Ntfs.sys Causing Restart


8 replies to this topic

#1 captsparrow (Members, 35 posts)

Posted 22 June 2008 - 08:06 PM

I figured I had fixed my computer because I had removed Symantec and therefore savrt.sys, the exploited file. Just now the computer restarted; I ran bugcheck on it and found that apparently Ntfs.sys caused the restart. If I just run checkdisk, will that fix the problem?


Microsoft ® Windows Debugger Version 6.9.0003.113 X86
Copyright © Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini062208-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp.080413-2111
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055b1c0
Debug session time: Sun Jun 22 18:01:17.562 2008 (GMT-7)
System Uptime: 0 days 3:31:21.124
Loading Kernel Symbols
.........................................................................................................
Loading User Symbols
Loading unloaded module list
...............
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 24, {1902fe, f7c8e9f4, f7c8e6f0, f769c7b1}

Probably caused by : Ntfs.sys ( Ntfs!NtfsAcquireResourceShared+8 )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

NTFS_FILE_SYSTEM (24)
If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
trace.
Arguments:
Arg1: 001902fe
Arg2: f7c8e9f4
Arg3: f7c8e6f0
Arg4: f769c7b1

Debugging Details:
------------------


EXCEPTION_RECORD: f7c8e9f4 -- (.exr 0xfffffffff7c8e9f4)
ExceptionAddress: f769c7b1 (Ntfs!NtfsAcquireResourceShared+0x00000008)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000000
Attempt to read from address 00000000

CONTEXT: f7c8e6f0 -- (.cxr 0xfffffffff7c8e6f0)
eax=00000000 ebx=804db2c7 ecx=e386ef01 edx=e386ecc8 esi=00000000 edi=e386ef28
eip=f769c7b1 esp=f7c8eabc ebp=f7c8eabc iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
Ntfs!NtfsAcquireResourceShared+0x8:
f769c7b1 6681380207 cmp word ptr [eax],702h ds:0023:00000000=????
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: System

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

READ_ADDRESS: 00000000

BUGCHECK_STR: 0x24

DEFAULT_BUCKET_ID: NULL_DEREFERENCE

LAST_CONTROL_TRANSFER: from f76db407 to f769c7b1

STACK_TEXT:
f7c8eabc f76db407 861a76f8 00000000 00000001 Ntfs!NtfsAcquireResourceShared+0x8
f7c8ead4 f76a24b6 861a76f8 00000000 00000001 Ntfs!NtfsAcquireSharedFcbCheckWait+0x37
f7c8eb20 f76c3e7c 861a76f8 86549850 e386ecc8 Ntfs!NtfsTeardownFromLcb+0xe5
f7c8eb78 f769e7a4 861a76f8 e386ed90 00000000 Ntfs!NtfsTeardownStructures+0x125
f7c8eba4 f76c16b5 861a76f8 0086ed90 00000000 Ntfs!NtfsDecrementCloseCounts+0x9e
f7c8ec28 f76c1454 861a76f8 e386ed90 e386ecc8 Ntfs!NtfsCommonClose+0x398
f7c8ecc8 804e37f7 86549770 85f1a4d8 8675a9d0 Ntfs!NtfsFsdClose+0x21f
f7c8ecd8 f7740459 f7c8ed28 804e37f7 864df248 nt!IopfCallDriver+0x31
f7c8ece0 804e37f7 864df248 85f1a4d8 85f1a4d8 sr!SrPassThrough+0x31
f7c8ecf0 8056bf74 865bc950 00000000 00000000 nt!IopfCallDriver+0x31
f7c8ed28 80564777 005bc968 865bc950 00000000 nt!IopDeleteFile+0x132
f7c8ed44 804e36d5 865bc968 00000000 806f0298 nt!ObpRemoveObjectRoutine+0xe0
f7c8ed68 804f4ff7 8055f854 86176008 00000000 nt!ObfDereferenceObject+0x5f
f7c8ed8c 805166c1 e11f87c0 00000000 867c24e0 nt!MiSegmentDelete+0xdd
f7c8edac 8057aeff 00000000 00000000 00000000 nt!MiDereferenceSegmentThread+0x9e
f7c8eddc 804f88ea 80514f8b 00000000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


FOLLOWUP_IP:
Ntfs!NtfsAcquireResourceShared+8
f769c7b1 6681380207 cmp word ptr [eax],702h

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: Ntfs!NtfsAcquireResourceShared+8

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: Ntfs

IMAGE_NAME: Ntfs.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 48025be5

STACK_COMMAND: .cxr 0xfffffffff7c8e6f0 ; kb

FAILURE_BUCKET_ID: 0x24_Ntfs!NtfsAcquireResourceShared+8

BUCKET_ID: 0x24_Ntfs!NtfsAcquireResourceShared+8

Followup: MachineOwner
---------

kd> .exr 0xfffffffff7c8e9f4
ExceptionAddress: f769c7b1 (Ntfs!NtfsAcquireResourceShared+0x00000008)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000000
Attempt to read from address 00000000

#2 Billy O'Neal (Malware Response Team, Visual C++ STL Maintainer; 12,301 posts; Redmond, Washington)

Posted 22 June 2008 - 08:12 PM

Might as well try it out :thumbsup:
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#3 hamluis (Moderator; 54,850 posts; Killeen, TX)

Posted 23 June 2008 - 10:04 AM

http://support.microsoft.com/kb/822800

http://support.microsoft.com/kb/555531

Louis

#4 usasma (BSOD Kernel Dump Expert; 25,074 posts; Southeastern CT, USA)

Posted 23 June 2008 - 06:11 PM

The presence of the ntfs.sys item in the memory dump does not mean that ntfs.sys caused the error. What it means is that the error occurred in ntfs.sys, not that it was the cause.

In this case, the error occurred in accessing the memory ( ExceptionCode: c0000005 (Access violation) ) because the memory that it was pointing to was not able to be addressed (the address for that piece of memory doesn't exist). Additionally, this is a sharing violation, so it may also be caused by a program trying to access an area that it isn't allowed to access.

From your previous post, you were going to run chkdsk /r. Have you done that? What were the results? Were there any errors?
Have you tried a hard drive diagnostic from the manufacturer of your hard drive?
My browser caused a flood of traffic, so my IP address was banned. Hope to fix it soon. Will get back to posting as soon as I'm able.

- John (my website: http://www.carrona.org/ ) **If you need a more detailed explanation, please ask for it. I have the Knack.** If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficulty reading posts. (23 Nov 2017) FYI - I am completely blind in the right eye and ~30% blind in the left eye. If the eye problems get worse suddenly, I may not be able to respond. If that's the case and help is needed, please PM a staff member for assistance.

#5 captsparrow (Topic Starter; Members, 35 posts)

Posted 23 June 2008 - 07:24 PM

There weren't any errors for the checkdisk. It crashed again today, but this time before restarting it said to insert the boot disk. I restarted it again and this time it went to the desktop. I'll run checkdisk /f /r, and then scan for viruses.

Here is the dump:

Microsoft ® Windows Debugger Version 6.9.0003.113 X86
Copyright © Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini062308-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp.080413-2111
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055b1c0
Debug session time: Mon Jun 23 17:06:36.437 2008 (GMT-7)
System Uptime: 0 days 2:27:23.989
Loading Kernel Symbols
..........................................................................................................
Loading User Symbols
Loading unloaded module list
...........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 77, {c0000185, c0000185, 0, 13e7000}

Probably caused by : memory_corruption ( nt!MiMakeOutswappedPageResident+362 )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KERNEL_STACK_INPAGE_ERROR (77)
The requested page of kernel data could not be read in. Caused by
bad block in paging file or disk controller error.
In the case when the first arguments is 0 or 1, the stack signature
in the kernel stack was not found. Again, bad hardware.
An I/O status of c000009c (STATUS_DEVICE_DATA_ERROR) or
C000016AL (STATUS_DISK_OPERATION_FAILED) normally indicates
the data could not be read from the disk due to a bad
block. Upon reboot autocheck will run and attempt to map out the bad
sector. If the status is C0000185 (STATUS_IO_DEVICE_ERROR) and the paging
file is on a SCSI disk device, then the cabling and termination should be
checked. See the knowledge base article on SCSI termination.
Arguments:
Arg1: c0000185, status code
Arg2: c0000185, i/o status code
Arg3: 00000000, page file number
Arg4: 013e7000, offset into page file

Debugging Details:
------------------


ERROR_CODE: (NTSTATUS) 0xc0000185 - The I/O device reported an I/O error.

DISK_HARDWARE_ERROR: There was error with disk hardware

BUGCHECK_STR: 0x77_c0000185

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

PROCESS_NAME: System

LAST_CONTROL_TRANSFER: from 80520dea to 8053380e

STACK_TEXT:
f7c9acf0 80520dea 00000077 c0000185 c0000185 nt!KeBugCheckEx+0x1b
f7c9ad60 804e80ce c03dbd50 c03dbd50 00000001 nt!MiMakeOutswappedPageResident+0x362
f7c9ad8c 804e6b41 00505a60 00000000 867bfb30 nt!MmInPageKernelStack+0xf0
f7c9ada4 804e6b24 86505ac0 8057aeff 00000000 nt!KiInSwapKernelStacks+0x16
f7c9adac 8057aeff 00000000 00000000 00000000 nt!KeSwapProcessOrStack+0x89
f7c9addc 804f88ea 804e6aa0 00000000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


STACK_COMMAND: kb

FOLLOWUP_IP:
nt!MiMakeOutswappedPageResident+362
80520dea cc int 3

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: nt!MiMakeOutswappedPageResident+362

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

DEBUG_FLR_IMAGE_TIMESTAMP: 48025eab

IMAGE_NAME: memory_corruption

FAILURE_BUCKET_ID: 0x77_c0000185_nt!MiMakeOutswappedPageResident+362

BUCKET_ID: 0x77_c0000185_nt!MiMakeOutswappedPageResident+362

Followup: MachineOwner
---------

#6 usasma (BSOD Kernel Dump Expert)

Posted 24 June 2008 - 06:40 AM

IMO it's most likely to be a failing hard disk - running a bootable diagnostic utility from the manufacturer of the hard drive is the best test for this.
It could also be a problem with your RAM. IMO this free test would be the way to tell this: http://www.memtest86.com/
I'd also suggest resetting your pagefile (just in case). It's in Step 2 here: http://www.bleepingcomputer.com/forums/ind...st&p=389845
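The two readings in this thread (John's point in #4 that the module named in "Probably caused by" is where the exception surfaced, not necessarily its cause, and the disk reading of the 0x77 dump in #5) can be turned into a small triage script. The following Python is an added example written for this thread; it is not part of the posts above nor part of WinDbg or any Microsoft tool. It parses the text that `!analyze -v` prints (the two embedded inputs are trimmed copies of the listings posted above, not complete dumps) and applies two rules: an in-page bugcheck (0x77, and by the same logic 0x7A, which the thread does not mention) whose I/O status is one of the device-level codes named in the 0x77 bugcheck text is classed as a disk problem; an access violation reading address 0 is classed as a NULL dereference, and the other modules in the stack (here nt and the sr System Restore filter) are listed as the callers to look at before blaming Ntfs. The regexes, function names and labels are my own choices, not anything the thread or WinDbg defines.

```python
"""Triage WinDbg `!analyze -v` text: faulting module vs. callers, disk vs. driver."""
import re
from dataclasses import dataclass, field
from typing import Optional

# NTSTATUS values the 0x77 bugcheck text ties to the disk path:
# STATUS_IO_DEVICE_ERROR, STATUS_DEVICE_DATA_ERROR, STATUS_DISK_OPERATION_FAILED.
DISK_STATUS = {0xC0000185, 0xC000009C, 0xC000016A}
INPAGE_BUGCHECKS = {0x77, 0x7A}  # KERNEL_STACK_INPAGE_ERROR, KERNEL_DATA_INPAGE_ERROR

@dataclass
class CrashReport:
    bugcheck: int
    args: list                        # the four bugcheck parameters
    faulting_module: Optional[str]    # from "Probably caused by", minus ".sys"
    exception_code: Optional[int]
    read_address: Optional[int]
    process: Optional[str]
    stack_modules: list = field(default_factory=list)  # deduplicated, innermost first

_BUGCHECK = re.compile(r"^BugCheck\s+([0-9a-fA-F]+),\s*\{([^}]*)\}", re.M)
_CAUSED_BY = re.compile(r"^Probably caused by\s*:\s*(\S+)", re.M)
_EXC = re.compile(r"^ExceptionCode:\s*([0-9a-fA-F]+)", re.M)
_READ = re.compile(r"^READ_ADDRESS:\s*([0-9a-fA-F]+)", re.M)
_PROC = re.compile(r"^PROCESS_NAME:\s*(\S+)", re.M)
# One x86 STACK_TEXT frame: child EBP, return address, three args, then module!symbol.
_FRAME = re.compile(r"^(?:[0-9a-f]{8}\s+){5}([A-Za-z0-9_]+)!", re.M)

def _hex(rx, text):
    m = rx.search(text)
    return int(m.group(1), 16) if m else None

def parse_analyze(text: str) -> CrashReport:
    m = _BUGCHECK.search(text)
    if not m:
        raise ValueError("no BugCheck line found")
    args = [int(a, 16) for a in m.group(2).split(",") if a.strip()]
    caused = _CAUSED_BY.search(text)
    module = caused.group(1).rsplit(".", 1)[0] if caused else None
    proc = _PROC.search(text)
    stack = text.split("STACK_TEXT:", 1)[1] if "STACK_TEXT:" in text else ""
    mods = []
    for mod in _FRAME.findall(stack):
        if mod not in mods:
            mods.append(mod)
    return CrashReport(int(m.group(1), 16), args, module, _hex(_EXC, text),
                       _hex(_READ, text), proc.group(1) if proc else None, mods)

def other_modules_on_stack(r: CrashReport) -> list:
    """Modules in the call chain other than the one the fault surfaced in."""
    return [m for m in r.stack_modules if m != r.faulting_module]

def triage(r: CrashReport) -> str:
    """'disk-io' for an in-page error with a device-level I/O status,
    'null-deref' for an access violation reading address 0, else 'unknown'."""
    if r.bugcheck in INPAGE_BUGCHECKS and len(r.args) > 1 and r.args[1] in DISK_STATUS:
        return "disk-io"
    if r.exception_code == 0xC0000005 and r.read_address == 0:
        return "null-deref"
    return "unknown"

def explain(r: CrashReport) -> str:
    label = triage(r)
    if label == "disk-io":
        return (f"0x{r.bugcheck:X}, I/O status 0x{r.args[1]:08X}: the pagefile read failed "
                "at the device. Suspect disk, controller or cabling; run the vendor disk "
                "diagnostic and chkdsk /r before blaming any driver.")
    if label == "null-deref":
        others = ", ".join(other_modules_on_stack(r)) or "nothing else"
        return (f"0x{r.bugcheck:X}: NULL read in {r.faulting_module} (process "
                f"{r.process}). {r.faulting_module} is where the fault surfaced; the "
                f"call arrived through {others}, so review those callers (including "
                "any filter driver) before treating the file system as the cause.")
    return f"0x{r.bugcheck:X}: no rule matched; read the full !analyze -v output."

# Trimmed copies of the two !analyze -v listings posted in this thread
# (sample input for the parser, not complete dumps).
DUMP_0622 = """\
BugCheck 24, {1902fe, f7c8e9f4, f7c8e6f0, f769c7b1}
Probably caused by : Ntfs.sys ( Ntfs!NtfsAcquireResourceShared+8 )
ExceptionCode: c0000005 (Access violation)
PROCESS_NAME: System
READ_ADDRESS: 00000000
STACK_TEXT:
f7c8eabc f76db407 861a76f8 00000000 00000001 Ntfs!NtfsAcquireResourceShared+0x8
f7c8ecd8 f7740459 f7c8ed28 804e37f7 864df248 nt!IopfCallDriver+0x31
f7c8ece0 804e37f7 864df248 85f1a4d8 85f1a4d8 sr!SrPassThrough+0x31
f7c8edac 8057aeff 00000000 00000000 00000000 nt!MiDereferenceSegmentThread+0x9e
"""
DUMP_0623 = """\
BugCheck 77, {c0000185, c0000185, 0, 13e7000}
Probably caused by : memory_corruption ( nt!MiMakeOutswappedPageResident+362 )
PROCESS_NAME: System
STACK_TEXT:
f7c9acf0 80520dea 00000077 c0000185 c0000185 nt!KeBugCheckEx+0x1b
f7c9ad60 804e80ce c03dbd50 c03dbd50 00000001 nt!MiMakeOutswappedPageResident+0x362
"""

if __name__ == "__main__":
    for dump in (DUMP_0622, DUMP_0623):
        print(explain(parse_analyze(dump)))
```

Run it against a saved `!analyze -v` listing (`kd> .logopen` and paste the text in) and the first dump comes back as a NULL dereference that entered Ntfs through nt and sr, while the second comes back as a device I/O error on the pagefile, which is the same conclusion John reaches in #6. The rules are deliberately narrow; a dump that matches neither is reported as unknown rather than guessed at.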

#7 captsparrow (Topic Starter)

Posted 24 June 2008 - 10:40 AM

For the first reformat I did, I put in a hard drive from 2002 that had rarely been used. I'll run the memory test and the hard drive diagnostic, and reset the page file.

I assume any type of virus/malware is out of the picture, I ran AdAware 08 last night and it came up clean.

#8 usasma (BSOD Kernel Dump Expert)

Posted 24 June 2008 - 12:49 PM

Actually, a virus is a possibility, but my guess is that it's the hard drive.

Viruses can cause all of the problems that you've described - but usually there'll be some other limiting factor associated with it (internet problems, Windows problems, etc). So I'm not leaning that way right now.

FWIW - viruses can get on your system and can then fool antivirus/antispyware programs. That's why we recommend the free, online scans such as these:

(Be advised that some of these scanners will pickup things in "quarantine" from other anti-virus programs - so review the results carefully)

http://housecall.trendmicro.com
http://www.pandasecurity.com/homeusers/solutions/activescan/
http://www.kaspersky.com/virusscanner Scan Only - no removal
http://www.bitdefender.com/scan8/ie.html
http://support.f-secure.com/enu/home/ols.shtml
http://us.mcafee.com/root/mfs/default.asp
http://onlinescan.avast.com/
http://ca.com/us/securityadvisor/virusinfo/scan.aspx
http://www.eset.com/onlinescan/

<links compiled on 02/14/2008>

#9 captsparrow (Topic Starter)

Posted 24 June 2008 - 07:45 PM

I ran F-Secure, and it found 1 virus, but it was SBAUTOUPDATE.exe, which came with Spyware Blaster, which I installed previously. It identified the virus as W32/Malware.
Should I delete this to be sure (I don't have the full version of Spyware Blaster, just the free version, so I can't autoupdate) or leave it be?

Edited by captsparrow, 24 June 2008 - 07:45 PM.
