BSOD on start up, Error 0x0000007B

[Kaktussoft]

c:
cd \programdata
ren  "AVG Secure Search"  "AVG Secure Search.save" 
ren  AVG2012  AVG2012.save
cd  "\program files (x86)"
ren AVG  AVG.save
ren  "AVG Secure Search"  "AVG Secure Search.save"

All commands are succesfull? If so reboot and post results. Don't uninstall AVG yet!

sure you did all of this? (I editted post later). please look again

 

[Kaktussoft]

Don't reset bios. But do the following. Be sure to boot from DVD, so not from F8!!

BTW: what rootkit did you have? And how did you remove it?

TDSS rootkit?
If so:
C:\WINDOWS\system32\TDSSciou.dll - Win32/Agent.ODG trojan
C:\WINDOWS\system32\TDSSliqp.dll - Win32/Agent.OIK trojan
C:\WINDOWS\system32\TDSSnrse.dll - Win32/Agent.OIK trojan
C:\WINDOWS\system32\TDSSoeqh.dll - Win32/Agent.ODG trojan
C:\WINDOWS\system32\drivers\TDSSmhct.sys - Win32/Agent.ODG trojan

c:
cd \windows\system32
attrib  -h  -s  tdss*.*
del  tdss*.*
cd  drivers
attrib -h -s  tdss*.*
del  tdss*.*

All gone? Now just to be sure you have correct MBR bootcode:

bootrec/fixboot
bootrec/fixmbr

reg  query  HKLM\win7sys\Microsoft\Windows\CurrentVersion\Run
reg  query  HKLM\win7sys\Microsoft\Windows\CurrentVersion\Runonce

Any strange startup items?

reg  unload  hklm\win7sys

 

[doiob]

Going to double check tomorrow i need some sleep right about now. Thanks for all your help il be back

 

[Kaktussoft]

Or download Data Recovery | AVG Rescue CD | AVG Ireland . Download the ISO, burn it and boot from it. Scan for virusses. Anything found? Cleaned?

 

[Golden]

BTW: what rootkit did you have? And how did you remove it?

This is critical information to identify. Unless you can exactly identify it, you will often find that the best solution to get a 100% guarantee the system is clean, is to perform a clean install after running a DISKPART and CLEAN or CLEANALL.

I know its not ideal, but its the safest solution.

Regards,
Golden

 

[doiob]

Ok i will give you as much info on the rootkit as i can. I can not remember it name of exact location. I am 100% sure it was removed as all it stopped effecting my computer. It was a google redirect rootkit that made google chrome use 50+ cpu and would redirect many google links in both chrome and Firefox. I could not use TDSS as the process was killed on launch no matter what i renamed it. So i used PC tools root killer, im sorry i dont remember its exact name. I did try and run tdss but it was never running long enough to do anything.

I searched system 32 and drivers with "dir tdss*" found nothing. I will try and find the exact name of the rootkit remover i used.

 

[doiob]

All avg folder have been renamed with .save at the end.

 

[Kaktussoft]

Please do what has been asked in #12

 

[doiob]

Ok im doing the #12 now. Earlier today i was running the avg scan it took an incredible long time but that was to be expected however it ended at 54% on a java file with the message Scan ended with unknown return code!

 

[doiob]

#12 the first line worked but the others gave me "ERROR: The system was unable to find the specified registry key or value." Im going to try them again as i may have stuffed it up somewhere somehow.

 

[Kaktussoft]

Ok im doing the #12 now. Earlier today i was running the avg scan it took an incredible long time but that was to be expected however it ended at 54% on a java file with the message Scan ended with unknown return code!

Very strange. View things about the state now.

• AVG is still installed but some files/folders have been renamed. You have to reinstall it later and remove the renamed stuff.
• TDDS rootkit has been killed but not totally! Or at least there is corrupt stuff now
• TDDS can download/install all sorts of malware/viruses on it's own. Most likely many virusses are on your system. Impossible to proof system is clean.
• An offline virusscan (so boot from DVD) is the best thing to (try to) clean them. In win7 the virus is active and can fool the antivirus!

The stop 7B is an error in th AHCI and/or IDE driver stuff.

atapi.sys, msahci.sys, iastor.sys, iastorv.sys most likely some (or all) of them have been infected.

It's a very nasty rootkit!! Allmost impossible to clean totally.

Do you have many applications on system? Many special settings? What I mean... is a reinstall a total dissaster for you?

 

[doiob]

Ok i ran it again this is what i got.
hklm\win7sys\system\select /v default couldnt find the reg key
msahci = 0x0
pciide = 0x3
atapi = 0x0
iastor = 0x0
iastorv =0x3

Those were the results. i will try and get hklm\win7sys\system\select /v default to work.

 

[doiob]

I would prefer to avoid a re install but im no fool i have known for some time that it has been on the cards. I would like to regain control of the computer one last time but i expect this to be the last hara for this install of windows. Yes you were right about the viruses according to avg before it stopped it found countless. if there is no solution by monday night here i will most like back as much as possible with Ubuntu and then re install. Yes this was my first tango with a rootkit, i had never in-counted one before so my early countermeasures were completely ineffectual. I had believed i had gotten the last laugh but perhaps it was premature. At the very least this last week has taught me much about computers in general.

 

[Kaktussoft]

Ok i ran it again this is what i got.
hklm\win7sys\system\select /v default couldnt find the reg key
msahci = 0x0
pciide = 0x3
atapi = 0x0
iastor = 0x0
iastorv =0x3

Those were the results. i will try and get hklm\win7sys\system\select /v default to work.

My fault... command is different! I editted post 12.

 

[Kaktussoft]

msahci = 0x0=>starts on boot...fine
pciide = 0x3=>no ide on boot...quite normal
atapi = 0x0=>starts on boot...fine
iastor = 0x0=>starts on boot...fine. It's the INTEL SATA storage driver
iastorv =0x3=>no iastorv on boot....quite normal. You use iastor instead

 

[doiob]

Results for the first line default = 0x1

 

[Kaktussoft]

I would prefer to avoid a re install but im no fool i have known for some time that it has been on the cards. I would like to regain control of the computer one last time but i expect this to be the last hara for this install of windows. Yes you were right about the viruses according to avg before it stopped it found countless. if there is no solution by monday night here i will most like back as much as possible with Ubuntu and then re install. Yes this was my first tango with a rootkit, i had never in-counted one before so my early countermeasures were completely ineffectual. I had believed i had gotten the last laugh but perhaps it was premature. At the very least this last week has taught me much about computers in general.

Why the heck don't you make backups!!
You have a win7 installation DVD? Valid license? You know how to reinstall? You know how to backup this instance of win7 (for example with ubuntu) and restore files later? Only restore documents like mp3,doc,xls,jpg etc! Not system files!

 

[doiob]

I back up all my work files at the end of every trimester so i only need to retake some files. I have the sintallation DVD + valid license. No i do not know how to back up instances of windows 7 and would love to learn how if you have the time. My laptop has a feature that automatically restores it to the factory state purging everything that is what i will use.

 

[Kaktussoft]

First totally clean your disk using diskpart clean (clean all is not necessary). Clean overwrites only the first 1MB on physical disk.... and that's were MBR and partition table are located. Fast and enough in this case.
If course to be done in "recovery environment">command prompt. Now you are sure rootkit is totally vanished
http://www.sevenforums.com/tutorials/52129-disk-clean-clean-all-diskpart-command.html

http://www.sevenforums.com/tutorials/1649-clean-install-windows-7-a.html

 

[doiob]

I do have one question regarding partitions. Say for example something like this were to happen again and the OS was corrupted in some way. If i had the OS on its own partition ( a: ) and my programs and files on an other ( b: ) could i re install windows over a: with out wiping b:?

If it got to this stage again i would simply re-install this is simply an example