
BSOD in Vista


This topic is locked
22 replies to this topic

#1 Winterland
  • Members
  • 995 posts
  • Gender:Male
  • Location:The Land of Enchantment

Posted 11 October 2011 - 05:53 AM

Good morning.

I am trying to find out what happened to my mother-in-law's computer and could use some help.

Computer: HP Pavilion a6110n running Vista Home Premium

Upon start up it appears to be loading for a few minutes and then the dreaded BSOD appears bearing the following message:

STOP: c000021a {Fatal System Error}
The initial session process or system process terminated unexpectedly with a status of 0x00000000 (0xc0000001 0x00100544).
The system has been shut down.



I did reboot and attempt to start in Safe Mode but this resulted in the same BSOD with the same error message.

From what I could gather from talking to my mother-in-law, the computer had not demonstrated any odd behavior prior to this BSOD.

She did attempt to use the Windows Error Recovery, which loads sometimes upon a reboot but when attempting to use that, several minutes after launching the Startup Repair option, I receive the following:

Startup Repair cannot repair this computer automatically, and then of course, gives me the option to send information about this problem to them. <_<


Included in that window is a fair amount of problem details, which I would be glad to pass along if someone wants/needs it.


So there you go, I hope that's enough information to get started.


Oh, one other thing that seems odd, I have, as you might imagine, rebooted this machine several times, and while attempting to use the F8 feature to boot in safe mode, I can't always get that screen/option to load.


Thanks in advance for any help/direction you might be able to give.

Winterland

Photobucket removed my cool flag - idiots!

 

Every calculation based on experience elsewhere fails in New Mexico.




#2 Winterland
  • Topic Starter
  • Members
  • 995 posts
  • Gender:Male
  • Location:The Land of Enchantment

Posted 12 October 2011 - 06:14 AM

Update.

After a couple of more reboots, I was able to get the F8 option to work.

Retried the obvious, just to make sure - Reboot in Safe Mode / Last Known Good Config - both of which resulted in the same BSOD in my OP.

I also selected the Repair option, which allowed me (from the System Recovery Options menu) to select System Restore, which I did, and selected one of the earliest dates, which in this case was 9-1-11.

After several minutes, I received a 'System Restore did not complete successfully. Your computer's system files and settings were not changed. Details: System Restore failed due to an unspecified error. System cannot find the file specified. (0x80070002)'


I will attempt to use System Restore again, using a different restore point, but also wanted to mention that among the options I have when selecting my restore point are which disks to restore:

HP (C:) (System)
Recovery (D:)
Boot (X:)


However, no matter which restore point I choose (there are a couple for each day going back to 8-31-2011) this is what I see:

HP (C:) (System) Ready to restore
Recovery (D:) The disk is not in the selected restore point
Boot (X:) The disk is not in the selected restore point


I also wanted to make note of my other options in the event that someone thinks I should be trying something else.

Other options in the System Recovery window:

Startup Repair

Windows Complete PC Restore (which I don't think is an option for me since I'm pretty darn sure no back up has ever been made)

Windows Memory Diagnostic

Command Prompt

Recovery Manager



Okay, I'm going to keep sleuthing, maybe look up today's new code (0x80070002) and see what I can see but if you're zipping around and have stumbled upon my post, well then by all means, sit and spell and let me know what you think.

Thanks,

Winterland



#3 AustrAlien
    Inquisitor
  • Members
  • 6,772 posts
  • Gender:Male
  • Location:Cowra NSW Australia

Posted 13 October 2011 - 04:40 AM

Please sit tight and be patient.

I have requested that an experienced helper who specialises in malware-related un-bootable computers respond to your topic.

Thank you.
AustrAlien
Google is my friend. Make Google your friend too.


#4 Winterland
  • Topic Starter
  • Members
  • 995 posts
  • Gender:Male
  • Location:The Land of Enchantment

Posted 13 October 2011 - 05:31 AM

OK, will do.

And because I've seen the advice posted in so many other posts, I will make no further changes or attempt anything further until I hear from a BC member.

Thank you.

I know how flooded these boards can get so please know that while I would like to get this resolved as soon as I can, we (me and my sweet Mother-in-law) are not in a big hurry, we're just thankful knowing help is on the way.


Winterland



#5 Farbar
    Just Curious
  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 13 October 2011 - 08:02 AM

Hello Winterland,

Welcome to Bleeping Computer.:)

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

#6 Winterland
  • Topic Starter
  • Members
  • 995 posts
  • Gender:Male
  • Location:The Land of Enchantment

Posted 13 October 2011 - 06:57 PM

Good evening farbar, thank you for helping. Here is the text from the scan:

Scan result of Farbars's Recovery Tool (FRST written by farbar) Version 2.2.4
Ran by SYSTEM at 2011-10-13 19:51:20
Running from J:\
(X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKU\Default\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun [1773568 2007-03-12] (Hewlett-Packard)
HKU\Default User\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun [1773568 2007-03-12] (Hewlett-Packard)
HKU\Owner\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-18] (Microsoft Corporation)
HKU\Owner\...\Run: [RunSpySweeperScheduleAtStartup] "C:\Program Files\hewlett-packard\sdp\ceement\HPCEE.exe" /ScheduleSweep=HPCeeScheduleForOwner [86016 2007-03-07] (Hewlett-Packard)
HKU\Owner\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-18] (Microsoft Corporation)
HKU\Owner\...\Run: [Google Update] "C:\Users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-02-28] (Google Inc.)
HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [318464 2008-01-18] (Microsoft Corporation)
HKLM\...\Winlogon: [Userinit] [x]
HKLM\...\Winlogon: [Shell]
Tcpip\Parameters: [DhcpNameServer] 68.87.73.246 68.87.71.230

================================ Services (Whitelisted) ==================

2 AntiVirSchedulerService; "C:\Program Files\Avira\AntiVir Desktop\sched.exe" [136360 2011-04-27] (Avira GmbH)
2 AntiVirService; "C:\Program Files\Avira\AntiVir Desktop\avguard.exe" [269480 2011-07-02] (Avira GmbH)
3 IDriverT; "c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe" [x]
2 LightScribeService; "c:\Program Files\Common Files\LightScribe\LSSrvc.exe" [x]
3 RoxMediaDB9; "c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe" [x]
3 stllssvr; "c:\Program Files\Common Files\SureThing Shared\stllssvr.exe" [x]

========================== Drivers (Whitelisted) =============

2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [66616 2011-07-02] (Avira GmbH)
1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [138192 2011-07-02] (Avira GmbH)
3 HSF_DP; C:\Windows\System32\DRIVERS\HSX_DP.sys [980992 2008-05-08] (Conexant Systems, Inc.)
3 HSXHWBS2; C:\Windows\System32\DRIVERS\HSXHWBS2.sys [266752 2008-05-08] (Conexant Systems, Inc.)
4 Mraid35x; C:\Windows\System32\drivers\mraid35x.sys [33384 2006-11-02] (LSI Logic Corporation)
3 Ps2; C:\Windows\System32\DRIVERS\PS2.sys [19072 2005-12-12] (Hewlett-Packard Company)
1 ssmdrv; C:\Windows\System32\DRIVERS\ssmdrv.sys [28520 2010-06-17] (Avira GmbH)
4 UlSata; C:\Windows\System32\drivers\ulsata.sys [98408 2006-11-02] (Promise Technology, Inc.)
4 ulsata2; C:\Windows\System32\drivers\ulsata2.sys [115816 2006-11-02] (Promise Technology, Inc.)
4 blbdrive; C:\Windows\System32\drivers\blbdrive.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2011-10-13 19:51 - 2011-10-13 19:51 - 0000000 ____D C:\FRST
2011-10-12 15:58 - 2011-10-12 15:58 - 2011750400 __ASH C:\hiberfil.sys
2011-10-11 02:37 - 2011-10-12 14:27 - 0175958 ____A C:\Windows\ntbtlog.txt
2011-09-30 07:04 - 2011-09-30 07:04 - 0000000 ____D C:\5bcb1114a9d3eb836f3b79d7

============ 3 Months Modified Files and Folders ===============

2011-10-13 19:51 - 2011-10-13 19:51 - 0000000 ____D C:\FRST
2011-10-12 15:58 - 2011-10-12 15:58 - 2011750400 __ASH C:\hiberfil.sys
2011-10-12 14:27 - 2011-10-11 02:37 - 0175958 ____A C:\Windows\ntbtlog.txt
2011-10-02 10:28 - 2008-03-09 07:26 - 142562809 ____A C:\Windows\MEMORY.DMP
2011-09-30 07:04 - 2011-09-30 07:04 - 0000000 ____D C:\5bcb1114a9d3eb836f3b79d7
2011-09-30 07:04 - 2011-06-26 06:21 - 0000000 ___HD C:\Config.Msi
2011-09-30 07:04 - 2007-11-19 16:29 - 1234488 ____A C:\Windows\WindowsUpdate.log
2011-09-30 07:04 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\Microsoft.NET
2011-09-30 07:02 - 2006-11-02 02:23 - 0000179 ____A C:\Windows\win.ini
2011-09-30 06:56 - 2007-04-23 16:24 - 0000000 ____D C:\Windows\SMINST
2011-09-30 06:56 - 2006-11-02 05:01 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2011-09-30 06:56 - 2006-11-02 04:47 - 0003568 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2011-09-30 06:56 - 2006-11-02 04:47 - 0003568 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2011-09-26 08:40 - 2006-11-02 05:01 - 0032550 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2011-09-26 08:10 - 2011-02-28 11:51 - 0000908 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4129377459-4185247545-3643136389-1000UA.job
2011-09-23 12:10 - 2011-02-28 11:51 - 0000856 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4129377459-4185247545-3643136389-1000Core.job
2011-09-17 11:01 - 2006-11-02 02:24 - 46249416 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2011-09-05 07:37 - 2007-12-05 10:17 - 0002200 ____A C:\Users\Owner\Application Data\wklnhst.dat
2011-09-05 07:37 - 2007-12-05 10:17 - 0002200 ____A C:\Users\Owner\AppData\Roaming\wklnhst.dat
2011-09-05 07:19 - 2007-04-23 16:26 - 0138974 ____A C:\Windows\PFRO.log
2011-08-28 13:14 - 2008-05-08 06:33 - 0000322 ____A C:\Windows\Tasks\HPCeeScheduleForOwner.job
2011-08-28 08:14 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\rescache
2011-07-22 08:08 - 2011-08-11 04:35 - 3615232 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2011-07-22 05:54 - 2011-08-11 04:35 - 1383424 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 22%
Total physical RAM: 1917.94 MB
Available physical RAM: 1485.65 MB
Total Pagefile: 1661.46 MB
Available Pagefile: 1507.41 MB
Total Virtual: 2047.88 MB
Available Virtual: 1983.55 MB

======================= Partitions =========================

1 Drive c: (HP) (Fixed) (Total:289.31 GB) (Free:216.52 GB) NTFS
2 Drive d: (Recovery) (Fixed) (Total:8.78 GB) (Free:1.01 GB) NTFS
8 Drive j: () (Removable) (Total:3.75 GB) (Free:3.75 GB) FAT32
9 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==========================================================

Last Boot: 2011-10-02 14:27

======================= End Of Log ==========================



#7 Farbar
    Just Curious
  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 13 October 2011 - 09:27 PM

Let's take a look at the MBR.

  • We need to check the MBR. Please download MBR.EXE by GMER. Save the file on your flash drive.
  • Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

    cmd: copy /y j:\mbr.exe c:\
    cmd: c:\mbr.exe -c 0 1 j:\MBR.zip

  • Now please enter System Recovery Options.
  • Run FRST and press the Fix button just once and wait.
  • The tool will make a log on the flashdrive (Fixlog.txt); please post it to your reply.
  • Also there will be an MBR.zip file on your flashdrive. Please attach it to your reply.


#8 Winterland
  • Topic Starter
  • Members
  • 995 posts
  • Gender:Male
  • Location:The Land of Enchantment

Posted 14 October 2011 - 05:27 AM

Good morning farbar, thanks again for the quick response and the help. I have attached the MBR.zip file.

Here is the text from the Fixlog:


Fix result of Farbars's Recovery Tool (FRST written by farbar Version 2.2.4)
Ran by SYSTEM at 2011-10-14 06:17:28 R:1
Running from J:\

==============================================


========= copy /y j:\mbr.exe c:\ =========

1 file(s) copied.

========= End of CMD: =========


========= c:\mbr.exe -c 0 1 j:\MBR.zip =========

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6000 Disk: SAMSUNG_ rev.CP10 -> Harddisk0\DR0 -> \Device\00000016

0x1 sector(s) have been successfully saved to "j:\MBR.zip".

========= End of CMD: =========


==== End of Fixlog ====



#9 Farbar
    Just Curious
  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 14 October 2011 - 05:38 AM

The MBR doesn't show any pattern of known infections.

There are vital registry entries missing and we are going to restore them.

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
Last Boot: 2011-10-02 14:27
end

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt); please post it to your reply.

Also restart the system, let it boot normally and tell me how it went.
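The FRST log in post #6 reports `HKLM\...\Winlogon: [Userinit] [x]` and a `[Shell]` line with no value, which is what the helper above is reading as "vital registry entries missing": without a resolvable Userinit and Shell, Winlogon has nothing to launch after logon, so the session process dies and Vista stops with c000021a. The following is an added example, not FRST's code or anything from this thread: a small Python parser for lines in the shape of the "Registry (Whitelisted)" section that flags Winlogon values that are `[x]`, empty, or not the assumed Vista defaults. The sample lines, the `EXPECTED_WINLOGON` defaults and the function names are constructed for the example.

```python
import re

# Constructed sample in the shape of FRST's "Registry (Whitelisted)" section.
# The two Winlogon lines mirror what the thread's log showed; the rest is filler.
SAMPLE_REGISTRY_LINES = [
    r"HKU\Owner\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-18] (Microsoft Corporation)",
    r"HKLM\...\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [318464 2008-01-18] (Microsoft Corporation)",
    r"HKLM\...\Winlogon: [Userinit] [x]",
    r"HKLM\...\Winlogon: [Shell]",
    r"Tcpip\Parameters: [DhcpNameServer] 68.87.73.246 68.87.71.230",
]

# Assumed default Winlogon values for a 32-bit Vista install (an assumption of
# this example, not something taken from the thread).
EXPECTED_WINLOGON = {
    "Userinit": r"C:\Windows\system32\userinit.exe,",
    "Shell": "explorer.exe",
}

# "<key>: [<name>] <value>"; the value part is optional because FRST prints
# nothing after the name when the value is empty.
LINE_RE = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]+)\](?: (?P<value>.*))?$")


def parse_registry_line(line):
    """Split one FRST registry line into key, value name and value text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "key": m.group("key"),
        "name": m.group("name"),
        "value": (m.group("value") or "").strip(),
    }


def check_winlogon(lines):
    """Return {value name: finding} for anything wrong with the Winlogon values.

    Findings: "flagged [x]" (FRST could not resolve the entry), "empty",
    "non-default: <value>", or "not reported" (no line for it in the section).
    """
    findings = {}
    seen = set()
    for line in lines:
        entry = parse_registry_line(line)
        if entry is None or not entry["key"].endswith("Winlogon"):
            continue
        name, value = entry["name"], entry["value"]
        seen.add(name)
        if value == "[x]":
            findings[name] = "flagged [x]"
        elif value == "":
            findings[name] = "empty"
        elif name in EXPECTED_WINLOGON and value != EXPECTED_WINLOGON[name]:
            findings[name] = "non-default: " + value
    for name in EXPECTED_WINLOGON:
        if name not in seen:
            findings[name] = "not reported"
    return findings


if __name__ == "__main__":
    for name, finding in check_winlogon(SAMPLE_REGISTRY_LINES).items():
        print(f"Winlogon {name}: {finding}")
```

On the sample the check returns `Userinit: flagged [x]` and `Shell: empty`, the same two problems the thread is chasing. The "non-default" branch is the one that matters for malware triage: a Shell or Userinit value that resolves but points somewhere other than the defaults is the classic sign of a logon hijack, whereas this machine's problem is that the values are simply gone.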

#10 Winterland
  • Topic Starter
  • Members
  • 995 posts
  • Gender:Male
  • Location:The Land of Enchantment

Posted 14 October 2011 - 05:40 PM

Evening farbar. Here is the text from the Fixlog:


Fix result of Farbars's Recovery Tool (FRST written by farbar Version 2.2.4)
Ran by SYSTEM at 2011-10-14 18:29:26 R:2
Running from J:\

==============================================

DEFAULT hive was successfully copied to System32\config\HiveBackup
DEFAULT hive was successfully restored from registry back up.
SAM hive was successfully copied to System32\config\HiveBackup
SAM hive was successfully restored from registry back up.
SECURITY hive was successfully copied to System32\config\HiveBackup
SECURITY hive was successfully restored from registry back up.
SOFTWARE hive was successfully copied to System32\config\HiveBackup
SOFTWARE hive was successfully restored from registry back up.
SYSTEM hive was successfully copied to System32\config\HiveBackup
SYSTEM hive was successfully restored from registry back up.

==== End of Fixlog ====



Shut down and rebooted a couple of times per your instructions, all of which resulted in the same BSOD as in the OP (I checked to make sure none of the codes had changed, but it was the same, word for word.)

If you're available, I'll be around all weekend doing the chores and checking in more often than during the work week.

Thanks again for the continued help.

Winterland



#11 Farbar
    Just Curious
  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 14 October 2011 - 06:34 PM

Hi Winterland,

The system didn't show any sign of malware except broken registry entries.

Now please run another scan and post the log to see if anything is improved.

#12 Winterland
  • Topic Starter
  • Members
  • 995 posts
  • Gender:Male
  • Location:The Land of Enchantment

Posted 15 October 2011 - 05:43 AM

Good morning.

Ran another scan, which I will post in a moment, but also wanted to let you know that upon the reboot, I am now looking at the Windows Error Recovery screen telling me that Windows failed to start and then giving me the standard options:

Launch Start Up Repair

Start Windows Normally.

Here are the scan results I ran just a few minutes ago:


Scan result of Farbars's Recovery Tool (FRST written by farbar) Version 2.2.4
Ran by SYSTEM at 2011-10-15 06:38:25
Running from J:\
(X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKU\Default\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun [1773568 2007-03-12] (Hewlett-Packard)
HKU\Default User\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun [1773568 2007-03-12] (Hewlett-Packard)
HKU\Owner\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-18] (Microsoft Corporation)
HKU\Owner\...\Run: [RunSpySweeperScheduleAtStartup] "C:\Program Files\hewlett-packard\sdp\ceement\HPCEE.exe" /ScheduleSweep=HPCeeScheduleForOwner [86016 2007-03-07] (Hewlett-Packard)
HKU\Owner\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-18] (Microsoft Corporation)
HKU\Owner\...\Run: [Google Update] "C:\Users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-02-28] (Google Inc.)
HKLM\...\Winlogon: [Userinit] [x]
HKLM\...\Winlogon: [Shell]
Tcpip\Parameters: [DhcpNameServer] 68.87.73.246 68.87.71.230

================================ Services (Whitelisted) ==================

2 AntiVirSchedulerService; "C:\Program Files\Avira\AntiVir Desktop\sched.exe" [136360 2011-04-27] (Avira GmbH)
2 AntiVirService; "C:\Program Files\Avira\AntiVir Desktop\avguard.exe" [269480 2011-07-02] (Avira GmbH)
3 IDriverT; "c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe" [x]
2 LightScribeService; "c:\Program Files\Common Files\LightScribe\LSSrvc.exe" [x]
3 RoxMediaDB9; "c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe" [x]
3 stllssvr; "c:\Program Files\Common Files\SureThing Shared\stllssvr.exe" [x]

========================== Drivers (Whitelisted) =============

2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [66616 2011-07-02] (Avira GmbH)
1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [138192 2011-07-02] (Avira GmbH)
3 HSF_DP; C:\Windows\System32\DRIVERS\HSX_DP.sys [980992 2008-05-08] (Conexant Systems, Inc.)
3 HSXHWBS2; C:\Windows\System32\DRIVERS\HSXHWBS2.sys [266752 2008-05-08] (Conexant Systems, Inc.)
4 Mraid35x; C:\Windows\System32\drivers\mraid35x.sys [33384 2006-11-02] (LSI Logic Corporation)
3 Ps2; C:\Windows\System32\DRIVERS\PS2.sys [19072 2005-12-12] (Hewlett-Packard Company)
1 ssmdrv; C:\Windows\System32\DRIVERS\ssmdrv.sys [28520 2010-06-17] (Avira GmbH)
4 UlSata; C:\Windows\System32\drivers\ulsata.sys [98408 2006-11-02] (Promise Technology, Inc.)
4 ulsata2; C:\Windows\System32\drivers\ulsata2.sys [115816 2006-11-02] (Promise Technology, Inc.)
4 blbdrive; C:\Windows\System32\drivers\blbdrive.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2011-10-14 18:29 - 2011-10-14 18:29 - 0000000 ____D C:\Windows\System32\config\HiveBackup
2011-10-14 06:17 - 2011-10-14 06:02 - 0089088 ____A C:\mbr.exe
2011-10-13 19:51 - 2011-10-13 19:51 - 0000000 ____D C:\FRST
2011-10-12 15:58 - 2011-10-14 14:41 - 2011750400 __ASH C:\hiberfil.sys
2011-10-11 02:37 - 2011-10-12 14:27 - 0175958 ____A C:\Windows\ntbtlog.txt
2011-09-30 07:04 - 2011-09-30 07:04 - 0000000 ____D C:\5bcb1114a9d3eb836f3b79d7

============ 3 Months Modified Files and Folders ===============

2011-10-14 18:29 - 2011-10-14 18:29 - 0000000 ____D C:\Windows\System32\config\HiveBackup
2011-10-14 14:41 - 2011-10-12 15:58 - 2011750400 __ASH C:\hiberfil.sys
2011-10-14 06:02 - 2011-10-14 06:17 - 0089088 ____A C:\mbr.exe
2011-10-13 19:51 - 2011-10-13 19:51 - 0000000 ____D C:\FRST
2011-10-12 14:27 - 2011-10-11 02:37 - 0175958 ____A C:\Windows\ntbtlog.txt
2011-10-02 10:28 - 2008-03-09 07:26 - 142562809 ____A C:\Windows\MEMORY.DMP
2011-09-30 07:04 - 2011-09-30 07:04 - 0000000 ____D C:\5bcb1114a9d3eb836f3b79d7
2011-09-30 07:04 - 2011-06-26 06:21 - 0000000 ___HD C:\Config.Msi
2011-09-30 07:04 - 2007-11-19 16:29 - 1234488 ____A C:\Windows\WindowsUpdate.log
2011-09-30 07:04 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\Microsoft.NET
2011-09-30 07:02 - 2006-11-02 02:23 - 0000179 ____A C:\Windows\win.ini
2011-09-30 06:56 - 2007-04-23 16:24 - 0000000 ____D C:\Windows\SMINST
2011-09-30 06:56 - 2006-11-02 05:01 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2011-09-30 06:56 - 2006-11-02 04:47 - 0003568 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2011-09-30 06:56 - 2006-11-02 04:47 - 0003568 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2011-09-26 08:40 - 2006-11-02 05:01 - 0032550 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2011-09-26 08:10 - 2011-02-28 11:51 - 0000908 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4129377459-4185247545-3643136389-1000UA.job
2011-09-23 12:10 - 2011-02-28 11:51 - 0000856 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4129377459-4185247545-3643136389-1000Core.job
2011-09-17 11:01 - 2006-11-02 02:24 - 46249416 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2011-09-05 07:37 - 2007-12-05 10:17 - 0002200 ____A C:\Users\Owner\Application Data\wklnhst.dat
2011-09-05 07:37 - 2007-12-05 10:17 - 0002200 ____A C:\Users\Owner\AppData\Roaming\wklnhst.dat
2011-09-05 07:19 - 2007-04-23 16:26 - 0138974 ____A C:\Windows\PFRO.log
2011-08-28 13:14 - 2008-05-08 06:33 - 0000322 ____A C:\Windows\Tasks\HPCeeScheduleForOwner.job
2011-08-28 08:14 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\rescache
2011-07-22 08:08 - 2011-08-11 04:35 - 3615232 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2011-07-22 05:54 - 2011-08-11 04:35 - 1383424 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 22%
Total physical RAM: 1917.94 MB
Available physical RAM: 1489.99 MB
Total Pagefile: 1661.46 MB
Available Pagefile: 1507.09 MB
Total Virtual: 2047.88 MB
Available Virtual: 1990.16 MB

======================= Partitions =========================

1 Drive c: (HP) (Fixed) (Total:289.31 GB) (Free:217.15 GB) NTFS
2 Drive d: (Recovery) (Fixed) (Total:8.78 GB) (Free:1.01 GB) NTFS
8 Drive j: () (Removable) (Total:3.75 GB) (Free:3.75 GB) FAT32
9 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==========================================================

Last Boot: 2011-10-02 14:27

======================= End Of Log ==========================



#13 Farbar
    Just Curious
  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 15 October 2011 - 06:18 AM

Good morning Winterland,

It still gives you the BSOD if you choose to boot normally?

If yes, please do the following:

Please replace the content of fixlist.txt with the following syntax and run the Fix and post Fixlog.txt:

start
reg: reg query hklm
reg: reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
reg: reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
end
Also type the following in the search box:

software*

Press Search and when finished post the Search.txt

Edited by farbar, 15 October 2011 - 06:19 AM.


#14 Winterland
  • Topic Starter
  • Members
  • 995 posts
  • Gender:Male
  • Location:The Land of Enchantment

Posted 15 October 2011 - 06:34 AM

Hello again. Yeah, still getting the same BSOD, so per your instructions, here are the logs:



Fix result of Farbars's Recovery Tool (FRST written by farbar Version 2.2.4)
Ran by SYSTEM at 2011-10-15 07:25:55 R:3
Running from J:\

==============================================


========= reg query hklm =========


HKEY_LOCAL_MACHINE\888
HKEY_LOCAL_MACHINE\999
HKEY_LOCAL_MACHINE\COMPONENTS
HKEY_LOCAL_MACHINE\HARDWARE
HKEY_LOCAL_MACHINE\SAM
HKEY_LOCAL_MACHINE\SECURITY
HKEY_LOCAL_MACHINE\SOFTWARE
HKEY_LOCAL_MACHINE\SYSTEM

========= End of Reg: =========


========= reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" =========


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
CurrentVersion REG_SZ 6.0
CurrentBuildNumber REG_SZ 6002
BuildLab REG_SZ 6002.vistasp2_gdr.110617-0336
BuildLabEx REG_SZ 6002.18484.x86fre.vistasp2_gdr.110617-0336
BuildGUID REG_SZ cfbc00e9-0902-4871-8e63-4e5cb5305bc9
CurrentType REG_SZ Multiprocessor Free
CSDVersion REG_SZ Service Pack 2
CSDBuildNumber REG_SZ 1621
SystemRoot REG_SZ C:\Windows


========= End of Reg: =========


========= reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" =========

ERROR: The system was unable to find the specified registry key or value.

========= End of Reg: =========


==== End of Fixlog ====



And here are the Search results:

Farbars Recovery Scan Tool 2.0.3
Ran by SYSTEM at 2011-10-15 07:26:15
Running from J:\

================== Search: software* ===================

C:\WINDOWS\System32\config\SOFTWARE
[2006-11-02 02:22] - [2011-10-15 07:25] - 40923136 ____A ()

C:\WINDOWS\System32\config\SOFTWARE.LOG
[2006-11-02 02:22] - [2006-11-02 07:28] - 0001024 ___AH () 6B6B297AF7BBB0AB348A3CE0BC75F6A4

C:\WINDOWS\System32\config\SOFTWARE.LOG1
[2006-11-02 04:33] - [2011-10-15 07:25] - 0262144 ___AH () 9FA701E90F070656B897C31B74C6C393

C:\WINDOWS\System32\config\SOFTWARE.LOG2
[2006-11-02 04:33] - [2010-06-16 11:33] - 0262144 ___AH () EC87A838931D4D5D2E94A04644788A55

C:\WINDOWS\System32\config\SOFTWARE.SAV
[2006-11-02 02:22] - [2006-11-02 02:34] - 10133504 ____A () 8B507B5CF95AD726A6568A48C9CAC380

C:\WINDOWS\System32\config\software_previous
[2006-11-02 02:22] - [2009-05-14 18:29] - 35389440 ____A () B16737CF7D128B3A68AEC7E90597F961

C:\WINDOWS\System32\config\RegBack\SOFTWARE
[2006-11-02 04:47] - [2011-10-02 14:27] - 40923136 ____A () 6AFA4306EDF4ED0BCFF7CE9239B3E7C1

C:\WINDOWS\System32\config\RegBack\SOFTWARE.LOG1
[2006-11-02 05:06] - [2011-10-02 14:27] - 0262144 ___AH () 33CDC095DA9D38F0FF99DCCF6A06544A

C:\WINDOWS\System32\config\RegBack\SOFTWARE.LOG2
[2006-11-02 05:06] - [2006-11-02 05:06] - 0000000 ___AH ()

C:\WINDOWS\System32\config\RegBack\SOFTWARE.OLD
[2006-11-02 04:47] - [2011-09-26 08:27] - 40923136 ____A () 4E4ABFCF9A92615C6218C7AC196C6068

C:\WINDOWS\System32\config\HiveBackup\software
[2011-10-14 18:29] - [2011-10-14 18:29] - 40923136 ____A () AC1CC2CAFFB123AFE9106721798376B9

C:\WINDOWS\Help\OEM\Scripts\SoftwareAndDriversPage.jse
[2007-04-23 16:08] - [2007-01-11 09:09] - 0015637 ____A () B786FED37C81B7D7CBD7BEF4E614F9F0

C:\Users\Owner\Favorites\HP\Software and Driver Downloads.url
[2007-11-19 14:16] - [2007-04-23 16:12] - 0000184 ____A () 36C26F873E2C97050C8B25E5BBA1E7D2

C:\Users\Default User\Favorites\HP\Software and Driver Downloads.url
[2007-11-19 14:16] - [2007-04-23 16:12] - 0000184 ____A () 36C26F873E2C97050C8B25E5BBA1E7D2

C:\Users\Default\Favorites\HP\Software and Driver Downloads.url
[2007-11-19 14:16] - [2007-04-23 16:12] - 0000184 ____A () 36C26F873E2C97050C8B25E5BBA1E7D2

C:\Program Files\HP\HP Software Update\SoftwareUpdate.dll
[2007-05-01 10:02] - [2007-05-01 10:02] - 0765952 ___RA (Hewlett-Packard) 44FB731A0809BE002387876584D534B1

C:\hp\support\software.log
[2007-04-23 15:23] - [2007-04-23 16:37] - 0005784 ____A () 803CD9A8E3A979BC61384B20977A9C2B

C:\hp\HPQWare\Favs\EN_US\HP\Software and Driver Downloads.url
[2007-04-23 16:12] - [2007-04-23 16:12] - 0000184 ____A () 36C26F873E2C97050C8B25E5BBA1E7D2

C:\hp\HPQWare\Favs\EN_CA\HP\Software and Driver Downloads.url
[2007-04-23 16:13] - [2007-04-23 16:13] - 0000184 ____A () E88B7A75FBD3F36722CB22E6E4FE0A16

C:\FRST\Hives\software
[2011-10-13 19:51] - [2011-10-13 18:54] - 40923136 ____A () 07EE708FF6E41D8C66C934C133989BBE

C:\Documents and Settings\Owner\Favorites\HP\Software and Driver Downloads.url
[2007-11-19 14:16] - [2007-04-23 16:12] - 0000184 ____A () 36C26F873E2C97050C8B25E5BBA1E7D2

C:\Documents and Settings\Default User\Favorites\HP\Software and Driver Downloads.url
[2007-11-19 14:16] - [2007-04-23 16:12] - 0000184 ____A () 36C26F873E2C97050C8B25E5BBA1E7D2

C:\Documents and Settings\Default\Favorites\HP\Software and Driver Downloads.url
[2007-11-19 14:16] - [2007-04-23 16:12] - 0000184 ____A () 36C26F873E2C97050C8B25E5BBA1E7D2

=== End Of Search ===


Thanks again for all the help. Been 'watching' you bounce all around the forums this morning.

I love this place.

Winterland



#15 Farbar
    Just Curious
  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 15 October 2011 - 06:49 AM

There is something seriously wrong with the Software hive. It loads but there are important keys missing.

Please replace the content of fixlist.txt with the following syntax and run the Fix and post Fixlog.txt:

File: C:\WINDOWS\System32\config\SOFTWARE

Winterland: I'm not sure if I will be able to get back to you today. It is my daughter's birthday.
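The Search.txt in post #14 lists every copy of the SOFTWARE hive on the disk (the live one, RegBack, HiveBackup, the .OLD and _previous copies), each as a path line followed by a detail line of the form `[created] - [modified] - size attributes (company) md5`. Before deciding which backup to restore over a hive that loads but is missing keys, a helper wants those copies side by side, newest first, with their hashes, because equal sizes (all 40923136 bytes here) say nothing about whether two copies are the same file. The following is an added example, not FRST's code or anything from this thread: a Python parser for that two-line format plus two helpers that pick out the copies of one hive and group them by MD5. The sample text is a trimmed copy of the thread's own Search.txt; the function names are assumptions of this example.

```python
import re
from datetime import datetime

# Trimmed copy of the Search.txt posted in the thread (five entries kept, the rest dropped).
SAMPLE_SEARCH = r"""
Farbars Recovery Scan Tool 2.0.3
Ran by SYSTEM at 2011-10-15 07:26:15
Running from J:\

================== Search: software* ===================

C:\WINDOWS\System32\config\SOFTWARE
[2006-11-02 02:22] - [2011-10-15 07:25] - 40923136 ____A ()

C:\WINDOWS\System32\config\RegBack\SOFTWARE
[2006-11-02 04:47] - [2011-10-02 14:27] - 40923136 ____A () 6AFA4306EDF4ED0BCFF7CE9239B3E7C1

C:\WINDOWS\System32\config\RegBack\SOFTWARE.OLD
[2006-11-02 04:47] - [2011-09-26 08:27] - 40923136 ____A () 4E4ABFCF9A92615C6218C7AC196C6068

C:\WINDOWS\System32\config\HiveBackup\software
[2011-10-14 18:29] - [2011-10-14 18:29] - 40923136 ____A () AC1CC2CAFFB123AFE9106721798376B9

C:\Program Files\HP\HP Software Update\SoftwareUpdate.dll
[2007-05-01 10:02] - [2007-05-01 10:02] - 0765952 ___RA (Hewlett-Packard) 44FB731A0809BE002387876584D534B1

=== End Of Search ===
"""

# Detail line: "[created] - [modified] - size attrs (company)" with an optional MD5.
# FRST leaves the MD5 off for the live hive it cannot read while it is loaded.
DETAIL_RE = re.compile(
    r"^\[(?P<created>[\d\- :]+)\] - \[(?P<modified>[\d\- :]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\)(?: (?P<md5>[0-9A-Fa-f]{32}))?$"
)


def parse_search(text):
    """Pair each path line with the detail line FRST prints directly under it."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    entries = []
    for path, detail in zip(lines, lines[1:]):
        m = DETAIL_RE.match(detail)
        if m is None or not path or path.startswith(("=", "[")):
            continue
        entries.append({
            "path": path,
            "created": datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
            "size": int(m["size"]),
            "attrs": m["attrs"],
            "company": m["company"],
            "md5": m["md5"].upper() if m["md5"] else None,
        })
    return entries


def hive_copies(entries, hive):
    """Copies of one hive (exact file name, inside a config directory), newest first."""
    hits = []
    for e in entries:
        norm = e["path"].lower()
        base = norm.rsplit("\\", 1)[-1]
        if base == hive.lower() and "\\config\\" in norm:
            hits.append(e)
    return sorted(hits, key=lambda e: e["modified"], reverse=True)


def content_groups(entries):
    """Group paths by MD5 so byte-identical copies stand out; key None = no hash reported."""
    groups = {}
    for e in entries:
        groups.setdefault(e["md5"], []).append(e["path"])
    return groups


if __name__ == "__main__":
    for e in hive_copies(parse_search(SAMPLE_SEARCH), "SOFTWARE"):
        print(f"{e['modified']:%Y-%m-%d %H:%M}  {e['size']:>10}  {e['md5'] or '-':32}  {e['path']}")
```

Run against the sample, the three SOFTWARE copies come out as the live hive (modified during the reg queries on 15 October, no hash), HiveBackup (written by the fix on 14 October) and RegBack (last touched at the 2 October boot), each with a different MD5 even though the sizes match. The RegBack modification time coinciding with the log's "Last Boot" value is exactly the kind of correlation a helper reads off this table before choosing a restore source.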



