• Status: Solved
  • Priority: Medium
  • Security: Public

ever heard of fake bluescreens?

Hi, I'm running a computer with XP Pro SP2, Pentium D 3.4GHz and a GB of RAM. Usually straight after start up I get a BSOD, then it disappears and a different BSOD shows up. I didn't think that they behaved in this manner? Another weird symptom is being able to use my mouse over the BSOD. It kinda seems like a huge virus link, kinda like those background viruses. I was hoping that someone knows where they come from and if I can disable them or get rid of them somehow. I can't run any scans cause they (BSOD) prevent me from accessing anything on the desktop.
0
Asked:
beefstu123
3 Solutions
 
CynepMeHCommented:
check to make sure your screensaver is not loading some sort of BSOD fake...
http://technet.microsoft.com/en-us/sysinternals/bb897558.aspx

0
 
patrickfromscCommented:
Sysinternals once had a BSoD screen saver, but I think CTRL+ALT+DEL made it go away.  Here is a blurb about it:
http://www.informationweek.com/news/windows/showArticle.jhtml?articleID=193700617

It would be nice if that is all the problem you are having, eh?

Regards,
PfSC
0
 
WakeupCommented:
Have you tried to boot into Safemode?  If you can't do anything in normal mode, that might help trying that route.  I would highly suggest scanning the system for infections.

Some good decent programs to try that are free:

AVG, Superantispyware, spybot search and destroy, hijackthis, and if your system background has been taken over try smitfraudfix, and combofix.  

If you need links, let me know!
0
 
CynepMeHCommented:
also, go to start > run  and type MSCONFIG

Click on "startup" tab and check for any suspicious programs. This is what gets loaded at startup - any suspects can be un-checked. After unchecking, reboot and see if problem re-occurs. You may be told that your system is running in a diagnostic mode. If problem goes away, narrow down your list until you find out what's causing it. It should tell you the path of the executable - track it down and nuke it.

Also, try running hijack this:
http://www.download.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html

and

CCleaner
http://www.ccleaner.com/

IF YOU USE THESE UTILITIES BE VERY CAREFUL NOT TO REMOVE USEFUL STUFF! BE SURE TO KNOW WHAT YOU'RE DOING BEFORE RUNNING IT!
0
 
CynepMeHCommented:
Wakeup - man, you sure love that "safe mode" - that's a second time I saw that today =) LOL
0
 
CynepMeHCommented:
hm... google search:
wakeup +"safe mode" site:experts-exchange.com yields 330 results.

Woot for safe boot! =)

Be safe everyone, adios! ROFL
0
 
WakeupCommented:
Safemode is the bomb! :)  hehe...sometimes you gotta do the safemode thing whether you like to or not....gotta be done! :)
especially viruses and spyware.  I hate doing it...cuz in safemode everything runs slower and takes more time, and you don't have access to everything you need.  But it gets the job done!
0
 
beefstu123Author Commented:
Thanks for the info so far guys. I'm attempting to install the usual scanners, however the BSODs are in the way. I've been through safe mode, however since none of the scanning programs I need are installed yet, safe mode isn't much help. So far I've been able to determine that the BSODs are not screensavers.
0
 
WakeupCommented:
Any verification on the BSODS as to what they are saying?  
If they are legitimate BSODs and they cause the system to restart etc and they display BRIEFLY on the screen or BARELY....hit F8 after one of those until you get the "safemode" selections....instead of hitting safemode or normal etc.......find the stop on error one...I can't quite remember the title of it word for word, but it is basically to stop the system from restarting after error....near the bottom of the list....maybe 3rd or 4th from the bottom.
0
 
WakeupCommented:
haha...wow 330 times!?  hehehe... nifty! :)
0
 
CynepMeHCommented:
It's: right click my computer > properties > advanced > startup and recovery settings > uncheck "automatically restart".

close. Also, you should not be able to see mouse cursor in a "true" BSOD, as it is all text-based and by that time GUI/GDI is dead.
0
 
CynepMeHCommented:
so wait, are you saying that you're able to do some other things while BSOD is displayed? If so, then it is not a BSOD. When system BSOD's - all you see is a nice blue screen of death, unable to do much except hard reset. Can you bring up a task manager by hitting CTRL+ALT+DEL? If so, then it's definitely not a BSOD. See what you find in your list of running processes under "tasks" - that BSOD crapware may be one of the programs launched. Obviously if you get to task manager - you are not BSOD'd.
0
 
beefstu123Author Commented:
Yeah, I am positive that they are not true BSODs. They do not start a memory dump, they do not restart the PC, they have a mouse over the top, and one of them has the error SYSINTERNALS_GREAT_SITE at the top lol
0
 
WakeupCommented:
Ya he stated he was able to move the mouse cursor.  So that leads me to believe infection...
But if it's restarting......disable automatic restart and tell us what kind of BSOD's yer getting.

0
 
CynepMeHCommented:
That's a Sysinternals BSOD. Jeez. Did you look at the MS article I provided? Run "msconfig" and look for any files with .scr in the name - that's your suspect.

0
 
beefstu123Author Commented:
Also, the registry editing, all programs menu, task manager, and system properties have been disabled due to other infections. So most of my normal courses of action are not available lol. I'm trying to disable restart as mentioned above but the BSODs pop up so damn quickly. I've disabled it via the startup screen, so I'll see how I go now.
0
 
beefstu123Author Commented:
Yes I did read the article and yes it was helpful. But I still can't get to msconfig due to the disabled task manager and start menu etc. I'm close to enabling them through GP but the popups are really hampering the process.
0
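An added example, not code from the thread or from any of its participants: a read-only PowerShell audit of the three places the replies above point at (the active screensaver, the Run keys that msconfig lists, and the DisableTaskMgr / DisableRegistryTools policy values that lock out Task Manager and regedit). It assumes PowerShell is available on the affected machine; the flagging heuristics (a `.scr` in the command, or a path outside Windows/Program Files) are this example's own and not from the thread.

```powershell
# Added example, not code from the thread. Read-only audit of the places the
# thread points at: the screensaver setting, the Run keys msconfig shows,
# and the policy values that disable Task Manager and regedit.

# 1. The active screensaver (the Sysinternals BlueScreen saver is a .scr)
$ss = (Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue).'SCRNSAVE.EXE'
"Screensaver: " + $(if ($ss) { $ss } else { '(none)' })

# 2. Startup entries, flagging .scr files and anything outside the usual folders
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not a startup entry
        $cmd = [string]$p.Value
        $flag = ''
        # heuristic (this example's own): a screensaver binary launched at startup
        if ($cmd -match '\.scr(\s|"|$)') { $flag = 'SCR' }
        # heuristic (this example's own): executable outside Windows / Program Files
        elseif ($cmd -notmatch '^"?[a-z]:\\(windows|program files)\\') { $flag = 'ODD PATH' }
        '{0,-9} {1}\{2} = {3}' -f $flag, $key, $p.Name, $cmd
    }
}

# 3. Lock-out policies (1 = disabled). Removing the value is the "re-enable
#    through GP" step; the Remove-ItemProperty command is only printed, not run.
$policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
    $v = (Get-ItemProperty -Path $policy -Name $name -ErrorAction SilentlyContinue).$name
    if ($v -eq 1) {
        "$name = 1  (to re-enable: Remove-ItemProperty -Path '$policy' -Name $name)"
    } else {
        "$name not set"
    }
}
```

Run it from the healthy machine over the remote registry, or from the infected machine once it boots, and compare the flagged entries against what msconfig shows before unchecking anything.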
 
WakeupCommented:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Use combofix.  above link is a description on how to use it.

Are your .EXE's not executing as well?  You can rename your .exe to .com or .bat and they'll run that way.  
You can rename combofix to combofix.com as well, and run it and Combofix will fix that problem too.
If you can boot to "SAFE MODE!" hahaha.....you can try using ADD REMOVE programs, remove any programs that may be malicious....if you are unsure....Let us know what they are here and we can try to help.  Try Hijackthis and post your log here as well?  

Try some of those programs I listed above?  Even if you can't update them, you might be able to use them in raw form to remove SOME of what is ailing you to make the system run a tiny bit better? and might get you in to do other things with other programs.

0
 
WakeupCommented:
Oh and if you can find your msconfig and such you can rename or make a copy of it with .com on the end etc....and may get it to run as well.
0
 
CynepMeHCommented:
If you have a healthy system on the same network, try connecting to your "infected" computer's registry and disabling startup items. Here's some info about the registry location you'll need to search:

http://www.doshelp.com/HowToView/Registry_Keys.htm

At this point though.... if you're so hampered with crap, save the data and re-build the box. If you need to do that, start your system using something like ERD Commander and salvage the data to some other drive. Otherwise, if you can connect to the system over the network, try saving your data that way by network copy. Lastly, if that's not an option and you need to preserve your data on the existing drive, install a new drive in your system, remove the old one, install the OS and then connect your old drive as a "slave" or in an external enclosure. This way you can do whatever you need to. You may also consider scanning that volume for viruses. A clean system with the latest AV defs may be able to pick up the executables and files that are giving you grief. Once removed, you can possibly put the drive back in and re-use it... though a box like this I'd never trust again until I scrapped it and rebuilt it. Once compromised - never to be used again until rebuilt. That's my $0.02.
0
 
CynepMeHCommented:
BTW, if you have a healthy system on the network and it has antivirus tools, try mapping from your healthy system to your infected drive in this system. Then run a remote antivirus scan on that volume. Be sure to select "jokeware" and "malware" in your scan... and confirm you have the latest antivirus definitions loaded.
0
 
WakeupCommented:
And in the same token as CynepMeH, if you have a healthy system you can pull the drive out and slave it accordingly to the healthy system and run tools as well to clean up infections.  Just be careful to not run any programs off your infected drive, you may infect your healthy machine.
0
 
WakeupCommented:
especially if you cant get access to it on the network or if you keep getting errors or problems.  And it'll be faster to just dump it into a working machine.  
0
 
beefstu123Author Commented:
Cool, thanks guys. I was leaning towards a rebuild from the beginning but the client wouldn't hear a word of it. I'll try to do some more convincing later on. So far I've gotten rid of the BSODs, re-enabled the task manager, registry etc. I'm trying to get a HijackThis log for anyone who wants to see it. I'll post the details next comment.
0
 
CynepMeHCommented:
Wakeup, btw I posted answer to your security tab comment in the other discussion. Back on topic.
0
 
CynepMeHCommented:
beefstu: all you have to tell him is as follows:

Your system was infected with a number of viruses, trojans and malware. Do you feel confident enough in your decision that you would have no problems:

a) Submitting confidential data on it
b) Running it unsupported
c) Compromising your personal information and possibly exposing it to the world
d) Having your system used as a staging point for attacks and illegal activities for which you may possibly be suspected until proven otherwise?
e) Agree that if you continue using this system I will not support any further problems with it until I have rebuilt it?

If he doesn't bite, take the money and walk away. Sometimes you gotta draw a line in the sand. If he was dumb enough to get viruses on the system he needs to understand the risks and implications. Don't let him bully you if it makes no sense.

For your sake I hope you're being paid for this and by the hour. If so, then take your sweet time. =)
0
 
beefstu123Author Commented:
Format reinstall is a go! :D Thanks heaps guys for all the info provided. It was very helpful and should help for future similar problems. I'll prob close the question soon too. Thanks again, have fun :)
0
 
WakeupCommented:
Great!  Good luck!  You can also do a parallel install if the customer is adamant about maintaining data.  
0
 
WakeupCommented:
awww...I didn't get any points!?  Ah well...  Win some lose some.
0
 
applefoxCommented:
Safe mode is wonderful besides the little fact that it is pretty easy to hack on to someone's computer with it.
0
 
astralcomputingCommented:
I saw this recently in conjunction with Antivirus 2008 scan. They were ABSOLUTELY bogus blue screens. It was very well crafted, including a "rebooting Windows" sequence without the BIOS.

Cheers
0
 
vku325Commented:
test
0
