
Thread: Help with my computer, Bad_Pool_Caller that led to some weird file recovery behaviour

  1. #11
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Awong, how are ya doing? What I was hoping would happen at the PIT was for them to run a test of your hard drive to determine its health and go from there. Let's check a bit further, as there were some bad entries on your DDS log, but we addressed them with OTL.


    Download MBRCheck.exe to your desktop.
    • Be sure to disable your security programs
    • Double click on the file to run it
    • A window will open on your desktop
    • If an unknown bootcode is found you will have further options available to you; at this time press N, then press Enter twice.
    • If nothing unusual is found just press Enter
    • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
    • Please post the contents of that file.

    Please run this free online virus scanner from ESET
    • Note: You will need to use Internet Explorer for this scan
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the option Remove found threats is NOT TICKED, and the option Scan unwanted applications is checked
    • Click Scan
    • Wait for the scan to finish
    • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  2. #12
    Member
    Join Date
    Jan 2009
    Posts
    53

    Default additional logs as requested...

    Hello Ken545,
    Thanks for keeping tabs on me over at PCP.
    Here's the log for MBRCheck and ESET. Looks like ESET found something.
    PCP is also asking for a PIT test to be run. I guess they want to compare analysis-fu. Would that confuse things?

    *****MBRCheck log*****

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000000c

    Kernel Drivers (total 103):

    Processes (total 19):
    0 System Idle Process
    4 System
    768 C:\WINDOWS\system32\smss.exe
    816 csrss.exe
    840 C:\WINDOWS\system32\winlogon.exe
    892 C:\WINDOWS\system32\services.exe
    904 C:\WINDOWS\system32\lsass.exe
    1072 C:\WINDOWS\system32\svchost.exe
    1200 svchost.exe
    1416 C:\WINDOWS\system32\svchost.exe
    1428 svchost.exe
    1592 C:\Program Files\AVG\AVG9\avgchsvx.exe
    1604 svchost.exe
    1784 C:\Program Files\AVG\AVG9\avgcsrvx.exe
    1800 C:\Program Files\AVG\AVG9\avgcsrvx.exe
    456 C:\WINDOWS\explorer.exe
    868 C:\Program Files\Mozilla Firefox\firefox.exe
    1444 C:\Program Files\Mozilla Firefox\plugin-container.exe
    804 C:\Documents and Settings\alexander\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02f10c00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive1 at offset 0x00000000`00100000 (NTFS)

    PhysicalDrive0 Model Number: WDCWD2500JD-75HBC0, Rev: 08.02D08
    PhysicalDrive1 Model Number: TOSHIBAExternal USB 3.0, Rev: 0001

    Size    Device Name         MBR Status
    --------------------------------------------
    232 GB  \\.\PhysicalDrive0  Dell MBR code detected
            SHA1: 84B95CE8A54B7C5C3AAF149934FC46FB70FF8365
    931 GB  \\.\PhysicalDrive1  RE: Windows 2008 MBR code detected
            SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979


    Done!

    *****end MBRCheck log*****

    *****ESET log*****

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=7.00.6000.17112 (vista_gdr.120629-0008)
    # OnlineScanner.ocx=1.0.0.6583
    # api_version=3.0.2
    # EOSSerial=26dd81ad0e4b3342bb9e73ab2c4b9f77
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2012-09-12 03:30:30
    # local_time=2012-09-12 08:30:30 (-0800, Pacific Daylight Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 114539185 114539185 0 0
    # compatibility_mode=1031 16777174 100 93 0 88634288 0 0
    # compatibility_mode=8192 67108863 100 0 32420853 32420853 0 0
    # scanned=252854
    # found=6
    # cleaned=0
    # scan_time=7710
    C:\Documents and Settings\alexander\My Documents\Downloads\cnet_spybotsd162_exe.exe a variant of Win32/InstallCore.D application (unable to clean) 00000000000000000000000000000000 I
    C:\Documents and Settings\alexander\My Documents\Downloads\YouTubeDownloaderSetup34.exe a variant of Win32/Toolbar.Widgi application (unable to clean) 00000000000000000000000000000000 I
    C:\Install\cnet2_audacity-win-1_2_6_exe.exe a variant of Win32/InstallCore.D application (unable to clean) 00000000000000000000000000000000 I
    C:\Install\VLC_32.exe a variant of Win32/InstallIQ application (unable to clean) 00000000000000000000000000000000 I
    C:\Install\YouTubeDownloaderSetup273.exe a variant of Win32/Toolbar.Widgi application (unable to clean) 00000000000000000000000000000000 I
    C:\Install\Nero\wordview_en-us.exe Win32/Toolbar.AskSBar application (unable to clean) 00000000000000000000000000000000 I

  3. #13
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Hi,

    Go ahead back at the PIT and run the tests they would like you to run; it will check all your hardware: your sound, video, memory, hard drive and more.

    It wouldn't hurt to open these folders and remove whatever is in there, but not the folder itself:
    C:\Documents and Settings\alexander\My Documents\Downloads
    C:\Install

    MBRCheck checks your Master Boot Record to see if it's infected, but it is not.


    I want to check to make sure there is not a hidden MBR partition; this is a quick scan.

    ListParts is a small utility that will create a log that contains a listing of all the hard drive partitions on your computer, which can then be posted on the forum where you are receiving help. This tool is useful for diagnosing rootkit infections that create additional hidden partitions on your computer.

    Note: There are both 32-bit and 64-bit versions of GrantPerms available. Please pick the version that matches your operating system's bit type.

    You want to download the 32-bit version:
    http://www.bleepingcomputer.com/download/listparts/

    Another quick scanner
    Download CKScanner by askey127 from Here & save it to your Desktop.
    • Double-click CKScanner.exe, then click Search For Files
    • When the cursor hourglass disappears, click Save List To File
    • A message box will verify the file saved
    • Please Run this program only once
    • Double-click the CKFiles.txt icon on your desktop then copy/paste the contents in your next reply
    Last edited by ken545; 2012-09-13 at 10:32.

  4. #14
    Member
    Join Date
    Jan 2009
    Posts
    53

    Default ListParts and CKScanner logs requested...

    Hello Ken545,

    Here are the logs you requested. I'll also hop over to PCP and run their PIT test as well. The CKScanner seems to be picking up a lot of my texture files, which have "crack" or "cracked" in them.

    Thanks
    AWhang

    *****ListParts log*****

    ListParts by Farbar Version: 10-08-2012
    Ran by alexander (administrator) on 13-09-2012 at 06:57:56
    Windows XP (X86)
    Running From: C:\Documents and Settings\alexander\Desktop
    Language: 0409
    ************************************************************

    ========================= Memory info ======================

    Percentage of memory in use: 20%
    Total physical RAM: 3070.07 MB
    Available physical RAM: 2451.83 MB
    Total Pagefile: 4450.39 MB
    Available Pagefile: 4093.3 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 2003.41 MB

    ======================= Partitions =========================

    1 Drive c: () (Fixed) (Total:228.93 GB) (Free:78.06 GB) NTFS ==>[Drive with boot components (Windows XP)]
    2 Drive d: (TOSHIBA EXT) (Fixed) (Total:931.51 GB) (Free:916.7 GB) NTFS

    Disk ###  Status      Size     Free     Dyn  Gpt
    --------  ----------  -------  -------  ---  ---
    Disk 0    Online      233 GB   0 B
    Disk 1    Online      932 GB   0 B

    Partitions of Disk 0:
    ===============

    Partition ###  Type              Size     Offset
    -------------  ----------------  -------  -------
    Partition 1    OEM               47 MB    32 KB
    Partition 2    Primary           229 GB   47 MB
    Partition 3    Unknown           3938 MB  229 GB
    ======================================================================================================

    Disk: 0
    Partition 1
    Type : DE
    Hidden: Yes
    Active: No

    There is no volume associated with this partition.
    ======================================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: Yes

    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 0  C                 NTFS   Partition   229 GB   Healthy    System (partition with boot components)
    ======================================================================================================

    Disk: 0
    Partition 3
    Type : DB
    Hidden: Yes
    Active: No

    There is no volume associated with this partition.
    ======================================================================================================

    Partitions of Disk 1:
    ===============

    Partition ###  Type              Size     Offset
    -------------  ----------------  -------  -------
    Partition 1    Primary           932 GB   1024 KB
    ======================================================================================================

    Disk: 1
    Partition 1
    Type : 07
    Hidden: No
    Active: No

    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
    ----------  ---  -----------  -----  ----------  -------  ---------  --------
    * Volume 1  D    TOSHIBA EXT  NTFS   Partition   932 GB   Healthy
    ======================================================================================================

    ****** End Of Log ******

    *****CKScanner Log*****

    CKScanner - Additional Security Risks - These are not necessarily bad
    c:\documents and settings\all users\application data\adobe\photoshop elements\6.0\locale\en_us\photo creations metadata\backgrounds\cracked paint.xml
    c:\documents and settings\all users\documents\nintndo ds\professor layton and the diabolical box (u)\00000_no$gba-w\battery\4982 - safecracker - the ultimate puzzle adventure (usa) (en,fr,es) [b].sav
    c:\flexlm\awkeygen.exe
    c:\program files\alias\maya7.0\brushes\fun\cracks.mel
    c:\program files\alias\maya7.0\brushes\fun\cracks.mel.icon
    c:\program files\alias\maya7.0\scripts\others\crackshatter.mel
    c:\program files\autodesk\maya2009\brushes\fun\cracks.mel
    c:\program files\autodesk\maya2009\brushes\fun\cracks.mel.icon
    c:\program files\autodesk\maya2009\scripts\others\crackshatter.mel
    c:\program files\autodesk\maya2009\scripts\others\crackshatter.res.mel
    c:\program files\autodesk\maya2011\brushes\fun\cracks.mel
    c:\program files\autodesk\maya2011\brushes\fun\cracks.mel.icon
    c:\program files\autodesk\maya2011\docs\maya2011\en_us\files\uv_texture_mapping_creating_a_cracker_box_model.htm
    c:\program files\autodesk\maya2011\presets\nparticles\examples\crackegg.ma
    c:\program files\autodesk\maya2011\presets\nparticles\examples\.mayaswatches\crackegg.ma.swatch
    c:\program files\autodesk\maya2011\resources\l10n\ja_jp\scripts\crackshatter.res.mel
    c:\program files\autodesk\maya2011\scripts\others\crackshatter.mel
    c:\program files\autodesk\maya2011\scripts\others\crackshatter.res.mel
    c:\program files\autodesk\maya2012\brushes\fun\cracks.mel
    c:\program files\autodesk\maya2012\brushes\fun\cracks.mel.icon
    c:\program files\autodesk\maya2012\presets\nparticles\examples\crackegg.ma
    c:\program files\autodesk\maya2012\presets\nparticles\examples\.mayaswatches\crackegg.ma.swatch
    c:\program files\autodesk\maya2012\resources\l10n\ja_jp\scripts\crackshatter.res.mel
    c:\program files\autodesk\maya2012\scripts\others\crackshatter.mel
    c:\program files\autodesk\maya2012\scripts\others\crackshatter.res.mel
    c:\program files\gimp-2.0\share\gimp\2.0\patterns\cracked.pat
    c:\program files\jasc software inc\paint shop pro studio\bump maps\cracked desert.pspimage
    c:\program files\jasc software inc\paint shop pro studio\patterns\cracked paint.pspimage
    scanner sequence 3.ZZ.11.JJNAEH
    ----- EOF -----
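The hidden-partition check that ListParts performs on Disk 0 above, written out as an added example that is not part of the original thread and not Farbar's or MBRCheck's own code: it parses a raw 512-byte MBR, hashes the boot code the way MBRCheck reports a SHA1, decodes the four partition entries, and flags what a rootkit investigation looks for (type IDs Windows will not mount, such as the 0xDE and 0xDB entries in the log, overlapping entries, a missing boot signature, and unallocated space after the last partition). The sample MBR is constructed to approximate the Disk 0 layout in the log; the type-name table, the mountable-type set and the 16 MiB slack threshold are assumptions.

```python
import hashlib
import struct

SECTOR = 512
PT_OFFSET = 446           # four 16-byte partition entries start here
BOOT_SIG = b"\x55\xaa"    # last two bytes of a valid MBR

# Partition-type byte -> description (an assumed subset of the documented IDs;
# 0xDE and 0xDB are the two "Hidden: Yes" entries in the ListParts log above).
PARTITION_TYPES = {
    0x07: "NTFS/exFAT", 0x0B: "FAT32 CHS", 0x0C: "FAT32 LBA", 0x0F: "extended",
    0x82: "Linux swap", 0x83: "Linux", 0xDB: "CP/M / Dell restore",
    0xDE: "Dell utility", 0xEE: "GPT protective",
}
# Type IDs Windows XP gives a drive letter to; anything else shows as hidden.
WINDOWS_MOUNTABLE = {0x01, 0x04, 0x06, 0x07, 0x0B, 0x0C, 0x0E}
TAIL_SLACK_SECTORS = 32768  # tolerate up to 16 MiB unallocated at the disk end

def parse_mbr(mbr, disk_sectors=None):
    """Hash the boot code, decode the partition table and collect warnings."""
    if len(mbr) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    parts, warnings = [], []
    for i in range(4):
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, count
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", mbr, PT_OFFSET + 16 * i)
        if ptype == 0x00:
            continue
        name = PARTITION_TYPES.get(ptype, "unknown")
        hidden = ptype not in WINDOWS_MOUNTABLE
        parts.append({"index": i + 1, "active": status == 0x80, "type": ptype,
                      "type_name": name, "hidden": hidden, "lba_start": lba,
                      "sectors": count, "size_mb": count * SECTOR // 2**20})
        if hidden:
            warnings.append(f"partition {i + 1}: hidden type 0x{ptype:02X} ({name})")
    if mbr[510:] != BOOT_SIG:
        warnings.append("missing 0x55AA boot signature")
    if sum(p["active"] for p in parts) != 1:
        warnings.append("expected exactly one active partition")
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    for prev, nxt in zip(ordered, ordered[1:]):
        if nxt["lba_start"] < prev["lba_start"] + prev["sectors"]:
            warnings.append(f"partitions {prev['index']} and {nxt['index']} overlap")
    if disk_sectors and ordered:
        tail = disk_sectors - (ordered[-1]["lba_start"] + ordered[-1]["sectors"])
        if tail > TAIL_SLACK_SECTORS:  # room a bootkit could keep its own data in
            warnings.append(f"{tail * SECTOR // 2**20} MB unallocated after last partition")
    return {"bootcode_sha1": hashlib.sha1(mbr[:440]).hexdigest().upper(),
            "signature_ok": mbr[510:] == BOOT_SIG,
            "partitions": parts, "warnings": warnings}

def build_sample_mbr(entries, bootcode_fill=0x90):
    """Constructed MBR: dummy boot code plus (active, type, lba, sectors) entries."""
    mbr = bytearray([bootcode_fill] * 440) + bytearray(6)  # code, disk sig, pad
    for active, ptype, lba, count in entries:
        mbr += struct.pack("<B3xB3xII", 0x80 if active else 0x00, ptype, lba, count)
    return bytes(mbr + bytes(16) * (4 - len(entries)) + BOOT_SIG)

# Constructed layout approximating Disk 0 in the ListParts log: hidden Dell
# utility partition, active NTFS system partition, hidden 0xDB partition.
SAMPLE_DISK0 = [(False, 0xDE, 63, 96256),
                (True, 0x07, 96319, 478150656),
                (False, 0xDB, 478246975, 8065024)]
SAMPLE_MBR = build_sample_mbr(SAMPLE_DISK0)
```

Running `parse_mbr(SAMPLE_MBR, disk_sectors=486314047)` reports the two hidden partitions and nothing else; the same table on a larger disk, or with an overlapping entry, adds the corresponding warning.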

  5. #15
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Awong,

    c:\flexlm\awkeygen.exe
    Can you explain this? It appears to be some sort of program to circumvent a program license.

  6. #16
    Member
    Join Date
    Jan 2009
    Posts
    53

    Default Not sure...

    "aw" could stand for alias wavefront, which used to own Maya, the software I use at work. I have valid licenses for a suite of programs (now owned by Autodesk) that includes Mudbox, Maya, 3dMax, etc. I bought an educational package a few years back.

    But if it's used to get around a license, then I'm not sure what it's for.

    -AW

  7. #17
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    OK, just want to let you know to never fool around downloading anything via the torrents; the illegal stuff is all infected.

    I see you posted the correct link for your test at the Pit; let's see what they have to say.

  8. #18
    Member
    Join Date
    Jan 2009
    Posts
    53

    Default Sorry about the lapse...

    ...I didn't get a notification that you had replied to my last entry. I think I'm still subscribed to this thread and I usually get an email when you post...not this time though (?).

    Anyways, it looks like their suggestions were all related to optimizing performance. I was hoping that they would have some hints as to why my chkdsk is failing. The bright note is that they didn't find any bug-a-boos so that's a relief.

    I just wish I could get my machine off Safe Mode and have it run successfully through chkdsk. Do you know if, while in chkdsk, it's normal for the machine to stop talking to the monitor? Maybe it is running, just taking a long time?

    Suggestions?

    Thanks
    AWhang

  9. #19
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Awang,

    Are you saying that CHKDSK runs on every startup? Are you not able to boot into normal Windows?

  10. #20
    Member
    Join Date
    Jan 2009
    Posts
    53

    Default chkdsk on boot-up

    Yes, so far, every time I attempt to start it tries to run a chkdsk.
    I'm pretty sure it's because I had asked for a chkdsk and the only way it can start one is on boot-up.

    I recall, after my blue screen of death with the bad pool caller, it was suggested to run a chkdsk, so I tried. But, because my machine keeps dying on the 2nd of 5 checks, it never completes. I then need to shut my machine down (holding the on/off button until the machine dies), then I'd restart...only to end up back on the chkdsk page, where I'd get stuck on the 2nd of 5 again...endless cycle.

    Thanks
    AWhang
