computer freeze / memory dump

HORN60056 (Member with 36 posts, Join Date: May 2002), 05-Jun-2008, 11:39 PM #1
computer freeze / memory dump
Greetings and thanks for prior help. New problem may relate to older, unresolved freeze problems.

New problem - cannot load Roxio CD&DVD burning software. Goes so far (probably most of the way thru setup - past writing sys reg values and updating). Then CD drive starts and I get BAD_POOL_HEADER and blue screen physical memory dump. I have done most of their stuff including msconfig to disengage all startup items, and looked for prior Roxio programs in Remove Programs (none).

Older problems - freeze during Windows startup - usually at about 14 of 30 bar runs across the startup screen (note: in Safe Mode, hangs at "win/sys32/driver/Mup.sys").
Also occasional (daily to weekly) hard freeze purely at random times and conditions. Only unplugging computer and restarting regains control - Windows does not recognize the abnormal shutdown.

I have several registry fixers in use. Suggestions please.
Rollin' Rog (Distinguished Member with 46,024 posts, Join Date: Dec 2000, Location: North of Hollywoodland, Experience: I know when to fold em'), 05-Jun-2008, 11:46 PM #2
>>>Can you give me a link to any previous thread so I can see what kinds of problems were being dealt with there?

>>> Also post a Hijackthis scanlog here :

Download and install HijackThis. Run it and select "do a system scan and save the log file". Then copy/paste the contents of the log to a reply

http://www.trendsecure.com/portal/en...ols/hijackthis


>>> Finally: I can run a debugging utility on the dump files if you do this:

1 > create a new folder on the desktop and call it "dumpcheck" or whatever you like
2 > navigate to %systemroot%\minidump and copy the last few minidump files to that folder. %systemroot% is normally c:\windows. They are numbered by date. You can paste that address in address bar to get there.
3 > close the folder and right click on it and select Send to Compressed (zipped) Folder.
4 > use the "manage attachments" in the "advanced" reply window to upload that zip file here as an attachment.

This might point us to a non-system driver causing the error, if one exists for it.

Since almost all bugchecks can be caused by faulty ram, I would recommend you perform memory tests.

Beginners Guides: Diagnosing Bad Memory


Memtest86 - A Stand-alone Memory Diagnostic
HORN60056 (Member with 36 posts, Join Date: May 2002), 06-Jun-2008, 01:18 AM #3
Thanks; I hope I have attached some files. The first, trend secure, should be fine.

The minidumps look like the files you are after, but the path was not as you suggested.

Haven't uploaded (or attached) files in techguy, so it seems questionable.

Dave
HORN60056 (Member with 36 posts, Join Date: May 2002), 06-Jun-2008, 01:27 AM #4
More - I am trying to send the ZIP files (they seem small, so don't know if this is necessary)
Attached Files
File Type: zip Mini060508-04.zip (7.2 KB, 14 views)
File Type: zip Mini060508-02.zip (6.9 KB, 5 views)
Rollin' Rog (Distinguished Member with 46,024 posts, Join Date: Dec 2000, Location: North of Hollywoodland, Experience: I know when to fold em'), 06-Jun-2008, 08:55 AM #5
I'm not seeing the log file -- you can just copy/paste that to a reply.

The files have to be zipped because the file type would not otherwise be permitted for an upload -- you don't need to zip them separately -- you can do the whole folder.

Mup.sys errors, by the way -- are usually hardware related -- even a USB mouse can cause one if bad.


%systemroot% = "c:\windows"

Where did you find the minidump folder if not there?

The errors are for a "bad pool header" in a core memory management module.

It does not tell us what is causing the corruption.

I do see F Secure's fsbldrv.sys as an unloaded module -- this is for their "black light" rootkit detection module; if these problems began after installing F Secure -- it would be a prime suspect.


Quote:
Probably caused by : ntoskrnl.exe ( nt!ExFreePoolWithTag+2be )

Followup: MachineOwner
---------

kd> !analyze -v;r;kv;lmtn;
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Arg1: 00000020, a pool block header size is corrupt.
Arg2: e1975000, The pool entry we were looking for within the page.
Arg3: e1975cb0, The next pool entry.
Arg4: 1b961b96, (reserved)
More info on generic causes >> http://aumha.org/a/stop.php#0x19

We may be able to find out by running "driver verifier". Make sure you can start and return from Safe Mode before running it:


USING DRIVER VERIFIER

Windows has a built in driver tester that may find something.
Before using it you must ensure that you can start in Safe Mode and return from it. If verifier issues a STOP screen, rebooting in Safe Mode is the only way to reset it.

In its default configuration verifier tests "unsigned" drivers, but you can have it test all drivers under maximum conditions.

There's less to it than meets the eye in this MS article:

http://support.microsoft.com/default...b;en-us;244617

To run verifier simply go to Start > run and enter:

verifier.exe

and select "standard configuration" and follow the prompts.
It will run on the next reboot. If it finds something you will get a Blue Screen STOP message.
Ignore the STOP parameters -- they are specific to verifier. The only thing important is the driver file name if it finds one.

If you get a STOP screen you will have to reboot to Safe Mode and run verifier again and have it "delete existing settings"

If you do not get a STOP message you can run it again checking all drivers; driver verifier will continue to run on every boot up until you run:

verifier /reset

or use the graphical interface to delete existing settings.

Last edited by Rollin' Rog; 06-Jun-2008 at 09:39 AM..
HORN60056 (Member with 36 posts, Join Date: May 2002), 06-Jun-2008, 10:07 AM #6
Here is the one item - this stuff gets deep. Will look into others soon.
In WINDOWS I found a folder called MINIDUMP.

Thanks. Dave

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:06:57 PM, on 6/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\PC Protection Plus\Anti-Virus\fsgk32st.exe
C:\Program Files\PC Protection Plus\Common\FSMA32.EXE
C:\Program Files\PC Protection Plus\Anti-Virus\FSGK32.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\PC Protection Plus\Common\FSMB32.EXE
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\Program Files\PC Protection Plus\Common\FCH32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PC Protection Plus\Anti-Virus\fsqh.exe
C:\Program Files\PC Protection Plus\Common\FAMEH32.EXE
C:\Program Files\PC Protection Plus\FSPC\fspc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHCLDCS.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\Program Files\PC Protection Plus\FWES\Program\fsdfwd.exe
C:\Program Files\PC Protection Plus\Anti-Virus\fssm32.exe
C:\Program Files\PC Protection Plus\FSAUA\program\fsaua.exe
C:\Program Files\PC Protection Plus\FSAUA\program\fsus.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PC Protection Plus\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Serif\PagePlus\12.0\Program\PagePlus.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit (User 'LOCAL SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\PC Protection Plus\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\PC Protection Plus\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\PC Protection Plus\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1190764431926
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/Driver...aSmartScan.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DLM Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.3.2.cab
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\PC Protection Plus\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\PC Protection Plus\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\PC Protection Plus\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\PC Protection Plus\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OKI OPHC DCS Loader - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHCLDCS.EXE
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe

--
End of file - 7011 bytes
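
One way to summarise a HijackThis log like the one posted above, as an added example that is not part of the thread: it counts the O23 (third-party service) entries per vendor and checks which of them appear under "Running processes". `LOG` is an excerpt of the posted log; the function names `parse` and `footprint` are this example's own.

```python
from collections import defaultdict

# Excerpt of the HijackThis log posted above (trimmed to keep the example short).
LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PC Protection Plus\Anti-Virus\fsgk32st.exe
C:\Program Files\PC Protection Plus\Common\FSMA32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PC Protection Plus\FWES\Program\fsdfwd.exe
C:\Program Files\PC Protection Plus\FSAUA\program\fsaua.exe

O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\PC Protection Plus\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\PC Protection Plus\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\PC Protection Plus\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\PC Protection Plus\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

def parse(log):
    """Return (running process paths, O23 services as (name, vendor, path))."""
    procs, services, in_procs = [], [], False
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:
            in_procs = False          # a blank line ends the process list
        elif in_procs:
            procs.append(line)
        elif line.startswith("O23 - Service: "):
            # Split from the right: the service name itself may contain " - ".
            name, vendor, path = line[len("O23 - Service: "):].rsplit(" - ", 2)
            services.append((name, vendor, path))
    return procs, services

def footprint(log):
    """Vendors as (vendor, services, running), most running services first."""
    procs, services = parse(log)
    running = {p.lower() for p in procs}   # Windows paths are case-insensitive
    total, live = defaultdict(int), defaultdict(int)
    for _name, vendor, path in services:
        total[vendor] += 1
        live[vendor] += path.lower() in running
    return sorted(((v, total[v], live[v]) for v in total),
                  key=lambda r: (-r[2], r[0]))

if __name__ == "__main__":
    for row in footprint(LOG):
        print(row)
```
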
Rollin' Rog (Distinguished Member with 46,024 posts, Join Date: Dec 2000, Location: North of Hollywoodland, Experience: I know when to fold em'), 06-Jun-2008, 07:22 PM #7
Well my suspicion would definitely be F-Secure here; it has a lot of fingers in a lot of pies.

And you have little else of consequence loading.

You might be able to get some confirmation of this by running in "clean boot" mode for a while, without actually uninstalling it. However you will be without any protection during that period so you will have to exercise appropriate caution.

First, restart in Safe Mode if necessary -- (tap the f8 key promptly on startup and choose the Safe Mode option from the boot menu) or Normal mode

Then:

Run msconfig and select the "Services" tab. Check "Hide Microsoft Services" and then disable the rest. Also uncheck "load startup group" on the general page.

See this link for detailed information:


http://support.microsoft.com/kb/929135 << for Vista, but applies equally to XP, and better written.

Now restart and test the issue at hand

If no problems, run msconfig and recheck half the disabled items on the Services tab. Test again. If the problem recurs, UNcheck half the items you just checked to narrow down the culprit.

If the problem didn't occur, check the other half, so all the Services are enabled -- proceed to do this on the startup tab as well.

Get the idea? You want to isolate the problem to a specific startup if possible.

Note: if you already have items unchecked under msconfig > startups and are in “selective” startup mode – you should note what these are before beginning. They will need to be de-selected again.
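
The halving procedure from the post above, modelled as an added example that is not part of the thread: it shows how many test boots the nine non-Microsoft services in the posted HijackThis log would take to narrow down. The names `isolate`, `simulate` and `problem_occurs` are this example's own, the "culprit" passed to `simulate` is constructed, the model enables only the half under test at each step, and the final confirmation boot is an added check that the post does not describe.

```python
# Non-Microsoft services from the HijackThis log in this thread (short names).
SERVICES = ["FSGKHS", "FSAUA", "FSDFWD", "FSMA", "gusvc",
            "IDriverT", "NVSvc", "OKI OPHC DCS Loader", "PinnacleSys.MediaServer"]

def isolate(items, problem_occurs):
    """Halving search from the post; returns (culprit or None, test boots).

    problem_occurs(enabled) stands in for a reboot plus a manual test with
    only `enabled` switched on. Assumes at most one item triggers the fault.
    """
    boots = 1
    if problem_occurs(frozenset()):          # clean boot still fails:
        return None, boots                   # not a startup item at all
    suspects = list(items)
    while len(suspects) > 1:
        half = suspects[:len(suspects) // 2]
        boots += 1
        # Fault with only this half enabled -> culprit is in it; else the rest.
        suspects = half if problem_occurs(frozenset(half)) else suspects[len(half):]
    boots += 1                               # added check: confirm the survivor
    if suspects and problem_occurs(frozenset(suspects)):
        return suspects[0], boots
    return None, boots                       # nothing here reproduces the fault

def simulate(culprit):
    """Constructed stand-in for the PC: faults whenever `culprit` is enabled."""
    return isolate(SERVICES, lambda enabled: culprit in enabled)

if __name__ == "__main__":
    for name in ("FSDFWD", "PinnacleSys.MediaServer", None):
        print(name, "->", simulate(name))
```

A `None` result after the confirmation boot means no single startup item reproduces the fault, which points back at the hardware and memory checks suggested earlier in the thread.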