Ugh Virus forum to this forum

Hi,
I have a dell dimension 9180 stock except for 4g ram. I went through the virus forum

http://forums.majorgeeks.com/showthread.php?p=1815518#post1815518

and was suggested to come here for further help.

I run XP and am the only user for the most part.
Thanks in advance,

 

Can you define your problem? Your thread over there is incredibly vague as to what the actual issue is.

 

I'm pretty sure I pickedup a virus. I get different BSOD with different error messages. It won't run for very long without going to BSOD. While it is running ms security will pop up and say not protected. I am not able to update ms virus. I had zone alarm running for the last while but have removed it since this incident. After a couple of BSOD with will chkdsk and make a number of changes but non lasting.
IRQL not less or equal
pfn list corrupt
page fault in nonpaged area
ide device failed
bad pool caller

Thanks

 

Sounds like a bad hard drive to me.

 

Agreed.

 

Hi,
Just tested with seagate and it passes quick test and extended test.
Thanks

 

Does your optical drive function properly?

And I hate to say this, but sometimes even the short/extended tests don't catch a bad drive.

 

Are you sure about the RAM installed. I'll quote from your logs.

And sysinfo log:

Could this be an errant module or slot?

You ran OTL and MGTools in safe mode.TimW advised you to scan in Normal mode.

Over to Adry and others and you should attach a BSOD dump. Just throwing info for other MGs.

Cheers..

 

Thanks for your help. I was wrong. It's 2g ram. I tried to run OTL in normal just now and get a BSOD. Where do I find the dump from the BSOD?
I ran seagate from an iso.
Thanks

 

The ones small enough to upload are under C:\Windows\Minidump.

 

Thank you. I am attaching the dmp files from today. I was able to convert to txt files on the stricken computer but not able to copy and paste to notes.
I am not able to attach dmp files here and have not been able to understand how to convert to txt on this machine which is windows 7.
Thanks,

 

Don't convert them to text. Just compress and upload.

 

Thanks

 

With what the debugging information is showing, I still think there is a hardware failure in progress. If not the hard drive, then the ram.

 

Hi,
I think you are looking for a quick fix. When I run a quick scan on malaware I get 11 virus hits. I am attaching a log for your perusal and seeking assistance to remove these.

Thanks

 

What is your drive X? The infections appear to be in a Windows-like folder structure, but Windows files are on C.

 

Was this off a Hiren's boot disk. Looks like MBAM detecting Hiren. :-D

http://forums.malwarebytes.org/index.php?showtopic=5736

Cheers..

 

Nice catch... I didn't even look at that part of the log... I was in a hurry. :-D

 

As already mentioned, those "infections" all point to what appears to be a boot CD and not your OS.

Tell you what. I will post the debug reports when I get my laptop out later and you can decipher them and tell me if I am looking for a quick fix.


Look at your original errors. One of them points to possible hard drive failure.

In your mini dumps, two of them point to nfts.sys, which is a kernel level file system driver. One of them points to ntkrnlmp.exe, which is the kernel itself. That is probably not the real cause though, as kernel level drivers are usually the cause of that crashing.

What conclusion would you draw? That the filesystem driver just decided to implode? Or it is trying to read the filesystem and faulting because of a hardware fault?' I mean, not being able to get into Safe Mode isn't exactly a good sign that this is a software issue.

I'll let you be the judge of that, but I thought about it for a good amount of time before replying. I try to be as optimistic as I can. If you disagree, that is fine. But don't accuse me of "looking for a quick fix". I don't get paid for this, you know. I was just trying to help you out.

One way to be for certain that it isn't a hardware problem is to reinstall Windows cleanly. Your call.

 

Mindumps as promised are attached.

First one:

So Windows Defender was running at the time trying to scan and it ran into a problem, most likely on the filesystem.

You might want to run a chkdsk /r.

Second one:

This time, it was just the main System process.


Third one:

Now this one was a kernel crash.



I have bolded some commonalities between each of these crashes. You might think I am looking to give aquick answer, but I spent some time looking at this.

I still stand by HDD or ram. Do a chkdsk /r, test both ram and HDD thoroughly. A quick test will not find problems all the time.

 

Hi,
I do appreciate your help. I had a virus about 4 years ago and was given a similar response; replace HDD or ram. We worked together and resolved the problem. I would rather work with you than compete as you will win .

This is from another board in my effort to understand what you were saying;

ntkrpamp.exe may (I'm not 100% sure of this) be listed as ntoskrnl.exe on your system. It's (IMO) because the different types of kernels are renamed at installation so they'll work with the coding in the system (which is coded to use ntoskrnl.exe)

These are the kernel (core) of the operating system. If it was to blame, you'd be seeing many more problems other than just the occasional BSOD. When we see this we immediately look for other causes.

With the requested information we'll have a good chance of figuring out what the problem is.



I am more certain it's a virus cause the problem began when downloading from a stupid board. Then I couldn't get in at all. Used the Hiren's to get chkdsk r which seemed to solve the problem for a short period but not able to run any virus software. I also replaced MBR but not the logs. After several crashes the machine will go to chkdsk and replace a bunch of things. Then a message will come up registry not correct but recovered from logs. Plus ms security is acting real weird - on and off.

Presently I can run in normal and run some programs for a period of time before BSOD. I can also load to safe and the dell recovery program where I did the chkdsk r from. I don't have enough knowledge to move forward on my own but I am very confident it is not hardware related.

More likely I am not communicating the problem to you.

Thanks

 

Maybe you are right and it is software related. However, it sure doesn't seem like it.

If chkdsk /r solves something for the short term, that doesn't bode well for it being a software issue.

The reason why ntkrlpamp.exe is showing instead of ntoskrnl.exe is because the outside naming of the package does not represent the internal name. As I mentioned, it isn't the cause, just a victim.

While I could see a virus running in kernel mode causing these issues, I think it unlikely, especially if you found relief with chkdsk /r. Your scanners would naturally go haywire if your hard disk is going bad, because when they encounter the area they cannot read, they either crash, or more likely, you get a stop error. An interesting test would be if you disabled all realtime scanners and see if your OS stabilizes.

 

It looks like the same thing triggered each BSOD, the following sequence of calls is identical in each Stack:

Referencing John Carrona's studies of BSOD causes, the common factors are driver and antivirus software:

The easiest one to rule out is the A/V, I would uninstall MSE and install Avast! Free to test, run a full scan once it's updated.

 

From what I understood, he is getting crashes running the antivirus. So I think we should be looking into what is causing that crash. Noting that it cannot read or write in each dump leads me to think it is butting up against a bad sector.

A chkdksk /r would mark the sector as bad and move it to the end of the drive. This would work for a time...unless you had another sector fail. It has been my experience that when one sector goes, more tend to follow shortly after.

 

Wouldn't a chkdsk /b be better, it implies /r (which implies /f). :confused

 

It isn't supported in XP.

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/chkdsk.mspx?mfr=true

 

Hi,
Not sure based on the discussions what you are rec'd I do. I did a msconfig and the general startup has selective startup button setting. Shouldn't it be on normal startup?
Thanks

 

Apparently you have disabled items at some point. I can't say that you should put it back to normal startup without knowing what you disabled, and whether those apps work/ are still installed. If they aren't, you are adding new errors into the mix.

 

You have junk left over from protection software.
Run the following in Safe mode if Normal mode or Selective mode crash.
http://www.bleepingcomputer.com/download/f-secure-uninstallation-tool/
http://www.majorgeeks.com/Zone_Alarm_Uninstall_d7492.html
http://www.majorgeeks.com/AVG_Remover_d7000.html

Cheers..

 

Thanks for the help. Each one of those removed the programs from normal.