Link to home
Create AccountLog in
Avatar of nsavoie
nsavoieFlag for United States of America

asked on

Computer continuously blue screens and reboots

Hi there,

I'm having a bit of trouble with my home built server running Microsoft Windows 2003, with VMWare with a few linux images on it.

About a month ago it did this, but it happened about every 20 min or so.  I did a memtest and found that I had a bad stick of ram and then replaced it.  I did a memtest after I put in the new ram and it came up fine.  I'm not sure why this is happening now.

Here are some of the specs of the computer:

MSI 945P Neo5-F LGA 775 Intel 945P ATX Intel Motherboard
Intel Core 2 Duo E6550 Conroe 2.33GHz LGA 775 65W Dual-Core Processor Model BX80557E6550
Broadway Com Corp OKIA-BLACK-550 550W ATX Power Supply
4GB of RAM all same brand, but not all the same exact model

In there error log here is the error:

Error code 1000008e, parameter1 c0000005, parameter2 a813ad3f, parameter3 f7626aa0, parameter4 00000000.

When sending the error report, Microsoft tells me it is a problem with a device driver.

I have checked, and I have all of the latest drivers over at MSI.

Anyone have any input?

Thanks
Avatar of PCBONEZ
PCBONEZ
Flag of United States of America image


You may have a variant of this virus which fakes being a driver:
http://support.microsoft.com/kb/903251/en-us
Avatar of phototropic
phototropic

This thread refers to a problem similar to yours:

https://www.experts-exchange.com/questions/21729266/HOW-to-Fix-Random-BSOD-with-System-Error-code-1000008e.html?anchorAnswerId=15913510#a15913510

In this case the virus was a rogue driver : i386p.sys (http://www.greatis.com/appdata/d/i/i386p.sys.htm)

I would suggest scanning your pc with Hijackthis:

http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download

Please post the scan log here.
Avatar of nsavoie

ASKER

Here is the log of HiJack This:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:44:09 AM, on 6/17/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\Documents and Settings\Administrator.CW-MAIN\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Inetpub\wwwroot\hottproxy\HoTTProxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\lserver.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\VMware\VMware Server\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\VMware\VMware Server\bin\vmware-vmx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator.CW-MAIN\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [04EB85A6_7175_4E87_9583_3D80793AD067] Temporary value - please remove
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2563267524-1697408974-720798080-1009\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Backup User')
O4 - HKUS\S-1-5-18\..\Run: []  (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: []  (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator.cw-main\windows\system32\mswsock.dll' missing
O15 - Trusted Zone: http://asia.msi.com.tw
O15 - Trusted Zone: http://global.msi.com.tw
O15 - Trusted Zone: http://www.msi.com.tw
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194569529046
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1210180000659
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D3CCEFAF-8EE1-40FE-BE25-366E2B016DAB} (Microsoft Virtual Server VMRC Control) - http://cw-main.criticalwire.com:1024/VirtualServer/activex/VMRCActiveXClient.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = criticalwire.com
O17 - HKLM\Software\..\Telephony: DomainName = criticalwire.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{3DF5B2D2-F894-420B-8394-29E42B834BB8}: NameServer = 76.243.116.174,68.94.156.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = criticalwire.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = criticalwire.com
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware Registration Service (vmserverdWin32) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 8813 bytes
Avatar of nsavoie

ASKER

The last 6 Minidumps can be found here:

http://citrix.criticalwire.com/minidump.zip
Avatar of nsavoie

ASKER

I did a stress test with the following:

http://mersenne.org/gimps/p95v2414.zip

And it said:

FATAL ERROR: Rounding was 0.5, expected less than 0.4
Hardware failure detected, consult stress.txt file.
Execution halted.

Where do I go from here to test which piece of hardware it was?

Thanks everyone.
Avatar of nsavoie

ASKER

Sorry one more thing.  I was poking around in the event log and found this:

The computer has rebooted from a bugcheck.  The bugcheck was: 0x0000008e (0xc0000005, 0xa813ad3f, 0xf7626aa0, 0x00000000). A dump was saved in: C:\WINDOWS\MEMORY.DMP.

This is available here:

http://citrix.criticalwire.com/memory.zip

(Although it is quite big.  About 65mb)
Avatar of nsavoie

ASKER

I'm going to be doing a few tests on it tonight, including memtest.  Is there anything else that I should try?
If you will be inside the case anyway take a look at the capacitors while you are in there. Look for bloating or split tops.
www.badcaps.net
I don't suspect that is the problem here but it takes like 30 seconds to check when you are in there anyway.

.
Avatar of nsavoie

ASKER

I didn't get your response until after I was at the server, I can check back tomorrow.  The memtest passed 5 times with no errors.  

hmm ?
OK. Your HJT log is showing some issues, but not the infection that might cause the symptoms you describe. To be doubly sure, you could check the registry for the following:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Winlogon\Notify\msctl32.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i386p

If both are absent, then it looks like trouble shooting hardware is the way forward...
Avatar of nsavoie

ASKER

=/ Nothing ..Man wouldn't that of been nice if this was a software problem! Here are two pictures of the registry just to be sure I didn't miss anything.

http://citrix.criticalwire.com/registry1.png

http://citrix.criticalwire.com/registry2.png

I'm going back to the server later today to check the capacitors.

What other tests should I try?
Avatar of nsavoie

ASKER

Sorry, I forgot these pictures too.. The capacitors look ok... (No bulging or leaking)

http://citrix.criticalwire.com/capacitor1.jpg

http://citrix.criticalwire.com/capacitor2.jpg

http://citrix.criticalwire.com/capacitor3.jpg
Avatar of nsavoie

ASKER

Just providing some more information incase anyone needs it:

Here is my Motherboard:

http://www.newegg.com/Product/Product.aspx?Item=N82E16813130099

And here is my power supply:

http://www.newegg.com/Product/Product.aspx?Item=N82E16817162018
Avatar of nsavoie

ASKER

Made some progress tonight.  As of last night, my computer wouldn't boot.  I thought that the problem was completely separate from this problem that I've been having but I don't think it was.

Right now I have to sticks of PNY and two sticks of Kingston,  Putting in the Kingston does not allow me to see any picture on the screen, but both the PNY work.  I'm bringing the Kingston back and going to see if I can get some PNY.  Hopefully this was the entire problem and would explain the blue screening!

I'll update as soon as I get the new RAM.

Thanks for your input everyone.
Swapping RAM is the simplest fix...

Good luck!
If your problem persists with the new ram, these are other potential problem areas that might cause these types of problems:

-Power Supply (Check Voltage / Swap with Known-Good unit of sufficient Wattage)
-Video Card (Check Capacitors here too, but more likely a video memory problem if this is the culprit)
-Processor (It's always a pain to find a known good for this one)

If you have any known-good components to swap with your existing hardware, that would be the best. Make sure you do not swap more than one component at a time so you know which one it was.

I have also taken a look at the minidumps, and these were the drivers that potentially caused the failures:

SiWinAcc.sys - NForce SATA driver (recommend re-installing driver) [OCCURRED 1 TIME]
ntkrnlmp.exe - Core windows driver (suggests hardware failure) [OCCURRED 1 TIME]
vmx86.sys - VMWare driver (it happened a lot, but not sure if re-installing VMWare will fix this problem) [OCCURRED 4 TIMES]

With the ntkrnlmp.exe file being one of the causes, and the SATA driver being another, I would recommend you try running your SATA hard drive with the IDE turned off in BIOS (assuming you have the OS on SATA and you have an IDE controller to turn off).

All-in-all, I still think it is hardware related. Keep us posted and Good Luck!
By the way, this is when we start the bets on which component it is.  I say, Power Supply (hehe).
ASKER CERTIFIED SOLUTION
Avatar of nsavoie
nsavoie
Flag of United States of America image

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer