Expert: Brian Benosky - 7/13/2009

Question
QUESTION: hi Brian,
i don't think this is a malware problem--hence i'm doing the HJT log. I'm really hoping you can help though--a few years ago , you helped me remove a lot of spyware from this very laptop!
Basically, over the past days, every time i try to upload personal photos and videos from my SD card--i get the BSOD. it has happened 4 times already--twice today.
At first, i thought it was the picasa 3 that was causing the problem so i removed it..including the database--and reinstalled it --and with another BSOD, removed picasa again.
i then tried to upload the pictures with the windows picture viewer and it crashed again with BSOD.
Also, about  a week ago i had downloaded and run spybot--i  saved a registry. But after the first BSOD, i removed that program as well and system restored to an earlier date.
i had also previously removed all the canon camera software as i never used it.
I have a Dell XPS M140 with Windows xps media center edition. i tried to update the intel driver--but after i downloaded it, my computer said that it was not authorized.

Otherwise my computer runs fine--though it has slowed down during start-up.
i would really appreciate any help.
thanks!
prerna

ANSWER: Hi Prerna

What anti-virus and firewall programs are you running?  These card readers have been known to hang with Norton installed.  Try disabling your AV and firewall for a bit (disconnect from the internet first), then use the SD card reader.  Let me know if that makes a difference or not.

Brian

---------- FOLLOW-UP ----------

QUESTION: hi brian,
so sorry to post a follow-up--i think that this might be critical--windows website after BSOD suggested that i update my drivers --BIOS and chipset and video display. so i downloaded them from dell.com--however for all of them i got the following message--"cannot start application.application missing required files. contact vendor for assistance"
on clicking details i got the following--
PLATFORM VERSION INFO
  Windows          : 5.1.2600.196608 (Win32NT)
  Common Language Runtime    : 2.0.50727.832
  System.Deployment.dll       : 2.0.50727.832 (QFE.050727-8300)
  mscorwks.dll          : 2.0.50727.832 (QFE.050727-8300)
  dfdll.dll          : 2.0.50727.42 (RTM.050727-4200)
  dfshim.dll          : 2.0.50727.42 (RTM.050727-4200)

SOURCES
  Deployment url         : file:///C:/Documents%20and%20Settings/prerna/Desktop/DellDriverDownloadManager(2).application

IDENTITIES
  Deployment Identity      : DellDriverDownloadManager.application, Version=1.0.0.0, Culture=neutral, PublicKeyToken=c8a6012355de1b2d, processorArchitecture=msil

APPLICATION SUMMARY
  * Installable application.
  * Trust url parameter is set.
ERROR SUMMARY
  Below is a summary of the errors, details of these errors are listed later in the log.
  * Activation of C:\Documents and Settings\prerna\Desktop\DellDriverDownloadManager(2).application resulted in exception. Following failure messages were detected:
     + Downloading file:///C:/Documents and Settings/prerna/Desktop/Application%20Files/DellDriverDownloadManager_1_0_0_0/DellDriverDownloadManager.exe.manifest did not succeed.
     + Could not find a part of the path 'C:\Documents and Settings\prerna\Desktop\Application%20Files\DellDriverDownloadManager_1_0_0_0\DellDriverDownloadManager.exe.manifest'.
     + Could not find a part of the path 'C:\Documents and Settings\prerna\Desktop\Application%20Files\DellDriverDownloadManager_1_0_0_0\DellDriverDownloadManager.exe.manifest'.
     + Could not find a part of the path 'C:\Documents and Settings\prerna\Desktop\Application%20Files\DellDriverDownloadManager_1_0_0_0\DellDriverDownloadManager.exe.manifest'.

COMPONENT STORE TRANSACTION FAILURE SUMMARY
  No transaction error was detected.

WARNINGS
  There were no warnings during this operation.

OPERATION PROGRESS STATUS
  * [7/12/2009 4:41:20 PM] : Activation of C:\Documents and Settings\prerna\Desktop\DellDriverDownloadManager(2).application has started.
  * [7/12/2009 4:41:20 PM] : Processing of deployment manifest has successfully completed.
  * [7/12/2009 4:41:20 PM] : Installation of the application has started.

ERROR DETAILS
  Following errors were detected during this operation.
  * [7/12/2009 4:41:20 PM] System.Deployment.Application.DeploymentDownloadException (Unknown subtype)
     - Downloading file:///C:/Documents and Settings/prerna/Desktop/Application%20Files/DellDriverDownloadManager_1_0_0_0/DellDriverDownloadManager.exe.manifest did not succeed.
     - Source: System.Deployment
     - Stack trace:
        at System.Deployment.Application.SystemNetDownloader.DownloadSingleFile(DownloadQueueItem next)
        at System.Deployment.Application.SystemNetDownloader.DownloadAllFiles()
        at System.Deployment.Application.FileDownloader.Download(SubscriptionState subState)
        at System.Deployment.Application.DownloadManager.DownloadManifestAsRawFile(Uri& sourceUri, String targetPath, IDownloadNotification notification, DownloadOptions options, ServerInformation& serverInformation)
        at System.Deployment.Application.DownloadManager.DownloadApplicationManifest(AssemblyManifest deploymentManifest, String targetDir, Uri deploymentUri, IDownloadNotification notification, DownloadOptions options, Uri& appSourceUri, String& appManifestPath)
        at System.Deployment.Application.ApplicationActivator.DownloadApplication(SubscriptionState subState, ActivationDescription actDesc, Int64 transactionId, TempDirectory& downloadTemp)
        at System.Deployment.Application.ApplicationActivator.InstallApplication(SubscriptionState subState, ActivationDescription actDesc)
        at System.Deployment.Application.ApplicationActivator.PerformDeploymentActivation(Uri activationUri, Boolean isShortcut)
        at System.Deployment.Application.ApplicationActivator.ActivateDeploymentWorker(Object state)
     --- Inner Exception ---
     System.Net.WebException
     - Could not find a part of the path 'C:\Documents and Settings\prerna\Desktop\Application%20Files\DellDriverDownloadManager_1_0_0_0\DellDriverDownloadManager.exe.manifest'.
     - Source: System
     - Stack trace:
        at System.Net.FileWebRequest.EndGetResponse(IAsyncResult asyncResult)
        at System.Net.FileWebRequest.GetResponse()
        at System.Deployment.Application.SystemNetDownloader.DownloadSingleFile(DownloadQueueItem next)
     --- Inner Exception ---
     System.Net.WebException
     - Could not find a part of the path 'C:\Documents and Settings\prerna\Desktop\Application%20Files\DellDriverDownloadManager_1_0_0_0\DellDriverDownloadManager.exe.manifest'.
     - Source: System
     - Stack trace:
        at System.Net.FileWebResponse..ctor(FileWebRequest request, Uri uri, FileAccess access, Boolean asyncHint)
        at System.Net.FileWebRequest.GetResponseCallback(Object state)
     --- Inner Exception ---
     System.IO.DirectoryNotFoundException
     - Could not find a part of the path 'C:\Documents and Settings\prerna\Desktop\Application%20Files\DellDriverDownloadManager_1_0_0_0\DellDriverDownloadManager.exe.manifest'.
     - Source: mscorlib
     - Stack trace:
        at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
        at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy)
        at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, Boolean useAsync)
        at System.Net.FileWebStream..ctor(FileWebRequest request, String path, FileMode mode, FileAccess access, FileShare sharing, Int32 length, Boolean async)
        at System.Net.FileWebResponse..ctor(FileWebRequest request, Uri uri, FileAccess access, Boolean asyncHint)

COMPONENT STORE TRANSACTION DETAILS
  No transaction information is available.



ANSWER: Hi Prerna

Quickly, while going through the log, I noticed the error came from a problem with Dell Driver Application Manager.  This is a new program which Dell has forced upon users.  I was reading some of the Dell forums, and folks are having all sorts of trouble with this.  Here's some info on using DDAM:
You must have Microsoft .NET 3.5 Service Pack 1 installed, you can download it from http://www.microsoft.com/downloads/details.aspx?FamilyID=ab99342f-5d1a-413d-8319
You must also have Microsoft .NET Assistant version 1.1 installed which can be downloaded from http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=cecc62dc
Also, try installing without DDAM:
When you first try to download a file you will be presented with a pop up page displaying 2 options. Download via Driver Download Manager or Download via Internet Browser. If you choose the second option your files will be downloaded as per normal.
If you happened to choose the first option for the Driver Download Manager and you no longer wish to use it. It can be removed via Add Remove programs in Windows. To enable the pop up page again to view the two options as above please empty your cookies.
Read more here:
http://en.community.dell.com/blogs/direct2dell/archive/2009/07/01/dell-driver-do
Keep me updated.

Brian

---------- FOLLOW-UP ----------

QUESTION: Hi brian,
i was able to update the drivers using your method--but no luck --the dreaded BDOS returned as soon as i popped in the SD card.
Do you think its spyware/malware?--my comodo antivirus did quarantine a couple of trojans a few weeks ago.
I did a HJT scan and am posting the log alongside--other than that, i'm not sure what to do. thanks for your prompt replies--prerna

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:42:06 PM, on 7/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe
C:\Program Files\Comodo\Firewall\cfp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Comodo\Comodo AntiVirus\Cavaud.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Comodo\Comodo AntiVirus\CAVSubmit.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/forgotPassword.asp?affid=105-72&langid=1&close=true&RW
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ShowLOMControl]

O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [cnfgCav] "C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\Comodo\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} (KooPlayer Control) - http://www.ooxtv.com/livetv.ocx
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

--
End of file - 7344 bytes


Answer
Hi Prerna

There could be some corruption to Windows system files left over from the trojans you had.  Let's run a ComboFix scan to make sure everything is gone.  Please download ComboFix from here:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Important: Save it to your Desktop.
Double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. Follow the prompts and be sure to install the Windows Recovery Console if asked to. ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.  If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. ComboFix may also restart your computer.  Do not intervene.  Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.  It will then display the log file automatically for you.  Copy and paste that log to me and include a new HJT log.

Brian