TechSpot

Random reboots driver, PSU, RAM?

By ericcothran
Oct 14, 2009
  1. I have recently started having an issue where my PC just reboots with no error message. I have been told it could be a virus, drivers, PSU, RAM, etc. I got a blue screen error on the last reboot and it is as follows.
    Stop: c000021a {Fatal System Error} The Windows logon process system process terminated unexpectedly with the status of 0xc0000005 (0x00000000 0x00000000)
    the system has been shutdown


    I've taken out RAM, did all critical updates on the Microsoft website, ran Spybot S&D in safe mode, and checked all wires and plugs. Any thoughts or ideas what I got going on?
     
  2. Route44

    Route44 TechSpot Ambassador Posts: 11,966   +70

    Have you/can you scan for infections? I know you did Spybot but you need something deeper and more powerful like your antivirus, Malwarebytes, and/or Superantispyware.

    Have you in any way changed your administrative rights so that certain files and folders will no longer open?

    Have you run Memtest on your RAM?

    Here is your error as defined by auhma.org:

    0xC000021A: STATUS_SYSTEM_PROCESS_TERMINATED

    This occurs when Windows switches into kernel mode and a user-mode subsystem, such as Winlogon or the Client Server Runtime Subsystem (CSRSS), is compromised. Security can no longer be guaranteed. Because Win XP can’t run without Winlogon or CSRSS, this is one of the few situations where the failure of a user-mode service can cause the system to stop responding. This Stop message also can occur as a result of malware infestation or when the computer is restarted after a system administrator has modified permissions so that the SYSTEM account no longer has adequate permissions to access system files and folders.
     
  3. ericcothran

    ericcothran TS Rookie Topic Starter Posts: 59

    I haven't changed any admin rights. I ran 2 memtest for 3-4 hours. Spybot did find 3 files in safe mode of virtumonde.dll. Could this have been it, and would it have gotten it cleaned?
     
  4. gbhall

    gbhall TechSpot Chancellor Posts: 2,425   +77

    An error of C000005 is invariably associated with a hardware problem. Can be network card/RAM/HDD/add-on card etc. and sometimes due to a conflict within a driver. Essentially, C000005 is an attempt to write to an invalid address. It is too general an error to be more specific; perhaps a memory dump would be useful to someone?
     
  5. Route44

    Route44 TechSpot Ambassador Posts: 11,966   +70

    First, virtumonde.dll is a serious infection. I strongly recommend going to our Virus and Malware removal forum. Read the UPDATED 8 Step sticky, follow all the steps in proper order as given, and post there with the three required logs attached.

    And as gbhall writes, minidumps might be a good idea.
     
  6. ericcothran

    ericcothran TS Rookie Topic Starter Posts: 59

    I started doing scans in the order of the forum, and Avast found a good many viruses and CCleaner cleaned a good bit. Now I'm going to start them over and post some results, but I noticed all my font was in what looked like wingding. How did that happen and how do I fix that?
     
  7. Route44

    Route44 TechSpot Ambassador Posts: 11,966   +70

    Infections can cause all kinds of issues including messing with the fonts. As to how to fix it I am not sure so I don't want to give advice with knowledge I don't have!

    Right now the main issue is to get you clean. Someone here will be able to help you with the font issue. Avast is good. Malwarebytes and Superantispyware are also excellent. It will be interesting to see if they detect anything.
     
  8. ericcothran

    ericcothran TS Rookie Topic Starter Posts: 59

    OK, here is what I have gotten from HijackThis.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:59:50 PM, on 10/17/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Micro Innovations\Wireless Keyboard & Mouse Driver\KMWDSrv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\ups.exe
    c:\windows\explorer.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    F2 - REG:system.ini: Shell=c:\windows\explorer.exe
    O2 - BHO: (no name) - {06738F10-A332-4394-BC90-4912FDCDBF9a} - C:\WINDOWS\system32\fzkjgfrs.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {74E7705A-B516-4613-8854-8AC92F8D4143} - c:\windows\system32\hyblcje.dll
    O2 - BHO: (no name) - {a58f570a-7866-e761-2cc7-c579e810c56c} - (no file)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-21-1844237615-2000478354-839522115-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
    O4 - HKUS\S-1-5-21-1844237615-2000478354-839522115-1004\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User '?')
    O4 - S-1-5-21-1844237615-2000478354-839522115-1004 Startup: FINAL FANTASY XI (2).lnk = C:\Program Files\PlayOnline\SquareEnix\FINAL FANTASY XI\polboot.exe (User '?')
    O4 - S-1-5-18 Startup: FINAL FANTASY XI (2).lnk = C:\Program Files\PlayOnline\SquareEnix\FINAL FANTASY XI\polboot.exe (User '?')
    O4 - .DEFAULT Startup: FINAL FANTASY XI (2).lnk = C:\Program Files\PlayOnline\SquareEnix\FINAL FANTASY XI\polboot.exe (User 'Default user')
    O4 - Startup: FINAL FANTASY XI (2).lnk = C:\Program Files\PlayOnline\SquareEnix\FINAL FANTASY XI\polboot.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1232650802875
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: vckwxkrh - C:\WINDOWS\SYSTEM32\hyblcje.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Keyboard And Mouse Communication Service (KMWDSERVICE) - UASSOFT.COM - C:\Program Files\Micro Innovations\Wireless Keyboard & Mouse Driver\KMWDSrv.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 5860 bytes
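
Added example, not part of the original post and not HijackThis's own logic: a small Python triage pass over a few lines copied from the log above. Winlogon Notify DLLs are loaded inside winlogon.exe, the process named in the Stop c000021a message, so O20 entries are read together with the O2 (BHO) entries. The flagging rules are assumed review heuristics, not verdicts.

```python
import re
from collections import defaultdict

# Constructed sample: six O2/O20 lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06738F10-A332-4394-BC90-4912FDCDBF9a} - C:\WINDOWS\system32\fzkjgfrs.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {74E7705A-B516-4613-8854-8AC92F8D4143} - c:\windows\system32\hyblcje.dll
O2 - BHO: (no name) - {a58f570a-7866-e761-2cc7-c579e810c56c} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: vckwxkrh - C:\WINDOWS\SYSTEM32\hyblcje.dll
"""

# section, display name, optional {CLSID}, target path
ENTRY = re.compile(
    r"^(O2|O20) - (?:BHO|Winlogon Notify): (.+?) - (?:\{[0-9A-Fa-f-]+\} - )?(.+)$")
SYSTEM32 = "c:\\windows\\system32\\"


def triage(log_text):
    """Return {lower-cased target: [reasons]} for entries worth a closer look."""
    findings = defaultdict(list)
    seen = defaultdict(set)  # target -> HijackThis sections it appears in
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        section, name, target = m.group(1), m.group(2), m.group(3).strip()
        key = target.lower()  # Windows paths are case-insensitive
        seen[key].add(section)
        if key == "(no file)":
            findings[key].append(f"{section} '{name}': registered but file missing")
            continue
        # Assumed heuristic: DLL sits directly in system32, not in a vendor folder.
        in_sys32 = key.startswith(SYSTEM32) and "\\" not in key[len(SYSTEM32):]
        if section == "O2" and name == "(no name)" and in_sys32:
            findings[key].append("unnamed BHO loaded from system32")
        if section == "O20" and in_sys32:
            findings[key].append(f"Winlogon Notify DLL '{name}' in system32")
    for key, sections in seen.items():
        if {"O2", "O20"} <= sections:
            findings[key].append("same DLL registered as BHO and Winlogon Notify")
    return dict(findings)


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path, "->", "; ".join(reasons))
```
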
     
  9. Route44

    Route44 TechSpot Ambassador Posts: 11,966   +70

    This needs to be posted over at the Virus and Malware removal forum but keep in mind that you also need to attach the Malwarebytes and Superantispyware logs as well, otherwise you may not get the help you need.

    They also need to know that you went through all 8 steps.
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Moderator please delete this thread. The problem is being handled elsewhere. There are 4 threads.
     
  11. momok

    momok TS Rookie Posts: 2,265

    Bobbye: report the post in future as it gets the attention of all the mods.

    No need for deletion. Thread closed.
     
Topic Status:
Not open for further replies.
