0x000000B4 (Video driver failed to initialize) on three computers today -- new spyware issue?

Posted on 2008-10-16
Last Modified: 2013-12-01
I'm a computer tech of 12 years, specializing in spyware removal.  Today we've had three separate customer computers hit the bench that have all had the same symptom -- they will either not boot into XP Home at all, or if they do, they will give "memory referenced" errors and not open the programs.  If you try to boot into "Last Known", same thing.  Any of the "safe mode" boot options return a BSOD, STOP 0x000000B4 "The video driver failed to initialize".  Also interesting is that the first three memory addresses after the stop error are different, but the fourth is always 0x00050000.

Two of the computers have been Dell systems, one was a custom-built one (not from us).  One has onboard video, two had video cards (both nVidia).  All three are Intel-based.  Two have XP Home, one has XP MCE 2005.

All of them said they were getting popups before it stopped working.  Is this a new virus/spyware that's going around and hitting fast?  We're not in a big area, and for three to hit the bench with this same problem before noon is pretty unbelievable.  I'm still working with getting them up and running, but figured I'd ask if anyone else is seeing this explode all of a sudden over the past few days.

EDIT: Not many points on this because I'm not particularly looking for a solution, just opening a discussion on the topic to see if this is something we should be watching for.
Question by:Zeromus-X

Expert Comment

ID: 22733709
Wish they would have told you what the pop-ups were. The first thing that comes to mind is MS updates. I believe they were pushed this past Tuesday. My systems at work and home received multiple updates. Perhaps this caused an issue?

Author Comment

ID: 22734130
I haven't gotten any of them up and running yet, so I'm not 100% sure.  If there was a major update that caused this, it would explain why I'm getting so many.  I only have three benches here and there are about ten in line, so it's quite possible that there are more exhibiting this same thing.

I've gotten one to the point where it'll boot to XP, but won't allow you to run any programs after about the first 20 seconds of being booted (just gives memory address instruction errors; can't run .exe or .com files... can run .bat but if they run any .exe or .com they crash).  I managed to sneak HijackThis into the Startup folder so that it runs within that ~20 second window, and the log file is clean -- no rogue services, files, etc to be seen.  I stuck a CMD in the startup too and if I navigate to the Windows or System32, there are thousands of files of the format xx???.exe, xx???32.exe, xx???.dll, xx???32.dll, where 'xx' is two letters and ??? are three seemingly random characters.  All of them have random file create dates and all of them have a file size of '0'.  Not hidden or anything.

ComboFix can't run using the startup folder trick because it basically just executes lots of GREP commands and such, it seems.  If I try to put any kind of antispyware programs in the startup, they run for about five seconds and then close automatically.  That's what most makes me think this is a malware issue.  I've tried SpySweeper, MalwareBytes' Anti-Malware, Spybot, Ad-Aware, even random programs like CWShredder close.  Oddly enough, HijackThis doesn't close.  And booting to safe mode is impossible due to the STOP error.

System file check didn't fix it, doing a repair checkdisk from the XP disc did nothing, and a repair install puts the computer into a situation where it can't finish Setup due to not being able to execute anything after a certain point.

Heck of a bug.

Accepted Solution

bertram_wilberforce_wooster earned 50 total points
ID: 22924501
Look for Trojan: TDSS.
I had almost identical symptoms on one of my customers' PCs today.
I moved the "infected" drive to a new build XP PC with the latest version of Malwarebytes installed.
I got Malwarebytes to scan the infected drive.  It found and dealt with 7 TDSS infections. It required a reboot to be sure they were destroyed.
Put the "infected" drive back where it belonged in my customer's PC and I am now able to boot to the customer's original Windows XP installation after 4 days of head scratching!
If this helps or you need any more guidance then please let me know.

Author Closing Comment

ID: 31506792
Wasn't really a question, per se, but I've got to give it to someone, and your reply is basically what we ended up doing on two of the systems... so anyone who is searching for this problem, have at it.
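
Added example, not part of the original thread: a Python triage check for the zero-byte `xx???.exe` / `xx???32.dll` files the author describes, meant to be run from a clean machine against the Windows folder of the drive attached as in the accepted solution. Treating the three "random" characters as alphanumeric is an assumption, and the sample tree is constructed data.

```python
import os
import re
import tempfile

# Name shape from the thread: two letters, three "seemingly random" characters,
# optional "32", then .exe or .dll. Treating the random part as alphanumeric
# is an assumption; the thread does not say which characters appear.
DROPPED_NAME = re.compile(r"^[a-z]{2}[a-z0-9]{3}(32)?\.(exe|dll)$", re.IGNORECASE)

def find_zero_byte_droppings(windows_dir):
    """Return sorted paths of zero-byte files in windows_dir and its System32
    subfolder whose names match the pattern described in the thread."""
    hits = []
    # On a case-sensitive mount the folder may be spelled "system32"; adjust.
    for folder in (windows_dir, os.path.join(windows_dir, "System32")):
        if not os.path.isdir(folder):
            continue
        with os.scandir(folder) as entries:
            for entry in entries:
                if not entry.is_file(follow_symlinks=False):
                    continue
                if not DROPPED_NAME.match(entry.name):
                    continue
                # Size is the discriminator: real binaries share the name shape.
                if entry.stat(follow_symlinks=False).st_size == 0:
                    hits.append(entry.path)
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample data: a fake Windows folder with a mix of files."""
    sys32 = os.path.join(root, "System32")
    os.makedirs(sys32)
    samples = {
        os.path.join(root, "qk7x2.exe"): b"",        # matches, empty
        os.path.join(sys32, "abz9q32.dll"): b"",     # matches, empty
        os.path.join(sys32, "write.exe"): b"MZ",     # name fits, not empty
        os.path.join(sys32, "empty.log"): b"",       # empty, wrong extension
        os.path.join(sys32, "notepad.exe"): b"MZ",   # ordinary file
    }
    for path, data in samples.items():
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        win = os.path.join(tmp, "WINDOWS")
        build_sample_tree(win)
        for hit in find_zero_byte_droppings(win):
            print(hit)
```

A large hit count is a symptom to record, not a verdict; the thread's fix was still a full Malwarebytes scan of the drive from a clean system.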
