
BSOD on startup after virus removal from HDD

post #1 of 8
Thread Starter 
Hello, I have a hard drive that BSODs 3 seconds after startup (0x0000007B). I am trying to recover data off this hard drive. The BSOD started after I removed 6 viruses:
1) Exploit:Win32/Pdfjsc.KJ Severe
2) Adware:Win32/NewDotNet High
3) Exploit:Java/CVE-2010-0840.A Severe
4) Exploit:Java/CVE-2010-0094.BD Severe
5) TrojanDownloader:Java/Rexec.C Severe
6) Exploit:Java/CVE-2010-0094.CB Severe

Here is what I have tried:
Repair from OEM Microsoft XP CD - couldn't detect CD to complete repair finished from CD

Thanks in advance,
Kevinb123123
post #2 of 8
The virus had corrupted some system file which got removed or changed during the virus removal. Try to boot up using some Linux boot disk, or try Windows safe mode. Back up data and reinstall Windows.
    
CPUMotherboardGraphicsRAM
Phenom II X4 955BE ASUS M4A88TD-V-EVO/USB3 MSI GTX 560Ti TwinFROZR II OC Corsair XMS3 2x2GB 1600MHz C9 
Hard DriveOSMonitorPower
2x500GB Seagate Windows 7 Ultimate 32bit Samsung 20" B2030 Corsair TX650 V2 
Case
CM HAF932 (painted black) 
  hide details  
Reply
    
CPUMotherboardGraphicsRAM
Phenom II X4 955BE ASUS M4A88TD-V-EVO/USB3 MSI GTX 560Ti TwinFROZR II OC Corsair XMS3 2x2GB 1600MHz C9 
Hard DriveOSMonitorPower
2x500GB Seagate Windows 7 Ultimate 32bit Samsung 20" B2030 Corsair TX650 V2 
Case
CM HAF932 (painted black) 
  hide details  
Reply
post #3 of 8
If you can plug the disk into another Windows computer (that works) you should be able to run a disk check and it will most likely repair the missing files.
    
CPUMotherboardGraphicsRAM
i5 2500K @ 4.5 GA-P67A-UD3-B3 EVGA 570 8GB Gskill 1600mhz 
Hard DrivePower
1.5TB CORSAIR 850TX 
  hide details  
Reply
    
CPUMotherboardGraphicsRAM
i5 2500K @ 4.5 GA-P67A-UD3-B3 EVGA 570 8GB Gskill 1600mhz 
Hard DrivePower
1.5TB CORSAIR 850TX 
  hide details  
Reply
post #4 of 8
Quote:
Originally Posted by leopold1985;12360049 
The virus had corrupted some system file which got removed or changed during the virus removal. Try to boot up using some Linux boot disk, or try Windows safe mode. Back up data and reinstall Windows.

This, I'll explain why below.
Quote:
Originally Posted by Kirby1;12360081 
If you can plug the disk into another Windows computer (that works) you should be able to run a disk check and it will most likely repair the missing files.

While that might repair the sectors that could be bad, it won't repair files properly. chkdsk (or whatever) can't tell you if a file part is missing; it can't fix "lost data".

Think of it like this, the virus attaches itself to parts of the file in a way that you (might) have to physically remove part of the file. The original file might be like this (binary example):

10110110110

Now the virus attached itself, giving the file this:

10110<11>0110

That represents the virus attaching itself to the functions located within the brackets. The brackets represent the virus code as well as the embedded attachment. When you get a BSOD it's generally the result of the virus being embedded too well, causing the AV software to remove file code.

Before clean:
10110<11>0110

After clean:
101100110

This causes a problem: the original code that the system is looking for is gone, and that can cause a KP, or BSOD.

So what do you do? You can run Windows repair, but if your backup files (if any) were also infected and repaired they could be missing code too. The Windows repair on the install disc might be able to use the file on disc (if any) to replace the original with an original copy on the install disc, but that could cause problems later down the road. You could be using a less secure file or even take the chance of re-infection booting the same system (might not be fully clean).

I recommend backing up any data that can not be infected, or at least data types with the least chance of infection (mainly exclude .exe, .msi, anything that "installs" or runs on its own). Media files, such as mp3 or videos, can be infected but generally aren't, and I always keep those and haven't had a problem yet.

After backing up the crucial files, I would recommend doing a format, not because you have to but to make sure you delete everything and don't have the chance of "accidentally" running a rogue file.
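An added example (not from the thread) that models the argument above in Python: a file infector splices its body into a host file, the cleanup cuts out the payload plus a few host bytes, and a structural check (standing in for chkdsk) still passes while a known-good size/hash catalog catches the damage. The host file bytes, the payload and the catalog are all constructed here; no real Windows file or AV behaviour is involved.

```python
"""Why a disk check cannot see the hole a cleanup leaves in a file, but a
known-good integrity catalog can. All inputs are constructed samples."""
import hashlib

# Constructed stand-in for a system file: an "MZ" header, some body bytes, a trailer.
ORIGINAL = b"MZ\x90\x00" + bytes(range(64)) + b"END"


def infect(clean: bytes, payload: bytes, offset: int) -> bytes:
    """Model a file infector that splices its body into the host at `offset`."""
    return clean[:offset] + payload + clean[offset:]


def naive_clean(infected: bytes, payload: bytes, slack: int) -> bytes:
    """Model a cleanup that removes the payload plus `slack` host bytes after it.
    slack > 0 is the thread's '<11>' case: host code is cut out with the virus."""
    start = infected.find(payload)
    if start < 0:
        return infected
    return infected[:start] + infected[start + len(payload) + slack:]


def catalog_entry(data: bytes) -> dict:
    """What a known-good catalog (taken before infection) records for the file."""
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def integrity_check(data: bytes, expected: dict) -> bool:
    """Catalog comparison: size and hash must both match the known-good copy."""
    return (len(data) == expected["size"]
            and hashlib.sha256(data).hexdigest() == expected["sha256"])


def structure_check(data: bytes) -> bool:
    """Stand-in for a filesystem check: the file is readable and its header is
    intact. It has no notion of which bytes *should* be there."""
    return len(data) > 0 and data.startswith(b"MZ")


def demo(slack: int) -> dict:
    """Infect, clean with `slack` bytes of over-removal, run both checks."""
    payload = b"VIRUS"  # constructed marker, not real malware
    cleaned = naive_clean(infect(ORIGINAL, payload, 20), payload, slack)
    return {
        "structure_ok": structure_check(cleaned),
        "catalog_ok": integrity_check(cleaned, catalog_entry(ORIGINAL)),
        "bytes_lost": len(ORIGINAL) - len(cleaned),
    }
```

With slack 0 both checks pass; with slack 2 the structural check still passes while the catalog check fails and reports two host bytes missing, which is exactly the file a reinstall or a known-good copy has to replace.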
post #5 of 8
Nice explanation
post #6 of 8
Quote:
Originally Posted by Thingamajig;12361874 
Nice explanation

Right, people don't know how a virus works. I learned at least one semester of C++, though I knew HTML/PHP etc. before that. What people don't know is how a virus actually attaches itself to a file (injection). Libraries and .exe files in their readable state look like:

#include <iostream>
using namespace std;

int main ()
{
    int x = 5;
    int m = 2;
    int c = 8;
    int y = m*x + c;   // y = mx + c: the original, intact function
    cout << y;
    return 0;
}

Now if we embedded malicious code we would want that code to inject in a way so that that function alters itself like this:

#include <iostream>
using namespace std;

int main ()
{
    int x = 5;
    int m = 2;
    int z = 10;   // injected
    int c = 8;
    int v = 55;   // injected
    int y = ((m*x) ^ z) + c*v;   // injected code rewrites the expression (^ is XOR in C++)
    cout << y;
    return 0;
}

If the malicious code does it in such a way that it replaces the values now, like this:

#include <iostream>
using namespace std;

int main ()
{
    int x = 5;
    int k = 2;    // the virus has replaced the original m with its own k
    int z = 10;   // injected
    int c = 8;
    int v = 55;   // injected
    int y = ((k*x) ^ z) + c*v;   // original m no longer exists anywhere in the function
    cout << y;
    return 0;
}

We now can't remove the virus without destroying the function. We would end up getting:

#include <iostream>
using namespace std;

int main ()
{
    int x = 5;
    int c = 8;
    int y = x + c;   // m is gone: this no longer computes the original mx + c
    cout << y;
    return 0;
}

That's because m was removed by our second example, which results in a dead function after virus removal. This is problematic: your original program or code can no longer run. What do you do? Replace all the original code (the file) with something that works. However, this isn't always possible; the code could be added from a service pack or update. This breaks the system, and the best means of fixing it is reinstalling.

People have NO idea how a virus works, which is problematic. It's no different than a game hack, trainer, cheats, anything that does memory injection. You could even destroy a function, removing parts, and create it in a way that requires memory injection for the system to work. The system now becomes dependent on the malicious code to function, causing removal to procure the same results.

Even though I don't use AV, ever, I'm extremely aware of how malicious code runs and gains access on a machine. It's one of the reasons why I hate Internet Explorer. It's KNOWN to have bugs that MS has said they won't ever fix, even in IE9 some of those problematic functions are there. It's a terrible thing to include in an OS, you'd be better off with Chrome or FF as a shipped standard. Even if they had to pay licensing fees they would be creating a better world and they know it.

[edit] I thought I should give a code example so people can't say "I don't get it, how does it remove file chunks".
post #7 of 8
If the OP is only interested in recovering some user (non-OS) files, then slaving the drive in another PC would be my suggestion.

Copy out the desired files, then wipe the drive and reinstall the OS, copy the files back in, done.
post #8 of 8
If it's a corrupt or missing system file, pop in the XP install disk, boot to a c:\ prompt from the install disk.

At the command prompt, type "sfc /scannow" (there is a space between the c and the /). This is the built-in system file checker (sfc) in Windows. It will replace any corrupt or missing system files in your Windows install with the version on the disk.