Win 2K crashes setting up network connection

Discussion in 'Software' started by Rob M., Sep 2, 2007.

  1. Rob M.

    Rob M. First Sergeant

    I'm trying to fix my son's computer for him. We're both stumped.

    He picked up a rogue spyware program. We've gotten rid of that, and the system runs fine when there is no network cable attached. Win 2K blue-screens and reboots as soon as we plug in a network cable. If the cable is connected when starting, Windows will blue-screen when the startup routine reaches "Setting up network connections..."

    The error message on the blue screen is not visible for long enough to read it in either case, but I think it is the same message in both BSODs.

    I have tried uninstalling his network adapter. It re-instals itself without any announcement that it is doing so on the next startup. I was hoping that the re-install would ask for the Win 2K distribution CD-ROM so that it would get a fresh set of files rather than re-using what's on the hard drive and is possibly corrupted. (No, there have been no error messages to that effect.)

    On the last attempt, the network adapter didn't install properly. The Device Manager yellow-flagged it with an error message that read, "Windows cannot load the drivers required for this device. (Code 31)". The Windows Troubleshooter says that "Code 31" indicates a failure in another device that the network adapter depends on, but there is no indication as to what that might be.

    The network adapter is on the motherboard. Windows recognises it as "NVIDIA nForce MCP". SiSoft Sandra reports the system as "HP Pavilion 04", the motherboard as "Microstar Int'l Co. Model MS-6367", and the O/S as "Windows 2000 Pro Workstation ver 5.00.2195 SP3".

    Just to make life difficult, the motherboard driver disk is not available. Lost in the mists of time.

    Can anyone offer a clue or a suggestion? Or even a fix?
     
  2. COMPUABLE

    COMPUABLE First Sergeant

    >>> Win 2K blue-screens and reboots... The error message on the blue screen is not visible for long enough to read it in either case, but I think it is the same message in both BSODs. <<<

    Hi Rob...

    OK, first things first... we gotta get to that "error message" info first! ;) Stop Errors are quite the pain but it's not too hard to get to the solution once we know the exact message.

    Unfortunately, Windows occasionally encounters a problem during startup that results in these annoying STOP error messages. Depending on the system configuration, the blue screen may not be displayed long enough to record - or even read - the particular error information (as you mentioned above in your post).

    In Windows 2000, the default setting is for the computer to ‘reboot automatically’ when any fatal error occurs. If that fatal error only occurs when you're shutting down, the system reboots automatically. Using the workarounds listed at the webpage link listed below, you can alter the startup process so that the all-important information about the STOP error message can be gathered.

    Here's the Microsoft Knowledge Base link: Windows Restarts Continuously with Blue Screen

    The steps listed there disable the ‘Automatically Reboot’ option in the original Windows installation. After you follow these steps, you should be able to gather information from the STOP error message and consequently resolve the problem that prevents the computer from starting. We’ll need that error message info to diagnose your problem.

    Important Note: If you’ve never tried using Registry Editor before, just take those steps slowly and one at a time. Also you might want to copy and print this STOP error message info at that link to paper if you do not have another computer handy.

    Good Luck!
     
  3. Rob M.

    Rob M. First Sergeant

    Thanks, Compuable. I was wondering how I could get at the blue-screen error message. I'll do as you suggest, and post again shortly. But not tonight -- it's already past my bedtime.

    But if there are other ideas out there, I'm still interested!
     
  4. Rob M.

    Rob M. First Sergeant

    Thanks again for the tip, Compuable.

    I see that the instructions you referred me to require an alternate installation of Windows to edit the Registry. Is that only because the writer was assuming that it was not possible to start the original Win2K installation at all?

    Let's put that another way. My son's system will run, as long as the network cable is not connected. Can I edit the Registry as indicated from the original Win2K installation?

    Setting up an alternate installation is going to take time and hard drive space that I don't have right now, so I'd like to avoid the alternate installation if I don't need it.

    If I do need the alternate Windows installation, could I do that by removing the hard drive from my son's machine, mounting it in another system that is also running Windows, and editing my son's Registry from there? If so, would the second system have to be Win2K Pro, or are there other variants of Windows that could be used to edit the Win2K Registry that way?
     
  5. Rob M.

    Rob M. First Sergeant

    After writing the last message, it occurred to me that when the system is running, maybe it's possible to disable the auto-reboot feature without resorting to an alternate install. Sure 'nuff; there's a setting in Administrative Tools --> Computer Management.

    That got me a BSOD that stayed up as long as I needed it. The STOP message reads:
    *** STOP: 0x0000001E (0xC0000005, 0x00000000, 0x00000000, 0x00000000) KMODE_EXCEPTION_NOT_HANDLED
    There was an additional message that confirmed a successful dump of physical memory to disk. I haven't found that file yet, but it'll be large. Disabling the auto-reboot feature warned me that starting swapfile space needed to be a minimum 480MB to be able to write the dump to disk.

    Anyway, Compuable, if you can make sense of the STOP message, I'd be delighted. What does it tell me that I need to know?
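
As an added example (not part of any post in this thread): a short Python decoder for the STOP line quoted in post #5, using the documented parameter layout for bug check 0x1E. The function names and the small NTSTATUS table are this example's own.

```python
import re

# The STOP line as quoted in the post above.
STOP_LINE = ("*** STOP: 0x0000001E (0xC0000005, 0x00000000, "
             "0x00000000, 0x00000000) KMODE_EXCEPTION_NOT_HANDLED")

STOP_RE = re.compile(r"STOP:\s*(0x[0-9A-Fa-f]+)\s*\(([^)]*)\)\s*(\w*)")

# A few documented NTSTATUS exception codes (subset, for illustration).
NTSTATUS = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0x80000003: "STATUS_BREAKPOINT",
}

def parse_stop(line):
    """Split a blue-screen STOP line into (bugcheck, [p1..p4], name)."""
    m = STOP_RE.search(line)
    if not m:
        raise ValueError("no STOP code found")
    params = [int(p, 16) for p in m.group(2).split(",")]
    if len(params) != 4:
        raise ValueError("a STOP line carries exactly four parameters")
    return int(m.group(1), 16), params, m.group(3)

def explain_0x1e(line):
    """Interpret the four parameters of bug check 0x1E."""
    code, (exc, fault_addr, info0, info1), name = parse_stop(line)
    if code != 0x1E:
        raise ValueError("this helper only decodes bug check 0x1E")
    result = {
        "bugcheck": name or "KMODE_EXCEPTION_NOT_HANDLED",
        "exception": NTSTATUS.get(exc, "unknown (0x%08X)" % exc),
        "fault_address": fault_addr,   # where the exception was raised
        "null_transfer": False,
    }
    if exc == 0xC0000005:
        # For access violations: info0 is 0 for a read, 1 for a write;
        # info1 is the address that was touched.
        result["access"] = "write" if info0 == 1 else "read"
        result["target_address"] = info1
        # Faulting at address 0 while reading address 0 means the CPU
        # tried to fetch code from NULL: kernel code jumped or called
        # through a null pointer, so no driver owns the fault address.
        result["null_transfer"] = fault_addr == 0 and info1 == 0
    return result

if __name__ == "__main__":
    for key, value in explain_0x1e(STOP_LINE).items():
        print(key, "=", value)
```

With a fault address of 0 the STOP line cannot name the offending driver; that has to come from the stack recorded in the memory dump.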
     
  6. Rob M.

    Rob M. First Sergeant

    The problem is still unresolved. But I have an update.

    I disabled the on-board LAN adapter, and uninstalled it from Windows. Then I installed a 3Com 3C905-TX card that I had lying around. Startup was normal, and Windows correctly identified the card. So I plugged in the LAN cable, and got the same BSOD with a Stop error that had exactly the same output as previously. Again, the memory dump to disc was successful -- but I haven't figured out yet how to find and read that dump.

    Any further thoughts, Compuable? Anyone?
     
  7. tunered

    tunered MajorGeek

    Are you sure that lan cable is not from the microwave or toaster oven? Could your modem be the cause? Does any other pc work on this same connection? ed
     
  8. Novice

    Novice MajorGeek

    Are you using Zone Alarm for a firewall?
     
  9. Rob M.

    Rob M. First Sergeant

    A fair question, seeing that I haven't said anything about the LAN.
    The cable is fed by a D-Link DI-604 router; I use that cable for setting up computers on a regular basis and have had no problems with it or the other computers (2) that are also hooked to the same router at the same time.

    I suppose that it is possible that the cable has just gone bad, but it's rather unlikely. Thanks for the thought. I'll keep the possibility in mind.
     
  10. tunered

    tunered MajorGeek

  11. Rob M.

    Rob M. First Sergeant

    Nope. On my son's machine, only whatever comes with Windows. If that -- I haven't checked, but I will. If it's enabled, I'll try disabling it to see if it still crashes.

    Thanks for the thought.
     
  12. Rob M.

    Rob M. First Sergeant

  13. studiot

    studiot MajorGeek

    At the risk of treading on Chas's corns, there are several rootkits that can cause continual restarting as the rootkit payload races windows for the lan resource.

    Go to http://www.greatis.com/security/Removal_Spooldr.exe_Spooldr.sys_rootkit.htm

    and download (free) reanimator .zip (towards the bottom in the centre panel)
    Unpack and run, following the instructions.
    When 'rootkitno' is running, at boot before windows
    open a command window and run sfc /scannow.
    This will replace any rogue tcpip.sys or other rogue files.
    It may be worth running the system file checker anyway.

    If this does indeed stop the problem
    Take the pc to the Major Geek malware clinic for a full checkup.
     
  14. qlites

    qlites Private E-2

    Hey Rob,

    Any luck finding a fix? I am seeing the exact same thing.
     
  15. studiot

    studiot MajorGeek

    @Qlites, there are lots of reasons why a pc continually restarts.

    Rob's problem started after spyware removal - we don't know the circumstances.

    So it is unlikely yours are the same.

    You should start your own thread.
    Explain the circumstances that lead up to the problem.
    State the stop error if known.
    State your operating system and service pack.

    @Rob

    I'd also be interested to know if 'rootkitno' helped as I have seen this several times before.
     
  16. Rob M.

    Rob M. First Sergeant

    The continual-restart was because the OS was set to restart itself after crashing. Once I turned that off, that broke the loop. When the machine crashed, it stayed crashed until I cycled the power.

    Reanimator found and removed two baddies: bot.dll and netdtect.sys. SFC \SCANNOW didn't report anything, but did replace the copy of TCPIP.SYS that was in \SYSTEM32\DLLCACHE with an older file. The version that was replaced had a file date that was very close to when the system was infected, and had a string at the end referring to wdfmzrx.sys -- which to me is highly suspicious. SFC may have replaced other files as well.

    Unfortunately, after all that -- my son's system still crashes as soon as I plug in the LAN cable. Same BSOD and stop code. Same result if I boot with the LAN cable attached -- it crashes shortly after "setting up network connections" appears on the screen during the system boot.

    Time for a re-install, I guess. I'm out of ideas, guesses, hints, and support.
     
  17. studiot

    studiot MajorGeek

    Thanks for the feedback, Rob.

    It's an unfortunate fact of rootkit life that format and reinstallation is the only certain way to remove some rootkits.

    Make sure that you delete all partitions, create new ones and reformat before you start reinstalling.
    Rootkits cannot install themselves from a limited user account, so surf the net from one of these.


    The good news is that the Greatis software puts a pre-windows shield on your system. I am currently testing this and have not seen a breach yet.
     
  18. qlites

    qlites Private E-2

    Hey Rob,

    I had the same issue where as soon as I plugged in the ethernet cable it would BSOD. The computer had a ton of Viruses/Trojans and after using several different Anti Virus/Spy software programs I finally was able to fix the issue. Different programs picked up different Viruses/Trojans so I am not sure which specific Virus/Trojan was causing the issue. I used the following programs.

    CounterSpy
    Autoruns
    RegRun Reanimator (Thanks for the link studiot)

    Good luck with it.
     
  19. Rob M.

    Rob M. First Sergeant

    Thanks for the thought. I've run all of the above -- but now that I've stepped on a couple of rootkits (thanks to Reanimator), maybe I should go back and re-run CounterSpy and AVG.

    That reminds me. I still haven't done the HiJackThis thing.
     
  20. Rob M.

    Rob M. First Sergeant

    Thanks for the heads-up, studiot.

    If you'd left me to my own devices, I would have reformatted only C:, then reinstalled. There are two other partitions on that physical drive.

    If you'd care to educate us a little further -- why do I need to redo the entire disk, not just the O/S partition?
     
  21. Rob M.

    Rob M. First Sergeant

    Studiot's post of 09-08-07, 03:29 (#13) was probably closest to the mark.

    I gave up on the messing about, and installed a Win XP Pro SP1 upgrade over top of the Win2K installation. That seemed to be successful, and allowed me to remove Norton System Works, which hadn't been updated since its subscription ran out two years ago. The change also allowed me to install and update AVG Free, and to update the existing installation of Spybot S&D. Those scans identified another 50-odd threats, and removed them. Nearly all of the malware executables found were in \WINNT\SYSTEM32 -- which was no longer in use, as the system was booting into Win XP, not Win2K. The scan also turned up a boot sector virus that previously had not been identified.

    My theory is that those trojans, etc. were no longer active because of the O/S change, which allowed them to be identified and removed. As further support for that theory, plugging in the LAN cable did not result in an immediate BSOD after the upgrade to Win XP.

    Anyway, the system now seems to be clean and operating normally -- and my son does not have to replace application and utility software. Which is a good thing. He didn't get the distribution disks with the machine when his mother gave it to him.

    Hopefully, my son now understands the perils of surfing the web without adequate protection -- and of downloading codecs from less-than-reputable websites that offer streaming video. He was lucky there: that one installed a silent dialler that dials 900 numbers without the user's knowledge to run up charges that go to the owner of the 900 number. The dialler got nowhere only because there was no phone line connected to the modem in his machine.
     
  22. studiot

    studiot MajorGeek

    Glad you got there in the end; delousing can be tough.
     
