c000021a {fatal system error} after using Spyware Doctor to remove Security Suite and Anti Malware Doctor


  • This topic is locked
30 replies to this topic

#1 laura h

  • Members

Posted 25 August 2010 - 07:22 AM

Hello

My computer has Windows XP and got infected with Security Suite and Anti Malware Doctor Protection Centre and after going through the guides to remove them, they were still there. I ran the trial version of Spyware Doctor with Antivirus and it identified something like 15 threats (inc. backdoor.trojan, trojan.bamital, trojan.fakeAV, backdoor.agent.LEL, trojandownloader.agent.OGP, dialer.coulomb_Dialer) and 70 infections so I purchased the full version and ran the scan. Then I removed the threats and rebooted as instructed. When I rebooted, my laptop froze on the blue screen with:

STOP: c000021a {Fatal System Error}
The Windows Logon Process system process terminated unexpectedly with a status of 0xc0000034 (0x00000000 0x00000000).
The system has been shut down.

I contacted the Spyware Doctor support but they just told me to contact the laptop manufacturer and do a repair install. I got the laptop second hand and don't have any startup disks. I'm quite a novice with computers so not sure what to do. Also, I have some files that aren't backed up and would like not to lose them.

I've tried rebooting in safe mode, safe mode with networking, normal mode and last known good configuration, but everything brings up the same screen.

Please help!
Laura

Edited by laura h, 25 August 2010 - 07:23 AM.




#2 myrti

  • Malware Study Hall Admin

Posted 25 August 2010 - 08:17 AM

Hi Laura,

I hope you could get the money back from Spyware Doctor at the very least.

Do you have any kind of bootable CD available? Can you create a bootable CD on a different PC to use on your laptop?

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#3 laura h


Posted 25 August 2010 - 09:05 AM

Hi Myrti - thanks for your help!

No, I don't have a bootable CD. Can you tell me the best way to create one please? I don't want to mess things up further!
Laura

#4 myrti


Posted 26 August 2010 - 01:51 AM

Hi,

let's try this then:
Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso and, when finished, will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.

Now we need to save another file to the USB to run and look for the files that may have been deleted by your AV

Download http://noahdfear.net/downloads/driver.sh and save it to the USB

  • Remove the USB and insert it in the infected computer
  • (the computer should still be booted with xPUD - if it isn't reboot into xPUD)
  • Press File
  • Expand mnt
  • Click on the folder that represents your USB drive (sdb1)
  • Confirm that you see the driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh -f
  • Press Enter
  • You will be prompted to input a filename.
  • Type the following:

    userinit.exe

  • Press Enter
  • The script will search for this file.
  • After it has finished, a report will be automatically saved to the USB drive as filefind.txt
  • Locate this file and right click it > choose rename > rename it to userinit.txt
Now we will do the same for explorer.exe, winlogon.exe and hlp.dat, renaming filefind.txt after each search to explorer.txt, winlogon.txt and hpl.txt respectively.



#5 laura h


Posted 26 August 2010 - 05:58 AM

Hi Myrti

Thanks, I've done this only my usb doesn't show up. sdb1-4 all show empty folders and I've tried the usb in both ports and restarting with the stick already in or putting it in after xPUD has started but still nothing.

#6 myrti


Posted 26 August 2010 - 06:41 AM

Hi,

Do you know what format that flash drive has? Could you maybe try a different flash drive?

If you still have the xpud-0.9.2.iso you can also create a bootable flash drive:

Download UNetbootin to the desktop of your working computer.
Once the download(s) have completed, double click the unetbootin-xpud-windows-387.exe file to run the installer.
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file
  • Verify the correct drive letter is selected for your usb device then click OK
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface.
  • Copy the driver.sh onto that flash drive and boot from it.
You should then be able to find driver.sh in the sda1 folder.

regards myrti

Edited by myrti, 26 August 2010 - 06:44 AM.



#7 laura h


Posted 26 August 2010 - 09:44 AM

OK I followed the steps but the computer doesn't automatically boot from either usb port. Is there something I need to do in setup to get it to boot from usb? Sorry if this is really obvious, I'm a total beginner with this stuff but enjoying learning so thanks for being patient with me :)

The laptop is an HP Compaq nc6000

#8 myrti


Posted 26 August 2010 - 10:15 AM

Hi,

You should be able to do this. However, I'm not familiar with the HP BIOS.
  • Restart your PC
  • As soon as you get an image, press the Setup key. This is usually F2, or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
  • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
  • Navigate to the tab where you can set the boot order. It should be called Boot or Boot order.
  • The tab should now show your current boot order.
  • If you see your flash drive there, shift it to the top, navigate to Exit and select Exit saving changes.
If the flash drive isn't showing, please let me know if you see an option called multiboot somewhere.

regards myrti

Edited by myrti, 26 August 2010 - 10:16 AM.



#9 laura h


Posted 27 August 2010 - 09:53 AM

Hi Myrti

I followed these steps and enabled the multiboot option. The order was Notebook Multibay first and Notebook hard drive second. I saved changes and exited but it didn't boot from the usb. Same blue screen after Windows tried to start.



#10 myrti


Posted 29 August 2010 - 04:11 AM

Hi,

Can you get onto the internet when you are in xPUD? If so, please try to download the file directly from the link I gave you previously. There is no need to use the flash drive then.

If not, please go to Menu and click on Terminal Emulator. Once in the terminal, type:

    find /mnt/sda1 -iname Explorer.exe

This will take a while to run through and show you a list of entries. Let me know if the following two entries are present:
/mnt/sda1/windows/explorer.exe
/mnt/sda1/windows/servicepackfiles/i386/explorer.exe

Repeat the same with the following commands:
  • Type find /mnt/sda1 -iname winlogon.exe
    Let me know if the following two entries are present:
    /mnt/sda1/windows/system32/winlogon.exe
    /mnt/sda1/windows/servicepackfiles/i386/winlogon.exe

  • Type find /mnt/sda1 -iname csrss.exe
    Let me know if the following two entries are present:
    /mnt/sda1/windows/system32/csrss.exe
    /mnt/sda1/windows/servicepackfiles/i386/csrss.exe

  • Type find /mnt/sda1 -iname hlp.dat
    Let me know if any entries are found.
If you press the up-arrow, the last command you entered reappears, so you needn't retype the entire command every time. You can just reuse the command you entered the first time and modify the last part.

regards myrti

Edited by myrti, 29 August 2010 - 04:13 AM.

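The checks requested in post #10, written as one script (an added example, not part of the original posts). It assumes the Windows partition is mounted at the path passed as the first argument, /mnt/sda1 in the thread; the function names and the list of expected locations are this example's own.

```shell
#!/bin/sh
# Added example: inventory boot-critical files on an offline Windows XP volume.
# Assumption: the volume is mounted at the path given as $1.

# Expected locations, relative to the volume root (lower case; matched ignoring case).
CRITICAL='windows/explorer.exe
windows/system32/winlogon.exe
windows/system32/csrss.exe
windows/system32/userinit.exe'

# find_ci ROOT RELPATH: print files under ROOT whose path equals RELPATH, ignoring case.
find_ci() {
    find "$1" -type f -ipath "$1/$2" 2>/dev/null
}

# candidates ROOT NAME: every copy of NAME on the volume (dllcache, servicepackfiles, ...).
candidates() {
    find "$1" -type f -iname "$2" 2>/dev/null | sort
}

# check_volume ROOT: print PRESENT or MISSING for each expected file; for a
# missing file, list copies found elsewhere. Returns 1 if anything is missing.
check_volume() {
    root=${1%/}
    missing=0
    for rel in $CRITICAL; do
        if [ -n "$(find_ci "$root" "$rel")" ]; then
            echo "PRESENT $rel"
        else
            echo "MISSING $rel"
            missing=1
            candidates "$root" "${rel##*/}" | sed 's/^/  copy: /'
        fi
    done
    return $missing
}

# Run directly as: sh check.sh /mnt/sda1
if [ $# -gt 0 ]; then check_volume "$1"; fi
```

A MISSING line with no "copy:" lines under it means the volume holds no copy of that file at all, so a replacement has to come from outside the disk.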


#11 laura h


Posted 31 August 2010 - 01:14 PM

I was unable to connect to the internet and got the following in the Terminal Emulator:

find /mnt/sda1 -iname Explorer.exe.
/mnt/sda1/WINDOWS/system32/dllcache/explorer.exe

find /mnt/sda1 -iname winlogon.exe.
nothing


find /mnt/sda1 -iname csrss.exe.
/mnt/sda1/windows/system32/csrss.exe
/mnt/sda1/windows/system32/dllcache/csrss.exe


find /mnt/sda1 -iname hlp.dat.

/mnt/sda1/WINDOWS/system32/hlp.dat

#12 myrti


Posted 01 September 2010 - 04:43 AM

Hi,

The missing winlogon is your main problem. Sadly we are missing a replacement.

Can you please go to /mnt/sda1/windows/system32 and rename csrss.exe to csrss.exe.bad? Then go to /mnt/sda1/windows/system32/dllcache and copy the csrss.exe there. Drop it into /mnt/sda1/windows/system32.

Then go to /mnt/sda1/WINDOWS/system32/dllcache again and copy explorer.exe. Drop explorer.exe into /mnt/sda1/windows.

Finally also copy explorer.exe into /mnt/sda1/windows/system32. Rename explorer.exe in system32 to winlogon.exe.

Then reboot and let me know if that helped at all.

regards myrti

Edited by myrti, 01 September 2010 - 04:43 AM.

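The rename-and-copy step for csrss.exe in post #12, as an added example that is not part of the original posts: it compares the active file with the dllcache copy first and keeps the old file as .bad. It assumes the volume is mounted read-write and that both paths are given with their exact on-disk case; the function name and return codes are this example's own.

```shell
#!/bin/sh
# Added example: replace a system file from its dllcache copy, keeping a backup.
# Assumptions: volume mounted read-write; paths given with exact on-disk case.

# restore_from_cache ACTIVE CACHED
#   returns 0 = replaced (old file kept as ACTIVE.bad)
#           1 = nothing done, ACTIVE is already identical to CACHED
#           2 = refused (no usable cached copy, or a backup already exists)
restore_from_cache() {
    active=$1
    cached=$2
    # The cached copy must exist, be non-empty and start with the "MZ"
    # signature that every Windows executable image begins with.
    [ -s "$cached" ] || { echo "refused: no usable copy at $cached" >&2; return 2; }
    [ "$(head -c 2 "$cached")" = "MZ" ] || {
        echo "refused: $cached is not an executable image" >&2; return 2; }
    if [ -f "$active" ]; then
        # Byte-for-byte comparison: an identical file gains nothing from a swap.
        if cmp -s "$active" "$cached"; then
            echo "identical: $active already matches $cached"
            return 1
        fi
        # Never overwrite an earlier backup.
        [ ! -e "$active.bad" ] || { echo "refused: $active.bad exists" >&2; return 2; }
        mv "$active" "$active.bad"
    fi
    cp -p "$cached" "$active"
    # Confirm the copy landed intact before reporting success.
    cmp -s "$active" "$cached" || { echo "refused: copy verification failed" >&2; return 2; }
    echo "replaced: $active (from $cached)"
}

# Run directly as: sh restore.sh ACTIVE CACHED
if [ $# -eq 2 ]; then restore_from_cache "$1" "$2"; fi
```

A result of "identical" means the system32 file and its dllcache copy are byte-for-byte the same, so swapping them cannot change what happens at boot.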


#13 laura h


Posted 01 September 2010 - 01:37 PM

Hi myrti
I followed your instructions and really thought it had worked but sadly back to the blue screen. The first attempt at rebooting did get past the welcome screen to my blank wallpaper. The cursor could move but there was nothing there other than the wallpaper. I left it for about 15mins but no change. Second attempt and all since have just been the same blue screen with the initial c000021a error message!

#14 myrti


Posted 03 September 2010 - 02:51 AM

Hi,

Could you please rerun the scan we did earlier with winlogon, explorer and csrss? Also, should you ever get to your empty desktop again, please try to press ctrl-alt-del and then under File click New Task and type explorer into it. This should start explorer and bring up your desktop as you know it.

regards myrti



#15 laura h


Posted 04 September 2010 - 01:38 PM

Hi
I did the scan again and got the same results

find /mnt/sda1 -iname Explorer.exe.
/mnt/sda1/WINDOWS/system32/dllcache/explorer.exe

find /mnt/sda1 -iname winlogon.exe.
nothing


find /mnt/sda1 -iname csrss.exe.
/mnt/sda1/windows/system32/csrss.exe
/mnt/sda1/windows/system32/dllcache/csrss.exe





