"Memory could not be 'read'"? Hijackthis log included.


  • This topic is locked
27 replies to this topic

#1 wbryant

wbryant

    Member

  • Full Member
  • Pip
  • 15 posts

Posted 16 December 2005 - 11:52 AM

Lately, I've been plagued by a recurring error. Happens most often in Firefox, but I've also seen it hit stunnel (a proxy allowing me to use K9 with a secure POP account), and most recently svchost, which kept killing my web access (but, oddly, not my network connection). It's not a constant thing, and there seems to be no pattern in regards to when it hits. I've run AdAware, Microsoft AntiSpyware, Spybot S&D, I keep Norton AV '05 up to date and scan regularly. Nothing is turned up. I thought maybe a stick of ram was going bad, so I ran the MS memtest from a boot disc overnight. After about 30 or so passes on the extended range of tests, no errors had turned up.

The error (as I saw it last, but I think it's always the same (-edit- it's not, both values change)) follows;

The instruction at "0x7c911f6c" referenced memory at "0x00000184". The memory could not be "read".

I'm at a loss, and the problem seems to be getting slowly worse. Not sure where else to turn, so thought maybe someone here would have an idea. Ran HJT sort of hoping it might expose something, but sort of getting this sinking feeling that it's somehow something uglier than spyware/malware/adware/virus/etc.

Thanks in advance for any guidance or suggestions.

HijackThis v1.98.2
Logfile of HijackThis v1.98.2
Scan saved at 12:41:29 PM, on 12/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Venturi2\Client\ventc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Venturi2\Configurator\ventcfg.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Gaim\gaim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG511U Configuration Utility\wlancfgu.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\KeirNet\K9\K9.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\stunnel\stunnel.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {348FE907-249E-4C65-A838-F34A193FE1D1} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Venturi Configurator] C:\Program Files\Venturi2\Configurator\ventcfg.exe
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [Gaim] C:\Program Files\Gaim\gaim.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: Launch K9.lnk = C:\Program Files\KeirNet\K9\K9.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR WG511U Smart Wizard.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {53B8B406-42E4-4DD3-96E7-9DEC8CEB3DD8} (ICQVideoControl Class) - http://xtraz.icq.com/xtraz/activex/ICQVideoControl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130794550687
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.7) - http://dcon.futuremark.com/global/msc37.cab

Edited by wbryant, 22 December 2005 - 09:34 PM.


#2 wbryant

Posted 18 December 2005 - 05:55 PM

Just to update a bit, as I haven't run into it the last few days; it's the type of thing that may hit me 6-7 times in a single day, then not happen for 2-3 days straight before happening again.

The only things that were 'new' to the laptop in question were Windows Media Connect, and something called Venturi Client, which allows me to get a net connection through my cell phone. I'll probably be removing the latter soon, and I really don't *need* the former (it's for file sharing with the xbox360), but when I go to remove it, it says ugly threatening things;

"Setup detected the following programs on your computer:
Security Update for Windows XP (KB905915)
Update for Windows XP (KB910437)
GnuWin32: Pcre-6.4
If WMCSetup is removed, these programs might not run properly. Do you want to continue?"


To date, I've been chicken and said 'no'.

Anyway, hard to imagine either of these two being the culprit, but they and a couple games are all that are new to the machine since this started happening. One of the games had a relatively malignant copy protection package included (Star-Force), perhaps that's somehow involved. I've since removed the game, but the S-F stuff seems to have dug in like a hungry tick.

Thanks in advance for any help.

Edited by wbryant, 18 December 2005 - 05:59 PM.


#3 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,347 posts

Posted 20 December 2005 - 02:43 PM

I did see that you have this program running. You can possibly disable the application.
C:\Program Files\stunnel\stunnel.exe, it may not be compatible with the other application you wish to use.

Close all windows and browsers and fix these items while at it.

O2 - BHO: (no name) - {348FE907-249E-4C65-A838-F34A193FE1D1} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE


Restart the computer to reset the registry.

Then, download, install, update and scan your system with the free version of Ewido trojan scanner:
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful"), close Ewido.
  • Please download CCleaner, install it but do not run it yet.
  • Boot into safe mode: Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
  • Run CCleaner and clean out your Temporary and Temporary Internet Files. This will reduce your ewido log considerably.
  • Run ewido, click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
  • If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
  • When the scan finishes, click on "Save Report". This will create a text file. Please then paste the contents of the text file to this thread.
  • Reboot in Normal mode.
  • Run HijackThis and post a new log along with the ewido report.

nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#4 wbryant

Posted 20 December 2005 - 07:10 PM

First, thanks a ton for the help and direction.

Interestingly, the "memory could not be read" deal happened again just before doing all of this.

The two logs follow;

Ewido:
---------------------------------------------------------
 ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on:			7:59:37 PM, 12/20/2005
 + Report-Checksum:		774E85F9

 + Scan result:

	HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
	C:\Documents and Settings\Will\My Documents\SORT ME\Will's Desktop Files\History\water.exe -> Trojan.Happyday : Cleaned with backup


::Report End

HiJackThis v1.98.2
Logfile of HijackThis v1.98.2
Scan saved at 8:06:51 PM, on 12/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\stunnel\stunnel.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Venturi2\Client\ventc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Venturi2\Configurator\ventcfg.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Gaim\gaim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG511U Configuration Utility\wlancfgu.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\KeirNet\K9\K9.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Venturi Configurator] C:\Program Files\Venturi2\Configurator\ventcfg.exe
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [Gaim] C:\Program Files\Gaim\gaim.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: Launch K9.lnk = C:\Program Files\KeirNet\K9\K9.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR WG511U Smart Wizard.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {53B8B406-42E4-4DD3-96E7-9DEC8CEB3DD8} (ICQVideoControl Class) - http://xtraz.icq.com/xtraz/activex/ICQVideoControl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130794550687
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.7) - http://dcon.futuremark.com/global/msc37.cab

Edited by wbryant, 22 December 2005 - 09:35 PM.


#5 wbryant

Posted 20 December 2005 - 10:37 PM

Just had the error/crash again. So now it's happened to Firefox dozens of times, stunnel several times, Thunderbird several, svchost a few times, various other programs once. Really starting to get frustrated, can't figure out what's causing this.

This time in a game (WoW), which at least provided more info;

This application has encountered a critical error:

ERROR #132 (0x85100084) Fatal Exception
Program: C:\Program Files\World of Warcraft\WoW.exe
Exception: 0xC00000005 (ACCESS_VIOLATION) at 001B:7C93426D

The instruction at "0x7C93426D" referenced memory at "0x00080008".
The memory could not be "read".

Press OK to terminate the application.


==============================================================================
World of WarCraft (build 4878)

Exe: C:\Program Files\World of Warcraft\WoW.exe
Time: Dec 20, 2005 11:30:46.109 PM
User: Will
Computer: BRYANT_2K5
------------------------------------------------------------------------------

This application has encountered a critical error:

ERROR #132 (0x85100084) Fatal Exception
Program: C:\Program Files\World of Warcraft\WoW.exe
Exception: 0xC0000005 (ACCESS_VIOLATION) at 001B:7C93426D

The instruction at "0x7C93426D" referenced memory at "0x00080008".
The memory could not be "read".


WoWBuild: 4878
------------------------------------------------------------------------------

----------------------------------------
x86 Registers
----------------------------------------

EAX=00080008 EBX=000003CF ECX=01B022A0 EDX=00000000 ESI=01B003D8
EDI=01B00420 EBP=0957F7EC ESP=0957F5CC EIP=7C93426D FLG=00010246
CS =001B DS =0023 ES =0023 SS =0023 FS =003B GS =0000


----------------------------------------
Stack Trace (Manual)
----------------------------------------

Address Frame Logical addr Module

7C93426D 0957F7EC 0001:0003326D C:\WINDOWS\system32\ntdll.dll

----------------------------------------
Stack Trace (Using DBGHELP.DLL)
----------------------------------------

7C93426D ntdll.dll RtlInitializeContext+492 (0x01B00000,0x00000001,0x00000040,0x01B0CC2C)


----------------------------------------
Loaded Modules
----------------------------------------

0x00320000 - 0x003B0000 C:\Program Files\World of Warcraft\fmod.dll
0x00400000 - 0x00C72000 C:\Program Files\World of Warcraft\WoW.exe
0x01AE0000 - 0x01AF3000 C:\WINDOWS\system32\vlsp.dll
0x0C190000 - 0x0C2A8000 C:\Program Files\World of Warcraft\dbghelp.dll
0x10000000 - 0x10069000 C:\Program Files\World of Warcraft\DivxDecoder.dll
0x4FDD0000 - 0x4FF76000 C:\WINDOWS\system32\d3d9.dll
0x5AD70000 - 0x5ADA8000 C:\WINDOWS\system32\UXTHEME.DLL
0x5B0A0000 - 0x5B0A7000 C:\WINDOWS\system32\umdmxfrm.dll
0x5B860000 - 0x5B8B4000 C:\WINDOWS\system32\NETAPI32.dll
0x5CD70000 - 0x5CD77000 C:\WINDOWS\system32\serwvdrv.dll
0x5D090000 - 0x5D127000 C:\WINDOWS\system32\COMCTL32.dll
0x5ED00000 - 0x5EDCC000 C:\WINDOWS\system32\OPENGL32.dll
0x605D0000 - 0x605D9000 C:\WINDOWS\system32\mslbui.dll
0x66000000 - 0x660A1000 C:\Program Files\AlienGUIse\WBlind.dll
0x662B0000 - 0x66308000 C:\WINDOWS\system32\hnetcfg.dll
0x66500000 - 0x6650A000 C:\WINDOWS\system32\wbsys.dll
0x66600000 - 0x66617000 C:\Program Files\AlienGUIse\wbhelp.dll
0x68B20000 - 0x68B40000 C:\WINDOWS\system32\GLU32.dll
0x6D990000 - 0x6D996000 C:\WINDOWS\system32\d3d8thk.dll
0x71A50000 - 0x71A8F000 C:\WINDOWS\system32\mswsock.dll
0x71A90000 - 0x71A98000 C:\WINDOWS\System32\wshtcpip.dll
0x71AA0000 - 0x71AA8000 C:\WINDOWS\system32\WS2HELP.dll
0x71AB0000 - 0x71AC7000 C:\WINDOWS\system32\WS2_32.dll
0x71AD0000 - 0x71AD9000 C:\WINDOWS\system32\WSOCK32.dll
0x71BF0000 - 0x71C03000 C:\WINDOWS\system32\SAMLIB.dll
0x722B0000 - 0x722B5000 C:\WINDOWS\system32\sensapi.dll
0x72D10000 - 0x72D18000 C:\WINDOWS\system32\msacm32.drv
0x72D20000 - 0x72D29000 C:\WINDOWS\system32\wdmaud.drv
0x73760000 - 0x737A9000 C:\WINDOWS\system32\DDRAW.dll
0x73BC0000 - 0x73BC6000 C:\WINDOWS\system32\DCIMAN32.dll
0x73EE0000 - 0x73EE4000 C:\WINDOWS\system32\KsUser.dll
0x73F10000 - 0x73F6C000 C:\WINDOWS\system32\dsound.dll
0x74720000 - 0x7476B000 C:\WINDOWS\system32\MSCTF.dll
0x76380000 - 0x76385000 C:\WINDOWS\system32\msimg32.dll
0x76390000 - 0x763AD000 C:\WINDOWS\system32\IMM32.dll
0x769C0000 - 0x76A73000 C:\WINDOWS\system32\USERENV.dll
0x76B40000 - 0x76B6D000 C:\WINDOWS\system32\WINMM.dll
0x76C30000 - 0x76C5E000 C:\WINDOWS\system32\WINTRUST.dll
0x76C90000 - 0x76CB8000 C:\WINDOWS\system32\IMAGEHLP.dll
0x76D60000 - 0x76D79000 C:\WINDOWS\system32\iphlpapi.dll
0x76E80000 - 0x76E8E000 C:\WINDOWS\system32\rtutils.dll
0x76E90000 - 0x76EA2000 C:\WINDOWS\system32\rasman.dll
0x76EB0000 - 0x76EDF000 C:\WINDOWS\system32\TAPI32.dll
0x76EE0000 - 0x76F1C000 C:\WINDOWS\system32\RASAPI32.DLL
0x76F20000 - 0x76F47000 C:\WINDOWS\system32\DNSAPI.dll
0x76F60000 - 0x76F8C000 C:\WINDOWS\system32\WLDAP32.dll
0x76FB0000 - 0x76FB8000 C:\WINDOWS\System32\winrnr.dll
0x76FC0000 - 0x76FC6000 C:\WINDOWS\system32\rasadhlp.dll
0x77120000 - 0x771AC000 C:\WINDOWS\system32\OLEAUT32.dll
0x771B0000 - 0x77256000 C:\WINDOWS\system32\WININET.dll
0x77260000 - 0x772FF000 C:\WINDOWS\system32\urlmon.dll
0x773D0000 - 0x774D2000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
0x774E0000 - 0x7761D000 C:\WINDOWS\system32\ole32.dll
0x77690000 - 0x776B1000 C:\WINDOWS\system32\NTMARTA.DLL
0x77A80000 - 0x77B14000 C:\WINDOWS\system32\CRYPT32.dll
0x77B20000 - 0x77B32000 C:\WINDOWS\system32\MSASN1.dll
0x77BD0000 - 0x77BD7000 C:\WINDOWS\system32\midimap.dll
0x77BE0000 - 0x77BF5000 C:\WINDOWS\system32\MSACM32.dll
0x77C00000 - 0x77C08000 C:\WINDOWS\system32\VERSION.dll
0x77C10000 - 0x77C68000 C:\WINDOWS\system32\MSVCRT.dll
0x77C70000 - 0x77C93000 C:\WINDOWS\system32\msv1_0.dll
0x77D40000 - 0x77DD0000 C:\WINDOWS\system32\USER32.dll
0x77DD0000 - 0x77E6B000 C:\WINDOWS\system32\ADVAPI32.dll
0x77E70000 - 0x77F01000 C:\WINDOWS\system32\RPCRT4.dll
0x77F10000 - 0x77F57000 C:\WINDOWS\system32\GDI32.dll
0x77F60000 - 0x77FD6000 C:\WINDOWS\system32\SHLWAPI.dll
0x77FE0000 - 0x77FF1000 C:\WINDOWS\system32\Secur32.dll
0x7C800000 - 0x7C8F4000 C:\WINDOWS\system32\kernel32.dll
0x7C900000 - 0x7C9B0000 C:\WINDOWS\system32\ntdll.dll
0x7C9C0000 - 0x7D1D5000 C:\WINDOWS\system32\SHELL32.dll


----------------------------------------
Memory Dump
----------------------------------------

Code: 16 bytes starting at (EIP = 7C93426D)

7C93426D: 8B 00 3B 42 04 0F 85 13 01 00 00 3B C1 0F 85 0B ..;B.......;....


Stack: 1024 bytes starting at (ESP = 0957F5CC)

* = addr ** *
0957F5C0: 00 00 4A 08 10 00 00 00 08 01 00 00 FC FA 57 09 ..J...........W.
(snip -- I can provide all of this if it's helpful)
0957F9C0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................


------------------------------------------------------------------------------

======================================================================
Hardware/Driver Information:
Processor: 0x0
Page Size: 4096
Min App Address: 0x10000
Max App Address: 0x7ffeffff
Processor Mask: 0x3
Number of Processors: 2
Processor Type: 586
Allocation Granularity: 65536
Processor Level: 15
Processor Revision: 772

Percent memory used: 40
Total physical memory: 2145550336
Free Memory: 1266098176
Page file: -1
Total virtual memory: 2147352576

Edited by wbryant, 20 December 2005 - 10:41 PM.
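
An added example, not part of the original posts: one way to triage a crash report in the layout quoted above is to resolve the faulting address to a loaded module and offset, and to check which register held the pointer that could not be read. The sample report is a constructed, trimmed copy of that layout; the function names and the "outside the Windows directory" filter are assumptions made for this illustration.

```python
import re

# Constructed sample: a trimmed copy of the crash-report layout quoted in the post
# (fault line, register dump, a few rows of the "Loaded Modules" table).
SAMPLE_REPORT = r"""
Exception: 0xC0000005 (ACCESS_VIOLATION) at 001B:7C93426D

The instruction at "0x7C93426D" referenced memory at "0x00080008".
The memory could not be "read".

EAX=00080008 EBX=000003CF ECX=01B022A0 EDX=00000000 ESI=01B003D8
EDI=01B00420 EBP=0957F7EC ESP=0957F5CC EIP=7C93426D FLG=00010246

0x00400000 - 0x00C72000 C:\Program Files\World of Warcraft\WoW.exe
0x66000000 - 0x660A1000 C:\Program Files\AlienGUIse\WBlind.dll
0x7C800000 - 0x7C8F4000 C:\WINDOWS\system32\kernel32.dll
0x7C900000 - 0x7C9B0000 C:\WINDOWS\system32\ntdll.dll
"""

# "Min App Address" from the report's hardware section: nothing below it is
# ever a valid user-mode address on this system.
MIN_APP_ADDRESS = 0x10000

FAULT_RE = re.compile(
    r'instruction at "0x([0-9A-Fa-f]+)" referenced memory at "0x([0-9A-Fa-f]+)"'
    r'.*?could not be "(\w+)"', re.S)
REG_RE = re.compile(r'\b([A-Z]{2,3})\s*=\s*([0-9A-Fa-f]{4,8})\b')
MODULE_RE = re.compile(r'^0x([0-9A-Fa-f]{8}) - 0x([0-9A-Fa-f]{8}) (.+)$', re.M)


def parse_report(text):
    """Extract the fault line, register values and module ranges."""
    m = FAULT_RE.search(text)
    if m is None:
        raise ValueError("no access-violation line found")
    return {
        "eip": int(m.group(1), 16),
        "target": int(m.group(2), 16),
        "access": m.group(3),
        "registers": {n: int(v, 16) for n, v in REG_RE.findall(text)},
        "modules": [(int(s, 16), int(e, 16), p.strip())
                    for s, e, p in MODULE_RE.findall(text)],
    }


def locate(addr, modules):
    """Return (module path, offset from module base) or None if unmapped."""
    for start, end, path in modules:
        if start <= addr < end:
            return path, addr - start
    return None


def triage(text):
    r = parse_report(text)
    hit = locate(r["eip"], r["modules"])
    # Registers whose value equals the unreadable address: the bad pointer
    # was loaded into one of these before the faulting instruction ran.
    pointer_regs = [n for n, v in r["registers"].items()
                    if v == r["target"] and n not in ("EIP", "FLG")]
    # Heuristic (assumption): DLLs loaded from outside C:\WINDOWS are
    # third-party code sharing the process and worth listing for review.
    outside = [p for _, _, p in r["modules"]
               if not p.lower().startswith("c:\\windows\\")
               and not p.lower().endswith(".exe")]
    return {
        "module": hit[0] if hit else None,
        "offset": hit[1] if hit else None,
        "access": r["access"],
        "pointer_registers": pointer_regs,
        # True means a near-null dereference (null pointer plus field offset).
        "below_min_app_address": r["target"] < MIN_APP_ADDRESS,
        "non_windows_modules": outside,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
    # The address from the first post's error dialog, resolved against the same
    # table (assumption: ntdll.dll sits at the same base in that process).
    mods = parse_report(SAMPLE_REPORT)["modules"]
    print(locate(0x7C911F6C, mods))
```
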


#6 nasdaq

Posted 21 December 2005 - 09:42 AM

The error is always at the same address. That could possibly mean that you have some bad RAM.

Check your version of the ntdll.dll file against Microsoft's database. Make sure you have the proper version for your system.
http://support.micro...l&S=1&x=10&y=12

Download the latest HijackThis version from this site, the program will install in a good and viable location on your hard disk.
http://www.merijn.or...ackthis_sfx.exe

Then remove the previous version.

Submit a fresh HijackThis log for review.
nasdaq

#7 wbryant

Posted 21 December 2005 - 12:17 PM

I seem to have 5.1.2600.2180 of ntdll.dll, which appears to be right for XP Pro SP2.

I did run the MS memtest overnight in extended range mode without any errors. Can you think of another way I might 'expose' the problem if it's one of the sticks of RAM?

Thanks, nasdaq, for all the help. I know this doesn't seem to be a case of malware, adware or spyware, so I fear I might have strayed outside the scope of SpywareInfo -- but I do greatly and genuinely appreciate the assistance, as this error has been driving me mad.

What follows is the new HJT output as directed;

Hijackthis v1.99.1
Logfile of HijackThis v1.99.1
Scan saved at 1:49:51 PM, on 12/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\stunnel\stunnel.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Venturi2\Client\ventc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Venturi2\Configurator\ventcfg.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Gaim\gaim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG511U Configuration Utility\wlancfgu.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\KeirNet\K9\K9.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Venturi Configurator] C:\Program Files\Venturi2\Configurator\ventcfg.exe
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [Gaim] C:\Program Files\Gaim\gaim.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: Launch K9.lnk = C:\Program Files\KeirNet\K9\K9.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR WG511U Smart Wizard.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {53B8B406-42E4-4DD3-96E7-9DEC8CEB3DD8} (ICQVideoControl Class) - http://xtraz.icq.com/xtraz/activex/ICQVideoControl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130794550687
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.7) - http://dcon.futuremark.com/global/msc37.cab
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: stunnel - Unknown owner - C:\Program Files\stunnel\stunnel.exe" -service -install (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Venturi2 Client (Venturi2) - Venturi Wireless - C:\Program Files\Venturi2\Client\ventc.exe

Edited by wbryant, 22 December 2005 - 09:37 PM.


#8 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,347 posts

Posted 21 December 2005 - 02:41 PM

The cause may also be non-compatibility with other programs.
When you play World of Warcraft, disable some other running processes one at a time.
That may give you some clues and identify the culprit.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#9 wbryant

Posted 21 December 2005 - 06:08 PM

The cause may also be non-compatibility with other programs.
When you play World of Warcraft, disable some other running processes one at a time.
That may give you some clues and identify the culprit.


Safe to assume I'm otherwise clean now though? Just want to make sure it's time to move on to existing software and hardware issues. :(

Windows Media Connect installed .NET, I'm wondering if there was something in there the system is unhappy with. The error has now basically impacted every single piece of software I'm running on the machine. Nothing seems to be totally safe from it. I don't know (at all) how RAM works, but is it possible that the one 'address' on a single chip is bad, and any program that tries to make use of that chokes? Doesn't make a lot of theoretical sense, I suppose, otherwise the memtest would have exposed that.

Thanks again for all the help, nas.

#10 nasdaq

Posted 22 December 2005 - 09:22 AM

Before closing out let me see both of these results.

Download Silent Runners - http://www.silentrun....org/index.html
Place it in its own folder.
Double-click "Silent Runners.vbs", it will create a text file.
Note: if you get a pop-up warning about a "script" file, ignore and allow it to run completely.
Post the content of the text file back to this thread.

  • Please download dllcompare (a scanner to locate hidden DLL files) from this location:
  • When you execute dllcompare.exe, by default the c:\windows\system32 is selected. This can be changed to scan your entire computer for any file type - Simply select the path and check off the box labelled "Include SubDirectories"
  • Click on "Locate.com" and allow the scan to complete.
  • After the scan has finished click on "Compare" to scan for the files that Windows does not see. This step will take a few minutes to run.
  • If the box at the bottom of the screen contains any files, these are the ones that are hidden - Click on "Make a Log of what was Found".
  • When prompted to "View Log File" click on "Yes".
  • Notepad will open with the log file contents.
  • In Notepad, click on "Edit" => "Select All" => "Edit" => "Copy" and post the contents as a reply to this message.


#11 wbryant

Posted 22 December 2005 - 08:12 PM

Had the error several times today, I have noticed that the function and address have changed. Last time it was 0x7c911f6c at 0x00343033. So it's not one location, which is just more confusing.

The results you requested follow;

Silent Runners:
"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Steam" = (empty string)
"Eraser" = "C:\Program Files\Eraser\eraser.exe -hide" ["-"]
"Gaim" = "C:\Program Files\Gaim\gaim.exe" [null data]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"NBJ" = ""C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"" ["Ahead Software AG"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"AlcWzrd" = "ALCWZRD.EXE" ["RealTek Semicoductor Corp."]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" ["Sun Microsystems, Inc."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]
"Venturi Configurator" = "C:\Program Files\Venturi2\Configurator\ventcfg.exe" ["Venturi Wireless"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
"{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Ahead\InCD\incdshx.dll" ["Ahead Software AG"]
"{8BE13461-936F-11D1-A87D-444553540000}" = "Eraser Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Eraser\erasext.dll" ["-"]
"{C24F2651-31E7-4213-B14A-00420304F10B}" = "SecExMD5+"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SecExMD5\SecexMD5Shell.dll" [empty string]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{32A9D769-5B55-4a25-9A62-86B5683FE50A}" = "NikonView Drop Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Nikon\NkView6\NkvDropExt.dll" ["Nikon Corporation"]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ICQLite\ICQLiteShell.dll" [empty string]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\OLKFSTUB.DLL" [MS]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "AppInit_DLLs" = "wbsys.dll" ["Stardock.Net, Inc"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! WB\DLLName = "C:\Program Files\AlienGUIse\fastload.dll" ["Stardock"]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zipn.dll" ["Igor Pavlov"]
Erasext\(Default) = "{8BE13461-936F-11D1-A87D-444553540000}"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Eraser\erasext.dll" ["-"]
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ICQLite\ICQLiteShell.dll" [empty string]
SecExMD5+\(Default) = "{C24F2651-31E7-4213-B14A-00420304F10B}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SecExMD5\SecexMD5Shell.dll" [empty string]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
UltraEdit-32\(Default) = "{b5eedee0-c06e-11cf-8c56-444553540000}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\UltraEdit\ue32ctmn.dll" [empty string]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zipn.dll" ["Igor Pavlov"]
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ICQLite\ICQLiteShell.dll" [empty string]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zipn.dll" ["Igor Pavlov"]
Erasext\(Default) = "{8BE13461-936F-11D1-A87D-444553540000}"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Eraser\erasext.dll" ["-"]
SecExMD5+\(Default) = "{C24F2651-31E7-4213-B14A-00420304F10B}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SecExMD5\SecexMD5Shell.dll" [empty string]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Will\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Startup items in "Will" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\Will\Start Menu\Programs\Startup
"Launch K9" -> shortcut to: "C:\Program Files\KeirNet\K9\K9.exe" ["KeirNet"]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"NETGEAR WG511U Smart Wizard" -> shortcut to: "C:\Program Files\NETGEAR\WG511U Configuration Utility\wlancfgu.exe" ["NETGEAR"]
"NkvMon.exe" -> shortcut to: "C:\Program Files\Nikon\NkView6\NkvMon.exe" ["Nikon Corporation"]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer - Will" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
vlsp.dll ["Venturi Wireless"], 01 - 17, 36 - 37
%SystemRoot%\system32\mswsock.dll [MS], 18 - 21, 24 - 35
%SystemRoot%\system32\rsvpsp.dll [MS], 22 - 23


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Explorer Bars

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\ = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]

{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "C:\Program Files\ICQLite\ICQLite.exe" ["ICQ Ltd."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ewido security suite control, ewido security suite control, "C:\Program Files\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]
HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}
InCD Helper, InCDsrv, "C:\Program Files\Ahead\InCD\InCDsrv.exe" ["Ahead Software AG"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
Norton AntiVirus Auto-Protect Service, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Norton AntiVirus Firewall Monitor Service, NPFMntor, ""C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe"" ["Symantec Corporation"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
SmartLinkService, SLService, "slserv.exe" [" "]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, ""C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, ""C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe"" ["Symantec Corporation"]
Venturi2 Client, Venturi2, "C:\Program Files\Venturi2\Client\ventc.exe" ["Venturi Wireless"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 76 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
  took 8 seconds.
---------- (total run time: 118 seconds)


DLLCompare:
*	DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :)"
________________________________________________

6,496 items found:  6,495 files, 1 directory.
Total of file sizes:  1,992,569,644 bytes	  1.86 G

Administrator Account =  True

AppInit_DLLs value = wbsys.dll (not hidden)
--------------------End log---------------------

Thanks again.

#12 nasdaq

Posted 22 December 2005 - 08:49 PM

The Saga continues.

Please download RootKitRevealer from here:
http://www.sysintern...kitrevealer.zip
Unzip it to the desktop, run it, and click Scan. This will generate a log file; please post the entire contents of the log file here for me to see.

P.S. Other than the BSOB, do you get any other text error messages?

#13 wbryant

Posted 22 December 2005 - 09:29 PM

P.S. Other than the BSOB, do you get any other text error messages?


Nope, no other messages whatsoever. This stated problem aside, I have zero issues with the machine.

I've been running without different processes, in the hopes that might reveal the culprit, but so far, nothing has made a difference. In Firefox, it seems to happen most often when I'm filling out a form, but that could be completely coincidental.

RootkitRevealer:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Paragon Poker Pal	12/15/2005 6:15 AM	0 bytes	Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Paragon Poker Pal	12/12/2005 10:49 PM	0 bytes	Key name contains embedded nulls (*)
C:\Documents and Settings\Will\Application Data\K9\Emails\Recent\49C9858C.kml	12/22/2005 10:34 PM	2.53 KB	Hidden from Windows API.
C:\Documents and Settings\Will\Application Data\K9\Emails\Recent\BD0F7C8B.kml	12/20/2005 10:45 PM	7.35 KB	Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Will\Application Data\K9\Emails\Recent\D69D3B43.kml	12/20/2005 10:25 PM	2.03 KB	Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Will\Application Data\K9\Emails\Spam\BD0F7C8B.kml	12/22/2005 10:50 PM	7.35 KB	Hidden from Windows API.
C:\Documents and Settings\Will\Application Data\K9\Emails\Spam\D69D3B43.kml	12/22/2005 10:33 PM	2.03 KB	Hidden from Windows API.
C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\iqolyzfk.default\FlashGot.exe	12/22/2005 9:15 PM	96.00 KB	Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\iqolyzfk.default\parent.lock	12/22/2005 9:15 PM	0 bytes	Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Will\Local Settings\Application Data\Mozilla\Firefox\Profiles\iqolyzfk.default\Cache\02100748d01	12/22/2005 10:45 PM	43.23 KB	Hidden from Windows API.
C:\Documents and Settings\Will\Local Settings\Application Data\Mozilla\Firefox\Profiles\iqolyzfk.default\Cache\148810E2d01	12/22/2005 9:15 PM	82.84 KB	Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Will\Local Settings\Application Data\Mozilla\Firefox\Profiles\iqolyzfk.default\Cache\24F8DD49d01	12/22/2005 10:44 PM	16.00 KB	Hidden from Windows API.
C:\Documents and Settings\Will\Local Settings\Application Data\Mozilla\Firefox\Profiles\iqolyzfk.default\Cache\36B054C9d01	12/22/2005 10:34 PM	26.63 KB	Hidden from Windows API.
C:\Documents and Settings\Will\Local Settings\Application Data\Mozilla\Firefox\Profiles\iqolyzfk.default\Cache\43D00B09d01	12/22/2005 10:40 PM	29.57 KB	Hidden from Windows API.
C:\Documents and Settings\Will\Local Settings\Application Data\Mozilla\Firefox\Profiles\iqolyzfk.default\Cache\5B5054B1d01	12/22/2005 10:35 PM	26.19 KB	Hidden from Windows API.
C:\Documents and Settings\Will\Local Settings\Application Data\Mozilla\Firefox\Profiles\iqolyzfk.default\Cache\82C48A15d01	12/22/2005 10:46 PM	178.08 KB	Hidden from Windows API.
C:\Documents and Settings\Will\Local Settings\Application Data\Mozilla\Firefox\Profiles\iqolyzfk.default\Cache\86C054B1d01	12/22/2005 10:37 PM	27.42 KB	Hidden from Windows API.
C:\Documents and Settings\Will\Local Settings\Application Data\Mozilla\Firefox\Profiles\iqolyzfk.default\Cache\C2BEF543d01	12/22/2005 10:46 PM	59.08 KB	Hidden from Windows API.
C:\Documents and Settings\Will\Local Settings\Application Data\Mozilla\Firefox\Profiles\iqolyzfk.default\Cache\E3B87318d01	12/22/2005 10:37 PM	33.72 KB	Hidden from Windows API.
C:\Documents and Settings\Will\Local Settings\Application Data\Mozilla\Firefox\Profiles\iqolyzfk.default\Cache\EF71FE13d01	12/22/2005 10:40 PM	16.23 KB	Hidden from Windows API.
C:\Documents and Settings\Will\Local Settings\Application Data\Mozilla\Firefox\Profiles\iqolyzfk.default\Cache\FFE13C6Dd01	12/22/2005 10:46 PM	124.69 KB	Hidden from Windows API.
C:\Documents and Settings\Will\Local Settings\Temp\flashgot.iqolyzfk.default	12/22/2005 9:15 PM	0 bytes	Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Will\Local Settings\Temp\flashgot.iqolyzfk.default\FlashGot.exe.test	12/22/2005 9:15 PM	973 bytes	Visible in Windows API, but not in MFT or directory index.

Edited by wbryant, 22 December 2005 - 09:56 PM.
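
A triage sketch for RootkitRevealer output like the log in the post above, added here as an example; it is not part of the thread or of the Sysinternals tool. It relies on the fact that files created or deleted while the scan runs are reported as discrepancies, and it assumes the tab-separated export layout; the churn-prone directory markers, the two-hour window and the sample records are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed records in RootkitRevealer's tab-separated layout
# (path, timestamp, size, description). All paths are placeholders.
SAMPLE_LOG = "\n".join([
    "HKLM\\SOFTWARE\\Example\\Uninstall\\SomeApp\t12/15/2005 6:15 AM\t0 bytes\t"
    "Key name contains embedded nulls (*)",
    "C:\\Documents and Settings\\User\\Local Settings\\Application Data\\Mozilla\\"
    "Firefox\\Profiles\\abc.default\\Cache\\0A1B2C3Dd01\t12/22/2005 10:45 PM\t"
    "43.23 KB\tHidden from Windows API.",
    "C:\\Documents and Settings\\User\\Local Settings\\Temp\\job.tmp\t"
    "12/22/2005 9:15 PM\t0 bytes\t"
    "Visible in Windows API, but not in MFT or directory index.",
    "C:\\Documents and Settings\\User\\Local Settings\\Temp\\old.bin\t"
    "11/01/2005 3:00 AM\t8.00 KB\tHidden from Windows API.",
    "C:\\WINDOWS\\system32\\drivers\\example.sys\t12/01/2005 1:00 AM\t"
    "12.00 KB\tHidden from Windows API.",
    "this line is not a RootkitRevealer record",
])

# Assumption: directories whose contents change constantly, so a file may
# appear or vanish between the API pass and the raw-disk pass of one scan.
VOLATILE_MARKERS = ("\\cache\\", "\\temp\\", "\\temporary internet files\\")
REGISTRY_ROOTS = ("hklm\\", "hkcu\\", "hku\\", "hkcr\\")


def parse_record(line):
    """Split one log line into its four fields; return None if malformed."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != 4:
        return None
    path, stamp, size, desc = (p.strip() for p in parts)
    try:
        when = datetime.strptime(stamp, "%m/%d/%Y %I:%M %p")
    except ValueError:
        return None
    return {"path": path, "when": when, "size": size, "desc": desc}


def classify(rec, scan_time, window=timedelta(hours=2)):
    """Sort a discrepancy into a review bucket (a priority, not a verdict)."""
    path = rec["path"].lower()
    if path.startswith(REGISTRY_ROOTS):
        # Registry discrepancies are not explained by file churn:
        # check which installed product owns the key.
        return "review-registry"
    volatile = any(marker in path for marker in VOLATILE_MARKERS)
    recent = abs(scan_time - rec["when"]) <= window
    # Only a churn-prone location AND a timestamp near the scan counts as
    # churn; a stale hidden file in Temp, or anything in a system
    # directory, stays on the review list.
    return "likely-churn" if volatile and recent else "review-file"


def triage(log_text, scan_time):
    """Group every record of a log by bucket and count unparseable lines."""
    result = {"likely-churn": [], "review-file": [],
              "review-registry": [], "unparsed": 0}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec is None:
            result["unparsed"] += 1
            continue
        result[classify(rec, scan_time)].append(rec["path"])
    return result


if __name__ == "__main__":
    # Constructed scan time, shortly after the newest sample timestamp.
    report = triage(SAMPLE_LOG, datetime(2005, 12, 22, 23, 0))
    for bucket in ("review-registry", "review-file", "likely-churn"):
        print(bucket)
        for item in report[bucket]:
            print("   ", item)
    print("unparsed lines:", report["unparsed"])
```

Entries left in the review buckets are the ones to check against installed software by hand; rerunning the scan with the browser and mail client closed shrinks the churn bucket.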


#14 nasdaq

Posted 23 December 2005 - 06:20 AM

Nothing suspicious in that rootkit.

I suggest you clear all FF cache (tools>options>privacy>Clear ALL!)
Reboot and see if the problem is reproduced.

Try this tool. It will free your cache from the RAM much faster than the present operating system. Fingers crossed.
FreeRAM XP Pro http://www.yourwaresolutions.com/

#15 wbryant

Posted 23 December 2005 - 12:28 PM

Nothing suspicious in that rootkit.

I suggest you clear all FF cache (tools>options>privacy>Clear ALL!)
Reboot and see if the problem is reproduced.

Try this tool. It will free your cache from the RAM much faster than the present operating system. Fingers crossed.
FreeRAM XP Pro http://www.yourwaresolutions.com/


Sadly, it's still happening. Different addresses each time. Different programs. :( So confused.

#16 nasdaq

Posted 23 December 2005 - 02:24 PM

I have referred your case to our Experts.

Will get back to you.

Edited by nasdaq, 24 December 2005 - 08:09 AM.


#17 wbryant

Posted 23 December 2005 - 08:44 PM

I have referred your case to our Experts.

Will get back to you.


Really appreciate all the time, nasdaq.

#18 nasdaq

Posted 24 December 2005 - 09:28 AM

From one of our respected experts.

My bet would be a full hard drive test, using the manufacturer's tools.


You will need to know the Manufacturer's name and see if they have a tool to scan their product.

#19 wbryant

Posted 24 December 2005 - 09:43 AM

Trying to find utilities now.

Here's what's in the machine, fyi:

Promise 2+0 Stripe/RAID0 SCSI Disk Device
Model: Promise 2+0 Stripe/RAID0 SCSI Disk Device
Size: 120GB
Total Heads: 255
Total Cylinders: 14591
Total Tracks: 3720705
Tracks Per Cylinder: 255
--
WinXP Promise FastTrak 378 ™ Controller
WinXP Primise RAID Console SCSI Processor Device

-edit1-

On http://www.promise.com now, and not finding anything. In fact, can't even find mention of the FastTrak 378 yet. I realize that's the controller but not the HDD, but not seeing model info on that. Their website is poor.

Still looking though. I might have to call Alienware to see if they have anything.

-edit2-
Apparently Promise doesn't provide support for OEM products. Alienware offers the following;

Hitachi Drive Fitness Test
This utility creates a self-booting DOS diskette to run the DFT utility. The Drive Fitness Test (DFT) provides a quick, reliable method to test SCSI and IDE hard disk drives, including Serial-ATA IDE drives.

Seagate SeaTools Desktop Edition
SeaTools Desktop Edition features:
Creates self-booting diskette
Data safe tests
Tests most ATA and SCSI drives
Creates a log of results
Error code explanations available on Seagate Web site
Examines file structure analysis

Western Digital Data Lifeguard Diagnostic
The Data Lifeguard Diagnostic Tools are used primarily for determining the physical condition of your hard drive. If you are having computer problems which you suspect are hard drive related, you can test your drive with this tool. This version creates a bootable diskette.


Not sure if any of those are appropriate given it's a laptop, but all seem to support other manufacturers/"most" drives.

I'm going to wait for guidance from you all (in case there's a better test to run somewhere) before doing anything.

Edited by wbryant, 24 December 2005 - 10:04 AM.


#20 nasdaq

Posted 24 December 2005 - 02:56 PM

Information submitted to the Experts.

#21 nasdaq

Posted 25 December 2005 - 08:17 AM

I'm not a hardware person. Here is what I got from the same source.
Hope you can make out what he says.

> It's a laptop with SCSI? weird.. He may want to check bios if he is savvy enough to be sure.. My bet it's ide, not enough room in a lappie to do raid.. But anyway.. if he is not sure what drive (maybe if he watches post screen it may say). Throw the hitachi at it and see what happens.


#22 wbryant

Posted 26 December 2005 - 01:25 AM

> I'm not a hardware person. Here is what I got from the same source.
> Hope you can make out what he says.
>
> > It's a laptop with SCSI? weird.. He may want to check bios if he is savvy enough to be sure.. My bet it's ide, not enough room in a lappie to do raid.. But anyway.. if he is not sure what drive (maybe if he watches post screen it may say). Throw the hitachi at it and see what happens.


Yeah, raid in a laptop, it's something of a mobile desktop really. 17" screen, full sized keyboard with numpad, two optical drives, two HDDs, 2gb ram, etc.

http://www.alienware...ode=SKU-DEFAULT

It's RAID 0, the drives are OEM, made by Promise, who also made the SCSI controller. I'll d/l and run the Hitachi scanner like he said and see what happens.

Who knows, RAID 0 itself could be part of the problem. My understanding is it's not incredibly reliable, I might have to figure out how to switch it to RAID 1. I'm not a hardware (or software) type myself though.

Will post the Hitachi results tomorrow.

Edited by wbryant, 26 December 2005 - 01:28 AM.


#23 wbryant

Posted 26 December 2005 - 09:10 PM

Unfortunately, the Hitachi program looks for specific Adaptec SCSI controllers, and ultimately fails to recognize the drives. So I can't use that to scan. I tried one of the others, with the same results.

Is there a generic-type scanner I might find somewhere that would do this? Are there specific issues with the drives/SCSI controller that we're looking for, that I could call Alienware and ask about? Their tech support isn't something I look forward to dealing with (at all), but if it's a hardware problem, not sure what my alternatives are.

Probably pointless, but I defragged the drives with the XP system utilities (they weren't bad at all), and that didn't expose any errors.

Edited by wbryant, 26 December 2005 - 09:15 PM.


#24 nasdaq

Posted 27 December 2005 - 07:01 AM

> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
> INFECTION WARNING! "AppInit_DLLs" = "wbsys.dll" ["Stardock.Net, Inc"]

I went back to all of what we did and found this.

sbsys.dll is good; it belongs to Windows Blinds, an application by Stardock.net.
http://www.stardock....s/windowblinds/

Are you still using this, as I do not see it in any of your logs?

=*=

> Is there a generic-type scanner

I do not think so; they are very hardware specific. I would be very suspicious if another scanner found something; what if it's a false positive...

=*=

Do you know about Google's groups?
http://groups.google...378&qt_s=Search

This group searches the various forums; you may find it interesting.

#25 wbryant

Posted 27 December 2005 - 02:03 PM

> I went back to all of what we did and found this.
>
> sbsys.dll is good; it belongs to Windows Blinds, an application by Stardock.net.
> http://www.stardock....s/windowblinds/
>
> Are you still using this, as I do not see it in any of your logs?


I'm using AlienGUIse, which (I believe) is just their version of Stardock's Windows Blinds.

I'll check Google groups for HDD scanner info.

#26 nasdaq

Posted 29 December 2005 - 07:28 AM

More feedback from the experts.

I am not aware of any "generic" scanners but the user can download Belarc Advisor and it will tell him the make, model, serial number, etc., for his hard drive. Then he can go to the manufacturer's website to check for available utilities.

URL for Belarc, http://www.belarc.co...e_download.html

Bart's Stuff Test for hard drives: http://www.nu2.nu/bst/

Memory test: http://www.memtest.org/

Run both of the last two links.
=====

#27 wbryant

Posted 31 December 2005 - 05:00 PM

Will do, should have results tomorrow. Going to let memtest run a lot of passes.


> More feedback from the experts.
>
> I am not aware of any "generic" scanners but the user can download Belarc Advisor and it will tell him the make, model, serial number, etc., for his hard drive. Then he can go to the manufacturer's website to check for available utilities.
>
> URL for Belarc, http://www.belarc.co...e_download.html
>
> Bart's Stuff Test for hard drives: http://www.nu2.nu/bst/
>
> Memory test: http://www.memtest.org/
>
> Run both of the last two links.
> =====



#28 nasdaq

Posted 14 January 2006 - 08:05 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
an email with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.