
Blue Screen of Death - Windows 7 x64 Home Premium


ross549


I have a laptop that I am working on that blue screens a minute or so after Windows 7 finishes booting.

 

The message on the blue screen is: IRQL_NOT_LESS_OR_EQUAL

 

Using this great tool, the minidump files reveal a problem with ntoskrnl.exe.

 

I found here that it sounds like a driver issue.

 

I have scanned the computer with an AVG Rescue CD, and the first pass revealed virii present.

 

Memtest 86 ran fine for two passes with no errors. I assume the hard drive is in OK shape, because CHKDSK came up clean.

 

I have updated the video drivers to the latest version from Intel.

 

Anything else I could look at?

 

Adam


Guest LilBambi

I would start looking for all updated drivers for network cards (wired and wireless), glide driver/software, webcam software (if there is one built in), sound card (you already did video), and chipset drivers from the manufacturer. Sometimes those drivers get overwritten by bad stuff when computers get hit.

 

That's just a start.

 

What virii/malware did the rescue CD find, and was it able to remove it?

 

I am sure Corrine would say we are gonna need some scan results -- like the ones Corrine had alphaomega do on his potentially infected Windows computer. ;)

 

I had an XP Pro 64-bit system that absolutely loathed a Microsoft Keyboard and a Logitech Webcam (after market USB model). No malware at all. Just hated the drivers.

 

So we really need to determine what's what here.


There were 7 trojans found by AVG. I was able to clean out the files, and a subsequent scan revealed they were gone.

 

I highly doubt the machine is suffering from any kind of infection any more. The error messages from Event Viewer really point to ntoskrnl.exe, not anything else.

 

I am really thinking it is a driver/hardware issue.

 

Adam


Guest LilBambi

Yes, I agree. But whether it is a leftover problem due to a removed driver that may have been infected remains to be seen.

 

Obviously something appears to be addressing the wrong memory space and it's likely a driver problem.

 

I would get any updates you can to the drivers I mentioned. And go from there. You could also start disabling drivers for anything you can, but I think replacing drivers by getting updated drivers where possible is better (it makes it easier for Windows to allow an overwrite if there's an updated driver, rather than complaining that you already have that driver -- Catch 22).

 

Yes, it could be that NTOSKRNL.EXE is corrupted or missing as well. But you might want to start with the small stuff ... knocking them out first?

 

BTW: Does it have Windows 7 SP1 on it? If so, maybe try to reinstall it?


There were 7 trojans found by AVG. I was able to clean out the files, and a subsequent scan revealed they were gone.

 

I highly doubt the machine is suffering from any kind of infection any more. The error messages from Event Viewer really point to the ntoskernel, not anything else.

 

I am really thinking it is a driver/hardware issue.

 

Adam

 

I'd be happy to review logs if you wish. Otherwise, the #1 place to get help with BSOD's/driver issues is Sysnative Forums. It is a new forum I've been helping set up the last couple of months. The other sites that provide help with these issues use the information and tools collected/created by the founders of Sysnative.com.

 

If you wish to confirm your computer is clean, please do the following:

 

Please download DDS.scr by sUBs and save it to your desktop: Link

  • Double-Click dds.scr and a command window will appear. This is normal.
  • Shortly after two logs will appear, DDS.txt and Attach.txt.
  • A window will open instructing you save & post the logs.
  • Save the logs to a convenient place such as your desktop.
  • Copy the contents of both DDS.txt and Attach.txt logs and post in your next reply.

To get help with the BSOD/driver issue, follow the instructions here: Blue Screen of Death (BSOD) Posting Instructions - Windows 7 & Vista.

 

Note: The jcgriff2 referenced in "jcgriff2 BSOD File Collection app" is the same jcgriff2 who is a member here.


Guest LilBambi

It's great that our own jcgriff2 is involved and it certainly makes me strongly encouraged by their offering!

 

Looks like John might want to update his avatar here after the upgrade too.


For Corrine,

 

I ran the first tool, and will upload it sometime this afternoon when I am home from work. I don't think the computer is infected any more, but I am fairly certain the BSODs were not being caused by the virii.

 

Adam


Hi -

 

The bugcheck is likely 0xa or 0xd1 (memory improperly referenced or bad memory referenced) and can be a driver issue.

 

If the BSODs are being caused by a 3rd party driver, Driver Verifier can help. If D/V finds a violation, it will flag the driver and force the system to BSOD and add additional information to the dump file.

 

D/V needs to run for 24 hours minimum or BSOD - whichever is 1st. You can use the system while D/V runs in the background, but be sure to save your work often as a BSOD may occur at any time.

 

http://www.sysnative...Driver-Verifier

 

Regards. . .

 

jcgriff2

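The procedure jcgriff2 describes above, as an added example that is not part of his post or of the Sysnative instructions: enable Driver Verifier's standard checks only for drivers whose file does not carry a Microsoft CompanyName, so that the next 0xA/0xD1 dump names the third-party driver instead of ntoskrnl. The driver enumeration through Win32_SystemDriver and the CompanyName test are my assumptions about how to pick "third-party"; the verifier.exe switches used (/standard, /driver, /querysettings, /reset) are the tool's real ones. Run it from an elevated PowerShell prompt on the affected machine.

```powershell
# Added example (not from the thread): turn Driver Verifier on for every driver
# whose file does not carry a Microsoft CompanyName. Settings take effect after
# a reboot. Win32_SystemDriver enumeration and the CompanyName test are
# assumptions about how to choose "third-party" drivers.

function Resolve-DriverPath {
    # Service entries store driver paths in several shapes:
    #   \??\C:\Windows\system32\drivers\foo.sys
    #   \SystemRoot\system32\drivers\foo.sys
    #   system32\DRIVERS\foo.sys
    param([string]$PathName)
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-ThirdPartyDrivers {
    # Every registered kernel driver whose file exists and is not Microsoft's.
    # An empty CompanyName counts as third-party: unknown provenance gets verified too.
    Get-WmiObject Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            $item = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
            if ($item) {
                New-Object PSObject -Property @{
                    Service = $_.Name
                    File    = $item.Name
                    Path    = $path
                    Company = $item.VersionInfo.CompanyName
                }
            }
        } |
        Where-Object { $_.Company -notmatch 'Microsoft' }
}

$drivers = Get-ThirdPartyDrivers | Sort-Object File -Unique
$drivers | Format-Table Service, File, Company -AutoSize

# verifier.exe wants driver *file* names; passing the array gives one argument each.
$files = @($drivers | ForEach-Object { $_.File })
if ($files.Count -gt 0) {
    $verifier = Join-Path $env:SystemRoot 'System32\verifier.exe'
    # /standard = the standard rule set (special pool, IRQL checking, pool tracking, ...)
    & $verifier /standard /driver $files
    & $verifier /querysettings
    Write-Host 'Reboot to activate. Save your work often: a Verifier-triggered BSOD can come at any time.'
}

# To undo, run from an elevated prompt:   verifier /reset
# If Windows no longer boots after enabling Verifier (a flagged boot driver),
# start in Safe Mode and run verifier /reset there, or use System Restore from
# the recovery environment, as jcgriff2 notes later in this thread.
```

Keep the list the script prints; when the machine blue-screens again, the driver named in the new dump should be one of those files, and that is the one to update or remove first.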

It's great that our own jcgriff2 is involved and it certainly makes me strongly encouraged by their offering!

 

Looks like John might want to update his avatar here after the upgrade too.

 

For certain! (I fixed John's avatar.)


This is really weird....

 

I booted the laptop up this afternoon to look at it a bit more, and it is working fine. Right now, it is applying updates, and humming along merrily....

 

Before, it would blue screen within two minutes of logging in.

 

Adam


I got the Driver Verifier settings all put together. When I rebooted the computer, the BIOS would no longer boot off the hard drive!

 

The Windows 7 install disc no longer shows a bootable copy of Windows on the hard drive.

 

Off to Ubuntu to see what's going on.....

 

Adam


.

DDS (Ver_2011-08-26.01) - NTFSAMD64 MINIMAL

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31

Run by Luke at 4:49:10 on 2012-04-18

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3999.3295 [GMT -4:00]

.

SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\Explorer.EXE

C:\Windows\system32\ctfmon.exe

-netsvcs

C:\Windows\system32\conhost.exe

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\SysWOW64\NOTEPAD.EXE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\cscript.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\tbBitT.dll

mURLSearchHooks: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\tbBitT.dll

mWinlogon: Userinit=userinit.exe

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll

BHO: DivX Plus Web Player HTML5

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll

BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll

BHO: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\tbBitT.dll

BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll

TB: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\tbBitT.dll

TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll

TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File

uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe

uRun: [HPAdvisor] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN

uRun: [Facebook Update] "C:\Users\Luke\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver

mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun: [CLMLServer for HP TouchSmart] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe"

mRun: [DVDAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe"

mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"

mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe

mRun: [QlbCtrl.exe] "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start

mRun: [TSMAgent] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe"

mRun: [TVAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe"

mRun: [uCam_Menu] "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam" update "Software\Hewlett-Packard\Media\Webcam"

mRun: [updateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"

mRun: [updateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"

mRun: [updatePDIRShortCut] "C:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"

mRun: [updatePSTShortCut] "C:\Program Files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"

mRun: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

mRun: [Mobile Connectivity Suite] "C:\Program Files (x86)\HTC\HTC Sync\Application Launcher\Application Launcher.exe" /startoptions

mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW

mRun: [sSDMonitor] C:\Program Files (x86)\Common Files\PC Tools\sMonitor\SSDMonitor.exe

mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

TCP: Interfaces\{3FA165B0-C6C8-418B-BA59-EC524B2A392F} : DhcpNameServer = 192.168.42.129

TCP: Interfaces\{532BBBC3-E11E-4D17-9A54-7C17E0467651} : DhcpNameServer = 192.168.42.129

TCP: Interfaces\{AEE474D9-D89B-4272-BCC2-C67CD89C41CF} : DhcpNameServer = 10.0.1.1

TCP: Interfaces\{AEE474D9-D89B-4272-BCC2-C67CD89C41CF}\05F6474756270AE4564777F627B60A13 : DhcpNameServer = 192.168.2.1

TCP: Interfaces\{AEE474D9-D89B-4272-BCC2-C67CD89C41CF}\35072796E647E416679775966696D2252303D2052485 : DhcpNameServer = 10.10.16.1

TCP: Interfaces\{AEE474D9-D89B-4272-BCC2-C67CD89C41CF}\5465F402737334337354 : DhcpNameServer = 192.168.1.1

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll

BHO-X64: DivX Plus Web Player HTML5

BHO-X64: Increase performance and video formats for your HTML5

BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll

BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll

BHO-X64: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\tbBitT.dll

BHO-X64: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll

BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

TB-X64: Microsoft Live Search Toolbar: {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0541.0\msneshellx.dll

TB-X64: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files (x86)\BitTorrentBar\tbBitT.dll

TB-X64: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll

TB-X64: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File

mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun-x64: [CLMLServer for HP TouchSmart] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe"

mRun-x64: [DVDAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe"

mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"

mRun-x64: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe

mRun-x64: [QlbCtrl.exe] "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start

mRun-x64: [TSMAgent] "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe"

mRun-x64: [TVAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe"

mRun-x64: [uCam_Menu] "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Media\Webcam" update "Software\Hewlett-Packard\Media\Webcam"

mRun-x64: [updateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"

mRun-x64: [updateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"

mRun-x64: [updatePDIRShortCut] "C:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"

mRun-x64: [updatePSTShortCut] "C:\Program Files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"

mRun-x64: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

mRun-x64: [Mobile Connectivity Suite] "C:\Program Files (x86)\HTC\HTC Sync\Application Launcher\Application Launcher.exe" /startoptions

mRun-x64: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW

mRun-x64: [sSDMonitor] C:\Program Files (x86)\Common Files\PC Tools\sMonitor\SSDMonitor.exe

mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Luke\AppData\Roaming\Mozilla\Firefox\Profiles\mak2lxe8.default\

FF - prefs.js: browser.startup.homepage - www.yahoo.com

FF - component: C:\Users\Luke\AppData\Roaming\Mozilla\Firefox\Profiles\mak2lxe8.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCoreGecko19.dll

FF - component: C:\Users\Luke\AppData\Roaming\Mozilla\Firefox\Profiles\mak2lxe8.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCoreGecko5.dll

FF - component: C:\Users\Luke\AppData\Roaming\Mozilla\Firefox\Profiles\mak2lxe8.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCoreGecko6.dll

FF - component: C:\Users\Luke\AppData\Roaming\Mozilla\Firefox\Profiles\mak2lxe8.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll

FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll

FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll

FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll

FF - plugin: C:\Users\Luke\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll

FF - plugin: C:\Users\Luke\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll

FF - plugin: C:\Users\Luke\AppData\Roaming\Move Networks\plugins\npqmp071705000014.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll

.

============= SERVICES / DRIVERS ===============

.

R3 enecir;ENE CIR Receiver;C:\Windows\system32\DRIVERS\enecir.sys --> C:\Windows\system32\DRIVERS\enecir.sys [?]

S1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]

S2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2009/08/24 08:42:08];C:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2008-11-28 146928]

S2 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_8b2066212420dc24\AESTSr64.exe [2009-8-24 89088]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 gupdate1ca392ab847e6d0;Google Update Service (gupdate1ca392ab847e6d0);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-9-19 133104]

S2 hpsrv;HP Service;C:\Windows\system32\Hpservice.exe --> C:\Windows\system32\Hpservice.exe [?]

S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe [2011-10-24 632792]

S2 Recovery Service for Windows;Recovery Service for Windows;C:\Program Files (x86)\SMINST\BLService.exe [2009-6-1 365952]

S2 TVCapSvc;TV Background Capture Service (TVBCS);C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe [2008-11-26 296320]

S2 TVSched;TV Task Scheduler (TVTS);C:\Program Files (x86)\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe [2008-11-26 116096]

S3 Com4QLBEx;Com4QLBEx;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-6-1 222512]

S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-9-19 133104]

S3 HTCAND64;HTC Device Driver;C:\Windows\system32\Drivers\ANDROIDUSB.sys --> C:\Windows\system32\Drivers\ANDROIDUSB.sys [?]

S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;C:\Windows\system32\drivers\IntcHdmi.sys --> C:\Windows\system32\drivers\IntcHdmi.sys [?]

S3 JMCR;JMCR;C:\Windows\system32\DRIVERS\jmcr.sys --> C:\Windows\system32\DRIVERS\jmcr.sys [?]

S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]

S3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]

S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\system32\DRIVERS\wdcsam64.sys --> C:\Windows\system32\DRIVERS\wdcsam64.sys [?]

.

=============== Created Last 30 ================

.

2012-04-18 08:41:43 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{C49B0D55-04A7-46E3-97D6-0F0C9FCB6287}\offreg.dll

2012-04-17 16:17:14 -------- d-----w- C:\Windows\LastGood.Tmp

2012-04-17 12:24:10 -------- d-----w- C:\ProgramData\LightScribe

2012-04-14 01:56:09 3993600 ----a-w- C:\Program Files (x86)\GUTAA34.tmp

2012-04-14 01:56:09 -------- d-----w- C:\Program Files (x86)\GUMAA33.tmp

2012-04-14 00:07:07 8643640 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{C49B0D55-04A7-46E3-97D6-0F0C9FCB6287}\mpengine.dll

2012-04-11 16:12:45 3993600 ----a-w- C:\Program Files (x86)\GUT23B6.tmp

2012-04-11 16:12:45 -------- d-----w- C:\Program Files (x86)\GUM2396.tmp

2012-04-11 03:03:22 3993600 ----a-w- C:\Program Files (x86)\GUTD69.tmp

2012-04-11 03:03:22 -------- d-----w- C:\Program Files (x86)\GUMD39.tmp

2012-04-11 02:59:57 20480 ----a-w- C:\Windows\svchost.exe

2012-04-10 22:25:26 5120 ----a-w- C:\ProgramData\Microsoft\Windows\DRM\EB4E.tmp

2012-04-10 22:25:26 5120 ----a-w- C:\ProgramData\Microsoft\Windows\DRM\EB4D.tmp

2012-04-10 22:25:24 -------- d-----w- C:\Users\Luke\AppData\Roaming\MicroST

.

==================== Find3M ====================

.

2012-02-23 14:18:36 279656 ----a-w- C:\Windows\System32\MpSigStub.exe

2012-02-18 12:41:46 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll

2012-02-15 06:27:54 1031680 ----a-w- C:\Windows\System32\rdpcore.dll

2012-02-15 05:44:57 826368 ----a-w- C:\Windows\SysWow64\rdpcore.dll

2012-02-15 04:47:21 204800 ----a-w- C:\Windows\System32\drivers\rdpwd.sys

2012-02-15 04:46:59 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys

2012-02-10 06:18:10 1541120 ----a-w- C:\Windows\System32\DWrite.dll

2012-02-10 06:17:55 1837568 ----a-w- C:\Windows\System32\d3d10warp.dll

2012-02-10 06:17:54 902656 ----a-w- C:\Windows\System32\d2d1.dll

2012-02-10 06:17:54 320512 ----a-w- C:\Windows\System32\d3d10_1core.dll

2012-02-10 06:17:54 197120 ----a-w- C:\Windows\System32\d3d10_1.dll

2012-02-10 05:41:38 1074176 ----a-w- C:\Windows\SysWow64\DWrite.dll

2012-02-10 05:41:20 218624 ----a-w- C:\Windows\SysWow64\d3d10_1core.dll

2012-02-10 05:41:20 161792 ----a-w- C:\Windows\SysWow64\d3d10_1.dll

2012-02-10 05:41:20 1170944 ----a-w- C:\Windows\SysWow64\d3d10warp.dll

2012-02-10 05:41:19 739840 ----a-w- C:\Windows\SysWow64\d2d1.dll

2012-02-03 04:16:03 3143168 ----a-w- C:\Windows\System32\win32k.sys

2012-01-25 06:27:11 76288 ----a-w- C:\Windows\System32\rdpwsx.dll

2012-01-25 06:27:11 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll

2012-01-25 06:20:59 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe

.

============= FINISH: 4:49:28.38 ===============


Hi, Adam.

 

I posted your log here as it is much easier for comparison after the next step, seeing as how I see a trojan in your log.

 

I'll just post my "mini-lecture" about Bit Torrent. At most security sites, it is required that any P2P programs be uninstalled before moving to the next step. In this case, however, I'll just ask that you refrain from using it until we've finished.

 

A strong word of caution: P2P programs form a direct conduit on to your computer. They have always been a target of malware writers and are increasingly so of late. P2P security measures are easily circumvented and if your P2P program is not configured correctly, you may be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program. Use of P2P programs can result in Identity Theft. P2P Dangers Have Not Gone Away

 

 

Please follow these instructions carefully.

 

Download ComboFix from one of the following locations:

 

Link 1

Link 2

 

!!! IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your antivirus and anti-malware security applications. If not disabled, these programs will likely interfere with cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray.
     
    Note: If you are unsure how to disable your security software, see the instructions in this topic at Tech Support Forum: How to disable your security applications.
  • If infections are found, ComboFix will automatically reboot the machine to complete the removal process. Please ensure all opened windows are closed before proceeding.
  • Double-click ComboFix.exe on your desktop and follow the prompts.
  • As part of the process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. The Recovery Console will allow you to start up the computer in a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Please note: If the Microsoft Windows Recovery Console is already installed on the computer, ComboFix will continue the malware removal procedures.

 

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
     
    CF_RC1.png
  • After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
     
    CF_RC2.png
  • Click "Yes" to continue scanning for malware.
  • When finished, a log will be produced. Please include the C:\ComboFix.txt in your next reply.


Corrine,

 

This is not my machine, but a co-worker's. I use bittorrent, but on a linux system, with a few safeguards set up. I know P2P stuff can be dangerous if not managed properly.

 

What trojan is present? I found a few with AVG Rescue CD, and it said the drive was clean. The virus definition date was 27 Mar 12.

 

In any case, the master boot record is broken now. I ran Windows update on the machine, and enabled the Driver Verifier settings per post #11, and when I went to reboot, I got the message that no boot device was found. Checking the drive in linux revealed there were no partitions available. SpinRite said the same thing.

 

Right now, I am running a demo of Active Partition Recovery on the drive to see if it can "discover" the partitions. I know the demo will not write anything to the drive, but at least I might be able to see if it is recoverable.

 

Adam


I've seen too many instances of AVG not doing a very good job of cleaning and March 27 is a rather old date for definitions. The correct location for svchost.exe is System32, not Windows: C:\Windows\svchost.exe

 

Also, these look suspicious;

 

C:\Program Files (x86)\GUTAA34.tmp

C:\Program Files (x86)\GUMAA33.tmp

C:\Program Files (x86)\GUT23B6.tmp

C:\Program Files (x86)\GUM2396.tmp

C:\Program Files (x86)\GUTD69.tmp

C:\Program Files (x86)\GUMD39.tmp

C:\ProgramData\Microsoft\Windows\DRM\EB4E.tmp

C:\ProgramData\Microsoft\Windows\DRM\EB4D.tmp

C:\Users\Luke\AppData\Roaming\MicroST

 

This may be helpful: How to use the Bootrec.exe tool in the Windows Recovery Environment to troubleshoot and repair startup issues in Windows

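The two things Corrine picked out of the DDS log, a core Windows binary sitting outside System32 and .tmp files in places where executables should not be, can be checked on the box directly. What follows is an added example, not code from the thread, from DDS or from any of the posters: it walks the likely locations, flags files and running processes that borrow a core binary name from the wrong directory, flags .tmp files that are really PE images, and prints the Authenticode signer for each so the operator can judge instead of assuming. The directory and name lists are my assumptions for a default Windows 7 x64 install. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): triage checks for a core Windows binary
# outside System32/SysWOW64 and for executable content behind a .tmp extension.
# Directory and name lists are assumptions for a default Windows 7 x64 install.

$SystemRoot   = $env:SystemRoot
# Directories where copies of the names below are legitimate (winsxs holds
# servicing copies, so it is allowed to keep the output readable).
$ExpectedDirs = @("$SystemRoot\System32", "$SystemRoot\SysWOW64", "$SystemRoot\winsxs")
# Names malware likes to borrow; all of these ship only in System32/SysWOW64.
$WatchNames   = @('svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe',
                  'wininit.exe', 'services.exe', 'smss.exe', 'conhost.exe')

function Test-InExpectedDir {
    param([string]$Path)
    foreach ($dir in $ExpectedDirs) { if ($Path -like "$dir\*") { return $true } }
    return $false
}

function Test-IsPE {
    # A Windows executable starts with the two-byte 'MZ' DOS header,
    # whatever extension it was renamed to.
    param([string]$Path)
    try {
        $fs  = [System.IO.File]::OpenRead($Path)
        $buf = New-Object byte[] 2
        $n   = $fs.Read($buf, 0, 2)
        $fs.Close()
        return ($n -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)
    } catch { return $false }
}

function Get-SignerSummary {
    # Signature status plus signer subject, e.g. "Valid / CN=Microsoft Windows, ..."
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path -ErrorAction SilentlyContinue
    if (-not $sig) { return 'unreadable' }
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    '{0} / {1}' -f $sig.Status, $subject
}

function New-Finding {
    param([string]$Reason, [string]$Path)
    New-Object PSObject -Property @{ Reason = $Reason; Path = $Path; Signer = (Get-SignerSummary $Path) }
}

$findings = @()
$roots = @($SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData) | Where-Object { $_ }

# 1. Files on disk that borrow a core binary name but sit outside System32/SysWOW64
#    (the C:\Windows\svchost.exe entry in the log is exactly this pattern).
Get-ChildItem -Path $roots -Include $WatchNames -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not (Test-InExpectedDir $_.FullName) } |
    ForEach-Object { $findings += New-Finding 'core binary name outside System32/SysWOW64' $_.FullName }

# 2. Running processes with such a name started from somewhere else.
#    ExecutablePath of SYSTEM processes is only visible when elevated.
Get-WmiObject Win32_Process |
    Where-Object { $WatchNames -contains $_.Name -and $_.ExecutablePath -and -not (Test-InExpectedDir $_.ExecutablePath) } |
    ForEach-Object { $findings += New-Finding ('running process PID {0} from unexpected path' -f $_.ProcessId) $_.ExecutablePath }

# 3. .tmp files that are really PE images, in the places the log showed them.
$tmpRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, "$env:ProgramData\Microsoft\Windows\DRM") | Where-Object { $_ }
Get-ChildItem -Path $tmpRoots -Filter *.tmp -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { Test-IsPE $_.FullName } |
    ForEach-Object { $findings += New-Finding 'PE image with .tmp extension' $_.FullName }

# Anything whose Signer is not "Valid / CN=Microsoft ..." (or a vendor you
# recognise) is worth hashing and submitting for analysis before deleting it.
$findings | Select-Object Reason, Path, Signer | Format-Table -AutoSize -Wrap
```

The signer column is the point of the exercise: a file with a system name in the wrong directory and no valid signature is the case Corrine describes, while a .tmp that turns out to be a validly signed installer stub can be left alone. Hash anything suspicious before removing it so the detection can be confirmed afterwards.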

I'll give bootrec.exe a try when Active Partition Recovery has completed. It won't be able to fix anything, since it is only the demo. I just wanted to see if it could potentially "discover" the partitions.

 

I knew that AVG was a bit slower getting definitions out into the field, but I had not heard it was fairly solid otherwise, aside from being a bit of a resource hog at times.

 

Adam


You should be able to see the HDD in BIOS and with Active Partition Recovery, which is DOS-based.

 

Driver Verifier can cause no-boot if a boot driver is flagged; running Windows System Restore from Recovery fixes that.

 

I've never seen D/V cause loss of contact with the system partition.

 


http://www.cgsecurity.org/wiki/TestDisk

 

This wonderful open source program immediately discovered the partitions on the drive and re-wrote the MBR. I had to do a quick boot repair with the Windows install DVD, but it looks like Windows actually will boot. I did not let it get far, because my primary concern is the recovery of the user data on this drive. I am going to have the customer bring his USB drive in and copy the data over in safe mode. When that is done, I will attempt to repair Windows however I can.

 

J. C.,

 

The BIOS on this laptop is strange - first of this type I have ever seen - it does not show the hard disks in the system. It is quite locked down. In linux, I could see the drive, but no partitions. Active Partition Recovery was not the right tool to run on the drive, I think. I am not sure exactly what it was doing, and it took quite a while to accomplish an analysis on the drive. Testdisk picked the partitions up within about a second of starting the analysis of the disk.

 

In any case, the MBR was definitely corrupted somehow. How it got that way, I am not sure. Windows might have messed with it (not sure how), or it may have been hit by one of the malware threats Corrine thinks may be present on this machine.

 

I think the best course of action is to get the user data off and wipe the machine and reinstall Windows. What do you think?

 

Adam


A friend of mine at work has a USB drive with a PE environment on it and it is loaded with tools.

 

Running Spybot Search and Destroy on it confirmed that the "misplaced" svchost.exe was in fact malware.

 

We are waiting to see if the scan finds anything else.

 

Adam

 

EDIT: The only other thing S&D found was a few tracking cookies.


We also ran AntiVir on it, and it removed a few images that had exploit code.

 

After that, Mike (co-worker) began a defrag of the drive (still in PE environment), and it was running with no end in sight when we left five hours later. Yikes!

 

Adam


Yeah. It was finished when we came in this morning. Looks like Windows is actually running smoothly. I am installing Microsoft Security Essentials and Win Patrol on it so the owner at least has some protection.

 

I've rebooted it several times this morning. So far, so good.

 

Mike also ran some system stress tests on it and those passed with flying colors.

 

It also boots a LOT faster.

 

Adam


How fast is "a lot faster"?

 

If you would like the system to measure and report boot time to Desktop, download and save this VBS script to Desktop -

 

bootspeed.vbs - http://sysnative.com/0x1/bootspeed.vbs

 

Close all Windows. Double-click on bootspeed.vbs

 

Your system will reboot. Upon reaching Desktop, it will display the boot time

 

Regards. . .

 

jcgriff2
