BSOD + Malware

February 15, 2011 11:13:16 PM

I am working on a laptop that had a nasty virus infection and a series of random blue screens.

Toshiba C655D
Windows 7 Home Premium 64-bit

I ran MBAM + TDSSKiller because it had a search redirect virus, which I was hoping was related to the TDSS Rootkit; but that wasn't the case. TDSSKiller came back clean and MBAM just removed a few malware traces and some adware.

This laptop was blue screening in regular mode at the login screen or shortly after the login screen. Sometimes it would run for 5 minutes, sometimes it would run for an hour. The blue screen was different every time. I ran through a process of removing all unnecessary software, only to find the problem still persisted. I performed a clean boot on the machine by disabling all non-MS services and all startup items. The problem was still there. Convinced that it wasn't a software issue, I ran Memtest86. Ran through tests all night with no errors. I was able to get the computer up long enough to attempt to manually find hidden virus DLL files and I stumbled across one that had stumped me in the past:

C:\Windows\SysWOW64\FastUv32.dll (Known Malware)

I removed this file in the hope of FINALLY solving the problem. I knew it would solve the search redirect issue, as I have dealt with it before. The search issue was taken care of and the problem seemed to me to be a thing of the past. I downloaded and updated ALL drivers via Toshiba's website. I also downloaded and ran Combofix to see if it could snag anything I may have missed, but here is the current problem:

Combofix's loading bar appears, gets to the very end and blue screens. I'm not sure if this is a system incompatibility with 64-bit Windows, but I've used it before on similar machines with no issues. Anyway, during the initial reboot, I tried Safe Mode (which was working before), but it gave me a BSOD as soon as the login appeared.

I managed to get it up long enough, once again, to run an SFC /scannow. No problems were found. It is still consistently blue screening.

I will attach Minidump files for you to analyze.

If anyone has any idea of what else I can try, I would much appreciate it. I don't really want to reload the OS unless it's a last resort.
Quote:

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 7F, {8, 80050033, 6f8, fffff80002e570d2}

Probably caused by : ntkrnlmp.exe ( nt!KiDoubleFaultAbort+b2 )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

UNEXPECTED_KERNEL_MODE_TRAP (7f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault). The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
use .trap on that value
Else
.trap on the appropriate frame will show where the trap was taken
(on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 0000000000000008, EXCEPTION_DOUBLE_FAULT
Arg2: 0000000080050033
Arg3: 00000000000006f8
Arg4: fffff80002e570d2

Debugging Details:
------------------


BUGCHECK_STR: 0x7f_8

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

PROCESS_NAME: taskhost.exe

CURRENT_IRQL: 1

LAST_CONTROL_TRANSFER: from fffff80002e79ca9 to fffff80002e7a740

STACK_TEXT:
fffff880`009eec68 fffff800`02e79ca9 : 00000000`0000007f 00000000`00000008 00000000`80050033 00000000`000006f8 : nt!KeBugCheckEx
fffff880`009eec70 fffff800`02e78172 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
fffff880`009eedb0 fffff800`02e570d2 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiDoubleFaultAbort+0xb2
fffff87f`fffffff0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiDeliverApc+0x1e2


STACK_COMMAND: kb

FOLLOWUP_IP:
nt!KiDoubleFaultAbort+b2
fffff800`02e78172 90 nop

SYMBOL_STACK_INDEX: 2

SYMBOL_NAME: nt!KiDoubleFaultAbort+b2

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 4c1c44a9

FAILURE_BUCKET_ID: X64_0x7f_8_nt!KiDoubleFaultAbort+b2

BUCKET_ID: X64_0x7f_8_nt!KiDoubleFaultAbort+b2

Followup: MachineOwner


Quote:

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {fffff88005fffff8, 0, fffff880012558f3, 0}


Could not read faulting driver name
Probably caused by : Ntfs.sys ( Ntfs!NtfsCleanupIrpContext+32e )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fffff88005fffff8, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff880012558f3, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000000, (reserved)

Debugging Details:
------------------


Could not read faulting driver name

READ_ADDRESS: GetPointerFromAddress: unable to read from fffff800031020e0
fffff88005fffff8

FAULTING_IP:
Ntfs!NtfsCleanupIrpContext+32e
fffff880`012558f3 66443949f8 cmp word ptr [rcx-8],r9w

MM_INTERNAL_CODE: 0

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0x50

PROCESS_NAME: mscorsvw.exe

CURRENT_IRQL: 0

TRAP_FRAME: fffff8800600d0f0 -- (.trap 0xfffff8800600d0f0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff8800600d3e8 rbx=0000000000000000 rcx=fffff88006000000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff880012558f3 rsp=fffff8800600d280 rbp=fffff8a000125010
r8=0000000000000000 r9=0000000000000727 r10=fffff80003052c00
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz ac po cy
Ntfs!NtfsCleanupIrpContext+0x32e:
fffff880`012558f3 66443949f8 cmp word ptr [rcx-8],r9w ds:fffff880`05fffff8=????
Resetting default scope

LAST_CONTROL_TRANSFER: from fffff80002f4af14 to fffff80002eca740

STACK_TEXT:
fffff880`0600cf88 fffff800`02f4af14 : 00000000`00000050 fffff880`05fffff8 00000000`00000000 fffff880`0600d0f0 : nt!KeBugCheckEx
fffff880`0600cf90 fffff800`02ec882e : 00000000`00000000 fffff880`0600d3a0 fffffa80`05d00600 fffff800`02ee07a3 : nt! ?? ::FNODOBFM::`string'+0x42837
fffff880`0600d0f0 fffff880`012558f3 : 80000000`989bd963 fffff880`00e2099a fffff880`0600d660 00000000`00000000 : nt!KiPageFault+0x16e
fffff880`0600d280 fffff880`0125b76a : fffff880`0600d3a0 fffff880`00000001 00000000`00000000 fffff880`0600d3a0 : Ntfs!NtfsCleanupIrpContext+0x32e
fffff880`0600d2d0 fffff880`012fd244 : fffff880`0600d600 fffff880`0600d3a0 fffffa80`05b89c60 00000000`00000000 : Ntfs!NtfsCommonCleanupOnNewStack+0x14a
fffff880`0600d340 fffff880`010fd23f : fffff880`0600d3a0 fffffa80`05b89c60 fffffa80`05b89fb8 fffffa80`05becc30 : Ntfs!NtfsFsdCleanup+0x144
fffff880`0600d5b0 fffff880`010fb6df : fffffa80`047cd520 00000000`00000000 fffffa80`033cb300 fffffa80`05b89c60 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x24f
fffff880`0600d640 fffff800`031e0a0f : fffffa80`05b89c60 fffffa80`059f3b30 00000000`00000000 fffffa80`046cb4c0 : fltmgr!FltpDispatch+0xcf
fffff880`0600d6a0 fffff800`031c6a24 : 00000000`00000000 fffff8a0`02fb19d0 fffff8a0`019b0de0 fffff800`02ecf1fa : nt!IopCloseFile+0x11f
fffff880`0600d730 fffff800`031e0501 : fffff8a0`02fb19d0 fffff8a0`00000001 fffff8a0`02fb19d0 00000000`00000000 : nt!ObpDecrementHandleCount+0xb4
fffff880`0600d7b0 fffff800`03188374 : 00000000`00000008 fffff8a0`02fb19d0 fffff8a0`03ff9020 00000000`00000008 : nt!ObpCloseHandleTableEntry+0xb1
fffff880`0600d840 fffff800`031882f4 : 00000000`00000004 00000000`00000000 fffffa80`059f3b30 fffff800`031719e1 : nt!ObpCloseHandleProcedure+0x30
fffff880`0600d880 fffff800`0318713e : fffff8a0`03fe2001 fffff880`0600dc20 fffffa80`059f3b30 fffffa80`059f3b30 : nt!ExSweepHandleTable+0x74
fffff880`0600d8c0 fffff800`031afd18 : fffff8a0`03fe2060 00000000`00000000 00000000`00000000 000007ff`fffd9000 : nt!ObKillProcess+0x62
fffff880`0600d900 fffff800`03188635 : 00000000`00000000 fffff800`031c9101 000007ff`fffd9000 fffffa80`059f3370 : nt!PspExitThread+0x878
fffff880`0600d9c0 fffff800`02ea71db : fffffa80`05207001 fffffa80`05db2010 00000000`00000000 00000000`00000000 : nt!PsExitSpecialApc+0x1d
fffff880`0600d9f0 fffff800`02ea7620 : 00000000`00461860 fffff880`0600da70 fffff800`0318874c 00000000`00000001 : nt!KiDeliverApc+0x2eb
fffff880`0600da70 fffff800`02ec9a37 : fffffa80`059f3b30 00000000`00000001 fffffa80`05d00660 fffff800`031e0414 : nt!KiInitiateUserApc+0x70
fffff880`0600dbb0 00000000`7762008a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceExit+0x9c
00000000`0124ee28 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x7762008a


STACK_COMMAND: kb

FOLLOWUP_IP:
Ntfs!NtfsCleanupIrpContext+32e
fffff880`012558f3 66443949f8 cmp word ptr [rcx-8],r9w

SYMBOL_STACK_INDEX: 3

SYMBOL_NAME: Ntfs!NtfsCleanupIrpContext+32e

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: Ntfs

IMAGE_NAME: Ntfs.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bc14f

FAILURE_BUCKET_ID: X64_0x50_Ntfs!NtfsCleanupIrpContext+32e

BUCKET_ID: X64_0x50_Ntfs!NtfsCleanupIrpContext+32e

Followup: MachineOwner


Quote:

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 7F, {8, 80050033, 6f8, fffff80002e8f9bf}

Probably caused by : ntkrnlmp.exe ( nt!KiDoubleFaultAbort+b2 )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

UNEXPECTED_KERNEL_MODE_TRAP (7f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault). The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
use .trap on that value
Else
.trap on the appropriate frame will show where the trap was taken
(on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 0000000000000008, EXCEPTION_DOUBLE_FAULT
Arg2: 0000000080050033
Arg3: 00000000000006f8
Arg4: fffff80002e8f9bf

Debugging Details:
------------------


BUGCHECK_STR: 0x7f_8

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

PROCESS_NAME: conhost.exe

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from fffff80002e82ca9 to fffff80002e83740

STACK_TEXT:
fffff880`009eec68 fffff800`02e82ca9 : 00000000`0000007f 00000000`00000008 00000000`80050033 00000000`000006f8 : nt!KeBugCheckEx
fffff880`009eec70 fffff800`02e81172 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
fffff880`009eedb0 fffff800`02e8f9bf : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiDoubleFaultAbort+0xb2
00000000`00000000 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!PsEnterPriorityRegion+0xf


STACK_COMMAND: kb

FOLLOWUP_IP:
nt!KiDoubleFaultAbort+b2
fffff800`02e81172 90 nop

SYMBOL_STACK_INDEX: 2

SYMBOL_NAME: nt!KiDoubleFaultAbort+b2

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 4c1c44a9

FAILURE_BUCKET_ID: X64_0x7f_8_nt!KiDoubleFaultAbort+b2

BUCKET_ID: X64_0x7f_8_nt!KiDoubleFaultAbort+b2

Followup: MachineOwner

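The three analyses above are easier to compare when the key fields are pulled out and grouped by failure bucket: the same X64_0x7f_8 bucket hit in two unrelated processes (taskhost.exe and conhost.exe) points away from any one application and toward a kernel-mode driver or hardware, which is exactly the question the poster is trying to settle. The script below is an added example, not code from the original thread: it parses the kind of "!analyze -v" text pasted above, groups dumps by FAILURE_BUCKET_ID, and gives a one-line reading of the documented bugcheck parameters. The sample logs are constructed from the three quoted analyses, trimmed to the lines the parser needs; kd_command only builds the argument list for kd.exe (the -z, -y, -logo and -c switches) and assumes kd.exe and the Microsoft public symbol server are reachable when you actually run it.

```python
"""Triage helper for WinDbg/kd "!analyze -v" output (added example)."""
import re
from collections import defaultdict

# Constructed sample input: the relevant lines of the three posted analyses.
SAMPLE_LOGS = [
    """BugCheck 7F, {8, 80050033, 6f8, fffff80002e570d2}
Probably caused by : ntkrnlmp.exe ( nt!KiDoubleFaultAbort+b2 )
UNEXPECTED_KERNEL_MODE_TRAP (7f)
Arg1: 0000000000000008, EXCEPTION_DOUBLE_FAULT
PROCESS_NAME: taskhost.exe
CURRENT_IRQL: 1
IMAGE_NAME: ntkrnlmp.exe
FAILURE_BUCKET_ID: X64_0x7f_8_nt!KiDoubleFaultAbort+b2
""",
    """BugCheck 50, {fffff88005fffff8, 0, fffff880012558f3, 0}
Probably caused by : Ntfs.sys ( Ntfs!NtfsCleanupIrpContext+32e )
PAGE_FAULT_IN_NONPAGED_AREA (50)
PROCESS_NAME: mscorsvw.exe
CURRENT_IRQL: 0
IMAGE_NAME: Ntfs.sys
FAILURE_BUCKET_ID: X64_0x50_Ntfs!NtfsCleanupIrpContext+32e
""",
    """BugCheck 7F, {8, 80050033, 6f8, fffff80002e8f9bf}
Probably caused by : ntkrnlmp.exe ( nt!KiDoubleFaultAbort+b2 )
UNEXPECTED_KERNEL_MODE_TRAP (7f)
PROCESS_NAME: conhost.exe
CURRENT_IRQL: 0
IMAGE_NAME: ntkrnlmp.exe
FAILURE_BUCKET_ID: X64_0x7f_8_nt!KiDoubleFaultAbort+b2
""",
]

BUGCHECK_RE = re.compile(r"^BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}", re.M)
CAUSE_RE = re.compile(r"^Probably caused by\s*:\s*(\S+)", re.M)
# Upper-case "NAME: value" fields only; "Arg1:" and "Followup:" are skipped.
FIELD_RE = re.compile(r"^([A-Z][A-Z_]+):[ \t]*(\S.*?)[ \t]*$", re.M)


def parse_analyze(text):
    """Pull the fields that matter for triage out of one !analyze -v dump."""
    m = BUGCHECK_RE.search(text)
    if m is None:
        raise ValueError("no 'BugCheck' line found")
    fields = dict(FIELD_RE.findall(text))
    cause = CAUSE_RE.search(text)
    return {
        "code": int(m.group(1), 16),
        "args": [int(a.strip(), 16) for a in m.group(2).split(",")],
        "cause": cause.group(1) if cause else None,
        "process": fields.get("PROCESS_NAME"),
        "image": fields.get("IMAGE_NAME"),
        "bucket": fields.get("FAILURE_BUCKET_ID"),
        "irql": int(fields["CURRENT_IRQL"]) if "CURRENT_IRQL" in fields else None,
    }


def describe(rec):
    """Short reading of the bugcheck, based on its documented parameters."""
    code, args = rec["code"], rec["args"]
    if code == 0x7F and args[0] == 8:
        # Double fault on x64: most often kernel stack exhaustion (a driver
        # recursing or using huge stack frames); faulty hardware can do it too.
        return "double fault (0x7F/8): likely kernel stack overflow"
    if code == 0x7F:
        return "unexpected kernel-mode trap %#x" % args[0]
    if code == 0x50:
        op = "write to" if args[1] == 1 else "read from"
        return "page fault in nonpaged area: %s %#x in %s" % (op, args[0], rec["image"])
    return "bugcheck %#x" % code


def triage(logs):
    """Group dumps by failure bucket; record which processes each bucket hit."""
    by_bucket = defaultdict(lambda: {"count": 0, "processes": set(), "summary": None})
    for text in logs:
        rec = parse_analyze(text)
        entry = by_bucket[rec["bucket"]]
        entry["count"] += 1
        entry["processes"].add(rec["process"])
        entry["summary"] = describe(rec)
    return dict(by_bucket)


def kd_command(dump_path, log_path,
               symbol_path="srv*C:\\symbols*https://msdl.microsoft.com/download/symbols"):
    """kd.exe argument list that writes '!analyze -v' for one minidump to a log.
    -z dump file, -y symbol path, -logo overwrite log, -c run command then quit."""
    return ["kd.exe", "-z", dump_path, "-y", symbol_path,
            "-logo", log_path, "-c", "!analyze -v; q"]


if __name__ == "__main__":
    for bucket, info in triage(SAMPLE_LOGS).items():
        print("%-45s x%d  %s" % (bucket, info["count"], ", ".join(sorted(info["processes"]))))
        print("    " + info["summary"])
```

Run kd_command over every file in C:\Windows\Minidump first, then feed the resulting logs to triage; a bucket that recurs across unrelated processes, as the 0x7f_8 one does here, is the one to chase with the driver list (lm) and Driver Verifier rather than by uninstalling applications.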
February 24, 2011 7:08:07 PM

Run through the malware guide in my signature.

Combofix doesn't run on 64-bit operating systems. That's why you're having trouble with that.