BSOD error at random - Please help

  • Question

  • Hi everyone,

    My machine recently started getting BSOD errors. Below are the relevant files that it has been suggested I provide to help solve this issue. Many thanks in advance!

    DMP Files (3 in zip)

    https://drive.google.com/file/d/0B_B6XTQYy91BNElZNThuajJuN3c/view?usp=sharing

    MSINFO32 file

    https://drive.google.com/file/d/0B_B6XTQYy91BMEtsQ3RacG9Yd3M/view?usp=sharing

    System Specs

    https://drive.google.com/file/d/0B_B6XTQYy91BQjFjN1A4c2pwaFk/view?usp=sharing

    Wednesday, February 17, 2016 10:13 AM

Answers

  • Related to avc3.sys Active Virus Control filter driver from BitDefender AVC.  I would simply remove it and use the built-in Defender or almost any other malware app except McAfee, Kaspersky, or Symantec.

    Microsoft (R) Windows Debugger Version 10.0.10586.567 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.
    
    
    Loading Dump File [C:\Users\zigza\Desktop\021716-13119-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available
    
    
    ************* Symbol Path validation summary **************
    Response                         Time (ms)     Location
    Deferred                                       srv*E:\symbols*https://msdl.microsoft.com/download/symbols
    Symbol search path is: srv*E:\symbols*https://msdl.microsoft.com/download/symbols
    Executable search path is: 
    Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 7601.19135.amd64fre.win7sp1_gdr.160121-1718
    Machine Name:
    Kernel base = 0xfffff800`03017000 PsLoadedModuleList = 0xfffff800`0325e730
    Debug session time: Wed Feb 17 06:42:40.197 2016 (UTC - 5:00)
    System Uptime: 0 days 0:08:06.071
    Loading Kernel Symbols
    .
    
    Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
    Run !sym noisy before .reload to track down problems loading symbols.
    
    ..............................................................
    ................................................................
    .................................
    Loading User Symbols
    Loading unloaded module list
    .....
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    Use !analyze -v to get detailed debugging information.
    
    BugCheck C4, {c5, fffff8800130a440, ffff, 0}
    
    Unable to load image avc3.sys, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for avc3.sys
    *** ERROR: Module load completed but symbols could not be loaded for avc3.sys
    Probably caused by : avc3.sys ( avc3+a0440 )
    
    Followup:     MachineOwner
    ---------
    
    2: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
    A device driver attempting to corrupt the system has been caught.  This is
    because the driver was specified in the registry as being suspect (by the
    administrator) and the kernel has enabled substantial checking of this driver.
    If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and 0xA will
    be among the most commonly seen crashes.
    Arguments:
    Arg1: 00000000000000c5, Thread APC disable count changed by driver dispatch routine.
    Arg2: fffff8800130a440, Driver dispatch routine address.
    Arg3: 000000000000ffff, Current thread APC disable count.
    Arg4: 0000000000000000, Thread APC disable count before calling driver dispatch routine.
    	The APC disable count is decremented each time a driver calls
    	KeEnterCriticalRegion, FsRtlEnterFileSystem, or acquires a mutex. The APC
    	disable count is incremented each time a driver calls KeLeaveCriticalRegion,
    	FsRtlExitFileSystem, or KeReleaseMutex. Since these calls should always be in
    	pairs, this value should be zero when a thread exits. A negative value
    	indicates that a driver has disabled APC calls without re-enabling them. A
    	positive value indicates that the reverse is true.
    
    Debugging Details:
    ------------------
    
    
    DUMP_CLASS: 1
    
    DUMP_QUALIFIER: 400
    
    BUILD_VERSION_STRING:  7601.19135.amd64fre.win7sp1_gdr.160121-1718
    
    SYSTEM_MANUFACTURER:  ASUS
    
    SYSTEM_PRODUCT_NAME:  All Series
    
    SYSTEM_SKU:  All
    
    SYSTEM_VERSION:  System Version
    
    BIOS_VENDOR:  American Megatrends Inc.
    
    BIOS_VERSION:  2001
    
    BIOS_DATE:  06/16/2014
    
    BASEBOARD_MANUFACTURER:  ASUSTeK COMPUTER INC.
    
    BASEBOARD_PRODUCT:  B85M-E
    
    BASEBOARD_VERSION:  Rev X.0x
    
    DUMP_TYPE:  2
    
    BUGCHECK_P1: c5
    
    BUGCHECK_P2: fffff8800130a440
    
    BUGCHECK_P3: ffff
    
    BUGCHECK_P4: 0
    
    BUGCHECK_STR:  0xc4_c5
    
    FAULTING_IP: 
    avc3+a0440
    fffff880`0130a440 4889542410      mov     qword ptr [rsp+10h],rdx
    
    FOLLOWUP_IP: 
    avc3+a0440
    fffff880`0130a440 4889542410      mov     qword ptr [rsp+10h],rdx
    
    CPU_COUNT: 4
    
    CPU_MHZ: c78
    
    CPU_VENDOR:  GenuineIntel
    
    CPU_FAMILY: 6
    
    CPU_MODEL: 3c
    
    CPU_STEPPING: 3
    
    CPU_MICROCODE: 6,3c,3,0 (F,M,S,R)  SIG: 1C'00000000 (cache) 19'00000000 (init)
    
    CUSTOMER_CRASH_COUNT:  1
    
    DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT
    
    PROCESS_NAME:  ProductAgentSe
    
    CURRENT_IRQL:  2
    
    ANALYSIS_SESSION_HOST:  DESKTOP-DT3LSR8
    
    ANALYSIS_SESSION_TIME:  02-17-2016 08:51:44.0567
    
    ANALYSIS_VERSION: 10.0.10586.567 amd64fre
    
    STACK_TEXT:  
    fffff880`09300758 fffff800`03117d40 : 00000000`000000c4 00000000`000000c5 fffff880`0130a440 00000000`0000ffff : nt!KeBugCheckEx
    fffff880`09300760 fffff800`03536c7e : fffff880`09300800 fffff800`033976cb fffff880`00000000 fffff800`035293d7 : nt!VfBugCheckNoStackUsage+0x30
    fffff880`093007a0 fffff800`0353cd5e : fffff980`0000001b fffff980`3c108ee0 00000000`00000002 fffffa80`0a7fc060 : nt!VfAfterCallDriver+0x33e
    fffff880`093007f0 fffff800`033976cb : 00000000`00000002 fffffa80`08f7c470 00000000`00000000 fffffa80`07e9f190 : nt!IovCallDriver+0x57e
    fffff880`09300850 fffff800`033ab52a : fffffa80`08f7c470 00000000`0000000c fffffa80`08f7c470 00000000`00000000 : nt!IopSynchronousServiceTail+0xfb
    fffff880`093008c0 fffff800`033ab5c6 : 00000000`00000000 00000000`00000000 00000000`00000001 00000000`00000000 : nt!IopXxxControlFile+0xc27
    fffff880`09300a00 fffff800`0308a653 : 00000000`728c2198 fffff880`09300b60 00000000`00000000 fffff800`03376eeb : nt!NtDeviceIoControlFile+0x56
    fffff880`09300a70 00000000`74bb2e09 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
    00000000`00e8ee08 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x74bb2e09
    
    
    STACK_COMMAND:  kb
    
    THREAD_SHA1_HASH_MOD_FUNC:  59fc0ab513460703e18d313e8f127b2580936415
    
    THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  4a190a4fc8203a58278ab065fa401e61b86ccca6
    
    THREAD_SHA1_HASH_MOD:  cb5f414824c2521bcc505eaa03e92fa10922dad8
    
    FAULT_INSTR_CODE:  24548948
    
    SYMBOL_NAME:  avc3+a0440
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: avc3
    
    IMAGE_NAME:  avc3.sys
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  569e3fa2
    
    FAILURE_BUCKET_ID:  X64_0xc4_c5_avc3+a0440
    
    BUCKET_ID:  X64_0xc4_c5_avc3+a0440
    
    PRIMARY_PROBLEM_CLASS:  X64_0xc4_c5_avc3+a0440
    
    TARGET_TIME:  2016-02-17T11:42:40.000Z
    
    OSBUILD:  7601
    
    OSSERVICEPACK:  1000
    
    SERVICEPACK_NUMBER: 0
    
    OS_REVISION: 0
    
    SUITE_MASK:  272
    
    PRODUCT_TYPE:  1
    
    OSPLATFORM_TYPE:  x64
    
    OSNAME:  Windows 7
    
    OSEDITION:  Windows 7 WinNt (Service Pack 1) TerminalServer SingleUserTS
    
    OS_LOCALE:  
    
    USER_LCID:  0
    
    OSBUILD_TIMESTAMP:  2016-01-22 00:06:31
    
    BUILDDATESTAMP_STR:  160121-1718
    
    BUILDLAB_STR:  win7sp1_gdr
    
    BUILDOSVER_STR:  6.1.7601.19135.amd64fre.win7sp1_gdr.160121-1718
    
    ANALYSIS_SESSION_ELAPSED_TIME: a39
    
    ANALYSIS_SOURCE:  KM
    
    FAILURE_ID_HASH_STRING:  km:x64_0xc4_c5_avc3+a0440
    
    FAILURE_ID_HASH:  {4120480e-a147-eadc-1614-6ef04f6b0946}
    
    Followup:     MachineOwner
    ---------
    
    


    Wanikiya and Dyami--Team Zigzag Windows IT-PRO (MS-MVP)

    Wednesday, February 17, 2016 1:52 PM
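
An added example, not part of the original thread or of WinDbg: a small Python parser that pulls the bugcheck arguments out of the `!analyze -v` text above and reads the APC disable count as a signed value, so `ffff` shows up as -1 (APCs disabled and never re-enabled). The function names and the 16-bit counter width are assumptions of this example; the sample is abridged from the dump in this thread.

```python
import re

# Abridged from the !analyze -v output above (argument columns of STACK_TEXT dropped).
SAMPLE = r"""
DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
Arg1: 00000000000000c5, Thread APC disable count changed by driver dispatch routine.
Arg2: fffff8800130a440, Driver dispatch routine address.
Arg3: 000000000000ffff, Current thread APC disable count.
Arg4: 0000000000000000, Thread APC disable count before calling driver dispatch routine.
PROCESS_NAME:  ProductAgentSe
STACK_TEXT:
fffff880`09300758 fffff800`03117d40 : nt!KeBugCheckEx
fffff880`09300760 fffff800`03536c7e : nt!VfBugCheckNoStackUsage+0x30
fffff880`093007a0 fffff800`0353cd5e : nt!VfAfterCallDriver+0x33e
fffff880`093007f0 fffff800`033976cb : nt!IovCallDriver+0x57e
fffff880`09300a00 fffff800`0308a653 : nt!NtDeviceIoControlFile+0x56
SYMBOL_NAME:  avc3+a0440
IMAGE_NAME:  avc3.sys
"""

def signed16(value):
    """Read the low 16 bits as a signed count (assumption: the counter is 16-bit)."""
    value &= 0xFFFF
    return value - 0x10000 if value & 0x8000 else value

def parse_analyze(text):
    """Pull bugcheck code, Arg1-4, tagged fields and stack symbols from !analyze -v text."""
    code = re.search(r"^\s*\w+ \(([0-9a-f]+)\)\s*$", text, re.M | re.I)
    args = [int(a, 16) for a in re.findall(r"^\s*Arg[1-4]:\s*([0-9a-f]+)", text, re.M | re.I)]
    fields = dict(re.findall(r"^\s*([A-Z_]+):[ \t]+(\S+)[ \t]*$", text, re.M))
    frames = re.findall(r":\s+(\w+!\w+)(?:\+0x[0-9a-f]+)?\s*$", text, re.M | re.I)
    return {"code": int(code.group(1), 16) if code else None,
            "args": args, "fields": fields, "frames": frames}

def triage(report):
    """Summarise a 0xC4/0xC5 (APC disable count changed in dispatch routine) report."""
    if report["code"] != 0xC4 or len(report["args"]) != 4 or report["args"][0] != 0xC5:
        return None  # not the violation discussed in this thread
    _, routine, now, before = report["args"]
    delta = signed16(now) - signed16(before)
    return {
        "driver": report["fields"].get("IMAGE_NAME"),
        "dispatch_routine": hex(routine),
        "apc_delta": delta,
        # Negative: APCs disabled and not re-enabled; positive: the reverse.
        "imbalance": "unmatched disable" if delta < 0 else "unmatched enable",
        # nt!Vf* / nt!Iov* frames mean Driver Verifier raised the bugcheck.
        "caught_by_verifier": any(f.startswith(("nt!Vf", "nt!Iov")) for f in report["frames"]),
        "entered_via_ioctl": "nt!NtDeviceIoControlFile" in report["frames"],
        "process": report["fields"].get("PROCESS_NAME"),
    }

if __name__ == "__main__":
    print(triage(parse_analyze(SAMPLE)))
```
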

All replies

  • These crashes were related to memory corruption (probably caused by a driver). 

    Please run these two tests to verify your memory and find which driver is causing the problem.  Please run verifier first.  You do not need to run memtest yet unless verifier does not find the cause, or you want to.


    If you are over-clocking anything reset to default before running these tests.
    In other words STOP!!!  If you do not know what this means you probably are not


    1-Driver verifier (for complete directions see our wiki here)

    2-Memtest. (You can read more about running memtest here)

    Wanikiya and Dyami--Team Zigzag Windows IT-PRO (MS-MVP)

    Wednesday, February 17, 2016 10:39 AM
  • Thanks for the reply.

    Just got back from running the verifier tests.

    Below are 4 DMP files that have been created from the test.

    https://drive.google.com/file/d/0B_B6XTQYy91BbDJIcFEzcTVZTVU/view?usp=sharing

    The error that I see is AVC3.sys.

    May I ask for the next step please? Thanks!

    Wednesday, February 17, 2016 1:15 PM
  • Hi,
    Would you mind letting me know the result of the suggestions? If you need further assistance, feel free to let me know. I will be more than happy to be of assistance.

    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Friday, February 26, 2016 8:47 AM