BSODs; volsnap.sys identified

[cwaters]

Win7 BSODs; volsnap.sys identified; how diagnose and resolve?

My three-year old Dell Studio XPS desktop PC running Windows 7 x64 (with SP1) had become sluggish; so about two months ago, I formatted the HDD and then performed a new install. It had been working fine for about a month. Over the last few weeks, however, upon my unlocking the desktop I've been noticing that the system has unexpectedly rebooted. Upon the loading of my profile, Windows will inevitably display a message saying that a critical error occurred and that the system unexpectedly shutdown. Sometimes the system will lock-up right after I enter my credentials to unlock the desktop or even to log in.

The System log shows that the PC has unexpectedly rebooted about 20 times over the last three weeks. The following two error/critical events appear with each unexpected reboot:

Source: EventLog
Event ID: 6008
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Description: The previous system shutdown at ... was unexpected.

Source: Microsoft-Windows-Kernel-Power
Event ID: 41
Task Category: (63)
Level: Critical
Keywords: (2)
User: SYSTEM
Description: The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.

A surface scan of the HDD using SpinRite doesn't report any problems.

I had added memory to the system just prior to my performing the new install. I used MemTest86 utility over the past 36 hours, performing 10 passes; no errors were found.

All Windows Updates are installed.

SFC /SCANNOW reports "Windows Resource Protection did not find any integrity violations."

Full scans in MSE show the system to be clean. Various malware-detecting utilities report the system to be clean, too.

The BlueScreenView utility shows two mini-dump files: one associated with the earliest reboot listed in the System Log (it occurred about three weeks ago) and one associated with a reboot that occurred about a week ago. The PC has unexpectedly rebooted many times since then; not sure why no other dump files are present. For both mini-dump files, the Bug Check String is DRIVER_IRQL_NOT_LESS_OR_EQUAL, the Bug Check Code is 0x000000d1, and the Caused By Driver is volsnap.sys.

Upon analyzing the full memory dump file and the two mini-dump files, the "Who Crashed" utility vaguely reports: "This indicates that a kernel-mode driver attempted to access pageable memory at a process IRQL that was too high. This appears to be a typical software driver bug and is not likely to be caused by a hardware problem. The crash took place in a standard Microsoft module. Your system configuration may be incorrect. Possibly this problem is caused by another driver on your system that cannot be identified at this time."

I only have one restore point, dated today -- even though there is over 440 GB of drive space and the system is configured to use it. Not sure why there are no other restore points. I wonder if this is somehow related to the mention of the volsnap.sys driver associated with the unexpected reboots?

Since unchecking the System failure "Automatically restart" checkbox, I've seen a few of the BSOD's; they all reference volsnap.sys.

I considered using the Verifier tool but it didn't seem relevant -- since volsnap.sys is a Microsoft file.

Suspecting volsnap.sys and learning that it corresponds to the Volume Shadow Copy service, I stopped the service. A few minutes later, however, I noticed it had been started. I stopped the service again, numerous times, but it kept starting; not sure what's causing that. I have now stopped the service and have set it to "Disabled".

I have attached the SF_Diagnostic_Tool ZIP file.

Thank you for any suggestions as to how to diagnose and resolve this problem!

 

[Arc]

Hello cwaters.

Both the dumps are exactly the same, and they are showing a lot of this particular error ....

fffff880`02f1bd98  fffff880`010acf5c ataport!IdePortCompletionDpc

In this situation, I am suggesting you to scan the system for possible virus infection.

• Anti-rootkit utility TDSSKiller
• Windows Defender Offline
  

When done, free up the startup.

1. Click on the Start button
2. Type “msconfig (without quotes), click the resulting link. It will open the System Configuration window.
3. Select the “Startup” tab.
4. Deselect all items other than the antivirus.
5. Apply > OK
6. Accept the restart.

One problematic element is still remained there, but apparently it is not a startup issue but a BIOS rootkit that is causing the issues.

 

[cwaters]

Thanks! I ran TDSSKiller when I first started encountering the problem a few weeks ago. I see that it was updated 8 days ago -- so I will download and run that version. I'm curious; TDSSKiller runs within Windows, so how effective can it be at detecting low-level malware?

I will setup Windows Defender Offline media and then scan my system. Had been wondering whether there was such a thing. Again, since MSE runs within Windows, how effective can it be at detecting low-level malware?

I'm confused about your last suggestion. How will 'freeing up the startup' help? What should I look for and/or do afterward?

BTW, since disabling the VSC service, I've not encountered any unexpected reboots. Could that indicate that my volsnap.sys file is truly corrupt (or worse, infected)?

 

[Kaktussoft]

Stop error message when you resume a computer that is running Windows 7 or Windows Server 2008 R2 from sleep or from hibernation: "Stop error code 0x000000D1 (DRIVER_IRQL_NOT_LESS_OR_EQUAL)"

Stop error on a computer that is running Windows Server 2008 R2, Windows Server 2008, Windows Vista or Windows 7 when the operating system uses a virtual storport miniport driver to save a dump file or a hibernation file: "0x000000D1"
did you do: chkdsk/r c:
??

 

[cwaters]

did you do: chkdsk/r c:
??

I just now performed this. A reboot was required. Through the first four steps, no errors were detected. The fifth/final step ('checking free space') ran for at least an hour, slowly progressing, but I missed the end results. BTW, is there a way to make the results remain on the screen ... so as to prevent the Windows GUI from loading?

 

[cwaters]

Thanks! I ran TDSSKiller when I first started encountering the problem a few weeks ago. I see that it was updated 8 days ago -- so I will download and run that version. I'm curious; TDSSKiller runs within Windows, so how effective can it be at detecting low-level malware?

The updated version of TDSSKiller, using the default parameters, did not find any threats. I did not select the "Loaded modules" option since it says it requires a reboot so as to install a driver.

 

[Kaktussoft]

did you do: chkdsk/r c:
??

I just now performed this. A reboot was required. Through the first four steps, no errors were detected. The fifth/final step ('checking free space') ran for at least an hour, slowly progressing, but I missed the end results. BTW, is there a way to make the results remain on the screen ... so as to prevent the Windows GUI from loading?

http://www.sevenforums.com/tutorials/96938-check-disk-chkdsk-read-event-viewer-log.html

 

[Kaktussoft]

Did you do #4 already?

 

[cwaters]

Did you do #4 already?

Yes, I did. Please #5....and your reply (#7). Or did I misunderstand the question?

 

[Arc]

If you are asking ....

Thanks! I ran TDSSKiller when I first started encountering the problem a few weeks ago. I see that it was updated 8 days ago -- so I will download and run that version. I'm curious; TDSSKiller runs within Windows, so how effective can it be at detecting low-level malware?

It works almost all the times, I have never seen it failing.

I will setup Windows Defender Offline media and then scan my system. Had been wondering whether there was such a thing. Again, since MSE runs within Windows, how effective can it be at detecting low-level malware?

MSE gives you the real time protection. For scanning, you should use WDO.

I'm confused about your last suggestion. How will 'freeing up the startup' help? What should I look for and/or do afterward?

It will help you to determine if any startup entries are causing any issue there.

BTW, since disabling the VSC service, I've not encountered any unexpected reboots. Could that indicate that my volsnap.sys file is truly corrupt (or worse, infected)?

Probably the worse ... as rootkits are there.

 

[cwaters]

Hello cwaters.
In this situation, I am suggesting you to scan the system for possible virus infection.

• Anti-rootkit utility TDSSKiller
• Windows Defender Offline
  

One problematic element is still remained there, but apparently it is not a startup issue but a BIOS rootkit that is causing the issues.

Windows Defender Offline (default Quick Scan) did not find any problems. I'm now running a Full Scan.

As I mentioned earlier, the updated version of TDSSKiller, using the default parameters, did not find any threats.

I can free up the startup; however, the problem is so random and inconsistent, I'm not sure how effective that will be. Of course, with the VSC service now disabled, the PC is working great!
UPDATE: Would it be possible for me to overwrite volsnap.sys from another source? And would that help?

I'm a bit concerned by your comment about a possible BIOS rootkit. Are you suggesting that the BIOS has been compromised? If so, could that result in TDSSKiller and Windows Defender Offline returning a false negative. How do you suggest I proceed?

 

[Arc]

Try one more thing ... Malwarebytes : Malwarebytes Anti-Rootkit

If it also comes clean, your BIOS is OK.

 

[cwaters]

Try one more thing ... Malwarebytes : Malwarebytes Anti-Rootkit

If it also comes clean, your BIOS is OK.

Thanks! It came back clean. Are you sure it checks for BIOS rootkits?

So it seems this PC is free of viruses, malware, and (apparently) rootkits. Yet the problem with volsnap.sys still exists...and, based on the comments in this thread, there may still be other concerns.

What now? Would my performing a 'repair install' be a good next step?

I have since re-enabled the VSC service to see whether the BSODs and unexpected reboots start occurring again.

 

[Kaktussoft]

Fill in your system specs please

 

[Kaktussoft]

Try this "fvevol!FveFilterDeviceControl+1d0" Stop error when you create a VSS snapshot backup in Windows Server 2008 R2 SP1 reboot and test. Afterwards you have a fresh copy of volsnap.sys

 

[Arc]

I have since re-enabled the VSC service to see whether the BSODs and unexpected reboots start occurring again.

If you get the BSODs again, let us know .... we will have a look again.

 

[cwaters]

I have since re-enabled the VSC service to see whether the BSODs and unexpected reboots start occurring again.

If you get the BSODs again, let us know .... we will have a look again.

It crashed again overnight. I was greeted this morning with a BSOD identifying volsnap.sys. Appreciate any guidance you can provide.

I will follow Kaktussoft's suggestion to install a fresh copy of volsnap.sys.

 

[cwaters]

Try this "fvevol!FveFilterDeviceControl+1d0" Stop error when you create a VSS snapshot backup in Windows Server 2008 R2 SP1 reboot and test. Afterwards you have a fresh copy of volsnap.sys

Thanks! I will try that.
UPDATE: This is a Microsoft article for a hotfix. Although it's labeled for Server 2008, it seems to apply to Windows 7, also. Looks like it will simply install a newer version of volsnap.sys.
UPDATE 2: I made a backup of the existing volsnap.sys and then copied it to a thumbdrive. On my laptop (which is not experiencing BSODs), I used FC.EXE to compare the file with the local version; they match. Was surprised to see that.
UPDATE 3: I have installed the hotfix. After rebooting, I confirmed the file details; the updated volsnap.sys is now installed.

I have updated the System Specs in my profile.

FYI: Not sure if it has any bearing on the apparent corruption of my volsnap.sys but I should point out that when I performed the original re-install of the OS a few months ago, I used an ISO of the Windows 7 w/SP1 DVD installation media that I had downloaded from http://msft.digitalrivercontent.net/win/X17-24395.iso -- rather than use my retail non-SP1 DVD installation media.

 

[cwaters]

My system BSOD'd again, naming the (now hotfixed) volsnap.sys.

I will revert to the original SP1 volsnap.sys.

What next? Should I try a repair re-install?

 

[Kaktussoft]

My system BSOD'd again, naming the (now hotfixed) volsnap.sys.

I will revert to the original SP1 volsnap.sys.

What next? Should I try a repair re-install?

try it