BSOD debugged but what is vdo_5d8a-37c8.sys

Discussion in 'Software' started by AIstudioLtd, Nov 16, 2007.

  1. AIstudioLtd

    AIstudioLtd Private E-2

    Hi Guys,
    Forgive me if I am in the wrong forum section. I am assuming that this is a software issue?? I have been getting the BSOD for quite a while now and can't remember it starting after installing anything. I am always putting things on my system and removing them later on. This may be self-inflicted :confused

    Anyway, I have installed the tools and analysed the mini dump.

    Here it is below

    Microsoft (R) Windows Debugger Version 6.8.0004.0 X86
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [C:\WINDOWS\Minidump\Mini111607-04.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available

    Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is:
    Windows XP Kernel Version 2600 (Service Pack 2) MP (4 procs) Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 2600.xpsp_sp2_gdr.070227-2254
    Kernel base = 0x804d7000 PsLoadedModuleList = 0x805624a0
    Debug session time: Fri Nov 16 13:33:33.218 2007 (GMT+0)
    System Uptime: 0 days 0:07:16.231
    Loading Kernel Symbols
    ......................................................................................................................................
    Loading User Symbols
    Loading unloaded module list
    ..
    Unable to load image vdo_5d8a-37c8.sys, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for vdo_5d8a-37c8.sys
    *** ERROR: Module load completed but symbols could not be loaded for vdo_5d8a-37c8.sys
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 10000050, {e391c000, 0, 804fb799, 1}


    Could not read faulting driver name


    Probably caused by : vdo_5d8a-37c8.sys ( vdo_5d8a_37c8+99b )

    Followup: MachineOwner
    ---------

    3: kd> !analyze -v
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    PAGE_FAULT_IN_NONPAGED_AREA (50)
    Invalid system memory was referenced. This cannot be protected by try-except,
    it must be protected by a Probe. Typically the address is just plain bad or it
    is pointing at freed memory.
    Arguments:
    Arg1: e391c000, memory referenced.
    Arg2: 00000000, value 0 = read operation, 1 = write operation.
    Arg3: 804fb799, If non-zero, the instruction address which referenced the bad memory
    address.
    Arg4: 00000001, (reserved)

    Debugging Details:
    ------------------


    Could not read faulting driver name



    READ_ADDRESS: e391c000

    FAULTING_IP:
    nt!wcsncpy+16
    804fb799 668b02 mov ax,word ptr [edx]

    MM_INTERNAL_CODE: 1

    CUSTOMER_CRASH_COUNT: 4

    DEFAULT_BUCKET_ID: COMMON_SYSTEM_FAULT

    BUGCHECK_STR: 0x50

    PROCESS_NAME: System

    LOCK_ADDRESS: 805604e0 -- (!locks 805604e0)

    Resource @ nt!PiEngineLock (0x805604e0) Available

    WARNING: SystemResourcesList->Flink chain invalid. Resource may be corrupted, or already deleted.


    WARNING: SystemResourcesList->Blink chain invalid. Resource may be corrupted, or already deleted.

    1 total locks

    PNP_TRIAGE:
    Lock address : 0x805604e0
    Thread Count : 0
    Thread address: 0x00000000
    Thread wait : 0x0

    LAST_CONTROL_TRANSFER: from baa6599b to 804fb799

    STACK_TEXT:
    f7b94874 baa6599b f7b94898 e391be10 000000ff nt!wcsncpy+0x16
    WARNING: Stack unwind information not available. Following frames may be wrong.
    f7b94a9c 804dd99f 80000c10 00000000 00000000 vdo_5d8a_37c8+0x99b
    f7b94a9c 804e381f 80000c10 00000000 00000000 nt!KiFastCallEntry+0xfc
    f7b94b2c 80599eff 80000c10 00000000 00000000 nt!ZwEnumerateKey+0x11
    f7b94bd4 805b7c0c 00000084 8647adec 00000000 nt!IopGetDeviceInterfaces+0x5bb
    f7b94c48 805b7ae8 8647adec e2766b60 00000000 nt!IopDisableDeviceInterfaces+0xf1
    f7b94c60 805b7d01 00000308 e2766b60 00000000 nt!IopSurpriseRemoveLockedDeviceNode+0xb6
    f7b94c74 805b7d2c 8647ad58 00000003 e2766b60 nt!IopDeleteLockedDeviceNode+0x50
    f7b94ca8 805b7fb5 86ad3030 02766b60 00000003 nt!IopDeleteLockedDeviceNodes+0x3f
    f7b94d3c 805b8089 f7b94d78 806ff974 e2a16750 nt!PiProcessQueryRemoveAndEject+0x4d2
    f7b94d58 8059e83e f7b94d78 8681c168 805694fc nt!PiProcessTargetDeviceEvent+0x2a
    f7b94d7c 804e23b5 8681c168 00000000 86bc2640 nt!PiWalkDeviceList+0x122
    f7b94dac 80574128 8681c168 00000000 00000000 nt!ExpWorkerThread+0xef
    f7b94ddc 804ec781 804e22f1 00000001 00000000 nt!PspSystemThreadStartup+0x34
    00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


    STACK_COMMAND: kb

    FOLLOWUP_IP:
    vdo_5d8a_37c8+99b
    baa6599b ?? ???

    SYMBOL_STACK_INDEX: 1

    SYMBOL_NAME: vdo_5d8a_37c8+99b

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: vdo_5d8a_37c8

    IMAGE_NAME: vdo_5d8a-37c8.sys

    DEBUG_FLR_IMAGE_TIMESTAMP: 4698905b

    FAILURE_BUCKET_ID: 0x50_vdo_5d8a_37c8+99b

    BUCKET_ID: 0x50_vdo_5d8a_37c8+99b

    Followup: MachineOwner
    ---------

    3: kd> lmvm vdo_5d8a_37c8
    start end module name
    baa65000 baa8ba00 vdo_5d8a_37c8 T (no symbols)
    Loaded symbol image file: vdo_5d8a-37c8.sys
    Image path: vdo_5d8a-37c8.sys
    Image name: vdo_5d8a-37c8.sys
    Timestamp: Sat Jul 14 09:59:07 2007 (4698905B)
    CheckSum: 00033325
    ImageSize: 00026A00
    Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0
    ----------------------------------------------


    The offending program looks like vdo_5d8a-37c8.sys.

    My question is who, or what, is this???? I searched in Google under vdo_5d8a-37c8.sys & vdo_5d8a-37c8 and I haven't been able to find any sort of reference to it.

    Any help on what this is would be appreciated.


    Kev
     
  2. Adrynalyne

    Adrynalyne Guest

    If you can boot into Windows, search your system for this file. Make sure you have search options enabled for hidden and system files.

    If you find it, right click it and choose properties. Click on the version tab, which 'should' give some sort of description.
     
  3. AIstudioLtd

    AIstudioLtd Private E-2

    Hi Adrynalyne,
    Many thanks for your reply, I hadn't thought of that for some reason.
    I have just done a full system search on all drives etc. I did make sure that it was searching in hidden/system files etc.
    Unfortunately it turned up nothing :confused

    Is there any way that I can find out what is causing this??
    The computer has blue screened once this morning already and came up with the same log in the minidump.
    Whatever this vdo_5d8a-37c8.sys is, it is definitely causing my problems.

    Any help appreciated

    Kev
     
    Last edited: Nov 19, 2007
  4. studiot

    studiot MajorGeek

    Some rootkits install a file called vdo_random number.sys.

    Head for the MG malware forum or download (free) reanimator from

    http://www.greatis.com/security/
     
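The thread above shows the two things worth pulling out of a `!analyze -v` dump before deciding a blamed driver is malware: the module that WinDbg could not find symbols for (and could not verify a timestamp for), and whether its name looks generated, as studiot notes for the vdo_<random>.sys family. The script below is an added example, not code from any poster; it parses the relevant lines of the dump Kev posted (reproduced here as a constructed sample) into a small report, converts the link timestamp, and lists the indicators a practitioner would weigh. The `vdo_xxxx-xxxx.sys` name pattern is an assumption generalised from studiot's remark, not a rule from the thread.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the lines this parser reads, taken from the WinDbg output posted above.
SAMPLE = """\
Unable to load image vdo_5d8a-37c8.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for vdo_5d8a-37c8.sys
*** ERROR: Module load completed but symbols could not be loaded for vdo_5d8a-37c8.sys
BugCheck 10000050, {e391c000, 0, 804fb799, 1}
Probably caused by : vdo_5d8a-37c8.sys ( vdo_5d8a_37c8+99b )
PAGE_FAULT_IN_NONPAGED_AREA (50)
FAULTING_IP:
nt!wcsncpy+16
804fb799 668b02 mov ax,word ptr [edx]
PROCESS_NAME: System
STACK_TEXT:
f7b94874 baa6599b f7b94898 e391be10 000000ff nt!wcsncpy+0x16
f7b94a9c 804dd99f 80000c10 00000000 00000000 vdo_5d8a_37c8+0x99b
f7b94a9c 804e381f 80000c10 00000000 00000000 nt!KiFastCallEntry+0xfc
f7b94b2c 80599eff 80000c10 00000000 00000000 nt!ZwEnumerateKey+0x11
MODULE_NAME: vdo_5d8a_37c8
IMAGE_NAME: vdo_5d8a-37c8.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4698905b
FAILURE_BUCKET_ID: 0x50_vdo_5d8a_37c8+99b
"""

BUGCHECK_RE = re.compile(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", re.M)
CAUSE_RE = re.compile(r"^Probably caused by : (\S+) \( (\S+) \)", re.M)
# One x86 kb frame: child-sp, return address, three args, symbol.
FRAME_RE = re.compile(r"^[0-9a-f]{8} [0-9a-f]{8}(?: [0-9a-f]{8}){3} (\S+)$", re.M)
FIELD_RE = re.compile(r"^([A-Z_]+): (\S+)$", re.M)
# Assumed heuristic for the "vdo_<random number>.sys" family: short prefix, two 4-digit hex groups.
RANDOM_NAME_RE = re.compile(r"^[a-z]{2,5}_[0-9a-f]{4}[-_][0-9a-f]{4}\.sys$")


def module_of(symbol):
    """'nt!wcsncpy+0x16' -> 'nt'; 'vdo_5d8a_37c8+0x99b' -> 'vdo_5d8a_37c8'."""
    return symbol.split("!", 1)[0].split("+", 1)[0]


def parse_analyze(text):
    """Extract the bugcheck, the blamed module and the stack modules from !analyze -v output."""
    report = {}
    m = BUGCHECK_RE.search(text)
    if m:
        report["bugcheck"] = int(m.group(1), 16)
        report["args"] = [int(a.strip(), 16) for a in m.group(2).split(",")]
    m = CAUSE_RE.search(text)
    if m:
        report["probable_image"], report["probable_symbol"] = m.group(1), m.group(2)
    fields = dict(FIELD_RE.findall(text))
    report["module_name"] = fields.get("MODULE_NAME")
    report["image_name"] = fields.get("IMAGE_NAME")
    report["process_name"] = fields.get("PROCESS_NAME")
    ts = fields.get("DEBUG_FLR_IMAGE_TIMESTAMP")
    if ts:  # PE link timestamp, seconds since the Unix epoch; lmvm prints it in local time
        report["link_time_utc"] = datetime.fromtimestamp(int(ts, 16), tz=timezone.utc).isoformat()
    report["stack_modules"] = [module_of(s) for s in FRAME_RE.findall(text)]
    image = report.get("image_name")
    report["symbols_missing"] = bool(image) and f"symbols could not be loaded for {image}" in text
    report["timestamp_unverified"] = bool(image) and f"Unable to verify timestamp for {image}" in text
    return report


def assess(report):
    """Indicators that the blamed driver deserves a malware check rather than a driver update."""
    indicators = []
    image = (report.get("image_name") or "").lower()
    if report.get("symbols_missing"):
        indicators.append("no symbols on the Microsoft symbol server: not a Microsoft-shipped driver")
    if report.get("timestamp_unverified"):
        indicators.append("image timestamp could not be verified")
    if RANDOM_NAME_RE.match(image):
        indicators.append("random-looking driver name (prefix_hhhh-hhhh.sys)")
    third_party = [m for m in report.get("stack_modules", []) if m != "nt"]
    if third_party and third_party == [report.get("module_name")]:
        indicators.append("blamed module is the only non-kernel frame on the stack")
    return indicators


if __name__ == "__main__":
    r = parse_analyze(SAMPLE)
    print(f"bugcheck 0x{r['bugcheck']:x} in {r['process_name']} blamed on {r['image_name']} "
          f"(linked {r['link_time_utc']})")
    for line in assess(r):
        print(" -", line)
```

Two caveats the thread itself illustrates: a `Probably caused by` verdict only says which frame sits under the faulting kernel routine (here `nt!wcsncpy`, called from the unnamed module while PnP was tearing down a device), so it is a lead, not proof; and a file that the kernel has loaded but that a hidden-and-system-files search cannot see is itself a signal, which is exactly what Reanimator later confirmed by finding the file in system32.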
  5. AIstudioLtd

    AIstudioLtd Private E-2

    Hi,
    Just a quick update.
    As you said I went on over to http://www.greatis.com/security and downloaded the free reanimator.

    When it was running it did find the vdo_5d8a-37c8.sys file in the windows/system32 file. It also recognised it as a problem. Couldn't find any more info on the file but it seems to be gone.
    I will have to see how the pc goes for the next few days, as normally it blue screens at least 4 times per day.
    Just goes to show that some of the spyware/malware tools are useless! They didn't pick it up at all.
    I suppose these infections and problems are getting quite advanced now :(

    MANY THANKS for your help so far, as I am usually quite good with these things after building PCs since 1995.

    thanks again

    Kev
     
  6. studiot

    studiot MajorGeek

