STOP 0x7B and viruses

[usasma]

I've found (on a Vista 32 bit system at work) that there is a virus infection that will change the ACL's of a system in order to prevent booting.

I'm running SUBINACL in Windows PE Mode to (hopefully) reset the ACL's.

The registry is mounted - but I don't know if SUBINACL will find it. Since the registry is mounted in the HKLM key of the PE Mode, it's presumable that the commands will fix it.

Then I should be able to use normal fixes to enable booting without the STOP 0x7B

I'll report back with more details as things progress.

 

[zigzag3143]

Ugh, how did you get that?

 

[CarlTR6]

That one is nasty. Do keep us informed.

 

[usasma]

Still having issues with fixing the ACL
- SUBINACL didn't work
- Tried ICACLS *.* /reset /T /C - and dunno if it worked

Only way I've got to see if it's "fixed" is to run Startup Repair and let it fail - the "Details" of the failure will list "CorruptAcl"

 

[JMH]

This I will follow with interest........

 

[usasma]

It's looking like the culprit was atapi.sys (I have to check with the tech who discovered this to find out how).
Funny thing is that we used a different recovery CD and it fixed it without any further issues.
I'm able to boot into Windows and can remove the rest of the "crud" from the system.

Additional note - system has both Trend Micro and Norton antivirus installed

 

[CarlTR6]

Thank you for the update. I am glad to hear you are well on your way to a clean system again.

 

[JMH]

It's looking like the culprit was atapi.sys (I have to check with the tech who discovered this to find out how).
Funny thing is that we used a different recovery CD and it fixed it without any further issues.
I'm able to boot into Windows and can remove the rest of the "crud" from the system.

Additional note - system has both Trend Micro and Norton antivirus installed

Ugh!..............
Glad to hear things are [ almost] working again.....

 

[usasma]

Well, it's "sorta" working. I'm still not happy with it, but I didn't get to talk with the other tech today - and I don't work again until Monday.

 

[JMH]

What you are still "unhappy" with can wait........in the meantime enjoy your weekend.

 

[Capt.Jack Sparrow]

Great Thread !! Thanks for sharing the info with us John !!

- Captain

 

[usasma]

It was found in a "private" posting - and the blame was laid on atapi.sys or some other storage controller drivers (especially nVidia or Intel). In short, boot to another "live" OS and check to ensure that the storage drivers are the most updated version available (and that the date/time stamps are accurate).

SEPARATE ISSUE:

We also found smss.exe missing in several XP systems - evidenced by STOP 0x6F errors and due to McAfee (this isn't the same issue as the svchost.exe problem with McAfee Enterprise). Replacing it (in PE mode) fixes the issue. Replacing it with the wrong version gave us a STOP 0x71 error

 

[Tews]

Someone is on a mission.. :roflmao:

 

[rougespook]

First, my apologies for commenting to this thread due to it's age. This is the exact issue that I am dealing with. My HDD works fine as the slave but not the master drive.

My question is this. Will I be able to make the necessary repairs to the drivers if the drive is a slave or should I make it the master and boot with a Live CD? Secondly, should I run a virus / malware scan it prior to attempting the repairs called out below?

Thank you.

 

[usasma]

It depends on what's causing this. Recently we've seen an increase in infections by the TDSS rootkit.
At work we clean the partition table of it with Trend Micro's command line scanner - which renders the system unbootable.
Then we run Startup Repair 3 times from an installation disk.
If that doesn't allow the system to boot, then we go into a Command Prompt and run:

bootrec /fixmbr

and

bootrec /fixboot

So far that has fixed every instance of this infection. Every system that I've tried it on has been SATA - so I don't have any knowledge about the Slave/Master differences.

BUT, be aware that I am not an anti-malware professional - so backup your stuff BEFORE trying any of this!