lskair asked:
Infected computer with BSOD and stop error c000021a

Hi Experts,
I have a co-worker's Dell Inspiron 6400 running XP Home, and it was badly infected with several viruses and trojans. I removed the viruses by hooking up the hard drive externally and running several scans with Malwarebytes, AVG, and SUPERAntiSpyware. I think all infections are removed, but I still receive a BSOD with "Fatal System Error" c000021a right after Windows boots up. Cannot get to the logon screen, safe mode does not work, and last known good config doesn't work either. All options just lead to the same BSOD. I have a Windows XP Pro CD and am wondering if it's possible to repair it from the Recovery Console. I am running chkdsk /r now from the Recovery Console, but I think winlogon.exe is missing, and possibly more. Any help would be appreciated so I can get logged on to this computer and make sure it's clean once and for all. Thanks.
lskair (asker):
DrKlahn,
Great point. I don't want to risk losing my co-worker's files, so I will back them up. Can I just back up Documents and Settings to an external drive? Or is that a bad idea since the drive had infections? I have autoplay disabled on my computer. I can hook the infected HD up externally and copy files to a USB drive. Is that OK, instead of an image of the HD?
After backing up files, you can walk me through the next step. I don't have any XP Home CD for install, so I am trying to avoid a reinstall or I will have to find software. I have genuine XP Pro CDs, so hopefully it can be fixed in the Recovery Console. I just don't know what needs to be done to fix the logon stop error.
Do you have the system disks? Can you run diagnostics to check the hardware? Since you have the Windows disk, can you run SFC /SCANNOW from the Recovery Console?
lskair (asker):
Souseran,
I don't think it's hardware. I am pretty sure it's from the infections which the computer had. There were several trojans and other viruses, but if you think I should run a hardware scan, then I can. I'm going to back up files first as DrKlahn suggested.
Jonvee:
Also have a look at the suggestions in this MS article:
How to troubleshoot a "STOP 0xC000021A" error:
http://support.microsoft.com/kb/156669

If still unresolved, see if this earlier thread helps:
"Stop Error C000021A-how can I fix this mess":
https://www.experts-exchange.com/questions/20825379/Stop-Error-C000021A-how-can-I-fix-this-mess.html
Back up your data.  

Then look in the logs of the anti-malware programs you used and see if they found an infected driver. ntfs.sys is a frequent target. So is cdfs.sys.

A lot of viruses these days infect a required system file in order to make the system unusable after an offline scan.

I always copy my scan logs to a file in Documents and Settings/all users/desktop so I can review them in case of this kind of problem.
The problem you run into when copying while the system is down involves SID mismatches; also, some files may have been EFS encrypted, and access to those is not possible.

Make sure that the disk that came with the laptop is not a recovery disk that will erase all data/reformat to restore the system to its original condition.

If it is a regular Windows install, you let the first prompt for the repair console pass and select install, and on the second pass select the repair install option. All this process does is remove the Windows files that might have become corrupt and then start the install of Windows on the existing partition.

This process will also correct the registry, which might be what the issue is, i.e. does it say that ntldr or system cannot be found, etc.?

There are ways to rename the existing ones and copy the ones from the CD using the recovery console.


You need to drill down based on the exact error message.
lskair (asker):
Going to back up data, then run sfc /scannow as suggested above. Will update after I complete those steps. Thanks for the help so far. Be back in a bit.
lskair (asker):
Cannot run sfc /scannow; it doesn't show as a valid command in the Recovery Console.
lskair (asker):
Here is the exact error with the BSOD:

STOP: c000021a {Fatal System Error}
The Windows Logon Process system process terminated unexpectedly with a status of 0xc0000034 (0x00000000 0x00000000).
The system has been shut down.
It sounds as though the machine is still infected.
Although you previously ran MBAM, AVG, & SAS scanners, your best shot may be to hook up the hard drive externally once again, and run ComboFix.

Download ComboFix and save to Desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Before using ComboFix please disable any realtime Anti-virus, Anti-spyware, Shields, etc. that you may have running.
Also it may be necessary to rename ComboFix.exe (to Combo-Fix.exe for example), before saving it to your desktop.

Double click "combofix.exe" and follow the prompts.
When it's finished it will have produced a Logfile, probably at C:\ComboFix.txt.
You could post that log here please. Someone here will write a short script, IF it's necessary.
Do not mouse-click ComboFix's window while it is running, because it may stall.
ComboFix should be run in normal mode.

If you need it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Finally, if ComboFix finds nothing try Hitman Pro 3, a 2nd opinion Malware scanner:
http://www.surfright.nl/en/hitmanpro
lskair (asker):
I'm backing up data today and going to try to run ComboFix before I have to leave for my in-laws' for dinner. I will post the log back here, but it may not be for a day or two because of the holiday. That makes sense that it could still be infected. Hopefully that gets it fixed.
lskair (asker):
Can I run ComboFix if I hook the bad hard drive up to my laptop via a SATA-to-USB adaptor? Will it still scan the attached devices? My laptop is XP Tablet, and the infected drive I'm hooking up is XP Home, but I want to make sure it's no problem before running ComboFix.
lskair (asker):
OK, my computer has somehow also gotten infected. AVG just alerted me that MBAM is infected. I can't run MBAM. Might just be a fake, but I am going to clean my computer before hooking that dirty drive back up to it. I was trying to open MBAM to disable it so I could run ComboFix, and AVG said there was a trojan in mbamcore.dll and another in mbamnet.dll. I tried running ComboFix, but it told me that AVG conflicts and that I need to uninstall AVG first. Is this correct? I need to uninstall AVG and not just disable it?
A recommended method of running ComboFix is to try downloading it to another machine, then onto a USB memory stick or CD. Rename it and carry it to the infected machine, then try this key combination to reach a Run box:
Windows Logo+R: Run dialog box

Also, try renaming MBAM in the same manner suggested for ComboFix.exe
Disabling AVG should be sufficient, no need to uninstall it at this time.

If you continue to have difficulties, try Hitman Pro 3, a 2nd opinion Malware scanner:
http://www.surfright.nl/en/hitmanpro
lskair (asker):
ComboFix is telling me it cannot run without first uninstalling AVG. I cannot run it without uninstalling AVG. Can anyone confirm this?
Boot your system in safe mode. Use regedit to access the hive on the other system's hard drive to correct the msgina.dll reference. The user should then be able to boot the system in safe mode and run sfc /scannow.

And you will be left to fix your issue.


>>ComboFix is telling me it cannot run without first uninstalling AVG<<

Then I would completely uninstall it (Add/Remove Programs), simply to get ComboFix running.
You still need to rename ComboFix, but it's a very capable tool and may well resolve the infection problem.
If you have a severe infection preventing you from doing much of anything, I'd look at Dr. Web CureIt. When you launch a scan, it basically locks the machine so nothing else is opened. It's the only one out there that can detect and cure some of the TDSS variants as well.

While you have the drive slaved, I'd look in that drive's Windows/System32/Drivers folder, sort it by date in Details view, and see what the last few "recently" modified drivers are. Depending on what you find, you might need to mount the SYSTEM hive and delete some services...

Could also be in the MBR even at this point....
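The two offline checks suggested above (the msgina.dll reference in the slaved drive's Winlogon key, and the recently modified drivers under System32\Drivers) can be done from a clean machine with the following PowerShell script; it is an added example, not from this thread, and it assumes the slaved XP drive is mounted as D:, an elevated prompt, and an arbitrary temporary hive name of OfflineSW.

```powershell
# Added triage script (not from the thread). Assumes the slaved XP drive is
# mounted as D: on a clean machine and the prompt is elevated.
$Sys32 = 'D:\WINDOWS\system32'

# 1. Winlogon configuration from the OFFLINE hive. 'OfflineSW' is an
#    arbitrary temporary key name. Stock XP has no GinaDLL value (which
#    means msgina.dll is used), Userinit = 'C:\WINDOWS\system32\userinit.exe,'
#    and Shell = 'Explorer.exe'; anything else deserves a closer look.
reg load HKLM\OfflineSW "$Sys32\config\software" | Out-Null
try {
    $wl = Get-ItemProperty 'HKLM:\OfflineSW\Microsoft\Windows NT\CurrentVersion\Winlogon'
    foreach ($name in 'GinaDLL', 'Userinit', 'Shell') {
        $val = $wl.$name
        if ($null -eq $val) { "$name : (not set, default applies)" }
        else                { "$name : $val" }
    }
} finally {
    reg unload HKLM\OfflineSW | Out-Null
}

# 2. The logon binaries winlogon loads. Status 0xc0000034 in the BSOD is
#    STATUS_OBJECT_NAME_NOT_FOUND, i.e. something winlogon needs is gone.
#    Compare each file with the protected copy sfc keeps in dllcache.
foreach ($f in 'winlogon.exe', 'msgina.dll', 'userinit.exe') {
    $live  = Join-Path $Sys32 $f
    $cache = Join-Path "$Sys32\dllcache" $f
    if (-not (Test-Path $live))  { "$f : MISSING from system32"; continue }
    if (-not (Test-Path $cache)) { "$f : present (no dllcache copy)"; continue }
    $same = (Get-FileHash $live).Hash -eq (Get-FileHash $cache).Hash
    if ($same) { "$f : matches dllcache" } else { "$f : DIFFERS from dllcache" }
}

# 3. Most recently written drivers, newest first (the Details-view check
#    suggested above). An infected ntfs.sys or cdfs.sys, as mentioned earlier
#    in the thread, would show up here with an out-of-place timestamp.
Get-ChildItem "$Sys32\drivers" -Filter '*.sys' |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 15 Name, LastWriteTime, Length |
    Format-Table -AutoSize
```

A dllcache match is only a consistency check, since an infection that patches the live file can patch the cached copy too; the definitive comparison is against the files on the XP CD.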
lskair (asker):
msgina.dll was the problem. I was able to repair it with the Windows disk. Thanks to all for the help. I couldn't run ComboFix with AVG installed, so I just ran several more scans with MBAM and SAS and was able to clean it all up and save the user's data. I will split points accordingly. Sorry for the delay, but I was away for the holiday.
No problem, glad you were able to resolve it.
Without a dump I can't help better... thanks for the feedback.