Blue screen.

  • Question

  • Hello,

    I have been getting an error lately when I start my computer. The computer starts up and stays on for a little while (about 5 minutes) then it crashes. But when I turn it back on an error window pops up. This is the message in the window.

    Problem signature:


      Problem Event Name: BlueScreen

      OS Version: 6.1.7601.2.1.0.768.3

      Locale ID: 1033



    Additional information about the problem:


      BCCode: d1

      BCP1: 0000000000000000

      BCP2: 0000000000000002

      BCP3: 0000000000000000

      BCP4: FFFFF8800310848C

      OS Version: 6_1_7601

      Service Pack: 1_0

      Product: 768_1



    Files that help describe the problem:


      C:\Windows\Minidump\012815-60809-01.dmp

      C:\Users\Max\AppData\Local\Temp\WER-115347-0.sysdata.xml

    Thursday, January 29, 2015 1:41 AM

Answers

  • https://onedrive.live.com/redir?resid=ED5090FBDAD9BD88!107&authkey=!ACsIUpKBLF9XSME&ithint=file%2czip

    Max

    This was related to IDSvia64.sys IDS Core Driver from Symantec Corporation.  You have 3 malware apps.  Symantec, MBAM, and the bits of AVG.  I would remove Symantec which IMHO is rubbish, and replace with Microsoft Security Essentials.

    Symantec is a frequent cause of BSODs.

    I would remove and replace it with Microsoft Security Essentials AT LEAST TO TEST
    http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN

    For Norton 360 use this: http://symantec.pcperformancetools.com/norton-360-how-to-uninstall.html

    Microsoft (R) Windows Debugger Version 6.3.9600.17298 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.
    
    
    Loading Dump File [C:\Users\Ken\Desktop\012815-60809-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available
    
    
    ************* Symbol Path validation summary **************
    Response                         Time (ms)     Location
    Deferred                                       srv*E:\symbols
    Deferred                                       *http://msdl.microsoft.com/download/symbols
    Symbol search path is: srv*E:\symbols;*http://msdl.microsoft.com/download/symbols
    Executable search path is: 
    Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
    Product: WinNt, suite: TerminalServer SingleUserTS Personal
    Built by: 7601.18700.amd64fre.win7sp1_gdr.141211-1742
    Machine Name:
    Kernel base = 0xfffff800`03206000 PsLoadedModuleList = 0xfffff800`03449890
    Debug session time: Wed Jan 28 19:28:54.356 2015 (UTC - 5:00)
    System Uptime: 0 days 0:04:15.433
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    ....................................................
    Loading User Symbols
    Loading unloaded module list
    ...
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    Use !analyze -v to get detailed debugging information.
    
    BugCheck D1, {0, 2, 0, fffff8800310848c}
    
    *** WARNING: Unable to verify timestamp for IDSvia64.sys
    *** ERROR: Module load completed but symbols could not be loaded for IDSvia64.sys
    Probably caused by : IDSvia64.sys ( IDSvia64+5648c )
    
    Followup: MachineOwner
    ---------
    
    3: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
    An attempt was made to access a pageable (or completely invalid) address at an
    interrupt request level (IRQL) that is too high.  This is usually
    caused by drivers using improper addresses.
    If kernel debugger is available get stack backtrace.
    Arguments:
    Arg1: 0000000000000000, memory referenced
    Arg2: 0000000000000002, IRQL
    Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
    Arg4: fffff8800310848c, address which referenced memory
    
    Debugging Details:
    ------------------
    
    
    READ_ADDRESS: GetPointerFromAddress: unable to read from fffff800034b3100
    GetUlongFromAddress: unable to read from fffff800034b31c0
     0000000000000000 Nonpaged pool
    
    CURRENT_IRQL:  2
    
    FAULTING_IP: 
    IDSvia64+5648c
    fffff880`0310848c 4c8b01          mov     r8,qword ptr [rcx]
    
    CUSTOMER_CRASH_COUNT:  1
    
    DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT
    
    BUGCHECK_STR:  0xD1
    
    PROCESS_NAME:  System
    
    ANALYSIS_VERSION: 6.3.9600.17298 (debuggers(dbg).141024-1500) amd64fre
    
    TRAP_FRAME:  fffff880035b65b0 -- (.trap 0xfffff880035b65b0)
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=fffffa8009aa4010 rbx=0000000000000000 rcx=0000000000000000
    rdx=fffffa800968a6a8 rsi=0000000000000000 rdi=0000000000000000
    rip=fffff8800310848c rsp=fffff880035b6748 rbp=0000000000000000
     r8=fffffa800a480d00  r9=00000000000000a0 r10=fffff880033d3d60
    r11=fffffa8009aa4460 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0         nv up ei pl zr na po nc
    IDSvia64+0x5648c:
    fffff880`0310848c 4c8b01          mov     r8,qword ptr [rcx] ds:00000000`00000000=????????????????
    Resetting default scope
    
    LAST_CONTROL_TRANSFER:  from fffff8000327c429 to fffff8000327ce80
    
    STACK_TEXT:  
    fffff880`035b6468 fffff800`0327c429 : 00000000`0000000a 00000000`00000000 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
    fffff880`035b6470 fffff800`0327b0a0 : fffffa80`08f45f50 fffff800`033af30d fffffa80`03941bc0 fffffa80`0973e018 : nt!KiBugCheckDispatch+0x69
    fffff880`035b65b0 fffff880`0310848c : fffff880`031354b6 fffffa80`08f525b0 00000000`00000040 fffff880`031496d8 : nt!KiPageFault+0x260
    fffff880`035b6748 fffff880`031354b6 : fffffa80`08f525b0 00000000`00000040 fffff880`031496d8 00000000`000007ff : IDSvia64+0x5648c
    fffff880`035b6750 fffffa80`08f525b0 : 00000000`00000040 fffff880`031496d8 00000000`000007ff 00000000`00000001 : IDSvia64+0x834b6
    fffff880`035b6758 00000000`00000040 : fffff880`031496d8 00000000`000007ff 00000000`00000001 fffff880`03135359 : 0xfffffa80`08f525b0
    fffff880`035b6760 fffff880`031496d8 : 00000000`000007ff 00000000`00000001 fffff880`03135359 fffffa80`00000000 : 0x40
    fffff880`035b6768 00000000`000007ff : 00000000`00000001 fffff880`03135359 fffffa80`00000000 fffff800`033af30d : IDSvia64+0x976d8
    fffff880`035b6770 00000000`00000001 : fffff880`03135359 fffffa80`00000000 fffff800`033af30d fffffa80`0973e018 : 0x7ff
    fffff880`035b6778 fffff880`03135359 : fffffa80`00000000 fffff800`033af30d fffffa80`0973e018 00000000`00000000 : 0x1
    fffff880`035b6780 fffffa80`00000000 : fffff800`033af30d fffffa80`0973e018 00000000`00000000 00000000`00000002 : IDSvia64+0x83359
    fffff880`035b6788 fffff800`033af30d : fffffa80`0973e018 00000000`00000000 00000000`00000002 fffffa80`08f52588 : 0xfffffa80`00000000
    fffff880`035b6790 ffffffff`fffffcf8 : ffffffff`fffffff8 fffffa80`0a262528 fffff880`031496d8 fffff880`031097a1 : nt!ExFreePoolWithTag+0x22d
    fffff880`035b6840 ffffffff`fffffff8 : fffffa80`0a262528 fffff880`031496d8 fffff880`031097a1 00000000`00000000 : 0xffffffff`fffffcf8
    fffff880`035b6848 fffffa80`0a262528 : fffff880`031496d8 fffff880`031097a1 00000000`00000000 ffffffff`fffffcf8 : 0xffffffff`fffffff8
    fffff880`035b6850 fffff880`031496d8 : fffff880`031097a1 00000000`00000000 ffffffff`fffffcf8 ffffffff`fffffff8 : 0xfffffa80`0a262528
    fffff880`035b6858 fffff880`031097a1 : 00000000`00000000 ffffffff`fffffcf8 ffffffff`fffffff8 fffffa80`0968aab0 : IDSvia64+0x976d8
    fffff880`035b6860 00000000`00000000 : ffffffff`fffffcf8 ffffffff`fffffff8 fffffa80`0968aab0 fffffa80`0968aab0 : IDSvia64+0x577a1
    
    
    STACK_COMMAND:  kb
    
    FOLLOWUP_IP: 
    IDSvia64+5648c
    fffff880`0310848c 4c8b01          mov     r8,qword ptr [rcx]
    
    SYMBOL_STACK_INDEX:  3
    
    SYMBOL_NAME:  IDSvia64+5648c
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: IDSvia64
    
    IMAGE_NAME:  IDSvia64.sys
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  54935c2d
    
    FAILURE_BUCKET_ID:  X64_0xD1_IDSvia64+5648c
    
    BUCKET_ID:  X64_0xD1_IDSvia64+5648c
    
    ANALYSIS_SOURCE:  KM
    
    FAILURE_ID_HASH_STRING:  km:x64_0xd1_idsvia64+5648c
    
    FAILURE_ID_HASH:  {a1a24b00-cb24-f053-7046-406d42e1e220}
    
    Followup: MachineOwner
    ---------
    
    

     


    Wanikiya and Dyami--Team Zigzag

    • Marked as answer by ZigZag3143x Friday, January 30, 2015 1:47 AM
    Thursday, January 29, 2015 1:20 PM
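
A triage helper for `!analyze -v` text like the output in the answer above, as an added example that is not part of the original post: it decodes the four 0xD1 arguments, lists the non-kernel modules on the stack, and derives the driver's load base from Arg4 and the reported offset. The function name, the `CORE_MODULES` set and the low-address threshold are assumptions; the sample input is an excerpt of the debugger output quoted above.

```python
import re

# Excerpt of the `!analyze -v` output quoted in the answer above.
SAMPLE = r"""
BugCheck D1, {0, 2, 0, fffff8800310848c}
Probably caused by : IDSvia64.sys ( IDSvia64+5648c )
STACK_TEXT:
fffff880`035b6468 fffff800`0327c429 : 00000000`0000000a 00000000`00000000 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffff880`035b6470 fffff800`0327b0a0 : fffffa80`08f45f50 fffff800`033af30d fffffa80`03941bc0 fffffa80`0973e018 : nt!KiBugCheckDispatch+0x69
fffff880`035b65b0 fffff880`0310848c : fffff880`031354b6 fffffa80`08f525b0 00000000`00000040 fffff880`031496d8 : nt!KiPageFault+0x260
fffff880`035b6748 fffff880`031354b6 : fffffa80`08f525b0 00000000`00000040 fffff880`031496d8 00000000`000007ff : IDSvia64+0x5648c
fffff880`035b6750 fffffa80`08f525b0 : 00000000`00000040 fffff880`031496d8 00000000`000007ff 00000000`00000001 : IDSvia64+0x834b6
fffff880`035b6758 00000000`00000040 : fffff880`031496d8 00000000`000007ff 00000000`00000001 fffff880`03135359 : 0xfffffa80`08f525b0
IMAGE_NAME:  IDSvia64.sys
"""

IRQL_NAMES = {0: "PASSIVE_LEVEL", 1: "APC_LEVEL", 2: "DISPATCH_LEVEL"}
ACCESS = {0: "read", 1: "write"}           # meaning of Arg3, as printed by the debugger
CORE_MODULES = {"nt", "hal"}               # assumption: treated as OS core, not third party

BUGCHECK = re.compile(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", re.M)
CAUSE = re.compile(r"^Probably caused by : (\S+) \( (\w+)\+([0-9a-f]+) \)", re.M)
IMAGE = re.compile(r"^IMAGE_NAME:\s+(\S+)", re.M)
# A STACK_TEXT row: child-SP, return address, four args, then the symbol.
FRAME = re.compile(r"^[0-9a-f`]{17} [0-9a-f`]{17} : .* : (\S+)[ \t]*$", re.M)


def triage(text):
    """Summarise a WinDbg bugcheck analysis; extra decoding is done for 0xD1."""
    hit = BUGCHECK.search(text)
    if not hit:
        raise ValueError("no BugCheck line in input")
    code = int(hit.group(1), 16)
    args = [int(a, 16) for a in hit.group(2).split(",")]

    modules = []
    for sym in FRAME.findall(text):
        if sym.startswith("0x"):           # stack slot that is not a code address
            continue
        mod = re.split(r"[!+]", sym, maxsplit=1)[0]
        if mod not in modules:
            modules.append(mod)

    image = IMAGE.search(text)
    result = {
        "bugcheck": code,
        "args": args,
        "image": image.group(1) if image else None,
        "third_party_modules": [n for n in modules if n.lower() not in CORE_MODULES],
    }
    cause = CAUSE.search(text)
    if code == 0xD1 and len(args) == 4:
        result["irql"] = IRQL_NAMES.get(args[1], hex(args[1]))
        result["access"] = ACCESS.get(args[2], hex(args[2]))
        # Heuristic: an address inside the first page points to a NULL
        # pointer (or NULL plus a small field offset) being dereferenced.
        result["low_address"] = args[0] < 0x1000
        if cause:                          # Arg4 minus module offset = load base
            result["module_base"] = args[3] - int(cause.group(3), 16)
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```
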
  • Give it a try and disable Norton and check if that fixes your problem. 

    You can use MSE if Norton is the culprit. :)


    Arnav Sharma | http://arnavsharma.net/ Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    • Marked as answer by Max90St Friday, January 30, 2015 1:36 AM
    Friday, January 30, 2015 1:34 AM

All replies

  • What happens if you delete that file?

    Thursday, January 29, 2015 3:30 AM
  • We do need the actual log files (called DMP files) as they contain the only record of the sequence of events leading up to the crash, what drivers were loaded, and what was responsible.


    Please follow our instructions for finding and uploading the files we need to help you fix your computer. They can be found here

    Arnav Sharma | http://arnavsharma.net/ Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Thursday, January 29, 2015 3:39 AM
  • We do need the actual log files (called DMP files) as they contain the only record of the sequence of events leading up to the crash, what drivers were loaded, and what was responsible.


    Please follow our instructions for finding and uploading the files we need to help you fix your computer. They can be found here
    If you have any questions about the procedure please ask



    Wanikiya and Dyami--Team Zigzag

    Thursday, January 29, 2015 4:13 AM
  • https://onedrive.live.com/redir?resid=ED5090FBDAD9BD88!107&authkey=!ACsIUpKBLF9XSME&ithint=file%2czip
    Thursday, January 29, 2015 5:01 AM
  • I'm having trouble with posting a reply with the links on it. I keep getting a message that says I can't post an image or link until my profile has been verified. I don't know what to do about this.
    Thursday, January 29, 2015 5:16 AM
  • You have installed Symantec products in your PC.

    Remove the Symantec product and restart the PC.

    Otherwise disable the Symantec drivers by using Autoruns.


    Mark as Answer if it's worked. Thanks. Balamurugan_Subramaniyan

    Thursday, January 29, 2015 6:01 AM
  • So if I turn my Norton off and just use Windows security tools, just to see if it works I should just not use Norton?

    Also do you think I should remove the Malwarebytes program as well?

    Friday, January 30, 2015 1:32 AM