Michael_D

Cannot run any antivirus or boot in safe mode

Hi,

My computer got infected with some weird stuff. (Running Win XP Pro)
It does not allow me to run any of the following (at least those I tried to run):

- AVG antivirus
- HijackThis
- SpyBot S&D
- SuperAntiSpyware (this one actually runs but when I am scanning files it constantly results in blue screen at srosa.sys file)

When I try to reboot into safe mode I get blue screen too...

Any advice what I can do in this situation?

Thanks
Anti-Virus Apps, Vulnerabilities


8/22/2022 - Mon
youngrmy

Download SDFix. Also, what is the number on the blue screen (0x00000000...)?
maskedweasel

If you have a Windows XP disk I would run a repair installation. That should fix a few of the problems, but every now and then a virus might sneak through. Once you do the repair, boot into safe mode with networking and install AVG and run it, just to be safe.

You wouldn't happen to know what kind of virus you have, do you? If you know, I might be able to help you manually remove it -- but booting into safe mode is a pretty big deal, and if you can't do it a repair installation would be a quick fix.
Michael_D

ASKER
youngrmy: it says
STOP: 0x0000007B (0xF789E524, 0xC0000034, 0x00000000)
maskedweasel: I will try to run Win Setup later. I don't know what malware caused the problem.
Member_2_49692

Click Start > Run.
Type regedit
Click OK.

Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal. http://securityresponse.symantec.com/avcenter/venc/data/tool.to.reset.shellopencommand.registry.keys.html


Navigate to and delete the following registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"drvsyskit" = "%System%\drivers\hidr.exe"


Navigate to and delete the following registry subkeys:

HKEY_CURRENT_USER\Software\FirstRRRun
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\srosa


Next, download and run ComboFix:
Download combofix.exe and save it to your desktop.
Close any open browsers.
Before starting ComboFix, disable and exit any anti-virus software, anti-spyware or any other security related software, as they may interfere with ComboFix's operation.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you and display it on your desktop, called c:\combofix.txt. By default this log is located on your 'C' drive. Post that log in your next reply along with a fresh HJT log as well.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Combofix http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Next, post a HijackThis logfile.

Go here and run this online scanner:

http://bitdefender.com
Member_2_49692

Are you getting the blue screen only in safe mode or also in normal mode ?
Michael_D

ASKER
briancassin:  
You may be on the right way. Any ideas how to remove it without Norton?
Member_2_49692

You first need to remove the registry keys as I posted from the Norton article above.
Then you need to delete this executable, hidr.exe. There may also be a hidrr.exe and a hidrrr.exe; you need to delete all of these.
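A read-only check for the indicators briancassin names in this post and in the registry-cleanup post above (the "drvsyskit" Run value, the FirstRRRun and srosa keys, the hidr.exe variants, the srosa.sys driver from the asker's blue screen). This is an added PowerShell audit, not code from the thread; it assumes the drivers folder lives under %SystemRoot%\system32\drivers and only reports findings, it deletes nothing.

```powershell
# Read-only audit for the Bagle indicators discussed in this thread.
# Assumed locations are the ones given in the posts; nothing is removed.
$findings = @()

# 1. Autorun value "drvsyskit" under the per-user Run key
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['drvsyskit']) {
    $findings += "Run value drvsyskit = $($run.drvsyskit)"
}

# 2. Registry subkeys the thread says the infection creates
foreach ($key in 'HKCU:\Software\FirstRRRun',
                 'HKLM:\System\CurrentControlSet\Services\srosa') {
    if (Test-Path -LiteralPath $key) { $findings += "Key present: $key" }
}

# 3. Dropped files in the drivers folder (hidr.exe variants and srosa.sys);
#    -Force so hidden files are still returned
$drivers = Join-Path $env:SystemRoot 'system32\drivers'   # assumed location
foreach ($name in 'hidr.exe', 'hidrr.exe', 'hidrrr.exe', 'srosa.sys') {
    $path = Join-Path $drivers $name
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        $findings += "File present: $path ($($item.Length) bytes, modified $($item.LastWriteTime))"
    }
}

# 4. Safe-mode boot keys; later in the thread Bagle is said to break safe mode,
#    so report if either SafeBoot key is missing
foreach ($sb in 'HKLM:\System\CurrentControlSet\Control\SafeBoot\Minimal',
                'HKLM:\System\CurrentControlSet\Control\SafeBoot\Network') {
    if (-not (Test-Path -LiteralPath $sb)) { $findings += "SafeBoot key missing: $sb" }
}

if ($findings.Count -eq 0) { 'No indicators from the thread were found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```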

Michael_D

ASKER
briancassin:
I am getting blue screen only in safe mode

I deleted HKEY_CURRENT_USER\Software\FirstRRRun
but two others are not there
Michael_D

ASKER
I cannot run ComboFix either - it says it is not a valid Win32 application.
youngrmy

STOP: 0x0000007B indicates a HD controller problem, but if a virus is causing this I agree with briancassin that it is either the Bagle or the Parite virus.
http://www.symantec.com/security_response/writeup.jsp?docid=2004-011916-0524-99
and
http://www.bitdefender.com/VIRUS-1000025-en--Win32.Parite.A-B-C.html
maskedweasel

REALLY now? That's interesting... Does that happen when you try and run ANY program? What about when you try and run a link? I had a client with a PC issue that had that problem not too long ago.
Michael_D

ASKER
I am currently running BitDefender's online scan. I hope it will be able to at least identify the virus.
I will post results when it is done.
Member_2_49692

Don't be surprised if BitDefender closes, since you are getting the "not a valid Win32 application" errors.

The virus is doing that; it is locking you out of the system.

Go to Start > Search > Files or Folders. Make sure you have selected Advanced, then "Show hidden files and folders" and "Search subfolders", then type in hidr and see if it finds it. Delete all references of hidr, i.e. hidr, hidrr, hidrrr.

Also go to Task Manager and check for odd running processes... Can you run HijackThis, or is that also giving you the same error? If you can run it, post a log file.
Michael_D

ASKER
BitDefender is working - so far it found:
Win32.Netsky.D@mm
Win32.Bagle.SVL@mm
Win32.Bagle.SUQ@mm
MemScan.Trojan.Delf.PBM

Estimated time to finish is about 2 hours, but no new infections for a long time.

All infected files are reported to be deleted.
youngrmy

One thing you should do is turn off your System Restore. Right-click My Computer > Properties > Restore tab and check "Turn off System Restore". When the virus scans are complete, go back and turn your System Restore back on.
Michael_D

ASKER
I have my system restore turned off.


BTW, a new worm was found: Rootkit.Bagle.G
Member_2_49692

You may want to consider backing up all of your files (documents, pictures, so forth) at this point by slaving the drive or by using an external drive to put the data onto, and then doing a wipe and reload. The number of rootkits, worms and so forth that have been found indicates to me this machine has had low or no security on it and is severely compromised. Yes, the infections can be cleaned to some point, but when it gets into rootkits I never really trust a system fully. I know if it were me and I discovered all that, it would be a backup, wipe and reload. I would then scan all the files I backed up to make sure nothing was hiding out in them before putting them back on the system.

You either were missing service packs or Windows updates, or downloaded something from a P2P network or something similar, or these things were already on your system when you installed AVG, as these should not have gotten through AVG. This is a serious infection to have, given the security programs on the system that you have, and to be infected this much. If you still want to work through it I am willing to help, but like I said my recommendation at this point would be: back up your data, wipe the drive and reload.
Michael_D

ASKER
Actually I think the only problem is Rootkit.Bagle.G.
This one indeed came from P2P 2 days ago.
All others are found in the outlook.pst file or in JPG files in the temporary files folder of IE.
I have not been using IE or Outlook for more than a year.

But Rootkit.Bagle.G definitely passed AVG's security somehow.
Any idea how to remove it?

P.S. I am currently able to boot in safe mode - I found a .reg file that fixed it, but I still cannot run AV programs.
I am backing up all important files right now in case I am unable to remove the rootkit and have to reinstall Windows.
maskedweasel

Briancassin has the right idea. If you are completely dead set on not reloading this drive, then you should pull the drive out anyway and slave it, and run a complete virus scan that way. Once that's complete you might want to try getting into safe mode and disabling just about every service and startup item that doesn't have to do with Windows or your antivirus. Then run an extra scan just in case.

However, at this point you'd be spending more time trying to clean these pesky little guys than reloading the system would take. (under an hour in most cases)
Michael_D

ASKER
Well, I tried to go to safe mode and got a blue screen again.
It seems that I have to do as suggested and reload the system.
ASKER CERTIFIED SOLUTION
Member_2_49692

rpggamergirl

Bagle won't let you run any apps; it also borks your safe mode keys, which is why safe mode won't work.

Try this: Re-download Combofix,
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

NOTE: this is very important. While saving Combofix.exe to your desktop, you need to rename it to Combo-Fix.exe (see the difference?). You need to rename it before you actually download it to your desktop, otherwise Bagle will jump in.

Renaming Combofix when it is already on your desktop will not work... you need to rename it BEFORE it is actually downloaded to your desktop.

Disable your antivirus.
After Combo-Fix is on your desktop,
from the Run box type the following:

"%userprofile%\desktop\ComboFix.exe" /KillAll


Some are successful removing Bagle with IceSword; some had success with Avast (beta).
rpggamergirl

Bagle keeps a hate list of filenames, and when it sees ComboFix it attacks it...
It might even attack Combo-Fix; if so, then rename it to some other name before you download it.
Member_2_49692

IMHO, even if renaming ComboFix does end up removing the Bagle infection, the system was so compromised that I would be seriously concerned about what else may be hiding out undetected in the system.

Normally I am all for seek-and-destroy and killing all malware and viruses, but in this case 1 year of stuff sitting in Outlook undetected is not good at all. Also, the type of threats that were on the system were not little ones. They were ones that come with multiple payloads attached.

For example, it was identified that one of the infections is Netsky.D.
One of the things it does is the following:
http://www.sophos.com/security/analyses/viruses-and-spyware/w32netskyd.html

W32/Netsky-D attempts to delete the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\au.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Explorer
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\KasperskyAv
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OLE
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Taskmon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DELETE ME
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KasperskyAv
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msgsvr32
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sentry
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskmon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\system
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32

My concern would be that the known infections are gone, but the system could have COM, registry or file damage, or more hidden rootkits, and the system is left with security holes like Swiss cheese.

There is no way we could go through every nook and cranny on this. This is obviously a judgement call that has to be made.
It comes down to whether you can 100% guarantee the system is 100% free of any potential threats. I personally can't, based on what has been discovered along the way.

If this is truly one of those times where the system cannot be wiped and reloaded for a particular reason, then I would seriously consider running all of these tools. If after running several of them you're still finding things, I still stand by my recommendation; either way, back up important items, wipe and reload, then scan the backed-up items before putting them back on the system.

adaware
spybot seek and destroy
malwarebytes
pc tools spyware doctor (available for free google apps)
trial version of webroot
superantispyware
CA PestPatrol scanner http://ca.com/us/securityadvisor/pestscan/

Panda Active Scan
Bitdefender - you already ran this one
Symantec Online Scanner
TrendMicro Online Scanner
Kaspersky
F-Secure
Michael_D

ASKER
I was able to run ComboFix after renaming it (new download with a new name).
But it was not able to clean my system properly. I still cannot run my antivirus and other stuff.

So I will be reloading the system. I backed up all my important files on DVDs and scanned them with AVG on another computer. Nothing found...

I am going to award points to briancassin because he was the first who diagnosed the problem and helped me out. Some may say that anybody can give advice to wipe the system, but in my case I guess it is the best solution.

I thank all experts for helping me.
Member_2_49692

Thank You,

Sorry I didn't have a better answer for you... The system just got hammered with too many things.

At least with this option, providing you cleanse your data before reloading, you'll know your system is 100% clean and secure.

Don't forget to run all the Windows updates.

I would also recommend getting the following tools to reside on your system:

PC Tools Spyware Doctor: it is part of Google Pack and is free if you have no problem with the Google downloader. If you do, then Spybot, Ad-Aware and/or SuperAntiSpyware; just do not load more than one real-time scanner from any of these.

http://www.siteadvisor.com - warns you before going to a website through search engine results, and also if you are on a bad site the bar will turn red. This prevents you from getting on bad sites to begin with.

For antivirus, if you have got the RAM to handle it, I would go with Panda Antivirus for a paid AV; for free I would go with AVG.

ZoneAlarm offers a free version of their firewall. You can download that, but make sure you tell it you want to manually configure internet access, as the automatic configuration sometimes does not set up right and blocks something you do not want blocked.
http://www.zonealarm.com/store/content/dotzone/freeDownloads.jsp

Also SpywareBlaster is very good (http://javacoolsoftware.com); it prevents the install of malicious items, can be used in combination with everything else, and does not impact the system's performance in any way.

rpggamergirl

>>> But it was not able to clean my system properly. <<<
ComboFix only removes nasties that it recognized during the first run; we use its CFScript function to delete baddies in the second run, which is why we always ask for the CF log.

Anyway, reformatting and reloading is a wise decision.