
Blue Screen Stop: 0x0000007B, computer won't boot



#1 j d a


Posted 21 June 2011 - 08:56 AM

Hello, I am new to these forums and I have just a little bit of knowledge about computers. Hopefully enough that I can follow instructions! I think this is the correct forum as my issues started after some sort of bot was detected on my computer, so I think that something has infected my computer.

Here is the situation:
Computer: Dell Dimension 3100 from 2006 running Windows XP Media Center Edition
AVG (free version) and RU Botted (Trend Micro) both run on this computer. I also have MBAM downloaded and do occasional scans with it, as well as SpyBot Search & Destroy.

Yesterday afternoon while web-browsing in IE I got a small pop-up in the lower right corner, from RU Botted indicating that a Bot had been detected. It said the BOT could not be removed. It all happened fast so I did not catch the name of the Bot. All programs open on my computer began to shut down. I panicked and here is where I did something that probably did not help - instead of letting the computer finish shutting itself down I just hit the power button to instantly turn it off.

I can now no longer get my computer up and running. Upon starting I get the Dell screen (and can get into the Set-Up or Boot menus) and then I get a black screen with the choices of how to start my computer (Safe Mode, Safe w/Networking, Safe Mode w/Command Prompt, Last Known Good Config, and Start Windows Normally).

If I try any of the Safe Mode options I get a bunch of info scrolling by and then the Blue Screen; if I try Last Known Good Config or Start Windows Normally I briefly get the Windows splash screen and then the Blue Screen. The Blue Screen says:

A problem has been detected and windows has been shut down to prevent damage to your computer. If this is the first time you've seen this Stop error screen, restart your computer. If this screen appears again, follow these steps:

Check for viruses on your computer. Remove any newly installed hard drives or hard drive controllers. Check your hard drive to make sure it is properly configured and terminated. Run CHKDSK /F to check for hard drive corruption, and then restart your computer.

Technical information:
***STOP: 0x0000007B (0xBA4C3524, 0xC0000034, 0x00000000, 0x00000000)

Not sure if this is notable, but in the interest of full disclosure, the above is after trying to boot in Last Known Good Config or Start Windows Normally. Trying to boot in any of the safe modes gets the same message, but the first string after the parentheses is 0xF789E524.

I don't know how I would check for viruses or run CHKDSK if I can not get the computer started. I have the Reinstallation CD but can not seem to boot from CD (internal DVD r/w drive is junk that never really worked from the time we bought the computer, so we have an external DVD r/w drive and the computer does not seem to boot from the external DVD drive).

I ran Hard Drive Diagnostics from the Boot menu and got the following:
Drive 0: Samsung HD160JJ/P Pass
Drive 1: Samsung HD160JJ/P Pass
Drive 2: HL-DT-ST DVD+/-RW GWA4164B - Diagnostics not supported
Drive 3: No device

Not sure when I last backed up (backed up to a DVD using external drive and left the DVD in NY, I am in London) but it's at least 6 months and there is plenty of new stuff that has not been backed up that I would hate to lose. I'm hoping the fact that my hard drives passed the diagnostics is a sign that all data is not lost....

The IT firm that helps my husband's company suggested taking my computer, pulling the hard drive out, taking all of the data off of it, reformatting the drive, reinstalling the OS from scratch and then putting the data back on it. After a bit of googling I thought I would check here to see if there were any other measures I can take before doing that.

I am posting from a netbook on my home wireless. It has USB ports (and I have a USB stick), but no DVD/CD drives.

Edited to add: Just realized I can connect my external DVD drive to my netbook if needed, though since the desktop internal DVD drive isn't working, I am not sure if this matters at all.

Any ideas?

Thank you in advance.

Edited by j d a, 22 June 2011 - 05:58 AM.



 


#2 etavares



  • Malware Response Team

Posted 01 July 2011 - 05:20 PM

Hello and welcome to Bleeping Computer

My name is etavares and I will be working with you to fix your computer.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting. If you will be unable to respond (e.g. vacation, travel, etc.), please let me know ahead of time.
  • Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

It sounds likely that you have a backdoor rootkit that infected the Master Boot Record. We can hopefully recover. Do you have a clean computer and an empty USB flash drive? We can create a bootable environment to boot the infected computer from the USB flash drive and work through the error; or at least access your files.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#3 j d a


Posted 02 July 2011 - 02:22 AM

Hello etavares, thank you for working with me. Just so you know, I am in London, so some replies may be a little delayed due to the time difference, depending on your location. I have a netbook available as well as 2 empty USB flash drives (1G and 256Mb). If the netbook is not powerful enough for what we need, I can access desktop computers at my husband's office.

Thanks again.

#4 etavares


Posted 02 July 2011 - 05:29 AM

No problem. I am 5 hours behind you in time. Please answer my question about whether you have the Windows CD. It should be the same version (ideally Windows XP Media Edition, although I think any XP installation CD will work for what we need to do). That is the easiest way to fix this issue. We will not reinstall, but it does have a repair functionality that is easy to use.


 


#5 j d a


Posted 02 July 2011 - 06:41 AM

Sorry, yes, I do have the Windows XP Media Center Edition 2005 with Update Rollup 2 CD that was provided when we bought the computer.

#6 etavares


Posted 02 July 2011 - 07:16 AM

OK, let's repair the MBR. This is the typical cause of this error if there were signs of a virus ahead of time.

  • Insert the Windows XP CD-ROM into the CD-ROM drive in the infected computer, and then restart the computer.
  • If your PC is not booting from the CD, you need to change the boot order:
    • Restart your PC
    • As soon as you get an image, press the Setup key. This is usually F2, or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
    • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
    • Navigate to the tab where you can set the boot order. It should be called Boot or Boot order
    • The tab should now show your current boot order.
    • If the CD-drive is not at the top, please navigate to the CD-Rom drive with the arrow keys. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. They can be different, but they should be stated in the help, so that you can find them easily.
    • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
    • Your PC should now boot from your XP-CD.
  • Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • When prompted to choose a windows installation, type 1 and press enter.
  • When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.
  • A command prompt will open
  • Type fixmbr and press enter.
  • Confirm to rewrite the MBR if asked. When done type EXIT and press Enter to reboot.
  • Let me know what happens now when you start up your computer.


 


#7 j d a


Posted 02 July 2011 - 08:08 AM

I am unable to boot from the CD. I did change the Boot settings in the Bios, and Onboard or USB CD-Rom Drive is number one in the list. The internal DVD r/w drive does not work (stopped working shortly after we purchased the computer, has nothing to do with this infection). We have an external DVD r/w drive that is connected via USB, but the computer does not seem to be trying that drive when attempting to boot. The message I get is
"Floppy diskette seek failure
Strike the F1 key to continue, F2 to run the setup utility."

#8 etavares


Posted 02 July 2011 - 10:00 AM

Hello, j d a.
Try this please. You will need a USB drive.

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Copy/paste the following command and press enter:

    dd if=/dev/sda of=mbr.txt bs=512 count=1
  • When done a file, mbr.txt, will be created on your USB drive. Please attach that file to your reply.

Please note - all text entries are case sensitive

etavares


 


#9 j d a


Posted 02 July 2011 - 10:55 AM

Ok - I followed the instructions, but I am thinking I might have taken the USB drive out too quickly as I am now showing a sdb1 and sdc1 drive and when I opened the USB on the clean computer there was no mbr.txt file. I could see the mbr.txt file on the sdb1 drive so I reinserted the USB and copied & pasted that file. I am attaching it to this. Let me know if I need to do the whole process over again, and if so, from what step (formatting the USB, restarting the infected computer, etc.).

thanks & sorry for the mistake!

#10 etavares


Posted 02 July 2011 - 11:46 AM

OK, that dump does appear to be infected. Let's fix it.

Try this please.

  • Download xPUDtestdisk.exe and save it to your USB flash drive we just installed XPUD on.
  • Double click xPUDtestdisk.exe to extract the contents to your USB device
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer from the flash drive.
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 or sdc1 is likely your USB again.
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type testdisk/testdisk_static
  • Press Enter
The first screen will present log options - press Enter to continue.

TestDisk will scan the system and show drive information.
If more than 1 drive, select the correct drive, make sure [Proceed] is selected then press Enter to continue.

Select [Intel] partition and press Enter to continue.

Select [MBR Code] and press Enter to continue.

Type Y when prompted to write a new mbr code to the first sector, then confirm at the next screen by typing Y again.

Press Q repeatedly until TestDisk exits then reboot. Let me know what happens.
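
Added example, not part of the original posts: the `dd` command in post #8 copies the first 512-byte sector of `/dev/sda` into `mbr.txt` (a binary file despite the extension), and the TestDisk [MBR Code] step above rewrites the boot code in that sector. The Python sketch below decodes such a dump and compares a dump taken before the rewrite with one taken after it, to confirm that the boot code changed while the disk signature and partition table did not. It assumes the classic MBR layout; the function names and the sample sectors are constructed for illustration.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE = slice(0, 440)    # executable boot code, the part a "fix MBR" rewrites
DISK_ID = slice(440, 444)    # Windows NT disk signature
TABLE = slice(446, 510)      # four 16-byte partition entries
MAGIC = slice(510, 512)      # must be 55 AA


def parse_mbr(sector: bytes) -> dict:
    """Decode one 512-byte sector as produced by `dd ... bs=512 count=1`."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        entry = sector[TABLE][16 * i:16 * (i + 1)]
        first_lba, count = struct.unpack_from("<II", entry, 8)
        if entry[4] == 0x00:          # partition type 0 marks an unused slot
            continue
        partitions.append({
            "slot": i + 1,
            "active": entry[0] == 0x80,
            "type": entry[4],
            "first_lba": first_lba,
            "sectors": count,
        })
    return {
        "magic_ok": sector[MAGIC] == b"\x55\xaa",
        "disk_id": sector[DISK_ID].hex(),
        "boot_code_sha256": hashlib.sha256(sector[BOOT_CODE]).hexdigest(),
        "partitions": partitions,
    }


def compare_dumps(before: bytes, after: bytes) -> dict:
    """Check that a boot-code rewrite changed the code and nothing else."""
    b, a = parse_mbr(before), parse_mbr(after)
    return {
        "boot_code_changed": b["boot_code_sha256"] != a["boot_code_sha256"],
        "disk_id_kept": b["disk_id"] == a["disk_id"],
        "table_kept": before[TABLE] == after[TABLE],
        "magic_ok": a["magic_ok"],
    }


def sample_sector(code_byte: int) -> bytes:
    """Constructed test sector: filler boot code plus two made-up partitions."""
    entries = struct.pack("<B3sB3sII", 0x00, b"\0" * 3, 0xDE, b"\0" * 3, 63, 96327)
    entries += struct.pack("<B3sB3sII", 0x80, b"\0" * 3, 0x07, b"\0" * 3, 96390, 312000000)
    entries += b"\0" * 32             # slots 3 and 4 left empty
    return (bytes([code_byte]) * 440 + b"\x12\x34\x56\x78" + b"\0\0"
            + entries + b"\x55\xaa")


if __name__ == "__main__":
    before, after = sample_sector(0xCC), sample_sector(0x90)
    for part in parse_mbr(before)["partitions"]:
        print(part)
    print(compare_dumps(before, after))
```

With real dumps, read each file with `open(path, "rb").read()` and pass the bytes to `compare_dumps`; the boot-code hash only indicates infection when compared against a known-good baseline for the same Windows version.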


 


#11 j d a


Posted 02 July 2011 - 03:09 PM

I am in the process of following your instructions, but I want to check something with you before I continue, for fear of making a mistake. I have done everything up to (and inclusive of) Type testdisk/testdisk_static and press Enter. It says "No such file or directory."

The drives showing under mnt are: sda1, sda2, sda3, sdb1

When I click on sdb1 it appears to be full of files that do not appear on my USB drive when it is in my clean computer, and I do not see any of the files we downloaded onto it from the clean computer. Last time, when I was trying to get the mbr.txt file for you I pulled my USB drive out of my sick computer, with the computer still on, and then when I didn't see the mbr.txt file on it I put it back into the sick computer. That was when the sdc1 drive appeared, which did have the files that are on the USB drive and I copied & pasted the mbr.txt file from sdb1 to sdc1 to get back onto my clean computer to send it to you.

My inclination right now would be to pull out the USB drive & reinsert it, which would presumably make the sdc1 drive appear under mnt, and then proceeding with the rest of your instructions. Does this sound like the correct course of action?

Thank you.

#12 etavares


Posted 02 July 2011 - 04:32 PM

That should work...plug and unplug. sdb1 is likely another drive...perhaps one of the external ones; or a 2nd physical hard drive.


 


#13 j d a


Posted 02 July 2011 - 05:13 PM

That worked. I'm up to the step that I should be selecting [Intel] partition. However, I seem to have an intermediate screen that says Hidden Sectors are present and it is asking me if I should Continue, even if there are hidden data. Should I continue?

Also - the listing of drives showed two identical drives - I think maybe I have a partitioned hard drive. I have never used anything but the C:/ drive, so just selected the first of the two listed drives.

#14 etavares


Posted 02 July 2011 - 06:14 PM

Do you have two operating systems? Or just the one?


 


#15 j d a


Posted 03 July 2011 - 01:35 AM

I am only aware of one operating system. I dug out the original order confirmation from Dell and it says 320GB (2x160GB) 7200rpm SATA Hard Drive - Dual HDD Config - No Raid. It came preinstalled with XP and we have not added any other operating systems to the computer. If the question is whether XP is installed separately on each HD, I don't know the answer to that question. Possibly not relevant, but another line item does say Free HDD Upgrade - 160GB SATA - 250GB SATA, though I am not sure they actually did that as when the drives appear in the testdisk screen it says 160 GB / 149 GiB - ATA Samsung HD160JJ/.



