
Active BugCheck 1000008E

Discussion in 'Malware and Virus Removal Archive' started by ez22, 2009/08/27.

  1. 2009/08/27
    ez22

    ez22 Inactive Thread Starter

    Joined:
    2009/08/27
    Messages:
    2
    Likes Received:
    0
    [Active] BugCheck 1000008E

    Hi all,
    I have a Windows 2003 Server Standard on VMware ESX 3.5.
    When users other than Administrator log in via RDP the server crashes with BugCheck 1000008E.
    The dump is below.

    Terminal Services is in Admin mode, NOT application mode.

    Thanks for your help.

    EZ.


    Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [C:\WINDOWS\Minidump\Mini082709-15.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available

    Symbol search path is: C:\WINDOWS\Symbols
    Executable search path is:
    Unable to load image \WINDOWS\system32\ntkrnlpa.exe, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for ntkrnlpa.exe
    Windows Server 2003 Kernel Version 3790 (Service Pack 2) UP Free x86 compatible
    Product: Server, suite: TerminalServer SingleUserTS
    Machine Name:
    Kernel base = 0x80800000 PsLoadedModuleList = 0x8089ffa8
    Debug session time: Thu Aug 27 13:09:54.344 2009 (GMT+3)
    System Uptime: 0 days 0:03:57.746
    Unable to load image \WINDOWS\system32\ntkrnlpa.exe, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for ntkrnlpa.exe
    Loading Kernel Symbols
    ...............................................................
    ........................................
    Loading User Symbols
    Loading unloaded module list
    ...
    Unable to load image \SystemRoot\System32\drivers\afd.sys, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for afd.sys
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 1000008E, {c0000005, ba5514a9, ba0c4ac0, 0}

    *** WARNING: Unable to verify timestamp for 111wfs1intwq.sys
    *** ERROR: Module load completed but symbols could not be loaded for 111wfs1intwq.sys
    Probably caused by : 111wfs1intwq.sys ( 111wfs1intwq+176a6 )

    Followup: MachineOwner
    ---------

    ----- 32 bit Kernel Mini Dump Analysis

    DUMP_HEADER32:
    MajorVersion 0000000f
    MinorVersion 00000ece
    KdSecondaryVersion 00000000
    DirectoryTableBase 75205680
    PfnDataBase 808958f0
    PsLoadedModuleList 8089ffa8
    PsActiveProcessHead 808a61c8
    MachineImageType 0000014c
    NumberProcessors 00000001
    BugCheckCode 1000008e
    BugCheckParameter1 c0000005
    BugCheckParameter2 ba5514a9
    BugCheckParameter3 ba0c4ac0
    BugCheckParameter4 00000000
    PaeEnabled 00000001
    KdDebuggerDataBlock 8088e3e0
    ProductType 00000003
    SuiteMask 00000110
    WriterStatus 00000000
    MiniDumpFields 00000cff

    TRIAGE_DUMP32:
    ServicePackBuild 00000200
    SizeOfDump 00010000
    ValidOffset 0000fffc
    ContextOffset 00000320
    ExceptionOffset 000007d0
    MmOffset 00001068
    UnloadedDriversOffset 000010a0
    PrcbOffset 00001878
    ProcessOffset 00002738
    ThreadOffset 000029b0
    CallStackOffset 00002c00
    SizeOfCallStack 00004000
    DriverListOffset 00006f18
    DriverCount 00000068
    StringPoolOffset 00008df8
    StringPoolSize 00001e28
    BrokenDriverOffset 00000000
    TriageOptions ffffffff
    TopOfStack ba0c4b34
    DebuggerDataOffset 00006c00
    DebuggerDataSize 00000318
    DataBlocksOffset 0000ac20
    DataBlocksCount 00000003
    ba0c4000 - ba0c4fff at offset 0000ac50
    89513000 - 89513fff at offset 0000bc50
    ba551000 - ba551fff at offset 0000cc50
    Max offset dc50, 3a78 from end of file


    Windows Server 2003 Kernel Version 3790 (Service Pack 2) UP Free x86 compatible
    Product: Server, suite: TerminalServer SingleUserTS
    Machine Name:*** WARNING: Unable to verify timestamp for srv.sys

    Kernel base = 0x80800000 PsLoadedModuleList = 0x8089ffa8
    Debug session time: Thu Aug 27 13:09:54.344 2009 (GMT+3)
    System Uptime: 0 days 0:03:57.746
    start end module name
    80800000 80a50000 nt Thu Mar 19 12:29:18 2009 (49C21E7E)
    80a50000 80a7c000 hal Sat Feb 17 07:48:25 2007 (45D69729)
    b944f000 b945d000 ipfltdrv Sat Feb 17 07:59:05 2007 (45D699A9)
    b95b7000 b95e2000 RDPWD Sat Feb 17 07:44:38 2007 (45D69646)
    b9612000 b961d000 TDTCP Sat Feb 17 07:44:32 2007 (45D69640)
    b9e02000 b9e60000 srv Thu Dec 11 13:35:59 2008 (4940FB1F)
    b9f50000 b9fa0000 HTTP Sat Feb 17 08:28:12 2007 (45D6A07C)
    ba018000 ba02cc00 SENTINEL Sun May 07 10:46:44 2006 (445DA5E4)
    ba30d000 ba314000 parvdm Tue Mar 25 09:03:49 2003 (3E7FFF55)
    ba31d000 ba324400 lgtosync Fri Mar 10 03:47:08 2006 (4410DA9C)
    ba3ed000 ba3fe000 dump_symmpi Mon Dec 13 23:03:14 2004 (41BE0392)
    ba3fe000 ba413000 Cdfs Sat Feb 17 08:27:08 2007 (45D6A03C)
    ba47b000 ba498b3a 111wfs1intwq Thu Aug 13 11:06:16 2009 (4A83C978)
    ba499000 ba4aa000 Fips Sat Feb 17 08:26:33 2007 (45D6A019)
    ba4aa000 ba520000 mrxsmb Fri Sep 05 18:26:52 2008 (48C14FBC)
    ba520000 ba550000 rdbss Sat Feb 17 08:27:37 2007 (45D6A059)
    ba550000 ba57a000 afd Thu Aug 14 13:46:56 2008 (48A40D20)
    ba57a000 ba5ab000 netbt Sat Feb 17 08:28:57 2007 (45D6A0A9)
    ba5ab000 ba63b000 tcpip Fri Jun 20 17:20:25 2008 (485BBCA9)
    ba63b000 ba654000 ipsec Sat Feb 17 08:29:28 2007 (45D6A0C8)
    ba77c000 ba7db000 update Mon May 28 15:15:16 2007 (465AC7D4)
    ba803000 ba83a000 rdpdr Sat Feb 17 07:51:00 2007 (45D697C4)
    ba83a000 ba84c000 raspptp Sat Feb 17 08:29:20 2007 (45D6A0C0)
    ba84c000 ba865000 ndiswan Sat Feb 17 08:29:22 2007 (45D6A0C2)
    ba8d5000 ba8df000 Dxapi Tue Mar 25 09:06:01 2003 (3E7FFFD9)
    ba8e5000 ba8ef000 dump_diskdump Sat Feb 17 08:07:44 2007 (45D69BB0)
    ba905000 ba919000 rasl2tp Sat Feb 17 08:29:02 2007 (45D6A0AE)
    ba919000 ba935000 VIDEOPRT Sat Feb 17 08:10:30 2007 (45D69C56)
    ba935000 ba95c000 ks Sat Feb 17 08:30:40 2007 (45D6A110)
    ba95c000 ba970000 redbook Sat Feb 17 08:07:26 2007 (45D69B9E)
    ba970000 ba985000 cdrom Sat Feb 17 08:07:48 2007 (45D69BB4)
    ba985000 ba99a000 serial Sat Feb 17 08:06:46 2007 (45D69B76)
    ba99a000 ba9b2000 parport Sat Feb 17 08:06:42 2007 (45D69B72)
    ba9b2000 ba9c5000 i8042prt Sat Feb 17 08:30:40 2007 (45D6A110)
    bafb0000 bafb3700 CmBatt Sat Feb 17 07:58:51 2007 (45D6999B)
    bf800000 bf9d0000 win32k Fri Apr 17 14:28:53 2009 (49E867F5)
    bf9d0000 bf9e7000 dxg Sat Feb 17 08:14:39 2007 (45D69D4F)
    bf9e7000 bfa0da00 vmx_fb Tue Jul 29 21:23:30 2008 (488F6022)
    bff60000 bff7e000 RDPDD Sat Feb 17 16:01:19 2007 (45D70AAF)
    bffa0000 bffea000 ATMFD Sat Feb 17 15:59:31 2007 (45D70A43)
    f7214000 f723a000 KSecDD Mon Jun 15 20:45:11 2009 (4A3688A7)
    f723a000 f725f000 fltMgr Sat Feb 17 07:51:08 2007 (45D697CC)
    f725f000 f7272000 CLASSPNP Sat Feb 17 08:28:16 2007 (45D6A080)
    f7272000 f7291000 SCSIPORT Sat Feb 17 08:28:41 2007 (45D6A099)
    f7291000 f72a2000 symmpi Mon Dec 13 23:03:14 2004 (41BE0392)
    f72a2000 f72bf000 atapi Sat Feb 17 08:07:34 2007 (45D69BA6)
    f72bf000 f72e9000 volsnap Sat Feb 17 08:08:23 2007 (45D69BD7)
    f72e9000 f7315000 dmio Sat Feb 17 08:10:44 2007 (45D69C64)
    f7315000 f733c000 ftdisk Sat Feb 17 08:08:05 2007 (45D69BC5)
    f733c000 f7352000 pci Sat Feb 17 07:59:03 2007 (45D699A7)
    f7352000 f7386000 ACPI Sat Feb 17 07:58:47 2007 (45D69997)
    f7487000 f7490000 WMILIB Tue Mar 25 09:13:00 2003 (3E80017C)
    f7497000 f74a6000 isapnp Sat Feb 17 07:58:57 2007 (45D699A1)
    f74a7000 f74b4000 PCIIDEX Sat Feb 17 08:07:32 2007 (45D69BA4)
    f74b7000 f74c7000 MountMgr Sat Feb 17 08:05:35 2007 (45D69B2F)
    f74c7000 f74d2000 PartMgr Sat Feb 17 08:29:25 2007 (45D6A0C5)
    f74d7000 f74e7000 disk Sat Feb 17 08:07:51 2007 (45D69BB7)
    f74e7000 f74f3000 Dfs Sat Feb 17 07:51:17 2007 (45D697D5)
    f74f7000 f7507000 agp440 Sat Feb 17 07:58:53 2007 (45D6999D)
    f7507000 f7511000 crcdisk Sat Feb 17 08:09:50 2007 (45D69C2E)
    f7517000 f7523000 vga Sat Feb 17 08:10:30 2007 (45D69C56)
    f7527000 f7532000 Msfs Sat Feb 17 07:50:33 2007 (45D697A9)
    f7537000 f7544000 Npfs Sat Feb 17 07:50:36 2007 (45D697AC)
    f7547000 f7555000 msgpc Sat Feb 17 07:58:37 2007 (45D6998D)
    f7557000 f7560000 ws2ifsl Sat Feb 17 07:59:56 2007 (45D699DC)
    f7567000 f7574000 netbios Sat Feb 17 07:58:29 2007 (45D69985)
    f7597000 f75a4000 wanarp Sat Feb 17 07:59:17 2007 (45D699B5)
    f75b7000 f75c2000 kbdclass Sat Feb 17 08:05:39 2007 (45D69B33)
    f75c7000 f75d1000 mouclass Tue Mar 25 09:03:09 2003 (3E7FFF2D)
    f75d7000 f75e1000 serenum Sat Feb 17 08:06:44 2007 (45D69B74)
    f75e7000 f75f2000 fdc Sat Feb 17 08:07:16 2007 (45D69B94)
    f75f7000 f7604f80 vmx_svga Tue Jul 29 21:21:34 2008 (488F5FAE)
    f7607000 f7610000 watchdog Sat Feb 17 08:11:45 2007 (45D69CA1)
    f7617000 f7626000 intelppm Sat Feb 17 07:48:30 2007 (45D6972E)
    f7627000 f7630000 ndistapi Sat Feb 17 07:59:19 2007 (45D699B7)
    f7637000 f7646000 raspppoe Sat Feb 17 07:59:23 2007 (45D699BB)
    f7647000 f7652000 TDI Sat Feb 17 08:01:19 2007 (45D69A2F)
    f7657000 f7662000 ptilink Sat Feb 17 08:06:38 2007 (45D69B6E)
    f7667000 f7670000 raspti Sat Feb 17 07:59:23 2007 (45D699BB)
    f7677000 f7686000 termdd Sat Feb 17 07:44:32 2007 (45D69640)
    f7687000 f7690000 mssmbios Sat Feb 17 07:59:12 2007 (45D699B0)
    f7697000 f76a5000 NDProxy Sat Feb 17 07:59:21 2007 (45D699B9)
    f76b7000 f76c1000 flpydisk Tue Mar 25 09:04:32 2003 (3E7FFF80)
    f76c8000 f7707000 NDIS Sat Feb 17 08:28:49 2007 (45D6A0A1)
    f7707000 f770f000 kdcom Tue Mar 25 09:08:00 2003 (3E800050)
    f770f000 f7717000 BOOTVID Tue Mar 25 09:07:58 2003 (3E80004E)
    f7717000 f771e000 intelide Sat Feb 17 08:07:32 2007 (45D69BA4)
    f771f000 f7726000 dmload Tue Mar 25 09:08:08 2003 (3E800058)
    f776f000 f7776000 dxgthk Tue Mar 25 09:05:52 2003 (3E7FFFD0)
    f77b7000 f77be600 vmxnet Fri Jan 23 04:17:16 2009 (497928AC)
    f77bf000 f77c7000 audstub Tue Mar 25 09:09:12 2003 (3E800098)
    f77cf000 f77d7000 Fs_Rec Tue Mar 25 09:08:36 2003 (3E800074)
    f77d7000 f77de000 Null Tue Mar 25 09:03:05 2003 (3E7FFF29)
    f77df000 f77e6000 Beep Tue Mar 25 09:03:04 2003 (3E7FFF28)
    f77e7000 f77ef000 mnmdd Tue Mar 25 09:07:53 2003 (3E800049)
    f77ef000 f77f7000 RDPCDD Tue Mar 25 09:03:05 2003 (3E7FFF29)
    f77f7000 f77ff000 rasacd Tue Mar 25 09:11:50 2003 (3E800136)
    f7878000 f7897000 Mup Sat Feb 17 08:27:41 2007 (45D6A05D)
    f7897000 f7899980 compbatt Sat Feb 17 07:58:51 2007 (45D6999B)
    f789b000 f789e900 BATTC Sat Feb 17 07:58:46 2007 (45D69996)
    f79bd000 f79be280 vmmouse Mon Sep 29 08:49:38 2008 (48E07A82)
    f79bf000 f79c0280 swenum Sat Feb 17 08:05:56 2007 (45D69B44)
    f79f3000 f79f4e00 vmmemctl Fri May 01 02:26:35 2009 (49FA33AB)
    f7b4a000 f7bdf000 Ntfs Sat Feb 17 08:27:23 2007 (45D6A04B)

    Unloaded modules:
    f7577000 f7580000 vmdebug.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f7587000 f7595000 imapi.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    f77c7000 f77cf000 Sfloppy.SYS
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 1000008E, {c0000005, ba5514a9, ba0c4ac0, 0}

    Probably caused by : 111wfs1intwq.sys ( 111wfs1intwq+176a6 )

    Followup: MachineOwner
    ---------

    Finished dump check
     
    ez22,
    #1
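    As an added worked example (not part of the original thread or of any forum tooling), the script below does mechanically what an analyst does by eye with a dump like the one above: it parses the WinDbg module list, resolves the bugcheck's second parameter (the faulting instruction address; the first parameter c0000005 is an access violation) to the module it falls in, and flags drivers whose names look auto-generated or that were linked shortly before the crash. The module list embedded in the script is a subset copied from the posted dump; the 30-day window, the vowel-ratio heuristic and the function names are my own assumptions, and the output is a list of leads, not a verdict.

```python
import re
from datetime import datetime, timedelta, timezone

# Subset of the module list copied from the posted WinDbg output
# (a real run would paste the whole listing).
MODULE_LIST = """\
80800000 80a50000 nt Thu Mar 19 12:29:18 2009 (49C21E7E)
80a50000 80a7c000 hal Sat Feb 17 07:48:25 2007 (45D69729)
b9e02000 b9e60000 srv Thu Dec 11 13:35:59 2008 (4940FB1F)
ba47b000 ba498b3a 111wfs1intwq Thu Aug 13 11:06:16 2009 (4A83C978)
ba4aa000 ba520000 mrxsmb Fri Sep 05 18:26:52 2008 (48C14FBC)
ba550000 ba57a000 afd Thu Aug 14 13:46:56 2008 (48A40D20)
ba9b2000 ba9c5000 i8042prt Sat Feb 17 08:30:40 2007 (45D6A110)
f7214000 f723a000 KSecDD Mon Jun 15 20:45:11 2009 (4A3688A7)
f74f7000 f7507000 agp440 Sat Feb 17 07:58:53 2007 (45D6999D)
f79f3000 f79f4e00 vmmemctl Fri May 01 02:26:35 2009 (49FA33AB)
f7b4a000 f7bdf000 Ntfs Sat Feb 17 08:27:23 2007 (45D6A04B)
"""

# Bugcheck line and debug session time, both copied from the dump header.
BUGCHECK_LINE = "BugCheck 1000008E, {c0000005, ba5514a9, ba0c4ac0, 0}"
CRASH_TIME = datetime(2009, 8, 27, 10, 9, 54, tzinfo=timezone.utc)  # 13:09:54 GMT+3

# "start end name <link date> (hex timestamp)" as printed by WinDbg's lm output.
MODULE_RE = re.compile(
    r"^([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\S+)\s+.*\(([0-9A-Fa-f]{8})\)\s*$")
BUGCHECK_RE = re.compile(r"BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}")


def parse_modules(text):
    """Return a list of {name, start, end, timestamp} dicts for every module line."""
    mods = []
    for line in text.splitlines():
        m = MODULE_RE.match(line.strip())
        if not m:
            continue  # headers, unloaded-module lines, etc.
        start, end, name, ts = m.groups()
        mods.append({"name": name, "start": int(start, 16),
                     "end": int(end, 16), "timestamp": int(ts, 16)})
    return mods


def parse_bugcheck(line):
    """Return (code, [param1..param4]) from a 'BugCheck X, {a, b, c, d}' line."""
    m = BUGCHECK_RE.search(line)
    if not m:
        raise ValueError("not a BugCheck line")
    return int(m.group(1), 16), [int(p.strip(), 16) for p in m.group(2).split(",")]


def resolve(mods, addr):
    """Map a kernel address to (module name, offset) using the load ranges."""
    for m in mods:
        if m["start"] <= addr < m["end"]:
            return m["name"], addr - m["start"]
    return None


def looks_random(name):
    """Heuristic (assumption): several digits plus almost no vowels is a common
    shape for auto-generated malware driver names; real drivers are usually
    abbreviations or words (hal, afd, i8042prt)."""
    base = name.lower()
    letters = [c for c in base if c.isalpha()]
    digits = sum(c.isdigit() for c in base)
    if not letters:
        return True
    vowels = sum(c in "aeiou" for c in letters)
    return digits >= 2 and vowels / len(letters) < 0.2


def flag_suspicious(mods, crash_time, recent_days=30):
    """Return [(name, [reasons])] for modules worth a closer look."""
    findings = []
    for m in mods:
        reasons = []
        if looks_random(m["name"]):
            reasons.append("name looks auto-generated")
        linked = datetime.fromtimestamp(m["timestamp"], tz=timezone.utc)
        age = crash_time - linked
        if timedelta(0) <= age <= timedelta(days=recent_days):
            reasons.append(f"linked {age.days} days before the crash")
        if reasons:
            findings.append((m["name"], reasons))
    return findings


if __name__ == "__main__":
    mods = parse_modules(MODULE_LIST)
    code, params = parse_bugcheck(BUGCHECK_LINE)
    print(f"BugCheck {code:08X}: exception {params[0]:08x} at {params[1]:08x}")
    hit = resolve(mods, params[1])
    print("faulting address is in", f"{hit[0]}+{hit[1]:x}" if hit else "no loaded module")
    print("WinDbg's blamed address 111wfs1intwq+176a6 resolves to",
          resolve(mods, 0xBA47B000 + 0x176A6))
    for name, reasons in flag_suspicious(mods, CRASH_TIME):
        print(f"suspicious: {name}: {'; '.join(reasons)}")
```

    Two caveats a practitioner would keep in mind when reading its output. The faulting address ba5514a9 falls inside afd.sys (ba550000-ba57a000), while WinDbg's "Probably caused by" points at 111wfs1intwq+176a6 (which resolves to ba4926a6, inside that driver's range); the attribution comes from the stack, and the stack was walked with symbols for ntkrnlpa.exe and afd.sys missing (the "Win32 error 0n2" lines above), so it is a heuristic, not proof of which driver corrupted what. And "recently linked" is only a weak signal on its own: KSecDD, a Microsoft component, is also dated June 2009 in this list, which is why the script combines it with the name check rather than relying on either alone.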
  2. 2009/08/27
    Admin.

    Admin. Administrator Administrator Staff

    Joined:
    2001/12/30
    Messages:
    6,687
    Likes Received:
    107
    That's a trojan backdoor!


    Read this post, then post the requested log(s) in the Malware and Virus Removal forum.
     


  4. 2009/08/27
    ez22

    ez22 Inactive Thread Starter

    Joined:
    2009/08/27
    Messages:
    2
    Likes Received:
    0
    It tells me that it is not compatible with my OS.
     
    ez22,
    #3
  5. 2009/08/27
    Admin.

    Admin. Administrator Administrator Staff

    Joined:
    2001/12/30
    Messages:
    6,687
    Likes Received:
    107
    Moved to the Malware forum. Please wait for advice from a Malware expert.
     
  6. 2009/08/27
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE. If Combofix asks you to install Recovery Console, please allow it.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with ComboFix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
