Solved

Computer continuously blue screens and reboots

Posted on 2008-06-16
Last Modified: 2008-08-25
Hi there,

I'm having a bit of trouble with my home-built server running Microsoft Windows 2003, with VMWare with a few Linux images on it.

About a month ago it did this, but it happened about every 20 min or so.  I did a memtest and found that I had a bad stick of ram and then replaced it.  I did a memtest after I put in the new ram and it came up fine.  I'm not sure why this is happening now.

Here are some of the specs of the computer:

MSI 945P Neo5-F LGA 775 Intel 945P ATX Intel Motherboard
Intel Core 2 Duo E6550 Conroe 2.33GHz LGA 775 65W Dual-Core Processor Model BX80557E6550
Broadway Com Corp OKIA-BLACK-550 550W ATX Power Supply
4GB of RAM all same brand, but not all the same exact model

In the error log, here is the error:

Error code 1000008e, parameter1 c0000005, parameter2 a813ad3f, parameter3 f7626aa0, parameter4 00000000.

When sending the error report, Microsoft tells me it is a problem with a device driver.

I have checked, and I have all of the latest drivers over at MSI.

Anyone have any input?

Thanks
Question by:nsavoie
18 Comments
 
LVL 26

Expert Comment

by:PCBONEZ

You may have a variant of this virus which fakes being a driver:
http://support.microsoft.com/kb/903251/en-us
0
 
LVL 23

Expert Comment

by:phototropic
This thread refers to a problem similar to yours:

http://www.experts-exchange.com/Operating_Systems/WinXP/Q_21729266.html#a15913510

In this case the virus was a rogue driver: i386p.sys (http://www.greatis.com/appdata/d/i/i386p.sys.htm)

I would suggest scanning your pc with Hijackthis:

http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download

Please post the scan log here.
0
 
LVL 1

Author Comment

by:nsavoie
Here is the log of HiJack This:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:44:09 AM, on 6/17/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\Documents and Settings\Administrator.CW-MAIN\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Inetpub\wwwroot\hottproxy\HoTTProxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\lserver.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\VMware\VMware Server\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\VMware\VMware Server\bin\vmware-vmx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator.CW-MAIN\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [04EB85A6_7175_4E87_9583_3D80793AD067] Temporary value - please remove
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2563267524-1697408974-720798080-1009\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Backup User')
O4 - HKUS\S-1-5-18\..\Run: []  (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: []  (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator.cw-main\windows\system32\mswsock.dll' missing
O15 - Trusted Zone: http://asia.msi.com.tw
O15 - Trusted Zone: http://global.msi.com.tw
O15 - Trusted Zone: http://www.msi.com.tw
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194569529046
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1210180000659
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D3CCEFAF-8EE1-40FE-BE25-366E2B016DAB} (Microsoft Virtual Server VMRC Control) - http://cw-main.criticalwire.com:1024/VirtualServer/activex/VMRCActiveXClient.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = criticalwire.com
O17 - HKLM\Software\..\Telephony: DomainName = criticalwire.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{3DF5B2D2-F894-420B-8394-29E42B834BB8}: NameServer = 76.243.116.174,68.94.156.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = criticalwire.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = criticalwire.com
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware Registration Service (vmserverdWin32) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 8813 bytes
0
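One way to triage a HijackThis log like the one posted above, as an added example that is not part of the original thread or of HijackThis itself. The function name `triage`, the short list of core Windows process names, and the default Windows directory are assumptions made for the example; the sample lines are copied from the posted log.

```python
import ntpath
import re

# Assumption: directory (relative to the Windows directory) each core process runs from.
EXPECTED_DIR = {
    "smss.exe": "system32", "csrss.exe": "system32", "winlogon.exe": "system32",
    "services.exe": "system32", "lsass.exe": "system32", "svchost.exe": "system32",
    "spoolsv.exe": "system32", "explorer.exe": "",
}
# Names the thread asks the poster to rule out (i386p.sys driver, msctl32.dll).
THREAD_INDICATORS = ("i386p", "msctl32.dll")
ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")  # e.g. "O4 - HKLM\..\Run: ..."

# Excerpt of the HijackThis log posted above (lines copied from the thread).
SAMPLE = r"""Running processes:
C:\Documents and Settings\Administrator.CW-MAIN\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKUS\S-1-5-18\..\Run: []  (User 'SYSTEM')
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator.cw-main\windows\system32\mswsock.dll' missing
"""

def triage(log_text, windir=r"C:\WINDOWS"):
    """Return (kind, line) pairs for HijackThis log lines that deserve a manual look."""
    findings, in_procs = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY.match(line)
        in_procs = in_procs and m is None  # the first coded entry ends the process list
        if any(ind in line.lower() for ind in THREAD_INDICATORS):
            findings.append(("indicator", line))
        if in_procs and line:
            name = ntpath.basename(line).lower()
            if name in EXPECTED_DIR:
                want = ntpath.join(windir, EXPECTED_DIR[name]).rstrip("\\").lower()
                if ntpath.dirname(line).lower() != want:
                    findings.append(("process-path", line))
        elif m:
            code, rest = m.groups()
            if code == "O4" and re.search(r"\[\]\s", rest):  # autorun with no name or command
                findings.append(("empty-run-value", line))
            elif code == "O10" and "missing" in rest:  # LSP chain points at an absent DLL
                findings.append(("broken-lsp", line))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

A finding here is only a prompt to inspect the file or registry value by hand; it does not by itself say the entry is malicious.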
 
LVL 1

Author Comment

by:nsavoie
The last 6 Minidumps can be found here:

http://citrix.criticalwire.com/minidump.zip
0
 
LVL 1

Author Comment

by:nsavoie
I did a stress test with the following:

http://mersenne.org/gimps/p95v2414.zip

And it said:

FATAL ERROR: Rounding was 0.5, expected less than 0.4
Hardware failure detected, consult stress.txt file.
Execution halted.

Where do I go from here to test which piece of hardware it was?

Thanks everyone.
0
 
LVL 1

Author Comment

by:nsavoie
Sorry one more thing.  I was poking around in the event log and found this:

The computer has rebooted from a bugcheck.  The bugcheck was: 0x0000008e (0xc0000005, 0xa813ad3f, 0xf7626aa0, 0x00000000). A dump was saved in: C:\WINDOWS\MEMORY.DMP.

This is available here:

http://citrix.criticalwire.com/memory.zip

(Although it is quite big.  About 65mb)
0
 
LVL 1

Author Comment

by:nsavoie
I'm going to be doing a few tests on it tonight, including memtest.  Is there anything else that I should try?
0
 
LVL 26

Expert Comment

by:PCBONEZ
If you will be inside the case anyway take a look at the capacitors while you are in there. Look for bloating or split tops.
www.badcaps.net
I don't suspect that is the problem here but it takes like 30 seconds to check when you are in there anyway.

.
0
 
LVL 1

Author Comment

by:nsavoie
I didn't get your response until after I was at the server, I can check back tomorrow.  The memtest passed 5 times with no errors.  

hmm ?
0
 
LVL 23

Expert Comment

by:phototropic
OK. Your HJT log is showing some issues, but not the infection that might cause the symptoms you describe. To be doubly sure, you could check the registry for the following:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msctl32.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i386p

If both are absent, then it looks like troubleshooting hardware is the way forward...
0
 
LVL 1

Author Comment

by:nsavoie
=/ Nothing... Man, wouldn't that have been nice if this was a software problem! Here are two pictures of the registry just to be sure I didn't miss anything.

http://citrix.criticalwire.com/registry1.png

http://citrix.criticalwire.com/registry2.png

I'm going back to the server later today to check the capacitors.

What other tests should I try?
0
 
LVL 1

Author Comment

by:nsavoie
Sorry, I forgot these pictures too.. The capacitors look ok... (No bulging or leaking)

http://citrix.criticalwire.com/capacitor1.jpg

http://citrix.criticalwire.com/capacitor2.jpg

http://citrix.criticalwire.com/capacitor3.jpg
0
 
LVL 1

Author Comment

by:nsavoie
Just providing some more information in case anyone needs it:

Here is my Motherboard:

http://www.newegg.com/Product/Product.aspx?Item=N82E16813130099

And here is my power supply:

http://www.newegg.com/Product/Product.aspx?Item=N82E16817162018
0
 
LVL 1

Author Comment

by:nsavoie
Made some progress tonight.  As of last night, my computer wouldn't boot.  I thought that the problem was completely separate from this problem that I've been having but I don't think it was.

Right now I have two sticks of PNY and two sticks of Kingston. Putting in the Kingston does not allow me to see any picture on the screen, but both the PNY work.  I'm bringing the Kingston back and going to see if I can get some PNY.  Hopefully this was the entire problem and would explain the blue screening!

I'll update as soon as I get the new RAM.

Thanks for your input everyone.
0
 
LVL 23

Expert Comment

by:phototropic
Swapping RAM is the simplest fix...

Good luck!
0
 
LVL 2

Expert Comment

by:bkdragon23
If your problem persists with the new ram, these are other potential problem areas that might cause these types of problems:

-Power Supply (Check Voltage / Swap with Known-Good unit of sufficient Wattage)
-Video Card (Check Capacitors here too, but more likely a video memory problem if this is the culprit)
-Processor (It's always a pain to find a known good for this one)

If you have any known-good components to swap with your existing hardware, that would be the best. Make sure you do not swap more than one component at a time so you know which one it was.

I have also taken a look at the minidumps, and these were the drivers that potentially caused the failures:

SiWinAcc.sys - NForce SATA driver (recommend re-installing driver) [OCCURRED 1 TIME]
ntkrnlmp.exe - Core windows driver (suggests hardware failure) [OCCURRED 1 TIME]
vmx86.sys - VMWare driver (it happened a lot, but not sure if re-installing VMWare will fix this problem) [OCCURRED 4 TIMES]

With the ntkrnlmp.exe file being one of the causes, and the SATA driver being another, I would recommend you try running your SATA hard drive with the IDE turned off in BIOS (assuming you have the OS on SATA and you have an IDE controller to turn off).

All-in-all, I still think it is hardware related. Keep us posted and Good Luck!
0
 
LVL 2

Expert Comment

by:bkdragon23
By the way, this is when we start the bets on which component it is.  I say, Power Supply (hehe).
0
 
LVL 1

Accepted Solution

by:
nsavoie earned 0 total points
Alright, I think the problem was faulty RAM, either that or the Kingston 1GB sticks that I had weren't compatible with the latest BIOS of my mb.

Haven't had any problems yet!  Will post again if anything comes up.
0
