Recurring BSOD - checking for malware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by victorydoc, Nov 10, 2011.

  1. victorydoc

    victorydoc Private E-2

    Hello Major Geeks,

    Sorry to have to return, but don't know if it is better to have a hardware failure or malware.

    Recently, I have been experiencing repeated BSOD, with either 7A or F4 stop appearing, typically after resuming from Standby or upon starting. Could've sworn there was a sticky on the Software forum on how to deal with this, but couldn't find it.

    Asked Prof. Google how to proceed and while I read a MS KB article that suggested these stop codes are related to hardware issues, other posts implied the 7A stop is associated with viruses.

    So, prior to heading off to the hardware section, I wanted to make sure it wasn't a malware issue, that I need to change passwords, and that my HD is not failing.

    Ran the R&R and it went well, with 2 exceptions:

    1. After Combofix ran and re-booted, I got multiple messages stating that, "Windows cannot find 'NIRKMD'. Make sure you typed the name correctly and then try again. To search for a file, click the start button and then click search."

    2. Root Repeal did not run. Got a message, "Could not read the boot sector. Try adjusting the disk access level in the options dialog."

    Thanks in advance.
     


  2. thisisu

    thisisu Malware Consultant

    Now we need to run TDSSKiller by Kaspersky.
    Follow the instructions here and attach your log when you are finished. (How to attach items to your post)


    Please download MBRCheck by GeeksToGo to your desktop.
    See the download links under this icon.
    • Double click MBRCheck.exe to run (Vista and Win7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (How to attach items to your post)
     
  3. victorydoc

    victorydoc Private E-2

    Hi thisisu,

    Thanks for the rapid reply. Appreciate the help.

    TDSSKiller found no problems.

    MBRCheck found a non-standard/infected MBR. I looked at the options and then promptly exited.

    I wonder if this makes a difference - my entire drive is encrypted and there is a "boot guard", in which after the Dell stuff flashes through, a PGP screen pops up before Windows even loads.

    Do you think that this might be the cause for MBRCheck's flag?

    Thanks again!
     

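To show what a "non-standard or infected MBR" verdict actually rests on (the MBRCheck step above) and why a PGP pre-boot loader can trigger it, here is an added example that is not part of this thread or of MBRCheck: it parses a 512-byte MBR image, validates the 0x55AA signature and partition table, and compares a hash of the bootcode against a baseline of known loaders. The baseline, the bootcode bytes and the partition layout are all constructed test data, not values taken from a real disk.

```python
import hashlib
import struct

SECTOR = 512
PART_TABLE_OFF = 446          # bootcode occupies bytes 0..445
BOOT_SIG = b"\x55\xaa"        # bytes 510..511 of a valid MBR

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a bootcode hash, the partition table and a signature check."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        # entry: boot flag, 3 CHS bytes, type, 3 CHS bytes, LBA start, sector count
        flag, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype:  # type 0x00 marks an unused slot
            parts.append({"slot": i, "bootable": flag == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {"signature_ok": sector[510:] == BOOT_SIG,
            "bootcode_sha256": hashlib.sha256(sector[:PART_TABLE_OFF]).hexdigest(),
            "partitions": parts}

def classify_mbr(sector: bytes, known_good: dict) -> str:
    """Give an MBRCheck-style verdict by comparing bootcode against a baseline of known loaders."""
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return "invalid: missing 0x55AA boot signature (unreadable or damaged sector)"
    label = known_good.get(info["bootcode_sha256"])
    if label:
        return "standard: " + label
    # Unknown bootcode is either malware or a legitimate pre-boot loader such as
    # PGP Whole Disk Encryption; only a baseline from that vendor can tell them apart.
    return "non-standard: bootcode not in baseline"

def build_sector(bootcode: bytes, partitions, signed: bool = True) -> bytes:
    """Assemble a constructed MBR image (test data only, not read from a real disk)."""
    table = b"".join(struct.pack("<B3xB3xII", 0x80 if boot else 0, ptype, lba, count)
                     for boot, ptype, lba, count in partitions)
    return (bootcode.ljust(PART_TABLE_OFF, b"\x00")[:PART_TABLE_OFF]
            + table.ljust(64, b"\x00") + (BOOT_SIG if signed else b"\x00\x00"))

# Constructed baseline: placeholder bootcode standing in for a known-good loader.
XP_LAYOUT = [(True, 0x07, 63, 156296322)]          # one bootable NTFS partition, ~80GB
CLEAN = build_sector(b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 20, XP_LAYOUT)
KNOWN_GOOD = {hashlib.sha256(CLEAN[:PART_TABLE_OFF]).hexdigest(): "constructed XP baseline"}
TAMPERED = build_sector(b"\xfa\x33\xc0\x8e\xd0\xeb\x00", XP_LAYOUT)  # bootcode differs

if __name__ == "__main__":
    for name, img in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, "->", classify_mbr(img, KNOWN_GOOD), parse_mbr(img)["partitions"])
```

A real baseline would hold hashes of the stock Windows bootcode and of whatever encryption or boot-manager loader is legitimately installed, which is why an encrypted laptop needs its vendor's loader in the baseline before a "non-standard" result can be read as infection.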

  4. thisisu

    thisisu Malware Consultant

    I doubt that is the reason why the MBR is reported as unknown.

    I think we should restore a clean Windows XP MBR to see if that will help as having an infected MBR will often times lead to BSODs.

    There are also some minor traces of malware in your logs if I recall correctly.

    Do you have your data backed up? As attempting to repair the MBR and it failing will sometimes cause the PC not to boot up afterwards. Typically it is not a problem and can be fixed, I'd just rather be safe.

    Please attach the TDSSKiller log, even though it didn't report anything.
     
  5. victorydoc

    victorydoc Private E-2

    Hi thisisu,

    I ran TDSSKiller again and I copied the results into a Notepad file. Where should it have been?

    All my data is backed up and ready to hold my nose and jump in.

    Just for my own education, which files were suspicious/malware? I saw that Combofix had removed some files, none of which I thought were malicious.

    Thanks again.
     


  6. thisisu

    thisisu Malware Consultant

    YOU HAVE AN INFECTED MASTER BOOT RECORD (MBR)!

    _________________________________________________________________
    WARNING

    MBR infections are only worsening and sometimes (rarely) make the computer unbootable after attempting to correct it. We recommend that you back up your data beforehand. Then continue with the below if you wish to attempt to remove this infection:
    _________________________________________________________________

    Do you have your Windows XP CD? We need it to restore a clean MBR.
    If you do not have your Windows XP CD, you can create one with the Recovery Console (which is really all we need), here: Download Windows XP Recovery Console

    Then see if you can boot from this CD and get into the Recovery Console. See the second section in the below link where it says "How to use the Recovery Console"

    http://support.microsoft.com/kb/307654

    If you can get to the command prompt of the Recovery Console, type fixmbr and hit enter. After it finishes type exit to reboot and remove the CD to allow Windows to boot normally.

    If you were able to run fixmbr, rerun MBRCheck and attach a new log. Also tell me how things are working.
     
  7. thisisu

    thisisu Malware Consultant

    Do the above first and then I'll give you a script to remove any leftovers. Sometimes an infected MBR will prevent us from removing certain files until it is fixed.
     
  8. victorydoc

    victorydoc Private E-2

    I have a bunch of Dell CDs, as well as a disk that I made that is labeled XP Recovery Console. I made it a while ago.

    Just to make sure I am doing this correctly:

    1. Is this different from the Recovery Console made with the Combofix step?
    2. Should I go into the BIOS to change the order to start up from the disk?
     
  9. thisisu

    thisisu Malware Consultant

    The only difference is that the one created by ComboFix is on the hard drive, and the one we want you to use is from a CD. We have much higher success rates if you are using the CD version.
    Yes. CD/DVD-rom should be first.
     
  10. victorydoc

    victorydoc Private E-2

    Hi thisisu,

    I hope you are still there. Went through it as directed, entered fixmbr, and now I get "Error loading operating system." Doing this through iPhone. Please help!
     
  11. thisisu

    thisisu Malware Consultant

    Well that's not good.

    Try this command while in the recovery console:
    bootcfg /rebuild

    Let me know what appears when you type this and press ENTER.
     
  12. victorydoc

    victorydoc Private E-2

    A whole bunch of commands came up and now I'm at the c:\> prompt.
     
  13. thisisu

    thisisu Malware Consultant

    When you type in bootcfg /rebuild

    You should see something like the below:
    [screenshot]
    Is this what you are seeing?

    If you are at the command prompt, it sounds like you didn't type the command correctly. There is only a space AFTER the bootcfg part.
     
  14. victorydoc

    victorydoc Private E-2

    I had typed in /rebuildbcd.

    Alas, when I typed in bootcfg/ rebuild, I get the following:
    Error: Failed to successfully scan disks for Windows installations. This error may be caused by a corrupt file system, which would prevent Bootcfg from successfully scanning. Use chkdsk to detect any errors.

    Note: this operation must complete successfully in order for the /add or /rebuild commands to be utilized.

    I hope that there is some hope. I can't tell you how worried I am...
     
  15. thisisu

    thisisu Malware Consultant

    This basically reiterates what BSOD 0xF4 was telling you. The notes I have on this specific BSOD indicate a heavily corrupted hard disk / failing hard drive. It is a good thing you already have the data pulled off from it.

    We can try to resolve this as a temporary fix but you most likely will need to obtain a new hard drive fairly soon.

    Run the below command from the recovery console command prompt: chkdsk c: /r
    There is one space after chkdsk and then one more space after c:
    This will take a while. You have an 80GB hard drive; I'd imagine it would take you at least an hour and a half, especially if it is heavily corrupted, which I think it is.
     
  16. victorydoc

    victorydoc Private E-2

    No, it didn't take long, as it instantly replied, "The volume appears to contain one or more unrecoverable problems."

    Did the fixmbr do this?
     
  17. thisisu

    thisisu Malware Consultant

    No, chkdsk reports this because the drive is failing. It probably has multiple bad sectors on it.

    RootRepeal looks like it had trouble reading certain parts of it too:
    What you might want to try is doing fixmbr again in the recovery console. Sometimes it does not work the first time around.

    But at this point I do think your problems are hardware related.
     
  18. victorydoc

    victorydoc Private E-2

    Tried that also. Even dug out the original Dell SP2 CDs. No dice. This sucks. Can't believe it went down so quickly.

    Thanks for hanging in there with me. If by some miracle an idea pops up let me know. Otherwise, will sign off. Have a good night.
     
  19. thisisu

    thisisu Malware Consultant

    Just out of curiosity, how long have you been receiving this 0xF4 BSOD? Days? Weeks? Months?

    Oh, you tried reinstalling with the Dell recovery CDs and those failed too? Definitely sounds like a failed hard drive.

    No problem. Sorry things did not go our way.
     
  20. victorydoc

    victorydoc Private E-2

    Hi thisisu,

    Again, thanks for all your help.

    To answer your question, this all occurred in less than 48 hours. Tuesday night, no problems working on the 'puter. Wednesday AM, turned on the laptop, got those dreaded high-pitched beeps with an error message stating the hard-drive could not be found, followed by the mad dash to find the "any" key to retry, restart, or abort. ;-)

    It was able to boot up, I backed up all of my data (have a back-up drive at work and at home), and then got intermittent BSODs with either the 7A or F4, either upon restart or from standby. Odd thing is that running chkdsk upon restart found no problems. Now, it is a paper-weight. The temporal relation between fixmbr and then it totally dying is a kicker.

    Any chance there's a broken or loose cable? Would the Hardware forum be useful??? I know I'm grasping, but I've a ton of work due within a week and don't have the time to get a new laptop.

    Thanks.
     
  21. thisisu

    thisisu Malware Consultant

    What I would do, is see if BIOS is able to see the hard drive anymore.

    However, since you said you tried to reload the computer using your Dell Factory/recovery CDs and that failed, I am fairly confident the hard drive has failed.

    I am pretty confident if you were to try to run a hard drive diagnostic tool such as Spinrite on it, that it would get stuck on the very first sector for hours if not days.

    Sorry, I wish there was more I could do.
     
