BSOD STOP C000021A 0xC0000005 after virus and spyware


7 replies to this topic

#1 bmarone


Posted 04 March 2011 - 12:18 AM

Greetings,

I pulled a computer out of cold storage last week. It was clean and running pretty well until yesterday, when I inadvertently left many Chrome windows up all day. Came back to a mess, machine dragging slow, could launch taskmgr but the crawl made it unusable. I've cleaned viruses and malware dozens of times, and so jumped right to my trusty BartPE USB, batch-updated to latest sigs for SpyBot and antivirus. It found and I cleaned a few viruses and a few more malware. Can give those details later if important.

However, starting up I now get the wonderful BSOD, "STOP: C000021A {Fatal System Error} The Windows Logon Process system process terminated unexpectedly with a status of 0xC0000005 (0x00000000 0x00000000)". This occurs after the graphical screen draws but immediately before the logon/GINA box should appear.

The machine is XP SP2. I have the licensed CD for it, and know I can do a repair install. However, can someone enumerate some things to check specific to this error? I've already checked winlogon.exe, userinit.exe, csrss.exe, all seem the correct version. The question is, what does Winlogon do at start, or what registry/INI settings can I check to see if the malware is still hooked in?

Also, in the process I used Nirsoft's RegScanner, and found a slew of InProcServer GUIDs whose keys were added/updated yesterday. But still, rather than searching through each one to see if it's related, what's the best thing to target? I've got 10+ years of experience in registry-level support of XP, so please don't shy from more technical suggestions how to figure out the problem. Links to technical description of what the Winlogon is doing at that point would also be great. I know I can use said BartPE flash drive and copy off data & reformat. Instead, I'd like to consider this an exercise in further honing skills, in support of a corporate environment. Particularly if it's something "easy" I'm missing.

Thanks in advance.



#2 dc3


Posted 04 March 2011 - 01:21 AM

Let's see if we can glean a little more information.


Please download BlueScreenView
No installation required.
Double click on BlueScreenView.exe file to run the program.
When scanning is done, go Edit>Select All.
Go File>Save Selected Items, and save the report as BSOD.txt.
Open BSOD.txt in Notepad, copy all content, and paste it into your next reply.

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.

 

 

 

 


#3 bmarone


Posted 04 March 2011 - 02:24 AM

Thank you. (I may be thankful on each step.) Never used BlueScreenView. But unfortunately, I had set this machine to make no crash dumps, not even minidumps, carryover from my large NT dumps days.

I looked up and found info on the CrashControl Key, set the CrashDumpEnabled DWORD to 3 instead of 0, rebooted and STOP'd, no files.
Did so for all 4 ControlSet004 keys for good measure, and rebooted and STOP'd a few times, and still no files in C:\Windows\MiniDump.
All other regvals in CrashControl are good, standard, seem correct.

Could minidumps happen only after you login? I can't make/confirm the change in the UI as I can't login. Or maybe is there another reg setting to change other than in CrashControl?
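A read-only way to confirm the settings described in the post above from a BartPE command prompt, added here as an example and not part of any poster's reply. It assumes the affected XP install is on C:, that reg.exe is available in the PE build, and uses `OfflineSys` as an arbitrary mount name for the offline SYSTEM hive.

```batch
@echo off
rem Added example. Assumptions: run from the BartPE command prompt, the
rem affected XP install is on C:, and OfflineSys is an arbitrary mount name.
setlocal
set HIVE=C:\WINDOWS\system32\config\system
set MNT=HKLM\OfflineSys

reg load %MNT% "%HIVE%" >nul || (echo Could not load %HIVE% & exit /b 1)

rem An offline hive has no CurrentControlSet. Select\Current names the
rem ControlSetNNN that the installed system boots from.
set CUR=
for /f "tokens=3" %%A in ('reg query %MNT%\Select /v Current ^| find "Current"') do set /a CUR=%%A
if not defined CUR (echo Select\Current not readable & goto done)
set PAD=00%CUR%
set BOOTSET=ControlSet%PAD:~-3%
echo Boot control set: %BOOTSET%

rem Report dump and error-reporting settings for every control set.
rem CrashDumpEnabled: 0 = none, 1 = complete, 2 = kernel, 3 = small (minidump)
rem ERSvc Start:      2 = automatic, 3 = manual, 4 = disabled
for /f "delims=" %%K in ('reg query %MNT% ^| find /i "\ControlSet"') do (
    echo.
    echo == %%K
    reg query "%%K\Control\CrashControl" /v CrashDumpEnabled
    reg query "%%K\Control\CrashControl" /v MinidumpDir
    reg query "%%K\Services\ERSvc" /v Start
)

:done
rem Always unload so the hive file is released before rebooting
reg unload %MNT% >nul
endlocal
```

Only the control set reported as the boot control set takes effect on the next normal boot; values in the others matter only if that set is selected instead.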

#4 dc3


Posted 04 March 2011 - 02:44 AM

Why not just enable it in Startup and recovery? Restart the computer and wait for the BSODs.


 

 

 

 


#5 bmarone


Posted 04 March 2011 - 03:00 AM

BSOD happens before you can login, immediately before the login screen should occur. You need to login to use Explorer, My Computer, Properties, etc...

Noticed the ERSvc had been disabled, more resource-saving measures. I changed it to Automatic (2), rebooted and Stop'd a few, still no files. Recovery Console is also installed, and I am able to get the cmd prompt, and it shows ERSvc is set to Auto.

#6 dc3


Posted 04 March 2011 - 03:18 AM

Have you tried to run either sfc /scannow or chkdsk /f /r from the recovery console?


 

 

 

 


#7 bmarone


Posted 04 March 2011 - 08:23 AM

The Recovery Console is not a full shell and is limited in terms of its commands. There's no SFC, and CHKDSK only has the /R, not the /F, though it may do the same. It ran and didn't find/fix anything.

Running SFC on the BartPE, if it even works, would make a mess as it was built with SP3. I can't boot the machine, even to Safe Mode Command Prompt, to run the SFC properly.

#8 dc3


Posted 04 March 2011 - 11:37 AM

This Microsoft article may be of some use to you.

If this doesn't help you may want to try the repair installation.

I would also suggest installing SP3, as of last July Microsoft no longer supports XP unless it has SP3.

Edited by dc3, 04 March 2011 - 12:44 PM.


 

 

 

 




