BSOD coinciding with CPU slowdown


7 replies to this topic

#1 Falcon197

Falcon197

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:52 AM

Posted 06 March 2018 - 06:16 PM

Hi there,
 
I'm getting about 1-2 BSODs a day and I have reason to think it's my 3-year-old CPU.  My desktop rig is primarily built for gaming and starting about 2 weeks ago I noticed I was getting significant frame drops whenever I'd switch between games. I'm aware this is sometimes a GPU or driver issue tied to VRAM but this was far more pronounced than I've ever experienced and in some cases a reboot didn't solve it.
 
Next came the pop-ups from trying to run certain games, saying "Your CPU isn't fast enough to run this program" and even with reboots allowing me to override these I'd still get major framerate lag in games that previously ran +60FPS at high settings.  The BSODs started not long after that and have been continuous even after updating my OS and GPU drivers.
 
I also haven't added any new hardware, software, or externals that would lead to this.  The BSODs themselves seem to happen whenever I'm multi-tabbing in my browser and other windows versus when I'm gaming.  My system performance also feels slower overall, both with reboots and normal processing.
 
My first suspicion was the GPU, but having experienced GPU-related BSODs before and solved them, I'm seeing different symptoms this time around.  Bad RAM may also be the cause but I haven't performed a RAM test yet.  The HDD tests (Long Generic) recommended by this site came back clean on both my drives.
 
One other thing worth noting: I've done a lot of crypto mining on this system using XMR-STAK, which leverages both the GPU and CPU.  My last few times running it, I noticed a major hashrate drop in the CPU's output (every core's rate dropped by 80%) while the GPU remained consistent.  So perhaps mining somehow damaged the processor and created these other problems.  I've avoided running any mining programs since all this began.
 
Any advice or guidance would be really helpful. Below are my specs and some images of the BSOD and the error report I'd get on reboot. I haven't done any overclocking:
 
CPU: Intel Core i7-4790K Devil’s Canyon Quad-Core 4.0 GHz LGA 1150
CPU Heatsink: Cooler Master V8 GTS
Mobo: ASUS Sabertooth Z97 Mark S ATX
RAM: 4 x Corsair Vengeance Pro 8GB DDR3 1866
HDD: 1 x Seagate ST1000DM003 1TB, 1 x WD Red 3TB NAS
PSU: Corsair CHX850 ATX12V
GPU: 1 x EVGA GeForce 980 Ti
OS: Win7 64-bit (6.1, Build 7601) OEM - installed since I built the system in 2015, no previous OS or subsequent reinstallation
 
All hardware is 2-3 years old.  The only things upgraded since the system was built were the GPU and PSU.
 
I've attached the Sysnative zip as instructed along with images of the BSOD and the error report I received post reboot.
 
Attached File  BSDO.png   649.16KB   0 downloads
Attached File  BSOD1.png   50.54KB   0 downloads
Attached File  BSOD2.png   53.27KB   0 downloads

Edited by Falcon197, 06 March 2018 - 06:19 PM.




#2 bwv848

bwv848

    Bleepin' Owl


  • BSOD Kernel Dump Expert
  • 2,953 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:92.96 million miles away from the sun
  • Local time:08:52 AM

Posted 06 March 2018 - 07:12 PM

Hmm, I don't think it's quite CPU-related.

5: kd> !analyze -show 3b c0000005 fffff8800162f250 fffff88002778b20 0
SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: ffffffffc0000005, Exception code that caused the bugcheck
Arg2: fffff8800162f250, Address of the instruction which caused the bugcheck
Arg3: fffff88002778b20, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.
5: kd> u fffff8800162f250
NETIO!StreamInvokeCalloutAndNormalizeAction+0x1d0:
fffff880`0162f250 41837b5003      cmp     dword ptr [r11+50h],3
fffff880`0162f255 7555            jne     NETIO!StreamInvokeCalloutAndNormalizeAction+0x22c (fffff880`0162f2ac)
fffff880`0162f257 488b0dfaf00100  mov     rcx,qword ptr [NETIO!WPP_GLOBAL_Control (fffff880`0164e358)]
fffff880`0162f25e 493bcc          cmp     rcx,r12
fffff880`0162f261 743c            je      NETIO!StreamInvokeCalloutAndNormalizeAction+0x21f (fffff880`0162f29f)
fffff880`0162f263 80792904        cmp     byte ptr [rcx+29h],4
fffff880`0162f267 7236            jb      NETIO!StreamInvokeCalloutAndNormalizeAction+0x21f (fffff880`0162f29f)
fffff880`0162f269 0fba612c0e      bt      dword ptr [rcx+2Ch],0Eh
5: kd> .cxr fffff88002778b20
rax=0000000000000000 rbx=fffff880027796e0 rcx=0000000000001001
rdx=fffffa80194cd7f0 rsi=fffff880027798e0 rdi=fffff88002779718
rip=fffff8800162f250 rsp=fffff88002779500 rbp=fffffa80194cd4d0
 r8=0000000000000126  r9=0000000000000014 r10=fffff88006f3c200
r11=0000000000000000 r12=fffff8800164e358 r13=0000000000000001
r14=fffffa80194cd4d0 r15=fffffa80194cd4d0
iopl=0         nv up ei ng nz na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010286
NETIO!StreamInvokeCalloutAndNormalizeAction+0x1d0:
fffff880`0162f250 41837b5003      cmp     dword ptr [r11+50h],3 ds:002b:00000000`00000050=????????

I've disassembled the faulting instruction for your interest. Here's the raw stack truncated.

5: kd> !dpx
Start memory scan  : 0xfffff88002778258 ($csp)
End memory scan    : 0xfffff8800277b000 (Kernel Stack Base)

               rsp : 0xfffff88002778258 : 0xfffff80003c73629 : nt!KiBugCheckDispatch+0x69
               r11 : 0xfffff88002778458 : 0xfffff80003c00000 : "nt!KiSelectNextThread <PERF> (nt+0x0)"
0xfffff88002778258 : 0xfffff80003c73629 : nt!KiBugCheckDispatch+0x69
0xfffff88002778270 : 0xfffff8800162f250 : NETIO!StreamInvokeCalloutAndNormalizeAction+0x1d0
0xfffff88002778370 : 0xfffff80003c00000 : "nt!KiSelectNextThread <PERF> (nt+0x0)"
0xfffff88002778378 : 0xfffff80003c73313 : nt!KiSystemServiceCopyEnd+0x13
0xfffff88002778380 : 0xfffff80003e87a14 : "nt!BBTBuffer <PERF> (nt+0x287a14)"
0xfffff88002778388 : 0xfffff80003c72f00 : nt!KiSystemServiceHandler
...
0xfffff880027789c8 : 0xfffff88001604ee1 : NETIO!ArbitrateAndEnforce+0x1c1
Unable to load image \SystemRoot\system32\drivers\aswStm.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for aswStm.sys
*** ERROR: Module load completed but symbols could not be loaded for aswStm.sys
...
0xfffff88002778a88 : 0xfffff880093af000 : aswStm
0xfffff88002778aa0 : 0xfffff8800162f251 : NETIO!StreamInvokeCalloutAndNormalizeAction+0x1d1
0xfffff88002778ae8 : 0xfffff80003caeb31 : nt!KiDispatchException+0x135
Unable to load image \SystemRoot\system32\drivers\mrxsmb22.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for mrxsmb22.sys
*** ERROR: Module load completed but symbols could not be loaded for mrxsmb22.sys
...

Now note that a strange driver appears — mrxsmb22.sys. What is it?

5: kd> lm k vm mrxsmb22
Browse full module list
start             end                 module name
fffff880`06f30000 fffff880`06f40000   mrxsmb22 T (no symbols)           
    Loaded symbol image file: mrxsmb22.sys
    Image path: \SystemRoot\system32\drivers\mrxsmb22.sys
    Image name: mrxsmb22.sys
    Browse all global symbols  functions  data
    Timestamp:        Wed Jan 31 19:47:11 2018 (5A72638F)
    CheckSum:         000198C5
    ImageSize:        00010000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

A potentially unwanted program driver, called NetFilter. It's sneaky too. Observe that its file name is nearly identical to some legitimate Windows system files.

5: kd> lmvm mr*
Browse full module list
start             end                 module name
fffff880`05600000 fffff880`0564e000   mrxsmb10   (deferred)             
    Mapped memory image file: c:\symbols\mrxsmb10.sys\56BCC6084e000\mrxsmb10.sys
    Image path: \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    Image name: mrxsmb10.sys
    Browse all global symbols  functions  data
    Timestamp:        Thu Feb 11 12:34:00 2016 (56BCC608)
    CheckSum:         00056931
    ImageSize:        0004E000
    File version:     6.1.7601.19160
    Product version:  6.1.7601.19160
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        3.7 Driver
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     MRxSmb0.sys
    OriginalFilename: MRXSMB0.Sys
    ProductVersion:   6.1.7601.19160
    FileVersion:      6.1.7601.19160 (win7sp1_gdr.160211-0600)
    FileDescription:  Longhorn SMB Downlevel SubRdr
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
fffff880`0564e000 fffff880`05672000   mrxsmb20   (deferred)             
    Mapped memory image file: c:\symbols\mrxsmb20.sys\56BCC60224000\mrxsmb20.sys
    Image path: \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    Image name: mrxsmb20.sys
    Browse all global symbols  functions  data
    Timestamp:        Thu Feb 11 12:33:54 2016 (56BCC602)
    CheckSum:         00026FC7
    ImageSize:        00024000
    File version:     6.1.7601.19160
    Product version:  6.1.7601.19160
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        3.7 Driver
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     MRxSmb20.sys
    OriginalFilename: MRXSMB20.Sys
    ProductVersion:   6.1.7601.19160
    FileVersion:      6.1.7601.19160 (win7sp1_gdr.160211-0600)
    FileDescription:  Longhorn SMB 2.0 Redirector
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
fffff880`057ae000 fffff880`057db000   mrxsmb     (deferred)             
    Mapped memory image file: c:\symbols\mrxsmb.sys\56BCC6342d000\mrxsmb.sys
    Image path: \SystemRoot\system32\DRIVERS\mrxsmb.sys
    Image name: mrxsmb.sys
    Browse all global symbols  functions  data
    Timestamp:        Thu Feb 11 12:34:44 2016 (56BCC634)
    CheckSum:         00028E64
    ImageSize:        0002D000
    File version:     6.1.7601.19160
    Product version:  6.1.7601.19160
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        3.7 Driver
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     MRxSmb.sys
    OriginalFilename: MRXSMB.Sys
    ProductVersion:   6.1.7601.19160
    FileVersion:      6.1.7601.19160 (win7sp1_gdr.160211-0600)
    FileDescription:  Windows NT SMB Minirdr
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
fffff880`06f30000 fffff880`06f40000   mrxsmb22 T (no symbols)           
    Loaded symbol image file: mrxsmb22.sys
    Image path: \SystemRoot\system32\drivers\mrxsmb22.sys
    Image name: mrxsmb22.sys
    Browse all global symbols  functions  data
    Timestamp:        Wed Jan 31 19:47:11 2018 (5A72638F)
    CheckSum:         000198C5
    ImageSize:        00010000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

Going back to the raw stack, we see Avast trying to catch it right before the crash. So it's fair to conclude that malware is definitely related to your crashes somehow. Keep in mind that this is the only dump in the Sysnative report from the several crashes you've had this past week, though I looked at the Event Log and the last few crashes were pretty similar. Anyway, I would suggest you post in our Virus, Trojan, Spyware, and Malware Removal Logs forum for some help removing the PUP. They have special posting instructions too; be sure to follow them.


If I do not reply in three days, please message me.
 
BC BSOD Posting Instructions | Carrona BSOD Index | Driver Reference Table (DRT)
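
The module comparison in the post above can be scripted for triage of saved debugger output. This is an added example, not part of the original posts or of any tool used in them: it parses `lm v` output and flags modules that have neither symbols nor a CompanyName field while closely resembling the name of a module that does carry vendor metadata. The sample text is abridged from the output quoted in the thread, and the 0.8 similarity threshold is an assumption.

```python
import re
from difflib import SequenceMatcher

# Constructed sample: abridged from the `lmvm mr*` output quoted in the thread.
LMVM_SAMPLE = r"""
fffff880`05600000 fffff880`0564e000   mrxsmb10   (deferred)
    Image path: \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    Timestamp:        Thu Feb 11 12:34:00 2016 (56BCC608)
    CompanyName:      Microsoft Corporation
fffff880`0564e000 fffff880`05672000   mrxsmb20   (deferred)
    Image path: \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    Timestamp:        Thu Feb 11 12:33:54 2016 (56BCC602)
    CompanyName:      Microsoft Corporation
fffff880`06f30000 fffff880`06f40000   mrxsmb22 T (no symbols)
    Image path: \SystemRoot\system32\drivers\mrxsmb22.sys
    Timestamp:        Wed Jan 31 19:47:11 2018 (5A72638F)
"""

HEADER = re.compile(r"^[0-9a-f`]+\s+[0-9a-f`]+\s+(\S+)\s*(.*)$", re.I)
FIELD = re.compile(r"^\s+([A-Za-z ]+?):\s+(.*)$")

def parse_lmvm(text):
    """Split `lm v` output into one record per module: name, load status, fields."""
    modules = []
    for line in text.splitlines():
        header, field = HEADER.match(line), FIELD.match(line)
        if header:
            modules.append({"name": header.group(1), "status": header.group(2).strip(), "fields": {}})
        elif field and modules:
            modules[-1]["fields"][field.group(1)] = field.group(2).strip()
    return modules

def flag_lookalikes(modules, threshold=0.8):
    """Return (module, resembled names) for modules that have no symbols and no
    CompanyName yet are named like a module that does carry vendor metadata."""
    vendor_named = [m["name"] for m in modules if "CompanyName" in m["fields"]]
    findings = []
    for m in modules:
        if "CompanyName" in m["fields"] or "no symbols" not in m["status"]:
            continue
        near = [n for n in vendor_named
                if SequenceMatcher(None, m["name"].lower(), n.lower()).ratio() >= threshold]
        if near:
            findings.append((m["name"], near))
    return findings

if __name__ == "__main__":
    for name, near in flag_lookalikes(parse_lmvm(LMVM_SAMPLE)):
        print(f"{name}: no symbols or version resource, resembles {', '.join(near)}")
```

A hit is a lead for follow-up checks on the file, not proof on its own: many third-party drivers ship without public symbols.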


#3 HyperHenry

HyperHenry

  • Malware Study Hall Junior
  • 773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Iowa (but travel)
  • Local time:07:52 AM

Posted 06 March 2018 - 10:10 PM

MRxSmb0.sys is a valid Windows file but usually only installed on Windows servers so I agree it's probably malware.



#4 HyperHenry

HyperHenry

  • Malware Study Hall Junior
  • 773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Iowa (but travel)
  • Local time:07:52 AM

Posted 06 March 2018 - 10:12 PM

What WinDbg command do you use to get such detailed information?



#5 bwv848

bwv848

    Bleepin' Owl


  • BSOD Kernel Dump Expert
  • 2,953 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:92.96 million miles away from the sun
  • Local time:08:52 AM

Posted 06 March 2018 - 10:42 PM

> MRxSmb0.sys is a valid Windows file but usually only installed on Windows servers so I agree it's probably malware.

mrxsmb22.sys is the malicious driver. BTW, MRxSmb10.sys seems perfectly legitimate as it has symbols:

5: kd> !itoldyouso mrxsmb10

mrxsmb10.sys
    Timestamp: 56BCC608
  SizeOfImage: 4E000
          pdb: mrxsmb10.pdb
      pdb sig: CEB02A6E-72CD-4DB1-ADD2-F3A7CDAA46D0
          age: 1

Loaded pdb is c:\symbols\mrxsmb10.pdb\CEB02A6E72CD4DB1ADD2F3A7CDAA46D01\mrxsmb10.pdb

mrxsmb10.pdb
      pdb sig: CEB02A6E-72CD-4DB1-ADD2-F3A7CDAA46D0
          age: 1

MATCH: mrxsmb10.pdb and mrxsmb10.sys

Its internal alias is MRXSMB0.Sys.

 

> What WinDbg command do you use to get such detailed information?

The commands I used are in the top line of every code box. :)




#6 HyperHenry

HyperHenry

  • Malware Study Hall Junior
  • 773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Iowa (but travel)
  • Local time:07:52 AM

Posted 06 March 2018 - 11:15 PM

Thank you Bleepin Owl. You are my hero for the day.



#7 Falcon197

Falcon197
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:52 AM

Posted 06 March 2018 - 11:48 PM

Heroic work indeed! 

 

Thanks for tracking that down, Bleepin' Owl.  So now I'll go kill this mrxsmb22.sys file.  Is deleting it sufficient or do I need to purge anything in Regedit?


Edited by Falcon197, 06 March 2018 - 11:53 PM.


#8 bwv848

bwv848

    Bleepin' Owl


  • BSOD Kernel Dump Expert
  • 2,953 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:92.96 million miles away from the sun
  • Local time:08:52 AM

Posted 07 March 2018 - 10:46 PM

I would not suggest you delete it manually; it may render the system unbootable. Rather, follow my previous instructions and post in our malware removal section for help.






