Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

BSOD every startup after cleaning with AdwCleaner


  • Please log in to reply
1 reply to this topic

#1 pradiptha

pradiptha

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:07:30 PM

Posted 24 February 2018 - 10:42 AM

  • Asus vivobook pro (N580V)
  • Windows 10 version 1709 build 16299.248
  • x64
  • Originally windows 10
  • the os is pre-installed (oem)
  • age of the laptop : 2 months
  • Intel 7700HQ with Nvidia 1050

 

2 days ago, i accidentally install an adware program, later i used AdwCleaner to scan and clean the adware, but when i restart the laptop i getting BSOD, and this happen every startup, i just only have like 10s before it bsod again. the bsod message is IRQL_NOT_LESS_OR_EQUAL and when i check with whocrashed it says caused by ntoskrnl.exe

 

below i attatched the sysnative output and the AdwCleaner scan and clean logs

Attached Files



BC AdBot (Login to Remove)

 


#2 bwv848

bwv848

    Bleepin' Owl


  • BSOD Kernel Dump Expert
  • 3,024 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:92.96 million miles away from the sun
  • Local time:07:30 AM

Posted 28 February 2018 - 11:29 AM

From what I can tell you are most definitely infected. First our malware startup file:

GHWBQGCSHH.exe    c:\programdata\94505807c47b4a0d85825705e72bcb93\ghwbqgcshh.exe    ANGGIA-PC\Asus    HKU\S-1-5-21-729367108-3836987145-4061335825-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
3: kd> .trap 0xffff8409db396200
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=00000000000000c0 rbx=0000000000000000 rcx=ffff8e01dc346180
rdx=ffff8409db396330 rsi=0000000000000000 rdi=0000000000000000
rip=fffff801bfec8711 rsp=ffff8409db396390 rbp=ffff8e01dc346180
 r8=0000000000000100  r9=0000000000000000 r10=ffffb9892c6b9210
r11=ffffb9893cd8dab0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
nt!KiTryUnwaitThread+0x31:
fffff801`bfec8711 f0480fba6b4000  lock bts qword ptr [rbx+40h],0 ds:00000000`00000040=????????????????
3: kd> !dpx
Start memory scan  : 0xffff8409db3960b8 ($csp)
End memory scan    : 0xffff8409db398000 (Kernel Stack Base)

0xffff8409db3960b8 : 0xfffff801bff8f529 : nt!KiBugCheckDispatch+0x69
0xffff8409db3960e0 : 0xfffff801bfec8711 : nt!KiTryUnwaitThread+0x31
0xffff8409db3961f8 : 0xfffff801bff8b659 : nt!KiPageFault+0x519
0xffff8409db396200 : 0x00000000c0000120 :  Trap @ ffff8409db396200
0xffff8409db396318 : 0xfffff801bfec4c00 : nt!IopfCompleteRequest+0x7a0
0xffff8409db396368 : 0xfffff801bfec8711 : nt!KiTryUnwaitThread+0x31
0xffff8409db3963a8 : 0xfffff801c00b6057 : nt!ExFreePoolWithTag+0x2b7
0xffff8409db3963b8 : 0xfffff801bfe977fb : nt!KeExpandKernelStackAndCalloutInternal+0x8b
0xffff8409db396418 : 0xffffb9893b3e10f0 :  !da "SACpl.exe"
0xffff8409db396488 : 0xffff8409db396520 : 0xfffff803ff0e1c40 : tdx!TdxMessageTlRequestComplete
0xffff8409db3964d8 : 0xfffff801bfec4c22 : nt!IopfCompleteRequest+0x7c2
0xffff8409db396520 : 0xfffff803ff0e1c40 : tdx!TdxMessageTlRequestComplete
0xffff8409db396540 : 0xffffb9893b3e10f0 :  !da "SACpl.exe"
0xffff8409db396558 : 0xfffff801c002db0c : nt!MI_READ_PTE_LOCK_FREE+0xc
0xffff8409db3965d0 : 0xfffff803ff0fa000 : tdx!WPP_GLOBAL_Control
0xffff8409db3965d8 : 0xfffff803ff0f6310 :  !da "minio\netio\session\tdi\address.c"
0xffff8409db396608 : 0xfffff801bfec4447 : nt!IofCompleteRequest+0x17
0xffff8409db396610 : 0xfffff803ff0fa000 : tdx!WPP_GLOBAL_Control
0xffff8409db396650 : 0xffffb9893a66c900 :  !du ""E\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{43027CE...""
0xffff8409db3966a0 : 0xfffff803ff0e8250 : tdx!TdxSynchronousTlRequestComplete
0xffff8409db396738 : 0xfffff803ff0e35f5 : tdx!TdxDeleteTransportAddress+0x25
0xffff8409db396768 : 0xfffff803ff0e5195 : tdx!TdxTdiDispatchCleanup+0x3b5
0xffff8409db396770 : 0xffffb989376b4b50 : 0xffffb9892d413660 : 0xfffff803ff0fa180 : tdx!TdxTransportListHead
0xffff8409db3967e8 : 0xfffff801bfe3b669 : nt!IofCallDriver+0x59
0xffff8409db396828 : 0xfffff801c02db6c2 : nt!IopCloseFile+0x152
0xffff8409db3968b8 : 0xfffff801c02fe9a4 : nt!ObCloseHandleTableEntry+0x214
0xffff8409db3969f8 : 0xfffff801c0300dbb : nt!NtClose+0xcb
0xffff8409db396a58 : 0xfffff801bff8f003 : nt!KiSystemServiceCopyEnd+0x13
0xffff8409db396bb8 : 0xffff8409db396f21 :  !da "1022k.blogspot.com"
0xffff8409db396bc8 : 0xfffff801bff7fe50 : nt!KiServiceLinkage
0xffff8409db396be8 : 0xfffff803fc57fed0 :  !da "http://1022k.blogspot.com/2018/02/1022s.html"
0xffff8409db396c20 : 0xfffff803fc57fed0 :  !da "http://1022k.blogspot.com/2018/02/1022s.html"
0xffff8409db396c30 : 0xfffff803fc57fed0 :  !da "http://1022k.blogspot.com/2018/02/1022s.html"
0xffff8409db396c38 : 0xfffff803fc57fed0 :  !da "http://1022k.blogspot.com/2018/02/1022s.html"
0xffff8409db396c40 : 0xfffff803fc57fed0 :  !da "http://1022k.blogspot.com/2018/02/1022s.html"
0xffff8409db396c48 : 0xffff8409db396f21 :  !da "1022k.blogspot.com"
0xffff8409db396ea0 : 0xfffff803fc57fed0 :  !da "http://1022k.blogspot.com/2018/02/1022s.html"
0xffff8409db396eb8 : 0xfffff803fc57fed0 :  !da "http://1022k.blogspot.com/2018/02/1022s.html"
0xffff8409db396f28 : 0x2e746f7073676f6c :  !da "logspot.com"
0xffff8409db397050 : 0x323230312f32302f :  !da "/02/1022s.html"
0xffff8409db397150 : 0x74682e7332323031 :  !da "1022s.html"
0xffff8409db3979f8 : 0xfffff801c0083fc5 : nt!EtwpCCSwapTrace+0x2f9
0xffff8409db397a38 : 0xffffb9892c700000 : 0xfffff801c021e540 : nt!PspHostSiloGlobals
0xffff8409db397a68 : 0xfffff801c007f28c : nt!EtwpLogContextSwapEvent+0x134
0xffff8409db397ad8 : 0xfffff801c03726b3 : nt!PspDisablePrimaryTokenExchange+0x3b
0xffff8409db397b08 : 0xfffff801bff1db87 : nt!PspSystemThreadStartup+0x47
0xffff8409db397b58 : 0xfffff801bff83be6 : nt!KiStartSystemThread+0x16
0xffff8409db397b70 : 0xfffff801bff1db40 : nt!PspSystemThreadStartup
0xffff8409db397b98 : 0xffff8409db391000 :  !du "\\.\MountPointManager"

These are excerpts from the latest dump file. I dumped the raw stack because I knew I would get interesting results. Indeed at the time of the crash you were involuntarily connected to some strange websites. See https://www.virustotal.com/#/url/d517dfd3fd5f3c3c6453c09473652890febb6b6abc08b52894a480c32ca9abc2/detection

As this is a BSOD forum there isn't much we can do here. I suggest you post in our Virus, Trojan, Spyware, and Malware Removal Logs forum for malware removal assistance. Be sure to follow their posting instructions too.


If I do not reply in three days, please message me.
 
BC BSOD Posting Instructions | Carrona BSOD Index | Driver Reference Table (DRT)





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users