Occasional BSODs

Joined
Mar 25, 2014
Messages
13
Reaction score
0
Hello,
I hope you can help me with my problem.
For a few months now, I have been getting several BSODs on an irregular basis.
I updated my drivers and ran an anti-virus scan using Avast! (also tried the pre-Windows scan), but they keep coming.
I've noticed that sometimes after a crash the computer boots without a single RAM card (I'm running 4GB RAM using two cards).
Thanks, Lamenth.
 


Shintaro

Moderator
Joined
Mar 1, 2012
Messages
2,134
Reaction score
252
Hi,

Please install Service Pack 1.
Code:
Missing Windows 7 Service Pack 1 
Built by: 7600.16617.amd64fre.win7_gdr.100618-1621 
System Uptime: 0 days 0:00:41.043 
Probably caused by : Ntfs.sys ( Ntfs! ?? ::FNODOBFM::`string'+2cc9 ) 
BugCheck 24, {1904fb, fffff8800359fe28, fffff8800359f690, 0} 
BugCheck Info: NTFS_FILE_SYSTEM (24) 
Bugcheck code 00000024 
Arguments: 
Arg1: 00000000001904fb 
Arg2: fffff8800359fe28 
Arg3: fffff8800359f690 
Arg4: 0000000000000000 
PROCESS_NAME: System 
BUGCHECK_STR: 0x24 
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT 
FAILURE_BUCKET_ID: X64_0x24_NULL_IP_Ntfs!_??_::FNODOBFM::_string_+2cc9
 

Shintaro

Moderator
It is the starting point. The point of Service Packs / patches is to fix problems, for example crashes.
 
Joined
Mar 25, 2014
Messages
13
Reaction score
0
I see, so I'm guessing it means I'll have to upload a new .dmp file the next time it happens? (I'll edit this message)
 

Shintaro

Moderator
Correct, are you able to install the Service Pack?
 

Shintaro

Moderator
It appears that something is conflicting with the Windows Shadow Copy Service.
It could be this unknown driver:
Code:
aeynmvg5.SYS Wed Jul 15 07:12:55 2009 (4A5CF4D7)
Code:
Probably caused by : volsnap.sys ( volsnap! ?? ::FNODOBFM::`string'+19db )
BugCheck 1E, {0, 0, 0, 0}
BugCheck Info: KMODE_EXCEPTION_NOT_HANDLED (1e)
Bugcheck code 0000001E
Arguments:
Arg1: 0000000000000000, The exception code that was not handled
Arg2: 0000000000000000, The address that the exception occurred at
Arg3: 0000000000000000, Parameter 0 of the exception
Arg4: 0000000000000000, Parameter 1 of the exception
BUGCHECK_STR: 0x1E_0
PROCESS_NAME: System
FAILURE_BUCKET_ID: X64_0x1E_0_volsnap!_??_::FNODOBFM::_string_+19db
1/ Please download and run Windows Defender Offline. It will create a CD / DVD / USB and will boot and scan your hard drive offline.
2/ Download and run TDSSKiller.
3/ Install Malwarebytes (Free Version) and scan your computer.
4/ Please update the computer spec part of your profile so that we know what kind of hardware you have.
5/ Please run chkdsk.
6/ Are you running any backup software?
 
Joined
Mar 25, 2014
Messages
13
Reaction score
0
No backup software, all scans showed my PC is clean.
My PC is:
Gigabyte P55-US3L
ATI Radeon HD 5770
x2 Corsair 2GB DDR3
Intel i5 750

By the way, I highly appreciate your time and effort trying to solve this. Thank you so much!
 

Shintaro

Moderator
1/ Please put c:\System32\Drivers\aeynmvg5.SYS in a zip file and upload it to the forum.
2/ Uninstall Daemon Tools
3/ Please run Driver Verifier

Driver verifier

The Driver Verifier tool, which is included in every version of Windows since Windows 2000, is used to detect and troubleshoot many driver issues that are known to cause system corruption, failures, or other unpredictable behavior.

***FIRST: Please back up your stuff and then make sure you've got access to another computer so you can contact us if problems arise.
Then make a System Restore point (so you can restore the system using the Windows 7 Startup Repair feature.)
  1. Go to Start and type in "verifier" (without the quotes) and press Enter
  2. Select "Create custom settings (for code developers)" and click "Next"
  3. Select "Select individual settings from a full list" and click "Next"
  4. Select:
    ---- Special Pool
    ---- Pool Tracking
    ---- Force IRQL Checking
    ---- Deadlock Detection
    ---- Security Checks (Windows 7 & 8)
    ---- DDI compliance checking (Windows 8)
    ---- Miscellaneous Checks

  5. Click "Next"
  6. Select "Select driver names from a list" and click "Next"
  7. Then select all drivers NOT provided by Microsoft and click "Next"
  8. Select "Finish" on the next page.
Reboot the system and wait for it to crash to the Blue Screen.
Continue to use your system normally, and if you know what causes the crash, do that repeatedly.
The objective here is to get the system to crash because Driver Verifier is stressing the drivers out.

How Long should I wait for a crash?

- If it doesn't crash for you, then let it run for at least 36 hours of continuous operation.

How do I turn Driver Verifier off?!

- Reboot into Windows (after the crash) and turn off Driver Verifier by going back in and selecting "Delete existing settings" on the first page.

- Or press the Windows Key + R, and type in "verifier /reset" (Without the quotes)

- Then locate and zip up the memory dump file and upload it with your next post.

I can't get in to Windows, what do I do?

- If Windows will not start and get to a login screen or desktop, because it crashes too soon, try it in Safe Mode.


- If you can't get into Safe Mode, try using System Restore from your installation DVD to set the system back to the previous restore point that you created.

 
Joined
Mar 25, 2014
Messages
13
Reaction score
0
c:\System32\Drivers\aeynmvg5.SYS
No such file was found. Hidden files are shown to me, and yet I couldn't find it, btw I was checking in C:\Windows\System32\Drivers\
But I assumed you just mistyped.
Daemon Tools was removed.
The main problem is that after Windows is loaded, in the user selection screen, my keyboard and mouse both freeze.
EDIT: I restored using safe mode to a pre-verifier point, and now I wait for your next post.
 

Shintaro

Moderator
Mate,

I am pretty sure you have a virus or root kit.
Drivers just don't disappear.

Here is a short list of the drivers on your system from the crash dump file:

Code:
fffff880`01b38000 fffff880`01b8d000  MDFSYSNT MDFSYSNT.sys Wed May 19 00:07:22 2010 (4BF29F1A)
fffff880`01b8d000 fffff880`01b96000  hwpolicy hwpolicy.sys Sat Nov 20 20:18:54 2010 (4CE7927E)
fffff880`01b96000 fffff880`01bd0000  fvevol  fvevol.sys  Sat Nov 20 20:24:06 2010 (4CE793B6)
fffff880`01bd0000 fffff880`01be6000  disk  disk.sys  Tue Jul 14 09:19:57 2009 (4A5BC11D)
fffff880`02e00000 fffff880`02e1b000  wanarp  wanarp.sys  Sat Nov 20 21:52:36 2010 (4CE7A874)
fffff880`02e1b000 fffff880`02e2f000  termdd  termdd.sys  Sat Nov 20 22:03:40 2010 (4CE7AB0C)
fffff880`02e5e000 fffff880`02e80000  tdx  tdx.sys  Sat Nov 20 20:21:54 2010 (4CE79332)
fffff880`02e80000 fffff880`02e8d000  TDI  TDI.SYS  Sat Nov 20 20:22:06 2010 (4CE7933E)
fffff880`02e8d000 fffff880`02e9f000  aswTdi  aswTdi.SYS  Tue Nov 29 04:52:18 2011 (4ED3CA52)
fffff880`02e9f000 fffff880`02f28000  afd  afd.sys  Wed Dec 28 14:59:20 2011 (4EFA9418)
fffff880`02f28000 fffff880`02f35000  aswRdr  aswRdr.SYS  Tue Nov 29 04:52:20 2011 (4ED3CA54)
fffff880`02f35000 fffff880`02f7a000  netbt  netbt.sys  Sat Nov 20 20:23:18 2010 (4CE79386)
fffff880`02f7a000 fffff880`02f83000  wfplwf  wfplwf.sys  Tue Jul 14 10:09:26 2009 (4A5BCCB6)
fffff880`02f83000 fffff880`02fa9000  pacer  pacer.sys  Sat Nov 20 21:52:18 2010 (4CE7A862)
fffff880`02fa9000 fffff880`02fbf000  vwififlt vwififlt.sys Tue Jul 14 10:07:22 2009 (4A5BCC3A)
fffff880`02fbf000 fffff880`02fce000  netbios  netbios.sys  Tue Jul 14 10:09:26 2009 (4A5BCCB6)
fffff880`02fce000 fffff880`02feb000  serial  serial.sys  Tue Jul 14 10:00:40 2009 (4A5BCAA8)
fffff880`03e00000 fffff880`03e21000  WudfPf  WudfPf.sys  Sat Nov 20 21:42:44 2010 (4CE7A624)
fffff880`03e21000 fffff880`03e29000  diginet  diginet.sys  Thu Dec 04 18:12:13 2008 (493782CD)
fffff880`03e29000 fffff880`03e3e000  lltdio  lltdio.sys  Tue Jul 14 10:08:50 2009 (4A5BCC92)
fffff880`03f47000 fffff880`03f64000  usbccgp  usbccgp.sys  Sat Nov 20 21:44:03 2010 (4CE7A673)
fffff880`03f79000 fffff880`03f87000  kbdhid  kbdhid.sys  Sat Nov 20 21:33:25 2010 (4CE7A3F5)
fffff880`03f87000 fffff880`03f95000  monitor  monitor.sys  Tue Jul 14 09:38:52 2009 (4A5BC58C)
fffff880`03f95000 fffff880`03fb8000  luafv  luafv.sys  Tue Jul 14 09:26:13 2009 (4A5BC295)
fffff880`03fb8000 fffff880`03ff4000  aswMonFlt aswMonFlt.sys Tue Nov 29 04:52:10 2011 (4ED3CA4A)
fffff880`03ff4000 fffff880`03ffd000  aswFsBlk aswFsBlk.SYS Tue Nov 29 04:51:52 2011 (4ED3CA38)

fffff880`04200000 fffff880`04245000  aeynmvg5 aeynmvg5.SYS Wed Jul 15 07:12:55 2009 (4A5CF4D7)

fffff880`04245000 fffff880`04255000  CompositeBus CompositeBus.sys Sat Nov 20 21:33:17 2010 (4CE7A3ED)
fffff880`04255000 fffff880`0426b000  AgileVpn AgileVpn.sys Tue Jul 14 10:10:24 2009 (4A5BCCF0)
fffff880`0426b000 fffff880`0428c000  raspptp  raspptp.sys  Sat Nov 20 21:52:31 2010 (4CE7A86F)
fffff880`0428c000 fffff880`042ed000  atikmpag atikmpag.sys Tue Jun 12 02:26:14 2012 (4FD61C26)
fffff880`042ed000 fffff880`042f8000  rdpbus  rdpbus.sys  Tue Jul 14 10:17:46 2009 (4A5BCEAA)
fffff880`04302000 fffff880`0433f000  Rt64win7 Rt64win7.sys Fri Jul 10 20:10:11 2009 (4A571383)
fffff880`0433f000 fffff880`04363000  rasl2tp  rasl2tp.sys  Sat Nov 20 21:52:34 2010 (4CE7A872)
fffff880`04363000 fffff880`0436f000  ndistapi ndistapi.sys Tue Jul 14 10:10:00 2009 (4A5BCCD8)
fffff880`0436f000 fffff880`0439e000  ndiswan  ndiswan.sys  Sat Nov 20 21:52:32 2010 (4CE7A870)
Could you please run those scans again and capture the screen on completion. Then post the screen captures to the forum. I would like to see the results.
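Added example, not part of the original post: one way to cross-check a module list like the one above against the files actually present in the drivers folder, which is the mismatch the two posts above ran into. The function names and the directory listing are constructed for illustration; the three module lines are copied from the list above.

```python
import re
from datetime import datetime, timezone

# One line of WinDbg "lm" output in the format shown in the post above:
# start end  module  image  <link date text> (<hex link timestamp>)
LM_LINE = re.compile(
    r"^(?P<start>[0-9a-f]{8}`[0-9a-f]{8})\s+(?P<end>[0-9a-f]{8}`[0-9a-f]{8})\s+"
    r"(?P<module>\S+)\s+(?P<image>\S+)\s+.*\((?P<stamp>[0-9A-Fa-f]{8})\)\s*$"
)

def parse_lm(text):
    """Return one dict per loaded module found in the lm output."""
    modules = []
    for line in text.splitlines():
        m = LM_LINE.match(line.strip())
        if not m:
            continue  # skip blank lines and anything that is not a module row
        start = int(m["start"].replace("`", ""), 16)
        end = int(m["end"].replace("`", ""), 16)
        # The value in parentheses is the link time as a Unix timestamp in hex.
        linked = datetime.fromtimestamp(int(m["stamp"], 16), tz=timezone.utc)
        modules.append({"image": m["image"], "size": end - start, "linked": linked})
    return modules

def missing_on_disk(modules, files_on_disk):
    """Images loaded in the dump that have no same-named file in the listing.
    Windows file names are case-insensitive, so compare lower-cased."""
    present = {name.lower() for name in files_on_disk}
    return [m for m in modules if m["image"].lower() not in present]

# Three lines copied from the module list in the post above.
SAMPLE_LM = """\
fffff880`03ff4000 fffff880`03ffd000  aswFsBlk aswFsBlk.SYS Tue Nov 29 04:51:52 2011 (4ED3CA38)
fffff880`04200000 fffff880`04245000  aeynmvg5 aeynmvg5.SYS Wed Jul 15 07:12:55 2009 (4A5CF4D7)
fffff880`04245000 fffff880`04255000  CompositeBus CompositeBus.sys Sat Nov 20 21:33:17 2010 (4CE7A3ED)
"""
# Constructed directory listing, standing in for the file names found in
# C:\Windows\System32\Drivers on the live system.
SAMPLE_DIR = ["aswfsblk.sys", "CompositeBus.sys", "disk.sys"]

if __name__ == "__main__":
    for m in missing_on_disk(parse_lm(SAMPLE_LM), SAMPLE_DIR):
        print(f"{m['image']}  size=0x{m['size']:x}  linked={m['linked']:%Y-%m-%d} UTC")
```

The module list carries image names rather than full paths, so a hit only says the file is not in the one folder that was listed; it is a lead to follow up with the offline scan, not a verdict.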
 
Joined
Mar 25, 2014
Messages
13
Reaction score
0
Are you asking for all scans? Because that might take some time.
Here's the latest .dmp file, I guess it could possibly help pointing this problem out.
 


Shintaro

Moderator
In particular I am interested in the Windows Defender offline scan results.
 

Shintaro

Moderator
After you have run that OFFLINE scan.

Daemon tools SCSI Pass through is still on your computer.
1. Download SPTD installer from DuplexSecure - Downloads.
2. Run it.
3. Click Uninstall.
4. Reboot your PC after uninstalling.

Let's test your RAM (Memory)
Code:
KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff880060b62b1, The address that the exception occurred at
Arg3: 0000000000000001, Parameter 0 of the exception
Arg4: 0000000000000007, Parameter 1 of the exception

Debugging Details:
------------------


READ_ADDRESS: GetPointerFromAddress: unable to read from fffff800032be100
GetUlongFromAddress: unable to read from fffff800032be1c0
0000000000000000 Nonpaged pool

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP:
+775a22c020
fffff880`060b62b1 0000            add     byte ptr [rax],al

BUGCHECK_STR:  0x1E_c0000005_R

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  CODE_CORRUPTION

PROCESS_NAME:  svchost.exe

CURRENT_IRQL:  0

ANALYSIS_VERSION: 6.3.9600.16384 (debuggers(dbg).130821-1623) amd64fre

TRAP_FRAME:  fffff88009ea7780 -- (.trap 0xfffff88009ea7780)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000007 rbx=0000000000000000 rcx=fffffa8006066bb8
rdx=0000000000000003 rsi=0000000000000000 rdi=0000000000000000
rip=fffff880060b62b1 rsp=fffff88009ea7910 rbp=fffffa8006066bb8
r8=fffff88009ea7b20  r9=0000000000000000 r10=fffff88003163c40
r11=fffffa8007088b18 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
fffff880`060b62b1 0000            add     byte ptr [rax],al ds:00000000`00000007=??
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff800030d9d88 to fffff8000308f1c0

STACK_TEXT: 
fffff880`09ea6ef8 fffff800`030d9d88 : 00000000`0000001e ffffffff`c0000005 fffff880`060b62b1 00000000`00000001 : nt!KeBugCheckEx
fffff880`09ea6f00 fffff800`0308e842 : fffff880`09ea76d8 fffffa80`06066bbe fffff880`09ea7780 00000000`00000001 : nt! ?? ::FNODOBFM::`string'+0x48d3d
fffff880`09ea75a0 fffff800`0308d3ba : 00000000`00000001 00000000`00000007 00000000`00000000 fffffa80`06066bbe : nt!KiExceptionDispatch+0xc2
fffff880`09ea7780 fffff880`060b62b1 : fffffa80`05290018 00000000`00000000 00000000`00000000 fffff880`040c7530 : nt!KiPageFault+0x23a
fffff880`09ea7910 fffffa80`05290018 : 00000000`00000000 00000000`00000000 fffff880`040c7530 fffff880`040c7530 : 0xfffff880`060b62b1
fffff880`09ea7918 00000000`00000000 : 00000000`00000000 fffff880`040c7530 fffff880`040c7530 00000000`00000000 : 0xfffffa80`05290018


STACK_COMMAND:  kb

CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
    fffff8000308fd2d - nt!RcConsolidateFrames+11d
    [ 00:02 ]
1 error : !nt (fffff8000308fd2d)

MODULE_NAME: memory_corruption

IMAGE_NAME:  memory_corruption

FOLLOWUP_NAME:  memory_corruption

DEBUG_FLR_IMAGE_TIMESTAMP:  0

MEMORY_CORRUPTOR:  ONE_BIT

FAILURE_BUCKET_ID:  X64_MEMORY_CORRUPTION_ONE_BIT

BUCKET_ID:  X64_MEMORY_CORRUPTION_ONE_BIT

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:x64_memory_corruption_one_bit

FAILURE_ID_HASH:  {2dbb898e-c425-bad1-90fe-71c78117521f}
Please run MemTest86. The software needs to run through at least 8 passes. This will take some time, so maybe you need to let it run overnight. Here is a HowTo on MemTest86.
 

Shintaro

Moderator
Also please download and run CPU-Z.
Go to the About tab. Save as .html.
Save the .html file somewhere, put it in a zip file and upload it to the forum please.
 

Shintaro

Moderator
When Memtest86 has done 8 passes, use the camera in a mobile phone to take a picture and post it to the forum please.
 

Shintaro

Moderator
1/ Please uninstall Avast!, just until we find the problem. And use Windows Defender. Make sure you update it.

2/ Ok, I really need verifier on. Please try again but this time only select drivers that start with "ati" for example atikmdag.sys
Code:
Debugging Details:
------------------
Could not read faulting driver name
The crash dump says that it was a problem in non-paged area (your computer's RAM) and the process that was executing at the time was pes2014.exe (Pro Evolution Soccer 2014). So the results of Memtest86 are very important!

Code:
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fffffaa00e849018, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff88004afafb5, If non-zero, the instruction address which referenced the bad memory
   address.
Arg4: 0000000000000005, (reserved)

Debugging Details:
------------------


Could not read faulting driver name

READ_ADDRESS: GetPointerFromAddress: unable to read from fffff80003316100
GetUlongFromAddress: unable to read from fffff800033161c0
 fffffaa00e849018 Nonpaged pool

FAULTING_IP:
atikmdag+9fb5
fffff880`04afafb5 8b4108  mov  eax,dword ptr [rcx+8]

MM_INTERNAL_CODE:  5

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  pes2014.exe

CURRENT_IRQL:  0
 
Joined
Mar 25, 2014
Messages
13
Reaction score
0
Well, I ran Memtest overnight, 13 passes with zero errors.
Regarding your last post, I assumed running it again won't do any harm but the opposite.
So I ran it again for 6 passes.
*I only took a picture of the second run because I didn't take any on the first run, I thought it'd save a log file or so.
 
