
0x00000007F bluescreen when booting XP Pro SP2


This topic is locked. 2 replies to this topic.

#1 tomhatcher (Full Member, 3 posts)

Posted 16 August 2005 - 02:48 AM

I was having a look on these forums the other day and found someone with a similar problem to mine: lots of spyware/trojans etc.
So I followed the advice he was given, which was to reboot into safe mode and run CWShredder, AboutBuster, and ewido.

Having done that, and removed lots of spyware in the process, I have somehow disabled Windows, in that whenever I boot to normal mode I get a bluescreen as described in the title. I am writing this from safe mode with networking support.

I will post some logs and hopefully someone can help me?

Logfile of HijackThis v1.97.7
Scan saved at 6:45:19 PM, on 16/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\ON DC\Ultimate Software DVD\utilities\spyware tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.monash.edu.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.monash.edu.au
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=proxy.its.monash.edu.au:8080;gopher=proxy.its.monash.edu.au:8080;http=proxy.its.monash.edu.au:8080;https=proxy.its.monash.edu.au:8080;socks=proxy.its.monash.edu.au:8080
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E92848F3-1020-400A-46C4-E137E0603588} - C:\WINDOWS\system32\sdkyu.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [EasyTuneV] C:\Program Files\Gigabyte\ET5\GUI.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [PathNvidiaTV] C:\Program Files\Gigabyte\Nvidia\patchnvidiaTVout.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\system32\msmsgs.exe
O4 - HKLM\..\Run: [d3sy.exe] C:\WINDOWS\d3sy.exe
O4 - HKLM\..\Run: [sdkay32.exe] C:\WINDOWS\system32\sdkay32.exe
O4 - HKLM\..\Run: [sdkru.exe] C:\WINDOWS\system32\sdkru.exe
O4 - HKLM\..\Run: [ipft.exe] C:\WINDOWS\system32\ipft.exe
O4 - HKLM\..\Run: [netfq.exe] C:\WINDOWS\system32\netfq.exe
O4 - HKLM\..\Run: [sdkvm32.exe] C:\WINDOWS\system32\sdkvm32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SIDEBAR] "C:\Program Files\Desktop Sidebar\dsidebar.exe"
O4 - HKCU\..\Run: [MPG E-Time ] C:\Program Files\E-Time\ETime.exe /s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Permeo Security Driver Startup.lnk = C:\Program Files\Permeo\Security Driver\EBIcon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Subscribe in Desktop Sidebar (HKLM)
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar (HKLM)
O9 - Extra button: Research (HKLM)
O10 - Unknown file in Winsock LSP: c:\program files\permeo\security driver\s5spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\permeo\security driver\s5spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\permeo\security driver\s5spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\permeo\security driver\s5spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\permeo\security driver\s5spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\permeo\security driver\s5spi.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://en.wikipedia.org
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DBAC8A3C-DDC7-4F42-A80A-1AFC4A12D1A0}: NameServer = 10.0.0.2,10.0.0.1

^ That was a HijackThis log that I did just then, i.e. after I removed all the spyware.
v This is my one and only AboutBuster log.

AboutBuster 5.0 reference file 28
Scan started on [16/08/2005] at [4:35:05 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\Active Setup Log.BAK:esowh
Removed Stream! C:\WINDOWS\clock.avi:bhqit
Removed Stream! C:\WINDOWS\Rhododendron.bmp:olksn
Removed Stream! C:\WINDOWS\winamp.ini:xvlbr
Removed Stream! C:\WINDOWS\wininit.ini:xvikv
Removed Stream! C:\WINDOWS\{00000001-00000000-00000008-00001102-00000002-80661102}.BAK:dcaun
------------------------------------------------
Removed File! : C:\Windows\System32\ceiob.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 4:35:27 PM


v And my ewido log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:44:47 PM, 16/08/2005
+ Report-Checksum: 188F0B29

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{C5E66D21-FF6E-2881-4046-8D0402A4597D} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{F80F0D50-2D6C-75C3-606A-3DFE0F4FC5D0} -> Spyware.CoolWebSearch : Cleaned with backup
C:\WINDOWS\002257_.tmp:lbdjo -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\002257_.tmp:vgtwr -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\addpd.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apihm32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\appir32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\appka32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apply.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\appox.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\appza.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\atlfs.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\cdplayer.ini:kzpfw -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\control.ini:mwktp -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\crme32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\DjVuDoc.ico:ugiwxh -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\eReg.dat:pfqqc -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Greenstone.bmp:gbiaw -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\mozver.dat:hzagh -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\mscu.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\msdfmap.ini:hiixk -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\msmc32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ntdtcsetup.log:darcn -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\regopt.log:abqxt -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\sdkfb32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\spupdsvc.log:bjhmq -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\sysph32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32:fbaa.dll -> TrojanDownloader.Small.azk : Cleaned with backup
C:\WINDOWS\system32\addpg32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\apift.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\apijf.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\appcu32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\appup.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\atldb32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\atlfp.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\atlww32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\iewc32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\ipjr32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\javaax32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\javafp.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\javagg.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\javaju32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\mfcex32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\mfcir.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\mstp.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\netpz.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\netuz.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\winla.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\tsoc.log:dbaxmk -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\winamp.ini:molaq -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\winhx.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\winit.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\WMSysPrx.prx:zetbcj -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_default.pif:semheu -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{00000001-00000000-00000008-00001102-00000002-80661102}.BAK:gvkeg -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{00000001-00000000-00000008-00001102-00000002-80661102}.BAK:prspl -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{00000001-00000000-00000008-00001102-00000002-80661102}.BAK:ptvie -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{00000001-00000000-00000008-00001102-00000002-80661102}.BAK:zjhdf -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{00000001-00000000-00000008-00001102-00000002-80661102}.CDF:gvkeg -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{00000001-00000000-00000008-00001102-00000002-80661102}.CDF:prspl -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{00000001-00000000-00000008-00001102-00000002-80661102}.CDF:ptvie -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{00000001-00000000-00000008-00001102-00000002-80661102}.CDF:zjhdf -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\Documents and Settings\Thomas Hatcher.THOMAS\Cookies\thomas hatcher@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup


::Report End


Any help greatly appreciated. Thanks in advance.
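A triage pass over the HijackThis log above, as an added example and not advice from this thread: it parses O4 (Run) and O2 (BHO) lines and flags the two patterns that separate the suspicious entries from the Symantec and NVIDIA ones, namely a Run value that is simply named after its target file dropped straight into C:\WINDOWS or system32, and an unnamed BHO loaded from those directories. The SAMPLE_LOG, the ALLOWLIST and the regexes are constructed for this example; flagged entries are candidates for review, not a verdict.

```python
import re
from typing import List, Tuple

# Constructed sample in the shape of the HijackThis 1.97.7 log above
# (a handful of its O2 and O4 entries, not the complete log).
SAMPLE_LOG = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E92848F3-1020-400A-46C4-E137E0603588} - C:\WINDOWS\system32\sdkyu.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [d3sy.exe] C:\WINDOWS\d3sy.exe
O4 - HKLM\..\Run: [sdkay32.exe] C:\WINDOWS\system32\sdkay32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
# First drive-letter path ending in .exe/.dll inside a Run command line
# (skips a leading RUNDLL32.EXE and a trailing ",EntryPoint").
PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^",]+?\.(?:exe|dll))', re.IGNORECASE)
WINDIR = re.compile(r"^[A-Za-z]:\\WINDOWS(\\system32)?\\[^\\]+$", re.IGNORECASE)

# Known Windows XP components that legitimately register under their own
# file name; they would otherwise trip the "value name == file name" rule.
ALLOWLIST = {"ctfmon.exe"}


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, path) pairs for entries worth a closer look."""
    hits = []
    for line in log_text.strip().splitlines():
        m = O4_RE.match(line)
        if m:
            p = PATH_RE.search(m["cmd"])
            if not p:
                continue  # bare names like CTHELPER.EXE give no path to judge
            path = p["path"]
            fname = path.rsplit("\\", 1)[-1].lower()
            # The suspect entries use the file name as the Run value name and
            # sit directly in %WINDIR% or system32; the vendor entries use
            # descriptive value names (ccApp, NvCplDaemon) instead.
            if (m["name"].lower() == fname and WINDIR.match(path)
                    and fname not in ALLOWLIST):
                hits.append(("Run value named after file in Windows dir", path))
            continue
        m = O2_RE.match(line)
        if m and m["name"] == "(no name)" and WINDIR.match(m["path"]):
            hits.append(("unnamed BHO loaded from Windows dir", m["path"]))
    return hits


if __name__ == "__main__":
    for reason, path in triage(SAMPLE_LOG):
        print(f"{reason}: {path}")
```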

#2 tomhatcher (Full Member, 3 posts)

Posted 16 August 2005 - 03:35 AM

Just to clarify,

That bluescreen was the following:

0x000000F7 (0x00000F3, 0x00000F52, 0xFFFFF0AD, 0x00000000)

I have never seen it before, that's why I previously erroneously thought it was a 7F, which I have seen many times. I *think* I have successfully removed all my spyware, thanks to a number of things on these forums mostly, but yeah... just having a few problems booting back into Windows.
One of my friends thought I should just reinstall Windows, but it's just such a great installation, it's got all my programs on it, works fast, etc.

This is my backup hard drive I'm working on now, but it bluescreens all the time and is basically just a backup - with no decent software on it.

Sorry if I'm rambling... I'll shut up now.

#3 tomhatcher (Full Member, 3 posts)

Posted 19 August 2005 - 11:16 PM

*Bump*

Anyone got any ideas here? This is a serious problem. My backup drive was playing up - not connecting to the internet, and crashing a bit. So I actually had to install Windows on my 2nd backup drive - and that's what I'm writing from now.
If I can't get this problem fixed soon I think I'll run out of backup drives. The problem with the 1st backup drive is that when I try to connect to the internet (via Firefox on a university proxy) it says: "Alert! The proxy server you have configured is unavailable. Please check your proxy settings and try again."

But NOTHING'S CHANGED! It just does that. I'm getting worried because it did the same thing on my first HDD when in safe mode with networking, that's why I had to solely use my backup drive for internet until now. I don't know how long it will be until this one bites the dust either! Any ideas?



