[SOLVED] BSOD can't figure out reason

Nov 28, 2021
Hi.


Please help me figure this out. I have tried to Google the various error codes found in WinDbg and BlueScreenView, but every result Google provides is related to different things.
I have been experiencing BSODs only recently, for about 2 months. It's not happening every day, but it's still quite annoying to face.
~2 weeks ago I also upgraded my MB and RAM and installed a fresh Win11, and the BSOD is still following me.

WinDbg log: https://pastebin.com/aFsZU7GJ

BlueScreenView shows problem in this line:
ntoskrnl.exe ntoskrnl.exe+2d6afe fffff80647600000 fffff80648648000 0x01048000 0x6f970119 29-Apr-29 17:26:33


My PC specs:
Windows 11 Home (21H2, 22000.675)
Asus ROG Strix B550-E
AMD Ryzen 5 3600
AORUS GeForce RTX™ 3060 Ti ELITE 8G (rev. 2.0)
G.Skill DIMM 32 GB DDR4-3600 F4-3600C16Q-32GTZNC
Deepcool DQ850-M-V2L, 850W, 80PLUS Gold


I will appreciate help in any way. If additional information is needed, please let me know and I will update the thread.
 
Windows compresses data in memory to save space. When it actually needs to access the info it has to decompress it. During the decompression the data was corrupted.
From the memory address used, it looks like a common driver problem.

you should put up the actual minidump so it can be inspected for driver names/dates
and windows files can be checked for modifications.

you can get the list of drivers in windbg by running the command
lmiftsm
you can run this command to look for modified windows core files:
!for_each_module !chkimg @#ModuleName
(this command will show an error for every non-Microsoft file)

inspecting the driver list, you would also remove any overclock driver.

you can run memtest86 to confirm that your memory timings are correct and there are no memory defects
 
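The reply above leans on the WinDbg module list (`lmiftsm`) to spot odd drivers by path and timestamp. The script below is an added example, not code from the thread or from any of its participants: it parses a saved `lm` listing and applies the same three checks by hand (loaded from outside the Windows directory, on a watch list of abusable driver names, or with an unusually old link time). The listing embedded in it is constructed for this example (only the MpKslDrv line has the shape the OP posted), the `$WatchList` is an illustrative list built from the driver names mentioned later in this thread rather than Microsoft's block list, and the function names are my own.

```powershell
# Added example, not part of the thread: triage a saved WinDbg module listing.
# In WinDbg, run "lmiftsm" and save the output to lm.txt, then feed it to
# ConvertFrom-WinDbgModuleList. The listing below is constructed for this
# example; only the MpKslDrv line has the shape the OP posted. The hex link
# time in parentheses is the authoritative timestamp; the text date is ignored.
$sampleListing = @'
fffff806`57ad0000 fffff806`57af8000   MpKslDrv \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{A9D91226-2432-4325-BA96-79F6C461F80C}\MpKslDrv.sys Sun Dec 14 06:05:57 2008 (49448625)
fffff806`60000000 fffff806`60010000   WinRing0x64 \SystemRoot\System32\drivers\WinRing0x64.sys Sat Jul 04 04:05:20 2020 (5F000000)
fffff806`60100000 fffff806`60130000   msio64 \??\C:\Program Files\VendorUtility\msio64.sys Sat Jul 04 04:05:20 2020 (5F000000)
fffff806`61000000 fffff806`61400000   cng \SystemRoot\System32\drivers\cng.sys Mon Jan 01 00:00:00 2018 (5A497A00)
'@

function ConvertFrom-WinDbgModuleList {
    param([Parameter(Mandatory)][string[]]$Lines)
    # start end name path <weekday> <month> <day> <hh:mm:ss> <year> (<hex link time>)
    $pattern = '^(?<start>[0-9a-f`]+)\s+(?<end>[0-9a-f`]+)\s+(?<name>\S+)\s+(?<path>.+?)\s+\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4} \((?<ts>[0-9A-Fa-f]{8})\)\s*$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            $epoch = [Convert]::ToInt64($Matches.ts, 16)
            [pscustomobject]@{
                Name     = $Matches.name
                Path     = $Matches.path
                FileName = ($Matches.path -split '[\\/]')[-1]
                LinkTime = [DateTimeOffset]::FromUnixTimeSeconds($epoch).UtcDateTime
            }
        }
    }
}

function Get-SuspectModules {
    param(
        [Parameter(Mandatory)][object[]]$Modules,
        # Illustrative watch list built from driver names mentioned in this thread;
        # Microsoft's recommended driver block rules are the real reference.
        [string[]]$WatchList = @('winring0x64.sys', 'winring0.sys', 'msio64.sys', 'msio.sys')
    )
    foreach ($m in $Modules) {
        $reasons = @()
        if ($m.Path -notmatch '^(\\SystemRoot\\|\\\?\?\\[A-Za-z]:\\Windows\\)') {
            $reasons += 'loaded from outside the Windows directory'
        }
        if ($WatchList -contains $m.FileName.ToLower()) {
            $reasons += 'known-abusable third-party driver'
        }
        # nt and hal carry a reproducible-build hash in the timestamp field rather
        # than a real date (hence the "29-Apr-29" in BlueScreenView), so skip them.
        if ($m.Name -notin @('nt', 'hal') -and $m.LinkTime -lt [datetime]'2015-01-01') {
            $reasons += "link time $($m.LinkTime.ToString('yyyy-MM-dd')) is unusually old"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Name = $m.Name; Path = $m.Path; Reasons = ($reasons -join '; ') }
        }
    }
}

$modules = ConvertFrom-WinDbgModuleList -Lines ($sampleListing -split "`r?`n")
# For a real dump: $modules = ConvertFrom-WinDbgModuleList -Lines (Get-Content .\lm.txt)
Get-SuspectModules -Modules $modules | Format-Table -AutoSize -Wrap
```

On the constructed listing this flags MpKslDrv (ProgramData path, 2008 link time), WinRing0x64 (watch list) and msio64 (watch list plus a Program Files path) and leaves cng alone. MpKslDrv is a legitimate Windows Defender scan driver that is always loaded from the Definition Updates folder, which is the point of the exercise: the flagged rows are candidates for hand inspection, not verdicts, and the ntoskrnl timestamp the OP saw is a build artifact rather than a sign of corruption.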
Thank you for your response!

you can get the list of drivers in windbg by running the command
lmiftsm

By running this command, the only thing that caught my eye was this. Could this be the source of my issue?
Code:
fffff806`57ad0000 fffff806`57af8000   MpKslDrv \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{A9D91226-2432-4325-BA96-79F6C461F80C}\MpKslDrv.sys Sun Dec 14 06:05:57 2008 (49448625)

!for_each_module !chkimg @#ModuleName
I'm not sure how to use this one, sorry.

Here's my minidump file.
https://drive.google.com/file/d/1aAvGmmFZSHOJJJi0zUt9l-35F-Q-YbXB/view?usp=sharing
 
The DISM command below will repair core Windows files.
Delete the page file to dump malware that hides in pagefile.sys.
Download RAMMap from here: https://docs.microsoft.com/en-us/sysinternals/downloads/rammap
Run it and find the menu items that say "Empty"; select them all
to clear out malware hiding in standby memory.

Try to figure out what tool you ran, and where you got it, that caused the infection. Try to remove the drivers you have that make it easy to infect your system.
----------
To fix the modified Windows files:
turn off Windows virtual memory, reboot (don't turn it back on yet),
run cmd.exe as an admin,
then run
dism.exe /online /cleanup-image /restorehealth

Download and run Autoruns
https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
Find the menu item to hide Microsoft entries and look at the list.

Disable suspect drivers that malware uses to get into your system:
see the Microsoft doc below.
Look in the Task Scheduler to see if something is running that should not be.

Now turn the virtual memory back on and reboot the system.

------------
Malware.
Your core Windows files have been modified. You have drivers installed that are easy to infect with malware, now that people have published tutorials on how to use these drivers to infect your system.

Here is a tutorial on how to use msio64.sys to infect your system

Here is a list of some of these drivers that Microsoft sees as vectors for malware:
https://docs.microsoft.com/en-us/wi...trol/microsoft-recommended-driver-block-rules
 
Solution
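The solution post above is a manual checklist: audit the installed drivers, look at Autoruns and the Task Scheduler for non-Microsoft entries, then repair the component store with DISM. The script below is an added example, not code from the thread or from any of its participants, that does the first two checks on the live machine from an elevated PowerShell: it walks every registered kernel driver, resolves the image to a file, checks its Authenticode status and signer, and flags anything outside the Windows directory or on a watch list, then lists scheduled tasks that do not live under the Microsoft task folder. `$WatchList` is an illustrative list of the driver names mentioned in this thread rather than Microsoft's block list, and the function names are my own.

```powershell
# Added example, not part of the thread: a first pass over the solution post's
# checklist (drivers, then scheduled tasks) on the live machine. Run from an
# elevated PowerShell. $WatchList is an illustrative list of driver names
# mentioned in this thread; Microsoft's recommended driver block rules are the
# real reference and should be consulted for anything this flags.
$WatchList = @('winring0x64.sys', 'winring0.sys', 'msio64.sys', 'msio.sys')

function Resolve-DriverPath {
    param([string]$PathName)
    # Service image paths arrive in NT form; normalise to a Win32 path we can open.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^system32\\', "$env:SystemRoot\System32\"
    return $p
}

function Get-DriverAudit {
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $file = Resolve-DriverPath $_.PathName
        $sig = $null
        if ($file -and (Test-Path -LiteralPath $file)) {
            # Catalog-signed Windows drivers report Valid here as well as embedded signatures.
            $sig = Get-AuthenticodeSignature -LiteralPath $file
        }
        $reasons = @()
        if (-not $sig) {
            $reasons += 'image not found on disk'
        } elseif ($sig.Status -ne 'Valid') {
            $reasons += "signature status $($sig.Status)"
        } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            # WHQL/attestation-signed vendor drivers carry a Microsoft signer, so this
            # only separates out drivers signed directly by a third party.
            $reasons += "third-party signer: $($sig.SignerCertificate.Subject)"
        }
        if ($file -notlike "$env:SystemRoot\*") { $reasons += 'outside the Windows directory' }
        if ($file -and ($WatchList -contains ([IO.Path]::GetFileName($file).ToLower()))) {
            $reasons += 'known-abusable driver, check the driver block rules'
        }
        [pscustomobject]@{
            Name    = $_.Name
            State   = $_.State
            Start   = $_.StartMode
            File    = $file
            Reasons = ($reasons -join '; ')
        }
    }
}

function Get-NonMicrosoftTasks {
    # Everything outside \Microsoft\ is worth a look; vendor utilities and
    # RGB/overclock tools register themselves here.
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        [pscustomobject]@{
            Task    = "$($_.TaskPath)$($_.TaskName)"
            State   = $_.State
            Author  = $_.Author
            Command = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join ' | '
        }
    }
}

Get-DriverAudit | Where-Object Reasons | Sort-Object File | Format-Table -AutoSize -Wrap
Get-NonMicrosoftTasks | Format-Table -AutoSize -Wrap

# Repair step from the solution post, from the same elevated shell once the
# page file has been turned off and the machine rebooted:
#   dism.exe /online /cleanup-image /restorehealth
# sfc /scannow afterwards re-verifies the protected files against the repaired store.
```

Expect a long list of third-party-signed rows on a gaming board with vendor utilities installed; the rows to chase first are the ones that combine a watch-list name or a signature status other than Valid with a start mode of Auto or Boot. The task listing is a cheap stand-in for the Autoruns "Hide Microsoft entries" view, not a replacement for it, since Autoruns also covers services, drivers, WMI subscriptions and shell extensions.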
Thank you for your time and effort! I appreciate it.

The DISM command below will repair core Windows files.
Delete the page file to dump malware that hides in pagefile.sys.
Download RAMMap from here: https://docs.microsoft.com/en-us/sysinternals/downloads/rammap
Run it and find the menu items that say "Empty"; select them all
to clear out malware hiding in standby memory.
Did it.


To fix the modified Windows files:
turn off Windows virtual memory, reboot (don't turn it back on yet),
run cmd.exe as an admin,
then run
dism.exe /online /cleanup-image /restorehealth
Did it.

Download and run Autoruns
https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
Find the menu item to hide Microsoft entries and look at the list.

Disable suspect drivers that malware uses to get into your system:
see the Microsoft doc below.
Look in the Task Scheduler to see if something is running that should not be.
Quite unsure about this one. Everything looks fine-ish by my eyes.
(screenshots attached: WwYFDrR.png, haKg87E.png)

Malware.
Your core Windows files have been modified. You have drivers installed that are easy to infect with malware, now that people have published tutorials on how to use these drivers to infect your system.
I can't really wrap my head around how I could have managed this, since I try to take care of my security. I am way past the time when I downloaded torrents, cracked games and software, pirated Windows, etc.
The more I learn, the less I understand about the computer world; it always kind of amazes me how huge it actually is. It seems a bit weird to me that this problem followed me even after getting a new MB+RAM and a fresh Windows, leaving all old files behind.

Thank you, again, for your time and help with my issue.
 
Well, I see a lot of problems with the files you have shown.

Think of Asus Armoury Crate as one big rootkit that places files on your system before Windows boots. I would disable it in the BIOS, reboot, delete the files and remove the tasks from the Task Scheduler.
Then start removing the hackable drivers that come with free tools,
i.e. the WinRing0 driver on your system and the msio driver. I would even suspect any of the drivers that come from the motherboard vendor. Do not install their utility drivers or drivers that control LEDs.

The best way to hack a system now is to focus on the custom motherboard drivers that do not come with Windows. People run free tools that hackers add malware to and put on the web as free downloads. Even sites that just collect the tools for you can have custom hacks in them.

I think Microsoft has made it so they can ban certain drivers in an enterprise Windows. I think they will start to allow this on non-enterprise versions at some point, but the motherboard vendors will get upset.

At some point Windows should not allow modified core files to load, or at least should log a warning that the file has been modified. In old versions of Windows it was OK (Windows 7 days).

The problem will not be fixed as long as the motherboard vendors try to outdo each other using poorly written drivers. Windows can detect these drivers, but as a general policy they basically will not update them or remove them. This is why they are pushing the driver ban list for Windows Defender. You would have to opt in to ban a driver (a feature in the enterprise version).