Okay, well, I'll debug it w/o verifier:
Code:
3: kd> .bugcheck
Bugcheck code 1000007E
Arguments ffffffff`c0000006 fffff880`0c14dab9 fffff880`0ba5d848 fffff880`0ba5d0a0
Code:
3: kd> .exr fffff880`0ba5d848
ExceptionAddress: fffff8800c14dab9 (rawo5qot+0x0000000000103ab9)
ExceptionCode: c0000006 (In-page I/O error)
ExceptionFlags: 00000000
NumberParameters: 3
Parameter[0]: 0000000000000000
Parameter[1]: 000000001818a9a2
Parameter[2]: 00000000c000000e
Inpage operation failed at 000000001818a9a2, due to I/O error 00000000c000000e
Okay, so it looks like the unhandled exception occurred due to a failure to read memory from the disk, and whatever rawo5qot is had a say in it.
Code:
3: kd> .cxr fffff880`0ba5d0a0
rax=0000000000000000 rbx=fffff8a03bab5020 rcx=fffff8800ba5dc00
rdx=fffff8800ba5db00 rsi=fffff8a017ae49f3 rdi=000000001818a9a2
rip=fffff8800c14dab9 rsp=fffff8800ba5da80 rbp=0000000000000000
r8=fffff8800ba5db08 r9=fffff8800ba5db00 r10=0000000000000000
r11=fffff8a017ae4b68 r12=fffff8a03b8e3020 r13=fffff8a017b39590
r14=fffff8a03bab5028 r15=fffff8a017ae4968
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
rawo5qot+0x103ab9:
fffff880`0c14dab9 0fb617 movzx edx,byte ptr [rdi] ds:002b:00000000`1818a9a2=??
Taking a look at rawo5qot's instruction, it was copying the value at address rdi to edx and zero-extending the value.
Code:
3: kd> !pte 000000001818a9a2
VA 000000001818a9a2
PXE at FFFFF6FB7DBED000 PPE at FFFFF6FB7DA00000 PDE at FFFFF6FB40000600 PTE at FFFFF680000C0C50
Unable to get PXE FFFFF6FB7DBED000
Can't check rdi's contents due to small dump restrictions.
Code:
3: kd> k
*** Stack trace for last set context - .thread/.cxr resets it
Child-SP RetAddr Call Site
fffff880`0ba5da80 00000000`00000000 rawo5qot+0x103ab9
The only thing in the stack at the time of the crash on the thread was literally just rawo5qot.
So I think the main question we have is, what the hell is rawo5qot?
Code:
3: kd> lmvm rawo5qot
start end module name
fffff880`0c04a000 fffff880`0c254d40 rawo5qot T (no symbols)
Loaded symbol image file: rawo5qot.vbt
Image path: rawo5qot.vbt
Image name: rawo5qot.vbt
Timestamp: Tue Mar 03 11:04:57 2015
It's a .vbt extension, which is an extension that is associated solely with 3rd party antivirus (mostly antimalware) solutions. It can also be malware itself, although I've never personally seen malware masked into a .vbt extension. It's not showing a path, but we can find it if we need to.
You overall have a lot of unnecessary/redundant software that is probably causing conflicts, especially since most of it is 4/5 years old.
1. Emsisoft.
2. CryptBox.
3. Magic ISO.
4. UltraMon:
Code:
3: kd> lmvm ultramonutility
start end module name
fffff880`08812000 fffff880`0881b000 UltraMonUtility (deferred)
Image path: UltraMonUtility.sys
Image name: UltraMonUtility.sys
Timestamp: Thu Nov 13 20:10:30 2008
2008 kernel-mode driver, lol. The amount of bugs in this... I don't even want to know.
Get rid of all of the above.
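The same triage can be scripted when there are many dumps to go through. The following is an added example, not part of the original post: it parses `.exr` and `lm`-style text, attributes the exception address to a loaded module, and decodes the three in-page error parameters. The function names and the small NTSTATUS table are assumptions of this example, and the sample text is constructed from the output shown above.

```python
import re

# Constructed sample, assembled from the debugger output quoted in the post.
SAMPLE = """\
ExceptionAddress: fffff8800c14dab9 (rawo5qot+0x0000000000103ab9)
ExceptionCode: c0000006 (In-page I/O error)
NumberParameters: 3
Parameter[0]: 0000000000000000
Parameter[1]: 000000001818a9a2
Parameter[2]: 00000000c000000e
start end module name
fffff880`0c04a000 fffff880`0c254d40 rawo5qot T (no symbols)
fffff880`08812000 fffff880`0881b000 UltraMonUtility (deferred)
"""

STATUS_IN_PAGE_ERROR = 0xC0000006
# For an in-page error, Parameter[0] is the access type.
ACCESS = {0: "read", 1: "write", 8: "execute (DEP)"}
# Partial table of I/O statuses often seen as Parameter[2] (not exhaustive).
NTSTATUS = {0xC000000E: "STATUS_NO_SUCH_DEVICE",
            0xC000009C: "STATUS_DEVICE_DATA_ERROR",
            0xC000009D: "STATUS_DEVICE_NOT_CONNECTED",
            0xC0000185: "STATUS_IO_DEVICE_ERROR"}

def hexval(s):
    """Convert WinDbg hex (optionally with a backtick separator) to int."""
    return int(s.replace("`", ""), 16)

def parse_modules(text):
    """Return (start, end, name) for every module line in lm output."""
    pat = re.compile(r"^([0-9a-f]{8}`[0-9a-f]{8})\s+([0-9a-f]{8}`[0-9a-f]{8})\s+(\S+)",
                     re.M | re.I)
    return [(hexval(s), hexval(e), n) for s, e, n in pat.findall(text)]

def triage(text):
    """Attribute the exception address to a module and decode in-page errors."""
    addr = hexval(re.search(r"ExceptionAddress:\s*([0-9a-f`]+)", text, re.I).group(1))
    code = hexval(re.search(r"ExceptionCode:\s*([0-9a-f`]+)", text, re.I).group(1))
    params = [hexval(p) for p in re.findall(r"Parameter\[\d+\]:\s*([0-9a-f`]+)", text, re.I)]
    owner = next(((n, addr - s) for s, e, n in parse_modules(text) if s <= addr < e), None)
    result = {"module": owner[0] if owner else None,
              "offset": owner[1] if owner else None}
    if code == STATUS_IN_PAGE_ERROR and len(params) >= 3:
        result["access"] = ACCESS.get(params[0], hex(params[0]))
        result["faulting_va"] = params[1]
        result["io_status"] = NTSTATUS.get(params[2], hex(params[2]))
    return result

if __name__ == "__main__":
    print(triage(SAMPLE))
```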