
Blue Screen


6 replies to this topic

#1 Joe Bill

Joe Bill

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:02:07 AM

Posted 09 July 2007 - 01:55 PM

Intermittently a blue screen appears with white letters...
A problem has occurred and windows has shut down to prevent damage to your computer.
(other messages about drives, yada, yada)
STOP: 0x0000008E
Begin dump of physical memory.
Dump complete.

Must hold on/off switch for 5 seconds to stop computer and reboot.
What's the cause? How to fix?
Joe Bill


#2 RenatoMejias

RenatoMejias

  • Malware Response Team
  • 913 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:07 AM

Posted 09 July 2007 - 04:29 PM

Look at this:

http://support.microsoft.com/?scid=kb%3Ben...p;x=21&y=12
Renato Victor Mejias
Malware help in portuguese

#3 usasma

usasma

    Still visually handicapped (avatar is memory developed by my Dad


  • BSOD Kernel Dump Expert
  • 25,076 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Southeastern CT, USA
  • Local time:02:07 AM

Posted 10 July 2007 - 06:18 AM

1) Locate the dump file on your hard drive (search for files ending in .dmp or .mdmp)
2) Use this link to generate an analysis of the dump file: http://forums.majorgeeks.com/showthread.php?t=35246
3) Post the results of the analysis here for us to have a look at.
My browser caused a flood of traffic, so my IP address was banned. Hope to fix it soon. Will get back to posting as soon as I'm able.

- John (my website: http://www.carrona.org/ ) **If you need a more detailed explanation, please ask for it. I have the Knack.** If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficulty reading posts. (23 Nov 2017) FYI - I am completely blind in the right eye and ~30% blind in the left eye. If the eye problems get worse suddenly, I may not be able to respond. If that's the case and help is needed, please PM a staff member for assistance.

#4 Joe Bill

Joe Bill
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:02:07 AM

Posted 10 July 2007 - 01:12 PM

1) Locate the dump file on your hard drive (search for files ending in .dmp or .mdmp)
2) Use this link to generate an analysis of the dump file: http://forums.majorgeeks.com/showthread.php?t=35246
3) Post the results of the analysis here for us to have a look at.


Here is what I found..
Bug Check 1000008E (c0000065, 8056e2ea, a9f2db84, 0)
Probably caused by: ntoskrnl.exe (nt ! HvpGetCellMapped+5f)

Appreciate your help. Thanks. JB

#5 usasma

usasma

    Still visually handicapped (avatar is memory developed by my Dad


  • BSOD Kernel Dump Expert
  • 25,076 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Southeastern CT, USA
  • Local time:02:07 AM

Posted 11 July 2007 - 06:06 AM

If a program accesses Windows in an unapproved way, it may cause Windows to crash. If the file that crashed is a Windows system file, that will show as the cause, even though it wasn't actually the system file that was at fault.

When troubleshooting STOP errors like this, it's important to see the entire dump file to see if there's any other "pointers" to what's causing this. IME it's a better than 90% chance that this STOP error is caused by something else (but there's a less than 10% chance that it's the Windows file).

Trouble is, the fixes for Windows system files are a real PITA - and when you're done, it may not even fix the issue. For example, here's a link to a description of the STOP 0x8e error (Bug Check and STOP errors are very similar and the descriptions are interchangeable): http://aumha.org/a/stop.php#0x8e

In this case you can see that it's an incompatibility issue. Presuming that you haven't just added some new hardware/software that could be causing this - it then means that there's an issue with either failing hardware (unlikely IMO), bad/corrupt drivers (most likely IMO), or a need for BIOS upgrade (less likely than either of the other 2).

#6 MadDawg

MadDawg

  • Members
  • 453 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Houston, TX
  • Local time:02:07 AM

Posted 11 July 2007 - 02:29 PM

I have a similar problem. Here's my analysis:


Microsoft ® Windows Debugger Version 6.7.0005.0
Copyright © Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\MEMORY.DMP]
Kernel Complete Dump File: Full address space is available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols

Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 2600.xpsp_sp2_gdr.070227-2254
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805533a0
Debug session time: Wed Jul 11 12:20:29.421 2007 (GMT-5)
System Uptime: 0 days 20:25:41.987
Loading Kernel Symbols
......................................................................................................................................................................................
Loading User Symbols
.......................................................................................................................................................................
Loading unloaded module list
..................................................................
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck C2, {7, cd4, 460020, e21d92d0}

*** ERROR: Symbol file could not be found. Defaulted to export symbols for Normaliz.dll -
*** ERROR: Module load completed but symbols could not be loaded for xpsp2res.dll
*** WARNING: Unable to verify timestamp for advpack.dll
*** ERROR: Module load completed but symbols could not be loaded for advpack.dll
*** WARNING: Unable to verify checksum for wbsys.dll
*** ERROR: Module load completed but symbols could not be loaded for wbsys.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for tapisrv.dll -
*** WARNING: Unable to verify timestamp for seclogon.dll
*** ERROR: Module load completed but symbols could not be loaded for seclogon.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for wbemcons.dll -
*** WARNING: Unable to verify timestamp for ati2dvag.dll
*** ERROR: Module load completed but symbols could not be loaded for ati2dvag.dll
*** WARNING: Unable to verify timestamp for ati2cqag.dll
*** ERROR: Module load completed but symbols could not be loaded for ati2cqag.dll
*** WARNING: Unable to verify timestamp for atikvmag.dll
*** ERROR: Module load completed but symbols could not be loaded for atikvmag.dll
*** WARNING: Unable to verify timestamp for ativvaxx.dll
*** ERROR: Module load completed but symbols could not be loaded for ativvaxx.dll
*** WARNING: Unable to verify timestamp for ATMFD.DLL
*** ERROR: Module load completed but symbols could not be loaded for ATMFD.DLL
*** ERROR: Module load completed but symbols could not be loaded for vstor2.sys
*** ERROR: Module load completed but symbols could not be loaded for kqemu.sys
*** ERROR: Module load completed but symbols could not be loaded for ibmfilter.sys
*** ERROR: Module load completed but symbols could not be loaded for mdmxsdk.sys
*** ERROR: Module load completed but symbols could not be loaded for vmx86.sys
*** ERROR: Module load completed but symbols could not be loaded for Aspi32.SYS
*** ERROR: Module load completed but symbols could not be loaded for PrivateDiskM.sys
*** ERROR: Module load completed but symbols could not be loaded for hcmon.sys
*** ERROR: Module load completed but symbols could not be loaded for MaVc2K.sys
*** ERROR: Module load completed but symbols could not be loaded for SymIDSCo.sys
*** ERROR: Symbol file could not be found. Defaulted to export symbols for SYMFW.SYS -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for SYMIDS.SYS -
*** ERROR: Module load completed but symbols could not be loaded for tfsnudfa.sys
*** ERROR: Module load completed but symbols could not be loaded for tfsnudf.sys
*** ERROR: Symbol file could not be found. Defaulted to export symbols for tfsnifs.sys -
*** ERROR: Module load completed but symbols could not be loaded for tfsnopio.sys
*** ERROR: Module load completed but symbols could not be loaded for EraserUtilRebootDrv.sys
*** ERROR: Module load completed but symbols could not be loaded for eeCtrl.sys
*** ERROR: Module load completed but symbols could not be loaded for SPBBCDrv.sys
*** ERROR: Module load completed but symbols could not be loaded for SYMEVENT.SYS
*** ERROR: Symbol file could not be found. Defaulted to export symbols for SYMTDI.SYS -
*** ERROR: Module load completed but symbols could not be loaded for NAVENG.SYS
*** ERROR: Module load completed but symbols could not be loaded for NAVEX15.SYS
*** ERROR: Symbol file could not be found. Defaulted to export symbols for drvnddm.sys -
*** ERROR: Module load completed but symbols could not be loaded for SRTSPX.SYS
*** ERROR: Module load completed but symbols could not be loaded for SRTSP.SYS
*** ERROR: Module load completed but symbols could not be loaded for iksyssec.sys
*** ERROR: Module load completed but symbols could not be loaded for iksysflt.sys
*** ERROR: Module load completed but symbols could not be loaded for ikfilesec.sys
*** ERROR: Module load completed but symbols could not be loaded for ANC.SYS
*** ERROR: Module load completed but symbols could not be loaded for HSF_CNXT.sys
*** ERROR: Module load completed but symbols could not be loaded for HSF_DPV.sys
*** ERROR: Module load completed but symbols could not be loaded for HSFHWATI.sys
*** ERROR: Module load completed but symbols could not be loaded for aeaudio.sys
*** ERROR: Module load completed but symbols could not be loaded for smwdm.sys
*** ERROR: Module load completed but symbols could not be loaded for ar5211.sys
*** ERROR: Module load completed but symbols could not be loaded for b57xp32.sys
*** ERROR: Module load completed but symbols could not be loaded for ati2mtag.sys
*** ERROR: Symbol file could not be found. Defaulted to export symbols for VMNET.SYS -
*** ERROR: Module load completed but symbols could not be loaded for vmnetadapter.sys
*** ERROR: Module load completed but symbols could not be loaded for drvmcdb.sys
*** ERROR: Module load completed but symbols could not be loaded for PxHelp20.sys
*** ERROR: Module load completed but symbols could not be loaded for tfsncofs.sys
*** ERROR: Module load completed but symbols could not be loaded for FileDisk.SYS
*** ERROR: Module load completed but symbols could not be loaded for WmXlCore.sys
*** ERROR: Module load completed but symbols could not be loaded for wsimd.sys
*** ERROR: Module load completed but symbols could not be loaded for libusb0.sys
*** ERROR: Module load completed but symbols could not be loaded for KCOM.SYS
*** ERROR: Module load completed but symbols could not be loaded for ikfileflt.sys
*** ERROR: Symbol file could not be found. Defaulted to export symbols for drmk.sys -
*** ERROR: Module load completed but symbols could not be loaded for TDSMAPI.SYS
*** ERROR: Module load completed but symbols could not be loaded for SYMREDRV.SYS
*** ERROR: Module load completed but symbols could not be loaded for Smapint.sys
*** ERROR: Module load completed but symbols could not be loaded for vmnetuserif.sys
*** ERROR: Module load completed but symbols could not be loaded for SYMNDIS.SYS
*** ERROR: Module load completed but symbols could not be loaded for tfsnboio.sys
*** ERROR: Module load completed but symbols could not be loaded for vmnetbridge.sys
*** ERROR: Module load completed but symbols could not be loaded for PROCDD.SYS
*** ERROR: Module load completed but symbols could not be loaded for VMparport.sys
*** ERROR: Module load completed but symbols could not be loaded for GEARAspiWDM.sys
*** ERROR: Module load completed but symbols could not be loaded for psadd.sys
*** ERROR: Module load completed but symbols could not be loaded for ZDPSp50.sys
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ssrtln.sys -
*** ERROR: Module load completed but symbols could not be loaded for TSMAPIP.SYS
*** ERROR: Module load completed but symbols could not be loaded for Tppwrif.sys
*** ERROR: Module load completed but symbols could not be loaded for TPHKDRV.SYS
*** ERROR: Module load completed but symbols could not be loaded for VMkbd.sys
*** ERROR: Module load completed but symbols could not be loaded for tp4track.sys
*** ERROR: Module load completed but symbols could not be loaded for ibmpmdrv.sys
*** ERROR: Module load completed but symbols could not be loaded for WmBEnum.sys
*** ERROR: Symbol file could not be found. Defaulted to export symbols for tfsnpool.sys -
*** ERROR: Module load completed but symbols could not be loaded for sscdbhk5.sys
*** WARNING: Unable to verify timestamp for Fs_Rec.SYS
*** ERROR: Module load completed but symbols could not be loaded for Fs_Rec.SYS
*** ERROR: Module load completed but symbols could not be loaded for IBMBLDID.sys
*** ERROR: Module load completed but symbols could not be loaded for EGATHDRV.SYS
*** ERROR: Module load completed but symbols could not be loaded for pmemnt.sys
*** ERROR: Module load completed but symbols could not be loaded for SYMDNS.SYS
*** ERROR: Module load completed but symbols could not be loaded for tfsndrct.sys
*** ERROR: Module load completed but symbols could not be loaded for smi2.sys
*** ERROR: Symbol file could not be found. Defaulted to export symbols for tfsndres.sys -
*** WARNING: Unable to verify timestamp for Null.SYS
*** ERROR: Module load completed but symbols could not be loaded for Null.SYS
Probably caused by : ntkrnlpa.exe ( nt!ExFreePoolWithTag+2a0 )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request. Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 00000007, Attempt to free pool which was already freed
Arg2: 00000cd4, (reserved)
Arg3: 00460020, Memory contents of the pool block
Arg4: e21d92d0, Address of the block of pool being deallocated

Debugging Details:
------------------


POOL_ADDRESS: e21d92d0 Paged pool

BUGCHECK_STR: 0xc2_7

DEFAULT_BUCKET_ID: DRIVER_FAULT

PROCESS_NAME: svchost.exe

LAST_CONTROL_TRANSFER: from 80543e86 to 804f8aef

STACK_TEXT:
f6d12928 80543e86 000000c2 00000007 00000cd4 nt!KeBugCheckEx+0x1b
f6d12978 8062a263 e21d92d0 00000000 d06cf104 nt!ExFreePoolWithTag+0x2a0
f6d12994 8062a876 e4aa0dd0 d06cf104 e100f2e0 nt!CmpCleanUpKcbValueCache+0x3d
f6d129a8 80631530 e4aa0dd0 e39f9b18 8063164c nt!CmpCleanUpKcbCacheWithLock+0x1a
f6d129b4 8063164c f6d129c8 8062a96c e41e9b90 nt!CmpGetDelayedCloseIndex+0x16
f6d129bc 8062a96c e41e9b90 f6d129d4 8062ad54 nt!CmpAddToDelayedClose+0xa
f6d129c8 8062ad54 e41e9b90 f6d12ba0 80624771 nt!CmpDereferenceKeyControlBlockWithLock+0x38
f6d129d4 80624771 e41e9b90 e1502598 00000000 nt!CmpDereferenceKeyControlBlock+0x12
f6d12ba0 805b34b9 0168e100 c0000034 83ca0008 nt!CmpParseKey+0x6af
f6d12c28 805afdeb 0000001c f6d12c68 00000040 nt!ObpLookupObjectName+0x119
f6d12c7c 8061a3cb 00000000 851c3980 00000001 nt!ObOpenObjectByName+0xeb
f6d12d50 8053ca28 058ff8dc 00020019 058ff2a0 nt!NtOpenKey+0x1af
f6d12d50 7c90eb94 058ff8dc 00020019 058ff2a0 nt!KiFastCallEntry+0xf8
058ff27c 7c90dd48 77dd6a13 058ff8dc 00020019 ntdll!KiFastSystemCallRet
058ff280 77dd6a13 058ff8dc 00020019 058ff2a0 ntdll!ZwOpenKey+0xc
058ff2e0 77dd6b5e 0000001c 058ff308 00000000 ADVAPI32!LocalBaseRegOpenKey+0xe4
058ff314 7d1e4ae9 80000002 023df928 00000000 ADVAPI32!RegOpenKeyExW+0x10d
058ff330 7d1e52c5 80000002 023df928 00000000 msi!MsiRegOpen64bitKey+0x24
058ff5f4 7d1e58db 7d1e5098 058ff9f4 02347af8 msi!OpenInstalledUserDataSubKeyPacked+0xf8
058ff63c 7d1e5d18 7d1e5098 058ff9f4 058ff8dc msi!OpenInstalledProductInstallPropertiesKeyPacked+0x82
058ff94c 7d202a1b 058ff9f4 00000000 00000002 msi!GetInfo+0x184
058ff9b8 7d20297c 058ff9f4 00000000 00000004 msi!fProductExistInContext+0x7c
058ffa8c 7d20283d 06c69a5e 00000000 00000004 msi!GetInfoEx+0x1cb
058ffac0 50138eee 06c69a5e 00000000 00000004 msi!MsiGetProductInfoExW+0x7b
058ffae0 5012009c 06c69a5e 00000000 00000004 wuaueng!CSusMsiWrapper::GetProductInfoEx+0x26
058ffb14 501201aa 06c69a5e 500795b4 058ffb70 wuaueng!CEEMsiHandler::Parse+0x270
058ffb4c 50120aad 501c4b58 058ffb90 058ffb94 wuaueng!CEEMsiHandler::Parse+0x37e
058ffbc8 50120ef4 058ffbec 501c4b58 00000002 wuaueng!CEEMsiHandler::EvalProductInstalled+0x1d0
058ffc20 5011918d 000e99b0 005d060c 005d0624 wuaueng!CEEMsiHandler::Evaluate3+0x142
058ffc60 5011928c 058ffc8c 00000000 00000000 wuaueng!CExprElementTreeNode::Evaluate+0x3e
058ffc90 5010802a 058ffd90 00000004 058ffd90 wuaueng!COperatorTreeNode::Evaluate+0xca
058ffcb0 501083e2 072e1690 058ffce0 00000000 wuaueng!CExpressionManager::EvaluateExpressionTree+0xbd
058ffce8 500df397 072e1690 072e1820 00000000 wuaueng!CExpressionManager::EvaluateRule+0x6c
058ffe10 500df8ab 005a8910 058fff14 072e1690 wuaueng!CAgentUpdateManager::DetectForUpdate+0x233
058ffe70 500e003d 005a8910 058fff14 058ffea0 wuaueng!CAgentUpdateManager::DetectForAllUpdates+0xce
058ffef8 500e018c 005a8910 058fff14 0035d22c wuaueng!CAgentUpdateManager::PreInstallCheck+0xa6
058fff44 500cd246 005a8910 005a8910 500cbe8c wuaueng!CAgentUpdateManager::InstallUpdates+0x109
058fff50 500cbe8c 0035dbc0 0035dc44 00000000 wuaueng!CInstallCall::Execute+0xe
058fff6c 500d6db9 005a89fc 058fffa0 500d808c wuaueng!CClientCallRecorder::ProcessWorkItem+0xb7
058fff78 500d808c 00000001 0000000a 0035dbec wuaueng!CClientCallRecorder::ProcessWorkItem+0x2f
058fffa0 500d8252 00000001 022cfb14 7c910551 wuaueng!CWorkItemManager::ExecuteNonCallbackWorkItem+0x5a
058fffb4 7c80b683 0035dbec 022cfb14 7c910551 wuaueng!CWorkItemManager::ExecuteWorkItemWrapper+0x33
058fffec 00000000 500d821f 0035dbec 00000000 kernel32!BaseThreadStart+0x37


STACK_COMMAND: kb

FOLLOWUP_IP:
nt!ExFreePoolWithTag+2a0
80543e86 8b45f8 mov eax,dword ptr [ebp-8]

SYMBOL_STACK_INDEX: 1

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrnlpa.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 45e53f9c

SYMBOL_NAME: nt!ExFreePoolWithTag+2a0

FAILURE_BUCKET_ID: 0xc2_7_nt!ExFreePoolWithTag+2a0

BUCKET_ID: 0xc2_7_nt!ExFreePoolWithTag+2a0

Followup: MachineOwner
---------


I have little knowledge on what to do with this info.
A penguin broke my windows with a half-eaten apple!

#7 usasma

usasma

    Still visually handicapped (avatar is memory developed by my Dad


  • BSOD Kernel Dump Expert
  • 25,076 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Southeastern CT, USA
  • Local time:02:07 AM

Posted 12 July 2007 - 07:03 AM

Hi MadDawg! While your problem is similar, please start a new topic as the remedy for this problem is very different than what Joe Bill is going to have to do.

Also, please run the debugger again according to the instructions in the link and post it in your new topic. The errors loading the symbol files are excessive and can skew the results of the debugger. Also, try turning off Windows Updates for now (this is just a hunch on my part) to see if it helps.
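Added example, not part of any post in this thread: a Python triage of the `!analyze -v` text from reply #6 that pulls out the bugcheck, the blamed image, the modules whose symbols failed to load (the errors the last reply calls excessive), and the modules on the stack. The function name `summarize` and the `KERNEL_IMAGES` set are this example's own choices, and the sample is an abbreviated excerpt of that reply's output.

```python
import re

# Abbreviated excerpt of the WinDbg output posted in reply #6 (most lines omitted).
SAMPLE = """\
BugCheck C2, {7, cd4, 460020, e21d92d0}
*** ERROR: Symbol file could not be found. Defaulted to export symbols for Normaliz.dll -
*** WARNING: Unable to verify timestamp for ati2dvag.dll
*** ERROR: Module load completed but symbols could not be loaded for ati2dvag.dll
*** ERROR: Module load completed but symbols could not be loaded for vmx86.sys
*** ERROR: Symbol file could not be found. Defaulted to export symbols for SYMTDI.SYS -
*** ERROR: Module load completed but symbols could not be loaded for SRTSP.SYS
Probably caused by : ntkrnlpa.exe ( nt!ExFreePoolWithTag+2a0 )
PROCESS_NAME: svchost.exe
STACK_TEXT:
f6d12928 80543e86 000000c2 00000007 00000cd4 nt!KeBugCheckEx+0x1b
f6d12978 8062a263 e21d92d0 00000000 d06cf104 nt!ExFreePoolWithTag+0x2a0
f6d12ba0 805b34b9 0168e100 c0000034 83ca0008 nt!CmpParseKey+0x6af
058ff314 7d1e4ae9 80000002 023df928 00000000 ADVAPI32!RegOpenKeyExW+0x10d
058ffac0 50138eee 06c69a5e 00000000 00000004 msi!MsiGetProductInfoExW+0x7b
058ffae0 5012009c 06c69a5e 00000000 00000004 wuaueng!CSusMsiWrapper::GetProductInfoEx+0x26
"""

# File names the Windows kernel image can have (the two dumps here name two of them).
KERNEL_IMAGES = {"ntoskrnl.exe", "ntkrnlpa.exe", "ntkrnlmp.exe", "ntkrpamp.exe"}

BUGCHECK_RE = re.compile(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", re.M)
CAUSE_RE = re.compile(r"^Probably caused by\s*:\s*(\S+)\s*\(\s*(\S+)\s*\)", re.M)
PROCESS_RE = re.compile(r"^PROCESS_NAME:\s*(\S+)", re.M)
# "*** ERROR: ... for <module>" and "*** WARNING: ... for <module>"
SYMBOL_RE = re.compile(r"^\*\*\* (?:ERROR|WARNING): .*? for (\S+)", re.M)
# x86 "kb" frame: ChildEBP RetAddr Arg1 Arg2 Arg3 module!symbol
FRAME_RE = re.compile(r"^[0-9a-f]{8} [0-9a-f]{8} (?:[0-9a-f]{8} ){3}([^!\s]+)!\S+", re.M)


def _unique(items):
    """Drop case-insensitive duplicates while keeping first-seen order."""
    seen, out = set(), []
    for item in items:
        if item.lower() not in seen:
            seen.add(item.lower())
            out.append(item)
    return out


def summarize(text):
    """Reduce !analyze output to the fields a reviewer checks first."""
    bc = BUGCHECK_RE.search(text)
    cause = CAUSE_RE.search(text)
    proc = PROCESS_RE.search(text)
    flagged = _unique(SYMBOL_RE.findall(text))
    image = cause.group(1) if cause else None
    return {
        "code": bc.group(1) if bc else None,
        "args": [a.strip() for a in bc.group(2).split(",")] if bc else [],
        "blamed_image": image,
        "blamed_symbol": cause.group(2) if cause else None,
        # Reply #5: a Windows system file named as the cause is usually not at fault.
        "blamed_is_kernel": image is not None and image.lower() in KERNEL_IMAGES,
        "process": proc.group(1) if proc else None,
        "symbol_problem_modules": flagged,
        "symbol_problem_drivers": [m for m in flagged if m.lower().endswith(".sys")],
        "stack_modules": _unique(FRAME_RE.findall(text)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against the full text of a saved analysis, the two `symbol_problem_*` lists show at a glance how much of the module list loaded without proper symbols before the "Probably caused by" line is taken at face value.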



