
Blue Screen Of Death - Stop:0x00000050



#1 byonic


Posted 11 July 2007 - 04:49 AM

Hi, I have a problem with my pc.

As of Monday, it has been Blue Screening at seemingly random points, usually in the middle of using an application, but occasionally just after XP loads, or sometimes when the pc has been left alone and no applications are open.

The Blue Screen message:

STOP: 0x00000050 (0xE3017000, 0x00000000, 0x805286C4, 0x0000001)

PAGE_FAULT_IN_NONPAGED_AREA

The PC spec:

Windows XP Professional
Version 2002
Service Pack 1

Pentium 4 CPU 3.00GHz
512 MB of RAM



I understand that this problem is often caused by a memory malfunction, but wanted some advice on how to proceed.

I have run a microsoft online crash analysis program called windiag, which reported no errors with the computer's memory. This test ran for approximately 17 hours, but did not find a fault in the memory.

Is it possible that this stop screen is caused by a virus or other malware?
The reason I ask is that the PC's internet connection is behaving strangely, usually making the computer very sluggish.

I would appreciate any input and advice on this, and thanks in advance for the help.


Byron

Edited by byonic, 11 July 2007 - 04:51 AM.

Big Yellow Feet
The production company


#2 usasma


Posted 11 July 2007 - 05:49 AM

While this error is most often seen as a memory error ( http://aumha.org/a/stop.php#0x50 ) it can also be caused by a lot of other stuff - including malware.

When troubleshooting inside of Windows, it's important to have a stable platform to test. IMO the most important thing to do (when troubleshooting these issues) is to ensure that the system is virus free. If this isn't done, the best case is that the fixes won't work, the worst case is that the malware will adjust to the fixes and become even harder to remove.

Having said that, I'd recommend these 2 free, online scans:

http://safety.live.com (requires IE)
http://housecall.trendmicro.com
My browser caused a flood of traffic, so my IP address was banned. Hope to fix it soon. Will get back to posting as soon as I'm able.

- John (my website: http://www.carrona.org/ ) **If you need a more detailed explanation, please ask for it. I have the Knack.** If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficulty reading posts. (23 Nov 2017) FYI - I am completely blind in the right eye and ~30% blind in the left eye. If the eye problems get worse suddenly, I may not be able to respond. If that's the case and help is needed, please PM a staff member for assistance.

#3 byonic


Posted 12 July 2007 - 05:20 AM

Thanks for replying, John.

I have been having problems running the online tests though, as the BSOD always interrupts the scan (both Trend and Microsoft) before they have got half way through.

Is this a coincidence? Or does the scan trigger the BSOD because it is performing a certain function?

So, is there another scan which is not an online check, but one I can download and run in safe mode?

Thanks

#4 usasma


Posted 12 July 2007 - 07:20 AM

And that my friend is the $50,000 question! :thumbsup:

The scan is to rule out malware that may be causing the BSOD. There are many different ways to troubleshoot the error, but I'd suggest searching your hard drive for files ending in .dmp or .mdmp (around the time of the crash) - if you find them, follow this link to generate an analysis of the dump file: http://forums.majorgeeks.com/showthread.php?t=35246

Post the results of the scan here and it'll give us some more clues as to what's causing this.

#5 byonic


Posted 12 July 2007 - 10:11 AM

Okay - the dump analysis follows:

Microsoft ® Windows Debugger Version 6.7.0005.1
Copyright © Microsoft Corporation. All rights reserved.


Loading Dump File [C:\windows\Minidump\Mini071207-05.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 1) UP Free x86 compatible
Product: WinNt
Built by: 2600.xpsp2.050301-1526
Kernel base = 0x804d4000 PsLoadedModuleList = 0x8054c850
Debug session time: Thu Jul 12 12:16:40.000 2007 (GMT+1)
System Uptime: 0 days 0:03:07.593
Loading Kernel Symbols
.................................................................................................................................
Loading User Symbols
Loading unloaded module list
...
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {e32bd000, 0, 804f8ca4, 1}

*** WARNING: Unable to verify timestamp for windev-471a-54.sys
*** ERROR: Module load completed but symbols could not be loaded for windev-471a-54.sys

Could not read faulting driver name
Probably caused by : windev-471a-54.sys ( windev_471a_54+9b3 )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: e32bd000, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 804f8ca4, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000001, (reserved)

Debugging Details:
------------------


Could not read faulting driver name

READ_ADDRESS: e32bd000

FAULTING_IP:
nt!wcsncpy+14
804f8ca4 668b02 mov ax,word ptr [edx]

MM_INTERNAL_CODE: 1

CUSTOMER_CRASH_COUNT: 5

DEFAULT_BUCKET_ID: COMMON_SYSTEM_FAULT

BUGCHECK_STR: 0x50

TRAP_FRAME: edf8c604 -- (.trap 0xffffffffedf8c604)
ErrCode = 00000000
eax=edf85249 ebx=edf8c9e4 ecx=00000007 edx=e32bd000 esi=edf8c6a0 edi=edf8c890
eip=804f8ca4 esp=edf8c678 ebp=edf8c8a4 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
nt!wcsncpy+0x14:
804f8ca4 668b02 mov ax,word ptr [edx] ds:0023:e32bd000=????
Resetting default scope

LAST_CONTROL_TRANSFER: from 8051f2d8 to 8052b591

STACK_TEXT:
edf8c5a0 8051f2d8 00000050 e32bd000 00000000 nt!KeBugCheckEx+0x19
edf8c5ec 804dda27 00000000 e32bd000 00000000 nt!MmAccessFault+0x6f5
edf8c5ec 804f8ca4 00000000 e32bd000 00000000 nt!KiTrap0E+0xb8
edf8c67c ee49a9b3 edf8c6a0 e32bce10 000000ff nt!wcsncpy+0x14
WARNING: Stack unwind information not available. Following frames may be wrong.
edf8c8a4 804dad01 80001bf8 00000000 00000000 windev_471a_54+0x9b3
edf8c8a4 804d9296 80001bf8 00000000 00000000 nt!KiSystemService+0xc4
edf8c934 80580559 80001bf8 00000000 00000000 nt!ZwEnumerateKey+0x11
edf8c9dc 80580ed5 00000086 00000000 00000000 nt!IopGetDeviceInterfaces+0x5b9
edf8c9f8 ee1e7495 ee1f5350 00000000 00000000 nt!IoGetDeviceInterfaces+0x38
edf8ca24 ee1ed54a edf8ca38 edf8ca3c edf8ca3c wdmaud!OpenSysAudio+0x1e
edf8ca40 ee1e8b5c 81f45568 81fb45d8 820a9368 wdmaud!kmxlOpenSysAudio+0x1b
edf8ca60 804dfdfd 82029a78 81f45558 81f45558 wdmaud!SoundDispatchCreate+0x84
edf8ca70 8055ad41 81db2850 81f86ebc edf8cc18 nt!IopfCallDriver+0x31
edf8cb54 8055253a 81db2868 00000000 81f86e18 nt!IopParseDevice+0xa4d
edf8cbd8 805557a2 00000000 edf8cc18 00000040 nt!ObpLookupObjectName+0x56a
edf8cc2c 8055b008 00000000 00000000 e24ed001 nt!ObOpenObjectByName+0xe9
edf8cca8 8055b0b9 0197f668 c0100080 0197f608 nt!IopCreateFile+0x407
edf8ccf0 80557c4e 0197f668 c0100080 0197f608 nt!IoCreateFile+0x36
edf8cd30 804dad01 0197f668 c0100080 0197f608 nt!NtCreateFile+0x2e
edf8cd30 7ffe0304 0197f668 c0100080 0197f608 nt!KiSystemService+0xc4
0197f660 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4


STACK_COMMAND: kb

FOLLOWUP_IP:
windev_471a_54+9b3
ee49a9b3 ?? ???

SYMBOL_STACK_INDEX: 4

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: windev_471a_54

IMAGE_NAME: windev-471a-54.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 0

SYMBOL_NAME: windev_471a_54+9b3

FAILURE_BUCKET_ID: 0x50_windev_471a_54+9b3

BUCKET_ID: 0x50_windev_471a_54+9b3

Followup: MachineOwner
---------

#6 byonic


Posted 12 July 2007 - 10:19 AM

Before doing the above dump analysis, I had another go at running the MS Onecare online checker again, and this time the machine didn't BSOD.

BUT, it did hang when the check got to 14% of the Disc clean up scan.
I thought I'd mention it, as before the hang, the check revealed that:

virus and spyware scan: 0 items detected, 0 issues found
registry cleaner scan: 272 invalid items found

Now to me that seems like a lot of invalid items! Is that number normal?

Thanks
(How do I win the $50,000?!?)

#7 usasma


Posted 13 July 2007 - 05:33 AM

I got over 700 invalid items the first time that I ran the scan - so that should be normal.

I'd search your system for a file named: windev-471a-54.sys And, if possible, scan it with your anti-virus software. A google for it didn't give any results - which is normally a "red flag" for malware. But the malware scan came back negative, so it may not be. Confusing, huh?

This isn't going to be an easy fix because we'll have to work at figuring out what's caused it. Are there any other dump files on the system, can you analyze them to see what they say?

Also, you may want to run this free, bootable memory tester to see if the problem is with your memory: http://www.memtest86.com/
Follow the directions for making the disk exactly, then let the test run for at least 2 or 3 passes (overnight would be better) and let us know if it finds anything.

#8 byonic


Posted 17 July 2007 - 06:51 AM

Hi again,

Before you posted the above reply, I had done a number of things-

I ran the Trend scanner again, which completed this time. The results showed that I had malware on the system-
TROJ_DLOADER.KTY

It also reported the following Grayware/Spyware:

HTTP COOKIES

I then instructed it to clean or delete the problems.

Then, after reading your post, I searched for the windev-471a-54.sys file, but it couldn't be found using windows search tool. Is this perhaps because Trend Housecall has 'cleaned' it?

I then downloaded the Memtest86 program and ran that over the weekend. I checked it after it had been running for about 6 hours and it reported no errors. However, when I checked it on Monday morning, the computer was off. The pc seemed to have shut itself down.

Since carrying out these actions, the BSOD appears to happen less frequently (I used the machine all day yesterday without an occurrence, apart from the first time XP loaded up), but does still happen.

I will post the log of this below.

Thanks.

#9 byonic


Posted 17 July 2007 - 06:55 AM

Microsoft ® Windows Debugger Version 6.7.0005.1
Copyright © Microsoft Corporation. All rights reserved.


Loading Dump File [C:\windows\Minidump\Mini071607-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 1) UP Free x86 compatible
Product: WinNt
Built by: 2600.xpsp2.050301-1526
Kernel base = 0x804d4000 PsLoadedModuleList = 0x8054c850
Debug session time: Mon Jul 16 11:28:51.468 2007 (GMT+1)
System Uptime: 0 days 0:00:43.078
Loading Kernel Symbols
..............................................................................................................................
Loading User Symbols
Loading unloaded module list
......
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {e2df9000, 0, 804f8ca4, 1}

*** WARNING: Unable to verify timestamp for windev-471a-54.sys
*** ERROR: Module load completed but symbols could not be loaded for windev-471a-54.sys

Could not read faulting driver name
Probably caused by : windev-471a-54.sys ( windev_471a_54+9b3 )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: e2df9000, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 804f8ca4, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000001, (reserved)

Debugging Details:
------------------


Could not read faulting driver name

READ_ADDRESS: e2df9000

FAULTING_IP:
nt!wcsncpy+14
804f8ca4 668b02 mov ax,word ptr [edx]

MM_INTERNAL_CODE: 1

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x50

TRAP_FRAME: f897f804 -- (.trap 0xfffffffff897f804)
ErrCode = 00000000
eax=f897b7ae ebx=f897fbe4 ecx=00000007 edx=e2df9000 esi=f897f8a0 edi=f897fa90
eip=804f8ca4 esp=f897f878 ebp=f897faa4 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
nt!wcsncpy+0x14:
804f8ca4 668b02 mov ax,word ptr [edx] ds:0023:e2df9000=????
Resetting default scope

LOCK_ADDRESS: 8054a8e0 -- (!locks 8054a8e0)

Resource @ nt!PiEngineLock (0x8054a8e0) Available

WARNING: SystemResourcesList->Flink chain invalid. Resource may be corrupted, or already deleted.


WARNING: SystemResourcesList->Blink chain invalid. Resource may be corrupted, or already deleted.

1 total locks

PNP_TRIAGE:
Lock address : 0x8054a8e0
Thread Count : 0
Thread address: 0x00000000
Thread wait : 0x0

LAST_CONTROL_TRANSFER: from 8051f2d8 to 8052b591

STACK_TEXT:
f897f7a0 8051f2d8 00000050 e2df9000 00000000 nt!KeBugCheckEx+0x19
f897f7ec 804dda27 00000000 e2df9000 00000000 nt!MmAccessFault+0x6f5
f897f7ec 804f8ca4 00000000 e2df9000 00000000 nt!KiTrap0E+0xb8
f897f87c ee4b39b3 f897f8a0 e2df8e10 000000ff nt!wcsncpy+0x14
WARNING: Stack unwind information not available. Following frames may be wrong.
f897faa4 804dad01 80001830 00000000 00000000 windev_471a_54+0x9b3
f897faa4 804d9296 80001830 00000000 00000000 nt!KiSystemService+0xc4
f897fb34 80580559 80001830 00000000 00000000 nt!ZwEnumerateKey+0x11
f897fbdc 8058ff3b 00000082 820c89d4 00000000 nt!IopGetDeviceInterfaces+0x5b9
f897fc48 8058fc39 820c89d4 e16235e0 00000001 nt!IopDisableDeviceInterfaces+0xe1
f897fc60 8058f9fe 820c8940 e16235e0 00000000 nt!IopSurpriseRemoveLockedDeviceNode+0xad
f897fc74 8058fa77 820c8940 00000003 e16235e0 nt!IopDeleteLockedDeviceNode+0x4e
f897fca8 8058f81f 81fc53b8 026235e0 00000003 nt!IopDeleteLockedDeviceNodes+0x3d
f897fd34 8058fded f897fd6c 806c9608 e2cd19a8 nt!PiProcessQueryRemoveAndEject+0x4c5
f897fd4c 8058e994 f897fd6c 823ccb30 81f98a00 nt!PiProcessTargetDeviceEvent+0x24
f897fd74 804e0f89 81f98a00 00000000 823ccb30 nt!PiWalkDeviceList+0xce
f897fdac 805609b0 81f98a00 00000000 00000000 nt!ExpWorkerThread+0xfe
f897fddc 804e8c54 804e0eb6 00000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


STACK_COMMAND: kb

FOLLOWUP_IP:
windev_471a_54+9b3
ee4b39b3 ?? ???

SYMBOL_STACK_INDEX: 4

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: windev_471a_54

IMAGE_NAME: windev-471a-54.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 0

SYMBOL_NAME: windev_471a_54+9b3

FAILURE_BUCKET_ID: 0x50_windev_471a_54+9b3

BUCKET_ID: 0x50_windev_471a_54+9b3

Followup: MachineOwner
---------


#10 byonic


Posted 17 July 2007 - 06:56 AM

Sorry about the duplicate info in the above- I seem to have run !analyze -v a few times. Oops!

#11 usasma


Posted 18 July 2007 - 05:51 AM

Since you've found a Trojan and the windev file is still appearing, I'd suspect that there's still an infection on the system. Try checking the pinned topics at the following links to get some help in ensuring that the system is clean:

http://www.bleepingcomputer.com/forums/f/103/am-i-infected-what-do-i-do/
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

Once we're sure that the system is clean, we can then troubleshoot the BSOD's and expect some reliable results.
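The dump triage discussed across this thread (read the bugcheck, find the blamed image, treat a driver nobody can identify as a red flag) can be scripted. This is an added example, not part of any post here: `parse_report`, `triage` and `split_symbol` are hypothetical names, `SAMPLE` is a trimmed excerpt of the first `!analyze -v` report posted above, and the findings are follow-up signals, not proof of infection.

```python
import re

# Trimmed excerpt of the first !analyze -v report posted in this thread.
SAMPLE = """\
BugCheck 50, {e32bd000, 0, 804f8ca4, 1}
*** WARNING: Unable to verify timestamp for windev-471a-54.sys
*** ERROR: Module load completed but symbols could not be loaded for windev-471a-54.sys
Probably caused by : windev-471a-54.sys ( windev_471a_54+9b3 )
STACK_TEXT:
edf8c5a0 8051f2d8 00000050 e32bd000 00000000 nt!KeBugCheckEx+0x19
edf8c5ec 804dda27 00000000 e32bd000 00000000 nt!MmAccessFault+0x6f5
edf8c5ec 804f8ca4 00000000 e32bd000 00000000 nt!KiTrap0E+0xb8
edf8c67c ee49a9b3 edf8c6a0 e32bce10 000000ff nt!wcsncpy+0x14
WARNING: Stack unwind information not available. Following frames may be wrong.
edf8c8a4 804dad01 80001bf8 00000000 00000000 windev_471a_54+0x9b3
edf8c8a4 804d9296 80001bf8 00000000 00000000 nt!KiSystemService+0xc4
edf8c934 80580559 80001bf8 00000000 00000000 nt!ZwEnumerateKey+0x11
MODULE_NAME: windev_471a_54
IMAGE_NAME: windev-471a-54.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 0
FAILURE_BUCKET_ID: 0x50_windev_471a_54+9b3
"""

BUGCHECK = re.compile(r"^BugCheck ([0-9A-Fa-f]+), \{(.*)\}")
FIELD = re.compile(r"^([A-Z_]+):\s*(\S.*)$")
# Stack row: ChildEBP, RetAddr, three argument words, then the symbol.
FRAME = re.compile(r"^(?:[0-9a-fA-F]{8} ){5}(\S+)$")


def split_symbol(sym):
    """'nt!wcsncpy+0x14' -> ('nt', 'wcsncpy'); 'drv+0x9b3' -> ('drv', None)."""
    name = sym.rsplit("+", 1)[0]
    module, bang, func = name.partition("!")
    return module, (func if bang else None)


def parse_report(text):
    """Extract bugcheck code/args, KEY: value fields, stack frames and warnings."""
    report = {"code": None, "args": [], "fields": {}, "frames": [], "warnings": []}
    for line in map(str.strip, text.splitlines()):
        if line.startswith(("WARNING:", "*** WARNING:", "*** ERROR:")):
            report["warnings"].append(line)
        elif m := BUGCHECK.match(line):
            report["code"] = int(m.group(1), 16)
            report["args"] = [int(a, 16) for a in m.group(2).split(",")]
        elif m := FRAME.match(line):
            report["frames"].append(split_symbol(m.group(1)))
        elif m := FIELD.match(line):
            report["fields"].setdefault(m.group(1), m.group(2))
    return report


def triage(report):
    """Return follow-up signals about the blamed image (heuristics only)."""
    fields, frames = report["fields"], report["frames"]
    image = fields.get("IMAGE_NAME", "?")
    findings = []
    if fields.get("DEBUG_FLR_IMAGE_TIMESTAMP") == "0":
        findings.append(f"{image}: debugger recorded image timestamp 0")
    if any("symbols could not be loaded" in w and image in w
           for w in report["warnings"]):
        findings.append(f"{image}: no symbols, frames inside it are raw offsets")
    unverified = any("Stack unwind information not available" in w
                     for w in report["warnings"])
    for i, (module, _func) in enumerate(frames[:-1]):
        # A non-kernel frame whose caller is the system-service dispatcher.
        if module == fields.get("MODULE_NAME") and frames[i + 1] == ("nt", "KiSystemService"):
            service = frames[i + 2][1] if i + 2 < len(frames) else "?"
            note = " (unwind unverified)" if unverified else ""
            findings.append(f"{module} entered from nt!KiSystemService "
                            f"while servicing {service}{note}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_report(SAMPLE)):
        print("-", finding)
```

Running the same functions over the second dump in the thread gives the same module and offset at a different load address, which is why both reports share one `FAILURE_BUCKET_ID`.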



