BSOD Please help!!

jbrdbr111x

New Member
On my wife's PC, when she tries to open certain programs, she gets a BSOD with the following information...

DRIVER_IRQL_NOT_LESS_OR_EQUAL

STOP: 0x000000D1 (0xBF849B03, 0x00000002, 0x00000000, 0xB931872F)


***win32k.sys - Address BF849B03 base at BF800000, DateStamp 41107f7a

***dump_wmimmc.sys - Address B931872F base at B9311000, DateStamp 47e0c113

Beginning dump of physical memory


I had tried reformatting her drive and reinstalling Windows and everything, and this error went away for a bit but came back... I've run CCleaner, Spybot S&D, and she has daily scans with AVG and nothing comes up... This is so frustrating. Anyone got any ideas besides another reformat?? :confused: :(
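The stop screen quoted in the post above can be decoded mechanically. This added example (not part of the original post) parses the STOP line and the module lines, then maps each bug check 0xD1 argument to a module and offset; the function names are illustrative, and the argument meanings follow Microsoft's bug check reference for 0xD1.

```python
import re
from datetime import datetime, timezone

# Stop screen text copied from the post above.
BSOD_TEXT = """\
DRIVER_IRQL_NOT_LESS_OR_EQUAL
STOP: 0x000000D1 (0xBF849B03, 0x00000002, 0x00000000, 0xB931872F)
***win32k.sys - Address BF849B03 base at BF800000, DateStamp 41107f7a
***dump_wmimmc.sys - Address B931872F base at B9311000, DateStamp 47e0c113
"""

# Argument meanings for bug check 0xD1 (DRIVER_IRQL_NOT_LESS_OR_EQUAL).
D1_ARGS = ("memory referenced", "IRQL at time of reference",
           "access type (0 = read, 1 = write)", "address that referenced the memory")

STOP_RE = re.compile(r"STOP:\s*0x([0-9A-Fa-f]{8})\s*\(([^)]*)\)")
MOD_RE = re.compile(r"\*+\s*(\S+) - Address ([0-9A-Fa-f]+) base at ([0-9A-Fa-f]+),"
                    r" DateStamp ([0-9A-Fa-f]+)")


def parse_stop_screen(text):
    """Return (bug check code, [4 arguments], [module dicts]) from stop-screen text."""
    stop = STOP_RE.search(text)
    if stop is None:
        raise ValueError("no STOP line found")
    code = int(stop.group(1), 16)
    args = [int(a, 16) for a in stop.group(2).split(",")]
    if len(args) != 4:
        raise ValueError("a STOP line carries exactly four arguments")
    modules = []
    for name, addr, base, stamp in MOD_RE.findall(text):
        addr, base = int(addr, 16), int(base, 16)
        modules.append({
            "name": name, "address": addr, "offset": addr - base,
            # DateStamp is the PE header TimeDateStamp: seconds since 1970-01-01 UTC.
            "built": datetime.fromtimestamp(int(stamp, 16), tz=timezone.utc).date(),
        })
    return code, args, modules


def explain(text):
    """Pair each argument with its 0xD1 meaning and the listed module it falls in."""
    code, args, modules = parse_stop_screen(text)
    if code != 0xD1:
        raise ValueError("the argument table here only covers bug check 0xD1")
    by_addr = {m["address"]: m for m in modules}
    rows = []
    for meaning, value in zip(D1_ARGS, args):
        mod = by_addr.get(value)
        rows.append((meaning, value,
                     f"{mod['name']}+0x{mod['offset']:X}" if mod else None))
    return rows
```

For this screen the code that made the reference sits at dump_wmimmc.sys+0x772F, and it read win32k.sys+0x49B03 at IRQL 2.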
 
Check the transfer cable to the hard drive???
What is it IDE or SATA???
How old is the drive???
What are the specs of the hard drive???
What programs make the computer go BSOD??
What version of Windows are you using???

Post a HijackThis Log

  • Download HijackThis from here
  • Open HijackThis
  • Click on "Do a system scan only"
  • Click on "Save log"
  • A notepad window will open
  • Hit Ctrl + A
  • Copy + paste in a forum reply

Then we can go from there.
 
IDE
Drive is a few years old, but it's in great shape..
20GB 4800rpm I think.. NTFS Format..
Any programs that use GameGuard, i.e. MapleStory, Mabinogi, etc..
Using Windows XP SP2
Below is my HJT info...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:14:12 AM, on 6/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ACNielsen\Homescan Internet Transporter\HSTrans.exe
C:\Program Files\Xfire\xfire.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [MegaPanel] C:\Program Files\ACNielsen\Homescan Internet Transporter\HSTrans.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1212795814037
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4871 bytes
 
Put a check next to this:

O20 - AppInit_DLLs: avgrsstx.dll

It is a threat, view details here

And pls run a ComboFix log:

Download and Run ComboFix
If you already have ComboFix, please delete this copy and download it again as it's being updated regularly.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happened we want to know, and also what process you had to end.

And pls post a fresh HijackThis log along with it
 
Hello, I think we'll be able to get this through.
If this BSoD is software caused, it may be because of your dump-rep system.
Please open your HijackThis again and choose Do a system scan only.
Place a check next to these items:
  • O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
  • O20 - AppInit_DLLs: avgrsstx.dll

Now click Fix checked and reboot your computer.
Should you receive another BSoD, let us know.
 
OK, I ran HJT, fixed those entries, and then ran ComboFix, and here's the log from ComboFix...

ComboFix 08-06-16.5 - Cortney's PC 2008-06-17 12:43:30.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.504 [GMT -4:00]
Running from: C:\Documents and Settings\Cortney's PC\My Documents\My Received Files\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-05-17 to 2008-06-17 )))))))))))))))))))))))))))))))
.

2008-06-17 02:29 . 2008-06-17 02:29 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-17 01:57 . 2008-06-17 01:57 <DIR> d-------- C:\Program Files\CCleaner
2008-06-17 01:53 . 2008-06-17 01:53 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-16 13:38 . 2008-06-16 13:38 <DIR> d-------- C:\Documents and Settings\Cortney's PC\WINDOWS
2008-06-16 13:38 . 1997-04-08 20:08 299,520 --a------ C:\WINDOWS\uninst.exe
2008-06-16 13:38 . 2008-06-16 13:42 173 --a------ C:\WINDOWS\LEXSTAT.INI
2008-06-13 11:30 . 2008-06-13 11:30 <DIR> d-------- C:\WINDOWS\Sun
2008-06-13 01:36 . 2005-12-19 16:02 86,082 --a------ C:\WINDOWS\system32\ftdiunin.exe
2008-06-13 01:36 . 2005-12-19 16:02 60,572 --a------ C:\WINDOWS\system32\drivers\ftser2k.sys
2008-06-13 01:36 . 2005-12-19 16:02 28,449 --a------ C:\WINDOWS\system32\drivers\ftdibus.sys
2008-06-13 01:36 . 2005-12-02 13:12 110 --a------ C:\WINDOWS\system32\ftdiun2k.ini
2008-06-13 01:31 . 2008-06-13 01:31 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-06-13 01:31 . 2008-06-13 01:36 <DIR> d-------- C:\Program Files\ACNielsen
2008-06-13 01:31 . 2005-12-19 16:02 77,890 --a------ C:\WINDOWS\system32\FTLang.dll
2008-06-13 01:31 . 2005-12-19 16:02 48,625 --a------ C:\WINDOWS\system32\ftserui2.dll
2008-06-13 01:30 . 2008-06-13 01:30 <DIR> d-------- C:\Documents and Settings\Cortney's PC\Application Data\InstallShield
2008-06-10 23:14 . 2008-06-10 23:14 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Xfire
2008-06-06 22:17 . 2008-06-06 22:17 <DIR> d-------- C:\Documents and Settings\Cortney's PC\Application Data\Nexon
2008-06-06 22:16 . 2008-06-06 22:16 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-06-06 22:16 . 2003-07-20 14:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2008-06-06 22:16 . 2005-01-04 05:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2008-06-06 22:14 . 2008-06-06 22:14 <DIR> d-------- C:\Nexon
2008-06-06 21:26 . 2008-06-06 21:27 1,160 --a------ C:\WINDOWS\mozver.dat
2008-06-06 21:22 . 2008-06-06 21:22 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-06 21:22 . 2008-06-06 21:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-06 21:18 . 2008-06-17 00:28 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-06 21:18 . 2008-06-06 21:18 <DIR> d-------- C:\Program Files\AVG
2008-06-06 21:18 . 2008-06-06 21:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-06 21:18 . 2008-06-06 21:18 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-06 21:18 . 2008-06-06 21:18 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-06 21:15 . 2008-06-06 21:16 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-06-06 21:13 . 2008-06-06 21:13 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
2008-06-06 21:12 . 2008-06-10 23:02 <DIR> d-------- C:\Program Files\Xfire
2008-06-06 21:12 . 2008-06-17 02:03 <DIR> d-------- C:\Documents and Settings\Cortney's PC\Application Data\Xfire
2008-06-06 21:11 . 2008-06-06 21:11 <DIR> d-------- C:\Program Files\Siber Systems
2008-06-06 21:11 . 2008-06-06 21:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RoboForm
2008-06-06 20:55 . 2008-06-06 20:55 <DIR> d-------- C:\Program Files\Java
2008-06-06 20:55 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-06 20:54 . 2008-06-06 20:54 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-06 20:52 . 2008-06-06 20:52 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-06 20:51 . 2008-06-14 18:05 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-06-06 20:51 . 2008-03-19 18:26 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-06-06 20:51 . 2008-03-19 18:29 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-06-06 20:47 . 2008-06-06 20:47 <DIR> d-------- C:\WINDOWS\nview
2008-06-06 20:47 . 2008-06-06 20:47 <DIR> d-------- C:\WINDOWS\nvidia icons
2008-06-06 20:47 . 2008-05-02 22:46 442,368 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-06-06 20:47 . 2008-06-17 02:40 182,038 --a------ C:\WINDOWS\system32\nvapps.xml
2008-06-06 20:47 . 2008-05-02 22:46 181,895 --a------ C:\WINDOWS\system32\nvdsp.chm
2008-06-06 20:47 . 2008-05-02 22:46 121,529 --a------ C:\WINDOWS\system32\nvcpl.chm
2008-06-06 20:47 . 2008-05-02 22:46 116,384 --a------ C:\WINDOWS\system32\nv3d.chm
2008-06-06 20:47 . 2008-05-02 22:46 54,988 --a------ C:\WINDOWS\system32\nvmob.chm
2008-06-06 20:47 . 2008-05-02 22:46 18,070 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-06-06 20:45 . 2008-06-06 20:45 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-06-06 20:45 . 2008-04-30 17:27 442,368 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-06-06 20:44 . 2008-06-06 20:44 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-06-06 20:44 . 2008-06-06 20:44 <DIR> d-------- C:\NVIDIA
2008-06-06 20:21 . 2008-06-06 20:40 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
2008-06-06 20:20 . 2008-06-06 20:20 <DIR> d-------- C:\WINDOWS\provisioning
2008-06-06 20:20 . 2008-06-06 20:20 <DIR> d-------- C:\WINDOWS\peernet
2008-06-06 20:19 . 2008-06-06 20:19 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-06-06 20:16 . 2005-02-24 23:35 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-06-06 20:14 . 2008-06-06 20:14 <DIR> d-------- C:\WINDOWS\EHome
2008-06-06 20:06 . 2004-08-04 00:56 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
2008-06-06 20:06 . 2004-08-02 14:20 7,208 --------- C:\WINDOWS\system32\secupd.sig
2008-06-06 20:06 . 2004-08-02 14:20 4,569 --------- C:\WINDOWS\system32\secupd.dat
2008-06-02 20:56 . 2008-06-02 20:56 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-06 23:34 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"nwiz"="nwiz.exe" [2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 22:46 86016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-06 21:18 1177368]
"MegaPanel"="C:\Program Files\ACNielsen\Homescan Internet Transporter\HSTrans.exe" [2006-05-11 14:30 2064384]

C:\Documents and Settings\Cortney's PC\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [2008-06-02 20:56:46 3017040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-06 21:18]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-06 21:18]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-04 01:31]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-17 12:44:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-17 12:45:11
ComboFix-quarantined-files.txt 2008-06-17 16:45:08

Pre-Run: 12,821,323,776 bytes free
Post-Run: 12,835,422,208 bytes free

123

My question is, what is that avgrsstx.dll? Is it a virus, is it spyware, or what? Thanks...
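One way to triage an AppInit_DLLs entry like the one asked about here is to look up the DLL in ComboFix's "Files Created" listing and see what else was created in the same minute. This is an added example, not part of the thread; the log lines are excerpted verbatim from the two logs posted above, and the function names are illustrative.

```python
import re

# Lines excerpted verbatim from the HijackThis and ComboFix logs in this thread.
HJT_LOG = r"""
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
"""
COMBOFIX_LOG = r"""
2008-06-06 22:16 . 2005-01-04 05:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2008-06-06 21:22 . 2008-06-06 21:22 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-06 21:18 . 2008-06-17 00:28 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-06 21:18 . 2008-06-06 21:18 <DIR> d-------- C:\Program Files\AVG
2008-06-06 21:18 . 2008-06-06 21:18 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-06 21:18 . 2008-06-06 21:18 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-06 21:15 . 2008-06-06 21:16 <DIR> d-------- C:\Program Files\Common Files\Adobe
"""

O20_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(.+)$", re.M)
# created stamp . modified stamp, size or <DIR>, attribute flags, full path
ROW_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. \d{4}-\d\d-\d\d \d\d:\d\d "
                    r"(?:<DIR>|[\d,]+) \S+ (.+)$", re.M)


def appinit_dlls(hjt_log):
    """DLL names on HijackThis O20 lines (the registry value may hold several)."""
    names = []
    for value in O20_RE.findall(hjt_log):
        names += [n for n in re.split(r"[ ,]+", value.strip()) if n]
    return names


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def created_alongside(dll, combofix_log):
    """Return (creation stamp, paths created in the same minute), or None."""
    rows = ROW_RE.findall(combofix_log)
    stamp = next((s for s, p in rows if basename(p) == dll.lower()), None)
    if stamp is None:
        return None  # DLL is outside the log's "Files Created" date range
    return stamp, [p for s, p in rows
                   if s == stamp and basename(p) != dll.lower()]


def triage(hjt_log, combofix_log):
    """Map every AppInit DLL to whatever was created in the same minute as it."""
    return {dll: created_alongside(dll, combofix_log)
            for dll in appinit_dlls(hjt_log)}
```

A same-minute match is a lead on which installer wrote the file, not proof of origin, since file timestamps can be set by whatever creates the file; confirm with the file's version information and signature.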
 
Oh, and I forgot to say, I tried some programs and they open with no BSOD at the moment, but now there seems to be a display issue.. There's like a black border around the game screen and it's full mode only.. It's only within the game, and the screen looks fine when you tab out...
 
Must be caused by ComboFix. I was too late to see that Cohen suggested a ComboFix.
On a clean computer, it's pointless and may do some tiny damage.
I have no idea how to solve your problem now.
You could try System Restore to the previous day and repeat the HijackThis fixes.

Please tell us if you receive another BSoD.

Cohen, in future, please don't try helping people especially not with the ComboFix.
I know I'm not a mod or an admin but I think you should at least have some minimum knowledge about the tools you're using. Enjoy the learning on MalwareRemoval and be sure to read ALL the articles.
 