Unexpected error '0xC0000034'

By kryan · 19 replies
Oct 9, 2010
  1. Hi everyone.

    I initially posted on the Windows BSOD, Freezing and Restarting Help forum.

    I had a problem where my system froze at startup. I was being helped by two members, B00kWyrm and Route44. In one of my logs they pointed out a system error where system restore was unable to complete.

    They said that unexpected error '0xC0000034' means that it could not find this file '_filelst.cfg', and that this behavior has been observed as a result of malware/Trojans.

    They suggested a check-up at the Malware and Virus Removal forum.

    Since I last posted, the problem has been getting progressively worse to the point where the system freezes almost every time I start it up.

    Attached are the logs from DDS. Malwarebytes doesn't detect any threats. I tried running GMER, but the system hangs every single time, so I'm unable to attach a log.

  2. Broni

    Broni Malware Annihilator Posts: 54,258   +383

  3. kryan

    kryan TS Rookie Topic Starter Posts: 65

    I tried running GMER again with "Devices" unchecked and in safe mode. Each time, the scan was interrupted by a blue screen, either "irql_not_less_or_equal" or "pfn_list_corrupt".

    Attached are the most recent logs from DDS and MBAM.

  4. Broni

    Broni Malware Annihilator Posts: 54,258   +383

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.


    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  5. kryan

    kryan TS Rookie Topic Starter Posts: 65

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000000d

    Kernel Drivers (total 121):

    Processes (total 40):

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: ST3500630AS, Rev: 3.AAE

    Size Device Name MBR Status
    465 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


  6. Broni

    Broni Malware Annihilator Posts: 54,258   +383

    MBRCheck log looks good :)

    Combofix looks good too.

    I doubt we're dealing with any infection here, but we'll keep checking.

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    • Under the Custom Scan box paste this in:

    %systemroot%\*. /mp /s
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %PROGRAMFILES%\Common Files\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %USERPROFILE%\Favorites\*.url /x
    %ALLUSERSPROFILE%\*.dat /x
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %systemroot%\pchealth\helpctr\System\*.exe /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  7. kryan

    kryan TS Rookie Topic Starter Posts: 65

    Logs are too long to paste in my post. I've attached them instead.

  8. Broni

    Broni Malware Annihilator Posts: 54,258   +383

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
      O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
      O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
      [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
      @Alternate Data Stream - 151 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8CE646EE
      @Alternate Data Stream - 139 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C8B8CEBD
      @Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.


    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.

    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If ESET doesn't find any threats, it won't produce any log.
  9. kryan

    kryan TS Rookie Topic Starter Posts: 65

    Okay, new problem.

    Whenever I try to boot my computer, I get the message "\WINDOWS\SYSTEM32\CONFIG\SYSTEM - file missing or corrupt".

    It then asks me to insert my Windows CD and repair the installation. Should I go ahead and do this?
  10. Broni

    Broni Malware Annihilator Posts: 54,258   +383

    Please, do so.
    It looks like the system hive got corrupted - this may happen when dealing with an infection.
    Keep me posted.
  11. kryan

    kryan TS Rookie Topic Starter Posts: 65

    I've been trying to complete the ESET scan over the past couple of days, but my system either freezes or crashes to a blue screen during the process. The same thing happens in safe mode as well.
  12. Broni

    Broni Malware Annihilator Posts: 54,258   +383

    Wait. I assume the repair installation worked?
  13. kryan

    kryan TS Rookie Topic Starter Posts: 65

    Actually, it started booting again. The prompt hasn't appeared since then. Attached are the logs from OTL and Security Check. Will upload the ESET log if it ever completes.

  14. Broni

    Broni Malware Annihilator Posts: 54,258   +383

    OK :)..........
  15. kryan

    kryan TS Rookie Topic Starter Posts: 65

    ESET scan results attached.

  16. Broni

    Broni Malware Annihilator Posts: 54,258   +383

    Your computer is clean

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now we'll remove all the tools we used during our cleaning process.

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. Run defrag at your convenience.

    11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    12. Please let me know how your computer is doing.
  17. kryan

    kryan TS Rookie Topic Starter Posts: 65

    OTL log attached.

    I removed DDS, GMER, MBRCheck, ComboFix, OTL and ESET. I also installed Windows updates as well as updates to the programs highlighted by Secunia PSI.

    Today is the first day in over a week that I've been able to use my computer. Over the past few days I got BSODs and freezes within minutes of starting up.

  18. Broni

    Broni Malware Annihilator Posts: 54,258   +383

    I'm glad to hear good news :)

    If no other issues...

    Way to go!!
    Good luck and stay safe :)
  19. kryan

    kryan TS Rookie Topic Starter Posts: 65

    Thanks for all the help, Broni.
  20. Broni

    Broni Malware Annihilator Posts: 54,258   +383

    You're very welcome :)
Topic Status:
Not open for further replies.
