my small business server crashed BSOD every 2 minutes HELP

#1 shopit


Posted 13 May 2013 - 11:54 AM

I posted this in the Windows 7 category and they said to put it here and suggested malware to be the cause. We have a backup of the main data but it's corrupt; it won't stay running long enough to do a full backup, and a day's worth of transactions are in it that we need. About 1k of items are in it. Plus we have everything set up for our slave computers etc. So I'm really trying to resurrect this, then clone the drive for a full backup copy.


Here's the info from my last post:


OK guys, so I own a small business and my server runs a SQL server. Randomly on Thursday my software started crashing every two minutes. We had no idea why or what was going on at first. I used to be much more avid into Windows back in the XP days and before. I kinda switched to Mac and haven't messed with newer Windows. I actually just picked up a Win 8 Surface Pro to use for tuning trucks and QuickBooks.


So as I've looked at it, at first I've thought malware, because it would stay open in safe mode but not in regular mode. And my software won't run in safe mode so I can't back up my data. So I've scanned with the Windows malicious software tools, I've scanned with PC Matic from PC Pitstop as we use it for used laptops we sell and it works relatively well. Tried iolo, which works rather well, their System Mechanic. So far the Windows tools found 4 malware which were, according to all scans, removed. Then if I go to certain settings or Windows Update or such it shuts off instantly. I figured it's either malware, memory, a driver or a registry error. I don't think it's memory or I would think it would shut down the same in safe mode.


The error I get with Windows Update is just a straight crash.

If I go to Dell and go to the driver update tool I get "Unable to install or run this application. This application requires your system to be updated to Microsoft Common Language Runtime version 4.0.30319.0".


Also when the computer comes back up from its blue screen I get a rundll error: "There was a problem starting c:users/server/appdata/roaming/msrex.dll. The specified module could not be found."


The second error was a rundll error: "There was a problem starting c:users/server/appdata/roaming/rcsnpa.dll. The specified module could not be found."


The blue screen states, under technical information:

**** stop: 0x0000008e (0xc0000005,0x835c7487,0xb653f66c,0x00000000)

*** atport.sys - address 835c7487 base at 835c1000, datestamp 4ce788e8



The trojans found since 5/10 were Trojan:Win32/Medfos.X and Medfos.B; on the 11th it was Trojan:HTML/Redirector.BB and two copies of that. At the last scan nothing found anything else. There was one more program found when I put it into an external Lightning jig on my Mac; clam found it but I forgot what it was, it was something Trojan.something..


I have attached the RAMMon file and I'm going to use the driver utility to try and list the drivers. I really need this up online or I'm going to be losing business fast and cash....


DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 9.0.8112.16448
Run by Server at 12:42:48 on 2013-05-13
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3037.1959 [GMT -4:00]
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
============== Running Processes ================
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
c:\Program Files\Microsoft SQL Server\MSSQL10_50.DATAAGE\MSSQL\Binn\sqlservr.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\TibMounter\TibMounterMonitor.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\StarMicronics\TSP100\Software\20110121\Ondemand.exe
C:\ProgramData\iTwin Connect\iTwinConnectAssist.exe
C:\Program Files\PCPitstop\PCPitstopScheduleService.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\AVG\AVG2013\avgui.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Acronis\SyncAgent\syncagentsrv.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
============== Pseudo HJT Report ===============
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [Seagull Drivers] ssdal_nc.exe startup
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [TrueImageMonitor.exe] "c:\program files\acronis\trueimagehome\TrueImageMonitor.exe"
mRun: [AcronisTibMounterMonitor] c:\program files\common files\acronis\tibmounter\TibMounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [TSP100ecoOndemand] c:\program files\starmicronics\tsp100\software\20110121\Ondemand.exe
mRun: [iTwinAssist] "c:\programdata\itwin\iTwinAssist.exe"
mRun: [iTwinConnectAssist] "c:\programdata\itwin connect\iTwinConnectAssist.exe"
mRun: [msrex] rundll32.exe "c:\users\server\appdata\roaming\msrex.dll",ClearWeakRefs
mRun: [rcsnpa] rundll32.exe "c:\users\server\appdata\roaming\rcsnpa.dll",Set_New
mRun: [TimeServer] "c:\users\server\appdata\roaming\macromedia\WINAF4A.exe"
mRun: [PC Pitstop PC Matic Reminder] c:\program files\pcpitstop\pc matic\Reminder-PCMatic.exe
mRun: [AVG_UI] "c:\program files\avg\avg2013\avgui.exe" /TRAYONLY
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\setpoint.lnk - c:\program files\setpoint\SetPoint.exe
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxps://dealer.md-bmc.rpdss.com/ActiveX/smsx.cab
DPF: {5445BE81-B796-11D2-B931-002018654E2E} - hxxps://dealer.md-bmc.rpdss.com/ActiveX/smsx.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1332265517162
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} - hxxp://
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {FEC048AB-277A-460C-BF50-1A4193AEF148} - hxxp://
TCP: NameServer =
TCP: Interfaces\{04AAD8B1-3255-4BEE-BBEA-228F4831E3A6} : NameServer =
TCP: Interfaces\{539AC7B1-418B-4CB0-BE93-1B066AC8F253} : NameServer =
TCP: Interfaces\{8A5453B5-9F23-4366-9714-93DBA3024248} : NameServer =,
TCP: Interfaces\{8A5453B5-9F23-4366-9714-93DBA3024248} : DHCPNameServer =
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - <orphaned>
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
============= SERVICES / DRIVERS ===============
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-10-15 55776]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2012-9-21 177376]
R0 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2012-11-15 94048]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2012-9-14 35552]
R0 fltsrv;Acronis Storage Filter Management;c:\windows\system32\drivers\fltsrv.sys [2012-8-28 93928]
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
R0 tib_mounter;Acronis TIB Mounter;c:\windows\system32\drivers\tib_mounter.sys [2012-8-28 689672]
R0 vididr;Acronis Virtual Disk;c:\windows\system32\drivers\vididr.sys [2012-8-28 139336]
R0 vidsflt;Acronis Disk Storage Filter;c:\windows\system32\drivers\vidsflt.sys [2012-8-28 99720]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2012-10-22 179936]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2012-9-21 19936]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2012-10-2 159712]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2012-9-21 164832]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2013-5-10 34592]
R1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\ElRawDsk.sys [2013-5-11 26248]
R2 afcdpsrv;Acronis Nonstop Backup Service;c:\program files\common files\acronis\cdp\afcdpsrv.exe [2012-8-28 3696632]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2013-5-11 1070080]
R2 MSSQL$DATAAGE;SQL Server (DATAAGE);c:\program files\microsoft sql server\mssql10_50.dataage\mssql\binn\sqlservr.exe [2010-4-3 42884448]
R2 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\pcpitstop\PCPitstopScheduleService.exe [2013-5-10 86216]
R2 PDFsFilter;PDFsFilter;c:\windows\system32\drivers\PDFsFilter.sys [2013-5-11 68464]
R2 SSPORT;SSPORT;c:\windows\system32\drivers\SSPORT.SYS [2012-12-16 5120]
R2 syncagentsrv;Acronis Sync Agent Service;c:\program files\common files\acronis\syncagent\syncagentsrv.exe [2012-8-18 7017888]
R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [2012-8-28 234752]
R3 ivin;iTwin Connect Virtual Ethernet Adapter #2;c:\windows\system32\drivers\ivin.sys [2013-3-6 32456]
R3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2010-8-27 273960]
S1 MpKslf09d666d;MpKslf09d666d;c:\programdata\microsoft\microsoft antimalware\definition updates\{9d47d9d0-cfef-49c2-9ee7-83fab89763be}\MpKslf09d666d.sys [2013-5-10 29904]
S3 ADASPROT;SYSTWEAKASO;c:\program files\advanced system optimizer 3\adasprot32.sys [2012-7-22 6656]
S3 ASO3DiskOptimizer;ASO3DiskOptimizer;c:\program files\advanced system optimizer 3\ASO3DefragSrv.exe [2012-7-22 240480]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 DIRECTIORM;DIRECTIORM;c:\program files\rammon\DirectIo32.sys [2013-5-11 22120]
S3 dpK00701;U.are.UÆ Fingerprint Reader Upper Driver;c:\windows\system32\drivers\dpK00701.sys [2010-2-24 59280]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [2011-6-24 23456]
S3 inh;iTwin Connect NAT Helper;c:\windows\system32\drivers\inh.sys [2013-3-6 25952]
S3 iTwinConnectService;iTwin Connect Service;c:\programdata\itwin connect\iTwinConnectService.exe [2013-3-6 570152]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [2010-5-20 30576]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 74112]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-3-26 214952]
S3 PortEmulator;Port Emulator (Star);c:\program files\starmicronics\tsp100\software\20110121\portemu_umdf_tsp100.exe [2011-2-23 143360]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TcpEmulatorTSP100LAN;TCP Port Emulator (TSP100);c:\program files\starmicronics\tsp100\software\20110121\tcpemu_tsp100lan.exe [2011-2-23 249856]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2012-9-6 52224]
S3 usbdpfp;U.are.UÆ Fingerprint Reader Class Driver;c:\windows\system32\drivers\usbdpfp.sys [2010-2-24 57744]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2012-9-6 1343400]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S4 AERTFilters;Andrea RT Filters Service;c:\program files\realtek\audio\hda\AERTSrv.exe [2010-9-3 87968]
S4 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-10-21 196176]
S4 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\SeaPort.EXE [2011-10-13 249648]
S4 BingDesktopUpdate;Bing Desktop Update service;c:\program files\microsoft\bingdesktop\BingDesktopUpdater.exe [2013-4-10 168592]
S4 BPowMon;Broadcom Power monitoring service;c:\program files\broadcom\bpowmon\BPowMon.exe [2009-8-17 79168]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2010-4-3 44896]
S4 RsFx0150;RsFx0150 Driver;c:\windows\system32\drivers\RsFx0150.sys [2010-4-3 240608]
S4 SQLAgent$DATAAGE;SQL Server Agent (DATAAGE);c:\program files\microsoft sql server\mssql10_50.dataage\mssql\binn\SQLAGENT.EXE [2010-4-3 367456]
=============== File Associations ===============
FileExt: .scr: scrfile=NOTEPAD.EXE "%1"
FileExt: .reg: regfile=NOTEPAD.EXE "%1"
FileExt: .vbe: VBEFile=NOTEPAD.EXE "%1"
FileExt: .vbs: VBSFile=NOTEPAD.EXE "%1"
FileExt: .js: JSFile=NOTEPAD.EXE "%1"
FileExt: .jse: JSEFile=NOTEPAD.EXE "%1"
FileExt: .wsf: WSFFile=NOTEPAD.EXE "%1"
=============== Created Last 30 ================
2013-05-12 03:28:06 -------- d-----w- c:\users\server\appdata\local\Deployment
2013-05-12 03:28:06 -------- d-----w- c:\users\server\appdata\local\Apps
2013-05-12 03:06:33 -------- d-----w- c:\program files\RAMMon
2013-05-12 02:47:41 26248 ----a-w- c:\windows\system32\drivers\ElRawDsk.sys
2013-05-12 01:41:25 2097472 ----a-w- c:\windows\system32\Incinerator32.dll
2013-05-12 01:41:24 68464 ----a-w- c:\windows\system32\drivers\PDFsFilter.sys
2013-05-12 01:41:24 56200 ----a-w- c:\windows\system32\offreg.dll
2013-05-12 01:41:24 41616 ----a-w- c:\windows\system32\iolobtdfg.exe
2013-05-12 01:41:24 23568 ----a-w- c:\windows\system32\smrgdf.exe
2013-05-12 01:40:28 -------- d-----w- C:\iolo
2013-05-12 01:38:48 -------- d-----w- c:\users\server\appdata\roaming\iolo
2013-05-12 01:19:17 257928 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2013-05-12 01:17:43 74703 ----a-w- c:\windows\system32\mfc45.dat
2013-05-12 01:17:33 -------- d-----w- c:\programdata\iolo
2013-05-12 01:17:33 -------- d-----w- c:\program files\iolo
2013-05-12 01:14:16 -------- d-sh--w- c:\programdata\{D1D4879F-2279-49C9-AEBF-3B95C84EAA8F}
2013-05-11 14:41:06 -------- d-----w- c:\program files\ThreatExpert Memory Scanner
2013-05-10 23:01:13 -------- d-----w- c:\users\server\appdata\roaming\AVG2013
2013-05-10 23:00:23 34592 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-05-10 23:00:21 -------- d-----w- c:\program files\AVG SafeGuard toolbar
2013-05-10 22:59:46 -------- d--h--w- C:\$AVG
2013-05-10 22:59:46 -------- d-----w- c:\programdata\AVG2013
2013-05-10 22:59:21 -------- d-----w- c:\program files\AVG
2013-05-10 22:55:01 29904 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{9d47d9d0-cfef-49c2-9ee7-83fab89763be}\MpKslf09d666d.sys
2013-05-10 20:53:13 -------- d-----w- c:\programdata\PCPitstopDat
2013-05-10 14:38:32 6906960 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{9d47d9d0-cfef-49c2-9ee7-83fab89763be}\mpengine.dll
2013-05-09 23:06:17 68608 ----a-w- c:\users\server\dl4oip3zcg067.exe
2013-05-09 14:38:52 6906960 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
==================== Find3M  ====================
2013-05-02 15:28:50 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-03-14 11:15:08 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-14 11:15:08 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-07 00:42:42 32456 ----a-w- c:\windows\system32\drivers\ivin.sys
2013-03-07 00:39:27 25952 ----a-w- c:\windows\system32\drivers\inh.sys
2003-02-21 09:42:22 348160 ----a-w- c:\program files\common files\msvcr71.dll
============= FINISH: 12:43:09.31 ===============

 is the DDS file script
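As an added example (not from the thread, and not code from BleepingComputer or any tool named above), here is a small Python triage script for the "Pseudo HJT Report" and "File Associations" sections of a DDS log like the one posted: it flags autorun entries that load from user-writable profile paths (the msrex/rcsnpa rundll32 lines and the TimeServer entry above are the pattern), UAC policy values set to 0, and executable script extensions remapped to Notepad. The sample lines are constructed to mirror the posted log; the severity labels and regexes are my own assumptions.

```python
import re

# Constructed sample lines, modelled on the DDS log in the post above.
SAMPLE_DDS = r"""
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [msrex] rundll32.exe "c:\users\server\appdata\roaming\msrex.dll",ClearWeakRefs
mRun: [rcsnpa] rundll32.exe "c:\users\server\appdata\roaming\rcsnpa.dll",Set_New
mRun: [TimeServer] "c:\users\server\appdata\roaming\macromedia\WINAF4A.exe"
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
FileExt: .vbs: VBSFile=NOTEPAD.EXE "%1"
FileExt: .txt: txtfile=NOTEPAD.EXE "%1"
"""

# Profile / data directories that any logged-on user can write to.
USER_WRITABLE = re.compile(r"\\(appdata|programdata|users\\[^\\]+)\\", re.I)
# Where legitimately installed autorun binaries and DLLs normally live.
SYSTEM_DIRS = re.compile(r"^c:\\(windows|program files)", re.I)
# UAC policy values whose dword:0 means that protection is switched off.
UAC_OFF = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}
# Extensions that normally execute; mapping them to Notepad breaks scripts and cleanup tools.
SCRIPT_EXTS = {".scr", ".reg", ".vbe", ".vbs", ".js", ".jse", ".wsf"}

RUN_RE = re.compile(r"^[mu]?Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
POLICY_RE = re.compile(r"^mPolicies-System: (?P<key>\w+) = dword:(?P<val>\d+)$")
EXT_RE = re.compile(r"^FileExt: (?P<ext>\.\w+): (?P<handler>.*)$")

def triage(text):
    """Return a list of (severity, reason, line) findings for one DDS log."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            cmd = m["cmd"]
            path = re.search(r'[a-z]:\\[^"]+', cmd, re.I)  # first absolute path in the command
            target = path.group(0) if path else ""
            if cmd.lower().startswith("rundll32.exe") and not SYSTEM_DIRS.match(target):
                findings.append(("high", "rundll32 loads a DLL outside system dirs", line))
            elif USER_WRITABLE.search(target):
                findings.append(("high", "autorun from user-writable profile path", line))
        elif m := POLICY_RE.match(line):
            if m["key"] in UAC_OFF and m["val"] == "0":
                findings.append(("medium", f"UAC setting {m['key']} disabled", line))
        elif m := EXT_RE.match(line):
            if m["ext"].lower() in SCRIPT_EXTS and "notepad" in m["handler"].lower():
                findings.append(("medium", f"{m['ext']} remapped to Notepad", line))
    return findings

if __name__ == "__main__":
    for sev, why, line in triage(SAMPLE_DDS):
        print(f"[{sev}] {why}: {line}")
```

On the sample, the msseces.exe entry, the EnableUIADesktopToggle value and the .txt mapping produce no finding; the remaining six lines do.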

#2 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:05:54 PM

Posted 16 May 2013 - 07:32 PM


Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
#3 m0le


Posted 22 May 2013 - 08:21 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
