
Minidump Mystery

astrosoup asked
Last Modified: 2011-09-20
This computer was infected with several trojans, including a few back doors and other various malwares. We removed everything we could find with various scanners and tools and I'm pretty sure everything is gone now.

Ever since the disinfection, the system has been subject to fairly frequent, random system restarts. Restarts also happen consistently if a user tries to login after the computer has been idle awhile. There is a grip of minidump files to analyze, but they are pretty consistent in their outputs. Process Name is the only variable that I've noticed, but I'm sure there are others. Could someone shed some light on what could be going on? WinDBG seems to be blaming hardware, so I am thinking it might be a driver issue, but I don't know how to tell which driver is causing the problem.

Thanks in advance.

**EDIT** I just found an intriguing pattern in the creation times of the minidumps. When the computer is being used consistently through the restarts, the dumps are spaced exactly 1 hr and 3 minutes apart. There are five dumps in a row that follow this pattern. Assuming it takes about 3 minutes to restart this computer, it would seem as if this problem is on a schedule, occurring 1 hour after the system is started up. I know this isn't a smoking gun of any sort, but it does help define the nature of the problem. I may dig around in event viewer a little more with this new perspective. I will post any other interesting finds.

**EDIT II** After browsing the event viewer I found a message saying that the wireless adapter has been started and is functioning. The odd part is that sometimes the event is posted a few minutes before the crash, and sometimes it seems to be posted a few seconds after. Either way, I am pretty sure it's the culprit. I'm going to uninstall it and see what happens.

**EDIT III** The computer rebooted, right on time, even with the wireless card uninstalled. The minidump file is exactly the same as the previous one, save for the number of crashes entry for the day. However, the normal entries that accompany this event are not listed in event viewer. (Event log service started/ TCIP- wireless card enabled.) I've reinstalled the driver and rebooted, so we'll know if that helped in about an hour. Until then, I will poke around elsewhere. It seems that the wireless card thing was a red herring.

**EDIT IV** It turns out that the process COH32.EXE is more consistent in these dump files than I originally realized. Once in a while another process such as explorer.exe or svchost.exe shows up, but not very often. I looked it up and the process belongs to Symantec Endpoint Protection. Interestingly, this process does not seem to be running in the hour prior to the restarts. Considering my experience with Symantec and its frequent association with, if not direct manifestation of, evil incarnate, I am going to uninstall it and see if that puts a stop to all of this. Patience, loyal readers. I may be a N00b, but I am a persistent one, to say the least.

Loading Dump File [C:\Users\Star-Tech\Desktop\Minidump\Mini071108-02.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
 
Symbol search path is: C:\Windows\Symbols
Executable search path is: 
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Windows XP Kernel Version 2600 (Service Pack 2) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055c700
Debug session time: Fri Jul 11 09:04:08.109 2008 (GMT-7)
System Uptime: 0 days 3:56:08.681
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Loading Kernel Symbols
......................................................................................................................................................
Loading User Symbols
Loading unloaded module list
........................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
 
Use !analyze -v to get detailed debugging information.
 
BugCheck C2, {40, 0, 80000000, 0}
 
Probably caused by : hardware ( nt!RtlLargeIntegerToChar+160 )
 
Followup: MachineOwner
---------
 
1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
 
BAD_POOL_CALLER (c2)
The current thread is making a bad pool request.  Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 00000040, Attempt to free usermode address to kernel pool
Arg2: 00000000, Starting address
Arg3: 80000000, Start of system address space
Arg4: 00000000, 0
 
Debugging Details:
------------------
 
 
FAULTING_IP: 
nt!RtlLargeIntegerToChar+160
806334d7 ??              ???
 
BUGCHECK_STR:  0xc2_40
 
CUSTOMER_CRASH_COUNT:  2
 
DEFAULT_BUCKET_ID:  DRIVER_FAULT
 
PROCESS_NAME:  COH32.exe
 
MISALIGNED_IP: 
nt!KeForceResumeThread+1
804f9deb 5d              pop     ebp
 
LAST_CONTROL_TRANSFER:  from 80547c2d to 804f9deb
 
STACK_TEXT:  
b3544bbc 80547c2d 000000c2 00000040 00000000 nt!KeForceResumeThread+0x1
b3544bfc 8054a49a 00000000 00000003 e68874d0 nt!_handle_exc+0x1ab
b3544c3c 806334d7 00000000 00000000 e5ffaea8 nt!MiAllocatePoolPages+0x9fd
b3544c58 80633aea e68874d0 e5ffaea8 e10299fc nt!RtlLargeIntegerToChar+0x160
b3544c6c 8063a7a4 e68874d0 e44e0a78 8063a8c0 nt!RtlDecompressFragment+0x23
b3544c80 80633be0 e5ffaea8 b3544c98 80633fc8 nt!SepAdtLogAuditRecord+0x2d
b3544c8c 80633fc8 e5ffaea8 b3544cb0 806350c8 nt!RtlReserveChunk+0x32
b3544c98 806350c8 e5ffaea8 00000000 e16059f0 nt!RtlpSysVolCreateSecurityDescriptor+0x25
b3544cb0 805b9edd e1605a08 00000000 e16059f0 nt!RtlpApplyRelocationFixups+0x2b0
b3544ccc 805259a6 e1605a08 00000000 00000594 nt!VdmSwapContexts+0x191
b3544cfc 805bae49 e1394258 e1605a08 00000594 nt!NtSignalAndWaitForSingleObject+0x154
b3544d44 805baf81 00000594 00000001 00000000 nt!NtFreeVirtualMemory+0x3d3
b3544d58 8054086c 00000594 0012da38 7c90eb94 nt!MiSessionRemoveImage+0x28
b3544d64 7c90eb94 badb0d00 0012da30 9d5e5d98 nt!RtlIpv4StringToAddressExA+0x149
WARNING: Frame IP not in any known module. Following frames may be wrong.
b3544d78 00000000 00000000 00000000 00000000 0x7c90eb94
 
 
STACK_COMMAND:  kb
 
FOLLOWUP_IP: 
nt!RtlLargeIntegerToChar+160
806334d7 ??              ???
 
SYMBOL_STACK_INDEX:  3
 
SYMBOL_NAME:  nt!RtlLargeIntegerToChar+160
 
FOLLOWUP_NAME:  MachineOwner
 
IMAGE_NAME:  hardware
 
DEBUG_FLR_IMAGE_TIMESTAMP:  0
 
MODULE_NAME: hardware
 
FAILURE_BUCKET_ID:  IP_MISALIGNED
 
BUCKET_ID:  IP_MISALIGNED
 
Followup: MachineOwner
---------
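
Editor's note on the transcript above. Both WinDbg sessions in this thread report `Unable to load image ntoskrnl.exe, Win32 error 0n2` (decimal 2, ERROR_FILE_NOT_FOUND) against a local-only symbol path of `C:\Windows\Symbols`, so the `nt!…` frame names, the `IP_MISALIGNED` bucket and the "Probably caused by : hardware" verdict are resolved against the wrong kernel and should not be trusted; pointing the debugger at the Microsoft symbol server (`.sympath srv*c:\symbols*https://msdl.microsoft.com/download/symbols` followed by `.reload`) and re-running `!analyze -v` is the first step before blaming any driver. The fields that do survive a bad symbol path are the ones the asker was comparing by hand: the bugcheck code and arguments, `PROCESS_NAME`, the debug session time and the system uptime. The script below is an added example, not code from the original post; it pulls those fields out of a batch of `!analyze -v` transcripts, flags transcripts whose kernel symbols failed to load, tallies the faulting process, and checks whether the crashes recur on a fixed cadence the way the asker's "1 hr and 3 minutes" observation suggests. `SAMPLE_TRANSCRIPTS` are constructed to mirror the shape of the pasted dumps; their values are illustrative and not copied from real dump files.

```python
"""Triage a batch of WinDbg ``!analyze -v`` transcripts (added example).

Extracts bugcheck, arguments, PROCESS_NAME, IMAGE_NAME, session time and
uptime, flags dumps whose ntoskrnl.exe symbols did not load, and tests the
crash timestamps for a fixed cadence. Sample transcripts are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Either line means the debugger never found the running kernel's image, so
# every nt!* frame name in the transcript is a guess and must be discounted.
SYMBOL_WARNINGS = (
    "Unable to load image ntoskrnl.exe",
    "Unable to verify timestamp for ntoskrnl.exe",
)

_RE_DUMP = re.compile(r"Loading Dump File \[(.+?)\]")
_RE_SESSION = re.compile(
    r"Debug session time: (\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})\.\d+ (\d{4})")
_RE_UPTIME = re.compile(r"System Uptime: (\d+) days (\d+):(\d+):(\d+)")
_RE_BUGCHECK = re.compile(r"BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}")
_RE_PROCESS = re.compile(r"PROCESS_NAME:\s+(\S+)")
_RE_IMAGE = re.compile(r"IMAGE_NAME:\s+(\S+)")


@dataclass
class DumpSummary:
    dump_file: str
    session_time: datetime
    uptime: timedelta
    bugcheck: str
    args: List[str]
    process_name: Optional[str]
    image_name: Optional[str]
    symbols_unreliable: bool


def parse_transcript(text: str) -> DumpSummary:
    """Pull the symbol-independent triage fields out of one transcript."""
    m_dump, m_sess = _RE_DUMP.search(text), _RE_SESSION.search(text)
    m_up, m_bc = _RE_UPTIME.search(text), _RE_BUGCHECK.search(text)
    if not (m_dump and m_sess and m_up and m_bc):
        raise ValueError("transcript is missing a required header line")
    # WinDbg pads single-digit days ("Jul  1"); collapse before strptime.
    stamp = " ".join(m_sess.group(1).split()) + " " + m_sess.group(2)
    days, hours, minutes, seconds = (int(x) for x in m_up.groups())
    m_proc, m_img = _RE_PROCESS.search(text), _RE_IMAGE.search(text)
    return DumpSummary(
        dump_file=m_dump.group(1),
        session_time=datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y"),
        uptime=timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds),
        bugcheck=m_bc.group(1).upper(),
        args=[a.strip() for a in m_bc.group(2).split(",")],
        process_name=m_proc.group(1) if m_proc else None,
        image_name=m_img.group(1) if m_img else None,
        symbols_unreliable=any(w in text for w in SYMBOL_WARNINGS),
    )


def crash_intervals(summaries: List[DumpSummary]) -> List[timedelta]:
    """Gaps between consecutive crashes, ordered by debug session time."""
    times = sorted(s.session_time for s in summaries)
    return [b - a for a, b in zip(times, times[1:])]


def is_periodic(intervals: List[timedelta],
                tolerance: timedelta = timedelta(minutes=2)) -> bool:
    """True when every gap matches the first within tolerance (needs 3+ dumps)."""
    if len(intervals) < 2:
        return False
    return all(abs(i - intervals[0]) <= tolerance for i in intervals[1:])


def triage(texts: List[str]) -> Dict[str, object]:
    """Batch report: bugcheck and process tallies, cadence, symbol health."""
    summaries = [parse_transcript(t) for t in texts]
    intervals = crash_intervals(summaries)
    return {
        "count": len(summaries),
        "bugchecks": Counter(s.bugcheck for s in summaries),
        "processes": Counter(s.process_name or "<none>" for s in summaries),
        "unreliable_symbols": sum(s.symbols_unreliable for s in summaries),
        "intervals_min": [round(i.total_seconds() / 60, 1) for i in intervals],
        "periodic": is_periodic(intervals),
        # Crashes at a near-constant uptime point at a timer or scheduled job,
        # not at whatever the logged-on user happened to be doing.
        "uptime_min": [round(s.uptime.total_seconds() / 60, 1) for s in summaries],
    }


# Constructed transcripts shaped like the pasted dumps; values are illustrative.
SAMPLE_TRANSCRIPTS = [
    r"""Loading Dump File [C:\Minidump\Mini071108-01.dmp]
Symbol search path is: C:\Windows\Symbols
Unable to load image ntoskrnl.exe, Win32 error 0n2
Debug session time: Fri Jul 11 08:01:02.000 2008 (GMT-7)
System Uptime: 0 days 1:00:11.000
BugCheck C2, {40, 0, 80000000, 0}
PROCESS_NAME:  COH32.exe
IMAGE_NAME:  hardware
""",
    r"""Loading Dump File [C:\Minidump\Mini071108-02.dmp]
Unable to load image ntoskrnl.exe, Win32 error 0n2
Debug session time: Fri Jul 11 09:04:08.000 2008 (GMT-7)
System Uptime: 0 days 1:00:05.000
BugCheck C2, {40, 0, 80000000, 0}
PROCESS_NAME:  COH32.exe
IMAGE_NAME:  hardware
""",
    r"""Loading Dump File [C:\Minidump\Mini071108-03.dmp]
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Debug session time: Fri Jul 11 10:07:10.000 2008 (GMT-7)
System Uptime: 0 days 1:00:30.000
BugCheck C2, {40, 0, 80000000, 0}
PROCESS_NAME:  explorer.exe
IMAGE_NAME:  hardware
""",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_TRANSCRIPTS).items():
        print(f"{key}: {value}")
```

To use it against real dumps, run `cdb -z Mini071108-02.dmp -c "!analyze -v; q"` (with a correct `.sympath`) over each file, save the output, and feed the saved transcripts to `triage()`. A report where `unreliable_symbols` equals `count` says the stack traces are noise and the bugcheck, process and cadence are the only evidence worth reasoning from; a `periodic` result with a near-constant `uptime_min` argues for a timer-driven component (the asker's 63-minute spacing and the hourly `COH32.exe` correlation fit that shape) rather than a driver that fails under user load.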


Author

Commented:
Yes, I've uninstalled Symantec Endpoint Security, but in the true tradition of the brand, it hasn't gone down without a fight. The computer is now freezing during login. I am currently digging around in safe mode to see if I can get it working again.

Author

Commented:
So I've disabled all non-Microsoft services and I've disabled all startup processes, but the computer still will only login to its user accounts in safe mode. Other than that it freezes as soon as the password is submitted.

Author

Commented:
So this machine still won't login, but I did get another minidump. I can't make it repeat, but here it is for what it is worth:

Loading Dump File [E:\Minidump\Mini071108-04.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
 
Symbol search path is: C:\Windows\Symbols
Executable search path is: 
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Windows XP Kernel Version 2600 (Service Pack 2) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055c700
Debug session time: Fri Jul 11 13:44:53.609 2008 (GMT-7)
System Uptime: 0 days 0:01:46.298
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Loading Kernel Symbols
...................................................................................................................................
Loading User Symbols
Loading unloaded module list
............
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
 
Use !analyze -v to get detailed debugging information.
 
BugCheck 1000008E, {c0000005, 806354df, a7a16988, 0}
 
*** WARNING: Unable to verify timestamp for dmload.sys
Probably caused by : ntoskrnl.exe ( nt!RtlpReadSingleHookInformation+e5 )
 
Followup: MachineOwner
---------
 
1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
 
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003.  This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG.  This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG.  This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 806354df, The address that the exception occurred at
Arg3: a7a16988, Trap Frame
Arg4: 00000000
 
Debugging Details:
------------------
 
 
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
 
FAULTING_IP: 
nt!RtlpReadSingleHookInformation+e5
806354df 8b4304          mov     eax,dword ptr [ebx+4]
 
TRAP_FRAME:  a7a16988 -- (.trap 0xffffffffa7a16988)
ErrCode = 00000000
eax=00000540 ebx=00000540 ecx=8a6b5298 edx=0000033b esi=e1037008 edi=00000c00
eip=806354df esp=a7a169fc ebp=a7a16a44 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
nt!RtlpReadSingleHookInformation+0xe5:
806354df 8b4304          mov     eax,dword ptr [ebx+4] ds:0023:00000544=????????
Resetting default scope
 
CUSTOMER_CRASH_COUNT:  4
 
DEFAULT_BUCKET_ID:  COMMON_SYSTEM_FAULT
 
BUGCHECK_STR:  0x8E
 
PROCESS_NAME:  services.exe
 
LAST_CONTROL_TRANSFER:  from 806353f0 to 806354df
 
STACK_TEXT:  
a7a16a44 806353f0 e1037008 67654c00 e1037008 nt!RtlpReadSingleHookInformation+0xe5
a7a16a58 80639884 e1037008 67654c00 e1037008 nt!RtlpValidateTargetRanges+0x10e
a7a16a74 80636cdf e1037008 67654c00 e1037008 nt!SepInformLsaOfDeletedLogon+0x5a
a7a16a90 80636fe1 e1037008 0053dbe0 d783ebe4 nt!SepAdtOpenObjectForDeleteAuditAlarm+0xa4
a7a16aac 8063707e e1037008 0053dbe0 d783ebe4 nt!SeAuditHandleDuplication+0xae
a7a16ae8 806378bc e1037008 0019ee60 d75dfe64 nt!SepAdtGenerateDiscardAudit+0x22
a7a16b2c 80637a2f e1079000 00000400 00000006 nt!SepAdtOpenObjectAuditAlarm+0x1aa
a7a16b5c 806244e9 e1037008 000001b8 e1037008 nt!SepAdtOpenObjectAuditAlarm+0x31d
a7a16ccc 8062013a 00010003 a7a16d64 a7a16ce8 nt!NtExtendSection+0x97
a7a16cdc 8054086c 00000005 a7a16d64 804ff995 nt!PbBiosIrqToIoDescriptor+0xb3
a7a16ce8 804ff995 badb0d00 a7a16d60 e3151401 nt!RtlIpv4StringToAddressExA+0x149
a7a16d64 7c90eb94 badb0d00 00d3f878 00000000 nt!RtlpStatusTable+0x72d
WARNING: Frame IP not in any known module. Following frames may be wrong.
a7a16d68 badb0d00 00d3f878 00000000 00000000 0x7c90eb94
a7a16d6c 00d3f878 00000000 00000000 00000000 dmload!_imp_IofCompleteRequest
a7a16d70 00000000 00000000 00000000 00000000 0xd3f878
 
 
STACK_COMMAND:  kb
 
FOLLOWUP_IP: 
nt!RtlpReadSingleHookInformation+e5
806354df 8b4304          mov     eax,dword ptr [ebx+4]
 
SYMBOL_STACK_INDEX:  0
 
SYMBOL_NAME:  nt!RtlpReadSingleHookInformation+e5
 
FOLLOWUP_NAME:  MachineOwner
 
MODULE_NAME: nt
 
IMAGE_NAME:  ntoskrnl.exe
 
DEBUG_FLR_IMAGE_TIMESTAMP:  45e53f9d
 
FAILURE_BUCKET_ID:  0x8E_nt!RtlpReadSingleHookInformation+e5
 
BUCKET_ID:  0x8E_nt!RtlpReadSingleHookInformation+e5
 
Followup: MachineOwner
---------


Author

Commented:
Update. It's been many hours and I am very tired, but I just noticed something very interesting about my dilemma. When I log into Windows it freezes after a few seconds of getting to the splash screen. In other words it isn't a point in the loading process that is causing the consternation, it is something that has already been loaded. Yet it freezes up and leaves no evidence in event viewer. I reached this conclusion because I noticed it would freeze at different points in the process. I decided to "race" it. I typed in the password as fast as I could and hit enter and it brought up the desktop! Very interesting. Any input here is welcome.

Author

Commented:
I am closing this question out as the nature of the problem has mutated greatly. Please refer to https://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/NT/Q_23559769.html for continuation of this issue. Thanks to Expelled for his input.
