Solved Random BSOD, Random erros, Debug says ntoskrnl.exe

[Surgikill]

Hey guys, so I am in a bit of a pickle. I have an HP m6-k015dx laptop and it is giving me hell. I will get random BSOD's, usually at or a short while after login. They usually happen consecutively and then stop. I was able to enable driver verifier in order to see what was wrong. After it was enabled it did not crash so I decided to use memtest to check the RAM. 50% into the first pass it had detected 650 errors. So I tested each stick in each slot and it came back fine. I then tested both sticks again and it came back without an error. I tried to boot normally but I received multiple BSOD's. I then booted into safe mode with networking and received a BSOD. After that I booted into safe mode and was able to retrieve my minidump files. After analyzing them on another computer each one says that it is probably caused by ntoskrnl.exe What is my course of action from here on out? I really have no idea what to do.

My mindump files are zipped and attached.

 

[MasterChief]

Set Optimized Defaults in the bios, then save. Check that storage is set to AHCI mode, if that is how it is currently set. If not, change the setting to that. Save.

Boot to Windows.

Download/install/run CPU-Z.

Type snippingtool into the Start menu then press Enter. Use it to make a screenshot of CPU-Z Memory tab.

Then, make a screenshot of the SPD tab - one for each stick of RAM you have. So if two sticks, two screenshots for this...etc... (Change the slot # to get to others, in top left of tab.)

Please attach the saved screenshots (.jpg format is good) to a new post here.

 

[MasterChief]

We should get rid of this:

WPRO_41_2001 WPRO_41_2001.sys Mon Nov 07 16:04:48 2011 (4EB847F0)

Uninstall WinPcap normally.

If it is not in the uninstall list, then do this instead:

Delete this file:

C:\Windows\System32\drivers\WPRO_41_2001.sys

Then open Regedit and locate its key (might take a little effort, depending on if it is named similarly, as WinPcap, or something else even) - delete the key.

Here is the location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services

Reboot.

 

[Surgikill]

I deleted that driver and the reg key. I am unable to get any memory info for you because cpu-z encounters error 0x43c (1084) during initialization and nothing is displayed on the memory tab or the SPD tab.

 

[MasterChief]

Ok, cool for now.

Just wait it out and see how it goes. If it crashes, please re-run the tool again and post the logs, as you did before.

The memory might be set unwell, but we'll see.

Maybe it won't even crash anymore.

 

[Surgikill]

special pool detected memory corruption. So I booted, logged in, really slow and sluggish, turned off driver verifier, tried to reboot and got a BSOD with special pool detected memory corruption. So it is restarting again and I'll post the dump file.

 

[Surgikill]

Okay I am logged in and it has not bsod'd so far. Heres the dump file for the last BSOD.

 

[MasterChief]

This WinPcap driver still exists and is active, in your latest crash dump just posted.

Perhaps the software that you installed that installed it too, re-installed it.

Check about that again.

0: kd> lmvm WPRO_41_2001
start             end                 module name
fffff800`034db000 fffff800`034e7000   WPRO_41_2001   (deferred)             
    Image path: \SystemRoot\system32\drivers\WPRO_41_2001.sys
    Image name: WPRO_41_2001.sys
    Timestamp:        Mon Nov 07 16:04:48 2011 (4EB847F0)
    CheckSum:         00015ADC
    ImageSize:        0000C000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

What I would do for now too is to remove a stick of RAM. Run the machine like that until you're confident that it is stable.

If it is, replace the RAM with the other stick and try again. See how that goes.

Maybe one of them will crash a lot and the other not. Basically, experiment doing real things that you normally would use the machine for.

 

[Surgikill]

What is it associated with? It says it was installed today, so I am unsure of what it is or where it came from.

 

[MasterChief]

Dunno, can't say.

Quite a few machines bsoding have it though, and I don't like the date of it, especially because of its function and type of driver it is.

If you make a screenshot or 2 of your installed software programs, I can probably guess which it is a component of.

 

[Surgikill]

Just got another 2 BSOD. One said memory management and the other said irql driver less or not egual to and had iastora.sys in parentheses. This was after I deleted wpro. I will try to get the dump files and the screenshots.

 

[Surgikill]

I am running a malware scan. Just checked with two other computers similar to mine and it doesn't show up on theirs. This installs itself on boot which causes it to BSOD.

 

[Surgikill]

Here's the screenshots of installed programs.

 

[MasterChief]

Ya, it is likely that one stick of RAM is bad (especially because of what you were saying in the OP). The iastora.sys driver you have is good. The machine is almost definitely crashing because of RAM and not drivers.

So, I would do as I said, about running only one stick at a time until you can figure out if one of them crashes while the other does not.

You can visit your motherboard site to download/install latest Intel Rapid Storage driver, but like I said, what you have already is good and it might actually already be the latest.

Could be Pando Media Booster installing the WinPcap driver. It's only a guess though. On the other hand, maybe it is malware installing it on you. It is a very useful tool to any black hat hacker. It can capture all data in or out of your adapter.

Ensure you've set Optimized Defaults in the bios. That should at least try to set the memory as it needs to be, if it is already not.

 

[Surgikill]

it's not pando media booster. That is associated with league. Two other systems are running league without that driver. The RAM may be bad, but I already tested each stick individually without any problems, and I tested both sticks without a problem. It may be malware because it will only BSOD after I delete that driver and restart. MBAM should find something.

EDIT: CPU-Z is working now, I will get you those numbers.

 

[Surgikill]

Here is the CPU-Z info

 

[MasterChief]

It may be malware because it will only BSOD after I delete that driver and restart.

EDIT: CPU-Z is working now, I will get you those numbers.

Makes a little sense, being that I didn't like that driver since the first I've ever seen it a couple of days ago when I first started debugging again. The modern WinPcap that would not crash Windows 7 or 8 is npf.sys. I have it and use it, as part of Wireshark.

I don't see the JEDEC for 800 MHz, but going by the other similar ones, I can tell the memory is set decently.

What you can do, for now, is to make a .txt file with Notepad and save it as WPRO_41_2001.txt. Change the .txt to .sys after saving. Move it to the driver folder location C:\Windows\System32\drivers, then set the Security on it to not allow write access to any account.

That should stop anything trying to install a real driver.

Reboot and see if that file is still 0 kb or not.

 

[Surgikill]

I'm in safe mode performing a virus scan. Will do that if nothing turns up from MBAM.

 

[Surgikill]

Virus scan didn't detect anything on the c drive. Those other people that are having the BSOD with WPRO, could you post their program lists? I want to see if anything correlates.

 

[MasterChief]

I don't have that with me at all.

Here are two threads it was involved in:

http://www.eightforums.com/bsod-cra...st-cold-boot-always-bsod-windows-loading.html

http://www.eightforums.com/bsod-cra...ted_expool-windows-8-a.html?highlight=WinPcap