BSOD & trouble shutting down

aero05

My MIL's computer wasn't used all summer and is now having troubles. Thanks in advance for the help!

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-11-06 15:39:33
Windows 6.0.6000 Harddisk0\DR0 -> \Device\0000004e Hitachi_ rev.V5CO
Running: eflilr4i.exe; Driver: C:\Users\bjames\AppData\Local\Temp\uxlyipoc.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8D27E9A6]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- EOF - GMER 1.0.15 ----



DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.6000.17037 BrowserJavaVersion: 1.6.0_24
Run by bjames at 15:43:40 on 2011-11-06
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1918.1030 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Windows\system32\schtasks.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\ctfmon.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe"
mRun: [<NO NAME>]
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avast] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
TCP: DhcpNameServer = 65.32.5.111 65.32.5.112
TCP: Interfaces\{53BD23A1-05C7-43D7-A86D-B2B242EFA34D} : DhcpNameServer = 65.32.5.111 65.32.5.112
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\bjames\appdata\roaming\mozilla\firefox\profiles\pi8nwz5s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-10-17 442200]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2007-1-1 320856]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2007-1-1 20568]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2007-1-1 54616]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-10-17 44768]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-11-9 1153368]
R3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\drivers\netr73.sys [2007-8-31 464384]
R3 xcbdaNtsc;ViXS Tuner Card (NTSC);c:\windows\system32\drivers\xcbda.sys [2007-9-7 156928]
.
=============== Created Last 30 ================
.
2011-11-06 20:42:37 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{cc6e74c1-b190-4cd7-b847-e828927b0591}\offreg.dll
2011-11-06 20:42:29 6668624 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{cc6e74c1-b190-4cd7-b847-e828927b0591}\mpengine.dll
2011-10-31 02:15:08 -------- d-----w- C:\PerfLogs
2011-10-25 13:57:45 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-25 12:05:43 -------- d-----w- c:\users\bjames\appdata\roaming\IrfanView
2011-10-25 12:05:42 -------- d-----w- c:\program files\IrfanView
2011-10-21 14:15:05 -------- d-----w- c:\users\bjames\appdata\roaming\Malwarebytes
2011-10-21 14:14:12 -------- d-----w- c:\programdata\Malwarebytes
2011-10-21 14:14:04 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-21 14:14:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-17 21:02:30 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-10-17 19:20:55 -------- d-----w- C:\6ec46e9af185638eb9a602b7ac0b68
.
==================== Find3M ====================
.
2011-09-06 20:45:29 41184 ----a-w- c:\windows\avastSS.scr
2011-09-06 20:36:26 54616 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
.
============= FINISH: 15:45:32.06 ===============


Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8016

Windows 6.0.6000 (Safe Mode)
Internet Explorer 7.0.6000.17037

11/6/2011 12:35:48 PM
mbam-log-2011-11-06 (12-35-48).txt

Scan type: Quick scan
Objects scanned: 165580
Time elapsed: 1 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
I can't see anything nasty in the above log, but I notice that Windows Defender is running alongside Avast. You should not run two antivirus programs side by side as this can reduce your system's security and cause conflicts. Disable Windows Defender.

Have you had any previous antivirus programs installed on the system? There appear to be some entries relating to Norton. If you did have Norton installed, then please run this Removal Tool to clean out all the remnants.
Norton Uninstall Tool

After this, if the system continues to have BSODs please attach the minidumps to your next post for analysis. Here's how:

First locate your minidump files. They are usually found by clicking on your C: drive in Windows Explorer, then clicking on Windows to view the contents. If your operating system is installed under a different drive letter, then look there. They should be stored under a file called minidump. The files will have a .dmp extension.

Zip up at least 6 of the most recent files into one zip folder and save it on your desktop (if there are fewer then just zip up what you have).

NOTE: To zip up a file in Windows (all versions), right-click the file or folder, click on Send To, and then click Compressed (zipped) Folder and save it to your desktop.
Open Windows Explorer, click on Desktop in the left column so you can see the zip file. In the left column click on C: > Windows > Minidump and then drag & drop any additional .dmp files into the zip folder.



• Below the Message Box click on Go Advanced. Then scroll down until you see a button, Manage Attachments. Click on that and a new window opens.
• Click on the Browse button, find the zip folder you made earlier and double-click on it.
• Now click on the Upload button. When done, click on the Close this window button at the bottom of the page.
• Enter your message-text in the message box, then click on Submit Message/Reply.
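The check Mark56 made by eye on the DDS log above (Windows Defender beside avast!, Symantec leftovers) written as a small parser over DDS's `====== Section ======` blocks. This is an added example, not code from the thread or from DDS; the sample input is an excerpt of the log posted above, and which vendors count as real-time scanners is this example's own assumption.

```python
import re
from collections import defaultdict

# (path pattern, treated as a real-time scanner) per vendor; the second column is
# an assumption made for this example, DDS itself does not classify products.
VENDORS = {
    "avast": (r"alwil software\\avast|\\asw[a-z]+\.sys", True),
    "Windows Defender": (r"\\windows defender\\", True),
    "Symantec/Norton": (r"\\symantec", False),  # LiveUpdate/PIF leftovers, not a scanner
    "Spybot S&D": (r"spybot - search & destroy|spybot~1", False),
}
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")  # e.g. "===== Running Processes ====="

def split_sections(log_text):
    """Return {section title: [lines]}; DDS pads sections with bare '.' lines."""
    sections, current = defaultdict(list), "HEADER"
    for line in log_text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
        elif line.strip() not in ("", "."):
            sections[current].append(line.rstrip())
    return sections

def inventory(log_text, wanted=("Running Processes", "SERVICES / DRIVERS")):
    """Map vendor name -> log lines that reference it, across the wanted sections."""
    sections, found = split_sections(log_text), defaultdict(list)
    for line in (ln for s in wanted for ln in sections[s]):
        for vendor, (pattern, _) in VENDORS.items():
            if re.search(pattern, line.lower()):
                found[vendor].append(line)
    return dict(found)

def realtime_overlap(log_text):
    return sorted(v for v in inventory(log_text) if VENDORS[v][1])

# Constructed excerpt: lines lifted from the DDS log posted above.
SAMPLE = r"""
============== Running Processes ===============
.
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Windows Defender\MSASCui.exe
============= SERVICES / DRIVERS ===============
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2007-1-1 320856]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-11-9 1153368]
"""
if __name__ == "__main__":
    print({v: len(h) for v, h in inventory(SAMPLE).items()}, realtime_overlap(SAMPLE))
```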
 
Thanks for the quick response, Mark56. I didn't realize that Defender was running, so I turned it off. Also ran the Norton Uninstall.

The computer ran fine, I was able to start and shut down without incident. I ran MalwareBytes again with no problem, but when I ran SpyBot the computer froze. Did a hard shutdown and now it just goes to a black screen with the cursor blinking... unable to get it to restart.

What now? (I'm posting from another computer.)
 
I am beginning to think this may be an infection, but there are a couple more things you can try.

First see if it will boot into Safe Mode.

Second, remove all but one of the RAM sticks and see if it will boot into Normal mode. If not, swap the sticks so you try to start it with each stick one at a time.
 
Computer was able to boot up no problem this morning in regular mode. Started and shut down several times.

Then I tried it in safe mode, starting and shutting down with no issues. Also removed and switched around the RAM, started and shut down several times with no issues on each stick.

So, right now it is running fine. Any ideas on why it started up this morning okay, but was frozen yesterday?
 
Sometimes these things happen and are usually due to a hardware problem, i.e. a loose connection. Now the fault has disappeared there is nothing to look for; you just have to keep your fingers crossed it doesn't return.

You could take a chance and run Spybot again and see if it freezes. Personally I would replace Spybot with SuperAntiSpyware which is more highly rated and less of a memory hog. To uninstall Spybot you first need to disable Teatimer.exe in the Task Manager.
 
Thanks Mark56. I will take your recommendation by removing Spybot and replacing it with SuperAntiSpyware.

Consider this one resolved and I'll repost if I run into problems down the road.

Thanks again for your help and quick responses... it is much appreciated!!!
 
ntkrnlpa.exe ntkrnlpa.exe+77766 BSOD

Hi,

Please can someone help me with my BSOD.

My machine can't shutdown. I used blue screen viewer and found that the following files were causing it. I'm having trouble doing a bugcheck and finding out which drivers are causing this problem.


halmacpi.dll halmacpi.dll+5b48 0x83802000 0x83839000 0x00037000 0x4ce788d2 2010/11/20 10:37:38 Microsoft® Windows® Operating System Hardware Abstraction Layer DLL 6.1.7601.17514 (win7sp1_rtm.101119-1850) Microsoft Corporation C:\Windows\system32\halmacpi.dll
ntkrnlpa.exe ntkrnlpa.exe+77766 0x83839000 0x83c4b000 0x00412000 0x4e02a389 2011/06/23 04:23:05 Microsoft® Windows® Operating System NT Kernel & System 6.1.7601.17640 (win7sp1_gdr.110622-1506) Microsoft Corporation C:\Windows\system32\ntkrnlpa.exe


Please can someone help me as this is really frustrating.
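As an added example (not code from the thread or from BlueScreenView), this parses the two rows quoted above: the `module+offset` column is relative to the From address, the hex Time Stamp is the module's PE link time in seconds since the Unix epoch, and the Time String is that same value shown in the viewer's local time. The column order follows BlueScreenView's display; the regex and the helper names are this example's own.

```python
import re
from datetime import datetime, timezone

# BlueScreenView row: Filename, Address In Stack (module+offset), From, To, Size,
# Time Stamp, Time String, free-text product/description/version/company, full path.
ROW_RE = re.compile(
    r"^(?P<file>\S+)\s+(?P<stack>\S+?)\+(?P<off>[0-9a-f]+)\s+"
    r"(?P<base>0x[0-9a-f]+)\s+(?P<end>0x[0-9a-f]+)\s+(?P<size>0x[0-9a-f]+)\s+"
    r"(?P<ts>0x[0-9a-f]+)\s+(?P<when>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\s+"
    r"(?P<desc>.*?)\s+(?P<path>\S+)$", re.IGNORECASE)

def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for key in ("off", "base", "end", "size", "ts"):  # hex columns -> int
                d[key] = int(d[key], 16)
            rows.append(d)
    return rows

def crash_address(row):
    """'module+offset' is relative to the From address, so absolute = base + offset."""
    return row["base"] + row["off"]

def in_module(row):
    """True if the address lies inside [From, To) and Size equals that range."""
    addr = crash_address(row)
    return row["base"] <= addr < row["end"] and row["end"] - row["base"] == row["size"]

def build_time_utc(row):
    """Time Stamp is the module's PE link time: seconds since the Unix epoch."""
    return datetime.fromtimestamp(row["ts"], timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def display_offset_hours(row):
    """Distance between the Time String (viewer's local time) and the UTC value."""
    shown = datetime.strptime(row["when"], "%Y/%m/%d %H:%M:%S")
    utc = datetime.fromtimestamp(row["ts"], timezone.utc).replace(tzinfo=None)
    return (shown - utc).total_seconds() / 3600

# The two rows posted above, used here as sample input.
SAMPLE = r"""
halmacpi.dll halmacpi.dll+5b48 0x83802000 0x83839000 0x00037000 0x4ce788d2 2010/11/20 10:37:38 Microsoft® Windows® Operating System Hardware Abstraction Layer DLL 6.1.7601.17514 (win7sp1_rtm.101119-1850) Microsoft Corporation C:\Windows\system32\halmacpi.dll
ntkrnlpa.exe ntkrnlpa.exe+77766 0x83839000 0x83c4b000 0x00412000 0x4e02a389 2011/06/23 04:23:05 Microsoft® Windows® Operating System NT Kernel & System 6.1.7601.17640 (win7sp1_gdr.110622-1506) Microsoft Corporation C:\Windows\system32\ntkrnlpa.exe
"""
if __name__ == "__main__":
    for r in parse_rows(SAMPLE):
        print(f"{r['file']}: fault {crash_address(r):#010x} in module={in_module(r)}, "
              f"linked {build_time_utc(r)} UTC, shown as UTC{display_offset_hours(r):+.0f}")
```

Both rows are Microsoft's own HAL and kernel image, i.e. where the faulting instruction was found rather than necessarily the driver that caused it, which is why attaching the minidump for a debugger to walk the stack is the useful next step.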
 
Minidump

Here are the minidumps for my crash. Please, your help is much appreciated.
 

Attachments: 110711-322766-01minidump.zip (47.5 KB)