Got A few probs BSOD on reboot & can't connect to update.microsoft urls

I'm posting here per the suggestion of the malware forums in hopes I can resolve some problems I'm facing. It very well may be the result of some malware that has since been cleared off.

1. I always receive a BSOD on shutting down or restarting my PC.


BugCheck 1000008E, {c0000005, 826c9887, 923ff924, 0}

Probably caused by : ntkrpamp.exe ( nt!PopNotifyDevice+67 )

Followup: MachineOwner
---------

I can paste more from the .dmp file if needed






2. I cannot connect to Microsoft update urls via any browser nor can I connect via Windows Update. I've done the basics here, validating proxy settings, host files, dns and I can't find where this is being prevented.

3. An annoying what I would call a refresh of the explorer.exe. It seems every so often the taskbar will flash, sometimes with less color, and come back.

4. Every few minutes I receive a

Host Process for Windows Services stopped working and has closed.

If I continue it tells me to download windows updates, which of course I can't do.



I know this is quite a bit so help on any of these will be appreciated. Thanks

 

Can you attach the last 3 minidumps files please? You'll need to copy them to your Desktop then zip them and attach the zip file, I'll try to look deeper into them.

 

Thanks for your help. At least the 2 most recent dmps were during the shutdown process. It's possible the oldest was a BSOD while I worked.

If it helps I have some other BSODs when my PC was not shutting down.

 

There are 3 suspect files loaded in your dump files:

84275511.sys 0x00520000 0x4abccca4 9/25/2009 14:59:00
8427551.sys 0x00050000 0x4acf8ec7 10/9/2009 20:28:07
84275512.sys 0x0000d000 0x4ae02bb3 10/22/2009 10:53:55

These appear to be hidden from Explorer as there's no path to locate the files.

I think it's back to your Malware thread and ask for assistance in locating these files and removing them from your system.

Code:

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000008E, {c0000005, 826c9887, 90967924, 0}

Probably caused by : ntkrpamp.exe ( nt!PopNotifyDevice+67 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003.  This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG.  This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG.  This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 826c9887, The address that the exception occurred at
Arg3: 90967924, Trap Frame
Arg4: 00000000

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP: 
nt!PopNotifyDevice+67
826c9887 8b4760          mov     eax,dword ptr [edi+60h]

TRAP_FRAME:  90967924 -- (.trap 0xffffffff90967924)
ErrCode = 00000000
eax=00000000 ebx=858e7b4c ecx=858e7b4c edx=00000000 esi=853bf6c8 edi=00000000
eip=826c9887 esp=90967998 ebp=909679a4 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
nt!PopNotifyDevice+0x67:
826c9887 8b4760          mov     eax,dword ptr [edi+60h] ds:0023:00000060=????????
Resetting default scope

CUSTOMER_CRASH_COUNT:  3

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0x8E

PROCESS_NAME:  wininit.exe

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from 826c969a to 826c9887

STACK_TEXT:  
909679a4 826c969a 858e7b4c 00000001 00000000 nt!PopNotifyDevice+0x67
90967a14 826c935c 0000001e 00000004 824fc82c nt!PopSleepDeviceList+0xeb
90967a6c 826c809c 9096c0d0 90967ba4 90967c28 nt!PopSetDevicesSystemState+0x253
90967b90 8248caea 00000006 00000000 00000004 nt!NtSetSystemPowerState+0x3ca
90967b90 8247f609 00000006 00000000 00000004 nt!KiFastCallEntry+0x12a
90967c14 826c7d88 00000006 00000004 c0000004 nt!ZwSetSystemPowerState+0x11
90967d44 8267a147 00000006 00000004 c0000004 nt!NtSetSystemPowerState+0xc0
90967d58 8248caea 00000002 0015f77c 77e00f34 nt!NtShutdownSystem+0x32
90967d58 77e00f34 00000002 0015f77c 77e00f34 nt!KiFastCallEntry+0x12a
WARNING: Frame IP not in any known module. Following frames may be wrong.
0015f77c 00000000 00000000 00000000 00000000 0x77e00f34


STACK_COMMAND:  kb

FOLLOWUP_IP: 
nt!PopNotifyDevice+67
826c9887 8b4760          mov     eax,dword ptr [edi+60h]

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  nt!PopNotifyDevice+67

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrpamp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  4a7965f4

FAILURE_BUCKET_ID:  0x8E_nt!PopNotifyDevice+67

BUCKET_ID:  0x8E_nt!PopNotifyDevice+67

Followup: MachineOwner
---------

 

Thanks Tim; the files were in all 3 dumps and I couldn't find any previous references to those file names - they may be part of the normal save profile/shutdown routine for all I know, the OP was only sure that 2 of the dumps occurred during shutdown, the oldest may have been from a crash while he was working.

 

chaslang replied to the malware thread with the following;

"As I suggested in a private forum to Tim, these are just .SYS files from running Kaspersky's Virus Removal Tool at some point in the past. They are not problems."

Please let me know if there is anything I can do. I can easily enough recreate the BSODs as it happens every reboot. To be honest, its more of an annoyance than anything else. The inability to perform windows updates and the occasional blue screen while not rebooting is more of a pressing concern but I figured this BSOD was a bit easier to troubleshoot and predict and may lead to resolution of the other issues.

 

Ok, then it's back to basics:
Run chkdsk (Start > Run > chkdsk C: /R > Enter) on your System drive then run SFC /scannow to fix file system errors and then check for and reinstall any Windows protected files that are missing/broken. Make sure all your drivers are updated, especially any networking drivers.

Test for some kind of profile corruption by creating a new user and test from that.

 

Ignore the last post, I see your Malware thread has seen some recent activity.