BSOD after virus infection and removal

fezster

Yesterday I had a virus infection on my computer, which brought up a fake "Anti virus Protection" tool. I've had these in the past, and I usually just restore from my Acronis True Image backup, which is scheduled to run each day and back up my entire C drive.

The problem this time is that even after restoring (tried yesterday's backup, and the day before's backup), as soon as I boot I get google redirects, and then eventually BSOD.

My question is - how is the virus persisting even after the restore? Is it able to stay in memory, or is it present on one of my other hard drives (which are not touched by the restore)? And if the BSODs are due to corrupt system files or drivers, surely the restore should have recovered those - so I presume they are getting reinfected.

I've since tried running rkill.com and then MalwareBytes, whilst in safe mode, and it removed a number of infections from the computer. But I'm still getting a BSOD a minute after booting normally into Windows (safe mode is fine). The error is IRQL_NOT_LESS_OR_EQUAL and using BlueScreenView shows:

==================================================
Dump File : 082511-39249-01.dmp
Crash Time : 25/08/2011 08:47:14
Bug Check String : IRQL_NOT_LESS_OR_EQUAL
Bug Check Code : 0x0000000a
Parameter 1 : 00000070`000000dc
Parameter 2 : 00000000`00000002
Parameter 3 : 00000000`00000001
Parameter 4 : fffff800`02eb2045
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+70740
File Description :
Product Name :
Company :
File Version :
Processor : x64
Crash Address : ntoskrnl.exe+70740
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\tmp\082511-39249-01.dmp
Processors Count : 4
Major Version : 15
Minor Version : 7600
Dump File Size : 274,200
==================================================

My Computer, at a glance:
OS: Windows 7 Ultimate 32bit
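The BlueScreenView block above is already enough to decode what the kernel was doing when it died, because bug check 0xA has a documented parameter layout. The following is an added example, not code from the thread or from BlueScreenView: a small Python parser for that report format plus a decoder for the 0xA parameters (Microsoft's layout: P1 address referenced, P2 IRQL, P3 bit 0 read/write, P4 faulting instruction). The sample input is the report from this post; the user/kernel address boundaries assumed are the standard x64 canonical halves.

```python
"""Parse a BlueScreenView text report and decode the bug check 0xA parameters.

Added example (not code from the thread). The sample report is the block
pasted in the first post; the parameter layout is Microsoft's documented one
for bug check 0xA (IRQL_NOT_LESS_OR_EQUAL). Address ranges assume x64.
"""
import re

# Sample input: the report pasted in the first post (an empty field is kept on purpose).
SAMPLE_REPORT = """\
==================================================
Dump File : 082511-39249-01.dmp
Crash Time : 25/08/2011 08:47:14
Bug Check String : IRQL_NOT_LESS_OR_EQUAL
Bug Check Code : 0x0000000a
Parameter 1 : 00000070`000000dc
Parameter 2 : 00000000`00000002
Parameter 3 : 00000000`00000001
Parameter 4 : fffff800`02eb2045
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+70740
File Description :
Processor : x64
Crash Address : ntoskrnl.exe+70740
Full Path : C:\\tmp\\082511-39249-01.dmp
Major Version : 15
Minor Version : 7600
==================================================
"""

# Non-greedy key so that "Full Path : C:\tmp\..." splits at the first colon.
FIELD_RE = re.compile(r"^(.+?)\s*:\s*(.*)$")
IRQL_NAMES = {0: "PASSIVE_LEVEL", 1: "APC_LEVEL", 2: "DISPATCH_LEVEL"}


def parse_report(text):
    """Turn one 'Key : Value' block into a dict; the ===== separator lines are skipped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def parse_qword(text):
    """'00000070`000000dc' -> int; the backtick is the WinDbg 64-bit separator."""
    return int(text.replace("`", ""), 16)


def address_space(addr):
    """Classify an x64 virtual address: user half, kernel half, or non-canonical hole."""
    if addr < 0x0000_8000_0000_0000:
        return "user"
    if addr >= 0xFFFF_8000_0000_0000:
        return "kernel"
    return "non-canonical"


def is_64bit_kernel(fields):
    """A parameter wider than 32 bits can only have come from a 64-bit kernel."""
    return any(parse_qword(fields[f"Parameter {i}"]) > 0xFFFF_FFFF for i in range(1, 5))


def decode_bugcheck_0xa(fields):
    """Decode the four parameters of bug check 0xA.

    P1 = address referenced, P2 = IRQL at the time of the reference,
    P3 bit 0 = 0 read / 1 write, P4 = address of the instruction that did it.
    """
    code = int(fields["Bug Check Code"], 16)
    if code != 0xA:
        raise ValueError(f"not bug check 0xA: {code:#x}")
    p1, p2, p3, p4 = (parse_qword(fields[f"Parameter {i}"]) for i in range(1, 5))
    return {
        "referenced_address": p1,
        "referenced_space": address_space(p1),
        "irql": p2,
        "irql_name": IRQL_NAMES.get(p2, f"IRQL {p2}"),
        "operation": "write" if p3 & 1 else "read",
        "instruction_address": p4,
        "instruction_space": address_space(p4),
        # BlueScreenView names the module it found on the stack; when that is
        # ntoskrnl.exe it is the code that tripped, not necessarily the driver at fault.
        "module": fields.get("Caused By Address", fields.get("Caused By Driver", "")),
    }


def summarize(text):
    """One-line reading of a 0xA report, as a practitioner would state it."""
    f = parse_report(text)
    d = decode_bugcheck_0xa(f)
    bits = "64" if is_64bit_kernel(f) else "32"
    return (f"{f['Bug Check String']}: {d['operation']} to {d['referenced_space']} address "
            f"{d['referenced_address']:#018x} at {d['irql_name']} by {d['module']} "
            f"({d['instruction_address']:#018x}, {bits}-bit kernel)")


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```

For this report the decoder reads: a kernel-mode write to a user-half address at DISPATCH_LEVEL, issued from inside ntoskrnl.exe on a 64-bit kernel. That is the classic shape of the kernel tripping over a pointer something else corrupted, which is why "Caused By Driver: ntoskrnl.exe" does not identify the culprit and why the replies below ask for the .dmp itself: the stack in the minidump is what shows which third-party driver was on the path.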


To enable us to assist you with your computer's BSOD symptoms, upload the contents of your "\Windows\Minidump" folder.

The procedure:

* Copy the contents of \Windows\Minidump to another (temporary) location somewhere on your machine.
* Zip up the copy.
* Attach the ZIP archive to your post using the "paperclip" (file attachments) button.
* If the files are too large please upload them to a file sharing service like "Rapidshare" and put a link to them in your reply.


To ensure minidumps are enabled:

Go to Start, in the Search Box type: sysdm.cpl, press Enter.
Under the Advanced tab, click on the Startup and Recovery Settings... button.
Ensure that Automatically restart is unchecked.
Under the Write Debugging Information header select Small memory dump (256 kB) in the dropdown box (the 256kb varies).
Ensure that the Small Dump Directory is listed as %systemroot%\Minidump.
OK your way out.
Reboot if changes have been made.

My Computer, at a glance:
Computer Manufacturer/Model Number: HP Pavilion dv-7 1005 Tx
OS: Win 8 Release candidate 8400
Memory: 4 gigs
Graphics Card(s): Nvidia 9600M
Sound Card: HD built-in
Monitor(s) Displays: 17" Wxga
Screen Resolution: 1440x900
Cooling: none
Internet Speed: 45Mb down 5Mb up

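The sysdm.cpl steps in the reply above write to the CrashControl key in the registry, which makes them easy to verify without clicking through the dialog on every reboot. The following is an added example, not code from the thread: it audits the live values on Windows (or a dict exported from the affected machine) against the settings the reply asks for. The key and value names are Microsoft's; the CrashDumpEnabled encoding assumed is 0 none, 1 complete, 2 kernel, 3 small.

```python
"""Check whether a Windows box is set up to write small memory dumps.

Added example (not from the thread). It mirrors the sysdm.cpl steps in the
reply above using the CrashControl registry key that dialog writes to. Values
are read live on Windows; elsewhere pass them in as a dict (for example
transcribed from 'reg query' output on the affected machine).
"""
import os
import sys

CRASH_CONTROL = r"SYSTEM\CurrentControlSet\Control\CrashControl"

# Target state from the reply: small memory dump, no automatic restart,
# dumps written to %SystemRoot%\Minidump.
# CrashDumpEnabled: 0 none, 1 complete, 2 kernel, 3 small.
RECOMMENDED = {
    "CrashDumpEnabled": 3,
    "AutoReboot": 0,
    "MinidumpDir": r"%SystemRoot%\Minidump",
}


def read_crash_control():
    """Read the live values under HKLM (Windows only; returns {} on other platforms)."""
    if sys.platform != "win32":
        return {}
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CRASH_CONTROL) as key:
        for name in RECOMMENDED:
            try:
                values[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass  # absent value: audit() reports it as None
    return values


def _norm_path(path):
    """Compare paths case-insensitively, with %SystemRoot% expanded where the OS can."""
    return os.path.expandvars(str(path)).rstrip("\\").lower()


def audit(current):
    """Return (name, current, recommended) for every setting that deviates.

    A missing value counts as a deviation and is reported with current=None.
    """
    problems = []
    for name, want in RECOMMENDED.items():
        have = current.get(name)
        if have is None:
            ok = False
        elif name == "MinidumpDir":
            ok = _norm_path(have) == _norm_path(want)
        else:
            ok = int(have) == want  # int() also accepts "3" transcribed from reg query
        if not ok:
            problems.append((name, have, want))
    return problems


if __name__ == "__main__":
    deviations = audit(read_crash_control())
    for name, have, want in deviations:
        print(f"{name}: is {have!r}, should be {want!r}")
    if not deviations:
        print("crash dump settings match the recommendation")
```

Run it before the next crash, not after: if AutoReboot is still 1 the machine restarts before you can read the blue screen, and if CrashDumpEnabled is 0 there is no .dmp to attach at all.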
Thanks for the response.

Minidump from this morning's crash attached.

Hi and welcome

It is extremely difficult to diagnose from a single dmp. Yours is no exception. It is obviously a driver and so I suggest you run these two tests to verify your memory and drivers.

1-Memtest.

*Download a copy of Memtest86 and burn the ISO to a CD using Iso Recorder or another ISO burning program.

*Boot from the CD, and leave it running for at least 5 or 6 passes.

Just remember, any time Memtest reports errors, it can be either bad RAM or a bad motherboard slot.

Test the sticks individually, and if you find a good one, test it in all slots.

http://www.sevenforums.com/tutorials/105647-ram-test-memtest86.html

2-Driver verifier

I'd suggest that you first backup your data and then make sure you've got access to another computer so you can contact us if problems arise. Then make a System Restore point (so you can restore the system using the Vista/Win7 Startup Repair feature).

In Windows 7 you can make a Startup Repair disk by going to Start....All Programs...Maintenance...Create a System Repair Disc - with Windows Vista you'll have to use your installation disk or the "Repair your computer" option at the top of the Safe Mode menu .

Then, here's the procedure:
- Go to Start and type in "verifier" (without the quotes) and press Enter
- Select "Create custom settings (for code developers)" and click "Next"
- Select "Select individual settings from a full list" and click "Next"
- Select everything EXCEPT FOR "Low Resource Simulation" and click "Next"
- Select "Select driver names from a list" and click "Next"
Then select all drivers NOT provided by Microsoft and click "Next"
- Select "Finish" on the next page.

Reboot the system and wait for it to crash to the Blue Screen. Continue to use your system normally, and if you know what causes the crash, do that repeatedly. The objective here is to get the system to crash because Driver Verifier is stressing the drivers out. If it doesn't crash for you, then let it run for at least 36 hours of continuous operation (an estimate on my part).

If you can't get into Windows because it crashes too soon, try it in Safe Mode.
If you can't get into Safe Mode, try using System Restore from your installation DVD to set the system back to the previous restore point that you created.

http://www.sevenforums.com/tutorials/101379-driver-verifier-enable-disable.html