
Stop 0X0000008E (Driver issue or rootkit?)


4 replies to this topic

#1 adamsmb


  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:49 PM

Posted 09 April 2009 - 11:00 AM

Hello all,

I just worked through fixing a malware issue on my desktop (thanks, boopme), and am now getting some errors that may have been caused by the trojan. I'm regularly getting a bluescreen stop message: 0X0000008E (0XC0000005,0X805844E7,0XB91C0BDC,0X00000000). I've done some searching, and it appears that this can be caused by everything from driver issues to malicious rootkit issues. I'm obviously hoping that I just need to repair some drivers, but I'm not sure how to tell that. Any advice would be very appreciated.


Link to previous malware thread: http://www.bleepingcomputer.com/forums/t/217678/trojan-trdroppergen-or-malsinowa-a/

Thanks,

Matt


#2 adamsmb

  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:49 PM

Posted 13 April 2009 - 08:02 AM

I'll play with Event Viewer tonight to see if I can figure anything out. If anyone has tips on using it, please let me know or post a link to useful info.

Thanks

#3 hamluis

  • Moderator
  • 55,254 posts
  • OFFLINE
  • Gender:Male
  • Location:Killeen, TX
  • Local time:11:49 PM

Posted 13 April 2009 - 09:54 AM

How To Use Event Viewer - http://www.bleepingcomputer.com/forums/t/40108/how-to-use-event-viewer/

Louis

#4 adamsmb

  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:49 PM

Posted 13 April 2009 - 08:18 PM

Thanks for the link. I actually used the Windows Debugger mentioned there, and got the following results. Can anyone help me interpret this, or is using Event Viewer going to be a better option for me?

Microsoft ® Windows Debugger Version 6.11.0001.404 X86
Copyright © Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini040409-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 2600.xpsp_sp2_gdr.080814-1233
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805624a0
Debug session time: Fri Apr 3 23:30:49.625 2009 (GMT-5)
System Uptime: 0 days 2:39:02.375
Loading Kernel Symbols
...............................................................
................................................................
.....................
Loading User Symbols
Loading unloaded module list
............
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000008E, {c0000005, 805844e7, f2f19bdc, 0}

Probably caused by : memory_corruption ( nt!MmDeleteTeb+2e )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 805844e7, The address that the exception occurred at
Arg3: f2f19bdc, Trap Frame
Arg4: 00000000

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
nt!MmDeleteTeb+2e
805844e7 f6472702 test byte ptr [edi+27h],2

TRAP_FRAME: f2f19bdc -- (.trap 0xfffffffff2f19bdc)
ErrCode = 00000000
eax=00000000 ebx=869af4d8 ecx=0007ffac edx=869af504 esi=869af3e8 edi=00000000
eip=805844e7 esp=f2f19c50 ebp=f2f19c64 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!MmDeleteTeb+0x2e:
805844e7 f6472702 test byte ptr [edi+27h],2 ds:0023:00000027=??
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x8E

PROCESS_NAME: svchost.exe

LAST_CONTROL_TRANSFER: from 805845b1 to 805844e7

STACK_TEXT:
f2f19c64 805845b1 869af3e8 7ffac000 84683408 nt!MmDeleteTeb+0x2e
f2f19cf0 8058c845 c0000005 f2f19d4c 804e74b8 nt!PspExitThread+0x517
f2f19cfc 804e74b8 84683408 f2f19d48 f2f19d3c nt!PsExitSpecialApc+0x22
f2f19d4c 804dda0a 00000001 00000000 f2f19d64 nt!KiDeliverApc+0x1af
f2f19d4c 7c90eb94 00000001 00000000 f2f19d64 nt!KiServiceExit+0x59
WARNING: Frame IP not in any known module. Following frames may be wrong.
0124ff80 00000000 00000000 00000000 00000000 0x7c90eb94


STACK_COMMAND: kb

FOLLOWUP_IP:
nt!MmDeleteTeb+2e
805844e7 f6472702 test byte ptr [edi+27h],2

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: nt!MmDeleteTeb+2e

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

DEBUG_FLR_IMAGE_TIMESTAMP: 48a401b1

IMAGE_NAME: memory_corruption

FAILURE_BUCKET_ID: 0x8E_nt!MmDeleteTeb+2e

BUCKET_ID: 0x8E_nt!MmDeleteTeb+2e

Followup: MachineOwner
---------

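Reading a `!analyze -v` transcript like the one above by hand means picking the same handful of fields out every time. As an added example (not part of the original post, and not a Microsoft tool), here is a small Python parser that extracts those fields and states what the dump can and cannot attribute. It embeds an excerpt of the analysis posted above and the STOP line from the first post as its sample input; the `triage` and `same_fault` helpers, their verdict wording, and the assumption that unresolved addresses below 0x80000000 are user-mode (the default 32-bit XP user/kernel split) are this example's own.

```python
"""Read the fields that matter out of a WinDbg ``!analyze -v`` transcript.  Added example for this
thread (not part of the original post and not a Microsoft tool): it parses text WinDbg already produced."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Excerpt of the !analyze -v output posted above, trimmed to what the parser uses.
SAMPLE_ANALYSIS = """\
BugCheck 1000008E, {c0000005, 805844e7, f2f19bdc, 0}
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
FAULTING_IP:
nt!MmDeleteTeb+2e
PROCESS_NAME: svchost.exe
STACK_TEXT:
f2f19c64 805845b1 869af3e8 7ffac000 84683408 nt!MmDeleteTeb+0x2e
f2f19cf0 8058c845 c0000005 f2f19d4c 804e74b8 nt!PspExitThread+0x517
f2f19d4c 7c90eb94 00000001 00000000 f2f19d64 nt!KiServiceExit+0x59
WARNING: Frame IP not in any known module. Following frames may be wrong.
0124ff80 00000000 00000000 00000000 00000000 0x7c90eb94
MODULE_NAME: nt
IMAGE_NAME: memory_corruption
FAILURE_BUCKET_ID: 0x8E_nt!MmDeleteTeb+2e
"""
SAMPLE_STOP_LINE = "0X0000008E (0XC0000005,0X805844E7,0XB91C0BDC,0X00000000)"  # quoted in the first post

NTSTATUS_NAMES = {0xC0000005: "STATUS_ACCESS_VIOLATION", 0x80000003: "STATUS_BREAKPOINT"}
BUGCHECK_RE = re.compile(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}")
STOP_RE = re.compile(r"0[xX]([0-9A-Fa-f]{8})\s*\(([^)]*)\)")
FRAME_RE = re.compile(r"^[0-9a-f]{8} [0-9a-f]{8} (?:[0-9a-f]{8} ){3}(\S+)$")  # ChildEBP RetAddr Args-x3 Symbol
FIELD_RE = re.compile(r"^([A-Z_]+):\s*(.*)$")


@dataclass
class BugcheckReport:
    code: int
    args: List[int]
    fields: Dict[str, str]          # FIELD_NAME: value lines such as PROCESS_NAME
    faulting_symbol: Optional[str]  # the line after FAULTING_IP:
    frames: List[str]               # symbol column of STACK_TEXT, top frame first


def module_of(symbol: str) -> Optional[str]:
    return None if symbol.startswith("0x") else re.split(r"[!+]", symbol, maxsplit=1)[0]  # 'nt!Foo+0x2e' -> 'nt'


def parse_analysis(text: str) -> BugcheckReport:
    """Extract the BugCheck line, FIELD: value lines and the STACK_TEXT frames."""
    fields, frames = {}, []
    code, args, faulting, in_stack = 0, [], None, False
    lines = [ln.rstrip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        m = BUGCHECK_RE.match(line)
        if m:
            code, args = int(m.group(1), 16), [int(a, 16) for a in m.group(2).split(",")]
            continue
        if line == "STACK_TEXT:":
            in_stack = True
            continue
        fm = FRAME_RE.match(line) if in_stack else None
        if fm:
            frames.append(fm.group(1))
            continue
        if line == "FAULTING_IP:" and i + 1 < len(lines):
            faulting = lines[i + 1].strip()  # the symbol sits on the following line
            continue
        fm = FIELD_RE.match(line)
        if fm and fm.group(1) != "WARNING":  # a WARNING: note inside STACK_TEXT does not end it
            fields[fm.group(1)] = fm.group(2).strip()
            in_stack = False  # but any other FIELD: line does
    return BugcheckReport(code, args, fields, faulting, frames)


def triage(report: BugcheckReport) -> Dict[str, object]:
    """Summarise what the dump does, and does not, say about who caused the crash."""
    m = re.search(r"0x([0-9A-Fa-f]+)", report.fields.get("EXCEPTION_CODE", ""))
    exc = int(m.group(1), 16) if m else None
    others = sorted({mod for mod in map(module_of, report.frames) if mod and mod.lower() not in ("nt", "hal")})
    # Unresolved frames below 0x80000000 (the 32-bit XP user/kernel split) are user-mode return addresses.
    user = [s for s in report.frames if module_of(s) is None and int(s, 16) < 0x80000000]
    if others:
        verdict = "non-kernel modules on the stack, look at these first: " + ", ".join(others)
    elif report.fields.get("IMAGE_NAME") == "memory_corruption":
        verdict = "memory_corruption blamed on the kernel and no third-party driver on the stack: not attributable from this dump alone"
    else:
        verdict = "fault attributed to " + report.fields.get("MODULE_NAME", "unknown")
    return {"bugcheck": "0x%X" % (report.code & 0x0FFFFFFF),  # 0x1000008E -> 0x8E (drop the _M variant bit)
            "exception": NTSTATUS_NAMES.get(exc, "0x%08x" % exc) if exc is not None else None,
            "faulting": report.faulting_symbol, "process": report.fields.get("PROCESS_NAME"),
            "non_kernel_modules_on_stack": others, "user_mode_frames": user, "verdict": verdict}


def same_fault(stop_line: str, report: BugcheckReport) -> bool:
    """True when a blue-screen STOP line and a dump share bugcheck code, exception and faulting address;
    Arg3 is the trap-frame address, which legitimately differs between crashes, so it is ignored."""
    m = STOP_RE.search(stop_line)
    if not m:
        raise ValueError("not a STOP line: %r" % stop_line)
    params = [int(p, 16) for p in m.group(2).split(",")]
    return int(m.group(1), 16) == (report.code & 0x0FFFFFFF) and params[:2] == report.args[:2]
```

Run it on a saved transcript with `triage(parse_analysis(open(path).read()))`. On the excerpt above it reports bugcheck 0x8E, exception STATUS_ACCESS_VIOLATION, faulting symbol nt!MmDeleteTeb+2e in svchost.exe, and a verdict that the dump is inconclusive: every resolved frame is in nt, and the one address WinDbg could not map (0x7c90eb94) is below 0x80000000, so it is the exiting thread's user-mode return address rather than a kernel driver. `same_fault` confirms that the STOP line from the first post and this dump agree on the code, exception and faulting address (Arg1 and Arg2) while differing only in the trap-frame address, which is expected across separate crashes.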
#5 adamsmb

  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:49 PM

Posted 13 April 2009 - 08:20 PM

One other thing - I poked around Event Viewer a little bit, and found several errors associated with svchost.exe. Not sure if this is helpful on its own or not.



