

Blue Screen of Death - Windows 7 x64 Home Premium


31 replies to this topic

#1 ross549

    I live here.

  • Forum MVP
  • 9,185 posts

Posted 17 April 2012 - 04:09 PM

I have a laptop that I am working on that blue screens a minute or so after Windows 7 finishes booting.

The message on the blue screen is: IRQL_NOT_LESS_OR_EQUAL

Using this great tool, the minidump files reveal a problem with ntoskrnl.exe.

I found here that it sounds like a driver issue.

I have scanned the computer with an AVG Rescue CD, and the first pass revealed viruses present.


Memtest86 ran fine for two passes with no errors. I assume the hard drive is in OK shape, because CHKDSK came up clean.

I have updated the video drivers to the latest version from Intel.

Anything else I could look at?

Adam
I don't suffer from insanity, I enjoy it.

#2 LilBambi

    Australisches Googler

  • Forum Admins
  • 21,830 posts

Posted 17 April 2012 - 05:23 PM

I would start looking for all updated drivers for network cards wired and wireless, glide driver/software, webcam software (if there is one built in), sound card, you already did video, chipset drivers from manufacturer.  Sometimes those drivers get overwritten by bad stuff when computers get hit.

That's just a start.

What viruses/malware did the rescue CD find, and was it able to remove it?

I am sure Corrine would say we are gonna need some scan results -- like the ones Corrine had alphaomega do on his potentially infected Windows computer. ;)

I had an XP Pro 64-bit system that absolutely loathed a Microsoft Keyboard and a Logitech Webcam (after market USB model). No malware at all. Just hated the drivers.

So we really need to determine what's what here.
Bambi
AKA Fran

My Public Key for Email :: BambisMusings Blog :: Fran's Computer Services Blog :: MyPassionIsBooks Blog :: 5BuckReview :: CNIRadio
"The Net interprets censorship as damage and routes around it." ~John Gilmore (Time Magazine, Dec 6, 1993)

#3 ross549

    I live here.

  • Forum MVP
  • 9,185 posts

Posted 17 April 2012 - 05:44 PM

There were 7 trojans found by AVG. I was able to clean out the files, and a subsequent scan revealed they were gone.

I highly doubt the machine is suffering from any kind of infection any more. The error messages from Event Viewer really point to the ntoskrnl, not anything else.

I am really thinking it is a driver/hardware issue.

Adam

#4 LilBambi

    Australisches Googler

  • Forum Admins
  • 21,830 posts

Posted 17 April 2012 - 06:08 PM

Yes, I agree.  But whether it is a leftover problem due to a removed driver that may have been infected remains to be seen.

Obviously something appears to be addressing the wrong memory space and it's likely a driver problem.

I would get any updates you can to the drivers I mentioned, and go from there. You could also start disabling drivers for anything you can, but I think replacing drivers by getting updated drivers where possible is the better route (it makes it easier for Windows to allow an overwrite if there's an updated driver, rather than complaining that you already have that driver -- Catch 22).

Yes, it could be a corrupted or missing NTOSKRNL.EXE file as well. But you might want to start with the small stuff ... knocking them out first?

BTW: Does it have Windows 7 SP1 on it? If so, maybe try to reinstall it?

#5 Corrine

    The Mystical Rose

  • Forum Admins
  • 3,574 posts

Posted 17 April 2012 - 07:53 PM

ross549, on 17 April 2012 - 05:44 PM, said:

There were 7 trojans found by AVG. I was able to clean out the files, and a subsequent scan revealed they were gone.

I highly doubt the machine is suffering from any kind of infection any more. The error messages from Event Viewer really point to the ntoskrnl, not anything else.

I am really thinking it is a driver/hardware issue.

Adam

I'd be happy to review logs if you wish. Otherwise, the #1 place to get help with BSODs/driver issues is Sysnative Forums. It is a new forum I've been helping set up the last couple of months. The other sites that provide help with these issues use the information and tools collected/created by the founders of Sysnative.com.

If you wish to confirm your computer is clean, please do the following:

Please download DDS.scr by sUBs and save it to your desktop:  Link
  • Double-Click dds.scr and a command window will appear. This is normal.
  • Shortly after two logs will appear, DDS.txt and Attach.txt.
  • A window will open instructing you to save and post the logs.
  • Save the logs to a convenient place such as your desktop.
  • Copy the contents of both DDS.txt and Attach.txt logs and post in your next reply.
To get help with the BSOD/driver issue, follow the instructions here:  Blue Screen of Death (BSOD) Posting Instructions - Windows 7 & Vista.

Note: The jcgriff2 referenced in "jcgriff2 BSOD File Collection app" is the same jcgriff2 who is a member here.

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

#6 LilBambi

    Australisches Googler

  • Forum Admins
  • 21,830 posts

Posted 17 April 2012 - 08:05 PM

Great resources Corrine!

#7 Corrine

    The Mystical Rose

  • Forum Admins
  • 3,574 posts

Posted 17 April 2012 - 08:26 PM

Oh, yeah.  I've been extremely fortunate to have a glimpse of their capabilities.  They are absolutely amazing!

#8 LilBambi

    Australisches Googler

  • Forum Admins
  • 21,830 posts

Posted 17 April 2012 - 11:21 PM

Yes, I am so glad you mentioned them as I didn't even realize they were there!

#9 LilBambi

    Australisches Googler

  • Forum Admins
  • 21,830 posts

Posted 17 April 2012 - 11:24 PM

It's great that our own jcgriff2 is involved and it certainly makes me strongly encouraged by their offering!

Looks like John might want to update his avatar here after the upgrade too.

#10 ross549

    I live here.

  • Forum MVP
  • 9,185 posts

Posted 18 April 2012 - 07:09 AM

For Corrine,

I ran the first tool, and will upload it sometime this afternoon when I am home from work. I don't think the computer is infected any more, but I am fairly certain the BSODs were not being caused by the viruses.

Adam

#11 jcgriff2

    Message Adept

  • Members
  • 47 posts

Posted 18 April 2012 - 11:19 AM

Hi -

The bugcheck is likely 0xa or 0xd1 (memory improperly referenced or bad memory referenced) and can be a driver issue.

If the BSODs are being caused by a 3rd party driver, Driver Verifier can help.  If D/V finds a violation, it will flag the driver and force the system to BSOD and add additional information to the dump file.

D/V needs to run for 24 hours minimum or BSOD - whichever is 1st.  You can use the system while D/V runs in the background, but be sure to save your work often as a BSOD may occur at any time.

http://www.sysnative...Driver-Verifier

Regards. . .

jcgriff2
J. C. Griffith
Windows Expert - Consumer
mvp.microsoft.com/en-us/mvp/Griffith
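Reading the bugcheck code and its four parameters straight out of a dump file, as an added example (this is not code from jcgriff2, Sysnative, or the thread): every kernel crash dump and minidump written by Windows starts with the kernel DUMP_HEADER, and the field offsets below are those of that structure for the 32-bit ("PAGEDUMP") and 64-bit ("PAGEDU64") variants. The parameter decoding follows Microsoft's documented meaning for 0xA and 0xD1 (memory referenced, IRQL, read/write, address of the referencing code). `build_header` is a constructed fixture that fills in only the fields the parser reads, and every address in it is made up.

```python
"""
Pull the bugcheck code and parameters out of a Windows kernel dump header
and decode them for the two IRQL bugchecks (0xA, 0xD1).
Added example; not part of any tool referenced in the thread.
"""
import struct

# DUMP_HEADER offsets for the fields this example reads (assumption: the
# standard kernel dump header; user-mode minidumps start with 'MDMP' instead).
_LAYOUT = {
    b"PAGEDUMP": {"bugcheck_off": 0x28, "param_fmt": "<4I"},  # x86 header
    b"PAGEDU64": {"bugcheck_off": 0x38, "param_fmt": "<4Q"},  # x64 header
}

# Microsoft-documented parameters for both codes:
#   P1 memory referenced, P2 IRQL at the time, P3 0=read / 1=write,
#   P4 address of the instruction that made the reference.
IRQL_BUGCHECKS = {
    0x0A: "IRQL_NOT_LESS_OR_EQUAL",
    0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
}


def read_bugcheck(header):
    """Return (arch, code, params) from the leading bytes of a kernel dump."""
    sig = header[:8]
    if sig not in _LAYOUT:
        raise ValueError("not a kernel crash dump (signature %r)" % sig)
    lay = _LAYOUT[sig]
    off = lay["bugcheck_off"]
    code, = struct.unpack_from("<I", header, off)
    # x64: 4-byte code, 4-byte pad, then four 8-byte parameters.
    # x86: 4-byte code immediately followed by four 4-byte parameters.
    param_off = off + (8 if sig == b"PAGEDU64" else 4)
    params = struct.unpack_from(lay["param_fmt"], header, param_off)
    return ("x64" if sig == b"PAGEDU64" else "x86", code, params)


def describe(code, params):
    """Human-readable line for the IRQL bugchecks; other codes are just named."""
    name = IRQL_BUGCHECKS.get(code)
    if name is None:
        return "bugcheck 0x%X (not decoded by this example)" % code
    p1, p2, p3, p4 = params
    op = {0: "read", 1: "write"}.get(p3, "access type %d" % p3)
    return ("%s (0x%X): %s of 0x%X at IRQL %d by code at 0x%X"
            % (name, code, op, p1, p2, p4))


def build_header(arch, code, params):
    """Constructed test fixture: a header with only the fields read above
    filled in (a real header is 4 KiB and carries many more fields)."""
    if arch == "x64":
        return (b"PAGEDU64" + b"\0" * (0x38 - 8) + struct.pack("<I", code)
                + b"\0" * 4 + struct.pack("<4Q", *params))
    return (b"PAGEDUMP" + b"\0" * (0x28 - 8) + struct.pack("<I", code)
            + struct.pack("<4I", *params))


def analyze_file(path):
    """Read a real dump (e.g. one from C:\\Windows\\Minidump) and describe it."""
    with open(path, "rb") as f:
        arch, code, params = read_bugcheck(f.read(0x1000))
    return arch, describe(code, params)


if __name__ == "__main__":
    # Made-up x64 0xD1: a write to a paged address at DISPATCH_LEVEL (IRQL 2).
    hdr = build_header("x64", 0xD1, (0xFFFFF88003A1C000, 2, 1, 0xFFFFF88004C5A1B0))
    arch, code, params = read_bugcheck(hdr)
    print(arch, describe(code, params))
```

Parameter 4 is the address that did the bad reference; mapping it to a driver needs the loaded-module list, which this example does not walk (WinDbg's `!analyze -v` does that for you). A file whose first eight bytes are not one of the two kernel signatures raises ValueError rather than guessing at offsets.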

#12 Corrine

    The Mystical Rose

  • Forum Admins
  • 3,574 posts

Posted 18 April 2012 - 12:43 PM

LilBambi, on 17 April 2012 - 11:24 PM, said:

It's great that our own jcgriff2 is involved and it certainly makes me strongly encouraged by their offering!

Looks like John might want to update his avatar here after the upgrade too.

For certain!  (I fixed John's avatar.)

#13 Temmu

    The Assimilator

  • Forum MVP
  • 12,064 posts

Posted 18 April 2012 - 12:55 PM

thanks for pointing to this new resource (sysnative), corrine! :flowers: (sorry, no rose icon. perhaps the admins can fix that!)

#14 ross549

    I live here.

  • Forum MVP
  • 9,185 posts

Posted 18 April 2012 - 03:28 PM

This is really weird....

I booted the laptop up this afternoon to look at it a bit more, and it is working fine. Right now, it is applying updates, and humming along merrily....

Before, it would blue screen within two minutes of logging in.

Adam

#15 ross549

    I live here.

  • Forum MVP
  • 9,185 posts

Posted 18 April 2012 - 03:34 PM

I should mention that the only thing I did last night was run SpinRite on the hard drive overnight.

#16 ross549

    I live here.

  • Forum MVP
  • 9,185 posts

Posted 18 April 2012 - 03:48 PM

Ignore that..... the laptop BSOD'd after the updates required a reboot.

Logs to come shortly.

Adam

#17 ross549

    I live here.

  • Forum MVP
  • 9,185 posts

Posted 18 April 2012 - 03:52 PM

Here is the DDS output....

http://harborpointe.org/DDS.txt

Adam

#18 ross549

    I live here.

  • Forum MVP
  • 9,185 posts

Posted 18 April 2012 - 04:11 PM

I got the Driver Verifier settings all put together. When I rebooted the computer, the BIOS would no longer boot off the hard drive!

The Windows 7 install disc no longer shows a bootable copy of Windows on the hard drive.

Off to Ubuntu to see what's going on.....

Adam

#19 ross549

    I live here.

  • Forum MVP
  • 9,185 posts

Posted 18 April 2012 - 06:22 PM

This is turning into a nightmare. The partition table got wiped somehow during the reboot.

Hmm....

#20 Corrine

    The Mystical Rose

  • Forum Admins
  • 3,574 posts

Posted 18 April 2012 - 06:31 PM

.
DDS (Ver_2011-08-26.01) - NTFSAMD64 MINIMAL
Internet Explorer: 9.0.8112.16421  BrowserJavaVersion: 1.6.0_31
Run by Luke at 4:49:10 on 2012-04-18
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.3999.3295 [GMT -4:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
-netsvcs
C:\Windows\system32\conhost.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\tbBitT.dll
mURLSearchHooks: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\tbBitT.dll
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\tbBitT.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll
TB: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\tbBitT.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
uRun: [HPAdvisor] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN
uRun: [Facebook Update] "C:\Users\Luke\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [CLMLServer for HP TouchSmart] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe"
mRun: [DVDAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe"
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun: [QlbCtrl.exe] "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
mRun: [TSMAgent] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe"
mRun: [TVAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe"
mRun: [UCam_Menu] "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam" update "Software\Hewlett-Packard\Media\Webcam"
mRun: [UpdateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
mRun: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
mRun: [UpdatePDIRShortCut] "C:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
mRun: [UpdatePSTShortCut] "C:\Program Files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
mRun: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [Mobile Connectivity Suite] "C:\Program Files (x86)\HTC\HTC Sync\Application Launcher\Application Launcher.exe" /startoptions
mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun: [SSDMonitor] C:\Program Files (x86)\Common Files\PC Tools\sMonitor\SSDMonitor.exe
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: Interfaces\{3FA165B0-C6C8-418B-BA59-EC524B2A392F} : DhcpNameServer = 192.168.42.129
TCP: Interfaces\{532BBBC3-E11E-4D17-9A54-7C17E0467651} : DhcpNameServer = 192.168.42.129
TCP: Interfaces\{AEE474D9-D89B-4272-BCC2-C67CD89C41CF} : DhcpNameServer = 10.0.1.1
TCP: Interfaces\{AEE474D9-D89B-4272-BCC2-C67CD89C41CF}\05F6474756270AE4564777F627B60A13 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{AEE474D9-D89B-4272-BCC2-C67CD89C41CF}\35072796E647E416679775966696D2252303D2052485 : DhcpNameServer = 10.10.16.1
TCP: Interfaces\{AEE474D9-D89B-4272-BCC2-C67CD89C41CF}\5465F402737334337354 : DhcpNameServer = 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64:     AcroIEHelperStub - No File
BHO-X64: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll
BHO-X64: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
BHO-X64:     Increase performance and video formats for your HTML5 <video> - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\tbBitT.dll
BHO-X64: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Microsoft Live Search Toolbar: {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll
TB-X64: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\tbBitT.dll
TB-X64: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll
TB-X64: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [CLMLServer for HP TouchSmart] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe"
mRun-x64: [DVDAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe"
mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun-x64: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun-x64: [QlbCtrl.exe] "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
mRun-x64: [TSMAgent] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe"
mRun-x64: [TVAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe"
mRun-x64: [UCam_Menu] "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam" update "Software\Hewlett-Packard\Media\Webcam"
mRun-x64: [UpdateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
mRun-x64: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
mRun-x64: [UpdatePDIRShortCut] "C:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
mRun-x64: [UpdatePSTShortCut] "C:\Program Files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
mRun-x64: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun-x64: [Mobile Connectivity Suite] "C:\Program Files (x86)\HTC\HTC Sync\Application Launcher\Application Launcher.exe" /startoptions
mRun-x64: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun-x64: [SSDMonitor] C:\Program Files (x86)\Common Files\PC Tools\sMonitor\SSDMonitor.exe
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Luke\AppData\Roaming\Mozilla\Firefox\Profiles\mak2lxe8.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - component: C:\Users\Luke\AppData\Roaming\Mozilla\Firefox\Profiles\mak2lxe8.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCoreGecko19.dll
FF - component: C:\Users\Luke\AppData\Roaming\Mozilla\Firefox\Profiles\mak2lxe8.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCoreGecko5.dll
FF - component: C:\Users\Luke\AppData\Roaming\Mozilla\Firefox\Profiles\mak2lxe8.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCoreGecko6.dll
FF - component: C:\Users\Luke\AppData\Roaming\Mozilla\Firefox\Profiles\mak2lxe8.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Users\Luke\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll
FF - plugin: C:\Users\Luke\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: C:\Users\Luke\AppData\Roaming\Move Networks\plugins\npqmp071705000014.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R3 enecir;ENE CIR Receiver;C:\Windows\system32\DRIVERS\enecir.sys --> C:\Windows\system32\DRIVERS\enecir.sys [?]
S1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
S2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2009/08/24 08:42:08];C:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2008-11-28 146928]
S2 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_8b2066212420dc24\AESTSr64.exe [2009-8-24 89088]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate1ca392ab847e6d0;Google Update Service (gupdate1ca392ab847e6d0);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-9-19 133104]
S2 hpsrv;HP Service;C:\Windows\system32\Hpservice.exe --> C:\Windows\system32\Hpservice.exe [?]
S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe [2011-10-24 632792]
S2 Recovery Service for Windows;Recovery Service for Windows;C:\Program Files (x86)\SMINST\BLService.exe [2009-6-1 365952]
S2 TVCapSvc;TV Background Capture Service (TVBCS);C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe [2008-11-26 296320]
S2 TVSched;TV Task Scheduler (TVTS);C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe [2008-11-26 116096]
S3 Com4QLBEx;Com4QLBEx;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-6-1 222512]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-9-19 133104]
S3 HTCAND64;HTC Device Driver;C:\Windows\system32\Drivers\ANDROIDUSB.sys --> C:\Windows\system32\Drivers\ANDROIDUSB.sys [?]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;C:\Windows\system32\drivers\IntcHdmi.sys --> C:\Windows\system32\drivers\IntcHdmi.sys [?]
S3 JMCR;JMCR;C:\Windows\system32\DRIVERS\jmcr.sys --> C:\Windows\system32\DRIVERS\jmcr.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\system32\DRIVERS\wdcsam64.sys --> C:\Windows\system32\DRIVERS\wdcsam64.sys [?]
.
=============== Created Last 30 ================
.
2012-04-18 08:41:43 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{C49B0D55-04A7-46E3-97D6-0F0C9FCB6287}\offreg.dll
2012-04-17 16:17:14 -------- d-----w- C:\Windows\LastGood.Tmp
2012-04-17 12:24:10 -------- d-----w- C:\ProgramData\LightScribe
2012-04-14 01:56:09 3993600 ----a-w- C:\Program Files (x86)\GUTAA34.tmp
2012-04-14 01:56:09 -------- d-----w- C:\Program Files (x86)\GUMAA33.tmp
2012-04-14 00:07:07 8643640 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{C49B0D55-04A7-46E3-97D6-0F0C9FCB6287}\mpengine.dll
2012-04-11 16:12:45 3993600 ----a-w- C:\Program Files (x86)\GUT23B6.tmp
2012-04-11 16:12:45 -------- d-----w- C:\Program Files (x86)\GUM2396.tmp
2012-04-11 03:03:22 3993600 ----a-w- C:\Program Files (x86)\GUTD69.tmp
2012-04-11 03:03:22 -------- d-----w- C:\Program Files (x86)\GUMD39.tmp
2012-04-11 02:59:57 20480 ----a-w- C:\Windows\svchost.exe
2012-04-10 22:25:26 5120 ----a-w- C:\ProgramData\Microsoft\Windows\DRM\EB4E.tmp
2012-04-10 22:25:26 5120 ----a-w- C:\ProgramData\Microsoft\Windows\DRM\EB4D.tmp
2012-04-10 22:25:24 -------- d-----w- C:\Users\Luke\AppData\Roaming\MicroST
.
==================== Find3M  ====================
.
2012-02-23 14:18:36 279656 ----a-w- C:\Windows\System32\MpSigStub.exe
2012-02-18 12:41:46 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-02-15 06:27:54 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2012-02-15 05:44:57 826368 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2012-02-15 04:47:21 204800 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-02-15 04:46:59 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2012-02-10 06:18:10 1541120 ----a-w- C:\Windows\System32\DWrite.dll
2012-02-10 06:17:55 1837568 ----a-w- C:\Windows\System32\d3d10warp.dll
2012-02-10 06:17:54 902656 ----a-w- C:\Windows\System32\d2d1.dll
2012-02-10 06:17:54 320512 ----a-w- C:\Windows\System32\d3d10_1core.dll
2012-02-10 06:17:54 197120 ----a-w- C:\Windows\System32\d3d10_1.dll
2012-02-10 05:41:38 1074176 ----a-w- C:\Windows\SysWow64\DWrite.dll
2012-02-10 05:41:20 218624 ----a-w- C:\Windows\SysWow64\d3d10_1core.dll
2012-02-10 05:41:20 161792 ----a-w- C:\Windows\SysWow64\d3d10_1.dll
2012-02-10 05:41:20 1170944 ----a-w- C:\Windows\SysWow64\d3d10warp.dll
2012-02-10 05:41:19 739840 ----a-w- C:\Windows\SysWow64\d2d1.dll
2012-02-03 04:16:03 3143168 ----a-w- C:\Windows\System32\win32k.sys
2012-01-25 06:27:11 76288 ----a-w- C:\Windows\System32\rdpwsx.dll
2012-01-25 06:27:11 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
2012-01-25 06:20:59 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
.
============= FINISH:  4:49:28.38 ===============
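A first-pass check a practitioner runs over a DDS log before reading it line by line, as an added example (this is not the DDS tool's own logic and not code from the thread). The "Created Last 30" section above lists C:\Windows\svchost.exe, created 2012-04-11; the real svchost.exe lives in C:\Windows\System32 (and SysWOW64 on x64), so a copy sitting in the Windows root is the entry to look at first. The post itself does not say which entry Corrine means. The excerpt inside the block is a handful of lines copied from the log above; the expected-directory table is this example's own assumption and covers only a few core binaries, so extend it before relying on it.

```python
"""
Sanity check over a DDS log: flag core Windows binaries that are running
from, or were created in, a directory other than the one they live in.
Added example; not the DDS tool's own logic.
"""
import re
from collections import defaultdict

# Excerpt of the DDS output posted above (only the lines this example needs).
SAMPLE_DDS = r"""
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Explorer.EXE
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cmd.exe
.
============= SERVICES / DRIVERS ===============
.
S2 hpsrv;HP Service;C:\Windows\system32\Hpservice.exe --> C:\Windows\system32\Hpservice.exe [?]
.
=============== Created Last 30 ================
.
2012-04-17 16:17:14 -------- d-----w- C:\Windows\LastGood.Tmp
2012-04-11 02:59:57 20480 ----a-w- C:\Windows\svchost.exe
2012-04-10 22:25:24 -------- d-----w- C:\Users\Luke\AppData\Roaming\MicroST
.
============= FINISH:  4:49:28.38 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# Any drive-letter path ending in .exe; paths may contain spaces.
WIN_PATH_RE = re.compile(r"[a-z]:\\.*?\.exe\b", re.IGNORECASE)

# Where each core binary legitimately lives on a 64-bit install.
# Assumption of this example: compared case-insensitively, directory only.
EXPECTED_DIRS = {
    "svchost.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "wininit.exe":  {r"c:\windows\system32"},
    "lsass.exe":    {r"c:\windows\system32"},
    "csrss.exe":    {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "conhost.exe":  {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
    "cmd.exe":      {r"c:\windows\system32", r"c:\windows\syswow64"},
}


def parse_dds(text):
    """Split a DDS log into {section name: [lines]}; '.' spacer lines dropped."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current is not None:
            sections[current].append(line)
    return dict(sections)


def split_path(path):
    directory, _, name = path.rpartition("\\")
    return directory.lower(), name.lower()


def find_masquerading(lines):
    """Every .exe path whose file name is a core Windows binary but whose
    directory is not one where that binary normally lives."""
    hits = []
    for line in lines:
        for path in WIN_PATH_RE.findall(line):
            directory, name = split_path(path)
            expected = EXPECTED_DIRS.get(name)
            if expected is not None and directory not in expected:
                hits.append(path)
    return hits


def check_dds(text):
    """Run the check over the sections where a binary path shows up."""
    sections = parse_dds(text)
    findings = {}
    for name in ("Running Processes", "SERVICES / DRIVERS", "Created Last 30"):
        hits = find_masquerading(sections.get(name, []))
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    for section, paths in check_dds(SAMPLE_DDS).items():
        for p in paths:
            print("%s: %s is outside its expected directory" % (section, p))
```

On the excerpt the only hit is the svchost.exe copy in the Windows root, listed under "Created Last 30". A match here is a lead, not a verdict: confirm it by hashing the file and checking its signature before cleanup, and note that a path the table does not know about (the MicroST folder, the GUT/GUM temp files) simply is not checked by this example.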

#21 OFFLINE   Corrine

Corrine

    The Mystical Rose

  • Forum Admins
  • 3,574 posts

Posted 18 April 2012 - 06:40 PM

Hi, Adam.

I posted your log here as it is much easier for comparison after the next step, seeing as how I see a trojan in your log.

I'll just post my "mini-lecture" about Bit Torrent.  At most security sites, it is required that any P2P programs be uninstalled before moving to the next step.  In this case, however, I'll just ask that you refrain from using it until we've finished.

A strong word of caution:  P2P programs form a direct conduit on to your computer. They have always been a target of malware writers and are increasingly so of late. P2P security measures are easily circumvented and if your P2P program is not configured correctly, you may be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program. Use of P2P programs can result in Identity Theft.  P2P Dangers Have Not Gone Away


Please follow these instructions carefully.

Download ComboFix from one of the following locations:

Link 1
Link 2

!!! IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your antivirus and anti-malware security applications. If not disabled, these programs will likely interfere with the cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray.

    Note:  If you are unsure how to disable your security software, see the instructions in this topic at Tech Support Forum:  How to disable your security applications.
  • If infections are found, ComboFix will automatically reboot the machine to complete the removal process.  Please ensure all opened windows are closed before proceeding.
  • Double-click ComboFix.exe on your desktop and follow the prompts.
  • As part of the process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. The Recovery Console will allow you to start up the computer in a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Please note: If the Microsoft Windows Recovery Console is already installed on the computer, ComboFix will continue the malware removal procedures.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click "Yes" to continue scanning for malware.
  • When finished, a log will be produced. Please include the C:\ComboFix.txt in your next reply.


#22 OFFLINE   ross549

ross549

    I live here.

  • Forum MVP
  • 9,185 posts

Posted 18 April 2012 - 07:06 PM

Corrine,

This is not my machine, but a co-worker's. I use bittorrent, but on a linux system, with a few safeguards set up. I know P2P stuff can be dangerous if not managed properly.

What trojan is present? I found a few with AVG Rescue CD, and it said the drive was clean. The virus definition date was 27 Mar 12.

In any case, the master boot record is broken now. I ran Windows update on the machine, and enabled the Driver Verifier settings per post #11, and when I went to reboot, I got the message that no boot device was found. Checking the drive in linux revealed there were no partitions available. SpinRite said the same thing.

Right now, I am running a demo of Active Partition Recovery on the drive to see if it can "discover" the partitions. I know the demo will not write anything to the drive, but at least I might be able to see if it is recoverable.

Adam

#23 OFFLINE   Corrine

Corrine

    The Mystical Rose

  • Forum Admins
  • 3,574 posts

Posted 18 April 2012 - 07:27 PM

I've seen too many instances of AVG not doing a very good job of cleaning and March 27 is a rather old date for definitions.  The correct location for svchost.exe is System32, not Windows:  C:\Windows\svchost.exe

Also, these look suspicious:

C:\Program Files (x86)\GUTAA34.tmp
C:\Program Files (x86)\GUMAA33.tmp
C:\Program Files (x86)\GUT23B6.tmp
C:\Program Files (x86)\GUM2396.tmp
C:\Program Files (x86)\GUTD69.tmp
C:\Program Files (x86)\GUMD39.tmp
C:\ProgramData\Microsoft\Windows\DRM\EB4E.tmp
C:\ProgramData\Microsoft\Windows\DRM\EB4D.tmp
C:\Users\Luke\AppData\Roaming\MicroST

This may be helpful:  How to use the Bootrec.exe tool in the Windows Recovery Environment to troubleshoot and repair startup issues in Windows
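
Corrine's checks above (svchost.exe belongs only in System32 or SysWow64, .tmp entries under Program Files and ProgramData deserve a look, and a freshly created folder sitting directly under AppData\Roaming such as MicroST) can be applied mechanically to the DDS log lines posted earlier in the thread. The script below is an added example, not part of this thread or of DDS itself; it assumes the "date time size attrs path" line layout seen in the log above, and the sample entries are copied from that log with one clean System32 line added.

```python
import re
from pathlib import PureWindowsPath

# One DDS entry: date, time, size (dashes for a directory), attribute
# flags, then the path, which may itself contain spaces.
LINE_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<size>\d+|-+) (?P<attrs>\S+) (?P<path>.+)$")

# Binaries that legitimately live only in System32 / SysWow64 (per the thread).
SYSTEM_BINARIES = {"svchost.exe"}
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def parse_line(line):
    """Return the fields of one log entry, or None for headers and blank lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(log_text):
    """Return (path, reason) for entries matching the three heuristics from the thread."""
    findings = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        p = PureWindowsPath(entry["path"])
        name, parent = p.name.lower(), str(p.parent).lower()
        is_dir = entry["attrs"].startswith("d")
        if name in SYSTEM_BINARIES and parent not in EXPECTED_DIRS:
            findings.append((entry["path"], f"{name} outside System32/SysWow64"))
        elif p.suffix.lower() == ".tmp" and parent.startswith((r"c:\program files", r"c:\programdata")):
            findings.append((entry["path"], ".tmp entry under Program Files/ProgramData"))
        elif is_dir and parent.endswith(r"\appdata\roaming"):
            findings.append((entry["path"], "new folder directly under AppData\\Roaming"))
    return findings

# Constructed sample: entries copied from the log above plus one clean line.
SAMPLE_LOG = r"""
2012-04-11 03:03:22 -------- d-----w- C:\Program Files (x86)\GUMD39.tmp
2012-04-11 02:59:57 20480 ----a-w- C:\Windows\svchost.exe
2012-04-10 22:25:26 5120 ----a-w- C:\ProgramData\Microsoft\Windows\DRM\EB4E.tmp
2012-04-10 22:25:26 5120 ----a-w- C:\ProgramData\Microsoft\Windows\DRM\EB4D.tmp
2012-04-10 22:25:24 -------- d-----w- C:\Users\Luke\AppData\Roaming\MicroST
==================== Find3M  ====================
2012-02-23 14:18:36 279656 ----a-w- C:\Windows\System32\MpSigStub.exe
"""

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {path}")
```

Run it against a full DDS log to get a short list of entries worth examining before deciding on the next removal step; a hit is a prompt for a closer look, not proof of infection.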

#24 OFFLINE   ross549

ross549

    I live here.

  • Forum MVP
  • 9,185 posts

Posted 18 April 2012 - 07:40 PM

I'll give bootrec.exe a try when Active Partition Recovery has completed. It won't be able to fix anything, since it is only the demo. I just wanted to see if it could potentially "discover" the partitions.

I knew that AVG was a bit slower getting definitions out into the field, but I had not heard it was fairly solid otherwise, aside from being a bit of a resource hog at times.

Adam

#25 OFFLINE   jcgriff2

jcgriff2

    Message Adept

  • Members
  • 47 posts

Posted 19 April 2012 - 01:09 AM

You should be able to see the HDD in BIOS and with Active Partition Recovery, which is DOS-based.

Driver Verifier can cause no-boot if a boot driver is flagged; running Windows System Restore from Recovery fixes that.

I've never seen D/V cause loss of contact with the system partition.

J. C. Griffith
Windows Expert - Consumer
mvp.microsoft.com/en-us/mvp/Griffith
