Infected computer with BSOD and stop error c000021a

Hi Experts,
I have a co-worker's Dell Inspiron 6400 running XP Home, and it was badly infected with several viruses and trojans. I removed the viruses by hooking up the hard drive externally and running several scans with Malwarebytes, AVG, and SUPERAntiSpyware. I think all infections are removed, but I still receive a BSOD with "Fatal System Error" c000021a right after Windows boots up. I cannot get to the logon screen, safe mode does not work, and Last Known Good Configuration doesn't work either. All options just lead to the same BSOD. I have a Windows XP Pro CD and am wondering if it's possible to repair it from the Recovery Console. I am running chkdsk /r now from the Recovery Console, but I think I have a missing winlogon.exe and possibly more. Any help would be appreciated so I can get logged on to this computer and make sure it's clean once and for all. Thanks.
lskair asked:

Sudeep Sharma, Technical Designer, commented:
How about a repair install?

How to Repair Install:  ***Also removes Service Packs***
http://www.webtree.ca/windowsxp/repair_xp.htm#How%20to%20Repair%20Windows%20XP%20by%20Installing%20Over%20top%20of%20Existing%20Setup:

Sudeep
Dr. Klahn, Principal Software Engineer, commented:
You will get plenty of good advice here, but before trying any of it, I strongly advise you to make an image copy of the disk as it stands.  This way you can try multiple approaches, and no matter what happens, the situation cannot get any worse - you can get back to where things stand now.
lskair (Author) commented:
DrKlahn,
Great point. I don't want to risk losing my co-worker's files, so I will back them up. Can I just back up Documents and Settings to an external drive? Or is that a bad idea since the drive had infections? I have AutoPlay disabled on my computer. I can hook the infected HD up externally and copy files to a USB drive. Is that OK, instead of an image of the HD?
After backing up the files, you can walk me through the next step. I don't have any XP Home CD for install, so I am trying to avoid a reinstall or I will have to find software. I have genuine XP Pro CDs, so hopefully it can be fixed in the Recovery Console. I just don't know what needs to be done to fix the logon stop error.
souseran commented:
Do you have the system disks? Can you run diagnostics to check the hardware? Since you have the Windows disk, can you run SFC /SCANNOW from the Recovery Console?
lskair (Author) commented:
Souseran,
I don't think it's hardware. I am pretty sure it's from the infections which the computer had. There were several trojans and other viruses, but if you think I should run a hardware scan, then I can. I'm going to back up files first as DrKlahn suggested.
Jonvee commented:

Also have a look at the suggestions in this MS article>
How to troubleshoot a "STOP 0xC000021A" error:
http://support.microsoft.com/kb/156669

If still unresolved, see if this earlier thread helps>
"Stop Error C000021A-how can I fix this mess":
http://www.experts-exchange.com/Operating_Systems/WinXP/Q_20825379.html
ComphandyKen commented:
Back up your data.  

Then look in the logs of the anti-malware programs you used and see if they found an infected driver. ntfs.sys is a frequent target. So is cdfs.sys.

A lot of viruses these days infect a required system file in order to make the system unusable after an offline scan.

I always copy my scan logs to a file in Documents and Settings/all users/desktop so I can review them in case of this kind of problem.
arnold commented:
The problem you run into when copying while the system is down deals with SID mismatches, as well as the fact that some files may have been EFS-encrypted; access to those is not possible.

Make sure that the disk that came with the laptop is not a recovery disk that will erase all data/reformat to restore the system to its original condition.

If it is a regular Windows install, you let the first prompt for the repair console pass and select install, and on the second pass select the repair install option. All this process does is remove the Windows files that might have become corrupt and then start the install of Windows on the existing partition.

This process will also correct the registry, which might be what the issue is. I.e., does it say that ntldr or system cannot be found, etc.?

There are ways to rename the existing ones and copy the ones from the CD using the recovery console.


You need to drill down based on the exact error message.
lskair (Author) commented:
Going to back up data, then run sfc /scannow as suggested above. Will update after I complete those steps. Thanks for the help so far. Be back in a bit.
lskair (Author) commented:
Cannot run sfc /scannow; it doesn't show as a valid command in the Recovery Console.
lskair (Author) commented:
Here is the exact error with the BSOD:

STOP: c000021a {Fatal System Error}
The Windows Logon Process system process terminated unexpectedly with a status of 0xc0000034 (0x00000000 0x00000000).
The system has been shut down.
arnold commented:
http://support.microsoft.com/kb/156669

While the drive is attached to the other computer, you need to load the hive from the drive and make sure that HKLM has the correct reference to msgina.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value = GinaDLL REG_SZ
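To make the check above repeatable, here is an added example (not from the thread or from any of the posters) that loads the offline SOFTWARE hive from the slaved disk on the working PC and prints the Winlogon values. It assumes the infected disk shows up as E: (a placeholder; substitute the real letter) and that it is run from an Administrator command prompt. It goes slightly beyond arnold's post by also reporting the Userinit and Shell values, two other Winlogon entries that malware commonly rewrites, and by confirming that msgina.dll is actually present in system32.

```batch
@echo off
REM Added example, not code from the thread. Reads the Winlogon values of an
REM OFFLINE Windows XP installation while its disk is attached to a working PC.
REM Assumptions: the offline disk is E: (placeholder) and this runs as Administrator.
setlocal
set OFFDRIVE=E:
set HIVE=%OFFDRIVE%\WINDOWS\system32\config\software
set MOUNT=HKLM\OffSoftware

if not exist "%HIVE%" (
    echo SOFTWARE hive not found at %HIVE% - check the drive letter.
    exit /b 1
)

REM Load the offline SOFTWARE hive under a temporary key so it does not
REM touch the working PC's own HKLM\SOFTWARE.
reg load %MOUNT% "%HIVE%" >nul || (echo reg load failed. Run from an elevated prompt. & exit /b 1)

set WL=%MOUNT%\Microsoft\Windows NT\CurrentVersion\Winlogon

echo --- Winlogon values on the offline disk ---
REM GinaDLL is absent on a default XP install; Winlogon then uses msgina.dll.
REM Any other DLL name here, or a path outside system32, is worth investigating.
reg query "%WL%" /v GinaDLL 2>nul || echo GinaDLL not set: the default msgina.dll is used.

REM Default XP values: Userinit = C:\WINDOWS\system32\userinit.exe,  and Shell = Explorer.exe
REM Extra entries appended to either value are a common persistence trick.
reg query "%WL%" /v Userinit
reg query "%WL%" /v Shell

echo --- Is the GINA the system expects actually on disk? ---
if exist "%OFFDRIVE%\WINDOWS\system32\msgina.dll" (echo msgina.dll present) else (echo msgina.dll MISSING from system32)

REM Always unload; a loaded hive keeps the offline disk locked and cannot be
REM safely detached or repaired until it is released.
reg unload %MOUNT% >nul
endlocal
```

If GinaDLL names anything other than msgina.dll, or msgina.dll is reported missing, that matches the c000021a / 0xc0000034 (file not found) symptom in the error text posted above; the value can be corrected in regedit with the hive still loaded, or the file restored from the Windows CD, before the hive is unloaded.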

Jonvee commented:

It sounds as though the machine is still infected.  
Although you previously ran MBAM, AVG, & SAS scanners, your best shot may be to hook up the  hard drive externally once again, and run ComboFix.

Download ComboFix and save to Desktop >
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Before using ComboFix please disable any realtime Anti-virus, Anti-spyware, Shields, etc. that you may have running.
Also it may be necessary to rename ComboFix.exe (to Combo-Fix.exe for example), before saving it to your desktop.  

Double click "combofix.exe" and follow the prompts.
When it's finished it will have produced a Logfile, probably at C:\ComboFix.txt.
You could post that log here, please.  Someone here will write a short script, if it's necessary.
Do not mouse-click ComboFix's window while it is running, because it may stall.  
ComboFix should be run in normal mode.

If you need it > 
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Finally, if ComboFix finds nothing try Hitman Pro 3, a 2nd opinion Malware scanner:
http://www.surfright.nl/en/hitmanpro
nobus commented:
I suggest connecting your disk to a working PC and backing it up first (I hope you did that already).
Then post the minidump for more info; find it in windows\minidumps.
lskair (Author) commented:
I'm backing up data today and going to try to run ComboFix before I have to leave for my in-laws' for dinner. I will post the log back here, but it may not be for a day or two because of the holiday. That makes sense that it could still be infected. Hopefully that gets it fixed.
lskair (Author) commented:
Can I run ComboFix if I hook the bad hard drive up to my laptop via a SATA-to-USB adaptor? Will it still scan the attached devices? My laptop is XP Tablet, and the infected drive I'm hooking up is XP Home, but I want to make sure it's no problem before running ComboFix.
lskair (Author) commented:
OK, my computer has somehow also gotten infected. AVG just alerted me that MBAM is infected. I can't run MBAM. It might just be a fake, but I am going to clean my computer before hooking that dirty drive back up to it. I was trying to open MBAM to disable it so I could run ComboFix, and AVG said there was a trojan in mbamcore.dll and another in mbamnet.dll. I tried running ComboFix, but it told me that AVG conflicts and that I need to uninstall AVG first. Is this correct? I need to uninstall AVG and not just disable it?
Jonvee commented:
A recommended method of running ComboFix is to try downloading it to another machine, then into a USB memory stick or CD.  Rename it and carry to the infected machine, then try this key combination to reach a Run box>
Windows Logo+R: Run dialog box

Also, try renaming MBAM in the same manner suggested for ComboFix.exe
Disabling AVG should be sufficient, no need to uninstall it at this time.

If you continue to have difficulties, try Hitman Pro 3, a 2nd opinion Malware scanner:
http://www.surfright.nl/en/hitmanpro
lskair (Author) commented:
ComboFix is telling me it cannot run without first uninstalling AVG. I cannot run it without uninstalling AVG. Can anyone confirm this?
arnold commented:
Boot your system in safe mode. Use regedit to access the hive on the other system's hard drive to correct the msgina.dll reference. The user should then be able to boot the system in safe mode and run sfc /scannow.

And you will be left to fix your issue.


Jonvee commented:
>>ComboFix is telling me it cannot run without first uninstalling AVG<<

Then I would completely uninstall it (Add/Remove Programs), simply to get ComboFix running.  
You still need to rename ComboFix, but it's a very capable tool and may well resolve the infection problem.
Jonvee commented:
lskair,
Meanwhile, if you're still in difficulties, please take a look at an excellent Malware cleaning article by rpggamergirl, there are a number of good points here worth noting:
http://www.experts-exchange.com/Software/Internet_Email/Anti-Virus/A_1979-THINGS-YOU-NEED-TO-DO-WHEN-YOUR-PC-IS-INFECTED.html
johnb6767 commented:
If you have a severe infection preventing you from doing much of anything, I'd look at Dr.Web CureIt!. When you launch a scan, it basically locks the machine so nothing else is opened. It's the only one out there that can detect and cure some of the TDSS variants as well.

While you have the drive slaved, I'd look in that drive's Windows/System32/Drivers folder, sort it by date in Details view, and see what the last few "recently" modified drivers are. Depending on what you find, you might need to mount the SYSTEM hive and delete some services...

Could also be in the mbr even at this point....
lskair (Author) commented:
msgina.dll was the problem. I was able to repair it with the Windows disk. Thanks to all for the help. I couldn't run ComboFix with AVG installed, so I just ran several more scans with MBAM and SAS and was able to clean it all up and save the user's data. I will split points accordingly. Sorry for the delay, but I was away for the holiday.
Jonvee commented:
No problem, glad you were able to resolve it.
nobus commented:
Without a dump I can't help better... Thanks for the feedback.