Huorong Security Software
Title: System blue-screens during idle time after installing Huorong
Author: TTHREE Time: 2021-2-20 19:30
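I installed Huorong on 2021-2-18; the version is as shown in the screenshot.
After installation, the system frequently blue-screens while idle (left running without shutting down), roughly once a day.
The stop code is mostly IRQL_NOT_LESS_OR_EQUAL (after 2021-2-9).
The blue screens occur during idle time; only once did it blue-screen while I was using the computer, when I was watching a video in Edge with no other software running. I ran FPU, memtest and the "donut" stress test separately for a day with no blue screens; after stopping them, it would blue-screen within 8 hours.
In the end I resolved it by using Dism++ to restore the most recent backup from before installing Huorong.
The minidump files have been uploaded. The dump files from after 2021-2-9 were lost when the backup was restored, so there is only a screenshot.

WinDbg analysis of the 1 GB MEMORY.DUMP: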
Microsoft (R) Windows Debugger Version 10.0.19041.685 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\hjt\Desktop\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 19041 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff801`77200000 PsLoadedModuleList = 0xfffff801`77e2a390
Debug session time: Fri Feb 12 12:34:04.480 2021 (UTC + 8:00)
System Uptime: 0 days 1:21:15.231
Loading Kernel Symbols
...............................................................
.......Page 806252 not present in the dump file. Type ".hh dbgerr004" for details
.........................................................
................................................................
............................
Loading User Symbols
PEB is paged out (Peb.Ldr = 000000ed`c3214018). Type ".hh dbgerr001" for details
Loading unloaded module list
........
For analysis of this file, run !analyze -v
7: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 0000000000000002, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000008, value 0 = read operation, 1 = write operation
Arg4: 0000000000000002, address which referenced memory
Debugging Details:
------------------
KEY_VALUES_STRING: 1
Key : Analysis.CPU.Sec
Value: 2
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on DESKTOP-UBG17LS
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.Sec
Value: 87
Key : Analysis.Memory.CommitPeak.Mb
Value: 77
Key : Analysis.System
Value: CreateObject
BUGCHECK_CODE: d1
BUGCHECK_P1: 2
BUGCHECK_P2: 2
BUGCHECK_P3: 8
BUGCHECK_P4: 2
READ_ADDRESS: 0000000000000002
PROCESS_NAME: NoiseCancelingEngine.exe
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
TRAP_FRAME: ffff9809232faf10 -- (.trap 0xffff9809232faf10)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000040246
rdx=ffffa601e9760180 rsi=0000000000000000 rdi=0000000000000000
rip=0000000000000002 rsp=ffff9809232fb0a0 rbp=ffffce0cb0e871f0
r8=000000000000082f r9=000000000000002f r10=0000fffff801774e
r11=ffff95fa4b800000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
00000000`00000002 ?? ???
Resetting default scope
FAILED_INSTRUCTION_ADDRESS:
+0
00000000`00000002 ?? ???
STACK_TEXT:
ffff9809`232fadc8 fffff801`77607a69 : 00000000`0000000a 00000000`00000002 00000000`00000002 00000000`00000008 : nt!KeBugCheckEx
ffff9809`232fadd0 fffff801`77603d69 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
ffff9809`232faf10 00000000`00000002 : fffff801`77f25440 00000000`00000000 ffffce0c`b0e87218 00000000`00000001 : nt!KiPageFault+0x469
ffff9809`232fb0a0 fffff801`77f25440 : 00000000`00000000 ffffce0c`b0e87218 00000000`00000001 00000000`00000001 : 0x2
ffff9809`232fb0a8 00000000`00000000 : ffffce0c`b0e87218 00000000`00000001 00000000`00000001 00000000`00000001 : nt!ExNode0
SYMBOL_NAME: nt!KiPageFault+469
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 469
FAILURE_BUCKET_ID: AV_CODE_AV_NULL_IP_nt!KiPageFault
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {4ce35ff9-c5cf-d66d-0323-0f05e33f6692}
Followup: MachineOwner
---------
7: kd> !blackboxbsd
Version: 176
Product type: 1
Auto advanced boot: FALSE
Advanced boot menu timeout: 30
Last boot succeeded: TRUE
Last boot shutdown: FALSE
Sleep in progrees: FALSE
Power button timestamp: 0
System running: TRUE
Connected standby in progress: FALSE
User shutdown in progress: FALSE
System shutdown in progress: FALSE
Sleep in progress: 0
Connected standby scenario instance id: 0
Connected standby entry reason: 0
Connected standby exit reason: 0
System sleep transitions to on: 0
Last reference time: 0x1d700f4374b5f60
Last reference time checksum: 0xa6b09a0b
Last update boot id: 82
Boot attempt count: 1
Last boot checkpoint: TRUE
Checksum: 0xdb
Last boot id: 82
Last successful shutdown boot id: 81
Last reported abnormal shutdown boot id: 81
Error info boot id: 0
Error info repeat count: 0
Error info other error count: 0
Error info code: 0
Error info other error count: 0
Power button last press time: 0
Power button cumulative press count: 0
Power button last press boot id: 0
Power button last power watchdog stage: 0
Power button watchdog armed: FALSE
Power button shutdown in progress: FALSE
Power button last release time: 0
Power button cumulative release count: 0
Power button last release boot id: 0
Power button error count: 0
Power button current connected standby phase: 0
Power button transition latest checkpoint id: 0
Power button transition latest checkpoint type: 0
Power button transition latest checkpoint sequence number: 0
7: kd> !blackboxntfs
NTFS Blackbox Data
0 Slow I/O Timeout Records Found
0 Oplock Break Timeout Records Found
7: kd> !blackboxpnp
PnpActivityId : {00000000-0000-0000-0000-000000000000}
PnpActivityTime : 132575731994462940
PnpEventInformation: 0
PnpEventInProgress : 0
PnpProblemCode : 21
PnpVetoType : 0
DeviceId : ROOTNET002
VetoString :
7: kd> lmvm nt
Browse full module list
start end module name
fffff801`77200000 fffff801`78246000 nt (pdb symbols) C:\ProgramData\dbg\sym\ntkrnlmp.pdb\5278AFF86C341677D7D7835C85B7B8441\ntkrnlmp.pdb
Loaded symbol image file: ntkrnlmp.exe
Image path: ntkrnlmp.exe
Image name: ntkrnlmp.exe
Browse all global symbols functions data
Image was built with /Brepro flag.
Timestamp: 0D8333E6 (This is a reproducible build file hash, not a timestamp)
CheckSum: 00A5938C
ImageSize: 01046000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Information from resource tables:
Attachment: minidump.zip (911.63 KB), dump files
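Author: Huorong Operations Specialist Time: 2021-2-20 19:37
Hello, we will take a look at the blue-screen logs and reply once we have a result.
Author: Huorong Operations Specialist Time: 2021-2-22 13:30
Hello, please download and run the Huorong malicious trojan removal tool. A restart is required after it finishes. If the problem persists afterwards, please reply in this thread. If nothing happens when you double-click it, rename the tool to a random name and try running it again.
Download link: http://bbs.huorong.cn/thread-18575-1-1.html
Author: Huorong Operations Specialist Time: 2021-2-24 14:57
Hello, has the blue screen occurred again since you ran the removal tool?
Author: Huorong Operations Specialist Time: 2021-3-1 15:19
Hello, we have not received a reply from you in a week, so we have closed your thread. If you have further issues, please start a new thread on the forum and someone will follow up with you. Thank you again for your support.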