BleepingComputer.com: BSOD on shutdown

I have this annoying BSOD at every shutdown.


Microsoft ® Windows Debugger Version 6.9.0003.113 X86
Copyright © Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini061410-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols

Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_qfe.100216-1510
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055b1c0
Debug session time: Mon Jun 14 13:18:13.484 2010 (GMT+2)
System Uptime: 0 days 8:41:28.037
Loading Kernel Symbols
...........................................................................................................................................
Loading User Symbols
Loading unloaded module list
...........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000007E, {c0000005, 80657613, f7c21bc8, f7c218c4}

Probably caused by : ntoskrnl.exe ( nt!HvShiftCell+10 )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 80657613, The address that the exception occurred at
Arg3: f7c21bc8, Exception Record Address
Arg4: f7c218c4, Context Record Address

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
nt!HvShiftCell+10
80657613 8b4804 mov ecx,dword ptr [eax+4]

EXCEPTION_RECORD: f7c21bc8 -- (.exr 0xfffffffff7c21bc8)
ExceptionAddress: 80657613 (nt!HvShiftCell+0x00000010)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000004
Attempt to read from address 00000004

CONTEXT: f7c218c4 -- (.cxr 0xfffffffff7c218c4)
eax=00000000 ebx=e4510b60 ecx=7fff9fff edx=e4510c3c esi=e11b0c84 edi=e54d3030
eip=80657613 esp=f7c21c90 ebp=f7c21c90 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!HvShiftCell+0x10:
80657613 8b4804 mov ecx,dword ptr [eax+4] ds:0023:00000004=????????
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: System

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

READ_ADDRESS: 00000004

BUGCHECK_STR: 0x7E

DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE

LAST_CONTROL_TRANSFER: from 80656880 to 80657613

STACK_TEXT:
f7c21c90 80656880 e4510b60 ffff9fff e54d3030 nt!HvShiftCell+0x10
f7c21cac 80656e04 e4510b60 e1035b60 00002c80 nt!CmpShiftKey+0x41
f7c21cdc 80656fb6 e4510b60 e1035b60 00000003 nt!CmpShiftAllCells2+0x63
f7c21d04 80657077 0000007e e1035b60 e1035fe8 nt!CmpShiftAllCells+0x97
f7c21d20 80654a9d e1035b60 00d36000 00000000 nt!CmpShiftHiveFreeBins+0x94
f7c21d48 8065283d e1035b60 80560ab0 00000001 nt!CmCompressKey+0xba
f7c21d60 80665783 805622c0 88bc5640 00000000 nt!CmShutdownSystem+0x6a
f7c21d74 804e427b 00000000 00000000 88bc5640 nt!PopGracefulShutdown+0xdf
f7c21dac 8057b0df 00000000 00000000 00000000 nt!ExpWorkerThread+0x100
f7c21ddc 804f88fa 804e41a6 00000000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


FOLLOWUP_IP:
nt!HvShiftCell+10
80657613 8b4804 mov ecx,dword ptr [eax+4]

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: nt!HvShiftCell+10

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntoskrnl.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 4b7a94f1

STACK_COMMAND: .cxr 0xfffffffff7c218c4 ; kb

FAILURE_BUCKET_ID: 0x7E_nt!HvShiftCell+10

BUCKET_ID: 0x7E_nt!HvShiftCell+10

Followup: MachineOwner
---------


It's absolutely nothing hardware related. Why? Because I cloned this system on two
pc (identical hardware) and they have the same problem with the same data (minidump are
identical ... event the exception address.
I would be (almost) impossibile to have a memory problem at the same address on two pc ....

EDIT: Malware Removal Log split from this topic, posted in MRL ~ Hamluis.

This post has been edited by hamluis: 20 June 2010 - 01:04 PM

well, I can add I did a clean system boot using msconfig .. I also disabled all the services: problem persisted.
I tried to disabled microsoft services too (not the indispensable ones): problem is still there.

safe mode too.
Problem not solved.

So, I think .. it's probably one of the "essential drivers" ... there are not other explanations.

FWIW: c0000005 is just a generic "access violation" message, may often involve malware.

http://www.updatexp.com/0xC0000005.html

Shutdown issues are very common, I view them as the end results of whatever clues are revealed in error messages.

Info on 7E STOP error messages:

0x0000007E: SYSTEM_THREAD_EXCEPTION_NOT_HANDLED
A system thread generated an exception which the error handler did not catch. There are numerous individual causes for this problem, including hardware incompatibility, a faulty device driver or system service, or some software issues. Check Event Viewer (EventVwr.msc) for additional information.

Let's try this...

Download/install BlueScreenView, http://www.nirsoft.net/utils/blue_screen_view.html.

Double-click BlueScreenView.exe file.

When scanning is done, Edit/Select All...then File/Save Selected Items. Save the report as BSOD.txt.

Open BSOD.txt in Notepad, copy all content, and paste it into your next reply.

You might also take a look in Event Viewer...looking for errors that occur in same timeframe as your BSODs.

How To Use Event Viewer - http://www.bleepingcomputer.com/forums/topic40108.html

Louis

This post has been edited by hamluis: 14 June 2010 - 11:41 AM

done.

I guess I don't understand why there's only 1 error portrayed...my understanding is that a BSOD is generated with each shutdown. Unless you've only shut down your system one time...there ought to be more errors reflected.

In the meantime...you may want to do a series of scans on your system...starting with your installed AV program, followed by SUPERAntiSpyware and (possibly) Malwarebytes.

Louis

I'm sorry .... I cancelled the other minidumps.
However I can confirm that the message is identical in all of them.

Regarding virus and malware I can exclude completely the issue.

I run combofix yesterday and I did two days ago
a scan with avira bootable cd, kaspersky bootable cd,
bitdefender bootable cd and avg bootable cd.

This week I have also scan the system with gmer, rootrepeal
and helios lite. I tried malwarebytes and prevx too.

It's absolutely and completely clean. No hidden drivers,
no hooks.

This problem has been going on for some time .... I get rid of it
time ago disabling some microsoft services ...but the same configuration
now don't make the job.

it's a weird situation ... I have my experience with
various problem as rootkit but bsod in general ... this time
I don't know what to do.

PC however crashes only at shutdown ... it works perfectly the rest of the time.

mmm ... eventually this look a bit strange to me:
ntoskrnl.exe, file version: 5.1.2600.5938 (xpsp_sp3_qfe.100216-1510)

could you check it out if these is the latest version
of the file?

Because, I found reference to this
version only on .ru and .cn website ...

and this is no good at all ...

so, I downloaded the latest patch involving ntoskernel.exe for windows XP
from microsoft (KB979683).
I'm not sure my procedure is correct, but if I open the patch with winrar,
extract the file and calculate the MD5 I obtain D41C3CBAD0E1C0728D1CDFD541F60CFA.
The one installed in my system had an MD5 of E1F653A542449D54FA2D27463D99B6B6.

I tried to reinstall the patch and and a reboot the MD5 remain E1F653A542449D54FA2D27463D99B6B6.

However I don't know microsoft patching procedure .... maybe they modifie
the file on the fly .... so I am not sure it's a real issue or not.

Could someone with an updated XP SP3 check ithe correct MD5?

ops

ops

ops

no hope ...

The OTL log you submitted...has been submitted as a malware topic, http://www.bleepingcomputer.com/forums/topic325871.html.

From this point on, please take all instructions from the BC Staff personnel in the Malware Removal Logs forum.

To prevent further confusion, I am now closing this thread.

Good luck .

Louis

This post has been edited by hamluis: 20 June 2010 - 01:04 PM