
Can't Log In To Safe Mode, Bluescreen 0x000000f7 After About 5 Seconds, Malware Suspected


11 replies to this topic

#1 SomeCrazyStuff

Posted 07 September 2008 - 02:02 AM

OK, I am working on a laptop for a friend of mine. He has gotten some kind of malware on it. I had once before removed some stuff from it and told him it wasn't completely clean and what to do about it, but it would seem he has been back on the internet unprotected since then.

At the moment, when I log into regular mode I get a bluescreen listing a 0x000000f7 stop error, but it gives no details. Also, the bluescreen never takes longer than 30 seconds to occur, so there is no way to do any troubleshooting there.

When I try to log into safe mode, the screen barely changes at all before I get the same bluescreen as before.

The computer is a stock HP Pavilion dv1000. I do not know the exact specs of the computer other than that it is running XP Home SP2. The guy I'm working on it for isn't at all technically savvy, so it probably has just whatever was standard at the time he bought it.

Any help would be greatly appreciated.

Thanks in advance. :thumbsup:


#2 SomeCrazyStuff (Topic Starter)

Posted 07 September 2008 - 03:04 AM

Update: OK, I found some articles elsewhere online (thanks, Google) and I've decided my friend's laptop is victim to a buffer overrun attack. However, I'm not having any luck discovering the driver that's overrunning its buffer. Any ideas as to a way to figure this out?

Thanks for any help, suggestions or thoughts.

#3 usasma (BSOD Kernel Dump Expert)

Posted 07 September 2008 - 06:16 AM

You can attempt to locate the dump file that the BSOD generates, but since it's not booting into Windows you may not get one. Search the hard drive for files ending in .dmp and .mdmp. If you can locate them, perform an analysis on another computer using this procedure: http://forums.majorgeeks.com/showthread.php?t=35246 and copy/paste the results here for us to have a look at. The dump file may or may not have the driver named in it, and you won't be able to run Driver Verifier because you can't get into Windows.

Use a bootable CD with tools (such as a live Linux distro or the Ultimate Boot CD):
- clear out all temporary files using a tool on the CD
- move suspicious drivers to a temporary folder (so you can recover them later if you need them)
This is an attempt to "break" the loading of the driver (by changing the path to the bad driver) so you can get into Windows.
You can also submit the questionable drivers to http://virusscan.jotti.org/ to have them scanned for malicious traces.

The easy way out would be to back up their stuff (using the boot CDs above); don't forget to scan it with an updated anti-virus scanner!
Then break out the restore CDs, wipe the hard drive clean and start over fresh (this will wipe out the bad drivers).
If you don't have the restore CDs you can order them from HP for around $20 and will have them in 4 or 5 days (and it's a lot cheaper than a copy of XP).

FWIW, this could very well be a buffer overrun attack, but it could also be other things. Without being able to get into Windows there's not much that you can do, though.
My browser caused a flood of traffic, so my IP address was banned. Hope to fix it soon. Will get back to posting as soon as I'm able.

- John (my website: http://www.carrona.org/ ) If you need a more detailed explanation, please ask for it. I have the Knack. If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficulty reading posts. (23 Nov 2017) FYI: I am completely blind in the right eye and ~30% blind in the left eye. If the eye problems get worse suddenly, I may not be able to respond. If that's the case and help is needed, please PM a staff member for assistance.
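The procedure usasma lays out (find the .dmp/.mdmp files, sideline suspect drivers so they cannot load, hash them for an online scanner), as an added shell script for a live Linux CD. It is an example written for this page, not the poster's own tooling: the mount point /mnt/win and the file names built by make_sample_tree are assumptions and constructed data. STOP 0x000000F7 is DRIVER_OVERRAN_STACK_BUFFER, which is why the most recently modified drivers are listed first.

```shell
#!/bin/sh
# Offline triage of a Windows XP install that bluescreens before it boots,
# run from a live Linux CD. Added example for this thread, not the poster's
# own tooling. Assumption: the laptop's Windows partition is mounted
# read-write at the path passed as $1 (e.g. /mnt/win). Everything created by
# make_sample_tree is constructed test data.

# All crash dumps on the partition (full dumps and minidumps), for copying
# off and opening in WinDbg on another machine.
find_dumps() {
    find "$1" -type f \( -iname '*.dmp' -o -iname '*.mdmp' \) | sort
}

# Kernel drivers under system32\drivers; extra find predicates may follow $1.
find_drivers() {
    fd_root=$1; shift
    find "$fd_root" -type f -ipath '*/system32/drivers/*' -iname '*.sys' "$@"
}

# The $2 most recently modified drivers, newest first. STOP 0x000000F7 is
# DRIVER_OVERRAN_STACK_BUFFER, so a driver far newer than the rest of the
# install is the first candidate. ls -t sorts by mtime; `-exec ... {} +`
# passes every path to one ls call so the ordering spans all of them.
list_recent_drivers() {
    find_drivers "$1" -exec ls -t {} + | sed -n "1,${2}p"
}

# SHA-256 of every driver: look the hash up at an online scanner before
# uploading the file itself.
hash_drivers() {
    if command -v sha256sum >/dev/null 2>&1; then
        find_drivers "$1" -exec sha256sum {} +
    else
        find_drivers "$1" -exec shasum -a 256 {} +
    fi
}

# Break the load of a suspect driver without deleting it: move it to a
# quarantine folder and record its original path so it can be restored.
quarantine_driver() {   # $1 = partition root, $2 = full path of the driver
    q="$1/_quarantine"
    mkdir -p "$q"
    printf '%s\t%s\n' "$(basename "$2")" "$2" >> "$q/manifest.tsv"
    mv "$2" "$q/"
}

restore_driver() {      # $1 = partition root, $2 = driver file name
    q="$1/_quarantine"
    orig=$(awk -F'\t' -v n="$2" '$1 == n { p = $2 } END { print p }' "$q/manifest.tsv")
    [ -n "$orig" ] || return 1
    mv "$q/$2" "$orig"
}

# Constructed stand-in for a mounted XP partition so the script can be run
# offline; prints the temporary root. Names and timestamps are made up;
# unknown01.sys is the placeholder for a driver that appeared recently.
make_sample_tree() {
    root=$(mktemp -d)
    drv="$root/WINDOWS/system32/drivers"
    mkdir -p "$drv" "$root/WINDOWS/Minidump"
    printf 'PAGEDUMP' > "$root/WINDOWS/MEMORY.DMP"
    printf 'PAGEDUMP' > "$root/WINDOWS/Minidump/Mini090708-01.dmp"
    printf 'MZ' > "$drv/ntfs.sys";      touch -t 200408100000 "$drv/ntfs.sys"
    printf 'MZ' > "$drv/tcpip.sys";     touch -t 200408100001 "$drv/tcpip.sys"
    printf 'MZ' > "$drv/unknown01.sys"; touch -t 200809060200 "$drv/unknown01.sys"
    echo "$root"
}

# The read-only part of the triage, against a mounted partition.
triage() {
    echo "== crash dumps"
    find_dumps "$1"
    echo "== 5 most recently modified drivers"
    list_recent_drivers "$1" 5
    echo "== SHA-256 of every driver"
    hash_drivers "$1"
}

case "${1-}" in
    --demo) r=$(make_sample_tree); triage "$r"; rm -rf "$r" ;;
    "")     ;;                     # no argument: just define the functions
    *)      triage "$1" ;;         # e.g. sh triage.sh /mnt/win
esac
```

Run `sh triage.sh /mnt/win` from the live CD for the read-only pass, then call `quarantine_driver` by hand on whatever stands out; `--demo` runs the same pass against the constructed tree. Moving the file is exactly the "change the path to the bad driver" trick from the post, and the manifest in _quarantine lets you undo it if the machine still will not boot.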

#4 SomeCrazyStuff (Topic Starter)

Posted 08 September 2008 - 04:57 PM

Awesome ideas. I'll give them all a try, one by one of course, and post later what I find.

One quick question: how would I go about accessing the laptop hard drive on another computer? I would rather not pull the hard drive, and it's definitely not on any kind of network or anything. I know this is kind of a dumb question and I feel I should know this, but it's slipped my mind for the time being.

Thanks again for the response and ideas.

#5 usasma (BSOD Kernel Dump Expert)

Posted 08 September 2008 - 05:45 PM

You should be able to access the laptop's hard drive by using one of the boot disks that I mentioned in my previous post. I don't use them myself, so I can't recommend one (I use a customized, proprietary version of the Windows RE). These disks will let you access the files on the hard drive without having to use Windows (which is where the BSOD comes from).

The disk will boot another operating system (other than Windows), and it'll only reside in your memory - not on the hard drive. Using that, you should be able to copy the data to either an external hard drive, to a USB flash drive, or to CD/DVD media.

#6 SomeCrazyStuff (Topic Starter)

Posted 08 September 2008 - 05:58 PM

OK, so far I have booted to Safe Mode with Command Prompt, which actually didn't bluescreen on me. I launched Explorer from there and added the /bootlog and /sos switches to boot.ini via msconfig (wasn't too sure how else to do it). I rebooted and got the same blue screen. Now I'm going to see if I can view the log back in Safe Mode with Command Prompt. Will let y'all know what happens.
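Reading the log that the /bootlog switch writes, as an added shell example (not the poster's own steps, which stop at enabling the switch): Windows appends one session per boot to ntbtlog.txt in the Windows folder, each a header line followed by "Loaded driver" and "Did not load driver" entries, so the last entry of the final session is the last driver that started loading before the crash. The mount point /mnt/win is an assumption and the log produced by make_sample_bootlog is constructed, including the placeholder name unknown01.sys.

```shell
#!/bin/sh
# Name the last driver that loaded before a crash, from the ntbtlog.txt that
# the /bootlog switch writes into the Windows folder. Added example for this
# thread, not the poster's own steps. Assumption: the laptop's partition is
# mounted from a live CD, e.g. /mnt/win, so the log is
# /mnt/win/WINDOWS/ntbtlog.txt. The log built by make_sample_bootlog is
# constructed test data.

# Normalise the log: drop CR (CRLF line ends) and NUL bytes, so a UTF-16
# copy of the file reads as plain ASCII for the purposes of this script.
clean_log() {
    tr -d '\000\r' < "$1"
}

# Each boot appends a header line (product/service pack and date) followed
# by "Loaded driver ..." / "Did not load driver ..." entries. Any other
# non-empty line is treated as a session header; keep only the final session.
last_session() {
    clean_log "$1" | awk '
        !/^(Loaded driver|Did not load driver)/ && NF { buf = "" }
        { buf = buf $0 "\n" }
        END { printf "%s", buf }'
}

count_sessions() {
    clean_log "$1" | awk '!/^(Loaded driver|Did not load driver)/ && NF { n++ } END { print n + 0 }'
}

# The last "Loaded driver" entry of the final session. Caveat: the line is
# written when the driver starts loading, so the suspect is this driver or
# the one that would have loaded right after it (which never got logged).
last_loaded_driver() {
    last_session "$1" | awk '/^Loaded driver / { d = substr($0, 15) } END { print d }'
}

# Drivers the loader refused in the final session.
failed_drivers() {
    last_session "$1" | awk '/^Did not load driver / { print substr($0, 21) }'
}

# Constructed two-boot log: a full boot, then the boot that crashed early.
# CRLF line endings as Windows writes them. Driver names are illustrative;
# unknown01.sys is a placeholder for whatever shows up on the real machine.
make_sample_bootlog() {
    f=$(mktemp)
    printf '%s\r\n' \
        'Service Pack 2 9  6 2008 21:10:03.500' \
        'Loaded driver \WINDOWS\system32\ntoskrnl.exe' \
        'Loaded driver \WINDOWS\system32\hal.dll' \
        'Loaded driver \WINDOWS\system32\KDCOM.DLL' \
        'Loaded driver ACPI.sys' \
        'Loaded driver \WINDOWS\system32\DRIVERS\WMILIB.SYS' \
        'Loaded driver pci.sys' \
        'Loaded driver \SystemRoot\system32\DRIVERS\fltmgr.sys' \
        'Loaded driver \SystemRoot\System32\Drivers\Mup.sys' \
        'Service Pack 2 9  8 2008 17:55:34.500' \
        'Loaded driver \WINDOWS\system32\ntoskrnl.exe' \
        'Loaded driver \WINDOWS\system32\hal.dll' \
        'Loaded driver \WINDOWS\system32\KDCOM.DLL' \
        'Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS' \
        'Loaded driver \WINDOWS\system32\DRIVERS\unknown01.sys' > "$f"
    echo "$f"
}

report() {
    echo "== boot sessions in log: $(count_sessions "$1")"
    echo "== last session:"; last_session "$1"
    echo "== last driver to start loading: $(last_loaded_driver "$1")"
    echo "== drivers not loaded in that session:"; failed_drivers "$1"
}

case "${1-}" in
    --demo) f=$(make_sample_bootlog); report "$f"; rm -f "$f" ;;
    "")     ;;                    # no argument: just define the functions
    *)      report "$1" ;;        # e.g. sh bootlog.sh /mnt/win/WINDOWS/ntbtlog.txt
esac
```

Because sessions are appended, a log from a machine that has been rebooted many times is mostly history; only the final session describes the boot that just crashed, which is why the script isolates it before looking for the last "Loaded driver" line.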

#7 cryptodan

Posted 08 September 2008 - 06:07 PM

I just googled the stop error and a lot of the sites refer to a VirusHeat.exe file causing this Stop Error. Did you attempt to download any video codecs to view a movie?

#8 SomeCrazyStuff (Topic Starter)

Posted 08 September 2008 - 06:13 PM

Well, it's not my laptop, and no, I don't think the guy who owns the laptop would have figured out to do that for something; he uses it just for word processing. Yes, I Googled different stuff too and did see about that VirusHeat and also the Zlob viruses, and it very well may be one of those, but for now, until I can get it to boot, knowing that doesn't really help me. Once I can find the faulty driver and fix that, then I can run virus/spyware scanners and go from there.

Thanks for the thought, though. Any more? All info will help.

#9 cryptodan

Posted 08 September 2008 - 07:24 PM

> Well, it's not my laptop, and no, I don't think the guy who owns the laptop would have figured out to do that for something; he uses it just for word processing. Yes, I Googled different stuff too and did see about that VirusHeat and also the Zlob viruses, and it very well may be one of those, but for now, until I can get it to boot, knowing that doesn't really help me. Once I can find the faulty driver and fix that, then I can run virus/spyware scanners and go from there.
>
> Thanks for the thought, though. Any more? All info will help.

What I'd do is put the drive in your computer and run a virus scan on that drive.

#10 SomeCrazyStuff (Topic Starter)

Posted 08 September 2008 - 08:49 PM

> > Well, it's not my laptop, and no, I don't think the guy who owns the laptop would have figured out to do that for something; he uses it just for word processing. Yes, I Googled different stuff too and did see about that VirusHeat and also the Zlob viruses, and it very well may be one of those, but for now, until I can get it to boot, knowing that doesn't really help me. Once I can find the faulty driver and fix that, then I can run virus/spyware scanners and go from there.
> >
> > Thanks for the thought, though. Any more? All info will help.
>
> What I'd do is put the drive in your computer and run a virus scan on that drive.

Yeah, I would love to do that, but it is a laptop and he doesn't want me doing any operation on it, nor do his parents want me to format it, though I told them that since it has been compromised that would be the absolute best, because there is no way to tell if it has been completely cleaned, and if a rootkit has been downloaded then it will probably never be completely cleaned until it is formatted.

Right now I am trying to run an ESET online scan. It actually hasn't bluescreened since my last post (amazing). Hopefully this will grab and clean several things, or at least give me a malware name to do further research on. Also, I tried to do the MS debugger thing that someone mentioned and it tells me that, even logged on as administrator, I don't have the permissions to install stuff.

Whatever he got on it is a nasty one, because it would seem it has gone and changed all the permissions along with making backdoors for whatever else.

Keep giving me ideas; they really help a lot.

#11 SomeCrazyStuff (Topic Starter)

Posted 08 September 2008 - 11:18 PM

Just finished a Malwarebytes scan and it gave me 76 infections, including trojan.vundo.h, trojan.vundo, trojan.zlob, trojan.bho, trojan.agent, trojan.avkiller, adware.bho, malware.trace, trojan.extension.exploit, rogue.link, and trojan.dnschanger.

Now let's see what it can clean up.

#12 SomeCrazyStuff (Topic Starter)

Posted 09 September 2008 - 12:06 AM

Alright, my last reply here, as I am now getting some help on majorgeeks.com. After letting Malwarebytes clean things up, I rebooted and disabled System Restore, then ran it again, revealing 10 more infections, which I listed in my topic on majorgeeks.com. I will continue with their listed guide to cleaning up computers and see what I get.

Thanks to everyone who offered help and/or advice and ideas; they all helped me get from point to point. If you want to follow what I do next, I will be posting updates here:

http://forums.majorgeeks.com/showthread.ph...d=1#post1210861

Again, thanks for the help and ideas.



