[JeffMellinge]

I'm using win 2000. Been fine for 5years, no BSoD's at all. My niece was on my computer looking at someone's myspace and then it shut down and when it rebooted, I got this fine message:
Stop: 0x0000001E (0xC000005, 0x81DB0C8E, 0x00000001, 0x00000097) KMODE EXCEPTION COULD NOT BE HANDLED.
(sometimes, after a reboot, it has the 1E then 0x000001D, 0xEB41B4E4, 0x81DB4C8E, 0xC0000400)
I went into safemode and did a search for all files modified around the time she was on it. There was some spyware which I deleted after running Hijackthis. I have reduced the amount of virtual memory as well. Unfortunately, my virus program will not run during safemode so I don't know if there's a virus (hijackthis would notice it right?)
I have no idea what all the numbers in the error refer to. If anyone does, that could help me in fixing this and finding out what hardware or driver went haywire.
Can this just happen all of the sudden like this? I have not installed any new hardware or programs for awhile either.
Please help.
thanks
Jeff

[JeffMellinge]

Here is my hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 8:00:31 PM, on 10/12/2005
Platform: Windows 2000 SP1 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = WWW.ESPN.COM
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.yahoo.com"); (C:\Documents and Settings\Jeff Mellinger\Application Data\Mozilla\Profiles\default\ckq6lrhg.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src "); (C:\Documents and Settings\Jeff Mellinger\Application Data\Mozilla\Profiles\default\ckq6lrhg.slt\prefs.js)
O3 - Toolbar: AdwareFilter - {1028F737-81E7-452B-A860-E50CAD90A08C} - C:\Program Files\AdwareFilterToolBar\AdwareFilter.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HydarVisionDesktopManager] desk95.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Startup: Netscp.lnk = C:\Program Files\Netscape\Netscape\Netscp.exe
O4 - Global Startup: AdwareFilter Background Protection.lnk = C:\Program Files\AdwareFilter\AdwareFilter.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {558958F1-FF22-4A76-8595-79A6B7BA698A} (PuzzleBobbleLauncher Control) - https://www.pbo.jp/bobrun/PuzzleBobbleLauncher.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C68F9105-04FD-4B48-B6CC-2A076F711C35} (HpodPCFileCtrl2 Class) - file://F:\MEMDISC\ALBUM_A\VIEW\PLUGIN\HPODPCFC.CAB
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe

Also, this is what I listed a couple days ago regarding my kmode exception problem:

I'm using win 2000. Been fine for 5years, no BSoD's at all. My niece was on my computer looking at someone's myspace and then it shut down and when it rebooted, I got this fine message:
Stop: 0x0000001E (0xC000005, 0x81DB0C8E, 0x00000001, 0x00000097) KMODE EXCEPTION COULD NOT BE HANDLED.
(sometimes, after a reboot, it has the 1E then 0x000001D, 0xEB41B4E4, 0x81DB4C8E, 0xC0000400)
I went into safemode and did a search for all files modified around the time she was on it. I have reduced the amount of virtual memory. Unfortunately, my virus program will not run during safemode so I don't know if there's a virus (hijackthis would notice it right?)
I have no idea what all the numbers in the error refer to. If anyone does, that could help me in fixing this and finding out what hardware or driver went haywire.
Can this just happen all of the sudden like this? I have not installed any new hardware or programs for awhile either.
Please help.
thanks
Jeff

[Cheeseball81]

Welcome to TSG, JeffMellinge

I have merged your threads.
Please do not create multiple threads for the same issue.
Continue posting only here.
Thank you

[Rollin' Rog]

Is a driver file mentioned in the Stop message?

You can test unsigned drivers by going to start and running

verifier.exe

accept the default options and reboot.

IF you get a STOP message note the driver mentioned -- that is what is important.

Then you must reboot into Safe Mode and run:

verifier /reset

or you will get the same stop on every reboot.

http://support.microsoft.com/default...b;en-us;244617

[JeffMellinge]

I have run verifier before. I don't know much about it. But I ran it again and had it verify all the drivers, then I rebooted into safemode again and ran the verify / reset command you mentioned. It did not appear to do anything...because I rebooted normally and the exact same KMODE exception came up. It still does not mention any specific drivers by name, just the 0x......junk.
When I first encountered the KMODE exception on Sunday, it mentioned this: pcmciide.sys. I googled it and found not a single mention of it anywhere. I deleted it. The next time I rebooted, it mentioned this file: srvnkipx.sys. I deleted it as well. Ever since then, a normal reboot results in the KMODE exception with the 0x.... and no mention of specific drivers. I did not empty the recycle bin in the event that I may need to bring back those two files for some reason.
I went to the microsoft support page you directed me to. I do not know enough about that stuff to make an adequate attempt at doing what they suggest. I would need some steps to help me through it.
thanks
Jeff

[valis]

here's some info on it:
http://www.tek-tips.com/faqs.cfm?fid=730

and here's where the suggested fix from MS lies:
http://support.microsoft.com/kb/q275678/

good luck, this sounds like a fun one. I also saw an article that stated you could hvae been infected with a virus, but that applied only to the 2k servers.....

[Rollin' Rog]

Well, I'm not sure what you are deleting since neither of those driver files gets any google hits as spelled.

However if we assume the first 3 or 4 letters are correct, the first might refer to an external card of some kind:

http://www.google.com/search?client=...utf-8&oe=utf-8

... and anything beginning with "srv" would likely refer to a client/server application -- perhaps a database.

On the other hand, randomly named files that get no hits on google are generally malware -- but these are rarely ".sys" files

My gut suspicion is that PC-cillin may be acting up -- so you might want to try uninstalling that as a test.

If you used driver verifier to verify all the drivers, not just the unsigned ones, you've done about all you can do with that.

[JeffMellinge]

I am trying to uninstall the anti-virus program but it is telling me that the Windows Installer service could not be accessed and to contact support personnel to verify that the WI service is properly registered. how am I supposed to uninstall something in safemode if it won't let me? (I have never had trouble uninstalling anything before.)

[Rollin' Rog]

If you are actually trying to uninstall it in Safe Mode, don't. Use normal mode. Note any errors if you receive them there.

If you continue to get the same message in normal mode, try the resolution here:

http://support.microsoft.com/default...;en-us;Q315346

You can also try installing the update for Windows installer:

http://support.microsoft.com/kb/893803/

[JeffMellinge]

Um, remember, I cannot get into normal mode due to my loving KMODE exception message. Safemode is the best I can do. Are there any parts to the pc-cillin program I can delete manually that would possibly do the trick?

[Rollin' Rog]

Ah, didn't know that. I thought you had used Driver Verifier and gotten a normal boot, for one thing. Verifier only verifies when you reboot the system.

If you choose VGA mode from the f8 boot menu, can you get a "normal" boot?

You should also physically remove any external devices -- scanners, printers, external drives, etc. Simplify the hardware setup.

Testing the ram is still in the cards here as well.

Also if you can install "msconfig", you can try following Microsoft Clean Boot instructions.

http://www2.whidbey.net/djdenham/Msconfig.htm
http://support.microsoft.com/default...b;EN-US;310353

[JeffMellinge]

Ok, so first I tried booting in "VGA mode", no luck, same KMODe exception.
Then I disconnected printer, ethernet stuff, speaker system, still no dice.
Then I downloaded MSconfig and since it does not need to install, it works. I chose the Diagnostic Startup and tried rebooting into normal mode. No help there either, except this time, a new BSoD error appeared:
STOP: 0x00000050 (0xFFFFFFB1, 0x00000001, 0x81DB8C8E, 0x00000000) PAGE FAULT IN NONPAGED AREA.
don't have a clue what that means.
What should I try next?
thanks for all your help
jeff
p.s. it appears that my Firefox browser has lost all it's bookmarks and reverted to it's original homepage for some reason.

[Rollin' Rog]

Try swapping out ram modules.

There are also software testers you can try.

http://www.memtest86.com/

http://oca.microsoft.com/en/windiag.asp

Also have a look at the 050 articles covered here:

http://aumha.org/win5/kbestop.htm

One possiblility is a "rootkit" infection.

http://support.microsoft.com/?kbid=894278&sd=RMVP

Check the eventviewer (run eventvwr.msc) for any corresponding errors that might throw more light on things. Keep looking for driver files that might be mentioned.

If you can install and run "rootkitrevealer" and upload the log, it might have something:

http://www.sysinternals.com/Utilitie...tRevealer.html

[JeffMellinge]

Ok, I have to go out for a few hours, but here is the latest from the EventLog from the last time I booted:


Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
Date: 10/14/2005
Time: 12:21:45 PM
User: N/A
Computer: FPST-COMPUTER
Description:
The Tmfilter service depends on the Vsapint service which failed to start because of the following error:
No attempts to start the service have been made since the last boot.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
Date: 10/14/2005
Time: 12:21:45 PM
User: N/A
Computer: FPST-COMPUTER
Description:
The System Event Notification service depends on the COM+ Event System service which failed to start because of the following error:
No attempts to start the service have been made since the last boot.


Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
Date: 10/14/2005
Time: 12:21:45 PM
User: N/A
Computer: FPST-COMPUTER
Description:
The Trend Micro Proxy Service service depends on the Trend Micro TDI Driver service which failed to start because of the following error:
A device attached to the system is not functioning.


Event Type: Error
Event Source: asc
Event Category: None
Event ID: 9
Date: 10/14/2005
Time: 12:21:00 PM
User: N/A
Computer: FPST-COMPUTER
Description:
The device, \Device\Scsi\asc4, did not respond within the timeout period.
Data:
0000: 0010000f 00600001 00000000 c0040009
0010: 50000101 00000000 00000001 00000000
0020: 00000000 00000000 00000000 00000006
0030: 00000001 00000007


Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1003
Date: 10/14/2005
Time: 12:22:11 PM
User: N/A
Computer: FPST-COMPUTER
Description:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0050FC649AB2. The following error occured:
The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
Data:
0000: 00000079


Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7026
Date: 10/14/2005
Time: 12:22:26 PM
User: N/A
Computer: FPST-COMPUTER
Description:
The following boot-start or system-start driver(s) failed to load:
tmtdi


Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
Date: 10/14/2005
Time: 12:22:29 PM
User: N/A
Computer: FPST-COMPUTER
Description:
The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error:
No attempts to start the service have been made since the last boot.


Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10010
Date: 10/14/2005
Time: 12:22:56 PM
User: NT AUTHORITY\SYSTEM
Computer: FPST-COMPUTER
Description:
The server {1BE1F766-5536-11D1-B726-00C04FB926AF} did not register with DCOM within the required timeout.


So i noticed a couple of mentions of the Trend Micro in there. It does appear that it is one of the problems...now if I could just uninstall it......
I will be back around 5pm PDT and will work on the problem further
thanks
jeff

[Rollin' Rog]

Some of the errors may be due to removal of the ethernet card or Safe Mode boots.

While the Trend entry is interesting, no blue screen stop error should have occured in a "Diagnostic" boot using msconfig since presumably no Trend services or startups would have been started in that configuration. This is almost equivalent to a "Safe Mode" boot except that basic hardware drivers are loaded here which are not loaded in Safe Mode.

It's what is loading, and what resources it is trying to use, rather than what is not that is the key

The error occuring during the Diagnostic boot would be most interesting if a driver were mentioned. You can look for Save Dump entries in the event viewer, but I doubt they will show anything more than the actual Blue Screen Stop which you copied faithfully.

This is why I think Ram has to be the immediate focus right now. And if nothing there, we can possibly look further for a boot sector trojan if you can run that "rootkitrevealer".