Solved

BSOD. help analyzing minidump file please

Posted on 2010-08-17
Last Modified: 2013-12-12
I'm having a hard time getting WinDbg to read my minidump files. I have read it will take a long time sometimes, but I have been waiting at the below screen for 4 hrs now.
[screenshot: where the debugger is hanging]
The computer having the problem is running Windows 7 Professional 32 bit.
I was able to boot the computer to safe mode and copy the dmp files to a thumb drive so I could analyze them on my computer running Win 7 Ult 64 bit.

Anyway, it is taking me too long and I am hoping someone can help me out and take a look at the dmp files attached. There are about 15 from today; I zipped up the last 3.

Thanks for helping!
 081710-24008-01.zip
Question by:jcharshaf
13 Comments
 
LVL 8

Expert Comment

by:SylvainDrapeau
ID: 33461323
Hello !

If you don't have TrendMicro installed, then you may have a virus.

In WinDbg, when you reach that screen, type !thread in the command bar. It should give you something like WinDbg.txt.

Check line 7, "NtrtScan.exe". This file is part of the TrendMicro antivirus, OR it's a virus in disguise.

Syldra
WinDbg.txt

Author Comment

by:jcharshaf
ID: 33461359
We do have TrendMicro installed; did anything else stand out? I will try what you said and type !thread into the command bar to see if I am able to view the text.

Thanks,
LVL 91

Expert Comment

by:nobus
ID: 33461887
I could also not open your dumps - they seem corrupt.
I would start by testing the RAM with memtest86+ from www.memtest.org, or download UBCD: http://www.ultimatebootcd.com/

Author Comment

by:jcharshaf
ID: 33461913
I entered this command in the window from the picture I originally posted, !analyze -v, and got the following results. I'm not sure how to read these 100%, but the wording sounds like some sort of virus possibly. I am going to run a virus scan tomorrow from safe mode.

1: kd> ! analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer.  This overrun could potentially
allow a malicious user to gain control of this machine.
DESCRIPTION
A driver overran a stack-based buffer (or local variable) in a way that would
have overwritten the function's return address and jumped back to an arbitrary
address when the function returned.  This is the classic "buffer overrun"
hacking attack and the system has been brought down to prevent a malicious user
from gaining complete control of it.
Do a kb to get a stack backtrace -- the last routine on the stack before the
buffer overrun handlers and bugcheck call is the one that overran its local
variable(s).
Arguments:
Arg1: aeecf80c, Actual security check cookie from the stack
Arg2: 00a701e2, Expected security check cookie
Arg3: ff58fe1d, Complement of the expected security check cookie
Arg4: 00000000, zero

Debugging Details:
------------------


DEFAULT_BUCKET_ID:  GS_FALSE_POSITIVE_MISSING_GSFRAME

SECURITY_COOKIE:  Expected 00a701e2 found aeecf80c

CUSTOMER_CRASH_COUNT:  1

BUGCHECK_STR:  0xF7

PROCESS_NAME:  NTRtScan.exe

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from a4b79f15 to 82f31d10

STACK_TEXT:  
aeecf6d8 a4b79f15 000000f7 aeecf80c 00a701e2 nt!KeBugCheckEx+0x1e
WARNING: Stack unwind information not available. Following frames may be wrong.
aeecf6f8 a4b7934c 00221ace 00000000 00000000 tmcomm+0x15f15
aeecf80c 00000000 00000000 00000000 00000000 tmcomm+0x1534c


STACK_COMMAND:  kb

FOLLOWUP_IP:
tmcomm+15f15
a4b79f15 ??              ???

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  tmcomm+15f15

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: tmcomm

IMAGE_NAME:  tmcomm.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4c318770

FAILURE_BUCKET_ID:  0xF7_MISSING_GSFRAME_tmcomm+15f15

BUCKET_ID:  0xF7_MISSING_GSFRAME_tmcomm+15f15

Followup: MachineOwner
---------
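As an added example (not part of the original thread or any Trend Micro/Microsoft tooling), here is a small Python triage script that pulls the fields a responder cares about out of the !analyze -v text above: the bugcheck and its arguments, the process and image names, and the first stack frame outside nt. It also checks the 0xF7 arguments against each other using the relationship the output itself documents (Arg3 is the complement of Arg2) and notes when Arg1 coincides with a stack address in the trace, which is consistent with the MISSING_GSFRAME bucket the debugger assigned.

```python
import re

# Excerpt of the "!analyze -v" output posted above (copied from the thread, trimmed).
ANALYZE_OUTPUT = """\
DRIVER_OVERRAN_STACK_BUFFER (f7)
Arg1: aeecf80c, Actual security check cookie from the stack
Arg2: 00a701e2, Expected security check cookie
Arg3: ff58fe1d, Complement of the expected security check cookie
Arg4: 00000000, zero
DEFAULT_BUCKET_ID:  GS_FALSE_POSITIVE_MISSING_GSFRAME
PROCESS_NAME:  NTRtScan.exe
STACK_TEXT:
aeecf6d8 a4b79f15 000000f7 aeecf80c 00a701e2 nt!KeBugCheckEx+0x1e
aeecf6f8 a4b7934c 00221ace 00000000 00000000 tmcomm+0x15f15
aeecf80c 00000000 00000000 00000000 00000000 tmcomm+0x1534c
IMAGE_NAME:  tmcomm.sys
"""
# A STACK_TEXT row is five 8-digit hex columns (ChildEBP RetAddr Args) then a symbol.
FRAME_RE = re.compile(r"^((?:[0-9a-f]{8} ){5})(\S+)", re.M)

def parse_analyze(text):
    """Extract bugcheck name/code, the four arguments, key fields and stack frames."""
    info = {"args": [int(v, 16) for v in re.findall(r"^Arg[1-4]: ([0-9a-f]{8}),", text, re.M)]}
    m = re.search(r"^([A-Z_]+) \(([0-9a-f]+)\)$", text, re.M)
    if m:
        info["bugcheck_name"], info["bugcheck_code"] = m.group(1), int(m.group(2), 16)
    for key in ("PROCESS_NAME", "IMAGE_NAME", "DEFAULT_BUCKET_ID"):
        m = re.search(rf"^{key}:\s+(\S+)", text, re.M)
        if m:
            info[key] = m.group(1)
    info["frames"] = [(cols.split(), sym) for cols, sym in FRAME_RE.findall(text)]
    return info

def gs_cookie_consistent(args):
    """Sanity check for 0xF7: Arg3 is documented as the complement of Arg2 (32-bit here)."""
    return len(args) >= 3 and args[2] == (~args[1] & 0xFFFFFFFF)

def triage(text):
    """Name the first frame outside nt; that module's image is what to update or remove."""
    info = parse_analyze(text)
    suspect = next((sym for _, sym in info["frames"] if not sym.startswith("nt!")), None)
    # If the 'actual cookie' (Arg1) equals a ChildEBP value in the trace, the debugger most
    # likely read a stack address rather than a cookie, which fits the MISSING_GSFRAME bucket.
    child_ebps = {int(cols[0], 16) for cols, _ in info["frames"]}
    return {
        "bugcheck": info.get("bugcheck_name"),
        "args_consistent": gs_cookie_consistent(info["args"]),
        "arg1_is_stack_address": bool(info["args"]) and info["args"][0] in child_ebps,
        "suspect_frame": suspect,
        "suspect_image": info.get("IMAGE_NAME"),
    }
```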
LVL 8

Accepted Solution

by:
SylvainDrapeau earned 350 total points
ID: 33462993
Hello !

That just confirms what I thought. You have this "PROCESS_NAME:  NTRtScan.exe" and this "IMAGE_NAME:  tmcomm.sys", which are both TrendMicro files. It's not a virus, it's a buggy antivirus.

I would download another antivirus, disconnect from the internet, uninstall TM and install the other AV.

I've been a user of AVG for years and now I use Microsoft's Security Essentials and I'm very happy with it.

Download ClamWin Portable at http://portableapps.com/apps/utilities/clamwin_portable to scan your computer; since TM seems to have a problem and ClamWin doesn't need installation, you'll confirm that you don't have a virus. Then proceed with the installation of the new antivirus and leave your computer in that state for a while to test its stability.

Syldra
LVL 6

Assisted Solution

by:che6ausc
che6ausc earned 75 total points
ID: 33463970
You were doing a Trend Micro virus scan when the driver tmcomm.sys went "out of bounds" and wrote over the stack buffer in memory. See if there are any updates to the antivirus software which may resolve this situation.

If the BSOD persists, uninstall Trend Micro with the removal tool so as to remove all traces of the software: http://esupport.trendmicro.com/Pages/How-to-uninstall-Trend-Micro-Internet-Security-Pro-2010.aspx

Author Comment

by:jcharshaf
ID: 33466276
Thanks for the replies. I should add that this is Trend Micro Client Server Security Agent and not Internet Security. The AV gets updates daily from our server, so it looks like I will have to uninstall Trend and re-install after doing a virus scan. Thanks for the link, I will give ClamWin a try.

Author Comment

by:jcharshaf
ID: 33467124
@che6ausc
You are exactly right. I just noticed that this laptop has Trend Internet Security installed along with Trend Micro Client Server. I am assuming that these 2 AV programs aren't getting along. Thanks for the link to removing Trend Internet Security, I will give that a go now.
LVL 6

Expert Comment

by:che6ausc
ID: 33467612
The process that was running at the time of the BSOD was NTRtScan.exe: http://blog.iobit.com/ntrtscan-exe_822.html

Author Comment

by:jcharshaf
ID: 33468666
I am having a horrible time getting rid of this Trend Internet Security 2009. I am following instructions found from Trend; I have run the Uninstaller program they suggest because the program isn't listed in Control Panel's list of programs to uninstall.

I have also tried deleting the registry key for PC-cillin and it keeps coming back when I restart!

Any help would be appreciated.
LVL 6

Assisted Solution

by:zkrieger
zkrieger earned 75 total points
ID: 33471609
Uninstall OfficeScan from safe mode, then try to uninstall PC-cillin. OfficeScan has a watchdog that will revert system changes to Trend.

Author Comment

by:jcharshaf
ID: 33472086
I was finally able to get rid of all the AV programs.
Then, after rebooting a few times and using the laptop to make sure it was stable, I re-installed Trend Micro Client Server Security Agent and boom, blue screen. I uninstalled Trend again in safe mode and the system seemed fine, then installed AVG Free Edition and boom, blue screen again! I'm doing a full scan using Malwarebytes overnight; if nothing turns up I will just reformat and start over.

Thanks for all the help!
LVL 91

Expert Comment

by:nobus
ID: 33472220
You can also run sfc /scannow from the Run box...