
BSOD: Virus or hardware?


9 replies to this topic

#1 lavalos

lavalos

  • Members
  • 6 posts

Posted 16 February 2010 - 07:26 PM

For the last few weeks my desktop running XP SP2 has been getting the BSOD with different error codes:

NTFS_FILE_SYSTEM
MULTIPLE_IRP_COMPLETE_REQUESTS
KERNEL_MODE_EXCEPTION_NOT_HANDLED
SECURITY_SYSTEM
MULTIPLE_IRP_COMPLETE_REQUESTS

At the same time, I am unable to boot in safe mode (it locks up) and I am also unable to run chkdsk from
startup ("cannot open volume for direct access" message). I can boot to safe mode (directory services
repair only mode), but still get the "cannot open volume..." message.

The problem started a few weeks after I changed my firewall to PC Tools Firewall, keeping my AVG antivirus
(I made the same change to my laptop and did not have any problem there). I started getting a message
saying that an "external source tampered with the firewall fwsettings.ini initialization file but was
corrected". This message repeated until the computer locked up or got the BSOD. After some tweaking and
running "anti-everything" software, I still get a few of the messages and still get random BSODs.

These are the things I did so far:

- Checked memory - ok
- Checked boot drive with Seagate DOS software (long test) and it passed.
- Ran chkdsk through the recovery tool from the XP CD (only way to run it). Always the message "found and fixed
one or more errors on the volume."
- Ran conflictinfo - ok
- Ran rootkit revealer - ok
- Ran Panda Antirootkit - ok
- Ran Root Repeal - ok
- Ran blacklight - ok
- Ran AVG antivirus - ok
- Ran Bitdefender Quickscan - ok
- Ran Kaspersky online scan - ok
- Ran A-squared Antimalware - ok
- Ran Malwarebytes antimalware - ok
- Ran Hijack this - I checked the suspicious entries online and nothing was odd

I still get eventual BSODs even when booted to safe mode -directory services repair mode.

I also ran Dr. Web antivirus and each time, before hanging up, it gives a message that a virus was found and
to check its log. The log never includes a virus reference but always has several files indicating "read
error", but each time the error files are different: some files with "read error" messages are correctly
read on the following pass.

At this point I have no idea whether this is a hardware or software problem, but if the hard disk program says the disk is OK, it doesn't seem to be the disk.



PS

1) Some days before the problem started, my regular scanning found a virus in a file and it was cleaned. I don't remember what virus it was.
2) As I know there are conflicts between antivirus software, I have the "on-execution" option of
a-squared Anti-Malware turned off to avoid possible conflicts with AVG.

Here my DDS log:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Lucho at 19:30:56.45 on Mon 02/15/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1133 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: a-squared Anti-Malware *On-access scanning enabled* (Outdated) {0F8591BB-342B-4493-91C3-4E948ED21255}
FW: PC Tools Firewall Plus *enabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Mail\wlmail.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Lucho\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 7\SnagItBHO.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0983.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 7\SnagItIEAddin.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0983.0\msneshellx.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Creative Live! Cam Manager] c:\program files\creative\creative live! cam\live! cam manager\CTLCMgr.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
uRun: [Google Update] "c:\documents and settings\lucho\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [WinFast Schedule] c:\program files\winfast\wftvfm\WFWIZ.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [AVFX Engine] c:\program files\creative\creative live! cam\videofx\StartFX.exe
mRun: [EasyTuneVPro] c:\program files\gigabyte\et5pro\ETcall.exe
mRun: [EPSON Stylus CX6000 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatibia.exe /fu "c:\windows\temp\E_S9A.tmp" /EF "HKLM"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [00PCTFW] "c:\program files\pc tools firewall plus\FirewallGUI.exe" -s
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [a-squared] "c:\program files\a-squared anti-malware\a2guard.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\SiICfg.lnk.disabled
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1220772257687
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1258914886078
DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} - hxxp://playerg91.spaces.live.com/PhotoUpload/MsnPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/softwareupdate/su2/ocx/15105/CTPID.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\lucho\applic~1\mozilla\firefox\profiles\yj535je5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Mozilla Add-ons
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\documents and settings\lucho\application data\mozilla\firefox\profiles\yj535je5.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\lucho\application data\mozilla\firefox\profiles\yj535je5.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\lucho\application data\mozilla\firefox\profiles\yj535je5.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\documents and settings\lucho\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 CFRMD;cfrmd;c:\windows\system32\drivers\CFRMD.sys [2010-1-18 133448]
R0 Pnp680;SiI 680 ATA Controller;c:\windows\system32\drivers\pnp680.sys [2008-9-7 37031]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-7 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-9-7 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-9-7 108552]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-11-21 233136]
R1 TSKNF602.SYS;TSKNF602.SYS;c:\windows\system32\drivers\Tsknf602.sys [2009-2-7 11168]
R2 a2AntiMalware;a-squared Anti-Malware Service;c:\program files\a-squared anti-malware\a2service.exe [2010-1-19 1858144]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-9-7 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-9-7 297752]
R2 BT848;WinFast TV2000 XP WDM Video Capture;c:\windows\system32\drivers\wf2kvcap.sys [2008-9-6 59776]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [2009-11-21 88040]
R2 PCToolsFirewallPlus;PC Tools Firewall Plus;c:\program files\pc tools firewall plus\FWService.exe [2009-11-21 818432]
R2 tv2ktunr;WinFast TV2000 XP WDM TVTuner;c:\windows\system32\drivers\wf2ktunr.sys [2008-9-6 19456]
R2 Tv2kXbar;WinFast TV2000 XP WDM Crossbar;c:\windows\system32\drivers\wf2kXbar.sys [2008-9-6 9600]
R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [2009-11-21 70664]
R3 pctNDIS;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [2009-11-21 58816]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [2009-11-21 115216]
R3 V0230Vfx;V0230Vfx;c:\windows\system32\drivers\V0230Vfx.sys [2008-9-7 6272]
R3 V0230VID;Live! Cam Video IM Pro;c:\windows\system32\drivers\V0230VID.sys [2008-9-7 498464]
R3 WFIOCTL;WFIOCTL;c:\program files\winfast\wftvfm\WFIOCTL.sys [2008-9-6 9510]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-3 133104]
S3 GEST Service;GEST Service for program management.;c:\program files\gigabyte\gest\gsvr.exe [2008-9-6 55816]
S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2009-1-21 34064]
S3 PCTFW-DNS;PCTools Firewall - DNS driver;c:\windows\system32\drivers\pctNdis-DNS.sys [2009-11-21 32680]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-6-17 12648]
S4 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" --> c:\program files\lavasoft\ad-aware\aawservice.exe [?]
S4 GPOYXSXBES;GPOYXSXBES;c:\docume~1\lucho\locals~1\temp\gpoyxsxbes.exe --> c:\docume~1\lucho\locals~1\temp\GPOYXSXBES.exe [?]
S4 VLJX;VLJX;c:\docume~1\lucho\locals~1\temp\vljx.exe --> c:\docume~1\lucho\locals~1\temp\VLJX.exe [?]
SUnknown GVTDrv;GVTDrv; [x]

=============== Created Last 30 ================

2010-02-12 21:42:05 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-02-12 21:42:05 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-02-06 22:34:28 0 d-----w- c:\program files\NTFS Undelete
2010-02-05 23:32:04 0 d-----w- c:\documents and settings\lucho\DoctorWeb
2010-01-24 22:06:40 0 d-----w- c:\windows\pss
2010-01-24 21:23:08 470528 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-24 17:31:40 0 d-----w- c:\program files\SystemRequirementsLab
2010-01-22 23:23:54 0 d-----w- c:\program files\NirSoft
2010-01-22 19:44:09 250 ----a-w- c:\windows\gmer.ini
2010-01-20 05:51:12 0 d-----w- c:\program files\a-squared Anti-Malware
2010-01-20 01:26:02 0 d-----w- c:\docume~1\lucho\applic~1\QuickScan
2010-01-20 00:42:16 0 d-----w- c:\program files\Toucan
2010-01-19 00:13:39 18184 ----a-w- c:\windows\system32\cnat.exe
2010-01-19 00:13:39 133448 ----a-w- c:\windows\system32\drivers\CFRMD.sys

==================== Find3M ====================

2010-02-16 01:23:46 24944 ----a-w- c:\windows\system32\drivers\GVTDrv.sys
2010-01-19 01:08:05 70664 ----a-w- c:\windows\system32\drivers\pctNdis-PacketFilter.sys
2010-01-19 01:08:05 58816 ----a-w- c:\windows\system32\drivers\pctNdis.sys
2010-01-19 01:08:05 115216 ----a-w- c:\windows\system32\drivers\pctplfw.sys
2010-01-19 01:08:04 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-01-19 01:08:04 32680 ----a-w- c:\windows\system32\drivers\pctNdis-DNS.sys
2010-01-19 01:08:04 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-01-07 22:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 16:14:12 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 12:58:04 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:35:35 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-11-27 17:33:35 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:33:35 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:37:27 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:37:27 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:37:27 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:37:27 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:37:27 11264 ----a-w- c:\windows\system32\msrle32.dll

============= FINISH: 19:32:40.40 ===============

And here is the GMER log. Due to continuous hanging, I had to run the "files" part under safe mode; it finished but could not save the log, and the only line shown is the one included at the end.

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2010-02-15 21:13:20
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT cfrmd.sys (COMODO Safe Delete Filter/COMODO Security Solutions Inc.) ZwCreateKey [0xBA6C182E]
SSDT cfrmd.sys (COMODO Safe Delete Filter/COMODO Security Solutions Inc.) ZwDeleteKey [0xBA6C253A]
SSDT cfrmd.sys (COMODO Safe Delete Filter/COMODO Security Solutions Inc.) ZwDeleteValueKey [0xBA6C1F4E]
SSDT cfrmd.sys (COMODO Safe Delete Filter/COMODO Security Solutions Inc.) ZwOpenKey [0xBA6C1ACC]
SSDT cfrmd.sys (COMODO Safe Delete Filter/COMODO Security Solutions Inc.) ZwQueryValueKey [0xBA6C1D52]
SSDT cfrmd.sys (COMODO Safe Delete Filter/COMODO Security Solutions Inc.) ZwSetValueKey [0xBA6C22CA]

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs cfrmd.sys (COMODO Safe Delete Filter/COMODO Security Solutions Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Tcp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Udp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\RawIp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)

---- EOF - GMER 1.0.14 ----


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2010-02-15 21:14:56
Windows 5.1.2600 Service Pack 2


---- Registry - GMER 1.0.14 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{03354E7B-01C2-16E4-3AAC-29EFD060911E}\InprocServer32@ ole32.dll

---- EOF - GMER 1.0.14 ----

"files" scan gave this single line:

\device\harddisk\DR0 Sector 08: copy of MBR


Hope somebody can help me.

Edited by lavalos, 16 February 2010 - 07:29 PM.
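The DDS and GMER output in this post contains the items a responder normally triages by hand: service entries whose executables live under a user's temp folder or no longer exist on disk (the trailing "[?]" or "[x]"), boot- and system-start kernel drivers (R0/R1), and GMER's list of which third-party drivers are attached to the NTFS and TCP/IP driver stacks. The Python script below is an added example, not part of the thread and not a feature of DDS or GMER: it parses a few lines copied from the logs above (the two sample strings are constructed excerpts) and flags the entries worth a closer look. The regular expressions and the flag names are my own assumptions about the log format as it appears on this page.

```python
"""Triage helpers for the DDS "SERVICES / DRIVERS" section and GMER "AttachedDevice" lines.

Added example: the parsing rules below are assumptions about the log format as it
appears in this thread, not part of DDS or GMER.
"""
import re
from collections import defaultdict

# Constructed sample: a few lines excerpted from the DDS log in the post above.
DDS_SAMPLE = r"""
R0 CFRMD;cfrmd;c:\windows\system32\drivers\CFRMD.sys [2010-1-18 133448]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-9-7 27784]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-11-21 233136]
R2 PCToolsFirewallPlus;PC Tools Firewall Plus;c:\program files\pc tools firewall plus\FWService.exe [2009-11-21 818432]
S4 GPOYXSXBES;GPOYXSXBES;c:\docume~1\lucho\locals~1\temp\gpoyxsxbes.exe --> c:\docume~1\lucho\locals~1\temp\GPOYXSXBES.exe [?]
S4 VLJX;VLJX;c:\docume~1\lucho\locals~1\temp\vljx.exe --> c:\docume~1\lucho\locals~1\temp\VLJX.exe [?]
SUnknown GVTDrv;GVTDrv; [x]
"""

# Constructed sample: the "Devices" section of the GMER log in the post above.
GMER_SAMPLE = r"""
AttachedDevice \FileSystem\Ntfs \Ntfs cfrmd.sys (COMODO Safe Delete Filter/COMODO Security Solutions Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Tcp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Udp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\RawIp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
"""

# "<start> <service name>;<display name>;<image path> [<date> <size>]"  (assumed layout)
DDS_LINE = re.compile(r"^(?P<start>R\d|S\d|SUnknown)\s+(?P<name>[^;]*);(?P<display>[^;]*);(?P<rest>.*)$")
# Trailing "[date size]" means the file was found; "[?]" or "[x]" means it was not.
DDS_REST = re.compile(r"^(?P<path>.*?)\s*\[(?P<status>[^\]]*)\]\s*$")
# "AttachedDevice <driver object> <device object> <module> (<description>/<vendor>)"
GMER_LINE = re.compile(r"^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<module>\S+)\s+\((?P<desc>[^)]*)\)")


def triage_dds(text):
    """Return one dict per service/driver line, each carrying a set of triage flags."""
    findings = []
    for line in text.splitlines():
        m = DDS_LINE.match(line.strip())
        if not m:
            continue
        rest = DDS_REST.match(m.group("rest"))
        path = rest.group("path") if rest else m.group("rest").strip()
        status = rest.group("status") if rest else ""
        if " --> " in path:
            # DDS prints "registry ImagePath --> resolved path"; keep the resolved one.
            path = path.split(" --> ")[-1]
        flags = set()
        if status in ("?", "x"):
            flags.add("missing_file")      # registry entry survives, binary is gone
        if "\\temp\\" in path.lower():
            flags.add("temp_path")         # services normally do not run from a temp folder
        if m.group("start") in ("R0", "R1"):
            flags.add("early_start")       # boot/system-start kernel driver
        findings.append({"name": m.group("name"), "start": m.group("start"),
                         "path": path, "status": status, "flags": flags})
    return findings


def filter_stacks(text):
    """Group GMER AttachedDevice lines by the driver object whose devices they filter."""
    stacks = defaultdict(list)
    for line in text.splitlines():
        m = GMER_LINE.match(line.strip())
        if not m:
            continue
        vendor = m.group("desc").rsplit("/", 1)[-1]
        stacks[m.group("driver")].append((m.group("device"), m.group("module"), vendor))
    return dict(stacks)


if __name__ == "__main__":
    for f in triage_dds(DDS_SAMPLE):
        if f["flags"]:
            print(f"{f['start']:8} {f['name']:20} {sorted(f['flags'])}  {f['path']}")
    for driver, attached in filter_stacks(GMER_SAMPLE).items():
        modules = sorted({mod for _, mod, _ in attached})
        print(f"{driver}: filtered by {', '.join(modules)}")
```

Run on the sample, the two S4 services pointing into the user's temp folder come out flagged missing_file and temp_path, GVTDrv comes out missing_file, and the R0/R1 lines show which third-party drivers sit in the boot path; the GMER grouping shows cfrmd.sys alone on the NTFS stack and pctgntdi.sys on all four TCP/IP device objects. The script only ranks what to look at first; it does not decide whether any entry is malicious.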



#2 shelf life

shelf life

  • Malware Response Team
  • 2,688 posts
  • Gender:Male
  • Location:@localhost

Posted 20 February 2010 - 08:51 AM

hi lavalos,

Your log is a few days old. If you still need help simply reply to my post.

How Can I Reduce My Risk to Malware?


#3 lavalos

lavalos
  • Topic Starter

  • Members
  • 6 posts

Posted 23 February 2010 - 11:58 AM

Hi shelf life, and yes , I still need help. I've been waiting for someone to look at my case!



#4 shelf life

shelf life

  • Malware Response Team
  • 2,688 posts
  • Gender:Male
  • Location:@localhost

Posted 24 February 2010 - 07:41 PM

hi,

OK, let's see. You have already run several tools. Why don't you, as an experiment, uninstall PC Tools Firewall? It appears this was the last thing installed on your machine. You can always reinstall it if things don't get better. Do you still have this installed:

COMODO Safe Delete Filter

See this link, which is similar to yours: http://forums.comodo.com/comodo-system-cle....html;msg368744
MULTIPLE_IRP_COMPLETE_REQUESTS
KERNEL_MODE_EXCEPTION_NOT_HANDLED

How Can I Reduce My Risk to Malware?


#5 lavalos

lavalos
  • Topic Starter

  • Members
  • 6 posts

Posted 25 February 2010 - 01:51 PM

Hi shelf life.

Since my post with the program logs (and before I got the note saying not to change the computer), I removed the Comodo program as well as the a-squared Anti-Malware (expired). Since then, I haven't had a BSOD, although I haven't been using the computer too much because of the problems.

I verified that I still can't boot in safe mode, and when running chkdsk at startup, I still get that "cannot open volume for direct access".

Should I still try to remove the PC Tools Firewall, or is there another possible cause for these problems?

#6 shelf life

shelf life

  • Malware Response Team
  • 2,688 posts
  • Gender:Male
  • Location:@localhost

Posted 25 February 2010 - 07:06 PM

Do you have anything else installed from PC Tools, or just their firewall? You have Service Pack 2 installed? Any chance you have the original XP installation media, to boot from and run the Recovery Console?

How Can I Reduce My Risk to Malware?


#7 lavalos

lavalos
  • Topic Starter

  • Members
  • 6 posts

Posted 26 February 2010 - 12:14 PM

I only have the PC Tools Firewall and AVG antivirus. I am running XP SP2 and do have the disk.

I booted to the Recovery Console several times and ran chkdsk: each time it came up with some errors that were supposedly corrected.

By the way, yesterday I tried Dr. Web again and it finished without any warning (before, I was getting some messages, and the log showed that it could not open some files).

What should I try now? Another Chkdsk under Recovery Console?

Edited by lavalos, 26 February 2010 - 12:17 PM.


#8 shelf life

shelf life

  • Malware Response Team
  • 2,688 posts
  • Gender:Male
  • Location:@localhost

Posted 27 February 2010 - 08:17 AM

If the problem seems to be better, then I would just leave PC Tools Firewall installed. It's typical that some system files are 'locked' and can't be opened by antivirus. Sure, try chkdsk again from the Recovery Console.

How Can I Reduce My Risk to Malware?


#9 lavalos

lavalos
  • Topic Starter

  • Members
  • 6 posts

Posted 03 March 2010 - 09:32 PM

I uninstalled my AVG antivirus and PC Tools Firewall, ran chkdsk and reinstalled them, and now I can boot into safe mode and run chkdsk at startup.

So far, no new problems showing.

Thanks

#10 shelf life

shelf life

  • Malware Response Team
  • 2,688 posts
  • Gender:Male
  • Location:@localhost

Posted 04 March 2010 - 08:32 PM

OK, good. If all is well, here are some tips to help you remain malware-free. Even though this wasn't really a malware issue, I will post them anyway.


10 Tips that should help *Reduce and Prevent* your risk To Malware:


1) It is essential to keep your OS (Windows), browser (IE, Firefox) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the auto-update feature. Staying updated is also necessary for web-based applications like Java, Adobe Flash/Reader, QuickTime etc. Check their version status here.

2) Know what you are installing on your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. Do not install any files from ads, popups or random links. Do not fall for fake warnings about viruses and trojans being found on your computer where you're then prompted to install software to remedy this. Use the Alt+F4 key to close your browser. See also the signs that you may have malware on your computer.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If these are constantly finding malware on your computer then it's time to review your computer habits.

4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. Do you trust the source?

5) Don't click on ads/pop-ups or any offer from websites requesting that you need to install software on your computer, *for any reason.* Use the Alt+F4 key to close your browser.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?

7) Set up and use limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent *malware from installing and lessen its potential impact.*

8) Install and understand the *limitations* of a software firewall.

9) A tool for automatically hardening and securing Internet Explorer 8.0. Requires site registration for downloading. Changes some of the default settings of IE 8.0; read the FAQs. Consider using another browser. Internet Explorer is and will continue to be the most exploited browser because it is widely used.

10) Warez, cracks etc are very popular for carrying all kinds of malware payloads. Using them will cause you all kinds of problems. If you download/install files via p2p networks then you are also much more likely to encounter malicious code. Do you really trust the source of the file? Do you really need another malware source?

A longer version is in the link below.

Edited by shelf life, 04 March 2010 - 08:37 PM.

How Can I Reduce My Risk to Malware?




