Craig Brass Posted April 18, 2007

Hello Guys, I am getting the blue screen of death on shutdown (literally seconds after clicking OK on the shutdown screen). Sometimes it shuts down fine and doesn't do it, sometimes it does. The problem is it doesn't stay up long enough for me to see what caused it. I have a sysdata.xml, Mini041807-01.dmp and manifest.txt from the screen that pops up when it reboots. Is it safe to post these, and are you able to get information from these to find out what is causing the BSODs? Any help would be appreciated, guys.

Best Regards,
Craig Brass
k22 Posted April 18, 2007

post the .dmp file
Craig Brass (Author) Posted April 19, 2007

There. http://www.craigbrass.net/Mini041807-01.dmp
k22 Posted April 19, 2007

sorry to tell you this, but it looks like a rootkit. read here
http://en.wikipedia.org/wiki/Rootkit
http://www.google.com/search?hl=en&q=A...G=Google+Search
removal tool here - trial version
http://www.f-secure.com/blacklight/

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 100000CE, {b30ab49d, 8, b30ab49d, 0}

Probably caused by : ASFWHide ( ASFWHide>+49d )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS (ce)
A driver unloaded without cancelling timers, DPCs, worker threads, etc.
The broken driver's name is displayed on the screen.
Arguments:
Arg1: b30ab49d, memory referenced
Arg2: 00000008, value 0 = read operation, 1 = write operation
Arg3: b30ab49d, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 00000000, Mm internal code.

Debugging Details:
------------------

WRITE_ADDRESS: b30ab49d

FAULTING_IP:
ASFWHide>+49d
b30ab49d ?? ???

CUSTOMER_CRASH_COUNT: 2

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xCE

PROCESS_NAME: SetPoint.exe

IP_MODULE_UNLOADED:
ASFWHide>+49d
b30ab49d ?? ???

LAST_CONTROL_TRANSFER: from a746dd64 to b30ab49d

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
a746dd48 a746dd64 8054086c 00000005 00da0000 <Unloaded_ASFWHide>+0x49d
a746dd4c 8054086c 00000005 00da0000 00010000 0xa746dd64
a746dd64 7c90eb94 badb0d00 0013f788 000006bc nt!RtlIpv4StringToAddressExA+0x149
a746dd78 00000000 00000000 00000000 00000000 0x7c90eb94

STACK_COMMAND: kb

FOLLOWUP_IP:
ASFWHide>+49d
b30ab49d ?? ???

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: ASFWHide>+49d

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: ASFWHide

IMAGE_NAME: ASFWHide

DEBUG_FLR_IMAGE_TIMESTAMP: 0

FAILURE_BUCKET_ID: 0xCE_W_ASFWHide_+49d

BUCKET_ID: 0xCE_W_ASFWHide_+49d

Followup: MachineOwner
---------
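The !analyze -v output above carries everything needed to separate "a driver has a lifecycle bug" from "something is hiding": the bug check code, the module WinDbg blames, the process that was running, and the <Unloaded_...> marker on the faulting frame. The following Python script is an added example written for this thread, not code from the poster, WinDbg or any tool mentioned here. It parses that text (embedded below as a constructed sample taken from the post) into a small triage record and spells out what a 0xCE bug check with an already-unloaded module actually means. The field names it reads (BugCheck, BUGCHECK_STR, MODULE_NAME, PROCESS_NAME, STACK_TEXT, STACK_COMMAND) are the ones visible in the quoted output; the 0xCE description is a paraphrase of the quoted text.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Bug check codes this triage can explain; 0xCE is the one in the thread and the
# description paraphrases the !analyze text quoted above.
KNOWN_BUGCHECKS = {
    0xCE: "DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS: a driver unloaded "
          "while timers, DPCs or worker threads it owned were still pending",
}

# Constructed sample input: the !analyze -v lines quoted in the post above,
# trimmed to the ones that matter for triage.
SAMPLE_ANALYZE_OUTPUT = """
BugCheck 100000CE, {b30ab49d, 8, b30ab49d, 0}
Probably caused by : ASFWHide ( ASFWHide>+49d )
DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS (ce)
Arg2: 00000008, value 0 = read operation, 1 = write operation
WRITE_ADDRESS: b30ab49d
FAULTING_IP:
ASFWHide>+49d
b30ab49d ?? ???
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xCE
PROCESS_NAME: SetPoint.exe
STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
a746dd48 a746dd64 8054086c 00000005 00da0000 <Unloaded_ASFWHide>+0x49d
a746dd4c 8054086c 00000005 00da0000 00010000 0xa746dd64
a746dd64 7c90eb94 badb0d00 0013f788 000006bc nt!RtlIpv4StringToAddressExA+0x149
a746dd78 00000000 00000000 00000000 00000000 0x7c90eb94
STACK_COMMAND: kb
MODULE_NAME: ASFWHide
IMAGE_NAME: ASFWHide
FAILURE_BUCKET_ID: 0xCE_W_ASFWHide_+49d
"""

BUGCHECK_RE = re.compile(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}")
CAUSED_BY_RE = re.compile(r"^Probably caused by\s*:\s*(\S+)")
KV_RE = re.compile(r"^([A-Z_]+):\s*(.*)$")            # UPPER_CASE: value lines
FRAME_RE = re.compile(r"^[0-9a-f]{8}(?:\s+[0-9a-f]{8}){4}\s+(\S+)")  # kb frame rows
UNLOADED_RE = re.compile(r"<Unloaded_([^>]+)>")


@dataclass
class CrashTriage:
    bugcheck: int                      # base code, e.g. 0xCE
    raw_bugcheck: int                  # code as printed, e.g. 0x100000CE
    args: List[int]                    # the four bug check arguments
    module: str                        # module WinDbg blames
    process: str                       # user process in whose context the crash hit
    frames: List[str] = field(default_factory=list)
    unloaded_modules: List[str] = field(default_factory=list)

    def is_unloaded_driver_fault(self) -> bool:
        """True when the blamed module had already been unloaded at the faulting IP."""
        return self.bugcheck == 0xCE and self.module in self.unloaded_modules

    def access_kind(self) -> str:
        # Arg2 as documented in the quoted output: 0 = read, 1 = write. Any other
        # value is reported verbatim rather than guessed at.
        if len(self.args) < 2:
            return "unknown"
        return {0: "read", 1: "write"}.get(self.args[1], f"code {self.args[1]}")

    def verdict(self) -> str:
        desc = KNOWN_BUGCHECKS.get(self.bugcheck, "unrecognised bug check")
        head = f"Bug check 0x{self.bugcheck:X} ({desc}), blamed on {self.module} in process {self.process}."
        if self.is_unloaded_driver_fault():
            return (head + " The faulting instruction lies inside an image the kernel had already "
                    "unloaded, so a timer, DPC or callback the driver left behind ran after it was "
                    "gone. That is a defect in that driver, not evidence of malware by itself; "
                    "update or remove the driver and re-check.")
        return head


def parse_analyze_output(text: str) -> CrashTriage:
    fields: Dict[str, str] = {}
    raw_code: Optional[int] = None
    args: List[int] = []
    frames: List[str] = []
    unloaded: List[str] = []
    caused_by = ""
    in_stack = False
    for raw in text.splitlines():
        line = raw.strip()
        m = BUGCHECK_RE.match(line)
        if m:
            raw_code = int(m.group(1), 16)
            args = [int(a, 16) for a in m.group(2).replace(" ", "").split(",") if a]
            continue
        m = CAUSED_BY_RE.match(line)
        if m:
            caused_by = m.group(1)
            continue
        if line.startswith("STACK_TEXT:"):
            in_stack = True
            continue
        if line.startswith("STACK_COMMAND:"):
            in_stack = False
        if in_stack:                   # frame rows only; WinDbg's WARNING line is skipped
            m = FRAME_RE.match(line)
            if m:
                frames.append(m.group(1))
                u = UNLOADED_RE.search(m.group(1))
                if u and u.group(1) not in unloaded:
                    unloaded.append(u.group(1))
            continue
        m = KV_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    if raw_code is None:
        raise ValueError("no BugCheck line in input")
    # XP-era minidumps print some codes with a 0x10000000 prefix (100000CE);
    # WinDbg's own BUGCHECK_STR carries the base code, so prefer it when present.
    code = int(fields["BUGCHECK_STR"], 16) if "BUGCHECK_STR" in fields else raw_code & 0xFFFFFF
    return CrashTriage(bugcheck=code, raw_bugcheck=raw_code, args=args,
                       module=fields.get("MODULE_NAME", caused_by),
                       process=fields.get("PROCESS_NAME", "unknown"),
                       frames=frames, unloaded_modules=unloaded)


if __name__ == "__main__":
    print(parse_analyze_output(SAMPLE_ANALYZE_OUTPUT).verdict())
```

Run as-is it prints the verdict for the quoted dump: bug check 0xCE, blamed on ASFWHide, hit in the context of SetPoint.exe, with the faulting frame inside the already-unloaded ASFWHide image. Arg2 is 8 here, which is neither of the two values the quoted text documents, so the script reports it as "code 8" instead of inventing a meaning. The point of the script is the classification, not the parsing: a 0xCE with an <Unloaded_...> frame names a driver that forgot to cancel its own pending work, which is exactly what the later replies in this thread conclude.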
Craig Brass (Author) Posted April 19, 2007

Are you sure that is a virus? ASFW is Ashampoo's Firewall. This is set to hide in the background so it cannot be shut down by a virus. Also, SetPoint.exe is a Logitech Mouse driver, isn't it?
RaisinCain Posted April 19, 2007

It's just saying that the setpoint.exe driver did not terminate properly upon shutdown.
Craig Brass (Author) Posted April 19, 2007

So I don't have a rootkit?
k22 Posted April 19, 2007 (edited)

"So I don't have a rootkit?"

sorry, I'm on limited time so I couldn't do thorough research on that file. it looks like the google search just says that it has been falsely detected as a rootkit. i would just update the firewall and logitech mouse drivers to the latest version and see if the issue is resolved. sorry for the scare :)

Edited April 19, 2007 by k22