TechSpot

BSOD 0x00000024 from spyware/virus?

By Zadig
Feb 21, 2010
Topic Status:
Not open for further replies.
  1. Hey everyone

    I generally keep pretty safe browsing habits, but yesterday I got this nasty Google redirect virus, so that Google links would redirect somewhere else. I ran spyware S&D, and cleared the Firefox cache. Didn't work, whatever, turned the computer off, went to bed. Woke up, turned it on, and now I get this BSOD with this 0x00000024 error (0x001902FE, 0xBA4FB38C, 0xBA4FB088, 0x89B29889). I don't know what those numbers mean to all of you, but the thing won't boot in any of the modes.

    Luckily, I dual boot Ubuntu and so I'm currently pulling all important files from the Windows XP partition into my external. The hard drive is less than a year old, and Ubuntu is working fine, and it's all the same physical hd, so it can't be a dying hard drive. I feel like spyware isn't going to make my PC inoperative, which makes me think spyware search and destroy did something funny to my registry, or something like that.

    The question is, short of backing everything up and reinstalling Windows, what can I do here? I can fiddle with the Windows files through Ubuntu, so if it's just something that needs deleting or such, I could do that.

    Please help. Thanks
  2. EXCellR8

    EXCellR8 The Conservative Posts: 2,278

    I just ran into the same exact problem... except my system crashed and now I get the BSOD. I ran chkdsk /r since I also can't run Safe Mode or anything and like usual it didn't fix the problem even though it found errors. The blue screen itself doesn't mention any files but just to run chkdsk /f.

    My stop code is:

    0x00000024 (0x001902FE, 0xBA4FB484, 0xBA4FB180, 0x8B078889) -no other info

    The Stop messages seem to be related and I have no idea what to do. Luckily, my Windows 7 installation still boots up so I know it's an XP issue; that my hardware is okay. I'm gonna try scanning the disk with another computer and see if I can dig anything up. If I can't get it fixed in the next day or so it looks like I am saying goodbye to XP on this machine.
  3. EXCellR8

    EXCellR8 The Conservative Posts: 2,278

    Well, I just scanned an area of the drive I suspected to be infected and oh what a mess. Avast found about 7 or so different infections. I moved them to quarantine but I am going to run a full drive scan and then backup what I need. A few of the infections seem pretty severe so I think a reformat is my best option, especially since I can't boot into XP anyways.

    Here's what Avast found in my local folders:

    Win32: Malware-gen (virus/worm)

    Win32: Jifas-DZ (trojan horse)

    Win32: Trojan-gen (trojan)

    Win32: Rootkit-gen (rootkit)


    There seemed to be multiple instances of each infection so I'm concerned about them spreading to my other drives once the hdd is back in my main computer. I need some of the stuff off of my XP install though so it's gonna take some time to scan and get everything backed up. Not what I felt like doing today.

    Hopefully you have better luck...
  4. Broni

    Broni Malware Annihilator Posts: 46,713   +254

    I suggest you start a new topic in the malware removal section.
  5. EXCellR8

    EXCellR8 The Conservative Posts: 2,278

    Well my main problem now is not being able to boot into Windows XP, which is very similar to the OP's problem. I ran a full drive scan twice on the problem partition after the initial detections and it was clean. I have a feeling the BSOD was directly tied to one of the infected files in the Windows\Temp folder but the lack of actual information is questionable; I wasn't able to find any minidump files related to the screens.
  6. Broni

    Broni Malware Annihilator Posts: 46,713   +254

    1. Download Dr.Web LiveCD: ftp://ftp.drweb.com/pub/drweb/livecd/minDrWebLiveCD-5.0.1.iso
    2. Download, and install free Imgburn: http://www.imgburn.com/index.php?act=download
    3. Using Imgburn, burn minDrWebLiveCD-5.0.1.iso to a CD.
    4. Make sure that the CD/DVD drive is set as the first-boot device. Adjust corresponding BIOS settings, if necessary.
    5. Insert Dr.Web LiveCD into the drive and restart computer.
    6. As loading starts, a dialogue window will pop up:


    7. Press Enter to continue with DrWeb-LiveCD (Default) mode.
    8. The operating system will detect all available disk drives automatically. It will also try to connect to the local network, if available.
    9. Check the disks or folders you want to scan, and click on Start.

    Dr.Web LiveCD user manual: ftp://ftp.drweb.com/pub/drweb/livecd/LiveCD-en.pdf
  7. EXCellR8

    EXCellR8 The Conservative Posts: 2,278

    Thanks, will def give that a try later.

    Is there an alternative download location? I'm getting a network error...
  8. Broni

    Broni Malware Annihilator Posts: 46,713   +254

  9. EXCellR8

    EXCellR8 The Conservative Posts: 2,278

    Eh I couldn't get the LiveCD working for some reason... it would either go to load the GUI or text mode and just hang there. I think it has something to do with the hard drive structure or something but I can't get it to work at all. When I try to boot into DrWeb Safe Mode (text only) it stops loading at the "raid456" line, so I'm guessing that's where it stops during GUI mode too...

    I still have some scanning and file moving to do so I will give it another shot later, maybe on another system just to test if the CD is corrupt or something. What exactly does this CD do anyways? Does it just scan the drives like a normal anti-virus program would?
  10. Broni

    Broni Malware Annihilator Posts: 46,713   +254

    Pretty much so.
    Let me know if you're still stuck; we'll try something else.
  11. EXCellR8

    EXCellR8 The Conservative Posts: 2,278

    Well I mean I ran Avast! Pro on the drive twice, and it came up clean the second time around after some initial infections, which were quarantined on another system. I will know tomorrow if the hdd still doesn't boot into XP... I'm actually using it right now but with Windows 7 booted. No problems on this partition as far as I can tell. Keeping my fingers crossed.

    Thanks for your interest in helping out... wonder where the OP went.
     
  12. Broni

    Broni Malware Annihilator Posts: 46,713   +254

    OP - original poster

    Well, I recommended Dr.Web because you said the XP partition was not bootable.
    Keep me updated.
  13. EXCellR8

    EXCellR8 The Conservative Posts: 2,278

    Well I haven't made much progress with this... XP still won't boot. I was actually able to get Dr.Web working but I had to use text mode cuz my mouse/kb wouldn't work in GUI for whatever reason. So I got the scan to run, which literally took all day to complete, and it did find a few things but I wasn't able to tell what they were. After it finished I chose to restart and it gave me an error. So I had to restart the system manually, which for some reason erased all of my BIOS settings lol. Thankfully I had them saved to a profile so I didn't have to reconfigure everything.

    So I'm still able to boot into Windows 7 but XP is still down for the count it seems, same BSOD while it's trying to start. I don't know if this helps but the last file it attempts to load before the crash is "sptd.sys" which I see when trying to boot safe mode. Not sure if it's related but Windows doesn't get past that point. Anyways, I have an Avast! BartCD with scanning tools and other data utilities which I might try but if I can't get XP to boot by the end of this week I will probably just erase the partition.

    I should be able to fix this though since I am able to access all the files through 7 or with the BartCD so I really don't want to erase the data just yet. If I can at least get XP to load to desktop I can sort out the problem from there... but it's just not happening. What's next?
  14. Broni

    Broni Malware Annihilator Posts: 46,713   +254

    sptd.sys - driver used by the CD Rom emulation program, Daemon Tools Version 4


    Let's see if we can look at your computer booting from an external source.

    You will need a USB flash drive to move information from the bad computer to a working computer.

    You need to download two programs.

    First

    ISO Burner: this will allow you to burn the REATOGO-X-PE ISO to a CD and make it bootable. Just install the program; from there on it's fairly automatic (Instructions)

    Second

    • Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 270.3 MB in size so it may take some time to download.
    • When downloaded, double-click it; this will then open ISOBurner to burn the file to CD
    • Reboot your system (Non working computer) using the boot CD you just created.
      • Note. If you do not know how to set your computer to boot from CD follow the steps HERE
    • Your system should now display a REATOGO-X-PE desktop.
    • Double-click on the OTLPE icon.
    • When asked Do you wish to load the remote registry, select Yes
    • When asked Do you wish to load remote user profile(s) for scanning, select Yes
    • Ensure the box Automatically Load All Remaining Users is checked and press OK
    • OTL should now start. Change the following settings
      • Change Drivers to All
      • Change Registry to All
    • Press Run Scan to start the scan.
    • When finished, the file will be saved in drive C:\OTL.txt
    • Copy this file to your USB drive.
    • Please post the contents of the C:\OTL.txt file in your reply.
  15. EXCellR8

    EXCellR8 The Conservative Posts: 2,278

    Hmm, well I don't use Daemon Tools but I do use Alcohol 120% for virtual devices... perhaps they use the same driver? It's almost 11:30 here so I might have to give this a shot some time tomorrow and then post back the results. Thanks again for your continuing support and prompt response, I appreciate the help.
  16. Broni

    Broni Malware Annihilator Posts: 46,713   +254

    You're always welcome :)
  17. EXCellR8

    EXCellR8 The Conservative Posts: 2,278

    OTLPE Scan Results

    I ran the OTLPE disk this morning before work and ran the scan. I didn't get the option to "load the remote registry" but I made sure remote user profiles and auto load remaining profiles were loaded. I checked "All" for both Drivers and Registry and then hit Run Scan. It only took a minute or two and then I saved the log file (attached).

    I looked it over quick but didn't really notice anything... hopefully there's something there that may lead me to why XP isn't booting up.


  18. Broni

    Broni Malware Annihilator Posts: 46,713   +254

    Do this on the computer you are posting from:
    Copy the text in the codebox below:


    Code:
    :OTL
    O33 - MountPoints2\{8d430479-1182-11de-8923-001fc6372819}\Shell - "" = Autorun
    O33 - MountPoints2\{8d430479-1182-11de-8923-001fc6372819}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{8d430479-1182-11de-8923-001fc6372819}\Shell\AutoRun\command - "" = C:\WINDOWS\System32\shell32.dll -- [2008/04/14 05:42:06 | 008,461,312 | ---- | M] (Microsoft Corporation)
    O33 - MountPoints2\{8d430479-1182-11de-8923-001fc6372819}\Shell\Open\command - "" = I:\RECYCLER\S-2-2-12-100010518-100016267-100017083-3655.com -- File not found
    
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    
    Open Notepad and paste it.
    Save the document as Fix.txt onto a USB flash drive.


    On the infected computer, do the following:

    Run OTLPE

    • Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.
      • (The content of Fix.txt should appear in the box)
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post the log produced (you'll need to transfer it with USB stick)
    • Attempt to reboot normally into windows.
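
As an added illustration (not part of the original thread, and not OTL's own logic), this Python example parses the O33 MountPoints2 lines quoted in the Fix.txt above and flags shell commands that point into a recycle-bin style folder or at a missing file. The line layout in the regex and the two heuristic lists are assumptions drawn only from the four lines in the post.

```python
import re

# The four O33 lines quoted in the Fix.txt codebox above, embedded as sample input.
SAMPLE_LOG = r'''
O33 - MountPoints2\{8d430479-1182-11de-8923-001fc6372819}\Shell - "" = Autorun
O33 - MountPoints2\{8d430479-1182-11de-8923-001fc6372819}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{8d430479-1182-11de-8923-001fc6372819}\Shell\AutoRun\command - "" = C:\WINDOWS\System32\shell32.dll -- [2008/04/14 05:42:06 | 008,461,312 | ---- | M] (Microsoft Corporation)
O33 - MountPoints2\{8d430479-1182-11de-8923-001fc6372819}\Shell\Open\command - "" = I:\RECYCLER\S-2-2-12-100010518-100016267-100017083-3655.com -- File not found
'''

# Assumed layout: O33 - MountPoints2\<volume>\<key path> - "<value name>" = <data>
O33_RE = re.compile(
    r'^O33 - MountPoints2\\(?P<volume>[^\\]+)\\(?P<key>\S+) - "[^"]*" = (?P<value>.*)$')

# Heuristics chosen for this example (assumptions, not OTL rules).
HIDDEN_DIRS = ("\\recycler\\", "\\$recycle.bin\\", "\\system volume information\\")
EXEC_EXTS = (".com", ".exe", ".bat", ".cmd", ".pif", ".scr", ".vbs")


def suspicious_mountpoints(log_text):
    """Return one finding per MountPoints2 shell command that looks like autorun abuse."""
    findings = []
    for line in log_text.splitlines():
        m = O33_RE.match(line.strip())
        if not m or not m["key"].lower().endswith("\\command"):
            continue  # only ...\command values name a program Explorer would launch
        target, _, note = m["value"].partition(" -- ")
        path = target.strip().lower()
        reasons = []
        if any(d in path for d in HIDDEN_DIRS):
            reasons.append("handler lives in a hidden system folder")
            if path.endswith(EXEC_EXTS):
                reasons.append("handler is an executable or script")
        if note.strip().lower().startswith("file not found"):
            reasons.append("target file is missing (stale entry)")
        if reasons:
            findings.append({"volume": m["volume"], "key": m["key"],
                             "target": target.strip(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_mountpoints(SAMPLE_LOG):
        print(f["volume"], f["key"], "->", f["target"], f["reasons"])
```

On the sample, only the `Shell\Open\command` entry is reported; the `shell32.dll` handler passes because it sits in the system directory and the file exists.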
  19. EXCellR8

    EXCellR8 The Conservative Posts: 2,278

    Will give it a shot and post back with the results/log. Thanks again for the help.
  20. Broni

    Broni Malware Annihilator Posts: 46,713   +254

    Sure thing :)
  21. EXCellR8

    EXCellR8 The Conservative Posts: 2,278

    The fix ran successfully but I still get the blasted blue screen when attempting to boot XP. My best guess is there is something very wrong with the registry but the screen doesn't give any information. I see there is a registry editor on the CD, but I'm more likely to just salvage what entries I can and then delete the XP partition.

    I have the log for when the fix you supplied finished though, if you want to have a look at that...


  22. Broni

    Broni Malware Annihilator Posts: 46,713   +254

    Yeah, I guess something was seriously messed up during all this malware ordeal.
    I suppose your best option is to back up what you can and reinstall XP.
  23. EXCellR8

    EXCellR8 The Conservative Posts: 2,278

    I probably won't reinstall XP since I have 7, but I'm a little bummed that I couldn't get it working again. I figured it wouldn't be so hard to fix since I have full access to all of the XP files, but oh well. I'm just gonna pull what I can from the registry (perhaps after one last scan) and then go from there. Thanks for all the help... I'll let you know if by some divine miracle I am actually able to fix and boot XP again...
  24. Broni

    Broni Malware Annihilator Posts: 46,713   +254

    I'll be around :)
  25. EXCellR8

    EXCellR8 The Conservative Posts: 2,278

    One thing I forgot to bring up is when the BSOD initially appeared, which I suppose may be helpful. After my antivirus software quarantined the first pair of infected files, I sought to immediately disconnect from the internet. Instead of just yanking the ethernet cable like I should have done, I right-clicked the connection icon on the task bar and selected Disable. Right after I did that the system froze for a couple of seconds and then I got the blue screen. That was the last thing that happened in XP so I'm wondering if something that's network related has something to do with the BSOD. I know it's unlikely but I've had my share of strange problems before...

    Regardless, I'm still working on backing up my registry hives and whatnot, and I will most likely delete the XP partition some time this weekend. There's not a whole lot of applications I need to save so it should be relatively painless with all of my important data already backed up. Most of the other stuff I can just reinstall on 7. Still kinda pissed tho... oh well.