STOP 0x7e error after major spyware infestation

Posted on 2008-11-05
Last Modified: 2008-12-04
I have a computer that was constantly rebooting.  I booted to UBCD4WIN and found a ton of malware on the system.  I cleaned it using various tools on the CD and I'm certain it's now clear.  It's still rebooting.

I did a repair install from the XP Home CD and it installs fine until it gets to the last reboot and it reboots again.  

I told you all of that to tell you this..  :)

I disabled autoreboot and get the BSOD with this error:

STOP:  0x0000007E (0xC0000006, 0x806846EA, 0xF7A2B6E8, 0xF7A2B334)

I've searched all over for information about that error and all I can find are references to situations that are not relevant to my issue.  Most of them have "0xC0000005" as the first parameter.  

Can someone point me in the right direction to find out where to begin?  

Oh.. one other thing..  memory tests ok with MemTest86.  
Question by: oldmuttonhead
    LVL 14

    Accepted Solution

    You are getting the error because the malware on your system installed a rootkit of some kind.  I suspect that UBCD4WIN didn't remove it; it just broke it.  That's bad because Windows is trying to load it in kernel (unprotected) memory space, and it is failing now because it's broken.

    The solution, my friend, is not going to be easy at all.  :-(

    You gotta figure out what it is you had, Google the files it used, remove those files, and delete references to it from the registry hive.

    Not fun.  Let me know if you need help with the process.  But you might want to consider just reloading the machine.  You could spend hours at this.
    LVL 1

    Author Comment

    What you are saying is what I suspected, but I was hoping someone might have better news.  Since it wasn't booting before I removed the spyware, I assume the rootkit must have broken before, possibly by the user attempting to fix it himself.  
    LVL 9

    Expert Comment

    Depending on how much time you have, you may want to see if you can manually review and fix your MBR or boot.ini file.
    LVL 14

    Expert Comment

    It wouldn't be the MBR or the BOOT.INI file.  The system sees those and gets past correctly.  It's barfing while trying to load kernel drivers.
    LVL 1

    Author Comment

    OK.. after a tedious investigation :) I think the system is infected with a "TDSS" rootkit.  I'm working on getting rid of it now..
    LVL 9

    Expert Comment

    @cuziyg:  Good call.  

    @oldmuttonhead:  So that others will know what to use to detect this rootkit, what tool did you use?
    LVL 1

    Author Comment

    I didn't use a tool.  I listed the system32 directory by file creation date and found files that start with tdss* that were fairly recent and after a quick Google search I found the information about the tdss rootkit.  
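    The check described above (sort the system directory by creation date, look for recently created files with a suspicious prefix) generalized into a small triage script. This is an added example written for this page, not a tool anyone in the thread used; the file names, timestamps and the `tdss` prefix pattern in it are constructed, and `scan_dir()` would be pointed at an offline-mounted `system32` rather than a live infected system.

```python
"""Triage helper: list directory entries newest-first and flag recent ones,
generalising the manual 'sort system32 by creation date' check from this thread."""
import os
import re
from dataclasses import dataclass


@dataclass
class Entry:
    name: str
    created: float  # seconds since the Unix epoch


# Constructed sample listing, anchored to a fixed "now" so the example is
# deterministic offline. Names mimic the tdss* prefix; they are not real IoCs.
NOW = 1_225_843_200.0  # 2008-11-05 00:00:00 UTC, the date of this thread
SAMPLE = [
    Entry("ntoskrnl.exe", NOW - 400 * 86400),
    Entry("hal.dll", NOW - 400 * 86400),
    Entry("tdssserv.sys", NOW - 2 * 86400),   # constructed: recent + suspicious prefix
    Entry("tdssmain.dll", NOW - 3 * 86400),   # constructed: recent + suspicious prefix
    Entry("kbdclass.sys", NOW - 400 * 86400),
]


def birth_time(path):
    """Creation time where the OS exposes it (Windows, macOS); ctime elsewhere."""
    st = os.stat(path)
    return getattr(st, "st_birthtime", st.st_ctime)


def scan_dir(path):
    """Build Entry objects for every regular file directly under `path`."""
    return [Entry(f, birth_time(os.path.join(path, f)))
            for f in os.listdir(path) if os.path.isfile(os.path.join(path, f))]


def triage(entries, now, days=30, prefix=r"^tdss"):
    """Return (name, flagged) for entries created within `days`, newest first.
    `flagged` is True when the name matches `prefix` (case-insensitive)."""
    pat = re.compile(prefix, re.IGNORECASE)
    recent = [e for e in entries if now - e.created <= days * 86400]
    recent.sort(key=lambda e: e.created, reverse=True)
    return [(e.name, bool(pat.match(e.name))) for e in recent]


if __name__ == "__main__":
    for name, flagged in triage(SAMPLE, NOW):
        print(f"{'!!' if flagged else '  '} {name}")
```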
    LVL 9

    Expert Comment

    ; )  

    That would work too.  Thanks!
    LVL 6

    Expert Comment

    I'm sorry to say that once a system gets this far, you may have to back up data, then format--reinstall.

    Things to try as your last chance:
    Perform a system restore (most UBCDs have a utility called ERD Commander, which can do this).
    If not, you can use the UBCD to perform a manual system restore; instructions here:

    You can replace the registry hive files from a recent restore point folder, which is
    c:\system volume information\restore {blah blah}\RPXXXX
    to the C:\windows\system32\config\ directory.

    Using A43, you rename these:
    c:\windows\system32\config\sam to sam.old
    c:\windows\system32\config\security to security.old
    c:\windows\system32\config\software to software.old
    c:\windows\system32\config\default to default.old
    c:\windows\system32\config\system to system.old

    Then Using A43, you rename and copy these

    Then reboot.
    If the restore is successful, then immediately download and install SDFix,
    reboot in safe mode, and let it clean out the system.
    The problem with cleaning the latest spyware/malware infections from PE is that it deletes certain files that break Windows, so I don't do that anymore. SDFix won't break Windows in the cleanup process.

