Windows Failed To Load

**cluberti** · 29 Aug 2010

At 1.7K, there's no way that .zip file contains dumps. You might want to try again.

alicenchainz · 30 Aug 2010

Sorry bout that had trouble getting the file to copy and paste properly. Hopefully this time it will work.

CarlTR6 · 11 Sep 2010

I apologize for being so late in seeing this. I was away most of last week.

Error code F7, DRIVER_OVERRAN_STACK_BUFFER - usually caused by Device driver, Malware.

Error code A, IRQL_NOT_LESS_OR_EQUAL - usually caused by Kernel mode driver, System Service, BIOS, Windows, Virus scanner, Backup tool, compatibility.

Code:

Kernel base = 0xfffff800`02e62000 PsLoadedModuleList = 0xfffff800`0309fe50
Debug session time: Mon Aug 30 12:03:08.173 2010 (GMT-4)
System Uptime: 0 days 0:00:09.952
Loading Kernel Symbols
...............................................................
...................
Loading User Symbols
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck A, {0, 2, 0, fffff80002ef2183}

Unable to load image nvlddmkm.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for nvlddmkm.sys
*** ERROR: Module load completed but symbols could not be loaded for nvlddmkm.sys
Probably caused by : Pool_Corruption ( nt!ExFreePool+d4d )

Followup: Pool_corruption
---------

2: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 0000000000000000, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, bitfield :
    bit 0 : value 0 = read operation, 1 = write operation
    bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff80002ef2183, address which referenced memory

Debugging Details:
------------------


READ_ADDRESS: GetPointerFromAddress: unable to read from fffff8000310a0e0
 0000000000000000 

CURRENT_IRQL:  2

FAULTING_IP: 
nt!IopCompleteRequest+ae3
fffff800`02ef2183 488b09          mov     rcx,qword ptr [rcx]

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0xA

PROCESS_NAME:  System

IRP_ADDRESS:  ffffffffffffff89

TRAP_FRAME:  fffff88002f68880 -- (.trap 0xfffff88002f68880)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff88002f68f80 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80002ef2183 rsp=fffff88002f68a10 rbp=fffff88002f68b60
 r8=fffff88002f68b18  r9=fffff88002f68b10 r10=0000000000000002
r11=fffff80002ef16a0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe cy
nt!IopCompleteRequest+0xae3:
fffff800`02ef2183 488b09          mov     rcx,qword ptr [rcx] ds:00000000`00000000=????????????????
Resetting default scope

LOCK_ADDRESS:  fffff800030d6400 -- (!locks fffff800030d6400)

Resource @ nt!PiEngineLock (0xfffff800030d6400)    Available

WARNING: SystemResourcesList->Flink chain invalid. Resource may be corrupted, or already deleted.


WARNING: SystemResourcesList->Blink chain invalid. Resource may be corrupted, or already deleted.

1 total locks

PNP_TRIAGE: 
    Lock address  : 0xfffff800030d6400
    Thread Count  : 0
    Thread address: 0x0000000000000000
    Thread wait   : 0x0

LAST_CONTROL_TRANSFER:  from fffff80002ed1b69 to fffff80002ed2600

STACK_TEXT:  
fffff880`02f68738 fffff800`02ed1b69 : 00000000`0000000a 00000000`00000000 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffff880`02f68740 fffff800`02ed07e0 : fffffa80`056f66e0 fffff980`02950ee0 00000000`00000004 fffff880`1490c228 : nt!KiBugCheckDispatch+0x69
fffff880`02f68880 fffff800`02ef2183 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiPageFault+0x260
fffff880`02f68a10 fffff800`02eaefcf : 00000000`00000001 00000000`00000000 00000000`00000000 fffff800`00000000 : nt!IopCompleteRequest+0xae3
fffff880`02f68ae0 fffff800`02eaf387 : 00000000`00000120 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiDeliverApc+0x1d7
fffff880`02f68b60 fffff800`03366df6 : 00000000`00000120 00000000`00000000 00000000`0000000d fffff800`02f95b6b : nt!KiApcInterrupt+0xd7
fffff880`02f68cf0 fffff800`0336d295 : 00000000`00000120 fffff880`02f6a000 00000000`00000000 00000000`00000801 : nt!VfDeadlockDeleteMemoryRange+0x36
fffff880`02f68d70 fffff800`0336dca5 : fffff8a0`004ccc60 00000000`00000012 00000000`00000001 00000000`00000003 : nt!VfFreeMemoryNotification+0x15
fffff880`02f68da0 fffff800`0300567c : fffff8a0`004ccc60 00000000`00000120 00000000`00000003 00000000`00000001 : nt!VfFreePoolNotification+0x55
fffff880`02f68dd0 fffff800`031ab464 : fffff8a0`004ccdc0 00000000`00000000 fffff8a0`004ccdc0 fffff800`031b3e12 : nt!ExFreePool+0xd4d
fffff880`02f68e80 fffff800`031b0192 : 00000000`00000007 fffff880`02f690f0 fffffa80`04611501 fffff8a0`00000016 : nt!CmQueryKey+0x888
fffff880`02f69040 fffff800`02ed1853 : fffffa80`04602b60 fffff800`00000003 fffff880`02f693c8 fffffa80`05d78900 : nt!NtQueryKey+0x262
fffff880`02f691a0 fffff800`02ecddf0 : fffff880`03c6a75b 00000000`00000000 fffff800`03364a46 fffff8a0`004ba570 : nt!KiSystemServiceCopyEnd+0x13
fffff880`02f693a8 fffff880`03c6a75b : 00000000`00000000 fffff800`03364a46 fffff8a0`004ba570 fffff8a0`000015d0 : nt!KiServiceLinkage
fffff880`02f693b0 fffff880`03ce1bd4 : 00000000`000000fc 00000000`00000000 00000000`00000000 ffffffff`80000120 : dxgkrnl!DpiGetDeviceRegistryPaths+0xdf
fffff880`02f69430 fffff880`13d68986 : fffffa80`05d76bf0 fffffa80`05d831f0 fffffa80`05d831f0 fffffa80`05d831f0 : dxgkrnl!DpiAddDevice+0x4b4
fffff880`02f69690 fffffa80`05d76bf0 : fffffa80`05d831f0 fffffa80`05d831f0 fffffa80`05d831f0 fffff880`02f696f0 : nvlddmkm+0x87986
fffff880`02f69698 fffffa80`05d831f0 : fffffa80`05d831f0 fffffa80`05d831f0 fffff880`02f696f0 fffffa80`05d831f0 : 0xfffffa80`05d76bf0
fffff880`02f696a0 fffffa80`05d831f0 : fffffa80`05d831f0 fffff880`02f696f0 fffffa80`05d831f0 00000000`00000004 : 0xfffffa80`05d831f0
fffff880`02f696a8 fffffa80`05d831f0 : fffff880`02f696f0 fffffa80`05d831f0 00000000`00000004 fffff880`13d688e4 : 0xfffffa80`05d831f0
fffff880`02f696b0 fffff880`02f696f0 : fffffa80`05d831f0 00000000`00000004 fffff880`13d688e4 fffffa80`05d831f0 : 0xfffffa80`05d831f0
fffff880`02f696b8 fffffa80`05d831f0 : 00000000`00000004 fffff880`13d688e4 fffffa80`05d831f0 fffff800`02fd3825 : 0xfffff880`02f696f0
fffff880`02f696c0 00000000`00000004 : fffff880`13d688e4 fffffa80`05d831f0 fffff800`02fd3825 00000000`00000000 : 0xfffffa80`05d831f0
fffff880`02f696c8 fffff880`13d688e4 : fffffa80`05d831f0 fffff800`02fd3825 00000000`00000000 fffffa80`056f7060 : 0x4
fffff880`02f696d0 fffffa80`05d831f0 : fffff800`02fd3825 00000000`00000000 fffffa80`056f7060 00000000`00000000 : nvlddmkm+0x878e4
fffff880`02f696d8 fffff800`02fd3825 : 00000000`00000000 fffffa80`056f7060 00000000`00000000 fffff880`02f69704 : 0xfffffa80`05d831f0
fffff880`02f696e0 fffff800`032b6fb5 : 00000000`00000000 fffffa80`05d831f0 00000000`00000002 fffffa80`056f66e0 : nt!PpvUtilCallAddDevice+0x45
fffff880`02f69720 fffff800`032be461 : fffffa80`056f66e0 fffffa80`056f66e0 00000000`00000000 00000000`00000000 : nt!PnpCallAddDevice+0xd5
fffff880`02f697a0 fffff800`032bf9f2 : fffffa80`056ed910 fffffa80`056f66e0 00000000`00000002 fffffa80`056f7060 : nt!PipCallDriverAddDevice+0x661
fffff880`02f69950 fffff800`032bfe8c : fffffa80`05ddc260 00000000`00000000 00000000`00000000 00000000`00000000 : nt!PipProcessDevNodeTree+0x2b2
fffff880`02f69bc0 fffff800`02fd42d2 : 00000001`00000003 00000000`00000000 00000000`32706e50 00000000`00000084 : nt!PiProcessStartSystemDevices+0x7c
fffff880`02f69c10 fffff800`02edf861 : fffff800`02fd3fd0 fffff800`0332a501 fffffa80`04602b00 00000000`00000000 : nt!PnpDeviceActionWorker+0x302
fffff880`02f69cb0 fffff800`03177a86 : ffffffff`ffffffff fffffa80`04602b60 00000000`00000080 fffffa80`03988b30 : nt!ExpWorkerThread+0x111
fffff880`02f69d40 fffff800`02eb0b06 : fffff880`02d64180 fffffa80`04602b60 fffff880`02d6ef80 00000000`00000000 : nt!PspSystemThreadStartup+0x5a
fffff880`02f69d80 00000000`00000000 : fffff880`02f6a000 fffff880`02f64000 fffff880`02f68570 00000000`00000000 : nt!KxStartSystemThread+0x16


STACK_COMMAND:  kb

FOLLOWUP_IP: 
nt!ExFreePool+d4d
fffff800`0300567c 90              nop

SYMBOL_STACK_INDEX:  9

SYMBOL_NAME:  nt!ExFreePool+d4d

FOLLOWUP_NAME:  Pool_corruption

IMAGE_NAME:  Pool_Corruption

DEBUG_FLR_IMAGE_TIMESTAMP:  0

MODULE_NAME: Pool_Corruption

FAILURE_BUCKET_ID:  X64_0xA_nt!ExFreePool+d4d

BUCKET_ID:  X64_0xA_nt!ExFreePool+d4d

Followup: Pool_corruption
---------

Kernel base = 0xfffff800`02e61000 PsLoadedModuleList = 0xfffff800`0309ee50
Debug session time: Mon Aug 30 17:30:03.231 2010 (GMT-4)
System Uptime: 0 days 0:00:13.010
Loading Kernel Symbols
...............................................................
...................
Loading User Symbols
Unable to load image nvlddmkm.sys, Win32 error 0n2
*** ERROR: Module load completed but symbols could not be loaded for nvlddmkm.sys
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck F7, {fffff88003161f98, 2b992ddfa232, ffffd466d2205dcd, 0}

Probably caused by : nvlddmkm.sys ( nvlddmkm+16d3a6 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer.  This overrun could potentially
allow a malicious user to gain control of this machine.
DESCRIPTION
A driver overran a stack-based buffer (or local variable) in a way that would
have overwritten the function's return address and jumped back to an arbitrary
address when the function returned.  This is the classic "buffer overrun"
hacking attack and the system has been brought down to prevent a malicious user
from gaining complete control of it.
Do a kb to get a stack backtrace -- the last routine on the stack before the
buffer overrun handlers and bugcheck call is the one that overran its local
variable(s).
Arguments:
Arg1: fffff88003161f98, Actual security check cookie from the stack
Arg2: 00002b992ddfa232, Expected security check cookie
Arg3: ffffd466d2205dcd, Complement of the expected security check cookie
Arg4: 0000000000000000, zero

Debugging Details:
------------------


DEFAULT_BUCKET_ID:  GS_FALSE_POSITIVE_MISSING_GSFRAME

SECURITY_COOKIE:  Expected 00002b992ddfa232 found fffff88003161f98

CUSTOMER_CRASH_COUNT:  1

BUGCHECK_STR:  0xF7

PROCESS_NAME:  System

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from fffff880140023a6 to fffff80002ed1600

STACK_TEXT:  
fffff880`03160df8 fffff880`140023a6 : 00000000`000000f7 fffff880`03161f98 00002b99`2ddfa232 ffffd466`d2205dcd : nt!KeBugCheckEx
fffff880`03160e00 00000000`000000f7 : fffff880`03161f98 00002b99`2ddfa232 ffffd466`d2205dcd 00000000`00000000 : nvlddmkm+0x16d3a6
fffff880`03160e08 fffff880`03161f98 : 00002b99`2ddfa232 ffffd466`d2205dcd 00000000`00000000 fffff800`02efe39f : 0xf7
fffff880`03160e10 00002b99`2ddfa232 : ffffd466`d2205dcd 00000000`00000000 fffff800`02efe39f fffff880`146ec58c : 0xfffff880`03161f98
fffff880`03160e18 ffffd466`d2205dcd : 00000000`00000000 fffff800`02efe39f fffff880`146ec58c fffff880`140006ab : 0x2b99`2ddfa232
fffff880`03160e20 00000000`00000000 : fffff800`02efe39f fffff880`146ec58c fffff880`140006ab fffff880`03161e68 : 0xffffd466`d2205dcd


STACK_COMMAND:  kb

FOLLOWUP_IP: 
nvlddmkm+16d3a6
fffff880`140023a6 ??              ???

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  nvlddmkm+16d3a6

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nvlddmkm

IMAGE_NAME:  nvlddmkm.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4c37918e

FAILURE_BUCKET_ID:  X64_0xF7_MISSING_GSFRAME_nvlddmkm+16d3a6

BUCKET_ID:  X64_0xF7_MISSING_GSFRAME_nvlddmkm+16d3a6

Followup: MachineOwner
---------

The driver, nvlddmkm.sys, is implicated in the first dump along with memory. The second dump also blames nvlddmkm.sys and indicates possible malware.

I recommend that you download and install Malwarebytes. Up date it and run a quick scan. If i finds anything, let it clean up the nasties and then do a deep scan. That will take a while. You want to make sure you are not infected. Take care of this before you take any other steps.

You did a great job with the drivers; i only find one driver not up to date. Update this one if you can.

AtiPcie.sys Tue May 05 11:00:22 2009 - ATI PCIE Driver for ATI PCIE chipsetGlobal Provider of Innovative Graphics, Processors and Media Solutions | AMD

Since you have updated the drivers, try enabling Driver Verifier following this tutorial: Driver Verifier - Enable and Disable. Upload any dumps generated my Driver Verifier. Use you computer normally while Verifier is running.

alicenchainz · 30 Nov 2010

I want to apologize for my delayed response. When school started I put this issue on the back burner. A few weeks ago, I finally had a need to get this comp up and running (Editor at a school paper and I wanted to install adobe software). I took it to a local computer shop where they infromed me after a few days that I had a ram problem. Apprently, the sticks I had were not in sync. When I did ram tests in the past, I did it with one stick each and got no problems. I never made the connection that it was BOTH running together that was causeing the problem.

I took my computer home after purchasing some new ram that worked and had a sad face when it showd me another BSOD. I felt like giving up completely. Fortunatly for me I looked through the clear side of my computer case and saw that the snaps that hold the RAM stick in place were not pushded down on one. After doing that, I have not had a BSOD for 3 weeks.

Just thought I would let you know and I wanted to thank you for your advice and efforts.