BSOD cannot boot in regular or safe mode

Discussion in 'Software' started by barkeep68, Apr 15, 2012.

  1. barkeep68

    barkeep68 Private E-2

    The BSOD states:
    A problem has been detected and windows has been shut down to prevent damage to your computer.
    Tech Info:
    STOP: 0x0000007B (0xF789E524, 0xC0000034, 0x00000000, 0x00000000)

    I had a number of infections that Spybot and Malwarebytes found and fixed; McAfee didn't find anything. I kept looking around for some of my same issues that still persisted: all files hidden, administrator tools empty, cannot run a system restore. I came across your forum that referenced one of my issues and I downloaded ComboFix, ran it, and while it was running the BSOD came up. I tried to reboot in safe mode but still receive the BSOD.

    At this moment I am running chkdsk /r from the recovery console.

    I originally posted in the malware forum, but I think I need to resolve the boot issue before I can address any malware issues. Is that correct?

    Any help would be greatly appreciated.

    OS:XP
     
  2. sach2

    sach2 Major Geek Extraordinaire

    If the chkdsk doesn't help, which it might:

    7B is often associated with SATA drivers. If you can find your SATA configuration in BIOS, it might be worth a try to set it to ATA or IDE emulation.

    If you give the model of computer or motherboard we might be able to figure out where the setting would be in BIOS. Usually it is under Drives or something like that.

    I'm not sure that the setting switch on a running OS will help but it couldn't hurt to give it a quick try.
     
  3. satrow

    satrow Major Geek Extraordinaire

    0x7B is a common post-partial malware cleanup problem, for instance: the entry point for the malware is still there, say shell='infected system file', that file has been deleted during a cleanup but it's called at boot = BSOD.

    Some generic drivers that may be affected that are vital to Windows are disk, classpnp, ftdisk, partmgr, and FAT or NTFS; there will be others specific to your hardware, esp. SATA and newer tech. Running SFC or a Windows Repair might help, as might multiple uses of 'Last Known Good' to reload old Registry hives prior to infection.

    If you can access the drive from another computer or boot disk, you may be able to find the logs from the malware programs, which are likely to point out the infected file(s) that need to be reinstated from backups.
     
  4. barkeep68

    barkeep68 Private E-2

    Would you recommend running chkdsk /f prior to changing BIOS? I was at a screen where I ran a diagnostic on the memory and there was an option for BSOD. In both instances the SATA confidence test was skipped; however, at the conclusion of each test the report was no problems. I don't know if this is important.

    I believe I know where to find the SATA settings, it was on the screen prior to getting to the above mentioned tests.
     
  5. barkeep68

    barkeep68 Private E-2

    satrow, I have attempted a couple of times "Last Known Good" and I kept receiving the BSOD. The only malware program logs that would have been generated prior to the BSOD would be Malwarebytes. I am working off of a laptop, my desktop is down, so I think I could access the but I don't know how to access the drive of the down computer.

    Regarding running SFC or Windows repair, if those are programs, I don't know how to run them since I can't get the computer to boot up. The only thing I have access to is the Windows Recovery Console.
     
  6. sach2

    sach2 Major Geek Extraordinaire

    If you have done chkdsk /r then no need to do chkdsk /f. The /f is included in the more extensive /r scan.

    Changing the SATA setting won't change anything on the XP drive so if it doesn't help just change it back.

    Edit: See if Satrow can help you more thoroughly. The SATA change was my only suggestion to see if it can jump start you into Windows for further troubleshooting. If it doesn't work then satrow may have better options.
     
  7. barkeep68

    barkeep68 Private E-2

    sach2, I will attempt to change the SATA settings and see if that helps. Thanks for the assistance.
     
  8. barkeep68

    barkeep68 Private E-2

    I ran LISTSVC in recovery console and this came up:
    abp480n5-disabled
    accoca-auto
    ACDaemon-auto
    ACPIEC-disabled
    adpu160m-disabled
    aec-manual
    Afc-manual
    AFD-system
    agp440-disabled
    agpCPQ-disabled
    Aha154x-disabled
    aic78u2-disabled
    aic78xx-disabled
    Alerter-manual
    ALG-manual
    ALG-manual
    AliIde-disabled
    alim1541-disabled
    amdagp-disabled
    amsint-disabled
    AOL ACS-auto
    AppMgmt-manual
    asc-disabled
    asc3350p-disabled
    asc3550-disabled
    aspnet_state-manual
    AsyncMac-manual
    atapi-boot
    Atdisk-disabled
    Atmarpc-manual
    AudioSrv-auto
    audstub-manual
    bcgame-manual
    Beep-system
    BITS-auto
    Browser-maual
    bvrp_pci-manual
    catchme-manual
    cbidf-disabled
    cbidf2k-disabled
    CCDECODE-manual
    cd20xrnt-disabled
    Cdaudio-system
    Cdfs-disabled
    Cdrom-system
    CertPropSvc-auto
    cfwids-manual
    Changer-system
    CiSvc-manual
    ClipSrv-manual
    clr_optimization_v2.0.50727_32-manual
    clr_optimization_v4.0.30319_32-auto
    CmdIde-disabled
    COMMONFX.DLL-auto
    COMSysApp-manual
    Cpqarray-disabled
    CryptSvc-auto
    dac2w2k-disabled
    dac960nt-disabled
    DcomLaunch-auto
    Dhcp-auto
    Disk-boot
    DLABOIOM-auto
    DLACDBHM-system
    DLADResN-auto
    DLAIFS_M-auto
    DLAOPIOM-auto
    DLAPoolM-auto
    DLARTL_N-system
    DLAUDFAM-auto
    DLAUDF_M-auto
    dmadmin-manual
    dmboot-disabled
    dmi-disabled
    dmload-disabled
    dmserver-manual
    DMusic-manual
    Dnscache-auto
    Dot3svc-manual
    dpti2o-disabled
    drmkaud-manual
    DRVMCDG-boot
    DRVNDDM-auto
    DSBrokerService-manual
    DSproct-manual
    dsunidrv-auto
    E100B-manual
    EapHost-manual
    ERSvc-auto
    Eventlog-auto
    EventSystem-manual
    Fastfat-disabled
    FastUserSwitchingCompatibility-auto
    Fax-manual
    Fdc-manual
    Fips-system
    Flpydisk-manual
    FltMgr-boot
    FontCache3.0.0.0-manual
    Fs_ec-system
    Ftdisk-boot
    Gpc-manual
    gupdate-auto
    gupdatem-manual
    HDAudBus-manual
    helpsvc-auto
    HidServ-auto
    HidUsb-manual
    hkmsvc-manual
    hpn-disabled
    hpqcxs08-manual
    hpqddsvc-auto
    HPSLPSVC-manual
    HPZid412-manual
    HPZipr12-manual
    HPZius12-manual
    HSFHWBS2-manual
    HSF_DP-manual
    HTTP-manual
    HTTPFilter-manual
    i2omgmt-system
    i2omp-disabled
    i8042prt-system
    IDriverT-manual
    idsvc-manual
    Imapi-system
    ImapisService-manual
    ini910u-disabled
    IntelIde-disabled
    intelppm-system
    Ip6Fw-manual
    IpFilterDriver-manual
    IpInIp-manual
    IpNat-manual
    IPSec-system
    IRENUM-manual
    isapnp-boot
    JavaQuickStaterService-auto
    Kbdclass-system
    kbdhid-system
    kmixer-manual
    KSecDD-boot
    lanmanserver-auto
    LanmanWorkstation-auto
    lbrtfdc-system
    LmHosts-auto
    McAfee SiteAdvisor Service-auto
    McAWFwk-manual
    McMPFSvc-auto
    mcmscsvc-auto
    McNaiAnn-auto
    McNASvc-auto
    McODS-manual
    McOobeSv-disabled
    McProxy-auto
    McShield-auto
    MDC8021X-auto
    MDM-auto
    mdmxsdk-auto
    Messenger-auto
    mfeapfk-manual
    mfeavfk-manual
    mfeavfk01-manual
    mfedbopk-manual
    mfefire-auto
    mfefirek-manual
    mfehidk-boot
    mfendisk-manual
    mfendiskmp-manual
    mferkdet-manual
    mfetdi2k-system
    mfevtp-auto
    Microsoft Office Groove Audit Service-manual
    mnmdd-system
    mnmsrvc-manual
    Modem-manual
    MODEMCSA-manual
    Mouclass-system
    mouhid-manual
    MountMgr-boot
    mraid35x-disabled
    MRxDAV-manual
    MRxSmb-system
    MSDTC-manual
    Msfs-system
    MSHUBSBVideo-manual
    MSIServer-manual
    MSKSSRV-manual
    MSPCLOCK-manual
    MSPQM-maual
    mssmbioa-manual
    MSTEE-manual
    Mup-boot
    NABTSFEC-manual
    napagent-manual
    NDIS-boot
    NdisIP-manual
    NdisTapi-Manual
    Ndisuio-manual
    NdisWan-manual
    NDProxy-manual
    Net Driver HPZ12-auto
    NetBIOS-system
    NetBT-system
    NetDDE-manual
    NetDDEdsdm-manual
    Netlogon-manual
    Netman-manual
    NetSvc-manual
    NetTcpPortSharing-disabeld
    Nla-manual
    NPF-manual
    Npfs-system
    Ntfs-disabled
    NtLmSsp-manual
    NtmsSvc-manual
    NuidFltr-manual
    Null-system
    nv-manual
    nvsvc-auto
    NwlnkFlt-manual
    NwlnkFwd-manual
    odserv-manual
    ose-manual
    PalmUSBD-manual
    Parport-manual
    PartMgr-Boot
    ParVdm-disabled
    PCI-boot
    PCIDump-system
    PCIIde-boot
    Pcmcia-disabled
    PDCOMP-manual
    PDFRAME-manual
    PDRELI-manual
    PDRFRAME-manual
    perc2-disabled
    perc2hib-disabled
    PlugPlay-auto
    Pml Driver HPZ12-auto
    PnkBstrA-auto
    PnkBstrB-auto
    PnkBstrK-Manual
    PolicyAgent-auto
    PptpMiniport-manual
    ProtectedStorage-auto
    ProtexisLicensing-auto
    PSched-manual
    Ptilink-manual
    PxHelp20-boot
    ql1080-disable
    Ql10wnt-disabled
    ql12160-disabled
    ql1240-disabeld
    ql1280-disabled
    RasAcd-system
    RasAuto-manual
    Ras12tp-manual
    RasMan-manual
    RasPppoe-manual
    Raspti-manual
    Rdbss-system
    RDPCDD-system
    rdpdr-manual
    RDPWD-manual
    RDsessMgr-manual
    redbook-system
    RemoteAccess-disabled
    RimUsb-manual
    RimVserPort-manual
    ROOTMODEM-manual
    RpcLocator-manual
    RpcSs-auto
    RSVP-manual
    SamSs-auto
    SCardSvr-auto
    Schedule-auto
    SCR3XX2K-manual
    Secdrv-manual
    seclogon-auto
    SENS-auto
    serenum-manual
    Serial-system
    Sfloppy-manual
    SharedAdccess-auto
    ShellHWDetection-auto
    Simbad-disabled
    sisagp-disabled
    SLIP-manual
    SONYPVU1-manual
    Sparrow-disabled
    splitter-manual
    Spooler-auto
    sr-boot
    srservice-auto
    Srv-manual
    SSDPSRV-manual
    SSFMONM-auto
    STHDA-manual
    StillCam-manual
    stisvc-auto
    streamip-manual
    swenum-manual
    swmidi-manual
    SwPrv-manual
    symc810-disabled
    symc8xx-disabled
    sym_hi-disabled
    sym_u3-disabled
    sysaudio-manual
    SysmonLog-manual
    TapiSrv-manual
    Tcpip-system
    TDPIPE-manual
    TDTCP-manual
    TermDD-system
    TermService-auto
    Themes-auto
    TlntSvr-manual
    TomTomHOMEService-auto
    TosIde-disabled
    TrkWks-auto
    TVICHW32-manual
    Udfs-disabled
    ultra-disabled
    Update-maual
    upnphost-manual
    UPS-manual
    usbaudio-manual
    usbccgp-manual
    usbehci-manual
    usbhub-manual
    usbprint-manual
    usbscan-manual
    USBSTOR-manual
    usbuhci-manual
    usbvideo-manual
    VgaSave-system
    ViaIde-disabled
    vkquwexg-boot
    VolSnap-boot
    VSS-manual
    w32time-auto
    Wanarp-manual
    wanatw-manual
    WDBtnMgrSvc.exe-auto
    Wdf01000-manual
    WDICA-manual
    wdmaud-manual
    WebClient-auto
    winachsf-manual
    winmgmt-auto
    WinRM-manual
    Winsock-manual
    wlidsvc-disabled
    WLSetupSvc-manual
    WmdmPmSN-manual
    Wmi-manual
    WmiApSrv-manual
    WMPNetworkSvc-manual
    WpdUsb-manual
    WPFFontCache_v0400-manual
    WS2IFSL-systme
    wscsvc-auto
    WSTCODEC-manual
    wuauserv-auto
    WudfPf-boot
    WudfRd-manual
    WudfSvc-auto
    WZCSVC-disabled
    X4HSX32-auto
    xmlprov-manual
    YahooAuService-auto

    These two look suspicious: vkquwexg-boot, VolSnap-boot
    Does any of this help identify the problem(s)?
     
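The listing above is long enough that eyeballing it is error-prone, and satrow's earlier post names the drivers (disk, classpnp, ftdisk, partmgr, FAT, NTFS) whose state matters most for a 0x7B. The following script is an added example, not code from this thread or from MajorGeeks: it parses text in the same "name-starttype" shape as the LISTSVC output, tolerates the hand-typed oddities visible above (a capitalised "Boot", misspelled start types, names containing spaces), reports the start type of each driver satrow listed for a human to judge, and flags boot-start drivers whose names look machine-generated. The "looks random" test (all-lowercase alphabetic name of 7+ letters with a run of three consonants) is a heuristic I chose for this example; the sample lines are a constructed subset of the thread's listing.

```python
import re

# Constructed sample in the same shape as the Recovery Console LISTSVC output
# quoted in the thread: a subset of the real lines plus the malformed ones.
SAMPLE_LISTSVC = """\
atapi-boot
Disk-boot
Fastfat-disabled
FltMgr-boot
Ftdisk-boot
isapnp-boot
KSecDD-boot
mfehidk-boot
MountMgr-boot
Ntfs-disabled
PartMgr-Boot
PCIIde-boot
ql1080-disable
ql1240-disabeld
sr-boot
vkquwexg-boot
VolSnap-boot
WS2IFSL-systme
Net Driver HPZ12-auto
"""

# Start types the Recovery Console prints; anything else is a transcription
# error or something worth a second look, so it is reported rather than guessed.
START_TYPES = {"boot", "system", "auto", "manual", "disabled"}

# Drivers satrow names as vital to booting. Their start types are reported for
# human review only; the script does not decide what the "right" value is.
VITAL_DRIVERS = ("disk", "classpnp", "ftdisk", "partmgr", "fastfat", "ntfs")

VOWELS = set("aeiouy")


def parse_listsvc(text):
    """Parse 'name-starttype' lines into ({name: starttype}, [unparsed lines]).

    Splits on the LAST hyphen so names with spaces or dots survive intact,
    and lowercases the start type so 'PartMgr-Boot' parses like the rest.
    """
    entries, unparsed = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        name, sep, start = line.rpartition("-")
        start = start.lower()
        if not sep or start not in START_TYPES:
            unparsed.append(line)
            continue
        entries[name] = start
    return entries, unparsed


def looks_random(name, min_len=7, consonant_run=3):
    """Heuristic (this example's own choice): an all-lowercase alphabetic name
    of at least min_len letters containing a run of consonant_run consonants.
    Real XP boot drivers in the thread (atapi, mfehidk, isapnp, sr) pass;
    'vkquwexg' does not."""
    if len(name) < min_len or not name.isalpha() or not name.islower():
        return False
    run = 0
    for ch in name:
        run = 0 if ch in VOWELS else run + 1
        if run >= consonant_run:
            return True
    return False


def suspicious_boot_drivers(entries):
    """Boot-start entries whose names look generated; sorted for stable output."""
    return sorted(n for n, s in entries.items() if s == "boot" and looks_random(n))


def vital_driver_report(entries):
    """Start type of each vital driver (case-insensitive), or 'not listed'."""
    lower = {n.lower(): s for n, s in entries.items()}
    return {d: lower.get(d, "not listed") for d in VITAL_DRIVERS}


if __name__ == "__main__":
    entries, unparsed = parse_listsvc(SAMPLE_LISTSVC)
    print("parsed entries:", len(entries))
    print("unparsed lines (check for typos):", unparsed)
    print("vital drivers:", vital_driver_report(entries))
    print("boot-start names that look generated:", suspicious_boot_drivers(entries))
```

Run against the full listing in the post, the "unparsed lines" output would catch the typed start types that do not exist (disable, disabeld, maual, systme) so they can be re-read from the console rather than misjudged, and the only boot-start name the heuristic flags is the one thisisu comments on next. A name failing the heuristic proves nothing on its own; it only orders the listing by what deserves a look first.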
  9. barkeep68

    barkeep68 Private E-2

    satrow, can I run SFC or Windows repair from the recovery console in XP? All I can access is the recovery console.
     
  10. thisisu

    thisisu Malware Consultant

    vkquwexg shouldn't be there, however, it may be a temporary driver used by ComboFix. Volsnap and the rest you listed are legit.

    Since you say the PC BSOD'd while it was running ComboFix, let's try to disable this driver to see if it helps at all.

    Try this command while in the recovery console and press ENTER afterwards:
    • disable vkquwexg
    Then type exit to attempt to reboot normally.
     
  11. barkeep68

    barkeep68 Private E-2

    Response:
    The registry entry for the vkquwexg service was found. The service currently has start_type SERVICE_BOOT_START.

    The new start_type for the service has been set to SERVICE_DISABLED.

    Attempted normal re-boot, result was BSOD. Attempted re-boot in safe mode, result was BSOD.
     
  12. thisisu

    thisisu Malware Consultant

    Hrm :|

    I would try these commands next:

    • fixmbr (warning appears, press Y for yes)
    • fixboot (are you sure? Y for yes)
    • exit
     
  13. barkeep68

    barkeep68 Private E-2

    Same result, BSOD in normal and safe mode.
    chasling over in malware forum, which is where I originally started, suggested:

    I suggest that you try following the procedure in the below link to see if fixing your MBR helps:

    Fix MBR using ARCDC
     
