
Each time MBAM starts scanning, the PC shuts down.



#16 RKinner (Malware Expert, MVP, 24,625 posts)

Good that we ran MBAR.

Looking at your event logs:

Applicatiefouten:
==================
Error: (02/07/2021 08:14:15 AM) (Source: chromoting) (EventID: 3) (User: )
Description: Toegang geweigerd voor client: [email protected]/chromoting_ftl_607fb2c4-e6b6-4ccd-99a9-41fd8b2c8cc4.

 

I think if you go into Chrome and click on the three dots in the upper right, then on Settings, then Advanced, then System, you can turn off:
Continue running background apps when Google Chrome is closed

That might keep Chrome from starting at boot.  If not, you can search for
msconfig
hit Enter
then select the Startup tab
Uncheck the box in front of any entry that mentions Chrome.

There may also be an option to configure Chrome Remoting so that it doesn't start at login.  I don't use it so can't say.


Systeemfouten:
=============
Error: (02/07/2021 08:20:29 AM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: De Windows Update-service is bij het starten vastgelopen.
 

 

The fix for Windows Update problems is the oddly named:

System Update Readiness Tool for Windows 7

This link is for 64 bit:
https://www.microsof...s.aspx?id=20858

This will pretend that it is installing a KB.  Can take a few hours to complete.


Once that runs then get

 KB3083710 and KB3102810

https://support.micr...n-us/kb/3083710

https://support.micr...n-us/kb/3102810

 

(You want the one that says: All supported x64-based versions of Windows 7)  Each will take you to another page where you have to select your language before downloading.
 

 

Error: (02/07/2021 08:16:26 AM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: Time-out (60000 seconden) tijdens het wachten op een reactie op een transactie van deze service: TeamViewer.

 

TeamViewer is still causing an error.  If you are using it just to work on your sister's PC you don't need it running at startup.  That's only if you want someone else to control your system. Run TeamViewer and on the main page is an option to Start TeamViewer with Windows.  Uncheck it.  Close TeamViewer.
 

Error: (02/07/2021 08:13:11 AM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10000) (User: NT AUTHORITY)
Description: WLAN-uitbreidingsmodule kan niet worden gestart.
 
Pad naar module: C:\Windows\system32\Rtlihvs.dll
Foutcode: 126

 

FRST did not see the file but it may be there with a permission error.  Seems like I vaguely remember that being a problem with the file.  Rtlihvs.dll is actually a Realtek file but I think the TP-Link Wireless adapter uses a Realtek chip.  We can try a quick fixlist to see if we can unlock it.

 

Attached File: fixlist.txt (230 bytes)

 

This one will be very quick and will not reboot.  You should be able to see in the fixlog whether it found the file or not.

 


Error: (02/07/2021 08:12:06 AM) (Source: atapi) (EventID: 11) (User: )
Description: Het stuurprogramma heeft een controllerfout gevonden in \Device\Ide\IdePort4.
 
Error: (02/07/2021 08:12:06 AM) (Source: atapi) (EventID: 11) (User: )
Description: Het stuurprogramma heeft een controllerfout gevonden in \Device\Ide\IdePort4.

 

 

I'm surprised to see an IDE controller but it may be for the DVD drive.  This may be related to your BSOD.  MBAM does some strange things with IDE controllers when it scans.  Early versions of MBAM would crash with the same indication as you are getting.  It's not supposed to be a problem these days but perhaps that's because there aren't a lot of IDE controllers.  I do have a fix for this error that is supposed to work:

 

"a. Right-click Computer, and then click Manage.

b. Double-click System Tools in the right pane, and then double-click Device Manager.

c. Double-click IDE ATA/ATAPI Controller in the right pane, and then double-click the appropriate controller. (The sequence will be like this: drive 1 - IdePort0, drive 2 - IdePort1, drive 3 - IdePort2, drive 4 - IdePort3, drive 5 - IdePort4)

d. On the Advanced Settings tab, click PIO Only in the Transfer Mode box.

e. Click OK, close the Computer Management window, and then reboot the computer. Check if it helps."

 

Above from: https://answers.micr...42-ec49afff79eb

 

Looking at your Process Explorer log:

Not too bad.  Chrome Remote is using some CPU but System Idle is almost 90%.   Interrupts is very good so drivers are pretty decent.  All but two files are signed and verified and the two that aren't never are.

The Junk file is just used if an SVCHOST file is using too much CPU.  It helps identify the Windows Service(s) that is(are) riding on the different svchosts.

 

Speccy shows no problems with overheating.  Your hard drive has a few bad sectors:

    ID  Attribute name                Real value  Current  Worst  Threshold  Raw Value   Status
    C5  Current Pending Sector Count  1           200      200    0          0000000001  Good
    C6  Uncorrectable Sector Count    2           200      200    0          0000000002  Good

If these increase rapidly then the drive will need to be replaced but for now it looks OK.

 

Speccy did show a variable set by the infection we removed:

    User Variables
        GPU_MAX_ALLOC_PERCENT    70


Right-click the Computer icon on your desktop and choose Properties from the menu. Click on the Advanced system settings link and then click Environment Variables. Under the section System Variables, select the environment variable GPU_MAX_ALLOC_PERCENT, and click Delete.

 

If you have control of your router you can improve Wireless Performance by changing to a different channel.  Currently you use Channel 6.  Routers claim they will automatically pick the best channel but they seldom do.  There is another router on the same channel and its signal is almost as strong as the one you are using so you will be getting a lot of interference which will drop your bit rate.

 

Download inSSIDer
https://www.techspot...6-inssider.html
Double-click to install it. Then run it by right-clicking and choosing Run As Admin.

It will show you a graph in the bottom  that has your signal in blue and competing signals in orange and yellow.  It may also recommend a different channel which might have less interference or you can choose a channel based on what you see on the chart.

Moving to a different channel (by logging on to your router) can drastically improve performance.  If you have control of the router (password is often on the back or bottom) but don't know how to change the channel tell me the make and model.

 

Latency Monitor shows that Dropbox is causing a lot of page faults.  Do you pay for it?  If not, it would be wise to uninstall it.




#17 RKinner (Malware Expert, MVP, 24,625 posts)

Just a heads up that the forum software decided to post before I was done so I had to go back in and edit the previous post.



#18 HaraMo (Topic Starter, Member, 456 posts)

Which IDE controller? Not sure which one to take, see photo.

Attached Thumbnails

  • IDE_CONTROLLER.JPG


#19 HaraMo (Topic Starter, Member, 456 posts)

Avast boot scan log:
 
02/07/2021 15:37
Alle lokale stations scannen
 
Bestand C:\Users\omar\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NRD8SVKQ\MeOptimum_x86[1].exe|>$INSTDIR\ws.zip|>amd64_86.exe is geïnfecteerd met Win32:Malware-gen, Verplaatst naar de kluis
Bestand C:\Users\omar\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NRD8SVKQ\MeOptimum_x86[1].exe|>$INSTDIR\ws.zip|>mediatek_86.exe is geïnfecteerd met Win32:TrojanX-gen [Trj], Verplaatst naar de kluis
Bestand C:\Users\omar\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NRD8SVKQ\MeOptimum_x86[1].exe|>$TEMP\radeon\r_.zip|>radeon86_64.exe is geïnfecteerd met Win32:Malware-gen, Verplaatst naar de kluis
Bestand C:\Users\omar\AppData\Local\Temp\Windows Loader v2.2.2.zip|>Windows+Loader+v2.2.2.zip|>Windows+Loader+v2.2.2.exe is geïnfecteerd met Win32:Evo-gen [Susp], Verplaatst naar de kluis
Bestand C:\$Recycle.Bin\S-1-5-21-2521950895-1173571020-801938669-1000\$RDDP3BP.crdownload|>$[38]\tvqsfiles.7z Fout 42145 {Het installatiearchief is beschadigd.}
Bestand C:\HEADERS|>$INSTDIR\ws.zip|>amd64_86.exe is geïnfecteerd met Win32:Malware-gen, Verplaatst naar de kluis
Bestand C:\HEADERS|>$INSTDIR\ws.zip|>mediatek_86.exe is geïnfecteerd met Win32:TrojanX-gen [Trj], Verplaatst naar de kluis
Bestand C:\HEADERS|>$TEMP\radeon\r_.zip|>radeon86_64.exe is geïnfecteerd met Win32:Malware-gen, Verplaatst naar de kluis
Bestand D:\DriveGoogle\PC_BACKUP_06022021_23U37\KINDEREN\Downloads\lsvb + wb 1ste tot 6de-20201130T045029Z-001.zip|>lsvb + wb 1ste tot 6de\5de leerjaar\OneDrive_1_14-05-2020.zip|>L5 Themabundel 10.docx|>word\media\image5.jpeg Fout 42125 {Het ZIP-archief is beschadigd.}
Bestand D:\DriveGoogle\PC_BACKUP_06022021_23U37\KINDEREN\Downloads\lsvb + wb 1ste tot 6de-20201130T045029Z-001.zip|>lsvb + wb 1ste tot 6de\5de leerjaar\thema_s cursussen.zip|>L5 Themabundel 10.docx|>word\media\image5.jpeg Fout 42125 {Het ZIP-archief is beschadigd.}
Bestand D:\DriveGoogle\PC_BACKUP_06022021_23U37\KINDEREN\Downloads\lsvb + wb 1ste tot 6de-20201130T045029Z-001.zip|>lsvb + wb 1ste tot 6de\5de leerjaar\2. geloofsleer\1. geloof in profeten\profeet moussa\K5.3.5 Het levensverhaal van profeet Moesa.docx|>word\media\image3.png Fout 42125 {Het ZIP-archief is beschadigd.}
Aantal doorzochte mappen: 42403
Aantal gecontroleerde bestanden: 686117
Aantal geïnfecteerde bestanden: 7


#20 HaraMo (Topic Starter, Member, 456 posts)

These two mention the hard disk / DVD ... controller.

Which one should I change the parameters on?

Or should I change all the ATA channels?

Attached Thumbnails

  • IDE_CONTROLLER_HARDDISK.JPG
  • IDE_CONTROLLER_DVD.JPG


#21 HaraMo (Topic Starter, Member, 456 posts)

And I don't see any transfer mode, PIO only ... in the photos; in the Advanced Settings tab it shows 'turn on DMA'.



#22 HaraMo (Topic Starter, Member, 456 posts)

The fixlist to fix the TP-Link file: if I start the fix, an error occurs, see photo.

Attached Thumbnails

  • ERROR_FIXLIST.JPG


#23 HaraMo (Topic Starter, Member, 456 posts)

GPU_MAX_ALLOC_PERCENT is not to be found under system variables, but under user variables; OK to delete it from here?



#24 RKinner (Malware Expert, MVP, 24,625 posts)

GPU_MAX_ALLOC_PERCENT is not to be found under system variables, but under user variables; OK to delete it from here?

Yes.
 
I will report the FRST error to Farbar.  Since that doesn't work, try:

Please download GrantPerms.zip http://download.blee.../GrantPerms.zip and save it to your desktop.
Unzip the file and run GrantPerms.exe by right-clicking and choosing Run As Admin.
Copy and paste the following in the edit box:

C:\Windows\system32\Rtlihvs.dll

Click Unlock. When it is done click "OK".  If it says the file does not exist then stop.
Click List Permissions and post the result (Perms.txt) that pops up. A copy of Perms.txt will be saved in the same directory the tool is run from.
 
I think the IDE controller is the one for the CD-ROM.  I do not have a Win 7 with IDE anymore so I'm just going by what I find on the net.  If you right-click on the ATA Channel 3 and Delete or Uninstall, then reboot, it will reinstall it and sometimes that will fix the problem.

The Avast scan must have gotten a lot quicker.  Assume it moved everything infected that it found to the chest?  I usually manually delete the files where it says: {Het ZIP-archief is beschadigd.}
The actual file name and path is everything to the left of the |.  Example:
Bestand C:\$Recycle.Bin\S-1-5-21-2521950895-1173571020-801938669-1000\$RDDP3BP.crdownload|>$[38]\tvqsfiles.7z Fout 42145 {Het installatiearchief is beschadigd.}

Delete:
C:\$Recycle.Bin\S-1-5-21-2521950895-1173571020-801938669-1000\$RDDP3BP.crdownload
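The rule RKinner gives above (the on-disk path is everything left of the first `|>`; what follows are members nested inside that archive) can be applied mechanically to the whole Avast log. The parser below is an added example, not the forum's or Avast's own code; it runs on a constructed sample shaped like the boot-scan log in post #19 and separates files Avast already quarantined from archives it could not open, which are the ones that still need a manual look.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the shape of the Avast boot-scan log posted in the thread.
SAMPLE_LOG = r"""
Bestand C:\HEADERS|>$INSTDIR\ws.zip|>amd64_86.exe is geïnfecteerd met Win32:Malware-gen, Verplaatst naar de kluis
Bestand C:\HEADERS|>$INSTDIR\ws.zip|>mediatek_86.exe is geïnfecteerd met Win32:TrojanX-gen [Trj], Verplaatst naar de kluis
Bestand C:\$Recycle.Bin\S-1-5-21-0-0-0-1000\$RDDP3BP.crdownload|>$[38]\tvqsfiles.7z Fout 42145 {Het installatiearchief is beschadigd.}
Bestand D:\backup\lessons.zip|>lessons\doc.docx|>word\media\image5.jpeg Fout 42125 {Het ZIP-archief is beschadigd.}
Aantal geïnfecteerde bestanden: 7
"""
# "Bestand <chain> is geïnfecteerd met <detection>, <action>"  (detected and moved to the chest)
INFECTED_RE = re.compile(r"^Bestand (?P<chain>.+?) is geïnfecteerd met (?P<det>.+?), (?P<action>.+)$")
# "Bestand <chain> Fout <code> {<message>}"  (archive Avast could not open, so not scanned)
ERROR_RE = re.compile(r"^Bestand (?P<chain>.+?) Fout (?P<code>\d+) \{(?P<msg>.+)\}$")

@dataclass
class Finding:
    path: str                                          # on-disk file: left of the first "|>"
    members: List[str] = field(default_factory=list)   # nested archive entries, outermost first
    detection: Optional[str] = None
    action: Optional[str] = None
    error_code: Optional[int] = None
    error_msg: Optional[str] = None

    @property
    def kind(self) -> str:
        return "infected" if self.detection else "error"

def parse_avast_log(text: str) -> List[Finding]:
    """One Finding per 'Bestand' line; summary lines ('Aantal ...') carry no per-file data."""
    findings = []
    for line in text.splitlines():
        m = INFECTED_RE.match(line)
        if m:
            path, *members = m["chain"].split("|>")
            findings.append(Finding(path, members, detection=m["det"], action=m["action"]))
            continue
        m = ERROR_RE.match(line)
        if m:
            path, *members = m["chain"].split("|>")
            findings.append(Finding(path, members, error_code=int(m["code"]), error_msg=m["msg"]))
    return findings

def triage(findings: List[Finding]) -> Dict[str, List[str]]:
    """Unique on-disk paths: already quarantined by Avast vs. archives it could not scan."""
    return {
        "quarantined": sorted({f.path for f in findings if f.kind == "infected"}),
        "unscannable": sorted({f.path for f in findings if f.kind == "error"}),
    }
```

Only the `unscannable` list is a candidate for manual deletion; the `quarantined` entries were already moved to the chest, so the on-disk path in those lines no longer holds the infected member.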


#25 HaraMo (Topic Starter, Member, 456 posts)
GrantPerms by Farbar 
Ran by omar (administrator) at 2021-02-07 19:44:40
 
===============================================
ERROR: Parsing the SD of <\\?\C:\Windows\system32\Rtlihvs.dll> failed with: Het systeem kan het opgegeven bestand niet vinden.
 
 
Operating system error message: Het systeem kan het opgegeven bestand niet vinden.



#26 HaraMo (Topic Starter, Member, 456 posts)

I don't have this folder: C:\$Recycle.Bin

and I have changed the settings to be able to see hidden folders.

I do see the $AV_ASW folder.

and in the recycle bin on the desktop, there is no such file crdownload..



#27 RKinner (Malware Expert, MVP, 24,625 posts)

Follow these steps to cause Windows to show super hidden files.
 
Open My Computer,
Click on the “Organise” toolbar
Choose the “Folder and Search Options” menu
On the Folder Options dialog box, click the View tab.
In the Advanced Settings List, under “Hidden files and Folders”, select the option to show hidden files.
In the Advanced Settings List, remove the tick from “Hide protected operating system files (Recommended)”
Click Apply
 
See if FRST can find another copy of the Rtlihvs.dll file.  Put Rtlihvs.dll in the Search Box and then click Search Files.  You will get one log; please post it.


#28 HaraMo (Topic Starter, Member, 456 posts)

I could not open the folder C:\$Recycle.Bin\S-1-5-21-2521950895-1173571020-801938669-1000\$RDDP3BP.crdownload

 

so I deleted the folder \S-1-5-21.... 



#29 HaraMo (Topic Starter, Member, 456 posts)

Log searching for the dll file, see below.

I did everything you advised me to do, except the Windows update, and the TeamViewer and Dropbox (maybe later uninstall Dropbox).

I do need to be able to take over the PC of my sister whenever I can work on her PC.

As a backup I use TeamViewer, as sometimes Chrome Remote suddenly asks for a complete reinstall.

Windows Update is still working; now the optional updates, I selected them all except one that wanted to update nvidia, I think the video card? I did not select it, as you said that the drivers were OK.

And what I also see happening is an unknown device in Device Manager, and sometimes this list refreshes itself; at the same time a message in the bottom right appears that there is something wrong with the USB, but the only USB device in the PC is the WiFi USB WLAN (with a USB cable).

Now the channel 3 DVD is reinstalled, can I try to start an MBAM full scan to see if the PC will shut off again?

 

 

Farbar Recovery Scan Tool (x64) Versie: 07-02-2021 02
Gestart door omar (07-02-2021 20:22:04)
Gestart vanaf D:\OneDrive\Bureaublad
Boot Modus: Normal
 
================== Bestanden Zoeken: "Rtlihvs.dll" =============
 
 
====== Einde van Zoeken ======

Edited by HaraMo, 07 February 2021 - 01:34 PM.


#30 RKinner (Malware Expert, MVP, 24,625 posts)

Retry MBAM and see if it still crashes.

