Multiple BSOD even after factory reset

[fozbear]

hi there,

As the title suggest, I've reset my laptop to the factory settings after suffering through mutliple BSODs. Sadly this doesn't seem to have helped as I'm getting BSODs every 15 minutes or so on the default factory setup.

I haven't installed anything, just the Windows Updates that load automatically after resetting.

I've uploaded the dumpfiles using the diagnostic tool.

Thanks in advance

 

[koolkat77]

Welcome to the Forum.

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 3B, {c0000005, fffff88005501d26, fffff88007f4e990, 0}

*** WARNING: Unable to verify timestamp for mfeavfk.sys
*** ERROR: Module load completed but symbols could not be loaded for mfeavfk.sys
Probably caused by : mfeavfk.sys ( mfeavfk+ad26 )

Followup: MachineOwner
---------

• It seems that the cause of your BSOD's is McAfee. McAfee is a known cause of BSOD's. Please uninstall it and use Microsoft Security Essentials & the Free version of Malwarebytes, update and make full scans separately:
  • Uninstallers (removal tools) for common antivirus software - ESET Knowledgebase
  • Help protect your PC with Microsoft Security Essentials
  • Malwarebytes Free

   Note

:info: Do not start the trial version of MalwareBytes

• Also take a look at: Good & Free System Security Combination

• Virus Check:
  • Make scans with these tools below:
    • TDSSKiller Rootkit Removal Utility Free Download | Kaspersky Lab US
    • Online Virus Scanner Eset
• Application conflict:
  • Reduce the start-up items. This will help avoid software conflicts:
    • Remove Startup Programs in Windows 7
    • Clean Startup in Windows 7

• System File Checker
  • The SFC /SCANNOW Command - System File Checker scans the integrity of all protected Windows 7 system files and replaces incorrect corrupted, changed/modified, or damaged versions with the correct versions if possible. If you have modified your system files as in theming explorer/system files, running sfc /scannow will revert the system files to it's default state.
    • Link to full tutorial: http://www.sevenforums.com/tutorials/1538-sfc-scannow-command-system-file-checker.html
• Run Disk Check in Windows 7
  • Run this on your Hard Drive(s). This will show you how to run Check Disk or chkdsk in Windows 7 to check a selected hard disk for file system errors and bad sectors on it. With both boxes checked for all HDDs and with Automatically fix file system errors. Post back your logs for the checks after finding them using http://www.sevenforums.com/tutorials/96938-check-disk-chkdsk-read-event-viewer-log.html
    • Link to full tutorial: http://www.sevenforums.com/tutorials/433-disk-check.html

• Check for heating issues using Speccy or HWmonitor
  • HWMonitor CPUID - System & hardware benchmark, monitoring, reporting
  • Speccy - System Information - Free Download
    • Please upload a summary tab using Speccy. http://www.sevenforums.com/tutorials/9733-screenshots-files-upload-post-seven-forums.html

 

[fozbear]

I've done all the suggested steps, with nothing unusual showing up.

The BSODs are less frequent now, but they're still happening.

Attached are the printscrn from speccy and the latest dumpfiles.

Thanks again for any help

 

[x BlueRobot]

Could you post the .CBS log from here - http://www.sevenforums.com/tutorials/1538-sfc-scannow-command-system-file-checker.html

Please post the log created by Check Disk - http://www.sevenforums.com/tutorials/96938-check-disk-chkdsk-read-event-viewer-log.html

Please post the MBAM logs and TDSS logs.

-------------------------------------------------------------

[COLOR=Red]BugCheck C2[/COLOR], {[COLOR=Blue]7[/COLOR], 1097, 0, [COLOR=SeaGreen]fffffa8008c3c340[/COLOR]}

GetPointerFromAddress: unable to read from fffff80002f030e0
GetUlongFromAddress: unable to read from fffff80002f03198
Probably caused by : [COLOR=Red]win32k.sys[/COLOR] ( win32k!xxxMsgWaitForMultipleObjects+108 )

0: kd> [COLOR=SeaGreen]dt nt!_KAPC_STATE fffffa80062a6660[/COLOR]
   +0x000 ApcListHead      : [2] _LIST_ENTRY [ 0x00000000`00000006 - 0xfffffa80`062a6668 ]
   +0x020 Process          : 0x00000000`672911a0 _KPROCESS
   +0x028 KernelApcInProgress : 0x70 'p'
   +0x029 KernelApcPending : 0x9d ''
   +0x02a UserApcPending   : 0x39 '[COLOR=Red]9[/COLOR]'

I don't think the APC data structures have been paged out properly since this is a Minidump. The values of the fields of some of the other structures didn't appear to look right.

0: kd> [COLOR=SeaGreen]!pool fffffa8008c3c340[/COLOR]
Pool page fffffa8008c3c340 region is Nonpaged pool
 fffffa8008c3c000 size:  300 previous size:    0  (Free)       TNbl
[COLOR=Red]*fffffa8008c3c300 size:  150 previous size:  300  (Allocated) *File (Protected)[/COLOR]
        Pooltag File : [COLOR=Red]File objects[/COLOR]
 fffffa8008c3c450 size:  860 previous size:  150  (Free)       AfdB
 fffffa8008c3ccb0 size:  100 previous size:  860  (Allocated)  MmCa
 fffffa8008c3cdb0 size:  150 previous size:  100  (Allocated)  File (Protected)
 fffffa8008c3cf00 size:  100 previous size:  150  (Allocated)  MmCa

We can see that the Protected bit has been set for the pool allocation which was being freed, the Protected bit enables the Windows Memory Manager to check that the pool allocation being freed is the intentional one.

0: kd> [COLOR=SeaGreen]!stack[/COLOR]
Call Stack : [COLOR=Red]12 frames[/COLOR]
## Stack-Pointer    Return-Address   Call-Site       
00 fffff88002399538 fffff80002dfe60e nt!KeBugCheckEx+0 
01 fffff88002399540 fffff80002ceacce [COLOR=Red]nt!ExFreePoolWithTag[/COLOR]-1aa2 (perf)
02 fffff880023995f0 fffff80002ca823f [COLOR=Red]nt!IopCompleteRequest[/COLOR]+5ce 
03 fffff880023996c0 fffff80002cd2bfd [COLOR=Red]nt!KiDeliverApc[/COLOR]+1d7 
04 fffff88002399740 fffff80002cceeeb nt!KiCommitThreadWait+3dd (perf)
05 fffff880023997d0 fffff9600015a46c nt!KeWaitForMultipleObjects+26b (perf)
06 fffff88002399a80 fffff9600015b443 win32k!xxxMsgWaitForMultipleObjects+108 
07 fffff88002399b00 fffff96000115098 win32k!xxxDesktopThread+253 
08 fffff88002399b80 fffff96000195f9a win32k!xxxCreateSystemThreads+64 
09 fffff88002399bb0 fffff80002ccaad3 win32k!NtUserCallNoParam+36 
0a fffff88002399be0 000007fefd9c3d5a nt!KiSystemServiceCopyEnd+13

The thread was placed into a wait state, possibly to allow the APC deliver to provide the I/O operation, which lead to the release of the pool allocation which has already been freed.

0xfffff880023995e8 : 0xfffff80002ceacce : nt!IopCompleteRequest+0x5ce
0xfffff880023995f8 : 0xfffff80002cd177a : nt!KiSwapContext+0x7a
0xfffff88002399610 : 0xfffff88002399628 : 0xfffff9600021656f : win32k!StartDeviceRead+0x1e7
0xfffff88002399618 : 0xfffff960001b9da9 : [COLOR=Red]win32k!ProcessMouseInput[/COLOR]+0x1d5
0xfffff88002399628 : 0xfffff9600021656f : [COLOR=Red]win32k!StartDeviceRead[/COLOR]+0x1e7
0xfffff880023996b8 : 0xfffff80002ca823f : nt!KiDeliverApc+0x1d7

In fact, the APC delivery may have been used, to help service a I/O operation from the mouse.

The File Object within the pool block is most likely the mouse.

0: kd> [COLOR=SeaGreen]!irql[/COLOR]
Debugger saved IRQL for processor 0x0 -- [COLOR=Red]1 (APC_LEVEL)[/COLOR]

Run Driver Verifier to scan for any corrupted drivers which may be causing problems, this program works by running various stress tests on drivers, in order to produce a BSOD which will locate the driver; run for least 24 hours:

• http://www.sevenforums.com/tutorials/101379-driver-verifier-enable-disable.html

   Information

Additional Help - http://www.sevenforums.com/crash-lo...-driver-verifier-identify-issues-drivers.html

 

[fozbear]

Requested logs attached, not sure what MBAM log is.

I've let driver verifier run for around 24hours, still getting BSODs.

 

[x BlueRobot]

Uploading MBAM Log:

1. Open up MBAM or Malwarebytes, and then navigate the Logs tab:

View attachment 292654

2. Select the latest log file, and then click Open. Notepad should open with MBAM text log file. The bottom entry will always be the latest.

View attachment 292655

3. With Notepad, click File and then Save As.

View attachment 292656

View attachment 292657

4. Save the log file to your desktop, and then upload in your next post.

View attachment 292658

 

[x BlueRobot]

Please upload the actual TDSS log file:

View attachment 292660

There appears to be no problems with your file system which is good, and no problems within your .CBS log file.

Please upload any new dump files with the SF_Diagnostic tool. I'm not trying to sound rude, but it's quite annoying when people simply state they are still having BSODs without uploading any new dump files. It slows down the troubleshooting process.

 

[fozbear]

The requested files are attached.

Sorry about not attaching the SF_Diagnostic files too. I had no idea I was supposed to send this with every posting.

 

[x BlueRobot]

Logs:

Your TDSS log is clean and your MBAM log is fine apart from a PUP (Potientally Unwanted Program) which you seem to have deleted which is great. I've been doing some searching, and it appears that PUP.Optional.Bandoo.A is used to make certain websites appear higher in search engine rankings.

Debugging Analysis:

0: kd> [COLOR=SeaGreen]vertarget[/COLOR]
Windows 7 Kernel Version [COLOR=Red]7600[/COLOR] MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7600.17273.amd64fre.win7_gdr.130318-1532
Machine Name:
Kernel base = 0xfffff800`02c0f000 PsLoadedModuleList = 0xfffff800`02e4be70
Debug session time: Wed Nov  6 16:12:30.579 2013 (UTC + 0:00)
System Uptime: 0 days 1:12:28.483

Please install Service Pack 1, it contains many patches and security updates - Learn how to install Windows 7 Service Pack 1 (SP1)

[COLOR=Red]BugCheck 1A[/COLOR], {[COLOR=Blue]3452[/COLOR], 7fffffac000, fffff7000108f250, 8f6000003623cc66}

Probably caused by : ntkrnlmp.exe ( nt! ?? ::FNODOBFM::`string'+33013 )

Unfortunately, the 3452 subtype error code is undocumented, however, this a 3451 which indicates that the PTEs of a kernel thread stack which have been paged out have become corrupt.

Have you ran Driver Verifer?

Run Driver Verifier to scan for any corrupted drivers which may be causing problems, this program works by running various stress tests on drivers, in order to produce a BSOD which will locate the driver; run for least 24 hours:

• http://www.sevenforums.com/tutorials/101379-driver-verifier-enable-disable.html

   Information

Additional Help - http://www.sevenforums.com/crash-lo...-driver-verifier-identify-issues-drivers.html

 

[fozbear]

I managed to install service pack after several attempts. The installation stopped working halfway through several times, but i finally managed to get it installed in the end. BSODs are still happening but less frequently now.

I ran driver verifier previously, nothing showed up.

 

[Critthinker]

This being a Dell machine, you could try running the built in diagnostics. These diagnostics are found in the one-boot menu and might find a failed hard drive. The minidump that I looked at was having issues with NTFS so I would verify that the HDD is still good before checking software. The hardware test takes about 15min to run.

Tap f12 at the Dell screen to get to the one-time boot menu and select diagnostics near the bottom of the screen. If it still under warranty then you should be able to call and get a hard drive shipped out next business-day.

*edit*
So I looked over the rest of them and found references to a McAfee driver as well. I think the hardware diagnostics are still a good idea though...

 

[x BlueRobot]

[COLOR=Red]BugCheck 24[/COLOR], {3a0000, 0, 69448d0, fffff8a00b8d7930}

Probably caused by : Ntfs.sys ( Ntfs!NtfsAcquirePagingResourceExclusive+5e )

1: kd> [COLOR="SeaGreen"]k[/COLOR]
 # Child-SP          RetAddr           Call Site
00 fffff880`060da478 fffff880`01465f2e nt!KeBugCheckEx
01 fffff880`060da480 fffff880`014d7374 [COLOR="Red"]Ntfs!NtfsAcquirePagingResourceExclusive[/COLOR]+0x5e
02 fffff880`060da4c0 fffff880`0147a5df [COLOR="Red"]Ntfs!NtfsFlushVolume[/COLOR]+0x154
03 fffff880`060da5f0 fffff880`01467c7f Ntfs!NtfsVolumeDasdIo+0x1d3
04 fffff880`060da6a0 fffff880`01469478 Ntfs!NtfsCommonRead+0x5bf
05 fffff880`060da810 fffff880`012c5bcf Ntfs!NtfsFsdRead+0x1b8
06 fffff880`060da8c0 fffff880`012c46df fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x24f
07 fffff880`060da950 fffff880`012c46af fltmgr!FltpDispatch+0xcf
08 fffff880`060da9b0 fffff800`02fe417b fltmgr!FltpDispatch+0x9f
09 fffff880`060daa10 fffff800`02fc3e53 nt!IopSynchronousServiceTail+0xfb
0a fffff880`060daa80 fffff800`02cd9e53 nt!NtReadFile+0x631
0b fffff880`060dab70 00000000`77c9131a nt!KiSystemServiceCopyEnd+0x13
0c 00000000`047ac338 00000000`00000000 0x77c9131a

Ntfs!NtfsFlushVolume is undocumentated within the WDK, however, I believe it may be part of some cache flushing. During this process, the Volume Control Block has to be locked, I'm assuming this is the reason for the above function call: Ntfs!NtfsAcquirePagingResourceExclusive, the file system is trying to obtain a Resource (synchronization mechanism) which is Exclusive, this acts like a standard Mutex.

In a other bugcheck, your Intel graphics driver seems to be very outdated, and potentially causing problems. Please update the driver from here: Intel® Driver Update Utility

0: kd> [COLOR="SeaGreen"]lmvm igdkmd64[/COLOR]

start             end                 module name
fffff880`04ab5000 fffff880`051bc400   igdkmd64 T (no symbols)           
    Loaded symbol image file: igdkmd64.sys
    Image path: \SystemRoot\system32\DRIVERS\igdkmd64.sys
    Image name: igdkmd64.sys
    Timestamp:        [COLOR="Red"]Wed Sep 02 19:54:15 2009[/COLOR] (4A9EBF57)
    CheckSum:         00710FEA
    ImageSize:        00707400
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4