Hello again. I'm instructed to start a new topic here regarding a Stop error. It seems that a line in the debugging analysis reports (HERE) indicates a possible infection. I'm posting the report below anyway.
Prior to this blue screen, I've run SAS and ClamWin scans on the system, removed detected threats and rebooted.
The line in question is just below the "Debugging Details" heading and it reads EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: bf953e10, The address that the exception occurred at
Arg3: ab951c00, Trap Frame
Arg4: 00000000

Debugging Details:
------------------

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
win32k!GreGetGlyphIndicesW+af
bf953e10 8b4004 mov eax,dword ptr [eax+4]

TRAP_FRAME: ab951c00 -- (.trap 0xffffffffab951c00)
Unable to read trap frame at ab951c00

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x8E

LAST_CONTROL_TRANSFER: from bf94b49d to bf953e10

STACK_TEXT:
ab951c8c bf94b49d e1681008 e300d200 e167ed08 win32k!GreGetGlyphIndicesW+0xaf
ab951d28 bf94b519 19010dfc 0012ecb8 00000100 win32k!NtGdiGetGlyphIndicesWInternal+0xf2
ab951d48 804de7ec 19010dfc 0012ecb8 00000100 win32k!NtGdiGetGlyphIndicesW+0x1b
ab951d48 7c90e514 19010dfc 0012ecb8 00000100 nt!KiFastCallEntry+0xf8
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012ea28 00000000 00000000 00000000 00000000 0x7c90e514

STACK_COMMAND: kb

FOLLOWUP_IP:
win32k!GreGetGlyphIndicesW+af
bf953e10 8b4004 mov eax,dword ptr [eax+4]

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: win32k!GreGetGlyphIndicesW+af

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: win32k

IMAGE_NAME: win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4cc6d6a2

FAILURE_BUCKET_ID: 0x8E_win32k!GreGetGlyphIndicesW+af

BUCKET_ID: 0x8E_win32k!GreGetGlyphIndicesW+af

Followup: MachineOwner
---------
The second is as follows:
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: bf8124fc, The address that the exception occurred at
Arg3: abeea878, Trap Frame
Arg4: 00000000

Debugging Details:
------------------

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
win32k!ESTROBJ::vInit+43
bf8124fc f6410410 test byte ptr [ecx+4],10h

TRAP_FRAME: abeea878 -- (.trap 0xffffffffabeea878)
Unable to read trap frame at abeea878

CUSTOMER_CRASH_COUNT: 2

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x8E

LAST_CONTROL_TRANSFER: from bf8118c5 to bf8124fc

STACK_TEXT:
abeea900 bf8118c5 e1219cac 0000001e abeeabf0 win32k!ESTROBJ::vInit+0x43
abeeaba4 bf87eb72 abeeabf0 00000015 00000017 win32k!GreExtTextOutWLocked+0x666
abeeabe8 bf87f343 e11889c8 00000015 00000017 win32k!GreExtTextOutWInternal+0x6e
abeead38 804de7ec 2c010f20 00000015 00000017 win32k!NtGdiExtTextOutW+0x2b6
abeead38 7c90e514 2c010f20 00000015 00000017 nt!KiFastCallEntry+0xf8
WARNING: Frame IP not in any known module. Following frames may be wrong.
00127220 00000000 00000000 00000000 00000000 0x7c90e514

STACK_COMMAND: kb

FOLLOWUP_IP:
win32k!ESTROBJ::vInit+43
bf8124fc f6410410 test byte ptr [ecx+4],10h

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: win32k!ESTROBJ::vInit+43

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: win32k

IMAGE_NAME: win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4cc6d6a2

FAILURE_BUCKET_ID: 0x8E_win32k!ESTROBJ::vInit+43

BUCKET_ID: 0x8E_win32k!ESTROBJ::vInit+43

Followup: MachineOwner
---------
Thank you.
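
An added example, not part of the original post: the bugcheck text above says to note the exception address and the link date of the image that contains it, so this Python sketch pulls those fields out of both reports and checks whether the two crashes fault in the same image build. The function names (field, triage, same_image) are hypothetical, and REPORT_1 and REPORT_2 are condensed excerpts whose values are copied from the reports above.

```python
import re
from datetime import datetime, timezone

# Condensed excerpts of the two reports in the post (values copied from it).
REPORT_1 = ("KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e) Arguments: "
            "Arg1: c0000005, The exception code that was not handled "
            "Arg2: bf953e10, The address that the exception occurred at "
            "FAULTING_IP: win32k!GreGetGlyphIndicesW+af bf953e10 8b4004 "
            "IMAGE_NAME: win32k.sys DEBUG_FLR_IMAGE_TIMESTAMP: 4cc6d6a2")
REPORT_2 = ("KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e) Arguments: "
            "Arg1: c0000005, The exception code that was not handled "
            "Arg2: bf8124fc, The address that the exception occurred at "
            "FAULTING_IP: win32k!ESTROBJ::vInit+43 bf8124fc f6410410 "
            "IMAGE_NAME: win32k.sys DEBUG_FLR_IMAGE_TIMESTAMP: 4cc6d6a2")

# Standard NTSTATUS names for the two codes that appear in the reports.
NTSTATUS = {0xC0000005: "STATUS_ACCESS_VIOLATION",
            0x80000003: "STATUS_BREAKPOINT"}

def field(pattern, text):
    """Return the first capture group, or fail loudly if the field is absent."""
    m = re.search(pattern, text)
    if m is None:
        raise ValueError(f"field not found: {pattern}")
    return m.group(1)

def triage(report):
    """Extract the fields worth comparing across crashes from one report."""
    code = int(field(r"Arg1:\s*([0-9a-f]{8})", report), 16)
    stamp = int(field(r"DEBUG_FLR_IMAGE_TIMESTAMP:\s*([0-9a-f]+)", report), 16)
    # The image timestamp is the PE link time in seconds since the Unix epoch.
    linked = datetime.fromtimestamp(stamp, tz=timezone.utc)
    return {
        "bugcheck": field(r"\(([0-9a-f]{8})\)", report),
        "exception": NTSTATUS.get(code, hex(code)),
        "fault_address": field(r"Arg2:\s*([0-9a-f]{8})", report),
        "symbol": field(r"FAULTING_IP:\s*(\S+)", report),
        "image": field(r"IMAGE_NAME:\s*(\S+)", report),
        "link_date": linked.strftime("%Y-%m-%d %H:%M:%S"),
    }

def same_image(reports):
    """True when every crash faults in the same image with the same link date."""
    return len({(t["image"], t["link_date"]) for t in map(triage, reports)}) == 1

if __name__ == "__main__":
    for r in (REPORT_1, REPORT_2):
        print(triage(r))
    print("same image build:", same_image([REPORT_1, REPORT_2]))
```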