Malware trouble cant login to safe mode without a bluescree after 5 seconds

ok i am working on a laptop for a friend of mine. he has gotten somekind of malware on it.. i had once before removed some stuff from it.. and told him it wasn't completely clean and what to do about it.. but it would seem he has been back on the internet unprotected since then..

at the moment when i log into regular mode i get a bluescreen listing a 0x000000f7 stop error.. but it gives no details.. also the bluescreen never takes longer than 30 seconds to occur so no way to do any trouble shooting there..

when i try to log into safe mode the screen barely changes at all before i get the same bluescreen as before..

the computer is a stock hp pavilion dv1000.. i do not know the exact specs of the computer other than it is running XP home SP2.. the guy im working on it for isnt at all technically savvy so it probably has just whatever was standard at the time he bought it...

any help would be greatly appreciated..

thankx in adv.

 

update: ok found some articles elsewhere online (thx google) and ive decided my friends laptop is victum to a buffer overrun attack... however im not having any luck discovering the driver thats over-running its buffer... any ideas as to a way to figure this out?

thx for any help or suggestions or thoughts

 

One method of checking drivers is to boot to a command prompt, either using F8 options or with the repair console on the CD.

Then add the following switches to boot.ini

/bootlog (records driver loading action in c:\ntbtlog.txt)

and/or

/sos (forces xp to display drivers as loaded and halt at problem one.)

 

ok at the moment i am kinda just playing with dofferent things.. i found the minidump fule along with the boot log and neither seem tohelp.. im about to try to get the MS debugging tools as per http://forums.majorgeeks.com/showthread.php?t=35246 and see what i find from that... will post more info later

thx for all suggestions/.. please let me know of anymore

edit: i did notice that when i login as safemode with command prompt the computer doesnt bluescreen.. ima do this and launch the explorer from there to get to the internet... (hopefully)*crosses fingers*

 

iight just another update for anyone whos reading.. i have ben playing on it online for about an hour now with no bluescreens.. i am trying to run an eset online scan to see if it will clean anything up or maybe give me a malware name to do further research on...

if anyone has any further ideas let me know.. i will try anything i can... never know what will help..

 

yet another update..

sorry for the numerous posts.. just dont want someone to waste the time on something i have already tried...

just finished a malewarebytes scan and it gave me 76 infections including trojan.vundo.h, trojan.vundo, trojan.zlob, trojan.bho, trojan.agent, trojan.avkiller, adware.bho, malware.trace, trojan.extension.exploit, rogue.link, and trojan.dnschanger..

now lets see what it can clean up...

will post after if things still seem fishy...

 

will do. but i just ran it again after rebooting and disabling system restore.. i found 10 more infections including search.hijack, malware.trace, trojan.vundo, trojan.zlob, and hijack.startmenu..

also i should mention bfore i go through all the read and run first stuff that when i did the eset online scan it mentioned 7 trojans.. win32/privacyset.a(x2), win32/rootkit.agent.nex, win32/small.ndr, win32/small.ndr, win32/bho.nbm, win32/bho.ncv(x2), and win32/small.ndr

however the eset online scan didnt offer any fixes for them nor could i find manual fixes in their threat encyclopedia... but o well..

now to do the read and run first stuff.. i was lookin at it earlier and it seemd a VERY good guide to cleaning computers.. i could use it at work too.. xD maybe someone could make those programs into a boot disk of somekind? or work them into the ultimate boot cd and set it as a new distribution of it? just ideas though..

will post later with the logs.. thx again for the previous help and ideas and future thx for any more help provided... :cool

 

sorry just reading your post.. yea i knew better than to disable it already.. suppose sleeplessness is starting to kick in.. still working on running scans... working on spybot right now.. i have the log for superantispyware... ill find the logs for malewarebytes after spybot is finished.. still have combofix and mgtools left to go... not too bad

by the way.. do you work for majorgeeks.com or is it more a side job? was just curios cuz i really want to get more into the security side of things with computers and thought if this is your job you might have some suggestions to get started or different classes/certs to go for...

lol
will post all the logs at once.. in 2 different posts of course since theres a 3 attatchment limit(or so i read)

edit: spybot has just under 100,000 files left to go through

edit: ok mbam only listed one of the two logs? anychance it would have deleted one of the logs.. or maybe not even created one? it would appear the first log was deleted/. i know i didnt do it(purposely) unless it got caught in one of the clean up features of superantispy... thats the only other thing i can think of right now...

 

iight here comes the logs.... gonna have to switch to the computer in question... (im lucky enough to have a couple of computer to play on while i waited.. xD)

 

and heres the second mbam log.. stil dont know where the first went to...

let me know what else you need...

ima go to bed for tonight.. will pick this up tomorroow proly round noon(got classes til then)..

thx again for all the help

edit: also.. if you dont mind.. i would like to know what all you are looking for inthe logs.. i have a couple other computer that i would like to do thid for and would love to be able to do this for at work too.. would probably helpout with many of our problems up there... im part time as the pc/computer room tech for a trucking company and im sure you can imagine us having ppl calling all the time with this and that problem.. but if i knew what i was lookinjg for in the logs i could possibly help out on here and just whereever else it was needed(fixing friend's laptops.. >.>)

forgot to defrag earlier.. going to install and run diskkeeper sometime tomorrow as well

 

ok i dont mean to rush anyone but i would like to go ahead and get the defrag running and get MS updates going as well.. i noticed that the laptop had a couple of updates to get.. most likely including SP3...

and while im on that topic has there been any complaints about sp3? i have talked to several people saying they are just going to wait and see how it goes with others before they put it on their machines...

but anyways.. if someone could help out with those logs i would greatly appreciate it...

as always thx in advance.. i cant ever get enough help.. xP

 

well thx for helping.. i gave the laptop back to my friend today as it seemed to be running fine.. he put avg on it.. at least now he has SOMETHING there to help out...

would still appreciate someone to look at the logs and tell me what they think.. iwould really like to know what to look for in the logs as well so i can trouble shoot computers on my own..

but as far as this issue goes i suppose the thread can be closed...

again thx everyone for the help.. will be posting in here again..

 

awesome.. ill see if i can get the laptop for a lil while another day.. maybe this weekend before he has had too much time to do damage.. ill do as suggested...

i know the sp3 quote should go on the software forum.. just figured to hit it while i was here..

also this is a bit more personal but i would still like to know better what to look for in the log files.. like when you look at them what are the general flags that somethings amiss.. obviously something like the uninstalling all of norton and java updates and that stand out as i have seen several places where you have told people to do that.. but where do you see that it needs the certain options in HJT? or the registry changes? is that just from experience or was there something specific in the logs that caused you to suggest those things?

again sorry i know this isnt really the place for those questions.. and i would have just sent them to you in a pm or something.. but i suppose i havent gotten enough posts in to be allowed to pm... and i havent found the appropriate forum to ask such things either..

i REALLY appreciate the help.. ima start using those cleaner tools on computers at work and whereever that need to be tighty-ed up... yea i didnt know how to spelled tighty-ed.. lol

again thx.. looking forward to future help.. who knows maybe after anther problem or two i might be able to help someone else.. xD

 

wow i didnt even see post #16.. my bad.. ok thx for the info there.. ill try to watch my posts..

really appreciate the links to find out more about malware and training and stuff.. cant ever get enough reading material.. just hope as i read i will have instances to apply it on... and continue to get plenty to work on.. so i dont forget things....

are those links specific to the scans we ran or are they more tuned to malware in general?

 

oh my fault... i hadnt been to them yet.. well ill stop posting in here since the problem is fixed and we are starting to get a bit off topic..

thanks again for all your help and for the links.. im about to go look around on them and might try to get started with some things.. who knows..

 

i know.. i have to get my friend to let me have the laptop back.. until then i cant do much... sorry if you are waiting for confirmation logs or anything... i will do my best to get the laptop monday afternoon.. but.. no promises..

 

iight heres the logs

note: combofix stalled and after about an hour of waiting i closed it.. it was in the creating log stage so i hope it didnt mes anything up..

the log i attatched for combofix.. im not sure that thats the current one.. if needed i will run combofix again and repost that log.. let me know..

appreciate the help..:cool

 

yes.. im an idiot.. i forgot to note that i couldnt run the windows messenger remover because of no internet connection.. i wasnt in a place where i could get internet.. i had the instruction printed out for the txt files and what all else to run..

i will run that asap..

the norton this i wasnt aware that norton was still on it.. it didnt show in the add remover programs nor anywhere else that i remember seeing.. maybe it still has traces that are doing what they can to run.. i know how annoying norton can be to remove without that removal tool..

^^ that must be why you mentioned norton before... sorry i didnt pick up on the hint..

also should i run combo fix again?

thx alot

 

ok was just making sure as the previous run didnt finish completely..

i will try to run the norton remover and windows messenger remover as soon as i can..however i dont know when thatll be... unless you think something will evolve from what i have on the computer atm then i guess we can consider this topic closed...

i know i have said this several times.. but i really appreciate all of your help.. and the links to learn more i know will prove useful.. i have enrolled in GeekU and am about to start the practice logs there... would you ming sharing some of your canned speeches with me to use as templates in creating my own? also what program do you use for your canned speeches? i downloaded Keynote and am working on figuring it out.. i made sure to bookmark all of the pages referencing HJT tutorials and such to look back on.. lol

but anyways.. i wont keep rambling here... thanks again...:cool