fnillc
asked on
Why am I getting a 0x0000007f (0x7f) STOP error code / Blue Screen of Death when I try to boot XP Pro SP2 in Normal mode, but not Safe mode?
The computer in question is a Dell Dimension 9200, Core 2 Duo 6600 @ 2.4GHz. 1 GB RAM (2 x 512 MB DIMMs). The OS is Windows XP Pro w/SP2.
The problem started a few days ago for no apparent reason. The user complained of the computer shutting down suddenly with a flash of a blue screen.
When I try to boot the PC into Normal mode (or Last Known Good Config), it gets to the Windows loading screen, then the blank, light blue screen with the mouse for about 3-5 seconds, then it blue screens. Even though "automatic restart after system failure" is disabled, the blue screen lasts for about half a second.
The error message is "The computer has rebooted from a bugcheck. Â The bugcheck was: 0x1000007f (0x00000008, 0x80042000, 0x00000000, 0x00000000)."
(The error code is 0x0000007f in the blue screen itself, not 0x1000007f).
I looked up 0x7f and most sites said it was a hardware problem. I ran Dell's hardware diagnostics utility and it came up with no problems. Memtest86 showed no problems. I swapped the sticks of RAM, tried with just one in, and the other in, and tried the different set of memory slots. All produced the same problem. I downloaded and installed the latest Intel Chipset drivers, and tried to install the latest BIOS update, but it wouldn't let me in Safe mode.
I also tried in VGA mode, to see if it was video card driver-related, but I get the same exact blue screen at the same point.
I can load XP all the way in Safe Mode w/Networking just fine, no blue/STOP screens, everything [that Safe Mode loads] is functional. Spybot 1.6 w/latest definitions (as of 2008-09-02) detected Antivirus XP 2008, and My Web Search, and a couple other things (CouponBar, can't remember the rest, but they seemed fairly benign, like cookies, registry entries). I removed these and now Spybot is reporting nothing, but I still get the blue screen when I try to boot in normal mode.
So the fact that I can boot up and run the PC just fine in Safe Mode w/Networking suggests the problem lies with some piece of software or .dll or .exe or driver that is loading in Normal Mode but not Safe Mode... rather than a motherboard/processor (which is not overclocked, by the way) issue.
Symantec AV Corporate Edition (latest definitions) is installed on this computer, as is Acrobat 8 Pro, and Peachtree accounting software.
Here's the log of the latest HiJackThis! scan (disregard the DOMAIN-REMOVED.com, that's because this PC is on a Windows Server 2003 Active Directory domain, and I renamed the domain for privacy purposes ---- also, Spybot removed several things but apparently has to boot into Normal Mode to delete the last remnants, which it can't do because I can't get into Normal mode, but I already removed these items manually -- so that's why it says "SpybotDeleting"):
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:23:43 PM, on 9/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\system32\svchos
C:\Program Files\Lavasoft\Ad-Aware\aa
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon
C:\WINDOWS\system32\mmc.ex
C:\Program Files\Spybot - Search &Â Destroy\SpybotSD.exe
R1 - HKCU\Software\Microsoft\In
R0 - HKCU\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKCU\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\Wi
R1 - HKCU\Software\Microsoft\Wi
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0
O1 - Hosts: 199.41.56.5 dcsprod.phx-dc.dhl.com # port 7000 ICS production host
O1 - Hosts: 199.41.254.207 xmlpi.dhl-usa.com # port 80 XML services for tracking
O1 - Hosts: 199.41.238.32 www.dhl-usa.com # port 80 www.dhl-usa.com for services
O1 - Hosts: 199.41.254.110 dhlconnect.dhl-usa.com # port 80 AWB range request HTTP server
O1 - Hosts: 199.41.238.52 track.dhl-usa.com
O1 - Hosts: 199.41.238.63 webship.dhl-usa.com
O1 - Hosts: 65.114.156.130 aesdirect.gov
O1 - Hosts: 65.114.156.130 www.aesdirect.gov
O1 - Hosts: 199.41.254.163 xmlshippingtest.dhl-usa.co
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-0
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-C
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-C
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-0
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobs
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTra
O4 - HKLM\..\Run: [PeachtreePrefetcher.exe] "C:\PROGRA~1\SAGESO~1\PEAC
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotif
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dump
O4 - HKLM\..\RunOnce: [wdl] C:\Program Files\Dell\Chipset Software Installer\setup.exe -S
O4 - HKLM\..\RunOnce: [SpybotDeletingA4985] command /c del "C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8993] cmd /c del "C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2516] command /c del "C:\WINDOWS\system32\CbEvt
O4 - HKLM\..\RunOnce: [SpybotDeletingC8824] cmd /c del "C:\WINDOWS\system32\CbEvt
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [EPSON Stylus CX9400Fax Series] C:\WINDOWS\System32\spool\
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbar
O4 - HKCU\..\RunOnce: [SpybotDeletingB5678] command /c del "C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1094] cmd /c del "C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2453] command /c del "C:\WINDOWS\system32\CbEvt
O4 - HKCU\..\RunOnce: [SpybotDeletingD1768] cmd /c del "C:\WINDOWS\system32\CbEvt
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlma
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClien
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClien
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClien
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClien
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClien
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClien
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClien
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClien
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O16 - DPF: {4871A87A-BFDD-4106-8153-F
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-4
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\Software\..\Telephony
O17 - HKLM\System\CS1\Services\T
O21 - SSODL: QWdraQm - {6CB65C17-C61C-F6BD-1EC9-B
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aa
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDev
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponde
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingServ
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEU
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc3
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 12040 bytes
The problem started a few days ago for no apparent reason. The user complained of the computer shutting down suddenly with a flash of a blue screen.
When I try to boot the PC into Normal mode (or Last Known Good Config), it gets to the Windows loading screen, then the blank, light blue screen with the mouse for about 3-5 seconds, then it blue screens. Even though "automatic restart after system failure" is disabled, the blue screen lasts for about half a second.
The error message is "The computer has rebooted from a bugcheck. Â The bugcheck was: 0x1000007f (0x00000008, 0x80042000, 0x00000000, 0x00000000)."
(The error code is 0x0000007f in the blue screen itself, not 0x1000007f).
I looked up 0x7f and most sites said it was a hardware problem. I ran Dell's hardware diagnostics utility and it came up with no problems. Memtest86 showed no problems. I swapped the sticks of RAM, tried with just one in, and the other in, and tried the different set of memory slots. All produced the same problem. I downloaded and installed the latest Intel Chipset drivers, and tried to install the latest BIOS update, but it wouldn't let me in Safe mode.
I also tried in VGA mode, to see if it was video card driver-related, but I get the same exact blue screen at the same point.
I can load XP all the way in Safe Mode w/Networking just fine, no blue/STOP screens, everything [that Safe Mode loads] is functional. Spybot 1.6 w/latest definitions (as of 2008-09-02) detected Antivirus XP 2008, and My Web Search, and a couple other things (CouponBar, can't remember the rest, but they seemed fairly benign, like cookies, registry entries). I removed these and now Spybot is reporting nothing, but I still get the blue screen when I try to boot in normal mode.
So the fact that I can boot up and run the PC just fine in Safe Mode w/Networking suggests the problem lies with some piece of software or .dll or .exe or driver that is loading in Normal Mode but not Safe Mode... rather than a motherboard/processor (which is not overclocked, by the way) issue.
Symantec AV Corporate Edition (latest definitions) is installed on this computer, as is Acrobat 8 Pro, and Peachtree accounting software.
Here's the log of the latest HiJackThis! scan (disregard the DOMAIN-REMOVED.com, that's because this PC is on a Windows Server 2003 Active Directory domain, and I renamed the domain for privacy purposes ---- also, Spybot removed several things but apparently has to boot into Normal Mode to delete the last remnants, which it can't do because I can't get into Normal mode, but I already removed these items manually -- so that's why it says "SpybotDeleting"):
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:23:43 PM, on 9/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\system32\svchos
C:\Program Files\Lavasoft\Ad-Aware\aa
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon
C:\WINDOWS\system32\mmc.ex
C:\Program Files\Spybot - Search &Â Destroy\SpybotSD.exe
R1 - HKCU\Software\Microsoft\In
R0 - HKCU\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKCU\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\Wi
R1 - HKCU\Software\Microsoft\Wi
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0
O1 - Hosts: 199.41.56.5 dcsprod.phx-dc.dhl.com # port 7000 ICS production host
O1 - Hosts: 199.41.254.207 xmlpi.dhl-usa.com # port 80 XML services for tracking
O1 - Hosts: 199.41.238.32 www.dhl-usa.com # port 80 www.dhl-usa.com for services
O1 - Hosts: 199.41.254.110 dhlconnect.dhl-usa.com # port 80 AWB range request HTTP server
O1 - Hosts: 199.41.238.52 track.dhl-usa.com
O1 - Hosts: 199.41.238.63 webship.dhl-usa.com
O1 - Hosts: 65.114.156.130 aesdirect.gov
O1 - Hosts: 65.114.156.130 www.aesdirect.gov
O1 - Hosts: 199.41.254.163 xmlshippingtest.dhl-usa.co
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-0
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-C
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-C
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-0
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobs
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTra
O4 - HKLM\..\Run: [PeachtreePrefetcher.exe] "C:\PROGRA~1\SAGESO~1\PEAC
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotif
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dump
O4 - HKLM\..\RunOnce: [wdl] C:\Program Files\Dell\Chipset Software Installer\setup.exe -S
O4 - HKLM\..\RunOnce: [SpybotDeletingA4985] command /c del "C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8993] cmd /c del "C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2516] command /c del "C:\WINDOWS\system32\CbEvt
O4 - HKLM\..\RunOnce: [SpybotDeletingC8824] cmd /c del "C:\WINDOWS\system32\CbEvt
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [EPSON Stylus CX9400Fax Series] C:\WINDOWS\System32\spool\
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbar
O4 - HKCU\..\RunOnce: [SpybotDeletingB5678] command /c del "C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1094] cmd /c del "C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2453] command /c del "C:\WINDOWS\system32\CbEvt
O4 - HKCU\..\RunOnce: [SpybotDeletingD1768] cmd /c del "C:\WINDOWS\system32\CbEvt
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlma
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClien
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClien
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClien
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClien
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClien
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClien
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClien
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClien
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O16 - DPF: {4871A87A-BFDD-4106-8153-F
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-4
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\Software\..\Telephony
O17 - HKLM\System\CS1\Services\T
O21 - SSODL: QWdraQm - {6CB65C17-C61C-F6BD-1EC9-B
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aa
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDev
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponde
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingServ
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEU
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc3
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 12040 bytes
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
C:\WINDOWS\system32\wijl.d
You can fix those runonce entries belonging to Spybot.
Also try Malwarebytes' to remove any remnants, as already suggested.
download Anti-Malware to your desktop and check for Updates before scanning.
http://www.malwarebytes.org/mbam.php
You can fix those runonce entries belonging to Spybot.
Also try Malwarebytes' to remove any remnants, as already suggested.
download Anti-Malware to your desktop and check for Updates before scanning.
http://www.malwarebytes.org/mbam.php
Try booting without the mouse or if you have a LAN card, make sure that it is disabled and try to reboot, as strange as it may sound, those might be giving problems as well. I had a mysterious BSOD after upgrading my Ethernet card driver.
ASKER
Thank you very much! The Malwarebytes Anti-Malware tool found more than Spybot/Ad-Aware (rootkits and trojans) and removed it all completely. I rebooted and everything was back to normal.
ASKER
Malwarebytes' free Anti-Malware scanner software was the solution to my problem. It found more rootkits and trojans that Spybot and Ad-Aware did not find, and removed them. Once I rebooted the computer was back to normal, no blue screens.
Thank you for all your help.
Thank you for all your help.
ASKER
Thanks for the info. Yeah the line:
O21 - SSODL: QWdraQm - {6CB65C17-C61C-F6BD-1EC9-B
...looked suspicious to me, too. So I removed it after I posted the question... didn't change anything.
Yes the computer is part of a Windows Server 2003 AD Domain, and I changed the real domain to DOMAIN-REMOVED.com.
The remnants of the virus you mention are actually just Spybot entries that are trying to remove those remnants, which I manually removed. Those are just shortcut entries anyway, and they no longer exist.
Ad-Aware found some more malware that Spybot missed so that may be the problem. I am running a full system scan, and TrendMicro's HouseCall online scanner. I'll try your other suggestions when I have more time tomorrow (Wed). I may also try running a repair install of XP, then apply SP3 if that works.