BSOD on boot, Win7 Fails to start

Discussion in 'Software' started by May_Chile, May 4, 2011.

  1. May_Chile

    May_Chile Private E-2

    Initially I was in the malware section because I had something called "click.giftload". It was causing several BSODs with codes: 0x000000a0 internal_power_error and irql_not_less_or_equal. I did a bootrec /fixmbr & now I cannot get Win7 to boot.

    Every time "starting windows" appears, I get a BSOD with this code: 0x0000007B (0x80786B58, 0xc000000D, 0x00000000, 0x00000000); there is no message or anything associated. I have a Toshiba Satellite a305-s6905 that came with Win Vista and was upgraded to Win 7 Prof 32-bit. I only have a RECOVERY disc. The installation disc isn't in my possession and I am not able to obtain it (person who has it, my uncle, is in Kuwait (air force)) so any help to at least boot it is appreciated.

    Oh I've tried startup repair and was told windows cannot repair the system. I looked at the details and it says startup repair is "offline"? System restore doesn't do anything either. It says: root cause found -> boot status indicates that the OS booted successfully...well, it didn't. :(

    Under the Bugcheck analysis it says that THAT root cause is Unknown Bugcheck: Bugcheck a0. Parameters = 0x1, 0x6, 0x870f02c0, 0x0. Repair action: System Restore. Result: failed. Error code: 0x490. Same error code for repair action: system files integrity check and repair.
     
    Last edited: May 4, 2011
  2. satrow

    satrow Major Geek Extraordinaire

    Could you boot from your Recovery CD, go to the command Prompt again and run bootrec /scanos please, then report back on the resulting message?
     
  3. May_Chile

    May_Chile Private E-2

    Okay, just to let you know EXACTLY what I did: when I went to command prompt, I had x:\windows\system32>c:

    I changed it to just C:\ (I was instructed to do that in the other forum..let me know if I should have left it at the x:\windows\system32>C:)

    message was:
    "successfully scanned windows installations.
    Total identified windows installations: 0
    the operation completed successfully."

    Is it possible that my Windows 7 was installed in another place, or has it been wiped? I believe I caught the same master boot sector virus that many others have, but malware forum is out of options for me so I came here.
     
  4. satrow

    satrow Major Geek Extraordinaire

    Hmm, what happens if you go back to the C: prompt and enter dir?
     
  5. May_Chile

    May_Chile Private E-2

    It states:

    C:\>dir
    volume in drive C is System Reserved
    volume Serial Number is 7A9D-EA98

    Directory of C:\
    8/13/2010 08:21PM <DIR> Temp
    0 file(s) 0 bytes
    1 dir(s) 73,469,952 bytes free
     
  6. satrow

    satrow Major Geek Extraordinaire

    Now do bootrec /RebuildBcd, what's the message?
     
  7. May_Chile

    May_Chile Private E-2

    "Successfully scanned Windows installations. Total identified Windows installations: 0. The operation completed successfully."
     
  8. satrow

    satrow Major Geek Extraordinaire

    Ok, so it looks like we have a problem, a big problem.

    Try changing to D:, E:, F:, etc. and run a dir on any drive you find, noting down the full details reported as you did earlier.

    I'm trying to work out if there's any data locked away on another partition, the Tosh pdf for that model laptop states that it has a 320GB hard drive: the dir you ran on C: indicates that C: is only the equivalent of an 80GB drive. Could you remove the drive and check the label for the model number or check the details given in the BIOS for it?

    Do you have access to another PC to download tools and burn them to a CD?
     
  9. satrow

    satrow Major Geek Extraordinaire

    Sorry, I should have mentioned how to switch from C: to D:, etc. without rebooting.

    From the prompt, cd d: should switch the prompt to the D:, cd Q: should take you to Q:, etc. (if I remembered that correctly).
     
  10. May_Chile

    May_Chile Private E-2

    Okay, I've done as you said:
    d:\ has 9 files on it and 10 directories. The directories are: 32788r22fwjfw (whatever THAT is), Intel, MGTools, mySQL, perflogs, program files, temp.ricoh, toshiba update, users, and windows. The 9 files are: 24 autoexec.bat, 10 config.sys, 109 mbam-error.txt, there are six 2,022 TDSSKiller.2.4.21 etc.

    Drive E:\ recognizes that it's a repair disc with 1 file and 2 directories.

    Drive F:\ isn't specified.

    I do have a desktop available. I will be honest and say that I am currently downloading a copy of Win 7 Prof 32-bit (not admirable, I know..I am highly desperate). I do not plan to use it until you or someone else on this forum cannot aid me. If I have to do a factory reset and wind up back with Vista..well, that's a last resort. I have read somewhere that those who have Win7 preinstalled can actually burn a copy of their installation from within their hard drive or something. Is that true? If so, perhaps I can get a friend to do that. Thank you so much for helping me btw. I'm listening..what's next?
     
  11. satrow

    satrow Major Geek Extraordinaire

    D: is your Windows System drive, that's fine, if you can connect that drive to your desktop PC, you should be able to recover any vital files. E: looks like it's the original Vista recovery partition.

    Judging by what we can see of your MBR/bootsector, I'm not sure if the Vista recovery will be successful, or whether the hard drive will be usable as a boot drive.

    Providing that your downloaded W7 is the same version as your original, you should be able to use your own key to install it and it should validate successfully. The downloaded version may not be exactly as intended by MSFT though - it could be carrying more than you expect.
     
  12. May_Chile

    May_Chile Private E-2

    Yes, it is literally Windows 7 Professional 32-bit that I am downloading via torrent :/

    Pretty much, was my Windows 7 OS deleted? That's what it seems like. If this CD does start a new and clean Win 7 install, would EVERYTHING be wiped, including any trojans, viruses etc? It will be finished downloading in another hour. I will burn it and try to run it on my laptop. I will report back and let you know how it goes.
     
  13. satrow

    satrow Major Geek Extraordinaire

    No, Windows wasn't deleted, but the ability of the computer to access it to boot from was lost - something (likely to be malware) screwed up the MBR > partition table > Windows boot files route, is my guess.
     
  14. sach2

    sach2 Major Geek Extraordinaire

    Hi,

    I don't know if this would be helpful or not. (The problem being that the recovery CD can't identify the Windows installation which would be needed later.) It might be worth a shot before reinstalling.

    I'm thinking to set your Windows partition as Active so the computer will try to boot directly from that. If it gets a different error, it may allow you to try to Repair the boot files directly on that Windows partition rather than the System Reserved partition.

    From the command prompt:
    Type in: Diskpart
    Type in: Select Disk 0
    Type in: List partition
    Look for the number of the D: partition; it will have a large number of GB
    Type in: Select partition 2 {substitute the correct # for the partition in place of 2}
    Type in: active
    Type in: exit
    Type in: exit

    Then restart without the disc and try to boot the computer.
    Let us know what the error is and then boot from the CD and see if it identifies the Windows partition and can attempt Startup repair.
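
Added example, not part of sach2's post or the thread: on an MBR disk, the diskpart `active` step above sets the status byte of one entry in the partition table, and the boot code starts whichever primary partition carries that flag. The Python below parses a 512-byte MBR sector and reports missing, duplicate or invalid active flags; the sample sector and the `build_sample_mbr` helper are constructed for illustration and are not taken from the poster's disk.

```python
"""Parse the four primary partition entries of an MBR sector and check the active flag."""
import struct

SECTOR = 512
TABLE_OFFSET = 446          # partition table follows 446 bytes of boot code
ENTRY_SIZE = 16
TYPE_NAMES = {0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
              0x05: "extended", 0x0F: "extended (LBA)", 0xEE: "GPT protective"}


def parse_mbr(sector: bytes) -> list:
    """Return one dict per non-empty partition entry in a 512-byte MBR sector."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly 512 bytes")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for index in range(4):
        off = TABLE_OFFSET + index * ENTRY_SIZE
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack(
            "<B3xB3xII", sector[off:off + ENTRY_SIZE])
        if ptype == 0x00:       # type 0 marks an unused slot
            continue
        parts.append({
            "number": index + 1,
            "status": status,
            "active": status == 0x80,
            "type": TYPE_NAMES.get(ptype, f"0x{ptype:02X}"),
            "start_lba": lba_start,
            "size_mb": count * SECTOR // (1024 * 1024),
        })
    return parts


def boot_findings(parts: list) -> list:
    """List problems that would stop BIOS boot code from picking a partition."""
    findings = []
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append(
                f"partition {p['number']}: invalid status byte 0x{p['status']:02X}")
    active = [p["number"] for p in parts if p["active"]]
    if not active:
        findings.append("no active partition")
    elif len(active) > 1:
        findings.append(f"multiple active partitions: {active}")
    return findings


def build_sample_mbr(active_number) -> bytes:
    """Constructed sample: a 100 MB 'System Reserved' slot plus a large NTFS slot."""
    layout = [(0x07, 2048, 204800), (0x07, 206848, 600000000)]
    sector = bytearray(SECTOR)
    for index, (ptype, start, count) in enumerate(layout):
        status = 0x80 if index + 1 == active_number else 0x00
        off = TABLE_OFFSET + index * ENTRY_SIZE
        sector[off:off + ENTRY_SIZE] = struct.pack(
            "<B3xB3xII", status, ptype, start, count)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    for active in (2, None):    # large partition active, then nothing active
        parts = parse_mbr(build_sample_mbr(active))
        for p in parts:
            flag = "*" if p["active"] else " "
            print(f"{flag} partition {p['number']}  {p['type']:<12} {p['size_mb']:>7} MB")
        print("findings:", boot_findings(parts) or "none")
```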
     
  15. May_Chile

    May_Chile Private E-2

    Okay, I'm trying it. How would I know which number to substitute for the partition?
     
  16. sach2

    sach2 Major Geek Extraordinaire

    When you do List Partition it will give you a number for each partition and their size. You use the number for the large windows partition.
     
  17. May_Chile

    May_Chile Private E-2

    BootMGR is missing
    press Ctrl + Alt + Del to restart


    I pressed it...same thing as above got listed. Now rebooting from CD..

    It said that it identified a problem with Windows and did I want to attempt startup repair? I did, and the same "BootMGR is missing" message continues to appear. Ah, at least no BSOD, I was quite sick of that.
     
    Last edited: May 4, 2011
  18. sach2

    sach2 Major Geek Extraordinaire

    Get to the list of 5 options where the command prompt is listed. At the top of that list is Startup Repair. Run that option twice and then try to boot without the CD. (I think you can run it twice in a row--if not then restart the computer to get back to the list and run it the second time.)
     
  19. May_Chile

    May_Chile Private E-2

    omg.....OH MY GOD!
    You are absolutely WONDERFUL!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    That totally worked!!!!
    But how do I know that my OS is no longer infected? I'm afraid to try anything for fear that it may happen again. I'm so happy I'm literally in tears and shock! You have just saved all of my college papers that I have to turn in before graduation in two weeks. omg!!!! :cry
     
  20. satrow

    satrow Major Geek Extraordinaire

    You don't know that the OS is completely clean yet, get back to your Malware thread to get checked out ;) while we puzzle over why some commands worked yet others didn't - sach2, pass me that big scalpel please.
     
  21. May_Chile

    May_Chile Private E-2

    I am! My Windows Update is functioning and I'm updating my laptop now. Spybot is still picking up on the click.giftload trojan, and MWAM can't find anything, it said that "no malicious items were detected" (then again, it said that the last 1,000 times I tried to run it and look at what happened rolleyes). I wasn't sure if I was "allowed" to continue posting under the SOFTWARE forum about my malware problem, so I went back to my Malware post and updated it. Sorry!

    **no violations please!**

    Any extra help is SUPER TASTICALLY GREATLY appreciated. I just want it clean now. I don't care what I have to get rid of at this point.

    You two are AWESOME! I don't know how to repay you!
     
  22. satrow

    satrow Major Geek Extraordinaire

    Do you remember where you downloaded your Recovery CD ISO from? I'd like to try to check if it's the real deal or not.
     
  23. May_Chile

    May_Chile Private E-2

  24. sach2

    sach2 Major Geek Extraordinaire

    Hi, I'm glad you're back in Windows. :)

    I don't know anything about malware. I just reformatted the one time I had a major problem. I'll read your malware thread but I don't think I will be able to help with that. Does that gift trojan have any symptoms as far as how your OS runs?

    One thought is you might want to copy your important papers to a USB thumb drive or CD just so you have an extra copy.
     
  25. May_Chile

    May_Chile Private E-2

    Right now, nothing is happening (as far as internet redirection and BSODs). BSOD usually appears whenever I attempt to shutdown or restart. I'm afraid to do that in case it comes up :(

    I had Spybot remove the click.giftload...but of course it keeps coming back. I'm just happy that Windows is updating. Internet Explorer is updating too..to IE 9 (although I don't know why because I use Mozilla Firefox). I've downloaded TDSSKiller and I'm trying to run it again. I hear, aka read, that if it still stops at 80%, then it means that MBR infection is still present. I'm waiting for CHASLANG to get back online to aid me further. I'll just wait my turn in queue until then.

    I did back up my files just now, literally.

    Reformatting? Is that what you just had me do?
     
    Last edited: May 4, 2011
  26. satrow

    satrow Major Geek Extraordinaire

    That's the best known (probably the original) site for the Rec. ISO. No, I don't want the link to a torrent ^^ the boss wouldn't like it!

    Agreed on getting your files and stuff backed up ASAP. Also log in to all the accounts you've used on the laptop - but from a known clean computer - and change the passwords.

    While you're waiting for a reply from the Malware team, I think I'd be re-downloading and reinstalling the scanning tools, update and run them, so you have some logs ready for checking.

    Oh, and if you can copy the Spybot details for the clickgift thing, I'd like to see where it's picked it up from, it could be real but it may be a false positive (I have a few FPs in Spybot currently, they're actually blocks put in place by Spywareblaster to prevent access to some known bad sites).
     
  27. May_Chile

    May_Chile Private E-2

    Um...my Windows Update wants me to reboot...should I? I'm kind of scared to :-o

    Here is my spybot mini-log (the only thing that it found and "deleted")


    --- Report generated: 2011-05-04 14:01 ---

    Click.GiftLoad: [SBI $89783858] User settings (Registry value, fixed)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe


    Don't be fooled. It always says it fixes it, but upon reboot. BAM! There it is. Also, I remember when running a Kaspersky Virus tool, that a Java.exploit always came up about 7-8 times as a trojan. I have the latest Java though. Anyway, should I reboot to complete update?
     
  28. sach2

    sach2 Major Geek Extraordinaire

    Reformatting is wiping the HD and installing the OS fresh. The lazy man's way out. My eyes glass over at the steps needed for proper malware removal. I just don't have the patience for it. But it is the best way if you have programs and documents you need to save. (I keep that stuff backed up in case I need to reinstall, because I know that I eventually will just wipe my HD and start over, rather than clean up properly.)

    It looks like TDSSKiller was the next step so we'll see how that goes.
     
  29. sach2

    sach2 Major Geek Extraordinaire

    Double check that path you just posted. I don't have that key in my Win7. After Internet Explorer the next folder is Main? I don't have a main folder.

    ***
    I'm not sure if that means anything or not. I'm just letting you know. That message comes from SpyBot?
     
  30. May_Chile

    May_Chile Private E-2

    Yes it does come from spybot.

    I went ahead and rebooted. No BSODs this time! It's updating and I literally just heard the tinkling music of Windows 7 loading in my bedroom :p I'm going to try to run TDSSKiller now.

    Any idea why the bootrec /fixmbr wouldn't work for me, but apparently for everyone else it did?
     
  31. sach2

    sach2 Major Geek Extraordinaire

    Good Luck! I don't want to give any malware advice because I just don't know anything useful.

    I'm really not familiar with Bootrec. I've been meaning to read up on it and experiment but never got around to it.

    We basically bypassed the normal boot files and wrote a fresh copy on the Windows partition. I'm not really sure how to fix the messed up ones in the System Reserved partition. Windows will run fine this way but I haven't figured out how to copy the good files to the System Reserved partition. I've never bothered. Yes, I am lazy that way! I'll see if I find anything about that over the next couple of days. (Or, maybe the malware people will say something.)
     
  32. May_Chile

    May_Chile Private E-2

    Is the System Reserved partition necessary, really? TDSSKiller ran and found an issue with a driver called spdt..I've logged it so I can attach it in the Malware forum when Chaslang returns. Should I make a Restore point now, just in case?

    Thank you guys so much again!
     
  33. sach2

    sach2 Major Geek Extraordinaire

    It can't hurt to make a restore point. It might come in handy if you get stuck again using the Recovery Boot CD, since using System Restore is listed as an option. You can always make a better one once you get things totally clean.

    **
    The System Reserved partition isn't necessary. I think the idea of it is to have the basic boot files separated from the rest of the files on C: so that they can be worked on without interfering with any personal files/documents being involved. Meaning if that partition had to be deleted or rebuilt or such the rest of the Windows files would still be intact. Basically, a protective layer. I guess that is another thing I should read up on.
     
  34. satrow

    satrow Major Geek Extraordinaire

    Don't forget that this was originally a Vista pre-install from Tosh, upgraded to W7 - that's where the attempted mbr recovery might have fallen over.

    SpyBot's right to flag that registry string, looks very suspicious.
     
  35. May_Chile

    May_Chile Private E-2

    Yes, another Windows malicious software detection installed upon shutdown. When I get back home, I'll follow the rest of the malware steps as listed so the logs will be ready. I've deleted that file from Spybot numerous times. It keeps resurfacing. Ah well, back to the malware forum I go. I'll post back when/if my system is all clear or if any more problems arise.

    ^_^ thanks!
     
  36. May_Chile

    May_Chile Private E-2

    Okay. Went back to Malware forum and apparently everything (all of my logs) are clear. ^_^ Whoo-hoo!!

    The only thing that was getting to me was the extremely slow start-up, but I ran Disc clean-up so now it's MUCH better. Although, my disc defrag doesn't run..but, it really never worked ever since the upgrade to Win7 so that's no biggie.

    Before I part (hopefully (and not in a mean way) to never return), is it okay to do a disc clean-up of the E drive with the System Reserved? It says that 70.0MB of 99.9MB is free, which obviously means something is on there. I'm a little OCD about such things. Does it have to stay under My Computer or is there a way to remove it? I've asked in the Malware section, clearly not remembering that they deal with only..Malware :-o I'll be asking for that thread to close since I am finished.
     
  37. satrow

    satrow Major Geek Extraordinaire

    The 100MB partition is the remains of the (hidden) W7 system reserved partition (it contains the Windows Repair tools - allegedly ;) ) created during the Windows install process. It can be removed but you'd (probably) need to go back through the whole repairing boot process again.

    There's a way to edit the Registry so that it doesn't show up - if I get this right ^^: call up Regedit and navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer and create a new REG_DWORD entry named NoDrives, enter the value of 16 to hide the E:. Reboot to test :)

    Try calling defrag from the elevated cmd box, Start > Run > cmd. Then input defrag c:. If it completes successfully, run defrag c: /B for it to lay out your boot files for faster boot times. Alternatively, try a good freebie like Puran Defrag. I really think you should steer clear of installing anything new until you've had time to check that everything currently installed is working as expected though.
     
  38. satrow

    satrow Major Geek Extraordinaire

    <Too late to edit> Simply removing the drive letter allocation for the partition in Disk Management might hide the drive from Explorer.
     
  39. sach2

    sach2 Major Geek Extraordinaire

    Hi guys,

    I was just reinstalling Win7 this weekend. So I have a couple of HDs with several copies of Win7 on them that I can afford to mess up for testing purposes.

    First, you don't want to delete the System Reserved partition from what I can tell. In both HDs I put in my computer the System Reserved partition is active even though I am fairly sure that at some point I did similar to what we did yesterday and made the Windows partition active. So, I believe, Startup Repair changes the System Reserved partition back to active.

    One of them has no drive letter assigned and one has a drive letter S:. Both System Reserved partitions are set as Active and both HDs boot when installed alone. (I'll remove the drive letter from S: and see if that HD boots OK on its own--as a test.)

    Go to Start and type Disk Management in the Search Box. In the window that opens give us all the Status details for both C: and E:. I want to know which one is Active and which is Boot, System etc.
     
    Last edited: Jan 17, 2012
  40. satrow

    satrow Major Geek Extraordinaire

    Good call sach2 ;) it'll help us all visualise what the problem(s) may have been during the failed recovery process.

    My guess is that the OP's Windows partition is now like mine is (I installed W7 on a pre-formatted drive = no system reserved partition was created, the repair tools are located on the only partition available to the installer), with the Active partition status now assigned to it.
     


  41. May_Chile

    May_Chile Private E-2

    Okay the Stats are as follows (according to the thumbnail you attached)

    C:/ -> Healthy (System, Boot, Page File, Archive, Crash Dump, Primary Partition)

    E:/ -> Healthy (Primary Partition)


    I'm going to try Satrow's steps to hide the System Reserved. I know it's silly, but I'm so used to seeing only Local Disk (C:) and D: (if I have a CD loaded) so to see one that's E:/ throws me off and kind of freaks me out.


    WAIT!
    Can't I do this instead to hide drive E:/

    Here's how to hide a drive using Group Policy Editor:

    * Click Start, type gpedit.msc to search field, press enter
    * Find and open User Configuration > Administrative Templates > Windows Components > Windows Explorer
    * Double click Hide these specified drives in My Computer

    ?
     
  42. May_Chile

    May_Chile Private E-2

    [Edit]

    Also, tried the disc defrag via cmd and the only thing it stated was:

    Microsoft Disk Defragmenter
    Copyright (c) 2007 Microsoft Corp.

    same thing for the defrag c: /B
     
  43. satrow

    satrow Major Geek Extraordinaire

    The Group Policy Editor is only available with the higher SKUs (versions) of Windows, if you can use it, fine :)

    When you did the defrag via the cmd, did you wait for the prompt to come back up? Was there no "Invoking defragmentation on ... " message? If not, it might be worth trying it again and just waiting for it to do its analysis; if the defrag's not been run recently, it might take some minutes (of apparent inactivity) before it reports and then moves on to the defrag proper.

    Ok, back to the main event: according to your DiskMan report of the drive, you could theoretically remove the 100MB partition. But with the history of your Windows installation, I'm not sure I would advise you that it's safe to do so. There's little real value in removing the partition, it's too small to add much storage space if you were to combine it with the main partition, and, if it's the first partition on the drive, I think that would probably stop you being able to extend the main partition to make use of it anyway.
     
  44. sach2

    sach2 Major Geek Extraordinaire

    Well, nothing is as easy as it seems. I had all kinds of ownership issues on these HDs. I was trying to duplicate your situation exactly but things got confused.

    Anyway, removing the drive letter doesn't seem to stop the System Reserved partition from working. But I don't see an active partition on your list.

    I can't concentrate on this for a couple of hours. So if you can hold off that might be worth the wait.

    ***
    One thing that might be an option is to boot from the repair CD and see if it automatically goes to the box where it asks if you want to fix startup problems. That may set your startup to normal. I just did that on this drive and then removed the drive letter and it looks like below. But I have to go...so I will get back to this thread to discuss options later if you want.
     
    Last edited: Jan 17, 2012
  45. satrow

    satrow Major Geek Extraordinaire

    Now I check that, I don't either - my brain auto-compensated for the Archive that's (been mistyped?) in its place ;)
     
  46. May_Chile

    May_Chile Private E-2

    Okay so Satrow, after I typed the defrag c: and all what I wrote in the previous message came up, it instantly went back to C:\users > with the blinking underscore indicating it was ready for a command. Like I said, it never really functioned since I upgraded to Windows 7, so no real biggie.

    As for System Reserved, I mean...maybe "delete" was too drastic to request. I mean is it possible for me to at least HIDE it? It can stay, I just don't want to see it lol. I'm kind of curious as to what is actually ON it, since 29.9MB of it is in use. I'm tempted to run Disc Cleanup on it, but fear another BSOD. I fear those every time I boot up now :p Can I remove the drive letter E (sys resrvd) via Disk Management? It said "some programs may not work properly" etc so I canceled. I want to go-ahead before I do anything.

    What does it mean when you don't see an Active partition? Is that bad?
     
  47. satrow

    satrow Major Geek Extraordinaire

    The contents of the System Reserved partition are a stripped down version of what you have on the Recovery disc - you have the Recovery disc and have a pretty good idea of how to use it now, the SR partition data looks like it was probably borked anyway. Just hide the drive; if, sometime in the future, W7 refuses to load, plug in that Recovery disc and click on the Repair - it should work fine now we've patched the boot process.
    It might just mean that the author's brain went into autopilot mode for a few seconds:
    If none of your partitions had an Active switch, you'd be back on the smartphone now ;)
     
  48. May_Chile

    May_Chile Private E-2

    Alrighty. I removed the letter so now it's not visible :)

    Currently creating another Restore point.

    You two are completely awesome. I really owe you my life!!
     
  49. fari

    fari Private E-2

    I am standing at this position, but don't have a CD. Can you tell me how I can get to the Startup Repair option?
     
  50. satrow

    satrow Major Geek Extraordinaire

