First time visitor here

Status
Not open for further replies.
S

salamander

New member
I have a recent problem on my PC, running XP64bit Windows. At the end of boot-up, after I select User (happens to both of us) I get a Windows - No Disk Exception Message c-0000013 etc etc message. It clears after two presses of the Continue key BUT is repeatedly triggered by SpyBot S&D during testing. I run Avast4 AV which cannot find anything, nor can Ad-AWare, and SpyBot doesn't show anything. All my AV, OS etc are fully updated.
Event Viewer shows a Service Control Manager error involving ZDPNDIS5 NDIS which I believe can hide malware on occasion. A bootlog record shows repeated "did not load driver" for this item.
The net is full of contradictory advice on this error message. Can anyone please help me here. I have a HiJack This log, but it exceeds the allowed attachment size.
 
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

From the information you have provided, I can not tell if I can help or not. Strange messages are often the results of poorly written malware, but I can not rule out other issues. If you want me to see what I can do, are patient enough to give me the time I need to do it, I will be glad to take a look and advise you. If I can not help, I will be able to tell you that also. If this works for you, read the directions pinned to the top of the forum and posted above and post the HJT log and Kaspersky scan results requested. Use the number of posts you need to accomplish this.

Happy Holidays:santa:
 
Exception Error no disc message

PSKelley Thank you for your help offer

I am attaching the HJT log as 4 separate pages - sorry I'm at my limits doing this. Will PDF be okay?

The error manifests as a pop up box Windows - No Disc detailed as Exception Processing Message c0000013 Parameter 7c7d5f8e92ff1187c7df5f87c7d5f8. It appears after boot up, when I select the user and clears if Continue is pressed twice. If I run SpyBot S&D it continually pops up, stopping the process. No other AV or security program seems to trigger it.

My event viewer reports an error under Application with ID105 saying Creative Service for CDR was started while System has repeated error messages saying that ZDPNDIS5 NDIS Protocol Driver failed to start.

A Boot Log shows several pages of "Did not load driver \??\F:\WINDOWS\system32\ZDNDIS5.SYS". A search for this file, however, shows it located in SYSWOW64, not in WINDOWS32.

I cannot see any evidence of Malware, but I don't seem to be in full control of my PC. Attempts to recover to Restore Points are denied and my Administrator Password appears to be invalid. I have Avast 4 installed and have run a Shield Up test which did not show any unprotected ports.

Please ask for anything else if you feel it can help

Many thanks. A belated Happy Xmas and wishing you all a good 2008
 
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page
Click to expand...

Quoting my instructions above, please read them. I am limited in my knowledge about your Operating System, but I will do my best to help if you will follow the directions, starting with this one:

All logs should be copy/pasted into topic and not attached unless requested by helper in that format.
When adding posts to your topic, do so by clicking ADD REPLY
Click to expand...

Check your error messages, I use Google to research them and the one you posted returned nothing. Google will almost always return a result if the error message is correct and word for word.

Thanks
 
Sorry. Try again

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:02:34, on 23/12/2007
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.1830)
Boot mode: Normal

Running processes:
F:\Program Files (x86)\Thomson SpeedTouch\ST330\service\st330service.exe
F:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
F:\Program Files\Alwil Software\Avast4\ashServ.exe
F:\WINDOWS\SysWOW64\CTsvcCDA.exe
F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
F:\WINDOWS\SOUNDMAN.EXE
F:\WINDOWS\system32\spool\DRIVERS\x64\3\E_S4I0S2.EXE
F:\Program Files (x86)\SpeedTouch\Dr SpeedTouch\drst.exe
F:\Program Files\Messenger\msmsgs.exe
F:\WINDOWS\system32\spool\DRIVERS\x64\3\E_FATIBIE.EXE
F:\WINDOWS\SysWOW64\rundll32.exe
F:\WINDOWS\SysWOW64\ctfmon.exe
F:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
F:\Program Files (x86)\WLAN\XPC 802.11b+g Wireless Kit\ZDWlan.exe
F:\Program Files (x86)\Thomson SpeedTouch\ST330\diagnostics\diagnostics.exe
F:\Program Files (x86)\Microsoft Office\Office\FINDFAST.EXE
F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
F:\Program Files (x86)\Java\jre1.6.0_03\bin\jusched.exe
F:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [diagnostics] "F:\Program Files (x86)/Thomson SpeedTouch/ST330/diagnostics/diagnostics.exe" /icon -l:en
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files (x86)\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STManager] "F:\Program Files (x86)\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EPSON Stylus DX6000 Series] F:\WINDOWS\system32\spool\DRIVERS\x64\3\E_FATIBIE.EXE /FU "F:\WINDOWS\TEMP\E_S8F.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: Microsoft Find Fast.lnk = F:\Program Files (x86)\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: XPC 802.11b+g Wireless Utility.lnk = F:\Program Files (x86)\WLAN\XPC 802.11b+g Wireless Kit\ZDWlan.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174685366421
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - F:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - F:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - F:\WINDOWS\system32\services.exe (file missing)
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - F:\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - F:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - F:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - F:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - F:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - F:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - F:\WINDOWS\system32\nvsvc64.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - F:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - F:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - F:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - F:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - F:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: SpeedTouch 330 Manager (st330service) - THOMSON Telecom Belgium - F:\Program Files (x86)/Thomson SpeedTouch/ST330/service/st330service.exe
O23 - Service: Virtual Disk Service (vds) - Unknown owner - F:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - F:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - F:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--
End of file - 7422 bytes


This is the HiJack This log - think I've done it right this time. (Incidentally it says I am running a version of NT - I My system is on 64 bit XP (SP2))

I have been playing around a bit and following the Microsoft support notes. The error message does seem to refer to this ZDPNDIS5.SYS file. In System Information under Software - Drivers it shows it located in \??\F:\system32\Zdpndis5.sys. I think I am correct in assuming that \??\ implies some form of faulty path designation. In fact it is located according to Search, in the F;\Windows\SysWOW64 directory.
I made a copy into system32 directory and used RegEdt32 to change the image path to this location.
The error message still appears, but now states that the said file has incorrect syntax, rather than not being located.
Does anyone know why SpyBot should be so insistent on trying to find it? Nothing else does. Does SpyBot try to reach the part that other programs don't?
 
Thanks for returning your information, to clean the air, you need to know that questions about Spybot belong here: http://forums.spybot.info/forumdisplay.php?f=4

This is the HiJack This log - think I've done it right this time. (Incidentally it says I am running a version of NT - I My system is on 64 bit XP (SP2))
Click to expand...
Platform: Windows 2003 SP2 (WinNT 5.02.3790) <<< this is what you are running, If you wish to check, right click MyComputer and click Properties. You Operating System is near the top of the System Properties Windows.

The error message does seem to refer to this ZDPNDIS5.SYS file. <<< this does not help me, I need to read "the error message says this" and then the messsge word for word.
See this : http://www.google.com/search?hl=en&q=+ZDPNDIS5.SYS+file&btnG=Google+Search
http://www.google.com/search?hl=en&q=SysWOW64&btnG=Search

The only questionable item I see is accociated with a Service and it may or may not be bad. Use one or mor of these free online scanners to see what it is and post the information for me to view.

You will probably need to enable all files and folders to find it:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/
F:\WINDOWS\system32\services.exe <<< scan that file

Since I lack knowledge about your OS, having never seen it or worked on it, I suggest you would be better off looking for a Windows 2003 forum:
http://www.google.com/search?hl=en&q=Windows+2003+forum&btnG=Search

Thanks
 
Status
Not open for further replies.
Back
Top