XP Blue Screen STOP 0xC000021A + trojan


This topic is locked
37 replies to this topic

#1 symbi
Posted 03 January 2011 - 11:45 PM

Dell Dimension E510, Windows XP Media Center, SP3 and most mid-November Windows Updates, I think. I use AVG Free 2011 but update has been erroring out General Error for some time so the databases are badly out of date. My bad - one of many poor decisions in the past 2 days and I really (really) do know better.

On Jan 2 I noticed that some Google searches were getting redirected to random pages and suspected malware. I updated and ran CCleaner (it had been awhile, removed thousands of files/ freed 185 MB of disk space), Windows Defender (no errors), SpyBot S&D (one error corrected, don't recall specifics), MalwareBytes (a few errors corrected, don't remember), then tried to run Ad-Aware - AVG interfered with it. I deactivated AVG and was able to install Ad-Aware from an old installer - it downloaded the latest version and requested a reboot. Upon reboot, I had to deactivate AVG for the maximum 15 minutes again, then the new version of Ad-Aware finished its install, updated dbs and started scanning. It seems that in the middle of the Ad-Aware scan, AVG came back to life and flashed a warning screen indicating approx 8 infections...including Trojan horse Patched_c.KAI in winlogon.exe and Virus Win32/Patched.GB in explorer.exe - it did indicate that these are system files and should not be moved. I was multitasking and clicked one of the options in the AVG window (I think I asked it to disinfect, bad, bad idea). That hung the AVG window and caused the Ad-Aware window to stop scanning files. Keyboard & mouse were still responsive and I could access other programs. After about 5 minutes of no change, I clicked the close X in the AVG window. About 1 minute after, it notified that the task could not be killed because it was locked (paraphrase, I didn't write down the exact text), then the computer became completely unresponsive. Another few minutes wait, then hard reset resulting in the first BSOD:

STOP: c000021a {Fatal System Error}
The Windows Logon Process system process terminated unexpectedly with a status of 0xc0000034 (0x0 0x0).
The system has been shut down.

Restarting the computer and accessing the f8 boot menu, I was able to get into Safe Mode. I was able to run Ad-Aware in Safe Mode, but it took hours and found no errors. Inexplicably I then ran AVG again - in safe mode it runs in command line mode only. It found the same two infections as above as well as ms.dll with Generic3_c.AERQ, which it moved to the virus vault. Hoping that this was enough to get back to Windows, I restarted only to get the same STOP. I then tried to get back to Safe Mode and now it also gives the same STOP! I then tried the Last Known Good config with the same STOP error. Per the Microsoft Support Pages, this is a problem with either winlogon.exe or csrss.exe...and it does seem that winlogon.exe is infected...

During the list of processes that load before Safe Mode, it was hanging at avgidseh.sys, so after some Internet searching and per suggestions at the AVG forum, I got into Recovery Console from the OEM Windows reinstall disk and renamed a series of avg*.sys files...did not help. Now a safe mode boot attempt hangs at Mup.sys.

Tonight I tried using the AVG Recovery CD install to go into the virus vault and extract ms.dll (into root of C: and a copy into Windows\System32) to see if that would get me any further - it did not. So I used a clean Knoppix 6.4.3 boot disk to get onto the file system and started copying important data onto a spare drive, in preparation for a possible Windows repair from the Dell OS reinstall DVD. It appears that I'll have to get back into Recovery Console and manually uninstall Internet Explorer first, and recovering from a repair install doesn't sound like that much fun, but my data should be OK (I'll back it up anyway!). However, that process should allow me to get back into Windows but won't solve the malware problem.

Is it possible to confirm that I'm on the right track, even though I don't yet have DDS or GMER logs to post? And if so, am I in the right place to start? Thanks very much in advance!

Edited by symbi, 04 January 2011 - 06:39 AM.




#2 B-boy/StyLe/
Posted 09 January 2011 - 06:26 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log



IMPORTANT NOTE:

If the system has been used after topic creation time we need to take a look at fresh logs. So, please post fresh copies of dds.txt & attach.txt logs.



Regards,
Georgi



#3 symbi

Posted 09 January 2011 - 11:41 PM

Hi Georgi,

Thank you very much for the reply! I have a bigger problem, though...Windows is not even starting at this point, even in Safe Mode. I can get to Windows Recovery Console from my OEM Windows media, and I can access the drives using a Knoppix boot disk. I'll be glad to try running DDS and GMER via those routes with some extra guidance though I suspect both rely on a functional Windows to be of much good. I am about to try a Windows repair from the boot CD, just to get back into Windows, then to run the scans but wanted to check first to see if that will do more harm than good since I've already botched things up a couple of times on my own. Thanks very much for any guidance you can provide!

#4 gringo_pr

Posted 10 January 2011 - 02:36 PM

Hello

I will be helping you from this point forward.

Here is what I would like you to do first, and also let me know if you have access to another Windows XP computer.

Try this please. You will need a USB drive.

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Next download http://noahdfear.net/downloads/driver.sh to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Remove the USB drive and insert back in your working computer and navigate to report.txt

    Please note - all text entries are case sensitive
Copy and paste the report.txt for my review


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 symbi

Posted 11 January 2011 - 01:00 AM

Hi Gringo,

A pleasure to be working with you! I do have access to a second functional Windows XP machine running next to the sick one.

I followed all of your instructions to create a bootable USB with xPUD (latest version - 5.0.11 from October 2010), worked just fine, on a freshly formatted 1 GB USB drive. I moved it to the sick computer and at first I was getting a blinking amber light in the power button, no power at all (new symptom just starting today). I took off the cover, checked front and back USB ports for shorts, reseated the ribbon cable that extends USB from the back master to the front hub, blew everything out with canned air, nothing obvious, but I did get the computer to restart finally. I can only keep it reliably starting by leaving the cover off, suggesting a short somewhere but again nothing obvious. Incidentally, I have also just replaced the CMOS battery (more in a minute) and will do some further testing tomorrow to see if that makes it more reliable.

Once I got the computer to restart regularly, I could not find USB device as a boot option, either in the F12 menu or inside the BIOS - the Dell BIOS Boot Sequence menu lists USB Devices as (not present). I have changed multiple BIOS settings trying to get this to change - disabled USB Controller, restarted, re-enabled, restarted, disabled USB for FlexBay (13 in 1 card reader), even disabled and re-enabled the main hard drive array controller, all to no avail. That gave me the idea to change the CMOS battery since the computer is over 4 years old and I started having the boot problem with flashing amber light. There still may be something shorted in the USB bus somewhere, but I can't find it yet. I have tried moving the USB drive around both back and front USB ports, focusing on ports I know work (keyboard/mouse combo port, USB printer), no luck. A couple of months ago I was having problems with the keyboard failing to be recognized and I would have to swap USB ports around in back of the system to get it to boot. That recently went away (results of my cleaning efforts and carefully inspecting the USB ports, I thought initially), but at one point I was considering buying and installing a PCI USB controller card to add to the system. Something very strange is going on...

A note that my system includes a factory installed Intel ARRAY controller, and my primary boot disk is RAID 0 mirrored. I don't know if the array is messing with USB booting, but wanted to include that for completeness.

Not to give up so easily, I tested the USB with xPUD in the other working computer (Dell Vostro 1000 laptop) and it booted fine. So, next I tried creating a PLoP boot CD to create a boot manager, then pointed it to the USB drive. It either crashed PLoP or failed to boot under many different configurations, until I enabled USB 1.1 but tied the EHCI driver to a specific port and finally got PLoP to load! But, the type of USB driver setup I had to use to get PLoP to work did not include keyboard or mouse support, so xPUD booted but I couldn't do anything and ultimately had to power off.

I wondered if I could run the same commands you requested under Knoppix, so I booted to that drive but I cannot see the USB key anywhere, it doesn't seem to mount properly. I'm not skilled enough with Linux to be sure I'm mounting the drive properly and I don't even know if that will work anyway. I just thought to try downloading the driver.sh file you needed from a Knoppix browser window, running the commands you called for and entering the text log from a Knoppix browser since I know I can get back here that way, but I will have to try that tomorrow based on time.

Thanks for all of your help, sorry to be so difficult!

#6 gringo_pr

Posted 11 January 2011 - 01:15 AM

Hello

OK, let's try it from a CD.

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download driver.sh to your USB drive
  • Remove the USB & CD and insert it in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Remove the USB drive and insert it back in your working computer and navigate to report.txt

    Please note - all text entries are case sensitive
Copy and paste the report.txt for my review

#7 symbi

Posted 11 January 2011 - 08:52 PM

Hi again,

I started working on it this morning and I've got the boot disk and what I need on the USB drive, but now I am fighting with the apparently well known but new to me Dell E510 flashing amber light problem that is supposed to signify a motherboard or power supply issue but is in reality something undetermined. I can get into xPUD and can use the keyboard to select a language and start, but once reaching the Welcome to xPUD screen I have no mouse or (apparently) keyboard control, so I can't take the next steps. Oddly, I have keyboard control booting to a Knoppix disk so I'm going to see if I can execute the bash driver.sh from there and post the results using the Knoppix web browser since I can get to the 'net from that boot disk.

And I'm going to work on troubleshooting the hardware problem, hopefully an old, known good power supply will help.

[EDIT]: I take it back, I was just not patient enough! After SEVERAL minutes, I gained keyboard and mouse control inside xPUD...but the sda and sdb mount points are identical access to the hard drive (perhaps because they are mirrored?). I'll see what I can find....

Edited by symbi, 11 January 2011 - 08:54 PM.


#8 gringo_pr

Posted 11 January 2011 - 09:03 PM

If you can't see the USB drive, remove it and put it back in.


Gringo

#9 symbi

Posted 11 January 2011 - 09:20 PM

Yes, I'm trying that and no additional mount points show up, I have sda1-4 and sdb1-4. I went to the terminal and ran fdisk -l, the USB is not showing up. I'm swapping USB ports now to see if I can get it to appear. *sigh* intermittent USB availability seems to be another symptom of this Dell E510 problem....

#10 gringo_pr

Posted 11 January 2011 - 09:29 PM

Hello

Here is the short version of what I want to do, so maybe you can do it with the Knoppix CD, but I am not sure how.

I want to move these files from the good computer to the sick computer

C:\Windows\explorer.exe
C:\WINDOWS\system32\winlogon.exe

#11 symbi

Posted 11 January 2011 - 09:41 PM

OK, I can ftp the files in question from the good computer to a temp directory on my web host, then use xPUD's web browser to put them on the sick computer - do you want the good computer files to overwrite the sick ones or should I put them elsewhere on the drive? I think I have to put them on both the sda2 and sdb2 so the mirror matches, but no big deal.

Edited by symbi, 11 January 2011 - 09:41 PM.


#12 gringo_pr

Posted 11 January 2011 - 09:46 PM

do you want the good computer files to overwrite the sick ones - yes

I think I have to put them on both the sda2 and sdb2 so the mirror matches, but no big deal. - put it on both to be safe
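As an added example (not from this thread or from either poster), here is the check a practitioner would run from the live CD before rebooting: after the known-good explorer.exe and winlogon.exe have been copied onto both halves of the mirror as advised above, confirm that every copy is byte-identical to the staged clean source, so a half that still carries the old file is caught before the next boot attempt. The staging directory, the mount points and the demo tree below are assumptions and constructed data, not the real paths on this machine.

```shell
#!/bin/sh
# Added example: verify that replacement system files landed identically on both
# halves of a mirrored pair.  Assumed layout: CLEAN holds the copies staged from
# the good machine, A and B are the two mirror halves as mounted from the live
# CD (for instance /mnt/sda2 and /mnt/sdb2).

# SHA-256 of one file; uses sha256sum where present, shasum otherwise.
file_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_replacement CLEAN_DIR MIRROR_A MIRROR_B REL_PATH...
# Prints one status line per copy; returns 0 only if every copy on both halves
# matches the clean source, 1 if any copy is missing or still differs.
verify_replacement() {
    clean=$1; a=$2; b=$3; shift 3
    bad=0
    for rel in "$@"; do
        if [ ! -f "$clean/$rel" ]; then
            echo "MISSING clean source: $clean/$rel"; bad=1; continue
        fi
        want=$(file_hash "$clean/$rel")
        for half in "$a" "$b"; do
            if [ ! -f "$half/$rel" ]; then
                echo "MISSING  $half/$rel"; bad=1
            elif [ "$(file_hash "$half/$rel")" = "$want" ]; then
                echo "OK       $half/$rel"
            else
                echo "MISMATCH $half/$rel (still differs from the clean copy)"; bad=1
            fi
        done
    done
    return $bad
}

# Constructed demo tree standing in for the staging directory and the two
# mirror halves.  File contents are placeholder text, not real binaries.
make_demo() {
    root=$(mktemp -d)
    for d in clean sda2 sdb2; do
        mkdir -p "$root/$d/WINDOWS/system32"
    done
    printf 'clean explorer\n' > "$root/clean/WINDOWS/explorer.exe"
    printf 'clean winlogon\n' > "$root/clean/WINDOWS/system32/winlogon.exe"
    # sda2: both files replaced correctly
    cp "$root/clean/WINDOWS/explorer.exe"          "$root/sda2/WINDOWS/"
    cp "$root/clean/WINDOWS/system32/winlogon.exe" "$root/sda2/WINDOWS/system32/"
    # sdb2: explorer.exe replaced, but winlogon.exe is still the old copy
    cp "$root/clean/WINDOWS/explorer.exe"          "$root/sdb2/WINDOWS/"
    printf 'patched winlogon\n' > "$root/sdb2/WINDOWS/system32/winlogon.exe"
    echo "$root"
}

DEMO=$(make_demo)
verify_replacement "$DEMO/clean" "$DEMO/sda2" "$DEMO/sdb2" \
    WINDOWS/explorer.exe WINDOWS/system32/winlogon.exe \
    && echo "all copies match" || echo "do not reboot yet: fix the copies listed above"
rm -rf "$DEMO"
```

The check only shows that the copies landed; it says nothing about whether the good machine's files are the same Windows version and service pack as the sick machine, which is a separate precondition for swapping system files. In the demo the second half still carries the old winlogon.exe, so the run ends with "do not reboot yet".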

#13 symbi

Posted 11 January 2011 - 09:50 PM

OK, done, going to try booting into Windows now?

#14 gringo_pr

Posted 11 January 2011 - 09:54 PM

fingers crossed

#15 symbi

Posted 11 January 2011 - 10:22 PM

Yeah, that didn't work - now when I try to boot from the internal disk the message Loading PBR for descriptor 2...done flashes by nearly unreadable (has always done that) then where Windows normally tries to boot, the system restarts, neverending loop. Let me see if I can undo that...
