Hello,

I'm new to this forum and hope somebody will help me.
We have on our HP server for the last 2 weeks a lot of BSOD.
Never occured before. (We run terminal server applications on this server.)

No hardware nor software changes made prior to these problems.

The dumpfiles are all the same and :


Microsoft (R) Windows Debugger Version 6.7.0005.1
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini073007-02.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path. *
* Use .symfix to have the debugger choose a symbol path. *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
Unable to load image \WINDOWS\system32\ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (4 procs) Free x86 compatible
Product: LanManNt, suite: TerminalServer
Kernel base = 0x80800000 PsLoadedModuleList = 0x808af9c8
Debug session time: Mon Jul 30 18:38:19.796 2007 (GMT+2)
System Uptime: 0 days 3:55:05.805
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
Unable to load image \WINDOWS\system32\ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Loading Kernel Symbols
...................................................................................................................
Loading User Symbols
Loading unloaded module list
.......
Unable to load image \??\C:\WINDOWS\system32\vdo_1040-78f4.sys, Win32 error 0n2
*** ERROR: Module load completed but symbols could not be loaded for vdo_1040-78f4.sys
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000008E, {c0000005, 8081bbd5, f3cb3c98, 0}

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***

***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
Probably caused by : vdo_1040-78f4.sys ( vdo_1040_78f4+641 )

Followup: MachineOwner
---------


What is this vdo...sys

I have read somewhere this is an infection.

On the other hand I have found in the windows observer one error linked to the driver/ATI2MPAD.

What can be the problem ?
Wa have changed our ram, put a new motheboard, downladed servicepack 2.

The problems subsits?

Anyone ?

Thnaks,

But

Vdo_1040-78f4.sys is an infection. You can find the same problem HERE. They didn't say which program found it (post #10).

vdo_1040-78f4.sys

Thanks for the info.
The link is not much help since it does not explain how to remove the infection.
Our AVG Anti spyware can not find anything.
Sophor antiroot kit did find some hidden files inregistrey keys : vdo* and vdo_g.ini.
My question is if I may remove these files :

c:\windows\system32\vdo_g.ini
c:\windows\system32\vdo_1040-78f4.sys

Sophomor does not recognise these and therefor does not recommend to delete.
Or what other things should I precisely do ?

Thanks for the help !

I think they are safe to delete. As spyware isn't my thing, you can always ask in the security forum. I also found THIS, which pretty much confirms it's a rootkit.

Thanks for the reply.
I have deleted them, rebooted the computer without problem.
I will post the outcome later.
Thanks,