
Blank Windows Screen or ISAPNP.sys Hang = A Zero-Byte .sys Driver

I had one hell of a mystery on my hands the other day.  A client called me and said she had a blank screen every time she booted up her Windows XP computer.  I was pretty busy, so I told her I'd pick it up and work on it over the weekend.  I just figured it was a bad video card or a corrupted Windows XP install.

Here are the things I tried:

  1. Full scans using my UBCD4WIN...nothing found.
  2. I tried to load safe mode, but it hung on isapnp.sys every time.
  3. I ran chkdsk /r.
  4. I did an in-place Windows XP repair.

...nothing worked.

As I was doing a visual check of the standard Windows XP drivers, I discovered a randomly named zero-byte .sys file in c:\windows\system32\drivers.  I simply deleted the file and the PC booted up completely normally.
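One way to turn that visual check into something repeatable, as an added example and not the author's own tooling: from the boot disc, mount the suspect volume and point the script below at its drivers directory, optionally alongside the same directory from a known-clean XP install of the same service pack. It reports every .sys that is zero bytes, that does not start with an MZ header (so could never load as a driver), or that the reference machine does not have. The mount letter, reference machine and "review list" framing are assumptions. Note also that in safe mode the loader prints each driver as it loads, so the name on screen when the boot stalls (isapnp.sys here) is normally the last driver that loaded successfully rather than the one that failed; a bogus file sorted next in load order is the thing to look for.

```python
"""Triage an offline Windows\\System32\\drivers directory for the kind of
bogus driver described above: a .sys file that is zero bytes (or otherwise
not a PE image) and that a known-clean reference machine does not have.

Added example, not the author's code.  Assumes the suspect volume has been
mounted read-only from a boot disc (for instance as X:\\) and that a clean
XP install of the same service pack is available as the reference; both
directories are supplied by the caller."""
import os
import sys


def scan_drivers(suspect_dir, reference_dir=None):
    """Return a list of findings for every .sys in suspect_dir that is empty,
    lacks an MZ header, or is absent from reference_dir (when one is given)."""
    reference = set()
    if reference_dir:
        reference = {n.lower() for n in os.listdir(reference_dir)}

    findings = []
    for name in sorted(os.listdir(suspect_dir)):
        path = os.path.join(suspect_dir, name)
        if not os.path.isfile(path) or not name.lower().endswith(".sys"):
            continue
        size = os.path.getsize(path)
        reasons = []
        if size == 0:
            reasons.append("zero-byte driver image")
        else:
            # A loadable driver is a PE file, and every PE file starts "MZ".
            with open(path, "rb") as fh:
                if fh.read(2) != b"MZ":
                    reasons.append("no MZ header, not a PE image")
        if reference_dir and name.lower() not in reference:
            reasons.append("not present in reference drivers directory")
        if reasons:
            findings.append({"name": name, "size": size, "reasons": reasons})
    return findings


def main(argv):
    if len(argv) < 2:
        print("usage: scan_drivers.py <suspect drivers dir> [reference drivers dir]")
        return 2
    reference = argv[2] if len(argv) > 2 else None
    for f in scan_drivers(argv[1], reference):
        print("%-24s %8d bytes  %s" % (f["name"], f["size"], "; ".join(f["reasons"])))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The "not present in reference" signal is only as good as the reference: OEM machines carry vendor drivers a retail install will not have, so treat the output as a review list and confirm each hit before deleting it. A zero-byte or non-PE .sys, on the other hand, can never load and is safe to move aside.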

I just wanted to put this out there because it looks like it’s something new.  I’m not sure if it affects other versions of Windows or not.


Malware Photos from the Field – Issue #2

Well, I've decided to post photos from at least one of my appointments each week along with a little story about the appointment. Here is this week's.

Sally called me and said something got through her Avira and was preventing her from opening anything. At this point I knew she was infected with a rogue antivirus that prevents other .exe files from loading. While this is fairly easy for me to get rid of, it's almost impossible for the average PC user.

When I arrived at Sally's house I was greeted with a rogue antivirus screen.

Upon further inspection I could see the rogue antivirus had been installed to the All Users directory under Application Data. This is a very common installation path for exe-terminating rogues (for now at least).

Let's open that folder and take a look at the rogue inside...WOW! What a shock. A randomly named exe. Typical.

Next I proceeded to load ComboFix...but wait...it's not loading. Doh! We're dealing with a rootkit. Let's rename ComboFix and try again. Still no dice. OK...hmmm...let's reboot in safe mode. Nope. Fine...time to break out the anti-malware boot disc.

When my disc loads I immediately start SuperAntiSpyware and scan the System32 directory. SAS quickly lays waste to a few rootkits and some other malware. Once the rootkits are toast I reboot into safe mode and perform my typical quick scans with SAS and MBAM.
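The "randomly named exe under All Users\Application Data" pattern is easy to sweep for from the boot disc before the scanners run. The script below is an added example, not the author's or any vendor's tool: point it at the offline copy of the Application Data tree and it lists executables whose own name, or whose parent folder's name, looks machine-generated. The random-name test (mixed letters and digits, or almost no vowels) is a heuristic chosen for this example and produces a review list, not a verdict.

```python
"""Triage an offline copy of "All Users\\Application Data" for the rogue-AV
pattern described above: a randomly named executable dropped in a folder
just under the profile data tree.

Added example, not the author's code.  looks_random() is a simple heuristic
picked for this example (mixed letters and digits, or under 20% vowels); it
flags things for a human to look at and will also trip on some legitimate
names such as 'ntoskrnl'."""
import os
import re
import sys

EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com"}
VOWELS = set("aeiou")


def looks_random(stem):
    """True for alphanumeric names of 6+ chars that mix letters with digits
    or have fewer than 20% vowels, e.g. 'a8f3k2' or 'kjhgfdsq'."""
    s = stem.lower()
    if len(s) < 6 or not re.fullmatch(r"[a-z0-9]+", s):
        return False
    has_digit = any(c.isdigit() for c in s)
    has_alpha = any(c.isalpha() for c in s)
    vowel_ratio = sum(1 for c in s if c in VOWELS) / len(s)
    return (has_digit and has_alpha) or vowel_ratio < 0.2


def find_rogue_candidates(appdata_root, max_depth=3):
    """Walk appdata_root (at most max_depth folders down) and return every
    executable whose file name or parent folder name looks random."""
    root = os.path.abspath(appdata_root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        depth = dirpath[len(root):].count(os.sep)
        if depth >= max_depth:
            dirnames[:] = []  # stop os.walk from descending further
        parent = os.path.basename(dirpath)
        for fn in filenames:
            stem, ext = os.path.splitext(fn)
            if ext.lower() not in EXECUTABLE_EXTS:
                continue
            reasons = []
            if looks_random(stem):
                reasons.append("random-looking file name")
            if depth > 0 and looks_random(parent):
                reasons.append("random-looking parent folder")
            if reasons:
                full = os.path.join(dirpath, fn)
                hits.append({"path": full, "size": os.path.getsize(full),
                             "reasons": reasons})
    return hits


def main(argv):
    if len(argv) != 2:
        print("usage: find_rogue.py <path to All Users\\Application Data>")
        return 2
    for h in find_rogue_candidates(argv[1]):
        print("%8d  %s  (%s)" % (h["size"], h["path"], "; ".join(h["reasons"])))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the offline volume (for example X:\Documents and Settings\All Users\Application Data when the disc mounts the infected drive as X:) before the rootkit is dealt with; a rootkit hides files from the live system, not from a clean boot environment, which is the same reason the boot disc scan works when ComboFix and safe mode do not.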

Now that the malware has been removed from Sally's PC, we need to advise her to start using a sandbox when browsing the web, because antivirus just isn't enough right now (or ever again). I installed Sandboxie and configured the default sandbox to be emptied as soon as the browser closes. After a little training (like 5 minutes) Sally is a Sandboxie pro. I placed two shortcuts on Sally's desktop: Safe Internet and Non-Safe Internet.
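What that setup looks like in Sandboxie's configuration file, as an added example rather than the author's own settings: the "empty the sandbox when the browser closes" option is the AutoDelete setting of the box section in Sandboxie.ini. The box name DefaultBox and the install path below are Sandboxie's defaults and are assumed here.

```ini
[DefaultBox]
Enabled=y
AutoDelete=y
```

The "Safe Internet" shortcut then targets Sandboxie's launcher with the box named explicitly, for example "C:\Program Files\Sandboxie\Start.exe" /box:DefaultBox "C:\Program Files\Internet Explorer\iexplore.exe" (paths assumed), while "Non-Safe Internet" is the plain browser shortcut. With AutoDelete set, anything a drive-by download drops inside the box is discarded on close, which is the point of giving Sally the two shortcuts.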
