Windows 7: BSOD once again

04 Aug 2011   #1
mach04

Windows 7 Home Premium x64, Windows 8 Pro
 
 
BSOD once again

I had 3-4 BSODs during this day, and I ran some spyware removal tools (Superantispyware, Malwarebytes Antimalware, Iobit) and MSE to clean up the laptop of malicious files. But the BSOD shows once again and I wanted to ask you how I can secure against it.
I had no BSOD for more than a month, all the drivers are updated and MSE is even set to daily update the definitions and run a fast scan.

thanks in advance


05 Aug 2011   #2
usasma
Microsoft MVP

 
 

Did the malware scans turn up any viruses?


OLDER DRIVERS PRESENT IN THE DUMP FILES
- Create a System Restore Point prior to doing any of this. DO NOT mess with the drivers themselves - leave the Windows\System32\drivers directory alone unless we specifically direct you to it!
- Please update these drivers from the device manufacturer's website - or uninstall them from your system. Reference links are included below.
- DO NOT use Windows Update or the Update Drivers function of Device Manager.
- Please feel free to post back about any drivers that you are having difficulty locating.
- Windows Update exceptions may be noted below for Windows drivers:
Quote:
Code:

amdxata.sys                 Fri Mar 19 12:18:18 2010 (4BA3A3CA)
iaStor.sys                  Tue Apr 26 14:06:18 2011 (4DB7099A)
lullaby.sys                 Wed Jun 17 22:45:32 2009 (4A39AA4C)
nvpciflt.sys                Sat May 21 00:07:59 2011 (4DD73A9F)
dump_iaStor.sys             Tue Apr 26 14:06:18 2011 (4DB7099A)
GEARAspiWDM.sys             Mon May 18 08:17:04 2009 (4A1151C0)
Impcd.sys                   Fri Feb 26 18:32:11 2010 (4B8859FB)
PuAcpi64.sys                Thu Jun 04 10:40:26 2009 (4A27DCDA)
L1C62x64.sys                Mon Apr 27 04:25:59 2009 (49F56C17)
ETD.sys                     Wed Sep 08 07:39:31 2010 (4C8775F3)
kbfiltr.sys                 Mon Jul 20 05:21:42 2009 (4A643726)
athrx.sys                   Mon Oct 05 12:33:57 2009 (4ACA1FF5)
HECIx64.sys                 Thu Sep 17 15:54:16 2009 (4AB293E8)
IntcDAud.sys                Fri Oct 15 04:28:17 2010 (4CB810A1)
ASMMAP64.sys                Thu Jul 02 05:13:26 2009 (4A4C7A36)
sncduvc.SYS                 Mon Dec 29 04:14:26 2008 (495894F2)
snp2uvc.sys                 Wed Aug 19 22:41:36 2009 (4A8CB7E0)
TuneUpUtilitiesDriver64.sys Thu Sep 17 07:54:52 2009 (4AB2238C)
UrlFilter.sys               Sat Mar 19 03:16:54 2011 (4D845866)
SASKUTIL64.SYS              Tue Jul 12 17:00:01 2011 (4E1CB5D1)
NisDrvWFP.sys               Wed Apr 06 16:08:53 2011 (4D9CC855)
regfilter.sys               Sat Mar 19 03:19:40 2011 (4D84590C)
pffilter.sys                Wed Mar 16 06:40:13 2011 (4D80938D)
nvBridge.kmd                Fri May 20 23:58:23 2011 (4DD7385F)
MpFilter.sys                Tue Sep 14 20:19:28 2010 (4C901110)
SASKUTIL64.SYS              Tue Feb 09 17:27:34 2010 (4B71E156)
SASDIFSV64.SYS              Mon Feb 08 19:11:52 2010 (4B70A848)
NisDrvWFP.sys               Tue Sep 14 20:20:25 2010 (4C901149)
MpNWMon.sys                 Tue Sep 14 20:19:30 2010 (4C901112)
ETD.sys                     Thu Oct 15 05:23:18 2009 (4AD6EA06)
psi_mf.sys                  Wed Sep 01 03:53:14 2010 (4C7E066A)
http://www.carrona.org/dvrref.html#amdxata.sys
http://www.carrona.org/dvrref.html#iaStor.sys
http://www.carrona.org/dvrref.html#lullaby.sys
http://www.carrona.org/dvrref.html#nvpciflt.sys
http://www.carrona.org/dvrref.html#dump_iaStor.sys
http://www.carrona.org/dvrref.html#GEARAspiWDM.sys
http://www.carrona.org/dvrref.html#Impcd.sys
http://www.carrona.org/dvrref.html#PuAcpi64.sys
http://www.carrona.org/dvrref.html#L1C62x64.sys
http://www.carrona.org/dvrref.html#ETD.sys
http://www.carrona.org/dvrref.html#kbfiltr.sys
http://www.carrona.org/dvrref.html#athrx.sys
http://www.carrona.org/dvrref.html#HECIx64.sys
http://www.carrona.org/dvrref.html#IntcDAud.sys
http://www.carrona.org/dvrref.html#ASMMAP64.sys
http://www.carrona.org/dvrref.html#sncduvc.SYS
http://www.carrona.org/dvrref.html#snp2uvc.sys
http://www.carrona.org/dvrref.html#TuneUpUtilitiesDriver64.sys
http://www.carrona.org/dvrref.html#UrlFilter.sys
http://www.carrona.org/dvrref.html#SASKUTIL64.SYS
http://www.carrona.org/dvrref.html#NisDrvWFP.sys
http://www.carrona.org/dvrref.html#regfilter.sys
http://www.carrona.org/dvrref.html#pffilter.sys
http://www.carrona.org/dvrref.html#nvBridge.kmd
http://www.carrona.org/dvrref.html#MpFilter.sys
http://www.carrona.org/dvrref.html#SASKUTIL64.SYS
http://www.carrona.org/dvrref.html#SASDIFSV64.SYS
http://www.carrona.org/dvrref.html#NisDrvWFP.sys
http://www.carrona.org/dvrref.html#MpNWMon.sys
http://www.carrona.org/dvrref.html#ETD.sys
http://www.carrona.org/dvrref.html#psi_mf.sys
I'd suggest running Driver Verifier according to these instructions:
Quote:
Using Driver Verifier is an iffy proposition. Most times it'll crash and it'll tell you what the driver is. But sometimes it'll crash and won't tell you the driver. Other times it'll crash before you can log in to Windows. If you can't get to Safe Mode, then you'll have to resort to offline editing of the registry to disable Driver Verifier.

So, I'd suggest that you first backup your stuff and then make sure you've got access to another computer so you can contact us if problems arise. Then make a System Restore point (so you can restore the system using the Vista/Win7 Startup Repair feature).

Then, here's the procedure:
- Go to Start and type in "verifier" (without the quotes) and press Enter
- Select "Create custom settings (for code developers)" and click "Next"
- Select "Select individual settings from a full list" and click "Next"
- Select everything EXCEPT FOR "Special Pool" and "Low Resource Simulation" and click "Next"
NOTE: You can use Low Resource Simulation if you'd like. From my limited experimentation it makes the BSOD's come faster.
- Select "Select driver names from a list" and click "Next"
Then select all drivers NOT provided by Microsoft and click "Next"
- Select "Finish" on the next page.

Reboot the system and wait for it to crash to the Blue Screen. Continue to use your system normally, and if you know what causes the crash, do that repeatedly. The objective here is to get the system to crash because Driver Verifier is stressing the drivers out. If it doesn't crash for you, then let it run for at least 36 hours of continuous operation (an estimate on my part).

Reboot into Windows (after the crash) and turn off Driver Verifier by going back in and selecting "Delete existing settings" on the first page, then locate and zip up the memory dump file and upload it with your next post.

If you can't get into Windows because it crashes too soon, try it in Safe Mode.
If you can't get into Safe Mode, try using System Restore from your installation DVD to set the system back to the previous restore point that you created.

If that doesn't work, post back and we'll have to see about fixing the registry entry off-line:
Code:
Delete these registry keys (works in XP, Vista, Win7):
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\VerifyDrivers
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\VerifyDriverLevel
More info on this at this link: Using Driver Verifier to identify issues with Windows drivers for advanced users
BSOD BUGCHECK SUMMARY
Code:

Loading Dump File [C:\Users\FUBAR\_jcgriff2_\dbug\__Kernel__\080411-53508-01.dmp]
Built by: 7601.17592.amd64fre.win7sp1_gdr.110408-1631
Debug session time: Thu Aug  4 13:47:23.681 2011 (UTC - 4:00)
System Uptime: 0 days 0:58:58.743
Probably caused by : ntkrnlmp.exe ( nt!woutput_l+278 )
DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
BUGCHECK_STR:  0x3B
PROCESS_NAME:  WINWORD.EXE
FAILURE_BUCKET_ID:  X64_0x3B_nt!woutput_l+278
Bugcheck code 0000003B
Arguments 00000000`c0000005 fffff800`02eb9568 fffff880`0bfe48e0 00000000`00000000
ииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииии``
Loading Dump File [C:\Users\FUBAR\_jcgriff2_\dbug\__Kernel__\080411-44663-01.dmp]
Built by: 7601.17592.amd64fre.win7sp1_gdr.110408-1631
Debug session time: Thu Aug  4 10:33:26.377 2011 (UTC - 4:00)
System Uptime: 0 days 0:08:11.454
Probably caused by : ntkrnlmp.exe ( nt!woutput_l+278 )
DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
BUGCHECK_STR:  0x3B
PROCESS_NAME:  WINWORD.EXE
FAILURE_BUCKET_ID:  X64_0x3B_nt!woutput_l+278
Bugcheck code 0000003B
Arguments 00000000`c0000005 fffff800`02eb5568 fffff880`0b65a8e0 00000000`00000000
ииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииии``
Loading Dump File [C:\Users\FUBAR\_jcgriff2_\dbug\__Kernel__\080411-45911-01.dmp]
Built by: 7601.17592.amd64fre.win7sp1_gdr.110408-1631
Debug session time: Thu Aug  4 10:22:51.656 2011 (UTC - 4:00)
System Uptime: 0 days 0:28:45.108
Probably caused by : ntkrnlmp.exe ( nt!woutput_l+278 )
DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
BUGCHECK_STR:  0x3B
PROCESS_NAME:  WINWORD.EXE
FAILURE_BUCKET_ID:  X64_0x3B_nt!woutput_l+278
Bugcheck code 0000003B
Arguments 00000000`c0000005 fffff800`02eb7568 fffff880`0a2548e0 00000000`00000000
ииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииии``
Loading Dump File [C:\Users\FUBAR\_jcgriff2_\dbug\__Kernel__\071611-56706-01.dmp]
Built by: 7601.17592.amd64fre.win7sp1_gdr.110408-1631
Debug session time: Fri Jul 15 14:31:04.907 2011 (UTC - 4:00)
System Uptime: 0 days 0:51:58.359
Probably caused by : ntkrnlmp.exe ( nt!woutput_l+35e )
DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
BUGCHECK_STR:  0x3B
PROCESS_NAME:  CCleaner64.exe
FAILURE_BUCKET_ID:  X64_0x3B_nt!woutput_l+35e
Bugcheck code 0000003B
Arguments 00000000`c0000005 fffff800`02eb464e fffff880`09f408e0 00000000`00000000
ииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииии``
Loading Dump File [C:\Users\FUBAR\_jcgriff2_\dbug\__Kernel__\071511-61916-01.dmp]
Built by: 7601.17592.amd64fre.win7sp1_gdr.110408-1631
Debug session time: Fri Jul 15 09:37:39.205 2011 (UTC - 4:00)
System Uptime: 0 days 0:17:37.267
Probably caused by : ntkrnlmp.exe ( nt!woutput_l+35e )
DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
BUGCHECK_STR:  0x3B
PROCESS_NAME:  CCleaner64.exe
FAILURE_BUCKET_ID:  X64_0x3B_nt!woutput_l+35e
Bugcheck code 0000003B
Arguments 00000000`c0000005 fffff800`02e6b64e fffff880`06f808e0 00000000`00000000
ииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииии``
Loading Dump File [C:\Users\FUBAR\_jcgriff2_\dbug\__Kernel__\071411-72634-01.dmp]
Built by: 7601.17592.amd64fre.win7sp1_gdr.110408-1631
Debug session time: Thu Jul 14 13:56:12.283 2011 (UTC - 4:00)
System Uptime: 0 days 0:20:32.345
Probably caused by : ntkrnlmp.exe ( nt!woutput_l+35e )
DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
BUGCHECK_STR:  0x3B
PROCESS_NAME:  CCleaner64.exe
FAILURE_BUCKET_ID:  X64_0x3B_nt!woutput_l+35e
Bugcheck code 0000003B
Arguments 00000000`c0000005 fffff800`02ec164e fffff880`0db0d8e0 00000000`00000000
ииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииии``
Loading Dump File [C:\Users\FUBAR\_jcgriff2_\dbug\__Kernel__\071011-54381-01.dmp]
Built by: 7601.17592.amd64fre.win7sp1_gdr.110408-1631
Debug session time: Sun Jul 10 09:45:08.230 2011 (UTC - 4:00)
System Uptime: 0 days 0:39:26.682
Probably caused by : ntkrnlmp.exe ( nt!woutput_l+278 )
DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
BUGCHECK_STR:  0x3B
PROCESS_NAME:  WINWORD.EXE
FAILURE_BUCKET_ID:  X64_0x3B_nt!woutput_l+278
Bugcheck code 0000003B
Arguments 00000000`c0000005 fffff800`02eba568 fffff880`08f3c880 00000000`00000000
ииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииии``
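An added example, not part of the original posts: the hex value in parentheses on each line of the driver list above is the driver's link timestamp in seconds since the Unix epoch, so the list can be checked by script. The sample lines are copied from the post; the cutoff date and the function names are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: six lines copied from the driver list in the post above.
SAMPLE = """\
amdxata.sys                 Fri Mar 19 12:18:18 2010 (4BA3A3CA)
lullaby.sys                 Wed Jun 17 22:45:32 2009 (4A39AA4C)
sncduvc.SYS                 Mon Dec 29 04:14:26 2008 (495894F2)
SASKUTIL64.SYS              Tue Jul 12 17:00:01 2011 (4E1CB5D1)
SASKUTIL64.SYS              Tue Feb 09 17:27:34 2010 (4B71E156)
pffilter.sys                Wed Mar 16 06:40:13 2011 (4D80938D)
"""

# Driver name, then anything, then an 8-digit hex timestamp in parentheses.
LINE = re.compile(r"^(\S+)\s+.*\(([0-9A-Fa-f]{8})\)\s*$")
# Assumed cutoff for "older driver"; pick whatever date suits the review.
CUTOFF = datetime(2010, 1, 1, tzinfo=timezone.utc)

def parse_drivers(text):
    """Return {lowercased driver name: sorted list of UTC build times}."""
    builds = defaultdict(set)
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # URLs, headings and blank lines carry no timestamp
        stamp = int(m.group(2), 16)
        # The printed date is in the analyst's local zone; the hex value is UTC.
        builds[m.group(1).lower()].add(datetime.fromtimestamp(stamp, tz=timezone.utc))
    return {name: sorted(times) for name, times in builds.items()}

def older_than(builds, cutoff):
    """Drivers whose newest build still predates the cutoff."""
    return sorted(n for n, t in builds.items() if t[-1] < cutoff)

def multiple_builds(builds):
    """Drivers seen with more than one build across the dumps."""
    return sorted(n for n, t in builds.items() if len(t) > 1)
```

A driver listed with two different builds, as SASKUTIL64.SYS is here, was replaced at some point between the dumps that were analyzed.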
06 Aug 2011   #3
mach04

Windows 7 Home Premium x64, Windows 8 Pro
 
 

Thanks for the reply.

Yes the malware found 4 viruses, it seemed to be related to MS office.
The problem occurred when I was working with Office, and since that time I haven't used the program and there hasn't been any BSOD since then.

The files that were found by Malwarebytes antimalware:
Quote:
Folders Infected:
c:\programdata\microsoft\Windows\start menu\Programs\relevantknowledge (Spyware.MarketScore) -> Quarantined and deleted successfully.

Files Infected:
c:\programdata\microsoft\Windows\start menu\Programs\relevantknowledge\about relevantknowledge.lnk (Spyware.MarketScore) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\relevantknowledge\privacy policy and user license agreement.lnk (Spyware.MarketScore) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\relevantknowledge\Support.lnk (Spyware.MarketScore) -> Quarantined and deleted successfully.
I'll run the driver verifier and let you know, even though I have updated the drivers to the latest.

06 Aug 2011   #4
mach04

Windows 7 Home Premium x64, Windows 8 Pro
 
 

I set the driver verifier and after restarting it gave BSODs before entering Windows. This happened several times so I have now disabled the driver verifier.
06 Aug 2011   #5
usasma
Microsoft MVP

 
 

Please zip up and upload the memory dumps from C:\Windows\Minidump
That should contain the Driver Verifier memory dumps and may tell us what's causing the problem.

Although it's possible that the malware caused the problems, I'm not as concerned because of the particular type of malware that you removed.
06 Aug 2011   #6
mach04

Windows 7 Home Premium x64, Windows 8 Pro
 
 

Here is the recent dump file from Windows after trying to use driver verifier.
06 Aug 2011   #7
usasma
Microsoft MVP

 
 

The attached file appears to be corrupted.
Please do the following:
- right click on the C:\Windows\Minidump folder and select "Send To"
Then select "Compressed (zipped) folder" - note where it saves it to.
Upload the .zip folder with your next post.
06 Aug 2011   #8
mach04

Windows 7 Home Premium x64, Windows 8 Pro
 
 

For some reason Windows had generated two dmp files and one of them was 0 bytes, the one that I had previously uploaded. This one is the second dmp file that was also generated the same day and has a size of 256 kb.
06 Aug 2011   #9
usasma
Microsoft MVP

 
 

That sorta stuff happens on occasion. That's why I ask for the entire Minidump folder (and I note the file names in the dumps that I've already analyzed).

The memory dump blames pffilter.sys - a component of your IOBit protection program (?IOBit Malware Fighter?).
Please uninstall the program and see if that stops the BSOD's. If it does, and you want to reinstall the program, please visit the IOBit website and get a fresh copy of the program (in case your current copy is corrupted).

BSOD BUGCHECK SUMMARY
Code:

Loading Dump File [C:\Users\FUBAR\_jcgriff2_\dbug\__Kernel__\080611-36067-01.dmp]
Built by: 7601.17592.amd64fre.win7sp1_gdr.110408-1631
Debug session time: Sat Aug  6 06:20:12.313 2011 (UTC - 4:00)
System Uptime: 0 days 0:00:59.406
*** WARNING: Unable to verify timestamp for pffilter.sys
*** ERROR: Module load completed but symbols could not be loaded for pffilter.sys
Probably caused by : pffilter.sys ( pffilter+553e )
DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
BUGCHECK_STR:  0xc4_0
DEFAULT_BUCKET_ID:  VERIFIER_ENABLED_VISTA_MINIDUMP
PROCESS_NAME:  System
FAILURE_BUCKET_ID:  X64_0xc4_0_VRF_pffilter+553e
Bugcheck code 000000C4
Arguments 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000
ииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииии``
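An added example, not part of the original posts: a parser for the "BSOD BUGCHECK SUMMARY" text format shown in posts #2 and #9, grouping dumps by bugcheck code and blamed module so that dumps naming a third-party driver stand out from those that only blame the kernel image. The sample records are trimmed from the summaries in this thread; the function names and the `KERNEL_IMAGES` set are assumptions for illustration.

```python
import re

# Constructed sample: three records trimmed from the summaries posted in this thread.
SAMPLE = r"""
Loading Dump File [C:\Users\FUBAR\_jcgriff2_\dbug\__Kernel__\080411-53508-01.dmp]
Probably caused by : ntkrnlmp.exe ( nt!woutput_l+278 )
PROCESS_NAME:  WINWORD.EXE
Bugcheck code 0000003B
Loading Dump File [C:\Users\FUBAR\_jcgriff2_\dbug\__Kernel__\071611-56706-01.dmp]
Probably caused by : ntkrnlmp.exe ( nt!woutput_l+35e )
PROCESS_NAME:  CCleaner64.exe
Bugcheck code 0000003B
Loading Dump File [C:\Users\FUBAR\_jcgriff2_\dbug\__Kernel__\080611-36067-01.dmp]
Probably caused by : pffilter.sys ( pffilter+553e )
PROCESS_NAME:  System
Bugcheck code 000000C4
"""

FIELDS = {
    "dump": re.compile(r"^Loading Dump File \[.*\\([^\\\]]+)\]"),
    "module": re.compile(r"^Probably caused by : (\S+)"),
    "process": re.compile(r"^PROCESS_NAME:\s+(\S+)"),
    "code": re.compile(r"^Bugcheck code ([0-9A-Fa-f]+)"),
}
# Kernel image names; a dump that blames one of these names no third-party driver.
KERNEL_IMAGES = {"ntkrnlmp.exe", "ntoskrnl.exe"}

def parse_summary(text):
    """Split the summary into one dict per dump file."""
    records = []
    for line in text.splitlines():
        for key, rx in FIELDS.items():
            m = rx.match(line.strip())
            if m and key == "dump":
                records.append({})  # each "Loading Dump File" starts a record
            if m and records:
                records[-1][key] = m.group(1)
    return records

def triage(records):
    """Group dumps by (bugcheck code, blamed module); collect the processes seen."""
    buckets = {}
    for r in records:
        key = (int(r["code"], 16), r["module"].lower())
        buckets.setdefault(key, []).append(r["process"])
    return buckets

def named_drivers(buckets):
    """Blamed modules that are not the kernel image itself."""
    return sorted({module for _, module in buckets if module not in KERNEL_IMAGES})
```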
07 Aug 2011   #10
mach04

Windows 7 Home Premium x64, Windows 8 Pro
 
 

Thanks for the reply, I'll do that and post back the result.