
hyperfil infected

Discussion in 'Windows XP' started by saraelfar, 2009/12/12.

  1. 2009/12/12
    saraelfar

    saraelfar Inactive Thread Starter

    Joined:
    2009/12/12
    Messages:
    10
    Likes Received:
    0
    Hi there,

    I'm running Windows XP Service Pack 2, and every time my laptop shuts down, restarts, or even goes into standby mode, it starts performing the action normally, then shows a blue screen for a second and suddenly restarts.

    I've done an Avast scan and it shows nothing (running on XP), and when I schedule a boot scan it shows that my hyperfil is infected and cannot be repaired, moved to chest, deleted or whatever.

    What can I do? I do not want to re-install the operating system. Can anyone help me with this?
     
  2. 2009/12/12
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Welcome to WindowsBBS :)

    First .....

    Go into Control Panel > Power Options and disable Hibernation. Then delete hiberfil.sys, reboot.

    If you wish to use hibernation - not recommended - re-enable it in Power Options.

    Then ....

    Set up the computer so that it does not automatically restart on system failure .....

    Control Panel > System > Advanced > Startup and Recovery > Settings ....

    Under System failure uncheck 'Automatically restart' and under Write debugging information select 'Kernel memory dump' from the dropdown list and OK out.

    The computer will now show the BSOD in the event of a System failure giving details of the Stop message and the contents of the memory will be dumped to disk.

    Run the dump data through our Dump Data Collection Tool and post the log here (copy/paste).

     

  4. 2009/12/12
    saraelfar

    saraelfar Inactive Thread Starter

    Joined:
    2009/12/12
    Messages:
    10
    Likes Received:
    0
    First of all, thanks much for your help.

    About the hibernate issue: hibernate is disabled, but I still cannot delete the file.

    And about the dump tools, I'm downloading it right now, and will feed back to you.

    When I ran the Avast scan the hyperfil error had a code >>> 0xc0000043
    I've noticed it's similar to the form of the blue screen errors; I do not know if this would help.

    The blue screen error was (Driver_Power_state_Failure)
    0x0000009f ( 0x00000500, 0x00000002, 0x89e59ef8, 0x8a057850)


    Another point: I've performed many scans of the system:
    Malwarebytes, Panda Security, Spybot, ESET, Avira, and many others (one at a time to make sure there was no conflict) since this thing started, and all keep telling me NO infections.

    I've run HijackThis and it shows an undefined operation that connects to a certain IP address, which I disabled every time, and it comes back when the system starts all over again, and a missing DLL file called >> ACNotify.dll

    The same happens with Registry Booster: at startup, it locates a registry error within the system and repairs it, and it's here again the next time I start up my computer.

    The registry error is:

    Scan subsection: ActiveX, OLE, COM sections
    Entries found: 1
    Entries:
    Entry: HKEY_CLASSES_ROOT\TypeLib\{B96BCBE1-F886-11D0-9C63-A06801C10627}\1.2\HELPDIR
    Value name:
    Value:
    Reason: The key HKEY_CLASSES_ROOT/TypeLib/{B96BCBE1-F886-11D0-9C63-A06801C10627}/1.2/HELPDIR is empty
    Scan subsection: Invalid file associations


    ******************************************************************************

    I have the logs for MBAM, HijackThis, RootRepeal, and OTL if you want me to post them.

    Another issue started 2 days ago: as I log in to my mail address, I have to re-enter the password - it is always a wrong password the first time - even though I'm sure that I entered it the way it should be.

    Thanks again for the help.
     
    Last edited: 2009/12/12
  5. 2009/12/12
    saraelfar

    saraelfar Inactive Thread Starter

    Joined:
    2009/12/12
    Messages:
    10
    Likes Received:
    0
    a- I've downloaded the debug tool from the Microsoft web site.

    2 versions of it; I tried to install it, but I get the same message every time for both versions, telling me that the installation package cannot be opened, and that I should contact the application vendor to verify it's a valid package.

    b- I've disabled the hibernate option in the power settings, and the HyperFil is gone on its own, but I still have the blue screen error as I mentioned before.
     
  6. 2009/12/13
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Your BSOD is consistent with the problems you first posted ....
    Discussed in ....

    Troubleshooting a Stop 0x9F Error in Windows XP
    Which begs the question how many antivirus programs do you have installed and how many of those are active? You should only run one antivirus program on your computer to avoid conflicts and I suggest that you settle on one and uninstall the others.

    I think the 'infected' hiberfil.sys is unrelated and for the moment resolved.

    ACNotify.dll is a component of the ThinkPad Communications program so I guess you are running a Thinkpad. Although it is said to be non critical to system operation it may be causing your password problem - just guessing here.

    I would strongly recommend that you stay well clear of Registry Cleaners, Boosters and the like. The Registry is critical for the operation of the OS - programs such as I mentioned do no good whatsoever and may, in the wrong hands, render the computer unbootable. There is no performance gain to be achieved by cleaning or tuning the registry except in very exceptional and rare circumstances.
    v6.8.4.0 is the one you require - I wonder if you have a problem with your Windows Installer ....

    Windows Installer 4.5 Redistributable
     
  7. 2009/12/13
    saraelfar

    saraelfar Inactive Thread Starter

    Joined:
    2009/12/12
    Messages:
    10
    Likes Received:
    0
    A- I agree with you about the hyperfil.

    B- About the antiviruses: I used them one by one. I install one, scan my computer, uninstall it, then install the other, and so on.

    Now I have Avast and Malwarebytes on my system.

    C- I followed the instructions on the Microsoft web site and performed a sigverify check, and it shows LOTS of files that are not signed... (I hope I can post that log file so you can help me with all these files: which ones should be there and which should be deleted)
    And about the driver log:

    [c:\windows\system32\drivers]
    msftwdf_user_01_07_0msft_user_pccswpddri[c:\windows\system32\urttemp]
    mscoree.dll.local [c:\windows\temp\_avast4_]
    webshlock.txt The process cannot access the file because it is being used by another process.
    [c:\windows\debug\setup\backup]
    hdaudio_backup.bak [c:\windows\softwaredistribution\datastore\logs]
    tmp.edb The file is not installed.
    [c:\windows\system32\catroot2\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}]
    catdb The process cannot access the file because it is being used by another process.
    [c:\windows\system32\catroot2\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}]
    catdb The process cannot access the file because it is being used by another process.
    [c:\windows\system32\drivers\umdf]
    msftwdf_user_01_00_0[c:\windows\system32\macromed\flash]
    uninstall_activex.exuninstall_plugin.exe[c:\windows\system32\config\systemprofile\sendto]
    compressed (zipped) desktop (create shormail recipient.mapimmy documents.mydocs

    ************
    I did not know what to do with it.

    D- Downloading the Windows Installer and the debug tool is in progress.
     
  8. 2009/12/13
    saraelfar

    saraelfar Inactive Thread Starter

    Joined:
    2009/12/12
    Messages:
    10
    Likes Received:
    0
    I do not know how to create a dump file. Or, if it's created by default, where is it located?
     
  9. 2009/12/13
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Use our wizard as I posted earlier - the dump log will be saved in the root of C:\ - screenshots.

    We have found that the path for the log file in the revised version of the Debug Wizard is incorrect. Please follow these instructions to correct the path and run the Wizard ....

    Browse to the location of your dump file and select it.

    Tick the Advanced button and edit the first part of the 'Command string to pass to debugger' (Screenshots) .....

    Replace -logo c:temp\debuglog.txt with -logo c:\debuglog.txt

    i.e. remove temp
     

  10. 2009/12/14
    saraelfar

    saraelfar Inactive Thread Starter

    Joined:
    2009/12/12
    Messages:
    10
    Likes Received:
    0
    Thanks much for the help.

    I've noticed that I have many files with the extension DMP; one is MEMORY.DMP, located in the Windows folder,

    and many others have the name mini-some numbers.dmp, located in a folder named MiniDump.

    I've used the tool to analyse the MEMORY.DMP file, and here is the log file.



    Opened log file 'c:debuglog.txt'

    Microsoft (R) Windows Debugger Version 6.8.0004.0 X86
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [C:\WINDOWS\MEMORY.DMP]
    Kernel Summary Dump File: Only kernel address space is available

    Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is: C:\WINDOWS;C:\WINDOWS\system32;C:\WINDOWS\system32\drivers
    Windows XP Kernel Version 2600 (Service Pack 2) MP (2 procs) Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS Personal
    Built by: 2600.xpsp_sp2_qfe.090804-1435
    Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055c720
    Debug session time: Sun Dec 13 21:43:21.937 2009 (GMT+2)
    System Uptime: 0 days 0:18:01.642
    Loading Kernel Symbols
    .......................................................................................................................................................
    Loading User Symbols
    PEB is paged out (Peb.Ldr = 7ffde00c). Type ".hh dbgerr001" for details
    Loading unloaded module list
    .............
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 9F, {500, 2, 89e54bf8, 8a057970}

    *** ERROR: Module load completed but symbols could not be loaded for xusbdfwu.sys

    PEB is paged out (Peb.Ldr = 7ffde00c). Type ".hh dbgerr001" for details

    PEB is paged out (Peb.Ldr = 7ffde00c). Type ".hh dbgerr001" for details
    Probably caused by : xusbdfwu.sys

    Followup: MachineOwner
    ---------

    1: kd> !analyze -v;r;kv;lmtn;.logclose;q
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    DRIVER_POWER_STATE_FAILURE (9f)
    A driver is causing an inconsistent power state.
    Arguments:
    Arg1: 00000500, The device object completed the irp for the system power
    state request, but failed to call PoStartNextPowerIrp.
    Arg2: 00000002
    Arg3: 89e54bf8, Optional Target device's DEVICE_OBJECT
    Arg4: 8a057970, DeviceObject

    Debugging Details:
    ------------------


    PEB is paged out (Peb.Ldr = 7ffde00c). Type ".hh dbgerr001" for details

    PEB is paged out (Peb.Ldr = 7ffde00c). Type ".hh dbgerr001" for details

    DRVPOWERSTATE_SUBCODE: 500

    DEVICE_OBJECT: 89e54bf8

    DRIVER_OBJECT: 89e58ab8

    IMAGE_NAME: xusbdfwu.sys

    DEBUG_FLR_IMAGE_TIMESTAMP: 460c6880

    MODULE_NAME: xusbdfwu

    FAULTING_MODULE: babf0000 xusbdfwu

    DEFAULT_BUCKET_ID: DRIVER_FAULT

    BUGCHECK_STR: 0x9F

    PROCESS_NAME: winlogon.exe

    LAST_CONTROL_TRANSFER: from 80651cc2 to 804f9f0d

    STACK_TEXT:
    b9dee594 80651cc2 0000009f 00000500 00000002 nt!KeBugCheckEx+0x1b
    b9dee5d4 806523df 005049e0 00000001 00000000 nt!PopWaitForSystemPowerIrp+0x3c0
    b9dee5fc 806510b2 00000000 b9dee6e4 b9dee768 nt!PopSetDevicesSystemState+0x1a9
    b9dee6d0 805413fc 00000002 00000004 20000000 nt!NtSetSystemPowerState+0x27e
    b9dee6d0 80500ff1 00000002 00000004 20000000 nt!KiFastCallEntry+0xfc
    b9dee754 80650e99 00000002 00000004 20000000 nt!ZwSetSystemPowerState+0x11
    b9dee830 805413fc 00000002 00000004 20000000 nt!NtSetSystemPowerState+0x65
    b9dee830 7c90e514 00000002 00000004 20000000 nt!KiFastCallEntry+0xfc
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    0006f2a0 00000000 00000000 00000000 00000000 0x7c90e514


    STACK_COMMAND: kb

    FOLLOWUP_NAME: MachineOwner

    FAILURE_BUCKET_ID: 0x9F_IMAGE_xusbdfwu.sys_DATE_2007_03_30

    BUCKET_ID: 0x9F_IMAGE_xusbdfwu.sys_DATE_2007_03_30

    Followup: MachineOwner
    ---------

    eax=bab3813c ebx=00000002 ecx=00000000 edx=80550050 esi=8a057970 edi=00000000
    eip=804f9f0d esp=b9dee57c ebp=b9dee594 iopl=0 nv up ei ng nz na pe nc
    cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
    nt!KeBugCheckEx+0x1b:
    804f9f0d 5d pop ebp
    ChildEBP RetAddr Args to Child
    b9dee594 80651cc2 0000009f 00000500 00000002 nt!KeBugCheckEx+0x1b (FPO: [Non-Fpo])
    b9dee5d4 806523df 005049e0 00000001 00000000 nt!PopWaitForSystemPowerIrp+0x3c0 (FPO: [Non-Fpo])
    b9dee5fc 806510b2 00000000 b9dee6e4 b9dee768 nt!PopSetDevicesSystemState+0x1a9 (FPO: [Non-Fpo])
    b9dee6d0 805413fc 00000002 00000004 20000000 nt!NtSetSystemPowerState+0x27e (FPO: [Non-Fpo])
    b9dee6d0 80500ff1 00000002 00000004 20000000 nt!KiFastCallEntry+0xfc (FPO: [0,0] TrapFrame @ b9dee6e4)
    b9dee754 80650e99 00000002 00000004 20000000 nt!ZwSetSystemPowerState+0x11 (FPO: [3,0,0])
    b9dee830 805413fc 00000002 00000004 20000000 nt!NtSetSystemPowerState+0x65 (FPO: [Non-Fpo])
    b9dee830 7c90e514 00000002 00000004 20000000 nt!KiFastCallEntry+0xfc (FPO: [0,0] TrapFrame @ b9dee844)
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    0006f2a0 00000000 00000000 00000000 00000000 0x7c90e514
    start end module name
    804d7000 806e2000 nt ntkrpamp.exe Tue Aug 04 15:01:46 2009 (4A78232A)
    806e2000 80702c80 hal halmacpi.dll Thu Sep 29 02:35:25 2005 (433B28BD)
    a6f49000 a6f72f00 kmixer kmixer.sys Wed Aug 04 09:07:46 2004 (41107D32)
    a7475000 a7498000 Fastfat Fastfat.SYS Wed Aug 04 09:14:15 2004 (41107EB7)
    a7e5b000 a7e6f400 wdmaud wdmaud.sys Wed Aug 04 09:15:03 2004 (41107EE7)
    a7ef0000 a7efed80 sysaudio sysaudio.sys Wed Aug 04 09:15:54 2004 (41107F1A)
    a81e8000 a81ebb00 aswRdr aswRdr.SYS Wed Nov 25 01:48:56 2009 (4B0C70E8)
    a8438000 a843be80 XPC4DRVR XPC4DRVR.SYS Wed Sep 29 01:50:05 2004 (4159EA9D)
    a8444000 a8447100 tvtfilter tvtfilter.sys Sat Jul 15 00:27:21 2006 (44B80C39)
    a85a0000 a85f1580 srv srv.sys Thu Dec 11 13:57:18 2008 (4941001E)
    a86e2000 a870e400 mrxdav mrxdav.sys Wed Aug 04 09:00:49 2004 (41107B91)
    a8967000 a897c580 aswMon2 aswMon2.SYS Tue Sep 15 13:56:12 2009 (4AAF72CC)
    a8ac9000 a8acc900 ndisuio ndisuio.sys Wed Apr 20 01:54:03 2005 (42659A1B)
    a8c05000 a8c08100 s24trans s24trans.sys Wed Aug 02 11:27:47 2006 (44D06203)
    a8d3d000 a8d54480 dump_atapi dump_atapi.sys Wed Aug 04 08:59:41 2004 (41107B4D)
    a8d7d000 a8d95a80 bthpan bthpan.sys Wed Aug 04 08:58:37 2004 (41107B0D)
    a8d96000 a8db7000 aswSP aswSP.SYS Tue Sep 15 13:55:29 2009 (4AAF72A1)
    a8db7000 a8e25c00 mrxsmb mrxsmb.sys Fri Oct 24 13:10:39 2008 (4901AD2F)
    a8e26000 a8e50a00 rdbss rdbss.sys Thu Oct 28 03:13:57 2004 (418047D5)
    a8f11000 a8f32c80 afd afd.sys Thu Aug 14 12:48:50 2008 (48A3FF82)
    a8f33000 a8f5ac00 netbt netbt.sys Wed Aug 04 09:14:36 2004 (41107ECC)
    a8f5b000 a8f7bf00 ipnat ipnat.sys Thu Sep 30 01:28:36 2004 (415B3714)
    a8fa4000 a8ffc200 tcpip tcpip.sys Fri Jun 20 13:44:40 2008 (485B8A18)
    a8ffd000 a900f400 ipsec ipsec.sys Wed Aug 04 09:14:27 2004 (41107EC3)
    a9030000 a9a03b80 snp2sxp snp2sxp.sys Tue May 23 10:39:03 2006 (4472BC17)
    a9a04000 a9a21980 ATSwpDrv ATSwpDrv.sys Fri Jul 14 22:39:16 2006 (44B7F2E4)
    a9a22000 a9a43680 MpFilter MpFilter.sys Thu Jun 11 04:04:25 2009 (4A305819)
    a9a44000 a9a86700 bthport bthport.sys Fri Jun 13 16:10:50 2008 (485271DA)
    a9aab000 a9aad900 Dxapi Dxapi.sys Fri Aug 17 23:53:19 2001 (3B7D843F)
    a9aaf000 a9bca7c0 AGRSM AGRSM.sys Wed Aug 30 21:52:55 2006 (44F5DE87)
    a9bcb000 a9bec700 portcls portcls.sys Tue Mar 16 20:58:17 2004 (40574E49)
    a9bed000 a9c13000 ADIHdAud ADIHdAud.sys Thu Aug 18 22:26:13 2005 (4304E0D5)
    b9cfb000 b9d2a6e0 windrvr6 windrvr6.sys Mon Oct 16 12:35:15 2006 (45336063)
    b9d2b000 b9d5e200 update update.sys Wed Aug 04 08:58:32 2004 (41107B08)
    b9dff000 b9e0fe00 psched psched.sys Wed Aug 04 09:04:16 2004 (41107C60)
    b9e10000 b9e26680 ndiswan ndiswan.sys Wed Aug 04 09:14:30 2004 (41107EC6)
    b9e27000 b9e49680 ks ks.sys Wed Aug 04 09:15:20 2004 (41107EF8)
    b9e4a000 b9e79240 SynTP SynTP.sys Sat May 20 00:24:20 2006 (446E3784)
    b9e7a000 b9ec5700 rixdptsk rixdptsk.sys Tue Nov 01 11:07:59 2005 (4367306F)
    b9ec6000 b9ed6800 sdbus sdbus.sys Wed Aug 04 09:07:47 2004 (41107D33)
    b9ed7000 b9eeae00 Rtnicxp Rtnicxp.sys Sun Feb 26 23:46:21 2006 (440221AD)
    b9eeb000 b9f0e000 USBPORT USBPORT.SYS Wed Apr 19 13:50:49 2006 (44462419)
    b9f0e000 b9f33000 HDAudBus HDAudBus.sys Sat Jan 08 03:07:15 2005 (41DF3243)
    b9f33000 b9f46780 VIDEOPRT VIDEOPRT.SYS Wed Aug 04 09:07:04 2004 (41107D08)
    b9f47000 ba063e00 ialmnt5 ialmnt5.sys Thu Mar 23 22:47:04 2006 (44230948)
    ba070000 ba072580 n558 n558.sys Wed Aug 15 10:27:16 2007 (46C2AAD4)
    ba5e2000 ba5fc580 Mup Mup.sys Wed Aug 04 09:15:20 2004 (41107EF8)
    ba5fd000 ba629a80 NDIS NDIS.sys Wed Aug 04 09:14:27 2004 (41107EC3)
    ba62a000 ba6b6480 Ntfs Ntfs.sys Wed Aug 04 09:15:06 2004 (41107EEA)
    ba6b7000 ba6c9f80 WudfPf WudfPf.sys Sat Jan 19 07:52:49 2008 (47919031)
    ba6ca000 ba6e0980 KSecDD KSecDD.sys Mon Jun 22 14:35:42 2009 (4A3F6C8E)
    ba6e1000 ba6f2f00 sr sr.sys Wed Aug 04 09:06:22 2004 (41107CDE)
    ba6f3000 ba712780 fltMgr fltMgr.sys Tue Feb 21 05:01:46 2006 (43FA829A)
    ba713000 ba72a480 atapi atapi.sys Wed Aug 04 08:59:41 2004 (41107B4D)
    ba72b000 ba749880 ftdisk ftdisk.sys Fri Aug 17 23:52:41 2001 (3B7D8419)
    ba74a000 ba767480 pcmcia pcmcia.sys Wed Aug 04 09:07:45 2004 (41107D31)
    ba768000 ba778a80 pci pci.sys Wed Aug 04 09:07:45 2004 (41107D31)
    ba779000 ba7a6d80 ACPI ACPI.sys Wed Aug 04 09:07:35 2004 (41107D27)
    ba8a8000 ba8b0c00 isapnp isapnp.sys Fri Aug 17 23:58:01 2001 (3B7D8559)
    ba8b8000 ba8c2500 MountMgr MountMgr.sys Wed Aug 04 08:58:29 2004 (41107B05)
    ba8c8000 ba8d4c80 VolSnap VolSnap.sys Wed Aug 04 09:00:14 2004 (41107B6E)
    ba8d8000 ba8e0e00 disk disk.sys Wed Aug 04 08:59:53 2004 (41107B59)
    ba8e8000 ba8f4200 CLASSPNP CLASSPNP.SYS Wed Aug 04 09:14:26 2004 (41107EC2)
    ba8f8000 ba900b20 PxHelp20 PxHelp20.sys Fri May 05 01:14:58 2006 (445A7CE2)
    ba908000 ba916e80 ohci1394 ohci1394.sys Wed Aug 04 09:10:05 2004 (41107DBD)
    ba918000 ba925000 1394BUS 1394BUS.SYS Wed Aug 04 09:10:03 2004 (41107DBB)
    ba938000 ba947180 nic1394 nic1394.sys Wed Dec 08 20:14:13 2004 (41B74475)
    ba948000 ba9518c0 aswTdi aswTdi.SYS Wed Nov 25 01:49:06 2009 (4B0C70F2)
    ba958000 ba960700 wanarp wanarp.sys Wed Aug 04 09:04:57 2004 (41107C89)
    ba968000 ba976d80 arp1394 arp1394.sys Wed Aug 04 08:58:28 2004 (41107B04)
    ba978000 ba980700 netbios netbios.sys Wed Aug 04 09:03:19 2004 (41107C27)
    ba9a8000 ba9b0880 Fips Fips.SYS Sat Aug 18 04:31:49 2001 (3B7DC585)
    ba9c8000 ba9d6900 rfcomm rfcomm.sys Wed Aug 04 09:10:38 2004 (41107DDE)
    ba9d8000 ba9e1480 bthmodem bthmodem.sys Wed Aug 04 09:10:38 2004 (41107DDE)
    ba9e8000 ba9f7900 Cdfs Cdfs.SYS Wed Aug 04 09:14:09 2004 (41107EB1)
    baa08000 baa10d00 intelppm intelppm.sys Wed Aug 04 08:59:19 2004 (41107B37)
    baa18000 baa24880 rimsptsk rimsptsk.sys Fri Sep 08 11:01:18 2006 (4501234E)
    baa28000 baa34e00 i8042prt i8042prt.sys Wed Aug 04 09:14:36 2004 (41107ECC)
    baa38000 baa42400 imapi imapi.sys Fri Aug 13 20:17:15 2004 (411CF79B)
    baa48000 baa54180 cdrom cdrom.sys Wed Aug 04 08:59:52 2004 (41107B58)
    baa58000 baa66080 redbook redbook.sys Wed Aug 04 08:59:34 2004 (41107B46)
    baa68000 baa74880 rasl2tp rasl2tp.sys Wed Aug 04 09:14:21 2004 (41107EBD)
    baa78000 baa82200 raspppoe raspppoe.sys Wed Aug 04 09:05:06 2004 (41107C92)
    baa88000 baa93d00 raspptp raspptp.sys Wed Aug 04 09:14:26 2004 (41107EC2)
    baa98000 baaa0900 msgpc msgpc.sys Wed Aug 04 09:04:11 2004 (41107C5B)
    baaa8000 baab1f00 termdd termdd.sys Wed Aug 04 08:58:52 2004 (41107B1C)
    baac8000 baad1480 NDProxy NDProxy.SYS Fri Aug 17 23:55:30 2001 (3B7D84C2)
    baae8000 baaf6b80 drmk drmk.sys Wed Aug 04 09:07:54 2004 (41107D3A)
    bab08000 bab16200 usbhub usbhub.sys Thu Sep 16 23:06:45 2004 (4149F255)
    bab18000 bab23e00 STREAM STREAM.SYS Wed Aug 04 09:07:58 2004 (41107D3E)
    bab28000 bab2e200 PCIIDEX PCIIDEX.SYS Wed Aug 04 08:59:40 2004 (41107B4C)
    bab30000 bab34900 PartMgr PartMgr.sys Sat Aug 18 04:32:23 2001 (3B7DC5A7)
    bab60000 bab64ba0 AegisP AegisP.sys Tue Jun 20 17:50:51 2006 (44980B4B)
    baba0000 baba5080 usbuhci usbuhci.sys Wed Apr 19 13:50:50 2006 (4446241A)
    baba8000 babaf580 usbehci usbehci.sys Wed Apr 19 13:50:49 2006 (44462419)
    babb0000 babb7100 rimmptsk rimmptsk.sys Thu Nov 17 04:28:31 2005 (437BEACF)
    babb8000 babbe000 kbdclass kbdclass.sys Wed Aug 04 08:58:32 2004 (41107B08)
    babc0000 babc5a00 mouclass mouclass.sys Wed Aug 04 08:58:32 2004 (41107B08)
    babc8000 babcd200 iviaspi iviaspi.sys Thu Sep 11 09:36:53 2003 (3F601805)
    babd0000 babd4500 tvtpktfilter tvtpktfilter.sys Mon Jan 16 04:51:11 2006 (43CB0A1F)
    babd8000 babdc880 TDI TDI.SYS Wed Aug 04 09:07:47 2004 (41107D33)
    babe0000 babe4580 ptilink ptilink.sys Fri Aug 17 23:49:53 2001 (3B7D8371)
    babe8000 babec080 raspti raspti.sys Fri Aug 17 23:55:32 2001 (3B7D84C4)
    babf0000 babf4380 xusbdfwu xusbdfwu.sys Fri Mar 30 03:31:44 2007 (460C6880)
    babf8000 babff580 Modem Modem.SYS Wed Aug 04 09:08:04 2004 (41107D44)
    bac00000 bac04a00 BTHUSB BTHUSB.sys Wed Aug 04 09:10:33 2004 (41107DD9)
    bac28000 bac2e100 SNCAMD SNCAMD.SYS Thu Apr 27 14:43:13 2006 (4450BC61)
    bac30000 bac35200 vga vga.sys Wed Aug 04 09:07:06 2004 (41107D0A)
    bac40000 bac44a80 Msfs Msfs.SYS Wed Aug 04 09:00:37 2004 (41107B85)
    bac50000 bac57880 Npfs Npfs.SYS Wed Aug 04 09:00:38 2004 (41107B86)
    bac68000 bac6e000 TSMAPIP TSMAPIP.SYS Fri Jun 28 06:59:23 2002 (3D1BDF1B)
    bac78000 bac7c160 TPHKDRV TPHKDRV.SYS Tue Feb 28 04:23:56 2006 (4403B43C)
    bac88000 bac8cc40 Aavmker4 Aavmker4.SYS Wed Nov 25 01:47:53 2009 (4B0C70A9)
    bac90000 bac94280 BthEnum BthEnum.sys Wed Aug 04 09:10:38 2004 (41107DDE)
    baca0000 baca4500 watchdog watchdog.sys Wed Aug 04 09:07:32 2004 (41107D24)
    bacb0000 bacb8000 aswFsBlk aswFsBlk.sys Tue Sep 15 13:55:18 2009 (4AAF7296)
    bacb8000 bacbb000 BOOTVID BOOTVID.dll Fri Aug 17 23:49:09 2001 (3B7D8345)
    bacbc000 bacbe480 compbatt compbatt.sys Fri Aug 17 23:57:58 2001 (3B7D8556)
    bacc0000 bacc3700 BATTC BATTC.SYS Fri Aug 17 23:57:52 2001 (3B7D8550)
    bacc4000 bacc6d80 ACPIEC ACPIEC.sys Fri Aug 17 23:57:55 2001 (3B7D8553)
    bad4c000 bad4e280 rasacd rasacd.sys Fri Aug 17 23:55:39 2001 (3B7D84CB)
    bad6c000 bad6ed00 ANC ANC.SYS Mon Mar 22 07:08:44 2004 (405E74DC)
    bad7c000 bad7f700 CmBatt CmBatt.sys Wed Aug 04 09:07:39 2004 (41107D2B)
    bad88000 bad8a580 ndistapi ndistapi.sys Fri Aug 17 23:55:29 2001 (3B7D84C1)
    bad90000 bad93c80 mssmbios mssmbios.sys Wed Aug 04 09:07:47 2004 (41107D33)
    bad94000 bad96800 PMHler PMHler.sys Wed Dec 21 08:09:49 2005 (43A8F1AD)
    bada8000 bada9b80 kdcom kdcom.dll Fri Aug 17 23:49:10 2001 (3B7D8346)
    badaa000 badab100 WMILIB WMILIB.SYS Sat Aug 18 00:07:23 2001 (3B7D878B)
    badc4000 badc5280 USBD USBD.SYS Sat Aug 18 00:02:58 2001 (3B7D8682)
    badc6000 badc7100 swenum swenum.sys Wed Aug 04 08:58:41 2004 (41107B11)
    badcc000 badce000 i2omgmt i2omgmt.SYS Wed Aug 04 09:00:50 2004 (41107B92)
    badd4000 badd5f00 Fs_Rec Fs_Rec.SYS Fri Aug 17 23:49:37 2001 (3B7D8361)
    badd8000 badd9080 Beep Beep.SYS Fri Aug 17 23:47:33 2001 (3B7D82E5)
    baddc000 baddd080 mnmdd mnmdd.SYS Fri Aug 17 23:57:28 2001 (3B7D8538)
    bade0000 bade1080 RDPCDD RDPCDD.sys Fri Aug 17 23:46:56 2001 (3B7D82C0)
    bade4000 bade5780 IBMBLDID IBMBLDID.sys Thu Jan 12 17:33:21 2006 (43C676C1)
    bade6000 bade7100 dump_WMILIB dump_WMILIB.SYS Sat Aug 18 00:07:23 2001 (3B7D878B)
    bae32000 bae332e0 EGATHDRV EGATHDRV.SYS Mon Aug 23 19:22:04 2004 (412A19AC)
    bae3a000 bae3b400 pmemnt pmemnt.sys Tue May 04 19:13:04 2004 (4097C110)
    bae70000 bae70d00 pciide pciide.sys Fri Aug 17 23:51:49 2001 (3B7D83E5)
    bae71000 bae71d80 OPRGHDLR OPRGHDLR.SYS Fri Aug 17 23:57:55 2001 (3B7D8553)
    baea3000 baea3b80 Null Null.SYS Fri Aug 17 23:47:39 2001 (3B7D82EB)
    baecf000 baecfc00 audstub audstub.sys Fri Aug 17 23:59:40 2001 (3B7D85BC)
    baef3000 baef3d00 dxgthk dxgthk.sys Fri Aug 17 23:53:12 2001 (3B7D8438)
    bafaa000 bafaaf80 smi2 smi2.sys Sat Feb 12 00:27:28 2005 (420D3150)
    bf800000 bf9c5f00 win32k win32k.sys Fri Aug 14 14:22:01 2009 (4A8548D9)
    bf9c6000 bf9d7580 dxg dxg.sys Wed Aug 04 09:00:51 2004 (41107B93)
    bf9d8000 bf9e7000 ialmrnt5 ialmrnt5.dll Thu Mar 23 22:38:48 2006 (44230758)
    bf9e7000 bfa09000 ialmdnt5 ialmdnt5.dll Thu Mar 23 22:38:40 2006 (44230750)
    bfa09000 bfa433c0 ialmdev5 ialmdev5.DLL Thu Mar 23 22:38:28 2006 (44230744)
    bfa44000 bfb34000 ialmdd5 ialmdd5.DLL Thu Mar 23 22:45:53 2006 (44230901)
    bffa0000 bffe5c00 ATMFD ATMFD.DLL Wed Aug 04 10:56:56 2004 (411096C8)

    Unloaded modules:
    bab88000 bab8f000 USBSTOR.SYS
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    a7013000 a703d000 kmixer.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    a7de6000 a7e10000 kmixer.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    baf19000 baf1a000 drmkaud.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    a7ed0000 a7edd000 DMusic.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    a867a000 a8688000 swmidi.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    a7e10000 a7e33000 aec.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    badf4000 badf6000 splitter.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    bae3c000 bae3e000 WAM.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    ba998000 ba9a1000 processr.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    ba988000 ba998000 serial.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    bac20000 bac25000 Cdaudio.SYS
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    ba074000 ba077000 Sfloppy.SYS
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    Closing open log file c:debuglog.txt
     
  11. 2009/12/14
    Arie

    Arie Administrator Administrator Staff

    Joined:
    2001/12/27
    Messages:
    15,174
    Likes Received:
    412
    xusbdfwu.sys seems to be associated with Xilinx Multilink, so try removing the software if you don't use it, or if you do use it you'll need to update the driver or contact them for support.
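
Added example (not part of the thread, and not code from WindowsBBS or Microsoft): the reading of the debug log that this reply depends on, done in Python. It pulls the bugcheck, the blamed image and its build timestamp out of `!analyze -v` text and cross-checks them against the `lmtn` module list; `SAMPLE_LOG` is a constructed excerpt using values from the log posted above, and all function names are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed excerpt: only the lines the parser needs, with values copied
# from the debug log posted earlier in this thread.
SAMPLE_LOG = """\
BugCheck 9F, {500, 2, 89e54bf8, 8a057970}
Probably caused by : xusbdfwu.sys
DRVPOWERSTATE_SUBCODE: 500
IMAGE_NAME: xusbdfwu.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 460c6880
PROCESS_NAME: winlogon.exe
b9dee594 80651cc2 0000009f 00000500 00000002 nt!KeBugCheckEx+0x1b (FPO: [Non-Fpo])
start end module name
804d7000 806e2000 nt ntkrpamp.exe Tue Aug 04 15:01:46 2009 (4A78232A)
bab08000 bab16200 usbhub usbhub.sys Thu Sep 16 23:06:45 2004 (4149F255)
babf0000 babf4380 xusbdfwu xusbdfwu.sys Fri Mar 30 03:31:44 2007 (460C6880)
"""

# Arg1 meaning for bugcheck 0x9F, as printed by !analyze -v in the log above.
SUBCODES_9F = {
    0x500: "device object completed the system power IRP but failed to call "
           "PoStartNextPowerIrp",
}

# "NAME: value" summary fields; upper-case names only, one value per line.
FIELD_RE = re.compile(r"^[ \t]*([A-Z_]+):[ \t]+(\S+)[ \t]*$", re.M)
# lmtn rows end in "(hex timestamp)", which stack frames never do.
MODULE_RE = re.compile(
    r"^[ \t]*([0-9a-f]{8})[ \t]+([0-9a-f]{8})[ \t]+(\S+)[ \t]+(\S+)"
    r"[ \t]+.*\(([0-9a-f]{8})\)[ \t]*$", re.M | re.I)


def parse_bugcheck(log):
    """Extract the stop code, its four arguments and the blamed image."""
    m = re.search(r"BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", log)
    if m is None:
        raise ValueError("no 'BugCheck' line in log")
    fields = dict(FIELD_RE.findall(log))
    stamp = fields.get("DEBUG_FLR_IMAGE_TIMESTAMP")
    return {
        "code": int(m.group(1), 16),
        "args": [int(a.strip(), 16) for a in m.group(2).split(",")],
        "image": fields.get("IMAGE_NAME"),
        "process": fields.get("PROCESS_NAME"),
        "image_timestamp": int(stamp, 16) if stamp else None,
    }


def parse_modules(log):
    """Parse 'lmtn' rows: start, end, module name, image file, PE timestamp."""
    return [
        {"start": int(s, 16), "end": int(e, 16), "name": n, "image": img,
         "timestamp": int(ts, 16)}
        for s, e, n, img, ts in MODULE_RE.findall(log)
    ]


def triage(log):
    """Summarise the crash and confirm the blamed image is the one loaded."""
    bc = parse_bugcheck(log)
    loaded = {m["image"].lower(): m for m in parse_modules(log)}
    hit = loaded.get((bc["image"] or "").lower())
    built = None
    if bc["image_timestamp"] is not None:
        # PE link timestamps are seconds since the Unix epoch, in UTC.
        built = datetime.fromtimestamp(bc["image_timestamp"], tz=timezone.utc)
    return {
        "bugcheck": "0x%X" % bc["code"],
        "subcode": SUBCODES_9F.get(bc["args"][0]) if bc["code"] == 0x9F else None,
        "image": bc["image"],
        "process": bc["process"],
        "built_utc": built.date().isoformat() if built else None,
        "loaded_at": (hit["start"], hit["end"]) if hit else None,
        # True only when the header timestamp equals the module-list entry,
        # i.e. the analysis and the loaded-module table name the same binary.
        "timestamp_matches_module_list": bool(hit)
            and hit["timestamp"] == bc["image_timestamp"],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```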
     
  12. 2009/12/15
    saraelfar

    saraelfar Inactive Thread Starter

    Joined:
    2009/12/12
    Messages:
    10
    Likes Received:
    0
    I have removed the program, but the blue screen error is still here.

    I've searched the Windows directory for the file you mentioned (xusbdfwu.sys); it is still there at the path: C:/windows/system32/drivers

    Should I manually delete the file, or what should I do?
     
  13. 2009/12/15
    Arie

    Arie Administrator Administrator Staff

    Joined:
    2001/12/27
    Messages:
    15,174
    Likes Received:
    412
    I would first search your registry for the file and prevent it from loading by deleting the entries (if found). Next I'd rename the file (xusbdfwu.$$$) to prevent it from loading.

    Please make sure you have a plan if Windows would become unbootable. There is a chance this could happen.

    You could also try checking in msconfig or Services to see if it still loads that driver.
     
  14. 2009/12/19
    saraelfar

    saraelfar Inactive Thread Starter

    Joined:
    2009/12/12
    Messages:
    10
    Likes Received:
    0
    The file xusbdfwu.sys is not loaded in Services or msconfig; I have checked that.

    But I do not know how to check whether my Registry contains the file.

    And I'm backing up my system right now, just in case it becomes unbootable.
     
  15. 2009/12/19
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Start > Run > regedit > Enter

    The Registry Editor opens.

    Edit > Find - Find what - enter xusbdfwu.sys > Find

    If present the registry string will come up.

    Press F3 to Find Next - occurrence of xusbdfwu.sys
     
  16. 2009/12/20
    saraelfar

    saraelfar Inactive Thread Starter

    Joined:
    2009/12/12
    Messages:
    10
    Likes Received:
    0
    Registry searched.

    It shows the following list:

    Name            Type            Data
    ------------------------------------------------------------
    (Default)       REG_SZ          (value not set)
    Error Control   REG_DWORD       0x00000001 (1)
    ImagePath       RegEXPAND_SZ    system32/drivers/xusbdfwu.sys
    start           REG_DWORD       0x00000003(3)
    type            REG_DWORD       0x00000001(1)


    With the marked key highlighted, and the following string in the grey bar at the bottom of the window:

    my computer\H_KEY_LOCAL_MACHINE\system\CurrentControlSet\sevices\xilinxFirmwareLoader

    Now what?
     
  17. 2009/12/20
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Highlight xilinxFirmwareLoader in the left hand column and go File > Export - call it Xlinx and save to the desktop where it will appear as Xlinx.reg.

    If you need to replace the entry later all you need to do is double click on the .reg file to merge it back into the Registry.

    Then right click on xilinxFirmwareLoader (in the left hand column) > Delete and reboot.
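
Added example (not part of the thread or of any tool it mentions): the exported backup from the steps above is plain text, so it can be checked before the key is deleted. This Python sketch parses a regedit "Version 5.00" export and decodes the `Type`, `Start` and `ErrorControl` values of any service key whose `ImagePath` points at a given driver; `SAMPLE_REG` is a constructed export carrying the values listed in the earlier post, and the function names are assumptions.

```python
import re

# Constructed sample: what a regedit "Version 5.00" export of the key would
# look like with the values listed in the thread. ImagePath is REG_EXPAND_SZ,
# which regedit writes as hex(2): UTF-16LE bytes, wrapped with a trailing "\".
# A real export file is UTF-16 on disk; open it with encoding="utf-16".
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xilinxFirmwareLoader]
"Type"=dword:00000001
"Start"=dword:00000003
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
  72,00,69,00,76,00,65,00,72,00,73,00,5c,00,78,00,75,00,73,00,62,00,64,00,66,\
  00,77,00,75,00,2e,00,73,00,79,00,73,00,00,00
"""

# Meanings of the service-control values stored under ...\Services\<name>.
START = {0: "boot", 1: "system", 2: "automatic", 3: "demand (manual)",
         4: "disabled"}
TYPE = {0x1: "kernel driver", 0x2: "file system driver",
        0x10: "Win32 own-process service", 0x20: "Win32 shared-process service"}
ERROR_CONTROL = {0: "ignore", 1: "normal", 2: "severe", 3: "critical"}


def parse_reg(text):
    """Return {key_path: {value_name: value}} for a .reg export."""
    # Join hex data that regedit wrapped with a trailing backslash.
    text = text.replace("\r\n", "\n").replace("\\\n", "")
    keys, current = {}, None
    for line in text.split("\n"):
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m is None or current is None:
            continue
        name, raw = m.groups()
        if raw.startswith("dword:"):
            current[name] = int(raw[6:], 16)
        elif raw.startswith("hex(2):"):
            data = bytes.fromhex(re.sub(r"[\s,]", "", raw[7:]))
            current[name] = data.decode("utf-16-le").rstrip("\x00")
        elif raw.startswith('"') and raw.endswith('"'):
            current[name] = raw[1:-1].replace("\\\\", "\\")
    return keys


def describe_services(text, image_name):
    """Decode every service key whose ImagePath ends with image_name."""
    wanted = "\\" + image_name.lower()
    found = []
    for key, vals in parse_reg(text).items():
        path = str(vals.get("ImagePath", "")).replace("/", "\\")
        if not path.lower().endswith(wanted):
            continue
        found.append({
            "service": key.rsplit("\\", 1)[-1],
            "image_path": path,
            "type": TYPE.get(vals.get("Type"), "unknown"),
            "start": START.get(vals.get("Start"), "unknown"),
            "error_control": ERROR_CONTROL.get(vals.get("ErrorControl"),
                                               "unknown"),
        })
    return found


if __name__ == "__main__":
    for entry in describe_services(SAMPLE_REG, "xusbdfwu.sys"):
        print(entry)
```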
     
  18. 2009/12/22
    saraelfar

    saraelfar Inactive Thread Starter

    Joined:
    2009/12/12
    Messages:
    10
    Likes Received:
    0
    registry Key deleted.. but..

    same problem still here.
     
