[SOLVED] Driver Power State Failure - Windows 8.1 x64

blueelvis

Hi sysnative people ^_^,

I am working on a case in which the system is giving Driver_Power_State_Failure, but the problem is that there is no IRP packet inside the dump file, and I don't know why.

At first, after a bit of further analysis, I suspected that a rootkit is present, as the analysis showed that the FLINK and BLINK pointers are damaged and corrupt. So I asked the user to run GMER and aswMBR, which did not yield any kind of rootkit. Could you please help me out? Below are the attached dump files.

View attachment 8260
Also, below are the logs of aswMBR and GMER:
Code:
GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-06-10 17:50:36
Windows 6.2.9200  x64 \Device\Harddisk0\DR0 -> \Device\0000002d WDC_WD5000LPVX-22V0TT0 rev.01.01A01 465.76GB
Running: b1cses3j.exe; Driver: C:\Users\MATTQ~1\AppData\Local\Temp\uwlorkog.sys


---- Kernel code sections - GMER 2.1 ----

.text    C:\WINDOWS\System32\win32k.sys!W32pServiceTable + 1                                                                                                                                                 fffff960000c4201 7 bytes [20, 0A, 02, 00, F0, 70, 01]
.text    C:\WINDOWS\System32\win32k.sys!W32pServiceTable + 9                                                                                                                                                 fffff960000c4209 6 bytes [88, B0, FF, 01, 23, DC]

---- User code sections - GMER 2.1 ----

.text    C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5500] C:\WINDOWS\system32\wow64cpu.dll!CpuSetContext + 381                                                                                       000000007729137d 16 bytes {JMP 0xffffffffffffffd3}
.text    C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5500] C:\WINDOWS\system32\wow64cpu.dll!CpuGetContext + 386                                                                                       0000000077291512 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5500] C:\WINDOWS\system32\wow64cpu.dll!CpuSetInstructionPointer + 49                                                                             0000000077291551 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5500] C:\WINDOWS\system32\wow64cpu.dll!CpuSetStackPointer + 23                                                                                   0000000077291577 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5500] C:\WINDOWS\system32\wow64cpu.dll!CpuResetToConsistentState + 516                                                                           0000000077291784 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5500] C:\WINDOWS\system32\wow64cpu.dll!CpuThreadInit + 50                                                                                        00000000772917c2 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5500] C:\WINDOWS\system32\wow64cpu.dll!CpuGetStackPointer + 23                                                                                   00000000772917e7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5500] C:\WINDOWS\system32\wow64cpu.dll!CpuProcessInit + 68                                                                                       0000000077291834 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5500] C:\WINDOWS\system32\wow64cpu.dll!CpuNotifyAffinityChange + 1                                                                               0000000077291841 24 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5500] C:\WINDOWS\system32\wow64cpu.dll!CpuNotifyAffinityChange + 513                                                                             0000000077291a41 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    ...                                                                                                                                                                                                 * 2
.text    C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5500] C:\WINDOWS\system32\wow64cpu.dll!CpuFlushInstructionCache + 16                                                                             0000000077292ae0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5500] C:\WINDOWS\system32\wow64cpu.dll!CpuInitializeStartupContext + 308                                                                         0000000077292c1c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Program Files (x86)\Mozilla Firefox\firefox.exe[5500] C:\WINDOWS\system32\wow64cpu.dll!CpuProcessDebugEvent + 3                                                                                  0000000077292c43 8 bytes [7C, 68, 16, FF, 00, 00, 00, ...]
.text    C:\Users\Matt Q\Desktop\aswmbr.exe[5440] C:\WINDOWS\system32\wow64cpu.dll!CpuSetContext + 381                                                                                                       000000007729137d 16 bytes {JMP 0xffffffffffffffd3}
.text    C:\Users\Matt Q\Desktop\aswmbr.exe[5440] C:\WINDOWS\system32\wow64cpu.dll!CpuGetContext + 386                                                                                                       0000000077291512 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Users\Matt Q\Desktop\aswmbr.exe[5440] C:\WINDOWS\system32\wow64cpu.dll!CpuSetInstructionPointer + 49                                                                                             0000000077291551 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Users\Matt Q\Desktop\aswmbr.exe[5440] C:\WINDOWS\system32\wow64cpu.dll!CpuSetStackPointer + 23                                                                                                   0000000077291577 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Users\Matt Q\Desktop\aswmbr.exe[5440] C:\WINDOWS\system32\wow64cpu.dll!CpuResetToConsistentState + 516                                                                                           0000000077291784 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Users\Matt Q\Desktop\aswmbr.exe[5440] C:\WINDOWS\system32\wow64cpu.dll!CpuThreadInit + 50                                                                                                        00000000772917c2 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Users\Matt Q\Desktop\aswmbr.exe[5440] C:\WINDOWS\system32\wow64cpu.dll!CpuGetStackPointer + 23                                                                                                   00000000772917e7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Users\Matt Q\Desktop\aswmbr.exe[5440] C:\WINDOWS\system32\wow64cpu.dll!CpuProcessInit + 68                                                                                                       0000000077291834 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Users\Matt Q\Desktop\aswmbr.exe[5440] C:\WINDOWS\system32\wow64cpu.dll!CpuNotifyAffinityChange + 1                                                                                               0000000077291841 24 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Users\Matt Q\Desktop\aswmbr.exe[5440] C:\WINDOWS\system32\wow64cpu.dll!CpuNotifyAffinityChange + 513                                                                                             0000000077291a41 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    ...                                                                                                                                                                                                 * 2
.text    C:\Users\Matt Q\Desktop\aswmbr.exe[5440] C:\WINDOWS\system32\wow64cpu.dll!CpuFlushInstructionCache + 16                                                                                             0000000077292ae0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Users\Matt Q\Desktop\aswmbr.exe[5440] C:\WINDOWS\system32\wow64cpu.dll!CpuInitializeStartupContext + 308                                                                                         0000000077292c1c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Users\Matt Q\Desktop\aswmbr.exe[5440] C:\WINDOWS\system32\wow64cpu.dll!CpuProcessDebugEvent + 3                                                                                                  0000000077292c43 8 bytes [7C, 68, 4F, 7F, 00, 00, 00, ...]
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlDefaultNpAcl + 772                                                                                                    00007fffea55293c 8 bytes {JMP 0xffffffffffffff8c}
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!WinSqmAddToAverageDWORD + 21                                                                                             00007fffea552959 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!WinSqmSetIfMaxDWORD + 95                                                                                                 00007fffea5529c7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!EtwEventWriteEndScenario + 220                                                                                           00007fffea552aac 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!WinSqmEndSession + 272                                                                                                   00007fffea552bc4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!WinSqmStartSession + 8                                                                                                   00007fffea553018 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!WinSqmStartSession + 940                                                                                                 00007fffea5533bc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!EtwEventWriteFull + 64                                                                                                   00007fffea553404 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!EtwEventWriteFull + 503                                                                                                  00007fffea5535bb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!WinSqmIsSessionDisabled + 792                                                                                            00007fffea553fe0 8 bytes {JMP 0xffffffffffffffa9}
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlVerifyVersionInfo + 835                                                                                               00007fffea554933 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!SbSelectProcedure + 336                                                                                                  00007fffea554bac 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!SbSelectProcedure + 472                                                                                                  00007fffea554c34 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    ...                                                                                                                                                                                                 * 2
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlGetNtProductType + 567                                                                                                00007fffea55543f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!WinSqmAddToStream + 592                                                                                                  00007fffea5556b4 8 bytes {JMP 0xffffffffffffffa9}
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!WinSqmAddToStreamEx + 875                                                                                                00007fffea555a27 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!WinSqmEventEnabled + 139                                                                                                 00007fffea555f8b 8 bytes {JMP 0xffffffffffffffd1}
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!WinSqmEventEnabled + 224                                                                                                 00007fffea555fe0 16 bytes {JMP 0xffffffffffffffcf}
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!WinSqmEventWrite + 119                                                                                                   00007fffea5560df 8 bytes {JMP 0xffffffffffffffac}
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!EtwEventWrite + 43                                                                                                       00007fffea556113 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!EtwEventWrite + 628                                                                                                      00007fffea55635c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    ...                                                                                                                                                                                                 * 3
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlCreateBoundaryDescriptor + 584                                                                                        00007fffea556658 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlAddSIDToBoundaryDescriptor + 8                                                                                        00007fffea556668 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlAddSIDToBoundaryDescriptor + 519                                                                                      00007fffea556867 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlDeleteBoundaryDescriptor + 23                                                                                         00007fffea556887 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!A_SHAFinal + 300                                                                                                         00007fffea556bf0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!A_SHAInit + 44                                                                                                           00007fffea556c24 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlCreateServiceSid + 292                                                                                                00007fffea559188 8 bytes {JMP 0xffffffffffffffdc}
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLengthRequiredSid + 20                                                                                                00007fffea5591a4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLengthRequiredSid + 352                                                                                               00007fffea5592f0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlInitializeSid + 35                                                                                                    00007fffea55931b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlAddAce + 339                                                                                                          00007fffea55950b 8 bytes {JMP 0xffffffffffffffdc}
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlNewSecurityObjectEx + 99                                                                                              00007fffea559577 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlIsValidProcessTrustLabelSid + 103                                                                                     00007fffea5595e7 8 bytes {JMP 0xffffffffffffffe6}
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlIsValidProcessTrustLabelSid + 751                                                                                     00007fffea55986f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlSidDominatesForTrust + 135                                                                                            00007fffea559a67 8 bytes {JMP 0xffffffffffffffaa}
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlCreateSecurityDescriptor + 43                                                                                         00007fffea55a7bf 8 bytes {JMP 0xfffffffffffffff5}
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlSetDaclSecurityDescriptor + 104                                                                                       00007fffea55a8e8 8 bytes {JMP 0xffffffffffffffe5}
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlAddMandatoryAce + 356                                                                                                 00007fffea55aa78 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlMapGenericMask + 64                                                                                                   00007fffea55d270 8 bytes {JMP 0xffffffffffffffd0}
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlOpenCurrentUser + 208                                                                                                 00007fffea55d39c 8 bytes {JMP 0xffffffffffffffa3}
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlCheckTokenCapability + 952                                                                                            00007fffea55d75c 8 bytes [F0, 69, F8, 7F, 00, 00, 00, ...]
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlAppendUnicodeToString + 167                                                                                           00007fffea55e56b 8 bytes [D0, 69, F8, 7F, 00, 00, 00, ...]
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLengthSidAsUnicodeString + 84                                                                                         00007fffea55e5c8 8 bytes {JMP 0xffffffffffffffdc}
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlValidSecurityDescriptor + 243                                                                                         00007fffea55e6c3 8 bytes [B0, 69, F8, 7F, 00, 00, 00, ...]
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlAddAccessAllowedAce + 379                                                                                             00007fffea55e847 8 bytes [A0, 69, F8, 7F, 00, 00, 00, ...]
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread                                                                                                   00007fffea5dac50 8 bytes {JMP QWORD [RIP-0x7c8ac]}
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread                                                                                                 00007fffea5dadd0 8 bytes {JMP QWORD [RIP-0x7c86b]}
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                                                       00007fffea5dae00 8 bytes {JMP QWORD [RIP-0x7db96]}
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                                     00007fffea5daf20 8 bytes {JMP QWORD [RIP-0x7d7ca]}
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                                                         00007fffea5dafd0 8 bytes {JMP QWORD [RIP-0x7dc3a]}
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                                         00007fffea5db690 8 bytes {JMP QWORD [RIP-0x7ce4f]}
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread                                                                                                       00007fffea5db990 8 bytes {JMP QWORD [RIP-0x7d2d3]}
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                                       00007fffea5dc210 8 bytes {JMP QWORD [RIP-0x7dc4e]}
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\system32\wow64cpu.dll!CpuSetContext + 381                                                                                                   000000007729137d 16 bytes {JMP 0xffffffffffffffd3}
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\system32\wow64cpu.dll!CpuGetContext + 386                                                                                                   0000000077291512 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\system32\wow64cpu.dll!CpuSetInstructionPointer + 49                                                                                         0000000077291551 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\system32\wow64cpu.dll!CpuSetStackPointer + 23                                                                                               0000000077291577 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\system32\wow64cpu.dll!CpuResetToConsistentState + 516                                                                                       0000000077291784 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\system32\wow64cpu.dll!CpuThreadInit + 50                                                                                                    00000000772917c2 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\system32\wow64cpu.dll!CpuGetStackPointer + 23                                                                                               00000000772917e7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\system32\wow64cpu.dll!CpuProcessInit + 68                                                                                                   0000000077291834 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\system32\wow64cpu.dll!CpuNotifyAffinityChange + 1                                                                                           0000000077291841 24 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\system32\wow64cpu.dll!CpuNotifyAffinityChange + 513                                                                                         0000000077291a41 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    ...                                                                                                                                                                                                 * 2
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\system32\wow64cpu.dll!CpuFlushInstructionCache + 16                                                                                         0000000077292ae0 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\system32\wow64cpu.dll!CpuInitializeStartupContext + 308                                                                                     0000000077292c1c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text    C:\Users\Matt Q\Downloads\b1cses3j.exe[4524] C:\WINDOWS\system32\wow64cpu.dll!CpuProcessDebugEvent + 3                                                                                              0000000077292c43 8 bytes [7C, 68, F8, 7F, 00, 00, 00, ...]

---- User IAT/EAT - GMER 2.1 ----

IAT      C:\WINDOWS\Explorer.EXE[2616] @ C:\WINDOWS\system32\RPCRT4.dll[ntdll.dll!NtAlpcConnectPortEx]                                                                                                       [52d41250] 

---- Threads - GMER 2.1 ----

Thread   C:\WINDOWS\system32\csrss.exe [720:912]                                                                                                                                                             fffff96000944b90
Thread   C:\WINDOWS\system32\svchost.exe [904:360]                                                                                                                                                           00007fffe6591b40
Thread   C:\WINDOWS\System32\svchost.exe [456:1088]                                                                                                                                                          00007fffe34b1400
Thread   C:\WINDOWS\System32\svchost.exe [456:1144]                                                                                                                                                          00007fffe3441ed0
Thread   C:\WINDOWS\System32\svchost.exe [456:1204]                                                                                                                                                          00007fffe30ee054
Thread   C:\WINDOWS\System32\svchost.exe [456:1212]                                                                                                                                                          00007fffe333e840
Thread   C:\WINDOWS\System32\svchost.exe [456:1256]                                                                                                                                                          00007fffe2c1ed08
Thread   C:\WINDOWS\System32\svchost.exe [456:1296]                                                                                                                                                          00007fffe314482c
Thread   C:\WINDOWS\System32\svchost.exe [456:3848]                                                                                                                                                          00007fffdc196dd0
Thread   C:\WINDOWS\System32\svchost.exe [456:3856]                                                                                                                                                          00007fffdc194f30
Thread   C:\WINDOWS\system32\svchost.exe [616:1308]                                                                                                                                                          00007fffe1261ee0
Thread   C:\WINDOWS\system32\svchost.exe [616:2368]                                                                                                                                                          00007fffde2dcbc0
---- Processes - GMER 2.1 ----

Library  C:\Users\MATTQ~1\AppData\Local\Temp\_av4_\aswEngin.dll (*** suspicious ***) @ C:\Users\Matt Q\Desktop\aswmbr.exe [5440] (High level antivirus engine/ALWIL Software)(2014-06-11 00:38:44)           0000000064280000
Library  C:\Users\MATTQ~1\AppData\Local\Temp\_av4_\aswScan.dll (*** suspicious ***) @ C:\Users\Matt Q\Desktop\aswmbr.exe [5440] (Low level antivirus engine/ALWIL Software)(2014-06-11 00:38:44)             0000000064200000
Library  C:\Users\MATTQ~1\AppData\Local\Temp\_av4_\MSVCP71.dll (*** suspicious ***) @ C:\Users\Matt Q\Desktop\aswmbr.exe [5440] (Microsoft® C++ Runtime Library/Microsoft Corporation)(2014-06-11 00:38:44)  000000007c3a0000
Library  C:\Users\MATTQ~1\AppData\Local\Temp\_av4_\aswCmnOS.dll (*** suspicious ***) @ C:\Users\Matt Q\Desktop\aswmbr.exe [5440] (Antivirus HW dependent library/ALWIL Software)(2014-06-11 00:38:44)        0000000064000000
Library  C:\Users\MATTQ~1\AppData\Local\Temp\_av4_\aswCmnB.dll (*** suspicious ***) @ C:\Users\Matt Q\Desktop\aswmbr.exe [5440] (High level portable functions/ALWIL Software)(2014-06-11 00:38:44)          0000000064080000
Library  C:\Users\MATTQ~1\AppData\Local\Temp\_av4_\aswCmnS.dll (*** suspicious ***) @ C:\Users\Matt Q\Desktop\aswmbr.exe [5440] (Common non-portable functions/ALWIL Software)(2014-06-11 00:38:44)          0000000064100000
Library  C:\Users\MATTQ~1\AppData\Local\Temp\_av4_\MSVCR71.dll (*** suspicious ***) @ C:\Users\Matt Q\Desktop\aswmbr.exe [5440] (Microsoft® C Runtime Library/Microsoft Corporation)(2014-06-11 00:38:44)    000000007c340000

---- Disk sectors - GMER 2.1 ----

Disk     \Device\Harddisk0\DR0                                                                                                                                                                               unknown MBR code

---- EOF - GMER 2.1 ----

Code:
aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2014-06-10 17:38:44
-----------------------------
17:38:44.810    OS Version: Windows x64 6.2.9200 
17:38:44.810    Number of processors: 4 586 0x3A09
17:38:44.811    ComputerName: THEBLACKSAX  UserName: Matt Q
17:38:44.859    Initialze error 1 
17:39:12.388    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000002d
17:39:12.390    Disk 0 Vendor: WDC_WD5000LPVX-22V0TT0 01.01A01 Size: 476940MB BusType: 11
17:39:12.395    Disk 0 MBR read successfully
17:39:12.396    Disk 0 MBR scan
17:39:12.399    Disk 0 unknown MBR code
17:39:12.417    Disk 0 Partition 1 00     EE          GPT           2097151 MB offset 1
17:39:12.419    Disk 0 scanning C:\WINDOWS\system32\drivers
17:39:12.421    Service scanning
17:39:12.937    Modules scanning
17:39:12.940    Disk 0 trace - called modules:
17:39:12.944    ntoskrnl.exe CLASSPNP.SYS disk.sys storport.sys hal.dll iaStorA.sys 
17:39:12.948    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xffffe000c9def4e0]
17:39:12.951    3 CLASSPNP.SYS[fffff80184b9927b] -> nt!IofCallDriver -> \Device\0000002d[0xffffe000c79b54a0]
17:39:12.954    Scan finished successfully
17:39:50.177    Disk 0 MBR has been saved successfully to "C:\Users\Matt Q\Desktop\MBR.dat"
17:39:50.193    The log file has been saved successfully to "C:\Users\Matt Q\Desktop\aswMBR log June 10 2014.txt"
 
There is no definite cause but I have a few ideas, starting with the USB Bluetooth Hard Copy Replacement server cable driver.

Code:
fffff800`919d5000 fffff800`919e3000   hidusb.sys
fffff800`919c7000 fffff800`919d5000   hidusb.sys
fffff800`911be000 fffff800`911cc000   hidusb.sys
fffff800`918ec000 fffff800`91919000   tunnel.sys
fffff800`8f87b000 fffff800`8f8a6000   btath_avdt.s
fffff800`903e1000 fffff800`903f9000   btath_lwflt.
fffff800`8fe21000 fffff800`8fe3d000   btath_flt.sy
fffff800`8f471000 fffff800`8f47d000   dump_storpor
fffff800`8f836000 fffff800`8fb00000   dump_iaStorA
fffff800`8fb00000 fffff800`8fb16000   dump_dumpfve
fffff800`8fe00000 fffff800`8fe3d000   sdbus.sys
fffff800`903a4000 fffff800`903fc000   RtsPStor.sys
fffff800`909a8000 fffff800`909e6000   WUDFRd.sys
fffff800`8dff0000 fffff800`8e000000   dam.sys 
fffff800`8d48b000 fffff800`8d496000   klelam.sys
fffff800`8e4aa000 fffff800`8e4b6000   hwpolicy.sys

The hidusb.sys is the onboard Windows USB driver that controls the USB ports; tie that in with the Bluetooth USB driver and I think that's the issue.

I can't check the timestamp but I would have the OP update the driver if there is a new one available from ATHEROS drivers for Microsoft Windows (Atheros?????)

Given that there are no Kernel Memory Dumps I cannot check everything.

As for the IRPs not being logged, I don't really know; I've never encountered such issues.

I take it the OP is using a wireless network card?

Code:
Name    [00000002] Qualcomm Atheros AR5BWB222 Wireless Network Adapter

He should update the driver for it...

Code:
2: kd> lmvm athw8x
start             end                 module name
fffff801`13cb7000 fffff801`14040000   athw8x     (deferred)             
    Image path: \SystemRoot\system32\DRIVERS\athw8x.sys
    Image name: athw8x.sys
    Timestamp:        Thu Jan 17 09:15:39 2013 (50F7C13B)
    CheckSum:         00386204
    ImageSize:        00389000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

Finally, you mentioned he's using Avast, correct?

Well he has Kaspersky installed and it's causing issues, no more than 1 real time Anti Virus should be installed at the same time as they can conflict.

Code:
Unable to load image \SystemRoot\system32\DRIVERS\klim6.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for klim6.sys
*** ERROR: Module load completed but symbols could not be loaded for klim6.sys
 klim6+0x2130

I would have him uninstall both of them and use Microsoft Security Essentials instead.

Use the Kaspersky uninstall tool.

Microsoft Security Essentials - Microsoft Windows
 
There is no IRP in the 4th parameter because the cause of the bug check itself is different.

Code:
3: kd> .bugcheck
Bugcheck code 0000009F
Arguments 00000000`00000004 00000000`0000012c ffffe001`e89a0880 ffffd001`e6569950

There will be an IRP located in the 4th parameter for a blocked IRP address if there is one (first parameter must be 3). If the 1st parameter is 4 (like it is in this case), it implies a power IRP has failed to synchronize with the PnP Manager. With this said, you will need a kernel dump to properly debug this type of bug check, as not enough information lies within the minidump. Specifically, you cannot dump !locks and check the !thread output to see what driver is causing the lock.

I see no avast! drivers loaded in the modules list, but I do see Kaspersky.

Code:
3: kd> k
Child-SP          RetAddr           Call Site
ffffd001`e6945b10 fffff801`8e0d3d1e nt!KiSwapContext+0x76
ffffd001`e6945c50 fffff801`8e0d3779 nt!KiSwapThread+0x14e
ffffd001`e6945cf0 fffff801`8e0e3dfa nt!KiCommitThreadWait+0x129
ffffd001`e6945d70 fffff801`c2fa622c nt!KeWaitForSingleObject+0x22a
ffffd001`e6945e00 fffff801`c2faadd5 storport!RaSendIrpSynchronous+0x70
ffffd001`e6945e60 fffff801`c2facd50 storport!RaidBusEnumeratorIssueSynchronousRequest+0x191
ffffd001`e6946090 fffff801`c2faca69 storport!RaidBusEnumeratorIssueReportLuns+0x68
ffffd001`e69460f0 fffff801`c2fac70e storport!RaidBusEnumeratorGetLunListFromTarget+0x59
ffffd001`e6946170 fffff801`c2faa8d4 storport!RaidBusEnumeratorGetLunList+0x7e
ffffd001`e6946260 fffff801`c2fabce7 storport!RaidAdapterEnumerateBus+0x94
ffffd001`e69463d0 fffff801`c2fab8d6 storport!RaidAdapterRescanBus+0xb7
ffffd001`e69464b0 fffff801`c2fa5ccd storport!RaidAdapterQueryDeviceRelationsIrp+0xa6
ffffd001`e6946570 fffff801`c2f9fdd1 storport!RaidAdapterPnpIrp+0x18d
ffffd001`e6946610 fffff801`8e422efa storport!RaDriverPnpIrp+0x8d
ffffd001`e6946650 fffff801`8e422dac nt!PnpAsynchronousCall+0x102
ffffd001`e6946690 fffff801`8e422c1d nt!PnpQueryDeviceRelations+0x88
ffffd001`e6946750 fffff801`8e431a94 nt!PipEnumerateDevice+0xe9
ffffd001`e69467d0 fffff801`8e5020a5 nt!PipProcessDevNodeTree+0x17c
ffffd001`e6946a50 fffff801`8e17382c nt!PiProcessReenumeration+0x91
ffffd001`e6946aa0 fffff801`8e0d0adb nt!PnpDeviceActionWorker+0x168
ffffd001`e6946b50 fffff801`8e14c794 nt!ExpWorkerThread+0x293
ffffd001`e6946c00 fffff801`8e1d75c6 nt!PspSystemThreadStartup+0x58
ffffd001`e6946c60 00000000`00000000 nt!KiStartSystemThread+0x16

Many Microsoft Storage Port driver calls, and the lock appears to occur at and/or shortly after storport!RaSendIrpSynchronous+0x70. As mentioned above, Kaspersky may be behind the crashes by causing file system conflicts.

Code:
3: kd> lmvm 94766073
start             end                 module name
fffff801`c381c000 fffff801`c3f7b000   94766073   (deferred)             
    Image path: \SystemRoot\system32\DRIVERS\94766073.sys
    Image name: 94766073.sys
    Timestamp:        Fri Mar 04 04:20:03 2011

Concerned about this driver, unsure as to what it may be. avastMBR and GMER fail to detect a rootkit, so it may just be a driver for Kaspersky (Kaspersky uses weird #'d drivers at times) or something irrelevant.

Have the user remove NTI CD-ROM Filter Driver by NewTech Infosystems (likely a part of Acer Empowering Technology), and ExpressCache as well.

Regards,

Patrick
 
Update Intel Storage drivers -
Code:
1: kd> !irp ffffe00036abf2c0
Irp is active with 4 stacks 3 is current (= 0xffffe00036abf420)
 No Mdl: No System Buffer: Thread 00000000:  Irp stack trace.  
     cmd  flg cl Device   File     Completion-Context
 [  0, 0]   0  0 00000000 00000000 00000000-00000000    

			Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000    

			Args: 00000000 00000000 00000000 00000000
>[ 16, 2]   0 e1 ffffe0002ffa9050 00000000 fffff8031312b2d8-ffffe00035503300 Success Error Cancel pending
*** WARNING: Unable to verify timestamp for iaStorA.sys
*** ERROR: Module load completed but symbols could not be loaded for iaStorA.sys
 \Driver\iaStorA	nt!PopRequestCompletion
			Args: 00015500 00000001 00000004 00000003
 [  0, 0]   0  0 00000000 00000000 00000000-ffffe00035503300    

			Args: 00000000 00000000 00000000 00000000

Code:
1: kd> lmvm iaStorA
start             end                 module name
fffff801`60840000 fffff801`60b0a000   iaStorA  T (no symbols)           
    Loaded symbol image file: iaStorA.sys
    Image path: \SystemRoot\System32\drivers\iaStorA.sys
    Image name: iaStorA.sys
    Timestamp:        Thu Aug 16 16:32:56 2012 (502D58F8)
    CheckSum:         0009F2E9
    ImageSize:        002CA000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

http://sysnative.com/drivers/driver.php?id=iaStorA.sys

Also, make sure the firmware is up-to-date for the 20 GB SSD.

Regards. . .

jcgriff2
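
The triage described in the two posts above, as an added example that is not code from the thread or from any Sysnative tool: it reads `.bugcheck` output to decide whether the 4th argument of a 0x9F bug check is a blocked IRP, and pulls the current stack location's driver out of `!irp` output. The meanings of arguments 2 and 3 when the first parameter is 4 (timeout in seconds, thread holding the PnP lock) follow Microsoft's bug check 0x9F reference rather than the thread; all function names are hypothetical.

```python
import re

# Samples copied from the debugger output quoted in the thread
# (forum colour tags removed, empty stack locations trimmed).
BUGCHECK_SAMPLE = """\
3: kd> .bugcheck
Bugcheck code 0000009F
Arguments 00000000`00000004 00000000`0000012c ffffe001`e89a0880 ffffd001`e6569950
"""

IRP_SAMPLE = r"""
1: kd> !irp ffffe00036abf2c0
Irp is active with 4 stacks 3 is current (= 0xffffe00036abf420)
 No Mdl: No System Buffer: Thread 00000000:  Irp stack trace.
     cmd  flg cl Device   File     Completion-Context
 [  0, 0]   0  0 00000000 00000000 00000000-00000000
            Args: 00000000 00000000 00000000 00000000
>[ 16, 2]   0 e1 ffffe0002ffa9050 00000000 fffff8031312b2d8-ffffe00035503300 Success Error Cancel pending
          *** WARNING: Unable to verify timestamp for iaStorA.sys
*** ERROR: Module load completed but symbols could not be loaded for iaStorA.sys
 \Driver\iaStorA    nt!PopRequestCompletion
            Args: 00015500 00000001 00000004 00000003
 [  0, 0]   0  0 00000000 00000000 00000000-ffffe00035503300
            Args: 00000000 00000000 00000000 00000000
"""

IRP_MJ_POWER = 0x16  # !irp prints major/minor codes in hex: "[ 16, 2]"
POWER_MINORS = {0: "IRP_MN_WAIT_WAKE", 1: "IRP_MN_POWER_SEQUENCE",
                2: "IRP_MN_SET_POWER", 3: "IRP_MN_QUERY_POWER"}
CURRENT_RE = re.compile(r"^>\[\s*([0-9a-fA-F]+),\s*([0-9a-fA-F]+)\]")


def parse_bugcheck(text):
    """Return (code, [arg1, arg2, arg3, arg4]) from `.bugcheck` output."""
    code = re.search(r"Bugcheck code\s+([0-9A-Fa-f]+)", text)
    args = re.search(r"^Arguments\s+(.+)$", text, re.MULTILINE)
    if not code or not args:
        raise ValueError("no .bugcheck output found")
    values = [int(a.replace("`", ""), 16) for a in args.group(1).split()]
    if len(values) != 4:
        raise ValueError("expected four bug check arguments")
    return int(code.group(1), 16), values


def fmt(addr):
    """Format a 64-bit value the way the debugger prints it."""
    return f"{addr >> 32:08x}`{addr & 0xFFFFFFFF:08x}"


def triage_9f(code, args):
    """Decide what a DRIVER_POWER_STATE_FAILURE dump can tell us next."""
    if code != 0x9F:
        raise ValueError("not bug check 0x9F")
    result = {"subtype": args[0], "irp": None,
              "needs_kernel_dump": False, "next": []}
    if args[0] == 3:
        # Blocked IRP: its address is the 4th argument.
        result["irp"] = args[3]
        result["next"] = [f"!irp {fmt(args[3])}"]
    elif args[0] == 4:
        # PnP synchronization timeout: no IRP address in the arguments.
        result["timeout_seconds"] = args[1]
        result["pnp_lock_thread"] = args[2]
        result["needs_kernel_dump"] = True
        result["next"] = [f"!thread {fmt(args[2])}", "!locks"]
    return result


def parse_irp(text):
    """Find the current (">") stack location in `!irp` output and its driver."""
    head = re.search(r"Irp is active with (\d+) stacks (\d+) is current", text)
    if not head:
        raise ValueError("no !irp output found")
    info = {"stacks": int(head.group(1)), "current": int(head.group(2)),
            "major": None, "minor": None, "driver": None, "completion": None}
    in_current = False
    for line in text.splitlines():
        marker = CURRENT_RE.match(line)
        if marker:
            info["major"] = int(marker.group(1), 16)
            info["minor"] = int(marker.group(2), 16)
            in_current = True
        elif in_current:
            if re.match(r"^\s*\[", line):  # next stack location: stop looking
                break
            # Symbol warnings may sit between the marker and the driver line.
            owner = re.search(r"\\Driver\\(\S+)(?:\s+(\S+))?", line)
            if owner:
                info["driver"], info["completion"] = owner.groups()
                break
    info["is_power_irp"] = info["major"] == IRP_MJ_POWER
    info["minor_name"] = (POWER_MINORS.get(info["minor"])
                          if info["is_power_irp"] else None)
    return info


if __name__ == "__main__":
    print(triage_9f(*parse_bugcheck(BUGCHECK_SAMPLE)))
    print(parse_irp(IRP_SAMPLE))
```
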
 
You may know differently to me but I've found that Intel Rapid Storage Technology isn't needed.
I've also found that updating the driver doesn't fix the issue, you have to uninstall it via device manager.

Unless you know otherwise.
 
Very good Patrick :)

I've bookmarked it; with the number of cases I've seen caused by IRST, it's going to be very helpful.
 
Glad it helps.

I know satrow and I got tired of typing it, so he worked on a reply a few months back and I finally transitioned it to a canned reply/article.
 
Thanks for that article as I have also bookmarked it.


Thanks people for helping me on this one. I have notified the user about the steps and the things to do; let us see how it goes. Btw, here is an update by the user on how the issue is occurring:
As another update, the computer seems to be able to start up once and go to sleep once without restarting, and once the computer wakes up from this initial sleep, I get a notification saying:

Intel Rapid Storage Technology
SATA Disk on Controller 0, Port 1: Detected

Now after this notification if I put the computer to sleep, it will restart, probably experiencing the error. So, I let the computer restart again and watched the Intel application and it doesn't seem to have one of the internal ports connected on initial startup, but as soon as I put it to sleep and wake it up again, it connects to the SSD inside and later disconnects leaving an empty internal port. It seems that somewhere between waking up the computer, connecting to the SSD and later disconnecting causes the error to occur when the computer goes to sleep.

So, it may be the case of Intel Rapid Storage being at fault like jcgriff said.
 
Yes, Intel Rapid Storage Technology can cause a lot of issues, BSODs are one of them; it should be removed as it is completely unnecessary.
 
OEMs should not recommend this piece of software, seriously <_<. Very troublesome indeed.

Anyways, the good news is that the issue has been resolved. On removing the ExpressCache, the problem has been fixed. Thanks everyone ^_^
 
