
BSOD after running ASWMBR to remove TDL4



#1 DirusCanis


  • Members
  • 2 posts

Posted 22 July 2011 - 02:13 PM

I have a laptop that was infected with the TDL4 rootkit. This laptop belongs to my daughter's best friend.

I ran ASWMBR and after its required reboot all I get is a BSOD. I can no longer get back into Windows.

It kicks up:
STOP: 0x0000007B (0x80786B58, 0xC000000D, 0x00000000, 0x000000000)
along with a message to run CHKDSK /F, which comes back clean, saying it can find no errors. CHKDSK /R is no different.

The startup repair utility hasn't been able to fix the issue.
Problem Event Name: StartupRepairOffline
Problem Signature 01: 6.1.7600.16385
Problem Signature 02: 6.1.7600.16385
Problem Signature 03: unknown
Problem Signature 04: 21200706
Problem Signature 05: AutoFailover
Problem Signature 06: 9
Problem Signature 07: NoRootCause

System Restore doesn't work to fix the issue.

I've also tried bootsect /fixmbr, /fixboot, /nt60 ALL, etc., but none of them worked.

Safe Mode was locked out before I removed the rootkit, and it still BSODs after hanging on classpnp.sys when I try to boot into it.

Has anyone ever been able to successfully fix an issue like this without a reinstall? I can't do a repair reinstall as I don't have the Win 7 x86 disc that was used on this laptop, and all I have is x64 installed on my personal PC.

#2 Farbar


    Just Curious


  • Security Developer
  • 21,696 posts
  • Gender:Male
  • Location:The Netherlands

Posted 22 July 2011 - 02:34 PM

Hi DirusCanis,

Welcome to Bleeping Computer. I will assist you with the issue.

I will move this topic to the appropriate forum.

For x64 systems, download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
Then:
  • Select Command Prompt.
  • In the command window type notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter, and close the notepad.
  • In the command window type e:\frst64 and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it into your reply.

#3 boopme


    To Insanity and Beyond


  • Global Moderator
  • 72,912 posts
  • Gender:Male
  • Location:NJ USA

Posted 22 July 2011 - 02:41 PM

Hello, just letting you know I moved this topic here, to the Virus, Trojan, Spyware, and Malware Removal Logs forum, where it will stay.

Please remember to click the Watch Topic button at the top right and select Immediate Notification so you do not miss any replies now that your topic has been moved.

#4 DirusCanis

  • Topic Starter

  • Members
  • 2 posts

Posted 23 July 2011 - 01:59 PM

I solved it by using "bootsect /nt60 c: /force"

Previous attempts showed "operation completed successfully", so I didn't pay attention to the message about it possibly not being reliable due to not being able to unmount the drive, or something like that.

I just needed to add the /force argument as well.

#5 Farbar


    Just Curious


  • Security Developer
  • 21,696 posts
  • Gender:Male
  • Location:The Netherlands

Posted 23 July 2011 - 04:44 PM

Thanks for letting me know, and glad the issue is resolved. :)

This thread will now be closed since the issue seems to be resolved.

If you should have a new issue, please start a new topic.

Everyone else should start a new topic.
