Topic: General file data corruption with hex D2 FA 01 C0

Saul Luizaga

  • Guest
General file data corruption with hex D2 FA 01 C0
« on: July 29, 2013, 09:17:50 AM »
I hope you can help me, I don't have a clue what's going on with my PC, I think it's a boot sector virus, but I'm not sure.

Avast! (w/autosandbox, searches for malware root kits on boot), Comodo: AV, D+, Clean Endpoint, auto-sandbox, IObit Antimalware, MalwareBytes Antimalware, nothing detects anything.

Symptoms:
1.- offload on network is disabled and can't be enabled.
2.- keyboard stops working, a few seconds later the mouse, then stays that way or restarts.
3.- When you have had your Win 7 64-bit for long, it starts to give BSODs: Windows informs kernel data corruption, 1A (complete Windows hang), 50, 3B, many more.
4.- The computer has a slight lag.
5.- the mouse won't click the first time and sometimes will double-click instead of single-click (it's not windows mouse config).
6.- programs crash.
7.- I have Planetside 2, if you know the game you'll know it's big, 13+ GB, among its files there are 256 that range from 3x MB to 1xx MB, so I made a backup copy on another hard drive and compared with TotalCommander 8 'Synchronize directories' function and it finds differences on random files, the thing is when individually compared, some of those pairs of files are sometimes identical, sometimes the only difference is a hex string 'D2 FA 01 C0', seldom 2 strings, but only on big files, copied or downloaded.

The corruption is progressive and eventually will corrupt the .exe files.

Any ideas?

Edit: I have tried to overwrite the master boot record with a tool called bootsect.exe, it's used to change the partition boot type between WinXP (NT52) and WinVista/7 (NT60), reinstalled Windows 7 64-bit 6 times, 2 different installers. It could be Seagate hard drive self-corrupting, as I've seen it only once, but I don't think so.

I have tested RAM (2x 4 GB) with Microsoft Memory Diagnostic, extended test suite, extended memory map, 1 1-pass and 2 2-pass, no errors, so it's not RAM, MoBo, CPU or Video Card, I booted from a CD-ROM.

That leaves Hard Disk Drive (HDD), I have made a chkdsk c: /r /x and all OK (70 GB partition). The Windows 7 installers should be OK, so it's either HDD self-corruption or virus/malware/spyware on boot sectors/records.

Can anyone at Avast! please check if there are any virus signatures with those 4 bytes please?
« Last Edit: July 29, 2013, 11:55:03 AM by Saul Luizaga »
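
Added example, not part of the original post: a Python sketch of the byte-level comparison described in symptom 7, listing each differing run between an original and its copy and noting which side holds the `D2 FA 01 C0` string. The file names and sample data are constructed, and both files are assumed to be the same size.

```python
import tempfile
from pathlib import Path

PATTERN = bytes.fromhex("D2FA01C0")  # 4-byte string reported in the post
CHUNK = 1 << 20                      # compare 1 MiB at a time

def differing_offsets(path_a, path_b, limit=4096):
    """Offsets where two same-sized files differ (capped at `limit`)."""
    offsets, base = [], 0
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        while (a := fa.read(CHUNK)) and len(offsets) < limit:
            b = fb.read(CHUNK)
            if a != b:  # only scan byte by byte when the chunk differs
                offsets += [base + i for i in range(len(a)) if a[i] != b[i]]
            base += len(a)
    return offsets[:limit]

def group_runs(offsets):  # consecutive offsets -> [start, length] runs
    runs = []
    for off in offsets:
        if runs and off == sum(runs[-1]):
            runs[-1][1] += 1
        else:
            runs.append([off, 1])
    return runs

def pattern_side(path_a, path_b, start, length):
    """'a' or 'b' if PATTERN overlaps the run in that file, else None."""
    # Widen the window: a pattern byte that happens to equal the original
    # byte is not a difference, so a run can be shorter than 4 bytes.
    lo = max(0, start - len(PATTERN) + 1)
    for side, path in (("a", path_a), ("b", path_b)):
        with open(path, "rb") as f:
            f.seek(lo)
            if PATTERN in f.read(start + length + len(PATTERN) - 1 - lo):
                return side
    return None

def compare(path_a, path_b):
    return [(s, n, pattern_side(path_a, path_b, s, n))
            for s, n in group_runs(differing_offsets(path_a, path_b))]

def demo():
    """Constructed sample: 3 MiB file plus a copy with PATTERN written in."""
    good = bytes(range(256)) * (3 * 4096)
    bad = bytearray(good)
    for off in (0x1234, 0x20FF, CHUNK - 2):  # last one straddles a chunk edge
        bad[off:off + 4] = PATTERN
    d = Path(tempfile.mkdtemp())
    (d / "orig.bin").write_bytes(good)
    (d / "copy.bin").write_bytes(bad)
    return compare(d / "orig.bin", d / "copy.bin")
```

If two passes over the same pair of files report different offsets, the reads themselves are not repeatable.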

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Re: General file data corruption with hex D2 FA 01 C0
« Reply #1 on: July 29, 2013, 11:24:28 AM »
follow guide and attach the requested logs  (not copy and paste)   http://forum.avast.com/index.php?topic=53253.0

run in order listed
AdwCleaner / Malwarebytes / OTL / aswMBR

when done removal experts will be notified and check the logs for infections....

if trouble running any of the Tools, try run from safe mode..


Saul Luizaga

  • Guest
Re: General file data corruption with hex D2 FA 01 C0
« Reply #2 on: July 29, 2013, 12:07:17 PM »
Thank you, I'll do that, I'll post ASAP
« Last Edit: July 29, 2013, 12:37:02 PM by Saul Luizaga »

Saul Luizaga

  • Guest
Re: General file data corruption with hex D2 FA 01 C0
« Reply #3 on: July 30, 2013, 10:05:35 AM »
OK here are the 4 logs.
There was another log produced by OTL, but I can only attach 4 files so, I Pastebin it
« Last Edit: July 30, 2013, 12:08:41 PM by Saul Luizaga »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: General file data corruption with hex D2 FA 01 C0
« Reply #4 on: July 30, 2013, 03:56:11 PM »
The logs look clean, AswMBR has flagged an unknown but that may be Comodo.  However, I will check that out

Download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application
  • Then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  • Get the report by selecting Reports
  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

Saul Luizaga

  • Guest
Re: General file data corruption with hex D2 FA 01 C0
« Reply #5 on: July 30, 2013, 10:58:14 PM »
The message exceeds the maximum allowed length (10000 characters). So I pastebin it, again; the forum won't let me use 7-zip attachment.

Offline essexboy

Re: General file data corruption with hex D2 FA 01 C0
« Reply #6 on: July 30, 2013, 11:33:18 PM »
The MBR also looks good; as it stands I can see no indication of malware.  We could run a scan outside of Windows if you wish

Saul Luizaga

  • Guest
Re: General file data corruption with hex D2 FA 01 C0
« Reply #7 on: July 31, 2013, 04:02:42 AM »
Kind of you, but I'd like to check the 'unknown' first, I'll post again if I can't find the answer, thank you for your help.

Offline essexboy

Re: General file data corruption with hex D2 FA 01 C0
« Reply #8 on: July 31, 2013, 03:52:20 PM »
The unknown is most probably related to sptd.sys (Daemon tools)  CD emulating software

Saul Luizaga

  • Guest
Re: General file data corruption with hex D2 FA 01 C0
« Reply #9 on: August 03, 2013, 03:32:59 AM »
Thank you for the tip, I'll keep searching for now.

Saul Luizaga

  • Guest
Re: General file data corruption with hex D2 FA 01 C0
« Reply #10 on: December 02, 2013, 10:06:57 PM »
Nothing worked because it wasn't a virus, bad Win installation nor hard drive failure, it was a bad BIOS, the newer version for some reason wasn't working well, I took it back to the newest version that would allow normal PC operation, thanks for all your help.

Offline essexboy

Re: General file data corruption with hex D2 FA 01 C0
« Reply #11 on: December 02, 2013, 10:25:48 PM »
Glad it is resolved :)