nicdonati

When i first got my computer and when i first used to turn it on after like 5-10 mins i used to get a flash of this blue screen if ever i ran a demanding program or multiple programmes (like a game or multitasking). However after the first crash it never used to happen again while the computer was "warm" so to say, it only ever happened the first time i booted it up after not using it for a while (say overnight). So i just got used to this problem and i figured out how to manage it! Anyways recently my computer got infected with some virus which you friend dorts has been helping me sort out (Suspected Virus/trojan/worm)

Since the virus has been got of rid of i am getting more frequently these blue screens and now they stay up for more than just a second infact at the bottom it says dumping physical memory and that counts up to 100 before it restarts so i have plenty of time to read what it says. and it goes something along the lines of

A problem has been detected and windows has been shut down to prevent damge to your computer.

Then there is the error which has been either Driver_IRQL_NOT_LESS_OR_EQUAL
or
BAD_POOL_ERROR

then there is some stuff about recently installed hardware (which i havent done) and then some tech info which says:

***STOP: 0x0000008E (then some more stuff it has changed each time but lots of 0's)

And the last time it had this message at the bottom

d347bus.sys -Address F86C4F47 base at F863000, date stamp 4128a0ld.

Now there was a stage about when i wasnt getting these messages at all, the computer wasnt crashing with a blue screen at all. It would just switch off and reboot, i thought this probably had something to do with cooling so i opened up the laptop and there was like an inch of dust around the copper cooler since removing that i have not had the problem with the computer just restarting, infact i wasnt having any problems until we did this major cleanup of my system due to the virus and now these blue screens have returned. I thought i would give you all the background, any ideas as to what is going on?

nicdonati

I am using Windows XP Sp1 ( i was gonna update but i thought i would try and sort this out first).

Geekgirl

Lets test some hardware for failure. First test your memory, then your video and then your harddrive.

Try Windows Memory Diagnostic Test
http://oca.microsoft.com/en/windiag.asp


The Windows Memory Diagnostic tests the Random Access Memory (RAM) on your computer for errors. The diagnostic includes a comprehensive set of memory tests. If you are experiencing problems while running Windows, you can use the diagnostic to determine whether the problems are caused by failing hardware, such as RAM or the memory system of your motherboard. Windows Memory Diagnostic is designed to be easy and fast. On most configurations, you can download the diagnostic, read the documentation, run the test and complete the first test pass in less than 30 minutes.


Or you can try memtest



Try the Video Card Stability Test

The test heats up the processor of a video card if in 10-30 minutes the video card does not hang and there are no artefacts, everything is all right.


Find the manufacturer of your hard drive and run their Hard Drive Diagnostics Utility.

nicdonati

The memory diagnostics check gave the all clear. I ran the Video stability thingy for more than 30 mins with no problems and it reported a 285 benchmark for an ATI Mobility Radeon 9000. So that all seems ok. I am having some problems with the diagnostics programmes for the hard drive. I have a fujitsu mht2060at, that is what it says when i go to the hard drive and right click on properties. But i cant work either of the diagnostic tools.

I ran the Fujitsu ATA hard disk drive diagnostic tool version 6.30 and get this message
---------------------WARNING------------------------
No hard Disk Drive has been identified in your system.
The following are the possible causes:
-HDD POWER CABLE IS NOT PROPOERLY ATTACHED
-HDD INTERFACE CABLE IS NOT PROPERLY ATTACHED TO THE HDD
-HDD MASTER-SLAVE SETTING IS INCORRECT

Please powerdown your PC system, chack the above items, and then restart the program. If after checking the possible causes, the problem persists, it is possible the HDD itself is faulty

My HDD is internal and seems to be working fine so i dont think it is anything to do with the cable! i dont know what the master-slave system is or how to check it.

I then tried to run the SDIAG extended edtion but i get an error message when i open it up which says

ASPI, LoadlibraryEx(wnaspi32) Failed!!

And then it closes the program.

Any ideas???

dorts

Try this:

Go to Start > Run and type in

sfc /scannow

Note there IS a space after "sfc".

This command will immediately initiate the Windows File Protection service to scan all protected files and verify their integrity, replacing any files with which it finds a problem. You may need your Windows disk.

nicdonati

I did that sfc /scanner and it did its thing. However the same things happened when i tried to run the diagnostics programme for my Fujitsu Hard drive it gave the same error messages and when i tired to install either the Windows installer or Wpsetup it gave the same error messages as before. Essentially it didnt change anything! ANy other ideas?

dorts

Did it prompt to insert your Windows disk?

nicdonati

yes, and i did.

Girderman

d347bus.sys is a driver file for Daemon Tools. I am very familiar with this file and have spent many hours wrestling with it like a fat pig in a mud hole.

First, more than likely the problem is not Daemon Tools, which I assume you either have or have had installed. My problem is that a windows update for one of my motherboards hard drive controller card (which I don't even use) conflicted with this file. And it was either one or the other. Either Daemon Tools had to go, or I couldn't install the update. I kept Daemon Tools and hid the update so I don't have to look at it anymore.

Unfortunately, once the error happens you have to completely remove Daemon Tools (for me, anyways). Even if this is not your problem I would still recommend doing this because it is something you can always reinstall later, after everything else is running.

sfc is a good idea, but I think getting Daemon off first is best. Also, sometimes it doesn't-want-to-...-go-...

Hangs on desparately demanding manual removal from the registry. If necessary, download RegSeeker and do a search for D347bus.sys and delete every key that has it (except for those "file" keys that do things like store your search history etc...) I'm talking about real registry keys that tell windows you have it installed when you really don't (cause you deleted it from the Program Files directory.


Here's a linkie so you can hear another soap opera about the evils of d347bus.sys :

http://www.daemon-tools.cc/dtcc/blue-screen-caused-d347bus-sys-t4619.html

Have you had Alcohol 120 % installed ? If so, your problems may get further complicated. If you search for the D347* file, also do a search for Alcohol's A347* counterpart as (I suspect) my problems were really caused by that rather than Daemon. They're all actually quite good, in general. They just don't like to share the same computer.

nicdonati

yeah i have removed daemon tools now im not really sure what u mean about deleting it out of the registry how exactly would i do that. Aslo that was one error message i consistently get different blue screen error messages today i just got a Bad_Pool_Error, and it took AGES to dump physical memroy.

Girderman

Work in small steps, stay focused on the immediate goal.

Downlaod, install & run RegSeeker and have it find the registry entries that have the "d347bus.sys" text in them. Then run it's "autoclean" function.

Check Hardware Manager and look for conflicts after a reboot, & report any yellow or red flags.

nicdonati

yeah sorry i thought i had unistalled but apparantly i havent and now im having problmes with the windows installer program (see link here with more details about my problem Suspected Virus/trojan/worm)

When i go to try and unistall Daemon tools it says Windows installer cannot be accessed, this can either be cos u are in Safe Mode (im not) or its not installed properly.

The problme is dorts has been trying to help me fix it but i cant!!

Girderman

Dorts is an analyst and you are in good hands. Follow his gentle instructions as if they were coming from the Lord God Himself, and all will be well.



Seriously, let him help you get rid of the malware first, and if it's still an issue we can work on getting rid of Daemon Tools and whatever problems it may be causing afterwards. It's possible that all of your problems are being caused by the malware, and that Daemon Tools is a patsy, framed to take the fall for some other software's crimes.

dorts

Hi Girderman,

Thanks for your kind words. Actually, he is free of malware already. As the infection he had was a real nasty one, what I am afraid is that the infection may have damaged some of his OS components, such as Windows Installer etc.

Girderman

So are you thinking sfc, or a Repair Install ?

dorts

Tried sfc but according to nicdonati, doesn't help. Repair Install would be my last resort.

nicdonati

"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"BitComet" = ""D:\Program Files\BitLord\BitLord.exe"" ["www.BitLord.com"]
"SpybotSD TeaTimer" = "C:\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"QKeys" = ""D:\Program Files\QKeys\QKeys.EXE"" ["Taiwan"]
"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]
"ATIPTA" = ""D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"" ["ATI Technologies, Inc."]
"SunJavaUpdateSched" = ""D:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"QuickTime Task" = ""D:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"(Default)" = "(empty string)" [file not found]
"SCDEmuApp.exe" = ""D:\Program Files\PowerISO\SCDEmuApp.exe"" ["PowerISO Computing, Inc."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"WinampAgent" = ""D:\Program Files\Winamp3\winampa.exe"" [file not found]
"NeroFilterCheck" = "D:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"iTunesHelper" = ""D:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"AdaptecDirectCD" = ""D:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]
"Acrobat Assistant 7.0" = ""D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"" ["Adobe Systems Inc."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
\StubPath = "D:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE" [MS]
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "D:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar Helper"
\InProcServer32\(Default) = "D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{4A368E80-174F-4872-96B5-0B27DDD11DB2}\(Default) = "SpywareGuard Download Protection"
-> {HKLM...CLSID} = "SpywareGuardDLBLOCK.CBrowserHelper"
\InProcServer32\(Default) = "D:\Program Files\SpywareGuard\dlprotect.dll" [null data]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "d:\program files\google\googletoolbar3.dll" ["Google Inc."]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Conversion Toolbar Helper"
\InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
"{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" = "PowerISO"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "D:\Program Files\PowerISO\PowerISOShell.dll" ["PowerISO Computing, Inc."]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "D:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{81559C35-8464-49F7-BB0E-07A383BEF910}" = (no title provided)
-> {HKLM...CLSID} = "SpywareGuard.Handler"
\InProcServer32\(Default) = "D:\Program Files\SpywareGuard\spywareguard.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{81559C35-8464-49F7-BB0E-07A383BEF910}" = (no title provided)
-> {HKLM...CLSID} = "SpywareGuard.Handler"
\InProcServer32\(Default) = "D:\Program Files\SpywareGuard\spywareguard.dll" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> WRNotifier\DLLName = "WRLogonNTF.dll" [file not found]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "D:\Program Files\PowerISO\PowerISOShell.dll" ["PowerISO Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "D:\Program Files\PowerISO\PowerISOShell.dll" ["PowerISO Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "D:\Program Files\PowerISO\PowerISOShell.dll" ["PowerISO Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "D:\Documents and Settings\Nic\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "D:\Documents and Settings\Nic\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "D:\WINDOWS\System32\ssmypics.scr" [MS]

nicdonati

Do we know what the problem is? My computer is actring kinda funny it keeps crashing and is running slowly. It was good straight after we cleaned it but is getting worse again.

Girderman

Nico, it appears you have BitLord, a varient of BitComet a P2P downloading software.

As you know P2P filesharing is very risky, and it is quite possible that you have become reinfected as a result of this activity.

It was suggested that you do a manual removal of the Daemon Tools registry entries (which is difficult) and you have not asked for help for doing that. It was also suggested that a it may be time for a Repair Install and you've not made any mention of that option either.

5 days later, after having failed to respond to several very good suggestions you come back with what might be a completely-reinfected computer, asking for more help, and posting some kind of diagnostic log which (to my knowledge) was not asked for byt a company that I am personally unfamiliar with.

What is this report supposed to tell us ?

You've had several suggestions here already, and I suggest you respond to at least one of them. Further I think it would be wise for you to report if you are continuing your P2P activites, as that may provide some sense of how likely a long-term solution for your problems can be found.

Kalim

Daemon Tools drivers conflict with many other application drivers. Many times it conflicts with Alcohol 120% as Girderman said and at many other times others i.e. you may just download/install it and get a BSoD instantly. You'll see this as when its driver loads and shows up on the screen after choosing SafeMode after POST, the screen will probably freeze or you may get another BSoD.

First follow Girderman's advice on using RegSeeker to delete all d347bus.sys entries.

There is another temporary solution and a check, but I don't want to tred in the mud right now.