
BSOD 9 times in 48 hours, mostly for different reasons.

Discussion in 'Virus & Other Malware Removal' started by bjmar13, Feb 25, 2013.

Thread Status:
Not open for further replies.
  1. bjmar13

    bjmar13 Thread Starter

    Joined:
    Feb 25, 2013
    Messages:
    14
    Attached you will find the 9 BSODs from BlueScreenView that I have received in the last 48 hours.

    I've scrubbed video drivers, checked RAM with memtest for 10+ hours, and checked my BIOS settings for any strange settings.

    Over and over I get these blue screens.

    Please...HELP!

    Custom built system running Win 7 64bit.
     

    Attached Files:

  2. Lance1

    Lance1

    Joined:
    Aug 4, 2003
    Messages:
    5,613
    hello bjmar13 and Welcome to TSG!

    Please go to C:\Windows and copy the minidump folder there to the desktop. Compress it and upload to this post. How to upload, Click Go Advanced and scroll down to Manage Attachments Browse to the compressed file.
     
  3. bjmar13

    bjmar13 Thread Starter

    Joined:
    Feb 25, 2013
    Messages:
    14
    Here's the data.
     

    Attached Files:

  4. bjmar13

    bjmar13 Thread Starter

    Joined:
    Feb 25, 2013
    Messages:
    14
    bump

    anyone?
     
  5. valis

    valis Moderator

    Joined:
    Sep 24, 2004
    Messages:
    76,921
    check out whocrashed to decode that dumpfile. I'm not at my main rig currently, so I do not have the software on this rig to analyze it. But whocrashed will give you the results, and you can post them back here.

    thanks,

    v
     
  6. Lance1

    Lance1

    Joined:
    Aug 4, 2003
    Messages:
    5,613
    Hi! Just heading out the door for work and I will look over those files later today. I took a quick look at one and found "netsession_win.exe", which is from Akamai Technologies, Inc. It sends log files to Akamai's servers (without the knowledge or interaction of the user), it installed itself without any permission, and it left no trace as to what it was bundled with. My recommendation is to uninstall it.

    PHP:
    Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [C:\Users\LG-PC7\Desktop\Minidump\Minidump\022513-33493-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available

    Symbol search path is: SRV*your local folder for symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is: 
    Windows 7 Kernel Version 7601 (Service Pack 1) MP (3 procs) Free x64
    Product: WinNt, suite: TerminalServer SingleUserTS Personal
    Built by: 7601.17944.amd64fre.win7sp1_gdr.120830-0333
    Machine Name:
    Kernel base = 0xfffff800`04416000 PsLoadedModuleList = 0xfffff800`0465a670
    Debug session time: Mon Feb 25 17:31:20.679 2013 (UTC 8:00)
    System Uptime: 0 days 1:06:46.099
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    .......................................
    Loading User Symbols
    Loading unloaded module list
    ......
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 50, {fffff8e0009e99bc, 1, fffff800045c0fa2, 5}


    Could not read faulting driver name
    Probably caused by : ntkrnlmp.exe ( nt!ExFreePoolWithTag+212 )

    Followup: MachineOwner
    ---------

    1: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    PAGE_FAULT_IN_NONPAGED_AREA (50)
    Invalid system memory was referenced.  This cannot be protected by try-except,
    it must be protected by a Probe.  Typically the address is just plain bad or it
    is pointing at freed memory.
    Arguments:
    Arg1: fffff8e0009e99bc, memory referenced.
    Arg2: 0000000000000001, value 0 = read operation, 1 = write operation.
    Arg3: fffff800045c0fa2, If non-zero, the instruction address which referenced the bad memory
        address.
    Arg4: 0000000000000005, (reserved)

    Debugging Details:
    ------------------


    Could not read faulting driver name

    WRITE_ADDRESS: GetPointerFromAddress: unable to read from fffff800046c4100
     fffff8e0009e99bc 

    FAULTING_IP: 
    nt!ExFreePoolWithTag+212
    fffff800`045c0fa2 ff411c          inc     dword ptr [rcx+1Ch]

    MM_INTERNAL_CODE:  5

    CUSTOMER_CRASH_COUNT:  1

    DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

    BUGCHECK_STR:  0x50

    PROCESS_NAME:  netsession_win

    CURRENT_IRQL:  1

    IRP_ADDRESS:  ffffffffffffff88

    TRAP_FRAME:  fffff88007b246f0 -- (.trap 0xfffff88007b246f0)
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=0000005fffffffa0 rbx=0000000000000000 rcx=fffff8e0009e99a0
    rdx=fffff880009e9180 rsi=0000000000000000 rdi=0000000000000000
    rip=fffff800045c0fa2 rsp=fffff88007b24880 rbp=0000000000000000
     r8=0000000000000000  r9=0000000000000000 r10=fffff80004416000
    r11=fffffa8007113920 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0         nv up ei pl nz ac po nc
    nt!ExFreePoolWithTag+0x212:
    fffff800`045c0fa2 ff411c          inc     dword ptr [rcx+1Ch] ds:0980:fffff8e0`009e99bc=????????
    Resetting default scope

    LAST_CONTROL_TRANSFER:  from fffff8000443b8af to fffff80004494fc0

    STACK_TEXT:  
    fffff880`07b24588 fffff800`0443b8af : 00000000`00000050 fffff8e0`009e99bc 00000000`00000001 fffff880`07b246f0 : nt!KeBugCheckEx
    fffff880`07b24590 fffff800`044930ee : 00000000`00000001 fffff8e0`009e99bc fffffa80`05089d00 fffffa80`05d4c160 : nt! ?? ::FNODOBFM::`string'+0x437c1
    fffff880`07b246f0 fffff800`045c0fa2 : fffffa80`06600980 00000000`00000000 fffffa80`03f36ed0 ffffffff`ffd9da05 : nt!KiPageFault+0x16e
    fffff880`07b24880 fffff800`044a98de : 00000000`00000001 fffff800`04497e7a fffffa80`20206f49 fffffa80`06d119e0 : nt!ExFreePoolWithTag+0x212
    fffff880`07b24930 fffff800`04487a37 : 00000000`00000000 00000000`00000000 fffffa80`073e2b00 fffff880`07b24ca0 : nt!IopCompleteRequest+0x5ce
    fffff880`07b24a00 fffff800`0448ac3d : fffff800`0460a840 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiDeliverApc+0x1c7
    fffff880`07b24a80 fffff800`0449bd8f : 00000000`00000468 00000000`7ef9b000 fffff880`0000002e 00000000`035ff118 : nt!KiCommitThreadWait+0x3dd
    fffff880`07b24b10 fffff800`04786fde : 00000000`740a2400 00000000`00000006 00000000`00000001 00000000`7ef9b001 : nt!KeWaitForSingleObject+0x19f
    fffff880`07b24bb0 fffff800`04494253 : fffffa80`07289060 00000000`00000000 fffff880`07b24bf8 fffffa80`07021e50 : nt!NtWaitForSingleObject+0xde
    fffff880`07b24c20 00000000`740a2e09 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
    00000000`035ff0f8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x740a2e09


    STACK_COMMAND:  kb

    FOLLOWUP_IP: 
    nt!ExFreePoolWithTag+212
    fffff800`045c0fa2 ff411c          inc     dword ptr [rcx+1Ch]

    SYMBOL_STACK_INDEX:  3

    SYMBOL_NAME:  nt!ExFreePoolWithTag+212

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: nt

    IMAGE_NAME:  ntkrnlmp.exe

    DEBUG_FLR_IMAGE_TIMESTAMP:  503f82be

    FAILURE_BUCKET_ID:  X64_0x50_nt!ExFreePoolWithTag+212

    BUCKET_ID:  X64_0x50_nt!ExFreePoolWithTag+212

    Followup: MachineOwner
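    A first-pass triage helper for a batch of saved !analyze -v reports like the one above, added here as an example and not part of the thread or of WinDbg: it pulls the bugcheck, crashing process, failure bucket and the modules named on the stack, then groups several dumps so a common process or non-Microsoft driver stands out. Both embedded reports are constructed (the first is a shortened copy of the one Lance1 posted, the second a hypothetical crash in a made-up exampledrv.sys).

```python
"""Added example (not from the thread): first-pass triage of several saved
WinDbg '!analyze -v' reports, to spot a crashing process, failure bucket
or non-Microsoft module shared across a run of BSODs."""
import re
from collections import Counter

FIELDS = ("BUGCHECK_STR", "PROCESS_NAME", "IMAGE_NAME", "FAILURE_BUCKET_ID")

# Constructed, shortened copy of the report quoted in the thread.
REPORT_A = """BUGCHECK_STR:  0x50
PROCESS_NAME:  netsession_win
STACK_TEXT:  
fffff880`07b24588 fffff800`0443b8af : 00000000`00000050 fffff8e0`009e99bc 00000000`00000001 fffff880`07b246f0 : nt!KeBugCheckEx
fffff880`07b24880 fffff800`044a98de : 00000000`00000001 fffff800`04497e7a fffffa80`20206f49 fffffa80`06d119e0 : nt!ExFreePoolWithTag+0x212
00000000`035ff0f8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x740a2e09

IMAGE_NAME:  ntkrnlmp.exe
FAILURE_BUCKET_ID:  X64_0x50_nt!ExFreePoolWithTag+212
"""
# Constructed second report with a hypothetical third-party driver on the stack.
REPORT_B = """BUGCHECK_STR:  0xD1
PROCESS_NAME:  netsession_win
STACK_TEXT:  
fffff880`03b1a000 fffff800`0443b8af : 00000000`000000d1 00000000`00000000 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffff880`03b1a100 fffff880`04c0a123 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : exampledrv!ProcessPacket+0x7b

IMAGE_NAME:  exampledrv.sys
FAILURE_BUCKET_ID:  X64_0xD1_exampledrv!ProcessPacket+7b
"""

def parse_analyze(text):
    """Return the triage fields plus the modules named in STACK_TEXT."""
    info = {}
    for name in FIELDS:
        m = re.search(r"^%s:\s+(\S+)" % name, text, re.M)
        if m:
            info[name] = m.group(1)
    # STACK_TEXT runs until the first blank line; each frame ends ': module!symbol'.
    stack = re.search(r"^STACK_TEXT:.*?\n(.*?)\n\s*\n", text, re.M | re.S)
    frames = stack.group(1).splitlines() if stack else []
    symbols = [f.rsplit(" : ", 1)[-1].strip() for f in frames]
    info["modules"] = sorted({s.split("!")[0] for s in symbols if "!" in s})
    info["third_party"] = [m for m in info["modules"] if m != "nt"]
    return info

def triage(reports):
    """Group a batch of reports by what is most likely shared between crashes."""
    parsed = [parse_analyze(r) for r in reports]
    return {
        "by_process": Counter(p.get("PROCESS_NAME", "?") for p in parsed),
        "by_bucket": Counter(p.get("FAILURE_BUCKET_ID", "?") for p in parsed),
        "third_party": sorted({m for p in parsed for m in p["third_party"]}),
    }
```

    Run triage([REPORT_A, REPORT_B]) to see both dumps attributed to netsession_win with only the hypothetical exampledrv flagged as a non-Microsoft module; the real report has nothing but nt on the stack, which matches "Could not read faulting driver name" above.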
     
  7. valis

    valis Moderator

    Joined:
    Sep 24, 2004
    Messages:
    76,921
    thanks, Lance. :)
     
  8. bjmar13

    bjmar13 Thread Starter

    Joined:
    Feb 25, 2013
    Messages:
    14
    I thought my first post had the decoded information from the dump files. I used BlueScreenView to generate an HTML grid of the issues in my first post.
     
  9. bjmar13

    bjmar13 Thread Starter

    Joined:
    Feb 25, 2013
    Messages:
    14
    Also, thanks Lance1.

    Eagerly awaiting your advice.
     
  10. bjmar13

    bjmar13 Thread Starter

    Joined:
    Feb 25, 2013
    Messages:
    14
    So the second I post this, I'm sure to get a BSOD, but since I uninstalled that damn program, I haven't had a BSOD.

    Still, it seems a bit odd that just a rogue program could cause all the different types of BSODs. Hopefully I didn't miss anything else (drivers, etc.).
     
  11. Lance1

    Lance1

    Joined:
    Aug 4, 2003
    Messages:
    5,613
    Hi bjmar13. I just plopped in my chair and will start looking through those files. I'll let you know what I find in a bit.
     
  12. Lance1

    Lance1

    Joined:
    Aug 4, 2003
    Messages:
    5,613
    OK. I found some issues, #1

    garminlifetime.exe Garmin Lifetime Updater for GPS. This is a legitimate app. Look into the Garmin Site and see if there are updates to the app.

    #2

    services.exe This is the Services Control Manager, which is responsible for running, ending, and interacting with system services. In some cases, services.exe is a virus, spyware, trojan or worm! If it is, the folks in the malware section of TSG should and will help with this.

    #3

    svchost.exe is in most cases a system process which hosts Windows Services. On the other hand, some threats use the svchost.exe filename to cloak their own process in Task Manager. Svchost.exe should live in C:\WINDOWS\System32; use Task Manager / Processes to see if it is in any other location. If it is, then it is most likely a threat and the malware folks will come in.

    #5

    This one is another Garmin Lifetime Updater from #1

    #6

    avgnsa.exe This is your AVG Online Shield Service. What version of AVG are you running?

    Ok, some are suspicious so I am going to ask a malware specialist to look into this post. Please be very patient, they are busy and will respond to this post.
     
  13. Lance1

    Lance1

    Joined:
    Aug 4, 2003
    Messages:
    5,613
    OK! I asked a specialist to assist in this post. Again, be patient. Please watch your post.
     
  14. bjmar13

    bjmar13 Thread Starter

    Joined:
    Feb 25, 2013
    Messages:
    14
    Thanks Lance. I've made sure to update all the programs you've mentioned, and looked into my running svchost and services.exe.

    Still no BSOD since I uninstalled the first program you mentioned!
     
  15. Mark1956

    Mark1956

    Joined:
    May 7, 2011
    Messages:
    14,142
    As most of the BSODs happened within an hour of uptime, it sounds like you have fixed it.

    But, as there is one Crash Dump that could be related to a Rootkit infection it would be wise to run a couple of scans just to be sure. There is a possibility that Crash was caused by the item you have removed, we will see what the scans tell us.

    STEP 1
    NOTE: If you have already used Combofix please delete the icon from your desktop.

    • Please download DeFogger and save it to your desktop.
    • Once downloaded, double-click on the DeFogger icon to start the tool.
    • The application window will appear.
    • You should now click on the Disable button to disable your CD Emulation drivers.
    • When it prompts you whether or not you want to continue, please click on the Yes button to continue.
    • When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
    • If CD Emulation programs are present and have been disabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.



    STEP 2
    Please download ComboFix from one of the locations below and save it to your Desktop. <-Important!!!


    Be sure to print out and follow these instructions: A guide and tutorial on using ComboFix

    Vista/Windows 7 users can skip the Recovery Console instructions and use the Windows DVD to boot into the Vista Recovery Environment or Windows 7 System Recovery Options if something goes awry. If you do not have a Windows 7 DVD then please create a Windows 7 Repair Disc. XP users need to install the Recovery Console first.

    • Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Click this link to see a list of such programs and how to disable them.
    • If ComboFix detects an older version of itself, you will be asked to update the program.
    • ComboFix will begin by showing a Disclaimer. Read it and click I Agree if you want to continue.
    • Follow the prompts and click on Yes to continue scanning for malware.
    • If using Windows 7 or Vista and you receive a UAC prompt asking if you want to continue running the program, you should press the Continue button.
    • When finished, please copy and paste the contents of C:\ComboFix.txt (which will open after reboot) in your next reply.
    • Be sure to re-enable your anti-virus and other security programs.

    -- Do not touch your mouse/keyboard until the ComboFix scan has completed, as this may cause the process to stall or the computer to lock.
    -- ComboFix will temporarily disable your desktop, and if interrupted may leave it disabled. If this occurs, please reboot to restore it.
    -- ComboFix disables autorun of all CD, floppy and USB devices to assist with malware removal and increase security.


    If you no longer have access to your Internet connection after running ComboFix, please reboot to restore it. If that does not restore the connection, then follow the instructions for Manually restoring the Internet connection provided in the "How to Guide" you printed out earlier. Those instructions only apply to XP, for Vista and Windows 7 go here: Internet connection repair

    NOTE: if you see a message like this when you attempt to open anything after the reboot "Illegal Operation attempted on a registry key that has been marked for deletion" please reboot the system again and the warning should not return.

    ====================================================================


    Please follow the instructions exactly as written, deviating from the instructions and trying to fix anything before I have seen the logs may make your PC unbootable. If TDSSKiller does not offer the Cure option DO NOT select delete as you may remove files needed for the system to operate.

    Please download Kaspersky's TDSSKiller and save it to your Desktop. <-Important!
    -- The tool is frequently updated...if you used TDSSKiller before, delete that version and download the most current one before using again.

    Be sure to print out and follow the instructions for performing a scan.

    • Extract (unzip) the file to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the Desktop.
    • Alternatively, you can download TDSSKiller.exe and use that instead.
    • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
      Vista/Windows 7 users right-click and select Run As Administrator.
    • If an update is available, TDSSKiller will prompt you to update and download the most current version. Click Load Update. Close TDSSKiller and start again.


    • When the program opens, click the Change parameters.

    • Under "Additional options", check the boxes next to Verify file digital signatures and Detect TDLFS file system, then click OK.

    • Click the Start Scan button.

    • Do not use the computer during the scan
    • If the scan completes with nothing found, click Close to exit.
    • If 'Suspicious objects' are detected, the default action will be Skip. Leave the default set to Skip and click on Continue.
    • If Malicious objects are detected, they will show in the Scan results - Select action for found objects: and offer three options.

    • Ensure Cure is selected...then click Continue -> Reboot computer for cure completion.

    • Important! -> If Cure is not available, please choose Skip instead. Do not choose Delete unless instructed. If you choose Delete you may remove critical system files and make your PC unstable or possibly unbootable.
    • A log file named TDSSKiller_version_date_time_log.txt will be created and saved to the root directory (usually Local Disk C: ).
    • Copy and paste the contents of that file in your next reply.

    -- If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it to something else before beginning the download and saving to the computer or to perform the scan in "safe mode".
     

Short URL to this thread: https://techguy.org/1090979
