BSOD after updating all security programs

Boozad · 02 Apr 2015

I'll take a look tonight when I'm home from work.

Boozad · 03 Apr 2015

The latest dump in the last log (the DV enabled dump) is showing up as 0x109 but is giving nothing away.

Code:

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

CRITICAL_STRUCTURE_CORRUPTION (109)
This bugcheck is generated when the kernel detects that critical kernel code or
data have been corrupted. There are generally three causes for a corruption:
1) A driver has inadvertently or deliberately modified critical kernel code
 or data. See http://www.microsoft.com/whdc/driver/kernel/64bitPatching.mspx
2) A developer attempted to set a normal kernel breakpoint using a kernel
 debugger that was not attached when the system was booted. Normal breakpoints,
 "bp", can only be set if the debugger is attached at boot time. Hardware
 breakpoints, "ba", can be set at any time.
3) A hardware corruption occurred, e.g. failing RAM holding kernel code or data.
Arguments:
Arg1: a3a039d89713e81f, Reserved
Arg2: 0000000000000000, Reserved
Arg3: ed88463647c6b696, Failure type dependent information
Arg4: 0000000000000101, Type of corrupted region, can be
    0 : A generic data region
    1 : Modification of a function or .pdata
    2 : A processor IDT
    3 : A processor GDT
    4 : Type 1 process list corruption
    5 : Type 2 process list corruption
    6 : Debug routine modification
    7 : Critical MSR modification

Debugging Details:
------------------


CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VERIFIER_ENABLED_VISTA_MINIDUMP

BUGCHECK_STR:  0x109

PROCESS_NAME:  System

CURRENT_IRQL:  0

ANALYSIS_VERSION: 6.3.9600.17029 (debuggers(dbg).140219-1702) amd64fre

STACK_TEXT:  
fffff880`031fd598 00000000`00000000 : 00000000`00000109 a3a039d8`9713e81f 00000000`00000000 ed884636`47c6b696 : nt!KeBugCheckEx


STACK_COMMAND:  kb

SYMBOL_NAME:  ANALYSIS_INCONCLUSIVE

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Unknown_Module

IMAGE_NAME:  Unknown_Image

DEBUG_FLR_IMAGE_TIMESTAMP:  0

IMAGE_VERSION:  

BUCKET_ID:  BAD_STACK

FAILURE_BUCKET_ID:  BAD_STACK

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:bad_stack

FAILURE_ID_HASH:  {75814664-faf6-4b70-bbc7-dc592132ecdd}

Followup: MachineOwner

I'm starting to wonder whether some faulty hardware is at play here. I'm going to ask for another set of eyes to take look and see if they spot something I'm missing.

In the meantime, can you open an elevated Command Prompt, type in or copy sfc /scannow and hit enter.

Arc · 03 Apr 2015

Disable Driver Verifier now.

Uninstall these following programs, at least as a test.

Start Menu\Programs\herdProtect , dont need it when you have the best one, MBAM.
Start Menu\Programs\LogMeIn Hamachi

Report us for any further BSOD after uninstalling these two.

Golden · 03 Apr 2015

10 seconds before the 0x109 BSOD, the wired network connection was disconnected.

Code:

Event[6172]:
  Log Name: System
  Source: e1qexpress
  Date: 2015-04-02T16:23:51.980
  Event ID: 27
  Task: N/A
  Level: Warning
  Opcode: N/A
  Keyword: Classic
  User: N/A
  User Name: N/A
  Computer: DrudgeSkull
  Description: 
Intel(R) 82583V Gigabit Network Connection
 Network link is disconnected.

Code:

Event[6181]:
  Log Name: System
  Source: Microsoft-Windows-WER-SystemErrorReporting
  Date: 2015-04-02T16:24:02.000
  Event ID: 1001
  Task: N/A
  Level: Error
  Opcode: N/A
  Keyword: Classic
  User: N/A
  User Name: N/A
  Computer: DrudgeSkull
  Description: 
The computer has rebooted from a bugcheck.  The bugcheck was: 0x00000109 (0xa3a039d89713e81f, 0x0000000000000000, 0xed88463647c6b696, 0x0000000000000101). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 040215-17097-01.

Thats too coincidental. Did you physcially disconnect it?

Boozad · 03 Apr 2015

Thanks Colin and Arc.

RaidenRaccoon · 03 Apr 2015

Golden said:

10 seconds before the 0x109 BSOD, the wired network connection was disconnected.

Code:

Event[6172]:
  Log Name: System
  Source: e1qexpress
  Date: 2015-04-02T16:23:51.980
  Event ID: 27
  Task: N/A
  Level: Warning
  Opcode: N/A
  Keyword: Classic
  User: N/A
  User Name: N/A
  Computer: DrudgeSkull
  Description: 
Intel(R) 82583V Gigabit Network Connection
 Network link is disconnected.

Code:

Event[6181]:
  Log Name: System
  Source: Microsoft-Windows-WER-SystemErrorReporting
  Date: 2015-04-02T16:24:02.000
  Event ID: 1001
  Task: N/A
  Level: Error
  Opcode: N/A
  Keyword: Classic
  User: N/A
  User Name: N/A
  Computer: DrudgeSkull
  Description: 
The computer has rebooted from a bugcheck.  The bugcheck was: 0x00000109 (0xa3a039d89713e81f, 0x0000000000000000, 0xed88463647c6b696, 0x0000000000000101). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 040215-17097-01.

Thats too coincidental. Did you physcially disconnect it?

You know, I've been noticing that in event viewer... A lot of errors regarding the connection going down.

However I do not physically disconnect it, but I will hook up a 2nd ethernet cable to the 2nd LAN port on the motherboard instead and see if that remedies it. If not, I'll try using both cables and both ports at the same time, see what that results in.

@Arc - highly doubt Hamachi and herdProtect are the causes. They're both installed on all my PC's and laptops (at least 5 total, 6 including this server PC) along side TeamViewer and Malwarebytes Premium. Plus this PC in question has FAR less installed than the others- so unlikely it's a conflict unless it's with the drivers- this is the only PC that has both a TYAN motherboard and a server grade motherboard.

@Boozad - Running the scan now in an elevated CMD. Will update with it's results.

In addition, I've added the dmp file from the last crash (PAGE_FAULT BSOD)

UPDATE: I assume the scan is complete, so I've uploaded a screenshot of the CMD window

Boozad · 03 Apr 2015

Did you get disable Hamachi while Driver Verifier was disabled? If memory serves me correctly you disabled Hamachi and then enabled DV. I'm asking because Hamachi shows up here five seconds before your bugcheck.

Code:

  Event[6892]:
    Log Name: System
    Source: Service Control Manager
    Date: 2015-04-03T15:52:08.342
    Event ID: 7036
    Task: N/A
    Level: Information
    Opcode: N/A
    Keyword: Classic
    User: N/A
    User Name: N/A
    Computer: DrudgeSkull
    Description: 
  The LMIGuardianSvc service entered the running state.
  
  Event[6893]:
    Log Name: System
    Source: Service Control Manager
    Date: 2015-04-03T15:52:08.732
    Event ID: 7036
    Task: N/A
    Level: Information
    Opcode: N/A
    Keyword: Classic
    User: N/A
    User Name: N/A
    Computer: DrudgeSkull
    Description: 
  The MBAMScheduler service entered the running state.
  
  Event[6894]:
    Log Name: System
    Source: Service Control Manager
    Date: 2015-04-03T15:52:08.951
    Event ID: 7036
    Task: N/A
    Level: Information
    Opcode: N/A
    Keyword: Classic
    User: N/A
    User Name: N/A
    Computer: DrudgeSkull
    Description: 
  The Network Location Awareness service entered the running state.
  
  Event[6895]:
    Log Name: System
    Source: Service Control Manager
    Date: 2015-04-03T15:52:09.138
    Event ID: 7036
    Task: N/A
    Level: Information
    Opcode: N/A
    Keyword: Classic
    User: N/A
    User Name: N/A
    Computer: DrudgeSkull
    Description: 
  The MBAMService service entered the running state.
  
  Event[6896]:
    Log Name: System
    Source: Service Control Manager
    Date: 2015-04-03T15:52:09.154
    Event ID: 7036
    Task: N/A
    Level: Information
    Opcode: N/A
    Keyword: Classic
    User: N/A
    User Name: N/A
    Computer: DrudgeSkull
    Description: 
  The Superfetch service entered the running state.
  
  Event[6897]:
    Log Name: System
    Source: Microsoft-Windows-WER-SystemErrorReporting
    Date: 2015-04-03T15:52:13.000
    Event ID: 1001
    Task: N/A
    Level: Error
    Opcode: N/A
    Keyword: Classic
    User: N/A
    User Name: N/A
    Computer: DrudgeSkull
    Description: 
  The computer has rebooted from a bugcheck.  The bugcheck was: 0x00000050 (0xfffff88002dd5efc, 0x0000000000000008, 0xfffff88002dd5efc, 0x0000000000000001). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 040315-25350-01.

It could be coincidence but both Arc and myself have picked up on this. Can you test the system with Hamachi disabled now that DV has also been disabled.

Also I'm slightly concerned about this.

Code:

CREAD_ADDRESS: GetPointerFromAddress: unable to read from fffff80002eb8100
GetUlongFromAddress: unable to read from fffff80002eb81c0
 fffff88002dd5efc Nonpaged pool

FAULTING_IP: 
+350d3e0
fffff880`02dd5efc ??              ???

MM_INTERNAL_CODE:  1

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  lsass.exe

Can you open Task Manager and check in Processes to see if lsass.exe is running. If so we may need to use Process Explorer to see if running from Sys32.

RaidenRaccoon · 03 Apr 2015

Boozad said:

Did you get disable Hamachi while Driver Verifier was disabled? If memory serves me correctly you disabled Hamachi and then enabled DV. I'm asking because Hamachi shows up here five seconds before your bugcheck.

Code:

  Event[6892]:
    Log Name: System
    Source: Service Control Manager
    Date: 2015-04-03T15:52:08.342
    Event ID: 7036
    Task: N/A
    Level: Information
    Opcode: N/A
    Keyword: Classic
    User: N/A
    User Name: N/A
    Computer: DrudgeSkull
    Description: 
  The LMIGuardianSvc service entered the running state.
  
  Event[6893]:
    Log Name: System
    Source: Service Control Manager
    Date: 2015-04-03T15:52:08.732
    Event ID: 7036
    Task: N/A
    Level: Information
    Opcode: N/A
    Keyword: Classic
    User: N/A
    User Name: N/A
    Computer: DrudgeSkull
    Description: 
  The MBAMScheduler service entered the running state.
  
  Event[6894]:
    Log Name: System
    Source: Service Control Manager
    Date: 2015-04-03T15:52:08.951
    Event ID: 7036
    Task: N/A
    Level: Information
    Opcode: N/A
    Keyword: Classic
    User: N/A
    User Name: N/A
    Computer: DrudgeSkull
    Description: 
  The Network Location Awareness service entered the running state.
  
  Event[6895]:
    Log Name: System
    Source: Service Control Manager
    Date: 2015-04-03T15:52:09.138
    Event ID: 7036
    Task: N/A
    Level: Information
    Opcode: N/A
    Keyword: Classic
    User: N/A
    User Name: N/A
    Computer: DrudgeSkull
    Description: 
  The MBAMService service entered the running state.
  
  Event[6896]:
    Log Name: System
    Source: Service Control Manager
    Date: 2015-04-03T15:52:09.154
    Event ID: 7036
    Task: N/A
    Level: Information
    Opcode: N/A
    Keyword: Classic
    User: N/A
    User Name: N/A
    Computer: DrudgeSkull
    Description: 
  The Superfetch service entered the running state.
  
  Event[6897]:
    Log Name: System
    Source: Microsoft-Windows-WER-SystemErrorReporting
    Date: 2015-04-03T15:52:13.000
    Event ID: 1001
    Task: N/A
    Level: Error
    Opcode: N/A
    Keyword: Classic
    User: N/A
    User Name: N/A
    Computer: DrudgeSkull
    Description: 
  The computer has rebooted from a bugcheck.  The bugcheck was: 0x00000050 (0xfffff88002dd5efc, 0x0000000000000008, 0xfffff88002dd5efc, 0x0000000000000001). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 040315-25350-01.

It could be coincidence but both Arc and myself have picked up on this. Can you test the system with Hamachi disabled now that DV has also been disabled.

Also I'm slightly concerned about this.

Code:

CREAD_ADDRESS: GetPointerFromAddress: unable to read from fffff80002eb8100
GetUlongFromAddress: unable to read from fffff80002eb81c0
 fffff88002dd5efc Nonpaged pool

FAULTING_IP: 
+350d3e0
fffff880`02dd5efc ??              ???

MM_INTERNAL_CODE:  1

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  lsass.exe

Can you open Task Manager and check in Processes to see if lsass.exe is running. If so we may need to use Process Explorer to see if running from Sys32.

I had Hamachi (and it's services) disabled a while before the Verifier was ran. It crashed both before and during the test. I only recently re-enabled it. If needed I can uninstall it completely, though it would render the purpose of this PC mute- I do not want to delve into port forwarding for the game servers.

And lsass.exe is indeed running. I think I have Process Explorer on a usb drive, but It might be out of date... So far it's using 0 CPU and 3.404K Memory

Boozad · 03 Apr 2015

Just disable Hamachi, it really is just for testing purposes.

Download Process Explorer from the link below and install. If you need any help negotiating it just let me know.

Download

RaidenRaccoon · 03 Apr 2015

Alright, disabled Hamachi and it's services and have Process Explorer installed and running. Not seeing anything that looks out of the ordinary, at least not immediately.