ichase (Author) Posted February 19, 2012

Thanks for the tip Tushman, installing now.
Guest LilBambi Posted February 19, 2012

Nice article on how to use the Windows Debugging Tool: Howto: Use the Windows Debugging Tools to analyze a crash dump (BSOD)
V.T. Eric Layton Posted February 19, 2012

All this work. JUST NUKE IT! You know you want to. Here, let me help...
Tushman Posted February 20, 2012

> All this work. JUST NUKE IT! You know you want to. Here, let me help...

If the operating system will no longer boot, a complete re-install would probably be the quickest solution. However, analyzing a memory dump file could still be useful, especially if the problem was originally caused by a buggy driver, for instance. Knowing this will prevent future hiccups even if you were to do a fresh install.
V.T. Eric Layton Posted February 20, 2012

Ummm... It's HAMMER TIME!
jcgriff2 Posted February 20, 2012 (edited)

Hi -

The bugchecks on the 4 dumps -

(2) 0x1e (0xc0000005,,,) = kernel threw an exception; the excp = 1st parm = 0xc0000005 = memory access violation
(2) 0x109 (,,,0x1) = kernel corruption; modification of .pdata (code section function exception handling info)

The 0x109 BSODs both occurred on 29 January 2012; one just 14 seconds after boot; the other 29 seconds after boot.

There are 3 basic ways for kernel corruption to occur -

1. driver modified kernel code (only Windows Updates can do this)
2. hardware failure (such as RAM's inability to hold kernel code)
3. driver developer hard-assert

#3 does not apply here, so either hardware failure occurred or a rogue driver exists - which could be an outdated driver or an infected one.

kdcom.dll does appear in the 0x109 dumps, likely due to recent Windows Updates, and kdcom has not yet been added to the Microsoft MSDL symbol server -

    *** WARNING: Unable to verify timestamp for kdcom.dll
    *** ERROR: Module load completed but symbols could not be loaded for kdcom.dll
    Probably caused by : kdcom.dll ( kdcom+182c )

I have the same version of kdcom in my system and it tested fine (note the 18 Jan timestamp) -

    1: kd> lmvm kdcom
    start             end                 module name
    fffff800`00bbc000 fffff800`00bbf000   kdcom      T (no symbols)
        Loaded symbol image file: kdcom.dll
        Image path: \SystemRoot\system32\kdcom.dll
        Image name: kdcom.dll
        Timestamp:        Wed Jan 18 18:31:51 2012 (4F175667)
        CheckSum:         0000F59B
        ImageSize:        00003000
        Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

The 2 0x1e (0xc5,,,) BSODs occurred on 30 Jan and 10 Feb. Exception 0xc5 (memory access violation) can be caused by RAM failure or a driver attempting to access memory that is off limits (access denied). I often see 0xc5 where 3rd party firewalls are installed on Windows 7 & Vista systems.

I noticed that the NIS/N360 installation was updated before the 4th and final BSOD based on driver timestamps and am not sure if Norton was a contributing cause or not.

My recommendations would have been to run memtest86+, run Driver Verifier and check Toshiba Support for a BIOS update (check label for exact L505 model) -

    BiosVersion = 1.40
    BiosReleaseDate = 09/07/2009
    SystemManufacturer = TOSHIBA
    SystemProductName = Satellite L505

The kdcom symbol issue aside, all 4 dumps named the default NT Kernel as the probable cause, leaving us with no definitive cause. I did not see any references to volsnap.sys as mentioned in prior posts.

Sorry that I could not be more helpful here.

Windbg Logs - http://sysnative.com/BSOD2012/jcgriff2logs..._02-20-2012.txt

Kind Regards. . .

John

BSOD SUMMARY

    Loading Dump File [C:\Users\PalmDesert\_jcgriff2_\dbug\__Kernel__\021012-36254-01.dmp]
    Built by: 7601.17640.amd64fre.win7sp1_gdr.110622-1506
    Debug session time: Fri Feb 10 11:58:26.822 2012 (GMT-5)
    System Uptime: 0 days 18:34:45.649
    Probably caused by : ntkrnlmp.exe ( nt!ObpCreateHandle+29a )
    DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
    BUGCHECK_STR: 0x1E
    PROCESS_NAME: rundll32.exe
    FAILURE_BUCKET_ID: X64_0x1E_nt!ObpCreateHandle+29a
    Bugcheck code 0000001E
    Arguments ffffffff`c0000005 fffff800`02f94a9a 00000000`00000001 00000000`00000018
    BiosVersion = 1.40
    BiosReleaseDate = 09/07/2009
    SystemManufacturer = TOSHIBA
    SystemProductName = Satellite L505
    MaxSpeed: 2200
    CurrentSpeed: 2194

    Loading Dump File [C:\Users\PalmDesert\_jcgriff2_\dbug\__Kernel__\013012-39156-01.dmp]
    Built by: 7601.17640.amd64fre.win7sp1_gdr.110622-1506
    Debug session time: Mon Jan 30 05:11:58.989 2012 (GMT-5)
    System Uptime: 0 days 6:27:31.721
    Probably caused by : ntkrnlmp.exe ( nt!ObpCreateHandle+29a )
    DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
    BUGCHECK_STR: 0x1E
    PROCESS_NAME: conhost.exe
    FAILURE_BUCKET_ID: X64_0x1E_nt!ObpCreateHandle+29a
    Bugcheck code 0000001E
    Arguments ffffffff`c0000005 fffff800`02fbea9a 00000000`00000001 00000000`00000018
    BiosVersion = 1.40
    BiosReleaseDate = 09/07/2009
    SystemManufacturer = TOSHIBA
    SystemProductName = Satellite L505
    MaxSpeed: 2200
    CurrentSpeed: 2194

    Loading Dump File [C:\Users\PalmDesert\_jcgriff2_\dbug\__Kernel__\012912-31044-01.dmp]
    Built by: 7601.17640.amd64fre.win7sp1_gdr.110622-1506
    Debug session time: Sun Jan 29 22:39:05.682 2012 (GMT-5)
    System Uptime: 0 days 0:13:58.415
    *** WARNING: Unable to verify timestamp for kdcom.dll
    *** ERROR: Module load completed but symbols could not be loaded for kdcom.dll
    Probably caused by : kdcom.dll ( kdcom+182c )
    BUGCHECK_STR: 0x109
    DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
    PROCESS_NAME: System
    FAILURE_BUCKET_ID: X64_0x109_kdcom+182c
    Bugcheck code 00000109
    Arguments a3a039d8`9a0aa5a8 b3b7465e`ec88def6 fffff800`00bd182c 00000000`00000001
    BiosVersion = 1.40
    BiosReleaseDate = 09/07/2009
    SystemManufacturer = TOSHIBA
    SystemProductName = Satellite L505
    MaxSpeed: 2200
    CurrentSpeed: 2194

    Loading Dump File [C:\Users\PalmDesert\_jcgriff2_\dbug\__Kernel__\012912-28017-01.dmp]
    Built by: 7601.17640.amd64fre.win7sp1_gdr.110622-1506
    Debug session time: Sun Jan 29 18:21:30.512 2012 (GMT-5)
    System Uptime: 0 days 0:28:03.244
    *** WARNING: Unable to verify timestamp for kdcom.dll
    *** ERROR: Module load completed but symbols could not be loaded for kdcom.dll
    Probably caused by : kdcom.dll ( kdcom+182c )
    BUGCHECK_STR: 0x109
    DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
    PROCESS_NAME: System
    FAILURE_BUCKET_ID: X64_0x109_kdcom+182c
    Bugcheck code 00000109
    Arguments a3a039d8`9a8856cd b3b7465e`ed06901b fffff800`00bbd82c 00000000`00000001
    BiosVersion = 1.40
    BiosReleaseDate = 09/07/2009
    SystemManufacturer = TOSHIBA
    SystemProductName = Satellite L505
    MaxSpeed: 2200
    CurrentSpeed: 2194

Edited February 20, 2012 by jcgriff2
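As an added example (not from the thread and not one of jcgriff2's tools), a small Python triage script that parses summary blocks in the layout quoted above and applies the readings John gives: 0x1E with first parameter 0xc0000005 is a memory access violation, 0x109 with fourth parameter 0x1 is .pdata modification, a "Probably caused by" that names a module without symbols (the kdcom case) is unreliable, and the bare NT kernel as culprit means no definitive driver. The sample input is constructed from values in this thread, and the 1800 s "early boot" threshold is an assumption.

```python
import re

# Constructed sample in the layout of the BSOD SUMMARY blocks above (values from this thread).
SAMPLE = r"""
Loading Dump File [C:\Users\PalmDesert\_jcgriff2_\dbug\__Kernel__\021012-36254-01.dmp]
System Uptime: 0 days 18:34:45.649
Probably caused by : ntkrnlmp.exe ( nt!ObpCreateHandle+29a )
Bugcheck code 0000001E
Arguments ffffffff`c0000005 fffff800`02f94a9a 00000000`00000001 00000000`00000018

Loading Dump File [C:\Users\PalmDesert\_jcgriff2_\dbug\__Kernel__\012912-31044-01.dmp]
System Uptime: 0 days 0:13:58.415
*** WARNING: Unable to verify timestamp for kdcom.dll
*** ERROR: Module load completed but symbols could not be loaded for kdcom.dll
Probably caused by : kdcom.dll ( kdcom+182c )
Bugcheck code 00000109
Arguments a3a039d8`9a0aa5a8 b3b7465e`ec88def6 fffff800`00bd182c 00000000`00000001
"""

def parse_summary(text):
    """Return one dict per 'Loading Dump File' block of a BSOD SUMMARY listing."""
    dumps = []
    for block in re.split(r"(?m)^(?=Loading Dump File)", text):
        if not block.strip():
            continue
        d = {"symbol_warnings": [], "args": []}
        for line in block.splitlines():
            if line.startswith("System Uptime:"):
                days, h, m, s = map(int, re.findall(r"\d+", line)[:4])
                d["uptime_s"] = ((days * 24 + h) * 60 + m) * 60 + s
            elif line.startswith("Probably caused by :"):
                d["culprit"] = line.split(":", 1)[1].split()[0]
            elif line.startswith("Bugcheck code"):
                d["bugcheck"] = int(line.split()[-1], 16)
            elif line.startswith("Arguments"):
                # WinDbg prints 64-bit values with a backtick between the halves
                d["args"] = [int(a.replace("`", ""), 16) for a in line.split()[1:]]
            elif line.startswith("***"):
                d["symbol_warnings"].append(line)
        dumps.append(d)
    return dumps

def triage(d, early_boot_s=1800):
    """Apply the thread's readings to one parsed dump; early_boot_s is an assumed threshold."""
    findings = []
    code, args = d.get("bugcheck"), d.get("args", [])
    # arg1 of 0x1E is a sign-extended NTSTATUS, so compare only the low 32 bits
    if code == 0x1E and args and (args[0] & 0xFFFFFFFF) == 0xC0000005:
        findings.append("0x1E with 0xc0000005: kernel exception, memory access violation")
    elif code == 0x109 and len(args) == 4 and args[3] == 0x1:
        findings.append("0x109 type 1: kernel corruption, .pdata (exception-handling info) modified")
    else:
        findings.append("bugcheck 0x%X: not covered by this thread" % (code or 0))
    if d["symbol_warnings"]:
        findings.append("no symbols for %s: 'Probably caused by' is unreliable" % d.get("culprit"))
    elif d.get("culprit") in ("ntkrnlmp.exe", "ntoskrnl.exe", "ntkrnlpa.exe", "ntkrpamp.exe"):
        findings.append("default NT kernel named as culprit: no definitive driver identified")
    if d.get("uptime_s", early_boot_s) < early_boot_s:
        findings.append("crashed %d s after boot: early-boot pattern" % d["uptime_s"])
    return findings
```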
Guest LilBambi Posted February 20, 2012

Thanks J. C. for looking. No one could ask for more than that. And some insight was obtained from your analysis.
V.T. Eric Layton Posted February 20, 2012

> Thanks J. C. for looking. No one could ask for more than that. And some insight was obtained from your analysis.

Indeed! And welcome to Scot's, JC. Don't pay any attention to those silly Linux users from the peanut gallery.
ichase (Author) Posted February 20, 2012

John, I second Fran when she stated we could not ask for anything more in your analysis. Definitely gives me some direction in hopes of saving this one. I would rather not have the owner have to buy a new laptop or purchase Windows 7. Part that bugs me is the fact that I can't access the recovery partition. That would be nice and save the owner more money. I will do some research to see if a BIOS update is available for this laptop. I already ran memtest86 and all scans came back clean. Looks like Driver Verifier could come in handy, but does it run off an ISO? Without any way to boot the OS, it would be the only way to run it. Thanks again for the very thorough analysis, not to mention your time in helping me with this one.

Ian
jcgriff2 Posted February 20, 2012

Hi Ian...

I was re-reading the thread and noticed in post #1 you mentioned that system restore failed with error code 0x8000ffff, which = catastrophic failure occurred (not much help!).

I ran the dumps through 3 different versions of Windbg because each can give slightly different/additional info -

- 6.11.0001.404
- 6.12.0002.633
- 6.2.8102.0 (Windows 8 WDDK)

In this case, all results were the same.

I just ran them through BlueScreenView and now see volsnap.sys listed in the 2 most recent dumps just below ntoskrnl.exe (Windows NT Kernel). volsnap may be an indication of HDD failure. Did you run HDD diags, such as SeaTools for DOS, LONG test? http://www.techsupportforum.com/2828431-post7.html

Also, if needed, you can purchase recovery media from Toshiba for ~$30 - http://forums.toshiba.com/t5/System-Recove.../m-p/9148#U9148

If you want to wipe the HDD and see if Windows 7 runs OK on the existing hardware, Microsoft offers a Windows 7 Enterprise 90-day trial ISO - http://technet.microsoft.com/en-us/evalcenter/cc442495

I would suggest using a DOS-based low-level format first - http://sysnative.com/0x1/killdisk_imgburn.html

Regards. . .

John
Guest LilBambi Posted February 20, 2012

If it could be a hardware related issue, do you have SpinRite, Ian? It is a non-destructive way to see if it can be recovered.

Great idea about the Seagate tools, too, J.C. So volsnap can also mean hard drive failure?

Great idea on the Toshiba Restore Disks, J.C. Some of my clients have gone that route just to have a set available for times like these.
ichase (Author) Posted February 20, 2012

More great food for thought, John and Fran. Thank you. I have not run any HDD diagnostic tools or SpinRite. I now have some great info to start moving forward with. I am sure there are many watching this post, so I will reply back with results.

Thanks again all,
Ian
Guest LilBambi Posted February 20, 2012

Hope it all works out well, Ian!
ichase (Author) Posted February 20, 2012

Well the thing is, if it does not, I have definitely learned a lot with this one laptop, which I am always happy to do. Currently running the SeaTools for DOS long version test and will move on from there. If for some reason I am lucky enough to get this up and running without a full wipe, I will definitely recommend to the customer to purchase the backup disks from Toshiba. Either way, I have his most important data saved to external, so that peace of mind is at least there at this point. I have found that most customers I deal with feel the data on the HDD is more valuable than the entire computer itself. I am sure you all can relate.

I just wanted to thank you all again for taking the time to assist and give great advice. Even you, Eric. I can tell you this:

1. If this was my laptop I would have used your nuke button a while back.
2. The laptop would have had Linux on it, eliminating the need for the nuke button in the first place.

All the best,
Ian
amenditman Posted February 20, 2012

> Well the thing is, if it does not, I have definitely learned a lot with this one laptop, which I am always happy to do. Currently running the SeaTools for DOS long version test and will move on from there. If for some reason I am lucky enough to get this up and running without a full wipe, I will definitely recommend to the customer to purchase the backup disks from Toshiba. Either way, I have his most important data saved to external, so that peace of mind is at least there at this point. I have found that most customers I deal with feel the data on the HDD is more valuable than the entire computer itself. I am sure you all can relate.
>
> I just wanted to thank you all again for taking the time to assist and give great advice. Even you, Eric. I can tell you this:
>
> 1. If this was my laptop I would have used your nuke button a while back.
> 2. The laptop would have had Linux on it, eliminating the need for the nuke button in the first place.
>
> All the best,
> Ian

Linux is definitely the solution to the world's nuclear disaster problem!
ichase (Author) Posted February 20, 2012

> Linux is definitely the solution to the world's nuclear disaster problem!
V.T. Eric Layton Posted February 20, 2012

There's an old saying down South, "He needed killin'." This is similar to one of my favorite sayings regarding repairing computer issues, "Sometimes, ya' just gotta' NUKE 'em!"
Guest LilBambi Posted February 20, 2012

So true, Eric! Sometimes you do have to Nuke 'em. However, it doesn't mean we can't learn something along the way.
jcgriff2 Posted February 20, 2012

> So volsnap can also mean hard drive failure?

volsnap is actually a Microsoft VSS related driver (system restore). http://www.sysnative.com/drivers/driver.php?id=volsnap.sys

Since VSS is obviously stored on the HDD, I typically recommend HDD diags to be on the safe side.
ichase (Author) Posted February 20, 2012 (edited)

> So true, Eric! Sometimes you do have to Nuke 'em. However, it doesn't mean we can't learn something along the way.

Very true, Fran. Let's face it. I don't make a ton of money at all, and the computer repair I do on the side I do to supplement my income. If I can learn more, that only results in more income to keep the roof over the head and food on the table for the family. Not to mention when I have a customer come to me after a fix and tell me how happy they are and how great their computer is running..... Well...... That's a good feeling too. But with that being said, I have used the nuke option many times before.

Edited February 20, 2012 by ichase
ichase (Author) Posted February 20, 2012

John, while I have you here, you mentioned Driver Analyser and I clicked on the link. With the inability to boot into the OS, can this be run from an ISO or from command prompt? I am able to get into command prompt from the Win7 Recovery CD. I used that at the beginning to run chkdsk /r.

Thanks
V.T. Eric Layton Posted February 20, 2012

Time is $$$. Nuke 'em!
Guest LilBambi Posted February 20, 2012

Ian, sometimes it doesn't matter how well we can clean a computer: if it's not going to be trustworthy because of a massive rootkit infection, and not being able to tell definitively that you got everything, and you can't know for sure if there is a ticking timebomb that will go off sometime down the road, then boot'n'nuke can be a really good thing. I hate to give up on a system, but sometimes, as you say, it just makes sense so the computer is a trustworthy thing for the user.
Corrine Posted February 20, 2012

> volsnap is actually a Microsoft VSS related driver (system restore). http://www.sysnative.com/drivers/driver.php?id=volsnap.sys
>
> Since VSS is obviously stored on the HDD, I typically recommend HDD diags to be on the safe side.

There are variants of the TDSS rootkit that can patch volsnap.sys.
Guest LilBambi Posted February 20, 2012

> There are variants of the TDSS rootkit that can patch volsnap.sys.

You are so right Corrine! I came up against one of those on a client computer.
ichase (Author) Posted February 20, 2012

> Ian, sometimes it doesn't matter how well we can clean a computer: if it's not going to be trustworthy because of a massive rootkit infection, and not being able to tell definitively that you got everything, and you can't know for sure if there is a ticking timebomb that will go off sometime down the road, then boot'n'nuke can be a really good thing. I hate to give up on a system, but sometimes, as you say, it just makes sense so the computer is a trustworthy thing for the user.

I can't agree with you more. I hate giving up, mainly because I am hard headed, but I do agree and have done it before, where I have DBAN'd the HDD and installed the OS from scratch. Hard headed or not, I definitely know when it is time to throw in the towel. With so much great advice through this thread, Eric's solution is sounding more and more like the correct end result.
ichase (Author) Posted February 20, 2012

Update to this point:

- Checked for updated BIOS. There is a BIOS update from the current 1.40 to 1.50, but what it provides is not going to help.
- Ran SeaTools for DOS - Long Test (2 hours 2 minutes). Test passed.
- Ran MemTest86. Test passed.

At this point, I will be leaving it up to the owner as to how he wants to proceed. Thanks everyone for your help. It has been a great learning experience even if we did not get a full "end result" of the problem.

Ian
Guest LilBambi Posted February 20, 2012

ROFL! Heard that!
amenditman Posted February 20, 2012

ichase mentioned earlier in the thread that this computer was used for some NSFW adult web browsing. As such, the problem is going to re-occur. Save the user's files to an external medium, instruct the user to save future files to an external medium, NUKE it.

After re-install, I would recommend imaging the HDD with Clonezilla (on the PartedMagic Live distro or directly) prior to returning it to the user. That way, when you get it back in a few months you can charge full price for a full restore but save yourself a lot of aggravation.
Guest LilBambi Posted February 20, 2012

Excellent idea on imaging the drive before you give it back. Next time you will be able to just restore the system after backing up any current personal data (if any new stuff was added).