Adlice forum

Software feedback => RogueKiller => Topic started by: David Cawley on August 19, 2015, 01:37:19 pm

Title: Help me understand? Antirootkit orange, no messages - VT.Unknown MBR code?
Post by: David Cawley on August 19, 2015, 01:37:19 pm
Background: I'm getting a BSOD every morning about 5 minutes after boot; other than that, the system is stable and fast.
The BSODs are different each time. I keep researching and doing proposed fixes, then I get a new BSOD... nightmare!

Registry:

This is my report:

RogueKiller V10.10.1.0 [Aug 17 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : David [Administrator]
Started from : C:\Users\David\Downloads\RogueKiller.exe
Mode : Scan -- Date : 08/19/2015 07:01:32

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 11 ¤¤¤
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} -> Found
[Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | CitrixReceiver : "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Citrix\Receiver Updater.lnk" -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\pmem (\??\C:\Users\David\AppData\Local\Temp\_MEI110402\drivers\winpmem64.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pmem (\??\C:\Users\David\AppData\Local\Temp\_MEI110402\drivers\winpmem64.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\pmem (\??\C:\Users\David\AppData\Local\Temp\_MEI110402\drivers\winpmem64.sys) -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2087372787-698181960-4156799124-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://finance.yahoo.com/  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2087372787-698181960-4156799124-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://finance.yahoo.com/  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2087372787-698181960-4156799124-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=bestbuy&pf=cnnb  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2087372787-698181960-4156799124-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=bestbuy&pf=cnnb  -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2087372787-698181960-4156799124-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2087372787-698181960-4156799124-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: KINGSTON SH100S3240G +++++
--- User ---
[MBR] 44a18fa383b29672982d934a3cf9f67e
[BSP] 88ca0319269ad6323fba2737c9302e92 : Unknown|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 199 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 409600 | Size: 211861 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 435040200 | Size: 16457 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
3 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 468758528 | Size: 50 MB
User = LL1 ... OK
User = LL2 ... OK


Is it odd that I have 3 PMEM messages? Do you guys see anything here I should be removing?
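David's question about the three pmem messages can be answered mechanically. The script below is an added example, not RogueKiller's code and not anything posted by the participants: it pulls the Services-key detections out of a RogueKiller report, folds the three ControlSet views into one record per service (HKLM\System\CurrentControlSet is a registry link to whichever ControlSet00N is named by HKLM\System\Select\Current, so a driver present in ControlSet001 and ControlSet002 is reported three times), and flags driver images that live under a user's Temp directory or a PyInstaller _MEI extraction folder. That layout is what a bundled Python tool leaves behind, which fits Curson's question about Detekt, a Python tool shipped as a PyInstaller executable that loads winpmem to read memory. The sample report embedded in the script reuses the pmem lines from the report above, with one of them run together with the preceding CitrixReceiver line as it was in the post, plus one constructed benign service (examplesvc) for contrast; the regular expressions and function names are this example's own.

```python
"""Triage the Services-key detections in a RogueKiller report.

Added example, not RogueKiller's own code. One record per service is built
from the three ControlSet views (HKLM\\System\\CurrentControlSet is a registry
link to whichever ControlSet00N HKLM\\System\\Select\\Current names, so a
driver present in two numbered sets is listed three times), and driver images
under a user's Temp directory or a PyInstaller _MEI folder are flagged.
"""
from __future__ import annotations

import re

# One Services-key detection. finditer() is used so that two entries pasted
# onto a single line still parse individually.
SERVICE_RE = re.compile(
    r"\[(?P<tag>[\w.]+)\]\s+\((?P<arch>X86|X64)\)\s+"
    r"HKEY_LOCAL_MACHINE\\System\\(?P<cs>CurrentControlSet|ControlSet\d{3})"
    r"\\Services\\(?P<svc>[^\s(]+)\s+\((?P<image>[^)]*)\)\s+->\s+(?P<status>\w+)",
    re.IGNORECASE,
)
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
PYINSTALLER_RE = re.compile(r"\\_MEI\d+\\", re.IGNORECASE)

# Sample input: the three pmem lines from the report posted above (the first
# is run together with the CitrixReceiver entry, as in the post) plus one
# constructed, benign service for contrast.
SAMPLE_REPORT = r"""
[Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | CitrixReceiver : "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Citrix\Receiver Updater.lnk" [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\pmem (\??\C:\Users\David\AppData\Local\Temp\_MEI110402\drivers\winpmem64.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pmem (\??\C:\Users\David\AppData\Local\Temp\_MEI110402\drivers\winpmem64.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\pmem (\??\C:\Users\David\AppData\Local\Temp\_MEI110402\drivers\winpmem64.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\examplesvc (C:\Program Files\Example\examplesvc.sys) -> Found
"""


def strip_nt_prefix(path: str) -> str:
    """Turn a kernel-style \\??\\C:\\... image path into a plain Win32 path."""
    return path[4:] if path.startswith("\\??\\") else path


def parse_service_entries(report: str) -> list[dict[str, str]]:
    """Every Services-key detection in the report, one dict per match."""
    return [m.groupdict() for m in SERVICE_RE.finditer(report)]


def summarize_services(report: str) -> dict[str, dict]:
    """Collapse per-ControlSet duplicates and attach risk flags per service."""
    services: dict[str, dict] = {}
    for entry in parse_service_entries(report):
        name = entry["svc"].lower()
        rec = services.setdefault(
            name,
            {"image": strip_nt_prefix(entry["image"]), "control_sets": set(), "flags": []},
        )
        rec["control_sets"].add(entry["cs"])

    for rec in services.values():
        # CurrentControlSet is an alias, so only the numbered sets are real copies.
        numbered = {cs for cs in rec["control_sets"] if cs.lower() != "currentcontrolset"}
        rec["distinct_stores"] = len(numbered) or 1
        if USER_TEMP_RE.search(rec["image"]):
            rec["flags"].append("driver image under a user Temp directory")
        if PYINSTALLER_RE.search(rec["image"]):
            rec["flags"].append("PyInstaller _MEI extraction folder (removed when the bundle exits)")
    return services


def report_lines(report: str) -> list[str]:
    """Human-readable summary, one service per block."""
    out: list[str] = []
    for name, rec in sorted(summarize_services(report).items()):
        sets = ", ".join(sorted(rec["control_sets"]))
        out.append(f"{name}: {rec['image']}")
        out.append(f"  listed in {sets} -> {rec['distinct_stores']} real control set(s)")
        out.extend(f"  flag: {flag}" for flag in rec["flags"])
    return out


if __name__ == "__main__":
    print("\n".join(report_lines(SAMPLE_REPORT)))
```

Run on the sample, pmem collapses to one service present in two real control sets and carries both flags, while the constructed examplesvc entry carries none. A driver whose image sits in a Temp folder that no longer exists is a failed or stale service registration, not a rootkit on its own, but the service key is worth removing once the tool that created it is gone.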

Title: Re: Help me understand? Antirootkit orange, no messages - VT.Unknown MBR code?
Post by: Curson on August 19, 2015, 03:03:12 pm
Hi David,

Welcome to Adlice.com Forum.
Is Detekt installed on your computer? If that's the case, please uninstall it.

The report you posted was generated with the 32-bit version of RogueKiller.
Please download RogueKiller (64-bit version) (http://www.adlice.com//?smd_process_download=1&download_id=2181), redo a full scan and post the report obtained in your next reply.

Regards.
Title: Re: Help me understand? Antirootkit orange, no messages - VT.Unknown MBR code?
Post by: David Cawley on August 19, 2015, 04:18:34 pm
First thank you so much for helping.
I have installed and run the 64-bit version.
I do not have Detekt running, at least I don't think I do; I've never heard of it.
Here are my results:
RogueKiller V10.10.1.0 (x64) [Aug 17 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : David [Administrator]
Started from : C:\Users\David\Downloads\RogueKillerX64_10_10_1_0 (1).exe
Mode : Scan -- Date : 08/19/2015 10:13:19

¤¤¤ Processes : 3 ¤¤¤
[VT.Unknown] EasyDmsExplorer.dll(3472) -- C:\Program Files\SAP\EasyDmsInterface\Ansi\EasyDmsExplorer.dll[-] -> Unloaded
[VT.Unknown] EasyDmsPrxy.dll(3472) -- C:\Program Files\SAP\EasyDmsInterface\Ansi\EasyDmsPrxy.dll[-] -> Unloaded
[VT.Unknown] librfc32.dll(3472) -- C:\Program Files\SAP\EasyDmsInterface\Ansi\librfc32.dll[-] -> Unloaded

¤¤¤ Registry : 11 ¤¤¤
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} -> Found
[Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | CitrixReceiver : "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Citrix\Receiver Updater.lnk" -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\pmem (\??\C:\Users\David\AppData\Local\Temp\_MEI110402\drivers\winpmem64.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pmem (\??\C:\Users\David\AppData\Local\Temp\_MEI110402\drivers\winpmem64.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\pmem (\??\C:\Users\David\AppData\Local\Temp\_MEI110402\drivers\winpmem64.sys) -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2087372787-698181960-4156799124-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://finance.yahoo.com/  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2087372787-698181960-4156799124-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://finance.yahoo.com/  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2087372787-698181960-4156799124-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=bestbuy&pf=cnnb  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2087372787-698181960-4156799124-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=bestbuy&pf=cnnb  -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2087372787-698181960-4156799124-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2087372787-698181960-4156799124-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: KINGSTON SH100S3240G +++++
--- User ---
[MBR] 44a18fa383b29672982d934a3cf9f67e
[BSP] 88ca0319269ad6323fba2737c9302e92 : Unknown|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 199 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 409600 | Size: 211861 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 435040200 | Size: 16457 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
3 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 468758528 | Size: 50 MB
User = LL1 ... OK
User = LL2 ... OK

Title: Re: Help me understand? Antirootkit orange, no messages - VT.Unknown MBR code?
Post by: Curson on August 19, 2015, 04:38:58 pm
Hi David,

Your report is clean.

BSODs are not always related to malware. We will check.
Please download BlueScreenView (x64) (http://www.nirsoft.net/utils/bluescreenview-x64.zip) and unzip the archive.
Regards.
Title: Re: Help me understand? Antirootkit orange, no messages - VT.Unknown MBR code?
Post by: David Cawley on August 19, 2015, 05:58:23 pm
Thanks again!

==================================================
Dump File         : 081915-14367-01.dmp
Crash Time        : 8/19/2015 6:24:00 AM
Bug Check String  : NTFS_FILE_SYSTEM
Bug Check Code    : 0x00000024
Parameter 1       : 00000000`001904fb
Parameter 2       : fffff880`093b7ce8
Parameter 3       : fffff880`093b7540
Parameter 4       : fffff880`01cd96c7
Caused By Driver  : Ntfs.sys
Caused By Address : Ntfs.sys+4211
File Description  : NT File System Driver
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 6.1.7600.16385 (win7_rtm.090713-1255)
Processor         : x64
Crash Address     : ntoskrnl.exe+735c0
Stack Address 1   :
Stack Address 2   :
Stack Address 3   :
Computer Name     :
Full Path         : C:\Windows\Minidump\081915-14367-01.dmp
Processors Count  : 8
Major Version     : 15
Minor Version     : 7601
Dump File Size    : 302,101
Dump File Time    : 8/19/2015 6:39:52 AM
==================================================

==================================================
Dump File         : 081815-14476-01.dmp
Crash Time        : 8/18/2015 8:10:14 PM
Bug Check String  : SYSTEM_SERVICE_EXCEPTION
Bug Check Code    : 0x0000003b
Parameter 1       : 00000000`c0000005
Parameter 2       : fffff800`03d8c89e
Parameter 3       : fffff880`097ba670
Parameter 4       : 00000000`00000000
Caused By Driver  : vwififlt.sys
Caused By Address : vwififlt.sys+4ad7670
File Description  : Virtual WiFi Filter Driver
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 6.1.7600.16385 (win7_rtm.090713-1255)
Processor         : x64
Crash Address     : ntoskrnl.exe+735c0
Stack Address 1   :
Stack Address 2   :
Stack Address 3   :
Computer Name     :
Full Path         : C:\Windows\Minidump\081815-14476-01.dmp
Processors Count  : 8
Major Version     : 15
Minor Version     : 7601
Dump File Size    : 302,101
Dump File Time    : 8/18/2015 8:27:29 PM
==================================================

==================================================
Dump File         : 081715-14851-01.dmp
Crash Time        : 8/17/2015 6:05:58 AM
Bug Check String  : SYSTEM_THREAD_EXCEPTION_NOT_HANDLED
Bug Check Code    : 0x1000007e
Parameter 1       : ffffffff`c0000005
Parameter 2       : fffff880`05432993
Parameter 3       : fffff880`079af638
Parameter 4       : fffff880`079aee90
Caused By Driver  : rdbss.sys
Caused By Address : rdbss.sys+409f870
File Description  : Redirected Drive Buffering SubSystem Driver
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 6.1.7600.16385 (win7_rtm.090713-1255)
Processor         : x64
Crash Address     : rdbss.sys+1b22993
Stack Address 1   :
Stack Address 2   :
Stack Address 3   :
Computer Name     :
Full Path         : C:\Windows\Minidump\081715-14851-01.dmp
Processors Count  : 8
Major Version     : 15
Minor Version     : 7601
Dump File Size    : 302,157
Dump File Time    : 8/17/2015 6:07:22 AM
==================================================

==================================================
Dump File         : 081615-14227-01.dmp
Crash Time        : 8/16/2015 1:29:57 PM
Bug Check String  : SYSTEM_SERVICE_EXCEPTION
Bug Check Code    : 0x0000003b
Parameter 1       : 00000000`c0000005
Parameter 2       : fffff800`03d718ee
Parameter 3       : fffff880`0ea9bab0
Parameter 4       : 00000000`00000000
Caused By Driver  : portcls.sys
Caused By Address : portcls.sys+d03dab0
File Description  : Port Class (Class Driver for Port/Miniport Devices)
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 6.1.7600.16385 (win7_rtm.090713-1255)
Processor         : x64
Crash Address     : ntoskrnl.exe+735c0
Stack Address 1   :
Stack Address 2   :
Stack Address 3   :
Computer Name     :
Full Path         : C:\Windows\Minidump\081615-14227-01.dmp
Processors Count  : 8
Major Version     : 15
Minor Version     : 7601
Dump File Size    : 301,989
Dump File Time    : 8/16/2015 1:30:36 PM
==================================================

==================================================
Dump File         : 081415-14898-01.dmp
Crash Time        : 8/14/2015 7:10:14 PM
Bug Check String  : SYSTEM_SERVICE_EXCEPTION
Bug Check Code    : 0x0000003b
Parameter 1       : 00000000`c0000005
Parameter 2       : fffff800`03ae0876
Parameter 3       : fffff880`0f669fd0
Parameter 4       : 00000000`00000000
Caused By Driver  : dump_iaStor.sys
Caused By Address : dump_iaStor.sys+bc2bfd0
File Description  :
Product Name      :
Company           :
File Version      :
Processor         : x64
Crash Address     : ntoskrnl.exe+735c0
Stack Address 1   :
Stack Address 2   :
Stack Address 3   :
Computer Name     :
Full Path         : C:\Windows\Minidump\081415-14898-01.dmp
Processors Count  : 8
Major Version     : 15
Minor Version     : 7601
Dump File Size    : 302,413
Dump File Time    : 8/14/2015 7:11:12 PM
==================================================

==================================================
Dump File         : 080515-15038-01.dmp
Crash Time        : 8/5/2015 8:10:36 PM
Bug Check String  : SYSTEM_SERVICE_EXCEPTION
Bug Check Code    : 0x0000003b
Parameter 1       : 00000000`c0000005
Parameter 2       : fffff800`03dc22dc
Parameter 3       : fffff880`0965f0f0
Parameter 4       : 00000000`00000000
Caused By Driver  : circlass.sys
Caused By Address : circlass.sys+405f0f0
File Description  : Consumer IR Class Driver for eHome
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 6.1.7600.16385 (win7_rtm.090713-1255)
Processor         : x64
Crash Address     : ntoskrnl.exe+748c0
Stack Address 1   :
Stack Address 2   :
Stack Address 3   :
Computer Name     :
Full Path         : C:\Windows\Minidump\080515-15038-01.dmp
Processors Count  : 8
Major Version     : 15
Minor Version     : 7601
Dump File Size    : 302,157
Dump File Time    : 8/5/2015 8:12:23 PM
==================================================

==================================================
Dump File         : 072815-13774-01.dmp
Crash Time        : 7/28/2015 3:48:35 PM
Bug Check String  : SYSTEM_SERVICE_EXCEPTION
Bug Check Code    : 0x0000003b
Parameter 1       : 00000000`c0000005
Parameter 2       : fffff960`001a8683
Parameter 3       : fffff880`0b0601e0
Parameter 4       : 00000000`00000000
Caused By Driver  : win32k.sys
Caused By Address : win32k.sys+d8683
File Description  : Multi-User Win32 Driver
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 6.1.7600.16385 (win7_rtm.090713-1255)
Processor         : x64
Crash Address     : ntoskrnl.exe+748c0
Stack Address 1   :
Stack Address 2   :
Stack Address 3   :
Computer Name     :
Full Path         : C:\Windows\Minidump\072815-13774-01.dmp
Processors Count  : 8
Major Version     : 15
Minor Version     : 7601
Dump File Size    : 303,637
Dump File Time    : 7/28/2015 3:50:19 PM
==================================================

==================================================
Dump File         : 072815-14086-01.dmp
Crash Time        : 7/28/2015 7:12:38 AM
Bug Check String  : SYSTEM_THREAD_EXCEPTION_NOT_HANDLED
Bug Check Code    : 0x1000007e
Parameter 1       : ffffffff`c0000005
Parameter 2       : fffff800`03ab97c5
Parameter 3       : fffff880`058702e8
Parameter 4       : fffff880`0586fb40
Caused By Driver  : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+6c7c5
File Description  : NT Kernel & System
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 6.1.7601.18933 (win7sp1_gdr.150715-0600)
Processor         : x64
Crash Address     : ntoskrnl.exe+6c7c5
Stack Address 1   :
Stack Address 2   :
Stack Address 3   :
Computer Name     :
Full Path         : C:\Windows\Minidump\072815-14086-01.dmp
Processors Count  : 8
Major Version     : 15
Minor Version     : 7601
Dump File Size    : 264,650
Dump File Time    : 7/28/2015 7:13:06 AM
==================================================

==================================================
Dump File         : 072815-13416-01.dmp
Crash Time        : 7/28/2015 7:11:18 AM
Bug Check String  : NTFS_FILE_SYSTEM
Bug Check Code    : 0x00000024
Parameter 1       : 00000000`001904fb
Parameter 2       : fffff880`07bacc88
Parameter 3       : fffff880`07bac4e0
Parameter 4       : fffff880`01cd8c45
Caused By Driver  : Ntfs.sys
Caused By Address : Ntfs.sys+4211
File Description  : NT File System Driver
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 6.1.7600.16385 (win7_rtm.090713-1255)
Processor         : x64
Crash Address     : ntoskrnl.exe+748c0
Stack Address 1   :
Stack Address 2   :
Stack Address 3   :
Computer Name     :
Full Path         : C:\Windows\Minidump\072815-13416-01.dmp
Processors Count  : 8
Major Version     : 15
Minor Version     : 7601
Dump File Size    : 302,157
Dump File Time    : 7/28/2015 7:12:04 AM
==================================================

==================================================
Dump File         : 072515-14055-01.dmp
Crash Time        : 7/25/2015 7:40:18 AM
Bug Check String  : BUGCODE_USB_DRIVER
Bug Check Code    : 0x000000fe
Parameter 1       : 00000000`00000005
Parameter 2       : fffffa80`0769b1a0
Parameter 3       : 00000000`80863b3c
Parameter 4       : fffffa80`094ec258
Caused By Driver  : rdbss.sys
Caused By Address : rdbss.sys+a2dff2
File Description  : Redirected Drive Buffering SubSystem Driver
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 6.1.7600.16385 (win7_rtm.090713-1255)
Processor         : x64
Crash Address     : ntoskrnl.exe+748c0
Stack Address 1   :
Stack Address 2   :
Stack Address 3   :
Computer Name     :
Full Path         : C:\Windows\Minidump\072515-14055-01.dmp
Processors Count  : 8
Major Version     : 15
Minor Version     : 7601
Dump File Size    : 354,061
Dump File Time    : 7/25/2015 7:41:10 AM
==================================================

==================================================
Dump File         : 071715-13634-01.dmp
Crash Time        : 7/17/2015 6:29:41 AM
Bug Check String  : KMODE_EXCEPTION_NOT_HANDLED
Bug Check Code    : 0x0000001e
Parameter 1       : ffffffff`c0000005
Parameter 2       : fffff800`03bb2137
Parameter 3       : 00000000`00000000
Parameter 4       : ffffffff`ffffffff
Caused By Driver  : fltmgr.sys
Caused By Address : fltmgr.sys+7072
File Description  : Microsoft Filesystem Filter Manager
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 6.1.7600.16385 (win7_rtm.090713-1255)
Processor         : x64
Crash Address     : ntoskrnl.exe+748c0
Stack Address 1   :
Stack Address 2   :
Stack Address 3   :
Computer Name     :
Full Path         : C:\Windows\Minidump\071715-13634-01.dmp
Processors Count  : 8
Major Version     : 15
Minor Version     : 7601
Dump File Size    : 302,101
Dump File Time    : 7/17/2015 6:30:05 AM
==================================================

==================================================
Dump File         : 071115-12963-01.dmp
Crash Time        : 7/11/2015 7:53:03 AM
Bug Check String  : UNEXPECTED_KERNEL_MODE_TRAP
Bug Check Code    : 0x0000007f
Parameter 1       : 00000000`00000008
Parameter 2       : 00000000`80050033
Parameter 3       : 00000000`000006f8
Parameter 4       : fffff800`038d4026
Caused By Driver  : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+748c0
File Description  : NT Kernel & System
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 6.1.7601.18933 (win7sp1_gdr.150715-0600)
Processor         : x64
Crash Address     : ntoskrnl.exe+748c0
Stack Address 1   :
Stack Address 2   :
Stack Address 3   :
Computer Name     :
Full Path         : C:\Windows\Minidump\071115-12963-01.dmp
Processors Count  : 8
Major Version     : 15
Minor Version     : 7601
Dump File Size    : 301,930
Dump File Time    : 7/11/2015 7:54:22 AM
==================================================
Title: Re: Help me understand? Antirootkit orange, no messages - VT.Unknown MBR code?
Post by: Curson on August 19, 2015, 08:54:30 pm
Hi David,

The BSODs don't seem to be malware related.
However, since many drivers are involved, it could indicate filesystem corruption or, worse, a hard disk problem. I strongly advise you to make backups of your personal files and investigate this potential issue as soon as possible.

Regards.
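Curson's reading of the BlueScreenView list rests on one observation: the crashes are attributed to many unrelated drivers. The script below is an added example (not BlueScreenView's or Adlice's code) that makes that check repeatable: it parses BlueScreenView's text export, tallies bug check strings and the "Caused By Driver" attributions, and reports whether the crashes concentrate on one driver or spread across several. The embedded sample is five of the records David posted, trimmed to the fields the script uses; the 75% threshold in assess() is this example's own heuristic.

```python
"""Tally a BlueScreenView text export across many minidumps.

Added example, not BlueScreenView's or Adlice's code. It parses the
"Key : value" records delimited by lines of '=' and counts bug check strings
and the driver BlueScreenView attributes each crash to: one driver recurring
points at that driver, a spread across unrelated drivers points at a layer
they all depend on.
"""
from __future__ import annotations

import re
from collections import Counter

SEPARATOR = re.compile(r"^=+\s*$")
# Key is letters/digits/spaces up to the first colon; the value may contain colons.
FIELD = re.compile(r"^([A-Za-z0-9 ]+?)\s*:\s?(.*)$")

# Sample input: five of the records posted above, trimmed to the fields used.
SAMPLE_LOG = """\
==================================================
Dump File         : 081915-14367-01.dmp
Crash Time        : 8/19/2015 6:24:00 AM
Bug Check String  : NTFS_FILE_SYSTEM
Bug Check Code    : 0x00000024
Caused By Driver  : Ntfs.sys
==================================================

==================================================
Dump File         : 081815-14476-01.dmp
Crash Time        : 8/18/2015 8:10:14 PM
Bug Check String  : SYSTEM_SERVICE_EXCEPTION
Bug Check Code    : 0x0000003b
Caused By Driver  : vwififlt.sys
==================================================

==================================================
Dump File         : 081715-14851-01.dmp
Crash Time        : 8/17/2015 6:05:58 AM
Bug Check String  : SYSTEM_THREAD_EXCEPTION_NOT_HANDLED
Bug Check Code    : 0x1000007e
Caused By Driver  : rdbss.sys
==================================================

==================================================
Dump File         : 081615-14227-01.dmp
Crash Time        : 8/16/2015 1:29:57 PM
Bug Check String  : SYSTEM_SERVICE_EXCEPTION
Bug Check Code    : 0x0000003b
Caused By Driver  : portcls.sys
==================================================

==================================================
Dump File         : 072815-13416-01.dmp
Crash Time        : 7/28/2015 7:11:18 AM
Bug Check String  : NTFS_FILE_SYSTEM
Bug Check Code    : 0x00000024
Caused By Driver  : Ntfs.sys
==================================================
"""


def parse_bluescreenview(text: str) -> list[dict[str, str]]:
    """One dict per dump; a separator both opens and closes each record."""
    records: list[dict[str, str]] = []
    current: dict[str, str] = {}
    for line in text.splitlines():
        if SEPARATOR.match(line):
            if current:
                records.append(current)
                current = {}
            continue
        m = FIELD.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    if current:
        records.append(current)
    return records


def tally(records: list[dict[str, str]]) -> dict:
    """Counts of bug check strings and of blamed drivers across all dumps."""
    drivers = Counter(r.get("Caused By Driver", "?") for r in records)
    checks = Counter(r.get("Bug Check String", "?") for r in records)
    return {"crashes": len(records), "bug_checks": checks,
            "drivers": drivers, "distinct_drivers": len(drivers)}


def assess(records: list[dict[str, str]]) -> str:
    """Concentrated on one driver, or spread across several unrelated ones?"""
    s = tally(records)
    if not s["crashes"]:
        return "no records"
    top_driver, top_count = s["drivers"].most_common(1)[0]
    if s["distinct_drivers"] == 1 or top_count / s["crashes"] >= 0.75:
        return (f"concentrated: {top_driver} blamed in {top_count}/{s['crashes']} crashes; "
                "start with that driver")
    return (f"spread: {s['distinct_drivers']} drivers blamed across {s['crashes']} crashes "
            f"and {len(s['bug_checks'])} bug check types; suspect a layer they share "
            "(storage/filesystem or other hardware) rather than any one driver")


if __name__ == "__main__":
    recs = parse_bluescreenview(SAMPLE_LOG)
    for driver, n in tally(recs)["drivers"].most_common():
        print(f"{n:2d}  {driver}")
    print(assess(recs))
```

On the full list David posted the spread is even wider (Ntfs.sys, vwififlt.sys, rdbss.sys, portcls.sys, dump_iaStor.sys, circlass.sys, win32k.sys, fltmgr.sys and the kernel itself), which is the pattern that led Curson to filesystem or disk trouble rather than a single bad driver. Run the script against a saved export (BlueScreenView's own text output has the same "Key : value" layout) to get the same summary for another machine.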
Title: Re: Help me understand? Antirootkit orange, no messages - VT.Unknown MBR code?
Post by: David Cawley on August 19, 2015, 09:39:29 pm
That certainly is scary. I made a backup a couple of days ago, and I've already purchased a replacement PC, but I don't have it set up to work yet with all of my consulting clients.

Most scary: it's an SSD, so if it dies, there's no recovery, right? Just poof! It's gone!

So what do I do? I could clone this drive to the old 500 GB HDD, but won't I just be cloning corrupt data?

It's Windows 7, so there isn't a 'refresh' option like Windows 8 has, right?

Where would you go from here?

Thanks for your help!
Title: Re: Help me understand? Antirootkit orange, no messages - VT.Unknown MBR code?
Post by: Curson on August 19, 2015, 10:09:41 pm
Hi David,

Since you've got an SSD, a drive crash is unlikely to occur. How old is it?
Cloning won't solve anything, especially if the problem is not linked to the filesystem.

I would recommend enabling TRIM and checking the filesystem for corruption.
Launch the command prompt window (cmd) with admin rights and copy/paste the following command:
Code:
fsutil behavior set disablenotify 0 && chkdsk C: /f /v /x
Please allow chkdsk to run on next reboot and restart the computer to perform the analysis.

Regards.
Title: Re: Help me understand? Antirootkit orange, no messages - VT.Unknown MBR code?
Post by: David Cawley on August 19, 2015, 10:14:56 pm
Thanks again.

My SSDLife Free says: drive health is excellent... it should work until March 9, 2020.
TRIM is supported and system: enabled

Health 100%

I'm applying some Windows updates, then I'll try to get that checkdisk done; this is likely my last response for 12 hours or so.
Title: Re: Help me understand? Antirootkit orange, no messages - VT.Unknown MBR code?
Post by: Curson on August 20, 2015, 02:52:46 am
Hi David,

Thanks for the information.
If the issue is not solved after the checkdisk process, please let me know.

Regards.
Title: Re: Help me understand? Antirootkit orange, no messages - VT.Unknown MBR code?
Post by: Aruval on August 20, 2015, 03:08:46 pm
Excuse me, what has the word "orange" to do in this ?
Title: Re: Help me understand? Antirootkit orange, no messages - VT.Unknown MBR code?
Post by: Curson on August 20, 2015, 05:00:31 pm
Hi Aruval,

Orange highlighted lines are entries which could be possible malware (for example, PUP, PUM and hooks).
For more information, please refer to the RogueKiller Official Tutorial (http://www.adlice.com/softwares/roguekiller/roguekiller-official-tutorial/).

Regards.
Title: Re: Help me understand? Antirootkit orange, no messages - VT.Unknown MBR code?
Post by: David Cawley on August 20, 2015, 11:28:09 pm
I was not able to run the command as provided; it choked on 'disablenotify', I think, coming up with these instructions:

Usage : fsutil behavior set <option> <value>

<option>               <values>

AllowExtChar           1 | 0
BugcheckOnCorrupt      1 | 0
Disable8dot3           [0 through 3] | [<Volume Path> 1 | 0]
DisableCompression     1 | 0
DisableEncryption      1 | 0
DisableLastAccess      1 | 0
EncryptPagingFile      1 | 0
MftZone                1 through 4
MemoryUsage            1 through 2
QuotaNotify            1 through 4294967295 seconds
SymlinkEvaluation      [L2L:{0|1}] | [L2R:{0|1}] | [R2R:{0|1}] | [R2L:{0|1}]
DisableDeleteNotify    1 | 0

Some of these options require a reboot to take effect.

Please use "fsutil behavior set Disable8dot3 /?" for more information.

So I just did the chkdsk part after the &&: rebooted, ran chkdsk, and it showed the messages very fast, then rebooted. It seemed to think the disk was OK, but maybe the fsutil was needed?

Thanks again for all your help, sorry I was MIA today.

Had a BSOD this morning: IRQL_NOT_LESS_OR_EQUAL, about five minutes after first boot, rebooted and ran fine all day.
Title: Re: Help me understand? Antirootkit orange, no messages - VT.Unknown MBR code?
Post by: Curson on August 21, 2015, 12:21:15 am
Hi David,

Sorry, I made a mistake in the command.
However, since chkdsk didn't fix anything, we can assume the root cause of the BSODs is not linked to the filesystem.

Could you please regenerate a BlueScreenView log and copy/paste it in your next reply?

Regards.
Title: Re: Help me understand? Antirootkit orange, no messages - VT.Unknown MBR code?
Post by: David Cawley on August 21, 2015, 12:34:52 am
Here it is:
==================================================
Dump File         : 082015-14492-01.dmp
Crash Time        : 8/20/2015 7:02:28 AM
Bug Check String  : IRQL_NOT_LESS_OR_EQUAL
Bug Check Code    : 0x0000000a
Parameter 1       : fffffa7f`ffffffe0
Parameter 2       : 00000000`00000002
Parameter 3       : 00000000`00000001
Parameter 4       : fffff800`03a945f1
Caused By Driver  : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+735c0
File Description  : NT Kernel & System
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 6.1.7601.18939 (win7sp1_gdr.150722-0600)
Processor         : x64
Crash Address     : ntoskrnl.exe+735c0
Stack Address 1   :
Stack Address 2   :
Stack Address 3   :
Computer Name     :
Full Path         : C:\Windows\Minidump\082015-14492-01.dmp
Processors Count  : 8
Major Version     : 15
Minor Version     : 7601
Dump File Size    : 302,101
Dump File Time    : 8/20/2015 7:03:39 AM
==================================================

==================================================
Dump File         : 081915-14367-01.dmp
Crash Time        : 8/19/2015 6:24:00 AM
Bug Check String  : NTFS_FILE_SYSTEM
Bug Check Code    : 0x00000024
Parameter 1       : 00000000`001904fb
Parameter 2       : fffff880`093b7ce8
Parameter 3       : fffff880`093b7540
Parameter 4       : fffff880`01cd96c7
Caused By Driver  : Ntfs.sys
Caused By Address : Ntfs.sys+4211
File Description  : NT File System Driver
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 6.1.7600.16385 (win7_rtm.090713-1255)
Processor         : x64
Crash Address     : ntoskrnl.exe+735c0
Stack Address 1   :
Stack Address 2   :
Stack Address 3   :
Computer Name     :
Full Path         : C:\Windows\Minidump\081915-14367-01.dmp
Processors Count  : 8
Major Version     : 15
Minor Version     : 7601
Dump File Size    : 302,101
Dump File Time    : 8/19/2015 6:39:52 AM
==================================================

==================================================
Dump File         : 081815-14476-01.dmp
Crash Time        : 8/18/2015 8:10:14 PM
Bug Check String  : SYSTEM_SERVICE_EXCEPTION
Bug Check Code    : 0x0000003b
Parameter 1       : 00000000`c0000005
Parameter 2       : fffff800`03d8c89e
Parameter 3       : fffff880`097ba670
Parameter 4       : 00000000`00000000
Caused By Driver  : vwififlt.sys
Caused By Address : vwififlt.sys+4ad7670
File Description  : Virtual WiFi Filter Driver
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 6.1.7600.16385 (win7_rtm.090713-1255)
Processor         : x64
Crash Address     : ntoskrnl.exe+735c0
Stack Address 1   :
Stack Address 2   :
Stack Address 3   :
Computer Name     :
Full Path         : C:\Windows\Minidump\081815-14476-01.dmp
Processors Count  : 8
Major Version     : 15
Minor Version     : 7601
Dump File Size    : 302,101
Dump File Time    : 8/18/2015 8:27:29 PM
==================================================

==================================================
Dump File         : 081715-14851-01.dmp
Crash Time        : 8/17/2015 6:05:58 AM
Bug Check String  : SYSTEM_THREAD_EXCEPTION_NOT_HANDLED
Bug Check Code    : 0x1000007e
Parameter 1       : ffffffff`c0000005
Parameter 2       : fffff880`05432993
Parameter 3       : fffff880`079af638
Parameter 4       : fffff880`079aee90
Caused By Driver  : rdbss.sys
Caused By Address : rdbss.sys+409f870
File Description  : Redirected Drive Buffering SubSystem Driver
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 6.1.7600.16385 (win7_rtm.090713-1255)
Processor         : x64
Crash Address     : rdbss.sys+1b22993
Stack Address 1   :
Stack Address 2   :
Stack Address 3   :
Computer Name     :
Full Path         : C:\Windows\Minidump\081715-14851-01.dmp
Processors Count  : 8
Major Version     : 15
Minor Version     : 7601
Dump File Size    : 302,157
Dump File Time    : 8/17/2015 6:07:22 AM
==================================================

==================================================
Dump File         : 081615-14227-01.dmp
Crash Time        : 8/16/2015 1:29:57 PM
Bug Check String  : SYSTEM_SERVICE_EXCEPTION
Bug Check Code    : 0x0000003b
Parameter 1       : 00000000`c0000005
Parameter 2       : fffff800`03d718ee
Parameter 3       : fffff880`0ea9bab0
Parameter 4       : 00000000`00000000
Caused By Driver  : portcls.sys
Caused By Address : portcls.sys+d03dab0
File Description  : Port Class (Class Driver for Port/Miniport Devices)
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 6.1.7600.16385 (win7_rtm.090713-1255)
Processor         : x64
Crash Address     : ntoskrnl.exe+735c0
Stack Address 1   :
Stack Address 2   :
Stack Address 3   :
Computer Name     :
Full Path         : C:\Windows\Minidump\081615-14227-01.dmp
Processors Count  : 8
Major Version     : 15
Minor Version     : 7601
Dump File Size    : 301,989
Dump File Time    : 8/16/2015 1:30:36 PM
==================================================

==================================================
Dump File         : 081415-14898-01.dmp
Crash Time        : 8/14/2015 7:10:14 PM
Bug Check String  : SYSTEM_SERVICE_EXCEPTION
Bug Check Code    : 0x0000003b
Parameter 1       : 00000000`c0000005
Parameter 2       : fffff800`03ae0876
Parameter 3       : fffff880`0f669fd0
Parameter 4       : 00000000`00000000
Caused By Driver  : dump_iaStor.sys
Caused By Address : dump_iaStor.sys+bc2bfd0
File Description  :
Product Name      :
Company           :
File Version      :
Processor         : x64
Crash Address     : ntoskrnl.exe+735c0
Stack Address 1   :
Stack Address 2   :
Stack Address 3   :
Computer Name     :
Full Path         : C:\Windows\Minidump\081415-14898-01.dmp
Processors Count  : 8
Major Version     : 15
Minor Version     : 7601
Dump File Size    : 302,413
Dump File Time    : 8/14/2015 7:11:12 PM
==================================================

==================================================
Dump File         : 080515-15038-01.dmp
Crash Time        : 8/5/2015 8:10:36 PM
Bug Check String  : SYSTEM_SERVICE_EXCEPTION
Bug Check Code    : 0x0000003b
Parameter 1       : 00000000`c0000005
Parameter 2       : fffff800`03dc22dc
Parameter 3       : fffff880`0965f0f0
Parameter 4       : 00000000`00000000
Caused By Driver  : circlass.sys
Caused By Address : circlass.sys+405f0f0
File Description  : Consumer IR Class Driver for eHome
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 6.1.7600.16385 (win7_rtm.090713-1255)
Processor         : x64
Crash Address     : ntoskrnl.exe+748c0
Stack Address 1   :
Stack Address 2   :
Stack Address 3   :
Computer Name     :
Full Path         : C:\Windows\Minidump\080515-15038-01.dmp
Processors Count  : 8
Major Version     : 15
Minor Version     : 7601
Dump File Size    : 302,157
Dump File Time    : 8/5/2015 8:12:23 PM
==================================================

==================================================
Dump File         : 072815-13774-01.dmp
Crash Time        : 7/28/2015 3:48:35 PM
Bug Check String  : SYSTEM_SERVICE_EXCEPTION
Bug Check Code    : 0x0000003b
Parameter 1       : 00000000`c0000005
Parameter 2       : fffff960`001a8683
Parameter 3       : fffff880`0b0601e0
Parameter 4       : 00000000`00000000
Caused By Driver  : win32k.sys
Caused By Address : win32k.sys+d8683
File Description  : Multi-User Win32 Driver
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 6.1.7600.16385 (win7_rtm.090713-1255)
Processor         : x64
Crash Address     : ntoskrnl.exe+748c0
Stack Address 1   :
Stack Address 2   :
Stack Address 3   :
Computer Name     :
Full Path         : C:\Windows\Minidump\072815-13774-01.dmp
Processors Count  : 8
Major Version     : 15
Minor Version     : 7601
Dump File Size    : 303,637
Dump File Time    : 7/28/2015 3:50:19 PM
==================================================

==================================================
Dump File         : 072815-14086-01.dmp
Crash Time        : 7/28/2015 7:12:38 AM
Bug Check String  : SYSTEM_THREAD_EXCEPTION_NOT_HANDLED
Bug Check Code    : 0x1000007e
Parameter 1       : ffffffff`c0000005
Parameter 2       : fffff800`03ab97c5
Parameter 3       : fffff880`058702e8
Parameter 4       : fffff880`0586fb40
Caused By Driver  : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+6c7c5
File Description  : NT Kernel & System
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 6.1.7601.18939 (win7sp1_gdr.150722-0600)
Processor         : x64
Crash Address     : ntoskrnl.exe+6c7c5
Stack Address 1   :
Stack Address 2   :
Stack Address 3   :
Computer Name     :
Full Path         : C:\Windows\Minidump\072815-14086-01.dmp
Processors Count  : 8
Major Version     : 15
Minor Version     : 7601
Dump File Size    : 264,650
Dump File Time    : 7/28/2015 7:13:06 AM
==================================================

==================================================
Dump File         : 072815-13416-01.dmp
Crash Time        : 7/28/2015 7:11:18 AM
Bug Check String  : NTFS_FILE_SYSTEM
Bug Check Code    : 0x00000024
Parameter 1       : 00000000`001904fb
Parameter 2       : fffff880`07bacc88
Parameter 3       : fffff880`07bac4e0
Parameter 4       : fffff880`01cd8c45
Caused By Driver  : Ntfs.sys
Caused By Address : Ntfs.sys+4211
File Description  : NT File System Driver
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 6.1.7600.16385 (win7_rtm.090713-1255)
Processor         : x64
Crash Address     : ntoskrnl.exe+748c0
Stack Address 1   :
Stack Address 2   :
Stack Address 3   :
Computer Name     :
Full Path         : C:\Windows\Minidump\072815-13416-01.dmp
Processors Count  : 8
Major Version     : 15
Minor Version     : 7601
Dump File Size    : 302,157
Dump File Time    : 7/28/2015 7:12:04 AM
==================================================

==================================================
Dump File         : 072515-14055-01.dmp
Crash Time        : 7/25/2015 7:40:18 AM
Bug Check String  : BUGCODE_USB_DRIVER
Bug Check Code    : 0x000000fe
Parameter 1       : 00000000`00000005
Parameter 2       : fffffa80`0769b1a0
Parameter 3       : 00000000`80863b3c
Parameter 4       : fffffa80`094ec258
Caused By Driver  : rdbss.sys
Caused By Address : rdbss.sys+a2dff2
File Description  : Redirected Drive Buffering SubSystem Driver
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 6.1.7600.16385 (win7_rtm.090713-1255)
Processor         : x64
Crash Address     : ntoskrnl.exe+748c0
Stack Address 1   :
Stack Address 2   :
Stack Address 3   :
Computer Name     :
Full Path         : C:\Windows\Minidump\072515-14055-01.dmp
Processors Count  : 8
Major Version     : 15
Minor Version     : 7601
Dump File Size    : 354,061
Dump File Time    : 7/25/2015 7:41:10 AM
==================================================

==================================================
Dump File         : 071715-13634-01.dmp
Crash Time        : 7/17/2015 6:29:41 AM
Bug Check String  : KMODE_EXCEPTION_NOT_HANDLED
Bug Check Code    : 0x0000001e
Parameter 1       : ffffffff`c0000005
Parameter 2       : fffff800`03bb2137
Parameter 3       : 00000000`00000000
Parameter 4       : ffffffff`ffffffff
Caused By Driver  : fltmgr.sys
Caused By Address : fltmgr.sys+7072
File Description  : Microsoft Filesystem Filter Manager
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 6.1.7600.16385 (win7_rtm.090713-1255)
Processor         : x64
Crash Address     : ntoskrnl.exe+748c0
Stack Address 1   :
Stack Address 2   :
Stack Address 3   :
Computer Name     :
Full Path         : C:\Windows\Minidump\071715-13634-01.dmp
Processors Count  : 8
Major Version     : 15
Minor Version     : 7601
Dump File Size    : 302,101
Dump File Time    : 7/17/2015 6:30:05 AM
==================================================

==================================================
Dump File         : 071115-12963-01.dmp
Crash Time        : 7/11/2015 7:53:03 AM
Bug Check String  : UNEXPECTED_KERNEL_MODE_TRAP
Bug Check Code    : 0x0000007f
Parameter 1       : 00000000`00000008
Parameter 2       : 00000000`80050033
Parameter 3       : 00000000`000006f8
Parameter 4       : fffff800`038d4026
Caused By Driver  : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+748c0
File Description  : NT Kernel & System
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 6.1.7601.18939 (win7sp1_gdr.150722-0600)
Processor         : x64
Crash Address     : ntoskrnl.exe+748c0
Stack Address 1   :
Stack Address 2   :
Stack Address 3   :
Computer Name     :
Full Path         : C:\Windows\Minidump\071115-12963-01.dmp
Processors Count  : 8
Major Version     : 15
Minor Version     : 7601
Dump File Size    : 301,930
Dump File Time    : 7/11/2015 7:54:22 AM
==================================================

Title: Re: Help me understand? Antirootkit orange, no messages - VT.Unknown MBR code?
Post by: David Cawley on August 21, 2015, 12:49:57 am
I have a USB port replicator with 2 Logitech things plugged in for a wireless keyboard/mouse and wireless headset. I think they are both RF, not Bluetooth.
I have an HDMI monitor plugged in.
wireless turned off
hardwired network cable plugged in.

Also, when I look at 'playback devices' - all I see is my wireless headset, I cannot turn my speakers back on at this point, they seem to have disappeared.

Thought I'd just ramble some info at you. It's an HP laptop from 2009.

I recently changed the CMOS battery because the system was resetting to 2008 on every 3rd or 4th reboot.

Like the above said, 'orange' was just me reporting the color of the 'rootkit' messages section. I saw elsewhere people discussing that being 'green', and mine was not green, so I was scared. I think that was just because I was running the 32-bit version.
Title: Re: Help me understand? Antirootkit orange, no messages - VT.Unknown MBR code?
Post by: David Cawley on August 21, 2015, 12:33:20 pm
This morning, two BSODs: BUGCODE_USB_DRIVER... then my reboot failed, just sat on a black screen, tried again.... Windows boot screen looked different, it had an old-fashioned looking progress bar instead of a pulsing Windows logo, then a MEMORY_MANAGER BSOD that blinked by before I could read anything else.

Rebooted again now... let's see if it lasts more than five minutes.
Title: Re: Help me understand? Antirootkit orange, no messages - VT.Unknown MBR code?
Post by: David Cawley on August 21, 2015, 12:34:30 pm
I reran BlueScreenView, and neither of today's BSODs shows up.
Title: Re: Help me understand? Antirootkit orange, no messages - VT.Unknown MBR code?
Post by: Curson on August 21, 2015, 03:27:37 pm
Hi David,

At this point, it's difficult to say if your issue is software or hardware related.
Anyway, I think a system reinstallation is necessary.

Regards.
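What Curson is weighing here is visible in the BlueScreenView listing posted earlier in the thread: eight minidumps blame eight different modules (portcls.sys, dump_iaStor.sys, circlass.sys, win32k.sys, Ntfs.sys, rdbss.sys, fltmgr.sys, ntoskrnl.exe), several of them with the same 0xC0000005 access violation, and most of them between 6 and 8 in the morning. The script below is an added example for this thread, not BlueScreenView's, RogueKiller's or the poster's own code. It parses the export format shown above, tabulates blamed modules, bug checks and crash hours, and applies a "one driver or scattered" rule that I am assuming as a triage heuristic, not something the thread states. The sample records are trimmed copies of five entries from the listing, with only the fields the script reads kept.

```python
"""Summarise a BlueScreenView text export: do the crashes blame one driver, or are
they scattered across unrelated modules (a pattern more typical of bad RAM, a
failing disk or a filter driver corrupting memory)? Added example for this thread;
not BlueScreenView's or RogueKiller's own code."""
from collections import Counter
from datetime import datetime

# Sample input: five records trimmed from the BlueScreenView listing posted in the
# thread (only the fields this script reads were kept).
SAMPLE = """\
==================================================
Crash Time        : 8/16/2015 1:29:57 PM
Bug Check String  : SYSTEM_SERVICE_EXCEPTION
Parameter 1       : 00000000`c0000005
Caused By Driver  : portcls.sys
==================================================
Crash Time        : 7/28/2015 7:12:38 AM
Bug Check String  : SYSTEM_THREAD_EXCEPTION_NOT_HANDLED
Parameter 1       : ffffffff`c0000005
Caused By Driver  : ntoskrnl.exe
==================================================
Crash Time        : 7/28/2015 7:11:18 AM
Bug Check String  : NTFS_FILE_SYSTEM
Parameter 1       : 00000000`001904fb
Caused By Driver  : Ntfs.sys
==================================================
Crash Time        : 7/25/2015 7:40:18 AM
Bug Check String  : BUGCODE_USB_DRIVER
Parameter 1       : 00000000`00000005
Caused By Driver  : rdbss.sys
==================================================
Crash Time        : 7/17/2015 6:29:41 AM
Bug Check String  : KMODE_EXCEPTION_NOT_HANDLED
Parameter 1       : ffffffff`c0000005
Caused By Driver  : fltmgr.sys
==================================================
"""

# Bug checks whose Parameter 1 is the NTSTATUS of the faulting exception.
EXCEPTION_BUGCHECKS = {"KMODE_EXCEPTION_NOT_HANDLED", "SYSTEM_SERVICE_EXCEPTION",
                       "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED"}
STATUS_ACCESS_VIOLATION = 0xC0000005


def parse_bluescreenview(text):
    """One dict per record: 'Key : Value' lines between '====' separators.
    Values can contain ':' (times, paths), so only the first colon splits."""
    records, current = [], {}
    for line in text.splitlines():
        if line.startswith("===="):
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep and key.strip():
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def param1_low(rec):
    """BlueScreenView prints parameters WinDbg-style as high`low dwords; the
    low dword holds the NTSTATUS for the exception bug checks."""
    return int(rec["Parameter 1"].replace("`", ""), 16) & 0xFFFFFFFF


def summarize(records):
    times = [datetime.strptime(r["Crash Time"], "%m/%d/%Y %I:%M:%S %p") for r in records]
    return {
        "drivers": Counter(r.get("Caused By Driver", "?") for r in records),
        "bugchecks": Counter(r.get("Bug Check String", "?") for r in records),
        "hours": Counter(t.hour for t in times),
        # The poster reports a crash every morning shortly after boot.
        "morning": sum(1 for t in times if 5 <= t.hour <= 8),
        "access_violations": sum(
            1 for r in records if r.get("Bug Check String") in EXCEPTION_BUGCHECKS
            and param1_low(r) == STATUS_ACCESS_VIOLATION),
    }


def assess(summary, total):
    """Assumed triage heuristic: one module blamed repeatedly points at that
    driver; many unrelated modules with the same access violation do not."""
    driver, hits = summary["drivers"].most_common(1)[0]
    if hits >= max(3, total // 2) and driver != "ntoskrnl.exe":
        return f"concentrated: {hits}/{total} crashes blame {driver}; check that driver first"
    return (f"scattered: {len(summary['drivers'])} modules blamed in {total} crashes, "
            f"{summary['access_violations']} access violations; test RAM/disk first")


if __name__ == "__main__":
    s = summarize(parse_bluescreenview(SAMPLE))
    print(s, assess(s, sum(s["drivers"].values())), sep="\n")
```

Run it against a full export (BlueScreenView's "Save Selected Items" as text) instead of the embedded sample to see the whole history. On the records in this thread the verdict is "scattered", which is exactly why Curson could not separate software from hardware from the dumps alone; a memory test and a disk check are the cheap next steps before a reinstall.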
Title: Re: Help me understand? Antirootkit orange, no messages - VT.Unknown MBR code?
Post by: David Cawley on August 21, 2015, 06:57:55 pm
Thank you for all your help.

I have already purchased a replacement laptop. Once I'm fully migrated over to that, I may upgrade this to Windows 10; will that achieve the same as a reinstall?
Title: Re: Help me understand? Antirootkit orange, no messages - VT.Unknown MBR code?
Post by: Curson on August 24, 2015, 05:39:35 pm
Hi David,

An upgrade may not correct the issue right away. Maybe you will need to do a system reset or a full reinstall.
For more information, please read How to Clean Install Windows 10 (http://www.howtogeek.com/224342/how-to-clean-install-windows-10/).

Regards.