TechSpot

BSODs after virus ; even after system restored

By gnznroses
Feb 5, 2011
Post New Reply
  1. I was hit with an apparent Java exploit, and a virus was installed on my Windows 7 x64 system, just by visiting the site. (Had Windows and Java itself up to date also.)
    Nasty virus, took several different antivirus and anti-malware programs to finally find one that would fully remove it (Kaspersky).

    My PC has been unusable the past 3 days, constantly BSODing. It BSODs in safe mode as well. In normal mode sometimes it BSODs immediately when I log in, or freezes up entirely. Other times it'll work for 30 minutes before it does it.

    I restored a backup of my entire Windows partition, using Paragon backup and Recovery. The backup is from 9 months ago and was 100% working I know.

    It seems to be a driver issue, but I don't understand why restoring did not fix it.

    I can provide the .dmp files if needed, but I looked at them myself and made a summary (below). Each of these is a different crash, all occuring yesterday. You'll see the reason for the crash seems to be different each time.


    DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
    PROCESS_NAME: adapter_cfg_x6
    IMAGE_NAME: ntkrnlmp.exe
    FAILURE_BUCKET_ID: X64_0x1E_c0000005_nt!ExpAllocateBigPool+43d


    DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
    PROCESS_NAME: System
    IMAGE_NAME: ataport.SYS
    DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bc118
    FAILURE_BUCKET_ID: X64_0x1E_0_ataport!IdeCompleteScsiIrp+62


    DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
    BUGCHECK_STR: 0xA
    PROCESS_NAME: SetPoint.exe
    IMAGE_NAME: ntkrnlmp.exe
    DEBUG_FLR_IMAGE_TIMESTAMP: 4b88cfeb
    FAILURE_BUCKET_ID: X64_0xA_nt!KiPageFault+260


    DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
    IMAGE_NAME: ntkrnlmp.exe
    DEBUG_FLR_IMAGE_TIMESTAMP: 4c1c44a9
    FAILURE_BUCKET_ID: X64_0x1E_c0000096_nt!KeStackAttachProcess+1ba


    DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
    PROCESS_NAME: unlodctr.exe
    IMAGE_NAME: ntkrnlmp.exe
    FAILURE_BUCKET_ID: X64_0x9F_4_nt!PnpBugcheckPowerTimeout+76




    Any help much appreciated. I work from my PC so I'm kinda lost without it.
     
  2. Route44

    Route44 TechSpot Ambassador Posts: 11,966   +70

    The issue could possibly be that you are still infected. Go to our Viruas and Malware Removal forum, read the Updated 8 Step sticky and follow the steps exactly as given.

    Then on that forum post with the required logs attached. You'll get excellent help.
     
  3. gnznroses

    gnznroses TS Rookie Topic Starter

    Thanks for the reply.
    I'm pretty confident that i'm no longer infected. I'm unable to follow those steps though because I'm getting BSOD either at logon or within a minute or two after (in safe mode) Tried five times just now... Two of them this time said IRQL_NOT_LESS_THAN_OR_EQUAL and one referenced ntfs.sys

    At this point I'm afraid I'm doing more damage and potentially corrupting files by trying to use the system and have it continuously crash.

    I could boot BartPE and run the steps from it but the DDS info for instance would not be applicable. Other than the GMER scan I've done everything else already, with the exception of using Kaspersky instead of Avast. Kaspersky is as good or better and has never failed before to remove things that other AVs miss. My brother uses Avast and was recently infected despite of it. That can be true though for all AV software since none are perfect.

    I will run GMER from BartPE and see what I get.

    All of my log files from MalwareBytes, Kaspersky, etc are all gone, due to restoring the backup, so I don't have anything virus-related to post. I previously used AVG, MalwareBytes, HiJackThis, Spybot, and Kaspersky.

    I'm a software developer (of a security program) so I'm pretty well versed in things but this has me stumped.
     
  4. Route44

    Route44 TechSpot Ambassador Posts: 11,966   +70

    Okay, then please do the following if you can...

    How to find and post your Minidump Files:

    My Computer > C Drive > Windows Folder > Minidump Folder > Minidump Files.

    It is these files that we need (not the folder). Attach to your next post the five most recent dumps. Notice the Manage Attachments button at the bottom when you go to post the next time. You can Zip up to five files per Zip; if you only have one or two you don’t need to zip them, just attach as is. Please do us a favor and don’t Zip each one individually.
     
  5. gnznroses

    gnznroses TS Rookie Topic Starter

    I've attached 5 dumps from yesterday -- was unable to get the most recent ones. My USB port doesn't seem to work from within BartPE (for me to transfer the files to this laptop). I tried booting my XP install (it's dual boot) but it also gave BSOD while starting up.
     

    Attached Files:

  6. Route44

    Route44 TechSpot Ambassador Posts: 11,966   +70

    Nothing definitive was cited. Only two of the dumps were the same error code; the other three were different. With your symptoms I would normally say the suspicion is corrupted memory but in your case history it appears that the OS or the harddrive has been compromised.

    Have you run harddrive diagnostics before?
     
  7. gnznroses

    gnznroses TS Rookie Topic Starter

    I'll run memtest and chkdsk.

    When I removed the virus, or rather the set of viruses, I don't recall malwarebytes or kaspersky giving it a real name, but the Windows Action Center would say that it detected Alureon virus, and when I looked up info on it, it said that it can inject itself into your harddrive drivers. But, the drivers should have all been reset when I wiped the whole partition? Also though, some of the other characteristics that were attributed to this virus were not present on my system, such as creating a new boot partition etc.

    Do you still think this is better suited for the virus subforum?

    Thanks.
     
  8. Route44

    Route44 TechSpot Ambassador Posts: 11,966   +70

    Chkdsk only does so much. I am suggesting a much deeper and broader harddrive diagnostics. If the infection is nasty enough they can physically affect sectors on your harddrive. I speak from personal experience as well as a few posters here.

    What is the make of your harddrive?
     
  9. gnznroses

    gnznroses TS Rookie Topic Starter

    i ran GMER last night from BartPE. It says it did find a couple of things:

    type: .text
    name: ntkrnlmp.exe!KelinitializeInterrupt + B67
    value: 8040623C 1 Byte [06]

    type: Device
    name: \Driver\ACPI_HAL\Device\.00000003
    value: halaacpi.dll

    then it listed about 100+ jpegs that i'm pretty sure are false positives. i can check but they're all 24x24 and if there were anything injected into them the filesize difference would be apparent.

    should i post this in the virus forum? i'm not sure what to do about these two hits. i don't even know if this driver for instance is even on my harddrive or if it's a false positive found on the BartPE cd or running in memory. it doesn't list a location. BartPE (a "live"/bootable Windows) runs just fine and would have it's own drivers just in memory.
     
  10. Route44

    Route44 TechSpot Ambassador Posts: 11,966   +70

    Yes, go to our Virus and Malware Removal forum and see what they say.

    halaacpi.dll and ntkrnlmp.exe are critical drivers for the Operating System.
     
  11. gnznroses

    gnznroses TS Rookie Topic Starter

    k, will do that. thanks for your time & help
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please close this thread. Member has posted in the V&M forum. He may be referred back here if the problem appears to be system related rather than malware.

    Thank you.
     

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...