Constantly Rebooting [DUMP LOG]

Discussion in 'Windows Server System' started by jkimery, 2006/02/02.

  1. 2006/02/02
    jkimery

    jkimery Inactive Thread Starter

    Use !analyze -v to get detailed debugging information.

    BugCheck 1000008E, {c0000005, 85f675d0, ba52dcb0, 0}

    Probably caused by : ntkrnlmp.exe ( nt!KiFastCallEntry+fc )

    Followup: MachineOwner
    ---------

    0: kd> !analyze -v
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
    This is a very common bugcheck. Usually the exception address pinpoints
    the driver/function that caused the problem. Always note this address
    as well as the link date of the driver/image that contains this address.
    Some common problems are exception code 0x80000003. This means a hard
    coded breakpoint or assertion was hit, but this system was booted
    /NODEBUG. This is not supposed to happen as developers should never have
    hardcoded breakpoints in retail code, but ...
    If this happens, make sure a debugger gets connected, and the
    system is booted /DEBUG. This will let us see why this breakpoint is
    happening.
    Arguments:
    Arg1: c0000005, The exception code that was not handled
    Arg2: 85f675d0, The address that the exception occurred at
    Arg3: ba52dcb0, Trap Frame
    Arg4: 00000000

    Debugging Details:
    ------------------


    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx ". The memory could not be "%s ".

    FAULTING_IP:
    +ffffffff85f675d0
    85f675d0 ?? ???

    TRAP_FRAME: ba52dcb0 -- (.trap ffffffffba52dcb0)
    Unable to read trap frame at ba52dcb0

    CUSTOMER_CRASH_COUNT: 2

    DEFAULT_BUCKET_ID: DRIVER_FAULT

    BUGCHECK_STR: 0x8E

    LAST_CONTROL_TRANSFER: from 01befaec to 85f675d0

    STACK_TEXT:
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    ba52dd20 01befaec ba52dd64 85f67532 ba52dd64 0x85f675d0
    ba52dd30 804dd99f 00000420 00000000 00000000 0x1befaec
    ba52dd30 7c90eb94 00000420 00000000 00000000 nt!KiFastCallEntry+0xfc
    01befb00 00000000 00000000 00000000 00000000 0x7c90eb94


    FOLLOWUP_IP:
    nt!KiFastCallEntry+fc
    804dd99f 8be5 mov esp,ebp

    SYMBOL_STACK_INDEX: 2

    FOLLOWUP_NAME: MachineOwner

    SYMBOL_NAME: nt!KiFastCallEntry+fc

    MODULE_NAME: nt

    IMAGE_NAME: ntkrnlmp.exe

    DEBUG_FLR_IMAGE_TIMESTAMP: 42250f77

    STACK_COMMAND: .trap ffffffffba52dcb0 ; kb

    FAILURE_BUCKET_ID: 0x8E_nt!KiFastCallEntry+fc

    BUCKET_ID: 0x8E_nt!KiFastCallEntry+fc

    Followup: MachineOwner
    ---------
     
  2. 2006/02/02
    jkimery

    jkimery Inactive Thread Starter

    Here's another

    1: kd> !analyze -v
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
    This is a very common bugcheck. Usually the exception address pinpoints
    the driver/function that caused the problem. Always note this address
    as well as the link date of the driver/image that contains this address.
    Some common problems are exception code 0x80000003. This means a hard
    coded breakpoint or assertion was hit, but this system was booted
    /NODEBUG. This is not supposed to happen as developers should never have
    hardcoded breakpoints in retail code, but ...
    If this happens, make sure a debugger gets connected, and the
    system is booted /DEBUG. This will let us see why this breakpoint is
    happening.
    Arguments:
    Arg1: c0000005, The exception code that was not handled
    Arg2: 85f745d0, The address that the exception occurred at
    Arg3: ba638cb0, Trap Frame
    Arg4: 00000000

    Debugging Details:
    ------------------


    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx ". The memory could not be "%s ".

    FAULTING_IP:
    +ffffffff85f745d0
    85f745d0 ?? ???

    TRAP_FRAME: ba638cb0 -- (.trap ffffffffba638cb0)
    Unable to read trap frame at ba638cb0

    CUSTOMER_CRASH_COUNT: 1

    DEFAULT_BUCKET_ID: DRIVER_FAULT

    BUGCHECK_STR: 0x8E

    LAST_CONTROL_TRANSFER: from 01c0faec to 85f745d0

    STACK_TEXT:
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    ba638d20 01c0faec ba638d64 85f74532 ba638d64 0x85f745d0
    ba638d30 804dd99f 00000528 00000000 00000000 0x1c0faec
    ba638d30 7c90eb94 00000528 00000000 00000000 nt!KiFastCallEntry+0xfc
    01c0fb00 00000000 00000000 00000000 00000000 0x7c90eb94


    FOLLOWUP_IP:
    nt!KiFastCallEntry+fc
    804dd99f 8be5 mov esp,ebp

    SYMBOL_STACK_INDEX: 2

    FOLLOWUP_NAME: MachineOwner

    SYMBOL_NAME: nt!KiFastCallEntry+fc

    MODULE_NAME: nt

    IMAGE_NAME: ntkrnlmp.exe

    DEBUG_FLR_IMAGE_TIMESTAMP: 42250f77

    STACK_COMMAND: .trap ffffffffba638cb0 ; kb

    FAILURE_BUCKET_ID: 0x8E_nt!KiFastCallEntry+fc

    BUCKET_ID: 0x8E_nt!KiFastCallEntry+fc

    Followup: MachineOwner
    ---------
     

  4. 2006/02/02
    cpc2004

    cpc2004 Inactive

  5. 2006/02/03
    JoeHobart

    JoeHobart Inactive Alumni

    cpc2004, could you elaborate on your diagnosis? I'm not able to make the connection between the !analyze data and the virus you are referring to.
     
  6. 2006/02/03
    cpc2004

    cpc2004 Inactive

    Hi Joe,

    The problem owner does not provide the module list and I cannot confirm whether his Windows has the module i386p or not. My comment is that it is probably the virus Backdoor.Rustock.

    Refer to the following problems; the symptoms are very similar.

    http://www.experts-exchange.com/Operating_Systems/WinXP/Q_21705735.html#15849369

    http://www.techspot.com/vb/showthread.php?p=243702#post243702

    I have another two cases relating to the same virus, and the symptoms are different.
    http://www.experts-exchange.com/Operating_Systems/WinXP/Q_21707752.html#15774147
    http://www.techspot.com/vb/topic42781.html
     
    Last edited: 2006/02/03
  7. 2006/02/03
    jkimery

    jkimery Inactive Thread Starter

    Actually he is right

    I just did a search on a strange service that Spybot just found and it is tied to Backdoor.Rustock.

    Thanks cpc2004
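
An added triage example, not part of any post in this thread: it parses the STACK_TEXT rows of the two dumps above, flags frames executing at a kernel-range address with no module!symbol (the condition behind the debugger's "Frame IP not in any known module" warning), and compares the page offset of the two faulting addresses. The 0x80000000 kernel boundary is an assumption (default 32-bit address split); the function names are hypothetical.

```python
import re

# Excerpts copied from the two !analyze -v outputs posted in this thread.
DUMP_1 = """\
Arg2: 85f675d0, The address that the exception occurred at
STACK_TEXT:
ba52dd20 01befaec ba52dd64 85f67532 ba52dd64 0x85f675d0
ba52dd30 804dd99f 00000420 00000000 00000000 0x1befaec
ba52dd30 7c90eb94 00000420 00000000 00000000 nt!KiFastCallEntry+0xfc
01befb00 00000000 00000000 00000000 00000000 0x7c90eb94
"""
DUMP_2 = """\
Arg2: 85f745d0, The address that the exception occurred at
STACK_TEXT:
ba638d20 01c0faec ba638d64 85f74532 ba638d64 0x85f745d0
ba638d30 804dd99f 00000528 00000000 00000000 0x1c0faec
ba638d30 7c90eb94 00000528 00000000 00000000 nt!KiFastCallEntry+0xfc
01c0fb00 00000000 00000000 00000000 00000000 0x7c90eb94
"""

KERNEL_BASE = 0x80000000  # assumption: default 2 GB user / 2 GB kernel split
# ChildEBP, RetAddr, three args, then the call site (symbol or raw address).
FRAME = re.compile(
    r"^[ \t]*[0-9a-f]{8} [0-9a-f]{8} (?:[0-9a-f]{8} ){3}(\S+)[ \t]*$", re.M)

def fault_address(text):
    """Bugcheck Arg2: the address the unhandled exception occurred at."""
    m = re.search(r"^[ \t]*Arg2:\s*([0-9a-f]{8})", text, re.M)
    return int(m.group(1), 16) if m else None

def unbacked_kernel_frames(text):
    """Kernel-range call sites the debugger could not map to module!symbol."""
    hits = []
    for site in FRAME.findall(text):
        if site.startswith("0x") and "!" not in site:
            addr = int(site, 16)
            if addr >= KERNEL_BASE:
                hits.append(addr)
    return hits

def triage(text):
    """Summarise whether the fault itself sits in unmapped kernel code."""
    fault, hits = fault_address(text), unbacked_kernel_frames(text)
    return {"fault": fault, "unbacked": hits, "fault_unbacked": fault in hits}

def same_page_offset(a, b):
    """True when two addresses share their low 12 bits (offset in a 4 KB page)."""
    return (a & 0xFFF) == (b & 0xFFF)
```

A hit here is a reason to pull the loaded module list (`lm` in the debugger) and look for a driver that does not belong, which is the information cpc2004 notes was missing; it is not a malware verdict by itself.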
     
