Blue screen of death after virus disinfection


  1. Posts : 2
    Windows 7 Home Premium 32-bit
       #1

    Hello,

    Yesterday my laptop got infected. I fought against the infection by running programs such as Ad-Aware, Spybot, Malwarebytes and SUPERAntiSpyware multiple times. Finally, after several hours, these programs were not finding any malware anymore, but I still have a problem. When I switch on my computer, it crashes after about 5 minutes, except in safe mode. I had already had 2 blue screens while running Ad-Aware and then Malwarebytes when I was infected, but now it crashes all the time.

    I have Windows 7 32-bit. Originally, it was Windows Vista but I upgraded it.

    Thanks a lot for your help.


  2. Posts : 8,383
    Windows 10 Pro x64, Arch Linux
       #2

    Run this tool in Safe Mode with Networking: How to remove malware belonging to the family Rootkit.Win32.TDSS (aka Tidserv, TDSServ, Alureon)?
    Remove Avast and use MSE.
    Code:
    Unable to load image \SystemRoot\system32\DRIVERS\iaStor.sys, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for iaStor.sys
    *** ERROR: Module load completed but symbols could not be loaded for iaStor.sys
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    Use !analyze -v to get detailed debugging information.
    
    BugCheck 1000008E, {c0000005, 88e53b40, 907d8754, 0}
    
    Unable to load image \SystemRoot\System32\Drivers\aswSnx.SYS, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for aswSnx.SYS
    *** ERROR: Module load completed but symbols could not be loaded for aswSnx.SYS
    Probably caused by : iaStor.sys ( iaStor+41b40 )
    
    KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
    This is a very common bugcheck.  Usually the exception address pinpoints
    the driver/function that caused the problem.  Always note this address
    as well as the link date of the driver/image that contains this address.
    Some common problems are exception code 0x80000003.  This means a hard
    coded breakpoint or assertion was hit, but this system was booted
    /NODEBUG.  This is not supposed to happen as developers should never have
    hardcoded breakpoints in retail code, but ...
    If this happens, make sure a debugger gets connected, and the
    system is booted /DEBUG.  This will let us see why this breakpoint is
    happening.
    Arguments:
    Arg1: c0000005, The exception code that was not handled
    Arg2: 88e53b40, The address that the exception occurred at
    Arg3: 907d8754, Trap Frame
    Arg4: 00000000
    
    Debugging Details:
    ------------------
    
    
    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
    
    FAULTING_IP: 
    iaStor+41b40
    88e53b40 8b4704          mov     eax,dword ptr [edi+4]
    
    TRAP_FRAME:  907d8754 -- (.trap 0xffffffff907d8754)
    ErrCode = 00000000
    eax=a4f9c720 ebx=00000000 ecx=0000000e edx=a4f9c6b0 esi=a4f9c6b0 edi=00000000
    eip=88e53b40 esp=907d87c8 ebp=907d87d8 iopl=0         nv up ei ng nz na po cy
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010283
    iaStor+0x41b40:
    88e53b40 8b4704          mov     eax,dword ptr [edi+4] ds:0023:00000004=????????
    Resetting default scope
    
    CUSTOMER_CRASH_COUNT:  1
    
    DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
    
    BUGCHECK_STR:  0x8E
    
    PROCESS_NAME:  maconfservice.
    
    CURRENT_IRQL:  0
    
    LAST_CONTROL_TRANSFER:  from 82e48593 to 88e53b40
    
    STACK_TEXT:  
    WARNING: Stack unwind information not available. Following frames may be wrong.
    907d87d8 82e48593 86c74030 a4f9c720 854f5008 iaStor+0x41b40
    907d87f0 88f4540f 907d889c b8dfc420 b8dfc444 nt!IofCallDriver+0x63
    907d881c 8e71ebac 854f5008 8549aec8 1e0a2cf0 fltmgr!FltIsVolumeWritable+0x77
    907d8880 88f3bbf5 000000a4 00000005 01000008 aswSnx+0x2bac
    907d88b4 88f3c417 854ba890 00000005 188ea173 fltmgr!FltpDoInstanceSetupNotification+0x69
    907d8900 88f3c7d1 86c3f118 854f5008 00000005 fltmgr!FltpInitInstance+0x25d
    907d8970 88f3c8d7 86c3f118 854f5008 00000005 fltmgr!FltpCreateInstanceFromName+0x285
    907d89dc 88f45cde 86c3f118 854f5008 00000005 fltmgr!FltpEnumerateRegistryInstances+0xf9
    907d8a2c 88f3a7f4 854f5008 ae7cc320 8539cf80 fltmgr!FltpDoFilterNotificationForNewVolume+0xe0
    907d8a70 82e48593 a9daac00 854f5008 8539cfdc fltmgr!FltpCreate+0x206
    907d8a88 830582a9 b06f4d46 907d8c30 00000000 nt!IofCallDriver+0x63
    907d8b60 83037ac5 86c74030 a52c16e0 a8364570 nt!IopParseDevice+0xed7
    907d8bdc 83047ed6 00000000 907d8c30 00000040 nt!ObpLookupObjectName+0x4fa
    907d8c38 8303e9b4 03f7f1bc 852c16e0 00000001 nt!ObOpenObjectByName+0x165
    907d8cb4 83062218 03f7f218 c0100080 03f7f1bc nt!IopCreateFile+0x673
    907d8d00 82e4f1ea 03f7f218 c0100080 03f7f1bc nt!NtCreateFile+0x34
    907d8d00 774870b4 03f7f218 c0100080 03f7f1bc nt!KiFastCallEntry+0x12a
    03f7f220 00000000 00000000 00000000 00000000 0x774870b4
    
    
    STACK_COMMAND:  kb
    
    FOLLOWUP_IP: 
    iaStor+41b40
    88e53b40 8b4704          mov     eax,dword ptr [edi+4]
    
    SYMBOL_STACK_INDEX:  0
    
    SYMBOL_NAME:  iaStor+41b40
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: iaStor
    
    IMAGE_NAME:  iaStor.sys
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  4a287809
    
    FAILURE_BUCKET_ID:  0x8E_iaStor+41b40
    
    BUCKET_ID:  0x8E_iaStor+41b40
    
    Followup: MachineOwner
    ---------
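
The following Python example is added here and is not from any poster in this thread: it parses an abridged copy of the dump in post #2 and pulls out the bugcheck arguments, the drivers on the stack for which the debugger could not load an image, and the address of the failed memory read. The function name `triage` and the 64 KB low-address threshold are assumptions of this example.

```python
import re

# Abridged copy of the WinDbg output quoted in post #2 of this thread.
DUMP = r"""
Unable to load image \SystemRoot\system32\DRIVERS\iaStor.sys, Win32 error 0n2
BugCheck 1000008E, {c0000005, 88e53b40, 907d8754, 0}
Unable to load image \SystemRoot\System32\Drivers\aswSnx.SYS, Win32 error 0n2
88e53b40 8b4704          mov     eax,dword ptr [edi+4] ds:0023:00000004=????????
STACK_TEXT:
907d87d8 82e48593 86c74030 a4f9c720 854f5008 iaStor+0x41b40
907d87f0 88f4540f 907d889c b8dfc420 b8dfc444 nt!IofCallDriver+0x63
907d881c 8e71ebac 854f5008 8549aec8 1e0a2cf0 fltmgr!FltIsVolumeWritable+0x77
907d8880 88f3bbf5 000000a4 00000005 01000008 aswSnx+0x2bac
907d88b4 88f3c417 854ba890 00000005 188ea173 fltmgr!FltpDoInstanceSetupNotification+0x69
907d8d00 82e4f1ea 03f7f218 c0100080 03f7f1bc nt!NtCreateFile+0x34
"""

# A 32-bit kb frame: ChildEBP, RetAddr, three argument words, then the symbol.
FRAME = re.compile(r"^(?:[0-9a-f]{8} ){5}(\S+)$", re.M)
LOW_ADDRESS_LIMIT = 0x10000  # assumption: treat faults below 64 KB as NULL-based

def triage(text):
    """Summarise a WinDbg bugcheck analysis for first-pass driver triage."""
    m = re.search(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", text, re.M)
    if m is None:
        raise ValueError("no BugCheck line found")
    # Images the debugger could not load: their frames are module+offset only.
    no_image = {p.rsplit("\\", 1)[-1].lower()
                for p in re.findall(r"^Unable to load image (\S+),", text, re.M)}
    modules = []  # innermost frame first, duplicates collapsed
    for symbol in FRAME.findall(text):
        name = re.split(r"[!+]", symbol)[0].lower()
        if name not in modules:
            modules.append(name)
    # "ds:0023:00000004=????????" means the read at that address failed.
    access = re.search(r"\b[c-gs]s:[0-9a-f]{4}:([0-9a-f]{8})=\?{8}", text)
    fault = int(access.group(1), 16) if access else None
    return {
        "bugcheck": int(m.group(1), 16),
        "args": [int(a, 16) for a in m.group(2).split(",")],
        "stack_modules": modules,
        "unsymbolized_drivers": [n for n in modules if n + ".sys" in no_image],
        "fault_address": fault,
        "null_based_access": fault is not None and fault < LOW_ADDRESS_LIMIT,
    }

if __name__ == "__main__":
    for key, value in triage(DUMP).items():
        print(f"{key}: {value}")
```

For this dump it reports a failed read at address 4 inside iaStor, with aswSnx also on the call path. The module the debugger blames is where the exception occurred, which narrows where to look but does not by itself identify the root cause.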


  3. Posts : 132
    Windows 7 Ultimate 64 bit
       #3

    I got this problem too a few days ago; my computer was also infected by a trojan and a virustool. Microsoft Security Essentials found it and removed it. After that there were Blue Screens all the time and a malware popup in safe mode (with networking), so I decided to do a clean install of Windows 7, and now it's working again.

    P.S. My brother's PC got infected too, but with a different trojan. I installed Windows 7 on his PC too.

    After some searching on the internet, I came upon a website saying that my PC could possibly be infected by a rootkit.

    Hope you'll solve your problem ASAP. Wish you the best luck in it!


  4. Posts : 2
    Windows 7 Home Premium 32-bit
    Thread Starter
       #4

    Thanks a lot for your help.

    So I ran TDSSKiller and it found this: HardDisk0 (Rootkit.Win32.TDSS.tdl4).
    It cured it and I rebooted the computer. Since then, I haven't had any BSOD anymore. I uninstalled Avast, Spybot and Ad-Aware, installed MSE and performed a scan. According to MSE, there is no infection. Am I cured?

    Also, I have an offer for one year of Trend Micro or 6 months of McAfee, but I decided to keep Avast because I was satisfied with it. But is one of these programs better than MSE? My laptop is quite old, so if the antivirus is light, it's better.

    PS: thank you for your support Neoseer88.


  5. Posts : 8,383
    Windows 10 Pro x64, Arch Linux
       #5

    Murena said:
    Thanks a lot for your help.

    So I ran TDSSKiller and it found this: HardDisk0 (Rootkit.Win32.TDSS.tdl4).
    It cured it and I rebooted the computer. Since then, I haven't had any BSOD anymore. I uninstalled Avast, Spybot and Ad-Aware, installed MSE and performed a scan. According to MSE, there is no infection. Am I cured?

    Also, I have an offer for one year of Trend Micro or 6 months of McAfee, but I decided to keep Avast because I was satisfied with it. But is one of these programs better than MSE? My laptop is quite old, so if the antivirus is light, it's better.

    PS: thank you for your support Neoseer88.

    Yes, your computer is now cured. Keep MSE, as it is enough for basic protection :)


 

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.
