Hi,
Updating drivers has narrowed the "attack surface" down.
The last 5 out of 6 dumps are due to a page fault...
ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY
This indicates that an attempt was made to execute non-executable memory.
None of these dumps directly points to the guilty driver; the frame marked in red below is just before the fault occurs:
Code:
4: kd> kv
Child-SP          RetAddr           : Args to Child                                                           : Call Site
ffffd000`afeacc28 fffff800`fb232ee8 : 00000000`000000fc ffffe000`274c5250 80000002`8cd5b963 ffffd000`afeace70 : nt!KeBugCheckEx
ffffd000`afeacc30 fffff800`fb283e4e : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0x4cd28
ffffd000`afeacc70 fffff800`fb1f8a11 : ffffd000`af040180 ffffd000`afeacd00 ffffe000`262d2880 00000000`00000000 : nt!MiRaisedIrqlFault+0x152
ffffd000`afeaccb0 fffff800`fb1dff2f : 00000000`00000008 ffffd000`af040180 00000000`80000300 fffff800`bec00000 : nt! ?? ::FNODOBFM::`string'+0x12851
[COLOR=#0000cd]ffffd000`afeace70 ffffe000`274c5250 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 :[/COLOR] [COLOR=#0000cd]nt!KiPageFault+0x12f (TrapFrame @ ffffd000`afeace70)[/COLOR]
[COLOR=#ff0000]ffffd000`afead000 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0xffffe000`274c5250[/COLOR]
4: kd> !pte 800000028cd5b963
VA 800000028cd5b963
PXE at FFFFF6FB7DBED000 PPE at FFFFF6FB7DA00050 PDE at FFFFF6FB4000A330 PTE at FFFFF68001466AD8
Unable to get PPE FFFFF6FB7DA00050
[COLOR=#ff8c00]WARNING: noncanonical VA, accesses will fault ![/COLOR]
[COLOR=#006400]// Note: VA stands for "Valid" and "Accessed" [/COLOR]
4: kd> .trap ffffd000`afeace70
[COLOR=#0000cd]NOTE: The trap frame does not contain all registers.[/COLOR]
[COLOR=#0000cd]Some register values may be zeroed or incorrect.[/COLOR]
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000004
rdx=0000000206f93000 rsi=0000000000000000 rdi=0000000000000000
rip=ffffe000274c5250 rsp=ffffd000afead000 rbp=0000000000000000
r8=0000000000000000 r9=0000000000000004 r10=0000000000000000
r11=fffff800fb1e288f r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up di pl zr na pe nc
ffffe000`274c5250 0100 [COLOR=#ff0000]add dword ptr [rax],eax ds:00000000`00000000=????????[/COLOR]
PAGE_FAULT_IN_NONPAGED_AREA
This indicates that invalid system memory has been referenced
Hopefully this time the guilty driver has been caught.
Code:
10: kd> kv
Child-SP          RetAddr           : Args to Child                                                           : Call Site
ffffd001`8b71ba78 fffff803`377f805e : 00000000`00000050 ffffffff`ffffffff 00000000`00000001 ffffd001`8b71bce0 : nt!KeBugCheckEx
ffffd001`8b71ba80 fffff803`376cb839 : 00000000`00000001 ffffe001`a2e2a040 ffffd001`8b71bce0 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0x1ee9e
ffffd001`8b71bb20 fffff803`377d2f2f : 00000000`00000001 00000000`c0000001 00000000`00000000 00000000`00000000 : nt!MmAccessFault+0x769
[COLOR=#0000cd]ffffd001`8b71bce0 fffff800`d19ce71b : fffff800`d19c46a9 00000000`80000301 fffff800`d19ac000 ffffe001`a56e1480 : nt!KiPageFault+0x12f (TrapFrame @ ffffd001`8b71bce0)[/COLOR]
ffffd001`8b71be78 fffff800`d19c46a9 : 00000000`80000301 fffff800`d19ac000 ffffe001`a56e1480 ffffd001`8b71bf78 : [COLOR=#ff0000]aswVmm+0x2271b[/COLOR]
[COLOR=#ff0000]ffffd001`8b71be80 00000000`80000301 : fffff800`d19ac000 ffffe001`a56e1480 ffffd001`8b71bf78 ffffd001`8b71bf78 : aswVmm+0x186a9[/COLOR]
ffffd001`8b71be88 fffff800`d19ac000 : ffffe001`a56e1480 ffffd001`8b71bf78 ffffd001`8b71bf78 fffff800`d19bcdeb : 0x80000301
[COLOR=#ff0000]ffffd001`8b71be90 ffffe001`a56e1480 : ffffd001`8b71bf78 ffffd001`8b71bf78 fffff800`d19bcdeb ffffd001`8a72a180 : aswVmm[/COLOR]
ffffd001`8b71be98 ffffd001`8b71bf78 : ffffd001`8b71bf78 fffff800`d19bcdeb ffffd001`8a72a180 fffff803`377cbf33 : 0xffffe001`a56e1480
ffffd001`8b71bea0 ffffd001`8b71bf78 : fffff800`d19bcdeb ffffd001`8a72a180 fffff803`377cbf33 ffffe001`a56e1480 : 0xffffd001`8b71bf78
ffffd001`8b71bea8 fffff800`d19bcdeb : ffffd001`8a72a180 fffff803`377cbf33 ffffe001`a56e1480 00000000`00000003 : 0xffffd001`8b71bf78
[COLOR=#ff0000]ffffd001`8b71beb0 ffffd001`8a72a180 : fffff803`377cbf33 ffffe001`a56e1480 00000000`00000003 ffffd001`8b71bf58 : aswVmm+0x10deb[/COLOR]
ffffd001`8b71beb8 fffff803`377cbf33 : ffffe001`a56e1480 00000000`00000003 ffffd001`8b71bf58 00000000`00000000 : 0xffffd001`8a72a180
ffffd001`8b71bec0 ffffd001`8b71bff8 : 00000000`00000000 00000000`00000000 00000000`00000246 00000000`00000000 : nt!SwapContext_PatchLdtBypass+0x7
ffffd001`8b71bf00 00000000`00000000 : 00000000`00000000 00000000`00000246 00000000`00000000 ffffe001`a56f67a0 : 0xffffd001`8b71bff8
10: kd> .trap ffffd001`8b71bce0
[COLOR=#0000cd]NOTE: The trap frame does not contain all registers.[/COLOR]
[COLOR=#0000cd]Some register values may be zeroed or incorrect.[/COLOR]
rax=ffffffffffffffff rbx=0000000000000000 rcx=0000000000000001
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800d19ce71b rsp=ffffd0018b71be78 rbp=ffffd0018a754b01
r8=000000000000044f r9=0101010101010101 r10=000000c34b792bf8
r11=0000000000000001 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up di pl nz ac pe nc
aswVmm+0x2271b:
fffff800`d19ce71b 488910 [COLOR=#ff0000]mov qword ptr [rax],rdx ds:ffffffff`ffffffff=????????????????[/COLOR]
10: kd> lmvm aswVmm
start end module name
fffff800`d19ac000 fffff800`d19f0000 aswVmm T (no symbols)
Loaded symbol image file: aswVmm.sys
[COLOR=#ff0000] Image path: \SystemRoot\System32\Drivers\aswVmm.sys[/COLOR]
[COLOR=#ff0000] Image name: aswVmm.sys[/COLOR]
Timestamp: Fri Mar 20 12:57:07 2015 (550C0B13)
CheckSum: 00047A9F
ImageSize: 00044000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
The above driver belongs to Avast! antivirus and is known to produce BSODs, therefore it should be removed from the system, at least while we track this issue down.
During that time I would recommend using the built-in Windows Defender, which will auto-enable itself upon Avast removal.
Update Windows, which will in turn update Windows Defender.
Please note that conventional removal might not work in some cases, therefore the safest way is to use the
Avast removal utility
And of course share the new results; try to reproduce the BSOD.
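The two attributions above (a return address that resolves to aswVmm+0x2271b versus a rip that resolves to no loaded image at all) are the whole basis of the diagnosis, and doing them by hand across a pile of dumps gets tedious. The script below is an added example for this thread, not something from the original post or from the debugger: it parses module ranges in the format `lm` prints, attributes raw addresses to module+offset the way WinDbg does, and decodes the two bugcheck 0xFC arguments from the first dump (argument 1 is the virtual address that was about to execute, argument 2 is the PTE contents). The aswVmm range is copied from the `lmvm` output above; the nt range is a constructed placeholder, and the PTE bit positions are the standard x64 hardware layout, so the 0x80000002`8cd5b963 value decodes as a valid, writable, NX-marked page, which is exactly what bugcheck 0xFC complains about. Note that the value the post fed to `!pte` is this PTE contents, not a virtual address, which is why the debugger reported it as noncanonical; the `is_canonical` check reproduces that warning.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Module ranges as printed by WinDbg `lm` (start, end, name). The aswVmm line
# is copied from the post; the nt line is a constructed placeholder range.
LM_TEXT = """\
fffff800`d19ac000 fffff800`d19f0000   aswVmm     T (no symbols)
fffff803`37600000 fffff803`37e00000   nt         (pdb symbols)
"""

# Return addresses taken from the two `kv` listings in the post.
RETADDRS = [
    "fffff800`d19ce71b",   # second dump: should resolve to aswVmm+0x2271b
    "ffffe000`274c5250",   # first dump: faulting rip, lands in no image
]

# Bugcheck 0xFC arguments from the first dump: (virtual address, PTE contents).
BUGCHECK_FC_ARGS = ("ffffe000`274c5250", "80000002`8cd5b963")


def parse_hex(token: str) -> int:
    """Parse a WinDbg 64-bit value, tolerating the hi`lo backtick separator."""
    return int(token.replace("`", ""), 16)


@dataclass
class Module:
    start: int
    end: int
    name: str


# "<start> <end> <name> ..." where start/end are 8+1+8 characters with the backtick.
LM_LINE = re.compile(r"^\s*([0-9a-f`]{17})\s+([0-9a-f`]{17})\s+(\S+)", re.I)


def parse_lm(text: str) -> List[Module]:
    """Turn `lm` output into module ranges; lines that do not match are ignored."""
    mods = []
    for line in text.splitlines():
        m = LM_LINE.match(line)
        if m:
            mods.append(Module(parse_hex(m[1]), parse_hex(m[2]), m[3]))
    return mods


def attribute(addr: int, mods: List[Module]) -> Optional[str]:
    """Return 'module+0xoffset' as WinDbg prints it, or None if addr is in no image."""
    for mod in mods:
        if mod.start <= addr < mod.end:
            return f"{mod.name}+0x{addr - mod.start:x}"
    return None


def is_canonical(va: int) -> bool:
    """x64 with 48-bit virtual addresses: bits 63..47 must all be equal."""
    top = va >> 47
    return top in (0, (1 << 17) - 1)


def decode_pte(pte: int) -> dict:
    """Decode the architectural bits of an x64 PTE (bugcheck 0xFC argument 2)."""
    return {
        "valid": bool(pte & 1),
        "writable": bool(pte & (1 << 1)),
        "user": bool(pte & (1 << 2)),
        "accessed": bool(pte & (1 << 5)),
        "dirty": bool(pte & (1 << 6)),
        "global": bool(pte & (1 << 8)),
        "nx": bool(pte >> 63),          # bit 63: execute-disable
        "pfn": (pte >> 12) & ((1 << 40) - 1),
    }


def triage(retaddrs: List[str], lm_text: str) -> List[Tuple[str, str]]:
    """Attribute each address; addresses outside every image are flagged, since
    executing there is what an NX fault on a kernel address looks like."""
    mods = parse_lm(lm_text)
    out = []
    for tok in retaddrs:
        sym = attribute(parse_hex(tok), mods)
        out.append((tok, sym if sym else "<not in any loaded image>"))
    return out


if __name__ == "__main__":
    for tok, sym in triage(RETADDRS, LM_TEXT):
        print(f"{tok}  {sym}")
    va, pte = (parse_hex(t) for t in BUGCHECK_FC_ARGS)
    print(f"VA canonical: {is_canonical(va)}  PTE canonical as VA: {is_canonical(pte)}")
    print(f"PTE bits: {decode_pte(pte)}")
```

Paste the full `lm` listing from a dump into `LM_TEXT` and the RetAddr column of `kv` into `RETADDRS` and the script reproduces the module attribution without symbols; any frame reported as not in any loaded image is the one to look at first, because a kernel that is executing code outside every driver image is either running unbacked memory or a module that was unloaded.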