2 replies to this topic

[Andy Spragg]

When I logged on just now, MBAM informed me, as the PC was still finishing booting up, that it had successfully blocked access to 89.28.93.247. I checked this and it's somewhere in Moldova. (Not the first time recently that MBAM has blocked an IP address while PC is still finishing booting up; and not the first time I've been probed from Moldova, either). A couple of minutes later I was browsing (around the webpage for the latest upgrade to NoScript, though I don't know if that's pertinent) and the PC shut down abruptly displaying the following BSOD:

Stop 0xC000021a (Fatal system error)
The Windows Logon Process system propcess terminated unexpectedly with a status of 0xc0000005 (0x0,0x0).
The system has been shut down.

It didn't look like a normal BSOD, it looked like a Driver Verifier BSOD. Also, it didn't leave a minidump when I rebooted. (I have been using Driver Verifier recently, but it's not currently active. I know this for a fact because when I was last using it, it picked up a boot-time issue with Online Armor, reproducibly giving me a BSOD at boot time, and the only way I was able to boot normally was to go into safe mode and delete the current Driver Verifier settings).

Bit worried about this one in view of what had just happened while I was logging on. Just did a MBAM quick scan and it came up clean, as usual. Any thoughts?

[marktreg]

This particular BSOD occurs when either Winlogon.exe or Csrss.exe stops running.

See this page:

http://support.microsoft.com/kb/156669

I also know for a fact that certain malware can alter or replace the Winlogon.exe file, because I fix PCs with similar problems all the time.

It might be a good idea to post some MBAM & HJT logs in the HJT forum, just to be safe.

[Andy Spragg]

Thanks, Mark. An interesting MS link. I've set up Dr Watson as suggested, so if it happens again, I'm ready. I've also done the AV/MBAM/HJT scans and posted the latter two logs in the HijackThis forum.