Need help from Heir, virus causing computer to freeze and cause blue s
Started by groch, Apr 26 2013 03:33 PM
#121
Posted 24 June 2013 - 07:03 AM
#122
Posted 24 June 2013 - 07:59 PM
I believe it's still enabled. I'm out of town; I'll check when I get back.
#123
Posted 03 July 2013 - 03:02 PM
Hello again Essexboy
I returned home, downloaded the Windows Debugger tool and analyzed the last Windows minidump.
The results are attached. Might you or your colleagues be able to help with these results?
Microsoft ® Windows Debugger Version 6.12.0002.633 AMD64
Copyright © Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Windows\Minidump\062613-41917-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*C:\debug_symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7601.18113.amd64fre.win7sp1_gdr.130318-1533
Machine Name:
Kernel base = 0xfffff800`03805000 PsLoadedModuleList = 0xfffff800`03a48670
Debug session time: Tue Jun 25 10:32:22.743 2013 (UTC - 5:00)
System Uptime: 0 days 0:00:34.413
Loading Kernel Symbols
..............................................Unable to load image Unknown_Module_00000000`00000000, Win32 error 0n2
*** WARNING: Unable to verify timestamp for Unknown_Module_00000000`00000000
Unable to add module at 00000000`00000000
Loading User Symbols
Missing image name, possible paged-out or corrupt data.
Loading unloaded module list
.Missing image name, possible paged-out or corrupt data.
..Missing image name, possible paged-out or corrupt data.
.Missing image name, possible paged-out or corrupt data.
.Missing image name, possible paged-out or corrupt data.
..Missing image name, possible paged-out or corrupt data.
....
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck A, {fffff10003bb2d90, f, 0, fffff800038a4a0c}
Probably caused by : ntkrnlmp.exe ( nt!RtlLookupFunctionEntry+5c )
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: fffff10003bb2d90, memory referenced
Arg2: 000000000000000f, IRQL
Arg3: 0000000000000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff800038a4a0c, address which referenced memory
Debugging Details:
------------------
READ_ADDRESS: GetPointerFromAddress: unable to read from fffff80003ab2100
fffff10003bb2d90
CURRENT_IRQL: 0
FAULTING_IP:
nt!RtlLookupFunctionEntry+5c
fffff800`038a4a0c 65488b2c2520000000 mov rbp,qword ptr gs:[<Unloaded_Unknown_Module_00000000`00000000>+0x20 (00000000`00000020)]
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0xA
PROCESS_NAME: System
LAST_CONTROL_TRANSFER: from fffff800038836f9 to fffff880043779c2
STACK_TEXT:
fffff800`00b9cc58 fffff800`038836f9 : 00000000`002f90aa fffffa80`063a0568 fffff800`03a03cc0 00000000`00000002 : 0xfffff880`043779c2
fffff800`00b9cc60 fffff800`038728dc : fffff800`039f5e80 fffff800`00000000 00000000`00000000 fffff880`01264414 : nt!PoIdle+0x52a
fffff800`00b9cd40 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiIdleLoop+0x2c
STACK_COMMAND: .bugcheck ; kb
FOLLOWUP_IP:
nt!RtlLookupFunctionEntry+5c
fffff800`038a4a0c 65488b2c2520000000 mov rbp,qword ptr gs:[<Unloaded_Unknown_Module_00000000`00000000>+0x20 (00000000`00000020)]
SYMBOL_NAME: nt!RtlLookupFunctionEntry+5c
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 5147d9c6
FAILURE_BUCKET_ID: X64_0xA_nt!RtlLookupFunctionEntry+5c
BUCKET_ID: X64_0xA_nt!RtlLookupFunctionEntry+5c
Followup: MachineOwner
---------
#124
Posted 03 July 2013 - 03:17 PM
This is the June 21st minidump. The previous post was the June 26th minidump.
Microsoft ® Windows Debugger Version 6.12.0002.633 AMD64
Copyright © Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Windows\Minidump\062113-37081-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*C:\debug_symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7601.18113.amd64fre.win7sp1_gdr.130318-1533
Machine Name:
Kernel base = 0xfffff800`0381b000 PsLoadedModuleList = 0xfffff800`03a5e670
Debug session time: Fri Jun 21 07:25:41.368 2013 (UTC - 5:00)
System Uptime: 0 days 0:07:14.913
Loading Kernel Symbols
...............................................................
................................................................
..........................
Loading User Symbols
Loading unloaded module list
....
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck A, {fffff10003863b10, f, 0, fffff800038baa0c}
Probably caused by : ntkrnlmp.exe ( nt!RtlLookupFunctionEntry+5c )
Followup: MachineOwner
---------
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: fffff10003863b10, memory referenced
Arg2: 000000000000000f, IRQL
Arg3: 0000000000000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff800038baa0c, address which referenced memory
Debugging Details:
------------------
READ_ADDRESS: GetPointerFromAddress: unable to read from fffff80003ac8100
fffff10003863b10
CURRENT_IRQL: f
FAULTING_IP:
nt!RtlLookupFunctionEntry+5c
fffff800`038baa0c 65488b2c2520000000 mov rbp,qword ptr gs:[20h]
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0xA
PROCESS_NAME: System
TRAP_FRAME: fffff88002e7b340 -- (.trap 0xfffff88002e7b340)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=000000000000000f rbx=0000000000000000 rcx=fffff800038bd7e4
rdx=fffff800038bd860 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800038baa0c rsp=fffff88002e7b4d0 rbp=fffff88002e7b588
r8=fffff8000381b000 r9=0000000000000000 r10=fffff88000c400c4
r11=fffff88002e7b720 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz ac po cy
nt!RtlLookupFunctionEntry+0x5c:
fffff800`038baa0c 65488b2c2520000000 mov rbp,qword ptr gs:[20h] gs:00000000`00000020=????????????????
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff800038901a9 to fffff80003890c00
STACK_TEXT:
fffff880`02e7b1f8 fffff800`038901a9 : 00000000`0000000a fffff100`03863b10 00000000`0000000f 00000000`00000000 : nt!KeBugCheckEx
fffff880`02e7b200 fffff800`0388ee20 : fffff8a0`0cff4e40 00000000`00000001 00000000`00000000 fffff800`038afa13 : nt!KiBugCheckDispatch+0x69
fffff880`02e7b340 fffff800`038baa0c : fffffa80`040b6c10 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiPageFault+0x260
fffff880`02e7b4d0 fffff800`038ba1f0 : 00000000`00160016 fffff880`02e7b588 00000000`00000003 00000000`00000000 : nt!RtlLookupFunctionEntry+0x5c
fffff880`02e7b540 fffff800`038cb4d1 : fffff880`02e7c3f8 fffff880`02e7bc50 fffff880`00000000 00000000`00000000 : nt!RtlDispatchException+0xd0
fffff880`02e7bc20 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiDispatchException+0x135
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!RtlLookupFunctionEntry+5c
fffff800`038baa0c 65488b2c2520000000 mov rbp,qword ptr gs:[20h]
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: nt!RtlLookupFunctionEntry+5c
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 5147d9c6
FAILURE_BUCKET_ID: X64_0xA_nt!RtlLookupFunctionEntry+5c
BUCKET_ID: X64_0xA_nt!RtlLookupFunctionEntry+5c
Followup: MachineOwner
---------
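Added here as an example (not code from the thread, from WinDbg, or from either poster): a small Python script that pulls the bugcheck code, its arguments and the bucketing fields out of the two `!analyze -v` outputs above, decodes the 0xA arguments the way the analyzer's own text describes them, and reports whether the dumps land in the same failure bucket and symbol. The sample input is a constructed excerpt of the lines posted above; the function names are mine.

```python
import re
from collections import Counter

# Constructed sample input: the header and !analyze -v fields of the two minidumps
# pasted in this thread, trimmed to the lines the parser consumes (values as posted).
DUMPS = ["""\
Loading Dump File [C:\\Windows\\Minidump\\062613-41917-01.dmp]
BugCheck A, {fffff10003bb2d90, f, 0, fffff800038a4a0c}
CURRENT_IRQL: 0
PROCESS_NAME: System
SYMBOL_NAME: nt!RtlLookupFunctionEntry+5c
FAILURE_BUCKET_ID: X64_0xA_nt!RtlLookupFunctionEntry+5c
""", """\
Loading Dump File [C:\\Windows\\Minidump\\062113-37081-01.dmp]
BugCheck A, {fffff10003863b10, f, 0, fffff800038baa0c}
CURRENT_IRQL: f
PROCESS_NAME: System
SYMBOL_NAME: nt!RtlLookupFunctionEntry+5c
FAILURE_BUCKET_ID: X64_0xA_nt!RtlLookupFunctionEntry+5c
"""]

DUMPFILE_RE = re.compile(r"^Loading Dump File \[(.+?)\]", re.M)
BUGCHECK_RE = re.compile(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", re.M)
FIELD_RE = re.compile(
    r"^(CURRENT_IRQL|PROCESS_NAME|SYMBOL_NAME|MODULE_NAME|FAILURE_BUCKET_ID): (.+)$", re.M)

def parse_analysis(text):
    """Extract the bugcheck code, its four arguments and the bucketing fields from one dump."""
    m = BUGCHECK_RE.search(text)
    if not m:
        raise ValueError("no BugCheck line found")
    code = int(m.group(1), 16)
    args = [int(a.strip(), 16) for a in m.group(2).split(",")]
    fields = {k: v.strip() for k, v in FIELD_RE.findall(text)}
    f = DUMPFILE_RE.search(text)
    return {"file": f.group(1) if f else "?", "code": code, "args": args, **fields}

def decode_0xa(args):
    """Decode IRQL_NOT_LESS_OR_EQUAL's arguments as the analyzer text above describes them."""
    address, irql, bits, faulting_ip = args
    return {"address": address, "irql": irql, "faulting_ip": faulting_ip,
            "op": "write" if bits & 1 else "read", "execute": bool(bits & 8)}

def triage(texts):
    """Parse every dump and report whether they all share one failure bucket and symbol."""
    dumps = [parse_analysis(t) for t in texts]
    buckets = Counter(d.get("FAILURE_BUCKET_ID") for d in dumps)
    symbols = Counter(d.get("SYMBOL_NAME") for d in dumps)
    return {"count": len(dumps),
            "same_bucket": len(buckets) == 1, "bucket": buckets.most_common(1)[0][0],
            "same_symbol": len(symbols) == 1,
            "decoded": [decode_0xa(d["args"]) if d["code"] == 0xA else None for d in dumps]}

if __name__ == "__main__":
    r = triage(DUMPS)
    print(f"{r['count']} dumps, same bucket: {r['same_bucket']} ({r['bucket']})")
    for d in r["decoded"]:
        print(f"  IRQL {d['irql']:#x} {d['op']} of {d['address']:#x} at {d['faulting_ip']:#x}")
```

Two dumps bucketing to the same kernel symbol with the same 0xA arguments pattern is what makes the helper's request for a memory test reasonable; the script only surfaces that agreement, it does not attribute a cause.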
#125
Posted 03 July 2013 - 03:45 PM
OK, it will take me a bit to run through those.
#126
Posted 03 July 2013 - 04:10 PM
Thank you!
#127
Posted 04 July 2013 - 07:27 AM
Could you confirm that the shop ran Memtest when they checked it out, as the references are for a memory error?
#128
Posted 04 July 2013 - 07:51 AM
The shop invoice and their verbal communication indicated no hardware issues. But I don't know specifically what they used to check. Is it a Windows test I can run?
#129
Posted 04 July 2013 - 08:26 AM
Found Memtest86 from a Google search. Created a USB image and am currently running a test. Going to take a while, I see.
#130
Posted 04 July 2013 - 09:12 AM
Yes, you will need at least 9 passes, I am afraid.
#131
Posted 04 July 2013 - 09:50 AM
Oh my! We're at 2 passes and 90 minutes elapsed time. I'm sure it will test both CPUs.
#132
Posted 04 July 2013 - 03:52 PM
Do I let it run 9 passes or will it stop automatically after 9 passes?
#133
Posted 05 July 2013 - 05:59 AM
No, it will continue to run until you stop it. Has it detected any errors?
#134
Posted 05 July 2013 - 06:09 AM
No errors after 11 passes.
#135
Posted 05 July 2013 - 06:40 AM
Plus I had a unique start-up this morning following a Windows update last night. After the update, the computer shut down. This morning it would not boot to Windows, giving 4 fast beeps, repeating. It restarted in Recovery mode automatically after I powered off and back on, and froze in Recovery mode. It restarted in Safe mode successfully, then restarted normally, and is now up and running. I know there are codes for the beep messages; I'll research. Quite frustrating.