Utorrent BSOD - IRQL



#1 thefish66

Posted 23 September 2014 - 07:19 AM

Hi guys

 

I'm having the BSOD when running uTorrent. Sometimes it crashes after a few minutes, sometimes it runs for hours.

Downloaded and ran BluescreenView. Problem seems to be with NETIO.sys. I've attached some of the minidumps here as a zip file.

 

Also saw looking around that a Kernel memory dump might help, so I made a zip file for that too. Can be found here:

http://1drv.ms/1wJgH1H

 

Computer is an Acer Aspire 5560. Any help would be much appreciated.

Thanks


Edited by hamluis, 24 September 2014 - 09:52 AM.
Moved from Win 7 to Am I Infected - Hamluis.




#2 dicke

Posted 23 September 2014 - 07:05 PM

What's the operating system and the security software? Are both current and have you run any scans?

Thanks


Stay well and surf safe [stay protected]

Dick E


#3 thefish66

Posted 24 September 2014 - 07:08 AM

Windows 7 home edition premium

 

I was using AVG, but saw in some other places it can cause issues. It's been uninstalled and Microsoft Security essentials is now running. Still got a BSOD last night. Quick scan was run - no issues. Full scan is running today.

 

Both have all the updates available



#4 dicke

Posted 24 September 2014 - 07:32 AM

What I've read about utorrent doesn't give me much confidence in the site. I can't recommend it.

If you want a second opinion scan I'd suggest going to eset.com and running their online scanner.

http://www.eset.com/us/online-scanner/

 

Keep us posted

 

Dick


Stay well and surf safe [stay protected]

Dick E


#5 Jared44

Posted 24 September 2014 - 12:43 PM

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 0000000000000028, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff880017526fd, address which referenced memory

We have a 0xD1 bugcheck, in this case it shows that invalid memory was trying to be read at an IRQL of 2.

rax=fffff880033c3920 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff880017526fd rsp=fffff880033c3890 rbp=fffff880033c39b8
 r8=00000000ffffffbc  r9=0000000000000044 r10=0000000000000000
r11=fffffa800a1ad860 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
NETIO!RtlCopyBufferToMdl+0x1d:
fffff880`017526fd 448b5228        mov     r10d,dword ptr [rdx+28h] ds:00000000`00000028=????????

So we had a mov command to copy data from an address calculated by adding 28 and the value of rdx, which results in a memory read from address 0x28, which isn't allowed.

Therefore we crashed.

fffff880`033c35b8 fffff800`02e92169 : 00000000`0000000a 00000000`00000028 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx // BSOD
fffff880`033c35c0 fffff800`02e90de0 : 00000000`00000011 fffff880`01865882 00000000`0000000d 00000000`00000044 : nt!KiBugCheckDispatch+0x69 // call BSOD
fffff880`033c3700 fffff880`017526fd : fffffa80`0ade3cf0 00000000`0000020d fffffa80`06f450c0 fffffa80`07ef7700 : nt!KiPageFault+0x260 //page fault, bring page into memory from disk
fffff880`033c3890 fffff880`018a851b : fffffa80`0acbc870 fffff880`01876822 00000000`00000000 00000000`00000001 : NETIO!RtlCopyBufferToMdl+0x1d
fffff880`033c38f0 fffff880`01874116 : fffffa80`0a1ad860 00000000`00000000 fffffa80`0ade3cf0 00000000`369c378f : tcpip! ?? ::FNODOBFM::`string'+0x1bb3f
fffff880`033c3960 fffff880`01864f38 : 00000000`00000000 00000000`00000000 00000000`00000000 fffffa80`0a2b3030 : tcpip!TcpTcbCarefulDatagram+0x1a46
fffff880`033c3b10 fffff880`0186299a : fffffa80`0ade3cf0 fffff880`0185b800 fffffa80`071b2800 fffffa80`0ac7c220 : tcpip!TcpTcbReceive+0x37c
fffff880`033c3c20 fffff880`018636cb : fffffa80`08af5148 fffffa80`076d8000 00000000`00000000 fffff880`033c3f00 : tcpip!TcpMatchReceive+0x1fa
fffff880`033c3d70 fffff880`0185bf37 : fffffa80`072bca80 fffffa80`072deec3 fffffa80`000074c5 00000000`000074c5 : tcpip!TcpPreValidatedReceive+0x36b
fffff880`033c3e40 fffff880`0185baaa : 00000000`00000000 fffff880`01969800 fffff880`033c4000 fffffa80`06e1ad78 : tcpip!IppDeliverListToProtocol+0x97
fffff880`033c3f00 fffff880`0185b0a9 : fffffa80`0b53b030 00000000`00000000 fffffa80`00000000 fffff880`033c3ff0 : tcpip!IppProcessDeliverList+0x5a
fffff880`033c3fa0 fffff880`01858d4f : 00000000`00000000 00000000`08631000 fffff880`01969800 fffff880`01969800 : tcpip!IppReceiveHeaderBatch+0x23a
fffff880`033c4080 fffff880`01858322 : fffffa80`086325b0 00000000`00000000 fffffa80`08631000 00000000`00000001 : tcpip!IpFlcReceivePackets+0x64f
fffff880`033c4280 fffff880`018cabfa : fffffa80`0759a710 fffffa80`09cf98f0 fffffa80`08631010 fffffa80`072c7d18 : tcpip!FlpReceiveNonPreValidatedNetBufferListChain+0x2b2
fffff880`033c4360 fffff800`02e9e878 : fffff880`033c4370 00000001`00000001 fffffa80`066f4660 00000000`00000001 : tcpip! ?? ::FNODOBFM::`string'+0x49ca2
fffff880`033c43b0 fffff880`01857e42 : fffff880`01857670 fffffa80`0a2b3030 fffff880`033c4500 00000000`00000001 : nt!KeExpandKernelStackAndCalloutEx+0xd8
fffff880`033c4490 fffff880`0170e0eb : fffffa80`086318d0 00000000`00000000 fffffa80`082881a0 fffffa80`067a8ab2 : tcpip!FlReceiveNetBufferListChain+0xb2
fffff880`033c4500 fffff880`016d7ad6 : fffffa80`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ndis!ndisMIndicateNetBufferListsToOpen+0xdb
fffff880`033c4570 fffff880`0165a5d4 : fffffa80`082881a0 fffff880`06a122c4 00000000`00000001 fffff880`06a4230e : ndis!ndisMDispatchReceiveNetBufferLists+0x1d6
fffff880`033c49f0 fffff880`0165a549 : fffff880`033c4b38 fffff880`06a42385 fffff880`033c4af0 fffff880`0423350c : ndis!ndisMTopReceiveNetBufferLists+0x24
fffff880`033c4a30 fffff880`0165a4e0 : fffff880`033c4af0 fffff880`0423362e fffffa80`0a84f010 fffff880`033c4af0 : ndis!ndisFilterIndicateReceiveNetBufferLists+0x29
fffff880`033c4a70 fffff880`0423033e : 00000000`00000001 fffffa80`0862d7e0 fffff880`033c4b38 00000000`00000000 : ndis!NdisFIndicateReceiveNetBufferLists+0x50
fffff880`033c4ab0 fffff880`016730a7 : 00000000`00000001 fffffa80`082881a0 fffffa80`0a2b3030 00000000`00000000 : mfenlfk+0x133e
fffff880`033c4bc0 fffff880`0450f66c : 00000000`00000001 fffff800`030382d8 fffffa80`066f4660 fffffa80`07799890 : ndis! ?? ::FNODOBFM::`string'+0xcd8f
fffff880`033c4c10 fffff880`04509c17 : fffff880`0451f7a8 fffffa80`066f4660 fffffa80`066f4660 00000000`00000000 : tunnel!TeredoWfpIndicationWorker+0xb4
fffff880`033c4c50 fffff800`03189c93 : fffffa80`0862e960 00000000`00000001 fffffa80`08006620 fffffa80`066f4660 : tunnel!LwWorker+0x1b
fffff880`033c4c80 fffff800`02e9c261 : fffff800`03038200 fffff800`03189c01 fffffa80`066f4600 fffffa80`066f4660 : nt!IopProcessWorkItem+0x23
fffff880`033c4cb0 fffff800`0312e73a : 00000000`00000000 fffffa80`066f4660 00000000`00000080 fffffa80`06670990 : nt!ExpWorkerThread+0x111
fffff880`033c4d40 fffff800`02e838e6 : fffff880`03164180 fffffa80`066f4660 fffff880`0316efc0 00000000`00000000 : nt!PspSystemThreadStartup+0x5a
fffff880`033c4d80 00000000`00000000 : fffff880`033c5000 fffff880`033bf000 fffff880`033c49e0 00000000`00000000 : nt!KxStartSystemThread+0x16

We can see a lot of network routines, I won't go into detail about them as networking isn't a strong point of mine anyway.

3: kd> lmvm k57nd60a
start             end                 module name
fffff880`04a00000 fffff880`04a67000   k57nd60a   (no symbols)           
    Loaded symbol image file: k57nd60a.sys
    Image path: \SystemRoot\system32\DRIVERS\k57nd60a.sys
    Image name: k57nd60a.sys
    Timestamp:        Tue Feb 15 04:19:05 2011 (4D59FEB9)
    CheckSum:         00071F18
    ImageSize:        00067000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
3: kd> lmvm bcmwl664
start             end                 module name
fffff880`05815000 fffff880`05c99000   bcmwl664   (no symbols)           
    Loaded symbol image file: bcmwl664.sys
    Image path: \SystemRoot\system32\DRIVERS\bcmwl664.sys
    Image name: bcmwl664.sys
    Timestamp:        Tue Feb 15 07:58:59 2011 (4D5A3243)
    CheckSum:         00487935
    ImageSize:        00484000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

Your network drivers are both over 3 years old; you need to update them on the manufacturer's website.
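
A small triage script for the debugger output quoted in post #5, added here as an example and not part of the original thread: it lists the modules on the call stack, flags frames shown only as module+offset (no symbols loaded), and converts the hex value on each lmvm Timestamp line (the driver's link time as a Unix epoch) into an age. The function names are hypothetical, the sample text is trimmed from the post, and the reference date is an assumption (the date of the post, since the crash time is not shown).

```python
import re
from datetime import datetime, timezone

# Constructed sample: frames and lmvm fields copied from the post above, trimmed.
STACK = """\
fffff880`033c3890 fffff880`018a851b : fffffa80`0acbc870 fffff880`01876822 00000000`00000000 00000000`00000001 : NETIO!RtlCopyBufferToMdl+0x1d
fffff880`033c38f0 fffff880`01874116 : fffffa80`0a1ad860 00000000`00000000 fffffa80`0ade3cf0 00000000`369c378f : tcpip! ?? ::FNODOBFM::`string'+0x1bb3f
fffff880`033c4a70 fffff880`0423033e : 00000000`00000001 fffffa80`0862d7e0 fffff880`033c4b38 00000000`00000000 : ndis!NdisFIndicateReceiveNetBufferLists+0x50
fffff880`033c4ab0 fffff880`016730a7 : 00000000`00000001 fffffa80`082881a0 fffffa80`0a2b3030 00000000`00000000 : mfenlfk+0x133e
fffff880`033c4c50 fffff800`03189c93 : fffffa80`0862e960 00000000`00000001 fffffa80`08006620 fffffa80`066f4660 : tunnel!LwWorker+0x1b
"""
LMVM = """\
    Image name: k57nd60a.sys
    Timestamp:        Tue Feb 15 04:19:05 2011 (4D59FEB9)
    Image name: bcmwl664.sys
    Timestamp:        Tue Feb 15 07:58:59 2011 (4D5A3243)
"""

def stack_modules(text):
    """Return (module, has_symbol) per frame, innermost first."""
    out = []
    for line in text.splitlines():
        parts = line.split(" : ")
        if len(parts) != 3:
            continue  # not a "child-sp retaddr : args : symbol" frame line
        sym = parts[2].split(" //")[0].strip()  # drop trailing annotations
        module = re.split(r"[!+]", sym, maxsplit=1)[0]
        out.append((module, "!" in sym))
    return out

def unsymbolized(text):
    """Modules that appear only as module+offset (no symbols loaded)."""
    return sorted({m for m, has_sym in stack_modules(text) if not has_sym})

def driver_ages(text, as_of):
    """Map image name -> age in years, from the hex link timestamp (Unix epoch)."""
    names = re.findall(r"Image name:\s+(\S+)", text)
    stamps = re.findall(r"Timestamp:.*\(([0-9A-Fa-f]{8})\)", text)
    ages = {}
    for name, stamp in zip(names, stamps):
        built = datetime.fromtimestamp(int(stamp, 16), timezone.utc)
        ages[name] = round((as_of - built).days / 365.25, 1)
    return ages

if __name__ == "__main__":
    print(unsymbolized(STACK))
    print(driver_ages(LMVM, datetime(2014, 9, 24, tzinfo=timezone.utc)))
```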



#6 quietman7

Posted 25 September 2014 - 05:58 PM

Important Note: Using any torrent, file sharing, peer-to-peer (P2P) program (i.e. Limewire, eMule, Kontiki, BitTorrent, BitComet, uTorrent, BitLord, BearShare, Azureus/Vuze, Skype, etc) or visiting such sites is a security risk which can make your system susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. In some cases the computer could be turned into a malware honeypot or zombie.

File sharing networks are thoroughly infested with malware according to security firm Norman ASA and many of them are unsafe to visit or use. The reason for this is that file sharing relies on its members giving and gaining unfettered access to computers across the P2P network. This practice can make you vulnerable to data and identity theft, system infection and remote access exploit by attackers who can take control of your computer without your knowledge.

...It is almost never safe to download executable programs from peer-to-peer file sharing networks because they are a major source of malware infections.

Software Cracks: A Great Way to Infect Your PC

Even if you change the risky default settings to a safer configuration, downloading files from an anonymous source increases your exposure to infection because the files you are downloading may actually contain a disguised threat. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install malware. Many malicious worms and Trojans, such as the Storm Worm, target and spread across P2P files sharing networks because of their known vulnerabilities.

Further some file sharing programs are bundled with other free software you may download (sometimes without the knowledge or consent of the user) and can be the source of various issues and problems to include Adware, and browser hijackers as well as malware.

Even the safest P2P file sharing programs that do not contain bundled spyware, still expose you to risks because of the very nature of the P2P file sharing process. By default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The best way to eliminate these risks is to avoid using P2P applications and torrent web sites. Using P2P programs, file sharing or browsing torrent sites is almost a guaranteed way to get yourself infected!!
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
