Windows XP Stop 7E & minidump

By mcarthey
May 11, 2007
Topic Status:
Not open for further replies.
  1. Hey all,
    I was just working on the computer a few days back and it rebooted. I am using Windows XP and am up to date with all updates. I was in the middle of typing a document so there wasn't anything unusual I was doing. Also, I haven't recently added any new hardware.
    After rebooting, I select the user I would like to log in as. The standard Windows login music plays and it reboots. I set it so it wouldn't reboot so I can see the message. I am getting
    STOP: 0x0000007E (0xC0000005, 0x804EA461, 0xF7CB6B04, 0xF7CB68D0).

    I checked the event viewer and it didn't tell me much else, but I loaded the minidump file and it reports the following:


    Microsoft (R) Windows Debugger Version 6.7.0005.0
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [C:\Documents and Settings\Mark\Desktop\Minidump\Mini050107-09.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available

    Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is:
    Windows XP Kernel Version 2600 (Service Pack 2) MP (2 procs) Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 2600.xpsp_sp2_gdr.070227-2254
    Kernel base = 0x804d7000 PsLoadedModuleList = 0x805624a0
    Debug session time: Tue May 1 19:52:01.234 2007 (GMT-5)
    System Uptime: 0 days 0:02:19.078
    Loading Kernel Symbols
    ..........................................................................................................................................................
    Loading User Symbols
    Loading unloaded module list
    ..
    Unable to load image kgdtrdom.sys, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for kgdtrdom.sys
    *** ERROR: Module load completed but symbols could not be loaded for kgdtrdom.sys
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 1000007E, {c0000005, 804ea461, f7cbebd4, f7cbe8d0}

    Probably caused by : kgdtrdom.sys ( kgdtrdom+1b95 )

    Followup: MachineOwner
    ---------

    0: kd> !analyze -v
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
    This is a very common bugcheck. Usually the exception address pinpoints
    the driver/function that caused the problem. Always note this address
    as well as the link date of the driver/image that contains this address.
    Some common problems are exception code 0x80000003. This means a hard
    coded breakpoint or assertion was hit, but this system was booted
    /NODEBUG. This is not supposed to happen as developers should never have
    hardcoded breakpoints in retail code, but ...
    If this happens, make sure a debugger gets connected, and the
    system is booted /DEBUG. This will let us see why this breakpoint is
    happening.
    Arguments:
    Arg1: c0000005, The exception code that was not handled
    Arg2: 804ea461, The address that the exception occurred at
    Arg3: f7cbebd4, Exception Record Address
    Arg4: f7cbe8d0, Context Record Address

    Debugging Details:
    ------------------


    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

    FAULTING_IP:
    nt!wcslen+8
    804ea461 668b08 mov cx,word ptr [eax]

    EXCEPTION_RECORD: f7cbebd4 -- (.exr 0xfffffffff7cbebd4)
    ExceptionAddress: 804ea461 (nt!wcslen+0x00000008)
    ExceptionCode: c0000005 (Access violation)
    ExceptionFlags: 00000000
    NumberParameters: 2
    Parameter[0]: 00000000
    Parameter[1]: 00000000
    Attempt to read from address 00000000

    CONTEXT: f7cbe8d0 -- (.cxr 0xfffffffff7cbe8d0)
    eax=00000000 ebx=867c1020 ecx=00bb00c0 edx=00000000 esi=f6c48010 edi=864d02d8
    eip=804ea461 esp=f7cbec9c ebp=f7cbec9c iopl=0 nv up ei pl zr na pe nc
    cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
    nt!wcslen+0x8:
    804ea461 668b08 mov cx,word ptr [eax] ds:0023:00000000=????
    Resetting default scope

    CUSTOMER_CRASH_COUNT: 9

    DEFAULT_BUCKET_ID: NULL_DEREFERENCE

    PROCESS_NAME: explorer.exe

    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

    READ_ADDRESS: 00000000

    BUGCHECK_STR: 0x7E

    LAST_CONTROL_TRANSFER: from f6c47b95 to 804ea461

    STACK_TEXT:
    f7cbec9c f6c47b95 00000000 86541128 85f0fcf0 nt!wcslen+0x8
    WARNING: Stack unwind information not available. Following frames may be wrong.
    f7cbed48 f6c5ce6f 00000000 f6c5cdf4 867c1020 kgdtrdom+0x1b95
    f7cbed68 8056d03c 85f0fcf0 86541128 805694fc kgdtrdom+0x16e6f
    f7cbed7c 804e23b5 86541128 00000000 867c1020 nt!IopProcessWorkItem+0x13
    f7cbedac 80574128 86541128 00000000 00000000 nt!ExpWorkerThread+0xef
    f7cbeddc 804ec781 804e22f1 00000001 00000000 nt!PspSystemThreadStartup+0x34
    00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


    FOLLOWUP_IP:
    kgdtrdom+1b95
    f6c47b95 ?? ???

    SYMBOL_STACK_INDEX: 1

    SYMBOL_NAME: kgdtrdom+1b95

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: kgdtrdom

    IMAGE_NAME: kgdtrdom.sys

    DEBUG_FLR_IMAGE_TIMESTAMP: 45bf3224

    STACK_COMMAND: .cxr 0xfffffffff7cbe8d0 ; kb

    FAILURE_BUCKET_ID: 0x7E_kgdtrdom+1b95

    BUCKET_ID: 0x7E_kgdtrdom+1b95

    Followup: MachineOwner
    ---------


    I did a search (in Safe Mode) for kgdtrdom.sys but it is not found. Google doesn't show anything either.

    I'd be real grateful if someone could help me out with this because I'm stumped.

    Thanks much!
    Mark
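
One way to triage a dump analysis like the one above with a script, as an added example that is not part of the thread and not a Microsoft or TechSpot tool: it parses the `!analyze -v` text for the bugcheck and its arguments, the exception code, the process, the blamed image with its link timestamp, and the module of each stack frame, then flags the blamed module for manual review when it is not an OS module and the debugger could neither locate nor symbolize it. The sample input is Mark's own output, trimmed to the lines the parser consumes; the `KNOWN_OS_MODULES` baseline, the function names and the review rule are assumptions of this example, not anything WinDbg provides.

```python
"""Triage of WinDbg `!analyze -v` output: extract the fields that matter and flag the
blamed driver when the debugger could neither locate nor symbolize it (added example)."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample input: the relevant lines of the !analyze -v output that the
# original poster pasted, trimmed to what the parser consumes.
SAMPLE_ANALYZE_OUTPUT = """\
Unable to load image kgdtrdom.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for kgdtrdom.sys
*** ERROR: Module load completed but symbols could not be loaded for kgdtrdom.sys
BugCheck 1000007E, {c0000005, 804ea461, f7cbebd4, f7cbe8d0}
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
PROCESS_NAME: explorer.exe
STACK_TEXT:
f7cbec9c f6c47b95 00000000 86541128 85f0fcf0 nt!wcslen+0x8
WARNING: Stack unwind information not available. Following frames may be wrong.
f7cbed48 f6c5ce6f 00000000 f6c5cdf4 867c1020 kgdtrdom+0x1b95
f7cbed68 8056d03c 85f0fcf0 86541128 805694fc kgdtrdom+0x16e6f
f7cbed7c 804e23b5 86541128 00000000 867c1020 nt!IopProcessWorkItem+0x13
MODULE_NAME: kgdtrdom
IMAGE_NAME: kgdtrdom.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 45bf3224
"""

# Assumed baseline of OS kernel modules (illustrative, not exhaustive); a frame
# inside one of these is not by itself a reason for review.
KNOWN_OS_MODULES = {"nt", "hal", "win32k", "ntoskrnl", "ntkrnlpa", "ntkrnlmp"}

KEY_VALUE_RE = re.compile(r"^([A-Z_]+):\s*(.*)$")
BUGCHECK_RE = re.compile(r"^BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}")
UNRESOLVED_RE = re.compile(r"(?:Unable to load image|Unable to verify timestamp for|"
                           r"symbols could not be loaded for)\s+([^\s,]+)")
FRAME_RE = re.compile(r"^(?:[0-9a-f]{8}\s+){5}(\S+)")  # ChildEBP, RetAddr, 3 args, symbol
NTSTATUS_RE = re.compile(r"0x[0-9a-fA-F]{8}")
FIELD_MAP = {"PROCESS_NAME": "process_name", "MODULE_NAME": "module_name",
             "IMAGE_NAME": "image_name", "DEBUG_FLR_IMAGE_TIMESTAMP": "link_timestamp"}

@dataclass
class CrashTriage:
    bugcheck: str = ""
    args: list = field(default_factory=list)
    exception_code: str = ""
    process_name: str = ""
    module_name: str = ""
    image_name: str = ""
    link_timestamp: str = ""
    unresolved_modules: set = field(default_factory=set)
    stack_modules: list = field(default_factory=list)  # one module per STACK_TEXT frame

def module_of(symbol):
    """'nt!wcslen+0x8' -> 'nt'; unsymbolized 'kgdtrdom+0x1b95' -> 'kgdtrdom'."""
    return symbol.split("!", 1)[0].split("+", 1)[0]

def parse_analyze(text):
    t = CrashTriage()
    for line in (raw.strip() for raw in text.splitlines()):
        if m := BUGCHECK_RE.match(line):
            t.bugcheck = m.group(1).upper()
            t.args = [a.strip() for a in m.group(2).split(",")]
        elif m := UNRESOLVED_RE.search(line):
            t.unresolved_modules.add(m.group(1))
        elif m := FRAME_RE.match(line):
            t.stack_modules.append(module_of(m.group(1)))
        elif m := KEY_VALUE_RE.match(line):
            key, value = m.groups()
            if key == "EXCEPTION_CODE":
                code = NTSTATUS_RE.search(value)
                t.exception_code = code.group(0).lower() if code else value
            elif key in FIELD_MAP:
                setattr(t, FIELD_MAP[key], value)
    return t

def link_timestamp_utc(hex_ts):
    """WinDbg prints the PE link timestamp as hex seconds since the Unix epoch."""
    return datetime.fromtimestamp(int(hex_ts, 16), tz=timezone.utc)

def first_non_os_caller(stack_modules):
    """Walk the stack from the faulting frame outward to the first non-OS module."""
    return next((m for m in stack_modules if m.lower() not in KNOWN_OS_MODULES), None)

def assess(t):
    """Return (needs_review, findings); review a blamed non-OS image the debugger could not resolve."""
    findings = []
    caller = first_non_os_caller(t.stack_modules)
    if caller and t.stack_modules[0].lower() in KNOWN_OS_MODULES:
        findings.append(f"{t.exception_code} inside an OS routine reached from {caller}")
    if t.image_name in t.unresolved_modules:
        findings.append(f"{t.image_name} not located or symbolized: verify its origin, "
                        "publisher signature and install date before trusting it")
    needs_review = (t.image_name in t.unresolved_modules
                    and t.module_name.lower() not in KNOWN_OS_MODULES)
    return needs_review, findings

if __name__ == "__main__":
    t = parse_analyze(SAMPLE_ANALYZE_OUTPUT)
    print(t.bugcheck, t.args, t.image_name, link_timestamp_utc(t.link_timestamp), assess(t))
```

The link timestamp decodes to 30 January 2007, the same day as the creation date Mark reports for the file later in the thread; that is the cross-check `!analyze` has in mind when it says to note the link date of the blamed image. A hit from `assess` is a prompt to verify the file (publisher signature, origin, install date), not a verdict: a legitimate third-party driver also has no symbols on the Microsoft symbol server.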
  2. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Hello and welcome to Techspot.

    The fact that there are no hits on either Yahoo or Google for kgdtrdom.sys makes it very suspicious.

    Download the AVG Antirootkit programme. Disconnect from the net and install the programme, then restart your computer.

    Run the programme and click "Perform in-depth search." Allow AVG to complete the scan. The AVG scanner will give the "Rootkit path". Do not fix anything yet. Let me know what is found in your reply and I'll instruct you on how to proceed. Reconnect to the net.

    Also, go and read this thread HERE and post a HJT log as an attachment.

    Regards Howard :wave: :wave:
  3. mcarthey

    mcarthey Newcomer, in training Topic Starter

    I am unable to run AVG Anti-Rootkit. I am only able to start in Safe Mode, so I had to install it there. After the requested reboot, I try to start the scan and it says, "Please restart the computer before using AVG Anti-Rootkit" despite having just rebooted. I have tried booting/installing in the various Safe Modes with no luck. If it's any consolation I do own AVG Internet Suite and I believe it has the Rootkit included already.
    I have attached my HiJackThis log.
    Thanks for your help,
    Mark
  4. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Do a search of your system for kgdtrdom.sys and let me know the full filepath to that file.

    Also, please go HERE and follow the instructions for Combofix in step12. Post the Combofix log.

    Regards Howard :)
  5. mcarthey

    mcarthey Newcomer, in training Topic Starter

    Results of find:
    C:\WINDOWS\system32\drivers\kgdtrdom.sys
    236 KB (241,664 bytes)
    Created: Tuesday, January 30, 2007, 1:55:16 PM

    The combofix log is attached.

    Thanks again for your help,
    Mark
  6. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon, which will open a new window titled "Open Script File".
    Navigate to the file you have just downloaded, click on it and press Open.
    Now click on the Green Light to begin execution of the script.
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop; this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please attach the content of c:\avenger.txt.

    Let me know how things are running.

    Regards Howard :)

    Attached Files:

  7. mcarthey

    mcarthey Newcomer, in training Topic Starter

    I'm posting the results of the avenger script. I see there was nothing in the registry for the .sys file, but it did move it out of system32. I'll try to boot the machine now. I just wanted to post the results before I booted into normal mode in case I didn't come back for a while. ;)
    Thanks for the detailed descriptions and the help,
    Mark
  8. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    According to your Avenger log, the files have been removed.

    Boot into normal mode and let me know the results.

    Regards Howard :)
  9. mcarthey

    mcarthey Newcomer, in training Topic Starter

    The system booted fine into normal mode! Strangely, it seems like some settings were set back to default. The volume was muted, I had to install some updates, Windows Firewall was turned on again, Firefox was no longer my default browser, etc. I'm guessing there's going to be more, but it's running!
    Why the removal of the Clifford uninstall, though? Was that somehow significant?
    Thanks again for the huge help. I don't know that I would have figured this out for a while. I just have to see if I can find out what caused the problem in the first place.
    Thanks a million, again,
    Mark
  10. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    That's excellent news. The reason I wanted the Clifford Uninstall.exe deleted is that it is known to be infected with a trojan.

    Since your problem was caused by malware, I have moved this thread to our Security and the web forum.

    I'd now like you to run a complete check on your system to make sure there are no other baddies.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, let me know the results of the AVG Antirootkit scan.

    Regards Howard :)

    This thread is for the use of mcarthey only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the web forum.