Blue Screen Of Death 2


30 replies to this topic

#1 Booman

  • Banned
  • 525 posts
  • Gender:Male

Posted 06 April 2008 - 02:21 PM

Alright...I did a virus scan with Avast! Pro and then I looked at my task manager and the same amounts of one file kept on running...I went to terminate them...they were numbers.. like 1234.exe...then I got the BSOD...I ran the Microsoft Debugging Tools and here is what it found..

Microsoft ® Windows Debugger Version 6.8.0004.0 X86
Copyright © Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini040608-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055a620
Debug session time: Sun Apr 6 14:56:48.984 2008 (GMT-4)
System Uptime: 0 days 3:04:04.529
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Loading Kernel Symbols
........................................................................................................................................
Loading User Symbols
Loading unloaded module list
................................................
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000008E, {c0000005, 80563ed6, b8f9fc30, 0}

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

*** WARNING: Unable to verify timestamp for aswSP.SYS
*** ERROR: Module load completed but symbols could not be loaded for aswSP.SYS
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************


Probably caused by : aswSP.SYS ( aswSP+792f )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 80563ed6, The address that the exception occurred at
Arg3: b8f9fc30, Trap Frame
Arg4: 00000000

Debugging Details:
------------------

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************



MODULE_NAME: aswSP

FAULTING_MODULE: 804d7000 nt

DEBUG_FLR_IMAGE_TIMESTAMP: 47ed2d83

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
nt+8ced6
80563ed6 3b5138 cmp edx,dword ptr [ecx+38h]

TRAP_FRAME: b8f9fc30 -- (.trap 0xffffffffb8f9fc30)
ErrCode = 00000000
eax=00000003 ebx=0000000c ecx=00000000 edx=0000000c esi=8499b408 edi=b8f9fd38
eip=80563ed6 esp=b8f9fca4 ebp=b8f9fca4 iopl=0 nv up ei pl nz ac pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010216
nt+0x8ced6:
80563ed6 3b5138 cmp edx,dword ptr [ecx+38h] ds:0023:00000038=????????
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: WRONG_SYMBOLS

BUGCHECK_STR: 0x8E

LAST_CONTROL_TRANSFER: from 80563f25 to 80563ed6

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
b8f9fca4 80563f25 00000000 0000000c 8499b408 nt+0x8ced6
b8f9fcc8 80563fa8 00000000 0000000c b8f9fd01 nt+0x8cf25
b8f9fcf0 ee4e692f 0000000c 00000000 00000000 nt+0x8cfa8
b8f9fd40 804de7ec 00000088 0000000c ffffffff aswSP+0x792f
b8f9fd64 7c90eb94 badb0d00 00136f4c eb427d98 nt+0x77ec
b8f9fd68 badb0d00 00136f4c eb427d98 eb427dcc 0x7c90eb94
b8f9fd6c 00136f4c eb427d98 eb427dcc 00000000 0xbadb0d00
b8f9fd70 eb427d98 eb427dcc 00000000 00000000 0x136f4c
b8f9fd74 eb427dcc 00000000 00000000 00000000 0xeb427d98
b8f9fd78 00000000 00000000 00000000 00000000 0xeb427dcc


STACK_COMMAND: kb

FOLLOWUP_IP:
aswSP+792f
ee4e692f ?? ???

SYMBOL_STACK_INDEX: 3

SYMBOL_NAME: aswSP+792f

FOLLOWUP_NAME: MachineOwner

IMAGE_NAME: aswSP.SYS

BUCKET_ID: WRONG_SYMBOLS

Followup: MachineOwner
---------


What I don't know is.... is aswSP.SYS an Avast file? idk if it's malware or not....
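As an added example (my own code, not from anyone in this thread): a small Python triage helper that parses a WinDbg !analyze -v transcript like the one posted above, pulls out the bugcheck, the modules whose symbols failed to load and the stack, and explains why the "Probably caused by" line cannot be trusted until the symbol problem is fixed. The sample transcript is trimmed from the output above; treating a fault address below 0x10000 as a NULL pointer plus a field offset is my assumption.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: trimmed from the WinDbg transcript posted in this thread.
SAMPLE = """\
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
BugCheck 1000008E, {c0000005, 80563ed6, b8f9fc30, 0}
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
*** ERROR: Module load completed but symbols could not be loaded for aswSP.SYS
Probably caused by : aswSP.SYS ( aswSP+792f )
FAULTING_MODULE: 804d7000 nt
eax=00000003 ebx=0000000c ecx=00000000 edx=0000000c esi=8499b408 edi=b8f9fd38
80563ed6 3b5138 cmp edx,dword ptr [ecx+38h] ds:0023:00000038=????????
STACK_TEXT:
b8f9fca4 80563f25 00000000 0000000c 8499b408 nt+0x8ced6
b8f9fcf0 ee4e692f 0000000c 00000000 00000000 nt+0x8cfa8
b8f9fd40 804de7ec 00000088 0000000c ffffffff aswSP+0x792f
b8f9fd68 badb0d00 00136f4c eb427d98 eb427dcc 0x7c90eb94
BUCKET_ID: WRONG_SYMBOLS
"""

@dataclass
class Triage:
    bugcheck: str = ""
    args: List[int] = field(default_factory=list)
    probably_caused_by: Optional[str] = None  # image WinDbg blames
    faulting_module: Optional[str] = None     # module that contains the faulting IP
    symbols_missing: List[str] = field(default_factory=list)
    wrong_symbols: bool = False
    fault_address: Optional[int] = None       # effective address of the bad data access
    stack_modules: List[str] = field(default_factory=list)  # distinct modules, stack order

# kb frame: ChildEBP RetAddr Args-to-Child(x3) Symbol
FRAME = re.compile(r"^[0-9a-f]{8}(?:\s+[0-9a-f]{8}){4}\s+(\S+)$")

def parse_analyze(text: str) -> Triage:
    def grab(pat):  # first capture group of a line-anchored match, or None
        m = re.search(pat, text, re.M)
        return m.group(1) if m else None
    t = Triage()
    t.bugcheck = (grab(r"^BugCheck ([0-9A-Fa-f]+),") or "").upper()
    args = grab(r"^BugCheck [0-9A-Fa-f]+, \{([^}]*)\}")
    t.args = [int(a, 16) for a in args.split(",")] if args else []
    t.probably_caused_by = grab(r"^Probably caused by : (\S+)")
    t.faulting_module = grab(r"^FAULTING_MODULE: [0-9a-f]+ (\S+)")
    t.symbols_missing = re.findall(r"symbols could not be loaded for (\S+)", text)
    t.wrong_symbols = "Kernel symbols are WRONG" in text or "WRONG_SYMBOLS" in text
    # The disassembly line names the data access that faulted: ds:0023:00000038=????????
    addr = grab(r"\bds:[0-9a-f]{4}:([0-9a-f]{8})=")
    t.fault_address = int(addr, 16) if addr else None
    for fm in filter(None, map(FRAME.match, text.splitlines())):
        mod = fm.group(1).split("+", 1)[0] if "+" in fm.group(1) else "?"  # "?" = unresolved bare address
        if mod not in t.stack_modules:
            t.stack_modules.append(mod)
    return t

def verdict(t: Triage) -> List[str]:
    notes = []
    if t.bugcheck == "1000008E" and t.args[:1] == [0xC0000005]:
        notes.append("0x8E with c0000005: unhandled access violation in kernel mode")
    if t.fault_address is not None and t.fault_address < 0x10000:  # assumption: NULL + field offset
        notes.append(f"bad read at 0x{t.fault_address:08x}: NULL structure pointer plus offset")
    if t.wrong_symbols or t.symbols_missing:
        notes.append("symbols unresolved for %s; stack walk and 'Probably caused by' are not trustworthy yet"
                     % ", ".join(t.symbols_missing))
    if t.faulting_module and t.probably_caused_by and not t.probably_caused_by.lower().startswith(t.faulting_module.lower()):
        notes.append(f"fault IP is inside {t.faulting_module}; {t.probably_caused_by} is blamed only via the (unreliable) stack")
    return notes
```

Run verdict(parse_analyze(SAMPLE)) to see the four findings for the transcript above; feed it a transcript saved from WinDbg after the symbol path is fixed and the symbol warnings disappear from the output.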


#2 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 06 April 2008 - 03:22 PM

You need to fix this before we can look at the debug information:

*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe


Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#3 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 06 April 2008 - 03:24 PM

And yes, that is an avast driver file.

Billy3

#4 Booman
  • Topic Starter

  • Banned
  • 525 posts
  • Gender:Male

Posted 06 April 2008 - 04:27 PM

*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe

How exactly do I fix that?

#5 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 06 April 2008 - 06:10 PM

Sorry.. I had to find it myself ;)

See this post: http://forums.majorgeeks.com/showthread.php?t=35246
Billy3

#6 Booman
  • Topic Starter

  • Banned
  • 525 posts
  • Gender:Male

Posted 06 April 2008 - 06:19 PM

This is how I did it...from that post!..lol

#7 usasma

    Still visually handicapped (avatar is memory developed by my Dad

  • BSOD Kernel Dump Expert
  • 25,091 posts
  • Gender:Male
  • Location:Southeastern CT, USA

Posted 06 April 2008 - 06:27 PM

This is the part that has to be re-done:

Once you have downloaded and installed these tools, go to Start, All Programs, Debugging Tools For Windows, Windbg. Once you open Windbg, you will be presented with a blank screen. Click on File, Symbol File Path. Here you will enter the symbols path. Symbols are needed to effectively debug.

The path will be:

SRV*c:\symbols*http://msdl.microsoft.com/download/symbols

Enter in this path and click OK. Now, go to File, Save Workspace so that your symbols path is saved for future use.


My browser caused a flood of traffic, so my IP address was banned. Hope to fix it soon. Will get back to posting as soon as I'm able.

- John (my website: http://www.carrona.org/ ) **If you need a more detailed explanation, please ask for it. I have the Knack.** If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficulty reading posts. (23 Nov 2017) FYI - I am completely blind in the right eye and ~30% blind in the left eye. If the eye problems get worse suddenly, I may not be able to respond. If that's the case and help is needed, please PM a staff member for assistance.

#8 Booman
  • Topic Starter

  • Banned
  • 525 posts
  • Gender:Male

Posted 06 April 2008 - 06:31 PM

I seriously did that, I swear by god....

#9 Booman
  • Topic Starter

  • Banned
  • 525 posts
  • Gender:Male

Posted 06 April 2008 - 06:36 PM

I did it and it's saying it's wrong....there is nothing I can do about it sir



Microsoft ® Windows Debugger Version 6.8.0004.0 X86
Copyright © Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini040608-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055a620
Debug session time: Sun Apr 6 14:56:48.984 2008 (GMT-4)
System Uptime: 0 days 3:04:04.529
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Loading Kernel Symbols
........................................................................................................................................
Loading User Symbols
Loading unloaded module list
................................................
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000008E, {c0000005, 80563ed6, b8f9fc30, 0}

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

*** WARNING: Unable to verify timestamp for aswSP.SYS
*** ERROR: Module load completed but symbols could not be loaded for aswSP.SYS
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************


Probably caused by : aswSP.SYS ( aswSP+792f )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 80563ed6, The address that the exception occurred at
Arg3: b8f9fc30, Trap Frame
Arg4: 00000000

Debugging Details:
------------------

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************



MODULE_NAME: aswSP

FAULTING_MODULE: 804d7000 nt

DEBUG_FLR_IMAGE_TIMESTAMP: 47ed2d83

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
nt+8ced6
80563ed6 3b5138 cmp edx,dword ptr [ecx+38h]

TRAP_FRAME: b8f9fc30 -- (.trap 0xffffffffb8f9fc30)
ErrCode = 00000000
eax=00000003 ebx=0000000c ecx=00000000 edx=0000000c esi=8499b408 edi=b8f9fd38
eip=80563ed6 esp=b8f9fca4 ebp=b8f9fca4 iopl=0 nv up ei pl nz ac pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010216
nt+0x8ced6:
80563ed6 3b5138 cmp edx,dword ptr [ecx+38h] ds:0023:00000038=????????
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: WRONG_SYMBOLS

BUGCHECK_STR: 0x8E

LAST_CONTROL_TRANSFER: from 80563f25 to 80563ed6

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
b8f9fca4 80563f25 00000000 0000000c 8499b408 nt+0x8ced6
b8f9fcc8 80563fa8 00000000 0000000c b8f9fd01 nt+0x8cf25
b8f9fcf0 ee4e692f 0000000c 00000000 00000000 nt+0x8cfa8
b8f9fd40 804de7ec 00000088 0000000c ffffffff aswSP+0x792f
b8f9fd64 7c90eb94 badb0d00 00136f4c eb427d98 nt+0x77ec
b8f9fd68 badb0d00 00136f4c eb427d98 eb427dcc 0x7c90eb94
b8f9fd6c 00136f4c eb427d98 eb427dcc 00000000 0xbadb0d00
b8f9fd70 eb427d98 eb427dcc 00000000 00000000 0x136f4c
b8f9fd74 eb427dcc 00000000 00000000 00000000 0xeb427d98
b8f9fd78 00000000 00000000 00000000 00000000 0xeb427dcc


STACK_COMMAND: kb

FOLLOWUP_IP:
aswSP+792f
ee4e692f ?? ???

SYMBOL_STACK_INDEX: 3

SYMBOL_NAME: aswSP+792f

FOLLOWUP_NAME: MachineOwner

IMAGE_NAME: aswSP.SYS

BUCKET_ID: WRONG_SYMBOLS

Followup: MachineOwner
---------

#10 Booman
  • Topic Starter

  • Banned
  • 525 posts
  • Gender:Male

Posted 06 April 2008 - 06:38 PM

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols


see?

#11 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 06 April 2008 - 06:54 PM

Do you have a firewall enabled that may be preventing the debugger from getting to the site online?

If so, see if you can allow the debugger through it.

Billy3

#12 Booman
  • Topic Starter

  • Banned
  • 525 posts
  • Gender:Male

Posted 06 April 2008 - 06:57 PM

Only thing I have is Avast....Windows Defender...and Windows Firewall

#13 usasma

    Still visually handicapped (avatar is memory developed by my Dad

  • BSOD Kernel Dump Expert
  • 25,091 posts
  • Gender:Male
  • Location:Southeastern CT, USA

Posted 06 April 2008 - 07:23 PM

I suspect that the debugger is complaining about another set of symbols - from this reference:

Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information.


Anyhow, the Avast is where the crash is occurring - whether it's the Avast itself, another problem, or malware remains to be seen. The first thing to do would be to download a fresh copy of Avast, then uninstall the current copy (Control Panel (Classic View)...Programs and Features), reboot, then install the freshly downloaded copy. Immediately update it and do a full system scan and let us know what happens.

#14 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 06 April 2008 - 07:40 PM

Here, you can send me the minidump and I can see if I can get it working...

http://billy-oneal.com/fileUpload/

Billy3

#15 Booman
  • Topic Starter

  • Banned
  • 525 posts
  • Gender:Male

Posted 06 April 2008 - 08:09 PM

File uploaded...and I did the reinstall and the update and scan and a trojan was found...and I deleted it



