Solved BSOD- IRQL Not Less or Equal 0x0a

boweasel

Member
32 bit Vista Home Premium gives the BSOD named in the title. It's an HP Pavilion and it is connected to a working modem via an ethernet cable.

Only gives the IRQL on a normal boot and even then it takes probably close to a minute before the BSOD. During that minute I can bring up taskmgr, I can see my desktop and all the icons and have even managed to at least initiate TDSSKiller. But after a minute- BSOD, and always the same one.

PC boots just fine in safe mode. And I have run Malwarebytes (quick scan only) and removed 408 items, 407 of which were PUP MyWebSearch errors and 1 Trojan. I did of course reboot after the scan, but I cannot get to the internet using Safe Mode with Networking. I get every browser's (IE, Firefox, Chrome) version of 'page cannot be displayed'.

I have unchecked almost everything from the MSconfig startup, and disabled all non-MS services.

If I run Ipconfig from an elevated prompt, I have a good IP address. The version of mbam on the PC is outdated by 18 months, but it cannot be updated because of the connection issue.

From safe mode I have attempted 4 restores, going back as far as Oct/01/12. Every one of them has, on reboot told me that it didn't work because the restore files were corrupted.

I tried Last Good Config and Directory Services Restore to no avail - same BSOD.

I hit F11 (?) on boot to go into HP Diagnostics. It passed all 5 steps.

I used a Vista 32 bit Home Premium CD. It found the OS okay, and when I clicked on startup repair I was told it could find no problems.

Then I went to the command prompt and started a chkdsk /r. It hit stage 4 of 5 (without encountering any problems on stages 1-3), and has now been motionless for at least 45 minutes at 15% - 150001 of 158256 (obviously MS has never gotten around to fixing the percentage display, but the 150001 hasn't budged). Oops, now it has. Stage 4 (USN Journal Verification) Completed - no errors. It's about 30% through stage 5 now.

Any thoughts? I have little confidence that chkdsk will make a difference. Should I be running a full scan on a newer Malwarebytes? ComboFix? I did run TDSSKiller in safe mode and it found 0 problems, which I thought was weird, since that always seems to find something - even if it's nonsense.

Finished chkdsk - no errors found and no change to boot IRQL problem
 
My Computer

System One

  • Manufacturer/Model
    Dell XPS420
    Memory
    6 gig
    Graphics Card(s)
    ATI Radeon HD3650 256 MB
    Sound Card
    Integrated 7.1 Channel Audio
    Monitor(s) Displays
    Dell SP2009W 20 inch Flat Panel w Webcam
    Hard Drives
    640 gb
    Cooling
    Fan
    Keyboard
    Dell USB
    Mouse
    Dell USB 4 button optical
    Other Info
    DSL provided by ATT
Your reports indicate that your problem is a driver. It gives a Microsoft driver, however, and that is rarely accurate. Run the driver verifier for 36 hours to see if we can determine the true cause.
Follow these instructions for Vista or Seven
Driver Verifier - Enable and Disable - Windows 7 Forums
 

Run the driver verifier for 36 hours to see if we can determine the true cause.
[Gulp]... 36 hours?

And 2 questions
  1. Since this PC won't boot normally, am I to assume that this process will work with safe mode? (Since I initiated the verifier I rebooted normally, it crashed, and then I rebooted into safe mode) which is where it is now (blathering that it has recovered from an unexpected shutdown)
  2. What do I do after these 36 hours have passed? Will there be another file on my desktop that has to be zipped, copied to a USB drive and uploaded to you? So far I see no signs that anything is happening - I don't even see any unfamiliar processes running in taskmgr.
And thanks again.
 

If you get several BSODs before that you can give them to us then. If you get none, the 36 hours is to ensure that it is not a driver problem.
 

If you get several BSODs before that you can give them to us then. If you get none, the 36 hours is to ensure that it is not a driver problem.
Well, I am confused. This thing can sit there for 36 days in safe mode and nothing'll happen.
And as I already said, I always get a BSOD on a normal boot. Got the one since starting the verifier. It's in safe mode now. Should I do several (normal) reboots to add to the dump file?
 

We want to get BSODs with verifier installed. That is how it works. It puts stress on the drivers and the weak ones BSOD. We can get rid of the weak ones.
Boot it with the Verifier installed and we will see what we get.
 

Okay, there's probably about a half dozen blue screens since installing the verifier. Is that enough? Should I just let it sit here and go through this endless cycle of IRQL crashes for the whole 36 hours? And when you say 'enough' do I follow the exact same process as before to create the zip file? BTW, it DOES look like the stop code has changed - I haven't looked at every one, but the last 3 have been 0xc4 if that means anything to you.
 

Give me what you have now. When I get a chance I will check them out and tell you what to do.
 

Attachment should be there. And there is no longer an IRQL error - about the time it shifted to the c4 stop code (I'm guessing), it switched to the more generic 'A problem has been detected' error, but it also mentions the existence of a faulty driver in the kernel stack that needs to be replaced.
 

C4 just means it was generated by the verifier. The results are the same.
I think the best thing to try is a system restore back a week before the problem began. It seems to be related to some change that was made, updates, software, virus
 

I think the best thing to try is a system restore back a week before the problem began. It seems to be related to some change that was made, updates, software, virus
I would love to, but as I said in my first post
From safe mode I have attempted 4 restores, going back as far as Oct/01/12. Every one of them has, on reboot told me that it didn't work because the restore files were corrupted.
I was rather thinking that you'd look at those dump files, tell me what the offending driver was, and tell me how to correct it. I don't know how to open .dmp files or I'd attempt it myself..
 

You don't think that the first thing I did was examine the files? It gives a driver that is not the true cause. We have to find a way to resolve the problem without updating the driver. The driver is a Microsoft lead driver and not the true cause of the problem.
 

You don't think that the first thing I did was examine the files? It gives a driver that is not the true cause. We have to find a way to resolve the problem without updating the driver. The driver is a Microsoft lead driver and not the true cause of the problem.
Sorry, I guess I misunderstood. I thought the idea of installing the verifier was to ascertain the actual driver causing the problem. I gather now that this is not as simple as just going to an HP Drivers & Downloads page....

I await further suggestions.
 

Apology accepted.
Allow me to show you and explain exactly what every one of your reports show. There has to be at least 20, a few after the verifier
(verifier puts drivers under stress and causes bsods)
Code:
 Microsoft (R) Windows Debugger Version 6.2.9200.16384 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
 
Loading Dump File [C:\Users\Richard\AppData\Local\Temp\Temp1_Boweasel (2).zip\SF_10-11-2012\Mini111012-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows Server 2008/Windows Vista Kernel Version 6001 (Service Pack 1) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 6001.18538.x86fre.vistasp1_gdr.101014-0432
Machine Name:
Kernel base = 0x81811000 PsLoadedModuleList = 0x81928c70
Debug session time: Sat Nov 10 10:50:14.588 2012 (UTC - 5:00)
System Uptime: 0 days 0:01:12.260
Loading Kernel Symbols
...............................................................
..........................................................
Loading User Symbols
Loading unloaded module list
.......
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck A, {0, 2, 1, 81838100}
Probably caused by : raspptp.sys ( raspptp!FreeSockContextCommon+33 )
Followup: MachineOwner
---------
1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, bitfield :
 bit 0 : value 0 = read operation, 1 = write operation
 bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 81838100, address which referenced memory
Debugging Details:
------------------
 
WRITE_ADDRESS: GetPointerFromAddress: unable to read from 81948868
Unable to read MiSystemVaType memory at 81928420
 00000000 
CURRENT_IRQL:  2
FAULTING_IP: 
nt!ExpRemoveGeneralLookaside+15
81838100 890f            mov     dword ptr [edi],ecx
CUSTOMER_CRASH_COUNT:  1
DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
BUGCHECK_STR:  0xA
PROCESS_NAME:  System
TRAP_FRAME:  8b721c44 -- (.trap 0xffffffff8b721c44)
ErrCode = 00000002
eax=00000002 ebx=86e78570 ecx=00000000 edx=00000000 esi=86e784a8 edi=00000000
eip=81838100 esp=8b721cb8 ebp=8b721cbc iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
nt!ExpRemoveGeneralLookaside+0x15:
81838100 890f            mov     dword ptr [edi],ecx  ds:0023:00000000=????????
Resetting default scope
LAST_CONTROL_TRANSFER:  from 81838100 to 8186bd54
STACK_TEXT:  
8b721c44 81838100 badb0d00 00000000 1750dfe0 nt!KiTrap0E+0x2ac
8b721cbc 8182ae6a 81913200 86e78480 8b721ce4 nt!ExpRemoveGeneralLookaside+0x15
8b721ccc 8d582c84 86e784a8 00000004 86e78480 nt!ExDeleteNPagedLookasideList+0x13
8b721ce4 8d582f4e 86e78480 86e78480 8658d2b8 raspptp!FreeSockContextCommon+0x33
8b721cf8 8d582cea 86e78480 8b721d48 8d577b8f raspptp!FreeSockHandle+0x78
8b721d04 8d577b8f 86e78480 8d585448 8658d2b8 raspptp!WskDestroySockContext+0x1f
8b721d48 8d577a1f 8658d2b8 8d585440 8b721d7c raspptp!PptpInitialize+0x15b
8b721d58 8d577602 86d2a1a8 00000000 86615578 raspptp!TapipPassiveOpen+0x12
8b721d7c 819e6e88 00000000 c1105118 00000000 raspptp!MainPassiveLevelThread+0x41
8b721dc0 8183fa3e 8d5775c1 00000000 00000000 nt!PspSystemThreadStartup+0x9d
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
 
STACK_COMMAND:  kb
FOLLOWUP_IP: 
raspptp!FreeSockContextCommon+33
8d582c84 8d4678          lea     eax,[esi+78h]
SYMBOL_STACK_INDEX:  3
SYMBOL_NAME:  raspptp!FreeSockContextCommon+33
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: raspptp
IMAGE_NAME:  raspptp.sys
DEBUG_FLR_IMAGE_TIMESTAMP:  47919112
FAILURE_BUCKET_ID:  0xA_raspptp!FreeSockContextCommon+33
BUCKET_ID:  0xA_raspptp!FreeSockContextCommon+33
Followup: MachineOwner
---------

At the beginning of the report you see "Probably caused by". This is just a hint. As a rule the cause is different for each BSOD and the analyst uses his experience to determine the true cause. In very few cases the causes are the same in all reports (as in your case) and this is the actual cause of the problem. Raspptp.sys is a lead Microsoft driver, which is getting the rap for one of the low level drivers it controls. We need to find out which one. The usual course of action is to use the verifier, but it did not work in your case.
You work ok in Safe Mode, which means the cause is from non essential software.
WHAT HAVE YOU INSTALLED ABOUT THE TIME THAT THE PROBLEM BEGAN?
If you do not have a problem with a clean boot follow procedure to determine the cause.
Troubleshoot Application Conflicts by Performing a Clean Startup - Windows 7 Forums
If that does not work, make a FULL scan with malwarebytes and your anti virus. Be sure to update them before running the scan.
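Added example, not part of the thread or of either poster's tooling: a Python parser that pulls the bug check arguments, the "Probably caused by" image and the call chain out of `!analyze -v` text, so the blamed image can be tallied across a batch of minidumps as the reply above describes. The sample input is constructed from lines of the dump quoted in the thread, and the function names `parse_report` and `blame_tally` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: lines trimmed from the !analyze -v output quoted in the thread.
SAMPLE = """\
BugCheck A, {0, 2, 1, 81838100}
Probably caused by : raspptp.sys ( raspptp!FreeSockContextCommon+33 )
STACK_TEXT:  
8b721c44 81838100 badb0d00 00000000 1750dfe0 nt!KiTrap0E+0x2ac
8b721cbc 8182ae6a 81913200 86e78480 8b721ce4 nt!ExpRemoveGeneralLookaside+0x15
8b721ccc 8d582c84 86e784a8 00000004 86e78480 nt!ExDeleteNPagedLookasideList+0x13
8b721ce4 8d582f4e 86e78480 86e78480 8658d2b8 raspptp!FreeSockContextCommon+0x33
8b721cf8 8d582cea 86e78480 8b721d48 8d577b8f raspptp!FreeSockHandle+0x78
8b721dc0 8183fa3e 8d5775c1 00000000 00000000 nt!PspSystemThreadStartup+0x9d
"""

BUGCHECK_RE = re.compile(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", re.M)
BLAME_RE = re.compile(r"^Probably caused by : (\S+)", re.M)
# A kb frame: ChildEBP, RetAddr, three args, then module!symbol+0xoffset.
FRAME_RE = re.compile(r"^(?:[0-9a-f]{8} ){5}(\w+)!(\w+)", re.M)


def parse_report(text):
    """Extract bug check, arguments, blamed image and call chain from one report."""
    m = BUGCHECK_RE.search(text)
    if m is None:
        raise ValueError("no BugCheck line found")
    args = [int(a, 16) for a in m.group(2).split(",")]
    blame = BLAME_RE.search(text)
    frames = FRAME_RE.findall(text)  # [(module, symbol), ...], innermost first
    report = {
        "code": int(m.group(1), 16),
        "args": args,
        "blamed": blame.group(1) if blame else None,
        "frames": frames,
        # Index of the first frame outside the kernel image (nt), if any.
        "first_non_nt": next((i for i, f in enumerate(frames) if f[0] != "nt"), None),
    }
    if report["code"] == 0xA and len(args) == 4:
        # Argument meanings as printed in the report for IRQL_NOT_LESS_OR_EQUAL.
        report["detail"] = {
            "address": args[0],              # Arg1: memory referenced
            "irql": args[1],                 # Arg2: IRQL at the time of the access
            "write": bool(args[2] & 1),      # Arg3 bit 0: 1 = write operation
            "execute": bool(args[2] & 8),    # Arg3 bit 3: 1 = execute operation
            "faulting_ip": args[3],          # Arg4: address which referenced memory
            "null_page": args[0] < 0x1000,   # access landed in the first page
        }
    return report


def blame_tally(reports):
    """Count how often each image is blamed across a set of parsed reports."""
    return Counter(r["blamed"] for r in reports if r["blamed"])


if __name__ == "__main__":
    r = parse_report(SAMPLE)
    print(r["detail"], r["frames"][r["first_non_nt"]], blame_tally([r, r]))
```

On the sample, the faulting instruction is inside `nt` while the blamed image is the first frame outside it, at the same index as the `SYMBOL_STACK_INDEX: 3` line in the quoted dump.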
 

You work ok in Safe Mode, which means the cause is from non essential software.
WHAT HAVE YOU INSTALLED ABOUT THE TIME THAT THE PROBLEM BEGAN?
Unfortunately Richard, I'm unable to answer that question - this is my brother's tower, or more accurately, his wife's. And with 4 kids between the ages of 12 and 16 (2 are twins) constantly on this computer, there's almost no way to tell what sort of nonsense they've installed. When I looked at their Event Viewer I saw red system errors going back well over a month.

I do find it unsettling that even though safe mode never causes a BSOD, it also never connects to the internet. It has a perfectly good IP address according to ipconfig. I can ping that ip address, but not www.yahoo.com or google. I have opened an elevated command prompt and run netsh winsock reset to no avail. The Network Connections icon brings up a blank screen. Of course I can perform no diagnostics from internet explorer because those diagnostics are not available in safe mode (with networking). I have gone through all the services and see nothing that could be preventing a connection.


So I sort of figure that there's something tying these 2 things together
  • the bad driver that causes a BSOD about 70 seconds after what looks like a successful, normal boot (all the desktop icons are present, the taskbar has everything it should - including the notification area)
  • the lack of connectivity in SMWN
And what about that delay? In my rather limited experience, one pretty much always gets a blue screen before the desktop displays, maybe a split second after at the latest, but 70 seconds after?

Msconfig has been changed to perform a clean boot - load system services only, all non-MS services disabled, and everything unchecked on the startup tab. I obviously continued to have the problem.

If you do not have a problem with a clean boot follow procedure to determine the cause.
Troubleshoot Application Conflicts by Performing a Clean Startup - Windows 7 Forums
If that does not work, make a FULL scan with malwarebytes and your anti virus. Be sure to update them before running the scan.
I will use another Vista PC to get an updated malwarebytes and transfer it to the problem child. And I'll report back. If any of this additional info I've given helps you to pinpoint the cause let me know.
 

New wrinkle.....
I got the newest version of ComboFix on the PC and started to run a scan as an admin. It said that it had detected rootkit activity (why didn't TDSSKiller detect it?) in the first msg box, the second box identified the rootkit as Zero Access, said that it had inserted itself into the TCP/IP stack, that it was difficult to remove, be patient, yadda, yadda yadda. The 3rd msg box said that it had to reboot to commence the cleaning (or something like that).

Two problems
  1. If I let ComboFix reboot the PC normally I get the 70 second BSOD
  2. If I repeatedly hit F8 and boot into safe mode, ComboFix processes are no longer running. No cmd.3XE or pev.3XE. I even adjusted msconfig to always boot into safe mode with networking, and I get the same non-result after CF reboots the PC.
 

All is well. The Rootkit Zero Access was the culprit. I disabled UAC, reran ComboFix and allowed it to reboot. Without that miserable UAC FUBAR-ing things, it went back into ComboFix and ran through all 50 stages. I rebooted, reset msconfig to normal boot, restored the services, rebooted again, and everything is working as it should. No BSOD, and connectivity issues have been corrected.

It says I must 'spread some Reputation around before giving it to richc46 again', which seems completely absurd since you're the only one who has lent a hand. Some rule tweaking is obviously needed here.....
 

Your appreciation is enough. That rule is to prevent one person from getting all the rep.
 
