Help2Go
Free Computer Help.
Powered by Volunteers.





11-08-2009, 10:41 AM   #1
Horchheimer
Member
Join Date: Sep 2005
Posts: 59
Points: 0

Can't get past the BSOD

This morning when I went to the computer, I saw that resident shield was displaying a warning about a vundo.dll (or something like that) trojan. So I was going to come onto h2g to run through all of the normal scans (housecall, panda, etc) and I couldn't get signed onto explorer because resident shield would keep popping up to inform me of this vundo thing.

So I have copies of the housecall and all of that stuff on my computer (possibly a version or two outdated), and I thought I'd be able to run prescans, before going online to run updated versions scans.

But it wouldn't let me do that either...


So looking at my available programs, I noticed I had one, I think it's called safeboot or something like that, which gives me the option to reboot in safe mode, and in my infinite wisdom, I thought "well I boot it in safe mode, I shouldn't be getting that vundo warning, and I'll be able to do a clean up"...


Reboot in safe mode put me at the BSOD and now I can't get past it (in any mode). The message I'm getting is...

A problem has been detected and Windows has been shut down to prevent damage to your computer.

If this is the first time you've seen this Stop error screen,
restart your computer. If this screen appears, follow
these steps:

Check for viruses on your computer. Remove any newly installed
hard drives or hard drive controllers. Check your hard drive
to make sure it is properly configured and terminated.
Run CHKDSK /F to check for hard drive corruption, and then
restart your computer.

Technical information:

*** Stop: 0x0000007B (0xF7C00528, 0xC0000034, 0x00000000, 0x00000000)


I'm at a loss though...

Thank you all for any help in advance that you can provide.

-Kurt

11-08-2009, 11:07 AM   #2
arraknid
Forum Moderator
Supreme Guru
Join Date: Dec 2006
Location: France
Posts: 4,453
Points: 1017

We'll get someone from the Spyware Forum to take a look, but they are incredibly busy, so hang in there.
__________________
Man is the only all-purpose computer system which can be mass-produced by unskilled labour.

11-08-2009, 12:20 PM   #3
arraknid
Forum Moderator
Supreme Guru
Join Date: Dec 2006
Location: France
Posts: 4,453
Points: 1017

Whilst we are giving your problem some thought, can you please provide the following...

Make and model of machine.

Version of Windows.

Do you have a Windows installation disk?

11-08-2009, 12:27 PM   #4
theseven
Helpful Member
Join Date: Jan 2009
Posts: 124
Points: 27

I just had to resolve a very similar problem with someone's laptop about a week ago. There are 2 options available to you at the moment (unless somebody can suggest anything else):

1. Create or download a bootable "rescue" CD and do a full scan of your system drive with anti-virus.

2. Disconnect your hard drive, connect it as a slave device to a clean machine (or put it in an external enclosure and connect via USB/FireWire/eSATA) and again do a full scan of your system drive with an anti-virus programme.

I used Kaspersky Rescue Disk that can be "created" by installed Kaspersky Anti-Virus or Kaspersky Internet Security.
Here is a small list of other available CDs:
FREE Bootable AntiVirus Rescue CDs Download List

I personally would go with Avira AntiVir Rescue System:
Virus removal, boot sector repair, system check - free tools download

After you clean or remove the infected system file that prevents your operating system from booting, you should be able to boot. In my case it was an infected atapi.sys as far as I remember, but obviously it can be different in your case. Also a whole lot of other files were cured and/or removed. Don't feel safe though; the system is most probably still compromised and needs further scans with different anti-virus and anti-malware programmes. Basically, you again have 2 options here:

1. Save all your data (documents, e-mails (if you use an e-mail client such as Outlook, Outlook Express, Mozilla Thunderbird etc.), pictures, music etc.) on an external hard drive or burn it to CDs/DVDs and then reinstall the operating system with a full reformat. Then update the system, install anti-virus software and move all personal data back.

2. Boot into Safe Mode with Networking and start downloading, installing, updating and scanning with anti-malware programmes (Malwarebytes' Anti-Malware, SUPERAntiSpyware, Spybot Search&Destroy), going through the list of Startup items, analysing the HijackThis log etc.

I personally would go with option 1 as this is sometimes faster and safer and guarantees that the system is 100% clean. Had to choose option 2 with that computer I was fixing though, as a Windows installation disc wasn't available and a system restore partition was not present.

11-08-2009, 01:30 PM   #5
arraknid
Forum Moderator
Supreme Guru
Join Date: Dec 2006
Location: France
Posts: 4,453
Points: 1017

If you prefer or need to use a USB flashdrive rather than a CD, this tutorial will show you how. To ensure you have the most up to date definitions, you'll need to connect your machine to the internet with an ethernet cable. If that isn't possible, run with the included definitions.

Once the scan is complete, you can manually modify the Boot.ini file found on the C: drive (C:\boot.ini). Be aware that your drives will be designated differently, but you should be able to recognise the correct drive. It'll contain a Windows folder. It will also contain a file called boot.ini. Open it and delete just the following text, then save it.

/SAFEBOOT:MINIMAL(ALTERNATESHELL)

That'll enable normal startup once you exit the live CD/USB device.

11-08-2009, 01:46 PM   #6
Horchheimer
Member
Join Date: Sep 2005
Posts: 59
Points: 0

I'll give the suggestions a try. Thank you guys.

11-09-2009, 06:38 PM   #7
Horchheimer
Member
Join Date: Sep 2005
Posts: 59
Points: 0

I think it looks like I'm in business right now, arraknid. I used your USB link, and was able to get past the BSOD... my desktop is a little different at the moment, as my PC is doing a scan from bitdefender 2010.

If it's alright with everyone else, I'd like to keep this thread open a bit longer while it runs its scan, as I'm sure I'm going to need some help doing cleanup and evaluating the HJT logs and whatnot.

I do appreciate your help.

11-09-2009, 07:45 PM   #8
arraknid
Forum Moderator
Supreme Guru
Join Date: Dec 2006
Location: France
Posts: 4,453
Points: 1017

Not a problem. Let us know.

11-09-2009, 09:50 PM   #9
Horchheimer
Member
Join Date: Sep 2005
Posts: 59
Points: 0

Ok, it ran through the scan, and I quarantined the infected files, exited out as it suggested, pulled the jump drive out when indicated and rebooted, and when it came up I still got hit with the BSOD.

:/

11-10-2009, 03:20 AM   #10
arraknid
Forum Moderator
Supreme Guru
Join Date: Dec 2006
Location: France
Posts: 4,453
Points: 1017

You need to do this part too...

Quote:
Once the scan is complete, you can manually modify the Boot.ini file found on the C: drive (C:\boot.ini). Be aware that your drives will be designated differently, but you should be able to recognise the correct drive. It'll contain a Windows folder. It will also contain a file called boot.ini. Open it and delete just the following text, then save it.

/SAFEBOOT:MINIMAL(ALTERNATESHELL)

That'll enable normal startup once you exit the live CD/USB device.
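
The boot.ini edit described in posts #5 and #10, scripted as an added example that is not part of the original thread. It goes slightly beyond the single string quoted there by removing any /SAFEBOOT switch from entries under [operating systems]; the function names and the sample boot.ini are constructed for illustration, and it assumes Python is available in the environment where the Windows partition is mounted.

```python
import re
import shutil

# /SAFEBOOT plus its optional argument, e.g. /SAFEBOOT:MINIMAL(ALTERNATESHELL),
# and the blanks before it. boot.ini switches are not case-sensitive.
SAFEBOOT = re.compile(r"[ \t]*/SAFEBOOT(?::[^\s/]*)?", re.IGNORECASE)
SECTION = re.compile(r"^\s*\[(.+?)\]\s*$")

# Constructed sample, not taken from the thread (assumes a single XP install).
SAMPLE = (
    "[boot loader]\r\n"
    "timeout=30\r\n"
    "default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS\r\n"
    "[operating systems]\r\n"
    'multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional"'
    " /noexecute=optin /fastdetect /SAFEBOOT:MINIMAL(ALTERNATESHELL)\r\n"
)


def strip_safeboot(text):
    """Return (new_text, changed_entries); only [operating systems] lines are edited."""
    out, changed, section = [], [], None
    for line in text.splitlines(keepends=True):
        header = SECTION.match(line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "operating systems" and "=" in line:
            cleaned = SAFEBOOT.sub("", line)
            if cleaned != line:
                changed.append(line.split("=", 1)[0].strip())
                line = cleaned
        out.append(line)
    return "".join(out), changed


def fix_boot_ini(path):
    """Edit boot.ini in place, keeping <path>.bak; return the entries that changed."""
    # latin-1 round-trips every byte; newline="" preserves the CRLF line endings.
    with open(path, encoding="latin-1", newline="") as fh:
        original = fh.read()
    fixed, changed = strip_safeboot(original)
    if changed:
        shutil.copy2(path, str(path) + ".bak")
        with open(path, "w", encoding="latin-1", newline="") as fh:
            fh.write(fixed)
    return changed


if __name__ == "__main__":
    print(strip_safeboot(SAMPLE))
```

Point `fix_boot_ini` at the boot.ini on the mounted Windows partition; the mount point depends on the rescue environment, and the untouched original is left beside it as boot.ini.bak.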
All times are GMT -5. The time now is 09:36 AM.

