STOP 0x7e error after major spyware infestation

I have a computer that was constantly rebooting.  I booted to UBCD4WIN and found a ton of malware on the system.  I cleaned it using various tools on the CD and I'm certain it's now clear.  It's still rebooting.

I did a repair install from the XP Home CD and it installs fine until it gets to the last reboot and it reboots again.  

I told you all of that to tell you this..  :)

I disabled autoreboot and get the BSOD with this error:

STOP:  0x0000007E (0xC0000006, 0x806846EA, 0xF7A2B6E8, 0xF7A2B334)

I've searched all over for information about that error and all I can find are references to situations that are not relevant to my issue.  Most of them have "0xC0000005" as the first parameter.  

Can someone point me in the right direction to find out where to begin?  

Oh.. one other thing..  memory tests ok with MemTest86.  

You are getting the error because the malware on your system installed a rootkit of some kind.  I suspect that UBCD4WIN didn't remove it; it just broke it.  That's bad because Windows is trying to load it in kernel (unprotected) memory space, and it is failing now because it's broken.

The solution, my friend, is not going to be easy at all.  :-(

You gotta figure out what it is you had, Google the files it used, remove those files, and delete references to it from the registry hive.

Not fun.  Let me know if you need help with the process.  But you might want to consider just reloading the machine.  You could spend hours at this.

oldmuttonhead (Author) commented:
What you are saying is what I suspected, but I was hoping someone might have better news.  Since it wasn't booting before I removed the spyware, I assume the rootkit must have broken before, possibly by the user attempting to fix it himself.  
Depending on how much time you have, you may want to see if you can manually review and fix your MBR or boot.ini file.

It wouldn't be the MBR or the BOOT.INI file.  The system sees those and gets past correctly.  It's barfing while trying to load kernel drivers.
oldmuttonhead (Author) commented:
OK.. after a tedious investigation :) I think the system is infected with a "TDSS" rootkit.  I'm working on getting rid of it now..
@cuziyg:  Good call.  

@oldmutonhead:  So that others will know what to use to detect this rootkit, what tool did you use?
oldmuttonhead (Author) commented:
I didn't use a tool.  I listed the system32 directory by file creation date and found files that start with tdss* that were fairly recent and after a quick Google search I found the information about the tdss rootkit.  
; )  

That would work too.  Thanks!
Jerry Solomon (Network Administrator) commented:
I'm sorry to say that once a system gets this far, you may have to back up data, then format--reinstall.

Things to try as your last chance:
Perform a system restore (most UBCDs have a utility called ERD Commander, which can do this.)
If not, you can use the UBCD to perform a manual system restore, instructions here:

You can replace the registry hive files from a recent restore point folder, which is
c:\system volume information\restore {blah blah}\RPXXXX
to the C:\windows\system32\config\ directory.

Using A43, you rename these:
c:\windows\system32\config\sam to sam.old
c:\windows\system32\config\security to security.old
c:\windows\system32\config\software to software.old
c:\windows\system32\config\default to default.old
c:\windows\system32\config\system to system.old

Then, using A43, you rename and copy these

Then reboot.
If the restore is successful, then immediately download and install SDFix,
reboot in safe mode, and let it clean out the system.
The problem with cleaning the latest spyware/malware infections from PE is that it deletes certain files that break Windows, so I don't do that anymore. SDFix won't break Windows in the cleanup process.
