Vista Machine - Constant BSODs and Can't install Windows Updates

ClickRight

I have a computer which came in with complaints of slowness and spyware.

First thing I did was throw 2GB of RAM into the machine (It's a Gateway with only 1GB running Vista.)

When I first booted it, all I got was a black screen with a cursor. It's running Vista X86 WITH NO SERVICE PACKS (they won't install!)

I booted in safe mode and immediately found some spyware (Personal AV.) I ran through Combofix which found the UAC rootkit and a couple other things. (I was going to attach the log to this post, but when I went to open it Notepad says "The process cannot access the file because it is being used by another process" even though nothing is running and Unlocker can't unlock it.)

Anyways, I ran through ComboFix TWICE, MBAM TWICE, and did a manual check. MBAM found a few more pieces of the UAC rootkit, and Personal AV. My manual search returned nothing.

Now the problems:

  • CONSTANT 0x00000050 BSODS
    - I have looked at the minidumps but couldn't interpret them. None specified a driver and they all specified "ntkrpamp.exe" as the IMAGE_NAME.
    - This happens randomly, but most often during a windows update.
    - I have updated all the drivers (Chipset, video, NIC)
    - I have TESTED (Memtest - overnight) and REMOVED the 2GB of RAM I added - the problem persists.

  • Windows updates will not install
    - I tried to install Vista SP1, which gave a "0x80070002" error code. Of course I googled it but only got MS's advice, which I couldn't make work, and a bunch of people with ideas but no concrete solution. I'm still exploring some of these.
    - Automatic updates always fail and are usually interrupted by BSODs.
    - The updates you download are corrupt as well. For example, I downloaded the "Vista updates readiness tool" and when I launch the installer it says: "Installer encountered an error: 0x80070000d. The Data is invalid"

  • Most downloads are corrupt
    - For example, when I downloaded the graphics drivers, explorer refused to extract them and 7-zip threw an incomplete archive error. Downloading them again worked.
    - All downloaded windows updates produce an error during installation, whether downloaded from IE or Firefox.
    - HOWEVER, I downloaded and installed Firefox just fine.
    - I can't initiate a download from some websites in IE, but they will work in Firefox also.

Anyways, I'm going to run some rootkit scanners and see what I can come up with. Sorry for the lack of details in the post, it's time for bed and I've had it with this computer. I'll add more details when I have a better idea of what's going on.
 
With such bizarre results I would get any kind of boot disk that does not use the customer's hard drive and then run an assortment of programs to see if you still produce weird errors. Especially any kind of CPU testing or RAM testing, but also something that does some kind of I/O to media.

If it does then you have a hardware issue; if not then you can go further to tell if it's a subtle hard drive error or something with software.

But I would isolate the customer's drive and data from this to be sure it's not mobo/RAM/whatever acting flaky at random times.
 
My newbie advice (or rather a question)

Did you run chkdsk for bad sectors and errors?
And a SMART check?

Are there no errors in the ever impressive event viewer?
Or something "good" in whocrashed?
 
My newbie advice (or rather a question)

Did you run chkdsk for bad sectors and errors?
And a SMART check?

Are there no errors in the ever impressive event viewer?
Or something "good" in whocrashed?

The hard drive tested fine. However, I have cloned and replaced the HDD and SATA cable just to be safe and the issue persists.

The event log is FULL of 4357 events - "Windows servicing failed to complete the process of settings package KBXXXXXX (Update) into Stage(Staged) state."

Haven't looked into whocrashed yet.
 
I have a computer which came in with complaints of slowness and spyware.

First thing I did was throw 2GB of RAM into the machine (It's a Gateway with only 1GB running Vista.)

This is the part I question. I make it a point to never swap parts before verifying the issue. Just leaves out a lot of guesswork and questioning. I think the proper thing to do would have been leaving the machine as is and going from there, no matter how damn slow the machine is acting, until it's verified. It would be case in point if you got some DOA RAM that caused this whole thing and corrupted all your updates since you've been playing with it with a new unverified variable (new RAM) in the equation.
 
This is the part I question. I make it a point to never swap parts before verifying the issue. Just leaves out a lot of guesswork and questioning. I think the proper thing to do would have been leaving the machine as is and going from there, no matter how damn slow the machine is acting, until it's verified. It would be case in point if you got some DOA RAM that caused this whole thing and corrupted all your updates since you've been playing with it with a new unverified variable (new RAM) in the equation.

Thanks, but as I said I removed the new RAM and the issue persists. The customer also complained of BSODs so I don't believe they are related. I have also memtested the memory. However, my next post might shed some light on the issue....
 
UPDATE:

First something weird. When I cloned the hard drive and put the new one in, the RAID controller (Intel) complained of a broken RAID 0 mirror. Keep in mind there's only one hard drive in the computer. I just turned the HDD controller mode to IDE in the BIOS and it booted right up.

Another strange thing is I went for about 2 hours yesterday + OVERNIGHT with no BSODs. When you're using the computer, it'll generally BSOD a few times an hour.

Now, for the interesting bits: RootRepeal will not run. It gives the error:

FOPS - DeviceIoControl Error! Error Code = 0xc000000024 Extended Info (0x000000d8)

GMER can never finish a scan without BSODing, but it does detect rootkit activity before the BSOD.

So now I'm leaning towards a rootkit. I still can't open the ComboFix log either! Still looking into it.
 
Update: Now I can't run any exes. When I click them I get "illegal operation attempted on a registry key that has been marked for deletion."

I think this will be a N&P Job.
 
Would you not have found all rootkits when you mount the hard disk and scan?

As I understand it a rootkit can hide itself from the OS, but if it's not running it can't hide...?
 
Would you not have found all rootkits when you mount the hard disk and scan?

As I understand it a rootkit can hide itself from the OS, but if it's not running it can't hide...?

I agree, seems like you should be able to 'slave' the drive to another system and scan it that way with AVG, PrevX (haven't tried it, yet), McAfee (probably the best of the 'big ones'), Ad-Aware, MBAM, etc. Also, you can visually look for files this way, sorting reverse by date (date modified and also, date created). That's how I first found and fixed the 'UAC' and 'TDSS' viruses that hide themselves from the OS.
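One way to do the offline "sort reverse by date" check described above on a slaved drive, as an added example that is not part of the thread (the mount point, the suffix list and the sample files are assumptions):

```python
"""Offline triage of a slaved drive: list files modified in the last N days,
newest first. Added example, not from the thread; paths are assumptions."""
import os
import tempfile
import time

# File types worth a first look on an infected volume (assumed list).
SUSPECT_SUFFIXES = (".exe", ".dll", ".sys", ".tmp")

def recent_files(root, max_age_days=7, now=None, suffixes=SUSPECT_SUFFIXES):
    """Return (mtime, path) for files under root modified within
    max_age_days, newest first. Symlinks are never followed, so a link
    on the slaved volume cannot steer the walk onto the analysis machine."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    hits = []
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            if suffixes and not name.lower().endswith(suffixes):
                continue
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)  # lstat: do not dereference links
            except OSError:
                continue             # unreadable entry: skip, keep walking
            if st.st_mtime >= cutoff:
                hits.append((st.st_mtime, full))
    hits.sort(reverse=True)          # newest modification first
    return hits

def build_sample_volume(now):
    """Constructed stand-in for a mounted drive: a few files with backdated
    modification times, so the example runs offline."""
    root = tempfile.mkdtemp(prefix="slaved_volume_")
    sysdir = os.path.join(root, "Windows", "System32")
    os.makedirs(sysdir)
    ages = {"old_driver.sys": 40 * 86400, "fresh.dll": 3600,
            "dropper.exe": 2 * 86400, "notes.txt": 60}
    for name, age in ages.items():
        path = os.path.join(sysdir, name)
        open(path, "w").close()
        os.utime(path, (now - age, now - age))
    return root

if __name__ == "__main__":
    now = time.time()
    root = build_sample_volume(now)  # replace with the mount point, e.g. E:\
    for mtime, path in recent_files(root, max_age_days=7, now=now):
        print(time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime)), path)
```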
 