
Help! Coincidence or Virus or ???

greymist

Lurker Extraordinaire
My wife called me at work, advising her PC at home was showing a BSOD. I get home and reboot, sure enough BSOD with message STOP: 0x0000007F. I boot into Safe Mode, and it works, I try restoring to a point from last night, reboot same BSOD. Her PC is running Win XP Pro SP2.

I decide to use my PC to Google the Stop message, fire it up: BSOD, STOP: 0x0000007F!! My PC is running Win 2000 with most recent SP.

The PCs are networked so something could have got from one to the other, and we use a shared e-mail address so we both get the same messages. We have received a number of PDFs and a couple of JPGs in the shared mailbox, but all were expected, nothing weird.

The MS KB indicates that this STOP message relates to a hardware or software malfunction, but I find it unlikely that 2 PCs would experience a malfunction, especially given that both worked fine yesterday, and my wife's PC was shut down since yesterday night, and I turned mine off early this morning. Both use an APC UPS. And there are no indications that a power surge occurred while we were at work.

I came across a Symantec page which indicated this STOP message might be due to the limited amount of kernel space for kernel drivers. While this page discusses a specific issue with Norton AV (which I don't use) I did note that when my wife's PC booted in Safe Mode it did not load any of the usual apps into the System Tray, including ZoneAlarm and AVG Anti-Virus. AVG is set to auto-update on both PCs and I am wondering (hoping) that a recent update might have caused an issue.

Sorry for being long-winded, but if anyone has any ideas, I will be grateful, as I am stumped.
 



greymist

Lurker Extraordinaire
I did run one on the XP machine, with nothing untoward found, but I think I will run full scans on both machines, to see if anything pops up.
 

Rl'Halsinor

Explorer
As has been said, most Stop Errors are due to hardware conflicts - drivers specifically - and XP kernels. However, my particular Stop Error was due to my Sunbelt Kerio Firewall of all things. There is a tremendous place called TechSpot and after I downloaded my minidump someone read it for me and confirmed my suspicion that it was my software firewall. At first I thought it was either my Logitech mouse or my M-Audio 5.1 Revolution soundcard, but thank goodness all I have to do is update my firewall version.

Let us know what you find.
 

greymist

Lurker Extraordinaire
I have my fingers crossed that it is simply a software issue. On the XP box I ran AVG which found nothing, then I ran Trend Micro's online scan and it found a couple of items, which I deleted. Still get the STOP BSOD when I try to boot normally.

On the Win2000 box I booted into Safe Mode with Networking and I kept losing my Internet connection, but I have finally got the Trend Micro scan running and I am waiting for it to finish.

I will take a look at TechSpot, and I just downloaded HiJackThis using my laptop which is still working fine. I may try running that on one of the desktops and see if that reveals anything untoward.
 

silvermane

Explorer
Virus schvirus.

I am amazed how many people blame anything suspicious occurring on a computer on a virus, where in 99% of cases hardware or another user activity (or sometimes their own!) is the cause.

There was a girl in my office that came to me once saying her password does not work anymore (Win 2000). Obviously it must be a virus, she said. After I inspected her computer and searched for a long time for a Win 2000 rescue CD, she suddenly remembered that she fiddled with the password settings and set it to null. Of course I could log her in once I knew what's going on.
 

greymist

Lurker Extraordinaire
Silvermane, do you have any ideas on what could be the cause of the BSODs?

It is possible that there is a hardware issue, but what are the odds that a hardware issue hit two PCs at the exact same time? Especially given that both were working fine on Wednesday, and the BSOD appeared the first time both were booted on Thursday. I suppose there could be a problem with the router, to which both PCs are wired?

Both PCs run AVG and both are updated automatically, so it is possible that there was a bad update, but the laptop that I am using right now has the same AVG set up and no problem (although it is connected to the router wirelessly). And, when I booted the affected PCs in Safe Mode, I ran AVG to scan both PCs and it seemed to run OK, no BSOD or crash.

I am planning on trying to start the PCs with AVG disabled, and I will also do the same with ZoneAlarm, hopefully, as was the case with Rl'Halsinor, the problem might lie there. I'm not confident that ZoneAlarm will be the problem, because I don't have it set to update automatically, so I cannot see how it would suddenly turn "bad" unless we got a virus.

I should note that in both cases AVG returned an error when trying to read the MBR and in both cases it noted that the kernel was changed. This sounds like virus or rootkit activity to me, but I am by no means an expert.
 

Redrobes

First Post
All stop messages like this should be recorded in the event log with the program or driver that caused it. That would be a good starting point.
 


greymist

Lurker Extraordinaire
Redrobes, I just checked out the Event Viewer...mostly gibberish to me. Things like this after each reboot:

The TCP/IP NetBIOS Helper Service service depends on the AFD Networking Support Environment service which failed to start because of the following error:
No attempts to start the service have been made since the last boot.

OR

The System Event Notification service depends on the COM+ Event System service which failed to start because of the following error:
No attempts to start the service have been made since the last boot.

Rl'Halsinor, I did write down the STOP numbers: 0x0000007F. The four numbers in the parentheses that followed were all 0's, and the problem is described as an Unexpected Kernel Mode Trap. The MS KB indicates that this is usually a hardware issue.

I did manage to get both PCs working today! On the XP machine I simply restored to a point earlier than yesterday's restore, and it worked. On the Win2000 box I am still confused why it is working.

When I rebooted the W2000 box, it would get further into the startup than the XP box. My wallpaper would appear, the Quick Launch bar would populate, my desktop icons would appear, and the system tray would start to fill, then BSOD. I figured that something that was auto-starting was causing the problem. I used Mike Lin's Startup to kill Wallmaster and Stickies, and a few other things, and it booted!

I immediately ran BitDefender's rootkit detector which found nothing. I then ran rootkit revealer, and I got another BSOD. I rebooted and it started fine. I wonder if there is a rootkit on this machine which is evading detection?

I think I will have to reinstall Windows on the 2000 machine for sure, as it has not been done for at least 2 years, maybe 3. The XP box, I will keep my fingers crossed that it was a bad download on my wife's part, and that it does not happen again!!
 
