
c000021a Blue Screen


  • This topic is locked
28 replies to this topic

#1 chodgins

chodgins

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:03:21 AM

Posted 02 August 2010 - 09:39 AM

Big trouble here!

Hopefully you gurus can help me out...

Dell D830 laptop with XP Professional - Build 2600 xpsp_SP3-gdr

Getting "STOP: c000021a {Fatal System Error}"
"The Windows Logon Process system process terminated unexpectedly with a status of 0xc0000005 (0x00000000 0x00000000)."
"The system has been shut down."

Saw this for the first time yesterday and now getting it almost immediately after start up regardless of safe mode. In normal mode, it does run long enough for me to see "SecurityTool" start a virus scan. I did not install "SecurityTool".

Thus far, I have not been able to keep it running long enough to do any kind of diagnostics.

Thought I'd ask the experts for advice before I make the problem worse (if that is possible)...

Any help is greatly appreciated!

Edited by Pandy, 04 August 2010 - 01:12 AM.
Moved from AII to the most appropriate forum ~Pandy




#2 hamluis

hamluis

    Moderator


  • Moderator
  • 56,266 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:03:21 AM

Posted 02 August 2010 - 10:37 AM

FWIW: 05 and 21a errors are often malware-related, IMO.

Security Tool is definitely malware.

I am moving you to the Am I Infected forum, where someone will instruct you on what steps to take.

Please be patient.

Louis

#3 jcanes

jcanes

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:04:21 AM

Posted 02 August 2010 - 06:39 PM

I also have the exact error. I have a Dell Latitude D620. XP Pro SP3. I'm lost and have no clue what to do now. I've fought off some malware in the past, but this one has me beat.

#4 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:21 PM

Posted 02 August 2010 - 06:42 PM

You could try scanning with the Dr.Web LiveCD.

http://www.freedrweb.com/livecd/

Note that the scan takes a long time.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#5 jcanes


Posted 02 August 2010 - 06:45 PM

I'll give it a shot. I'll let you know how it works out. Thanks.

#6 jcanes


Posted 02 August 2010 - 06:51 PM

Won't let me download. Can't get past the login screen that pops up after the download icon.

#7 Budapest


Posted 02 August 2010 - 06:56 PM

Direct link:

ftp://ftp.drweb.com/pub/drweb/livecd/minD...iveCD-5.0.3.iso

It is a 135MB download.

#8 chodgins


Posted 02 August 2010 - 07:22 PM

Thanks Budapest,

I downloaded the ISO file, copied it to a CD, tried to boot the infected computer from the CD. I still get the Windows log on screen and regardless of whether I log in or not, I still get the c000021a.

I was able to get the command ">DrWtsn32.exe -I" entered earlier today and I can see where it is mentioning WINLOGON.EXE, but it crashes too quickly to read anything or get files.

Will the ISO file work as a boot CD???

Appreciate the help!

Chet

#9 Budapest


Posted 02 August 2010 - 07:27 PM

QUOTE(chodgins @ Aug 3 2010, 10:22 AM)
Will the ISO file work as a boot CD???

Yes but you must burn the file "as an ISO".

http://pcsupport.about.com/od/toolsofthetr...burnisofile.htm

#10 chodgins


Posted 02 August 2010 - 11:10 PM

Thanks Budapest.

Got it burned as an ISO image and booted from it. Have tried to run in normal (default) mode and safe mode.

It loads a bunch of modules and then says: (without the " marks).

"Cannot find boot device"

"BusyBox v1.14.2 (2010-01-22 20:04:57) built-in shell (ash)"
"enter 'help' for a list of built-in commands."

"/bin/sh: can't access tty; job control turned off"
"#"

If I enter "help", I get the following:

Built-in commands:
" . : [ [[ alias bg break cd chdir command continue echo eval exec"
" exit export false fg hash help jobs kill let local printf pwd"
" read readonly return set shift source test times trap true type"
" ulimit umask unalias unset wait"

I tried "continue", but it just takes me back to a "#" prompt.

Any clues about what is going on here???

Thanks,

Chet

#11 Budapest


Posted 02 August 2010 - 11:18 PM

I have no idea what that is all about.

My only suggestion would be to try a different boot CD (here are a couple):

http://www.free-av.com/en/products/12/avir...cue_system.html
http://www.f-secure.com/en_EMEA/security/tools/rescue-cd/

#12 chodgins


Posted 02 August 2010 - 11:42 PM

Thanks!

Got the first link to download and created CD. Scanning now, but looks like it will take a while.

I'll post the results ASAP.

This is by far the worst virus situation I've ever been involved with...

Would be lost without the help!

#13 chodgins


Posted 03 August 2010 - 08:15 AM

Completed the Avira scan, but unfortunately can't think of a way to get the log file off the infected machine...?

Scan Results:
Directories - 15006
Scanned Files - 626887
Alerts - 5925
Suspicious - 0
Repaired - 0
Deleted - 0
Renamed - 0
Quarantined - 0
Warnings - 4

I set the scanner to try and repair the files, but was unsuccessful. If I set it to rename or delete the files, I'm not going to have a working system anyway after getting rid of 5925 files!

99% of the alerts are because the file "contains the detection pattern of" some virus.

I do see some that are identified:
"/Windows/system32/winlogon.exe - is the trojan horse TR/Spy.507904.8"
"/Windows/system32/atapi.sys - is the trojan horse TP/Patched.gen"
"/Windows/temp/usow.exe - is the trojan horse TR/PSW.Zbot.143360.Y.2"
"/Windows/temp/E.tmp - is the trojan horse TR/Agent.94208"

Also see a few "trojan horse" warnings under the "system volume information" sub-directories.

I'll try the other link to the ISO scanner, but any advice is appreciated!

Many thanks,

Chet

#14 chodgins


Posted 03 August 2010 - 09:00 AM

Now trying the F-Secure Rescue CD.

Unfortunately, it will automatically try to disinfect any malware and will rename the files if the disinfect fails.

Am I so far down the road that this is my only option or would I be better off to try and replace WINLOGON.EXE???

Have a feeling I'm about to step off into the abyss...



#15 chodgins


Posted 03 August 2010 - 01:42 PM

I keep waiting on someone to tell me not to do this...?

If I do rename 5900+ files, what will I do next???

The abyss is scaring me!



