BSOD after new Windows 10 install

Dec 4, 2018
Hello All,

I'm new here. Well, not really new. I've been reading on this forum for years. I'm trying to help get my father-in-law's computer going. He had it built in 2009. I guess it has always had intermittent BSODs. They have recently gotten worse. Motherboard is an Intel DP55KG. I've replaced the power supply with an Antec HCG650, the RAM with 2x G.Skill Ripjaws X DDR3-1600 CL 8-8-8-24 (8 GB total), and the HDD with a 1 TB Samsung 860 EVO SSD. I just recently installed the SSD. I disconnected all previous drives, installed the SSD, and installed brand new Windows 10 to it from a flash drive. BSODs are still about 5x per day during idle and usage. I'm sure it has to be either the motherboard or the graphics card (ATI Radeon HD 5750). Is there a way to determine which it is, or should I just replace one and, if that doesn't work, replace the other? I have WhoCrashed and BlueScreenView if crash info helps.
 
Looks like various other key files have been modified also:
files that hold network-related functions, the storage driver, and files that load Windows Driver Framework drivers.

I would just do a clean reinstall from a clean updated windows image.

-----------
Looks like your win32k has been infected.
5769 errors : win32k (ffffb424f635bfff-ffffb424f635e097)

When I look up win32k!NtGdiSetDIBitsToDeviceInternal,
I see info on how to hack the function, written in Russian and Chinese (as far as I can tell). You had some user-mode program try to call this function. You can stop the program, but your win32k file would still have to be repaired.

You might want to do a repair of your Windows install. Maybe the dism.exe command will repair the file, but you will still need to find out how the change was made. Often the fastest fix is to reinstall Windows from a current clean install image.

Since the function called is a graphics function, I would remove the
GlarySoft Glary Utilities Startup Manager Tool driver
GUBootStartup.sys; it might be making the bad call.

You can use Autoruns from here to stop the driver from being loaded when Windows starts up.
https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

Delete it, reboot, then start cmd.exe as an admin and run
dism.exe /online /cleanup-image /restorehealth

It might fix the win32k.sys file.
I will see if there is something else that shows up in the debugger; it's running very slowly for some reason.

 
The System File Checker can work, but malware often corrupts the file that it uses to do the fix, so the fix fails.
The dism.exe command is recommended for Windows 8 and above since it gets the files from the Windows Update server, so they will not have been modified.
On Windows 7, when SFC fails you will have to provide a repair image to do the repair.
 
Right. But the point is in determining if in fact the files are corrupted, not why.

Before you can solve the problem, the scope of it needs to be more defined.

Personally, I think this is a HW related issue. The bit stream is getting corrupted at either the CPU, RAM, or storage controller as data is fetched from LBA.
 
The changes to the win32k were very directed.
For example, here is the first change seen in the win32 kernel.
Expected code:
_____________________________________________
win32k!W32pServiceTable+0xfff:
ffffb424`f635bfff 00a64f0000b8 add byte ptr [rsi-47FFFFB1h],ah
ffffb424`f635c005 4f0000 add byte ptr [r8],r8b
ffffb424`f635c008 6e outs dx,byte ptr [rsi]
ffffb424`f635c009 810000ca4f00 add dword ptr [rax],4FCA00h
ffffb424`f635c00f 00dc add ah,bl
ffffb424`f635c011 4f0000 add byte ptr [r8],r8b
ffffb424`f635c014 ee out dx,al
ffffb424`f635c015 4f0000 add byte ptr [r8],r8b
ffffb424`f635c018 005000 add byte ptr [rax],dl
ffffb424`f635c01b 0012 add byte ptr [rdx],dl
ffffb424`f635c01d 50 push rax
ffffb424`f635c01e 0000 add byte ptr [rax],al
ffffb424`f635c020 2450 and al,50h
ffffb424`f635c022 0000 add byte ptr [rax],al
ffffb424`f635c024 3650 push rax
ffffb424`f635c026 0000 add byte ptr [rax],al
ffffb424`f635c028 4850 push rax
ffffb424`f635c02a 0000 add byte ptr [rax],al
ffffb424`f635c02c 5a pop rdx
ffffb424`f635c02d 50 push rax
ffffb424`f635c02e 0000 add byte ptr [rax],al
ffffb424`f635c030 6c ins byte ptr [rdi],dx
ffffb424`f635c031 50 push rax
ffffb424`f635c032 0000 add byte ptr [rax],al
ffffb424`f635c034 7e50 jle win32k!W32pServiceTable+0x1086 (ffffb424`f635c086) Branch
__________________________________________

and here was what was in the actual image:

ffffb424`f635bfff ff60fa jmp qword ptr [rax-6]
-----------------------------------------------------------------------
It just passes off execution to the address in the register.

There are 8344 bytes modified, all in the various functions of win32k!W32pServiceTable.

Just due to the nature of the changes, I don't think it is a hardware problem but a directed change to the code:
a method to call a win32 kernel function and have control passed to the address put in a register.

This is the function as it was in the memory of the machine rather than the file on disk; it was what is actually being executed.


Normally, you would want to find and block whatever program made the changes. Then run the dism command to repair any files on disk, delete the pagefile.sys, create a new one, then do a full shutdown to force Windows to reload the file images from disk and redo its compression.
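One way to check a listing like the one above for a planted jump, as an added example that is not code from this thread or from any Microsoft tool: it parses WinDbg-style `address bytes mnemonic` lines for the expected (on-disk) and actual (in-memory) code, reports the modified address range, and flags when the patch begins with an indirect `jmp`, the shape the post describes. The listings are constructed from the few bytes quoted in the thread, not the full modified run.

```python
import re

# Constructed from the WinDbg listing quoted in the thread (not the full 8344-byte run).
EXPECTED_LISTING = """\
ffffb424`f635bfff 00a64f0000b8 add byte ptr [rsi-47FFFFB1h],ah
ffffb424`f635c005 4f0000 add byte ptr [r8],r8b
ffffb424`f635c008 6e outs dx,byte ptr [rsi]
"""
ACTUAL_LISTING = "ffffb424`f635bfff ff60fa jmp qword ptr [rax-6]\n"

# WinDbg "u" output: <hi8>`<lo8> <hex bytes> <mnemonic ...>
LINE_RE = re.compile(r"^([0-9a-f]{8})`([0-9a-f]{8})\s+([0-9a-f]+)\s+(.*)$")


def parse_listing(text):
    """Return (base_address, bytes) for one contiguous WinDbg listing."""
    base, buf = None, bytearray()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # separator and prose lines are ignored
        addr = int(m.group(1) + m.group(2), 16)
        base = addr if base is None else base
        if addr != base + len(buf):
            raise ValueError(f"listing is not contiguous at {addr:#x}")
        buf += bytes.fromhex(m.group(3))
    return base, bytes(buf)


def is_indirect_jmp(code):
    """True if code starts with FF /4, i.e. 'jmp qword ptr [reg+disp]' (ModRM reg field == 4)."""
    return len(code) >= 2 and code[0] == 0xFF and (code[1] >> 3) & 7 == 4


def diff_code(expected_text, actual_text):
    """Compare the overlapping bytes; return a report dict, or None if identical."""
    exp_base, exp = parse_listing(expected_text)
    act_base, act = parse_listing(actual_text)
    if exp_base != act_base:
        raise ValueError("listings start at different addresses")
    n = min(len(exp), len(act))  # bytes outside the overlap are unknown, not 'clean'
    changed = [i for i in range(n) if exp[i] != act[i]]
    if not changed:
        return None
    return {
        "start": exp_base + changed[0],
        "end": exp_base + changed[-1],
        "bytes_changed": len(changed),
        # an indirect jump over a function's first bytes hands execution to
        # whatever address a register holds, which is what the post describes
        "indirect_jmp": is_indirect_jmp(act[changed[0]:]),
    }


if __name__ == "__main__":
    print(diff_code(EXPECTED_LISTING, ACTUAL_LISTING))
```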
 
If malware (rootkit) is suspect here, then the quickest path would be to backup the system and perform a "nuke-and-pave" from a fresh copy of Windows 10 created via the Windows Media Creation Tool on a new 8GB USB thumb drive.

Just to rule out being rooted, I'd recommend booting from the new USB thumb drive and performing a DISKPART CLEAN command against the internal drive. Then proceed to install Windows 10 again.
 
This system is a new installation of Windows 10 on a new Samsung 860 EVO 1TB SSD in which I used a Windows 10 USB drive and the Windows Media Creation Tool. The problem was present on the old HDD with Windows 7 also. Do you still think a fresh install would help? I had 2 BSODs today. One read Whea_Uncorrectable_Error, but didn't leave any .dmp files. For the other BSOD I uploaded the mini.dmp and memory.dmp into the drive folder. They're in the folder with today's date.
 
I've uploaded two new folders on Drive. Can someone look at them and let me know if there is any more I can do? Also, I got one yesterday that didn't generate any report. The screen said Clock_Watchdog_Timeout. The research I did led me to believe it could be the CPU. Is there a chance all this could be the processor? Would the motherboard going bad give the same code?

https://drive.google.com/drive/folders/16IBzJr7K9JK4bnFhud8Jpb8mA0d-PAGb?usp=sharing