Hi:

Running WinXP on a Gateway system with no viruses, malware, adware, etc. I am getting the BSOD only when connecting to the Internet. After each reboot, I get the same error codes and Kypkjts- address F8AEF484. There is no mention of any devices. I uninstalled my Intel Pro/100 VE Network card, reinstalled, looked for updated drivers, etc. There is no hardware attached, no USB devices, and no conflicts in Device Manager. If I unplug my Ethernet cable, the computer runs fine. With the Ethernet cable attached, the BSOD appears seconds after clicking on the IE 6.0 icon on my desktop.

Thanks.

Adam

When Windows crashes with blue screen, it writes a system event 1001 and a minidump to the folder \windows\minidump
Check system event 1001 and it has the content of the blue screen

Event ID: 1001
Source: Save Dump
Description:
The computer has rebooted from a bugcheck.The bugcheck was : 0xc000000a (0xe1270188, 0x00000002, 0x00000000, 0x804032100).
Microsoft Windows..... A dump was saved in: .......


Control Panel -> Adminstrative Tools -> Event Viewer -> System -> Event 1001. Copy the content and paste it back here

Zip 5 to 6 minidumps and attach the zip files here. I will study the dump and find out the culprit.

BSOD Follow-up

Hi:

Sorry for the quick question. What program should be used to open the .dmp files? MS Word allows Windows Default, MS-DOS, or other encoding: the majority of the text is nonsense characters for any choice. Notepad and Wordpad also yield nonsense characters.

Thanks.

microsoft windbg

MiniDmp Files

Hi:

Attached are 5 minidmp files. Hoping to hear good news.

Thank you.

Adam

This is the third time I handle this problem. Your windows is infected with virus. The time stamp of failing module of kypkjts is the same as the failing module of the following case.

http://www.computing.net/windows2000/wwwboard/forum/62004.html
If you search kypkjts at google, you cannot find any hit. I also find the same problem at exchange-experts.
http://www.experts-exchange.com/Operating_Systems/WinXP/Q_21412430.html

Debug report of your minidumps
BugCheck A, {fb4c0000, 2, 0, 804db48c}
Probably caused by : kypkjts ( kypkjts+479 )
f8aef000 f8af05e0 kypkjts kypkjts Mon Apr 18 22:31:48 2005 (4263C4D4)

Run antivirus to make sure this windows does not infect with virus. Get rid of kypkjts.

Minidmp results

I appreciate the quick analysis. Since this is your thirs experience with this BSOD message, do you know which virus the OS was infected with? I have run updated Norton antiviral scans, MS Beta antispyware, Spyware Search and Destroy, Spyblaster is installed and updated, and WinPatrol is installed.
I have GOOGLEd kypkjts+479 and can't find anything.

Thanks.

This virus rename the infected module to another name. For your case it is kypkjts. For the another case at expert exchange, the infected module name is woouhwq. From the stack trace, the infected module is a network module. Unfortunately the problem owner at Computing.net never respond to my message. You may install hijackthis and post your hijackthis log here. You can find a lot of posts of hijackthis at this forum.

Another hit of the same problem and the infected module is wwackxt
http://forums.tomcoyote.org/Help_Badly_Infected_Computer-t35912.html

Stack trace of your crash.
STACK_TEXT:
80555e24 f8aef479 fb4bfffc f8aef40e 00000005 nt!strncmp+0x14
WARNING: Stack unwind information not available. Following frames may be wrong.
80555e48 f8aefa1a fb4bfa88 00000578 80555e68 kypkjts+0x479
80555f68 f8aefa95 fb4bfa88 00000578 8264f828 kypkjts+0xa1a
80555fb0 f8aeff9e fb4bfa60 fb4bfa74 0000058c kypkjts+0xa95
80555fe4 ee3afa8d 000005a0 00000002 80556028 kypkjts+0xf9e
80556058 ee3af836 83028518 82907478 eeaa1bb8 tcpip!IPFreeBuff+0x1cc
80556110 ee3ae922 82907478 eeaa1bcc 0000058c tcpip!IPRcvPacket+0x296
80556150 ee3ae84d 00000000 82a33370 eeaa1baa tcpip!ARPRcvPacket+0x128
8055618c f835dc9f 82fb0008 00000000 f7de0b40 tcpip!ARPRcvPacket+0x53
805561e0 f7ddb01d 009e5698 82975590 00000001 NDIS!ethFilterDprIndicateReceivePacket+0x1c2
805561f4 f7ddb1b4 83064130 82975590 00000001 psched!PsFlushReceiveQueue+0x15
80556218 f7ddb5f9 82f19dc0 00000000 83064130 psched!PsEnqueueReceivePacket+0xda
80556230 f835dd40 82f19db8 82d06580 82d06008 psched!ClReceiveComplete+0x13
80556280 f7f83128 009e5698 805562a0 00000001 NDIS!ethFilterDprIndicateReceivePacket+0x5a4
805563e8 f7f832e8 01d06008 00000000 831c7130 e100b325+0xa128
80556410 f8353f09 00d06008 80560f00 ffdff9c0 e100b325+0xa2e8
80556428 804dcd22 82d063f4 82d063e0 00000000 NDIS!ndisMDpcX+0x21
80556440 80560ca0 ffdffc50 00000000 80560ca0 nt!KiRetireDpcList+0x61
80556450 804dcc07 00000000 0000000e 00000000 nt!KiIdleThread0

HijackThis Log-Thanks

Logfile of HijackThis v1.99.1
Scan saved at 12:43:08 PM, on 8/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\wbphj\rvkjlui.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\sbuawefa.slt\prefs.js)
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WinPatrol Explorer] C:\Program Files\BillP Studios\WinPatrol\WinPatrolEx.exe
O4 - HKLM\..\Run: [Norton AntiVirus Scanner Module] C:\Program Files\Norton AntiVirus\NAVW32.EXE
O4 - HKLM\..\Run: [rvkjlui] C:\WINNT\system32\wbphj\rvkjlui.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [secure] C:\WINNT\System32\Bqqwes.exe
O4 - HKLM\..\Run: [PaciSoft] C:\WINNT\System32\pacis.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [geccfqux] C:\WINNT\System32\brckpc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: mbgowhrobnwx - Unknown owner - C:\WINNT\system32\whrobnwx\mbgo.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: rvkjluiwbphj - Unknown owner - C:\WINNT\system32\wbphj\rvkjlui.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Your hijackthis analysis report
http://www.hijackthis.de/logfiles/5252a35a435f0833cdbdac3d55fc6a67.html
Remove the following unknown processes and application
C:\WINNT\system32\wbphj\rvkjlui.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrolEx.exe
C:\Program Files\Norton AntiVirus\NAVW32.EXE
C:\WINNT\System32\brckpc.exe
C:\WINNT\system32\whrobnwx\mbgo.exe

Hijackthis Follow-up

Hi:

Ran Ewido Trojan's/Malware Remover in SAFE mode, cleaned the Prefetch folder, deleted the HijackThis items that were bulleted, re-ran AdAware, cleaned temp files, ran Killbox, ran Cleanup!, and re-ran HijackThis. These entries remain:

O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab

Not sure whether to try connecting the computer to the Internet or manually remove the above two items first?

Adam

BSOD Eliminated!

Hi:

Thank you for getting my computer back in business! I manually deleted the remaining items with KillBox.exe and everything appears fine after connecting to the Internet.

A million thank-you's for your time and patience.

Adam

Driver_irql_not_less_or_equal

Hi,
I found the same issue since I installed an ADSL modem on my desktop: at my first access on the web I got the problem.
Some people on the net argued that the problem could reise from a driver conflict of the different modems. I disabled all modems but the ADSL one, and I still get the error. Yet, this only happens when I get online.

I updated and ran several times McAfee AV and Ad-Aware, cleaned up everything.
I installed Autoruns, but cannot find a suspected entry.

Do you have any suggestions?

Advice on Driver IRQL error

Hi:

As the experts will admonish, what worked for me might not work for you, even though the Driver IRQL BSOD end-result is the same. The order of attack is important: look at topic 53181 on the Geekstogo forum. Post #2, written by Kc (Thatman) gave me great advice on how to solve the issue. I'm not sure how acceptable another forum's column would be to reproduce here (even though we are all friends), so email me privately and I can copy and paste the instructions if you would like.

Adam
amstuart@sprintmail.com

Similar BSOD Problem

Hello, I just finished installing a Netgear Gigabit Ethernet PCI card in a Dell Dimensions PC running MS Windows 2000 Pro and after rebooting, received the following BSOD (only if I'm physically connected to the cable/dsl router and the Internet connection is up:

Stop: 0x000000D1 [0x00000018, 0x00000002, 0x00000000, 0xf879d4d8]

DRIVER_IRQL_NOT_LESS_OR_EQUAL

Due to some odd occurances concerning the use of things Internet-enabled (mostly mail related such as MS Outlook and Yahoo Mail), I suspect a virus. Here are the results of running HiJackThis:

Logfile of HijackThis v1.99.1
Scan saved at 10:52:29 PM, on 11/13/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\iM Networks\iM Radio Tuner\iM_Tray.exe
C:\Documents and Settings\Claralita T Davis\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\RunOnce: [DelTmp] C:\DOCUME~1\CLARAL~1\LOCALS~1\Temp\Deltmp.exe /s
O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
O4 - HKCU\..\Run: [Taskbar] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: iM StartCenter.lnk = C:\Program Files\iM Networks\iM Radio Tuner\iM_Tray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O15 - Trusted Zone: http://staffweb.lib.clemson.edu
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiq001.webiqonline.com/WebIQ/bin/WebIQ.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/cpbrkpie.cab
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Also, here are the three zipped minidump files that were generated after three reboots with an active Internet connection present:



No entries have been deleted yet after running HiJackThis>

Re: Similar BSOD Problem

Sorry...I sent the individual .dmp files instead of one .zip of all three...here is the zip:

Hi,

One a new thread for a new problem.

I continue to have problems with errors on device drivers and saw the Hijack This reference so ran the free download and resulted in identifying several high threats - so had to purchase software to remove. Here is the log from Hijack This. Anyone who can understand and advise if identified threats were causing the problems (major concerns with Trojan/CWS combo)? Sorry for all the stuff - I to delete alot not sure if took out valuable stuff.

<?xml version = "1.0"?>
<Session START = "14 Nov 05 20:16:15" END = "14 Nov 05 20:16:15">
<Information Version = "4.17" DatabaseVersion = "127" DataBaseDate = "8 Nov 2005"/>
<PROCESS NAME = "C:\WINDOWS\system32\services.exe" MD5 = "c6ce6eec82f187615d1002bb3bb50ed4"/>
<PROCESS NAME = "C:\WINDOWS\system32\lsass.exe" MD5 = "84885f9b82f4d55c6146ebf6065d75d2"/>
<PROCESS NAME = "C:\WINDOWS\system32\Ati2evxx.exe" MD5 = "d24907c31a3004a560385e5048c72dd7"/>
<PROCESS NAME = "C:\WINDOWS\system32\svchost.exe" MD5 = "8f078ae4ed187aaabc0a305146de6716"/>
<PROCESS NAME = "C:\WINDOWS\system32\svchost.exe" MD5 = "8f078ae4ed187aaabc0a305146de6716"/>
<PROCESS NAME = "C:\WINDOWS\System32\svchost.exe" MD5 = "8f078ae4ed187aaabc0a305146de6716"/>
<PROCESS NAME = "C:\WINDOWS\System32\svchost.exe" MD5 = "8f078ae4ed187aaabc0a305146de6716"/>
<PROCESS NAME = "C:\WINDOWS\System32\svchost.exe" MD5 = "8f078ae4ed187aaabc0a305146de6716"/>
<PROCESS NAME = "C:\WINDOWS\system32\spoolsv.exe" MD5 = "da81ec57acd4cdc3d4c51cf3d409af9f"/>
<PROCESS NAME = "C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" MD5 = "a80f0e7dc789150c3ae4f504e3b96b06"/>
<PROCESS NAME = "C:\Program Files\Network Associates\VirusScan\mcshield.exe" MD5 = "fe7985dae11fa70829762c5af39dbb27"/>
<PROCESS NAME = "C:\Program Files\Network Associates\VirusScan\vstskmgr.exe" MD5 = "dae0d925fa8d4aec46e924a136b93a32"/>
<PROCESS NAME = "C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe" MD5 = "331b69d20d0983b93baf2f7e6daebb80"/>
<PROCESS NAME = "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" MD5 = "0efee4f2d23ba2d8b27fba942106e0e1"/>
<PROCESS NAME = "C:\WINDOWS\System32\svchost.exe" MD5 = "8f078ae4ed187aaabc0a305146de6716"/>
<PROCESS NAME = "C:\WINDOWS\system32\wdfmgr.exe" MD5 = "ab0a7ca90d9e3d6a193905dc1715ded0"/>
<PROCESS NAME = "C:\WINDOWS\System32\alg.exe" MD5 = "f1958fbf86d5c004cf19a5951a9514b7"/>
<PROCESS NAME = "C:\WINDOWS\system32\Ati2evxx.exe" MD5 = "d24907c31a3004a560385e5048c72dd7"/>
<PROCESS NAME = "C:\WINDOWS\Explorer.EXE" MD5 = "a0732187050030ae399b241436565e64"/>
<PROCESS NAME = "C:\WINDOWS\System32\svchost.exe" MD5 = "8f078ae4ed187aaabc0a305146de6716"/>
<PROCESS NAME = "C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe" MD5 = "3f261a8554d95d66009863dcff1b2f72"/>
<PROCESS NAME = "C:\Program Files\Intuit\QAgent\QAGENT.EXE" MD5 = "5b55861c2ce7d72d8e55f98ffbf95fb8"/>
<PROCESS NAME = "C:\WINDOWS\system32\carpserv.exe" MD5 = "ea3be7f5cdef0fe4df1bf6dbfe7abde0"/>
<PROCESS NAME = "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" MD5 = "b5eca5948d7f8eaa00333231f33ea31a"/>
<PROCESS NAME = "C:\WINDOWS\SOUNDMAN.EXE" MD5 = "d968b3259421c4a0627a62f4e0e96d6d"/>
<PROCESS NAME = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" MD5 = "c6fa9370324cde99ec1c3f4a22a9be56"/>
<PROCESS NAME = "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" MD5 = "7fdd96f93adbe7e986aabae0ca446011"/>
<PROCESS NAME = "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" MD5 = "e4a7b1aa1e40676153a824ac00ec3450"/>
<PROCESS NAME = "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe" MD5 = "78915c3ad0024bacd46f41bf02ee4415"/>
<PROCESS NAME = "C:\Program Files\iTunes\iTunesHelper.exe" MD5 = "1c2b9fcd48112b0297b83e7fc43d1b42"/>
<PROCESS NAME = "C:\Program Files\QuickTime\qttask.exe" MD5 = "3e7d91f24d28c968b92c85c7e2882eed"/>
<PROCESS NAME = "C:\Program Files\Hewlett-Packard\HP OfficeJet Series 500\Bin\HPOstr05.exe" MD5 = "1666422fbd939586b1e54edad87e3c94"/>
<PROCESS NAME = "C:\Program Files\iPod\bin\iPodService.exe" MD5 = "5590c0e3b40c924c2b94cb5868b8360a"/>
<PROCESS NAME = "C:\Program Files\Hewlett-Packard\HP OfficeJet Series 500\bin\HPOVDX05.EXE" MD5 = "83fe7a2a31fab5afd2ba5ef8cb0bb530"/>
<PROCESS NAME = "C:\WINDOWS\system32\hpoipm07.exe" MD5 = "dac39ffd1bce3b239616226b47594ab4"/>
<PROCESS NAME = "C:\Program Files\Internet Explorer\iexplore.exe" MD5 = "e7484514c0464642be7b4dc2689354c8"/>
<PROCESS NAME = "C:\Program Files\XoftSpy\XoftSpy.exe" MD5 = "8107deb204f560cd5e8326d6364f56db"/>
<ScanningRegKeys>
</ScanningRegKeys>
<ScanningRegValues>
</SW>
<SW NAME = "Lycos Sidesearch">
<REGVALUE VALUE = "Lycos Sidesearch Software\Microsoft\Internet Explorer\extensions\cmdmapping\{000007c6-17df-4438-92a4-de5537471ba3}"/>
<REGVALUEFOUND NAME = "Software\Microsoft\Internet Explorer\extensions\cmdmapping\{000007c6-17df-4438-92a4-de5537471ba3}"/>
</SW>
<SW NAME = "Favoriteman">
<REGVALUE VALUE = "Favoriteman software\microsoft\windows\counter"/>
<REGVALUEFOUND NAME = "software\microsoft\windows\counter"/>
</SW>
<SW NAME = "Favoriteman">
<REGVALUE VALUE = "Favoriteman software\microsoft\windows\server"/>
<REGVALUEFOUND NAME = "software\microsoft\windows\server"/>
</ScanningRegValues>
<ScanningRegValuesChanged>
</ScanningRegValuesChanged>
<FILE PATH = "Trojan/CWS Combo C:\WINDOWS\system32\MSrev21.dll"/>
<FILE PATH = "C:\WINDOWS\system32\MSrev21.dll"/>
<FILE PATH = "Trojan/CWS Combo C:\WINDOWS\system32\MSrev41.dll"/>
<FILE PATH = "C:\WINDOWS\system32\MSrev41.dll"/>
<FILE PATH = "Favoriteman C:\WINDOWS\system32\vg.dat"/>
<FILE PATH = "C:\WINDOWS\system32\vg.dat"/>
</Scanning>

<Information Message = "Starting to Quarantine 61 Items"/>
<Quarantines>
<QTFILE PATH = "C:\Program Files\XoftSpy\Quarantine\Quarantine14-11-2005-20-30-50.xpy" />
<INFO ACTION = "Added"/>
<INFO TIME = "14-11-2005-20-30-50"/>
<REGVALUE RES = "{000007c6-17df-4438-92a4-de5537471ba3} = dword:00002008
">
<REGVALUE RES = "counter = dword:00000001
">
<REGVALUE RES = "server = www.f1organizer.com
">
<QInformation Message = "Quarantining File Trojan/CWS Combo - C:\WINDOWS\system32\MSrev21.dll"/>
<QInformation Message = "Quarantining File Trojan/CWS Combo - C:\WINDOWS\system32\MSrev41.dll"/>
<QInformation Message = "Quarantining File Favoriteman - C:\WINDOWS\system32\vg.dat"/>
<QInformation Message = "Quarantining File 247realmedia cookie -
<Removal>
<SW NAME = "Lycos Sidesearch">
<REGVALUE NAME = "Software\Microsoft\Internet Explorer\extensions\cmdmapping\{000007c6-17df-4438-92a4-de5537471ba3}"/>
<REGVALUE RES = "Successfully Removed"/>
</SW>
<SW NAME = "Favoriteman">
<REGVALUE NAME = "software\microsoft\windows\counter"/>
<REGVALUE RES = "Successfully Removed"/>
<REGVALUE NAME = "software\microsoft\windows\server"/>
<REGVALUE RES = "Successfully Removed"/>
</SW>
<SW NAME = "Trojan/CWS Combo">
<FILE NAME = "C:\WINDOWS\system32\MSrev21.dll"/>
<FILE RES = "C:\WINDOWS\system32\MSrev21.dll Successfully ReMoved"/>
<FILE NAME = "C:\WINDOWS\system32\MSrev41.dll"/>
<FILE RES = "C:\WINDOWS\system32\MSrev41.dll Successfully ReMoved"/>
</SW>
<SW NAME = "Favoriteman">
<FILE NAME = "C:\WINDOWS\system32\vg.dat"/>
<FILE RES = "C:\WINDOWS\system32\vg.dat Successfully ReMoved"/>

Hi,

Open a new thread for a new problem.