Microsoft Antispyware locks up

Guest

Microsoft Antispyware is set to scan my computer daily. Each time it locks
up at the file C:\Windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe and I have to
manually shut down the computer and restart. Error message reporting to
Microsoft comes back - an unknown issue between Windows and Intel storage
driver. No other information is available. Any suggestions?
 
Bill Sanderson

I have a single system which has blue-screened twice in the last month
(since .701 came out) pointing to the Intel storage driver as a possible
cause.

There doesn't seem to be a newer version of that driver available.

I don't have a suggestion at this point. If scanning is locking up or
crashing the machine, I'd consider uninstalling.
 
Dave M

What Anti-Virus are you running? And when did you last run it?
Looks like it could be the Worm W32.Petch .. not Spyware. This file (if
legitimate) is from Microsoft.
You might do a search for that file and see what its properties tell you about
where it came from.
 
Guest

If I search this file, and click properties, I get a blue screen. I am
running Norton's antivirus (Internet Security).
 
Bill Sanderson

I'd suggest opening My Computer, right-clicking on the system drive, and
choosing Properties. Click on the Tools tab, and choose to do a chkdsk. I
believe it will need to be scheduled for the next restart.

Restart the computer to actually do the chkdsk. It will start, run the
chkdsk, and then restart normally.

I'm not at all sure what's going on here, but one possibility is file system
corruption.

--
 
Guest

My machine also crashes when I defragment the hard drive. I get the same
error reporting message about the Intel storage driver. That started before I
installed the antispyware program.
 
Dave M

Doctordan;
Please see this knowledgebase at Symantec...
http://securityresponse.symantec.com/avcenter/venc/data/w32.petch.html
You need to follow the removal instructions at the bottom of this page, do not
delay. Once it fully installs it can disable your security functions and prevent
restarting your system. What they don't tell you at Symantec is that this worm
replaces the legitimate ntkrnlpa.exe with an infected copy during the process.
You need to run a full AV scan and fix your restore process if you're on XP.
 
Guest

Thanks for your help. My virus program stays up to date. I am following the
instructions on the Symantec site, but it takes about an hour for a full
system scan. I'll report back later.
 
Bill Sanderson

This is well worth reading, but I'm still going for disk corruption.

If that bug had been fully installed, Windows won't run on reboot.

--
 
Dave M

Bill, of course you may be correct on this (and you probably are), but I think
that in this case it's wise to err on the side of caution and running an AV scan
sure won't hurt if that thing is halfway through an infection. I did a little
more research on it and apparently it was initiated by IRC chat. The loader was
a referral to a Britney.jpg (woohoo) site which turned out to be a malicious VB
script, followed by another different site replacing Media Player using a
JavaScript. Starting Media Player then did the real damage. Fortunately, the
original sites turn out to be long gone. Let's hope they haven't resurfaced, it
would have required a complete OS re-install if it had completed, maybe MSAS RTP
Script checkpoint saved him :) Roger on the reboot.

So if only ntkrnlpa.exe would have been compromised and needed removal, my
question is... what's appropriate?
A system restore to a point prior to his last known clean AV scan.
Or, would you just attempt repair of the single MS file first?
I know there were a whole bunch of OS files possibly involved with that Worm.
 
Bill Sanderson

I think I'd use SFC:

http://www.updatexp.com/scannow-sfc.html

as a start, at least. This can be problematical after an SP install,
however, but it won't hurt to try it.

I agree that if there's a chance that a virus is involved, a scan is the
first thing to do--so I hope that gets done. It is possible that the
lengthy time for the scan relates to whatever's wrong, as well.


--
 
Guest

I followed all of the instructions on the Symantec site (disable system
restore) and scanned for viruses. Nothing showed up. I ran chkdsk and it
crashed to a blue screen during stage 4 (verifying file data). I don't know
whether I have a failing hard drive or corrupted software. I called Dell but
the warranty is over and they weren't very helpful. Blue screen STOP:
0x0000000A (0x00000166, 0x00000002, 0x00000000, 0x804E5433)
 
Bill Sanderson

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q314063

This error can be caused by a driver. Driver, as a broad term, can
definitely include both Microsoft Antispyware's low level hooks, and an
antivirus.

The fact that it happens during CHKDSK is probably significant, but I don't
know what to make of that myself, I'm afraid. It worries me, because I
thought that CHKDSK ran before Windows loads all those drivers.

I think I'd try the broad areas that KB article suggests--update drivers for
hardware--maybe roll them back for any newly installed hardware, or remove
the hardware temporarily.

Simplify the software involved--maybe remove both antivirus and Microsoft
Antispyware for testing. See if you can get to a point where the system is
stable and doesn't crash.

The memory addresses in the crash message don't tell me anything, although
occasionally there will be a KB article searchable using more than just the
first one--you might try searching on 0x0000000A and checking all the
relevant articles to see if the more precise particulars match your message
any better.

A memory dump, and analysis of that using debugging tools, is really the way
to get at this. I've done this once or twice myself, but it's an art.



--
 
Tom Emmelot

Hello Doctordan,

Can you remove the file at the DOS prompt?
If not, can you download the KB890859 security update from the Microsoft site
and install it again, because the file you refer to is updated with that update!

Regards >*< TOM >*<

Doctordan wrote:
 
Guest

I reinstalled (repaired) Windows, and went through the multiple updates to
Windows. This seems to have solved the problem. Must have been some
corrupted files.
 
Simon Zerafa

Hi Guys,

A quick look at that BSOD error on Google finds this page:

http://castlecops.com/print-1-125774.html

Which details a STOP 0A error which might be related.

With that particular STOP Error:

0x0000000A (0x00000166, 0x00000002, 0x00000000, 0x804E5433)

I would be looking at Disk Controllers and their Drivers.

The thread on that web page above gives a suggested troubleshooting sequence
you could try.

HTH

Kind Regards

Simon
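
The four parameters of the STOP 0x0000000A line quoted in this thread have documented meanings (address referenced, IRQL, read/write, faulting instruction). The following is an added example, not part of any poster's message, that decodes them in Python; the function name is hypothetical and the 0x80000000 kernel boundary assumes the default 32-bit address split.

```python
import re

# Bug check 0x0A is IRQL_NOT_LESS_OR_EQUAL; its four parameters have fixed meanings.
IRQL_NAMES = {0: "PASSIVE_LEVEL", 1: "APC_LEVEL", 2: "DISPATCH_LEVEL"}
KERNEL_SPACE_START = 0x80000000  # assumption: default 2 GB/2 GB split on 32-bit Windows
FIRST_PAGE = 0x1000              # addresses below this are NULL plus a small offset

HEX32 = r"0x[0-9A-Fa-f]{8}"
STOP_RE = re.compile(
    r"(?:STOP:?\s*)?(" + HEX32 + r")\s*\(\s*((?:" + HEX32 + r"\s*,?\s*){4})\)")


def decode_stop_0a(text):
    """Return a dict describing a 32-bit STOP 0x0000000A line, or None."""
    m = STOP_RE.search(text)
    if not m:
        return None
    if int(m.group(1), 16) != 0x0A:
        return None  # parameter meanings differ for every bug check code
    referenced, irql, access, instruction = (
        int(p, 16) for p in re.findall(HEX32, m.group(2)))
    return {
        "bugcheck": "IRQL_NOT_LESS_OR_EQUAL",
        "referenced_address": referenced,
        # A tiny address usually means a NULL pointer plus a structure offset.
        "null_plus_offset": referenced < FIRST_PAGE,
        "irql": IRQL_NAMES.get(irql, "IRQL %d" % irql),
        # Bit 0 of parameter 3: 0 = read, 1 = write.
        "operation": "write" if access & 1 else "read",
        "faulting_instruction": instruction,
        "instruction_in_kernel_space": instruction >= KERNEL_SPACE_START,
    }


if __name__ == "__main__":
    # The STOP line as posted in this thread.
    line = "STOP: 0x0000000A (0x00000166, 0x00000002, 0x00000000, 0x804E5433)"
    for key, value in decode_stop_0a(line).items():
        shown = hex(value) if isinstance(value, int) and not isinstance(value, bool) else value
        print("%-28s %s" % (key, shown))
```

For the values posted here this reports a read of address 0x166 at DISPATCH_LEVEL by an instruction in kernel address space. Which driver or module owns that instruction cannot be read from the STOP line alone; that needs the memory dump.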
 
