
Blue Screen After Startup, Unable to run DDS


  • This topic is locked
60 replies to this topic

#1 lmodestow

lmodestow

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:12:32 AM

Posted 20 April 2012 - 06:11 PM

I believe that I have the Smart HDD virus. My 64 Bit Dell XPS (W7 Home Prem) won't complete its boot as it gets interrupted with the Blue Screen with the Stop: 0x0000001E (0xFFFFFFFFC0000006, 0xFFFFFA80074E5B8C, 0x0000000000000000, 0x000000007EFA2000). So I am unable to get any log files. Thanks in advance for any help you can offer.


 


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:01:32 AM

Posted 20 April 2012 - 06:39 PM

Hi

Please do the following:


For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there
  • Press Scan button.
  • Type exit and reboot the computer normally
  • FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 lmodestow

lmodestow
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:12:32 AM

Posted 21 April 2012 - 04:53 PM

Thanks. I'll try it.

#4 lmodestow

lmodestow
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:12:32 AM

Posted 21 April 2012 - 05:17 PM

Attached is the FRST.txt

Attached File  FRST.txt   30.42KB   12 downloads

#5 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:01:32 AM

Posted 21 April 2012 - 05:36 PM

Hi

Please do the following:


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
SubSystems: [Windows] ==> ZeroAccess
HKLM-x32\...\Run: []  [x]
2012-04-17 20:11 - 2012-04-16 03:42 - 0020480 ____A C:\Windows\svchost.exe
2012-04-16 04:00 - 2012-04-17 17:57 - 0000256 ___AH C:\ProgramData\Kf7WFKyxkBRZAL
2012-04-16 04:00 - 2012-04-16 04:00 - 0000168 ___AH C:\ProgramData\-Kf7WFKyxkBRZALr
2012-04-16 04:00 -  - 0000000 ___AH C:\ProgramData\-Kf7WFKyxkBRZAL
2012-04-16 04:00 - 2012-04-16 04:00 - 0000256 ___AH C:\ProgramData\Kf7WFKyxkBRZAL
2012-04-16 04:00 - 2012-04-16 04:00 - 0000168 ___AH C:\ProgramData\-Kf7WFKyxkBRZALr
2012-04-16 04:00 - 2012-04-16 04:00 - 0000000 ___AH C:\ProgramData\-Kf7WFKyxkBRZAL
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Now restart, let it boot normally and tell me how it went.


NEXT


Refer to the ComboFix User's Guide

  • Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
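
Added example, not part of the original thread and not FRST's or the helper's own logic: a small triage pass over file lines in the format used in the fixlist above, flagging the kinds of entries that appear there. The field order (created, modified, size, attributes, path) and the three heuristics are assumptions of this example.

```python
import re
from ntpath import basename, dirname  # Windows path rules on any OS

# Sample input: three lines copied from the fixlist in the post above.
SAMPLE = r"""
2012-04-17 20:11 - 2012-04-16 03:42 - 0020480 ____A C:\Windows\svchost.exe
2012-04-16 04:00 - 2012-04-17 17:57 - 0000256 ___AH C:\ProgramData\Kf7WFKyxkBRZAL
2012-04-16 04:00 -  - 0000000 ___AH C:\ProgramData\-Kf7WFKyxkBRZAL
"""

# Assumed layout: created - modified - size attributes path.
# Either timestamp may be empty, as in the third sample line.
TS = r"(\d{4}-\d\d-\d\d \d\d:\d\d)?"
LINE = re.compile(rf"^{TS} - {TS} - (\d+) ([A-Z_]+) (.+)$")

# Illustrative lists (assumptions): process names that normally live only
# in the system directories, and those directories.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "csrss.exe", "winlogon.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def triage(text):
    """Return (path, reasons) for each parsed line that trips a heuristic."""
    findings = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a file line (e.g. "start", "end", registry entries)
        created, modified, _size, attrs, path = m.groups()
        folder, name = dirname(path).lower(), basename(path).lower()
        reasons = []
        if name in SYSTEM_NAMES and folder not in SYSTEM_DIRS:
            reasons.append("system process name outside System32")
        if "H" in attrs and folder == r"c:\programdata":
            reasons.append("hidden file in ProgramData root")
        # ISO-style timestamps compare correctly as strings.
        if created and modified and modified < created:
            reasons.append("modified before created")
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE):
        print(path, "->", "; ".join(reasons))
```

A hit is a prompt for review, not a verdict; each entry still needs to be checked by hand before it goes into a fix script.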


#6 lmodestow

lmodestow
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:12:32 AM

Posted 21 April 2012 - 05:51 PM

just to be clear:

After I save the text file u supplied to the usb drive, do I reattach the usb drive to the bad computer and then run FRST64?

#7 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:01:32 AM

Posted 21 April 2012 - 06:10 PM

yes, that's correct

then select the "Fix" button

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#8 lmodestow

lmodestow
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:12:32 AM

Posted 21 April 2012 - 08:42 PM

Attached File  Fixlog.txt   724bytes   4 downloads

Attached is the Fixlog file. The reboot was unsuccessful, i.e. same blue screen error.

Should I continue with your instructions?

#9 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:01:32 AM

Posted 21 April 2012 - 08:49 PM

are you able to boot into safe mode?

To Enter Safemode
  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY repeatedly,
  • this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode
  • Then press the Enter Key on your Keyboard
  • go into your usual account


If you are not able to boot into safe mode either, then please run a fresh FRST log

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#10 lmodestow

lmodestow
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:12:32 AM

Posted 21 April 2012 - 09:20 PM

Attached File  FRST.txt   30.6KB   2 downloads

The safe boot almost completed, it seemed, then blue screened. I ran frst64 again and attached is the Frst.txt log

#11 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:01:32 AM

Posted 21 April 2012 - 09:29 PM

Hi

Please do the following:


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
Last Boot: 2012-03-16 02:50
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Now restart, let it boot normally and tell me how it went.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#12 lmodestow

lmodestow
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:12:32 AM

Posted 21 April 2012 - 09:41 PM

Attached File  Fixlog.txt   872bytes   1 downloads

To be clear, last time I attached the FRST.txt. Here is the fixlog.txt that you asked for this time.

Reboot resulted in same blue screen.

#13 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:01:32 AM

Posted 21 April 2012 - 09:48 PM

Hi

Please do the following:


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
script removed
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Now restart, let it boot normally and tell me how it went.

Edited by CatByte, 03 July 2012 - 08:54 PM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#14 lmodestow

lmodestow
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:12:32 AM

Posted 21 April 2012 - 09:57 PM

Attached File  Fixlog.txt   582bytes   3 downloads

Boot is . . . . yeah! successful.

okay, please tell me what you did and how I can prevent this from happening again. etc.

#15 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:01:32 AM

Posted 21 April 2012 - 09:59 PM

reset the boot code, but we have a little more work to do to make certain you are clean, so please run ComboFix, instructions in this post here

http://www.bleepingcomputer.com/forums/topic450805.html/page__view__findpost__p__2673858

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015




