
Last resort asking for help ;-)

97 posts in this topic

Merged post

Hi guys and gals,

New to this forum. Thanks for being here.

I may be past the point of help.

I have a nasty bug on my machine Dell 5150 with XP Home SP3. This started with the machine just shutting down/rebooting with the BSOD a while back. Norton and AVG were on the machine and I removed both. I installed Avast. I just recently installed MB. Every time I attempt to run any of the scans the computer shuts off and restarts.

I can access the internet but cannot finish running any type of protection or removal program. Each will start and then within 1 - 2 minutes the system reboots. Half the time I get the BSOD, the "corrupt driver" stop error message 0x...0C4 is displayed as the problem. I did a complete diagnostics through Dell's utilities so all the hardware checks out.

At this point I can't even boot into "normal" Windows. I can only boot into safe mode. I have tried all the steps listed on the forum that are possible and every one that scans will cause a reboot. I thought Chameleon would work but no joy. rkill didn't work either. Tried the new user trick and now when I type in Malwarebytes in a Google search the computer will shut off and reboot. Is this thing a learning worm???? :angry2:

I would just wipe everything but I don't have a disk... only the option of returning the system to the point it was when purchased. I don't believe that will actually get rid of the problem. I would love nothing more than to write zeros to the drive and wipe this nightmare out.

So here I am asking for any help possible. TIA

Here are the files as requested.

BTW... I tried using HJT and it would not install. Also tried vipre rescue and it would install but the same thing happened with the scan. Sorry for the additional post but I didn't see a way to edit my first one, did I miss something? :unsure:

attach.txt

dds.txt


Back again after attempting a virus removal via another computer. I pulled the hard drive and installed it as another drive in a different machine (computer b). I have another desktop PC. I ran a full scan on the drive and Malwarebytes found nothing. However, while running that scan Avast stopped a Trojan. I then ran a scan from Avast on the drive. It found nothing.

I installed the drive back into the original machine. I still can't get into normal windows... so I am only able to run in safe mode. As soon as the windows logo appears I get the "driver corrupted" stop error message. I tried running rkill again and this time it worked. Malwarebytes was able to perform a quick scan without interruption. So, I attempted a full scan and it went right back to the same thing... rebooting. I tried Avast again and I kept getting an error message. I DLd the uninstall tool and reinstalled Avast with the latest version. As soon as I got to that magic place in the scan... a couple of minutes... same symptom... reboot.

I won't try anything else until I hear back from someone. Here are the latest from dds

dds.txt

attach.txt


Hello and :welcome:

Download BlueScreenView

No installation required.

Double click on BlueScreenView.exe file to run the program.

When scanning is done, go Edit>Select All.

Go File>Save Selected Items, and save the report as BSOD.txt.

Open BSOD.txt in Notepad, copy all content, and paste it into your next reply.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


Hi,

Thanks for the welcome... oh yeah... and thanks to the admin who merged the posts!

AND THANK YOU for the help!

Here is the BSOD text.

==================================================

Dump File : Mini042212-02.dmp

Crash Time : 4/22/2012 5:04:21 PM

Bug Check String : DRIVER_VERIFIER_DETECTED_VIOLATION

Bug Check Code : 0x000000c4

Parameter 1 : 0x0000003c

Parameter 2 : 0x0012ff0c

Parameter 3 : 0x00000000

Parameter 4 : 0x00000000

Caused By Driver : aswSnx.SYS

Caused By Address : aswSnx.SYS+35cf6

File Description : avast! Virtualization Driver

Product Name : avast! Antivirus System

Company : AVAST Software

File Version : 7.0.1426.0

Processor : 32-bit

Crash Address : ntoskrnl.exe+22f43

Stack Address 1 : ntoskrnl.exe+18379c

Stack Address 2 : aswSnx.SYS+35cf6

Stack Address 3 : aswSnx.SYS+366b7

Computer Name :

Full Path : C:\WINDOWS\Minidump\Mini042212-02.dmp

Processors Count : 2

Major Version : 15

Minor Version : 2600

Dump File Size : 90,112

==================================================

==================================================

Dump File : Mini042212-01.dmp

Crash Time : 4/22/2012 3:28:29 PM

Bug Check String : DRIVER_VERIFIER_DETECTED_VIOLATION

Bug Check Code : 0x000000c4

Parameter 1 : 0x0000003c

Parameter 2 : 0x0012ff0c

Parameter 3 : 0x00000000

Parameter 4 : 0x00000000

Caused By Driver : aswSnx.SYS

Caused By Address : aswSnx.SYS+35cf6

File Description : avast! Virtualization Driver

Product Name : avast! Antivirus System

Company : AVAST Software

File Version : 7.0.1426.0

Processor : 32-bit

Crash Address : ntoskrnl.exe+22f43

Stack Address 1 : ntoskrnl.exe+18379c

Stack Address 2 : aswSnx.SYS+35cf6

Stack Address 3 : aswSnx.SYS+366b7

Computer Name :

Full Path : C:\WINDOWS\Minidump\Mini042212-01.dmp

Processors Count : 2

Major Version : 15

Minor Version : 2600

Dump File Size : 90,112

==================================================

I downloaded the TDSSKiller to the desktop. When I unzipped the file I renamed it. When the program started the machine rebooted. Oh how frustrating this bugger is. I will try once more to see if it will work. It seems to know every time something is doing any type of scan that will find/catch it. FYI regedit works so if I need to go through there I am game.

Thanks again.

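As an added illustration (not part of the thread and not BlueScreenView's own code), here is a small Python script that parses a report in the "Save Selected Items" layout posted above and tallies, across all minidumps, which bug check fired and which driver each dump blames. The sample input is reconstructed from the two records in the post; the list of kernel images treated as "OS modules" is an assumption of the example, not something the tool reports.

```python
"""Summarise a BlueScreenView text report: which driver does each
minidump blame, and does one non-OS module keep showing up?
Added example; not part of the thread or the BlueScreenView tool."""
import re
from collections import Counter

# Sample input reconstructed from the report posted in this thread,
# in BlueScreenView's 'Save Selected Items' layout: records delimited
# by lines of '=' characters, one 'Field : value' per line.
SAMPLE_REPORT = r"""
==================================================
Dump File         : Mini042212-02.dmp
Crash Time        : 4/22/2012 5:04:21 PM
Bug Check String  : DRIVER_VERIFIER_DETECTED_VIOLATION
Bug Check Code    : 0x000000c4
Parameter 1       : 0x0000003c
Parameter 2       : 0x0012ff0c
Parameter 3       : 0x00000000
Parameter 4       : 0x00000000
Caused By Driver  : aswSnx.SYS
Caused By Address : aswSnx.SYS+35cf6
File Description  : avast! Virtualization Driver
Company           : AVAST Software
Crash Address     : ntoskrnl.exe+22f43
Stack Address 1   : ntoskrnl.exe+18379c
Stack Address 2   : aswSnx.SYS+35cf6
Stack Address 3   : aswSnx.SYS+366b7
Computer Name     :
Full Path         : C:\WINDOWS\Minidump\Mini042212-02.dmp
==================================================
==================================================
Dump File         : Mini042212-01.dmp
Crash Time        : 4/22/2012 3:28:29 PM
Bug Check String  : DRIVER_VERIFIER_DETECTED_VIOLATION
Bug Check Code    : 0x000000c4
Parameter 1       : 0x0000003c
Caused By Driver  : aswSnx.SYS
Caused By Address : aswSnx.SYS+35cf6
Company           : AVAST Software
Crash Address     : ntoskrnl.exe+22f43
Stack Address 1   : ntoskrnl.exe+18379c
Stack Address 2   : aswSnx.SYS+35cf6
Full Path         : C:\WINDOWS\Minidump\Mini042212-01.dmp
==================================================
"""

# Assumed list of kernel images that are rarely the real culprit when
# they appear on the stack; anything else is treated as a third-party driver.
OS_MODULES = {"ntoskrnl.exe", "ntkrnlpa.exe", "ntkrnlmp.exe",
              "ntkrpamp.exe", "hal.dll", "win32k.sys"}

FIELD_RE = re.compile(r"^\s*([A-Za-z0-9 ]+?)\s*:\s*(.*?)\s*$")
SEPARATOR_RE = re.compile(r"^=+\s*$")


def parse_report(text):
    """Split the report into one dict per dump record."""
    records, current = [], {}
    for line in text.splitlines():
        if SEPARATOR_RE.match(line):
            if current:
                records.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    if current:
        records.append(current)
    return records


def module_name(ref):
    """'aswSnx.SYS+35cf6' -> 'aswSnx.SYS' (drop the offset)."""
    return ref.split("+", 1)[0].strip()


def third_party_stack_modules(record):
    """Non-OS modules on the recorded stack, in order, without duplicates."""
    seen = []
    for key, value in record.items():
        if key.startswith("Stack Address") and value:
            mod = module_name(value)
            if mod.lower() not in OS_MODULES and mod not in seen:
                seen.append(mod)
    return seen


def summarize(records):
    """Count bug checks and blamed drivers; name the top non-OS suspect."""
    by_code = Counter(
        (r.get("Bug Check Code", "?").lower(), r.get("Bug Check String", "?"))
        for r in records)
    by_driver = Counter(r.get("Caused By Driver", "?") for r in records)
    suspects = [(d, n) for d, n in by_driver.most_common()
                if d.lower() not in OS_MODULES]
    return {
        "dumps": len(records),
        "by_code": dict(by_code),
        "by_driver": dict(by_driver),
        "suspect": suspects[0] if suspects else None,
    }


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    result = summarize(recs)
    print(f"{result['dumps']} dumps; bug checks: {result['by_code']}")
    print(f"blamed drivers: {result['by_driver']}")
    if result["suspect"]:
        driver, n = result["suspect"]
        print(f"suspect: {driver} blamed in {n} of {result['dumps']} dumps")
    for r in recs:
        print(r["Dump File"], "stack modules:", third_party_stack_modules(r))
```

Run on the sample, it reports that both dumps are bug check 0x000000c4 (DRIVER_VERIFIER_DETECTED_VIOLATION, the check raised by Driver Verifier) and that the only non-OS module on either stack is aswSnx.SYS, which is the reasoning behind the reply below that points at Avast. The same script can be run on a report with dozens of records to see whether one driver is consistently blamed or whether the blame moves around, which would point away from a single faulty driver.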

Hi again,

I renamed the zip file this time before extracting. This worked. The tdsskiller scan was able to complete... however, it found no threats. I think I need a wambulance.

Thanks.


The driver errors are caused by Avast. Can you uninstall that and see if you still have the same problem?

COMBOFIX

---------------

Please download ComboFix from one of these locations:


Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.


Hi,

Thanks for the tips.

OK I removed Avast, but, no changes as to the start up. The computer will automatically shut down with the BSOD error if I allow it to start normally. So... still using safe mode. At least that works and I have access to the internet!

Downloaded, saved, and ran Combofix.

Please see attached. You did want it attached and not cut and pasted, correct?

I really appreciate the help.

ComboFix.txt


Hi again, what driver file is now mentioned in the BSOD?

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:


Driver::
58768664
66971658

File::
c:\windows\system32\drivers\21784809.sys
c:\windows\system32\drivers\86837690.sys

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Hi,

I'm a little confused by the most recent response. I am not sure what CF-Script I am supposed to save. Am I clicking on the animation?

As far as the driver/BSOD issue I am pretty sure it is a corrupted driver caused by this same infection because that was the initial symptom. It has not changed.

The following is exactly what I am seeing each time the BSOD appears. It happens every time I start the computer and do not go into safe mode.

"A problem has been detected and windows has been shut down to prevent damage to your computer. A device driver attempting to corrupt the system has been caught. The faulty driver currently on the kernel stack must be replaced."

Then the normal "if this is the first time, yada, yada. At the bottom of the screen is the following...

"Technical information:

Stop: 0x000000C4 (0x00000000, 0x00000000, 0x00000001, 0x00000000)"

Is there another log file I should post for this?


OK... I re-read your instructions several times... guess I am tired. I got it. Here is the log file from combofix after dropping the CF-script into the program.

Also... I never reinstalled Avast. So I am running no antivirus at the moment. Shall I wait to reinstall it or does it matter? Thanks.

log.txt


You can reinstall Avast now as it has not made any difference for the BSOD issue.

Please press Windows key + R, type c:\windows\system32\verifier.exe and press enter.

This will open Driver Verifier Manager. Tick Display Existing Settings and click Next. Let me know if any category on the next screen is listed as Enabled (in that case you'll see Yes under Enabled?).


OK thanks. Just didn't want to install if there was some other testing or log needed.

In DVM all that are listed are not enabled.


I still see AVG remnants. Can you please verify if it is installed and if so uninstall. Alternatively use this utility.


Hi Elise,

I had uninstalled it earlier. So since you recommended the utility I used that. Do you want the uninstall log posted?

No change on restart. Still get the same BSOD.

I will try an Avast scan and see how far it gets.

Thank you! Again!


Well... it turns out that the latest version of Avast... the one I removed and then reinstalled was apparently corrupted by the infection. The program started but under the scan window none of the scan styles were listed. Only the option for a custom scan. It had question marks in the name. I tried renaming it and it would not change. I tried running a scan from there and got the same symptom, shut down/reboot. I figured I would go ahead and reload the program. When I opened the add remove programs list to uninstall Avast... it wasn't even listed. So I used the Avast removal tool.

Next I tried the Microsoft malicious software removal tool. I chose run rather than downloading it to minimize risk of corruption that way. It actually ran the quick scan and found nothing. I attempted to run it again and do a full scan... and got the same failure... reboot! UGH!


Did you reinstall Avast after running the removal tool?

Please press Windows key + R, type chkdsk /r and press enter.

Type Y and press enter to schedule the disk check for next reboot.

Restart the computer and let the disk check run unhindered. When done let me know if things have improved.


Yes... and Avast would not run through a scan and the scan screen was still missing the list of scans.

And I had deleted the Avast setup files and downloaded them again. :-(

I did a thorough hardware check with Dell utilities and disk check before even thinking about posting here. I will do another since you asked.


I'm asking you for this one as file system errors can be the cause of the problem you describe, which is why I want to rule it out before continuing.


OK... thanks for the info.

So... when I rebooted after typing in the command I let the computer attempt to go into windows and it did not run the scan, I just received the same BSOD error message. I rebooted again and went for safe mode. The computer screen stayed at the list of drivers and it sounded like it ran the disk check but I couldn't verify.


I re-ran the command and the computer acted the same. The amount of time it took to start in safe mode while the drivers list screen was up leads me to believe the scan was run.


Can you please run the Avast uninstall utility, restart the computer and then rerun combofix and post me the new scan log?


Please do the following in normal mode so we can see if the BSOD code has changed.

We Need to Diagnose Your BlueScreen

  1. When you boot your machine, press F8 to list the startup options, exactly as you would if you were trying to enter Safe Mode
  2. Select "Disable Automatic Restart on System Failure", as shown here:
    advancedoptions.png
  3. When your system BSODs, write down the STOP error code, as well as any written out error message back here. The STOP error will always appear, but the message may not. You are looking for this:
    bsod_c.jpg

Please post me the error(s).


Hi,

OK... I tried it twice and received the same information as I listed in post number 9 on this thread. The information in quotations.

"A problem has been detected and windows has been shut down to prevent damage to your computer. A device driver attempting to corrupt the system has been caught. The faulty driver currently on the kernel stack must be replaced."

Then the normal "if this is the first time, yada, yada. At the bottom of the screen is the following...

"Technical information:

Stop: 0x000000C4 (0x00000000, 0x00000000, 0x00000001, 0x00000000)"
