
Physical Dumping of Memory Blue Screen


This topic is locked
3 replies to this topic

#1 BrianJBustos


Posted 29 December 2008 - 08:20 PM

Hello, I've recently had the "Physical Dumping of Memory" Blue Screen popping up a few times recently. I recently replaced some of my Security Programs so I figure that might be the cause. I have replaced my Micro Trend Security Suite with:

AVIRA Virus Scan
PC Tools Firewall
Super AntiSpyware
Spyware Blaster.

The blue screen has usually appeared during and after I've run one of the scans.


Thanks in advance for the help and if you need to know any other information feel free to ask, I will be checking this thread regularly.

- Brian J Bustos

Anyway, here are the logs I got from the Preparation Guide.

DDS (Version 1.1.0) - NTFSx86
Run by Jose at 20:10:34.50 on Mon 12/29/2008
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.604 [GMT -5:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)
FW: PC Tools Firewall Plus *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\dlcxcoms.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\PC Tools Firewall Plus\FWService.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Jose\Application Data\U3\000016A078729896\LaunchPad.exe
C:\Documents and Settings\Jose\Desktop\dds.scr
C:\Documents and Settings\Jose\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://hometab.bellsouth.net
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2061126
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
TB: {4E7BD74F-2B8D-469E-85B2-BC27FE9AAE2E} - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [DLCXCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCXtime.dll,_RunDLLEntry@16
mRun: [00PCTFW] "c:\program files\pc tools firewall plus\FirewallGUI.exe" -s
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - c:\program files\bodog poker\BPGame.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {fb5f1910-f110-11d2-bb9e-00c04f795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL rlryrp.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jose\applic~1\mozilla\firefox\profiles\shph4gen.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&query={searchTerms}&invocationType=tb50fftrie7
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://urlseek.vmn.net/search.php?lg=en&mkt=en&type=dns&fr=vmn&tbtype=egames&tbn=egamesbar&tbo=www.egames.com__2Fgamebar__2Foptions.html&q=
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\jose\application data\mozilla\firefox\profiles\shph4gen.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint_.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\yahoo!\common\npyaxmpb.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;\??\c:\program files\avira\antivir personaledition classic\avgio.sys [2008-12-28 11840]
R1 pctgntdi;pctgntdi;\??\c:\windows\system32\drivers\pctgntdi.sys [2008-12-29 159600]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\SASDIFSV.SYS [2008-12-4 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\SASKUTIL.sys [2008-12-4 55024]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;"c:\program files\avira\antivir personaledition classic\sched.exe" [2008-12-28 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;"c:\program files\avira\antivir personaledition classic\avguard.exe" [2008-12-28 151297]
R2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service []
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 PCTAppEvent;PCTAppEvent Driver;\??\c:\windows\system32\drivers\PCTAppEvent.sys [2008-12-29 73840]
R2 PCToolsFirewallPlus;PC Tools Firewall Plus;c:\program files\pc tools firewall plus\FWService.exe [2008-12-29 146800]
R3 avgntflt;avgntflt;\??\c:\program files\avira\antivir personaledition classic\avgntflt.sys [2008-12-28 52032]
R3 pctplfw;pctplfw;\??\c:\windows\system32\drivers\pctplfw.sys [2008-12-29 95640]
R3 SASENUM;SASENUM;\??\c:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]
S1 a6913ba7;a6913ba7;c:\windows\system32\drivers\a6913ba7.sys []
S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;"c:\program files\google\google desktop search\GoogleDesktop.exe" [2008-3-29 29744]
S3 pac207;PC Camer@;c:\windows\system32\drivers\PFC027.SYS [2008-9-27 616064]
S4 sysrest.sys;sysrest.sys;\??\c:\windows\system32\sysrest.sys []

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2008-12-29 15:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-12-29 15:17 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-12-29 15:17 <DIR> --d----- c:\docume~1\jose\applic~1\SUPERAntiSpyware.com
2008-12-29 15:16 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-29 13:08 <DIR> --d----- c:\program files\SpywareBlaster
2008-12-29 12:14 <DIR> --d----- c:\docume~1\jose\applic~1\PCToolsFirewallPlus
2008-12-29 12:13 132,976 a------- c:\windows\system32\drivers\PCTCore.sys
2008-12-29 12:13 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2008-12-29 12:13 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2008-12-29 12:12 97,408 a------- c:\windows\system32\drivers\pctfw.sys
2008-12-29 12:12 <DIR> --d----- c:\program files\common files\PC Tools
2008-12-29 12:12 95,640 a------- c:\windows\system32\drivers\pctplfw.sys
2008-12-29 12:12 <DIR> --d----- c:\program files\PC Tools Firewall Plus
2008-12-29 00:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\comodo
2008-12-29 00:07 <DIR> --d----- c:\program files\COMODO
2008-12-28 23:36 375 a---h--- C:\IPH.PH
2008-12-28 22:44 <DIR> --d----- c:\program files\Avira
2008-12-28 22:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2008-12-28 22:39 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-28 22:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-12-28 16:39 <DIR> --d----- C:\BLSInfo
2008-12-28 16:35 6,345 a----r-- c:\windows\system32\DevMngr.vxd
2008-12-28 16:35 69,632 a------- c:\windows\system32\MCCDevice.dll
2008-12-28 16:35 6,048 a------- c:\windows\system32\MCC16.dll
2008-12-28 16:34 <DIR> --d----- c:\program files\common files\Motive
2008-12-28 16:31 37,376 a------- c:\windows\system32\ReportReader.dll
2008-12-28 16:31 87,040 a------- c:\windows\system32\WebFlowIDPersist.dll
2008-12-28 16:31 40,448 a------- c:\windows\system32\BJAXSecurityManager.dll
2008-12-28 16:31 1,073,152 a------- c:\windows\system32\ActiveUtils.dll
2008-12-28 16:31 327,680 a------- c:\windows\system32\snmpaxctrl.dll
2008-12-28 16:31 86,016 a------- c:\windows\system32\BJInstaller.dll
2008-12-28 16:31 73,728 a------- c:\windows\system32\BinaryAggregator1.dll
2008-12-28 16:31 28,819,372 a------- C:\BellSouthIW.reg
2008-12-28 13:53 445,630 a------- c:\windows\system32\PerfStringBackup.INI
2008-12-28 13:48 2,126 a------- c:\windows\system32\wpa.dbl
2008-12-28 13:45 <DIR> --d-h--- c:\windows\PIF
2008-12-28 12:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Citrix
2008-12-28 12:20 <DIR> --d----- c:\program files\Citrix
2008-12-28 12:19 61,224 a------- c:\documents and settings\jose\GoToAssistDownloadHelper.exe
2008-12-27 17:21 <DIR> --d----- c:\program files\CCleaner
2008-12-06 14:43 1,409 a------- c:\windows\QTFont.for
2008-11-30 19:17 <DIR> --d----- c:\documents and settings\jose\LocalLow
2008-11-30 19:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\TVU Networks

==================== Find3M ====================

2008-12-13 01:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-03 19:54 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 19:54 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-10-24 06:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 08:11 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 08:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 11:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 02:06 633,632 -------- c:\windows\system32\dllcache\iexplore.exe
2008-10-15 02:04 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-10-03 05:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-10-03 05:02 247,326 -------- c:\windows\system32\dllcache\strmdll.dll
2008-06-13 17:01 251 a------- c:\program files\wt3d.ini
2008-05-04 19:31 0 a------- c:\program files\temp01
2008-02-24 15:08 774,144 a------- c:\program files\RngInterstitial.dll
2006-12-31 13:57 0 a---h--- c:\docume~1\alluse~1\applic~1\gwseh.dat
2006-12-17 13:19 88 ---shr-- c:\windows\system32\29C9872985.sys

============= FINISH: 20:10:50.15 ===============

Brian J Bustos
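The log above is the kind of thing a responder reads by hand, looking at the SERVICES / DRIVERS entries, the AppInit_DLLs line and the dated file list. What follows is an added example, not part of Brian's post and not a DDS or BleepingComputer tool: a small Python triage helper that parses lines in that shape and flags the ones worth checking first. The sample input is constructed from a few lines copied in the shape of the posted log. Every flagging rule is this example's own assumption (for instance, it reads an empty `[]` after a driver path as "DDS recorded no date or size for that image", and treats an 8-or-more-character hex file name as random-looking); it flags lines for a person to verify, it does not decide that anything is malicious.

```python
"""Triage helper for a DDS log (added example, not the DDS tool itself).

Parses three kinds of line from a DDS report and flags entries a responder
would want to look at first.  All flagging rules are heuristics assumed by
this example, not anything DDS reports on its own.
"""
import re

# Constructed sample: lines copied in the shape of the log posted above.
SAMPLE_LOG = r"""
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL rlryrp.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;\??\c:\program files\avira\antivir personaledition classic\avgio.sys [2008-12-28 11840]
R2 PCToolsFirewallPlus;PC Tools Firewall Plus;c:\program files\pc tools firewall plus\FWService.exe [2008-12-29 146800]
S1 a6913ba7;a6913ba7;c:\windows\system32\drivers\a6913ba7.sys []
S4 sysrest.sys;sysrest.sys;\??\c:\windows\system32\sysrest.sys []

==================== Find3M ====================

2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-12-28 23:36 375 a---h--- C:\IPH.PH
2006-12-17 13:19 88 ---shr-- c:\windows\system32\29C9872985.sys
"""

# "R1 name;display;path [date size]"  -- start type, service name, display
# name, image path and whatever DDS put inside the square brackets.
DRIVER_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[(.*)\]$")
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(.*)$")
# "date time size attrs path" as used in the Created Last 30 / Find3M lists;
# <DIR> entries do not match the numeric size and are skipped on purpose.
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) ([\d,]+) ([a-z-]{8}) (.+)$")
# Assumption: a file stem of 8+ hex digits is "random-looking".
HEXNAME_RE = re.compile(r"^[0-9a-f]{8,}$", re.IGNORECASE)


def _stem(path):
    """Return the file name without directory or extension."""
    base = path.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[0]


def parse_dds(text):
    """Extract driver/service entries, AppInit_DLLs values and dated files."""
    parsed = {"drivers": [], "appinit": [], "files": []}
    for line in text.splitlines():
        line = line.strip()
        m = DRIVER_RE.match(line)
        if m:
            start, name, display, path, meta = m.groups()
            parsed["drivers"].append({"start": start, "name": name, "display": display,
                                      "path": path.strip('"'), "meta": meta.strip()})
            continue
        m = APPINIT_RE.match(line)
        if m:
            parsed["appinit"].extend(m.group(1).split())
            continue
        m = FILE_RE.match(line)
        if m:
            date, _time, size, attrs, path = m.groups()
            parsed["files"].append({"date": date, "size": int(size.replace(",", "")),
                                    "attrs": attrs, "path": path})
    return parsed


def triage(parsed):
    """Return (item, reason) pairs for entries a person should verify."""
    findings = []
    for d in parsed["drivers"]:
        if not d["meta"]:  # assumption: empty [] means DDS could not stat the image
            findings.append((d["name"], "no date/size recorded for the image: file missing, "
                             "unreadable or mis-pathed; confirm it exists and who installed it"))
        if HEXNAME_RE.match(_stem(d["path"])):
            findings.append((d["name"], "random-looking hex image name; check publisher and signature"))
    for dll in parsed["appinit"]:
        # A bare name is resolved through the DLL search path and loaded into
        # every process that loads user32.dll, so locate the actual file.
        if "\\" not in dll and "/" not in dll:
            findings.append((dll, "AppInit_DLLs entry given by bare name; locate the file on disk"))
    for f in parsed["files"]:
        if "s" in f["attrs"] and "h" in f["attrs"]:
            findings.append((f["path"], "system+hidden attributes; check that a known installer owns it"))
        if HEXNAME_RE.match(_stem(f["path"])):
            findings.append((f["path"], "random-looking hex file name; check publisher and signature"))
    return findings


def report(text):
    """Parse a DDS log and return its triage findings."""
    return triage(parse_dds(text))


if __name__ == "__main__":
    for item, reason in report(SAMPLE_LOG):
        print(f"{item}: {reason}")
```

Run against the sample it flags the two driver entries with empty brackets, the AppInit_DLLs entry that has no path, and the hidden+system file with a hex name, and stays quiet about gdi32.dll and the hidden-only IPH.PH. Each flagged line still needs a human to confirm it against the installed software before anything is removed.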


#2 Grinler

Lawrence Abrams

Posted 06 January 2009 - 09:58 AM

Download GMER Rootkit Scanner from here.
  • Extract the contents of the zipped file to the desktop.
  • Double click GMER.exe and if you are asked if you want to allow gmer.sys driver to load, please allow it to do so.
  • If it gives you a warning about rootkit activity and asks if you want to run scan, please click on NO.
  • In the right panel you will see several boxes that have been checked. Uncheck the following checkboxes:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Now click on the Scan button and wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in ark.txt and save it to your desktop.

Please post the contents of the ark.txt as your next reply.

#3 BrianJBustos


Posted 07 January 2009 - 06:34 PM

I'm sorry, the problem is on my parents' computer and I went back to college. They do not really know how to use a computer that well and I cannot get remote desktop connection to work. So for now, you can close this topic.

Thanks anyways.
Brian J Bustos


#4 Grinler

Lawrence Abrams

Posted 07 January 2009 - 06:44 PM

Ok thanks for letting us know.
