0x000000B4 (Video driver failed to initialize) on three computers today -- new spyware issue?

Posted on 2008-10-16
Last Modified: 2013-12-01
I'm a computer tech of 12 years, specializing in spyware removal.  Today we've had three separate customer computers hit the bench that have all had the same symptom -- they will either not boot into XP Home at all, or if they do, they will give "memory referenced" errors and not open the programs.  If you try to boot into "Last Known", same thing.  Any of the "safe mode" boot options return a BSOD, STOP 0x000000B4 "The video driver failed to initialize".  Also interesting is that the first three memory addresses after the stop error are different, but the fourth is always 0x00050000.

Two of the computers have been Dell systems, one was a custom-built one (not from us).  One has onboard video, two had video cards (both nVidia).  All three are Intel-based.  Two have XP Home, one has XP MCE 2005.

All of them said they were getting popups before it stopped working.  Is this a new virus/spyware that's going around and hitting fast?  We're not in a big area, and for three to hit the bench with this same problem before noon is pretty unbelievable.  I'm still working with getting them up and running, but figured I'd ask if anyone else is seeing this explode all of a sudden over the past few days.

EDIT: Not many points on this because I'm not particularly looking for a solution, just opening a discussion on the topic to see if this is something we should be watching for.
Question by:Zeromus-X

Expert Comment

ID: 22733709
Wish they would have told you what the pop-ups were. The first thing that comes to mind is MS updates. I believe they were pushed this past Tuesday. My systems at work and home received multiple updates. Perhaps this caused an issue?

Author Comment

ID: 22734130
I haven't gotten any of them up and running yet, so I'm not 100% sure.  If there was a major update that caused this, it would explain why I'm getting so many.  I only have three benches here and there are about ten in line, so it's quite possible that there are more exhibiting this same thing.

I've gotten one to the point where it'll boot to XP, but won't allow you to run any programs after about the first 20 seconds of being booted (just gives memory address instruction errors; can't run .exe or .com files... can run .bat but if they run any .exe or .com they crash).  I managed to sneak HijackThis into the Startup folder so that it runs within that ~20 second window, and the log file is clean -- no rogue services, files, etc to be seen.  I stuck a CMD in the startup too and if I navigate to the Windows or System32, there are thousands of files of the format xx???.exe, xx???32.exe, xx???.dll, xx???32.dll, where 'xx' is two letters and ??? are three seemingly random characters.  All of them have random file create dates and all of them have a file size of '0'.  Not hidden or anything.

ComboFix can't run using the startup folder trick because it basically just executes lots of GREP commands and such, it seems.  If I try to put any kind of antispyware programs in the startup, they run for about five seconds and then close automatically.  That's what most makes me think this is a malware issue.  I've tried SpySweeper, MalwareBytes' Anti-Malware, Spybot, Ad-Aware, even random programs like CWShredder close.  Oddly enough, HijackThis doesn't close.  And booting to safe mode is impossible due to the STOP error.

System file check didn't fix it, doing a repair checkdisk from the XP disc did nothing, and a repair install puts the computer into a situation where it can't finish Setup due to not being able to execute anything after a certain point.

Heck of a bug.

Accepted Solution

bertram_wilberforce_wooster earned 50 total points
ID: 22924501
Look for Trojan: TDSS.
I had almost identical symptoms on one of my customers' PCs today.
I moved the "infected" drive to a new build XP PC with the latest version of Malwarebytes installed.
I got Malwarebytes to scan the infected drive.  It found and dealt with 7 TDSS infections. It required a reboot to be sure they were destroyed.
Put the "infected" drive back where it belonged in my customer's PC and I am now able to boot to the customer's original Windows XP installation after 4 days of head scratching!
If this helps or you need any more guidance then please let me know.
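
A triage check for the file pattern described in the author comment above (zero-byte xx???.exe, xx???32.exe, xx???.dll and xx???32.dll files in the Windows and System32 folders), meant to be run from a clean workstation against the mounted drive, as in the accepted solution. This is an added example, not part of any post in the thread; treating the "random characters" as alphanumerics, the function names and the constructed sample tree are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Name shape from the post: two letters, three "seemingly random" characters,
# an optional "32", then .exe or .dll. Reading "random characters" as
# alphanumerics is an assumption.
NAME_RE = re.compile(r"^[a-z]{2}[a-z0-9]{3}(32)?\.(exe|dll)$", re.IGNORECASE)

def find_zero_byte_decoys(windows_dir):
    """Return sorted paths of 0-byte files matching NAME_RE in the Windows
    directory and its System32 subfolder (matched case-insensitively)."""
    root = Path(windows_dir)
    folders = [root] + [d for d in root.iterdir()
                        if d.is_dir() and d.name.lower() == "system32"]
    hits = []
    for folder in folders:
        for entry in folder.iterdir():
            try:
                # The size test matters: legitimate names such as ntdll.dll
                # or write.exe fit the same shape but are never empty.
                if (entry.is_file() and NAME_RE.match(entry.name)
                        and entry.stat().st_size == 0):
                    hits.append(entry)
            except OSError:
                continue  # unreadable entry on a damaged volume: skip it
    return sorted(hits)

def build_sample_tree(base):
    """Constructed sample data: a fake Windows directory with two real-looking
    system files, five empty files of the reported shape and one unrelated
    empty file."""
    win = Path(base) / "WINDOWS"
    sys32 = win / "system32"
    sys32.mkdir(parents=True)
    (sys32 / "ntdll.dll").write_bytes(b"MZ" + b"\0" * 62)
    (win / "write.exe").write_bytes(b"MZ" + b"\0" * 62)
    for name in ("qk3x9.exe", "qk3x932.exe", "ab7f2.dll", "ab7f232.dll"):
        (sys32 / name).touch()
    (win / "zt0p1.exe").touch()
    (sys32 / "empty.log").touch()  # zero bytes, but not the reported shape
    return win

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path in find_zero_byte_decoys(build_sample_tree(tmp)):
            print(path)
```

On a real drive, pass the mounted volume's Windows folder (for example the `WINDOWS` directory under the drive letter assigned on the bench PC) instead of the sample tree.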

Author Closing Comment

ID: 31506792
Wasn't really a question, per se, but I've got to give it to someone, and your reply is basically what we ended up doing on two of the systems... so anyone who is searching for this problem, have at it.
