BSOD downloading virus removal tool and client registry error


  1. Posts : 15
    Windows 7 Home Premium
       #1


    I got the BSOD while working tonight and, while trying to find the root of the problem, have narrowed the problem down to the Kaspersky virus removal tool (free download). The original BSOD wasn't caused by that program, but every instance since is only the result of downloading that file.

    Upon reboot, the system said that the problem file was 1033, which corresponded with a file in Microsoft Office 2010, which I had just activated two days earlier. Uninstalling and deleting the program caused the virus removal tool to give me a client registry error and then go back to the BSOD.

    Have had no problems with any other programs, including Internet Security which has been run and come up with NO threats. An sfc fixed some problems, but I've run it three times with no further improvement. A system restore did not yield any better results.

    I'm hoping this isn't virus or malware, but the cause is really confusing me since I've removed the files that would seem to be the culprit.

    Here's MGADT:



  2. Posts : 21,004
    Desk1 7 Home Prem / Desk2 10 Pro / Main lap Asus ROG 10 Pro 2 laptop Toshiba 7 Pro Asus P2520 7 & 10
       #2

    Hello and welcome sv. I run Kaspersky ISS and haven't had any problems when using the TDSS. Just where did you download it from?


  3. Arc
    Posts : 35,373
    Microsoft Windows 10 Pro Insider Preview 64-bit
       #3

    And it is not a MGAdiag report that we need to assist you.

    Post it following the Blue Screen of Death (BSOD) Posting Instructions.


  4. Posts : 15
    Windows 7 Home Premium
    Thread Starter
       #4

    Here's the info you wanted:


  5. Posts : 15
    Windows 7 Home Premium
    Thread Starter
       #5

    ICit2lol said:
    Hello and welcome sv. I run Kaspersky ISS and haven't had any problems when using the TDSS. Just where did you download it from?
    Kaspersky runs fine. The removal tool, which I used once before with no problem, is from Kaspersky's site. I ran it as a "just to be safe" measure because my scans didn't report any viruses after the original BSOD, but it won't even get that far before tanking my system.

    EDIT: It wasn't the TDSS, that ran fine. It's the general virus removal tool.
    Last edited by sv76; 17 Sep 2013 at 10:49.


  6. Arc
    Posts : 35,373
    Microsoft Windows 10 Pro Insider Preview 64-bit
       #6

    Scan the system for possible virus infection with the following programs.


    Code:
    BugCheck 50, {fffff88003bb7ff8, 0, fffff80002ccf816, 0}
    
    *** WARNING: Unable to verify timestamp for 0048422drv.sys
    *** ERROR: Module load completed but symbols could not be loaded for 0048422drv.sys
    
    Could not read faulting driver name
    Probably caused by : 0048422drv.sys ( 0048422drv+4bc41 )
    
    Followup: MachineOwner
    ---------


  7. Posts : 15
    Windows 7 Home Premium
    Thread Starter
       #7

    Windows Defender Quick Scan came up with nothing.

    TDSS found 1 threat, copied to quarantine. It was the object you pointed out. I ran this last night and it came up with nothing, but I guess that doesn't matter.

    You'll have to forgive me because I have very little knowledge with computers. So, what should I do next to confirm the problem has been resolved?


  8. Arc
    Posts : 35,373
    Microsoft Windows 10 Pro Insider Preview 64-bit
       #8

    Do another scan with TDSSkiller, and then observe it for a few days.


  9. Posts : 15
    Windows 7 Home Premium
    Thread Starter
       #9

    TDSS again and deleted file, another scan and reboot gave the all-clear. Should I try to run the virus removal tool again to see if it works or just leave it alone?


  10. Arc
    Posts : 35,373
    Microsoft Windows 10 Pro Insider Preview 64-bit
       #10

    OK, try it :)


 
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.