Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

BSOD except when Crypto Services is disabled


  • This topic is locked This topic is locked
6 replies to this topic

#1 wgk-eagle

wgk-eagle

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:41 PM

Posted 28 June 2011 - 04:35 PM

My XP SP3 system started to BSOD more than 2 weeks ago. BSOD shortly after logging in. The BSOD displays for so short a time, it is hard to get anything off it, but it was about a "k71.sys" and Stop: 00000050 and a descriptor of "Fault in non-paged area". I tried Last Known Good...same results. I tried restoring to several earlier checkpoints...same results. Thinking hardware memory issues, I booted with the HP Insight (xw8400 workstation) diagnostics and ran a successful quick scan and the complete hardware system tests (3 full passes over 7 hours). Tried in SAFE mode to locate a k71.sys file but couldn't locate any such file.

Since the BSOD comes 30-45 seconds after logging in, I imagined the Zonelabs A/V might be catching something as it started up. In SAFE mode, I set the ZLclient to not be enabled in start up, but it BSODed. Same when I turned off both Truevector and ZoneAlarm, too. Ran Malwarebytes in SAFE mode. It found "Crypt.disabled" and I ran Malwarebytes again after that clean. XP came up and posted "serious" error recovery windows asking if I wanted to send reports to Microsoft...I said yes and it tried but the dump records were corrupt and it failed to send them. Somehow, it finally did another BSOD...I think something I did tried to start Crypt Services again. So, I went into SAFE and in MSCONFIG disabled system services. Similar recovery error messages and corrupt MS dump send messages. Left the system up until it finally hibernated. Used MSCONFIG to isolate the Crypto Service...if I DISABLE the Crypto Service (in Services) it will come up again. In the lamed reboot, I ran MalwareBytes DEEP scan and it finished and hibernated. Restarted, logged in and it had found "Disabled.Crypt" again...blasted that and before rebooting, tried enabling all the NON-MS services in MSCONFIG (selective restart). BSOD and the "System has recovered from a serious error..." and the corrupted error reports again. MalwareByes again found Disabled.Crypt.

In SAFE mode I ran SFC (MS System Files Checker to restore unsigned or changed system files) and it completed without asking for the CD or reporting any "bad" files. With Crypt Service DISABLED, the Selective boot let me realize that Zone Alarm was looking like it started, but actually the user interface was hung starting up. This was because Crypto Services were disabled, of course. I uninstalled Zone Alarm and reinstalled Zone Alarm. On reboot the Crypto Service had been set back to MANUAL startup and it started and BSODed again.

HOWEVER, if I can get the selective boot to get up without starting Crypt Services (with them set to DISABLED in the Services panel), it seems like whatever is killing Zone Alarm is bypassed...whatever it is seems like it is being started under the "SVCHOST.EXE" process at the reboot when Crypt Services aren't DISABLED. Also, though, it appears that something else might be able to kick it off and cause the BSOD after it has been running a while, but I don't know what.

I've downloaded and run a huge bunch of scan tools...MalwareBytes, SuperAntiSpyware, EmsiSoftEmergencyKit, SpywareBlaster, HitmanPro and more without catching this sleazy bug and am ALMOST willing to give up and reformat and install XP and the bazillion updates and applications all over again.

Is anyone willing to guide this very, very weary Internet victim in ONE LAST DITCH EFFORT?

Thanks for reading this...and for your help should you feel like you've got a clue from this saga.

Attached Files

  • Attached File  logs.zip   10.76KB   8 downloads

Edited by hamluis, 28 June 2011 - 05:36 PM.
Moved from XP to Malware Removal Logs.


BC AdBot (Login to Remove)

 


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,317 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:12:41 AM

Posted 10 July 2011 - 03:08 AM

Hello ,
And :welcome: to the Bleeping Computer Malware Removal Forum
. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

-------------------------------------------------------------
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 wgk-eagle

wgk-eagle
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:41 PM

Posted 11 July 2011 - 11:33 AM

Thanks for your response Elise. The DDS data is in the zipped attachment to the original post. If you could put an eye on that and see if there is something that tells us what this bandit was, I would appreciate the information. Also, if you know how to lengthen the time that the OS crash keeps the BSOD on screen in situations like this, that would be helpful, as well. BSOD stayed on screen not long enough to read. I am thinking that it only stays displayed until the OS dumps and maybe the bug was smart enough to defer or damage the dumps. I also tried to find BSOD info in the event logs, but I didn't find anything that had that k71.sys info in it, either.

Unfortunately, I needed this system to be productive again after waiting...a long time. I really wanted to figure this thing out, too. I narrowed it down by using the msconfig utility to selectively start processes, but I didn't have the skill to figure out what to do after I had isolated the devil to whatever starts (or starts with) the Crypto process.

Your follow up is most appreciated and you are free to close this thread as I have already rebuilt the OS.

regards,

wgk-eagle

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,317 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:12:41 AM

Posted 11 July 2011 - 12:08 PM

Do you remember if the file mentioned in the bsod might have been kl1.sys?

If so, most likely Kaspersky and another program (my bet is on zonealarm) had a conflict, which caused the BSOD.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 wgk-eagle

wgk-eagle
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:41 PM

Posted 11 July 2011 - 01:26 PM

Yes. It easily might have been kl1.sys...I thought I was seeing k71.sys...it was on screen a very short time. I searched everywhere looking for k71.sys but never found it. Makes sense that it would be ZoneAlarm...it would hang starting it's GUI if Crypto service was disabled. But, after logging in with Crypto Service disabled I could START the Crypto manually and ZoneAlarm would function. I haven't reinstalled ZoneAlarm on the rebuilt system yet...can you suggest how I should approach this? FWIW the ZoneAlarm support site only referred me to a pretty vanilla list of malware tools...which I ran thru completely, BTW...that's where I started trying to figure this out. After doing their list I ended up at BleepingComputer for help.

wgk-eagle

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,317 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:12:41 AM

Posted 11 July 2011 - 01:45 PM

Hi, I usually do not recommend any third party firewall; most computers use a router to connect to the internet, which acts as a hardware firewall.

Personally I would go for one antivirus program, and one antispyware program for on-demand scanning.

Please read these advices, in order to prevent reinfecting your PC:
  • Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on regular basis.If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on yourmachine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.
Some more links you might find of interest:

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#7 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,317 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:12:41 AM

Posted 24 July 2011 - 04:59 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users