
Rootkit related BSODs


6 replies to this topic

#1 i4004


Posted 31 October 2016 - 07:34 PM

peculiar case, worth documenting:

out of nowhere, i got STOP: c000021a {Fatal system error} Windows subsystem system process terminated unexpectedly with a status of 0x0000005......

this shows once and after that it becomes STOP: 0x000000F4 BSOD

it appears shortly after windows reaches desktop.

 

MBAM scan's most interesting find is

Files: 4
PUP.Optional.Conduit, C:\Program Files\Conduit\Community Alerts\Alert.dll, , [25986f30d2c813234181f11c7d839868],
PUP.Optional.ConduitTB.Gen, C:\Documents and Settings\Administrator.UNIMATRIX001\Local Settings\Application Data\CRE\pacgpkgadgmibnhpdidcnfafllnmeomc.crx, , [f8c579260199b5812e625485788a867a],
Rogue.Link, C:\Documents and Settings\Administrator.UNIMATRIX001\Favorites\Free Pornstars @ Pornstar Pile.url, , [5667faa5ecae90a6228e5dafe221f10f],
Rootkit.Agent, C:\WINDOWS\system32\drivers\str.sys, , ,

 

 

after this i did combofix (attached one such log) and it finds 'logongui.exe' and 'msgsvc.dll' (system32 folder) as infected, on top of a few weird files that FRST indicates too (files with a ? mark, i can't see these files via windows explorer or total commander... tried erasing them via CFScript.txt and combofix, but to no avail). combofix says it can fix msgsvc (by copying it from another location in the windows directory) but not logongui.exe, so i copied that file from a working machine. after this the pc boots, but not for long, as the error sequence repeats (with one and then, after reboot, another BSOD). probably worth mentioning that combofix is bleeping about avast being active, but i can't turn it off because i don't see it in safe mode, and i can't remove it via avastclear.exe. it is also bleeping about the lacking recovery console, but tough luck there too, seems the xp server for that purpose is down, and the version on the xp cd seems too old (?)

 

did all sorts of different things too, checked for rootkits with rkill, tdsskiller and others, checked MBR etc.

checked the BSOD minidump (nir sofer's BlueScreenView says ntoskrnl.exe most of the time, windows debugging tools say csrss.exe...), swapped RAM sticks, reinstalled the VGA driver, HDtune tested the hdd etc.

probably the most interesting thing is that i restored hdd image from the time windows was working ok, and soon after BSOD reappears (i didn't use sector-by-sector mode of acronis true image to restore it, though). also at the time of that restoration i had 3 more hdds connected in the system..i dunno if rootkits like to skip from drive to drive...

 

 

i'm now writing this from safe mode which works ok. also, it's a dual boot system, windows2000 is working too. regarding the device manager entry in the frst report, one picture:

[image: IDE2016-11-01_005530_zpskjdy3bsc.png]

dunno why it is doubling these entries, i was clearing cmos somewhere during all this, so perhaps it's some mismatch.

 

here is frst.txt:


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 30-10-2016
Ran by izi-2 (administrator) on ASUS (01-11-2016 00:29:07)
Running from C:\MyDokumenta2
Loaded Profiles: izi-2 (Available Profiles: izi-2)
Platform: Microsoft Windows XP Professional Service Pack 2 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Safe Mode (with Networking)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

Failed to access process -> smss.exe
Failed to access process -> csrss.exe
Failed to access process -> winlogon.exe
Failed to access process -> services.exe
Failed to access process -> lsass.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> explorer.exe
Failed to access process -> ctfmon.exe
Failed to access process -> firefox.exe
Failed to access process -> FRST.exe
Failed to access process -> wmiprvse.exe


==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDCPL] => C:\WINDOWS\RTHDCPL.EXE [18077696 2008-12-23] (Realtek Semiconductor Corp.)
HKLM\...\Run: [mouseElf] => C:\Program Files\Scroll Mouse\MouseElf.exe [438364 2005-12-16] ()
HKLM\...\Run: [NeroFilterCheck] => C:\WINDOWS\system32\NeroCheck.exe [155648 2001-07-09] (Ahead Software Gmbh)
HKLM\...\Run: [CanonMyPrinter] => C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2508104 2009-11-02] (CANON INC.)
HKLM\...\Run: [CanonSolutionMenu] => C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe [767312 2009-09-04] (CANON INC.)
HKLM\...\Run: [Malwarebytes Anti-Exploit] => C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe [2651088 2016-10-28] (Malwarebytes Corporation)
HKLM\...\Run: [AvastUI.exe] => E:\Program Files\AvAstXP\AvastUI.exe [7408312 2016-10-31] (AVAST Software)
HKLM\...\Run: [KernelFaultCheck] => %systemroot%\system32\dumprep 0 -k
HKLM\...\Policies\Explorer: [NoSharedDocuments] 1
HKLM\...\Policies\Explorer: [NoRemoteRecursiveEvents] 1
HKU\S-1-5-21-2000478354-73586283-725345543-500\...\Policies\Explorer: [NoSharedDocuments] 1
HKU\S-1-5-21-2000478354-73586283-725345543-500\...\Policies\Explorer: [CDRAutoRun] 1
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => E:\Program Files\AvAstXP\ashShell.dll [2016-10-31] (AVAST Software)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\FileBox eXtender.lnk [2008-09-19]
ShortcutTarget: FileBox eXtender.lnk -> C:\Program Files\FileBX\FileBX.exe (Hyperionics Technology LLC)
BootExecute: autocheck autochk /p \??\O:autocheck autochk *

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\..\Interfaces\{755DDF4B-EB2F-4494-9B33-2930EC276CD9}: [NameServer] 195.29.166.116,195.29.166.117

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2000478354-73586283-725345543-500\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-2000478354-73586283-725345543-500\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
BHO: FGCatchUrl -> {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} -> C:\Program Files\FlashGet\jccatch.dll [2007-08-06] (www.flashget.com)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> E:\Program Files\AvAstXP\aswWebRepIE.dll [2016-10-31] (AVAST Software)
BHO: FlashGet GetFlash Class -> {F156768E-81EF-470C-9057-481BA8380DBA} -> C:\Program Files\FlashGet\getflash.dll [2007-05-18] (www.flashget.com)
Toolbar: HKU\S-1-5-21-2000478354-73586283-725345543-500 -> No Name - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} -  No File
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Mozilla\Firefox\Profiles\naef66wq.default-1454634362109 [2016-11-01]
FF Homepage: C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Mozilla\Firefox\Profiles\naef66wq.default-1454634362109 -> hxxps://www.google.com/?gfe_rd=cr&ei=lPezVsjnIMGH8QfyvZ-4DQ&gws_rd=ssl,cr&fg=1
FF NetworkProxy: C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Mozilla\Firefox\Profiles\naef66wq.default-1454634362109 -> type", 0
FF Extension: (YouTube™ Flash® Player) - C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Mozilla\Firefox\Profiles\naef66wq.default-1454634362109\Extensions\jid1-HAV2inXAnQPIeA@jetpack.xpi [2016-10-31]
FF Extension: (FlashGot) - C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Mozilla\Firefox\Profiles\naef66wq.default-1454634362109\Extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}.xpi [2016-03-18]
FF Extension: (Video DownloadHelper) - C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Mozilla\Firefox\Profiles\naef66wq.default-1454634362109\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi [2016-10-31]
FF Extension: (Adblock Plus) - C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Mozilla\Firefox\Profiles\naef66wq.default-1454634362109\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-10-31]
FF Extension: (DownThemAll!) - C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Mozilla\Firefox\Profiles\naef66wq.default-1454634362109\Extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}.xpi [2016-04-24]
FF ProfilePath: C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Moonchild Productions\Pale Moon\Profiles\1fuz2iew.default [2016-10-31]
FF DefaultSearchEngine: C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Moonchild Productions\Pale Moon\Profiles\1fuz2iew.default -> Google
FF SelectedSearchEngine: C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Moonchild Productions\Pale Moon\Profiles\1fuz2iew.default -> Google
FF Homepage: C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Moonchild Productions\Pale Moon\Profiles\1fuz2iew.default -> www.google.com
FF Extension: (Adblock Latitude) - C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Moonchild Productions\Pale Moon\Profiles\1fuz2iew.default\Extensions\{016acf6d-e5c0-4768-9376-3763d1ad1978}.xpi [2016-02-08] [not signed]
FF Extension: (DownloadHelper) - C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Moonchild Productions\Pale Moon\Profiles\1fuz2iew.default\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d} [2015-07-15]
FF ProfilePath: C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Broad Intelligence\XULPlayer\Profiles\xulplayer [2009-08-01]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - E:\Program Files\AvAstXP\WebRep\FF
FF Extension: (Avast Online Security) - E:\Program Files\AvAstXP\WebRep\FF [2016-10-31]
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_21_0_0_182.dll [2016-03-18] ()
FF Plugin: @java.com/DTPlugin,version=10.4.1 -> C:\WINDOWS\system32\npDeployJava1.dll [2012-04-04] (Oracle Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll [No File]
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll [No File]
FF Plugin: yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1 -> C:\Program Files\Mozilla Firefox\plugins\npyaxmpb.dll [2007-03-10] (Yahoo! Inc.)
FF Plugin HKU\S-1-5-21-2000478354-73586283-725345543-500: @tools.google.com/Google Update;version=3 -> C:\Documents and Settings\Administrator.UNIMATRIX001\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll [No File]
FF Plugin HKU\S-1-5-21-2000478354-73586283-725345543-500: @tools.google.com/Google Update;version=9 -> C:\Documents and Settings\Administrator.UNIMATRIX001\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll [No File]
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll [2008-06-11] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll [2010-06-05] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll [2010-06-05] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll [2010-06-05] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll [2010-06-05] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll [2010-06-05] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npyaxmpb.dll [2007-03-10] (Yahoo! Inc.)
StartMenuInternet: FIREFOX.EXE - E:\Firefox40\firefox.exe

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 avast! Antivirus; E:\Program Files\AvAstXP\AvastSvc.exe [243296 2016-10-31] (AVAST Software)
S2 MbaeSvc; C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe [155088 2016-10-28] (Malwarebytes Corporation)
S2 gupdate; "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files\Google\Update\GoogleUpdate.exe" /medsvc [X]
S3 rpcapd; "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini" [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S1 AsIO; C:\WINDOWS\System32\drivers\AsIO.sys [12664 2006-10-18] ()
S2 aswHwid; C:\WINDOWS\system32\drivers\aswHwid.sys [32792 2016-10-31] (AVAST Software)
S1 aswKbd; C:\WINDOWS\system32\drivers\aswKbd.sys [35096 2016-03-23] (AVAST Software)
S2 aswMonFlt; C:\WINDOWS\system32\drivers\aswMonFlt.sys [91168 2016-10-31] (AVAST Software)
R1 aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [64272 2016-10-31] (AVAST Software)
S0 aswRvrt; C:\WINDOWS\system32\Drivers\aswRvrt.sys [58776 2016-10-31] (AVAST Software)
S1 aswSnx; C:\WINDOWS\system32\drivers\aswSnx.sys [815792 2016-10-31] (AVAST Software)
S1 aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [449640 2016-10-31] (AVAST Software)
S3 aswStmXP; C:\WINDOWS\system32\drivers\aswStmXP.sys [187208 2016-10-31] (AVAST Software)
S3 aswTdi; C:\WINDOWS\system32\drivers\aswTdi.sys [67216 2016-10-31] (AVAST Software)
S0 aswVmm; C:\WINDOWS\system32\Drivers\aswVmm.sys [224616 2016-10-31] (AVAST Software)
R3 AtcL001; C:\WINDOWS\System32\DRIVERS\atl01_xp.sys [38656 2007-03-14] (Attansic Technology corporation.)
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2004-08-03] (Microsoft Corporation)
S2 DLPortIO; C:\WINDOWS\System32\DRIVERS\DLPortIO.sys [3584 1999-01-10] () [File not signed]
S3 DSDrv4; C:\Program Files\DScaler\DSDrv4.sys [8801 2005-12-18] () [File not signed]
S3 epmntdrv; C:\WINDOWS\system32\epmntdrv.sys [14944 2014-11-18] ()
S1 ESProtectionDriver; C:\Program Files\Malwarebytes Anti-Exploit\mbae.sys [59976 2016-10-28] ()
S3 EuGdiDrv; C:\WINDOWS\system32\EuGdiDrv.sys [10208 2014-11-18] ()
S3 FlyPCI; E:\Program Files\SlyDiman\SlyControl2\FlyPCI.sys [4134 2003-10-10] () [File not signed]
R3 genmcmnUSB; C:\WINDOWS\System32\DRIVERS\gflmouhid.sys [6656 2004-04-19] ()
R0 giveio; C:\WINDOWS\System32\giveio.sys [5248 1996-04-03] () [File not signed]
S3 IT9135BDA; C:\WINDOWS\System32\Drivers\IT9135BDA.sys [145280 2011-10-19] (ITE                      )
S3 LVCap138; C:\WINDOWS\System32\DRIVERS\tvcap.sys [301568 2004-10-27] (Philips) [File not signed]
S3 lvtuner; C:\WINDOWS\System32\DRIVERS\lvtuner.sys [14464 2004-10-20] (Animation Technologies Inc.) [File not signed]
R1 MagicTune; C:\WINDOWS\system32\drivers\MTictwl.sys [12062 2004-10-11] () [File not signed]
S3 MPE; C:\WINDOWS\System32\DRIVERS\MPE.sys [15360 2004-08-03] (Microsoft Corporation)
R3 MTsensor; C:\WINDOWS\System32\DRIVERS\ASACPI.sys [5810 2004-08-13] ()
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2004-08-03] (Microsoft Corporation)
S3 nm; C:\WINDOWS\System32\DRIVERS\NMnt.sys [40320 2002-12-31] (Microsoft Corporation)
S3 NPF; C:\WINDOWS\System32\drivers\npf.sys [35088 2010-06-25] (CACE Technologies, Inc.)
S3 pwdrvio; C:\WINDOWS\system32\pwdrvio.sys [15688 2013-09-30] ()
S3 pwdspio; C:\WINDOWS\system32\pwdspio.sys [10320 2013-09-30] ()
R0 PxHelp20; C:\WINDOWS\System32\Drivers\PxHelp20.sys [20640 2005-03-11] (Sonic Solutions) [File not signed]
S2 RadPciNT; C:\WINDOWS\system32\Drivers\RadPciNT.sys [9417 2000-04-24] (MediaForte Products Pte. Ltd.) [File not signed]
S3 Secdrv; C:\WINDOWS\System32\DRIVERS\secdrv.sys [27440 2002-12-31] ()
S3 SKYNET; C:\WINDOWS\System32\DRIVERS\SkyNET.SYS [349184 2006-03-13] (B2C2, Inc.) [File not signed]
S3 SliceDisk5; C:\Program Files\A-FF Find and Mount\slicedisk.sys [26192 2011-02-25] (Atola) [File not signed]
R0 speedfan; C:\WINDOWS\System32\speedfan.sys [5248 2006-09-24] (Windows ® 2000 DDK provider) [File not signed]
R1 Tcpip; C:\WINDOWS\System32\DRIVERS\tcpip.sys [359040 2009-06-28] (Microsoft Corporation) [File not signed]
R0 viamraid; C:\WINDOWS\System32\DRIVERS\viamraid.sys [60672 2004-07-06] (VIA Technologies inc,.ltd)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 CrystalSysInfo; \??\C:\Program Files\MediaCoder\SysInfo.sys [X]
S4 IntelIde; no ImagePath
U4 NVSvc; no ImagePath
U3 SCardDrv; no ImagePath
U4 uploadmgr; no ImagePath
S3 VBoxNetFlt; system32\DRIVERS\VBoxNetFlt.sys [X]
S3 vmci; \SystemRoot\system32\DRIVERS\vmci.sys [X]
S3 VMnetAdapter; system32\DRIVERS\vmnetadapter.sys [X]
S0 wgptk; System32\drivers\nfqida.sys [X]
S2 zmatfkbg; \??\C:\WINDOWS\system32\drivers\wwqca.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2027-11-27 04:34 - 2027-11-27 04:34 - 00000000 ____D C:\My Music
2027-11-27 03:14 - 2027-11-27 03:14 - 00000000 ____D C:\My PixAround
2027-11-27 03:12 - 2007-11-20 22:56 - 00000324 ____H C:\Config.sys
2027-11-27 02:57 - 2027-11-27 02:57 - 00000244 _____ C:\Config.ctl
2027-11-27 02:49 - 2027-11-27 02:49 - 00000000 ____D C:\My Documents
2027-11-27 02:47 - 2027-11-27 02:47 - 00140676 ___SH C:\SETUPLOG.OLD
2027-11-27 02:47 - 2027-11-27 02:47 - 00011195 ___SH C:\NETLOG.TXT
2016-11-01 00:27 - 2016-11-01 00:29 - 00000000 ____D C:\FRST
2016-10-31 23:49 - 2016-10-31 23:48 - 00098304 _____ C:\WINDOWS\Minidump\Mini103116-04.dmp
2016-10-31 23:36 - 2016-11-01 00:29 - 00000000 ____D C:\Documents and Settings\Administrator.UNIMATRIX001\Local Settings\temp
2016-10-31 23:36 - 2016-10-31 23:36 - 00014138 _____ C:\ComboFix2.txt
2016-10-31 23:36 - 2016-10-31 23:36 - 00000000 ____D C:\Documents and Settings\NetworkService\Local Settings\temp
2016-10-31 23:32 - 2016-10-31 23:34 - 00000000 _____ C:\WINDOWS\system32\last.dump
2016-10-31 20:37 - 2016-10-31 20:37 - 00000678 _____ C:\Documents and Settings\All Users\Desktop\Avast Free Antivirus.lnk
2016-10-31 20:36 - 2016-10-31 23:30 - 00000288 ____H C:\WINDOWS\Tasks\avast! Emergency Update.job
2016-10-31 20:35 - 2016-10-31 20:35 - 00334280 _____ (AVAST Software) C:\WINDOWS\system32\aswBoot.exe
2016-10-31 20:35 - 2016-10-31 20:35 - 00052184 _____ (AVAST Software) C:\WINDOWS\avastSS.scr
2016-10-31 20:31 - 2016-10-31 20:31 - 06334848 _____ (AVAST Software) C:\Documents and Settings\All Users\Desktop\avast_free_antivirus_setup_online.exe
2016-10-31 19:51 - 2016-10-31 19:51 - 00006228 _____ C:\Documents and Settings\Administrator.UNIMATRIX001\Desktop\MBRCheck_10.31.16_19.51.04.txt
2016-10-31 19:23 - 2016-10-31 19:29 - 00129566 _____ C:\TDSSKiller.3.1.0.11_31.10.2016_19.23.19_log.txt
2016-10-31 19:19 - 2016-10-31 19:19 - 00012273 _____ C:\ComboFix1.txt
2016-10-31 06:26 - 2016-10-31 06:29 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2016-10-31 06:24 - 2016-10-31 06:29 - 00000000 ____D C:\Documents and Settings\Administrator.UNIMATRIX001\Desktop\mbar
2016-10-31 02:51 - 2016-10-31 23:36 - 00000000 ____D C:\Qoobox
2016-10-31 02:51 - 2016-10-31 23:30 - 00000000 ____D C:\WINDOWS\erdnt
2016-10-31 02:51 - 2011-06-26 07:45 - 00256000 _____ C:\WINDOWS\PEV.exe
2016-10-31 02:51 - 2010-11-07 18:20 - 00208896 _____ C:\WINDOWS\MBR.exe
2016-10-31 02:51 - 2009-04-20 05:56 - 00060416 _____ (NirSoft) C:\WINDOWS\NIRCMD.exe
2016-10-31 02:51 - 2000-08-31 01:00 - 00518144 _____ (SteelWerX) C:\WINDOWS\SWREG.exe
2016-10-31 02:51 - 2000-08-31 01:00 - 00406528 _____ (SteelWerX) C:\WINDOWS\SWSC.exe
2016-10-31 02:51 - 2000-08-31 01:00 - 00212480 _____ (SteelWerX) C:\WINDOWS\SWXCACLS.exe
2016-10-31 02:51 - 2000-08-31 01:00 - 00098816 _____ C:\WINDOWS\sed.exe
2016-10-31 02:51 - 2000-08-31 01:00 - 00080412 _____ C:\WINDOWS\grep.exe
2016-10-31 02:51 - 2000-08-31 01:00 - 00068096 _____ C:\WINDOWS\zip.exe
2016-10-31 02:42 - 2016-10-31 02:42 - 00081920 _____ C:\WINDOWS\Minidump\Mini103116-03.dmp
2016-10-31 01:56 - 2016-10-31 06:26 - 00170200 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-10-31 01:56 - 2016-10-31 06:24 - 00121560 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2016-10-31 01:56 - 2016-10-31 01:56 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2016-10-31 01:56 - 2016-10-31 01:56 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2016-10-31 01:56 - 2016-10-31 01:56 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2016-10-31 01:56 - 2016-03-10 14:08 - 00024448 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2016-10-31 01:52 - 2016-10-31 01:53 - 00004396 _____ C:\Documents and Settings\Administrator.UNIMATRIX001\Desktop\Rkill.txt
2016-10-31 01:18 - 2016-10-31 01:18 - 00081920 _____ C:\WINDOWS\Minidump\Mini103116-02.dmp
2016-10-31 01:07 - 2016-10-31 01:07 - 00081920 _____ C:\WINDOWS\Minidump\Mini103116-01.dmp
2016-10-30 21:57 - 2016-10-30 21:57 - 00000000 __SHD C:\WINDOWS\CSC

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-11-01 00:29 - 2008-08-30 07:15 - 00000000 ____D C:\MyDokumenta2
2016-10-31 23:49 - 2013-12-19 23:19 - 01147000 _____ C:\WINDOWS\ntbtlog.txt
2016-10-31 23:49 - 2008-11-09 06:03 - 00000000 ____D C:\WINDOWS\Minidump
2016-10-31 23:33 - 2008-01-12 01:49 - 00458340 ____C C:\WINDOWS\system32\PerfStringBackup.INI
2016-10-31 23:30 - 2008-01-12 02:05 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-10-31 23:30 - 2008-01-12 02:05 - 00000000 __SHD C:\Documents and Settings\NetworkService
2016-10-31 23:30 - 2008-01-12 02:05 - 00000000 __SHD C:\Documents and Settings\LocalService
2016-10-31 23:30 - 2002-12-31 11:00 - 00000227 _____ C:\WINDOWS\system.ini
2016-10-31 23:28 - 2008-01-12 02:05 - 00000178 ___SH C:\Documents and Settings\Administrator.UNIMATRIX001\ntuser.ini
2016-10-31 23:19 - 2011-04-03 22:40 - 00001324 _____ C:\WINDOWS\system32\d3d9caps.dat
2016-10-31 20:36 - 2016-03-22 04:02 - 00224616 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswvmm.sys
2016-10-31 20:36 - 2008-01-12 01:29 - 00000000 ___HD C:\WINDOWS\inf
2016-10-31 20:35 - 2016-03-22 04:02 - 00815792 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswSnx.sys
2016-10-31 20:35 - 2016-03-22 04:02 - 00449640 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswSP.sys
2016-10-31 20:35 - 2016-03-22 04:02 - 00187208 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswStmXP.sys
2016-10-31 20:35 - 2016-03-22 04:02 - 00091168 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswMonFlt.sys
2016-10-31 20:35 - 2016-03-22 04:02 - 00067216 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswTdi.sys
2016-10-31 20:35 - 2016-03-22 04:02 - 00064272 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswRdr.sys
2016-10-31 20:35 - 2016-03-22 04:02 - 00058776 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswRvrt.sys
2016-10-31 20:35 - 2016-03-22 04:02 - 00032792 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswHwid.sys
2016-10-31 20:32 - 2016-03-23 00:48 - 00000000 ____D C:\Program Files\AVAST Software
2016-10-31 19:59 - 2008-12-29 20:40 - 01037821 _____ C:\WINDOWS\setupapi.log.0.old
2016-10-31 03:05 - 2008-01-12 01:45 - 00000000 ___HD C:\Documents and Settings\Default User
2016-10-31 02:59 - 2008-01-12 02:45 - 00262144 _____ C:\WINDOWS\system32\config\SECURITY.bak
2016-10-31 02:59 - 2008-01-12 02:45 - 00024576 _____ C:\WINDOWS\system32\config\SAM.bak
2016-10-31 02:59 - 2008-01-12 02:44 - 17825792 _____ C:\WINDOWS\system32\config\SOFTWARE.bak
2016-10-31 02:59 - 2008-01-12 02:44 - 06815744 _____ C:\WINDOWS\system32\config\SYSTEM.bak
2016-10-31 02:59 - 2008-01-12 02:44 - 00524288 _____ C:\WINDOWS\system32\config\DEFAULT.bak
2016-10-31 02:58 - 2009-07-18 21:33 - 00000000 ____D C:\Documents and Settings\Administrator.UNIMATRIX001\Local Settings\Application Data\Temp
2016-10-31 02:58 - 2008-12-29 18:34 - 00000000 ____D C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\IEPro
2016-10-31 02:58 - 2008-01-12 02:05 - 00000000 ____D C:\Documents and Settings\Administrator.UNIMATRIX001
2016-10-31 02:40 - 2008-01-12 01:29 - 00000000 ____D C:\WINDOWS\PeerNet
2016-10-31 02:39 - 2012-07-07 18:42 - 00000000 ____D C:\Program Files\Conduit
2016-10-31 01:47 - 2009-09-29 23:15 - 00000000 ____D C:\Program Files\SpeedFan
2016-10-31 01:23 - 2008-12-29 20:43 - 00001640 _____ C:\WINDOWS\I_VIEW32.INI
2016-10-30 21:53 - 2015-12-27 19:59 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Exploit
2016-10-30 21:52 - 2002-12-31 11:00 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl

==================== Files in the root of some directories =======

2008-01-12 21:19 - 2007-11-14 20:04 - 0037941 ____C () C:\Program Files\FLV_Extract.zip
2014-02-27 03:16 - 2014-02-27 03:16 - 0000000 _____ () C:\Program Files\GUT3A7.tmp
2008-12-30 17:40 - 2008-12-21 20:44 - 1379392 ____C () C:\Program Files\VirtualDub-1.8.7.zip
2009-08-01 16:57 - 2009-08-01 16:57 - 0000099 ____C () C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\MPUI.ini
2009-06-16 19:48 - 2016-03-09 01:36 - 63358644 ____C () C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\VideoReDo.Log
2009-06-24 22:32 - 2016-03-09 01:35 - 0000477 _____ () C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\VideoReDo.Vprj
2008-01-12 21:20 - 2016-05-02 01:50 - 0034816 _____ () C:\Documents and Settings\Administrator.UNIMATRIX001\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2009-07-18 00:35 - 2010-07-28 23:49 - 0000334 _____ () C:\Documents and Settings\Administrator.UNIMATRIX001\Local Settings\Application Data\magnifier.ini
2013-03-31 04:53 - 2013-05-02 03:19 - 0000436 _____ () C:\Documents and Settings\All Users\Application Data\LmeUSB.log
2013-03-31 04:53 - 2013-05-02 03:19 - 0000425 _____ () C:\Documents and Settings\All Users\Application Data\LmeZJSW.log
2013-03-31 04:53 - 2013-05-02 03:19 - 0000436 _____ () C:\Documents and Settings\All Users\Application Data\LSDmbTH.log
2009-08-04 05:03 - 2011-04-27 18:31 - 0001373 ____C () C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End of FRST.txt ============================

Attached Files





#2 i4004

  • Topic Starter

Posted 02 November 2016 - 08:56 PM

ok, some new developments here: tried another video card, worked a bit, then BSODs returned. put service pack 3 on, BSOD changed (0x0000007E).

tried to zero fill the hdd, no dice, seatools just says it "failed" (other than that the hdd doesn't show any signs of problems, no bad sectors, passes seatools' other tests, passes the hdd regenerator check, can erase MBR etc.)

 

took another hdd, loaded the above-mentioned disk image, and got to the desktop, but an hourglass symbol is all that's working. adjusted BIOS (was in AHCI mode, probably it defaults to it for a 'new' drive), disconnected the optical drive, reboot, and i finally have a working OS again.

 

now for the interesting twist and my guesstimate of what really happened here: there is a rootkit in that image i was restoring! i.e. the same rootkit that mbam found a few days ago.

[image: acronis_2016-11-03_002805_zps3picpo6c.jp]

 

but on its own this rootkit isn't crashing the system (after all that's a disk image from May this year and i used the pc the whole time), but when something damaged avast (perhaps lack of xp sp3, perhaps the rootkit itself, perhaps disk filesystem problems) all hell breaks loose and one can't remove avast (for example, one event viewer event:


Event Type:    Error
Event Source:    Service Control Manager
Event Category:    None
Event ID:    7026
Date:        2.11.2016
Time:        21:05:13
User:        N/A
Computer:    ASUS
Description:
The following boot-start or system-start driver(s) failed to load:
AsIO
aswRvrt
aswSnx
aswSP
aswVmm
ESProtectionDriver
Fips
intelppm

).

probably because half of avast was missing. tried "avastclear.exe" early on, just hangs.

 

avast is now not starting at all ("The Avast Antivirus service failed to start due to the following error:
The system cannot find the path specified.") so it's not partially damaged anymore, it's no more, so no BSODs. removed the rootkit with MBAM (again ;)), here's how frst looks now with a working system (i'll probably need to remove avast completely manually):

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 30-10-2016
Ran by izi-2 (administrator) on ASUS (03-11-2016 01:06:21)
Running from C:\MyDokumenta2\rootkit adventures2
Loaded Profiles: izi-2 (Available Profiles: izi-2)
Platform: Microsoft Windows XP Professional Service Pack 2 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel Corporation) C:\WINDOWS\system32\igfxsrvc.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe
(Intel Corporation) C:\WINDOWS\system32\hkcmd.exe
(Intel Corporation) C:\WINDOWS\system32\igfxpers.exe
(Realtek Semiconductor Corp.) C:\WINDOWS\RTHDCPL.EXE
() C:\PROGRA~1\SCROLL~1\MouseElf.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe
(Wacom Technology, Corp.) C:\WINDOWS\system32\Tablet.exe
(Hyperionics Technology LLC) C:\Program Files\FileBX\FileBX.exe
(Wacom Technology, Corp.) C:\WINDOWS\system32\WTablet\TabUserW.exe
(Wacom Technology, Corp.) C:\WINDOWS\system32\Tablet.exe
(Microsoft Corporation) C:\WINDOWS\system32\wscntfy.exe
(SAMSUNG) C:\Program Files\SEC\MagicTune 2.5\MagicTune.exe
(FastStone Soft) C:\Program Files\FastStone Capture\FSCapture.exe
(Mozilla Corporation) E:\Firefox40\firefox.exe


==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [KernelFaultCheck] => %systemroot%\system32\dumprep 0 -k
HKLM\...\Run: [RTHDCPL] => C:\WINDOWS\RTHDCPL.EXE [18077696 2008-12-23] (Realtek Semiconductor Corp.)
HKLM\...\Run: [Alcmtr] => C:\WINDOWS\ALCMTR.EXE [57344 2008-06-19] (Realtek Semiconductor Corp.)
HKLM\...\Run: [mouseElf] => C:\Program Files\Scroll Mouse\MouseElf.exe [438364 2005-12-16] ()
HKLM\...\Run: [NeroFilterCheck] => C:\WINDOWS\system32\NeroCheck.exe [155648 2001-07-09] (Ahead Software Gmbh)
HKLM\...\Run: [CanonMyPrinter] => C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2508104 2009-11-02] (CANON INC.)
HKLM\...\Run: [CanonSolutionMenu] => C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe [767312 2009-09-04] (CANON INC.)
HKLM\...\Run: [Malwarebytes Anti-Exploit] => C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe [2622432 2016-01-29] (Malwarebytes Corporation)
HKLM\...\Run: [vmware-tray] => D:\VMware\VMware Workstation\vmware-tray.exe
HKLM\...\Run: [AvastUI.exe] => "K:\##_NON_WD320 BAK_NEW STUFF_\aVaST_bleepBIG\AvastUI.exe" /nogui
HKLM\...\Policies\Explorer: [NoSharedDocuments] 1
HKLM\...\Policies\Explorer: [NoRemoteRecursiveEvents] 1
HKU\S-1-5-21-2000478354-73586283-725345543-500\...\Policies\Explorer: [NoSharedDocuments] 1
HKU\S-1-5-21-2000478354-73586283-725345543-500\...\Policies\Explorer: [NoSaveSettings] 0
HKU\S-1-5-21-2000478354-73586283-725345543-500\...\Policies\Explorer: [CDRAutoRun] 1
HKU\S-1-5-21-2000478354-73586283-725345543-500\...\Policies\Explorer: [NoDriveAutoRun] 0x60000000
HKU\S-1-5-21-2000478354-73586283-725345543-500\...\MountPoints2: C - AllwaySync'n'Go.exe -autorun
HKU\S-1-5-21-2000478354-73586283-725345543-500\...\MountPoints2: {a1000fe5-6a54-11e2-947a-001d607096c7} - G:\setupSNK.exe
HKU\S-1-5-21-2000478354-73586283-725345543-500\...\MountPoints2: {b922aea4-79e8-11de-825d-00d0d70bba5b} - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => K:\##_NON_WD320 BAK_NEW STUFF_\aVaST_bleepBIG\ashShell.dll No File
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\FileBox eXtender.lnk [2008-09-19]
ShortcutTarget: FileBox eXtender.lnk -> C:\Program Files\FileBX\FileBX.exe (Hyperionics Technology LLC)
BootExecute: autocheck autochk /p \??\O:autocheck autochk *

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\..\Interfaces\{755DDF4B-EB2F-4494-9B33-2930EC276CD9}: [NameServer] 195.29.166.116,195.29.166.117

Internet Explorer:
==================
HKU\S-1-5-21-2000478354-73586283-725345543-500\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://www.google.com/ie
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: FGCatchUrl -> {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} -> C:\Program Files\FlashGet\jccatch.dll [2007-08-06] (www.flashget.com)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> K:\##_NON_WD320 BAK_NEW STUFF_\aVaST_bleepBIG\aswWebRepIE.dll => No File
BHO: FlashGet GetFlash Class -> {F156768E-81EF-470C-9057-481BA8380DBA} -> C:\Program Files\FlashGet\getflash.dll [2007-05-18] (www.flashget.com)
Toolbar: HKU\S-1-5-21-2000478354-73586283-725345543-500 -> No Name - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} -  No File
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Mozilla\Firefox\Profiles\naef66wq.default-1454634362109 [2016-11-03]
FF Homepage: C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Mozilla\Firefox\Profiles\naef66wq.default-1454634362109 -> hxxps://www.google.com/?gfe_rd=cr&ei=lPezVsjnIMGH8QfyvZ-4DQ&gws_rd=ssl,cr&fg=1
FF NetworkProxy: C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Mozilla\Firefox\Profiles\naef66wq.default-1454634362109 -> type", 0
FF Extension: (YouTube™ Flash® Player) - C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Mozilla\Firefox\Profiles\naef66wq.default-1454634362109\Extensions\jid1-HAV2inXAnQPIeA@jetpack.xpi [2016-11-02]
FF Extension: (FlashGot) - C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Mozilla\Firefox\Profiles\naef66wq.default-1454634362109\Extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}.xpi [2016-03-18]
FF Extension: (Video DownloadHelper) - C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Mozilla\Firefox\Profiles\naef66wq.default-1454634362109\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi [2016-11-02]
FF Extension: (Adblock Plus) - C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Mozilla\Firefox\Profiles\naef66wq.default-1454634362109\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-11-02]
FF Extension: (DownThemAll!) - C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Mozilla\Firefox\Profiles\naef66wq.default-1454634362109\Extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}.xpi [2016-04-24]
FF ProfilePath: C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Moonchild Productions\Pale Moon\Profiles\1fuz2iew.default [2016-02-08]
FF DefaultSearchEngine: C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Moonchild Productions\Pale Moon\Profiles\1fuz2iew.default -> Google
FF SelectedSearchEngine: C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Moonchild Productions\Pale Moon\Profiles\1fuz2iew.default -> Google
FF Homepage: C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Moonchild Productions\Pale Moon\Profiles\1fuz2iew.default -> www.google.com
FF Extension: (Adblock Latitude) - C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Moonchild Productions\Pale Moon\Profiles\1fuz2iew.default\Extensions\{016acf6d-e5c0-4768-9376-3763d1ad1978}.xpi [2016-02-08] [not signed]
FF Extension: (DownloadHelper) - C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Moonchild Productions\Pale Moon\Profiles\1fuz2iew.default\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d} [2015-07-15]
FF ProfilePath: C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Broad Intelligence\XULPlayer\Profiles\xulplayer [2009-08-01]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - K:\##_NON_WD320 BAK_NEW STUFF_\aVaST_bleepBIG\WebRep\FF => not found
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_21_0_0_182.dll [2016-03-18] ()
FF Plugin: @java.com/DTPlugin,version=10.4.1 -> C:\WINDOWS\system32\npDeployJava1.dll [2012-04-04] (Oracle Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll [No File]
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll [No File]
FF Plugin: yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1 -> C:\Program Files\Mozilla Firefox\plugins\npyaxmpb.dll [2007-03-10] (Yahoo! Inc.)
FF Plugin HKU\S-1-5-21-2000478354-73586283-725345543-500: @tools.google.com/Google Update;version=3 -> C:\Documents and Settings\Administrator.UNIMATRIX001\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll [No File]
FF Plugin HKU\S-1-5-21-2000478354-73586283-725345543-500: @tools.google.com/Google Update;version=9 -> C:\Documents and Settings\Administrator.UNIMATRIX001\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll [No File]
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll [2008-06-11] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll [2010-06-05] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll [2010-06-05] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll [2010-06-05] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll [2010-06-05] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll [2010-06-05] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npyaxmpb.dll [2007-03-10] (Yahoo! Inc.)
StartMenuInternet: FIREFOX.EXE - E:\Firefox40\firefox.exe

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - K:\##_NON_WD320 BAK_NEW STUFF_\aVaST_bleepBIG\WebRep\Chrome\aswWebRepChrome.crx <not found>

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 MbaeSvc; C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe [740832 2016-01-29] (Malwarebytes Corporation)
R2 TabletService; C:\WINDOWS\system32\Tablet.exe [942080 2006-09-05] (Wacom Technology, Corp.) [File not signed]
S2 avast! Antivirus; "K:\##_NON_WD320 BAK_NEW STUFF_\aVaST_bleepBIG\AvastSvc.exe" [X]
S2 gupdate; "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files\Google\Update\GoogleUpdate.exe" /medsvc [X]
S3 rpcapd; "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini" [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 AsIO; C:\WINDOWS\System32\drivers\AsIO.sys [12664 2006-10-18] ()
R2 aswHwid; C:\WINDOWS\system32\drivers\aswHwid.sys [32792 2016-03-22] (AVAST Software)
R1 aswKbd; C:\WINDOWS\system32\drivers\aswKbd.sys [35096 2016-03-23] (AVAST Software)
R2 aswMonFlt; C:\WINDOWS\system32\drivers\aswMonFlt.sys [91168 2016-03-22] (AVAST Software)
R1 aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [64272 2016-03-22] (AVAST Software)
R0 aswRvrt; C:\WINDOWS\system32\Drivers\aswRvrt.sys [58776 2016-03-22] (AVAST Software)
R1 aswSnx; C:\WINDOWS\system32\drivers\aswSnx.sys [816304 2016-03-22] (AVAST Software)
R1 aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [447848 2016-03-22] (AVAST Software)
S3 aswStmXP; C:\WINDOWS\system32\drivers\aswStmXP.sys [171608 2016-03-22] (AVAST Software)
S3 aswTdi; C:\WINDOWS\system32\drivers\aswTdi.sys [67088 2016-03-22] (AVAST Software)
R0 aswVmm; C:\WINDOWS\system32\Drivers\aswVmm.sys [221240 2016-03-22] (AVAST Software)
R3 AtcL001; C:\WINDOWS\System32\DRIVERS\atl01_xp.sys [38656 2007-03-14] (Attansic Technology corporation.)
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2004-08-03] (Microsoft Corporation)
R2 DLPortIO; C:\WINDOWS\System32\DRIVERS\DLPortIO.sys [3584 1999-01-10] () [File not signed]
S3 DSDrv4; C:\Program Files\DScaler\DSDrv4.sys [8801 2005-12-18] () [File not signed]
S3 epmntdrv; C:\WINDOWS\system32\epmntdrv.sys [14944 2014-11-18] ()
R1 ESProtectionDriver; C:\Program Files\Malwarebytes Anti-Exploit\mbae.sys [50016 2016-01-29] ()
S3 EuGdiDrv; C:\WINDOWS\system32\EuGdiDrv.sys [10208 2014-11-18] ()
S3 FlyPCI; E:\Program Files\SlyDiman\SlyControl2\FlyPCI.sys [4134 2003-10-10] () [File not signed]
R3 genmcmnUSB; C:\WINDOWS\System32\DRIVERS\gflmouhid.sys [6656 2004-04-19] ()
R0 giveio; C:\WINDOWS\System32\giveio.sys [5248 1996-04-03] () [File not signed]
S3 IT9135BDA; C:\WINDOWS\System32\Drivers\IT9135BDA.sys [145280 2011-10-19] (ITE                      )
R3 LVCap138; C:\WINDOWS\System32\DRIVERS\tvcap.sys [301568 2004-10-27] (Philips) [File not signed]
R3 lvtuner; C:\WINDOWS\System32\DRIVERS\lvtuner.sys [14464 2004-10-20] (Animation Technologies Inc.) [File not signed]
R1 MagicTune; C:\WINDOWS\system32\drivers\MTictwl.sys [12062 2004-10-11] () [File not signed]
S3 MPE; C:\WINDOWS\System32\DRIVERS\MPE.sys [15360 2004-08-03] (Microsoft Corporation)
R3 MTsensor; C:\WINDOWS\System32\DRIVERS\ASACPI.sys [5810 2004-08-13] ()
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2004-08-03] (Microsoft Corporation)
S3 nm; C:\WINDOWS\System32\DRIVERS\NMnt.sys [40320 2002-12-31] (Microsoft Corporation)
S3 NPF; C:\WINDOWS\System32\drivers\npf.sys [35088 2010-06-25] (CACE Technologies, Inc.)
S3 pwdrvio; C:\WINDOWS\system32\pwdrvio.sys [15688 2013-09-30] ()
S3 pwdspio; C:\WINDOWS\system32\pwdspio.sys [10320 2013-09-30] ()
R0 PxHelp20; C:\WINDOWS\System32\Drivers\PxHelp20.sys [20640 2005-03-11] (Sonic Solutions) [File not signed]
S2 RadPciNT; C:\WINDOWS\system32\Drivers\RadPciNT.sys [9417 2000-04-24] (MediaForte Products Pte. Ltd.) [File not signed]
S3 Secdrv; C:\WINDOWS\System32\DRIVERS\secdrv.sys [27440 2002-12-31] ()
S3 SKYNET; C:\WINDOWS\System32\DRIVERS\SkyNET.SYS [349184 2006-03-13] (B2C2, Inc.) [File not signed]
S3 SliceDisk5; C:\Program Files\A-FF Find and Mount\slicedisk.sys [26192 2011-02-25] (Atola) [File not signed]
R0 speedfan; C:\WINDOWS\System32\speedfan.sys [5248 2006-09-24] (Windows ® 2000 DDK provider) [File not signed]
R1 Tcpip; C:\WINDOWS\System32\DRIVERS\tcpip.sys [359040 2009-06-28] (Microsoft Corporation) [File not signed]
R0 viamraid; C:\WINDOWS\System32\DRIVERS\viamraid.sys [60672 2004-07-06] (VIA Technologies inc,.ltd)
S3 CrystalSysInfo; \??\C:\Program Files\MediaCoder\SysInfo.sys [X]
S4 IntelIde; no ImagePath
U4 NVSvc; no ImagePath
U3 SCardDrv; no ImagePath
U4 uploadmgr; no ImagePath
S3 VBoxNetFlt; system32\DRIVERS\VBoxNetFlt.sys [X]
S3 vmci; \SystemRoot\system32\DRIVERS\vmci.sys [X]
S3 VMnetAdapter; system32\DRIVERS\vmnetadapter.sys [X]
S2 zmatfkbg; \??\C:\WINDOWS\system32\drivers\wwqca.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2027-11-27 04:34 - 2027-11-27 04:34 - 00000000 ____D C:\My Music
2027-11-27 03:16 - 2027-11-27 03:16 - 00000000 __SHD C:\RECYCLED
2027-11-27 03:14 - 2027-11-27 03:14 - 00000000 ____D C:\My PixAround
2027-11-27 03:12 - 2007-11-20 22:56 - 00000324 ____H C:\Config.sys
2027-11-27 02:57 - 2027-11-27 02:57 - 00000244 _____ C:\Config.ctl
2027-11-27 02:49 - 2027-11-27 02:49 - 00000000 ____D C:\My Documents
2027-11-27 02:47 - 2027-11-27 02:47 - 00140676 ___SH C:\SETUPLOG.OLD
2027-11-27 02:47 - 2027-11-27 02:47 - 00011195 ___SH C:\NETLOG.TXT
2016-11-03 01:06 - 2016-11-03 01:06 - 00000000 ____D C:\FRST
2016-11-03 00:01 - 2016-11-03 00:01 - 00020230 _____ C:\Archive.rar
2016-11-02 23:44 - 2016-11-02 23:45 - 00170200 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-11-02 23:44 - 2016-11-02 23:44 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2016-11-02 23:44 - 2016-11-02 23:44 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2016-11-02 23:44 - 2016-11-02 23:44 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2016-11-02 23:44 - 2016-03-10 14:09 - 00123264 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2016-11-02 23:44 - 2016-03-10 14:08 - 00024448 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2016-11-02 22:58 - 2016-11-02 22:58 - 00000000 __SHD C:\WINDOWS\CSC

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-11-03 01:06 - 2011-09-28 17:49 - 00000000 ____D C:\Documents and Settings\Administrator.UNIMATRIX001\Local Settings\Temp
2016-11-03 00:58 - 2008-08-30 07:15 - 00000000 ____D C:\MyDokumenta2
2016-11-03 00:29 - 2008-12-29 20:43 - 00001652 _____ C:\WINDOWS\I_VIEW32.INI
2016-11-03 00:23 - 2016-03-22 04:02 - 00000330 ____H C:\WINDOWS\Tasks\avast! Emergency Update.job
2016-11-03 00:23 - 2008-01-12 02:13 - 00000000 ____D C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\WTablet
2016-11-03 00:23 - 2008-01-12 02:05 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-11-03 00:15 - 2008-01-12 02:05 - 00032442 _____ C:\WINDOWS\SchedLgU.Txt
2016-11-03 00:15 - 2008-01-12 02:05 - 00000178 ___SH C:\Documents and Settings\Administrator.UNIMATRIX001\ntuser.ini
2016-11-02 23:02 - 2013-12-19 23:19 - 00527856 _____ C:\WINDOWS\ntbtlog.txt
2016-11-02 22:49 - 2008-01-12 01:49 - 00458340 ____C C:\WINDOWS\system32\PerfStringBackup.INI
2016-11-02 22:48 - 2015-12-27 19:59 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Exploit
2016-11-02 22:47 - 2002-12-31 11:00 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl

==================== Files in the root of some directories =======

2008-01-12 21:19 - 2007-11-14 20:04 - 0037941 ____C () C:\Program Files\FLV_Extract.zip
2014-02-27 03:16 - 2014-02-27 03:16 - 0000000 _____ () C:\Program Files\GUT3A7.tmp
2008-12-30 17:40 - 2008-12-21 20:44 - 1379392 ____C () C:\Program Files\VirtualDub-1.8.7.zip
2009-08-01 16:57 - 2009-08-01 16:57 - 0000099 ____C () C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\MPUI.ini
2009-06-16 19:48 - 2016-03-09 01:36 - 63358644 ____C () C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\VideoReDo.Log
2009-06-24 22:32 - 2016-03-09 01:35 - 0000477 _____ () C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\VideoReDo.Vprj
2008-01-12 21:20 - 2016-05-02 01:50 - 0034816 _____ () C:\Documents and Settings\Administrator.UNIMATRIX001\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2009-07-18 00:35 - 2010-07-28 23:49 - 0000334 _____ () C:\Documents and Settings\Administrator.UNIMATRIX001\Local Settings\Application Data\magnifier.ini
2013-03-31 04:53 - 2013-05-02 03:19 - 0000436 _____ () C:\Documents and Settings\All Users\Application Data\LmeUSB.log
2013-03-31 04:53 - 2013-05-02 03:19 - 0000425 _____ () C:\Documents and Settings\All Users\Application Data\LmeZJSW.log
2013-03-31 04:53 - 2013-05-02 03:19 - 0000436 _____ () C:\Documents and Settings\All Users\Application Data\LSDmbTH.log
2009-08-04 05:03 - 2011-04-27 18:31 - 0001373 ____C () C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End of FRST.txt ============================

Attached Files


Edited by i4004, 02 November 2016 - 09:00 PM.
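The two artefacts posted above, the Service Control Manager event 7026 and the FRST "Drivers" section, are what a responder works from when deciding whether boot-time driver failures come from a half-removed antivirus or from the rootkit itself. The following Python is an added example, not code from this thread or from the FRST tool. It parses constructed sample lines in the same two formats (a hand-picked subset modelled on the log above, not the full logs), flags driver entries worth a first look (auto-start drivers whose file is gone, boot/system-start drivers with no publisher, service or file names that look machine-generated like the `zmatfkbg` / `wwqca.sys` entry), and cross-references the 7026 failed-to-load list with what FRST saw on disk. The `looks_random` heuristic and its thresholds are assumptions of this example, not an FRST rule, and the result is a triage list, not a verdict.

```python
import re

# Constructed sample input for this example, modelled on the Event ID 7026
# record and the FRST "Drivers (Whitelisted)" section posted in the thread.
# It is a hand-picked subset, not the full logs.
EVENT_7026 = """\
Event Type:    Error
Event Source:    Service Control Manager
Event ID:    7026
Description:
The following boot-start or system-start driver(s) failed to load:
AsIO
aswRvrt
aswSP
intelppm
"""

FRST_DRIVERS = r"""
R1 AsIO; C:\WINDOWS\System32\drivers\AsIO.sys [12664 2006-10-18] ()
R0 aswRvrt; C:\WINDOWS\system32\Drivers\aswRvrt.sys [58776 2016-03-22] (AVAST Software)
R1 aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [447848 2016-03-22] (AVAST Software)
R1 Tcpip; C:\WINDOWS\System32\DRIVERS\tcpip.sys [359040 2009-06-28] (Microsoft Corporation) [File not signed]
S4 IntelIde; no ImagePath
S2 zmatfkbg; \??\C:\WINDOWS\system32\drivers\wwqca.sys [X]
"""

# One FRST driver line: state letter, Start value, service name, then the rest.
DRIVER_RE = re.compile(r"^(?P<state>[RSU])(?P<start>\d) (?P<name>[^;]+); (?P<rest>.*)$")

VOWELS = set("aeiouy")


def parse_frst_drivers(text):
    """Parse FRST driver lines into a dict keyed by lower-cased service name."""
    drivers = {}
    for raw in text.splitlines():
        m = DRIVER_RE.match(raw.strip())
        if m is None:
            continue
        rest = m.group("rest")
        entry = {
            "name": m.group("name"),
            "state": m.group("state"),       # FRST letter code: R running, S stopped
            "start": int(m.group("start")),  # Windows Start value: 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
            "path": None,
            "signer": None,
            "file_missing": rest.endswith("[X]"),
            "no_imagepath": rest == "no ImagePath",
            "unsigned": "[File not signed]" in rest,
        }
        if not entry["no_imagepath"]:
            entry["path"] = rest.split(" [", 1)[0]
        sig = re.search(r"\(([^)]*)\)", rest)
        if sig is not None:
            entry["signer"] = sig.group(1).strip() or None  # "()" means FRST found no publisher
        drivers[entry["name"].lower()] = entry
    return drivers


def looks_random(name):
    """Heuristic (an assumption of this example, not an FRST rule): 7+ letters,
    all lower case, fewer than a quarter of them vowels, e.g. 'zmatfkbg'."""
    if len(name) < 7 or not name.isalpha() or not name.islower():
        return False
    return sum(c in VOWELS for c in name) / len(name) < 0.25


def triage_drivers(drivers):
    """Return {service name: [reasons]} for entries a responder should look at first."""
    findings = {}
    for entry in drivers.values():
        reasons = []
        if entry["file_missing"] and entry["start"] <= 2:
            reasons.append("auto/system/boot-start driver whose file is missing on disk ([X])")
        if entry["path"] and not entry["file_missing"] and entry["signer"] is None and entry["start"] <= 1:
            reasons.append("boot/system-start driver with no publisher in FRST's output")
        if looks_random(entry["name"]):
            reasons.append("service name looks machine-generated")
        if entry["path"]:
            base = entry["path"].rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if looks_random(base):
                reasons.append("file name looks machine-generated")
        if reasons:
            findings[entry["name"]] = reasons
    return findings


def explain_event_7026(event_text, drivers):
    """Cross-reference the 7026 failed-to-load list with what FRST saw on disk."""
    names, collecting = [], False
    for line in event_text.splitlines():
        if line.startswith("The following boot-start or system-start driver(s) failed to load:"):
            collecting = True
            continue
        if collecting:
            if not line.strip():
                break
            names.append(line.strip())
    verdicts = {}
    for name in names:
        entry = drivers.get(name.lower())
        if entry is None:
            verdicts[name] = "not in the FRST driver list (no such service on this scan)"
        elif entry["file_missing"]:
            verdicts[name] = "file missing: " + entry["path"]
        else:
            verdicts[name] = "file present (%s); the load failure is not a missing file" % (entry["signer"] or "no publisher")
    return verdicts


if __name__ == "__main__":
    drv = parse_frst_drivers(FRST_DRIVERS)
    for name, reasons in triage_drivers(drv).items():
        print(name, "->", "; ".join(reasons))
    for name, verdict in explain_event_7026(EVENT_7026, drv).items():
        print("7026:", name, "->", verdict)
```

Run stand-alone it lists `zmatfkbg` (missing file, machine-generated name) and `AsIO` (system-start, no publisher) as first-look items, and for the 7026 list it separates drivers whose file FRST still sees (a damaged or blocked load, which fits the "half of avast was missing" theory only if the file is present but broken) from drivers with no file at all. To use it on real output, paste the whole "Drivers (Whitelisted)" section into `FRST_DRIVERS` and the event's Description text into `EVENT_7026`.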


#3 i4004

i4004
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:11 AM

Posted 03 November 2016 - 06:48 PM

to end this saga: i tried to zero-fill the old drive once again, this time successfully with an older version of seatools for dos, copied the disk image to it, and guess what, BSODs came back.


so scrap all of the above, it was a failing hdd issue, purely a hardware problem.

in all my time fixing pcs i've never seen anything like this case, usually one can recognize failing drive by event viewer in win, SMART parameters, hdd test programs, CHKDSK etc.

not so here. although STOP:0x000000F4 BSOD is usually connected to hdd subsystem of pc (ie cables, hdd or controller), i was also getting other BSODs (last one was C0000145) and old disk passed all tests without problems. i've left it (removed from machine) with STOP: c000021a BSOD, and that one has nothing to do with hardware at all.

 

but there you go, the best test for a hardware component is to swap it for a known good piece.

 

this thread now belongs in hardware section of the forum.

 

cheers



#4 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,696 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:11 AM

Posted 05 November 2016 - 07:35 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/631040 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#5 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,696 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:11 AM

Posted 05 November 2016 - 09:19 PM

You have stated that you no longer need help with this issue, therefore I am closing this topic. If that is not the case and you need or wish to continue with this topic, please send any Moderator a Personal Message (PM) that you would like this topic re-opened.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!


#6 Al1000

Al1000

  • Global Moderator
  • 7,692 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:09:11 AM

Posted 17 November 2016 - 12:19 AM

Topic reopened at OP's request



#7 i4004

i4004
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:11 AM

Posted 18 November 2016 - 05:07 PM

BSOD originally mentioned ( STOP: c000021a {Fatal system error} Windows subsystem system process terminated unexpectedly with a status of 0x0000005...... ) reappeared again ( :mellow: ).

 

yeap, it did, and it was present at every boot. so i started reading about it again (mostly re-reading, frankly)....found a thread (on thg uk) that mentions a faulty monitor as the cause of 021a and 0F4 BSODs, both of which i originally had, but no dice, i have STOP: c000021a with a different monitor too.

 

so i revisited this

http://www.bleepingcomputer.com/forums/t/230326/crash-to-stop-c000021a-fatal-system-error/?p=1301690

and i re-read this

http://www.updatexp.com/0xC0000005.html

namely this part:

 

0xC0000005 - Resolution Suggestion Two:

In Windows XP Service Pack 2 Microsoft introduced Data execution prevention (DEP), a set of hardware and software technologies that perform additional checks on memory to help protect against malicious code exploits. In Windows XP SP2, DEP is enforced by both hardware and software.

Some software/application behaviours are incompatible with DEP - data execution prevention. Applications which perform dynamic code generation (such as Just-In-Time code generation) and that do not explicitly mark generated code with Execute permission might have compatibility issues with data execution prevention. Applications which are not built with SafeSEH must have their exception handlers located in executable memory regions.

 

 

and i remembered i have "Malwarebytes Anti-Exploit" (MBAE) installed and some of its options mention DEP things. uninstalled it (from safe mode) and then pc booted normally.

now to try few explanations: windows 2000 is working because it doesn't have MBAE installed. safe mode is working because it doesn't load MBAE. if i was to install linux it would also probably work, because there would be no MBAE installed.

this program is set to update automatically, so a particular update probably has a bug that affects XP.

another thing: i have MBAE installed on another machine (XP, Home version) and there are no problems there. that machine doesn't have avast installed. i uninstalled avast from there because it was slowing internet traffic to a standstill. so i feel avast interacts in some way with MBAE.

 

i will probably now put back the old disk, and clone this one to it.

 

this will probably be the end of this BSOD, but if it reappears, i will reopen the thread again and troubleshoot it, the machine will not win, i will!  :thumbup2: 


Edited by i4004, 18 November 2016 - 05:14 PM.




