BSOD on Shutdown
Hello Guys,

I am getting the blue screen of death on shutdown (literally seconds after clicking OK on the shutdown screen). Sometimes it shuts down fine and doesn't do it, sometimes it does. The problem is it doesn't stay up long enough for me to see what caused it.

I have a sysdata.xml, Mini041807-01.dmp and manifest.txt from the screen that pops up when it reboots. Is it safe to post these and are you able to get information from these to find out what is causing the BSODs?

Any help would be appreciated guys.

Best Regards,

Craig Brass


sorry to tell you this, but it looks like a rootkit. read here

http://en.wikipedia.org/wiki/Rootkit

http://www.google.com/search?hl=en&q=A...G=Google+Search

removal tool here - trial version

http://www.f-secure.com/blacklight/

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 100000CE, {b30ab49d, 8, b30ab49d, 0}

Probably caused by : ASFWHide ( <Unloaded_ASFWHide>+49d )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS (ce)
A driver unloaded without cancelling timers, DPCs, worker threads, etc.
The broken driver's name is displayed on the screen.
Arguments:
Arg1: b30ab49d, memory referenced
Arg2: 00000008, value 0 = read operation, 1 = write operation
Arg3: b30ab49d, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, Mm internal code.

Debugging Details:
------------------

WRITE_ADDRESS: b30ab49d

FAULTING_IP:
<Unloaded_ASFWHide>+49d
b30ab49d ?? ???

CUSTOMER_CRASH_COUNT: 2

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xCE

PROCESS_NAME: SetPoint.exe

IP_MODULE_UNLOADED:
<Unloaded_ASFWHide>+49d
b30ab49d ?? ???

LAST_CONTROL_TRANSFER: from a746dd64 to b30ab49d

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
a746dd48 a746dd64 8054086c 00000005 00da0000 <Unloaded_ASFWHide>+0x49d
a746dd4c 8054086c 00000005 00da0000 00010000 0xa746dd64
a746dd64 7c90eb94 badb0d00 0013f788 000006bc nt!RtlIpv4StringToAddressExA+0x149
a746dd78 00000000 00000000 00000000 00000000 0x7c90eb94

STACK_COMMAND: kb

FOLLOWUP_IP:
<Unloaded_ASFWHide>+49d
b30ab49d ?? ???

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: <Unloaded_ASFWHide>+49d

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: ASFWHide

IMAGE_NAME: ASFWHide

DEBUG_FLR_IMAGE_TIMESTAMP: 0

FAILURE_BUCKET_ID: 0xCE_W_ASFWHide_+49d

BUCKET_ID: 0xCE_W_ASFWHide_+49d

Followup: MachineOwner
---------

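The !analyze -v text above can be read mechanically. The following Python helper is an added example (not from the thread, not a WinDbg feature): it pulls the stop code, its arguments, the process name and any <Unloaded_...> module out of a constructed, trimmed copy of that output, and spells out what a 0xCE combined with an unloaded module means for triage (a driver that was unloaded while it still had work queued, which is a driver-lifecycle defect rather than, by itself, evidence of a rootkit).

```python
import re

# Constructed sample: a trimmed copy of the !analyze -v output posted in this thread.
SAMPLE = """\
BugCheck 100000CE, {b30ab49d, 8, b30ab49d, 0}
Probably caused by : ASFWHide ( <Unloaded_ASFWHide>+49d )
BUGCHECK_STR: 0xCE
PROCESS_NAME: SetPoint.exe
IP_MODULE_UNLOADED:
<Unloaded_ASFWHide>+49d
STACK_TEXT:
a746dd48 a746dd64 8054086c 00000005 00da0000 <Unloaded_ASFWHide>+0x49d
a746dd64 7c90eb94 badb0d00 0013f788 000006bc nt!RtlIpv4StringToAddressExA+0x149
MODULE_NAME: ASFWHide
FAILURE_BUCKET_ID: 0xCE_W_ASFWHide_+49d
"""

def parse_analyze(text):
    """Extract the fields a triager looks at first from !analyze -v output."""
    info = {"unloaded_modules": set()}
    m = re.search(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", text, re.M)
    if m:
        # 100000CE carries the documented stop code (0xCE) in its low bits.
        info["bugcheck"] = int(m.group(1), 16) & 0xFFFF
        info["args"] = [int(a.strip(), 16) for a in m.group(2).split(",")]
    for key in ("PROCESS_NAME", "MODULE_NAME", "FAILURE_BUCKET_ID", "BUGCHECK_STR"):
        m = re.search(r"^%s:\s*(\S+)" % key, text, re.M)
        if m:
            info[key.lower()] = m.group(1)
    # WinDbg wraps frames whose module is no longer loaded in <Unloaded_NAME>.
    for m in re.finditer(r"<Unloaded_([^>]+)>", text):
        info["unloaded_modules"].add(m.group(1))
    return info

def triage(info):
    """One-line verdict: 0xCE plus an unloaded module points at that driver."""
    unloaded = info.get("unloaded_modules", set())
    if info.get("bugcheck") == 0xCE and unloaded:
        mods = ", ".join(sorted(unloaded))
        return ("DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS: driver(s) %s "
                "unloaded while work was still queued; update or remove that driver" % mods)
    return "bugcheck 0x%X: no unloaded-module signature" % info.get("bugcheck", 0)

if __name__ == "__main__":
    print(triage(parse_analyze(SAMPLE)))
```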

Are you sure that is a virus? ASFW is Ashampoo's Firewall. This is set to hide in the background so it cannot be shut down by a virus.

Also, SetPoint.exe is a Logitech Mouse driver isn't it?


So I don't have a root kit?

sorry, I'm on limited time so I couldn't do thorough research on that file. it looks like the google search just says that it has been falsely detected as a rootkit. i would just update the firewall and logitech mouse drivers to the latest version and see if the issue is resolved. sorry for the scare :)

Edited by k22
