
BSOD 0x7b (0xba4c3524 0xC0000034) after ComboFix crash


  • This topic is locked
53 replies to this topic

#1 torkosborz

torkosborz

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:02:02 PM

Posted 29 March 2010 - 06:03 AM

Hi,

I have an XP Pro SP2 drive, which was infected with a rootkit. While running ComboFix on it, there was a power outage, the computer rebooted and now there's a BSOD 0x7b (0xba4c3524 0xC0000034 0x0 0x0) error, so I cannot boot it into Windows.

The page http://msdn.microsoft.com/en-gb/library/ms795508.aspx explains that the second parameter could point me to the corrupted system driver, although I have no idea how to track that information.

Since I don't have the original XP Install CD (plus SP2 was added a lot later), I cannot do an SFC /scannow to replace the corrupted driver.

How could I identify the faulty / missing driver, so I could boot into windows and continue from then on?


 


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,320 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:03:02 PM

Posted 29 March 2010 - 06:14 AM

Hello, please see if you can follow the steps below.

OK, this file is big. Print these instructions out so that you know what you are doing.

Two programs to download

First

ISOBurner: this will allow you to burn the OTLPE ISO to a CD and make it bootable. Just install the program; from there on in it is fairly automatic. Instructions

Second
  • Download OTLPE.iso and burn it to a CD using ISO Burner. NOTE: This file is 292Mb in size so it may take some time to download.
  • When downloaded, double-click it and this will then open ISOBurner to burn the file to CD
  • Reboot your system using the boot CD you just created.

    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Change Drivers to Use Safelist
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 torkosborz

  • Topic Starter

Posted 29 March 2010 - 06:40 AM

Hi,

thank you for the quick response, I have attached OTL.txt here.

#4 Elise


Posted 29 March 2010 - 06:47 AM

At first sight this looks like a bad download/burn. Please try to reburn the ISO to a CD at half of the max. speed and re-run the scan.

regards, Elise


#5 torkosborz


Posted 29 March 2010 - 07:06 AM

I don't know if it is relevant information, but I have attached another HDD (with XP Home installed, to help debugging) and when I boot into REATOGO-X-PE, the faulty drive is recognized as "D:" and the newly attached as "C:".

OTLPE log was saved to C:.

--------------

OK, so I have burned a new CD, detached the extra HDD, ran the scan again and uploaded the new OTL.txt file.

Attached Files

  • Attached File  OTL.Txt   110.82KB   13 downloads

Edited by torkosborz, 29 March 2010 - 07:42 AM.


#6 Elise


Posted 29 March 2010 - 08:37 AM

Okay, that explains the problem :)

Please keep the external drive disconnected when running scans.

Re-run OTLPE and change the value under "Drivers" to "All"
Now click Run Scan and post me the log afterwards.

regards, Elise


#7 torkosborz


Posted 29 March 2010 - 09:07 AM

Here's the new OTL.txt with drivers set to ALL.

Attached Files

  • Attached File  OTL.Txt   161.54KB   18 downloads

Edited by torkosborz, 29 March 2010 - 09:08 AM.


#8 Elise


Posted 29 March 2010 - 09:53 AM

Please check the following two things for me:

1. Does the following file exist? c:\windows\system32\drivers\atapi.sys

2. Please list me the contents of the following folder: c:\qoobox\quarantine\c\windows\system32\drivers (if it exists).

regards, Elise


#9 torkosborz


Posted 29 March 2010 - 10:18 AM

1. C:\WINDOWS\system32\drivers\atapi.sys does exist.

2. C:\qoobox folder does not exist at all.

(However I swear I have seen it somewhere before. I did a chkdsk /r from the Recovery Console after the crash which did not fix the 0x7b stop error, but might have deleted the qoobox folder...)

#10 Elise


Posted 29 March 2010 - 10:33 AM

Can you give me the computer specs (manufacturer, make, model, number), or if you know, please tell me if you are using a SATA harddrive.

regards, Elise


#11 torkosborz


Posted 29 March 2010 - 10:54 AM

I am using a SATA hard drive.

Before the crash, there were also 3 more IDE drives + one IDE DVD writer connected to the computer as well.
(It was an old system with P4, 4Gb RAM, Asus P4P-800x motherboard, with ATI Radeon 9500 AGP videocard.)

However, I have moved the SATA drive into a different computer to rule out BIOS/battery/RAM problems, though the stop 0x7b is still present.

#12 Elise


Posted 29 March 2010 - 11:33 AM

So the drive that has windows installed on it and is now the only one on the computer, is a standard IDE?

regards, Elise


#13 torkosborz


Posted 29 March 2010 - 11:50 AM

It is a SATA drive.

(The IDE drives are removed from the computer.)

The only drive is ONE SATA drive now, with WinXP Pro installed. This is the one having the BSOD stop 0x7b error.

Edited by torkosborz, 29 March 2010 - 11:54 AM.


#14 Elise


Posted 29 March 2010 - 12:11 PM

Thanks for explaining it :)

It would be helpful to know if the SATA driver controller is Intel or NVidia (or otherwise). If you don't know that, it's no problem, but it would help me narrow my search down a bit.

regards, Elise


#15 torkosborz


Posted 29 March 2010 - 12:27 PM

No problem :) Thank YOU for your help trying to solve the case!

The motherboard is an Asus P5KPL-AM SE board with an onboard integrated Southbridge Intel ICH7 chipset.



