Windows XP SP3 keeps crashing

February 13, 2013 at 12:16:15
Specs: Windows XP, Intel Core 2 Duo E450D 3.25 GB RAM
Hello,
I have a friend's computer that was infected with a rogue antivirus software...I believe it was called Security Essentials, or something along those lines. It hid everything on the desktop, as well as the start menu, and shut down task manager, Microsoft Security Essentials, etc. I booted into safe mode and I was able to remove the infections using Malwarebytes and SuperAntiSpyware...I ran Rkill from bleepingcomputers.com first, and afterwards I ran RogueKiller to unhide the hidden folders, start-menu items etc.

Even before I had done this, the computer was crashing, but I thought that this was probably just caused by the infection. But even after the infection has been removed, it still keeps doing this. I opened a crash dump and it seems to point to http.sys. I've already run chkdsk, as well as sfc /scanboot, and nothing has fixed the issue yet. I also tested the memory, but that all showed as being good.

I somewhat suspect a driver somewhere, because I never had it crash on me while running in safe-mode.

Computer Specs:
Windows XP Pro SP3
Dell Vostro 200
Intel Core 2 Duo E450D
3.25 GB RAM


I also have a hijackthis log, and the results from a crash dump that I opened in windows debugger if anybody would find them useful




#1
February 13, 2013 at 12:45:31
There is a legitimate Anti-Virus/malware program by Microsoft called Microsoft Security Essentials.

Try posting the Hijack log at Trend Micro.

See the link below.

http://www.bleepingcomputer.com/vir...

edit

Normally I don't recommend using registry cleaners, but in this case I would recommend you download and run both the cleaner and registry modules of CCleaner Slim. Do that AFTER you run Scannow SFC. See the two links below.

http://www.microsoft.com/resources/...

http://www.piriform.com/ccleaner/bu...


#2
February 13, 2013 at 12:52:31
If you're crashing, even in safe mode, you probably have a rootkit. You'll need to remove the hard drive, and work on it from a known uninfected machine.

How To Ask Questions The Smart Way


#3
February 13, 2013 at 12:55:27
Razor, see the link above from bleeping computer.



#4
February 13, 2013 at 14:40:29
Can you post the HJT log please.

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?


#5
February 13, 2013 at 16:09:49
OtheHill: see the link above from bleeping computer.
Reading it now, but I'm not seeing your point.


#6
February 13, 2013 at 16:21:58
From the original post it sounds like the supposed infection here is exactly the same as the description in the link: "...I believe it was called Security Essentials".


#7
February 13, 2013 at 16:40:55
"I also have a hijackthis log, and the results from a crash dump that I opened in windows debugger if anybody would find them useful"

Yes please, I will look at both.


#8
February 13, 2013 at 18:00:54
We don't know what other infections the machine has, and constant crashing after a machine has been compromised tells me something snuck into the kernel. Like a rootkit.


#9
February 14, 2013 at 10:26:17
You may be right, Razor


#10
February 15, 2013 at 13:23:24
Sorry for the delay, I was gone for a few days...
Hijack This Log
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:14:54 AM, on 2/12/2013
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\14.1.7\ToolbarUpdater.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\CodeMeter\Runtime\bin\CodeMeter.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Winsim\ConnectionManager\Simply.SystemTrayIcon.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe
C:\Program Files\AVG Secure Search\vprot.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Documents and Settings\mom\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\2BrightSparks\SyncBack\SyncBack.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://isearch.avg.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://partnerpage.google.com/smal [...] bd=0080325
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\14.1.0.10\AVG Secure Search_toolbar.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\14.1.0.10\AVG Secure Search_toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PMX Daemon] ICO.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ConnectionManager] C:\Program Files\Winsim\ConnectionManager\Simply.SystemTrayIcon.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [hpbdfawep] C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe 1
O4 - HKLM\..\Run: [vProt] "C:\Program Files\AVG Secure Search\vprot.exe"
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-unin [...] er=9.0.894
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - Startup: Dropbox.lnk = C:\Documents and Settings\mom\Application Data\Dropbox\bin\Dropbox.exe
O4 - Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O4 - Startup: SyncBack.lnk = C:\Program Files\2BrightSparks\SyncBack\SyncBack.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuit [...] plugin.cab
O16 - DPF: {0C3CAA1C-027B-40AF-B080-5880E96C5113} (VIVIDESKControlWeb Control) - http://install.cche.net/clint/inst [...] rolWeb.ocx
O16 - DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} (UploadListView Class) - http://picasaweb.google.com/s/v/61....
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr [...] NPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/micros [...] 8558035031
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mi [...] 8789590031
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/d [...] DEXAXO.cab
O16 - DPF: {BEA7310D-06C4-4339-A784-DC3804819809} (Photo Upload Plugin Class) - http://costco.pnimedia.com/upload/ [...] ontrol.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - http://wwwimages.adobe.com/www.ado [...] nos/gp.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://akamaicdn.webex.com/client/ [...] eatgpc.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/get...
O16 - DPF: {EFD1E13D-1CB3-4545-B754-CA410FE7734F} (Photo Upload Plugin Class) - http://costco.pnimedia.com/upload/ [...] ontrol.cab
O18 - Protocol: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\14.1.7\ViProtocol.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: CodeMeter Runtime Server (CodeMeter.exe) - WIBU-SYSTEMS AG - C:\Program Files\CodeMeter\Runtime\bin\CodeMeter.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Simply Accounting Database Connection Manager - Sage Software - C:\Program Files\Winsim\ConnectionManager\SimplyConnectionManager.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: vToolbarUpdater14.1.7 - Unknown owner - C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\14.1.7\ToolbarUpdater.exe
O24 - Desktop Component 0: (no name) - http://www.americanprogress.org/im [...] Banner.gif
O24 - Desktop Component 1: (no name) - file:///CDOCUME~1/mom/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
O24 - Desktop Component 2: (no name) - file:///CDOCUME~1/mom/LOCALS~1/Temp/msohtml1/01/clip_image002.gif

--
End of file - 12852 bytes


#11
February 15, 2013 at 13:24:23
and here are the results from the Windows Debugger..

Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [L:\Minidump\Mini020813-02.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*C:\debuggers\SymbolCache*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_gdr.120821-1629
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Fri Feb 8 11:05:52.687 2013 (UTC - 7:00)
System Uptime: 0 days 0:10:40.406
Loading Kernel Symbols
...............................................................
................................................................
...
Loading User Symbols
Loading unloaded module list
.....
Unable to load image HTTP.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for HTTP.sys
*** ERROR: Module load completed but symbols could not be loaded for HTTP.sys
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000007E, {c0000005, 89ef0097, ba4ffa90, ba4ff78c}

Probably caused by : HTTP.sys ( HTTP+3b9ad )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 89ef0097, The address that the exception occurred at
Arg3: ba4ffa90, Exception Record Address
Arg4: ba4ff78c, Context Record Address

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP:
+16
89ef0097 8b7610 mov esi,dword ptr [esi+10h]

EXCEPTION_RECORD: ba4ffa90 -- (.exr 0xffffffffba4ffa90)
ExceptionAddress: 89ef0097
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000010
Attempt to read from address 00000010

CONTEXT: ba4ff78c -- (.cxr 0xffffffffba4ff78c)
eax=89d50d04 ebx=00000000 ecx=89f01f10 edx=89d50c70 esi=00000000 edi=89f01e58
eip=89ef0097 esp=ba4ffb58 ebp=ba4ffbb4 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
89ef0097 8b7610 mov esi,dword ptr [esi+10h] ds:0023:00000010=????????
Resetting default scope

CUSTOMER_CRASH_COUNT: 2

PROCESS_NAME: System

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1: 00000000

EXCEPTION_PARAMETER2: 00000010

READ_ADDRESS: 00000010

FOLLOWUP_IP:
HTTP+3b9ad
b171d9ad ?? ???

FAILED_INSTRUCTION_ADDRESS:
+3b9ad
89ef0097 8b7610 mov esi,dword ptr [esi+10h]

BUGCHECK_STR: 0x7E

DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE

LAST_CONTROL_TRANSFER: from b171d9ad to 89ef0097

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
ba4ffbb4 b171d9ad 89f01e58 b1700264 89d46f38 0x89ef0097
ba4ffbe4 b171cc13 89d46f38 e1d8d202 00000000 HTTP+0x3b9ad
ba4ffc84 805813af 89d46f38 89e8c000 00000000 HTTP+0x3ac13
ba4ffd54 805814bf 80001200 00000001 00000000 nt!IopLoadDriver+0x66d
ba4ffd7c 80538819 80001200 00000000 8b132620 nt!IopLoadUnloadDriver+0x45
ba4ffdac 805cffbe b400ccf4 00000000 00000000 nt!ExpWorkerThread+0xef
ba4ffddc 805461ae 8053872a 00000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: HTTP+3b9ad

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: HTTP

IMAGE_NAME: HTTP.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4adde33f

STACK_COMMAND: .cxr 0xffffffffba4ff78c ; kb

FAILURE_BUCKET_ID: 0x7E_BAD_IP_HTTP+3b9ad

BUCKET_ID: 0x7E_BAD_IP_HTTP+3b9ad

Followup: MachineOwner
---------


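Reading the debugger output above the way an analyst would: the bugcheck is 0x1000007E (the same bugcheck as 0x7E, with the same four parameters), the unhandled exception is 0xC0000005, the read address is 0x10 (a field of a NULL structure pointer, which is why WinDbg bucketed it as NULL_CLASS_PTR_DEREFERENCE), the faulting instruction at 0x89ef0097 is not inside any loaded module, the frame that called it is HTTP+0x3b9ad, and nt!IopLoadDriver is on the stack, so HTTP.sys was still being initialized when control went to unattributed code. The script below is an added example, not code from the original post or from WinDbg: a small Python triage helper that pulls exactly those facts out of `!analyze -v` text so a folder of minidump listings can be screened the same way. Its only input is the text posted above, embedded as a constant; the finding strings are my own wording.

```python
"""Triage helper for WinDbg `!analyze -v` text (added example, not part of the thread)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Subset of the !analyze -v output posted in #11 above (copied from the post, not invented).
SAMPLE_DUMP = """\
BugCheck 1000007E, {c0000005, 89ef0097, ba4ffa90, ba4ff78c}

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

READ_ADDRESS: 00000010

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
ba4ffbb4 b171d9ad 89f01e58 b1700264 89d46f38 0x89ef0097
ba4ffbe4 b171cc13 89d46f38 e1d8d202 00000000 HTTP+0x3b9ad
ba4ffc84 805813af 89d46f38 89e8c000 00000000 HTTP+0x3ac13
ba4ffd54 805814bf 80001200 00000001 00000000 nt!IopLoadDriver+0x66d
ba4ffd7c 80538819 80001200 00000000 8b132620 nt!IopLoadUnloadDriver+0x45
ba4ffdac 805cffbe b400ccf4 00000000 00000000 nt!ExpWorkerThread+0xef
ba4ffddc 805461ae 8053872a 00000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
"""

# kb-style frame: ChildEBP RetAddr Args-to-Child(x3) Symbol
FRAME_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8})(?: [0-9a-f]{8}){3} (\S+)$", re.M)
BUGCHECK_RE = re.compile(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", re.M)
READ_RE = re.compile(r"^READ_ADDRESS:\s+([0-9a-fA-F]+)", re.M)


@dataclass
class Frame:
    child_ebp: int
    ret_addr: int
    symbol: str  # "nt!IopLoadDriver+0x66d", "HTTP+0x3b9ad", or a bare "0x89ef0097"

    def module(self) -> Optional[str]:
        """Module WinDbg attributed the frame to; None when it printed a bare address."""
        if self.symbol.startswith("0x"):
            return None
        return re.split(r"[!+]", self.symbol, maxsplit=1)[0]

    def has_symbols(self) -> bool:
        """True when WinDbg resolved a function name (module!function), not just module+offset."""
        return "!" in self.symbol


@dataclass
class Triage:
    bugcheck: int
    exception: int
    fault_ip: int
    read_address: Optional[int]
    frames: List[Frame]
    findings: List[str]


def parse_bugcheck(text: str):
    m = BUGCHECK_RE.search(text)
    if m is None:
        raise ValueError("no BugCheck line in input")
    return int(m.group(1), 16), [int(a.strip(), 16) for a in m.group(2).split(",")]


def parse_stack(text: str) -> List[Frame]:
    return [Frame(int(ebp, 16), int(ret, 16), sym) for ebp, ret, sym in FRAME_RE.findall(text)]


def triage(text: str) -> Triage:
    code, args = parse_bugcheck(text)
    if (code & 0xFFFF) != 0x7E:  # 0x1000007E is the "_M" form of 0x7E: same meaning, same parameters
        raise ValueError(f"bugcheck 0x{code:X} is not SYSTEM_THREAD_EXCEPTION_NOT_HANDLED")
    exception, fault_ip = args[0], args[1]  # Arg1: exception code, Arg2: exception address
    frames = parse_stack(text)
    m = READ_RE.search(text)
    read_addr = int(m.group(1), 16) if m else None
    findings: List[str] = []

    # The first page of the address space is never mapped, so a tiny read address is
    # a NULL structure pointer plus a field offset, not a wild pointer.
    if exception == 0xC0000005 and read_addr is not None and read_addr < 0x1000:
        findings.append(f"access violation reading 0x{read_addr:x}: a field at offset "
                        f"0x{read_addr:x} of a NULL structure pointer")

    # Frame 0 is where the exception happened; a bare address means no module covers it.
    if frames and frames[0].module() is None:
        caller = next((f for f in frames[1:] if f.module() is not None), None)
        where = f"; reached from {caller.symbol}" if caller else ""
        findings.append(f"exception address 0x{fault_ip:08x} is not inside any loaded module{where}")
        if caller is not None and not caller.has_symbols():
            findings.append(f"no symbols for {caller.module()}; the image was not matched, "
                            "so check the on-disk file before trusting offsets")

    # nt!IopLoadDriver on the stack means a DriverEntry was running: the driver being
    # loaded is the nearest attributed non-nt module below it.
    loader = next((f for f in frames if f.symbol.startswith("nt!IopLoadDriver")), None)
    if loader is not None:
        idx = frames.index(loader)
        being_loaded = next((f.module() for f in reversed(frames[:idx])
                             if f.module() not in (None, "nt")), None)
        findings.append(f"fault occurred while the kernel was initializing driver "
                        f"{being_loaded} (nt!IopLoadDriver on the stack)")

    return Triage(code, exception, fault_ip, read_addr, frames, findings)


if __name__ == "__main__":
    t = triage(SAMPLE_DUMP)
    print(f"bugcheck 0x{t.bugcheck:X}, exception 0x{t.exception:08X} at 0x{t.fault_ip:08x}")
    for finding in t.findings:
        print(" -", finding)
```

The script works only from the text; with the actual .dmp open in WinDbg, `lm` shows whether any module covers 0x89ef0097 and `u 89ef0097` disassembles what is there, which is the next thing to look at before blaming HTTP.sys itself.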

#12
February 15, 2013 at 14:07:45
Re-run HijackThis and check-mark the following for fixing:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://isearch.avg.com/

C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\14.1.7\ToolbarUpdater.exe

C:\Program Files\AVG Secure Search\vprot.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>

O2 - BHO: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\14.1.0.10\AVG Secure Search_toolbar.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll

O3 - Toolbar: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\14.1.0.10\AVG Secure Search_toolbar.dll

O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-unin [...] er=9.0.894

O18 - Protocol: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\14.1.7\ViProtocol.dll

O23 - Service: vToolbarUpdater14.1.7 - Unknown owner - C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\14.1.7\ToolbarUpdater.exe

Do you know what these are and are you happy to have these entries?

O16 - DPF: {0C3CAA1C-027B-40AF-B080-5880E96C5113} (VIVIDESKControlWeb Control) - http://install.cche.net/clint/inst [...] rolWeb.ocx

O24 - Desktop Component 0: (no name) - http://www.americanprogress.org/im [...] Banner.gif

O24 - Desktop Component 1: (no name) - file:///CDOCUME~1/mom/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

O24 - Desktop Component 2: (no name) - file:///CDOCUME~1/mom/LOCALS~1/Temp/msohtml1/01/clip_image002.gif

Download AdwCleaner from this link:

http://www.bleepingcomputer.com/dow...
AdwCleaner Usage Instructions:
Using AdwCleaner is very simple. Simply download the program and run it. You will then be presented with a screen that contains a Search and Delete button. The Search button will cause AdwCleaner to search your computer for unwanted programs and then display a log showing the various files, folders, and registry entries used by these programs.
To delete these unwanted programs simply click on the Delete button, which will cause AdwCleaner to reboot your computer and remove the files and registry entries associated with the various adware that you are removing. On reboot, AdwCleaner will display a log showing the files, folders, and registry entries that were removed.
Please include the log in your next reply.


#13
February 15, 2013 at 14:16:01
Can you please download and run the SecurityCheck tool and include the log in your next reply?
http://www.bleepingcomputer.com/dow...


#14
February 15, 2013 at 14:32:35
You need to remove this from Add and Remove Programs:

C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\14.1.7\ToolbarUpdater.exe


#15
February 15, 2013 at 15:48:01
"and here are the results from the Windows Debugger.."
Thanks, can you upload the .dmp file to a site of your choice & give us the link please.


#16
February 15, 2013 at 19:18:39
I was just thinking & reread how you got the .dmp info. Here is how to get what I would like to see.

Copy & paste the dump (.dmp) file onto your desktop & then upload it to a site of your choosing or use Image Uploader.
Minidump file is located in C:\Windows\Minidump
Kernel memory dump is located in C:\Windows\MEMORY.DMP
Startup and Recovery Settings
http://screenshots.leeindy.com/syst...
If the folders are empty > Right click on My Computer and select Properties.
Then select Advanced system settings Tab on the left menu.
Under the Startup and Recovery section, click on Settings.
Make sure "Write an event to the system log" is checked and "Automatically Restart" is unchecked. In the drop down menu under "Write Debugging Information," select Small memory dump (64KB or 128 KB) press OK and OK again.
Now next time the comp has a problem, get the EXACT error message off the screen & see if there is a .dmp file in the Minidump folder.
If it is still empty, repeat the process, but change > Small memory dump (128 KB) to > Kernel memory dump.
If a .dmp file is produced, upload it to a site of your choice or, use Image Uploader. Give us the link.
Image Uploader
http://www.softpedia.com/get/Intern...
http://www.softpedia.com/progScreen...
http://zenden.ws/imageuploader_ru
How to use
http://i.imgur.com/C1qBB.gif
http://i.imgur.com/wqOKq.gif
http://i.imgur.com/PujnZ.gif

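Posts #2 and #8 suggest working on the drive from a known-clean machine because something may have got into the kernel, and the debugger output in #11 gives the kernel's own record of the HTTP.sys it loaded (DEBUG_FLR_IMAGE_TIMESTAMP: 4adde33f) while reporting that it could not load the image file itself. The script below is an added example, not code from the thread: with the drive mounted on a clean machine, it reads the PE header of the on-disk HTTP.sys, checks that its link timestamp is the one the kernel reported, and records the file's SHA-256 so it can be compared with a copy from a known-clean XP SP3 install at the same patch level. A matching timestamp only shows the file is the same build the kernel loaded, not that it is unmodified; the hash comparison is the part that matters. The minimal MZ/PE header built by `build_stub_pe` is constructed so the check runs offline, and the driver path in `check_file` is the usual location, not something taken from the thread.

```python
"""Offline check of a driver image against the timestamp recorded in the crash dump
(added example, not code from the original thread)."""
import hashlib
import struct
from datetime import datetime, timezone

# DEBUG_FLR_IMAGE_TIMESTAMP reported for HTTP.sys in the debugger output (post #11).
DUMP_IMAGE_TIMESTAMP = 0x4ADDE33F


def pe_timestamp(data: bytes) -> int:
    """Return the COFF header TimeDateStamp (link time) of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header after the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (timestamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return timestamp


def check_image(data: bytes, expected_timestamp: int) -> dict:
    """Compare an image with the timestamp the kernel recorded and hash it so it can be
    matched against a known-clean copy of the same build."""
    ts = pe_timestamp(data)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "timestamp": ts,
        "link_date": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "same_build_as_dump": ts == expected_timestamp,
    }


def check_file(path: str, expected_timestamp: int = DUMP_IMAGE_TIMESTAMP) -> dict:
    """Run check_image on a file, e.g. <mounted drive>\\WINDOWS\\system32\\drivers\\HTTP.sys
    (assumed path; adjust to where the suspect drive is mounted)."""
    with open(path, "rb") as fh:
        return check_image(fh.read(), expected_timestamp)


def build_stub_pe(timestamp: int) -> bytes:
    """Constructed minimal MZ/PE header (not a real driver) so the check can run offline."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    # Machine=i386, 1 section, TimeDateStamp, no symbols, no optional header, EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    result = check_image(build_stub_pe(DUMP_IMAGE_TIMESTAMP), DUMP_IMAGE_TIMESTAMP)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run `check_file` against the mounted drive's HTTP.sys and against the clean reference copy; if the timestamps agree but the hashes differ, the file on the suspect drive has been changed, and if the on-disk file checks out, the unattributed address in the dump points at something other than the file on disk.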