Crash when updating windows
All,
I am new to this, so bear with me if I make protocol mistakes. I do repair computers, so I know my way around Windows.
I am having trouble with what I suspect is spyware. I started fixing a system from a friend that had trouble booting. I used Lavasoft Adaware and Spybot in safe mode to clean before I started the update. All came up clean and the system was working well, so I started the updates. This started after the SP2 install. The system crashes every time it tries to install Windows updates. Also, the firewall will not allow me to turn it off.
I get a blue screen and a memory dump of:
*** STOP: 0x0000008E (0xc0000005,0xEFCDD896,0xEEA69A20,0x00000000)
*** system32:hy32.sys -address EFCDD896 base at EFCD8000, DATESTAMP 45E30bb8
I suspected smitfraud, so I downloaded and ran smitfraudfix in safe mode, with no fix. I also ran HTJ; see logs below:
SmitFraudFix v2.147
Scan done at 3:47:27.90, Sun 03/04/2007
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] – Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32
huy32 detected, use a Rootkit scanner
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
Here is my HTJ log:
Logfile of HijackThis v1.98.1
Scan saved at 3:40:27 AM, on 3/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wuauclt.exe
J:\Downloads\Utilities\Adaware\HijackThis.exe
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 – HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 – BHO: AcroIEHlprObj Class – {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} – C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 – BHO: (no name) – {53707962-6F74-2D53-2644-206D7942484F} – C:\Program Files\Spybot – Search & Destroy\SDHelper.dll
O2 – BHO: (no name) – {549B5CA7-4A86-11D7-A4DF-000874180BB3} – (no file)
O2 – BHO: (no name) – {5A07192F-605D-4A12-B5EE-C30F3031C24C} – (no file)
O2 – BHO: NAV Helper – {BDF3E430-B101-42AD-A544-FADC6B084872} – C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 – BHO: Still Image – {E8656DAF-0229-BA16-E97D-31557D631863} – C:\WINDOWS\system\mtstct32.dll
O2 – BHO: (no name) – {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} – (no file)
O3 – Toolbar: AOL Toolbar – {4982D40A-C53B-4615-B15B-B5B5E98D167C} – C:\Program Files\AOL Toolbar\toolbar.dll
O3 – Toolbar: Norton AntiVirus – {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} – C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 – HKLM\..\Run: [AOLDialer] “C:\Program Files\Common Files\AOL\ACS\AOLDial.exe”
O4 – HKLM\..\Run: [AOL Spyware Protection] “C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe”
O4 – HKLM\..\Run: [RemoteControl] “C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe”
O4 – HKLM\..\Run: [SunKistEM] “C:\Program Files\Digital Media Reader\shwiconem.exe”
O4 – HKLM\..\Run: [sysdrv] C:\WINDOWS\svchosts.exe
O4 – HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 – HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 – HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 – HKCU\..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 – Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 – Extra context menu item: &AOL Toolbar search – res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 – Extra button: (no name) – {08B0E5C0-4FCB-11CF-AAA5-00401C608501} – (no file)
O9 – Extra ‘Tools’ menuitem: Sun Java Console – {08B0E5C0-4FCB-11CF-AAA5-00401C608501} – (no file)
O9 – Extra button: AOL Toolbar – {4982D40A-C53B-4615-B15B-B5B5E98D167C} – C:\Program Files\AOL Toolbar\toolbar.dll
O9 – Extra ‘Tools’ menuitem: AOL Toolbar – {4982D40A-C53B-4615-B15B-B5B5E98D167C} – C:\Program Files\AOL Toolbar\toolbar.dll
O9 – Extra button: Research – {92780B25-18CC-41C8-B9BE-3C9C571A8263} – C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 – Extra button: Real.com – {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} – C:\WINDOWS\System32\Shdocvw.dll
O9 – Extra button: Messenger – {FB5F1910-F110-11d2-BB9E-00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
O9 – Extra ‘Tools’ menuitem: Windows Messenger – {FB5F1910-F110-11d2-BB9E-00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
O12 – Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 – Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 – Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O14 – IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 – DPF: {01111F00-3E00-11D2-8470-0060089874ED} – http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
O16 – DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) – http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172942335343
O21 – SSODL: KrkgmShzCdjj – {206E1394-8AC4-B93E-232B-376859CD0C9C} – (no file)
Mind you, the system still boots and all systems are working except Windows Update.
Thanks in advance; any ideas would be helpful.