BSOD translation

Discussion in 'Software' started by Break_Da, Sep 7, 2010.

  1. Break_Da

    Break_Da Sergeant

    I had a BSOD today, caught a photo and two logs out of it. All will be attached soon from another PC.

    Info on the BSOD. While a quick indicator says driver issue, I haven't updated anything. I have run check disk on all four partitions of the hard drive, didn't watch it but ran it. Came up without any screen thus far. I suspect a hard drive issue, it was gotten used with a hard drive monitor tool showing three areas of 'fail'.
     
  2. Break_Da

    Break_Da Sergeant

    Pics added, looking for a utility to break down the dump file.
     


  3. Break_Da

    Break_Da Sergeant

    BSOD text
     


  4. Caliban

    Caliban I don't need no steenkin' title!

    First thing I'd check (other than the hard drive) would be anything related to your network: card, adapter, drivers, etc. - most NDIS.SYS errors are network-related...
     
  5. Break_Da

    Break_Da Sergeant

    I haven't noticed any intermittent or spotty Network functions. Inside Device Manager is clean, free of any question marks or exclamation marks.
     
  6. Break_Da

    Break_Da Sergeant

    Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [C:\WINDOWS\Minidump\Mini090610-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available

    Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is:
    Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS Personal
    Built by: 2600.xpsp_sp3_gdr.100427-1636
    Machine Name:
    Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055b1c0
    Debug session time: Mon Sep 6 17:09:39.500 2010 (UTC - 5:00)
    System Uptime: 1 days 12:40:19.094
    Loading Kernel Symbols
    ...............................................................
    ................................................................

    Loading User Symbols
    Loading unloaded module list
    ....................................
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 1000007E, {c0000005, 86cf3868, f38d5afc, f38d57f8}

    Probably caused by : NDProxy.SYS ( NDProxy!AllocateTapiProvider+79 )

    Followup: MachineOwner
    ---------
     
  7. Caliban

    Caliban I don't need no steenkin' title!

    Can you locate the file 'NDProxy.SYS'? Reason I ask: if it's in the c:\windows or c:\windows\system32 folders, there's a possibility that it's malware disguising itself as a Windows file...just a possibility...
     
  8. Break_Da

    Break_Da Sergeant

    with !analyze -v switch:

    kd> SRV*c:\symbols*http://msdl.microsoft.com/download/symbols !analyze -v
    *** WARNING: Unable to verify timestamp for nv4_disp.dll
    *** ERROR: Module load completed but symbols could not be loaded for nv4_disp.dll
    *** WARNING: Unable to verify timestamp for ATMFD.DLL
    *** ERROR: Module load completed but symbols could not be loaded for ATMFD.DLL
    *** WARNING: Unable to verify timestamp for HTTP.sys
    *** ERROR: Module load completed but symbols could not be loaded for HTTP.sys
    *** WARNING: Unable to verify timestamp for avgntflt.sys
    *** ERROR: Module load completed but symbols could not be loaded for avgntflt.sys
    *** WARNING: Unable to verify timestamp for avipbb.sys
    *** ERROR: Module load completed but symbols could not be loaded for avipbb.sys
    *** WARNING: Unable to verify timestamp for ipnat.sys
    *** ERROR: Module load completed but symbols could not be loaded for ipnat.sys
    *** WARNING: Unable to verify timestamp for SASKUTIL.SYS
    *** ERROR: Module load completed but symbols could not be loaded for SASKUTIL.SYS
    *** WARNING: Unable to verify timestamp for ipsec.sys
    *** ERROR: Module load completed but symbols could not be loaded for ipsec.sys
    *** WARNING: Unable to verify timestamp for InCDFs.sys
    *** ERROR: Module load completed but symbols could not be loaded for InCDFs.sys
    *** WARNING: Unable to verify timestamp for cmdguard.sys
    *** ERROR: Module load completed but symbols could not be loaded for cmdguard.sys
    *** WARNING: Unable to verify timestamp for aeaudio.sys
    *** ERROR: Module load completed but symbols could not be loaded for aeaudio.sys
    *** WARNING: Unable to verify timestamp for smwdm.sys
    *** ERROR: Module load completed but symbols could not be loaded for smwdm.sys
    *** WARNING: Unable to verify timestamp for winachcf.sys
    *** ERROR: Module load completed but symbols could not be loaded for winachcf.sys
    *** WARNING: Unable to verify timestamp for e100b325.sys
    *** ERROR: Module load completed but symbols could not be loaded for e100b325.sys
    *** WARNING: Unable to verify timestamp for nv4_mini.sys
    *** ERROR: Module load completed but symbols could not be loaded for nv4_mini.sys
    *** WARNING: Unable to verify timestamp for InCDRec.sys
    *** ERROR: Module load completed but symbols could not be loaded for InCDRec.sys
    *** WARNING: Unable to verify timestamp for inspect.sys
    *** ERROR: Module load completed but symbols could not be loaded for inspect.sys
    *** WARNING: Unable to verify timestamp for WudfPf.sys
    *** ERROR: Module load completed but symbols could not be loaded for WudfPf.sys
    *** WARNING: Unable to verify timestamp for a347bus.sys
    *** ERROR: Module load completed but symbols could not be loaded for a347bus.sys
    *** WARNING: Unable to verify timestamp for isapnp.sys
    *** ERROR: Module load completed but symbols could not be loaded for isapnp.sys
    *** WARNING: Unable to verify timestamp for intelppm.sys
    *** ERROR: Module load completed but symbols could not be loaded for intelppm.sys
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for drmk.sys -
    *** WARNING: Unable to verify timestamp for sfmanm.sys
    *** ERROR: Module load completed but symbols could not be loaded for sfmanm.sys
    *** WARNING: Unable to verify timestamp for dvdfab.sys
    *** ERROR: Module load completed but symbols could not be loaded for dvdfab.sys
    *** WARNING: Unable to verify timestamp for InCDPass.sys
    *** ERROR: Module load completed but symbols could not be loaded for InCDPass.sys
    *** WARNING: Unable to verify timestamp for cmdhlp.sys
    *** ERROR: Module load completed but symbols could not be loaded for cmdhlp.sys
    *** WARNING: Unable to verify timestamp for ssmdrv.sys
    *** ERROR: Module load completed but symbols could not be loaded for ssmdrv.sys
    *** WARNING: Unable to verify timestamp for SASDIFSV.SYS
    *** ERROR: Module load completed but symbols could not be loaded for SASDIFSV.SYS
    *** WARNING: Unable to verify timestamp for NuidFltr.sys
    *** ERROR: Module load completed but symbols could not be loaded for NuidFltr.sys
    *** WARNING: Unable to verify timestamp for point32.sys
    *** ERROR: Module load completed but symbols could not be loaded for point32.sys
    *** WARNING: Unable to verify timestamp for intelide.sys
    *** ERROR: Module load completed but symbols could not be loaded for intelide.sys
    *** WARNING: Unable to verify timestamp for a347scsi.sys
    *** ERROR: Module load completed but symbols could not be loaded for a347scsi.sys
    *** WARNING: Unable to verify timestamp for ctlfacem.sys
    *** ERROR: Module load completed but symbols could not be loaded for ctlfacem.sys
    *** WARNING: Unable to verify timestamp for avgio.sys
    *** ERROR: Module load completed but symbols could not be loaded for avgio.sys
    *** WARNING: Unable to verify timestamp for hiber_WMILIB.SYS
    *** ERROR: Module load completed but symbols could not be loaded for hiber_WMILIB.SYS
    *** WARNING: Unable to verify timestamp for SENSUPGD.SYS
    *** ERROR: Module load completed but symbols could not be loaded for SENSUPGD.SYS
    Couldn't resolve error at 'RV*c:\symbols*http://msdl.microsoft.com/download/symbols !analyze -v'
    kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
    This is a very common bugcheck. Usually the exception address pinpoints
    the driver/function that caused the problem. Always note this address
    as well as the link date of the driver/image that contains this address.
    Some common problems are exception code 0x80000003. This means a hard
    coded breakpoint or assertion was hit, but this system was booted
    /NODEBUG. This is not supposed to happen as developers should never have
    hardcoded breakpoints in retail code, but ...
    If this happens, make sure a debugger gets connected, and the
    system is booted /DEBUG. This will let us see why this breakpoint is
    happening.
    Arguments:
    Arg1: c0000005, The exception code that was not handled
    Arg2: 86cf3868, The address that the exception occurred at
    Arg3: f38d5afc, Exception Record Address
    Arg4: f38d57f8, Context Record Address

    Debugging Details:
    ------------------


    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

    FAULTING_IP:
    +16
    86cf3868 0000 add byte ptr [eax],al

    EXCEPTION_RECORD: f38d5afc -- (.exr 0xfffffffff38d5afc)
    ExceptionAddress: 86cf3868
    ExceptionCode: c0000005 (Access violation)
    ExceptionFlags: 00000000
    NumberParameters: 2
    Parameter[0]: 00000001
    Parameter[1]: 0d3477c8
    Attempt to write to address 0d3477c8

    CONTEXT: f38d57f8 -- (.cxr 0xfffffffff38d57f8)
    eax=0d3477c8 ebx=f38d5c6c ecx=00000000 edx=86121a50 esi=86d362b0 edi=f38d5c70
    eip=86cf3868 esp=f38d5bc4 ebp=f38d5be8 iopl=0 nv up ei pl nz ac po cy
    cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010213
    86cf3868 0000 add byte ptr [eax],al ds:0023:0d3477c8=??
    Resetting default scope

    CUSTOMER_CRASH_COUNT: 1

    DEFAULT_BUCKET_ID: DRIVER_FAULT

    PROCESS_NAME: System

    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

    EXCEPTION_PARAMETER1: 00000001

    EXCEPTION_PARAMETER2: 0d3477c8

    WRITE_ADDRESS: 0d3477c8

    FOLLOWUP_IP:
    NDProxy!AllocateTapiProvider+79
    f77573eb 3d03010000 cmp eax,103h

    FAILED_INSTRUCTION_ADDRESS:
    +2dc2faf016edfc0
    86cf3868 0000 add byte ptr [eax],al

    BUGCHECK_STR: 0x7E

    LAST_CONTROL_TRANSFER: from f74bec8c to 86cf3868

    STACK_TEXT:
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    f38d5bc0 f74bec8c 86121a50 00000000 00000000 0x86cf3868
    f38d5be8 f77573eb 86572900 00000000 00000000 NDIS!NdisCoRequest+0xf1
    f38d5cbc f7757694 86048b18 8617ef00 f38d5d50 NDProxy!AllocateTapiProvider+0x79
    f38d5ccc f7753328 86048b18 8617ef00 86572900 NDProxy!AllocateTapiResources+0x10
    f38d5d50 f74a9541 8617ef6c 860dc2ac 86572900 NDProxy!PxCoNotifyAfRegistration+0x38c
    f38d5d74 f74a9498 860dc290 f74a6464 8629bae4 NDIS!ndisNotifyAfRegistration+0x38
    f38d5d98 f74a6baa 8629bad0 00000000 86cfc020 NDIS!ndisMFinishQueuedPendingOpen+0x7d
    f38d5dac 8057b0df 8629bad4 00000000 00000000 NDIS!ndisWorkerThread+0x75
    f38d5ddc 804f88fa f74a6b85 8629bad4 00000000 nt!PspSystemThreadStartup+0x34
    00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


    SYMBOL_STACK_INDEX: 2

    SYMBOL_NAME: NDProxy!AllocateTapiProvider+79

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: NDProxy

    IMAGE_NAME: NDProxy.SYS

    DEBUG_FLR_IMAGE_TIMESTAMP: 48025798

    STACK_COMMAND: .cxr 0xfffffffff38d57f8 ; kb

    FAILURE_BUCKET_ID: 0x7E_BAD_IP_NDProxy!AllocateTapiProvider+79

    BUCKET_ID: 0x7E_BAD_IP_NDProxy!AllocateTapiProvider+79

    Followup: MachineOwner
    ---------
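
Added example (not part of the original thread or any poster's code): a small Python triage of the `!analyze -v` text above. It decodes the image link date that the bugcheck text says to note and flags stack frames whose address resolves to no loaded module. The function names are hypothetical, and the embedded sample is an excerpt of the posted output.

```python
import re
from datetime import datetime, timezone

# Excerpt of the !analyze -v output posted in the thread (embedded so this runs offline).
SAMPLE = """\
Arg2: 86cf3868, The address that the exception occurred at
STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
f38d5bc0 f74bec8c 86121a50 00000000 00000000 0x86cf3868
f38d5be8 f77573eb 86572900 00000000 00000000 NDIS!NdisCoRequest+0xf1
f38d5cbc f7757694 86048b18 8617ef00 f38d5d50 NDProxy!AllocateTapiProvider+0x79

IMAGE_NAME: NDProxy.SYS
DEBUG_FLR_IMAGE_TIMESTAMP: 48025798
"""

# ChildEBP, RetAddr, three argument words, then a symbol or a raw address.
FRAME = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) (?:[0-9a-f]{8} ){3}(\S+)$")

def field(text, name):
    """Return the first token after 'name:' (hypothetical helper), or None."""
    m = re.search(rf"^\s*{re.escape(name)}:\s*([^\s,]+)", text, re.M)
    return m.group(1) if m else None

def parse_stack(text):
    """Return (ret_addr, symbol, resolved) per STACK_TEXT frame; resolved means module!symbol."""
    frames, in_stack = [], False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("STACK_TEXT:"):
            in_stack = True
        elif in_stack and not line:
            break                      # a blank line ends the section
        elif in_stack and (m := FRAME.match(line)):
            frames.append((m.group(2), m.group(3), "!" in m.group(3)))
    return frames

def triage(text):
    frames = parse_stack(text)
    fault = int(field(text, "Arg2"), 16)
    raw = [int(sym, 16) for _, sym, ok in frames if not ok]   # frames with no module
    stamp = int(field(text, "DEBUG_FLR_IMAGE_TIMESTAMP"), 16)  # PE link time, Unix seconds
    return {
        "image": field(text, "IMAGE_NAME"),
        "link_date": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
        "fault_outside_modules": fault in raw,
        "last_resolved_caller": next((s for _, s, ok in frames if ok), None),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On the posted dump this gives a link date of 13 April 2008 for NDProxy.SYS and shows that the faulting address is the unsymbolized top frame, which matches the `0x7E_BAD_IP` bucket in the output.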
     
  9. Break_Da

    Break_Da Sergeant

    Really? ok, I will look for it. Have to jet now though.
     
  10. Break_Da

    Break_Da Sergeant

    I have a pic of the locations of the NDProxy.SYS file in question.

    Also attached is a monitoring tool showing the status of the current hard drive.
     


