Computer Restarting


#1 captsparrow

captsparrow

  • Members
  • 35 posts
  • OFFLINE
  • Local time:09:07 PM

Posted 28 May 2008 - 10:17 AM

So my computer just restarted out of the blue, I'm a little scared because I just had to rebuild my computer because of the startup loop virus, and restarting was what was happening before.

I went to the Event Viewer and found this under SYSTEM under SAVE DUMP:
The computer has rebooted from a bugcheck. The bugcheck was: 0x100000c5 (0x000006a8, 0x00000002, 0x00000001, 0x8054c0b9). A dump was saved in: C:\WINDOWS\Minidump\Mini052808-01.dmp.

What exactly is a bugcheck?

#2 OldGrumpyBastard

OldGrumpyBastard

  • Members
  • 781 posts
  • OFFLINE
  • Location:"Way South of 'da Bridge"
  • Local time:11:07 PM

Posted 28 May 2008 - 10:45 AM

An explanation here:

http://en.wikipedia.org/wiki/Bug_check

As to the cause of the problem, the above topic mentions kernel drivers as the cause of these problems, but who knows, it may be something else altogether.
Does this look like an OldGrumpyBastard or what?

#3 usasma

usasma

    Still visually handicapped (avatar is memory developed by my Dad


  • BSOD Kernel Dump Expert
  • 25,090 posts
  • OFFLINE
  • Gender:Male
  • Location:Southeastern CT, USA
  • Local time:12:07 AM

Posted 28 May 2008 - 07:22 PM

Here's a description of the error: http://aumha.org/a/stop.php#0xc5
It's most often caused by driver issues - so I'd suggest reviewing any recent hardware additions to your system.
If there's nothing recent of note, then I'd suggest reading this link: http://forums.majorgeeks.com/showthread.php?t=35246
Then perform an analysis of the file located at: C:\WINDOWS\Minidump\Mini052808-01.dmp
Post the results here for us to have a look at.
My browser caused a flood of traffic, so my IP address was banned. Hope to fix it soon. Will get back to posting as soon as I'm able.

- John  (my website: http://www.carrona.org/ )**If you need a more detailed explanation, please ask for it. I have the Knack. **  If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficulty reading posts. (23 Nov 2017) FYI - I am completely blind in the right eye and ~30% blind in the left eye. If the eye problems get worse suddenly, I may not be able to respond. If that's the case and help is needed, please PM a staff member for assistance.

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:07 AM

Posted 28 May 2008 - 07:24 PM

http://forums.majorgeeks.com/showthread.php?t=35246
Follow the above instructions then paste the results into your next post so that we can take a look at it.

Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 captsparrow

captsparrow
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:09:07 PM

Posted 03 June 2008 - 05:47 PM

Sorry it took me all this time to get back to you. It crashed once more so I used that dump, here's the debugging info:
Microsoft ® Windows Debugger Version 6.9.0003.113 X86
Copyright © Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini060308-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp.080413-2111
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055b1c0
Debug session time: Tue Jun 3 15:05:29.203 2008 (GMT-7)
System Uptime: 0 days 1:18:07.778
Loading Kernel Symbols
..................................................................................................................
Loading User Symbols
Loading unloaded module list
..............
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000000A, {fffffff0, 2, 0, 804efc2c}

Probably caused by : ntoskrnl.exe ( nt!CcGetDirtyPages+97 )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: fffffff0, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 804efc2c, address which referenced memory

Debugging Details:
------------------


READ_ADDRESS: fffffff0

CURRENT_IRQL: 2

FAULTING_IP:
nt!CcGetDirtyPages+97
804efc2c 66813efd02 cmp word ptr [esi],2FDh

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xA

PROCESS_NAME: System

LAST_CONTROL_TRANSFER: from f74feb95 to 804efc2c

STACK_TEXT:
f7aa69b4 f74feb95 e101eb98 f74de1e1 f7aa6c14 nt!CcGetDirtyPages+0x97
f7aa6be0 f74ff174 f7aa6c14 86fcb100 00000000 Ntfs!NtfsCheckpointVolume+0x6f0
f7aa6d74 804e426b 00000000 00000000 86fc5640 Ntfs!NtfsCheckpointAllVolumes+0xd2
f7aa6dac 8057aeff 00000000 00000000 00000000 nt!ExpWorkerThread+0x100
f7aa6ddc 804f88ea 804e4196 00000000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


STACK_COMMAND: kb

FOLLOWUP_IP:
nt!CcGetDirtyPages+97
804efc2c 66813efd02 cmp word ptr [esi],2FDh

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: nt!CcGetDirtyPages+97

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntoskrnl.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 48025eab

FAILURE_BUCKET_ID: 0xA_nt!CcGetDirtyPages+97

BUCKET_ID: 0xA_nt!CcGetDirtyPages+97

Followup: MachineOwner
---------

#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:07 AM

Posted 03 June 2008 - 06:05 PM

Hi,
ntoskrnl.exe might be causing it.

ntoskrnl.exe is a critical process in the boot-up cycle of your computer, although it should never appear in WinTasks under normal circumstances. Note: ntoskrnl.exe can be altered by the w32.bolzano and variants. If this process appears in WinTasks, please update your virus definitions immediately.

Can you please do some scans with your anti-virus program as well as with an online scan.
http://housecall.trendmicro.com
http://www.kaspersky.com/virusscanner
http://www.bitdefender.com/scan8/ie.html
http://us.mcafee.com/root/mfs/default.asp
Post back with the results in your next reply.

Regards,
Extremeboy

#7 captsparrow

captsparrow
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:09:07 PM

Posted 03 June 2008 - 06:10 PM

Should I scan the entire computer, or just the WINDOWS directory where it is located?

Is there anyway to repair the file w/o having to reinstall Windows?

Edited by captsparrow, 03 June 2008 - 06:10 PM.


#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:07 AM

Posted 03 June 2008 - 06:11 PM

Scanning the whole computer won't do any harm, so I would just scan the whole computer.

Regards,
Extremeboy

#9 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:07 AM

Posted 03 June 2008 - 06:14 PM

Hello.

Please run a full system scan. Even though the file in question is located in WINDOWS, if there is an infection, we want to find the other components of it too.

With Regards,
The Panda

#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:07 AM

Posted 03 June 2008 - 06:17 PM

Hi,

Is there anyway to repair the file w/o having to reinstall Windows?

We don't know if the file needs to be repaired or not. I would just do the scans and see what they come up with, and from there we will tell you if anything needs to be repaired or fixed.

With Regards,
Extremeboy

#11 usasma

usasma

  • BSOD Kernel Dump Expert
  • 25,090 posts
  • OFFLINE
  • Gender:Male
  • Location:Southeastern CT, USA
  • Local time:12:07 AM

Posted 04 June 2008 - 06:13 PM

NTOSKRNL.EXE loads a bunch of processes when it starts (I counted 37 separate steps) - there's no telling (at this point) what's actually going wrong.
The Stack Trace shows activity within NTFS.SYS (the file system driver) just prior to the error - so I'd suspect that that may be contributing to it.

So, if you pass all the scans recommended above, I'd next suggest that you run chkdsk /r from the Command Prompt. It'll ask you if you want to schedule it for the next reboot - answer Yes and reboot. Let the check run and the system will boot back into Windows when it's done.

Should this not fix it, then I'd suggest running a hard drive diagnostic from the website of the manufacturer of your hard drive (usually free).

NTOSKRNL.EXE:

Initializes executive subsystems and boot and system-start device drivers, prepares the system for running native applications, and runs Smss.exe.



#12 captsparrow

captsparrow
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:09:07 PM

Posted 09 June 2008 - 09:13 PM

Okay, so I reformatted my computer hoping to get rid of the problem. I know, a lot of work, but stability is key. So it worked perfectly for about 5 days, until today when it crashed. The root of the problem is apparently iexplore.exe; hopefully this doesn't mean a virus has been latched into the system.

EDIT: After reading around on the internet at some potential causes, it has been said that memory could be a cause. I was running IE7 while accessing Google Docs which can take a long time to load, and take up a lot of memory. That might have overloaded the system causing a restart. Also, savrt.sys (Symantec system file) might be a cause, should I just uninstall and reinstall Norton to check?

Here's the complete bug check:

Microsoft Windows Debugger Version 6.9.0003.113 X86
Copyright Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini060908-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp.080413-2111
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055b1c0
Debug session time: Mon Jun 9 18:45:29.953 2008 (GMT-7)
System Uptime: 0 days 4:33:54.516
Loading Kernel Symbols
..................................................................................................................
Loading User Symbols
Loading unloaded module list
.............
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 19, {20, 86573f28, 86573f68, c080005}

Unable to load image savrt.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for savrt.sys
*** ERROR: Module load completed but symbols could not be loaded for savrt.sys
Probably caused by : savrt.sys ( savrt+3dfe0 )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Arg1: 00000020, a pool block header size is corrupt.
Arg2: 86573f28, The pool entry we were looking for within the page.
Arg3: 86573f68, The next pool entry.
Arg4: 0c080005, (reserved)

Debugging Details:
------------------


BUGCHECK_STR: 0x19_20

POOL_ADDRESS: 86573f28

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

PROCESS_NAME: iexplore.exe

LAST_CONTROL_TRANSFER: from 8054c4c1 to 8053380e

STACK_TEXT:
f78de760 8054c4c1 00000019 00000020 86573f28 nt!KeBugCheckEx+0x1b
f78de7b0 8054be39 86573f30 00000000 86189a5c nt!ExFreePoolWithTag+0x2be
f78de7c0 f58e1fe0 86573f30 e1eb7120 00000000 nt!ExFreePool+0xf
WARNING: Stack unwind information not available. Following frames may be wrong.
f78de7c8 e1eb7120 00000000 00000001 00000001 savrt+0x3dfe0
f78de7cc 00000000 00000001 00000001 00000042 0xe1eb7120


STACK_COMMAND: kb

FOLLOWUP_IP:
savrt+3dfe0
f58e1fe0 ?? ???

SYMBOL_STACK_INDEX: 3

SYMBOL_NAME: savrt+3dfe0

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: savrt

IMAGE_NAME: savrt.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 402816ae

FAILURE_BUCKET_ID: 0x19_20_savrt+3dfe0

BUCKET_ID: 0x19_20_savrt+3dfe0

Followup: MachineOwner
---------


Edited by captsparrow, 09 June 2008 - 09:40 PM.
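The two `!analyze -v` outputs in this thread carry the same handful of triage facts (stop code, arguments, probable module, process, failure bucket), and the Event Viewer line in the first post carries the same stop code with a 0x10000000 flag prepended. The following is an added example, not code from anyone in this thread, that extracts those facts from pasted WinDbg text; the sample dump text is constructed from the lines quoted in posts #5 and #12, and the Arg3 decoding for bugcheck 0xA follows the bitfield description printed in the dump itself.

```python
import re

# Constructed sample: the key lines of the two "!analyze -v" outputs
# quoted in this thread (post #5, bugcheck 0xA; post #12, bugcheck 0x19).
DUMP_0A = """\
BugCheck 1000000A, {fffffff0, 2, 0, 804efc2c}
Probably caused by : ntoskrnl.exe ( nt!CcGetDirtyPages+97 )
IRQL_NOT_LESS_OR_EQUAL (a)
PROCESS_NAME: System
IMAGE_NAME: ntoskrnl.exe
FAILURE_BUCKET_ID: 0xA_nt!CcGetDirtyPages+97
"""
DUMP_19 = """\
BugCheck 19, {20, 86573f28, 86573f68, c080005}
Unable to load image savrt.sys, Win32 error 0n2
*** ERROR: Module load completed but symbols could not be loaded for savrt.sys
Probably caused by : savrt.sys ( savrt+3dfe0 )
BAD_POOL_HEADER (19)
PROCESS_NAME: iexplore.exe
IMAGE_NAME: savrt.sys
FAILURE_BUCKET_ID: 0x19_20_savrt+3dfe0
"""

def base_stop_code(code):
    """Drop the 0x10000000 flag that Event Viewer and WinDbg prepend to some
    stop codes (0x100000c5 -> 0xC5, 0x1000000A -> 0xA) before lookup."""
    return code & ~0x10000000

def decode_irql_arg3(arg3):
    """Bugcheck 0xA Arg3 bitfield as the dump text documents it:
    bit 0 set = write (else read), bit 3 set = execute operation."""
    return {"write": bool(arg3 & 0x1), "execute": bool(arg3 & 0x8)}

def _field(text, key):
    m = re.search(r"^" + re.escape(key) + r":\s*(\S+)", text, re.M)
    return m.group(1) if m else None

def parse_analyze(text):
    """Pull the triage facts out of a pasted '!analyze -v' output."""
    m = re.search(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", text, re.M)
    if not m:
        raise ValueError("no BugCheck line found")
    args = [int(a.strip(), 16) for a in m.group(2).split(",")]
    name = re.search(r"^([A-Z_]+) \([0-9a-f]+\)$", text, re.M)
    cause = re.search(r"^Probably caused by : (\S+)", text, re.M)
    info = {
        "code": base_stop_code(int(m.group(1), 16)),
        "name": name.group(1) if name else None,
        "args": args,
        "module": cause.group(1) if cause else None,
        # No symbols for the blamed module: the culprit is only an offset,
        # so the attribution is weaker than a resolved nt!... symbol.
        "symbols_missing": "symbols could not be loaded" in text,
        "process": _field(text, "PROCESS_NAME"),
        "image": _field(text, "IMAGE_NAME"),
        "bucket": _field(text, "FAILURE_BUCKET_ID"),
    }
    if info["code"] == 0xA and len(args) == 4:
        info["irql_access"] = decode_irql_arg3(args[2])
    return info

def event_viewer_code(line):
    """Stop code from an Event Viewer 'The bugcheck was: 0x... (...)' line."""
    m = re.search(r"The bugcheck was: 0x([0-9A-Fa-f]+)", line)
    return base_stop_code(int(m.group(1), 16)) if m else None
```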


#13 usasma

usasma

  • BSOD Kernel Dump Expert
  • 25,090 posts
  • OFFLINE
  • Gender:Male
  • Location:Southeastern CT, USA
  • Local time:12:07 AM

Posted 10 June 2008 - 07:09 AM

If you're using an older version of Symantec/Norton antivirus this could be a problem, as there's an exploit vulnerability for the savrt.sys file (which could mean that you're infected).

Try a couple of these free, online scanners to see if anything has slipped by your protection:
(Be advised that some of these scanners will pick up things in "quarantine" from other anti-virus programs - so review the results carefully)

http://housecall.trendmicro.com
http://www.pandasecurity.com/homeusers/solutions/activescan/
http://www.kaspersky.com/virusscanner Scan Only - no removal
http://www.bitdefender.com/scan8/ie.html
http://support.f-secure.com/enu/home/ols.shtml
http://us.mcafee.com/root/mfs/default.asp
http://onlinescan.avast.com/
http://ca.com/us/securityadvisor/virusinfo/scan.aspx
http://www.eset.com/onlinescan/

<links compiled on 02/14/2008>

If you show up clean on a couple of the scans, then I'd uninstall the Norton and reinstall it with an updated copy from their website. If you're not clean, don't try this as it may cause the virus to mutate/morph into a form that's harder to detect/remove.

Edited by usasma, 10 June 2008 - 07:11 AM.
Last paragraph


#14 captsparrow

captsparrow
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:09:07 PM

Posted 10 June 2008 - 08:59 AM

How old a version of Norton? I'm using Symantec V9.0.0.338.

I'll try running the scans. How could the same thing as last time infect my system again after a clean format?

#15 usasma

usasma

  • BSOD Kernel Dump Expert
  • 25,090 posts
  • OFFLINE
  • Gender:Male
  • Location:Southeastern CT, USA
  • Local time:12:07 AM

Posted 10 June 2008 - 09:26 AM

This article ( http://www.securityfocus.com/bid/20684 ) suggests that yours is one of the versions.

And this answers your question about how it could happen after a clean format. It doesn't take long for an exploit to get acted on if the system isn't secure.

This isn't saying that you are infected - it's saying that the likelihood exists for someone to exploit this flaw in Symantec and use it to invade your system.

Check this link for some good, free applications to replace the Symantec stuff: http://www.bleepingcomputer.com/forums/topic3616.html