BSOD on boot-up after a System Restore

Hello,

I recently used System Restore in an attempt to remove a virus from my computer. The virus seems to be gone, but now whenever I boot up I get a BSOD after ~30 seconds or so on a consistent basis. I am attaching a minidump in hopes that someone could help me isolate my issue.

One report does not solve the problem. Can you send all or most of your dump reports. I will be very happy to analyze and help you.

richc46 said:

One report does not solve the problem. Can you send all or most of your dump reports. I will be very happy to analyze and help you.

Click to expand...

Hello again, and thank you so much for taking a look into my issue. I have now attached all the minidump reports I have stored on my computer. In addition,
Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6002.2.2.0.256.1
Locale ID: 1033

Additional information about the problem:
BCCode: a
BCP1: 00000000
BCP2: 00000002
BCP3: 00000001
BCP4: 820BDEF9
OS Version: 6_0_6002
Service Pack: 2_0
Product: 256_1

Files that help describe the problem:
C:\Windows\Minidump\Mini020811-02.dmp
C:\Users\Hunter\AppData\Local\Temp\WER-51230-0.sysdata.xml
C:\Users\Hunter\AppData\Local\Temp\WER3590.tmp.version.txt

Thanks again!

I am sorry for the delay. I need to connect to the MS servers to help. They seem to be experiencing problems. I will analyze your files as soon as possible.

Sorry that I had you wait, but I have good results
It seems that you have given me four reports. Two were from 2009 and I ignored them. The others were current. They show that Symantec is the problem.
Unistall Symantec and install Microsoft Security Essentials and Malwarebytes in its place.
Use the uninstall tool.

Hello again,

Thank you for your time, and your response was very prompt and helpful :D However, when I boot into Safe Mode to try and uninstall Symantec, I get the error,

"The Windows Installer Service could not be accessed. This can occur if the Windows Installer is not correctly installed. Contact your support personnel for assistance."

Is there any way to fix this on my end?

Can you boot in safe mode to get to system restore?

Yes I can

Try to use system restore and go back before the problem.

I tried a few different restore points to no avail. Either I boot up normally and crash out as I originally described, or I boot in safe mode and cannot uninstall Symantec due to the error message that I receive about Windows installer. However, it seems that only get the message when I try to uninstall Symantec specifically. I have removed a couple of other programs without issue.

You may have a virus on top of everything else.
Do you have stuff you do not want to lose?

No, everything I have on this system is recoverable.

Do you have a Vista install DVD?

Hello again,

I was able to resolve the issue and disable Symantec after consulting with a friend of mine. My computer is now back to normal. Thank you so much for your time and help. =)

richc46 said:

Code:

 Microsoft (R) Windows Debugger Version 6.11.0001.404 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
 
Loading Dump File [C:\Users\richc46\AppData\Local\Temp\Temp1_Mini020811-01[1].zip\Mini020811-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows Server 2008/Windows Vista Kernel Version 6002 (Service Pack 2) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 6002.18267.x86fre.vistasp2_gdr.100608-0458
Machine Name:
Kernel base = 0x8200c000 PsLoadedModuleList = 0x82123c70
Debug session time: Tue Feb  8 18:50:39.355 2011 (GMT-5)
System Uptime: 0 days 0:01:05.182
Loading Kernel Symbols
...............................................................
................................................................
....................
Loading User Symbols
Loading unloaded module list
........
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck A, {0, 2, 1, 820c7ef9}
Unable to load image \SystemRoot\System32\Drivers\SRTSPL.SYS, Win32 error 0n2
*** WARNING: Unable to verify timestamp for SRTSPL.SYS
*** ERROR: Module load completed but symbols could not be loaded for SRTSPL.SYS
Probably caused by : SRTSPL.SYS ( SRTSPL+1834e )
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, bitfield :
 bit 0 : value 0 = read operation, 1 = write operation
 bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 820c7ef9, address which referenced memory
Debugging Details:
------------------
 
WRITE_ADDRESS: GetPointerFromAddress: unable to read from 82143868
Unable to read MiSystemVaType memory at 82123420
 00000000 
CURRENT_IRQL:  2
FAULTING_IP: 
nt!ExDeleteResourceLite+20
820c7ef9 8901            mov     dword ptr [ecx],eax
CUSTOMER_CRASH_COUNT:  1
DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
BUGCHECK_STR:  0xA
PROCESS_NAME:  System
TRAP_FRAME:  8af63a58 -- (.trap 0xffffffff8af63a58)
ErrCode = 00000002
eax=00000000 ebx=82051548 ecx=00000000 edx=00000000 esi=9e599518 edi=00000000
eip=820c7ef9 esp=8af63acc ebp=8af63ae0 iopl=0         nv up ei ng nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010286
nt!ExDeleteResourceLite+0x20:
820c7ef9 8901            mov     dword ptr [ecx],eax  ds:0023:00000000=????????
Resetting default scope
LAST_CONTROL_TRANSFER:  from 820c7ef9 to 82059fd9
STACK_TEXT:  
8af63a58 820c7ef9 badb0d00 00000000 00000000 nt!KiTrap0E+0x2e1
8af63ae0 9e5a734e 9e599518 8803bf38 9e59d545 nt!ExDeleteResourceLite+0x20
WARNING: Stack unwind information not available. Following frames may be wrong.
8af63b18 82177a68 8803bf38 88e1c000 00000000 SRTSPL+0x1834e
8af63cfc 82178029 00000001 00000000 8af63d24 nt!IopLoadDriver+0x805
8af63d44 820b1e22 9c314d00 00000000 8478cad0 nt!IopLoadUnloadDriver+0x70
8af63d7c 821e1c42 9c314d00 e0a063ee 00000000 nt!ExpWorkerThread+0xfd
8af63dc0 8204af4e 820b1d25 00000001 00000000 nt!PspSystemThreadStartup+0x9d
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
 
STACK_COMMAND:  kb
FOLLOWUP_IP: 
SRTSPL+1834e
9e5a734e ??              ???
SYMBOL_STACK_INDEX:  2
SYMBOL_NAME:  SRTSPL+1834e
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: SRTSPL
IMAGE_NAME:  SRTSPL.SYS
DEBUG_FLR_IMAGE_TIMESTAMP:  47e2970b
FAILURE_BUCKET_ID:  0xA_SRTSPL+1834e
BUCKET_ID:  0xA_SRTSPL+1834e
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, bitfield :
 bit 0 : value 0 = read operation, 1 = write operation
 bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 820c7ef9, address which referenced memory
Debugging Details:
------------------
 
WRITE_ADDRESS: GetPointerFromAddress: unable to read from 82143868
Unable to read MiSystemVaType memory at 82123420
 00000000 
CURRENT_IRQL:  2
FAULTING_IP: 
nt!ExDeleteResourceLite+20
820c7ef9 8901            mov     dword ptr [ecx],eax
CUSTOMER_CRASH_COUNT:  1
DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
BUGCHECK_STR:  0xA
PROCESS_NAME:  System
TRAP_FRAME:  8af63a58 -- (.trap 0xffffffff8af63a58)
ErrCode = 00000002
eax=00000000 ebx=82051548 ecx=00000000 edx=00000000 esi=9e599518 edi=00000000
eip=820c7ef9 esp=8af63acc ebp=8af63ae0 iopl=0         nv up ei ng nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010286
nt!ExDeleteResourceLite+0x20:
820c7ef9 8901            mov     dword ptr [ecx],eax  ds:0023:00000000=????????
Resetting default scope
LAST_CONTROL_TRANSFER:  from 820c7ef9 to 82059fd9
STACK_TEXT:  
8af63a58 820c7ef9 badb0d00 00000000 00000000 nt!KiTrap0E+0x2e1
8af63ae0 9e5a734e 9e599518 8803bf38 9e59d545 nt!ExDeleteResourceLite+0x20
WARNING: Stack unwind information not available. Following frames may be wrong.
8af63b18 82177a68 8803bf38 88e1c000 00000000 SRTSPL+0x1834e
8af63cfc 82178029 00000001 00000000 8af63d24 nt!IopLoadDriver+0x805
8af63d44 820b1e22 9c314d00 00000000 8478cad0 nt!IopLoadUnloadDriver+0x70
8af63d7c 821e1c42 9c314d00 e0a063ee 00000000 nt!ExpWorkerThread+0xfd
8af63dc0 8204af4e 820b1d25 00000001 00000000 nt!PspSystemThreadStartup+0x9d
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
 
STACK_COMMAND:  kb
FOLLOWUP_IP: 
SRTSPL+1834e
9e5a734e ??              ???
SYMBOL_STACK_INDEX:  2
SYMBOL_NAME:  SRTSPL+1834e
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: SRTSPL
IMAGE_NAME:  SRTSPL.SYS
DEBUG_FLR_IMAGE_TIMESTAMP:  47e2970b
FAILURE_BUCKET_ID:  0xA_SRTSPL+1834e
BUCKET_ID:  0xA_SRTSPL+1834e
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, bitfield :
 bit 0 : value 0 = read operation, 1 = write operation
 bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 820c7ef9, address which referenced memory
Debugging Details:
------------------
 
WRITE_ADDRESS: GetPointerFromAddress: unable to read from 82143868
Unable to read MiSystemVaType memory at 82123420
 00000000 
CURRENT_IRQL:  2
FAULTING_IP: 
nt!ExDeleteResourceLite+20
820c7ef9 8901            mov     dword ptr [ecx],eax
CUSTOMER_CRASH_COUNT:  1
DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
BUGCHECK_STR:  0xA
PROCESS_NAME:  System
TRAP_FRAME:  8af63a58 -- (.trap 0xffffffff8af63a58)
ErrCode = 00000002
eax=00000000 ebx=82051548 ecx=00000000 edx=00000000 esi=9e599518 edi=00000000
eip=820c7ef9 esp=8af63acc ebp=8af63ae0 iopl=0         nv up ei ng nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010286
nt!ExDeleteResourceLite+0x20:
820c7ef9 8901            mov     dword ptr [ecx],eax  ds:0023:00000000=????????
Resetting default scope
LAST_CONTROL_TRANSFER:  from 820c7ef9 to 82059fd9
STACK_TEXT:  
8af63a58 820c7ef9 badb0d00 00000000 00000000 nt!KiTrap0E+0x2e1
8af63ae0 9e5a734e 9e599518 8803bf38 9e59d545 nt!ExDeleteResourceLite+0x20
WARNING: Stack unwind information not available. Following frames may be wrong.
8af63b18 82177a68 8803bf38 88e1c000 00000000 SRTSPL+0x1834e
8af63cfc 82178029 00000001 00000000 8af63d24 nt!IopLoadDriver+0x805
8af63d44 820b1e22 9c314d00 00000000 8478cad0 nt!IopLoadUnloadDriver+0x70
8af63d7c 821e1c42 9c314d00 e0a063ee 00000000 nt!ExpWorkerThread+0xfd
8af63dc0 8204af4e 820b1d25 00000001 00000000 nt!PspSystemThreadStartup+0x9d
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
 
STACK_COMMAND:  kb
FOLLOWUP_IP: 
SRTSPL+1834e
9e5a734e ??              ???
SYMBOL_STACK_INDEX:  2
SYMBOL_NAME:  SRTSPL+1834e
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: SRTSPL
IMAGE_NAME:  SRTSPL.SYS
DEBUG_FLR_IMAGE_TIMESTAMP:  47e2970b
FAILURE_BUCKET_ID:  0xA_SRTSPL+1834e
BUCKET_ID:  0xA_SRTSPL+1834e
Followup: MachineOwner
---------

Sorry that I had you wait, but I have good results
It seems that you have given me four reports. Two were from 2009 and I ignored them. The others were current. They show that Symantec is the problem.
Unistall Symantec and install Microsoft Security Essentials and Malwarebytes in its place.
Use the uninstall tool.

Click to expand...

That was the first advice. Glad that it worked out.