Cannot boot normal or safe mode


  • This topic is locked
32 replies to this topic

#1 airnupe

  • Members
  • 40 posts

Posted 30 June 2012 - 11:32 AM

Running Dell Dimension E510 computer with Win XP SP 2/3 and MS Security Essentials. Couple weeks ago, my wife started getting Mailer Daemons (sp?) for returned emails indicating that she was sending out spam email. Ran malware bytes, Trend Micro online and MS Security, revealing several Trojans...Trojgen.r11c9fh, fakeav.bmc, exploit:java/blacole.fu. I thought that the Trojans had been cleaned then I got the black screen saying that "Windows had not closed properly." I could not boot into Safe mode to run any malware programs. I attempted to start Windows normally, and got the BSOD. I tried to return to last known condition once and now when I boot up I get BSOD with:

Stop:0x0000007E and kdcom.dll error.

I've run Dell Diagnostics and have no errors. I even created a Recovery disk but get BSOD when I run Chkdsk. I've run out of things to try. Help, my wife is bugging me about fixing the computer.

Scott

Edited by hamluis, 30 June 2012 - 12:24 PM.
Moved from XP to Am I Infected - Hamluis.



#2 ElFasso

  • Members
  • 229 posts
  • Gender:Male
  • Location:Belgium

Posted 30 June 2012 - 11:34 AM

Try to run the System File Checker from the Recovery CD, using this command from the command prompt:

sfc /scannow

#3 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 30 June 2012 - 12:05 PM

This looks like the TDL4 rootkit. Let me ask a malware response team member to help you.

good luck

#4 hamluis

  • Moderator
  • 55,576 posts
  • Gender:Male
  • Location:Killeen, TX

Posted 30 June 2012 - 12:23 PM

Try to run the System File Checker from the Recovery CD, using this command from the command prompt:

sfc /scannow


If this was simply a boot problem, that might be a good suggestion. However...given the detailed background of malware on the system...I think that we need to ensure that the system is free of malware before going any further.

Moving topic to Am I Infected.

Louis

#5 ElFasso

  • Members
  • 229 posts
  • Gender:Male
  • Location:Belgium

Posted 30 June 2012 - 12:28 PM


Try to run the System File Checker from the Recovery CD, using this command from the command prompt:

sfc /scannow


If this was simply a boot problem, that might be a good suggestion. However...given the detailed background of malware on the system...I think that we need to ensure that the system is free of malware before going any further.

Moving topic to Am I Infected.

Louis


I agree, but sometimes running the sfc /scannow command will bring the system back to a bootable state. Unbootable systems require different techniques (Linux live CDs, Farbar Recovery Tool, etc...).

Edited by ElFasso, 30 June 2012 - 12:28 PM.


#6 Elise
    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,986 posts
  • Gender:Female
  • Location:Romania

Posted 01 July 2012 - 04:49 AM

You cannot run SFC from an XP recovery CD; this only works in the Vista/7 recovery environment.

@ airnupe, please do the following.

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso and, when finished, will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Remove the USB & CD and insert them in the sick computer
  • Boot the sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following and press enter:

    dd if=/dev/sda of=mbr.bin bs=512 count=1

  • Press Enter
  • After it has finished a file will be located on your USB drive named mbr.bin
  • Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.

This will allow me to have a look at the Master Boot Record of your drive and see if it is infected.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#7 airnupe
  • Topic Starter

  • Members
  • 40 posts

Posted 01 July 2012 - 08:02 AM

Elise,
I was beating my head against the wall trying to run SFC from the recovery panel. I ran xPUD and am attaching the MBR zip file. It was small, so I hope it worked OK.

Scott

Attached Files

  • mbr.zip (583 bytes, 5 downloads)


#8 Elise
    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,986 posts
  • Gender:Female
  • Location:Romania

Posted 01 July 2012 - 08:28 AM

There seems to be a problem with the partition structure here. Is it correct that your Windows partition is around 230 GB?

Download xPUDtd and save it to a USB drive. (If the download opens in a separate tab, right-click the link and select Save Link/Target As.)
  • Remove the USB & xPUD CD and insert them in the sick computer
  • Boot the sick computer with the xPUD CD
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Double-click on xPUDtd to extract and run it.
The first screen will present log options - press Enter to continue.

TestDisk will scan the system and show drive information.
If there is more than one drive, select the correct drive, make sure [Proceed] is selected, then press Enter to continue.

Select [Intel] partition and press Enter to continue.

Select [Analyse] and press Enter to continue.

Select Quick Search and press Enter.

If you receive a warning, select continue and press Enter.

At the following screen please see if the correct partition structure is displayed (meaning that TestDisk should show you the right sizes of the partitions you know you have on the disk). If you are not sure, just quit at this point and post me the TestDisk log created on your USB drive.

Press Q repeatedly until TestDisk exits and post the log.

regards, Elise



#9 airnupe
  • Topic Starter

  • Members
  • 40 posts

Posted 01 July 2012 - 08:43 AM

Yes, I have a 250 GB hard drive. Am I to use xPUD to access the internet and download the file, or download it to a thumbdrive and access it on the sick computer via xPUD?

#10 Elise
    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,986 posts
  • Gender:Female
  • Location:Romania

Posted 01 July 2012 - 09:16 AM

You can do both; it's usually a bit simpler to download it beforehand on a flash drive, but usually xPUD internet should work without too much work either.

regards, Elise



#11 airnupe
  • Topic Starter

  • Members
  • 40 posts

Posted 01 July 2012 - 09:41 AM

Downloaded to the flash drive. Accessed the drive and file through xPUD. Double-clicked on testdisk_win.exe but nothing happens.

#12 Elise
    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,986 posts
  • Gender:Female
  • Location:Romania

Posted 01 July 2012 - 10:28 AM

My apologies, I only now noticed I had posted the instructions for TestDisk from Windows, not the Linux variant. I updated my instructions, and I think this time you'll find them easier to follow. :)

Sorry for any confusion this may have caused!

regards, Elise



#13 airnupe
  • Topic Starter

  • Members
  • 40 posts

Posted 01 July 2012 - 11:09 AM

That worked. Here is the log....

Attached Files



#14 Elise
    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,986 posts
  • Gender:Female
  • Location:Romania

Posted 01 July 2012 - 11:17 AM

You quit too early; can you go one step further (usually Quick Search or simply Continue) so TD can detect the actual partition structure on the disk?

It should display something like:

  #  Flag  Type          Start (C/H/S)   End (C/H/S)       Sectors
  1   *    Dell Utility  0/1/1           7/254/63           128457
  2   P    HPFS - NTFS   8/0/1           29754/254/63    477885555
  3   P    CP/M          29755/0/1       30392/254/63     10249470

Once you see something similar to this, press Q until you exit the program and post me the new log (please copy/paste the log, do not attach it).

regards, Elise

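As an added example, not part of the thread or of TestDisk: a small Python checker that reads a 512-byte MBR dump such as the mbr.bin produced by the dd command earlier in this topic and reports what the partition table claims, flagging structural oddities (bad boot signature, invalid status bytes, unknown type IDs, overlapping entries, entries running past the end of the disk) a responder would want to see before trusting the disk. The sample layout is constructed from the TestDisk listing above, and the type IDs (0xDE Dell Utility, 0x07 NTFS, 0xDB CP/M) are the standard MBR codes assumed to match those labels.

```python
# Added example: parse a 512-byte MBR dump (e.g. the mbr.bin written by
# "dd if=/dev/sda of=mbr.bin bs=512 count=1") and report structural oddities.
import hashlib
import struct
# Standard MBR partition type IDs; names follow the TestDisk labels seen in this thread.
TYPE_NAMES = {0x00: "empty", 0x06: "FAT16 >32M", 0x07: "HPFS/NTFS",
              0x0C: "FAT32 LBA", 0xDB: "CP/M", 0xDE: "Dell Utility"}

def parse_mbr(mbr: bytes, disk_sectors: int = 0) -> dict:
    """Decode the four partition entries; an empty 'findings' list means nothing odd."""
    if len(mbr) != 512:
        raise ValueError("an MBR dump must be exactly 512 bytes")
    findings, entries = [], []
    if struct.unpack_from("<H", mbr, 510)[0] != 0xAA55:
        findings.append("boot signature 0x55AA missing")
    for i in range(4):
        # Entry layout: status, CHS start (3 bytes), type, CHS end (3 bytes), start LBA, sector count.
        status, ptype, start, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype == 0:
            continue
        if status not in (0x00, 0x80):
            findings.append(f"entry {i + 1}: invalid status byte 0x{status:02X}")
        if ptype not in TYPE_NAMES:
            findings.append(f"entry {i + 1}: unrecognised partition type 0x{ptype:02X}")
        if disk_sectors and start + count > disk_sectors:
            findings.append(f"entry {i + 1}: extends past end of disk")
        entries.append({"index": i + 1, "active": status == 0x80, "type": ptype,
                        "name": TYPE_NAMES.get(ptype, "unknown"),
                        "start_lba": start, "sectors": count})
    if sum(e["active"] for e in entries) > 1:
        findings.append("more than one active partition")
    # Overlapping ranges mean something other than a partitioning tool edited the table.
    ordered = sorted(entries, key=lambda e: e["start_lba"])
    for a, b in zip(ordered, ordered[1:]):
        if a["start_lba"] + a["sectors"] > b["start_lba"]:
            findings.append(f"entries {a['index']} and {b['index']} overlap")
    # Hash of the boot code (bytes 0-445) to compare with a dump from a known-clean machine.
    return {"bootcode_sha256": hashlib.sha256(mbr[:446]).hexdigest(),
            "entries": entries, "findings": findings}

def build_sample_mbr() -> bytes:
    """Constructed 250 GB layout using the three partitions TestDisk listed above."""
    table = [(0x00, 0xDE, 63, 128457),           # Dell Utility
             (0x80, 0x07, 128520, 477885555),    # Windows (HPFS/NTFS), marked active
             (0x00, 0xDB, 478014075, 10249470)]  # CP/M-typed partition at the end of the disk
    mbr = bytearray(512)
    for i, (status, ptype, start, count) in enumerate(table):
        struct.pack_into("<B3xB3xII", mbr, 446 + 16 * i, status, ptype, start, count)
    struct.pack_into("<H", mbr, 510, 0xAA55)
    return bytes(mbr)
```

The structural checks need no reference, but the boot-code hash only says something when compared with a dump taken from a known-clean machine with the same OS and OEM build, since that is the part of the sector a bootkit actually rewrites.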


#15 airnupe
  • Topic Starter

  • Members
  • 40 posts

Posted 01 July 2012 - 12:50 PM

Tried again... on the fourth step it asks if TestDisk should search for partitions under Vista; the first test I ran, I said Yes; this second one, I said no. I have quit on the following screen in green that has:

FAT16 >32M ........
P HPFS -NTFS ......
P FAT32 LBA ......
it says structure OK. This has been where I quit.

Attached Files


Edited by airnupe, 01 July 2012 - 12:55 PM.
