Last resort asking for help ;-)


It's no problem, you can try the following with any XP CD. :)

  • Insert the Windows XP CD-ROM into the CD-ROM drive, and then restart the computer.
  • If your PC is not booting from the CD, you need to change the boot order:
    • Restart your PC
    • As soon as you get an image, press the Setup key. This is usually F2, or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
    • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
    • Navigate to the tab, where you can set the boot order. It should be called Boot or Boot order
    • The tab should now show your current boot order.
      If the CD-drive is not at the top, please navigate to the CD-Rom drive with the arrow keys. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However they can be different, but they should be stated in the help, so that you can find them easily.
    • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.

  • Your PC should now boot from your XP-CD.
    Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • When prompted to choose a windows installation, type 1 and press enter.
  • When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.
  • A command prompt will open

Type chkdsk /r and press enter.

When done type exit and press enter.

Let me know if things have improved now.


OK Thank you.

Well... I was able to run it and the scan completed. Said that it fixed more than one error, however, absolutely no change in behavior. Still received the same BSOD. Tried to run MBs and the computer rebooted after a minute or so into the scan. :angry2::angry::wacko:

My theory is that there is a virus. It has corrupted one or more windows drivers. The virus will not allow a normal windows environment or a full system scan from a spyware, virus, or rootkit detector to run. It will not allow a repair of the corrupted driver, or it can duplicate the corruption. At one point last week the computer would shut down when I was typing the word malwarebytes into a Google search. So... it seems to know all of the "main stream" detectors. And, when they get to a certain point in their scans (actual detection) it crashes the system.

I am wondering if there is a way to correct the problems by access from another computer and using this drive as a slave drive. That way Windows wouldn't be running?? Don't know and it is pretty frustrating. If I had an XP Home CD I think it would be all over. Although I do like to solve problems. :)


I do not think this problem is caused by malware, rather by hardware. What manufacturer is this computer? Based on manufacturer we can run some hardware diagnostics and see if maybe a component is failing. Unfortunately what this sounds like (which is an impression for now, not a fact :)) is harddisk failure. As this is a serious problem and may cause data-loss I want to investigate that first. Just to be on the safe side I also recommend you to back up any important data.


At first I thought the very same thing... that this is a hard drive problem. I'm sure you know a lot more about this stuff than I do but I really don't think it is.

I can leave the computer on overnight and it will still be running the next morning. I can use the computer to search the internet. I can use the computer to do other things and it will run fine... except if I run virus/malware scans. I run any of those and the computer stops within minutes. There have only been two instances in the past week that a quick scan was able to complete. I get an error message when I attempt to run Kaspersky's rootkit buster so it won't even run. HJT isn't even allowed to install.

It is a Dell 5150. As you probably know Dell has utilities accessible on start up. I ran every single hardware diagnostics test. I did the hard drive tests two times because I thought the same thing. I also had pulled the hard drive out and put it in another computer. I ran virus and malware scans to check the hard drive from that machine. The scans completed. During the Malwarebytes full scan Avast stopped a Trojan, yet, when I checked quarantine no new files were listed. I then ran Avast and it did not find anything during a full system scan. But again, this was done while the hard drive was in the other machine. That is what leads me to believe that it is a virus. I relayed this information during the first 5 posts. Also back at that point I was able to access windows without having to boot into safe mode every single time.

All important data has been saved.

Are there other diagnostic utilities to run on the hard drive? Or should I run those again?


It is strange indeed, because typically the problems you describe (scans crashing with BSOD) are caused by file system errors. Another possibility is a native windows/hardware driver causing a conflict resulting in a crash.

Could you rerun BlueScreenView and post me the new log?


Yes... strange. It really is almost like someone else is running the computer when the detection software is run. I am wondering about the botnet thing?

I actually tried running bluescreenview a couple of times over the past few days to see what, if anything, had changed. Only the files it (bluescreenview) generated on 4-22-12 were there. So, I erased the minidump files and now no new files get generated.


If your computer is part of a botnet it exhibits other symptoms. I'd like to see the state of some services to see if that can help us determine the cause of the BSOD.

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update

  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


Yes... I have been doing some research and I was just reaching on the botnet possibility. I don't exhibit slow internet connection speeds on a regular basis... other than the normal slow down at certain highly visited sites or my local network.

I did download and try Avast again. I think the DL through CNET might have been corrupted because I changed DL location and Avast installed correctly and was able to run a quick scan. Of course nothing was detected. And... as soon as I attempted to run the full system scan... same scenario... 2 minutes in and the system crashed.

Here's the requested information. Thanks again for your help and time!

Farbar Service Scanner Version: 24-04-2012

Ran by Administrator (administrator) on 28-04-2012 at 11:37:01

Running from "C:\Documents and Settings\Administrator.PLEAUCOMPUTER.000\Desktop"

Microsoft Windows XP Home Edition Service Pack 3 (X86)

Boot Mode: Nerwork

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Yahoo IP is accessible.

Windows Firewall:

=============

Firewall Disabled Policy:

==================

System Restore:

============

System Restore Disabled Policy:

========================

Security Center:

============

wscsvc Service is not running. Checking service configuration:

The start type of wscsvc service is OK.

The ImagePath of wscsvc service is OK.

The ServiceDll of wscsvc service is OK.

Windows Update:

============

wuauserv Service is not running. Checking service configuration:

The start type of wuauserv service is OK.

The ImagePath of wuauserv service is OK.

The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".

BITS Service is not running. Checking service configuration:

The start type of BITS service is set to Demand. The default start type is Auto.

The ImagePath of BITS service is OK.

The ServiceDll of BITS service is OK.

EventSystem Service is not running. Checking service configuration:

The start type of EventSystem service is OK.

The ImagePath of EventSystem: "C:\WINDOWS\system32\svchost.exe -k netsvcs".

The ServiceDll of EventSystem: "C:\WINDOWS\system32\es.dll".

Windows Autoupdate Disabled Policy:

============================

File Check:

========

C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit

C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit

C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit

C:\WINDOWS\system32\netman.dll => MD5 is legit

C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit

C:\WINDOWS\system32\srsvc.dll => MD5 is legit

C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit

C:\WINDOWS\system32\wscsvc.dll => MD5 is legit

C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit

C:\WINDOWS\system32\wuauserv.dll => MD5 is legit

C:\WINDOWS\system32\qmgr.dll => MD5 is legit

C:\WINDOWS\system32\es.dll => MD5 is legit

C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit

C:\WINDOWS\system32\svchost.exe => MD5 is legit

C:\WINDOWS\system32\rpcss.dll => MD5 is legit

C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:

=======

aswTdi(8) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)

0x080000000400000001000000020000000300000008000000050000000600000007000000

IpSec Tag value is correct.

**** End of log ****


Well... after running the scan like 25 times I was able to write down the file. The first 3 times I ran the Avast scan it seemed to crash at "SEV: dmload\c:windowssystem\drivers\dmload.exe" (I'm not sure that is exact but it is close). The next 15 or more times it crashed at "C:\file_store_32\Sprites\SIDEICONS 7.jag" (that one I am sure about). There were a few times that the scan made it to the next file but it was a bundle of numbers and letters and it happened so fast there was no way to get it.

File Protection scan would run. I could see a flash of a command window but then nothing happened after that. I tried it several times with no luck. :-(


In the runbox, type cmd and press enter. At the command prompt type sfc /scannow and press enter. Let me know what comes back.

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    dmload*


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


SystemLook 30.07.11 by jpshortstuff

Log created at 06:27 on 29/04/2012 by Administrator

Administrator - Elevation successful

========== filefind ==========

Searching for "dmload*"

C:\cmdcons\DMLOAD.SY_ --a---- 2859 bytes [20:58 17/08/2001] [20:58 17/08/2001] 5ACB957591C3666670511D2607B665C3

C:\i386\dmload.sys --a---- 5888 bytes [19:23 27/07/2006] [10:00 04/08/2004] E9317282A63CA4D188C0DF5E09C6AC5F

C:\i386\dmloader.dll --a---- 35840 bytes [19:23 27/07/2006] [10:00 04/08/2004] 1DCD6D98FE3FFEBD6F9B01D9D00E166B

C:\WINDOWS\$NtServicePackUninstall$\dmloader.dll -----c- 35840 bytes [16:26 01/10/2008] [10:00 04/08/2004] 1DCD6D98FE3FFEBD6F9B01D9D00E166B

C:\WINDOWS\ServicePackFiles\i386\dmloader.dll ------- 35840 bytes [00:17 27/09/2008] [00:11 14/04/2008] 67370BDD46D642B3196C46E3B72CDAD4

C:\WINDOWS\system32\dmloader.dll --a---- 35840 bytes [17:50 10/08/2004] [00:11 14/04/2008] 67370BDD46D642B3196C46E3B72CDAD4

C:\WINDOWS\system32\drivers\dmload.sys --a---- 5888 bytes [17:50 10/08/2004] [10:00 04/08/2004] E9317282A63CA4D188C0DF5E09C6AC5F

-= EOF =-

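One way to read a filefind log like the one above, as an added example that is not part of the original thread or of SystemLook: it parses each result line and checks whether the files under system32 have the same size and MD5 as a same-named copy elsewhere on the disk. The function names, and treating copies outside system32 as references, are assumptions of this example.

```python
import ntpath
import re
from collections import defaultdict

# SystemLook filefind line: path, attribute flags, size, [created] [modified], MD5
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+[-a-z]{7}\s+(?P<size>\d+) bytes "
    r"\[[^\]]+\] \[[^\]]+\] (?P<md5>[0-9A-Fa-f]{32})$")

# Result lines copied from the SystemLook log posted above.
SAMPLE_LOG = r"""
C:\cmdcons\DMLOAD.SY_ --a---- 2859 bytes [20:58 17/08/2001] [20:58 17/08/2001] 5ACB957591C3666670511D2607B665C3
C:\i386\dmload.sys --a---- 5888 bytes [19:23 27/07/2006] [10:00 04/08/2004] E9317282A63CA4D188C0DF5E09C6AC5F
C:\i386\dmloader.dll --a---- 35840 bytes [19:23 27/07/2006] [10:00 04/08/2004] 1DCD6D98FE3FFEBD6F9B01D9D00E166B
C:\WINDOWS\$NtServicePackUninstall$\dmloader.dll -----c- 35840 bytes [16:26 01/10/2008] [10:00 04/08/2004] 1DCD6D98FE3FFEBD6F9B01D9D00E166B
C:\WINDOWS\ServicePackFiles\i386\dmloader.dll ------- 35840 bytes [00:17 27/09/2008] [00:11 14/04/2008] 67370BDD46D642B3196C46E3B72CDAD4
C:\WINDOWS\system32\dmloader.dll --a---- 35840 bytes [17:50 10/08/2004] [00:11 14/04/2008] 67370BDD46D642B3196C46E3B72CDAD4
C:\WINDOWS\system32\drivers\dmload.sys --a---- 5888 bytes [17:50 10/08/2004] [10:00 04/08/2004] E9317282A63CA4D188C0DF5E09C6AC5F
"""

def parse_filefind(log_text):
    """Return one record per result line; headers and blank lines are skipped."""
    records = []
    for line in log_text.splitlines():
        if m := LINE_RE.match(line.strip()):
            records.append({"path": m["path"], "size": int(m["size"]),
                            "md5": m["md5"].upper()})
    return records

# Assumption: copies outside system32 (i386, ServicePackFiles) act as references.
def check_live_copies(records, live_marker="\\windows\\system32\\"):
    """Compare each file under system32 with same-named copies listed elsewhere.
    'match': another copy has the same size and MD5; 'mismatch': other copies
    exist but none agree; 'no-reference': no other copy was listed."""
    by_name = defaultdict(list)
    for rec in records:
        by_name[ntpath.basename(rec["path"]).lower()].append(rec)
    verdicts = {}
    for copies in by_name.values():
        live = [r for r in copies if live_marker in r["path"].lower()]
        refs = [r for r in copies if live_marker not in r["path"].lower()]
        for rec in live:
            same = any((r["size"], r["md5"]) == (rec["size"], rec["md5"])
                       for r in refs)
            verdicts[rec["path"]] = ("match" if same else
                                     "mismatch" if refs else "no-reference")
    return verdicts

if __name__ == "__main__":
    print(check_live_copies(parse_filefind(SAMPLE_LOG)))
```

A "match" only shows that the installed file agrees with another copy on the same disk; it is a consistency check, and the hashes still need comparing against a known-good source outside the affected machine.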

SERVICE_NAME: rpcss

TYPE : 10 WIN32_OWN_PROCESS

STATE : 4 RUNNING

<NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN>

WIN32_EXIT_CODE : 0 <0x0>

SERVICE_EXIT_CODE : 0 <0x0>

CHECKPOINT : 0x0

WAIT_HINT : 0x0

SERVICE_NAME: plugplay

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 4 RUNNING

<NOT_STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN>

WIN32_EXIT_CODE : 0 <0x0>

SERVICE_EXIT_CODE : 0 <0x0>

CHECKPOINT : 0x0

WAIT_HINT : 0x0


Hi again,

GMER

-------

Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.


Hi Elise,

OK... I did as you suggested.

Two lines came up after GMER did its opening scan

On the first line under Type: Code Name: mbamchameleon.sys Value: KelnsertQueueApc

Second line Type: AttachedDevice Name: \Driver|T cpip\DeviceTcp Value: AswRdr.SYS (avast! TDI Redirect Driver/Avast Software

I clicked on "Scan" and nothing happened. So I foolishly closed the program and tried again. As soon as I attempted to run GMER the system crashed. :angry:

I renamed the exe file and GMER opened and ran that initial scan with the same results. I then pressed "Scan" and it started the scan but the system crashed within 15 seconds. :angry2:

UGH! :lol:


This topic is now closed to further replies.