
BSoD KERNEL_MODE_EXCEPTION_NOT_HANDLED BCC 0x1000008e BCP1 0xc0000005 win32k.sys


#1 designables


  • Members
  • 1 posts
  • Gender: Female
  • Location: Nashville, TN

Posted 29 May 2015 - 06:13 AM

Hello, my first post. This is someone else's Gateway laptop, Win Vista, which I previously thought I'd cleaned of viruses, etc. They hadn't used it in a while. It had no security and hadn't been updated in forever. I had to turn off updates because they kept causing hangs. It was working fine but very slow until I encountered 4 BSoDs this week, with an automatic restart each time. Sorry, I could not complete the FRST download. Norton would detect a different temp file each time and remove it, and then FRST.exe. So I give you what I have. I read that win32k.sys was malicious (http://www.bleepingcomputer.com/startups/win32k.sys_2-26944.html) and followed directions to make this post. Hope you can instruct me how to safely remove or resolve it. Thanks.
My BlueScreenView report (also see attached Crashlist, Local/Temp and minidump files):
==================================================
Dump File         : Mini052915-01.dmp
Crash Time        : 5/29/2015 1:04:21 AM
Bug Check String  : KERNEL_MODE_EXCEPTION_NOT_HANDLED
Bug Check Code    : 0x1000008e
Parameter 1       : 0xc0000005
Parameter 2       : 0x9c904df8
Parameter 3       : 0xdf8dcae0
Parameter 4       : 0x00000000
Caused By Driver  : win32k.sys
Caused By Address : win32k.sys+94df8
File Description  : Multi-User Win32 Driver
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 6.0.6000.16386 (vista_rtm.061101-2205)
Processor         : 32-bit
Crash Address     : win32k.sys+94df8
Stack Address 1   : win32k.sys+128905
Stack Address 2   : win32k.sys+eaa65
Stack Address 3   : win32k.sys+eabe6
Computer Name     : 
Full Path         : C:\Windows\Minidump\Mini052915-01.dmp
Processors Count  : 2
Major Version     : 15
Minor Version     : 6002
Dump File Size    : 143,224
Dump File Time    : 5/29/2015 1:06:04 AM
==================================================

Edited by hamluis, 30 May 2015 - 07:46 AM.
Moved from MRL to BSOD, Crashes - Hamluis.
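As an added example (not a tool posted by anyone in this thread), here is a small Python decoder for the BlueScreenView report above. It splits the `Key : Value` lines, names the bug check and the exception code carried in Parameter 1, derives the driver's load base from Parameter 2 and the `module+offset` symbol, converts the hex link timestamps of the kind quoted later in the thread (e.g. `55270AAC`) to UTC, and compares the driver's file build with the build number recorded in the dump header. The bug check and NTSTATUS names come from the Windows bug check and NTSTATUS references; the report text is the one posted, trimmed to the fields the decoder uses.

```python
"""Decode a BlueScreenView text report: bug check, exception code, module base.

Added example for this thread. REPORT is the poster's own BlueScreenView
output; the code tables list only the codes handled here.
"""
import re
from datetime import datetime, timezone

# The report as posted (Vista x86 minidump summary), trimmed to the used fields.
REPORT = r"""
Dump File         : Mini052915-01.dmp
Crash Time        : 5/29/2015 1:04:21 AM
Bug Check String  : KERNEL_MODE_EXCEPTION_NOT_HANDLED
Bug Check Code    : 0x1000008e
Parameter 1       : 0xc0000005
Parameter 2       : 0x9c904df8
Parameter 3       : 0xdf8dcae0
Parameter 4       : 0x00000000
Caused By Driver  : win32k.sys
Caused By Address : win32k.sys+94df8
File Version      : 6.0.6000.16386 (vista_rtm.061101-2205)
Crash Address     : win32k.sys+94df8
Minor Version     : 6002
Full Path         : C:\Windows\Minidump\Mini052915-01.dmp
"""

# Bit 28 (0x10000000) marks the "_M" form of a bug check, which has the same
# meaning and parameters as the base code.
BUGCHECK_NAMES = {
    0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0x8E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED",
}
# For 0x8E, Parameter 1 is an NTSTATUS exception code.
EXCEPTION_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0x80000003: "STATUS_BREAKPOINT",
}


def parse_report(text):
    """Turn 'Key : Value' lines into a dict; '=====' separators have no colon."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z0-9 ]+?)\s*:\s?(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def split_symbol(sym):
    """'win32k.sys+94df8' -> ('win32k.sys', 0x94df8)."""
    m = re.match(r"^(.+?)\+([0-9A-Fa-f]+)$", sym)
    if not m:
        return sym, None
    return m.group(1), int(m.group(2), 16)


def decode_bugcheck(fields):
    code = int(fields["Bug Check Code"], 16)
    base = code & ~0x10000000
    name = BUGCHECK_NAMES.get(base, "UNKNOWN_%08X" % base)
    if code & 0x10000000:
        name += "_M"
    params = [int(fields["Parameter %d" % i], 16) for i in range(1, 5)]
    module, offset = split_symbol(fields["Caused By Address"])
    out = {"code": code, "name": name, "module": module, "module_offset": offset}
    if base == 0x8E:
        # 0x8E: P1 = exception code, P2 = address where the exception occurred,
        # P3 = trap frame address, P4 = reserved.
        out["exception_code"] = params[0]
        out["exception_name"] = EXCEPTION_NAMES.get(params[0], "unknown NTSTATUS")
        out["fault_address"] = params[1]
        out["trap_frame"] = params[2]
        # BlueScreenView symbolizes P2 as module+offset, so the module's load
        # base follows: 0x9c904df8 - 0x94df8 = 0x9c870000 for this report.
        if offset is not None:
            out["module_base"] = params[1] - offset
    return out


def pe_timestamp_to_utc(hex_ts):
    """PE link timestamp as the debugger prints it (e.g. '55270AAC') -> UTC datetime."""
    return datetime.fromtimestamp(int(hex_ts, 16), tz=timezone.utc)


def build_mismatch(fields):
    """True when the driver's file build differs from the kernel build in the dump header."""
    file_build = int(fields["File Version"].split(".")[2])
    return file_build != int(fields["Minor Version"])


if __name__ == "__main__":
    f = parse_report(REPORT)
    d = decode_bugcheck(f)
    print(d["name"], d["exception_name"], hex(d["fault_address"]), hex(d["module_base"]))
    print(pe_timestamp_to_utc("55270AAC").isoformat(), "build mismatch:", build_mismatch(f))
```

Two points the decoder makes visible that the raw report does not: the "+94df8" offset is an offset into a legitimately loaded `win32k.sys` image (base 0x9c870000), not evidence of a rogue file, and the file build (6000, Vista RTM) is below the build in the dump header (6002, Vista SP2), which fits the poster's remark that updates had been turned off.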



#2 thisisu


  • Malware Response Team
  • 2,525 posts
  • Gender: Male
  • Location: USA

Posted 31 May 2015 - 02:40 PM

Hi,

 

win32k.sys is a legit Windows file. The link you provided suggests that win32k.sys is in a different directory and uses an alternate data stream to disguise itself. This isn't the case with your computer so please do not worry about this!

 

0x8e dumps, all of them

 

Run Memtest for 8 passes, and let me know the number of errors (if any) that were found.

Memtest86+:

Download Memtest86+ here:

Memtest86+ - Advanced Memory Diagnostic Tool

Which should I download?

You can either download the pre-compiled .ISO that you would burn to a CD and then boot from the CD, or you can download the auto-installer for the USB key. What this will do is format your USB drive, make it a bootable device, and then install the necessary files. Both do the same job, it's just up to you which you choose, or which you have available (whether it's CD or USB).

Do note that some older generation motherboards do not support USB-based booting, therefore your only option is CD (or Floppy if you really wanted to).

How Memtest works (you don't need to read, it's only for those interested in the specifics):

Memtest uses algorithms (specifically two), namely moving inversion & what is deemed Modulo-X. Essentially, the first algorithm fills the memory with a pattern. Starting at the low address, it checks to see if the pattern was changed (it should not have been), writes the pattern's complement, increments the address, and repeats. Starting at the highest address (as opposed to the lowest), it follows the same checklist.

The reason for the second algorithm is due to a few limitations, with the first being that not all adjacent cells are being tested for interaction due to modern chips being 4 to 16 bits wide regarding data storage. With that said, patterns are used to go ahead and ensure that all adjacent cells have at least been written with all possible one and zero combinations.

The second is that caching, buffering and out-of-order execution will interfere with the moving inversions algorithm. However, the second algorithm used is not affected by this. For starting offsets of 0-20, the algorithm will write every 20th location with a pattern, write all other locations with the pattern's complement, repeat the previous one (or more) times, and then check every 20th location for the previously mentioned pattern.

Now that you know how Memtest actually works, it's important to know that the tests it goes through all mean something different. It goes from Test 0 through Test 12, many of which use either one or the other algorithm discussed above, among many other things.

Any other questions can most likely be answered by reading this great guide: FAQ : please read before posting

 

 

___

{d1bdfa01-5a9a-448b-bb7a-b6dc6b34803d}Gt.sys   Thu Apr  9 18:26:36 2015 (55270AAC)

^ Adware-related service and driver. -> http://www.herdprotect.com/d1bdfa01-5a9a-448b-bb7a-b6dc6b34803dgt.sys-7e8029f2983526e78b69a2934d229db3da2887bb.aspx

smw.sys                                        Tue Apr  7 05:21:21 2015 (5523AFA1)

^ and another one -> http://www.herdprotect.com/smw.sys-e2f5b02b848017ea246082d91e40eab17b90a0a0.aspx

 

Your primary problem could be RAM, but you should get cleaned up over at Am I infected? What do I do? or Virus, Trojan, Spyware, and Malware Removal Logs


Edited by thisisu, 31 May 2015 - 02:48 PM.
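As an added illustration of the two Memtest algorithms described in the reply above (this is not Memtest86+ code, which runs on bare metal in C with caching disabled), the Python model below performs the moving-inversions sweeps and the modulo-20 pass exactly as the reply lays them out, against a small word-addressable RAM with two constructed faults: a bit stuck at 0 in one word and a neighbouring-cell coupling in which writing one word copies a bit into the next. The `SimulatedRAM` class, the fault model and the addresses are all invented for the example.

```python
"""Simulated moving-inversions and modulo-X memory tests.

Added example modelling the two algorithms described in the reply; the RAM,
its faults and the addresses are constructed for illustration.
"""
WORD_MASK = 0xFFFFFFFF


class SimulatedRAM:
    """Word-addressable memory with two constructed fault types:
    stuck_low : {addr: mask} bits that always read back as 0
    coupling  : {aggressor: (victim, mask)} writing the aggressor copies the
                masked bits of the written value into the victim cell"""

    def __init__(self, size, stuck_low=None, coupling=None):
        self.cells = [0] * size
        self.stuck_low = stuck_low or {}
        self.coupling = coupling or {}

    def __len__(self):
        return len(self.cells)

    def write(self, addr, value):
        value &= WORD_MASK
        self.cells[addr] = value & ~self.stuck_low.get(addr, 0) & WORD_MASK
        if addr in self.coupling:
            victim, mask = self.coupling[addr]
            self.cells[victim] = (self.cells[victim] & ~mask & WORD_MASK) | (value & mask)

    def read(self, addr):
        return self.cells[addr]


def moving_inversions(mem, pattern):
    """Fill with pattern; sweep low->high checking pattern and writing the
    complement; sweep high->low checking the complement and restoring pattern."""
    comp = ~pattern & WORD_MASK
    bad = set()
    for a in range(len(mem)):
        mem.write(a, pattern)
    for a in range(len(mem)):
        if mem.read(a) != pattern:
            bad.add(a)
        mem.write(a, comp)
    for a in reversed(range(len(mem))):
        if mem.read(a) != comp:
            bad.add(a)
        mem.write(a, pattern)
    return bad


def modulo_x(mem, pattern, x=20, repeats=2):
    """For each offset 0..x-1: write pattern to every x-th cell, write the
    complement to every other cell (repeated), then check the x-th cells."""
    comp = ~pattern & WORD_MASK
    bad = set()
    for offset in range(x):
        for a in range(offset, len(mem), x):
            mem.write(a, pattern)
        for _ in range(repeats):
            for a in range(len(mem)):
                if a % x != offset:
                    mem.write(a, comp)
        for a in range(offset, len(mem), x):
            if mem.read(a) != pattern:
                bad.add(a)
    return bad


def run_suite(mem, patterns=(0x00000000, 0xFFFFFFFF, 0xAAAAAAAA, 0x55555555)):
    """Run both algorithms with several patterns; the union is what a pass reports."""
    bad = set()
    for p in patterns:
        bad |= moving_inversions(mem, p)
        bad |= modulo_x(mem, p)
    return bad


def make_faulty_ram():
    """64 words: bit 4 of word 5 stuck at 0; word 40 couples bit 31 into word 41."""
    return SimulatedRAM(64, stuck_low={5: 0x10}, coupling={40: (41, 0x80000000)})


if __name__ == "__main__":
    print("clean RAM :", sorted(run_suite(SimulatedRAM(64))))
    print("faulty RAM:", sorted(run_suite(make_faulty_ram())))
```

Running it shows why Memtest cycles through many patterns and both algorithms rather than one: with the all-zero pattern the modulo-20 pass never writes a 1 into the stuck cell's checked state and so misses word 5, while moving inversions catches it because the complement sweep writes ones to every cell; the coupling fault at word 41 is only exposed when the aggressor at word 40 is written with a value whose bit 31 differs from the pattern in the victim. The union over all patterns reports both faulty words.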
