Startup BSOD

danielw94 · 09-29-2009, 03:02 PM

I've been living with this problem for quite a few weeks now. Whenever my computer starts up (whether it's a reboot or just a normal boot), I recieve a blue screen with just this text:

STOP c000139
The procedure entry point ntoskrnl.ExiAcquireFastMutex could not be located in the dynamic link library HAL.dll

Once I recieve this message I just reboot and it boots up fine. I've run scans with both avast home edition and spybot, and the problem still persists. I have a lenovo thinkpad x61 tablet running vista business sp2. Any help would be great.

Thanks,
Daniel

DT Roberts · 09-29-2009, 03:09 PM

Please follow the instructions here: http://www.techsupportforum.com/1871981-post2.html

It will give us logs about your system specs and the BSOD's.

danielw94 · 09-29-2009, 06:11 PM

Here are the zips.

DT Roberts · 09-29-2009, 06:37 PM

Interestingly enough, there are no memory dumps in the files you posted. Please navigate to C:\Windows\Minidump and zip all of its contents to your next post.

danielw94 · 09-29-2009, 06:40 PM

The folder's empty

DT Roberts · 09-29-2009, 07:01 PM

...Hm.

Either Windows isn't recording your BSOD's, or something's deleting them...something like malware. When I took at your system logs, I found quite a few strange things:

Code:

Event[14]:
  Log Name: System
  Source: Microsoft Antimalware
  Date: 2009-09-29T16:59:46.000
  Event ID: 2001
  Task: N/A
  Level: Error
  Opcode: Info
  Keyword: Classic
  User: N/A
  User Name: N/A
  Computer: daniellaptop
  Description: 
Microsoft Antimalware has encountered an error trying to update signatures.
 	New Signature Version: 
 	Previous Signature Version: 1.67.129.0
 	Update Source: Microsoft Update Server
 	Update Stage: Search
 	Source Path: http://www.microsoft.com
 	Signature Type: AntiVirus
 	Update Type: Full
 	User: NT AUTHORITY\SYSTEM
 	Current Engine Version: 
 	Previous Engine Version: 1.1.5101.0
 	Error code: 0x80072efe
 	Error description: The connection with the server was terminated abnormally

Microsoft Antimalware shouldn't fail.

What's worse - pay close attention to the text in red

Code:

Event[2171]:
  Log Name: System
    Source: bowser  
  Date: 2009-09-21T10:14:35.720
  Event ID: 8003
  Task: N/A
  Level: Error
  Opcode: N/A
  Keyword: Classic
  User: N/A
  User Name: N/A
  Computer: daniellaptop
  Description: 
The master browser has received a server announcement from the computer DEENA that believes that it is the master browser for the domain on transport NetBT_Tcpip_{013784F3-6F79-47FD-BEBB-BFF1C0682128. The master browser is stopping or an election is being forced.

The source name is BOWSER not BROWSER (don't even ask how I noticed that)! I'm unsure of the legitimacy of this. It could just be a misspelling, but Microsoft is pretty good about that kind of thing and it's always better to be sure.

I recommend that you start a post in the Security section of the forum. Please follow these steps before posting: NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

Keep us informed. Good luck.

danielw94 · 09-29-2009, 07:09 PM

Well, the thing is, it only started happening after i turned off my computer in the middle of an update, so i'm not so sure it's malware. I've also had the microsoft antimalware problem on another computer i think it was just an isolated incident.

DT Roberts · 09-29-2009, 07:15 PM

Okay, I'm sorry that I was mistaken. When does it happen during boot - do you see the Windows logo at all?

danielw94 · 09-29-2009, 07:20 PM

This is what happens. I turn on the pc, i get to the

Once that goes away it is black for a few seconds then up comes the blue screen. No logo or welcome screen.

DT Roberts · 09-29-2009, 07:27 PM

Okay. Windows should be recording crash dumps by this time. I can see that they aren't getting recorded at all in the system log:

Code:

Event[2996]:
  Log Name: System
  Source: volmgr
  Date: 2009-09-19T18:59:29.084
  Event ID: 46
  Task: N/A
  Level: Error
  Opcode: N/A
  Keyword: Classic
  User: N/A
  User Name: N/A
  Computer: daniellaptop
  Description: 
Crash dump initialization failed!

To change this, go to the Control Panel>System>Advanced tab>Startup and Recovery. Once there, click Settings. Make sure you have a check mark next to "Write and event to the system log". Once you do that, try to replicate the problem and turn the PC on or do whatever it is that you have to do to get the BSOD. Once you get it, check back in C:\Windows\Minidump. Hopefully that will give us a dump to work with. Good luck.

danielw94 · 09-29-2009, 07:54 PM

I enabled the option you told me to and caused the bsod. Unfortunately the minidump folder is still empty.

**jcgriff2** · 09-29-2009, 10:46 PM

Code:



AllocatedBaseSize 	3031               
CurrentUsage  		59           
Description      	C:\pagefile.sys  
InstallDate 		20080722130944.000000-240  
Name             	C:\pagefile.sys  
PeakUsage  		462        
        
Description           	'pagefile.sys' @ c:\  
InitialSize 		3031         
MaximumSize 		4000

The above information from WMI indicates that you have a manually set page file. "AllocatedBaseSize" = 3031 MB, which is less than the 3072 MB installed RAM. This may be what is causing the "no dump" condition.

Please do this to reset page file -
1. boot into SAFEMODE
2. turn page file OFF
3. re-boot - back into SAFEMODE
4. turn page file back on -- setting = "system managed"
5. re-boot

Then, unfortunately, perform a task that leads to BSODs. Then check for a memory dump c:\windows\minidump

Regards. . .

jcgriff2

.

danielw94 · 09-30-2009, 06:09 PM

Did what you said. Still nothing in the minidump folder.

danielw94 · 10-02-2009, 03:16 PM

Any ideas?

danielw94 · 10-15-2009, 11:18 AM

Anyone there?

**jcgriff2** · 10-19-2009, 09:12 PM

Hi -

InfalliblexOne figured this one out many posts ago. It appears to me that you are infected. These are not normal event viewer entries. My recommendation is to cut your losses and re-install Vista.

Regards. . .

jcgriff2

.

Code:


Event[10316]:
  Log Name: System
  Source: Service Control Manager
  Date: 2009-09-06T17:17:00.000
  The WinHTTP Web Proxy Auto-Discovery Service service entered the running state.
  Log Name: System
  Source: Microsoft Antimalware
  Date: 2009-09-06T16:06:02.000
  Description: 
Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software.
 For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=TrojanDownloader:JS/Renos&threatid=2147609530
 	User: NT AUTHORITY\SYSTEM
 	Name: TrojanDownloader:JS/Renos
 	ID: 2147609530
 	Severity: High
 	Category: Trojan Downloader
 	Path: 
 	Action: Remove
 	Error Code: 0x80508023
 	Error description: The program could not find the spyware and other potentially unwanted software on this computer. 
 	Status: 
 	Signature Version: AV: 1.65.450.0, AS: 1.65.450.0
 	Engine Version: 1.1.5005.0

Code:



Event[10320]:
  Log Name: System
  Source: Microsoft Antimalware
  Date: 2009-09-06T15:56:06.000
  Description: 
Microsoft Antimalware has detected spyware or other potentially unwanted software.
 For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=TrojanDownloader:JS/Renos&threatid=2147609530
 	Name: TrojanDownloader:JS/Renos
 	ID: 2147609530
 	Severity: High
 	Category: Trojan Downloader
 	Path: file:C:\Users\Bialik\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WNR0OT17\1[1].htm->(SCRIPT0000)
 	Detection Origin: Internet
 	Detection Type: Concrete
 	Detection Source: Real-Time Protection
 	Status: Suspended
 	User: DANIELLAPTOP\Daniel
 	Process Name: C:\Windows\msa.exe
 	Signature Version: AV: 1.65.450.0, AS: 1.65.450.0
 	Engine Version: 1.1.5005.0

Code:

Event[10322]:
  Log Name: System
  Source: Microsoft Antimalware
  Date: 2009-09-06T15:31:40.000
  Description: 
Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software.
 For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=TrojanDownloader:JS/Renos&threatid=2147609530
 	User: NT AUTHORITY\SYSTEM
 	Name: TrojanDownloader:JS/Renos
 	ID: 2147609530
 	Severity: High
 	Category: Trojan Downloader
 	Path: 
 	Action: Remove
 	Error Code: 0x80508023
 	Error description: The program could not find the spyware and other potentially unwanted software on this computer. 
 	Status: 
 	Signature Version: AV: 1.65.450.0, AS: 1.65.450.0
 	Engine Version: 1.1.5005.0

Code:


Event[10324]:
  Log Name: System
  Source: Microsoft Antimalware
  Date: 2009-09-06T15:21:42.000
  Description: 
Microsoft Antimalware has detected a suspicious behavior.
 	Name: TrojanDropper:Win32/Adropper!behavior
 	ID: 1413621794
 	Severity: High
 	Category: Suspicious Behavior
 	Path: file:C:\Windows\msa.exe;process:3652
 	Detection Origin: Local machine
 	Detection Type: Suspicious
 	Detection Source: Real-Time Protection
 	Status: Executing
 	User: DANIELLAPTOP\Daniel
 	Process Name: C:\Windows\msa.exe
 	Signature ID: 717259538433
 	Signature Version: AV: 1.65.450.0, AS: 1.65.450.0
 	Engine Version: 1.1.5005.0
 	Fidelity Label:  Medium
 	Target File Name:

Code:


Event[10325]:
  Log Name: System
  Source: Microsoft Antimalware
  Date: 2009-09-06T15:21:42.000
  Description: 
Microsoft Antimalware has detected spyware or other potentially unwanted software.
 For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=TrojanDownloader:JS/Renos&threatid=2147609530
 	Name: TrojanDownloader:JS/Renos
 	ID: 2147609530
 	Severity: High
 	Category: Trojan Downloader
 	Path: file:C:\Users\Bialik\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9MXX4BSJ\1[1].htm->(SCRIPT0000)
 	Detection Origin: Internet
 	Detection Type: Concrete
 	Detection Source: Real-Time Protection
 	Status: Suspended
 	User: DANIELLAPTOP\Daniel
 	Process Name: C:\Windows\msa.exe
 	Signature Version: AV: 1.65.450.0, AS: 1.65.450.0
 	Engine Version: 1.1.5005.0

Code:


Event[10326]:
  Log Name: System
  Source: Microsoft Antimalware
  Date: 2009-09-06T15:11:25.000
  Description: 
Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software.
 For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=TrojanDownloader:JS/Renos&threatid=2147609530
 	User: NT AUTHORITY\SYSTEM
 	Name: TrojanDownloader:JS/Renos
 	ID: 2147609530
 	Severity: High
 	Category: Trojan Downloader
 	Path: 
 	Action: Remove
 	Error Code: 0x80508023
 	Error description: The program could not find the spyware and other potentially unwanted software on this computer. 
 	Status: 
 	Signature Version: AV: 1.65.450.0, AS: 1.65.450.0
 	Engine Version: 1.1.5005.0

Code:


Event[10327]:
  Log Name: System
  Source: Microsoft Antimalware
  Date: 2009-09-06T15:01:25.000
  Description: 
Microsoft Antimalware has detected spyware or other potentially unwanted software.
 For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=TrojanDownloader:JS/Renos&threatid=2147609530
 	Name: TrojanDownloader:JS/Renos
 	ID: 2147609530
 	Severity: High
 	Category: Trojan Downloader
 	Path: file:C:\Users\Bialik\AppData\Local\Microsoft\Windows\Temporary Internet
 Files\Content.IE5\9MXX4BSJ\1[1].htm->(SCRIPT0000)
 	Detection Origin: Internet
 	Detection Type: Concrete
 	Detection Source: Real-Time Protection
 	Status: Suspended
 	User: DANIELLAPTOP\Daniel
 	Process Name: C:\Windows\msa.exe
 	Signature Version: AV: 1.65.450.0, AS: 1.65.450.0
 	Engine Version: 1.1.5005.0

Code:


Event[10329]:
  Log Name: System
  Source: Microsoft Antimalware
  Date: 2009-09-06T14:21:47.000
  Description: 
Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software.
 For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020
&name=Trojan:Win32/Sirefef.gen!C
 	User: NT AUTHORITY\SYSTEM
 	Name: Trojan:Win32/Sirefef.gen!C
 	ID: 2147626685
 	Severity: Severe
 	Category: Trojan
 	Path: 
 	Action: Remove
 	Error Code: 0x80508023
 	Error description: The program could not find the spyware and other potentially unwanted software on this computer. 
 	Status: 
 	Signature Version: AV: 1.65.450.0, AS: 1.65.450.0
 	Engine Version: 1.1.5005.0

Code:


Event[10330]:
  Log Name: System
  Source: Microsoft Antimalware
  Date: 2009-09-06T14:21:47.000
  Event ID: 1008
  Description: 
Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software.
 For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:WinNT/Sirefef.A&threatid=2147626635
 	User: NT AUTHORITY\SYSTEM
 	Name: Trojan:WinNT/Sirefef.A
 	ID: 2147626635
 	Severity: Severe
 	Category: Trojan
 	Path: 
 	Action: Remove
 	Error Code: 0x80508023
 	Error description: The program could not find the spyware and other potentially unwanted software on this computer. 
 	Status: 
 	Signature Version: AV: 1.65.450.0, AS: 1.65.450.0
 	Engine Version: 1.1.5005.0

Code:


Event[10331]:
  Log Name: System
  Source: Microsoft Antimalware
  Date: 2009-09-06T14:14:28.000
  Description: 
Microsoft Antimalware has detected a suspicious behavior.
 	Name: TrojanDropper:Win32/Adropper!behavior
 	ID: 135376832
 	Severity: High
 	Category: Suspicious Behavior
 	Path: file:C:\Users\Bialik\AppData\Local\Temp\b.exe;process:928
 	Detection Origin: Local machine
 	Detection Type: Suspicious
 	Detection Source: Real-Time Protection
 	Status: Executing
 	User: DANIELLAPTOP\Daniel
 	Process Name: C:\Users\Bialik\AppData\Local\Temp\b.exe
 	Signature ID: 717259538433
 	Signature Version: AV: 1.65.450.0, AS: 1.65.450.0
 	Engine Version: 1.1.5005.0
 	Fidelity Label:  Medium
 	Target File Name:

Code:


Event[10332]:
  Log Name: System
  Source: Microsoft Antimalware
  Description: 
Microsoft Antimalware has detected spyware or other potentially unwanted software.
 For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Sirefef.gen!C&threatid=2147626685
 	Name: Trojan:Win32/Sirefef.gen!C
 	ID: 2147626685
 	Severity: Severe
 	Category: Trojan
 	Path: file:C:\Windows\win32k.sys:2
 	Detection Origin: Local machine
 	Detection Type: Concrete
 	Detection Source: Real-Time Protection
 	Status: Suspended
 	User: NT AUTHORITY\SYSTEM
 	Process Name: C:\Users\Bialik\AppData\Local\Temp\b.exe
 	Signature Version: AV: 1.65.450.0, AS: 1.65.450.0
 	Engine Version: 1.1.5005.0

09-29-2009, 03:02 PM	#1 (permalink)
danielw94 Registered User Join Date: Sep 2009 Posts: 9 OS: Windows Vista SP2, Windows 7 RC1	Startup BSOD I've been living with this problem for quite a few weeks now. Whenever my computer starts up (whether it's a reboot or just a normal boot), I recieve a blue screen with just this text: STOP c000139 The procedure entry point ntoskrnl.ExiAcquireFastMutex could not be located in the dynamic link library HAL.dll Once I recieve this message I just reboot and it boots up fine. I've run scans with both avast home edition and spybot, and the problem still persists. I have a lenovo thinkpad x61 tablet running vista business sp2. Any help would be great. Thanks, Daniel

09-29-2009, 03:09 PM	#2 (permalink)
DT Roberts Windows Tech Team Join Date: Jun 2009 Location: Massachusetts Posts: 1,171 OS: Windows 7 RTM (x64), Vista SP2, XP Pro, Windows 7, Ubuntu 9.04 My System	Re: Startup BSOD Please follow the instructions here: http://www.techsupportforum.com/1871981-post2.html It will give us logs about your system specs and the BSOD's. __________________ A+ Certified Technician Using Device Manager Shrinking Partitions

09-29-2009, 06:37 PM	#4 (permalink)
DT Roberts Windows Tech Team Join Date: Jun 2009 Location: Massachusetts Posts: 1,171 OS: Windows 7 RTM (x64), Vista SP2, XP Pro, Windows 7, Ubuntu 9.04 My System	Re: Startup BSOD Interestingly enough, there are no memory dumps in the files you posted. Please navigate to C:\Windows\Minidump and zip all of its contents to your next post. __________________ A+ Certified Technician Using Device Manager Shrinking Partitions

09-29-2009, 06:40 PM	#5 (permalink)
danielw94 Registered User Join Date: Sep 2009 Posts: 9 OS: Windows Vista SP2, Windows 7 RC1	Re: Startup BSOD The folder's empty

09-29-2009, 07:09 PM	#7 (permalink)
danielw94 Registered User Join Date: Sep 2009 Posts: 9 OS: Windows Vista SP2, Windows 7 RC1	Re: Startup BSOD Well, the thing is, it only started happening after i turned off my computer in the middle of an update, so i'm not so sure it's malware. I've also had the microsoft antimalware problem on another computer i think it was just an isolated incident.

09-29-2009, 07:15 PM	#8 (permalink)
DT Roberts Windows Tech Team Join Date: Jun 2009 Location: Massachusetts Posts: 1,171 OS: Windows 7 RTM (x64), Vista SP2, XP Pro, Windows 7, Ubuntu 9.04 My System	Re: Startup BSOD Okay, I'm sorry that I was mistaken. When does it happen during boot - do you see the Windows logo at all? __________________ A+ Certified Technician Using Device Manager Shrinking Partitions

09-29-2009, 07:20 PM	#9 (permalink)
danielw94 Registered User Join Date: Sep 2009 Posts: 9 OS: Windows Vista SP2, Windows 7 RC1	Re: Startup BSOD This is what happens. I turn on the pc, i get to the Once that goes away it is black for a few seconds then up comes the blue screen. No logo or welcome screen.

09-29-2009, 07:27 PM	#10 (permalink)
DT Roberts Windows Tech Team Join Date: Jun 2009 Location: Massachusetts Posts: 1,171 OS: Windows 7 RTM (x64), Vista SP2, XP Pro, Windows 7, Ubuntu 9.04 My System	Re: Startup BSOD Okay. Windows should be recording crash dumps by this time. I can see that they aren't getting recorded at all in the system log: Code: Event[2996]: Log Name: System Source: volmgr Date: 2009-09-19T18:59:29.084 Event ID: 46 Task: N/A Level: Error Opcode: N/A Keyword: Classic User: N/A User Name: N/A Computer: daniellaptop Description: Crash dump initialization failed! To change this, go to the Control Panel>System>Advanced tab>Startup and Recovery. Once there, click Settings. Make sure you have a check mark next to "Write and event to the system log". Once you do that, try to replicate the problem and turn the PC on or do whatever it is that you have to do to get the BSOD. Once you get it, check back in C:\Windows\Minidump. Hopefully that will give us a dump to work with. Good luck. __________________ A+ Certified Technician Using Device Manager Shrinking Partitions

09-29-2009, 07:54 PM	#11 (permalink)
danielw94 Registered User Join Date: Sep 2009 Posts: 9 OS: Windows Vista SP2, Windows 7 RC1	Re: Startup BSOD I enabled the option you told me to and caused the bsod. Unfortunately the minidump folder is still empty.

09-29-2009, 10:46 PM	#12 (permalink)
jcgriff2 Moderator, Microsoft Supp Join Date: Sep 2007 Location: Palm Springs, California / Southern New Jersey Posts: 10,062 OS: Windows 7, Vista Ultimate My System	Re: Startup BSOD Code: AllocatedBaseSize 3031 CurrentUsage 59 Description C:\pagefile.sys InstallDate 20080722130944.000000-240 Name C:\pagefile.sys PeakUsage 462 Description 'pagefile.sys' @ c:\ InitialSize 3031 MaximumSize 4000 The above information from WMI indicates that you have a manually set page file. "AllocatedBaseSize" = 3031 MB, which is less than the 3072 MB installed RAM. This may be what is causing the "no dump" condition. Please do this to reset page file - 1. boot into SAFEMODE 2. turn page file OFF 3. re-boot - back into SAFEMODE 4. turn page file back on -- setting = "system managed" 5. re-boot Then, unfortunately, perform a task that leads to BSODs. Then check for a memory dump c:\windows\minidump Regards. . . jcgriff2 . __________________ . . . . . . . . BSOD Posting Instructions B Expecting a reply and waiting > 36 hours ? Send a PM to me containing a link to your thread My availability will be limited through ~ December 1, 2009

09-30-2009, 06:09 PM	#13 (permalink)
danielw94 Registered User Join Date: Sep 2009 Posts: 9 OS: Windows Vista SP2, Windows 7 RC1	Re: Startup BSOD Did what you said. Still nothing in the minidump folder.

10-02-2009, 03:16 PM	#14 (permalink)
danielw94 Registered User Join Date: Sep 2009 Posts: 9 OS: Windows Vista SP2, Windows 7 RC1	Re: Startup BSOD Any ideas?

10-15-2009, 11:18 AM	#15 (permalink)
danielw94 Registered User Join Date: Sep 2009 Posts: 9 OS: Windows Vista SP2, Windows 7 RC1	Re: Startup BSOD Anyone there?