Windows has recovered from a serious error

Status
Not open for further replies.
Hello,

I help with the maintenance on a friend's PC to keep it free of viruses and spyware. Upon running Spybot Search & Destroy (v 1.6.2), it gets about 25% complete and the system crashes and automatically reboots. Upon reboot, a windows message pops up indicating the system has recovered from a serious error. I did some research on this message and common causes. I found that often the error can be pin-pointed by looking at the windows dmp file. This particular fault is definitely repeatable and each dmp file looks the same so I am certain the information in the dmp file is fairly accurate. The system specs are as follows:

Windows XP (32-bit) SP3
AMD Athlon XP 2.2GHz
ASUS A7N8X mobo
2 GB of DDR400 Corsair RAM
ATI Rage vid card (don't know the model off hand)

I have all the latest drivers installed including the mobo BIOS. All windows updates have been done as well. Attached is the information I extracted from the dmp file using windows debugger. According to the info, the root cause seems to be the "ntoskrnl.exe" file. I would like to get some feedback from anyone on if I am interpreting the dmp file info correctly. Also, does this error point to potential hardware (mainly memory) failure? I have not tried re-seating components and cleaning the dust out. I have known this to help in some cases. Any additional feedback on this issue would be greatly appreciated. Let me know if I need to provide any additional information. Thanks in advance!
 

Attachment: Detailed DMP Analysis.txt (3.7 KB)
Your friend's computer either has file system corruption or Windows system corruption. I'd run a file system check first. If that doesn't solve the problem then a Windows Repair.

To run a file system check, My Computer -> Lock Disk (right-click) -> Properties -> Tools -> Error Checking -> Check Now -> (select both options/checkboxes) -> Start -> (restart computer)

Repost with results.

-- Andy
 
Thanks for the quick response Andy. I will run the file system check and report back with the results as soon as I can.
 
Ok I ran the system file checker. I believe the log file was then stored in the root directory of C:\ (called bootex.txt). Are these the results you wanted to see? See below for the contents of bootex.txt:

Checking file system on C:
The type of the file system is NTFS.

A disk check has been scheduled.
Windows will now check the disk.
Cleaning up minor inconsistencies on the drive.
Cleaning up 236 unused index entries from index $SII of file 0x9.
Cleaning up 236 unused index entries from index $SDH of file 0x9.
Cleaning up 236 unused security descriptors.
CHKDSK is verifying file data (stage 4 of 5)...
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
Free space verification is complete.

199141708 KB total disk space.
34133428 KB in 62912 files.
21456 KB in 5224 indexes.
0 KB in bad sectors.
142176 KB in use by the system.
65536 KB occupied by the log file.
164844648 KB available on disk.

4096 bytes in each allocation unit.
49785427 total allocation units on disk.
41211162 allocation units available on disk.

Windows has finished checking your disk.
Please wait while your computer restarts.
 
After reviewing everything we've done so far, a Windows Repair is the next logical step.

Repost if you need help initiating a Windows Repair.

-- Andy
 
If you still need help, you may be able to locate an Error in the Event Viewer that corresponds to the time of the 'serious error' message. That will give us additional information to troubleshoot.

I suggest you hold off on a reformat or reinstall and do this first:

Start> Run> type in eventvwr

Do this on each of the System and the Applications logs:
[1]. Click to open the log>
[2]. Look for the Error>
[3]. Right click on the Error> Properties>
[4]. Click on Copy button, top right, below the down arrow>
[5]. Paste here (Ctrl V)
[6]. NOTES
  • You can ignore Warnings and Information Events.
  • If you have a recurring Error with same ID#, same Source and same Description, only one copy is needed.
  • You don't need to include the lines of code in the box below the Description, if any.
  • Please do not copy the entire Event log.

Errors are time coded. Check the computer clock on message.

I don't do dump files and it doesn't sound like Andy opened them either. The Error in the Event Viewer should point to the driver.
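
The collection steps above can also be scripted. This Windows PowerShell snippet is an added example, not part of the original post: it lists only Error entries from both logs in a window around the crash and reports each recurring error once. It assumes Windows PowerShell 2.0 or later (where `Get-EventLog` supports `-After`/`-Before`); the `$CrashTime` and `$WindowMinutes` parameter names are hypothetical.

```powershell
# Added example: gather Error entries logged around the crash from the
# System and Application logs, reporting each recurring error only once.
# Assumptions: Windows PowerShell 2.0+; $CrashTime is the clock time shown
# when the "serious error" message appeared (set it by hand).
param(
    [datetime]$CrashTime = (Get-Date),   # placeholder: replace with the crash time
    [int]$WindowMinutes = 15             # minutes to look before and after the crash
)

$after  = $CrashTime.AddMinutes(-$WindowMinutes)
$before = $CrashTime.AddMinutes($WindowMinutes)

foreach ($log in 'System', 'Application') {
    # Errors only: Warning and Information events are not requested
    $errors = Get-EventLog -LogName $log -EntryType Error `
                  -After $after -Before $before -ErrorAction SilentlyContinue
    if (-not $errors) { continue }       # nothing logged in this window

    # Same ID, Source and Description => one entry with a repeat count
    $errors | Group-Object EventID, Source, Message | ForEach-Object {
        $sorted = $_.Group | Sort-Object TimeGenerated
        $first  = $sorted | Select-Object -First 1
        $last   = $sorted | Select-Object -Last 1
        New-Object PSObject -Property @{
            Log         = $log
            EventID     = $first.EventID
            Source      = $first.Source
            Count       = $_.Count
            First       = $first.TimeGenerated
            Last        = $last.TimeGenerated
            Description = $first.Message
        }
    } | Sort-Object First |
        Format-List Log, EventID, Source, Count, First, Last, Description
}
```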
 
Hi Bobbye,

Thanks for the reply. Consequently, I tried Andy's suggestion above on doing a windows repair. That seemed to make things worse to the point where I could not even boot. I was able to return the system to the "Last Known Good Config" and from there I ran a system restore. Things are back to normal now and I am able to boot normally. However, the system crash still persists. I just tried running Spybot again and sure enough, windows crashed and the system rebooted itself. As you requested, below are the two errors in the System log. No relevant errors were reported in the Applications log. There were multiple instances of each error shown below, so I only pasted the results once for each.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7023
Date: 10/4/2009
Time: 6:01:13 PM
User: N/A
Computer: SERENITY
Description:
The description for Event ID ( 7023 ) in Source ( Service Control Manager ) cannot be found.
The local computer may not have the necessary registry information or message DLL files to
display messages from a remote computer. You may be able to use the /AUXSOURCE= flag
to retrieve this description; see Help and Support for details. The following information is part
of the event: IPSEC Services, The specified module could not be found.


Event Type: Error
Event Source: Rasman
Event Category: None
Event ID: 20063
Date: 10/4/2009
Time: 6:01:24 PM
User: N/A
Computer: SERENITY
Description:
Remote Access Connection Manager failed to start because the Point to Point Protocol failed
to initialize. The specified module could not be found.


For more information, see Help and Support Center at "http://go.microsoft.com/fwlink/events.asp".
 
Regarding Error Event ID 20006, Source: Rasman> Please see this:
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008020203163548

The fix calls for a Registry Edit. Before you do this, you should back up the Registry.
Manual steps to back up the registry in Windows XP:
[1] Click Start, click Run, type %SystemRoot%\system32\restore\rstrui.exe, and then click OK.
[2] On the Welcome to System Restore page, click Create a restore point, and then click Next.
[3] On the Create a Restore Point page, type a name for the restore point and then click Create.
[4] After the restore point has been created, click Close.

Note: If System Restore is turned off, you receive a message that asks whether you want to turn on System Restore now. Click Yes. Then, in the System Properties dialog box, click to clear the Turn off System Restore check box, click OK, and then repeat this step.
From Microsoft

Then proceed with the regedit as outlined by Symantec.

I don't usually work with dump files, but since yours weren't checked I took a look- I also note you have posted this in the Spybot forum but at this time, with no reply.

For the dump entries:
See Post #2 for description and explanation of KiFindReadyThread
http://www.osronline.com/showThread.CFM?link=128381

This appears in the dump files: KiFindReadyThread- note there is a similar but different entry KiReadyThread

And this KiChainedDispatch2ndLvl+39 appears in relation to avgrsx.exe>> this is the AVG Resident Shield.

I could probably copy and paste all day to impress you with my vast knowledge about this - but - there is no vast knowledge of this in MY head. It is also apparent that no one else is opening your dump files and reading them.

Something is happening to cause interrupts:
Interrupt: http://msdn.microsoft.com/en-us/library/cc267839.aspx

Rather than confuse you further, I will hope someone in the Spybot forum will interpret these for you and guide you to a resolution.

My advice would be to do nothing further until you find what's happening and what options you have for the resolution. Sorry I can't do more.