Solved BSODs starting up again - 0x0000009F

[jpaulm]

I have just had a rather unproductive interchange with Arc, in which I'm afraid he got rather fed up with me! I made what was possibly a mistake in appending my new (?) problem to the BSOD thread I started back at the end of August, as I assumed they were related. Arc kept telling me to delete something that I deleted back then, and seemed very put out that I couldn't do it.

Arc keeps saying that there is a folder call GFI/Languard in Program Files (x86) but I can't see it on my machine. It occurs to me that he may have been looking at the old zip file, rather than the newer one that I attached a few days ago. Maybe the software only allows one zip file per thread - don't know! I am accordingly starting a new thread, and attaching the newer zip file again.

In the absence of clear guidance from Arc, I tried the following:

- deleted registry folders: sbfwimcl and sbfwimclmp
- deleted sbfwim.sys from windows/drivers folder

- restarted system

- no internet connection

- went back into registry and found deleted folders had come back

- restarted system - still no Internet connection

- did a System restore - as of yesterday

- did system restart and Internet is back - sbfwim.sys in Windows/drivers is back as well!

FYI I am running Vipre, which seems to use some sbfw modules - I did use Spybot S&D for several years, but uninstalled it when I switched to Vipre. Languard was still on my system, but when Arc recommended me to uninstall it, I couldn't as it was not on the Control Panel/Programs and Features.

I know you guys have access to tools and knowledge that I don't - is it possible that there are invisible folders on Program Files (x86), e.g. GFI - that I can't see but you guys can?

Help would be much appreciated! I was very enthusiastic about the level of support I got last time - this more recent experience hasn't been quite up to the same standard!

Paul Morrison

 

[jpaulm]

It occurs to me that, even if Arc was looking at the right zip file - TUNAPUNA2-15_10_2014__94048_42.zip, could he have been looking at the wrong minidump - it should of course be 101514-14866-01.dmp. Could our miscommunication problem be that simple? Just an idea! Regards.

 

[jpaulm]

Found a service called GFI LanGuard 11 Attendant Service - have deleted it! However, the registry folders (SBFWIMCL and SBFWIMCLMP) are still there, and so is sbfwim.sys (in the Windows/drivers list)! Could this be what Arc was referring to? Other than that, I am totally stumped! Thx

 

[Hexagon12]

Hi,

The WinDBG says that this is Unknown_Image.

Re-run the SF diagnostic tool again. I saw, that few files are missing from thi zip.

 

[Boozad]

Re-run the SF diagnostic tool again. I saw, that few files are missing from this zip.

This advice is correct. Upload new logs when you've run the tool again.

 

[jpaulm]

Hi hexagon1 and Boozad, thanks so much for getting back to me! Assuming that the SF Diagnostic tool you refer to is the DM Log collector, I have just run it, and am attaching the latest zip file. I see it's a bit bigger than the last one! Hope this helps.

 

[Boozad]

The first thing that stands out is a program called Sunbelt Firewall.

fffff880`0319fa18  fffff880`05618670Unable to load image \SystemRoot\system32\DRIVERS\SBFWIM.sys, Win32 error 0n2
[COLOR=Red][B]*** WARNING: Unable to verify timestamp for SBFWIM.sys
*** ERROR: Module load completed but symbols could not be loaded for SBFWIM.sys[/B][/COLOR]
 SBFWIM+0x18670

:ar: Uninstall that software and use integrated Windows Firewall.

You have an Atheros Wireless adaptor? It's causing issues

fffff880`0319eaa8  fffff880`065c4defUnable to load image \SystemRoot\system32\DRIVERS\athrx.sys, Win32 error 0n2
[COLOR=Red][B]*** WARNING: Unable to verify timestamp for athrx.sys
*** ERROR: Module load completed but symbols could not be loaded for athrx.sys[/B][/COLOR]
 athrx+0x164def

0: kd> lmvm athrx
start             end                 module name
fffff880`06460000 fffff880`0686b000   athrx    T (no symbols)           
    Loaded symbol image file: athrx.sys
    Image path: \SystemRoot\system32\DRIVERS\athrx.sys
    Image name: athrx.sys
    Timestamp:        [COLOR=Red][B]Fri Feb 21 08:49:10 2014[/B][/COLOR] (53071306)
    CheckSum:         003EAAF4
    ImageSize:        0040B000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

:ar: Look for an updated version here.

 

[jpaulm]

Thanks, Boozad, this seems to fit in with what happened 6 weeks ago, and led to my communication problem with Arc.

Re SBFWIM.sys: as I said at the start of this thread, there is no Sunbelt stuff in Control Panel/Programs and Features, so I don't know how to do an uninstall - is there another way?

There are two registry folders that refer to this driver - when I deleted them and the driver, I lost access to the Internet! Should I just delete the driver? Or the registry folders alone, or change some settings? I know that I'm ignorant, but that is why I rely on experts like you guys!

Re athrx.sys, I installed a driver from atheros.cz about 6 weeks ago, so I'm surprised it's still giving trouble! Should I just try again?

TIA

Paul

 

[Boozad]

From what I can see about Sunbelt Firewall it buries itself deep into Windows with many different files and can be difficult to get rid of competely, Add/Remove Programs may not take care of it. There are obviously some remnants of it still running on your machine as it showed in a dump from your machine three days ago. Can you open Task Manager and take a screenshot of Startup and Services (they may take more than one screenshot each) so I can see if there are any applications running that belong to Sunbelt.

As for you Atheros adapter, my advice would be to completely uninstall it, reboot and see if Windows finds a driver for it. Before doing so make sure you have a driver saved on your machine just in case Windows doesn't find one. Either way that device is causing plenty of issues.

 

[jpaulm]

This is getting clearer! I have 4 pages of services, attached. I saw one called sbpimsvc which appears to be a sunbelt product - should I delete that service? I'm afraid there are a lot for you to go through!

Oh wait, I found a service called GFI Languard Attendant Service a couple of days ago and deleted it - could that be causing some of the stuff you saw on the dump?

I brought up the Startup list on msconfig but couldn't see anything strange - I have been through it several times! Is there another way to do it?

Under Device Manager, I ran the Windows check for drivers for the Atheros adapter, and it said it was up to date (10.0.0.285), but maybe uninstalling it and reinstalling it is a better check...?

When I go into the atheros.cz web site I see DriverMend and DriverManager - are they safe to use?

Also something called DriverUpdater, which I can't find the link to again! I guess I'm getting paranoid!

 

[jpaulm]

BTW I am running Vipre - a) I gather that Vipre does use a few SB functions (is that right?), and b) Vipre has a firewall, so presumably I don't need to run the Windows firewall as well - or can/should one run several?

Thx

 

[jpaulm]

Boozad, help! You say that the Atheros is causing plenty of issues! I assume you mean the software that's driving it, rather than the actual hardware...? What kinds of issues?

Now when I look at msinfo32.nfo, I see under Components/Network/Adapter a number of devices using the SB driver SMFWIM.sys - which explains why the network access died when I tried simply deleting it, based on what Arc seemed to be saying, but unfortunately couldn't explain in terms I could understand! In fact I see quite a few entries all saying GFI Software Firewall NDIS IM Filter Miniport - is this normal, or just a red herring?!

One other diagnostic I saw seemed to be blaming vwifimp.sys - what do you think?

Thanks,

Paul M.

 

[Hexagon12]

I personally think, that you should get rid of Vipre. Windows Firewall can secure your internet connection.

Let's see, if Windows can automatically detect your ethernet:
1. Go to device manager.
2. Expand all network adapters.
3. Select your ethernet driver.
4. Right-click and select uninstall or something familiar.
5. Restart Windows after that is done.
6. You see, in notification area, that the drivers is installing.


After that, see if you get new BSoD's.

 

[jpaulm]

Hi Hexagon12,

Sorry to be a bit slow, but I didn't quite understand if you were answering my questions to Boozad of last night, or answering based on the dumps I sent...

First, are you saying that Vipre is a problem generally (I think it is or was one of the most highly rated AntiVirus tools), or just that I should cripple its firewall facility, or something else....?

Second, when you said "ethernet driver", for each line in the Network Adapters category, there are two drivers, one of which is the SunBelt one (SBFWIM); the other is specific, e.g. vwifimp.sys. The Atheros has 2 vwifibus.sys and athrx.sys.... Do I uninstall all or just the Sunbelt one?

Third, in your note, when I display it, the words "driver" and "drivers" are replaced by a link to DriverUpdater (by tweakbit) - is this something you guys endorse?

Fourth, do you still consider athrx.sys a problem?

Thanks so much for your prompt replies,

Regards,

Paul

 

[Boozad]

Apologies for the delay, I've been pretty ill. I'll catch up on this later today and get back to you, there's a lot of messy information to go through here.

 

[Boozad]

OK, first place to start will be here. I'm not sure what stuff you have installed now, it seems there are so many duplicate programs and utilities it's hard to know where to begin. Follow the tutorial linked below and test stability.

http://www.sevenforums.com/tutorial...ation-conflicts-performing-clean-startup.html

 

[jpaulm]

Hi Boozad, sorry to hear you've been ill - and please don't rush to look at my problem. The BSODs were only occasional anyway - it was more that I wouldn't mind answers to my questions in the previous post - totally at your leisure! The machine runs pretty well as far as I can see - unless there are viruses present that neither Vipre nor MalwareBytes are picking up!

One odd thing I have just run into is that there are a bunch of hidden drivers in my DeviceManager Network Adapters settings which reference GFI Software Firewall NDIS IM Filter Miniport, which may have been what Arc was talking about - except that he didn't tell me how to find them! I just stumbled across them! I tried uninstalling them yesterday, but they're back today!

Last question - again no rush: Hexagon12 suggested stopping my (Vipre) Firewall and using Windows FW instead - a) do you agree, and b) does the Windows FW do any web filtering?

Thanks a million, and get well soon!

 

[Boozad]

I would highly recommend using the native Windows Firewall, I've been using it for years now and have never had any problems. As long as the programs you're running are efficient then less is more. One AV program, Windows native Firewall, MBAM run on demand, one network adaptor.

I would also recommend uninstalling Vipre and installing MS Security Essentials. That is really your call though.

 

[jpaulm]

Thanks, Boozad, that's clear! I had already switched to Windows Firewall, so that's good! I am thinking of dropping Vipre anyway as it is no longer #1 apparently! Looks like either Bitdefender or MSE...

Not sure how to get rid of the GFI driver remnants - also I don't know if you still think athrx.sys is a problem.

 

[Boozad]

I've spoken briefly to Arc about this Paul and it seems that you've deleted the folders for some programs as opposed to actually uninstalling them which would explain why some have left remnants on your machine. In this case it's extremely difficult to cleanse what's left of the programs as it would have to be done manually and would involve editing the registry to delete the entries.

What I'd suggest here is backing up all of your important files and data and performing a clean installation of Windows. It will be of great benefit if you go this route as you'll have the best possible install, and with our guidance you will be able to get your system running at optimal performance. Let me know if you will consider this route and I'll happily talk you through the process. I wouldn't recommend it if I didn't think it was the best course of action.