BSOD when using browse button or accessing network resource


  1. Posts : 32
    Windows 7 64-bit
       #1

    BSOD when using browse button or accessing network resource


    I have a workstation that we just installed. It is an Acer i5, 4GB RAM, 500GB hard drive, and Windows 7 Pro 64-bit. In the last couple of weeks, it has started having BSOD problems seemingly randomly. Following is the message given when logging in after a BSOD:


    Problem signature:
    Problem Event Name: BlueScreen
    OS Version: 6.1.7601.2.1.0.256.48
    Locale ID: 1033

    Additional information about the problem:
    BCCode: 1e
    BCP1: FFFFFFFFC0000005
    BCP2: FFFFF88005631C40
    BCP3: 0000000000000000
    BCP4: 0000000000000000
    OS Version: 6_1_7601
    Service Pack: 1_0
    Product: 256_1

    Files that help describe the problem:
    C:\Windows\Minidump\070512-15147-01.dmp
    C:\Users\Keene Dodge\AppData\Local\Temp\WER-24710-0.sysdata.xml

    Read our privacy statement online:
    Windows 7 Privacy Statement - Microsoft Windows

    If the online privacy statement is not available, please read our privacy statement offline:
    C:\Windows\system32\en-US\erofflps.txt
    I researched it and most seemed to agree that this type of error is driver based, so I downloaded all of the newest drivers from the manufacturer's web site and updated them. When this did not work, I uninstalled the anti-virus program. When this did not work I tried:

    1. Ran CCLEANER for files & registry
    2. Ran Malwarebytes full scan & AVG full scan on system
    3. Disabled all startup items using MSCONFIG
    4. Disabled all services EXCEPT Microsoft services using MSCONFIG
    5. Ran a CHKDSK /F, though when I tried to go through the drive properties and select tools, I got the BSOD
    6. Ran HDTUNE for speed and surface errors, though it could not see the SMART info
    7. Reviewed the log files and found some drive access errors though no diagnostics showed any problem with the drive. I think an example will be included with the captured information as it appeared to be collecting event log info.
    8. Booted in safe mode w/ Networking. The BSOD did not happen, but I couldn't access the network resource anyway.
    9. Installed all MS updates INCLUDING optional hardware updates


    I've found the following ways that will BSOD the machine every time they are performed:
    1. Type a non http:// URL into the START/SEARCH-RUN box. For example, I typed in \\frank to get to a machine named frank. Instant BSOD.
    2. Go to drive properties and select TOOLS from the tabs
    3. Select the browse button from this sevenforums.com page to include a file


    At first, I started using the sevenforums programs & procedures to capture the requested information and then realized that I still had all of the services & startup items disabled, so I enabled everything and ran a second data capture with a NORMAL startup. Both are included as I'm not sure which one will be more useful.

    Thanks in Advance,

    Jeff


  2. Posts : 11,269
    Windows 7 Home Premium 64 Bit
       #2

    Device Concerns:
    Code:
    KSecPkg	ROOT\LEGACY_KSECPKG\0000	This device is disabled.
    NDProxy	ROOT\LEGACY_NDPROXY\0000	This device is disabled.
    High Definition Audio Controller	PCI\VEN_8086&DEV_1C20&SUBSYS_04921025&REV_05\3&11583659&0&D8	This device is disabled.
    Were you aware of the above? If so, please explain your troubleshooting steps.


    Software Concerns:
    Security Software: ??? Make sure to install security software. I recommend either of these:

    After installing your security software, update it, and then run full scans today with each program. Report back the results of the scans.


    Analysis:
    Crashes point to a network related issue. Could be a virus/malware on the system. Crashes may also indicate Windows corruption.
    • If you are overclocking any hardware, please stop.

    • Check Windows for corruption. Run SFC /SCANNOW Command - System File Checker up to three times to fix all errors with a restart in between each. Post back if it continues to show errors after a fourth run or if the first run comes back with no integrity violations. Use OPTION THREE of SFC /SCANNOW Command - System File Checker to provide us with the sfcdetails.txt file if errors occur.

    • Download and install Malwarebytes, update it, do not start the free trial, and then run a full scan. Also run a full scan with your antivirus software installed on your system. If you do not have antivirus software installed, see the Good and Free system security combination for better security steps and scanning tools. Make sure to update the security software before running the full scan.


  3. Posts : 32
    Windows 7 64-bit
    Thread Starter
       #3

    I removed the existing anti-virus as a troubleshooting step. Hopefully I mentioned that in my original post. They were using AVG 12. Also, I ran malwarebytes. I use the free edition, not the trial. What I did not make clear and/or didn't think was relevant is that after I tried every other step in my original message, I did reload ALL Microsoft updates including hardware. If no AV is present, those updates include the Windows AV program you mentioned. Not my favorite, but for troubleshooting, it is worth a temporary load.

    As to:

    KSecPkg ROOT\LEGACY_KSECPKG\0000 This device is disabled.
    NDProxy ROOT\LEGACY_NDPROXY\0000 This device is disabled.
    High Definition Audio Controller PCI\VEN_8086&DEV_1C20&SUBSYS_04921025&REV_05\3&11583659&0&D8 This device is disabled.

    I'm not sure how to troubleshoot these as I'm not sure what they are. Do you have any idea what KSecPkg or NDProxy are? I assume the High Definition Audio Controller is some minor sub-component as the sound works on this system. I was actually more concerned about the Drive errors that should have shown up on the captured event logs. While no diagnostics found any issue with the drive, it wouldn't be the first time a flakey drive has driven me to distraction.

    When you say "crashes point to a network related issue," what is your basis? Did you see a specific error or component that seemed like a problem? I'm going to run combofix on this system and see if a rootkit is at work, but I'm NOT seeing anything that would indicate that such as browser redirection, popups, etc. At this point, if the captured information isn't sufficient to help fix the specific problem, I'd rather spend the three hours that multiple SFC scans would take on a complete rebuild. It's a pain since these are greatly customized systems and take upwards of 5 or 6 hours from zero of the HD to a fully functional unit, so I'd obviously rather try to fix the specific problem.

    Would posting the actual memory.dmp file provide any additional information? I'm not familiar with how to analyze these files, but from what I've read, someone with knowledge of the process can discern quite a bit of information.

    Thanks in advance,

    Jeff


  4. Posts : 11,269
    Windows 7 Home Premium 64 Bit
       #4

    Jeffesmi said:
    As to:

    KSecPkg ROOT\LEGACY_KSECPKG\0000 This device is disabled.
    NDProxy ROOT\LEGACY_NDPROXY\0000 This device is disabled.
    High Definition Audio Controller PCI\VEN_8086&DEV_1C20&SUBSYS_04921025&REV_05\3&11583659&0&D8 This device is disabled.

    I'm not sure how to troubleshoot these as I'm not sure what they are. Do you have any idea what KSecPkg or NDProxy are? I assume the High Definition Audio Controller is some minor sub-component as the sound works on this system.
    KSecPkg is Kernel Security Support Provider Interface Packages provided as a critical Windows driver. The fact that it is disabled is concerning to say the least... It may also be contributing to the network related problems.

    NDProxy is another Windows system driver for interfaces between network drivers. Also may contribute to network issues if it is disabled.

    The High Definition Audio Controller is Intel based and is described as Intel Cougar Point (PCH) HD Audio Controller. If the user has chosen a PCI sound card over the onboard or is using the graphics/display card audio in its place, that may indicate why the Intel version is disabled.

    Jeffesmi said:
    I was actually more concerned about the Drive errors that should have shown up on the captured event logs. While no diagnostics found any issue with the drive, it wouldn't be the first time a flakey drive has driven me to distraction.
    I am currently more concerned with why system drivers are disabled. That really should be top priority as having system drivers disabled for any reason can lead to any number of crashes. Especially since this happens when "using the browse button or accessing network resource" which are network related activities...

    Jeffesmi said:
    When you say "crashes point to a network related issue," what is your basis? Did you see a specific error or component that seemed like a problem? I'm going to run combofix on this system and see if a rootkit is at work, but I'm NOT seeing anything that would indicate that such as browser redirection, popups, etc. At this point, if the captured information isn't sufficient to help fix the specific problem, I'd rather spend the three hours that multiple SFC scans would take on a complete rebuild. It's a pain since these are greatly customized systems and take upwards of 5 or 6 hours from zero of the HD to a fully functional unit, so I'd obviously rather try to fix the specific problem.
    Code:
    --------------------------------------------
    --------------------START-------------------
    --------------------------------------------
    Loading Dump File [C:\Users\BSODAnalyst\Downloads\Jeffesmi\070512-39967-01.dmp]
    
    Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
    
    System Uptime: 0 days 0:01:11.044
    
    BugCheck 1E, {ffffffffc0000005, fffff8800738ab80, 0, 0}
    
    Probably caused by : ksecdd.sys ( ksecdd!KsecProcessSecurityContext+293 )
    
    KMODE_EXCEPTION_NOT_HANDLED (1e)
    
    DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT
    
    PROCESS_NAME:  System
    
    STACK_TEXT:  
    fffff880`0738bce0 fffff880`014ba6a6 : 00000000`00000001 00000000`00000000 00000000`00000000 00000000`00000001 : ksecdd!KsecProcessSecurityContext+0x293
    fffff880`0738bde0 fffff880`018c5af4 : 00000000`00000000 00000000`00000000 fffffa80`084a0e00 00000000`00000000 : ksecdd!InitializeSecurityContextW+0x66
    fffff880`0738be40 fffff880`018c697e : 00000000`0001ac0b 00000000`0001ac0b 00000000`00000100 01cd5ac0`cbbad928 : tcpip!WfpAlepCreateTokenFromLogonId+0x1c4
    fffff880`0738bf60 fffff880`018c5872 : fffffa80`0849fb70 fffffa80`084a0ed0 fffffa80`0849fb70 fffffa80`0849b010 : tcpip!WfpAleCreateTokenFromLogonId+0x2e
    fffff880`0738bfe0 fffff880`018c5ee5 : 00000000`00000000 fffffa80`084a0ed0 00000000`00000000 fffffa80`0849fb70 : tcpip!WfpAlepSetSecurity+0x282
    fffff880`0738c0b0 fffff880`018e6800 : 00000000`00004800 00000000`00000002 00000000`0000fffc fffffa80`08337cf0 : tcpip!WfpAleProcessSecureSocketControl+0xa5
    fffff880`0738c240 fffff880`018e5fd7 : 00000000`00000000 fffffa80`0849b1b8 fffff880`0738c4b0 80000800`00000000 : tcpip!TcpSetSockOptEndpoint+0x150
    fffff880`0738c340 fffff800`02cd4e48 : 00000000`00000000 fffff880`02ef6982 fffffa80`08337da0 fffffa80`08337cf0 : tcpip!TcpTlEndpointIoControlEndpointCalloutRoutine+0x107
    fffff880`0738c3a0 fffff880`018e6060 : fffff880`018e5ed0 ffff0000`06a533ed fffff880`02ef6900 fffffa80`07ff7e01 : nt!KeExpandKernelStackAndCalloutEx+0xd8
    fffff880`0738c480 fffff880`02f4f418 : fffffa80`0820f901 fffffa80`06a24e20 fffff880`0738c5d0 00000000`00000000 : tcpip!TcpTlEndpointIoControlEndpoint+0x70
    fffff880`0738c4f0 fffff880`02f52db2 : fffffa80`0820f901 fffff880`0738c5d0 fffffa80`07ff7ec0 fffff880`0738c5e0 : afd!WskTdiTLIoControl+0x48
    fffff880`0738c520 fffff880`02ee8056 : fffffa80`0820f940 00000000`00000000 fffffa80`0820f901 fffffa80`0820f950 : afd!WskTdiTLRequestIoControlEndpoint+0xb2
    fffff880`0738c5b0 fffff880`02ee76e0 : 00000000`980000c8 00000000`00000000 fffffa80`06a24e20 fffffa80`0810fcb0 : afd!WskProTLControlRequest+0x136
    fffff880`0738c640 fffff880`02ee7afb : 00000000`00000000 fffffa80`06a24e20 fffffa80`0810fcb0 fffff800`02e66a28 : afd!WskProControlSocketCore+0x110
    fffff880`0738c6c0 fffff880`03a0a6c0 : 00000000`00000468 00000000`00000000 00000000`00000000 00000000`000007ff : afd!WskProAPIControlSocket+0x9b
    fffff880`0738c730 fffff880`03a09de6 : 00000000`00000001 fffff880`02ef9400 00000000`00000000 00000000`00000700 : mrxsmb!SmbWskSetSocketOptions+0x1f0
    fffff880`0738c7f0 fffff880`03a02082 : fffffa80`079a4f50 fffffa80`08022d01 00000000`00000080 fffffa80`079a4f50 : mrxsmb!SmbWskInitiateAsynchronousConnect+0x1a6
    fffff880`0738c940 fffff880`03a083a9 : 00000000`00000000 00000000`00000003 fffffa80`08022d40 00000000`00000000 : mrxsmb!RxCeInitiateConnectRequest+0x52
    fffff880`0738c970 fffff880`03a08ba5 : fffff880`03a1cf00 fffffa80`08022d40 fffff880`02e86110 00000000`aaaaaaaa : mrxsmb!RxCeBuildConnectionOverMultipleTransports+0x659
    fffff880`0738cb00 fffff880`02e6c1b1 : fffff880`02e874a8 00000000`00000080 fffff880`02e86110 fffffa80`08022de0 : mrxsmb!RxCeInitiateConnection+0x151
    fffff880`0738cb40 fffff800`02f5fe6a : fffff880`02e874a8 fffff880`02e878f8 fffff880`0738cc00 fffffa80`083da300 : rdbss!RxpWorkerThreadDispatcher+0x1a1
    fffff880`0738cc00 fffff800`02cb9ec6 : fffff880`03165180 fffffa80`083da300 fffffa80`08029a00 00000000`00000202 : nt!PspSystemThreadStartup+0x5a
    fffff880`0738cc40 00000000`00000000 : fffff880`0738d000 fffff880`07387000 fffff880`0738abe0 00000000`00000000 : nt!KiStartSystemThread+0x16
    
    
    FAILURE_BUCKET_ID:  X64_0x1e_c0000005_ksecdd!KsecProcessSecurityContext+293
    
    --------------------------------------------
    ---------------------END--------------------
    --------------------------------------------
    Above, I have provided the crash analysis I looked at to determine the problems. As you can see, the crash says it was probably caused by ksecdd.sys, a driver very similar in name to one of the disabled drivers above. A clue, perhaps, that the disabled driver is causing crashes... What signifies that it is network based is the stack. If you scroll down in the code, I have highlighted in blue the network drivers on the stack. tcpip.sys, afd.sys, and mrxsmb.sys are all network related drivers.

    Jeffesmi said:
    Would posting the actual memory.dmp file provide any additional information? I'm not familiar with how to analyze these files, but from what I've read, someone with knowledge of the process can discern quite a bit of information.
    The memory.dmp file is not necessary at this time. The information given seems to clearly implicate those disabled drivers as the issue. You should enable those drivers through device manager ASAP. If they were disabled through device manager -> Start Menu -> Right click Computer -> Manage -> Device Manager from the list on the left.

    You may need Device Manager : Hidden Devices to enable them.


    If for some reason you are unable to enable the drivers, you need to run a sfc /scannow up to three times as described in my previous post.
    Last edited by writhziden; 07 Jul 2012 at 11:19.
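
Added example, not part of the original thread or any poster's tooling: a small Python parser that performs the reading reply #4 describes, taking the bugcheck line and STACK_TEXT and reporting the faulting frame plus the order of modules on the stack. The sample input is an excerpt of the output posted above; the function names and the summary layout are illustrative assumptions.

```python
import re

# Excerpt of the WinDbg output posted in reply #4, trimmed to seven frames.
SAMPLE = """\
BugCheck 1E, {ffffffffc0000005, fffff8800738ab80, 0, 0}
STACK_TEXT:
fffff880`0738bce0 fffff880`014ba6a6 : 00000000`00000001 00000000`00000000 00000000`00000000 00000000`00000001 : ksecdd!KsecProcessSecurityContext+0x293
fffff880`0738bde0 fffff880`018c5af4 : 00000000`00000000 00000000`00000000 fffffa80`084a0e00 00000000`00000000 : ksecdd!InitializeSecurityContextW+0x66
fffff880`0738be40 fffff880`018c697e : 00000000`0001ac0b 00000000`0001ac0b 00000000`00000100 01cd5ac0`cbbad928 : tcpip!WfpAlepCreateTokenFromLogonId+0x1c4
fffff880`0738c4f0 fffff880`02f52db2 : fffffa80`0820f901 fffff880`0738c5d0 fffffa80`07ff7ec0 fffff880`0738c5e0 : afd!WskTdiTLIoControl+0x48
fffff880`0738c730 fffff880`03a09de6 : 00000000`00000001 fffff880`02ef9400 00000000`00000000 00000000`00000700 : mrxsmb!SmbWskSetSocketOptions+0x1f0
fffff880`0738cb40 fffff800`02f5fe6a : fffff880`02e874a8 fffff880`02e878f8 fffff880`0738cc00 fffffa80`083da300 : rdbss!RxpWorkerThreadDispatcher+0x1a1
fffff880`0738cc00 fffff800`02cb9ec6 : fffff880`03165180 fffffa80`083da300 fffffa80`08029a00 00000000`00000202 : nt!PspSystemThreadStartup+0x5a
"""

# Only the exception code that appears in this thread is named here.
NTSTATUS_NAMES = {0xC0000005: "STATUS_ACCESS_VIOLATION"}
# The drivers reply #4 identifies as network related.
NETWORK_MODULES = {"tcpip", "afd", "mrxsmb"}

# child-sp, return address, four arguments, then module!function+0xoffset
FRAME_RE = re.compile(
    r"^[0-9a-f]{8}`[0-9a-f]{8}\s+[0-9a-f]{8}`[0-9a-f]{8}\s+:.*:\s+"
    r"(?P<mod>[^!\s]+)!(?P<func>[^+\s]+)(?:\+0x(?P<off>[0-9a-f]+))?$",
    re.IGNORECASE,
)


def parse_bugcheck(text):
    """Return (code, [parameters]) from the 'BugCheck' line, or None."""
    m = re.search(r"BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}", text)
    if not m:
        return None
    params = [int(p.strip(), 16) for p in m.group(2).split(",")]
    return int(m.group(1), 16), params


def parse_frames(text):
    """Return [(module, function, offset)], faulting frame first."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append((m["mod"].lower(), m["func"], int(m["off"] or "0", 16)))
    return frames


def module_path(frames):
    """Collapse consecutive frames from one module into a single entry."""
    path = []
    for mod, _func, _off in frames:
        if not path or path[-1] != mod:
            path.append(mod)
    return path


def summarize(text):
    parsed, frames = parse_bugcheck(text), parse_frames(text)
    if parsed is None or not frames:
        raise ValueError("no BugCheck line or no stack frames found")
    code, params = parsed
    path = module_path(frames)
    summary = {
        "bugcheck": code,
        "top_frame": "%s!%s" % frames[0][:2],
        "module_path": path,
        "network_modules": [m for m in path if m in NETWORK_MODULES],
    }
    if code == 0x1E and len(params) >= 2:
        # For bugcheck 0x1E, parameter 1 is the sign-extended NTSTATUS of the
        # unhandled exception and parameter 2 is the address where it was raised.
        status = params[0] & 0xFFFFFFFF
        summary["exception"] = NTSTATUS_NAMES.get(status, hex(status))
        summary["exception_address"] = params[1]
    return summary


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, value)
```

Read top to bottom, the module path shows the order of callers: the SMB redirector (rdbss, mrxsmb) opens a socket through afd and tcpip, which calls into ksecdd, where the access violation is raised.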


  5. Posts : 5,705
    Win7 x64 + x86
       #5

    Microsoft system drivers are disabled.
    KSecPkg is related to kernel security
    NDProxy is the NDIS Proxy driver

    So, you either have an infection, the remnants of damage caused by an infection, or a corrupted OS.
    SFC.EXE may not be able to fix this as it's involved with devices associated with these drivers.

    I suggest (as writhziden has stated) locating the devices for these drivers. Once found, make a System Restore point (just in case) - then uninstall these devices (right click..."Uninstall"). Then reboot - and if the disabled devices are gone, then try SFC.EXE /SCANNOW
    ******************************************************************
    Also, the Event Viewer logs show an amazing number of Event ID 41 errors on 5 July (the system shut down unexpectedly). Was this due to the errors, or was it due to manually forcing shutdowns?

    The Event ID 41 error previously was from 18 June and earlier. Most Event ID 41 errors are (IME) hardware based.

    Looks like you're also having many, many issues with BZVA.exe - most likely from ADP's WebSuite program.
    Please remove it while we're troubleshooting (use another computer for payroll temporarily).

    Finally, I researched the STOP 0x1E errors myself back in 2009 and found that they could just as easily be due to hardware as it could be due to drivers. Here's the results of my research: BSOD Index - STOP 0x1E

    I suspect either your memory or your network card.

    As for memory tests, please try these: Hardware Diagnostics
    Start with MemTest86+, then move to Prime95. Also try the video tests to see if video memory could be involved.

    As for the network card, the easiest test is to try another one. If the current NIC is built into the mobo, disable it in the BIOS before trying another card.


  6. Posts : 32
    Windows 7 64-bit
    Thread Starter
       #6

    Thanks guys. All GREAT information. I went into the devices and they were indeed disabled, but when I tried to enable them it said that they could not be enabled. I'm running combofix right now to look for malicious programs. It's not perfect, but between AVG, Malwarebytes, and Combofix, if none of them are picking anything up, I think it's a good bet that it's not caused by a current infection. The machine was put in just a couple of months ago or less and the woman who uses it does not seem to get into trouble with inappropriate web sites. I'll try Combofix, swapping the memory out, the NIC, and maybe uninstalling those devices as suggested by usasma, but I have tried SFC dozens of times in many different situations, and it has NEVER actually fixed anything while on several occasions making things worse. I hate to waste the time associated with SFC since it has been so ineffective for me in the past. In general, when I get to the point where I'd run SFC, I now just start a backup and system rebuild as that has a MUCH greater chance of success in my experience. If it was my own machine and not a critical system at work, I'd play with it weeks if need be, but it not only does payroll, but several critical ADP functions, so it cannot be easily experimented on.

    Thanks again for all the help. I'll update this when I get back into the office and try the things we discussed. I'm in remotely right now doing combofix. Hopefully it doesn't get hosed up during combofix because I have no way of getting into the office on Sunday.

    Jeff


  7. Posts : 5,705
    Win7 x64 + x86
       #7

    FWI - I'd not mess with enabling those devices as you don't know what they do. If they are malware, then it's a huge problem with an internet connected system that handles payroll!

    Please note that I said memory NOT RAM - that includes different memory structures throughout the system (to include CPU cache, memory controller (both stressed by using Prime95) along with video RAM). Any of these can cause STOP 0x1E errors.

    As for SFC.EXE, it does work occasionally. I've never had it mess up a system on me and I run it several times a week at work. Just yesterday I had the very first instance (that I can recall) of SFC fixing things without requiring any intervention on my part (it fixed a dbghelp.dll error on a new system that was preventing us from installing Microsoft Office).

    But, since this is a production environment, it may be easier (and quicker) to backup, wipe the hard drive, and then reinstall Windows and all apps. Have you thought of making rotating images of this system for a backup? That way you can easily restore it and all the apps?


  8. Posts : 32
    Windows 7 64-bit
    Thread Starter
       #8

    Well, COMBOFIX locked up and I don't have access during the weekend. Today, when I went in, the system was frozen on the desktop with no icons showing. I had to do a hard power cycle. Once it came back up, I repaired .net framework. Combofix always does something to the .net framework that requires unloading and reloading it. I checked the combofix log and it didn't indicate that anything had been detected or deleted, but since it locked up somewhere in the process, it's possible that it removed something and did not record it in the log before the system locked up. After fixing .net, I tested the adp applications and they worked. Then I tried to force the BSOD again. I COULD NOT GET IT TO BSOD!!! Since the logs were incomplete from COMBOFIX, I figure it has to be one of the following that caused it/fixed it:
    • Malicious software of one sort or another that was removed by combofix and just not logged
    • Corrupted .net software that was fixed when .net was removed and reinstalled
    • Some as of yet undetected hardware issue
    I had come prepared with new memory chips, a network card, and a stack of DVDs to create the recovery disks on, but didn't end up needing anything but the DVDs. I created a full recovery disk set and full Windows Image backup of the system in case it is a hardware problem and the failure reoccurs. At the end, I ran a CHKDSK /F since I had to do a hard power cycle.

    Thanks for all the help guys. Can anyone who looked at the info I posted give me an idea of whether it's possible that the .net framework was causing the problem?

    Also of note, the disabled devices were enabled when I went to look at them except the audio component and I enabled that just to see what would happen. I'm fairly confident that the problem is fixed. Wish I knew for sure what caused it, but "such is life."

    Thanks,

    Jeff


  9. Posts : 32
    Windows 7 64-bit
    Thread Starter
       #9

    usasma said:
    FWI - I'd not mess with enabling those devices as you don't know what they do. If they are malware, then it's a huge problem with an internet connected system that handles payroll!
    Good Point.

    usasma said:
    Please note that I said memory NOT RAM - that includes different memory structures throughout the system (to include CPU cache, memory controller (both stressed by using Prime95) along with video RAM). Any of these can cause STOP 0x1E errors.
    Since it wasn't happening under stress, I didn't consider this. Also, since it was happening consistently on a particular operation, but this was not changed by what was or was not loaded, I feel that specific memory problems could be excluded other than maybe a corrupted file on a hard disk sector which would explain the issue quite well. As I said in my earlier post, I did bring memory with me today as I try to never discount anything since "There are more things in heaven and earth, than are dreamt of..."

    usasma said:
    As for SFC.EXE, it does work occasionally. I've never had it mess up a system on me and I run it several times a week at work. Just yesterday I had the very first instance (that I can recall) of SFC fixing things without requiring any intervention on my part (it fixed a dbghelp.dll error on a new system that was preventing us from installing Microsoft Office).

    But, since this is a production environment, it may be easier (and quicker) to backup, wipe the hard drive, and then reinstall Windows and all apps. Have you thought of making rotating images of this system for a backup? That way you can easily restore it and all the apps?
    So I shouldn't give up on SFC huh? I guess I'll keep it in my last resort bag of tricks. I had one time that I removed a virus from a system and the system was unstable afterwards, so I ran SFC on the system and about halfway through the virus poked its head up through and crashed the SFC scan. Somehow, SFC had reactivated the virus. I wasn't able to boot the system after that, so I just booted to a PE disk, backed everything up, zeroed the hard disk, and rebuilt it from the ground up. Since then, I've marked SFC off my bag of tricks. I'll put it back in, but way towards the back. :)

    Thanks so much for your input. It's help from pros like the people on this forum that makes it such a valuable resource.

    Jeff


  10. Posts : 32
    Windows 7 64-bit
    Thread Starter
       #10

    Haven't heard a peep from them since the combofix & .net repair. {crossing fingers} I'm marking this solved. You guys are the best. Now I've got to upload another BSOD. Same type of situation. New computer. Worked for several days after install, then BOOM, BSOD! I'll post it up on a new thread.

    Thanks & Best Wishes,

    Jeff


 

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.
