有生以来第一次蓝屏

vm001

360杀毒最新版，给我搞了个蓝蓝的脸...
360AvFlt.sys这是360的驱动吧

360主动防御

收到反馈 我们看下

笙儿

请稍等，正在查看蓝屏日志。

wowocock

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, bitfield :
        bit 0 : value 0 = read operation, 1 = write operation
        bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 804dd11d, address which referenced memory

Debugging Details:
------------------

Unable to load image \SystemRoot\system32\DRIVERS\360AvFlt.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for 360AvFlt.sys
*** ERROR: Module load completed but symbols could not be loaded for 360AvFlt.sys
*** WARNING: Unable to verify timestamp for qutmdrv.sys
*** ERROR: Module load completed but symbols could not be loaded for qutmdrv.sys
Unable to load image \??\c:\windows\system32\drivers\mdkjmbca.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for mdkjmbca.sys
*** ERROR: Module load completed but symbols could not be loaded for mdkjmbca.sys
*** WARNING: Unable to verify timestamp for hookport.sys
*** ERROR: Module load completed but symbols could not be loaded for hookport.sys

WRITE_ADDRESS:  00000000

CURRENT_IRQL:  2

FAULTING_IP:
nt!KeWaitForSingleObject+186
804dd11d 8939            mov     dword ptr [ecx],edi

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0xA

TRAP_FRAME:  b1d664bc -- (.trap 0xffffffffb1d664bc)
ErrCode = 00000002
eax=8209114c ebx=82091144 ecx=00000000 edx=00000000 esi=81edb020 edi=81edb090
eip=804dd11d esp=b1d66530 ebp=b1d66550 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
nt!KeWaitForSingleObject+0x186:
804dd11d 8939            mov     dword ptr [ecx],edi  ds:0023:00000000=????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from 804dd11d to 804e2892

STACK_TEXT:  
b1d664bc 804dd11d badb0d00 00000000 84ebf9b7 nt!KiTrap0E+0x233
b1d66550 806f276e 00000000 00000000 00000000 nt!KeWaitForSingleObject+0x186
b1d66570 f8449893 b212a000 e11ef008 819b1e18 hal!ExAcquireFastMutex+0x2a
b1d66664 b212356f 819ec508 819b1e20 e11ef008 fltMgr!FltSendMessage+0x421
WARNING: Stack unwind information not available. Following frames may be wrong.
b1d666ac b2124a00 819b1e20 e11ef008 b1d666d0 360AvFlt+0x356f
b1d66734 f8445888 81a7dbb4 b1d66754 b1d66784 360AvFlt+0x4a00
b1d66794 f84472a0 00d667d8 81a7db58 8191fd3c fltMgr!FltpPerformPreCallbacks+0x2d4
b1d667a8 f8454217 b1d667d8 f84526aa 00000000 fltMgr!FltpPassThroughInternal+0x32
b1d667c0 f8454742 b1d667d8 82124a00 00000000 fltMgr!FltpCreateInternal+0x63
b1d667f4 804e4807 81e7ac48 8191fb88 8191fd3c fltMgr!FltpCreate+0x258
b1d66804 b1b16a85 00000000 82127f38 82124af0 nt!IopfCallDriver+0x31
b1d6688c 804e4807 8205f410 8191fb88 8191fb88 qutmdrv+0xfa85
b1d6689c f8447e9b 00000000 8191fb88 8191fd60 nt!IopfCallDriver+0x31
b1d668c0 f8454754 b1d668e0 81a9a020 00000000 fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x20b
b1d668fc 804e4807 81a9a020 8191fb88 8191fb88 fltMgr!FltpCreate+0x26a
b1d6690c 805701b5 822da8e8 81a3e2cc b1d66ab4 nt!IopfCallDriver+0x31
b1d669ec 8056506c 822da900 00000000 81a3e228 nt!IopParseDevice+0xa12
b1d66a74 805696ea 00000000 b1d66ab4 00000040 nt!ObpLookupObjectName+0x56a
b1d66ac8 8057068f 00000000 00000000 b3c70101 nt!ObOpenObjectByName+0xeb
b1d66b44 8057075e 0126deb0 00100020 0126de68 nt!IopCreateFile+0x407
b1d66ba0 80570826 0126deb0 00100020 0126de68 nt!IoCreateFile+0x8e
b1d66be0 b2bef069 0126deb0 00100020 0126de68 nt!NtOpenFile+0x27
b1d66c74 b1b3c871 0126deb0 00100020 0126de68 mdkjmbca+0x11069
b1d66d44 804df7ec 0126deb0 00100020 0126de68 hookport+0x2871
b1d66d44 7c92e514 0126deb0 00100020 0126de68 nt!KiFastCallEntry+0xf8
0126e0fc 00000000 00000000 00000000 00000000 0x7c92e514


STACK_COMMAND:  kb

FOLLOWUP_IP:
360AvFlt+356f
b212356f ??              ???

SYMBOL_STACK_INDEX:  4

SYMBOL_NAME:  360AvFlt+356f

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: 360AvFlt

IMAGE_NAME:  360AvFlt.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  0

FAILURE_BUCKET_ID:  0xA_360AvFlt+356f

BUCKET_ID:  0xA_360AvFlt+356f

Followup: MachineOwner
---------

kd> lmvm mdkjmbca
start    end        module name
b2bde000 b2c23000   mdkjmbca T (no symbols)           
    Loaded symbol image file: mdkjmbca.sys
    Image path: \??\c:\windows\system32\drivers\mdkjmbca.sys
    Image name: mdkjmbca.sys
    Timestamp:        unavailable (00000000)
    CheckSum:         00000000
    ImageSize:        00045000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
这个驱动很可疑mdkjmbca.sys
用360急救箱强力模式扫描看看。

笙儿

请看分析图：
错误文件不是360文件！而是其他文件造成的崩溃！

whitegoattaurus

应该是驱动冲突

zhq445078388

wowocock 发表于 2012-9-28 17:50
kd> !analyze -v
*******************************************************************************
*  ...

大大..你是怎么从一个自动分析里面找到这个驱动的? 我在上面的信息里面没看到他啊

zhq445078388

wowocock 发表于 2012-9-28 17:50
kd> !analyze -v
*******************************************************************************
*  ...

..奥..我看到了
Unable to load image \??\c:\windows\system32\drivers\mdkjmbca.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for mdkjmbca.sys

vm001

wowocock 发表于 2012-9-28 17:50
kd> !analyze -v
*******************************************************************************
*  ...

这是360MD的东西，我安装着呢

NzSec

mdkjmbca.sys这个是md的吧

看样子是内存对象破坏，跟360没什么关系