Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Frequent BSOD After Virus Removal

  • Please log in to reply
1 reply to this topic

#1 schmendric


  • Members
  • 1 posts
  • Local time:08:29 AM

Posted 18 June 2011 - 10:36 AM

I recently found an awful virus on my computer that simulated a computer crash and wanted me to pay for an "advanced" recovery program. It took a long while to remove and now I am having a new problem, frequent BSODs.I am posting a Windows debugging tool analysis of a memory dump, and any help would be much appreciated.

Thanks in advance.

Microsoft ® Windows Debugger Version 6.12.0002.633 X86
Copyright © Microsoft Corporation. All rights reserved.

Loading Dump File [F:\New Folder\Mini061811-08.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2008/Windows Vista Kernel Version 6002 (Service Pack 2) MP (4 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 6002.18327.x86fre.vistasp2_gdr.101014-0432
Machine Name:
Kernel base = 0x82e3c000 PsLoadedModuleList = 0x82f53c70
Debug session time: Sat Jun 18 10:59:36.760 2011 (UTC - 4:00)
System Uptime: 0 days 1:05:26.657
Loading Kernel Symbols
Loading User Symbols
Loading unloaded module list
* *
* Bugcheck Analysis *
* *

Use !analyze -v to get detailed debugging information.

BugCheck 1000008E, {c0000005, 83019e1b, d67388c4, 0}

Probably caused by : ntkrpamp.exe ( nt!CmpGetNameControlBlock+ff )

Followup: MachineOwner

1: kd> !analyze -v
* *
* Bugcheck Analysis *
* *

This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
Arg1: c0000005, The exception code that was not handled
Arg2: 83019e1b, The address that the exception occurred at
Arg3: d67388c4, Trap Frame
Arg4: 00000000

Debugging Details:

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

83019e1b 3b01 cmp eax,dword ptr [ecx]

TRAP_FRAME: d67388c4 -- (.trap 0xffffffffd67388c4)
ErrCode = 00000000
eax=09c06bb4 ebx=d6738980 ecx=52414823 edx=10252b04 esi=d258a6f0 edi=8ce1a000
eip=83019e1b esp=d6738938 ebp=d6738960 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
83019e1b 3b01 cmp eax,dword ptr [ecx] ds:0023:52414823=????????
Resetting default scope




PROCESS_NAME: setup.exe


LAST_CONTROL_TRANSFER: from 830198ab to 83019e1b

d6738960 830198ab 0000000a 017389a7 d6738a4c nt!CmpGetNameControlBlock+0xff
d6738994 8304057d 9a9fea20 0033c430 008fd434 nt!CmpCreateKeyControlBlock+0x315
d67389e0 83043d5d 9a9fea20 0033c430 9e8fd434 nt!CmpDoOpen+0x2e2
d6738b70 83069615 a6c5e328 85b249c8 865f1d20 nt!CmpParseKey+0x861
d6738c00 83077034 00000160 d6738c58 00000040 nt!ObpLookupObjectName+0x11e
d6738c60 83044802 01d0ddf0 85b249c8 00000001 nt!ObOpenObjectByName+0x13c
d6738d34 8304463c 004c7320 00020019 01d0ddf0 nt!CmOpenKey+0x1b1
d6738d50 82e86c7a 004c7320 00020019 01d0ddf0 nt!NtOpenKey+0x16
d6738d50 77a35ca4 004c7320 00020019 01d0ddf0 nt!KiFastCallEntry+0x12a
WARNING: Frame IP not in any known module. Following frames may be wrong.
01d0de2c 00000000 00000000 00000000 00000000 0x77a35ca4


83019e1b 3b01 cmp eax,dword ptr [ecx]


SYMBOL_NAME: nt!CmpGetNameControlBlock+ff



IMAGE_NAME: ntkrpamp.exe


FAILURE_BUCKET_ID: 0x8E_nt!CmpGetNameControlBlock+ff

BUCKET_ID: 0x8E_nt!CmpGetNameControlBlock+ff

Followup: MachineOwner

BC AdBot (Login to Remove)


#2 TheShooter93



  • Malware Response Team
  • 4,793 posts
  • Gender:Male
  • Location:Orlando, Florida
  • Local time:09:29 AM

Posted 18 June 2011 - 04:42 PM

I suggest you post a thread in the Virus, Trojan, Spyware, and Malware Removal Logs section.

But before you do, make sure to read this: Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Edited by TheShooter93, 18 June 2011 - 04:42 PM.

CCNA R&SCCNA Security | Network+  |  B.S. - Information Technology | Security Engineer

If I am helping you and have not replied within 48 hours, please send me a private message.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users