Author Topic: Help me understand? Antirootkit orange, no messages - VT.Unknown MBR code? (Read 19549 times)

David Cawley · « **on:** August 19, 2015, 01:37:19 PM »

Background: getting a BSOD every morning about 5 minutes after boot, other than that, system is stable and fast.
BSOD are different each time, keep researching and doing proposed fixes, then I get a new BSOD... nightmare!

Registry:

This is my report:

RogueKiller V10.10.1.0 [Aug 17 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : David [Administrator]
Started from : C:\Users\David\Downloads\RogueKiller.exe
Mode : Scan -- Date : 08/19/2015 07:01:32

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 11 ¤¤¤
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} -> Found
[Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | CitrixReceiver : "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Citrix\Receiver Updater.lnk"

-> Found

[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\pmem (\??\C:\Users\David\AppData\Local\Temp\_MEI110402\drivers\winpmem64.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pmem (\??\C:\Users\David\AppData\Local\Temp\_MEI110402\drivers\winpmem64.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\pmem (\??\C:\Users\David\AppData\Local\Temp\_MEI110402\drivers\winpmem64.sys) -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2087372787-698181960-4156799124-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://finance.yahoo.com/ -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2087372787-698181960-4156799124-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://finance.yahoo.com/ -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2087372787-698181960-4156799124-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=bestbuy&pf=cnnb -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2087372787-698181960-4156799124-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=bestbuy&pf=cnnb -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2087372787-698181960-4156799124-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2087372787-698181960-4156799124-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: KINGSTON SH100S3240G +++++
--- User ---
[MBR] 44a18fa383b29672982d934a3cf9f67e
[BSP] 88ca0319269ad6323fba2737c9302e92 : Unknown|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 199 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 409600 | Size: 211861 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 435040200 | Size: 16457 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
3 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 468758528 | Size: 50 MB
User = LL1 ... OK
User = LL2 ... OK

Is it odd I have 3 PMEM messages? do you guys see anything here I should be removing?

Curson · « **Reply #1 on:** August 19, 2015, 03:03:12 PM »

Hi David,

Welcome to Adlice.com Forum.
Is Detekt installed on your computer ? If that's the case, please uninstall it.

The report you posted was generated with the 32 bits version of RogueKiller.
Please download RogueKiller (64 bits version), redo a full scan and post the report obtained in your next reply.

Regards.

David Cawley · « **Reply #2 on:** August 19, 2015, 04:18:34 PM »

First thank you so much for helping.
I have installed and run the 64 bit version.
I do not have detekt running, at least I don't think I do, I've never heard of it.
Here are my results:
RogueKiller V10.10.1.0 (x64) [Aug 17 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : David [Administrator]
Started from : C:\Users\David\Downloads\RogueKillerX64_10_10_1_0 (1).exe
Mode : Scan -- Date : 08/19/2015 10:13:19

¤¤¤ Processes : 3 ¤¤¤
[VT.Unknown] EasyDmsExplorer.dll(3472) -- C:\Program Files\SAP\EasyDmsInterface\Ansi\EasyDmsExplorer.dll[-] -> Unloaded
[VT.Unknown] EasyDmsPrxy.dll(3472) -- C:\Program Files\SAP\EasyDmsInterface\Ansi\EasyDmsPrxy.dll[-] -> Unloaded
[VT.Unknown] librfc32.dll(3472) -- C:\Program Files\SAP\EasyDmsInterface\Ansi\librfc32.dll[-] -> Unloaded

¤¤¤ Registry : 11 ¤¤¤
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} -> Found
[Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | CitrixReceiver : "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Citrix\Receiver Updater.lnk"

-> Found

[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\pmem (\??\C:\Users\David\AppData\Local\Temp\_MEI110402\drivers\winpmem64.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pmem (\??\C:\Users\David\AppData\Local\Temp\_MEI110402\drivers\winpmem64.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\pmem (\??\C:\Users\David\AppData\Local\Temp\_MEI110402\drivers\winpmem64.sys) -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2087372787-698181960-4156799124-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://finance.yahoo.com/ -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2087372787-698181960-4156799124-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://finance.yahoo.com/ -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2087372787-698181960-4156799124-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=bestbuy&pf=cnnb -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2087372787-698181960-4156799124-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=bestbuy&pf=cnnb -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2087372787-698181960-4156799124-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2087372787-698181960-4156799124-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: KINGSTON SH100S3240G +++++
--- User ---
[MBR] 44a18fa383b29672982d934a3cf9f67e
[BSP] 88ca0319269ad6323fba2737c9302e92 : Unknown|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 199 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 409600 | Size: 211861 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 435040200 | Size: 16457 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
3 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 468758528 | Size: 50 MB
User = LL1 ... OK
User = LL2 ... OK

Curson · « **Reply #3 on:** August 19, 2015, 04:38:58 PM »

Hi David,

Your report is clean.

BSOD are not always related to malwares. We will check.
Please download BlueScreenView (x64) and unzip the archive.

Double click on BlueScreenView.exe to run the program.
When scanning is done, go to EDIT - Select All.
Go to FILE - SAVE Selected Items, and save the report as BSOD.txt.
Open BSOD.txt in Notepad, copy all of the content, and paste it into your next reply.

Regards.

David Cawley · « **Reply #4 on:** August 19, 2015, 05:58:23 PM »

Thanks again!

==================================================
Dump File : 081915-14367-01.dmp
Crash Time : 8/19/2015 6:24:00 AM
Bug Check String : NTFS_FILE_SYSTEM
Bug Check Code : 0x00000024
Parameter 1 : 00000000`001904fb
Parameter 2 : fffff880`093b7ce8
Parameter 3 : fffff880`093b7540
Parameter 4 : fffff880`01cd96c7
Caused By Driver : Ntfs.sys
Caused By Address : Ntfs.sys+4211
File Description : NT File System Driver
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7600.16385 (win7_rtm.090713-1255)
Processor : x64
Crash Address : ntoskrnl.exe+735c0
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\Windows\Minidump\081915-14367-01.dmp
Processors Count : 8
Major Version : 15
Minor Version : 7601
Dump File Size : 302,101
Dump File Time : 8/19/2015 6:39:52 AM
==================================================

==================================================
Dump File : 081815-14476-01.dmp
Crash Time : 8/18/2015 8:10:14 PM
Bug Check String : SYSTEM_SERVICE_EXCEPTION
Bug Check Code : 0x0000003b
Parameter 1 : 00000000`c0000005
Parameter 2 : fffff800`03d8c89e
Parameter 3 : fffff880`097ba670
Parameter 4 : 00000000`00000000
Caused By Driver : vwififlt.sys
Caused By Address : vwififlt.sys+4ad7670
File Description : Virtual WiFi Filter Driver
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7600.16385 (win7_rtm.090713-1255)
Processor : x64
Crash Address : ntoskrnl.exe+735c0
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\Windows\Minidump\081815-14476-01.dmp
Processors Count : 8
Major Version : 15
Minor Version : 7601
Dump File Size : 302,101
Dump File Time : 8/18/2015 8:27:29 PM
==================================================

==================================================
Dump File : 081715-14851-01.dmp
Crash Time : 8/17/2015 6:05:58 AM
Bug Check String : SYSTEM_THREAD_EXCEPTION_NOT_HANDLED
Bug Check Code : 0x1000007e
Parameter 1 : ffffffff`c0000005
Parameter 2 : fffff880`05432993
Parameter 3 : fffff880`079af638
Parameter 4 : fffff880`079aee90
Caused By Driver : rdbss.sys
Caused By Address : rdbss.sys+409f870
File Description : Redirected Drive Buffering SubSystem Driver
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7600.16385 (win7_rtm.090713-1255)
Processor : x64
Crash Address : rdbss.sys+1b22993
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\Windows\Minidump\081715-14851-01.dmp
Processors Count : 8
Major Version : 15
Minor Version : 7601
Dump File Size : 302,157
Dump File Time : 8/17/2015 6:07:22 AM
==================================================

==================================================
Dump File : 081615-14227-01.dmp
Crash Time : 8/16/2015 1:29:57 PM
Bug Check String : SYSTEM_SERVICE_EXCEPTION
Bug Check Code : 0x0000003b
Parameter 1 : 00000000`c0000005
Parameter 2 : fffff800`03d718ee
Parameter 3 : fffff880`0ea9bab0
Parameter 4 : 00000000`00000000
Caused By Driver : portcls.sys
Caused By Address : portcls.sys+d03dab0
File Description : Port Class (Class Driver for Port/Miniport Devices)
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7600.16385 (win7_rtm.090713-1255)
Processor : x64
Crash Address : ntoskrnl.exe+735c0
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\Windows\Minidump\081615-14227-01.dmp
Processors Count : 8
Major Version : 15
Minor Version : 7601
Dump File Size : 301,989
Dump File Time : 8/16/2015 1:30:36 PM
==================================================

==================================================
Dump File : 081415-14898-01.dmp
Crash Time : 8/14/2015 7:10:14 PM
Bug Check String : SYSTEM_SERVICE_EXCEPTION
Bug Check Code : 0x0000003b
Parameter 1 : 00000000`c0000005
Parameter 2 : fffff800`03ae0876
Parameter 3 : fffff880`0f669fd0
Parameter 4 : 00000000`00000000
Caused By Driver : dump_iaStor.sys
Caused By Address : dump_iaStor.sys+bc2bfd0
File Description :
Product Name :
Company :
File Version :
Processor : x64
Crash Address : ntoskrnl.exe+735c0
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\Windows\Minidump\081415-14898-01.dmp
Processors Count : 8
Major Version : 15
Minor Version : 7601
Dump File Size : 302,413
Dump File Time : 8/14/2015 7:11:12 PM
==================================================

==================================================
Dump File : 080515-15038-01.dmp
Crash Time : 8/5/2015 8:10:36 PM
Bug Check String : SYSTEM_SERVICE_EXCEPTION
Bug Check Code : 0x0000003b
Parameter 1 : 00000000`c0000005
Parameter 2 : fffff800`03dc22dc
Parameter 3 : fffff880`0965f0f0
Parameter 4 : 00000000`00000000
Caused By Driver : circlass.sys
Caused By Address : circlass.sys+405f0f0
File Description : Consumer IR Class Driver for eHome
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7600.16385 (win7_rtm.090713-1255)
Processor : x64
Crash Address : ntoskrnl.exe+748c0
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\Windows\Minidump\080515-15038-01.dmp
Processors Count : 8
Major Version : 15
Minor Version : 7601
Dump File Size : 302,157
Dump File Time : 8/5/2015 8:12:23 PM
==================================================

==================================================
Dump File : 072815-13774-01.dmp
Crash Time : 7/28/2015 3:48:35 PM
Bug Check String : SYSTEM_SERVICE_EXCEPTION
Bug Check Code : 0x0000003b
Parameter 1 : 00000000`c0000005
Parameter 2 : fffff960`001a8683
Parameter 3 : fffff880`0b0601e0
Parameter 4 : 00000000`00000000
Caused By Driver : win32k.sys
Caused By Address : win32k.sys+d8683
File Description : Multi-User Win32 Driver
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7600.16385 (win7_rtm.090713-1255)
Processor : x64
Crash Address : ntoskrnl.exe+748c0
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\Windows\Minidump\072815-13774-01.dmp
Processors Count : 8
Major Version : 15
Minor Version : 7601
Dump File Size : 303,637
Dump File Time : 7/28/2015 3:50:19 PM
==================================================

==================================================
Dump File : 072815-14086-01.dmp
Crash Time : 7/28/2015 7:12:38 AM
Bug Check String : SYSTEM_THREAD_EXCEPTION_NOT_HANDLED
Bug Check Code : 0x1000007e
Parameter 1 : ffffffff`c0000005
Parameter 2 : fffff800`03ab97c5
Parameter 3 : fffff880`058702e8
Parameter 4 : fffff880`0586fb40
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+6c7c5
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7601.18933 (win7sp1_gdr.150715-0600)
Processor : x64
Crash Address : ntoskrnl.exe+6c7c5
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\Windows\Minidump\072815-14086-01.dmp
Processors Count : 8
Major Version : 15
Minor Version : 7601
Dump File Size : 264,650
Dump File Time : 7/28/2015 7:13:06 AM
==================================================

==================================================
Dump File : 072815-13416-01.dmp
Crash Time : 7/28/2015 7:11:18 AM
Bug Check String : NTFS_FILE_SYSTEM
Bug Check Code : 0x00000024
Parameter 1 : 00000000`001904fb
Parameter 2 : fffff880`07bacc88
Parameter 3 : fffff880`07bac4e0
Parameter 4 : fffff880`01cd8c45
Caused By Driver : Ntfs.sys
Caused By Address : Ntfs.sys+4211
File Description : NT File System Driver
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7600.16385 (win7_rtm.090713-1255)
Processor : x64
Crash Address : ntoskrnl.exe+748c0
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\Windows\Minidump\072815-13416-01.dmp
Processors Count : 8
Major Version : 15
Minor Version : 7601
Dump File Size : 302,157
Dump File Time : 7/28/2015 7:12:04 AM
==================================================

==================================================
Dump File : 072515-14055-01.dmp
Crash Time : 7/25/2015 7:40:18 AM
Bug Check String : BUGCODE_USB_DRIVER
Bug Check Code : 0x000000fe
Parameter 1 : 00000000`00000005
Parameter 2 : fffffa80`0769b1a0
Parameter 3 : 00000000`80863b3c
Parameter 4 : fffffa80`094ec258
Caused By Driver : rdbss.sys
Caused By Address : rdbss.sys+a2dff2
File Description : Redirected Drive Buffering SubSystem Driver
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7600.16385 (win7_rtm.090713-1255)
Processor : x64
Crash Address : ntoskrnl.exe+748c0
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\Windows\Minidump\072515-14055-01.dmp
Processors Count : 8
Major Version : 15
Minor Version : 7601
Dump File Size : 354,061
Dump File Time : 7/25/2015 7:41:10 AM
==================================================

==================================================
Dump File : 071715-13634-01.dmp
Crash Time : 7/17/2015 6:29:41 AM
Bug Check String : KMODE_EXCEPTION_NOT_HANDLED
Bug Check Code : 0x0000001e
Parameter 1 : ffffffff`c0000005
Parameter 2 : fffff800`03bb2137
Parameter 3 : 00000000`00000000
Parameter 4 : ffffffff`ffffffff
Caused By Driver : fltmgr.sys
Caused By Address : fltmgr.sys+7072
File Description : Microsoft Filesystem Filter Manager
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7600.16385 (win7_rtm.090713-1255)
Processor : x64
Crash Address : ntoskrnl.exe+748c0
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\Windows\Minidump\071715-13634-01.dmp
Processors Count : 8
Major Version : 15
Minor Version : 7601
Dump File Size : 302,101
Dump File Time : 7/17/2015 6:30:05 AM
==================================================

==================================================
Dump File : 071115-12963-01.dmp
Crash Time : 7/11/2015 7:53:03 AM
Bug Check String : UNEXPECTED_KERNEL_MODE_TRAP
Bug Check Code : 0x0000007f
Parameter 1 : 00000000`00000008
Parameter 2 : 00000000`80050033
Parameter 3 : 00000000`000006f8
Parameter 4 : fffff800`038d4026
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+748c0
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7601.18933 (win7sp1_gdr.150715-0600)
Processor : x64
Crash Address : ntoskrnl.exe+748c0
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\Windows\Minidump\071115-12963-01.dmp
Processors Count : 8
Major Version : 15
Minor Version : 7601
Dump File Size : 301,930
Dump File Time : 7/11/2015 7:54:22 AM
==================================================

Curson · « **Reply #5 on:** August 19, 2015, 08:54:30 PM »

Hi David,

The BSODs don't seem to be malware related.
However, since many drivers are involved, it could indicate a filesystem corruption or, worst, a hard disk problem. I strongly advice you to make backups of your personal files and investigate this potentially issue as soon as possible.

Regards.

David Cawley · « **Reply #6 on:** August 19, 2015, 09:39:29 PM »

That certainly is scary, I made a backup a couple days ago, and I've already purchased a replacement PC, but I don't have it set up to work yet with all of my consulting clients.

Most scary: its an SSD, so if it dies, no recovery, right - just poof! its gone!

So what do I do? I could clone this drive to the old 500GB hdd, but won't I just be cloning corrupt data?

Its Windows 7, so there isn't a 'refresh' option like windows 8 has, right?

Where would you go from here?

Thanks for your help!

Curson · « **Reply #7 on:** August 19, 2015, 10:09:41 PM »

Hi David,

Since you've got an SSD, a drive crash is unlikely to occur. How old is it ?
Cloning won't sovle anything, especially if the problem is not linked to the filesystem.

I would recommand to enable TRIM and check the filesystem for corruption.
Launch the command prompt windows (cmd) with admin rights and copy/paste the following command :

Code: [Select]

fsutil behavior set disablenotify 0 && chkdsk C: /f /v /x
Please allow chkdsk to run on next reboot and restart the computer to perform the analysis.

Regards.

David Cawley · « **Reply #8 on:** August 19, 2015, 10:14:56 PM »

Thanks again.

My SSDLife Free says: drive health is excellent... it should work until March 9, 2020.
Trim is supported and system: enabled

Health 100%

I'm applying some windows updates, then I'll try to get that checkdisk done - this is likely my last response for 12 hours or so.

Curson · « **Reply #9 on:** August 20, 2015, 02:52:46 AM »

Hi David,

Thanks for the information.
If the issue is not solved after the checkdisk process, please let me know.

Regards.

Aruval · « **Reply #10 on:** August 20, 2015, 03:08:46 PM »

Excuse me, what has the word "orange" to do in this ?

Curson · « **Reply #11 on:** August 20, 2015, 05:00:31 PM »

Hi Aruval,

Orange highlighted lines are entries which could be possible malware (for exemple, PUP and PUM, Hooks).
For more information, please refer to the RogueKiller Official Tutorial.

Regards.

David Cawley · « **Reply #12 on:** August 20, 2015, 11:28:09 PM »

I was not able to run the command as provided, it choked on 'disablenotify' I think, coming up with instructions:

Usage : fsutil behavior set <option> <value>

<option> <values>

AllowExtChar 1 | 0
BugcheckOnCorrupt 1 | 0
Disable8dot3 [0 through 3] | [<Volume Path> 1 | 0]
DisableCompression 1 | 0
DisableEncryption 1 | 0
DisableLastAccess 1 | 0
EncryptPagingFile 1 | 0
MftZone 1 through 4
MemoryUsage 1 through 2
QuotaNotify 1 through 4294967295 seconds
SymlinkEvaluation [L2L:{0|1}] | [L2R:{0|1}] | [R2R:{0|1}] | [R2L:{0|1}]
DisableDeleteNotify 1 | 0

Some of these options require a reboot to take effect.

Please use "fsutil behavior set Disable8dot3 /?" for more information.

So I just did the chckdisk part after the && - rebooted, ran a checkdsk, and it showed the messages very fast then rebooted -seemed to think the disk was ok, but maybe the fsutil was needed?

Thanks again for all your help, sorry I was MIA today.

Had a BSOD this morning: IRQL_NOT_LESS_OR_EQUAL, about five minutes after first boot, rebooted and ran fine all day.

Curson · « **Reply #13 on:** August 21, 2015, 12:21:15 AM »

Hi David,

Sorry, I made a mistake in the command.
However, since chkdsk didn't fix anything, we can assume the root cause of the BSODs is not linked to the filesystem.

Could you please regenerate a BlueScreenView log and copy/paste it in your next reply ?

Regards.

David Cawley · « **Reply #14 on:** August 21, 2015, 12:34:52 AM »

Here it is:
==================================================
Dump File : 082015-14492-01.dmp
Crash Time : 8/20/2015 7:02:28 AM
Bug Check String : IRQL_NOT_LESS_OR_EQUAL
Bug Check Code : 0x0000000a
Parameter 1 : fffffa7f`ffffffe0
Parameter 2 : 00000000`00000002
Parameter 3 : 00000000`00000001
Parameter 4 : fffff800`03a945f1
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+735c0
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7601.18939 (win7sp1_gdr.150722-0600)
Processor : x64
Crash Address : ntoskrnl.exe+735c0
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\Windows\Minidump\082015-14492-01.dmp
Processors Count : 8
Major Version : 15
Minor Version : 7601
Dump File Size : 302,101
Dump File Time : 8/20/2015 7:03:39 AM
==================================================

==================================================
Dump File : 081915-14367-01.dmp
Crash Time : 8/19/2015 6:24:00 AM
Bug Check String : NTFS_FILE_SYSTEM
Bug Check Code : 0x00000024
Parameter 1 : 00000000`001904fb
Parameter 2 : fffff880`093b7ce8
Parameter 3 : fffff880`093b7540
Parameter 4 : fffff880`01cd96c7
Caused By Driver : Ntfs.sys
Caused By Address : Ntfs.sys+4211
File Description : NT File System Driver
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7600.16385 (win7_rtm.090713-1255)
Processor : x64
Crash Address : ntoskrnl.exe+735c0
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\Windows\Minidump\081915-14367-01.dmp
Processors Count : 8
Major Version : 15
Minor Version : 7601
Dump File Size : 302,101
Dump File Time : 8/19/2015 6:39:52 AM
==================================================

==================================================
Dump File : 081815-14476-01.dmp
Crash Time : 8/18/2015 8:10:14 PM
Bug Check String : SYSTEM_SERVICE_EXCEPTION
Bug Check Code : 0x0000003b
Parameter 1 : 00000000`c0000005
Parameter 2 : fffff800`03d8c89e
Parameter 3 : fffff880`097ba670
Parameter 4 : 00000000`00000000
Caused By Driver : vwififlt.sys
Caused By Address : vwififlt.sys+4ad7670
File Description : Virtual WiFi Filter Driver
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7600.16385 (win7_rtm.090713-1255)
Processor : x64
Crash Address : ntoskrnl.exe+735c0
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\Windows\Minidump\081815-14476-01.dmp
Processors Count : 8
Major Version : 15
Minor Version : 7601
Dump File Size : 302,101
Dump File Time : 8/18/2015 8:27:29 PM
==================================================

==================================================
Dump File : 081715-14851-01.dmp
Crash Time : 8/17/2015 6:05:58 AM
Bug Check String : SYSTEM_THREAD_EXCEPTION_NOT_HANDLED
Bug Check Code : 0x1000007e
Parameter 1 : ffffffff`c0000005
Parameter 2 : fffff880`05432993
Parameter 3 : fffff880`079af638
Parameter 4 : fffff880`079aee90
Caused By Driver : rdbss.sys
Caused By Address : rdbss.sys+409f870
File Description : Redirected Drive Buffering SubSystem Driver
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7600.16385 (win7_rtm.090713-1255)
Processor : x64
Crash Address : rdbss.sys+1b22993
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\Windows\Minidump\081715-14851-01.dmp
Processors Count : 8
Major Version : 15
Minor Version : 7601
Dump File Size : 302,157
Dump File Time : 8/17/2015 6:07:22 AM
==================================================

==================================================
Dump File : 081615-14227-01.dmp
Crash Time : 8/16/2015 1:29:57 PM
Bug Check String : SYSTEM_SERVICE_EXCEPTION
Bug Check Code : 0x0000003b
Parameter 1 : 00000000`c0000005
Parameter 2 : fffff800`03d718ee
Parameter 3 : fffff880`0ea9bab0
Parameter 4 : 00000000`00000000
Caused By Driver : portcls.sys
Caused By Address : portcls.sys+d03dab0
File Description : Port Class (Class Driver for Port/Miniport Devices)
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7600.16385 (win7_rtm.090713-1255)
Processor : x64
Crash Address : ntoskrnl.exe+735c0
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\Windows\Minidump\081615-14227-01.dmp
Processors Count : 8
Major Version : 15
Minor Version : 7601
Dump File Size : 301,989
Dump File Time : 8/16/2015 1:30:36 PM
==================================================

==================================================
Dump File : 081415-14898-01.dmp
Crash Time : 8/14/2015 7:10:14 PM
Bug Check String : SYSTEM_SERVICE_EXCEPTION
Bug Check Code : 0x0000003b
Parameter 1 : 00000000`c0000005
Parameter 2 : fffff800`03ae0876
Parameter 3 : fffff880`0f669fd0
Parameter 4 : 00000000`00000000
Caused By Driver : dump_iaStor.sys
Caused By Address : dump_iaStor.sys+bc2bfd0
File Description :
Product Name :
Company :
File Version :
Processor : x64
Crash Address : ntoskrnl.exe+735c0
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\Windows\Minidump\081415-14898-01.dmp
Processors Count : 8
Major Version : 15
Minor Version : 7601
Dump File Size : 302,413
Dump File Time : 8/14/2015 7:11:12 PM
==================================================

==================================================
Dump File : 080515-15038-01.dmp
Crash Time : 8/5/2015 8:10:36 PM
Bug Check String : SYSTEM_SERVICE_EXCEPTION
Bug Check Code : 0x0000003b
Parameter 1 : 00000000`c0000005
Parameter 2 : fffff800`03dc22dc
Parameter 3 : fffff880`0965f0f0
Parameter 4 : 00000000`00000000
Caused By Driver : circlass.sys
Caused By Address : circlass.sys+405f0f0
File Description : Consumer IR Class Driver for eHome
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7600.16385 (win7_rtm.090713-1255)
Processor : x64
Crash Address : ntoskrnl.exe+748c0
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\Windows\Minidump\080515-15038-01.dmp
Processors Count : 8
Major Version : 15
Minor Version : 7601
Dump File Size : 302,157
Dump File Time : 8/5/2015 8:12:23 PM
==================================================

==================================================
Dump File : 072815-13774-01.dmp
Crash Time : 7/28/2015 3:48:35 PM
Bug Check String : SYSTEM_SERVICE_EXCEPTION
Bug Check Code : 0x0000003b
Parameter 1 : 00000000`c0000005
Parameter 2 : fffff960`001a8683
Parameter 3 : fffff880`0b0601e0
Parameter 4 : 00000000`00000000
Caused By Driver : win32k.sys
Caused By Address : win32k.sys+d8683
File Description : Multi-User Win32 Driver
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7600.16385 (win7_rtm.090713-1255)
Processor : x64
Crash Address : ntoskrnl.exe+748c0
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\Windows\Minidump\072815-13774-01.dmp
Processors Count : 8
Major Version : 15
Minor Version : 7601
Dump File Size : 303,637
Dump File Time : 7/28/2015 3:50:19 PM
==================================================

==================================================
Dump File : 072815-14086-01.dmp
Crash Time : 7/28/2015 7:12:38 AM
Bug Check String : SYSTEM_THREAD_EXCEPTION_NOT_HANDLED
Bug Check Code : 0x1000007e
Parameter 1 : ffffffff`c0000005
Parameter 2 : fffff800`03ab97c5
Parameter 3 : fffff880`058702e8
Parameter 4 : fffff880`0586fb40
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+6c7c5
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7601.18939 (win7sp1_gdr.150722-0600)
Processor : x64
Crash Address : ntoskrnl.exe+6c7c5
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\Windows\Minidump\072815-14086-01.dmp
Processors Count : 8
Major Version : 15
Minor Version : 7601
Dump File Size : 264,650
Dump File Time : 7/28/2015 7:13:06 AM
==================================================

==================================================
Dump File : 072815-13416-01.dmp
Crash Time : 7/28/2015 7:11:18 AM
Bug Check String : NTFS_FILE_SYSTEM
Bug Check Code : 0x00000024
Parameter 1 : 00000000`001904fb
Parameter 2 : fffff880`07bacc88
Parameter 3 : fffff880`07bac4e0
Parameter 4 : fffff880`01cd8c45
Caused By Driver : Ntfs.sys
Caused By Address : Ntfs.sys+4211
File Description : NT File System Driver
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7600.16385 (win7_rtm.090713-1255)
Processor : x64
Crash Address : ntoskrnl.exe+748c0
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\Windows\Minidump\072815-13416-01.dmp
Processors Count : 8
Major Version : 15
Minor Version : 7601
Dump File Size : 302,157
Dump File Time : 7/28/2015 7:12:04 AM
==================================================

==================================================
Dump File : 072515-14055-01.dmp
Crash Time : 7/25/2015 7:40:18 AM
Bug Check String : BUGCODE_USB_DRIVER
Bug Check Code : 0x000000fe
Parameter 1 : 00000000`00000005
Parameter 2 : fffffa80`0769b1a0
Parameter 3 : 00000000`80863b3c
Parameter 4 : fffffa80`094ec258
Caused By Driver : rdbss.sys
Caused By Address : rdbss.sys+a2dff2
File Description : Redirected Drive Buffering SubSystem Driver
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7600.16385 (win7_rtm.090713-1255)
Processor : x64
Crash Address : ntoskrnl.exe+748c0
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\Windows\Minidump\072515-14055-01.dmp
Processors Count : 8
Major Version : 15
Minor Version : 7601
Dump File Size : 354,061
Dump File Time : 7/25/2015 7:41:10 AM
==================================================

==================================================
Dump File : 071715-13634-01.dmp
Crash Time : 7/17/2015 6:29:41 AM
Bug Check String : KMODE_EXCEPTION_NOT_HANDLED
Bug Check Code : 0x0000001e
Parameter 1 : ffffffff`c0000005
Parameter 2 : fffff800`03bb2137
Parameter 3 : 00000000`00000000
Parameter 4 : ffffffff`ffffffff
Caused By Driver : fltmgr.sys
Caused By Address : fltmgr.sys+7072
File Description : Microsoft Filesystem Filter Manager
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7600.16385 (win7_rtm.090713-1255)
Processor : x64
Crash Address : ntoskrnl.exe+748c0
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\Windows\Minidump\071715-13634-01.dmp
Processors Count : 8
Major Version : 15
Minor Version : 7601
Dump File Size : 302,101
Dump File Time : 7/17/2015 6:30:05 AM
==================================================

==================================================
Dump File : 071115-12963-01.dmp
Crash Time : 7/11/2015 7:53:03 AM
Bug Check String : UNEXPECTED_KERNEL_MODE_TRAP
Bug Check Code : 0x0000007f
Parameter 1 : 00000000`00000008
Parameter 2 : 00000000`80050033
Parameter 3 : 00000000`000006f8
Parameter 4 : fffff800`038d4026
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+748c0
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7601.18939 (win7sp1_gdr.150722-0600)
Processor : x64
Crash Address : ntoskrnl.exe+748c0
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\Windows\Minidump\071115-12963-01.dmp
Processors Count : 8
Major Version : 15
Minor Version : 7601
Dump File Size : 301,930
Dump File Time : 7/11/2015 7:54:22 AM
==================================================

Author Topic: Help me understand? Antirootkit orange, no messages - VT.Unknown MBR code? (Read 19549 times)

David Cawley

Help me understand? Antirootkit orange, no messages - VT.Unknown MBR code?

Curson

Re: Help me understand? Antirootkit orange, no messages - VT.Unknown MBR code?

David Cawley

Re: Help me understand? Antirootkit orange, no messages - VT.Unknown MBR code?

Curson

Re: Help me understand? Antirootkit orange, no messages - VT.Unknown MBR code?

David Cawley

Re: Help me understand? Antirootkit orange, no messages - VT.Unknown MBR code?

Curson

Re: Help me understand? Antirootkit orange, no messages - VT.Unknown MBR code?

David Cawley

Re: Help me understand? Antirootkit orange, no messages - VT.Unknown MBR code?

Curson

Re: Help me understand? Antirootkit orange, no messages - VT.Unknown MBR code?

David Cawley

Re: Help me understand? Antirootkit orange, no messages - VT.Unknown MBR code?

Curson

Re: Help me understand? Antirootkit orange, no messages - VT.Unknown MBR code?

Aruval

Re: Help me understand? Antirootkit orange, no messages - VT.Unknown MBR code?

Curson

Re: Help me understand? Antirootkit orange, no messages - VT.Unknown MBR code?

David Cawley

Re: Help me understand? Antirootkit orange, no messages - VT.Unknown MBR code?

Curson

Re: Help me understand? Antirootkit orange, no messages - VT.Unknown MBR code?

David Cawley

Re: Help me understand? Antirootkit orange, no messages - VT.Unknown MBR code?