
BSOD IRQ Conflict

Discussion in 'Windows XP' started by MitchellCooley, 2007/01/09.

  1. 2007/01/09
    MitchellCooley Lifetime Subscription

    MitchellCooley Inactive Thread Starter

    Joined:
    2006/12/02
    Messages:
    1,090
    Likes Received:
    20
    My co-worker's home machine keeps crashing on him. I took a look at it and it seems there is an IRQ conflict somewhere. I am aware that XP allows peripherals to share IRQs but his problem is (I believe) as follows:

    His clearwire modem and his Graphics Card are sharing the same IRQ. He had called Clearwire and they walked him through setting this IRQ for the modem in CMOS. He has several other peripherals sharing this same IRQ.

    I thought the modem was just an attachment to the NIC which has its own IRQ (if I remember correctly). Should the Clearwire modem need an IRQ? My Xanadoo modem does not.

    He has some free IRQs above #9, can I move the modem to another IRQ to help fix the problem?

    Anyone have any ideas or had a similar problem?????

    Thanks

    Mitchell
     
  2. 2007/01/09
    Bill Castner

    Bill Castner Inactive

    Joined:
    2006/08/30
    Messages:
    1,980
    Likes Received:
    0
    The error message is likely an IRQL message, and has nothing to do with IRQs.

    The most common are 0x0A -- IRQL was less than equal, or 0xD1 -- the IRQL was too high.

    Please post back the message, including error # and error text.
     


  4. 2007/01/09
    MitchellCooley Lifetime Subscription


    thanks, he has gone out of town for a couple of days so it will probably be later in the week before I get to his machine.

    Mitchell
     
  5. 2007/01/16
    MitchellCooley Lifetime Subscription

    Well, I went to my friend's house today to try to get some information for you. I tried to load the debugger to create a log file and it said it needed the tools. I downloaded the tools (in safe mode, as that was the only way to surf the net without it crashing) and then tried to install the file (in standard mode) and it BSOD'd.

    I tried to write down as much of the error text as I could but it rebooted on me.

    I took the memory diagnostics tool with me on a floppy but his system could not read the diskette.

    So, on the off chance there might be some malicious file causing the problem I ran SpyBot S&D and BSOD'd three quarters of the way through. Then I tried AVG and it did the same only sooner.

    The Blue Screen error is not the same each time. There was what appeared to be a general error, then an IRQL error, then a Registry Error, Then another general error.

    I tried to email the memory dump files to myself so I could try to create a log file to post, but when we went to Yahoo to send them to me it BSOD'd as I was trying to attach the files.

    I don't know what to do to keep his system stable enough to get the information I need to post.

    Can you suggest anything?

    Thanks for any help

    Mitchell:confused:
     
  6. 2007/01/16
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Hi Mitchell

    Before we get into that, let's do something else to clean the slate, so to speak.

    Has it ever failed in safe mode?

    Since it works in Safe Mode.

    download install the below.

    ATF-Cleaner http://www.atribune.org/content/view/25/2/
    when run check select all run twice or more until nothing else found
    ===================================================

    CCleaner get the slim version http://www.ccleaner.com/download/builds.aspx
    Click bottom right Run Cleaner twice
    then in left panel click issues then below Scan for issues run twice or until no more found
    ====================================================

    Clean all user profiles at once.

    http://ezpcfix.net/download.aspx?dlo...x-1-0-0-16.exe

    http://ezpcfix.net/download.aspx?dlo...-16/Plugin.inf

    The above need to be downloaded and need no install but need to be put together in the same folder.

    So download them create a folder I recommend Program Files\EzPcFix and run them from there.

    This seems to be a simple and basic program at first but I advise you not to tinker with too many of its other features unless you know what you are doing. It has some extremely powerful features but looks so harmless.

    Here are the steps:

    1. Run the program
    2. Click Load Hives
    3. Double click Delete temp files
    4. Select the optional check boxes if you want
    5. If you Checked _Restore /System Volume information\_Restore then you should create a new restore point via System Restore.
    6. I usually close the Hives before exit

    Even better run in Safe Mode.
    =================================================

    Download install and run
    http://www.xblock.com/download/xclean_micro.exe

    This is an advanced cleaner that goes after (not everything) but only the worst most prolific and damaging malware and some viri.

    Delete ALL it finds no exceptions, if after cleaning an incident, it advises a reboot, say no during the process, but do so when the program ends before continuing with next step below.

    I use this as preclean before SpyBot and AdAware.

    Then

    Now that you have spybot installed and updated run it also in Safe Mode.

    Then test it in full mode to see if it has same problem.

    Mike
     
  7. 2007/01/16
    MitchellCooley Lifetime Subscription

    It only failed once in safe mode and that was when I was trying to run SpyBot S&D. Otherwise I was able to browse and do just about whatever I wanted without too much difficulty.

    I'll report back tomorrow

    Mitchell
     
  8. 2007/01/16
    mflynn

    For tomorrow.

    Do you feel it was the same or perhaps a different kind of problem, like SpyBot hitting a badboy?

    Mike
     
  9. 2007/01/17
    MitchellCooley Lifetime Subscription


    It found two bad boys then hit something that caused it to return a red and white triangle and an error message in the "problems found dialog" several lines deep. I updated spybot and ran it again in standard mode - no errors but BSOD.

    Mitchell
     
  10. 2007/01/19
    MitchellCooley Lifetime Subscription

    New Strange Behavior

    Mike,

    I think I got the BSOD problem fixed. He has been up and running for two days with no BSOD. His system was ate up......

    but, every time I tried to install the debugger tools from Microsoft, or Updates, or anything else, I got a message that the windows installer was not running - but it was....

    I ran windows file protection and it fixed several files on his system but we got another BSOD. He decided he wanted to try to re-install XP. So we did that. Downloaded sygate firewall, spybot S&D, AVG, and Popup Stopper.

    Now he has some strange things going on

    He is getting Windows Messenger popups constantly
    ( "your registry is infected..... ")
    ( "your system is not protected..... ")
    etc

    Some quotes from his emails:

    "that messenger thing keeps coming up every 5 min driving me nuts"
    "puter still doing weird things has restarted 7 or 8 times by its self today . avg wants a number that i don't have . pop up message still trying to get past pop up stopper . some things load real slow like my yahoo mess after restart. no blue screen yet"
    "just sent a e-mail to u system doing weird things restarted 7 or 8 times today all by its self some things load real slow and some other things"
    "i did the immunize thing found 7 problems it fixed all 7 so far so good still getting that pop up message thing although pop up stopper catching it went to bed last night when i got up there was 35 messages stacked on top of each other all the same thing"

    Should this be moved to "Removing Spyware and Viruses "? or is there something I didn't catch or reset or something.

    I am not experienced with XP and don't want to mess things up for him. I did information systems work for the Air Force a decade or so ago but moved on to something different and just haven't kept up to date.

    Thanks for any help.

    Mitchell
     
  11. 2007/01/19
    mflynn

    OK Mitch

    Not clear to me.

    Did you do all the steps I recommended?

    We may have gotten to the point of my recommendation of a repair install, which is what I hope you did.

    But as long as it would run in safe mode it would have been the goal to get it as clean as possible before a repair install.

    A full clean install would not require this.

    Don't sound like he is really clean

    You may need to go thru them again, especially the Xclean, spybot and adaware, which should be easier if you have fixed the BSOD.

    For the Messenger do the below.

    Start-Run
    type
    cmd
    type
    services.msc
    find messenger in this list
    click and stop the service
    then
    dbl click
    set to disabled


    Mike
     
  12. 2007/01/19
    MitchellCooley Lifetime Subscription


    Mike,

    I got through everything to the point of Installing Adaware, that is where I got the first "windows installer error ".

    When we reinstalled XP I asked him if he wanted to repair the installation or do whole new install (explained he would lose quite a bit of presets and need to re-register, etc). He was so frustrated he didn't want to take a chance on it not working.

    I know he still has problems

    Any advice or instructions will be followed to the T.

    Mitchell
     
  13. 2007/01/19
    mflynn

    Hi Mitch

    If you did a clean install then to maintain and keep it clean.

    I would still download and install the items in post #5 and #7

    BUT! Going by your last report, I believe it was not a clean install but an added installation.

    Is there now a c:\Windows and a c:\Winnt folder on the c drive. If so all the old stuff is still there.

    Are you sure the drive was formatted?

    Mike
     
  14. 2007/01/20
    MitchellCooley Lifetime Subscription

    The answer is - no I am not sure. I will look at his system, probably tomorrow. I need to get him back to normal as soon as I can. He is just happy not to have a BSOD every 20 minutes or so.

    I will report back from his system as soon as I can. Pls be patient with me - he and I work nights and sometimes it is hard to get together to fix this stuff. Talk to you soon.

    BTW, I will go through ALL those steps on my next trip to his house.

    Mitchell
     
  15. 2007/01/20
    mflynn

    Hi Mitch

    That is what I am concerned about! These issues should not be there already if a clean install.

    The steps we needed for before the reinstall, should not need to be done now.

    Or

    1. There is a site or some way he has already been contaminated again quickly.

    2. This is hardware problem

    The good news would be he did not actually do a clean install. That would explain it!

    Mike
     
  16. 2007/02/15
    MitchellCooley Lifetime Subscription


    Hope to have something for this in about a week. His system is working occasionally - now it just restarts. I have time scheduled with him this weekend.

    Mitchell
     
  17. 2007/02/15
    mflynn

    Mitch

    One way to tell if he did a clean install is to browse the c: drive and look for file dates before the install.

    Also if his My Documents and Emails exist from before then it was not a clean install.

    Mike
     
  18. 2007/02/18
    MitchellCooley Lifetime Subscription

    Well, finally got to Jim's house to work on his system. Ran all the cleaners you recommended. Spybot did find something called WindowsAntivirusOveride, then it crapped out on ZLob.ZCodec - error message was "access violation at address 0040247F Read of address BB992468 "

    Hijackthis log and Silent Runners are included here. This was a clean install but the drive was not formatted. His personal files were elsewhere on the drive but under the same Windows directory.

    Hijack this log:

    Logfile of HijackThis v1.99.1
    Scan saved at 3:05:35 PM, on 2/18/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\savedump.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\DOCUME~1\JAMESW~1.JIM\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1169075777935
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169162739510
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

    Silent Runners:

    "Silent Runners.vbs ", revision R50, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++} "


    Startup items buried in registry:
    ---------------------------------

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [ "Safer Networking Limited"]
    "Yahoo! Pager" = " "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet" [ "Yahoo! Inc."]
    "PopUpStopperFreeEdition" = " "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" " [ "Panicware, Inc."]
    "ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" [ "GRISOFT, s.r.o."]
    "SmcService" = "C:\PROGRA~1\Sygate\SPF\smc.exe -startgui" [ "Sygate Technologies, Inc."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" [ "Safer Networking Limited"]
    {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Yahoo! IE Services Button "
    \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" [ "Yahoo! Inc."]
    {AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Google Toolbar Helper "
    \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" [ "Google Inc."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension "
    -> {HKLM...CLSID} = "Display Panning CPL Extension "
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext "
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext "
    \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" [ "Hilgraeve, Inc."]
    "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension "
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class "
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" [ "GRISOFT, s.r.o."]
    "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension "
    -> {HKLM...CLSID} = "AVG7 Find Extension Class "
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" [ "GRISOFT, s.r.o."]
    "{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail "
    -> {HKLM...CLSID} = "YMailShellExt Class "
    \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" [ "Yahoo! Inc."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    "WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5} "
    -> {HKLM...CLSID} = "WPDShServiceObj Class "
    \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} "
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class "
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" [ "GRISOFT, s.r.o."]
    Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499} "
    -> {HKLM...CLSID} = "YMailShellExt Class "
    \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" [ "Yahoo! Inc."]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} "
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class "
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" [ "GRISOFT, s.r.o."]


    Group Policies {policy setting}:
    --------------------------------

    Note: detected settings may not have any effect.

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Shutdown: Allow system to be shut down without having to log on}

    "undockwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Devices: Allow undock without having to log on}


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop may be enabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
    HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
    "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp "

    Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\Documents and Settings\James Whinery.JIMBOS-PUTER\Local Settings\Application Data\Microsoft\Wallpaper1.bmp "


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Toolbars

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F} "
    -> {HKLM...CLSID} = "&Google "
    \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" [ "Google Inc."]

    HKLM\Software\Microsoft\Internet Explorer\Toolbar\
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
    -> {HKLM...CLSID} = "&Google "
    \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" [ "Google Inc."]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\
    "ButtonText" = "Yahoo! Services "
    "CLSIDExtension" = "{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} "
    -> {HKLM...CLSID} = "Yahoo! IE Services Button "
    \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" [ "Yahoo! Inc."]


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" [ "GRISOFT, s.r.o."]
    AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" [ "GRISOFT, s.r.o."]
    AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" [ "GRISOFT, s.r.o."]
    Sygate Personal Firewall, SmcService, "C:\Program Files\Sygate\SPF\smc.exe" [ "Sygate Technologies, Inc."]


    ----------
    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + To search all directories of local fixed drives for DESKTOP.INI
    DLL launch points, use the -supp parameter or answer "No" at the
    first message box and "Yes" at the second message box.
    ---------- (total run time: 39 seconds, including 8 seconds for message boxes)


    I have been on his system now for about 10 minutes with no shutdown. It seems the last three times it shut down on me was when I was trying to correct a bad install of AVG.?????

    I will keep working as long as I can. Will await your advice.

    Two other things though: He suggested reformatting the harddrive with fdisk - are we at that point yet? And, he has a 25mb FAT partition on his computer and it appears an old install of windows is in there......should we get rid of that FAT partition?????

    Thanks

    Mitchell
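
A first-pass triage of a HijackThis log like the one posted above, as an added example that is not part of the original thread. The function names and the two heuristics (entries whose target is `(no file)`, and running processes under a Temp directory) are assumptions made for this illustration, and the sample is a constructed excerpt in the same layout as the posted log.

```python
import re
from collections import defaultdict

# Constructed excerpt: lines in the HijackThis v1.99.1 layout, taken in shape
# from the log in the post above (not the complete log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\DOCUME~1\JAMESW~1.JIM\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""

# "R3 - ..." / "O23 - ..." : section code, then the entry body.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Assumed heuristic: a path component named Temp or Tmp.
TEMP_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)


def parse_hijackthis(text):
    """Split a log into (running process paths, [(section code, body), ...])."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False  # the process list ends at the first entry
            entries.append((match.group(1), match.group(2)))
        elif in_processes:
            processes.append(line)
    return processes, entries


def triage(text):
    """Return (kind, code, detail) tuples for lines worth a second look.

    A hit is a prompt for review, not a verdict: in the sample, the process
    under Temp is HijackThis itself, run straight out of its zip file.
    """
    processes, entries = parse_hijackthis(text)
    findings = []
    for path in processes:
        if TEMP_RE.search(path):
            findings.append(("process-in-temp", "proc", path))
    for code, body in entries:
        # "(no file)" means the registry entry points at a file that is gone.
        if body.rstrip().endswith("(no file)"):
            findings.append(("orphaned-entry", code, body))
    return findings


def orphaned_clsids(text):
    """Group orphaned entries by CLSID, so one leftover component that is
    registered in several places shows up as a single item."""
    grouped = defaultdict(list)
    for kind, code, body in triage(text):
        if kind != "orphaned-entry":
            continue
        for clsid in CLSID_RE.findall(body):
            grouped[clsid.upper()].append(code)
    return dict(grouped)


if __name__ == "__main__":
    for kind, code, detail in triage(SAMPLE_LOG):
        print(f"{kind:16} {code:5} {detail}")
    for clsid, codes in orphaned_clsids(SAMPLE_LOG).items():
        print(f"{clsid} is referenced with no file by: {', '.join(codes)}")
```
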
     
  19. 2007/02/18
    mflynn

    Hi Mitch

    Glad you got back to let us finish as I am trying to close all my threads and am not doing any new ones.

    Nothing bad in the HJT log but I would recommend dumping the Yahoo Toolbar and go with the Google toolbar. Use Google's Popup stopper.
    Not a good idea to have 2 big competing Toolbars. Dump the panicware popup stopper.

    Even without the Yahoo toolbar you can still use yahoo messenger and mail.

    Before we do much more do the following to make sure about the Virus and Malware.

    Download AVG AntiSpyware
    http://free.grisoft.com/softw/70free/setup/avgas-setup-7.5.0.50.exe

    Mcafee stand alone virus cleaner
    http://i1.edskes.com/m/mcafee_20070216.exe

    Update Spybot and Adaware and run all the above in Safe Mode.

    Mike
     
  20. 2007/02/18
    MitchellCooley Lifetime Subscription

    bsod log file

    I have a log file from the most recent minidump. Here it is. On my way home, gotta get ready for work. will be back on line at about 3:00a.m.

    Minidump log file:

    Opened log file 'c:\debuglog.txt'

    Microsoft (R) Windows Debugger Version 6.6.0007.5
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [C:\WINDOWS\Minidump\Mini021807-10.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available

    Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is: C:\WINDOWS;C:\WINDOWS\system32;C:\WINDOWS\system32\drivers
    Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS Personal
    Built by: 2600.xpsp_sp2_gdr.050301-1519
    Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055a420
    Debug session time: Sun Feb 18 16:51:06.480 2007 (GMT-6)
    System Uptime: 0 days 0:01:10.030
    Loading Kernel Symbols
    ........................................................................................................................
    Loading User Symbols
    Loading unloaded module list
    ....
    *** ERROR: Module load completed but symbols could not be loaded for avg7rsxp.sys
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 1000008E, {c0000005, 1, ecf2c998, 0}

    *** ERROR: Symbol file could not be found. Defaulted to export symbols for avg7rsw.sys -
    Probably caused by : avg7rsxp.sys ( avg7rsxp+24e8 )

    Followup: MachineOwner
    ---------

    kd> !analyze -v;r;kv;lmtn;.logclose;q
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
    This is a very common bugcheck. Usually the exception address pinpoints
    the driver/function that caused the problem. Always note this address
    as well as the link date of the driver/image that contains this address.
    Some common problems are exception code 0x80000003. This means a hard
    coded breakpoint or assertion was hit, but this system was booted
    /NODEBUG. This is not supposed to happen as developers should never have
    hardcoded breakpoints in retail code, but ...
    If this happens, make sure a debugger gets connected, and the
    system is booted /DEBUG. This will let us see why this breakpoint is
    happening.
    Arguments:
    Arg1: c0000005, The exception code that was not handled
    Arg2: 00000001, The address that the exception occurred at
    Arg3: ecf2c998, Trap Frame
    Arg4: 00000000

    Debugging Details:
    ------------------


    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx ". The memory could not be "%s ".

    FAULTING_IP:
    +1
    00000001 ?? ???

    TRAP_FRAME: ecf2c998 -- (.trap ffffffffecf2c998)
    .trap ffffffffecf2c998
    ErrCode = 00000000
    eax=bc65beb0 ebx=841c2a30 ecx=00000000 edx=84095020 esi=83d96e28 edi=83d96fdc
    eip=00000001 esp=ecf2ca0c ebp=ecf2ca24 iopl=0 nv up ei pl zr na pe nc
    cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
    00000001 ?? ???
    .trap
    Resetting default scope

    CUSTOMER_CRASH_COUNT: 10

    DEFAULT_BUCKET_ID: COMMON_SYSTEM_FAULT

    BUGCHECK_STR: 0x8E

    PROCESS_NAME: TeaTimer.exe

    LAST_CONTROL_TRANSFER: from f78614e8 to 00000001

    STACK_TEXT:
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    ecf2ca08 f78614e8 f7ad59f0 83d96e28 840950d8 0x1
    ecf2ca24 f78607eb 84095020 841c2a00 ecf2cb3c avg7rsxp+0x24e8
    ecf2ca34 f7ad5436 84095020 83d96e28 83d96e38 avg7rsxp+0x17eb
    ecf2cb3c 8056316c 8437ce30 00000000 83ff08d0 avg7rsw!AvgWrapAllocatePoolWithTag+0x48
    ecf2cbc4 8056729a 00000000 ecf2cc04 00000040 nt!ObpLookupObjectName+0x56a
    ecf2cc18 80570b73 00000000 00000000 00000001 nt!ObOpenObjectByName+0xeb
    ecf2cc94 80570c42 0190fc48 80100080 0190fbe8 nt!IopCreateFile+0x407
    ecf2ccf0 80570d78 0190fc48 80100080 0190fbe8 nt!IoCreateFile+0x8e
    ecf2cd30 804de7ec 0190fc48 80100080 0190fbe8 nt!NtCreateFile+0x30
    ecf2cd30 7c90eb94 0190fc48 80100080 0190fbe8 nt!KiFastCallEntry+0xf8
    0190fc40 00000000 00000000 00000000 00000000 0x7c90eb94


    STACK_COMMAND: kb

    FOLLOWUP_IP:
    avg7rsxp+24e8
    f78614e8 83c9ff or ecx,0FFFFFFFFh

    SYMBOL_STACK_INDEX: 1

    SYMBOL_NAME: avg7rsxp+24e8

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: avg7rsxp

    IMAGE_NAME: avg7rsxp.sys

    DEBUG_FLR_IMAGE_TIMESTAMP: 44965e88

    FAILURE_BUCKET_ID: 0x8E_avg7rsxp+24e8

    BUCKET_ID: 0x8E_avg7rsxp+24e8

    Followup: MachineOwner
    ---------

    eax=bc65beb0 ebx=841c2a30 ecx=00000000 edx=84095020 esi=83d96e28 edi=83d96fdc
    eip=00000001 esp=ecf2ca0c ebp=ecf2ca24 iopl=0 nv up ei pl zr na pe nc
    cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
    00000001 ?? ???
    ChildEBP RetAddr Args to Child
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    ecf2ca08 f78614e8 f7ad59f0 83d96e28 840950d8 0x1
    ecf2ca24 f78607eb 84095020 841c2a00 ecf2cb3c avg7rsxp+0x24e8
    ecf2ca34 f7ad5436 84095020 83d96e28 83d96e38 avg7rsxp+0x17eb
    ecf2cb3c 8056316c 8437ce30 00000000 83ff08d0 avg7rsw!AvgWrapAllocatePoolWithTag+0x48
    ecf2cbc4 8056729a 00000000 ecf2cc04 00000040 nt!ObpLookupObjectName+0x56a (FPO: [Non-Fpo])
    ecf2cc18 80570b73 00000000 00000000 00000001 nt!ObOpenObjectByName+0xeb (FPO: [Non-Fpo])
    ecf2cc94 80570c42 0190fc48 80100080 0190fbe8 nt!IopCreateFile+0x407 (FPO: [Non-Fpo])
    ecf2ccf0 80570d78 0190fc48 80100080 0190fbe8 nt!IoCreateFile+0x8e (FPO: [Non-Fpo])
    ecf2cd30 804de7ec 0190fc48 80100080 0190fbe8 nt!NtCreateFile+0x30 (FPO: [Non-Fpo])
    ecf2cd30 7c90eb94 0190fc48 80100080 0190fbe8 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ ecf2cd64)
    0190fc40 00000000 00000000 00000000 00000000 0x7c90eb94
    start end module name
    804d7000 806eb100 nt ntoskrnl.exe Tue Mar 01 18:59:37 2005 (42250FF9)
    806ec000 806ffd80 hal halacpi.dll Wed Aug 04 00:59:04 2004 (41107B28)
    bf800000 bf9c0500 win32k win32k.sys Tue Mar 01 19:06:42 2005 (422511A2)
    bf9c1000 bf9d2580 dxg dxg.sys Wed Aug 04 01:00:51 2004 (41107B93)
    bf9d3000 bfb45780 vtdisp vtdisp.dll Sat Jun 07 03:43:10 2003 (3EE1A59E)
    ec692000 ec6d2280 HTTP HTTP.sys Thu Mar 16 18:33:09 2006 (441A03C5)
    ecb5b000 ecbac480 srv srv.sys Mon Aug 14 05:34:39 2006 (44E051BF)
    ecc9d000 eccc9400 mrxdav mrxdav.sys Wed Aug 04 01:00:49 2004 (41107B91)
    ece62000 ece8c180 kmixer kmixer.sys Wed Jun 14 03:47:45 2006 (448FCD31)
    ecf2d000 ecf4fc80 aec aec.sys Fri Oct 01 12:00:21 2004 (415D8D25)
    ecf50000 ecf64400 wdmaud wdmaud.sys Wed Jun 14 04:00:44 2006 (448FD03C)
    ecff5000 ed004900 Cdfs Cdfs.SYS Wed Aug 04 01:14:09 2004 (41107EB1)
    ed175000 ed181e80 DMusic DMusic.sys Wed Aug 04 01:07:37 2004 (41107D29)
    ed185000 ed192400 swmidi swmidi.sys Fri Aug 17 16:00:42 2001 (3B7D85FA)
    ed1d5000 ed1d7120 wg6n wg6n.sys Wed Oct 13 18:56:34 2004 (416DC0B2)
    ed1d9000 ed1db120 wg5n wg5n.sys Wed Oct 13 18:56:33 2004 (416DC0B1)
    ed1dd000 ed1df120 wg4n wg4n.sys Wed Oct 13 18:56:32 2004 (416DC0B0)
    ed1e1000 ed1e3120 wg3n wg3n.sys Wed Oct 13 18:56:30 2004 (416DC0AE)
    ed205000 ed213d80 sysaudio sysaudio.sys Wed Aug 04 01:15:54 2004 (41107F1A)
    ed2d9000 ed2dc280 ndisuio ndisuio.sys Wed Aug 04 01:03:10 2004 (41107C1E)
    f57ed000 f5804480 dump_atapi dump_atapi.sys Wed Aug 04 00:59:41 2004 (41107B4D)
    f5805000 f5828000 Fastfat Fastfat.SYS Wed Aug 04 01:14:15 2004 (41107EB7)
    f5828000 f58ef4a0 avg7core avg7core.sys Wed Sep 27 08:27:37 2006 (451A7C49)
    f5d65000 f5d85f00 ipnat ipnat.sys Wed Aug 04 01:04:48 2004 (41107C80)
    f5d86000 f5df4a00 mrxsmb mrxsmb.sys Fri May 05 04:41:42 2006 (445B1DD6)
    f5e1d000 f5e47a00 rdbss rdbss.sys Fri May 05 04:47:55 2006 (445B1F4B)
    f5e48000 f5e69d00 afd afd.sys Wed Aug 04 01:14:13 2004 (41107EB5)
    f5e6a000 f5e91c00 netbt netbt.sys Wed Aug 04 01:14:36 2004 (41107ECC)
    f5e92000 f5ee9d80 tcpip tcpip.sys Thu Apr 20 06:51:47 2006 (444775D3)
    f5eea000 f5efc400 ipsec ipsec.sys Wed Aug 04 01:14:27 2004 (41107EC3)
    f6f45000 f6f78200 update update.sys Wed Aug 04 00:58:32 2004 (41107B08)
    f7030000 f7040e00 psched psched.sys Wed Aug 04 01:04:16 2004 (41107C60)
    f7041000 f7057680 ndiswan ndiswan.sys Wed Aug 04 01:14:30 2004 (41107EC6)
    f7058000 f706b900 parport parport.sys Wed Aug 04 00:59:04 2004 (41107B28)
    f706c000 f708f980 portcls portcls.sys Wed Aug 04 01:15:47 2004 (41107F13)
    f7090000 f70c1b80 vinyl97 vinyl97.sys Sun Oct 08 23:58:46 2006 (4529D706)
    f70c2000 f70e4680 ks ks.sys Wed Aug 04 01:15:20 2004 (41107EF8)
    f70e5000 f7107e80 USBPORT USBPORT.SYS Wed Aug 04 01:08:34 2004 (41107D62)
    f7108000 f71c9be0 USR1806 USR1806.SYS Tue Jul 10 18:52:12 2001 (3B4B952C)
    f71ca000 f71dd780 VIDEOPRT VIDEOPRT.SYS Wed Aug 04 01:07:04 2004 (41107D08)
    f71de000 f721d380 vtmini vtmini.sys Sat Jun 07 03:43:25 2003 (3EE1A5AD)
    f7222000 f7224280 rasacd rasacd.sys Fri Aug 17 15:55:39 2001 (3B7D84CB)
    f737d000 f7397580 Mup Mup.sys Wed Aug 04 01:15:20 2004 (41107EF8)
    f7398000 f73b5000 Teefer Teefer.sys Fri Oct 15 20:17:00 2004 (4170768C)
    f73b5000 f73e1a80 NDIS NDIS.sys Wed Aug 04 01:14:27 2004 (41107EC3)
    f73e2000 f746e480 Ntfs Ntfs.sys Wed Aug 04 01:15:06 2004 (41107EEA)
    f746f000 f7485780 KSecDD KSecDD.sys Wed Aug 04 00:59:45 2004 (41107B51)
    f7486000 f7497f00 sr sr.sys Wed Aug 04 01:06:22 2004 (41107CDE)
    f7498000 f74b7780 fltmgr fltmgr.sys Mon Aug 21 04:14:57 2006 (44E97991)
    f74b8000 f74cf480 atapi atapi.sys Wed Aug 04 00:59:41 2004 (41107B4D)
    f74d0000 f74ee880 ftdisk ftdisk.sys Fri Aug 17 15:52:41 2001 (3B7D8419)
    f74ef000 f74ffa80 pci pci.sys Wed Aug 04 01:07:45 2004 (41107D31)
    f7500000 f752dd80 ACPI ACPI.sys Wed Aug 04 01:07:35 2004 (41107D27)
    f754f000 f7557c00 isapnp isapnp.sys Fri Aug 17 15:58:01 2001 (3B7D8559)
    f755f000 f7569500 MountMgr MountMgr.sys Wed Aug 04 00:58:29 2004 (41107B05)
    f756f000 f757bc80 VolSnap VolSnap.sys Wed Aug 04 01:00:14 2004 (41107B6E)
    f757f000 f7587e00 disk disk.sys Wed Aug 04 00:59:53 2004 (41107B59)
    f758f000 f759b200 CLASSPNP CLASSPNP.SYS Wed Aug 04 01:14:26 2004 (41107EC2)
    f759f000 f75a9e80 uagp35 uagp35.sys Wed Aug 04 01:07:43 2004 (41107D2F)
    f75cf000 f75d7700 netbios netbios.sys Wed Aug 04 01:03:19 2004 (41107C27)
    f75df000 f75e7880 Fips Fips.SYS Fri Aug 17 20:31:49 2001 (3B7DC585)
    f75ef000 f75f7700 wanarp wanarp.sys Wed Aug 04 01:04:57 2004 (41107C89)
    f765f000 f7668200 amdk7 amdk7.sys Wed Aug 04 00:59:19 2004 (41107B37)
    f766f000 f767b180 cdrom cdrom.sys Wed Aug 04 00:59:52 2004 (41107B58)
    f767f000 f768d080 redbook redbook.sys Wed Aug 04 00:59:34 2004 (41107B46)
    f768f000 f7699380 imapi imapi.sys Wed Aug 04 01:00:12 2004 (41107B6C)
    f769f000 f76adb80 drmk drmk.sys Wed Aug 04 01:07:54 2004 (41107D3A)
    f76af000 f76b9600 fetnd5bv fetnd5bv.sys Wed Dec 15 23:36:28 2004 (41C11EDC)
    f76bf000 f76ced80 serial serial.sys Wed Aug 04 01:15:51 2004 (41107F17)
    f76cf000 f76dbe00 i8042prt i8042prt.sys Wed Aug 04 01:14:36 2004 (41107ECC)
    f76df000 f76eb880 rasl2tp rasl2tp.sys Wed Aug 04 01:14:21 2004 (41107EBD)
    f76ef000 f76f9200 raspppoe raspppoe.sys Wed Aug 04 01:05:06 2004 (41107C92)
    f76ff000 f770ad00 raspptp raspptp.sys Wed Aug 04 01:14:26 2004 (41107EC2)
    f770f000 f7717900 msgpc msgpc.sys Wed Aug 04 01:04:11 2004 (41107C5B)
    f772f000 f7738f00 termdd termdd.sys Wed Aug 04 00:58:52 2004 (41107B1C)
    f773f000 f7748480 NDProxy NDProxy.SYS Fri Aug 17 15:55:30 2001 (3B7D84C2)
    f776f000 f777d100 usbhub usbhub.sys Wed Aug 04 01:08:40 2004 (41107D68)
    f77bf000 f77c8000 wpsdrvnt wpsdrvnt.sys Fri Oct 15 20:18:45 2004 (417076F5)
    f77cf000 f77d5200 PCIIDEX PCIIDEX.SYS Wed Aug 04 00:59:40 2004 (41107B4C)
    f77d7000 f77db900 PartMgr PartMgr.sys Fri Aug 17 20:32:23 2001 (3B7DC5A7)
    f77f7000 f77f8000 fdc fdc.sys unavailable (00000000)
    f77ff000 f7804a00 mouclass mouclass.sys Wed Aug 04 00:58:32 2004 (41107B08)
    f7807000 f780d000 kbdclass kbdclass.sys Wed Aug 04 00:58:32 2004 (41107B08)
    f780f000 f7813880 TDI TDI.SYS Wed Aug 04 01:07:47 2004 (41107D33)
    f7817000 f781b580 ptilink ptilink.sys Fri Aug 17 15:49:53 2001 (3B7D8371)
    f781f000 f7823080 raspti raspti.sys Fri Aug 17 15:55:32 2001 (3B7D84C4)
    f782f000 f7834000 flpydisk flpydisk.sys Wed Aug 04 00:59:24 2004 (41107B3C)
    f783f000 f7844200 vga vga.sys Wed Aug 04 01:07:06 2004 (41107D0A)
    f7847000 f784ba80 Msfs Msfs.SYS Wed Aug 04 01:00:37 2004 (41107B85)
    f784f000 f7856880 Npfs Npfs.SYS Wed Aug 04 01:00:38 2004 (41107B86)
    f785f000 f7865f00 avg7rsxp avg7rsxp.sys Mon Jun 19 03:21:28 2006 (44965E88)
    f787f000 f7883500 watchdog watchdog.sys Wed Aug 04 01:07:32 2004 (41107D24)
    f7947000 f794e580 Modem Modem.SYS Wed Aug 04 01:08:04 2004 (41107D44)
    f794f000 f7954000 usbuhci usbuhci.sys Wed Aug 04 01:08:34 2004 (41107D62)
    f7957000 f795d800 usbehci usbehci.sys Wed Aug 04 01:08:34 2004 (41107D62)
    f795f000 f7962000 BOOTVID BOOTVID.dll Fri Aug 17 15:49:09 2001 (3B7D8345)
    f79d3000 f79d5900 Dxapi Dxapi.sys Fri Aug 17 15:53:19 2001 (3B7D843F)
    f79e3000 f79e6c80 serenum serenum.sys Wed Aug 04 00:59:06 2004 (41107B2A)
    f79e7000 f79e9980 gameenum gameenum.sys Wed Aug 04 01:08:20 2004 (41107D54)
    f79eb000 f79ed580 ndistapi ndistapi.sys Fri Aug 17 15:55:29 2001 (3B7D84C1)
    f79fb000 f79fec80 mssmbios mssmbios.sys Wed Aug 04 01:07:47 2004 (41107D33)
    f7a4f000 f7a50b80 kdcom kdcom.dll Fri Aug 17 15:49:10 2001 (3B7D8346)
    f7a51000 f7a52100 WMILIB WMILIB.SYS Fri Aug 17 16:07:23 2001 (3B7D878B)
    f7a53000 f7a54500 viaide viaide.sys Wed Aug 04 00:59:42 2004 (41107B4E)
    f7a8d000 f7a8e900 splitter splitter.sys Wed Jun 14 03:47:46 2006 (448FCD32)
    f7ab5000 f7ab6a80 ParVdm ParVdm.SYS Fri Aug 17 15:49:49 2001 (3B7D836D)
    f7ac1000 f7ac2360 avgtdi avgtdi.sys Thu Aug 25 04:59:58 2005 (430D969E)
    f7ac3000 f7ac4100 swenum swenum.sys Wed Aug 04 00:58:41 2004 (41107B11)
    f7ac5000 f7ac6280 USBD USBD.SYS Fri Aug 17 16:02:58 2001 (3B7D8682)
    f7ac7000 f7ac9000 i2omgmt i2omgmt.SYS Wed Aug 04 01:00:50 2004 (41107B92)
    f7acb000 f7accf00 Fs_Rec Fs_Rec.SYS Fri Aug 17 15:49:37 2001 (3B7D8361)
    f7acd000 f7ace080 Beep Beep.SYS Fri Aug 17 15:47:33 2001 (3B7D82E5)
    f7acf000 f7ad0080 mnmdd mnmdd.SYS Fri Aug 17 15:57:28 2001 (3B7D8538)
    f7ad1000 f7ad2080 RDPCDD RDPCDD.sys Fri Aug 17 15:46:56 2001 (3B7D82C0)
    f7ad5000 f7ad6080 avg7rsw avg7rsw.sys Tue Jul 26 07:10:51 2005 (42E6284B)
    f7ae7000 f7ae8100 dump_WMILIB dump_WMILIB.SYS Fri Aug 17 16:07:23 2001 (3B7D878B)
    f7b45000 f7b45c00 audstub audstub.sys Fri Aug 17 15:59:40 2001 (3B7D85BC)
    f7bdb000 f7bdbd00 dxgthk dxgthk.sys Fri Aug 17 15:53:12 2001 (3B7D8438)
    f7c26000 f7c26b80 drmkaud drmkaud.sys Wed Aug 04 01:07:56 2004 (41107D3C)
    f7c39000 f7c39b80 Null Null.SYS Fri Aug 17 15:47:39 2001 (3B7D82EB)
    f7c3a000 f7c3af80 avgclean avgclean.sys Mon Aug 21 17:55:15 2006 (44EA39D3)

    Unloaded modules:
    f7837000 f783c000 Cdaudio.SYS
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f7ac9000 f7acb000 Changer.SYS
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f7226000 f7229000 Sfloppy.SYS
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f779f000 f77a8000 lbrtfdc.SYS
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    Closing open log file c:\debuglog.txt



    System seems to be stable for a while and then just restarts. Won't complete AVG at all.

    System can be just idling and it will restart........I'm confused....

    Mitchell
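The bugcheck text in the dump above says to note the exception address and the link date of the image that contains it. As an added example (not part of the original post; the function names are hypothetical), this Python does that lookup by hand over lines copied from this dump, mapping each STACK_TEXT return address to a loaded module, an offset, and a decoded link timestamp.

```python
import re
from datetime import datetime, timezone

# Subset of the "start end module name" table, copied from the dump above.
MODULES = """\
804d7000 806eb100 nt ntoskrnl.exe Tue Mar 01 18:59:37 2005 (42250FF9)
f77f7000 f77f8000 fdc fdc.sys unavailable (00000000)
f785f000 f7865f00 avg7rsxp avg7rsxp.sys Mon Jun 19 03:21:28 2006 (44965E88)
f7ad5000 f7ad6080 avg7rsw avg7rsw.sys Tue Jul 26 07:10:51 2005 (42E6284B)
"""
# First four STACK_TEXT frames from the dump; column 2 is the return address.
STACK = """\
ecf2ca08 f78614e8 f7ad59f0 83d96e28 840950d8 0x1
ecf2ca24 f78607eb 84095020 841c2a00 ecf2cb3c avg7rsxp+0x24e8
ecf2ca34 f7ad5436 84095020 83d96e28 83d96e38 avg7rsxp+0x17eb
ecf2cb3c 8056316c 8437ce30 00000000 83ff08d0 avg7rsw!AvgWrapAllocatePoolWithTag+0x48
"""
MOD_RE = re.compile(
    r"^([0-9a-f]{8}) ([0-9a-f]{8}) (\S+) (\S+) .*\(([0-9A-Fa-f]{8})\)$")

def parse_modules(text):
    """Return sorted (start, end, name, image, timestamp) tuples."""
    mods = []
    for line in text.splitlines():
        m = MOD_RE.match(line.strip())
        if m:
            start, end, name, image, stamp = m.groups()
            mods.append((int(start, 16), int(end, 16), name, image,
                         int(stamp, 16)))
    return sorted(mods)

def resolve(addr, mods):
    """Map an address to (module, offset, image, link time in UTC) or None."""
    for start, end, name, image, stamp in mods:
        if start <= addr < end:
            # The hex value is the image header timestamp in Unix seconds;
            # 00000000 means the debugger could not read it.
            linked = datetime.fromtimestamp(stamp, timezone.utc) if stamp else None
            return name, addr - start, image, linked
    return None  # e.g. eip=00000001: not inside any loaded module

def attribute_stack(stack_text, mods):
    """Resolve the return address of every frame in a STACK_TEXT excerpt."""
    return [resolve(int(line.split()[1], 16), mods)
            for line in stack_text.splitlines() if line.strip()]

if __name__ == "__main__":
    for frame in attribute_stack(STACK, parse_modules(MODULES)):
        print(frame)
```

The faulting address 00000001 resolves to no module, which matches the "Frame IP not in any known module" warning; the first address that does resolve is the return address f78614e8, inside avg7rsxp.sys.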
     
  21. 2007/02/18
    mflynn

    Hi Mitch

    A clean install would format the XP boot drive usually C:.

    The install you describe is just a new install over an existing installation.

    That is the reason the Virus was already there.

    This is such a mess that, in order to tell if there is actually a hardware problem here, it is time for a real clean install. That means formatting and installing from scratch.

    If you don't, this could go on and on.

    The ZLob.ZCodec is an especially nasty critter, that even if cleaned leaves damage.

    Clean install it disconnected from the internet. Install the virus scanner and scan the other partitions immediately even before MS updates.

    Run it clean for a few days without putting all the toolbars etc on it. If it then runs ok then load it up with the rest.

    Mike
     
