a very sick computerSolved/Closed

Question

Hello, 



Configuration: Windows XP / Chrome 23.0.1271.64


Hi, I am new here and I need a very big help. I have been searching for a solution to my problem. My computer is very sick and it needs a serious help. I don't have big knowledge about computers so please be patient with me. First, my computer is slow so I have removed some files in C/ and transferred it to D/ now I have like 10 gb free space. My computer is so lucky to have the killer BSOD, then followed by unmountable boot volume. I have tried chkdsk/r but with no success I guess cause it never reached 100 percent and it ran for like almost two days... now I have my computer working with a very slow speed, as of the moment BSOD didn't appear yet and I hope it will just disappear and will never bug me anymore. Anyhow, I noticed that the sound of my computer is not normal anymore after I have ran the chkdsk. The audio is like, a person gargling.... please help me... I am so desperate.... help please. Thanks.

Ambucias · Answer

To help you and prescribe the remedy, I must make a diagnostic and to do so, I require a system log. 

1. Open this link and download ZHPDiag2 : 

https://www.zebulon.fr/telechargements/securite/systeme/zhpdiag.html 

(Don't be alarmed is the site is in French, it sometimes happens, the tool will take your system language and allow the download if you get a warning message. Once installed, click on the "hardhat" icon, it allows to change the language.)

2. Save the file on your Desktop. 

3. Double click on ZHPDiag.exe and follow the installation instructions. 

the tool creates three icons ZHPDiag, MRB, and ZHPFix (If necessary,we will use ZHPFix at the next step). 

4. Double click on the short cut ZHPDiag on your Destktop. 

5. Click on the screwdriver icon and ensure all of the items are checked.

6. Click on the Magnifying glass and run the analysys. 

Wait for the tool to finished (maybe a long time) 

7. Close ZHPDiag. 

8. To transmit the report, click on this link : 

https://authentification.site 

9. Click on Parcourir and search the directory where you installed ZHPDiag (usually C:\desktop\zhpdiag.txt). 

10. Select the file ZHPDiag.txt. 

11. Click on "upload » 

12. Copy the url and post it here.

Best regards

Ambucias
Moderator /Security Contributor

bcn101 · Answer

Hi Ambucias, 

thank you very much for the very quick reply. I have followed your instruction and have also downloaded zhp, I clicked it and have it running till it stopped in 43 % of the process. I tried it running thrice but to no success. Microsoft asked me to send a report and it gives me the following:

and the error report :

C:\DOCUME~1\Dewagede\LOCALS~1\Temp\WER21e3.dir00\ZHPDiag.exe.mdmp
C:\DOCUME~1\Dewagede\LOCALS~1\Temp\WER21e3.dir00\appcompat.txt





error signature : 
szAppName : ZHPDiag.exe     szAppVer : 1.3.1.39     szModName : hungapp     
szModVer : 0.0.0.0     offset : 00000000 




am I in big trouble?



thanks.

Ambucias · Answer

Big trouble you say, not really, at least for now.  I should be able to tell you if and when you are in trouble.

You may have a virus which prevents diagnostic tools from running.

What is your operating system?

What is the make and model of your machine?

1. Complete remove ZHP Diag from your computer. (I trust you know how to do that)

2. Boot your machine in safe mode with networking.

3. Download ZHP Diag again. 

4. Once on your desktop, change ZHP Diag's icon name to Kioskea.exe.

5. Launch ZHP Diag's installation.

6. Follow the instructions I gave you for the rest of the procedure.

Catch you later.

bcn101 · Answer

Ambucias, Hi, I did everything under safe mode networking. Btw, here is the link of the report : download link : http://speedy.sh/vsMcB/ZHPDiag.txt forum link : [code]http://speedy.sh/vsMcB/ZHPDiag.txt/code HTML link : Download at SpeedyShare sorry, posted it all just to be sure. thanks again and ill be waiting for your response. more powers!

Ambucias · Answer

Got it!  Please stand-by.

Ambucias · Answer

Hi Josh 

1. Your log reveals viruses: 

-Babylon Toolbar 
-Adware agent 
-Adware Hotbar 
-Click potato 
-Spyware Soft 2pc 
-Adware BHO 
-Infection PUP Offer box 
-Infection Dealo 
-Infection Try Media 
-Rogue Trojan Horse (RegGenie) 

2. Your disk is in good order 

3. You must update your Internet Explorer 

4. You should empty the following folder: C:\WINDOWS\Prefetch 

5.  Most all of the malware on your computer came with downloads through Limewire and eMule.  Limewire is infested with malware and so is eMule. 

6. Avast offers limited protection for your machine. 

7. If you get rid of the malware presently in your machine, you should be able to nurse back to health. 

8. On your desktop, ZHP Diag created an icon ZHP Fix.  Open ZHP fix. 

9. Copy and paste the following lines in the main window and then click GO.  Once you are done, close ZHP Fix 

[HKLM\Software\Application Updater]    [HKLM\Software\Freeze.com]     
[HKLM\Software\Search Settings]     
[HKLM\Software\Trymedia Systems]     
O43 - CFD: 3/9/2012 - 8:36:50 PM - [0.000] ----D C:\Program Files\Application Updater    
O43 - CFD: 10/20/2012 - 6:52:42 PM - [0.002] ----D C:\Program Files\RegGenie     
O43 - CFD: 3/4/2012 - 9:29:50 AM - [0.037] ----D C:\Program Files\Common Files\Spigot     
O43 - CFD: 12/5/2005 - 2:26:13 PM - [0] ----D C:\Documents and Settings\All Users\Favorites     
[HKLM\Software\Classes\TypeLib\{09C554C3-109B-483C-A06B-F14172F1A947}]     
[HKLM\Software\Classes\CLSID\{26c9e18c-3717-4be1-a225-04e4471f5b6e}]     
[HKLM\Software\Classes\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}]     
[HKLM\Software\Classes\Interface\{30B15818-E110-4527-9C05-46ACE5A3460D}]     
[HKLM\Software\Classes\Interface\{618aad04-921f-44c2-be38-c0818af69861}]     
[HKLM\Software\Classes\Interface\{b5d2ed96-62f9-4c2c-956d-e425b1f67337}]     
[HKLM\Software\Classes\Interface\{BCFF5F55-6F44-11D2-86F8-00104B265ED5}]     
[HKLM\Software\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}]     
[HKLM\Software\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}]     
[HKLM\Software\Classes\Interface\{d3a412e8-1e4b-47d2-9b12-f88291f5afbb}]     
[HKLM\Software\Classes\CLSID\{E46C8196-B634-44a1-AF6E-957C64278AB1}]    
[HKLM\Software\Google\Chrome\Extensions\bjeikeheijdjdfjbmknpefojickbkmom]    
[HKLM\Software\Application Updater]    
[HKLM\Software\freeze.com]     
[HKLM\Software\Search Settings]  
[HKLM\Software\Trymedia Systems]   
C:\Program Files\Application Updater     
C:\Program Files\Common Files\Spigot   

10. You have a copy of Malwarebyte.  Do not use it but do the following: 

  Download, install and run Malwarebyte which you can find on this site:  

https://ccm.net/downloads/security-and-maintenance/4621-malwarebytes-anti-malware/ es-anti-malware  

Ensure you make an update. 

Boot your computer in safemode 

Please request a FULL system scan, which may take from 20 minutes to hours.  Do not interfere no matter how long in takes.  The creators of Malwarebyte recommend that while the tool is running that you go do something else, such as watching a rerun of Gone with the Wind or read Tolstoy's War and Peace. 

If Malwarebyte restarts your system, launch it again to finish the Full scan.  

When the scan is completed, delete all items found. 

Once your computer is clean and working normally just to be on the safe side  
*Turn off system restore and wait 30 seconds,  
*Turn it back on and create a new restore point.  

This way it gets rid of anything bad that might have gotten saved in a restore point and you have a clean restore point to use in the near future if needed.  
Do not turn it off until your computer is clean and working normally because you might need to use it if something goes wrong during the clean-up process.  
It is better to go back to an infected restore point if something goes wrong then to not be able to undo changes that were damaging. 

11. Delete the ZHP Diag log, rerun ZHP Diag and upload the new log on Speedyshare.  I wish to ensure we got rid of the Trojan Horse. 

Good luck

bcn101 · Answer

Hi ambucias, I have opened zhpfix but there's no "go" button. ls there like any other button that u should click....?

Ambucias · Answer

Once you have copied the lines, click on the second icon, the one beside the camera.  The lines will be pasted.  You will then see the Go button appear.

bcn101 · Answer

hi ambucias, I dont know if I did it correctly but, when I ran the malware set up a black box appeared and  gave me the ff report :

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:			
Windows Version:		Windows XP Home Edition
Windows Information:		Service Pack 3 (build 2600)
Logical Drives Mask:		0x0000003c

Kernel Drivers (total 141):
  0x804D7000 \WINDOWS\system32
tkrnlpa.exe
  0x806D1000 \WINDOWS\system32\hal.dll
  0xF7AFE000 \WINDOWS\system32\KDCOM.DLL
  0xF7A0E000 \WINDOWS\system32\BOOTVID.dll
  0xF74CF000 ACPI.sys
  0xF7B00000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
  0xF74BE000 pci.sys
  0xF75FE000 isapnp.sys
  0xF760E000 ohci1394.sys
  0xF761E000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
  0xF7A12000 compbatt.sys
  0xF7A16000 \WINDOWS\system32\DRIVERS\BATTC.SYS
  0xF7BC6000 pciide.sys
  0xF787E000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
  0xF7B02000 intelide.sys
  0xF74A0000 pcmcia.sys
  0xF762E000 MountMgr.sys
  0xF7481000 ftdisk.sys
  0xF7A1A000 ACPIEC.sys
  0xF7BC7000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
  0xF7886000 PartMgr.sys
  0xF763E000 VolSnap.sys
  0xF7469000 atapi.sys
  0xF764E000 disk.sys
  0xF765E000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
  0xF7449000 fltmgr.sys
  0xF7437000 sr.sys
  0xF766E000 PxHelp20.sys
  0xF7420000 KSecDD.sys
  0xF740D000 WudfPf.sys
  0xF7380000 Ntfs.sys
  0xF7353000 NDIS.sys
  0xF7339000 Mup.sys
  0xF777E000 \SystemRoot\system32\DRIVERS\intelppm.sys
  0xF7AAA000 \SystemRoot\system32\DRIVERS\CmBatt.sys
  0xF6D4A000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
  0xF6D36000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
  0xF6D0E000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
  0xF78C6000 \SystemRoot\system32\DRIVERS\usbuhci.sys
  0xF6CEA000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
  0xF78CE000 \SystemRoot\system32\DRIVERS\usbehci.sys
  0xF6CD7000 \SystemRoot\system32\DRIVERS\Rtlnicxp.sys
  0xF778E000 \SystemRoot\system32\DRIVERS
ic1394.sys
  0xF6CBA000 \SystemRoot\system32\drivers	ifmsony.sys
  0xF6A9C000 \SystemRoot\system32\DRIVERS\w29n51.sys
  0xF78D6000 \SystemRoot\System32\Drivers\SonyNC.sys
  0xF779E000 \SystemRoot\system32\DRIVERS\i8042prt.sys
  0xF78DE000 \SystemRoot\system32\DRIVERS\kbdclass.sys
  0xF6A82000 \SystemRoot\system32\DRIVERS\Apfiltr.sys
  0xF78E6000 \SystemRoot\system32\DRIVERS\mouclass.sys
  0xF77AE000 \SystemRoot\system32\DRIVERS\imapi.sys
  0xF6EDB000 \SystemRoot\system32\DRIVERS\cdrom.sys
  0xF6ECB000 \SystemRoot\system32\DRIVERSedbook.sys
  0xF6A5F000 \SystemRoot\system32\DRIVERS\ks.sys
  0xF7D31000 \SystemRoot\system32\DRIVERS\audstub.sys
  0xF7B56000 \SystemRoot\System32\Drivers\RootMdm.sys
  0xF78EE000 \SystemRoot\System32\Drivers\Modem.SYS
  0xF6EBB000 \SystemRoot\system32\DRIVERSasl2tp.sys
  0xF7ABA000 \SystemRoot\system32\DRIVERS
distapi.sys
  0xF6A48000 \SystemRoot\system32\DRIVERS
diswan.sys
  0xF6EAB000 \SystemRoot\system32\DRIVERSaspppoe.sys
  0xF6E9B000 \SystemRoot\system32\DRIVERSaspptp.sys
  0xF78F6000 \SystemRoot\system32\DRIVERS\TDI.SYS
  0xF6A37000 \SystemRoot\system32\DRIVERS\psched.sys
  0xF6E8B000 \SystemRoot\system32\DRIVERS\msgpc.sys
  0xF78FE000 \SystemRoot\system32\DRIVERS\ptilink.sys
  0xF7906000 \SystemRoot\system32\DRIVERSaspti.sys
  0xF6E7B000 \SystemRoot\System32\Drivers\pcouffin.sys
  0xF790E000 \SystemRoot\system32\DRIVERS\RimSerial.sys
  0xF6E6B000 \SystemRoot\system32\DRIVERS	ermdd.sys
  0xF7B58000 \SystemRoot\system32\DRIVERS\swenum.sys
  0xF69B1000 \SystemRoot\system32\DRIVERS\update.sys
  0xF7ACA000 \SystemRoot\system32\DRIVERS\mssmbios.sys
  0xF6E5B000 \SystemRoot\System32\Drivers\NDProxy.SYS
  0xAA09C000 \SystemRoot\system32\drivers\RtkHDAud.sys
  0xAA078000 \SystemRoot\system32\drivers\portcls.sys
  0xF77DE000 \SystemRoot\system32\drivers\drmk.sys
  0xAA046000 \SystemRoot\system32\DRIVERS\HSFHWAZL.sys
  0xA9F52000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys
  0xA9EA1000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
  0xF786E000 \SystemRoot\system32\DRIVERS\usbhub.sys
  0xF7B8E000 \SystemRoot\system32\DRIVERS\USBD.SYS
  0xF7B90000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
  0xF7CA6000 \SystemRoot\System32\Drivers\Null.SYS
  0xF7B92000 \SystemRoot\System32\Drivers\Beep.SYS
  0xF79CE000 \SystemRoot\System32\drivers\vga.sys
  0xF7B94000 \SystemRoot\System32\Drivers\mnmdd.SYS
  0xF7B96000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
  0xF79FE000 \SystemRoot\System32\Drivers\Msfs.SYS
  0xF7996000 \SystemRoot\System32\Drivers\Npfs.SYS
  0xF7A9A000 \SystemRoot\system32\DRIVERSasacd.sys
  0xA8C87000 \SystemRoot\system32\DRIVERS\ipsec.sys
  0xA8C2E000 \SystemRoot\system32\DRIVERS	cpip.sys
  0xF768E000 \SystemRoot\System32\Drivers\aswTdi.SYS
  0xA8C06000 \SystemRoot\system32\DRIVERS
etbt.sys
  0xF79BE000 \SystemRoot\System32\Drivers\aswRdr.SYS
  0xF7AA6000 \SystemRoot\System32\drivers\ws2ifsl.sys
  0xA8BE4000 \SystemRoot\System32\drivers\afd.sys
  0xF76FE000 \SystemRoot\system32\DRIVERS
etbios.sys
  0xA8BB9000 \SystemRoot\system32\DRIVERSdbss.sys
  0xA8B49000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
  0xF771E000 \SystemRoot\System32\Drivers\Fips.SYS
  0xA8B23000 \SystemRoot\system32\DRIVERS\ipnat.sys
  0xF772E000 \SystemRoot\system32\DRIVERS\wanarp.sys
  0xF774E000 \SystemRoot\system32\DRIVERS\arp1394.sys
  0xF79E6000 \SystemRoot\system32\DRIVERS\usbccgp.sys
  0xF7CEB000 \SystemRoot\system32\DRIVERS\DMICall.sys
  0xA8AA5000 \SystemRoot\System32\Drivers\aswSP.SYS
  0xA8AFB000 \SystemRoot\system32\DRIVERS\usbscan.sys
  0xA794E000 \SystemRoot\System32\Drivers\aswSnx.SYS
  0xF7966000 \SystemRoot\system32\DRIVERS\SonyImgF.sys
  0xA7A56000 \SystemRoot\System32\Drivers\Aavmker4.SYS
  0xA7A36000 \SystemRoot\System32\Drivers\Cdfs.SYS
  0xA7936000 \SystemRoot\System32\Drivers\dump_atapi.sys
  0xF7B70000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
  0xBF800000 \SystemRoot\System32\win32k.sys
  0xA90F3000 \SystemRoot\System32\drivers\Dxapi.sys
  0xA7B6A000 \SystemRoot\System32\watchdog.sys
  0xBF000000 \SystemRoot\System32\drivers\dxg.sys
  0xF7CE1000 \SystemRoot\System32\drivers\dxgthk.sys
  0xBF020000 \SystemRoot\System32\ialmdnt5.dll
  0xBF012000 \SystemRoot\System32\ialmrnt5.dll
  0xBF041000 \SystemRoot\System32\ialmdev5.DLL
  0xBF075000 \SystemRoot\System32\ialmdd5.DLL
  0xBF157000 \SystemRoot\System32\ATMFD.DLL
  0xF7304000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
  0xA7882000 \SystemRoot\system32\DRIVERS\AegisP.sys
  0xA7830000 \SystemRoot\system32\DRIVERS
wlnkipx.sys
  0xF76DE000 \SystemRoot\system32\DRIVERS
wlnknb.sys
  0xA7872000 \SystemRoot\system32\DRIVERS\s24trans.sys
  0xA791A000 \SystemRoot\system32\DRIVERS
disuio.sys
  0xA77CA000 \SystemRoot\System32\Drivers\aswMon2.SYS
  0xA7685000 \SystemRoot\system32\DRIVERS\mrxdav.sys
  0xA757C000 \SystemRoot\System32\Drivers\HTTP.sys
  0xA7568000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
  0xA75CD000 \SystemRoot\system32\DRIVERS
wlnkspx.sys
  0xF793E000 \??\C:\WINDOWS\system32\windrvNT.sys
  0xA727C000 \SystemRoot\system32\DRIVERS\srv.sys
  0xA723F000 \SystemRoot\system32\drivers\wdmaud.sys
  0xA7474000 \SystemRoot\system32\drivers\sysaudio.sys
  0x7C900000 \WINDOWS\system32
tdll.dll

Processes (total 33):
       0 System Idle Process
       4 System
     724 C:\WINDOWS\system32\smss.exe
     844 csrss.exe
     868 C:\WINDOWS\system32\winlogon.exe
     912 C:\WINDOWS\system32\services.exe
     948 C:\WINDOWS\system32\lsass.exe
    1084 C:\WINDOWS\system32\svchost.exe
    1132 svchost.exe
    1172 C:\WINDOWS\system32\svchost.exe
    1260 C:\WINDOWS\system32\svchost.exe
    1408 svchost.exe
    1480 svchost.exe
    1816 C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    2028 C:\WINDOWS\system32\spoolsv.exe
     788 svchost.exe
     832 C:\WINDOWS\system32\svchost.exe
    1444 C:\WINDOWS\system32\svchost.exe
    1456 C:\Program Files\Java\jre7\bin\jqs.exe
    1748 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    1952 C:\WINDOWS\system32\svchost.exe
     376 wmpnetwk.exe
    1580 C:\WINDOWS\explorer.exe
     248 C:\WINDOWS\system32\wuauclt.exe
    2552 alg.exe
    3072 C:\Program Files\AVAST Software\Avast\AvastUI.exe
    3216 C:\Program Filesealealplayer\Updateealsched.exe
    3268 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    3292 C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
    3332 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    3400 C:\WINDOWS\system32\ctfmon.exe
    3424 C:\Documents and Settings\Dewagede\Local Settings\Application Data\Google\Update\1.3.21.123\GoogleCrashHandler.exe
    3856 C:\Program Files\ZHPDiag\mbrcheck.exe

\.\C: --> \.\PhysicalDrive0 at offset 0x00000001'805e2000  (NTFS)
\.\D: --> \.\PhysicalDrive0 at offset 0x0000000d'85c32800  (NTFS)

PhysicalDrive0 Model Number: TOSHIBAMK1032GSX, Rev: AS021G  

      Size  Device Name          MBR Status
  --------------------------------------------
     93 GB  \.\PhysicalDrive0   Windows XP MBR code detected
            SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!



i was trying to doanload malware bytes but it didnt allow me to.. I mean aside from that black box I didnt see anything. also this morning the blue screen appeared again with : kernel stalk inpage error.


:(

Ambucias · Answer

Hello 101,

I am afraid that you have mistaken.  I trust that you ensure that only the lines you copied appeared in the ZHP Fix window before you pressed GO ?

Blue screen again you say!  Have you mentioned it in your original message ?  Blue screen means bad news.  When did you get a blue screen and what was the error message ?

Please explain that you were not allowed to download Malwarebyte.  Any error message ?  What did you see ?

Please delete the previous ZHP Diag log and run another to post on Speedyshare.

Communication is very important so please, tell me everything.

Regards

bcn101 · Answer

Ambucias, When I ran malware anti-malware it said that, there are no malwares found. So, we can assume that it is clean? Below is the link of the reports: download link : http://speedy.sh/bthgH/ZHPDiag.Txt forum link : [code]http://speedy.sh/bthgH/ZHPDiag.Txt/code HTML link : Download at SpeedyShare I just would like to clarify something.... my computer still freezes and slow,,,, any remedies? :(

bcn101 · Answer

Hi... it was this morning that I saw the BSOD with a text kernel stalk inoage error.
When I first tried to run malware anti-malware only a black box appeared and then after like 2 seconds its gone. So I wasnt able to do anything. what I did I went to another website and downloaded malware anti malware, saved it in my usb and transferred in my laptop. 

I just sent you the new log of the ZHP diag.

I hope I did it right.

:/

Ambucias · Answer

Did you run Malwarebyte or anti-malware ?

bcn101 · Answer

i run this : Malwarebytes Anti-Rootkit BETA 1.01.0.1009

(c) Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 7.0.5730.13

Java version: 1.6.0_31

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
CPU speed: 1.861000 GHz
Memory total: 1063370752, free: 735907840




did I mess it up?


the link that you gave me.... gave me this report :


MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:			
Windows Version:		Windows XP Home Edition
Windows Information:		Service Pack 3 (build 2600)
Logical Drives Mask:		0x0000003c

Kernel Drivers (total 141):
  0x804D7000 \WINDOWS\system32
tkrnlpa.exe
  0x806D1000 \WINDOWS\system32\hal.dll
  0xF7AFE000 \WINDOWS\system32\KDCOM.DLL
  0xF7A0E000 \WINDOWS\system32\BOOTVID.dll
  0xF74CF000 ACPI.sys
  0xF7B00000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
  0xF74BE000 pci.sys
  0xF75FE000 isapnp.sys
  0xF760E000 ohci1394.sys
  0xF761E000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
  0xF7A12000 compbatt.sys
  0xF7A16000 \WINDOWS\system32\DRIVERS\BATTC.SYS
  0xF7BC6000 pciide.sys
  0xF787E000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
  0xF7B02000 intelide.sys
  0xF74A0000 pcmcia.sys
  0xF762E000 MountMgr.sys
  0xF7481000 ftdisk.sys
  0xF7A1A000 ACPIEC.sys
  0xF7BC7000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
  0xF7886000 PartMgr.sys
  0xF763E000 VolSnap.sys
  0xF7469000 atapi.sys
  0xF764E000 disk.sys
  0xF765E000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
  0xF7449000 fltmgr.sys
  0xF7437000 sr.sys
  0xF766E000 PxHelp20.sys
  0xF7420000 KSecDD.sys
  0xF740D000 WudfPf.sys
  0xF7380000 Ntfs.sys
  0xF7353000 NDIS.sys
  0xF7339000 Mup.sys
  0xF777E000 \SystemRoot\system32\DRIVERS\intelppm.sys
  0xF7AAA000 \SystemRoot\system32\DRIVERS\CmBatt.sys
  0xF6D4A000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
  0xF6D36000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
  0xF6D0E000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
  0xF78C6000 \SystemRoot\system32\DRIVERS\usbuhci.sys
  0xF6CEA000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
  0xF78CE000 \SystemRoot\system32\DRIVERS\usbehci.sys
  0xF6CD7000 \SystemRoot\system32\DRIVERS\Rtlnicxp.sys
  0xF778E000 \SystemRoot\system32\DRIVERS
ic1394.sys
  0xF6CBA000 \SystemRoot\system32\drivers	ifmsony.sys
  0xF6A9C000 \SystemRoot\system32\DRIVERS\w29n51.sys
  0xF78D6000 \SystemRoot\System32\Drivers\SonyNC.sys
  0xF779E000 \SystemRoot\system32\DRIVERS\i8042prt.sys
  0xF78DE000 \SystemRoot\system32\DRIVERS\kbdclass.sys
  0xF6A82000 \SystemRoot\system32\DRIVERS\Apfiltr.sys
  0xF78E6000 \SystemRoot\system32\DRIVERS\mouclass.sys
  0xF77AE000 \SystemRoot\system32\DRIVERS\imapi.sys
  0xF6EDB000 \SystemRoot\system32\DRIVERS\cdrom.sys
  0xF6ECB000 \SystemRoot\system32\DRIVERSedbook.sys
  0xF6A5F000 \SystemRoot\system32\DRIVERS\ks.sys
  0xF7D31000 \SystemRoot\system32\DRIVERS\audstub.sys
  0xF7B56000 \SystemRoot\System32\Drivers\RootMdm.sys
  0xF78EE000 \SystemRoot\System32\Drivers\Modem.SYS
  0xF6EBB000 \SystemRoot\system32\DRIVERSasl2tp.sys
  0xF7ABA000 \SystemRoot\system32\DRIVERS
distapi.sys
  0xF6A48000 \SystemRoot\system32\DRIVERS
diswan.sys
  0xF6EAB000 \SystemRoot\system32\DRIVERSaspppoe.sys
  0xF6E9B000 \SystemRoot\system32\DRIVERSaspptp.sys
  0xF78F6000 \SystemRoot\system32\DRIVERS\TDI.SYS
  0xF6A37000 \SystemRoot\system32\DRIVERS\psched.sys
  0xF6E8B000 \SystemRoot\system32\DRIVERS\msgpc.sys
  0xF78FE000 \SystemRoot\system32\DRIVERS\ptilink.sys
  0xF7906000 \SystemRoot\system32\DRIVERSaspti.sys
  0xF6E7B000 \SystemRoot\System32\Drivers\pcouffin.sys
  0xF790E000 \SystemRoot\system32\DRIVERS\RimSerial.sys
  0xF6E6B000 \SystemRoot\system32\DRIVERS	ermdd.sys
  0xF7B58000 \SystemRoot\system32\DRIVERS\swenum.sys
  0xF69B1000 \SystemRoot\system32\DRIVERS\update.sys
  0xF7ACA000 \SystemRoot\system32\DRIVERS\mssmbios.sys
  0xF6E5B000 \SystemRoot\System32\Drivers\NDProxy.SYS
  0xAA09C000 \SystemRoot\system32\drivers\RtkHDAud.sys
  0xAA078000 \SystemRoot\system32\drivers\portcls.sys
  0xF77DE000 \SystemRoot\system32\drivers\drmk.sys
  0xAA046000 \SystemRoot\system32\DRIVERS\HSFHWAZL.sys
  0xA9F52000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys
  0xA9EA1000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
  0xF786E000 \SystemRoot\system32\DRIVERS\usbhub.sys
  0xF7B8E000 \SystemRoot\system32\DRIVERS\USBD.SYS
  0xF7B90000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
  0xF7CA6000 \SystemRoot\System32\Drivers\Null.SYS
  0xF7B92000 \SystemRoot\System32\Drivers\Beep.SYS
  0xF79CE000 \SystemRoot\System32\drivers\vga.sys
  0xF7B94000 \SystemRoot\System32\Drivers\mnmdd.SYS
  0xF7B96000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
  0xF79FE000 \SystemRoot\System32\Drivers\Msfs.SYS
  0xF7996000 \SystemRoot\System32\Drivers\Npfs.SYS
  0xF7A9A000 \SystemRoot\system32\DRIVERSasacd.sys
  0xA8C87000 \SystemRoot\system32\DRIVERS\ipsec.sys
  0xA8C2E000 \SystemRoot\system32\DRIVERS	cpip.sys
  0xF768E000 \SystemRoot\System32\Drivers\aswTdi.SYS
  0xA8C06000 \SystemRoot\system32\DRIVERS
etbt.sys
  0xF79BE000 \SystemRoot\System32\Drivers\aswRdr.SYS
  0xF7AA6000 \SystemRoot\System32\drivers\ws2ifsl.sys
  0xA8BE4000 \SystemRoot\System32\drivers\afd.sys
  0xF76FE000 \SystemRoot\system32\DRIVERS
etbios.sys
  0xA8BB9000 \SystemRoot\system32\DRIVERSdbss.sys
  0xA8B49000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
  0xF771E000 \SystemRoot\System32\Drivers\Fips.SYS
  0xA8B23000 \SystemRoot\system32\DRIVERS\ipnat.sys
  0xF772E000 \SystemRoot\system32\DRIVERS\wanarp.sys
  0xF774E000 \SystemRoot\system32\DRIVERS\arp1394.sys
  0xF79E6000 \SystemRoot\system32\DRIVERS\usbccgp.sys
  0xF7CEB000 \SystemRoot\system32\DRIVERS\DMICall.sys
  0xA8AA5000 \SystemRoot\System32\Drivers\aswSP.SYS
  0xA8AFB000 \SystemRoot\system32\DRIVERS\usbscan.sys
  0xA794E000 \SystemRoot\System32\Drivers\aswSnx.SYS
  0xF7966000 \SystemRoot\system32\DRIVERS\SonyImgF.sys
  0xA7A56000 \SystemRoot\System32\Drivers\Aavmker4.SYS
  0xA7A36000 \SystemRoot\System32\Drivers\Cdfs.SYS
  0xA7936000 \SystemRoot\System32\Drivers\dump_atapi.sys
  0xF7B70000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
  0xBF800000 \SystemRoot\System32\win32k.sys
  0xA90F3000 \SystemRoot\System32\drivers\Dxapi.sys
  0xA7B6A000 \SystemRoot\System32\watchdog.sys
  0xBF000000 \SystemRoot\System32\drivers\dxg.sys
  0xF7CE1000 \SystemRoot\System32\drivers\dxgthk.sys
  0xBF020000 \SystemRoot\System32\ialmdnt5.dll
  0xBF012000 \SystemRoot\System32\ialmrnt5.dll
  0xBF041000 \SystemRoot\System32\ialmdev5.DLL
  0xBF075000 \SystemRoot\System32\ialmdd5.DLL
  0xBF157000 \SystemRoot\System32\ATMFD.DLL
  0xF7304000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
  0xA7882000 \SystemRoot\system32\DRIVERS\AegisP.sys
  0xA7830000 \SystemRoot\system32\DRIVERS
wlnkipx.sys
  0xF76DE000 \SystemRoot\system32\DRIVERS
wlnknb.sys
  0xA7872000 \SystemRoot\system32\DRIVERS\s24trans.sys
  0xA791A000 \SystemRoot\system32\DRIVERS
disuio.sys
  0xA77CA000 \SystemRoot\System32\Drivers\aswMon2.SYS
  0xA7685000 \SystemRoot\system32\DRIVERS\mrxdav.sys
  0xA757C000 \SystemRoot\System32\Drivers\HTTP.sys
  0xA7568000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
  0xA75CD000 \SystemRoot\system32\DRIVERS
wlnkspx.sys
  0xF793E000 \??\C:\WINDOWS\system32\windrvNT.sys
  0xA727C000 \SystemRoot\system32\DRIVERS\srv.sys
  0xA723F000 \SystemRoot\system32\drivers\wdmaud.sys
  0xA7474000 \SystemRoot\system32\drivers\sysaudio.sys
  0x7C900000 \WINDOWS\system32
tdll.dll

Processes (total 33):
       0 System Idle Process
       4 System
     724 C:\WINDOWS\system32\smss.exe
     844 csrss.exe
     868 C:\WINDOWS\system32\winlogon.exe
     912 C:\WINDOWS\system32\services.exe
     948 C:\WINDOWS\system32\lsass.exe
    1084 C:\WINDOWS\system32\svchost.exe
    1132 svchost.exe
    1172 C:\WINDOWS\system32\svchost.exe
    1260 C:\WINDOWS\system32\svchost.exe
    1408 svchost.exe
    1480 svchost.exe
    1816 C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    2028 C:\WINDOWS\system32\spoolsv.exe
     788 svchost.exe
     832 C:\WINDOWS\system32\svchost.exe
    1444 C:\WINDOWS\system32\svchost.exe
    1456 C:\Program Files\Java\jre7\bin\jqs.exe
    1748 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    1952 C:\WINDOWS\system32\svchost.exe
     376 wmpnetwk.exe
    1580 C:\WINDOWS\explorer.exe
     248 C:\WINDOWS\system32\wuauclt.exe
    2552 alg.exe
    3072 C:\Program Files\AVAST Software\Avast\AvastUI.exe
    3216 C:\Program Filesealealplayer\Updateealsched.exe
    3268 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    3292 C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
    3332 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    3400 C:\WINDOWS\system32\ctfmon.exe
    3424 C:\Documents and Settings\Dewagede\Local Settings\Application Data\Google\Update\1.3.21.123\GoogleCrashHandler.exe
    3856 C:\Program Files\ZHPDiag\mbrcheck.exe

\.\C: --> \.\PhysicalDrive0 at offset 0x00000001'805e2000  (NTFS)
\.\D: --> \.\PhysicalDrive0 at offset 0x0000000d'85c32800  (NTFS)

PhysicalDrive0 Model Number: TOSHIBAMK1032GSX, Rev: AS021G  

      Size  Device Name          MBR Status
  --------------------------------------------
     93 GB  \.\PhysicalDrive0   Windows XP MBR code detected
            SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

Ambucias · Answer

If you have sent me the correct log, you system is still infected especially with a rogue Trojan horse and other malware

Here is what we will do:

To keep your system safe, you must follow the instructions hereunder to the letter: 

1. Download Combofix to your desktop. 

https://www.bleepingcomputer.com/download/combofix/

(click on the download @ bleeping computer button) 

2.Close all open Windows including this one. 

Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. 

3. Double click on the ComboFix icon. 

Windows is issuing this prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue. 

4. Accept the disclaimer and the recovery 

5.You should now press the Yes button to continue. If at any time during the Recovery Console installation you receive a message stating that it failed to install, please allow ComboFix to continue with the scan of your computer. 

ComboFix will disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection. 

While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings. 

If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt. 

During the process, please do not mouse click nor must you tap on the keyboard. Let the tool run. 

Good luck

bcn101 · Answer

okay ill do it. I have done this before. Thanks, really for being so patient.

bcn101 · Answer

Hi another problem. I have run combofix and closed ask, the windows and also disabled my anti virus program. It is now in Autoscan but a window appeared saying that: c:\combofix\mtee.3XE is not a valid Win32 application. What should I do?

Ambucias · Answer

Please explain what you mean by : and closed ask

Boot in safe mode with networking and run Combofix again.  Remember Combofix takes a long time to run, it will go though at least 20 stages shown in a black window.

bcn101 · Answer

Hi Ambucias,

Last night I tried to run it again (not in safe mode) normal windows and it worked....

below is the log :

ComboFix 12-11-13.02 - Dewagede 14/11/2012   7:07.14.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1014.679 [GMT 1:00]
Running from: c:\documents and settings\Dewagede\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\etc\hosts.ics
.
.
(((((((((((((((((((((((((   Files Created from 2012-10-14 to 2012-11-14  )))))))))))))))))))))))))))))))
.
.
2012-11-13 18:44 . 2012-11-13 18:44	140616	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2012-11-13 18:44 . 2012-11-13 18:44	35144	----a-w-	c:\windows\system32\drivers\mbamchameleon.sys
2012-11-11 14:54 . 2012-11-11 14:54	512	----a-w-	C:\PhysicalDisk0_MBR.bin
2012-11-10 10:28 . 2012-11-13 22:16	--------	d-----w-	c:\program files\ZHPDiag
2012-11-10 10:28 . 2012-11-13 22:16	--------	d-----w-	C:\ZHP
2012-10-21 11:38 . 2012-10-21 11:38	--------	d-----w-	C:\found.000
2012-10-20 18:12 . 2012-10-20 18:12	--------	d-----w-	c:\windows\system32\wbem\Repository
2012-10-20 17:48 . 2012-10-20 17:48	--------	d-----w-	c:\documents and settings\Dewagede\Application Data\SpeedyPC Software
2012-10-20 17:48 . 2012-10-20 17:48	--------	d-----w-	c:\documents and settings\All Users\Application Data\SpeedyPC Software
2012-10-20 17:48 . 2012-10-20 17:48	--------	d-----w-	c:\program files\SpeedyPC Software
2012-10-20 17:48 . 2012-10-20 17:48	--------	d-----w-	C:\Dell
2012-10-16 14:29 . 2012-10-16 14:29	--------	d-----w-	c:\program files\NirSoft
2012-10-16 13:20 . 2012-10-16 13:20	--------	d-----w-	c:\documents and settings\Dewagede\Application Data\RegGenie
2012-10-16 11:47 . 2012-10-16 11:47	--------	d-----w-	c:\documents and settings\Dewagede\Application Data\DriverCure
2012-10-16 11:17 . 2012-10-20 17:47	--------	d-s---w-	c:\documents and settings\Administrator
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-30 22:51 . 2011-10-22 20:16	361032	----a-w-	c:\windows\system32\drivers\aswSP.sys
2012-10-30 22:51 . 2011-10-22 20:16	35928	----a-w-	c:\windows\system32\drivers\aswRdr.sys
2012-10-30 22:51 . 2011-10-22 20:15	738504	----a-w-	c:\windows\system32\drivers\aswSnx.sys
2012-10-30 22:51 . 2011-10-22 20:15	54232	----a-w-	c:\windows\system32\drivers\aswTdi.sys
2012-10-30 22:51 . 2011-10-22 20:15	97608	----a-w-	c:\windows\system32\drivers\aswmon2.sys
2012-10-30 22:51 . 2011-10-22 20:15	89752	----a-w-	c:\windows\system32\drivers\aswmon.sys
2012-10-30 22:51 . 2011-10-22 20:16	21256	----a-w-	c:\windows\system32\drivers\aswFsBlk.sys
2012-10-30 22:51 . 2011-10-22 20:15	25256	----a-w-	c:\windows\system32\drivers\aavmker4.sys
2012-10-30 22:51 . 2011-10-22 20:15	41224	----a-w-	c:\windows\avastSS.scr
2012-10-30 22:50 . 2011-10-22 20:14	227648	----a-w-	c:\windows\system32\aswBoot.exe
2012-10-27 16:32 . 2012-04-10 08:47	696760	----a-w-	c:\windows\system32\FlashPlayerApp.exe
2012-10-27 16:32 . 2011-09-10 17:14	73656	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-16 13:14 . 2012-09-16 13:14	93672	----a-w-	c:\windows\system32\WindowsAccessBridge.dll
2012-09-16 13:13 . 2012-06-16 16:25	143872	----a-w-	c:\windows\system32\javacpl.cpl
2012-09-16 13:13 . 2012-06-16 16:28	821736	----a-w-	c:\windows\system32
pDeployJava1.dll
2012-09-16 13:13 . 2010-09-13 16:54	746984	-c--a-w-	c:\windows\system32\deployJava1.dll
2012-08-27 19:12 . 2005-12-05 20:19	832512	----a-w-	c:\windows\system32\wininet.dll
2012-08-27 19:12 . 2005-12-05 20:18	1830912	------w-	c:\windows\system32\inetcpl.cpl
2012-08-27 19:12 . 2005-12-05 20:18	78336	----a-w-	c:\windows\system32\ieencode.dll
2012-08-27 19:12 . 2005-12-05 20:18	17408	------w-	c:\windows\system32\corpol.dll
2012-08-24 13:53 . 2005-12-05 20:19	177664	----a-w-	c:\windows\system32\wintrust.dll
2012-08-21 13:29 . 2005-12-05 20:19	2192896	----a-w-	c:\windows\system32
toskrnl.exe
2012-08-21 12:58 . 2004-08-03 22:59	2069632	----a-w-	c:\windows\system32
tkrnlpa.exe
2012-09-22 13:17 . 2012-09-22 13:17	136672	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-07-07 20:32 . 60D1A6342238378BFB7545C81EE3606C . 253952 . . [2001.12.4414.320] . . c:\windows\$NtServicePackUninstall$\es.dll
[-] 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\$hf_mig$\KB950974\SP3GDR\es.dll
[-] 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\system32\es.dll
[-] 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\system32\dllcache\es.dll
[-] 2008-07-07 20:23 . F17F6226BDC0CD5F0BEF0DAF84D29BEC . 253952 . . [2001.12.4414.706] . . c:\windows\$hf_mig$\KB950974\SP3QFE\es.dll
[-] 2008-07-07 20:06 . A4AB3DCA4A383F0DF4988ABDEB84F9A4 . 253952 . . [2001.12.4414.320] . . c:\windows\$hf_mig$\KB950974\SP2QFE\es.dll
[7] 2008-04-14 00:11 . 19A799805B24990867B00C120D300C3A . 246272 . . [2001.12.4414.701] . . c:\windows\$NtUninstallKB950974$\es.dll
[7] 2008-04-14 00:11 . 19A799805B24990867B00C120D300C3A . 246272 . . [2001.12.4414.701] . . c:\windows\ServicePackFiles\i386\es.dll
[-] 2005-07-26 04:39 . 34BBD9ACC1538818F2C878898C64E793 . 243200 . . [2001.12.4414.308] . . c:\windows\$NtUninstallKB950974_0$\es.dll
[-] 2005-07-26 04:20 . 95F5FEA4C6DE2C3F28784D0DCC8F0DD3 . 243200 . . [2001.12.4414.308] . . c:\windows\$hf_mig$\KB902400\SP2QFE\es.dll
[7] 2004-08-04 12:00 . ACD36A2DD7D1E9D8A060AA651DC07E63 . 243200 . . [2001.12.4414.258] . . c:\windows\$NtUninstallKB902400$\es.dll
.
[-] 2010-04-16 . 9E03DC5AB51CFD0190541CE2038D819D . 406016 . . [1.0420.2600.5969] . . c:\windows\system32\usp10.dll
[-] 2010-04-16 . 9E03DC5AB51CFD0190541CE2038D819D . 406016 . . [1.0420.2600.5969] . . c:\windows\system32\dllcache\usp10.dll
[-] 2010-04-16 . F8894BCC961D461674002B4BAE7AECC1 . 406016 . . [1.0420.2600.5969] . . c:\windows\$hf_mig$\KB981322\SP3QFE\usp10.dll
[7] 2008-04-14 . 7D7D8501F3CB45D0408CDEFA08CDAEFF . 406016 . . [1.0420.2600.5512] . . c:\windows\$NtUninstallKB981322$\usp10.dll
[7] 2008-04-14 . 7D7D8501F3CB45D0408CDEFA08CDAEFF . 406016 . . [1.0420.2600.5512] . . c:\windows\ServicePackFiles\i386\usp10.dll
[7] 2004-08-04 . 2EB58F9DCD6AB320B46744A4EA48B2D2 . 406528 . . [1.0420.2600.2180] . . c:\windows\$NtServicePackUninstall$\usp10.dll
.
[-] 2009-07-27 . 99BC0B50F511924348BE19C7C7313BBF . 135168 . . [6.00.2900.5853] . . c:\windows\system32\shsvcs.dll
[-] 2009-07-27 . 99BC0B50F511924348BE19C7C7313BBF . 135168 . . [6.00.2900.5853] . . c:\windows\system32\dllcache\shsvcs.dll
[-] 2009-07-27 . 888CD7B39C37E13A2419BECFAAF0A28C . 135168 . . [6.00.2900.5853] . . c:\windows\$hf_mig$\KB971029\SP3QFE\shsvcs.dll
[7] 2008-04-14 . 1926899BF9FFE2602B63074971700412 . 135168 . . [6.00.2900.5512] . . c:\windows\$NtUninstallKB971029$\shsvcs.dll
[7] 2008-04-14 . 1926899BF9FFE2602B63074971700412 . 135168 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\shsvcs.dll
[-] 2006-12-19 . 6815DEF9B810AEFAC107EEAF72DA6F82 . 134656 . . [6.00.2900.3051] . . c:\windows\$NtServicePackUninstall$\shsvcs.dll
[-] 2006-12-19 . 53D9184A21C5CBF600D918E51EF3A7E5 . 135168 . . [6.00.2900.3051] . . c:\windows\$hf_mig$\KB928255\SP2QFE\shsvcs.dll
[7] 2004-08-04 . E7518DC542D3EBDCB80EDD98462C7821 . 134656 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB928255$\shsvcs.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-10-30 22:50	121528	----a-w-	c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-06 68856]
"Facebook Update"="c:\documents and settings\Dewagede\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe" [2012-08-16 138096]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]
"TkBellExe"="c:\program filesealealplayer\updateealsched.exe" [2012-06-09 296056]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-09-23 926896]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
otify\VESWinlogon]
2005-05-21 01:42	73728	----a-w-	c:\windows\system32\VESWinlogon.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute	REG_MULTI_SZ   	autocheck autochk *\0aswBoot.exe /A:* /L:1033 /KBD:2 /dir:C:\Program
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"c:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"=
"c:\Program Files\Windows Live\Sync\WindowsLiveSync.exe"=
"c:\WINDOWS\system32\LEXPPS.EXE"=
"c:\Documents and Settings\Dewagede\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe"=
"c:\Program Files\DivX\DivX Update\DivXUpdate.exe"=
"c:\Program Files\Common Files\Java\Java Update\jucheck.exe"=
"c:\Program Files\Common Files\Java\Java Update\jusched.exe"=
"c:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE"=
"c:\Program Files\real\RealUpgrade\realupgrade.exe"=
"c:\Program Files\Microsoft Office\OFFICE11\POWERPNT.EXE"=
"c:\WINDOWS\system32\dwwin.exe"=
"c:\Program Files\real\realplayer\realplay.exe"=
"c:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe"=
"c:\Program Files\Common Files\Java\Java Update\jaucheck.exe"=
"c:\Program Files\Messenger\msmsgs.exe"=
"c:\Documents and Settings\Dewagede\My Documents\Downloads\wlsetup-web.exe"=
"c:\Program Files\Mozilla Firefox\firefox.exe"=
"c:\Program Files\Mozilla Firefox\plugin-container.exe"=
"c:\Program Files\Research In Motion\BlackBerry Desktop\Rim.Desktop.AutoUpdate.exe"=
"c:\Program Files\Common Files\Research In Motion\AppLoader\Loader.exe"=
"c:\Program Files\Research In Motion\BlackBerry Desktop\Rim.Desktop.exe"=
"c:\WINDOWS\pchealth\helpctr\binaries\HelpHost.exe"=
"c:\WINDOWS\pchealth\helpctr\binaries\helpctr.exe"=
"c:\Documents and Settings\Dewagede\Local Settings\Application Data\Akamai\netsession_win.exe"=
"c:\Program Files\Windows Live\Messenger\wlcsdk.exe"=
"c:\Program Files\Windows Live\Messenger\msnmsgr.exe"=
"c:\Program Files\Skype\Phone\Skype.exe"=
"c:\Documents and Settings\Dewagede\Local Settings\Application Data\Facebook\Video\Skype\FacebookVideoCalling.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"1856:TCP"= 1856:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [22/10/2011 21:15 738504]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [22/10/2011 21:16 361032]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [05/12/2005 21:19 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [22/10/2011 21:16 21256]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [11/06/2008 07:44 47360]
S2 Change Modem Device Service;Change Modem Device Service;"c:\windows\system32\ChgService.exe" -service --> c:\windows\system32\ChgService.exe [?]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [13/07/2012 12:28 160944]
S3 cmnsusbser;Mobile Connector USB Device for Legacy Serial Communication LCT2053s;c:\windows\system32\drivers\cmnsusbser.sys [06/08/2010 20:14 103424]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys --> c:\windows\system32\DRIVERS\ewusbdev.sys [?]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [13/11/2012 19:44 35144]
S3 mbamswissarmy;mbamswissarmy;c:\windows\system32\drivers\mbamswissarmy.sys [13/11/2012 19:44 140616]
S3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\drivers\RTL8192su.sys [07/10/2011 18:41 594048]
S3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [06/12/2005 00:54 28800]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai	REG_MULTI_SZ   	Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-10 16:32]
.
2012-11-14 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2012-11-10 22:50]
.
2012-11-13 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3397393471-2348751738-1897457302-1006Core.job
- c:\documents and settings\Dewagede\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2011-07-09 12:36]
.
2012-11-14 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3397393471-2348751738-1897457302-1006UA.job
- c:\documents and settings\Dewagede\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2011-07-09 12:36]
.
2012-11-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-03-30 20:04]
.
2012-11-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-03-30 20:04]
.
2012-11-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3397393471-2348751738-1897457302-1006Core.job
- c:\documents and settings\Dewagede\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-08-16 20:04]
.
2012-11-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3397393471-2348751738-1897457302-1006UA.job
- c:\documents and settings\Dewagede\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-08-16 20:04]
.
2012-11-14 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3397393471-2348751738-1897457302-1006.job
- c:\program files\Real\RealUpgradeealupgrade.exe [2012-04-30 16:21]
.
2012-11-09 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3397393471-2348751738-1897457302-1006.job
- c:\program files\Real\RealUpgradeealupgrade.exe [2012-04-30 16:21]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.babylon.com/home
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = 127.0.0.1:9421
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.43.1
FF - ProfilePath - c:\documents and settings\Dewagede\Application Data\Mozilla\Firefox\Profiles\o1gzvcpw.default\
FF - prefs.js: keyword.URL - hxxp://es.search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=937811&p=
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-RunOnce-Z1 - c:\docume~1\Dewagede\LOCALS~1\Temp\Rar$EX42.840\mbar\mbar.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-11-14 07:27
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
.
C:\sccfg.sys 358 bytes
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_ce5ba24.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\WINDOWS\system32\Macromed\Flash\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\WINDOWS\system32\Macromed\Flash\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\*PNP1c4c\0000]
@DACL=(02 0000)
"Service"="1133813799"
"ClassGUID"="{4D36E97D-E325-11CE-BFC1-08002BE10318}"
"Class"="System"
"DeviceDesc"="PCI bus"
"Mfg"="Technologies Inc"
"LocationInformation"="on Microsoft ACPI-Compliant System"
"ConfigFlags"=dword:00000000
"Capabilities"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(868)
c:\windows\system32\VESWinlogon.dll
.
Completion time: 2012-11-14  07:33:36
ComboFix-quarantined-files.txt  2012-11-14 06:33
.
Pre-Run: 15,058,563,072 bytes free
Post-Run: 16,627,195,904 bytes free
.
- - End Of File - - C915EC854087D0B94A4443CEAA757878



My obrsevations:

- Computer is still slow and it is taking too much time to load whenever I open a browser.

- When I start my computer it is always asking me to have a disk check d:\ and I cancel it always because it is very slow. What should I do to prevent it from dick checking?

- I am now using my mobile as a router, I understand that my connection would be slower but I am just wondering because the packets sent is always higher than the packets received, is it a problem? the difference is between 200 - 500.

Thanks for the help.

bcn101 · Answer

Hi,



closed ask - should be "closed all the windows" - typo error. Sorry.

Ambucias · Answer

Hello,

Looks like Combofix quarantined most malware.

In my estimation routers and wifi always slow down are always.

Three things you can do to speed up:

1. Download and run CCleaner

https://ccm.net/downloads/security-and-maintenance/4555-ccleaner/

2. Prenvent useless programmes from starting at boot time, they munch on your ram.

Download and run the following startup lite tool:

https://www.malwarebytes.com/mwb-download/

3. Download and run the following free but efficient registry cleaner:

https://ccm.net/download/download-13339-eusing-free-registry-cleaner

4. Make sure that the previous ZHP Diag log is completely removed from your machine and post a new one on Speedyshare.  I will make a last check.

Regards

bcn101 · Answer

Hi there, I have run the CCleaner that I already have, and have downloaded the one from malwarebyte and the other registry cleaner. I just would like to ask cause when I clicked repair, it told me that if there are some files that are hidden it cannot give me the guarantee of repairing it 100 percent? what should I do. and about the issue of disk checking every start up how would I turn it off? i have uploaded the latest zhp diag in speedy share, and other question is, I have downloaded fb video calling set up before but I cant remove it now and the other thing is the old combofix... it is not also allowing me to remove it. Is there some solution? thanks Ambucias :) download link : http://speedy.sh/rYFxu/ZHPDiag.txt forum link : [code]http://speedy.sh/rYFxu/ZHPDiag.txt/code HTML link : Download at SpeedyShare

Ambucias · Answer

Hello,

I must leave in a few minutes, I will look at your log in the morning.  You should get my reply by noon your time.  I'm in Quebec.

Eusing Free always makes a back-up so it's safe to repair. (restore button)

Try removing combofix after reboot.  To remove any application, you can use CCleaner, just use the tool button.  If Fb still can't be removed, I will tell you how in the morning.

For your check issue:

1. Click on start and then on Run
2. Type cmd and click ok.  A black window will open
3. Type chkdsk
4. Press enter and let run.
5. Close the window.

Tell me how you did with the above so that I have all in info to read with my coffee.

Asta la proxima
Ambucias

Ambucias · Answer

Ola,

You must have sent me the very same ZHP Diag log, it shows the very same infections as before.

Please remove all previous logs from your machine.

Regards

bcn101 · Answer

Hi ambucias, sorry for the late reply. So you're in Canada... I thought you are in europe too. :)

Btw, my apologies for the wrong log, here is the new log that zhp gave me, I run it again : 

download link : http://speedy.sh/yCxex/ZHPDiag.Txt


and btw, I have a question, you told me to run this black box (cmd)
it gave me a report but I cant save it nor copy it. what will I do?

Ambucias · Answer

I will look at your log now.

About chkdsk, just tell me if some files were repaired and if you still get the check disk message.

I am more in Québec than in Canada.  But we will not discuss politics. (It's like if I was born in Barcelona)

Ambucias · Answer

The log shows the very same infections as before.  I'm afaid that the old log is still in the machine.

I suggest that you completely remove ZHP Diag using CCleaner. Ensure that all the previous logs are deleted from the computer. Click on start, the search, type ZHP.  Delete all items that are found. 

Download and install a fresh ZHP Diag and upload a log again.

Is you machine still slow?  Do you still get the disk message at start up?

bcn101 · Answer

okay ill do it.. yeah still getting the disk check at start up :(

okay.... lets set aside politics.... :)

bcn101 · Answer

Ambucias, Hi how are you doing ?
Got a problem here.


First, zhp is always not rsponding... I have run it like three times renamed it to kioskea.exe but still with no success.

My computer is still slow, disk checking particulary d:\ still exist during start up. :(


maybe some virus is preventing it?

bcn101 · Answer

ambucias, hi.... I have run zhp in safe mode with networking.


here is the log : http://speedy.sh/8Eqp2/ZHPDiag-report

i hope I made it right this time....


and just an hour ago bsod appeared with kernel intact error message :(

bcn101 · Answer

HI there,


here's the log : http://speedy.sh/vJktB/ZHP.txt

i hope I did it really right this time :)

bsod appeared twice last night :(
computer is still slow though a bit better compared. before.

Ambucias · Answer

Ola Josh,

You did it right!  How are things in Madrid?

Here is what I found and my suggestions:

1. You still have e-mule! Are you looking for trouble?

2. You have a programme called Microsoft Net Framework which is used for programming.  If you never use it, it takes space for nothing, so you can flush it.

3. Again, I insist, Avast is far from the best antivirus protection.

4. Your Windows is outdated and must be updated.

5. If you no longer use Mozilla Firefox, please delete it or update it.

6. If you no longer use Chrome, please delete it, there traces of it in your programme files.

7. We still have an infection in the form of adware and possibly another in the MBR.  I will deal with the adware for the moment.

a) ZHP Diag created an icon ZHP Fix (seringe)
b) Open ZHP Fix and copy the following lines:

O43 - CFD: 11/14/2012 - 12:15:41 AM - [0] ----D C:\Documents and Settings\All Users\Favorites    
[HKLM\Software\Classes\CLSID\{80922ee0-8a76-46ae-95d5-bd3c3fe0708d}]    
[HKLM\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}]    
O3 - Toolbar: (no name) - [HKLM]{EF99BD32-C1FB-11D2-892F-0090271D4F88} . (...) --  (.not file.)    

c) Click on the second button, the one next to camera looks like a clipboard.  The lines you copied should appear in the main window and a Go button will appear at the buttom.

d) Click on Go and close ZHP Fix.

8. Aftwe you have updated your Windows, click on Run, type cmd, ok. In the black window type sfc/scannow, press enter.  Let it run and close.

9.  Download, install and run to defragment your harddrive, both C and D :

https://ccm.net/download/download-1454-defraggler

10.  Report on your system.

Good luck

bcn101 · Answer

Hi there..... I never knew that I have emule..don't even know what is it...neither...i didn't know that I had limewire :/

Im now removing network framework...computer is so slow..its like creeping. Bsod appeared again. Ill   the log later.

Ambucias · Answer

e-mule and limewire need to be downloaded and installed.  Is there a ghost in your assienda?

Ambucias · Answer

To fix the check disk issue:

1. Go to command prompt (Run, cmd)

2. Type chkdsk d: /F /R  (You can copy and paste this command)

3. Press enter and let run

(Watch and note any repairs)

(F = repairs errors R, locates bad sectors and recovers readables)

bcn101 · Answer

hi, I am now in sfc/ scannow but it wasnt able to finish the process cause it is asking me for my windows xp cd which I dont have. It says that files needed for windows to run has been replaced by unrecognized versions... :( should I run the defragmenter instead? btw im not in madrid... im in barcelona.

Ambucias · Answer

Barcelona you say!  Very interesting !  Separatist !

I need some answers to the following questions:

1. Why don't you have the Windows CD's ?

2. Why has your Windows Genuine Advantage been disabled ?

3. Have you followed my instructions and updated your Windows ?

4. Have you ran ZHP Fix as instructed ? (Adware will munch you ram and slow down the system)

Defraggler should be run after you have deleted all that is supposed to be deleted and after cleaning the registry.

Did I sent you this totally free yet very efficient registry cleaner :

https://ccm.net/download/download-13339-eusing-free-registry-cleaner

bcn101 · Answer

hi ! 

- I dont have the cd cause iu bought this "second-hand" 
- with windows genuine advantage I dont have any idea what this is :( 
- and I have updated my windows... it has an auto update prompt.. which is      happening almost everyday and im sick of it? :/ 
- yes I have run zhp fix.. does it need some log too?  
ill run defragger now ? 

im not catalan, I just live here. I know ebglish since I was a kid.. im from asia.. the philippines :) 
au revoir !

Ambucias · Answer

Second hand, it explains e-mule's presence.

Okay let me know.

No, a Fix log will not be necessary.

P.S. I assumed that you ran Eusing Free before Defraggler.

bcn101 · Answer

Salut!

I tried running eusing cleaner again though I have run it before....the first tome that you asked me to download it....but since last night i,can't finish running it cause bsod always appear. Several bsods appeared and the last one emnds with 01. This is giving me a headache really. I tried running cmd in safemode but it did not let me. :(

bcn101 · Answer

hi, im now doing the defragmentation... is it always takes long? cause I need to go somehwere and need to bring my laptop can I like stop it and do it again later? :/

Ambucias · Answer

Yes, you can stop.

Please don't take your lappy where there are viruses.

Ambucias · Answer

Hi Josh,

(your name is Josh is it?)

I have looked at your most recent log again and I have noted two suspicious applications in Windows.  I don't want to tell you to delete them until I am sure. I have asked a colleague's advice.

Those apps may be involved in the BSOD.

Stand by.

Ambucias · Answer

Download the following on your desktop:

http://www.nirsoft.net/utils/bluescreenview.zip

Unzip the file

Double click on BlueScreenView.exe 

At the end of the scan, click on edit and then on select all

Go on file and click on save selected items

Save the log as bsod.txt

Open bsod.txt, copy and paste here.

bcn101 · Answer

Hi..thanks for being so patient..i ran my laptop for defragging all night last night and when I Wolfe up..its still on but its all black...screen didn't work..perhaps bsod attacked again. I'm now Rtnning defraggler again.... Can I do your instructions while I run defeaggler... Thanks ambucias :)

Ambucias · Answer

Yes you can.

Your laptop followed your example and went to sleep just as you did.  Try no letting it go to the screen saver, disable the screen saver and power saver or once in awhile, give it a nudge.

bcn101 · Answer

Hi ambucias,

How's everything going?

here's the bsod report:

==================================================
Dump File         : Mini112012-03.dmp
Crash Time        : 20/11/2012 14:09:20
Bug Check String  : DRIVER_IRQL_NOT_LESS_OR_EQUAL
Bug Check Code    : 0x100000d1
Parameter 1       : 0x005c0069
Parameter 2       : 0x00000002
Parameter 3       : 0x00000000
Parameter 4       : 0xf74727b7
Caused By Driver  : atapi.sys
Caused By Address : atapi.sys+97b7
File Description  : IDE/ATAPI Port Driver
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 5.1.2600.5512 (xpsp.080413-2108)
Processor         : 32-bit
Crash Address     : atapi.sys+97b7
Stack Address 1   : atapi.sys+78fe
Stack Address 2   : ntoskrnl.exe+18199
Stack Address 3   : atapi.sys+5b17
Computer Name     : 
Full Path         : C:\WINDOWS\Minidump\Mini112012-03.dmp
Processors Count  : 1
Major Version     : 15
Minor Version     : 2600
Dump File Size    : 90,112
==================================================

==================================================
Dump File         : Mini112012-02.dmp
Crash Time        : 20/11/2012 08:38:42
Bug Check String  : DRIVER_IRQL_NOT_LESS_OR_EQUAL
Bug Check Code    : 0x100000d1
Parameter 1       : 0x0000000c
Parameter 2       : 0x00000005
Parameter 3       : 0x00000001
Parameter 4       : 0xf74715f7
Caused By Driver  : atapi.sys
Caused By Address : atapi.sys+85f7
File Description  : IDE/ATAPI Port Driver
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 5.1.2600.5512 (xpsp.080413-2108)
Processor         : 32-bit
Crash Address     : atapi.sys+85f7
Stack Address 1   : atapi.sys+3b93
Stack Address 2   : atapi.sys+614b
Stack Address 3   : ntoskrnl.exe+6a437
Computer Name     : 
Full Path         : C:\WINDOWS\Minidump\Mini112012-02.dmp
Processors Count  : 1
Major Version     : 15
Minor Version     : 2600
Dump File Size    : 90,112
==================================================

==================================================
Dump File         : Mini112012-01.dmp
Crash Time        : 20/11/2012 08:21:51
Bug Check String  : KERNEL_STACK_INPAGE_ERROR
Bug Check Code    : 0x00000077
Parameter 1       : 0xc000000e
Parameter 2       : 0xc000000e
Parameter 3       : 0x00000000
Parameter 4       : 0x006d2000
Caused By Driver  : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+21ce3
File Description  : NT Kernel & System
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 5.1.2600.6284 (xpsp_sp3_gdr.120821-1629)
Processor         : 32-bit
Crash Address     : ntoskrnl.exe+21ce3
Stack Address 1   : ntoskrnl.exe+381ac
Stack Address 2   : ntoskrnl.exe+38ee6
Stack Address 3   : ntoskrnl.exe+651b4
Computer Name     : 
Full Path         : C:\WINDOWS\Minidump\Mini112012-01.dmp
Processors Count  : 1
Major Version     : 15
Minor Version     : 2600
Dump File Size    : 90,112
==================================================

==================================================
Dump File         : Mini111912-01.dmp
Crash Time        : 19/11/2012 15:18:51
Bug Check String  : DRIVER_IRQL_NOT_LESS_OR_EQUAL
Bug Check Code    : 0x100000d1
Parameter 1       : 0x0000000c
Parameter 2       : 0x00000005
Parameter 3       : 0x00000001
Parameter 4       : 0xf74715f7
Caused By Driver  : atapi.sys
Caused By Address : atapi.sys+85f7
File Description  : IDE/ATAPI Port Driver
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 5.1.2600.5512 (xpsp.080413-2108)
Processor         : 32-bit
Crash Address     : atapi.sys+85f7
Stack Address 1   : atapi.sys+3b93
Stack Address 2   : atapi.sys+614b
Stack Address 3   : ntoskrnl.exe+6a437
Computer Name     : 
Full Path         : C:\WINDOWS\Minidump\Mini111912-01.dmp
Processors Count  : 1
Major Version     : 15
Minor Version     : 2600
Dump File Size    : 90,112
==================================================

==================================================
Dump File         : Mini111812-03.dmp
Crash Time        : 18/11/2012 13:44:30
Bug Check String  : DRIVER_IRQL_NOT_LESS_OR_EQUAL
Bug Check Code    : 0x100000d1
Parameter 1       : 0x0000000c
Parameter 2       : 0x00000005
Parameter 3       : 0x00000001
Parameter 4       : 0xf74715f7
Caused By Driver  : atapi.sys
Caused By Address : atapi.sys+85f7
File Description  : IDE/ATAPI Port Driver
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 5.1.2600.5512 (xpsp.080413-2108)
Processor         : 32-bit
Crash Address     : atapi.sys+85f7
Stack Address 1   : atapi.sys+3b93
Stack Address 2   : atapi.sys+614b
Stack Address 3   : ntoskrnl.exe+6a437
Computer Name     : 
Full Path         : C:\WINDOWS\Minidump\Mini111812-03.dmp
Processors Count  : 1
Major Version     : 15
Minor Version     : 2600
Dump File Size    : 90,112
==================================================

==================================================
Dump File         : Mini111812-02.dmp
Crash Time        : 18/11/2012 13:30:10
Bug Check String  : CRITICAL_OBJECT_TERMINATION
Bug Check Code    : 0x000000f4
Parameter 1       : 0x00000003
Parameter 2       : 0x86ea1da0
Parameter 3       : 0x86ea1f14
Parameter 4       : 0x805c86bc
Caused By Driver  : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+21ce3
File Description  : NT Kernel & System
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 5.1.2600.6284 (xpsp_sp3_gdr.120821-1629)
Processor         : 32-bit
Crash Address     : ntoskrnl.exe+21ce3
Stack Address 1   : ntoskrnl.exe+f0741
Stack Address 2   : ntoskrnl.exe+f1767
Stack Address 3   : aswSnx.SYS+1862b
Computer Name     : 
Full Path         : C:\WINDOWS\Minidump\Mini111812-02.dmp
Processors Count  : 1
Major Version     : 15
Minor Version     : 2600
Dump File Size    : 90,112
==================================================

==================================================
Dump File         : Mini111812-01.dmp
Crash Time        : 18/11/2012 09:29:39
Bug Check String  : DRIVER_IRQL_NOT_LESS_OR_EQUAL
Bug Check Code    : 0x100000d1
Parameter 1       : 0x0000000c
Parameter 2       : 0x00000005
Parameter 3       : 0x00000001
Parameter 4       : 0xf74715f7
Caused By Driver  : atapi.sys
Caused By Address : atapi.sys+85f7
File Description  : IDE/ATAPI Port Driver
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 5.1.2600.5512 (xpsp.080413-2108)
Processor         : 32-bit
Crash Address     : atapi.sys+85f7
Stack Address 1   : atapi.sys+3b93
Stack Address 2   : atapi.sys+614b
Stack Address 3   : ntoskrnl.exe+6a437
Computer Name     : 
Full Path         : C:\WINDOWS\Minidump\Mini111812-01.dmp
Processors Count  : 1
Major Version     : 15
Minor Version     : 2600
Dump File Size    : 90,112
==================================================

==================================================
Dump File         : Mini111712-02.dmp
Crash Time        : 17/11/2012 22:39:25
Bug Check String  : DRIVER_IRQL_NOT_LESS_OR_EQUAL
Bug Check Code    : 0x100000d1
Parameter 1       : 0x007400c5
Parameter 2       : 0x00000005
Parameter 3       : 0x00000000
Parameter 4       : 0xf746ed23
Caused By Driver  : atapi.sys
Caused By Address : atapi.sys+5d23
File Description  : IDE/ATAPI Port Driver
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 5.1.2600.5512 (xpsp.080413-2108)
Processor         : 32-bit
Crash Address     : atapi.sys+5d23
Stack Address 1   : atapi.sys+85ee
Stack Address 2   : atapi.sys+3b93
Stack Address 3   : atapi.sys+614b
Computer Name     : 
Full Path         : C:\WINDOWS\Minidump\Mini111712-02.dmp
Processors Count  : 1
Major Version     : 15
Minor Version     : 2600
Dump File Size    : 90,112
==================================================

==================================================
Dump File         : Mini111712-01.dmp
Crash Time        : 17/11/2012 11:26:23
Bug Check String  : DRIVER_IRQL_NOT_LESS_OR_EQUAL
Bug Check Code    : 0x100000d1
Parameter 1       : 0x0000000c
Parameter 2       : 0x00000005
Parameter 3       : 0x00000001
Parameter 4       : 0xf74715f7
Caused By Driver  : atapi.sys
Caused By Address : atapi.sys+85f7
File Description  : IDE/ATAPI Port Driver
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 5.1.2600.5512 (xpsp.080413-2108)
Processor         : 32-bit
Crash Address     : atapi.sys+85f7
Stack Address 1   : atapi.sys+3b93
Stack Address 2   : atapi.sys+614b
Stack Address 3   : ntoskrnl.exe+6a437
Computer Name     : 
Full Path         : C:\WINDOWS\Minidump\Mini111712-01.dmp
Processors Count  : 1
Major Version     : 15
Minor Version     : 2600
Dump File Size    : 90,112
==================================================

==================================================
Dump File         : Mini111612-01.dmp
Crash Time        : 16/11/2012 18:27:57
Bug Check String  : DRIVER_IRQL_NOT_LESS_OR_EQUAL
Bug Check Code    : 0x100000d1
Parameter 1       : 0x44706351
Parameter 2       : 0x00000005
Parameter 3       : 0x00000000
Parameter 4       : 0xf746ed26
Caused By Driver  : atapi.sys
Caused By Address : atapi.sys+5d26
File Description  : IDE/ATAPI Port Driver
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 5.1.2600.5512 (xpsp.080413-2108)
Processor         : 32-bit
Crash Address     : atapi.sys+5d26
Stack Address 1   : atapi.sys+85ee
Stack Address 2   : atapi.sys+3b93
Stack Address 3   : atapi.sys+614b
Computer Name     : 
Full Path         : C:\WINDOWS\Minidump\Mini111612-01.dmp
Processors Count  : 1
Major Version     : 15
Minor Version     : 2600
Dump File Size    : 90,112
=================================================


by the way, I have run defragger again over night but the same thingn happened it slept too so I tunrned it off when I woke up this morning and when I turned it on again it said that it recovered from a seriuos problem, so perhaps bsod attacked again. This bsod showed up like twice this morning too. I hope logs can help to eliminate it.
 :/

I did chkdsk d:/ too but it didnt give me any log.

Ambucias · Answer

Dear Josh,

Thanks for the bsod log in which the codes show the nature of problems.

 Sorry but I have bad news.

I trust that you make regular back-ups as you may soon lose use of your second hand lappy.  It's clear to me now why the previous owner sold it.

1. The motherboard is overheating.

2. Worst, there several bad sectors on the hard disk which can only be repaired by a new hard disk.

Because of the above, the system and the OS is looking for memory but can't find it.

My suggestion is that you begin shopping for a new laptop.  A new machine will no doubt cost you less than a repair.

Best regards

bcn101 · Answer

hi ambucias,

I appreciate your help really. I am actually going to buy a new one and dump this poor old sony vaio, but I cant do that till early next year. Can it still survive like till March 2013? hahaha, can we have some tools to make its life a bit longer?

Ambucias · Answer

Tools for a HD with bad sectors and a sick mummy board ?

Take your lappy to the cathedral and pray Saint Jude, the patron saint of desperate causes.

If you don't use your laptop at all, chances are it will last till next March; mind you some predict the end of the world by the end of next month. Hence you are a winner all the way.

bcn101 · Answer

HI, you really made me laugh. By the way, is the case closed already? BSOD appeared again.. just a few minutes ago. :(

Ambucias · Answer

Hi,

The bsod will keep appearing for as long as you use the machine and this until your HD gives up on life, it is agonising.  I told you about the bad sectors and the overheating motherboard.  Only physical action from a qualified technician can repair and it's not worth your while.

Regards

bcn101 · Answer

HI there, thank you for the reply.. so it is onw way of saying that this case is already hopeless? I have seen like two comments from another person... what about it?

A very sick computer

53 responses

Subscribe To Our Newsletter!