Random BSOD / After waking from Sleep! PLZ HELP!


  1. Posts : 9
    Microsoft Windows 7 Ultimate (6.1.7600)
       #1



    Hello all, here is the crash dump from my PC for the last BSOD I had.


    Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [C:\Windows\Minidump\100109-21668-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available

    Symbol search path is: SRV*c:\symbols*Symbol information
    Executable search path is:
    Windows 7 Kernel Version 7600 MP (2 procs) Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 7600.16385.x86fre.win7_rtm.090713-1255
    Machine Name:
    Kernel base = 0x82a47000 PsLoadedModuleList = 0x82b8f810
    Debug session time: Thu Oct 1 17:12:38.632 2009 (GMT-4)
    System Uptime: 0 days 0:30:39.614
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    ....................................
    Loading User Symbols
    Loading unloaded module list
    ......
    1: kd> !analyze -v
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    BAD_POOL_HEADER (19)
    The pool is already corrupt at the time of the current request.
    This may or may not be due to the caller.
    The internal pool links must be walked to figure out a possible cause of
    the problem, and then special pool applied to the suspect tags or the driver
    verifier to a suspect driver.
    Arguments:
    Arg1: 00000020, a pool block header size is corrupt.
    Arg2: 8560d000, The pool entry we were looking for within the page.
    Arg3: 8560d300, The next pool entry.
    Arg4: 08600000, (reserved)

    Debugging Details:
    ------------------

    *** WARNING: Unable to verify timestamp for PCTCore.sys
    *** ERROR: Module load completed but symbols could not be loaded for PCTCore.sys

    BUGCHECK_STR: 0x19_20

    POOL_ADDRESS: GetPointerFromAddress: unable to read from 82baf718
    Unable to read MiSystemVaType memory at 82b8f160
    8560d000

    CUSTOMER_CRASH_COUNT: 1

    DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

    PROCESS_NAME: CFIWmxSvcs.exe

    CURRENT_IRQL: 1

    LAST_CONTROL_TRANSFER: from 837dd3dc to 82b661b6

    STACK_TEXT:
    97e13b90 837dd3dc 8560d008 00000000 97e13bb4 nt!ExFreePoolWithTag+0x1b1
    WARNING: Stack unwind information not available. Following frames may be wrong.
    97e13ba0 837de05a 8560d008 837e502c 855b3558 TfSysMon+0x13dc
    97e13bb4 837de174 855b3558 8b91c3a0 85616d48 TfSysMon+0x205a
    97e13bc8 82cb8b97 00000268 000013b4 00000000 TfSysMon+0x2174
    97e13bf4 82c8fc37 00000001 015e97d0 b1b87499 nt!PspExitProcess+0xa3
    97e13c70 82ca8d37 00000000 837ac614 ffffffff nt!PspExitThread+0x598
    97e13c98 837e27ee ffffffff 00000000 00002000 nt!NtTerminateProcess+0x1fa
    97e13cd0 8379d7bf ffffffff 00000000 ffffffff TfSysMon+0x67ee
    97e13d24 82a8a42a ffffffff 00000000 0012fed8 PCTCore+0x97bf
    97e13d24 76ef64f4 ffffffff 00000000 0012fed8 nt!KiFastCallEntry+0x12a
    0012fed8 00000000 00000000 00000000 00000000 0x76ef64f4


    STACK_COMMAND: kb

    FOLLOWUP_IP:
    TfSysMon+13dc
    837dd3dc ?? ???

    SYMBOL_STACK_INDEX: 1

    SYMBOL_NAME: TfSysMon+13dc

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: TfSysMon

    IMAGE_NAME: TfSysMon.sys

    DEBUG_FLR_IMAGE_TIMESTAMP: 49d25a58

    FAILURE_BUCKET_ID: 0x19_20_TfSysMon+13dc

    BUCKET_ID: 0x19_20_TfSysMon+13dc

    Followup: MachineOwner
    ---------

    ALL HELP IS APPRECIATED!!!


  2. Posts : 1,377
    Win7x64
       #2

    TfSysMon.sys = "ThreatFire anti-virus"?

    You'd probably want to start with updating that AV package. If that doesn't resolve the crashes, removing it would be the next step.


  3. Posts : 9
    Microsoft Windows 7 Ultimate (6.1.7600)
    Thread Starter
       #3

    I do not have ThreatFire AV. I have Spyware Doctor + Microsoft Security Essentials. Would that file be part of Spyware Doctor?


  4. Posts : 1,377
    Win7x64
       #4

    iMarcintosh said:
    I do not have ThreatFire AV. I have Spyware Doctor + Microsoft Security Essentials. Would that file be part of Spyware Doctor?
    Type this into the debugger and it'll tell you what it knows about that driver: lmvm TfSysMon

    The driver is most definitely there on your machine. Perhaps somebody else installed ThreatFire? It was already on the machine when you bought it? It's malware masquerading under the name of another (well known) driver? Only you can do that type of investigation on your PC.


  5. Posts : 9
    Microsoft Windows 7 Ultimate (6.1.7600)
    Thread Starter
       #5

    I uninstalled Spyware Doctor, all seems okay. I also typed
    Code:
    lmvm TfSysMon
    into my debugger and got the following output.

    Code:
    Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
    Copyright (c) Microsoft Corporation. All rights reserved.
    
    
    Loading Dump File [C:\Windows\Minidump\100109-21668-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available
    
    Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is: 
    Windows 7 Kernel Version 7600 MP (2 procs) Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 7600.16385.x86fre.win7_rtm.090713-1255
    Machine Name:
    Kernel base = 0x82a47000 PsLoadedModuleList = 0x82b8f810
    Debug session time: Thu Oct  1 17:12:38.632 2009 (GMT-4)
    System Uptime: 0 days 0:30:39.614
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    ....................................
    Loading User Symbols
    Loading unloaded module list
    ......
    1: kd> lmvm TfSysMon
    start    end        module name
    837dc000 837e9000   TfSysMon T (no symbols)           
        Loaded symbol image file: TfSysMon.sys
        Image path: \SystemRoot\system32\drivers\TfSysMon.sys
        Image name: TfSysMon.sys
        Timestamp:        Tue Mar 31 14:00:56 2009 (49D25A58)
        CheckSum:         000147F1
        ImageSize:        0000D000
        Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
      My Computer
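
    The `lmvm` output above, taken from a minidump with no symbols, gives only the image path, timestamp and checksum, so it cannot say which product owns the driver. The following is an added example, not part of the original thread, that answers the question from the file on disk; it assumes PowerShell 3.0 or later and that the driver sits at the image path shown by `lmvm`.

```powershell
# Added example. Values below are taken from the debugger output in this thread.
$DriverName    = 'TfSysMon.sys'
$DumpTimestamp = 0x49D25A58   # "Timestamp" / DEBUG_FLR_IMAGE_TIMESTAMP in the dump

# lmvm reports \SystemRoot\system32\drivers\...; resolve that on the live system.
$path = Join-Path $env:SystemRoot "System32\drivers\$DriverName"
if (-not (Test-Path -LiteralPath $path)) {
    "$path is not on disk (removed since the crash, or loaded from elsewhere)."
    return
}

# 1. Version resource: the vendor and product the file claims to belong to.
$vi = (Get-Item -LiteralPath $path).VersionInfo

# 2. Authenticode: who signed the file. A version resource is just text
#    anyone can write; the signer certificate is the stronger evidence.
$sig = Get-AuthenticodeSignature -FilePath $path

# 3. PE header TimeDateStamp: e_lfanew at 0x3C points to "PE\0\0", and the
#    stamp sits 8 bytes after it. Equal to the dump value means this file
#    is the same build that was loaded when the machine crashed.
$bytes   = [System.IO.File]::ReadAllBytes($path)
$peOff   = [BitConverter]::ToInt32($bytes, 0x3C)
$peStamp = [BitConverter]::ToUInt32($bytes, $peOff + 8)

# 4. Kernel service that loads the file; its name and display name help
#    tie the driver to an installed product.
$svc = Get-CimInstance Win32_SystemDriver |
       Where-Object { $_.PathName -like "*\$DriverName" }

[pscustomobject]@{
    Path            = $path
    Company         = $vi.CompanyName
    Product         = $vi.ProductName
    Description     = $vi.FileDescription
    FileVersion     = $vi.FileVersion
    SignatureStatus = $sig.Status
    Signer          = $sig.SignerCertificate.Subject
    PeTimestamp     = '{0:X8}' -f $peStamp
    MatchesDump     = ($peStamp -eq $DumpTimestamp)
    ServiceName     = ($svc.Name -join ', ')
    ServiceDisplay  = ($svc.DisplayName -join ', ')
    ServiceState    = ($svc.State -join ', ')
} | Format-List
```

    A company and signer that agree with each other, together with `MatchesDump : True`, point to a legitimate vendor driver that was the one loaded at crash time; a missing or mismatched signer is the case that warrants the closer look suggested in post #4.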


  6. Posts : 845
    Windows 7 - Vista
       #6

    I agree w/ H2SO4 -

    tfsysmon.sys = ThreatFire antivirus

    It is installed somewhere on that system.

    Try Revo uninstaller and see if you can find it -

    Download Revo Uninstaller Freeware - Free and Full Download

    Regards. . .

    jcgriff2


    .


  7. Posts : 9
    Microsoft Windows 7 Ultimate (6.1.7600)
    Thread Starter
       #7

    After uninstalling Spyware Doctor, that file is no longer present. I will see how it works the next little bit. If it BSODs again then I WILL post the dump here, so please make sure that you check back often. I thank each and every one of you all for the help. -iMarcintosh


  8. Posts : 845
    Windows 7 - Vista
       #8

    Hi -

    So the driver in question was part of Spyware Doctor?? If it was in quarantine, I would not expect to find it loaded into RAM at the time of a system crash.

    Good Luck to you.

    jcgriff2

    .


  9. Posts : 9
    Microsoft Windows 7 Ultimate (6.1.7600)
    Thread Starter
       #9

    Here is the Dump of a BSOD that happened just moments ago. Can you all help me on it?


    Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [C:\Windows\Minidump\100409-22120-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available

    Symbol search path is: SRV*c:\symbols*Symbol information
    Executable search path is:
    Windows 7 Kernel Version 7600 MP (2 procs) Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 7600.16385.x86fre.win7_rtm.090713-1255
    Machine Name:
    Kernel base = 0x82a1e000 PsLoadedModuleList = 0x82b66810
    Debug session time: Sun Oct 4 23:12:47.468 2009 (GMT-4)
    System Uptime: 1 days 5:24:28.591
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    ...........................
    Loading User Symbols
    Loading unloaded module list
    ..........
    1: kd> !analyze -v
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    BAD_POOL_HEADER (19)
    The pool is already corrupt at the time of the current request.
    This may or may not be due to the caller.
    The internal pool links must be walked to figure out a possible cause of
    the problem, and then special pool applied to the suspect tags or the driver
    verifier to a suspect driver.
    Arguments:
    Arg1: 00000020, a pool block header size is corrupt.
    Arg2: 8520d000, The pool entry we were looking for within the page.
    Arg3: 8520d300, The next pool entry.
    Arg4: 08600000, (reserved)

    Debugging Details:
    ------------------

    GetPointerFromAddress: unable to read from 82b86718
    Unable to read MiSystemVaType memory at 82b66160

    BUGCHECK_STR: 0x19_20

    POOL_ADDRESS: GetPointerFromAddress: unable to read from 82b86718
    Unable to read MiSystemVaType memory at 82b66160
    8520d000

    CUSTOMER_CRASH_COUNT: 1

    DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

    PROCESS_NAME: svchost.exe

    CURRENT_IRQL: 0

    LAST_CONTROL_TRANSFER: from 82c3f97a to 82b3d1b6

    STACK_TEXT:
    9ba3dc44 82c3f97a 8520d008 c3504c41 00000148 nt!ExFreePoolWithTag+0x1b1
    9ba3dc68 82c3f6f9 8520d038 8520d020 00000000 nt!ObpFreeObject+0x275
    9ba3dc7c 82a86f60 00000000 853d0350 8520d020 nt!ObpRemoveObjectRoutine+0x5e
    9ba3dc90 82a86ed0 8520d038 82c6378c 8c605710 nt!ObfDereferenceObjectWithTag+0x88
    9ba3dc98 82c6378c 8c605710 853d0350 00000334 nt!ObfDereferenceObject+0xd
    9ba3dcdc 82c64f72 8c605710 8c716668 871d6750 nt!ObpCloseHandleTableEntry+0x21d
    9ba3dd0c 82c650ea 871d6750 853d0301 0110f604 nt!ObpCloseHandle+0x7f
    9ba3dd28 82a6142a 00000334 0110f610 77a564f4 nt!NtClose+0x4e
    9ba3dd28 77a564f4 00000334 0110f610 77a564f4 nt!KiFastCallEntry+0x12a
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    0110f610 00000000 00000000 00000000 00000000 0x77a564f4


    STACK_COMMAND: kb

    FOLLOWUP_IP:
    nt!ExFreePoolWithTag+1b1
    82b3d1b6 cc int 3

    SYMBOL_STACK_INDEX: 0

    SYMBOL_NAME: nt!ExFreePoolWithTag+1b1

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: nt

    IMAGE_NAME: ntkrpamp.exe

    DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bc007

    FAILURE_BUCKET_ID: 0x19_20_nt!ExFreePoolWithTag+1b1

    BUCKET_ID: 0x19_20_nt!ExFreePoolWithTag+1b1

    Followup: MachineOwner
    ---------


  10. Posts : 1,377
    Win7x64
       #10

    Something is corrupting pool memory on your system, and obviously with TfSysMon gone it must be a different driver. I'd suggest you follow this procedure to enable "driver verifier" on your system:

    https://www.sevenforums.com/crashes-d...tml#post294696

    While your machine is running under DV, the next BSOD may reveal more.


 