TechSpot

Random BSOD and CD won't read data

By michele31415
Feb 23, 2009
Topic Status:
Not open for further replies.
  1. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Start->Run-> sysdm.cpl
    Advanced Tab
    Error Reporting button
    Enable Error Reporting
    Tick
    Tick

    Apply
    ok
    ok
    You may need to restart
    And wait for a BSOD one day (sometime) :wave:
  2. michele31415

    michele31415 Newcomer, in training Topic Starter Posts: 33

    Minidump[

    Oh that's not hard at all :) I can make it BSOD anytime I want - just running malwarebytes does it every time. I just tried it and sure enough, less than a minute in I got:

    PFN_LIST_CORRUPT
    STOP: 0x0000004E (0x00000007,0x0002691D,0x00000001,0x00000000)

    Much to my surprise, C:\Minidump was still empty. I thought it was because I hadn't rebooted after changing the settings. So reboot, run MB, and same thing! Turns out I also had "Write debugging information" turned off in System Properties -> Advanced -> Startup and Recovery. So I changed that to "Small memory dump (64 KB)" and ran MB for the third time. Sure enough, before too long I was rewarded with:

    PFN_LIST_CORRUPT
    STOP: 0x0000004E (0x00000007,0x000293CD,0x00000001,0x00000000)

    Minidump file is attached (finally)

    Can you make anything of this?

    PS - while waiting for your reply, I decided to run a 3d Mark 2005 benchmark just to give the machine something to do. It ran fine until the 8th test, which I believe is video, then did:

    MEMORY_MANAGEMENT
    STOP: 0x0000001A (0x00041284,0x08E17001,0x000040CA,0xC05030000)

    More weirdness: on reboot, I got a popup titled "Avira AnitVir Personal - Free Antivirus" that said "Unable to load plugin 'Update' Error: LoadLibrary() failed."

    What do you make of this?
  3. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

  4. michele31415

    michele31415 Newcomer, in training Topic Starter Posts: 33

    Hmmm, well it appears that I'd already done a lot of this stuff before I even got here. I read a lot in the post "Before you post your minidumps, please read this" about over-temp as a cause for BSOD's. But I can run this machine all day without getting one, or I can get one instantly by running malwarebytes. I even added an external muffin fan blowing across the case. The computer is now running cooler than it ever was before it started acting up. I ran Microsoft's windiag memory diagnostics twice, six passes each time and got zero errors. I already did extensive scans of the disk using both scandisk and the Hitachi/IBM low-level diagnostics and found nothing.

    At this point I believe that if nothing else, Occam's Razor is telling me that this is a software problem, not hardware. Can you please be more specific - are you saying I'm on my own as far as interpreting the minidumps goes? DId I do something wrong with the way I posted the minidump in my last message? I'm willing to go through the learning curve involved if I have to. I'm just not quite sure what to make of all this. Thanks.
  5. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    It would be far easier just to attach the Minidump, using the paperclip icon, on the toolbar of a new reply, it looks like this -> [​IMG]

    Presently, you have not "attached" anything :confused:
  6. michele31415

    michele31415 Newcomer, in training Topic Starter Posts: 33

    Oops

    Uh oh - did I forget to attach it? It's possible. I've been known to do strange things at 2 AM. My bad. Anyway, here is (I hope) what I thought I had attached last night. In the meantime, I am downloading the Windows Debugging Tools from Microsoft.

    [...time passes...]

    Follow-up: OK, I have installed the Debugging Tools and looked at the three minidumps I've gotten since yesterday. The first one was while I was running mbam and the debugger claims that the crash was "probably caused by mbamswissarmy.sys". This gives me some measure of confidence that it knows what it's talking about. However, crash no. 2, which happened while running 3D Mark and crash no. 3, which happened while installing the debugger, both had probable causes as "memory_corruption"

    Clicking on the "analyze -v" option give me the further advice that this is "typically caused by drivers passing bad memory descriptor lists (ie. calling MmUnlockPages twice with the same list, etc)" So we're back to suspecting some criver, yes? But ***which one***?
  7. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Please uninstall Malwarebytes

    Done :grinthumb

    You may want to check for Viruses\]Malware too (which means download the newest version of Malwarebytes and look here: UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions)


    Edit:

    I'd say update all your drivers

    By the way how did removing Malwarebytes go? Did it resolve it?
    Otherwise the 8-Step process would be wise
  8. michele31415

    michele31415 Newcomer, in training Topic Starter Posts: 33

    At your suggestion, I uninstalled Malwarebytes though I'm not sure how that would help, but you're the boss. I then tried the CD again - still doesn't work. Then I tried running PCMark05 again. This time it ran to completion. It did not BSOD. Then I re-downloaded Malwarebytes and installed it. In the middle of the install, I got a MEMORY_MANAGEMENT stop. Minidump is attached (hopefully). Note that this crash was before MB started doing a scan - it happened while it was installing its updates and before it brought up its main screen.

    So to recap so far:

    1. MB runs OK in Safe Mode.
    2. MB crashes in normal mode.
    3. PCMark crashes when MB is installed.
    4. PCMark runs OK when MB is not installed.
    5. The CD drive is still not working.
    6. I already reinstalled both the audio and video drivers directly from the Alienware website. However, note that those are now 5 years old and Alienware never updated them. They predate SP3.

    I am leaning towards a bad driver as the cause of the BSOD problem.
    I have no clue as to the cause of the CD problem.

    I'm not felling too well tonight. This will be my last post til tomorrow.
  9. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    I'm leaning towards Malware infection
    Might be best to run the above in Safe Mode with Networking

    By the way if you have AVG or Norton or McAfee or some other high intense Antivirus. Remove it fully, I'll supply removal tools too, if you need them

    Install Avira free Antivirus instead
  10. michele31415

    michele31415 Newcomer, in training Topic Starter Posts: 33

    Hmm, we've already been through this - twice. See posts no. 2, 3, and 16-20. The only anti-virus this machine ever had on it was AVG However, I do not discount the possibility of some remaining malware lurking somewhere.

    Anyway, here's how today started:

    The machine had been idling in normal mode overnight without BSOD'ing. I rebooted in Safe Mode to install Malwarebytes. Running the installer gave me a popup error "vbAccelerator SGrid II Control, Runtime error '0'" while it was installing its files. Clicking OK on that got me a new popup "Runtime error '440': Automation error. I clicked OK that that one and the installer finished.

    Then I got an error "Update failed. Make sure you are connected to the Internet and your firewall is set to allow Malwarebytes' Anti-Malware to access the Internet". But I am already running Safe Mode with networking. To check this, I started up Firefox and it had no trouble accessing sites on the net.

    So I uninstalled the apparently non-working copy of MB, downloaded it again and installed it again. And got the same message: "Update failed ..." But when I clicked OK to that, this time the main MB screen appeared. So I started doing a Full Scan. It ran to completion and found nothing. Log attached. ??

    Well while I'm waiting to hear from you, just for laughs I ran another Avira scan in Safe Mode. And it turned up this!

    "[DETECTION] Contains recognition of the W95/Blumblebee.1738 Windows virus"

    (log attached) What do you think? False alarm or malware? Anyway, I moved it to quarantine.
  11. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Uninstall Malwarebytes
    Run CCleaner (by the way this program just updated, so download and install over itself)

    Download Malwarebytes again. But once downloaded rename it to MBAM, then set it up
    Then update it, and run a full scan
     
  12. michele31415

    michele31415 Newcomer, in training Topic Starter Posts: 33

    OK, MB uninstalled. Downloaded & ran latest ccleaner. Removed 97.2 MB on the first pass, 8K on the second, and 0 on the 3rd through 6th passes. Downloaded latest Malwarebytes and renamed the file from mbam-setup.exe to mbam.exe Ran this file. Got the welcome screen with "check for updates" and "run". Left both checked. Got the same "Update failed error". Clicked OK, got the MB main screen. Exited MB. Went to the MB directory in Program Files and renamed mbam.exe there to mbam1.exe and ran that. DId a check for updates - same error. Started a full scan without having any updates. That's running now. OK, the scan finished - nothing was found.

    Anomaly: Here's something curious I just noticed: in Safe mode, the CD icon in My Computer is called simply "CD Drive(D)". In normal mode, this is labeled "DVD/CD-RW drive (D)". What's up with that?
  13. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

  14. michele31415

    michele31415 Newcomer, in training Topic Starter Posts: 33

    Thanks for the links. Unfortunately, I think I caught whatever virus my PC has. I don't feel so good - I'm heading off to bed. I'm going to have to leave this til tomorrow. I leave you with one new piece of information:

    I let the system run in normal mode, just idling (but with Avira loaded) for two hours while I watched TV downstairs. When I came back, I had a popup from Avira: "C:\System Volume Information\_restore\A013005.dll Contains recognition pattern of the W95/Blumblebee.1738 Windows virus" This is the thrid time I've gotten a warning about this (see post no. 35 above). In that post, I stated I had moved it to quarantine. Now it appears somewhere new. The suggestion from Avira this time is to "Deny Access" so that's what I selected.

    Do you know anything about this "Blumblebee"? Avira didn't have it in its index and I couldn't find out much about it on the web. Some people say its a false alarm, others say it only affects Windows 95 machines (which doesn't seem right since XP can run 95 programs). Later...

    Wait wait - now here's something really weird. I tried to open the folder C"\System Volume Information and got an access denied. This is even though I had Show Hidden Folders set and Allow access to protected files set. I finally resorted to using the cacls command in a DOS window to allow access. The DOS dir command shows no files there Doing a Properties on the folder icon shows it contains 10.3 G in 12,220 files and 337 folders. Double clicking the icon does nothing.
  15. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Clear & Reset System Restore's Cache

    Go to Start >> Run - type or copy/paste control sysdm.cpl,,4 and then press Enter
    * Tick on the checkbox - Turn off System Restore on all drives
    * Click Apply
    Turn it back 'On' by unticking the same checkbox & click Apply, and then OK
  16. michele31415

    michele31415 Newcomer, in training Topic Starter Posts: 33

    OK, this is my results for your post no. 38. I checked the list of hidden drivers recommended in the first link, but found none matching the ones mentioned there.

    So I moved on to the second link. I downloaded the Fixes program and ran it. It hung twice as the progress bar was making its way up. Both times I found Alienware's useless BugSolver,exe process running. I killed BugSolver twice and the program finished. It popped up a message saying I had to reboot. Just as I was reaching for the mouse to do that, the machine did an instant shutdown, ie. just power off. When I rebooted, I immdediately got a

    Stop c000021a {Fatal System Error}
    The session manager initialization system process terminated unexpectedly with a status of 0xc0000034 (0x00000000, 0x0000000) The system has been shut down.

    I rebooted again. This time it started Windows but I got a message "The primary display adaptor is not configured properly. To avoid complicating the situation, this program will terminate" (But it didn't say what program). And my video drivers are gone. The machine is now running in straight VGA mode, 800x600 (it sure looks weird - normally it does 1600 x 1050). While I was pondering this, I got another "Blumblebee" warning from Avira, again in System Volume Information. It looks like SVI is infested with these. So I was about to just dump the SVI when I got your post above recommending doing exactly that. So I will do that before proceeding with the rest of the Fixes.

    [...time passes ...]

    I cleared the SVI directory. That went OK. Note to anyone else reading this: there is a step missing in kimsland's procedure above (you might want to edit that) You need to reboot after turning off System Restore for it to actually empty the directory.

    Then I reinstalled the Nvidia drivers and rebooted. The system came up in normal mode at full resolution. I located the runmbam.exe icon on the desktop and double-clicked it. I got a "Missing shortcut" error. So I started over, downloaded Fixit.zip again, extracted the files, moved the Fixes folder to the Desktop, opened that, double-clicked on Fixit.cmd (which ran "The Brute Force Uninstaller"). This time I got no interruptions from BugSolver. Fixit ran to completion. I got the "Reboot now" message and was able to click "Yes" to that. This time Windows apparently ended normally and then rebooted normally. I double-clicked the runmbam.exe icon but got the same "Missing shortcut" error. So I guess I'm done. Now what?

    [...more time passes ...]

    I noticed that the Indexing Service was enable on Drive C, so I decided to uncheck the box for that since it slows down the system. I told it to apply to all folders and subdirectories. It was going along and suddenly stopped with "An error occurred applying attributes to the file: C:\Program Files Access is denied." I clicked Ignore and it started going into Program Files anyway, only to stop with the same error for Program Files\Adobe\Reader 8\AcroRdIF.dll, Common Files\Adobe\ActiveX and AcroIEhelper. Acrobat is not running. It did the same thing for a bunch of files in the Prefetch directory. Is that significant?

    {.. tick tock ...]

    I found this URL: http://support.microsoft.com/?kbid=228985 dealing with the CD drive won't read problem. The first thing that applied was Method 7, Restart using a clean boot, meaning they want me to do a Selective Startup in msconfig. Clearing the Startup items went fine, but when I tried to clear the non-MS services I got "An Access Denied error was returned while attempting to change a service. You may need to log on using an Administrator account to make the specified changes". But I am an Administrator (and sole user). I tried unchecking the non-MS services one at a time and it turns out they are all "access denied". So I'm like, what the...? I just exited msconfig and rebooted. Anyway, that didn't work. Neither did forcing PIO only mode on the secondary IDE. Foo.
  17. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

  18. michele31415

    michele31415 Newcomer, in training Topic Starter Posts: 33

    Something's screwy. I downloaded kcleaner and ran it. I got past the "Select language - English" window, then an empty IE window popped up, and then a popup warning:

    "Unable to execute file: http://www.kcsoftwares.com/software
    ShellExecuteEx failed: code 2.
    The system cannot find the file specified."

    However, after dismissing that with an OK, it appeared to finish normally and rebooted the machine by itself. What the ...? Reboot was normal. ZA said something called "RelevantKnowledge" wanted access the Internet three times, so I OK'ed it. 10 minutes later, nothing visible has happened.other than a lot of I/O - the disk activity light is on steady. After 15 minutes, the disk activity has mostly stopped. So I started KCleaner from the Start menu, checking all options. It ran to completion and removed 754 M. I quit the program and rebooted.
  19. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    I agree that Kcleaner opens its home site on install, very annoying I always close that when it happens, actually just this one issue will prompt me to let them know that this is the reason why I don't quote using it all that often "call home" is not a great feature, without your consent.

    It doesn't reboot the machine itself ever though, so obviously some other issue, or possibly a temp file trying to hold on

    I'd run it again, possibly in Safe Mode, but it sounds as though you still have spyware installed, so do this:

    Please download and run SDFix (I'm sorry, but I must refer you to t h i s tutorial on its use, scroll down to "SDFix Instructions")

    Download, and run the "RunThis.bat" in Safe Mode, as advised
    Then attach the log and a new HJT log
  20. michele31415

    michele31415 Newcomer, in training Topic Starter Posts: 33

    Just got your last post (no. 44). The reboot I did after finishing Kcleaner was normal. Following your advice I rebooted again, this time into Safe Mode w/networking. Interesting note: on boot, this time XP gave me a scrren to select Administrator or Owner for login. I'd not been getting that til now. I selected Owner.

    I ran Kcleaner again. This time it deleted 2.14 K. I clicked Stop and ran it again. It deleted 2.14 K again. On a third cycle, same thing - 2.14 K.

    Then I started Firefox to download SDFix. On opening the Firefox window, I got a pop-up that said "1 new add-ons has been installed". Never saw that before. Anyway, Firefox still won't connect to the net in Safe Mode with Networking, so I had to reboot in normal mode.

    Reboot OK. Downloaded SDFix, extracted it, rebooted in Safe Mode. Started SDFix from the cmd window. Ran to completion. I pressed the Any key to reboot. It rebooted with a "Final Check... please wait" screen. About 2 minutes into this, it BSOD'ed with a 0x8E stop.

    I shut down and rebooted. It got to the XP "welcome" screen and hung. The mouse still moves but there was no little tune. No wait, it did come back - that was a very long reboot. But this is odd - the Task Manager opened up by itself but the desktop did not load although there was an explorer.exe process running. I killed than and restarted explorer.exe. That brought up the "Active Desktop Recovery" screen.

    I got out of that and went to Step 11 in the SDFix docs. I ran the RunThis.bat and typed F. The SDFix window opened, it said Final Check, Running Catchme, Please Wait. Finally it finished normally and opened the Notepad window with the report. But I was unable to save this to my file server because it said the network connection was invalid or something. So I rebooted but got a PFN_LIST_CORRUPT STOP: 0x4E during the shutdown.

    Rebooted again. Ran HJT and immediately got an error: An unexpected error has occurred at procedure modRegistry_IniGetString(sFile=system.ini,sSection=boot,sValue=Shell)
    Error #5 - Invalid procedure call or argument.

    I clicked "No" and it finished the report. So attached are: the SDFix report, the Minidump from the crash, and the HJT report. Does this mean anything to you? Weird stuff, eh?
  21. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Memory corruption caused by ZoneAlarm
    Please uninstall ZoneAlarm, whilst you try to get this right

    Open HijackThis and tick and Fix these entries with your browser closed
  22. michele31415

    michele31415 Newcomer, in training Topic Starter Posts: 33

    You know, I was poking around the net last night and found several references to ZA causing these types of BSOD. So I turned it off and uninstalled it. Then I ran HJT and checked the three lines you mentioned. By the way, could you please edit out the IP address in the second line? Thanks.

    HJT wanted a reboot. Everything seemed to go OK. ZA is gone. The system is OK while idling. Then I tried an Avira scan and got a 0x1A MEMORY_CORRUPTION (minidump attached). So I guess we're still not there yet.

    *** STOP THE PRESSES ***

    Although I had already run it twice and found nothing, I decided to do another RAM test with windiag. I let it run for 7 full passes of the extended 11 test diagnostics and guess what? On passes 1 and 4, it found errors at three different addresses. Interestingly, the other passes found no errors so this seems to be an intermittent problem, which might fit in with some of the behavior I've been observing.. So tomorrow I am going to swap out the RAM and see what that does.

    [... the next day ...]

    Well I had ordered a new 1G stick last month because I was going to double my memory and I was just waiting to resolve these problems before doing it. So the good news is that I had a new stick on hand. The bad news is that it doesn't fit ! The keyway cutout on the new stick is 1/8" over from where the old one is, so it physically will not go into the slot.

    Turns out I ordered the wrong memory - duh. I needed DDR but got DDR-2 (that's why the keyway was off). Still trying to track down the correct RAM for this machine...

    OK - found two 1G sticks of the correct RAM and replaced both of the existing 512 M's. Confirmed 2G in BIOS. Ran one complete pass of windiag extended tests, no errors found. Booted normal mode, Windows sees 2G.

    Ran Avira. With the new RAM it finished to completion with no detections. This is the first time it has finished in normal mode without BSOD'ing. It looks like we may have resolved that problem. So Kimsland, ar you still there? I think we're ready to proceed.
  23. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Inside the 1 Minidump:
    Hmm I haven't seen Avira fault much.

    What else is running on your system?
  24. michele31415

    michele31415 Newcomer, in training Topic Starter Posts: 33

    "What else is running on your system?"

    At the moment? See the attached procexp report. But did you see where I noted that Avira ran to completion after I replaced the RAM? With the old RAM it BSOD'ed every time. This is the first clean run I've gotten out of it.
  25. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Obviously you need these two running?

    SQL Server​
    VNC Server Free Edition​

    Also does it now work ok or not?
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.