Strange shutdown error message in XP Pro 6

Status
Not open for further replies.

RBHirsch

Technical User
Sep 13, 2007
49
US
After finally disabling Spyware Doctor, the serious problems being produced by it seemed gone. So I totally uninstalled the software.

But, it was still after me. When I went onto the Internet, I had no connection. I confirmed that my network was OK, on another machine. So I tried again, and when the "no access" message box came up, and XP offered to help with the problem, I decided to let Windows XP Pro "fix" the problem. It came up with a message box stating that (sorry, I didn't copy down the exact message) a layer/file (or something) from PC Tools (the company behind Spyware Doctor) was the culprit, and did I want it removed. I clicked on OK, rebooted, and all seemed well - IE 7 and my OE mail were back in place.

But now, all of a sudden, when I shut down my system, and the shutdown has gone about halfway through, a blue screen with this message appears:

STOP: c000021a {Fatal System Error}
The Windows Logon Process System process terminated unexpectedly with a status of 0xc0000005 (0x00000000 0x00000000)
The system has been shut down.

At this point, I just kill the power, as Windows has been shut down, but not in the proper event sequence et al.

I don't understand what the logon process has to do with shutting down, unless somehow, I've been logged on incorrectly.

I'm the only user, and administrator. I have not set up any password, so when I turn on my machine, it just boots up, asking nothing more of me.

Can anyone give me an idea of what that message means, and what I can do to get rid of it?

I'm perfectly willing to edit the Registry, or go into the users' setup screens, or whatever is needed to resolve this issue.

Thanks

Ron Hirsch
 
0xC000021A: STATUS_SYSTEM_PROCESS_TERMINATED

This occurs when Windows switches into kernel mode and a user-mode subsystem, such as Winlogon or the Client Server Runtime Subsystem (CSRSS), is compromised. Security can no longer be guaranteed. Because Win XP can’t run without Winlogon or CSRSS, this is one of the few situations where the failure of a user-mode service can cause the system to stop responding. This Stop message also can occur as a result of malware infestation or when the computer is restarted after a system administrator has modified permissions so that the SYSTEM account no longer has adequate permissions to access system files and folders.

GoBack Causes a Stop Error C000021a {KB 316503} Win XP
Internet Explorer Maintenance Policies May Cause an Access Violation in Winlogon {KB 318666} Win XP Pro

Source: aumha.org

"STOP: c000021a (Fatal System Error)" Error Occurs

Just a few things to look at...

Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."
 
Hi Ben,

Thanks for the links. I had done a search in Google, but I guess I had too much text in the search field.

The third link you noted would seem to be the most applicable one, but it goes back to Win 2000.

Here's some added info - both of these error messages have occurred on a random intermittent basis

1. In the past, I would occasionally get an error message after the system had just booted, that there was a "problem" with Windows Log-on. The message box could just be dismissed, and all appeared normal after that.

2. This current problem on shutdown, is not every time I shut down, but on occasions - so far, about 1/2 the time. Since it occurs on shutdown, there is no visible negative result, other than the fact that XP may well have missed saving some of the settings which it normally does, and comments on when shutting down.

3. A suggested workaround in Win 2000 was to change the name of My Computer. Is this also applicable in XP Pro SP2? Will the renaming impact any of my normal computer activities?

If indeed the renaming will work, that would seem to be the easiest and most straightforward approach. Do I have to do anything other than go into SYSTEM>COMPUTER NAME>CHANGE NAME, and just key in a shorter name? I plan on deleting 7 of the 14 characters in the name which now exists.

There is a note in that window that the change may affect access to network sources. This computer is the primary computer and is hard wired to my router. Other machines are using wireless.

Thanks again for your help, and any other info you can offer.

Ron Hirsch
 
Have a look at this in relation to the continuing saga with Spyware Doctor (thread779-1414661). Particularly look at the Winsock fix for SP2 machines.

WinXP Connectivity Issues
Lost Connectivity after Registry or Malware Cleanup
faq779-4625

These next are for you to look at, if Ben's suggestions don't solve your problem

Will it start and run correctly (shut down) in Safe Mode? Can you check out how it runs if you log in as any other user in Normal Mode?

If it is a profile problem then this may help.
811151 - How to Copy User Data to a New User Profile


To get further information about errors look in your Event viewer.

Look in the System or Application folder. You can get to the Event Viewer via right click My Computer icon and select Manage.

Any errors logged in the Event Viewer can be expanded by double clicking on the error line.

Take any event error I.D. number and search for it on these sites.


You can also turn off "automatically restart after an error" so it will just halt at the fault and display the full Stop Error and blue screens.

Right-click My Computer, and then click Properties.
On the Advanced tab, click Settings under Startup and Recovery.
Click to clear the Automatically restart check box under System failure, and then click OK. The error message on a blue screen should remain on the screen so you can record the error information.



If the error occurred after installing a device driver or application, try using Safe Mode and removing the driver or program.

To check your RAM.


To check your Hard Drive.

The drive manufacturer will have free diagnostic software to check your drive for problems.

Try running ChkDsk to check your drive for errors. Right click your Drive icon/ Properties/ Tools/ Error Checking.
Check both boxes.


To check your drivers.

HOW TO: Verify Unsigned Device Drivers in Windows XP


To check conflicting software.

310353 - How to Perform a Clean Boot in Windows XP

316434 - HOW TO: Perform Advanced Clean-Boot Troubleshooting in Windows XP

310560 - How to Troubleshoot By Using the Msconfig Utility in Windows XP




Removing adware & spyware
faq608-4650

Will check your computer for spyware and adware.



See if you have any services that are flagging as "Starting" but not actually running.


Some general things to try.



Run the System File Checker program from the Run Box by typing.....Sfc /Scannow in it and have your XP CD handy.

If they don't work you could try repairing windows itself by running it over itself. You will lose all your windows updates but your files will be untouched.

How to Perform an In-Place Upgrade (Reinstallation) of Windows XP (Q315341)
 
Hi Linney,

Thanks for all the time and effort you put into your reply. I have saved your stuff, and Ben's stuff for future reference. I will look through all your suggested sites and references.

I gave you 2 stars for all your work. I would have done 3, but I was afraid that I would get chastised for that. :)

I had already cleared the automatic restart of Windows when these "crashes" occur. I did that when Spyware Doctor started its acts of "terrorism" against my system. Since there is no screen capture capability available there, when the screen has lots of stuff on it, I shoot it with a digital camera. If it's just a small message, I can write it down.

What I don't understand is why these situations only occur occasionally. I haven't seen the one I mentioned at startup occur since the one I see now occasionally at shutdown started to appear. Neither of these situations has really caused any apparent grief, as the current crash comes during XP's shut down. And the error message during startup could be dismissed with no apparent consequences.

By the way, I do have HijackThis. Is this forum an appropriate place to post, or should I use a special site for HijackThis, when that occasion arises?

Thanks again -

Ron Hirsch
 
Yes you may post hijackthis logfiles here.

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
@Ron - Linney basically covered everything... and what applies to w2k also applies to xp (98% of the time), there are some differences, which is why w2k = Windows 5.0 and XP = Windows 5.1 (w2k3 = Windows 5.2 and Vista = Windows 6.0)...

do follow up on what Linney suggested, then we can figure out where the problem lies... Intermittent problem, suggests that a permission problem is not the cause, rather a rogue service/program - thus Linney's suggestion to do a SFC /SCANNOW just to cover the system files for possible corruption...

as to the HJT logfile, like EFreak mentioned, it is valid to do so... we would love to discern the log for you...




Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."
 
Hi Ben,

Thank you for your message.

Things had reached the stage where I got a crazy error message every time I shut down, and basically the shutdown crashed.

But bootups were fine, and all seemed normal, with the system functioning smoothly, until shutdown. So I went in and changed my computer name cutting it down to 4 characters. This required a reboot, and of course, when shutting down, the shutdown crashed again, with a "log-on" error message. I was concerned that this would void the name change I made, as the "Saving your settings" message never displayed prior to the crash. But apparently the name change did survive the crash. When I rebooted, I checked, and the new name was in place.

So I tried a shutdown again, and it went through very smoothly - no crash. Yesterday, prior to this, the shutdown crashes were "occasional". But crashes occurred every time I shut down this morning. Hopefully the name change will stop the shutdown crashes permanently. It's hard for me to fathom the role that Spyware Doctor played in all of this. But it definitely was the "trigger" mechanism for all my recent weird problems.

I generated a HiJackThis log file. It is pasted in below. Any feedback would be very much appreciated.

There are several lines in there noting PC Tools - they are the company behind Spyware Doctor, which is of course history with me now. Possibly some addition is required to get rid of them.

Ron Hirsch

++++++++++++++
Logfile of HijackThis v1.99.1
Scan saved at 5:22:51 AM, on 10/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe
C:\Program Files\PhraseExpress\PhraseExpress.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\GPSoftware\Directory Opus\dopusrt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\WordWeb\wweb32.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\GPSoftware\Directory Opus\DOpus.exe
E:\Programs-archive-E\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmflp03\BrStDvPt.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe
O4 - HKLM\..\Run: [PhraseExpress] C:\Program Files\PhraseExpress\PhraseExpress.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Directory Opus Desktop Dblclk] "C:\Program Files\GPSoftware\Directory Opus\dopusrt.exe" /dblclk
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: PhotoCAL Startup.lnk = C:\Program Files\PANTONE COLORVISION\PhotoCAL\PhotoCAL.exe
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\system32\wweb32.dll/lookup.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.https
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} -
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
 
Fix, using HJT:

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll (file missing)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

From what I see, you may have too much going on in the background, meaning: With AVG and ZoneAlarm installed, make sure that the ZA AV is turned off... other than that it is clean...

in the RUN BOX or DOS BOX (CMD (CLI)) issue the following commands:

netsh winsock reset

this will get rid of all these and reset them to factory state:

O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll

REBOOT

Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."
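The reply above picks entries out of the log by two signals: a target marked "(file missing)" or "(no file)", and a name belonging to the uninstalled PC Tools product. The following is an added example, not part of the original thread, that applies those two checks to lines copied from the posted log and tallies the Winsock LSP and Winlogon Notify entries; the function names and the `REMOVED_PRODUCTS` keyword list are assumptions made for the illustration.

```python
import re
from collections import Counter

# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll (file missing)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

# Assumption: name fragments of software the user says was uninstalled.
REMOVED_PRODUCTS = ("pctools", "pc tools", "spyware doctor")

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
ORPHAN_RE = re.compile(r"\((file missing|no file)\)\s*$")
LSP_PREFIX = "Unknown file in Winsock LSP: "
NOTIFY_PREFIX = "Winlogon Notify: "


def parse_entries(log_text):
    """Return (section_code, body) for every 'O2 - ...' style line."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(log_text, removed_products=()):
    """Group log entries by the signals used in the reply above."""
    entries = parse_entries(log_text)

    # Signal 1: the registry entry survives but its file does not.
    orphaned = [e for e in entries if ORPHAN_RE.search(e[1])]

    # Signal 2: the entry names a product that was already uninstalled.
    needles = [p.lower() for p in removed_products]
    leftover = [e for e in entries
                if e not in orphaned
                and any(n in e[1].lower() for n in needles)]

    # Winsock LSP chain: count how often each provider DLL is listed.
    lsp = Counter(body[len(LSP_PREFIX):].lower()
                  for code, body in entries
                  if code == "O10" and body.startswith(LSP_PREFIX))

    # Winlogon Notify packages: (name, target file reported missing?).
    notify = []
    for code, body in entries:
        if code == "O20" and body.startswith(NOTIFY_PREFIX):
            name = body[len(NOTIFY_PREFIX):].split(" - ", 1)[0]
            notify.append((name, bool(ORPHAN_RE.search(body))))

    return {"orphaned": orphaned, "leftover": leftover,
            "lsp": lsp, "winlogon_notify": notify}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, REMOVED_PRODUCTS)
    print("Entries whose file is gone:")
    for code, body in report["orphaned"]:
        print(f"  {code}: {body}")
    print("Entries naming uninstalled software:")
    for code, body in report["leftover"]:
        print(f"  {code}: {body}")
    print("Winsock LSP providers:")
    for dll, count in report["lsp"].items():
        print(f"  {count}x {dll}")
    print("Winlogon Notify packages:")
    for name, missing in report["winlogon_notify"]:
        print(f"  {name}: {'file missing' if missing else 'present'}")
```
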
 
Ben,

You and Linney are fantastic. It's hard to believe that this site, and people like you two exist, and provide the HELP that you do, and so quickly.

I would like to thank both of you personally, but of course I have no personal contact info for either of you.

I want to make a contribution to this excellent site. What is the best path to do that?

I will run the steps you noted to clear out the (mostly PC Tools) junk, and reboot, and hopefully my computer and I will be back on good terms once again.

It's hard to believe that Spyware Doctor has caused me so much grief. It is (presumably) one of the top rated programs in its field.

At least it has expanded my personal knowledge base in the areas involved.

Ron
 
You are welcome...

I want to make a contribution to this excellent site. What is the best path to do that?
Although I am not affiliated with Tek-Tips in any way, other than being a member, you could DONATE to Tek-Tips if you wish, which would help keep this Forum alive, by either clicking on any of the "Click Here to donate" buttons or by following this link:

PS: I do this mostly to expand my knowledge and to let others benefit from my collected knowledge... I still get overwhelmed by the knowledge that Linney just pulls from his hat [smile]

PSS: Personal Information is usually kept pretty tightly locked up here[censored], to reduce SPAMMING and unwelcome soliciting... so do not fret over it... all is cool[thumbsup2]...

Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."
 
Ben,

It does appear that I spoke prematurely.

I had 4 normal shutdowns, and then one which had a crash, with a BSOD, and an error message. I didn't record the message. But when it does occur again, I will do so.

The strange part is that the system boots smoothly, and the error message comes about in shut down, when the normal screen would read "saving your settings". That does not appear, just a blue blank Windows screen shows with the cursor arrow for a few moments. Then the screen goes black, and then a BSOD DOS screen with the error message shows.

Looks like I'll have to review all the other info from Linney, and keep working on things.

Even if this situation has no deadly effects, I just don't like things which aren't normal, and indicate that something is amiss.

Ron
 
Yes, do let us know the BSOD error...

you may end up having to try the last thing that Linney mentioned in his post, the REINSTALL or IN-PLACE UPGRADE...

keep us posted...


Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."
 
Thanks for all the kind words, I much appreciate it, but I'm only one small cog in the forum which is made up of many excellent and knowledgeable members who persistently come together in an effort to solve each other's problems.

What is this entry in your log?
O15 - Trusted Zone: *.https

When you check your Event Viewer, check any "Information" line that mentions "savedump" and you should (hopefully) find reference to "recovered from a bug check". This may be the Stop Error that you see flashing on your screen.

SHUTDOWN & RESTART TROUBLESHOOTING
 
Thanks for the star although I can take no credit for this one. Linney and Badbigben are the ones to thank which I see you have done.

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
Thanks to all of you for your ongoing support.

The shutdown error message is back to the original one

STOP: c000021a {Fatal System Error}
The Windows Logon Process System process terminated unexpectedly with a status of 0xc0000005 (0x00000000 0x00000000)
The system has been shut down.

RE Linney's question
What is this entry in your log?
O15 - Trusted Zone: *.https

I'm afraid I have no idea what that is. You and Ben are probably in a far better position to tell me. Can/should I have HijackThis remove it??

I will check the event viewer information line for any line that mentions "savedump" and see if I (hopefully) find reference to "recovered from a bug check".

Remember, the shutdown crash does not always occur. If I boot up, which always goes normally, and then immediately shut down, all is usually normal - no crash messages. This might seem to say that something which runs after bootup creates the problem. So, I'm going to start removing various startup items, to see if the crash scenario is impacted.

I'll also check out Linney's most recent link supplied.

I'd like to avoid having to do a REINSTALL or IN-PLACE UPGRADE. I do have a copy of the XP SP1 install disk, with SP2 slipstreamed in. But I've been reading recent reports of problems doing "upgrade" installs, having conflicts with various Windows security updates and patches.

I'll keep posting any new info I come up with.

Ron



 
Here's an update on things.

1. I disabled several recent additions in the startup folder - no effect.

2. Remember, if the system is shut down immediately after booting up, no problems.

3. I booted up, and IE, OE, and NoteTab - shutdown with no problems.

4. I ran a bunch of different programs after booting, shut down came up with the same error message.

5. One of the documents I've read states that the type of problem I'm having is not a "shutdown" problem, but a "powerdown" problem, and states strongly that there is a significant difference.

6. I have looked over the Event viewer, and there are some repeating error windows shown in there, and I have captured those windows, but of course as a jpg. I don't suppose there is any way to add jpeg images into a message here? If not, I could just copy out the significant text items and include that in a post.

6. Typically now, the error screen on power down occurs intermittently, based upon what I have done while working. In the real world, the shutdown process, when an error mode occurs, is probably somewhat similar to just powering down the computer without going through the formal shutdown process. What damages can/will occur under those conditions?

7. I have avoided doing any Registry "cleaning", as I'm not sure what cleaner can do a "proper" job. I always have the option to a current image save of C:, via True Image, in case the "cleaning" had disastrous effects. Can anyone recommend a good Reg cleaner?

8. One other rare occasional error message referred to a "Hard problem", which is apparently related to the Hard Disk (C I assume). So, I decided to change the drive for the paging file. I went into and added a large paging file on D. The paging file "change" apparently did not remove the paging file on C. Can/should both of them be there with no problems?

9. I ran chkdsk on drive C. Of course this was done during the successive bootup period. It passed with flying colors - no bad sectors or errors noted.

I think a Registry cleaning should possibly be the next step - what do you think?

Ron Hirsch





 
When is the last time you blew out all the dust from your computer?

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
I came across this document, and it reflects my case very strongly.


I don't think this has been noted up to now in this thread

It references the exact problem I believe I have. I have seen references to Winlogon.exe and csrss.exe during the many shutdown crashes on my machine.

Below is an extract from that MS article

I ran the steps 1 and 2 in a DOS window. I believe I already had Dr. Watson set as the default system debugger, as I saw a DrWatson log in the root of my C drive from 6 months ago.

When I ran each of the steps, the only thing that seemed to happen was that a C:\Windows\System folder listing came up, showing a few dozen *.DRV, and other files.

I would say that the Winlogon.exe and csrss.exe files are the ones involved here - I have seen them noted in some of the crashes.

Hopefully those who are more up on this subject can clarify the steps I should follow from here on.

Thanks

Ron

++++++++++++++++++++
SUMMARY
This article is intended for advanced computer users. If you are not comfortable with advanced troubleshooting, you might want to ask someone for help or contact Technical Support.

When you use a server or a workstation that is running one of the operating systems that is listed in the "Applies to" section, you may receive the following error message:
STOP: c000021a {Fatal System Error}
The Windows Logon Process system process terminated unexpectedly with a status of 0xc0000034 (0x00000000 0x0000000)
The system has been shutdown.
Note The parameters in parentheses are specific to your computer configuration and may be different for each occurrence.

CAUSE
The STOP 0xC000021A error occurs when either Winlogon.exe or Csrss.exe fails. When the Windows NT kernel detects that either of these processes has stopped, it stops the system and raises the STOP 0xC000021A error. This error may have several causes. Among them are the following:
• Mismatched system files have been installed.
• A Service Pack installation has failed.
• A backup program that is used to restore a hard disk did not correctly restore files that may have been in use.
• An incompatible third-party program has been installed.


RESOLUTION
To troubleshoot this problem, you must determine which of these processes failed and why.

To determine which process failed, register Dr. Watson as the default system debugger (if it is not already the default debugger). Dr. Watson for Windows NT logs diagnostic information about process failures to a log file (Drwtsn32.log). Also, you can configure this program to produce memory dump files of failed processes that you can analyze in a debugger to determine why a process fails.

To set up Dr. Watson to trap user-mode program errors, follow these steps:

1. At a command prompt, type System Root\System32\Drwtsn32.exe -I, and then press ENTER.

This command configures Dr. Watson as the default system debugger.

2. At a command prompt, type System Root\System32\Drwtsn32.exe, and then select the following options:

Append to existing log file
Create crash dump
Visual Notification
 
Hola Ron,

you can let HJT fix that line, I did not mention it as I did not deem it as a problem (there is no HTTPS domain)...

as to the Stop Error you are getting, is not exactly the same, though it is related...

hmmm, compare the version numbers of your Winlogon.exe or Csrss.exe against mine:

My Versions:

Winlogon.exe 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

Csrss.exe 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

note: I got three instances of the above, using SEARCH, they are located in, C:\WINDOWS\$NtServicePackUninstall$ with a version number 5.1.2600.0 (original), C:\WINDOWS\system32 and C:\WINDOWS\ServicePackFiles\i386 with the above version numbers...

4. I ran a bunch of different programs after booting, shut down came up with the same error message.
see if you can isolate a single program that causes the problem to reoccur...

as to what REG CLEANER to use, well that is a subject to discussion, as there are many out there that do a good job...

I use REGHEALER, it costs but it allows me full control to what I do, it is basically for the more advanced user that knows what he is doing...

there is REGISTRY MECHANIC, costs as well, but easier to use...

JV16 PowerTools, excellent but also costs, somewhere in between the above...

NTRegOpt - Freeware, and a basic one click deal on cleaning out the REGISTRY...
GlariSoft Registry Repair - I am not familiar as to how this one works or not, thus I would not recommend it, and it costs as well...

and there are lots more... some of the others may have other suggestions and annotations to the above...


Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."
 