
Virus cause Fatal System Error c00021a error?


  • This topic is locked
6 replies to this topic

#1 alwayslost


Posted 16 December 2010 - 10:07 AM

I have been battling a virus(es) on my desktop for the past couple of weeks. Yesterday, I downloaded and ran Spybot in safe mode. It listed 7 problems and I chose "fix selected". Spybot fixed 5 of the 7 and then prompted me to reboot to fix the other 2. Admittedly, I was brain-faded so I didn't look closely at what file names or paths it was trying to fix. Since that particular reboot, I have not been able to load Windows; FYI, I am running XP Pro. When I power up, the computer flashes the Windows XP logo and then ultimately gives me the following message (before prompting me for login info): Fatal System Error c00021a. windows logon process system process terminated unexpectedly with a status of 0xc0000005 (0x00000000 0x00000000). The system has been shut down.

At this point, I'm not sure if I have a virus problem that has escalated, causing this fatal error, or a completely different problem. I'll give a bit of background, since it may be relevant. I run Malware Antibyte scans and Advanced System Care (ASC) scans weekly to clean up any issues, but lately the problems would reappear just hours after running the scan. So, a couple of days ago, I downloaded Avast 5 and completed a scan. I also downloaded a freeware program called TeamViewer at that time, although I don't think that is part of the problem, despite the timing. Yesterday morning, when booting up the computer in normal mode, I was unable to see any desktop icons or taskbar; I could only see my background. I ran scans using Malware Antibytes, Avast, and ASC in safe mode, both quick and full scans. Every time a couple more viruses were found, but nothing that solved my login problem. I even ran a boot scan using Avast. I also ran CCleaner. Nothing worked. When in normal mode, I tried Ctrl+Alt+Delete and attempted to run explorer.exe (it wasn't showing in my processes) but I always received messages that it could not be found or that I did not have permission (I was logged in as the admin). Based upon what I read on the internet (I know only enough computer stuff to get myself in trouble), I ran regedit and saw that the shell and userinit were populated with the correct data to launch explorer.exe. I then tried rebooting with the last known good config. I tried restoring to a previous point but, upon reboot, I was always told that the restoration was not successful. I replaced the explorer.exe file in the windows folder and the logon.exe file in the system32 folder with copies from another XP Pro machine that was having no problem (I confirmed the same version number). None of these actions fixed the problem, nor did they make things worse (or at least not immediately).
Meanwhile, if I simply booted up in safe mode, then everything worked as normal and my desktop icons and taskbar would appear. Yesterday, at the very end of the day, I ran a Malware Antibytes full scan and noted that it found infections in c:\windows\explorer.exe and c:\windows\system32\logon.exe. It couldn't repair them, and I chose not to remove them. I then downloaded and ran Spybot... the rest you know from above.

What are my options now? My biggest priority is to recover important files from my desktop and desktop folders. Can this be done? I have my HP Restore Plus disk and Windows XP disk, so I can run a fixmbr but I've read that if a virus has messed with my partitions, this could make things worse. My first priority is getting copies of the files from my desktop, for which I do not have a backup. Any advice would be greatly appreciated! I should also mention that when I first bought this computer, I created a recovery partition so I have a D: drive showing, I'm just not sure how/when I'm supposed to make use of it.

I should also add that when I first bought this computer, I chose to create a partition drive for recovery, so I have a D: drive showing, but I'm really not certain if or how I should make use of it. Not sure if that could be helpful in getting access to my files.

Edited by Andrew, 16 December 2010 - 07:36 PM.




#2 AustrAlien


Posted 16 December 2010 - 03:56 PM

Sit tight: An experienced member of the Malware Response Team will be along to assist you.

#3 Elise



  • Malware Study Hall Admin
  • 61,252 posts

Posted 17 December 2010 - 03:27 AM

Hello, since you have an XP CD, try the following.
I will move this topic to a more appropriate forum.

Let's try to boot your computer using a Boot CD.

Please print this guide for future reference!

You will need a blank CD, your Windows XP install disc, a clean computer and a flash drive.

Please follow the steps below and let me know if you were successful. Please tell me what error messages you got and/or what steps you got hung up on.

1. Download the PE Builder to your desktop

http://www.nu2.nu/download.php?sFile=pebuilder3110a.exe
  • Double-Click on the PE Builder that you just downloaded to your desktop.
  • Follow all of the instructions/prompts that come up.
2. Insert your XP CD with SP1/SP2/SP3 into a CD Rom drive
  • Double-Click on PE Builder.exe located on your desktop.
  • Click NO to Search for Windows Installation Files
  • Make the following selections from the Main Screen that pops up:
    • Builder
    • Source:(path to Windows installation files)
    • Enter the path to the drive where your XP CD is located.
    • You can click on the "..." button on the right to navigate to the path as well.
  • Custom: (include files and folders from this directory)
    • No information is necessary, leave blank.
  • Output:
    • Keep the default
  • Media output
    • Choose Create ISO image
    • Do not choose Burn to CD/DVD
    • Download the RunScanner plugin and save it to your desktop

    http://www.paraglidernc.com/Files/RunScanner10025.cab

    Please note: You will be prompted for the folder that it shall be saved. By default it appears as runscanner10025. It should be modified to just runscanner <--- Important!!!


    • Press the Plugin button on the PE Builder interface
    • Press the Add button and navigate to the location of the RunScanner plugin to install
    • Please note: If you are using a Windows XP disc with SP2, then highlight "RpcSS needs to launch DComLaunch" and then press Enable
  • When you're done, press Close and the PE Builder interface will re-appear
3. Click on the "Build" button
  • You will see the Windows EULA message. Click on I Agree
  • You will now see the Build Screen. Let it run its course
  • When the Build is finished you can click close, then exit
4. Burn your ISO file to CD

==========

Next........

From your clean computer..

Please download OTLPE.zip and save it to a flash drive.
http://oldtimer.geekstogo.com/OTLPE.zip
http://www.itxassociates.com/OT-Tools/OTLPE.zip

Double click and unzip OTLPE.zip to its own folder on your flash drive. Name it OTLPE <-- Important!!

==========

Plug your flash drive into your sick computer now and do as instructed below..

==========

1. Restart Your sick Computer Using the PE Builder ISO CD That You Have Created
  • Insert the CD in to one of your CD/DVD drives.
  • Restart your computer.
    • The computer should choose to boot from the CD automatically. If it doesn't and you are asked if you want to boot from CD, then choose that option.
  • Once the desktop appears, you will receive a message asking: Do you want to start Network support?
    • Click on No
  • After it loads press the Go button in the lower left and do this....
    • Go
    • System
    • Display
    • Screen Resolution
    • 1024x768
    Next choose....
    • Go
    • Programs
    • A43 File Management Utility

==========

In A43 File Management you should see your flash drive.
Navigate to the OTLPE folder that you saved to your flash drive.

Open the OTLPE folder and double click Start.cmd.

  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTLPE should now start

    Change the following settings
    • Change Services, Drivers, Standard and Extra Registry to Use Safelist
    • Uncheck LOP and Purity check

    Please note: Stay with your computer during the course of the scan. If "Entry Point Errors" are encountered simply press "ok" and allow the program to continue. <-- Important!!
  • Push Posted Image
  • A report will open named "OTL.txt" and another will be minimized to the system tray named "Extra.txt". Save both logs to your flash drive. Copy and Paste them in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft


#4 alwayslost


Posted 17 December 2010 - 03:39 PM

Thanks for posting this. Just so I'm clear, in step 4, it states "next... from your clean computer". Does that mean that steps 1 and 2 should be completed from my infected computer? If so, I'm not clear on how to make this happen since I cannot log into it. Thanks!

#5 Elise


Posted 18 December 2010 - 08:19 AM

No, all these steps are from the clean computer.

regards, Elise




#6 Elise


Posted 30 December 2010 - 06:05 AM

Hi, are you still there?

regards, Elise




#7 Elise


Posted 08 January 2011 - 06:25 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

regards, Elise

