BSOD-Windows XP-Thinkpad T61

Discussion in 'Software' started by dutchluck13, Oct 25, 2010.

  1. dutchluck13

    dutchluck13 Private E-2

    Hi,
    On Sunday I experienced a BSOD crash. I went to the forums at bleepingcomputer to troubleshoot the error. The only thing they were able to figure out is that it is most likely being caused by the Lenovo driver Apsx86.sys.
    I have been searching for possible solutions all day with no luck. I really need to get this fixed as soon as possible. Attached is a log from BlueScreenView. Thanks in advance for your help.
     


  2. I did the following to make my T61's work.

    I was able to locate a T61 in the office that was working with no problems. I slashed out to the C:\WINDOWS\SYSTEM32 directory and copied the following files:

    File: C:\WINDOWS\system32\drivers\ShockMgr.sys
    File: C:\WINDOWS\system32\drivers\shockprf.sys
    File: C:\WINDOWS\system32\Sensor.dll
    Memory: 3200, c:\WINDOWS\system32\TPHDEXLG.exe
    File: C:\WINDOWS\system32\TpShCPL.cpl
    File: C:\WINDOWS\system32\TpShCPL.dll
    File: C:\WINDOWS\system32\TpShocks.exe

    I copied the files to a directory on my LOCAL computer, then I burned them on a CD.

    I then proceeded to boot the infected/messed up laptop(s) with Windows XP CD, and selected 'R' for Recovery Console.

    I swapped out the Windows XP CD for the CD with the files, and copied the files from the CD to the locations specified above.
    [example: D:\>copy ShockMgr.sys c:\windows\system32\drivers ]

    I exited out of the Recovery Console. (by typing EXIT)

    Computer Rebooted, and OS loaded with no problems.
     
  3. So if you have access to a working one, you can do this.
     
  4. dutchluck13

    dutchluck13 Private E-2

    Thanks for getting back to me. I'm sure I know someone with a T61, but it probably won't be easy to track down. Is there any other way that might work?
     
  5. satrow

    satrow Major Geek Extraordinaire

    If you attach the complete dmps (zipped) from \Windows\Minidumps, we can get a better picture of what drivers are loaded that may be triggering the BSOD's.
     
  6. dutchluck13

    dutchluck13 Private E-2

    Here are the complete dmps.
     


  7. satrow

    satrow Major Geek Extraordinaire

    Ok, I ran 3x dmps through WinDbg, starting with the oldest dated 3 types of the current BSODs, the 02, 03 and 04 from the 25th October.
    Code:
    Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
    Copyright (c) Microsoft Corporation. All rights reserved.
    
    
    Loading Dump File [C:\Users\Administrator\Desktop\dutchluck\Mini102510-02.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available
    
    Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
    Executable search path is: 
    Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 2600.xpsp_sp3_gdr.100427-1636
    Machine Name:
    Kernel base = 0x804d7000 PsLoadedModuleList = 0x805634c0
    Debug session time: Mon Oct 25 18:06:38.218 2010 (UTC + 1:00)
    System Uptime: 0 days 2:56:50.844
    Loading Kernel Symbols
    ...............................................................
    .............................................................
    Loading User Symbols
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    Use !analyze -v to get detailed debugging information.
    
    BugCheck 10000050, {f7947000, 1, 804f2a9b, 0}
    
    
    Could not read faulting driver name
    Probably caused by : ntkrnlmp.exe ( nt!KiDeliverApc+b3 )
    
    Followup: MachineOwner
    ---------
    
    1: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    PAGE_FAULT_IN_NONPAGED_AREA (50)
    Invalid system memory was referenced.  This cannot be protected by try-except,
    it must be protected by a Probe.  Typically the address is just plain bad or it
    is pointing at freed memory.
    Arguments:
    Arg1: f7947000, memory referenced.
    Arg2: 00000001, value 0 = read operation, 1 = write operation.
    Arg3: 804f2a9b, If non-zero, the instruction address which referenced the bad memory
    	address.
    Arg4: 00000000, (reserved)
    
    Debugging Details:
    ------------------
    
    
    Could not read faulting driver name
    
    WRITE_ADDRESS:  f7947000 
    
    FAULTING_IP: 
    nt!IopCompleteRequest+92
    804f2a9b f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
    
    MM_INTERNAL_CODE:  0
    
    CUSTOMER_CRASH_COUNT:  2
    
    DEFAULT_BUCKET_ID:  DRIVER_FAULT
    
    BUGCHECK_STR:  0x50
    
    PROCESS_NAME:  System
    
    IRP_ADDRESS:  8a1038f0
    
    DEVICE_OBJECT: 8b3ef030
    
    LAST_CONTROL_TRANSFER:  from 804f2c55 to 804f2a9b
    
    STACK_TEXT:  
    f7946abc 804f2c55 8a103930 f7946b08 f7946afc nt!IopCompleteRequest+0x92
    f7946b0c 80701ef2 00000000 00000000 f7946b24 nt!KiDeliverApc+0xb3
    f7946b0c 80701ae4 00000000 00000000 f7946b24 hal!HalpApcInterrupt+0xc6
    f7946b94 804e5d5c 8a103930 8a1038f0 00000000 hal!KeReleaseQueuedSpinLock+0x3c
    f7946bb4 804f2c6f 8a103930 00000000 00000000 nt!KeInsertQueueApc+0x6d
    f7946be8 8aa9a731 f7946c64 8b3f4118 00000000 nt!IopfCompleteRequest+0x1d8
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    f7946c00 804e13eb 8b3ef030 8a1038f0 8b3ef030 0x8aa9a731
    f7946c30 804dc84d f7946c88 00000000 00000000 nt!IopfCallDriver+0x31
    f7946c34 f7946c88 00000000 00000000 00000000 nt!KiSwapContext+0x2f
    00000000 00000000 00000000 00000000 00000000 0xf7946c88
    
    
    STACK_COMMAND:  kb
    
    FOLLOWUP_IP: 
    nt!KiDeliverApc+b3
    804f2c55 8d55d8          lea     edx,[ebp-28h]
    
    SYMBOL_STACK_INDEX:  1
    
    SYMBOL_NAME:  nt!KiDeliverApc+b3
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: nt
    
    IMAGE_NAME:  ntkrnlmp.exe
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  4bd6eda6
    
    FAILURE_BUCKET_ID:  0x50_nt!KiDeliverApc+b3
    
    BUCKET_ID:  0x50_nt!KiDeliverApc+b3
    
    Followup: MachineOwner
    ---------
    
    =========================================================
    
    Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
    Copyright (c) Microsoft Corporation. All rights reserved.
    
    
    Loading Dump File [C:\Users\Administrator\Desktop\dutchluck\Mini102510-03.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available
    
    Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
    Executable search path is: 
    Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 2600.xpsp_sp3_gdr.100427-1636
    Machine Name:
    Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
    Debug session time: Mon Oct 25 18:10:25.968 2010 (UTC + 1:00)
    System Uptime: 0 days 0:03:09.736
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    .......................................................
    Loading User Symbols
    Loading unloaded module list
    ..........
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    Use !analyze -v to get detailed debugging information.
    
    BugCheck 1000007E, {c0000005, 8b5132e4, ba56fb04, ba56f800}
    
    *** WARNING: Unable to verify timestamp for Apsx86.sys
    *** ERROR: Module load completed but symbols could not be loaded for Apsx86.sys
    Probably caused by : Apsx86.sys ( Apsx86+3a93 )
    
    Followup: MachineOwner
    ---------
    =========================================================
    
    Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
    Copyright (c) Microsoft Corporation. All rights reserved.
    
    
    Loading Dump File [C:\Users\Administrator\Desktop\dutchluck\Mini102510-04.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available
    
    Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
    Executable search path is: 
    Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 2600.xpsp_sp3_gdr.100427-1636
    Machine Name:
    Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
    Debug session time: Mon Oct 25 18:13:57.906 2010 (UTC + 1:00)
    System Uptime: 0 days 0:02:58.669
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    .......................................................
    Loading User Symbols
    Loading unloaded module list
    ..........
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    Use !analyze -v to get detailed debugging information.
    
    BugCheck 1000007E, {c0000005, 8b5142e4, ba56fb04, ba56f800}
    
    Probably caused by : ntkrpamp.exe ( nt!KiEspToTrapFrame+27 )
    
    Followup: MachineOwner
    ---------
    
    1: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
    This is a very common bugcheck.  Usually the exception address pinpoints
    the driver/function that caused the problem.  Always note this address
    as well as the link date of the driver/image that contains this address.
    Some common problems are exception code 0x80000003.  This means a hard
    coded breakpoint or assertion was hit, but this system was booted
    /NODEBUG.  This is not supposed to happen as developers should never have
    hardcoded breakpoints in retail code, but ...
    If this happens, make sure a debugger gets connected, and the
    system is booted /DEBUG.  This will let us see why this breakpoint is
    happening.
    Arguments:
    Arg1: c0000005, The exception code that was not handled
    Arg2: 8b5142e4, The address that the exception occurred at
    Arg3: ba56fb04, Exception Record Address
    Arg4: ba56f800, Context Record Address
    
    Debugging Details:
    ------------------
    
    
    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
    
    FAULTING_IP: 
    +16
    8b5142e4 f3a4            rep movs byte ptr es:[edi],byte ptr [esi]
    
    EXCEPTION_RECORD:  ba56fb04 -- (.exr 0xffffffffba56fb04)
    ExceptionAddress: 8b5142e4
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 00000001
       Parameter[1]: 01cb731b
    Attempt to write to address 01cb731b
    
    CONTEXT:  ba56f800 -- (.cxr 0xffffffffba56f800)
    eax=12a19de5 ebx=89aa03a0 ecx=00000200 edx=00000000 esi=8b51abe8 edi=01cb731b
    eip=8b5142e4 esp=ba56fbcc ebp=ba56fbd4 iopl=0         nv up ei pl nz na po nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
    8b5142e4 f3a4            rep movs byte ptr es:[edi],byte ptr [esi]
    Resetting default scope
    
    CUSTOMER_CRASH_COUNT:  4
    
    DEFAULT_BUCKET_ID:  COMMON_SYSTEM_FAULT
    
    PROCESS_NAME:  System
    
    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
    
    EXCEPTION_PARAMETER1:  00000001
    
    EXCEPTION_PARAMETER2:  01cb731b
    
    WRITE_ADDRESS:  01cb731b 
    
    FOLLOWUP_IP: 
    nt!KiEspToTrapFrame+27
    804fdb29 8b4a6c          mov     ecx,dword ptr [edx+6Ch]
    
    FAILED_INSTRUCTION_ADDRESS: 
    +6d652faf024ddbf4
    8b5142e4 f3a4            rep movs byte ptr es:[edi],byte ptr [esi]
    
    BUGCHECK_STR:  0x7E
    
    EXCEPTION_DOESNOT_MATCH_CODE:  This indicates a hardware error.
    Instruction at 8b5142e4 does not read/write to 01cb731b
    
    LAST_CONTROL_TRANSFER:  from 8b515718 to 8b5142e4
    
    STACK_TEXT:  
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    ba56fbd4 8b515718 01cb731b 00000000 00000001 0x8b5142e4
    ba56fc00 804ef19f 8b551030 89aa0330 8b551030 0x8b515718
    ba56fd00 804fdb29 ba56f16c ba56ee14 ba56f16c nt!IopfCallDriver+0x31
    ba56fdac 805cff62 8b49a4a0 00000000 00000000 nt!KiEspToTrapFrame+0x27
    ba56fddc 8054612e b9cfc5f6 8b49a4a0 00000000 nt!PspSystemThreadStartup+0x34
    00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
    
    
    SYMBOL_STACK_INDEX:  3
    
    SYMBOL_NAME:  nt!KiEspToTrapFrame+27
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: nt
    
    IMAGE_NAME:  ntkrpamp.exe
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  4bd6e0e8
    
    STACK_COMMAND:  .cxr 0xffffffffba56f800 ; kb
    
    FAILURE_BUCKET_ID:  0x7E_CODE_ADDRESS_MISMATCH_BAD_IP_nt!KiEspToTrapFrame+27
    
    BUCKET_ID:  0x7E_CODE_ADDRESS_MISMATCH_BAD_IP_nt!KiEspToTrapFrame+27
    
    Followup: MachineOwner
    ---------
    
    
    Searching online for posts with all 3 related drivers gives me 147 hits, most referring to malware.

    As you can't seem to be able to keep the laptop running for more than a few minutes, you'll need to connect the drive to another PC to save any valuable data and attempt cleaning, disk checking, etc.
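
Added example, not part of the original post or the poster's tooling: a small Python triage pass over WinDbg minidump transcripts like the ones quoted above. It pulls out the stop code, the blamed image, modules whose timestamp could not be verified, and stack frames whose instruction pointer is a bare address outside every loaded module. The function and field names are assumptions made for this example; the sample text is abridged from the output in this thread.

```python
import re

# Abridged from the WinDbg output quoted in the post above.
SAMPLE = r"""
Loading Dump File [C:\Users\Administrator\Desktop\dutchluck\Mini102510-02.dmp]
BugCheck 10000050, {f7947000, 1, 804f2a9b, 0}
Probably caused by : ntkrnlmp.exe ( nt!KiDeliverApc+b3 )
STACK_TEXT:
f7946be8 8aa9a731 f7946c64 8b3f4118 00000000 nt!IopfCompleteRequest+0x1d8
WARNING: Frame IP not in any known module. Following frames may be wrong.
f7946c00 804e13eb 8b3ef030 8a1038f0 8b3ef030 0x8aa9a731
f7946c30 804dc84d f7946c88 00000000 00000000 nt!IopfCallDriver+0x31

Loading Dump File [C:\Users\Administrator\Desktop\dutchluck\Mini102510-03.dmp]
BugCheck 1000007E, {c0000005, 8b5132e4, ba56fb04, ba56f800}
*** WARNING: Unable to verify timestamp for Apsx86.sys
Probably caused by : Apsx86.sys ( Apsx86+3a93 )
"""

DUMP = re.compile(r"Loading Dump File \[([^\]]+)\]")
BUGCHECK = re.compile(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", re.M)
CAUSE = re.compile(r"^Probably caused by : (\S+)", re.M)
UNVERIFIED = re.compile(r"Unable to verify timestamp for (\S+)")
# Stack row: ChildEBP RetAddr Arg1 Arg2 Arg3 <frame>. A frame printed as a
# bare 0x... address (no module!symbol) is code outside every loaded module.
RAW_FRAME = re.compile(r"^(?:[0-9a-f]{8} ){5}(0x[0-9a-f]{8})[ \t]*$", re.M)


def triage(text):
    """Return one summary dict per dump session found in a WinDbg transcript."""
    reports = []
    for chunk in re.split(r"(?=Loading Dump File \[)", text):
        dump, bug = DUMP.search(chunk), BUGCHECK.search(chunk)
        if not (dump and bug):
            continue  # preamble or a session without a BugCheck line
        cause = CAUSE.search(chunk)
        reports.append({
            "dump": dump.group(1).rsplit("\\", 1)[-1],
            # The transcript shows 10000050 as stop 0x50 and 1000007E as 0x7E,
            # so drop the leading nibble to get the stop code.
            "stop_code": int(bug.group(1), 16) & 0x0FFFFFFF,
            "args": [a.strip() for a in bug.group(2).split(",")],
            "blamed": cause.group(1) if cause else None,
            "unverified": UNVERIFIED.findall(chunk),
            "unbacked_frames": RAW_FRAME.findall(chunk),
        })
    return reports


if __name__ == "__main__":
    for report in triage(SAMPLE):
        print(report)
```

A dump that blames a core kernel image while also listing unbacked frames is worth comparing against the loaded-module list before trusting the "Probably caused by" line.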
     
  8. dutchluck13

    dutchluck13 Private E-2

    Thanks satrow
    I'm able to run in safe mode and safe mode w/ networking and have already backed up any valuable data. I'll proceed to scan for/remove malware.
     
  9. satrow

    satrow Major Geek Extraordinaire

    Do a full disk check on it too and check for those files mentioned earlier by the binary guy ;)
     
  10. dutchluck13

    dutchluck13 Private E-2

    What do you mean by full disk check? (Using what?)
     
  11. satrow

    satrow Major Geek Extraordinaire

    Use Explorer, right-click the drive and choose Properties > Tools tab > Error checking > check both boxes and ok your way out. Windows should then run a disk check at next boot.
     
  12. dutchluck13

    dutchluck13 Private E-2

    Okay, I ran the scan and it came back clean. I also was able to finally figure out a way to uninstall Thinkpad Active Protection while in safe mode. This fixed the problem being caused by the Lenovo driver and I am now able to boot normally :). I know that there is still malware on the computer, so I will go through the appropriate steps to remove that.
     
  13. satrow

    satrow Major Geek Extraordinaire

    Ok, that's good progress, I hope the cleanup goes well :)
     
