
BSOD With Multiple Stop Error Codes

16 replies to this topic

#1 Fielding Melish

Posted 22 July 2009 - 11:04 AM

Hello,
I'm hoping I can find some help here, and apologize in advance if I provide way too much info below...

About a week ago I started receiving Blue Screen of Death Stop errors (with a variety of error codes). There doesn't seem to be any consistency in terms of when the errors occur or what we're doing to trigger them. The PC never restarts on its own; it displays the BSOD until we manually shut down and restart.

We get one every time we try to use the PC; sometimes within a few seconds of starting Windows, other times we're able to work for 20-30 minutes before the crash. We are able to work in Safe Mode indefinitely, so I was able to back up all our data files to an external hard drive.

The Stop error messages seem to indicate a driver problem and I've tried updating a few things, but didn't want to go too far down that road without some closer guidance.

As far as I know, there were no hardware or software changes that might have triggered the errors (I guess it's possible the kids may have installed or run something).

Details on the error codes, actions I've taken so far, and other symptoms are below. I followed the how-to guide on this site for diagnosing blue screens and crashes. The minidump analysis is at the end of this post.

Sorry for the length of this, but I wanted to post as much information as possible up front. I'd be happy to run any additional scans or provide additional information if needed, but really don't have the expertise to know what to try next.

System Info
Dell XPS410
Windows XP Professional SP3
Intel Core 2 CPU 6600 @ 2.40GHz
Warranty expired

Stop Error Codes
These are the codes I receive, roughly in order of frequency:

1) 0x0000007E
no file or driver associations indicated

2) A kernel thread has terminated while holding a mutex 0x40000008A
- no file or driver associations indicated

3) INVALID_WORK_QUEUE_ITEM 0x00000096
NDIS.SYS Address B9D59BFO base at B9D53000 Date Stamp 48025d03)

4) PAGE_FAULT_IN_NONPAGED_AREA 0x00000050
- no file or driver associations indicated

5) 0x000000CS
- no file or driver associations indicated

Upon restart, an error log is created. When I send it to Microsoft, the diagnostics come back indicating a driver problem (nothing specific), though some come back indicating a corrupted error report.

What I've Done So Far
1) Run a full Malware Bytes scan - no problems found
2) Run a McAfee virus scan - no problems found
3) Tried a System Restore to a point prior to this - did not seem to help anything
4) Run chkdsk - no problems found
5) Updated the BIOS
6) Installed all Windows Updates
7) Updated the driver for the display adapter (NVIDIA GeForce 7900 GS), as that seemed to be the most likely culprit based on what I've googled

I didn't want to go much farther without some more specific diagnostics and/or guidance. I didn't want to just start randomly replacing drivers if there is a way to track down the specific culprit.

Other Symptoms
In addition to the crashes, a couple other things have been going on:

1) When I restarted after the first crash, there was an icon in the Notification Area of the Taskbar from McAfee (Comcast version) indicating that my computer was not protected. When I launched the Security Center, it indicated a number of problems, including the anti-virus file definitions were out of date. I clicked the Fix button for these errors, but eventually received a message indicating that the problem could not be fixed because of an error. After attempting this a number of times, I uninstalled McAfee, re-downloaded it from Comcast, then reinstalled. It has been fine ever since.

2) After the first crash, we were no longer able to connect to AOL via broadband. The sign-in process would appear to start, but before it completed, AOL would disconnect and display a message indicating that AOL could not connect. Oddly, we were also unable to connect to AOL via the web; when we would try to sign on to our account, we got an error indicating that Internet Explorer had a problem and had to shut down. This is the only site we had this problem with; Internet access seemed to work fine for everything else. Eventually, I uninstalled AOL, downloaded version 9 from the website and installed it. It has worked fine since then.

3) When we are able to work on the system for an extended period without a crash, it often locks up - things don't completely freeze (we're still able to move the mouse cursor), but we are unable to click on anything.

Most Recent MiniDump Analysis

Microsoft ® Windows Debugger Version 6.11.0001.404 X86
Copyright © Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini072209-03.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_gdr.090206-1234
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Wed Jul 22 09:20:29.609 2009 (GMT-5)
System Uptime: 0 days 0:32:56.342
Loading Kernel Symbols
...............................................................
................................................................
........................
Loading User Symbols
Loading unloaded module list
.....................
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000007E, {c0000005, 0, aa3ff790, aa3ff48c}

Probably caused by : Unknown_Image ( ANALYSIS_INCONCLUSIVE )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 00000000, The address that the exception occurred at
Arg3: aa3ff790, Exception Record Address
Arg4: aa3ff48c, Context Record Address

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
+14
00000000 ?? ???

EXCEPTION_RECORD: aa3ff790 -- (.exr 0xffffffffaa3ff790)
ExceptionAddress: 00000000
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000008
Parameter[1]: 00000000
Attempt to execute non-executable address 00000000

CONTEXT: aa3ff48c -- (.cxr 0xffffffffaa3ff48c)
eax=00000000 ebx=890f6060 ecx=00000000 edx=00000000 esi=8a28dc58 edi=00000000
eip=00000000 esp=aa3ff858 ebp=aa3ff878 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
00000000 ?? ???
Resetting default scope

CUSTOMER_CRASH_COUNT: 3

DEFAULT_BUCKET_ID: DRIVER_FAULT

PROCESS_NAME: System

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_PARAMETER1: 00000008

EXCEPTION_PARAMETER2: 00000000

WRITE_ADDRESS: 00000000

FOLLOWUP_IP:
+14
00000000 ?? ???

FAILED_INSTRUCTION_ADDRESS:
+14
00000000 ?? ???

BUGCHECK_STR: 0x7E

LAST_CONTROL_TRANSFER: from 0100a8c0 to 00000000

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
aa3ff854 0100a8c0 00000004 8817e7f0 804fc97c 0x0
aa3ff878 890ca1c5 00000000 00000000 00000000 0x100a8c0
aa3ff87c 00000000 00000000 00000000 00000000 0x890ca1c5


STACK_COMMAND: kb

SYMBOL_NAME: ANALYSIS_INCONCLUSIVE

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: Unknown_Module

IMAGE_NAME: Unknown_Image

DEBUG_FLR_IMAGE_TIMESTAMP: 0

FAILURE_BUCKET_ID: 0x7E_NULL_IP_ANALYSIS_INCONCLUSIVE

BUCKET_ID: 0x7E_NULL_IP_ANALYSIS_INCONCLUSIVE

Followup: MachineOwner
---------



#2 hamluis

Posted 22 July 2009 - 12:10 PM

Hi :thumbsup:.

The best (IMO) source of info re STOP errors is at http://www.aumha.org/a/stop.htm

0x0000007E: SYSTEM_THREAD_EXCEPTION_NOT_HANDLED
A system thread generated an exception which the error handler did not catch. There are numerous individual causes for this problem, including hardware incompatibility, a faulty device driver or system service, or some software issues. Check Event Viewer (EventVwr.msc) for additional information.

0x00000005: INVALID_PROCESS_ATTACH_ATTEMPT
Generally, use the General Troubleshooting of STOP Messages checklist to troubleshoot this problem. A specific problem is known to exist with Win XP SP2 and Server 2003 in combination with certain antivirus programs, firewalls, and similar software. See http://support.microsoft.com/?kbid=887742&sd=RMVP

Have you tried getting any clues from errors posted in Event Viewer? I would be looking for errors in specific programs that are launched/running (AV, etc.) rather than any indication of hardware errors. I would also try to focus on errors indicating a hard drive problem (Disk0, Disk1, etc.).

How To Use Event Viewer - http://www.bleepingcomputer.com/forums/t/40108/how-to-use-event-viewer/

FWIW: Updating drivers when such errors occurs...is, IMO, most useful when the old driver is first removed (because it's probably damaged) and then a new one is installed. I suspect that trying to install a new file on top of a damaged file...often results in negative results.

Are there any indications that your CMOS battery may need replacing?

CMOS Battery Replacement - http://www.liverepair.com/encyclopedia/art...cmosreplace.asp

CMOS Checksum Errors - http://www.pcguide.com/ts/x/sys/booterrGBER08-c.html

Louis

#3 Fielding Melish

Fielding Melish
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:04:15 AM

Posted 22 July 2009 - 08:09 PM

Louis,
Thanks for the suggestions. I had checked http://www.aumha.org/a/stop.htm before posting, but wasn't able to resolve anything.

I haven't seen any indication that the CMOS battery needs replacing (no lost time or error messages). Is there some way to tell?

I looked at Event Viewer, and while I have a lot of entries they don't mean much to me. Here are the entries from the Application log from the time of the crash:

Type Date Time Source Category Event User Computer
Information 7/22/2009 7:34:23 PM iPod Service None 0 N/A DD2BGRB1
Information 7/22/2009 7:33:51 PM gusvc None 0 N/A DD2BGRB1
Information 7/22/2009 7:33:09 PM McLogEvent None 5000 SYSTEM DD2BGRB1
Information 7/22/2009 7:32:57 PM SecurityCenter None 1800 N/A DD2BGRB1
Warning 7/22/2009 7:32:57 PM MSSQL$MICROSOFTSMLBIZ (8) 19011 N/A DD2BGRB1
Information 7/22/2009 7:32:55 PM sprtsvc_dellsupportcenter None 1 N/A DD2BGRB1
Information 7/22/2009 7:32:51 PM Intuit Update Service None 0 N/A DD2BGRB1
Information 7/22/2009 7:32:49 PM gusvc None 0 N/A DD2BGRB1
Information 7/22/2009 7:32:48 PM Bonjour Service None 1 N/A DD2BGRB1
Information 7/22/2009 7:19:13 PM gusvc None 0 N/A DD2BGRB1

The detail for the Warning above is:
Event Type: Warning
Event Source: MSSQL$MICROSOFTSMLBIZ
Event Category: (8)
Event ID: 19011
Date: 7/22/2009
Time: 7:32:57 PM
User: N/A
Computer: DD2BGRB1
Description:
The description for Event ID ( 19011 ) in Source ( MSSQL$MICROSOFTSMLBIZ ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: (SpnRegister) : Error 1355.

Here are the entries from the System Log from prior to the crash:
Information 7/22/2009 7:32:49 PM Tcpip None 4201 N/A DD2BGRB1
Information 7/22/2009 7:32:24 PM Tcpip None 4202 N/A DD2BGRB1
Information 7/22/2009 7:32:41 PM Save Dump None 1001 N/A DD2BGRB1
Information 7/22/2009 7:32:40 PM eventlog None 6005 N/A DD2BGRB1
Information 7/22/2009 7:32:40 PM eventlog None 6009 N/A DD2BGRB1
Information 7/22/2009 7:19:13 PM Service Control Manager None 7036 N/A DD2BGRB1
Information 7/22/2009 7:18:01 PM Service Control Manager None 7036 N/A DD2BGRB1
Information 7/22/2009 7:18:00 PM Service Control Manager None 7035 SYSTEM DD2BGRB1
Information 7/22/2009 6:22:04 PM Service Control Manager None 7035 SYSTEM DD2BGRB1
Warning 7/22/2009 6:18:37 PM disk None 51 N/A DD2BGRB1

The detail on the Warning is:
Event Type: Warning
Event Source: Disk
Event Category: None
Event ID: 51
Date: 7/22/2009
Time: 6:18:37 PM
User: N/A
Computer: DD2BGRB1
Description:
An error was detected on device \Device\Harddisk5\D during a paging operation.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

And the detail on the Save Dump entry is:
Event Type: Information
Event Source: Save Dump
Event Category: None
Event ID: 1001
Date: 7/22/2009
Time: 7:32:41 PM
User: N/A
Computer: DD2BGRB1
Description:
The computer has rebooted from a bugcheck. The bugcheck was: 0x1000007e (0xc0000005, 0x00000004, 0xa8e8d7b0, 0xa8e8d4ac). A dump was saved in: C:\WINDOWS\Minidump\Mini072209-17.dmp.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Here is the MiniDump analysis for this crash:

Microsoft ® Windows Debugger Version 6.11.0001.404 X86
Copyright © Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini072209-17.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_gdr.090206-1234
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Wed Jul 22 19:31:10.625 2009 (GMT-5)
System Uptime: 0 days 2:10:07.329
Loading Kernel Symbols
...............................................................
................................................................
..............
Loading User Symbols
Loading unloaded module list
................................
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000007E, {c0000005, 4, a8e8d7b0, a8e8d4ac}

Probably caused by : Unknown_Image ( ANALYSIS_INCONCLUSIVE )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 00000004, The address that the exception occurred at
Arg3: a8e8d7b0, Exception Record Address
Arg4: a8e8d4ac, Context Record Address

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
+0
00000004 ?? ???

EXCEPTION_RECORD: a8e8d7b0 -- (.exr 0xffffffffa8e8d7b0)
ExceptionAddress: 00000004
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000008
Parameter[1]: 00000004
Attempt to execute non-executable address 00000004

CONTEXT: a8e8d4ac -- (.cxr 0xffffffffa8e8d4ac)
eax=c0000001 ebx=00000000 ecx=6fff0011 edx=6ffe0010 esi=89375b30 edi=a8e8d88c
eip=00000004 esp=a8e8d878 ebp=00000000 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
00000004 ?? ???
Resetting default scope

CUSTOMER_CRASH_COUNT: 17

DEFAULT_BUCKET_ID: COMMON_SYSTEM_FAULT

PROCESS_NAME: System

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_PARAMETER1: 00000008

EXCEPTION_PARAMETER2: 00000004

WRITE_ADDRESS: 00000004

FOLLOWUP_IP:
+0
00000004 ?? ???

FAILED_INSTRUCTION_ADDRESS:
+0
00000004 ?? ???

BUGCHECK_STR: 0x7E

LAST_CONTROL_TRANSFER: from a8e8d980 to 00000004

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
a8e8d874 a8e8d980 00e8d980 c0000001 00000000 0x4
00000000 00000000 00000000 00000000 00000000 0xa8e8d980


STACK_COMMAND: kb

SYMBOL_NAME: ANALYSIS_INCONCLUSIVE

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: Unknown_Module

IMAGE_NAME: Unknown_Image

DEBUG_FLR_IMAGE_TIMESTAMP: 0

BUCKET_ID: BAD_STACK

Followup: MachineOwner
---------

Any additional help would be appreciated!
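As an added example (not code from the thread, and not part of WinDbg, Event Viewer or any tool mentioned here), the following Python triage helper parses the two places this thread records a STOP code, the `BugCheck ...` banner WinDbg prints when a minidump is opened and the Save Dump (Event ID 1001) description in the System log, normalises them, and applies the reading !analyze -v gives for the 0x7E family: Arg1 is the unhandled NTSTATUS and Arg2 the faulting address. The sample inputs are the lines quoted in the posts above; the bugcheck-name table is limited to the codes that appear in this thread, and the near-null heuristic is an assumption of this example, not a WinDbg rule.

```python
"""Triage helper for STOP-code reports collected during a BSOD investigation.

Parses two text formats that appear in this thread: the `BugCheck ...` line
WinDbg prints when a minidump is opened, and the description of the Save
Dump event (Event ID 1001) in the System log.  Both carry the same four
bugcheck parameters, so a run of crashes can be normalised and compared
without opening every dump in the debugger.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# STOP codes mentioned in the thread (a subset of the Windows bugcheck table).
# 0x1000007E is 0x7E with the 0x10000000 bit set, which marks a minidump that
# carries the exception and context records (the "_M" variant).
BUGCHECK_NAMES = {
    0x0000007E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0x1000007E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M",
    0x00000096: "INVALID_WORK_QUEUE_ITEM",
    0x00000050: "PAGE_FAULT_IN_NONPAGED_AREA",
    0x4000008A: "THREAD_TERMINATE_HELD_MUTEX",
}
STATUS_ACCESS_VIOLATION = 0xC0000005

# WinDbg banner:    BugCheck 1000007E, {c0000005, 0, aa3ff790, aa3ff48c}
WINDBG_RE = re.compile(r"BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}")
# Save Dump event:  The bugcheck was: 0x1000007e (0xc0000005, 0x00000004, ...).
SAVEDUMP_RE = re.compile(r"The bugcheck was:\s*0x([0-9A-Fa-f]+)\s*\(([^)]*)\)")
DUMPPATH_RE = re.compile(r"A dump was saved in:\s*(\S+\.dmp)", re.IGNORECASE)


@dataclass
class Crash:
    code: int
    params: Tuple[int, ...]
    dump_path: Optional[str] = None

    @property
    def name(self) -> str:
        return BUGCHECK_NAMES.get(self.code, "UNKNOWN_BUGCHECK_0x%08X" % self.code)


def _hex_list(text: str) -> Tuple[int, ...]:
    """Parse 'c0000005, 0, aa3ff790' or '0xc0000005, 0x00000004' into ints."""
    return tuple(int(p.strip(), 16) for p in text.split(",") if p.strip())


def parse_windbg(text: str) -> Optional[Crash]:
    """Extract the bugcheck from WinDbg's banner / !analyze output."""
    m = WINDBG_RE.search(text)
    if not m:
        return None
    params = _hex_list(m.group(2))
    return Crash(int(m.group(1), 16), params) if len(params) == 4 else None


def parse_savedump(text: str) -> Optional[Crash]:
    """Extract the bugcheck and dump path from a Save Dump (1001) description."""
    m = SAVEDUMP_RE.search(text)
    if not m:
        return None
    params = _hex_list(m.group(2))
    if len(params) != 4:
        return None
    path = DUMPPATH_RE.search(text)
    return Crash(int(m.group(1), 16), params, path.group(1) if path else None)


def triage(crash: Crash) -> List[str]:
    """Heuristic findings for the 0x7E family (assumption of this example).

    An access violation whose faulting address (Arg2) is at or near zero means
    control was transferred through a null or overwritten function pointer, so
    no module owns the IP and the debugger cannot name a driver; that is the
    ANALYSIS_INCONCLUSIVE / Unknown_Image result seen in both dumps above.
    """
    findings = [crash.name]
    if crash.code & 0x0FFFFFFF == 0x7E:
        status, address = crash.params[0], crash.params[1]
        if status == STATUS_ACCESS_VIOLATION:
            findings.append("STATUS_ACCESS_VIOLATION")
        if address < 0x1000:
            findings.append("near-null exception address 0x%08X: control transfer "
                            "through a null/corrupted pointer; symbol analysis will "
                            "be inconclusive" % address)
    return findings


def summarize(crashes: List[Crash]) -> Counter:
    """Count crashes per bugcheck name across a batch of dumps or events."""
    return Counter(c.name for c in crashes)


# Sample inputs: the debugger banner and event description quoted in the thread.
WINDBG_SAMPLE = "BugCheck 1000007E, {c0000005, 0, aa3ff790, aa3ff48c}"
SAVEDUMP_SAMPLE = (
    "The computer has rebooted from a bugcheck. The bugcheck was: 0x1000007e "
    "(0xc0000005, 0x00000004, 0xa8e8d7b0, 0xa8e8d4ac). "
    "A dump was saved in: C:\\WINDOWS\\Minidump\\Mini072209-17.dmp."
)

if __name__ == "__main__":
    for crash in (parse_windbg(WINDBG_SAMPLE), parse_savedump(SAVEDUMP_SAMPLE)):
        print(crash.dump_path or "<windbg>", "->", "; ".join(triage(crash)))
```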

#4 hamluis

Posted 23 July 2009 - 11:47 AM

When using Event Viewer...items requiring attention are denoted as errors. Little point in reviewing any information items, IMO (I don't, anyway).

I don't see anything upon which to base any real opinion...the errors could be caused by a driver that's damaged or poorly written, could be any number of things.


What do you mean...no error messages? What do you think those BSODs are :thumbsup:?

I've seen two indicators for considering the replacement of the CMOS battery:

a. The obvious...time/date data is not accurate.

b. System begins to receive varied BSOD messages that don't necessarily tie together or point to a common denominator.

When I encounter either of the two situations listed above...I replace the CMOS battery. For a small (less than $5) investment, I can eliminate something and possibly right whatever is wrong. I don't mind taking $5 gambles :flowers:.

I suppose that you might as well test your RAM modules. Please read the documentation for testing which accompanies the link to download the diagnostic.

Methodology for testing for me...I initially test all modules as presently installed. If I get errors during that, I then resort to testing 1 module in a specific RAM motherboard slot...if no errors on that one, I then test the other module in the same slot. If no errors, I then remove the RAM from previously tested slot and move it to the next...and so on.

Errors during testing...may possibly be eliminated by altering the system bus clock in the BIOS.

http://en.wikipedia.org/wiki/Underclocking

And...bear in mind that the RAM may be fine. It's called "troubleshooting" because it is not an exact science, but much trial-and-error.

Icrontic Diagnose with Memtest86+ - http://icrontic.com/articles/diagnose_with_memtest86

MemTest Manual - http://hcidesign.com/memtest/manual.html Outdated but still useful, IMO.

Memtest86 - Wikipedia, the free encyclopedia - http://en.wikipedia.org/wiki/Memtest See comments about weaknesses of using anything other than the Memtest86+ version.

Memtest86+ - Advanced Memory Diagnostic Tool - http://www.memtest.org/#downiso

On general principle...it's always good to run a diagnostic on the hard drive when things seem to go wrong...since that is where all the files are. When doing so, please use the appropriate diagnostic from the hard drive manufacturer's website...and run the extended/long test where a long and a short is offered. The long test is more exhaustive and a better indicator.

Hard Drive Installation and Diagnostic Tools - http://www.bleepingcomputer.com/forums/t/28744/hard-drive-installation-and-diagnostic-tools/

Louis

FWIW: It's probably more effective to install critical updates...before any suspicion of malware problems. If the damage has been done prior to installation, I would not expect any positive results from locking the door after the intruder has possibly gained entrance. Ditto for AV and other malware-defense programs.

Edited by hamluis, 23 July 2009 - 11:51 AM.


#5 Fielding Melish

Posted 24 July 2009 - 11:16 AM

Thanks for your additional input, Louis.

I haven't had the chance to test the RAM as you described yet, but have had a couple developments to add to the list of symptoms -- I'm now wondering if this is a virus/trojan infection:

1) The other night, out of desperation, I decided to run another McAfee scan (nothing had been found when I ran it earlier). I ran it in Safe Mode, though I neglected to turn off System Restore before running it. This time, it found one file infected with a "Generic Downloader.z" trojan, which it quarantined. I also ran a MalwareBytes quick scan in Safe Mode and nothing was found.

2) When I rebooted back to normal mode after the scans, I received the same Stop error that I had been receiving earlier - 0x0000007E, with no file association. Upon rebooting again, I immediately received an INVALID_WORK_QUEUE_ITEM (0x00000096) stop error specifying the file NDIS.SYS. I rebooted again and this time received the "A kernel thread has terminated while holding a mutex" (0x4000008A) error. After another reboot, I was able to get into Windows.

3) Shortly after that, I received a McAfee pop-up balloon in my Task bar indicating "Your computer is not protected". I launched the McAfee Security Center and the detail indicated the same set of problems it did after my initial crash (listed in the "Other Symptoms" section of my first post). As with that time, the "Fix" button for the errors returned the message "The problems could not be fixed because of an error". Last time, I had to reinstall McAfee in order to resolve the issues. The system was trying to download updates to the virus definitions, but never seemed to complete - it seemed like my access to update was being blocked.

4) I rebooted to Safe mode and attempted to run another McAfee virus scan, but I received an error message indicating the scan could not be started. I downloaded the Stinger application from McAfee's website and ran that in Safe mode, but nothing was found. I also ran a full MalwareBytes scan, which found nothing.

5) Since there appeared to be a problem with McAfee, I rebooted to Safe Mode with Networking and tried to run a free scan from TrendMicro. While it was running, I received the same 0x0000007E stop error I'd received earlier. A second attempt - also in Safe Mode with Networking - resulted in the 0x00000096 stop error that always seems to follow a reboot after the 0x0000007e error.

Do the problems/corruption of McAfee point more toward a virus/trojan rather than a hardware or driver problem? On the other hand, does the fact that I can work indefinitely in Safe mode, but when I switch to Safe Mode with Networking, I receive the same stop errors I do in Normal mode indicate anything?

#6 hamluis

Posted 24 July 2009 - 11:52 AM

<<Do the problems/corruption of McAfee point more toward a virus/trojan rather than a hardware or driver problem?>>

As one who formerly used McAfee products :thumbsup:, I can say that corruption of that program is not necessarily linked with the presence of malware. File corruption can occur in a program for any number of reasons.

I will also point out that McAfee, like any other AV program, has drivers. "Corruption of drivers" compels many to think solely of system hardware...but I also think about all the programs (AV, firewall, graphics editors, etc.) that employ drivers.

So an "obvious" driver problem...normally encompasses more possibilities than just video, audio, NIC, etc.

<<On the other hand, does the fact that I can work indefinitely in Safe mode, but when I switch to Safe Mode with Networking, I receive the same stop errors I do in Normal mode indicate anything?>>

Well...if I knew what loaded with each...I might be able to give a guess. The obvious difference is that the drivers for the NIC are loaded in one, while not in the other.

http://www.file.net/process/ndis.sys.html For general info...you might take note of the first comment also. I also see that a number of reported NDIS.sys errors relate to NIC problems/situations.

FWIW: Anytime that a user has any indication that a file/program has corruption/damage...it seems prudent to remove the damaged program/file and reinstall an undamaged copy or update.

Louis

#7 Fielding Melish

Posted 29 July 2009 - 12:27 AM

Over the past couple days, I've followed up on my suspicion that this was a virus or trojan. I rescanned in Safe mode with both McAfee and MalwareBytes, neither found anything.

I followed that up by scanning with SUPERAntiSpyware in safe mode, and it identified Trojan.Fake-Alert/Trace in the registry, and apparently cleaned it successfully.

Next, I scanned with Dr. Web CureIt, which located two occurrences of Backdoor.MaosBoot in the Master Boot Record. When removing them, I was prompted with a message "Virus did not save original Boot Sector. Write Standard Boot Sector?". I replied Yes. After a moment, the system rebooted and immediately went into CHKDSK, which indicated "The volume is dirty". CHKDSK seemed to complete OK, with all three stages (files, indexes, and security descriptors) completing successfully.

After that, the system booted into Windows, and I've been up and running, fully functional, ever since - over three hours, with no BSOD, which is much longer than I've been able to make it in quite a while (I would usually get BSOD after 10-15 minutes).

I'm cautiously optimistic that removing the Master Boot Record trojan has fixed my problems, but want to be sure I got it all. Is there a way to ensure Dr Web CureIt completely removed the trojan and it won't reinstall itself?

David

#8 hamluis

Posted 29 July 2009 - 09:48 AM

IMO...the best place for advice/suggestions re malware problems/situations...is BleepingComputer.com - Am I infected What do I do - http://www.bleepingcomputer.com/forums/f/103/am-i-infected-what-do-i-do/

I will make an administrative suggestion that this thread be moved to that forum...right now.

Louis

#9 boopme

Posted 29 July 2009 - 09:58 AM

Hello and welcome. I will move this to the Am I infected from the XP forum.

I would like for you to uninstall, then reinstall, update and run a MalwareBytes scan (in Normal Mode).



Next run ATF and SAS:

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#10 Fielding Melish
  • Topic Starter
  • Members
  • 12 posts

Posted 29 July 2009 - 10:08 AM

Thanks, Louis, for your help and advice throughout.

Boopme: I will follow your instructions and post the requested logs this evening after work. Quick question - I had downloaded and run ATF Cleaner and SUPERAntiSpyware the day before yesterday, before Dr Web identified the Backdoor.MaosBoot trojan. Should I uninstall and re-download them, or can I just run the versions I've got?

Thanks in advance!

#11 boopme
  • To Insanity and Beyond
  • Global Moderator
  • 73,331 posts
  • Gender:Male
  • Location:NJ USA

Posted 29 July 2009 - 10:34 AM

Hello. You need only to update the SAS before running.
Now some info about this Sinowal trojan:
http://www.eset.sk/buxus/generate_page.php?page_id=20689

Advice I would like you to consider...
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

#12 Fielding Melish
  • Topic Starter
  • Members
  • 12 posts

Posted 29 July 2009 - 03:48 PM

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


Thank you for the additional information. We do use the computer for online banking, etc., so unless there is something we can check on that would indicate a significantly mitigated risk, I'm leaning toward the reformat/reinstall. I guess I'd rather not go through that process, but ultimately I want to be sure we're safe. We do have McAfee Firewall running, however as I indicated in an earlier post, there were a couple times during this experience when McAfee indicated the computer was not "fully protected" and I had to re-install McAfee each time. I suppose we were vulnerable at those points.

I do have two external (USB) hard drives, and I backed up most of our data files earlier when we were receiving the BSOD and I was worried the PC might become unbootable at some point. Is it possible that those drives are now infected as well, and what will I need to do to ensure they're safe?

Finally, should I go ahead with your recommended scans (MalwareBytes, ATF, SAS) in preparation for a reformat, or are those only if we're attempting to clean the PC without reformat/reinstall?

Thanks again!

#13 boopme
  • To Insanity and Beyond
  • Global Moderator
  • 73,331 posts
  • Gender:Male
  • Location:NJ USA

Posted 29 July 2009 - 07:50 PM

Hello Fielding Melish. OK, you will need to run Flash Disinfector on your USB drives and on any PC they were connected to, in case they are carrying the infection.

Download and Run FlashDisinfector

You have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.
Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

No scanning will be needed if you are going to reformat.


Your decision as to what action to take should be made by reading and asking yourself the questions presented in the "When should I re-format?" and What Do I Do? links I previously provided. As I already said, in some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action but I cannot make that decision for you.

Not an unwise decision to make, and the one I would make with my machine.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to back up any autorun.ini or .exe files because they may be infected. Some types of malware may disguise themselves by adding and hiding their extension behind the existing extension of files, so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

The best procedure is a low-level format. This completely wipes the drive. Then reinstall the OS.
Use the free version of Active@ KillDisk.
Or Darik's Boot And Nuke

The best sources of Information on this are
Reformatting Windows XP
Michael Stevens Tech

Of course also feel free to ask anything on this in the XP forum. They'd be glad to help.

==============================

2 guidelines/rules when backing up

1) Back up all your important data files, pictures, music, work etc. and save them onto an external hard drive. These files usually include .doc, .txt, .mp3, .jpg etc.
2) Do not back up any executable files or any Windows files. These include .exe/.scr/.htm/.html/.xml/.zip/.rar files, as they may contain traces of malware. Also, .html or .htm files that are web pages should be avoided.

Download Belarc Advisor - builds a detailed profile of your installed software and hardware, including Microsoft Hotfixes, and displays the results in your Web browser.
Run it and then print out the results, they may be handy.
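The two backup rules in the post above, together with the warning about malware hiding behind a second extension, are easy to get wrong by hand across a whole drive. The following is an added example (not code from the thread, nor from any tool named in it) that triages file names the way the post describes: keep data files, refuse executables, scripts, archives and web pages, and single out names such as invoice.pdf.exe, which Windows XP displays as invoice.pdf when it hides known extensions. The extension lists and the sample names are assumptions made for this example; extend them to taste.

```python
"""Backup triage before a wipe and reinstall.

Added example, not code from the BleepingComputer thread. It applies the two
backup rules in the post above (copy data files; do not copy executables,
scripts, archives or web pages) plus the caveat that malware may hide behind
a second extension. Extension lists and sample names are assumptions.
"""
import os
from typing import Dict, List, Tuple

# Never back up these: they can carry or launch malware (rule 2 in the post,
# extended with a few other XP-era executable/script types; an assumption).
RISKY = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".dll",
    ".htm", ".html", ".xml", ".zip", ".rar", ".inf", ".lnk",
}

# Plain data formats worth keeping (rule 1 in the post, slightly extended).
DATA = {".doc", ".txt", ".mp3", ".jpg", ".jpeg", ".png", ".gif", ".xls", ".pdf"}


def all_extensions(name: str) -> List[str]:
    """Every dotted suffix, left to right: 'a.jpg.exe' -> ['.jpg', '.exe']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:] if p]


def classify(name: str) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is copy, skip, suspicious or review."""
    exts = all_extensions(name)
    if not exts:
        return "skip", "no extension, cannot tell what it is"
    last = exts[-1]
    # A data extension immediately before an executable one is the classic
    # disguise: the real type is the last extension, whatever Explorer shows.
    if len(exts) >= 2 and last in RISKY and exts[-2] in DATA:
        return "suspicious", f"{exts[-2]} name hides executable type {last}"
    if last in RISKY:
        return "skip", f"{last} may carry malware; reinstall from original media"
    if last in DATA:
        return "copy", "data file"
    return "review", f"unknown type {last}; inspect by hand before copying"


def triage(names: List[str]) -> Dict[str, List[str]]:
    """Group file names by verdict so the copy list can be fed to a backup tool."""
    groups: Dict[str, List[str]] = {"copy": [], "skip": [], "suspicious": [], "review": []}
    for name in names:
        verdict, _ = classify(os.path.basename(name))
        groups[verdict].append(name)
    return {k: sorted(v) for k, v in groups.items()}


def triage_tree(root: str) -> Dict[str, List[str]]:
    """Walk a real directory (e.g. the external drive) and triage every file."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            found.append(os.path.relpath(os.path.join(dirpath, f), root))
    return triage(found)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for verdict, files in triage_tree(target).items():
        print(f"{verdict:10s} {len(files):5d}")
        for f in files[:20]:
            print("   ", f, "-", classify(os.path.basename(f))[1])
```

Run it against the mount point of the external drive (python triage.py E:\) and hand only the "copy" list to the backup tool; everything under "suspicious" deserves a look with extensions unhidden before it is deleted, and "review" is for formats the lists above do not know about.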

#14 Fielding Melish
  • Topic Starter
  • Members
  • 12 posts

Posted 29 July 2009 - 09:33 PM

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.


I tried to download Flash Disinfector, but get blocked by McAfee with the following message

McAfee has automatically blocked and quarantined an infected file on your computer. You can restore quarantined files from the Restore pane in SecurityCenter.

About this Trojan
Detected: New Malware.jj (Trojan)
Quarantined From: C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\MQUZLYVX\Flash_Disinfector[1].exe

Trojans appear as legitimate programs but can damage valuable files, disrupt performance, and allow unauthorized access to your computer.


Is this just a case of McAfee being overzealous? I assume so, but figured I'd better check first before disabling it to download Flash Disinfector.

Thanks...

#15 boopme
  • To Insanity and Beyond
  • Global Moderator
  • 73,331 posts
  • Gender:Male
  • Location:NJ USA

Posted 30 July 2009 - 12:53 PM

In a word, yes. In a lot of words....
FlashDisinfector is not malware. However, certain embedded files that are part of legitimate programs or specialized fix tools such as FlashDisinfector may at times be detected by some anti-virus and anti-malware scanners as a "Risk Tool", "Hacking Tool", "Potentially Unwanted Program", or even "Malware" (virus/trojan) when that is not the case. This occurs for a variety of reasons to include the tool's compiler, the files it uses, registry fixes and malware strings it contains.

Such programs have legitimate uses in contexts where a Malware Removal Expert asked you to use the tool or when an authorized user/administrator has knowingly installed it. When flagged by an anti-virus or security scanner, it's because the program includes features, behavior or files that appear suspicious or it can potentially be used for malicious purposes. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others or that it was simply detected as suspicious due to the security program's Heuristic analysis engine which provides the ability to detect possible new variants of malware. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. In these cases the detection is a "False Positive". Either have your anti-virus ignore the detection or temporarily disable it until you run the tool.


Alternatively, you can download and use Panda USB Vaccine. Computer Vaccination will prevent any AutoRun file from running, regardless of whether the removable device is infected or not. USB Vaccination disables the autorun file so it cannot be read, modified or replaced by malicious code. The Panda Research Blog advises that once USB drives have been vaccinated, they cannot be reversed except with a format. If you do this, be sure to back up your data files first or they will be lost during the formatting process.
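Both tools discussed in the two posts above (Flash_Disinfector's hidden autorun.inf folder, Panda USB Vaccine) work on the same idea: if a worm cannot drop a readable autorun.inf file in the drive root, Windows XP has nothing to execute on insert. The following is an added example, not code from the thread, from Flash_Disinfector or from Panda. It tells a protective autorun.inf folder apart from a real autorun.inf file, parses the keys XP actually acts on (open=, shellexecute=, shell\verb\command=) so you can see what an infected stick would have launched, and can lay down the protective folder itself. The three sample drive roots are constructed in a temporary directory; the "dropper.exe" path inside the sample file is made up for illustration.

```python
"""Inspect a removable drive's root for autorun.inf abuse.

Added example; not code from the thread, Flash_Disinfector or Panda USB
Vaccine. A directory named autorun.inf in the drive root blocks creation of
a file of the same name, which is the trick those tools rely on. This script
classifies a root, parses a real autorun.inf for launch commands, and can
create the protective folder. Sample roots below are constructed, not real.
"""
import os
import tempfile
from typing import Any, Dict

LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return every command an [autorun] section would launch, keyed by the
    INI key carrying it. Tolerant of the junk lines worms pad files with."""
    launches: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        # open= / shellexecute= run on insert; shell\<verb>\command= runs when
        # the drive is double-clicked or "Explore"d from the context menu.
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            launches[key] = value
    return launches


def inspect_drive_root(root: str) -> Dict[str, Any]:
    """Classify <root>/autorun.inf as protected (folder), absent, or a file."""
    path = os.path.join(root, "autorun.inf")
    if os.path.isdir(path):
        return {"status": "protected", "launches": {}, "suspicious": False}
    if not os.path.lexists(path):
        return {"status": "absent", "launches": {}, "suspicious": False}
    # Worms often write 8-bit text with binary padding; decode leniently.
    with open(path, "r", encoding="latin-1", errors="ignore") as fh:
        launches = parse_autorun(fh.read())
    return {"status": "autorun-file", "launches": launches, "suspicious": bool(launches)}


def protect_drive_root(root: str) -> str:
    """Create the protective autorun.inf folder and return its path.

    On Windows the folder is also marked hidden+system+read-only. A dropper
    that explicitly removes the directory can still get past this, so treat
    it as a speed bump, not a guarantee (my assessment, not the thread's)."""
    path = os.path.join(root, "autorun.inf")
    if os.path.isfile(path):
        raise RuntimeError(f"{path} is a file; inspect and remove it first")
    os.makedirs(path, exist_ok=True)
    if os.name == "nt":
        import ctypes
        readonly, hidden, system = 0x1, 0x2, 0x4  # FILE_ATTRIBUTE_* constants
        ctypes.windll.kernel32.SetFileAttributesW(path, readonly | hidden | system)
    return path


# Constructed sample (not a real capture) in the shape XP-era USB worms used.
SAMPLE_INFECTED_INF = (
    "[AutoRun]\r\n"
    "open=RECYCLER\\dropper.exe\r\n"
    "shell\\open\\command=RECYCLER\\dropper.exe\r\n"
    "shell\\explore\\command=RECYCLER\\dropper.exe\r\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n"
    "useautoplay=1\r\n"
)


def build_sample_roots() -> Dict[str, str]:
    """Make three fake drive roots under a temp dir: clean, infected, vaccinated."""
    base = tempfile.mkdtemp(prefix="usb-")
    roots = {n: os.path.join(base, n) for n in ("clean", "infected", "vaccinated")}
    for r in roots.values():
        os.makedirs(r)
    with open(os.path.join(roots["infected"], "autorun.inf"), "w", newline="") as fh:
        fh.write(SAMPLE_INFECTED_INF)
    os.makedirs(os.path.join(roots["vaccinated"], "autorun.inf"))
    return roots


if __name__ == "__main__":
    import sys
    targets = sys.argv[1:] or list(build_sample_roots().values())
    for t in targets:
        r = inspect_drive_root(t)
        print(f"{t}: {r['status']}")
        for key, cmd in r["launches"].items():
            print(f"    would run via {key}: {cmd}")
```

With no arguments it dry-runs against the constructed roots; pass real mount points (python autorun_check.py E:\ F:\) to audit the two external drives from the thread. Note that, unlike Panda's vaccination, a plain folder can be deleted, which is why both a check and a clean reinstall still matter.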
