
BSOD. help analyzing minidump file please

I'm having a hard time getting WinDbg to read my minidump files. I have read it will take a long time sometimes, but I have been waiting at the below screen for 4 hrs now.
[Screenshot: where the debugger is hanging]
The computer having the problem is running Windows 7 Professional 32 bit.
I was able to boot the computer to safe mode and copy the dmp files to a thumb drive so I could analyze them on my computer running Win 7 Ult 64 bit.

Anyways, it is taking me too long and I am hoping someone can help me out and take a look at the dmp files attached. There are about 15 from today; I zipped up the last 3.

Thanks for helping!
[Attachment: 081710-24008-01.zip]
0
Asked by: jcharshaf
3 Solutions
 
SylvainDrapeauCommented:
Hello !

If you don't have TrendMicro installed, then you may have a virus.

In WinDbg, when you reach that screen, type !thread in the command bar. It should give you something like WinDbg.txt.

Check on line 7 "NtrtScan.exe". This file is part of TrendMicro antivirus OR it's a virus in disguise.

Syldra
[Attachment: WinDbg.txt]
0
 
jcharshafAuthor Commented:
We do have TrendMicro installed. Did anything else stand out? I will try what you said and type !thread into the command bar to see if I am able to view the text.

Thanks,
0
 
nobusCommented:
I could also not open your dumps - they seem corrupt.
I would start by testing the RAM with memtest86+ from www.memtest.org, or download UBCD: http://www.ultimatebootcd.com/
0
 
jcharshafAuthor Commented:
I entered this command in the window from the picture I originally posted, ! analyze -v, and got the following results. I'm not sure how to read these 100%, but the wording sounds like some sort of virus possibly. I am going to run a virus scan tomorrow from safe mode.

1: kd> ! analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer.  This overrun could potentially
allow a malicious user to gain control of this machine.
DESCRIPTION
A driver overran a stack-based buffer (or local variable) in a way that would
have overwritten the function's return address and jumped back to an arbitrary
address when the function returned.  This is the classic "buffer overrun"
hacking attack and the system has been brought down to prevent a malicious user
from gaining complete control of it.
Do a kb to get a stack backtrace -- the last routine on the stack before the
buffer overrun handlers and bugcheck call is the one that overran its local
variable(s).
Arguments:
Arg1: aeecf80c, Actual security check cookie from the stack
Arg2: 00a701e2, Expected security check cookie
Arg3: ff58fe1d, Complement of the expected security check cookie
Arg4: 00000000, zero

Debugging Details:
------------------


DEFAULT_BUCKET_ID:  GS_FALSE_POSITIVE_MISSING_GSFRAME

SECURITY_COOKIE:  Expected 00a701e2 found aeecf80c

CUSTOMER_CRASH_COUNT:  1

BUGCHECK_STR:  0xF7

PROCESS_NAME:  NTRtScan.exe

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from a4b79f15 to 82f31d10

STACK_TEXT:  
aeecf6d8 a4b79f15 000000f7 aeecf80c 00a701e2 nt!KeBugCheckEx+0x1e
WARNING: Stack unwind information not available. Following frames may be wrong.
aeecf6f8 a4b7934c 00221ace 00000000 00000000 tmcomm+0x15f15
aeecf80c 00000000 00000000 00000000 00000000 tmcomm+0x1534c


STACK_COMMAND:  kb

FOLLOWUP_IP:
tmcomm+15f15
a4b79f15 ??              ???

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  tmcomm+15f15

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: tmcomm

IMAGE_NAME:  tmcomm.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4c318770

FAILURE_BUCKET_ID:  0xF7_MISSING_GSFRAME_tmcomm+15f15

BUCKET_ID:  0xF7_MISSING_GSFRAME_tmcomm+15f15

Followup: MachineOwner
---------
0
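As an added example (not from the thread), a small Python parser that pulls the fields a triager needs out of the !analyze -v text above and sanity-checks the 0xF7 arguments: Arg3 must be the complement of Arg2, and an "actual" cookie that lands inside the stack range shown in STACK_TEXT tells you the slot was overwritten with pointer-sized data. The sample text is copied from the posted output and trimmed.

```python
import re
# Sample input: lines copied from the !analyze -v output posted above (trimmed).
SAMPLE = """\
DRIVER_OVERRAN_STACK_BUFFER (f7)
Arg1: aeecf80c, Actual security check cookie from the stack
Arg2: 00a701e2, Expected security check cookie
Arg3: ff58fe1d, Complement of the expected security check cookie
DEFAULT_BUCKET_ID:  GS_FALSE_POSITIVE_MISSING_GSFRAME
STACK_TEXT:
aeecf6d8 a4b79f15 000000f7 aeecf80c 00a701e2 nt!KeBugCheckEx+0x1e
aeecf6f8 a4b7934c 00221ace 00000000 00000000 tmcomm+0x15f15
aeecf80c 00000000 00000000 00000000 00000000 tmcomm+0x1534c
IMAGE_NAME:  tmcomm.sys
"""

BUGCHECK_RE = re.compile(r"^([A-Z_]+) \(([0-9a-f]+)\)", re.M)
ARG_RE = re.compile(r"^Arg(\d): ([0-9a-f]{8}),", re.M)
FIELD_RE = re.compile(r"^([A-Z_]+):[ \t]+(\S.*?)[ \t]*$", re.M)
FRAME_RE = re.compile(r"^([0-9a-f]{8})(?: [0-9a-f]{8}){4} (\S+)$", re.M)

def parse_analyze(text):
    """Pull bugcheck name/code, Arg1..4, the KEY: value fields and stack frames."""
    m = BUGCHECK_RE.search(text)
    return {
        "bugcheck": m.group(1) if m else None,
        "code": int(m.group(2), 16) if m else None,
        "args": {int(n): int(v, 16) for n, v in ARG_RE.findall(text)},
        "fields": dict(FIELD_RE.findall(text)),
        "frames": [(int(sp, 16), sym) for sp, sym in FRAME_RE.findall(text)],  # (child-SP, symbol)
    }

def triage_f7(r):
    """Interpret a 0xF7 DRIVER_OVERRAN_STACK_BUFFER report (32-bit /GS cookie)."""
    actual, expected, complement = (r["args"][n] for n in (1, 2, 3))
    sps = [sp for sp, _ in r["frames"]]
    return {
        "cookie_mismatch": actual != expected,
        # Arg3 must be the bitwise complement of Arg2, or the report itself is suspect.
        "args_consistent": (expected ^ 0xFFFFFFFF) == complement,
        # 'Actual' cookie inside the stack range: slot overwritten with a pointer-sized value.
        "cookie_in_stack_range": bool(sps) and min(sps) <= actual <= max(sps),
        # First frame below KeBugCheckEx is the routine that overran its locals.
        "culprit": next((s for _, s in r["frames"] if not s.startswith("nt!")), None),
        "image": r["fields"].get("IMAGE_NAME"),
        # MISSING_GSFRAME: no unwind info, so the debugger cannot rule out a false positive itself.
        "gs_frame_missing": "MISSING_GSFRAME" in r["fields"].get("DEFAULT_BUCKET_ID", ""),
    }
```

Run triage_f7(parse_analyze(SAMPLE)) to get the verdict dictionary; the same regexes work on a full !analyze -v transcript pasted in.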
 
SylvainDrapeauCommented:
Hello !

That just confirms what I thought. You have this "PROCESS_NAME:  NTRtScan.exe" and this "IMAGE_NAME:  tmcomm.sys", which are both TrendMicro files. It's not a virus, it's a buggy antivirus.

I would download another antivirus, disconnect from internet, uninstall TM and install the other AV.

I've been a user of AVG for years and now I use Microsoft's Security Essentials and I'm very happy with it.

Download ClamWin Portable at http://portableapps.com/apps/utilities/clamwin_portable to scan your computer; since TM seems to be having problems and ClamWin doesn't need installation, you'll confirm that you don't have a virus. Then proceed with the installation of the new antivirus and leave your computer in that state for a while to test its stability.

Syldra
0
 
che6auscCommented:
You were doing a Trend Micro virus scan when the driver tmcomm.sys went "out of bounds" and wrote over the stack buffer in memory. See if there are any updates to the antivirus software which may resolve this situation.

If the BSOD persists, uninstall Trend Micro with the removal tool so as to remove all traces of the software: http://esupport.trendmicro.com/Pages/How-to-uninstall-Trend-Micro-Internet-Security-Pro-2010.aspx
0
 
jcharshafAuthor Commented:
Thanks for the replies. I should add that this is Trend Micro Client Server Security Agent and not Internet Security. The AV gets updates daily from our server, so it looks like I will have to uninstall Trend and re-install after doing a virus scan. Thanks for the link, I will give ClamWin a try.
0
 
jcharshafAuthor Commented:
@che6ausc
You are exactly right. I just noticed that this laptop has Trend Internet Security installed along with Trend Micro Client Server. I am assuming that these 2 AV programs aren't getting along. Thanks for the link to removing Trend Internet Security, I will give that a go now.
0
 
che6auscCommented:
The process that was running at the time of the BSOD was NTRtScan.exe: http://blog.iobit.com/ntrtscan-exe_822.html
0
 
jcharshafAuthor Commented:
I am having a horrible time getting rid of this Trend Internet Security 2009. I am following instructions found from Trend; I have run the uninstaller program they suggest because the program isn't listed in the list of programs to uninstall in Control Panel.

I have also tried deleting the registry key for PC Cillin and it keeps coming back when I restart!  

Any help would be appreciated.
0
 
zkriegerCommented:
Uninstall OfficeScan from safe mode. Then try to uninstall PC-cillin. OfficeScan has a watchdog that will revert system changes to Trend.
0
 
jcharshafAuthor Commented:
I was finally able to get rid of all the AV programs.
Then after rebooting a few times and using the laptop to make sure it was stable, I re-installed Trend Micro Client Server Security Agent and boom, blue screen. Uninstalled Trend again in safe mode, system seemed fine, then installed AVG Free Edition and boom, blue screen again! Doing a full scan using Malwarebytes overnight; if nothing turns up I will just reformat and start over.

Thanks for all the help!
0
 
nobusCommented:
you can also run sfc /scannow from the run box...
0
