STOP: 0x0000001E KMODE EXCEPTION NOT HANDLED

Discussion in 'Windows XP' started by JeffMellinge, Oct 12, 2005.

Thread Status:
Not open for further replies.
  1. JeffMellinge

    JeffMellinge Thread Starter

    Joined:
    Oct 12, 2005
    Messages:
    43
    I'm using win 2000. Been fine for 5 years, no BSoDs at all. My niece was on my computer looking at someone's myspace and then it shut down and when it rebooted, I got this fine message:
    Stop: 0x0000001E (0xC000005, 0x81DB0C8E, 0x00000001, 0x00000097) KMODE EXCEPTION COULD NOT BE HANDLED.
    (sometimes, after a reboot, it has the 1E then 0x000001D, 0xEB41B4E4, 0x81DB4C8E, 0xC0000400)
    I went into Safe Mode and did a search for all files modified around the time she was on it. There was some spyware which I deleted after running HijackThis. I have reduced the amount of virtual memory as well. Unfortunately, my virus program will not run during Safe Mode so I don't know if there's a virus (HijackThis would notice it, right?)
    I have no idea what all the numbers in the error refer to. If anyone does, that could help me in fixing this and finding out what hardware or driver went haywire.
    Can this just happen all of a sudden like this? I have not installed any new hardware or programs for a while either.
    Please help.
    thanks
    Jeff
     
  2. JeffMellinge

    JeffMellinge Thread Starter

    Joined:
    Oct 12, 2005
    Messages:
    43
    Here is my hijack log:
    Logfile of HijackThis v1.99.1
    Scan saved at 8:00:31 PM, on 10/12/2005
    Platform: Windows 2000 SP1 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.exe
    C:\Program Files\DIGStream\digstream.exe
    C:\Program Files\Netscape\Netscape\Netscp.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = WWW.ESPN.COM
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    N3 - Netscape 7: user_pref("browser.startup.homepage", "www.yahoo.com"); (C:\Documents and Settings\Jeff Mellinger\Application Data\Mozilla\Profiles\default\ckq6lrhg.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Jeff Mellinger\Application Data\Mozilla\Profiles\default\ckq6lrhg.slt\prefs.js)
    O3 - Toolbar: AdwareFilter - {1028F737-81E7-452B-A860-E50CAD90A08C} - C:\Program Files\AdwareFilterToolBar\AdwareFilter.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [HydarVisionDesktopManager] desk95.exe
    O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"
    O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - Startup: Netscp.lnk = C:\Program Files\Netscape\Netscape\Netscp.exe
    O4 - Global Startup: AdwareFilter Background Protection.lnk = C:\Program Files\AdwareFilter\AdwareFilter.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {558958F1-FF22-4A76-8595-79A6B7BA698A} (PuzzleBobbleLauncher Control) - https://www.pbo.jp/bobrun/PuzzleBobbleLauncher.ocx
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {C68F9105-04FD-4B48-B6CC-2A076F711C35} (HpodPCFileCtrl2 Class) - file://F:\MEMDISC\ALBUM_A\VIEW\PLUGIN\HPODPCFC.CAB
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe

    Also, this is what I listed a couple days ago regarding my kmode exception problem:

    I'm using win 2000. Been fine for 5 years, no BSoDs at all. My niece was on my computer looking at someone's myspace and then it shut down and when it rebooted, I got this fine message:
    Stop: 0x0000001E (0xC000005, 0x81DB0C8E, 0x00000001, 0x00000097) KMODE EXCEPTION COULD NOT BE HANDLED.
    (sometimes, after a reboot, it has the 1E then 0x000001D, 0xEB41B4E4, 0x81DB4C8E, 0xC0000400)
    I went into Safe Mode and did a search for all files modified around the time she was on it. I have reduced the amount of virtual memory. Unfortunately, my virus program will not run during Safe Mode so I don't know if there's a virus (HijackThis would notice it, right?)
    I have no idea what all the numbers in the error refer to. If anyone does, that could help me in fixing this and finding out what hardware or driver went haywire.
    Can this just happen all of a sudden like this? I have not installed any new hardware or programs for a while either.
    Please help.
    thanks
    Jeff
     
  3. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Welcome to TSG, JeffMellinge :)

    I have merged your threads.
    Please do not create multiple threads for the same issue.
    Continue posting only here.
    Thank you :)
     
  4. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Is a driver file mentioned in the Stop message?

    You can test unsigned drivers by going to start and running

    verifier.exe

    accept the default options and reboot.

    If you get a STOP message note the driver mentioned -- that is what is important.

    Then you must reboot into Safe Mode and run:

    verifier /reset

    or you will get the same stop on every reboot.

    http://support.microsoft.com/default.aspx?scid=kb;en-us;244617
     
  5. JeffMellinge

    JeffMellinge Thread Starter

    Joined:
    Oct 12, 2005
    Messages:
    43
    I have run verifier before. I don't know much about it. But I ran it again and had it verify all the drivers, then I rebooted into Safe Mode again and ran the verify / reset command you mentioned. It did not appear to do anything... because I rebooted normally and the exact same KMODE exception came up. It still does not mention any specific drivers by name, just the 0x......junk.
    When I first encountered the KMODE exception on Sunday, it mentioned this: pcmciide.sys. I googled it and found not a single mention of it anywhere. I deleted it. The next time I rebooted, it mentioned this file: srvnkipx.sys. I deleted it as well. Ever since then, a normal reboot results in the KMODE exception with the 0x.... and no mention of specific drivers. I did not empty the recycle bin in the event that I may need to bring back those two files for some reason.
    I went to the Microsoft support page you directed me to. I do not know enough about that stuff to make an adequate attempt at doing what they suggest. I would need some steps to help me through it.
    thanks
    Jeff
     
  6. valis

    valis Moderator

    Joined:
    Sep 24, 2004
    Messages:
    75,367
  7. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Well, I'm not sure what you are deleting since neither of those driver files gets any google hits as spelled.

    However if we assume the first 3 or 4 letters are correct, the first might refer to an external card of some kind:

    http://www.google.com/search?client=opera&rls=en&q=pcmci&sourceid=opera&ie=utf-8&oe=utf-8

    ... and anything beginning with "srv" would likely refer to a client/server application -- perhaps a database.

    On the other hand, randomly named files that get no hits on google are generally malware -- but these are rarely ".sys" files.

    My gut suspicion is that PC-cillin may be acting up -- so you might want to try uninstalling that as a test.

    If you used driver verifier to verify all the drivers, not just the unsigned ones, you've done about all you can do with that.
     
  8. JeffMellinge

    JeffMellinge Thread Starter

    Joined:
    Oct 12, 2005
    Messages:
    43
    I am trying to uninstall the anti-virus program but it is telling me that the Windows Installer service could not be accessed and to contact support personnel to verify that the WI service is properly registered. How am I supposed to uninstall something in Safe Mode if it won't let me? (I have never had trouble uninstalling anything before.)
     
  9. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
  10. JeffMellinge

    JeffMellinge Thread Starter

    Joined:
    Oct 12, 2005
    Messages:
    43
    Um, remember, I cannot get into normal mode due to my loving KMODE exception message. Safe Mode is the best I can do. Are there any parts to the pc-cillin program I can delete manually that would possibly do the trick?
     
  11. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Ah, didn't know that. I thought you had used Driver Verifier and gotten a normal boot, for one thing. Verifier only verifies when you reboot the system.

    If you choose VGA mode from the F8 boot menu, can you get a "normal" boot?

    You should also physically remove any external devices -- scanners, printers, external drives, etc. Simplify the hardware setup.

    Testing the RAM is still in the cards here as well.

    Also if you can install "msconfig", you can try following Microsoft Clean Boot instructions.

    http://www2.whidbey.net/djdenham/Msconfig.htm
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;310353
     
  12. JeffMellinge

    JeffMellinge Thread Starter

    Joined:
    Oct 12, 2005
    Messages:
    43
    Ok, so first I tried booting in "VGA mode", no luck, same KMODE exception.
    Then I disconnected printer, ethernet stuff, speaker system, still no dice.
    Then I downloaded MSconfig and since it does not need to install, it works. I chose the Diagnostic Startup and tried rebooting into normal mode. No help there either, except this time, a new BSoD error appeared:
    STOP: 0x00000050 (0xFFFFFFB1, 0x00000001, 0x81DB8C8E, 0x00000000) PAGE FAULT IN NONPAGED AREA.
    Don't have a clue what that means.
    What should I try next?
    thanks for all your help
    jeff
    p.s. it appears that my Firefox browser has lost all its bookmarks and reverted to its original homepage for some reason.
     
  13. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Try swapping out RAM modules.

    There are also software testers you can try.

    http://www.memtest86.com/

    http://oca.microsoft.com/en/windiag.asp

    Also have a look at the 050 articles covered here:

    http://aumha.org/win5/kbestop.htm

    One possibility is a "rootkit" infection.

    http://support.microsoft.com/?kbid=894278&sd=RMVP

    Check the Event Viewer (run eventvwr.msc) for any corresponding errors that might throw more light on things. Keep looking for driver files that might be mentioned.

    If you can install and run "rootkitrevealer" and upload the log, it might have something:

    http://www.sysinternals.com/Utilities/RootkitRevealer.html
     
  14. JeffMellinge

    JeffMellinge Thread Starter

    Joined:
    Oct 12, 2005
    Messages:
    43
    Ok, I have to go out for a few hours, but here is the latest from the EventLog from the last time I booted:


    Event Type: Error
    Event Source: Service Control Manager
    Event Category: None
    Event ID: 7001
    Date: 10/14/2005
    Time: 12:21:45 PM
    User: N/A
    Computer: FPST-COMPUTER
    Description:
    The Tmfilter service depends on the Vsapint service which failed to start because of the following error:
    No attempts to start the service have been made since the last boot.

    Event Type: Error
    Event Source: Service Control Manager
    Event Category: None
    Event ID: 7001
    Date: 10/14/2005
    Time: 12:21:45 PM
    User: N/A
    Computer: FPST-COMPUTER
    Description:
    The System Event Notification service depends on the COM+ Event System service which failed to start because of the following error:
    No attempts to start the service have been made since the last boot.


    Event Type: Error
    Event Source: Service Control Manager
    Event Category: None
    Event ID: 7001
    Date: 10/14/2005
    Time: 12:21:45 PM
    User: N/A
    Computer: FPST-COMPUTER
    Description:
    The Trend Micro Proxy Service service depends on the Trend Micro TDI Driver service which failed to start because of the following error:
    A device attached to the system is not functioning.


    Event Type: Error
    Event Source: asc
    Event Category: None
    Event ID: 9
    Date: 10/14/2005
    Time: 12:21:00 PM
    User: N/A
    Computer: FPST-COMPUTER
    Description:
    The device, \Device\Scsi\asc4, did not respond within the timeout period.
    Data:
    0000: 0010000f 00600001 00000000 c0040009
    0010: 50000101 00000000 00000001 00000000
    0020: 00000000 00000000 00000000 00000006
    0030: 00000001 00000007


    Event Type: Warning
    Event Source: Dhcp
    Event Category: None
    Event ID: 1003
    Date: 10/14/2005
    Time: 12:22:11 PM
    User: N/A
    Computer: FPST-COMPUTER
    Description:
    Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0050FC649AB2. The following error occured:
    The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
    Data:
    0000: 00000079


    Event Type: Error
    Event Source: Service Control Manager
    Event Category: None
    Event ID: 7026
    Date: 10/14/2005
    Time: 12:22:26 PM
    User: N/A
    Computer: FPST-COMPUTER
    Description:
    The following boot-start or system-start driver(s) failed to load:
    tmtdi


    Event Type: Error
    Event Source: Service Control Manager
    Event Category: None
    Event ID: 7001
    Date: 10/14/2005
    Time: 12:22:29 PM
    User: N/A
    Computer: FPST-COMPUTER
    Description:
    The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error:
    No attempts to start the service have been made since the last boot.


    Event Type: Error
    Event Source: DCOM
    Event Category: None
    Event ID: 10010
    Date: 10/14/2005
    Time: 12:22:56 PM
    User: NT AUTHORITY\SYSTEM
    Computer: FPST-COMPUTER
    Description:
    The server {1BE1F766-5536-11D1-B726-00C04FB926AF} did not register with DCOM within the required timeout.


    So I noticed a couple of mentions of the Trend Micro in there. It does appear that it is one of the problems... now if I could just uninstall it......
    I will be back around 5pm PDT and will work on the problem further
    thanks
    jeff
     
  15. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Some of the errors may be due to removal of the ethernet card or Safe Mode boots.

    While the Trend entry is interesting, no blue screen stop error should have occurred in a "Diagnostic" boot using msconfig since presumably no Trend services or startups would have been started in that configuration. This is almost equivalent to a "Safe Mode" boot except that basic hardware drivers are loaded here which are not loaded in Safe Mode.

    It's what is loading, and what resources it is trying to use, rather than what is not, that is the key.

    The error occurring during the Diagnostic boot would be most interesting if a driver were mentioned. You can look for Save Dump entries in the event viewer, but I doubt they will show anything more than the actual Blue Screen Stop which you copied faithfully.

    This is why I think RAM has to be the immediate focus right now. And if nothing there, we can possibly look further for a boot sector trojan if you can run that "rootkitrevealer".
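
Added example, not part of any post in the thread: a small Python triage of the Event Viewer text posted above. It separates Service Control Manager dependency errors whose reason is "No attempts to start the service..." from those reporting an actual failure, and lists drivers that failed to load. Treating the "No attempts" reason as a side effect of the boot mode is an assumption of this example; the function names and the abridged sample are constructed.

```python
import re
NOT_ATTEMPTED = "No attempts to start the service have been made since the last boot."
DEP_RE = re.compile(r"The (.+?) service depends on the (.+?) service which failed to start")

# Constructed sample: four records abridged from the Event Viewer text in the thread.
SAMPLE = """\
Event Type: Error
Event Source: Service Control Manager
Event ID: 7001
Description:
The Tmfilter service depends on the Vsapint service which failed to start because of the following error:
No attempts to start the service have been made since the last boot.

Event Type: Error
Event Source: Service Control Manager
Event ID: 7001
Description:
The Trend Micro Proxy Service service depends on the Trend Micro TDI Driver service which failed to start because of the following error:
A device attached to the system is not functioning.

Event Type: Error
Event Source: Service Control Manager
Event ID: 7026
Description:
The following boot-start or system-start driver(s) failed to load:
tmtdi

Event Type: Error
Event Source: asc
Event ID: 9
Description:
The device, \\Device\\Scsi\\asc4, did not respond within the timeout period.
"""

def parse_records(text):
    """Split an Event Viewer text export into one dict per 'Event Type:' block."""
    records = []
    for block in re.split(r"(?m)^(?=[ \t]*Event Type:)", text):
        head, sep, body = block.partition("Description:")
        if not sep:
            continue  # empty leading chunk or a block without a description
        rec = dict(re.findall(r"(?m)^[ \t]*([^:\n]+):[ \t]*(.*?)[ \t]*$", head))
        body = re.split(r"(?m)^[ \t]*Data:", body)[0]  # drop the hex dump, if any
        rec["Description"] = [ln.strip() for ln in body.splitlines() if ln.strip()]
        records.append(rec)
    return records

def triage(records):  # -> (real_failures, not_attempted, failed_drivers)
    real, skipped, drivers = [], [], []
    for rec in records:
        desc = rec["Description"]
        if rec.get("Event Source") != "Service Control Manager" or not desc:
            continue
        m = DEP_RE.search(desc[0])
        if rec.get("Event ID") == "7001" and m:
            edge = (m.group(1), m.group(2), " ".join(desc[1:]))
            (skipped if edge[2] == NOT_ATTEMPTED else real).append(edge)
        elif rec.get("Event ID") == "7026":
            drivers.extend(desc[1:])  # driver names follow the header line
    return real, skipped, drivers
```

On the sample, the only dependency error with a real failure reason is the Trend Micro Proxy Service one, and the only driver that failed to load is tmtdi.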
     
Short URL to this thread: https://techguy.org/406960