Multiple BSOD after virus

Status
Not open for further replies.

brodie

Hi,

I was told to create a thread here after explaining my problems in the BSOD Help & Support forum. I'll just copy and paste what I said:

The past few weeks my computer has been either randomly restarting itself, completely freezing in which case I am forced to shut it down or coming up with the blue screen of death.

There have been four different BSOD messages pop up, sometimes with different codes though. More commonly I've been getting
DRIVER_IRQL_NOT_LESS_OR_EQUAL
STOP: 0x0000000D1 (0xEE1E5D00, 0x00000002, 0x00000000, 0xEE1E5000)

Then I received this one last week:
PAGE_FAULT_IN_NONPAGED_AREA
STOP: 0x00000050 (0x840FE84D, 0x00000001, 0x804E8F42, 0x00000000)

And just yesterday morning, when I first turned the computer on, after logging on this one came up:
IRQL_NOT_LESS_OR_EQUAL
STOP: 0x0000000A (0x000F7F38, 0x00000001, 0x00000000, 0x804E70DD)

So I restarted it, clicked my login name, then when I came back another BSOD popped up:
BAD_POOL_HEADER
STOP: 0x00000019 (0x00000020, 0x81031108, 0x81D31190, 0x0A110005)

I ran memtest a week ago but it came up with no errors. This all started happening not long after I had a virus on my computer. Every time I clicked a link on Google, it would redirect me to some other website completely unrelated. I managed to find out it was some virus a lot of people were having at the time and followed some of their advice. One of which told me to delete a file called 'wdmaud.sys' which it was apparently attacking. I did so, but then reinstalled a hotfix from Microsoft with that in it later on when the problems started as I thought maybe I shouldn't have deleted it.

I've also tried system restore, which didn't work. After a virus scan with AVG, I found that there were two trojan horses in the system restore files, I healed them but haven't tried rolling back the system again because I didn't know whether it would make it worse. I also found a "TrojanNewDot" in SuperAntiSpyware and also two Adware tracking cookies, which I quarantined and removed.

With the attached hijackthis log... someone told me there were infection remains from looking at this, but I don't know what to do. Can anyone tell me which to select and then 'fix checked'? Could this possibly be what is causing my problems?

Also, I tried running a SuperAntiSpyware and Malwarebytes scan today, but the computer kept restarting part way through so I couldn't finish it. I'm attaching the logs from a scan I did about a week ago... I don't know if that's a problem, but I'll keep trying to run a full scan and see if it manages to do so without restarting.

I don't have the actual Windows XP disc, but I do have an NEC Windows recovery disc... would reinstalling Windows fix the problem? If anyone has any suggestions to help fix this, I would really appreciate it.

Sorry for typing so much, I wasn't sure how much information to give. I don't know what computer specs you need.... I'm running Windows XP (Home edition), about 40 GB hard drive and 256MB RAM. If you need anything else, I am more than happy to provide what I can.

Thanks!
 
would reinstalling Windows fix the problem?
Re-installing (i.e. running your recovery disc and totally wiping the drive and all data) would certainly eliminate your present software

So if you want to do that, let us know now. ;)

But presently you have AVG8 installed, and your Malwarebytes was not updated, before scanning :(

I would suggest that you:

Uninstall your AVG Antivirus
Then run the removal tool
Here is the 32Bit version (most users): http://www.avg.com/filedir/util/avg_arm_sup_____.dir/avgremover.exe
Here is the 64Bit version: http://www.avg.com/filedir/util/avg_arv_sup_____.dir/avgremoverx64.exe

Run Startup Control Panel and remove any not required startups: (should be most!)

Install the much better Avira free AntiVirus

Start up Malwarebytes again; Update it; then run a full scan (remove all found Malwares)
You need to run this multiple times, until all hidden Malwares are uncovered and removed
 
Thanks for the response. No, I don't particularly 'want' to reinstall Windows, but I am prepared to do so as a last resort if nothing else works!

I followed what you said... I updated Malwarebytes, then tried running a scan a few times but the computer kept restarting so I have not yet been able to run a full scan. I'm still working on that! I uninstalled/removed AVG and installed Avira, when I scanned with that for some reason the computer played nice. The first scan resulted in EXP/ASF.GetCodec.Gen being found, so I quarantined it. Then I ran the rootkit search, afterward it asked me if I wanted to scan a partition or something. I did and it came up with 33 warnings.

I'll have to try Malwarebytes again tomorrow as I'm heading off to bed soon and don't like leaving the computer turned on overnight. I'll also see if that virus Avira found and quarantined might have had something to do with it, as the computer likes to have these problems more specifically just after I start up in the morning.

Anyway, thanks so much for your help, I really appreciate it!
 
That's ok :)

Also it was AVG that caused the restarts
And the found Virus\Malwares from Avira, tells me you definitely need to run a full scan with this. Then do another Malwarebytes (updated first) full scan

You're getting there :grinthumb But you just have to sleep for the moment :zzz:
 
Okie dokie. So when I started up the computer again this morning, firstly after logging in it came up with a plain blue screen then said "Out of Range" and the dimensions of the monitor. I couldn't do anything, so had to manually restart. After that it froze at login, then restarted twice during bootup, froze completely after 30 minutes and I think the last one was the Driver_irql blue screen. Apparently my computer does not like waking up in the mornings!

I ran a full scan with Avira last night, but it only took an hour or so... with AVG it usually took 6 long hours. I'll run another Avira scan in a minute. I just finished running a full Malware scan (I updated first) but it didn't find anything. I'm beginning to not like technology lol.

Also, I looked in the Event Viewer from the Control Panel and there seems to be at least one or more Errors pop up daily... I'm not sure if they correspond with the times that the computer messes up though.
 
I just ran it and it popped up saying "Disk check complete" but nothing about any errors found or anything. Sorry if this is turning into a bother!
 
with AVG it usually took 6 long hours. I'll run another Avira scan in a minute.

Did Avira find any Viruses?
By the way, I'm assuming Malwarebytes was fully updated, full scan completed, and nothing found

Also it may be time to provide a fresh HJT scan log as an attachment
 
I had to start the Avira scan again because it froze. So far it's found one warning, but no detections as yet. Yes, I updated Malwarebytes before scanning and clicked the full system scan and nothing found. I'll attach the log for that along with the hijack this.
 
Good job :grinthumb

Please run a scan only with HJT, and tick the following entries (all listed here by me)
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.belarc.com/cgi-bin/SecurityAdvisorUpdate?version=2005.6.14.0&date=1118707200&advisor=7.0o
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.1.1;*.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {0DB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - (no file)
O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O23 - Service: DeepSight Extractor Service for NP08 (eneaduyza) - Unknown owner - C:\WINDOWS\system32\gwlqinkejn.exe (file missing)
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
Close any Internet Browsers (like Internet Explorer or Firefox) Then select FIX

Also un-install Ad-aware, I feel it may be stopping changes made, seeing it starts with Windows as a service

---------

Download Combofix
Lots of info on its use here
Direct download here

Locate the downloaded Combofix. Double click on it to run, answering any prompts along the way
Note: during Combofix scan (lasting up to 10mins) your Desktop and clock may reset (all normal)
ComboFix will also restart your computer (eventually) and then (eventually) create a log

Save this log file to be attached to a new reply
Restart back to Normal mode, and attach the Combofix log

Also do another scan with HJT (scan and log file) and attach this to a new reply as well

I'd say, you'd just about be clean by then ;)
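
An added example, not part of the original thread: a small Python triage of HijackThis log lines that flags the kind of entries ticked above (those ending in `(no file)` or `(file missing)`) and, for O23 services, names the service to disable in services.msc if the entry returns after a fix, which is what the thread ends up doing. The sample log is constructed from entries quoted in the thread; the function name `triage` and its output fields are assumptions.

```python
import re

# Constructed sample: entries quoted in the thread. The Adobe line stands in
# for an entry whose target file is present; the first line is a non-entry.
SAMPLE_LOG = r"""
Running processes:
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O23 - Service: DeepSight Extractor Service for NP08 (eneaduyza) - Unknown owner - C:\WINDOWS\system32\gwlqinkejn.exe (file missing)
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")            # "O23 - <body>"
ORPHAN = re.compile(r"\s*\((?:no file|file missing)\)\s*$")
SERVICE = re.compile(
    r"^Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+)$"
)

def triage(log):
    """Return entries whose registry reference points at an absent file."""
    findings = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue                      # header or section title, not an entry
        section, body = m.groups()
        if not ORPHAN.search(body):
            continue                      # target exists; needs human judgement
        item = {"section": section, "entry": body, "action": "fix in HijackThis"}
        svc = SERVICE.match(body) if section == "O23" else None
        if svc:
            # HijackThis prints the short service name in parentheses only
            # when it differs from the display name.
            item["service"] = svc["name"] or svc["display"]
            item["owner"] = svc["owner"]
            item["path"] = ORPHAN.sub("", svc["path"])
            item["action"] = ("if it returns after a fix: set Startup type to "
                              "Disabled in services.msc, fix again, restart")
        findings.append(item)
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["section"], f.get("service", "-"), "->", f["action"])
```

An entry whose file is present is deliberately not flagged; deciding whether such an entry is wanted still needs a person reading the log.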
 
Okay, I've done everything you said to. The combofix and hijack this logs are attached. I selected all the entries you mentioned and clicked "fix checked" but looking at the new log, the "O23 - Service: DeepSight Extractor Service" is still there... so I don't know what that means.

But so far so good, no shut downs, bsod or restarts. I'll see how it goes tomorrow morning as that is usually when my problems tend to start. I'll let you know what happens.

Edit: I just tried running a SuperAntiSpyware scan, which was going fine until the computer froze completely. I don't know whether it helps to know, but it froze while scanning "C:\DRIVERS\RTM.EXE". I'll run the Avira scan again as I never finished that due to restarting with combofix.
 
Yes all good :)

Place another tick against these two as well: (browser can be left open)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O23 - Service: DeepSight Extractor Service for NP08 (eneaduyza) - Unknown owner - C:\WINDOWS\system32\gwlqinkejn.exe (file missing)

Clear system restore points

  • Clear your existing system restore points and establish a new clean restore point:
    • Go to Start > All Programs > Accessories > System Tools > System Restore
    • Select Create a restore point, and Ok it.
    • Next, go to Start > Run and type in cleanmgr
    • Select the More options tab
    • Choose the option to clean up system restore and OK it.
    This will remove all restore points except the new one you just created.

Restart

Tell me how it seems to be running :)
 
I fixed those two in hijack this and did as you said regarding the system restore. It restarted fine... so I did another hijack this scan and that O23 is back yet again.

Is it supposed to be such a persistent little bug? Regardless, things are running fine so far... if anything goes wrong, I'll let you know :)
 
Hmm, I now see what you mean
O23 - Service: DeepSight Extractor Service for NP08 (eneaduyza) - Unknown owner - C:\WINDOWS\system32\gwlqinkejn.exe (file missing)

Please click on Start->Run-> services.msc
Maximize the Services Window that opens

Locate DeepSight Extractor, and double click on it
Change the Startup to Disabled (instead of Automatic)
Apply->Ok and then exit Services Window

Then fix the quoted entry in HJT scan again
Then restart

Is it finally gone?
 
Ahh, you are a genius! :) After I disabled it, it was gone from HJT, so there wasn't anything for me to select. I restarted, ran the scan again and it's still gone. The only thing that has returned is the Proxy Override entry.

Thank you very much for all your helpful posts! So far so good with the computer, fingers crossed this has fixed it. If it screws up again, I'll let you know.
 
I just did that, ran HJT and the entry hasn't returned. And I've got to say, my computer seems to be running better after all of this... starting up usually took at least ten minutes before it was ready to use, now it's only a couple of minutes. Definitely a plus! I would never have known to do all of this on my own, so really, thanks so much again :)
 
Clear & Reset System Restore's Cache

Go to Start >> Run - type or copy/paste control sysdm.cpl,,4 and then press Enter
* Tick on the checkbox - Turn off System Restore on all drives
* Click Apply
Turn it back 'On' by unticking the same checkbox & click Apply, and then OK

Oh and thanks for all your good feedback :grinthumb

I'm thinking, all fixed :)
 
Done and dusted! Hopefully I never have to look at those scary blue screens again lol

That's no problem. I've posted my problem on a few other forums weeks ago but nobody responded (which I can understand as they probably get snowed under with requests), but you've been more than helpful on here, which I'm grateful for. Anyway, I'm heading off to bed and I think my computer needs a rest after all the health checks today. So goodnight! (or morning, whatever time it is for you). I'm feeling confident things will be fine on start up tomorrow :)
 
Sorry, I'm back again :( I haven't seen any BSODs this morning, it hasn't restarted or shut down (huge relief) but the computer has frozen twice. Once it shut down Firefox, then when I did alt+ctrl+del to see if it was running in the background, it froze. Then it froze again while I was updating Avira. I looked in the Event Viewer and there was an Error corresponding with the times it froze:

Event ID: 7000. The helpsvc service failed to start due to the following error:
The system cannot find the file specified.

So I tried going to services.msc, clicked 'start' this service and it popped up saying this: Could not start helpsvc on Local Computer. Error 2: The system cannot find the file specified.

Edit: I just came back to the computer after leaving it for a while and was greeted with a BSOD. There weren't any "driver_irql" or "bad_pool_header" names like that, it just said to check to make sure you have adequate disk space. If a driver is identified in the stop message, disable, etc. Try changing video adapters. Disable BIOS memory options (caching, shadowing), etc.
The stop code was: STOP: 0x0000008E (0xC0000005, 0x00000000, 0xF3174B3C, 0x00000000)

I've attached a new HJT log. But seeing as I've done all that cleaning the system yesterday, it might not be a virus problem? So if you want me to create a thread in a different section, that's not a problem.
 
I haven't tested the drivers yet, but I'm running the memtest at the moment on the computer (I'm using my other computer to type this). I ran a memtest86 (not 86+) last week and it came up with no errors... but this one has found 1817600 errors... I was worried just one would come up! I take it this isn't a good sign? And I'm guessing my RAM probably needs replacing... I let it run for 10 passes as it was still climbing in number at 7. I have a couple of things to do, so I'll see if there are any drivers that need updating shortly.

Edit: Call me dense, but I'm not sure what drivers I have from that list in the topic you linked... I have an NEC Powermate computer and I know there's some Realtek, SiS... and I have no idea what else.
 