XP Blue screen problem


9 replies to this topic

#1 rotor123

  • Moderator
  • 8,094 posts
  • Gender:Male
  • Location:New Jersey

Posted 04 October 2011 - 03:43 PM

Hi, I have a Laptop that caught a Rootkit & MBR infection.

I went to run the Symantec TDSS remover application, which requires a reboot. On the reboot I get a BSOD, in Safe mode or regular mode. Booting off of a Windows XP install disc BSODs also. Memory test passes fine. Pulling the SSD, it boots fine from a Windows disc.

I suspect an interaction between the Symantec app and the virus has done something funny to the MBR, causing these problems.

Any suggestions with regard to fixing the MBR without trashing the drive contents? I can see them right now from a Linux boot DVD and am running a virus scan from that. Since I can not run a Windows install disc or Ultimate Boot CD without blue screening, I'm not sure where to go from here.

Thanks

Edited by Budapest, 04 October 2011 - 04:31 PM.
Moved from XP ~Budapest

Fortune Cookie says: Fortune not Found: Abort, Retry, Ignore?

Sent from my All-In-One Desktop. Perfect for Internet, Not for heavy usage or gaming however.

How Does a computer get Infected? http://www.bleepingcomputer.com/forums/t/2520/how-did-i-get-infected/
Forum Rules,    The BC Welcome Guide

167 @ June 2015




#2 lilimila1977

  • Members
  • 6 posts
  • Gender:Male

Posted 04 October 2011 - 05:13 PM

What version of Windows do you have, and do you have a Windows disc available? If you do, use the disc to get to the Recovery Console; once in, type fixmbr, then Enter, then type exit, then Enter, and reboot.

Edited by lilimila1977, 04 October 2011 - 05:15 PM.


#3 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,420 posts
  • Gender:Female
  • Location:Romania

Posted 05 October 2011 - 02:47 AM

Hello,

We Need to Diagnose Your BlueScreen
  • When you boot your machine, press F8 to list the startup options, exactly as you would if you were trying to enter Safe Mode
  • Select "Disable Automatic Restart on System Failure" (screenshot omitted)
  • When your system BSODs, write down the STOP error code, as well as any written-out error message, and post them back here. The STOP error will always appear, but the message may not. (screenshot omitted)
Please post me the error(s).

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft

 



#4 rotor123
  • Topic Starter

  • Moderator
  • 8,094 posts
  • Gender:Male
  • Location:New Jersey

Posted 05 October 2011 - 09:45 AM

XP. It will take a little while, since it is still running the Linux version of Avast from the Linux boot disc.

I'm suspecting something in the boot sector, since it blue screens any Windows boot disk I have. The Linux boot disc worked fine and allows me to see the contents of the drive.

Thanks
RT



#5 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,420 posts
  • Gender:Female
  • Location:Romania

Posted 05 October 2011 - 09:53 AM

The BSOD from the Windows disk is most likely caused by missing SATA drivers or something like that. Please let me know if the scan found anything, but rather try not to remove anything, as this can cause quite some damage to your OS (system files are not protected this way, as Windows is not running).

regards, Elise




#6 rotor123
  • Topic Starter

  • Moderator
  • 8,094 posts
  • Gender:Male
  • Location:New Jersey

Posted 05 October 2011 - 11:08 AM

The Linux Avast found 12 infected files and cleaned them. That must have applied my answer, which I thought was for the one file (to clean an infected .mpg in temp), to all it found, as now the video driver is MIA. OTOH it is booting again.

It seems it found WIN32:Crypt-KMR and Win32:Injector...

So I'm moving on with this laptop.
So far I have backed up my Main Desktop to a smaller SSD just in case.
Likewise for one of two laptops.

Still to do: this laptop and my brother's computer. I put an Intel SSD in it for a boot drive; then issues surfaced that could lead to data loss. Still need to back his up too.

Now that it boots again I ran TDSSKiller and it only found a suspicious service a27cb212 which I'll have to research. Running MalwareBytes right now, up to 151 thousand+ and nothing found so far.

Thanks for the help.

I'm usually pretty good at this virus stuff, since I'm always doing it for family and family friends. I've got a Dell 3000 from one of mom's friends to get back on the internet right now that I've been ignoring while working on this laptop. Now that this is booting again I can get back to that.

Where I work we do hardware warranty for a couple of brands so I'm pretty good on hardware.

Edited by rotor123, 05 October 2011 - 11:14 AM.



#7 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,420 posts
  • Gender:Female
  • Location:Romania

Posted 05 October 2011 - 11:09 AM

Can you post me the TDSSkiller log?

regards, Elise




#8 rotor123
  • Topic Starter

  • Moderator
  • 8,094 posts
  • Gender:Male
  • Location:New Jersey

Posted 05 October 2011 - 12:12 PM

Found it. These are what look dodgy to me. The file in the Windows directory is showing 0 bytes in size, and as I see it they all relate to that one file. I'm thinking of nuking it with Spybot's file shredder.

11:42:26.0906 5168 a27cb212 (53f5c40b8da1266756a47075185a03fe) C:\WINDOWS\313687202:1568886253.exe
11:42:26.0906 5168 Suspicious file (Hidden): C:\WINDOWS\313687202:1568886253.exe. md5: 53f5c40b8da1266756a47075185a03fe
11:42:26.0906 5168 a27cb212 ( HiddenFile.Multi.Generic ) - warning
11:42:26.0906 5168 a27cb212 - detected HiddenFile.Multi.Generic (1)

11:42:38.0484 4272 Detected object count: 1
11:42:38.0484 4272 Actual detected object count: 1
11:43:10.0109 4272 a27cb212 ( HiddenFile.Multi.Generic ) - skipped by user
11:43:10.0109 4272 a27cb212 ( HiddenFile.Multi.Generic ) - User select action: Skip

Now that it is working again it would be easy to back up to an external drive, and since it is a Thinkpad I can wipe to like new easily. Did I mention that I like business models? They aren't spiffy looking, but they are solid and have better security features. I would never travel with a laptop that I can't set a BIOS password as well as a hard drive password on, and a full backup. Lojack for Laptops too. I may be paranoid, but I do believe the bad guys are out to get me and my financial information. That is why I have one laptop only used for financial things such as online banking, bill paying, income tax and sometimes shopping at Newegg or Amazon. No email or internet browsing, and always up-to-date antivirus. Second laptop for playing on the internet and a nice desktop for video work.
So far, knock wood, that has worked for me.

Sorry for rambling on.....

Once again thanks

Oh, I think I have a handle on it, so if you don't want to waste your time, that's fine too, since we seem to have strayed into virus removal territory from a BSOD on boot.

Edited by rotor123, 05 October 2011 - 12:14 PM.



#9 rotor123
  • Topic Starter

  • Moderator
  • 8,094 posts
  • Gender:Male
  • Location:New Jersey

Posted 05 October 2011 - 12:22 PM

Kind of expensive having two laptops and a Nice desktop but it makes me feel secure.



#10 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,420 posts
  • Gender:Female
  • Location:Romania

Posted 05 October 2011 - 12:42 PM

This is an Alternative Data Stream and part of a ZeroAccess infection. You can safely remove both items with TDSSkiller. Afterwards it is recommended to run a full scan with your on-board antivirus in order to catch any leftovers.
You may also experience Access Denied errors (best is to test all security related programs on the computer and see if they still run, if not we'll need to reset permissions).

And you are indeed perfectly right, better safe (and a bit more precaution) than sorry. :)

regards, Elise


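The TDSSKiller lines rotor123 posted in #8, together with Elise's identification in #10 of C:\WINDOWS\313687202:1568886253.exe as an NTFS alternate data stream, can be turned into a small log triage script. The following is an added example, not code from this thread or from TDSSKiller: the field layout ("time, thread id, message") and the message shapes are assumed from those eight lines only, not from any TDSSKiller documentation. It splits the flagged path into the host file and the stream name, marks which services carried a "Suspicious file (Hidden)" warning, and lists detections the user chose to Skip, which is the state rotor123's log shows. The ACPI driver line in the sample is constructed here (made-up hash) so the filter has a benign record to leave alone.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample input (constructed): the eight TDSSKiller lines posted in #8, plus one
# ordinary driver entry made up here (hash is not real) so the triage has a
# benign record to leave alone.
SAMPLE_LOG = r"""
11:42:20.0000 5168 ACPI (0123456789abcdef0123456789abcdef) C:\WINDOWS\system32\DRIVERS\ACPI.sys
11:42:26.0906 5168 a27cb212 (53f5c40b8da1266756a47075185a03fe) C:\WINDOWS\313687202:1568886253.exe
11:42:26.0906 5168 Suspicious file (Hidden): C:\WINDOWS\313687202:1568886253.exe. md5: 53f5c40b8da1266756a47075185a03fe
11:42:26.0906 5168 a27cb212 ( HiddenFile.Multi.Generic ) - warning
11:42:26.0906 5168 a27cb212 - detected HiddenFile.Multi.Generic (1)
11:42:38.0484 4272 Detected object count: 1
11:42:38.0484 4272 Actual detected object count: 1
11:43:10.0109 4272 a27cb212 ( HiddenFile.Multi.Generic ) - skipped by user
11:43:10.0109 4272 a27cb212 ( HiddenFile.Multi.Generic ) - User select action: Skip
"""

# Field layout assumed from the posted lines: "<hh:mm:ss.ffff> <thread id> <message>".
LINE_RE = re.compile(r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<tid>\d+)\s+(?P<msg>.*)$')
# "<service> (<md5>) <image path>"
ENTRY_RE = re.compile(r'^(?P<name>\S+)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>[A-Za-z]:\\\S+?)\.?$')
HIDDEN_RE = re.compile(r'^Suspicious file \(Hidden\): (?P<path>[A-Za-z]:\\\S+?)\.? md5: (?P<md5>[0-9a-fA-F]{32})$')
DETECTED_RE = re.compile(r'^(?P<name>\S+) - detected (?P<det>\S+)')
VERDICT_RE = re.compile(r'^(?P<name>\S+) \( (?P<det>[^)]+?) \) - '
                        r'(?:warning|skipped by user|User select action: (?P<action>\w+))$')


def split_ads(path: str) -> Tuple[str, Optional[str]]:
    """Split a drive-letter path into (host file, stream name).

    NTFS names alternate data streams as <file>:<stream>[:$DATA]; a second
    colon after the drive letter's own colon is the giveaway. Explorer shows
    only the size of the unnamed stream, which is why the host file looks
    like 0 bytes while the named stream carries the payload.
    """
    drive, sep, rest = path.partition(':\\')
    if not sep or ':' not in rest:
        return path, None
    host, stream = rest.split(':', 1)
    if stream.upper().endswith(':$DATA'):
        stream = stream[:-len(':$DATA')]
    return f'{drive}:\\{host}', stream


@dataclass
class Finding:
    name: str                          # service/driver name as TDSSKiller reports it
    path: str = ''
    md5: str = ''
    hidden: bool = False               # flagged by a "Suspicious file (Hidden)" line
    detection: str = ''                # e.g. HiddenFile.Multi.Generic
    user_action: Optional[str] = None  # Skip / Cure / Delete, if the user chose one

    @property
    def host_file(self) -> str:
        return split_ads(self.path)[0]

    @property
    def stream(self) -> Optional[str]:
        return split_ads(self.path)[1]

    @property
    def unresolved(self) -> bool:
        # Detected, but nothing was done about it: still on disk after the run.
        return bool(self.detection) and self.user_action in (None, 'Skip')


def parse_tdsskiller(text: str) -> Dict[str, Finding]:
    """Fold the per-line log into one Finding per service/driver name."""
    findings: Dict[str, Finding] = {}
    hidden_paths: Dict[str, str] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m['msg']
        if (e := ENTRY_RE.match(msg)):
            f = findings.setdefault(e['name'], Finding(e['name']))
            f.path, f.md5 = e['path'], e['md5']
        elif (h := HIDDEN_RE.match(msg)):
            hidden_paths[h['path']] = h['md5']
        elif (d := DETECTED_RE.match(msg)):
            findings.setdefault(d['name'], Finding(d['name'])).detection = d['det']
        elif (v := VERDICT_RE.match(msg)):
            f = findings.setdefault(v['name'], Finding(v['name']))
            f.detection = f.detection or v['det']
            if v['action']:
                f.user_action = v['action']
    for f in findings.values():
        f.hidden = f.path in hidden_paths
    return findings


def unresolved(findings: Dict[str, Finding]) -> List[str]:
    """Names TDSSKiller flagged that were skipped rather than cured or deleted."""
    return [name for name, f in findings.items() if f.unresolved]


if __name__ == '__main__':
    findings = parse_tdsskiller(SAMPLE_LOG)
    for name, f in findings.items():
        tag = 'ADS' if f.stream else '   '
        print(f'{tag} {name:10} hidden={f.hidden!s:5} detection={f.detection or "-":25} '
              f'host={f.host_file} stream={f.stream} action={f.user_action}')
    print('unresolved:', unresolved(findings))
```

Run against the sample, the only unresolved entry is a27cb212, with host file C:\WINDOWS\313687202 and stream 1568886253.exe; that split is why the file looked empty in the Windows directory. Deleting the host file does take its streams with it, but the service entry that loads the stream is a separate object, which is the point of Elise's advice to let TDSSKiller remove both items rather than shredding the file alone.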

