Greetings,
I pulled a computer out of cold storage last week. It was clean and running pretty well until yesterday, when I inadvertently left many Chrome windows up all day. Came back to a mess, machine dragging slow, could launch taskmgr but the crawl made it unusable. I've cleaned viruses and malware dozens of times, and so jumped right to my trusty BartPE USB, batch-updated to latest sigs for SpyBot and antivirus. It found and I cleaned a few viruses and a few more malware. Can give those details later if important.
However, starting up I now get the wonderful BSOD, "STOP: C000021A {Fatal System Error} The Windows Logon Process system process terminated unexpectedly with a status of 0xC0000005 (0x00000000 0x00000000)". This occurs after the graphical screen draws but immediately before the logon/GINA box should appear.
The machine is XP SP2. I have the licensed CD for it, and know I can do a repair install. However, can someone enumerate some things to check specific to this error? I've already checked winlogon.exe, userinit.exe, csrss.exe, all seem the correct version. The question is, what does Winlogon do at start, or what registry/INI settings can I check to see if the malware is still hooked in?
Also, in the process I used Nirsoft's RegScanner, and found a slew of InProcServer GUIDs whose keys were added/updated yesterday. But still, rather than searching through each one to see if it's related, what's the best thing to target? I've got 10+ years of experience in registry-level support of XP, so please don't shy from more technical suggestions how to figure out the problem. Links to technical description of what the Winlogon is doing at that point would also be great. I know I can use said BartPE flash drive and copy off data & reformat. Instead, I'd like to consider this an exercise in further honing skills, in support of a corporate environment. Particularly if it's something "easy" I'm missing.
Thanks in advance.
BSOD STOP C000021A 0xC0000005 after virus and spyware
#2
Posted 04 March 2011 - 01:21 AM
Let's see if we can glean a little more information.
Please download BlueScreenView
No installation required.
Double click on BlueScreenView.exe file to run the program.
When scanning is done, go Edit>Select All.
Go File>Save Selected Items, and save the report as BSOD.txt.
Open BSOD.txt in Notepad, copy all content, and paste it into your next reply.
#3
Posted 04 March 2011 - 02:24 AM
Thank you. (I may be thankful on each step.) Never used BlueScreenView. But unfortunately, I had set this machine to make no crash dumps, not even minidumps, carryover from my large NT dumps days.
I looked up and found info on the CrashControl Key, set the CrashDumpEnabled DWORD to 3 instead of 0, rebooted and STOP'd, no files.
Did so for all 4 ControlSet004 keys for good measure, and rebooted and STOP'd a few times, and still no files in C:\Windows\MiniDump.
All other regvals in CrashControl are good, standard, seem correct.
Could minidumps happen only after you login? I can't make/confirm the change in the UI as I can't login. Or maybe is there another reg setting to change other than in CrashControl?
#4
Posted 04 March 2011 - 02:44 AM
Why not just enable it in Startup and recovery? Restart the computer and wait for the BSODs.
#5
Posted 04 March 2011 - 03:00 AM
BSOD happens before you can login, immediately before the login screen should occur. You need to login to use Explorer, My Computer, Properties, etc...
Noticed the ERSvc had been disabled, more resource-saving measures. I changed it to Automatic (2), rebooted and Stop'd a few, still no files. Recovery Console is also installed, and I am able to get the cmd prompt, and it shows ERSvc is set to Auto.
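The offline checks described in posts #3 and #5, collected into one script as an added example (not part of any poster's reply). It assumes it is run from a PE environment such as BartPE, that the offline XP install is on C:, and that `OFFSYS` is a hypothetical temporary mount name; it reads the active control set from `Select\Current` instead of editing every `ControlSet00x` key.

```batch
@echo off
rem Added example: inspect crash-dump settings in an offline XP SYSTEM hive.
rem Assumptions: run from a PE environment (e.g. BartPE); the offline Windows
rem install is on C:; OFFSYS is a hypothetical temporary mount name.
setlocal
set HIVE=C:\WINDOWS\system32\config\SYSTEM
set MNT=HKLM\OFFSYS

rem Mount the offline hive; stop if it cannot be loaded.
reg load %MNT% "%HIVE%" || goto :eof

rem Select\Current names the control set the installation actually boots from.
rem reg.exe prints the value as hex (0x1); set /a converts it to decimal.
for /f "tokens=3" %%A in ('reg query %MNT%\Select /v Current ^| find "REG_DWORD"') do set /a CUR=%%A
rem Assumes a single-digit control set number, which is the normal case.
set CS=%MNT%\ControlSet00%CUR%
echo Active control set: ControlSet00%CUR%

rem CrashDumpEnabled: 0=none 1=complete 2=kernel 3=small (minidump).
rem MinidumpDir in the same key shows where small dumps are written.
reg query "%CS%\Control\CrashControl"

rem Writing a dump requires a page file on the boot volume.
reg query "%CS%\Control\Session Manager\Memory Management" /v PagingFiles

rem ERSvc start type: 2=automatic 3=manual 4=disabled.
reg query "%CS%\Services\ERSvc" /v Start

rem Always unload, or the hive file stays locked in the PE session.
reg unload %MNT%
endlocal
```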
#6
Posted 04 March 2011 - 03:18 AM
Have you tried to run either sfc /scannow or chkdsk /f /r from the recovery console?
#7
Posted 04 March 2011 - 08:23 AM
The Recovery Console is not a full shell and is limited in terms of its commands. There's no SFC, and CHKDSK only has the /R, not the /F, though it may do the same. It ran and didn't find/fix anything.
Running SFC on the BartPE, if it even works, would make a mess as it was built with SP3. I can't boot the machine, even to Safe Mode Command Prompt, to run the SFC properly.
#8
Posted 04 March 2011 - 11:37 AM
This Microsoft article may be of some use to you.
If this doesn't help you may want to try the repair installation.
I would also suggest installing SP3; as of last July, Microsoft no longer supports XP unless it has SP3.
This post has been edited by dc3: 04 March 2011 - 12:44 PM