Kernel Panic

Question

Level 1

89 points

Kernel Panic

Since the last update (2 or 3 days ago) my Mini has been hard-crashing (kernel panic, forcing me to shut down) at least once a day. I haven't had a hard-crash like this in probably a year or more. The last update included iTunes 10.2.1, Safari 5.0.4, and Java for Mac 10.6 Update 4.

Any ideas what may be causing this?
===================================

Interval Since Last Panic Report: 4483158 sec
Panics Since Last Report: 2
Anonymous UUID: 830348B5-8E64-485B-9B8D-97DAE50143C9

Fri Mar 11 08:22:06 2011
panic(cpu 1 caller 0x226b53): "thread_invoke: preemption_level -1, possible cause: unlocking an unlocked mutex or spinlock"@/SourceCache/xnu/xnu-1504.9.26/osfmk/kern/sched_prim.c:1471
Backtrace (CPU 1), Frame : Return Address (4 potential args on stack)
0x5724be18 : 0x21b50c (0x5d4438 0x5724be4c 0x223974 0x0)
0x5724be68 : 0x226b53 (0x58babc 0xffffffff 0x58ba54 0x226423)
0x5724bee8 : 0x227259 (0x74297c4 0x0 0x42bb3000 0x1)
0x5724bf58 : 0x2272c4 (0x22fc20 0x863ea0 0x0 0x2a358d)
0x5724bf78 : 0x22fdba (0x22fc20 0x863ea0 0x0 0x0)
0x5724bfc8 : 0x2a06cc (0x863ea0 0x0 0x10 0x7970404)

BSD process name corresponding to current thread: kernel_task

Mac OS version:
10J567

Kernel version:
Darwin Kernel Version 10.6.0: Wed Nov 10 18:13:17 PST 2010; root:xnu-1504.9.26~3/RELEASE_I386
System model name: Macmini3,1 (Mac-F22C86C8)

System uptime in nanoseconds: 77888165553093
unloaded kexts:
(none)
loaded kexts:
com.parallels.kext.prl_vnic 6.0 11994.637263
com.parallels.kext.prl_netbridge 6.0 11994.637263
com.parallels.kext.prl usbconnect 6.0 11994.637263
com.parallels.kext.prl hidhook 6.0 11994.637263
com.eltima.ElmediaPlayer.kext 1.0
com.parallels.kext.prl_hypervisor 6.0 11994.637263
com.microsoft.driver.MicrosoftKeyboardUSB 8.0
com.microsoft.driver.MicrosoftKeyboard 8.0
com.apple.filesystems.afpfs 9.7 - last loaded 3644688181923
com.apple.nke.asp_tcp 5.0
com.apple.driver.AppleHWSensor 1.9.3d0
com.apple.filesystems.autofs 2.1.0
com.apple.driver.ApplePlatformEnabler 2.0.2d1
com.apple.driver.AppleTyMCEDriver 1.0.2d2
com.apple.driver.AGPM 100.12.19
com.apple.driver.InternalModemSupport 2.6.2
com.apple.driver.AppleIntelYonahProfile 14
com.apple.driver.AppleUpstreamUserClient 3.4.5
com.apple.driver.AppleIntelPenrynProfile 17
com.apple.Dont Steal_Mac_OSX 7.0.0
com.apple.driver.AppleHDA 1.9.9f12
com.apple.driver.AppleMCCSControl 1.0.17
com.apple.driver.AppleIntelNehalemProfile 11
com.apple.driver.AudioAUUC 1.13
com.apple.driver.AudioIPCDriver 1.1.6
com.apple.nvenet 2.0.15
com.apple.driver.AirPortBrcm43xx 423.91.27
com.apple.driver.AppleIntelMeromProfile 19
com.apple.GeForce 6.2.6
com.apple.driver.AirPortBrcm43224 426.36.1
com.apple.driver.ACPI SMCPlatformPlugin 4.5.0d5
com.apple.driver.AppleLPC 1.4.12
com.apple.driver.AppleIRController 303.8
com.apple.iokit.SCSITaskUserClient 2.6.5
com.apple.driver.PioneerSuperDrive 2.5.8
com.apple.iokit.IOAHCIBlockStorage 1.6.3
com.apple.BootCache 31
com.apple.AppleFSCompression.AppleFSCompressionTypeZlib 1.0.0d1
com.apple.driver.AppleEFINVRAM 1.4.0
com.apple.driver.AppleAHCIPort 2.1.5
com.apple.driver.AppleUSBHub 4.1.7
com.apple.driver.AppleFWOHCI 4.7.1
com.apple.driver.AppleUSBEHCI 4.1.7
com.apple.driver.AppleUSBOHCI 4.1.5
com.apple.driver.AppleRTC 1.3.1
com.apple.driver.AppleHPET 1.5
com.apple.driver.AppleACPIButtons 1.3.5
com.apple.driver.AppleSMBIOS 1.6
com.apple.driver.AppleACPIEC 1.3.5
com.apple.driver.AppleAPIC 1.4
com.apple.driver.AppleIntelCPUPowerManagementClient 105.13.0
com.apple.security.sandbox 1
com.apple.security.quarantine 0
com.apple.nke.applicationfirewall 2.1.11
com.apple.driver.AppleIntelCPUPowerManagement 105.13.0
com.apple.driver.AppleHDAPlatformDriver 1.9.9f12
com.apple.driver.AppleProfileReadCounterAction 17
com.apple.driver.AppleProfileTimestampAction 10
com.apple.driver.AppleProfileThreadInfoAction 14
com.apple.driver.AppleProfileRegisterStateAction 10
com.apple.driver.AppleProfileKEventAction 10
com.apple.driver.AppleProfileCallstackAction 20
com.apple.iokit.IOSurface 74.2
com.apple.iokit.IOBluetoothSerialManager 2.3.8f7
com.apple.iokit.IOSerialFamily 10.0.3
com.apple.driver.AppleHDAHardwareConfigDriver 1.9.9f12
com.apple.driver.DspFuncLib 1.9.9f12
com.apple.driver.AppleHDAController 1.9.9f12
com.apple.iokit.IOHDAFamily 1.9.9f12
com.apple.nvidia.nv50hal 6.2.6
com.apple.iokit.IOFireWireIP 2.0.3
com.apple.iokit.AppleProfileFamily 41
com.apple.NVDAResman 6.2.6
com.apple.iokit.IONDRVSupport 2.2
com.apple.iokit.IOGraphicsFamily 2.2
com.apple.iokit.IO80211Family 312
com.apple.iokit.IONetworkingFamily 1.9
com.apple.driver.NVSMU 2.2.7
com.apple.driver.AppleSMC 3.1.0d3
com.apple.driver.IOPlatformPluginFamily 4.5.0d5
com.apple.driver.AppleSMBusPCI 1.0.8d0
com.apple.driver.AppleUSBAudio 2.7.6f4
com.apple.iokit.IOAudioFamily 1.8.0fc1
com.apple.kext.OSvKernDSPLib 1.3
com.apple.driver.BroadcomUSBBluetoothHCIController 2.3.8f7
com.apple.driver.AppleUSBBluetoothHCIController 2.3.8f7
com.apple.iokit.IOBluetoothFamily 2.3.8f7
com.apple.iokit.IOUSBHIDDriver 4.1.5
com.apple.iokit.IOSCSIBlockCommandsDevice 2.6.5
com.apple.iokit.IOUSBMassStorageClass 2.6.5
com.apple.driver.AppleUSBComposite 3.9.0
com.apple.iokit.IOSCSIMultimediaCommandsDevice 2.6.5
com.apple.iokit.IOBDStorageFamily 1.6
com.apple.iokit.IODVDStorageFamily 1.6
com.apple.iokit.IOCDStorageFamily 1.6
com.apple.driver.XsanFilter 402.1
com.apple.iokit.IOAHCISerialATAPI 1.2.5
com.apple.iokit.IOSCSIArchitectureModelFamily 2.6.5
com.apple.driver.AppleFileSystemDriver 2.0
com.apple.iokit.IOAHCIFamily 2.0.4
com.apple.iokit.IOUSBUserClient 4.1.5
com.apple.iokit.IOFireWireFamily 4.2.6
com.apple.iokit.IOUSBFamily 4.1.7
com.apple.driver.AppleEFIRuntime 1.4.0
com.apple.iokit.IOHIDFamily 1.6.5
com.apple.iokit.IOSMBusFamily 1.1
com.apple.security.TMSafetyNet 6
com.apple.kext.AppleMatch 1.0.0d1
com.apple.driver.DiskImages 289
com.apple.iokit.IOStorageFamily 1.6.2
com.apple.driver.AppleACPIPlatform 1.3.5
com.apple.iokit.IOPCIFamily 2.6
com.apple.iokit.IOACPIFamily 1.3.0

Mac Mini MB464LL, Mac OS X (10.6.6), 4GB RAM

Posted on Mar 11, 2011 7:29 AM

Reply

Answer 1

Linc Davis

Level 10

209,547 points

Mar 11, 2011 8:53 AM in response to Miggl

You have a kernel extension installed by "Elmedia Player." A media player has no business installing a kernel extension, and I'd be suspicious it was a trojan. Remove it and reboot.

Reply

Answer 2

Linc Davis

Level 10

209,547 points

Mar 11, 2011 9:10 AM in response to Miggl

I just did a search for ' "Elmedia Player" panic ' and got 3,000 hits. Searching for ' "Elmedia Player" trojan ' yielded 13,000 hits.

So that piqued my curiosity. I downloaded it, and found that it installs as an application, which then prompts for an administrator password so it can further install a kernel extension and a root daemon -- in other words, a full rootkit.

This is absolutely unacceptable behavior for a movie player. As far as I'm concerned, it IS a trojan until proven otherwise. The fact that it's utter garbage has already been proven.

Reply

Answer 3

Miggl Author

Level 1

89 points

Mar 11, 2011 9:21 AM in response to Linc Davis

Thank you for your attention to this issue! Here's the crux: I already uninstalled ElMedia player just after installing it months ago. MacKeeper doesn't find anything related to it either. What is the best way to go about removing the traces left behind?

~Mike

Reply

Answer 4

Linc Davis

Level 10

209,547 points

Mar 11, 2011 9:40 AM in response to Miggl

You didn't uninstall the whole thing. Look in /System/Library/Extensions for anything with "ElMedia" in the name. As for what other modifications it may have made to your system, if it's malicious, it could have done anything.

In the future, if an application prompts you for your password, cancel unless you know exactly what it's going to do and why. A common method of distributing trojans in the Windows world is to put up a "free p0rn" or warez site with videos that can only be viewed with a "codec" that the site conveniently offers for download. I believe a similar attack has even been mounted against Mac users, though I don't recall the details.

Reply

Answer 5

Miggl Author

Level 1

89 points

Mar 11, 2011 9:46 AM in response to Linc Davis

I didn't see anything under the Extensions folder that relates to Elmedia or Eltima.
I did remove the appropriate folders under Application Support, though.

As for entering a password: nearly every software application I install on the Mac asks for my password. This one was no different. Since I prompted the install, I didn't worry about it.

Reply

Answer 6

Linc Davis

Level 10

209,547 points

Mar 11, 2011 9:54 AM in response to Miggl

Download the player again and run the Uninstaller package on the disk image. It's innocuous.

There's a big difference between being prompted for your password when you run an installer, and when you launch an application. An application should rarely if ever need to prompt once it has been installed. If it does, that's probably because it wants to install something else. That may or may not be legitimate. You have to consider the source and the purpose.

The version of this player that I downloaded didn't have an installer (though it does have an uninstaller.) The rootkit is installed when you launch the application and it prompts for a password.

Reply

Answer 7

Miggl Author

Level 1

89 points

Mar 11, 2011 9:56 AM in response to Linc Davis

Interesting! Thanks for your insights. I did download the DMG and run the uninstaller. It says it's installing the uninstaller, which seemed strange to me. But after running it, I didn't see anything left of Elmedia. Maybe that's why my entries in the Extensions folder were missing.

Thanks!
~Mike

Reply

Answer 8

Miggl Author

Level 1

89 points

Mar 11, 2011 5:25 PM in response to Miggl

marking as unanswered => not verified yet.

Reply

Answer 9

Mar 11, 2011 5:38 PM in response to Miggl

Hi

I have the same kernel panics with the possible cause being reported as "unlocking an unlocked mutex or spinlock". I reported this here:

http://discussions.apple.com/thread.jspa?messageID=13204058#13204058

I don't have the Elmedia Player kext, but I'm wondering if these panics are somehow related?

thanks

Reply

Answer 10

Miggl Author

Level 1

89 points

Mar 12, 2011 7:14 AM in response to Marcus Foth

In reading your post, I did a permission repair (which found quite a few anomalies), also tried a disk repair, but no errors found.

I then tried to perform a backup, and lo and behold it failed! I then investigated my backup drive and found that it was not properly seated in its dock (mobile external USB drive).

This may have been the cause of the issue. I'll wait and see if I get another panic attack. 🙂

~Mike

Reply

Answer 11

Mar 17, 2011 6:52 AM in response to Linc Davis

Hi! As a representative of Eltima Software which is a developer of Elmedia Player I can assure you that it doesn't contain any viruses. We ask our users to enter administrator password, which is required to install Elmedia Player components, but we don't insist on this. However without password you will not be able to use all the functionality of Player. Also we don't see anything bad in installing root components. In any case you are welcome to scan our software with antivirus .

Reply

Answer 12

Linc Davis

Level 10

209,547 points

Mar 17, 2011 7:16 AM in response to Eltima Software team

I fail to see the relevance of your comment.

What are the functions of the rootkit (kernel extension and root daemon) that your product installs? Why can those functions not be carried out by user-space code running with the user's privileges, as with every other media player?

Reply

Answer 13

Mar 21, 2011 5:42 AM in response to Linc Davis

Sorry, but we can't provide all users with such information. If you really need to know this, please e-mail us at support@eltima.com and we'll reply you privately.

Reply

Answer 14

Linc Davis

Level 10

209,547 points

Mar 21, 2011 6:37 AM in response to Eltima Software team

If you're not willing to answer the question publicly, then it's already answered. Thanks. Any time this issue comes up in the future, I'll refer to your response above.

Reply

Answer 15

Pjfugazi

Level 1

0 points

Apr 12, 2011 6:17 PM in response to Miggl

Hi. I can tell you with certainty that this does solve the issue. I did in fact download their player. I immediately starting experiencing kernel panics...after NEVER having had one before on my machine. I used app zapper to uninstall. I STILL experienced kernel panics. 4 hours and about 20 system crashes later I finally tried this and it worked. Their install is very odd and put things in places that could not be detected or wiped. If you see something like the below in your crash report, follow the above instructions re: using their uninstall and the problem is solved. Good luck!!

Kernel Extensions in backtrace (with dependencies):
com.eltima.ElmediaPlayer.kext(1.0)@0xffffff7f812ef000->0xffffff7f812f1fff

Reply