
BSOD 0x0000007B and FRST64.exe


  • This topic is locked
7 replies to this topic

#1 Injection_Mold

  • Members
  • 4 posts

Posted 14 December 2012 - 04:14 PM

I started getting a BSOD 0x0000007B. I booted from the Win7 disk to do a repair and it failed to automatically fix the booting issues. I used the command prompt and tried to run sfc /scannow, which did not work because it said it had to reboot to finish the repair option. I went in and deleted the pending.xml and proceeded to run sfc /scannow /offbootdir=c:\ /offwindir=c:\windows; it went through the verification process and would not proceed from there. I also ran a chkdsk and it found no errors. I have also run bootrec /fixmbr and a fixboot c:\. So I downloaded FRST64.exe and ran a scan, which gave me the FRST.txt. And now I am stuck and don't know how to proceed. Any help would be much appreciated. Also, I hope I posted this in the correct forum. Thanks in advance.

Contents of FRST.txt below.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 11-12-2012
Ran by SYSTEM at 14-12-2012 15:22:58
Running from H:\Josh Temp\Farbar
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2281256 2010-09-13] (Synaptics Incorporated)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [487424 2010-06-17] (IDT, Inc.)
HKLM\...\Run: [HPWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe 120 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe /hidden [363064 2010-06-18] (Hewlett-Packard Company)
HKLM\...\Run: [SmartMenu] C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe /background [611896 2010-01-20] ()
HKLM-x32\...\Run: [Easy Dock] [x]
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKU\HP.Admin\...\Run: [SearchEngineProtection] C:\Program Files (x86)\Gamesbar\SearchEngineProtection.exe [591248 2011-03-03] (Oberon Media )
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

==================== Services (Whitelisted) ===================

2 Retrogamer_2zService; C:\Program Files (x86)\Retrogamer_2z\bar\1.bin\2zbarsvc.exe [36864 2011-03-20] (Retrogamer)

==================== Drivers (Whitelisted) =====================

2 WIBUKEY; C:\Windows\System32\DRIVERS\WibuKey64.sys [103224 2010-12-02] (WIBU-SYSTEMS AG)
3 Wibukey2_64; C:\Windows\System32\Drivers\Wibukey2_64.sys [16896 2010-12-02] (WIBU-SYSTEMS AG)

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========



==================== One Month Modified Files and Folders =======

2012-12-14 14:59 - 2012-12-14 14:59 - 00000000 ____D C:\FRST
2012-11-19 21:33 - 2012-09-20 14:01 - 00000000 ____D C:\users\HP.Admin
2012-11-19 21:33 - 2012-08-13 08:55 - 00000000 ____D C:\Program Files (x86)\alotappbar
2012-11-19 21:33 - 2010-11-20 23:16 - 00000000 ___RD C:\Users\Public\Recorded TV
2012-11-19 21:33 - 2010-09-16 01:09 - 00000000 ____D C:\Users\All Users\CinemaNow
2012-11-19 21:33 - 2009-07-13 19:20 - 00000000 __RSD C:\Windows\Media
2012-11-19 21:33 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2012-11-19 18:14 - 2012-08-13 08:54 - 00022090 ____A C:\INSTALLHELPER.LOG
2012-11-19 16:30 - 2012-09-20 16:02 - 01569396 ____A C:\Windows\WindowsUpdate.log
2012-11-19 16:02 - 2011-12-18 21:18 - 00000052 ____A C:\Windows\SysWOW64\DOErrors.log
2012-11-19 15:58 - 2009-07-13 20:45 - 00030176 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-11-19 15:58 - 2009-07-13 20:45 - 00030176 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-11-19 15:53 - 2009-07-13 21:13 - 00796870 ____A C:\Windows\System32\PerfStringBackup.INI
2012-11-19 15:49 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-11-19 15:49 - 2009-07-13 20:51 - 00693065 ____A C:\Windows\setupact.log

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

TDL4: custom:26000022 <===== ATTENTION!

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-11-19 16:38:43
Restore point made on: 2012-11-19 18:13:49

==================== Memory info ===========================

Percentage of memory in use: 24%
Total physical RAM: 3893.86 MB
Available physical RAM: 2956.32 MB
Total Pagefile: 3892.06 MB
Available Pagefile: 3052.25 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:445.2 GB) (Free:383.22 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive e: (RECOVERY) (Fixed) (Total:20.26 GB) (Free:2.95 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive f: (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.08 GB) FAT32
4 Drive g: (W7SP1_HOMEPREMIUM) (CDROM) (Total:5.23 GB) (Free:0 GB) UDF
5 Drive h: () (Removable) (Total:7.47 GB) (Free:0.27 GB) NTFS
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
7 Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]
ATTENTION: Malware custom entry on BCD on drive y: detected. Check for MBR/Partition infection.

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 Online 7648 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 199 MB 1024 KB
Partition 2 Primary 445 GB 200 MB
Partition 3 Primary 20 GB 445 GB
Partition 4 Primary 103 MB 465 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM NTFS Partition 199 MB Healthy

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 445 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E RECOVERY NTFS Partition 20 GB Healthy

=========================================================

Disk: 0
Partition 4
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 F HP_TOOLS FAT32 Partition 103 MB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7647 MB 1024 KB

==================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 H NTFS Removable 7647 MB Healthy

=========================================================

Last Boot: 2012-11-19 16:33

==================== End Of Log =============================

Edited by hamluis, 14 December 2012 - 05:28 PM.
Moved from Win 7 to Malware Removal Logs - Hamluis.



#2 Farbar

  • Security Developer
  • 21,707 posts
  • Location:The Netherlands

Posted 14 December 2012 - 05:59 PM

Hello Injection_Mold,

Welcome to the forum.

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
TDL4: custom:26000022 <===== ATTENTION!
end
Now please enter System Recovery Options and select Command Prompt.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Also restart, let it boot normally and tell me how it went.
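The fix above targets the boot configuration element FRST reported as `TDL4: custom:26000022`; the same scan log flagged a malware entry in the BCD on the 199 MB SYSTEM partition (drive y:), which is why `bootrec /fixmbr` alone did not clear the 0x7B stop. The Python script below is an added example, not part of FRST and not Farbar's fix: it parses the text that `bcdedit /enum all` prints, lists every `custom:` element (the form bcdedit uses for element types it has no friendly name for) per BCD object, and builds the matching `bcdedit /deletevalue` commands for review. The sample output embedded in it is constructed, not captured from the laptop in this thread; the store path `Y:\Boot\BCD` and the `{current}` identifier are illustrative; and the mapping of 0x26000022 to the WinPEMode boolean, which ESET's TDL4 write-up describes as the element the rootkit sets so the kernel loads its unsigned driver, is stated as an assumption in the code.

```python
"""Flag non-standard BCD elements in `bcdedit /enum all` output.

Added example for this thread; not part of FRST or of Farbar's fix.
Assumptions: element 0x26000022 is BcdOSLoaderBoolean_WinPEMode (per ESET's
TDL4 analysis), and the store path / identifiers below are illustrative.
"""
import re
import subprocess
import sys
from typing import Dict, List

# Constructed sample resembling `bcdedit /store Y:\Boot\BCD /enum all` output.
# It is NOT captured from the laptop in the thread.
SAMPLE_BCDEDIT_OUTPUT = r"""
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=Y:
description             Windows Boot Manager
locale                  en-US
default                 {current}
timeout                 30

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  en-US
osdevice                partition=C:
systemroot              \Windows
custom:26000022         Yes
nx                      OptIn
"""

# bcdedit prints element types it has no friendly name for as custom:XXXXXXXX.
# Assumption (ESET TDL4 write-up): 0x26000022 = WinPEMode, which makes winload
# boot the kernel in WinPE mode and skip driver-signature enforcement.
SUSPECT_ELEMENTS: Dict[str, str] = {
    "26000022": "WinPEMode: TDL4-style signed-driver bypass",
}

# "key<2+ spaces>value"; headings such as "Windows Boot Loader" do not match.
_ELEMENT_RE = re.compile(r"^(\S+)\s{2,}(.*)$")


def parse_bcd_objects(text: str) -> List[Dict[str, str]]:
    """Split bcdedit output into one dict per BCD object (boot manager, loaders, ...)."""
    objects: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or set(stripped) == {"-"}:
            continue  # blank line or the dashed underline of a heading
        match = _ELEMENT_RE.match(line)
        if match is None:
            current = {"_type": stripped}  # heading starts a new object
            objects.append(current)
            continue
        if not current:
            current = {"_type": "unknown"}  # elements before any heading
            objects.append(current)
        current[match.group(1)] = match.group(2).strip()
    return objects


def find_custom_elements(objects: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return every custom:XXXXXXXX element together with the object it lives in."""
    findings: List[Dict[str, str]] = []
    for obj in objects:
        ident = obj.get("identifier", "?")
        for key, value in obj.items():
            if key.lower().startswith("custom:"):
                code = key.split(":", 1)[1].lower()
                note = SUSPECT_ELEMENTS.get(code, "unknown custom element; verify before removing")
                findings.append({"identifier": ident, "element": key, "value": value, "note": note})
    return findings


def removal_commands(findings: List[Dict[str, str]], store: str = "") -> List[str]:
    """bcdedit commands that delete each flagged element (/store for an offline BCD)."""
    prefix = "bcdedit" + (f" /store {store}" if store else "")
    return [f"{prefix} /deletevalue {f['identifier']} {f['element']}" for f in findings]


def main(argv: List[str]) -> int:
    if argv and argv[0] == "--live":
        # Needs an elevated prompt; pass a store path (e.g. Y:\Boot\BCD) for an offline BCD.
        store = argv[1] if len(argv) > 1 else ""
        cmd = ["bcdedit"] + (["/store", store] if store else []) + ["/enum", "all"]
        text = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    else:
        store, text = r"Y:\Boot\BCD", SAMPLE_BCDEDIT_OUTPUT
    findings = find_custom_elements(parse_bcd_objects(text))
    for f in findings:
        print(f"{f['identifier']}: {f['element']} = {f['value']}  [{f['note']}]")
    for cmd in removal_commands(findings, store):
        print("  review, then run:", cmd)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with no arguments to see the constructed sample; with `--live` (optionally followed by a store path such as `Y:\Boot\BCD` when working from the recovery console against an offline store) it invokes bcdedit itself. Treat the output as leads, not verdicts: legitimate software can also write custom BCD elements, so confirm what an unknown element is before deleting it, and after any change re-enumerate the store to confirm the element is gone.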

#3 Injection_Mold

  • Topic Starter

  • Members
  • 4 posts

Posted 15 December 2012 - 12:44 AM

Hello Farbar, thank you for taking on my issue.

I let it reboot normally and am still receiving the BSOD listed above. One thing I left out is that the computer will not boot at all into Windows. Everything I do is at the cmd prompt from the Win7 disk. Any ideas?

Contents of Fixlog.txt

Fix result of Farbar Recovery Tool (FRST Written by Farbar) (x64) Version: 11-12-2012
Ran by SYSTEM at 2012-12-15 00:26:45 Run:1
Running from H:\Josh Temp\Farbar

=========================================

==== End of Fixing ====

Edited by Injection_Mold, 15 December 2012 - 12:51 AM.


#4 Farbar

  • Security Developer
  • 21,707 posts
  • Location:The Netherlands

Posted 15 December 2012 - 05:55 AM

You made a mistake when making the fixlist.txt, so the fix did nothing because there was no right script to process.

Please download the attached fixlist.txt (51 bytes).
Redo the step in previous post.

#5 Injection_Mold

  • Topic Starter

  • Members
  • 4 posts

Posted 17 December 2012 - 09:18 AM

Thank you, Farbar! I thought I had that fixlist.txt correct. Apparently I did not. After running the fix everything seems to be working properly. I really appreciate your help, Farbar.

Contents of fixlog.txt below.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-12-2012
Ran by SYSTEM at 2012-12-15 17:24:43 Run:2
Running from H:\Josh Temp\Farbar

==============================================


The operation completed successfully.
The operation completed successfully.

==== End of Fixlog ====

#6 Farbar

  • Security Developer
  • 21,707 posts
  • Location:The Netherlands

Posted 17 December 2012 - 12:30 PM

Great. :thumbup2:

The malware entry is removed. Do you want me to check the rest for any malware leftovers and vulnerabilities, like the fact that there seems to be no antivirus installed?

#7 Injection_Mold

  • Topic Starter

  • Members
  • 4 posts

Posted 17 December 2012 - 01:15 PM

This was a laptop I was working on, and I had just never used FRST64.exe before. So I got stuck when I went to use it because I failed to do my due diligence on what the proper procedures for using that software were. The laptop was heavily infected when I first got it. At the point of using FRST64.exe I was finishing up and the BSODs came about; I had tried other fixes with no luck and came across FRST64.exe. I have cleaned up some errors I was seeing in the event logs and I have also now put MSE on it. It should be good to go now. I really do appreciate your help, and FRST64.exe is a nifty lil piece of software.

#8 Farbar

  • Security Developer
  • 21,707 posts
  • Location:The Netherlands

Posted 17 December 2012 - 01:26 PM

Glad to hear it, and you are most welcome. :)

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a Private Message and I will reopen it for you.

If you should have a new issue, please start a new topic.

Everyone else should start a new topic.



