
Computer blue-screens when using the internet



#1 jlsaunders

Posted 06 October 2009 - 03:57 AM

Hi,

My computer got infected with the Koobface several weeks ago. I posted in the 'Am I infected? What do I do?' section and the Hijackthis logs section and we have used Malwarebytes to remove the infected files, restored Windows to the last known good configuration and used the XP system restore feature and updated security.

Unfortunately none of this has worked. After using the internet (through both IE and Firefox) for around 5 mins the window freezes so I have to close it down. My computer then blue screens and I receive the ***STOP: 0x0000000A message. After logging back on I receive the following message 'loading model error. load default model?'. If I log off before internet freezes I get this message 'the instruction at 0x000f2fc0 referenced memory at 0x000f2f0. The memory could not be written. Click ok to terminate the program. Click cancel to debug the program'.

The last time my computer blue screened I received an error report after logging back on. I thought the info could be of help. Please find all of the details below:

Error Report Contents
The following files will be included in the report
C:\DOCUME~1\JAIME-~1\LOCALS~1\Temp\WERc30b.dir00\Mini100409-01.dmp
C:\DOCUME~1\JAIME-~1\LOCALS~1\Temp\WERc30b.dir00\sysdata.xm

Error signature
BCCode : 1000000a BCP1 : 0000BA33 BCP2 : 00000002 BCP3 : 00000001
BCP4 : 806E4A8E OSVer : 5_1_2600 SP : 2_0 Product : 256_1 l

I've had the problem for a couple of months now and I'm keen to get it fixed asap. Please let me know if I should take it to a repair shop or reinstall windows.
Thanks
Jaime
Many thanks in advance for your help.

Jaime


#2 starcraftmaster

Posted 06 October 2009 - 04:05 AM

Quick fix: reinstall Windows

Don't take it to a repair shop
they won't do anything more than we do lol

I would scan again with Malwarebytes to make sure

Edited by starcraftmaster, 06 October 2009 - 04:06 AM.


#3 joseibarra

Posted 06 October 2009 - 05:58 AM

I looked at your other posts and they seem to think that you are (or were) malware free and asked you to try here.

The error appears hardware/driver related.

I cannot find that error 'loading model error. load default model?' exactly using a Google search and it looks like you are a diligent copier of what you see on the screen into your posts. I would ask you to double check since I will usually start with Google.

One similar post (but not exactly) was resolved by replacing the CMOS battery on the motherboard. That machine would not boot at all. Replacing the CMOS battery will also require the CMOS/BIOS be set up again, so in that situation, a couple things were done.

When you have this issue, can you restart immediately or do you need to wait a while (is it heat related)?

It will not hurt to update/run MBAM again, then we may not know what it is, but we will know what it is not.

If this is a desktop (we'll find out shortly), are you comfortable doing a little interior maintenance - cleaning fans, reseating RAM, I/O cards, replacing battery, etc.? A #2 Phillips screwdriver may be required. It would be a shame for you to go to a shop to replace a $2 battery and spend $25 for a "blow out" as they call it around here. Battery life varies, but I would say 3-5 years (my desktop is 3.47 years).

Any other weirdness - messages on reboot from the BIOS, system date/time needing attention, etc.?

Since the problem has been going on for some time, here is a BC tutorial about computer hygiene which is a little overboard for me, but I live dangerously and it won't hurt anything:

http://www.bleepingcomputer.com/tutorials/cleaning-the-inside-of-your-pc/

Anywho, please double check the error context, guesstimate your system/motherboard age in years and perform the following:

Click Start, Run and in the box enter:

msinfo32

Click OK, and when the System Summary info appears, click Edit, Select All, Copy and then paste

There will be some personal information (like System Name and User Name), and whatever appears to be private information to you, just delete from the pasted information.

Your BSOD info is coming from the Event Log, which is fine. Do you notice the BCP numbers changing or are they always the same?

There is also other info on the screen which may have more clues:

Disable Automatic restart on system error to stop the error on your screen so you can see it:

Right click My Computer, Properties, Advanced, Startup and Recovery Settings.

In the System failure section, untick the Automatically restart box, OK, OK.

BSOD blue screen of death example information showing what you need to provide:

http://www.codinghorror.com/blog/images/Windows_XP_BSOD.png
http://techrepublic.com.com/i/tr/downloads/images/bsod_a.jpg

Send the information indicated by the red arrows (3-4 lines total). Skip the boring text unless it looks important to you. We know what a BSOD looks like, we need to know the other information that is specific to your BSOD.

Edited by joseibarra, 06 October 2009 - 06:02 AM.

The mediocre teacher tells. The good teacher explains. The superior teacher demonstrates.


#4 jlsaunders

Posted 06 October 2009 - 07:26 AM

Hi

Thanks for your help.

The error message is exact. It also gives me the option of clicking 'yes' or 'cancel'. If I click yes the message reappears, if I select cancel it closes.

There isn't any other weirdness, just the problems/messages reported.

My computer is around 3 years old. I didn't use it for a year while I was away and would consider myself a light user.

The computer restarts fine after blue-screening so I don't think it's a prob with heat. I can use other features, word, excel etc for hours without the problems occurring. It's only when I use the internet.

I haven't performed any interior maintenance before but I'm happy to give it a go.

I will run the report as requested and post in a couple of mins.

Thanks
Jaime

#5 jlsaunders

Posted 06 October 2009 - 07:37 AM

Here's the system summary:

OS Name Microsoft Windows XP Professional
Version 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer Microsoft Corporation
System Name JL
System Manufacturer Dell Inc.
System Model Vostro 1000
System Type X86-based PC
Processor x86 Family 15 Model 104 Stepping 1 AuthenticAMD ~1695 Mhz
BIOS Version/Date Dell Inc. 2.4.1, 31/05/2006
SMBIOS Version 2.4
Windows Directory C:\WINDOWS
System Directory C:\WINDOWS\system32
Boot Device \Device\HarddiskVolume2
Locale United States
Hardware Abstraction Layer Version = "5.1.2600.5512 (xpsp.080413-2111)"
Time Zone GMT Daylight Time
Total Physical Memory 2,048.00 MB
Available Physical Memory 1.30 GB
Total Virtual Memory 2.00 GB
Available Virtual Memory 1.96 GB
Page File Space 3.72 GB
Page File C:\pagefile.sys

I haven't noticed any of the numbers changing.

#6 jlsaunders

Posted 06 October 2009 - 07:51 AM

Hi,

Sorry for sending 3 posts, I have to try to beat the blue-screen each time!

The technical info on the blue screen is as follows:

Top line:
IRQL_NOT_LESS_OR_EQUAL

Bottom line:
***STOP: OxOOOOOOOA (OxOOOOBA33, OxOOOOOOO2, OxOOOOOOO1, Ox8O6E6A8E)

All of the other text is identical to the examples you provided

Please let me know if you need anymore info.

Thanks
Jaime
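
As an added illustration (not part of any post in this thread), the Python below parses the blue-screen line from post #6 and the error signature from post #1, reads a letter O typed for zero as 0, names the four parameters of bug check 0xA, and lists which fields differ between the two reports. The function names are made up for this example, and treating BCCode 1000000a as bug check 0xA is an assumption noted in the code.

```python
import re

# Values copied from the posts above: the hand-typed blue-screen line (letter O
# typed for zero) and the error-report signature.
STOP_LINE = "***STOP: OxOOOOOOOA (OxOOOOBA33, OxOOOOOOO2, OxOOOOOOO1, Ox8O6E6A8E)"
WER_TEXT = ("BCCode : 1000000a BCP1 : 0000BA33 BCP2 : 00000002 "
            "BCP3 : 00000001 BCP4 : 806E4A8E")

def to_int(token):
    """Parse a hex token, reading a letter O as the digit 0."""
    cleaned = token.strip().upper().replace("O", "0")
    return int(cleaned[2:] if cleaned.startswith("0X") else cleaned, 16)

def parse_stop_line(line):
    """Return (code, [p1, p2, p3, p4]) from a 'STOP: code (p1, p2, p3, p4)' line."""
    m = re.search(r"STOP:\s*(\w+)\s*\(([^)]*)\)", line)
    if not m:
        raise ValueError("no STOP code found")
    return to_int(m.group(1)), [to_int(p) for p in m.group(2).split(",")]

def parse_wer_signature(text):
    """Return (code, [p1, p2, p3, p4]) from 'BCCode : x BCP1 : y ...' text."""
    fields = {k.upper(): v for k, v in re.findall(r"(\w+)\s*:\s*(\w+)", text)}
    return to_int(fields["BCCODE"]), [to_int(fields["BCP%d" % i]) for i in (1, 2, 3, 4)]

def describe_0a(params):
    """Name the four parameters of bug check 0xA (IRQL_NOT_LESS_OR_EQUAL)."""
    return {"address_referenced": hex(params[0]),
            "irql": params[1],
            "access": "write" if params[2] & 1 else "read",
            "instruction_address": hex(params[3])}

def differences(a, b):
    """List which fields differ between two (code, params) reports."""
    # Assumption: the error report shows the same bug check with the 0x10000000
    # bit set (1000000a for 0xA), so that bit is masked before comparing.
    diffs = [] if (a[0] & 0x0FFFFFFF) == (b[0] & 0x0FFFFFFF) else ["code"]
    return diffs + ["P%d" % (i + 1) for i in range(4) if a[1][i] != b[1][i]]

if __name__ == "__main__":
    stop, wer = parse_stop_line(STOP_LINE), parse_wer_signature(WER_TEXT)
    print(describe_0a(stop[1]))
    print("fields that differ:", differences(stop, wer))
```

A difference in a single parameter between a hand-copied screen and the logged signature can be a transcription slip or two separate crashes, so the minidump named in the error report is the record to check against.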

#7 joseibarra

Posted 06 October 2009 - 08:41 AM

Thanks and I will read/think about it.

I see you have Firefox installed, so if that is your browser of choice, click Start, Programs and choose Mozilla FF in Safe Mode which will not load add ons and see if things last longer.

If you can bear the agony, try IE in Regular and Safe Mode from Start, Programs... (or have you already?).

If we can find a method that does not crash, that will be good. You will have to try some things until you can hopefully say, it works great if I do this...

Have you tried booting in Safe Mode with Networking to see if your Internet access is more stable?

Start tapping the F8 key during a reboot and get a menu of options, choose Safe Mode with networking (so you can get in the Internet) and see how that works.

Things will look different, but should still be reasonably functional so see if it lasts longer that way.

Do you have any recollection of video (or any driver) driver updates, did you install SP3, prior to the issue? I am looking for the "It was working fine until I..." kind of ideas.

If you miss the F8 window of opportunity, you will have to reboot and try again.

Edited by joseibarra, 06 October 2009 - 08:51 AM.

The mediocre teacher tells. The good teacher explains. The superior teacher demonstrates.


#8 jlsaunders

Posted 07 October 2009 - 05:12 AM

Hi,

I've tried running both FF and IE in safe mode, it lasts slightly longer but not much.

If I reboot in safe mode I can't connect to the internet.

I've run malware again and nothing shows up. I've also run Spyware Doctor and it detects:

adware.advertising (3 infections)
-Browser cookie
-atdmt.com/atdmt.com
-atdmt.com/atdmt.com
-atdmt.com/atdmt.com

Application.TrackingCookies (4 infections)
-Browser cookie
-clickbank.net/clickbank.net
-clickbank.net/clickbank.net

#9 jlsaunders

Posted 07 October 2009 - 05:28 AM

Sorry, not sure what happened there. Here's the rest of the scan results:

Application.TrackingCookies (4 infections)
-Browser cookie
-clickbank.net/clickbank.net
-clickbank.net/clickbank.net
-doubleclick.net/doubleclick.net
-microsoftwindows.112.2o7.net/microsoftwindows.112.2o7.net

Adware.Sexxxpassport_com (3 infections)

Registry Value
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\}D2FAC024-92CO-42E5-A75B-7B4E3915CC50}\InprocServer32, (Default)

Registry Key
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\}D2FAC024-92CO-42E5-A75B-7B4E3915CC50}\InprocServer32, (Default)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\}D2FAC024-92CO-42E5-A75B-7B4E3915CC50}

I've copied it all out by hand as it doesn't seem to be possible to create a log.

Any advice on how to remove these would be greatly appreciated. I have to pay for registration to be able to remove them through Spyware Doctor.


I've also researched koobface on the internet and a couple of people have suggested that it doesn't always show up in logs. I've removed the files that did show up but I'm wondering if maybe I still have remnants of the infection which are undetected? Is it possible that the registry keys/values could still be infected?

Many thanks

#10 joseibarra

Posted 07 October 2009 - 07:59 AM

I know of a few cases where issues come up, you run MBAM/SAS and it detects and cleans, but they cannot look at the registry and decide if the things it might find are legitimate changes or made by the malware, so it just leaves them. I can appreciate that. No tool seems to know about everything, so those are my favorite starting points.

Subsequent scans may be clean (you are no longer "infected"), but the problem in the registry is still there. It may not jump out at you either as it looks like so many other legit entries.

Or the malware uses a different method to create bogus entries with random names so if it was ever detected once, it will not be detected again. Pretty sneaky. Some of those I know how to fix, but I do not have a method for this situation.

There may be some other AV tools to run, but you still may end up having to do some things by hand, but I don't like guessing. I am not sure about this koobface thing.

What your last post shows is a Class ID (CLSID) which I do not have here, I can't use a tool to find it or find it in a Google search to know who it belongs to, my stuff in that area of the registry does not show any empty entries like yours, and are they really identical (lines 1, 2, 3)? I know you typed them or copy/paste?

1. D2FAC024-92CO-42E5-A75B-7B4E3915CC50
2. D2FAC024-92CO-42E5-A75B-7B4E3915CC50
3. D2FAC024-92CO-42E5-A75B-7B4E3915CC50

Look at some of the many other CLSID entries - there is other "good" stuff in them, are these just some empty placeholders or is there really stuff under them? They are browser related.

I can't get to your other posts on the other forum with your Hijackthis log to see if they are in there, but that is not a virus scanner, but you could delete them from that if they show up. I will try again later.

You can backup your registry with this:

http://www.larshederer.homepage.t-online.de/erunt/

And then export out that part of the registry (I would do both).

You could find the 3 entries that Spyware Doctor found and remove them yourself from the registry. They really don't make sense to me the way they are, but maybe SD only prints part of the info. If things get worse, put them back.

I also read that for your koobface infection these keys should be located and deleted if they exist (they don't exist for me).

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mbsvalid1.com

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mbsvalid2.com

The above might be an example where the scans deleted the mbsvalid1&2 files, but left the junk in the registry.

So, I am guessing :thumbsup: and I think if it was me, I would backup the reg, look for those mbsvalid things, whack them, export those CLSIDs, reboot, test if they are found. Then whack those CLSIDs, reboot and test. You can always put them back. I would not change two things at a time. If the mbsvalids are there, do them, test - then do the CLSID things which you know are there for sure.

You need to be sure you can undo things if you make changes and things get worse.

Or, hang out for some other ideas from somebody else.

Or put up a Hijackthis log and get moved again. Maybe I can look at your old log later - something is going on with BC right now I think.

Edited by joseibarra, 07 October 2009 - 08:14 AM.

The mediocre teacher tells. The good teacher explains. The superior teacher demonstrates.
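
The look-before-you-delete steps in post #10, as an added Python example (not written by any poster): it reads regedit export text and reports whether the two ZoneMap keys named there and a given CLSID key are absent, empty, or hold data, and it flags a hand-copied CLSID that is not valid hexadecimal. The function names, the all-zero placeholder CLSID and the sample export text are constructed for illustration.

```python
import re

GUID_RE = re.compile(r"^[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}$", re.I)
ZONEMAP = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Internet Settings\ZoneMap\Domains")
CLSID_ROOT = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\"
PLACEHOLDER = "00000000-0000-0000-0000-000000000000"  # stands in for the real CLSID
# Constructed sample; read a real export with open(path, encoding="utf-16").
SAMPLE = "\n".join([
    "Windows Registry Editor Version 5.00",
    "[%s\\mbsvalid1.com]" % ZONEMAP,
    '"*"=dword:00000002',
    "[%s{%s}]" % (CLSID_ROOT, PLACEHOLDER),
    "[%s{%s}\\InprocServer32]" % (CLSID_ROOT, PLACEHOLDER),
    '@=""',
])

def parse_reg(text):
    """Map each [key] in regedit export text to its {value name: data} dict."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            current[name.strip('"')] = data.strip('"')
    return keys

def key_status(keys, path):
    """'absent', 'empty' (no data in the key or below it) or 'has data'."""
    path = path.upper()
    subtree = [v for k, v in keys.items() if k == path or k.startswith(path + "\\")]
    if not subtree:
        return "absent"
    return "has data" if any(d for vals in subtree for d in vals.values()) else "empty"

def clsid_problem(text):
    """Say why a hand-copied CLSID is not a valid GUID, or return None."""
    guid = text.strip("{}").upper()
    if GUID_RE.match(guid):
        return None
    bad = sorted(set(guid) - set("0123456789ABCDEF-"))
    return "not hexadecimal: " + ",".join(bad) if bad else "wrong length or grouping"

def audit(text, clsid):
    """Status of the two ZoneMap keys from the post and of one CLSID key."""
    keys = parse_reg(text)
    paths = [ZONEMAP + "\\mbsvalid1.com", ZONEMAP + "\\mbsvalid2.com", CLSID_ROOT + "{%s}" % clsid]
    return [(p.rsplit("\\", 1)[-1], key_status(keys, p)) for p in paths]
```

Running `audit` on the export taken before any change gives a record of what was present, and the same export file is what gets merged back if a deletion makes things worse.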




