ross549 Posted April 17, 2012

I have a laptop that I am working on that blue screens a minute or so after Windows 7 finishes booting. The message on the blue screen is:

IRQL_NOT_LESS_OR_EQUAL

Using this great tool, the minidump files reveal a problem with ntoskernel.exe. I found here that it sounds like a driver issue. I have scanned the computer with an AVG Rescue CD, and the first pass revealed virii present. Memtest 86 ran fine for two passes with no errors. I assume the hard drive is in OK shape, because CHKDSK came up clean. I have updated the video drivers to the latest version from Intel. Anything else I could look at?

Adam
Guest LilBambi Posted April 17, 2012

I would start looking for all updated drivers for network cards wired and wireless, glide driver/software, webcam software (if there is one built in), sound card, you already did video, chipset drivers from manufacturer. Sometimes those drivers get overwritten by bad stuff when computers get hit. That's just a start.

What virii/malware did the rescue CD find, and was it able to remove it? I am sure Corrine would say we are gonna need some scan results -- like the ones Corrine had alphaomega do on his potentially infected Windows computer.

I had an XP Pro 64-bit system that absolutely loathed a Microsoft Keyboard and a Logitech Webcam (after market USB model). No malware at all. Just hated the drivers. So we really need to determine what's what here.
ross549 Posted April 17, 2012 (Author)

There were 7 trojans found by AVG. I was able to clean out the files, and a subsequent scan revealed they were gone. I highly doubt the machine is suffering from any kind of infection any more. The error messages from Event Viewer really point to the ntoskernel, not anything else. I am really thinking it is a driver/hardware issue.

Adam
Guest LilBambi Posted April 17, 2012

Yes, I agree. But whether it is a leftover problem due to a removed driver that may have been infected remains to be seen. Obviously something appears to be addressing the wrong memory space and it's likely a driver problem. I would get any updates you can to the drivers I mentioned. And go from there.

You could also start disabling drivers for anything you can, but I think replacing drivers by getting updated drivers where possible (makes it easier for Windows to allow an overwrite if there's an updated driver rather than complaining that you already have that driver -- Catch 22).

Yes, it could be that NTOSKRNI.EXE is corrupted or missing as well. But might want to start with the small stuff ... knocking them out first?

BTW: Does it have Windows 7 SP1 on it? If so, maybe try to reinstall it?
Corrine Posted April 17, 2012

> There were 7 trojans found by AVG. I was able to clean out the files, and a subsequent scan revealed they were gone. I highly doubt the machine is suffering from any kind of infection any more. The error messages from Event Viewer really point to the ntoskernel, not anything else. I am really thinking it is a driver/hardware issue. Adam

I'd be happy to review logs if you wish. Otherwise, the #1 place to get help with BSODs/driver issues is Sysnative Forums. It is a new forum I've been helping set up the last couple of months. The other sites that provide help with these issues use the information and tools collected/created by the founders of Sysnative.com.

If you wish to confirm your computer is clean, please do the following:

Please download DDS.scr by sUBs and save it to your desktop: Link
Double-click dds.scr and a command window will appear. This is normal.
Shortly after, two logs will appear, DDS.txt and Attach.txt. A window will open instructing you to save & post the logs.
Save the logs to a convenient place such as your desktop.
Copy the contents of both DDS.txt and Attach.txt logs and post them in your next reply.

To get help with the BSOD/driver issue, follow the instructions here: Blue Screen of Death (BSOD) Posting Instructions - Windows 7 & Vista.

Note: The jcgriff2 referenced in "jcgriff2 BSOD File Collection app" is the same jcgriff2 who is a member here.
Guest LilBambi Posted April 18, 2012

Great resources Corrine!
Corrine Posted April 18, 2012

Oh, yeah. I've been extremely fortunate to have a glimpse of their capabilities. They are absolutely amazing!
Guest LilBambi Posted April 18, 2012

Yes, I am so glad you mentioned them as I didn't even realize they were there!
Guest LilBambi Posted April 18, 2012

It's great that our own jcgriff2 is involved and it certainly makes me strongly encouraged by their offering! Looks like John might want to update his avatar here after the upgrade too.
ross549 Posted April 18, 2012 (Author)

For Corrine, I ran the first tool, and will upload it sometime this afternoon when I am home from work. I don't think the computer is infected any more, but I am fairly certain the BSODs were not being caused by the virii.

Adam
jcgriff2 Posted April 18, 2012

Hi - The bugcheck is likely 0xa or 0xd1 (memory improperly referenced or bad memory referenced) and can be a driver issue.

If the BSODs are being caused by a 3rd party driver, Driver Verifier can help. If D/V finds a violation, it will flag the driver and force the system to BSOD and add additional information to the dump file. D/V needs to run for 24 hours minimum or BSOD - whichever is 1st. You can use the system while D/V runs in the background, but be sure to save your work often as a BSOD may occur at any time.

http://www.sysnative...Driver-Verifier

Regards. . .

jcgriff2
Corrine Posted April 18, 2012

> It's great that our own jcgriff2 is involved and it certainly makes me strongly encouraged by their offering! Looks like John might want to update his avatar here after the upgrade too.

For certain! (I fixed John's avatar.)
ross549 Posted April 18, 2012 (Author)

This is really weird.... I booted the laptop up this afternoon to look at it a bit more, and it is working fine. Right now, it is applying updates, and humming along merrily.... Before, it would blue screen within two minutes of logging in.

Adam
ross549 Posted April 18, 2012 (Author)

I should mention that the only thing I did last night was run SpinRite on the hard drive overnight.
ross549 Posted April 18, 2012 (Author)

Ignore that..... the laptop BSOD'd after the updates required a reboot. Logs to come shortly.

Adam
ross549 Posted April 18, 2012 (Author)

Here is the DDS output.... http://harborpointe.org/DDS.txt

Adam
ross549 Posted April 18, 2012 (Author)

I got the Driver Verifier settings all put together. When I rebooted the computer, the BIOS would no longer boot off the hard drive! The Windows 7 install disc no longer shows a bootable copy of Windows on the hard drive. Off to Ubuntu to see what's going on.....

Adam
ross549 Posted April 18, 2012 (Author)

This is turning into a nightmare. The partition table got wiped somehow during the reboot. Hmm....
Corrine Posted April 18, 2012

. DDS (Ver_2011-08-26.01) - NTFSAMD64 MINIMAL Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31 Run by Luke at 4:49:10 on 2012-04-18 Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3999.3295 [GMT -4:00] . SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . ============== Running Processes =============== . C:\Windows\system32\wininit.exe C:\Windows\system32\lsm.exe C:\Windows\system32\svchost.exe -k DcomLaunch C:\Windows\system32\svchost.exe -k RPCSS C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted C:\Windows\system32\svchost.exe -k netsvcs C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted C:\Windows\system32\svchost.exe -k NetworkService C:\Windows\Explorer.EXE C:\Windows\system32\ctfmon.exe -netsvcs C:\Windows\system32\conhost.exe C:\Windows\System32\svchost.exe -k secsvcs C:\Windows\system32\wbem\wmiprvse.exe C:\Windows\SysWOW64\NOTEPAD.EXE C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\conhost.exe C:\Windows\SysWOW64\cscript.exe C:\Windows\system32\wbem\wmiprvse.exe . ============== Pseudo HJT Report =============== . 
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb uInternet Settings,ProxyOverride = *.local uURLSearchHooks: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar bBitT.dll mURLSearchHooks: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar bBitT.dll mWinlogon: Userinit=userinit.exe BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll BHO: DivX Plus Web Player HTML5 : {326e768d-4182-46fd-9c16-1449a49795f4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll BHO: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar bBitT.dll BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll TB: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar bBitT.dll TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll TB: 
{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe uRun: [HPAdvisor] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN uRun: [Facebook Update] "C:\Users\Luke\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" mRun: [CLMLServer for HP TouchSmart] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" mRun: [DVDAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe" mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe mRun: [QlbCtrl.exe] "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start mRun: [TSMAgent] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" mRun: [TVAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe" mRun: [uCam_Menu] "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam" update "Software\Hewlett-Packard\Media\Webcam" mRun: [updateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5" mRun: [updateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0" mRun: [updatePDIRShortCut] "C:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0" mRun: [updatePSTShortCut] "C:\Program Files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files 
(x86)\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter" mRun: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe mRun: [Mobile Connectivity Suite] "C:\Program Files (x86)\HTC\HTC Sync\Application Launcher\Application Launcher.exe" /startoptions mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW mRun: [sSDMonitor] C:\Program Files (x86)\Common Files\PC Tools\sMonitor\SSDMonitor.exe mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" mPolicies-explorer: NoActiveDesktop = 1 (0x1) mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1) mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5) mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3) mPolicies-system: EnableUIADesktopToggle = 0 (0x0) mPolicies-system: PromptOnSecureDesktop = 0 (0x0) IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000 IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab TCP: Interfaces\{3FA165B0-C6C8-418B-BA59-EC524B2A392F} : 
DhcpNameServer = 192.168.42.129 TCP: Interfaces\{532BBBC3-E11E-4D17-9A54-7C17E0467651} : DhcpNameServer = 192.168.42.129 TCP: Interfaces\{AEE474D9-D89B-4272-BCC2-C67CD89C41CF} : DhcpNameServer = 10.0.1.1 TCP: Interfaces\{AEE474D9-D89B-4272-BCC2-C67CD89C41CF}\05F6474756270AE4564777F627B60A13 : DhcpNameServer = 192.168.2.1 TCP: Interfaces\{AEE474D9-D89B-4272-BCC2-C67CD89C41CF}\35072796E647E416679775966696D2252303D2052485 : DhcpNameServer = 10.10.16.1 TCP: Interfaces\{AEE474D9-D89B-4272-BCC2-C67CD89C41CF}\5465F402737334337354 : DhcpNameServer = 192.168.1.1 Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll BHO-X64: AcroIEHelperStub - No File BHO-X64: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll BHO-X64: DivX Plus Web Player HTML5 : {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll BHO-X64: Increase performance and video formats for your HTML5 - No File BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll BHO-X64: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll BHO-X64: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar bBitT.dll BHO-X64: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files 
(x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll TB-X64: Microsoft Live Search Toolbar: {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll TB-X64: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar bBitT.dll TB-X64: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll TB-X64: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" mRun-x64: [CLMLServer for HP TouchSmart] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" mRun-x64: [DVDAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe" mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" mRun-x64: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe mRun-x64: [QlbCtrl.exe] "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start mRun-x64: [TSMAgent] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" mRun-x64: [TVAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe" mRun-x64: [uCam_Menu] "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam" update "Software\Hewlett-Packard\Media\Webcam" mRun-x64: [updateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5" mRun-x64: [updateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce 
"SOFTWARE\CyberLink\Power2Go\6.0" mRun-x64: [updatePDIRShortCut] "C:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0" mRun-x64: [updatePSTShortCut] "C:\Program Files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter" mRun-x64: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe mRun-x64: [Mobile Connectivity Suite] "C:\Program Files (x86)\HTC\HTC Sync\Application Launcher\Application Launcher.exe" /startoptions mRun-x64: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW mRun-x64: [sSDMonitor] C:\Program Files (x86)\Common Files\PC Tools\sMonitor\SSDMonitor.exe mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll . ================= FIREFOX =================== . 
FF - ProfilePath - C:\Users\Luke\AppData\Roaming\Mozilla\Firefox\Profiles\mak2lxe8.default\ FF - prefs.js: browser.startup.homepage - www.yahoo.com FF - component: C:\Users\Luke\AppData\Roaming\Mozilla\Firefox\Profiles\mak2lxe8.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCoreGecko19.dll FF - component: C:\Users\Luke\AppData\Roaming\Mozilla\Firefox\Profiles\mak2lxe8.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCoreGecko5.dll FF - component: C:\Users\Luke\AppData\Roaming\Mozilla\Firefox\Profiles\mak2lxe8.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCoreGecko6.dll FF - component: C:\Users\Luke\AppData\Roaming\Mozilla\Firefox\Profiles\mak2lxe8.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrlui.dll FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll FF - plugin: C:\Users\Luke\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll FF - plugin: C:\Users\Luke\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll FF - plugin: C:\Users\Luke\AppData\Roaming\Move Networks\plugins\npqmp071705000014.dll FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll . ============= SERVICES / DRIVERS =============== . R3 enecir;ENE CIR Receiver;C:\Windows\system32\DRIVERS\enecir.sys --> C:\Windows\system32\DRIVERS\enecir.sys [?] 
S1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?] S2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2009/08/24 08:42:08];C:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2008-11-28 146928] S2 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_8b2066212420dc24\AESTSr64.exe [2009-8-24 89088] S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384] S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576] S2 gupdate1ca392ab847e6d0;Google Update Service (gupdate1ca392ab847e6d0);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-9-19 133104] S2 hpsrv;HP Service;C:\Windows\system32\Hpservice.exe --> C:\Windows\system32\Hpservice.exe [?] S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe [2011-10-24 632792] S2 Recovery Service for Windows;Recovery Service for Windows;C:\Program Files (x86)\SMINST\BLService.exe [2009-6-1 365952] S2 TVCapSvc;TV Background Capture Service (TVBCS);C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe [2008-11-26 296320] S2 TVSched;TV Task Scheduler (TVTS);C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe [2008-11-26 116096] S3 Com4QLBEx;Com4QLBEx;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-6-1 222512] S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-9-19 133104] S3 HTCAND64;HTC Device Driver;C:\Windows\system32\Drivers\ANDROIDUSB.sys --> C:\Windows\system32\Drivers\ANDROIDUSB.sys [?] 
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;C:\Windows\system32\drivers\IntcHdmi.sys --> C:\Windows\system32\drivers\IntcHdmi.sys [?] S3 JMCR;JMCR;C:\Windows\system32\DRIVERS\jmcr.sys --> C:\Windows\system32\DRIVERS\jmcr.sys [?] S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?] S3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?] S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?] S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\system32\DRIVERS\wdcsam64.sys --> C:\Windows\system32\DRIVERS\wdcsam64.sys [?] . =============== Created Last 30 ================ . 2012-04-18 08:41:43 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{C49B0D55-04A7-46E3-97D6-0F0C9FCB6287}\offreg.dll 2012-04-17 16:17:14 -------- d-----w- C:\Windows\LastGood.Tmp 2012-04-17 12:24:10 -------- d-----w- C:\ProgramData\LightScribe 2012-04-14 01:56:09 3993600 ----a-w- C:\Program Files (x86)\GUTAA34.tmp 2012-04-14 01:56:09 -------- d-----w- C:\Program Files (x86)\GUMAA33.tmp 2012-04-14 00:07:07 8643640 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{C49B0D55-04A7-46E3-97D6-0F0C9FCB6287}\mpengine.dll 2012-04-11 16:12:45 3993600 ----a-w- C:\Program Files (x86)\GUT23B6.tmp 2012-04-11 16:12:45 -------- d-----w- C:\Program Files (x86)\GUM2396.tmp 2012-04-11 03:03:22 3993600 ----a-w- C:\Program Files (x86)\GUTD69.tmp 2012-04-11 03:03:22 -------- d-----w- C:\Program Files (x86)\GUMD39.tmp 2012-04-11 02:59:57 20480 ----a-w- C:\Windows\svchost.exe 2012-04-10 22:25:26 5120 ----a-w- C:\ProgramData\Microsoft\Windows\DRM\EB4E.tmp 2012-04-10 22:25:26 5120 ----a-w- C:\ProgramData\Microsoft\Windows\DRM\EB4D.tmp 2012-04-10 22:25:24 -------- d-----w- C:\Users\Luke\AppData\Roaming\MicroST . 
==================== Find3M ==================== . 2012-02-23 14:18:36 279656 ----a-w- C:\Windows\System32\MpSigStub.exe 2012-02-18 12:41:46 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll 2012-02-15 06:27:54 1031680 ----a-w- C:\Windows\System32\rdpcore.dll 2012-02-15 05:44:57 826368 ----a-w- C:\Windows\SysWow64\rdpcore.dll 2012-02-15 04:47:21 204800 ----a-w- C:\Windows\System32\drivers\rdpwd.sys 2012-02-15 04:46:59 23552 ----a-w- C:\Windows\System32\drivers dtcp.sys 2012-02-10 06:18:10 1541120 ----a-w- C:\Windows\System32\DWrite.dll 2012-02-10 06:17:55 1837568 ----a-w- C:\Windows\System32\d3d10warp.dll 2012-02-10 06:17:54 902656 ----a-w- C:\Windows\System32\d2d1.dll 2012-02-10 06:17:54 320512 ----a-w- C:\Windows\System32\d3d10_1core.dll 2012-02-10 06:17:54 197120 ----a-w- C:\Windows\System32\d3d10_1.dll 2012-02-10 05:41:38 1074176 ----a-w- C:\Windows\SysWow64\DWrite.dll 2012-02-10 05:41:20 218624 ----a-w- C:\Windows\SysWow64\d3d10_1core.dll 2012-02-10 05:41:20 161792 ----a-w- C:\Windows\SysWow64\d3d10_1.dll 2012-02-10 05:41:20 1170944 ----a-w- C:\Windows\SysWow64\d3d10warp.dll 2012-02-10 05:41:19 739840 ----a-w- C:\Windows\SysWow64\d2d1.dll 2012-02-03 04:16:03 3143168 ----a-w- C:\Windows\System32\win32k.sys 2012-01-25 06:27:11 76288 ----a-w- C:\Windows\System32\rdpwsx.dll 2012-01-25 06:27:11 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll 2012-01-25 06:20:59 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe . ============= FINISH: 4:49:28.38 ===============
Corrine Posted April 18, 2012

Hi, Adam. I posted your log here as it is much easier for comparison after the next step, seeing as how I see a trojan in your log.

I'll just post my "mini-lecture" about Bit Torrent. At most security sites, it is required that any P2P programs be uninstalled before moving to the next step. In this case, however, I'll just ask that you refrain from using it until we've finished.

A strong word of caution: P2P programs form a direct conduit on to your computer. They have always been a target of malware writers and are increasingly so of late. P2P security measures are easily circumvented and if your P2P program is not configured correctly, you may be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program. Use of P2P programs can result in Identity Theft. P2P Dangers Have Not Gone Away

Please follow these instructions carefully.

Download ComboFix from one of the following locations: Link 1 Link 2

!!! IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your antivirus and anti-malware security applications. If not disabled, these programs will likely interfere with the cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray.
Note: If you are unsure how to disable your security software, see the instructions in this topic at Tech Support Forum: How to disable your security applications.

If infections are found, ComboFix will automatically reboot the machine to complete the removal process. Please ensure all opened windows are closed before proceeding.

Double-click ComboFix.exe on your desktop and follow the prompts.

As part of the process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. The Recovery Console will allow you to start up the computer in a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Please note: If the Microsoft Windows Recovery Console is already installed on the computer, ComboFix will continue the malware removal procedures.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console. When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click "Yes" to continue scanning for malware.

When finished, a log will be produced. Please include the C:\ComboFix.txt in your next reply.
ross549 Posted April 18, 2012 (Author)

Corrine,

This is not my machine, but a co-worker's. I use bittorrent, but on a linux system, with a few safeguards set up. I know P2P stuff can be dangerous if not managed properly.

What trojan is present? I found a few with AVG Rescue CD, and it said the drive was clean. The virus definition date was 27 Mar 12.

In any case, the master boot record is broken now. I ran Windows update on the machine, and enabled the Driver Verifier settings per post #11, and when I went to reboot, I got the message that no boot device was found. Checking the drive in linux revealed there were no partitions available. SpinRite said the same thing. Right now, I am running a demo of Active Partition Recovery on the drive to see if it can "discover" the partitions. I know the demo will not write anything to the drive, but at least I might be able to see if it is recoverable.

Adam
Corrine Posted April 18, 2012

I've seen too many instances of AVG not doing a very good job of cleaning, and March 27 is a rather old date for definitions.

The correct location for svchost.exe is System32, not Windows:

C:\Windows\svchost.exe

Also, these look suspicious:

C:\Program Files (x86)\GUTAA34.tmp
C:\Program Files (x86)\GUMAA33.tmp
C:\Program Files (x86)\GUT23B6.tmp
C:\Program Files (x86)\GUM2396.tmp
C:\Program Files (x86)\GUTD69.tmp
C:\Program Files (x86)\GUMD39.tmp
C:\ProgramData\Microsoft\Windows\DRM\EB4E.tmp
C:\ProgramData\Microsoft\Windows\DRM\EB4D.tmp
C:\Users\Luke\AppData\Roaming\MicroST

This may be helpful: How to use the Bootrec.exe tool in the Windows Recovery Environment to troubleshoot and repair startup issues in Windows
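The check Corrine applies by eye (a core Windows binary running from a directory it does not belong in) can be scripted. The following is an added example, not code from anyone in this thread; it generalizes the svchost.exe rule to a handful of other core processes, normalizes paths the way Windows compares them (case-insensitive, %SystemRoot% expanded), and runs over a constructed list of image paths rather than a live process listing.

```python
import ntpath

# Directories from which the core Windows service processes legitimately run
# (64-bit Windows 7; SysWOW64 holds the 32-bit svchost.exe). Anything else is
# a red flag, as with the C:\Windows\svchost.exe found in this thread.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "services.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
}

def normalize(path: str) -> str:
    """Case-fold and canonicalise a Windows path (ntpath works on any host)."""
    path = path.strip().strip('"').lower().replace("%systemroot%", r"c:\windows")
    return ntpath.normpath(path)

def misplaced_system_binaries(image_paths):
    """Return (original path, allowed directories) for every core binary
    that runs from somewhere other than its expected directory."""
    findings = []
    for raw in image_paths:
        directory, name = ntpath.split(normalize(raw))
        allowed = EXPECTED_DIRS.get(name)
        if allowed is not None and directory not in allowed:
            findings.append((raw, sorted(allowed)))
    return findings

# Constructed sample resembling image paths pulled from a process listing.
SAMPLE_IMAGE_PATHS = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\SysWOW64\svchost.exe",
    r"%SystemRoot%\System32\lsass.exe",
    r"C:\Windows\svchost.exe",               # the misplaced copy from the thread
    r"C:\Users\Public\Downloads\lsass.exe",  # constructed: named like a system process
    r"C:\Program Files (x86)\SomeApp\app.exe",
]

if __name__ == "__main__":
    for path, allowed in misplaced_system_binaries(SAMPLE_IMAGE_PATHS):
        print(f"SUSPECT {path}  (expected in {', '.join(allowed)})")
```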
ross549 Posted April 18, 2012 Author

I'll give bootrec.exe a try when Active Partition Recovery has completed. It won't be able to fix anything, since it is only the demo. I just wanted to see if it could potentially "discover" the partitions.

I knew that AVG was a bit slower getting definitions out into the field, but I had not heard it was fairly solid otherwise, aside from being a bit of a resource hog at times.

Adam
jcgriff2 Posted April 19, 2012

You should be able to see the HDD in BIOS and with Active Partition Recovery, which is DOS-based.

Driver Verifier can cause no-boot if a boot driver is flagged; running Windows System Restore from Recovery fixes that. I've never seen D/V cause loss of contact with the system partition.
ross549 Posted April 19, 2012 Author

http://www.cgsecurity.org/wiki/TestDisk

This wonderful open source program immediately discovered the partitions on the drive and re-wrote the MBR. I had to do a quick boot repair with the Windows install DVD, but it looks like Windows actually will boot. I did not let it get far, because my primary concern is the recovery of the user data on this drive. I am going to have the customer bring his USB drive in and copy the data over in safe mode. When that is done, I will attempt to repair Windows however I can.

J. C.,

The BIOS on this laptop is strange - first of this type I have ever seen - it does not show the hard disks in the system. It is quite locked down. In Linux, I could see the drive, but no partitions. Active Partition Recovery was not the right tool to run on the drive, I think. I am not sure exactly what it was doing, and it took quite a while to accomplish an analysis on the drive. TestDisk picked the partitions up within about a second of starting the analysis of the disk.

In any case, the MBR was definitely corrupted somehow. How it got that way, I am not sure. Windows might have messed with it (not sure how), or it may have been hit by one of the malware threats Corrine thinks may be present on this machine.

I think the best course of action is to get the user data off and wipe the machine and reinstall Windows. What do you think?

Adam
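What "the drive is visible but has no partitions" looks like at the byte level: the MBR is the first 512-byte sector, with four 16-byte partition entries at offset 0x1BE and a 0x55 0xAA signature at 0x1FE, and a tool such as TestDisk rebuilds that table by scanning for filesystem headers. The parser below is an added example, not TestDisk's code or anything posted in this thread; it decodes the table from constructed sample sectors and tells the intact, empty-table and fully zeroed cases apart.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 0x1BE        # four 16-byte partition entries start here
SIGNATURE_OFFSET = 0x1FE    # 0x55 0xAA marks a valid boot sector
ENTRY_FORMAT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, count

def parse_mbr(sector: bytes) -> dict:
    """Decode a classic (non-GPT) MBR: signature check plus the partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    signature_ok = sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] == b"\x55\xaa"
    partitions = []
    for i in range(4):
        offset = TABLE_OFFSET + 16 * i
        status, ptype, lba_start, count = struct.unpack_from(ENTRY_FORMAT, sector, offset)
        if ptype == 0:  # type 0x00 means the slot is unused
            continue
        partitions.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {"signature_ok": signature_ok, "partitions": partitions}

def diagnose(sector: bytes) -> str:
    """Summarise what a repair tool would have to put back."""
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return "missing 0x55AA signature: sector overwritten, BIOS will usually refuse to boot from it"
    if not info["partitions"]:
        return "signature intact but partition table empty: filesystems may still be on disk, unlisted"
    if not any(p["bootable"] for p in info["partitions"]):
        return "partitions listed but none flagged active: MBR boot code has nothing to chain to"
    return "MBR looks consistent"

def build_mbr(entries) -> bytes:
    """Construct a test sector from (status, type, lba_start, sectors) tuples."""
    sector = bytearray(SECTOR_SIZE)
    for i, entry in enumerate(entries):
        struct.pack_into(ENTRY_FORMAT, sector, TABLE_OFFSET + 16 * i, *entry)
    sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] = b"\x55\xaa"
    return bytes(sector)

# Constructed samples: a healthy single-NTFS-partition disk, and two failure shapes.
HEALTHY_MBR = build_mbr([(0x80, 0x07, 2048, 409600)])  # type 0x07 = NTFS/exFAT
EMPTY_TABLE_MBR = build_mbr([])                         # signature present, no entries
ZEROED_MBR = bytes(SECTOR_SIZE)                         # whole sector wiped

if __name__ == "__main__":
    for name, mbr in [("healthy", HEALTHY_MBR), ("empty table", EMPTY_TABLE_MBR), ("zeroed", ZEROED_MBR)]:
        print(f"{name}: {diagnose(mbr)}")
```

To inspect a real disk read-only from a Linux live system, the first sector can be captured with `dd if=/dev/sdX bs=512 count=1` and passed to parse_mbr.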
ross549 Posted April 19, 2012 Author

A friend of mine at work has a USB drive with a PE environment on it, and it is loaded with tools. We ran Spybot Search and Destroy on it, and it confirmed that the "misplaced" svchost.exe was in fact malware. We are waiting to see if the scan finds anything else.

Adam

EDIT: The only other thing S&D found was a few tracking cookies.
ross549 Posted April 19, 2012 Author

We also ran AntiVir on it, and it removed a few images that had exploit code. After that, Mike (co-worker) began a defrag of the drive (still in the PE environment), and it was running with no end in sight when we left five hours later. Yikes!

Adam
Guest LilBambi Posted April 19, 2012

Joy! Sounds like fun...
ross549 Posted April 20, 2012 Author

Yeah. It was finished when we came in this morning. Looks like Windows is actually running smoothly. I am installing Microsoft Security Essentials and WinPatrol on it so the owner at least has some protection. I've rebooted it several times this morning. So far, so good. Mike also ran some system stress tests on it and those passed with flying colors. It also boots a LOT faster.

Adam
jcgriff2 Posted April 20, 2012

How fast is "a lot faster"?

If you would like the system to measure and report boot time to Desktop, download and save this VBS script to Desktop - bootspeed.vbs - http://sysnative.com/0x1/bootspeed.vbs

Close all windows. Double-click on bootspeed.vbs. Your system will reboot. Upon reaching Desktop, it will display the boot time.

Regards. . .

jcgriff2