Solved

ever heard of fake bluescreens?

Posted on 2008-06-12
Last Modified: 2012-08-13
Hi, I'm running a computer with XP Pro SP2, Pentium D 3.4GHz and a GB of RAM. Usually straight after startup I get a BSOD, then it disappears and a different BSOD shows up. I didn't think that they behaved in this manner? Another weird symptom is being able to use my mouse over the BSOD. It kinda seems like a huge virus link, kinda like those background viruses. I was hoping that someone knows where they come from and if I can disable them or get rid of them somehow. I can't run any scans because they (BSOD) prevent me from accessing anything on the desktop.
Question by:beefstu123
 
LVL 11

Assisted Solution

by:CynepMeH
CynepMeH earned 350 total points
ID: 21774581
Check to make sure your screensaver is not loading some sort of BSOD fake...
http://technet.microsoft.com/en-us/sysinternals/bb897558.aspx

 
LVL 3

Assisted Solution

by:patrickfromsc
patrickfromsc earned 150 total points
ID: 21774585
Sysinternals once had a BSoD screen saver, but I think CTRL+ALT+DEL made it go away.  Here is a blurb about it:
http://www.informationweek.com/news/windows/showArticle.jhtml?articleID=193700617

It would be nice if that is all the problem you are having, eh?

Regards,
PfSC
 
LVL 17

Expert Comment

by:Wakeup
ID: 21774595
Have you tried to boot into Safemode?  If you can't do anything in normal mode, that might help trying that route.  I would highly suggest scanning the system for infections.

Some good decent programs to try that are free:

AVG, Superantispyware, spybot search and destroy, hijackthis, and if your system background has been taken over try smitfraudfix, and combofix.  

If you need links, let me know!
 
LVL 11

Expert Comment

by:CynepMeH
ID: 21774598
Also, go to Start > Run and type MSCONFIG.

Click on "startup" tab and check for any suspicious programs. This is what gets loaded at startup - any suspects can be un-checked. After unchecking, reboot and see if problem re-occurs. You may be told that your system is running in a diagnostic mode. If problem goes away, narrow down your list until you find out what's causing it. It should tell you the path of the executable - track it down and nuke it.

Also, try running hijack this:
http://www.download.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html

and

CCleaner
http://www.ccleaner.com/

IF YOU USE THESE UTILITIES BE VERY CAREFUL NOT TO REMOVE USEFUL STUFF! BE SURE TO KNOW WHAT YOU'RE DOING BEFORE RUNNING IT!
 
LVL 11

Expert Comment

by:CynepMeH
ID: 21774604
Wakeup - man, you sure love that "safe mode" - that's the second time I saw that today =) LOL
 
LVL 11

Expert Comment

by:CynepMeH
ID: 21774614
hm... google search:
wakeup +"safe mode" site:experts-exchange.com yields 330 results.

Woot for safe boot! =)

Be safe everyone, adios! ROFL
 
LVL 17

Expert Comment

by:Wakeup
ID: 21774616
Safemode is the bomb! :)  hehe...sometimes you gotta do the safemode thing whether you like to or not....gotta be done! :)
Especially with viruses and spyware.  I hate doing it...cuz in safemode everything runs slower and takes more time, and you don't have access to everything you need.  But it gets the job done!
 
LVL 2

Author Comment

by:beefstu123
ID: 21774626
Thanx for the info so far guys. I'm attempting to install the usual scanners, however the BSODs are in the way. I've been through safe mode, however since none of the scanning programs I need are installed yet, safe mode isn't much help. So far I've been able to determine that the BSODs are not screensavers.
 
LVL 17

Expert Comment

by:Wakeup
ID: 21774643
Any verification on the BSODS as to what they are saying?  
If they are legitimate BSODs and they cause the system to restart etc and they display BRIEFLY on the screen or BARELY....hit F8 after one of those until you get the "safemode" selections....instead of hitting safemode or normal etc.......find the stop on error one...I can't quite remember the title of it word for word, but it is basically to stop the system from restarting after error....near the bottom of the list....maybe 3rd or 4th from the bottom.
 
LVL 17

Expert Comment

by:Wakeup
ID: 21774645
haha...wow 330 times!?  hehehe... nifty! :)
 
LVL 11

Expert Comment

by:CynepMeH
ID: 21774684
It's: right click my computer > properties > advanced > startup and recovery settings > uncheck "automatically restart".

Close. Also, you should not be able to see the mouse cursor in a "true" BSOD, as it is all text-based and by that time GUI/GDI is dead.
 
LVL 11

Expert Comment

by:CynepMeH
ID: 21774693
So wait, are you saying that you're able to do some other things while the BSOD is displayed? If so, then it is not a BSOD. When the system BSODs - all you see is a nice blue screen of death, unable to do much except hard reset. Can you bring up Task Manager by hitting CTRL+ALT+DEL? If so, then it's definitely not a BSOD. See what you find in your list of running processes under "tasks" - that BSOD crapware may be one of the programs launched. Obviously if you get to Task Manager - you are not BSOD'd.
 
LVL 2

Author Comment

by:beefstu123
ID: 21774698
Yeah, I am positive that they are not true BSODs. They do not start a memory dump, they do not restart the PC, they have a mouse over the top, and one of them has the error SYSINTERNALS_GREAT_SITE at the top lol
 
LVL 17

Expert Comment

by:Wakeup
ID: 21774705
Ya he stated he was able to move the mouse cursor.  So that leads me to believe infection...
But if it's restarting......disable automatic restart and tell us what kind of BSOD's yer getting.
 
LVL 11

Expert Comment

by:CynepMeH
ID: 21774712
That's a Sysinternals BSOD. Jeez. Did you look at the MS article I provided? Run "msconfig" and look for any files with .scr in the name - that's your suspect.
 
LVL 2

Author Comment

by:beefstu123
ID: 21774722
Also, the registry editing, All Programs menu, Task Manager, and System Properties have been disabled due to other infections. So most of my normal courses of action are not available lol. I'm trying to disable restart as mentioned above but the BSODs pop up so damn quickly. I've disabled it via the startup screen, so I'll see how I go now.
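A read-only triage script for the two checks discussed above (startup Run entries with .scr or other renamed launchers, and the policy values malware sets to block Task Manager and regedit), added here as an example and not posted by anyone in the thread. It assumes it runs with admin rights on the affected machine, or from a clean machine against the infected hive via the remote registry; the registry paths are the standard Windows locations, not values taken from this thread.

```powershell
# Added example (not from the thread): enumerate logon startup entries and the
# restriction/crash-control settings mentioned above. Read-only; nothing is changed.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# A screensaver (.scr) or a renamed launcher (.com/.bat/.pif) starting at logon is
# what the thread treats as the prime suspect for a fake BSOD; flag those for review.
$suspectPattern = '\.(scr|com|bat|pif)\b'

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip provider metadata
        $flag = if ("$($p.Value)" -match $suspectPattern) { 'SUSPECT' } else { '' }
        '{0,-8} {1} : {2} = {3}' -f $flag, $key, $p.Name, $p.Value
    }
}

# Policy values that block Task Manager and the registry editor (1 = blocked).
# The author reports both tools disabled; these are the usual places that is set.
$policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
    $v = (Get-ItemProperty -Path $policy -Name $name -ErrorAction SilentlyContinue).$name
    if ($v -eq 1) { "$name = 1  (tool blocked by policy)" } else { "$name not set" }
}

# AutoReboot is the "automatically restart" box under Startup and Recovery;
# with it set, a real STOP error reboots before the screen can be read.
$cc = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$auto = (Get-ItemProperty -Path $cc -Name AutoReboot -ErrorAction SilentlyContinue).AutoReboot
"AutoReboot = $auto  (1 = restart on a real STOP error; 0 = stay on the screen)"
```

Anything flagged SUSPECT is a lead to verify (file path, publisher, hash) before removal, not proof by itself; a legitimate screensaver also ends in .scr.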
 
LVL 2

Author Comment

by:beefstu123
ID: 21774756
Yes I did read the article and yes it was helpful. But I still can't get to msconfig due to the disabled Task Manager and Start menu etc. I'm close to enabling them through GP but the popups are really hampering the process.
 
LVL 17

Expert Comment

by:Wakeup
ID: 21774765
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Use combofix.  The above link is a description of how to use it.

Are your .EXE's not executing as well?  You can rename your .exe to .com or .bat and they'll run that way.  
You can rename combofix to combofix.com as well, and run it and Combofix will fix that problem too.
If you can boot to "SAFE MODE!" hahaha.....you can try using ADD REMOVE programs, remove any programs that may be malicious....if you are unsure....Let us know what they are here and we can try to help.  Try Hijackthis and post your log here as well?  

Try some of those programs I listed above?  Even if you can't update them, you might be able to use them in raw form to remove SOME of what is ailing you to make the system run a tiny bit better? and might get you in to do other things with other programs.
 
LVL 17

Expert Comment

by:Wakeup
ID: 21774767
Oh and if you can find your msconfig and such you can rename or make a copy of it with .com on the end etc....and may get it to run as well.
 
LVL 11

Expert Comment

by:CynepMeH
ID: 21774780
If you have a healthy system on the same network, try connecting to your "infected" computer's registry and disabling startup items. Here's some info about the registry location you'll need to search:

http://www.doshelp.com/HowToView/Registry_Keys.htm

At this point though.... if you're so hampered with crap, save the data and re-build the box. If you need to do that, start your system using something like ERD Commander and salvage the data to some other drive. Otherwise, if you can connect to the system over the network, try saving your data that way by network copy. Lastly, if that's not an option and you need to preserve your data on the existing drive, install a new drive in your system, remove the old one, install the OS and then connect your old drive as a "slave" or in an external enclosure. This way you can do whatever you need to. You may also consider scanning that volume for viruses. A clean system with the latest AV defs may be able to pick up the executables and files that are giving you grief. Once removed, you can possibly put the drive back in and re-use it... though a box like this I'd never trust again until I scrapped it and rebuilt it. Once compromised - never to be used again until rebuilt. That's my $0.02.
 
LVL 11

Expert Comment

by:CynepMeH
ID: 21774786
BTW, if you have a healthy system on the network and it has antivirus tools, try mapping from your healthy system to your infected drive. Then run a remote antivirus scan on that volume. Be sure to select "jokeware" and "malware" in your scan... and confirm you have the latest antivirus definitions loaded.
 
LVL 17

Expert Comment

by:Wakeup
ID: 21774818
And in the same token as CynepMeH, if you have a healthy system you can pull the drive out and slave it accordingly to the healthy system and run tools as well to clean up infections.  Just be careful to not run any programs off your infected drive, you may infect your healthy machine.
 
LVL 17

Expert Comment

by:Wakeup
ID: 21774829
Especially if you can't get access to it on the network or if you keep getting errors or problems.  And it'll be faster to just dump it into a working machine.
 
LVL 2

Author Comment

by:beefstu123
ID: 21774877
Cool, thanx guys. I was leaning towards a rebuild from the beginning but the client wouldn't hear a word of it. I'll try to do some more convincing later on. So far I've gotten rid of the BSODs, re-enabled the Task Manager, registry etc. I'm trying to get a HijackThis log for anyone who wants to see it. I'll post the details next comment.
 
LVL 11

Expert Comment

by:CynepMeH
ID: 21774879
Wakeup, btw I posted answer to your security tab comment in the other discussion. Back on topic.
 
LVL 11

Accepted Solution

by:CynepMeH
CynepMeH earned 350 total points
ID: 21774928
beefstu: all you have to tell him is as follows:

Your system was infected with a number of viruses and trojans and malware. Do you feel confident enough in your decision that you would have no problems:

a) Submitting confidential data on it
b) Running it unsupported
c) Compromising your personal information and possibly exposing it to the world
d) Having your system used as a staging point for attacks and illegal activities for which you may possibly be suspected until proven otherwise?
e) Agree that if you continue using this system I will not support any further problems with it until I have rebuilt it?

If he doesn't bite, take the money and walk away. Sometimes you gotta draw a line in the sand. If he was dumb enough to get viruses on the system he needs to understand the risks and implications. Don't let him bully you if it makes no sense.

For your sake I hope you're being paid for this and by the hour. If so, then take your sweet time. =)
 
LVL 2

Author Comment

by:beefstu123
ID: 21775095
Format reinstall is a go! :D Thanx heaps guys for all the info provided. It was very helpful and should help for future similar problems. I'll prob close the question soon too. Thanx again, have fun :)
 
LVL 17

Expert Comment

by:Wakeup
ID: 21776170
Great!  Good luck!  You can also do a parallel install if the customer is adamant about maintaining data.  
 
LVL 17

Expert Comment

by:Wakeup
ID: 21776343
Awww...I didn't get any points!?  Ah well...  Win some, lose some.
 

Expert Comment

by:applefox
ID: 21909199
Safe mode is wonderful besides the little fact that it is pretty easy to hack on to someone's computer with it.
 
LVL 6

Expert Comment

by:astralcomputing
ID: 22204552
I saw this recently in conjunction with an Antivirus 2008 scan. They were ABSOLUTELY bogus blue screens. It was very well crafted, including a "rebooting Windows" sequence without the BIOS.

Cheers
 

Expert Comment

by:vku325
ID: 22318989
test