BSOD & trouble shutting down

By aero05
Nov 13, 2011
Post New Reply
  1. My MIL's computer wasn't used all summer and is now having troubles. Thanks in advance for the help!

    GMER -
    Rootkit quick scan 2011-11-06 15:39:33
    Windows 6.0.6000 Harddisk0\DR0 -> \Device\0000004e Hitachi_ rev.V5CO
    Running: eflilr4i.exe; Driver: C:\Users\bjames\AppData\Local\Temp\uxlyipoc.sys

    ---- System - GMER 1.0.15 ----

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8D27E9A6]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

    ---- EOF - GMER 1.0.15 ----

    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 7.0.6000.17037 BrowserJavaVersion: 1.6.0_24
    Run by bjames at 15:43:40 on 2011-11-06
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1918.1030 [GMT -5:00]
    ============== Running Processes ===============
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Windows\system32\svchost.exe -k hpdevmgmt
    c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    C:\Windows\System32\svchost.exe -k swprv
    ============== Pseudo HJT Report ===============
    uStart Page = hxxp://
    mStart Page = hxxp://
    mDefault_Page_URL = hxxp://
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
    mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe"
    mRun: [<NO NAME>]
    mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [avast] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
    mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
    IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
    IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    TCP: DhcpNameServer =
    TCP: Interfaces\{53BD23A1-05C7-43D7-A86D-B2B242EFA34D} : DhcpNameServer =
    ================= FIREFOX ===================
    FF - ProfilePath - c:\users\bjames\appdata\roaming\mozilla\firefox\profiles\pi8nwz5s.default\
    FF - prefs.js: browser.startup.homepage - hxxp://
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    ============= SERVICES / DRIVERS ===============
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-10-17 442200]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2007-1-1 320856]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2007-1-1 20568]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2007-1-1 54616]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-10-17 44768]
    R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-11-9 1153368]
    R3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\drivers\netr73.sys [2007-8-31 464384]
    R3 xcbdaNtsc;ViXS Tuner Card (NTSC);c:\windows\system32\drivers\xcbda.sys [2007-9-7 156928]
    =============== Created Last 30 ================
    2011-11-06 20:42:37 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{cc6e74c1-b190-4cd7-b847-e828927b0591}\offreg.dll
    2011-11-06 20:42:29 6668624 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{cc6e74c1-b190-4cd7-b847-e828927b0591}\mpengine.dll
    2011-10-31 02:15:08 -------- d-----w- C:\PerfLogs
    2011-10-25 13:57:45 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-25 12:05:43 -------- d-----w- c:\users\bjames\appdata\roaming\IrfanView
    2011-10-25 12:05:42 -------- d-----w- c:\program files\IrfanView
    2011-10-21 14:15:05 -------- d-----w- c:\users\bjames\appdata\roaming\Malwarebytes
    2011-10-21 14:14:12 -------- d-----w- c:\programdata\Malwarebytes
    2011-10-21 14:14:04 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-10-21 14:14:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-10-17 21:02:30 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-10-17 19:20:55 -------- d-----w- C:\6ec46e9af185638eb9a602b7ac0b68
    ==================== Find3M ====================
    2011-09-06 20:45:29 41184 ----a-w- c:\windows\avastSS.scr
    2011-09-06 20:36:26 54616 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    ============= FINISH: 15:45:32.06 ===============

    Malwarebytes' Anti-Malware

    Database version: 8016

    Windows 6.0.6000 (Safe Mode)
    Internet Explorer 7.0.6000.17037

    11/6/2011 12:35:48 PM
    mbam-log-2011-11-06 (12-35-48).txt

    Scan type: Quick scan
    Objects scanned: 165580
    Time elapsed: 1 minute(s), 58 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
  2. Mark56

    Mark56 TechSpot Paladin Posts: 1,889

    I can't see anything nasty in the above log but I notice that Windows Defender is running alongside Avast. You should not run two Anti Virus programs side by side as this can reduce your systems security and cause conflicts. Disable Windows Defender.

    Have you had any previous Anti Virus programs installed on the system, there appears to be some entries relating to Norton. If you did have Norton installed then please run this Removal Tool to clean out all the remnants.
    Norton Uninstall Tool

    After this, if the system continues to have BSOD's please attach the minidumps to your next post for analysis. Here's how:

  3. aero05

    aero05 TS Rookie Topic Starter Posts: 41

    Thanks for the quick response Mark56. I didn't realize that Defender was running, so I turned it off. Also ran the Norton Uninstall.

    The computer ran fine, I was able to start and shut down without incident. I ran MalwareBytes again with no problem, but when I ran SpyBot the computer froze. Did a hard shutdown and now it just goes to a black screen with the cursor blinking... unable to get it to restart.

    What now? (I'm posting from another computer.)
  4. Mark56

    Mark56 TechSpot Paladin Posts: 1,889

    I am beginning to think this may be an infection, but there are a couple more things you can try.

    First see if it will boot into Safe Mode.

    Second, remove all but one of the RAM sticks and see if it will boot into Normal mode, if not, swap the sticks so you try and start it with each stick one at a time.
  5. aero05

    aero05 TS Rookie Topic Starter Posts: 41

    Computer was able to boot up no problem this morning in regular mode. Started and shutdown several times.

    Then I tried it in safe mode, starting and shutting down with no issues. Also removed and switched around the RAM, started and shut down several times with no issues on each stick.

    So, right now it is running fine. Any ideas on why it started up this morning okay, but was frozen yesterday?
  6. Mark56

    Mark56 TechSpot Paladin Posts: 1,889

    Sometimes these things happen and are usually due to a hardware problem, i.e. a loose connection. Now the fault has dissapeared there is nothing to look for, just have to keep your fingers crossed it doesn't return.

    You could take a chance and run Spybot again and see if it freezes. Personally I would replace Spybot with SuperAntiSpyware which is more highly rated and less of a memory hog. To uninstall Spybot you first need to disable Teatimer.exe in the Task Manager.
  7. aero05

    aero05 TS Rookie Topic Starter Posts: 41

    Thanks Mark56. I will take your recommendation by removing Spybot and replacing it with SuperAntiSpyware.

    Consider this one resolved and I'll repost if I run into problems down the road.

    Thanks again for your help and quick responses... its is much appreciated!!!
  8. Mark56

    Mark56 TechSpot Paladin Posts: 1,889

    Your welcome and I'll keep my fingers crossed for you.
  9. jcv365

    jcv365 TS Rookie

    ntkrnlpa.exe ntkrnlpa.exe+77766 BSOD


    Please can someone help me with my bsod.

    My machine can't shutdown. I used blue screen viewer and found that the following files were causing it. I'm having trouble doing a bugcheck and finding out which drivers are causing this problem.

    halmacpi.dll halmacpi.dll+5b48 0x83802000 0x83839000 0x00037000 0x4ce788d2 2010/11/20 10:37:38 Microsoft® Windows® Operating System Hardware Abstraction Layer DLL 6.1.7601.17514 (win7sp1_rtm.101119-1850) Microsoft Corporation C:\Windows\system32\halmacpi.dll
    ntkrnlpa.exe ntkrnlpa.exe+77766 0x83839000 0x83c4b000 0x00412000 0x4e02a389 2011/06/23 04:23:05 Microsoft® Windows® Operating System NT Kernel & System 6.1.7601.17640 (win7sp1_gdr.110622-1506) Microsoft Corporation C:\Windows\system32\ntkrnlpa.exe

    Please can someone help me as this is really frustrating.
  10. jcv365

    jcv365 TS Rookie


    Here is the minidumps for my crash. Please your help is much appreciated.

    Attached Files:

  11. Mark56

    Mark56 TechSpot Paladin Posts: 1,889

    jcv365, please read the site rules, you must start your own thread to get assistance.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...