Virus or Hardware/RAM problem?

[chuck825]

Greetings!

Two years ago I was helped by moderators and helpers on this forum, and so I have returned.

Background (long but please bear with me!): I am using a 3-year-old homebuilt P4 computer, shared by the family. In early March I added another 512mb of RAM (DDR 400) to speed things up. The computer did indeed run faster but would periodically reboot and show a "serious error" message box, which then opened a MS website with recommendations about possible causes, including recent hardware changes, outdated drivers, viruses, and the like. One recommendation was to run the Windows Memory Diagnostic Tool, which showed the memory to be OK. From reading various forums I eventually became acquainted with Memtest86+ and used it to test the 2 memory sticks. This revealed memory failure during test#5. Interestingly, in testing each memory stick separately, I found that my original 512mb stick had gone bad, not the new one. So I pulled the old one and ordered another new 512mb stick from the same vendor I had found on that very famous auction site that begins with "e".

In the interim, the computer seemed to run OK with the new 512mb stick, and when the second one arrived, I put it in and tested the pair again, using Memtest86+, which yielded another test#5 failure. Rats! However, tests of each stick individually produced no failures. From the memory forums I learned that my experience was not uncommon, and that I should reverse the sticks on the motherboard. Upon doing so, the pair tested OK with Memtest86+.

After a few days, I started experiencing reboots again. This time I de-selected the automatic restart option, found under "Startup and Recovery" on the "Advanced" tab of System Properties. This allowed me to read the BSOD error messages. These varied but were typically STOP 0x000000** messages, where the ** differed from failure to failure. I searched each message on Google but never came up with a definite explanation, only a reference to general RAM problems. However, some forum respondents mentioned that they had found rootkit infections of their computers that mimicked this same behavior.

Today I checked the scan logs of the AVG Free Edition that I use, and found that most (but not all) of my overnight complete system scans of the last 2 months did NOT complete. The log summary said something to the effect that the log was corrupted, and the number of files checked was much less than the number (approx 470,000) typically found in a complete scan. So I tried to run a BitDefender on-line scan. This crashed with another BSOD. Next I turned to the 8-step procedure here to collect the log files, but could not (and still cannot) get a complete scan using AVG 8.5 Free Edition without a BSOD failure. I downloaded a new copy of AVG, uninstalled the original, installed the new copy, and got the same results. Nevertheless, I did collect the 3 logs and have attached them.

Most of the evidence points to RAM, although it tests OK now, but I thought I would ask for your help on the rootkit virus side. Any and all advice will be much appreciated. Thanks in advance for your help!

 

[snowchick7669]

Hi Chuck825,

Doesn't seem to be any nasties in your logs. If you are concerned about a rootkit as such, try running a program designed more directly at them. I personally use GMER which is a free download from google, this will point out any suspicious looking files and creates a log which you can post up.

Seems more hardware orientated to me. Would be nice to have a look at those dumps, if you can post your minidump files then that would be greatly appreciated. Found in

C:\Windows\Minidump

That is the directory for XP. Then we can proceed to debug them for you

Just out of curiosity, how long are you running the memtest for?

 

[chuck825]

The minidump files got erased during step 2 by CCleaner. But I am sure I can come up with another within a day! Which is preferred: small, kernel, or complete? I had been set on small.

The memtest86+ runs were 7 passes or more (overnight), as recommended on the memory forums I was reading.

Two other quirks to mention:

When using the forward and back buttons on browser toolbars (I'm using Firefox at the moment, but see this also with Chrome and IE), I will often experience a double jump from a single left-click of the mouse. In other words, if I click on the back button, the browser will frequently move back to the SECOND most recent page rather than the most recent. I have not yet switched out my mouse with another to see if it's the mouse itself.

The second is that I also get the BSOD crash when I try to run "sfc /scannow" from the Run box. It runs long enough for the blue bar to advance about 25% from left to right, then crashes.

Thanks for your response. As soon as I generate another BSOD, I will include the minidump file.

 

[snowchick7669]

Haha, lucky we aren't medical doctors "Wait till you have another attack and let us know the outcome"

I would suggest running memtest for a bit longer, sometimes it only shows errors after 100 passes (has happened in a few cases). Generally for a new stick of RAM, 20 passes is the industry standard.

Machine isn't overheating is it? Could pay to run speedfan (download from google) and just monitor the temperature of the components over time, perhaps even run some applications and see if it shoots up in heat

 

[chuck825]

Hello again!

I ran GMER last night. The log is attached.

I ran AVG overnight and the scan completed -- with no detections. This morning (USA East Coast) I just ran BitDefender on-line scan - BSOD crash yielded minidump-01 which is attached. Then I ran "sfc /scannow" which ran to about 40% before its BSOD crash. This produced minidump-02, also attached.

I noticed in the GMER log its reference to fltmgr.sys. One of the STOP errors from the last day or two was the following:

"STOP: 0x0000008E (0xC0000005, 0xF777529D, 0xF186F950, 0x00000000)

FLTMGR.SYS Address f777529D base at F7774000 DateStamp 480251da
KMIXER.SYS Address F186F950 at base F186F950 DateStamp 00000000"

(No quotation marks in the original error message)

Any help or interpretation you can offer will be most appreciated. Thanks!

 

[snowchick7669]

Hi Chuck825,

Have had a quick look at your dump files, seem to indicate ntfs.sys as the issue in the first one.

Have you tried running chkdsk on your hard drive at all? Give that a go and see if it corrects any errors, I would then be seeing what brand your hard drive is and running a scan to check the sectors.

I personally find seatools good for most drives (even if they arent seagate), it won't repair the bad sectors however. But at least you can see whats going on.

Then simply run the tool by your hard drive manufacturer afterwards.

"STOP: 0x0000008E (0xC0000005, 0xF777529D, 0xF186F950, 0x00000000)

To address that one, microsoft suggest running windows update and getting the latest service pack (it also indicates RAM), but for now we can look at the others.

Let me know how you get on!

 

[chuck825]

Hi Snowchick7669:

Back again!

I ran chkdsk /r (log attached) -- seems all OK. I then ran all Basic tests from Seatools (log attached) -- again it all seems to be OK. Then I ran the Western Digital drive diagnostics tool (log attached). This also seems to be OK. But please let me know if you see something different.

After all this was done I just had a few minutes ago another BSOD, again the 0X8E version!

Look forward to your reply.

 

[snowchick7669]

Might pay to one have on of the Malware team check over your virus logs.

Whereas I can continue to address the hardware problem, sort of jumped ahead on you there.

Sorry

It seems chkdsk did correct some errors (generally rather normal). What Service Pack are you running? I'm assuming its XP.

Open up a new thread with your virus/spyware logs and ask one of the Malware team to have a check through for you