them off. This was beginning to annoy me. HijackThis failed to load so I rebooted and that turned into a mistake. The system went into the infinite reboot loop after crashing just as the Windows logo and load bar were about to disappear. Luckily I have ERD Commander 2005 and had it attach to my system. I ran Crash Analyzer and it suspected a H8SRTd.sys driver was the culprit, saying the address was bad or pointing at free space. Deleting this file was futile as it was duplicated on reboot. Rolling back to multiple restore points also did not work. Now I am unsure if my normal anti-virus tools will work with ERD Commander; that is the next step. So I can manipulate files, registry, and anything else, but I am not sure what I am looking for. Any help would be appreciated.

Re: Virus - H8SRTd.sys
Please download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

Re: Virus - H8SRTd.sys
As requested, here is the log. However, it crashes if the registry box is checked, so I had to uncheck it in order to save the log. Attempts to run it with only the registry box checked also failed.


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-11 18:19:06
Windows 5.2.3790
Running: gmer.exe; Driver: C:\agldrfod.sys


---- System - GMER 1.0.15 ----

INT 0x1F \I386\system32\halaacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 806385E4
INT 0x37 \I386\system32\halaacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 80637EF0
INT 0x3D \I386\system32\halaacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 80639190
INT 0x41 \I386\system32\halaacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 80638FF8
INT 0x50 \I386\system32\halaacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 80637FC8
INT 0xC1 \I386\system32\halaacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 80638140
INT 0xD1 \I386\system32\halaacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 80637514
INT 0xE1 \I386\system32\halaacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8063852C
INT 0xE3 \I386\system32\halaacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 80638364
INT 0xFD \I386\system32\halaacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 80638A68
INT 0xFE \I386\system32\halaacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 80638BFC

---- Kernel code sections - GMER 1.0.15 ----

? si3112r.sys The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\drivers\VIDEOPRT.SYS[watchdog.sys!WdGetLastEvent] [F7223410] \SystemRoot\System32\drivers\watchdog.sys (Watchdog Driver/Microsoft Corporation)
IAT \SystemRoot\System32\drivers\VIDEOPRT.SYS[watchdog.sys!WdGetLowestDeviceObject] [F722341A] \SystemRoot\System32\drivers\watchdog.sys (Watchdog Driver/Microsoft Corporation)
IAT \SystemRoot\System32\drivers\VIDEOPRT.SYS[watchdog.sys!WdGetDeviceObject] [F72233FA] \SystemRoot\System32\drivers\watchdog.sys (Watchdog Driver/Microsoft Corporation)
IAT \SystemRoot\System32\drivers\VIDEOPRT.SYS[watchdog.sys!WdCompleteEvent] [F7223482] \SystemRoot\System32\drivers\watchdog.sys (Watchdog Driver/Microsoft Corporation)
IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdResumeDeferredWatch] [F722307E] \SystemRoot\System32\drivers\watchdog.sys (Watchdog Driver/Microsoft Corporation)
IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdSuspendDeferredWatch] [F7223072] \SystemRoot\System32\drivers\watchdog.sys (Watchdog Driver/Microsoft Corporation)
IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdAllocateDeferredWatchdog] [F7226000] \SystemRoot\System32\drivers\watchdog.sys (Watchdog Driver/Microsoft Corporation)
IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdStartDeferredWatch] [F7223000] \SystemRoot\System32\drivers\watchdog.sys (Watchdog Driver/Microsoft Corporation)
IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdStopDeferredWatch] [F72231A8] \SystemRoot\System32\drivers\watchdog.sys (Watchdog Driver/Microsoft Corporation)
IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdFreeDeferredWatchdog] [F722608A] \SystemRoot\System32\drivers\watchdog.sys (Watchdog Driver/Microsoft Corporation)
IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdExitMonitoredSection] [F7223106] \SystemRoot\System32\drivers\watchdog.sys (Watchdog Driver/Microsoft Corporation)
IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdEnterMonitoredSection] [F72230CA] \SystemRoot\System32\drivers\watchdog.sys (Watchdog Driver/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI_HAL \Device\00000004 halaacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
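A small triage script for logs like the one above, added here as example code (not GMER's and not from this thread): it splits a GMER log into its sections and flags the entries a helper would ask about first, such as the "? si3112r.sys ... file specified" line and any "<--- ROOTKIT" marker. SAMPLE_LOG is constructed from lines posted above plus one made-up ROOTKIT entry whose address is a placeholder.

```python
"""Triage a GMER rootkit-scan log: split it into sections and flag the entries
a helper looks at first.  Example code written for this thread, not GMER's own;
SAMPLE_LOG is constructed from lines posted above plus one made-up
'<--- ROOTKIT' entry whose address is a placeholder."""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
VENDOR_RE = re.compile(r"\(([^()/]*)/([^()]*)\)")   # "(Description/Vendor)"
TRUSTED_VENDORS = {"Microsoft Corporation"}

def parse_sections(text):
    """{section name: [entry lines]} between the '---- X - GMER ----' headers;
    the EOF marker closes the last section."""
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = None if m.group(1).startswith("EOF") else m.group(1)
        elif current is not None:
            sections[current].append(line)
    return dict(sections)

def classify(line):
    """Reasons a line deserves a second look (empty list = nothing odd)."""
    reasons, tokens = [], line.split()
    if "<--- ROOTKIT" in line:
        reasons.append("rootkit-marker")            # GMER's own verdict
    if line.startswith("?"):
        reasons.append("file-missing")              # '? si3112r.sys ...' above
    vendors = VENDOR_RE.findall(line)
    if vendors and not all(v.strip() in TRUSTED_VENDORS for _, v in vendors):
        reasons.append("untrusted-vendor")
    if not vendors and tokens and tokens[0] in ("INT", "IAT", "Device"):
        reasons.append("no-vendor-info")            # hook into unnamed code
    return reasons

def triage(text):
    """[(section, line, reasons)] for every flagged entry, in log order."""
    return [(name, line, classify(line))
            for name, lines in parse_sections(text).items()
            for line in lines if classify(line)]

SAMPLE_LOG = """\
GMER 1.0.15.15281 - http://www.gmer.net
---- System - GMER 1.0.15 ----
INT 0x1F \\I386\\system32\\halaacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 806385E4
---- Kernel code sections - GMER 1.0.15 ----
? si3112r.sys The system cannot find the file specified. !
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT \\SystemRoot\\System32\\win32k.sys[watchdog.sys!WdStartDeferredWatch] [F7223000] \\SystemRoot\\System32\\drivers\\watchdog.sys (Watchdog Driver/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
Device \\Driver\\ACPI_HAL \\Device\\00000004 halaacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device \\Driver\\atapi \\Device\\Ide\\IdePort0 00000000 <--- ROOTKIT
---- EOF - GMER 1.0.15 ----
"""

if __name__ == "__main__":
    for section, line, reasons in triage(SAMPLE_LOG):
        print(f"[{section}] {', '.join(reasons)}: {line}")
```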

Re: Virus - H8SRTd.sys
Other than the one blue screen, have you gotten any blue screens with the file listed below:
? si3112r.sys The system cannot find the file specified. !

That seems to be a hard drive firmware driver.

==

We'll take a good check at the Master Boot Record:

Please download Stealth MBR Rootkit Detector by GMER from GMER.net, and save to your Desktop.
  • Double-click mbr.exe to start the program.
  • When done scanning, it will save a log on the Desktop called mbr.log.
  • Please post the contents of that log in your next reply.

Re: Virus - H8SRTd.sys
Okay, working on it right now. ERD has to reboot for my flash drive to show up once removed. I have gotten a blue screen, however I do not remember seeing that name. I'll try to get to the blue screen and find out.

Re: Virus - H8SRTd.sys
It won't work. ERD seems to get in the way of anything being left on the desktop. I checked the desktop folder for every user and couldn't find it. It is possible it left it somewhere strange, what is the name of the file?

Re: Virus - H8SRTd.sys
Try to download it again and save to your Desktop.

Re: Virus - H8SRTd.sys
I mean when I run MBR.exe I cannot find the log. A black box blips across the screen and since ERD doesn't allow you to leave anything on its desktop I have no idea where the file is saved.

Re: Virus - H8SRTd.sys
Try to run it from My Documents folder, and see if it will Save itself in there.

Re: Virus - H8SRTd.sys
No good. Is there an alternate program we can use? The main system is basically forced to load by way of ERD, which works by loading off a CD and into its own shell. Saving anything to its desktop is denied due to it being unable to write. Although it seems like a flaw, I am unable to work around it. If there is a program out there that saves it to the folder in which the parent program resides, it would work without a problem. GMER.exe worked because it let you save it in a directory of your choosing.

Re: Virus - H8SRTd.sys
Download avz4.zip from HERE

  1. Unzip it to your desktop to a folder named avz4
  2. Double click on AVZ.exe to run it.
  3. Run an update by clicking the Auto Update button on the right of the Log window.
  4. Click Start to begin the update

Note: If you receive an error message, choose a different source, then click Start again

  1. Start AVZ.
  2. Choose from the menu "File" => "Standard scripts" and mark the
    "Advanced System Analysis with malware removal mode enabled" check box.
  3. Click on the Execute selected scripts.
  4. Automatic scanning, healing and system check will be executed.
  5. A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  6. It is necessary to reboot your machine, because AVZ might disturb some
    program operations (like antiviruses and firewall) during the system
    scan.
  7. All applications will work properly after the system restart.

When restarted

  1. Start AVZ.
  2. Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Analysis" check box.
  3. Click on the "Execute selected scripts".
  4. A system check will be automatically performed, and the created logfile
    (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory
    as virusinfo_syscheck.zip.

Attach both virusinfo_syscure.zip and virusinfo_syscheck.zip to your next post

To attach a file, do the following:

Go to MediaFire.com and upload them, then post the links here to the downloads.

Re: Virus - H8SRTd.sys
I hope these odd-looking dlls are what I am looking for.

http://www.mediafire.com/download.php?gmnd1cxynn3
http://www.mediafire.com/download.php?jtwzji5ynzn

Re: Virus - H8SRTd.sys
Please download Cheetah-Anti-Rogue, and save to a folder.
  • Double-click on Cheetah-Anti-Rogue.zip, and extract the file to your Desktop.
  • Double-click on Cheetah-Anti-Rogue.cmd to start.
  • It will finish quickly and launch a log.
  • Post the contents of it in your next reply.

Re: Virus - H8SRTd.sys
ERD has no program associated with .cmd. I tried using the console with start /C:Cheetah-Anti-Rogue.cmd but it didn't seem to do anything.

Re: Virus - H8SRTd.sys
Rename it to cheetah.bat and see what happens.

Re: Virus - H8SRTd.sys
Still no good. ERD wasn't meant to automatically recognize this stuff. Is there a way to manually run this command?

Re: Virus - H8SRTd.sys
No. The database is too large.

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that.

Re: Virus - H8SRTd.sys
When running combofix the only thing that happens is a small grey load box appears for about 3 seconds and then disappears. No log is saved anywhere. ERD is hampering our efforts, can we ditch it and somehow get the machine to boot to windows?

Re: Virus - H8SRTd.sys
Please do a scan with Kaspersky Online Scanner

Click on the Accept button and install any components it needs.

  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file somewhere.
  • Copy and paste that information in your next post.

Re: Virus - H8SRTd.sys
Okay, I will try, but it will take some time for me to configure ERD to connect to the internet. You should be aware that ERD is a diagnostics shell with its own system files, processes, services, etc... and is only intended to use its own software to remedy problems.

PS I probably will not be able to reply until sometime around midnight tonight. I work heavy hours over the weekend.

Last edited by Valyndiir01 on 15th January 2010, 9:37 pm; edited 1 time in total (Reason for editing : weekend work hours)

Re: Virus - H8SRTd.sys
ERD is unable to connect to the internet and offers no configurations.

Re: Virus - H8SRTd.sys
Since this is not allowing us to continue, our help ends here. I can say that your system is mostly clean, if not all the way.

My apologies.

Re: Virus - H8SRTd.sys
You are telling me that, for future reference, if a system will not boot to Windows, I should reformat and not waste my time? I have no idea why rolling back to a restore point would cause my computer to crash on reboot. What a crock, it loaded fine before the restore point.

Re: Virus - H8SRTd.sys
I am not giving up yet, I still have other tricks up my sleeve.

Here is the blue screen for the main hard drive.

STOP: C000021a {Fatal System Error}
The Windows Logon Process system process terminated with a status of 0xc0000135 (0x00000000 0x00000000).
The system has been shut down.

BTW si3112r.sys is a Silicon Image SATA firmware driver. No idea why it would be a problem when the main drive is a SCSI and the fact I disabled the SATA array to begin with. I am going to reinstall this system file and it will no longer be in question.

Re: Virus - H8SRTd.sys
I am not giving up yet, I still have other tricks up my sleeve.

Please stay calm.

if a system will not boot to windows, I should reformat and not waste my time

Sometimes, that will be the solution, especially depending on how damaged the system is.

Can you tell me why you have ERD Commander 2005? This is an enterprise tool and is rather expensive for just a home user.

If you use it for home, how did you obtain it?

This enterprise tool has multiple commands and specific qualities built in to just rescue files, and attempt to repair.

With that in mind, any of the diagnostics that fail to work, the system will not boot on its own to Windows.

The diagnostics will continue to fail, so using ERD Commander 2005 will not function properly.

After checking with an expert on ERD Commander, it was said that the specific error code you have given when trying to boot, is a Registry Error, and there is no way to repair it from ERD Commander.

Now it is time to attempt to repair. Keep in mind, if this fails, a reformat and reinstall of your Operating System is going to be recommended in order to get the computer back in correct state.

This topic has been moved, so other advisors can reply in, if necessary.

This error code: 0xc0000135 (0x00000000 0x00000000).
is a sign that the file userinit.exe is damaged, or is incorrectly referenced in the Registry.

It is time to replace this file, and fix the reference in the Registry that appears to be the source of the problem.

Failure to follow these instructions clearly and properly will cause permanent damage.
Print these instructions, as it may be easier.

=====
To fix the Registry via Recovery Console:
  1. Insert the Windows XP startup disk into the floppy disk drive, or insert the Windows XP CD-ROM into the CD-ROM drive, and then restart the computer. Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted to do so.
  2. When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  3. If you have a dual-boot or multiple-boot computer, select the installation that you want to access from the Recovery Console.
  4. When you are prompted to do so, type the Administrator password. If the administrator password is blank, just press ENTER.
  5. At the Recovery Console command prompt, type the following lines, pressing ENTER after you type each line:
    md tmp
    copy c:\windows\system32\config\system c:\windows\tmp\system.bak
    copy c:\windows\system32\config\software c:\windows\tmp\software.bak
    copy c:\windows\system32\config\sam c:\windows\tmp\sam.bak
    copy c:\windows\system32\config\security c:\windows\tmp\security.bak
    copy c:\windows\system32\config\default c:\windows\tmp\default.bak

    delete c:\windows\system32\config\system
    delete c:\windows\system32\config\software
    delete c:\windows\system32\config\sam
    delete c:\windows\system32\config\security
    delete c:\windows\system32\config\default

    copy c:\windows\repair\system c:\windows\system32\config\system
    copy c:\windows\repair\software c:\windows\system32\config\software
    copy c:\windows\repair\sam c:\windows\system32\config\sam
    copy c:\windows\repair\security c:\windows\system32\config\security
    copy c:\windows\repair\default c:\windows\system32\config\default


  6. Type exit to quit Recovery Console. Your computer will restart.


Try to boot the computer and see if it boots.

If it does, then skip everything below, and let me know if you can log on successfully to Windows.

If it does not, then do the following:
Go to the Recovery Console again and log on to the current installation.

When you get to the Recovery Console prompt, type cd \ and press "Enter".

Type cd system~1\_resto~1 and press "Enter".

Type dir and press "Enter".

After you press enter you will see a list of folders (like rp1, rp2). If the list of restore points has more than one page, then press the "Enter" key until you reach the end of the list.

Type cd rp {number of the second to last folder in the list} and press "Enter".
Note: Example: cd rp9 if the last restore point is rp10

Type cd snapshot and press "Enter".

Type copy _registry_machine_system c:\windows\system32\config\system and press "Enter".

Type copy _registry_machine_software c:\windows\system32\config\software and press "Enter".

Type exit and press "Enter".

Your PC will reboot. See if it will boot and log in.

=======================

If you get an access denied error when doing the above, then do the following at the recovery console:

Type cd \ and press "Enter".

Type cd windows\system32\config and press "Enter".

Type ren system system.bak and press "Enter".

Type exit and press "Enter".

Your PC will reboot, go back into the Recovery Console and start from the beginning.

=====


Boot the computer and see if it will start and log in.
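The hive-swap procedure above, reproduced as a Python script (an added example, not from this thread, Microsoft or ERD Commander) for the situation this thread ran into, where the recovery environment answers "Access denied": it assumes the Windows volume is mounted read-write under another OS, such as a Linux live CD at /mnt/win, and works in that mount root in place of c:\. It performs the same file operations as the Recovery Console steps (back up the five live hives to windows\tmp, copy in the windows\repair set, or fall back to _registry_machine_system and _registry_machine_software from the second-to-last restore point), choosing the restore-point folder by number so rp9 is not sorted after rp10; the sample volume built by build_sample_volume() is constructed.

```python
"""Registry-hive swap from the procedure above, for a Windows volume mounted under
another OS.  Example code for this thread, not Microsoft's; sample volume constructed."""
import re
import shutil
import tempfile
from pathlib import Path

HIVES = ("system", "software", "sam", "security", "default")
RP_RE = re.compile(r"^rp(\d+)$", re.IGNORECASE)

def backup_hives(root):
    """First block of step 5: copies of the live hives in windows\\tmp."""
    config, tmp = root / "windows/system32/config", root / "windows/tmp"
    tmp.mkdir(exist_ok=True)
    for hive in HIVES:
        shutil.copy2(config / hive, tmp / f"{hive}.bak")

def restore_from_repair(root):
    """Last block of step 5: all five install-time hives from windows\\repair."""
    config, repair = root / "windows/system32/config", root / "windows/repair"
    backup_hives(root)
    for hive in HIVES:
        shutil.copy2(repair / hive, config / hive)

def pick_restore_point(root):
    """Second-to-last rpN folder by number (a plain listing sorts rp10 before rp9)."""
    points = []
    for restore_dir in (root / "System Volume Information").glob("_restore*"):
        for rp in restore_dir.iterdir():
            m = RP_RE.match(rp.name)
            if m and rp.is_dir():
                points.append((int(m.group(1)), rp))
    points.sort()
    if len(points) < 2:
        raise RuntimeError("need at least two restore points to skip the last")
    return points[-2][1]

def restore_from_snapshot(root):
    """Fallback: only system and software, as in the procedure; returns the RP used."""
    config = root / "windows/system32/config"
    snapshot = pick_restore_point(root) / "snapshot"
    backup_hives(root)
    for hive in ("system", "software"):
        shutil.copy2(snapshot / f"_registry_machine_{hive}", config / hive)
    return snapshot.parent.name

def hive_contents(root):
    return {h: (root / "windows/system32/config" / h).read_text() for h in HIVES}

def build_sample_volume():
    """Constructed volume: live hives, repair copies, restore points RP1/RP9/RP10."""
    root = Path(tempfile.mkdtemp())
    config = root / "windows/system32/config"
    config.mkdir(parents=True)
    (root / "windows/repair").mkdir()
    for hive in HIVES:
        (config / hive).write_text(f"live-{hive}")
        (root / "windows/repair" / hive).write_text(f"repair-{hive}")
    for n in (1, 9, 10):  # {GUID} stands in for the real _restore{...} name
        snap = root / "System Volume Information/_restore{GUID}" / f"RP{n}/snapshot"
        snap.mkdir(parents=True)
        for hive in ("system", "software"):
            (snap / f"_registry_machine_{hive}").write_text(f"rp{n}-{hive}")
    return root
```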

Re: Virus - H8SRTd.sys
[quote="DragonMaster Jay"]
Can you tell me why you have ERD Commander 2005? This is an enterprise tool and is rather expensive for just a home user.

If you use it for home, how did you obtain it?
[/quote]

Expense is subjective as are moody queries. Why are you curious?

md tmp
copy c:\windows\system32\config\system c:\windows\tmp\system.bak
Access denied

What now?

Re: Virus - H8SRTd.sys
Reformat and reinstall. System repair failed.

And since you are not willing to take this matter professionally, this topic is now closed.
