Random reboots driver, PSU, RAM?

[ericcothran]

I have recently started having issue that my PC just reboots with no error messege. I have been told it could be a virus, drivers, PSU, ram, etc., I got a blue screen error on the last reboot and it is as follows.
Stop: c000021a {Fatal System Error} The Windows logon process system process terminated unexpectedly with the status of 0xc0000005 (0x00000000 0x00000000)
the system has been shutdown

I've taken out ram, did all critical updates on microsoft website, ran spybot S&D in safe mode, and checked all wires and plugs. Any thoughts or ideas what I got going on?

 

[Route44]

Have you/can you scan for infections? I know you did Spybot but your need something deeper and more powerful like your antivirus, malwarebytes, and/or superantispyware.

Have you in any way changed your administrative rights so that certain files and folders will no longer open?

Have you run Memtest on your RAM?

Here is your error as defined by auhma.org:

0xC000021A: STATUS_SYSTEM_PROCESS_TERMINATED

This occurs when Windows switches into kernel mode and a user-mode subsystem, such as Winlogon or the Client Server Runtime Subsystem (CSRSS), is compromised. Security can no longer be guaranteed. Because Win XP can’t run without Winlogon or CSRSS, this is one of the few situations where the failure of a user-mode service can cause the system to stop responding. This Stop message also can occur as a result of malware infestation or when the computer is restarted after a system administrator has modified permissions so that the SYSTEM account no longer has adequate permissions to access system files and folders.

 

[ericcothran]

I haven't changed any admin rights. I ran 2 memtest for 3-4 hours. Spybot did find 3 files in safe mode of virtumonde.dll could this have been it and would it have gotten it cleaned?

 

[gbhall]

an error of C000005 is invariably associated with a hardware problem. Can be network card/ram/HDD/add-on card etc and sometimes due to a conflict within a driver. Essentially, C000005 is an attempt to write to an invalid address. It is too general an error to be more specific, perhaps a memory dump would be useful to someone?

 

[Route44]

I haven't changed any admin rights. I ran 2 memtest for 3-4 hours. Spybot did find 3 files in safe mode of virtumonde.dll could this have been it and would it have gotten it cleaned?

First, virtumonde.dll is a serious infection. I strongly recommend going to our Virus and Malware removal forum read the UPDATED 8 Step sticky, follow all the steps in proper order as given, and post there with the three required logs attached.

And as gbhall writes minidumps might be a good idea.

 

[ericcothran]

i started doing scans in the order of the forum, and avast found a good many viruses and the ccleaner cleaned a good bit. Now I'm going to start them over and post some results, but I noticed all my font was in what looked like wingding. How did that happen and how do I fix that?

 

[Route44]

Infections can cause all kinds of issues including messing with the fonts. As to how to fix it I am not sure so I don't want to give advice with knowledge I don't have!

Right now the main issue is to get you clean. Someone here will be able to help you with the font issue. Avast is good. Malwarebytes and Superantispyware are also excellent. It will be interesting to see if they detect anything.

 

[ericcothran]

ok, here is what I have gotten from hijackthis.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:59:50 PM, on 10/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Micro Innovations\Wireless Keyboard & Mouse Driver\KMWDSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\ups.exe
c:\windows\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: Shell=c:\windows\explorer.exe
O2 - BHO: (no name) - {06738F10-A332-4394-BC90-4912FDCDBF9a} - C:\WINDOWS\system32\fzkjgfrs.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {74E7705A-B516-4613-8854-8AC92F8D4143} - c:\windows\system32\hyblcje.dll
O2 - BHO: (no name) - {a58f570a-7866-e761-2cc7-c579e810c56c} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-21-1844237615-2000478354-839522115-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1844237615-2000478354-839522115-1004\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User '?')
O4 - S-1-5-21-1844237615-2000478354-839522115-1004 Startup: FINAL FANTASY XI (2).lnk = C:\Program Files\PlayOnline\SquareEnix\FINAL FANTASY XI\polboot.exe (User '?')
O4 - S-1-5-18 Startup: FINAL FANTASY XI (2).lnk = C:\Program Files\PlayOnline\SquareEnix\FINAL FANTASY XI\polboot.exe (User '?')
O4 - .DEFAULT Startup: FINAL FANTASY XI (2).lnk = C:\Program Files\PlayOnline\SquareEnix\FINAL FANTASY XI\polboot.exe (User 'Default user')
O4 - Startup: FINAL FANTASY XI (2).lnk = C:\Program Files\PlayOnline\SquareEnix\FINAL FANTASY XI\polboot.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1232650802875
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: vckwxkrh - C:\WINDOWS\SYSTEM32\hyblcje.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Keyboard And Mouse Communication Service (KMWDSERVICE) - UASSOFT.COM - C:\Program Files\Micro Innovations\Wireless Keyboard & Mouse Driver\KMWDSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5860 bytes

 

[Route44]

This needs to be posted over at the Virus and Malware removal forum but keep in mind that you also need to attach the Malwarebytes and Superantispyware logs as well,otherwise you may not get the help you need.

They also need to know that you went through all 8 steps.

 

[Bobbye]

Moderator please delete this thread. The problem is being handled elsewhere. There are 4 threads.

 

[momok]

Bobbye: report the post in future as it gets the attention of all the mods.

No need for deletion. Thread closed.