Blue screen after running malware bytes - infected with malware


This topic is locked
4 replies to this topic

#1 drjack123

Posted 31 August 2011 - 08:29 PM

I have run into a terrible problem and can no longer use my computer. It started a few days ago when I believe I was infected by malware...I noticed a program running in my task manager...one of those short 3 letter exe programs, so I decided to run Malwarebytes. Malwarebytes successfully found that program and I think called it a rootkit or something else. I chose to remove the found problems and then it asked me to restart. Following restart, I get a blue screen of death shortly after the Windows XP title comes on. When I choose any of the options (Safe Mode, Safe Mode with Networking, Safe Mode with Command Prompt, or normal Windows) I always get the blue screen and cannot log into Windows.

The error message reads:
A problem has been detected and Windows has been shut down to prevent damage to your computer. If this is the first time you've seen this stop error screen, restart your computer. If this screen appears again, follow these steps: Check for viruses on your computer. Remove any newly installed hard drives or hard drive controllers. Check your hard drive to make sure it is properly configured and terminated. Run CHKDSK /F to check for hard drive corruption, and then restart your computer.

Technical Information:
STOP: 0x0000007B (0xBA4C7524, 0XC0000034, 0x00000000, 0x00000000)

So at this point I ordered startup/recovery CDs from Dell. I am using a Dell computer with OEM-installed Windows XP Home Edition. I got the recovery CD today, and can now boot from CD. I first tried to repair my Windows installation, and I still got the blue screen after restart. I have gone into the Windows Recovery Console and have tried a few things. I tried running "Bootcfg /Rebuild" followed by "Fixboot" and this did not help.

Next, I thought the problem might be an infected atapi.sys file, which I read about others experiencing, so I did the following: renamed my atapi.sys to atapi.old, and then I did expand i386\atapi.sy_ from my CD drive and it expanded a new atapi.sys file into my windows\system32\drivers folder. This also did not help.

I ran chkdsk /p and it said CHKDSK found one or more errors. I then ran chkdsk /r... this took a very long time and it said it found and repaired one or more errors. But still no luck.

So I am now stuck and cannot get past the blue screen of death to further troubleshoot my computer. Any advice would be greatly appreciated!!

Thanks!

Edited by drjack123, 31 August 2011 - 10:31 PM.

#2 Elise

Posted 01 September 2011 - 05:10 AM

Hello, let's see if we can find the cause of this problem. I will move this topic to the malware removal forum.

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finishing will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Remove the USB & CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following and press enter:

    dd if=/dev/sda of=mbr.bin bs=512 count=1

  • Press Enter
  • After it has finished a file will be located on your USB drive named mbr.bin
  • Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.

This will allow me to have a look at the Master Boot Record of your drive and see if it is infected.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft
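The mbr.bin file the dd command above produces is one raw 512-byte sector. As an added example (not code from this thread or from BleepingComputer), the following Python parses such a dump and lists the anomalies an analyst checks first: the 0x55AA signature, the active-partition count, overlapping partition entries, and whether the bootstrap code matches a hash taken from a known-clean disk. The sample sector, the known-good hash set and all function names are constructed for illustration.

```python
import hashlib
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 0x1BE  # four 16-byte partition entries start here
BOOT_SIG_OFFSET = 0x1FE    # 0x55AA marks a valid boot sector
BOOTSTRAP_LEN = 440        # code region; disk signature and 2 reserved bytes follow
ENTRY_FMT = "<B3xB3xII"    # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(mbr: bytes) -> dict:
    """Split a raw 512-byte sector (e.g. mbr.bin from dd) into its fields."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    parts = []
    for i in range(4):
        status, ptype, lba, size = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * i)
        parts.append({"status": status, "type": ptype, "lba_start": lba, "sectors": size})
    return {
        "bootstrap_sha256": hashlib.sha256(mbr[:BOOTSTRAP_LEN]).hexdigest(),
        "boot_signature": mbr[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2],
        "partitions": parts,
    }


def mbr_findings(mbr: bytes, known_good_hashes=()) -> list:
    """Return the anomalies an analyst would want to look at before trusting the MBR."""
    info = parse_mbr(mbr)
    findings = []
    if info["boot_signature"] != b"\x55\xAA":
        findings.append("missing 0x55AA boot signature")
    active = [p for p in info["partitions"] if p["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    used = sorted((p for p in info["partitions"] if p["type"] != 0), key=lambda p: p["lba_start"])
    for a, b in zip(used, used[1:]):
        if b["lba_start"] < a["lba_start"] + a["sectors"]:
            findings.append(f"partition entries overlap at LBA {b['lba_start']}")
    # Compare the bootstrap code against hashes taken from a known-clean disk with the same vendor image.
    if known_good_hashes and info["bootstrap_sha256"] not in known_good_hashes:
        findings.append("bootstrap code does not match any known-good hash")
    return findings


def build_sample_mbr(active: bool = True, sig: bytes = b"\x55\xAA") -> bytes:
    """Constructed sample (not a real disk dump): placeholder code, one NTFS partition at LBA 63."""
    sector = bytearray(MBR_SIZE)
    sector[:4] = b"\xEB\x3C\x90\x00"  # placeholder bytes standing in for real bootstrap code
    struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFFSET, 0x80 if active else 0x00, 0x07, 63, 20_000_000)
    sector[BOOT_SIG_OFFSET:] = sig
    return bytes(sector)
```

To inspect a real dump, read the file with `open("mbr.bin", "rb").read()` and pass the bytes to `mbr_findings`; an empty list means none of these structural checks fired, not that the sector is clean.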


#3 drjack123
Posted 01 September 2011 - 09:38 AM

Thank you for your reply. I am sorry I did not get a chance to post an update, but I have been up all night working on this problem. So after reading online about people who have had similar problems, I decided to run the "fixmbr" command from the Windows Recovery Console. After doing that, I was finally able to get past the blue screen, and then my computer completed the Windows repair installation that I had started previously, which I guess it was not able to get to because of the blue screen error. After the repair installation, I was able to get back into Windows, with all my settings and files intact.

After that, I downloaded and ran ComboFix. I was following the steps outlined on a different thread on this site (changed the name to dom.exe, ran it, allowed it to do its thing, it deleted some files, I restarted my computer, ran ComboFix again, and then I uninstalled it). I did not save any of the logs, which I believe were deleted with the uninstall. I then downloaded a bunch of new Windows updates which I had fallen behind on.

So how do I tell at this point if I am in the clear? I am leery of running Malwarebytes again, because that is what led me to the original problem with the BSOD. I am happy to download any software you recommend and post you the scan logs if you can help me figure out if I am in the clear or still infected. Thank you so much!

#4 Elise
Posted 01 September 2011 - 10:09 AM

Malwarebytes was not the culprit here, merely the "mediator". The infection was an MBR rootkit. It is not uncommon that such infections cause BSODs after starting to run cleaning tools. MBAM itself does not target MBR infections, but it may have touched something related to the infection. You can safely run it now (be sure to update first) and run a full scan.

Since you ran ComboFix, please post me also the log at c:\combofix.txt. Note that it is not recommended to run ComboFix on your own.

regards, Elise


#5 Elise
Posted 20 September 2011 - 04:37 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

regards, Elise