
Hitman Pro caused fatal system error c000021a trying to remove t5rc.dl



#1
Sunny7

The problem originally occurred in June 2011. I finally got a new computer, but still would like to boot up this one.

Hitman Pro said it was going to delete the t5rc.dll malware on reboot. I waited for the reboot, but instead got the Windows blue screen with a fatal system error c000021a. The logon process terminated unexpectedly 0xc0000135. The system shut down.

I could not reboot even to safe mode. I brought the computer in to the repair shop. They cleaned off all the viruses and spyware, and tried to reboot 3 times with a Windows XP boot disc. They continued to get the blue screen and could not log into Windows. They said that the Windows files are corrupted, and the hard drive needs to be wiped clean.

Subsequently, Hitmanpro support finally responded to me and told me to do the following. Then stopped responding to my emails:

"Try to start your computer from the Windows 7 dvd-rom or from Windows Repair and start a Command Prompt.
Use the following commands using the "bootrec.exe" tool to ensure a complete repair of your computer:

bootrec /fixmbr
bootrec /fixboot
bootrec /rebuildbcd"

Since I was running Windows XP and not Windows 7, I used the Windows XP Installation disk to bring up Windows Repair console.

I did fixmbr and fixboot commands. The "rebuildbcd" command was not an option in the repair console.

Both commands appeared to work, and then I tried to reboot the computer, but got the following error message "The system is not fully installed. Please run setup again."

I ran a chkdsk /r command in case there was a disk problem. It corrected a few minor disk problems.

I tried to reboot into safe mode with networking. It seemed to recognize that I had Windows XP Service pack 3 installed (it was displayed on the corners of the screen), but I got the same error message, "The system is not fully installed. Please run setup again."

The only help I can find to correct this is Windows XP support Article ID: 320279 - "The system is not fully installed" error message after you run Sysprep and restart. I do not know if this is applicable, as I did not run sysprep.

Operating System: Windows XP Professional - SP3
Dell Dimension Series, Intel Pentium 4 Processor at 3.2 GHz with HT Technology

One other piece of information: In my original contact with Hitman Pro support, they indicated that perhaps winlogon.exe and explorer.exe were infected with a sophisticated malware, and Hitman Pro tried to restore safe versions of these critical system files. But somehow something went wrong.

This is where I am right now. I would still like to boot up this computer, and any assistance would be greatly appreciated. Thank you.

Edited by Sunny7, 16 January 2012 - 01:16 PM.

#2
RKinner

This is a common result of using hitman pro on certain infections.

It may be hopeless without a repair install but we can try.

Get Hiren's Boot Disk:

http://www.hirensbootcd.org/download/
This is a BIG! Zip file so save it. Then right click on it and Extract all. Put a blank CD in the drive and then double click on BurnToCD.cmd. When it finishes you boot off it and run the MiniXP program. This will give you a fake XP desktop. You should be able to use it to visit your sick hard drive. If you can get that far then there is hope for it. Do you see one or more folders C:\found.00x where x can be any digits? Find the newest one and open it up until you find a list of files. What are they?

Under all programs you should find MBRWizard. If you can find it have it do a /list

mbrwiz  /list

(Perhaps you can take pictures of the screen with a digital camera and attach them to your next post?)

Ron

#3
Sunny7

Hello Ron,

Thank you for responding to my post. Even though Hitman Pro was recommended by Zone Alarm Support as a second malware check, I have subsequently seen many problems reported on the web using this software. I have learned my lesson.

May I clarify something with you: After I burn the CD with the boot information, I use the CD on my old XP computer to try to boot from? Is that correct?

Also, I would like to mention that I did copy off data from the old computer's hard drive to at least salvage my personal files and data. There are some programs loaded on the old computer that I would like to use a little more if I can get this machine booted up. They would be difficult (or impossible) to load on my Windows 7 laptop.

Please excuse any questions, as I do a lot of reading, but I am no expert. Thanks.

#4
RKinner


I use the CD on my old XP computer to try to boot from? Is that correct?


Correct tho it wouldn't hurt to try booting from the CD on your working PC just to make sure it works.

#5
Sunny7

Hello Ron,

I created the boot CD, and used it to create a fake XP desktop. I have access to my old hard drive. I was not able to find c:\found.00x. I only found "notfound.htm c\windows\pchealth\helpctr\system\errors"

I ran the mbrwiz and this is what I got (do not have a camera easy to access).

Disk: 0                   MBR/GPT: MBR
Size: 111.76gb            CHS: 14589 255 63
Sectors: 234375000        Disk Signature: 0x9dc96e9e
Partitions: 2             Partition Order: 1 2
Media type: Fixed         Interface: IDE
Description: ST3120026AS

Pos  idx  type/name  size  boot  hide  start sector  total sectors  dl  vol label
1    1    de-dell    39m   no    no    63            80,262             <none>
2    2    07-ntfs    111g  yes   no    80,325        234,291,960    C:  <none>


I wonder if my fixboot command was a mistake as my drive was ntfs, not fat?

Unfortunately, this editor is not keeping my spaces between items. I did try to key the spaces in.

Edited by Sunny7, 21 January 2012 - 04:56 PM.


#6
RKinner

You have a Dell so fixmbr was not the best choice. I think they have a nonstandard MBR.

http://support.dell....1&isLegacy=true



Let's see if we can modify http://support.microsoft.com/kb/307545 for use with Hiren's.

They tell us to:

copy c:\windows\system32\config\system c:\windows\tmp\system.bak
copy c:\windows\system32\config\software c:\windows\tmp\software.bak
copy c:\windows\system32\config\sam c:\windows\tmp\sam.bak
copy c:\windows\system32\config\security c:\windows\tmp\security.bak
copy c:\windows\system32\config\default c:\windows\tmp\default.bak

delete c:\windows\system32\config\system
delete c:\windows\system32\config\software
delete c:\windows\system32\config\sam
delete c:\windows\system32\config\security
delete c:\windows\system32\config\default

You could do this from a command prompt, but I assume the MiniXP has a version of Explorer (right click on Start and select Explore, or Start, All Programs, Accessories, Windows Explorer), so you could use it to go to c:\windows\system32\config

then select these 5 files (Hold down the Ctrl button and click on each)
system
software
sam
security
default
(Right click and select Cut.)

Now move to C:\Windows\tmp and right click and Paste.

What this does is make copies of the 5 files which make up the registry and then delete them from their usual spot.

Now

Look at C:\System Volume Information

If you can't see inside it then:

Start Windows Explorer.
On the Tools menu, click Folder options.
Click the View tab.
Under Hidden files and folders, click to select Show hidden files and folders, and then click to clear the Hide protected operating system files (Recommended) check box.
Click Yes when the dialog box that confirms that you want to display these files appears.
Double-click the drive where you installed Windows XP to display a list of the folders. It is important to click the correct drive.

Note This folder contains one or more _restore {GUID} folders such as "_restore{87BD3667-3246-476B-923F-F86E30B3E7F8}".

Open a folder that was not created at the current time. You may have to click Details on the View menu to see when these folders were created. There may be one or more folders starting with "RPx" under this folder. These are restore points.
Open one of these folders to locate a Snapshot subfolder. The following path is an example of a folder path to the Snapshot folder:
C:\System Volume Information\_restore{D86480E3-73EF-47BC-A0EB-A81BE6EE3ED8}\RP1\Snapshot

Look at the dates and pick one when things were working OK (before the infection)

From the Snapshot folder, copy the following files to the c:\windows\system32\config folder:

_REGISTRY_USER_.DEFAULT
_REGISTRY_MACHINE_SECURITY
_REGISTRY_MACHINE_SOFTWARE
_REGISTRY_MACHINE_SYSTEM
_REGISTRY_MACHINE_SAM

Right click on each and Rename them to
default
security
software
system
sam

Close explorer and reboot.

If you do not have any System Restore files then you can try a repair install.

http://www.geekstogo...air-windows-xp/
  • 0
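
Added example, not part of RKinner's post or the Microsoft article: before the five Snapshot files are renamed and placed in c:\windows\system32\config, their headers can be checked so that a truncated or half-written hive is not swapped in. The sketch below checks the "regf" signature, the header checksum and the two sequence numbers in the first 512 bytes of a file; the function names and the sample header are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

BASE_BLOCK = 512          # size of the part of the hive header inspected here
CHECKSUMMED = 508         # the header checksum covers the first 508 bytes

def header_checksum(block: bytes) -> int:
    """XOR of the first 127 little-endian dwords, with the two reserved results remapped."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", block[:CHECKSUMMED]):
        csum ^= dword
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return csum or 1

def check_hive_header(block: bytes) -> dict:
    """Classify the first 512 bytes of a file that is about to be used as a hive."""
    if len(block) < BASE_BLOCK or block[:4] != b"regf":
        return {"ok": False, "reason": "bad signature or truncated file"}
    if struct.unpack_from("<I", block, CHECKSUMMED)[0] != header_checksum(block):
        return {"ok": False, "reason": "header checksum mismatch"}
    seq1, seq2, filetime = struct.unpack_from("<IIQ", block, 4)
    # FILETIME counts 100 ns ticks since 1601-01-01 UTC
    written = datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)
    if seq1 != seq2:
        return {"ok": False, "reason": "sequence numbers differ (write was not completed)",
                "last_written": written}
    return {"ok": True, "reason": "header consistent", "last_written": written}

def check_hive_file(path: str) -> dict:
    """Read only the header of a file such as _REGISTRY_MACHINE_SYSTEM and check it."""
    with open(path, "rb") as fh:
        return check_hive_header(fh.read(BASE_BLOCK))

def make_sample_header(seq1=7, seq2=7, filetime=129_500_000_000_000_000) -> bytes:
    """Constructed test data: a minimal base block, not taken from a real hive."""
    body = (b"regf" + struct.pack("<IIQ", seq1, seq2, filetime)).ljust(CHECKSUMMED, b"\x00")
    return body + struct.pack("<I", header_checksum(body))

if __name__ == "__main__":
    samples = {"clean": make_sample_header(), "unfinished write": make_sample_header(seq1=8),
               "not a hive": b"\x00" * BASE_BLOCK}
    for label, block in samples.items():
        print(f"{label:17} {check_hive_header(block)}")
```

A consistent header says nothing about the data that follows it, so this catches truncated or half-written files, not every form of corruption. The last-written time it reports is a second way to confirm the restore point predates the infection.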

#7
Sunny7

Hello Ron,

Thanks for the tip about Dell having a nonstandard MBR. It would have been nice if Hitman Pro support would have mentioned this. I also saw the fixmbr command in various articles around the web, but nothing specific about problems with Dell having a nonstandard MBR. Duh!

Before I begin, a couple of questions:

1. "Let's see if we can modify http://support.microsoft.com/kb/307545 for use with Hiren's."

I read this support document, and it said not to use on a computer with an OEM-installed operating system. Dell installed my operating system, although I did all the updates up to and including Windows XP - SP3. Will this be a problem for me?

2. "Close explorer and reboot."

This time am I to reboot without the Hiren's CD Disk in the CD Drive? Is this correct?

Thanks again for all of your help.

#8
RKinner

I've done it on a Dell before. I expect you have already lost the ability to restore it how it came from the factory when you ran fixmbr.

Yes once you have made the changes then you cross your fingers and hope it boots on its own.

#9
Sunny7

During the night I was thinking that I should ask you if I should run the Dell equivalent of fixmbr that you linked me to the other day before trying this other approach.

Based on your response from last night, I guess that running the Dell fixmbr would probably just muddle things up more than they are already. Is that a correct assumption?

#10
RKinner

You can try it if you want to. I assume we can always run fixmbr again if it doesn't help.

The procedure I gave you backs up the registry files before we do anything so we can always put it back the way it was.

#11
Sunny7

Hello my new best friend, Ron!

I did some more reading about the fixmbr in Dells and found out that the link for the Dell MediaDirect Repair Utility driver usually has the following compatibility. Mine is a Dimension 8300.

http://www.dell.com/...riverId=R121517

Systems:
Inspiron 640m
Inspiron 9400/E1705
Inspiron I6400/E1505
XPS Desktop M1210
XPS Desktop M140
XPS Desktop M1710
XPS Desktop M2010

Operating Systems:
Windows XP

I also read the following pages and wondered if running fixmbr might not have been that big of a deal for me.

http://en.community....5/19670233.aspx

http://www.goodells.net/dellrestore/

So, I proceeded to follow your instructions regarding the snapshot folder. I used a restore date a couple of days before my infection.

I got to the welcome screen, but the system tells me that "This copy of windows must be activated with microsoft before you can log on. Do you want to activate windows now?"

I answer "yes," then it gives an msobe.exe application error. The instruction at "0x7e1e37b4" referenced memory at "0x00000000" The memory could not be written. Then it logs me out of my settings.

I do not have the computer hooked up to the internet right now. It is a wired connection to my router. I didn't want to go to the web until I was ready to deal with viruses and Malware again. Is this my problem or is something else going on?

By the way, I am so grateful for your help :P

Also, I should mention that before I did anything with fixmbr, I made copies of the various folders on the hard drive, i.e. system, dell etc., to a backup hard drive. It was a very rough copy - copy this whole folder and its contents to the backup. Not every file copied over well, but maybe there might be something in the backup if I totally goofed up the mbr.

Edited by Sunny7, 25 January 2012 - 07:07 PM.


#12
RKinner

Unlikely that you have saved any mbr info. It takes a special program to do that.


You can't activate that way without being on line so try being on line first then if that doesn't help see if this does:

BTW anyone trapped in the loop: you must activate < = > msoobe.exe error. ( 0x7726381C, memory could not be "written")

This program can be run from the window command prompt. I found that the activation error loop will let you F8 during bootup then select "Safe Mode with Command Prompt" to invoke the cmd.exe window.

Then, for my environment

c:\windows\ie7\spuninst\spuninst.exe

This prompted the uninstall wizard which despite some heart-rending pauses worked fine. Type "Exit" to end cmd.exe and then <ctrl-alt><del> >> Task Window > Shutdown >Restart.



#13
Sunny7

Hi Ron,

The first method didn't work, so I tried the command prompt idea.

This wants to uninstall ie7, and warns me about all the programs that possibly won't work if I uninstall ie7. Will it save all of my settings, favorites etc. if I uninstall ie7?

I'm really confused about this fix right now. I have used ie7 for quite a long time, and I'm not sure what deleting it will do to my current set-up.

Thanks.

p.s. I do have all the disks that Dell shipped with my computer, including the Windows XP reinstallation CD, and even a Service Pack 2 CD. I guess that I am confused about this authentication stuff...

Edited by Sunny7, 27 January 2012 - 04:22 PM.


#14
RKinner

I don't know about uninstalling IE and keeping your favorites.

If you have an XP CD that is really just XP and not some sort of return to how it left the factory CD then you can do a repair install. You will then need to install SP2 and SP3 and whatever other 100 updates are needed but it should save all your files and favorites:

http://www.geekstogo...air-windows-xp/

#15
Sunny7

The more I think about it, uninstalling IE7 should be no worse than starting fresh on my new computer. I do have a backup, so I should be able to import my favorites from that. I don't know if any of the programs that use IE will care whether or not I have deleted and then reinstalled IE. If this actually works, it is definitely less scary to me than doing the repair install and running Windows XP thru all of its updates again.