Win7(32) BSOD unbootable


  1. Posts : 6
    Windows 7 Enterprise
       #1

    Win7(32) BSOD unbootable


    Hi there everyone. I'm really hoping for some help here – I am optimistic given some of the similar cases I’ve seen here. I posted a similar thread in another forum but they seem better at the malware side of things; I am hoping that the real BSOD gurus are here. ;-)

    The Goal:
    • I am desperately trying to avoid all of the pain and agony of a total system wipe and re-install of all my applications, preferences, and files.
    • I am hopeful that if I can just get the currently unbootable system to boot, I'll be able to get help in removing the malware infection (and learn something).
    The System:
    A Dell Latitude E6400 running Windows 7 Ent Edition 32 bit OS, 4GB of matched RAM, 256GB Samsung SSD.

    Current state:
    BSOD on boot, every time. Can't restore to a previous restore point; they somehow are gone; attempts to do a repair with the install DVD fail (details below).

    Important: I have a raw copy of the entire drive (all of its partitions) that I took to a spare drive, so if we want to try anything daring, we can, and I can roll back to that state.

    How it started, Background
    Late last week I managed to get a malware infection that hijacked my DNS config, along with my Google search results, regardless of which browser I used (IE, FF, Chrome). Who knows what else is in the package of evil… regardless, whatever I got snuck past SEP 11 to begin with. Following the infection I used MalwareBytes, SpyBot S&D, and SEP 11 to try and remove it. I have been unable to permanently remove the infection thus far, and matters are worse now.

    There was a point on Thursday where the machine wouldn't boot - endless blue screens - but I was able to restore to a previous recovery point and get it to boot again. Shortly thereafter, the machine got to a state where it is never bootable anymore. This is no longer possible; when I boot from the Win7 Ent install CD and try and repair the installation, I get the following error:
    StartRep.exe – Application Error
    The instruction at 0x74818f18 referenced memory at 0x00000004. The memory could not be read.
    What I’ve tried so far:
    • As mentioned before, I used MalwareBytes, SpyBot S&D, and SEP 11 before the permanent BSOD issues occurred. I am attaching the logs along with a Hijack This log from those scans/efforts.
    • I have performed chkdsk on the drive and found no errors.
    • Ran MemTest through 4 full passes (5:30 hours so far) with no errors.

    I can get the machine booted using Hiren's BootCD on a USB flash drive, and as a result I can run anything that can be run remotely on the drive/registry/etc. But because the machine isn't booting, I can't run anything that needs to be run inside of the infected OS.

    I am attaching a series of files:
    1) The last minidump I was able to get off of the disk;
    2) A zip file containing MalwareBytes, SEP 11, and a list of startup items on the OS.
    3) Logs from failed boots:
    • bootstat.dat
    • ntbtlog.txt
    • PFRO.log
    I would be incredibly grateful if someone can help me get to the point where I can get this OS to boot again. I am really trying to avoid having to do a system wipe and start that whole process over - I would really rather try and repair what happened if possible. Thanks so much to you all for your help!


  2. Posts : 5,705
    Win7 x64 + x86
       #2

    Please do the following as I can't seem to find the minidump that you uploaded:
    Upload Dump Files:
    Please go to C:\Windows\Minidump and zip up the contents of the folder. Then upload/attach the .zip file with your next post.
    Left click on the first minidump file.
    Hold down the "Shift" key and left click on the last minidump file.
    Right click on the blue highlighted area and select "Send to"
    Select "Compressed (zipped) folder" and note where the folder is saved.
    Upload that .zip file with your next post.

    If you have issues with "Access Denied" errors, try copying the files to your desktop and zipping them up from there. If it still won't let you zip them up, post back for further advice.

    If you don't have anything in that folder, please check in C:\Windows for a file named MEMORY.DMP. If you find it, zip it up and upload it to a free file hosting service . I recommend Windows Live SkyDrive - http://skydrive.live.com or another free, file-hosting service. Then post the link to it in your topic so that we can download it.

    Then, follow the directions here to set your system for Minidumps (much smaller than the MEMORY.DMP file): Set MiniDump
    While you're waiting, please run this free, bootable, hard drive diagnostic: HD Diagnostic (read the details at the link)


  3. Posts : 6
    Windows 7 Enterprise
    Thread Starter
       #3

    Minidumps attached per request


    usasma - thanks for your help! The minidumps are attached. I also have a memory dump file if you like, but it's 80MB compressed. Let me know if you need it.

    I am looking forward to hearing what can be done. Thanks!


  4. Posts : 5,705
    Win7 x64 + x86
       #4

    August 25 BSOD is likely caused by the drivers for your Dell Broadband card: Driver Reference
    Please do the following:
    - visit the Dell support website and download a fresh copy of the drivers for this device.
    - uninstall the current version of the drivers/software for this device from your system
    - install the fresh copy of the drivers/software
    - monitor for further BSODs

    September 23 BSOD is likely caused by your Norton/Symantec product: Driver Reference
    Please do the following:
    Anti-Virus Removal:
    Please do the following:
    - download a free antivirus for testing purposes: Free AntiVirus
    - uninstall the Norton from your system (you can reinstall it, if so desired, when we're done troubleshooting)
    - remove any remnants of Norton using this free tool: KB Article Not Found
    - IMMEDIATELY install and update the free antivirus
    - check to see if this fixes the BSODs
    Please use the following instructions to locate the most currently available drivers to replace the ones that you uninstall OR remove:
    How To Find Drivers:
    - I have listed links to most of the drivers in the code box below. Please use the links there to see what info I've found about those drivers.
    - search Google for the name of the driver
    - compare the Google results with what's installed on your system to figure out which device/program it belongs to
    - visit the web site of the manufacturer of the hardware/program to get the latest drivers (DON'T use Windows Update or the Update driver function of Device Manager).
    - if there are difficulties in locating them, post back with questions and someone will try and help you locate the appropriate program.
    - - The most common drivers are listed on this page: Driver Reference
    - - Driver manufacturer links are on this page: http://www.carrona.org/drvrdown.html

    Here are the older drivers (You can look them up here: Driver Reference ).
    Please pay particular attention to any dated 2008 or earlier:
    Code:
    
    BADRV.sys   Mon Jan 07 13:52:14 2008 (478274DE)
    e1y6032.sys  Mon Aug 18 17:44:37 2008 (48A9ED45)
    RimSerial.sys Mon Nov 24 12:02:13 2008 (492ADE15)
    dne2000.sys  Mon Nov 10 19:59:21 2008 (4918D8E9)
    CdpPacket.sys Thu Dec 04 21:29:23 2008 (49389203)
    BrUsbSer.sys Sat Sep 02 20:53:37 2006 (44FA2791)
    BrSerIf.sys  Sat Sep 02 20:53:38 2006 (44FA2792)
    
    I normally add descriptions and links to my webpage about these drivers, but I'm late for work right now.
    I'll add stuff to it after I get back from work.

    BSOD BUGCHECK SUMMARY
    Code:
    
    Built by: 7600.16539.x86fre.win7_gdr.100226-1909
    Debug session time: Thu Sep 23 15:30:58.947 2010 (UTC - 4:00)
    System Uptime: 0 days 0:00:43.602
    *** WARNING: Unable to verify timestamp for SYMEVENT.SYS
    *** ERROR: Module load completed but symbols could not be loaded for SYMEVENT.SYS
    PROCESS_NAME:  wininit.exe
    BUGCHECK_STR:  0xF4_C0000005
    DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
    Bugcheck code 000000F4
    Arguments 00000003 89aca498 89aca604 83274d90
    ¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨
    Built by: 7600.16539.x86fre.win7_gdr.100226-1909
    Debug session time: Wed Aug 25 09:18:33.269 2010 (UTC - 4:00)
    System Uptime: 5 days 19:35:35.798
    *** WARNING: Unable to verify timestamp for usbhub.sys
    *** ERROR: Module load completed but symbols could not be loaded for usbhub.sys
    *** WARNING: Unable to verify timestamp for qcfilterdl.sys
    *** ERROR: Module load completed but symbols could not be loaded for qcfilterdl.sys
    DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
    BUGCHECK_STR:  0xFE
    PROCESS_NAME:  System
    Bugcheck code 000000FE
    Arguments 00000008 00000004 86bc36bc 00000000
    ¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨
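The two habits this post relies on, reading the `BUGCHECK_STR`/`PROCESS_NAME` fields of a minidump summary and sorting the loaded drivers by link date, are easy to automate. The script below is an added example, not the poster's BSOD tooling or anything from the thread: it parses the `KEY:  value` fields, the `STACK_TEXT` frames, and any line that carries a WinDbg link timestamp (the `lmtn` table or the bare "driver  date (hex)" list above), then reports which non-kernel modules sit on the crash stack and which drivers were linked in the cutoff year or earlier. The sample text is constructed from the Sep 23 summary and driver list in this post plus the stack frames from the full WinDbg output quoted in post #6; the year is taken from the hex epoch in parentheses, which is UTC and locale-independent, rather than from the local-time text.

```python
"""Triage helpers for a WinDbg minidump summary (added example, not the
thread's own tooling). Parses `!analyze -v` fields, STACK_TEXT frames and any
module line with a link timestamp, from the `lmtn` table or from a bare
"driver   date (hex)" list, and reports non-kernel modules on the crash stack
plus loaded drivers linked in the cutoff year or earlier.
"""
import re
from datetime import datetime, timezone

# Constructed sample: the Sep 23 summary and driver list from this post, plus
# the STACK_TEXT frames from the full WinDbg output quoted later in the thread.
SAMPLE_DUMP = """\
Built by: 7600.16539.x86fre.win7_gdr.100226-1909
*** WARNING: Unable to verify timestamp for SYMEVENT.SYS
PROCESS_NAME:  wininit.exe
BUGCHECK_STR:  0xF4_C0000005
DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
STACK_TEXT:  
807a1724 833280d3 000000f4 00000003 89aca498 nt!KeBugCheckEx+0x1e
807a1748 832abe84 83274d90 89aca604 89aca708 nt!PspCatchCriticalBreak+0x71
807a1778 832add1f 89aca498 89aca030 c0000005 nt!PspTerminateAllThreads+0x2d
807a17ac 92799449 ffffffff c0000005 87399840 nt!NtTerminateProcess+0x1a2
WARNING: Stack unwind information not available. Following frames may be wrong.
807a1830 8308f44a ffffffff c0000005 807a1cc4 SYMEVENT+0x14449
807a1830 00000000 ffffffff c0000005 807a1cc4 nt!KiFastCallEntry+0x12a
00000030 00000000 00000000 00000000 00000000 0x0

PBADRV.sys   Mon Jan 07 13:52:14 2008 (478274DE)
e1y6032.sys  Mon Aug 18 17:44:37 2008 (48A9ED45)
RimSerial.sys Mon Nov 24 12:02:13 2008 (492ADE15)
dne2000.sys  Mon Nov 10 19:59:21 2008 (4918D8E9)
92785000 927aa000   SYMEVENT SYMEVENT.SYS Wed Jun 24 16:14:58 2009 (4A428942)
8304c000 8345c000   nt       ntkrpamp.exe Sat Feb 27 02:33:35 2010 (4B88CACF)
"""

FIELD_RE = re.compile(r"^([A-Z_]+):\s+(\S.*)$")
# child-EBP, return address, three args, then the symbol (module!func+off)
FRAME_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) (?:[0-9a-f]{8} ){3}(\S+)")
# image name, textual link time (debugger local time), hex link epoch (UTC)
TIMESTAMP_RE = re.compile(
    r"(\S+)\s+(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) \(([0-9A-Fa-f]{8})\)")


def parse_fields(dump_text):
    """`KEY:  value` lines that precede STACK_TEXT (BUGCHECK_STR etc.)."""
    fields = {}
    for line in dump_text.splitlines():
        if line.startswith("STACK_TEXT:"):
            break
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def stack_modules(dump_text):
    """[(module, reliable)] per STACK_TEXT frame, in order. Frames after the
    'Stack unwind information not available' warning are marked unreliable:
    without unwind data the debugger guesses, so a module there is a lead,
    not proof."""
    frames, in_stack, reliable = [], False, True
    for line in dump_text.splitlines():
        if line.startswith("STACK_TEXT:"):
            in_stack = True
            continue
        if not in_stack:
            continue
        if not line.strip():
            break
        if line.startswith("WARNING:"):
            reliable = False
            continue
        m = FRAME_RE.match(line)
        if not m or m.group(3).startswith("0x"):
            continue  # skip non-frames and the bare 0x0 address at the bottom
        frames.append((re.split(r"[!+]", m.group(3), maxsplit=1)[0], reliable))
    return frames


def third_party_on_stack(dump_text, kernel_modules=("nt", "hal")):
    """Distinct non-kernel modules on the crash stack, first seen first."""
    seen = []
    for module, _reliable in stack_modules(dump_text):
        if module not in kernel_modules and module not in seen:
            seen.append(module)
    return seen


def loaded_modules(dump_text):
    """Every line carrying a link timestamp, with the UTC time decoded from
    the hex epoch so the year comparison does not depend on the debugger's
    time zone."""
    mods = []
    for line in dump_text.splitlines():
        m = TIMESTAMP_RE.search(line)
        if m:
            image, date_text, epoch_hex = m.groups()
            linked = datetime.fromtimestamp(int(epoch_hex, 16), tz=timezone.utc)
            mods.append({"image": image, "linked": linked, "date_text": date_text})
    return mods


def old_drivers(dump_text, cutoff_year=2008):
    """Images linked in cutoff_year or earlier (the post's rule of thumb)."""
    return [m["image"] for m in loaded_modules(dump_text) if m["linked"].year <= cutoff_year]


def triage(dump_text, cutoff_year=2008):
    fields = parse_fields(dump_text)
    return {"bugcheck": fields.get("BUGCHECK_STR"), "process": fields.get("PROCESS_NAME"),
            "stack_suspects": third_party_on_stack(dump_text),
            "old_drivers": old_drivers(dump_text, cutoff_year)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMP).items():
        print(f"{key:15} {value}")
```

Run against a real `!analyze -v` log the output is the same shape: the bugcheck string, the crashing process, the non-kernel modules in the stack (here only SYMEVENT, and flagged unreliable because it sits below the unwind warning), and the drivers old enough to deserve a fresh download from the vendor.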


  5. Posts : 6
    Windows 7 Enterprise
    Thread Starter
       #5

    usasma - thanks for your help so far. One important reminder for you:
    Current state:
    BSOD on boot, every time. Can't restore to a previous restore point; they somehow are gone; attempts to do a repair with the install DVD fail (details below).
    Quick note re: 8/25/10 minidump: You can ignore the August 25th BSOD - I don't believe that is relevant to my problem at hand. I had some trouble with my broadband card a little while back but that was solved. I almost left it out of the post but wanted to follow instructions "all the way"... anyway, I think we can ignore anything in that one for the time being.

    Question #1: how does one uninstall a program from "outside" the working OS?
    I can't run a standard uninstaller because I am not working in that OS (remember, it doesn't boot at all.) Whatever I do has to be from another boot mechanism. I have plenty available to me; I can be in Windows 7, Hiren's Boot CD, or something else if you prefer.

    Question #2: Is there some other boot logging mechanism I can enable for you so that you can see which particular item is causing the BSOD on boot?
    As I understand it, minidumps are only created when Windows has already booted "all the way"; that's why there are no more recent minidumps than 9/23. If you are only looking at the minidumps, my concern is that you are not troubleshooting the current problem. Remember, this machine doesn't boot at all. Is there some other boot logging mechanism I can enable for you so that you can see which particular item is causing the BSOD on boot? I will gladly do so.

    Quick note on Symantec drivers:
    You are not the first person to point out the Symantec driver item; I have actually renamed the following files already in hopes of disabling/resolving/eliminating them as root cause:
    05/15/2010 12:12 PM 7,456 SYMEVENT.CAT_disabled
    05/15/2010 12:12 PM 806 SYMEVENT.INF_disabled
    05/15/2010 12:12 PM 124,976 SYMEVENT.SYS_disabled
    This didn't do a thing to change the state of my machine.

    Any more digging would be greatly appreciated.


  6. Posts : 5,705
    Win7 x64 + x86
       #6

    Please bear with me. I've got some serious eye problems, and I tend to miss some things in the longer posts.

    I guess that the biggest question is "Are you able to mount the registry hives from the disk and edit the registry that way?"

    I would also suggest a trial of this program to determine what else Norton/Symantec does to your system: Uninstall program | Uninstaller software, alternative to Windows Add Remove Programs (by installing it on another system and then reading the logs that it produces). I last used this program with XP (and it was great then!), but haven't used it since - so use it at your own risk! With that info you may find that there are many more drivers installed by Norton/Symantec and you can disable them also. FWIW - this also answers Question #1 - you can uninstall stuff outside of the OS, but it's a real PITA!

    The entries for Norton/Symantec will still be in the Registry - but in most cases Windows is robust enough to continue functioning without the files that the registry refers to (the ones that you've renamed).

    In addition to the Norton/Symantec stuff, if you're able to edit the registry, then you'll be able to get at the keys that load services and drivers during the boot - and will then be able to disable them in order to see what's going on. BTW - the ntbtlog.zip that you uploaded doesn't seem to have anything in it.

    This is probably going to take more time to fix than a wipe and reinstall would take - but I understand the pain of that (having just gone through it myself). But also understand that once you're able to get into Windows, then you're going to have to deal with the rest of the remnants of the malware infection. It's your call on which way to go - and we'll continue to help however you decide.

    Question #2
    - There's not much else that can be done by us (the registry editing will enable us to see what's loading). Windows performance tools will allow us to analyze the boot - but we've gotta get into Windows in order to install the tools and to read the results.

    As for what we're doing here, the next step would (presuming that you can edit the registry) be to determine what's loading at boot and then disabling these things in groups of 5 - 10 until we find what's crashing. Then we remove that and see if it fixes things.

    Once in Windows we'll have to do our best to repair Windows, and then we'll have to send you over to the malware forums. There they'll finish up removing the bits and pieces of malware so that they can return you to the OS guys (this forum) to ensure that everything is functioning properly.

    Finally, this involves steps that I have knowledge of, but have no detailed experience with. So we're treading on uncertain ground here and have no idea when (or if) we'll be successful.

    Code:
    Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.
    
    
    Loading Dump File [C:\Users\FUBAR\_jcgriff2_\dbug\__Kernel__\092310-37019-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available
    
    Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is: 
    Windows 7 Kernel Version 7600 MP (2 procs) Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 7600.16539.x86fre.win7_gdr.100226-1909
    Machine Name:
    Kernel base = 0x8304c000 PsLoadedModuleList = 0x83194810
    Debug session time: Thu Sep 23 15:30:58.947 2010 (UTC - 4:00)
    System Uptime: 0 days 0:00:43.602
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    ............................................
    Loading User Symbols
    Loading unloaded module list
    .......
    0: kd> !analyze -v;r;kv;lmtn;lmtsmn;.bugcheck;.logclose;q
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    CRITICAL_OBJECT_TERMINATION (f4)
    A process or thread crucial to system operation has unexpectedly exited or been
    terminated.
    Several processes and threads are necessary for the operation of the
    system; when they are terminated (for any reason), the system can no
    longer function.
    Arguments:
    Arg1: 00000003, Process
    Arg2: 89aca498, Terminating object
    Arg3: 89aca604, Process image file name
    Arg4: 83274d90, Explanatory message (ascii)
    
    Debugging Details:
    ------------------
    
    *** WARNING: Unable to verify timestamp for SYMEVENT.SYS
    *** ERROR: Module load completed but symbols could not be loaded for SYMEVENT.SYS
    
    PROCESS_OBJECT: 89aca498
    
    IMAGE_NAME:  wininit.exe
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  0
    
    MODULE_NAME: wininit
    
    FAULTING_MODULE: 00000000 
    
    PROCESS_NAME:  wininit.exe
    
    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
    
    BUGCHECK_STR:  0xF4_C0000005
    
    CUSTOMER_CRASH_COUNT:  1
    
    DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
    
    CURRENT_IRQL:  0
    
    STACK_TEXT:  
    807a1724 833280d3 000000f4 00000003 89aca498 nt!KeBugCheckEx+0x1e
    807a1748 832abe84 83274d90 89aca604 89aca708 nt!PspCatchCriticalBreak+0x71
    807a1778 832add1f 89aca498 89aca030 c0000005 nt!PspTerminateAllThreads+0x2d
    807a17ac 92799449 ffffffff c0000005 87399840 nt!NtTerminateProcess+0x1a2
    WARNING: Stack unwind information not available. Following frames may be wrong.
    807a1830 8308f44a ffffffff c0000005 807a1cc4 SYMEVENT+0x14449
    807a1830 00000000 ffffffff c0000005 807a1cc4 nt!KiFastCallEntry+0x12a
    00000030 00000000 00000000 00000000 00000000 0x0
    
    
    STACK_COMMAND:  kb
    
    FOLLOWUP_NAME:  MachineOwner
    
    FAILURE_BUCKET_ID:  0xF4_C0000005_IMAGE_wininit.exe
    
    BUCKET_ID:  0xF4_C0000005_IMAGE_wininit.exe
    
    Followup: MachineOwner
    ---------
    
    eax=8318317c ebx=89aca400 ecx=00000000 edx=00000000 esi=83175d20 edi=00000000
    eip=83128d10 esp=807a1708 ebp=807a1724 iopl=0         nv up ei pl nz na po nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202
    nt!KeBugCheckEx+0x1e:
    83128d10 cc              int     3
    ChildEBP RetAddr  Args to Child              
    807a1724 833280d3 000000f4 00000003 89aca498 nt!KeBugCheckEx+0x1e
    807a1748 832abe84 83274d90 89aca604 89aca708 nt!PspCatchCriticalBreak+0x71
    807a1778 832add1f 89aca498 89aca030 c0000005 nt!PspTerminateAllThreads+0x2d
    807a17ac 92799449 ffffffff c0000005 87399840 nt!NtTerminateProcess+0x1a2
    WARNING: Stack unwind information not available. Following frames may be wrong.
    807a1830 8308f44a ffffffff c0000005 807a1cc4 SYMEVENT+0x14449
    807a1830 00000000 ffffffff c0000005 807a1cc4 nt!KiFastCallEntry+0x12a (FPO: [0,3] TrapFrame @ 807a1830)
    00000030 00000000 00000000 00000000 00000000 0x0
    start    end        module name
    80bb7000 80bbf000   kdcom    kdcom.dll    Mon Jul 13 21:08:58 2009 (4A5BDAAA)
    83015000 8304c000   hal      halmacpi.dll Mon Jul 13 19:11:03 2009 (4A5BBF07)
    8304c000 8345c000   nt       ntkrpamp.exe Sat Feb 27 02:33:35 2010 (4B88CACF)
    83618000 83690000   mcupdate_GenuineIntel mcupdate_GenuineIntel.dll Mon Jul 13 21:06:41 2009 (4A5BDA21)
    83690000 836a1000   PSHED    PSHED.dll    Mon Jul 13 21:09:36 2009 (4A5BDAD0)
    836a1000 836a9000   BOOTVID  BOOTVID.dll  Mon Jul 13 21:04:34 2009 (4A5BD9A2)
    836a9000 836eb000   CLFS     CLFS.SYS     Mon Jul 13 19:11:10 2009 (4A5BBF0E)
    836eb000 83796000   CI       CI.dll       Mon Jul 13 21:09:28 2009 (4A5BDAC8)
    83796000 837b9000   ataport  ataport.SYS  Mon Jul 13 19:11:18 2009 (4A5BBF16)
    837b9000 837ed000   fltmgr   fltmgr.sys   Mon Jul 13 19:11:13 2009 (4A5BBF11)
    83c00000 83c11000   fileinfo fileinfo.sys Mon Jul 13 19:21:51 2009 (4A5BC18F)
    83c21000 83c92000   Wdf01000 Wdf01000.sys Mon Jul 13 19:11:36 2009 (4A5BBF28)
    83c92000 83ca0000   WDFLDR   WDFLDR.SYS   Mon Jul 13 19:11:25 2009 (4A5BBF1D)
    83ca0000 83ce8000   ACPI     ACPI.sys     Mon Jul 13 19:11:11 2009 (4A5BBF0F)
    83ce8000 83cf1000   WMILIB   WMILIB.SYS   Mon Jul 13 19:11:22 2009 (4A5BBF1A)
    83cf1000 83cf9000   msisadrv msisadrv.sys Mon Jul 13 19:11:09 2009 (4A5BBF0D)
    83cf9000 83d23000   pci      pci.sys      Mon Jul 13 19:11:16 2009 (4A5BBF14)
    83d23000 83d2e000   vdrvroot vdrvroot.sys Mon Jul 13 19:46:19 2009 (4A5BC74B)
    83d2e000 83d3f000   partmgr  partmgr.sys  Mon Jul 13 19:11:35 2009 (4A5BBF27)
    83d3f000 83d47000   compbatt compbatt.sys Mon Jul 13 19:19:18 2009 (4A5BC0F6)
    83d47000 83d52000   BATTC    BATTC.SYS    Mon Jul 13 19:19:15 2009 (4A5BC0F3)
    83d52000 83d62000   volmgr   volmgr.sys   Mon Jul 13 19:11:25 2009 (4A5BBF1D)
    83d62000 83dad000   volmgrx  volmgrx.sys  Mon Jul 13 19:11:41 2009 (4A5BBF2D)
    83dad000 83db4000   pciide   pciide.sys   Mon Jul 13 19:11:19 2009 (4A5BBF17)
    83db4000 83dc2000   PCIIDEX  PCIIDEX.SYS  Mon Jul 13 19:11:15 2009 (4A5BBF13)
    83dc2000 83dd8000   mountmgr mountmgr.sys Mon Jul 13 19:11:27 2009 (4A5BBF1F)
    83dd8000 83de1000   atapi    atapi.sys    Mon Jul 13 19:11:15 2009 (4A5BBF13)
    83de1000 83deb000   msahci   msahci.sys   Fri Nov 13 23:09:27 2009 (4AFE2D77)
    83deb000 83df4000   amdxata  amdxata.sys  Tue May 19 13:57:35 2009 (4A12F30F)
    83e05000 83f34000   Ntfs     Ntfs.sys     Mon Jul 13 19:12:05 2009 (4A5BBF45)
    83f34000 83f5f000   msrpc    msrpc.sys    Mon Jul 13 19:11:59 2009 (4A5BBF3F)
    83f5f000 83f72000   ksecdd   ksecdd.sys   Mon Jul 13 19:11:56 2009 (4A5BBF3C)
    83f72000 83fcf000   cng      cng.sys      Mon Jul 13 19:32:55 2009 (4A5BC427)
    83fcf000 83fdd000   pcw      pcw.sys      Mon Jul 13 19:11:10 2009 (4A5BBF0E)
    83fdd000 83fe6000   Fs_Rec   Fs_Rec.sys   Mon Jul 13 19:11:14 2009 (4A5BBF12)
    8cc0e000 8ccc5000   ndis     ndis.sys     Mon Jul 13 19:12:24 2009 (4A5BBF58)
    8ccc5000 8cd03000   NETIO    NETIO.SYS    Mon Jul 13 19:12:35 2009 (4A5BBF63)
    8cd03000 8cd28000   ksecpkg  ksecpkg.sys  Thu Dec 10 23:04:22 2009 (4B21C4C6)
    8cd28000 8cdb4700   timntr   timntr.sys   Tue Sep 29 09:37:45 2009 (4AC20DA9)
    8cdb5000 8cdff000   SRTSP    SRTSP.SYS    Mon Aug 10 23:20:28 2009 (4A80E37C)
    8ce00000 8ce0e000   Npfs     Npfs.SYS     Mon Jul 13 19:11:31 2009 (4A5BBF23)
    8ce0e000 8ce1b000   usbrpm   usbrpm.sys   Mon Jul 13 20:14:30 2009 (4A5BCDE6)
    8ce1d000 8cf66000   tcpip    tcpip.sys    Mon Jul 13 19:13:18 2009 (4A5BBF8E)
    8cf66000 8cf97000   fwpkclnt fwpkclnt.sys Mon Jul 13 19:12:03 2009 (4A5BBF43)
    8cf97000 8cf9f380   vmstorfl vmstorfl.sys Mon Jul 13 19:28:44 2009 (4A5BC32C)
    8cfa0000 8cfdf000   volsnap  volsnap.sys  Mon Jul 13 19:11:34 2009 (4A5BBF26)
    8cfdf000 8cff7000   vpcusb   vpcusb.sys   Tue Sep 22 21:18:08 2009 (4AB97750)
    8d012000 8d0eeee0   tdrpm258 tdrpm258.sys Tue Oct 20 03:40:10 2009 (4ADD695A)
    8d0ef000 8d0f7000   spldr    spldr.sys    Mon May 11 12:13:47 2009 (4A084EBB)
    8d0f7000 8d11df20   snapman  snapman.sys  Mon Feb 08 07:40:51 2010 (4B700653)
    8d11e000 8d14b000   rdyboost rdyboost.sys Mon Jul 13 19:22:02 2009 (4A5BC19A)
    8d14b000 8d156000   PBADRV   PBADRV.sys   Mon Jan 07 13:52:14 2008 (478274DE)
    8d156000 8d166000   mup      mup.sys      Mon Jul 13 19:14:14 2009 (4A5BBFC6)
    8d166000 8d16e000   hwpolicy hwpolicy.sys Mon Jul 13 19:11:01 2009 (4A5BBF05)
    8d16e000 8d1a0000   fvevol   fvevol.sys   Fri Sep 25 22:24:21 2009 (4ABD7B55)
    8d1a0000 8d1b1000   disk     disk.sys     Mon Jul 13 19:11:28 2009 (4A5BBF20)
    8d1b1000 8d1d6000   CLASSPNP CLASSPNP.SYS Mon Jul 13 19:11:20 2009 (4A5BBF18)
    92600000 92621000   VIDEOPRT VIDEOPRT.SYS Mon Jul 13 19:25:49 2009 (4A5BC27D)
    92621000 9262e000   watchdog watchdog.sys Mon Jul 13 19:24:10 2009 (4A5BC21A)
    9262e000 92636000   RDPCDD   RDPCDD.sys   Mon Jul 13 20:01:40 2009 (4A5BCAE4)
    92639000 92784080   NAVEX15  NAVEX15.SYS  Thu Jul 01 14:13:10 2010 (4C2CDAB6)
    92785000 927aa000   SYMEVENT SYMEVENT.SYS Wed Jun 24 16:14:58 2009 (4A428942)
    927aa000 927bd380   NAVENG   NAVENG.SYS   Thu Jul 01 14:05:22 2010 (4C2CD8E2)
    927be000 927c7080   SRTSPX   SRTSPX.SYS   Mon Aug 10 23:20:44 2009 (4A80E38C)
    927c8000 927cf000   Null     Null.SYS     Mon Jul 13 19:11:12 2009 (4A5BBF10)
    927cf000 927d6000   Beep     Beep.SYS     Mon Jul 13 19:45:00 2009 (4A5BC6FC)
    927d6000 927e2000   vga      vga.sys      Mon Jul 13 19:25:50 2009 (4A5BC27E)
    927e2000 927ea000   rdpencdd rdpencdd.sys Mon Jul 13 20:01:39 2009 (4A5BCAE3)
    927ea000 927f2000   rdprefmp rdprefmp.sys Mon Jul 13 20:01:41 2009 (4A5BCAE5)
    927f2000 927fd000   Msfs     Msfs.SYS     Mon Jul 13 19:11:26 2009 (4A5BBF1E)
    93e00000 93e30000   pfmfs_321 pfmfs_321.sys Tue Aug 18 21:46:42 2009 (4A8B5982)
    93e30000 93e47000   tdx      tdx.sys      Mon Jul 13 19:12:10 2009 (4A5BBF4A)
    93e47000 93e52000   TDI      TDI.SYS      Mon Jul 13 19:12:12 2009 (4A5BBF4C)
    93e52000 93e7e480   SYMTDI   SYMTDI.SYS   Wed Jun 17 17:11:02 2009 (4A395BE6)
    93e7f000 93e8d000   wpsdrvnt wpsdrvnt.sys Thu Sep 17 20:35:48 2009 (4AB2D5E4)
    93e8d000 93ee7000   afd      afd.sys      Mon Jul 13 19:12:34 2009 (4A5BBF62)
    93ee7000 93f19000   netbt    netbt.sys    Mon Jul 13 19:12:18 2009 (4A5BBF52)
    93f19000 93f20000   wfplwf   wfplwf.sys   Mon Jul 13 19:53:51 2009 (4A5BC90F)
    93f20000 93f3f000   pacer    pacer.sys    Mon Jul 13 19:53:58 2009 (4A5BC916)
    93f3f000 93f50000   vwififlt vwififlt.sys Mon Jul 13 19:52:03 2009 (4A5BC8A3)
    93f50000 93f60000   vpcnfltr vpcnfltr.sys Tue Sep 22 21:18:04 2009 (4AB9774C)
    93f60000 93f6e000   netbios  netbios.sys  Mon Jul 13 19:53:54 2009 (4A5BC912)
    93f6e000 93f88000   serial   serial.sys   Mon Jul 13 19:45:33 2009 (4A5BC71D)
    93f88000 93f9b000   wanarp   wanarp.sys   Mon Jul 13 19:55:02 2009 (4A5BC956)
    93f9b000 93fe1880   vpcvmm   vpcvmm.sys   Thu Dec 31 01:47:17 2009 (4B3C48F5)
    93fe2000 93ff2000   termdd   termdd.sys   Mon Jul 13 20:01:35 2009 (4A5BCADF)
    93ff2000 94000000   umbus    umbus.sys    Mon Jul 13 19:51:38 2009 (4A5BC88A)
    9b609000 9b673000   SPBBCDrv SPBBCDrv.sys Sat Aug 08 21:37:14 2009 (4A7E284A)
    9b673000 9b6b4000   rdbss    rdbss.sys    Mon Jul 13 19:14:26 2009 (4A5BBFD2)
    9b6b4000 9b6be000   nsiproxy nsiproxy.sys Mon Jul 13 19:12:08 2009 (4A5BBF48)
    9b6be000 9b6c8000   mssmbios mssmbios.sys Mon Jul 13 19:19:25 2009 (4A5BC0FD)
    9b6c8000 9b726000   eeCtrl   eeCtrl.sys   Fri May 21 17:44:53 2010 (4BF6FED5)
    9b726000 9b743000   EraserUtilRebootDrv EraserUtilRebootDrv.sys Fri May 21 17:44:53 2010 (4BF6FED5)
    9b743000 9b74f000   discache discache.sys Mon Jul 13 19:24:04 2009 (4A5BC214)
    9b74f000 9b7b3000   csc      csc.sys      Mon Jul 13 19:15:08 2009 (4A5BBFFC)
    9b7b3000 9b7cb000   dfsc     dfsc.sys     Mon Jul 13 19:14:16 2009 (4A5BBFC8)
    9b7cb000 9b7d9000   blbdrive blbdrive.sys Mon Jul 13 19:23:04 2009 (4A5BC1D8)
    9b7d9000 9b7fa000   tunnel   tunnel.sys   Mon Jul 13 19:54:03 2009 (4A5BC91B)
    9c600000 9c6b7000   dxgkrnl  dxgkrnl.sys  Thu Oct 01 20:48:33 2009 (4AC54DE1)
    9c6b7000 9c6f0000   dxgmms1  dxgmms1.sys  Mon Jul 13 19:25:25 2009 (4A5BC265)
    9c6f0000 9c6f9f80   HECI     HECI.sys     Tue Jun 23 15:49:57 2009 (4A4131E5)
    9c6fa000 9c704000   serenum  serenum.sys  Mon Jul 13 19:45:27 2009 (4A5BC717)
    9c704000 9c73d000   e1y6032  e1y6032.sys  Mon Aug 18 17:44:37 2008 (48A9ED45)
    9c73d000 9c748000   usbuhci  usbuhci.sys  Mon Jul 13 19:51:10 2009 (4A5BC86E)
    9c748000 9c793000   USBPORT  USBPORT.SYS  Mon Jul 13 19:51:13 2009 (4A5BC871)
    9c793000 9c7a2000   usbehci  usbehci.sys  Fri Dec 04 01:51:10 2009 (4B18B15E)
    9c7a2000 9c7c1000   HDAudBus HDAudBus.sys Mon Jul 13 19:50:55 2009 (4A5BC85F)
    9c7c1000 9c7e3000   ndiswan  ndiswan.sys  Mon Jul 13 19:54:34 2009 (4A5BC93A)
    9c7e3000 9c7fb000   raspppoe raspppoe.sys Mon Jul 13 19:54:53 2009 (4A5BC94D)
    9c7fb000 9c7fc700   USBD     USBD.SYS     Mon Jul 13 19:51:05 2009 (4A5BC869)
    9ca05000 9d364140   nvlddmkm nvlddmkm.sys Tue Dec 15 00:18:20 2009 (4B271C1C)
    9d365000 9d366080   nvBridge nvBridge.kmd Mon Dec 14 23:58:53 2009 (4B27178D)
    9d367000 9d37e000   raspptp  raspptp.sys  Mon Jul 13 19:54:47 2009 (4A5BC947)
    9d37e000 9d395000   rassstp  rassstp.sys  Mon Jul 13 19:54:57 2009 (4A5BC951)
    9d395000 9d39ba00   RimSerial RimSerial.sys Mon Nov 24 12:02:13 2008 (492ADE15)
    9d39c000 9d3a6000   rdpbus   rdpbus.sys   Mon Jul 13 20:02:40 2009 (4A5BCB20)
    9d3a6000 9d3c4000   teefer2  teefer2.sys  Wed May 13 15:25:46 2009 (4A0B1EBA)
    9d3c4000 9d3f8000   ks       ks.sys       Mon Jul 13 19:45:13 2009 (4A5BC709)
    9d800000 9d818000   rasl2tp  rasl2tp.sys  Mon Jul 13 19:54:33 2009 (4A5BC939)
    9d819000 9de95000   NETw5s32 NETw5s32.sys Wed Jan 13 11:36:36 2010 (4B4DF694)
    9de95000 9de9f000   vwifibus vwifibus.sys Mon Jul 13 19:52:02 2009 (4A5BC8A2)
    9de9f000 9decb000   1394ohci 1394ohci.sys Mon Jul 13 19:51:59 2009 (4A5BC89F)
    9decb000 9dee4000   sdbus    sdbus.sys    Fri Oct 09 22:31:24 2009 (4ACFF1FC)
    9dee4000 9def5000   rimmptsk rimmptsk.sys Thu Jun 25 03:58:09 2009 (4A432E11)
    9def5000 9df0d000   i8042prt i8042prt.sys Mon Jul 13 19:11:23 2009 (4A5BBF1B)
    9df0d000 9df4f000   Apfiltr  Apfiltr.sys  Wed Mar 10 04:20:05 2010 (4B976445)
    9df4f000 9df5c000   mouclass mouclass.sys Mon Jul 13 19:11:15 2009 (4A5BBF13)
    9df5c000 9df69000   kbdclass kbdclass.sys Mon Jul 13 19:11:15 2009 (4A5BBF13)
    9df69000 9df81000   parport  parport.sys  Mon Jul 13 19:45:34 2009 (4A5BC71E)
    9df81000 9df84700   CmBatt   CmBatt.sys   Mon Jul 13 19:19:18 2009 (4A5BC0F6)
    9df85000 9df8e000   wmiacpi  wmiacpi.sys  Mon Jul 13 19:19:16 2009 (4A5BC0F4)
    9df8e000 9dfa0000   intelppm intelppm.sys Mon Jul 13 19:11:03 2009 (4A5BBF07)
    9dfa0000 9dfad000   CompositeBus CompositeBus.sys Mon Jul 13 19:45:26 2009 (4A5BC716)
    9dfad000 9dfcbe80   dne2000  dne2000.sys  Mon Nov 10 19:59:21 2008 (4918D8E9)
    9dfcc000 9dfd4000   RootMdm  RootMdm.sys  Mon Jul 13 19:55:21 2009 (4A5BC969)
    9dfd4000 9dfe1000   modem    modem.sys    Mon Jul 13 19:55:24 2009 (4A5BC96C)
    9dfe1000 9dff3000   AgileVpn AgileVpn.sys Mon Jul 13 19:55:00 2009 (4A5BC954)
    9dff3000 9dffe000   ndistapi ndistapi.sys Mon Jul 13 19:54:24 2009 (4A5BC930)
    9dffe000 9dfff380   swenum   swenum.sys   Mon Jul 13 19:45:08 2009 (4A5BC704)
    9ea00000 9ea17000   usbccgp  usbccgp.sys  Mon Jul 13 19:51:31 2009 (4A5BC883)
    9ea37000 9ea6d000   vpchbus  vpchbus.sys  Tue Sep 22 21:18:06 2009 (4AB9774E)
    9ea6d000 9eaa0000   bpenum   bpenum.sys   Tue Dec 22 14:37:45 2009 (4B312009)
    9eaa0000 9eae4000   usbhub   usbhub.sys   Fri Dec 04 01:51:51 2009 (4B18B187)
    9eae4000 9eaed000   sffp_sd  sffp_sd.sys  Fri Oct 09 22:57:31 2009 (4ACFF81B)
    9eaed000 9eaf5000   sffdisk  sffdisk.sys  Mon Jul 13 19:45:52 2009 (4A5BC730)
    9eaf5000 9eb06000   NDProxy  NDProxy.SYS  Mon Jul 13 19:54:27 2009 (4A5BC933)
    9eb06000 9eb72000   stwrt    stwrt.sys    Wed Mar 10 01:03:06 2010 (4B97361A)
    9eb72000 9eba1000   portcls  portcls.sys  Mon Jul 13 19:51:00 2009 (4A5BC864)
    9eba1000 9ebba000   drmk     drmk.sys     Mon Jul 13 20:36:05 2009 (4A5BD2F5)
    9ebba000 9ebcf000   bpusb    bpusb.sys    Tue Dec 22 14:37:48 2009 (4B31200C)
    9ebcf000 9ebda000   hidusb   hidusb.sys   Mon Jul 13 19:51:04 2009 (4A5BC868)
    9ebda000 9ebed000   HIDCLASS HIDCLASS.SYS Mon Jul 13 19:51:01 2009 (4A5BC865)
    9ebed000 9ebf3480   HIDPARSE HIDPARSE.SYS Mon Jul 13 19:50:59 2009 (4A5BC863)
    9ebf4000 9ebf5c00   qcfilterdl qcfilterdl.sys Fri Oct 02 19:31:21 2009 (4AC68D49)
    9ee26000 9ee4e000   bpmp     bpmp.sys     Tue Dec 22 14:37:53 2009 (4B312011)
    9ee4e000 9ee5a000   kbdhid   kbdhid.sys   Mon Jul 13 19:45:09 2009 (4A5BC705)
    9ee5a000 9ee65000   mouhid   mouhid.sys   Mon Jul 13 19:45:08 2009 (4A5BC704)
    9ee65000 9ee80400   qcusbserdl qcusbserdl.sys Wed Nov 11 15:43:55 2009 (4AFB220B)
    9ee81000 9eeb9000   qcusbnetdl qcusbnetdl.sys Mon Nov 23 19:49:20 2009 (4B0B2D90)
    9eeb9000 9eec7000   usbscan  usbscan.sys  Mon Jul 13 20:14:44 2009 (4A5BCDF4)
    9eec7000 9eed3000   cvusbdrv cvusbdrv.sys Thu Oct 29 14:37:32 2009 (4AE9E0EC)
    9eefd000 9ef20b00   usbvideo usbvideo.sys Mon Jul 13 19:51:51 2009 (4A5BC897)
    9ef21000 9ef4b000   fastfat  fastfat.SYS  Mon Jul 13 19:14:01 2009 (4A5BBFB9)
    9ef4b000 9ef62000   USBSTOR  USBSTOR.SYS  Mon Jul 13 19:51:19 2009 (4A5BC877)
    9ef62000 9ef6f000   crashdmp crashdmp.sys Mon Jul 13 19:45:50 2009 (4A5BC72E)
    9ef6f000 9ef7a000   dump_dumpata dump_dumpata.sys Mon Jul 13 19:11:16 2009 (4A5BBF14)
    9ef7a000 9ef84000   dump_msahci dump_msahci.sys Fri Nov 13 23:09:27 2009 (4AFE2D77)
    9ef84000 9ef95000   dump_dumpfve dump_dumpfve.sys Mon Jul 13 19:12:47 2009 (4A5BBF6F)
    9ef95000 9ef9f000   Dxapi    Dxapi.sys    Mon Jul 13 19:25:25 2009 (4A5BC265)
    9ef9f000 9efaa000   monitor  monitor.sys  Mon Jul 13 19:25:58 2009 (4A5BC286)
    a24f0000 a273a000   win32k   win32k.sys   Sat May 01 10:49:02 2010 (4BDC3F5E)
    a2750000 a2759000   TSDDD    TSDDD.dll    Mon Jul 13 20:01:40 2009 (4A5BCAE4)
    
    Unloaded modules:
    8d1d6000 8d1e3000   crashdmp.sys
        Timestamp: unavailable (00000000)
        Checksum:  00000000
        ImageSize:  0000D000
    8d1e3000 8d1ee000   dump_pciidex
        Timestamp: unavailable (00000000)
        Checksum:  00000000
        ImageSize:  0000B000
    8d1ee000 8d1f8000   dump_msahci.
        Timestamp: unavailable (00000000)
        Checksum:  00000000
        ImageSize:  0000A000
    8d000000 8d011000   dump_dumpfve
        Timestamp: unavailable (00000000)
        Checksum:  00000000
        ImageSize:  00011000
    9eed3000 9eedc000   WinUSB.sys
        Timestamp: unavailable (00000000)
        Checksum:  00000000
        ImageSize:  00009000
    9eedc000 9eefd000   WUDFRd.sys
        Timestamp: unavailable (00000000)
        Checksum:  00000000
        ImageSize:  00021000
    8cfdf000 8cffe000   cdrom.sys
        Timestamp: unavailable (00000000)
        Checksum:  00000000
        ImageSize:  0001F000
    start    end        module name
    9de9f000 9decb000   1394ohci 1394ohci.sys Mon Jul 13 19:51:59 2009 (4A5BC89F)
    83ca0000 83ce8000   ACPI     ACPI.sys     Mon Jul 13 19:11:11 2009 (4A5BBF0F)
    93e8d000 93ee7000   afd      afd.sys      Mon Jul 13 19:12:34 2009 (4A5BBF62)
    9dfe1000 9dff3000   AgileVpn AgileVpn.sys Mon Jul 13 19:55:00 2009 (4A5BC954)
    83deb000 83df4000   amdxata  amdxata.sys  Tue May 19 13:57:35 2009 (4A12F30F)
    9df0d000 9df4f000   Apfiltr  Apfiltr.sys  Wed Mar 10 04:20:05 2010 (4B976445)
    83dd8000 83de1000   atapi    atapi.sys    Mon Jul 13 19:11:15 2009 (4A5BBF13)
    83796000 837b9000   ataport  ataport.SYS  Mon Jul 13 19:11:18 2009 (4A5BBF16)
    83d47000 83d52000   BATTC    BATTC.SYS    Mon Jul 13 19:19:15 2009 (4A5BC0F3)
    927cf000 927d6000   Beep     Beep.SYS     Mon Jul 13 19:45:00 2009 (4A5BC6FC)
    9b7cb000 9b7d9000   blbdrive blbdrive.sys Mon Jul 13 19:23:04 2009 (4A5BC1D8)
    836a1000 836a9000   BOOTVID  BOOTVID.dll  Mon Jul 13 21:04:34 2009 (4A5BD9A2)
    9ea6d000 9eaa0000   bpenum   bpenum.sys   Tue Dec 22 14:37:45 2009 (4B312009)
    9ee26000 9ee4e000   bpmp     bpmp.sys     Tue Dec 22 14:37:53 2009 (4B312011)
    9ebba000 9ebcf000   bpusb    bpusb.sys    Tue Dec 22 14:37:48 2009 (4B31200C)
    836eb000 83796000   CI       CI.dll       Mon Jul 13 21:09:28 2009 (4A5BDAC8)
    8d1b1000 8d1d6000   CLASSPNP CLASSPNP.SYS Mon Jul 13 19:11:20 2009 (4A5BBF18)
    836a9000 836eb000   CLFS     CLFS.SYS     Mon Jul 13 19:11:10 2009 (4A5BBF0E)
    9df81000 9df84700   CmBatt   CmBatt.sys   Mon Jul 13 19:19:18 2009 (4A5BC0F6)
    83f72000 83fcf000   cng      cng.sys      Mon Jul 13 19:32:55 2009 (4A5BC427)
    83d3f000 83d47000   compbatt compbatt.sys Mon Jul 13 19:19:18 2009 (4A5BC0F6)
    9dfa0000 9dfad000   CompositeBus CompositeBus.sys Mon Jul 13 19:45:26 2009 (4A5BC716)
    9ef62000 9ef6f000   crashdmp crashdmp.sys Mon Jul 13 19:45:50 2009 (4A5BC72E)
    9b74f000 9b7b3000   csc      csc.sys      Mon Jul 13 19:15:08 2009 (4A5BBFFC)
    9eec7000 9eed3000   cvusbdrv cvusbdrv.sys Thu Oct 29 14:37:32 2009 (4AE9E0EC)
    9b7b3000 9b7cb000   dfsc     dfsc.sys     Mon Jul 13 19:14:16 2009 (4A5BBFC8)
    9b743000 9b74f000   discache discache.sys Mon Jul 13 19:24:04 2009 (4A5BC214)
    8d1a0000 8d1b1000   disk     disk.sys     Mon Jul 13 19:11:28 2009 (4A5BBF20)
    9dfad000 9dfcbe80   dne2000  dne2000.sys  Mon Nov 10 19:59:21 2008 (4918D8E9)
    9eba1000 9ebba000   drmk     drmk.sys     Mon Jul 13 20:36:05 2009 (4A5BD2F5)
    9ef6f000 9ef7a000   dump_dumpata dump_dumpata.sys Mon Jul 13 19:11:16 2009 (4A5BBF14)
    9ef84000 9ef95000   dump_dumpfve dump_dumpfve.sys Mon Jul 13 19:12:47 2009 (4A5BBF6F)
    9ef7a000 9ef84000   dump_msahci dump_msahci.sys Fri Nov 13 23:09:27 2009 (4AFE2D77)
    9ef95000 9ef9f000   Dxapi    Dxapi.sys    Mon Jul 13 19:25:25 2009 (4A5BC265)
    9c600000 9c6b7000   dxgkrnl  dxgkrnl.sys  Thu Oct 01 20:48:33 2009 (4AC54DE1)
    9c6b7000 9c6f0000   dxgmms1  dxgmms1.sys  Mon Jul 13 19:25:25 2009 (4A5BC265)
    9c704000 9c73d000   e1y6032  e1y6032.sys  Mon Aug 18 17:44:37 2008 (48A9ED45)
    9b6c8000 9b726000   eeCtrl   eeCtrl.sys   Fri May 21 17:44:53 2010 (4BF6FED5)
    9b726000 9b743000   EraserUtilRebootDrv EraserUtilRebootDrv.sys Fri May 21 17:44:53 2010 (4BF6FED5)
    9ef21000 9ef4b000   fastfat  fastfat.SYS  Mon Jul 13 19:14:01 2009 (4A5BBFB9)
    83c00000 83c11000   fileinfo fileinfo.sys Mon Jul 13 19:21:51 2009 (4A5BC18F)
    837b9000 837ed000   fltmgr   fltmgr.sys   Mon Jul 13 19:11:13 2009 (4A5BBF11)
    83fdd000 83fe6000   Fs_Rec   Fs_Rec.sys   Mon Jul 13 19:11:14 2009 (4A5BBF12)
    8d16e000 8d1a0000   fvevol   fvevol.sys   Fri Sep 25 22:24:21 2009 (4ABD7B55)
    8cf66000 8cf97000   fwpkclnt fwpkclnt.sys Mon Jul 13 19:12:03 2009 (4A5BBF43)
    83015000 8304c000   hal      halmacpi.dll Mon Jul 13 19:11:03 2009 (4A5BBF07)
    9c7a2000 9c7c1000   HDAudBus HDAudBus.sys Mon Jul 13 19:50:55 2009 (4A5BC85F)
    9c6f0000 9c6f9f80   HECI     HECI.sys     Tue Jun 23 15:49:57 2009 (4A4131E5)
    9ebda000 9ebed000   HIDCLASS HIDCLASS.SYS Mon Jul 13 19:51:01 2009 (4A5BC865)
    9ebed000 9ebf3480   HIDPARSE HIDPARSE.SYS Mon Jul 13 19:50:59 2009 (4A5BC863)
    9ebcf000 9ebda000   hidusb   hidusb.sys   Mon Jul 13 19:51:04 2009 (4A5BC868)
    8d166000 8d16e000   hwpolicy hwpolicy.sys Mon Jul 13 19:11:01 2009 (4A5BBF05)
    9def5000 9df0d000   i8042prt i8042prt.sys Mon Jul 13 19:11:23 2009 (4A5BBF1B)
    9df8e000 9dfa0000   intelppm intelppm.sys Mon Jul 13 19:11:03 2009 (4A5BBF07)
    9df5c000 9df69000   kbdclass kbdclass.sys Mon Jul 13 19:11:15 2009 (4A5BBF13)
    9ee4e000 9ee5a000   kbdhid   kbdhid.sys   Mon Jul 13 19:45:09 2009 (4A5BC705)
    80bb7000 80bbf000   kdcom    kdcom.dll    Mon Jul 13 21:08:58 2009 (4A5BDAAA)
    9d3c4000 9d3f8000   ks       ks.sys       Mon Jul 13 19:45:13 2009 (4A5BC709)
    83f5f000 83f72000   ksecdd   ksecdd.sys   Mon Jul 13 19:11:56 2009 (4A5BBF3C)
    8cd03000 8cd28000   ksecpkg  ksecpkg.sys  Thu Dec 10 23:04:22 2009 (4B21C4C6)
    83618000 83690000   mcupdate_GenuineIntel mcupdate_GenuineIntel.dll Mon Jul 13 21:06:41 2009 (4A5BDA21)
    9dfd4000 9dfe1000   modem    modem.sys    Mon Jul 13 19:55:24 2009 (4A5BC96C)
    9ef9f000 9efaa000   monitor  monitor.sys  Mon Jul 13 19:25:58 2009 (4A5BC286)
    9df4f000 9df5c000   mouclass mouclass.sys Mon Jul 13 19:11:15 2009 (4A5BBF13)
    9ee5a000 9ee65000   mouhid   mouhid.sys   Mon Jul 13 19:45:08 2009 (4A5BC704)
    83dc2000 83dd8000   mountmgr mountmgr.sys Mon Jul 13 19:11:27 2009 (4A5BBF1F)
    83de1000 83deb000   msahci   msahci.sys   Fri Nov 13 23:09:27 2009 (4AFE2D77)
    927f2000 927fd000   Msfs     Msfs.SYS     Mon Jul 13 19:11:26 2009 (4A5BBF1E)
    83cf1000 83cf9000   msisadrv msisadrv.sys Mon Jul 13 19:11:09 2009 (4A5BBF0D)
    83f34000 83f5f000   msrpc    msrpc.sys    Mon Jul 13 19:11:59 2009 (4A5BBF3F)
    9b6be000 9b6c8000   mssmbios mssmbios.sys Mon Jul 13 19:19:25 2009 (4A5BC0FD)
    8d156000 8d166000   mup      mup.sys      Mon Jul 13 19:14:14 2009 (4A5BBFC6)
    927aa000 927bd380   NAVENG   NAVENG.SYS   Thu Jul 01 14:05:22 2010 (4C2CD8E2)
    92639000 92784080   NAVEX15  NAVEX15.SYS  Thu Jul 01 14:13:10 2010 (4C2CDAB6)
    8cc0e000 8ccc5000   ndis     ndis.sys     Mon Jul 13 19:12:24 2009 (4A5BBF58)
    9dff3000 9dffe000   ndistapi ndistapi.sys Mon Jul 13 19:54:24 2009 (4A5BC930)
    9c7c1000 9c7e3000   ndiswan  ndiswan.sys  Mon Jul 13 19:54:34 2009 (4A5BC93A)
    9eaf5000 9eb06000   NDProxy  NDProxy.SYS  Mon Jul 13 19:54:27 2009 (4A5BC933)
    93f60000 93f6e000   netbios  netbios.sys  Mon Jul 13 19:53:54 2009 (4A5BC912)
    93ee7000 93f19000   netbt    netbt.sys    Mon Jul 13 19:12:18 2009 (4A5BBF52)
    8ccc5000 8cd03000   NETIO    NETIO.SYS    Mon Jul 13 19:12:35 2009 (4A5BBF63)
    9d819000 9de95000   NETw5s32 NETw5s32.sys Wed Jan 13 11:36:36 2010 (4B4DF694)
    8ce00000 8ce0e000   Npfs     Npfs.SYS     Mon Jul 13 19:11:31 2009 (4A5BBF23)
    9b6b4000 9b6be000   nsiproxy nsiproxy.sys Mon Jul 13 19:12:08 2009 (4A5BBF48)
    8304c000 8345c000   nt       ntkrpamp.exe Sat Feb 27 02:33:35 2010 (4B88CACF)
    83e05000 83f34000   Ntfs     Ntfs.sys     Mon Jul 13 19:12:05 2009 (4A5BBF45)
    927c8000 927cf000   Null     Null.SYS     Mon Jul 13 19:11:12 2009 (4A5BBF10)
    9d365000 9d366080   nvBridge nvBridge.kmd Mon Dec 14 23:58:53 2009 (4B27178D)
    9ca05000 9d364140   nvlddmkm nvlddmkm.sys Tue Dec 15 00:18:20 2009 (4B271C1C)
    93f20000 93f3f000   pacer    pacer.sys    Mon Jul 13 19:53:58 2009 (4A5BC916)
    9df69000 9df81000   parport  parport.sys  Mon Jul 13 19:45:34 2009 (4A5BC71E)
    83d2e000 83d3f000   partmgr  partmgr.sys  Mon Jul 13 19:11:35 2009 (4A5BBF27)
    8d14b000 8d156000   PBADRV   PBADRV.sys   Mon Jan 07 13:52:14 2008 (478274DE)
    83cf9000 83d23000   pci      pci.sys      Mon Jul 13 19:11:16 2009 (4A5BBF14)
    83dad000 83db4000   pciide   pciide.sys   Mon Jul 13 19:11:19 2009 (4A5BBF17)
    83db4000 83dc2000   PCIIDEX  PCIIDEX.SYS  Mon Jul 13 19:11:15 2009 (4A5BBF13)
    83fcf000 83fdd000   pcw      pcw.sys      Mon Jul 13 19:11:10 2009 (4A5BBF0E)
    93e00000 93e30000   pfmfs_321 pfmfs_321.sys Tue Aug 18 21:46:42 2009 (4A8B5982)
    9eb72000 9eba1000   portcls  portcls.sys  Mon Jul 13 19:51:00 2009 (4A5BC864)
    83690000 836a1000   PSHED    PSHED.dll    Mon Jul 13 21:09:36 2009 (4A5BDAD0)
    9ebf4000 9ebf5c00   qcfilterdl qcfilterdl.sys Fri Oct 02 19:31:21 2009 (4AC68D49)
    9ee81000 9eeb9000   qcusbnetdl qcusbnetdl.sys Mon Nov 23 19:49:20 2009 (4B0B2D90)
    9ee65000 9ee80400   qcusbserdl qcusbserdl.sys Wed Nov 11 15:43:55 2009 (4AFB220B)
    9d800000 9d818000   rasl2tp  rasl2tp.sys  Mon Jul 13 19:54:33 2009 (4A5BC939)
    9c7e3000 9c7fb000   raspppoe raspppoe.sys Mon Jul 13 19:54:53 2009 (4A5BC94D)
    9d367000 9d37e000   raspptp  raspptp.sys  Mon Jul 13 19:54:47 2009 (4A5BC947)
    9d37e000 9d395000   rassstp  rassstp.sys  Mon Jul 13 19:54:57 2009 (4A5BC951)
    9b673000 9b6b4000   rdbss    rdbss.sys    Mon Jul 13 19:14:26 2009 (4A5BBFD2)
    9d39c000 9d3a6000   rdpbus   rdpbus.sys   Mon Jul 13 20:02:40 2009 (4A5BCB20)
    9262e000 92636000   RDPCDD   RDPCDD.sys   Mon Jul 13 20:01:40 2009 (4A5BCAE4)
    927e2000 927ea000   rdpencdd rdpencdd.sys Mon Jul 13 20:01:39 2009 (4A5BCAE3)
    927ea000 927f2000   rdprefmp rdprefmp.sys Mon Jul 13 20:01:41 2009 (4A5BCAE5)
    8d11e000 8d14b000   rdyboost rdyboost.sys Mon Jul 13 19:22:02 2009 (4A5BC19A)
    9dee4000 9def5000   rimmptsk rimmptsk.sys Thu Jun 25 03:58:09 2009 (4A432E11)
    9d395000 9d39ba00   RimSerial RimSerial.sys Mon Nov 24 12:02:13 2008 (492ADE15)
    9dfcc000 9dfd4000   RootMdm  RootMdm.sys  Mon Jul 13 19:55:21 2009 (4A5BC969)
    9decb000 9dee4000   sdbus    sdbus.sys    Fri Oct 09 22:31:24 2009 (4ACFF1FC)
    9c6fa000 9c704000   serenum  serenum.sys  Mon Jul 13 19:45:27 2009 (4A5BC717)
    93f6e000 93f88000   serial   serial.sys   Mon Jul 13 19:45:33 2009 (4A5BC71D)
    9eaed000 9eaf5000   sffdisk  sffdisk.sys  Mon Jul 13 19:45:52 2009 (4A5BC730)
    9eae4000 9eaed000   sffp_sd  sffp_sd.sys  Fri Oct 09 22:57:31 2009 (4ACFF81B)
    8d0f7000 8d11df20   snapman  snapman.sys  Mon Feb 08 07:40:51 2010 (4B700653)
    9b609000 9b673000   SPBBCDrv SPBBCDrv.sys Sat Aug 08 21:37:14 2009 (4A7E284A)
    8d0ef000 8d0f7000   spldr    spldr.sys    Mon May 11 12:13:47 2009 (4A084EBB)
    8cdb5000 8cdff000   SRTSP    SRTSP.SYS    Mon Aug 10 23:20:28 2009 (4A80E37C)
    927be000 927c7080   SRTSPX   SRTSPX.SYS   Mon Aug 10 23:20:44 2009 (4A80E38C)
    9eb06000 9eb72000   stwrt    stwrt.sys    Wed Mar 10 01:03:06 2010 (4B97361A)
    9dffe000 9dfff380   swenum   swenum.sys   Mon Jul 13 19:45:08 2009 (4A5BC704)
    92785000 927aa000   SYMEVENT SYMEVENT.SYS Wed Jun 24 16:14:58 2009 (4A428942)
    93e52000 93e7e480   SYMTDI   SYMTDI.SYS   Wed Jun 17 17:11:02 2009 (4A395BE6)
    8ce1d000 8cf66000   tcpip    tcpip.sys    Mon Jul 13 19:13:18 2009 (4A5BBF8E)
    93e47000 93e52000   TDI      TDI.SYS      Mon Jul 13 19:12:12 2009 (4A5BBF4C)
    8d012000 8d0eeee0   tdrpm258 tdrpm258.sys Tue Oct 20 03:40:10 2009 (4ADD695A)
    93e30000 93e47000   tdx      tdx.sys      Mon Jul 13 19:12:10 2009 (4A5BBF4A)
    9d3a6000 9d3c4000   teefer2  teefer2.sys  Wed May 13 15:25:46 2009 (4A0B1EBA)
    93fe2000 93ff2000   termdd   termdd.sys   Mon Jul 13 20:01:35 2009 (4A5BCADF)
    8cd28000 8cdb4700   timntr   timntr.sys   Tue Sep 29 09:37:45 2009 (4AC20DA9)
    a2750000 a2759000   TSDDD    TSDDD.dll    Mon Jul 13 20:01:40 2009 (4A5BCAE4)
    9b7d9000 9b7fa000   tunnel   tunnel.sys   Mon Jul 13 19:54:03 2009 (4A5BC91B)
    93ff2000 94000000   umbus    umbus.sys    Mon Jul 13 19:51:38 2009 (4A5BC88A)
    9ea00000 9ea17000   usbccgp  usbccgp.sys  Mon Jul 13 19:51:31 2009 (4A5BC883)
    9c7fb000 9c7fc700   USBD     USBD.SYS     Mon Jul 13 19:51:05 2009 (4A5BC869)
    9c793000 9c7a2000   usbehci  usbehci.sys  Fri Dec 04 01:51:10 2009 (4B18B15E)
    9eaa0000 9eae4000   usbhub   usbhub.sys   Fri Dec 04 01:51:51 2009 (4B18B187)
    9c748000 9c793000   USBPORT  USBPORT.SYS  Mon Jul 13 19:51:13 2009 (4A5BC871)
    8ce0e000 8ce1b000   usbrpm   usbrpm.sys   Mon Jul 13 20:14:30 2009 (4A5BCDE6)
    9eeb9000 9eec7000   usbscan  usbscan.sys  Mon Jul 13 20:14:44 2009 (4A5BCDF4)
    9ef4b000 9ef62000   USBSTOR  USBSTOR.SYS  Mon Jul 13 19:51:19 2009 (4A5BC877)
    9c73d000 9c748000   usbuhci  usbuhci.sys  Mon Jul 13 19:51:10 2009 (4A5BC86E)
    9eefd000 9ef20b00   usbvideo usbvideo.sys Mon Jul 13 19:51:51 2009 (4A5BC897)
    83d23000 83d2e000   vdrvroot vdrvroot.sys Mon Jul 13 19:46:19 2009 (4A5BC74B)
    927d6000 927e2000   vga      vga.sys      Mon Jul 13 19:25:50 2009 (4A5BC27E)
    92600000 92621000   VIDEOPRT VIDEOPRT.SYS Mon Jul 13 19:25:49 2009 (4A5BC27D)
    8cf97000 8cf9f380   vmstorfl vmstorfl.sys Mon Jul 13 19:28:44 2009 (4A5BC32C)
    83d52000 83d62000   volmgr   volmgr.sys   Mon Jul 13 19:11:25 2009 (4A5BBF1D)
    83d62000 83dad000   volmgrx  volmgrx.sys  Mon Jul 13 19:11:41 2009 (4A5BBF2D)
    8cfa0000 8cfdf000   volsnap  volsnap.sys  Mon Jul 13 19:11:34 2009 (4A5BBF26)
    9ea37000 9ea6d000   vpchbus  vpchbus.sys  Tue Sep 22 21:18:06 2009 (4AB9774E)
    93f50000 93f60000   vpcnfltr vpcnfltr.sys Tue Sep 22 21:18:04 2009 (4AB9774C)
    8cfdf000 8cff7000   vpcusb   vpcusb.sys   Tue Sep 22 21:18:08 2009 (4AB97750)
    93f9b000 93fe1880   vpcvmm   vpcvmm.sys   Thu Dec 31 01:47:17 2009 (4B3C48F5)
    9de95000 9de9f000   vwifibus vwifibus.sys Mon Jul 13 19:52:02 2009 (4A5BC8A2)
    93f3f000 93f50000   vwififlt vwififlt.sys Mon Jul 13 19:52:03 2009 (4A5BC8A3)
    93f88000 93f9b000   wanarp   wanarp.sys   Mon Jul 13 19:55:02 2009 (4A5BC956)
    92621000 9262e000   watchdog watchdog.sys Mon Jul 13 19:24:10 2009 (4A5BC21A)
    83c21000 83c92000   Wdf01000 Wdf01000.sys Mon Jul 13 19:11:36 2009 (4A5BBF28)
    83c92000 83ca0000   WDFLDR   WDFLDR.SYS   Mon Jul 13 19:11:25 2009 (4A5BBF1D)
    93f19000 93f20000   wfplwf   wfplwf.sys   Mon Jul 13 19:53:51 2009 (4A5BC90F)
    a24f0000 a273a000   win32k   win32k.sys   Sat May 01 10:49:02 2010 (4BDC3F5E)
    9df85000 9df8e000   wmiacpi  wmiacpi.sys  Mon Jul 13 19:19:16 2009 (4A5BC0F4)
    83ce8000 83cf1000   WMILIB   WMILIB.SYS   Mon Jul 13 19:11:22 2009 (4A5BBF1A)
    93e7f000 93e8d000   wpsdrvnt wpsdrvnt.sys Thu Sep 17 20:35:48 2009 (4AB2D5E4)
    
    Unloaded modules:
    8d1d6000 8d1e3000   crashdmp.sys
        Timestamp: unavailable (00000000)
        Checksum:  00000000
        ImageSize:  0000D000
    8d1e3000 8d1ee000   dump_pciidex
        Timestamp: unavailable (00000000)
        Checksum:  00000000
        ImageSize:  0000B000
    8d1ee000 8d1f8000   dump_msahci.
        Timestamp: unavailable (00000000)
        Checksum:  00000000
        ImageSize:  0000A000
    8d000000 8d011000   dump_dumpfve
        Timestamp: unavailable (00000000)
        Checksum:  00000000
        ImageSize:  00011000
    9eed3000 9eedc000   WinUSB.sys
        Timestamp: unavailable (00000000)
        Checksum:  00000000
        ImageSize:  00009000
    9eedc000 9eefd000   WUDFRd.sys
        Timestamp: unavailable (00000000)
        Checksum:  00000000
        ImageSize:  00021000
    8cfdf000 8cffe000   cdrom.sys
        Timestamp: unavailable (00000000)
        Checksum:  00000000
        ImageSize:  0001F000
    Bugcheck code 000000F4
    Arguments 00000003 89aca498 89aca604 83274d90
      My Computer


  7. Posts : 5,705
    Win7 x64 + x86
       #7

    Just a thought - but if you've disabled the SYMEVENT.sys driver - what do the BSOD's say now?
    Please read the Blue Screen to see if it mentions the name of a driver and let us know (it may or may not do this).

    Also, let us know the entire text of the error message, for example:

    Code:
    0x000000F4  {0x00000003 0x89aca498 0x89aca604 0x83274d90}
    We can compare this with the previous dumps to see if there's any common ground.

    Also, please run a diagnostic on the drive. Here's a link to the Samsung Magician utility: Samsung SSD | Samsung SSD FAQ I'd suggest installing it on another system and then slaving the SSD to it (in order to test it).

    Any further minidumps will be a great help.
    Also, check in C:\Windows for a file named MEMORY.dmp - it'll be huge, so zip it up and upload it to a free file-hosting service. Then post a link here so we can download it.
      My Computer


  8. Posts : 6
    Windows 7 Enterprise
    Thread Starter
       #8

    What am I looking for in the registry?


    usasma - thanks a ton for your help! Quick hits:
    • Yes, I can definitely get into the registry on the unbootable OS using Registry Editor PE. (Registry Editor PE Home Page)
    • Let's not worry about the malware just yet - first things first, let's get 'er booting.
    Here's what I need from you: What keys am I looking for, and where are they located? What's the procedure for disabling them?
    Quote:
    In addition to the Norton/Symantec stuff, if you're able to edit the registry, then you'll be able to get at the keys that load services and drivers during the boot - and will then be able to disable them in order to see what's going on. BTW - the ntbtlog.zip that you uploaded doesn't seem to have anything in it.

    As for what we're doing here, the next step would (presuming that you can edit the registry) be to determine what's loading at boot and then disabling these things in groups of 5 - 10 until we find what's crashing. Then we remove that and see if it fixes things.
    Thanks again SO much for your help!!

    Seth
      My Computer


  9. Posts : 5,705
    Win7 x64 + x86
       #9

    All the info is available in Autoruns (free here: Autoruns for Windows ) I don't know why I didn't think of that until now.
    Just run it on any system and you can pick the keys that you need from there.

    For example, drivers (and services) load from HKLM\System\CurrentControlSet\Services - and you can see that at the top of the column when you click on the appropriate tab (Drivers or Services).

    FWIW - I think that CurrentControlSet is a mirror of one of the ControlSet00x entries, so you may have to modify them also (but don't do that yet or we'll get ahead of ourselves and may get lost)

    To disable them, first backup the entire registry. This is a just in case measure to ensure that you don't accidentally mess the registry up.

    Then export them (the group of 5 to 10) to a .reg file. You may want to export the entire Services key in order to make it easier.
    Then delete those keys (the group of 5 to 10) in the registry.
    Then try and boot the system.
    NOTE: After the first one, check and see if the keys come back (which would be the case if the CurrentControlSet is a mirror of one of the ControlSet00x keys).
    If it doesn't boot, restore the keys that you deleted by adding them back from the exported .reg file - then export another 5 to 10 and then delete those from the registry.

    So start there by disabling groups of 10 or so (in HKLM\System\CurrentControlSet\Services). Leave the Microsoft drivers/services until last, as most often the problem will be with 3rd party drivers. And I would definitely disable anything Norton/Symantec first!

    To narrow things down a bit, where exactly does the BSOD occur? What is the last thing that you see before the BSOD (discounting any black screens)?

    NOTE: Just another thought, make excruciatingly detailed notes about each boot attempt. The failure may not be due to drivers, but rather to the malware acting on the drivers - so good notes will help us to see more of what's happening.
    Last edited by usasma; 29 Sep 2010 at 05:24.
      My Computer


  10. Posts : 6
    Windows 7 Enterprise
    Thread Starter
       #10

    I think we're looking at the wrong stuff here


    usasma - One thing that became clear to me recently is that the minidump file from 9/23/10 is probably not the one we need to be looking at; this system has failed to boot dozens of times since then and none of that information is in that minidump; minidumps come from a booted Windows system - mine never gets there. So I think you're troubleshooting an error that occurred a week ago and it's not the one that I'm experiencing now.

    So with that out of the way...some answers to your questions:

    Quote:
    Just a thought - but if you've disabled the SYMEVENT.sys driver - what do the BSOD's say now? Please read the Blue Screen to see if it mentions the name of a driver and let us know (it may or may not do this). Also, let us know the entire text of the error message, for example:

    At this point I have deleted all of the symantec keys from the registry, but I am getting the same issue. This is the stop error I get on boot - there is no driver mentioned:
    0x0000007B (0x80786B58, 0xC0000034, 0x00000000, 0x00000000)
    Some more details:
    1. When booting into safe mode, loads of files are loaded, but then it hangs on CLASSPNP.SYS for about 15-30 seconds before the machine blue screens.
    2. I have uploaded a compressed copy of my memory.dmp file here:
      https://docs.google.com/leaf?id=0B3vHrJXYQUKJMDEyYzBhN2MtYjJhNC00MTAwLTgwZTMtMTkzNTUyOGY3ZDc1&hl=en
    3. Someone on another forum suggested that I might have a boot sector virus. That seems quite feasible to me - this is definitely a malware-induced issue. One thing that was suggested to me was that MalwareBytes might have deleted my atapi.sys files, but they were there - and replacing them with fresh copies (definitely the right version) didn't help either.
    Is this useful info? Does this help point us in the right direction?

    I have not had the opportunity to run the Samsung Magician utility yet - I will try and do that later today if possible.

    Thanks again for your help!!


      My Computer
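Added example, not code from the thread, from either poster, or from any tool they mention: a PowerShell script that does what the last two posts call for against the offline SYSTEM hive, run from a WinPE image that includes PowerShell or from a second machine with the SSD attached (as #7 suggests). It (1) resolves which ControlSet00N the dead install actually boots from, since an offline hive has no CurrentControlSet link (that alias is created at boot from the Select\Current value, which answers the "mirror" question in #9); (2) lists every boot-start and system-start driver with whether its image file is present and its SHA-256, the first thing to check for the STOP 0x7B with status 0xC0000034 (STATUS_OBJECT_NAME_NOT_FOUND) reported in #10; (3) checks that the storage-class UpperFilters/LowerFilters still point at existing Services keys, a known way to get a 0x7B after keys have been deleted; and (4) carries out the #9 bisection reversibly by exporting each chosen key and setting Start=4 (SERVICE_DISABLED) rather than deleting it. The paths D:\Windows and C:\regbackup and the hive name OfflineSys are placeholders I assumed; the four class GUIDs are the standard Windows setup-class GUIDs for DiskDrive, hdc, SCSIAdapter and Volume.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell in WinPE,
# or on a second machine with the unbootable SSD attached (as suggested in #7).
# $OfflineWindows, $Mount and $ExportDir are placeholders: adjust to your layout.
param(
    [string]$OfflineWindows = 'D:\Windows',   # Windows directory of the dead install
    [string]$Mount          = 'OfflineSys',   # temporary name for the hive under HKLM
    [string]$ExportDir      = 'C:\regbackup', # where .reg backups go before disabling
    [string[]]$Disable      = @()             # Services key names to set Start=4
)
$ErrorActionPreference = 'Stop'
$offDrive = Split-Path -Qualifier $OfflineWindows      # e.g. 'D:'

function Resolve-ImagePath([string]$name, [string]$imagePath) {
    # A driver with no ImagePath value is loaded from System32\Drivers\<key>.sys.
    if (-not $imagePath) { $imagePath = "System32\Drivers\$name.sys" }
    $p = $imagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', '' -replace '^%SystemRoot%\\', ''
    if ($p -match '^[A-Za-z]:\\') { return "$offDrive\" + $p.Substring(3) }  # re-point C:\ at the offline volume
    return Join-Path $OfflineWindows $p
}

& reg.exe load "HKLM\$Mount" (Join-Path $OfflineWindows 'System32\config\SYSTEM') | Out-Null
try {
    # An offline hive has no CurrentControlSet link; that alias is built at boot from Select\Current,
    # so every edit must go to the ControlSet00N that Select\Current names.
    $sel = Get-ItemProperty "HKLM:\$Mount\Select"
    $cs  = 'ControlSet{0:D3}' -f $sel.Current
    "Current control set: $cs   LastKnownGood: ControlSet{0:D3}" -f $sel.LastKnownGood
    $svcRoot = "HKLM:\$Mount\$cs\Services"
    $sha = [System.Security.Cryptography.SHA256]::Create()

    # Check 1: every boot-start (Start=0) and system-start (Start=1) kernel or file-system driver
    # must have its image on the volume. STOP 0x7B with status 0xC0000034
    # (STATUS_OBJECT_NAME_NOT_FOUND) is consistent with one that does not.
    "`n== Boot/system-start drivers in $cs =="
    foreach ($key in Get-ChildItem $svcRoot) {
        $v = Get-ItemProperty $key.PSPath -ErrorAction SilentlyContinue
        if (-not $v -or $null -eq $v.Start -or $v.Start -gt 1) { continue }
        if ($v.Type -ne 1 -and $v.Type -ne 2) { continue }      # 1 = kernel driver, 2 = file system driver
        $img  = Resolve-ImagePath $key.PSChildName $v.ImagePath
        $hash = 'MISSING'
        if (Test-Path $img) {
            $fs = [IO.File]::OpenRead($img)
            try { $hash = [BitConverter]::ToString($sha.ComputeHash($fs)).Replace('-', '') } finally { $fs.Close() }
        }
        '{0,-12} Start={1} Group={2,-20} {3} {4}' -f $key.PSChildName, $v.Start, $v.Group, $img, $hash
    }

    # Check 2: storage-class filter drivers named in UpperFilters/LowerFilters must still have a
    # Services key. A class that names a filter whose key is gone leaves the boot disk unable to
    # start, a known cause of STOP 0x7B. GUIDs are the standard setup-class GUIDs.
    "`n== Storage class filters =="
    $classes = @{
        'DiskDrive'   = '{4D36E967-E325-11CE-BFC1-08002BE10318}'
        'hdc'         = '{4D36E96A-E325-11CE-BFC1-08002BE10318}'
        'SCSIAdapter' = '{4D36E97B-E325-11CE-BFC1-08002BE10318}'
        'Volume'      = '{71A27CDD-812A-11D0-BEC7-08002BE2092F}'
    }
    foreach ($c in $classes.Keys) {
        $k = Get-ItemProperty "HKLM:\$Mount\$cs\Control\Class\$($classes[$c])" -ErrorAction SilentlyContinue
        if (-not $k) { continue }
        foreach ($f in @($k.UpperFilters) + @($k.LowerFilters)) {
            if (-not $f) { continue }
            $state = if (Test-Path "$svcRoot\$f") { 'service key present' } else { 'DANGLING: no Services key' }
            '{0,-12} {1,-16} {2}' -f $c, $f, $state
        }
    }

    # Step 3 (the bisection in #9, made reversible): export each chosen key, then set Start=4
    # (SERVICE_DISABLED) instead of deleting it. Restore with:  reg.exe import <name>.reg
    # while the hive is loaded under the same HKLM\$Mount name, because the .reg records that path.
    if ($Disable.Count -gt 0) {
        New-Item -ItemType Directory -Force -Path $ExportDir | Out-Null
        foreach ($name in $Disable) {
            $bak = Join-Path $ExportDir "$name.reg"
            & reg.exe export "HKLM\$Mount\$cs\Services\$name" $bak /y | Out-Null
            Set-ItemProperty -Path "$svcRoot\$name" -Name Start -Value 4 -Type DWord
            "disabled $name (Start=4); backup at $bak"
        }
    }
}
finally {
    # Drop PowerShell's handles to the hive before unloading, or reg unload reports it busy.
    [gc]::Collect(); [gc]::WaitForPendingFinalizers()
    & reg.exe unload "HKLM\$Mount" | Out-Null
}
```

Run it once with no -Disable to get the two reports (`.\Check-OfflineBoot.ps1 -OfflineWindows D:\Windows`); any MISSING or DANGLING line is a better lead than bisecting. The SHA-256 column lets you compare a present-but-suspect boot driver against the copy from the install media, which a byte-identical replacement would also catch. For the bisection, a group from the module list above would be `-Disable SYMEVENT,SRTSP,SRTSPX,SYMTDI`; after the boot attempt, load the hive again under the same OfflineSys name and `reg.exe import C:\regbackup\SYMEVENT.reg` (and the others) to put that group back before disabling the next one. Setting Start=4 has the same effect on the boot loader as removing the key, and it leaves the key in place for the restore, so the ControlSet00x copies usasma mentions do not need separate handling: the kernel only reads the set that Select\Current names.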

