Overzealous Client tries to fix Virus - BSOD System won't boot

I just picked up a new client that took it upon himself to try and remove the 2012 XP Security virus.  He claimed he used combofix along with malware bytes to remove the virus.  Needless to say after running combofix the system will not boot in normal or safe mode and gives a blue screen of 0X0000007E with no specified system file.  I was planning on running Kaspersky rescue disk to try and remove whatever is left on the system, but I'm thinking it may be a system file that needs to replaced.

Typically I have an OS that loads up in order to remove the bug, but in this case I am at a bit of a loss.  How can I determine what system file needs to be replaced?  Is Kaspersky rescue disk a good option for trying to resolve this issue?

Thanks in advance,
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Sean ScissorsProgram Analyst IICommented:
After doing some research it seems that particular error is more over a hardware issue or driver issue. Not so much a corrupted system file. However one such solution I found was XP SP3 could have gotten corrupted from the virus. If you have the install XP install disk I suggest trying the following solution below.

a) Boot with Windows XP reinstallation disk.
b) When you receive the Welcome to Setup message, press R to start the Recovery Console.
c) Select the correct Windows XP installation that’s listed. And enter the password for Administrator.If you dont have any password press enter.
d) At the command prompt, type cd $ntservicepackuninstall$\spuninst, and then press ENTER.
e) On next prompt, type batch spuninst.txt, and then press ENTER.
f) After Windows XP SP3 is removed, type exit, and then press ENTER.
g) Restart your computer it should work.
DmorandaAuthor Commented:
Thanks for the quick response.

The system throws the same blue screen on trying to boot off the XP reinstallation disc.  

Any ideas?
DmorandaAuthor Commented:

Actually this time it was 0X0000007B
IT Pros Agree: AI and Machine Learning Key

We’d all like to think our company’s data is well protected, but when you ask IT professionals they admit the data probably is not as safe as it could be.

Sean ScissorsProgram Analyst IICommented:
So when trying to boot from the CD it throws the bluiescreen as well? Make sure that in the bios (which you should have no problem accessing unless the MOBO went out) that the primary boot drive is the CD/DVD drive first. If you need help configuring that let us know the model and type of the computer to help get you through the Bios menu. After setting your primary boot device to the CD drive it should automatically start the windows disk without much effort. From there is when you enter the Recovery Console.
DmorandaAuthor Commented:
Yeah not a problem setting the CD rom as the first boot device.  I even strike a key to boot off the disc when it prompts.  It spins up for a while, but then throws a blue screen: 0X0000007B
Sean ScissorsProgram Analyst IICommented:
Pertaining to your EDIT comment...if that's the case there is a great article on possible solutions you can run through from about.com.


If you have any questions on what they are suggesting to do let us know. Still though it sounds like it could be hardware and just a coincidence it's happening at the same time they had a virus. Hard to say at this point.

However it's not possible to get a bluescreen before the Bios spash screen considering at that point, Windows is not even running yet and BSOD are from windows, not a motherboard.
DmorandaAuthor Commented:
I can boot into a linux environment without any problems (Parted Magic).  Doesn't that tell us that the hardware is working just fine?  I know it has something to do with the rootkit that affected the system.  I just don't know how to get in and remove it....
Sean ScissorsProgram Analyst IICommented:
Essentially if you can boot from Linux then yes it means the hardware is probably fine however if the case is that you can't boot from the windows CD at all then that is quite odd. Usually no matter how messed up a computer is if you boot from the install disk then you can just reformat or try and do the recovery console. I've never heard of a case where a computer Blue screens when trying to boot from the install disk. As I said before, it just doesn't make sense as Windows is not even running at that point yet.
DmorandaAuthor Commented:
Is it possible that I need to specify a driver on the windows install?  Would it blue screen if I didn't have a raid driver installed before getting to the main menu?
Sean ScissorsProgram Analyst IICommented:
Well I suppose if you aren't able to enter the Bios that maybe the MOBO drivers could be having an issue. Resetting the CMOS or taking the battery out waiting a few minutes and putting it back in might do the trick. Truthfully if you can't get into the Bios that is a major issue, not just a cause of a virus usually.
DmorandaAuthor Commented:
Ok I was finally able to get into recovery console.  Not sure where those BSOD's were coming from, but I'm not running the batch spuninst you suggested.  I'll keep you updated as to how it goes on reboot.  Thanks for your help.
Sean ScissorsProgram Analyst IICommented:
Glad you got to the recovery console. From there you should be able to take care of it. It sounds like the worst thing it did was possibly corrupt the MBR but there are ways to fix that through Recovery Console. Let us know how it goes.
DmorandaAuthor Commented:
On reboot after spuninst another BSOD (on normal & safe mode):



DmorandaAuthor Commented:
Should I go ahead and run fixboot and fixmbr and in what order?
Sean ScissorsProgram Analyst IICommented:
I think at this point if you can get back into recovery console I would start running different hardware checks yes. Fixboot and FixMBR (don't think order matters too much but not sure) also see if you can run a chkdsk.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
For the time and effort, it would be usually quicker, more practical and long term effective to image the drive fully, test the structure, then format and do a clean install, update, then lock down via Secunia PSI or similar tool, install an antivirus with internet security package, then manually retrieve what files and data you require.
Fixing a corrupted system when it is at this point, is often going to result in repeat problems, as Windows and third party programs will require reinstallation over the top of each other, causing system issues, blue screens of death, fatal exceptions left right and centre, plus various random problems which you are most likely never going to get to the bottom of.

If you have something like an ERD cd/dvd, MS DART recovery or anything licensed, then these are practical working tools to try and repair a problem.  (There are a number of ERD options via google, though MS DART you need to be licensed to use).

Working with Recovery Mode with XP is not 100%, so when you get to this point if you can fix it quickly then fine, if not then you need to consider other options.

Especially as often with these sort of virus's let too many other wild cards through to come back again and again, if the system is too compromised your practical method is as suggested, backup, format, clean install, lockdown then the problem is not usually going to come back.
Any probs post and I'll try and help.
If it's what combofix did then try undoing it. Combofix creates 2 Erunt backups so I would try restoring from the backup via Recovery Console first but up to you.
Let me know if you go for that and I'll post the commands.

I'm thinking it may be a system file that needs to replaced.
Usually combofix is a pretty safe tool, and it won't just delete any system files unless there is a clean replacement available.
DmorandaAuthor Commented:
Thanks for the additional responses.  There is some really good information here.  As Andrew mentioned, I want this system to be stable and not have repeat problems.  With that in mind I decided last night to do a thorough backup and am now in the process of reinstalling windows.

Thanks to everyone for their help.  I really appreciate your time.

DmorandaAuthor Commented:
Decided to format and reinstall windows to fix the problem.  Thanks to all for the help.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Anti-Virus Apps

From novice to tech pro — start learning today.