Got A few probs BSOD on reboot & can't connect to update.microsoft urls

Discussion in 'Software' started by boatdrinks, May 1, 2011.

  1. boatdrinks

    boatdrinks Private E-2

    I'm posting here per the suggestion of the malware forums in hopes I can resolve some problems I'm facing. It very well may be the result of some malware that has since been cleared off.

    1. I always receive a BSOD on shutting down or restarting my PC.


    BugCheck 1000008E, {c0000005, 826c9887, 923ff924, 0}

    Probably caused by : ntkrpamp.exe ( nt!PopNotifyDevice+67 )

    Followup: MachineOwner
    ---------

    I can paste more from the .dmp file if needed.

    2. I cannot connect to Microsoft update URLs via any browser nor can I connect via Windows Update. I've done the basics here, validating proxy settings, host files, DNS and I can't find where this is being prevented.

    3. An annoying what I would call a refresh of the explorer.exe. It seems every so often the taskbar will flash, sometimes with less color, and come back.

    4. Every few minutes I receive a

    Host Process for Windows Services stopped working and has closed.

    If I continue it tells me to download Windows updates, which of course I can't do.

    I know this is quite a bit so help on any of these will be appreciated. Thanks
     
  2. satrow

    satrow Major Geek Extraordinaire

    Can you attach the last 3 minidump files please? You'll need to copy them to your Desktop then zip them and attach the zip file, I'll try to look deeper into them.
     
  3. boatdrinks

    boatdrinks Private E-2

    Thanks for your help. At least the 2 most recent dmps were during the shutdown process. It's possible the oldest was a BSOD while I worked.

    If it helps I have some other BSODs when my PC was not shutting down.
     
  4. satrow

    satrow Major Geek Extraordinaire

    There are 3 suspect files loaded in your dump files:

    84275511.sys 0x00520000 0x4abccca4 9/25/2009 14:59:00
    8427551.sys 0x00050000 0x4acf8ec7 10/9/2009 20:28:07
    84275512.sys 0x0000d000 0x4ae02bb3 10/22/2009 10:53:55

    These appear to be hidden from Explorer as there's no path to locate the files.

    I think it's back to your Malware thread and ask for assistance in locating these files and removing them from your system.
    Code:
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    Use !analyze -v to get detailed debugging information.
    
    BugCheck 1000008E, {c0000005, 826c9887, 90967924, 0}
    
    Probably caused by : ntkrpamp.exe ( nt!PopNotifyDevice+67 )
    
    Followup: MachineOwner
    ---------
    
    0: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
    This is a very common bugcheck.  Usually the exception address pinpoints
    the driver/function that caused the problem.  Always note this address
    as well as the link date of the driver/image that contains this address.
    Some common problems are exception code 0x80000003.  This means a hard
    coded breakpoint or assertion was hit, but this system was booted
    /NODEBUG.  This is not supposed to happen as developers should never have
    hardcoded breakpoints in retail code, but ...
    If this happens, make sure a debugger gets connected, and the
    system is booted /DEBUG.  This will let us see why this breakpoint is
    happening.
    Arguments:
    Arg1: c0000005, The exception code that was not handled
    Arg2: 826c9887, The address that the exception occurred at
    Arg3: 90967924, Trap Frame
    Arg4: 00000000
    
    Debugging Details:
    ------------------
    
    
    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
    
    FAULTING_IP: 
    nt!PopNotifyDevice+67
    826c9887 8b4760          mov     eax,dword ptr [edi+60h]
    
    TRAP_FRAME:  90967924 -- (.trap 0xffffffff90967924)
    ErrCode = 00000000
    eax=00000000 ebx=858e7b4c ecx=858e7b4c edx=00000000 esi=853bf6c8 edi=00000000
    eip=826c9887 esp=90967998 ebp=909679a4 iopl=0         nv up ei pl nz na po nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
    nt!PopNotifyDevice+0x67:
    826c9887 8b4760          mov     eax,dword ptr [edi+60h] ds:0023:00000060=????????
    Resetting default scope
    
    CUSTOMER_CRASH_COUNT:  3
    
    DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
    
    BUGCHECK_STR:  0x8E
    
    PROCESS_NAME:  wininit.exe
    
    CURRENT_IRQL:  0
    
    LAST_CONTROL_TRANSFER:  from 826c969a to 826c9887
    
    STACK_TEXT:  
    909679a4 826c969a 858e7b4c 00000001 00000000 nt!PopNotifyDevice+0x67
    90967a14 826c935c 0000001e 00000004 824fc82c nt!PopSleepDeviceList+0xeb
    90967a6c 826c809c 9096c0d0 90967ba4 90967c28 nt!PopSetDevicesSystemState+0x253
    90967b90 8248caea 00000006 00000000 00000004 nt!NtSetSystemPowerState+0x3ca
    90967b90 8247f609 00000006 00000000 00000004 nt!KiFastCallEntry+0x12a
    90967c14 826c7d88 00000006 00000004 c0000004 nt!ZwSetSystemPowerState+0x11
    90967d44 8267a147 00000006 00000004 c0000004 nt!NtSetSystemPowerState+0xc0
    90967d58 8248caea 00000002 0015f77c 77e00f34 nt!NtShutdownSystem+0x32
    90967d58 77e00f34 00000002 0015f77c 77e00f34 nt!KiFastCallEntry+0x12a
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    0015f77c 00000000 00000000 00000000 00000000 0x77e00f34
    
    
    STACK_COMMAND:  kb
    
    FOLLOWUP_IP: 
    nt!PopNotifyDevice+67
    826c9887 8b4760          mov     eax,dword ptr [edi+60h]
    
    SYMBOL_STACK_INDEX:  0
    
    SYMBOL_NAME:  nt!PopNotifyDevice+67
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: nt
    
    IMAGE_NAME:  ntkrpamp.exe
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  4a7965f4
    
    FAILURE_BUCKET_ID:  0x8E_nt!PopNotifyDevice+67
    
    BUCKET_ID:  0x8E_nt!PopNotifyDevice+67
    
    Followup: MachineOwner
    ---------
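
The trap frame in the dump above can be checked by hand: the faulting instruction reads `[edi+60h]` while `edi` is zero. As an added example (not part of the original posts), this Python sketch recomputes that address from the register dump and compares it with the one the debugger printed; the function name `triage` and the 64 KB threshold are assumptions made for the example.

```python
import re

# Constructed sample: lines copied from the !analyze -v output quoted in this thread.
SAMPLE = """\
Arg1: c0000005, The exception code that was not handled
TRAP_FRAME:  90967924 -- (.trap 0xffffffff90967924)
eax=00000000 ebx=858e7b4c ecx=858e7b4c edx=00000000 esi=853bf6c8 edi=00000000
eip=826c9887 esp=90967998 ebp=909679a4 iopl=0         nv up ei pl nz na po nc
nt!PopNotifyDevice+0x67:
826c9887 8b4760          mov     eax,dword ptr [edi+60h] ds:0023:00000060=????????
"""

REG_RE = re.compile(r"\b(e[a-z]{2})=([0-9a-f]{8})\b")           # eax=00000000 ...
MEM_RE = re.compile(r"\[(e[a-z]{2})(?:([+-])([0-9a-f]+)h)?\]")  # [edi+60h]; base+disp only
SEG_RE = re.compile(r"\b[a-z]s:[0-9a-f]{4}:([0-9a-f]{8})=")     # ds:0023:00000060=
ACCESS_VIOLATION = 0xC0000005
LOW_ADDRESS_LIMIT = 0x10000  # heuristic for this example: below 64 KB counts as NULL+offset


def triage(text):
    """Recompute the faulting address from the trap-frame registers and classify it."""
    regs = {name: int(value, 16) for name, value in REG_RE.findall(text)}
    arg1 = re.search(r"Arg1:\s*([0-9a-f]{8})", text)
    result = {"exception": int(arg1.group(1), 16) if arg1 else None,
              "base": None, "address": None, "reported": None, "null_deref": False}
    for line in text.splitlines():
        mem = MEM_RE.search(line)
        if not mem or mem.group(1) not in regs:
            continue
        base, sign, disp = mem.groups()
        offset = int(disp, 16) if disp else 0
        if sign == "-":
            offset = -offset
        result["base"] = base
        result["address"] = (regs[base] + offset) & 0xFFFFFFFF
        seg = SEG_RE.search(line)  # the debugger's own effective address, if printed
        if seg:
            result["reported"] = int(seg.group(1), 16)
        result["null_deref"] = (result["exception"] == ACCESS_VIOLATION
                                and result["address"] < LOW_ADDRESS_LIMIT)
        break
    return result


if __name__ == "__main__":
    r = triage(SAMPLE)
    print(f"exception {r['exception']:#010x}, read via {r['base']} at {r['address']:#010x}, "
          f"null dereference: {r['null_deref']}")
```

For this dump the computed address and the debugger's `ds:0023:00000060` agree, so the access violation is a read at offset 0x60 from a null pointer inside `nt!PopNotifyDevice`.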
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I have posted to the OP to do a system look for those files, though they may be related to Kaspersky.
     
  6. satrow

    satrow Major Geek Extraordinaire

    Thanks Tim; the files were in all 3 dumps and I couldn't find any previous references to those file names - they may be part of the normal save profile/shutdown routine for all I know, the OP was only sure that 2 of the dumps occurred during shutdown, the oldest may have been from a crash while he was working.
     
  7. boatdrinks

    boatdrinks Private E-2

    chaslang replied to the malware thread with the following;

    "As I suggested in a private forum to Tim, these are just .SYS files from running Kaspersky's Virus Removal Tool at some point in the past. They are not problems."

    Please let me know if there is anything I can do. I can easily enough recreate the BSODs as it happens every reboot. To be honest, it's more of an annoyance than anything else. The inability to perform Windows updates and the occasional blue screen while not rebooting is more of a pressing concern but I figured this BSOD was a bit easier to troubleshoot and predict and may lead to resolution of the other issues.
     
  8. satrow

    satrow Major Geek Extraordinaire

    Ok, then it's back to basics:
    Run chkdsk (Start > Run > chkdsk C: /R > Enter) on your System drive then run SFC /scannow to fix file system errors and then check for and reinstall any Windows protected files that are missing/broken. Make sure all your drivers are updated, especially any networking drivers.

    Test for some kind of profile corruption by creating a new user and test from that.
     
  9. satrow

    satrow Major Geek Extraordinaire

    Ignore the last post, I see your Malware thread has seen some recent activity.
     
