Rootkit Intrusion Possible cause for BSoD Error 0x00000050

jp281 · 13 Nov 2012

Hello, my name is Jogi. I was sent here by the BSOD team. Two weeks ago, my computer suddenly crashed while I was playing minecraft. Additionally, I was on skype with other players. The BSOD exactly happened when I clicked a link that was posted in the skype chat. Im not sure whether that guy posted a virus as the link was to a youtube video.

Then on from there I did multiple Scans with Norton at first. Nothing popped up. I posted my problem on the BSOD crash forum. They analyzed the data but they did not find a sure cause. I uninstalled Norton, and installed Avast as well as Malewarebytes. A boot time scan with Avast showed no viruses. On the onther hand the Malewarebytes keeps showing 2 trojan.agents in laptop. One is a memory process and a file. svchost.exe

Recently I pinpointed the exact time when my pc crashes. Whenever I try to install the Windows Security Updates, the system crashes. Yesterday while posting a reply on the bsod thread, Avast blocked like 20-25 malicious urls. with the process pointed toscvhost.exe. One of the members of the BSOD team said that a rootkit might have made a logical storage partition. My question is, How do I go about finding out whether a Rootkit Intrusion is the cause of the BSOD error 0x00000050?

P.s. I did use system restore to a point i think 9.23.12 the farthest I could go. Doesnt seem to work. One thing I did notice is that during the update... the system crashes exactly when it attempts to create a restore point. I really think this is a viable cause. Please assist my situation. Thanks. Let me know what additional data you need.

The link to the BSOD thread is right here: https://www.sevenforums.com/crashes-d...ml#post2176533

Jacee · 14 Nov 2012

Sounds like someone has compromised your computer ... Use a known "Clean" computer to change ALL your passwords! Do Not use the infected computer.

Let's flush the DNS cache and restore MS's Hosts file.
Copy and paste these lines in Note pad.

@Echo on
pushd\windows\system32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
popd
ipconfig /release
ipconfig /renew
ipconfig /flushdns
netsh winsock reset all
netsh int ip reset all
shutdown -r -t 1
del %0

Save as flush.bat to your desktop.

Double click on the flush.bat file to run it.Vista and Windows 7... right click the .bat file and choose to run as Administrator. Your computer will reboot itself.

Now, download (free version) Malwarebytes' Anti-Malware to your desktop
Malwarebytes Anti-Malware Download
* Double-click mbam-setup.exe and follow the prompts to install the program.Right click to run as Administrator, using Windows 7 or Vista.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. Copy and Paste that log into your next reply.

jp281 · 15 Nov 2012

OK I followed your suggestions. here is the log file attached. One new thing that just started is that some \\.\globalroot\systemroot\svchost.exe keeps going to random malicious websites like -searchthetext.com/insland-groupon-expire...- automatically. There are two files detected by Malewarebytes but when they are planned for "Delete on reboot", they come back when I restart. Do you think I should try some anti-Spyware program or does Malewarebytes does it all? tell me anything else to post. Im using Avast for now which is blocking access to those malicious urls.