# Bluescreen reboots and malware!!



## longboneslinger (Nov 20, 2004)

Please, no 'search' flames. My system is too unstable at the moment to try searches. It crashes too often. Thx.

System specs: WinXP Pro, P4 2.66
512 MB RAM
GeForce 6200 OC (BFG Tech)
AV-Kaspersky Internet Security Suite. It updates daily and scans nightly.
Here are the problem(s). My comp will only stay in Windows for 3-5 minutes before it BSODs on me. Windows reports (website pullup after it reboots) that I have a conflict with my video card drivers.
I checked Device Manager and nothing is indicated, no yellow check marks etc. I was already running the latest drivers from NVIDIA. I uninstalled the drivers via Add/Remove Programs and reinstalled the ones on the disk that came with the card. Still blue screens after a few minutes.
So, I went back into Device Manager, still no icons. I went back into Add/Remove Programs and re-uninstalled the drivers and rebooted into safe mode and went back to Device Manager and uninstalled the card there. It listed it as Video Controller (VGA Compatible) since it has no drivers. I then went to the C drive and deleted the NVIDIA folder. I rebooted into Windows and cancelled the hardware install. Several minutes later, blue screen. I left it on in safe mode when I left for work and it's still up. It's set to shut down instead of reboot on major system error so it seems that the comp will run forever in safe mode.
Now, is this still a driver conflict?? Is it the standard Windows VGA drivers that are corrupt? I installed this card as a cheap replacement for my FX5200 that died. My monitor started going into suspend but wouldn't come out. I popped in an old Voodoo 3-3000 and it stayed up fine so I figured it was the card. This one worked fine for 2 weeks and then this weird crud. The only app I've installed since is the Kaspersky Internet Security Suite.
It also hangs up on shutdown for several minutes though it seems to boot fine. When it boots into safe mode it 'seems' to hang on AGP40.sys but since it's apparently the last thing listed it may just be busy elsewhere. I dunno. Also, the hard drive churns continuously even after Kaspersky finishes and it's the last to come up. This seems to indicate a crash since it keeps working right up to the blue screen.
Hopefully someone can help me figure this out. I just hope it ain't the card or my AGP slot since I can't afford a mobo or another card at the moment.

As a temp fix I went into Display-->Advanced-->Troubleshoot and set the 'Hardware Acceleration' slider to none and unchecked the 'Use Write Combining' box and haven't reinstalled the drivers. It seems stable but I can't play any games (which is why I use the ^%$# card any-&%&%-ing-way), but at least I can hit the net (Kaspersky's firewall won't run in safe mode). Update: I reinstalled the latest NForce drivers. Still running.
Here are the messages:
From MS:
Error type: Windows stop error
Cause: Video adaptor device driver
Computer Message: Stop 0x000000ea THREAD_STUCK_IN_DEVICE_DRIVER or 
DRIVER_M
UPDATE:
After the above fix, the comp stayed up for about 3 hours before blue screening again with the following message:
*** STOP: 0x0000007e (0x00000005, 0xf4d0000c4, 0xf8b88b54, 0xf8b99850)
***klif.sys address F4d000c4 base at f4cf3000 datestamp 44d328c7

MS calls this 'unknown' device driver.

I used the time to do some research. BlackLight won't load. Says it can't get the proper privileges. I'm in as admin. Here is the RootkitRevealer log:

HKLM\.DEFAULT\RemoteAccess\InternetProfile	3/30/2006 11:18 PM	13 bytes	Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-18\RemoteAccess\InternetProfile	3/30/2006 11:18 PM	13 bytes	Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Classes\webcal\URL Protocol	3/5/2005 12:52 AM	13 bytes	Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg	10/11/2006 5:03 PM	0 bytes	Access is denied.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\rnwhr6k7.default\Cache\2D2D92EBd01	11/2/2006 7:11 PM	37.83 KB	Hidden from Windows API.
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\PdmHist\614.18136C4401C6FEE4.history\00000001.bak	11/2/2006 7:10 PM	9.28 MB	Hidden from Windows API.
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\PdmHist\97c.E0D6D12601C6FEE3.history	11/2/2006 7:03 PM	0 bytes	Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\PdmHist\d3c.E0ABE6D201C6FEE3.history	11/2/2006 7:03 PM	0 bytes	Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\PdmHist\e68.12FB45F601C6FEE4.history	11/2/2006 7:04 PM	0 bytes	Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\PdmHist\ebc.3A3294A401C6FEE3.history	11/2/2006 6:58 PM	0 bytes	Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~1327dac24.htp	11/2/2006 7:11 PM	8.00 KB	Hidden from Windows API.
C:\WINDOWS\Temp\cch~1327db1ad.htp	11/2/2006 7:11 PM	8.00 KB	Hidden from Windows API.
C:\WINDOWS\Temp\cch~132e29436.htp	11/2/2006 7:11 PM	8.00 KB	Hidden from Windows API.
C:\WINDOWS\Temp\cch~132e2992a.htp	11/2/2006 7:11 PM	8.00 KB	Hidden from Windows API.
C:\WINDOWS\Temp\cch~f9edbb2c.htp	11/2/2006 7:07 PM	8.00 KB	Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~f9edc00a.htp	11/2/2006 7:07 PM	8.00 KB	Visible in Windows API, but not in MFT or directory index.

Sorry for the long post, but I'm trying to add all I can since I don't know how long I'll be up and running and want to include everything I can. I am about to reboot into safe mode and run Ad-Aware and Spybot since I updated them. Kaspersky won't run in safe mode which REALLY hacks me off but oh well. I installed it after a borked attempt at putting in Norton's suite and got some malware while I was at it. I think I may have had some anyway now. Kaspersky has killed a lot but the comp won't stay up long enough for a full scan and the firewall doesn't work in safe mode so I'm scared to use my cable connection since any trojans and other malware will use the open connection to add to their ranks.
Thx in advance to all.
Later taters,
Bone
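A small triage script for a RootkitRevealer log like the one above, added here as an example and not something from the thread. The volatile-location heuristic and the example.sys path are assumptions of the example; what it flags are candidates to inspect, not verdicts.

```python
# Constructed sample modelled on the tab-separated RootkitRevealer lines in the
# post above (path, timestamp, size, discrepancy); example.sys is a made-up path.
SAMPLE_LOG = "\n".join("\t".join(f) for f in [
    (r"HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg", "10/11/2006 5:03 PM",
     "0 bytes", "Access is denied."),
    (r"HKLM\SOFTWARE\Classes\webcal\URL Protocol", "3/5/2005 12:52 AM",
     "13 bytes", "Data mismatch between Windows API and raw hive data."),
    (r"C:\WINDOWS\Temp\cch~1327dac24.htp", "11/2/2006 7:11 PM",
     "8.00 KB", "Hidden from Windows API."),
    (r"C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6"
     r"\PdmHist\97c.E0D6D12601C6FEE3.history", "11/2/2006 7:03 PM", "0 bytes",
     "Visible in Windows API, but not in MFT or directory index."),
    (r"C:\WINDOWS\system32\drivers\example.sys", "11/2/2006 7:11 PM",
     "24.00 KB", "Hidden from Windows API."),
])

# The discrepancy strings RootkitRevealer prints, mapped to short categories.
CATEGORIES = {
    "Hidden from Windows API.": "hidden_from_api",
    "Visible in Windows API, but not in MFT or directory index.": "missing_from_mft",
    "Data mismatch between Windows API and raw hive data.": "registry_mismatch",
    "Access is denied.": "access_denied",
}

# Heuristic (an assumption of this example, not a RootkitRevealer rule): browser
# caches, temp folders and an AV product's own history folder change so often that
# a file can differ between the API pass and the raw-disk pass, so a discrepancy
# there is weaker evidence than one under system32.
VOLATILE_MARKERS = ("\\cache\\", "\\temp\\", "\\pdmhist\\")

def parse_log(text):
    """Parse RootkitRevealer output; lines without exactly four fields are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4:
            continue
        path, stamp, size, desc = parts
        entries.append({"path": path, "timestamp": stamp, "size": size,
                        "category": CATEGORIES.get(desc.strip(), "other"),
                        "volatile": any(m in path.lower() for m in VOLATILE_MARKERS)})
    return entries

def triage(entries):
    """Hidden or index-missing files outside volatile locations -> 'followup';
    registry discrepancies -> 'registry' (they need a different check)."""
    result = {"followup": [], "registry": []}
    for e in entries:
        if e["category"] in ("hidden_from_api", "missing_from_mft") and not e["volatile"]:
            result["followup"].append(e["path"])
        elif e["category"] in ("registry_mismatch", "access_denied"):
            result["registry"].append(e["path"])
    return result
```

Pipe the saved RootkitRevealer log into parse_log and then triage; the 'followup' list is what to pull off the disk from a clean boot environment and hash or scan, while the 'registry' list is checked by reading the keys from a second tool or offline.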


----------



## longboneslinger (Nov 20, 2004)

UPDATE:
Ad-Aware and Spybot found some junk, 3 from Ad-Aware and 2 from Spybot. All rated low.
a-squared found 5 including one trojan. AVG anti-spyware found nothing. McAfee Stinger found nothing either.
As an extra, I think that the blue screen happened about the same time that Kaspersky popped up an alert that it had found a trojan, can't remember the name. I hit 'neutralize' and I got a blue screen. One other blue screen happened after I started to reboot and noticed that the 'shut down' button had the icon indicating that Windows Updates had an install. So I shut down instead of rebooting. It started the usual 'installing updates' and 'don't unplug your computer' bit for about 2 minutes and blue screened. That's when I got the KLIF.SYS bit.
I'm about to go to Panda for a free online scan (if the comp stays up long enough!!). Afterwards I'll check back here then reboot and let Kaspersky try to do a full scan.
Later taters,
Bone


----------



## longboneslinger (Nov 20, 2004)

Update 2:
I let Kaspersky do a full scan. 7 hits for 2 different trojans, all reported deleted. I did a BitDefender online scan and found nothing. It stayed up all night for the BitDefender scan so I decided to try turning hardware acceleration back to full and turn write combining back on. Naturally I had to reboot for this to take effect. It bluescreened on reboot with this error:
BAD_POOL_HEADER
MS calls this 'unknown driver issue'.
Sigh. It won't shut down without a bluescreen and now this. This is annoying to say the least. I'm at my wits' end though I'm about to do some research for as long as I can.
Later taters,
Bone


----------



## longboneslinger (Nov 20, 2004)

Update 3:
I uninstalled the drivers for my sound card and reinstalled them. There was a problem with the uninstall. A .dll file wasn't able to be removed, permission denied. I installed the updated drivers and rebooted. It got to the log-on screen and blue screened.
I attempted a scandisk. It bluescreened on reboot. It wouldn't even let me into safe mode without a bluescreen.
I went into BIOS and set it to boot from the CD-ROM first and ran scandisk; it reported that the drive had several errors though it didn't say if it fixed them or not and I have no idea where the log file is if there is one, though I had the 'fix errors' box checked. Next I ran the recovery console. After I typed 'exit' it rebooted and started a scandisk. I let it run for the hell of it. It boots now. No idea if the problem is fixed or not. I'll wait to see.
For the hell of it I went into BIOS again and set 'install OS' to on and installed XP Home onto a spare HD I borrowed from a friend. It installed fine but after several reboots it always said it couldn't find the primary drive. I hit F1 to continue and it loads into Windows XP fine. I installed all my drivers and played around with no blue screens. Device Manager lists something called 'Scan' in unknown devices. I have NO clue what that could be. Every reboot it reports 'cannot find primary drive' but boots fine when I hit F1.
Next, I disconnected the new drive and reconnected the old C drive. It still says 'can't find primary drive' but boots normally when I hit 'F1 to continue'. Also, the onboard sound is now showing up in Device Manager under 'unknown devices' as 'Multimedia Audio Controller'. I have NO clue why the onboard sound has lost its drivers.
New bluescreen code:
***STOP 0x0000007e (0xc0000005, 0xf571398e, 0xf8c29c28, oxf8c29924)
***system32:1zx32.sys Address f571398e base at f5711000 datestamp 4538ed2a

All these different codes are making me wonder about power supplies. The only thing I've added is the sound card so it 'should' be up to the task unless it's about to die. Sigh.


----------



## longboneslinger (Nov 20, 2004)

Main problem solved. My UPS was going out. I took it out of the loop and the system has run for close to 24 hours with no bluescreens.


----------



## tetonbob (Jan 10, 2005)

Glad to hear you got it solved, sorry we weren't of more assistance. This kind of combo thread (hardware and malware issues) can be hard to place correctly for the proper exposure.

If you need support with the BSOD still, ask in XP, or Hardware for the UPS. If you think you need help with malware still, post a HijackThis log in the HijackThis Log forum.


----------

