BSOD. Help analyzing minidump file please

Posted on 2010-08-17
Medium Priority
Last Modified: 2013-12-12
I'm having a hard time getting WinDbg to read my minidump files. I have read it will take a long time sometimes, but I have been waiting at the below screen for 4 hrs now.
(screenshot: where the debugger is hanging)
The computer having the problem is running Windows 7 Professional 32-bit.
I was able to boot the computer to safe mode and copy the dmp files to a thumb drive so I could analyze them on my computer running Windows 7 Ultimate 64-bit.

Anyway, it is taking me too long, and I am hoping someone can help me out and take a look at the dmp files attached. There are about 15 from today; I zipped up the last 3.

Thanks for helping!
Question by: jcharshaf

Expert Comment

ID: 33461323
Hello!

If you don't have TrendMicro installed, then you may have a virus.

In WinDbg, when you reach that screen, type !thread in the command bar. It should give you something like WinDbg.txt.

Check line 7, "NtrtScan.exe". This file is part of TrendMicro antivirus, OR it's a virus in disguise.


Author Comment

ID: 33461359
We do have TrendMicro installed, did anything else stand out?  I will try what you said to type !thread into the command bar to see if I am able to view the text.


Expert Comment

ID: 33461887
I could also not open your dumps; they seem corrupt.
I would start by testing the RAM with Memtest86+ from www.memtest.org, or download UBCD: http://www.ultimatebootcd.com/

Author Comment

ID: 33461913
I entered this command in the window from the picture I originally posted, !analyze -v, and got the following results. I'm not sure how to read these 100%, but the wording sounds like some sort of virus possibly. I am going to run a virus scan tomorrow from safe mode.

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer.  This overrun could potentially
allow a malicious user to gain control of this machine.
A driver overran a stack-based buffer (or local variable) in a way that would
have overwritten the function's return address and jumped back to an arbitrary
address when the function returned.  This is the classic "buffer overrun"
hacking attack and the system has been brought down to prevent a malicious user
from gaining complete control of it.
Do a kb to get a stack backtrace -- the last routine on the stack before the
buffer overrun handlers and bugcheck call is the one that overran its local
Arguments:
Arg1: aeecf80c, Actual security check cookie from the stack
Arg2: 00a701e2, Expected security check cookie
Arg3: ff58fe1d, Complement of the expected security check cookie
Arg4: 00000000, zero

Debugging Details:
------------------

SECURITY_COOKIE:  Expected 00a701e2 found aeecf80c

PROCESS_NAME:  NTRtScan.exe

LAST_CONTROL_TRANSFER:  from a4b79f15 to 82f31d10

STACK_TEXT:
aeecf6d8 a4b79f15 000000f7 aeecf80c 00a701e2 nt!KeBugCheckEx+0x1e
WARNING: Stack unwind information not available. Following frames may be wrong.
aeecf6f8 a4b7934c 00221ace 00000000 00000000 tmcomm+0x15f15
aeecf80c 00000000 00000000 00000000 00000000 tmcomm+0x1534c

FOLLOWUP_IP:
tmcomm+15f15
a4b79f15 ??              ???

SYMBOL_NAME:  tmcomm+15f15

FOLLOWUP_NAME:  MachineOwner

IMAGE_NAME:  tmcomm.sys

Followup: MachineOwner
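
Added example, not part of the original thread: a small user-mode C model of the /GS stack-cookie check that is behind bugcheck 0xF7. The output above gives the three values the check compares (Arg1 is the cookie found on the stack, Arg2 the expected cookie, Arg3 its bitwise complement; note that Arg1, aeecf80c, also appears as a frame address in the STACK_TEXT, so the cookie slot was overwritten with what looks like a stack pointer). The code below first verifies that the three arguments are consistent with a genuine cookie mismatch, then runs an unchecked copy through a modelled x86 frame (buffer, cookie, saved EBP, return address; the layout and the 16-byte buffer size are assumptions of the model, not something read from tmcomm.sys) to show why any overrun that reaches the return address must also trip the cookie. The frame layout, buffer size and the 'A'-filled input are constructed for the example.

```c
/*
 * Added example (not from the original thread): a user-mode model of the
 * /GS stack-cookie check that produces bugcheck 0xF7 in kernel mode, plus a
 * sanity check on the bugcheck parameters WinDbg printed above.
 * Build: cc -std=c99 -Wall -o gs_model gs_model.c && ./gs_model
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x86 /GS frame layout modelled as a flat byte array (offsets are assumptions
 * for this model; real frames vary): local buffer, then the cookie, then the
 * saved EBP, then the return address. Any overrun long enough to reach the
 * return address has to pass through the cookie first. */
#define BUF_SIZE     16u
#define OFF_COOKIE   (BUF_SIZE)
#define OFF_EBP      (OFF_COOKIE + 4u)
#define OFF_RET      (OFF_EBP + 4u)
#define FRAME_SIZE   (OFF_RET + 4u)

typedef struct {
    int      cookie_ok;      /* 1: cookie intact, 0: __security_check_cookie would fail */
    int      ret_clobbered;  /* 1: the copy reached the saved return address */
    uint32_t actual;         /* cookie found on the stack after the copy (Arg1) */
    uint32_t expected;       /* cookie that was stored before the copy (Arg2) */
} gs_result;

/* Check that Arg3 is the bitwise complement of Arg2, as the bugcheck text
 * says, and that Arg1 really differs from Arg2. Returns 1 if the three
 * values are consistent with a genuine cookie mismatch. */
int gs_args_consistent(uint32_t actual, uint32_t expected, uint32_t complement)
{
    return complement == (uint32_t)~expected && actual != expected;
}

/* The buggy routine: copies 'len' bytes into a 16-byte local buffer without
 * checking the length. The compiler-inserted cookie comparison is modelled at
 * the end, where the real epilogue calls __security_check_cookie before ret. */
gs_result gs_copy(const unsigned char *src, size_t len, uint32_t cookie)
{
    unsigned char frame[FRAME_SIZE];
    const uint32_t ret_before = 0x82f31d10u; /* placeholder return address */
    uint32_t ret_after;
    gs_result r;

    memset(frame, 0, sizeof frame);
    memcpy(frame + OFF_COOKIE, &cookie, sizeof cookie);      /* prologue: store cookie */
    memcpy(frame + OFF_RET, &ret_before, sizeof ret_before);

    /* Keep the model itself in bounds; a real driver would keep writing. */
    if (len > sizeof frame)
        len = sizeof frame;
    memcpy(frame, src, len);  /* BUG: no check that len <= BUF_SIZE */

    memcpy(&r.actual, frame + OFF_COOKIE, sizeof r.actual);
    memcpy(&ret_after, frame + OFF_RET, sizeof ret_after);
    r.expected      = cookie;
    r.cookie_ok     = (r.actual == cookie);
    r.ret_clobbered = (ret_after != ret_before);
    return r;
}

int main(void)
{
    unsigned char payload[FRAME_SIZE];
    size_t lens[] = { 8, 20, 28 };
    size_t i;

    memset(payload, 'A', sizeof payload);  /* constructed input */
    printf("Arg1..Arg3 consistent: %d\n",
           gs_args_consistent(0xaeecf80cu, 0x00a701e2u, 0xff58fe1du));

    for (i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        gs_result r = gs_copy(payload, lens[i], 0x00a701e2u);
        printf("len=%2zu cookie expected %08x found %08x -> %s%s\n",
               lens[i], r.expected, r.actual,
               r.cookie_ok ? "ok" : "BUGCHECK 0xF7",
               r.ret_clobbered ? " (return address overwritten)" : "");
    }
    return 0;
}
```

The 8-byte copy leaves the cookie alone, the 20-byte copy corrupts the cookie without reaching the return address, and the 28-byte copy overwrites both; in every case where the return address is touched the cookie has already been changed, which is why the kernel can stop the machine with 0xF7 before the corrupted return address is ever used. In a real dump the same reasoning points at the frame just below the bugcheck handlers in the kb output, here tmcomm+0x15f15 / tmcomm+0x1534c, as the routine that overran its buffer.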

Accepted Solution

SylvainDrapeau earned 1400 total points
ID: 33462993
Hello!

That just confirms what I thought. You have this "PROCESS_NAME:  NTRtScan.exe" and this "IMAGE_NAME:  tmcomm.sys", which are both TrendMicro files. It's not a virus, it's a buggy antivirus.

I would download another antivirus, disconnect from the internet, uninstall TM and install the other AV.

I've been a user of AVG for years and now I use Microsoft's Security Essentials and I'm very happy with it.

Download ClamWin Portable at http://portableapps.com/apps/utilities/clamwin_portable to scan your computer. Since TM seems to be having problems and ClamWin doesn't need installation, you'll confirm that you don't have a virus. Then proceed with the installation of the new antivirus and leave your computer in that state for a while to test its stability.


Assisted Solution

che6ausc earned 300 total points
ID: 33463970
You were doing a Trend Micro virus scan when the driver tmcomm.sys went "out of bounds" and wrote over the stack buffer in memory. See if there are any updates to the antivirus software which may resolve this situation.

If the BSOD persists, uninstall Trend Micro with the removal tool so as to remove all traces of the software: http://esupport.trendmicro.com/Pages/How-to-uninstall-Trend-Micro-Internet-Security-Pro-2010.aspx.

Author Comment

ID: 33466276
Thanks for the replies,  I should add that this is Trend Micro Client Server Security Agent and not Internet Security.  The AV gets updates daily from our server, so it looks like I will have to uninstall Trend and re-install after doing a virus scan.  Thanks for the link, I will give Clamwin a try.

Author Comment

ID: 33467124
You are exactly right. I just noticed that this laptop has Trend Internet Security installed along with Trend Micro Client Server. I am assuming that these 2 AV programs aren't getting along. Thanks for the link to removing Trend Internet Security, I will give that a go now.

Expert Comment

ID: 33467612
The process that was running at the time of the BSOD was NTRtScan.exe: http://blog.iobit.com/ntrtscan-exe_822.html.

Author Comment

ID: 33468666
I am having a horrible time getting rid of this Trend Internet Security 2009.  I am following instructions found from Trend, I have run the Uninstaller program they suggest because the program isn't listed in the list of programs to uninstall in Control Panel.

I have also tried deleting the registry key for PC Cillin and it keeps coming back when I restart!  

Any help would be appreciated.

Assisted Solution

zkrieger earned 300 total points
ID: 33471609
Uninstall OfficeScan from safe mode, then try to uninstall PC-cillin. OfficeScan has a watchdog that will revert system changes to Trend.

Author Comment

ID: 33472086
I was finally able to get rid of all the AV programs.
Then, after rebooting a few times and using the laptop to make sure it was stable, I re-installed Trend Micro Client Server Security Agent and boom, blue screen. Uninstalled Trend again in safe mode, system seemed fine, then installed AVG Free Edition and boom, blue screen again! Doing a full scan using Malwarebytes overnight; if nothing turns up I will just reformat and start over.

Thanks for all the help!

Expert Comment

ID: 33472220
You can also run sfc /scannow from the Run box.
