TechSpot

DRIVER_IRQL_NOT_LESS_OR_EQUAL STOP: 0x000000D1

By amstuart
Aug 8, 2005
Topic Status:
Not open for further replies.
  1. Hi:

    Running WinXP on a Gateway system with no viruses, malware, adware, etc. I am getting the BSOD only when connecting to the Internet. After each reboot, I get the same error codes and Kypkjts- address F8AEF484. There is no mention of any devices. I uninstalled my Intel Pro/100 VE Network card, reinstalled, looked for updated drivers, etc. There is no hardware attached, no USB devices, and no conflicts in Device Manager. If I unplug my Ethernet cable, the computer runs fine. With the Ethernet cable attached, the BSOD appears seconds after clicking on the IE 6.0 icon on my desktop.

    Thanks.

    Adam
  2. cpc2004

    cpc2004 TS Rookie Posts: 2,044

    When Windows crashes with a blue screen, it writes a system event 1001 and a minidump to the folder \windows\minidump.
    Check system event 1001; it has the content of the blue screen.

    Event ID: 1001
    Source: Save Dump
    Description:
    The computer has rebooted from a bugcheck.The bugcheck was : 0xc000000a (0xe1270188, 0x00000002, 0x00000000, 0x804032100).
    Microsoft Windows..... A dump was saved in: .......


    Control Panel -> Administrative Tools -> Event Viewer -> System -> Event 1001. Copy the content and paste it back here.

    Zip 5 to 6 minidumps and attach the zip files here. I will study the dump and find out the culprit.
  3. amstuart

    amstuart TS Rookie Topic Starter

    BSOD Follow-up

    Hi:

    Sorry for the quick question. What program should be used to open the .dmp files? MS Word allows Windows Default, MS-DOS, or other encoding: the majority of the text is nonsense characters for any choice. Notepad and Wordpad also yield nonsense characters.

    Thanks.
  4. cpc2004

    cpc2004 TS Rookie Posts: 2,044

    Microsoft WinDbg
  5. amstuart

    amstuart TS Rookie Topic Starter

    MiniDmp Files

    Hi:

    Attached are 5 minidmp files. Hoping to hear good news.

    Thank you.

    Adam
  6. cpc2004

    cpc2004 TS Rookie Posts: 2,044

    This is the third time I have handled this problem. Your Windows is infected with a virus. The time stamp of the failing module kypkjts is the same as that of the failing module in the following case.

    http://www.computing.net/windows2000/wwwboard/forum/62004.html
    If you search for kypkjts on Google, you cannot find any hit. I also found the same problem at exchange-experts.
    http://www.experts-exchange.com/Operating_Systems/WinXP/Q_21412430.html

    Debug report of your minidumps
    BugCheck A, {fb4c0000, 2, 0, 804db48c}
    Probably caused by : kypkjts ( kypkjts+479 )
    f8aef000 f8af05e0 kypkjts kypkjts Mon Apr 18 22:31:48 2005 (4263C4D4)

    Run antivirus to make sure this Windows is not infected with a virus. Get rid of kypkjts.
  7. amstuart

    amstuart TS Rookie Topic Starter

    Minidmp results

    I appreciate the quick analysis. Since this is your third experience with this BSOD message, do you know which virus the OS was infected with? I have run updated Norton antiviral scans, MS Beta antispyware, Spyware Search and Destroy, Spyblaster is installed and updated, and WinPatrol is installed.
    I have GOOGLEd kypkjts+479 and can't find anything.

    Thanks.
  8. cpc2004

    cpc2004 TS Rookie Posts: 2,044

    This virus renames the infected module to another name. In your case it is kypkjts. In the other case at Experts Exchange, the infected module name is woouhwq. From the stack trace, the infected module is a network module. Unfortunately the problem owner at Computing.net never responded to my message. You may install HijackThis and post your HijackThis log here. You can find a lot of posts about HijackThis at this forum.

    Another hit of the same problem, where the infected module is wwackxt:
    http://forums.tomcoyote.org/Help_Badly_Infected_Computer-t35912.html

    Stack trace of your crash.
    STACK_TEXT:
    80555e24 f8aef479 fb4bfffc f8aef40e 00000005 nt!strncmp+0x14
    WARNING: Stack unwind information not available. Following frames may be wrong.
    80555e48 f8aefa1a fb4bfa88 00000578 80555e68 kypkjts+0x479
    80555f68 f8aefa95 fb4bfa88 00000578 8264f828 kypkjts+0xa1a
    80555fb0 f8aeff9e fb4bfa60 fb4bfa74 0000058c kypkjts+0xa95
    80555fe4 ee3afa8d 000005a0 00000002 80556028 kypkjts+0xf9e
    80556058 ee3af836 83028518 82907478 eeaa1bb8 tcpip!IPFreeBuff+0x1cc
    80556110 ee3ae922 82907478 eeaa1bcc 0000058c tcpip!IPRcvPacket+0x296
    80556150 ee3ae84d 00000000 82a33370 eeaa1baa tcpip!ARPRcvPacket+0x128
    8055618c f835dc9f 82fb0008 00000000 f7de0b40 tcpip!ARPRcvPacket+0x53
    805561e0 f7ddb01d 009e5698 82975590 00000001 NDIS!ethFilterDprIndicateReceivePacket+0x1c2
    805561f4 f7ddb1b4 83064130 82975590 00000001 psched!PsFlushReceiveQueue+0x15
    80556218 f7ddb5f9 82f19dc0 00000000 83064130 psched!PsEnqueueReceivePacket+0xda
    80556230 f835dd40 82f19db8 82d06580 82d06008 psched!ClReceiveComplete+0x13
    80556280 f7f83128 009e5698 805562a0 00000001 NDIS!ethFilterDprIndicateReceivePacket+0x5a4
    805563e8 f7f832e8 01d06008 00000000 831c7130 e100b325+0xa128
    80556410 f8353f09 00d06008 80560f00 ffdff9c0 e100b325+0xa2e8
    80556428 804dcd22 82d063f4 82d063e0 00000000 NDIS!ndisMDpcX+0x21
    80556440 80560ca0 ffdffc50 00000000 80560ca0 nt!KiRetireDpcList+0x61
    80556450 804dcc07 00000000 0000000e 00000000 nt!KiIdleThread0
  9. amstuart

    amstuart TS Rookie Topic Starter

    HijackThis Log-Thanks

    Logfile of HijackThis v1.99.1
    Scan saved at 12:43:08 PM, on 8/10/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\wbphj\rvkjlui.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Common Files\Symantec Shared\NMain.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\sbuawefa.slt\prefs.js)
    O1 - Hosts: 216.39.69.102 view.atdmt.com
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [WinPatrol Explorer] C:\Program Files\BillP Studios\WinPatrol\WinPatrolEx.exe
    O4 - HKLM\..\Run: [Norton AntiVirus Scanner Module] C:\Program Files\Norton AntiVirus\NAVW32.EXE
    O4 - HKLM\..\Run: [rvkjlui] C:\WINNT\system32\wbphj\rvkjlui.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [secure] C:\WINNT\System32\Bqqwes.exe
    O4 - HKLM\..\Run: [PaciSoft] C:\WINNT\System32\pacis.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [geccfqux] C:\WINNT\System32\brckpc.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINNT\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINNT\System32\shdocvw.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: mbgowhrobnwx - Unknown owner - C:\WINNT\system32\whrobnwx\mbgo.exe (file missing)
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
    O23 - Service: rvkjluiwbphj - Unknown owner - C:\WINNT\system32\wbphj\rvkjlui.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  10. cpc2004

    cpc2004 TS Rookie Posts: 2,044

    Your hijackthis analysis report
    http://www.hijackthis.de/logfiles/5252a35a435f0833cdbdac3d55fc6a67.html
    Remove the following unknown processes and application
    C:\WINNT\system32\wbphj\rvkjlui.exe
    C:\Program Files\BillP Studios\WinPatrol\WinPatrolEx.exe
    C:\Program Files\Norton AntiVirus\NAVW32.EXE
    C:\WINNT\System32\brckpc.exe
    C:\WINNT\system32\whrobnwx\mbgo.exe
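
An added triage example, not part of the original posts or of HijackThis itself: in the log above, the two services with no vendor and a meaningless name are both named as the executable's file name followed by its folder name (`rvkjlui` + `wbphj`, `mbgo` + `whrobnwx`), while the legitimate Epson service with "Unknown owner" is not. The sketch below flags that pattern and cross-references the `O4` Run entries; the function name `triage` and the rule itself are assumptions drawn from this one log, not a general malware signature.

```python
import re
from ntpath import basename, dirname, splitext

# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [rvkjlui] C:\WINNT\system32\wbphj\rvkjlui.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: mbgowhrobnwx - Unknown owner - C:\WINNT\system32\whrobnwx\mbgo.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: rvkjluiwbphj - Unknown owner - C:\WINNT\system32\wbphj\rvkjlui.exe
"""

# "O23 - Service: <name> - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
    r"(?P<path>[A-Za-z]:\\.+?)(?P<missing> \(file missing\))?$"
)
# "O4 - HKLM\..\Run: [<value>] <command line>"
O4_RE = re.compile(
    r"^O4 - HK\w+\\\.\.\\(?P<key>\w+): \[(?P<value>[^\]]+)\] (?P<cmd>.+)$"
)
# First full path ending in .exe inside a command line
EXE_RE = re.compile(r"[A-Za-z]:\\.*?\.exe", re.IGNORECASE)


def triage(log_text):
    """Return {lower-cased exe path: [reasons]} for entries worth a manual look."""
    findings = {}
    run_entries = []  # (registry value name, lower-cased exe path)

    for raw in log_text.splitlines():
        line = raw.strip()

        svc = O23_RE.match(line)
        if svc:
            path = svc["path"]
            stem = splitext(basename(path))[0].lower()
            folder = basename(dirname(path)).lower()
            # Pattern seen in this thread's log: a vendor-less service whose
            # name is exactly <exe stem><folder name>.
            if svc["owner"] == "Unknown owner" and svc["name"].lower() == stem + folder:
                reasons = findings.setdefault(path.lower(), [])
                reasons.append(
                    f"O23 service '{svc['name']}' = exe name + folder name, unknown owner"
                )
                if svc["missing"]:
                    reasons.append("service still registered but file missing")
            continue

        run = O4_RE.match(line)
        if run:
            exe = EXE_RE.search(run["cmd"])
            if exe:
                run_entries.append((run["value"], exe.group(0).lower()))

    # A second autostart for the same binary strengthens the finding;
    # done after the loop because O4 lines precede O23 lines in the log.
    for value, path in run_entries:
        if path in findings:
            findings[path].append(f"also started from Run value [{value}]")
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

The output is a shortlist for manual review; each flagged file still has to be checked before anything is deleted.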
  11. amstuart

    amstuart TS Rookie Topic Starter

    Hijackthis Follow-up

    Hi:

    Ran Ewido Trojan's/Malware Remover in SAFE mode, cleaned the Prefetch folder, deleted the HijackThis items that were bulleted, re-ran AdAware, cleaned temp files, ran Killbox, ran Cleanup!, and re-ran HijackThis. These entries remain:

    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab

    Not sure whether to try connecting the computer to the Internet or manually remove the above two items first?

    Adam
     
  12. amstuart

    amstuart TS Rookie Topic Starter

    BSOD Eliminated!

    Hi:

    Thank you for getting my computer back in business! I manually deleted the remaining items with KillBox.exe and everything appears fine after connecting to the Internet.

    A million thank-you's for your time and patience.

    Adam
  13. nicofede

    nicofede TS Rookie

    Driver_irql_not_less_or_equal

    Hi,
    I found the same issue since I installed an ADSL modem on my desktop: at my first access on the web I got the problem.
    Some people on the net argued that the problem could arise from a driver conflict of the different modems. I disabled all modems but the ADSL one, and I still get the error. Yet, this only happens when I get online.

    I updated and ran several times McAfee AV and Ad-Aware, cleaned up everything.
    I installed Autoruns, but cannot find a suspected entry.

    Do you have any suggestions?
  14. amstuart

    amstuart TS Rookie Topic Starter

    Advice on Driver IRQL error

    Hi:

    As the experts will admonish, what worked for me might not work for you, even though the Driver IRQL BSOD end-result is the same. The order of attack is important: look at topic 53181 on the Geekstogo forum. Post #2, written by Kc (Thatman) gave me great advice on how to solve the issue. I'm not sure how acceptable another forum's column would be to reproduce here (even though we are all friends), so email me privately and I can copy and paste the instructions if you would like.

    Adam
    amstuart@sprintmail.com
  15. p1ishr

    p1ishr TS Rookie

    Similar BSOD Problem

    Hello, I just finished installing a Netgear Gigabit Ethernet PCI card in a Dell Dimensions PC running MS Windows 2000 Pro and after rebooting, received the following BSOD (only if I'm physically connected to the cable/dsl router and the Internet connection is up):

    Stop: 0x000000D1 [0x00000018, 0x00000002, 0x00000000, 0xf879d4d8]

    DRIVER_IRQL_NOT_LESS_OR_EQUAL

    Due to some odd occurrences concerning the use of things Internet-enabled (mostly mail related such as MS Outlook and Yahoo Mail), I suspect a virus. Here are the results of running HiJackThis:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:52:29 PM, on 11/13/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\CTsvcCDA.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\drivers\KodakCCS.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\MsPMSPSv.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Norton Internet Security\ccPxySvc.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
    C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
    C:\Program Files\Creative\ShareDLL\MediaDet.Exe
    C:\Program Files\iM Networks\iM Radio Tuner\iM_Tray.exe
    C:\Documents and Settings\Claralita T Davis\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
    O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\RunOnce: [DelTmp] C:\DOCUME~1\CLARAL~1\LOCALS~1\Temp\Deltmp.exe /s
    O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
    O4 - HKCU\..\Run: [Taskbar] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: iM StartCenter.lnk = C:\Program Files\iM Networks\iM Radio Tuner\iM_Tray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O15 - Trusted Zone: http://staffweb.lib.clemson.edu
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiq001.webiqonline.com/WebIQ/bin/WebIQ.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/cpbrkpie.cab
    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.EXE
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
    O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    Also, here are the three zipped minidump files that were generated after three reboots with an active Internet connection present:



    No entries have been deleted yet after running HiJackThis.
  16. p1ishr

    p1ishr TS Rookie

    Re: Similar BSOD Problem

    Sorry...I sent the individual .dmp files instead of one .zip of all three...here is the zip:
  17. cpc2004

    cpc2004 TS Rookie Posts: 2,044

    Hi,

    Open a new thread for a new problem.
  18. bmdurr

    bmdurr TS Rookie

    I continue to have problems with errors on device drivers and saw the Hijack This reference so ran the free download and resulted in identifying several high threats - so had to purchase software to remove. Here is the log from Hijack This. Anyone who can understand and advise if identified threats were causing the problems (major concerns with Trojan/CWS combo)? Sorry for all the stuff - I had to delete a lot, not sure if I took out valuable stuff.

    <?xml version = "1.0"?>
    <Session START = "14 Nov 05 20:16:15" END = "14 Nov 05 20:16:15">
    <Information Version = "4.17" DatabaseVersion = "127" DataBaseDate = "8 Nov 2005"/>
    <PROCESS NAME = "C:\WINDOWS\system32\services.exe" MD5 = "c6ce6eec82f187615d1002bb3bb50ed4"/>
    <PROCESS NAME = "C:\WINDOWS\system32\lsass.exe" MD5 = "84885f9b82f4d55c6146ebf6065d75d2"/>
    <PROCESS NAME = "C:\WINDOWS\system32\Ati2evxx.exe" MD5 = "d24907c31a3004a560385e5048c72dd7"/>
    <PROCESS NAME = "C:\WINDOWS\system32\svchost.exe" MD5 = "8f078ae4ed187aaabc0a305146de6716"/>
    <PROCESS NAME = "C:\WINDOWS\system32\svchost.exe" MD5 = "8f078ae4ed187aaabc0a305146de6716"/>
    <PROCESS NAME = "C:\WINDOWS\System32\svchost.exe" MD5 = "8f078ae4ed187aaabc0a305146de6716"/>
    <PROCESS NAME = "C:\WINDOWS\System32\svchost.exe" MD5 = "8f078ae4ed187aaabc0a305146de6716"/>
    <PROCESS NAME = "C:\WINDOWS\System32\svchost.exe" MD5 = "8f078ae4ed187aaabc0a305146de6716"/>
    <PROCESS NAME = "C:\WINDOWS\system32\spoolsv.exe" MD5 = "da81ec57acd4cdc3d4c51cf3d409af9f"/>
    <PROCESS NAME = "C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" MD5 = "a80f0e7dc789150c3ae4f504e3b96b06"/>
    <PROCESS NAME = "C:\Program Files\Network Associates\VirusScan\mcshield.exe" MD5 = "fe7985dae11fa70829762c5af39dbb27"/>
    <PROCESS NAME = "C:\Program Files\Network Associates\VirusScan\vstskmgr.exe" MD5 = "dae0d925fa8d4aec46e924a136b93a32"/>
    <PROCESS NAME = "C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe" MD5 = "331b69d20d0983b93baf2f7e6daebb80"/>
    <PROCESS NAME = "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" MD5 = "0efee4f2d23ba2d8b27fba942106e0e1"/>
    <PROCESS NAME = "C:\WINDOWS\System32\svchost.exe" MD5 = "8f078ae4ed187aaabc0a305146de6716"/>
    <PROCESS NAME = "C:\WINDOWS\system32\wdfmgr.exe" MD5 = "ab0a7ca90d9e3d6a193905dc1715ded0"/>
    <PROCESS NAME = "C:\WINDOWS\System32\alg.exe" MD5 = "f1958fbf86d5c004cf19a5951a9514b7"/>
    <PROCESS NAME = "C:\WINDOWS\system32\Ati2evxx.exe" MD5 = "d24907c31a3004a560385e5048c72dd7"/>
    <PROCESS NAME = "C:\WINDOWS\Explorer.EXE" MD5 = "a0732187050030ae399b241436565e64"/>
    <PROCESS NAME = "C:\WINDOWS\System32\svchost.exe" MD5 = "8f078ae4ed187aaabc0a305146de6716"/>
    <PROCESS NAME = "C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe" MD5 = "3f261a8554d95d66009863dcff1b2f72"/>
    <PROCESS NAME = "C:\Program Files\Intuit\QAgent\QAGENT.EXE" MD5 = "5b55861c2ce7d72d8e55f98ffbf95fb8"/>
    <PROCESS NAME = "C:\WINDOWS\system32\carpserv.exe" MD5 = "ea3be7f5cdef0fe4df1bf6dbfe7abde0"/>
    <PROCESS NAME = "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" MD5 = "b5eca5948d7f8eaa00333231f33ea31a"/>
    <PROCESS NAME = "C:\WINDOWS\SOUNDMAN.EXE" MD5 = "d968b3259421c4a0627a62f4e0e96d6d"/>
    <PROCESS NAME = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" MD5 = "c6fa9370324cde99ec1c3f4a22a9be56"/>
    <PROCESS NAME = "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" MD5 = "7fdd96f93adbe7e986aabae0ca446011"/>
    <PROCESS NAME = "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" MD5 = "e4a7b1aa1e40676153a824ac00ec3450"/>
    <PROCESS NAME = "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe" MD5 = "78915c3ad0024bacd46f41bf02ee4415"/>
    <PROCESS NAME = "C:\Program Files\iTunes\iTunesHelper.exe" MD5 = "1c2b9fcd48112b0297b83e7fc43d1b42"/>
    <PROCESS NAME = "C:\Program Files\QuickTime\qttask.exe" MD5 = "3e7d91f24d28c968b92c85c7e2882eed"/>
    <PROCESS NAME = "C:\Program Files\Hewlett-Packard\HP OfficeJet Series 500\Bin\HPOstr05.exe" MD5 = "1666422fbd939586b1e54edad87e3c94"/>
    <PROCESS NAME = "C:\Program Files\iPod\bin\iPodService.exe" MD5 = "5590c0e3b40c924c2b94cb5868b8360a"/>
    <PROCESS NAME = "C:\Program Files\Hewlett-Packard\HP OfficeJet Series 500\bin\HPOVDX05.EXE" MD5 = "83fe7a2a31fab5afd2ba5ef8cb0bb530"/>
    <PROCESS NAME = "C:\WINDOWS\system32\hpoipm07.exe" MD5 = "dac39ffd1bce3b239616226b47594ab4"/>
    <PROCESS NAME = "C:\Program Files\Internet Explorer\iexplore.exe" MD5 = "e7484514c0464642be7b4dc2689354c8"/>
    <PROCESS NAME = "C:\Program Files\XoftSpy\XoftSpy.exe" MD5 = "8107deb204f560cd5e8326d6364f56db"/>
    <ScanningRegKeys>
    </ScanningRegKeys>
    <ScanningRegValues>
    </SW>
    <SW NAME = "Lycos Sidesearch">
    <REGVALUE VALUE = "Lycos Sidesearch Software\Microsoft\Internet Explorer\extensions\cmdmapping\{000007c6-17df-4438-92a4-de5537471ba3}"/>
    <REGVALUEFOUND NAME = "Software\Microsoft\Internet Explorer\extensions\cmdmapping\{000007c6-17df-4438-92a4-de5537471ba3}"/>
    </SW>
    <SW NAME = "Favoriteman">
    <REGVALUE VALUE = "Favoriteman software\microsoft\windows\counter"/>
    <REGVALUEFOUND NAME = "software\microsoft\windows\counter"/>
    </SW>
    <SW NAME = "Favoriteman">
    <REGVALUE VALUE = "Favoriteman software\microsoft\windows\server"/>
    <REGVALUEFOUND NAME = "software\microsoft\windows\server"/>
    </ScanningRegValues>
    <ScanningRegValuesChanged>
    </ScanningRegValuesChanged>
    <FILE PATH = "Trojan/CWS Combo C:\WINDOWS\system32\MSrev21.dll"/>
    <FILE PATH = "C:\WINDOWS\system32\MSrev21.dll"/>
    <FILE PATH = "Trojan/CWS Combo C:\WINDOWS\system32\MSrev41.dll"/>
    <FILE PATH = "C:\WINDOWS\system32\MSrev41.dll"/>
    <FILE PATH = "Favoriteman C:\WINDOWS\system32\vg.dat"/>
    <FILE PATH = "C:\WINDOWS\system32\vg.dat"/>
    </Scanning>

    <Information Message = "Starting to Quarantine 61 Items"/>
    <Quarantines>
    <QTFILE PATH = "C:\Program Files\XoftSpy\Quarantine\Quarantine14-11-2005-20-30-50.xpy" />
    <INFO ACTION = "Added"/>
    <INFO TIME = "14-11-2005-20-30-50"/>
    <REGVALUE RES = "{000007c6-17df-4438-92a4-de5537471ba3} = dword:00002008
    ">
    <REGVALUE RES = "counter = dword:00000001
    ">
    <REGVALUE RES = "server = www.f1organizer.com
    ">
    <QInformation Message = "Quarantining File Trojan/CWS Combo - C:\WINDOWS\system32\MSrev21.dll"/>
    <QInformation Message = "Quarantining File Trojan/CWS Combo - C:\WINDOWS\system32\MSrev41.dll"/>
    <QInformation Message = "Quarantining File Favoriteman - C:\WINDOWS\system32\vg.dat"/>
    <QInformation Message = "Quarantining File 247realmedia cookie -
    <Removal>
    <SW NAME = "Lycos Sidesearch">
    <REGVALUE NAME = "Software\Microsoft\Internet Explorer\extensions\cmdmapping\{000007c6-17df-4438-92a4-de5537471ba3}"/>
    <REGVALUE RES = "Successfully Removed"/>
    </SW>
    <SW NAME = "Favoriteman">
    <REGVALUE NAME = "software\microsoft\windows\counter"/>
    <REGVALUE RES = "Successfully Removed"/>
    <REGVALUE NAME = "software\microsoft\windows\server"/>
    <REGVALUE RES = "Successfully Removed"/>
    </SW>
    <SW NAME = "Trojan/CWS Combo">
    <FILE NAME = "C:\WINDOWS\system32\MSrev21.dll"/>
    <FILE RES = "C:\WINDOWS\system32\MSrev21.dll Successfully ReMoved"/>
    <FILE NAME = "C:\WINDOWS\system32\MSrev41.dll"/>
    <FILE RES = "C:\WINDOWS\system32\MSrev41.dll Successfully ReMoved"/>
    </SW>
    <SW NAME = "Favoriteman">
    <FILE NAME = "C:\WINDOWS\system32\vg.dat"/>
    <FILE RES = "C:\WINDOWS\system32\vg.dat Successfully ReMoved"/>
  19. cpc2004

    cpc2004 TS Rookie Posts: 2,044

    Hi,

    Open a new thread for a new problem.