Solution: STOP Error 0x0000007b (0xfffff880009a98e8 0xffffffffc000000d 0x0000000000000000…)

Hoo boy, this one’s a doozy.

So following the removal of certain rootkits (such as Rootkit.Boot.SST.a, which is associated with the Windows Recovery rogue), you may find that your Windows boot configuration data has been totally corrupted. Worse yet, the usual steps to remedy (such as those described in my earlier post about TDL4 and the resulting blue screen) all fall apart when you reach the bootrec /RebuildBCD command, which returns the message:

Total identified Windows installations: 0

Geez.  This essentially means that the bootrec command cannot identify your Windows installation, even though the Windows Recovery Environment has no trouble doing so upon starting.  So, now what?

Sometimes it’s as simple as opening up your favorite disk partitioning software and marking the C: partition as ACTIVE and, if there are still problems, recovering the boot data afterward as I described in the TDL4 post (keep in mind, however, that on a Windows 7 system the System Managed partition is normally the Active one, thanks to the isolated boot partition that it uses).  The problem is caused by certain modern rootkits that create a hidden, encrypted partition at the end of the system drive and mark it as Active and Primary (while simultaneously marking the standard boot partition as Inactive).  This infection has been covered in other recent blog posts as well.

Sometimes, however, the BCD is totally corrupted and this doesn’t even work.  At this point, most every source on the internet comes up a dead end.  Everyone ends up reformatting or reinstalling Windows overtop their existing partition; nothing else seems to work.

You might not think it’d be helpful, but there’s an intimidating post over at the EasyBCD NeoSmart site which explains how to manually rebuild the Vista bootloader from the ground up in catastrophic situations.  As it turns out, this procedure applies to Windows 7 as well (which uses the same bootloader and BCD structure), and it’s the key to your recovery here.

It’s no easy feat however, so roll up your sleeves and get ready to do some typing.  Here’s the full procedure from start to finish:

  1. Boot to the Windows Recovery Environment either by selecting Repair Your Computer when Windows fails to boot, by inserting the Windows installation disc, or by using a Windows ERD/MS DART disc (if you happen to have access to one, that is).
  2. Cancel the recovery attempt if it tries to start on its own (it will fail anyway) and then choose the advanced options link at the bottom of the window.
  3. Choose to open the Command Prompt.
  4. Here’s the fun part.  Once at the prompt, enter the following commands one by one.  Take care not to mistype anything, and be sure to replace C: with whatever your system drive happens to be:

bootrec.exe /fixmbr
bootsect.exe /nt60 all /force
bcdedit /export C:\BCD_Backup
attrib -h -s C:\boot\BCD
ren C:\boot\BCD BCD.old
bcdedit /createstore c:\boot\bcd.temp
bcdedit.exe /store c:\boot\bcd.temp /create {bootmgr} /d "Windows Boot Manager"
bcdedit.exe /import c:\boot\bcd.temp
bcdedit.exe /set {bootmgr} device partition=C:
bcdedit.exe /timeout 10
attrib -h -s C:\boot\bcd.temp
del c:\boot\bcd.temp
bcdedit.exe /create /d "Windows 7" /application osloader

At this point, note the value within the curly braces {……..} that the last command prints in its output (a long alphanumeric string with dashes), as you will need it during the next steps.  Replace the dots within the curly braces below with that entire string on each line, keeping the braces themselves.  NOTE:  To make this easier, after you have typed it once, you can press the Up arrow to restore the last command and simply edit that line for the next one.

bcdedit.exe /set {…..} device partition=C:
bcdedit.exe /set {…..} osdevice partition=C:
bcdedit.exe /set {…..} path \Windows\system32\winload.exe
bcdedit.exe /set {…..} systemroot \Windows
bcdedit.exe /displayorder {…..}
bcdedit.exe /default {…..}
bcdedit.exe /set {…..} locale en-US

Thanks to Bitt Faulk for the final line, which restores the correct Windows loading screen as well.  You will need to replace the en-US entry with something different representing your region if you are not in the US.
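
The last command of the first block and the seven follow-up commands can also be run from a batch file that captures the identifier for you. This is an added example, not part of the original post; the script name, its two arguments (system drive and locale) and the winload.exe check are assumptions of the example.

```batch
@echo off
rem Added example, not from the original post: runs the "create osloader"
rem command and the seven follow-up commands, capturing the {GUID} itself.
rem Assumes the earlier commands (through "del c:\boot\bcd.temp") succeeded.
rem Usage (script name is hypothetical):  newentry.cmd D: en-US
setlocal EnableExtensions

set "SYSDRV=%~1"
if "%SYSDRV%"=="" set "SYSDRV=C:"
set "LOCALE=%~2"
if "%LOCALE%"=="" set "LOCALE=en-US"

rem The recovery environment may assign Windows a letter other than C:.
rem Refuse to continue if this drive does not hold a Windows install.
if not exist "%SYSDRV%\Windows\system32\winload.exe" (
    echo %SYSDRV% does not contain \Windows\system32\winload.exe - wrong drive letter?
    exit /b 1
)

rem bcdedit prints:  The entry {xxxxxxxx-...} was successfully created.
rem Splitting that line on the braces leaves the identifier as token 2.
set "GUID="
for /f "tokens=2 delims={}" %%G in ('bcdedit.exe /create /d "Windows 7" /application osloader') do set "GUID={%%G}"
if not defined GUID (
    echo bcdedit did not return a new entry identifier; no entry was configured.
    exit /b 1
)
echo New loader entry: %GUID%

rem Same seven commands as in the post, stopping at the first failure.
bcdedit.exe /set %GUID% device partition=%SYSDRV% || goto :fail
bcdedit.exe /set %GUID% osdevice partition=%SYSDRV% || goto :fail
bcdedit.exe /set %GUID% path \Windows\system32\winload.exe || goto :fail
bcdedit.exe /set %GUID% systemroot \Windows || goto :fail
bcdedit.exe /displayorder %GUID% || goto :fail
bcdedit.exe /default %GUID% || goto :fail
bcdedit.exe /set %GUID% locale %LOCALE% || goto :fail

rem Show the resulting store so the entry can be checked before rebooting.
bcdedit.exe /enum
exit /b 0

:fail
echo A bcdedit command failed; entry %GUID% is incomplete. Review with: bcdedit /enum all
exit /b 1
```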

Then you’re back in Windows, miraculously.  No reinstall necessary!

Side effects?  A little.  Hopefully you can handle not having the nifty new Windows 7 startup animation screen, because this will lose it for you.  Instead, you’ll be stuck with the old-school plain Jane Windows Vista progress bar.  You’ll also lose any special boot options you had previously.  But as a last resort, this works, and it’s still just as quick as ever.

Apart from that, once you’re back in Windows, of course, you’ll still have to disinfect the rest of the way.  In my customer’s case, the system damage was actually so bad that I ended up performing an in-place upgrade (the Vista/7 equivalent of a Repair Install), but after that, everything was great.  It was a triumph for sure, and yet another situation where the usual solution of reformat/reinstall was not necessary.  Now you know how to avoid it!

I hope you’ve found this post useful–if so, please take a moment to leave me a comment!


80 thoughts on “Solution: STOP Error 0x0000007b (0xfffff880009a98e8 0xffffffffc000000d 0x0000000000000000…)

  1. Excellent work my friend!! I’ve been working on a computer for a client that’s had this same problem. Your procedure worked flawlessly! Thank you very much!! +1

  2. Thanks for this, had a Rootkit.Boot.SST.b (as reported by kaspersky) wreaking havoc on a friend’s laptop, a bit of poking around with bcdedit seems to have fixed it

  3. You are the man! I was getting a blue screen of death for 2 days searching google for answers until I finally got to this page. Thank you so much whoever you are!!!!!!

  4. Excellent job. I was giving the offline defender beta a go thinking it would be pretty tame; it removed the rootkit just fine, but of course then I couldn’t boot. Thank you very much, inspired solution.

  5. WOW! I was just about to reimage my machine when I found your post! Thanks so much! I can handle the vista boot image, I can’t tell you how grateful I am! I have been working on this issue for a week, at least for 25 hours! I read so many posts, and tried LOTS of different things. Thank you so much!

  6. Sweet fix. However, it wouldn’t boot back up after I restarted, looking for \Windows\system32\winload.exe, so I ran through a startup and repair from a Windows 7 CD and as if by magic it boots back into Windows. Also, the Rootkit.Boot.SST is now not detected by tdsskiller.

  7. Sounds like Startup Repair replaced an infected system file that was previously deleted by your AV or other disinfecting tool. Either way, glad to hear you got it working! Thanks for the feedback.

  8. this solution worked perfect. Was very close to wipe and reinstall and this saved me some serious time. Thanks

  9. Please help!!! when I insert the “bcdedit.exe /set {…..} osdevice partition=C:” line, it returns “The element data type specified is not recognized, or does not apply to the specified entry.” The computer is using Windows 7.

  10. You did replace the contents of the curly braces {} with that of your hard disk’s volume ID as specified, right?

  11. Thanks! I figured it out and the solution worked out great! now when the computer starts it automatically loads the boot manager, which is fine. It wants me to choose between “Windows Boot Manager” and “Windows 7 Home Premium (Recovered)”. Of course I choose the obvious, but is there any way to delete the “Windows Boot Manager” option? Note: I’ve tried msconfig and it doesn’t show in the boot list and I’ve tried to remove it manually in the c:\boot.ini file but windows says file not found. I am thoroughly confused by this.

  12. Hey A E,

    I think I know exactly what’s happening actually. Vista and 7 no longer use the boot.ini file for this sort of thing; they use the BCD (boot configuration data) instead. Try this:

    Click Start > RIGHT-click Computer > Choose Properties > Click “Advanced System Settings” > Click Advanced > and under “Startup and Recovery” click Settings…

    Here, in this dialog, you can choose the default operating system and even uncheck the option to display a list at all to allow it to boot immediately to Windows 7. I hope this helps!

  13. Thank you so much for trying to help but it is unfortunately not working for me. I have the same error code for about 2 days now. And I have tried countless solutions on other sites. Everything works fine until I get up to the line that reads
    “attrib -h -s C:\boot\BCD”
    It returns the message:
    The system cannot find the file specified.
    Would really appreciate the help Thank You!

  14. Hey Selz,

    That’s all right; it means the BCD is missing. Simply continue on with the rest of the procedure and see if it helps.

    Before you go through the trouble of typing all of it, however, be sure you check to see if the proper partition is set to Active with some sort of partition manager. You can actually use diskpart to do this as well (it’s pretty easy, Google provides excellent explanations). Sometimes you can get by with simply changing the Active partition to the OS/Windows partition and then following the much shorter BCD recovery steps I outlined in a previous post (TDL4 removal leads to STOP Error).

    Let me know if I can help!

  15. Oh my gosh! Oh my gosh! Oh my gosh…you are the king! Thanks SOOO much for posting this. I have been pulling out my hair trying to fix a co-worker’s son’s notebook. I finally stumbled across this posting and am so psyched that it worked!! Thanks again!

  16. @DJ Dougiefresh, I just had the same experience and did the same thing. Using the guidance from this site and then doing the win 7 disk it came up fine. It didn’t work just doing the win 7 disk without the above fix, so it’s complicated but it works.

  17. Thank you, it worked! I used TDSSKiller which could only detect suspicious activity in the MBR but had no option to remove it. After applying your steps I was unable to boot into Windows but doing Startup repair fixed it. TDSSKiller no longer detects the rootkit.

  18. As I was trying all of this, I came to attrib -h -s C\boot\BCD and it says “path not found C:\boot”. So I continued and entered the next step and it said “the system cannot find the file specified.” Please help!!

  19. Keep going. It simply means that your BCD is not currently found on the system drive.

    Do you have a System Reserved partition? If so, you could try making it the active partition and then trying to boot before commencing with the rest of the procedure.

  20. Another satisfied customer. Worked like a charm. Only thing is, I had to include the braces “{” when entering the values in the 2nd part of the instructions. The way I initially read it, I thought it meant only enter the values (minus the braces).

    Thanks!

  21. OMG!!! You are a genius!!!! Microsoft should totally hire you seeing that you know their system more than they do. I am so grateful.

    THANKS A BUNCH!!!!!!!!!!!!!!!!!!!!!!!!!

  22. Please help! I’m at the bcded.exe/store c:\boot\bcd.temp create {bootmgr} /d stage and I’m getting back “A description for the new entry must be specified. Run “bcded /?” For command line assistance. The parameter is incorrect.” Where did I go wrong?

  23. DISREGARD LAST POST! However…I finished everything, it all says it was completed successfully, but nothing happened!

  24. Hey Clarissa,

    What do you mean nothing happened? Can you still not boot? Are the symptoms identical, or have they changed?

  25. Had the Smart HDD Virus. Removed it with Norton Power Eraser. Rebooted and got the 07B BSOD. CHKDSK fixed a few disk issues, but it did not solve the boot issue. Removed RAM, reseated, no change.

    Like DJ, I also followed the steps above, and all the commands completed OK. Because I had a Dell Vostro 3550 laptop, it had two partitions. After rebooting, the \Windows\system32\winload.exe error was because while Dell had the C:\boot folder and the BCD info, Windows 7 was on the D partition while using the Windows recovery tool, thus we should have entered:

    bcdedit.exe /set {bootmgr} device partition=D:
    bcdedit.exe /set {…..} device partition=D:
    bcdedit.exe /set {…..} osdevice partition=D:

    I also threw in a Windows 7 recovery DVD and let it repair that oversight. After rebooting again, the winload.exe error was fixed but I was back at the original BSOD.

    Even though the Windows 7 logo comes up for two seconds before the BSOD, running bootrec /ScanOs still shows 0 total identified Windows installations.

    Repeated all the BCD rebuild steps, with the correct partition info this time, which fixed the winload.exe error but I’m still stuck with the original BSOD.

  26. I am literally stunned. My wife’s computer wouldn’t boot a month or so ago, and I thought I had tried every way I knew how to fix it. I had even completely reinstalled, and it still wouldn’t boot. As I was typing all this stuff in I was thinking “No way this works after everything else I have tried.” But now it’s working fine again. othersteve you are the man.

    My system drive was X:\Windows\system32 on my wife’s Inspiron 1545, so I had to use X:\Windows\system32\boot wherever it says C:\boot if that helps anyone.

  27. Thank you. Solution works great. Thanks to ChrisB also. My laptop was a Dell Inspiron also and had to do the substitution for the system drive. Tried other solutions and this is the only one that worked. Life saver.

  28. IN the part where you write the {… ..} If I understand you are supposed to put volume information in the brackets.. What do you write there if the volume has no label?

    Thanks

  29. In the instructions it states to replace the dots with “that entire string” but I am unsure what that entire string is. :) Anyone reading this please let me know what I need to do here. Almost finished.

  30. Sorry guys.. Never mind my previous post. I figured it out. And thanks a lot for the tips!!
    This worked great.

  32. Having the same problem on a computer with Windows XP installed. Do I use the same steps?

  33. Hey A E,

    Nope, it won’t work on XP. That’s because XP doesn’t rely on a BCD for boot parameters.

    I am only hazarding a guess here, but if you’re getting a similar error on XP, you might first check your RAM or hard drive for problems. If those check out, then try doing something like this:

    1. Try booting to the Windows Recovery Console (boot to the CD, then press R on the screen shown here: http://pcsupport.about.com/od/fixtheproblem/ss/rconsole_3.htm )

    2. Log onto the Windows install by following the instructions. Once at the next prompt, type:

    fixmbr
    fixboot

    Then reboot and see what happens.

    -Steve

  34. This worked great for me too! Well, it didn’t work right away. I got a different unable to boot message at first, but then i was able to boot to windows 7 CD and run the start-up repair 2 more times, but it got me booted! Start-up repair did not work before performing the steps above so thanks!

    Thanks for the help!
    John

  35. This worked perfectly for me. Thanks!

    In order to fix the boot animation issue, you can run this command after reboot in an elevated command prompt:

    bcdedit /set {current} locale en-US

    You’ll want to replace “en-US” with your correct locale if your locale is not US English. Examples include ja-JP, de-DE, es-ES, pt-BR, zh-CN, zh-TW, fr-FR, and fi-FI.

    I imagine that you can also do this at repair time by replacing “{current}” with the new boot manager entry as with all of the other “bcdedit /set” commands.

    This information was taken from here: http://www.mydigitallife.info/fix-and-restore-windows-7-boot-screen-that-changes-to-vista-style/

  36. It kinda worked. I got a screen that said it could not find winload.exe, maybe I mistyped, however I was able to do a repair right after and it fixed it when before repair would not work. I got the Windows animation back too.

  37. Hey guys,

    Sorry for the late reply on this topic. I appreciate all the feedback! :-)

    mooky,

    The problem is that detecting the rootkit is very difficult. It isn’t a matter of actually locating the infection in memory (which is hard enough to do thanks to the fact that it loads code from beyond the normal filesystem), but rather halting the installation of the rootkit to begin with. Problem is, in order to do this, the AV must stop the threat at the entry point: the vulnerability, in other words. This is most often something like Java or Adobe Flash Player which is out of date and exploitable, which is why it’s so incredibly important to keep them up to date. But since new vulnerabilities are discovered all the time, and patches are only applied periodically, this is very difficult to manage.

    So it isn’t a matter of using the right or wrong security software, it’s a matter of keeping yourself insulated against the threats. The bottom line: update everything.

  38. hahaha I have been playing with the repair problem for days trying to avoid using the installation cd, then I found out the problem with STOP Error 0x0000007b and had searched for the solution for another few hours, then I got to this page (which gave me hope) BUT since I am a total zero in OS stuff and my English comprehension isn’t great, I wasn’t able to find out what is supposed to be in {…} instead of … so I put what I had in the first part of the commands, bootmgr ))))))))))))) now after getting a boot manager with unpleasant sentences… I realized my guess was wrong))) I decided to give up on that and use the installation cd, but I am still curious what is actually supposed to be in { }. Please somebody take your time and feed my curiosity.

  39. YOU my man are a freakin genius!!! Worked like a charm on an HP laptop with Win7 that suddenly stopped booting.

  40. Thanks!!! this helped me boot back up without BSOD; however, none of my programs work and it seems all folders are empty. IS there another step to do to recover those?

  41. Hey Bounce,

    It sounds like you may have been the victim of one of the “File Recovery” or “FakeHDD/FakeReant” rogues that were circulating for the course of the past year and a half or so.

    If that’s the case, try downloading this program and running it:

    http://www.bleepingcomputer.com/download/unhide/

    Once it’s finished, see if the problem is corrected. If not, there’s either something else going on (such as profile corruption) or you may have a deeper problem, possibly created by a previous attempt at repair (such as a System Restore operation that only partially completed). Let me know; I hope this helps!

    PS- Whatever you do, DO NOT clear your temporary files. If you were victimized by one of the aforementioned rogues, your Start Menu and Desktop shortcuts were moved to %TEMP%\smtmp, where they’ll be removed forever if a temp file cleaner runs its course.

    -Steve

  42. i keep getting “The boot configuration data store could not be opened. The system cannot find the file specified”
    I still cannot fix it. Please someone help me.

    Thanks,

  43. OH MY GOD, thank you thank you THANK YOU!!!
    I have tried everything for the last 4 days and was just about ready to smash my fricking computer. So happy, problem seems to be resolved – at least I can get into Windows!!

  44. Takes a lot of help, I did not understand what I have to put in place of the {…..} need help fast. Thank you

  45. Hey Juliano,

    Quoting from my initial post:

    “At this point, note the value within the curly braces {……..} as you will need it during the next steps.”

  47. Hello! I followed the instructions and typed everything correctly in the Command Prompt. I did get a few messages saying “An error occurred setting the element data. The request is not supported.” I kept going to the end though and restarted. Now the screen goes to where it says I need to insert the Windows Installation disk. Is there any way to fix this?? :( Please respond as soon as you can, thank you!

  48. Hey Shannon,

    Not sure what’s up in your scenario. Any chance you may have what’s known as a Dynamic disk? You’d probably know if you did, or whoever set up the PC would know. If so, you may be subject to an entirely different set of repair steps in addition to this:

    http://mypkb.wordpress.com/2007/03/28/how-to-non-destructively-convert-dynamic-disks-to-basic-disks/

    You’d (hypothetically) need to convert it to a basic disk first, then try the repair steps as listed to fix the BCD. As always, before you do any of this, I’d highly recommend creating an image (complete backup) of the drive. There’s plenty of free software out there that can do this, whether you can boot or not. Check out Acronis for details, or if you already have a backup, I’d say just go for it.

    The other option is to simply take the computer to an experienced tech. Some problems are too risky for the average user to deal with on their own, and this certainly qualifies I would say. In fact, many of the things I post about here on my blog qualify! ;-)

    Hope this helps and good luck,

    Steve

  49. Holy smokes! This worked flawlessly. Thank you so much for posting this. I actually didn’t even lose my Windows 7 splash screen like you said I would. This system is back to working exactly the way it should. Great work!

  50. Great work. This is how it used to be on the Internets. Learned a lot too, and I’m an old hand.

    -drl

  51. Thanks for the info.

    It didn’t work on dell N5030 unfortunately, still got the bsod. Also lost windows recovery options and don’t have a compatible recovery disc.

  52. Hey westos,

    The solution only applies after the malware has been successfully removed. It sounds like you may still have other issues in play. I would recommend booting to an offline environment (Windows-based) and running Kaspersky’s TDSSKiller for starters to check the boot sectors. After that’s finished, look through your filesystem filter drivers and be sure that no antivirus filter drivers or other AV-like security drivers (i.e. SUPERAntiSpyware, Hitman Pro) are installed and possibly causing problems.

    If all else fails and you need a recovery disc, you can boot to the Windows installation disc. If you still don’t have that, check out this link:

    http://neosmart.net/blog/2009/windows-7-system-repair-discs/

    That should get you at least back into the RE. However from the sound of it you may have some advanced memory/filter-driver related issues still.

  53. Hi Steve,

    I still do not understand what you place in the curly brackets {…..}.

    Your instruction, “At this point, note the value within the curly brackets {……..} as you will need it during the next steps. Replace the dots within the curly braces below with that entire string on each line” does not explicitly tell me what text to insert.

    How about an actual example of what goes in the {…}?

    Carlos

  54. Hey Carlos,

    I really don’t know of a better way to explain it. I don’t have time to produce screenshots for everything as the blog is merely a service I provide optionally to the tech community. After you enter those commands as listed, you should receive a long value (alphanumeric with dashes) within curly braces in the output of the command window. That value is what you need to use throughout the next several steps.

    It should be obvious if you follow the steps!

    -Steve

  55. Hi Steve,

    Thank you.

    This was the missing element, “After you enter those commands as listed, you should receive a long value (alphanumeric with dashes) within curly braces in the output of the command window. That value is what you need to use throughout the next several steps”.

    Before I started entering all these commands I wanted to be completely clear on what to expect.

    Thanks again.

    Carlos

  56. Hi Steve! thanks for this solution!

    I’m currently faced with this problem but I can’t even get to my system drive.

    I did everything I could do with diskpart command. and all I can get is my disk and partitions but not volume.

    sorry for my english.

    If there’s any solution plz let me know

    THANNKS!!

    -GDEV

  57. Hey,

    I was just wondering what code I would enter for an Australian resident.

    I tried en-au but it cannot find the specified file apparently.

    Thanks in advance

  58. False alarm. I redid the whole process and it worked. Problem is now I’m stuck at boot manager saying I need to run my installation disc

  59. Hi,

    I’m at: bcdedit.exe /set {bootmgr} device partition=C:

    Getting:

    The set command specified is not valid.
    Run “bcdedit /?” for command line assistance.
    The parameter is incorrect.

    C: is my OS drive and I can view its contents.

    Any help appreciated.

    Kris

  60. Hey Kris,

    That’s odd. It means that you are definitely running bcdedit but that it did not correctly interpret the stuff following that point.

    The only thing I can think of is to retype every bit of the line again from scratch. You’ve got to have a single character that’s off or something. You did use the curly braces, right?

  61. Hi Steve,

    I entered all the required commands then I restarted the computer but the pc is now stuck at the starting windows screen.

    Before I entered the commands, a blue screen appeared for less than a second after starting windows screen and the pc restarted.

    Any ideas what to do next? I appreciate any help. Thank you.

  62. Hey there Boris,

    It’s a complete (educated) guess, but to me it’s sounding like you may have a hardware problem on your hands. I would certainly suspect the hard drive, and heavily in fact. If that doesn’t turn up any results I would perform an offline chkdsk /f c: operation to repair any possible filesystem corruption.

    Occasionally drivers and other issues can lead to this as well (i.e. malware), but that seems a distant third possibility given the circumstances.

    Hope this helps, let us know what you find!

    -Steve

  63. Thanks! Been pulling my hair out (what little I have) over this for almost two days and was about to give up myself. This worked perfectly! You are a blessing! many thanks again!

    Andre

  64. I was delighted with this fix after Kaspersky Rescue disk 10 removed the rootkit.boot infection. Great solution and you changed a “brick” into a working laptop

  65. have been working to solve this for over 5 hours now…….thanks to all of you especially neo for helping out.
