
BSOD after system setting idle for 8 hours

Discussion in 'Windows XP' started by MitchellCooley, 2008/05/13.

  1. 2008/05/20
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Hi Mitch, Pete

    Yes I agree with Pete.

    I would visit Winupdate and get up to date.

    Then go to Event Viewer and clear all logs. Immediately reboot and immediately go back to the event logs and see what is there. The only things you will see now are any errors that occurred during shutdown and bootup.

    Let us know if you have errors. Some warnings are normal but scan them for anything suspicious!

    Now test for issues and after confirmed OK do the SP3 update!

    Now if you built the slipstreamed SP3 CD, when it is time to install SP3 you can just do another repair install and that will bring you up to SP3.

    Mike
     
  2. 2008/05/20
    MitchellCooley Lifetime Subscription

    MitchellCooley Inactive Thread Starter

    Joined:
    2006/12/02
    Messages:
    1,090
    Likes Received:
    20
    Mike, Pete; Thanks for the info. I read about the slipstreaming somewhere (maybe here or at Microsoft); sure will make it easier. At Microsoft now getting updates. Will report back on the event viewer. That may be later today - got off work about four hours ago - tired - need a little nap.

    I'll be back.....:)

    Mitch
     

  4. 2008/05/20
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
  5. 2008/05/20
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Mitch hold off on actually installing anything yet.

    Go ahead and get the stuff from M$.

    I reviewed this entire post. Especially your dumps.

    You either have a bad boy driver or bad memory!

    If one of these dumps occurs at the right place during the upgrade you could have a mess.

    Clean boot XP
    http://support.microsoft.com/kb/310353

    See if issue is there with clean boot.

    How many sticks of ram in this machine? If 2 try running with just one or if available try different ram.


    Mike
     
  6. 2008/05/20
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Mike
    Mitch has already been down that road :)
     
  7. 2008/05/20
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Yeah I see, I was mostly looking at the dumps. Thanks pete.

    But Mitch, did not the problems begin again when you put back the second stick?

    Did it ever fail with just the lone stick?

    Mike
     
  8. 2008/05/20
    bdesmond

    bdesmond Inactive

    Joined:
    2008/05/19
    Messages:
    36
    Likes Received:
    0
    Probably the sound/audio driver here
     
  9. 2008/05/20
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    I agree with Brian. A very good possibility!

    Unless it ran OK with only the 1st stick of RAM, I would disable it in Device Manager, reboot and run Monopoly to test.

    Mike
     
  10. 2008/05/20
    Arie

    Arie Administrator Administrator Staff

    Joined:
    2001/12/27
    Messages:
    15,174
    Likes Received:
    412
    My vote is on memory. BSODs all over the place & several mentioning memory_corruption.
     
  11. 2008/05/20
    MitchellCooley Lifetime Subscription

    MitchellCooley Inactive Thread Starter

    Joined:
    2006/12/02
    Messages:
    1,090
    Likes Received:
    20
    Mike, It crashed on each stick in each bank. Jim (the guy who owns the machine) is ready and willing to buy new RAM but I wanted him to hold off until we isolate the problem.
     
  12. 2008/05/20
    MitchellCooley Lifetime Subscription

    MitchellCooley Inactive Thread Starter

    Joined:
    2006/12/02
    Messages:
    1,090
    Likes Received:
    20
    Clean booted. Will run for a while like this to see what happens.

    Mitch
     
  13. 2008/05/20
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    OK now I understand!

    If it does it while running under a clean boot, then before you revert it back go to device manager and disable the sound card and continue testing with the sound card disabled.

    Mike
     
  14. 2008/05/20
    MitchellCooley Lifetime Subscription

    MitchellCooley Inactive Thread Starter

    Joined:
    2006/12/02
    Messages:
    1,090
    Likes Received:
    20
    Crash under clean boot

    Played Monopoly for 45 minutes (went bankrupt). Closed Monopoly and started Spybot S&D (since it has crashed more than once on this) and it crashed. Dump log is below. So, do we assume then the memory is the culprit?

    Mitch

    Opened log file 'c:\debuglog.txt'

    Microsoft (R) Windows Debugger Version 6.9.0003.113 X86
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [C:\WINDOWS\Minidump\Mini052008-02.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available

    Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is: C:\WINDOWS;C:\WINDOWS\system32;C:\WINDOWS\system32\drivers
    Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
    Product: WinNt
    Built by: 2600.xpsp_sp2_gdr.050301-1519
    Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055a420
    Debug session time: Tue May 20 13:53:51.576 2008 (GMT-5)
    System Uptime: 0 days 1:00:00.132
    Loading Kernel Symbols
    ............................................................................................................
    Loading User Symbols
    Loading unloaded module list
    .........
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck A, {4, 2, 0, 804e6617}

    Probably caused by : memory_corruption ( nt!MiRemovePageByColor+6a )

    Followup: MachineOwner
    ---------

    kd> !analyze -v;r;kv;lmtn;.logclose;q
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    IRQL_NOT_LESS_OR_EQUAL (a)
    An attempt was made to access a pageable (or completely invalid) address at an
    interrupt request level (IRQL) that is too high. This is usually
    caused by drivers using improper addresses.
    If a kernel debugger is available get the stack backtrace.
    Arguments:
    Arg1: 00000004, memory referenced
    Arg2: 00000002, IRQL
    Arg3: 00000000, bitfield :
    bit 0 : value 0 = read operation, 1 = write operation
    bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
    Arg4: 804e6617, address which referenced memory

    Debugging Details:
    ------------------


    READ_ADDRESS: 00000004

    CURRENT_IRQL: 2

    FAULTING_IP:
    nt!MiRemovePageByColor+6a
    804e6617 8b4804 mov ecx,dword ptr [eax+4]

    CUSTOMER_CRASH_COUNT: 2

    DEFAULT_BUCKET_ID: DRIVER_FAULT

    BUGCHECK_STR: 0xA

    TRAP_FRAME: f7b64788 -- (.trap 0xfffffffff7b64788)
    .trap 0xfffffffff7b64788
    ErrCode = 00000000
    eax=00000000 ebx=00000001 ecx=432d3336 edx=81a53000 esi=cde1fd10 edi=00000004
    eip=804e6617 esp=f7b647fc ebp=f7b64818 iopl=0 nv up ei pl nz na po nc
    cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
    nt!MiRemovePageByColor+0x6a:
    804e6617 8b4804 mov ecx,dword ptr [eax+4] ds:0023:00000004=????????
    .trap
    Resetting default scope

    LAST_CONTROL_TRANSFER: from 804e6617 to 804e187f

    STACK_TEXT:
    f7b64788 804e6617 badb0d00 81a53000 00000030 nt!KiTrap0E+0x233
    f7b64818 804e7cf4 00000000 00008000 00000000 nt!MiRemovePageByColor+0x6a
    f7b64844 8069dbbd 84fca920 00000000 00000044 nt!MmZeroPageThread+0x9a
    f7b64dac 8057be15 80087000 00000000 00000000 nt!Phase1Initialization+0x1144
    f7b64ddc 804fa4da 8069f086 80087000 00000000 nt!PspSystemThreadStartup+0x34
    00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


    STACK_COMMAND: kb

    FOLLOWUP_IP:
    nt!MiRemovePageByColor+6a
    804e6617 8b4804 mov ecx,dword ptr [eax+4]

    SYMBOL_STACK_INDEX: 1

    SYMBOL_NAME: nt!MiRemovePageByColor+6a

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: nt

    DEBUG_FLR_IMAGE_TIMESTAMP: 42250ff9

    IMAGE_NAME: memory_corruption

    FAILURE_BUCKET_ID: 0xA_nt!MiRemovePageByColor+6a

    BUCKET_ID: 0xA_nt!MiRemovePageByColor+6a

    Followup: MachineOwner
    ---------

    eax=ffdff13c ebx=00000002 ecx=00000000 edx=40000000 esi=804e6617 edi=00000004
    eip=804e187f esp=f7b64770 ebp=f7b64788 iopl=0 nv up ei ng nz na pe nc
    cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
    nt!KiTrap0E+0x233:
    804e187f f7457000000200 test dword ptr [ebp+70h],20000h ss:0010:f7b647f8=00010202
    ChildEBP RetAddr Args to Child
    f7b64788 804e6617 badb0d00 81a53000 00000030 nt!KiTrap0E+0x233 (FPO: [0,0] TrapFrame @ f7b64788)
    f7b64818 804e7cf4 00000000 00008000 00000000 nt!MiRemovePageByColor+0x6a (FPO: [Non-Fpo])
    f7b64844 8069dbbd 84fca920 00000000 00000044 nt!MmZeroPageThread+0x9a (FPO: [Non-Fpo])
    f7b64dac 8057be15 80087000 00000000 00000000 nt!Phase1Initialization+0x1144 (FPO: [Non-Fpo])
    f7b64ddc 804fa4da 8069f086 80087000 00000000 nt!PspSystemThreadStartup+0x34 (FPO: [Non-Fpo])
    00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
    start end module name
    804d7000 806eb100 nt ntoskrnl.exe Tue Mar 01 18:59:37 2005 (42250FF9)
    806ec000 806ffd80 hal halacpi.dll Wed Aug 04 00:59:04 2004 (41107B28)
    bf800000 bf9c1180 win32k win32k.sys Wed Oct 05 19:05:44 2005 (43446A58)
    bf9c2000 bf9d3580 dxg dxg.sys Wed Aug 04 01:00:51 2004 (41107B93)
    bf9d4000 bfd1f380 vtdisp vtdisp.dll Mon Mar 07 20:50:05 2005 (422D12DD)
    f0e7d000 f0ea6f00 kmixer kmixer.sys Wed Aug 04 01:07:46 2004 (41107D32)
    f0f47000 f0f87280 HTTP HTTP.sys Thu Mar 16 18:33:09 2006 (441A03C5)
    f12b4000 f12b7b20 aswRdr aswRdr.SYS Thu May 15 18:15:26 2008 (482CC40E)
    f12f8000 f134a180 srv srv.sys Wed Aug 04 01:14:44 2004 (41107ED4)
    f1463000 f148f400 mrxdav mrxdav.sys Wed Aug 04 01:00:49 2004 (41107B91)
    f1675000 f1689400 wdmaud wdmaud.sys Wed Aug 04 01:15:03 2004 (41107EE7)
    f17b2000 f17c0d80 sysaudio sysaudio.sys Wed Aug 04 01:15:54 2004 (41107F1A)
    f18e2000 f18f7680 aswMon2 aswMon2.SYS Thu May 15 08:27:44 2008 (482C3A50)
    f1948000 f1958200 EAPPkt EAPPkt.sys Thu Mar 31 20:43:01 2005 (424CB535)
    f1a65000 f1a68280 ndisuio ndisuio.sys Wed Aug 04 01:03:10 2004 (41107C1E)
    f5b61000 f5b78480 dump_atapi dump_atapi.sys Wed Aug 04 00:59:41 2004 (41107B4D)
    f5b79000 f5b90000 aswSP aswSP.SYS Thu May 15 18:20:30 2008 (482CC53E)
    f5b90000 f5bb0f00 ipnat ipnat.sys Wed Aug 04 01:04:48 2004 (41107C80)
    f5bb1000 f5c1e680 mrxsmb mrxsmb.sys Wed Oct 27 20:14:16 2004 (418047E8)
    f5c47000 f5c71a00 rdbss rdbss.sys Wed Oct 27 20:13:57 2004 (418047D5)
    f5c72000 f5c93d00 afd afd.sys Wed Aug 04 01:14:13 2004 (41107EB5)
    f5c94000 f5cbbc00 netbt netbt.sys Wed Aug 04 01:14:36 2004 (41107ECC)
    f5cbc000 f5d13a80 tcpip tcpip.sys Wed Aug 04 01:14:39 2004 (41107ECF)
    f5d14000 f5d26400 ipsec ipsec.sys Wed Aug 04 01:14:27 2004 (41107EC3)
    f6d96000 f6dc9200 update update.sys Wed Aug 04 00:58:32 2004 (41107B08)
    f6e6a000 f6e7ae00 psched psched.sys Wed Aug 04 01:04:16 2004 (41107C60)
    f6e7b000 f6e91680 ndiswan ndiswan.sys Wed Aug 04 01:14:30 2004 (41107EC6)
    f6e92000 f6ea5900 parport parport.sys Wed Aug 04 00:59:04 2004 (41107B28)
    f6ea6000 f6ec9980 portcls portcls.sys Wed Aug 04 01:15:47 2004 (41107F13)
    f6eca000 f6efbb80 vinyl97 vinyl97.sys Sun Oct 08 23:58:46 2006 (4529D706)
    f6efc000 f6f1e680 ks ks.sys Wed Aug 04 01:15:20 2004 (41107EF8)
    f6f1f000 f6f41e80 USBPORT USBPORT.SYS Wed Aug 04 01:08:34 2004 (41107D62)
    f6f42000 f6f55780 VIDEOPRT VIDEOPRT.SYS Wed Aug 04 01:07:04 2004 (41107D08)
    f6f56000 f6f80200 vtmini vtmini.sys Mon Mar 07 20:50:15 2005 (422D12E7)
    f6f89000 f6f8b900 Dxapi Dxapi.sys Fri Aug 17 15:53:19 2001 (3B7D843F)
    f7598000 f75b2580 Mup Mup.sys Wed Aug 04 01:15:20 2004 (41107EF8)
    f75b3000 f75dfa80 NDIS NDIS.sys Wed Aug 04 01:14:27 2004 (41107EC3)
    f75e0000 f766c480 Ntfs Ntfs.sys Wed Aug 04 01:15:06 2004 (41107EEA)
    f766d000 f7683780 KSecDD KSecDD.sys Wed Aug 04 00:59:45 2004 (41107B51)
    f7684000 f7695f00 sr sr.sys Wed Aug 04 01:06:22 2004 (41107CDE)
    f7696000 f76b5780 fltmgr fltmgr.sys Mon Aug 21 04:14:57 2006 (44E97991)
    f76b6000 f76cd480 atapi atapi.sys Wed Aug 04 00:59:41 2004 (41107B4D)
    f76ce000 f76ec880 ftdisk ftdisk.sys Fri Aug 17 15:52:41 2001 (3B7D8419)
    f76ed000 f76fda80 pci pci.sys Wed Aug 04 01:07:45 2004 (41107D31)
    f76fe000 f772bd80 ACPI ACPI.sys Wed Aug 04 01:07:35 2004 (41107D27)
    f774d000 f7755c00 isapnp isapnp.sys Fri Aug 17 15:58:01 2001 (3B7D8559)
    f775d000 f7767500 MountMgr MountMgr.sys Wed Aug 04 00:58:29 2004 (41107B05)
    f776d000 f7779c80 VolSnap VolSnap.sys Wed Aug 04 01:00:14 2004 (41107B6E)
    f777d000 f7785e00 disk disk.sys Wed Aug 04 00:59:53 2004 (41107B59)
    f778d000 f7799200 CLASSPNP CLASSPNP.SYS Wed Aug 04 01:14:26 2004 (41107EC2)
    f779d000 f77a7e80 uagp35 uagp35.sys Wed Aug 04 01:07:43 2004 (41107D2F)
    f781d000 f7826200 amdk7 amdk7.sys Wed Aug 04 00:59:19 2004 (41107B37)
    f782d000 f7839180 cdrom cdrom.sys Wed Aug 04 00:59:52 2004 (41107B58)
    f783d000 f784b080 redbook redbook.sys Wed Aug 04 00:59:34 2004 (41107B46)
    f784d000 f7857380 imapi imapi.sys Wed Aug 04 01:00:12 2004 (41107B6C)
    f785d000 f786bb80 drmk drmk.sys Wed Aug 04 01:07:54 2004 (41107D3A)
    f786d000 f7877a00 fetnd5bv fetnd5bv.sys Mon Feb 25 23:54:01 2008 (47C3A979)
    f787d000 f788cd80 serial serial.sys Wed Aug 04 01:15:51 2004 (41107F17)
    f788d000 f7899e00 i8042prt i8042prt.sys Wed Aug 04 01:14:36 2004 (41107ECC)
    f789d000 f78a9880 rasl2tp rasl2tp.sys Wed Aug 04 01:14:21 2004 (41107EBD)
    f78ad000 f78b7200 raspppoe raspppoe.sys Wed Aug 04 01:05:06 2004 (41107C92)
    f78bd000 f78c8d00 raspptp raspptp.sys Wed Aug 04 01:14:26 2004 (41107EC2)
    f78cd000 f78d5900 msgpc msgpc.sys Wed Aug 04 01:04:11 2004 (41107C5B)
    f78dd000 f78e6f00 termdd termdd.sys Wed Aug 04 00:58:52 2004 (41107B1C)
    f78ed000 f78f6480 NDProxy NDProxy.SYS Fri Aug 17 15:55:30 2001 (3B7D84C2)
    f78fd000 f790b100 usbhub usbhub.sys Wed Aug 04 01:08:40 2004 (41107D68)
    f791d000 f7925360 aswTdi aswTdi.SYS Thu May 15 18:14:09 2008 (482CC3C1)
    f792d000 f7935700 netbios netbios.sys Wed Aug 04 01:03:19 2004 (41107C27)
    f793d000 f7945880 Fips Fips.SYS Fri Aug 17 20:31:49 2001 (3B7DC585)
    f794d000 f7955700 wanarp wanarp.sys Wed Aug 04 01:04:57 2004 (41107C89)
    f799d000 f79ac900 Cdfs Cdfs.SYS Wed Aug 04 01:14:09 2004 (41107EB1)
    f79cd000 f79d3200 PCIIDEX PCIIDEX.SYS Wed Aug 04 00:59:40 2004 (41107B4C)
    f79d5000 f79d9900 PartMgr PartMgr.sys Fri Aug 17 20:32:23 2001 (3B7DC5A7)
    f7a25000 f7a2a000 usbuhci usbuhci.sys Wed Aug 04 01:08:34 2004 (41107D62)
    f7a2d000 f7a33800 usbehci usbehci.sys Wed Aug 04 01:08:34 2004 (41107D62)
    f7a35000 f7a3c000 fdc fdc.sys unavailable (00000000)
    f7a3d000 f7a42a00 mouclass mouclass.sys Wed Aug 04 00:58:32 2004 (41107B08)
    f7a45000 f7a4b000 kbdclass kbdclass.sys Wed Aug 04 00:58:32 2004 (41107B08)
    f7a4d000 f7a51880 TDI TDI.SYS Wed Aug 04 01:07:47 2004 (41107D33)
    f7a55000 f7a59580 ptilink ptilink.sys Fri Aug 17 15:49:53 2001 (3B7D8371)
    f7a5d000 f7a61080 raspti raspti.sys Fri Aug 17 15:55:32 2001 (3B7D84C4)
    f7a65000 f7a6a000 flpydisk flpydisk.sys Wed Aug 04 00:59:24 2004 (41107B3C)
    f7a75000 f7a7a200 vga vga.sys Wed Aug 04 01:07:06 2004 (41107D0A)
    f7a7d000 f7a81a80 Msfs Msfs.SYS Wed Aug 04 01:00:37 2004 (41107B85)
    f7a85000 f7a8c880 Npfs Npfs.SYS Wed Aug 04 01:00:38 2004 (41107B86)
    f7a95000 f7a99a80 Aavmker4 Aavmker4.SYS Thu May 15 18:13:22 2008 (482CC392)
    f7aa5000 f7aa9500 watchdog watchdog.sys Wed Aug 04 01:07:32 2004 (41107D24)
    f7ab5000 f7abd000 aswFsBlk aswFsBlk.sys Thu May 15 08:28:04 2008 (482C3A64)
    f7b5d000 f7b60000 BOOTVID BOOTVID.dll Fri Aug 17 15:49:09 2001 (3B7D8345)
    f7be1000 f7be4c80 serenum serenum.sys Wed Aug 04 00:59:06 2004 (41107B2A)
    f7be5000 f7be7980 gameenum gameenum.sys Wed Aug 04 01:08:20 2004 (41107D54)
    f7be9000 f7beb580 ndistapi ndistapi.sys Fri Aug 17 15:55:29 2001 (3B7D84C1)
    f7bf9000 f7bfcc80 mssmbios mssmbios.sys Wed Aug 04 01:07:47 2004 (41107D33)
    f7c25000 f7c27280 rasacd rasacd.sys Fri Aug 17 15:55:39 2001 (3B7D84CB)
    f7c2d000 f7c2ff00 ws2ifsl ws2ifsl.sys Fri Aug 17 15:55:58 2001 (3B7D84DE)
    f7c4d000 f7c4eb80 kdcom kdcom.dll Fri Aug 17 15:49:10 2001 (3B7D8346)
    f7c4f000 f7c50100 WMILIB WMILIB.SYS Fri Aug 17 16:07:23 2001 (3B7D878B)
    f7c51000 f7c52500 viaide viaide.sys Wed Aug 04 00:59:42 2004 (41107B4E)
    f7c67000 f7c68100 swenum swenum.sys Wed Aug 04 00:58:41 2004 (41107B11)
    f7c69000 f7c6a280 USBD USBD.SYS Fri Aug 17 16:02:58 2001 (3B7D8682)
    f7c6b000 f7c6cf00 Fs_Rec Fs_Rec.SYS Fri Aug 17 15:49:37 2001 (3B7D8361)
    f7c6d000 f7c6e080 Beep Beep.SYS Fri Aug 17 15:47:33 2001 (3B7D82E5)
    f7c6f000 f7c70080 mnmdd mnmdd.SYS Fri Aug 17 15:57:28 2001 (3B7D8538)
    f7c71000 f7c72080 RDPCDD RDPCDD.sys Fri Aug 17 15:46:56 2001 (3B7D82C0)
    f7c77000 f7c78100 dump_WMILIB dump_WMILIB.SYS Fri Aug 17 16:07:23 2001 (3B7D878B)
    f7cf7000 f7cf8a80 ParVdm ParVdm.SYS Fri Aug 17 15:49:49 2001 (3B7D836D)
    f7db2000 f7db2c00 audstub audstub.sys Fri Aug 17 15:59:40 2001 (3B7D85BC)
    f7dea000 f7dead00 dxgthk dxgthk.sys Fri Aug 17 15:53:12 2001 (3B7D8438)
    f7dfd000 f7dfdb80 Null Null.SYS Fri Aug 17 15:47:39 2001 (3B7D82EB)

    Unloaded modules:
    f0e7d000 f0ea7000 kmixer.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f1628000 f1652000 kmixer.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f7e35000 f7e36000 drmkaud.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f1652000 f1675000 aec.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f19a1000 f19ae000 DMusic.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f19b1000 f19bf000 swmidi.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f7cc9000 f7ccb000 splitter.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f7a6d000 f7a72000 Cdaudio.SYS
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f7c21000 f7c24000 Sfloppy.SYS
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    Closing open log file c:\debuglog.txt
     
  15. 2008/05/20
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    No not yet!

    Clear the event logs now, then disable the sound device in device manager.

    Stay in clean boot mode and try again.

    If it fails again after it comes back up check the event logs for anything related to this.

    Mike

    EDIT: but your dumps are pointing to memory more and more!
     
  16. 2008/05/20
    MitchellCooley Lifetime Subscription

    MitchellCooley Inactive Thread Starter

    Joined:
    2006/12/02
    Messages:
    1,090
    Likes Received:
    20
    Ok, will report back

    Mitch
     
  17. 2008/05/20
    MitchellCooley Lifetime Subscription

    MitchellCooley Inactive Thread Starter

    Joined:
    2006/12/02
    Messages:
    1,090
    Likes Received:
    20
    Played Monopoly for over an hour. Then quit Monopoly and started Spybot S&D (it seems to always crash when I do this) and sure enough it crashed. Here is the log.

    Opened log file 'c:\debuglog.txt'

    Microsoft (R) Windows Debugger Version 6.9.0003.113 X86
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [C:\WINDOWS\Minidump\Mini052008-03.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available

    Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is: C:\WINDOWS;C:\WINDOWS\system32;C:\WINDOWS\system32\drivers
    Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
    Product: WinNt
    Built by: 2600.xpsp_sp2_gdr.050301-1519
    Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055a420
    Debug session time: Tue May 20 20:14:16.006 2008 (GMT-5)
    System Uptime: 0 days 1:35:07.561
    Loading Kernel Symbols
    ......................................................................................................
    Loading User Symbols
    Loading unloaded module list
    ..
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 19, {20, 84e1c928, 84e1cb50, a45535f}

    GetUlongFromAddress: unable to read from 80562970
    Probably caused by : ntoskrnl.exe ( nt!ExFreePoolWithTag+2be )

    Followup: MachineOwner
    ---------

    kd> !analyze -v;r;kv;lmtn;.logclose;q
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    BAD_POOL_HEADER (19)
    The pool is already corrupt at the time of the current request.
    This may or may not be due to the caller.
    The internal pool links must be walked to figure out a possible cause of
    the problem, and then special pool applied to the suspect tags or the driver
    verifier to a suspect driver.
    Arguments:
    Arg1: 00000020, a pool block header size is corrupt.
    Arg2: 84e1c928, The pool entry we were looking for within the page.
    Arg3: 84e1cb50, The next pool entry.
    Arg4: 0a45535f, (reserved)

    Debugging Details:
    ------------------

    GetUlongFromAddress: unable to read from 80562970

    BUGCHECK_STR: 0x19_20

    POOL_ADDRESS: 84e1c928

    CUSTOMER_CRASH_COUNT: 3

    DEFAULT_BUCKET_ID: DRIVER_FAULT

    LAST_CONTROL_TRANSFER: from 8054b741 to 8053331e

    STACK_TEXT:
    f1536c50 8054b741 00000019 00000020 84e1c928 nt!KeBugCheckEx+0x1b
    f1536ca0 805688e4 84e1c930 00000000 f1536d64 nt!ExFreePoolWithTag+0x2be
    f1536d4c 804de7ec ffffffff 0012f560 0012f564 nt!NtFreeVirtualMemory+0x4a1
    f1536d4c 7c90eb94 ffffffff 0012f560 0012f564 nt!KiFastCallEntry+0xf8
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    0012f554 00000000 00000000 00000000 00000000 0x7c90eb94


    STACK_COMMAND: kb

    FOLLOWUP_IP:
    nt!ExFreePoolWithTag+2be
    8054b741 83f801 cmp eax,1

    SYMBOL_STACK_INDEX: 1

    SYMBOL_NAME: nt!ExFreePoolWithTag+2be

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: nt

    IMAGE_NAME: ntoskrnl.exe

    DEBUG_FLR_IMAGE_TIMESTAMP: 42250ff9

    FAILURE_BUCKET_ID: 0x19_20_nt!ExFreePoolWithTag+2be

    BUCKET_ID: 0x19_20_nt!ExFreePoolWithTag+2be

    Followup: MachineOwner
    ---------

    eax=ffdff13c ebx=84e1c928 ecx=00000000 edx=00000000 esi=84e1c928 edi=00260000
    eip=8053331e esp=f1536c38 ebp=f1536c50 iopl=0 nv up ei ng nz na pe nc
    cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
    nt!KeBugCheckEx+0x1b:
    8053331e 5d pop ebp
    ChildEBP RetAddr Args to Child
    f1536c50 8054b741 00000019 00000020 84e1c928 nt!KeBugCheckEx+0x1b (FPO: [Non-Fpo])
    f1536ca0 805688e4 84e1c930 00000000 f1536d64 nt!ExFreePoolWithTag+0x2be (FPO: [Non-Fpo])
    f1536d4c 804de7ec ffffffff 0012f560 0012f564 nt!NtFreeVirtualMemory+0x4a1 (FPO: [Non-Fpo])
    f1536d4c 7c90eb94 ffffffff 0012f560 0012f564 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f1536d64)
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    0012f554 00000000 00000000 00000000 00000000 0x7c90eb94
    start end module name
    804d7000 806eb100 nt ntoskrnl.exe Tue Mar 01 18:59:37 2005 (42250FF9)
    806ec000 806ffd80 hal halacpi.dll Wed Aug 04 00:59:04 2004 (41107B28)
    bf800000 bf9c1180 win32k win32k.sys Wed Oct 05 19:05:44 2005 (43446A58)
    bf9c2000 bf9d3580 dxg dxg.sys Wed Aug 04 01:00:51 2004 (41107B93)
    bf9d4000 bfd1f380 vtdisp vtdisp.dll Mon Mar 07 20:50:05 2005 (422D12DD)
    f1186000 f11c6280 HTTP HTTP.sys Thu Mar 16 18:33:09 2006 (441A03C5)
    f122f000 f1232b20 aswRdr aswRdr.SYS Thu May 15 18:15:26 2008 (482CC40E)
    f13cf000 f1421180 srv srv.sys Wed Aug 04 01:14:44 2004 (41107ED4)
    f149a000 f14c6400 mrxdav mrxdav.sys Wed Aug 04 01:00:49 2004 (41107B91)
    f17e7000 f17fc680 aswMon2 aswMon2.SYS Thu May 15 08:27:44 2008 (482C3A50)
    f19b5000 f19c5200 EAPPkt EAPPkt.sys Thu Mar 31 20:43:01 2005 (424CB535)
    f1a3a000 f1a3d280 ndisuio ndisuio.sys Wed Aug 04 01:03:10 2004 (41107C1E)
    f5b2e000 f5b45480 dump_atapi dump_atapi.sys Wed Aug 04 00:59:41 2004 (41107B4D)
    f5b46000 f5b5d000 aswSP aswSP.SYS Thu May 15 18:20:30 2008 (482CC53E)
    f5b5d000 f5b7df00 ipnat ipnat.sys Wed Aug 04 01:04:48 2004 (41107C80)
    f5b7e000 f5beb680 mrxsmb mrxsmb.sys Wed Oct 27 20:14:16 2004 (418047E8)
    f5c14000 f5c3ea00 rdbss rdbss.sys Wed Oct 27 20:13:57 2004 (418047D5)
    f5c3f000 f5c60d00 afd afd.sys Wed Aug 04 01:14:13 2004 (41107EB5)
    f5c61000 f5c88c00 netbt netbt.sys Wed Aug 04 01:14:36 2004 (41107ECC)
    f5c89000 f5ce0a80 tcpip tcpip.sys Wed Aug 04 01:14:39 2004 (41107ECF)
    f5ce1000 f5cf3400 ipsec ipsec.sys Wed Aug 04 01:14:27 2004 (41107EC3)
    f6e03000 f6e36200 update update.sys Wed Aug 04 00:58:32 2004 (41107B08)
    f6e37000 f6e47e00 psched psched.sys Wed Aug 04 01:04:16 2004 (41107C60)
    f6e48000 f6e5e680 ndiswan ndiswan.sys Wed Aug 04 01:14:30 2004 (41107EC6)
    f6e5f000 f6e72900 parport parport.sys Wed Aug 04 00:59:04 2004 (41107B28)
    f6e73000 f6e95680 ks ks.sys Wed Aug 04 01:15:20 2004 (41107EF8)
    f6e96000 f6eb8e80 USBPORT USBPORT.SYS Wed Aug 04 01:08:34 2004 (41107D62)
    f6eb9000 f6ecc780 VIDEOPRT VIDEOPRT.SYS Wed Aug 04 01:07:04 2004 (41107D08)
    f6ecd000 f6ef7200 vtmini vtmini.sys Mon Mar 07 20:50:15 2005 (422D12E7)
    f6f18000 f6f1af00 ws2ifsl ws2ifsl.sys Fri Aug 17 15:55:58 2001 (3B7D84DE)
    f7598000 f75b2580 Mup Mup.sys Wed Aug 04 01:15:20 2004 (41107EF8)
    f75b3000 f75dfa80 NDIS NDIS.sys Wed Aug 04 01:14:27 2004 (41107EC3)
    f75e0000 f766c480 Ntfs Ntfs.sys Wed Aug 04 01:15:06 2004 (41107EEA)
    f766d000 f7683780 KSecDD KSecDD.sys Wed Aug 04 00:59:45 2004 (41107B51)
    f7684000 f7695f00 sr sr.sys Wed Aug 04 01:06:22 2004 (41107CDE)
    f7696000 f76b5780 fltmgr fltmgr.sys Mon Aug 21 04:14:57 2006 (44E97991)
    f76b6000 f76cd480 atapi atapi.sys Wed Aug 04 00:59:41 2004 (41107B4D)
    f76ce000 f76ec880 ftdisk ftdisk.sys Fri Aug 17 15:52:41 2001 (3B7D8419)
    f76ed000 f76fda80 pci pci.sys Wed Aug 04 01:07:45 2004 (41107D31)
    f76fe000 f772bd80 ACPI ACPI.sys Wed Aug 04 01:07:35 2004 (41107D27)
    f774d000 f7755c00 isapnp isapnp.sys Fri Aug 17 15:58:01 2001 (3B7D8559)
    f775d000 f7767500 MountMgr MountMgr.sys Wed Aug 04 00:58:29 2004 (41107B05)
    f776d000 f7779c80 VolSnap VolSnap.sys Wed Aug 04 01:00:14 2004 (41107B6E)
    f777d000 f7785e00 disk disk.sys Wed Aug 04 00:59:53 2004 (41107B59)
    f778d000 f7799200 CLASSPNP CLASSPNP.SYS Wed Aug 04 01:14:26 2004 (41107EC2)
    f779d000 f77a7e80 uagp35 uagp35.sys Wed Aug 04 01:07:43 2004 (41107D2F)
    f786d000 f7876200 amdk7 amdk7.sys Wed Aug 04 00:59:19 2004 (41107B37)
    f787d000 f7889180 cdrom cdrom.sys Wed Aug 04 00:59:52 2004 (41107B58)
    f788d000 f789b080 redbook redbook.sys Wed Aug 04 00:59:34 2004 (41107B46)
    f789d000 f78a7380 imapi imapi.sys Wed Aug 04 01:00:12 2004 (41107B6C)
    f78ad000 f78b7a00 fetnd5bv fetnd5bv.sys Mon Feb 25 23:54:01 2008 (47C3A979)
    f78bd000 f78ccd80 serial serial.sys Wed Aug 04 01:15:51 2004 (41107F17)
    f78cd000 f78d9e00 i8042prt i8042prt.sys Wed Aug 04 01:14:36 2004 (41107ECC)
    f78dd000 f78e9880 rasl2tp rasl2tp.sys Wed Aug 04 01:14:21 2004 (41107EBD)
    f78ed000 f78f7200 raspppoe raspppoe.sys Wed Aug 04 01:05:06 2004 (41107C92)
    f78fd000 f7908d00 raspptp raspptp.sys Wed Aug 04 01:14:26 2004 (41107EC2)
    f790d000 f7915900 msgpc msgpc.sys Wed Aug 04 01:04:11 2004 (41107C5B)
    f791d000 f7926f00 termdd termdd.sys Wed Aug 04 00:58:52 2004 (41107B1C)
    f792d000 f7936480 NDProxy NDProxy.SYS Fri Aug 17 15:55:30 2001 (3B7D84C2)
    f793d000 f794b100 usbhub usbhub.sys Wed Aug 04 01:08:40 2004 (41107D68)
    f795d000 f7965360 aswTdi aswTdi.SYS Thu May 15 18:14:09 2008 (482CC3C1)
    f796d000 f7975700 netbios netbios.sys Wed Aug 04 01:03:19 2004 (41107C27)
    f797d000 f7985880 Fips Fips.SYS Fri Aug 17 20:31:49 2001 (3B7DC585)
    f798d000 f7995700 wanarp wanarp.sys Wed Aug 04 01:04:57 2004 (41107C89)
    f79ad000 f79bc900 Cdfs Cdfs.SYS Wed Aug 04 01:14:09 2004 (41107EB1)
    f79cd000 f79d3200 PCIIDEX PCIIDEX.SYS Wed Aug 04 00:59:40 2004 (41107B4C)
    f79d5000 f79d9900 PartMgr PartMgr.sys Fri Aug 17 20:32:23 2001 (3B7DC5A7)
    f7a2d000 f7a32000 usbuhci usbuhci.sys Wed Aug 04 01:08:34 2004 (41107D62)
    f7a35000 f7a3b800 usbehci usbehci.sys Wed Aug 04 01:08:34 2004 (41107D62)
    f7a3d000 f7a44000 fdc fdc.sys unavailable (00000000)
    f7a45000 f7a4aa00 mouclass mouclass.sys Wed Aug 04 00:58:32 2004 (41107B08)
    f7a4d000 f7a53000 kbdclass kbdclass.sys Wed Aug 04 00:58:32 2004 (41107B08)
    f7a55000 f7a59880 TDI TDI.SYS Wed Aug 04 01:07:47 2004 (41107D33)
    f7a5d000 f7a61580 ptilink ptilink.sys Fri Aug 17 15:49:53 2001 (3B7D8371)
    f7a65000 f7a69080 raspti raspti.sys Fri Aug 17 15:55:32 2001 (3B7D84C4)
    f7a6d000 f7a72000 flpydisk flpydisk.sys Wed Aug 04 00:59:24 2004 (41107B3C)
    f7a7d000 f7a82200 vga vga.sys Wed Aug 04 01:07:06 2004 (41107D0A)
    f7a85000 f7a89a80 Msfs Msfs.SYS Wed Aug 04 01:00:37 2004 (41107B85)
    f7a8d000 f7a94880 Npfs Npfs.SYS Wed Aug 04 01:00:38 2004 (41107B86)
    f7aa5000 f7aa9a80 Aavmker4 Aavmker4.SYS Thu May 15 18:13:22 2008 (482CC392)
    f7aad000 f7ab1500 watchdog watchdog.sys Wed Aug 04 01:07:32 2004 (41107D24)
    f7ab5000 f7abd000 aswFsBlk aswFsBlk.sys Thu May 15 08:28:04 2008 (482C3A64)
    f7b5d000 f7b60000 BOOTVID BOOTVID.dll Fri Aug 17 15:49:09 2001 (3B7D8345)
    f7be1000 f7be3900 Dxapi Dxapi.sys Fri Aug 17 15:53:19 2001 (3B7D843F)
    f7c05000 f7c08c80 serenum serenum.sys Wed Aug 04 00:59:06 2004 (41107B2A)
    f7c09000 f7c0b980 gameenum gameenum.sys Wed Aug 04 01:08:20 2004 (41107D54)
    f7c0d000 f7c0f580 ndistapi ndistapi.sys Fri Aug 17 15:55:29 2001 (3B7D84C1)
    f7c1d000 f7c20c80 mssmbios mssmbios.sys Wed Aug 04 01:07:47 2004 (41107D33)
    f7c49000 f7c4b280 rasacd rasacd.sys Fri Aug 17 15:55:39 2001 (3B7D84CB)
    f7c4d000 f7c4eb80 kdcom kdcom.dll Fri Aug 17 15:49:10 2001 (3B7D8346)
    f7c4f000 f7c50100 WMILIB WMILIB.SYS Fri Aug 17 16:07:23 2001 (3B7D878B)
    f7c51000 f7c52500 viaide viaide.sys Wed Aug 04 00:59:42 2004 (41107B4E)
    f7c69000 f7c6a100 swenum swenum.sys Wed Aug 04 00:58:41 2004 (41107B11)
    f7c6b000 f7c6c280 USBD USBD.SYS Fri Aug 17 16:02:58 2001 (3B7D8682)
    f7c6d000 f7c6ef00 Fs_Rec Fs_Rec.SYS Fri Aug 17 15:49:37 2001 (3B7D8361)
    f7c6f000 f7c70080 Beep Beep.SYS Fri Aug 17 15:47:33 2001 (3B7D82E5)
    f7c71000 f7c72080 mnmdd mnmdd.SYS Fri Aug 17 15:57:28 2001 (3B7D8538)
    f7c73000 f7c74080 RDPCDD RDPCDD.sys Fri Aug 17 15:46:56 2001 (3B7D82C0)
    f7c75000 f7c76100 dump_WMILIB dump_WMILIB.SYS Fri Aug 17 16:07:23 2001 (3B7D878B)
    f7ce9000 f7ceaa80 ParVdm ParVdm.SYS Fri Aug 17 15:49:49 2001 (3B7D836D)
    f7d61000 f7d61c00 audstub audstub.sys Fri Aug 17 15:59:40 2001 (3B7D85BC)
    f7e01000 f7e01b80 Null Null.SYS Fri Aug 17 15:47:39 2001 (3B7D82EB)
    f7e9f000 f7e9fd00 dxgthk dxgthk.sys Fri Aug 17 15:53:12 2001 (3B7D8438)

    Unloaded modules:
    f7a75000 f7a7a000 Cdaudio.SYS
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f7c45000 f7c48000 Sfloppy.SYS
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    Closing open log file c:\debuglog.txt
     
  18. 2008/05/20
    mflynn
  19. 2008/05/21
    MitchellCooley (Thread Starter)

    Well Mike, there is something strange in there...

    HijackThis Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:42:48 AM, on 5/21/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\DebugDiag\DbgSvc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172003704917
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172715836890
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)

    --
    End of file - 4118 bytes


    DSS Log:

    Deckard's System Scanner v20071014.68
    Run by James Whinery on 2008-05-21 00:53:52
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    Total Physical Memory: 447 MiB (512 MiB recommended).


    -- HijackThis (run as James Whinery.exe) ---------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:53:59 AM, on 5/21/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\DebugDiag\DbgSvc.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\New Folder\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\JAMESW~1.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172003704917
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172715836890
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)

    --
    End of file - 3625 bytes

    -- Files created between 2008-04-21 and 2008-05-21 -----------------------------

    2008-05-21 00:29:47 0 dr-h----- C:\Documents and Settings\James Whinery\Recent
    2008-05-20 12:46:13 0 d-------- C:\Program Files\ACW
    2008-05-20 12:35:05 0 d-------- C:\WINDOWS\Prefetch
    2008-05-20 12:33:07 139536 --a------ C:\WINDOWS\system32\javaee.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
    2008-05-20 12:33:07 46352 --a------ C:\WINDOWS\setdebug.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
    2008-05-20 04:07:59 0 d--h----- C:\Documents and Settings\Administrator\Templates
    2008-05-20 04:07:59 0 dr------- C:\Documents and Settings\Administrator\Start Menu
    2008-05-20 04:07:59 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
    2008-05-20 04:07:59 0 d--h----- C:\Documents and Settings\Administrator\Recent
    2008-05-20 04:07:59 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
    2008-05-20 04:07:59 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
    2008-05-20 04:07:59 0 d--h----- C:\Documents and Settings\Administrator\NetHood
    2008-05-20 04:07:59 0 d-------- C:\Documents and Settings\Administrator\My Documents
    2008-05-20 04:07:59 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
    2008-05-20 04:07:59 0 d-------- C:\Documents and Settings\Administrator\Favorites
    2008-05-20 04:07:59 0 d-------- C:\Documents and Settings\Administrator\Desktop
    2008-05-20 04:07:59 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
    2008-05-20 04:07:59 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
    2008-05-20 04:07:59 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
    2008-05-19 09:18:58 0 d-------- C:\Program Files\S3
    2008-05-17 19:58:06 0 d-------- C:\AOC
    2008-05-15 12:18:21 0 d-------- C:\Program Files\Western Digital Technologies
    2008-05-14 23:24:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-05-13 16:44:55 0 d-------- C:\Documents and Settings\James Whinery\Application Data\Corel
    2008-05-13 04:09:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-05-13 04:09:57 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-05-12 17:57:11 0 d-------- C:\Program Files\Alwil Software
    2008-05-12 17:55:19 0 d-------- C:\Program Files\CCleaner
    2008-05-12 14:18:08 0 d-------- C:\Program Files\Windows Resource Kits
    2008-05-12 13:03:22 0 d-------- C:\Program Files\Trend Micro
    2008-05-12 06:30:42 0 d------c- C:\WINDOWS\system32\DRVSTORE
    2008-05-12 06:13:48 0 d-------- C:\Program Files\VIA
    2008-05-12 05:51:11 23600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>
    2008-05-12 05:40:21 0 d-------- C:\symbols
    2008-05-12 05:21:42 0 d-------- C:\symcache
    2008-05-12 05:19:11 0 d-------- C:\Program Files\Debugging Tools for Windows (x86)
    2008-05-01 19:03:33 0 d--h----- C:\Program Files\InstallShield Installation Information
    2008-04-25 06:31:50 4194304 --a------ C:\Documents and Settings\James Whinery\ntuser.dat
    2008-04-22 16:00:00 66048 --a------ C:\WINDOWS\system32\drivers\EAPPkt.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>


    -- Find3M Report ---------------------------------------------------------------

    2008-05-20 12:14:09 0 d-------- C:\Program Files\Messenger
    2008-05-20 12:11:44 0 d-------- C:\Program Files\Movie Maker
    2008-05-20 12:11:22 0 d-------- C:\Program Files\Windows NT
    2008-05-20 05:31:09 0 d--h----- C:\Program Files\WindowsUpdate
    2008-05-20 05:16:12 22720 --a------ C:\WINDOWS\system32\emptyregdb.dat
    2008-05-16 20:57:44 0 d-------- C:\Program Files\DebugDiag
    2008-05-16 12:44:19 0 d-------- C:\Documents and Settings\James Whinery\Application Data\Lavasoft
    2008-05-13 20:24:51 0 d-------- C:\Program Files\Common Files\InstallShield
    2008-05-13 16:44:58 61678 --a------ C:\Documents and Settings\James Whinery\Application Data\PFP110JPR.{PB
    2008-05-13 16:44:58 12358 --a------ C:\Documents and Settings\James Whinery\Application Data\PFP110JCM.{PB


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [05/15/2008 06:19 PM]
    "KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
    "VTTimer"="VTTimer.exe" [03/08/2005 03:33 AM C:\WINDOWS\system32\VTTimer.exe]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr"=0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @="Volume shadow copy"




    -- End of Deckard's System Scanner: finished at 2008-05-21 00:54:24 ------------

    Now here is the "strange stuff":

    Spybot S&D result [run in safe mode]

    Error during check!: CoolWWWSearch.HomeSearch [102] (Access violation at address 7C80D263 in module 'kernel32.dll'. Read of address 01FE3000) ()


    Error during check!: CoolWWWSearch.HomeSearch [103] (Access violation at address 7C80D263 in module 'kernel32.dll'. Read of address 01FE3000) ()


    Error during check!: CoolWWWSearch.HomeSearch [104] (Access violation at address 7C80D263 in module 'kernel32.dll'. Read of address 01FE3000) ()


    Error during check!: CoolWWWSearch.HomeSearch [105] (Access violation at address 7C80D263 in module 'kernel32.dll'. Read of address 01FE3000) ()


    Error during check!: CoolWWWSearch.HomeSearch [107] (Access violation at address 7C80D263 in module 'kernel32.dll'. Read of address 01FE3000) ()


    Congratulations!: No immediate threats were found. ()



    --- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

    2008-01-28 blindman.exe (1.0.0.7)
    2008-01-28 SDDelFile.exe (1.0.2.4)
    2008-01-28 SDMain.exe (1.0.0.5)
    2007-10-07 SDShred.exe (1.0.1.2)
    2008-01-28 SDUpdate.exe (1.0.8.8)
    2008-01-28 SDWinSec.exe (1.0.0.11)
    2008-01-28 SpybotSD.exe (1.5.2.20)
    2008-01-28 TeaTimer.exe (1.5.2.16)
    2008-05-21 unins000.exe (51.49.0.0)
    2008-01-28 Update.exe (1.4.0.6)
    2008-01-28 advcheck.dll (1.5.4.5)
    2007-04-02 aports.dll (2.1.0.0)
    2007-11-17 DelZip179.dll (1.79.7.4)
    2008-01-28 SDFiles.dll (1.5.1.19)
    2008-01-28 SDHelper.dll (1.5.0.11)
    2008-01-28 Tools.dll (2.1.3.3)
    2008-04-16 Includes\Adware.sbi (*)
    2008-05-14 Includes\AdwareC.sbi (*)
    2008-05-14 Includes\Cookies.sbi (*)
    2007-12-26 Includes\Dialer.sbi (*)
    2008-05-14 Includes\DialerC.sbi (*)
    2008-05-14 Includes\HeavyDuty.sbi (*)
    2008-04-30 Includes\Hijackers.sbi (*)
    2008-05-14 Includes\HijackersC.sbi (*)
    2008-04-30 Includes\Keyloggers.sbi (*)
    2008-05-14 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2008-04-22 Includes\Malware.sbi (*)
    2008-05-14 Includes\MalwareC.sbi (*)
    2008-03-26 Includes\PUPS.sbi (*)
    2008-05-14 Includes\PUPSC.sbi (*)
    2008-05-14 Includes\Revision.sbi (*)
    2008-01-09 Includes\Security.sbi (*)
    2008-05-14 Includes\SecurityC.sbi (*)
    2008-04-16 Includes\Spybots.sbi (*)
    2008-05-14 Includes\SpybotsC.sbi (*)
    2008-04-16 Includes\Spyware.sbi (*)
    2008-05-14 Includes\SpywareC.sbi (*)
    2007-11-06 Includes\Tracks.uti
    2008-04-30 Includes\Trojans.sbi (*)
    2008-05-14 Includes\TrojansC.sbi (*)
    2008-03-04 Plugins\Chai.dll
    2008-03-05 Plugins\Fennel.dll
    2008-02-26 Plugins\Mate.dll
    2007-12-24 Plugins\TCPIPAddress.dll

    Malwarebytes Log:

    Malwarebytes' Anti-Malware 1.12
    Database version: 772

    Scan type: Full Scan (C:\|)
    Objects scanned: 82202
    Time elapsed: 50 minute(s), 48 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 3
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\Software\uninstall (Fake.Dropped.Malware) -> No action taken.
    HKEY_CURRENT_USER\Software\Microsoft\HID_Layer (Malware.Trace) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> No action taken.

    Registry Values Infected:
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{c95fe080-8f5d-11d2-a20b-00aa003c157a} (Trojan.BHO) -> No action taken.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    Waiting for instructions...


    Mitch
     
  20. 2008/05/21
    mflynn
    Hi Mitch

    We may be onto something here!

    Yes, those (Access violation at address 7C80D263 in module 'kernel32.dll'. Read of address 01FE3000) () errors probably would cause a dump in full mode.

    Let's take this a step or two further.

    D/L Xclean_Micro http://www.xblock.com/download/xclean_micro.exe
    No install; run it, delete all it finds, and decline to reboot on each item found until the program finishes, then reboot.

    D/L, install, update and run HazardShield http://www.orbitech.org/hazardshield.html
    Use full with registry scan.

    Let me know what they found.

    D/L Adaware 2008 final http://majorgeeks.com/Ad-Aware_2008__d5947.html
    Full scan

    Update it and boot to safe mode and run it. Let me know the results.

    After the above reboot and post new HJT and DSS logs.

    We will then handle those strange items if any are left.

    Mike
     
    Last edited: 2008/05/21
  21. 2008/05/21
    MitchellCooley (Thread Starter)

    Will get those taken care of right now, Mike.

    Report back soon.

    Mitch
     
