
BSOD - Possibly Caused By MyWebSearch


5 replies to this topic (topic locked)

#1 ryan_m
  • Members
  • 4 posts

Posted 06 April 2009 - 10:41 AM

Let me begin with a little background...

I am pretty well-versed in Malware/Spyware/Virus removal, having solved countless computer problems involving these topics...

Last week, I managed to come across one that I can absolutely NOT figure out...


The specific action that causes this problem is opening an AutoCAD drawing file from a network location, but ONLY while an Anti-Virus program is running. If I turn off Anti-Virus protection (I've tried Avast, Avira, and AVG), the computer runs perfectly fine (relatively speaking)... If Anti-Virus is up and running and I try to open an AutoCAD drawing, BSOD, every time.

Below is a list of SOME of the software that I have at my disposal, as I'm sure that someone will ask for my logs... I have most other common Anti-Spyware/Malware utilities as well.

Memtest86
ATF-Cleaner
Avast
Avira
AVG
ComboFix
HJT
Kaspersky
Mbam
RootkitBuster
RSIT
RunScanner
SDFix
SIW
Spyware Blaster
Spyware Guard
Super Anti Spyware
WnDbg


I'm pretty sure that this problem was caused by Avast trying to remove the MyWebSearch spyware program.

Every time I get a BSOD, it lists the probable cause as the Anti-Virus program itself...



Let me know what information you'd like and I'll post it right away.


THANKS in advance,
Ryan


#2 ryan_m
  • Topic Starter
  • Members
  • 4 posts

Posted 06 April 2009 - 10:55 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:25 AM, on 4/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Apps\Miramar\PC MACLAN\ATMsg.exe
C:\WINDOWS\system32\basfipm.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Apps\Miramar\PC MACLAN\ATSERVER.EXE
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Apps\Miramar\PC MACLAN\ATSPOOL.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlservr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\apps\AutoCAD 2005\acad.exe
C:\DOCUME~1\Andrew\LOCALS~1\Temp\AdskCleanup.0001
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe
C:\Program Files\Claris Corp\ClarisWorks 5.0\ClarisWorks.exe
C:\Program Files\Trend Micro\HijackThis\NotHijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Miramar Systems, Inc.] C:\Apps\Miramar\PC MACLAN\atmsg.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab
O16 - DPF: {6ABE4BC3-7253-418E-85E8-F334A73154D3} (CSmartClient Object) - http://www.smart-clip.com/activex/SmartClip.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://68.196.46.248:3010/activex/RACtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F17C4FA-881E-4EFC-B170-0BC7AC15E107}: NameServer = 198.6.1.1,198.6.1.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{6F17C4FA-881E-4EFC-B170-0BC7AC15E107}: NameServer = 198.6.1.1,198.6.1.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{6F17C4FA-881E-4EFC-B170-0BC7AC15E107}: NameServer = 198.6.1.1,198.6.1.2
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AppleTalk Messenger (ATMsg) - Miramar Systems Inc. - C:\Apps\Miramar\PC MACLAN\ATMsg.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c99d9c8afcf564) (gupdate1c99d9c8afcf564) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Miramar AppleTalk File Server - Miramar Systems Inc. - C:\Apps\Miramar\PC MACLAN\ATSERVER.EXE
O23 - Service: Miramar AppleTalk Print Server - Miramar Systems Inc. - C:\Apps\Miramar\PC MACLAN\ATSPOOL.EXE

--
End of file - 9233 bytes
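A small triage pass over HijackThis lines in the format of the log above, added here as an example; it is not part of the thread or of HijackThis. The sample entries are copied from the log above, and the flagging rules (Run entries without a full path, ActiveX controls loaded from a local file or from a bare IP host, services listed with "Unknown owner") are the reviewer's own heuristics, not HijackThis output.

```python
"""Triage of HijackThis (HJT) log entries like the log posted above.
Added example, not from the thread and not part of HijackThis: it parses the
O4 (Run keys), O16 (Downloaded Program Files / ActiveX) and O23 (services)
lines and returns the entries a reviewer would check first."""
import ipaddress
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample: a subset of the entries from the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://68.196.46.248:3010/activex/RACtrl.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
"""

Finding = Tuple[str, str, str]   # (HJT section, item, reason)

# Line layouts as HJT prints them: "O4 - <key>: [<name>] <command>",
# "O16 - DPF: {clsid} (<name>) - <url>", "O23 - Service: <name> - <owner> - <path>"
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\}) \((?P<name>[^)]*)\) - (?P<url>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def is_bare_ip(url: str) -> bool:
    """True when the URL's host is a literal IP address rather than a DNS name."""
    try:
        ipaddress.ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False


def review_line(line: str) -> Optional[Finding]:
    """Return a finding for one HJT line, or None if nothing stands out."""
    if m := O4_RE.match(line):
        cmd = m.group("cmd").strip()
        # A bare file name is resolved through the PATH at logon, so the log
        # alone does not tell you which file actually runs.
        if "\\" not in cmd:
            return ("O4", cmd, "Run entry without a full path")
    elif m := O16_RE.match(line):
        url = m.group("url").strip()
        if url.lower().startswith("file://"):
            return ("O16", url, "ActiveX control registered from a local file")
        if is_bare_ip(url):
            return ("O16", url, "ActiveX download from a bare IP address")
    elif m := O23_RE.match(line):
        if m.group("owner") == "Unknown owner":
            return ("O23", m.group("name"), "service listed with Unknown owner")
    return None


def review_log(text: str) -> List[Finding]:
    """Run review_line over every line of a log and keep the findings, in order."""
    return [f for f in (review_line(l.strip()) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for section, item, reason in review_log(SAMPLE_LOG):
        print(f"{section:4} {reason}: {item}")
```

The findings are leads for manual follow-up, not verdicts: the sample flags the Logitech and Creative Run entries, the AutoCAD ActiveX control and the Performance Viewer cab, all of which may be legitimate on this machine.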

#3 ryan_m
  • Topic Starter
  • Members
  • 4 posts

Posted 06 April 2009 - 11:34 AM

DDS (Ver_09-03-16.01) - NTFSx86
Run by Andrew at 12:32:47.56 on Mon 04/06/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.536 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Apps\Miramar\PC MACLAN\ATMsg.exe
C:\WINDOWS\system32\basfipm.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Apps\Miramar\PC MACLAN\ATSERVER.EXE
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Apps\Miramar\PC MACLAN\ATSPOOL.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlservr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\apps\AutoCAD 2005\acad.exe
C:\DOCUME~1\Andrew\LOCALS~1\Temp\AdskCleanup.0001
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe
C:\Program Files\Claris Corp\ClarisWorks 5.0\ClarisWorks.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Andrew\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [SB Audigy 2 Startup Menu] /L:ENG
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Miramar Systems, Inc.] c:\apps\miramar\pc maclan\atmsg.exe
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy2\surround mixer\CTSysVol.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTDVDDet] c:\program files\creative\sbaudigy2\dvdaudio\CTDVDDet.EXE
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRunOnce: [RunNarrator] Narrator.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6ABE4BC3-7253-418E-85E8-F334A73154D3} - hxxp://www.smart-clip.com/activex/SmartClip.cab
DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} - file://c:\program files\autocad 2002\AcDcToday.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} - file://c:\program files\autocad 2002\InstBanr.ocx
DPF: {C6637286-300D-11D4-AE0A-0010830243BD} - file://c:\program files\autocad 2002\InstFred.ocx
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {F281A59C-7B65-11D3-8617-0010830243BD} - file://c:\program files\autocad 2002\AcPreview.ocx
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://68.196.46.248:3010/activex/RACtrl.cab
TCP: {6F17C4FA-881E-4EFC-B170-0BC7AC15E107} = 198.6.1.1,198.6.1.2
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\andrew\applic~1\mozilla\firefox\profiles\5bdpv2qv.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 MSSQL$INVENTORCONTENT;MSSQL$INVENTORCONTENT;c:\program files\microsoft sql server\mssql$inventorcontent\binn\sqlservr.exe -sinventorcontent --> c:\program files\microsoft sql server\mssql$inventorcontent\binn\sqlservr.exe -sINVENTORCONTENT [?]
S2 gupdate1c99d9c8afcf564;Google Update Service (gupdate1c99d9c8afcf564);c:\program files\google\update\GoogleUpdate.exe [2009-3-5 133104]
S3 PortTalk;PortTalk;c:\windows\system32\drivers\PortTalk.sys [2006-1-13 3567]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S3 SQLAgent$INVENTORCONTENT;SQLAgent$INVENTORCONTENT;c:\program files\microsoft sql server\mssql$inventorcontent\binn\sqlagent.exe -i inventorcontent --> c:\program files\microsoft sql server\mssql$inventorcontent\binn\sqlagent.EXE -i INVENTORCONTENT [?]

=============== Created Last 30 ================

2009-04-06 10:00 <DIR> --d----- C:\ComboFix
2009-04-06 09:54 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-06 09:53 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 09:53 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-06 09:38 34,890 a------- c:\windows\system32\dllcache\wlandrv2.sys
2009-04-06 09:37 53,760 a------- c:\windows\system32\dllcache\vfwwdm32.dll
2009-04-06 09:36 47,616 a------- c:\windows\system32\dllcache\umaxcam.dll
2009-04-06 09:35 81,408 a------- c:\windows\system32\dllcache\tgiul50.dll
2009-04-06 09:34 48,736 a------- c:\windows\system32\dllcache\srwlnd5.sys
2009-04-06 09:33 45,568 a------- c:\windows\system32\dllcache\smb3w.dll
2009-04-06 09:32 36,480 a------- c:\windows\system32\dllcache\sfmanm.sys
2009-04-06 09:31 166,720 a------- c:\windows\system32\dllcache\s3m.sys
2009-04-06 09:30 128,286 a------- c:\windows\system32\dllcache\ptserli.sys
2009-04-06 09:29 26,153 a------- c:\windows\system32\dllcache\pcmlm56.sys
2009-04-06 09:28 9,344 a------- c:\windows\system32\dllcache\ntapm.sys
2009-04-06 09:27 21,888 a------- c:\windows\system32\dllcache\mxcard.sys
2009-04-06 09:26 58,368 a------- c:\windows\system32\dllcache\m3091dc.dll
2009-04-06 09:25 18,432 a------- c:\windows\system32\dllcache\jupiw.dll
2009-04-06 09:24 161,020 a------- c:\windows\system32\dllcache\i81xnt5.sys
2009-04-06 09:23 93,696 a------- c:\windows\system32\dllcache\hpgt42.dll
2009-04-06 09:22 43,520 a------- c:\windows\system32\dllcache\EXCH_fcachdll.dll
2009-04-06 09:21 455,199 a------- c:\windows\system32\dllcache\el985n51.sys
2009-04-06 09:20 7,424 a------- c:\windows\system32\dllcache\ddsmc.sys
2009-04-06 09:19 314,752 a------- c:\windows\system32\dllcache\camdro21.sys
2009-04-06 09:18 49,664 a------- c:\windows\system32\dllcache\adrot.dll
2009-04-06 09:16 <DIR> --d----- c:\program files\Windows Installer Clean Up
2009-04-06 09:01 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-06 08:52 153,104 a------- c:\windows\system32\drivers\tmcomm.sys
2009-04-06 08:52 0 a------- c:\windows\system32\RENB6.tmp
2009-04-06 08:52 0 a------- c:\windows\system32\RENB5.tmp
2009-04-03 08:32 1,057,760 a------- c:\windows\system32\ati3d2ag.dll
2009-04-02 12:28 <DIR> --d----- c:\windows\system32\NtmsData
2009-04-02 08:54 <DIR> --d----- c:\windows\ERUNT
2009-04-02 08:52 <DIR> --d----- C:\SDFix
2009-04-02 08:46 161,792 a------- c:\windows\SWREG.exe
2009-04-02 08:46 98,816 a------- c:\windows\sed.exe
2009-04-01 15:54 <DIR> --d----- c:\program files\SpywareGuard
2009-04-01 14:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-01 14:23 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-04-01 14:23 <DIR> --d----- c:\docume~1\andrew\applic~1\SUPERAntiSpyware.com
2009-04-01 14:22 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-04-01 13:08 <DIR> --d----- c:\docume~1\andrew\applic~1\Malwarebytes
2009-04-01 13:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-31 14:37 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-03-31 10:45 624,672 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-03-31 10:45 8,396 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-03-26 15:42 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-26 10:25 <DIR> --d----- c:\program files\QuickPik
2009-03-24 11:44 <DIR> --d----- C:\CNC
2009-03-12 01:30 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
2009-03-11 14:47 <DIR> --d----- C:\eb30c2019a361bf1eb68c97f

==================== Find3M ====================

2009-03-25 09:22 56,592 a------- c:\docume~1\andrew\applic~1\GDIPFONTCACHEV1.DAT
2009-03-10 22:18 934,792 -------- c:\windows\system32\dllcache\WgaTray.exe
2009-03-10 22:18 239,496 -------- c:\windows\system32\dllcache\wgaLogon.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\dllcache\win32k.sys
2009-01-16 22:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2008-06-30 13:40 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008063020080701\index.dat

============= FINISH: 12:32:55.79 ===============

#4 ryan_m
  • Topic Starter
  • Members
  • 4 posts

Posted 06 April 2009 - 11:36 AM

Microsoft ® Windows Debugger Version 6.11.0001.402 X86
Copyright © Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini040609-02.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*C:\WINDOWS\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
Product: WinNt
Built by: 2600.xpsp_sp3_gdr.080814-1236
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055b1c0
Debug session time: Mon Apr 6 11:15:16.531 2009 (GMT-4)
System Uptime: 0 days 0:01:48.109
Loading Kernel Symbols
...............................................................
................................................................
..............................................
Loading User Symbols
Loading unloaded module list
.............
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000008E, {c0000005, 806f0753, a958779c, 0}

Unable to load image \SystemRoot\system32\DRIVERS\avgntflt.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for avgntflt.sys
*** ERROR: Module load completed but symbols could not be loaded for avgntflt.sys
Probably caused by : avgntflt.sys ( avgntflt+e30f )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 806f0753, The address that the exception occurred at
Arg3: a958779c, Trap Frame
Arg4: 00000000

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
hal!ExAcquireFastMutex+f
806f0753 ff09 dec dword ptr [ecx]

TRAP_FRAME: a958779c -- (.trap 0xffffffffa958779c)
Unable to read trap frame at a958779c

CUSTOMER_CRASH_COUNT: 2

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x8E

LAST_CONTROL_TRANSFER: from 804f4786 to 806f0753

STACK_TEXT:
a958780c 804f4786 a9587cc0 00000000 86523f5c hal!ExAcquireFastMutex+0xf
a9587820 f767bf56 86b4f0f4 86c44458 00000000 nt!FsRtlLookupPerStreamContextInternal+0x14
a9587884 f7676c0e 86c44458 a9587cc0 00000000 fltmgr!FltpGetStreamListCtrl+0x5a
a95878a0 aa04030f 86d6c008 a9587cc0 a95878c8 fltmgr!FltGetStreamHandleContext+0x1a
WARNING: Stack unwind information not available. Following frames may be wrong.
a95878c0 f7676888 86523f5c a95878e0 a9587910 avgntflt+0xe30f
a9587920 f76782a0 00587968 86cd677c a9587968 fltmgr!FltpPerformPreCallbacks+0x2d4
a9587934 f7678c48 a9587968 00000000 86b6d020 fltmgr!FltpPassThroughInternal+0x32
a9587950 f7679059 a9587968 86cd66f8 873936c8 fltmgr!FltpPassThrough+0x1c2
a9587980 804e37f7 86b6d020 86cd66e8 86cd66e8 fltmgr!FltpDispatch+0x10d
a9587990 8056c15b 00000000 a9587c34 a9587cc0 nt!IopfCallDriver+0x31
a95879c4 8058396b 00000000 86b6d020 00000000 nt!IopCloseFile+0x27c
a9587a0c 8058395a a9587cc0 86f86018 86084e24 nt!IopDeleteFile+0x46
a9587af0 80563fec 86f86030 00000000 86084d80 nt!IopParseDevice+0xdd6
a9587b78 805684da 00000000 a9587bb8 00000040 nt!ObpLookupObjectName+0x56a
a9587bcc 8057c913 00000000 00000000 81e25c01 nt!ObOpenObjectByName+0xeb
a9587d54 804de7ec 0012ec14 0012ebdc 0012ec40 nt!NtQueryFullAttributesFile+0x124
a9587d54 7c90e4f4 0012ec14 0012ebdc 0012ec40 nt!KiFastCallEntry+0xf8
0012ec40 00000000 00000000 00000000 00000000 0x7c90e4f4


STACK_COMMAND: kb

FOLLOWUP_IP:
avgntflt+e30f
aa04030f ?? ???

SYMBOL_STACK_INDEX: 4

SYMBOL_NAME: avgntflt+e30f

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: avgntflt

IMAGE_NAME: avgntflt.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 49817839

FAILURE_BUCKET_ID: 0x8E_avgntflt+e30f

BUCKET_ID: 0x8E_avgntflt+e30f

Followup: MachineOwner
---------
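A parser for the `!analyze -v` output above, added here as an example; it is not part of the thread or of WinDbg. It assumes the text layout WinDbg printed in this post (the BugCheck line, FAULTING_IP, and STACK_TEXT with its unwind warning) and condenses those lines into the embedded sample; the point it makes explicit is that the "Probably caused by" verdict rests on the first frame after the warning, the one frame that belongs to a module without symbols.

```python
"""Triage of WinDbg ``!analyze -v`` text like the dump in the post above.
Added example, not from the thread and not a WinDbg feature: it pulls out the
bugcheck, exception, faulting instruction, verdict and STACK_TEXT frames, and
flags the frames after the "Stack unwind information not available" warning."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a condensed copy of the analysis posted above.
SAMPLE = """\
BugCheck 1000008E, {c0000005, 806f0753, a958779c, 0}
Probably caused by : avgntflt.sys ( avgntflt+e30f )
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
hal!ExAcquireFastMutex+f

STACK_TEXT:
a958780c 804f4786 a9587cc0 00000000 86523f5c hal!ExAcquireFastMutex+0xf
a9587820 f767bf56 86b4f0f4 86c44458 00000000 nt!FsRtlLookupPerStreamContextInternal+0x14
a95878a0 aa04030f 86d6c008 a9587cc0 a95878c8 fltmgr!FltGetStreamHandleContext+0x1a
WARNING: Stack unwind information not available. Following frames may be wrong.
a95878c0 f7676888 86523f5c a95878e0 a9587910 avgntflt+0xe30f
a9587920 f76782a0 00587968 86cd677c a9587968 fltmgr!FltpPerformPreCallbacks+0x2d4
0012ec40 00000000 00000000 00000000 00000000 0x7c90e4f4

STACK_COMMAND: kb
"""

# 0x1000008E is the _M form of 0x8E: same meaning and the same four arguments.
BUGCHECK_NAMES = {0x1000008E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED_M",
                  0x0000008E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED"}
# ChildEBP RetAddr Args-to-child(3) Symbol, the layout of WinDbg's kb output.
FRAME_RE = re.compile(r"^((?:[0-9a-f]{8} ){5})(\S+)$")


@dataclass
class Frame:
    child_ebp: int
    symbol: str              # text exactly as WinDbg printed it
    module: Optional[str]    # None for a bare address such as 0x7c90e4f4
    function: Optional[str]  # None when the module had no symbols
    offset: int
    unverified: bool         # printed after the unwind warning


def parse_symbol(symbol: str):
    """Split 'mod!func+0xoff', 'mod+0xoff' or a bare '0xaddr' into parts."""
    m = re.fullmatch(r"([^!+]+)(?:!([^+]+))?(?:\+(?:0x)?([0-9a-f]+))?", symbol)
    if not m or re.fullmatch(r"0x[0-9a-f]+", symbol):
        return None, None, 0
    return m.group(1), m.group(2), int(m.group(3) or "0", 16)


@dataclass
class Triage:
    bugcheck: int = 0
    args: List[int] = field(default_factory=list)
    exception_code: Optional[int] = None
    faulting_ip: Optional[str] = None
    probable_cause: Optional[str] = None
    frames: List[Frame] = field(default_factory=list)

    def bugcheck_name(self) -> str:
        return BUGCHECK_NAMES.get(self.bugcheck, "UNKNOWN_BUGCHECK")

    def first_unverified_module(self) -> Optional[str]:
        """Module of the first frame WinDbg could not unwind through."""
        return next((f.module for f in self.frames if f.unverified and f.module), None)


def parse_analysis(text: str) -> Triage:
    t, in_stack, want_ip, unverified = Triage(), False, False, False
    for line in (raw.strip() for raw in text.splitlines()):
        if want_ip and line:
            t.faulting_ip, want_ip = line, False
        elif line == "FAULTING_IP:":
            want_ip = True
        elif line == "STACK_TEXT:":
            in_stack = True
        elif in_stack and (not line or line.startswith("STACK_COMMAND")):
            in_stack = False
        elif in_stack and line.startswith("WARNING: Stack unwind"):
            unverified = True            # every later frame is suspect
        elif in_stack and (m := FRAME_RE.match(line)):
            mod, func, off = parse_symbol(m.group(2))
            t.frames.append(Frame(int(m.group(1).split()[0], 16), m.group(2),
                                  mod, func, off, unverified))
        elif m := re.match(r"BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", line):
            t.bugcheck = int(m.group(1), 16)
            t.args = [int(a, 16) for a in m.group(2).split(",")]
        elif m := re.match(r"Probably caused by : (\S+)", line):
            t.probable_cause = m.group(1)
        elif m := re.match(r"EXCEPTION_CODE: \(NTSTATUS\) 0x([0-9a-fA-F]+)", line):
            t.exception_code = int(m.group(1), 16)
    return t
```

`parse_analysis(SAMPLE).first_unverified_module()` returns `avgntflt`, matching WinDbg's verdict; the frames above the warning (hal, nt, fltmgr) are the filter manager's call path into the filter, not the fault's origin.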

#5 KoanYorel
  • Bleepin' Conundrum
  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 18 April 2009 - 11:58 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#6 KoanYorel
  • Bleepin' Conundrum
  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 25 April 2009 - 07:56 AM

Since you have not followed my instructions, even with asking to reopen this thread, it is now closed.

You need to post anew following all instructions.

Too much time has passed now.

Sorry,

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)
