Solved

Netbt.sys BSOD

Posted on 2011-02-16
Last Modified: 2012-05-11
I have a Windows XP (SP3) PC that gets a blue screen on a semi-regular basis (any ideas?):
 
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: b8795ca0, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: b4bffa1b, address which referenced memory

Debugging Details:
------------------


WRITE_ADDRESS:  b8795ca0 

CURRENT_IRQL:  2

FAULTING_IP: 
netbt!DisconnectHndlrNotOs+74f
b4bffa1b f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0xD1

PROCESS_NAME:  System

LAST_CONTROL_TRANSFER:  from b4bfe42f to b4bffa1b

STACK_TEXT:  
b4256abc b4bfe42f 89a0ca18 000001fe 89c158a8 netbt!DisconnectHndlrNotOs+0x74f
b4256b18 b4bfd8c9 00000000 b4b2cbd8 8aaad7f8 netbt!RejectSession+0x32b
b4256b34 b4bfe04c b4256b58 b4b2cbd8 8b012ca8 netbt!Outbound+0x8a9
b4256b84 b4bfacdc 8aa52d30 89890008 8b012c98 netbt!GetIrpIfNotCancelled+0x68
b4256ba0 804ef19f e0a52d30 898900c0 00000000 netbt!AddToHashTable+0x920
b4256bc8 b4bfe0bb 00000000 89890008 00000000 nt!MiFlushSectionInternal+0x256
b4256c18 b4bfacdc 8aa52d30 898f0008 8a83c154 netbt!GetIrpIfNotCancelled+0xd7
b4256c34 804ef19f e0a52d30 898f00c0 898f0008 netbt!AddToHashTable+0x920
b4256c8c b4b26e3d 00000000 00000003 89960a58 nt!MiFlushSectionInternal+0x256
b4256ca4 b4b38479 01936e28 00000000 8993b8f0 rdbss!WPP_SF_qc+0x11
b4256d00 b4ae2b5f 8abe34a0 00000000 00000002 rdbss!WPP_SF_qxxqq+0x39
b4256d50 b4ab94ca 89a6d318 8abe34a0 b4b2cfc0 mrxsmb!_NULL_IMPORT_DESCRIPTOR <PERF> (mrxsmb+0x2fb5f)
b4256d6c b4b234b1 89a6d318 00000000 89ae8b40 mrxsmb!SmbCeResumeSuspendedExchangesLite+0x192
b4256d9c b4b2d957 00b2cfc0 b4b2d240 b4256ddc rdbss!WPP_SF_Lq <PERF> (rdbss+0x4b1)
b4256dac 805cffa8 b4b2cfc0 00000000 00000000 rdbss!WPP_SF_Dxqqqd+0x33
b4256ddc 8054615e b4b2d93d b4b2cfc0 00000000 nt!IopQueryReconfiguration+0x76
b4256df0 00000000 00000000 00000000 00000000 nt!ExpFindAndRemoveTagBigPages+0x1c


STACK_COMMAND:  kb

FOLLOWUP_IP: 
netbt!DisconnectHndlrNotOs+74f
b4bffa1b f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  netbt!DisconnectHndlrNotOs+74f

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: netbt

IMAGE_NAME:  netbt.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  48025d1b

FAILURE_BUCKET_ID:  0xD1_netbt!DisconnectHndlrNotOs+74f

BUCKET_ID:  0xD1_netbt!DisconnectHndlrNotOs+74f

Followup: MachineOwner
---------

0: kd> lmvm netbt
start    end        module name
b4bf9000 b4c20c00   netbt    M (pdb symbols)          q:\debuggingtools\symbols\netbt.pdb\1626402455904865A529CF25011A28871\netbt.pdb
    Loaded symbol image file: netbt.sys
    Image path: netbt.sys
    Image name: netbt.sys
    Timestamp:        Sun Apr 13 14:20:59 2008 (48025D1B)
    CheckSum:         0002FE7A
    ImageSize:        00027C00
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4



Thanks!
0
Question by:IT_Crowd
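
A triage pass over the analysis output posted above, added here as an example and not part of the original thread. It checks whether the faulting instruction (Arg4) and the write target (Arg1) fall inside the netbt range reported by `lmvm`, counts the modules on the stack, and compares the two image timestamp fields; the function name `triage` is hypothetical.

```python
import re
from collections import Counter

# Excerpt of the analysis posted in the question (stack shortened to six frames).
DUMP = """\
Arg1: b8795ca0, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: b4bffa1b, address which referenced memory
STACK_TEXT:
b4256abc b4bfe42f 89a0ca18 000001fe 89c158a8 netbt!DisconnectHndlrNotOs+0x74f
b4256b18 b4bfd8c9 00000000 b4b2cbd8 8aaad7f8 netbt!RejectSession+0x32b
b4256ba0 804ef19f e0a52d30 898900c0 00000000 netbt!AddToHashTable+0x920
b4256bc8 b4bfe0bb 00000000 89890008 00000000 nt!MiFlushSectionInternal+0x256
b4256ca4 b4b38479 01936e28 00000000 8993b8f0 rdbss!WPP_SF_qc+0x11
b4256d6c b4b234b1 89a6d318 00000000 89ae8b40 mrxsmb!SmbCeResumeSuspendedExchangesLite+0x192
DEBUG_FLR_IMAGE_TIMESTAMP:  48025d1b
start    end        module name
b4bf9000 b4c20c00   netbt    M (pdb symbols)
    Timestamp:        Sun Apr 13 14:20:59 2008 (48025D1B)
"""

def triage(text):
    """Summarise a bugcheck 0xD1 analysis (hypothetical helper, not a WinDbg API)."""
    args = {int(n): int(v, 16)
            for n, v in re.findall(r"^Arg(\d): ([0-9a-f]{8}),", text, re.M)}
    # lmvm prints "<start> <end> <module>" on the line after its column header.
    m = re.search(r"module name\n([0-9a-f]{8}) ([0-9a-f]{8})\s+(\w+)", text)
    start, end, module = int(m[1], 16), int(m[2], 16), m[3]
    # A kb frame is five hex columns followed by module!symbol+offset.
    frames = re.findall(r"^(?:[0-9a-f]{8} ){5}(\w+)!", text, re.M)
    flr = re.search(r"DEBUG_FLR_IMAGE_TIMESTAMP:\s+([0-9a-f]+)", text)[1]
    hdr = re.search(r"Timestamp:.*\(([0-9A-Fa-f]{8})\)", text)[1]
    ip, target = args[4], args[1]
    return {
        "module": module,
        "irql": args[2],
        "is_write": args[3] == 1,
        "ip_in_module": start <= ip < end,          # faulting code lives in the module
        "ip_offset": hex(ip - start),               # offset to compare across dumps
        "target_in_module": start <= target < end,  # was the bad write inside the image?
        "stack_modules": Counter(frames),
        "timestamps_match": int(flr, 16) == int(hdr, 16),
    }

if __name__ == "__main__":
    for key, value in triage(DUMP).items():
        print(f"{key}: {value}")
```

Run over the analysis output of several minidumps, the same summary shows whether the faulting module and offset repeat from crash to crash.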
10 Comments
 
LVL 3

Expert Comment

by:rabindrajha
ID: 34907526
0
 
LVL 22

Expert Comment

by:optoma
ID: 34907896
Could be patched.
Run these on the machine and post logs if needed :)
TDSSKiller and HitmanPro.
http://support.kaspersky.com/viruses/solutions?qid=208280684
http://www.surfright.nl/en/hitmanpro
0
 
LVL 13

Author Comment

by:IT_Crowd
ID: 34910561
Do you think it is a malware infection vs a corrupted driver?
0
 
LVL 13

Author Comment

by:IT_Crowd
ID: 34910605
I will run those and let you know.
0
 
LVL 13

Author Comment

by:IT_Crowd
ID: 34910851
All scans passed - no problems found
0
 
LVL 22

Accepted Solution

by:
optoma earned 500 total points
ID: 34910861
More so these days a corrupted driver is due to it being patched :)
0
 
LVL 22

Expert Comment

by:optoma
ID: 34911060
Ok.
1> Can you attach TDSSKiller's log from c:\ and the three recent actual minidump files from c:\windows\minidump?

2> Run Autoruns.
In Autoruns:
Hit Options and check "Verify code signatures" and rescan (F5 key).
Don't make any other changes...

Within Autoruns, select the File tab and select Save (Ctrl+S) and save as AutoRuns Data (*.arn).

Autoruns http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

3> Anything in Event Viewer, red ball errors regarding anything network related?

4> How long has this been happening? Any recent change in AV or FW software or hardware?

5> No recent virus etc. detected?

0
 
LVL 13

Author Comment

by:IT_Crowd
ID: 35129847
Objection - issue has been solved. I would like to assign a solution.
0
 
LVL 13

Author Closing Comment

by:IT_Crowd
ID: 35189115
Good idea - NIC driver was corrupted.
0
