
BSOD on restart Windows 8.1 0xc000021a WINLOGON_FATALERROR


PK89

New Member
Posts
8
#1
Greetings,

I receive a BSOD every time I restart Windows 8.1 or whenever Windows restarts automatically to install updates (although it finishes updating successfully on reboot) with error code 0xc000021a. Besides that, the PC works normally. A few days ago the problem was reversed, i.e. Windows crashed on shut down with the same error but not on restart; this happened after I unchecked the Turn on fast startup option in power options, which apparently solved similar problems for other people. I had to perform a Windows Refresh, keeping both files and installed apps intact, to return the PC to its previous condition, so now it crashes again on restart but afterwards boots normally, though with some delay. I tracked the problem to the Winlogon process terminating unexpectedly but I don't know how to fix the problem since a reinstallation of Windows didn't solve it. I suspect that a third party program is causing the problem and since I kept all of them after the refresh it still causes problems. Since I am not an expert, however, I could be totally wrong. The last incident happened today (18/02/2014) on restart due to a Windows update. I would greatly appreciate any help offered on this matter.

Thank you
 

My Computer

System One

  • OS
    Windows 8.1
Posts
1,883
#2
Hi,

Uninstall Freeride Games or whatever software you have made by them etc...

Code:
4: kd> lmvm X5XSEx_Pr148
start             end                 module name
fffff800`04e12000 fffff800`04e24000   X5XSEx_Pr148   (deferred)             
    Image path: \??\C:\Program Files (x86)\FreeRide Games\X5XSEx_Pr148.Sys
    Image name: X5XSEx_Pr148.Sys
    Timestamp:        Thu Aug 02 08:51:27 2012 (501A77CF)
    CheckSum:         00017C75
    ImageSize:        00012000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
Update Realtek HD Audio codec driver:

RTKVHD64 RTKVHD64.sys Tue Nov 27 08:48:01 2012 (50B4C491)

Update Synaptics touchpad driver:


SynTP SynTP.sys Fri Nov 30 02:38:37 2012 (50B8627D)

Uninstall Rapport:

RapportCerberus64_59849 RapportCerberus64_59849.sys Sat Sep 21 17:47:05 2013 (523E13D9)
RapportEI64 RapportEI64.sys Wed Jan 22 13:35:14 2014 (52E00F62)
RapportHades64 RapportHades64.sys Wed Jan 22 13:35:12 2014 (52E00F60)
RapportKE64 RapportKE64.sys Wed Jan 22 13:35:12 2014 (52E00F60)
RapportPG64 RapportPG64.sys Wed Jan 22 13:35:32 2014 (52E00F74)

Update from Lenovo (you'll have to e-mail them or something. Nobody knows how to update this and it seems to cause issues on 8(.1) universally):

LhdX64 LhdX64.sys Mon Jan 11 10:06:58 2010 (4B4B3E92)

Uninstall Daemon Tools Lite and replace it with PowerISO:

dtsoftbus01 dtsoftbus01.sys Thu Jun 20 03:22:51 2013 (51C2ADCB)

Uninstall Avast. Use removal tool for it after. Set Windows Firewall and Windows Defender to Automatic and start them too:

aswMonFlt aswMonFlt.sys Tue Jan 21 12:11:16 2014 (52DEAA34)
aswRdr2 aswRdr2.sys Fri Oct 11 07:11:37 2013 (5257DCE9)
aswRvrt aswRvrt.sys Fri Oct 04 03:48:58 2013 (524E72EA)
aswSnx aswSnx.sys Tue Jan 21 12:11:09 2014 (52DEAA2D)
aswSP aswSP.sys Tue Jan 21 12:17:55 2014 (52DEABC3)
aswStm aswStm.sys Tue Jan 21 12:18:41 2014 (52DEABF1)
aswVmm aswVmm.sys Mon Dec 09 02:04:51 2013 (52A56B93)

Enjoy.
 

My Computer

System One

  • OS
    7601.18247.x86fre.win7sp1
    Computer type
    PC/Desktop
    System Manufacturer/Model Number
    Self-built Intel based
    CPU
    Pentium D 925 3.0 GHz socket 775, Presler @ ~ 3.2 GHz
    Motherboard
    Intel DQ965MT
    Memory
    Hyundai 2 GB DDR2 @ 333 MHz
    Graphics Card(s)
    ASUS DirectCU II HD7790-DC2OC-2GD5 Radeon HD 7790 2GB 128-Bit GDDR5
    Sound Card
    MOTU Traveler firewire interface
    Hard Drives
    1 Seagate Barracuda SATA II system/boot drive 80 GB, 2 Western Digital hdds - 1 is SATA II Caviar Black 1 TB attached to card (assorted media, page, temp), other is SATA I 420 GB (games, media, downloads)
    PSU
    Thermaltake 450W
    Cooling
    stock Gateway cooling, extra large fan in rear of case
    Keyboard
    Alienware/Microsoft Internet kb
    Mouse
    Logitech M510
    Internet Speed
    Optimum Online, fast for US
    Browser
    Pale Moon
    Antivirus
    Kaspersky integrated into ZoneAlarm+Antivirus
Posts
1,360
#3
Among other things you have a nasty virus on this computer. You need to wipe the drive and reinstall Windows.

rikvm_3A60B698.sys Mon May 14 03:49:40 2012 (4FB0B914) <== Stealth MBR rootkit/Mebroot/Sinowal/TDL4
 

My Computer

System One

  • OS
    Windows 8.1 Enterprise
Posts
1,883
#4
Among other things you have a nasty virus on this computer. You need to wipe the drive and reinstall Windows.

rikvm_3A60B698.sys Mon May 14 03:49:40 2012 (4FB0B914) <== Stealth MBR rootkit/Mebroot/Sinowal/TDL4
lol

You know, the instant I saw the funk in the stack (literally like 3 seconds into it), I knew that. It completely slipped my mind while investigating further. I even saw the driver itself and mentally blocked myself from saying so, for some reason.

lol again. I'm losing it here!!!!!! Good find man.

The ::OKHAJAOM:: and ::NNGAKEGL:: frames, shown in red in the original post, are what I mean.

Code:
STACK_TEXT:  
ffffd000`316886b8 fffff803`c5d81da5 : 00000000`0000004c 00000000`c000021a ffffd000`247a93f8 ffffe000`006f5870 : nt!KeBugCheckEx
ffffd000`316886c0 fffff803`c5d7a320 : ffffe000`018cb400 ffffd000`316887d9 00000000`00000000 00000000`00000002 : nt!PopGracefulShutdown+0x2c9
ffffd000`31688700 fffff803`c5b654b3 : ffffe000`018cb040 00000000`00000000 00000000`c0000004 ffffd000`31688900 : nt! ?? ::OKHAJAOM::`string'+0xe30
ffffd000`31688840 fffff803`c5b5d900 : fffff803`c5fa2853 00000000`00000001 ffffd000`31688a58 00000000`c0000004 : nt!KiSystemServiceCopyEnd+0x13
ffffd000`316889d8 fffff803`c5fa2853 : 00000000`00000001 ffffd000`31688a58 00000000`c0000004 00000000`00000006 : nt!KiServiceLinkage
ffffd000`316889e0 fffff803`c5ed73a3 : ffffe000`018cb040 ffffd970`ed2f6eb8 ffffe000`018cb180 00000000`00000000 : nt! ?? ::NNGAKEGL::`string'+0x6cee3
ffffd000`31688aa0 fffff803`c5b04e32 : fffff803`c5b04d78 00000000`00000000 00000000`00000002 ffffe000`018cb040 : nt!PopPolicyWorkerAction+0x63
ffffd000`31688b10 fffff803`c5aad1b9 : fffff803`00000002 ffffd000`31688bd0 00000000`80000000 fffff803`c5cdde20 : nt!PopPolicyWorkerThread+0xba
ffffd000`31688b50 fffff803`c5a992e4 : 00000000`31011f1a ffffe000`018cb040 ffffe000`018cb040 ffffe000`00260900 : nt!ExpWorkerThread+0x2b5
ffffd000`31688c00 fffff803`c5b602c6 : fffff803`c5cfa180 ffffe000`018cb040 fffff803`c5d52a80 ffffd000`31688d90 : nt!PspSystemThreadStartup+0x58
ffffd000`31688c60 00000000`00000000 : ffffd000`31689000 ffffd000`31683000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16
and very unusual for sure:

Code:
----- ETW minidump data unavailable-----
Probably caused by : ntkrnlmp.exe ( nt! ?? ::OKHAJAOM::`string'+e30 )
Glad to be part of "team" here, where 2 or more heads really are actually better than one.

Well, at least OP knows what to do and not to do with new install after drive wipe. :)
 


PK89

New Member
Posts
8
#6
Hello,

Thank you very much for the help. I uninstalled FreeRide Games (which I really don't know what it is, maybe it came preinstalled) and Rapport and updated the drivers. Now Windows restarts normally; I suspect FreeRide Games was the problem. How does the virus you mention operate? I never had any other problems with the PC. Thanks again for the help.
 

My Computer

System One

  • OS
    Windows 8.1
Posts
1,360
#7
TDL-4 is a highly advanced, fourth generation botnet found worldwide (over a quarter of infected machines are in the US) and the name of the rootkit that runs the botnet (also known as Alureon). Over 4.5 million machines were infected with it in the first three months of 2011, and the botnet continued to grow after that.

It was often noted by journalists as "indestructible" in 2011, although it is removable with tools such as Kaspersky's TDSSKiller. It infects the master boot record of the target machine, making it harder to detect and remove. Major advancements include encrypting communications, decentralized controls using the Kad network, as well as deleting other malware.
Source: TDL-4 - Wikipedia, the free encyclopedia

Link: http://www.eightforums.com/tutorials/2299-clean-install-windows-8-a.html
 

My Computer

System One

  • OS
    Windows 8.1 Enterprise
Posts
1,883
#9
I have been reading up on it the past 10 minutes or so.

It seems that it might actually be a file included with Cyberlink software and the only people that complain about it are people that used some overly aggressive Norton tool to "find" it.

I think a good idea is to upload the .sys file to Jotti's malware scan

C:\WINDOWS\system32\Drivers\rikvm_3A60B698.sys

If it gets reported as totally clean, then perhaps a Killdisk use is not in order. I would then just delete the driver, delete the Regedit subkey for it, reboot and make sure it did not return.

If it gets reported as anything malware, then Killdisk it is. The crash was very unusual though, so it could still in fact be the rootkit. And I did see mention that it messes up booting. No coincidence perhaps.
 


PK89

New Member
Posts
8
#10
Sorry but I don't see the file in the directory you mention, and even if I did, the website doesn't "see" any of the .sys files in the directory when I try to upload something from there.
 

My Computer

System One

  • OS
    Windows 8.1
Posts
1,883
#11
Ok, yeah, then it really is a rootkit driver, unfortunately. No normal driver would hide itself.
 


PK89

New Member
Posts
8
#12
After searching for this rootkit I ran rootkit scans with various tools (Kaspersky, Bitdefender, McAfee) which specifically state that they scan for the MBR infection. None of them found an infection in my PC. Are you sure that I have an infection in my computer? I don't want to reset everything for no reason. Again, thanks for the help even though this doesn't concern my original problem.
 

My Computer

System One

  • OS
    Windows 8.1
Posts
1,360
#13
Allow me to clarify something. If in fact you are infected with a rootkit you need to seek advice from an expert who is trained to deal with these things. This particular infection should be taken very seriously; it is not your average popup flash game. You can find many different guides on how to remove TDL4 across the internet. However, unless you are trained to know what to look for, the infection will continue to return until it's been removed by someone who knows what to look for. Several special tools are required in order to detect and completely remove the infection.

You have two options. You can attempt to remove it and risk losing your security & privacy. OR you can reinstall everything and be assured that the infection is gone.

In my opinion, given the amount of time wasted cleaning the infection, you would be better off reinstalling Windows. I have personally dealt with this rootkit and it's not worth the time.

Additionally, as per forum rules members are not allowed to discuss malware. You can find help here if you choose: Virus, Spyware and Malware Removal | PC Help Forum
 

My Computer

System One

  • OS
    Windows 8.1 Enterprise

PK89

New Member
Posts
8
#16
One more thing actually: in order to specify your observation "rikvm_3A60B698.sys Mon May 14 03:49:40 2012 (4FB0B914)" in other forums which discuss malware issues, is it possible for you to tell me where exactly in the files I sent you it is found? And why is it dated 2012? I bought this laptop less than a year ago. Thank you.
 

My Computer

System One

  • OS
    Windows 8.1
Posts
1,360
#17
Of course, this information was contained within the crash dump file dated 2/18/2014 @ 7:36 A.M.

This rootkit was discovered back in 2011. There have been many different variants with updated components over the course of several years. It looks like the one you have is dated 2012 because that's when the file was created: not necessarily when you were infected, but rather when the file was created by its author.

Code:
fffff800`04e12000 fffff800`04e24000   X5XSEx_Pr148 X5XSEx_Pr148.Sys Thu Aug 02 08:51:27 2012 (501A77CF)
fffff800`04e42000 fffff800`0548b000   rikvm_3A60B698 rikvm_3A60B698.sys Mon May 14 03:49:40 2012 (4FB0B914)
fffff800`0548b000 fffff800`05499000   vwifimp  vwifimp.sys  Thu Aug 22 07:36:15 2013 (5215F7AF)
fffff800`05499000 fffff800`054e4000   mrxsmb10 mrxsmb10.sys Thu Aug 22 07:35:42 2013 (5215F78E)
fffff800`054e4000 fffff800`05501000   Ndu      Ndu.sys      Thu Aug 22 07:35:42 2013 (5215F78E)
fffff800`05501000 fffff800`055aa000   peauth   peauth.sys   Thu Aug 22 07:36:07 2013 (5215F7A7)
fffff800`055aa000 fffff800`055b5000   secdrv   secdrv.SYS   Wed Sep 13 09:18:38 2006 (4508052E)
fffff800`055b5000 fffff800`055f8000   srvnet   srvnet.sys   Wed Sep 11 05:31:45 2013 (52303881)
fffff800`05602000 fffff800`0569a000   srv      srv.sys      Sat Oct 05 07:01:15 2013 (524FF17B)
fffff800`0569a000 fffff800`056c7000   tunnel   tunnel.sys   Thu Aug 22 07:35:45 2013 (5215F791)
fffff800`056c7000 fffff800`056e8000   WudfPf   WudfPf.sys   Thu Aug 22 07:37:21 2013 (5215F7F1)
fffff800`056e8000 fffff800`05726000   WUDFRd   WUDFRd.sys   Thu Aug 22 07:36:50 2013 (5215F7D2)
fffff800`05726000 fffff800`0572f000   mshidumdf mshidumdf.sys Thu Aug 22 07:39:06 2013 (5215F85A)
fffff800`0572f000 fffff800`05746000   aswStm   aswStm.sys   Tue Jan 21 12:18:41 2014 (52DEABF1)
fffff800`0578c000 fffff800`0579a000   monitor  monitor.sys  Thu Aug 22 07:36:37 2013 (5215F7C5)
fffff800`057ee000 fffff800`057f9000   rdpvideominiport rdpvideominiport.sys Thu Aug 22 07:38:52 2013 (5215F84C)
fffff803`c4b70000 fffff803`c4b79000   kd       kd.dll       Thu Aug 22 07:40:43 2013 (5215F8BB)
fffff803`c5a0c000 fffff803`c618d000   nt       ntkrnlmp.exe Wed Oct 30 18:52:12 2013 (52718D9C)
fffff803`c618d000 fffff803`c61fc000   hal      hal.dll      Sat Sep 21 04:01:36 2013 (523D5260)
fffff960`00008000 fffff960`00421000   win32k   win32k.sys   unavailable (00000000)
fffff960`006aa000 fffff960`006b3000   TSDDD    TSDDD.dll    unavailable (00000000)
fffff960`00911000 fffff960`0094c000   cdd      cdd.dll      unavailable (00000000)
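As an added example (not from this thread or its posters), a small Python triage script for module lists in the format quoted in post #2 and above: it decodes the hex link epoch in parentheses, checks it against the printed date for the debugger's display time zone (assumed UTC-4 here, which is what the dates in this thread work out to), computes the mapped size from the start/end addresses, and flags modules with no timestamp or a random-looking hex suffix such as rikvm_3A60B698 so they can be verified on disk and with a scanner. The sample input is constructed: three lines copied from the thread plus one made-up line (fakedrv) whose hex epoch does not match its printed date.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: three lines from the thread's module list plus one made-up
# line (fakedrv) with a hex epoch that contradicts the printed date.
SAMPLE = """\
fffff800`04e42000 fffff800`0548b000   rikvm_3A60B698 rikvm_3A60B698.sys Mon May 14 03:49:40 2012 (4FB0B914)
fffff800`054e4000 fffff800`05501000   Ndu      Ndu.sys      Thu Aug 22 07:35:42 2013 (5215F78E)
fffff960`00008000 fffff960`00421000   win32k   win32k.sys   unavailable (00000000)
fffff800`0572f000 fffff800`05746000   fakedrv  fakedrv.sys  Tue Jan 21 12:18:41 2014 (00000001)
"""

# start, end, module, image, printed timestamp, hex epoch (addresses use the debugger's ` separator)
LINE = re.compile(
    r"^([0-9a-f`]{17})\s+([0-9a-f`]{17})\s+(\S+)\s+(\S+)\s+(.+?)\s+\(([0-9A-Fa-f]{8})\)\s*$")
# Heuristic only: a trailing _XXXXXXXX hex suffix warrants a look, not a verdict.
HEX_SUFFIX = re.compile(r"_[0-9A-Fa-f]{8}$")


def parse_line(line, utc_offset_hours=-4):
    """Parse one module-list line into a record with triage flags.
    utc_offset_hours is the debugger's display time zone (assumption: -4 here)."""
    m = LINE.match(line)
    if not m:
        return None
    start, end, module, image, stamp, hexepoch = m.groups()
    size = int(end.replace("`", ""), 16) - int(start.replace("`", ""), 16)
    rec = {"module": module, "image": image, "size": size, "flags": []}
    if stamp == "unavailable":
        rec["flags"].append("no link timestamp")
        return rec
    printed = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
    linked_utc = datetime(1970, 1, 1) + timedelta(seconds=int(hexepoch, 16))
    rec["linked_utc"] = linked_utc
    # The printed date is the epoch shifted into the display time zone; a mismatch
    # means the line was edited or the header's timestamp field is not a real epoch.
    if linked_utc + timedelta(hours=utc_offset_hours) != printed:
        rec["flags"].append("printed date does not match hex epoch")
    if HEX_SUFFIX.search(module):
        rec["flags"].append("random-looking hex suffix: confirm the file on disk and scan it")
    return rec


def triage(text, utc_offset_hours=-4):
    """Return only the records that carry at least one flag, in input order."""
    recs = [parse_line(l, utc_offset_hours) for l in text.splitlines() if l.strip()]
    return [r for r in recs if r and r["flags"]]


if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(f"{r['image']:<22} {r['size']:>9} bytes  {'; '.join(r['flags'])}")
```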
 

My Computer

System One

  • OS
    Windows 8.1 Enterprise
Posts
1,883
#19

Posts
7
#20
can you please look into my problem too...:(

http://www.eightforums.com/bsod-crashes-debugging/41234-bsod-windows-takes-too-long-start.html

I was referred here by MasterChief but I'd want to have an in depth analysis of my problem as well :(
In depth analysis = Killdisk, Windows install.
Hi MasterChief, I have more questions on my thread, can you reply to them? I don't want to derail this thread since it's not mine :D Sorry for looking impatient.
 

My Computer

System One

  • OS
    Windows 8