
BSOD for no obvious reason

I have a computer that I recently sold.  A Dell Precision T3400 Workstation from a very reputable vendor.  It has now started to blue screen.  The error relates to watchdog.sys.  That is the most I can gather.

I have scanned the hard drives using Seatools, performed a virus scan and Malware scan.  Hardware and virus come back negative.  Malware came back with something and cleaned it.  If I scan again with Malware it shows nothing.  I had the machine in my possession for 1 1/2 days reloading it, installing new programs etc. with no issues.  I delivered it, installed the customer's software and backup software (Acronis) along with a USB drive and that evening they began to have problems.

The customer visits free adult content websites.  He knowingly has installed different stuff to gain access.  Because this is such an isolated incident I'm reluctant to believe it's hardware related.  Before I make this declaration I'd like to bounce this off of others to see what they think.  This puts me in an awkward situation because I just moved to the area and it's a very small town.  Thanks for any assistance you can offer.

Additionally, there may be some program I should be using to give me a better idea of the goings on in the PC other than checking the system logs but I don't know of anything else.

Only errors in the system log,
System Error = Error code 1000008e, parameter1 e0000001, parameter2 a7ce0925, parameter3 a252a8b8, parameter4 00000000.

pardm = Unable to get device object pointer for port object.

So far I have uninstalled and reinstalled Adobe Flash and the Nvidia drivers as a method of troubleshooting.  So far the system is still up and running but I just recently did this.  What I'm told is the machine will blue screen out of the blue.

The machine is a fresh install of Windows XP Professional with all updates installed.  Running Norton 360 and Malwarebytes.  The issues occurred before either program was installed.  In the beginning the machine only had Avast free.  The other notable piece of software is Logmein.  The machine has hung up a few times when I've entered it via Logmein but I've always been able to reconnect.  The customer has also installed webshots.
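
An added example, not part of the original post: a small parser for the "System Error" event text quoted above that names the bug check and labels its four parameters. The code table is a subset of Microsoft's documented bug check codes, and the function and field names are this example's own.

```python
import re

# Documented bug check codes (subset). The *_M codes have the same meaning
# and parameters as their base code.
BUGCHECKS = {
    0x0000007E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0x0000008E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED",
    0x000000EA: "THREAD_STUCK_IN_DEVICE_DRIVER",
    0x1000007E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M",
    0x1000008E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED_M",
    0x100000EA: "THREAD_STUCK_IN_DEVICE_DRIVER_M",
}
# Parameter meanings for bug check 0x8E / 0x1000008E.
PARAMS_8E = ("exception_code", "fault_address", "trap_frame", "reserved")

EVENT = re.compile(
    r"Error code ([0-9a-f]{8}),\s*parameter1 ([0-9a-f]{8}),\s*"
    r"parameter2 ([0-9a-f]{8}),\s*parameter3 ([0-9a-f]{8}),\s*"
    r"parameter4 ([0-9a-f]{8})", re.IGNORECASE)

# The event text exactly as posted in the question.
SAMPLE = ("Error code 1000008e, parameter1 e0000001, parameter2 a7ce0925, "
          "parameter3 a252a8b8, parameter4 00000000.")

def parse_bugcheck(event_text):
    """Return the decoded bug check, or None if the text is not such an event."""
    m = EVENT.search(event_text)
    if m is None:
        return None
    code, *params = (int(g, 16) for g in m.groups())
    result = {"code": code, "name": BUGCHECKS.get(code, "UNKNOWN"),
              "params": params}
    if (code & 0x0FFFFFFF) == 0x8E:
        detail = dict(zip(PARAMS_8E, params))
        status = detail["exception_code"]
        # NTSTATUS layout: bits 31-30 are severity, bit 29 is the
        # "customer-defined" flag (set for codes not defined by Microsoft).
        detail["severity"] = status >> 30
        detail["customer_defined"] = bool(status & 0x20000000)
        result["detail"] = detail
    return result

if __name__ == "__main__":
    print(parse_bugcheck(SAMPLE))
```

For the posted event, the exception code has the customer-defined bit set, so it is a status value chosen by whatever code raised it rather than a Microsoft-defined NTSTATUS such as 0xC0000005. The module that owns the fault address can only be identified from the minidump.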

Did you run a memory test?
http://www.memtest.org/

Author

Commented:
I have not.  Can I run this test or something of the sort in Windows vice booting to a CD?  I can remote into the machine and troubleshoot but physically being there isn't as easy.
It's really best to run from a boot CD, as then it can check all the RAM. I found this memtest that runs from within Windows, but it can't scan the RAM that Windows itself is using:
http://hcidesign.com/memtest/manual.html

However, a malware infection seems likely, or at least the after effects from a malware infection. Did you run Rkill before running Malwarebytes? It's possible that there's an infection that's protecting itself from detection and removal. Rkill will terminate any malware processes running so that malware removers can properly scan and remove infected files.
http://www.bleepingcomputer.com/download/anti-virus/rkill

You may also want to try a few other malware removal tools, such as Microsoft Safety Scanner or SuperAntiSpyware. They may detect something the others missed:
http://www.microsoft.com/security/scanner/en-us/default.aspx
http://www.superantispyware.com/


After making sure all malware is gone, you should do a system file check to make sure Windows has all the proper files it needs, and none were corrupted.
http://pcsupport.about.com/od/toolsofthetrade/ht/sfc-scannow.htm


You can also download the utility WhoCrashed to scan the minidumps created when Windows crashes; it may reveal a culprit:
http://www.resplendence.com/whocrashed

Author

Commented:
Thank you.  I will try these and repost.

Commented:
Or post the minidump here from windows\minidumps.
Since he visits adult sites, I would tighten his security settings to max:   http://25yearsofprogramming.com/blog/2008/20080524.htm

Author

Commented:
I'm going to replace the computer in an effort to please the customer.  I'm going to install VirtualBox on the new instance of XP and tell him to use it for surfing those sites.

How does this sound?
VirtualBox would require another OS in order to work. And since he's installing programs to view these sites, that other OS needs to be Windows, which would require buying another license. A little pricey.

Another option would be Sandboxie. He could view the sites in a sandboxed browser, and install programs within the sandbox, without any malware infecting outside the sandbox. It also allows for a quick wipe of the sandbox, something that's a little more difficult with the VM. The free version should be good enough for his use:
http://www.sandboxie.com/

Does he download and save any files from these sites (pics or videos)? You'll have to show him the extra steps he'll need to do to pull the files out of the sandbox or VM for keeping, in case he needs to wipe the sandbox/VM due to an infection.


Of course, he's still vulnerable to infections from regular sites. If you want to beef up that security beyond AV software, you could get him to use another browser besides IE, which in an XP admin account is really unsecure. Have him try either Google Chrome or Firefox. You could also install AdBlock in the browser, which typically blocks many malware sites in addition to ads. Finally, you could modify his PC to use OpenDNS, which will block known malware sites as well. Again, free OpenDNS is probably good enough for his use.
http://www.opendns.com/business-solutions/premium-dns/benefits/
 

Author

Commented:
Assuming I go the VB route, wouldn't this be the safest course to take?  Thank you!
It depends on whether or not you think of "safest" under the terms of how the client is going to use the solution. If the client doesn't understand how to use the solution properly, or finds it too complicated, they may make themselves inadvertently vulnerable, or may just stop using the solution and go back to their old methods, with all the associated risks. So the safest solution may not be the one that's technically the safest, but the one that the client is most likely to be able to use effectively and consistently.


From a technical standpoint, a VM would be a completely separate OS, meaning it'd be extremely hard, if not impossible, for the host machine to become infected. However, the VM is likely at a larger risk of being infected, which could affect at least the host's networking traffic, which could be monitored from an infected VM:
http://www.linuxpromagazine.com/Issues/2009/109/Security-Lessons

Since the VM is a separate OS, aside from the licensing issues, this would mean that the VM OS also needs to be updated and maintained. In addition, the use of a VM for high-risk activities is predicated on the idea that the VM will periodically be "wiped" or reverted back to a known clean state, which would also remove any OS updates made in the meantime. So a specific methodology of periodically reverting, updating, then re-snapshotting the VM is needed, which may be too complicated for your client to properly follow.

Then the client has to know when to use the VM, and when not to. How easy/fast is it to start the VM and browser inside it? Does the client know when to switch between the VM browser and regular browser, or at least wiping between these browser sessions? Granted, sandboxing solutions have this same issue.

Browsing inside a VM is going to be resource intensive. If the client is viewing videos, the processing strain in a VM is going to be greater. If the client can't get the quality of video viewing from within the VM, they may abandon it.

Before going with a full VM, you may want to look at virtualization solutions that provide a simple virtualized browser. Dell KACE is one solution:
http://www.kace.com/products/freetools/secure-browser/

BitBox is basically a customized and pre-configured VirtualBox and Linux VM for secure browsing:
http://www.tomsguide.com/us/firefox-linux-bitbox-secure-web-browser,news-11203.html



Sandboxing, on a technical level, may not be as separated from the OS as a VM, but on an XP system the separation made available may be "good enough", in the sense that no infection can escape it and can easily be wiped. There's no separate OS or browser to update and maintain. A sandboxed browser can typically be easily launched via a shortcut on the Desktop.

Sandboxing can also utilize multiple sandboxes more effectively than trying to utilize multiple VMs. You could utilize one sandbox for normal browsing, one for high-risk browsing, and one for high security browsing, like online banking. Having all browsing sandboxed is safer than only doing some browsing in a VM and the rest on the host.

Aside from the aforementioned Sandboxie, another sandboxing option is Bufferzone:
http://www.trustware.com/how-bufferzone-works/


You should definitely try out a few solutions yourself and figure out which will be the easiest for the client to use and maintain.

Author

Commented:
I think the client is smart enough to know when to use VM and not.  They would only use this for adult content viewing.  What I had planned was create the VM instance.  Once the OS is configured, create a snapshot.  That way if an infection occurs they can easily roll back to the saved uninfected instance.

I agree with your recommendation of making it simple.  I don't think VB is the simplest way for me but I do think it is the simplest way of managing the system for the customer.  They will likely intentionally/unintentionally install programs that shouldn't be there.  That's why I think VB is the best route.
What OS do you plan to install in the VM? If it's XP, do you have another license and key for the VM?

What I had planned was create the VM instance.  Once the OS is configured, create a snapshot.  That way if an infection occurs they can easily roll back to the saved uninfected instance.
This is somewhat ok, but if the client only has the original snapshot, the OS is never going to get updated. OS updates can help prevent the VM from getting infected, which is good even though the VM can be rolled back. So showing the client how to properly update the snapshot would be good.

Also, the VM should be rolled back periodically, even if there's no evidence of an infection, since it could be infected without him knowing it. This is especially true if there's no AV running inside the VM. Ideally, the VM would be rolled back every few days, at least. This may cause a problem if he's installing viewers to certain sites inside the VM, since he'll have to re-install them often.


Also, while getting him to use it for his adult content browsing is good, and certainly better than not using it, regular browsing is not without its risks. A study a year or so ago revealed that infected regular sites outnumbered infected adult sites by about 99:1:
http://www.avast.com/en-gb/pr-legitimate-websites-outscore-the-adult
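
The revert, update, re-snapshot cycle discussed in this thread, as an added example that is not part of the original posts: `revert` is the routine rollback, and `refresh_baseline` patches the guest from a clean state before replacing the baseline snapshot. The VM name, the `clean-<date>` snapshot naming and the injectable `run` parameter are assumptions of this example; the `VBoxManage` subcommands are VirtualBox's own.

```python
import subprocess
import time
from datetime import date

def vbox(*args):
    """Run VBoxManage and return its stdout; raises if the command fails."""
    return subprocess.run(["VBoxManage", *args], check=True,
                          capture_output=True, text=True).stdout

def vm_state(vm, run=vbox):
    """Read VMState from `showvminfo --machinereadable` output."""
    for line in run("showvminfo", vm, "--machinereadable").splitlines():
        key, _, value = line.partition("=")
        if key == "VMState":
            return value.strip('"')
    raise RuntimeError("VMState not reported for " + vm)

def revert(vm, clean, run=vbox):
    """Routine rollback: discard everything done since the clean snapshot."""
    if vm_state(vm, run) in ("running", "paused"):
        run("controlvm", vm, "poweroff")  # hard stop; this state is thrown away
    run("snapshot", vm, "restore", clean)

def refresh_baseline(vm, clean, today, run=vbox, poll=30):
    """Revert first, patch the clean guest, then replace the baseline."""
    new_clean = "clean-" + today.isoformat()
    if new_clean == clean:
        raise ValueError("baseline already refreshed today")
    revert(vm, clean, run)
    run("startvm", vm, "--type", "gui")
    # Operator installs OS and AV updates only (no browsing, no viewers from
    # sites) and shuts the guest down; wait for that before snapshotting.
    while vm_state(vm, run) != "poweroff":
        time.sleep(poll)
    run("snapshot", vm, "take", new_clean,
        "--description", "patched baseline, no browsing since revert")
    run("snapshot", vm, "delete", clean)  # merge the old baseline away
    return new_clean

if __name__ == "__main__":
    # "browse-vm" and "clean-initial" are placeholder names.
    print(refresh_baseline("browse-vm", "clean-initial", date.today()))
```

Reverting before patching is the point of the ordering: updates applied on top of a possibly infected session would bake that session into the new baseline.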

Author

Commented:
Licensing is taken care of.  The VM instance will only be used for Internet browsing.  It will however have virus protection and will remain current with updates.

As for getting infections from other sites, the customer will be using Malwarebytes and Norton 360.

This is a new computer that I have recently sold and installed.  I'm 100% certain that the BSODs are originating from software issues associated with some form of infection.  I'm performing all of these tasks, replacing the machine and configuring the OS in an effort to not only please the customer but to show them that these issues are originating from what they are doing.  Not the machine.

I'm not concerned about proving that I'm right, only in getting things working properly.  Replacing the machine and configuring it with VB will prove that it is their surfing habits when/if these problems happen again.  Thanks for your help thus far.  I'm awarding points but may repost for additional assistance.