Dreaded Blue Screen

[felixm]

Hi, my sister was tricked into downloading Anti Spyware 2009 onto my laptop(Dell Inspiron 6400, Xp Home), now i'm getting the blue screen on boot. Reading:

 

Check with your hardware vendor for any Bios updates, disable Bios memory options such as caching and shadowing. If you need to use safe mode to remove or diasble components restart your computer, presss F8 to select advanced options and select safe mode. 0x0000007e

 

I think i've managed to get the virus off. I've got into safe mode and a few things but still no joy with the blue screen. And i'm more used to Vista at the moment, but far from an expert. I don't have a restore disk and was never sent an extra copy of Xp.

 

Anyone had the same message come up. Any advice would be much appreciated.

 

Cheers

[Guest Wolfeymole]

Can you choose the option "Last Known Good Configuration" Felix?

[felixm]

no, i've tried that.

 

cheers

[Guest Wolfeymole]

Ok there's a couple of things we try here.

 

Can you get on the net at all either via Safe mode with Networking or just normally?

 

Do you have the XP disk also?

[felixm]

i tried briefly to get on the net through safe mode, didn't wait long enough. Will try in a mo. I can't get beyond the blue screen in normal mode.

 

I don't have an Xp disc. Wasn't given one when i purchased the laptop from dell. Is it standard to be given one?

 

cheers

[felixm]

okay, i'm online through safe mode. writing this post from the laptop.

[felixm]

Wolf, i'vefollowed your instructions to get the malware off the laptop, there seemed to be more trojans everytime i ran Malwarebytes, which i already had downloaded.

 

cheers

[Guest Wolfeymole]

I reckon your computer is still massively infected with Malware.

 

Run all the tools below Felix and get back to us.

 

• Malware is software designed to infiltrate or damage a computer system without the owner's informed consent.
  It is a combination of the words malicious and software.
  The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.
  

 

• Required Cleanup Steps
  
  1. Disable the Spybot Search & Destroy TEA TIMER if you use it and if it is enabled
     
  2. Run a Temporary file and cache cleaner (ATF)
     
  3. Run 2 Anti-Malware scanners (Listed Below)
     
  4. Run an Online Anti-Virus / Anti-Malware Scanner (Listed Below)
     
  5. Clear out old System Restore points
     
  6. If continued Malware type activity is present you may be asked to post a TrendMicro™ HijackThis™ Log file, do not do so unless requested.
     

The reason to run multiple scanners is to ensure that no single scanner is missing something.

The time it takes will vary depending on your system and your internet connection speed.

Typically the SUPERAntiSpyware and Malwarebytes scanners will take between 10 to 90 minutes.

The ESET online scan should take between 1 to 3 hours.

In most cases, these scans will suffice to clean and disinfect your computer.

Heavily infected systems or slower PCs can take much longer to scan and clean.

 

For best results print the following instructions and bookmark this Web page

To keep this guide printer-friendly, use your cursor to highlight the contents below.

From your browser select File - Print and in the printer dialog box under "Print range"

click the

Selection

choice to print out these instructions for removal of malware.

 

 

http://i306.photobucket.com/albums/nn266/FPCH/Malware%20Guide/printer-selection.gif

 

____________________________________________

STEP 1

• Disable Spybot Search & Destroys' TEA TIMER: (if installed, if not go to Step 2)
  
  
  1. Run Spybot-S&D in Advanced Mode.
     
     
  2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
     
     
  3. On the left hand side, Click on Tools
     
     
  4. Then click on the Resident Icon in the List
     
     
  5. Uncheck "Resident TeaTimer" and OK any prompts.
     
     
  6. Restart your computer.
     
     

__________________________________________________

STEP 2

• Follow these instructions carefully.
  
  
• Download ATF-Cleaner from
  Snapfiles.com
  to remove un-needed temporary files from your computer that may contain malware.
  
  
• You can also download it from
  Majorgeeks.com
  
  
• When you run ATF-Cleaner, check the items as shown below for Main.
  
  
• For FireFox, be sure to click on the FireFox tab on top and check the items as shown below for FireFox
  
  
• NOTE:
  If you don't have FireFox or Opera installed then they will be grayed out and can be ignored
  
  
• Then click on "Empty Selected".
  
  

http://i306.photobucket.com/albums/nn266/FPCH/Malware%20Guide/atf-cleaner01.gif

.

http://i306.photobucket.com/albums/nn266/FPCH/Malware%20Guide/atf-cleaner02.gif

__________________________________________________

STEP 3

• Install and run the free version (not the Professional version) of SUPERAntiSpyware from
  SUPERAntiSpyware.com
  
  
  • Accept any prompts to allow SUPERAntiSpyware to install the latest rules and infection definition files.
    
    
  • You do not have to send them your e-mail address, just click next.
    
    
  • You can leave the automated check for updates on.
    
    
  • You can uncheck "Send a diagnostic report to research center" if you don't want to send the information.
    
    
  • DO NOT
    allow SUPERAntiSpyware to protect your Home Page settings.
    
    
  • On the
    Top Left
    select the
    Scan your computer
    button.
    
    
  • Make sure there is a CHECK MARK on all
    Fixed Drives
    .
    
    
  • Click "Perform a Complete Scan". Click "Next" to Repair issues found and reboot the computer when prompted to do so.
    
    

__________________________________________________

STEP 4

• Install and run
  Malwarebytes' Anti-Malware
  from
  Malwarebytes - (direct download)
  
  
  • Accept all defaults for the installer
    
    
  • Allow the program to update the definitions
    
    
  • Click on the
    Quick Scan
    and click Next.
    
    
  • If any items are found allow it to clean them and then Reboot your computer.
    
    

__________________________________________________

STEP 5

• Run an online scan with ESET from
  Free Virus Scan: Use ESET's Online Antivirus Scanner
  
  
  • You
    must
    use Internet Explorer for this online scan. FireFox, Opera, etc will not work for this scan.
    
    
  • If your computer is running Window's Vista, then you
    must first
    start Internet Explorer as an Administrator. To do so, right-click on the
    Internet Explorer
    icon in the Start Menu and select "
    Run as administrator
    " from the popup context menu.
    
    
   
  • Accept the terms and click "Start".
    
    
  • Once the scanner is ready, check "Remove found threats" AND "Scan unwanted applications".
    
    
  • Click "Start" to begin the scan.
    
    
  • When completed restart your computer
    
    

__________________________________________________

Make sure your internet firewall security is enabled, and then please return to Extreme Tech Support - Free PC Help and tell us how the computer seems to be operating.

At that time, you will receive instructions to assist you in removing malicious programs from your Add/Remove program list if warranted.

 

If required this is the download link for TrendMicro™ HijackThis™

Unless instructed to by the Technician helping you then do not download this tool.

 

Once you and the Technician agree that your system appears to be clean then you should delete all your System Restore points and recreate a new one.

Please follow the instructions here

How to turn off and turn on System Restore in Windows XP

How to turn off and turn on System Restore in Windows Vista

[felixm]

i couldn't get super anti spyware to run. It said it needed admin priveliges, and that it couldn't run in safe mode.

[Guest Wolfeymole]

Are you running this in XP or Vista.

 

Are you the Administrator?

[Seth]

Super will run in Safe Mode.

 

 

Try changing it's executable to a different name then running that.

[RandyL]

The last time I looked at the SAS website it said that it would not run in safe mode but in the future they might come out with a version that will.

[Seth]

SAS is designed to run in Safe Mode. I used to do it all the time until they came out with Direct Disk Access.

 

SAS will not install in Safe Mode however.

[RandyL]

Ah. That's what it was. Thanks for clearing that up for me seth.

[Seth]

You're welcome Randy.

 

Although with now over 12 million users, it's starting to get targeted by various means.

[felixm]

Are you running this in XP or Vista.

 

Are you the Administrator?

xp and i am the administrator

[Guest Wolfeymole]

You said it's asking for admin privileges to run, this should not happen in XP. :confused:

[RandyL]

It's rare but possible that some bit of malware is still running in safe mode or has affected the basic Windows OS. Try what Seth said.

 

Try changing it's executable to a different name then running that.

 

Go to "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"

and change the name from SUPERAntiSpyware.exe to something like SAS.exe

Double click that file to execute the program.

 

Another thing you should look into is if there are any suspect programs in add/remove. Uninstall those first before ALL the scans. Look in startup items in msconfig after that just to be sure. Reboot after the above just to be sure.

 

The fact that you keep picking up new infections after the scans detect and remove them leads me to believe that malious programs that are installed are reinfecting your machine. Those should be removed FIRST before the scans. If they are not they may be the cause.

 

P2P file sharing programs like limewire, bearshare etc or any other program that you can download free files should be suspect and removed first. These type of programs are the usual cause of this particular Trojan if it's the one I think it is.

[felixm]

i tried renaming the Super anti-spyware program and it's still coming up 'The system administrator has set policies to prevent this installation'.

 

I've looked to uninstall other programs that may be harmful.

 

cheers guys

[Seth]

Run this program on the system to remove the policy restrictions:

 

Windows XP Security Console

 

Once you've unchecked the policy restrictions, apply the settings, try installing Super and running a full scan. If it still doesn't work, restart into Safe Mode and try Super again.

 

BTW-What are the security programs that you've run successfully?

Edited November 1, 2008 by Seth

[felixm]

Seth, do i need to obtain the liscensed version of security console?

 

thx

[Seth]

Nope.

[felixm]

Which option do i use?

 

sorry if it is obvious

[Seth]

Go through each heading and make sure all the options are unchecked, then apply the settings.

[felixm]

tried all the options and still no joy in getting sas to work.