STOP 0x7e error after major spyware infestation

I have a computer that was constantly rebooting.  I booted to UBCD4WIN and found a ton of malware on the system.  I cleaned it using various tools on the CD and I'm certain it's now clear.  It's still rebooting.

I did a repair install from the XP Home CD and it installs fine until it gets to the last reboot and it reboots again.  

I told you all of that to tell you this..  :)

I disabled autoreboot and get the BSOD with this error:

STOP:  0x0000007E (0xC0000006, 0x806846EA, 0xF7A2B6E8, 0xF7A2B334)

I've searched all over for information about that error and all I can find are references to situations that are not relevant to my issue.  Most of them have "0xC0000005" as the first parameter.  

Can someone point me in the right direction to find out where to begin?  

Oh.. one other thing..  memory tests ok with MemTest86.  
Asked by oldmuttonhead
cuziyq commented:
You are getting the error because the malware on your system installed a rootkit of some kind.  I suspect that UBCD4WIN didn't remove it; it just broke it.  That's bad because Windows is trying to load it in kernel (unprotected) memory space, and it is failing now because it's broken.

The solution, my friend, is not going to be easy at all.  :-(

You gotta figure out what it is you had, Google the files it used, remove those files, and delete references to it from the registry hive.

Not fun.  Let me know if you need help with the process.  But you might want to consider just reloading the machine.  You could spend hours at this.
oldmuttonhead (author) commented:
What you are saying is what I suspected, but I was hoping someone might have better news.  Since it wasn't booting before I removed the spyware, I assume the rootkit must have broke before, possibly by the user attempting to fix it himself.  
samiam41 commented:
Depending on how much time you have, you may want to see if you can manually review and fix your MBR or boot.ini file.
cuziyq commented:
It wouldn't be the MBR or the BOOT.INI file.  The system sees those and gets past correctly.  It's barfing while trying to load kernel drivers.
oldmuttonhead (author) commented:
OK.. after a tedious investigation :) I think the system is infected with a "TDSS" rootkit.  I'm working on getting rid of it now..
samiam41 commented:
@cuziyq: Good call.

@oldmuttonhead: So that others will know what to use to detect this rootkit, what tool did you use?
oldmuttonhead (author) commented:
I didn't use a tool.  I listed the system32 directory by file creation date and found files that start with tdss* that were fairly recent and after a quick Google search I found the information about the tdss rootkit.  
samiam41 commented:
; )  

That would work too.  Thanks!
Jerry Solomon (Network Administrator) commented:
I'm sorry to say that once a system gets this far, you may have to back up data, then format--reinstall.

Things to try as your last chance:
Perform a system restore (most UBCDs have a utility called ERD Commander, which can do this).
If not, you can use the UBCD to perform a manual system restore; instructions here:

You can replace the registry hive files from a recent restore point folder, which is
c:\system volume information\restore {blah blah}\RPXXXX
to the C:\windows\system32\config\ directory.

Using A43, you rename these:
c:\windows\system32\config\sam to sam.old
c:\windows\system32\config\security to security.old
c:\windows\system32\config\software to software.old
c:\windows\system32\config\default to default.old
c:\windows\system32\config\system to system.old

Then, using A43, you rename and copy these:
_REGISTRY_USER_.DEFAULT
_REGISTRY_MACHINE_SECURITY
_REGISTRY_MACHINE_SOFTWARE
_REGISTRY_MACHINE_SYSTEM
_REGISTRY_MACHINE_SAM

to:
c:\windows\system32\config\sam
c:\windows\system32\config\security
c:\windows\system32\config\software
c:\windows\system32\config\default
c:\windows\system32\config\system
Then reboot.
If the restore is successful, then immediately download and install SDfix
from: http://downloads.andymanchesta.com/RemovalTools/SDFix_ReadMe.htm
reboot in safe mode, and let it clean out the system.
The problem with cleaning the latest spyware/malware infections from PE is that it deletes certain files that break Windows, so I don't do that anymore. SDFix won't break Windows in the cleanup process.

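The hive swap Jerry describes above, written out as an added example that is not from this thread or from any of the tools named in it: a Python script that picks the newest RPnnn folder by its number (so RP12 beats RP3, which a plain name sort would get wrong), verifies that all five snapshot hives exist before renaming anything, and defaults to a dry run that only returns the plan. It assumes the XP layout in which the hives sit in the restore point's `snapshot` subfolder; the `build_demo_tree` helper fabricates a throwaway directory tree for trying it out, so nothing here touches a real volume.

```python
import shutil
import tempfile
from pathlib import Path
# Restore-point hive name -> live hive file name (the five pairs listed above).
HIVE_MAP = {
    "_REGISTRY_USER_.DEFAULT": "default",
    "_REGISTRY_MACHINE_SECURITY": "security",
    "_REGISTRY_MACHINE_SOFTWARE": "software",
    "_REGISTRY_MACHINE_SYSTEM": "system",
    "_REGISTRY_MACHINE_SAM": "sam",
}

def latest_restore_point(sysvol: Path) -> Path:
    """Newest RPnnn under any _restore{...} dir, by number (RP12 beats RP3)."""
    rps = [(int(rp.name[2:]), rp) for rd in sysvol.glob("_restore*")
           for rp in rd.glob("RP*") if rp.is_dir() and rp.name[2:].isdigit()]
    if not rps:
        raise FileNotFoundError("no restore points under %s" % sysvol)
    return max(rps)[1]

def restore_hives(sysvol: Path, config_dir: Path, dry_run: bool = True) -> list:
    """Rename live hives to <name>.old, copy snapshot hives in; checks all 5 first."""
    snapshot = latest_restore_point(sysvol) / "snapshot"  # XP keeps hives here
    plan = []
    for src_name, dst_name in HIVE_MAP.items():
        src = snapshot / src_name
        if not src.is_file():
            raise FileNotFoundError("restore point lacks %s" % src)
        plan.append((src, config_dir / dst_name))
    if not dry_run:
        for src, dst in plan:
            if dst.exists():
                dst.replace(dst.with_name(dst.name + ".old"))
            shutil.copy2(src, dst)
    return plan

def build_demo_tree() -> tuple:
    """Constructed XP-volume stand-in: RP3 and RP12 snapshots plus fake live hives."""
    root = Path(tempfile.mkdtemp())
    sysvol = root / "System Volume Information"
    config = root / "WINDOWS" / "system32" / "config"
    config.mkdir(parents=True)
    for rp, tag in (("RP3", b"old"), ("RP12", b"new")):
        snap = sysvol / "_restore{DEMO}" / rp / "snapshot"
        snap.mkdir(parents=True)
        for name in HIVE_MAP:
            (snap / name).write_bytes(tag)
    for name in HIVE_MAP.values():
        (config / name).write_bytes(b"broken")
    return sysvol, config
```

Run `restore_hives(sysvol, config)` first to see the plan, then with `dry_run=False` once the five source hives have been confirmed; the `.old` copies are what you fall back to if the restored hives do not boot either.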