BSOD after following read and run malware thread

Hi, I've been having a problem with iexplore.exe running and playing audio ads in the background. I started to follow the read and run me first thread, but after running the program to disable cd emulation when my computer restarted it now crashes to Bsod after the user log in. This happens with both normal and safe mode.

The error code is 0x0000007e (0xc0000005, 0xe2084430, 0xb4c07c70, 0xb4c0796c)

Any help would be appretiated.

 

Hmm, how long does Windows stay up before crashing?

 

After I put my password in it crashes pretty much straight away.

 

what cd emulation software do you use?

0X7E in your case is most likely a driver issue, probably affected by malware.

We need the minidump files in the affected computer's C:\Windows\Minidump folder.

If you can hook that hard drive up as a slave, or use a bootable cd such as Hiren: http://www.hirensbootcd.org/download/

use its Mini Windows XP Feature to dig into that folder, transfer the files over to a USB flash drive. Upload here, it should tell us what driver is conflicting.

 

I had both daemon tools and poweriso I think, I haven't used either in ages.
I don't have access to another computer at home I'm afraid, having to type this on my phone. I've found the Vista OS cd, would that be of any help?

 

Hmm, so crashing immediately after Userinit.exe, probably something set to load as Shell that no longer exists? HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell is where you need to look, I think UBCD4WIN and the UBCD both allow access to the Registry 'offline', if you want to check what's trying to load there.

I wouldn't change anything until you've made certain that you can see where the problem is, it might be worthwhile creating a new thread in the Malware forum once you have further details, the last scan logs from the drive, etc.

 

I've finally got hiren's boot cd, and I can use minixp to find the minidump files but I can't transfer them as minixp isn't recognising any of my usb storage devices.

 

To add a bit more detail, it detects that the usb storage is there but it isn't assigning a drive letter so I can't use it. And unfortunately my wireless network adapter is usb so no luck there. I really hate computers sometimes.

 

There is an icon on the desktop of Hiren's mini windows XP called "Mount Removable"

Double click that, then your USB drive should been seen by explorer, with an assigned drive letter and all

 

Sorry I can't see that, all I can find is auto mount drives which is useless.

 

http://www.soft-linking.com/foto/out.php/i1649_hirens.boot.cd.mini.windows.xp.live.jpg

something like this.

i personally only use the 10.5 and 10.6 versions, i can't imagine them taking it out of the 13.0-14.0 builds tho.

 

I'm using 14 and it doesn't have that icon. Guess I'll have to download and burn 10.6...

 

That sucks, they took out a lot of great software in hiren 11.0 +. Taking out the ability to mount removable drives is really dumb though.

 

downloaded 10.6 and I've now got the files, thanks.

 

i'm not seeing anything inside that .zip archive.

 

better?

 

The dumps, which are very consistent, all happen between 45 seconds and 1:17 into boot time, right around the time that the Desktop would show. All finger Hal.dll, which can only mean hardware or hardware driver in this instance, I think.

SCDEmu.SYS, virtual CD driver, PowerISO is loading, was this the emulation software you tried to uninstall? Either way, I think you need to rename this file to SCDEmu.bak via your boot CD and try booting to test, it's probably located in C:\Windows\System32.

Make sure you have nothing connected externally at boot except mouse/keyboard/monitor.

EDIT: added 2x sample outputs.

Code:

Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Windows\Minidump\Mini062011-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows Vista Kernel Version 6000 MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 6000.17021.x86fre.vista_gdr.100218-0019
Machine Name:
Kernel base = 0xe2000000 PsLoadedModuleList = 0xe2111e10
Debug session time: Wed Jun 15 16:53:24.538 2011 (UTC + 1:00)
System Uptime: 0 days 0:00:44.194
Loading Kernel Symbols
...............................................................
................................................................
.......
Loading User Symbols
Loading unloaded module list
.....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000007E, {c0000005, e2084430, b51dfc70, b51df96c}

Probably caused by : ntkrpamp.exe ( nt!strlen+30 )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003.  This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG.  This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG.  This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: e2084430, The address that the exception occurred at
Arg3: b51dfc70, Exception Record Address
Arg4: b51df96c, Context Record Address

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP: 
nt!strlen+30
e2084430 8b01            mov     eax,dword ptr [ecx]

EXCEPTION_RECORD:  b51dfc70 -- (.exr 0xffffffffb51dfc70)
ExceptionAddress: e2084430 (nt!strlen+0x00000030)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000010
Attempt to read from address 00000010

CONTEXT:  b51df96c -- (.cxr 0xffffffffb51df96c)
eax=00000010 ebx=00000000 ecx=00000010 edx=00000001 esi=ca0a5000 edi=00000000
eip=e2084430 esp=b51dfd38 ebp=b0c574c0 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
nt!strlen+0x30:
e2084430 8b01            mov     eax,dword ptr [ecx]  ds:0023:00000010=????????
Resetting default scope

CUSTOMER_CRASH_COUNT:  1

PROCESS_NAME:  System

CURRENT_IRQL:  0

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  00000010

READ_ADDRESS: GetPointerFromAddress: unable to read from e21315ac
Unable to read MiSystemVaType memory at e21117e0
 00000010 

FOLLOWUP_IP: 
nt!strlen+30
e2084430 8b01            mov     eax,dword ptr [ecx]

BUGCHECK_STR:  0x7E

DEFAULT_BUCKET_ID:  NULL_CLASS_PTR_DEREFERENCE

LAST_CONTROL_TRANSFER:  from e2225704 to e2084430

STACK_TEXT:  
b51dfd7c e2225704 00000000 b51d4680 00000000 nt!strlen+0x30
b51dfdc0 e209162e b1c6130f 00000000 00000000 nt!PspSystemThreadStartup+0x9d
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  nt!strlen+30

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrpamp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  4b7d25c9

STACK_COMMAND:  .cxr 0xffffffffb51df96c ; kb

FAILURE_BUCKET_ID:  0x7E_nt!strlen+30

BUCKET_ID:  0x7E_nt!strlen+30

Followup: MachineOwner
---------



Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Windows\Minidump\Mini061511-05.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows Vista Kernel Version 6000 MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 6000.17021.x86fre.vista_gdr.100218-0019
Machine Name:
Kernel base = 0xe2000000 PsLoadedModuleList = 0xe2111e10
Debug session time: Wed Jun 15 14:06:13.850 2011 (UTC + 1:00)
System Uptime: 0 days 0:01:17.475
Loading Kernel Symbols
...............................................................
...................
Loading User Symbols
Loading unloaded module list
....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000007E, {c0000005, e2084430, b4c0bc70, b4c0b96c}

Probably caused by : ntkrpamp.exe ( nt!strlen+30 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003.  This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG.  This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG.  This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: e2084430, The address that the exception occurred at
Arg3: b4c0bc70, Exception Record Address
Arg4: b4c0b96c, Context Record Address

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP: 
nt!strlen+30
e2084430 8b01            mov     eax,dword ptr [ecx]

EXCEPTION_RECORD:  b4c0bc70 -- (.exr 0xffffffffb4c0bc70)
ExceptionAddress: e2084430 (nt!strlen+0x00000030)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000010
Attempt to read from address 00000010

CONTEXT:  b4c0b96c -- (.cxr 0xffffffffb4c0b96c)
eax=00000010 ebx=00000000 ecx=00000010 edx=00000001 esi=c4260000 edi=00000000
eip=e2084430 esp=b4c0bd38 ebp=b0c75988 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
nt!strlen+0x30:
e2084430 8b01            mov     eax,dword ptr [ecx]  ds:0023:00000010=????????
Resetting default scope

CUSTOMER_CRASH_COUNT:  5

PROCESS_NAME:  System

CURRENT_IRQL:  0

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  00000010

READ_ADDRESS: GetPointerFromAddress: unable to read from e21315ac
Unable to read MiSystemVaType memory at e21117e0
 00000010 

FOLLOWUP_IP: 
nt!strlen+30
e2084430 8b01            mov     eax,dword ptr [ecx]

BUGCHECK_STR:  0x7E

DEFAULT_BUCKET_ID:  NULL_CLASS_PTR_DEREFERENCE

LAST_CONTROL_TRANSFER:  from e2225704 to e2084430

STACK_TEXT:  
b4c0bd7c e2225704 00000000 b4c00680 00000000 nt!strlen+0x30
b4c0bdc0 e209162e b0cce30f 00000000 00000000 nt!PspSystemThreadStartup+0x9d
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  nt!strlen+30

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrpamp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  4b7d25c9

STACK_COMMAND:  .cxr 0xffffffffb4c0b96c ; kb

FAILURE_BUCKET_ID:  0x7E_nt!strlen+30

BUCKET_ID:  0x7E_nt!strlen+30

Followup: MachineOwner
---------

 

Yeah. Poweriso was being disabled when it crashed on reboot. I'll try renaming.

 

Yes, the zip was bugged for me too, worked ok with Winrar though, right-click > extract to

 

I tried that but I'm still getting the same problem.

 

Looks identical from the parameters, that emulator's not loading now, the zip still gave me an error about the compression method, what compression tool was it created with?

I'll study the debug and loaded drivers further.

 

I'm having to use my phone and androzip, I don't have another computer to use at hom

 

I Googled the string of the failure bucket ID, FAILURE_BUCKET_ID: 0x7E_nt!strlen+30 and the only hit was this thread . It's consistent across all dumps, I think we have a serious problem and the chances of hitting on a quick fix have reduced enormously.

Have you got all your valuable data off the drive yet?

Can you access any other anti-malware logs from the drive?



EDIT: That's fine on the zip, I can cope with it

 

says caused by driver hal.dll
very generic error. Using Mini Windows xp, I'd check to see if hal.dll is in:
C:\WINDOWS\system32

If it isn't, expand it from a windows xp cd, or windows vista windows 7 dvd. Whichever os you have. id idn't see if you wrote it down


I attached the windows xp version of hal.dll.

 

I've got vista, do you have a copy of that version?

Moving my important stuff is tonights task.

 

If the hal.dll (or any other known driver loaded) was a bad version or corrupt, the debugger would normally flag it as such during the analysis.

Concentrate on your data, that's the most important thing. If you get time, grab any recent logs that may be useful, esp. any from any A/V or anti-malware programs you ran in the lead-up to this problem.

 

Here's the vista version

 

Sorry satrow, didn't see you there.

Replacing hal.dll alone probably won't fix it. So satrow's idea of at least backing up your data first is most important. I'm not sure why it doesn't show up in the debugger either satrow. I keep seeing hal.dll from bluescreenview.

 

No worries, thisisu

BSV is basically a fast scanner, as to a lesser extent is Windbg with the !analyze -v command. I check hal.dll (lmvm hal) and I get the following output:

Apart from anything else, notice the internal filename - halmacpi.dll - that m might indicate that this version is specific to multicore CPU's,as the 'decision' on which files to use is made during the original install. Other 'changeable' filenames might be shown with mp, it depends on the filename length as they must conform to the 8.3 standard.

So, for many Windows core file replacements, check 'bit'ness, SP level and whether it's for a single or multicore install.

On 'easy' BSOD's, the offending driver is often listed onscreen and by both BSV and Windbg, with the more difficult ones, it can be hard or impossible to find the real culprit.

Sometimes scanning down the Stack Text in the Windbg output can pinpoint the probable cause, in this instance, all we get in all dumps is just the same 3 lines - nothing I'm familiar with and blanks out on a search.

Other BSOD's can be worked out from good descriptive data from the OP and checking through the drivers listed in BSV lower screen. "I was just watching Youtube" (often bad network drivers), "Every time my uTorrent's been running for x minutes" (could be firewall/network drivers), etc.

All computers become as different as their owners after a while, each case must be treated individually, guesswork is often a good shortcut

 

I've backed up all my essential data. I'm starting to get tempted to just delete everything and reinstall.

 

That's beginning to look like it maybe the fastest and best option.

Don't run with it immediately, thisisu might come up with some fresh considerations.

 

Glad to know you have your data backed up.

Have you tried replacing hal.dll yet?

If so, go into Hiren and let's run a full chkdsk.

Open command prompt. you'll see X:>
type chkdsk c: /r
This is a 5 stage checkdisk (chkdsk)

Will take a while to complete (2 hours+ on avg)
Once finished, post results, I got some more things we can try afterwards but they are a little bit more involved.

 

I've done that and ran chkdsk. How do I get the results? Is there a log file somewhere?

 

@ log creation: not really.. sometimes (if there was corruption) it will leave behind found.001 found.002 type folders @ the root of C: (you have to be able to view hidden and system files to see them). Other than that, I don't think so..

I'm guessing the PC still doesn't boot after the chkdsk? Still getting a BSOD? @ work atm so can't talk for long, i'll be back later with something else you can try.

basically, bootrec /fixmbr and bootrec /fixboot , i'll walk you through it in a bit, unless you just know exactly what I'm talking about

 

Still no luck after dskchk I'm afraid.

 

Perhaps we could try replacing what may be the problem file (it reads like it was infected anyway), sptd.sys is the most common one, though there are a few variations

It might be safer to get the Registry copied and scrutinised first though, what do you think, thisisu? Is it feasible? Would trying to copy over the backup Registry be a better plan?

 

You'll probably have to tell him how to do that, because I'm not sure what you want to do exactly. Also, I don't think I could explain it as I don't have much experience with offline registry editing.

If you think sptd.sys is a potential culprit (is this also something you gathered from the debugger program you use?), it's not a file i'm familiar with tbh, so I'm not even sure if windows vista recovery disc will have it on file to expand from, but I don't see any harm in deleting/replacing it with a clean version.

 

sptd.sys "after running the program to disable cd emulation when my computer restarted it now crashes to Bsod" from the OP.

A little busy at the moment

 

Oh, my apologies, I should have reread the first posts

 

There should be a way of working out the version and hopefully name of the file we need to replace, I'd begin by searching the Program files folder for logs, install.dat, uninstall.dat - really anything there that can be read by a text editor.

Once we have enough clues, it should be plain sailing to grab the correct installer and copy the clean file back over. Maybe the original installer is still on the drive somewhere?

Perhaps the tool used only renamed the file to *.bak to block it from loading?

It's in no way guaranteed to work but there's a slim chance.

 

http://www.winhelponline.com/blog/restore-registry-hives-system-restore-snapshot-xp/

Is there a windows vista/7 version of this?

 

I'm pretty sure it's very similar, it's allied to the method I was thinking of back around post #5 to access and check the registry (no point in using an old Reg if the file's still missing), check your C:\Windows\System32\config and \RegBack if you get time.

 

Nice find, but the ones I have are dated from today. Is this because I have system restore turned off? ha..

 

hey boredmedic,

boot with the vista cd, access the System Recovery Options menu. use system restore to restore to a date before the problem occurred.

http://windows.microsoft.com/en-US/windows-vista/What-happened-to-the-Recovery-Console

Techsent

 

I bit the bullet and tried to erase everything and reinstall, but I can't even do that right. I tried using dariks from my hiren's boot cd but it stops after 5 seconds and says dban finished with non-fatal errors.this is usually caused by discs with bad sectors. You wouldn't think it would be complicated to raze everything to the ground. Any one have any sugestions, is there a better way to do this?

 

I'm not completely au fait with the way W7/Vista works with regard the frequency/storage etc. of Registry backups but even without SR, you should have RegIdleBackup (weekly?) running from Task Scheduler and Windows should always have a copy (or copies over several good boots) of Last Known Good.


@boredmedic, now that you've gotten bored with trying to keep up with our track down and fix discussion, can you boot from the W7 DVD and how far can you get with a fresh install?

There may be an underlying MBR/bootsector problem from an undiscovered infection.

If there is a physical drive problem, that could be the cause of the problem; hardware errors should always be checked for ahead of moving on to Windows/drivers/software, etc., our bad for not getting that checked sooner.

 

When I go to reinstall I get a choice of partitions. My C drive, the recovery one which I never use and a third one of 55 that I assumed was from minixp. Should that still be there?

 

55MB(?) is a strange size, is it a partition or unallocated space? I don't think any boot/diagnostic CD creates partitions by default, it would be something that you'd actively need to do.

You have a Recovery partition? Is the partitioning scheme one you set or is it a pre-load? If pre-load, Dell or ?.

Is there a way (F12 or something at the BIOS screen?) you can boot to the Recovery partition to do a fresh factory recovery?

All this assuming, of course, that your data is safely verified and away from this computer.

 

The recovery one was there when I got the computer from dell. I don't think I've ever touched it. The other partition is 54.7mb. I don't remember seeing it when the pc was working. I've taken some screenshots in case that helps.