Grumpy

Blue Screen of Death

At first I was going to ask what to do, but as I managed to figure it out, I'll share what I did instead.

SAS caught a trojan attack today. As you can imagine, a few things did get through, although it seems to have prevented the worst of the damage, namely a root hack. This is going to make cleanup much simpler.

The problem came when I tried to run a system scan. As SAS was running through my registry, my system hit a blue screen of death and rebooted. I could never manage to complete the scan.

A REG edit tool provided the answer. Obviously, there was a faulty entry in the registry, most likely specifically designed to crash the search. I found an invalid entry using a REG edit tool. It was a PSCCX library entry, whee. :| I deleted it along with the one next to it, and my next scan got past the registry and is working through the last of my Windows directory as I type.

I wish I had taken a screenshot of what the entry looked like, but I was mostly just glad to find the probable answer. Hopefully this current scan will wipe the remains of the infection so that I can plug the system back into the network.

Gotta say THANKS to SAS for making this much easier for me to clean by preventing the majority of the infection.

EDIT: While I spell-checked, the scan completed, but sadly it's still infected. :( It's not finding some of the files.


Actually, I am not certain this was the problem now. After the reboot from the scan, I am back to hitting a blue screen of death while scanning the registry.

It gets into the CSLID and then something else. Entries are blurring by so quickly that I can't see precisely. I hit Pause and Reume, but don't know. It was probably removing a few CDF files from the Windows directory. One of the programs running I have to kill is called X-Spruce.exe

I'm a bit frustrated now

What I see inside this one remaining file is a reference to Creative Tech. Yes, I have a Creative Labs audio card. CTHELPER.EXE is running and I can't kill it. I can't delete this other file because some program that's running is using it. It looks like they have used a developer hack into Creative's entries to make it difficult to remove this file. Maybe it's just the lack of sleep speaking, though.


I'm fairly confident that this is a Vundo Variant. There were some bogus EXE files in the Windows directory.

I am no longer confident that the BSoD is happening during the registry scan, as mentioned above. Right now, though, I am running VundoFix V6.7.7 and hoping this removes the ability of some of the installers to hide from SAS.


VundoFix failed to find any files.

The registry IS the problem. When I hit pause, a bare second before the most recent BSoD, it was in the TypeLib area mentioned above. I don't know which entry is bugged now though. The two bogus EXE files are not being re-created, but my infected computer isn't on the network, which is probably why.

I'm continuing to try and locate the installer that SAS is failing to find, and to find some way to reliably locate the BSoD entry in the registry.


Hi Grumpy,

RE:BSoD

Have you tried SAS from safe mode yet ?

FYI, Vundofix, like all canned fixes, needs updating the same as the botkillers to target new emerging strains, and as with most software/fixes the authors have a holiday break....

If you suspect Vundo, or at least have identified/located suspect files, the first thing would be to shoot them past VirusTotal to see if any DBs there are flagging them :wink:

http://www.virustotal.com/

LMK what data is being returned :)


Thanks for the replies. I didn't expect any today, honestly. I did grab the most recent VundoFix prior to running it. It probably just wasn't a Vundo infection, is all.

The issue of the infection has been resolved, though it involved another piece of software. I bought the 'lifetime' update version of SAS, so I don't plan on ditching it or badmouthing it. I am still confident that it did prevent some of the worst system hacks by the malware so that I could more easily get rid of it.

The only major changes I've made recently to my system are to upgrade my video card and also update my BIOS. At some point in the future I may well put in a ticket if the BSoD hasn't been resolved by cleaning out the infections, but for now I'm in 'twitchy mode' and don't want to touch anything.

Thanks again for the responses.


Ok, I think this will be the final update. Sorry for spamming this thread with so many tiny updates.

SAS scans without BSoD now. I'm glad to be rid of the infection, but wish I could help you fight that particular bit of nastiness in a way too.

To finish on a more positive note, I decided to run SmitFraud to make CERTAIN my host files were ok. It said under the Rustock section that it had detected an xpdx infection. I know that the SYS file for that wasn't around, but decided to run SAS. It turned up an INI file that goes with it that the other checks had missed. Go SAS. :)

All software seems to agree that I'm clear again. I think my lesson is to not 'go chasing waterfalls'. Guess it's just the lakes and ponds that I'm used to. ;)

Thanks again for the responses.


It said under the Rustock section that it had detected an xpdx infection

FYI

More than likely it has detected the xpdx service load entry. When this particular Rustock (in-memory RK) is active it hides its activities (firewall bypass/Task Manager bypass etc.) and also its load (Run) service entry is hidden. Ironically, its principal file on the HD is not hidden but sits there in a folder.

Once something nukes that file (manually deletable in safe mode) then the service entry is no longer hidden, and that is probably what that detection was by Vundofix.

:!: SAS has nuked those variant(s) of the Rustock file to date on my research (victim) machine; I'm guessing Nick has a *smart* rule for that badboy in place :P

But like you said, if the BSoD was happening during the registry scan then SAS never got to hit the files to effect a kill on it.

All the best with the learning curve in the water, I think most of us are swimmers :lol:

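The reply above describes the giveaway of that Rustock variant: a service load entry that is hidden while it is active, and that becomes visible in the registry once its file on disk is gone. The PowerShell below is an added example, not code from this thread, from SAS or from Vundofix. It lists entries under the Services registry key that the Service Control Manager does not report (via the Win32_Service and Win32_SystemDriver WMI classes), and checks whether each entry's ImagePath still exists on disk. The Resolve-ImagePath helper and its handling of the `\??\`, `\SystemRoot\` and bare `system32\` path forms are my own best-effort assumptions about the formats found in that key.

```powershell
# Added example (not from the thread): report service/driver entries that sit in
# the registry but that the Service Control Manager does not enumerate.
# Caveats: a kernel rootkit that filters registry reads can hide its key from
# this script too, which is why the safe-mode / offline check in the thread is
# still the reliable one; leftover keys from uninstalled drivers also show up
# here, so treat the output as leads to inspect, not as verdicts.

function Resolve-ImagePath {
    # Best-effort normalisation of ImagePath formats seen under the Services key
    # (assumed forms; adjust if your system uses others).
    param([string]$ImagePath)
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    if ($p.StartsWith('"')) { $p = $p.Split('"')[1] }            # "C:\path\x.exe" -args
    else { $p = ($p -split ' -| /')[0] }                           # C:\path\x.exe -args
    $p = $p -replace '^\\\?\?\\', ''                                 # \??\C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"           # \SystemRoot\system32\...
    if ($p -match '^system32\\') { $p = "$env:SystemRoot\$p" }      # system32\drivers\x.sys
    return $p
}

function Get-UnreportedServiceEntries {
    $regNames = (Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue).PSChildName
    # Names the SCM is willing to tell us about (services and kernel/file-system drivers).
    $visible  = @(Get-CimInstance Win32_Service      | Select-Object -ExpandProperty Name) +
                @(Get-CimInstance Win32_SystemDriver | Select-Object -ExpandProperty Name)

    foreach ($name in $regNames) {
        if ($visible -contains $name) { continue }
        $key = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$name" -ErrorAction SilentlyContinue
        # Keys without an ImagePath are parameter stores, not load entries; skip them.
        if (-not $key.ImagePath) { continue }
        $file = Resolve-ImagePath $key.ImagePath
        [PSCustomObject]@{
            Service   = $name
            Start     = $key.Start       # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            ImagePath = $key.ImagePath
            OnDisk    = Test-Path -LiteralPath $file
        }
    }
}

# Boot/system-start entries with no SCM record are the ones to look at first.
Get-UnreportedServiceEntries | Sort-Object Start | Format-Table -AutoSize
```

Run it from an elevated prompt so that restricted service keys are readable; an entry with Start 0 or 1 whose file is still OnDisk but which the SCM does not list is the pattern the reply above describes, and is worth submitting to VirusTotal as suggested earlier in the thread before deleting anything.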
