[SpeedEffect]

Hello Everyone. Firstly, i apologise if this has already been posted, buyt its happening that often on my computer, i don't have the time to check through other posts to see if its already been solved.

Ive lately been getting the dreaded BSOD alot lately. I dont know why. Its mostly started happening since i installed Football Manager 2010, but ive since uninstalled it and im still getting the BSOD so i dont know if its connected.

I got my first BSOD when i tried to run updates last week. Ive since downloaded and successfully updated from Vista, to Vista Service pack 2. The BSOD's originally stopped for a few days, but ive recieved several tonight.

The BSOD im getting is as follows...


ddeciart.sys

PAGE_FAULT_IN_NONPAGED_AREA

If this is the first time you've seen the stop error screen, restart your computer. If this screen appears again, follow these steps:

Check to make sure any new hardware or software is properly installed. If this is a new installation, ask your hardware or software manufacturer for any windows updates you might need.

If problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. If you need to use safe mode to remove or disable components, restart your compute, press F8 to select Advanced Startup Options, and then select Safe Mode.

Technical Information:

*** STOP: 0x00000050 (0xA7F4E000, 0x00000000, 0x867CB958, 0x00000000)

*** ddeciart.sys - Address 867CB958 base at 867C8000, datestamp 48d42734

Collecting date for crash dump...
Initializing disk for crash dump...
Beginnning dump of physical memory.
Dumping physcial memory to disk: 100
Physical memory dump complete.

Contact your system admin or technical support group for further assistance.


Any help would be greatly appreciated.

Thankyou.

[Rollin' Rog]

Because there are no "google" hits for that driver name, malware is suspect, unless you copied the name incorrectly >>

http://www.google.com/search?client=...utf-8&oe=utf-8

You might try doing a "System Restore" to a date prior to the issue; these can be undone if not helpful.

To do a System Restore, run rstrui.exe and make sure you are showing more than 5 restore dates to pick one that predates the problem if available.


-------------------------------------------------
I can run a debugging utility on the dump files if you do this:

1 > create a new folder on the desktop and call it "dumpcheck" or whatever you like
2 > navigate to c:\windows\minidump and copy the last few minidump files to that folder. *this assumes 'c' is your boot drive, if it is not, subsitute accordingly
3 > close the folder and right click on it and select Send to Compressed (zipped) Folder.
4 > use the "manage attachments" in the "advanced" reply window to upload that zip file here as an attachment.

This might point us to a non Microsoft driver causing the error, if one exists for it.

If you do not see any minidumps, be sure you are not using any cache cleaner such as CCleaner. Also run sysdm.cpl and select Advanced > Startup and Recovery. Make sure "small memory dump" is the one chosen under "write debugging information" and the location should be %systemroot%\minidump

[SpeedEffect]

Thanks so much for replying.

I don't have a recent restore point....for some reason my computer keeps deleting them

Ive attached a copy of my minidumps for you to take a look at.

And ive also attached a jpeg of ddeciart.sys appearing in my drivers folder in system 32.

Thanks once again

[Rollin' Rog]

I can't get any ownership information out of the bugcheck for that -- only that it is an older file.

Can your find it again, right click on it and select "properties" and see if there is any copyright or version information?

867c4000 867d3000 ddeciart T (no symbols)
Loaded symbol image file: ddeciart.sys
Image path: \SystemRoot\system32\DRIVERS\ddeciart.sys
Image name: ddeciart.sys
Timestamp: Fri Sep 19 15:27:00 2008 (48D42734)
CheckSum: 0000D5B9
ImageSize: 0000F000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4

------------------------------------------------------------------------

You might also try to locate it in the registry. Run regedit and open

HKEY_LOCAL_MACHINE\SYSTEM

Select Edit > Find and enter:

ddeciart.sys

You will probably find it in a Current Control Set key.

If so, you can disable the startup by setting the startup mode to 4 -- but try to find some more information on it first as I don't know whether it could cause a failed boot.

I would also remove any installed Emulation software (I see Daemon Tools, for one) until the problem is resolved.

[SpeedEffect]

Ok ive removed Daemon Tools...see if that solves the problem.

I'll try disabling ddeciart.sys when i know more about it because like you said, it might cause boot failure.

Ive attached a jpeg of the ddeciart.sys properties.

Thanks

p.s. ive also got a memory test due to start next time i reboot.

[SpeedEffect]

Just finished running a memory test and it passed...no errors detected

[Rollin' Rog]

No version or copyright info there, but it was built in 2006

However the bugcheck "timestamp" is >> Fri Sep 19 15:27:00 2008

.. which is probably when it was installed -- so that might give you a clue

When searching regedit for it, you can do a complete search by starting from the "computer" icon -- and hit Find Next for each hit.

You should be able to determine from the other entries associated with it, or what left pane folder it is in, what it came with.

But the startup for it would be in the "currentcontrolset" (no number) directory.

That mirrors the active directory. If you ONLY disable it there, a boot failure should still allow a "last known good configuration" startup -- as one of the other CCS directories (the ones with numbers) will contain the last successful boot mode.

From running some other windbg command I suspect the actual file is corrupt -- but we don't know what is calling it.

This command is supposed to analyze the security risk of STOP error. The fact that no instruction set can be disassembled is curious

1: kd> !load msec.dll
1: kd> !exploitable
Warning: Unable to read from the TEB in the current thread.
Warning: Unable to read from the TEB in the current thread.

Error: Unable to disassemble the faulting instruction.
Error: Gather Rule #23 in !exploitable failed

------------------

For what it's worth the "dde" part of the file name probably stands for "dynamic data exchange" and is associated with moving data between applications. What the "ciart" stands for one can speculate.

[SpeedEffect]

Im not sure what you mean for me to try next.

Ive found it in Regedit...but dont know what to do with it.

Could all this have something to do with the fact that my computer up until recently was dual booted between Vista and XP....then i started getting these BSOD, so i deleted the XP partition to see if it rectified the problem...to no avail

[Rollin' Rog]

Well there is no further identifying data there, very unusual. I don't see how it could have any connection to a past dual boot configuration.

More unusual is that the service state start configuration is '0' which is a "boot" start service. I'm not sure how this differs from "automatic" which is the more common configuration.

One might suspect it to be a critical device driver except that nothing is known about it which makes it very suspect, especially as the start type is uncommonly used and no default device uses it that I know of.

In your first attachment you will see a right pane entry for "start"

Double click that and set the start mode to '3'

This is a "manual" startup which does not really disable it but it will not start unless a particular device calls for it.

Hopefully that will not result in a failed boot, but if it does, select "Last Known Good Configuration" from your F8 start menu options and that should get you in if this happens on the first reboot attemp.

If you still get the BSOD, then you can bite the bullet and try disabling it completely by setting the Start Mode to disabled or '4'

[SpeedEffect]

Ok, well i'll try you suggestions if i get another BSOD.

As of now, i haven't had one since yesterday morning.

Could having Daemon Tools on my computer be causing this...because ive not had a BSOD since uninstalling it...and if i remember rightly, ive been getting them since i updated Daemon Tools Lite to play a game.

Or it could be that its the game? However, i uninstalled the game on getting the first few BSOD, but after still getting them with it uninstalled, ive gone and installed it again.

[Rollin' Rog]

I've always recommended uninstalling Daemon Tools when troubleshooting a problem like this. It does have rootkit like stealth characteristics and can occupy a large memory footprint.

I just don't know why that particular file would be the one faulting. I don't think it is associated with Daemon Tools, but as they do use "stealth" drivers, it could be something that came with an older version and is not polymorphic like the newer ones.

It's also possible that if you have run any malware scans recently -- it might have removed part of the rootkit (if that is what it is), but left that driver.

If you haven't run any scans, you should.

Here is one you might try:

http://www.gmer.net/