
BSOD on Windows 2003


  • This topic is locked
2 replies to this topic

#1 BabyHan

BabyHan

  • Members
  • 1 posts
  • OFFLINE
  • Local time:01:59 AM

Posted 07 December 2010 - 06:29 AM

Hi,

I have a Windows 2003 file server joined to an AD domain; recently this machine went BSOD and restarted several times a day. Tried anti-virus and anti-malware scanning, chkdsk, even went to the extent of swapping in another hardware server, but ended with the same problem. Suspected it could be a virus issue, but could not pinpoint the problem. Tried using WinDbg to analyze the minidump files logged during the BSOD and got the following.

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: e1ea9000, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: f660433c, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------


Could not read faulting driver name

READ_ADDRESS: e1ea9000

FAULTING_IP:
+6535646234353164
f660433c ?? ???

MM_INTERNAL_CODE: 0

CUSTOMER_CRASH_COUNT: 5

DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP

BUGCHECK_STR: 0x50

PROCESS_NAME: System

CURRENT_IRQL: 1

TRAP_FRAME: f5af2aa8 -- (.trap 0xfffffffff5af2aa8)
ErrCode = 00000000
eax=e1ea9000 ebx=00000000 ecx=e1ea9000 edx=00000073 esi=f5af2c0c edi=f5af2cc8
eip=f660433c esp=f5af2b1c ebp=f5af2b28 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010282
f660433c ?? ???
Resetting default scope

LAST_CONTROL_TRANSFER: from 808692ab to 8087c4a0

STACK_TEXT:
f5af2a40 808692ab 00000050 e1ea9000 00000000 nt!KeBugCheckEx+0x1b
f5af2a90 80836c4c 00000000 e1ea9000 00000000 nt!MmAccessFault+0x813
f5af2a90 f660433c 00000000 e1ea9000 00000000 nt!KiTrap0E+0xdc
WARNING: Frame IP not in any known module. Following frames may be wrong.
f5af2b18 e1ea9000 f6609d62 e1ea8ffe f5af2bac 0xf660433c
f5af2b54 8092c745 0000000c 00001538 f6609d62 0xe1ea9000
f5af2bac f63f378b 00000e78 00000000 00000000 nt!IopCreateFile+0x590
f5af2bd8 f63fc007 00000e78 00000001 f5af2c0c srv!SrvVerifyDeviceStackSize+0x1d
f5af2c24 f63fe1cc 85929140 f5af2cc8 00000081 srv!SrvIoCreateFile+0x40f
f5af2cf0 f63fc825 8540d330 e13e71d0 00000081 srv!SrvNtCreateFile+0x5e0
f5af2d78 f63daeaf 85929148 859816e0 f63f36c7 srv!SrvSmbNtCreateAndX+0x15c
f5af2d84 f63f36c7 00000000 86453db0 00000000 srv!SrvProcessSmb+0xb7
f5af2dac 809208bb 009816e0 00000000 00000000 srv!WorkerThread+0x138
f5af2ddc 8083fe9f f63f3602 859816e0 00000000 nt!PspSystemThreadStartup+0x2e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


STACK_COMMAND: kb

FOLLOWUP_IP:
srv!SrvVerifyDeviceStackSize+1d
f63f378b 3bc3 cmp eax,ebx

SYMBOL_STACK_INDEX: 6

SYMBOL_NAME: srv!SrvVerifyDeviceStackSize+1d

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: srv

IMAGE_NAME: srv.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4c696c17

FAILURE_BUCKET_ID: 0x50_srv!SrvVerifyDeviceStackSize+1d

BUCKET_ID: 0x50_srv!SrvVerifyDeviceStackSize+1d

Followup: MachineOwner

---------------------------------------------------------------------------------

Based on the analysis information, I managed to locate a KB article by Microsoft that describes this issue: http://support.microsoft.com/kb/950298#top
After applying the hotfix from KB950298, we still get the BSOD and ended up where we started.
Tried running HJT and got the following information from the log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:35:41 PM, on 12/7/2010
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adaptec\Adaptec Storage Manager\StorServ.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\sfmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\WINDOWS\system32\Dfsr.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1291201910607
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = iah-office.com.sg
O17 - HKLM\Software\..\Telephony: DomainName = iah-office.com.sg
O17 - HKLM\System\CCS\Services\Tcpip\..\{EAADA4BE-ADAC-4524-BF6D-7CEDEC268A0D}: NameServer = 10.2.0.17,10.2.0.16
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = iah-office.com.sg
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adaptec Storage Manager Agent (AdaptecStorageManagerAgent) - Adaptec Incorporated - C:\Program Files\Adaptec\Adaptec Storage Manager\StorServ.exe
O23 - Service: AVG E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe

--
End of file - 4065 bytes


Will someone please help to analyze what could be the problem and enlighten me on this.

PS: My other file server and domain controller also encountered the same error, so we suspect it could be a Trojan that spread through our domain.

Thanks and best regards
BabyHan

Edited by hamluis, 07 December 2010 - 01:16 PM.
Moved from Windows NT to malware Removal Logs ~ Hamluis.
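The report above is the raw text of WinDbg's `!analyze -v`. As an added example (not the poster's or BleepingComputer's own tooling), here is a small parser for that text layout that pulls out the bugcheck code and arguments, the blamed module and bucket, and the stack frames, and then flags the part an incident responder cares about most: frames whose return address WinDbg could not map to any loaded module (printed as a bare `0x...` address, accompanied by the "Frame IP not in any known module" warning). That signal is easy to overlook when the report's own summary line blames srv.sys. The sample input is a constructed, trimmed copy of the report posted in the thread; the parser assumes the field and stack-line layout shown there.

```python
"""Extract triage fields from a WinDbg ``!analyze -v`` bugcheck report (added example)."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: a trimmed copy of the report posted in the thread.
SAMPLE_REPORT = """\
PAGE_FAULT_IN_NONPAGED_AREA (50)
Arguments:
Arg1: e1ea9000, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: f660433c, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)

PROCESS_NAME: System

STACK_TEXT:
f5af2a40 808692ab 00000050 e1ea9000 00000000 nt!KeBugCheckEx+0x1b
f5af2a90 80836c4c 00000000 e1ea9000 00000000 nt!MmAccessFault+0x813
f5af2a90 f660433c 00000000 e1ea9000 00000000 nt!KiTrap0E+0xdc
WARNING: Frame IP not in any known module. Following frames may be wrong.
f5af2b18 e1ea9000 f6609d62 e1ea8ffe f5af2bac 0xf660433c
f5af2b54 8092c745 0000000c 00001538 f6609d62 0xe1ea9000
f5af2bac f63f378b 00000e78 00000000 00000000 nt!IopCreateFile+0x590
f5af2bd8 f63fc007 00000e78 00000001 f5af2c0c srv!SrvVerifyDeviceStackSize+0x1d
f5af2c24 f63fe1cc 85929140 f5af2cc8 00000081 srv!SrvIoCreateFile+0x40f

MODULE_NAME: srv

IMAGE_NAME: srv.sys

FAILURE_BUCKET_ID: 0x50_srv!SrvVerifyDeviceStackSize+1d
"""

HEADER_RE = re.compile(r"^([A-Z_]+) \(([0-9a-fA-F]+)\)$")          # e.g. PAGE_FAULT_IN_NONPAGED_AREA (50)
ARG_RE = re.compile(r"^Arg([1-4]): ([0-9a-fA-F]+),")                # Arg1: e1ea9000, ...
FIELD_RE = re.compile(r"^([A-Z_]+): (.+)$")                        # IMAGE_NAME: srv.sys
FRAME_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) (?:[0-9a-f]{8} ){3}(\S+)$")  # kb-style frame
UNKNOWN_MODULE_WARNING = "Frame IP not in any known module"


@dataclass
class StackFrame:
    child_ebp: str
    ret_addr: str
    symbol: str  # "nt!KiTrap0E+0xdc", or a bare "0xf660433c" when unresolved

    @property
    def resolved(self) -> bool:
        # WinDbg prints a bare address when the IP lies outside every loaded module.
        return not self.symbol.startswith("0x")


@dataclass
class BugcheckSummary:
    name: str = ""
    code: int = 0
    args: List[str] = field(default_factory=lambda: [""] * 4)
    fields: dict = field(default_factory=dict)
    frames: List[StackFrame] = field(default_factory=list)
    unknown_module_warning: bool = False


def parse_analyze_output(text: str) -> BugcheckSummary:
    """Walk the report line by line; the STACK_TEXT block is handled as its own section."""
    s = BugcheckSummary()
    in_stack = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_stack:
            if not line:                      # blank line ends the stack section
                in_stack = False
                continue
            if UNKNOWN_MODULE_WARNING in line:
                s.unknown_module_warning = True
                continue
            m = FRAME_RE.match(line)
            if m:
                s.frames.append(StackFrame(*m.groups()))
            continue
        if line == "STACK_TEXT:":
            in_stack = True
            continue
        m = HEADER_RE.match(line)
        if m and not s.name:
            s.name, s.code = m.group(1), int(m.group(2), 16)
            continue
        m = ARG_RE.match(line)
        if m:
            s.args[int(m.group(1)) - 1] = m.group(2)
            continue
        m = FIELD_RE.match(line)
        if m:
            s.fields[m.group(1)] = m.group(2)
    return s


def unresolved_frames(s: BugcheckSummary) -> List[str]:
    """Return addresses of frames WinDbg could not attribute to any loaded module."""
    return [f.symbol for f in s.frames if not f.resolved]


def triage(s: BugcheckSummary) -> List[str]:
    """Produce short findings in the order a responder would read them."""
    findings = []
    if s.code == 0x50:  # PAGE_FAULT_IN_NONPAGED_AREA: Arg2 distinguishes read from write
        op = "write" if s.args[1] == "00000001" else "read"
        findings.append(f"0x50 {s.name}: {op} of {s.args[0]} by instruction at {s.args[2]}")
    unknown = unresolved_frames(s)
    if unknown or s.unknown_module_warning:
        findings.append("stack passes through code outside every loaded module: " + ", ".join(unknown))
    image = s.fields.get("IMAGE_NAME")
    if image:
        findings.append(f"debugger blames {image} ({s.fields.get('FAILURE_BUCKET_ID', '?')})")
    if unknown and image:
        findings.append(f"caveat: {image} is only the first resolvable frame above the unknown code, "
                        "so the blame line may be misattributed")
    return findings


if __name__ == "__main__":
    for line in triage(parse_analyze_output(SAMPLE_REPORT)):
        print("-", line)
```

Run it on a saved `!analyze -v` transcript instead of the embedded sample by reading the file into `parse_analyze_output`. The point of the last finding is the caveat: when the stack shows a hop into unmapped memory before reaching a named driver, the driver the bucket ID names is where the crash was detected, not necessarily where the bad code lives, which is why a hotfix for the named driver can leave the crash unchanged.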



#2 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:59 PM

Posted 14 December 2010 - 11:46 PM

Do you still desire help?
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:59 PM

Posted 26 December 2010 - 11:24 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic



