hardware problem or virus?

I'm having some trouble so I was hoping someone could shed some light for me. I'm running a Latitude D800, XP.

I had just opened the internet when I got a BSOD; the error was "DRIVER_IRQL_LESS_OR_EQUAL" I restarted, but then my computer was unresponsive after login. That is to say, it would log me in, but if I tried to open the start menu or any programs it would do nothing.

I shut it off, reseated the RAM, cleaned the system fan, then tried to boot into safe mode, where I got another BSOD, this time with no reference to a driver.

I restarted again, then logged in normally, which it allowed, and gave a Microsoft "recovery" message, with the following error signature:

BCCODE: 100000d1 BCP1: 00000006 BCP2: 00000002 BCP3: 00000000
BCP4: AAF2D2A9 OSVer: 5_1_2600 SP: 3_0 Product: 256_1

It seemed to be responsive so I tried to run malwarebytes, but it came back with the error 721 (0,14).

I logged out then back in, but then it became unresponsive again. This seems to happen once every couple log in attempts, and I still cannot access safemode.

While it does very 'virusy,' when I get a BSOD that makes me think hardware. I could just wipe my hd and use my backup image, but that takes a while and I don't want to wipe everything before I'm sure.

Any help/insight would be greatly appreciated.

 

Can you post the memory dump so we can analize what caused you to BSOD. It would be in C:\Windows\minidump

 

Hope this is helpful:


Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [G:\Mini092209-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_gdr.090206-1234
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055b1c0
Debug session time: Tue Sep 22 01:32:30.586 2009 (GMT-4)
System Uptime: 1 days 4:48:46.196
Loading Kernel Symbols
...............................................................
................................................................
................................
Loading User Symbols
Loading unloaded module list
.............................
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 100000D1, {6, 2, 0, aaf2d2a9}

Probably caused by : atapi.sys ( atapi!IdeProcessCompletedRequest+664 )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000006, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: aaf2d2a9, address which referenced memory

Debugging Details:
------------------


READ_ADDRESS: 00000006

CURRENT_IRQL: 2

FAULTING_IP:
+26
aaf2d2a9 f6400605 test byte ptr [eax+6],5

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xD1

PROCESS_NAME: Idle

LAST_CONTROL_TRANSFER: from f78396fc to aaf2d2a9

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
80550e84 f78396fc 8a320ef8 8a3c90e8 00000000 0xaaf2d2a9
80550eb0 f7839c8e 894ff008 8a320ef8 80550f2b atapi!IdeProcessCompletedRequest+0x664
80550f2c 804dbbd4 8a3c90a4 8a3c9030 00000000 atapi!IdePortCompletionDpc+0x204
80550f50 804dbb4d 00000000 0000000e 00000000 nt!KiRetireDpcList+0x46
80550f54 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0x26


STACK_COMMAND: kb

FOLLOWUP_IP:
atapi!IdeProcessCompletedRequest+664
f78396fc 5f pop edi

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: atapi!IdeProcessCompletedRequest+664

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: atapi

IMAGE_NAME: atapi.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4802539d

FAILURE_BUCKET_ID: 0xD1_atapi!IdeProcessCompletedRequest+664

BUCKET_ID: 0xD1_atapi!IdeProcessCompletedRequest+664

Followup: MachineOwner
---------

 

How often does it BSOD? Do you do something that cases to BSOD or does it just BSOD At random?

 

@pclover:

The first time I had just opened the internet and was about to check my e-mail. That was the only time it gave me the DRIVER_IRQL etc. message.
Now, every time I try to enter safe mode it gives me a BSOD, without any reference to a driver... just says windows had to stop me.

@halo:

I do have daemon tools, but i've had it for quite some time and never had a problem but i'll give it a try.

****

I read that some malware can disguise itself as atapi.sys... is that viable? What is atapi.sys when it's functioning correctly?

 

Well I tried several things... none of which worked. At this point I'm thinking it must be some weird virus... why else could I log in to my account but get a BSOD every time I try to startup in safe mode?

So I'm just going to wipe my hd and restore my latest backup image. Thanks for everyone's help and advice. If this doesn't work then at least I'll be sure it's a hardware thing... and I may be back asking for more help!