
Bsod

Discussion in 'Windows XP' started by timeoutgang, 2006/12/04.

  1. 2006/12/10
    mailman Geek Member
    Hi again, timeoutgang. :)

    Please forgive me. I am not trying to overwhelm you with information. I am providing the information below in case anyone else will use the information to assist with solving your issue(s).

    I used Bleeping Computer's File Database to try to identify all the files in timeoutgang's BSOD modules list in his/her most recently reported BSOD.

    The modules marked with ? resulted in "The file or search term that you are looking for can not be found."

    I Googled filenames marked below with ? and edited this post with my findings (links) in blue. :)

    ntkrnlpa.exe - Microsoft NT Kernel & System
    halaacpi.dll - Microsoft Hardware Abstraction Layer DLL
    kmixer.sys - Microsoft Kernel Mode Audio Mixer
    RDPWD.SYS - Microsoft RDP Terminal Stack Driver (US/Canada Only, Not for Export)
    tmcomm.sys - TrendMicro Common Module

    secdrv.sys - ? Macrovision SafeDisk Driver (used by games to authenticate CD)???
    Locations according to Bleeping Computer's File Database:
    • C:\WINDOWS\system32\drivers\
    • C:\Program Files\Maxis\The Sims Creator\
    • E:\Wizardry 8\

    wdmaud.sys - Microsoft MMSYSTEM Wave/Midi API mapper
    srv.sys - Microsoft Server driver
    HTTP.sys - Microsoft HTTP Protocol Stack
    mrxdav.sys - Microsoft Windows NT WebDav Minirdr
    sysaudio.sys - Microsoft System Audio WDM Filter
    mdmxsdk.sys - Conexant Diagnostic Interface DRIVER
    ndisuio.sys - Microsoft NDIS User mode I/O Driver
    ipfltdrv.sys - Microsoft IP FILTER DRIVER
    s24trans.sys - ? Intel WLAN Packet Driver???
    AegisP.sys - ? AEGIS IEEE 802.1X Protocol Driver???
    tfsnudfa.sys - ? Sonic Solutions or VERITAS "Drive Letter Access Component or Direct Access Component"???
    tfsnudf.sys - ? Sonic Solutions Drive Letter Access Component???
    tfsnifs.sys - ? Sonic Solutions or VERITAS "Drive Letter Access Component or Direct Access Component"???
    tfsnopio.sys - ? Sonic Solutions Drive Letter Access Component???
    dxg.sys - Microsoft DirectX Graphics Driver
    nv4_disp.dll - NVIDIA Compatible Windows 2000 Display driver, Version 43.45
    win32k.sys - Microsoft Multi-User Win32 Driver
    dump_atapi.sys - ? Microsoft IDE port driver???
    avg7core.sys - GRISOFT AVG Scanning Engine
    ipnat.sys - Microsoft IP Network Address Translator
    mrxsmb.sys - Microsoft Windows NT SMB Minirdr
    rdbss.sys - Microsoft Redirected Drive Buffering SubSystem Driver
    usbkbd.sys - ?
    afd.sys - Microsoft Ancillary Function Driver for WinSock
    netbt.sys - Microsoft MBT Transport driver
    tcpip.sys - Microsoft TCP/IP Protocol Driver
    ipsec.sys - Microsoft IPSec Driver
    Dxapi.sys - Microsoft DirectX API Driver
    update.sys - Microsoft Update Driver
    psched.sys - Microsoft MS QoS Packet Scheduler
    ndiswan.sys - Microsoft MS PPP Framing Driver (Strong Encryption)
    iwca.sys - ? Intel Wireless Connection Agent???
    Apfiltr.sys - ? Alps Touch Pad Driver or Alps Pointing-device Driver???
    HSF_CNXT.sys - Conexant WinACHSF driver
    HSF_DP.sys - ? Conexant HSF_DP driver???
    HSFHWICH.sys - ? Conexant HSFHWICH WDM driver???
    ks.sys - Microsoft Kernel CSA Library
    portcls.sys - Microsoft Port Class (Class Driver for Port/Miniport Devices)
    STAC97.sys - ? SigmaTel Audio Driver (WDM)???
    w29n51.sys - ? Intel® Wireless LAN Driver???
    sdbus.sys - Microsoft SecureDigital Bus Driver
    USBPORT.SYS - Microsoft USB 1.1 & 2.0 Port Driver
    VIDEOPRT.SYS - Microsoft Video Port Driver
    nv4_mini.sys - NVIDIA Compatible Windows 2000 Miniport Driver, Version 43.45
    mssmbios.sys - Microsoft System Management BIOS Driver
    serenum.sys - Microsoft Serial Port Enumerator
    Mup.sys - Microsoft Multiple UNC Provider driver
    NDIS.sys - Microsoft NDIS 5.1 wrapper driver
    Ntfs.sys - Microsoft NT File System Driver
    KSecDD.sys - Microsoft Kernel Security Support Provider Interface
    drvmcdb.sys - VERITAS Device Driver
    sr.sys - Microsoft System Restore Filesystem Filter Driver
    fltMgr.sys - Microsoft Filesystem Filter Manager
    atapi.sys - Microsoft IDE/ATAPI Port Driver
    ftdisk.sys - Microsoft FT Disk Driver
    pcmcia.sys - Microsoft PCMCIA Bus Driver
    pci.sys - Microsoft NT Plug and Play PCI Enumerator
    ACPI.sys - Microsoft ACPI Driver for NT
    isapnp.sys - Microsoft PNP ISA Bus Driver
    MountMgr.sys - Microsoft Mount Manager
    VolSnap.sys - Microsoft Volume Shadow Copy Driver
    disk.sys - Microsoft PnP Disk Driver
    CLASSPNP.SYS - Microsoft SCSI Class System Dll
    ohci1394.sys - Microsoft 1394 OpenHCI Port Driver
    1394BUS.SYS - Microsoft 1394 Bus Device Driver
    nic1394.sys - Microsoft IEEE1394 Ndis Miniport and Call Manager
    redbook.sys - Microsoft Redbook Audio Filter Driver
    VcommMgr.sys - ? Bluetooth VcommMgr driver???
    rasl2tp.sys - Microsoft RAS L2TP mini-port/call-manager driver
    raspppoe.sys - Microsoft RAS PPPoE mini-port/call-manager driver
    raspptp.sys - Microsoft Peer-to-Peer Tunneling Protocol
    msgpc.sys - Microsoft MS General Packet Classifier
    termdd.sys - Microsoft Terminal Server Driver
    NDProxy.SYS - Microsoft NDIS Proxy
    usbhub.sys - Microsoft Default Hub Driver for USB
    netbios.sys - Microsoft NetBIOS interface driver
    Fips.SYS - Microsoft FIPS Crypto Driver
    wanarp.sys - Microsoft MS Remote Access and Routing ARP Driver
    arp1394.sys - Microsoft IP/1394 Arp Client
    drvnddm.sys - ? Sonic Solutions or Software Architects or VERITAS "Device Driver Manager or NULLO"???
    tfsncofs.sys - ? Sonic Solutions or VERITAS "Drive Letter Access Component or Direct Access Component"???
    Cdfs.SYS - Microsoft CD-ROM File System Driver
    intelppm.sys - Microsoft Processor Device Driver
    bcm4sbxp.sys - ? Broadcom Corporation NDIS 5.1 ethernet driver???
    drmk.sys - Microsoft Microsoft Kernel DRM Descrambler Filter
    i8042prt.sys - Microsoft
    "The I8042prt.sys is a system function driver found in Microsoft Windows 2000 and later versions for PS/2-style keyboard and mouse devices."
    imapi.sys - Microsoft IMAPI Kernel Driver
    cdrom.sys - Microsoft SCSI CD-ROM Driver
    PCIIDEX.SYS - Microsoft PCI IDE Bus Driver Extension
    PartMgr.sys - Microsoft Partition Manager
    extfs.sys - ?
    PxHelp20.sys - Sonic Solutions Px Engine Device Driver for Windows 2000/XP
    BTHidMgr.sys - ? Bluetooth HID Manager driver???
    symlcbrd.sys - ? Symantec Core Component???
    avg7rsxp.sys - GRISOFT AVG Resident Anti-Virus Shield
    TDTCP.SYS - Microsoft TCP Transport Driver
    watchdog.sys - Microsoft Watchdog Driver
    tfsnboio.sys - ? Sonic Solutions or VERITAS "Drive Letter Access Component or Direct Access Component"???
    usbuhci.sys - Microsoft UHCI USB Miniport Driver
    usbehci.sys - Microsoft EHCI eUSB Miniport Driver
    Modem.SYS - Microsoft Modem Device Driver
    mouclass.sys - Microsoft Mouse Class Driver
    kbdclass.sys - Microsoft Keyboard Class Driver
    TDI.SYS - Microsoft TDI Wrapper
    ptilink.sys - Parallel Technologies DirectParallel IO Library
    raspti.sys - Microsoft PTI DirectParallel(R) mini-port/call-manager driver
    VComm.sys - ? AOL (America Online)???
    omci.sys - ? Dell OMCI Device Driver???
    ssrtln.sys - ? Sonic Solutions or VERITAS "Shared Driver Component"???
    vga.sys - Microsoft VGA/Super VGA Video Driver
    Msfs.SYS - Microsoft Mailslot driver
    Npfs.SYS - Microsoft NPFS Driver
    tdiip.sys - ?
    BOOTVID.dll - Microsoft VGA Boot Driver
    compbatt.sys - ? Microsoft Composite Battery Driver???
    BATTC.SYS - Microsoft Battery Class Driver
    rasacd.sys - Microsoft RAS Automatic Connection Driver
    APPDRV.SYS - ? Dell App Support Driver???
    CmBatt.sys - Microsoft Control Method Battery Driver
    ndistapi.sys - Microsoft NDIS 3.0 connection wrapper driver
    kdcom.dll - Microsoft Kernel Debugger HW Extension DLL
    WMILIB.SYS - Microsoft WMILIB WMI support library Dll
    intelide.sys - Microsoft Intel PCI IDE Driver
    sscdbhk5.sys - ? Sonic Solutions or Software Architects or VERITAS "Shared Driver Component or NULLO"???
    swenum.sys - Microsoft Plug and Play Software Device Enumerator
    USBD.SYS - Microsoft Universal Serial Bus Driver
    i2omgmt.SYS - Microsoft I2O Utility Filter
    Fs_Rec.SYS - Microsoft File System Recognizer Driver
    Beep.SYS - Microsoft BEEP Driver
    mnmdd.SYS - Microsoft Frame buffer simulator
    RDPCDD.sys - Microsoft RDP Miniport
    avg7rsw.sys - GRISOFT AVG Resident Shield Unload Helper
    dump_WMILIB.SYS - ? Microsoft WMI driver???
    tfsnpool.sys - ? Sonic Solutions or VERITAS "Drive Letter Access Component or Direct Access Component"???
    pciide.sys - Microsoft Generic PCI IDE Bus Driver
    audstub.sys - Microsoft AudStub Driver
    dxgthk.sys - Microsoft DirectX Graphics Driver Thunk
    Null.SYS - Microsoft NULL Driver
    avgclean.sys - ? (I am guessing this may be part of GRISOFT's AVG package.)
    tfsndres.sys - ? Sonic Solutions or VERITAS "Direct Access Component or Drive Letter Access Component"???
    tfsndrct.sys - ? Sonic Solutions "Drive Letter Access Component or Direct Access Component"???

    Unloaded modules:
    drmkaud.sys - Microsoft Kernel DRM Audio Descrambler Filter
    kmixer.sys - Microsoft Kernel Mode Audio Mixer
    DMusic.sys - Microsoft Microsoft Kernel DLS Synthesizer
    swmidi.sys - Microsoft GS Wavetable Synthesizer
    aec.sys - Microsoft Acoustic Echo Canceller
    splitter.sys - Microsoft Kernel Audio Splitter
    serial.sys - Microsoft Serial Device Driver
    Cdaudio.SYS - Microsoft CD-ROM Audio Filter Driver
    Sfloppy.SYS - Microsoft SCSI Floppy Driver
     
    Last edited: 2006/12/10
  2. 2006/12/10
    mailman Geek Member
    Here are links to some contradictory information from Prevx about usbkbd.sys, extfs.sys, and tdiip.sys:
    Therefore, we might be barking up the wrong tree looking for malware.

    Still, I am concerned you haven't been able to locate those files on your hard drive(s). Perhaps the modified search instructions in my post #20 above will help us determine the locations and properties for usbkbd.sys, extfs.sys, and tdiip.sys that are apparently on your laptop.

    Please let us know.
     
    Last edited: 2006/12/10
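
Added example, not part of any post in this thread: a cross-view check for the situation described above, where drivers named in the crash dump's module list cannot be located on disk. The module names are a subset of the list in the first post; both directory listings are constructed sample data, and the function names are hypothetical.

```python
from pathlib import PureWindowsPath

# Module names copied from the BSOD list in this thread (subset).
DUMP_MODULES = ["ntkrnlpa.exe", "halaacpi.dll", "tcpip.sys", "avg7core.sys",
                "dump_atapi.sys", "dump_WMILIB.SYS",
                "usbkbd.sys", "extfs.sys", "tdiip.sys"]

# Constructed sample listings (not from the thread): one taken on the running
# system, one taken with the disk read from other boot media.
LIVE_LISTING = [
    r"C:\WINDOWS\system32\ntkrnlpa.exe",
    r"C:\WINDOWS\system32\hal.dll",
    r"C:\WINDOWS\system32\drivers\tcpip.sys",
    r"C:\WINDOWS\system32\drivers\avg7core.sys",
    r"C:\WINDOWS\system32\drivers\atapi.sys",
    r"C:\WINDOWS\system32\drivers\WMILIB.SYS",
]
OFFLINE_LISTING = LIVE_LISTING + [r"C:\WINDOWS\system32\drivers\tdiip.sys"]

# Dump name -> on-disk name. The selected HAL variant is installed as hal.dll.
ON_DISK_ALIASES = {"halaacpi.dll": "hal.dll"}


def disk_name(module):
    """Map a module name from the dump to the file name expected on disk."""
    name = module.lower()
    if name.startswith("dump_"):
        # dump_* entries are in-memory copies of the crash-dump storage
        # drivers; the file to look for is the base driver.
        name = name[len("dump_"):]
    return ON_DISK_ALIASES.get(name, name)


def names(listing):
    """Lower-cased file names from a list of Windows paths."""
    return {PureWindowsPath(p).name.lower() for p in listing}


def cross_view(modules, live, offline):
    """Sort loaded modules into visible / offline-only / not found."""
    live_set, offline_set = names(live), names(offline)
    report = {"visible": [], "offline_only": [], "not_found": []}
    for module in modules:
        target = disk_name(module)
        if target in live_set:
            report["visible"].append(module)
        elif target in offline_set:
            # On disk, but not shown by the running system's view.
            report["offline_only"].append(module)
        else:
            report["not_found"].append(module)
    return report
```

Entries under `offline_only` are the ones to examine first (file properties, signature, scanner verdict); entries under `not_found` were loaded at crash time but have no matching file in either view.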


  4. 2006/12/11
    timeoutgang Inactive Thread Starter
    Mailman, my apologies :rolleyes:. I didn't try Aries' suggestion! Have downloaded the fix. How will I know if this has solved the issue?
    Sorry again mate.
     
  5. 2006/12/11
    timeoutgang Inactive Thread Starter
    Mailman, good news as you can see. Riched has been fixed, thank you, let's hope the BSOD has also gone. :)
    Event Type: Information
    Event Source: Windows File Protection
    Event Category: None
    Event ID: 64020
    Date: 08/12/2006
    Time: 20:04:57
    User: N/A
    Computer: D67TGY1J
    Description:
    Windows File Protection scan found that the system file c:\windows\system32\riched20.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.30.23.1221.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
     
  6. 2006/12/11
    timeoutgang Inactive Thread Starter
    No luck I'm afraid mailman. Still can't find usbkbd.
     
  7. 2006/12/11
    timeoutgang Inactive Thread Starter
    Ran a panda scan online & the following were found:-

    Elite, found in 2 locations,
    1) C:\Windows\system32\drivers\tdiip.sys
    2) C:\Windows\system32\windump.exe

    List.istbar, found in c:\windows\system32\mscache.sys

    Thespyguard, found in c:\windows\system32\winsrv32.exe

    Mywebsearch, found in hkey_classes_root\clsid\{147A976E-EEE1-4377-8EA7-4716E4CDD239}

    Com.com, found in C:\documents and settings\Dafydd\Cookies\dafydd@com[1].txt

    SCKeylog.AC, found in 10 locations,
    1) C:\documents and settings\Dafydd\Local Settings\Temp\Temporary Directory 1 for scklpro.zip\scklpro.exe[klenA]
    2) C:\documents and settings\Dafydd\Local Settings\Temp\Temporary Directory 1 for scklpro.zip\scklpro.exe[kllnA]
    3) C:\documents and settings\Dafydd\Local Settings\Temp\Temporary Directory 2 for scklpro.zip\scklpro.exe[klenA]
    4) C:\documents and settings\Dafydd\Local Settings\Temp\Temporary Directory 2 for scklpro.zip\scklpro.exe[kllnA]
    5) C:\documents and settings\Dafydd\Local Settings\Temp\Temporary Directory 3 for scklpro.zip\scklpro.exe[klenA]
    6) C:\documents and settings\Dafydd\Local Settings\Temp\Temporary Directory 3 for scklpro.zip\scklpro.exe[kllnA]
    7) C:\documents and settings\Dafydd\My Documents\My Recieved Files\scklpro.zip[scklpro.exe][klenA]
    8) C:\documents and settings\Dafydd\My Documents\My Recieved Files\scklpro.zip[scklpro.exe][kllnA]
    9) C:\Program Files\SCKLPRO\klenA
    10) C:\Program Files\SCKLPRO\kllnA

    Eicar.Mod, found in C:\KAV\PersonalPro\CD French\data1.cab[eicar.html]

    Hack Tool/EvID, found in C:\Program Files\PPLive TV\SynaLiveSetup.exe[EvID4226Patch.exe]

    Don't know where to turn next! Why haven't AVG, Spybot & AdAware picked these up?
    Please help, what now?
     
  8. 2006/12/11
    TeMerc Inactive Alumni
    I just used the 'search' function for the other thread in Spyware & Virus removal, and neither of these two files:
    winsrv32.exe
    mscache.sys
    appear in the search, so it looks to be newly injected. Of course I have no idea how good the search function is tho.

    I just checked manually for:
    SCKLPRO

    It also does not appear on any of the pages on that thread.

    It looks to me that somehow these things have been added. I'm going to do another search for these things later on tonite, when I'm unfettered by Jr and other things.

    Cookies of course are harmless.

    That reg key for MyWeb won't be causing these blue screens.

    Eicar thing obviously a f/p, as it's located in your KAV folder.

    I'd like you to start a new thread over in S&V removal, so we can start some new searches. We had run the gamut of search tools in the other thread, to no avail.

    Most of these are new.
     
  9. 2006/12/12
    timeoutgang Inactive Thread Starter
    Have posted new thread on Removing S & V as requested.
     
  10. 2006/12/14
    mailman Geek Member
    Hi, timeoutgang.

    That's GREAT news that you made progress! :) Thanks for following up! I hope your BSODs are a thing of the past now that you apparently have riched20.dll replaced.

    Can you run Ad-Aware now with success?

    I think it would be a good idea to try to figure out how you seem to keep getting new malware installed on your system (as TeMerc pointed out). Also, once you clean your system again, I recommend you immediately change all your passwords you use (Windows login username and password, online passwords, etc.) since those keyloggers probably captured those passwords and possibly sent them to someone somewhere.

    I am following your new thread in the Removing Spyware & Viruses forum with interest.

    Good luck! Thanks again for your patience and for consistently following up.
     
