Constantly Rebooting [DUMP LOG]

Use !analyze -v to get detailed debugging information.

BugCheck 1000008E, {c0000005, 85f675d0, ba52dcb0, 0}

Probably caused by : ntkrnlmp.exe ( nt!KiFastCallEntry+fc )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 85f675d0, The address that the exception occurred at
Arg3: ba52dcb0, Trap Frame
Arg4: 00000000

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx ". The memory could not be "%s ".

FAULTING_IP:
+ffffffff85f675d0
85f675d0 ?? ???

TRAP_FRAME: ba52dcb0 -- (.trap ffffffffba52dcb0)
Unable to read trap frame at ba52dcb0

CUSTOMER_CRASH_COUNT: 2

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x8E

LAST_CONTROL_TRANSFER: from 01befaec to 85f675d0

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
ba52dd20 01befaec ba52dd64 85f67532 ba52dd64 0x85f675d0
ba52dd30 804dd99f 00000420 00000000 00000000 0x1befaec
ba52dd30 7c90eb94 00000420 00000000 00000000 nt!KiFastCallEntry+0xfc
01befb00 00000000 00000000 00000000 00000000 0x7c90eb94


FOLLOWUP_IP:
nt!KiFastCallEntry+fc
804dd99f 8be5 mov esp,ebp

SYMBOL_STACK_INDEX: 2

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: nt!KiFastCallEntry+fc

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 42250f77

STACK_COMMAND: .trap ffffffffba52dcb0 ; kb

FAILURE_BUCKET_ID: 0x8E_nt!KiFastCallEntry+fc

BUCKET_ID: 0x8E_nt!KiFastCallEntry+fc

Followup: MachineOwner
---------

 

Here's another

1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 85f745d0, The address that the exception occurred at
Arg3: ba638cb0, Trap Frame
Arg4: 00000000

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx ". The memory could not be "%s ".

FAULTING_IP:
+ffffffff85f745d0
85f745d0 ?? ???

TRAP_FRAME: ba638cb0 -- (.trap ffffffffba638cb0)
Unable to read trap frame at ba638cb0

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x8E

LAST_CONTROL_TRANSFER: from 01c0faec to 85f745d0

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
ba638d20 01c0faec ba638d64 85f74532 ba638d64 0x85f745d0
ba638d30 804dd99f 00000528 00000000 00000000 0x1c0faec
ba638d30 7c90eb94 00000528 00000000 00000000 nt!KiFastCallEntry+0xfc
01c0fb00 00000000 00000000 00000000 00000000 0x7c90eb94


FOLLOWUP_IP:
nt!KiFastCallEntry+fc
804dd99f 8be5 mov esp,ebp

SYMBOL_STACK_INDEX: 2

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: nt!KiFastCallEntry+fc

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 42250f77

STACK_COMMAND: .trap ffffffffba638cb0 ; kb

FAILURE_BUCKET_ID: 0x8E_nt!KiFastCallEntry+fc

BUCKET_ID: 0x8E_nt!KiFastCallEntry+fc

Followup: MachineOwner
---------

 

Hi,

You don't post the module list of your debug report and it is very useful to diagnostic your problem. Probably your windows is infected with the virus called Backdoor.Rustock.
http://www.symantec.com/avcenter/venc/data/backdoor.rustock.html

 

cpc2004- could you elaborate on your diagnosis.. I'm not able to make the connection between the !analyze data and the virus you are referring to.

 

Hi Joe,

The problem owner does not provide the module list and I cannot confirm whether his windows has the module i386p or not. My comment is probably it is virus Backdoor.Rustock.

Refer the following problems, the symptom is very similar.

http://www.experts-exchange.com/Operating_Systems/WinXP/Q_21705735.html#15849369

http://www.techspot.com/vb/showthread.php?p=243702#post243702

I have another two cases relating the same virus and the symptoms are different.
http://www.experts-exchange.com/Operating_Systems/WinXP/Q_21707752.html#15774147
http://www.techspot.com/vb/topic42781.html

 

Actually he is right

I just did a search on a strange service that Spybot just found and it is tied to Backdoor.Rustock.

Thanks cpc2004