
Blue Screen Of Death BSOD


14 replies to this topic

#1 ocktahedron

ocktahedron

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:08:08 PM

Posted 06 August 2009 - 01:40 PM

Hi everyone.

My friend has a laptop computer that she recently got the "fake windows security alert" on. So I booted the computer in safe mode and ran: CCleaner, AVG and Malwarebytes. Between the three scans it found lots of problems and fixed them......I thought. Then I restarted the computer and everything seemed fine. No fake windows security alert but then BOOM! BSOD! DRIVER_IRQL_NOT_LESS_OR_EQUAL. And the countdown began to the beginning dump of physical memory <whatever that means>. But it's a scary message so I just shut the computer down.

A bit of history. Two weeks ago she got the BSOD with the exact same error message and I gave the laptop to a friend of mine who then gave it to a guy at his work who "fixed it". It's worked fine up until she got the fake windows security alert virus. She didn't have a firewall at the time she got the virus but promptly went and bought AVG. From what I'm told the guy who fixed the Blue screen error the first time did a recovery. I know she doesn't have a windows xp cd but I read the forums and made one by burning the iso img. I hope this is right.

Can someone tell me what to do next please? My friend really needs her computer because she's going through a custody battle and divorce so she really can't be without it and can't afford to pay someone to fix it. Any help is GREATLY appreciated. Thanks.


Hey I just read How to receive help diagnosing Blue Screens and Windows crashes and I'm going to follow the steps and post the dump file information.

Edited by ocktahedron, 06 August 2009 - 01:59 PM.




#2 hamluis

hamluis

    Moderator


  • Moderator
  • 55,726 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:08:08 PM

Posted 06 August 2009 - 02:21 PM

Hi :thumbsup:.

<<My friend has a laptop computer that she recently got the "fake windows security alert" on.>>

Is this what you are referring to? http://www.myantispyware.com/2009/07/17/ho...security-alert/

<<Then I restarted the computer and everything seemed fine. No fake windows security alert but then BOOM! BSOD! DRIVER_IRQL_NOT_LESS_OR_EQUAL.>>

AUMHA says:

"0x000000D1: DRIVER_IRQL_NOT_LESS_OR_EQUAL
The system attempted to access pageable memory using a kernel process IRQL that was too high. The most typical cause is a bad device driver (one that uses improper addresses). It can also be caused by faulty or mismatched RAM, or a damaged pagefile."

I would also add malware to the list of potential causes.

<<...countdown began to the beginning dump of physical memory <whatever that means>....>>

As I understand it...a physical memory dump is merely the reporting of a situation which has adversely impacted the system. Whatever bad occurred...has already happened and the "dump" is the report that contains what is considered pertinent data regarding the situation. Dr. Watson reports can be considered in the same light, the report itself is generated and the message that appears onscreen really just says "report coming."

I could be wrong :flowers:, but that's how I interpret it.

What the user should do next...is review the dump (there is a file with the .dmp file extension) and attempt to determine what the system thinks is wrong with itself. The following link attempts to provide guidance that will help decipher the .dmp file/message.

I equate a BSOD to a human regurgitating as the body tries to overcome whatever is making it sick. But a BSOD also reflects/contains useful information that is (hopefully) going to assist in the diagnosis of what is wrong.

<<...she doesn't have a windows xp cd but I read the forums and made one by burning the iso img.>>

Well...you probably did not make an XP CD...but you probably made a Recovery Console CD. The Recovery Console is one of the repair tools which can be used on XP...but it is not the complete set of XP install files, far from it.

As I see it, you have two issues:

a. The system may be infected. I will suggest that this post be moved to one of the malware forums that can assist in determining if it is and what to do about it (if it is).

b. Since this system is a laptop, it's made by someone who probably uses recovery/restore CDs. That manufacturer must be contacted and copies of said CDs obtained...if the intent is to effect any repairs to the system. The current XP files may be somewhat damaged or some may be missing and that cannot be addressed without a disk that contains said files. As you can see, they are worth having.

I am going to suggest that this post be moved to what I think is the proper malware forum, just stand by for further guidance.

Louis

#3 ocktahedron

ocktahedron
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:08:08 PM

Posted 06 August 2009 - 02:24 PM

Okay Louis. Thank you for your help. I will stand by for further guidance. So the recovery CD that I've created will not solve the problem??



BTW "I equate a BSOD to a human regurgitating as the body tries to overcome whatever is making it sick." That's funny Hahhaa@!

Amil

Edited by ocktahedron, 06 August 2009 - 02:28 PM.


#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,176 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:08 PM

Posted 06 August 2009 - 02:35 PM

Hello, I am moving this as needed from XP to the Am I Infected forum.
Let's get another MBAM scan.
Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates, when done
click Scanner tab, select FULL scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 ocktahedron

ocktahedron
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:08:08 PM

Posted 06 August 2009 - 03:39 PM

Malwarebytes' Anti-Malware 1.40
Database version: 2571
Windows 5.1.2600 Service Pack 2 (Safe Mode)

8/6/2009 4:32:48 PM
mbam-log-2009-08-06 (16-32-48).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 161651
Time elapsed: 30 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\hjgruikhhaxbpj.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4c65a590 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\334e67decab6a8147053beff34b6cc40 (Rogue.A360AntiVirus) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\hjgruikhhaxbpj.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,176 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:08 PM

Posted 06 August 2009 - 04:10 PM

Hello, yep you have backdoors and rootkits on here. Let me ask you to read this first.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


The next step will be..

Next Please install RootRepeal
Note: Vista users, right click on desktop icon and select "Run as Administrator."
Fatdcuk at Malwarebytes posted a comprehensive tutorial - Self Help guide can be found here if needed.: Malwarebytes Removal and Self Help Guides.

Go HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images, if needed >> L@@K.
Unzip that (7-zip tool if needed) and then click RootRepeal.exe to open the scanner.
Next click on the Report tab, now click on Scan. A Window will open asking what to include in the scan. Check all of the below and then click OK.

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services


Now you'll be asked which drive to scan. Check C: and click OK again and the scan will start. Please be patient as the scan runs. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should automatically save it there).
Please copy and paste that into your next reply.

Please note: If Rootrepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High

#7 ocktahedron

ocktahedron
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:08:08 PM

Posted 06 August 2009 - 04:18 PM

Well I don't have any of the OS disks so I will have to take the steps you outlined. Will do that now and report back.

Thank you very much.

#8 ocktahedron

ocktahedron
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:08:08 PM

Posted 06 August 2009 - 05:03 PM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/06 17:51
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF7DB1000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8A6E000 Size: 8192 File Visible: No Signed: -
Status: -

Name: hjgruiatbbtwmi.sys
Image Path: C:\WINDOWS\system32\drivers\hjgruiatbbtwmi.sys
Address: 0xF8020000 Size: 163840 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF7909000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\windows\system32\hjgruidxvcbndr.dat
Status: Invisible to the Windows API!

Path: C:\windows\system32\hjgruikdqxcjwn.dll
Status: Invisible to the Windows API!

Path: C:\windows\system32\hjgruikhhaxbpj.dll
Status: Invisible to the Windows API!

Path: C:\windows\system32\hjgruilog.dat
Status: Invisible to the Windows API!

Path: C:\windows\system32\hjgruinfxumxeh.dat
Status: Invisible to the Windows API!

Path: C:\windows\system32\pool.bin
Status: Visible to the Windows API, but not on disk.

Path: C:\windows\Temp\hjgruisbwqvtunvf.tmp
Status: Invisible to the Windows API!

Path: C:\windows\system32\drivers\hjgruiatbbtwmi.sys
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: hjgruikdqxcjwn.dll]
Process: svchost.exe (PID: 1756) Address: 0x00650000 Size: 57344

Object: Hidden Module [Name: hjgruikhhaxbpj.dll]
Process: svchost.exe (PID: 1756) Address: 0x10000000 Size: 28672

Hidden Services
-------------------
Service Name: hjgruivucdelnn
Image Path: C:\WINDOWS\system32\drivers\hjgruiatbbtwmi.sys

==EOF==
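The report above is easier to act on once the hidden items are pulled out and related to each other: a driver the Windows API cannot see, files sharing one random-looking name prefix, a DLL injected into svchost.exe, and a hidden service whose image path is that same hidden driver. The script below is an added example (not part of this thread, and not a RootRepeal or Malwarebytes tool); it parses a RootRepeal-style report, lists everything marked hidden, looks for a filename tag common to the hidden objects, and pairs each hidden service with a hidden driver it loads. SAMPLE_REPORT is constructed for the example from a subset of the entries posted above; the section and field names it expects are the ones visible in that report.

```python
"""Triage a RootRepeal report: list every object the scanner could not see
through the normal Windows API and tie the pieces together. SAMPLE_REPORT is
constructed for this example from a subset of the entries posted above."""
import ntpath
import re

SAMPLE_REPORT = r"""
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF7DB1000 Size: 98304 File Visible: No Signed: -
Status: -

Name: hjgruiatbbtwmi.sys
Image Path: C:\WINDOWS\system32\drivers\hjgruiatbbtwmi.sys
Address: 0xF8020000 Size: 163840 File Visible: - Signed: -
Status: Hidden from the Windows API!

Hidden/Locked Files
-------------------
Path: C:\windows\system32\hjgruikhhaxbpj.dll
Status: Invisible to the Windows API!

Path: C:\windows\system32\pool.bin
Status: Visible to the Windows API, but not on disk.

Path: C:\windows\system32\drivers\hjgruiatbbtwmi.sys
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: hjgruikhhaxbpj.dll]
Process: svchost.exe (PID: 1756) Address: 0x10000000 Size: 28672

Hidden Services
-------------------
Service Name: hjgruivucdelnn
Image Path: C:\WINDOWS\system32\drivers\hjgruiatbbtwmi.sys

==EOF==
"""

HIDDEN_MARKERS = ("Hidden from the Windows API", "Invisible to the Windows API")
DASHES = re.compile(r"-{5,}")


def parse_report(text):
    """Return {section: [entry, ...]}. A section is a heading underlined with
    dashes; an entry is one run of 'Key: value' lines between blank lines."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    sections, section, entry = {}, None, {}

    def flush():
        if entry and section:
            sections.setdefault(section, []).append(dict(entry))
        entry.clear()

    for i, line in enumerate(lines):
        if i + 1 < len(lines) and DASHES.fullmatch(lines[i + 1].strip()):
            flush()
            section = line.strip()            # heading, underlined on the next line
        elif not line.strip() or DASHES.fullmatch(line.strip()) or line.startswith("=="):
            flush()                           # blank, underline or ==EOF== separator
        elif section is not None:
            key, sep, value = line.partition(":")   # split on the first colon only
            if sep:
                entry[key.strip()] = value.strip()
    flush()
    return sections


def is_hidden(entry):
    return any(m in entry.get("Status", "") for m in HIDDEN_MARKERS)


def hidden_objects(sections):
    """Every object the report marks as hidden, as (kind, short name, detail)."""
    found = []
    for d in sections.get("Drivers", []):
        if is_hidden(d):
            found.append(("driver", ntpath.basename(d["Image Path"]), d["Image Path"]))
    for f in sections.get("Hidden/Locked Files", []):
        if is_hidden(f):
            found.append(("file", ntpath.basename(f["Path"]), f["Path"]))
    for o in sections.get("Stealth Objects", []):
        name = re.search(r"\[Name: ([^\]]+)\]", o.get("Object", ""))
        proc = re.match(r"(\S+) \(PID: (\d+)\)", o.get("Process", ""))
        if name and proc:
            found.append(("module", name.group(1), f"in {proc.group(1)} pid {proc.group(2)}"))
    for s in sections.get("Hidden Services", []):
        found.append(("service", s["Service Name"], s["Image Path"]))
    return found


def shared_prefix(names, min_len=5, min_count=3):
    """Longest leading string shared by at least min_count names; a dropper
    that stamps one random tag on its driver, DLLs and service shows up here."""
    best = ""
    for n in names:
        for size in range(min_len, len(n) + 1):
            prefix = n[:size].lower()
            hits = sum(1 for m in names if m.lower().startswith(prefix))
            if hits >= min_count and len(prefix) > len(best):
                best = prefix
    return best


def service_driver_links(sections):
    """(service, driver path) pairs where a hidden service points at a driver
    that is itself hidden: the loader and the payload in one place."""
    hidden = {d["Image Path"].lower() for d in sections.get("Drivers", []) if is_hidden(d)}
    return [(s["Service Name"], s["Image Path"])
            for s in sections.get("Hidden Services", [])
            if s["Image Path"].lower() in hidden]


def triage(text):
    sections = parse_report(text)
    found = hidden_objects(sections)
    return {"hidden": found,
            "tag": shared_prefix([name for _, name, _ in found]),
            "links": service_driver_links(sections)}
```

Run `triage(SAMPLE_REPORT)` on the sample and the result lists five hidden objects, reports `hjgrui` as the tag they share, and pairs the service `hjgruivucdelnn` with the hidden driver it loads. A file like `pool.bin`, which RootRepeal reports as visible but missing from disk, is deliberately not counted as hidden; that status describes a different condition and deserves its own look rather than being lumped in with rootkit artefacts.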

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,176 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:08 PM

Posted 06 August 2009 - 07:11 PM

Ok, that's what we wanted.

Now the next step...

Rerun Rootrepeal. After the scan completes, go to the files tab and find these files:

C:\windows\system32\hjgruikdqxcjwn.dll
C:\windows\system32\hjgruikhhaxbpj.dll
C:\windows\system32\drivers\hjgruiatbbtwmi.sys

Then use your mouse to highlight it in the Rootrepeal window.
Next right mouse click on it and select *wipe file* option only.
Then immediately reboot the computer.



Rerun MBAM like this:

Open MBAM in normal mode and click Update tab, select Check for Updates, when done
click Scanner tab, select Quick scan and scan.
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

How is it running now?

#10 ocktahedron

ocktahedron
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:08:08 PM

Posted 06 August 2009 - 08:17 PM

I ran RootRepeal in SafeMode and C:\windows\system32\drivers\hjgruiatbbtwmi.sys was the only file of the three you listed. Also, when I wipe that file, nothing happens. It's still there and it's in red text. I will wait for further instruction before continuing.

Thanks.

Edited by ocktahedron, 06 August 2009 - 08:18 PM.


#11 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,176 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:08 PM

Posted 06 August 2009 - 09:37 PM

Rerun MBAM and post the log.

#12 ocktahedron

ocktahedron
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:08:08 PM

Posted 07 August 2009 - 10:27 AM

Malwarebytes' Anti-Malware 1.40
Database version: 2571
Windows 5.1.2600 Service Pack 3 (Safe Mode)

8/7/2009 11:18:42 AM
mbam-log-2009-08-07 (11-18-42).txt

Scan type: Full Scan (C:\|D:\|F:\|)
Objects scanned: 172313
Time elapsed: 40 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP11\A0003003.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP11\A0003004.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

#13 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,176 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:08 PM

Posted 07 August 2009 - 10:31 AM

OK, this looks good to go now..
Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.
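The two MBAM logs earlier in the thread show two things worth checking for automatically: an action of "Delete on reboot" (the module was still loaded and could not be removed while the system ran), and detections whose paths sit under `C:\System Volume Information\_restore{...}`, which are the System Restore copies the advice above is about. The script below is an added example, not a Malwarebytes tool and not from this thread; it parses MBAM-style logs into per-detection records and answers both questions. LOG_BEFORE and LOG_AFTER are constructed for the example and reuse a few entries from the logs posted above.

```python
"""Summarise Malwarebytes' Anti-Malware (MBAM) logs of the kind posted in this
thread: what was found, what could only be scheduled for deletion at reboot,
and what sat inside a System Restore point. The two logs below are constructed
for this example and reuse a few of the entries posted above."""
import re
from collections import Counter

LOG_BEFORE = r"""
Malwarebytes' Anti-Malware 1.40
Windows 5.1.2600 Service Pack 2 (Safe Mode)

Memory Modules Infected: 1
Files Infected: 1

Memory Modules Infected:
\\?\globalroot\systemroot\system32\hjgruikhhaxbpj.dll (Trojan.TDSS) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4c65a590 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Files Infected:
\\?\globalroot\systemroot\system32\hjgruikhhaxbpj.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
"""

LOG_AFTER = r"""
Malwarebytes' Anti-Malware 1.40
Windows 5.1.2600 Service Pack 3 (Safe Mode)

Memory Modules Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP11\A0003003.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9B539E66-D85A-41E7-ACFD-AE0F6CD9DCE9}\RP11\A0003004.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
"""

# A section heading ends in a bare colon; the summary counts ("Files Infected: 2") do not.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "<item> (<family>) -> <action>." ; "(No malicious items detected)" does not match.
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{", re.IGNORECASE)


def parse_mbam(text):
    """Return one dict per detection line: section, item, family, action."""
    entries, section = [], None
    for line in text.splitlines():
        line = line.strip()
        head = SECTION_RE.match(line)
        if head:
            section = head.group("section")
            continue
        hit = ENTRY_RE.match(line)
        if hit and section:
            entries.append({"section": section, **hit.groupdict()})
    return entries


def pending_on_reboot(entries):
    """Items MBAM could not remove live (typically a module still loaded in a
    running process); until the reboot happens that code is still active."""
    return [e["item"] for e in entries if e["action"].lower().startswith("delete on reboot")]


def restore_point_hits(entries):
    """Detections inside System Restore's protected _restore{GUID} store."""
    return [e["item"] for e in entries if RESTORE_RE.search(e["item"])]


def family_counts(entries):
    return Counter(e["family"] for e in entries)


def report(text):
    """One-call summary for a log: families seen, live items, restore copies."""
    entries = parse_mbam(text)
    return {"families": dict(family_counts(entries)),
            "pending": pending_on_reboot(entries),
            "in_restore_points": restore_point_hits(entries)}
```

For LOG_BEFORE, `report()` shows the TDSS module still pending deletion at reboot, which is why the thread did not stop at that first scan; for LOG_AFTER it shows nothing live and two Trojan.TDSS copies inside the restore store, the situation that creating a fresh restore point and clearing the old ones is meant to address.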

#14 ocktahedron

ocktahedron
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:08:08 PM

Posted 08 August 2009 - 11:35 AM

Thank you very much Boopme. Your help has made the computer run again. I am extremely grateful to you and www.bleepingcomputer.com


Thanks to everyone who helped.

#15 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,176 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:08 PM

Posted 08 August 2009 - 07:12 PM

You're welcome from all of us, please take a moment to read quietman7's excellent prevention tips in post 17 here
Click>>Tips to protect yourself against malware and reduce the potential for re-infection:



