random lock ups


  1. Posts : 17
    win7 64bit ultimate
       #1

    random lock ups


    I've lurked and skimmed these forums for a couple of years and gotten a few questions answered very quickly and efficiently. So I thought I'd give you guys another go for a crash issue that has come up.

    For the past few weeks since this new microATX build I have been having the system lock up at random times. It never does it while I'm actively using the system, only while it's left on and to its own devices. I come back after X amount of hours and find that the screen saver has locked up. I've tried disabling said screen saver and have come back to just a black screen that won't respond.

    After about a week of this the Asus mobo simply wouldn't boot up any more. Reseated peripherals, reloaded UEFI bios to factory default safe BIOS, tried known working bits of hardware, no go. So I did an RMA and got a new motherboard. About 3 weeks later it's started to happen again.

    New investigations led me to believe it was a faulty data drive and cd rom drive as windows had a rather large amount of disk and atapi errors. I've replaced those and the lockups have continued.

    This is all on a fairly fresh win7 64bit ultimate install that is not even 2 months old. I've looked at the crash mini dump but the only semi useful thing I'm getting is that it "might" be ntoskrnl.exe causing the issue.

    I thought you guys might be able to take a look at the gathered logs and find something that I've missed.

    system specs:
    mobo: ASUS P8Z77-M LGA 1155 Intel Z77-M LGA 1155
    cpu: Intel Core i7-3770 Ivy Bridge 3.4ghz (not overclocked)
    cooler: Zalman CNPS9500A 92mm copper monstrosity
    wifi card: TP-LINK TL-WDN4800 Dual Band
    psu: Cooler Master Silent Pro M2 RS620-SPM2E3-US 620
    RAM: g.skill Ares Series 16gb DDR3 1866 (2x8gb) (not overclocked)
    hdd: WD Scorpio Black WD7500BPKT (Data drive)
    ssd: Crucial m4 256gb 6gb/s CT256M4SSD2 (os drive)


    Any help at all would be greatly appreciated.

    Moo


  2. Arc
    Posts : 35,373
    Microsoft Windows 10 Pro Insider Preview 64-bit
       #2

    The BSOD crash dumps are kinda old. But one finding out of them may be useful .....
    Code:
    fffff880`0331ada8  fffff880`04496684Unable to load image \SystemRoot\system32\DRIVERS\avgtdia.sys, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for avgtdia.sys
    *** ERROR: Module load completed but symbols could not be loaded for avgtdia.sys
     avgtdia+0x3684
    So once AVG had some important bearing in the BSODs (31.03.2013).

    AVG is still playing some role there, see two consecutive events ......
    AVG starts ....
    Code:
    Event[422]:
      Log Name: System
      Source: Microsoft-Windows-FilterManager
      Date: 2013-05-21T23:11:00.952
      Event ID: 6
      Task: N/A
      Level: Information
      Opcode: Info
      Keyword: N/A
      User: S-1-5-18
      User Name: NT AUTHORITY\SYSTEM
      Computer: Cell
      Description: 
    File System Filter 'Avgmfx64' (6.1, 2013-02-07T22:14:48.000000000Z) has successfully loaded and registered with Filter Manager.
    Restart report.
    Code:
    Event[423]:
      Log Name: System
      Source: EventLog
      Date: 2013-05-21T23:11:06.000
      Event ID: 6008
      Task: N/A
      Level: Error
      Opcode: N/A
      Keyword: Classic
      User: N/A
      User Name: N/A
      Computer: Cell
      Description: 
    The previous system shutdown at 10:48:51 AM on 5/20/2013 was unexpected.
    So better you stop using AVG; at least as a test. AVG is a known crapware. It does not give you real real-time protection, but always makes your system crash prone, by blocking network and storage access.

    Uninstall AVG using AVG Remover. Use Microsoft Security Essentials as your antivirus with windows inbuilt firewall, and free MBAM as the on demand scanner.
    Download, install and update those, and then run full system scans with both of them, one by one.

    The network driver itself is old, too.
    Code:
    fffff880`05307000 fffff880`053ba000   Rt64win7   (deferred)             
        Image path: \SystemRoot\system32\DRIVERS\Rt64win7.sys
        Image name: Rt64win7.sys
        Timestamp:        Tue Jun 12 19:30:29 2012 (4FD74B7D)
        CheckSum:         000B8CFC
        ImageSize:        000B3000
        Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
    Update it from Realtek; get the Win7 and WinServer 2008 R2 Auto Installation Program (SID:1568649), dated 2013/3/26.

    Let us know the results.
    _____________________________________________________________________________
    BSOD ANALYSIS:
    Code:
    BugCheck 101, {19, 0, fffff88003502180, 6}
    
    *** WARNING: Unable to verify timestamp for Rt64win7.sys
    *** ERROR: Module load completed but symbols could not be loaded for Rt64win7.sys
    Probably caused by : Unknown_Image ( ANALYSIS_INCONCLUSIVE )
    
    Followup: MachineOwner
    -------------------------------------------------------------------------------------
    BugCheck 1E, {ffffffffc0000005, 0, 8, 0}
    
    Probably caused by : ntkrnlmp.exe ( nt!KiDispatchException+1b9 )
    
    Followup: MachineOwner
    ---------


  3. Posts : 17
    win7 64bit ultimate
    Thread Starter
       #3

    Arc,
    Thanks for the parsing of the dump files, I kept getting Symbols Missing messages even though I had installed all the packages I could find and pointed WinDbg at them.
    I'm quite annoyed that the issue might be AVG, I've never had a problem with it before but if it is the culprit then I'll just have to find something else. I've removed it and installed MS Security.

    The RealTek network card I don't even use since I have the TP-Link wifi so I've disabled that device entirely. Do I still need to try and update the driver even though it's disabled in Device Manager?

    Now it's just a waiting game. The time between the last two hangups was over 2 weeks. I'll update with my findings after a week.

    Thanks again!

    Moo


  4. Arc
    Posts : 35,373
    Microsoft Windows 10 Pro Insider Preview 64-bit
       #4

    Best of luck :)


  5. Posts : 17
    win7 64bit ultimate
    Thread Starter
       #5

    It looks like removing AVG and disabling that NIC driver didn't help. I came home today to find that the system had locked up again just like it has been.

    I went through the event and application logs but nothing really stood out there. For some reason there was no minidump created this time, though. No new .dmp files anywhere on the system. I have attached the new SF Tool gathered info in case it might contain something useful.


  6. Arc
    Posts : 35,373
    Microsoft Windows 10 Pro Insider Preview 64-bit
       #6

    From the data you updated ..... AVG is still present there, and playing some foul role.
    Event[1250]:
    Log Name: System
    Source: Microsoft-Windows-FilterManager
    Date: 2013-05-24T17:35:35.403
    Event ID: 6
    Task: N/A
    Level: Information
    Opcode: Info
    Keyword: N/A
    User: S-1-5-18
    User Name: NT AUTHORITY\SYSTEM
    Computer: Cell
    Description:
    File System Filter 'avgtp' (6.1, 2013-05-07T07:38:19.000000000Z) has successfully loaded and registered with Filter Manager.

    Event[1251]:
    Log Name: System
    Source: EventLog
    Date: 2013-05-24T17:35:38.000
    Event ID: 6008
    Task: N/A
    Level: Error
    Opcode: N/A
    Keyword: Classic
    User: N/A
    User Name: N/A
    Computer: Cell
    Description:
    The previous system shutdown at 1:29:02 AM on 5/24/2013 was unexpected.
    AVG loaded and system restarted unexpectedly.

    Also, I suggested that you update the network driver.

    Another event ....
    Event[1255]:
    Log Name: System
    Source: Microsoft-Windows-Kernel-Power
    Date: 2013-05-24T17:35:35.481
    Event ID: 41
    Task: N/A
    Level: Critical
    Opcode: Info
    Keyword: N/A
    User: S-1-5-18
    User Name: NT AUTHORITY\SYSTEM
    Computer: Cell
    Description:
    The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
    Disable sleep. Check whether the Power Supply Unit (PSU) is supplying adequate power to the computer or not.
    eXtreme Power Supply Calculator
    At least 30% excess is safe.

    Heat is also a thing to suspect ....
    Event[1257]:
    Log Name: System
    Source: Microsoft-Windows-Kernel-Power
    Date: 2013-05-24T17:35:36.401
    Event ID: 89
    Task: N/A
    Level: Information
    Opcode: Info
    Keyword: N/A
    User: S-1-5-18
    User Name: NT AUTHORITY\SYSTEM
    Computer: Cell
    Description:
    ACPI thermal zone ACPI\ThermalZone\TZ00 has been enumerated.
    _PSV = 0K
    _TC1 = 0
    _TC2 = 0
    _TSP = 0ms
    _AC0 = 358K
    _AC1 = 328K
    _AC2 = 273K
    _AC3 = 273K
    _AC4 = 273K
    _AC5 = 0K
    _AC6 = 0K
    _AC7 = 0K
    _AC8 = 0K
    _AC9 = 0K
    _CRT = 379K
    _HOT = 0K
    _PSL - see event data.
    Is the computer hot? Report to us the heat of the computer after a couple of hours of your normal usage. Upload a screenshot of the Summary tab of Speccy.
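
Added example, not part of any post in this thread: a Python parser for the text event export quoted above that lists which file system filters registered during each boot that followed an unclean shutdown. The sample log is constructed from the values quoted in post #6, and the function names are this example's own.

```python
import re
from datetime import datetime

# Constructed sample in the text layout quoted in the thread (values from post #6).
SAMPLE = """\
Event[1250]:
  Source: Microsoft-Windows-FilterManager
  Date: 2013-05-24T17:35:35.403
  Event ID: 6
  Description:
File System Filter 'avgtp' (6.1, 2013-05-07T07:38:19.000000000Z) has successfully loaded and registered with Filter Manager.
Event[1251]:
  Source: EventLog
  Date: 2013-05-24T17:35:38.000
  Event ID: 6008
  Description:
The previous system shutdown at 1:29:02 AM on 5/24/2013 was unexpected.
Event[1255]:
  Source: Microsoft-Windows-Kernel-Power
  Date: 2013-05-24T17:35:35.481
  Event ID: 41
  Description:
The system has rebooted without cleanly shutting down first.
"""
FILTER_RE = re.compile(r"File System Filter '([^']+)'")
UNCLEAN = {("EventLog", 6008), ("Microsoft-Windows-Kernel-Power", 41)}

def parse_events(text):
    events = []
    for block in re.split(r"(?m)^[ \t]*Event\[\d+\]:[ \t]*$", text)[1:]:
        head, _, desc = block.partition("Description:")
        f = dict(re.findall(r"(?m)^[ \t]*([\w ]+?):[ \t]*(.*?)[ \t]*$", head))
        events.append({"source": f.get("Source", ""), "id": int(f.get("Event ID", 0)),
                       "time": datetime.fromisoformat(f["Date"]), "text": " ".join(desc.split())})
    return events

def filters_loaded(events):
    # (time, name) for every file system filter that registered (FilterManager event ID 6).
    return [(e["time"], m.group(1)) for e in events if e["id"] == 6 and
            e["source"] == "Microsoft-Windows-FilterManager" and (m := FILTER_RE.search(e["text"]))]

def unclean_boots(events, window_s=60):
    # 6008 and Kernel-Power 41 are written at the next startup: this lists what still
    # loads at boot after an unclean shutdown, not what caused the hang.
    marks = sorted(e["time"] for e in events if (e["source"], e["id"]) in UNCLEAN)
    boots = [t for i, t in enumerate(marks) if i == 0 or (t - marks[i - 1]).total_seconds() > window_s]
    loads = filters_loaded(events)
    return [(b, sorted({n for t, n in loads if abs((t - b).total_seconds()) <= window_s})) for b in boots]

print(unclean_boots(parse_events(SAMPLE)))
```

Run against a full export taken after an uninstall, a filter name from the removed product appearing in the result means its driver is still registered and loading at boot.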


  7. Posts : 17
    win7 64bit ultimate
    Thread Starter
       #7

    Arc,

    I used the AVG Remover you linked to, however when I checked IE and Chrome for addons the AVG Secure Search was still there. I tried the uninstall.exe located in its folder but that simply didn't run, no entries at all showed up in task manager. Tried to delete the folder and couldn't. I ended up having to use HijackThis to get rid of it. The folder is now gone and no entries for it show up in IE or Chrome.

    I also checked the power reqs on the link you put, they're suggesting at least 482 watts and I have a 620watt installed, so I think I'm safe there.

    My apologies for not upgrading the RealTEK Driver. I wasn't 100% certain which driver you were advising as the information you gave isn't matching any of the download options.
    You advised
    "Update it from Realtek ; get the Windows 7 and WinServer 2008 R2 Auto Installation Program (SID:1568649), dated 2013/3/26. "
    Win7 and WinServer 2008 R2 Driver 7.072 2013/5/22 849k UK1 CN US1 US2 US3 HK1

    This one matches the name but not the SID nor the date
    Win7 and WinServer 2008 R2 Auto Installation Program (SID:1581786)
    7.072 2013/5/22 5931k UK1 CN US1 US2 US3 HK1

    Name matches but not the SID or Date
    Vista and WinServer 2008 Auto Installation Program (SID:1568647)
    6.252 2013/3/28 5807k UK1 CN US1 US2 US3 HK1

    This one matches the date but no SID and the name doesn't match.
    Vista and WinServer 2008 Driver
    6.252 2013/3/26 738k UK1 CN US1 US2 US3 HK1"
    ===
    I'll be happy to update the driver, I just want to know which one. Or am I being just completely and utterly blind here??

    I have SPECCY installed and running currently. No gaming or anything other than general web usage has occurred while the summary info was gathered and I have attached a screen shot of the summary page.

    Hopefully it was just AVG causing the issue. I have to say though that I'm rather annoyed that it's caused so many issues. All these years I've used it without any incident and suggesting it to friends and now it's turned into this bloatware thing. Meh.

    Thanks again. :)

    moo


  8. Posts : 17
    win7 64bit ultimate
    Thread Starter
       #8

    Joy, another lock up. Logs are attached. Not sure if AVG is involved now with some hidden DLL being referenced or not. This is getting to be a bit too frequent. Definitely frustrating and still the only dmp files found are the original two.

    I went ahead and installed this RealTek driver since it was the most recent. "Win7 and WinServer 2008 R2 Auto Installation Program (SID:1581786)" and I figured that was likely the one being referred to.

    Wondering if at this point I shouldn't just do a clean wipe of the OS and start from scratch. All these crashes can't be good for it. At least there are no HDD errors at this point.

    **Edit*** Just wanted to say thanks again for helping with this.
    Last edited by bovine; 25 May 2013 at 22:02. Reason: Thanks


  9. Posts : 17
    win7 64bit ultimate
    Thread Starter
       #9

    ***Edit 2***
    I did some digging in the registry and found a reference to the avgtp service in HKLM\System\ControlSet001\Enum\Root\Legacy_AVGTP\0000. From here I went to Services but found no reference to AVG insofar as a service loading on system boot. In this same hive I'm seeing numerous entries for legacy_AVG(whatevertexthere). I added a screenshot of this section of the registry.


  10. Posts : 17
    win7 64bit ultimate
    Thread Starter
       #10

    I had another crash about an hour ago. Checked the logs and found another entry for avgtp loading and then crashing the system. I then went back to the registry and tried to remove one of the AVG keys but they are all locked, I can't delete them. Expanding a couple of them I found they are talking about "legacy drivers" and "root kit detectors". This revived a memory about an old DRM software that functioned as a rootkit and would basically hork people's systems. The only way you'd know it was there was by going into device manager and showing Hidden Devices. So I checked on this system and lo and behold, there is AVGTP in hidden devices. So I removed it and now to wait and see if it crashes again.

    I tried the AVG Remover Tool again but its own log says that when it attempts to remove all the above keys it fails to do so. I'm not quite sure how to grant it enough permissions to be able to remove the keys, running it as Administrator doesn't do it. The keys are locked down to "system" level when I look at the permissions and I can't take ownership of them.


 

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

All times are GMT -5.