Constant reboots - bugcheck 0x1000007f

Status
Not open for further replies.

grt3kl
Greetings, everyone.
I've visited these forums several times for other computer problems I've had, but this is my first post. I ended up posting this here because, unlike a lot of other forums, topics here seem to get real answers.

Here's my issue:
I have been dealing with constant reboots for nearly 4 months on my work laptop. I updated virtually every driver, ran the memory test at startup, replaced the motherboard, uninstalled all programs that I thought could be responsible, and I can't even remember what else.

I attached the two most recent crash dump files. I have at least 50 more of them if needed. Also, here is the record that gets added to the system event viewer every time this happens:
The computer has rebooted from a bugcheck. The bugcheck was: 0x1000007f (0x00000008, 0x80042000, 0x00000000, 0x00000000). A dump was saved in: C:\WINDOWS\Minidump\Mini031609-02.dmp

It all started where the laptop would just randomly reboot. When Windows would begin to initialize (the wallpaper would load and the lovely logon chime would begin), the laptop would then reboot again. Sometimes this happened 4 or 5 times before Windows finally loaded. After playing around for awhile, I figured out that this was only happening when my laptop was in the docking station. Undocked, it never seemed to happen. I tried a few other docking stations and the laptop did the same thing with all of them. This is when my company replaced the motherboard. After the replacement, everything worked fine...for about two days.

This went on for at least a month. If I didn’t reboot, it only crashed once in a while. So, once I finally got it booted up (it took 17 tries one day), I was usually good to go. I decided to troubleshoot the thing more and determined that the crashing on startup was only occurring when I was connected via Ethernet. Knowing this now, the whole docking station thing probably had nothing to do with the docking station and everything to do with the Ethernet connectivity. When I unplugged the Ethernet cord, it booted up fine. I thought, “Oh, I’ll just make a habit of plugging it in after Windows loads.” So, I did that. I plugged the Ethernet cord in and the laptop rebooted. It didn’t always happen immediately like that, but it was usually within a few minutes.

So, for about 2 months, I connected to the network using wireless only. No Ethernet at all. It still rebooted, but only once in a while - maybe once or twice a week. I do want to make a note, though. When I say it “reboots randomly,” it’s not like I’m just sitting here looking at the screen and it reboots. It seems to always be triggered by something I do. Like, I’ll click an icon, press a key, etc., and it will reboot.

I installed XP SP3, uninstalled and reinstalled all wired and wireless network drivers, ran another memory test, and checked everything I could think of. With Ethernet plugged in, I docked my laptop (which was on standby) this morning and it rebooted. I typed up this whole thing and it rebooted (this is version 2, which I typed in Word for the sake of AutoSave). I’m at the end of my string. My company wants to reformat this thing – they’re practically forcing me to hand it over. I would like to avoid this by all means, so please offer any suggestions you might have.

Thanks a lot!
-Greg
 
1. How often, can you run long enough to run some tests?

2. Does it do this in Safe Mode?

Mike
 
Right now, it's only happening occasionally. If it goes the way it has been going for the last week or so, it will happen about once a day. So I should definitely be able to run some tests.

I haven't tested it extensively in Safe Mode. I've gone into Safe Mode to run virus scans, spyware scans, etc., but I haven't really left it in that state for a long period of time. I suppose that might be a good approach. I should note that I unchecked virtually all startup programs in msconfig>startup, but that didn't seem to resolve anything.
 
Mike, grt3kl, if you guys don't mind I did look at the minidumps and both are 0x7F and the first was ANALYSIS_INCONCLUSIVE (Unknown Module), EXCEPTION_DOUBLE_FAULT and the Bucket ID was ZEROED_STACK.

The second one identified the driver Teefer.sys which belongs to Sygate Personal Firewall.

grt3kl, you are in good hands with mflynn.
 
Thanks, Route44. I am very glad to hear that I'm in good hands. I remember one of the techs here mentioning something about Teefer.sys, but that was months ago and I can't recall what he said. I do know that the second crash today occurred after I clicked on an error message related to SMC.exe, which I know is part of Sygate Personal Firewall (Symantec Protection Agent - same thing?). Unfortunately, I have to have that installed, as it's part of my company's security policy.

I attached a few more crash dump files in case they are needed.

Thanks again, mflynn and Route44!
 
Do they require "a" Firewall or specifically Sygate?

I assume this is your computer but used to connect to the company Server or is this your computer at the office?

It could be that Sygate needs to be uninstalled and reinstalled, but don't do that yet.

This could be caused by a conflict with your virus scanner or other Malware/virus protections or even Malware that you have.

So let's do the below; it will tell us about the items above and confirm you are clean.

So do the below....

Do the TechSpot 8 steps: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/

Skip no steps (do not install another virus scanner if you already have one, ask me before installing a Firewall).
avg

Most importantly update MalwareBytes (MBAM) and SuperAntiSpyware (SAS)!

Before you scan with either MalwareBytes or SuperAntiSpyware, do the Extra Configs below; these have become most important lately.

SuperAntispyware extra config

After installed double-click the icon on your desktop to run it.

Update the program definitions.

Click the Preferences button.

Then Scanning Control.

In Scanner Options make sure all boxes are checked except #3, Ignore System Restore:

MalwareBytes extra config

After update but before running
Click settings and confirm all are Checked.

I repeat Update these 2 programs.

Run them and attach their logs.

Mike
 
My company requires the specific Sygate firewall that I have installed. It’s a laptop that I use both at home and work, but it is owned by my company.

I did uninstall and reinstall Sygate about a week ago. I am running McAfee VirusScan Enterprise +AntiSpyware Enterprise 8.5.0i. I ran a full virus scan last week and it came back clean. My JRE is Version 5.0 Update 9 (1.5.09). The programs I write use this version of the JRE and I cannot update it to a newer version.

I followed the 8 steps and made sure to configure the extra settings you mentioned. Last night, I also ran Memtest86+. It went through 7 passes and came back with 0 errors.

Thanks again for all your help!
 
Ok those look good. Other than the fact Temp cleaning was behind!

Humor me and do the below.

Deeper Temp clean....

Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html Temp and Registry, repeatedly until no more found.

KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
Fantastic cleaner. (When installing uncheck Relevant Knowledge do not install)

Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "Cleanup at TechSpot".

Then Start-Programs-Accessories-System Tools-Disk Cleanup
Click OK to accept C:
Select all Boxes
Then click More Options
Here click System Restore and OK to "Are you sure" and the OK to Run.

As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

It clears what is known as Shadow copies which are used by specialized back up programs.

This is if you have the Volume Shadow Copy running which is the default.

--------------------------------------------------------------------------------------------------------

Finally, let's get some unnecessary Services out of the way.

Do the below...

Clean and tweak services

In services stop and disable all of the below just to get them out of the way for now for trouble shooting purposes.

Nothing is un-installed or deleted only disabled from running!

They can be put back anytime later but I would not, as none of them are needed by most home users and very few business users. Basically stuff M$ thought you should have.

Disabled uses no memory (RAM) and no CPU cycles.
Manual uses the RAM but a small amount of CPU.
Auto and not started they use even more RAM and CPU.
Auto and started even more RAM and CPU ..

Now in this case we are disabling for troubleshooting purposes. But when we finish, if you leave them all off until it is noticed that you need one (not likely for 99%) then it can be enabled.

Leaving these all off then becomes a performance tweak/boost, as they free some RAM and CPU cycles! Special note: if you are going to pick and choose, then be aware that the small amount of RAM and CPU cycles of each one individually is not significant, but as a group it is! So if you need most of them (or just think you do because you don't) then just as well enable them all!

Distributed Link Tracking Client
Distributed Transaction Coordinator
DNS Client
Fast User switching
Health Key and Certificate Management Service
Indexing service
Messenger
Net logon
Net.TCP Port Sharing
NetMeeting Remote Desktop Sharing
IPsec services
QoS RSVP
Remote Registry
Uninterruptable power supply
Universal Plug and play
Web Client
Windows media player Network Sharing

IF you are using a wired network card and "NOT" using wireless on this computer then you can
also disable

Wireless Zero configuration

Wireless Zero configuration is only used on computers with a wireless NIC like a Laptop. Do not disable Wireless Zero configuration on a Laptop. Has nothing to do with other wireless hardware like wireless routers etc.

In short if this computer has a CAT 5 or 6 cable and no ability to connect wirelessly if that cable is unplugged, then you can disable Wireless Zero configuration.

This is not to be confused with Wired Auto Config do not disable that!

This will do all of the above for you except those needed by Wireless (Laptop).

Left Drag mouse and Copy for Pasting all text in the box below. Make sure the slider bar goes to bottom from the @ to the end of the second exit.
Then paste to the black screen of an open command prompt. All may not apply so ignore errors.

Code:
@echo off
sc config Alerter start= disabled
sc stop Alerter

sc config AeLookupSvc start= disabled
sc stop AeLookupSvc

sc config ClipBook start= disabled
sc stop ClipBook

sc config Dfs start= disabled
sc stop Dfs

sc config FastUserSwitchingCompatibility start= disabled
sc stop FastUserSwitchingCompatibility

sc config TrkWks start= disabled
sc stop TrkWks

sc config TrkSvr start= disabled
sc stop TrkSvr

sc config DNSCache start= disabled
sc stop DNSCache

sc config ERSvc start= disabled
sc stop ERSvc

sc config HidServ start= disabled
sc stop HidServ

sc config PolicyAgent start= disabled
sc stop PolicyAgent

sc config CiSvc start= disabled
sc stop CiSvc

sc config IsmServ start= disabled
sc stop IsmServ

sc config kdc start= disabled
sc stop kdc

sc config LicenseService start= disabled
sc stop LicenseService

sc config Messenger start= disabled
sc stop Messenger

sc config Netlogon start= disabled
sc stop Netlogon

sc config NetTcpPortSharing start= disabled
sc stop NetTcpPortSharing

sc config mnmsrvc start= disabled
sc stop mnmsrvc

sc config NetDDE start= disabled
sc stop NetDDE

sc config NetDDEdsdm start= disabled
sc stop NetDDEdsdm

sc config NtLmSsp start= disabled
sc stop NtLmSsp

sc config SysmonLog start= disabled
sc stop SysmonLog

sc config RSVP start= disabled
sc stop RSVP

sc config SSDPSRV start= disabled
sc stop SSDPSRV

sc config upnphost start= disabled
sc stop upnphost

sc config WMPNetworkSvc start= disabled
sc stop WMPNetworkSvc

sc config WmiApSrv start= disabled
sc stop WmiApSrv

sc config WmdmPmSN start= disabled
sc stop WmdmPmSN

sc config RemoteRegistry start= disabled
sc stop RemoteRegistry

sc config RemoteAccess start= disabled
sc stop RemoteAccess

sc config SCardSvr start= disabled
sc stop SCardSvr

sc config TlnSvr start= disabled
sc stop TlnSvr

sc config UPS start= disabled
sc stop UPS

sc config WebClient start= disabled
sc stop WebClient

rem Keep RPC and Windows Installer available (sc expects "auto", not "Automatic")
sc config RpcSs start= auto
sc start RpcSs

sc config RpcLocator start= auto
sc start RpcLocator

sc config MSIServer start= auto
sc start MSIServer
exit
exit

If you use a Domain Server at work (if you have trouble logging in) then run Control Panel, Admin Tools, Services and set Net Logon back to Start Automatically and then click Start to start it. Your Company IT person can confirm what you need here.
--------------------------------------------------------------------------------------------------------

Lastly...

--------------------------------------------------------------------------------------------------------
Run these two to do a special and deeper Malware scan. If these pass you are confirmed clean of Malware.

Download ComboFix

Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe

Double click combofix.exe follow the prompts.

Install Recovery Console if connected to the Internet!

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click combofix's window while its running. That may cause it to stall.
=========================================

Download SDFix to Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

On Desktop run SDFix. It will run (install) then close.

Then reboot into Safe Mode

As the computer starts up, tap the F8 key several times.

On the Boot menu Choose Safe Mode.

Click through all the prompts to get to desktop.

At Desktop
My Computer C: drive. Double-click to open.

Look for a folder called SD Fix. Double-click to enter SD Fix.

Double-click to RunThis.bat. Type Y to begin.

SD Fix does its job.

When prompted hit the enter key to restart the computer

Your computer will reboot.

On normal restart the Fixtool will run again and complete the removal process then say Finished,
Hit the Enter key to end the script and load your desktop icons.

Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Attach the Report.txt file to your next post.

Mike

EDIT: You may get some errors if you do not have one of the services listed above. These can be ignored. You should notice a boost in startup/shutdown and general use by trimming these unneeded services.
 
Sorry about the Temp cleaning being behind... :)

Alright, I ran ATF-Cleaner and KCleaner several times each. I created a new restore point. I ran Disk Cleanup and had it clear all previous restore points. I ran your SC script but omitted the Net logon part, as I do need that. So far, I haven't seen any negative effects from disabling all those services.

Finally, I ran ComboFix, HJT, and SDFix following your detailed directions (logs attached). Everything seemed to go as planned. It was extremely difficult to get SDFix on this computer, though! Apparently, the security policy here doesn't allow this file to be downloaded. I had to call someone from home to download it, rename it as a JPG file, and email it to me. Then, before it let me download it, I still had to run "sc pause mcshield" to let it come through. Ugh...

With that being said, though, I think I did everything correctly. Please let me know what you think. Again, thanks so much for all your help. This has been a great experience so far.
 
I doubt it was blocked by IT! But this often happens when Malware itself knowing that SAS is a powerful cleanup tool takes steps to specifically block SAS.

In any case both of these found issues so do the below

Uninstall combofix
Start-run
type
combofix /u
click OK

Then redownload combofix and rename it 12cbf34 while downloading it to the desktop. Or after downloading rename it.

Then run it under new name.

Also run SAS again to see a clean log!

NOTE: Understand I am only cleaning the slate so to speak and hopefully to even fix the unknown issue. But if it does not fix it it will surely be easier to work on the specific Dump knowing all else is right with the OS!

Mike
 
Mike,

I successfully uninstalled ComboFix using your directions. I downloaded it again, renamed it, and ran it again. I also ran SAS when it was done (it came back clean!).

Attached are the new log files. Thanks.
 
OK good!

One question occurred to me, does this happen more at the Office than home or more/less or about the same?

These are last 2 cleanup steps before directly addressing the mini dumps and BTW have they lessened or improved any!

If you get nothing else from these steps you should definitely notice it is faster in general, with quicker startups and shutdowns.

Step1:
Autoruns/Runscanner cleanup

Make sure hidden files and folders are shown. Open Windows Explorer click Tools or View and then Folder Options-View.

Choose Show hidden files and folders, uncheck Hide protected operating system files and click OK.

Download install and run AutoRuns http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

Run it let it scan, then when it says ready at bottom left corner, make sure the EVERYTHING Tab is selected and then click File at top and then Find.

Type in the find box file not found and hit enter and delete all lines that have file not found.

When you reach the bottom then go back to top and click the first entry under the Everything Tab (to begin the search from that point) and search again in case any were missed.

This is a bunch of old stuff that M$ thought you might or would need that no longer exist, or for computers that are assumed to have SCSI or AMD processors but do not, or that you have Intel but do not!

After the file not found search scroll back to the top and highlight the very first entry so you are searching from the top and click Find and search for anything you want, if needed.

Then look carefully through all the Everything entries and delete anything that you may have had but uninstalled and thought were gone. If you are sure delete these also.

Next

Then get install and run:
RunScanner http://www.runscanner.net/download.aspx

Click Scan computer
Double click all Red lines to select, then click Item fixer and remove them.

Then click Extra stuff again select all Red lines. Then click back to Malware hunting and Click the Item fixer again and remove these.

Same as already said on AutoRuns: stuff that was assumed to be needed but you do not have.

None of these items can run as the file is missing so most of the improvement you may see comes as a quicker startup as windows no longer searches or tries to load some of these. But some have noticed a faster shutdown also.

Reboot and recheck with both AutoRuns and RunScanner.

Step2:

Download Dial-A-Fix (DAF)
http://wiki.djlizard.net/Dial-a-fix#...C_and_articles
http://djlizard.net.nyud.net:8080/software/Dial-a-fix-v0.60.0.24.zip

Have XP CD available in case DAF needs a file.

Check all boxes on the screen (clear any restrictions if it shows any)
Then click GO!

When the entire page is finished click the HammerHead at bottom to go to the second DAF page.

Here 1 at a time do the below

Flush DNS
Process Idle Tasks
Repair Permissions
Reset WMI/WBEM
Watch for any File not found or other errors and make note as this may lead to the fix!

Reboot retest!

Mike
 
I really don't use the laptop much outside of the office, so I can't say. It's actually never happened outside of the docking station, though, so I doubt it would happen at home. The last time the computer crashed was when I was making my first post here, so it's been two days. As much as I want to think that it's completely fixed, there have been times in the past where it didn't happen for several days at a time. I've got my fingers crossed, though...

I ran Autoruns and RunScanner, following your directions. Everything seemed to go well. I rebooted and ran each of them again. It did seem like Windows started up a little quicker...

I then downloaded and ran Dial-A-Fix. I did all of the things you mentioned but did not notice any errors. I rebooted and ran it again. Again, no errors at all.

Let me know what you think. Thanks!
 
OK I guess we wait for now!

I found 2 other possibilities if it does happen again.

First Windows Defender has caused this, if it happens again uninstall Defender long enough to confirm it is the cause.

Realtek HD Audio drivers have caused this, the cure was the very latest drivers
Latest HD Audio drivers,: http://www.realtek.com.tw/downloads/...Audio CODECs

I would run ComboFix once more just to install the Recovery Console.

When convenient I would first do a chkdsk
Start-Run
type
chkdsk c: /f /r
click Ok

It will need exclusive access and request to do it on next boot. So reboot to allow.

Then Defrag.

Good luck.

Consider the below...

Thread Closing-------------------------------------------------------------------

Some of these tools update so often they require downloading again later if needed. But keep and run MBAM and SAS to maintain.

Remove ComboFix
Start-Run
type
combofix /u
Hit enter or click OK.

Please download OTCleanIt http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe

Save to desktop.

This will remove all the tools we used to clean your computer.


Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"

Approve all if prompted by Firewall. Approve Windows Defender or other guards or security programs while OTCleanIt is attempting access to the Internet to allow all.

If prompted to Reboot click, Yes.
OTCleanit will delete itself when finished, If not delete it by yourself.

-------------------------------------------------------------------------------------
Run CCleaner http://www.ccleaner.com/download/builds (get SLIM at bottom no Yahoo toolbar)
Run twice or more on Cleanup temps, then on left click Registry then Scan for issues also repeat till clean.

Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html Temp and Registry, repeatedly until no more found.

KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
Fantastic cleaner. (When installing uncheck Relevant Knowledge do not install)
-------------------------------------------------------------------------------------
The issues can be, and are likely, found in System Restore, so do the below

Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "After cleanup at TechSpot".

Then Start-Programs-Accessories-System Tools-Disk Cleanup
Click OK to accept C:
Select all Boxes
Then click More Options
Here click System Restore and OK to "Are you sure" and the OK to Run.

As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

It clears what is known as Shadow copies which are used by specialized back up programs.

This is if you have the Volume Shadow Copy running which is the default.
-------------------------------------------------------------------------------------
ERUNT
Add a redundant Reg backup: get and install ERUNT, let it add itself to startup and do a backup on install, check all boxes.

ERUNT http://www.larshederer.homepage.t-online.de/erunt/
Yes! Even if you use system restore and other backups Registry and Images.
-------------------------------------------------------------------------------------
Every two weeks or so, run MBAM and SAS until clean.

They take a while, so leave scanning while you are sleeping working or watching TV. If not done under the gun they can be scheduled not to interfere with computer time.

If they find something they can not clean, then get back to us.

Additionally run CCleaner. ATF-Cleaner and KCleaner.
----------------------------------------------------------------------------------------
I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.

It was designed to be used with and to co-exist with other Virus scanners.

Additionally it uses a totally different process to protect. While conventional Virus scanners work from definitions ThreatFire works on recognizing Virus/Malware activity.

It's like looking at it with 2 sets of eyes and from a different angle.

It works like some Firewalls do to learn what is good/bad.

After install it will ask you about everything that could be a security issue. For example the first time you run IE or FireFox it will prompt you. You would answer to approve and remember the setting. From then on no more prompts about IE or FireFox unless the exe changes like in an update.

As it queries you about the prompt to help you determine to approve or not you can google it with one click.

http://www.threatfire.com/Download/
-------------------------------------------------------------------------------------
Look at http://www.javacoolsoftware.com/spywareblaster.html

Run SpyBot occasionally and use the Immunize function.
http://www.safer-networking.org/en/download/

I highly recommend Hostman: Hostman http://majorgeeks.com/HostsMan_d4592.html

Download install run and allow it to disable DNS Client and select all Host files and then Update and install all host files.

A Disk Scan (chkdsk) and Defrag are in order.

Mike
 
I had this thread open and was going to write a response sometime today to let you know that everything has been working fine. Then, just as I'm about to walk away from my desk to grab lunch, it rebooted. If I recall correctly, I was in the process of connecting to a network share in Windows Explorer when it happened. The event description looks the same as the old ones:

The computer has rebooted from a bugcheck. The bugcheck was: 0x1000007f (0x00000008, 0x80042000, 0x00000000, 0x00000000). A dump was saved in: C:\WINDOWS\Minidump\Mini032009-01.dmp.

Should I have them reformat this thing or is there still troubleshooting to do?

Thanks.
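
Added example, not part of the original thread: a Python sketch that parses the two Event Viewer records quoted in this thread, decodes the bugcheck code and first parameter, and groups the crashes by signature. All function and variable names are hypothetical; the trap-code table is a subset of Microsoft's Bug Check 0x7F documentation, and the date parsing assumes the MiniMMDDYY-NN.dmp naming seen in the records.

```python
import re
from collections import Counter
from datetime import date

# The two Event Viewer records quoted in this thread, copied verbatim.
EVENT_RECORDS = [
    "The computer has rebooted from a bugcheck. The bugcheck was: "
    "0x1000007f (0x00000008, 0x80042000, 0x00000000, 0x00000000). "
    r"A dump was saved in: C:\WINDOWS\Minidump\Mini031609-02.dmp",
    "The computer has rebooted from a bugcheck. The bugcheck was: "
    "0x1000007f (0x00000008, 0x80042000, 0x00000000, 0x00000000). "
    r"A dump was saved in: C:\WINDOWS\Minidump\Mini032009-01.dmp.",
]

# Minidump records report some codes with this bit set (the "_M" variants).
MINIDUMP_FLAG = 0x10000000
BUGCHECK_NAMES = {0x7F: "UNEXPECTED_KERNEL_MODE_TRAP"}
# Subset of the documented first-parameter trap codes for bug check 0x7F.
TRAP_CODES = {
    0x00: "divide error",
    0x04: "overflow",
    0x05: "bounds check fault",
    0x06: "invalid opcode",
    0x08: "double fault",  # documented common cause: kernel stack overflow
}

RECORD_RE = re.compile(
    r"The bugcheck was:\s*(0x[0-9a-f]+)\s*\(([^)]*)\)\.\s*"
    r"A dump was saved in:\s*(\S+?\.dmp)",
    re.IGNORECASE,
)
DUMP_NAME_RE = re.compile(r"Mini(\d{2})(\d{2})(\d{2})-(\d+)\.dmp$", re.IGNORECASE)


def parse_record(text):
    """Return a dict describing one bugcheck record, or None if malformed."""
    m = RECORD_RE.search(text)
    if m is None:
        return None
    try:
        code = int(m.group(1), 16)
        params = tuple(int(p.strip(), 16) for p in m.group(2).split(","))
    except ValueError:
        return None  # empty or non-hex parameter list
    base = code & ~MINIDUMP_FLAG
    name = BUGCHECK_NAMES.get(base, "UNKNOWN")
    if name != "UNKNOWN" and code & MINIDUMP_FLAG:
        name += "_M"
    trap = TRAP_CODES.get(params[0], "other trap") if base == 0x7F else None
    dump_date = None
    d = DUMP_NAME_RE.search(m.group(3))
    if d:
        month, day, yy = int(d.group(1)), int(d.group(2)), int(d.group(3))
        try:
            dump_date = date(2000 + yy, month, day)
        except ValueError:
            pass  # file name did not hold a valid date
    return {"code": code, "base": base, "name": name, "params": params,
            "trap": trap, "dump_path": m.group(3), "dump_date": dump_date}


def summarize(records):
    """Count crashes per (base code, parameters) signature."""
    parsed = (parse_record(r) for r in records)
    return Counter((p["base"], p["params"]) for p in parsed if p)


if __name__ == "__main__":
    for rec in EVENT_RECORDS:
        p = parse_record(rec)
        print(p["dump_date"], p["name"], p["trap"], p["dump_path"])
    for (base, params), n in summarize(EVENT_RECORDS).items():
        print(f"{n} crash(es) with signature 0x{base:X} {[hex(x) for x in params]}")
```

Both records decode to the same signature, which matches the EXCEPTION_DOUBLE_FAULT reading reported from the minidumps earlier in the thread.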
 