I need someone to interpret a few mini dumps.

Status
Not open for further replies.

Karmashock

Posts: 223   +0
I'm currently going through the process of educating myself about these debugging apps, but I'd appreciate some help with the problem that started it all.

---------Skip if you just want to read the mini dump----------
==============================================
==============================================
XP SP2
AMD X2 4200
ABIT AN8 Ultra
512 x 2
ATI X850 Pro

The system is crashing whenever I launch specific apps or specific operations.

All my drivers are new, the memory has been thoroughly tested, and I don't believe I have any spyware or viruses. I'm assuming that one of my drivers might be corrupt or there is a bad registry entry.


I've got all kinds of symptoms:

---------------Error and reboot------------------

Mounting an image in Daemon tools 4 will cause it.
Closing Notepad will cause it.
Closing the MMC will cause it.
Closing System properties will cause it.
<I now fear closing things...>

There are a few other apps that will cause it as well, but most don't cause a lock up. These will cause it every time. I can get around the issue by force quitting the app through the task manager.

---------General Weirdness--------------------
The system manager that is accessed by right clicking on "my computer" is largely unusable unless I boot up in safe mode. The logical disk manager "can not find the registry key", system policy won't load, and most of the other apps in that group don't work.

The Services mmc accessed through the "admin tools" folder in the control panels reports a script error when opened and will not display the help information for any of the services. I believe the error was something like "cannot find OLE <something or other>". At any rate, it works perfectly in safe mode. However, if I open the properties on any of the services, that causes a system lock up and reboot.

Anyway, I'm hoping these mini dumps will shed some light on all of this.

The mini dumps can be reached here
http://www.yourfilelink.com/get.php?fid=36270

There are four of them in one rar file of about 60 KB.
 
Please read this thread before posting minidumps:
https://www.techspot.com/vb/topic35103.html

Then post the minidumps as an ATTACHMENT. Not many people will follow outside links like that. I tried it and had to block two or three popups before I just closed the page. So please ZIP 5 or 6 of them and attach them.

We'll go from there.
 
I've done all of that. It isn't the memory.

Here are some brand new ones... the system is rebooting about once an hour because I keep trying things.


It especially hates any kind of ISO loader or virtual drive software of ANY KIND. Most of the system stability issues and bugs go away if I uninstall them all. But some still remain and of course if I reinstall those programs the system stability issues come right back.

I'm using WinDbg now and most of the minidumps generate this:

"Probably caused by : ntkrpamp.exe ( nt!CmpCloseKeyObject+33 )"
 
Hello and welcome to Techspot.

2 minidumps crash at b347bus.sys. This is a rootkit driver.

Your system is infected by a rootkit infection.

Go HERE and follow the instructions.

If that doesn't help, back up your important data and reformat and reinstall.

Regards Howard :wave: :wave:
 
Actually, it's a renamed daemon tools driver... typically that file starts with a D, but it said there was already a driver by that name when I was doing one of my many reinstalls... so I tried just going from D to B... and it installed... didn't help me... but it installed at least.


As to this rootkit program... thanks for clueing me into this... you may well be right about me having this.

Ok... Rootkit revealer output this after the scan:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System* 7/18/2005 5:40 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg 1/17/2006 10:40 AM 0 bytes Access is denied.


Should I go in and delete those registry entries?

I'm fairly certain neither is critical, so I'm happy to try it...
 
All your minidumps crash with a bugcheck of 8E.

Now that I know that it was you that renamed the file, you can forget the rootkit lol. Funny how you renamed the file to a rootkit name.

0x0000008E: KERNEL_MODE_EXCEPTION_NOT_HANDLED

A kernel mode program generated an exception which the error handler didn’t catch. These are nearly always hardware compatibility issues (which sometimes means a driver issue or a need for a BIOS upgrade).

Daemon tools is known to cause problems on some systems. Try uninstalling the programme, and see how it goes.

Regards Howard :)
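The post above reads the bugcheck code out of the minidumps by hand. As an added example (not code from this thread and not part of WinDbg), the script below parses the `BugCheck` and `Probably caused by` lines that WinDbg prints after loading a minidump, decodes the parameters of 0x8E / 0x1000008E (exception code, faulting address, trap frame), and tallies which module each dump blames, so that one odd driver stands out when you have a pile of dumps. The first sample summary is the one quoted later in this thread; the other two are constructed for the example with made-up addresses.

```python
"""Triage several WinDbg minidump summaries at once.

Added example (not code from the thread or from WinDbg): it parses the
'BugCheck' and 'Probably caused by' lines that WinDbg prints after loading a
minidump, decodes the parameters of bugcheck 0x8E / 0x1000008E, and tallies
which module each dump blames, so one odd driver stands out across crashes.
"""
import re
from collections import Counter

# 0x1000008E is the form of 0x8E that WinDbg reports for minidumps.
BUGCHECK_NAMES = {
    0x8E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED",
    0x1000008E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED",
}

# NTSTATUS exception codes commonly seen as parameter 1 of 0x8E.
EXCEPTION_CODES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0x80000003: "STATUS_BREAKPOINT",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
}

BUGCHECK_RE = re.compile(r"BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}")
CAUSE_RE = re.compile(r"Probably caused by\s*:\s*(\S+)\s*\(\s*([^)]*?)\s*\)")

# Sample summaries. The first is the one quoted in this thread; the other two
# are constructed for the example (made-up addresses) to show the tally.
SAMPLE_SUMMARIES = [
    "BugCheck 1000008E, {c0000005, 806350cd, a87c6c28, 0}\n"
    "Probably caused by : ntkrpamp.exe ( nt!CmpCloseKeyObject+33 )\n",
    "BugCheck 1000008E, {c0000005, f7a1b2c3, a87c6a00, 0}\n"   # constructed
    "Probably caused by : b347bus.sys ( b347bus+1a2b )\n",
    "BugCheck 1000008E, {c0000005, f7a1b2d0, a87c6b10, 0}\n"   # constructed
    "Probably caused by : b347bus.sys ( b347bus+1a38 )\n",
]


def parse_summary(text):
    """Return a dict for one WinDbg summary, or None if it has no BugCheck line."""
    m = BUGCHECK_RE.search(text)
    if not m:
        return None
    code = int(m.group(1), 16)
    params = [int(p.strip(), 16) for p in m.group(2).split(",") if p.strip()]
    info = {
        "code": code,
        "name": BUGCHECK_NAMES.get(code, "UNKNOWN_0x%X" % code),
        "params": params,
        "module": None,
        "symbol": None,
    }
    c = CAUSE_RE.search(text)
    if c:
        info["module"], info["symbol"] = c.group(1), c.group(2)
    if code in BUGCHECK_NAMES and len(params) >= 3:
        # 0x8E parameters: 1 = exception code, 2 = faulting address,
        # 3 = trap frame address (inspect it in WinDbg with .trap <addr>).
        info["exception"] = EXCEPTION_CODES.get(params[0], "0x%08X" % params[0])
        info["fault_address"] = params[1]
        info["trap_frame"] = params[2]
    return info


def tally_modules(summaries):
    """Count how many summaries blame each module; unparsable ones are skipped."""
    counts = Counter()
    for text in summaries:
        info = parse_summary(text)
        if info and info["module"]:
            counts[info["module"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for text in SAMPLE_SUMMARIES:
        info = parse_summary(text)
        print("%s  %s at 0x%08X  blamed: %s (%s)" % (
            info["name"], info["exception"], info["fault_address"],
            info["module"], info["symbol"]))
    print("modules blamed:", tally_modules(SAMPLE_SUMMARIES))
```

The tally is the useful part: a kernel module such as ntkrpamp.exe being "blamed" once among dumps that otherwise point at a third-party driver usually means the kernel was just the last code on the stack, not the culprit, which is the trap the thread runs into.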
 
It is odd to be blaming Ntkrpamp.exe, if you've done a little searching, you may have found what I did, that this file is the multiprocessor version of the special PAE supported kernel. PAE is the Physical Address Extension module that allows Windows to support more than 4GB of RAM, up to 64GB of RAM. The Ntkrpamp.exe file is the multiprocessor version of the regular PAE module which is ntkrnlpa.exe.
In order to be using this kernel, the /PAE option needs to be set in boot.ini.

I'm not sure why it is blaming that file. But unless you are running something like Windows 2003 Datacenter with 64GB of RAM, you shouldn't be using that file. Check your boot.ini and be sure /PAE is not there. And also remove /NOLOWMEM if it is there.

Not sure if that is relevant info to your issue, but that's what I found on that file.

As for the rootkit, you can delete the ControlSet005 entry, that probably isn't doing anything as it isn't the current control set in use. The other one doesn't really look bad.
And the b347bus.sys file seems odd to me, being renamed and all, and being that it said there was a driver like this already installed. Besides, this is where you're crashing, and you already said that removing these programs stops a lot of the crashing.
If there is already a driver loaded by that name, maybe find out what is using it, you may have a ghosted or duplicate driver loaded.

I might suggest, if you already know your hardware is good, and you have no spyware/viruses/malware/hijacks etc... that you run a registry cleaner.
I would say, uninstall all the programs that cause trouble, then be sure their program folders and files are deleted (do a search). Then run programs like Windoctor, RegSurpreme, Regscrub. This should remove any pointers to the missing files.

And then, before reinstalling them, make sure the system is stable and doesn't crash.

Good luck
 
I've recently figured out how to use windbg and have seen that most of my very recent dump files continue to refer to that 'kernel?' so that appears to be what is erroring out. I should say that most of the time it's not making a dump file at all. It's erroring out so completely that I don't think it can do it. Can someone give me a link to the method for doing an active debug... you know the kind that uses a serial cable?
In my readings through the MS site it said that /PAE was "implied" in some of the other switches... I think the DEP related switches imply it... unless explicitly told /NOPAE or something like that...

I'll try that switch... Anyway, removing daemon tools, which has worked flawlessly for months and months, does fix most of the problems. But I don't find that acceptable for obvious reasons. Not having access to any kind of virtual drive software is deeply irritating. Not even alcohol's virtual drive software will work.

I think I might be suffering from some anti piracy software... I play a lot of games LEGITIMATELY... but that still means I have to install starforce and I'm forever finding weird hidden files put on my computer by various cds...


Several of these games do in fact require that I uninstall daemon tools before I even play them... seriously annoying but I don't mind that much.
 
Update: Still having the problem...
Microsoft (R) Windows Debugger Version 6.6.0003.5
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini030306-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*D:\Debugsymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_gdr.050301-1519
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055c700
Debug session time: Fri Mar 3 05:37:23.421 2006 (GMT-8)
System Uptime: 0 days 0:02:31.109
Loading Kernel Symbols
....................................................................................................................................................
Loading User Symbols
Loading unloaded module list
............
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000008E, {c0000005, 806350cd, a87c6c28, 0}

Probably caused by : ntkrpamp.exe ( nt!CmpCloseKeyObject+33 )

Followup: MachineOwner
---------
--------------------------------------------------
I've been told that dual core systems use ntkrpamp.exe regardless of whether PAE is enabled or not. Is that true? If so, can I 'try' to use the other one?
--------------------------------------------------
Rootkit reveal output this awhile ago:
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 3/3/2006 1:41 AM 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System* 7/18/2005 5:40 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg 1/17/2006 10:40 AM 0 bytes Access is denied.
C:\Documents and Settings\<name>\Cookies\wilbere end@statcounter[1].txt 3/3/2006 1:42 AM 93 bytes Hidden from Windows API.
C:\Documents and Settings\<name>\Cookies\wilbere end@statcounter[2].txt 3/1/2006 6:46 PM 94 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\<name>\Local Settings\Temporary Internet Files\Content.IE5\6TUPWHGB\client[1].htm 3/3/2006 1:42 AM 6.79 KB Hidden from Windows API.
C:\Documents and Settings\<name>\Local Settings\Temporary Internet Files\Content.IE5\E58VIFAR\client[1].htm 3/1/2006 6:46 PM 6.79 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\<name>\Local Settings\Temporary Internet Files\Content.IE5\E58VIFAR\t[1].png 3/3/2006 1:42 AM 161 bytes Hidden from Windows API.
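RootkitRevealer prints one discrepancy per line as `<path> <date> <time> <size> <description>`, and the list above mixes a couple of entries worth a look with several that are just files changing while the scan ran. As an added example (not code from this thread and not part of the Sysinternals tool), the script below parses that line format and sorts the entries into "review" and "scan-time churn" buckets. The sample lines are the ones quoted in the post above, with the thread's own `<name>` placeholder kept; the `VOLATILE_HINTS` list and the verdict rules are this example's own heuristics, not something RootkitRevealer itself provides.

```python
"""Sort RootkitRevealer discrepancies into reviewable buckets.

Added example, not from the thread: parses RootkitRevealer's
'<path> <date> <time> <size> <description>' lines and separates the few
entries that deserve a manual look from scan-time churn. VOLATILE_HINTS
and the verdict rules are this example's own heuristics.
"""
import re

# The path is matched lazily because it can contain spaces; the date/time
# stamp that follows it is the distinctive anchor.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M)\s+"
    r"(?P<size>[\d.]+ (?:bytes|KB|MB))\s+"
    r"(?P<desc>.+?)\s*$"
)

UNITS = {"bytes": 1, "KB": 1024, "MB": 1024 * 1024}

# Locations whose contents legitimately change while the scan runs
# (heuristic list for this example, compared case-insensitively).
VOLATILE_HINTS = (
    "\\Cookies\\",
    "\\Temporary Internet Files\\",
    "\\Temp\\",
    "\\Cryptography\\RNG\\Seed",
)

# Lines quoted in this thread (the <name> placeholder is the thread's own).
SAMPLE_OUTPUT = [
    r"HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 3/3/2006 1:41 AM 80 bytes Data mismatch between Windows API and raw hive data.",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System* 7/18/2005 5:40 AM 0 bytes Key name contains embedded nulls (*)",
    r"HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg 1/17/2006 10:40 AM 0 bytes Access is denied.",
    r"C:\Documents and Settings\<name>\Cookies\wilbere end@statcounter[1].txt 3/3/2006 1:42 AM 93 bytes Hidden from Windows API.",
    r"C:\Documents and Settings\<name>\Local Settings\Temporary Internet Files\Content.IE5\6TUPWHGB\client[1].htm 3/3/2006 1:42 AM 6.79 KB Hidden from Windows API.",
    r"C:\Documents and Settings\<name>\Local Settings\Temporary Internet Files\Content.IE5\E58VIFAR\client[1].htm 3/1/2006 6:46 PM 6.79 KB Visible in Windows API, but not in MFT or directory index.",
]


def parse_line(line):
    """Return a dict for one RootkitRevealer line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    value, unit = m.group("size").split()
    path = m.group("path")
    return {
        "path": path,
        "when": m.group("when"),
        "size_bytes": int(round(float(value) * UNITS[unit])),
        "desc": m.group("desc"),
        "kind": "registry" if path.upper().startswith(("HKLM\\", "HKCU\\", "HKU\\")) else "file",
        "volatile": any(h.lower() in path.lower() for h in VOLATILE_HINTS),
    }


def verdict(entry):
    """Heuristic verdict for one parsed entry (this example's own rules)."""
    desc = entry["desc"]
    if entry["volatile"]:
        return "scan-time churn (re-run with browser closed to confirm)"
    if desc.startswith("Hidden from Windows API"):
        return "REVIEW: object hidden from the API outside a volatile location"
    if "embedded nulls" in desc:
        return "REVIEW: null-embedded key name (some legitimate software does this too)"
    if desc.startswith("Access is denied"):
        return "REVIEW: protected key, identify the owning driver or service"
    return "low priority"


def triage(lines):
    """Parse every line; return [(path, verdict)] with REVIEW items first."""
    entries = [e for e in (parse_line(l) for l in lines) if e]
    ranked = sorted(entries, key=lambda e: not verdict(e).startswith("REVIEW"))
    return [(e["path"], verdict(e)) for e in ranked]


if __name__ == "__main__":
    for path, v in triage(SAMPLE_OUTPUT):
        print("%-90s %s" % (path[:90], v))
```

On the thread's own list this leaves two items to look at: the null-embedded key name and the access-denied sptd\Cfg key (sptd being the SCSI pass-through driver that the thread's virtual drive software installs), while the cookies, temporary internet files and the RNG seed fall into the churn bucket.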
 
From rootkit, I don't like the temp files and cookies being in there, you should probably delete those.

Dual core using ntkrpamp would make sense I suppose. If the file itself is bad, it would probably get replaced if you ran a sfc /scannow. So try that, you'll need your XP CD handy.

Are you sending the error reports? If not, you should, see if MS has any fixes.

The problem may not be that file, but it could be a hardware issue that manifests itself in that file. Like a CPU or RAM issue, something with the cache perhaps.
I don't have time to research it right this minute, but I would run some CPU tests, and then research that file some more.
Might be a good idea to run rootkitrevealer again and see what it says now.
 
Figured it out! :unch:

Ok, I went to the device manager and I disabled everything that would let me disable it.


Then I rebooted. Tried to replicate the problem, just as in safe mode, I didn't have the problem.


So I enabled a few that I was almost positive were safe (USB/CDROM/NIC/etc) and rebooted. Tried to replicate the problem and I was still not getting it.

So I went back to the device manager and enabled the sound card. The sound card doesn't need a reboot, so I just tried it right there... no problem.

I enabled the video card, rebooted, GOT THE PROBLEM!


Freakn' ATI. They're the newest drivers and the dump file didn't say squat about it.


So my new ati drivers or 'something' to do with that card must be causing the problem.

I really don't want to have to go out and shell out another 350 for a new card. Any suggestions?
 
Hmm, that would be really odd, but then this whole thing has been odd from the beginning.
You CAN load older drivers, perhaps the newest ones weren't 100% stable?

You can also make sure you are NOT loading the WDM driver, or capture driver as it may be called. Sometimes the capture part of the driver causes all havoc if the video doesn't have that function.

In safe mode, uninstall the ati software from control panel, make sure the card is deleted, and then run driver cleaner. Then download and reload the video driver again. Download just the driver and control panel, don't do the full forceware.
 
Also figured out what was going on with daemon tools.


Daemon tools was NOT causing the error. It was the autorun program on several images interacting with the video drivers in some way.


I've noticed that if I turn off my drivers and run that auto run, the screen refresh rate resets. I assume this because the screen goes black for a second (drivers off) and comes back at the same resolution... you can hear that 'click' in the CRT that associated with any kind of change in the display settings.


I believe it is this 'change' that causes my video drivers to error out. I still don't understand the other issues like MMC being screwed and closing notpad causing the system to lock up.


I've loaded some other images and it seems that only 'some' autoruns (not many) cause the issue.


I typically run screen setting of 1280x1080 32bit 75RF... I have been unable to duplicate the problem by changing my refresh rate, res, or bit rate. It appears to only happen when 'specific applications' do it. I know Notepad or the MMC aren't doing it... but that autorun program is definitely doing it... and a game that errored out a long time ago (where all this stupidity started) probably did it as well. The game was "the incredibles ROTU"... looked like a good platformer... anyway, that is where I FIRST saw the error. Not on putting the CD in or installing it... but when first run POP... and I've been having weird crashes ever since.


I've assumed that there was some kind of copyprotection that's screwing my system up... but so far I've been unable to isolate it.


One thing is for sure... in my next upgrade cycle... I'm going nVidia... I used to be an ATI man... I've been using their cards since 3Dfx was bought out by nVidia... oh well...
 
I wouldn't throw out ATI just for that, you still can't be sure it is that only. Because I had the same experience with Nvidia so I switched to ATI. Neither are without any issues.
Currently I'm happy with my ATI X850 XT PE. Runs rock solid.

Glad you are tracking the issue down. Sounds like it may be time for a reload, get some fresh drivers loaded, work out the incompatible files floating around. Reloading is a lot cheaper for you than buying a new $300+ video card.
 
Yeah... I also don't want to switch... each brand has its issues and I have most of ATI's figured out...


I've found a LOT of copyprotection software installed on this machine... I still think it's the root cause... but I can't seem to stop the problem cold.


I found starforce drivers OF COURSE... and some files from a company called "Anticracking" which I researched a bit and they're copyprotection as well...


there are a few others that I found... but I thought I had removed them all...


I really wish anti spyware apps would kill these programs... I hate them...
 
The only experience I've had with games and emulators is Star Wars Battlefront. It won't run if it detects a CD-ROM emulator. So I had to crack the exe to remove the emu check to be able to use Alcohol 52% to run the game. It was a pain in the ****, so I feel for ya.

Sysinternals' Rootkitrevealer should put out some of the most hidden copyright or drm modules. Otherwise you have to find them manually and remove the files and registry entries. But then that may make a particular program not work which uses it. So it's kind of a pickle for sure.
 
At this point I really don't care what program stops working because I removed the copy protection as long as it isn't something huge like daemon tools or my video card drivers...
 