Driver issue after infection removed

23 replies to this topic

#1 Imgran25

Posted 24 December 2011 - 08:27 PM

eMachines T3256
Windows XP with SP3

After getting help with an infection, I am unable to start the computer in anything but safe mode. I seem to now have a driver issue. See link for the steps I've followed & logs created so far. Infected with possible rootkit &/or backdoor Trojan.

BSOD gives
DRIVER_IRQL_NOT_LESS_OR_EQUAL

Stop: 0x000000D1 (0x804730E4, 0x000000FF, 0x00000000, 0xF0F4D3D9)

Note the last 4 digits have also been either D3D9, C3D9, or E3D9.

Hoping someone can help me get my computer back to normal. Thanks Imgran25

EDIT: Cleaned spaces ~~boopme

Edited by boopme, 24 December 2011 - 10:58 PM.


#2 a_cup

Posted 24 December 2011 - 11:26 PM

Hi Imgran25,

Try starting with a clean boot.
How to configure Windows XP to start in a "clean boot" state

Check Device Manager and look for any red X's or yellow exclamation marks.
Windows Device Manager-Tutorial


Pauline

#3 hamluis (Moderator)

Posted 25 December 2011 - 12:14 AM

Let's also try this.

Download/install BlueScreenView, http://www.nirsoft.net/utils/blue_screen_view.html .

Double-click BlueScreenView.exe file.

When autoscan is done (screen comes up), click Edit/Select All...then File/Save Selected Items.

Save the report as BSOD.txt.

Open BSOD.txt...copy all content and paste it into your next reply.

Louis

#4 Imgran25 (Topic Starter)

Posted 26 December 2011 - 07:28 PM

Hi to both a_cup & hamluis,
I tried to follow your steps, but could not do any of them. When I tried Method 1 - to use the Guided Help (tried both to save to desktop and to run) I got a message saying it cannot be downloaded right now, try again later. Went on to Method 2 - able to change system configuration to selective startup. When I clicked on restart I got the BSOD that I have been getting. Restarted computer using the F8 key and chose safe mode with networking. (Note: I did not receive the "You have used the System Configuration Utility etc." window, so selecting "Don't show this message etc." was not an option.)
Step 4. When I cleared the load system services box & restarted I got a BSOD that was different, the last string was 0x0F0F733D9. When I restarted the computer, it went back to the previous BSOD (0xF0F4D3D9).
Device Manager does not show any red X's or yellow exclamation marks. When I checked my individual devices, I had 21 that said "Status not available when running in safe mode." (I can list them if you need me to) but most items were working normally.
Next I tried to use BlueScreenView, but the instructions there say I need to have small memory dump set up and when I checked it was not set up. I tried to configure it as per the instructions and received a message that I cannot do that unless the Alerter service is running. I ran into this when working with Blade81, and when I tried to start the Alerter service I could not.
I will warn you, I am only a newbie (and don't think I'll ever be anything but a newbie) so this has taken me all day. I can get pretty confused when I have to read too many instructions to do too many new things.
While trying to accomplish the above, I did stumble onto something I think was not right. Under Admin Tools --> Component Services --> Console Root, when I clicked on that I got a message that "Windows Firewall is blocking Microsoft Management Console" with the option to keep blocking, quit blocking or ask me later. I chose keep blocking because I had never seen that before.
Don't know if any of the above info will help someone figure out what is going on or if I would be better off just shooting this bp and getting it over with. Any more ideas? Thanks Imgran25

Edited by Imgran25, 26 December 2011 - 07:59 PM.


#5 a_cup

Posted 28 December 2011 - 10:43 PM

Hi Imgran25,

Look in Event Viewer and see what source the error is from.
How To Use the Event Viewer Applet


Pauline

#6 Imgran25 (Topic Starter)

Posted 01 January 2012 - 08:15 PM

Hi Pauline,
It has taken me a while to get time to attempt to follow your instructions. The instructions seemed so simple as I read through them, but when I actually started sitting at my computer and trying to follow them, things didn't act or look exactly like they should. I'm not sure I did this the right way, but hopefully I have enough info for someone to tell me where to go from here (or tell me how to supply you with more info if needed). I did the Event Viewer errors as 2 files for application errors and 2 for system errors. As you will see there were quite a few errors for both categories, so I only expanded the first few for each category and included that as a secondary file for each category. There were no errors listed under the security category. I hope this makes some sense to you. Thanks for bearing with me. Imgran25

Attached Files



#7 a_cup

Posted 04 January 2012 - 06:39 PM

Hi Imgran25,

Sorry for the delay in responding.

"Windows Firewall is blocking Microsoft Management Console"

The Microsoft Management Console is an admin tool. Event Viewer, Services etc. are a part of the console.

I am guilty of only scanning your 'infection post' and have gone back and read it in its entirety.

"After I did an Avast update, I was unable to start Windows normally"

Have you uninstalled Avast to see if this caused the blue screen?

"I discovered permissions aren't right, but if I try to change them I get a warning message. If I change them they revert back."

What is the warning message that you get? Are you under the admin account? If you do not have permissions, chances are you cannot change to a clean boot.

I noticed your logs showed the Sunbelt firewall installed. Are you using both the Windows and the Sunbelt firewalls?


Pauline

#8 Imgran25 (Topic Starter)

Posted 06 January 2012 - 09:35 AM

Hi Pauline,

Before I answer your questions, I want to mention that when I first started my computer yesterday, I had a New Hardware Wizard screen for new hardware found (HP Printer). I selected next until the screen for insert install CD came up. I was unsure if I should try to install it or not, so I didn't attempt to. This is the first time since all this began that I have seen this screen, even though the printer was plugged in several times when I restarted the computer.

As far as the management console thing, I assume from your reply that it is something that is normal. I thought it probably was, but just mentioned it because I had not seen it before.

I'm not running the Sunbelt firewall. I have not been able to start it since these problems started. I was able to start the Windows firewall, so I have been running that instead hoping to avoid any further infestations. So far anytime I check my security settings it says it's running.

Since this problem began, anytime I have started the computer I only have 2 accounts showing to log on, so I have been using the Administrator account exclusively. It's interesting that the program's Security tab shows 5 accounts: the 4 that are supposed to be there (Administrators, Everyone, SYSTEM, and Users) and an "unknown user S-1-5-32-547".

It has been long enough that I couldn't remember what the warning message said, so yesterday I checked Properties in Avast, highlighted the unknown account and changed the permission for that account to Deny. The warning was "You are setting a deny permissions entry. Deny entries take precedence over allow entries. This means that if a user is a member of 2 groups, one that is allowed and another that is denied the same permission, the user is denied permission. Do you want to continue?" Originally I assumed that was a regular MS warning to keep people like me from doing anything bad and I selected No. Yesterday I selected Yes. I had 5 accounts showing at the time, but when I selected Apply, the only account left was the unknown account. I tried to change permissions back to Allow, but still only the unknown account is showing.

In one of my earliest posts, I mentioned that I had tried to install a newer version of Avast. At the time, it looked like it had installed, but I have not been able to start it. (I couldn't start it before that either.) Whenever I have clicked on it, I just got a "Warning your computer is not protected.", but selecting either "start now" or "fix now" does nothing. I could not remember if I had tried to uninstall it at that time or not. Thinking it wasn't doing anything anyway, yesterday I decided to see what happened. I used Add/Remove Programs to uninstall and it looks like I was able to uninstall it.

I have not shut off the computer, so I don't know if or how any of this might affect anything. I will wait to hear from someone before I do anything more. Thanks for taking the time to respond. Imgran25

Edited by Imgran25, 06 January 2012 - 09:40 AM.


#9 a_cup

Posted 06 January 2012 - 11:32 AM

Hi Imgran25,

I checked my permissions (running Windows 7) and I have the (Account Unknown(S-1-5-21-xxxxxxxx)). It has never caused any problems for me. After much research on this unknown user, the only explanations that make sense are that it was created after using check disk, or that it is a previous account (or accounts) that I have deleted. I remember also having this unknown user account on XP.

When you get the blue screen does it show a source such as the one below?

STOP 0x000000D1 (parameter1, parameter2, parameter3, parameter4)
DRIVER_IRQL_NOT_LESS_OR_EQUAL

HTTP.SYS <<< source

Microsoft has a download to fix this if so. Worth a shot I think.
Stop error message on a Windows XP-based computer: "STOP 0x000000D1"


Pauline

Edited by a_cup, 06 January 2012 - 11:33 AM.


#10 Imgran25 (Topic Starter)

Posted 07 January 2012 - 07:51 AM

Hi Pauline,
No source shown. Just the Stop: 0x000000D1 (0x804730E4, 0x000000FF, 0x00000000, 0xF0F4D3D9). This is the last complete stop error, but the last string does change and the D3D9 has also been C3D9 & E3D9. I have tried to do a search, but so far any searches have come back with "no results".

Imgran25

#11 a_cup

Posted 07 January 2012 - 11:11 PM

Hi Imgran25,

The (0x804730E4, 0x000000FF, 0x00000000, 0xF0F4D3D9) strings are specific to your computer. The first set of numbers is the address of the driver causing the error.

Let's see if we can narrow down the driver:
  • Did you add any hardware/software or do any updates other than Avast within the week of the BSOD?
  • Check msconfig: are you still set for a clean boot?
  • Go to the manufacturer's site and check for updated drivers.
  • Check Windows for updates.


Pauline

#12 Imgran25 (Topic Starter)

Posted 08 January 2012 - 08:00 PM

Hi Pauline,

I figured the strings meant something, but I had no clue. As you asked more questions, I’m guessing the “address” isn’t all you need to figure out what the problem is.

I checked msconfig and I am still set for a clean boot.

Today I checked the eMachines web site; the only update I found was back in 2005, a firmware update for a Lite-On DVD-RW. I don't think that is what I have and wouldn't expect it to cause a problem after this much time.

As many updates as Windows has, I would not be surprised if I had done some in that week. I don't remember if I had done any Windows updates that same day or not. The only thing I was sure of is that I had done an Avast update just before I noticed I had a problem. I did not think that it was the Avast update that caused my problem; I figured that it had something to do with an infection that was able to keep my antivirus & malware programs from running. The only other "event" that happened around that time was my grandson used the computer to get some information for a homework assignment. I know he wouldn't knowingly cause a problem, but I know how easy it can be to be fooled or land on the wrong website just long enough.

This has been going on long enough that I'm sure there are quite a few updates I'm behind on, so I attempted to do Windows updates today. Microsoft Update started to check for updates, but I got a message that "The website encountered a problem and cannot display the page you are trying to view" and it offered some options to help solve the problem. I went through the FAQ & find solutions, but I didn't see anything that matched my situation. I did follow the suggestion to check to see if Automatic Updates was started. It is set to run automatically, but it did not appear to be running. When I clicked on start, I got a warning box with "Could not start Automatic Updates on Local Computer. Error 1084: The service cannot be started in safe mode."

So back to trying to figure out how to get the computer to do a normal startup.

Thanks again for your assistance. Imgran25

Edited by hamluis, 16 January 2012 - 02:00 PM.
Removed excess spacing.


#13 a_cup

Posted 10 January 2012 - 09:04 PM

Hi Imgran25,

Yes, it would take more than knowing the address; we would need to know what is at that address.

Go to Device Manager and click the icon right below the 'Help' tab. When you hover over it, it will say 'Scan for hardware changes'.

Also try again to download BlueScreenView as was suggested earlier. To start the Alerter service, first see that the Workstation service is started and running, then start the Alerter service.

Download/install BlueScreenView, http://www.nirsoft.net/utils/blue_screen_view.html .

Double-click BlueScreenView.exe file.

When autoscan is done (screen comes up), click Edit/Select All...then File/Save Selected Items.

Save the report as BSOD.txt.

Open BSOD.txt...copy all content and paste it into your next reply.


Pauline



#14 Imgran25 (Topic Starter)

Posted 16 January 2012 - 12:52 PM

Hi Pauline,
Hope you haven't given up on me.
I went to Device Manager and clicked on the scan for hardware changes icon, but nothing seemed to happen? I'm sure there is something I'm not doing that I need to do, but even after searching for the last week, I don't know what it is.
I've been trying to figure out how to start the Alerter service, but still am not able to. I get a message that says it cannot be started in safe mode. I still can only start in safe mode, so I guess that's not fixable at this point.
The good news is I did manage to download the BlueScreenView.exe file to a flash drive. I ran it this morning; hopefully, I did it right and I am attaching the results to this reply.
Thanks for bearing with me. Imgran25

Mod Edit: Posted log content for topic flow/ease of reading ~ Hamluis.

==================================================
Dump File : Mini072210-01.dmp
Crash Time : 7/22/2010 10:27:04 AM
Bug Check String : PAGE_FAULT_IN_NONPAGED_AREA
Bug Check Code : 0x00000050
Parameter 1 : 0xd4e28900
Parameter 2 : 0x00000000
Parameter 3 : 0xf731ea99
Parameter 4 : 0x00000000
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+6069a
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.6055 (xpsp_sp3_gdr.101209-1647)
Processor : 32-bit
Crash Address : ntoskrnl.exe+6069a
Stack Address 1 : ntoskrnl.exe+52198
Stack Address 2 : ntoskrnl.exe+9956
Stack Address 3 : Ntfs.sys+4a99
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini072210-01.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 65,536
==================================================

==================================================
Dump File : Mini070409-01.dmp
Crash Time : 7/4/2009 5:58:34 PM
Bug Check String : IRQL_NOT_LESS_OR_EQUAL
Bug Check Code : 0x0000000a
Parameter 1 : 0x81bfffdc
Parameter 2 : 0x00000002
Parameter 3 : 0x00000000
Parameter 4 : 0x804e7eb4
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+9aac
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.6055 (xpsp_sp3_gdr.101209-1647)
Processor : 32-bit
Crash Address : ntoskrnl.exe+9aac
Stack Address 1 : ntoskrnl.exe+10eb4
Stack Address 2 : ntoskrnl.exe+13869
Stack Address 3 : ntoskrnl.exe+11fbb
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini070409-01.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 65,536
==================================================

Edited by hamluis, 16 January 2012 - 01:57 PM.
Removed attachment, posted content.


#15 a_cup

Posted 17 January 2012 - 09:29 PM

Hi Imgran25,

The dates on both of those crashes are pretty old, one in 2009 and one in 2010.

Let's check to see if any problem devices are listed. Go to Start >> All Programs >> Accessories >> System Tools >> System Information. Open Components under System Summary and click on Problem Devices. Is anything listed there?

Also check Device Manager for hidden devices. To see hidden devices (Non-Plug and Play Drivers) you need to select View, Show Hidden Devices, then look for any yellow exclamation marks.


Pauline
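The two questions running through the thread are what the four STOP parameters mean (post #11) and whether the dumps BlueScreenView found are recent enough to matter (post #15). The script below is an added example, not code from the thread or from NirSoft: it decodes the parameters of the 0xD1, 0xA and 0x50 bug checks according to Microsoft's bug check reference, parses a BlueScreenView "Save Selected Items" text report of the shape pasted in post #14, and flags dumps older than a chosen cutoff. The embedded sample is trimmed from the report posted above; the kernel/user split (kernel addresses at or above 0x80000000) assumes the default 32-bit layout without the /3GB switch, and the `stale_days` cutoff is an arbitrary choice.

```python
"""Decode STOP-code parameters and triage a BlueScreenView text report.

Added example, not from the thread. Parameter meanings for 0x0A, 0xD1 and
0x50 follow Microsoft's bug check reference; the kernel address boundary and
the staleness cutoff are assumptions noted inline.
"""
import re
from datetime import datetime

# Parameter meanings per Microsoft's bug check reference (32-bit XP era).
BUGCHECKS = {
    0x0A: ("IRQL_NOT_LESS_OR_EQUAL",
           ("memory referenced", "IRQL at time of reference",
            "operation (0 read, 1 write)", "address that referenced memory")),
    0xD1: ("DRIVER_IRQL_NOT_LESS_OR_EQUAL",
           ("memory referenced", "IRQL at time of reference",
            "operation (0 read, 1 write)", "address that referenced memory")),
    0x50: ("PAGE_FAULT_IN_NONPAGED_AREA",
           ("memory referenced", "operation (0 read, 1 write)",
            "address that referenced memory", "reserved")),
}

# Assumption: default 2 GB/2 GB split with no /3GB switch, so kernel space
# starts at 0x80000000 on 32-bit Windows.
KERNEL_BASE = 0x80000000

# Matches the line as typed from the blue screen, e.g.
# "Stop: 0x000000D1 (0x804730E4, 0x000000FF, 0x00000000, 0xF0F4D3D9)"
STOP_RE = re.compile(
    r"Stop:\s*0x([0-9A-Fa-f]+)\s*\(\s*0x([0-9A-Fa-f]+)\s*,\s*0x([0-9A-Fa-f]+)"
    r"\s*,\s*0x([0-9A-Fa-f]+)\s*,\s*0x([0-9A-Fa-f]+)\s*\)")

BSV_TIME_FORMAT = "%m/%d/%Y %I:%M:%S %p"   # BlueScreenView "Crash Time" format


def is_kernel_address(addr):
    return addr >= KERNEL_BASE


def decode_params(code, params):
    """Pair each raw parameter with its documented meaning for this bug check."""
    name, meanings = BUGCHECKS.get(code, ("UNKNOWN_BUGCHECK", ("",) * 4))
    decoded = [{"meaning": meaning, "value": f"0x{value:08X}",
                "kernel_address": is_kernel_address(value)}
               for meaning, value in zip(meanings, params)]
    return name, decoded


def decode_stop_line(line):
    """Parse a 'Stop: 0x... (p1, p2, p3, p4)' line copied from the blue screen."""
    m = STOP_RE.search(line)
    if not m:
        raise ValueError("not a STOP line")
    code = int(m.group(1), 16)
    params = [int(g, 16) for g in m.groups()[1:]]
    name, decoded = decode_params(code, params)
    return {"code": code, "name": name, "params": decoded}


def parse_bsv_report(text):
    """Split a BlueScreenView 'Save Selected Items' report into dicts, one per dump."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("====="):          # delimiter opens and closes each record
            if current:
                records.append(current)
                current = {}
            continue
        if ":" in line:
            key, _, value = line.partition(":")  # first colon separates key and value
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def triage(records, as_of, stale_days=30):
    """Decode each dump and flag those too old to explain a current crash.

    `as_of` is a timestamp in BlueScreenView's own format; `stale_days` is an
    arbitrary cutoff (assumption), not a Microsoft or NirSoft value.
    """
    now = datetime.strptime(as_of, BSV_TIME_FORMAT)
    out = []
    for r in records:
        code = int(r["Bug Check Code"], 16)
        params = [int(r[f"Parameter {i}"], 16) for i in range(1, 5)]
        crash = datetime.strptime(r["Crash Time"], BSV_TIME_FORMAT)
        name, decoded = decode_params(code, params)
        age = (now - crash).days
        out.append({"file": r["Dump File"], "code": code, "name": name,
                    "driver": r.get("Caused By Driver", ""),
                    "age_days": age, "stale": age > stale_days,
                    "params": decoded})
    return out


# Sample input: the two records from the report posted in this thread, trimmed
# to the fields used here.
SAMPLE_REPORT = """\
==================================================
Dump File : Mini072210-01.dmp
Crash Time : 7/22/2010 10:27:04 AM
Bug Check String : PAGE_FAULT_IN_NONPAGED_AREA
Bug Check Code : 0x00000050
Parameter 1 : 0xd4e28900
Parameter 2 : 0x00000000
Parameter 3 : 0xf731ea99
Parameter 4 : 0x00000000
Caused By Driver : ntoskrnl.exe
Computer Name :
==================================================

==================================================
Dump File : Mini070409-01.dmp
Crash Time : 7/4/2009 5:58:34 PM
Bug Check String : IRQL_NOT_LESS_OR_EQUAL
Bug Check Code : 0x0000000a
Parameter 1 : 0x81bfffdc
Parameter 2 : 0x00000002
Parameter 3 : 0x00000000
Parameter 4 : 0x804e7eb4
Caused By Driver : ntoskrnl.exe
==================================================
"""

if __name__ == "__main__":
    stop = decode_stop_line(
        "Stop: 0x000000D1 (0x804730E4, 0x000000FF, 0x00000000, 0xF0F4D3D9)")
    print(stop["name"])
    for p in stop["params"]:
        print(f"  {p['value']}  {p['meaning']}  kernel={p['kernel_address']}")
    for entry in triage(parse_bsv_report(SAMPLE_REPORT), "1/16/2012 12:52:00 PM"):
        print(f"{entry['file']}: {entry['name']} age={entry['age_days']}d "
              f"stale={entry['stale']} caused_by={entry['driver']}")
```

Run against the posted report with the post date as `as_of`, both minidumps come back stale by more than a year, which is the point made in post #15: they record crashes from 2009 and 2010, not the 0xD1 crash the thread is about, whose dump was never written because small memory dumps were not enabled. For the 0xD1 line itself the decoder only reports what the parameters are (the referenced address, the IRQL, read versus write, and the faulting instruction address); mapping the fourth parameter to a driver still needs the loaded-module list from a dump.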