Solved: Blue screen error and Internet crashing

[kates2787]

Hi, I recently sent my laptop away to be fixed as it wasn't turning on 90% of the time and when I got it back they said it had loads of viruses and trojans which was the problem. I use AVG which I thought would have prevented this and I don't know how they fixed it but they said it was now clean.

The laptop was used with no problems for about 6 hours altogether before I installed a new external hard drive. Well, I say new but it's actually a Seagate Desktop 500gb that i had previously imstalled but the USB connecter fell off so I had to transfer it into a new case. After installing it into the new case it appeared in My Computer and I could access all my files again but the Seagate Device Manager did not recognise it. However, I soon began getting Blue Screen Errors regularly which directed me to this page after restarting: http://wer.microsoft.com/responses/...SGD=ae02b07a-f5c5-4299-9deb-d10735f4fb6f#here

I have tried all of the steps apart from the final one and nothing has worked. I started up the laptop with nothing connected to it and just left it for a few hours and when I returned to it again I got the same message telling me a serious error had occured and to visit the above page. I really dont know what else to try to fix this problem.

My second problem started about 5 days ago - my Internet Explorer keeps freezing. I have to close it down through Task Manager and then I send an error report and it takes me to this page: http://wer.microsoft.com/responses/...SGD=ab1b4831-0d60-44ac-add6-686297421abb#here

I have done the first 3 steps and can't do the last one as I dont have a Yahoo toolbar. I have used Internet Explorer with no add-ons at all and its Ok but quite slow and when I went to disable my add-ons there was loads. It would take me ages to go through each off them eliminating them and sometimes the Internet can work for an hour without freezing. Is there a way to delete them all? Ive deleted the ones I can but some of them I cant delete.

Im selling this laptop to my parents in 2 weeks and they don't have a clue about how to fix a computer problem so would like to have it sorted for them as soon as possible. Is it fixable or something seriously wrong with it?

Thanks in advance for any help,
kates2787

 

[HCD]

In the first instance - go to Start then press R and type in devmgmt.msc - post back if there are any devices with a red X or a yellow ? or !.
If all is okay on this screen, I would double check back with the repairers and ask if they did a clean reinstall or a repair with a spyware remover.

I would as a precaution look at the Security and HJT section of this forum and follow their advice for running a Hijack This log. If you do go this route - let us know on this thread so we can await the outcome of their advice.

 

[Rollin' Rog]

>> Regarding IE first -- you've tried "no add-ons" mode (step 4) and it still happens?

How about testing with another browser, say Firefox or Opera -- or perhaps with another User Account -- (guest account, formal Admin Account, or newly created one).

>> Regarding the Blue Screens, do this >

I can run a debugging utility on the dump files if you do this:

1 > create a new folder on the desktop and call it "dumpcheck" or whatever you like
2 > navigate to c:\windows\minidump and copy the last few minidump files to that folder. *this assumes 'c' is your boot drive, if it is not, subsitute accordingly
3 > close the folder and right click on it and select Send to Compressed (zipped) Folder.
4 > use the "manage attachments" in the "advanced" reply window to upload that zip file here as an attachment.

This might point us to a non Windows driver causing the error, if one exists for it.

>> Finally, post a HijackThis scanlog -- just so we can determine if it really looks "clean" >

Download and install HijackThis. Run it and select "do a system scan and save the log file". Then copy/paste the contents of the log to a reply

http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis


And of course also do what HCD suggested.

 

[kates2787]

Hi, thanks for your help. I have posted in the HJT section and waiting on their reply.

HCD, I ran the program you suggested and everything was ok apart from one hidden file under the 'Non-plug and Play Drivers' heading called 'Serial'. It had a yellow exclamation mark next to it.

Rollin' Rog, IE has not frozen when I run it with no add-ons. I go to Start, Accessories, System Tools, Internet Explorer (No Add-Ons) to do this. Sometimes IE can run normally with add-ons for a few hours before freezing so I will use the no add-on version for a while to see if it will eventually freeze as well. Do I really need my add-ons? I would be more than hapy just to delete them if they cause more problems than good. The only one I think I use is the Google toolbar.

I have attached the 'dumpcheck folder' and this is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 21:14:43, on 06/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Empowering Technology\eLock\LockServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\svchost.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Secunia\PSI (RC3)\psi.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=66028
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.strath.ac.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=66028
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=66028
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=66028
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=66028
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - Startup: Secunia PSI (RC3).lnk = C:\Program Files\Secunia\PSI (RC3)\psi.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {05CDEE1D-D109-4992-B72B-6D4F5E2AB731} (PhotoBox uploader) - http://new.photobox.co.uk/assets/aurigma/ImageUploader4.cab
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} - http://www.bebo.com/files/BeboUploader.5.1.4.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://static.photobox.co.uk/sg/common/ImageUploader4.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LockServ - Unknown owner - C:\Acer\Empowering Technology\eLock\LockServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe


Thanks again, kates2787

 

[kates2787]

Oh, and I meant to say that the Blue Screen Error seems to be getting worse - it happened twice whilst only carrying out the tasks you requested.

 

[Rollin' Rog]

Ok, here are your BSODs >

Probably caused by : OAmon.sys ( OAmon+3818 )
>>> oamon.sys
OAMON.SYS is related to Online Armor Security Suite.

Probably caused by : TfFsMon.sys ( TfFsMon+31b3 )

tffsmon.sys
TFFSMON.SYS is related to ThreatFire Filesystem Monitor.
Manufacturer: PC Tools


All but the second were OAmon.sys.

I would personally uninstall both these programs and rely only on the Windows Firewall


For the IE problem you will have to troubleshoot the individual Add-ons by selectively disabling them; you can do that by halves much as you might do in Clean Boot troubleshooting.

They can be enabled or disabled through the Tools > Manage Add-Ons properties in IE

 

[kates2787]

Hi thanks. I've deleted Threat Fire and Online Armour and played around with my add-ons and everything seems to working fine now. Still waiting on reply from HJT section though. Was also going to ask how I can get rid of 'Crawler Search' that is next to my address bar in IE? I tried deleting it through control panel but it's still there. Is it safe? Thanks, kates2787

 

[Rollin' Rog]

I don't see any problems there as far as malware is concerned -- so if all seems well after some testing you could probably mark this thread "Solved".

If any of these lines still appear in your HijackThis scanlog, check and "fix" them with the browser closed, then reopen it >>

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispat...=%s&tbid=66028
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=66028
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_cu...spx?TbId=66028
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=66028
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_cu...spx?TbId=66028