| Windows 7: Windows Crashes Unexpectedly |
17 Jun 2011
|
#1 | | Windows 7 Home Premium x64 |
Windows Crashes Unexpectedly
My PC (ASUS N61JV) is misbehaving. It powered off unexpectedly. When I switched it back on, the only thing I could see was a Blue Screen. I ran all the required tests and am attaching the reports for your convenience, including jcgriff2 and Blue Screen View & My Event Viewer Reports by NirSoft. I am using the x64 version of Windows 7. I am really freaking out. Will provide any further info you may need. Thanks | My System Specs |
| System Manufacturer/Model Number ASUS/N61JV OS Windows 7 Home Premium x64 CPU Intel Core i5 inside Motherboard ASUS Memory 4.00GB Graphics Card NViDiA GT 325M Sound Card Realtek HD Audio Screen Resolution 1366x768 Hard Drives 500GB |
17 Jun 2011
|
#2 | | Win7 Ultimate SP1 x64 / Windows 8 Pro / Android Mauritius |
- Stop overclocking the CPU - even a minor overclock can cause timing issues inside the OS if anything fails, either in the OS, or in the hardware. This should be done as the first thing.
- Update any and all device drivers, and any software that uses filter drivers (antivirus, antimalware, 3rd party firewalls, etc.) to their latest supported versions for Windows 7. This may take some time and research, but it's important this be done if and when possible.
- Run one, and only one, antivirus/antimalware application and firewall (if using a 3rd party one) at any one time - having multiple I/O filter drivers on a system can cause delays, corruption, and even crashes.
- Run chkdsk /f on the OS volume (usually C: ), which should require a reboot to run. Another "just in case", considering we did have an issue to a file on disk.
Run a scan of Malwarebytes
Code:
WINLOGON_FATAL_ERROR (c000021a)
The Winlogon process terminated unexpectedly.
Arguments:
Arg1: fffff8a008265fe0, String that identifies the problem.
Arg2: 0000000000000000, Error Code.
Arg3: ffffffffc0000001
Arg4: 0000000000100960
Debugging Details:
------------------
BUGCHECK_STR: 0xc000021a_0
ERROR_CODE: (NTSTATUS) 0xc000021a - {Fatal System Error} The %hs system process terminated unexpectedly with a status of 0x%08x (0x%08x 0x%08x). The system has been shut down.
EXCEPTION_CODE: (NTSTATUS) 0xc000021a - {Fatal System Error} The %hs system process terminated unexpectedly with a status of 0x%08x (0x%08x 0x%08x). The system has been shut down.
EXCEPTION_PARAMETER1: fffff8a008265fe0
EXCEPTION_PARAMETER2: 0000000000000000
EXCEPTION_PARAMETER3: ffffffffc0000001
EXCEPTION_PARAMETER4: 100960
ADDITIONAL_DEBUG_TEXT: initial session process or
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
PROCESS_NAME: smss.exe
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from fffff800034e183e to fffff80003087d00
STACK_TEXT:
fffff880`041e64e8 fffff800`034e183e : 00000000`0000004c 00000000`c000021a fffff880`041e6608 fffffa80`03b99960 : nt!KeBugCheckEx
fffff880`041e64f0 fffff800`032ce2c1 : fffffa80`04c5ace6 fffff880`041e6ca0 00000000`00000100 fffffa80`04c43890 : nt!PoShutdownBugCheck+0xae
fffff880`041e6570 fffff800`030d47cd : 00000000`00000000 00000000`00000004 00000000`00000000 00000000`0058f401 : nt!ExpSystemErrorHandler2+0x5e1
fffff880`041e67a0 fffff800`034b44a1 : 00000000`c000021a 00000000`00000004 00000000`00000001 fffff880`041e6b58 : nt!ExpSystemErrorHandler+0xdd
fffff880`041e67e0 fffff800`034b6223 : 00000000`c000021a fffffa80`00000004 fffff8a0`00000001 fffff880`041e6b58 : nt!ExpRaiseHardError+0xe1
fffff880`041e6b10 fffff800`03086f93 : fffffa80`04f37060 00000000`00000001 00000000`0058f458 fffff800`0337ebc4 : nt!NtRaiseHardError+0x1a1
fffff880`041e6bb0 00000000`7751264a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0058f438 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x7751264a
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!ExpSystemErrorHandler2+5e1
fffff800`032ce2c1 cc int 3
SYMBOL_STACK_INDEX: 2
SYMBOL_NAME: nt!ExpSystemErrorHandler2+5e1
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4d9fdd5b
FAILURE_BUCKET_ID: X64_0xc000021a_0_nt!ExpSystemErrorHandler2+5e1
BUCKET_ID: X64_0xc000021a_0_nt!ExpSystemErrorHandler2+5e1
Followup: MachineOwner
--------- | My System Specs | | System Manufacturer/Model Number Custom Build OS Win7 Ultimate SP1 x64 / Windows 8 Pro / Android CPU Intel Core 2 Quad Q8200 OC'd 3.08GHz Motherboard Asus Rampage formula LGA775 Memory 8GB DDR2 900Mhz Graphics Card Zotac GTX 460OC 2GB GDDR5/Asus EN9600GT 1GB DDR3 PhyX Sound Card Supreme FX2 Monitor(s) Displays AOC 22' Screen Resolution 1680x1050 Keyboard Prolink keyboard Mouse Prolink optical mouse PSU Cooler Master GX 650W Cooling Cooler Master V6 + 3X fans Hard Drives 3X500GB hitachi, 2TB internal, 500GB Seagate FreeAgent, 640GB Samsung Internet Speed 1MiB/s Other Info 5.1 System + 2.1 System |
17 Jun 2011
|
#3 | | Win 8 Release candidate 8400 |
I agree with yowanvista and suggest a bit further. This error occurs when a user-mode subsystem, such as WinLogon or the Client Server Run-Time Subsystem (CSRSS), has been fatally compromised and security can no longer be guaranteed. In response, the operating system switches to kernel mode. Microsoft Windows cannot run without WinLogon or CSRSS. Therefore, this is one of the few cases where the failure of a user-mode service can shut down the system.
I would start with either a Malwarebytes scan or Super Anti-spyware scan. | My System Specs | | System Manufacturer/Model Number HP Pavillion dv-7 1005 Tx OS Win 8 Release candidate 8400 CPU 2@2.4 Memory 4 gigs Graphics Card Nvidia 9600M Sound Card HD built-in Monitor(s) Displays 17" Wxga Screen Resolution 1440x900 Cooling none Internet Speed 45Mb down 5Mb up |
17 Jun 2011
|
#4 | | Windows 7 Home Premium x64 |

Quote: Originally Posted by yowanvista - Stop overclocking the CPU - even a minor overclock can cause timing issues inside the OS if anything fails, either in the OS, or in the hardware. This should be done as the first thing.
- Update any and all device drivers, and any software that uses filter drivers (antivirus, antimalware, 3rd party firewalls, etc.) to their latest supported versions for Windows 7. This may take some time and research, but it's important this be done if and when possible.
- Run one, and only one, antivirus/antimalware application and firewall (if using a 3rd party one) at any one time - having multiple I/O filter drivers on a system can cause delays, corruption, and even crashes.
- Run chkdsk /f on the OS volume (usually C: ), which should require a reboot to run. Another "just in case", considering we did have an issue to a file on disk.
Run a scan of Malwarebytes
- I didn't overclock my laptop. Is it possible that some software might have overclocked it by itself? How do I stop it?
- I have checked my drivers, it's all updated as far as I know
- I run only Microsoft Security Essentials and the Windows in-built firewall
- I ran the chkdsk /f utility as admin, and it ran through all its tests and then restarted. How do I check the results of the tests?
- I ran a Quick Scan of Malwarebytes, and it found two infections in the registry, which I have hence removed. Here is the log:
Code:
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org
Database version: 6879
Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421
17-06-2011 11:43:56 PM
mbam-log-2011-06-17 (23-43-56).txt
Scan type: Quick scan
Objects scanned: 188982
Time elapsed: 2 minute(s), 41 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SrvID (Malware.Trace) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Backdoor.Bot) -> Value: svchost -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Are these infections in the registry responsible?
Quote: Originally Posted by zigzag3143 I agree with yowanvista and suggest a bit further. This error occurs when a user-mode subsystem, such as WinLogon or the Client Server Run-Time Subsystem (CSRSS), has been fatally compromised and security can no longer be guaranteed. In response, the operating system switches to kernel mode. Microsoft Windows cannot run without WinLogon or CSRSS. Therefore, this is one of the few cases where the failure of a user-mode service can shut down the system.
I would start with either a Malwarebytes scan or Super Anti-spyware scan.
This is scary. What do I do if the CSRSS has been compromised?
Thanks yowanvista and zigzag3143 for bearing with me
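An added triage example, not part of any post in this thread: it parses the Malwarebytes log format shown above, checks the parsed detections against the summary counts, and flags autorun entries whose value name imitates a Windows system process. The function names and the short list of process names are assumptions for illustration.

```python
import re

# Excerpt of the Malwarebytes log quoted in this thread (registry sections only).
SAMPLE_LOG = r"""Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Registry Keys Infected:
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SrvID (Malware.Trace) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Backdoor.Bot) -> Value: svchost -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
"""

COUNT = re.compile(r"^(?P<section>[A-Za-z ]+) Infected: (?P<n>\d+)$")
HEADER = re.compile(r"^(?P<section>[A-Za-z ]+) Infected:$")
HIT = re.compile(r"^(?P<path>.+?) \((?P<label>[^()]+)\) -> "
                 r"(?:Value: (?P<value>.+?) -> )?(?P<action>.+)$")
AUTORUN = re.compile(r"\\CurrentVersion\\Run(Once)?(\\|$)", re.IGNORECASE)
# Assumption: a short illustrative list of core Windows process names.
SYSTEM_NAMES = {"svchost", "csrss", "winlogon", "smss", "lsass", "services"}

def parse_mbam_log(text):
    """Return (summary counts, detections) from a Malwarebytes 1.x text log."""
    counts, hits, section = {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := COUNT.match(line):
            counts[m["section"]] = int(m["n"])
        elif m := HEADER.match(line):
            section = m["section"]
        elif section and (m := HIT.match(line)):
            hits.append({"section": section, **m.groupdict()})
    return counts, hits

def triage(hit):
    """Tag a detection with the persistence traits worth following up."""
    tags = []
    if AUTORUN.search(hit["path"]):
        tags.append("autorun")  # value is launched at every logon of that user
        name = (hit["value"] or "").lower().removesuffix(".exe")
        if name in SYSTEM_NAMES:  # real svchost is started by services.exe, not a Run key
            tags.append("system-name-masquerade")
    return tags

def report(text):
    counts, hits = parse_mbam_log(text)
    parsed = {s: sum(h["section"] == s for h in hits) for s in counts}
    flagged = [(h["path"], h["label"], triage(h)) for h in hits if triage(h)]
    return {"complete": parsed == counts, "flagged": flagged}

print(report(SAMPLE_LOG))
```

A `complete` value of `False` means the detail sections do not match the summary counts, so the log was truncated or not parsed fully and should be re-read by hand.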
17 Jun 2011
|
#5 | | Win 8 Release candidate 8400 |
More than possible. Two possibilities: malware, or a change to the critical OS files (modded OS, corruption, etc). In any case security is compromised.
17 Jun 2011
|
#6 | | Windows 7 Home Premium x64 |
How do I know what the problem is, and what do I do?
17 Jun 2011
|
#7 | | Win 8 Release candidate 8400 |

Quote: Originally Posted by czar How do I know what the problem is, and what do I do?
1-If malware run malwarebytes and report results
2-If a modified operating system re-install an unmodified one.
Where did you get win 7 from and what version is it?
My money is on malware if you haven't altered the OS.
17 Jun 2011
|
#8 | | Windows 7 Home Premium x64 |

Quote: Originally Posted by zigzag3143
Quote: Originally Posted by czar How do I know what the problem is, and what do I do?
1-If malware run malwarebytes and report results
2-If a modified operating system re-install an unmodified one.
Where did you get win 7 from and what version is it?
My money is on malware if you haven't altered the OS.
I haven't altered the OS, and Malwarebytes' did detect two infections in the registry. Here is the log:
Code:
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org
Database version: 6879
Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421
17-06-2011 11:43:56 PM
mbam-log-2011-06-17 (23-43-56).txt
Scan type: Quick scan
Objects scanned: 188982
Time elapsed: 2 minute(s), 41 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SrvID (Malware.Trace) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Backdoor.Bot) -> Value: svchost -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
17 Jun 2011
|
#9 | | Win 8 Release candidate 8400 |
Just to be sure, reboot and re-run. If clean we can move on.
17 Jun 2011
|
#10 | | Windows 7 Home Premium x64 |

Quote: Originally Posted by zigzag3143 Just to be sure, reboot and re-run. If clean we can move on.
I ran scans again, and thankfully no threats were detected.
Also, I enabled Driver Verifier to check for corrupted drivers, and almost instantly, I got a BSOD. Here are dumps attached.