
Registered · 86 Posts · Discussion Starter #1 (Edited)
I was told to post here to make sure my system was clean before they would help with my BSOD. I'm really more interested in why my Safemode is acting the way it is. Here is my original post, and I have also attached the files requested by the board. Also, when running Gmer I had to uncheck 'Devices' to keep it from reporting an error and terminating the app.

Safemode reverts all changes/BSOD in Windows

---------------------------------------------------------------------------
Hey guys, I hope you can assist me with my issue...

Vista Home 32 BIT
v6.0 Build 6002: SP2
3GB RAM
HP G60 OEM Notebook Original OS
Pentium Dual-Core T4200 @2GHz


On 2/25/11 I did a Malwarebytes scan and it found these few pieces of malware. It repaired them successfully, and required a reboot. Listed below is what mbam found and repaired.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\g043oqxanu (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\TJHTHX1O7X (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.

Files Infected:
c:\Windows\Tasks\{62c40aa6-4406-467a-a5a5-dfdf1b559b7a}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.

After the reboot I got a BSOD when the desktop was first loading. I could see my background picture for about 3-5 seconds before the BSOD. The BSOD flashed then rebooted because I had the default set to 'Automatically Restart' on errors in System Properties. Every attempt to reboot into Windows would bring this BSOD, and at the same precise time. Sometimes I would see my wallpaper and sometimes it would crash right before I could see it, but always after the 'Welcome' is on the screen with the spinning circle/hourglass.

I tried Safemode, and it loaded just fine, in Networking, Standard, and Command Prompt. I ran more tests in Safemode and some minor cleanup work and pretty much everything looked or reported clean. I ran sfc /scannow and it came back with no errors or un-repairable errors. Reboots still BSOD when loading the regular Windows Desktop.

My biggest concern though, is Safemode is not running or acting like "true" Safemode. I have noticed that any changes other than data files are not saved after I reboot, even rebooting directly back to Safemode. I have tried to disable the 'Automatically Restart', but it is always still checked when I log back in to Safemode, so I still don't know what STOP error it's reporting. Any desktop changes are always reverted back. I created another account in Safemode just to isolate a corrupted profile, and it creates the user, but the user is not listed in the 'User Accounts' after a reboot. The user is created though, verified on the hdd under Users. I also tried to re-enable the UAC, it was disabled, and after a reboot it is disabled again. Trying to run a chkdsk /r is useless since it requires a reboot to start the process, but b/c nothing is saved after rebooting, it never starts. I enabled the administrator account using net user administrator /active:yes, but after reboot it is not active.

I loaded a Vista Recovery disk, and ran some tests. Memory and hdd all passed. I was able to finally run a chkdsk /r from the recovery prompt. It came back with no errors. I tried the Restore option and it said it was successful, but still BSOD. I'm curious if it truly restored anything considering that everything reverts back. Is there any way to truly know if it restored to a previous date?

Also the current BSODs are not being recorded, at least not in the Windows\Minidump or Windows directory. The last few BSODs I had before this though, I was able to back up, but I don't think they relate to the current BSODs. I have no idea what the current ones are b/c it flashes and restarts too quickly.

I have included a screen shot of Safemode first loading up. Every time Safemode loads up, but before explorer or the desktop is shown, the System Properties window pops up, and behind it is a message box regarding offline System Restore, click Ok.

Anyway I hope someone here might be able to make sense of this behavior problem of Safemode, and of course the BSOD that plagues this notebook.

I ran Avira Registry Cleaner, and it found and removed 18 remnants of Avira and Norton, but once again when I reboot to Safemode, they're back.



DDS Copy and Paste:

DDS (Ver_10-12-12.02) - NTFSx86 NETWORK
Run by Carma at 14:04:46.15 on Mon 02/28/2011
Internet Explorer: 8.0.6001.18999
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3002.2582 [GMT -5:00]

AV: Norton AntiVirus *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton AntiVirus *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Carma\Desktop\ROOTKITS\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\18.5.0.125\ips\IPSBHO.DLL
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized
uRunOnce: [SYMNRT] c:\program files\internet explorer\iexplore.exe Reinstalling your Norton product after you run the Norton Removal Tool | Norton Support
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
uPolicies-explorer: DisallowRun = 0 (0x0)
uPolicies-explorer: NoSearchFilesInStartMenu = 0 (0x0)
uPolicies-explorer: NoSearchProgramsInStartMenu = 0 (0x0)
uPolicies-explorer: NoSearchComputerLinkInStartMenu = 0 (0x0)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} - hxxp://zone.msn.com/bingame/zpagames/zpa_hrtz.cab99160.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

============= SERVICES / DRIVERS ===============

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 NAV;Norton AntiVirus;"c:\program files\norton antivirus\engine\18.5.0.125\ccsvchst.exe" /s "nav" /m "c:\program files\norton antivirus\engine\18.5.0.125\dimaster.dll" /prefetch:1 --> c:\program files\norton antivirus\engine\18.5.0.125\ccSvcHst.exe [?]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\sminst\BLService.exe [2008-10-23 365952]
S3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-10-23 193840]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-6-29 112128]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2011-02-27 00:02:27 -------- d-----w- c:\program files\CCleaner
2011-02-26 23:11:20 6144 ------w- c:\windows\system32\AC2A.tmp
2011-02-26 23:05:30 6144 ------w- c:\windows\system32\5469.tmp
2011-02-26 23:04:37 6144 ------w- c:\windows\system32\82D7.tmp
2011-02-26 04:46:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-26 04:46:21 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-26 04:36:39 -------- d-----w- c:\users\carma\appdata\local\Xenocode
2011-02-26 04:36:39 -------- d-----w- c:\program files\Xenocode
2011-02-16 20:58:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-10 02:32:12 -------- d-----w- c:\program files\iPod(148)
2011-02-10 02:32:11 -------- d-----w- c:\program files\iTunes(149)

==================== Find3M ====================


============= FINISH: 14:05:52.61 ===============
 

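As an added triage example (not part of the original post, and not a DDS or Malwarebytes tool), the script below parses the two parts of the DDS log above that carry the signals a reviewer would look at first: the `mPolicies-system` lines (EnableLUA = 0 means UAC is off, which matches what the poster describes) and the "Created Last 30" entries, where three identically sized .tmp files were written directly into system32 within a few minutes of each other on the day of the infection. The sample input is a constructed subset of the log lines quoted above; the 15-minute clustering window is an arbitrary threshold chosen for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: policy lines and "Created Last 30" entries copied
# from the DDS log in the post above (a subset, not the full log).
SAMPLE_DDS = r"""
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
2011-02-27 00:02:27 -------- d-----w- c:\program files\CCleaner
2011-02-26 23:11:20 6144 ------w- c:\windows\system32\AC2A.tmp
2011-02-26 23:05:30 6144 ------w- c:\windows\system32\5469.tmp
2011-02-26 23:04:37 6144 ------w- c:\windows\system32\82D7.tmp
2011-02-26 04:46:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-26 04:46:21 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-16 20:58:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
"""

# One "Created Last 30" line as DDS prints it: timestamp, size (dashes for a
# directory), an 8-character attribute string, then the path.
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<size>-+|\d+) (?P<attr>[-a-z]{8}) (?P<path>\S.*)$"
)
# One policy line, e.g. "mPolicies-system: EnableLUA = 0 (0x0)"
# (u = HKCU, m = HKLM in DDS notation).
POLICY_RE = re.compile(
    r"^(?P<scope>[um])Policies-(?P<hive>\w+): (?P<name>\w+) = (?P<value>\d+)"
)

SYSTEM32 = r"c:\windows\system32" + "\\"
CLUSTER_WINDOW = timedelta(minutes=15)  # assumption: arbitrary threshold


def parse_entries(text):
    """Return file-creation entries (directories skipped) as dicts."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m or m.group("attr").startswith("d"):
            continue  # not a creation line, or a directory
        entries.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "size": int(m.group("size")),
            "path": m.group("path").lower(),
        })
    return entries


def parse_policies(text):
    """Return {(scope, hive, name): value} for every Policies line."""
    policies = {}
    for line in text.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            key = (m.group("scope"), m.group("hive"), m.group("name"))
            policies[key] = int(m.group("value"))
    return policies


def tmp_files_in_system32(entries):
    """.tmp files dropped directly in system32 (not in a subfolder)."""
    hits = []
    for e in entries:
        path = e["path"]
        rest = path[len(SYSTEM32):]
        if path.startswith(SYSTEM32) and path.endswith(".tmp") and "\\" not in rest:
            hits.append(path)
    return hits


def same_size_clusters(entries, window=CLUSTER_WINDOW):
    """Groups of 2+ files of identical size all created within `window`."""
    by_size = defaultdict(list)
    for e in entries:
        by_size[e["size"]].append(e)
    clusters = []
    for size, group in by_size.items():
        if len(group) < 2:
            continue
        group.sort(key=lambda e: e["ts"])
        if group[-1]["ts"] - group[0]["ts"] <= window:
            clusters.append((size, [e["path"] for e in group]))
    return clusters


def triage(text):
    """Run all checks over one DDS log and return the findings."""
    entries = parse_entries(text)
    policies = parse_policies(text)
    return {
        # HKLM policy EnableLUA = 0 means UAC is turned off machine-wide.
        "uac_disabled": policies.get(("m", "system", "EnableLUA")) == 0,
        "tmp_in_system32": tmp_files_in_system32(entries),
        "size_clusters": same_size_clusters(entries),
    }


if __name__ == "__main__":
    for name, value in triage(SAMPLE_DDS).items():
        print(f"{name}: {value}")
```

On the sample above it reports UAC disabled, the three .tmp files in system32, and one cluster of 6144-byte files written within about seven minutes.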

Registered · 86 Posts · Discussion Starter #3
Hey guys, not sure if I've been missed or maybe just picked over, but it's going on 5 or 6 days and I haven't heard from anybody. Please let me know if I have done something wrong so I can fix it, or if my issue is maybe too complicated and no one wants to help. The reason I ask is b/c I noticed when doing searches on others, that they are usually replied to by 2 or 3 days, even some earlier than that.

Thanks
 

Registered · 86 Posts · Discussion Starter #4
Seriously though, any reason no one has acknowledged my post in 7 days?
I realize I can't expect too much, since this is free, but I thought I would get a response in a few days considering that is the time frame that is noted here.
 

Registered · 86 Posts · Discussion Starter #5
[moved] Safemode does not retain any changes - Virus at work???

TSF Security Manager, Emeritus · 42,837 Posts
Hello Mike and our apologies for the oversight of your thread.

Due to the malware detected by MBAM, I feel it would be prudent to run another tool. Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications


===================================================


Double click on combofix.exe & follow the prompts.


When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.


__________________________
 

Registered · 86 Posts · Discussion Starter #8
Hello Mike and our apologies for the oversight of your thread.

Due to the malware detected by MBAM, I feel it would be prudent to run another tool. Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop
__________________________
Hey no problem, and thanks for assisting me with this. I will run the combo and report back.

thanks again :)
 

Registered · 86 Posts · Discussion Starter #9
I'm running Combo now, and it says Warning: it has detected the following real time scanners to be active:
antivirus: Norton AntiVirus
antispyware: Norton AntiVirus

I have uninstalled Norton via Add/Remove Programs and even ran Norton's own AntiVirus Removal Software. The Norton service is still listed under Services, but it is not started. Just wanted to make you aware of this, since ComboFix has warned me a second time that Norton is still active.
 

TSF Security Manager, Emeritus · 42,837 Posts
Thanks. Go ahead and OK your way through the warnings.
 

Registered · 86 Posts · Discussion Starter #11
Hello Mike and our apologies for the oversight of your thread.

Due to the malware detected by MBAM, I feel it would be prudent to run another tool. Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

__________________________

Here is the ComboFix log as requested. Also, I should note there was an error regarding ComboFix after it was all said and done, and I had closed out of ComboFix. About 5 seconds later, after saving the log:

ComboFix.exe

Illegal operation attempted on a registry key that has been marked for deletion.

Not sure if it is a major concern; I just clicked OK, and went on transferring the log to my jump drive.


ComboFix 11-03-07.04 - Carma 03/07/2011 23:17:20.3.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3002.2532 [GMT -5:00]
Running from: c:\users\Carma\Desktop\ComboFix.exe
AV: Norton AntiVirus *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Norton AntiVirus *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-02-08 to 2011-03-08 )))))))))))))))))))))))))))))))
.
.
2011-03-08 04:23 . 2011-03-08 04:23 -------- d-----w- c:\users\Carma\AppData\Local\temp
2011-03-08 04:23 . 2011-03-08 04:23 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-02-27 00:02 . 2011-02-27 00:02 -------- d-----w- c:\program files\CCleaner
2011-02-26 23:11 . 2010-05-26 15:39 6144 ------w- c:\windows\system32\AC2A.tmp
2011-02-26 23:05 . 2010-05-26 15:39 6144 ------w- c:\windows\system32\5469.tmp
2011-02-26 23:04 . 2010-05-26 15:39 6144 ------w- c:\windows\system32\82D7.tmp
2011-02-26 05:27 . 2011-02-26 05:27 -------- d-----w- c:\users\Test
2011-02-26 04:46 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-26 04:46 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-26 04:36 . 2011-02-26 04:36 -------- d-----w- c:\users\Carma\AppData\Local\Xenocode
2011-02-26 04:36 . 2011-02-26 04:36 -------- d-----w- c:\program files\Xenocode
2011-02-16 20:58 . 2011-02-26 04:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-10 02:32 . 2011-02-10 02:32 -------- d-----w- c:\program files\iPod(148)
2011-02-10 02:32 . 2011-02-10 02:32 -------- d-----w- c:\program files\iTunes(149)
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-05-13 26192168]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-22 47904]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSearchFilesInStartMenu"= 0 (0x0)
"NoSearchProgramsInStartMenu"= 0 (0x0)
"NoSearchComputerLinkInStartMenu"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 04:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 09:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-07-10 22:27 170520 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
2008-10-09 14:58 75008 ----a-w- c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-12-11 02:52 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
2008-09-30 23:56 972080 ----a-w- c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2008-04-15 21:51 488752 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-07-10 22:27 150040 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2008-06-09 17:16 2363392 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-07-10 22:27 145944 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl.exe]
2008-08-01 23:14 202032 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2008-09-24 00:21 468264 ----a-w- c:\program files\HP\QuickPlay\QPService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-06-18 03:02 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2008-04-17 18:05 1049896 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
2007-12-24 22:55 222504 ------w- c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateLBPShortCut]
2008-06-14 01:11 210216 ------w- c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateP2GoShortCut]
2008-06-14 01:11 210216 ------w- c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdatePDIRShortCut]
2008-06-14 01:11 210216 ------w- c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdatePSTShortCut]
2008-10-07 03:42 210216 ------w- c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3824035156-3403264416-3006528560-1000]
"EnableNotificationsRef"=dword:00000001
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1205000.07D\SYMDS.SYS [x]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1205000.07D\SYMEFA.SYS [x]
R1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\BASHDefs\20101123.003\BHDrvx86.sys [x]
R1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\IPSDefs\20110106.003\IDSvix86.sys [x]
R1 SASDIFSV;SASDIFSV;c:\users\Carma\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\users\Carma\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.sys [x]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1205000.07D\Ironx86.SYS [x]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\NAV\1205000.07D\SYMTDIV.SYS [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\18.5.0.125\ccSvcHst.exe [x]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-10-06 365952]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-06-29 112128]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\8AB1.tmp [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 SASENUM;SASENUM;c:\users\Carma\AppData\Local\Temp\SAS_SelfExtract\SASENUM.SYS [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ECACHE
*NewlyCreated* - NAV
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 17:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2010-02-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 02:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
HKLM-RunOnce-<NO NAME> - (no file)
AddRemove-NAV - c:\program files\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV\2454B0AB\18.5.0.125\InstStub.exe
AddRemove-WinRAR archiver - c:\program files\WinRAR\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-03-07 23:23
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\18.5.0.125\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\18.5.0.125\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\avgntflt]
"ImagePath"="system32\DRIVERS\avgntflt.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\8AB1.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-03-07 23:25:12
ComboFix-quarantined-files.txt 2011-03-08 04:25
.
Pre-Run: 238,267,260,928 bytes free
Post-Run: 238,224,551,936 bytes free
.
- - End Of File - - D7A878FE4D2C59DD6D3C6AC7A410F9EE
 

TSF Security Manager, Emeritus
Thanks, Mike.

Illegal operation attempted on a registry key that has been marked for deletion.
A reboot is all that is needed to remedy that. Please reboot and let Windows boot into Normal Mode. Are you still getting the bsod?
 

TSF Security Manager, Emeritus
And I take it the changes you make in Safe Mode don't stick?

I realize you said that bsod is not showing up in Mini Dumps, but I'd like to see what is showing in the Event Viewer. Download VEW.exe

  • Double click on VEW.exe to start the program. If you receive an "Open File" security warning, press Run.
  • In the "Select log to query" section check:
  • Application
  • System

  • In the "Select type to list" section check:
  • Error

  • In the "Number or dates of events" section check:
  • Number of events... then enter any number from 1 thru 20 in the entry box -- enter 10.

  • Press the Run button.
When the process completes, it only takes a few seconds...
Notepad will open with a report file named: VEW.txt... located on %SystemDrive%\VEW.txt ... usually C:\VEW.txt. Please post the contents of the VEW.txt
 

Registered
Discussion Starter #15
Doesn't look good :(

Vino's Event Viewer v01c run on Windows Vista in English
Report run at 08/03/2011 12:54:26 AM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

TSF Security Manager, Emeritus
Let's see if we get same results from dds.scr. Run it again, but only post the second log that it produces - the Attach.txt
 

Registered
Discussion Starter #17
Does the event service have to be running for VEW to report events? I ask b/c anytime I try to run MS Event Viewer in Safemode, I get:

Event Viewer cannot open event log or custom view. Verify that Event Log service is running. The request is not supported (50)
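As an added example (not code from either participant in this thread, and not VEW's own code): a PowerShell equivalent of the VEW query the moderator described above, that is, the last 10 Error-type events from the Application and System logs, which first checks the Windows Event Log service that the Safe Mode error message quoted here points at. It assumes Windows Vista or later with PowerShell 2.0, which provides Get-WinEvent; the Level value 2 is the Error level in the Windows event schema, and the output layout only loosely mirrors VEW's section headers.

```powershell
# Added example: command-line equivalent of the VEW query described in the thread
# (Application + System logs, Error type, last 10 events). Assumes Windows Vista
# or later with PowerShell 2.0+, which provides Get-WinEvent.

# Event queries depend on the Windows Event Log service (service name "EventLog");
# this is the dependency the GUI Event Viewer's error message refers to.
$svc = Get-Service -Name EventLog
if ($svc.Status -ne 'Running') {
    Write-Warning "Event Log service is '$($svc.Status)'; no events can be read."
    return
}

$logs  = 'Application', 'System'   # "Select log to query"
$level = 2                         # "Error" (Level 2 in the Windows event schema)
$count = 10                        # "Number of events" -- enter 10

foreach ($log in $logs) {
    Write-Output "=== '$log' Log - Error Type ==="
    # Get-WinEvent reports "No events were found" as a non-terminating error when
    # nothing matches; suppressing it leaves $events empty, which corresponds to
    # an empty section in a VEW report.
    $events = Get-WinEvent -FilterHashtable @{ LogName = $log; Level = $level } `
                           -MaxEvents $count -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Output "(no Error events found in '$log')"
        continue
    }
    $events |
        Select-Object TimeCreated, Id, ProviderName,
                      @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
        Format-Table -AutoSize
}
```

To keep a copy in the same place VEW writes its report, run the script with its output redirected, for example `.\vew-equivalent.ps1 | Out-File "$env:SystemDrive\VEW.txt"` (the script file name is an assumption). If the service check fails in Safe Mode, that is the first thing to report back, since neither VEW nor the built-in Event Viewer can read logs without it.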
 

TSF Security Manager, Emeritus
I'm not sure, I haven't tested it in Safe Mode and it's getting past my bedtime, so no time to test now. :)

Please run dds.scr and post only the Attach.txt
 

Registered
Discussion Starter #19 (Edited)
Says the Attach.txt must be zipped, then attached (not posted) to your forum.

Do you still want me to just post it, or should I attach it as it requests?

N/m I see it's bed time, I will just attach it to be safe.

thanks
 

TSF Security Manager, Emeritus
You can post it directly into the reply box.
 