BleepingComputer.com: Spontaneous Reboot After Virus

To begin, I hope this is not a duplicate post. I tried to post previously and nothing showed up! I got a message when I posted of maintenance ongoing so I think I may have gotten lost in the shuffle. Anyway, trying again. Thanks...

Greetings. I'm having trouble with my HP Desktop running Windows XP Home. A virus brought my computer down a couple of days ago. The virus had the effect of redirecting me to commercial sites off of Google searches. This effect only seemed to be an issue with IE: Firefox didn't seem to be affected by it at all. After lots of scrubbing with a combo of anti-virus applications I was able to clear out my pc's infection. However, since then I've been experiencing intermittent reboots. Typically happens when I'm doing something memory intensive. It happened twice, for instance, when I was attempting to back up my hard disk. It's also knocked my active desktop out a few different times. I ran a scan on minidump files using WinDbg. Initially scans said problem with unknown driver. After adding diagnostic capacity to registry file however (altering registry so a specific error would print) and reexamining some of the earlier scans, I got an outcome of memory corruption. I tried to beat this by altering virtual memory: thought virus may have impacted virtual memory somehow. Changed virtual memory to XP control and this seemed to have benefits for performance... but I got another reboot when I tried another hard disk backup. I realize minidump readings for memory corruption can indicate RAM or other failure, but this was not an issue at all until the virus came and went. I can't believe it's simply coincidence that I'm experiencing this now. I never had reboots like this before. If anyone can help me get my beloved machine back to reliable form I'd be extremely thankful. Keeping my fingers crossed that someone can help. Thanks.

How To Disable Automatic Restarts When Windows Crashes - http://www.bleepingcomputer.com/forums/topic74644.html

Following the above procedures should result in readable BSOD error messages. Post the exact content of such and we'll see what we can do .

Louis

Thanks for the response, Louis. I must admit I'm a bit nervous about denying my pc the ability to restart: I'm hoping it won't crash and then lock me out altogether. Having said that, I understand the need for a diagnosis. I think it's also relevant to point out that someone brought to my attention that my pc has two anti-viruses running simultaneously and that this is troublesome for my system. I was aware that they were both running, but not that this was problematic. I'm learning! At any rate, it seems entirely reasonable to me that the dual anti-viruses is the cause of the spontaneous reboots. I certainly hope that's all it is. Easy enough to dump one of them, I'd think. Let's see now whether I can induce another reboot (I'll try performing a hard disk save -- that seems to do the trick).

Some persons are under the erroneous impression...that running two AV programs offers more protection. In fact, it just creates unnecessry, avoidable problems.

Take your pick but please uninstall one properly, using Add/Remove Programs.

And...be sure that what you classify as "AV programs" really are both AV programs and not programs which are not in conflict.

Louis

Thanks for the prompt reply, Louis. I did remove one of the two av's, ran an attempt at hard drive backup, and once again got a reboot. I was quite disappointed, to say the least. So I disabled auto restart as you suggested and got following blue screen:

Problem caused by the following file: ntoskrnl.exe

The driver used excessive number of system PTEs.

Technical Info:

*** STOP: 0x000000D8 (0x823FC3A0, 0x00040FB8, 0x000000A9, 0x00000D48D) ***

ntoskrnl.exe

The message then described a memory dump and suggested contacting sys admin or tech support groups for further assistance. Good advice, which I'm presently following.

Now I did do a bit of research and discovered that ntoskrnl.exe is related to boot file, and a light instantly went on for me (and I felt a bit more optimistic as well). When I was battling with my virus infection, the virus prevented me from going into Safe Mode presumably so I couldn't manually delete it (virus was winhelper.dll). I didn't realize initially however that it was the virus preventing me from going Safe Mode and just assumed my machine was being difficult, so I forced Safe Mode entry through MSConfig. Proved to be significant mistake as I was caught in a loop: couldn't get into Safe Mode, couldn't return to normal operations because I'd set an automatic entry into Safe through MSConfig. I'm sure this is exactly what those wonderful folks who designed virus had in mind. I did some research and discovered I could end Safe Mode loop by changing boot.ini file name in command prompt (changed it to boot.ini.bak). I did this and was able to escape the loop, thankfully, but when I went back into command prompt to change the boot.ini.bak file back to boot.ini, I got an error message stating boot.ini.bak couldn't be found. I did eventually repair the boot.ini file, I thought, through a process I can't presently recall. Given what's happening to my machine now though, I somehow get the impression that altering the boot.ini and my fix for that has been problematic. My optimism comes from the notion that boot.ini can be repaired or replaced without too much difficulty. Any help towards that end, and/or fixing this problem for good, which be much appreciated. Thanks.

FWIW: http://www.faultwire.com/solutions_bsod/Th...000D8-1216.html

Worth reading: http://www.computerhope.com/issues/ch000646.htm

A new boot.ini file can be generated fairly easily...but let's not go that route yet. For info purposes only: See item 3 under Create A Boot Floppy Disk at http://support.microsoft.com/kb/305595

I'd like you to follow these procedures: Removing the invalid entries from Boot.ini - http://windowsxp.mvps.org/bootopt.htm

Do you have a Windows XP install CD, with access to the Recovery Console?

Really...one of the best moves a user can take after a known infection...is to do a repair install of XP and hope that solves system problems resulting from being infected and (hopefully) taking proper care of such. But sometimes that doesn't do the job and a clean install is the ultimate solution.

We still have a few tricks to try...but ntoskrnl.exe errors don't seem to have much resolution when I come across such.

But you can retrieve the .dmp file which was created during the most recent BSOD...and then follow the procedures in Help Diagnosing BSODs And Crashes (BC) - http://www.bleepingcomputer.com/forums/topic176011.html

Louis

Hi, Louis. Thanks for responding. To answer your first question, I do have an XP install disk available and have Recovery Console on my machine. With respect to running a clean install, my preference is to not do that as I cannot presently do a local save on my machine. I do have an online save program but I haven't been able to verify that has been fully completed either. When you say ntoskrnl.exe errors don't have much resolution, I take that to mean that your experience is that such errors typically corrupt a system permanently. I certainly hope that isn't the case here. As I mentioned, I did alter the boot.ini file and was unable to correct it initially which makes me think that what's going on is simply that boot.ini was corrupted and a proper replacement of the file will solve the issue. Do you doubt this scenario? I did go ahead and perform the invalid boot.ini entries scan and there was an invalid entry found, which I removed from the file. I also performed a memory dump scan, which I'll post presently. Thanks.

Microsoft ® Windows Debugger Version 6.11.0001.404 X86
Copyright © Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini081009-05.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 2600.xpsp_sp2_gdr.050301-1519
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055a420
Debug session time: Mon Aug 10 23:16:26.984 2009 (GMT-7)
System Uptime: 0 days 0:03:38.562
Loading Kernel Symbols
...............................................................
.........................................................
Loading User Symbols
Loading unloaded module list
...
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000007E, {c0000005, 823476aa, f5108880, f510857c}

Probably caused by : Unknown_Image ( ANALYSIS_INCONCLUSIVE )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 823476aa, The address that the exception occurred at
Arg3: f5108880, Exception Record Address
Arg4: f510857c, Context Record Address

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
+16
823476aa 8b4814 mov ecx,dword ptr [eax+14h]

EXCEPTION_RECORD: f5108880 -- (.exr 0xfffffffff5108880)
ExceptionAddress: 823476aa
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000014
Attempt to read from address 00000014

CONTEXT: f510857c -- (.cxr 0xfffffffff510857c)
eax=00000000 ebx=00000000 ecx=00000018 edx=7ffd7000 esi=82005ba0 edi=00000000
eip=823476aa esp=f5108948 ebp=f510895c iopl=0 nv up ei pl nz na pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010207
823476aa 8b4814 mov ecx,dword ptr [eax+14h] ds:0023:00000014=????????
Resetting default scope

CUSTOMER_CRASH_COUNT: 5

PROCESS_NAME: explorer.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_PARAMETER1: 00000000

EXCEPTION_PARAMETER2: 00000014

READ_ADDRESS: 00000014

FOLLOWUP_IP:
+16
823476aa 8b4814 mov ecx,dword ptr [eax+14h]

FAILED_INSTRUCTION_ADDRESS:
+16
823476aa 8b4814 mov ecx,dword ptr [eax+14h]

BUGCHECK_STR: 0x7E

DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE

LAST_CONTROL_TRANSFER: from 82347cf9 to 823476aa

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
f510895c 82347cf9 8234d1ec 00000000 000000b9 0x823476aa
f5108dac 8057be15 821cf020 00000000 00000000 0x82347cf9
f5108ddc 804fa4da 82347f20 821cf020 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


STACK_COMMAND: kb

SYMBOL_NAME: ANALYSIS_INCONCLUSIVE

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: Unknown_Module

IMAGE_NAME: Unknown_Image

DEBUG_FLR_IMAGE_TIMESTAMP: 0

BUCKET_ID: BAD_STACK

Followup: MachineOwner
---------

<<When you say ntoskrnl.exe errors don't have much resolution, I take that to mean that your experience is that such errors typically corrupt a system permanently.>>

No...that just means that I'm often not smart enough to look at the data presented and make heads or tails of it .

There's nothing that corrupts a system permanently, since any operating system, program, file, or hardware component can be replaced or reinstalled.

There's no info that I can see...which points to a specific driver (I'm willing to guess that it's a driver issue, not a memory issue).

You've never really verified that your system is clean.

Users who have malware problems often think that all they have to do is delete a few files and all is well. It's not that easy because the user has no idea of what has been done to the system by the malware or during the cleanup effort.

I can't go any farther with what I'm presented with, I don't have any expertise of any sort.

But...if I ever had a system that was infected with unknown effects...I would surely do a clean install.

Let's see what others have to offer.

Louis

Fair enough, Louis. Thanks for trying to help. As an update, I was told I was running an older version of HijackThis and that I should update and run a new scan, which I've done. I'll add that here just in case someone recognizes something that may be a problem. I've also been able to verify that an online backup of my machine was a success, so I can do a fresh install without Armageddon. I'd appreciate anyone who might have something to offer chirping in. Thanks. Hijack scan from updated Hijack to follow.

EDIT: Was advised to remove HijackThis scan because it violated forum protocol.

This post has been edited by Deke2400: 11 August 2009 - 02:56 PM

Posting an HJT log in this forum...will result in your thread being moved to one of the BC malware forums.

If that is what you want, leave your last post as it is.

If you do not want that, I suggest you edit that post and remove the HJT log.

Louis

Okay. You did mention that I hadn't verified that my machine wasn't infected. But that's fine. Certainly want to comply with the rules.

This is not...a malware forum.

There is a whole different set of persons and knowledge that malware forums are composed of. HJT logs are a malware tool, to be provided at the proper forum to persons who can use the data on such...to assist those with malware problems.

It's a simple concept...have you ever noticed how many different forums exist here at BC?

The right tool...for the right task...seems to be the premise.

Louis

I reiterate: You mentioned that I hadn't verified that my machine wasn't infected. A reasonable person might respond to this sort of remark by offering verification. If verification of a clean system wasn't wanted, why mention such verification at all? To confuse the issue further? Or to allow yourself the opportunity to offer up a huffy, patronizing ego response?