stop 0x000000F7 error cleaning smitfraud

Discussion in 'ESET NOD32 Antivirus' started by cpututor, Mar 25, 2008.

Thread Status:
Not open for further replies.
  1. cpututor

    cpututor Registered Member

    Joined:
    Oct 22, 2003
    Posts:
    8
    I am trying to clean a Toshiba laptop with Windows XP Media Edition that is infected with at least smitfraud, maybe zlob, plus ? These infections took place with NOD32 v3 installed. NOD32 installed and computer scanned Mar 3rd 2008. Infection first appeared 5:45 am March 24th. All NOD32 settings were at default. I have scanned with NOD32 set to maximum cleaning strength - last scan shows nothing found. Internet Explorer 7 starts with about:blank, even though set to Google. I have noticed a folder date-stamped at time of infection labeled "Helper" which appears to be empty, but can't be deleted. Starting IE7 now just shows a blank page for about:blank, where before it tried to load a vermin type site selling an antivirus program. (I have screen shots). Has shown "security alert" in system tray. Have tried to clean with Spybot S&D, Smitfraudfix, vundofix, and tried using restore - both to a few days before infection, and to date of NOD32 install. ALL result in stop F7 error.

    Any ideas besides restoring to factory? I do have DVD, but there are many other installed programs & configurations.
    Any point in removing the drive and scanning it in another computer?
     
    Last edited: Mar 26, 2008
  2. Hangetsu

    Hangetsu Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    259
    Out of curiosity, what software detected smitfraud and zlob on the machine?
     
  3. cpututor

    cpututor Registered Member

    Joined:
    Oct 22, 2003
    Posts:
    8
    Spybot S&D 1.5.2, updated, found but did not complete removal before stop error (It got further in Safe Mode, but not all the way.) NOD32 shows various (in order of appearance in logs): Adware.virusheat, Adware.AVSystemCare, Adware.WinFixer, Adware.AdvancedCleaner, TrojanDownloader.zlob, TrojanDownloader.FakeAlert, BHO.NCV trojan (was in the "Helper" folder previously mentioned.) I have just turned off Restore, and am about to do another NOD32 scan with new definitions.
    I have Windows Ultimate Boot CD v 2.0 as well as a bench computer with trays/adapters to mount the drive if I remove it from the machine.
     
  4. cpututor

    cpututor Registered Member

    Joined:
    Oct 22, 2003
    Posts:
    8
    I have run a scan with NOD32 ver3 in Safe Mode, and got the same stop F7 error. It seems to happen upon access of some file in the evil seats. IE no longer goes to the vermin's sales page since I added "127.0.0.1 securitypills.com" to the hosts file.
     
  5. cpututor

    cpututor Registered Member

    Joined:
    Oct 22, 2003
    Posts:
    8
    I have now completed two scans since turning Restore off. The first removed 4 infections, the second one came up clean. Looks like it may be gone. Still may see the F7 stop error (plan on running Spybot again), but am creating an image of drive in its current state.
     
  6. dr pan k

    dr pan k Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    204
    why don't u try scanning with a different engine, besides eav (maybe stand alone drweb cureit in safe mode or other)?
     
  7. cpututor

    cpututor Registered Member

    Joined:
    Oct 22, 2003
    Posts:
    8
    I like the overall performance and specs for NOD32, and did not have the time to sift through a number of other products which NOD32 ordinarily out-performs. It wasn't a question of identifying the problem, it was one of removal. Windows' stop error prevented efforts to eliminate it. The variety of steps I did take all provoked the same response.
    I did uninstall and reinstall Spybot S&D and that didn't make any difference in its performance. I ended up uninstalling it and running Adaware 2007 which was on the computer already. That cleaned up the odd registry references.
    I now consider the issue resolved.

    Appreciate your thoughts, though.
     
  8. dr pan k

    dr pan k Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    204
    @ cpututor: i was referring to the possibility of being sure that nothing was left behind. different scanning engines use different patterns and sometimes the results r not exactly the same. i use nod v3 also, still the best for me...

    happy to hear that u came out of it clean..
     
  9. M450

    M450 Registered Member

    Joined:
    Jun 17, 2008
    Posts:
    1
    Hey, I'm having a very similar problem to this, but I can't even login without the STOP F7 blue screen occurring. It is possible to login to a limited account and safe mode without crashing straight away but I can't successfully run any anti-spyware scans. Sometimes a scan will succeed and display the multitude of spyware on my system but crashes as soon as the program attempts to clean it!

    I've used Spybot S&D, Ad-Aware 2007 and McAfee VirusScan with no luck...

    Is it possible to scan the hard drive using my laptop connected over the network? Or will that be of any advantage?

    Thanks
     
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I'd suggest sending a log from ESET SysInspector to samples[at]eset.com with this thread's URL in the subject. I'll check it out and let you know how to clean out that threat.
     