the infamous BSOD

Discussion in 'Software' started by shyviolet, Jun 11, 2011.

  1. shyviolet

    shyviolet Private E-2

    TimW helped me through some browser redirection issues in the Malware forum. In the process I got a BSOD, not sure if it's related in anyway to removing the malware. TimW suggested I come here for help on resolving the BSOD. I have very little info because my computer restarted itself before I was able to read through and comprehend the entire screen. I'm running Windows XP. Any help would be greatly appreciated, thanks in advance.
     
  2. Caliban

    Caliban I don't need no steenkin' title!

    Greetings, shyviolet.

    There are MG members that may be able to help you decipher those BSODs, but first you'll have to do some preliminaries:

    1. Follow the steps listed here.

    2. After your next crash, navigate to the C: > Windows > Minidumps folder, copy those files to the Desktop, zip and upload them as an attachment.

    3. Also, if possible, please download and run EVEREST, a free system information tool.

    When the scan completes, click 'Report', 'Quick Report', 'Plain Text'. Click 'File', 'Save As...', name the report, and save to an easily found location, such as your Desktop.

    Then attach that file to your next post.
     
  3. shyviolet

    shyviolet Private E-2

    1. done
    2. still waiting for another crash
    3. attached
     

  4. satrow

    satrow Major Geek Extraordinaire

    Do you have any old minidumps you could upload?
     
  5. shyviolet

    shyviolet Private E-2

    There was only one file in the folder, it is attached.
     

  6. satrow

    satrow Major Geek Extraordinaire

    Code:
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
    This is a very common bugcheck.  Usually the exception address pinpoints
    the driver/function that caused the problem.  Always note this address
    as well as the link date of the driver/image that contains this address.
    Some common problems are exception code 0x80000003.  This means a hard
    coded breakpoint or assertion was hit, but this system was booted
    /NODEBUG.  This is not supposed to happen as developers should never have
    hardcoded breakpoints in retail code, but ...
    If this happens, make sure a debugger gets connected, and the
    system is booted /DEBUG.  This will let us see why this breakpoint is
    happening.
    Arguments:
    Arg1: c0000005, The exception code that was not handled
    Arg2: 806f0134, The address that the exception occurred at
    Arg3: f7b35c28, Exception Record Address
    Arg4: f7b35924, Context Record Address
    
    Debugging Details:
    ------------------
    
    
    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
    
    FAULTING_IP: 
    hal!ExAcquireFastMutex+c
    806f0134 ff09            dec     dword ptr [ecx]
    
    EXCEPTION_RECORD:  f7b35c28 -- (.exr 0xfffffffff7b35c28)
    ExceptionAddress: 806f0134 (hal!ExAcquireFastMutex+0x0000000c)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 00000001
       Parameter[1]: 0065006d
    Attempt to write to address 0065006d
    
    CONTEXT:  f7b35924 -- (.cxr 0xfffffffff7b35924)
    eax=00000001 ebx=8697758c ecx=0065006d edx=00000002 esi=e1b16230 edi=85d8f028
    eip=806f0134 esp=f7b35cf0 ebp=f7b35d00 iopl=0         nv up ei ng nz ac pe cy
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010297
    hal!ExAcquireFastMutex+0xc:
    806f0134 ff09            dec     dword ptr [ecx]      ds:0023:0065006d=????????
    Resetting default scope
    
    CUSTOMER_CRASH_COUNT:  1
    
    PROCESS_NAME:  System
    
    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
    
    EXCEPTION_PARAMETER1:  00000001
    
    EXCEPTION_PARAMETER2:  0065006d
    
    WRITE_ADDRESS:  0065006d 
    
    FOLLOWUP_IP: 
    nt!FsRtlRemovePerStreamContext+1e
    805161e6 8b5510          mov     edx,dword ptr [ebp+10h]
    
    BUGCHECK_STR:  0x7E
    
    DEFAULT_BUCKET_ID:  STRING_DEREFERENCE
    
    LAST_CONTROL_TRANSFER:  from 805161e6 to 806f0134
    
    STACK_TEXT:  
    f7b35cec 805161e6 85d8f028 8697758c 85d8f020 hal!ExAcquireFastMutex+0xc
    f7b35d00 f75ceb6c e1b16230 86977330 e1b16230 nt!FsRtlRemovePerStreamContext+0x1e
    f7b35d2c f75d00ba 86977330 86a8dec8 85ac3d38 fltmgr!FltpDeleteAllStreamListCtrls+0x62
    f7b35d48 f75c28f7 869773b4 00000008 86a8dec8 fltmgr!FltpFreeVolume+0xa4
    f7b35d60 f75c664e 85ac3d38 00000008 8056237c fltmgr!FltpCleanupDeviceObject+0x61
    f7b35d74 804e427b 86a8dec8 00000000 86fc1020 fltmgr!FltpFastIoDetachDeviceWorker+0x14
    f7b35dac 80579453 86a8dec8 00000000 00000000 nt!ExpWorkerThread+0x100
    f7b35ddc 804f88fa 804e41a6 00000001 00000000 nt!PspSystemThreadStartup+0x34
    00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
    
    
    SYMBOL_STACK_INDEX:  1
    
    SYMBOL_NAME:  nt!FsRtlRemovePerStreamContext+1e
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: nt
    
    IMAGE_NAME:  ntoskrnl.exe
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  4d00dbda
    
    STACK_COMMAND:  .cxr 0xfffffffff7b35924 ; kb
    
    FAILURE_BUCKET_ID:  0x7E_nt!FsRtlRemovePerStreamContext+1e
    
    BUCKET_ID:  0x7E_nt!FsRtlRemovePerStreamContext+1e
    
    Followup: MachineOwner
    ---------
    
    Sorry, there's nothing definitive that I can tell from debugging the dump. It's a very common BSOD, the same as:
    So, what can we rule out from that list?
    Insufficient disk space, your previous logs state that you have 73.85 GB free space.
    Hardware incompatibility, it's a laptop that's been working for what - 5 years.
    Possibles:
    Memory - not very likely, it would probably crash frequently with several different BSODs.
    Faulty system service, this would probably crash with a noticeable pattern of events, often during boot or within a few minutes of starting up.
    Video card (but I'd expect other signs too).

    So, let's see what the drivers have to offer. Given that the laptop has presumably worked well for years, I'd not expect the installed drivers to be a problem - unless a recent Windows Update (or malware/file corruption) has had an effect.
    mefiulgw.sys 12/21/2007 04:56:59
    MpKsl721bb48c.sys 3/31/2010 03:06:14
    The above drivers are listed yet I find no trace of either of them in a Google search! I suspect the latter file is just a randomly named anti-malware file (part of MSE) but the mefiulgw.sys is very suspicious, can you find and upload it to virustotal.com for analysis please? Report back with a link to the results page.
     
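    Added example, not from the thread or any of its posters: a small Python helper that pulls the fields a triager keys on out of `!analyze -v` output like the dump above (bugcheck, arguments, write address, stack modules) and checks whether the faulting address decodes as UTF-16 text, which is what the STRING_DEREFERENCE bucket is hinting at. The excerpt is constructed from the lines quoted in the post.

```python
import re

# Constructed excerpt of the !analyze -v output quoted above (not a full dump)
SAMPLE = """\
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 806f0134, The address that the exception occurred at
Arg3: f7b35c28, Exception Record Address
Arg4: f7b35924, Context Record Address
WRITE_ADDRESS:  0065006d
DEFAULT_BUCKET_ID:  STRING_DEREFERENCE
STACK_TEXT:
f7b35cec 805161e6 85d8f028 8697758c 85d8f020 hal!ExAcquireFastMutex+0xc
f7b35d00 f75ceb6c e1b16230 86977330 e1b16230 nt!FsRtlRemovePerStreamContext+0x1e
f7b35d2c f75d00ba 86977330 86a8dec8 85ac3d38 fltmgr!FltpDeleteAllStreamListCtrls+0x62
f7b35d48 f75c28f7 869773b4 00000008 86a8dec8 fltmgr!FltpFreeVolume+0xa4

SYMBOL_NAME:  nt!FsRtlRemovePerStreamContext+1e
"""

def parse_analysis(text):
    """Extract the triage fields from WinDbg !analyze -v text."""
    info = {}
    m = re.search(r"^(\w+) \(([0-9a-f]+)\)$", text, re.M)
    info["bugcheck_name"], info["bugcheck_code"] = m.group(1), int(m.group(2), 16)
    # 0x1000007E is the _M variant of 0x7E; the low word is the base bugcheck (BUGCHECK_STR)
    info["base_code"] = info["bugcheck_code"] & 0xFFFF
    info["args"] = [int(a, 16) for a in re.findall(r"^Arg\d: ([0-9a-f]+),", text, re.M)]
    wa = re.search(r"^WRITE_ADDRESS:\s+([0-9a-f]+)", text, re.M)
    info["write_address"] = int(wa.group(1), 16) if wa else None
    # STACK_TEXT frames: ChildEBP RetAddr Args-to-child(3) module!symbol+offset
    frames = re.findall(r"^(?:[0-9a-f]{8} ){5}(\S+)$", text, re.M)
    info["stack"] = frames
    info["modules"] = sorted({f.split("!")[0] for f in frames})
    return info

def looks_like_utf16_text(addr):
    """If both 16-bit halves of a 32-bit 'pointer' are printable ASCII, the value is
    most likely two UTF-16LE characters of a string that was used as a pointer."""
    lo, hi = addr & 0xFFFF, addr >> 16
    if all(0x20 <= c < 0x7F for c in (lo, hi)):
        return chr(lo) + chr(hi)   # for 0x0065006d this is "me"
    return None

if __name__ == "__main__":
    info = parse_analysis(SAMPLE)
    print(hex(info["base_code"]), info["modules"], looks_like_utf16_text(info["write_address"]))
```

The module list tells you which images sat on the faulting path (here only hal, nt and fltmgr, no third-party driver), which is why the dump alone cannot name a culprit.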
  7. thisisu

    thisisu Malware Consultant

    I'm going to agree with satrow. The 0x7E blue screen in my experience has been mostly caused by an infected driver. Atapi.sys infections used to be rampant last year and would always produce 0x7E.

    The mefiulgw.sys driver or MpKsl721bb48c.sys driver that satrow found could very well be the problem.
     
  8. shyviolet

    shyviolet Private E-2

    I'm having trouble finding the files using windows search, any idea where they could be located?
     
  9. satrow

    satrow Major Geek Extraordinaire

    Unfortunately, I couldn't see any location details for mefiulgw.sys, make sure that Search is set to look in hidden files and folders, also in Windows folders, or whatever the options are.
     
  10. satrow

    satrow Major Geek Extraordinaire

    SystemLook

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      mefiulgw*
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  11. shyviolet

    shyviolet Private E-2

    log attached
     

  12. satrow

    satrow Major Geek Extraordinaire

    Hmm, no files found, that makes it interesting?!

    I'd like you to download Driverview next please, unzip it to a convenient folder then run it. Highlight the first entry in the results pane and then Ctrl+A to select all, then Ctrl+S to save the file, choose the Desktop to save it to. Please attach the resulting txt file.
     
  13. shyviolet

    shyviolet Private E-2

    Attached Driverview file.
     

  14. satrow

    satrow Major Geek Extraordinaire

    Thanks, while I work my way through the log, could you do the following:

    I want you to run TDSSKiller so refer to the below for how to do so.

    TDSSkiller - How to run

    Attach the log please.
     
  15. shyviolet

    shyviolet Private E-2

    TDSSKiller log
     

  16. satrow

    satrow Major Geek Extraordinaire

    Ok, both logs come up with no sign of an odd, randomly named driver being loaded now. I'm at a loss to explain it, I could hazard a guess or two but I have only the dump data, which may not be 100% accurate, to work from.

    No BSODs since? Any other oddities that have occurred since the BSOD that may be related?

    The MpKsl721bb48c.sys was part of the MSE software, today it's called MpKsl5468e5cc.sys.
     
  17. shyviolet

    shyviolet Private E-2

    Nothing funky since the BSOD, everything seems to be running fine.
     
  18. satrow

    satrow Major Geek Extraordinaire

    Hmm, on balance, I think that mefiulgw.sys may have been a temporary driver loaded by one of your CD burning packages because the main driver detected that the CD wasn't 'closed', or something along those lines; I've not pursued that avenue because I've only just thought of it ;)

    My best guess is that you're ok to continue as usual :) You did complete the clean up steps outlined in the final post by TimW over in the malware forum, yes?
     
  19. shyviolet

    shyviolet Private E-2

    I completed the steps through 8. I didn't go on because I didn't want to mess around with setting a system restore point if my computer was still messed up. I wanted to get some advice on the BSOD first. If everything seems good to go I will finish up tomorrow.
     
  20. satrow

    satrow Major Geek Extraordinaire

    I think the machine's good to go, I had a little think again re. the CD burning software, I'd probably put the RAM part of it into the frame alongside a possible bad block on the CD.

    If you had the time or inclination, there may be some additional evidence around the time of the BSOD (Thu Jun 9 04:04:13.287 2011 (UTC + 1:00)) in the System or Application logs, look for Errors and Warnings.
     
  21. shyviolet

    shyviolet Private E-2

    If you think it's worth looking into, I can but I don't feel the need to get to the bottom of it if there is nothing that can be done about it. I haven't had any suspicious activity since the crash.
     
  22. satrow

    satrow Major Geek Extraordinaire

    If you're experiencing no oddities or problems, then your PC is most probably clean and bug-free. However, if you have any doubts, we can go through the logs or you could revisit the Malware forum and run through the diagnostics again.
     
  23. shyviolet

    shyviolet Private E-2

    Guys in Malware told me everything looked clean, so maybe the BS was a one time deal. I'm gonna go with that for now. If anything crazy happens, I'll be back :) Thank you so much for all your help!
     
  24. satrow

    satrow Major Geek Extraordinaire

    No worries ;) stay safe!
     