BSOD - iaStor.sys issue

ucfknights22

I just ran into a BSOD randomly today while studying for finals (go figure). Anyways, I have not installed any new software prior to the BSOD. Essentially, the computer froze up while reading a .pdf, so I attempted to restart the computer with no success. I started the computer in safe mode and was in the middle of running a virus scan from Malwarebytes when the BSOD occurred. Below is the error message:

DRIVER_IRQL_NOT_LESS_OR_EQUAL
***STOP: 0x00000001 (0x0000000000000004, 0x0000000000000002, 0x00000000000000(rest is cut off), 0xFFFFF880012E5964)
***iastor.sys - Address FFFFF880012E5964 base at FFFFF880012E2000, Datestamp 4b8f2033

After receiving the message I took a look around for similar messages and tried some of the various remedies that I could. I've run the Kaspersky Rescue Disk, which didn't find anything. It doesn't allow me to install new software that uses the Windows Installer, so I could not try the Intel device update manager or the rootkit eliminator. I ran a disk chk but I got a BSOD that was slightly different. Here is the error message I received:

Technical Info:
***STOP: 0x0000007E (0xFFFFFFFFC0000005, 0xFFFFF8800107D57E, 0xFFFFF88003325948, 0xFFFFF88003325180)
*** iaStor.sys - Address FFFFF8800107D57E base at FFFFF88001008000, DateStamp 4b8f2033

After seeing the second error with a different code, I decided to throw it out to the experts here and give up on trying to figure it out myself. My system is running Windows 7 Home Premium 64-bit (OEM) and is 9 months old with the original OS installed. If you need any additional info, don't hesitate to ask. Attached is the BSOD dump, but I could not get the system health report working properly in safe mode. Thanks for the help!

Edit: I was able to get my BSOD dump uploaded online. Here is the link: http://www.mediafire.com/?zep722ei73ie56s
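
Added example, not part of the original posts: a small Python parser for the two STOP screens quoted above. It computes the fault offset inside iaStor.sys, decodes the driver datestamp (a PE build timestamp in Unix seconds), and reports which STOP parameter repeats the faulting address. The function name and dictionary keys are illustrative.

```python
import re
from datetime import datetime, timezone

# The two BSOD texts as posted above (the truncated parameter is kept as typed).
SAMPLE = """\
***STOP: 0x00000001 (0x0000000000000004, 0x0000000000000002, 0x00000000000000(rest is cut off), 0xFFFFF880012E5964)
***iastor.sys - Address FFFFF880012E5964 base at FFFFF880012E2000, Datestamp 4b8f2033
***STOP: 0x0000007E (0xFFFFFFFFC0000005, 0xFFFFF8800107D57E, 0xFFFFF88003325948, 0xFFFFF88003325180)
*** iaStor.sys - Address FFFFF8800107D57E base at FFFFF88001008000, DateStamp 4b8f2033
"""

STOP_RE = re.compile(r"\*+\s*STOP:\s*(0x[0-9A-Fa-f]+)\s*\((.*)\)\s*$")
MOD_RE = re.compile(
    r"\*+\s*(\S+)\s+-\s+Address\s+([0-9A-Fa-f]+)\s+base at\s+([0-9A-Fa-f]+),"
    r"\s*datestamp\s+([0-9A-Fa-f]+)", re.IGNORECASE)
HEX_RE = re.compile(r"0x[0-9A-Fa-f]+")

def parse_bugchecks(text):
    """Return one dict per STOP line, joined with the module line that follows it."""
    crashes = []
    for line in text.splitlines():
        line = line.strip()
        if m := STOP_RE.match(line):
            # A parameter that is not clean hex (e.g. cut off on screen) becomes None.
            params = [int(p, 16) if HEX_RE.fullmatch(p.strip()) else None
                      for p in m.group(2).split(",")]
            crashes.append({"code": int(m.group(1), 16), "params": params})
        elif (m := MOD_RE.match(line)) and crashes:
            name, addr, base, stamp = m.groups()
            addr, base = int(addr, 16), int(base, 16)
            c = crashes[-1]
            c["module"] = name.lower()
            c["offset"] = addr - base          # fault location relative to image base
            c["built"] = datetime.fromtimestamp(int(stamp, 16), tz=timezone.utc)
            # Which STOP parameter (1-based) repeats the faulting address, if any.
            c["addr_param"] = next(
                (i for i, p in enumerate(c["params"], 1) if p == addr), None)
    return crashes

if __name__ == "__main__":
    for c in parse_bugchecks(SAMPLE):
        print(f"STOP {c['code']:#x} {c['module']}+{c['offset']:#x} "
              f"built {c['built']:%Y-%m-%d} addr in param {c['addr_param']}")
```

Both screens name the same driver build (identical datestamp) loaded at different bases, faulting at two different offsets.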
 
Hello,

This is being caused by a notorious rootkit, I'm afraid. I'll let you make a choice here, and try to tell you about each one.

The first and probably best option is a complete wipe and reinstall. Depending on how much stuff you have installed, it might even be faster. It is certainly the safer option, because even if we can remove/disable the rootkit, you never know what pieces are lurking behind.

To do this, boot up an Ubuntu Live CD, and start copying your important files to an external hard drive or USB stick. I'm not sure if you'll have CD and DVD burning capabilities, but it wouldn't surprise me. If you want to use DVDs, give it a try!

Then stick in the Windows installation DVD and wipe the hard drive completely using the Clean All command: http://www.sevenforums.com/tutorials/52129-disk-clean-clean-all-diskpart-command.html

If you are dead set against a reformat, we can try to monkey around first. Bear in mind, this has proven to be extremely difficult to remove, and what works for one person doesn't always help another. My own success has been very limited, though I might blame much of that on the fact that people don't post back when I give advice. In other words, there's a chance that our monkeying around will be futile and we'll have to do a reformat in the end anyway.

I can give it my best shot, and I know one other person on SF who has been able to remove them in cases such as yours.

It's up to you.
 

Jonathan King,

Thanks for the response. I was afraid you were going to suggest a reformat. Fortunately, I don't have any files on this computer that aren't readily available elsewhere. I went ahead with the reformat and it has removed the problem. A quick question: any ideas as to where this rootkit could have been contracted? I want to minimize my chances of this happening again. I'm also curious as to where you get your driver updates from. I'm having issues finding if my drivers are up to date.

Thanks for the guidance,
Jeff
 
I wish I knew where the virus came from. If I can ever find that, I will intentionally infect a virtual machine just so I can figure out how to remove it. Let me know if you find the answer yourself!

As far as the driver updates, I can get a list of loaded drivers from the dumps and other files from the jcgriff2 report. If I see one I think might be the cause, I find a link on the manufacturer's website.
 
