Malware Suspected cause of xcpip.sys BSOD



#16
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
proquota works now. But we are still seeing a bunch of unsigned files. Let's see what sigcheck says:

Download Sigcheck from http://technet.micro...s/bb897441.aspx

Save it and then right click on it and Extract All. Copy sigcheck.exe to c:\

Start, Run, cmd, OK then type with an Enter after each line:

cd  \

sigcheck  -q  -i  c:\windows\system32\drivers\atapi.sys  >  \junk.txt

notepad  \junk.txt

Copy and paste the text from Notepad into a reply. Note the line that starts with Catalog.

On my win 7 it says:

Catalog: C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_2_for_KB2292867~31bf3856ad364e35~x86~~6.1.1.0.cat


I think this is pointing to the file which keeps the signature. Is the file there?


#17
HDL

HDL

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Have I done it wrong? I only see

c:\windows\system32\drivers\atapi.sys:
Verified: Unsigned
File date: 19:40 13/04/2008
Publisher: Microsoft Corporation
Description: IDE/ATAPI Port Driver
Product: Microsoft® Windows® Operating System
Version: 5.1.2600.5512
File version: 5.1.2600.5512 (xpsp.080413-2108)

#18
RKinner

Copy the next line:

dir /a \windows\system32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} \junk.txt

Start, Run, cmd, OK to bring up a command window. Right click and Paste or Edit then Paste and the copied line should appear. Hit Enter. Then type with an Enter after the line:
notepad  \junk.txt

Copy and paste the text from Notepad into a reply.

#19
HDL

It didn't work the first couple of times I tried it so I tried "dir /a \windows\system32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} > \junk.txt" instead.

Volume in drive C is HDD
Volume Serial Number is B0C0-8360

Directory of C:\windows\system32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}

21/07/2012 10:07 <DIR> .
21/07/2012 10:07 <DIR> ..
11/12/2002 19:37 7,179 asferr.CAT
05/02/2005 20:56 7,479 d3dx9_24_x86.CAT
18/03/2005 18:31 7,479 d3dx9_25_x86.CAT
26/05/2005 16:43 7,479 d3dx9_26_x86.CAT
22/07/2005 21:08 7,740 d3dx9_27_x86.CAT
05/12/2005 19:27 7,927 d3dx9_28_x86.CAT
03/02/2006 09:54 7,927 d3dx9_29_x86.CAT
31/03/2006 13:49 7,927 d3dx9_30_x86.CAT
28/09/2006 16:19 7,927 d3dx9_31_x86.CAT
08/12/2006 12:08 7,927 d3dx9_32_x86.CAT
14/04/2008 03:04 34,063 fp4.cat
10/08/2004 14:00 13,472 HPCRDP.CAT
10/08/2004 14:00 8,574 IASNT4.CAT
08/03/2009 14:23 47,422 ie8.cat
14/04/2008 03:04 16,535 ims.cat
15/07/2010 08:28 7,860 KB2079403.cat
15/06/2010 17:43 7,860 KB2115168.cat
18/06/2010 18:56 7,860 KB2121546.cat
04/08/2010 10:40 7,860 KB2141007.cat
23/06/2010 02:03 7,170 KB2158563.cat
28/06/2010 11:41 8,158 KB2160329.cat
24/06/2010 14:22 19,446 KB2183461-IE8.cat
15/06/2010 17:37 9,146 KB2229593.cat
28/06/2010 11:55 7,860 KB2259922.cat
01/09/2010 17:21 7,860 KB2279986.cat
27/07/2010 07:46 7,860 KB2286198.cat
23/08/2010 17:36 8,150 KB2296011.cat
28/10/2010 14:20 7,860 KB2296199.cat
07/09/2010 12:12 8,864 KB2345886.cat
17/08/2010 15:30 7,860 KB2347290.cat
10/09/2010 07:34 20,858 KB2360131-IE8.cat
16/08/2010 10:01 8,158 KB2360937.cat
06/09/2010 16:20 7,470 KB2378111.cat
18/09/2010 08:26 9,965 KB2387149.cat
09/12/2010 16:29 11,198 KB2393802.cat
23/10/2010 02:10 7,797 KB2412687.cat
06/11/2010 02:07 21,564 KB2416400-IE8.cat
09/11/2010 16:09 14,920 KB2419632.cat
20/10/2010 14:08 7,860 KB2423089.cat
26/10/2010 15:24 8,158 KB2436673.cat
03/11/2010 19:50 7,860 KB2440591.cat
19/11/2010 06:32 7,860 KB2443105.cat
05/11/2010 15:13 7,170 KB2443685.cat
02/11/2010 15:13 8,948 KB2447961.cat
20/11/2010 13:08 7,154 KB2467659.cat
01/03/2011 05:27 7,860 KB2476490.cat
09/12/2010 15:37 7,860 KB2476687.cat
20/12/2010 18:30 7,860 KB2478960.cat
22/12/2010 13:47 7,860 KB2478971.cat
31/12/2010 15:09 8,158 KB2479628.cat
02/02/2011 09:02 9,272 KB2481109.cat
21/12/2010 01:11 21,564 KB2482017-IE8.cat
21/01/2011 15:48 8,566 KB2483185.cat
07/01/2011 16:39 7,860 KB2485376.cat
21/12/2010 20:44 7,860 KB2485663.cat
23/02/2011 00:31 21,564 KB2497640-IE8.cat
07/03/2011 06:44 7,860 KB2503658.cat
08/02/2011 14:45 8,566 KB2506212.cat
03/03/2011 15:05 8,158 KB2506223.cat
16/02/2011 07:57 7,860 KB2507618.cat
26/04/2011 12:08 8,566 KB2507938.cat
15/03/2011 13:59 7,154 KB2508272.cat
18/02/2011 13:03 8,158 KB2508429.cat
03/03/2011 07:57 11,680 KB2509553.cat
04/03/2011 07:40 8,566 KB2510531-IE8.cat
18/02/2011 12:44 7,860 KB2511455.cat
19/03/2011 18:59 7,154 KB2524375.cat
21/04/2011 15:23 7,860 KB2535512.cat
15/07/2011 15:57 7,860 KB2536276-v2.cat
30/04/2011 04:05 7,860 KB2544521-IE8.cat
10/10/2011 15:27 7,860 KB2544893-v2.cat
26/09/2011 11:37 8,357 KB2564958.cat
08/07/2011 16:11 7,860 KB2566454.cat
02/08/2011 17:49 7,154 KB2570947.cat
20/11/2011 07:17 7,860 KB2584146.cat
16/11/2011 15:27 8,566 KB2585542.cat
18/08/2011 07:23 7,860 KB2592799.cat
14/10/2011 15:52 8,566 KB2598479.cat
03/11/2011 19:22 7,452 KB2603381.cat
17/01/2012 18:03 13,293 KB2604042.cat
06/11/2011 21:32 7,154 KB2618451.cat
28/10/2011 06:38 7,860 KB2620712.cat
01/11/2011 17:11 7,860 KB2624667.cat
03/11/2011 16:42 8,566 KB2631813.cat
08/11/2011 16:03 7,170 KB2633952.cat
25/11/2011 23:01 7,860 KB2646524.cat
29/02/2012 15:12 8,566 KB2653956.cat
04/06/2012 05:34 8,410 KB2655992.cat
27/04/2012 10:56 11,034 KB2656378.cat
09/02/2012 16:57 7,797 KB2659262.cat
11/01/2012 20:13 7,860 KB2661637.cat
11/04/2012 15:00 11,496 KB2676562.cat
02/05/2012 14:49 8,410 KB2685939.cat
19/04/2012 13:28 8,002 KB2686509.cat
08/06/2012 15:27 8,410 KB2691442.cat
02/04/2012 11:58 7,154 KB2695962.cat
28/05/2012 19:19 12,293 KB2698365.cat
16/05/2012 16:15 23,526 KB2699988-IE8.cat
05/05/2012 04:19 11,042 KB2707511.cat
13/06/2012 15:02 8,708 KB2718523.cat
31/05/2012 14:33 8,410 KB2718704.cat
05/06/2012 16:51 9,116 KB2719985.cat
10/01/2005 10:57 29,535 KB888111WXPSP2.cat
04/05/2005 14:45 29,493 KB893803v2_wxp.cat
04/05/2006 18:37 7,898 KB917734.cat
27/03/2009 08:59 13,937 KB923561.cat
13/02/2007 22:44 11,494 KB923689.cat
29/08/2006 16:29 8,824 KB923723.cat
21/05/2007 14:22 11,527 KB925398.cat
01/05/2007 02:27 10,335 KB936782.cat
19/12/2008 12:56 10,074 KB938464-v2.cat
27/10/2007 17:16 12,090 KB941569.cat
02/05/2008 16:01 12,431 KB946648.cat
24/04/2008 09:12 10,439 KB950760.cat
08/05/2008 22:25 12,431 KB950762.cat
07/07/2008 21:59 12,431 KB950974.cat
11/04/2008 20:18 12,431 KB951066.cat
16/06/2008 21:12 12,431 KB951376-v2.cat
07/05/2008 06:38 12,431 KB951698.cat
21/06/2008 11:36 18,785 KB951748.cat
19/06/2008 10:25 15,271 KB951978.cat
12/06/2008 16:35 19,491 KB952004.cat
16/12/2008 13:06 13,925 KB952069.cat
01/05/2008 16:30 12,431 KB952287.cat
24/06/2008 18:04 12,431 KB952954.cat
12/08/2009 16:03 11,723 KB953295.cat
27/05/2009 09:51 8,327 KB954155.cat
25/06/2008 17:46 11,380 KB954156.cat
10/09/2008 02:31 11,145 KB954459.cat
06/07/2008 13:06 16,633 KB954550-v5.cat
03/10/2008 11:46 10,200 KB954600.cat
10/09/2008 04:12 12,431 KB955069.cat
21/11/2009 18:03 11,111 KB955759.cat
23/10/2008 20:58 10,200 KB955839.cat
06/03/2009 19:33 29,707 KB956572.cat
19/06/2009 06:31 13,466 KB956744.cat
23/10/2008 14:26 10,200 KB956802.cat
14/08/2008 16:33 12,431 KB956803.cat
14/08/2008 16:33 17,099 KB956841.cat
23/06/2009 22:40 9,383 KB956844.cat
24/10/2008 16:06 10,200 KB957097.cat
16/10/2008 14:48 25,324 KB958215.cat
15/10/2008 18:47 10,200 KB958644.cat
11/12/2008 18:01 10,200 KB958687.cat
09/02/2009 16:10 10,511 KB958690.cat
13/08/2009 15:09 8,021 KB958869.cat
21/03/2009 18:26 11,612 KB959426.cat
05/12/2008 13:36 10,200 KB960225.cat
13/12/2008 05:46 10,200 KB960714.cat
15/01/2009 20:26 8,208 KB960715.cat
16/12/2008 14:52 10,200 KB960803.cat
01/07/2009 10:32 10,795 KB960859.cat
09/01/2009 20:19 8,208 KB961118.cat
16/06/2009 16:11 10,782 KB961371.cat
21/12/2008 01:08 10,200 KB961373.cat
07/05/2009 16:58 9,370 KB961501.cat
03/03/2009 04:33 28,148 KB963027.cat
10/02/2009 21:48 10,566 KB967715.cat
02/03/2009 14:38 8,097 KB968220-IE8.cat
02/07/2009 14:37 18,195 KB968389.cat
19/04/2009 21:40 10,713 KB968537.cat
15/06/2009 14:34 8,327 KB968816.cat
17/07/2009 17:52 9,370 KB969059.cat
13/05/2009 07:18 15,157 KB969897-IE8.cat
08/05/2009 22:40 7,378 KB969898.cat
14/08/2009 18:32 9,681 KB969947.cat
15/04/2009 16:54 10,511 KB970238.cat
21/10/2009 07:20 12,194 KB970430.cat
16/07/2009 05:28 7,394 KB970653-v3.cat
28/07/2009 01:02 11,148 KB971029.cat
04/01/2010 19:00 9,383 KB971468.cat
04/08/2009 19:04 14,051 KB971486.cat
10/06/2009 16:05 9,370 KB971557.cat
03/06/2009 20:43 9,370 KB971633.cat
10/06/2009 07:48 9,370 KB971657.cat
25/08/2009 10:59 9,383 KB971737.cat
22/06/2009 08:08 8,084 KB971961-IE8.cat
19/07/2009 17:08 18,258 KB972260-IE8.cat
15/10/2009 18:58 10,782 KB972270.cat
07/07/2009 06:47 7,378 KB973346.cat
10/07/2009 16:02 9,370 KB973354.cat
17/07/2009 22:21 9,370 KB973507.cat
10/09/2009 01:50 7,378 KB973525.cat
14/07/2009 16:33 8,625 KB973540.cat
31/07/2009 06:16 10,076 KB973687.cat
18/08/2009 10:59 8,222 KB973768.cat
05/08/2009 10:31 9,383 KB973815.cat
28/07/2009 00:53 9,383 KB973869.cat
21/11/2009 11:25 10,999 KB973904.cat
26/08/2009 09:28 9,370 KB974112.cat
12/10/2009 15:08 10,782 KB974318.cat
13/10/2009 12:23 9,370 KB974392.cat
29/08/2009 10:11 18,271 KB974455-IE8.cat
04/09/2009 22:35 9,383 KB974571.cat
01/09/2009 15:55 9,370 KB975025.cat
11/09/2009 16:03 9,723 KB975467.cat
05/04/2010 18:56 8,303 KB975558.cat
27/11/2009 18:51 10,795 KB975560.cat
24/10/2009 00:54 9,370 KB975561.cat
07/04/2010 17:36 9,383 KB975562.cat
08/12/2009 10:38 9,383 KB975713.cat
12/02/2010 17:18 7,109 KB976002-v5.cat
29/10/2009 03:21 7,407 KB976098-v2.cat
29/10/2009 10:53 18,271 KB976325-IE8.cat
09/12/2009 07:06 8,097 KB976662-IE8.cat
22/10/2009 10:37 8,084 KB976749-IE8.cat
09/12/2009 12:05 14,051 KB977165.cat
29/01/2010 15:58 8,803 KB977816.cat
27/11/2009 18:13 15,031 KB977914.cat
14/12/2009 08:47 9,383 KB978037.cat
05/01/2010 22:27 18,271 KB978207-IE8.cat
07/12/2009 06:43 9,383 KB978251.cat
08/01/2010 15:26 7,391 KB978262.cat
12/02/2010 05:57 10,795 KB978338.cat
29/01/2010 16:41 10,795 KB978542.cat
24/12/2009 08:18 9,383 KB978601.cat
14/04/2010 10:38 8,299 KB978695.cat
17/12/2009 09:22 9,383 KB978706.cat
23/01/2010 11:51 7,407 KB979306.cat
13/01/2010 15:22 9,383 KB979309.cat
07/04/2010 10:57 8,297 KB979332.cat
05/03/2010 16:26 9,383 KB979482.cat
02/05/2010 09:42 9,442 KB979559.cat
05/03/2010 17:30 14,349 KB979683.cat
16/07/2010 13:36 8,862 KB979687.cat
05/03/2010 11:30 7,886 KB979904.cat
25/02/2010 09:01 18,977 KB980182-IE8.cat
05/05/2010 06:25 7,152 KB980195.cat
20/04/2010 07:01 9,144 KB980218.cat
25/02/2010 13:51 9,383 KB980232.cat
30/06/2010 13:42 7,858 KB980436.cat
15/07/2010 14:10 7,858 KB981322.cat
10/03/2010 07:29 8,097 KB981332-IE8.cat
22/04/2010 23:33 7,168 KB981793.cat
18/06/2010 07:43 10,490 KB981852.cat
01/09/2010 17:21 8,156 KB981957.cat
21/06/2010 16:04 7,858 KB981997.cat
27/08/2010 09:30 7,858 KB982132.cat
21/06/2010 18:36 7,858 KB982214.cat
06/05/2010 12:36 19,444 KB982381-IE8.cat
17/06/2010 15:12 7,858 KB982665.cat
23/07/2010 07:18 8,156 KB982802.cat
10/08/2004 14:00 399,645 MAPIMIG.CAT
28/09/2004 02:09 185,192 MC05Upd1.cat
14/04/2008 03:04 34,747 mediactr.cat
14/04/2008 03:04 12,363 msmsgs.cat
14/04/2008 03:04 26,991 msn7.cat
14/04/2008 03:04 14,433 msn9.cat
14/04/2008 03:04 10,027 mstsweb.cat
06/07/2008 13:06 10,929 msxpsdrv.CAT
10/08/2004 14:00 37,484 MW770.CAT
14/04/2008 03:04 144,484 netfx.cat
14/04/2008 03:04 2,144,487 nt5.cat
10/08/2004 14:00 797,189 NT5IIS.CAT
14/04/2008 03:04 522,220 nt5inf.cat
09/01/2009 20:19 1,089,593 ntprint.cat
08/01/2004 17:33 8,492 oem0.CAT
19/12/2005 21:02 7,947 oem1.CAT
01/05/2003 13:52 7,696 oem10.CAT
29/11/2004 09:33 8,642 oem11.CAT
28/01/2002 12:56 7,164 oem12.CAT
14/12/2002 20:58 7,266 oem13.CAT
22/04/2004 13:42 7,405 oem14.CAT
10/05/2004 18:43 7,405 oem15.CAT
18/10/2002 02:32 7,172 oem16.CAT
04/09/2001 12:57 7,160 oem17.CAT
16/10/2008 14:24 45,886 oem18.CAT
29/02/2008 10:18 10,785 oem19.CAT
10/01/2003 16:13 7,592 oem2.CAT
06/08/2009 19:37 45,056 oem21.CAT
07/10/2010 15:28 8,607 oem22.CAT
03/06/2009 10:32 7,994 oem24.CAT
29/09/2010 07:36 11,933 oem25.CAT
16/04/2007 22:58 41,586 oem3.CAT
13/08/2004 11:32 7,579 oem36.CAT
02/06/2012 15:32 45,380 oem37.CAT
17/11/2006 15:41 89,339 oem4.CAT
27/10/2006 12:58 492,365 oem5.CAT
24/12/2003 10:02 8,367 oem6.CAT
18/12/2003 10:52 9,658 oem7.CAT
11/12/2002 23:51 8,092 oem8.CAT
27/09/2002 19:36 7,180 oem9.CAT
04/10/2001 12:05 7,046 OEMBIOS.CAT
10/08/2004 14:00 77,881 plus.cat
10/08/2004 14:00 17,916 sonic.cat
10/08/2004 14:00 106,147 SP2.CAT
14/04/2008 07:40 1,296,669 sp3.cat
14/04/2008 03:04 36,549 spdelta.cat
14/04/2008 03:10 112,918 tabletpc.cat
21/07/2012 15:36 8 TimeStamp
10/08/2004 14:00 7,334 wmerrenu.cat
06/11/2002 14:53 7,527 wmstypelib.CAT
29/06/2005 09:23 11,185 x10ufx2.CAT
31/03/2006 13:49 8,225 xact2_1_x86.CAT
31/05/2006 08:33 8,225 xact2_2_x86.CAT
28/07/2006 10:23 8,225 xact2_3_x86.CAT
28/09/2006 16:19 8,225 xact2_4_x86.CAT
08/12/2006 12:08 8,225 xact2_5_x86.CAT
24/01/2007 15:35 10,662 xact2_6_x86.CAT
03/02/2006 09:54 8,225 xact_x86.CAT
31/03/2006 13:49 7,927 xinput1_1_x86.CAT
28/07/2006 10:23 7,927 xinput1_2_x86.CAT
05/12/2005 19:27 7,927 xinput9_1_0_x86.CAT
303 File(s) 10,706,264 bytes
2 Dir(s) 64,475,435,008 bytes free

#20
RKinner

Sorry for the typo. Was using my netbook with a small screen and non-standard keyboard. Glad you figured it out.

This line:

14/04/2008 03:04 2,144,487 nt5.cat


appears to be exactly the same as mine, which is what my XP says is the catalog source for atapi.sys. I think they use this info to create the file Catdb

Which should be at:

\windows\system32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb

The MS FixIt I asked you to run was supposed to recreate the database but it may not have worked so let's try it manually.

Start, Run, cmd, OK then type with an Enter after each line:


net  stop  cryptsvc


ren  \windows\System32\Catroot2  badcatroot2


net  start  cryptsvc

(DO NOT TOUCH CATROOT (without the 2))

Then reboot

Look in \windows\system32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\ and see if you have a catdb with a recent date.

Then run sigcheck as before and see if the output is any different:


Start, Run, cmd, OK then type with an Enter after each line:

cd  \



sigcheck  -q  -i  c:\windows\system32\drivers\atapi.sys  >  \junk.txt



notepad  \junk.txt


#21
HDL

It's telling me that The Following Services are dependent on the cryptsvc service: Truevector Internet Monitor. Then it's asking me if I want to continue with the operation. When I type Y or YES it then says "The requested pause or stop is not valid for this service." And then more help is available by typing NET HELPMSG 2191

Should I still continue with the rest of what you've said to do?

- Oh never mind it's part of Zone Alarm. I turned Zone Alarm off and I can continue now.

Edited by HDL, 21 July 2012 - 10:58 AM.


#22
HDL

c:\windows\system32\drivers\atapi.sys:
Verified: Signed
Catalog: C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\nt5.cat
Signers:
Microsoft Windows Component Publisher
Microsoft Windows Verification Intermediate PCA
Microsoft Root Authority
Signing date: 03:07 14/04/2008
Publisher: Microsoft Corporation
Description: IDE/ATAPI Port Driver
Product: Microsoft® Windows® Operating System
Version: 5.1.2600.5512
File version: 5.1.2600.5512 (xpsp.080413-2108)
  • 0
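
The two sigcheck outputs posted above (Unsigned in #17, Signed in #22) can be compared mechanically. This is an added example, not part of any post in the thread: it parses sigcheck's text output in the layout shown here and reports what changed between the two runs. The function names and status labels are assumptions of the example.

```python
import ntpath
import re

# Constructed samples: the atapi.sys outputs posted in this thread, trimmed.
BEFORE = r"""
c:\windows\system32\drivers\atapi.sys:
Verified: Unsigned
File date: 19:40 13/04/2008
Publisher: Microsoft Corporation
Description: IDE/ATAPI Port Driver
Version: 5.1.2600.5512
"""

AFTER = r"""
c:\windows\system32\drivers\atapi.sys:
Verified: Signed
Catalog: C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\nt5.cat
Signers:
Microsoft Windows Component Publisher
Microsoft Windows Verification Intermediate PCA
Microsoft Root Authority
Signing date: 03:07 14/04/2008
Publisher: Microsoft Corporation
Description: IDE/ATAPI Port Driver
Version: 5.1.2600.5512
"""

PATH_LINE = re.compile(r"^([A-Za-z]:\\.+):$")               # "c:\...\atapi.sys:"
FIELD_LINE = re.compile(r"^([A-Za-z][A-Za-z ]*):\s+(.*)$")  # "Verified: Signed"


def parse_sigcheck(text):
    """Return one dict per file block; field names are lower-cased."""
    records, cur, in_signers = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PATH_LINE.match(line)
        if m:                                   # start of a new file block
            cur = {"path": m.group(1), "signers": []}
            records.append(cur)
            in_signers = False
        elif cur is None:
            continue                            # banner text before first file
        elif line == "Signers:":
            in_signers = True
        else:
            m = FIELD_LINE.match(line)
            if m:                               # any "Key: value" ends the list
                in_signers = False
                cur[m.group(1).lower()] = m.group(2)
            elif in_signers:
                cur["signers"].append(line)     # chain entry, leaf first
    return records


def triage(rec):
    """Classify a record. Publisher reads the same in both posted outputs, so
    it is not what the signature check changed; only Verified, Catalog and
    Signers say whether the file was actually validated."""
    verified = rec.get("verified", "").lower()
    if verified == "signed":
        in_catroot = "\\catroot\\" in rec.get("catalog", "").lower()
        return "catalog-signed" if in_catroot else "signed"
    if "microsoft" in rec.get("publisher", "").lower():
        # Claims Microsoft but nothing vouches for it: broken catalog
        # database (as in this thread) or a modified file.
        return "unverified-claims-microsoft"
    return "unsigned"


def changes(before_text, after_text):
    """List (path, old_status, new_status) for files whose status changed."""
    old = {r["path"].lower(): triage(r) for r in parse_sigcheck(before_text)}
    out = []
    for rec in parse_sigcheck(after_text):
        key = rec["path"].lower()
        new = triage(rec)
        if key in old and old[key] != new:
            out.append((key, old[key], new))
    return out


if __name__ == "__main__":
    for path, was, now in changes(BEFORE, AFTER):
        print(f"{path}: {was} -> {now}")
    rec = parse_sigcheck(AFTER)[0]
    print("catalog:", ntpath.basename(rec["catalog"]), "root:", rec["signers"][-1])
```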

#23
RKinner

I think that fixed it. Probably when you ran the fixit, ZoneAlarm kept it from working. Have to remember that.

If you run Combofix or TDSSKiller again I expect we won't see a lot of complaints about unsigned files.

Let's fix the out of date anti-virus now.

Download and save the AVG removal tool
http://download.avg....6_2011_1184.exe

Download and save the free Avast installer.
http://www.avast.com...ivirus-download

Uninstall AVG

Run the Avg Remover

Reboot

Install Avast. (Register when it asks you - they will try to talk you into buying the full product but the free version is what we want.)
Once you have it installed and it has updated:

Click on the Avast ball. Then click on Scan Computer, then on Boot-Time Scan, then on Settings. Change the Ask at the bottom to Move to Chest. OK then Schedule Now. Reboot and let it run a scan. It may take hours so you may want to let it run tonight.

Once it finishes it should load windows. Click on the Avast ball and then on Scan Logs, select the Boot-time scan report then View Results. How many did it find?

I think on XP systems the log file can be found in text form in C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\report\boot.txt

Start, Run, eventvwr.msc, OK to bring up the Event Viewer. Right click on System and Clear All Events, No (we don't want to save the old log), OK. Repeat for Application.

Reboot.


1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop.
2. Double-click VEW.exe
3. Under 'Select log to query', select:
* System
4. Under 'Select type to list', select:
* Error
* Warning

Then use the 'Number of events' as follows:

1. Click the radio button for 'Number of events'
2. Type 20 in the 1 to 20 box
3. Then click the Run button.

Notepad will open with the output log.


Please post the Output log in your next reply then repeat but select Application.

Ron

#24
HDL

Wow that took six hours.

07/21/2012 21:32
Scan of all local drives

File C:\Documents and Settings\All Users\Application Data\BigFishGamesCache\AssetDownloads\promo.zip|>default\en_US\images\ad_promo.jpg Error 42125 {ZIP archive is corrupted.}
File C:\Documents and Settings\Owner\My Documents\Downloads\Internet_Antivirus_Pro_Fix.rar|>Internet_Antivirus_Pro_Fix.exe Error 42126 {RAR archive is corrupted.}
File C:\Documents and Settings\Owner\My Documents\My Completed Downloads\huntingfrenzy_1.zip.dap|>hunting frenzy\hunting frenzy.exe Error 42125 {ZIP archive is corrupted.}
File C:\Documents and Settings\Owner\My Documents\My Completed Downloads\InstallAbraAcademy.exe|>[Embedded_R#0001280]|>%MAINDIR%\product\musicsfx\wrong_click_2.ogg Error 42145 {Installer archive is corrupted.}
File C:\Documents and Settings\Owner\My Documents\My Completed Downloads\InstallLuxorQuestForTheAfterlife.exe.dap|>[Embedded_I#0001800]|>%MAINDIR%\product\data.npk Error 42145 {Installer archive is corrupted.}
File C:\Documents and Settings\Owner\My Documents\My Completed Downloads\InstallLuxorQuestForTheAfterlife.exe.dap|>[Embedded_I#0001800]|>Wise0021.bin Error 42145 {Installer archive is corrupted.}
File C:\Documents and Settings\Owner\My Documents\My Completed Downloads\InstallLuxorQuestForTheAfterlife.exe.dap|>[Embedded_I#0001800]|>Wise0025.bin Error 42145 {Installer archive is corrupted.}
File C:\Documents and Settings\Owner\My Documents\My Completed Downloads\InstallMyTribe.exe.dap|>[Embedded_I#0001800]|>%MAINDIR%\product\resource.dat Error 42145 {Installer archive is corrupted.}
File C:\Documents and Settings\Owner\My Documents\My Completed Downloads\InstallMyTribe.exe.dap|>[Embedded_I#0001800]|>Wise0100.bin Error 42145 {Installer archive is corrupted.}
File C:\Documents and Settings\Owner\My Documents\My Completed Downloads\InstallShamanOdysseyTropicAdventure.exe|>[Embedded_I#0001800]|>%MAINDIR%\product\data\textures\Map_05.png Error 42145 {Installer archive is corrupted.}
File C:\Documents and Settings\Owner\My Documents\My Completed Downloads\Kudos_Rock_Legend-setup.exe|>[Embedded_I#002102d]|>data\{37CBEC2F-C1EA-4E7A-84AC-A3BE7D2F309A}\736\KudosRockLegend.exe is infected by Win32:Trojan-gen, Moved to chest
File C:\Documents and Settings\Owner\My Documents\My Completed Downloads\X6.dap|>MPE public demo\MarineParkEmpireDemo.exe Error 42125 {ZIP archive is corrupted.}
File C:\gPotato\Luna Online\USMC09052001.zip|>LUNAClient.exe Error 42125 {ZIP archive is corrupted.}
File C:\My Games\Big Island Blends\bigislandblends.rga|>skeleton.bin Error 42126 {RAR archive is corrupted.}
File C:\TDSSKiller_Quarantine\20.07.2012_09.25.42\mbr0000\mbr0000\tsk0000.dta is infected by Win32:MBRoot-J [Trj], Moved to chest
File C:\TDSSKiller_Quarantine\20.07.2012_09.25.42\mbr0000\mbr0000\tsk0001.dta is infected by Win32:MBRoot-J [Trj], Moved to chest
File C:\WINDOWS\Internet Logs\tvDebug.Zip Error 42110 {The file is a decompression bomb.}
Number of searched folders: 32408
Number of tested files: 1586850
Number of infected files: 3
  • 0
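
The boot-time scan report above mixes three detections with a longer run of archive read errors. This is an added example, not part of any post in the thread: it parses report lines in the format shown here, separates detections from errors, and checks the detection count against the report footer. The function names, and the choice to list files under the TDSSKiller_Quarantine folder separately, are assumptions of the example.

```python
import re
from collections import Counter

# Constructed sample: lines taken from the report posted above, trimmed.
REPORT = r"""
File C:\gPotato\Luna Online\USMC09052001.zip|>LUNAClient.exe Error 42125 {ZIP archive is corrupted.}
File C:\Documents and Settings\Owner\My Documents\My Completed Downloads\Kudos_Rock_Legend-setup.exe|>[Embedded_I#002102d]|>data\{37CBEC2F-C1EA-4E7A-84AC-A3BE7D2F309A}\736\KudosRockLegend.exe is infected by Win32:Trojan-gen, Moved to chest
File C:\My Games\Big Island Blends\bigislandblends.rga|>skeleton.bin Error 42126 {RAR archive is corrupted.}
File C:\TDSSKiller_Quarantine\20.07.2012_09.25.42\mbr0000\mbr0000\tsk0000.dta is infected by Win32:MBRoot-J [Trj], Moved to chest
File C:\TDSSKiller_Quarantine\20.07.2012_09.25.42\mbr0000\mbr0000\tsk0001.dta is infected by Win32:MBRoot-J [Trj], Moved to chest
File C:\WINDOWS\Internet Logs\tvDebug.Zip Error 42110 {The file is a decompression bomb.}
Number of infected files: 3
"""

INFECTED = re.compile(
    r"^File (?P<path>.+?) is infected by (?P<threat>.+?), (?P<action>.+)$")
ERROR = re.compile(r"^File (?P<path>.+?) Error (?P<code>\d+) \{(?P<msg>.*)\}$")
FOOTER = re.compile(r"^Number of infected files: (\d+)$")

# Assumption: another scanner's quarantine folder, as seen in the report.
OTHER_QUARANTINE = ("\\tdsskiller_quarantine\\",)


def split_path(path):
    """'outer.zip|>inner.exe' -> ('outer.zip', ['inner.exe'])."""
    container, *members = path.split("|>")
    return container, members


def parse_report(text):
    """Sort report lines into detections and scan errors; keep the footer count."""
    detections, errors, declared = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = INFECTED.match(line)
        if m:
            container, members = split_path(m.group("path"))
            detections.append({"container": container, "members": members,
                               "threat": m.group("threat"),
                               "action": m.group("action")})
            continue
        m = ERROR.match(line)
        if m:
            container, members = split_path(m.group("path"))
            errors.append({"container": container, "members": members,
                           "code": m.group("code"), "msg": m.group("msg")})
            continue
        m = FOOTER.match(line)
        if m:
            declared = int(m.group(1))
    return {"detections": detections, "errors": errors, "declared": declared}


def summarize(report):
    """Split detections by location and count errors per error code."""
    on_disk, in_other = [], []
    for d in report["detections"]:
        low = d["container"].lower()
        target = in_other if any(q in low for q in OTHER_QUARANTINE) else on_disk
        target.append(d)
    return {
        "on_disk": on_disk,
        "in_other_quarantine": in_other,
        "errors_by_code": Counter(e["code"] for e in report["errors"]),
        # A mismatch means a line format this parser did not recognise.
        "count_matches_footer": report["declared"] == len(report["detections"]),
    }


if __name__ == "__main__":
    s = summarize(parse_report(REPORT))
    for d in s["on_disk"]:
        print("detection:", d["threat"], "in", d["container"])
    print("inside another tool's quarantine:", len(s["in_other_quarantine"]))
    print("errors by code:", dict(s["errors_by_code"]))
    print("matches footer:", s["count_matches_footer"])
```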

#25
HDL

Vino's Event Viewer v01c run on Windows XP in English
Report run at 22/07/2012 05:48:48

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 22/07/2012 02:53:03
Type: error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: AVGIDSHX

Log: 'System' Date/Time: 22/07/2012 02:53:02
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The npkcrypt service failed to start due to the following error: The system cannot find the file specified.

Log: 'System' Date/Time: 21/07/2012 18:38:31
Type: error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: AVGIDSHX

Log: 'System' Date/Time: 21/07/2012 18:38:27
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The npkcrypt service failed to start due to the following error: The system cannot find the file specified.

Log: 'System' Date/Time: 21/07/2012 18:02:11
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The npkcrypt service failed to start due to the following error: The system cannot find the file specified.

Log: 'System' Date/Time: 21/07/2012 16:18:36
Type: error Category: 0
Event: 10010 Source: DCOM
The server {02D4B3F1-FD88-11D1-960D-00805FC79235} did not register with DCOM within the required timeout.

Log: 'System' Date/Time: 21/07/2012 16:17:39
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The npkcrypt service failed to start due to the following error: The system cannot find the file specified.

Log: 'System' Date/Time: 21/07/2012 15:11:26
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The npkcrypt service failed to start due to the following error: The system cannot find the file specified.

Log: 'System' Date/Time: 21/07/2012 13:22:32
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The npkcrypt service failed to start due to the following error: The system cannot find the file specified.

Log: 'System' Date/Time: 21/07/2012 12:26:28
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The npkcrypt service failed to start due to the following error: The system cannot find the file specified.

Log: 'System' Date/Time: 21/07/2012 09:57:42
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The npkcrypt service failed to start due to the following error: The system cannot find the file specified.

Log: 'System' Date/Time: 21/07/2012 09:52:31
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The npkcrypt service failed to start due to the following error: The system cannot find the file specified.

Log: 'System' Date/Time: 21/07/2012 06:52:25
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The npkcrypt service failed to start due to the following error: The system cannot find the file specified.

Log: 'System' Date/Time: 20/07/2012 18:47:07
Type: error Category: 0
Event: 7022 Source: Service Control Manager
The AVGIDSAgent service hung on starting.

Log: 'System' Date/Time: 20/07/2012 18:45:28
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The npkcrypt service failed to start due to the following error: The system cannot find the file specified.

Log: 'System' Date/Time: 20/07/2012 10:20:27
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The npkcrypt service failed to start due to the following error: The system cannot find the file specified.

Log: 'System' Date/Time: 20/07/2012 09:29:33
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The npkcrypt service failed to start due to the following error: The system cannot find the file specified.

Log: 'System' Date/Time: 20/07/2012 09:19:26
Type: error Category: 0
Event: 7023 Source: Service Control Manager
The Automatic Updates service terminated with the following error: General access denied error

Log: 'System' Date/Time: 20/07/2012 09:00:21
Type: error Category: 0
Event: 7022 Source: Service Control Manager
The AVGIDSAgent service hung on starting.

Log: 'System' Date/Time: 20/07/2012 08:58:35
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The npkcrypt service failed to start due to the following error: The system cannot find the file specified.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 21/07/2012 08:11:02
Type: warning Category: 0
Event: 11050 Source: dnscache
The DNS Client service could not contact any DNS servers for a repeated number of attempts. For the next 30 seconds the DNS Client service will not use the network to avoid further network performance problems. It will resume its normal behavior after that. If this problem persists, verify your TCP/IP configuration, specifically check that you have a preferred (and possibly an alternate) DNS server configured. If the problem continues, verify network conditions to these DNS servers or contact your network administrator.

Log: 'System' Date/Time: 20/07/2012 18:30:52
Type: warning Category: 0
Event: 11050 Source: dnscache
The DNS Client service could not contact any DNS servers for a repeated number of attempts. For the next 30 seconds the DNS Client service will not use the network to avoid further network performance problems. It will resume its normal behavior after that. If this problem persists, verify your TCP/IP configuration, specifically check that you have a preferred (and possibly an alternate) DNS server configured. If the problem continues, verify network conditions to these DNS servers or contact your network administrator.

Log: 'System' Date/Time: 20/07/2012 08:45:44
Type: warning Category: 0
Event: 36 Source: W32Time
The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized.

Log: 'System' Date/Time: 20/07/2012 06:55:59
Type: warning Category: 0
Event: 11050 Source: dnscache
The DNS Client service could not contact any DNS servers for a repeated number of attempts. For the next 30 seconds the DNS Client service will not use the network to avoid further network performance problems. It will resume its normal behavior after that. If this problem persists, verify your TCP/IP configuration, specifically check that you have a preferred (and possibly an alternate) DNS server configured. If the problem continues, verify network conditions to these DNS servers or contact your network administrator.

Log: 'System' Date/Time: 15/07/2012 04:39:45
Type: warning Category: 0
Event: 36 Source: W32Time
The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized.

Log: 'System' Date/Time: 14/07/2012 10:37:52
Type: warning Category: 0
Event: 36 Source: W32Time
The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized.

Log: 'System' Date/Time: 13/07/2012 01:50:40
Type: warning Category: 0
Event: 36 Source: W32Time
The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized.

Log: 'System' Date/Time: 12/07/2012 01:50:54
Type: warning Category: 0
Event: 36 Source: W32Time
The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized.

***

Vino's Event Viewer v01c run on Windows XP in English
Report run at 22/07/2012 05:51:09

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 21/07/2012 16:18:36
Type: error Category: 8
Event: 4689 Source: COM+
The run-time environment has detected an inconsistency in its internal state. This indicates a potential instability in the process that could be caused by the custom components running in the COM+ application, the components they make use of, or other factors. Error in f:\xpsp3\com\com1x\src\comsvcs\package\cpackage.cpp(1184), hr = 80080005: InitEventCollector failed

Log: 'Application' Date/Time: 21/07/2012 15:38:15
Type: error Category: 0
Event: 1013 Source: MsiInstaller
SA_Error1709: StandardAction(0xC00706AD): Product: AVG 2011 -- SA_Error25101: StandardAction(0xC007620D): We have detected that ZoneAlarm is already installed on your system, therefore the installation can not continue. We recommend that you uninstall this product first and then try to launch the installation again.

Log: 'Application' Date/Time: 21/07/2012 15:38:09
Type: error Category: 0
Event: 1013 Source: MsiInstaller
SA_Error1709: StandardAction(0xC00706AD): Product: AVG 2011 -- SA_Error25101: StandardAction(0xC007620D): We have detected that ZoneAlarm is already installed on your system, therefore the installation can not continue. We recommend that you uninstall this product first and then try to launch the installation again.

Log: 'Application' Date/Time: 21/07/2012 15:37:59
Type: error Category: 0
Event: 1013 Source: MsiInstaller
SA_Error1709: StandardAction(0xC00706AD): Product: AVG 2011 -- SA_Error25101: StandardAction(0xC007620D): We have detected that ZoneAlarm is already installed on your system, therefore the installation can not continue. We recommend that you uninstall this product first and then try to launch the installation again.

Log: 'Application' Date/Time: 21/07/2012 09:43:23
Type: error Category: 0
Event: 1013 Source: MsiInstaller
SA_Error1709: StandardAction(0xC00706AD): Product: AVG 2011 -- SA_Error25101: StandardAction(0xC007620D): We have detected that ZoneAlarm is already installed on your system, therefore the installation can not continue. We recommend that you uninstall this product first and then try to launch the installation again.

Log: 'Application' Date/Time: 21/07/2012 09:43:13
Type: error Category: 0
Event: 1013 Source: MsiInstaller
SA_Error1709: StandardAction(0xC00706AD): Product: AVG 2011 -- SA_Error25101: StandardAction(0xC007620D): We have detected that ZoneAlarm is already installed on your system, therefore the installation can not continue. We recommend that you uninstall this product first and then try to launch the installation again.

Log: 'Application' Date/Time: 21/07/2012 09:43:05
Type: error Category: 0
Event: 1013 Source: MsiInstaller
SA_Error1709: StandardAction(0xC00706AD): Product: AVG 2011 -- SA_Error25101: StandardAction(0xC007620D): We have detected that ZoneAlarm is already installed on your system, therefore the installation can not continue. We recommend that you uninstall this product first and then try to launch the installation again.

Log: 'Application' Date/Time: 21/07/2012 09:30:18
Type: error Category: 0
Event: 1013 Source: MsiInstaller
SA_Error1709: StandardAction(0xC00706AD): Product: AVG 2011 -- SA_Error25101: StandardAction(0xC007620D): We have detected that ZoneAlarm is already installed on your system, therefore the installation can not continue. We recommend that you uninstall this product first and then try to launch the installation again.

Log: 'Application' Date/Time: 21/07/2012 09:30:16
Type: error Category: 0
Event: 1013 Source: MsiInstaller
SA_Error1709: StandardAction(0xC00706AD): Product: AVG 2011 -- SA_Error25101: StandardAction(0xC007620D): We have detected that ZoneAlarm is already installed on your system, therefore the installation can not continue. We recommend that you uninstall this product first and then try to launch the installation again.

Log: 'Application' Date/Time: 20/07/2012 09:22:32
Type: error Category: 0
Event: 8 Source: crypt32
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: This network connection does not exist.

Log: 'Application' Date/Time: 20/07/2012 09:22:32
Type: error Category: 0
Event: 8 Source: crypt32
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: This network connection does not exist.

Log: 'Application' Date/Time: 20/07/2012 09:22:32
Type: error Category: 0
Event: 8 Source: crypt32
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: This network connection does not exist.

Log: 'Application' Date/Time: 20/07/2012 09:22:31
Type: error Category: 0
Event: 8 Source: crypt32
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: This network connection does not exist.

Log: 'Application' Date/Time: 20/07/2012 09:22:31
Type: error Category: 0
Event: 8 Source: crypt32
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: This network connection does not exist.

Log: 'Application' Date/Time: 20/07/2012 09:22:31
Type: error Category: 0
Event: 8 Source: crypt32
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: This network connection does not exist.

Log: 'Application' Date/Time: 20/07/2012 09:22:31
Type: error Category: 0
Event: 8 Source: crypt32
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: This network connection does not exist.

Log: 'Application' Date/Time: 20/07/2012 09:22:31
Type: error Category: 0
Event: 8 Source: crypt32
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: This operation returned because the timeout period expired.

Log: 'Application' Date/Time: 20/07/2012 09:22:01
Type: error Category: 0
Event: 8 Source: crypt32
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: This operation returned because the timeout period expired.

Log: 'Application' Date/Time: 20/07/2012 09:19:40
Type: error Category: 0
Event: 8 Source: crypt32
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: This operation returned because the timeout period expired.

Log: 'Application' Date/Time: 20/07/2012 08:58:24
Type: error Category: 0
Event: 8 Source: crypt32
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: The server name or address could not be resolved

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 21/07/2012 15:34:54
Type: warning Category: 0
Event: 1015 Source: MsiInstaller
Failed to connect to server. Error: 0x800401F0

Log: 'Application' Date/Time: 21/07/2012 15:34:40
Type: warning Category: 0
Event: 1015 Source: MsiInstaller
Failed to connect to server. Error: 0x800401F0

Log: 'Application' Date/Time: 21/07/2012 15:31:46
Type: warning Category: 0
Event: 1015 Source: MsiInstaller
Failed to connect to server. Error: 0x800401F0

Log: 'Application' Date/Time: 21/07/2012 15:31:25
Type: warning Category: 0
Event: 1015 Source: MsiInstaller
Failed to connect to server. Error: 0x800401F0

Log: 'Application' Date/Time: 21/07/2012 15:01:58
Type: warning Category: 0
Event: 1015 Source: MsiInstaller
Failed to connect to server. Error: 0x800401F0

Log: 'Application' Date/Time: 21/07/2012 15:01:58
Type: warning Category: 0
Event: 1015 Source: MsiInstaller
Failed to connect to server. Error: 0x800401F0

Log: 'Application' Date/Time: 21/07/2012 14:57:13
Type: warning Category: 0
Event: 1015 Source: MsiInstaller
Failed to connect to server. Error: 0x800401F0

Log: 'Application' Date/Time: 21/07/2012 14:57:13
Type: warning Category: 0
Event: 1015 Source: MsiInstaller
Failed to connect to server. Error: 0x800401F0

Log: 'Application' Date/Time: 21/07/2012 14:56:33
Type: warning Category: 0
Event: 1015 Source: MsiInstaller
Failed to connect to server. Error: 0x800401F0

Log: 'Application' Date/Time: 21/07/2012 09:38:46
Type: warning Category: 0
Event: 1015 Source: MsiInstaller
Failed to connect to server. Error: 0x800401F0

Log: 'Application' Date/Time: 21/07/2012 09:38:20
Type: warning Category: 0
Event: 1015 Source: MsiInstaller
Failed to connect to server. Error: 0x800401F0

Log: 'Application' Date/Time: 21/07/2012 09:33:35
Type: warning Category: 0
Event: 1015 Source: MsiInstaller
Failed to connect to server. Error: 0x800401F0

Log: 'Application' Date/Time: 20/07/2012 23:28:47
Type: warning Category: 0
Event: 0 Source: System.ServiceModel.Install 3.0.0.0
Configuration section system.serviceModel.activation already exists in c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Config\machine.config.

Log: 'Application' Date/Time: 20/07/2012 23:28:47
Type: warning Category: 0
Event: 0 Source: System.ServiceModel.Install 3.0.0.0
Configuration section system.runtime.serialization already exists in c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Config\machine.config.

Log: 'Application' Date/Time: 20/07/2012 23:28:47
Type: warning Category: 0
Event: 0 Source: System.ServiceModel.Install 3.0.0.0
Configuration section system.serviceModel already exists in c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Config\machine.config.

Log: 'Application' Date/Time: 20/07/2012 23:28:47
Type: warning Category: 0
Event: 0 Source: System.ServiceModel.Install 3.0.0.0
Could not detect IIS installation or IIS is disabled, skipping the Web Host Script Mappings component since it depends upon IIS to function properly. If you believe this message is an error, check your IIS installation to make sure it is installed properly.

Log: 'Application' Date/Time: 20/07/2012 23:25:29
Type: warning Category: 1
Event: 1020 Source: ASP.NET 2.0.50727.0
Updates to the IIS metabase were aborted because IIS is either not installed or is disabled on this machine. To configure ASP.NET to run in IIS, please install or enable IIS and re-register ASP.NET using aspnet_regiis.exe /i.

Log: 'Application' Date/Time: 20/07/2012 23:20:43
Type: warning Category: 1
Event: 1020 Source: ASP.NET 2.0.50727.0
Updates to the IIS metabase were aborted because IIS is either not installed or is disabled on this machine. To configure ASP.NET to run in IIS, please install or enable IIS and re-register ASP.NET using aspnet_regiis.exe /i.

Log: 'Application' Date/Time: 20/07/2012 23:12:29
Type: warning Category: 1
Event: 1020 Source: ASP.NET 2.0.50727.0
Updates to the IIS metabase were aborted because IIS is either not installed or is disabled on this machine. To configure ASP.NET to run in IIS, please install or enable IIS and re-register ASP.NET using aspnet_regiis.exe /i.

Log: 'Application' Date/Time: 20/07/2012 22:50:54
Type: warning Category: 0
Event: 0 Source: System.ServiceModel.Install 3.0.0.0
Configuration section system.serviceModel.activation already exists in c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Config\machine.config.



Log: 'System' Date/Time: 11/07/2012 05:01:43
Type: warning Category: 0
Event: 36 Source: W32Time
The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized.
  • 0



#26
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
I did tell you it would be better to let it run overnight. I'm not sure what it does with the corrupt files that it finds. If it doesn't remove them then you should delete them.


Looks like you tried to install AVG 2011. It and Zone Alarm do not like each other. I think they both have firewalls so if you want to install the latest AVG you need to uninstall ZA (and Avast) first.

Something seems to be blocking your automatic updates, your time updates and some installer. Expect it's ZA so another good reason to uninstall.

We are still seeing the npkcrypt service errors. Right click on My Computer and select Manage then Services and Applications then Services and then try to find the npkcrypt service. If you find it, right click on it and select Properties then change the Startup Type to Disabled. Also look for the npkcmsvc service and disable it too. If you don't find it there then right click on My Computer and select Manage then Device Manager, View, Show Hidden Devices and look in the right pane under non-plug and play devices. If you find it there then right click on it and Disable or uninstall.

After you uninstall ZA and kill off the npkcrypt and npkcmsvc then

Start, Run, eventvwr.msc, OK to bring up the Event Viewer. Right click on System and Clear All Events, No (we don't want to save the old log), OK. Repeat for Application.

Reboot.

Run VEW again as before and post the logs.
  • 0
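An added example, not part of the thread or of the VEW tool: a small Python parser for the report layout posted above that groups entries by log, type, event ID and source, so the recurring failures RKinner picks out (the MsiInstaller, crypt32 and W32Time entries) stand out from the repetition. The sample entries are abridged from the posted log, and the function names are this example's own.

```python
import re
from datetime import datetime

# Entries abridged from the VEW log posted in this thread (messages shortened).
SAMPLE = """\
Log: 'Application' Date/Time: 21/07/2012 15:38:09
Type: error Category: 0
Event: 1013 Source: MsiInstaller
Product: AVG 2011 -- We have detected that ZoneAlarm is already installed on your system

Log: 'Application' Date/Time: 21/07/2012 09:43:23
Type: error Category: 0
Event: 1013 Source: MsiInstaller
Product: AVG 2011 -- We have detected that ZoneAlarm is already installed on your system

Log: 'Application' Date/Time: 20/07/2012 09:22:32
Type: error Category: 0
Event: 8 Source: crypt32
Failed auto update retrieval of third-party root list sequence number

Log: 'System' Date/Time: 11/07/2012 05:01:43
Type: warning Category: 0
Event: 36 Source: W32Time
The time service has not been able to synchronize the system time
"""

# One record: three header lines, then message lines up to a blank line,
# a "~~~" section rule, or the next "Log:" header.
RECORD = re.compile(
    r"^Log: '(?P<log>[^']+)' Date/Time: (?P<when>[\d/]+ [\d:]+)\s*\n"
    r"Type: (?P<type>\w+) Category: \d+\s*\n"
    r"Event: (?P<event>\d+) Source: (?P<source>[^\n]+)\n"
    r"(?P<message>(?:(?!Log: ')[^\n~][^\n]*\n?)*)",
    re.MULTILINE)

def parse_vew(text):
    """Return one dict per event; dates are dd/mm/yyyy, as the report header states."""
    records = []
    for m in RECORD.finditer(text):
        rec = {k: v.strip() for k, v in m.groupdict().items()}
        rec["event"] = int(rec["event"])
        rec["when"] = datetime.strptime(rec["when"], "%d/%m/%Y %H:%M:%S")
        records.append(rec)
    return records

def summarize(records):
    """Group by (log, type, event id, source); most frequent group first."""
    groups = {}
    for r in records:
        key = (r["log"], r["type"], r["event"], r["source"])
        g = groups.setdefault(key, {"count": 0, "first": r["when"], "last": r["when"]})
        g["count"] += 1
        g["first"], g["last"] = min(g["first"], r["when"]), max(g["last"], r["when"])
    return sorted(groups.items(), key=lambda kv: (-kv[1]["count"], kv[0]))
```

Pass the full pasted report to `summarize(parse_vew(text))`; running the same call on the next report shows at a glance whether any of those groups came back.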

#27
HDL

HDL

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
The majority of the corrupt files are incomplete files from Download Accelerator.

I'll stick with Avast for now I think. I was never much of a fan of the new versions of AVG. I did try and install AVG yesterday I think since you'd said it was out of date and I hadn't realised you were going to get me to download Avast. I didn't think I had the AVG firewall turned on. Anyway AVG's gone now.

I'm trying to get rid of ZoneAlarm but it wouldn't uninstall. I'm searching around for a solution for that just now.
  • 0

#28
HDL

HDL

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Vino's Event Viewer v01c run on Windows XP in English
Report run at 22/07/2012 15:04:40

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 22/07/2012 13:10:38
Type: error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: AVGIDSHX

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vino's Event Viewer v01c run on Windows XP in English
Report run at 22/07/2012 15:05:21

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  • 0

#29
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Looking much better now. Just one AVG service left:

AVGIDSAgent. The AVG Removal tool should have removed it. Don't know why it didn't. You should be able to Disable it in Services.

I assume you found out how to remove ZA? Are your automatic updates working now? How about your Security Center?

I was never fond of Download Accelerators. I would uninstall it and also make sure that ZA uninstalled its toolbars when you uninstalled it.

Stick with Avast for a while and see how you like it. Some people object to the voice notification of updates. To turn it off, click on the Avast ball then on Settings. Then on Sounds and uncheck Automatic Updates, OK. (It will still update; it just won't tell you about it in a loud voice in the middle of the night.)

They have also started using their info popup to try and get you to upgrade so I go into Settings, Popups and change the first two to 1 second.

The registration is good for 12-14 months then you will need to register again. They will, of course, try to talk you into buying the product, but you can always register again for another year free.

If you want to replace ZA, you can try the free version of Online Armor. http://www.online-armor.com/ It's a lot smarter than ZA and doesn't seem to have as many problems and last time I looked did not install a bunch of Toolbars or an inferior anti-virus.

Any more BSOD's?
  • 0

#30
HDL

HDL

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Automatic Updates and the Security Centre look to be working now.

I found a removal tool to get rid of Zone Alarm which I hope's removed all of it.

Speaking of toolbars, Avast stuck something on my browsers: "avast! WebRep". I said no to the ones it wanted on Firefox but they went onto Chrome automatically. Should I just leave that there?

I haven't used Download Accelerator for years. I had it before because I had a very slow internet connection and I liked the ability to be able to pause and then resume downloads. It was extremely useful when I had dialup, and when I had an internet connection that frequently dropped. I don't need that anymore. I'll uninstall it once I clean up the improperly downloaded files.

I do remember having Avast in the past. The voices were why I uninstalled it and went back to AVG. I've already got them turned off this time and thanks for the advice on the popups.

I'll get that new firewall.

I've not had any BSOD's in a while, which is such a relief. I was really worried it was a hardware problem and I'd be forking out large sums of money for a new computer. It's running a lot better than it has in ages now.

I did, however, get bumped off the internet when I downloaded the firewall and was unable to reconnect. I got the message "Checking Network Protocol Connections TCP/IP CP Reported Error 32: A device attached to the system is not functioning." Restarting the system seems to have fixed it. Is that connected to the firewall or something else?

Thank you very much for all of your time and patience.
  • 0





