BSOD at erandom times, probably caused by malware.

[lazarba]

Okay so, I am getting / have been getting BSOD crashes at random times. I think I have made a connection between the computer being idle for a long time with the crashes ( ex. when downloading a game and I have to leave the computer unattended for a long time) . I posted on the BSOD thread first and here is the link to that post : http://www.sevenforums.com/bsod-hel...s-overrun-stack-based-buffer.html#post3088908
Arc suggests that the crash is caused by malware, so here I am seeking your help.
I can reinstall, but I would like to avoid it if possible .
(All the info relevant to the problem have been posted on the other post).
Thanks in advance.

 

[cottonball]

lazarba,

Please use the Farbar Recovery Scan Tool Download
Select the version that applies to your system: 64-bit
Save it to your Desktop.
Double-click the downloaded file to run it.

When the tool opens, click Yes to the disclaimer.

Press the Scan button.

When done, the tool makes a log, FRST.txt, in the same directory from which the tool is run (Desktop).

:ar: Please provide the FRST.txt in your reply.

The first time the tool is run, it also creates another log: Addition.txt
:ar: Also post the Addition.txt in your reply.

 

[lazarba]

Here you go!

 

[cottonball]

lazarba,

Have not forgotten you. Did take a look at the reports provided, and at first review, have not seen malware entries. Need to look at it more thoroughly, though.

Since the following driver has been questioned in your previous thread:
C:\Windows\SysWow64\WinFLAdrv.sys

Please run the file though one or more file scanners, and let's see if there are any malware detections:

VirusTotal
https://www.virustotal.com/

Jotti's malware scan

ThreatExpert - Online File Scanner

VirSCAN.org - Free Multi-Engine Online Virus Scanner v1.02, Supports 39 AntiVirus Engines!

Comodo Instant Malware Analysis


Also, please check the following file:
C:\Windows\SysWow64\WinVDEdrv.sys

If you get a message saying: File has already been analyzed, click: Reanalyze file


:ar: Please post the link to the results of the scanners chosen.

 

[lazarba]

lazarba,

Have not forgotten you. Did take a look at the reports provided, and at first review, have not seen malware entries. Need to look at it more thoroughly, though.

Since the following driver has been questioned in your previous thread:
C:\Windows\SysWow64\WinFLAdrv.sys

Please run the file though one or more file scanners, and let's see if there are any malware detections:

VirusTotal
https://www.virustotal.com/

Jotti's malware scan

ThreatExpert - Online File Scanner

VirSCAN.org - Free Multi-Engine Online Virus Scanner v1.02, Supports 39 AntiVirus Engines!

Comodo Instant Malware Analysis


Also, please check the following file:
C:\Windows\SysWow64\WinVDEdrv.sys

If you get a message saying: File has already been analyzed, click: Reanalyze file


:ar: Please post the link to the results of the scanners chosen.

For WinFLAdrv.sys
VirScan WinFLAdrv.sys MD5:98e452348ea54dc188883ee7ef12a842 0% Scanner(s) (0/39) found malware! - VirSCAN.org - Free Multi-Engine Online Virus Scanner v1.02, Supports 39 AntiVirus Engines!
Virus total https://www.virustotal.com/en/file/...0addc26be2e232e3ca3ff763/analysis/1434452779/
Comodo failed, ThreatExpert refused to accept my file , Jottis remained unresponsive.

For WinVDEdry.sys

Virus total https://www.virustotal.com/en/file/...fc476393d11a1bb2d2708e89/analysis/1434453354/
VirScan WinVDEdrv.sys MD5:3cc985a4e7d90f5b6d9ff1fd5cd486d7 0% Scanner(s) (0/39) found malware! - VirSCAN.org - Free Multi-Engine Online Virus Scanner v1.02, Supports 39 AntiVirus Engines!

They are both clean apparently.

 

[cottonball]

lazarba,

The file scanners you used are both good choices, and, as you mention, no malware found.

Let's go this route...

:info: Please, also use the herdProtect Anti-Malware Scanner:
Download herdProtect - Free Anti-Malware Platform

Select the Portable Version (green button on the right), and save to the Desktop

Double-click the herdProtectScan_Portable file to run the setup.

On the last prompt, make sure Launch herdProtect is checked, and press: Finish

Next, when presented with the Scanner prompt, press the green Scan button. (An Internet connection is needed.)
OK the next prompt.

The scan goes through various stages, and, when done, the scan Results are presented (Files scanned: xxx, Processes scanned: xxxx, etc.

When done, press (at the top): Save Results

:ar: Please do not remove any entries, and attach the herdProtect Scan_2015-(date) in your reply.


:info: Also, please give Malwarebytes Anti-Malware a whirl.
You may have used it at some point, just make sure it is updated, or get a fresh copy!

Download > https://www.malwarebytes.org/products/
Select the FREE version!
Save to the Desktop.

On the Desktop. double-click mbam-setup-2.X.X.XXXX.exe to install (X's = current version)
Allow the file to run.
Follow the setup wizard to Install.

Place a checkmark next to Launch Malwarebytes Anti-Malware, then click: Finish
However, please make sure to uncheck the PREMIUM version Trial checkmark, if it appears.

Once MBAM opens, click the Settings tab at the top, and, in the left column, select Detections and Protections
If not already checked, select: Scan for rootkits
Click the Scan tab at the top of the program window, and select: Threat Scan

Next, click: Scan Now
If you receive a message that updates are available, click: Update Now
At this point, the update is downloaded, installed, and the scan starts.
The scan may take some time to finish, so please be patient.

If potential threats are detected, select Quarantine All as the Action for all the listed items.
Next, click: Apply Actions

While still on the Scan tab, click the link for View detailed log
In the window that opens, click the Export button, select Text file (*.txt), and save the log to the Desktop.


:ar: Please post the MBAM report in your reply.

Notes:
1. The log is automatically saved by MBAM and is also viewed by clicking:
History tab > Application Logs.
2, If MBAM encounters a file that is difficult to remove...
Click OK and allow MBAM to proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

 

[Jacee]

After you've run MBam, as cottonball requested ... download CKScanner by askey127 from HERE
Important - Save it to your desktop.
Doubleclick CKScanner.exe and click Search For Files.
After a very short time, when the cursor hourglass disappears, click Save List To File.

A message box will verify the file saved.
Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

 

[lazarba]

Okay , done all three. Included the mbav scan file and the herdprotect file, and here is the CKScanner results :
CKScanner 2.5 - Additional Security Risks - These are not necessarily bad
c:\steam\steamapps\common\skyrim\data\textures\architecture\markarth\crackrock4.dds
c:\steam\steamapps\common\skyrim\data\textures\architecture\markarth\crackrock4b.dds
c:\steam\steamapps\common\skyrim\data\textures\architecture\markarth\crackrock4b_n.dds
c:\steam\steamapps\common\skyrim\data\textures\architecture\markarth\crackrock4var2.dds
c:\steam\steamapps\common\skyrim\data\textures\architecture\markarth\crackrock4var3.dds
c:\steam\steamapps\common\skyrim\data\textures\architecture\markarth\crackrock4_n.dds
c:\steam\steamapps\common\skyrim\data\textures\architecture\windhelm\wholdcrackedbrick.dds
c:\steam\steamapps\common\skyrim\data\textures\architecture\windhelm\wholdcrackedbrick2.dds
c:\users\lazaros\desktop\programs\comicrack.lnk
c:\users\lazaros\documents\my games\skyrim\saves\save 1791 - mar'dew cracked tusk keep 27.11.12.ess
c:\users\lazaros\documents\my games\skyrim\saves\save 1791 - mar'dew cracked tusk keep 27.11.12.skse
scanner sequence 3.EF.11.CWNAHZ
----- EOF -----

 

[lazarba]

Okay, just got another BSOD, this time there was no talk of drivers overflowing a stack based buffer and what-not, but regardless, here is the crashdump.

 

[Jacee]

Can you tell us about this C:\Windows\System32\Tasks\AutoKMS and this? C:\Windows\Tasks\AutoKMS.job

"The file is often installed if you are using a hacked program..... Office? and can be from a Keygen program."