Solved

STOP 0x7e error after major spyware infestation

Posted on 2008-11-05
688 Views
Last Modified: 2008-12-04
I have a computer that was constantly rebooting.  I booted to UBCD4WIN and found a ton of malware on the system.  I cleaned it using various tools on the CD and I'm certain it's now clear.  It's still rebooting.

I did a repair install from the XP Home CD and it installs fine until it gets to the last reboot and it reboots again.  

I told you all of that to tell you this..  :)

I disabled autoreboot and get the BSOD with this error:

STOP:  0x0000007E (0xC0000006, 0x806846EA, 0xF7A2B6E8, 0xF7A2B334)

I've searched all over for information about that error and all I can find are references to situations that are not relevant to my issue.  Most of them have "0xC0000005" as the first parameter.  

Can someone point me in the right direction to find out where to begin?  

Oh.. one other thing..  memory tests ok with MemTest86.  
0
Question by:oldmuttonhead
9 Comments
 
LVL 14

Accepted Solution

by:
cuziyq earned 2000 total points
ID: 22887793
You are getting the error because the malware on your system installed a rootkit of some kind.  I suspect that UBCD4WIN didn't remove it; it just broke it.  That's bad because Windows is trying to load it in kernel (unprotected) memory space, and it is failing now because it's broken.

The solution, my friend, is not going to be easy at all.  :-(

You gotta figure out what it is you had, Google the files it used, remove those files, and delete references to it from the registry hive.

Not fun.  Let me know if you need help with the process.  But you might want to consider just reloading the machine.  You could spend hours at this.
0
 
LVL 1

Author Comment

by:oldmuttonhead
ID: 22887826
What you are saying is what I suspected, but I was hoping someone might have better news.  Since it wasn't booting before I removed the spyware, I assume the rootkit must have broken before, possibly by the user attempting to fix it himself.  
0
 
LVL 9

Expert Comment

by:samiam41
ID: 22887848
Depending on how much time you have, you may want to see if you can manually review and fix your MBR or boot.ini file.
0
 
LVL 14

Expert Comment

by:cuziyq
ID: 22887912
It wouldn't be the MBR or the BOOT.INI file.  The system sees those and gets past correctly.  It's barfing while trying to load kernel drivers.
0
 
LVL 1

Author Comment

by:oldmuttonhead
ID: 22912884
OK.. after a tedious investigation :) I think the system is infected with a "TDSS" rootkit.  I'm working on getting rid of it now..
0
 
LVL 9

Expert Comment

by:samiam41
ID: 22913372
@cuziyq:  Good call.  

@oldmuttonhead:  So that others will know what to use to detect this rootkit, what tool did you use?
0
 
LVL 1

Author Comment

by:oldmuttonhead
ID: 22913385
I didn't use a tool.  I listed the system32 directory by file creation date and found files that start with tdss* that were fairly recent and after a quick Google search I found the information about the tdss rootkit.  
0
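The triage step described in the comment above (list system32 by creation date, look at the newest files, then filter on the tdss prefix) written out as a small script. This is an added example, not something from the thread; the directory it scans is a constructed throwaway tree and the tdss_sample* names are hypothetical, not real driver names.

```python
import os
import shutil
import tempfile
import time
from pathlib import Path

def recent_files(directory, days, prefix="", now=None):
    """Return [(name, age_days)] for regular files in `directory` created within
    `days` of `now`, newest first, optionally restricted to names starting with
    `prefix` (case-insensitive). Uses st_ctime, which is creation time on
    Windows (the case in this thread) and last metadata change on POSIX."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits = []
    for entry in os.scandir(directory):
        if not entry.is_file(follow_symlinks=False):
            continue
        if prefix and not entry.name.lower().startswith(prefix.lower()):
            continue
        ctime = entry.stat(follow_symlinks=False).st_ctime
        if ctime >= cutoff:
            hits.append((entry.name, round((now - ctime) / 86400, 3)))
    hits.sort(key=lambda hit: hit[1])
    return hits

def demo():
    """Constructed sample: a throwaway directory standing in for system32 with
    two hypothetical tdss* names and one ordinary DLL name."""
    root = Path(tempfile.mkdtemp())
    for name in ("tdss_sample1.sys", "tdss_sample2.dll", "kernel32.dll"):
        (root / name).write_bytes(b"constructed sample, not a real driver")
    everything = [n for n, _ in recent_files(root, days=7)]
    tdss_only = [n for n, _ in recent_files(root, days=7, prefix="tdss")]
    # Pretend the listing is run a month later: nothing counts as recent.
    later = recent_files(root, days=7, now=time.time() + 30 * 86400)
    shutil.rmtree(root)
    return everything, tdss_only, later
```

On a real machine, point `recent_files` at the system32 directory of the offline Windows volume from the PE environment and compare the newest entries against what you expect from patching history.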
 
LVL 9

Expert Comment

by:samiam41
ID: 22913404
; )  

That would work too.  Thanks!
0
 
LVL 6

Expert Comment

by:Jerry Solomon
ID: 22913462
I'm sorry to say that once a system gets this far, you may have to back up data, then format--reinstall.

Things to try as your last chance:
Perform a system restore (most UBCDs have a utility called ERD Commander, which can do this.)
If not, you can use the UBCD to perform a manual system restore, instructions here:

You can replace the registry hive files from a recent restore point folder, which is
c:\system volume information\restore {blah blah}\RPXXXX
to the C:\windows\system32\config\ directory.

Using A43, you rename these:
c:\windows\system32\config\sam to sam.old
c:\windows\system32\config\security to security.old
c:\windows\system32\config\software to software.old
c:\windows\system32\config\default to default.old
c:\windows\system32\config\system to system.old

Then using A43, you rename and copy these
_REGISTRY_USER_.DEFAULT
_REGISTRY_MACHINE_SECURITY
_REGISTRY_MACHINE_SOFTWARE
_REGISTRY_MACHINE_SYSTEM
_REGISTRY_MACHINE_SAM

to:
c:\windows\system32\config\sam
c:\windows\system32\config\security
c:\windows\system32\config\software
c:\windows\system32\config\default
c:\windows\system32\config\system
Then reboot.
If the restore is successful, then immediately download and install SDfix
from: http://downloads.andymanchesta.com/RemovalTools/SDFix_ReadMe.htm
reboot in safe mode, and let it clean out the system.
The problem with cleaning the latest spyware/malware infections from PE is that it deletes certain files that break Windows, so I don't do that anymore. SDFix won't break Windows in the cleanup process.

0
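The hive swap from the post above as a script that plans the renames and copies, checks everything before touching a file, and only then performs the swap. This is an added example, not the poster's procedure or any tool from the thread; it assumes the restore point files live in an RPxxxx\snapshot subfolder, and the demo runs against a constructed throwaway tree with tagged dummy contents instead of real hives.

```python
import shutil
import tempfile
from pathlib import Path

# Snapshot file name -> live hive name under system32\config, as paired in the post.
HIVE_MAP = {
    "_REGISTRY_MACHINE_SAM": "sam",
    "_REGISTRY_MACHINE_SECURITY": "security",
    "_REGISTRY_MACHINE_SOFTWARE": "software",
    "_REGISTRY_USER_.DEFAULT": "default",
    "_REGISTRY_MACHINE_SYSTEM": "system",
}

def restore_hives(config_dir, snapshot_dir, dry_run=True):
    """Rename each live hive to <hive>.old and copy the snapshot copy in under
    the live name. Returns the plan as (action, src, dst) tuples. All checks run
    before anything is touched, so the hives are never left half-swapped."""
    config_dir, snapshot_dir = Path(config_dir), Path(snapshot_dir)
    missing = [s for s in HIVE_MAP if not (snapshot_dir / s).is_file()]
    if missing:
        raise FileNotFoundError(f"snapshot is missing {missing}")
    clobber = [h for h in HIVE_MAP.values() if (config_dir / (h + ".old")).exists()]
    if clobber:
        raise FileExistsError(f".old backups already present: {clobber}")
    plan = []
    for snap_name, hive in HIVE_MAP.items():
        live = config_dir / hive
        plan.append(("rename", str(live), str(live) + ".old"))
        plan.append(("copy", str(snapshot_dir / snap_name), str(live)))
    if not dry_run:
        for action, src, dst in plan:
            if action == "rename":
                Path(src).rename(dst)
            else:
                shutil.copy2(src, dst)
    return plan

def demo():
    """Constructed sample tree: fake config\\ and RP0001\\snapshot\\ dirs."""
    root = Path(tempfile.mkdtemp())
    cfg, snap = root / "config", root / "RP0001" / "snapshot"
    cfg.mkdir(); snap.mkdir(parents=True)
    for snap_name, hive in HIVE_MAP.items():
        (cfg / hive).write_bytes(b"live-" + hive.encode())
        (snap / snap_name).write_bytes(b"snap-" + hive.encode())
    plan = restore_hives(cfg, snap, dry_run=False)
    after = {h: (cfg / h).read_bytes() for h in HIVE_MAP.values()}
    backups = {h: (cfg / (h + ".old")).read_bytes() for h in HIVE_MAP.values()}
    shutil.rmtree(root)
    return plan, after, backups
```

Run it first with the default dry run against the offline volume and read the returned plan; only pass `dry_run=False` once the source and destination paths look right.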