
Strange CRITICAL_STRUCTURE_CORRUPTION (109) Crashes


13 replies to this topic

#1 InsideIT

InsideIT

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:30 PM

Posted 20 September 2013 - 04:44 PM

Hi All,

 

Long time reader, first time poster. I have a client's laptop that has been crashing with CRITICAL_STRUCTURE_CORRUPTION (109) and MEMORY_MANAGEMENT (1a) BSODs. (debug output below)

 

It *really* looks like bad memory and before I go out and buy some, I'm wondering if anyone has any thoughts? This is what I've done:

 

  • Ran both the built-in memory diagnostic and memtest86, both fine
  • scandisk c: /r /f -- no bad sectors (twice)
  • Updated all drivers that needed it in device manager
  • Cleaned up unnecessary services and startups
  • Scanned for and removed malware with 3 engines
  • Disabled the swap file
  • Ran sigverif.exe -- all OK

Any thoughts?

 

Many thanks

 

 

 




 


#2 InsideIT


Posted 20 September 2013 - 04:45 PM

Oops, forgot debug output:

 

Microsoft ® Windows Debugger Version 6.12.0002.633 AMD64
Copyright © Microsoft Corporation. All rights reserved.


Loading Dump File [C:\BowesIT\091913-105643-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\BowesIT\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7601.18113.amd64fre.win7sp1_gdr.130318-1533
Machine Name:
Kernel base = 0xfffff800`02a52000 PsLoadedModuleList = 0xfffff800`02c95670
Debug session time: Thu Sep 19 06:28:37.145 2013 (UTC - 7:00)
System Uptime: 0 days 0:14:38.721
Loading Kernel Symbols
...............................................................
................................................................
..........................
Loading User Symbols
Loading unloaded module list
.....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 109, {a3a039d8982fe666, b3b7465eeaae22a8, fffff80000b96bb0, 6}

*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Probably caused by : ntoskrnl.exe ( nt_fffff80000b95000+1bb0 )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

CRITICAL_STRUCTURE_CORRUPTION (109)
This bugcheck is generated when the kernel detects that critical kernel code or
data have been corrupted. There are generally three causes for a corruption:
1) A driver has inadvertently or deliberately modified critical kernel code
 or data. See http://www.microsoft.com/whdc/driver/kernel/64bitPatching.mspx
2) A developer attempted to set a normal kernel breakpoint using a kernel
 debugger that was not attached when the system was booted. Normal breakpoints,
 "bp", can only be set if the debugger is attached at boot time. Hardware
 breakpoints, "ba", can be set at any time.
3) A hardware corruption occurred, e.g. failing RAM holding kernel code or data.
Arguments:
Arg1: a3a039d8982fe666, Reserved
Arg2: b3b7465eeaae22a8, Reserved
Arg3: fffff80000b96bb0, Failure type dependent information
Arg4: 0000000000000006, Type of corrupted region, can be
    0 : A generic data region
    1 : Modification of a function or .pdata
    2 : A processor IDT
    3 : A processor GDT
    4 : Type 1 process list corruption
    5 : Type 2 process list corruption
    6 : Debug routine modification
    7 : Critical MSR modification

Debugging Details:
------------------


BUGCHECK_STR:  0x109

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

PROCESS_NAME:  System

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from 0000000000000000 to fffff80002ac7c00

SYMBOL_ON_RAW_STACK:  1

STACK_ADDR_RAW_STACK_SYMBOL: fffff88002ff5600

STACK_COMMAND:  dds FFFFF88002FF5600-0x20 ; kb

STACK_TEXT:  
fffff880`02ff55e0  00000109
fffff880`02ff55e4  00000000
fffff880`02ff55e8  982fe666
fffff880`02ff55ec  a3a039d8
fffff880`02ff55f0  eaae22a8
fffff880`02ff55f4  b3b7465e
fffff880`02ff55f8  00b96bb0
fffff880`02ff55fc  fffff800
fffff880`02ff5600  00000006
fffff880`02ff5604  00000000
fffff880`02ff5608  00000000
fffff880`02ff560c  00000000
fffff880`02ff5610  00000000
fffff880`02ff5614  00000000
fffff880`02ff5618  00000000
fffff880`02ff561c  00000000
fffff880`02ff5620  00000000
fffff880`02ff5624  00000000
fffff880`02ff5628  00000000
fffff880`02ff562c  00000000
fffff880`02ff5630  00000000
fffff880`02ff5634  00000000
fffff880`02ff5638  00000000
fffff880`02ff563c  00000000
fffff880`02ff5640  00000000
fffff880`02ff5644  00000000
fffff880`02ff5648  00000000
fffff880`02ff564c  00000000
fffff880`02ff5650  00000000
fffff880`02ff5654  00000000
fffff880`02ff5658  00000000
fffff880`02ff565c  00000000


FOLLOWUP_IP:
nt_fffff80000b95000+1bb0
fffff800`00b96bb0 48895c2408      mov     qword ptr [rsp+8],rbx

SYMBOL_NAME:  nt_fffff80000b95000+1bb0

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt_fffff80000b95000

IMAGE_NAME:  ntoskrnl.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  5149a99c

FAILURE_BUCKET_ID:  X64_0x109_nt_fffff80000b95000+1bb0

BUCKET_ID:  X64_0x109_nt_fffff80000b95000+1bb0

Followup: MachineOwner






Loading Dump File [C:\BowesIT\091913-64662-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\BowesIT\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7601.18229.amd64fre.win7sp1_gdr.130801-1533
Machine Name:
Kernel base = 0xfffff800`02a54000 PsLoadedModuleList = 0xfffff800`02c976d0
Debug session time: Thu Sep 19 13:24:04.172 2013 (UTC - 7:00)
System Uptime: 0 days 0:02:07.748
Loading Kernel Symbols
...............................................................
................................................................
.
Loading User Symbols
Loading unloaded module list
.....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1A, {3451, fffff6fc40022f50, fffffa80054a6890, 0}

Probably caused by : ntkrnlmp.exe ( nt! ?? ::FNODOBFM::`string'+51e8d )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

MEMORY_MANAGEMENT (1a)
    # Any other values for parameter 1 must be individually examined.
Arguments:
Arg1: 0000000000003451, The PTEs of an outswapped kernel thread stack are corrupt.
Arg2: fffff6fc40022f50
Arg3: fffffa80054a6890
Arg4: 0000000000000000

Debugging Details:
------------------


BUGCHECK_STR:  0x1a_3451

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

PROCESS_NAME:  System

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from fffff80002b4e56d to fffff80002ac9b80

STACK_TEXT:  
fffff880`03140b58 fffff800`02b4e56d : 00000000`0000001a 00000000`00003451 fffff6fc`40022f50 fffffa80`054a6890 : nt!KeBugCheckEx
fffff880`03140b60 fffff800`02afd8f0 : fffffa80`054a6890 00000000`00000000 fffffa80`00000000 fffff800`02afa72b : nt! ?? ::FNODOBFM::`string'+0x51e8d
fffff880`03140c70 fffff800`02afd87f : 00000000`00000000 00000000`00000001 fffffa80`033c8b30 00000000`00000080 : nt!MmInPageKernelStack+0x40
fffff880`03140cd0 fffff800`02afd5c4 : 00000000`00000000 00000000`00000000 fffffa80`033c8b00 ffffffff`efffff00 : nt!KiInSwapKernelStacks+0x1f
fffff880`03140d00 fffff800`02d67bae : 48ff1daf`d3f7ef6a eaffffff`fffffffd f7f94ddf`fcfbffff ffffffff`fffeffff : nt!KeSwapProcessOrStack+0x84
fffff880`03140d40 fffff800`02aba8c6 : fffff800`02c44e80 fffffa80`033eeb50 fffffa80`033ee040 febfffff`f7feffff : nt!PspSystemThreadStartup+0x5a
fffff880`03140d80 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16


STACK_COMMAND:  kb

FOLLOWUP_IP:
nt! ?? ::FNODOBFM::`string'+51e8d
fffff800`02b4e56d cc              int     3

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  nt! ?? ::FNODOBFM::`string'+51e8d

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  51fb06cd

FAILURE_BUCKET_ID:  X64_0x1a_3451_nt!_??_::FNODOBFM::_string_+51e8d

BUCKET_ID:  X64_0x1a_3451_nt!_??_::FNODOBFM::_string_+51e8d

Followup: MachineOwner
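
For comparing several pasted WinDbg summaries like the two above side by side, here is a small triage parser, added as an example and not part of the original post. The function and field names are hypothetical; the Arg4 table is the one printed in the `!analyze -v` text above, and the sample input is an excerpt of the posted output trimmed to the lines the parser reads.

```python
import re

# Arg4 meanings for bugcheck 0x109, as listed in the !analyze -v text above.
REGION_TYPES_109 = {
    0: "A generic data region",
    1: "Modification of a function or .pdata",
    2: "A processor IDT",
    3: "A processor GDT",
    4: "Type 1 process list corruption",
    5: "Type 2 process list corruption",
    6: "Debug routine modification",
    7: "Critical MSR modification",
}

BUGCHECK_RE = re.compile(r"^BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}", re.M)
FIELD_RES = {
    "dump": re.compile(r"^Loading Dump File \[(.+?)\]", re.M),
    "build": re.compile(r"^Built by:\s*(\S+)", re.M),
    "blamed": re.compile(r"^Probably caused by\s*:\s*(\S+)", re.M),
}

def summarize(text):
    """Return one dict per dump; a section starts at 'Loading Dump File'."""
    starts = [m.start() for m in FIELD_RES["dump"].finditer(text)] or [0]
    sections = [text[a:b] for a, b in zip(starts, starts[1:] + [len(text)])]
    results = []
    for sec in sections:
        bc = BUGCHECK_RE.search(sec)
        if not bc:
            continue  # section without a bugcheck summary line
        args = [int(a, 16) for a in bc.group(2).split(",")]
        row = {"code": int(bc.group(1), 16), "args": args}
        for name, rx in FIELD_RES.items():
            m = rx.search(sec)
            row[name] = m.group(1) if m else None
        if row["code"] == 0x109 and len(args) == 4:
            row["region"] = REGION_TYPES_109.get(args[3], "unknown")
        results.append(row)
    return results

# Excerpt of the two summaries posted above, trimmed to the parsed lines.
SAMPLE = """\
Loading Dump File [C:\\BowesIT\\091913-105643-01.dmp]
Built by: 7601.18113.amd64fre.win7sp1_gdr.130318-1533
BugCheck 109, {a3a039d8982fe666, b3b7465eeaae22a8, fffff80000b96bb0, 6}
Probably caused by : ntoskrnl.exe ( nt_fffff80000b95000+1bb0 )
Loading Dump File [C:\\BowesIT\\091913-64662-01.dmp]
Built by: 7601.18229.amd64fre.win7sp1_gdr.130801-1533
BugCheck 1A, {3451, fffff6fc40022f50, fffffa80054a6890, 0}
Probably caused by : ntkrnlmp.exe ( nt! ?? ::FNODOBFM::`string'+51e8d )
"""

for r in summarize(SAMPLE):
    print(r["dump"], hex(r["code"]), r["build"], r["blamed"], r.get("region", ""))
```

Run on the excerpt, it decodes the 0x109 crash as a "Debug routine modification" and shows that the two dumps were taken on different kernel builds (18113 and 18229).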



#3 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:06:30 PM

Posted 20 September 2013 - 04:49 PM

Please perform the following, so that we can get the exact specs of your computer.  This will better assist us in helping you more.
 
 
The below is for those who cannot get online
 
Please take caution when attaching a text file to your post if you cannot copy/paste the link to your post; you will need to edit it to make sure that your Windows Key is not present.

 

So we can see your hardware.  



#4 InsideIT


Posted 20 September 2013 - 05:10 PM

Thank you cryptodan, here it is http://speccy.piriform.com/results/bH2U5DLIjX8L8SVASMNOLMV
 
I should also note that there are a lot of ad popups in IE that nothing has seemed to have killed. I'll see if autoruns can shed any light on that but thought it was worth mentioning.

Edited by InsideIT, 20 September 2013 - 05:10 PM.


#5 cryptodan


Posted 20 September 2013 - 05:23 PM

I noticed you ran other tools to test memory, but you have not run drive diagnostics on this computer.  Please download the following Hitachi Drive Fitness Test and burn it to a CD.  Go into your BIOS and change the boot order from HDD to CD-ROM and let it boot the CD-ROM.  Perform the extended tests and report back.

What kind of popups, and are they happening with IE closed?

Also, you mentioned malware removal tools; what tools did you use?



#6 InsideIT


Posted 20 September 2013 - 05:38 PM


I did run the built-in Compaq drive diagnostics and chkdsk, I'll try the Hitachi diagnostics, thanks for that.

 

The popups are like 250x250 ads in the lower left corner of the IE window, they only come up in IE, nowhere else.

 

For malware I used malwarebytes first, combofix, superantimalware and the f-secure rescue CD.

 

Thanks for the fast help cryptodan!



#7 cryptodan


Posted 20 September 2013 - 05:45 PM

Did you use Combofix in conjunction with a trained person here at BC or at another site?  You may need to get that log analyzed and looked at.



#8 InsideIT


Posted 20 September 2013 - 06:08 PM


No, I didn't. I'm guessing that there are command line parameters but of course I don't know that. I ran it "out of the box" so to speak. I can certainly upload the log if it would be helpful.



#9 hamluis

hamluis

    Moderator


  • Moderator
  • 55,862 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:01:30 PM

Posted 20 September 2013 - 06:10 PM

Well...if you post the answer to Cryptodan's questions...that will shed some light on what direction we need to move toward.

 

As I see it...you either have critical hardware issues...critical malware issues...or serious file corruption issues.  We need to eliminate suspects :).

 

Louis



#10 InsideIT


Posted 20 September 2013 - 06:15 PM


I thought I had posted the answers to Cryptodan's questions hamluis. If there's something I've neglected to answer, I'd appreciate it if it was pointed out. Sorry if I missed something...


Edited by InsideIT, 20 September 2013 - 06:16 PM.


#11 cryptodan


Posted 20 September 2013 - 06:21 PM

Before we continue, I would like for you to get the combofix log analyzed, as that can be the cause of this BSOD and other issues.

 

So Please follow the instructions in ==>This Guide<==.

 
Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==  Please include the link to this topic in your new topic and a description of your computer issues and what you have done to resolve them.
 
If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.
 
Once you have created the new topic, please reply back here with a link to the new topic.


#12 InsideIT


Posted 20 September 2013 - 06:40 PM

Thanks again Cryptodan, in all honesty, I was thinking this was a misbehaving driver issue more than a malware issue and I wasn't aware of the protocol. I have some learning to do. I've been in IT for a number of years but sometimes we lose touch. Your help is appreciated.

I'm running the Toshiba fitness test and I might as well let it finish. Once it's done I'll create a new topic.

 

hamluis, I see where you were going now, cheers.



#13 InsideIT


Posted 21 September 2013 - 09:24 AM

New topic created http://www.bleepingcomputer.com/forums/t/508470/strange-critical-structure-corruption-109-crashes/



#14 hamluis


Posted 21 September 2013 - 04:44 PM

:thumbup2: , I'm a bit slow when it comes to reading all the posts in a topic sometimes :).

 

Louis





