Rash of BSoDs - What Could Be the Culprit Here?



Alright. Should I image the disk before or after I perform chkdsk? I saw some people saying chkdsk resulted in the loss of several files, folders going empty, etc. That's why I opted to copy my personal and necessary files to a USB drive now.



Will do. I'm glad I talked to you guys before plunging right into it!

 

After I finish imaging and run /chkdsk, I hope the hard drive holds out long enough for me to get my laptop back from RMA. I had to send it out Friday after the monitor and touchpad broke. Talk about horrible timing ... :}


Yep. :)

The idea is (generically) to have a way back and "infinite chances": if chkdsk works on the disk, good; if it doesn't, you restore the image to that disk (or to a new one) and try another program/method; if that works, good; otherwise you restore the image ....

jaclaz


Alrighty. Got the disk image and chkdsk ran alright.

 

I was looking through the log generated by chkdsk. It did some things to a few files which look like they had something to do with 3DS Max when I googled them, but what had me curious was the totals listed at the end.

 

"0 KB in bad sectors." Does this mean chkdsk would report bad sectors as a matter of course, regardless of whether or not you ran it as /r? (I THINK chkdsk ran as /f.)


Yes, it always reports the current number of sectors that have been identified as bad (during the latest check or any previous one). By the way, use the /r option only if you have a good reason to: it can report sectors as bad without them really being so, and it will destroy the data of any files that are detected as defective by replacing their defective sectors.


3 months later...

Hey guys,

 

It's been a while and not much has happened since I last posted here. I haven't had the time to try running that driver verifier, though now that I've got my laptop back I'll give it a shot soon. There was something interesting I wanted to bring up though, and I wonder if it may be related to what caused all the BSoDs.

 

Recently I checked out the latest version of SpyBot 2.4 (I had been using Avast and SpyBot for protection, but I've been advised to switch to using BitDefender and MalwareBytes, which I plan to do in the near future) and ran its rootkit scanner, which explicitly states that it doesn't find rootkits as such, but any of the tricks rootkit programs use, whether or not the programs using them are really rootkits.

 

It flagged two entries, one of which was a folder for one of my MMORPGs that had "no admin in ACL," and the other is a registry key in HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{0F3AAD10-A046-B8A8-F08A-227A6E0471C4}<0x00>, having something to do with Common Dialogs. SpyBot flagged this because of a "zero char in key."

 

I talked to an IT friend about this, who told me the MMORPG folder was a security settings thing, and that the other one, the registry key, is possibly suspicious, or just a badly designed registry key. Because it's blank, it's either a useless key in the Device Drivers section, or a tricksy method of doing something. He pointed out to me that many anti-cheat mechanisms for games and some forms of DRM try to install themselves as device drivers so they can run with kernel-level permissions, not just rootkits.

 

Which makes me wonder, is there a way I can track down how this registry key was created, and what programs may be using it? The fact this was found in the Device Drivers section of the registry seems like it might have something to do with what's been going on ...

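An added illustration of what a "zero char in key" finding means, not code from the thread or from any of the scanners mentioned in it. The kernel stores registry key names as counted strings (a length plus a buffer, the native-API UNICODE_STRING), so a U+0000 inside a name is just another character; the Win32 Reg* API, regedit and most user-mode tools handle names as NUL-terminated C strings, which end at the first U+0000. The script below simulates that mismatch offline with a constructed stand-in for the DeviceClasses subtree: the first GUID is made up, the second is the one the scan reported, and placing the NUL at the end of that name is an assumption (the thread only shows `<0x00>`). It does not read a real registry.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CountedName:
    """Counted string, as the kernel stores key names: the length is explicit,
    so a U+0000 inside the buffer is an ordinary character, not a terminator."""
    chars: str

    @property
    def length(self) -> int:
        return len(self.chars)


def cstring_view(text: str) -> str:
    """What a NUL-terminated consumer (wcslen, RegOpenKeyEx, regedit) sees:
    everything up to the first U+0000, and nothing after it."""
    end = text.find("\x00")
    return text if end < 0 else text[:end]


def has_embedded_nul(name: CountedName) -> bool:
    return "\x00" in name.chars


def render_spybot_style(name: CountedName) -> str:
    """Print the name the way the scan in the thread did: <0x00> marks each NUL."""
    return name.chars.replace("\x00", "<0x00>")


def win32_open_key(store: dict, subkey: str):
    """Emulates a Win32 Reg* call: the caller's string is cut at the first NUL,
    then matched against the counted names. A key whose real name contains a
    NUL can never be matched this way, so it cannot be opened, exported or
    deleted with ordinary tools."""
    wanted = cstring_view(subkey)
    for name, value in store.items():
        if name.chars == wanted:
            return value
    return None


def native_enumerate(store: dict) -> list:
    """Emulates a counted-string (native API) enumeration: every key is
    visible, whatever characters its name contains."""
    return list(store.keys())


def scan_for_hidden_keys(store: dict) -> list:
    """The check a 'zero char in key' scanner performs over the names that the
    native enumeration returns."""
    return [render_spybot_style(n) for n in native_enumerate(store) if has_embedded_nul(n)]


# Constructed demo subtree standing in for ...\Control\DeviceClasses. The first
# GUID is made up; the second is the one the scan flagged. That the NUL sits
# at the end of the name is an assumption: the thread only shows "<0x00>".
DEMO_DEVICECLASSES = {
    CountedName("{11111111-2222-3333-4444-555555555555}"): "constructed normal subkey",
    CountedName("{0F3AAD10-A046-B8A8-F08A-227A6E0471C4}\x00"): "subkey from the flagged finding",
}


if __name__ == "__main__":
    print("native enumeration sees", len(native_enumerate(DEMO_DEVICECLASSES)), "subkeys")
    print("flagged:", scan_for_hidden_keys(DEMO_DEVICECLASSES))
    # A C-string caller cannot reach the flagged key by its visible name ...
    print("open by visible name:",
          win32_open_key(DEMO_DEVICECLASSES, "{0F3AAD10-A046-B8A8-F08A-227A6E0471C4}"))
    # ... and the NUL cannot be carried through a C-string parameter either.
    print("open with NUL:",
          win32_open_key(DEMO_DEVICECLASSES, "{0F3AAD10-A046-B8A8-F08A-227A6E0471C4}\x00"))
```

The practical consequence is the one worth keeping in mind when deciding what to do with such a key: regedit and a .reg export will show at most the part of the name before the NUL and will fail to open or delete the real key, so inspecting or removing it needs a tool built on the native API. The NUL alone says nothing about who created the key or whether it is malicious; it only says ordinary tools cannot see it properly.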

Why "switch to"? I use an AV (just pick a good one), Spybot, *and* MBAM? Who's advising you? Tell them you have better advice resources. You might also get CCleaner (I also use that). WARNING on checking Registry inconsistencies (in both CCleaner and Spybot) - ensure you ARE backing up (via the program's options) before "fixing".

 

I have no clue if this will work on XP x64 -

http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx


Why "switch to"? I use an AV (just pick a good one), Spybot, *and* MBAM? Who's advising you?

 

I should point out, it was my idea to get Avast and Spybot and I've had them for several years.

 

Bitdefender was recommended to me by several people. One of them is an IT guy, the other is an avid MMO gamer who had used several different antivirus programs. Both of them recommended Bitdefender over Avast because Bitdefender can do a better job than Avast while consuming less system resources. They spoke both from personal experience and through reviews by test labs like AV-TEST.

 

That's the main reason why I'm planning to switch Avast out for Bitdefender. As for SpyBot, I like having it around purely for its Immunization technology, and the way it modifies the HOSTS file to head off any unwitting attempts to contact known malicious servers/sites. However, given the fact I had no idea SpyBot had received a whole new version for a year or two, and that some of the sites I've been looking at have given very unfavorable reviews of SpyBot, I'm starting to wonder if it's worth having on my system.

 

MBAM's free version was highly recommended as a "second line of defense" seeing that it has no active protection unless you pay for it. The free version, though, was recommended as something to run a scan with on a semi-regular basis to make sure nothing slips through the active scanner's cracks (and if it does, to get rid of it). It seems to be very well loved by IT professionals from what I saw on sites like AV-TEST.

 

I have no clue if this will work on XP x64 -

http://technet.micro...s/bb897445.aspx

 

I tried installing that, and it wouldn't work. But I did come across Malwarebytes' Anti-Rootkit BETA, and I'm giving that a spin just to see if it agrees with SpyBot's findings or not.

EDIT: Well, crap. BitDefender's free version does not support XP64, only XP32. In fact, the most recent version of BitDefender to support XP64 is their professional 2011 version. Glad I found out about this before I uninstalled Avast.

EDIT EDIT: Malwarebytes' Anti Rootkit BETA doesn't pick up any rootkits hidden in the devices or drive sectors. It won't finish scanning the file system, though, it keeps hanging up on History.IE5\desktop.ini in nVidia's UpdatusUser account.

EDIT EDIT EDIT: I went ahead and installed Malwarebytes for a second-line defense. It caught some "Potentially Unwanted" stuff I got rid of and two cases of something called Spyware.OnlineGames, both in hidden DLLs located in Windows' Fonts folder. Strange. I got rid of those too, then did another system scan after the restart. MBAM says the system is clean now.

Edited by TrevMUN

Just tried using it ... ComboFix won't run; it thinks XP64 is 2K. :huh:
 
I noticed that ComboFix automatically cleans up malware it detects. I'm more interested in finding out what program put that blank registry key in my system, or at least what program is using it. Given everything we've uncovered so far in this thread (such as the BSoDs being related to the device drivers), my hunch is that it might be the culprit, and that (based on the timing of everything) it might have been Renegade-X's doing.

 

MBAM's scan didn't flag the registry key as evidence of malware, and neither did their beta anti-rootkit utility.
 
EDIT: Oh, while I'm at it, I looked up what exactly Spyware.OnlineGames is, since MBAM found two instances of it in my fonts folder ...
 

Spyware.OnlineGames is technically not a virus, but it does exhibit plenty of malicious traits, such as rootkit capabilities to hook deep into the operating system, browser hijacking, and in general just interfering with the user experience. The industry generally refers to it as a "PUP," or potentially unwanted program.

The Spyware.OnlineGames infection is used to boost advertising revenue, as in the use of blackhat SEO, to inflate a site’s page ranking in search results.
 
Spyware.OnlineGames got on your computer after you installed freeware (video recording/streaming, download managers or PDF creators) that had this browser hijacker bundled into its installation. This Potentially Unwanted Program is also bundled within the custom installer on many download sites (examples: CNET, Brothersoft or Softonic), so if you have downloaded software from these websites, chances are that Spyware.OnlineGames was installed during the software setup process.


That's a relief. That means all four instances of malware that MBAM found weren't really that serious ... and in fact I bet they all came from the same source. Malwarebytes had classified one of the two other hits as being from OpenCandy, and I know I wound up getting THAT on my system due to trying to install a newer version of Daemon Tools Lite rather than the one I'd been using before.

 

Though I do wonder why Malwarebytes doesn't use the PUP prefix for Spyware.Onlinegames that it did for the other two hits it found.

Edited by TrevMUN
