BlueScreen: Memory Dump

bradfells · Oct 5, 2010

Hey, I've been having some issues with Vista lately. I have been getting BSOD a few times a day and it is getting to where windows is near unusable.

The minidump files are attached, if there is anything else I can provide to help solve this issue just let me know. Thanks for any and all help!

-Brad

Jonathan_King · Oct 5, 2010

I wonder if this is caused by malware. I can find no information on the driver vwnvstf.sys, which is blamed by all of your dumps.

Do a virus scan with Malwarebytes:

Malwarebytes Anti-Malware - Reviews and free Malwarebytes Anti-Malware downloads at Download.com

AVG is mentioned in the dumps as well, which does not surprise me. Remove it with this tool: http://download.avg.com/filedir/util/avg_arm_sup_____.dir/avgremover.exe

Replace it with MSE: http://www.microsoft.com/security_essentials

Please follow these directions: http://www.vistax64.com/crashes-debugging/282419-blue-screen-death-bsod-posting-instructions.html

That may tell us what that file is.

...Summary of the Dumps:

Code:

[font=lucida console]
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntkrpamp.exe - 
Built by: 6002.18267.x86fre.vistasp2_gdr.100608-0458
Debug session time: Tue Oct  5 01:26:24.630 2010 (UTC - 4:00)
System Uptime: 0 days 1:13:41.471
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntkrpamp.exe - 
*** WARNING: Unable to verify timestamp for vwnvstf.sys
*** ERROR: Module load completed but symbols could not be loaded for vwnvstf.sys
BugCheck D1, {a39bf000, 2, 0, 806c5ccb}
Probably caused by : vwnvstf.sys ( vwnvstf+4ccb )
BUGCHECK_STR:  0xD1
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntkrpamp.exe - 
Built by: 6002.18267.x86fre.vistasp2_gdr.100608-0458
Debug session time: Mon Oct  4 20:42:54.663 2010 (UTC - 4:00)
System Uptime: 0 days 1:07:19.489
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntkrpamp.exe - 
*** WARNING: Unable to verify timestamp for vwnvstf.sys
*** ERROR: Module load completed but symbols could not be loaded for vwnvstf.sys
BugCheck D1, {cc27c000, 2, 0, 8069fccb}
Probably caused by : vwnvstf.sys ( vwnvstf+4ccb )
BUGCHECK_STR:  0xD1
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntkrpamp.exe - 
Built by: 6002.18267.x86fre.vistasp2_gdr.100608-0458
Debug session time: Sun Oct  3 20:52:32.080 2010 (UTC - 4:00)
System Uptime: 0 days 0:11:26.781
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntkrpamp.exe - 
*** WARNING: Unable to verify timestamp for vwnvstf.sys
*** ERROR: Module load completed but symbols could not be loaded for vwnvstf.sys
BugCheck D1, {a3899000, 2, 0, 80697ccb}
*** WARNING: Unable to verify timestamp for avgtdix.sys
*** ERROR: Module load completed but symbols could not be loaded for avgtdix.sys
Probably caused by : vwnvstf.sys ( vwnvstf+4ccb )
BUGCHECK_STR:  0xD1
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntkrpamp.exe - 
Built by: 6002.18267.x86fre.vistasp2_gdr.100608-0458
Debug session time: Sun Oct  3 20:39:59.120 2010 (UTC - 4:00)
System Uptime: 0 days 0:12:53.821
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntkrpamp.exe - 
*** WARNING: Unable to verify timestamp for vwnvstf.sys
*** ERROR: Module load completed but symbols could not be loaded for vwnvstf.sys
BugCheck D1, {a7b0f000, 2, 0, 80693ccb}
*** WARNING: Unable to verify timestamp for avgtdix.sys
*** ERROR: Module load completed but symbols could not be loaded for avgtdix.sys
Probably caused by : vwnvstf.sys ( vwnvstf+4ccb )
BUGCHECK_STR:  0xD1
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntkrpamp.exe - 
Built by: 6002.18267.x86fre.vistasp2_gdr.100608-0458
Debug session time: Sun Oct  3 16:28:30.225 2010 (UTC - 4:00)
System Uptime: 0 days 0:26:17.051
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntkrpamp.exe - 
*** WARNING: Unable to verify timestamp for vwnvstf.sys
*** ERROR: Module load completed but symbols could not be loaded for vwnvstf.sys
BugCheck D1, {ca400000, 2, 0, 82aa0ccb}
*** WARNING: Unable to verify timestamp for avgtdix.sys
*** ERROR: Module load completed but symbols could not be loaded for avgtdix.sys
Probably caused by : vwnvstf.sys ( vwnvstf+4ccb )
BUGCHECK_STR:  0xD1
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntkrpamp.exe - 
Built by: 6002.18267.x86fre.vistasp2_gdr.100608-0458
Debug session time: Sun Oct  3 15:35:22.482 2010 (UTC - 4:00)
System Uptime: 0 days 23:13:48.964
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntkrpamp.exe - 
*** WARNING: Unable to verify timestamp for vwnvstf.sys
*** ERROR: Module load completed but symbols could not be loaded for vwnvstf.sys
BugCheck D1, {a8447000, 2, 0, 806c6ccb}
*** WARNING: Unable to verify timestamp for avgtdix.sys
*** ERROR: Module load completed but symbols could not be loaded for avgtdix.sys
Probably caused by : vwnvstf.sys ( vwnvstf+4ccb )
BUGCHECK_STR:  0xD1
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntkrpamp.exe - 
Built by: 6002.18267.x86fre.vistasp2_gdr.100608-0458
Debug session time: Sat Oct  2 15:53:55.025 2010 (UTC - 4:00)
System Uptime: 1 days 14:27:43.728
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntkrpamp.exe - 
*** WARNING: Unable to verify timestamp for vwnvstf.sys
*** ERROR: Module load completed but symbols could not be loaded for vwnvstf.sys
BugCheck D1, {aef73000, 2, 0, 806c8ccb}
*** WARNING: Unable to verify timestamp for avgtdix.sys
*** ERROR: Module load completed but symbols could not be loaded for avgtdix.sys
Probably caused by : vwnvstf.sys ( vwnvstf+4ccb )
BUGCHECK_STR:  0xD1
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨
Built by: 6001.18488.x86fre.vistasp1_gdr.100608-0458
Debug session time: Wed Sep 29 20:17:08.726 2010 (UTC - 4:00)
System Uptime: 0 days 0:18:04.553
BugCheck F4, {3, 87679020, 8767916c, 8224b4f0}
Probably caused by : _(M___
PROCESS_NAME:  taskmgr.exe
BUGCHECK_STR:  0xF4_taskmgr.exe
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨
[/font]

bradfells · Oct 5, 2010

Yeah, I tried to post the system report as well as the BSOD program results, but got a bluescreen while uploading so I just left the computer off, here are those files now.

I am going to remove AVG now and install MSE while awaiting your response. Thanks for all the help.

bradfells · Oct 5, 2010

Ok, AVG is now gone and MSE is installed and it did its initial scan and found one sever threat which it removed. Thus far everything seems to be working much better then before. I would still like to hear from you regarding the system reports just in case there is anything else I can do. Again, thanks a ton for your patience and service.

-Brad

Jonathan_King · Oct 5, 2010

I do suspect it was malware. The driver vwnvstf.sys is not listed under the loaded drivers, which makes me suspect it is hidden.

It did show up in the dumps, however. I'll have a chat with some other guys, and see what they think. I'm no malware expert.

jcgriff2 · Oct 5, 2010

I cannot find anything on that driver, either.

It could be dynamically allocated considering it has today's timestamp on it.

I did find -

Code:

[FONT=lucida console]844800   [COLOR=blue]10/5/2010[/COLOR]    1:20:19 AM  [/FONT]
[FONT=lucida console]"C:\Windows\System32\drivers\[COLOR=red][B]vwnvstf.sys[/B][/COLOR]"[/FONT]

Code:

[FONT=lucida console]Event[270]:[/FONT]
[FONT=lucida console]Log Name: Application[/FONT]
[FONT=lucida console]Source: Windows Error Reporting[/FONT]
[FONT=lucida console]Date: 2010-10-04T19:49:53.000[/FONT]
[FONT=lucida console]Description: [/FONT]
[FONT=lucida console]Fault bucket 0xD1_[COLOR=red][B]vwnvstf[/B][/COLOR]+4ccb, type 0[/FONT]
[FONT=lucida console]Event Name: [COLOR=blue]BlueScreen[/COLOR][/FONT]
[FONT=lucida console]Response: None[/FONT]
[FONT=lucida console]Cab Id: 0[/FONT]
[FONT=lucida console]Problem signature:[/FONT]
[FONT=lucida console]P1: [/FONT]
[FONT=lucida console]P2: [/FONT]
[FONT=lucida console]P3: [/FONT]
[FONT=lucida console]P4: [/FONT]
[FONT=lucida console]P5: [/FONT]
[FONT=lucida console]P6: [/FONT]
[FONT=lucida console]P7: [/FONT]
[FONT=lucida console]P8: [/FONT]
[FONT=lucida console]P9: [/FONT]
[FONT=lucida console]P10: [/FONT]
[FONT=lucida console]Attached files:[/FONT]
[FONT=lucida console]C:\Windows\Minidump\Mini100410-01.dmp[/FONT]
[FONT=lucida console]C:\Users\gc\AppData\Local\Temp\WER-36722-0.sysdata.xml[/FONT]
[FONT=lucida console]C:\Users\gc\AppData\Local\Temp\WER8E88.tmp.version.txt[/FONT]
[FONT=lucida console]These files may be available here:[/FONT]
[FONT=lucida console]C:\Users\gc\AppData\Local\Microsoft\Windows\WER\ReportArchive\Report04efb5b7[/FONT]
 
[FONT=lucida console][COLOR=blue]BugCheck 7F, {0, 0, 0, 0}[/COLOR][/FONT]

You have Limewire installed, so malware is a definite possibility.

Go to \windows\system32\drivers - scroll to vwnvstf.sys - RIGHT-click on it, select "Properties" and look at deatils. Is there a manufacturer name on it?

Regards. . .

jcgriff2

`

bradfells · Oct 5, 2010

Hey guys, thanks for the replies. I did do a scan after installing MSE with Maleware Bytes and it found nothing, I also did a scan while in safemode a few days ago.

As far as finding that file in system32/drivers I went and looked and it is not in there. So hopefully MSE got rid of it?

Jonathan_King · Oct 6, 2010

Hopefully!

We don't know what it was that MSE found; many people have little things on their systems that anti-virus programs classify as malware, but it has never bothered them.

I wish we could see the results of that scan. Open up MSE, and in the History tab, could you post a screenshot of what's there?

bradfells · Oct 6, 2010

HA, so I went to the history tab to see what MSE found.

Trojan:WinNT/Bubnix.gen!A

And at the bottom where it describes the Trojan itself it says:

Items:
file:C:\Windows\system32\drivers\vwnvstf.sys

So it does in fact look like MSE fixed the problem! I hope this was what you wanted to see regarding what was removed. And as always, I really appreciate your help and patience.

-Brad

Jonathan_King · Oct 6, 2010

That is what I wanted to see. Thanks!

I have added this thread to my Solved BSOD Archive under the malware section. I suspect that either AVG was trying to stop the virus, and erroring in the process, or the virus was disabling AVG, but not completely.

Let us know if you need anything else!

BlueScreen: Memory Dump

bradfells

Attachments

My Computer

System One

Jonathan_King

My Computer

System One

bradfells

My Computer

System One

bradfells

My Computer

System One

Jonathan_King

My Computer

System One

jcgriff2

Banned

My Computer

System One

bradfells

My Computer

System One

Jonathan_King

My Computer

System One

bradfells

My Computer

System One

Jonathan_King

My Computer

System One