Windows XP Stop 7E & minidump

Hey all,
I was just working on the computer a few days back and it rebooted. I am using Windows XP and am up to date with all updates. I was in the middle of typing a document so there wasn't anything unusual I was doing. Also, I haven't recently added any new hardware.
After rebooting, I select the user I would like to log in as. The standard Windows login music plays and it reboots. I set it so it wouldn't reboot so I can see the message. I am getting:
STOP: 0x0000007E (0xC0000005, 0x804EA461, 0xF7CB6B04, 0xF7CB68D0).

I checked the event viewer and it didn't tell me much else, but I loaded the minidump file and it reports the following:


Microsoft (R) Windows Debugger Version 6.7.0005.0
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Documents and Settings\Mark\Desktop\Minidump\Mini050107-09.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_gdr.070227-2254
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805624a0
Debug session time: Tue May 1 19:52:01.234 2007 (GMT-5)
System Uptime: 0 days 0:02:19.078
Loading Kernel Symbols
..........................................................................................................................................................
Loading User Symbols
Loading unloaded module list
..
Unable to load image kgdtrdom.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for kgdtrdom.sys
*** ERROR: Module load completed but symbols could not be loaded for kgdtrdom.sys
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000007E, {c0000005, 804ea461, f7cbebd4, f7cbe8d0}

Probably caused by : kgdtrdom.sys ( kgdtrdom+1b95 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 804ea461, The address that the exception occurred at
Arg3: f7cbebd4, Exception Record Address
Arg4: f7cbe8d0, Context Record Address

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
nt!wcslen+8
804ea461 668b08 mov cx,word ptr [eax]

EXCEPTION_RECORD: f7cbebd4 -- (.exr 0xfffffffff7cbebd4)
ExceptionAddress: 804ea461 (nt!wcslen+0x00000008)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000000
Attempt to read from address 00000000

CONTEXT: f7cbe8d0 -- (.cxr 0xfffffffff7cbe8d0)
eax=00000000 ebx=867c1020 ecx=00bb00c0 edx=00000000 esi=f6c48010 edi=864d02d8
eip=804ea461 esp=f7cbec9c ebp=f7cbec9c iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!wcslen+0x8:
804ea461 668b08 mov cx,word ptr [eax] ds:0023:00000000=????
Resetting default scope

CUSTOMER_CRASH_COUNT: 9

DEFAULT_BUCKET_ID: NULL_DEREFERENCE

PROCESS_NAME: explorer.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

READ_ADDRESS: 00000000

BUGCHECK_STR: 0x7E

LAST_CONTROL_TRANSFER: from f6c47b95 to 804ea461

STACK_TEXT:
f7cbec9c f6c47b95 00000000 86541128 85f0fcf0 nt!wcslen+0x8
WARNING: Stack unwind information not available. Following frames may be wrong.
f7cbed48 f6c5ce6f 00000000 f6c5cdf4 867c1020 kgdtrdom+0x1b95
f7cbed68 8056d03c 85f0fcf0 86541128 805694fc kgdtrdom+0x16e6f
f7cbed7c 804e23b5 86541128 00000000 867c1020 nt!IopProcessWorkItem+0x13
f7cbedac 80574128 86541128 00000000 00000000 nt!ExpWorkerThread+0xef
f7cbeddc 804ec781 804e22f1 00000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


FOLLOWUP_IP:
kgdtrdom+1b95
f6c47b95 ?? ???

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: kgdtrdom+1b95

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: kgdtrdom

IMAGE_NAME: kgdtrdom.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 45bf3224

STACK_COMMAND: .cxr 0xfffffffff7cbe8d0 ; kb

FAILURE_BUCKET_ID: 0x7E_kgdtrdom+1b95

BUCKET_ID: 0x7E_kgdtrdom+1b95

Followup: MachineOwner
---------


I did a search (in Safe Mode) for kgdtrdom.sys but it is not found. Google doesn't show anything either.

I'd be real grateful if someone could help me out with this because I'm stumped.

Thanks much!
Mark
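The minidump output above already points at the answer: a NULL pointer reaches nt!wcslen from an unsymbolized driver (kgdtrdom+0x1b95) running in a system worker thread. As an added example that is not part of the original post, this Python script automates that first triage step over a constructed excerpt of the same !analyze -v text: it pulls the bugcheck and exception code, walks STACK_TEXT to the first frame outside the OS modules, and flags it when the debugger also reported that no symbols could be loaded for that module.

```python
import re

# Constructed excerpt of the "!analyze -v" output quoted in the post above,
# trimmed to the lines the triage functions actually read.
SAMPLE = """\
*** ERROR: Module load completed but symbols could not be loaded for kgdtrdom.sys
BugCheck 1000007E, {c0000005, 804ea461, f7cbebd4, f7cbe8d0}
STACK_TEXT:
f7cbec9c f6c47b95 00000000 86541128 85f0fcf0 nt!wcslen+0x8
WARNING: Stack unwind information not available. Following frames may be wrong.
f7cbed48 f6c5ce6f 00000000 f6c5cdf4 867c1020 kgdtrdom+0x1b95
f7cbed68 8056d03c 85f0fcf0 86541128 805694fc kgdtrdom+0x16e6f
f7cbed7c 804e23b5 86541128 00000000 867c1020 nt!IopProcessWorkItem+0x13
f7cbedac 80574128 86541128 00000000 00000000 nt!ExpWorkerThread+0xef
"""
HEX8 = re.compile(r"^[0-9a-f]{8}$")
OS_MODULES = {"nt", "hal", "win32k"}  # kernel/HAL frames are rarely the real culprit

def parse_bugcheck(text):
    """Return (code, [arg1..arg4]) from the 'BugCheck XXXX, {...}' line, or None."""
    m = re.search(r"BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}", text)
    return (m.group(1).lower(), [a.strip().lower() for a in m.group(2).split(",")]) if m else None

def parse_stack(text):
    """Symbol column of every STACK_TEXT frame (five 8-digit hex words, then a symbol)."""
    frames = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) == 6 and all(HEX8.match(t) for t in tok[:5]):
            frames.append(tok[5])
    return frames

def module_of(symbol):
    """'nt!wcslen+0x8' -> 'nt'; 'kgdtrdom+0x1b95' -> 'kgdtrdom'."""
    return re.split(r"[!+]", symbol, maxsplit=1)[0]

def triage(text):
    """Pick the first non-OS frame on the crash path and check whether its module had no symbols."""
    code, args = parse_bugcheck(text) or ("?", ["?"])
    frames = parse_stack(text)
    suspect = next((f for f in frames if module_of(f) not in OS_MODULES), None)
    nosyms = sorted(set(re.findall(r"symbols could not be loaded for (\S+)", text)))
    module = module_of(suspect) if suspect else None
    return {"bugcheck": code, "exception": args[0], "frames": frames,
            "suspect_module": module, "unsymbolized": nosyms,
            # an unsymbolized third-party module on the crash path is the thing to look at first
            "suspicious": module is not None and f"{module}.sys" in nosyms}
```

On the sample this returns suspect_module "kgdtrdom" with suspicious set, which is exactly the file the thread goes on to hunt for in system32\drivers.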
 
Hello and welcome to Techspot.

The fact that there's no hits on either Yahoo or Google for kgdtrdom.sys makes it very suspicious.

Download the AVG Antirootkit programme. Disconnect from the net and install the programme, then restart your computer.

Run the programme and click "Perform in-depth search." Allow AVG to complete the scan. The AVG scanner will give the "Rootkit path". Do not fix anything yet. Let me know what is found in your reply and I'll instruct you on how to proceed. Reconnect to the net.

Also, go and read this thread HERE and post a HJT log as an attachment.

Regards Howard
 
I am unable to run AVG Anti-Rootkit. I am only able to start in Safe Mode, so I had to install it there. After the requested reboot, I try to start the scan and it says, "Please restart the computer before using AVG Anti-Rootkit" despite having just rebooted. I have tried booting/installing in the various Safe Modes with no luck. If it's any consolation I do own AVG Internet Suite and I believe it has the Rootkit included already.
I have attached my HiJackThis log.
Thanks for your help,
Mark
 
In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Do a search of your system for kgdtrdom.sys and let me know the full filepath to that file.

Also, please go HERE and follow the instructions for Combofix in step 12. Post the Combofix log.

Regards Howard :)
 
Results of find:
C:\WINDOWS\system32\drivers\kgdtrdom.sys
236 KB (241,664 bytes)
Created: Tuesday, January 30, 2007, 1:55:16 PM

The combofix log is attached.

Thanks again for your help,
Mark
 
1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon, which will open a new window titled "Open Script File".
Navigate to the file you have just downloaded, click on it and press Open.
Now click on the Green Light to begin execution of the script.
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop; this is normal.
After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt.

Let me know how things are running.

Regards Howard :)
 

Attachment: avengerscript.txt (201 bytes)
I'm posting the results of the avenger script. I see there was nothing in the registry for the .sys file, but it did move it out of system32. I'll try to boot the machine now. I just wanted to post the results before I booted into normal mode in case I didn't come back for a while. ;)
Thanks for the detailed descriptions and the help,
Mark
 
According to your Avenger log, the files have been removed.

Boot into normal mode and let me know the results.

Regards Howard :)
 
The system booted fine into normal mode! Strangely, it seems like some settings were set back to default. The volume was muted, I had to install some updates, Windows firewall was turned on again, firefox was no longer my default browser, etc. I'm guessing there's going to be more, but it's running!
Why the removal of the Clifford uninstall, though? Was that somehow significant?
Thanks again for the huge help. I don't know that I would have figured this out for a while. I just have to see if I can find out what caused the problem in the first place.
Thanks a million, again,
Mark
 
That's excellent news. The reason I wanted the Clifford Uninstall.exe deleted is that it is known to be infected with a trojan.

Since your problem was caused by malware, I have moved this thread to our Security and the web forum.

I'd now like you to run a complete check on your system to make sure there are no other baddies.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

Also, let me know the results of the AVG Antirootkit scan.

Regards Howard :)

This thread is for the use of mcarthey only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the web forum.
 