Windows Crashes Unexpectedly

czar

My PC (ASUS N61JV) is misbehaving. It powered off unexpectedly. When I switched it back on, the only thing I could see was a Blue Screen. I ran all the required tests and am attaching the reports for your convenience, including jcgriff2 and Blue Screen View & My Event Viewer reports by NirSoft. I am using the x64 version of Windows 7. I am really freaking out. I will provide any further info you may need. Thanks
 

My Computer
Computer Manufacturer/Model Number: ASUS/N61JV
OS: Windows 7 Home Premium x64
CPU: Intel Core i5 inside
Motherboard: ASUS
Memory: 4.00GB
Graphics Card(s): NViDiA GT 325M
Sound Card: Realtek HD Audio
Screen Resolution: 1366x768
Hard Drives: 500GB

  • Stop overclocking the CPU - even a minor overclock can cause timing issues inside the OS if anything fails, either in the OS, or in the hardware. This should be done as the first thing.
  • Update any and all device drivers, and any software that uses filter drivers (antivirus, antimalware, 3rd party firewalls, etc.) to their latest supported versions for Windows 7. This may take some time and research, but it's important this be done if and when possible.
  • Run one, and only one, antivirus/antimalware application and firewall (if using a 3rd party one) at any one time - having multiple I/O filter drivers on a system can cause delays, corruption, and even crashes.
  • Run chkdsk /f on the OS volume (usually C:), which should require a reboot to run. Another "just in case", considering we did have an issue with a file on disk.
Run a scan of Malwarebytes

Code:
WINLOGON_FATAL_ERROR (c000021a)
The Winlogon process terminated unexpectedly.
Arguments:
Arg1: fffff8a008265fe0, String that identifies the problem.
Arg2: 0000000000000000, Error Code.
Arg3: ffffffffc0000001
Arg4: 0000000000100960

Debugging Details:
------------------


BUGCHECK_STR:  0xc000021a_0

ERROR_CODE: (NTSTATUS) 0xc000021a - {Fatal System Error}  The %hs system process terminated unexpectedly with a status of 0x%08x (0x%08x 0x%08x).  The system has been shut down.

EXCEPTION_CODE: (NTSTATUS) 0xc000021a - {Fatal System Error}  The %hs system process terminated unexpectedly with a status of 0x%08x (0x%08x 0x%08x).  The system has been shut down.

EXCEPTION_PARAMETER1:  fffff8a008265fe0

EXCEPTION_PARAMETER2:  0000000000000000

EXCEPTION_PARAMETER3:  ffffffffc0000001

EXCEPTION_PARAMETER4: 100960

ADDITIONAL_DEBUG_TEXT:  initial session process or

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

PROCESS_NAME:  smss.exe

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from fffff800034e183e to fffff80003087d00

STACK_TEXT:  
fffff880`041e64e8 fffff800`034e183e : 00000000`0000004c 00000000`c000021a fffff880`041e6608 fffffa80`03b99960 : nt!KeBugCheckEx
fffff880`041e64f0 fffff800`032ce2c1 : fffffa80`04c5ace6 fffff880`041e6ca0 00000000`00000100 fffffa80`04c43890 : nt!PoShutdownBugCheck+0xae
fffff880`041e6570 fffff800`030d47cd : 00000000`00000000 00000000`00000004 00000000`00000000 00000000`0058f401 : nt!ExpSystemErrorHandler2+0x5e1
fffff880`041e67a0 fffff800`034b44a1 : 00000000`c000021a 00000000`00000004 00000000`00000001 fffff880`041e6b58 : nt!ExpSystemErrorHandler+0xdd
fffff880`041e67e0 fffff800`034b6223 : 00000000`c000021a fffffa80`00000004 fffff8a0`00000001 fffff880`041e6b58 : nt!ExpRaiseHardError+0xe1
fffff880`041e6b10 fffff800`03086f93 : fffffa80`04f37060 00000000`00000001 00000000`0058f458 fffff800`0337ebc4 : nt!NtRaiseHardError+0x1a1
fffff880`041e6bb0 00000000`7751264a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0058f438 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x7751264a


STACK_COMMAND:  kb

FOLLOWUP_IP: 
nt!ExpSystemErrorHandler2+5e1
fffff800`032ce2c1 cc              int     3

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  nt!ExpSystemErrorHandler2+5e1

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  4d9fdd5b

FAILURE_BUCKET_ID:  X64_0xc000021a_0_nt!ExpSystemErrorHandler2+5e1

BUCKET_ID:  X64_0xc000021a_0_nt!ExpSystemErrorHandler2+5e1

Followup: MachineOwner
---------
 

My Computer
Computer type: PC/Desktop
Computer Manufacturer/Model Number: Custom Build
OS: Windows 10 Pro x64, Arch Linux
CPU: Intel Core 2 Quad Q8200 OC'd 3.08GHz
Motherboard: Asus Rampage formula LGA775
Memory: 8GB DDR2 900Mhz
Graphics Card(s): MSI GT730 2GB GDDR5 (Kepler)
Sound Card: Supreme FX2
Monitor(s) Displays: Samsung LS22F350 LED
Screen Resolution: 1080P
Hard Drives: Kingston SSDNow UV400 120GB, 500GB Hitachi, 2TB Samsung, 500GB Seagate FreeAgent, 640GB Samsung, 160GB Toshiba (Arch)
PSU: AeroCool 500W Bronze
Cooling: Cooler Master V6 + 3X fans
Keyboard: Prolink keyboard
Mouse: Logitech M705
Internet Speed: 1MiB/s
Browser: Chrome Beta

I agree with yowanvista and suggest a bit further,

This error occurs when a user-mode subsystem, such as WinLogon or the Client Server Run-Time Subsystem (CSRSS), has been fatally compromised and security can no longer be guaranteed. In response, the operating system switches to kernel mode. Microsoft Windows cannot run without WinLogon or CSRSS. Therefore, this is one of the few cases where the failure of a user-mode service can shut down the system.

I would start with either a Malwarebytes scan or Super Anti-spyware scan.
 

My Computer
Computer Manufacturer/Model Number: HP Pavillion dv-7 1005 Tx
OS: Win 8 Release candidate 8400
CPU: [email protected]
Memory: 4 gigs
Graphics Card(s): Nvidia 9600M
Sound Card: HD built-in
Monitor(s) Displays: 17" Wxga
Screen Resolution: 1440x900
Cooling: none
Internet Speed: 45Mb down 5Mb up

  • I didn't overclock my laptop. Is it possible that some software might have overclocked it by itself? How do I stop it?
  • I have checked my drivers, it's all updated as far as I know
  • I run only Microsoft Security Essentials and Windows In-built firewall
  • I ran the chkdsk /f utility as admin, and it ran through all its tests and then restarted. How do I check the results of the tests?
  • I ran a Quick Scan of Malwarebytes, and it found two infections in the registry, which I have hence removed. Here is the log:
Code:
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6879

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

17-06-2011 11:43:56 PM
mbam-log-2011-06-17 (23-43-56).txt

Scan type: Quick scan
Objects scanned: 188982
Time elapsed: 2 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SrvID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Backdoor.Bot) -> Value: svchost -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Are these infections in the registry responsible?

This is scary. What do I do if the CSRSS has been compromised?

Thanks yowanvista and zigzag3143 for bearing with me :)
 

My Computer: ASUS/N61JV, Windows 7 Home Premium x64

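Added example, not part of the original thread: the Malwarebytes log in the post above flags a `Run` value named `svchost` under HKEY_CURRENT_USER. This Python sketch checks autorun entries for that pattern, a value or executable named after a Windows system process that does not live in System32. The sample entries, their paths and the `SYSTEM_NAMES` list are constructed assumptions; on Windows, `read_run_key()` reads the live key with the standard `winreg` module.

```python
import ntpath
import re
import sys

# Core processes that live only in System32 and are never started from Run.
SYSTEM_NAMES = {"svchost", "csrss", "winlogon", "smss", "lsass", "services"}
SYSTEM_DIR = r"c:\windows\system32"  # assumption: default install path

def exe_path(command):
    """Extract the executable path from a Run-key command line."""
    command = command.strip()
    m = re.match(r'"([^"]+)"', command) or re.match(r"(.+?\.exe)\b", command, re.I)
    return m.group(1) if m else (command.split() or [""])[0]

def suspicious(name, command):
    """Return a reason if the entry masquerades as a system process."""
    path = ntpath.normpath(exe_path(command)).lower()
    stem = ntpath.splitext(ntpath.basename(path))[0]
    if stem in SYSTEM_NAMES and ntpath.dirname(path) != SYSTEM_DIR:
        return f"{stem}.exe outside System32: {path}"
    if name.lower() in SYSTEM_NAMES:
        return f"autorun value named after system process '{name}'"
    return None

def audit(entries):
    """entries: {value_name: command}. Returns {value_name: reason}."""
    return {n: r for n, c in entries.items() if (r := suspicious(n, c))}

def read_run_key():
    """Read the current user's Run key on Windows (standard-library winreg)."""
    import winreg
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    entries = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = number of values
            name, value, _type = winreg.EnumValue(key, i)
            entries[name] = str(value)
    return entries

# Constructed sample entries (not taken from the poster's machine).
SAMPLE = {
    "svchost": r"C:\Users\user\AppData\Roaming\svchost.exe",
    "Updater": r'"C:\Program Files\Vendor\update.exe" /silent',
    "helper": r"C:\Users\user\AppData\Local\Temp\csrss.exe -k",
}

if __name__ == "__main__":
    entries = read_run_key() if sys.platform == "win32" else SAMPLE
    for name, reason in audit(entries).items():
        print(f"{name}: {reason}")
```
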
More than possible. Two possibilities: malware, or a change to the critical OS files (modded OS, corruption, etc). In any case security is compromised.
 

My Computer: HP Pavillion dv-7 1005 Tx, Win 8 Release candidate 8400

How do I know what the problem is, and what do I do?
 

My Computer: ASUS/N61JV, Windows 7 Home Premium x64

1-If malware, run Malwarebytes and report results

2-If a modified operating system, re-install an unmodified one.
Where did you get Win 7 from and what version is it?

My money is on malware if you haven't altered the OS.
 

My Computer: HP Pavillion dv-7 1005 Tx, Win 8 Release candidate 8400

I haven't altered the OS, and Malwarebytes' did detect two infections in the registry. Here is the log:
Code:
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6879

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

17-06-2011 11:43:56 PM
mbam-log-2011-06-17 (23-43-56).txt

Scan type: Quick scan
Objects scanned: 188982
Time elapsed: 2 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SrvID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Backdoor.Bot) -> Value: svchost -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 

My Computer: ASUS/N61JV, Windows 7 Home Premium x64

Just to be sure, reboot and re-run. If clean we can move on.
 

My Computer: HP Pavillion dv-7 1005 Tx, Win 8 Release candidate 8400

I ran scans again, and thankfully no threats were detected. :D

Also, I enabled Driver Verifier to check for corrupted drivers, and almost instantly I got a BSOD. Here are the dumps attached.
 

My Computer: ASUS/N61JV, Windows 7 Home Premium x64

Good Job

FINALLY

These driver verified crashes were related to Huawei Technologies Co., Ltd. USB Modem/Serial Device Driver.

YOURS FROM 2008

Update with newest available.
Code:
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\K\Desktop\Minidump\061811-37752-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*C:\Symbols*http://msdl.microsoft.com/download/symbols;srv*e:\symbols
*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7601.17592.amd64fre.win7sp1_gdr.110408-1631
Machine Name:
Kernel base = 0xfffff800`0301b000 PsLoadedModuleList = 0xfffff800`03260650
Debug session time: Fri Jun 17 16:43:24.810 2011 (GMT-4)
System Uptime: 0 days 0:01:42.872
Loading Kernel Symbols
...............................................................
................................................................
..................................
Loading User Symbols
Loading unloaded module list
.................................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck C9, {22f, fffff88008886a04, fffff98016b96b40, 0}

Unable to load image ewusbmdm.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ewusbmdm.sys
*** ERROR: Module load completed but symbols could not be loaded for ewusbmdm.sys
Probably caused by : ewusbmdm.sys ( ewusbmdm+1a04 )

Followup: MachineOwner
---------
 
My Computer: HP Pavillion dv-7 1005 Tx, Win 8 Release candidate 8400

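Added example, not part of the original thread: the reply above reads the blamed driver straight off the debugger's summary lines. This Python sketch parses those two lines (`BugCheck ...` and `Probably caused by : ...`) so that several dump analyses can be tallied by blamed image. `SAMPLE_C9` copies the two lines from the post; `SAMPLE_KERNEL` is constructed in the same layout from the values in the first dump, and the `KERNEL_IMAGES` list is an assumption.

```python
import re
from collections import Counter

# Names for the two bug checks that appear in this thread.
BUGCHECK_NAMES = {
    0xC9: "DRIVER_VERIFIER_IOMANAGER_VIOLATION",
    0xC000021A: "WINLOGON_FATAL_ERROR",
}
KERNEL_IMAGES = {"ntkrnlmp.exe", "ntoskrnl.exe", "hal.dll"}  # assumption

BUGCHECK_RE = re.compile(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", re.M)
CAUSE_RE = re.compile(
    r"^Probably caused by : (\S+) \( ([^ )]+?)(?:\+([0-9A-Fa-f]+))? \)", re.M)

def summarize(text):
    """Extract bug check code, parameters and blamed image from WinDbg output."""
    bc = BUGCHECK_RE.search(text)
    if not bc:
        return None
    cause = CAUSE_RE.search(text)
    code = int(bc.group(1), 16)
    image = cause.group(1).lower() if cause else None
    return {
        "code": code,
        "name": BUGCHECK_NAMES.get(code, "UNKNOWN"),
        "args": [int(a, 16) for a in bc.group(2).split(",")],
        "image": image,
        "offset": int(cause.group(3), 16) if cause and cause.group(3) else None,
        # A blamed image outside the kernel points at a driver to update.
        "third_party": image is not None and image not in KERNEL_IMAGES,
    }

def blamed_drivers(outputs):
    """Count third-party images blamed across several dump analyses."""
    rows = filter(None, map(summarize, outputs))
    return Counter(r["image"] for r in rows if r["third_party"])

# Summary lines as quoted in the post above.
SAMPLE_C9 = """\
BugCheck C9, {22f, fffff88008886a04, fffff98016b96b40, 0}
Probably caused by : ewusbmdm.sys ( ewusbmdm+1a04 )
"""
# Constructed: the first dump's values laid out in the same summary format.
SAMPLE_KERNEL = """\
BugCheck C000021A, {fffff8a008265fe0, 0, ffffffffc0000001, 100960}
Probably caused by : ntkrnlmp.exe ( nt!ExpSystemErrorHandler2+5e1 )
"""

if __name__ == "__main__":
    print(blamed_drivers([SAMPLE_C9, SAMPLE_KERNEL]))
```
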
Thanks man, much appreciated, hopefully no more problems :party:
 

My Computer: ASUS/N61JV, Windows 7 Home Premium x64

My pleasure and good luck
 

My Computer: HP Pavillion dv-7 1005 Tx, Win 8 Release candidate 8400