Computer Doesn't Boot, BSoD***STOP: 0X0000007B (0xBA4E3524, 0xC0000034,0x00000000,0x00000000)


This topic is locked
73 replies to this topic

#1 Bassman63

Bassman63

  • Members
  • 37 posts
  • Gender:Male
  • Location:Fredericton, New Brunswick, Canada

Posted 26 February 2012 - 11:24 PM


Hi,
Thanks in advance for your assistance with my "situation"!
My computer is a Dell Dimension 4700 Pentium 4 running Windows XP Home Edition, SP3.

My story started with the machine losing its internet connection. This computer started having AVG quarantining files in response to a trojan infection. (I don't remember the exact message, but a couple of the infected files noted at different times were: netbt.sys and svchost.exe)
After a few of these messages, some time later, the computer stopped receiving its address from the router. I have a DSL router supplied by my internet provider as the hub of my home network.

This started my quest to repair my internet connection and remove whatever infected this machine.
In my research, I landed on the following site (not BleepingComputer.com, unfortunately) and followed their recommended steps.
http://forums.majorgeeks.com/showthread.php?t=35407 (Malware Removal Guide)
http://forums.majorgeeks.com/showthread.php?t=139313 (Windows XP Malware Removal/Cleaning Procedure)

I got to the point where it said to run Combofix. (I know better now!) While Combofix was working, a message came up about finding a rootkit infection in the TcpIP stack (?) which is "especially difficult to remove". After it performed an automatic reboot, the BSOD came up.

So...
While searching the specific BSOD stop message, I found this thread on this site:
http://www.bleepingcomputer.com/forums/topic405193.html (Blue Screen Stop: 0x0000007B, computer won't boot after a Bot was detected - possible infection)
I followed member etavares' recommendations for this blue screen issue and have thus far been able to boot using xPUD (on a USB stick) and retrieve my data and back it up on an external hard drive.
The tests described in the thread I was able to do to a point. It became apparent, however, that I would need some professional assistance, as a manual rewrite of one of my files may be needed.
"Thanks to noahdfear for the manual rewrite of your MBR."

Clearly, I'm in way over my head. My BSoD message is still the same as it was.
Thanks... Help?


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,933 posts
  • Gender:Female
  • Location:Romania

Posted 29 February 2012 - 12:15 PM

Hello, I understand you already have xPUD, but just to be sure I'll include the download link as well.

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer.
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on get&burn.bat
  • The program will download xpud_0.9.2.iso and, when finished, will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Remove the USB drive and CD and insert them in the sick computer.
  • Boot the sick computer with the CD you just burned.
  • The computer must be set to boot from the CD.
  • Gently tap F12 and choose to boot from the CD.
  • Follow the prompts.
  • A Welcome to xPUD screen will appear.
  • Press File.
  • Expand mnt.
  • sda1,2... usually corresponds to your HDD.
  • sdb1 is likely your USB drive.
  • Click on the folder that represents your USB drive (sdb1?).
  • Press Tool at the top.
  • Choose Open Terminal.
  • Type the following and press Enter:

    dd if=/dev/sda of=mbr.bin bs=512 count=1

  • After it has finished, a file named mbr.bin will be located on your USB drive.
  • Remove the USB drive, insert it back in your working computer, navigate to mbr.bin, zip it up and attach it to your next reply.

This will allow me to have a look at the Master Boot Record of your drive and see if it is infected.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft
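
The post above asks for a raw 512-byte dump of the MBR so it can be inspected for infection. The following script is an added example (not Elise's tooling and not part of the original thread) showing what a reviewer checks first in such a dump: the 0x55AA boot signature at offset 510, the sanity of the four 16-byte partition entries, and a SHA-256 of the 446-byte bootstrap code for comparison against a known-clean image from the same kind of install. The two sample images it builds are constructed for the demo; `build_sample_mbr`, `parse_mbr` and `sanity_findings` are names chosen here, not anything from xPUD or ComboFix.

```python
"""Parse a 512-byte MBR image such as the mbr.bin produced by
`dd if=/dev/sda of=mbr.bin bs=512 count=1` and report boot signature,
partition-table sanity and a hash of the bootstrap code.
Sample images are constructed for the demo, not taken from a real disk."""
import hashlib
import struct
from typing import Dict, List

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # bootstrap code precedes the partition table
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR


def parse_partition_entry(entry: bytes) -> Dict[str, int]:
    # Layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
    status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
    return {"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors}


def parse_mbr(data: bytes) -> Dict:
    if len(data) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(data)}")
    entries = []
    for i in range(4):
        start = BOOT_CODE_SIZE + i * PARTITION_ENTRY_SIZE
        entries.append(parse_partition_entry(data[start:start + PARTITION_ENTRY_SIZE]))
    return {
        "signature_ok": data[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_SIZE]).hexdigest(),
        "partitions": entries,
    }


def sanity_findings(mbr: Dict) -> List[str]:
    """Structural problems that make a dumped MBR worth a closer look.
    Comparing the bootstrap hash with a known-clean image is the stronger
    check; this only catches gross damage or obviously corrupt entries."""
    findings: List[str] = []
    if not mbr["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    parts = mbr["partitions"]
    if sum(1 for p in parts if p["status"] == 0x80) > 1:
        findings.append("more than one partition marked active")
    for i, p in enumerate(parts):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status byte 0x{p['status']:02x}")
        if p["type"] != 0 and p["sectors"] == 0:
            findings.append(f"entry {i}: non-empty type but zero sector count")
    used = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in parts if p["type"] != 0)
    for (_, end_a), (start_b, _) in zip(used, used[1:]):
        if start_b < end_a:
            findings.append("partition entries overlap")
            break
    return findings


def build_sample_mbr(tampered: bool = False) -> bytes:
    """Constructed 512-byte image. The 'tampered' variant has different boot
    code, a corrupt status byte in entry 1 and no boot signature."""
    boot_code = (b"\xeb\xfe" if tampered else b"\xfa\x33\xc0\x8e\xd0").ljust(BOOT_CODE_SIZE, b"\x00")
    table = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 1_000_000)            # active NTFS
    table += struct.pack("<B3xB3xII", 0x99 if tampered else 0x00, 0x07, 1_000_063, 500_000)
    table += b"\x00" * (2 * PARTITION_ENTRY_SIZE)                          # two unused entries
    sig = b"\x00\x00" if tampered else BOOT_SIGNATURE
    return boot_code + table + sig


if __name__ == "__main__":
    for label, img in (("clean", build_sample_mbr()), ("tampered", build_sample_mbr(True))):
        info = parse_mbr(img)
        print(label, "boot code sha256:", info["boot_code_sha256"])
        print(label, "findings:", sanity_findings(info) or ["none"])
```

To run it against a real dump, replace the constructed images with `open("mbr.bin", "rb").read()`; a clean result from `sanity_findings` does not mean the bootstrap code is clean, which is why the hash is reported for comparison.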


#3 Bassman63

  • Topic Starter

Posted 29 February 2012 - 02:31 PM

Hi Elise,
Thanks for your help.
I have attached the MBR.bin file, zipped, as you requested.
I look forward to your next post.

Attached File: mbr.zip (534 bytes)

Cheers,
Alan

#4 Elise

Posted 29 February 2012 - 02:59 PM

That looks good. Using xPUD, can you please navigate to the following file: /mnt/sda1/qoobox/quarantine/combofix-quarantined-files.txt, copy it to your flash drive and post it here?

regards, Elise



#5 Bassman63

  • Topic Starter

Posted 29 February 2012 - 06:05 PM

Hi Elise,
I've had a look in Qoobox/Quarantine/ and "combofix-quarantined-files.txt" is not there. There are two folders (C and Registry_backups) and one file (catchme.log).
I hope this helps!
Cheers,
Alan

#6 Elise


Posted 01 March 2012 - 01:52 AM

Can you also look for the file in the qoobox folder itself?

If it's not there, open the C folder in quarantine and look for \c\windows\system32\drivers. Let me know what files are present there, if any.

regards, Elise




#7 Bassman63

  • Topic Starter

Posted 01 March 2012 - 10:46 AM

Hi Elise,
I have checked the Qoobox folder and the "combofix-quarantined-files.txt" is not there either.
As for the "Qoobox/Quarantine/c/windows/" folder, the following files and folders are there:
folder:
  • $NtUninstallKB6608$, 4.1KB
files:
  • EventSystem.log.vir, 606 bytes
  • iun6002.exe.vir, 737.3KB
  • SwSys1.bmp.vir, 0 bytes
  • SwSys2.bmp.vir, 0 bytes

There are some files and folders in "$NtUninstallKB6608$" but no "system32/drivers", unfortunately.
I can list the files/folders that are there, if they are helpful.
Please advise.
Cheers,
Alan

#8 Elise


Posted 01 March 2012 - 11:06 AM

In that case let's have a look at the drivers.

Please download driver.sh to your USB drive.
  • Remove the USB drive and CD and insert them in the sick computer.
  • Boot the sick computer with the xPUD CD.
  • The computer must be set to boot from the CD.
  • Gently tap F12 and choose to boot from the CD.
  • Follow the prompts.
  • A Welcome to xPUD screen will appear.
  • Press File.
  • Expand mnt.
  • sda1,2... usually corresponds to your HDD.
  • sdb1 is likely your USB drive.
  • Click on the folder that represents your USB drive (sdb1?).
  • Confirm that you see the driver.sh that you downloaded there.
  • Press Tool at the top.
  • Choose Open Terminal.
  • Type bash driver.sh
  • Press Enter.
  • After it has finished, a report named report.txt will be located on your USB drive.
  • Remove the USB drive, insert it back in your working computer and navigate to report.txt.

    Please note - all text entries are case sensitive.
Copy and paste the report.txt for my review.

regards, Elise


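
The driver.sh script requested above is not reproduced in the thread, nor is the format of its report.txt. As an added example of the same idea (not the script itself, and not part of the original thread), the following Python inventories the driver files of an offline Windows installation mounted from a live CD and flags drivers that are unknown to, or differ from, a baseline of known-good hashes. The sample directory and the baseline are constructed for the demo; `inventory_drivers`, `compare_with_baseline` and the fake file names other than netbt.sys are names chosen here. On the thread's setup the directory would be something like /mnt/sda1/WINDOWS/system32/drivers, which is an assumption about the mount point, not something the thread states.

```python
"""Inventory *.sys files in an offline Windows drivers directory and compare
them with a baseline of expected SHA-256 hashes. Sample data is constructed
for the demo; this is not the thread's driver.sh."""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

Inventory = Dict[str, Tuple[int, str]]  # lower-case filename -> (size in bytes, sha256 hex)


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory_drivers(drivers_dir: str) -> Inventory:
    """Size and hash of every *.sys file directly in drivers_dir.

    Names are lower-cased: NTFS is case-insensitive but the Linux live CD is
    not, so 'NTFS.sys' and 'ntfs.sys' must be treated as the same driver."""
    result: Inventory = {}
    for name in os.listdir(drivers_dir):
        path = os.path.join(drivers_dir, name)
        if name.lower().endswith(".sys") and os.path.isfile(path):
            result[name.lower()] = (os.path.getsize(path), sha256_file(path))
    return result


def compare_with_baseline(inv: Inventory, baseline: Dict[str, str]) -> List[str]:
    """Findings a reviewer looks at first: drivers absent from the baseline
    (a dropped component), drivers whose hash no longer matches (a patched
    system driver), and baseline drivers that are missing altogether.
    baseline maps lower-case name -> expected sha256."""
    findings: List[str] = []
    for name, (size, digest) in sorted(inv.items()):
        if name not in baseline:
            findings.append(f"UNKNOWN   {name} ({size} bytes) {digest}")
        elif baseline[name] != digest:
            findings.append(f"MODIFIED  {name} ({size} bytes) {digest}")
    for name in sorted(set(baseline) - set(inv)):
        findings.append(f"MISSING   {name}")
    return findings


def build_sample_drivers_dir() -> str:
    """Constructed sample: three fake driver files in a temp dir (not real drivers)."""
    d = tempfile.mkdtemp(prefix="drivers_")
    samples = {
        "netbt.sys": b"fake netbt driver body",    # will match the baseline
        "NTFS.sys": b"fake ntfs driver body",      # will differ from the baseline
        "xyzrk.sys": b"fake unknown driver body",  # not in the baseline at all
    }
    for name, body in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(body)
    return d


def sample_baseline() -> Dict[str, str]:
    """Constructed baseline; a real one would come from a clean install of the same SP level."""
    return {
        "netbt.sys": hashlib.sha256(b"fake netbt driver body").hexdigest(),
        "ntfs.sys": hashlib.sha256(b"a clean ntfs driver body").hexdigest(),
        "tcpip.sys": hashlib.sha256(b"fake tcpip driver body").hexdigest(),
    }


if __name__ == "__main__":
    d = build_sample_drivers_dir()
    for line in compare_with_baseline(inventory_drivers(d), sample_baseline()):
        print(line)
```

Run on a real mount, the UNKNOWN lines are the ones to investigate first; a MODIFIED line for a core driver such as netbt.sys or tcpip.sys is consistent with the TCP/IP-stack infection the user was warned about, but a hash mismatch alone can also come from a legitimate hotfix, so the baseline must match the installed service pack and patches.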


#9 Bassman63

  • Topic Starter

Posted 01 March 2012 - 02:44 PM

Hi Elise,
I've done what you requested and have attached the file.

Attached File: report.txt (30.32KB)


Cheers,
Alan

#10 Elise


Posted 01 March 2012 - 02:58 PM

Please try to boot your computer in safe mode. You will see a list of drivers rolling over the screen. Please let me know what the last file name you see on screen is before the BSOD appears.

regards, Elise




#11 Bassman63

  • Topic Starter

Posted 01 March 2012 - 08:23 PM

Hi Elise,

At this point in the diagnosis of my computer's problem(s), I should advise you of another "fix" that I threw at it prior to requesting help.
Hopefully it is not going to create more headaches for your analysis.

I found member usasma's post: XP Boot "fixes"
(http://www.bleepingcomputer.com/forums/topic138692.html)
and followed this link:
(http://tinyempire.com/notes/ntldrismissing.htm)
I created a boot CD as described and set up the boot sequence edit as outlined in the text.
Now when booting the machine, the following screen comes up:

1ST TRY THIS seleccione esto primero
2ND TRY THIS essayez ceci en deuxieme
3RD TRY THIS wahlen Sie diesen Third
4TH TRY THIS selezioni questo fourth
5TH TRY THIS selecione este fifth
6TH TRY THIS seleccione este sexto
7TH TRY THIS essayez ceci en septieme
8TH TRY THIS wahlen Sie dieses achte
9TH TRY THIS selezioni questo nono
10TH TRY THIS selecione este decimo

I performed the tests, booting using all 10 options, and found that only option 3 would not show an error message, but take you to the black "Windows did not start successfully..." screen.
This screen allows you to select:
-Safe mode
-Safe mode with networking
-Safe mode with command prompt
-Last known configuration...
-Start Windows normally
I've tried all of the above "modes" and they result in the BSoD.

Now... to answer your question (sorry for the long intro):
when selecting safe mode from the above screen, the last line in the scrolling text before the BSoD is:
...windows/system32/drivers/agpCPQ.sys

Thanks again for your patience.
Cheers,
Alan

#12 Elise


Posted 02 March 2012 - 03:02 AM

Using xPUD, please navigate to /mnt/sda2/Windows/system32/drivers/combo-fix.sys <-- right-click this file and select Rename. Rename it to combo-fix.bak

Try to reboot normally now. As this problem happened after a ComboFix run, it is possible that its driver has somehow caused a problem.

regards, Elise




#13 Bassman63

  • Topic Starter

Posted 02 March 2012 - 11:00 AM

Hi Elise,
I renamed the file and tried rebooting, no luck.
I also tried safe mode, no success.
Still goes to the BSoD.
Cheers,
Alan

#14 Elise


Posted 02 March 2012 - 11:09 AM

Do you see the option to start Recovery Console on startup?

regards, Elise




#15 Bassman63

  • Topic Starter

Posted 02 March 2012 - 11:28 AM

Hi Elise,
I have access to the Recovery Console by booting with my Windows XP installation disc.
I have the setup screen on now.
"To repair a Windows XP installation using Recovery Console, press R."
I can proceed, with your direction.
Cheers,
Alan



