Help! Blue Screen after SuperAntiSpyware

DrewKill

So I have a computer in for a virus fix and I uninstalled McAfee, installed and ran Malwarebytes, installed and ran SUPERAntiSpyware, and on reboot I get a blue screen saying:

STOP: c000021a
The Windows Logon Process system process terminated unexpectedly with a status 0xc0000034

It does have to do with the logon process, so I copied all the DLLs from another Windows XP system into that computer. It booted but I got an error saying it couldn't find the file oddc.dll under winlogin.exe. I did copy it from an XP Pro system onto an XP Home PC.
Any ideas?
 
Not that this helps but the error could be anything from a bad uninstall of McAfee, to what was removed by MBAM or SAS. Not necessarily SAS' fault.

The only other reference I can find online to ODDC.DLL is in this thread:
http://icrontic.com/forum/showthread.php?t=35071
...and it's a BHO.

Edit: You only specified a reboot after all 3 steps were done. If you rebooted after each step then, yes, it was probably SAS.
 
Yes, I did reboot in between each step: twice for McAfee, and once for Malwarebytes and SAS. I'm guessing one of the system files was corrupted and SAS removed it. My next idea is to do a repair reinstall and see if that fixes it. Right now I'm doing an image backup of the whole drive even though it's unbootable, just in case I need to nuke it and reinstall; I can grab the files off of the old one.
 
Also, if anyone knows of a way to do a system file checker from a boot CD, or a tool that does the same thing without being able to boot the OS?
 
If you think it's something that SAS did then check the SAS log to see what it removed. If Windows won't load then boot with a live CD like UBCD4WIN and find the log; it will have a path like:
%USERPROFILE%\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Logs\SUPERAntiSpyware Scan Log - 03-18-2011 - 09-50-39.log
 
I don't think system restore is possible until I can get into the system. I checked the SAS logs and it did delete a file named ODDC.DLL from the system32 folder. Weird how I can find almost nothing about this DLL anywhere on the internet. I'm almost ready to give up and nuke but if it's just that one file that is keeping me from booting then I don't want to give up.
 
I would load the registry hive and search through for ODDC.dll. See if you can remove any entries from the registry which use this DLL as it certainly seems to be malicious. Be careful what you remove though.
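
The offline registry search suggested above, as an added example that is not part of the original post. It assumes the unbootable XP disk is attached to a working Windows PC as `E:` and that PowerShell is running elevated; the mount names `OFFLINE_SOFTWARE` and `OFFLINE_SYSTEM` are hypothetical. It only reads and reports, so any removal stays a manual decision.

```powershell
# Added example. Assumptions (not from the thread): the XP disk is attached to
# a working Windows PC as E:, and this runs in an elevated PowerShell session.
$ConfigDir = 'E:\WINDOWS\system32\config'   # offline hive files (assumed path)
$Needle    = 'oddc.dll'                     # file name reported in the SAS log
$Hives     = @{ OFFLINE_SOFTWARE = 'software'; OFFLINE_SYSTEM = 'system' }
$Raw       = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

function Find-InKey {
    param([Microsoft.Win32.RegistryKey]$Key, [string]$Text)
    foreach ($name in $Key.GetValueNames()) {
        # Read raw data so %SystemRoot% etc. are not expanded against the host.
        $data = @($Key.GetValue($name, $null, $Raw)) -join ' '
        if ($name -like "*$Text*" -or $data -like "*$Text*") {
            [pscustomobject]@{ Key = $Key.Name; Value = $name; Data = $data }
        }
    }
    foreach ($sub in $Key.GetSubKeyNames()) {
        if ($sub -like "*$Text*") {
            [pscustomobject]@{ Key = "$($Key.Name)\$sub"; Value = '(key name)'; Data = '' }
        }
        try { $child = $Key.OpenSubKey($sub) } catch { continue }   # access denied
        if ($child) { Find-InKey -Key $child -Text $Text; $child.Close() }
    }
}

foreach ($mount in $Hives.Keys) {
    $file = Join-Path $ConfigDir $Hives[$mount]
    & reg.exe load "HKLM\$mount" $file | Out-Null      # mount the offline hive
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load $file"; continue }
    try {
        $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($mount)
        Find-InKey -Key $root -Text $Needle | Format-List
        $root.Close()
    } finally {
        # Release any remaining handles, otherwise the unload is refused.
        [gc]::Collect(); [gc]::WaitForPendingFinalizers()
        & reg.exe unload "HKLM\$mount" | Out-Null
    }
}
```

Hits under `Microsoft\Windows NT\CurrentVersion\Winlogon` in the SOFTWARE hive deserve the closest look, since those are values the Windows Logon Process reads at startup.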
 
> I don't think system restore is possible until I can get into the system. I checked the SAS logs and it did delete a file named ODDC.DLL from the system32 folder. Weird how I can find almost nothing about this DLL anywhere on the internet. I'm almost ready to give up and nuke but if it's just that one file that is keeping me from booting then I don't want to give up.

The ERD / DART disk does offline system restore. Also UBCD4Win has reg restore wizard.
 
> Weird how I can find almost nothing about this DLL anywhere on the internet.
If you can't find any information about a .dll file used in XP then usually that is a good sign it is probably malware. Maybe check with SAS and see why they remove oddc.dll and what malware installs it. Did SAS just delete the one thing, I know it always deletes tracking cookies but no other .dll or .exe files?

What about restoring oddc.dll from quarantine using SUPERAntiSpyware on UBCD4WIN? The machine would still be infected but at least maybe it would be running.

You would think that SAS would have a boot tool to undo the last quarantined items if the computer BSODs and won't load Windows. There should be two files for every time things are quarantined, like:
\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 03-18-2011 - 09-50-39.DSC
\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 03-18-2011 - 09-50-39.SBU
I wouldn't think you could un-quarantine from a slaved drive because it might restore to the host drive C: and not the slaved drive.
 
I'd echo the manual system restore approach.
Offline sfc is also possible from the recovery console, just read the options (sfc /?)
 
> Offline sfc is also possible from the recovery console, just read the options (sfc /?)

Are you sure you can run SFC from Recovery Console? I didn't think SFC was a valid command from within the Recovery Console? If it does work, I have learnt something today.

The MS article doesn't list it http://support.microsoft.com/kb/314058

Rather than doing a N&P, wouldn't you be better off trying a repair install if the option is available?

Just tried the SFC from the recovery console and it reported it as an invalid command.
 
No you can't run SFC from the XP recovery console. You can run it and system restore from the Recovery Environments of Vista and 7 but that's not going to help here.

The ERD is the way forward.
 
> No you can't run SFC from the XP recovery console. You can run it and system restore from the Recovery Environments of Vista and 7 but that's not going to help here.
>
> The ERD is the way forward.

I stand corrected, I had run from Vista/7, obviously not xp. Apologies.
 
Thanks for the help guys. I never found anything in the registry about oddc.dll and I tried restoring the quarantine files from SAS of a virtual PC. That didn't work. I ended up doing a nuke and pave. I'm not proud of it but I needed to get it done; I spent too much time on it as it was.
 