jb1013
asked on
BSOD 0x0000008E when attempting to install IE7, WMP11, or KB922582 (minidump included)
0x0000008E (0xC0000005, 0xEEA4280E, 0xEC5FCA20, 0x00000000)
This computer initially had a pretty bad malware infection that has been cleaned. But now there is an issue with installing updates via Windows update. The 3 updates in the Subject of the thread are the only ones I can't get to install. Actually now its just IE7 and WMP11. I was able to get the KB922582 update to install by extracting it another another computer and running the update.exe manually.
Here's the Minidump with !analyze -v
I really don't know much about debugging this so if anyone can offer some assistance I'd be grateful. My only other resort at this point I believe is fresh install, from what I've been reading a repair install won't do the trick.
Microsoft (R) Windows Debugger Version 6.6.0007.5
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\WINDOWS\Minidump\Mini1
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: *** Invalid ***
**************************
* Symbol loading may be unreliable without a symbol search path. *
* Use .symfix to have the debugger choose a symbol path. *
* After setting your symbol path, use .reload to refresh symbol locations. *
**************************
Executable search path is:
**************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
**************************
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805531a0
Debug session time: Thu Nov 30 18:50:13.671 2006 (GMT-8)
System Uptime: 0 days 0:03:19.218
**************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
**************************
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Loading Kernel Symbols
..........................
Loading User Symbols
Loading unloaded module list
.............
**************************
* *
* Bugcheck Analysis *
* *
**************************
Use !analyze -v to get detailed debugging information.
BugCheck 1000008E, {c0000005, eea4180e, ebdf7a20, 0}
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
Probably caused by : ntoskrnl.exe ( nt+edf51 )
Followup: MachineOwner
---------
kd> !analyze -v
**************************
* *
* Bugcheck Analysis *
* *
**************************
KERNEL_MODE_EXCEPTION_NOT_
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: eea4180e, The address that the exception occurred at
Arg3: ebdf7a20, Trap Frame
Arg4: 00000000
Debugging Details:
------------------
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
MODULE_NAME: nt
FAULTING_MODULE: 804d7000 nt
DEBUG_FLR_IMAGE_TIMESTAMP:
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
FAULTING_IP:
+ffffffffeea4180e
eea4180e 8a1401 mov dl,byte ptr [ecx+eax]
TRAP_FRAME: ebdf7a20 -- (.trap ffffffffebdf7a20)
ErrCode = 00000000
eax=00000000 ebx=eea473d6 ecx=0101d000 edx=804fde5f esi=00001000 edi=0101c000
eip=eea4180e esp=ebdf7a94 ebp=ebdf7aa0 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
eea4180e 8a1401 mov dl,byte ptr [ecx+eax] ds:0023:0101d000=??
Resetting default scope
CUSTOMER_CRASH_COUNT: 24
DEFAULT_BUCKET_ID: WRONG_SYMBOLS
BUGCHECK_STR: 0x8E
LAST_CONTROL_TRANSFER: from eea4370a to eea4180e
STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
ebdf7aa0 eea4370a 0101c000 0000001e eea473d6 0xeea4180e
ebdf7af4 eea4381a 81f98020 01000000 01000218 0xeea4370a
ebdf7b58 eea43913 81f98020 e15b0bd0 81fb0608 0xeea4381a
ebdf7b78 805c4f51 00000c8c 81f98020 00000001 0xeea43913
ebdf7cc4 805c5baa 00e3f868 001f03ff 00000000 nt+0xedf51
ebdf7d3c 8053c808 00e3f868 001f03ff 00000000 nt+0xeebaa
ebdf7d64 7c90eb94 badb0d00 00e3f4a0 00000000 nt+0x65808
ebdf7d68 badb0d00 00e3f4a0 00000000 00000000 0x7c90eb94
ebdf7d6c 00e3f4a0 00000000 00000000 00000000 0xbadb0d00
ebdf7d70 00000000 00000000 00000000 00000000 0xe3f4a0
STACK_COMMAND: kb
FOLLOWUP_IP:
nt+edf51
805c4f51 ?? ???
SYMBOL_STACK_INDEX: 4
FOLLOWUP_NAME: MachineOwner
IMAGE_NAME: ntoskrnl.exe
SYMBOL_NAME: nt+edf51
BUCKET_ID: WRONG_SYMBOLS
Followup: MachineOwner
This computer initially had a pretty bad malware infection that has been cleaned. But now there is an issue with installing updates via Windows update. The 3 updates in the Subject of the thread are the only ones I can't get to install. Actually now its just IE7 and WMP11. I was able to get the KB922582 update to install by extracting it another another computer and running the update.exe manually.
Here's the Minidump with !analyze -v
I really don't know much about debugging this so if anyone can offer some assistance I'd be grateful. My only other resort at this point I believe is fresh install, from what I've been reading a repair install won't do the trick.
Microsoft (R) Windows Debugger Version 6.6.0007.5
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\WINDOWS\Minidump\Mini1
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: *** Invalid ***
**************************
* Symbol loading may be unreliable without a symbol search path. *
* Use .symfix to have the debugger choose a symbol path. *
* After setting your symbol path, use .reload to refresh symbol locations. *
**************************
Executable search path is:
**************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
**************************
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805531a0
Debug session time: Thu Nov 30 18:50:13.671 2006 (GMT-8)
System Uptime: 0 days 0:03:19.218
**************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
**************************
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Loading Kernel Symbols
..........................
Loading User Symbols
Loading unloaded module list
.............
**************************
* *
* Bugcheck Analysis *
* *
**************************
Use !analyze -v to get detailed debugging information.
BugCheck 1000008E, {c0000005, eea4180e, ebdf7a20, 0}
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
Probably caused by : ntoskrnl.exe ( nt+edf51 )
Followup: MachineOwner
---------
kd> !analyze -v
**************************
* *
* Bugcheck Analysis *
* *
**************************
KERNEL_MODE_EXCEPTION_NOT_
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: eea4180e, The address that the exception occurred at
Arg3: ebdf7a20, Trap Frame
Arg4: 00000000
Debugging Details:
------------------
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
MODULE_NAME: nt
FAULTING_MODULE: 804d7000 nt
DEBUG_FLR_IMAGE_TIMESTAMP:
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
FAULTING_IP:
+ffffffffeea4180e
eea4180e 8a1401 mov dl,byte ptr [ecx+eax]
TRAP_FRAME: ebdf7a20 -- (.trap ffffffffebdf7a20)
ErrCode = 00000000
eax=00000000 ebx=eea473d6 ecx=0101d000 edx=804fde5f esi=00001000 edi=0101c000
eip=eea4180e esp=ebdf7a94 ebp=ebdf7aa0 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
eea4180e 8a1401 mov dl,byte ptr [ecx+eax] ds:0023:0101d000=??
Resetting default scope
CUSTOMER_CRASH_COUNT: 24
DEFAULT_BUCKET_ID: WRONG_SYMBOLS
BUGCHECK_STR: 0x8E
LAST_CONTROL_TRANSFER: from eea4370a to eea4180e
STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
ebdf7aa0 eea4370a 0101c000 0000001e eea473d6 0xeea4180e
ebdf7af4 eea4381a 81f98020 01000000 01000218 0xeea4370a
ebdf7b58 eea43913 81f98020 e15b0bd0 81fb0608 0xeea4381a
ebdf7b78 805c4f51 00000c8c 81f98020 00000001 0xeea43913
ebdf7cc4 805c5baa 00e3f868 001f03ff 00000000 nt+0xedf51
ebdf7d3c 8053c808 00e3f868 001f03ff 00000000 nt+0xeebaa
ebdf7d64 7c90eb94 badb0d00 00e3f4a0 00000000 nt+0x65808
ebdf7d68 badb0d00 00e3f4a0 00000000 00000000 0x7c90eb94
ebdf7d6c 00e3f4a0 00000000 00000000 00000000 0xbadb0d00
ebdf7d70 00000000 00000000 00000000 00000000 0xe3f4a0
STACK_COMMAND: kb
FOLLOWUP_IP:
nt+edf51
805c4f51 ?? ???
SYMBOL_STACK_INDEX: 4
FOLLOWUP_NAME: MachineOwner
IMAGE_NAME: ntoskrnl.exe
SYMBOL_NAME: nt+edf51
BUCKET_ID: WRONG_SYMBOLS
Followup: MachineOwner
Follow the exact steps that are provided below: Do not miss out any:
1. Click Start->Run, type "services.msc" (without quotation marks) in the open box and click OK.
2. Double click the service "Automatic Updates".
3. Click on the Log On tab, please ensure the option "Local system account" is selected and the option "Allow service to interact with desktop" is unchecked.
4. Check if this service has been enabled on the listed Hardware Profile. If not, please click the Enable button to enable it.
5. Click on the tab "General "; make sure the "Startup Type" is "Automatic". Then please click the button "Start" under "Service Status" to start the service.
6. Repeat the above steps with the other service: Background Intelligent Transfer Service (BITS)
==========================
Re-register Windows Update components and Clear the corrupted Windows Update temp folder
1. Click on Start and then click Run,
2. In the open field type "REGSVR32 WUAPI.DLL" (without quotation marks) and press Enter.
3. When you receive the "DllRegisterServer in WUAPI.DLL succeeded" message, click OK.
4. Please repeat these steps for each of the following commands:
REGSVR32 WUAUENG.DLL
REGSVR32 WUAUENG1.DLL
REGSVR32 ATL.DLL
REGSVR32 WUCLTUI.DLL
REGSVR32 WUPS.DLL
REGSVR32 WUPS2.DLL
REGSVR32 WUWEB.DLL
After the above steps are finished reboot.
Cheers
Gopal Krishna K
1. Click Start->Run, type "services.msc" (without quotation marks) in the open box and click OK.
2. Double click the service "Automatic Updates".
3. Click on the Log On tab, please ensure the option "Local system account" is selected and the option "Allow service to interact with desktop" is unchecked.
4. Check if this service has been enabled on the listed Hardware Profile. If not, please click the Enable button to enable it.
5. Click on the tab "General "; make sure the "Startup Type" is "Automatic". Then please click the button "Start" under "Service Status" to start the service.
6. Repeat the above steps with the other service: Background Intelligent Transfer Service (BITS)
==========================
Re-register Windows Update components and Clear the corrupted Windows Update temp folder
1. Click on Start and then click Run,
2. In the open field type "REGSVR32 WUAPI.DLL" (without quotation marks) and press Enter.
3. When you receive the "DllRegisterServer in WUAPI.DLL succeeded" message, click OK.
4. Please repeat these steps for each of the following commands:
REGSVR32 WUAUENG.DLL
REGSVR32 WUAUENG1.DLL
REGSVR32 ATL.DLL
REGSVR32 WUCLTUI.DLL
REGSVR32 WUPS.DLL
REGSVR32 WUPS2.DLL
REGSVR32 WUWEB.DLL
After the above steps are finished reboot.
Cheers
Gopal Krishna K
Since temporary folder of Windows Update may be corrupted. We can refer to the following steps to rename this folder
1. Click Start, Run, type: cmd and press Enter. Please run the following command in the opened window.
net stop WuAuServ
2. Click Start, Run, type: %windir% and press Enter.
3. In the opened folder, rename the folder SoftwareDistribution to SDold.
4. Click Start, Run, type: cmd and press Enter. Please run the following command in the opened window.
net start WuAuServ
If having a problem with renaming the file named SofwareDistribution -
'Error Renaming File or Folder , Cannot rename SofwareDistribution: Acces is denied. Make sure the disk is not full or write protected and that it is not curently in use'
When you're modifying the properties of the Automatic Updates (aka wuauserv) service, change the startup type from 'Automatic' to 'Manual.' Then reboot. The effect is that the service doesn't start at all on bootup, so there's no need for the net stop command. After all is said and done, recommend changing the startup type for that service back to 'Automatic.'.
Cheers,
Gopal Krishna K
1. Click Start, Run, type: cmd and press Enter. Please run the following command in the opened window.
net stop WuAuServ
2. Click Start, Run, type: %windir% and press Enter.
3. In the opened folder, rename the folder SoftwareDistribution to SDold.
4. Click Start, Run, type: cmd and press Enter. Please run the following command in the opened window.
net start WuAuServ
If having a problem with renaming the file named SofwareDistribution -
'Error Renaming File or Folder , Cannot rename SofwareDistribution: Acces is denied. Make sure the disk is not full or write protected and that it is not curently in use'
When you're modifying the properties of the Automatic Updates (aka wuauserv) service, change the startup type from 'Automatic' to 'Manual.' Then reboot. The effect is that the service doesn't start at all on bootup, so there's no need for the net stop command. After all is said and done, recommend changing the startup type for that service back to 'Automatic.'.
Cheers,
Gopal Krishna K
Hi,
The problem maybe related to Windows AutoUpdate. Disable Windows AutoUpdate may resolve the blue screen problem. Refer the following case
https://www.experts-exchange.com/questions/22069100/BSOD.html
The problem maybe related to Windows AutoUpdate. Disable Windows AutoUpdate may resolve the blue screen problem. Refer the following case
https://www.experts-exchange.com/questions/22069100/BSOD.html
ASKER
Thanks for the suggestions. I've tried these to no avail. And yes there is no BSOD unless I try to install the updates. Doesn't matter if I use Windows Update or try to install the updates locally. Also doesn't seem to matter if they AutoUpdate is on or off.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Refer the last comment of https://www.experts-exchange.com/questions/22069100/BSOD.html. Maybe your windows is infected with spyware or virus.
ASKER
The last comment that redirects to Google groups?
Yes, I actually found that thread before I posted. This computer has been thouroghly cleaned of Malware including the steps taken in that post and more. Its been scanned with and for everything under the sun, including rootkits. I'm 99% sure that the Malware is off. I think the registry hive is corrupted. I found another post about repairing the hive, but I'm hesitant to do that. Although, it will be getting a format and reinstall if I don't get this sorted. I suppose then I'll that as a last ditch effort.
Thanks for your responses.
Yes, I actually found that thread before I posted. This computer has been thouroghly cleaned of Malware including the steps taken in that post and more. Its been scanned with and for everything under the sun, including rootkits. I'm 99% sure that the Malware is off. I think the registry hive is corrupted. I found another post about repairing the hive, but I'm hesitant to do that. Although, it will be getting a format and reinstall if I don't get this sorted. I suppose then I'll that as a last ditch effort.
Thanks for your responses.
If the registry is corrupted, the stack trace will have the footprint of reading the software hive (for example nt!HvpGetCellMapped+d0 ). For your case, I can't find any footprint relating to reading or writing registry.
Refer the following case and it is infected with virus. The stack trace of this problem matches your problem.
http://www.windowsbbs.com/showthread.php?t=59210
Can you post HJT log here?
http://www.windowsbbs.com/showthread.php?t=59210
Can you post HJT log here?
ASKER
Logfile of HijackThis v1.99.1
Scan saved at 12:32:39 AM, on 12/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\Ati2ev
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\Ati2ev
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCE
C:\WINDOWS\system32\spools
C:\WINDOWS\system32\LEXPPS
C:\Program Files\Java\jre1.5.0_09\bin
C:\Program Files\Common Files\AOL\1127748015\ee\AO
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\A
C:\PROGRA~1\Grisoft\AVGFRE
C:\PROGRA~1\Grisoft\AVGFRE
C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
C:\Program Files\eFax Messenger 4.0\J2GTray.exe
C:\PROGRA~1\Grisoft\AVGFRE
C:\PROGRA~1\Grisoft\AVGFRE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntf
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MOZILL~1\FIREF
C:\Documents and Settings\Owner\gotomypc_37
C:\DOCUME~1\Owner\LOCALS~1
C:\Documents and Settings\Owner\Desktop\Hij
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-2
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1127748015\ee\AO
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dump
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: eFax DllCmd 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GTray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D
O16 - DPF: {6414512B-B978-451D-A0D8-F
O16 - DPF: {6E32070A-766D-4EE6-879C-D
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\PROGRA~1\COMMON~1\AOL\A
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2ev
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Scan saved at 12:32:39 AM, on 12/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\Ati2ev
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\Ati2ev
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCE
C:\WINDOWS\system32\spools
C:\WINDOWS\system32\LEXPPS
C:\Program Files\Java\jre1.5.0_09\bin
C:\Program Files\Common Files\AOL\1127748015\ee\AO
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\A
C:\PROGRA~1\Grisoft\AVGFRE
C:\PROGRA~1\Grisoft\AVGFRE
C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
C:\Program Files\eFax Messenger 4.0\J2GTray.exe
C:\PROGRA~1\Grisoft\AVGFRE
C:\PROGRA~1\Grisoft\AVGFRE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntf
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MOZILL~1\FIREF
C:\Documents and Settings\Owner\gotomypc_37
C:\DOCUME~1\Owner\LOCALS~1
C:\Documents and Settings\Owner\Desktop\Hij
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-2
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1127748015\ee\AO
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dump
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: eFax DllCmd 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GTray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D
O16 - DPF: {6414512B-B978-451D-A0D8-F
O16 - DPF: {6E32070A-766D-4EE6-879C-D
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\PROGRA~1\COMMON~1\AOL\A
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2ev
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
From the suggestion by cpc2004, here is your HijackThis log analysis >
http://www.hijackthis.de/logfiles/767af20510c9e84f03cc05edac8dc664.html
C:\Documents and Settings\Owner\Desktop\Hij
Some information below on this 'Nasty' entry, which you could 'Fix'. You could also see if you recognise any of the 'Unknown' entries using this same "liutilities" link, and fix them if you don't.
Just in case you haven't used HJT before, the technique is to create a folder where you would like the HijackThis file to reside, and run it from there, not from the Desktop or a temp folder. It is important that you download this file to its own folder as this folder will be used when HijackThis makes backups. Temp folders get deleted, taking with them HJT's 'backups' of items that were 'fixed'.
"search - search.exe":
http://www.liutilities.com/products/wintaskspro/processlibrary/search/
http://www.hijackthis.de/logfiles/767af20510c9e84f03cc05edac8dc664.html
C:\Documents and Settings\Owner\Desktop\Hij
Some information below on this 'Nasty' entry, which you could 'Fix'. You could also see if you recognise any of the 'Unknown' entries using this same "liutilities" link, and fix them if you don't.
Just in case you haven't used HJT before, the technique is to create a folder where you would like the HijackThis file to reside, and run it from there, not from the Desktop or a temp folder. It is important that you download this file to its own folder as this folder will be used when HijackThis makes backups. Temp folders get deleted, taking with them HJT's 'backups' of items that were 'fixed'.
"search - search.exe":
http://www.liutilities.com/products/wintaskspro/processlibrary/search/
ASKER
Actually search.exe IS HJT renamed, so that some variants of malware can't hide from it.
I'm pretty familiar with HJT, and have parsed the logfile and gone over it a dozen times. I can't find anything that is suspect. I've scanned with everything I can think of. Although, I just did a scan Panda Active scan an it did find a spyware variant that the others missed.
I'm pretty familiar with HJT, and have parsed the logfile and gone over it a dozen times. I can't find anything that is suspect. I've scanned with everything I can think of. Although, I just did a scan Panda Active scan an it did find a spyware variant that the others missed.
ASKER
I removed the other spyware variant, found by Panda Scan, it was just a remnant .dat file.
I did just find a bunch of strange folders under the roots of the C:\ drive. Like "ca40a3b1422e3eee8e70fd" there was about half a dozen of them with different alpha numeric strings. They appear to be temp directories from failed IE7 installations. I was able to just manually delete all but two of them. The others I'm working on now. The files inside these are deleting EXTREMELY slow, and some have ownership that won't allow deletion, like the "Update" folder in each of these. Taking ownership, seems to work, but like I said its just deleting one file at a time very slowly. Weird.
Well I managed to delete all those, and tried the IE7 installation again. Same issue. BSOD!!! This is really annoying. ;(
I did just find a bunch of strange folders under the roots of the C:\ drive. Like "ca40a3b1422e3eee8e70fd" there was about half a dozen of them with different alpha numeric strings. They appear to be temp directories from failed IE7 installations. I was able to just manually delete all but two of them. The others I'm working on now. The files inside these are deleting EXTREMELY slow, and some have ownership that won't allow deletion, like the "Update" folder in each of these. Taking ownership, seems to work, but like I said its just deleting one file at a time very slowly. Weird.
Well I managed to delete all those, and tried the IE7 installation again. Same issue. BSOD!!! This is really annoying. ;(
ASKER
Those folders are definately temp folders for IE7 installation. Its the extraction location. The BSOD comes after the validation, and update portion of the installation, then it starts the Malicious software removal tool and towards the end of it, or when it switchs to the next step is crashes.
With WMP11, it validates, you accept the EULA, then click next and crash.
With WMP11, it validates, you accept the EULA, then click next and crash.
Thanks for the report. Maybe this previous thread will help in temporarily removing IE 7. Look for the various comments by Merete:
"Unable to uninstall IE7 per MS instructions":
https://www.experts-exchange.com/questions/22078766/BSOD-0x0000008E-when-attempting-to-install-IE7-WMP11-or-KB922582-minidump-included.html?anchorAnswerId=18055037#a18055037
Have you tried these two >>
http://housecall.trendmicro.com
and ...
http://www.ewido.net/en/download/ <... update first, then scan in Safe mode:
"Unable to uninstall IE7 per MS instructions":
https://www.experts-exchange.com/questions/22078766/BSOD-0x0000008E-when-attempting-to-install-IE7-WMP11-or-KB922582-minidump-included.html?anchorAnswerId=18055037#a18055037
Have you tried these two >>
http://housecall.trendmicro.com
and ...
http://www.ewido.net/en/download/ <... update first, then scan in Safe mode:
Apologies ... that should be >>
"Unable to uninstall IE7 per MS instructions":
https://www.experts-exchange.com/questions/22044611/Unable-to-uninstall-IE7-per-MS-instructions.html
"Unable to uninstall IE7 per MS instructions":
https://www.experts-exchange.com/questions/22044611/Unable-to-uninstall-IE7-per-MS-instructions.html
ASKER
Yes I've scanned with Ewido in Safe mode, i've done Kapersky online, Trend Micro online, Bitdefender online, Panda Active Scan, AVG, Spybot, Adaware, Look2MeDestrorer, Vundofix, Blacklight, and probably a few I'm forgetting.
If anyone is still thinking its malware related, I'm not arguing, but I'd need a suggestion on how to approach it. I bought another day from the End User, but this is getting formatted tomorrow if I don't come up with a solution tonight.
FYI, the problem is not with removing IE7 its with installing it.
If anyone is still thinking its malware related, I'm not arguing, but I'd need a suggestion on how to approach it. I bought another day from the End User, but this is getting formatted tomorrow if I don't come up with a solution tonight.
FYI, the problem is not with removing IE7 its with installing it.
Can you attach the minidump at webspace. I want to analyse your minidump to find out the root cause of the problem. There have several open cases for similar problem at any other forums.
Unistall Windows patch KB922582 and reinstall in safe mode.
ASKER
Yes I've scanned with Ewido in Safe mode, i've done Kapersky online, Trend Micro online, Bitdefender online, Panda Active Scan, AVG, Spybot, Adaware, Look2MeDestrorer, Vundofix, Blacklight, and probably a few I'm forgetting.
If anyone is still thinking its malware related, I'm not arguing, but I'd need a suggestion on how to approach it. I bought another day from the End User, but this is getting formatted tomorrow if I don't come up with a solution tonight.
FYI, the problem is not with removing IE7 its with installing it.
If anyone is still thinking its malware related, I'm not arguing, but I'd need a suggestion on how to approach it. I bought another day from the End User, but this is getting formatted tomorrow if I don't come up with a solution tonight.
FYI, the problem is not with removing IE7 its with installing it.
ASKER
Quote cpc2004 "Can you attach the minidump at webspace."
Can you elaborate on what you mean by this. This for the explanation.
Can you elaborate on what you mean by this. This for the explanation.
Upload the minidumps at webspace. If you don't have your webspace and you can get a public webspace. For example http://www.rapidshare.de/ is a public webspace. After you upload the mimidump, post the url link of the minidump here. You can delete the upload dump files at any time.
Probably your windows auto update module is screwed up. Someone at another forum uninstall KB922582 and re-install it at safe mode. Then the problem is resolved.
ASKER
Uninstalling and reinstalling in safe mode did not work. BSOD when attempting to reinstall. The only way I was able to install KB922592 was to extract it using another computer then install it from the Update.exe manually. It seems to crash on the extraction process on this update. Also I suppose of note. Its very strange. When I attempted to redownload the this update from the Administrative section of Windows update, the download just hangs and wont come down on the problem computer. The PopUp comes up but it just hangs. So I downloaded it from another computer.
http://www.axiscc.com/temp/Mini120106-01.dmp
http://www.axiscc.com/temp/Mini120106-02.dmp
http://www.axiscc.com/temp/Mini120106-03.dmp
I have to run out for a bit, but when I get back the system is getting formatted. :(
http://www.axiscc.com/temp/Mini120106-01.dmp
http://www.axiscc.com/temp/Mini120106-02.dmp
http://www.axiscc.com/temp/Mini120106-03.dmp
I have to run out for a bit, but when I get back the system is getting formatted. :(
Before you actually format you could take a quick look at this next thread. You may decide it's worth re-registering the files as shown. If no good there's nothing lost ...
https://www.experts-exchange.com/questions/21823354/Windows-update-won't-update.html
https://www.experts-exchange.com/questions/21823354/Windows-update-won't-update.html
In particular, note all comments in the "Accepted Answer" by moh10ly
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks to all of you that provided assistance.
Jonvee, I really appreciate the Chsdsk /r suggestion. I had run a memory check, and Drive Fitness Test, but I hadn't done the chkdsk, which was the correct solution.
cpc2004, thank you for looking over my minidumps, and helping me out.
Again, Experts-Exchange has come through for me!!!
Jonvee, I really appreciate the Chsdsk /r suggestion. I had run a memory check, and Drive Fitness Test, but I hadn't done the chkdsk, which was the correct solution.
cpc2004, thank you for looking over my minidumps, and helping me out.
Again, Experts-Exchange has come through for me!!!
jb1013 ... we aim to please :)
Glad you were able to avoid that format ... and thank you!
Glad you were able to avoid that format ... and thank you!
ASKER
Microsoft (R) Windows Debugger Version 6.6.0007.5
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\WINDOWS\Minidump\Mini1
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 2600.xpsp_sp2_gdr.050301-1
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805531a0
Debug session time: Thu Nov 30 18:50:13.671 2006 (GMT-8)
System Uptime: 0 days 0:03:19.218
Loading Kernel Symbols
..........................
Loading User Symbols
Loading unloaded module list
.............
**************************
* *
* Bugcheck Analysis *
* *
**************************
Use !analyze -v to get detailed debugging information.
BugCheck 1000008E, {c0000005, eea4180e, ebdf7a20, 0}
Probably caused by : ntkrnlpa.exe ( nt!PspCreateThread+3e3 )
Followup: MachineOwner
---------
kd> .reload
Loading Kernel Symbols
..........................
Loading User Symbols
Loading unloaded module list
.............
kd> !analyze -v
**************************
* *
* Bugcheck Analysis *
* *
**************************
KERNEL_MODE_EXCEPTION_NOT_
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: eea4180e, The address that the exception occurred at
Arg3: ebdf7a20, Trap Frame
Arg4: 00000000
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
FAULTING_IP:
+ffffffffeea4180e
eea4180e 8a1401 mov dl,byte ptr [ecx+eax]
TRAP_FRAME: ebdf7a20 -- (.trap ffffffffebdf7a20)
ErrCode = 00000000
eax=00000000 ebx=eea473d6 ecx=0101d000 edx=804fde5f esi=00001000 edi=0101c000
eip=eea4180e esp=ebdf7a94 ebp=ebdf7aa0 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
eea4180e 8a1401 mov dl,byte ptr [ecx+eax] ds:0023:0101d000=??
Resetting default scope
CUSTOMER_CRASH_COUNT: 24
DEFAULT_BUCKET_ID: COMMON_SYSTEM_FAULT
BUGCHECK_STR: 0x8E
PROCESS_NAME: xmllitesetup.ex
LAST_CONTROL_TRANSFER: from eea4370a to eea4180e
STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
ebdf7aa0 eea4370a 0101c000 0000001e eea473d6 0xeea4180e
ebdf7b78 805c4f51 00000c8c 81f98020 00000001 0xeea4370a
ebdf7b58 eea43913 81f98020 e15b0bd0 81fb0608 nt!PspCreateThread+0x3e3
ebdf7b78 805c4f51 00000c8c 81f98020 00000001 0xeea43913
ebdf7cc4 805c5baa 00e3f868 001f03ff 00000000 nt!PspCreateThread+0x3e3
ebdf7d3c 8053c808 00e3f868 001f03ff 00000000 nt!NtCreateThread+0xfc
ebdf7d3c 7c90eb94 00e3f868 001f03ff 00000000 nt!KiFastCallEntry+0xf8
00e3fee4 00000000 00000000 00000000 00000000 0x7c90eb94
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!PspCreateThread+3e3
805c4f51 57 push edi
SYMBOL_STACK_INDEX: 2
SYMBOL_NAME: nt!PspCreateThread+3e3
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlpa.exe
DEBUG_FLR_IMAGE_TIMESTAMP:
FAILURE_BUCKET_ID: 0x8E_nt!PspCreateThread+3e
BUCKET_ID: 0x8E_nt!PspCreateThread+3e
Followup: MachineOwner
---------