TechSpot

Another BSOD "Bad Pool Header" thread

By BigBen
Jul 28, 2006
  1. Hello, all:

    Greetings from sunny, hot, waiting for hurricanes :( Florida USA.

    Over the past several weeks, I have been getting an occasional BSOD, not often, just once in a while. It may have started when I installed some additional RAM, but I am not convinced of that. Also, sometimes, my computer also emits a "beep" every five seconds or so on booting up.

    Specific details: Bad_Pool_Header Stop 0x000019 (0X00000020, 0x82E00CE8, 0x0A23007). Beginning dump of physical memory.

    During these weeks, I have also had error windows every time I boot up, something like "Norton cannot make this repair" and "This MSI must be run from setup." (I have Norton Internet Security installed. More on that later.)

    My son may have installed some new software (videogame "Alexander") during this time, and I installed a Bluetooth controller, both of which I have since uninstalled, just in case they were contributing to an overheating problem or causing conflicts.

    Wanting to get rid of the Norton problem, I downloaded and installed the most recent Norton antivirus, along with its bundled Systemworks. Instead of fixing the problem, every time I start to run a registry check with Systemworks, I get the BSOD. This now happens consistently, whether I have the old RAM or the new RAM, or both sticks installed.

    Norton utilities showed my RAM to be OK with all 768MB installed. (The vendor told me it was OK to install different size of RAM, although I see that Howard of this forum recommends against it.)

    Microsoft Debugging tools shows a SYMEVENT (Symantec, natch), but also says "Probably caused by Afpansi.sys." A few websites say this file is placed on computers by "Informer" keylogger. Norton, McAfee etc. have no mention of this system file.

    Do any of you know anything about Informer? None of the other files that Informer apparently places are on my computer. And I don't understand why there are only a few, not-well-known websites that seem to list this as keylogger spyware, and not the better-known guys. Could be, I guess.

    I am ready to uninstall Norton entirely, as also recommended in this forum, again by Howard, if I recall. I don't know why I keep putting up with their bloatware.

    Yesterday, I also updated a few of my key drivers, such as audio, graphics, etc., in an attempt to eliminate old drivers as the source of the problem.

    I am not convinced that my RAM is the problem, in spite of its implication in a lot of this type of BSOD. Maybe the attached minidumps will show otherwise, but I think yesterday's installation of the Symantec junk is a major source of my woes.

    Today, I have run all day on my original RAM, without a problem. As long as I don't try to run any Norton SystemWorks utilities, I seem to be OK. Because I am not convinced RAM is the problem, I have not run Memtest.

    I should also mention that a couple of days ago, I also installed a Logitech Quick Cam, and my wife installed Yahoo! Messenger. The camera kept freezing up the first day, but seems OK now.

    I am attaching some of today's minidumps for someone more knowledgeable than myself to help me interpret what is going on.

    Sorry this post is so long. Hope someone can help me! Thanks in advance.

    Computer: Compaq Presario S3100Nx about 2-1/2 years old.
    70 GB Hard Drive
    Original RAM: 256MB DDR, another 512MB recently installed (and uninstalled)

    Regards and thanks from BigBen (US version.)
     


  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    All your minidumps crash at AFPAnsi.sys. Apparently this is a keylogger/trojan.

    Go HERE and follow the instructions exactly.

    Post a fresh HJT log as a .txt attachment into this thread, only after doing the above.

    Regards Howard :)
     
  3. BigBen

    BigBen TS Rookie Topic Starter

    BSOD caused by keylogger trojan solution

    ------------------------

    You're the best, Howard Hopkinson. However, your "Here" doesn't seem to be a hyperlink. And as I briefly mentioned in my original post, none of the files connected with that Trojan seem to be on my computer. I will take another look, however.

    And please clarify, what is an HJT log?

    Man
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Sorry about that, I forgot to add the link doh.

    Fixed now.

    Regards Howard :)
     
  5. BigBen

    BigBen TS Rookie Topic Starter

    Thanks again, Howard

    You are up late, sir! As the Spanish say, "Mil gracias." A thousand thanks.

    In this interim, I learned that the culprit file is used by ENUFF!, a computer time-limiting and monitoring program for parents like me. I installed it a couple of years ago - my kids were glued to the computer for far too much time. Apparently, it left some junk behind when I uninstalled it.

    What I don't know, is if the ENUFF! publisher was using it to spy on me! I vaguely recall a keystroke feature of the program, which I didn't use.

    Regards from the yankee BigBen. And don't stay up too late!
     
  6. BigBen

    BigBen TS Rookie Topic Starter

    Trojans and their ilk removal - Done!

    Wow, it was an ordeal and a half, but worth it, I guess. Computer running much faster now, and no BSOD so far. Muchas gracias, Howard!

    Now the strange part. A supposed keylogger file, afpansi.sys, was the apparent culprit, according to my minidumps. HOWEVER, NONE of the spyware scans located that file, which still is on my system. Furthermore, NONE of the spyware or anti-virus publishers listed in your instructions for spyware removal list that file as a nasty, nor did their scans detect the file. Not even when I scanned the file individually, did I get a peep from any of the spyware or anti-virus programs.

    Caveat to all: Mucking with the registry, as we all know, is a delicate chore, especially when the procedure involves turning off System Restore, which deletes all restore points. Afterwards, I had a "You have counterfeit Windows" experience, which I had to work through, which was not fun. This was possibly a result of a slip-up on my part somewhere during this whole process of scanning and removing all the nasties in my system. I am careful about these things, but I got bit in the **** this time! Be careful, folks. :(

    I am going to leave afpansi on my system, to see what happens. I will zap it if I get another BSOD which implicates it, but so far, so good. I am still very interested in learning if you see anything else that needs my attention, after you review my HJT log, attached.

    Many thanks for your good work, Howard.

    BigBen

    P.S. I blew Norton off my system. My last BSOD occurred as I was starting to scan with NIS. I may put it back on to see if it is the real source of my woes. Maybe Norton is the only one that doesn't like AFPANSI.SYS, and my BSODs were the result of that.
     


  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.


    Boot into safe mode, under your normal user name. See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore. (XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    xpinstall.exe
    ALCXMNTR.EXE

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    ALCXMNTR.EXE You will need to search your system for this file and delete all instances of it.

    C:\DOCUME~1\OWNER\LOCALS~1\TEMP\xpinstall.exe

    Reboot into normal mode and turn system restore back on.

    Let us know how your system is running.

    P.S. I forgot to add, there's no sign of the keylogger now.


    Regards Howard :)

    This thread is for the use of BigBen only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
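
Added example, not part of the original thread and not HijackThis's own code: a small checker that parses a fresh HJT log and reports which of the entries from the fix list in the post above are still present after the cleanup. It assumes the `R0` and `O4` line layouts shown in that post; the function names and the sample log are constructed for illustration.

```python
import re

# Entries from the fix list in the post above, copied as written there.
FIX_LIST = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =",
    r"O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE",
]

# Constructed sample log (not BigBen's attachment): one fix-list entry remains,
# written with different case and spacing to exercise the normalisation.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://example.invalid/
O4 - HKLM\..\Run: [alcxmonitor]  alcxmntr.exe
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
"""

LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # "<section> - <data>"
RUN_RE = re.compile(r"^(.*?): \[(.*?)\]\s*(.*)$")  # "<key>: [<name>] <command>"

def parse_line(line):
    """Return (section, key, value) for an HJT entry line, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    if section == "O4":
        r = RUN_RE.match(rest)
        if r:
            hive, name, cmd = r.groups()
            # Registry value names and file names are case-insensitive on Windows.
            return section, f"{hive}: [{name}]".lower(), cmd.strip().lower()
    if section.startswith("R"):
        key, _, value = rest.partition("=")
        return section, key.strip().lower(), value.strip().lower()
    return section, rest.strip().lower(), ""

def still_present(log_text, fix_list=FIX_LIST):
    """List the fix-list entries that still appear in the given log text."""
    wanted = {parse_line(entry): entry for entry in fix_list}
    return [wanted[e] for line in log_text.splitlines()
            if (e := parse_line(line)) in wanted]

if __name__ == "__main__":
    for entry in still_present(SAMPLE_LOG):
        print("still present:", entry)
```
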
     
  8. BigBen

    BigBen TS Rookie Topic Starter

    Cleanest system in town!

    OK, Howard, I carried out your last instructions. Things look great :grinthumb . Thanks again for all your help.

    From now on out, I will take more care to avoid these problems.

    BigBen
     
Topic Status:
Not open for further replies.
