Help with possibly a worm in my Windows 7, and BSODS become an almost daily event

  • Question

  • Hi, I noticed back some weeks ago that applications on my machine, including the OS itself, were slowing down to ridiculously slow crawls. I mean it would take up to a minute for mouse events to register. Simple clicks to open Microsoft Word or any other operation took a significant amount of time. Moving the cursor from one end of the screen to another took more than 100 times the speed I was used to. In fact, I started getting BSODs on a regular basis at one time and had to get another computer. 
    When I try to power down the machine, I get a BSOD. When I open an application like MS Word to type, after a couple of types, the machine freezes up and then BSOD. When I try to surf the internet, after a couple of minutes of failing, a BSOD comes up. I got so confused I decided to focus on finding the problem rather than continuing to use it. 
    I set out to find the problem and since I know that worms are essentially the one infection that could hog resources, and cause the machine to slow down to such painful speeds, I decided to thoroughly scan all my machine files to find one. Among the virus scanning utilities I have used thus far are 
    a) Microsoft Security Essentials 
    b) Avast Professional (Both in Normal Full Scan and Boot Scans)
    c) MalwareBytes
    d) Windows Malicious Software Removal Tool (Both in Normal and Safe window modes)
    e) Microsoft Safety Scanner (Both in Normal and Safe window modes)
    Even after all of the above, nothing, not even a single virus or trojan caught. I did notice that the problem diminishes whenever I turn off my network scanning (via Avast), or when I turn the network off (as in disconnect totally from the internet). I did some research to find if Avast is the problem but it seems that is not the case. Whatever the problem, it persists, and I have spent yet another weekend scanning my machine thoroughly but still coming up empty. Any idea what could be the problem, and how I can fix this please? Thanks in advance
    Monday, December 12, 2011 10:14 PM

All replies

  • Sounds like it might not be a virus, can you upload the files in
    c:\windows\minidump to SkyDrive for further analysis,
     
     

    -- Mike Burr
    Technology
    Monday, December 12, 2011 10:49 PM
  • Is your system date off by a month? The latest dump I see in the archive
    is 11/18/11...
     
    It indicates that there is an issue with Avast or a memory corruption
    that likely needs the driver verifier to sort out,
     
     
    1: kd>  !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
     
    DRIVER_CORRUPTED_EXPOOL (c5)
    An attempt was made to access a pageable (or completely invalid) address at an
    interrupt request level (IRQL) that is too high.  This is
    caused by drivers that have corrupted the system pool.  Run the driver
    verifier against any new (or suspect) drivers, and if that doesn't turn up
    the culprit, then use gflags to enable special pool.
    Arguments:
    Arg1: 01803614, memory referenced
    Arg2: 00000002, IRQL
    Arg3: 00000001, value 0 = read operation, 1 = write operation
    Arg4: 8312e4c1, address which referenced memory
     
    Debugging Details:
    ------------------
     BUGCHECK_STR:  0xC5_2
     
    CURRENT_IRQL:  2
     
    FAULTING_IP:
    nt!ExAllocatePoolWithTag+4b7
    8312e4c1 897004          mov     dword ptr [eax+4],esi
     
    CUSTOMER_CRASH_COUNT:  1
     
    DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
     
    PROCESS_NAME:  AvastSvc.exe
     
    TRAP_FRAME:  a71c662c -- (.trap 0xffffffffa71c662c)
    ErrCode = 00000002
    eax=01803610 ebx=831446c0 ecx=8946dc50 edx=868d65d0 esi=83144840 edi=831446c4
    eip=8312e4c1 esp=a71c66a0 ebp=a71c66e8 iopl=0         nv up ei pl zr na pe nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
    nt!ExAllocatePoolWithTag+0x4b7:
    8312e4c1 897004          mov     dword ptr [eax+4],esi ds:0023:01803614=????????
    Resetting default scope
     
    LAST_CONTROL_TRANSFER:  from 8312e4c1 to 8304f5db
     
    STACK_TEXT:
    a71c662c 8312e4c1 badb0d00 868d65d0 8304c1fa nt!KiTrap0E+0x2cf
    a71c66e8 8301998b 00000000 00000040 656e6f4e nt!ExAllocatePoolWithTag+0x4b7
    a71c66fc 9272807a 00000000 00000040 356a5a94 nt!ExAllocatePool+0x15
    WARNING: Stack unwind information not available. Following frames may be wrong.
    a71c679c 9272846f 866c8760 a71c67d0 356a560c aswSP+0x507a
    a71c6b04 9272449b 85c31598 8690f100 0000006c aswSP+0x546f
    a71c6b78 927245c4 85c31598 8690f100 0000006c aswSP+0x149b
    a71c6bb0 92728c1a 86d7e030 00000000 86d7e030 aswSP+0x15c4
    a71c6bc4 927295de 86d7e030 85bef7d8 356a56f4 aswSP+0x5c1a
    a71c6bfc 8304558e 86d7e030 85bef7d8 85bef7d8 aswSP+0x65de
    a71c6c14 83238a31 85c31598 85bef7d8 85bef848 nt!IofCallDriver+0x63
    a71c6c34 8323bc03 86d7e030 85c31598 00000000 nt!IopSynchronousServiceTail+0x1f8
    a71c6cd0 8328249c 86d7e030 85bef7d8 00000000 nt!IopXxxControlFile+0x6aa
    a71c6d04 8304c1fa 00001410 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
    a71c6d04 777670b4 00001410 00000000 00000000 nt!KiFastCallEntry+0x12a
    0811cab4 00000000 00000000 00000000 00000000 0x777670b4
     STACK_COMMAND:  kb
     
    FOLLOWUP_IP:
    nt!ExAllocatePool+15
    8301998b 5d              pop     ebp
     
    SYMBOL_STACK_INDEX:  2
     
    SYMBOL_NAME:  nt!ExAllocatePool+15
     
    FOLLOWUP_NAME:  Pool_corruption
     
    IMAGE_NAME:  Pool_Corruption
     
    DEBUG_FLR_IMAGE_TIMESTAMP:  0
     
    MODULE_NAME: Pool_Corruption
     
    FAILURE_BUCKET_ID:  0xC5_2_nt!ExAllocatePool+15
     
    BUCKET_ID:  0xC5_2_nt!ExAllocatePool+15
     
    Followup: Pool_corruption
    ---------
     
     

    -- Mike Burr
    Technology
    Monday, December 12, 2011 11:18 PM
  • While attempting to run Verifier, another BSOD. :( 

    The IO manager has detected a violation by a driver that is being verified. The Faulty Driver that is being verified must be debugged and replaced with a working version

     

    I did reboot, and I am hoping to get the machine up and running soon 

    Monday, December 12, 2011 11:48 PM
  • I tried to restart the machine again, after the previous BSOD, and yet another BSOD, same message above. I think I may have 2 dump files for you, but it seems restarting after setting Verifier is leading to something else now. 

    Tuesday, December 13, 2011 12:01 AM
  • Hi Mike, 

     

    I tried several times to restart my machine with verifier enabled and each time I got BSODs. I am looking at my 4th one in the last hour and I think it is safe to conclude that having that utility enabled causes this to happen. 

     

    I have updated SkyDrive with the 2 new dump files that were generated. 

     

    https://skydrive.live.com/#cid=5EC36877C8A41287&id=5EC36877C8A41287%21120

    Please see if this helps

    Thanks

    Tuesday, December 13, 2011 12:28 AM
  • Hi DataByter,

    If you're still having trouble with the verifier.exe BSODing your PC, you need to boot to safe mode and in the "Search programs and files" box type verifier /reset.

    I've been checking out your Dump files. The last 2 BSODs that verifier forced seem to be pointing to USB drivers. By any chance do you have Virtual PC installed?


    • Edited by jayquigley Tuesday, December 13, 2011 2:30 AM
    Tuesday, December 13, 2011 2:27 AM
  • Hi,
     
    As a first troubleshooting step, can you update the BIOS? The verifier-
    enabled dumps seemed to be pointing to the Windows driver for human
    interface devices (keyboard/mouse/etc)
     
     
    1: kd>  !sysinfo machineid
    Machine ID Information [From Smbios 2.4, DMIVersion 0, Size=731]
    BiosVendor = Hewlett-Packard
    BiosVersion = F.51
    BiosReleaseDate = 02/26/2008
    SystemManufacturer = Hewlett-Packard
    SystemProductName = HP Pavilion dv9700 Notebook PC
    SystemFamily = 103C_5335KV
    SystemVersion = Rev 1
    SystemSKU = KC351UAR#ABA
    BaseBoardManufacturer = Quanta
    BaseBoardProduct = 30CB
    BaseBoardVersion = 79.29
     

    -- Mike Burr
    Technology
    Tuesday, December 13, 2011 3:32 AM
  • Thanks for the fix on resetting verifier. I don't have Virtual PC installed on the machine. 
    Tuesday, December 13, 2011 3:45 AM
  • Mike, 

     

    I successfully updated the BIOS and tried again setting VERIFIER, but I still get the BSOD right when the Windows boot begins and is about to show the login screen.  

    I will reset it again now.

    Tuesday, December 13, 2011 3:14 PM
  • OK, Can you upload the latest dump files? Thanks
     
     

    -- Mike Burr
    Technology
    Tuesday, December 13, 2011 3:49 PM
  • I have uploaded today's dump on there. https://skydrive.live.com/?cid=5EC36877C8A41287&id=5EC36877C8A41287%21120

     

    I did notice that all the other dump files have been deleted, i.e. it seems Windows is deleting previously created dump files (at least all those generated yesterday are now gone). Is this normal? 

    Tuesday, December 13, 2011 6:11 PM
  • Hi,
     
    Typically no, are you using a tool that creates a zip file for you?
     
    I looked at the latest dump and it was referencing the HID device driver
    again. I was wondering if we could try something, Please enable driver
    verifier and configure your system for kernel memory dumps (instead of
    small memory dumps),
     
     
    By default, the kernel memory dump will be in c:\windows\memory.dmp
    instead of c:\windows\minidump
     
    To upload the kernel memory dump, you may need to split the dump into
    smaller files,
     
     

    -- Mike Burr
    Technology
    Wednesday, December 14, 2011 6:31 PM
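The reply above asks for the kernel memory dump to be split into smaller files before upload. The following is an added example, not code from the thread or from any Microsoft tool, showing one way to do that while keeping the dump verifiable: each chunk is hashed with SHA-256 so the person reassembling it can detect a truncated or altered piece before analysing it. The file names (`MEMORY.DMP`, `rebuilt.dmp`) and the chunk size are assumptions chosen for the demo; the round-trip functions build a constructed pseudo-dump in a temporary directory so the example runs offline.

```python
"""Split a crash dump into hash-verified chunks and reassemble it (added example)."""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 so large dumps are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def split_file(src, chunk_size):
    """Write src as src.000, src.001, ... each at most chunk_size bytes.

    Returns (chunk_paths, manifest); the manifest maps chunk path -> SHA-256 and
    is what the receiving side needs to check the pieces before joining them.
    """
    chunks, manifest = [], {}
    with open(src, "rb") as f:
        index = 0
        while True:
            data = f.read(chunk_size)
            if not data:
                break
            part = f"{src}.{index:03d}"
            with open(part, "wb") as out:
                out.write(data)
            chunks.append(part)
            manifest[part] = hashlib.sha256(data).hexdigest()
            index += 1
    return chunks, manifest


def join_chunks(chunks, manifest, dst):
    """Reassemble dst from chunks in order; refuse any chunk whose hash does not match."""
    with open(dst, "wb") as out:
        for part in chunks:
            with open(part, "rb") as f:
                data = f.read()
            if hashlib.sha256(data).hexdigest() != manifest[part]:
                raise ValueError(f"{part}: hash mismatch, chunk was altered or truncated")
            out.write(data)
    return sha256_of(dst)


def demo_roundtrip(size=5 * 1024 + 17, chunk_size=1024):
    """Split a constructed pseudo-dump and rebuild it; True if the rebuilt file matches."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "MEMORY.DMP")  # constructed sample, not a real dump
        with open(src, "wb") as f:
            f.write(os.urandom(size))
        chunks, manifest = split_file(src, chunk_size)
        dst = os.path.join(tmp, "rebuilt.dmp")
        return len(chunks) == 6 and join_chunks(chunks, manifest, dst) == sha256_of(src)


def demo_tamper_detected(size=3 * 1024, chunk_size=1024):
    """Flip one byte in a chunk and confirm join_chunks refuses to reassemble it."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "MEMORY.DMP")  # constructed sample, not a real dump
        with open(src, "wb") as f:
            f.write(os.urandom(size))
        chunks, manifest = split_file(src, chunk_size)
        with open(chunks[1], "rb") as f:
            data = f.read()
        with open(chunks[1], "wb") as f:  # simulate corruption in transit
            f.write(bytes([data[0] ^ 0xFF]) + data[1:])
        try:
            join_chunks(chunks, manifest, os.path.join(tmp, "rebuilt.dmp"))
        except ValueError:
            return True
        return False


if __name__ == "__main__":
    print("round trip ok:", demo_roundtrip())
    print("tamper detected:", demo_tamper_detected())
```

The manifest should travel with the chunks (or be posted alongside the download link) so the analyst can confirm the pieces before spending time on a dump that was silently truncated by the upload tool.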
  • While I am trying to do what you ask, I am still getting BSODs. However, since you mention HID, I do see here that the Technical information display on my BSOD screen does say 

     

    HIDCLASS.SYS - Address 9671FA8c base at 9671D000, DateStamp 4ce79c09.

     

    Is this by any chance what you are referring to?

    Wednesday, December 14, 2011 10:34 PM
  • Yep, that's it.
     

    -- Mike Burr
    Technology
    Wednesday, December 14, 2011 10:46 PM
  • I was finally able to get the machine to stop throwing BSODs long enough to get the dump out .  . . MEMORY.7z it is called

    https://skydrive.live.com/?cid=5EC36877C8A41287&id=5EC36877C8A41287%21120 

    Thursday, December 15, 2011 1:32 AM
  • Looks like it might be related to the HP Remote Control HID. The
    particular driver is from 2007, so there may be a newer version of it if
    you go to HP's site and look at the downloads for your computer model. An
    alternative might be to disable the driver and analyze the next dump,
     
     
    0: kd>  !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
     
    DRIVER_VERIFIER_IOMANAGER_VIOLATION (c9)
    The IO manager has caught a misbehaving driver.
    Arguments:
    Arg1: 00000220, IRP_MJ_SYSTEM_CONTROL has been completed by someone other than the ProviderId.
        This IRP should either have been completed earlier or should have been passed
        down.
    Arg2: 9671fa8c, The address in the driver's code where the error was detected.
    Arg3: a58fee00, IRP address.
    Arg4: 8b4be6a0, ProviderId.
     
    Debugging Details:
    ------------------
     BUGCHECK_STR:  0xc9_220
     
    DRIVER_VERIFIER_IO_VIOLATION_TYPE:  220
     
    FAULTING_IP:
    HIDCLASS!HidpMajorHandler+0
    9671fa8c 8bff            mov     edi,edi
     
    FOLLOWUP_IP:
    HIDCLASS!HidpMajorHandler+0
    9671fa8c 8bff            mov     edi,edi
     
    IRP_ADDRESS:  a58fee00
     
    DEVICE_OBJECT: 8d9cdd40
     
    DRIVER_OBJECT: 91f2b1b8
     
    IMAGE_NAME:  HpqRemHid.sys
     
    DEBUG_FLR_IMAGE_TIMESTAMP:  4694f78d
     
    MODULE_NAME: HpqRemHid
     
    FAULTING_MODULE: 9671b000 HpqRemHid
     
    DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
     
    PROCESS_NAME:  System
     
    CURRENT_IRQL:  2
     
    LOCK_ADDRESS:  831b5c00 -- (!locks 831b5c00)
     
    Resource @ nt!PiEngineLock (0x831b5c00)    Exclusively owned
        Contention Count = 1
        NumberOfExclusiveWaiters = 1
         Threads: 859c5020-01<*>
         Threads Waiting On Exclusive Access:
                  859c4d48
     
    1 total locks, 1 locks currently held
     
    PNP_TRIAGE:
        Lock address  : 0x831b5c00
        Thread Count  : 1
        Thread address: 0x859c5020
        Thread wait   : 0xa71
     
    LAST_CONTROL_TRANSFER:  from 83385f03 to 8312deb4
     
    STACK_TEXT:
    887276ac 83385f03 000000c9 00000220 9671fa8c nt!KeBugCheckEx+0x1e
    887276cc 833882cd 9671fa8c 88727708 9671fa8c nt!VerifierBugCheckIfAppropriate+0x30
    887276e4 833885c7 00000220 9671fa8c 8b4be6a0 nt!ViErrorFinishReport+0xc9
    88727760 8338f459 00000220 a58fee00 a58fef90 nt!VfErrorReport10+0x54
    8872777c 83387f43 8dcef620 8dcef580 00000001 nt!VfWmiVerifyIrpStackUpward+0x4a
    88727794 8338688b 8d9d4168 00000001 00000000 nt!VfMajorVerifyIrpStackUpward+0x3c
    887277c8 83380bfe c0000010 88727854 a58fef93 nt!IovpCompleteRequest2+0x8a
    887277f4 830c7913 8d9cdd40 a58fee00 8872786c nt!IovpLocalCompletionRoutine+0x75
    8872783c 83380b64 a58fefac 91f2d068 a58fee00 nt!IopfCompleteRequest+0x128
    887278a4 83104d7a 887278c0 9671f377 8d9cdd40 nt!IovCompleteRequest+0x133
    887278ac 9671f377 8d9cdd40 a58fee00 a58fefd0 nt!IopInvalidDeviceRequest+0x17
    887278c0 9671f3de 8d9cdd40 a58fee00 00000000 HIDCLASS!HidpCallDriver+0x3f
    887278dc 9671e0ce 8d9cddf8 a58fee00 8d9cddf8 HIDCLASS!HidpIrpMajorDefault+0x5c
    887278f4 9671fb5d 00000002 a58fee00 8dd09018 HIDCLASS!HidpIrpMajorSystemControl+0x48
    88727910 833806c3 009cdd40 00000017 a58fefd0 HIDCLASS!HidpMajorHandler+0xd1
    88727934 83086545 00000000 a58feff4 8d9cdd40 nt!IovCallDriver+0x258
    88727948 833923d0 8d96a6f8 a58fee00 91f3d160 nt!IofCallDriver+0x1b
    88727960 833806c3 91f3d218 a58fee00 a58feffc nt!ViFilterDispatchGeneric+0x5e
    88727984 83086545 00000000 88727a0c 91f3d160 nt!IovCallDriver+0x258
    88727998 83385bcc 00000004 00000017 00000000 nt!IofCallDriver+0x1b
    887279c4 8338f4f7 8b4be6a0 887279e8 00000001 nt!VfIrpSendSynchronousIrp+0xa5
    88727a10 8338811f 8b4e11f8 88727a9c 83200745 nt!VfWmiTestStartedPdoStack+0x48
    88727a1c 83200745 8b4be6a0 8b4e11f8 00000000 nt!VfMajorTestStartedPdoStack+0x48
    88727a9c 8320bfa3 00000001 00000000 8d9110c0 nt!PipProcessStartPhase3+0x427
    88727c94 831d7e14 859d0698 8d9110c0 88727cc8 nt!PipProcessDevNodeTree+0x2e6
    88727cd4 83063cfd 8d9110c0 831b3b20 859c5020 nt!PiProcessStartSystemDevices+0x6d
    88727d00 830cca6b 00000000 00000000 859c5020 nt!PnpDeviceActionWorker+0x241
    88727d50 83257fda 00000001 ae33e0c6 00000000 nt!ExpWorkerThread+0x10d
    88727d90 831001d9 830cc95e 00000001 00000000 nt!PspSystemThreadStartup+0x9e
    00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19
     STACK_COMMAND:  kb
     
    FOLLOWUP_NAME:  MachineOwner
     
    FAILURE_BUCKET_ID:  0xc9_220_VRF_IMAGE_HpqRemHid.sys
     
    BUCKET_ID:  0xc9_220_VRF_IMAGE_HpqRemHid.sys
     
    Followup: MachineOwner
    ---------
     
    0: kd>  lmvm HpqRemHid
    start    end        module name
    9671b000 9671cc00   HpqRemHid   (deferred)
        Image path: \SystemRoot\system32\DRIVERS\HpqRemHid.sys
        Image name: HpqRemHid.sys
        Timestamp:        Wed Jul 11 09:30:21 2007 (4694F78D)
        CheckSum:         00009287
        ImageSize:        00001C00
        File version:     1.0.0.0
        Product version:  6.0.6000.16386
        File flags:       8 (Mask 3F) Private
        File OS:          40004 NT Win32
        File type:        3.7 Driver
        File date:        00000000.00000000
        Translations:     0409.04b0
        CompanyName:      Hewlett-Packard Development Company, L.P.
        ProductName:      HP Remote Control HID Device
        InternalName:     HpqRemHid.sys
        OriginalFilename: HpqRemHid.sys
        ProductVersion:   1.0.0.0
        FileVersion:      1.0.0.0 built by: WinDDK
        FileDescription:  HP Remote Control HID Device
        LegalCopyright:   © Copyright 2007 Hewlett-Packard Development Company, L.P
     
     

    -- Mike Burr
    Technology
    Thursday, December 15, 2011 3:31 PM
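The two `!analyze -v` listings in this thread (the 0xC5 pool-corruption crash in the AvastSvc.exe context and the 0xC9 verifier violation attributed to HpqRemHid.sys) are read the same way each time: bugcheck code, PROCESS_NAME, the first stack frame outside the Windows kernel, IMAGE_NAME when WinDbg could name a file, and the driver's link timestamp from `lmvm`. The following is an added example, not code from the thread or from WinDbg, of a small triage script that pulls those fields out of pasted debugger output. The embedded samples are constructed abridgements modelled on the listings above; the set of "generic" IMAGE_NAME values and the kernel-module list are assumptions for the demo, and the age check uses the thread's own December 2011 date as the reference rather than the current clock.

```python
"""Triage helper for pasted WinDbg '!analyze -v' and 'lmvm' output (added example)."""
import re
from datetime import datetime, timezone

# Windows kernel modules: a frame in these is rarely the culprit by itself,
# so triage looks for the first frame outside this set (assumed list).
KERNEL_MODULES = {"nt", "hal", "ntkrnlpa", "ntkrnlmp", "ntoskrnl"}
# IMAGE_NAME values WinDbg uses when it cannot attribute the crash to a file (assumed list).
GENERIC_IMAGES = {"pool_corruption", "memory_corruption", "unknown_image"}

FIELD_RE = re.compile(r"^([A-Z_]+):\s+(.+?)\s*$")
BUGCHECK_RE = re.compile(r"^([A-Z_]+) \(([0-9a-fA-F]+)\)\s*$")
FRAME_RE = re.compile(r"^(?:[0-9a-fA-F]{8} ){5}(\S+)$")
TIMESTAMP_RE = re.compile(r"^\s*Timestamp:\s+.*\(([0-9A-Fa-f]{8})\)")

# Constructed sample modelled on the first listing in the thread.
SAMPLE_C5 = """\
DRIVER_CORRUPTED_EXPOOL (c5)
Arguments:
Arg1: 01803614, memory referenced
Arg2: 00000002, IRQL

PROCESS_NAME:  AvastSvc.exe

STACK_TEXT:
a71c662c 8312e4c1 badb0d00 868d65d0 8304c1fa nt!KiTrap0E+0x2cf
a71c66e8 8301998b 00000000 00000040 656e6f4e nt!ExAllocatePoolWithTag+0x4b7
a71c66fc 9272807a 00000000 00000040 356a5a94 nt!ExAllocatePool+0x15
WARNING: Stack unwind information not available. Following frames may be wrong.
a71c679c 9272846f 866c8760 a71c67d0 356a560c aswSP+0x507a
a71c6c14 83238a31 85c31598 85bef7d8 85bef848 nt!IofCallDriver+0x63
 STACK_COMMAND:  kb

IMAGE_NAME:  Pool_Corruption
FAILURE_BUCKET_ID:  0xC5_2_nt!ExAllocatePool+15
"""

# Constructed sample modelled on the verifier listing in the thread.
SAMPLE_C9 = """\
DRIVER_VERIFIER_IOMANAGER_VIOLATION (c9)
Arguments:
Arg1: 00000220, IRP_MJ_SYSTEM_CONTROL has been completed by someone other than the ProviderId.

IMAGE_NAME:  HpqRemHid.sys
MODULE_NAME: HpqRemHid
PROCESS_NAME:  System

STACK_TEXT:
887276ac 83385f03 000000c9 00000220 9671fa8c nt!KeBugCheckEx+0x1e
887278c0 9671f3de 8d9cdd40 a58fee00 00000000 HIDCLASS!HidpCallDriver+0x3f
88727934 833806c3 00000000 a58feff4 8d9cdd40 nt!IovCallDriver+0x258
 STACK_COMMAND:  kb

FAILURE_BUCKET_ID:  0xc9_220_VRF_IMAGE_HpqRemHid.sys
"""

# Constructed sample modelled on the 'lmvm HpqRemHid' listing in the thread.
SAMPLE_LMVM = r"""start    end        module name
9671b000 9671cc00   HpqRemHid   (deferred)
    Image path: \SystemRoot\system32\DRIVERS\HpqRemHid.sys
    Timestamp:        Wed Jul 11 09:30:21 2007 (4694F78D)
    File version:     1.0.0.0
"""


def module_of(symbol):
    """'nt!ExAllocatePool+0x15' -> 'nt'; 'aswSP+0x507a' -> 'aswSP'."""
    return re.split(r"[!+]", symbol, maxsplit=1)[0]


def parse_analyze(text):
    """Collect the bugcheck header, KEY: value fields and STACK_TEXT frames."""
    info = {"fields": {}, "frames": []}
    in_stack = False
    for raw in text.splitlines():
        line = raw.strip()
        m = BUGCHECK_RE.match(line)
        if m:
            info["bugcheck"], info["code"] = m.group(1), int(m.group(2), 16)
            continue
        if line.startswith("STACK_TEXT:"):
            in_stack = True
            continue
        if in_stack:
            m = FRAME_RE.match(line)
            if m:
                info["frames"].append(m.group(1))
                continue
            if line and not line.startswith("WARNING"):
                in_stack = False  # first non-frame line ends the stack listing
        m = FIELD_RE.match(line)
        if m:
            info["fields"][m.group(1)] = m.group(2)
    return info


def suspect_module(info):
    """IMAGE_NAME when WinDbg named a real file, else the first non-kernel stack frame."""
    image = info["fields"].get("IMAGE_NAME", "")
    if image and image.lower() not in GENERIC_IMAGES:
        return image
    for sym in info["frames"]:
        if re.fullmatch(r"0x[0-9a-fA-F]+", sym):
            continue  # bare return address, no symbol to attribute
        mod = module_of(sym)
        if mod.lower() not in KERNEL_MODULES:
            return mod
    return None


def triage(text):
    """One-line summary dict for a pasted '!analyze -v' listing."""
    info = parse_analyze(text)
    return {
        "bugcheck": info.get("bugcheck"),
        "code": info.get("code"),
        "process": info["fields"].get("PROCESS_NAME"),
        "bucket": info["fields"].get("FAILURE_BUCKET_ID"),
        "suspect": suspect_module(info),
    }


def parse_lmvm_timestamp(text):
    """Driver link time (UTC) from the hex epoch WinDbg prints after the date."""
    for line in text.splitlines():
        m = TIMESTAMP_RE.match(line)
        if m:
            return datetime.fromtimestamp(int(m.group(1), 16), tz=timezone.utc)
    return None


def driver_age_years(link_time, reference):
    """Age of the driver at the time of the crash, in years."""
    return (reference - link_time).days / 365.25


if __name__ == "__main__":
    for sample in (SAMPLE_C5, SAMPLE_C9):
        print(triage(sample))
    linked = parse_lmvm_timestamp(SAMPLE_LMVM)
    print("driver age at crash: %.1f years" % driver_age_years(linked, datetime(2011, 12, 15, tzinfo=timezone.utc)))
```

The hex value in parentheses after the `lmvm` date is the raw link timestamp and is timezone-independent, which is why the script reads that rather than the human-readable date; the 0xC5 case shows why IMAGE_NAME alone is not enough, since WinDbg reports only `Pool_Corruption` there and the third-party module (`aswSP`) has to be taken from the first non-kernel frame.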
  • I disabled the HP remote control driver. However, I just got a BSOD again, but this time, it completes the memory dump writing and reboots on its own, rather than hang and wait for me to do it, as was the case before. 

    https://skydrive.live.com/?cid=5EC36877C8A41287&id=5EC36877C8A41287%21120

    Thursday, December 15, 2011 4:32 PM