Minidump reports

13 replies to this topic

#1 Valdr

Valdr


Posted 15 December 2008 - 11:54 PM

Hi,
I have been having trouble with malware, rootkits, and trojans and started a topic about it in that section of the forums, and
as per the instructions in my topic here
I am posting my minidump reports in this section to attempt to figure out what's causing my BSOD, rootkit or otherwise.

However, I seem to be unable to upload the file. The website tells me
"upload failed. You are not permitted to upload this type of file"


#2 usasma

usasma

    Still visually handicapped (avatar is memory developed by my Dad


Posted 16 December 2008 - 09:04 AM

Step 8 in this link: http://www.bleepingcomputer.com/forums/t/176011/how-to-receive-help-diagnosing-blue-screens-and-windows-crashes/
describes a method to paste your report into your next post.
My browser caused a flood of traffic, so my IP address was banned. Hope to fix it soon. Will get back to posting as soon as I'm able.

- John (my website: http://www.carrona.org/ ) **If you need a more detailed explanation, please ask for it. I have the Knack.** If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficulty reading posts. (23 Nov 2017) FYI - I am completely blind in the right eye and ~30% blind in the left eye. If the eye problems get worse suddenly, I may not be able to respond. If that's the case and help is needed, please PM a staff member for assistance.

#3 Valdr

Valdr

Posted 16 December 2008 - 12:51 PM

I am in safe mode with networking, on the Admin account (the only account on the computer); however, when I attempt to install the debugging tools I get an error: "the system administrator has set policies to prevent this installation".

#4 usasma

usasma


Posted 16 December 2008 - 01:50 PM

That's likely a result of the infection - hang on a sec while I hunt down the steps to (hopefully) fix that.....

#5 usasma

usasma


Posted 16 December 2008 - 01:56 PM

First, do a couple of free, online scans to ensure you're not still infected: http://www.bleepingcomputer.com/blogs/usas...?showentry=1252

Then, if you come up clean, try this: http://www.bleepingcomputer.com/blogs/usas...?showentry=1415
Another nifty tool that I've just seen (but haven't used): http://www.bleepingcomputer.com/blogs/usas...?showentry=1378

#6 Valdr

Valdr

Posted 16 December 2008 - 01:58 PM

I sent the minidumps to another computer and ran WinDbg.

Here is the first minidump from when the trouble first started:

Microsoft Windows Debugger Version 6.10.0003.233 X86
Copyright Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\XZ66BC\Desktop\New Folder\Mini121408-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 2600.xpsp_sp3_gdr.080814-1236
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Sun Dec 14 23:46:21.484 2008 (GMT-5)
System Uptime: 0 days 11:06:07.200
Loading Kernel Symbols
...............................................................
................................................................
..........................
Loading User Symbols
Loading unloaded module list
.................
Unable to load image atkdisp.dll, Win32 error 0n2
*** WARNING: Unable to verify timestamp for atkdisp.dll
*** ERROR: Module load completed but symbols could not be loaded for atkdisp.dll
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000008E, {c0000005, bf01592b, 9ee7c868, 0}

Probably caused by : atkdisp.dll ( atkdisp+392b )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: bf01592b, The address that the exception occurred at
Arg3: 9ee7c868, Trap Frame
Arg4: 00000000

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP:
atkdisp+392b
bf01592b f3a5 rep movs dword ptr es:[edi],dword ptr [esi]

TRAP_FRAME: 9ee7c868 -- (.trap 0xffffffff9ee7c868)
ErrCode = 00000000
eax=00078000 ebx=e163e3a4 ecx=0001e000 edx=000000ec esi=00000000 edi=a32c2000
eip=bf01592b esp=9ee7c8dc ebp=9ee7cc88 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
atkdisp+0x392b:
bf01592b f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x8E

PROCESS_NAME: firefox.exe

LAST_CONTROL_TRANSFER: from bf8ec141 to bf01592b

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
9ee7cc88 bf8ec141 9ee7ccd4 e1a7f714 e5936018 atkdisp+0x392b
9ee7ccc0 bf003d57 9ee7ccd4 e59360ec e5936018 win32k!WatchdogDdUnlock+0x38
9ee7cce4 bf009e55 e1a7f714 e5936018 9ee7cd34 dxg!vDdRelinquishSurfaceOrBufferLock+0x4d
9ee7cd0c bf00affe e1a7f008 9ee7cd64 0397fd68 dxg!bDdUnlockSurfaceOrBuffer+0x99
9ee7cd54 8054162c 13407c20 0397fd80 0397fd68 dxg!DxDdUnlock+0x4c
9ee7cd54 7c90e4f4 13407c20 0397fd80 0397fd68 nt!KiFastCallEntry+0xfc
0397fd68 00000000 00000000 00000000 00000000 0x7c90e4f4


STACK_COMMAND: kb

FOLLOWUP_IP:
atkdisp+392b
bf01592b f3a5 rep movs dword ptr es:[edi],dword ptr [esi]

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: atkdisp+392b

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: atkdisp

IMAGE_NAME: atkdisp.dll

DEBUG_FLR_IMAGE_TIMESTAMP: 47e32a6b

FAILURE_BUCKET_ID: 0x8E_atkdisp+392b

BUCKET_ID: 0x8E_atkdisp+392b

Followup: MachineOwner
---------



Here is the most recent minidump:

Microsoft Windows Debugger Version 6.10.0003.233 X86
Copyright Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\XZ66BC\Desktop\New Folder\Mini121508-09.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 2600.xpsp_sp3_gdr.080814-1236
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Mon Dec 15 22:27:19.594 2008 (GMT-5)
System Uptime: 0 days 0:01:17.308
Loading Kernel Symbols
...............................................................
................................................................
.....................
Loading User Symbols
Loading unloaded module list
.........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000008E, {c0000005, a21afb75, 9fc2a7e8, 0}

Probably caused by : ntkrpamp.exe ( nt!PsCallImageNotifyRoutines+36 )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: a21afb75, The address that the exception occurred at
Arg3: 9fc2a7e8, Trap Frame
Arg4: 00000000

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP:
+ffffffffa21afb75
a21afb75 0fb611 movzx edx,byte ptr [ecx]

TRAP_FRAME: 9fc2a7e8 -- (.trap 0xffffffff9fc2a7e8)
ErrCode = 00000000
eax=53772921 ebx=f5aaa25e ecx=52a6b000 edx=000000f2 esi=52a00080 edi=00070000
eip=a21afb75 esp=9fc2a85c ebp=9fc2abe0 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
a21afb75 0fb611 movzx edx,byte ptr [ecx] ds:0023:52a6b000=??
Resetting default scope

CUSTOMER_CRASH_COUNT: 9

DEFAULT_BUCKET_ID: COMMON_SYSTEM_FAULT

BUGCHECK_STR: 0x8E

PROCESS_NAME: CCC.exe

LAST_CONTROL_TRANSFER: from 805d00bc to a21afb75

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
9fc2abe0 805d00bc 8a0015d0 00000c24 9fc2ac20 0xa21afb75
9fc2ac00 805b1421 8a0015d0 00000c24 9fc2ac20 nt!PsCallImageNotifyRoutines+0x36
9fc2ac48 805b1efe 872198d8 52a00000 9fc2ad18 nt!MiMapViewOfImageSection+0x4c1
9fc2aca4 805b22c3 00000018 873604d0 9fc2ad18 nt!MmMapViewOfSection+0x13c
9fc2ad34 8054162c 00000860 ffffffff 05e9dd30 nt!NtMapViewOfSection+0x2bd
9fc2ad34 7c90e4f4 00000860 ffffffff 05e9dd30 nt!KiFastCallEntry+0xfc
05e9dd1c 00000000 00000000 00000000 00000000 0x7c90e4f4


STACK_COMMAND: kb

FOLLOWUP_IP:
nt!PsCallImageNotifyRoutines+36
805d00bc 56 push esi

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: nt!PsCallImageNotifyRoutines+36

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrpamp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 48a3fbd9

FAILURE_BUCKET_ID: 0x8E_nt!PsCallImageNotifyRoutines+36

BUCKET_ID: 0x8E_nt!PsCallImageNotifyRoutines+36

Followup: MachineOwner
---------

Edited by Valdr, 16 December 2008 - 01:59 PM.
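
The two reports above differ in one detail that matters for triage: the first blames a named driver (atkdisp.dll), while the second's faulting frame is a bare address that WinDbg could not attribute to any loaded module. The following Python script is an added example, not code from this thread or from Microsoft; it parses the fields an analyst reads first out of an `!analyze -v` report and separates frames with no module backing them. The embedded sample is an abridged copy of the second report posted above, and the kernel/user address boundary (0x80000000) is an assumption that holds for the default 2 GB/2 GB split of 32-bit Windows XP, not for a /3GB boot.

```python
"""Triage helper for WinDbg '!analyze -v' output from a kernel minidump.

Added example (not the thread's or Microsoft's code): pulls out the bugcheck
code/arguments, faulting process, blamed image, failure bucket and stack
frames, and lists frames that WinDbg printed as bare addresses.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: abridged copy of the second report posted in this
# thread (Mini121508-09.dmp), trimmed to the lines parsed below.
SAMPLE_REPORT = """\
BugCheck 1000008E, {c0000005, a21afb75, 9fc2a7e8, 0}

Probably caused by : ntkrpamp.exe ( nt!PsCallImageNotifyRoutines+36 )

PROCESS_NAME: CCC.exe

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
9fc2abe0 805d00bc 8a0015d0 00000c24 9fc2ac20 0xa21afb75
9fc2ac00 805b1421 8a0015d0 00000c24 9fc2ac20 nt!PsCallImageNotifyRoutines+0x36
9fc2ac48 805b1efe 872198d8 52a00000 9fc2ad18 nt!MiMapViewOfImageSection+0x4c1
9fc2aca4 805b22c3 00000018 873604d0 9fc2ad18 nt!MmMapViewOfSection+0x13c
9fc2ad34 8054162c 00000860 ffffffff 05e9dd30 nt!NtMapViewOfSection+0x2bd
9fc2ad34 7c90e4f4 00000860 ffffffff 05e9dd30 nt!KiFastCallEntry+0xfc
05e9dd1c 00000000 00000000 00000000 00000000 0x7c90e4f4

IMAGE_NAME: ntkrpamp.exe

FAILURE_BUCKET_ID: 0x8E_nt!PsCallImageNotifyRoutines+36
"""

# One x86 'kb' frame: ChildEBP RetAddr Arg1 Arg2 Arg3 Symbol
FRAME_RE = re.compile(r"^[0-9a-f]{8} [0-9a-f]{8}(?: [0-9a-f]{8}){3} (\S+)$")
FIELD_RE = re.compile(r"^([A-Z_]+):\s*(.+)$")
# Kernel image names on 32-bit Windows XP (a blamed 'nt' is rarely the real culprit)
XP_KERNELS = {"ntoskrnl.exe", "ntkrnlpa.exe", "ntkrnlmp.exe", "ntkrpamp.exe"}


@dataclass
class Triage:
    bugcheck: str = ""
    args: list = field(default_factory=list)
    process: str = ""
    image: str = ""
    bucket: str = ""
    frames: list = field(default_factory=list)      # symbol column of STACK_TEXT
    unresolved: list = field(default_factory=list)  # frames printed as bare 0x... addresses
    warnings: list = field(default_factory=list)


def parse_analyze(text):
    """Parse the parts of an '!analyze -v' report that matter for triage."""
    t = Triage()
    in_stack = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("BugCheck "):
            code, _, rest = line[len("BugCheck "):].partition(",")
            t.bugcheck = code.strip()
            t.args = [a.strip() for a in rest.strip(" {}").split(",")]
            continue
        if line == "STACK_TEXT:":
            in_stack = True
            continue
        if in_stack:
            if line.startswith("WARNING:"):
                t.warnings.append(line)
                continue
            m = FRAME_RE.match(line)
            if m:
                sym = m.group(1)
                t.frames.append(sym)
                if sym.startswith("0x"):   # no module!symbol, only an address
                    t.unresolved.append(sym)
                continue
            in_stack = False               # first non-frame line ends the stack
        m = FIELD_RE.match(line)
        if m:
            key, val = m.groups()
            if key == "PROCESS_NAME":
                t.process = val
            elif key == "IMAGE_NAME":
                t.image = val
            elif key == "FAILURE_BUCKET_ID":
                t.bucket = val
    return t


def kernel_unresolved(t, kernel_start=0x80000000):
    """Unresolved frames in kernel address space. Assumes the default
    2 GB/2 GB split of 32-bit XP; a /3GB boot moves the boundary to 0xC0000000."""
    return [s for s in t.unresolved if int(s, 16) >= kernel_start]


def verdict(t):
    """One-line reading of the report for the analyst."""
    if kernel_unresolved(t):
        return ("kernel frame in no loaded module: faulting code is not backed by a "
                "known driver image; check for an unloaded driver or a rootkit")
    if t.image and t.image.lower() not in XP_KERNELS:
        return "blame third-party module " + t.image
    return "kernel image blamed; examine the caller of " + (t.frames[0] if t.frames else "?")


if __name__ == "__main__":
    r = parse_analyze(SAMPLE_REPORT)
    print(r.bugcheck, r.args, r.process, r.image, r.bucket)
    print("unresolved:", r.unresolved, "kernel:", kernel_unresolved(r))
    print(verdict(r))
```

Run against the first report in this thread, the same parser yields `IMAGE_NAME` atkdisp.dll with no unresolved kernel frames, so `verdict()` points at the third-party driver instead; that contrast is the reason the two dumps were read differently later in the thread.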


#7 usasma

usasma


Posted 16 December 2008 - 02:21 PM

atkdisp.dll is most often associated with an Asus video card - most that I've seen are nVidia based.
CCC.exe is associated with the Catalyst Control Center for ATI based video cards.

What video chipset/video card are you using? Do you have both nVidia and ATI cards installed on the system?
I'd suggest uninstalling the video drivers, rebooting, running the appropriate driver removal tool, rebooting, then downloading and installing the latest version of the ATI/nVidia video drivers.

All of this may be for naught if the system is still infected - please let us know the results of the online scan(s)

#8 Valdr

Valdr

Posted 16 December 2008 - 02:43 PM

I am running an ASUS EAH3870 2X 1GB ATI card.
Video card

I have the latest drivers, and have made no changes to drivers recently, and have made no changes to hardware.

I have run the first & second scan and it found nothing. I am still running the others.

Edited by Valdr, 16 December 2008 - 02:48 PM.


#9 usasma

usasma


Posted 16 December 2008 - 03:15 PM

Some of the posts that I read referred to issues with the Asus software that comes with the card. Have you uninstalled all of that stuff? I'm not familiar with it, but wonder if it hooks into the video drivers. If so, then uninstalling it may not remove everything - so you'd have to uninstall the drivers, run the removal tool, and install new drivers again (after uninstalling the Asus stuff).

No need to run all of the scans - as long as a couple come back clean you can assume you're clean.

#10 Valdr

Valdr

Posted 16 December 2008 - 03:21 PM

I'm not sure which software you're talking about; however, I have not uninstalled anything having to do with the video card.

I just want to ask to make sure I have it correct...

So I uninstall the drivers using the Device Manager.
Then I use the removal tool. (What removal tool are you talking about?)

Then I would need to install the drivers from the CD that came with the card,
then update from the Asus website?

Edited by Valdr, 16 December 2008 - 03:47 PM.


#11 usasma

usasma


Posted 16 December 2008 - 04:00 PM

The Asus stuff that I was referring to is in this thread: http://www.techsupportforum.com/hardware-s...lue-screen.html

You'll have to remove all the Asus stuff (to include any Asus Enhanced drivers) before you can start working on the actual drivers. Once all the Asus stuff is uninstalled:

- uninstall the video drivers (using Add/Remove Programs - not the Device Manager). If it's not listed there, move on to the Catalyst uninstaller.
- reboot
- run the Catalyst uninstaller located here: http://support.ati.com/ics/support/default...questionID=1447
- reboot
- install the latest Display Driver from here: http://game.amd.com/us-en/drivers_catalyst...p=xp/radeonx-xp
- reboot and test.

Edited by usasma, 16 December 2008 - 04:01 PM.


#12 Valdr

Valdr

Posted 16 December 2008 - 05:04 PM

Prior to being able to try what you said, my scanners found that all the rootkits were back, and they come back every time I reboot. I searched the web and was told to use the Windows Recovery Console (as I could not see the files in safe mode). Using the Windows Recovery Console I went in and deleted all the TDSS files (or all that I can find) in the system32 and system32/drivers folders.

I have now rebooted into Windows and have not had a BSOD yet, but it has only been running for about 4 minutes. I will update in about an hour if I have not had a crash.

#13 Valdr

Valdr

Posted 16 December 2008 - 05:22 PM

Everything seems to be working just fine now.

TY for your help.

#14 usasma

usasma


Posted 16 December 2008 - 05:59 PM

I'd suggest running a rootkit scanner such as the free GMER (available here: http://www.gmer.net/index.php )