MGD
Premium,MVM
join:2002-07-31
Fort Lauderdale, FL
2 edits | [XPAV infection?] Cannot log in to windows, nor safe mode
[I apologize in advance if this is not the best forum for this question]
I just ran across a very similar problem as: »(topic move) [Trojan] Cant even login to windows
Got a call for a second opinion on a XPhome machine that goes into repeated restarts after logining in, safe mode also apparently fails. User told no other option but to reformat. Though the user has a backup of the most crucial data files, there is enough missing that he wanted a second opinion on the possibility of salvaging the system.
I queried him during the telephone call about the circumstances directly preceeding the problem. It is clear that he was just infected within the past few hours by a strain of the WinXP anti virus / anti malware. Clicked to view a video, needed to download a file, gets a subsequent "Windows" message that his system is infected with malware files, and he gives permission for a scan. Then told he needs to buy a copy in order to complete the removal. Now at the stage where the PC will not complete the boot up process.
Walking him through a safe mode start up, it appears to almost complete. However, right after clicking the OK message to confirm safe mode he gets a blue screen that states a critical error at xxx, and that the system is shutting down to protect itself, it doesn't, just stays on the blue screen. I suspect that this safe mode BSOD message is fake, though the system will not go any further. He is bringing the box over to me within the hour.
My question is, I recall over a year ago a similar strain that really did block systems from booting up with a fake bsod. I recall correcting that issue by first using an XP disk to go into repair mode command prompt. If I remember, the fix may have required the renaming of ~ 3 or 4 system files and copying back ups from another directory. That then allowed the system to boot up, and the virus could then be cleaned. I have checked over my notes, and done some searches, but I cannot find a copy of that documented procedure to correct the bootup issue.
Does anyone remember that old strain, and recall the specific procedure to allow the machine to boot? I searched for fake BSOD but the results are about ones that occur after the systems complete booting up and are running.
Since this occurred today I will be glad to recover any copies of the virus files if needed for analysis. I suspect this could be a new variant since most of the Typical "XP antivirus" infections do not prevent the system from booting up.
[EDIT]
I now have the machine, auto reboots as soon as Windows login password is entered. Booting in safe mode generates a blue screen with:
"A problem has been detected and Windows has been shut down to prevent damage to your computer. beep.sys caused a page fault in a nonpaged area and also begin dump of physical memory"
The BSOD message stays on the screen.
This is different than the fake BSOD that I thought of above, however it directly followed an XP AV infection. So that other fix which I mentioned may not be applicable here. I am not entirely sure that this is a valid windows error message[END EDIT]
MGD |
|
ross
join:2000-08-16
 ·Digizip
| You could try this method:
Download the Ultimate Boot CD ISO, and add your favorite anti-virus, -trojan, -spyware software to the ISO image, then burn the image to CD. Set your BIOS to boot from the CD/DVD-ROM, and use the software you have at hand to scrub the hard drive of malware. Reset the BIOS to boot from the hard drive. Boot into Safe Mode with networking enabled, then run an on-line scanner like the one available at Kaspersky, or at Trend Micro. |
|
MGD
Premium,MVM
join:2002-07-31
Fort Lauderdale, FL
1 edit | Thank you for your help,
Prior to reading your post, I booted into a command prompt with a windows cd. I renamed beep.sys in the windows/system32/drivers folder to .old. I then copied in a beep.sys from a known good system. I was then able to successfully boot into safe mode. The now beep.old was a 17KB file that was dated today at noon, the time of infection. The correct beep.sys is ~5KB
This is apparently a new strain of the XP Antivirus. I am now examining the system in safe mode prior to running the scans. I suspect those symptoms may start showing up with many others.
MGD
EDIT = corrected directory path |
|
MGD
Premium,MVM
join:2002-07-31
Fort Lauderdale, FL
| reply to ross
I uploaded beep.sys to virustotal, they report a prior submission:
File has already been analysed:
MD5: 7f61fb6dd535d902a9f19e35c68f5bea
First received: 09.24.2008 09:08:13 (CET)
Date: 09.25.2008 22:39:52 (CET) [>2D]
Results: 8/36
Permalink: analisis/0b5d2a757d1337267ab80af888014d0c
MGD |
|
MGD
Premium,MVM
join:2002-07-31
Fort Lauderdale, FL
| reply to ross
To add, Virustotal currently shows a 17/36 detection level:
»www.virustotal.com/analisis/fdd2···dadfe2fe and ThreatExpert »www.threatexpert.com/report.aspx···c68f5bea
MGD |
|
MGD
Premium,MVM
join:2002-07-31
Fort Lauderdale, FL
| reply to MGD
Update, Ran freshly updated Malwarebytes Anti-Malware, SUPERantispyware, followed by, Windows Malicious Software Removal Tool, and Spybot. Cleared all temporary files, and internet cache (had remnants of the malware). Then ran a thorough Anti Virus scan. Also reviewed a final HijackThis log. Finished by clearing old system restore points and setting a new one. I recommend booting into safe mode after replacing the infected beep.sys, and running some of the cleaning tools from there first.
I suspect that this new variant of the fake XP Antivirus / Anti malware is nailing a lot of systems.
MGD |
|
