Windows 7 0x0000003b BSOD Random Crashing

mcginnis

New Member
Lately, I have been getting bsod randomly. Any ideas? :D

I uploaded a few of the dump files from those bsod's. Thanks!
 

Attachments

  • Minidump.rar
    74.7 KB · Views: 288
Maybe we should start with AVG.
DUMP:
Code:
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {10, 2, 0, fffff880044101d9}

Unable to load image \SystemRoot\system32\DRIVERS\avgtdia.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for avgtdia.sys
*** ERROR: Module load completed but symbols could not be loaded for avgtdia.sys
Probably caused by : [COLOR=#ff0000][U][B]avgtdia.sys ( avgtdia+11d9 )[/B][/U][/COLOR]

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 0000000000000010, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff880044101d9, address which referenced memory

Debugging Details:
------------------


READ_ADDRESS: GetPointerFromAddress: unable to read from fffff8000370b100
 0000000000000010 

CURRENT_IRQL:  2

FAULTING_IP: 
avgtdia+11d9
fffff880`044101d9 397b18          cmp     dword ptr [rbx+18h],edi

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0xD1

PROCESS_NAME:  avgnsa.exe

TRAP_FRAME:  fffff88006ecb700 -- (.trap 0xfffff88006ecb700)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=fffffa80087ce1b0
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff880044101d9 rsp=fffff88006ecb890 rbp=fffff88006787080
 r8=fffffa80087ce1c0  r9=0000000000000000 r10=0000000000000000
r11=0000fffffffff000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe cy
avgtdia+0x11d9:
fffff880`044101d9 397b18          cmp     dword ptr [rbx+18h],edi ds:66d0:00000000`00000018=????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff800034d81e9 to fffff800034d8c40

STACK_TEXT:  
fffff880`06ecb5b8 fffff800`034d81e9 : 00000000`0000000a 00000000`00000010 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffff880`06ecb5c0 fffff800`034d6e60 : 00000000`00000000 00000000`00000000 00000014`00000000 ffffffff`fffffff8 : nt!KiBugCheckDispatch+0x69
fffff880`06ecb700 fffff880`044101d9 : 00000000`000186a0 fffffa80`0b06a5d0 00000000`00000b12 00000000`00000000 : nt!KiPageFault+0x260
fffff880`06ecb890 00000000`000186a0 : fffffa80`0b06a5d0 00000000`00000b12 00000000`00000000 fffffa80`0b06a500 : [COLOR=#ff0000][U][B]avgtdia+0x11d9[/B][/U][/COLOR]
fffff880`06ecb898 fffffa80`0b06a5d0 : 00000000`00000b12 00000000`00000000 fffffa80`0b06a500 fffff880`04413570 : 0x186a0
fffff880`06ecb8a0 00000000`00000b12 : 00000000`00000000 fffffa80`0b06a500 fffff880`04413570 00000000`00000000 : 0xfffffa80`0b06a5d0
fffff880`06ecb8a8 00000000`00000000 : fffffa80`0b06a500 fffff880`04413570 00000000`00000000 00000000`00000000 : 0xb12


STACK_COMMAND:  kb

FOLLOWUP_IP: 
[COLOR=#ff0000][U][B]avgtdia+11d9[/B][/U][/COLOR]
fffff880`044101d9 397b18          cmp     dword ptr [rbx+18h],edi

SYMBOL_STACK_INDEX:  3

SYMBOL_NAME:  [B][U][COLOR=#ff0000]avgtdia+11d9[/COLOR][/U][/B]

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: [COLOR=#ff0000][U][B]avgtdia[/B][/U][/COLOR]

IMAGE_NAME:  [COLOR=#ff0000][U][B]avgtdia.sys[/B][/U][/COLOR]

DEBUG_FLR_IMAGE_TIMESTAMP:  4e1a2bdd

FAILURE_BUCKET_ID:  X64_0xD1_[COLOR=#ff0000][U][B]avgtdia+11d9[/B][/U][/COLOR]

BUCKET_ID:  X64_0xD1_[B][U][COLOR=#ff0000]avgtdia+11d9[/COLOR][/U][/B]
Uninstall it using programs and features applet in the control panel and follow that up with the vendor specific proprietary removal tool get the correct one for your architecture. Replace with MSE from here.
If Blue Screens persist;
Please read the first post in this sticky thread here How to ask for help with a BSOD problem
Do your best to accumulate the data required.
Run the SF Diagnostic tool (download and right click the executable and choose run as administrator)
Download and run CPUz. Use the Windows snipping tool to gather images from all tabs including all slots populated with memory under the SPD tab.
Likewise RAMMon. Export the html report, put everything into a desktop folder that you've created for this purpose, zip it up and attach it to your next post (right click it and choose send to, compressed (zipped) folder.
You have any number of old, pre Windows 7 RTM, that you may want to address, perhaps use google to see if you can find some updates from the applicable vendors. You can start with these;
RTCore64.sys
5/25/2005 0:39
GEARAspiWDM.sys
8/7/2006 11:11
ElbyCDFL.sys
12/14/2006 15:22
wacommousefilter.sys
2/16/2007 12:12
nvstor64.sys
7/2/2007 18:35
SCDEmu.SYS
8/7/2007 9:19
RTKVHD64.sys
9/9/2008 4:06
nvm62x64.sys
10/17/2008 15:01
adfs.SYS
11/3/2008 10:48
RimSerial_AMD64.sys
11/24/2008 11:01
ElbyCDIO.sys
2/17/2009 11:11
wacomvhid.sys
5/20/2009 13:53
netr28ux.sys
5/24/2009 22:38
FileLock.sys
5/30/2009 9:11
 
Thanks, I'll do what you suggested. Quick question though, what is the ntoskrnl.exe? On all three dumps that's the red one that seems to be the issue? Avg only showed once.
 
Not sure where you are seeing the ntoskrnl.exe but it any case that is a system process integral to the Operating System same with the other two files mentioned in the other two (of three) dump files;
ntkrnlmp.exe: Google it.
Code:
.....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1000007E, {ffffffffc0000005, fffff800034ad3b5, fffff88003532608, fffff88003531e60}
Probably caused by : [COLOR=#ff0000][U][B]ntkrnlmp.exe[/B][/U][/COLOR] ( nt!FsFilterPerformCallbacks+35 )
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem
and
win32k.sys
Code:
.....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 3B, {c0000005, fffff800034b37e9, fffff8800c1af0e0, 0}
Probably caused by : [COLOR=#ff0000][U][B]win32k.sys[/B][/U][/COLOR] ( win32k!GreLockVisRgnShared+41 )
Followup: MachineOwner
---------
1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Often these system files are picked up in the Bugcheck and get blamed but are rarely if ever actually at fault.
 
Cool thanks! And sorry, I dl'd this dump viewer and it showed that file as the main cause (red) or so I thought. XD I'll look into doing the updates and such and hopefully it all works out.
 
Did the seven forums folder with cpu-z pics. I uninstalled if not updated the drivers you listed. (Through control panel after finding what program it goes to) I still got a BSOD this morning while getting on firefox and ie. :( Also, uninstalled avg and using mse now. Plz help...
 

Attachments

  • Seven Forums.zip
    2.9 MB · Views: 366
Thanks for the attachment, but it doesn't contain (for some reason) your most recent dump file from today that you mention above. Please attach that so we can have a look. Thanks
 
It didn't make one... o_O It went BSOD said it dumped it and when it rebooted I didn't get a notification like I always do after a crash saying it crashed. So no dump file. One of the dump files included is really recent, about a day or so ago.
 
We're going to need new dump files to forward the diagnostic process. And to see any impact you changes and adjustments have had on your current configuration. So....
Double check and make sure nothing has changed regarding how you are writing .dmp(s)
  1. Go to Start and type in sysdm.cpl and press Enter
  2. Click on the Advanced tab
  3. Click on the Startup and Recovery Settings button
  4. Ensure that Automatically restart is unchecked
  5. Under the Write Debugging Information header select Small memory dump (256 kB) in the dropdown box
  6. Ensure that the Small Dump Directory is listed as %systemroot%\Minidump << where your .dmp files can be found later
  7. Click OK twice to exit the dialogs, then reboot for the changes to take effect.
SOURCE: http://windows7forums.com/blue-screen-death-bsod/38837-how-ask-help-bsod-problem.html#post140795


In the mean time I don't suppose a little TLC would hurt at you discretion perhaps a disk cleanup with either the built in utility or Ccleaner, a couple passes with the built in disk defrag utility. From an elevated command prompt
type chkdsk C: /R answer yes "Y" to the prompt and reboot let it finish all five stages and see what it has to say. Again from an elevated command prompt type sfc /scannow, see if that produces any information.
Install, update and run Malwarebytes see if that finds anything worth mentioning.
 
Last edited:
Done :) The small memory dump wasn't selected so I did that and everything else. ^_^ Thanks for the TLC. lol have forgotten to do that for a while.
 
Yes, I think that's where we are right now.
Any new .dmp(s) attach to your next post and we'll proceed from there.
 
My thought, from lots of past experiance: IRQL Blue Screens are either due to shoddy drivers, or faulty RAM. In either case, the module that crashes is usually not the root cause, just the bystander that got hit by the effects. A memory diagnostic using either Memtest86 or Microsoft Memory Diagnostic couldn't hurt, just to rule out the case of bad RAM.
 
My thought, from lots of past experiance: IRQL Blue Screens are either due to shoddy drivers, or faulty RAM. In either case, the module that crashes is usually not the root cause, just the bystander that got hit by the effects. A memory diagnostic using either Memtest86 or Microsoft Memory Diagnostic couldn't hurt, just to rule out the case of bad RAM.

Thanks :D I'll do that and see if there's any errors.
 
Well I was hoping it wouldn't BSOD anymore but yep happened again tonight. :( Gave me a dump file though so let me know if anything screams out.
 

Attachments

  • 120411-23961-01.rar
    29.9 KB · Views: 193
Update the following drivers
GEARAspiWDM.sys 8/7/2006 from here Driver updates - GEAR Software
adfs.SYS 11/3/2008 Adobe Drive File System Driver
mcdbus.sys 2/24/2009 MagicISO SCSI Host Controller
netr28ux.sys 5/24/2009 Looks like a RaLink 2870, you might give this link a try Ralink-A MEDIATEK COMPANY best to confirm first exactly what type of network adapter it is.
FileLock.sys 5/30/2009 File Lock Kernel Modual from Gili Soft Inc.
All are pre-Windows 7 RTM and should be updated if possible. If not then uninstalled by uninstalling the associated software or device. Or as a last resort consider renaming the file extension .sys to .BAK easily reversed if problem present.
Additionally it looks like you have a relatively old version of True Image from Acronis installed
snapman.sys 9/8/2009
timntr.sys 8/17/2009
Not sure about its' compatibility with Windows 7, you may want to consider upgrading that as well.
Nothing spectacular about the
DUMP:
Code:
.....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck D1, {28000e003f, 2, 0, fffff88004d3e6e7}
[COLOR=#ff0000][U][B]Probably caused by : USBPORT.SYS[/B][/U][/COLOR] ( USBPORT!USBPORT_Core_iCheckAbortList+c3 )
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  [COLOR=#ff0000][U][B]This is usually
caused by drivers using improper addresses.[/B][/U][/COLOR]
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000028000e003f, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff88004d3e6e7, address which referenced memory
Debugging Details:
------------------
READ_ADDRESS: GetPointerFromAddress: unable to read from fffff80003907100
 00000028000e003f 
CURRENT_IRQL:  2
FAULTING_IP: 
USBPORT!USBPORT_Core_iCheckAbortList+c3
fffff880`04d3e6e7 8b5740          mov     edx,dword ptr [rdi+40h]
CUSTOMER_CRASH_COUNT:  1
DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
BUGCHECK_STR:  0xD1
PROCESS_NAME:  System
TRAP_FRAME:  fffff80000b9c940 -- (.trap 0xfffff80000b9c940)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=00000000fe3dbc49 rbx=0000000000000000 rcx=fffffa80090a7920
rdx=fffffa8008eb91a0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff88004d3e6e7 rsp=fffff80000b9cad0 rbp=fffffa800733c260
 r8=0000000058726261  r9=000000000000000b r10=00000000ffffffff
r11=fffffa8008eb91a0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na pe nc
USBPORT!USBPORT_Core_iCheckAbortList+0xc3:
fffff880`04d3e6e7 8b5740          mov     edx,dword ptr [rdi+40h] ds:c390:00000000`00000040=????????
Resetting default scope
LAST_CONTROL_TRANSFER:  from fffff800036d41e9 to fffff800036d4c40
STACK_TEXT:  
fffff800`00b9c7f8 fffff800`036d41e9 : 00000000`0000000a 00000028`000e003f 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffff800`00b9c800 fffff800`036d2e60 : ffffffff`00000000 fffffa80`0a9fd2b0 fffffa80`08eb9ba0 fffffa80`08eb9050 : nt!KiBugCheckDispatch+0x69
fffff800`00b9c940 fffff880`04d3e6e7 : fffffa80`0a9fd7b0 fffffa80`07438cc0 fffffa80`08eb9050 fffff880`04d379b9 : nt!KiPageFault+0x260
fffff800`00b9cad0 fffff880`04d3ac9a : fffffa80`08eb9eb0 00000000`ffffffff fffffa80`08eb9050 fffff880`04d3956a : USBPORT!USBPORT_Core_iCheckAbortList+0xc3
fffff800`00b9cb20 fffff880`04d3bb0f : fffffa80`0733c202 fffffa80`0ae3bc60 00000000`ffffffff fffffa80`08eb9eb0 : USBPORT!USBPORT_Core_iCompleteDoneTransfer+0x7e
fffff800`00b9cc00 fffff880`04d3966f : fffffa80`08eb9eb0 fffffa80`08eb91a0 fffffa80`08eba050 00000000`00000000 : USBPORT!USBPORT_Core_iIrpCsqCompleteDoneTransfer+0x3a7
fffff800`00b9cc60 fffff880`04d2af89 : fffffa80`08eb9050 00000000`00000000 fffffa80`08eb9e02 fffffa80`08eb9eb0 : USBPORT!USBPORT_Core_UsbIocDpc_Worker+0xf3
fffff800`00b9cca0 fffff800`036e00ac : fffff800`0384ae80 fffffa80`08eb9eb0 fffffa80`08eb9ec8 00000000`00000000 : USBPORT!USBPORT_Xdpc_Worker+0x1d9
fffff800`00b9ccd0 fffff800`036cc96a : fffff800`0384ae80 fffff800`03858cc0 00000000`00000000 fffff880`04d2adb0 : nt!KiRetireDpcList+0x1bc
fffff800`00b9cd80 00000000`00000000 : fffff800`00b9d000 fffff800`00b97000 fffff800`00b9cd40 00000000`00000000 : nt!KiIdleLoop+0x5a
STACK_COMMAND:  kb
FOLLOWUP_IP: 
USBPORT!USBPORT_Core_iCheckAbortList+c3
fffff880`04d3e6e7 8b5740          mov     edx,dword ptr [rdi+40h]
SYMBOL_STACK_INDEX:  3
SYMBOL_NAME:  USBPORT!USBPORT_Core_iCheckAbortList+c3
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: USBPORT
IMAGE_NAME:  USBPORT.SYS
DEBUG_FLR_IMAGE_TIMESTAMP:  4d8c0c08
FAILURE_BUCKET_ID:  X64_0xD1_USBPORT!USBPORT_Core_iCheckAbortList+c3
BUCKET_ID:  X64_0xD1_USBPORT!USBPORT_Core_iCheckAbortList+c3
Followup: MachineOwner
 
In addition to the ones listed above I just found one other driver that deserves some immediate attention as well
sptd.sys 03/22/2009 Usually associated with Daemon Tools use the utility found here DuplexSecure - Downloads make sure go get the one for your architecture (32 or 64 bit) and be sure to click Uninstall to remove it.
Sorry I missed it earlier.
 
Back
Top