BSOD 0x0000008E 0xC0000005... troubling for a month

Discussion in 'Malware Help (A Specialist Will Reply)' started by Herbert2007, May 14, 2007.

  1. Herbert2007

    Herbert2007 Private E-2

    Hi, I'm new to this forum. A million thanks for any help I can get.

    Last month my computer was infected with a virus named Trojan.Spam.RUCrzy. It drops ndis.sys into system32\drivers and closes the internet connection at about 30-minute intervals. I scanned with AVG and other spyware removers. This problem is solved now, as no more of those strange files have been found and the internet connection has been normal in the following weeks.

    OK, the problem NOW is BSOD!!!!! I don't know if the BSOD is related to that virus or not. Since the BSOD has appeared every day since the virus was cleaned, I suspect so.

    I searched a number of forums and downloaded a number of registry cleaners, but no success yet. Here I attached the minidumps generated today, as today I've found some important clues. All the minidumps (today I got 4 BSODs) have the following lines:

    \ D o s D e v i c e s \ p o o f p o o f
    \ R e g i s t r y \ M a c h i n e \ S y s t e m \ C u r r e n t C o n t r o l S e t \ S e r v i c e s \ K p r o f \ D r i v e r \ K p r o f \ B a s e N a m e d O b j e c t s \ S C _ A u t o S t a r t C o m p l e t e k o o s . e x e

    Then I googled koos.exe and poofpoof. The results say that it's malware. Googling poofpoof only gives me a few search results. One of them is:

    http://www.geocities.jp/kiskzo/poof.html

    It just shows that these things are hidden registry entries and processes and are detected as a virus... Then what can I do now? How can I find a hidden registry entry?

    BTW, I'm posting here the minidump debug log generated a few days ago. It doesn't show those registry entries.

    I'd appreciate it very much, like praying to God, as the computer is at my office. It's so important to me.


    Opened log file 'e:\debuglog.txt'
    1: kd> .sympath srv*e:\symbols*http://msdl.microsoft.com/download/symbols
    Symbol search path is: srv*e:\symbols*http://msdl.microsoft.com/download/symbols
    1: kd> .reload;!analyze -v;r;kv;lmnt;logclose;q
    Loading Kernel Symbols
    ......................................................................................................................
    Loading User Symbols
    Loading unloaded module list
    .......................
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
    This is a very common bugcheck. Usually the exception address pinpoints
    the driver/function that caused the problem. Always note this address
    as well as the link date of the driver/image that contains this address.
    Some common problems are exception code 0x80000003. This means a hard
    coded breakpoint or assertion was hit, but this system was booted
    /NODEBUG. This is not supposed to happen as developers should never have
    hardcoded breakpoints in retail code, but ...
    If this happens, make sure a debugger gets connected, and the
    system is booted /DEBUG. This will let us see why this breakpoint is
    happening.
    Arguments:
    Arg1: c0000005, The exception code that was not handled
    Arg2: f77e9c86, The address that the exception occurred at
    Arg3: b84f5cb0, Trap Frame
    Arg4: 00000000

    Debugging Details:
    ------------------


    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx"

    FAULTING_IP:
    +fffffffff77e9c86
    f77e9c86 033e add edi,dword ptr [esi]

    TRAP_FRAME: b84f5cb0 -- (.trap ffffffffb84f5cb0)
    .trap ffffffffb84f5cb0
    ErrCode = 00000000
    eax=01d71b20 ebx=00000000 ecx=f77e9b6d edx=00000000 esi=023b260a edi=00640aea
    eip=f77e9c86 esp=b84f5d24 ebp=b84f5d30 iopl=0 nv up ei pl nz na po nc
    cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
    f77e9c86 033e add edi,dword ptr [esi] ds:0023:023b260a=????????
    .trap
    Resetting default scope

    DEFAULT_BUCKET_ID: DRIVER_FAULT

    BUGCHECK_STR: 0x8E

    PROCESS_NAME: svchost.exe

    LAST_CONTROL_TRANSFER: from 8054060c to f77e9c86

    STACK_TEXT:
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    b84f5d30 8054060c 00001164 00000000 00000000 0xf77e9c86
    b84f5d30 7c90eb94 00001164 00000000 00000000 nt!KiFastCallEntry+0xfc
    0087fb00 00000000 00000000 00000000 00000000 0x7c90eb94


    STACK_COMMAND: kb

    FOLLOWUP_IP:
    nt!KiFastCallEntry+fc
    8054060c 8be5 mov esp,ebp

    SYMBOL_STACK_INDEX: 1

    SYMBOL_NAME: nt!KiFastCallEntry+fc

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: nt

    IMAGE_NAME: ntkrpamp.exe

    DEBUG_FLR_IMAGE_TIMESTAMP: 42250a1e

    FAILURE_BUCKET_ID: 0x8E_nt!KiFastCallEntry+fc

    BUCKET_ID: 0x8E_nt!KiFastCallEntry+fc

    Followup: MachineOwner
    ---------

    eax=01d71b20 ebx=00000000 ecx=f77e9b6d edx=00000000 esi=023b260a edi=00640aea
    eip=f77e9c86 esp=b84f5d24 ebp=b84f5d30 iopl=0 nv up ei pl nz na po nc
    cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
    f77e9c86 033e add edi,dword ptr [esi] ds:0023:023b260a=????????
    ChildEBP RetAddr Args to Child
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    b84f5d30 8054060c 00001164 00000000 00000000 0xf77e9c86
    b84f5d30 7c90eb94 00001164 00000000 00000000 nt!KiFastCallEntry+0xfc (FPO: [0,0] TrapFrame @ b84f5d64)
    0087fb00 00000000 00000000 00000000 00000000 0x7c90eb94
    start end module name
    804d7000 806e2000 nt ntkrpamp.exe Wed Mar 02 08:34:38 2005 (42250A1E)
    806e2000 80702d00 hal halmacpi.dll Wed Aug 04 13:59:09 2004 (41107B2D)
    b7802000 b782bf00 kmixer kmixer.sys Wed Aug 04 14:07:46 2004 (41107D32)
    b7c40000 b7c57480 dump_atapi dump_atapi.sys Wed Aug 04 13:59:41 2004 (41107B4D)
    b7ea2000 b7ee2100 HTTP HTTP.sys Sat Oct 09 07:48:20 2004 (41672744)
    b836b000 b83856e0 naiavf5x naiavf5x.sys Fri Aug 20 19:42:57 2004 (4125E3C1)
    b83a2000 b83a4080 EntDrv51 EntDrv51.sys Wed Jul 28 15:16:16 2004 (410752C0)
    b84fa000 b84fcbc0 secdrv secdrv.sys Mon Jul 01 16:46:43 2002 (3D2016F3)
    b8abb000 b8acf400 wdmaud wdmaud.sys Wed Aug 04 14:15:03 2004 (41107EE7)
    b8be8000 b8c3a180 srv srv.sys Wed Aug 04 14:14:44 2004 (41107ED4)
    b8d53000 b8d7f400 mrxdav mrxdav.sys Wed Aug 04 14:00:49 2004 (41107B91)
    b8f68000 b8f76d80 sysaudio sysaudio.sys Wed Aug 04 14:15:54 2004 (41107F1A)
    bf800000 bf9c0500 win32k win32k.sys Wed Mar 02 09:06:42 2005 (422511A2)
    bf9c1000 bf9d2580 dxg dxg.sys Wed Aug 04 14:00:51 2004 (41107B93)
    bf9d3000 bfa0e000 ati2dvag ati2dvag.dll Wed Mar 23 11:01:17 2005 (4240DBFD)
    bfa0e000 bfa40000 ati2cqag ati2cqag.dll Wed Mar 23 10:23:43 2005 (4240D32F)
    bfa40000 bfa72000 atikvmag atikvmag.dll Wed Mar 23 10:29:47 2005 (4240D49B)
    bfa72000 bfca2440 ati3duag ati3duag.dll Wed Mar 23 10:47:12 2005 (4240D8B0)
    bfca3000 bfd37ba0 ativvaxx ativvaxx.dll Wed Mar 23 10:41:05 2005 (4240D741)
    bffa0000 bffe5c00 ATMFD ATMFD.DLL Wed Aug 04 15:56:56 2004 (411096C8)
    eec19000 eec87400 mrxsmb mrxsmb.sys Wed Jan 19 12:26:50 2005 (41EDE18A)
    eecb0000 eecdaa00 rdbss rdbss.sys Thu Oct 28 09:13:57 2004 (418047D5)
    eecdb000 eecfcd00 afd afd.sys Wed Aug 04 14:14:13 2004 (41107EB5)
    eecfd000 eed24c00 netbt netbt.sys Wed Aug 04 14:14:36 2004 (41107ECC)
    eed25000 eed7cd80 tcpip tcpip.sys Mon Mar 14 08:55:05 2005 (4234E0E9)
    eed7d000 eed8f400 ipsec ipsec.sys Wed Aug 04 14:14:27 2004 (41107EC3)
    f6e98000 f6ecb200 update update.sys Wed Aug 04 13:58:32 2004 (41107B08)
    f6ecc000 f6ece900 Dxapi Dxapi.sys Sat Aug 18 04:53:19 2001 (3B7D843F)
    f6ee8000 f6eeaf80 mouhid mouhid.sys Sat Aug 18 04:47:57 2001 (3B7D82FD)
    f6ef0000 f6ef2580 hidusb hidusb.sys Sat Aug 18 05:02:16 2001 (3B7D8658)
    f6ef4000 f6f24100 rdpdr rdpdr.sys Wed Aug 04 14:01:10 2004 (41107BA6)
    f6f25000 f6f35e00 psched psched.sys Wed Aug 04 14:04:16 2004 (41107C60)
    f6f36000 f6f4c680 ndiswan ndiswan.sys Wed Aug 04 14:14:30 2004 (41107EC6)
    f6f4d000 f6f60900 parport parport.sys Wed Aug 04 13:59:04 2004 (41107B28)
    f6f61000 f6f83680 ks ks.sys Wed Aug 04 14:15:20 2004 (41107EF8)
    f6f84000 f6fa7980 portcls portcls.sys Wed Aug 04 14:15:47 2004 (41107F13)
    f6fa8000 f703d800 smwdm smwdm.sys Sat Apr 10 00:41:29 2004 (4076D239)
    f703e000 f705a000 b57xp32 b57xp32.sys Fri May 07 07:12:09 2004 (409AC649)
    f705a000 f707ce80 USBPORT USBPORT.SYS Wed Aug 04 14:08:34 2004 (41107D62)
    f707d000 f7090780 VIDEOPRT VIDEOPRT.SYS Wed Aug 04 14:07:04 2004 (41107D08)
    f7091000 f7197000 ati2mtag ati2mtag.sys Wed Mar 23 11:00:57 2005 (4240DBE9)
    f71b7000 f71b9580 ndistapi ndistapi.sys Sat Aug 18 04:55:29 2001 (3B7D84C1)
    f71d0000 f71d2f80 fsvga fsvga.sys Sat Aug 18 04:57:21 2001 (3B7D8531)
    f71dc000 f71df580 NscTpmDD NscTpmDD.sys Wed May 19 18:41:25 2004 (40AB39D5)
    f71e8000 f71ebc80 serenum serenum.sys Wed Aug 04 13:59:06 2004 (41107B2A)
    f7218000 f7232580 Mup Mup.sys Wed Aug 04 14:15:20 2004 (41107EF8)
    f7233000 f725fa80 NDIS NDIS.sys Wed Aug 04 14:14:27 2004 (41107EC3)
    f7260000 f72ec480 Ntfs Ntfs.sys Wed Aug 04 14:15:06 2004 (41107EEA)
    f72ed000 f7303780 KSecDD KSecDD.sys Wed Aug 04 13:59:45 2004 (41107B51)
    f7304000 f7315f00 sr sr.sys Wed Aug 04 14:06:22 2004 (41107CDE)
    f7316000 f7334780 fltmgr fltmgr.sys Wed Aug 04 14:01:17 2004 (41107BAD)
    f7335000 f734c800 SCSIPORT SCSIPORT.SYS Wed Aug 04 13:59:39 2004 (41107B4B)
    f734d000 f7364480 atapi atapi.sys Wed Aug 04 13:59:41 2004 (41107B4D)
    f7365000 f738a700 dmio dmio.sys Wed Aug 04 14:07:13 2004 (41107D11)
    f738b000 f73a9880 ftdisk ftdisk.sys Sat Aug 18 04:52:41 2001 (3B7D8419)
    f73aa000 f73baa80 pci pci.sys Wed Aug 04 14:07:45 2004 (41107D31)
    f73bb000 f73e8d80 ACPI ACPI.sys Wed Aug 04 14:07:35 2004 (41107D27)
    f73e9000 f740ee00 d347bus d347bus.sys Sun Aug 22 21:31:09 2004 (4128A01D)
    f7510000 f7518c00 isapnp isapnp.sys Sat Aug 18 04:58:01 2001 (3B7D8559)
    f7520000 f752a500 MountMgr MountMgr.sys Wed Aug 04 13:58:29 2004 (41107B05)
    f7530000 f753cc80 VolSnap VolSnap.sys Wed Aug 04 14:00:14 2004 (41107B6E)
    f7540000 f7548e00 disk disk.sys Wed Aug 04 13:59:53 2004 (41107B59)
    f7550000 f755c200 CLASSPNP CLASSPNP.SYS Wed Aug 04 14:14:26 2004 (41107EC2)
    f7570000 f757a200 raspppoe raspppoe.sys Wed Aug 04 14:05:06 2004 (41107C92)
    f7580000 f758bd00 raspptp raspptp.sys Wed Aug 04 14:14:26 2004 (41107EC2)
    f7590000 f7598900 msgpc msgpc.sys Wed Aug 04 14:04:11 2004 (41107C5B)
    f75a0000 f75a9f00 termdd termdd.sys Wed Aug 04 13:58:52 2004 (41107B1C)
    f75b0000 f75b9480 NDProxy NDProxy.SYS Sat Aug 18 04:55:30 2001 (3B7D84C2)
    f75e0000 f75ee100 usbhub usbhub.sys Wed Aug 04 14:08:40 2004 (41107D68)
    f7610000 f7618700 wanarp wanarp.sys Wed Aug 04 14:04:57 2004 (41107C89)
    f7620000 f7628700 netbios netbios.sys Wed Aug 04 14:03:19 2004 (41107C27)
    f7640000 f7648880 Fips Fips.SYS Sat Aug 18 09:31:49 2001 (3B7DC585)
    f7660000 f7668d80 HIDCLASS HIDCLASS.SYS Wed Aug 04 14:08:18 2004 (41107D52)
    f7670000 f767f900 Cdfs Cdfs.SYS Wed Aug 04 14:14:09 2004 (41107EB1)
    f7710000 f7718d00 intelppm intelppm.sys Wed Aug 04 13:59:19 2004 (41107B37)
    f7720000 f772eb80 drmk drmk.sys Wed Aug 04 14:07:54 2004 (41107D3A)
    f7730000 f773ce00 i8042prt i8042prt.sys Wed Aug 04 14:14:36 2004 (41107ECC)
    f7740000 f774fd80 serial serial.sys Wed Aug 04 14:15:51 2004 (41107F17)
    f7750000 f775a380 imapi imapi.sys Wed Aug 04 14:00:12 2004 (41107B6C)
    f7760000 f776c180 cdrom cdrom.sys Wed Aug 04 13:59:52 2004 (41107B58)
    f7770000 f777e080 redbook redbook.sys Wed Aug 04 13:59:34 2004 (41107B46)
    f7780000 f778c880 rasl2tp rasl2tp.sys Wed Aug 04 14:14:21 2004 (41107EBD)
    f7790000 f7796200 PCIIDEX PCIIDEX.SYS Wed Aug 04 13:59:40 2004 (41107B4C)
    f7798000 f779c900 PartMgr PartMgr.sys Sat Aug 18 09:32:23 2001 (3B7DC5A7)
    f77a0000 f77a4e20 PxHelp20 PxHelp20.sys Wed Feb 02 07:23:42 2005 (42000F7E)
    f77e0000 f77e5200 vga vga.sys Wed Aug 04 14:07:06 2004 (41107D0A)
    f77f0000 f77f4a80 Msfs Msfs.SYS Wed Aug 04 14:00:37 2004 (41107B85)
    f7800000 f7807880 Npfs Npfs.SYS Wed Aug 04 14:00:38 2004 (41107B86)
    f7820000 f7826180 HIDPARSE HIDPARSE.SYS Wed Aug 04 14:08:15 2004 (41107D4F)
    f7840000 f7844500 watchdog watchdog.sys Wed Aug 04 14:07:32 2004 (41107D24)
    f7880000 f7885000 usbuhci usbuhci.sys Wed Aug 04 14:08:34 2004 (41107D62)
    f7888000 f788e800 usbehci usbehci.sys Wed Aug 04 14:08:34 2004 (41107D62)
    f7898000 f789e000 kbdclass kbdclass.sys Wed Aug 04 13:58:32 2004 (41107B08)
    f78a8000 f78aeb00 fdc fdc.sys Wed Aug 04 13:59:25 2004 (41107B3D)
    f78e0000 f78e4880 TDI TDI.SYS Wed Aug 04 14:07:47 2004 (41107D33)
    f78f0000 f78f4580 ptilink ptilink.sys Sat Aug 18 04:49:53 2001 (3B7D8371)
    f7900000 f7904080 raspti raspti.sys Sat Aug 18 04:55:32 2001 (3B7D84C4)
    f7908000 f790da00 mouclass mouclass.sys Wed Aug 04 13:58:32 2004 (41107B08)
    f7918000 f791d000 flpydisk flpydisk.sys Wed Aug 04 13:59:24 2004 (41107B3C)
    f7920000 f7923000 BOOTVID BOOTVID.dll Sat Aug 18 04:49:09 2001 (3B7D8345)
    f79c8000 f79cbc80 mssmbios mssmbios.sys Wed Aug 04 14:07:47 2004 (41107D33)
    f7a08000 f7a0a280 rasacd rasacd.sys Sat Aug 18 04:55:39 2001 (3B7D84CB)
    f7a10000 f7a11b80 kdcom kdcom.dll Sat Aug 18 04:49:10 2001 (3B7D8346)
    f7a12000 f7a13100 WMILIB WMILIB.SYS Sat Aug 18 05:07:23 2001 (3B7D878B)
    f7a14000 f7a15580 intelide intelide.sys Wed Aug 04 13:59:40 2004 (41107B4C)
    f7a16000 f7a17700 dmload dmload.sys Sat Aug 18 04:58:15 2001 (3B7D8567)
    f7a18000 f7a19480 d347prt d347prt.sys Sun Aug 22 21:31:48 2004 (4128A044)
    f7a2e000 f7a2f120 aeaudio aeaudio.sys Mon Apr 01 22:39:14 2002 (3CA87112)
    f7a34000 f7a35100 swenum swenum.sys Wed Aug 04 13:58:41 2004 (41107B11)
    f7a3a000 f7a3b280 USBD USBD.SYS Sat Aug 18 05:02:58 2001 (3B7D8682)
    f7a3e000 f7a3ff00 Fs_Rec Fs_Rec.SYS Sat Aug 18 04:49:37 2001 (3B7D8361)
    f7a42000 f7a43080 Beep Beep.SYS Sat Aug 18 04:47:33 2001 (3B7D82E5)
    f7a46000 f7a47080 mnmdd mnmdd.SYS Sat Aug 18 04:57:28 2001 (3B7D8538)
    f7a4a000 f7a4b080 RDPCDD RDPCDD.sys Sat Aug 18 04:46:56 2001 (3B7D82C0)
    f7a52000 f7a53100 dump_WMILIB dump_WMILIB.SYS Sat Aug 18 05:07:23 2001 (3B7D878B)
    f7ad8000 f7ad8d00 pciide pciide.sys Sat Aug 18 04:51:49 2001 (3B7D83E5)
    f7b2d000 f7b2dd00 dxgthk dxgthk.sys Sat Aug 18 04:53:12 2001 (3B7D8438)
    f7bdb000 f7bdbc00 audstub audstub.sys Sat Aug 18 04:59:40 2001 (3B7D85BC)
    f7c18000 f7c18b80 Null Null.SYS Sat Aug 18 04:47:39 2001 (3B7D82EB)

    Unloaded modules:
    b7802000 b782c000 kmixer.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    b7802000 b782c000 kmixer.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    b7802000 b782c000 kmixer.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    b7a0c000 b7a36000 kmixer.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    b7a0c000 b7a36000 kmixer.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    b7a0c000 b7a36000 kmixer.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    b7a0c000 b7a36000 kmixer.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    b7a0c000 b7a36000 kmixer.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    b7a0c000 b7a36000 kmixer.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    b7c16000 b7c40000 kmixer.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    b7c40000 b7c58000 dump_atapi.s
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    b7d9a000 b7db2000 dump_atapi.s
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    b7d48000 b7d72000 kmixer.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    b89ce000 b89f8000 kmixer.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    eec01000 eec19000 dump_atapi.s
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f7bd1000 f7bd2000 drmkaud.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    b8e38000 b8e45000 DMusic.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    b8a98000 b8abb000 aec.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f6dd8000 f6de6000 swmidi.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f7ad6000 f7ad8000 splitter.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f7630000 f7639000 processr.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f77d8000 f77dd000 Cdaudio.SYS
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f7a00000 f7a03000 Sfloppy.SYS
    Timestamp: unavailable (00000000)
    Checksum: 00000000


    It says that svchost.exe is the process and it's a driver fault. So I tried to narrow down the causes of the errors, eliminating hardware issues and temperature (actually it's really very cold at my office, sometimes it's 15 degrees or even lower).
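
An added example, not part of the original post or of the debugger's output: a Python triage of the log above that takes the faulting address from Arg2 and checks whether it lies inside any module range in the `lmnt` listing or the unloaded-module list. The sample lines are copied from the post's log; the function names are assumptions of this example.

```python
import re

# Lines copied from the debug log in the post above (a subset of the listing).
SAMPLE_LOG = """\
Arg2: f77e9c86, The address that the exception occurred at
start end module name
804d7000 806e2000 nt ntkrpamp.exe Wed Mar 02 08:34:38 2005 (42250A1E)
f77a0000 f77a4e20 PxHelp20 PxHelp20.sys Wed Feb 02 07:23:42 2005 (42000F7E)
f77e0000 f77e5200 vga vga.sys Wed Aug 04 14:07:06 2004 (41107D0A)
f77f0000 f77f4a80 Msfs Msfs.SYS Wed Aug 04 14:00:37 2004 (41107B85)
Unloaded modules:
f77d8000 f77dd000 Cdaudio.SYS
Timestamp: unavailable (00000000)
Checksum: 00000000
"""

# For bugcheck 0x8E the log labels Arg2 as the address of the exception.
FAULT_RE = re.compile(r"^Arg2:\s*([0-9a-fA-F]{8})\b")
# "start end name ..." rows; only trusted once a module section has begun,
# because stack-trace rows also begin with two 8-digit hex words.
RANGE_RE = re.compile(r"^([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})\s+(\S+)")


def parse_log(text):
    """Return (fault_address, [(start, end, name, section), ...])."""
    fault, modules, section = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("start") and "module name" in line:
            section = "loaded"
            continue
        if line.startswith("Unloaded modules"):
            section = "unloaded"
            continue
        m = FAULT_RE.match(line)
        if m:
            fault = int(m.group(1), 16)
            continue
        m = RANGE_RE.match(line) if section else None
        if m:
            modules.append((int(m[1], 16), int(m[2], 16), m[3], section))
    return fault, modules


def locate(addr, modules):
    """Name the module that contains addr, or the loaded neighbours of the gap."""
    for start, end, name, section in modules:
        if start <= addr < end:
            return {"owner": name, "section": section, "offset": addr - start}
    loaded = [m for m in modules if m[3] == "loaded"]
    below = max((m for m in loaded if m[1] <= addr), default=None)
    above = min((m for m in loaded if m[0] > addr), default=None)
    return {"owner": None,
            "below": below and below[2],
            "above": above and above[2]}


if __name__ == "__main__":
    fault, modules = parse_log(SAMPLE_LOG)
    print(hex(fault), locate(fault, modules))
```

Run against the full listing in the post, the address f77e9c86 falls in the gap between vga.sys and Msfs.SYS and in no unloaded range, which is what the debugger's "Frame IP not in any known module" warning reports.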
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Due to the infection that you said you had, it would be best if you ran through our full standard cleaning procedure given below and then attach the requested logs. The infection you mentioned can deposit a bunch of bad files on your system. We need to make sure all of them are gone.

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, renaming, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy - only for Windows XP, 2K, & NT users
      • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy. - only for Windows XP, 2K, & NT users
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
