kmixer.sys error - blue screen of death

Discussion in 'Software' started by zelmo, Jul 2, 2008.

  1. zelmo

    zelmo Private E-2

    I just did a complete swipe of my XP SP2 OS, due to a serious malware infection (w32/brontok-x).

    Upon reinstalling and updating XP, and reinstalling all the programs, I got the blue screen of death. This is what it said was at fault:

    kmixer.sys PAGE_FAULT_IN_NONPAGED_AREA

    kmixer.sys address AECOF2C7 base at AEC0E000 datestamp 448FCD31

    I did a search in safe mode for this file and got a bunch of them, listed as system files. And then safe mode shut down suddenly. Software or malware issue? And if malware, how did it survive the swipe?

    XP is doing a system scan now, and seems to be frozen in the indexes review for about 20 minutes now. (I'm emailing from another computer at a cafe.)

    I do have an external drive, but I scanned it and cleaned it. And then rescanned it 2 more times. It came up clean after the first quarantine and delete.

    Please tell me what you think I should do?
     
    Last edited: Jul 2, 2008
  2. dlb

    dlb MajorGeek

    After doing some research, it seems the kmixer.sys crash can be caused by malware/virus/rootkit, bad memory, or by corrupt/improperly installed sound drivers. Since you have a fresh install, the chance of this being malware is pretty small unless a rootkit invaded the HD boot sector (malware can survive a HD format if it hides in the boot sector) so download and run a rootkit remover (links below). To check your RAM, first open the case with the power cord unplugged and re-seat all your RAM sticks and make sure the slots are clean (you can always clean out the whole case while it's open; blow it out with canned air or a compressor). Then run a bootable memory checker. I like bootable tests as they have complete unrestricted access to the RAM more-so than a Windows based RAM diagnostic. To check for a possible sound driver issue, if using on-board sound you can try to disable it in the BIOS and see if the problem persists. You can also try installing a new driver after removing the current one; you can download it from the manufacturer. Here's some links:
    GMER rootkit remover http://www.majorgeeks.com/GMER_d5198.html
    Sophos rootkit remover http://www.majorgeeks.com/Sophos_Anti-Rootkit_d5238.html
    Sysprot rootkit remover http://www.majorgeeks.com/SysProt_AntiRootkit_d5708.html
    TrendMicro Rootkit Buster http://www.majorgeeks.com/Trend_Micro_RootkitBuster_d5427.html
    Windows Memory Diagnostic http://www.majorgeeks.com/Microsoft_Windows_Memory_Diagnostic_d3955.html (run it in Windows to create a bootable floppy or ISO image file to burn for a bootable CD)
    AleGr MemTest http://www.majorgeeks.com/AleGr_MEMTEST_d3257.html (has Windows and DOS modes)
    MemTest86+ http://www.majorgeeks.com/Memtest86_d4226.html (.ISO image file for bootable CD; floppy version available)
    I wouldn't worry about the system scan being 'frozen'.... if you're running 'chkdsk' it can take a long time, I mean a really long time. I've seen chkdsk take over 8 hours, so just let it run. You can cause more problems by restarting the computer in mid-chkdsk, so just leave it alone, go to bed and let it run all night if needed.

    Good luck, and let us know how it goes....
     
  3. zelmo

    zelmo Private E-2

    Thanks for getting to me.
    I have downloaded the rootkit removal tools, and am confused by them. How do they work? I press scan, and tons of files show up. But how can I tell which ones are bad and should be deleted? I have attached one log I cut and pasted from GMER, from its Rootkit/malware tab, and another from SysProt. I searched for a tutorial on Rootkit Removal tools on Major Geeks, but did not find one.
     

    Attached Files:

    Last edited: Jul 3, 2008
  4. zelmo

    zelmo Private E-2

    I will wait for your word on the Rootkit log interpretation. I went ahead and downloaded the Microsoft mtinst.exe and created an ISO file, but I can't burn the CD. I have re-loaded all my applications (after the reformat) using the CD/DVD drive, and tested it by inserting a music CD and a film DVD. All work fine. But if I insert a blank CD-R in the disk drive, I get this message:

    D:\ is not accessible. Incorrect function.

    Is it possible that the driver for the read function works, but not the read/write?
    Perhaps this is the root of the problem, ailing driver from the reformat?

    I don't have a floppy, although perhaps that's a cheap solution to this impasse.
     
  5. baklogic

    baklogic The Tinkerer

    For "D:\ is not accessible. Incorrect function",
    check Microsoft's bit on this:
    http://www.microsoft.com/windowsxp/using/setup/learnmore/bott_03september16.mspx
    I found unchecking the XP burner box on the properties often helped. Also, sometimes a disc just will not be compatible unless you have the latest firmware update on your CD burner. It could be worth checking the CD burner manufacturer's site for an update.
    Be careful if using any firmware, ensuring you follow its instructions, or it can make it into a doorstop.

    dlb might come back on your other problem, too many cooks can make things more difficult for you.
     
    Last edited: Jul 3, 2008
  6. zelmo

    zelmo Private E-2

    Thanks baklogic, that Windows tutorial you linked me to was spot on. I fixed the CD-R problem in less than 5 minutes. Now if only I could figure out what to do with this rootkit data that I've accumulated. It's over my head.
     
  7. zelmo

    zelmo Private E-2

    It's not the RAM. All 3 RAM diagnostics turned up fine. While awaiting your word on how to read the anti-rootkit software logs, I have been rescanning the system with anti-spyware software, just in case it's malware (which means I may be on the wrong forum). I installed Spybot Search and Destroy. In the advanced mode, I found this setting rather curious:

    Ignore System Internals

    %JavaDir%\QTJava:zip missing shared Dll
    install.exe wrong app path
    MsoHtmEd.exe wrong app path
    win32.exe wrong app path

    I did not set any of these files to be ignored. Did XP? Or is it a rootkit?
     
  8. dlb

    dlb MajorGeek

    Sorry I was gone for awhile.... anyway, I looked through the rootkit logs and they look pretty clean. Rootkit scanners are a bit different from regular virus scanners as they tend to leave the interpretation of the files up to the user. However, in the GMER log, the very last entry is a bit worrisome. It's only a temp file (the .tmp extension tells us this) so removing it should be no problem. Generally speaking, .tmp files have no business at all being in the SYSTEM32 folder, and since the name of the temp file is a bit odd (50.tmp) and the fact that it showed up in a rootkit scan tells me that it should be removed; rootkit scans generally reveal files/processes that run unseen by the user, so if this .tmp file qualifies as running unseen and hidden, it may be undesirable. You can try renaming it to something like "50.tmp.abc" just to see if it's needed after a reboot (you'd get an error saying "cannot find 50.tmp"). It may not be any type of infection, and probably isn't the cause of your problems, but it's better to be safe than sorry. After you rename/remove it, reboot and check the SYSTEM32 folder again for a similar file. If something keeps coming back after several reboots, then we know something is up. If it turns out that everything is normal with the SYSTEM32 folder, and if the problems persist, then I'd think about uninstalling your sound drivers and installing the newest ones available from your sound card (or motherboard) maker's web site.

    Good luck!
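The check dlb describes in the post above (a .tmp file sitting in SYSTEM32 deserves a closer look, and renaming it rather than deleting it shows whether anything depends on it) can be scripted so the findings are repeatable from one reboot to the next. The following is an added example written for this thread, not code from any poster, from GMER or from Sophos. The directory it scans is a constructed throw-away sample, the file names in it are made up, and the ".abc" rename suffix follows dlb's suggestion; on a real machine you would point triage() at %SystemRoot%\system32 and compare the SHA-256 values between runs.

```python
"""Triage of unexpected .tmp files in a Windows system directory (added example).

Lists every file with a suspect suffix, with size, modification time, hidden
attribute and SHA-256, so the entries can be compared against a rootkit scanner
log, checked again after a reboot, or submitted for a second opinion.
"""
import hashlib
import shutil
import stat
import tempfile
from datetime import datetime, timezone
from pathlib import Path

SUSPECT_SUFFIXES = (".tmp",)   # per the thread: .tmp has no business in SYSTEM32
RENAME_SUFFIX = ".abc"         # dlb's trick: "50.tmp" -> "50.tmp.abc", then reboot and watch


def sha256_of(path: Path) -> str:
    """Hash the file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_hidden(path: Path) -> bool:
    """True if the file carries the Windows hidden attribute (leading dot elsewhere)."""
    attrs = getattr(path.stat(), "st_file_attributes", None)  # only present on Windows
    if attrs is not None:
        return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
    return path.name.startswith(".")


def triage(system_dir, suffixes=SUSPECT_SUFFIXES):
    """Return one record per regular file in system_dir whose suffix is suspect."""
    findings = []
    for entry in sorted(Path(system_dir).iterdir()):
        if not entry.is_file() or entry.suffix.lower() not in suffixes:
            continue
        st = entry.stat()
        findings.append({
            "name": entry.name,
            "size": st.st_size,
            "mtime": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
            "hidden": is_hidden(entry),
            "sha256": sha256_of(entry),
        })
    return findings


def neutralise_by_rename(path: Path, dry_run: bool = True) -> Path:
    """Rename a suspect file out of the way instead of deleting it; returns the new path."""
    target = path.with_name(path.name + RENAME_SUFFIX)
    if not dry_run:
        path.rename(target)
    return target


def run_on_constructed_sample():
    """Build a throw-away directory that mimics SYSTEM32 (constructed data), triage it, clean up."""
    sample = Path(tempfile.mkdtemp(prefix="system32_sample_"))
    try:
        (sample / "kernel32.dll").write_bytes(b"MZ" + b"\x00" * 62)  # legitimate-looking stub
        (sample / "drivers").mkdir()                                  # sub-directories are skipped
        (sample / "50.tmp").write_bytes(b"\x00" * 1024)               # the odd file from the GMER log
        (sample / "README.TMP").write_bytes(b"hello")                 # suffix match is case-insensitive
        findings = triage(sample)
        renamed = neutralise_by_rename(sample / "50.tmp", dry_run=False)
        return {
            "findings": findings,
            "renamed_to": renamed.name,
            "original_gone": not (sample / "50.tmp").exists(),
        }
    finally:
        shutil.rmtree(sample, ignore_errors=True)


if __name__ == "__main__":
    for record in run_on_constructed_sample()["findings"]:
        print(record)
```

Hashing rather than just listing is the point: a file that "keeps coming back" with the same SHA-256 after several reboots is the pattern dlb says to worry about, while a fresh hash each time is more consistent with an installer or scanner (such as the Sophos service file chaslang mentions later in the thread) writing its own scratch data.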
     
  9. zelmo

    zelmo Private E-2

    Actually, late last night I came across an interesting set of problems. I installed Comodo Firewall and it promptly discovered the trojan w32/Brontok hiding in a log file in a folder in my external hard drive (E) called System Volume Information, along with a systems file. Comodo could not delete it because it said the file was in use by another program. So I deleted it in safe mode, only to see it come back on its own in the same location in regular mode upon restart. I then turned off System Restore, suspecting that that was being used as a point of reference. And that seems to have worked. It has not come back. I have not yet turned on System Restore, but I know I need to soon. Now I've noticed this System Volume Information folder has shown up in my C drive. I cannot delete it.

    Maybe I belong in the Malware section now. I cannot find the file you mentioned, 50.temp, anywhere.
     
  10. dlb

    dlb MajorGeek

    Yeah, I think you should head over there also, and post a link to this thread for reference. You mentioned the trojan Brontok in your very first post and it appears to have infected the system restore cache on the external drive. This explains how drive C: got messed up again; the trojan most likely jumped from E: to your newly formatted C: shortly after you installed your Windows and drivers and plugged the drive in. The folder named "System Volume Information" is actually the system restore cache and it's where Windows stores info about what to restore when you perform a restore along with some info about what gets loaded at each reboot, etc.... As for the file "50.tmp"... maybe it was nothing, but it was odd that it showed up in the GMER rootkit scan, and that's why I was a bit worried about it. Many viruses/malware these days come in as .tmp files... anyway, head over to the malware forum and follow the steps in the "READ ME FIRST" sticky, and don't forget to reference this thread with a link in case the experts over there need any of this info or the scan logs. That way you won't need to repeat yourself.

    GOOD LUCK! (I tried :cry)

    [dlb]
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just an FYI. Sophos AntiRootKit adds this file (may have different names). It also adds a bunch of MEMSWEEP2 registry keys so that it can run as a service. Many people and also some protection programs falsely say these are rootkit files which they are not. ;)
     
