
FBI Virus / BSOD

Discussion in 'Virus & Other Malware Removal' started by UptheCreek, Dec 29, 2012.

Thread Status:
Not open for further replies.
  1. UptheCreek

    UptheCreek Thread Starter

    Joined:
    Dec 29, 2012
    Messages:
    25
    Kevin,

    Success. We are getting deep now!

    Here is the testdisk log:
    +++++++++++++++++++++++


    Tue Jan 1 15:12:25 2013
    Command line: TestDisk
    TestDisk 6.12-WIP, Data Recovery Utility, April 2010
    Christophe GRENIER <[email protected]>
    http://www.cgsecurity.org
    OS: Linux, kernel 2.6.31.2 (#5 SMP Mon Dec 7 11:56:35 UTC 2009) i686
    Compiler: GCC 4.4 - Jul 27 2010 17:00:22
    ext2fs lib: 1.41.9, ntfs lib: 10:0:0, reiserfs lib: 0.3.1-rc8, ewf lib: 20080501
    /dev/sda: LBA, HPA, LBA48, DCO support
    /dev/sda: size 156301488 sectors
    /dev/sda: user_max 156301488 sectors
    /dev/sda: native_max 156301488 sectors
    /dev/sda: dco 156301488 sectors
    Warning: can't get size for Disk /dev/mapper/control - 0 B - CHS 1 1 1, sector size=512
    /dev/sr0 is not an ATA disk
    Hard disk list
    Disk /dev/sda - 80 GB / 74 GiB - CHS 9729 255 63, sector size=512 - ATA ST980813AS
    Disk /dev/sdb - 8103 MB / 7728 MiB - CHS 1021 250 62, sector size=512 - SMI USB DISK
    Disk /dev/sr0 - 397 MB / 379 MiB - CHS 194262 1 1 (RO), sector size=2048 - HL-DT-ST CDRW/DVD GCC4244
    Partition table type (auto): Intel
    Disk /dev/sda - 80 GB / 74 GiB - ATA ST980813AS
    Partition table type: Intel
    Interface Advanced
    Geometry from i386 MBR: head=255 sector=63
    NTFS at 0/1/1
    get_geometry_from_list_part_aux head=255 nbr=2
    get_geometry_from_list_part_aux head=8 nbr=1
    get_geometry_from_list_part_aux head=16 nbr=1
    get_geometry_from_list_part_aux head=32 nbr=1
    get_geometry_from_list_part_aux head=64 nbr=1
    get_geometry_from_list_part_aux head=128 nbr=1
    get_geometry_from_list_part_aux head=240 nbr=1
    get_geometry_from_list_part_aux head=255 nbr=2
    1 * HPFS - NTFS 0 1 1 9728 254 63 156296322
    NTFS, 80 GB / 74 GiB
    ntfs_boot_sector
    1 * HPFS - NTFS 0 1 1 9728 254 63 156296322
    NTFS, 80 GB / 74 GiB
    NTFS at 0/1/1
    NTFS at 0/1/1
    filesystem size 156296322
    sectors_per_cluster 8
    mft_lcn 786432
    mftmirr_lcn 9768520
    clusters_per_mft_record -10
    clusters_per_index_record 1
    Boot sector
    Status: OK
    Backup boot sector
    Status: OK
    Sectors are identical.
    A valid NTFS Boot sector must be present in order to access
    any data; even if the partition is not bootable.
    ntfs_boot_sector
    1 * HPFS - NTFS 0 1 1 9728 254 63 156296322
    NTFS, 80 GB / 74 GiB
    NTFS at 0/1/1
    NTFS at 0/1/1
    filesystem size 156296322
    sectors_per_cluster 8
    mft_lcn 786432
    mftmirr_lcn 9768520
    clusters_per_mft_record -10
    clusters_per_index_record 1
    Boot sector
    Status: OK
    Backup boot sector
    Status: OK
    Sectors are identical.
    A valid NTFS Boot sector must be present in order to access
    any data; even if the partition is not bootable.
     
  2. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Is your version of XP an OEM version or a standard MS version? Is the copy of the XP CD an OEM version or a standard MS version?

    Next, do this please and attach the MBR.zip file....

    Download Dumpit from here: http://noahdfear.net/downloads/dumpit Save to your USB flash drive

    • Remove the USB flash drive and insert it in the sick computer
    • Boot the Sick computer
    • Press F12 and choose to boot from the USB
    • Follow the prompts
    • A Welcome to xPUD screen will appear
    • Press File
    • Expand mnt
    • Click on sdb1 (sdb1 represents the USB drive).
    • Double click on the dumpit file.
    • A black window will pop-up and it will dump and zip the MBR to your USB drive.
    • Press Enter to exit the black window.
    • Click on HOME tab and choose Power Off to turn off xPUD.
    • Remove the USB drive and insert it back on your working computer.
    • Locate the mbr.zip file in your USB drive and attach it when you reply.

    Kevin....(y)
     
  3. UptheCreek

    UptheCreek Thread Starter

    Joined:
    Dec 29, 2012
    Messages:
    25
    Kevin,

    Fail

    Clicking on your link to download dumpit results in opening a notepad document with computer gibberish:


    I went ahead and saved that notepad file and attempted the instructions, but it did not work.

    Efforts to find the download on Nofear.net did not work. It looks to be a behind the scenes website this forum uses.

    My XP CD is a copy of an OEM CD. My friend tells me his original CD went bad and his computer guy created a copy for him. It is a legit license.
     
  4. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
  5. UptheCreek

    UptheCreek Thread Starter

    Joined:
    Dec 29, 2012
    Messages:
    25
    Success
     

    Attached Files:

    • mbr.zip
      File size:
      2.1 KB
      Views:
      2
  6. Macboatmaster

    Macboatmaster Trusted Advisor Spam Fighter

    Joined:
    Jan 14, 2010
    Messages:
    22,409
  7. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Boot sector is good, MBR is also good. What exactly happens now if you try to boot the system in Normal mode? Ensure there are no CDs or USB sticks in use.

    Do you get a black screen with any alerts such as NTLDR is missing?
     
  8. UptheCreek

    UptheCreek Thread Starter

    Joined:
    Dec 29, 2012
    Messages:
    25
    OK.

    But please note that the other post - while on a similar topic - has nothing to do with this. On ANOTHER computer (my clean computer) I am trying to figure out how to be prepared.
     
  9. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    OK, I see this reply...

    Edit... Also see reply from Cookiegal...
     
  10. UptheCreek

    UptheCreek Thread Starter

    Joined:
    Dec 29, 2012
    Messages:
    25
    It starts to boot.

    Then a screen comes up that says:

    We apologize for the inconvenience but Windows did not start successfully. A recent hardware or software change might have caused that.

    Blah, blah, blah

    It then asks me if I want to boot into safe mode, safe mode with networking, safe mode with command prompt or start windows normally.

    Starting normally results in the BSOD. 0x0000007b

    The BSOD screen appears immediately. (Immediately, as if a virus is directing the computer to put up that screen. -- that is just a guess/description -- but I want to give you a feel for the computer's behavior.)

     
  11. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    As you are probably aware, 0x0000007b errors can mean several things; as there were already known viral issues, that was an issue that needed checking first.
    I did expect maybe the system restore would help; that was a negative. Obviously the boot sector and MBR also needed checking; they both appear to be OK.

    That error can also indicate a possible hardware issue, possibly even the hard drive. You do have an XP CD available, so I would like to see if you can boot to the recovery console and do some checks.....

    • Place in your Windows XP Installation CD, and reboot.

      You should see this:

      [​IMG]

      If you don't see the above, try pressing the F10 or F12 keys during boot and selecting the CDRom device from the list.
      If that doesn't work, enter BIOS Setup by pressing the F1, F2, F10 or Del key during boot and modifying the
      Boot Order or Boot Priority to make the CD/DVD first boot device and the HD second.
    • Press any key to start Windows Setup (Don't worry.. we're not actually using setup at this point)
    • Wait a while for setup to start, until you see the following screen, then press the R key.


      [​IMG]

    • Wait until you see this screen, and enter the number of your main installation. (Typically 1 for C:\Windows)


      [​IMG]
    • Press Enter.
    • If prompted to do so, enter your Administrator password. If you don't have one, leave it blank and press enter.
    • From the command prompt, type CHKDSK /R /F hit the enter key. ***Note the space between CHKDSK and /R also /R and /F
    • let that run, type EXIT then hit enter key..
    • Remove the CD and re-boot

    Let me know if that makes any difference...

    Kevin
     
  12. UptheCreek

    UptheCreek Thread Starter

    Joined:
    Dec 29, 2012
    Messages:
    25
    Kevin,

    I have followed these directions.

    I successfully did them until the very last direction.

    Where you asked me to:

    > If prompted to do so, enter your Administrator password. If you don't have one, leave it blank and press enter.
    > From the command prompt, type CHKDSK /R /F hit the enter key. ***Note the space between CHKDSK and /R also /R and /F

    I was prompted for an Admin password and I do not have one. I entered the command CHKDSK /R /F (space between the command and the R and the F).

    The computer responded "Command parameters not valid."
     
  13. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Yep, sorry about that. Can you run that again, this time as chkdsk /f /r? I have written the script incorrectly. This is the link I use: http://www.ehow.com/way_5478963_xb-error-fix.html

    A colleague is actually querying the context of that fix for XP. I'm not 100% sure myself. Try again with the re-written script; if it comes back as an error again I'll ask my colleague for advice...
     
  14. Macboatmaster

    Macboatmaster Trusted Advisor Spam Fighter

    Joined:
    Jan 14, 2010
    Messages:
    22,409
  15. UptheCreek

    UptheCreek Thread Starter

    Joined:
    Dec 29, 2012
    Messages:
    25
    Kevin,

    First the R and F issue.

    The script on the ehow tech is wrong.

    I started inputting all possible combinations of chkdsk, /r , /f, and spaces.

    The bingo winner: chkdsk /r/f (Space after chkdsk but not between /r and /f.)

    Back to the computer issue....

    The chkdsk is at 71% and climbing slowly.

    I am sending this without any further info so that you and your colleagues do not spend time figuring r and f stuff.

    I will report the results when they arrive.
     

Short URL to this thread: https://techguy.org/1082913
