Blue Screens, Fresh WinXP maybe CSRSS.EXE virus. Here's WinDBG Analysis


8 replies to this topic

#1 sarahsmile

Posted 09 July 2009 - 05:36 AM

Please help! I've been without my computer for a week now. It kept crashing and bluescreening. I tried to get help for a week in the HijackThis forum, then gave up and reinstalled WinXP SP2, upgraded to SP3 and began reloading all my software.

Suddenly it is blue screening again. The first few times:

STOP: 0x000000F4 (0x00000003, 0x8B0AC020, 0x8B0AC194, 0x805D297C)


Then,

BAD_POOL_CALLER

STOP: 0x0000000A (0x00000000, 0x00000002, 0x00000001, 0x8053A593)



OS Name Microsoft Windows XP Professional
Version 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer Microsoft Corporation
System Name D3DH7PC1
System Manufacturer Dell Inc.
System Model Precision M90
System Type X86-based PC
Processor x86 Family 6 Model 15 Stepping 6 GenuineIntel ~2330 Mhz
BIOS Version/Date Dell Inc. A08, 10/16/2008
SMBIOS Version 2.4
Windows Directory C:\windows
System Directory C:\windows\system32
Boot Device \Device\HarddiskVolume2
Locale United States
Hardware Abstraction Layer Version = "5.1.2600.5512 (xpsp.080413-2111)"
User Name D3DH7PC1\User
Time Zone Eastern Daylight Time
Total Physical Memory 4,096.00 MB
Available Physical Memory 2.02 GB
Total Virtual Memory 2.00 GB
Available Virtual Memory 1.96 GB
Page File Space 7.07 GB
Page File D:\pagefile.sys

I followed the Blue Screen suggestions and created the WinDBG Analysis below:


Microsoft ® Windows Debugger Version 6.11.0001.404 X86
Copyright © Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_gdr.090206-1234
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Wed Jul 8 15:55:34.765 2009 (GMT-4)
System Uptime: 0 days 0:33:30.496
Loading Kernel Symbols
...............................................................
................................................................
.................................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffdf00c). Type ".hh dbgerr001" for details
Loading unloaded module list
..............................
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck F4, {3, 8b0ac020, 8b0ac194, 805d297c}

*** ERROR: Module load completed but symbols could not be loaded for TfSysMon.sys
*** ERROR: Module load completed but symbols could not be loaded for vsdatant.sys
unable to get nt!KiCurrentEtwBufferOffset
unable to get nt!KiCurrentEtwBufferBase
PEB is paged out (Peb.Ldr = 7ffdf00c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffdf00c). Type ".hh dbgerr001" for details
Probably caused by : csrss.exe

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

CRITICAL_OBJECT_TERMINATION (f4)
A process or thread crucial to system operation has unexpectedly exited or been
terminated.
Several processes and threads are necessary for the operation of the
system; when they are terminated (for any reason), the system can no
longer function.
Arguments:
Arg1: 00000003, Process
Arg2: 8b0ac020, Terminating object
Arg3: 8b0ac194, Process image file name
Arg4: 805d297c, Explanatory message (ascii)

Debugging Details:
------------------

unable to get nt!KiCurrentEtwBufferOffset
unable to get nt!KiCurrentEtwBufferBase
PEB is paged out (Peb.Ldr = 7ffdf00c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffdf00c). Type ".hh dbgerr001" for details

PROCESS_OBJECT: 8b0ac020

IMAGE_NAME: csrss.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 0

MODULE_NAME: csrss

FAULTING_MODULE: 00000000

PROCESS_NAME: csrss.exe

EXCEPTION_CODE: (NTSTATUS) 0xc0000006 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The required data was not placed into memory because of an I/O error status of "0x%08lx".

BUGCHECK_STR: 0xF4_IOERR

DEFAULT_BUCKET_ID: DRIVER_FAULT

STACK_TEXT:
b97b9430 805d1ac5 000000f4 00000003 8b0ac020 nt!KeBugCheckEx+0x1b
b97b9454 805d2a27 805d297c 8b0ac020 8b0ac194 nt!PspCatchCriticalBreak+0x75
b97b9484 ba10eb32 8b0ac268 c0000006 ba10eadc nt!NtTerminateProcess+0x7d
WARNING: Stack unwind information not available. Following frames may be wrong.
b97b9504 b31b2548 ffffffff c0000006 b97b9584 TfSysMon+0x6b32
00000000 00000000 00000000 00000000 00000000 vsdatant+0x42548


STACK_COMMAND: kb

FOLLOWUP_NAME: MachineOwner

FAILURE_BUCKET_ID: 0xF4_IOERR_IMAGE_csrss.exe

BUCKET_ID: 0xF4_IOERR_IMAGE_csrss.exe

Followup: MachineOwner
---------
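As an added example (my code, not from this thread or from Microsoft), here is a small Python parser for the "!analyze -v" text above: it pulls out the bugcheck code and its arguments, the KEY: value fields, the stack symbols and the modules WinDbg could not load symbols for, and then lists the non-nt modules sitting beneath nt!NtTerminateProcess on the stack. For this dump those are TfSysMon and vsdatant, the two drivers without symbols; "Probably caused by : csrss.exe" names the process that was terminated, so a triager would look at those callers next, while keeping in mind WinDbg's own warning that frames below the missing unwind information may be wrong. The sample input is a constructed excerpt of the output shown in post #1.

```python
import re
# Constructed excerpt of the "!analyze -v" output pasted in post #1 (EXCEPTION_CODE text shortened).
ANALYZE_OUTPUT = """\
BugCheck F4, {3, 8b0ac020, 8b0ac194, 805d297c}
*** ERROR: Module load completed but symbols could not be loaded for TfSysMon.sys
*** ERROR: Module load completed but symbols could not be loaded for vsdatant.sys
IMAGE_NAME: csrss.exe
EXCEPTION_CODE: (NTSTATUS) 0xc0000006 - The required data was not placed into memory ...
BUGCHECK_STR: 0xF4_IOERR
STACK_TEXT:
b97b9430 805d1ac5 000000f4 00000003 8b0ac020 nt!KeBugCheckEx+0x1b
b97b9454 805d2a27 805d297c 8b0ac020 8b0ac194 nt!PspCatchCriticalBreak+0x75
b97b9484 ba10eb32 8b0ac268 c0000006 ba10eadc nt!NtTerminateProcess+0x7d
WARNING: Stack unwind information not available. Following frames may be wrong.
b97b9504 b31b2548 ffffffff c0000006 b97b9584 TfSysMon+0x6b32
00000000 00000000 00000000 00000000 00000000 vsdatant+0x42548
STACK_COMMAND: kb
"""
# One "kb" frame: child SP, return address, three args, symbol.
FRAME_RE = re.compile(r"^[0-9a-f]{8} [0-9a-f]{8}(?: [0-9a-f]{8}){3} (\S+)$")

def parse_analyze(text):
    """Extract bugcheck code/args, KEY: value fields, stack symbols and symbol-less modules."""
    out = {"bugcheck": None, "args": [], "fields": {}, "frames": [], "no_symbols": []}
    in_stack = False
    for line in text.splitlines():
        if in_stack:
            m = FRAME_RE.match(line)
            if m:
                out["frames"].append(m.group(1))
            elif line.startswith("STACK_COMMAND"):
                in_stack = False
            continue  # WARNING/blank lines inside the stack block are skipped
        m = re.match(r"BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", line)
        if m:
            out["bugcheck"] = int(m.group(1), 16)
            out["args"] = [int(a, 16) for a in m.group(2).split(", ")]
        elif line.startswith("*** ERROR:") and "symbols could not be loaded for" in line:
            out["no_symbols"].append(line.rsplit(" ", 1)[1])
        elif line.startswith("STACK_TEXT:"):
            in_stack = True
        else:
            m = re.match(r"([A-Z_]+): (.*)", line)
            if m:
                out["fields"][m.group(1)] = m.group(2)
    return out

def terminate_callers(parsed):
    """Non-nt modules beneath nt!NtTerminateProcess on an 0xF4/Arg1==3 stack: 'Probably
    caused by' names the process that died; these frames show who requested its exit."""
    frames = parsed["frames"]
    idx = next((i for i, f in enumerate(frames) if f.startswith("nt!NtTerminateProcess")), None)
    if parsed["bugcheck"] != 0xF4 or parsed["args"][:1] != [3] or idx is None:
        return []
    return [f.split("+")[0] for f in frames[idx + 1:] if not f.startswith("nt!")]
```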


#2 hamluis

Posted 09 July 2009 - 09:00 AM

Just a comment: Your pagefile looks like it's twice as large as it should be. Do you have XP managing it? You should.

Can you post a screen shot from Device Manager?

Have you checked Event Viewer for possible clues?

How To Use Event Viewer - http://www.bleepingcomputer.com/forums/t/40108/how-to-use-event-viewer/

Is XP current with critical updates?

Have you done any scans for malware? What defense programs do you have installed, current and operating?

http://www.neuber.com/taskmanager/process/csrss.exe.html

What's the path for the csrss.exe file on your system? file size?

Louis

#3 sarahsmile

Posted 09 July 2009 - 11:28 AM

Okay, I think what has happened is that I eliminated the pagefile on Drive C: and Windows XP has overridden that. I have now tried to set it to a 2MB minimum with a 50MB maximum, based on this site: http://www.petri.co.il/pagefile_optimization.htm

Oh, that doesn't work. I get a message from Windows XP that the page file must be at least 200MB in order to correctly write debug information in the event of a memory dump. So I've set it to 400MB for both max and min.

I increased the size of the page file to be 1.5 times the 4GB of memory.

#4 hamluis

Posted 09 July 2009 - 12:58 PM

With 4GB of RAM, the likelihood of needing that large a pagefile is...almost nil, IMO.

I have 4GB installed (XP, SP3) and my pagefile (with XP managing) is 3.5GB. I also don't have hibernation enabled, thus no hiberfil.sys file wasting space.

Louis

#5 sarahsmile

Posted 09 July 2009 - 02:07 PM

Ok! I will reduce the page file to 3.5 as per your example and will find out how to eliminate the hibernating.

I looked carefully through the event log entries that coincided with the time of the last memory dump. There were no errors recorded at the time of the Blue Screen! The only error recorded was 20 minutes before the computer crashed!

#6 hamluis

Posted 09 July 2009 - 03:27 PM

How about the file path and size?

If it's anything other than where/what is expected...it could be a malware issue.

Louis

#7 sarahsmile

Posted 09 July 2009 - 03:49 PM

XPSP3 is current with all updates except the .NetFramework 3.5 for Families which I've chosen not to install.

The Security Task Manager gives a thumbs up to my version of csrss.exe giving it a rating of harmless and indicating it is a Microsoft signed file. The location is c:\windows\system32 and the file size is 6.0KB. The file version is 5.1.2600.5512 which I think agrees with the WinXP build.

The computer just bluescreened again this time with the following:

BAD_POOL_HEADER
STOP: 0x00000019 (0x00000020, 0x00000700, 0x00000700, 0x0A00C680)

This was during an installation of Adobe CS4.

#8 sarahsmile

Posted 09 July 2009 - 03:50 PM

Oh, there was a Windows Error Report generated this time, with a response from Microsoft:

Blue screen error caused by a device or driver

You received this message because a hardware device, its driver, or related software has caused a blue screen error. This type of error means the computer has shut down abruptly to protect itself from potential data corruption or loss. In this case, we were unable to detect the specific device or driver that caused the problem.

Troubleshooting

The following troubleshooting steps might prevent the blue screen error from recurring. Try them in the order given. If one step does not solve the problem, then move on to the next one.

Step 1: Download and install the latest updates and device drivers for your computer

1. Use Windows Update to check for and install updates:
   1. Go online to the Windows Update website: Windows Update
      Note: If Microsoft Update is installed, you'll be taken to the Microsoft Update website.
   2. Click Custom to check for available updates.
   3. In the left pane, under Select by Type, click each of the following links to view all available updates:
      * High Priority
      * Software, Optional
      * Hardware, Optional
   4. Select the updates you want, click Review and install updates, and then click Install Updates.
2. If you recently added a new hardware device to your computer, go online to the manufacturer's website to see if a driver update is available.
3. If you recently added a new program to your computer, go online to the manufacturer's website to see if an update is available.

Step 2: Remove any new hardware or software to isolate the cause of the blue screen

If you received the blue screen error after adding a new hardware device or program, and downloading updates didn't solve the problem, try removing the device or program and restarting Windows. If removing the new device or program allows Windows to start without the error, contact the device or program's manufacturer to get product updates or to learn about any known issues with the device or program.

Step 3: Scan your computer for viruses

Many blue screen errors can be caused by computer viruses or other types of malicious software.

If you have an antivirus program installed on your computer, make sure it is up to date with the latest antivirus definitions and perform a complete scan of your system. Check your antivirus product's website for information on getting the latest updates.

If you do not have antivirus software installed on your computer, we recommend using a web-based scanner to check your computer for malware. Many of the top antivirus software providers offer this service free of charge on their websites.

To see a list of Microsoft and third-party providers of antispyware, anti-malware, and antivirus software, go online to the following website:

Security software: Downloads and trials

To see a list of antivirus software vendors, go online to the following Knowledge Base article:

List of antivirus software vendors

Tip
Consider scanning your computer using more than one web-based antivirus scanner, even if you have an antivirus program installed on your computer. This will help make sure that you are using the most up-to-date antivirus definitions and allows you to benefit from the different strengths of each antivirus software manufacturer. If you do run multiple antivirus products, make sure you run only one product at a time. Running multiple antivirus products simultaneously can produce incorrect results.

Step 4: Check your hard disk for errors

You can help solve some computer problems and improve the performance of your computer by making sure that your hard disk has no errors.

1. Click Start, and then click My Computer.
2. Right-click the hard disk drive that you want to check, and then click Properties.
3. Click the Tools tab, and then, under Error-checking, click Check Now.
   To automatically repair problems with files and folders that the scan detects, select Automatically fix file system errors. Otherwise, the disk check will report problems but not fix them.
   To perform a thorough disk check, select Scan for and attempt recovery of bad sectors. This scan attempts to find and repair physical errors on the hard disk itself, and it can take much longer to complete.
   To check for both file errors and physical errors, select both Automatically fix file system errors and Scan for and attempt recovery of bad sectors.
4. Click Start.
   Depending upon the size of your hard disk, this might take several minutes or longer. For best results, don't use your computer for any other tasks while it's checking for errors.

Note
If you select Automatically fix file system errors for a disk that is in use (for example, the partition that contains Windows), you'll be prompted to reschedule the disk check for the next time you restart your computer.

For more information, go online to read the following article:

How to perform disk error checking in Windows XP

Step 5: Restore your computer to an earlier state

If the blue screen error occurred after installing a system or program update, consider using the System Restore feature to remove the changes. System Restore uses "restore points" that have been saved on your computer to return your system to a point in time before the problem began. This won't fix the problem, but it can make your computer work again.

Do one of the following:

If Windows doesn't start:

1. Restart the computer and, when the screen becomes blank during startup, repeatedly press F8 until the Windows Advanced Options Menu displays.
2. Use your arrow keys to select Safe Mode with Command Prompt, and then press ENTER.
   For more information about safe mode startup options, go online to read an article in the Microsoft Knowledge Base: KB315222
3. If you are prompted to select a version of Windows, select the correct version, and then press ENTER.
4. Log on to the computer using the Administrator account or an account that has administrator credentials.
5. Type the following command at a command prompt, and then press ENTER:
   [systemroot]\system32\restore\rstrui.exe
   (Where [systemroot] is the drive and directory where your Windows system files are located -- for example, "C:\Windows")
6. Follow the instructions that appear on the screen to restore the computer to an earlier state.

Or, if Windows starts:

1. Log on to Windows using an administrator account.
2. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
3. On the Welcome to System Restore page, select Restore my computer to an earlier time, and then click Next.
4. On the Select a Restore Point page, click the most recent system checkpoint in the On this list, click a restore point list, and then click Next. You might receive a message that lists configuration changes that System Restore will make. Review this list, and then click OK.
5. On the Confirm Restore Point Selection page, click Next. System Restore restores the previous Windows configuration, and then restarts the computer.
6. Log on to the computer as an administrator.
7. When the System Restore Restoration Complete page appears, click OK.


Advanced troubleshooting

#9 hamluis

Posted 09 July 2009 - 05:38 PM

Adobe software (and AV, video-editors...music programs, etc.) all have drivers, in addition to the hardware components of a system.

Sooo...a message about a driver during a software install...probably refers to that program. One of the reasons that this may occur is that the program has been updated and users are attempting to use an older, unpatched version (or a version which has sustained file damage).

I would uninstall and then attempt to reinstall said program.

FWIW: Some programs also require MS.NET to be installed but my experience is that they will point such out.

Louis



