Computer Keeps Crashing

==================================================
Dump File         : Mini020512-02.dmp
Crash Time        : 05/02/2012 04:45:11
Bug Check String  : ATTEMPTED_WRITE_TO_READONLY_MEMORY
Bug Check Code    : 0x000000be
Parameter 1       : 0x835b0d01
Parameter 2       : 0x43d02121
Parameter 3       : 0x88f6fa50
Parameter 4       : 0x0000000b
Caused By Driver  : netbt.sys
Caused By Address : netbt.sys+26d01
File Description  : MBT Transport driver
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 6.0.6002.18005 (lh_sp2rtm.090410-1830)
Processor         : 32-bit
Crash Address     : ntkrnlpa.exe+98379
Stack Address 1   : ntkrnlpa.exe+4ddd4
Stack Address 2   : netbt.sys+26d01
Stack Address 3   : TDI.SYS+2f02
Computer Name     :
Full Path         : C:\Windows\Minidump\Mini020512-02.dmp
Processors Count  : 2
Major Version     : 15
Minor Version     : 6002
Dump File Size    : 139,080
==================================================

==================================================
Dump File         : Mini020512-01.dmp
Crash Time        : 05/02/2012 03:58:04
Bug Check String  : MEMORY_MANAGEMENT
Bug Check Code    : 0x0000001a
Parameter 1       : 0x00000030
Parameter 2       : 0x86d5d968
Parameter 3       : 0xa7056000
Parameter 4       : 0x8b804030
Caused By Driver  : ntkrnlpa.exe
Caused By Address : ntkrnlpa.exe+cdb3f
File Description  : NT Kernel & System
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 6.0.6002.18533 (vistasp2_gdr.111025-0338)
Processor         : 32-bit
Crash Address     : ntkrnlpa.exe+cdb3f
Stack Address 1   : ntkrnlpa.exe+1e0fa8
Stack Address 2   : ntkrnlpa.exe+203838
Stack Address 3   : ntkrnlpa.exe+7cb68
Computer Name     :
Full Path         : C:\Windows\Minidump\Mini020512-01.dmp
Processors Count  : 2
Major Version     : 15
Minor Version     : 6002
Dump File Size    : 139,080
==================================================

[Malware Removal Specialist]

Please do this even if you don't have your OS disk. Please let me know what happens.

1/ Click the Start button.

2/ From the Start Menu, Click All programs followed by Accessories.

3/ In the Accessories menu, Right Click on the Command Prompt option.

4/ From the drop down menu that appears, Click on the Run as administrator option.

5/ If you have the User Account Control (UAC) enabled you will be asked for authorisation prior to the command prompt opening. You may simply need to press the Continue button if you are the administrator or insert the administrator password etc.

6/ In the Command Prompt window, type: sfc /scannow and then press Enter.

7/ A message will appear stating that the system scan will begin.

8/ Be patient because the scan may take some time.

9/ If any files require replacing SFC will replace them. You may be asked to insert your Vista DVD for this process to continue.

10/ If everything is okay you should, after the scan, see the following message Windows resource protection did not find any integrity violations.

11/ After the scan has completed, Close the command prompt window.

I followed the instructions above, when complete it gave the following message:

Windows Resource Protection found corrupt files but was unable to fix some of them. Details are included in the CBS.Log windir\Logs\CBS.Log.  For example C:\Windows\Logs\CBS\CBS.log

(I was not asked to provide the disk)

I located the file, but it's too big to attach, should I post here?

[Malware Removal Specialist]

I followed the instructions above, when complete it gave the following message:

Windows Resource Protection found corrupt files but was unable to fix some of them. Details are included in the CBS.Log windir\Logs\CBS.Log.  For example C:\Windows\Logs\CBS\CBS.log

(I was not asked to provide the disk)

I located the file, but it's too big to attach, should I post here?

Yes, please. I would like to see it. You may need to break it up into multiple posts if it's that large.

Tried to post in the message but am having problems, as it's cutting out bits,  so I have attached in two parts to two messages, hope that is OK.

Part 2

[Malware Removal Specialist]

Is your computer still crashing? Do you have the OS disk or can you borrow one? It will have to be the same OS that's on your machine.

Yes still crashing.  I have a Vista re-installation disk which came with the machine.

[Malware Removal Specialist]

Yes still crashing.  I have a Vista re-installation disk which came with the machine.

Boot from the disk and see if you can do a repair.

Ok, I changed the settings to boot from disc, and re-started the machine but it is struggling to boot from the re-install disc (also tried selecting to boot from disc (F12) when re-starting ).  When it can't it just runs Windows as normal. 

Initially I was unable to see the disc in Computer/E:, but it shows up fine now and I can explore what's on the disc, but still will not allow me to boot from it at start-up.


I don't think that there is a problem with the DVD/CD Drive as I've tried other discs in it and it plays all of them fine.  Any other ideas please?

[Malware Removal Specialist]

I will check with a colleague to see if he has any suggestions.

[Malware Removal Specialist]

Open the Start Menu.

2. Click on the Computer button.

3. Right click on your hard drive and click on Properties.

4. Click on the Tools tab.

5. Click on Check Now under the Error checking section. (See circled in red below)



. Click on Continue in the UAC prompt.

7. Make sure both options are checked. (See screenshot below)
NOTE: The Automatically fix file system errors box will be checked by default.

8. Click on the Start button.



9. You will get a pop-up window saying, "Windows can't check this disk while it's use". (See screenshot below)

10. Click on the Schedule disk check button for chkdsk to run the next time you restart your computer.



11. Restart your computer.
********************************************
Download Combofix from any of the links below, and save it to your desktop. 

Link 1
Link 2
Link 3

To prevent your anti-virus application interfering with  ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.

• Close any open windows and double click ComboFix.exe to run it.
  
  You will see the following image:
  

Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:



As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to  have this pre-installed on your machine before doing any malware  removal. This will not occur in Windows Vista and 7

It will allow you to boot up into a special recovery/repair  mode that will allow us to more easily help you should your computer  have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.



Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouseclick combofix's window while its running because it may call it to stall.

Thanks for your reply,

My machine came partitioned, so I have (C:) with my files on and (D:) Recovery with the system files, I ran Check Disc on (D:) a few days ago:  Tools > Check Now, etc (No re-scheduled disc check/restart asked for)  and when it completed it said that it had found and fixed some errors.

I ran it again on both drives  this morning and this was the result:

(D:) After clicking on the Check Now button, checking the box and starting, the check ran and I received a message box telling me that no faults were found.

(C:) As per your description it asked for a re-scheduled restart, when I re-started the machine Check Disc ran, got to 73% and stopped.  I ran this twice and both times stopped at exactly the same point.

I downloaded and installed ComboFix, text file content posted below:


ComboFix 12-02-09.04 - Jewelz 10/02/2012   7:25.1.2 - x86
Running from: c:\users\Jewelz\Downloads\ComboFix.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Jewelz\Desktop\msg.txt
c:\windows\security\Database\tmp.edb
.
.
(((((((((((((((((((((((((   Files Created from 2012-01-10 to 2012-02-10  )))))))))))))))))))))))))))))))
.
.
2012-02-10 07:32 . 2012-02-10 07:32   --------   d-----w-   c:\users\Default\AppData\Local\temp
2012-02-10 07:23 . 2012-02-10 07:23   29904   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EC2CA020-99FA-422A-89BC-F4989B237BF3}\MpKsl7a499d79.sys
2012-02-09 21:56 . 2012-01-17 04:39   6557240   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EC2CA020-99FA-422A-89BC-F4989B237BF3}\mpengine.dll
2012-02-06 20:04 . 2012-01-17 04:39   6557240   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-02-05 01:50 . 2011-10-04 17:22   703824   ------w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CF20F389-2B2F-4D64-8273-01AECBA278C1}\gapaengine.dll
2012-02-05 01:43 . 2012-02-05 01:44   --------   d-----w-   c:\program files\Microsoft Security Client
2012-02-05 01:42 . 2010-04-05 20:00   221568   ----a-w-   c:\windows\system32\drivers\netio.sys
2012-02-03 20:16 . 2012-02-03 20:16   --------   d-----w-   c:\programdata\Kaspersky Lab
2012-02-02 21:04 . 2012-02-05 09:20   40776   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2012-02-02 07:44 . 2012-02-02 07:44   --------   d-----w-   C:\found.000
2012-02-01 21:59 . 2012-02-01 21:59   --------   d--h--w-   c:\programdata\Common Files
2012-02-01 21:56 . 2012-02-05 01:32   --------   d-----w-   c:\programdata\MFAData
2012-02-01 02:16 . 2012-02-01 02:16   56200   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{BE294A22-1FDF-4B31-B650-EB71856DD724}\offreg.dll
2012-02-01 02:12 . 2012-01-06 04:19   6557240   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{BE294A22-1FDF-4B31-B650-EB71856DD724}\mpengine.dll
2012-01-26 00:49 . 2012-01-26 00:49   --------   d-----w-   c:\users\Jewelz\AppData\Roaming\Template
2012-01-25 21:39 . 2011-11-16 16:23   278528   ----a-w-   c:\windows\system32\schannel.dll
2012-01-25 21:39 . 2011-11-17 06:48   440192   ----a-w-   c:\windows\system32\drivers\ksecdd.sys
2012-01-25 21:39 . 2011-11-16 16:21   1259008   ----a-w-   c:\windows\system32\lsasrv.dll
2012-01-25 21:39 . 2011-11-16 16:23   377344   ----a-w-   c:\windows\system32\winhttp.dll
2012-01-25 21:39 . 2011-11-16 16:23   72704   ----a-w-   c:\windows\system32\secur32.dll
2012-01-25 21:39 . 2011-11-16 14:12   9728   ----a-w-   c:\windows\system32\lsass.exe
2012-01-25 15:14 . 2011-11-10 05:54   476904   ----a-w-   c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2012-01-13 07:52 . 2012-01-13 07:53   --------   d-----w-   c:\users\Jewelz\AppData\Roaming\Maxthon3
2012-01-13 07:52 . 2012-01-13 07:52   --------   d-----w-   c:\program files\Maxthon3
2012-01-12 19:36 . 2012-01-30 03:03   --------   d-----w-   c:\users\Jewelz\AppData\Local\Apple Computer
2012-01-12 19:35 . 2012-01-12 19:35   --------   d-----w-   c:\program files\Safari
2012-01-11 16:49 . 2011-10-14 16:03   189952   ----a-w-   c:\windows\system32\winmm.dll
2012-01-11 16:49 . 2011-10-14 16:00   23552   ----a-w-   c:\windows\system32\mciseq.dll
2012-01-11 16:49 . 2011-11-18 20:23   1205064   ----a-w-   c:\windows\system32\ntdll.dll
2012-01-11 16:49 . 2011-11-18 17:47   66560   ----a-w-   c:\windows\system32\packager.dll
2012-01-11 16:49 . 2011-11-25 15:59   376320   ----a-w-   c:\windows\system32\winsrv.dll
2012-01-11 16:49 . 2011-12-01 15:21   2409784   ----a-w-   c:\program files\Windows Mail\OESpamFilter.dat
2012-01-11 16:49 . 2011-10-25 15:58   1314816   ----a-w-   c:\windows\system32\quartz.dll
2012-01-11 16:49 . 2011-10-25 15:58   497152   ----a-w-   c:\windows\system32\qdvd.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-31 12:44 . 2011-11-29 03:11   237072   ------w-   c:\windows\system32\MpSigStub.exe
2012-01-12 19:06 . 2011-11-29 04:16   414368   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-10 15:24 . 2011-11-30 13:38   20464   ----a-w-   c:\windows\system32\drivers\mbam.sys
2011-12-03 17:55 . 2011-12-03 17:55   161792   ----a-w-   c:\windows\system32\msls31.dll
2011-12-03 17:55 . 2011-12-03 17:55   86528   ----a-w-   c:\windows\system32\iesysprep.dll
2011-12-03 17:55 . 2011-12-03 17:55   76800   ----a-w-   c:\windows\system32\SetIEInstalledDate.exe
2011-12-03 17:55 . 2011-12-03 17:55   74752   ----a-w-   c:\windows\system32\RegisterIEPKEYs.exe
2011-12-03 17:55 . 2011-12-03 17:55   63488   ----a-w-   c:\windows\system32\tdc.ocx
2011-12-03 17:55 . 2011-12-03 17:55   48640   ----a-w-   c:\windows\system32\mshtmler.dll
2011-12-03 17:55 . 2011-12-03 17:55   367104   ----a-w-   c:\windows\system32\html.iec
2011-12-03 17:55 . 2011-12-03 17:55   74752   ----a-w-   c:\windows\system32\iesetup.dll
2011-12-03 17:55 . 2011-12-03 17:55   23552   ----a-w-   c:\windows\system32\licmgr10.dll
2011-12-03 17:55 . 2011-12-03 17:55   152064   ----a-w-   c:\windows\system32\wextract.exe
2011-12-03 17:55 . 2011-12-03 17:55   150528   ----a-w-   c:\windows\system32\iexpress.exe
2011-12-03 17:55 . 2011-12-03 17:55   420864   ----a-w-   c:\windows\system32\vbscript.dll
2011-12-03 17:55 . 2011-12-03 17:55   142848   ----a-w-   c:\windows\system32\ieUnatt.exe
2011-12-03 17:55 . 2011-12-03 17:55   11776   ----a-w-   c:\windows\system32\mshta.exe
2011-12-03 17:55 . 2011-12-03 17:55   101888   ----a-w-   c:\windows\system32\admparse.dll
2011-12-03 17:55 . 2011-12-03 17:55   35840   ----a-w-   c:\windows\system32\imgutil.dll
2011-12-03 17:55 . 2011-12-03 17:55   110592   ----a-w-   c:\windows\system32\IEAdvpack.dll
2011-11-23 13:37 . 2011-12-13 22:04   2043904   ----a-w-   c:\windows\system32\win32k.sys
2011-11-21 04:21 . 2011-11-29 02:12   134104   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-02-22 159744]
"RtHDVCpl"="RtHDVCpl.exe" [2008-02-22 4907008]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-06-14 29744]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-20 1451304]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2011-12-09 74752]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54   551296   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Jewelz^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.3.lnk]
path=c:\users\Jewelz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
backup=c:\windows\pss\OpenOffice.org 3.3.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2008-02-29 03:59   17920   ----a-w-   c:\dell\E-Center\EULALauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaSuite.exe]
2011-11-01 15:40   1053056   ----a-w-   c:\program files\Nokia\Nokia Suite\NokiaSuite.exe
.
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2008-02-22 77824]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL7A499D79
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork   REG_MULTI_SZ      PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation   REG_MULTI_SZ      FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-11-29 02:10]
.
2012-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-11-29 02:10]
.
2012-02-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1900899137-3597166765-57595471-1000Core.job
- c:\users\Jewelz\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-29 03:26]
.
2012-02-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1900899137-3597166765-57595471-1000UA.job
- c:\users\Jewelz\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-29 03:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://partnerpage.google.com/smallbiz.dell.com/en_uk?hl=en&client=dell-usuk&channel=uk-smb&ibd=2080614
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Jewelz\AppData\Roaming\Mozilla\Firefox\Profiles\5ato6w99.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-10 07:32
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-02-10  07:35:08
ComboFix-quarantined-files.txt  2012-02-10 07:34
.
Pre-Run: 115,614,625,792 bytes free
Post-Run: 115,545,063,424 bytes free
.
- - End Of File - - BAC03D71C12A54AD819D612ED5E600F2