
BSOD please help


  • This topic is locked
39 replies to this topic

#1 Robert P

Robert P

  • Members
  • 74 posts
  • OFFLINE
  • Local time:06:57 PM

Posted 19 February 2010 - 08:28 AM

I have a Dell desktop that is running XP Media Center. The computer got infected with some viruses and I started to get them cleaned up; when I tried to boot into safe mode I got a BSOD. Then I proceeded with cleaning the viruses with Spybot and Malwarebytes in normal mode, but then I did a Windows update and one of the updates was a video card update. Upon restarting the PC I am now getting a BSOD when booting into both normal and safe modes. What can I do besides completely reloading Windows?

Thanks, Bob



#2 petewills

petewills

  • Members
  • 1,378 posts
  • OFFLINE
  • Gender:Male
  • Location:Birmingham, UK
  • Local time:01:57 AM

Posted 19 February 2010 - 09:01 AM

You should post in the XP forum and can you please post the BSOD message.

IMO, video driver downloads from Windows Update always end in tears.

Usually you could try uninstalling your video drivers and rebooting.

Windows should boot with the native display drivers.

You could then go to the site of your video card manufacturer
and download the updated drivers for your card.

First, we have to sort out getting the computer to boot in safe mode.

Your computer may still be infected and you may have to get help in the
Security Am I Infected? What Do I Do? forum.

The BSOD error message may give us a clue.



#3 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,318 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:03:57 AM

Posted 19 February 2010 - 09:31 AM

Hello Bob, this is possibly caused by a rootkit on your system that interferes with Windows Update.

We can diagnose/fix this by running a scan from a CD. This will require you download a 270 MB file and burn it to a CD.

Please let me know if you are okay with that.

Edited by elise025, 19 February 2010 - 09:31 AM.
typo

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#4 Robert P

Robert P
  • Topic Starter

  • Members
  • 74 posts
  • OFFLINE
  • Local time:06:57 PM

Posted 19 February 2010 - 11:00 AM

QUOTE(elise025 @ Feb 19 2010, 08:31 AM)
Hello Bob, this is possibly caused by a rootkit on your system that interferes with Windows Update.

We can diagnose/fix this by running a scan from a CD. This will require you download a 270 MB file and burn it to a CD.

Please let me know if you are okay with that.


Sure, what file do I need to download. Does that need to go onto a bootable CD then?

#5 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,318 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:03:57 AM

Posted 19 February 2010 - 11:16 AM

I am posting instructions below.

Just to let you know, I am moving this topic to the malware removal forum, because the tools we use are only allowed there.

OK, this file is big. Print these instructions out so that you know what you are doing.

Two programs to download

First

ISOBurner: this will allow you to burn the OTLPE ISO to a CD and make it bootable. Just install the program; from there on it is fairly automatic. Instructions

Second
  • Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 292Mb in size so it may take some time to download.
  • When downloaded double click and this will then open ISOBurner to burn the file to CD
  • Reboot your system using the boot CD you just created.

    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Change Drivers to Use Safelist
  • Press Run Scan to start the scan.
  • When finished, the file will be saved as C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.

regards, Elise




#6 Robert P

Robert P
  • Topic Starter

  • Members
  • 74 posts
  • OFFLINE
  • Local time:06:57 PM

Posted 19 February 2010 - 11:49 AM

I am unable to download the otlpe.iso because my SonicWALL firewall is blocking it; it is picking it up as a virus-infected file. Other options to get the file?

Thanks for your help, Bob

"This request is blocked by the SonicWALL Gateway Anti-Virus Service. Name: FraudPack.GHY (Trojan)"

Edited by Robert P, 19 February 2010 - 12:09 PM.


#7 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,318 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:03:57 AM

Posted 19 February 2010 - 12:31 PM

Well, I can assure you this file is NOT a virus, although it is true it might be picked up as such.

There really isn't any other way to get it. You can try to disable your firewall in order to download the file.

regards, Elise




#8 Robert P

Robert P
  • Topic Starter

  • Members
  • 74 posts
  • OFFLINE
  • Local time:06:57 PM

Posted 19 February 2010 - 01:11 PM

I was able to get it. I will follow the instructions and let you know.

Again, thanks for your help

#9 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,318 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:03:57 AM

Posted 19 February 2010 - 01:39 PM

Okay, good to hear that!

regards, Elise




#10 Robert P

Robert P
  • Topic Starter

  • Members
  • 74 posts
  • OFFLINE
  • Local time:06:57 PM

Posted 19 February 2010 - 05:43 PM

Here is the output file.

Thanks, Bob

#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,318 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:03:57 AM

Posted 20 February 2010 - 04:36 AM

Hello, I would appreciate it if you could paste logs in the reply box instead of attaching them.

Well, we have at least two rootkits on board: one we can fix right now, the other one only in Windows or using another CD. However, please consider the following first...

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


Please open OTLPE and copy/paste the text in the codebox below in the "custom scan/fix" box. Click "None" and then "Run scan". Post me the log afterwards.
CODE
/md5start
iastor.sys
/md5stop


regards, Elise




#12 Robert P

Robert P
  • Topic Starter

  • Members
  • 74 posts
  • OFFLINE
  • Local time:06:57 PM

Posted 20 February 2010 - 11:43 AM

I would like to try to fix this thing, at least so that I can get the data off of it. Here is the output file.

Bob

OTL logfile created on: 2/20/2010 10:29:51 AM - Run
OTLPE by OldTimer - Version 3.1.30.1 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 86.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 96.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 293.39 Gb Total Space | 260.80 Gb Free Space | 88.89% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 276.79 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO
Current User Name: SYSTEM
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
Using ControlSet: ControlSet001

========== Custom Scans ==========



< MD5 for: IASTOR.SYS >
[2006/10/10 14:03:48 | 000,246,784 | ---- | M] (Intel Corporation) MD5=019CF5F31C67030841233C545A0E217A -- C:\drivers\storage\R130118\iastor.sys
[2006/07/06 07:59:42 | 000,246,784 | ---- | M] (Intel Corporation) MD5=019CF5F31C67030841233C545A0E217A -- C:\i386\iaStor.sys
[2006/07/06 07:59:42 | 000,246,784 | ---- | M] (Intel Corporation) MD5=019CF5F31C67030841233C545A0E217A -- C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iaStor.sys
[2006/10/10 14:03:48 | 000,246,784 | ---- | M] (Intel Corporation) MD5=019CF5F31C67030841233C545A0E217A -- C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\iaStor.sys
[2006/07/06 08:01:32 | 000,484,864 | ---- | M] (Intel Corporation) MD5=6A3C354BFC163B81F6EF2FC421280DB5 -- C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys
[2006/07/06 07:59:42 | 000,246,784 | ---- | M] () MD5=F2C220AF0D5DE10896184080CCEDB407 -- C:\WINDOWS\system32\drivers\iaStor.sys
< End of report >


#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,318 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:03:57 AM

Posted 20 February 2010 - 12:01 PM

Please paste the text in the codebox below in OTLPE and click "run fix"
CODE
:files
C:\WINDOWS\system32\drivers\iaStor.sys|C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\iaStor.sys /replace

Afterwards, try to boot normally.

regards, Elise


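The MD5 custom scan in post #11 and the `:files ... /replace` fix in post #13 together are a small but instructive piece of driver forensics: every copy of iaStor.sys on the disk (the Dell driver cache, i386, the Intel program folder, the ReinstallBackups folder) shares one hash, while the copy that is actually loaded at boot, C:\WINDOWS\system32\drivers\iaStor.sys, has the same size and the same modification time as the clean i386 copy but a different hash and no company name in its version resource. That is the signature of a driver patched in place rather than replaced, and the fix is to overwrite it with one of the untouched copies. The script below is an added example, not part of the thread or of OTL: it parses the `< MD5 for: ... >` block posted above (embedded verbatim as constructed input), groups the copies by file size so that the 64-bit build is not compared with the 32-bit ones, takes the hash most copies agree on as the reference, flags any copy that deviates or lacks a vendor string, and writes out a fix line in the `:files` form used later in the thread. The function names and the majority-vote rule are the example's own assumptions; the rule presumes the backup copies themselves are clean, so a practitioner would still compare the reference hash against the vendor's published one before trusting it.

```python
import re
from collections import Counter, defaultdict

# Constructed input: the "< MD5 for: IASTOR.SYS >" block from the OTLPE log
# posted above, copied verbatim. The parser and the checks around it are an
# added example and are not part of OTL or of the thread.
OTL_MD5_BLOCK = r"""
< MD5 for: IASTOR.SYS >
[2006/10/10 14:03:48 | 000,246,784 | ---- | M] (Intel Corporation) MD5=019CF5F31C67030841233C545A0E217A -- C:\drivers\storage\R130118\iastor.sys
[2006/07/06 07:59:42 | 000,246,784 | ---- | M] (Intel Corporation) MD5=019CF5F31C67030841233C545A0E217A -- C:\i386\iaStor.sys
[2006/07/06 07:59:42 | 000,246,784 | ---- | M] (Intel Corporation) MD5=019CF5F31C67030841233C545A0E217A -- C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iaStor.sys
[2006/10/10 14:03:48 | 000,246,784 | ---- | M] (Intel Corporation) MD5=019CF5F31C67030841233C545A0E217A -- C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\iaStor.sys
[2006/07/06 08:01:32 | 000,484,864 | ---- | M] (Intel Corporation) MD5=6A3C354BFC163B81F6EF2FC421280DB5 -- C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys
[2006/07/06 07:59:42 | 000,246,784 | ---- | M] () MD5=F2C220AF0D5DE10896184080CCEDB407 -- C:\WINDOWS\system32\drivers\iaStor.sys
< End of report >
"""

# One OTL file line: [mtime | size | attrs | M] (company) MD5=<hex> -- <path>
LINE_RE = re.compile(
    r"^\[(?P<mtime>[^|]+?)\s*\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"
    r"\((?P<vendor>[^)]*)\)\s*MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>.+?)\s*$"
)


def parse_md5_report(text):
    """Return one dict per file line of an OTL '< MD5 for: ... >' block."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"].replace(",", ""))
            e["md5"] = e["md5"].upper()
            entries.append(e)
    return entries


def find_outliers(entries):
    """Compare copies of the driver that share a file size (32- and 64-bit
    builds legitimately differ). The hash most copies agree on is taken as
    the reference; a copy that deviates from it, or that carries no company
    name in its version resource, is reported as suspect together with a
    clean copy it could be restored from (assumption: the backups are clean)."""
    by_size = defaultdict(list)
    for e in entries:
        by_size[e["size"]].append(e)

    findings = []
    for group in by_size.values():
        if len(group) < 2:
            continue  # a lone copy has nothing to be compared against
        ref_md5, ref_count = Counter(e["md5"] for e in group).most_common(1)[0]
        if ref_count < 2:
            ref_md5 = None  # e.g. two copies that disagree: no majority
        for e in group:
            reasons = []
            if ref_md5 is None:
                reasons.append("no two copies of this size agree, no reference")
            elif e["md5"] != ref_md5:
                reasons.append(f"MD5 differs from the {ref_count} copies that agree")
            if not e["vendor"]:
                reasons.append("no company name in the version resource")
            if not reasons:
                continue
            ref = next((r for r in group if r["md5"] == ref_md5 and r is not e), None)
            findings.append({"path": e["path"], "mtime": e["mtime"],
                             "reasons": reasons,
                             "reference": ref["path"] if ref else None})
    return findings


def otl_replace_fix(finding):
    """Write the fix in the form used in the thread: an OTL ':files' directive
    that overwrites the suspect file with the reference copy. Returns None
    when there is no reference copy to restore from."""
    if not finding["reference"]:
        return None
    return ":files\n" + finding["path"] + "|" + finding["reference"] + " /replace"


if __name__ == "__main__":
    for f in find_outliers(parse_md5_report(OTL_MD5_BLOCK)):
        print("SUSPECT:", f["path"], "(mtime", f["mtime"] + ")")
        for r in f["reasons"]:
            print("  -", r)
        fix = otl_replace_fix(f)
        print("  fix:\n" + fix if fix else "  no clean copy available")
```

Run against the posted log it reports exactly one suspect, the system32\drivers copy, with both reasons, and proposes restoring it from the first agreeing copy (the Dell driver cache); the thread chose the ReinstallBackups copy, and any copy with the reference hash works equally well. The unchanged modification time on the suspect is worth noting on its own: a file whose content changed while its mtime did not was written by something that deliberately preserved the timestamp, which is why size and date alone are never enough and the hash comparison is the check that matters.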


#14 Robert P

Robert P
  • Topic Starter

  • Members
  • 74 posts
  • OFFLINE
  • Local time:06:57 PM

Posted 20 February 2010 - 01:33 PM

It worked, thank you so much. I will now run my Spybot and Malwarebytes in safe mode to ensure everything is cleaned out.

Thanks, Bob

#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,318 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:03:57 AM

Posted 20 February 2010 - 01:36 PM

Hi, glad it worked, but unfortunately I doubt it will be an easy fix from here on. You still have an MBR rootkit on board it seems.

If you want I can help you clean your computer further; however, that's up to you.

regards, Elise






