Daily Crashes



#1 Daenyathos (Members, 4 posts)

Posted 30 May 2015 - 11:14 PM

OS - Windows 7 Professional, x64
System was first installed with Windows 7 Ultimate, now Windows 7 Professional
Full Retail Version
Age of hardware is 2 years 5 months
OS Reinstalled, 5 months old
CPU: Intel® Core™ i7 2600k CPU @ 3.40GHz 3.70GHz
Video Card: AMD Radeon 6900 Series
Motherboard: Gigabyte Technology Co. Ltd. Model: Z68X-UD3H-B3
Power Supply: Corsair TX750M
System Manufacturer: Self-built/Custom
Exact Model Number: N/A
Desktop

Problem Information: My computer must be restarted once per day or else it will BSOD and restart on its own. This also happens when I attempt to run a virus scan with either Malwarebytes or SUPERAntiSpyware. I suspect it is a virus but I am not certain. If any more information is needed please do not hesitate to ask. Any assistance would be appreciated.

Thank you.


#2 ring 0 (BSOD Kernel Dump Expert, 89 posts)

Posted 31 May 2015 - 01:31 PM

6: kd> .bugcheck
Bugcheck code 000000F4
Arguments 00000000`00000003 fffffa80`0e7fdb30 fffffa80`0e7fde10 fffff800`03176940

Let's set the process context:

6: kd> .process fffffa800e7fde10
Implicit process is now fffffa80`0e7fde10

Now let's see the EPROCESS/thread stack:

6: kd> !process
GetPointerFromAddress: unable to read from fffff800030af000
PROCESS fffffa800e7fdb30
    SessionId: none  Cid: 01e4    Peb: 7fffffd6000  ParentCid: 01d8
    DirBase: 3c72c3000  ObjectTable: fffff8a00a433cb0  HandleCount: <Data Not Accessible>
    Image: csrss.exe
    VadRoot fffffa800e553260 Vads 106 Clone 0 Private 2759. Modified 20170. Locked 2025.
    DeviceMap fffff8a0000060f0
    Token                             fffff8a00a441060
    ReadMemory error: Cannot get nt!KeMaximumIncrement value.
fffff78000000000: Unable to get shared data
    ElapsedTime                       00:00:00.000
    UserTime                          00:00:00.000
    KernelTime                        00:00:00.000
    QuotaPoolUsage[PagedPool]         429824
    QuotaPoolUsage[NonPagedPool]      21016
    Working Set Sizes (now,min,max)  (2981, 50, 345) (11924KB, 200KB, 1380KB)
    PeakWorkingSetSize                19165
    VirtualSize                       195 Mb
    PeakVirtualSize                   328 Mb
    PageFaultCount                    58451
    MemoryPriority                    BACKGROUND
    BasePriority                      13
    CommitCharge                      5177

csrss.exe was the process that unexpectedly closed, therefore that's the reason for the bug check. Windows cannot run without this process, as it's a necessary subsystem.

 

The fact that you crash during a scan and get 0xF4 with csrss.exe as the terminating object is classic malware behavior, so yes, you're likely infected. I cannot tell you what you're infected with without a kernel-dump though, so try and get that for me. Even if you get it for me, I still may not be able to. We'll see. Do the following:

 

1. Windows key + Pause key. This should bring up System. Click Advanced System Settings on the left > Advanced > Startup and Recovery > Settings > System Failure > ensure there is a check mark next to 'Write an event to the system log'.

Ensure kernel-dumps are set to generate in C:\Windows as MEMORY.DMP.

 

2. Enable Driver Verifier:

 

Driver Verifier:

What is Driver Verifier?

Driver Verifier monitors Windows kernel-mode drivers, graphics drivers, and even 3rd party drivers to detect illegal function calls or actions that might corrupt the system. Driver Verifier can subject the Windows drivers to a variety of stresses and tests to find improper behavior.

Essentially, if there's a 3rd party driver believed to be causing the issues at hand, enabling Driver Verifier will help us see which specific driver is causing the problem.

Before enabling Driver Verifier, it is recommended to create a System Restore Point:

Vista - START | type rstrui - create a restore point
Windows 7 - START | type create | select "Create a Restore Point"
Windows 8/8.1 - http://www.eightforums.com/tutorials/4690-restore-point-create-windows-8-a.html

How to enable Driver Verifier:

Start > type "verifier" without the quotes > Select the following options -

1. Select - "Create custom settings (for code developers)"
2. Select - "Select individual settings from a full list"
3. Check the following boxes -
- Special Pool
- Pool Tracking
- Force IRQL Checking
- Deadlock Detection
- Security Checks (only on Windows 7 & 8/8.1)
- DDI compliance checking (only on Windows 8/8.1)
- Miscellaneous Checks
4. Select  - "Select driver names from a list"
5. Click on the "Provider" tab. This will sort all of the drivers by the provider.
6. Check EVERY box that is NOT provided by Microsoft / Microsoft Corporation.
7. Click on Finish.
8. Restart.

Important information regarding Driver Verifier:
 
- Perhaps the most important which I will now clarify as this has been misunderstood often, enabling Driver Verifier by itself is not! a solution, but instead a diagnostic utility. It will tell us if a driver is causing your issues, but again it will not outright solve your issues.

- If Driver Verifier finds a violation, the system will BSOD. To expand on this a bit more for the interested, specifically what Driver Verifier actually does is it looks for any driver making illegal function calls, causing memory leaks, etc. When and/if this happens, system corruption occurs if allowed to continue. When Driver Verifier is enabled per my instructions above, it is monitoring all 3rd party drivers (as we have it set that way) and when it catches a driver attempting to do this, it will quickly flag that driver as being a troublemaker, and bring down the system safely before any corruption can occur.

- After enabling Driver Verifier and restarting the system, depending on the culprit, if for example the driver is on start-up, you may not be able to get back into normal Windows because Driver Verifier will detect it in violation almost straight away, and as stated above, that will cause / force a BSOD.

If this happens, do not panic, do the following:

- Boot into Safe Mode by repeatedly tapping the F8 key during boot-up.

- Once in Safe Mode - Start > Search > type "cmd" without the quotes.

- To turn off Driver Verifier, type in cmd "verifier /reset" without the quotes.

- Restart and boot into normal Windows.

If your OS became corrupt or you cannot boot into Windows after disabling verifier via Safe Mode:

- Boot into Safe Mode by repeatedly tapping the F8 key during boot-up.

- Once in Safe Mode - Start > type "system restore" without the quotes.

- Choose the restore point you created earlier.

-- Note that Safe Mode for Windows 8/8.1 is a bit different, and you may need to try different methods: 5 Ways to Boot into Safe Mode in Windows 8 & Windows 8.1

How long should I keep Driver Verifier enabled for?

I recommend keeping it enabled for at least 24 hours. If you don't BSOD by then, disable Driver Verifier. I will usually say whether or not I'd like for you to keep it enabled any longer.

My system BSOD'd with Driver Verifier enabled, where can I find the crash dumps?

- If you have the system set to generate Small Memory Dumps, they will be located in %systemroot%\Minidump.

- If you have the system set to generate Kernel Memory Dumps, it will be located in %systemroot% and labeled MEMORY.DMP.

Any other questions can most likely be answered by this article:

http://support.microsoft.com/kb/244617

 

3. After crashing with #'s 1 and 2 done, upload the kernel-dump to Onedrive or something similar, and paste the link here.
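The reading ring 0 gives of the `.bugcheck` and `!process` output above can be automated for triage. The following Python script is an added example, not code from the thread or from BleepingComputer: it parses the two listings, decodes the four 0xF4 arguments using their documented meanings (argument 1: 0x3 for a process, 0x6 for a thread; argument 2: the terminating object; argument 3: the image file name; argument 4: an explanatory message), checks that the object in argument 2 is the EPROCESS that `!process` printed, and flags whether the image is one of the processes Windows treats as critical. The sample listings are copied from the post; the set of critical process names is an assumption.

```python
"""Triage helper for a WinDbg 0xF4 (CRITICAL_OBJECT_TERMINATION) bugcheck.

Parses the text output of `.bugcheck` and `!process` and turns the four
bugcheck arguments into a readable summary.  Argument meanings follow the
Microsoft bug check reference for 0xF4.
"""
import re

# Sample debugger output, copied from the thread into strings so the script
# runs offline; any other `.bugcheck` / `!process` listing works the same way.
BUGCHECK_TEXT = """\
6: kd> .bugcheck
Bugcheck code 000000F4
Arguments 00000000`00000003 fffffa80`0e7fdb30 fffffa80`0e7fde10 fffff800`03176940
"""

PROCESS_TEXT = """\
6: kd> !process
PROCESS fffffa800e7fdb30
    SessionId: none  Cid: 01e4    Peb: 7fffffd6000  ParentCid: 01d8
    Image: csrss.exe
"""

# Object types reported in argument 1 of bug check 0xF4.
F4_OBJECT_TYPES = {0x3: "process", 0x6: "thread"}

# Assumption: processes commonly marked critical, whose exit raises 0xF4.
CRITICAL_PROCESSES = {"csrss.exe", "wininit.exe", "smss.exe", "services.exe"}


def hex_to_int(token: str) -> int:
    """WinDbg prints 64-bit values as hi`lo; strip the backtick first."""
    return int(token.replace("`", ""), 16)


def parse_bugcheck(text: str):
    """Return (code, [arg1..arg4]) from `.bugcheck` output."""
    code = re.search(r"Bugcheck code ([0-9A-Fa-f]+)", text)
    args = re.search(r"Arguments\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)", text)
    if not code or not args:
        raise ValueError("not a .bugcheck listing")
    return int(code.group(1), 16), [hex_to_int(a) for a in args.groups()]


def parse_process(text: str):
    """Return (eprocess_address, image_name) from `!process` output."""
    addr = re.search(r"^PROCESS ([0-9a-fA-F]+)", text, re.M)
    image = re.search(r"^\s*Image:\s*(\S+)", text, re.M)
    if not addr or not image:
        raise ValueError("not a !process listing")
    return int(addr.group(1), 16), image.group(1)


def describe_f4(args):
    """Decode the four 0xF4 arguments into named fields."""
    return {
        "object_type": F4_OBJECT_TYPES.get(args[0], f"unknown(0x{args[0]:x})"),
        "object": args[1],
        "image_name_ptr": args[2],
        "message_ptr": args[3],
    }


def triage(bugcheck_text: str, process_text: str) -> dict:
    """Combine both listings and check that they describe the same object."""
    code, args = parse_bugcheck(bugcheck_text)
    result = {"code": code, "consistent": None, "critical": None, "image": None}
    if code != 0xF4:
        return result
    info = describe_f4(args)
    eprocess, image = parse_process(process_text)
    result.update(info)
    result["image"] = image
    # Argument 2 should be the EPROCESS that `!process` printed; a mismatch
    # means the debugger context was set to some other address.
    result["consistent"] = (info["object_type"] == "process"
                            and eprocess == info["object"])
    result["critical"] = image.lower() in CRITICAL_PROCESSES
    return result


if __name__ == "__main__":
    r = triage(BUGCHECK_TEXT, PROCESS_TEXT)
    print(f"bugcheck 0x{r['code']:X}: {r['object_type']} 0x{r['object']:x} "
          f"({r['image']}) terminated; critical={r['critical']} "
          f"consistent={r['consistent']}")
```

Run it against a pasted listing from any 0xF4 dump; the `consistent` flag is the useful part, since it tells you whether the process you are about to inspect is the one that actually terminated.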



#3 Daenyathos (Topic Starter, Members, 4 posts)

Posted 03 June 2015 - 05:23 PM

Here it is:

 

https://onedrive.live.com/redir?resid=C744D90670E369E!837&authkey=!ABjgWOLKsblll2Q&ithint=file%2cDMP



#4 ring 0 (BSOD Kernel Dump Expert, 89 posts)

Posted 04 June 2015 - 05:58 PM

For some reason, the download fails consistently. Would you mind please re-zipping it, re-uploading it, and then pasting the link?


Edited by ring 0, 07 June 2015 - 12:12 PM.


#5 crossfirez-28 (Members, 16 posts)

Posted 04 June 2015 - 06:00 PM

I am having similar issues, just no BSOD since about mid May. Windows 7 Pro 64 bit. Stalling and unresponsive. Somehow, although I am just learning how to fix such problems, I'm thinking it is related to an update from Windows. I will continue to follow this thread in hopes you find a resolution.



#6 Daenyathos (Topic Starter, Members, 4 posts)

Posted 04 June 2015 - 10:18 PM

No problem, I've also added the minidump file if you need it, and the unzipped versions of both just in case.
 
I hope it works this time:

 

https://onedrive.live.com/redir?resid=C744D90670E369E!848&authkey=!AEx5JOisfQytwLs&ithint=file%2cdmp            (Minidump unzipped)

 

https://onedrive.live.com/redir?resid=C744D90670E369E!849&authkey=!AO8j8RAQLY4eVhg&ithint=file%2czip           (Minidump zipped)

 

https://onedrive.live.com/redir?resid=C744D90670E369E!851&authkey=!AAWR0nCqWPwTGuM&ithint=file%2cDMP   (MEMORY.DMP unzipped)

 

https://onedrive.live.com/redir?resid=C744D90670E369E!850&authkey=!AHHEVeHJagHer0w&ithint=file%2czip           (MEMORY.DMP zipped)



#7 thisisu (Malware Response Team, 2,525 posts, USA)

Posted 06 June 2015 - 05:53 PM

Can you uninstall the "Microsoft Virtual WiFi Miniport Adapter" from Device Manager? Driver Verifier blames its driver (dated 2009) for crashing. I'm also unable to download either MEMORY.DMP files you posted. Tried 3 times. Failed - Network Error each time.
 

FAILURE_BUCKET_ID:  X64_0x50_VRF_vwifimp+6744
STACK_TEXT:  
fffff880`03361e80 fffff880`06366744 : 00000000`00000000 fffff880`06364110 fffffa80`103601a0 fffff980`075a6fa0 : ndis!NdisMSetMiniportAttributes+0x9b
fffff880`03361ec0 00000000`00000000 : fffff880`06364110 fffffa80`103601a0 fffff980`075a6fa0 fffff880`03361fb0 : vwifimp+0x6744

ndis (network related) before vwifimp
 

OS - Windows 7 Professional

 
vwifimp.sys ->  Part of the Windows 8 Operating System according to herdProtect

Did you ever try out the Windows 8 Preview?
 
Description: Virtual WiFi Miniport Driver. Virtual Box is also installed. Wondering if that has any effect on that particular driver. ring0 would probably know more.

Network Card(s):           3 NIC(s) Installed.
                           [02]: Microsoft Virtual WiFi Miniport Adapter
                                 Connection Name: Wireless Network Connection 2
                                 Status:          Media disconnected

Edited by thisisu, 06 June 2015 - 06:20 PM.


#8 ring 0 (BSOD Kernel Dump Expert, 89 posts)

Posted 07 June 2015 - 03:43 PM

I'm not sure what you're doing during uploading of files, but everything is uploading in parts. It's not uploading as just the single file.



#9 Daenyathos (Topic Starter, Members, 4 posts)

Posted 07 June 2015 - 04:43 PM

Microsoft Virtual WiFi Miniport Adapter is now uninstalled. No, I haven't tried the Windows 8 preview, or anything related to Windows 8 at all really.

 

I uploaded the files to File Dropper, I hope it works this time. Here are the links:

 

http://www.filedropper.com/memory (MEMORY.DMP Zipped)

 

http://www.filedropper.com/060415-17066-01 (Minidump Zipped)



#10 thisisu (Malware Response Team, 2,525 posts, USA)

Posted 07 June 2015 - 05:14 PM

That worked, and it looks like it shows the same driver as the culprit:

*** ERROR: Module load completed but symbols could not be loaded for vwifimp.sys
Probably caused by : vwifimp.sys ( vwifimp+6744 )

I guess just let us know if you continue to experience BSODs after removing Microsoft Virtual WiFi Miniport Adapter.


Edited by thisisu, 07 June 2015 - 05:15 PM.


#11 ring 0 (BSOD Kernel Dump Expert, 89 posts)

Posted 07 June 2015 - 06:47 PM

2: kd> !locks
**** DUMP OF ALL RESOURCE OBJECTS ****
KD: Scanning for held locks..

Resource @ nt!IopDeviceTreeLock (0xfffff80003085ea0)    Shared 1 owning threads
     Threads: fffffa800cab9040-01<*> 
KD: Scanning for held locks.

Resource @ nt!PiEngineLock (0xfffff80003085da0)    Exclusively owned
    Contention Count = 7
    NumberOfExclusiveWaiters = 1
     Threads: fffffa800cab9040-01<*> 
     Threads Waiting On Exclusive Access:
              fffffa800cabb660       

KD: Scanning for held locks...........................................................

Resource @ 0xfffffa800efb58c8    Shared 1 owning threads
     Threads: fffffa800f4b5570-01<*> 
KD: Scanning for held locks.

Resource @ 0xfffffa800fe38bf8    Shared 1 owning threads
     Threads: fffffa800fdf6640-01<*> 
KD: Scanning for held locks.

Resource @ 0xfffffa800fe39508    Shared 1 owning threads
     Threads: fffffa8010274a10-01<*> 
KD: Scanning for held locks...............
2401 total locks, 5 locks currently held

First of all, there's a lock being held at the time of the crash.

2: kd> !thread fffffa8010274a10
THREAD fffffa8010274a10  Cid 00c4.0510  Teb: 000007fffff9c000 Win32Thread: fffff900c1afb6a0 WAIT: (WrPageIn) KernelMode Non-Alertable
    fffffa800ef36310  NotificationEvent
IRP List:
    fffffa80102e47b0: (0006,03e8) Flags: 00060403  Mdl: fffffa800ef363b0
    fffffa80102e4010: (0006,03e8) Flags: 00060900  Mdl: 00000000
Not impersonating
DeviceMap                 fffff8a000007e80
Owning Process            fffffa800fe033d0       Image:         svchost.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      1267           Ticks: 43 (0:00:00:00.670)
Context Switch Count      1065           IdealProcessor: 6                 LargeStack
UserTime                  00:00:00.015
KernelTime                00:00:00.015
Win32 Start Address 0x000007feff57a808
Stack Init fffff88004740c70 Current fffff88004740030
Base fffff88004741000 Limit fffff88004738000 Call 0
Priority 9 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffff880`04740070 fffff800`02e80802 : 00000000`00000002 fffffa80`10274a10 00000000`00000000 fffff800`03325a6a : nt!KiSwapContext+0x7a
fffff880`047401b0 fffff800`02e8451f : fffff800`03117ef7 00000000`00000000 fffffa80`00000000 fffffa80`10274a10 : nt!KiCommitThreadWait+0x1d2
fffff880`04740240 fffff800`02eabe12 : 00000000`00000000 fffffa80`00000009 fffffa80`102e3d00 fffffa80`0ef36300 : nt!KeWaitForSingleObject+0x19f
fffff880`047402e0 fffff800`02e6baf3 : fffffa80`0ef362f0 00000000`00000000 00000000`00000000 00000000`00000000 : nt!MiWaitForInPageComplete+0xc2
fffff880`047403c0 fffff800`03166460 : 00000000`00000000 00000000`00000000 fffffa80`102e3d10 00000000`01e6f360 : nt!CcFetchDataForRead+0x1c3
fffff880`04740420 fffff880`012585d0 : fffff8a0`00000000 00000000`00000005 fffffa80`00040000 fffff880`012aa001 : nt!CcCopyRead+0x180
fffff880`047404e0 fffff880`0125a0b3 : fffffa80`102e4010 fffff8a0`010cea03 fffff880`047406e0 fffff880`047406d8 : Ntfs!NtfsCachedRead+0x180
fffff880`04740540 fffff880`0125a478 : fffffa80`0fe317c0 fffffa80`102e4010 fffff880`04740601 fffffa80`0e75a000 : Ntfs!NtfsCommonRead+0x19ea
fffff880`047406b0 fffff800`0332bd46 : fffffa80`102e4010 fffffa80`102e4010 fffffa80`0e75a030 fffffa80`0df0f690 : Ntfs!NtfsFsdRead+0x1b8
fffff880`04740760 fffff880`01010bcf : fffffa80`102e43b0 fffff880`04740800 fffffa80`1029b010 fffffa80`0df0f690 : nt!IovCallDriver+0x566
fffff880`047407c0 fffff880`0100f6df : fffffa80`0e4a6de0 fffffa80`0e4a6de0 fffffa80`0e4a6d00 fffffa80`102e4010 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x24f
fffff880`04740850 fffff800`0332bd46 : fffffa80`102e4010 00000000`00000002 00000000`00000300 fffff800`02e8e701 : fltmgr!FltpDispatch+0xcf
fffff880`047408b0 fffff800`0318530b : 00000000`00000000 fffffa80`102e3d10 00000000`00000001 fffffa80`101de740 : nt!IovCallDriver+0x566
fffff880`04740910 fffff800`031661b3 : fffffa80`102e3d10 fffff880`04740b60 fffffa80`102e3d10 fffff800`02e86d01 : nt!IopSynchronousServiceTail+0xfb
fffff880`04740980 fffff800`02e7bcd3 : 00000000`00000518 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtReadFile+0x631
fffff880`04740a70 00000000`7732dc3a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`04740ae0)
00000000`01e6f228 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x7732dc3a

According to the stack, we appear to have the lock from waiting to read data from a file (KeWaitForSingleObject - KiCommitThreadWait).

 

If we switch to core #4:

4: kd> knL
 # Child-SP          RetAddr           Call Site
00 fffff880`03346880 fffff800`02f87a45 nt!MiRemoveWorkingSetPages+0x12f
01 fffff880`03346900 fffff800`02f89007 nt!MiEmptyWorkingSet+0x285
02 fffff880`033469b0 fffff800`03326391 nt!MiTrimAllSystemPagableMemory+0x218
03 fffff880`03346a10 fffff800`033264ef nt!MmVerifierTrimMemory+0xf1
04 fffff880`03346a40 fffff800`03326c44 nt!ViKeRaiseIrqlSanityChecks+0xcf
05 fffff880`03346a80 fffff880`03826042 nt!VerifierKeAcquireSpinLockRaiseToDpc+0x54
06 fffff880`03346ae0 fffff880`038264b3 bcmwlhigh664+0x20042
07 fffff880`03346b10 fffff800`03172743 bcmwlhigh664+0x204b3
08 fffff880`03346b40 fffff800`02e866a5 nt!IopProcessWorkItem+0x23
09 fffff880`03346b70 fffff800`03116aba nt!ExpWorkerThread+0x111
0a fffff880`03346c00 fffff800`02e6e426 nt!PspSystemThreadStartup+0x5a
0b fffff880`03346c40 00000000`00000000 nt!KiStartSystemThread+0x16

A system thread started, which is a worker thread to process a work item regarding the Broadcom 802.11 USB Network Adapter. Verifier is enabled, therefore it checks to ensure it's at the IRQL it's supposed to be. Pageable system memory is removed as well as the process to empty as many pages from the working set list as possible, which is where we hang.

 

To be quite honest, given NDIS being involved in the initialization of adapter(s), and setting miniport attributes:

ndis!ndisMInitializeAdapter

I'd say Broadcom is our reason for the lock, especially considering it's a 4+ year old driver:

0: kd> lmvm bcmwlhigh664
start             end                 module name
fffff880`03806000 fffff880`0393d000   bcmwlhigh664   (no symbols)           
    Loaded symbol image file: bcmwlhigh664.sys
    Image path: \SystemRoot\system32\DRIVERS\bcmwlhigh664.sys
    Image name: bcmwlhigh664.sys
    Timestamp:        Tue Apr 19 03:13:08 2011 (4DAD3604)
    CheckSum:         00137E7A
    ImageSize:        00137000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

Try updating it if available.


Edited by ring 0, 07 June 2015 - 06:49 PM.
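The chain of reasoning in the post above (a held lock, a worker thread stack that ends in a third-party module, and a driver whose link timestamp is years old) can be turned into a repeatable check over the raw WinDbg text. The Python script below is an added example, not code from the thread or from BleepingComputer. It parses `!locks` output for exclusively owned resources that have waiters, walks a `knL` stack to find the first frame outside a set of Microsoft modules, and converts the hex link timestamp printed by `lmvm` into a driver age. The sample strings are shortened copies of the listings in the post; the set of modules treated as Microsoft-owned and the reference date used as "now" are assumptions.

```python
"""Triage helpers for a Driver Verifier hang, working on WinDbg text output.

  * `!locks` -> exclusively owned resources that have threads waiting
  * `knL`    -> first stack frame belonging to a non-Microsoft module
  * `lmvm`   -> link timestamp of the module, turned into an age in years
"""
import re
from datetime import datetime, timezone

# Sample listings, shortened from the thread above so the script runs offline.
LOCKS_TEXT = """\
Resource @ nt!IopDeviceTreeLock (0xfffff80003085ea0)    Shared 1 owning threads
     Threads: fffffa800cab9040-01<*>
Resource @ nt!PiEngineLock (0xfffff80003085da0)    Exclusively owned
    Contention Count = 7
    NumberOfExclusiveWaiters = 1
     Threads: fffffa800cab9040-01<*>
     Threads Waiting On Exclusive Access:
              fffffa800cabb660
Resource @ 0xfffffa800efb58c8    Shared 1 owning threads
     Threads: fffffa800f4b5570-01<*>
"""

STACK_TEXT = """\
 # Child-SP          RetAddr           Call Site
00 fffff880`03346880 fffff800`02f87a45 nt!MiRemoveWorkingSetPages+0x12f
01 fffff880`03346900 fffff800`02f89007 nt!MiEmptyWorkingSet+0x285
05 fffff880`03346a80 fffff880`03826042 nt!VerifierKeAcquireSpinLockRaiseToDpc+0x54
06 fffff880`03346ae0 fffff880`038264b3 bcmwlhigh664+0x20042
07 fffff880`03346b10 fffff800`03172743 bcmwlhigh664+0x204b3
08 fffff880`03346b40 fffff800`02e866a5 nt!IopProcessWorkItem+0x23
"""

LMVM_TEXT = """\
fffff880`03806000 fffff880`0393d000   bcmwlhigh664   (no symbols)
    Timestamp:        Tue Apr 19 03:13:08 2011 (4DAD3604)
"""

# Assumption: modules treated as Microsoft-owned when walking the stack.
MICROSOFT_MODULES = {"nt", "hal", "ndis", "ntfs", "fltmgr", "win32k"}

# Assumption: date of the analysis in the thread, used as "now" so the
# computed age does not drift each time the script is run.
REFERENCE_DATE = datetime(2015, 6, 7, tzinfo=timezone.utc)


def contended_locks(text: str):
    """Return [(resource, waiters)] for exclusively owned resources with waiters."""
    found, current = [], None
    for line in text.splitlines():
        m = re.match(r"Resource @ (\S+(?: \(0x[0-9a-f]+\))?)\s+(.*)", line)
        if m:
            # Only keep tracking the resource if it is exclusively owned.
            current = m.group(1) if "Exclusively owned" in m.group(2) else None
            continue
        w = re.match(r"\s*NumberOfExclusiveWaiters = (\d+)", line)
        if w and current:
            found.append((current, int(w.group(1))))
    return found


def module_of(call_site: str) -> str:
    """'nt!KiSwapContext+0x7a' -> 'nt'; 'bcmwlhigh664+0x20042' -> 'bcmwlhigh664'."""
    return re.split(r"[!+]", call_site, maxsplit=1)[0]


def first_third_party_frame(text: str):
    """Return (frame, module, call_site) for the first non-Microsoft frame, or None."""
    for line in text.splitlines():
        m = re.match(r"\s*([0-9a-f]{2})\s+[0-9a-f`]+\s+[0-9a-f`]+\s+(\S+)", line)
        if not m:
            continue
        module = module_of(m.group(2))
        if module.lower() not in MICROSOFT_MODULES:
            return int(m.group(1), 16), module, m.group(2)
    return None


def driver_age_years(text: str, now: datetime = REFERENCE_DATE) -> float:
    """Parse the hex link timestamp (seconds since the Unix epoch) from lmvm output."""
    m = re.search(r"Timestamp:.*\(([0-9A-Fa-f]{8})\)", text)
    if not m:
        raise ValueError("no Timestamp line in lmvm output")
    linked = datetime.fromtimestamp(int(m.group(1), 16), tz=timezone.utc)
    return (now - linked).total_seconds() / (365.25 * 86400)


def summarize(locks_text: str, stack_text: str, lmvm_text: str) -> dict:
    """Bundle the three checks into one result the way a triage note would."""
    frame = first_third_party_frame(stack_text)
    return {
        "contended_locks": contended_locks(locks_text),
        "suspect_module": frame[1] if frame else None,
        "suspect_frame": frame[0] if frame else None,
        "driver_age_years": round(driver_age_years(lmvm_text), 2),
    }


if __name__ == "__main__":
    for key, value in summarize(LOCKS_TEXT, STACK_TEXT, LMVM_TEXT).items():
        print(f"{key}: {value}")
```

The stack heuristic only says which third-party module was on the stack first; as the post itself shows, you still confirm it by looking at what that frame was doing and how old the binary is before blaming the driver.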




