ZarathosNY
2008-08-10, 17:43
Hi,
When I run Spybot my system immediately crashes. I'm running version 1.5.2 with XP Service Pack 3. If I boot it in safe mode, it runs fine and detects no infections. I've also run Ad-Aware and Superantispyware and have the same problem. I've run WinDbg and this is the result:
Microsoft (R) Windows Debugger Version 6.9.0003.113 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\WINDOWS\Minidump\Mini081008-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp.080413-2111
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Sun Aug 10 10:42:33.984 2008 (GMT-4)
System Uptime: 0 days 1:50:52.698
Loading Kernel Symbols
.................................................................................................................................
Loading User Symbols
Loading unloaded module list
...............
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1000008E, {c0000005, 806373f1, aa684a64, 0}
Unable to load image SYMEVENT.SYS, Win32 error 0n2
*** WARNING: Unable to verify timestamp for SYMEVENT.SYS
*** ERROR: Module load completed but symbols could not be loaded for SYMEVENT.SYS
Probably caused by : SYMEVENT.SYS ( SYMEVENT+121dd )
Followup: MachineOwner
---------
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 806373f1, The address that the exception occurred at
Arg3: aa684a64, Trap Frame
Arg4: 00000000
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
FAULTING_IP:
nt!HvpGetCellMapped+5f
806373f1 8b4304 mov eax,dword ptr [ebx+4]
TRAP_FRAME: aa684a64 -- (.trap 0xffffffffaa684a64)
ErrCode = 00000000
eax=00000f00 ebx=00000f00 ecx=867ba518 edx=00000003 esi=e1035758 edi=0000004c
eip=806373f1 esp=aa684ad8 ebp=aa684b20 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!HvpGetCellMapped+0x5f:
806373f1 8b4304 mov eax,dword ptr [ebx+4] ds:0023:00000f04=????????
Resetting default scope
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x8E
PROCESS_NAME: SpybotSD.exe
LAST_CONTROL_TRANSFER: from 80640133 to 806373f1
STACK_TEXT:
aa684b20 80640133 e1035758 006f004c 00000000 nt!HvpGetCellMapped+0x5f
aa684b3c 8064022f e1035758 e67839d4 00000000 nt!CmpGetValueKeyFromCache+0x4d
aa684b98 806315aa e1035758 e1a1c8ec aa684c04 nt!CmpFindValueByNameFromCache+0x65
aa684bf8 80621c8a e1a1c8c8 020a0016 7ffd6c00 nt!CmQueryValueKey+0x96
aa684ca0 ae1a01dd 00000390 7ffd6bf8 00000002 nt!NtQueryValueKey+0x2cc
WARNING: Stack unwind information not available. Following frames may be wrong.
aa684d44 8054161c 00000390 7ffd6bf8 00000002 SYMEVENT+0x121dd
aa684d44 00000001 00000390 7ffd6bf8 00000002 nt!KiFastCallEntry+0xfc
0000f518 00000000 00000000 00000000 00000000 0x1
STACK_COMMAND: kb
FOLLOWUP_IP:
SYMEVENT+121dd
ae1a01dd ?? ???
SYMBOL_STACK_INDEX: 5
SYMBOL_NAME: SYMEVENT+121dd
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: SYMEVENT
IMAGE_NAME: SYMEVENT.SYS
DEBUG_FLR_IMAGE_TIMESTAMP: 450f3f43
FAILURE_BUCKET_ID: 0x8E_SYMEVENT+121dd
BUCKET_ID: 0x8E_SYMEVENT+121dd
Followup: MachineOwner
---------
Thanks,
Chris