
BSOD's; Rootkit and/or memory problem?


7 replies to this topic

#1 D-Fault

D-Fault

  • Members
  • 6 posts

Posted 07 August 2012 - 02:25 AM

Dear experts,

A few weeks ago (just before my vacation) my mom's computer, running Windows XP, started to give BSODs (like ‘page_fault_in_nonpaged_area’, error 0x00000050) and other problems, like anti-malware software that cannot install or run and the antivirus that stops working. I also twice got a screen with a counter of together with a message that the system will shut itself down after the seconds displayed on the counter.
Moreover, on another user account, the computer seemed more stable (longer time to work on it without a BSOD), but it also sometimes got a BSOD.

She has a Dell Dimension 4600 with 1 GB RAM (2 times 512 MB DDR2-3200 in dual channel) and a Pentium 4, 3.2 GHz processor (I think from 2006 or something). The computer has been working fine for all these years and no hardware changes or anything were made.

The first thing I was thinking about was a virus, so I tried some scanners like Stinger (also in safe mode), which stopped during scanning, antimalwarebytes, which could not install properly, and GMER, which stops during the scan or again gives a BSOD. CHKDSK did not give errors.
I also had problems booting up with some rescue and anti-virus boot CDs, which all booted fine on my newer laptop.

I thought about a rootkit (although I don’t have any experience with it) and tried TDSS killer in safe mode, for example. This found a lot of threats (12 the first time) but did not name that a specific rootkit was found when I enabled all checkmarks (also ‘to verify file digital signatures and detect tdlfs file system’). After a second scan it just had 3 or 5 threats or something. I also tried some other tools without much progress.

In a normal boot, the computer seemed stable but I wanted to do a format and reinstall in order to get rid of all other possible problems. During the backup and copy of all my documents, the computer was stable and I did not get any BSOD in that time.
I decided to first erase the total hard disk with Darik’s Boot and Nuke CD using ‘quick’ erase, reformat it and then install Windows 7 on the machine.

However, I could not install Windows 7 because I again got a BSOD when ‘starting windows’ came on the screen. I thought maybe I should first try a BIOS update and that would solve the problem. (Back then I had the A4 BIOS version and I updated via DOS to the latest A10 BIOS version.) After that I still got a BSOD, so my conclusion was that the video card/driver probably could not handle Windows 7.

I again tried to install Windows XP with the CD that was delivered with the computer; however, I got a BSOD (again 0x00000050 and also stop: 0x0000008E) again while installing it. After looking on Google, I noticed that I did not reset the CMOS. So after resetting it, I could install Windows XP correctly.

While trying a few times to download Service Pack 2 and 3 in order to get the computer up to date, I again got BSODs (again 0x00000050).
Now I began to wonder if my memory was still working correctly, so I ran Memtest86-4.0a and directly got a whole pile of errors!! I have two 512 MB RAM cards in the computer working in dual channel (positions 1 and 3 as stated in the manual). I first ‘cleaned’ the case from dust with compressed air and then tried to run the test with the cards individually (in both the 1 and 3 positions for both cards). All tests passed without errors after 3 to 4 passes (then I stopped them). Then I tried dual channel again and switched them, and also tried dual channel in the 2 and 4 positions. Result: all dual channel configurations directly give errors with Memtest86.

Now I chose single channel (positions 1 and 2), ran Memtest86 without errors and normally booted up the computer. I know my performance is a bit lower now, but I don't have any BSODs anymore. Also my virus scanner, Stinger, HitmanPro etc. do not find anything. (I have logs of it and even a GMER log, if you are interested.) However, I would like to solve my problem and run the memory in dual channel again without problems.
Can you please help me / give me advice? Do you think I have had (maybe still somewhere have) a rootkit or is it just a memory issue?

Thank you in advance.

Best regards,

D-Fault


#2 D-Fault


Posted 10 August 2012 - 11:47 AM

An update:

In the meantime I was just using single channel 2x 512 MB RAM, resulting in a stable system.
I ran HitmanPro and antimalwarebytes together with Stinger and my own virus scanner, all resulting in no threats.
I updated XP with the latest updates and installed Office 2003.
I then started with restoring the documents and did a restart. After that, the computer was running (but not used) a whole day without problems.
When I wanted to open a new user account for the first time, I directly got 2 errors for processes of Windows that did not work properly (I think something with system32, but do not remember the exact errors).
From this, I got suspicious and started antimalwarebytes: while scanning the Windows system32 folder, it kept on finding threats (500 and up) before I again got a BSOD:
Posted Image

Then I booted up in safe mode and did another scan with antimalwarebytes, which now did not give any result.
Also TDSS Killer did not give a threat (only with 'signature verification' on it found 1 unknown thing which probably is nothing).
Stinger gives the message that it did not scan for rootkits when I tried to use it, and running together with antimalwarebytes, the system suddenly shut down.
Today, I again tried to run HitmanPro and antimalwarebytes in safe mode with networking. HitmanPro found 2 tracking cookies and during the scan of antimalwarebytes I again got a BSOD:
Posted Image

Hope maybe now someone can give me some advice / help me?

Thanks,
D-Fault

#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,906 posts

Posted 16 August 2012 - 09:18 PM

Hello, sorry for your wait. This may not be a malware but a software issue and you may wind up reposting, but we will make sure first.

Would you post your GMER log?


Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.




Run RKill....


Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

Do not reboot your computer after running rkill as the malware programs will start again. Or if rebooting is required run it again.


If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.


Run TDSS like this...
Please download TDSSKiller.zip and extract it.
  • Run TDSSKiller.exe.
  • Click on Change Parameters
  • Put a check in the box of Detect TDLFS file system
  • Click Start scan.
  • When it is finished the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default). Leave the options as they are and click Continue
  • Let it reboot if needed and tell me if the tool needed a reboot.
  • Click on Report and post the contents of the text file that will open.

    Note: By default, the utility outputs the log into system disk (it is usually the disk with installed operating system, C:\) root folder. The Log has a name like: TDSSKiller.Version_Date_Time_log.txt.



Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#4 D-Fault


Posted 20 August 2012 - 01:09 PM

No problem, thank you for your response and help.

I downloaded aswMBR.exe to my desktop and during booting I received some errors that my McAfee did not respond and was shut down.
aswMBR asked if I wanted to get the latest virus definitions; I said 'yes'.
During downloading of these definitions, again I got a BSOD (PAGE_FAULT_IN_NONPAGED_AREA).
Now every time I try to reboot, I get the following error:
UNMOUNTABLE_BOOT_VOLUME
Posted Image

Rebooting in safe mode or safe mode with networking also gives the same error.

So sorry I cannot give you the log files. Can you first help me with this problem? (Should I do chkdsk?)

Thanks

#5 boopme


Posted 20 August 2012 - 07:10 PM

This is XP?
Yes, run the chkdsk /r command.

#6 D-Fault


Posted 24 August 2012 - 02:07 AM

Yes, this is XP SP3.
(I also noticed it is a common Windows 7 problem.)

chkdsk /r did not work; after 25% I got the message that the hard disk was irreparable.

So I started to format it again and do a new install.
However, after choosing my name etc., I again got the BSOD (‘page_fault_in_nonpaged_area’ as shown in my 2nd post).
I am now performing a 2nd try; I'll keep you posted.

#7 boopme


Posted 24 August 2012 - 03:58 PM

OK, if the reformat issues continue, start a new XP topic so an expert in that area can help. You can include a link to here.

#8 D-Fault


Posted 29 August 2012 - 11:59 AM

The issue continues, thank you for your help!



