
Malware doctor infection removal and then error c000021a (fatal system error)



#1 dantnx


Posted 29 September 2010 - 03:42 PM

Hi,

I have fundamentally the same problem as Laura H from this thread http://www.bleepingcomputer.com/forums/topic342716.html.

I've had problems with these fake antivirus programs before and they really did a number on my laptop. I treated the problem using various tools, mostly Malwarebytes, and deleting some suspect files.

Been working fine for the most part, however today out of nowhere I was attacked by malware doctor. I deleted the suspect file from the temporary internet files folder and ran Malwarebytes, which detected a trojan and deleted it. Shortly after drwatson ??? was shut down and some time later I think explorer shut down because my desktop went back to basics... no theme, desktop wallpaper etc., the Windows 95 look if you grasp what I'm trying to get at. I thought it was no big issue and in my own time restarted the laptop when I realized audio wasn't working after trying to play a film.

Upon restart I get the blue screen with the same message as Laura's. So for the most part I'm in the same situation as Laura with some minor differences such as I didn't use Spy doctor etc.

I have Kaspersky AV installed which has been inefficient in protecting my laptop lately, especially from these fake AV attacks. I am using Windows Firewall which I know is a bad idea.

Myrti was helping Laura resolve the issue and I have followed her instructions up to the following actions:

'locate this file and right click it > choose rename > rename it to userinit.txt
now we will do the same for explorer.exe and winlogon.exe and hlp.dat and rename the filefind.txt after each search in explorer.txt, winlogon.txt and hpl.txt respectively.'

I will paste the text from these files below. Laura couldn't access her USB in xPUD so Myrti went off in a different direction which I cannot follow. If Myrti could tell me what I need to do after creating the text files it would be a really great help. Anyone else is also welcome to put in their 2 cents too.




Search results for userinit.exe

39b1ffb03c2296323832acbae50d2aff /mnt/sda1/WINDOWS/system32/dllcache/userinit.exe
24.0K Aug 4 2004

39b1ffb03c2296323832acbae50d2aff /mnt/sda1/WINDOWS/system32/userinit.exe
24.0K Aug 4 2004

a93aee1928a9d7ce3e16d24ec7380f89 /mnt/sda1/WINDOWS/SoftwareDistribution/Download/e9500597a78495f397efb821e37bf356/userinit.exe
25.5K Apr 14 2008

39b1ffb03c2296323832acbae50d2aff /mnt/sda1/WINDOWS/ERDNT/cache/userinit.exe
24.0K Aug 4 2004




Search results for explorer.exe

d594ea4ac1c0e4675ef2f0063950abef /mnt/sda1/Program Files/Malwarebytes' Anti-Malware/explorer.exe
1.0M Jul 23 13:19

f2ca5f1467b05dd200373abcb034cb0e /mnt/sda1/WINDOWS/system32/dllcache/explorer.exe
1008.0K Aug 4 2004

12896823fb95bfb3dc9b46bcaedc9923 /mnt/sda1/WINDOWS/SoftwareDistribution/Download/e9500597a78495f397efb821e37bf356/explorer.exe
1009.5K Apr 14 2008

a0732187050030ae399b241436565e64 /mnt/sda1/WINDOWS/ERDNT/cache/explorer.exe
1008.0K Aug 4 2004

cc1e71bb2025625c999c1eb3c126bbb5 /mnt/sda1/WINDOWS/explorer.exe
1008.0K Aug 4 2004



Search results for winlogon.exe

af2bf5320da47fc541c66814b2bb1d1e /mnt/sda1/WINDOWS/system32/dllcache/winlogon.exe
490.5K Aug 4 2004

ed0ef0a136dec83df69f04118870003e /mnt/sda1/WINDOWS/SoftwareDistribution/Download/e9500597a78495f397efb821e37bf356/winlogon.exe
496.0K Apr 14 2008

01c3346c241652f43aed8e2149881bfe /mnt/sda1/WINDOWS/ERDNT/cache/winlogon.exe
490.5K Aug 4 2004

Search results for hlp.dat

a4ec5c2e51814d684b2b0a1d8441ced1 /mnt/sda1/Documents and Settings/All Users/Documents/Server/hlp.dat
34.9K Aug 4 2004

Thank you !!!!

Can anyone tell what is wrong with the system from the text files or is it too early to tell yet?


Btw I am running Windows XP, not sure about SP, prob 1 maybe 2.

To confirm safe mode, last known config and all other options lead to blue screen with error message.

EDIT: Posts merged ~BP

Edited by Budapest, 29 September 2010 - 04:31 PM.




#2 Orange Blossom


Posted 29 September 2010 - 09:29 PM

Hello,

Please follow the instructions in ==>This Guide<==. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues and what you have done to resolve them.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Orange Blossom :thumbsup:

#3 dantnx


Posted 29 September 2010 - 11:32 PM

Hi,

I've looked at the guide, however unless I'm mistaken I cannot follow any of the steps there. I cannot access my OS. Like Laura H, after the Windows loading screen comes up after boot it instantly goes to blue screen with error message

STOP: c000021a {Fatal System Error}
The Windows Logon Process system process terminated unexpectedly with a status of 0xc0000034 (0x00000000 0x00000000).
The system has been shut down.

The same if I try to start OS in any other way for e.g. last good config. Only when I try to boot up in safe mode there is no blue screen, it just restarts without loading anything.

I posted in the malware log forum as that is where Laura H's thread was based who has the same problem as me.


Someone please help me resolve this.

Thanks.

#4 myrti


Posted 30 September 2010 - 05:01 AM

Hi,

ok, let's do this. Boot from xPUD again and go to the file manager by pressing File. Then navigate to /mnt/sda1/windows/system32 and rename winlogon.exe to winlogon.exe.bad. Then go to /mnt/sda1/WINDOWS/ERDNT/cache and copy the winlogon.exe there. Drop it into /mnt/sda1/windows/system32

Then go to /mnt/sda1/windows and rename explorer.exe to explorer.exe.bad. Then go to /mnt/sda1/WINDOWS/ERDNT/lcache again and copy explorer.exe. Drop explorer.exe into /mnt/sda1/windows.


Then reboot and let me know if that helped at all.

regards myrti



#5 dantnx


Posted 30 September 2010 - 01:50 PM

Hi,

I navigated to system32 but there is no winlogon.exe. There is a file named windowslogon.manifest.

By looking at the text files I posted in the first post I can see that the winlogon file exists in the system 32 folder but within the dllcache folder. Are you referring to those?

I renamed that and copy pasted from erdnt/cache folder.

Same with explorer.exe.

I restarted the computer, however I am still met with the blue screen with the same error message. :thumbsup:







#6 dantnx


Posted 30 September 2010 - 02:02 PM

Yes!! I did some research and found out dllcache folder acts as a backup folder sometimes. So I'm guessing my winlogon.exe from system32 was deleted. I moved winlogon.exe file there and restarted and it worked. Thank you!!

On startup however the first thing to come up was the antimalware doctor scanning thing telling me I have viruses etc. I need to get rid of it to stop it doing this again. I'm going to try Malwarebytes again but I don't think it will work. What do you suggest?




#7 myrti


Posted 01 October 2010 - 04:05 AM

Hi,

did you use the folders I indicated or did you use the files from dllcache?

The files in dllcache have been infected, as well as the ones that were in the normal folder. Which is why they got deleted in the first place.

regards myrti

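The comparison being made by eye on the search results in this thread, as an added example that is not part of any post: it parses the two-line records, groups copies with the same name, size and date, and reports groups whose MD5 values differ, plus expected live paths that are missing from the listing. The sample records are copied from the first post (blank lines dropped); the `EXPECTED` paths and all function names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Records copied from the explorer.exe and winlogon.exe search results in the
# first post: MD5 and path on one line, size and date on the next.
LISTING = """\
f2ca5f1467b05dd200373abcb034cb0e /mnt/sda1/WINDOWS/system32/dllcache/explorer.exe
1008.0K Aug 4 2004
a0732187050030ae399b241436565e64 /mnt/sda1/WINDOWS/ERDNT/cache/explorer.exe
1008.0K Aug 4 2004
cc1e71bb2025625c999c1eb3c126bbb5 /mnt/sda1/WINDOWS/explorer.exe
1008.0K Aug 4 2004
af2bf5320da47fc541c66814b2bb1d1e /mnt/sda1/WINDOWS/system32/dllcache/winlogon.exe
490.5K Aug 4 2004
01c3346c241652f43aed8e2149881bfe /mnt/sda1/WINDOWS/ERDNT/cache/winlogon.exe
490.5K Aug 4 2004
"""

# Assumption: the live locations of these files on a stock Windows XP install.
EXPECTED = ["/mnt/sda1/WINDOWS/system32/winlogon.exe",
            "/mnt/sda1/WINDOWS/explorer.exe"]

ENTRY = re.compile(r"^([0-9a-f]{32}) (/.+)\n(\S+) (.+)$", re.MULTILINE)

def parse(listing):
    """Return (md5, path, size, date) tuples from the two-line records."""
    return [m.groups() for m in ENTRY.finditer(listing)]

def divergent(entries):
    """Group by (file name, size, date); keep groups holding more than one hash."""
    groups = defaultdict(dict)
    for md5, path, size, date in entries:
        name = path.rsplit("/", 1)[-1].lower()
        groups[(name, size, date)][path] = md5
    return {k: v for k, v in groups.items() if len(set(v.values())) > 1}

def missing(entries, expected=EXPECTED):
    """Expected live paths that do not appear in the listing (case-insensitive)."""
    found = {path.lower() for _, path, _, _ in entries}
    return [p for p in expected if p.lower() not in found]

if __name__ == "__main__":
    entries = parse(LISTING)
    for (name, size, date), copies in divergent(entries).items():
        print(f"{name} ({size}, {date}): copies differ")
        for path, md5 in copies.items():
            print(f"  {md5}  {path}")
    for path in missing(entries):
        print(f"not found: {path}")
```

A mismatch only shows that copies with the same size and date stamp have different contents; it does not say which copy is the clean one.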