On-demand Smart Scan crashes system

Discussion in 'ESET NOD32 Antivirus' started by Quickening, May 20, 2010.

Thread Status:
Not open for further replies.
  1. Quickening (Registered Member)

    Joined: May 20, 2010 | Posts: 7
    I ran a smart scan the other day and it seemed like it found something on my system, but the computer crashed before I could see what it was. Now every time I try to run the scan, it crashes my computer when it gets to 99%. What can I do?
     
  2. Marcos (Eset Staff Account)

    Joined: Nov 22, 2002 | Posts: 14,374
    If by crash you mean BSOD, configure the system to create kernel or complete memory dumps per the instructions here and reproduce it. Let me know when done so that I can provide you with further instructions.
     
  3. Quickening (Registered Member)

    Joined: May 20, 2010 | Posts: 7
    Not a BSOD, the whole system just freezes. Can't even open Task Manager. I eventually have to shut it down manually.
     
  4. STRYDER (Registered Member)

    Joined: Aug 21, 2008 | Posts: 99
    Sounds like previous AV conflict. Try http://www.appremover.com/ and see if it picks up anything.
     
  5. vtol (Registered Member)

    Joined: Apr 8, 2010 | Posts: 774 | Location: just around the next corner
    is there anything inked in the OS / NOD logs hinting at the matter?
     
  6. Quickening (Registered Member)

    Joined: May 20, 2010 | Posts: 7
    Nothing in Detected Threats but there is a file in quarantine from Monday which is when this problem started.

    Under reason it says JS/Exploit.Pdfka.NYM trojan. Not sure if that has anything to do with it.
     
  7. vtol (Registered Member)

    Joined: Apr 8, 2010 | Posts: 774 | Location: just around the next corner
    do you mind checking also windows logs (administrative and application) and NOD log on demand computer scan? and see whether anything related (timing) is showing up?
     
  8. Quickening (Registered Member)

    Joined: May 20, 2010 | Posts: 7
    Are these helpful? I guess I don't really know what I'm looking for.


    5/19/2010 2:24:07 PM Operating memory;C:\Boot sector; D:\Boot sector;C:\; D:\ 0 0 0 Scanning in progress
    5/17/2010 8:31:47 PM Operating memory;C:\Boot sector; D:\Boot sector;C:\; D:\ 0 0 0 Scanning in progress
    5/17/2010 5:27:34 PM Operating memory;C:\Boot sector; D:\Boot sector;C:\; D:\ 0 0 0 Scanning in progress
    5/17/2010 2:09:25 PM Operating memory;C:\Boot sector; D:\Boot sector;C:\; D:\ 0 0 0 Scanning in progress


    Log Name: Application
    Source: Application Hang
    Date: 5/17/2010 4:50:15 PM
    Event ID: 1002
    Task Category: (101)
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: Tori-PC
    Description:
    The program egui.exe version 4.0.474.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel. Process ID: afc Start Time: 01caf4505a8fa68e Termination Time: 186
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Application Hang" />
    <EventID Qualifiers="0">1002</EventID>
    <Level>2</Level>
    <Task>101</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2010-05-17T23:50:15.000Z" />
    <EventRecordID>30069</EventRecordID>
    <Channel>Application</Channel>
    <Computer>Tori-PC</Computer>
    <Security />
    </System>
    <EventData>
    <Data>egui.exe</Data>
    <Data>4.0.474.0</Data>
    <Data>afc</Data>
    <Data>01caf4505a8fa68e</Data>
    <Data>186</Data>
    <Binary>55006E006B006E006F0077006E0000000000</Binary>
    </EventData>
    </Event>

    Log Name: Application
    Source: Windows Error Reporting
    Date: 5/17/2010 4:50:15 PM
    Event ID: 1001
    Task Category: None
    Level: Information
    Keywords: Classic
    User: N/A
    Computer: Tori-PC
    Description:
    Fault bucket 1154253563, type 5
    Event Name: AppHangB1
    Response: None
    Cab Id: 0

    Problem signature:
    P1: egui.exe
    P2: 4.0.474.0
    P3: 4b010214
    P4: e11f
    P5: 0
    P6:
    P7:
    P8:
    P9:
    P10:

    Attached files:
    C:\Users\Tori\AppData\Local\Temp\WERBB7F.tmp.version.txt
    C:\Users\Tori\AppData\Local\Temp\WER913.tmp.appcompat.txt

    These files may be available here:
    C:\Users\Tori\AppData\Local\Microsoft\Windows\WER\ReportArchive\Report040d12b3
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Windows Error Reporting" />
    <EventID Qualifiers="0">1001</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2010-05-17T23:50:15.000Z" />
    <EventRecordID>30068</EventRecordID>
    <Channel>Application</Channel>
    <Computer>Tori-PC</Computer>
    <Security />
    </System>
    <EventData>
    <Data>1154253563</Data>
    <Data>5</Data>
    <Data>AppHangB1</Data>
    <Data>None</Data>
    <Data>0</Data>
    <Data>egui.exe</Data>
    <Data>4.0.474.0</Data>
    <Data>4b010214</Data>
    <Data>e11f</Data>
    <Data>0</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>
    C:\Users\Tori\AppData\Local\Temp\WERBB7F.tmp.version.txt
    C:\Users\Tori\AppData\Local\Temp\WER913.tmp.appcompat.txt</Data>
    <Data>C:\Users\Tori\AppData\Local\Microsoft\Windows\WER\ReportArchive\Report040d12b3</Data>
    </EventData>
    </Event>

    Log Name: Application
    Source: Windows Error Reporting
    Date: 5/17/2010 5:24:30 PM
    Event ID: 1001
    Task Category: None
    Level: Information
    Keywords: Classic
    User: N/A
    Computer: Tori-PC
    Description:
    Fault bucket 6412474, type 5
    Event Name: ServiceHang
    Response: None
    Cab Id: 0

    Problem signature:
    P1: CLCapSvc
    P2: CLCapSvc.exe"
    P3: 0.0.0.0
    P4: 110
    P5: 2
    P6:
    P7:
    P8:
    P9:
    P10:

    Attached files:
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report0ec9fc19\WERF076.tmp.version.txt
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report0ec9fc19\WERF0D4.tmp.mdmp

    These files may be available here:
    C:\ProgramData\Microsoft\Windows\WER\ReportArchive\Report047a9404
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Windows Error Reporting" />
    <EventID Qualifiers="0">1001</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2010-05-18T00:24:30.000Z" />
    <EventRecordID>30109</EventRecordID>
    <Channel>Application</Channel>
    <Computer>Tori-PC</Computer>
    <Security />
    </System>
    <EventData>
    <Data>6412474</Data>
    <Data>5</Data>
    <Data>ServiceHang</Data>
    <Data>None</Data>
    <Data>0</Data>
    <Data>CLCapSvc</Data>
    <Data>CLCapSvc.exe"</Data>
    <Data>0.0.0.0</Data>
    <Data>110</Data>
    <Data>2</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report0ec9fc19\WERF076.tmp.version.txt
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report0ec9fc19\WERF0D4.tmp.mdmp</Data>
    <Data>C:\ProgramData\Microsoft\Windows\WER\ReportArchive\Report047a9404</Data>
    </EventData>
    </Event>

    Log Name: Application
    Source: Windows Error Reporting
    Date: 5/17/2010 5:24:28 PM
    Event ID: 1001
    Task Category: None
    Level: Information
    Keywords: Classic
    User: N/A
    Computer: Tori-PC
    Description:
    Fault bucket 253407748, type 5
    Event Name: MsSearchTerminateProcess
    Response: None
    Cab Id: 0

    Problem signature:
    P1: Microsoft Windows Search Filter Host
    P2: 7.0.6001.16503
    P3: 2
    P4:
    P5:
    P6:
    P7:
    P8:
    P9:
    P10:

    Attached files:
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report01f4abe9\Microsoft Windows Search Filter Host_1.kdmp
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report01f4abe9\WERAB6D.tmp.version.txt

    These files may be available here:

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Windows Error Reporting" />
    <EventID Qualifiers="0">1001</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2010-05-18T00:24:28.000Z" />
    <EventRecordID>30108</EventRecordID>
    <Channel>Application</Channel>
    <Computer>Tori-PC</Computer>
    <Security />
    </System>
    <EventData>
    <Data>253407748</Data>
    <Data>5</Data>
    <Data>MsSearchTerminateProcess</Data>
    <Data>None</Data>
    <Data>0</Data>
    <Data>Microsoft Windows Search Filter Host</Data>
    <Data>7.0.6001.16503</Data>
    <Data>2</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report01f4abe9\Microsoft Windows Search Filter Host_1.kdmp
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report01f4abe9\WERAB6D.tmp.version.txt</Data>
    <Data>
    </Data>
    </EventData>
    </Event>

    Log Name: Application
    Source: Windows Error Reporting
    Date: 5/17/2010 8:30:04 PM
    Event ID: 1001
    Task Category: None
    Level: Information
    Keywords: Classic
    User: N/A
    Computer: Tori-PC
    Description:
    Fault bucket 6412474, type 5
    Event Name: ServiceHang
    Response: None
    Cab Id: 0

    Problem signature:
    P1: CLCapSvc
    P2: CLCapSvc.exe"
    P3: 0.0.0.0
    P4: 110
    P5: 2
    P6:
    P7:
    P8:
    P9:
    P10:

    Attached files:
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report0ed9fb8d\WEREB48.tmp.version.txt
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report0ed9fb8d\WEREBE5.tmp.mdmp

    These files may be available here:
    C:\ProgramData\Microsoft\Windows\WER\ReportArchive\Report047e7d69
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Windows Error Reporting" />
    <EventID Qualifiers="0">1001</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2010-05-18T03:30:04.000Z" />
    <EventRecordID>30144</EventRecordID>
    <Channel>Application</Channel>
    <Computer>Tori-PC</Computer>
    <Security />
    </System>
    <EventData>
    <Data>6412474</Data>
    <Data>5</Data>
    <Data>ServiceHang</Data>
    <Data>None</Data>
    <Data>0</Data>
    <Data>CLCapSvc</Data>
    <Data>CLCapSvc.exe"</Data>
    <Data>0.0.0.0</Data>
    <Data>110</Data>
    <Data>2</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report0ed9fb8d\WEREB48.tmp.version.txt
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report0ed9fb8d\WEREBE5.tmp.mdmp</Data>
    <Data>C:\ProgramData\Microsoft\Windows\WER\ReportArchive\Report047e7d69</Data>
    </EventData>
    </Event>
     
    Last edited by a moderator: May 20, 2010
  9. vtol (Registered Member)

    Joined: Apr 8, 2010 | Posts: 774 | Location: just around the next corner
    sort of, it shows the egui.exe seems to be hanging. did you try to update to the latest 4.2.40 version and see if it solves the matter?

    also hanging seems the CLCapSvc.exe - that Video capture component of the CyberLink PowerCinema? did you try stopping it prior to the scan?

    you mentioned earlier that you manually shut down, yet task manager is not working in the situation - then how to manually shut down, switch off the computer?
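
    The timing check requested earlier in the thread, as an added example that is not part of any post: it parses two of the Application-log events posted above (trimmed) and measures how long after the most recent on-demand scan start each hang was recorded. The UTC-7 offset is an assumption read off the posted log (4:50:15 PM local against 23:50:15Z), and the function names are illustrative.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumption: local time is UTC-7, read off the post (4:50:15 PM local vs 23:50:15Z).
UTC_OFFSET = timedelta(hours=-7)

# Trimmed copies of two events posted in the thread (unused fields dropped).
EVENTS = """<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><Provider Name="Application Hang" /><EventID>1002</EventID>
<TimeCreated SystemTime="2010-05-17T23:50:15.000Z" /></System>
<EventData><Data>egui.exe</Data><Data>4.0.474.0</Data></EventData></Event>
<Event><System><Provider Name="Windows Error Reporting" /><EventID>1001</EventID>
<TimeCreated SystemTime="2010-05-18T00:24:30.000Z" /></System>
<EventData><Data>6412474</Data><Data>5</Data><Data>ServiceHang</Data><Data>None</Data>
<Data>0</Data><Data>CLCapSvc</Data></EventData></Event>
</Events>"""

# Scan start times from the on-demand scan log in the same post (local time).
SCAN_STARTS = ["5/17/2010 2:09:25 PM", "5/17/2010 5:27:34 PM", "5/17/2010 8:31:47 PM"]

def parse_hangs(xml_text):
    """Return sorted (local_time, kind, subject) tuples for hang-related events."""
    hangs = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        event_id = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        stamp = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        local = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ") + UTC_OFFSET
        data = [d.text or "" for d in ev.findall("e:EventData/e:Data", NS)]
        if event_id == 1002:  # Application Hang: Data[0] is the program name
            hangs.append((local, "AppHang", data[0]))
        elif event_id == 1001 and "Hang" in data[2]:  # WER: Data[2] event name, Data[5] P1
            hangs.append((local, data[2], data[5]))
    return sorted(hangs)

def correlate(hangs, scan_starts):
    """Pair each hang with the latest scan that started before it (None if no such scan)."""
    starts = sorted(datetime.strptime(s, "%m/%d/%Y %I:%M:%S %p") for s in scan_starts)
    rows = []
    for when, kind, subject in hangs:
        earlier = [s for s in starts if s <= when]
        rows.append((subject, kind, when, when - earlier[-1] if earlier else None))
    return rows

if __name__ == "__main__":
    for subject, kind, when, delta in correlate(parse_hangs(EVENTS), SCAN_STARTS):
        print(f"{when}  {kind:<12} {subject:<10} after scan start: {delta}")
```

    A hang logged hours after a scan began, or minutes before the next one, points at different causes, so the elapsed time is worth reading alongside the event name.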
     
  10. Quickening (Registered Member)

    Joined: May 20, 2010 | Posts: 7
    I updated to the newest version, and still have the freeze.

    I don't know what CyberLink PowerCinema is, but it wasn't running in the task manager when I started the scan.

    When it freezes I have to turn off the machine with the power button. Task manager won't open at all.
     
  11. vtol (Registered Member)

    Joined: Apr 8, 2010 | Posts: 774 | Location: just around the next corner
    that seems a bit odd/suspicious, maybe there is an infection preventing NOD from scanning. In this case would suggest you get Malwarebytes and give it a shot, if you are lucky it may clean the infection. Else Eset has provided some recommendation on infected systems https://www.wilderssecurity.com/showthread.php?t=178177
     
  12. Quickening (Registered Member)

    Joined: May 20, 2010 | Posts: 7
    I ran Malwarebytes but it also hung up the system. So today I ran a Nod32 scan as directed in the tutorial sticky, and it hung on C:\Windows\System32\DriverStore\FileRepository\nv_sz.inf_ef4cff38.

    After I rebooted, I scanned each file in the folder individually and it hung on nvlddmkm.sys which seems to be related to nVidia. But I don't have an nVidia card. Not really sure what to do about it.
     
  13. vtol (Registered Member)

    Joined: Apr 8, 2010 | Posts: 774 | Location: just around the next corner
    you got a bit of odd stuff there, nVidia driver but no hardware and probably a video capture component of the CyberLink PowerCinema (if it is not an infection), but you are not aware of PowerCinema on that machine...

    the nvidia driver you mentioned seems video related (nvidia is also producing other stuff) as well as the video capture component, coincidence? it is hard to judge from here what sort of machine you got and what is on it. would reckon to get rid of the nvidia driver, which by looking up the internet seems to be a nasty little bugger anyway, might be corrupted and thereby hanging the scanner, however this is to explain.
     
  14. Quickening (Registered Member)

    Joined: May 20, 2010 | Posts: 7
    I think the PowerCinema was associated with HP Quick Play (I have an HP Pavilion). I never use it, so I uninstalled to see if it would help. Still have the problem, as the nVidia files are still there.

    I've tried deleting the driver, etc but the system hangs anytime that I interact with that file in any way.
     
  15. vtol (Registered Member)

    Joined: Apr 8, 2010 | Posts: 774 | Location: just around the next corner
    so good thing, it seems that you have deduced it down to the nvidia thing. try to upload it to http://www.virustotal.com and see whether other scanners report anything on it. also for the interaction/deletion try to do it in safe mode or better boot up with a linux based rescue disk, make sure the latter is able to handle your type of file system.

    be careful though with the removal, it may cause a blue screen during boot, in case the startup entries remaining in the system, such as registry or other files depending on the removed ones failing to load.
     