Whenever I boot up my PC I get a BSOD.
Windows comes up with this error message:
Problemsignatur:
Navn på problemhændelse: BlueScreen
OS-version: 6.0.6002.2.2.0.768.3
Landestandard-id: 1030
Flere oplysninger om problemet:
BCCode: 1000007e
BCP1: C0000005
BCP2: 870AC720
BCP3: 8B56FBB8
BCP4: 8B56F8B4
OS Version: 6_0_6002
Service Pack: 2_0
Product: 768_1
Filer, der hjælper med til at beskrive problemet:
C:\Windows\Minidump\Mini083011-25.dmp
C:\Users\TheFracker\AppData\Local\Temp\WER-100917-0.sysdata.xml
C:\Users\TheFracker\AppData\Local\Temp\WER1360.tmp.version.txt
When the BSOD comes up it says IRQL_NOT_LESS_OR_EQUAL.
I posted in tech support and was asked to go here and follow the 6-step instructions. Route44, who helped me out, suspected that conhost.exe is the problem. Conhost.exe is currently running in Task Manager and keeps starting up again when I close the process. Under the description it says bitcoin-miner. I have searched for conhost.exe on my computer and I can't find it.
All the scans have been done in Safe Mode, because I can't successfully boot up in normal mode.
Avast scan didn't find anything.
Microsoft Security Essentials found Win32/CoinMaker and deleted it. It also found conhost.exe and couldn't verify whether it was harmful or not and therefore didn't do anything about it.
Microsoft Security Essentials Log:
----------------------------------------------------------------------------------
Command: MpSigStub.exe /program "C:\Windows\SoftwareDistribution\Download\Install\AM_Delta.exe" ANTIMALWARE /q
Start time: 30-08-2011 15:10 (version 10.3.1781.0)
=================================== ProductSearch ==================================
Microsoft Security Essentials:
Status: Active
Product: 3.0.8402.0
Engine: Not found
Signatures: Not found
NIS Engine: Not found
NIS Signatures: Not found
================================ PackageDiscovery ================================
AM FE: NIS Full:
Engine: 1.1.7604.0 NIS engine: 2.0.5854.0
AS base VDM: 1.111.0.0 NIS base VDM: 9.0.0.0
AV base VDM: 1.111.0.0 NIS full VDM: 9.285.0.0
AS delta VDM: 1.111.1045.0
AV delta VDM: 1.111.1045.0
================================ PatchApplication ================================
Patched nisfull.vdm to 9.285.0.0
================================= MpUpdateEngine =================================
Updated from C:\Windows\Temp\FB84A858E00CF7243B12915059191B09-Sigs (0x0)
================================= ValidateUpdate =================================
MpSigStub successfully updated Microsoft Security Essentials using the AM FE package.
Original: Updated to:
Engine: 0.0.0.0 1.1.7604.0
AS base VDM: 0.0.0.0 1.111.0.0
AV base VDM: 0.0.0.0 1.111.0.0
AS delta VDM: 0.0.0.0 1.111.1045.0
AV delta VDM: 0.0.0.0 1.111.1045.0
Set DeltaUpdateFailure to 0
MpSigStub successfully updated Microsoft Security Essentials using the NIS Full package.
Original: Updated to:
NIS engine: 0.0.0.0 2.0.5854.0
NIS base VDM: 0.0.0.0 9.0.0.0
NIS full VDM: 0.0.0.0 9.285.0.0
Set NISDeltaUpdateFailure to 0
Deleted C:\Windows\Temp\FB84A858E00CF7243B12915059191B09-Sigs\9.0.0.0_TO_9.285.0.0_NISFULL.VDM_SOURCE_NISBASE.VDM._P
Deleted C:\Windows\Temp\FB84A858E00CF7243B12915059191B09-Sigs\MPASBASE.VDM
Deleted C:\Windows\Temp\FB84A858E00CF7243B12915059191B09-Sigs\MPASDLTA.VDM
Deleted C:\Windows\Temp\FB84A858E00CF7243B12915059191B09-Sigs\MPAVBASE.VDM
Deleted C:\Windows\Temp\FB84A858E00CF7243B12915059191B09-Sigs\MPAVDLTA.VDM
Deleted C:\Windows\Temp\FB84A858E00CF7243B12915059191B09-Sigs\NISBASE.VDM
Deleted C:\Windows\Temp\FB84A858E00CF7243B12915059191B09-Sigs\nisfull.vdm
Deleted C:\Windows\Temp\FB84A858E00CF7243B12915059191B09-Sigs\mpengine.dll
Deleted C:\Windows\Temp\FB84A858E00CF7243B12915059191B09-Sigs\GAPAENGINE.DLL
End time: 30-08-2011 15:11
----------------------------------------------------------------------------------
Malwarebytes' Anti-Malware didn't come up with anything. I ran both the quick and full scan.
Malwarebytes' Anti-Malware Log:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4062
Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.19120
01-09-2011 01:00:47
mbam-log-2011-09-01 (01-00-47).txt
Scan type: Quick scan
Objects scanned: 126315
Time elapsed: 5 minute(s), 25 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
I ran GMER.
GMER Log:
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-01 04:08:01
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\00000032 WDC_WD50 rev.01.0
Running: fn87dlu3.exe; Driver: C:\Users\THEFRA~1\AppData\Local\Temp\uwdiipog.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0x8FE7C884]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateKey [0x8FE9DFA8]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcess [0x8FE97E42]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0x8FE9826A]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateSection [0x8FEA26FE]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteFile [0x8FE7D5B4]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteKey [0x8FE9FA50]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0x8FE9F346]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0x8FE96C26]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey [0x8FEA041A]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0x8FEA0658]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKeyEx [0x8FEA0B0A]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenFile [0x8FE7D16C]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenProcess [0x8FE9A358]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenThread [0x8FE99F46]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRenameKey [0x8FEA14E0]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwReplaceKey [0x8FEA0DD4]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRestoreKey [0x8FEA1F40]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0x8FE83292]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0x8FE7D9BE]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetSecurityObject [0x8FEA1A68]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetValueKey [0x8FE9EA6A]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0x8FE98F66]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0x8FE98C96]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateUserProcess [0x8FE986DE]
INT 0x51 ? 84F64BF8
INT 0x52 ? 8645DF00
INT 0x82 ? 84F63BF8
INT 0x92 ? 84F64BF8
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!KeSetEvent + 1D9 824E795C 4 Bytes [84, C8, E7, 8F] {TEST AL, CL; OUT 0x8f, EAX}
.text ntkrnlpa.exe!KeSetEvent + 1E9 824E796C 4 Bytes [A8, DF, E9, 8F]
.text ntkrnlpa.exe!KeSetEvent + 209 824E798C 8 Bytes [42, 7E, E9, 8F, 6A, 82, E9, ...]
.text ntkrnlpa.exe!KeSetEvent + 215 824E7998 4 Bytes [FE, 26, EA, 8F]
.text ntkrnlpa.exe!KeSetEvent + 2D1 824E7A54 8 Bytes [B4, D5, E7, 8F, 50, FA, E9, ...]
.text ...
? System32\Drivers\spjj.sys Den angivne sti blev ikke fundet. !
.text USBPORT.SYS!DllUnload 82F9A41B 5 Bytes JMP 8645D4E0
.text aaaq9zd8.SYS 8F1B5000 22 Bytes [82, F3, 40, 82, 6C, F2, 40, ...]
.text aaaq9zd8.SYS 8F1B5017 137 Bytes [00, 32, 37, 7A, 80, 3D, 35, ...]
.text aaaq9zd8.SYS 8F1B50A1 43 Bytes [40, 4E, 82, 74, 36, 48, 82, ...]
.text aaaq9zd8.SYS 8F1B50CE 10 Bytes [00, 00, 00, 00, 00, 00, 66, ...]
.text aaaq9zd8.SYS 8F1B50DA 12 Bytes [00, 00, 02, 00, 00, 00, 25, ...]
.text ...
---- User code sections - GMER 1.0.15 ----
.text C:\Windows\system32\svchost.exe[1068] ntdll.dll!NtProtectVirtualMemory 77484B84 5 Bytes JMP 00DB000A
.text C:\Windows\system32\svchost.exe[1068] ntdll.dll!NtWriteVirtualMemory 774854C4 5 Bytes JMP 00DC000A
.text C:\Windows\system32\svchost.exe[1068] ntdll.dll!KiUserExceptionDispatcher 77485BF8 5 Bytes JMP 004C000A
.text C:\Windows\Explorer.EXE[1792] ntdll.dll!NtProtectVirtualMemory 77484B84 5 Bytes JMP 01F7000A
.text C:\Windows\Explorer.EXE[1792] ntdll.dll!NtWriteVirtualMemory 774854C4 5 Bytes JMP 0208000A
.text C:\Windows\Explorer.EXE[1792] ntdll.dll!KiUserExceptionDispatcher 77485BF8 5 Bytes JMP 01F6000A
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8069A6D2] \SystemRoot\System32\Drivers\spjj.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8069A040] \SystemRoot\System32\Drivers\spjj.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [8069A7FC] \SystemRoot\System32\Drivers\spjj.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [8069A0BE] \SystemRoot\System32\Drivers\spjj.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8069A13C] \SystemRoot\System32\Drivers\spjj.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [806AA048] \SystemRoot\System32\Drivers\spjj.sys
IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortNotification] 24488B66
IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortWritePortUchar] E84D8966
IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortWritePortUlong] 83E84D8B
IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 896602C1
IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 488BEA4D
IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortGetScatterGatherList] 8DC80320
IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortReadPortUchar] 57500845
IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortStallExecution] F0458D57
IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortGetParentBusType] 00006850
IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortRequestCallback] 458DB002
IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortWritePortBufferUshort] 35FF50E8
IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortGetUnCachedExtension] [8F1DAFBC] \SystemRoot\System32\Drivers\aaaq9zd8.SYS (ATAPI IDE Miniport Driver/Microsoft Corporation)
IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortCompleteRequest] 57EC4D89
IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortMoveMemory] 01F045C7
IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] E8000000
IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 0001E4E4
IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 4675C73B
IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortReadPortUshort] 1DAFC8A1
IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortReadPortBufferUshort] 8D526A8F
IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortInitialize] 00009A88
IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortGetDeviceBase] 48C08300
IAT \SystemRoot\System32\Drivers\aaaq9zd8.SYS[ataport.SYS!AtaPortDeviceStateChange] 8D076A50
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 85D3A1F8
Device \FileSystem\fastfat \FatCdrom 876231F8
Device \Driver\netbt \Device\NetBT_Tcpip_{7BE1BC0C-7A11-4BFA-9F7A-5F5AD244094F} 8652B1F8
Device \Driver\volmgr \Device\VolMgrControl 85D351F8
Device \Driver\usbohci \Device\USBPDO-0 86478488
Device \Driver\usbehci \Device\USBPDO-1 864791F8
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\volmgr \Device\HarddiskVolume1 85D351F8
Device \Driver\volmgr \Device\HarddiskVolume2 85D351F8
Device \Driver\cdrom \Device\CdRom0 864831F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 85D371F8
Device \Driver\atapi \Device\Ide\IdePort0 85D371F8
Device \Driver\atapi \Device\Ide\IdePort1 85D371F8
Device \Driver\cdrom \Device\CdRom1 864831F8
Device \Driver\volmgr \Device\HarddiskVolume3 85D351F8
Device \Driver\cdrom \Device\CdRom2 864831F8
Device \Driver\volmgr \Device\HarddiskVolume4 85D351F8
Device \Driver\cdrom \Device\CdRom3 864831F8
Device \Driver\volmgr \Device\HarddiskVolume5 85D351F8
Device \Driver\cdrom \Device\CdRom4 864831F8
Device \Driver\volmgr \Device\HarddiskVolume6 85D351F8
Device \Driver\netbt \Device\NetBt_Wins_Export 8652B1F8
Device \Driver\Smb \Device\NetbiosSmb 873C41F8
Device \Driver\USBSTOR \Device\00000079 875EA1F8
Device \Driver\nvstor32 \Device\RaidPort0 85D391F8
Device \Driver\PCI_PNP1416 \Device\0000005c spjj.sys
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\iScsiPrt \Device\RaidPort1 864A5500
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\netbt \Device\NetBT_Tcpip_{65AA5710-5DE1-44FD-88B4-76FAC213BF3E} 8652B1F8
Device \Driver\usbohci \Device\USBFDO-0 86478488
Device \Driver\nvstor32 \Device\0000006c 85D391F8
Device \Driver\USBSTOR \Device\0000007a 875EA1F8
Device \Driver\usbehci \Device\USBFDO-1 864791F8
Device \Driver\USBSTOR \Device\0000007b 875EA1F8
Device \Driver\USBSTOR \Device\0000007c 875EA1F8
Device \Driver\sptd \Device\2506129424 spjj.sys
Device \Driver\USBSTOR \Device\0000007d 875EA1F8
Device \Driver\USBSTOR \Device\0000007e 875EA1F8
Device \Driver\aaaq9zd8 \Device\Scsi\aaaq9zd81Port4Path0Target3Lun0 864A31F8
Device \Driver\aaaq9zd8 \Device\Scsi\aaaq9zd81Port4Path0Target1Lun0 864A31F8
Device \Driver\aaaq9zd8 \Device\Scsi\aaaq9zd81 864A31F8
Device \Driver\aaaq9zd8 \Device\Scsi\aaaq9zd81Port4Path0Target2Lun0 864A31F8
Device \Driver\aaaq9zd8 \Device\Scsi\aaaq9zd81Port4Path0Target0Lun0 864A31F8
Device \FileSystem\fastfat \Fat 876231F8
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filsystem Filterstyring/Microsoft Corporation)
Device \FileSystem\cdfs \Cdfs 87BF31F8
Device \Device\0000006a -> \??\SCSI#Disk&Ven_WDC_WD50&Prod_00AACS-00ZUB#4&2caa503b&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 MBR read error
Disk \Device\Harddisk0\DR0 MBR BIOS signature not found 0
---- Files - GMER 1.0.15 ----
File C:\Minidumps.zip 102526 bytes
File C:\MpSigStub.log 5818 bytes
---- EOF - GMER 1.0.15 ----
I ran Windows Memory Diagnostic to test if there was something wrong with my RAM. It didn't find anything.
I have included a zip with the 5 latest dump files from Windows.
Here's the link to the tech support post: https://www.techspot.com/vb/topic170141.html
I use Windows Vista. I would appreciate any help; please tell me if you need additional details.
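The post describes the classic masquerade: a process that borrows the name of a Windows system binary (here conhost.exe, labelled bitcoin-miner in Task Manager), cannot be found on disk, and is relaunched whenever it is killed. The script below is an added triage example, not something from the original post or from any of the tools it mentions. It does two things a responder would want first: for each running process whose name matches a system binary, it reports where the image actually lives and whether that file carries a valid Microsoft Authenticode signature; then it looks in the common autostart locations (Run/RunOnce keys and service binary paths) for whatever keeps relaunching it. The list of names to check and the expected System32 directory are assumptions; adjust them for the host being examined.

```powershell
# Added triage script (not from the original post). Run from an elevated PowerShell
# prompt, in Safe Mode if that is the only mode that boots.

# Assumption: these system-binary names are the ones worth checking on this host.
$suspectNames = @('conhost.exe', 'svchost.exe', 'csrss.exe', 'lsass.exe', 'explorer.exe')
# Assumption: a legitimate copy of any of these lives under %SystemRoot%\System32.
$expectedDir  = Join-Path $env:SystemRoot 'System32'

# Part 1: where does each running copy really live, and is it Microsoft-signed?
foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
    $name = "$($proc.ProcessName).exe"
    if ($suspectNames -notcontains $name) { continue }

    # Path is empty when access is denied (protected process) or when the image
    # file was deleted after launch, which matches "I can't find it on disk".
    $path = $proc.Path
    if (-not $path) {
        Write-Output ("PID {0,-6} {1,-12} SUSPECT  image path unavailable (deleted or access denied)" -f $proc.Id, $name)
        continue
    }

    $inSystem32 = $path.StartsWith($expectedDir, [System.StringComparison]::OrdinalIgnoreCase)
    $sig        = Get-AuthenticodeSignature -FilePath $path
    $signedByMs = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -like '*Microsoft*')

    $verdict = if ($inSystem32 -and $signedByMs) { 'OK' } else { 'SUSPECT' }
    Write-Output ("PID {0,-6} {1,-12} {2,-8} {3}  sig={4}" -f $proc.Id, $name, $verdict, $path, $sig.Status)
}

# Part 2: what relaunches it? Check Run/RunOnce keys for both machine and user,
# then services whose binary path references the name.
$needle  = 'conhost'   # assumption: the name the post reports as recurring
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath and friends
        if ("$($p.Value)" -match $needle) {
            Write-Output ("AUTORUN {0}\{1} = {2}" -f $key, $p.Name, $p.Value)
        }
    }
}

Get-WmiObject Win32_Service |
    Where-Object { $_.PathName -match $needle } |
    ForEach-Object { Write-Output ("SERVICE {0} ({1}) = {2}" -f $_.Name, $_.State, $_.PathName) }
```

A line marked SUSPECT with an image path outside System32, an unsigned or non-Microsoft signature, or no retrievable path at all is the evidence to carry into the dump analysis; an AUTORUN or SERVICE hit names the persistence that needs removing before the process will stay dead. The script only reads and reports; it deliberately changes nothing, because on a machine that still blue-screens the safer order is to identify first, then clean from a known-good environment.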