Solved

BSOD 0x0000008E when attempting to install IE7, WMP11, or KB922582 (minidump included)

Posted on 2006-11-30
Last Modified: 2013-11-18
0x0000008E (0xC0000005, 0xEEA4280E, 0xEC5FCA20, 0x00000000)

This computer initially had a pretty bad malware infection that has been cleaned.  But now there is an issue with installing updates via Windows update.  The 3 updates in the Subject of the thread are the only ones I can't get to install.  Actually now it's just IE7 and WMP11.  I was able to get the KB922582 update to install by extracting it on another computer and running the update.exe manually.

Here's the Minidump with  !analyze -v

I really don't know much about debugging this so if anyone can offer some assistance I'd be grateful.  My only other resort at this point, I believe, is a fresh install; from what I've been reading a repair install won't do the trick.


Microsoft (R) Windows Debugger  Version 6.6.0007.5
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini113006-24.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                   *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y <symbol_path> argument when starting the debugger. *
*   using .sympath and .sympath+                                    *
*********************************************************************
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805531a0
Debug session time: Thu Nov 30 18:50:13.671 2006 (GMT-8)
System Uptime: 0 days 0:03:19.218
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                   *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y <symbol_path> argument when starting the debugger. *
*   using .sympath and .sympath+                                    *
*********************************************************************
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Loading Kernel Symbols
...............................................................................................................................................................
Loading User Symbols
Loading unloaded module list
.............
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000008E, {c0000005, eea4180e, ebdf7a20, 0}

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

Probably caused by : ntoskrnl.exe ( nt+edf51 )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003.  This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG.  This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG.  This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: eea4180e, The address that the exception occurred at
Arg3: ebdf7a20, Trap Frame
Arg4: 00000000

Debugging Details:
------------------

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

***** Kernel symbols are WRONG. Please fix symbols to do analysis.


MODULE_NAME: nt

FAULTING_MODULE: 804d7000 nt

DEBUG_FLR_IMAGE_TIMESTAMP:  42250a1d

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
+ffffffffeea4180e
eea4180e 8a1401          mov     dl,byte ptr [ecx+eax]

TRAP_FRAME:  ebdf7a20 -- (.trap ffffffffebdf7a20)
ErrCode = 00000000
eax=00000000 ebx=eea473d6 ecx=0101d000 edx=804fde5f esi=00001000 edi=0101c000
eip=eea4180e esp=ebdf7a94 ebp=ebdf7aa0 iopl=0         nv up ei pl nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
eea4180e 8a1401          mov     dl,byte ptr [ecx+eax]      ds:0023:0101d000=??
Resetting default scope

CUSTOMER_CRASH_COUNT:  24

DEFAULT_BUCKET_ID:  WRONG_SYMBOLS

BUGCHECK_STR:  0x8E

LAST_CONTROL_TRANSFER:  from eea4370a to eea4180e

STACK_TEXT:  
WARNING: Frame IP not in any known module. Following frames may be wrong.
ebdf7aa0 eea4370a 0101c000 0000001e eea473d6 0xeea4180e
ebdf7af4 eea4381a 81f98020 01000000 01000218 0xeea4370a
ebdf7b58 eea43913 81f98020 e15b0bd0 81fb0608 0xeea4381a
ebdf7b78 805c4f51 00000c8c 81f98020 00000001 0xeea43913
ebdf7cc4 805c5baa 00e3f868 001f03ff 00000000 nt+0xedf51
ebdf7d3c 8053c808 00e3f868 001f03ff 00000000 nt+0xeebaa
ebdf7d64 7c90eb94 badb0d00 00e3f4a0 00000000 nt+0x65808
ebdf7d68 badb0d00 00e3f4a0 00000000 00000000 0x7c90eb94
ebdf7d6c 00e3f4a0 00000000 00000000 00000000 0xbadb0d00
ebdf7d70 00000000 00000000 00000000 00000000 0xe3f4a0


STACK_COMMAND:  kb

FOLLOWUP_IP:
nt+edf51
805c4f51 ??              ???

SYMBOL_STACK_INDEX:  4

FOLLOWUP_NAME:  MachineOwner

IMAGE_NAME:  ntoskrnl.exe

SYMBOL_NAME:  nt+edf51

BUCKET_ID:  WRONG_SYMBOLS

Followup: MachineOwner
Question by:jb1013
 
LVL 1

Author Comment

by:jb1013
ID: 18051130
Sorry this may be more useful.  With the symbols.

Microsoft (R) Windows Debugger  Version 6.6.0007.5
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini113006-24.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 2600.xpsp_sp2_gdr.050301-1519
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805531a0
Debug session time: Thu Nov 30 18:50:13.671 2006 (GMT-8)
System Uptime: 0 days 0:03:19.218
Loading Kernel Symbols
...............................................................................................................................................................
Loading User Symbols
Loading unloaded module list
.............
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000008E, {c0000005, eea4180e, ebdf7a20, 0}

Probably caused by : ntkrnlpa.exe ( nt!PspCreateThread+3e3 )

Followup: MachineOwner
---------

kd> .reload
Loading Kernel Symbols
...............................................................................................................................................................
Loading User Symbols
Loading unloaded module list
.............
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003.  This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG.  This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG.  This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: eea4180e, The address that the exception occurred at
Arg3: ebdf7a20, Trap Frame
Arg4: 00000000

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
+ffffffffeea4180e
eea4180e 8a1401          mov     dl,byte ptr [ecx+eax]

TRAP_FRAME:  ebdf7a20 -- (.trap ffffffffebdf7a20)
ErrCode = 00000000
eax=00000000 ebx=eea473d6 ecx=0101d000 edx=804fde5f esi=00001000 edi=0101c000
eip=eea4180e esp=ebdf7a94 ebp=ebdf7aa0 iopl=0         nv up ei pl nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
eea4180e 8a1401          mov     dl,byte ptr [ecx+eax]      ds:0023:0101d000=??
Resetting default scope

CUSTOMER_CRASH_COUNT:  24

DEFAULT_BUCKET_ID:  COMMON_SYSTEM_FAULT

BUGCHECK_STR:  0x8E

PROCESS_NAME:  xmllitesetup.ex

LAST_CONTROL_TRANSFER:  from eea4370a to eea4180e

STACK_TEXT:  
WARNING: Frame IP not in any known module. Following frames may be wrong.
ebdf7aa0 eea4370a 0101c000 0000001e eea473d6 0xeea4180e
ebdf7b78 805c4f51 00000c8c 81f98020 00000001 0xeea4370a
ebdf7b58 eea43913 81f98020 e15b0bd0 81fb0608 nt!PspCreateThread+0x3e3
ebdf7b78 805c4f51 00000c8c 81f98020 00000001 0xeea43913
ebdf7cc4 805c5baa 00e3f868 001f03ff 00000000 nt!PspCreateThread+0x3e3
ebdf7d3c 8053c808 00e3f868 001f03ff 00000000 nt!NtCreateThread+0xfc
ebdf7d3c 7c90eb94 00e3f868 001f03ff 00000000 nt!KiFastCallEntry+0xf8
00e3fee4 00000000 00000000 00000000 00000000 0x7c90eb94


STACK_COMMAND:  kb

FOLLOWUP_IP:
nt!PspCreateThread+3e3
805c4f51 57              push    edi

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  nt!PspCreateThread+3e3

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlpa.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  42250a1d

FAILURE_BUCKET_ID:  0x8E_nt!PspCreateThread+3e3

BUCKET_ID:  0x8E_nt!PspCreateThread+3e3

Followup: MachineOwner
---------
 
LVL 9

Expert Comment

by:gopal_krishna
ID: 18051170
Follow the exact steps that are provided below. Do not miss any:

1. Click Start->Run, type "services.msc" (without quotation marks) in the open box and click OK.
2. Double click the service "Automatic Updates".
3. Click on the Log On tab, please ensure the option "Local system account" is selected and the option "Allow service to interact with desktop" is unchecked.

4. Check if this service has been enabled on the listed Hardware Profile. If not, please click the Enable button to enable it.
5. Click on the tab "General "; make sure the "Startup Type" is "Automatic". Then please click the button "Start" under "Service Status" to start the service.
6. Repeat the above steps with the other service: Background Intelligent Transfer Service (BITS)


================================ NEXT ================================


Re-register Windows Update components and Clear the corrupted Windows Update temp folder


1. Click on Start and then click Run,
2. In the open field type "REGSVR32 WUAPI.DLL" (without quotation marks) and press Enter.
3. When you receive the "DllRegisterServer in WUAPI.DLL succeeded" message, click OK.
4. Please repeat these steps for each of the following commands:

REGSVR32 WUAUENG.DLL
REGSVR32 WUAUENG1.DLL
REGSVR32 ATL.DLL
REGSVR32 WUCLTUI.DLL
REGSVR32 WUPS.DLL
REGSVR32 WUPS2.DLL
REGSVR32 WUWEB.DLL

After the above steps are finished reboot.

Cheers
Gopal Krishna K
 
LVL 9

Expert Comment

by:gopal_krishna
ID: 18051184
Since the temporary folder of Windows Update may be corrupted, we can refer to the following steps to rename this folder:

1. Click Start, Run, type: cmd and press Enter. Please run the following command in the opened window.

net stop WuAuServ

2. Click Start, Run, type: %windir% and press Enter.
3. In the opened folder, rename the folder SoftwareDistribution to SDold.
4. Click Start, Run, type: cmd and press Enter. Please run the following command in the opened window.

net start WuAuServ
 
If having a problem with renaming the file named SoftwareDistribution -
'Error Renaming File or Folder, Cannot rename SoftwareDistribution: Access is denied. Make sure the disk is not full or write protected and that it is not currently in use'

When you're modifying the properties of the Automatic Updates (aka wuauserv) service, change the startup type from 'Automatic' to 'Manual.' Then reboot. The effect is that the service doesn't start at all on bootup, so there's no need for the net stop command. After all is said and done, recommend changing the startup type for that service back to 'Automatic.'

Cheers,
Gopal Krishna K

 
LVL 20

Expert Comment

by:cpc2004
ID: 18051304
Hi,

The problem may be related to Windows AutoUpdate. Disabling Windows AutoUpdate may resolve the blue screen problem. Refer to the following case:

http://www.experts-exchange.com/Operating_Systems/WinXP/Q_22069100.html
 
LVL 1

Author Comment

by:jb1013
ID: 18051509
Thanks for the suggestions.  I've tried these to no avail.   And yes there is no BSOD unless I try to install the updates.  Doesn't matter if I use Windows Update or try to install the updates locally.  Also doesn't seem to matter if AutoUpdate is on or off.
 
LVL 20

Assisted Solution

by:cpc2004
cpc2004 earned 200 total points
ID: 18051716
The stack trace of your problem matches with the problem crashing at windowsxp-kb922. I believe that it is the same problem.

Stack trace of windows crash at windowsxp-kb922  
f98f3aa0 fb26670a 0101c000 0000001e fb26a3d6 0xfb26480e
f98f3b78 805f9351 00000608 8b7c0da0 00000001 0xfb26670a
f98f3b58 fb266913 8b7c0da0 e1c135d0 811ba560 nt!PspCreateThread+0x3e3
f98f3b78 805f9351 00000608 8b7c0da0 00000001 0xfb266913
f98f3cc4 8057b2a3 00beecbc 001f03ff 00000000 nt!PspCreateThread+0x3e3
f98f3d3c 804de7ec 00beecbc 001f03ff 00000000 nt!NtCreateThread+0x118
f98f3d3c 7c90eb94 00beecbc 001f03ff 00000000 nt!KiFastCallEntry+0xf8
00bef338 00000000 00000000 00000000 00000000 0x7c90eb94

Your stack trace  
ebdf7aa0 eea4370a 0101c000 0000001e eea473d6 0xeea4180e
ebdf7b78 805c4f51 00000c8c 81f98020 00000001 0xeea4370a
ebdf7b58 eea43913 81f98020 e15b0bd0 81fb0608 nt!PspCreateThread+0x3e3
ebdf7b78 805c4f51 00000c8c 81f98020 00000001 0xeea43913
ebdf7cc4 805c5baa 00e3f868 001f03ff 00000000 nt!PspCreateThread+0x3e3
ebdf7d3c 8053c808 00e3f868 001f03ff 00000000 nt!NtCreateThread+0xfc
ebdf7d3c 7c90eb94 00e3f868 001f03ff 00000000 nt!KiFastCallEntry+0xf8
00e3fee4 00000000 00000000 00000000 00000000 0x7c90eb94
0
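The comparison cpc2004 makes by eye in the post above can be done mechanically. The following is an added example, not part of the original thread: it reduces each trace to a load-address-independent signature (symbol names without offsets, unsymbolized kernel frames as offsets relative to the first one) and compares them. The helper names and the 0x80000000 user/kernel split (the 32-bit XP default) are assumptions.

```python
import re

# Both traces are copied from the post above (WinDbg `kb` output: ChildEBP,
# RetAddr, three arguments, then the frame's symbol or its raw address).
KB922_TRACE = """\
f98f3aa0 fb26670a 0101c000 0000001e fb26a3d6 0xfb26480e
f98f3b78 805f9351 00000608 8b7c0da0 00000001 0xfb26670a
f98f3b58 fb266913 8b7c0da0 e1c135d0 811ba560 nt!PspCreateThread+0x3e3
f98f3b78 805f9351 00000608 8b7c0da0 00000001 0xfb266913
f98f3cc4 8057b2a3 00beecbc 001f03ff 00000000 nt!PspCreateThread+0x3e3
f98f3d3c 804de7ec 00beecbc 001f03ff 00000000 nt!NtCreateThread+0x118
f98f3d3c 7c90eb94 00beecbc 001f03ff 00000000 nt!KiFastCallEntry+0xf8
00bef338 00000000 00000000 00000000 00000000 0x7c90eb94
"""

YOUR_TRACE = """\
ebdf7aa0 eea4370a 0101c000 0000001e eea473d6 0xeea4180e
ebdf7b78 805c4f51 00000c8c 81f98020 00000001 0xeea4370a
ebdf7b58 eea43913 81f98020 e15b0bd0 81fb0608 nt!PspCreateThread+0x3e3
ebdf7b78 805c4f51 00000c8c 81f98020 00000001 0xeea43913
ebdf7cc4 805c5baa 00e3f868 001f03ff 00000000 nt!PspCreateThread+0x3e3
ebdf7d3c 8053c808 00e3f868 001f03ff 00000000 nt!NtCreateThread+0xfc
ebdf7d3c 7c90eb94 00e3f868 001f03ff 00000000 nt!KiFastCallEntry+0xf8
00e3fee4 00000000 00000000 00000000 00000000 0x7c90eb94
"""

# Five 8-digit hex columns followed by the frame name; anything else
# (headers, WARNING lines, blank lines) is ignored.
FRAME_RE = re.compile(r"^(?:[0-9a-f]{8} ){5}(\S+)$")

# Assumption: default 2 GB user/kernel split on 32-bit Windows XP.
KERNEL_BASE = 0x80000000


def parse_frames(text):
    """Return the frame column (symbol or raw 0x address) of each kb line."""
    frames = []
    for line in text.splitlines():
        match = FRAME_RE.match(line.strip())
        if match:
            frames.append(match.group(1))
    return frames


def unknown_kernel_frames(text):
    """Kernel-space addresses the debugger could not map to any module."""
    return [int(f, 16) for f in parse_frames(text)
            if f.startswith("0x") and int(f, 16) >= KERNEL_BASE]


def signature(text):
    """Reduce a trace to tokens that do not depend on where code was loaded.

    Symbolized frames keep only module!function, because the offset shifts
    between kernel builds. Unsymbolized kernel frames become their distance
    from the first such frame, so the same unnamed code loaded at another
    base yields the same tokens. Unsymbolized user-mode frames collapse to
    "user".
    """
    anchor = None
    tokens = []
    for frame in parse_frames(text):
        if not frame.startswith("0x"):
            tokens.append(frame.split("+")[0])
            continue
        addr = int(frame, 16)
        if addr < KERNEL_BASE:
            tokens.append("user")
            continue
        if anchor is None:
            anchor = addr
        tokens.append(f"unknown{addr - anchor:+#x}")
    return tokens


def same_crash(trace_a, trace_b):
    """True when both traces reduce to the same signature."""
    return signature(trace_a) == signature(trace_b)


if __name__ == "__main__":
    for name, trace in (("kb922", KB922_TRACE), ("yours", YOUR_TRACE)):
        print(name, signature(trace))
    print("same crash:", same_crash(KB922_TRACE, YOUR_TRACE))
```

The raw addresses differ between the two machines, but the three unsymbolized kernel frames sit at identical relative offsets in both, which is what makes the match meaningful. Those frames are the part to chase, since the debugger reports them as not belonging to any known module.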
 
LVL 20

Expert Comment

by:cpc2004
ID: 18051735
Refer to the last comment of http://www.experts-exchange.com/Operating_Systems/WinXP/Q_22069100.html.  Maybe your Windows is infected with spyware or a virus.
 
LVL 1

Author Comment

by:jb1013
ID: 18051771
The last comment that redirects to Google groups?

Yes, I actually found that thread before I posted.  This computer has been thoroughly cleaned of Malware including the steps taken in that post and more.  It's been scanned with and for everything under the sun, including rootkits.  I'm 99% sure that the Malware is off.  I think the registry hive is corrupted.  I found another post about repairing the hive, but I'm hesitant to do that.  Although, it will be getting a format and reinstall if I don't get this sorted.  I suppose then I'll try that as a last ditch effort.

Thanks for your responses.
 
LVL 20

Expert Comment

by:cpc2004
ID: 18052005
If the registry is corrupted, the stack trace will have the footprint of reading the software hive (for example nt!HvpGetCellMapped+d0 ).  For your case, I can't find any footprint relating to reading or writing registry.
 
LVL 20

Expert Comment

by:cpc2004
ID: 18052083
Refer to the following case; it is infected with a virus. The stack trace of this problem matches your problem.
http://www.windowsbbs.com/showthread.php?t=59210

Can you post HJT log here?
 
LVL 1

Author Comment

by:jb1013
ID: 18052141
Logfile of HijackThis v1.99.1
Scan saved at 12:32:39 AM, on 12/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\AOL\1127748015\ee\AOLSoftware.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
C:\Program Files\eFax Messenger 4.0\J2GTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Owner\gotomypc_370.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\G2_370\g2viewer.exe
C:\Documents and Settings\Owner\Desktop\HijackThis\search.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1127748015\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: eFax DllCmd 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GTray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1161012846140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161018759234
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

 
LVL 27

Expert Comment

by:Jonvee
ID: 18053445
From the suggestion by cpc2004, here is your HijackThis log analysis >
http://www.hijackthis.de/logfiles/767af20510c9e84f03cc05edac8dc664.html

C:\Documents and Settings\Owner\Desktop\HijackThis\search.exe

Some information below on this 'Nasty' entry, which you could 'Fix'.   You could also see if you recognise any of the 'Unknown' entries using this same "liutilities" link, and fix them if you don't.  
Just in case you haven't used HJT before, the technique is to create a folder where you would like the HijackThis file to reside, and run it from there, not from the Desktop or a temp folder. It is important that you download this file to its own folder as this folder will be used when HijackThis makes backups. Temp folders get deleted, taking with them HJT's 'backups' of items that were 'fixed'.

"search - search.exe":
http://www.liutilities.com/products/wintaskspro/processlibrary/search/
 
LVL 1

Author Comment

by:jb1013
ID: 18054637
Actually search.exe IS HJT renamed, so that some variants of malware can't hide from it.

I'm pretty familiar with HJT, and have parsed the logfile and gone over it a dozen times.  I can't find anything that is suspect.  I've scanned with everything I can think of.  Although, I just did a Panda Active Scan and it did find a spyware variant that the others missed.
 
LVL 1

Author Comment

by:jb1013
ID: 18054913
I removed the other spyware variant, found by Panda Scan, it was just a remnant .dat file.  

I did just find a bunch of strange folders under the root of the C:\ drive.  Like "ca40a3b1422e3eee8e70fd"; there were about half a dozen of them with different alphanumeric strings.  They appear to be temp directories from failed IE7 installations.  I was able to just manually delete all but two of them.  The others I'm working on now.  The files inside these are deleting EXTREMELY slowly, and some have ownership that won't allow deletion, like the "Update" folder in each of these.  Taking ownership seems to work, but like I said it's just deleting one file at a time very slowly.  Weird.

Well I managed to delete all those, and tried the IE7 installation again.  Same issue.  BSOD!!!  This is really annoying.  ;(
 
LVL 1

Author Comment

by:jb1013
ID: 18055037
Those folders are definitely temp folders for IE7 installation.  It's the extraction location.  The BSOD comes after the validation and update portion of the installation, then it starts the Malicious software removal tool and towards the end of it, or when it switches to the next step, it crashes.

With WMP11, it validates, you accept the EULA, then click next and crash.
 
LVL 27

Expert Comment

by:Jonvee
ID: 18055431
Thanks for the report.   Maybe this previous thread will help in temporarily removing IE 7.   Look for the various comments by Merete:

"Unable to uninstall IE7 per MS instructions":
http://www.experts-exchange.com/Operating_Systems/WinXP/Q_22078766.html#a18055037

Have you tried these two >>
http://housecall.trendmicro.com
and ...
http://www.ewido.net/en/download/                 <... update first, then scan in Safe mode:  
 
LVL 27

Expert Comment

by:Jonvee
ID: 18055455
Apologies ... that should be >>
"Unable to uninstall IE7 per MS instructions":
http://www.experts-exchange.com/Operating_Systems/WinXP/Q_22044611.html
 
LVL 1

Author Comment

by:jb1013
ID: 18058104
Yes I've scanned with Ewido in Safe mode, I've done Kaspersky online, Trend Micro online, Bitdefender online, Panda Active Scan, AVG, Spybot, Adaware, Look2Me-Destroyer, Vundofix, Blacklight,  and probably a few I'm forgetting.

If anyone is still thinking it's malware related, I'm not arguing, but I'd need a suggestion on how to approach it.  I bought another day from the End User, but this is getting formatted tomorrow if I don't come up with a solution tonight.

FYI, the problem is not with removing IE7, it's with installing it.
 
LVL 20

Expert Comment

by:cpc2004
ID: 18058486
Can you attach the minidump at webspace? I want to analyse your minidump to find out the root cause of the problem. There are several open cases for similar problems at other forums.
 
LVL 20

Expert Comment

by:cpc2004
ID: 18058693
Uninstall Windows patch KB922582 and reinstall in safe mode.
 
LVL 1

Author Comment

by:jb1013
ID: 18059000
Yes I've scanned with Ewido in Safe mode, I've done Kaspersky online, Trend Micro online, Bitdefender online, Panda Active Scan, AVG, Spybot, Adaware, Look2Me-Destroyer, Vundofix, Blacklight,  and probably a few I'm forgetting.

If anyone is still thinking it's malware related, I'm not arguing, but I'd need a suggestion on how to approach it.  I bought another day from the End User, but this is getting formatted tomorrow if I don't come up with a solution tonight.

FYI, the problem is not with removing IE7, it's with installing it.
 
LVL 1

Author Comment

by:jb1013
ID: 18059013
Quote cpc2004 "Can you attach the minidump at webspace."

Can you elaborate on what you mean by this?  Thanks for the explanation.
 
LVL 20

Expert Comment

by:cpc2004
ID: 18059563
Upload the minidumps at webspace. If you don't have your own webspace, you can get a public webspace.  For example http://www.rapidshare.de/ is a public webspace.  After you upload the minidump, post the url link of the minidump here. You can delete the uploaded dump files at any time.
 
LVL 20

Expert Comment

by:cpc2004
ID: 18060283
Probably your Windows auto update module is screwed up. Someone at another forum uninstalled KB922582 and re-installed it in safe mode. Then the problem was resolved.
 
LVL 1

Author Comment

by:jb1013
ID: 18060484
Uninstalling and reinstalling in safe mode did not work.  BSOD when attempting to reinstall.  The only way I was able to install KB922592 was to extract it using another computer then install it from the Update.exe manually.  It seems to crash on the extraction process on this update.  Also I suppose of note.  It's very strange.  When I attempted to redownload this update from the Administrative section of Windows update, the download just hangs and won't come down on the problem computer.  The PopUp comes up but it just hangs.  So I downloaded it from another computer.

http://www.axiscc.com/temp/Mini120106-01.dmp
http://www.axiscc.com/temp/Mini120106-02.dmp
http://www.axiscc.com/temp/Mini120106-03.dmp

I have to run out for a bit, but when I get back the system is getting formatted.  :(
 
LVL 27

Expert Comment

by:Jonvee
ID: 18060591
Before you actually format you could take a quick look at this next thread.  You may decide it's worth re-registering the files as shown.  If no good there's nothing lost ...

http://www.experts-exchange.com/Operating_Systems/WinXP/Q_21823354.html
 
LVL 27

Expert Comment

by:Jonvee
ID: 18060614
In particular, note all comments in the "Accepted Answer" by moh10ly
 
LVL 27

Accepted Solution

by:
Jonvee earned 300 total points
ID: 18060706
I too had to go out for a while, however, continuing thru that same thread ...

Quote:   when I booted into safe mode and renamed the SoftwareDistrib folder...a brand new folder was created. This forced a re-download of the update.exe program, plus a CLEAN history log.  UnQ.

If you're 'lucky' & also get an  0xD0000006 error, follow it up with ...

Quote:  this was exactly my problem too. A normal 'chkdsk' didn't reveal any problems, but rebooting to safe-mode command-line-only mode and running chkdsk /r from the commandline DID find some low-level block errors and fix them, after which the update finally completed successfully.  UnQ.  
But maybe you've already begun the format ...
 
LVL 1

Author Comment

by:jb1013
ID: 18064227
Thanks to all of you that provided assistance.

Jonvee, I really appreciate the chkdsk /r suggestion.  I had run a memory check, and Drive Fitness Test, but I hadn't done the chkdsk, which was the correct solution.

cpc2004, thank you for looking over my minidumps, and helping me out.

Again, Experts-Exchange has come through for me!!!  
 
LVL 27

Expert Comment

by:Jonvee
ID: 18064298
jb1013   ...  we aim to please  :)

Glad you were able to avoid that format  ...  and thank you!