Getting BSOD-might be malware or h/w issue

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by fmBrownU, Jan 19, 2007.

  1. fmBrownU

    fmBrownU Private E-2

    Hi there!

    I have been scouring the boards today and using the READ AND RUN ME FIRST guide to see if I could fix the laptop I am working on. I do desktop support here and a user was getting BSOD out of nowhere and during nothing in particular. Had to hard reboot each time. I initially ran Symantec anti virus scan, and ad-aware scans, which were clean except for cookies. When I installed Spybot, it gave me a message saying the program had already been changed from the install, so I should run immediately because I probably had malware on there. Ran a scan, and nothing except cookies.

    Have gone through the 'read and run me first' steps. I ran AVG spyware scan and the machine BSOD's in the middle of that. Tried to run the BitDefender scan and the machine BSOD's in the middle of that. So I ran the HijackThis log and reviewed it against your HJT tutorial and it looks okay in terms of malware.

    In short, I am stumped and would like to avoid wiping the machine and installing the OS from scratch. Which is coming soon.

    Any suggestions/advice?

    Machine is Dell Latitude D620 Laptop
    Intel Centrino Duo 1.83GHz processor
    2GB RAM
    93.1 GB HD with 73 GB free

    If you need other details, please let me know. THANKS!
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Doubt this is a malware problem ....do you have the error code for the BSOD's? Are they random? Are they different each time?
    Does the same happen in safe mode?
     
  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please try to attach as many logs as you can, esp. the GetRun, ShowNew and the HijackThis, as well as any others that you can get to complete.

    Also Please try the following:
    Sophos Anti-Rootkit will scan your computer for files that have been hidden using rootkit technology.

    Many of the newer malware infections use this technology to hide themselves and to make them more difficult to remove.

    Installation
    Download Sophos Anti-Rootkit 1.1 and save to a location you will be able to find such as your desktop

    Run sarsfx.exe by double clicking on it.

    Click Accept to agree to the EULA

    Click Install (if you wish to change the default installation location do so here but remember where you install to, the default is C:\SOPHTEMP)

    Once it finishes copying files, exit the installer
    Running the scan
    Navigate to the location that you installed the software to (Default: C:\SOPHTEMP)

    Run sargui.exe by double clicking on it.

    Ensure that all three of the options are checked

    Click Start Scan

    Once the scan is complete, close Sophos Anti-Rootkit by closing the scan window and clicking Exit in the main window

    DO NOT CLICK 'CLEAN UP CHECKED ITEMS' OR ATTEMPT TO HAVE SOPHOS ANTI-ROOTKIT FIX ANYTHING UNLESS SPECIFICALLY INSTRUCTED TO IN THE THREAD YOU ARE WORKING ON
    Finding the logs
    Click on Start --> Run

    Type in %TEMP%\sarscan.log and press enter

    The log file will open in the default editor (probably Notepad)

    Click File --> Save As and save the file to your desktop or other location for easy retrieval.
     
  4. fmBrownU

    fmBrownU Private E-2

    Hi! Working on the instructions below, thanks!

    The BSOD's are different each time, and I stupidly did not write them down each time. Most recent was today during BitDefender scan in SafeMode with networking. Error was PAGE_FAULT_IN_NONPAGED_AREA and code listing was: ***STOP: 0x00000050 (0xF3713CDC, 0x00000001, 0x8058232F, 0x00000002)

    I successfully ran Panda scan and Sophos. Panda found only cookies and Sophos said it found nothing. Interestingly, I first ran Panda in SafeMode with networking and it had listed a rootkit, but because of the crappy graphics settings being on 600x800, I could not see the whole window, so I was unable to save that log. Run in normal mode, no rootkit listed.

    I will attach my logs here and would appreciate any advice. Thanks again!
     

    Attached Files:
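
    Decoding the STOP line reported above, as an added example from the editor and not code from this thread: the parameter layouts are the ones Microsoft documents for these 32-bit XP bug checks, the kernel/user split assumes the default 2 GB boundary (no /3GB switch), and the two extra sample lines are constructed only to show how the "are they different each time?" count is taken. The module that owns the faulting address cannot be recovered from the STOP line alone; that needs the minidump (XP writes small dumps to %SystemRoot%\Minidump by default).

```python
import re

# Parameter layouts for a few 32-bit Windows XP bug checks, from Microsoft's
# bug check code reference. Codes not listed here are reported by number only.
BUGCHECKS = {
    0x0A: ("IRQL_NOT_LESS_OR_EQUAL",
           ("memory referenced", "IRQL at time of reference",
            "access (0=read, 1=write)", "address of instruction")),
    0x50: ("PAGE_FAULT_IN_NONPAGED_AREA",
           ("memory referenced", "access (0=read, 1=write)",
            "address of instruction", "reserved")),
    0xD1: ("DRIVER_IRQL_NOT_LESS_OR_EQUAL",
           ("memory referenced", "IRQL at time of reference",
            "access (0=read, 1=write)", "address of instruction")),
}

# Assumption: default 2 GB user / 2 GB kernel split (no /3GB switch), so on
# 32-bit XP any address at or above 0x80000000 is kernel-mode.
KERNEL_BASE = 0x80000000

# Matches the text of the blue screen's STOP line, e.g.
# "***STOP: 0x00000050 (0xF3713CDC, 0x00000001, 0x8058232F, 0x00000002)"
STOP_RE = re.compile(r"\*+\s*STOP:\s*0x([0-9A-Fa-f]{1,8})\s*\(([^)]*)\)",
                     re.IGNORECASE)

# Constructed sample input: the STOP line reported in this thread plus two
# made-up lines illustrating other codes (not from the thread).
SAMPLE_LINES = [
    "***STOP: 0x00000050 (0xF3713CDC, 0x00000001, 0x8058232F, 0x00000002)",
    "*** STOP: 0x0000000A (0x00000010, 0x00000002, 0x00000000, 0x804E1A5C)",
    "*** STOP: 0x000000D1 (0xE1A02000, 0x00000002, 0x00000001, 0xF7A4B120)",
]


def parse_stop_line(line):
    """Decode one STOP line into code, name, raw params and labelled fields.

    Returns None if the line is not a STOP line (e.g. only the symbolic name
    was written down, which is the case for the earlier crashes in the thread).
    """
    m = STOP_RE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    params = [int(p.strip(), 16) for p in m.group(2).split(",") if p.strip()]
    name, labels = BUGCHECKS.get(code, ("UNKNOWN_BUGCHECK", ()))
    return {"code": code, "name": name, "params": params,
            "fields": dict(zip(labels, params))}


def is_kernel_address(addr):
    """True for a kernel-mode address under the default 2 GB split."""
    return addr >= KERNEL_BASE


def triage(info):
    """Turn a decoded STOP into the facts a responder records before asking for help."""
    notes = ["0x%08X %s" % (info["code"], info["name"])]
    f = info["fields"]
    if "access (0=read, 1=write)" in f:
        access = "write" if f["access (0=read, 1=write)"] == 1 else "read"
        target = f["memory referenced"]
        space = "kernel" if is_kernel_address(target) else "user"
        notes.append("%s to 0x%08X (%s space)" % (access, target, space))
    if "address of instruction" in f:
        pc = f["address of instruction"]
        space = "kernel" if is_kernel_address(pc) else "user"
        notes.append("faulting instruction at 0x%08X (%s space); "
                     "map it to a module with the minidump" % (pc, space))
    if "IRQL at time of reference" in f:
        notes.append("IRQL was %d" % f["IRQL at time of reference"])
    return notes


def distinct_codes(lines):
    """Answer 'are they different each time?': crashes per bug check code."""
    counts = {}
    for line in lines:
        info = parse_stop_line(line)
        if info:
            counts[info["code"]] = counts.get(info["code"], 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        for note in triage(parse_stop_line(line)):
            print(note)
        print()
    print("distinct codes:", {hex(k): v for k, v in distinct_codes(SAMPLE_LINES).items()})
```

    For the line in this thread the decode says: a kernel-mode write to 0xF3713CDC from an instruction at 0x8058232F, also in kernel space. Which driver or kernel module sits at that address on this particular machine is only answerable from the minidump, which is why the thread keeps asking for the exact codes rather than the symbolic name alone.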

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Run HijackThis and select Do a system scan only. Look for the below lines (you may not always find both of them) and select them but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O16 - DPF: {CAFECAFE-0013-0001-0017-ABCDEFABCDEF} (JInitiator 1.3.1.17) -

    After clicking Fix, exit HJT.


    Please copy the text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.


    Your BSOD problems could be caused by many things.
    Have you run a chkdsk /r on the drive?

    http://support.microsoft.com/kb/162837

    Is the computer part of a domained network?

    You need to run Counterspy and attach the log.
    Also attach new:
    GetRunKey
    ShowNew
     
  6. fmBrownU

    fmBrownU Private E-2

    Thanks Tim!

    Ran HijackThis again. You only listed one line there, I found it and fixed it. Also did the regedit.

    Ran a chkdsk /r on the machine after reading. Just hadn't thought of it before (this is not the only thing on my plate, I am sure you understand.)

    No errors, but it did take about 45 mins to complete.

    Ran CounterSpy - nothing found, no log.

    Here are the other two new logs.

    About the MS link you sent, it lists WinNT as the OS for that issue, I assume that is not applicable since I am on WinXP?

    Once again, all help and suggestions are appreciated. Thanks!
     

    Attached Files:

  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Not seeing anything in your logs that would indicate malware. You are on a school domain?

    You may uninstall any programs that we asked you to download for the analysis.

    You should re-run CCleaner for both the cleaner and the issues (make the backup when prompted).

    You may wish to post in the software section regarding the stop errors. They could be caused by bad ram, overheating, corrupt system files, etc.
     
  8. fmBrownU

    fmBrownU Private E-2

    This machine is not on the main university domain. We have our own domain server here, separate from the school domain (separate building for Facilities Management staff.)

    Thanks for confirming no malware. I will run ccleaner once more, thanks for the tip.

    If I get anymore of these errors, I will post in software. I will get the machine back to the user to see if he can work a regular day without getting any.

    Thanks again for your assistance!
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good luck! :)
     
