Blue Screen and Reboot During Full System Scan

When I run a full system scan, Avast goes to a variable point in the scan, and then stops; a blue screen appears; then the computer reboots. Can anyone tell me what’s happening, and more important, what I can and should do about it?

Could you upload the dump files to ftp://ftp.avast.com/incoming for the Avast! team to check out? :)

I’d be glad to do that; however, (1) I don’t know where the dump files would be, and (2) I don’t presently have an ftp client. The latter I can readily solve, but I’d need you to tell me where to find the dump files, and what they’re named.

Send me (kurtin@avast.com) the latest minidump file from the \Windows\Minidump folder, thanks.

The latest dump file is on its way.

Yesterday I sent a copy of my most recent dumpfile to a gentleman on this forum who requested it; however, there has been no reply. Am I perhaps being too impatient?
Another question I have is, do I have to fill in those skewed letters at the bottom of each post when posting? If so, why? I am legally blind, and trying to read those letters is extremely stressful.
Well, it appears that those letters only appeared yesterday at the bottom of posts from page 1, since they aren’t here this time.

Hello, thanks for the minidump file. It seems the bluescreen was caused by a hardware fault (processor). Would you mind checking, e.g., the CPU temperature? A full scan can cause high CPU usage, so it could lead to this fault…

SpeedFan will give an indication as to the temps.

Download SpeedFan and install it. Once it’s installed, run the program and post here the information it shows. The information I want you to post is the stuff that is circled in the example picture I have attached.
If you are running on a Vista machine, please go to where you installed the program and run the program as administrator.

http://artellos.geekstogo.com/speedfan.png

(This is a screenshot from a Vista machine.)

Thank you all for your responses. I need to add here, however, that I have run MSERT (the Microsoft safety scanner), which reported three Win32 Trojans. The only one I can remember is “Malat”. The scanner reported partial removal of all three, but apparently could not delete the Trojans completely. I don’t know whether this has an effect on the problem here, but I suspect it might, since I ran a selective scan of “C:”, and got the Blue Screen treatment a few minutes ago.

What were the file names and locations that MS found?

Download OTL to your Desktop

- Double click on the icon to run it. Make sure all other windows are closed, and let it run uninterrupted.
- Select All Users
- Under the Custom Scan box paste this in:

netsvcs
%SYSTEMDRIVE%*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
C:\Windows\assembly\tmp\U*.* /s
%Temp%\smtmp\1*.*
%Temp%\smtmp\2*.*
%Temp%\smtmp\3*.*
%Temp%\smtmp\4*.*

C:\commands.txt echo list vol /raw /hide /c
/wait
C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
/wait
type c:\diskreport.txt /c
/wait
erase c:\commands.txt /hide /c
/wait
erase c:\diskreport.txt /hide /c
CREATERESTOREPOINT

- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Post both logs

THEN

Download aswMBR.exe ( 1.8mb ) to your desktop.
Double click the aswMBR.exe to run it. Click the “Scan” button to start the scan.

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRScan.gif

On completion of the scan click save log, save it to your desktop and post in your next reply

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRsavelog.gif

When downloading SpeedFan, I noted a disclaimer with the warning that the product could cause damage to a PC. I have a quad-core processor at 3 GB per core. I will download the aswmbr and run it to see what I get; however, I’d appreciate an answer as to the safety of SpeedFan for a quad-core processor. Thank you.

There are no known problems with a quad core set up, but some of the fan speeds may be a bit off

Here is the logfile from an aswMBR scan:

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-24 14:07:33

14:07:33.015 OS Version: Windows 5.1.2600 Service Pack 3
14:07:33.015 Number of processors: 4 586 0x402
14:07:33.015 ComputerName: EVEREST UserName:
14:07:34.453 Initialize success
14:07:34.531 AVAST engine defs: 12032400
14:07:52.781 Disk 0 \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T1L0-c
14:07:52.781 Disk 0 Vendor: WDC_WD3200AAJB-00WGA0 00.02C01 Size: 305245MB BusType: 3
14:07:52.781 Disk 1 (boot) \Device\Harddisk1\DR1 → \Device\Scsi\nvgts1Port2Path0Target0Lun0
14:07:52.781 Disk 1 Vendor: WDC_WD50 07.0 Size: 476940MB BusType: 3
14:07:52.781 Disk 2 \Device\Harddisk2\DR2 → \Device\Scsi\nvgts1Port2Path1Target1Lun0
14:07:52.781 Disk 2 Vendor: ST350084 3.AA Size: 476940MB BusType: 3
14:07:52.796 Disk 1 MBR read successfully
14:07:52.796 Disk 1 MBR scan
14:07:52.796 Disk 1 Windows XP default MBR code
14:07:52.796 Disk 1 Partition 1 80 (A) 07 HPFS/NTFS NTFS 476929 MB offset 63
14:07:52.796 Disk 1 scanning sectors +976752000
14:07:52.859 Disk 1 scanning C:\WINDOWS\system32\drivers
14:07:57.312 Service scanning
14:08:05.656 Modules scanning
14:08:10.406 Disk 1 trace - called modules:
14:08:10.421 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll SCSIPORT.SYS nvgts.sys
14:08:10.421 1 nt!IofCallDriver → \Device\Harddisk1\DR1[0x8aaf0ab8]
14:08:10.421 3 CLASSPNP.SYS[f7637fd7] → nt!IofCallDriver → \Device\00000077[0x8aaf1920]
14:08:10.421 5 ACPI.sys[f75ae620] → nt!IofCallDriver → \Device\Scsi\nvgts1Port2Path0Target0Lun0[0x8aa8da38]
14:08:11.812 AVAST engine scan C:\WINDOWS
14:08:24.578 AVAST engine scan C:\WINDOWS\system32
14:10:03.390 AVAST engine scan C:\WINDOWS\system32\drivers
14:10:32.687 AVAST engine scan C:\Documents and Settings\Administrator
14:20:20.171 AVAST engine scan C:\Documents and Settings\All Users
14:22:44.875 Scan finished successfully
14:25:12.859 Disk 1 MBR has been saved successfully to “C:\Documents and Settings\Administrator\Desktop\MBR.dat”
14:25:12.859 The log file has been saved successfully to “C:\Documents and Settings\Administrator\Desktop\aswMBR Logfile.txt”

I have just run SpeedFan, and the result is sitting on my desktop; however, I don’t know how to transfer the data to my clipboard to post it here. How do I get the information to you?

A screenshot will do - what I am looking for is high GPU or CPU temperatures

Could you run OTL as well please. The aswMBR report looks OK
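One way to pull the MBR-relevant lines out of an aswMBR log like the one posted above, as an added example that is not part of the thread and not Avast's code. It assumes only the line wording visible in that log; any MBR verdict that lacks "default MBR code" is flagged for a person to look at, not treated as an infection.

```python
import re

# Lines copied from the aswMBR log posted above (trimmed to the MBR-relevant ones).
SAMPLE_LOG = r"""
14:07:52.781 Disk 0 \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T1L0-c
14:07:52.781 Disk 1 (boot) \Device\Harddisk1\DR1 → \Device\Scsi\nvgts1Port2Path0Target0Lun0
14:07:52.796 Disk 1 MBR read successfully
14:07:52.796 Disk 1 MBR scan
14:07:52.796 Disk 1 Windows XP default MBR code
14:22:44.875 Scan finished successfully
"""

LINE = re.compile(r"^\d\d:\d\d:\d\d\.\d{3} (.*)$")   # timestamp, then message
BOOT = re.compile(r"^Disk (\d+) \(boot\) ")
READ = re.compile(r"^Disk (\d+) MBR read successfully$")
CODE = re.compile(r"^Disk (\d+) (.+ MBR code)$")      # assumed verdict shape

def summarize(log):
    """Collect the boot disk, MBR read status, MBR verdicts and completion flag."""
    s = {"boot": None, "read": set(), "verdict": {}, "finished": False}
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # header and blank lines carry no timestamp
        msg = m.group(1)
        if (b := BOOT.match(msg)):
            s["boot"] = int(b.group(1))
        elif (r := READ.match(msg)):
            s["read"].add(int(r.group(1)))
        elif (c := CODE.match(msg)):
            s["verdict"][int(c.group(1))] = c.group(2)
        elif msg == "Scan finished successfully":
            s["finished"] = True
    return s

def needs_review(s):
    """Return reasons a human should look closer; empty for the log above."""
    reasons = []
    if not s["finished"]:
        reasons.append("scan did not finish")
    if s["boot"] is None:
        reasons.append("no boot disk identified")
    elif s["boot"] not in s["read"] or s["boot"] not in s["verdict"]:
        reasons.append("boot disk MBR was not read or has no verdict")
    for disk, verdict in sorted(s["verdict"].items()):
        if "default MBR code" not in verdict:
            reasons.append(f"disk {disk}: {verdict}")
    return reasons
```
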

I’ll be more than happy to run it, IF I can find it! I’ve looked on the Net, and all the sites in Google that advertise “Download OTL” give you the run-around, and all the download icons take you to some other software. Could you possibly mail a copy to gottlob@frontier.com?

Whose “OTL” should I be looking for, and where should I look? One entry in Google says there are 29 different files with that name, and only one is safe.

Download OTL to your Desktop

- Double click on the icon to run it. Make sure all other windows are closed, and let it run uninterrupted.
- Select All Users
- Under the Custom Scan box paste this in:

netsvcs
%SYSTEMDRIVE%*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
C:\Windows\assembly\tmp\U*.* /s
%Temp%\smtmp\1*.*
%Temp%\smtmp\2*.*
%Temp%\smtmp\3*.*
%Temp%\smtmp\4*.*

C:\commands.txt echo list vol /raw /hide /c
/wait
C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
/wait
type c:\diskreport.txt /c
/wait
erase c:\commands.txt /hide /c
/wait
erase c:\diskreport.txt /hide /c
CREATERESTOREPOINT

- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Post both logs

Attached are the two logfiles.

There are some very suspect toolbars and search engines - iLivid, Searchqu etc… There are also some failed Windows updates - have you received any lately?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
SRV - File not found [Auto | Stopped] -- C:\Program Files\Moon Secure Antivirus\msavcore.exe -- (msav)
IE - HKCU\..\SearchScopes\{AE422668-27E8-6F60-04EE-4C2D5A6DDD73}: "URL" = http://bw.startnow.com/s/?q={searchTerms}&src=defsearch&provider=bing&provider_name=bing&provider_code=Z105&partner_id=339&product_id=679&affiliate_id=&channel=&toolbar_id=200&toolbar_version=2.1.0&install_country=US&install_date=20110731&user_guid=30AC861C4E384BE2BA31B4D37303422F&machine_id=e00f9b2f6c9f7148f16edc90d49998b2&browser=IE&os=win&os_version=5.1-x86-SP3&iesrc={referrer:source}
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://start.facemoods.com/?a=fmtgl
FF - prefs.js..keyword.URL: "http://www.searchqu.com/web?src=ffb&appid=119&systemid=406&sr=0&q="
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 53495
[2011/08/31 19:58:14 | 000,000,000 | ---D | M] (Searchqu Toolbar) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wqe7zq9n.default\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}
[2011/06/24 20:51:05 | 000,000,000 | ---D | M] (myBabylon EnglishBB Community Toolbar) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wqe7zq9n.default\extensions\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}(2)
[2012/03/21 18:47:49 | 000,000,000 | ---D | M] (Facemoods) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wqe7zq9n.default\extensions\ffxtlbr@Facemoods.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files\Windows iLivid Toolbar\Datamngr\ToolBar\searchqudtx.dll ()
O3 - HKLM\..\Toolbar: (StartNow Toolbar) - {5911488E-9D1E-40ec-8CBB-06B231CC153F} - C:\Program Files\StartNow Toolbar\Toolbar32.dll File not found
O3 - HKLM\..\Toolbar: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files\Windows iLivid Toolbar\Datamngr\ToolBar\searchqudtx.dll ()
O3 - HKLM\..\Toolbar: (facemoods Toolbar) - {DB4E9724-F518-4dfd-9C7C-78B52103CAB9} - C:\Program Files\facemoods.com\facemoods\1.4.17.11\facemoodsTlbr.dll (facemoods.com)
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [DATAMNGR] C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngrUI.exe (Bandoo Media, inc)
O4 - HKLM..\Run: [facemoods] C:\Program Files\facemoods.com\facemoods\1.4.17.11\facemoodssrv.exe (facemoods.com)
O4 - HKCU..\Run: [JP595IR86O] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Mb1.exe File not found
O4 - HKCU..\Run: [XFSrPYgcG] C:\WINDOWS\System32\control.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Desktop Alert.lnk = C:\Program Files\Desktop Alert\liveonline_3270223.exe ()
O20 - AppInit_DLLs: (C:\PROGRA~1\WI371A~1\Datamngr\datamngr.dll) - C:\Program Files\Windows iLivid Toolbar\Datamngr\datamngr.dll (Bandoo Media, inc)
O20 - AppInit_DLLs: (C:\PROGRA~1\WI371A~1\Datamngr\IEBHO.dll) - C:\Program Files\Windows iLivid Toolbar\Datamngr\IEBHO.dll (Bandoo Media, inc)
O28 - HKLM ShellExecuteHooks: {4F07DA45-8170-4859-9B5F-037EF2970034} - No CLSID value found.
[2012/03/21 19:10:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\facemoods.com
[2012/03/21 18:47:46 | 000,000,000 | ---D | C] -- C:\Program Files\facemoods.com
[2012/03/24 13:19:36 | 000,000,314 | -HS- | M] () -- C:\WINDOWS\tasks\NFNAZTHZ.job
[2012/03/21 19:10:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\facemoods.com
[2011/09/06 09:17:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\PriceGong

:Files
ipconfig /flushdns /c
C:\Program Files\Windows iLivid Toolbar
C:\Program Files\facemoods.com
C:\Program Files\StartNow Toolbar

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.