

Blue screen even in Safe Mode, no Recovery Console


30 replies to this topic

#1 SabineDJ

SabineDJ

  • Members
  • 17 posts
  • OFFLINE
  • Local time:11:10 AM

Posted 13 October 2011 - 05:17 PM

I have a Dell XPS 360 computer with a partitioned hard drive, 1 partition Vista (unused until now), the other XP.

I did a reboot requested by Malwarebytes following removal of some Trojans, and got a blue screen. All attempts to reboot (normal mode, safe mode, last known working configuration) resulted in the same blue screen, the STOP numbers differing:

STOP: 0x0000007B (0xBA4C3524, 0xC0000034, 0x00000000, 0x00000000) (Normal mode, last known working configuration)
STOP: 0x0000007B (0xF7893524, 0xC0000034, 0x00000000, 0x00000000) (Safe mode)

The Dell Windows XP reinstall CD does not appear to have the recovery console on it. It displays a blue screen with "Windows Setup" at the top and no further text or options. The following messages then appear at the bottom of the screen:

Press F6 if you need to install a third party SCSI or RAID driver
Press F2 to start Automatic System Recovery (asks for a floppy recovery disk, which I do not have; don't even have a floppy drive)
Setup is loading files (lots of different files)...
Setup is starting Windows

I then get a blue screen with:

STOP: 0x0000007B (0xF78D2524, 0xC0000034, 0x00000000, 0x00000000).

Vista boots up OK and from there I've run chkdsk /r, malware check and virus checks on the XP section.

I have a Dell Drivers and Utilities CD which includes some diagnostic utilities, and ran from this the standalone memory test and hardware diagnostics test.

I have searched for memory dumps on the XP drive (from Vista) as described in your miniguide, including hidden and protected files, and also did an Advanced Search on the whole XP drive looking for dump files, but have found nothing.

I have not installed any new hardware or drivers that could have caused the problem.

I would be so grateful if you could help me to repair my system.


#2 AustrAlien

AustrAlien

    Inquisitor


  • Members
  • 6,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:09:10 PM

Posted 14 October 2011 - 01:50 AM

Hello and welcome to the BC forums.

Please post the log created by Malwarebytes.
  • You will find it at the following location:
    C:\Documents and Settings\<username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs

Please sit tight and be patient.

I have requested that an experienced helper who specialises in malware-related un-bootable computers respond to your topic.

Thank you.
AustrAlien
Google is my friend. Make Google your friend too.


#3 SabineDJ

SabineDJ
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:11:10 AM

Posted 14 October 2011 - 08:39 AM

Hello, and many thanks for the welcome.

I had actually run Malwarebytes twice before rebooting, so am posting both logs. (ouch – don’t like the look of that “Delete on reboot” in the first one, which I completely failed to notice at the time.)

_________________________________________________________________________________


Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7910

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/10/2011 02:36:18
mbam-log-2011-10-10 (02-36-18).txt

Scan type: Quick scan
Objects scanned: 178155
Time elapsed: 3 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ACPI (Virus.RLoader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\drivers\acpi.sys (Virus.RLoader) -> Delete on reboot.
c:\documents and settings\Tim\local settings\Temp\E10.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\Tim\local settings\Temp\E11.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.

________________________________________________________________

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7910

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/10/2011 14:47:36
mbam-log-2011-10-10 (14-47-36).txt

Scan type: Quick scan
Objects scanned: 177696
Time elapsed: 2 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Tim\local settings\Temp\jar_cache3149143416258897591.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\Tim\local settings\Temp\jar_cache7071715019785035136.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.

#4 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,761 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:07:10 AM

Posted 14 October 2011 - 09:16 AM

While in VISTA, which drive letter is assigned to the XP installation?

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 SabineDJ

SabineDJ
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:11:10 AM

Posted 14 October 2011 - 10:49 AM

XP is Drive E.

#6 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,761 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:07:10 AM

Posted 14 October 2011 - 02:03 PM

Open a command prompt in Vista (Click on the orb, type CMD and press Enter)

Copy and paste the following command to the prompt (including the quotation marks) and press Enter. Wait until it finishes the search. It should produce a Log.txt on the desktop. Post its contents.

Dir /a E:\Windows\acpi.sys /s >"%Userprofile%\desktop\log.txt"

Type exit and press Enter to leave the command prompt window.

Edited by JSntgRvr, 14 October 2011 - 02:05 PM.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#7 SabineDJ

SabineDJ
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:11:10 AM

Posted 14 October 2011 - 04:10 PM

Contents of log.txt:


Volume in drive E is XP
Volume Serial Number is E0A4-6151

Directory of E:\Windows\ServicePackFiles\i386

13/04/2008 19:36 187,776 acpi.sys
1 File(s) 187,776 bytes

Directory of E:\Windows\system32\drivers

13/04/2008 19:36 187,776 acpi.sys
1 File(s) 187,776 bytes

Total Files Listed:
2 File(s) 375,552 bytes
0 Dir(s) 119,087,759,360 bytes free

#8 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,761 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:07:10 AM

Posted 14 October 2011 - 05:57 PM

You mentioned one hard drive, two partitions? How are you able to boot to each partition? Through a boot menu, or pressing F12 to select the corresponding partition?

We will need to check if the registry entry for this driver is present. These are the only two issues reflected in the Malwarebytes log.

You will need a USB drive and a CD to burn. There will be several steps to follow.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and when finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download driver.sh to your USB drive
  • Also Download Query.exe to the USB drive. In your working computer, navigate to the USB drive and click on the Query.exe. A folder and a file, query.sh, will be extracted.
  • Remove the USB & CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • In some computers you need to tap F12 and choose to boot from the CD, in others it is the Esc key. Please consult your computer's documentation.
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • You will be able to see which folder represents your XP installation. Please let me know.
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Then type bash driver.sh -af
  • Press Enter
  • You will be prompted to input a filename.
  • Type the following:

    Winlogon.exe

  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:

    volsnap.sys

  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:

    explorer.exe

  • Press Enter
  • After it has completed the search enter the next file to be searched
  • Type the following:

    Userinit.exe

  • Press Enter
  • After the search is completed type Exit and press Enter.
  • After it has finished a report will be located in the USB drive as filefind.txt
  • While still in the Open Terminal, type bash query.sh
  • Press Enter
  • After it has finished a report will be located in the USB drive as RegReport.txt
  • Post the contents of the report.txt, filefind.txt and RegReport.txt in your next reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#9 SabineDJ

SabineDJ
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:11:10 AM

Posted 14 October 2011 - 08:42 PM

I can choose the partition through a boot menu, which defaults to XP after a short while if no option is selected.

I have made the CD and downloaded the files to the USB, but can't get past the first screen of xPUD. I get this:

Not enough memory to load specified image.

boot:


... and then am returned to the welcome screen.

#10 SabineDJ

SabineDJ
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:11:10 AM

Posted 15 October 2011 - 09:00 AM

To clarify my previous post, the screen I can't get past is the one with the language choices. I suspect the welcome screen comes later.

#11 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,761 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:07:10 AM

Posted 15 October 2011 - 09:24 AM

That error is undocumented. Perhaps a bad download or burn? Have you tested the CD in another computer?

Let me do some testing in my machine. Perhaps we can get the information I need through VISTA.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#12 SabineDJ

SabineDJ
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:11:10 AM

Posted 15 October 2011 - 12:10 PM

Tried the CD in another computer and it gets to the Welcome to xPUD screen ok.

One thing I only just remembered; I don't know if the memory diagnostic test I did a few days ago actually terminated OK. I left it overnight and next day found the usual blue screen.

#13 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,761 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:07:10 AM

Posted 15 October 2011 - 01:07 PM

There are not that many tools we can use to scan that partition. Most of the tools scan the default partition based on its contents. Do you have a Windows XP install CD?

What I want is to check if the acpi service is enumerated in the registry as the Malwarebytes report indicates it was removed.

Open an Administrator command prompt (Click on the orb, type CMD, at the top of the start menu, right click on the command and select run as an administrator). If successful, copy and paste the following command in the prompt and press Enter.

Copy E:\windows\system32\config\system "%Userprofile%\Desktop"

If you do not have a permission error (Access denied), a new file, system, will appear on your desktop.

Let me know the outcome.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#14 SabineDJ

SabineDJ
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:11:10 AM

Posted 15 October 2011 - 02:06 PM

I have the XP reinstallation CD provided by Dell, but haven't been able to get it to do anything (I described in my first post what happens when I try to boot from it). I also have the XP reinstallation CD from my previous computer, but that was a different version of XP so I don't suppose it's any use here.

Followed your instructions and now have the file "system" on my desktop.

#15 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,761 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:07:10 AM

Posted 15 October 2011 - 02:33 PM

Let's check the contents of that file.

Download the enclosed folder. [attachment=109295:Test.zip]

Save and extract its contents to the desktop. Once extracted, open the folder and right click on the LoadHive.bat file and select "Run as an administrator". If successful, a log.txt will be produced on the desktop. Please post its contents in your next reply.

Edited by JSntgRvr, 15 October 2011 - 02:34 PM.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
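The checks the helper walks through in posts #6, #13 and #15 (list every on-disk copy of acpi.sys, copy the offline SYSTEM hive, load it, and see whether the Services\ACPI key that Malwarebytes deleted still exists) can be done in one elevated PowerShell session on the working Vista/Windows side. The script below is an added example, not the thread's LoadHive.bat or any of the helper's tools. It assumes the XP partition is E:, that PowerShell 4 or later is installed on the working side (for Get-FileHash), and uses the made-up mount name HKLM\OfflineXP.

```powershell
# Added example (not from the thread): offline triage of a non-booting XP partition
# from a working Windows install, mirroring the steps asked for in posts #6, #13 and #15.
# Assumptions: XP lives on E:, the session is elevated ("Run as administrator"),
# and HKLM\OfflineXP is an unused hive mount name.
param(
    [string]$XpRoot   = 'E:\Windows',   # assumption: XP partition is E:
    [string]$MountKey = 'OfflineXP',    # hypothetical hive mount name
    [string[]]$Files  = @('acpi.sys', 'winlogon.exe', 'volsnap.sys', 'explorer.exe', 'userinit.exe')
)

# Step 1: the "Dir /a <file> /s" check from post #6. A boot-critical driver should be
# present in system32\drivers and match the copy in ServicePackFiles\i386; a copy with a
# different size or hash is the one to look at more closely.
function Find-OfflineFile {
    param([string]$Root, [string]$Name)
    Get-ChildItem -Path $Root -Filter $Name -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $_.FullName
                Size   = $_.Length
                Mtime  = $_.LastWriteTime
                SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Step 2: copy the offline SYSTEM hive (post #13) and load the copy under HKLM
# (what the LoadHive.bat step in post #15 does). Working on a copy leaves the
# original hive untouched.
$hiveSrc  = Join-Path $XpRoot 'system32\config\system'
$hiveCopy = Join-Path $env:USERPROFILE 'Desktop\system.offline'   # constructed file name
Copy-Item -Path $hiveSrc -Destination $hiveCopy -Force
& reg.exe load "HKLM\$MountKey" $hiveCopy | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed (not elevated, hive in use, or hive corrupt?)" }

try {
    # Which ControlSet does this XP install boot with? HKLM\SYSTEM\Select\Current says.
    $current = (Get-ItemProperty -Path "HKLM:\$MountKey\Select").Current
    $ccs     = "HKLM:\$MountKey\ControlSet{0:D3}" -f $current

    # Step 3: is the ACPI service still enumerated? Malwarebytes reported deleting
    # Services\ACPI; without that key the loader never starts acpi.sys, and a missing
    # boot-start driver on the storage path is a classic cause of STOP 0x7B.
    $svc = Get-ItemProperty -Path "$ccs\Services\ACPI" -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        "MISSING: $ccs\Services\ACPI (boot-start driver key absent)"
    } else {
        # Start=0 is boot-start, Type=1 is a kernel driver, ImagePath is what the loader uses.
        "PRESENT: Services\ACPI  Start={0} Type={1} ImagePath={2}" -f $svc.Start, $svc.Type, $svc.ImagePath
    }

    # Step 4: every on-disk copy of each file of interest (the Dir /s and driver.sh -af steps).
    foreach ($f in $Files) {
        "--- $f ---"
        Find-OfflineFile -Root $XpRoot -Name $f | Format-Table -AutoSize
    }
}
finally {
    # Release handles before unloading, otherwise reg unload reports the hive as in use.
    [gc]::Collect()
    & reg.exe unload "HKLM\$MountKey" | Out-Null
}
```

The script only reads: it never writes to the mounted hive, so the XP partition is left exactly as found. If Services\ACPI comes back MISSING while acpi.sys is present and its hash matches the ServicePackFiles copy, the driver file itself is probably fine and the registry key is what the boot is missing; if the key is present but acpi.sys differs from the service-pack copy, the file is the thing to examine further.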




