WinXP; Not able to boot/install Stop 0x7b, disks are fine & accessible


20 replies to this topic

#1 Erius

Erius

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:12:46 AM

Posted 15 January 2010 - 06:47 AM

Hey guys!

Very odd problem here, first some facts/a timeline, (some are stated in the title, but... clarity)

Former OS:
- Windows XP Pro.

Disks:
- Two (parallel ATA? The ancient broad cable ones) Seagates
-- Master/Boot one Model: ST3120022A; FW: 306
-- Slave one: Sorry, didn't take a note, it's not installed right now, but model ends with a 32 I think, I can look it up later

- Computer had been infected with a rootkit and a MBR virus.
-- Couldn't identify any of 'em directly, but I was also infected with a Skynet trojan, which might have something to do with the above.
- Combofix fixed the rootkit/MBR, for a week. NOD32 fixed Skynet.
- Gremlin came back, with the usual symptom. Explorer changed and wanted to phone somewhere.
-- Apparently the method was registering itself as a debugger, attaching itself to opera/chrome/etc as well as Explorer
- This time I couldn't do anything; CPU usage skyrocketed and jumped from process to process when I killed the faulty ones.
- System became unresponsive, since a dead, frozen D3D app was blocking the screen.
- I hard reset.
- Stop 0x0000007b's (Inaccessible Boot Device) ever since.
-- (Always the same thing: error code (address, 0xc0000034, more voodoo))

Tried fixes with a rough description, time-lined:
- Scandisk: fixed some faults, but ultimately: useless
- Recovery Console, fixboot, the works: useless.
- Changing from on-board IDE to a card one: useless.
- Making the slave the master and leaving the former master out: Useless.
- Several DOS/Linux rescue virus scanners (Avira, F-prot, Kaspersky (though that one crashed)): useless.
- Low-/Mid-/High-Level formats of all kinds and file-systems: useless.
- Flashing/Updating the BIOS: useless for this issue (but probably good for something else, hehe)
- Wiping the HDD: useless

Tried OSes:
- WinXP, no dice, at all.
- BartPE with WinXP, same thing.
-- It crashes in the Windows boot/splash screen
- Damn Small Linux HDD install.
-- (I'm a Linux noob, it didn't work, but I didn't use grubdisk, only the on-disk HDD option)
- Ubuntu (most recent one)
-- Works, I'm back online, yay...but I want my Windows back... :thumbsup:

What I didn't try:
- Taking the CMOS battery out and thus reverting to factory standards, because they don't recognize my CPU
-- I have no money to spare to buy an out of the box compatible one to re-flash

Summary:
- Disks are fine, it seems, and fully accessible and operational etc, the only thing I cannot do is install or boot Windows XP on and from them.

So, what am I dealing with here?
I'm not too hardware savvy, but I can use a computer and software quite well (eventually anyway).
I might have left something out, I'm mentally exhausted and grumpy at computer, so feel free to ask, I'll answer if the electronic gods don't smite my computer completely.

Thanks in advance, and cheers!

Edited by Erius, 15 January 2010 - 11:37 AM.



 


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,313 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:02:46 AM

Posted 15 January 2010 - 06:49 AM

Hi, using Ubuntu, please verify the following file exists: c:\windows\system32\drivers\atapi.sys

Please let me know what you did to remove the rootkit you had.


EDIT ~ Since this is most likely related to malware removal, I am moving this topic to the Am I Infected forum.

Edited by elise025, 15 January 2010 - 06:51 AM.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 Erius


Posted 15 January 2010 - 06:57 AM

Hi, thank you for moving it, then :flowers:

Anyway, a file search for atapi.sys brought up nothing, but then again, I installed Ubuntu after zeroing out a good portion of the disk, letting it use its own file system.
(tried BartPE afterwards, no dice)

About the rootkit:
Both Root Repeal and Gmer identified both the rootkit and the MBR virus.
Hijackthis never found anything too suspicious.

Let me see if I can remember some facts about the kit...
- always had random.sys names, hidden from the OS.
- Hooked ZwGetkey something or other (or was it enum? I can't remember)
- was never able to wipe/force delete them

Combofix fixed it all though, at least apparently, and only temporarily.

That's all I can think of off the top of my head.

Edit:
Dang! I should have backed up my combofix log. Ah well... :thumbsup:

Edited by Erius, 15 January 2010 - 07:03 AM.


#4 Elise


Posted 15 January 2010 - 07:10 AM

Does the following file exist: c:\windows\servicepackfiles\i386\atapi.sys

If so, copy it to the c:\windows\system32\drivers folder and try to reboot into Windows.

regards, Elise




#5 Erius


Posted 15 January 2010 - 07:15 AM

No, nothing there anymore, sorry, I should have backed up those kinds of files as well, because the former Windows boot drive is now completely dedicated to Ubuntu.
The only way for me to get the data I have not backed up would be getting my hands on an undelete tool for Linux which would have to be able to undelete NTFS files which survived: a low level format, a partial zero-outing of the drive and a reformat by Ubuntu.

:thumbsup:

I just don't know if it's a hardware or a software problem.
It's so mysterious, I've dealt with lots of crap with windows over the years, but I'm utterly stumped here.
Why would Windows lose access to the device after that hard reset, even after pretty much nuking the disk, etc.?
It worked fine before.

Yeah, I'm clueless, but I can probably get any info you need, at least hardware related.

Edited by Erius, 15 January 2010 - 07:29 AM.


#6 Elise


Posted 15 January 2010 - 08:04 AM

I don't think you have a big chance of success here. Would you have left the system as it was after the rootkit removal we would have been able to fix things but at this point it's just too messed up.

Does Windows still show up in your GRUB boot loader?

regards, Elise




#7 Erius


Posted 15 January 2010 - 08:17 AM

No, it's gone, only Ubuntu lives on the HDD now.

I know I can't get my old Windows installation back, and that's fine.
I want to do a fresh Windows install, but it keeps on losing the device.
When I run setup from the CD, it loses the device after it loads all the necessary steps into RAM, like the filesystem and so on, it literally crashes when the status bar (still that DOS like setup screen) displays "Setup is starting Windows".

When I run BartPE it crashes during the Windows loading screen, the one with the moving bar.

It just simply loses access to the drive and BSODs, even after low/mid/high level formats, which stumps me so badly.

Why does Ubuntu manage it? There must be something left, maybe a bios dump or some other hardware info might help?
I have some low level tools at hand...

Edit:
If Ubuntu wouldn't work and if the drives would not be accessible, then I'd be more inclined to think that hardware might be faulty here, but yeah, it is odd...

Edited by Erius, 15 January 2010 - 08:18 AM.


#8 Elise


Posted 15 January 2010 - 08:48 AM

Maybe you have a SATA hard drive that is not recognized by XP. If this is the case you will have to slipstream the necessary drivers with nLite.

regards, Elise




#9 Erius


Posted 15 January 2010 - 08:53 AM

No, I only have those old PATA broad 40 pin drives, S-ata is disabled in BIOS as well.

#10 Erius


Posted 15 January 2010 - 09:18 AM

I'm going to install the other drive, the one which also didn't work for a new install, but is otherwise untouched.
Maybe I can extract some information about any potential nasties from there.
(I will edit this post when I have)

Edit:
So far so good, Ubuntu has recognized the drive and I can access it.

Now, how to get possible MBR infection info?
I have wine installed, but maybe there are some Linux specific diagnostic tools (Which I do not know).

Edited by Erius, 15 January 2010 - 09:50 AM.


#11 Elise


Posted 15 January 2010 - 10:37 AM

At this point I am unsure exactly what you want to accomplish. Do you want to reformat and re-install Windows? Do you want to rescue data? What do Linux and an MBR rootkit have to do with each other?

regards, Elise




#12 Erius


Posted 15 January 2010 - 10:53 AM

Hehe, thank you for your patience.

My objective:
Installing Windows XP again.

My problem:
It doesn't work, setup loses access to the drive during setup.

What Linux and a rootkit have to do with each other:

"Would you have left the system as it was after the rootkit removal we would have been able to fix things"

I had two drives installed at the point when it crashed.
The first drive has been formatted several times now, yet still doesn't work for an XP install (but Ubuntu installed fine)

The second drive doesn't work for an XP install either, but has not been touched, the original MBR is still there, so if there are traces of whatever might have infected it, I might be able to extract it.

The thing is, the second drive is NTFS formatted, and most (if not all) of the DOS rescue tools don't have write access to NTFS.
(I'm using the ultimate boot disk, by the way)
So I don't know if I can actually save/dump the MBR etc, unless I find a tool that can use/save on the Ubuntu/Linux system, ext4, I think.

Again, thank you for your time, I too see that this is quite the messy situation, but I'm sure it can be fixed.

Edit:
I might be able to use a USB stick to save it, but I'm not sure if that'll fly with DOS.

Edited by Erius, 15 January 2010 - 10:54 AM.
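
Added example (not part of the original thread): once the first sector of the untouched drive has been saved to a file from Ubuntu, for instance with `sudo dd if=/dev/sdb of=mbr.bin bs=512 count=1` (the device name is an assumption), this Python sketch splits the 512-byte MBR into boot code, disk signature and partition table so the dump can be compared against a known-good one. The function names are hypothetical and the sample sector is constructed for illustration.

```python
import hashlib
import struct

SECTOR = 512
ENTRY = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA, count

def read_mbr(path):
    """Read the first sector of a dump file or block device (devices need root)."""
    with open(path, "rb") as f:
        data = f.read(SECTOR)
    if len(data) != SECTOR:
        raise ValueError("short read: not a full 512-byte sector")
    return data

def parse_mbr(sector):
    """Return boot-code hash, disk signature and non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for slot in range(4):
        raw = sector[446 + 16 * slot: 462 + 16 * slot]
        status, ptype, lba, count = struct.unpack(ENTRY, raw)
        if ptype == 0:          # type 0x00 marks an unused slot
            continue
        partitions.append({"slot": slot, "active": status == 0x80,
                           "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "valid_signature": sector[510:512] == b"\x55\xaa",
        # Bytes 0..439 hold the boot code; hash them to compare two dumps.
        "boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "disk_signature": struct.unpack("<I", sector[440:444])[0],
        "partitions": partitions,
    }

def build_sample():
    """Constructed sector: placeholder boot bytes, one active NTFS (0x07) entry."""
    s = bytearray(SECTOR)
    s[0:3] = b"\xeb\x3c\x90"                      # placeholder, not real boot code
    s[440:444] = struct.pack("<I", 0x12345678)    # constructed disk signature
    s[446:462] = struct.pack(ENTRY, 0x80, 0x07, 63, 1000000)
    s[510:512] = b"\x55\xaa"
    return bytes(s)

if __name__ == "__main__":
    for key, value in parse_mbr(build_sample()).items():
        print(key, "=", value)
```

A differing boot-code hash only shows that the code is not the same as the reference; a sector rewritten by GRUB will also differ from a stock Windows XP one.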


#13 Elise


Posted 15 January 2010 - 11:00 AM

Did you actually install Ubuntu on the drive that was originally infected? If so, the original MBR is most likely overwritten by GRUB and no rootkit is there.

regards, Elise




#14 Erius


Posted 15 January 2010 - 11:08 AM

Yep, that's what I did and that's what makes me wonder so much.
I installed Ubuntu on the originally infected drive, after formatting (on all levels) and wiping it before one final wipe before letting Ubuntu install itself and format the whole thing into its own file-system.

But Windows still won't install/work, not even BartPE.

If it's a hardware failure, maybe because of a power surge because of the resetting...(may be a possibility) then why did Ubuntu install, yet Windows is giving me the same old 0x0000007b over and over again, no matter which of the drives I use?

I'm utterly stumped, and I'm going to buy an S-ATA drive on Monday... but still, this is just odd.

The disks work fine, it's all peachy, but Windows is acting up forever. First time I was ever thoroughly clueless about something Windows crash related.

Edited by Erius, 15 January 2010 - 11:15 AM.


#15 Giggsteve8

Giggsteve8

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:06:46 PM

Posted 15 January 2010 - 11:15 AM

Pardon me for jumping in here, but have you run the Seagate diagnostics test?

You can grab the bootable diagnostic tool here: http://www.seagate.com/www/en-us/support/downloads/seatools

That would at least verify (for the most part) whether or not your hardware is bad.

And never mind, I now see what happens when you try to reinstall. BSOD.

Run memtest86, too... I've had a lot of XP installs fail because of bad memory.

Just my two cents.

Edited by Giggsteve8, 15 January 2010 - 11:16 AM.




