GX1_Man,
Thanks, you got more relevant hits than I did. I'm going to start with this one.
10-19-2006, 04:23 AM #1
troll
Location: Windsor, Nova Scotia
My Fix for the STOP: 0x0000008E (0xC0000005... BSOD / REBOOT
Greetings & Salutations!
For the past two days I have worked on two machines at the shop that would just reboot on their own, after shutting off the Automatic Restart option. That wonderful STOP: 0x0000008E (0xC0000005... BSOD appeared on the screen.
(Both machines worked fine till the users "Opened a file they received through msn messenger" )
Safe Mode works fine, just reboots in Normal Mode.
From safe mode cmd prompt only I scanned with F-Prot, Ad-Aware, SpyBot & HijackThis... All things cleaned up or shutoff...
(Norton was on one of the machines but it was not working and you didn't have enough time to check anything in Normal mode.)
Rebooted and within a few minutes... STOP: 0x0000008E again... rebooted in safe mode again shut everything off in MSConfig, ran Rootkit Revealer from sysinternals which found nothing... rebooted and same BSOD again...
Searched Google for 0x0000008E errors and got the standard, "Ram problem, Driver Problem, PS Weak..." Tested Ram with memtest, changed the power supply and still no go...
Another site was talking about posting minidumps for them to look at, so I looked into one of the minidumps and found:
Rustock rootkit v 1.2
Z:\NewProjects\spambot\new\driver\objfre\i386\driver.pdb
A little more Google revealed that this Rootkit, once installed, is undetectable by anything, quite the amazing little piece of code...
Symantec's info on the Rustock Rootkit
This was it, the B version... I followed the directions on Symantec's site to remove it by booting into recovery console from an XP CD. (You cannot detect it in Safe Mode)
Once there I used "Disable pe386" to shut off the rootkit... I looked while in safe mode for this service and it WAS NOT there... Since it loads with kernel / driver data, it hides everything about itself...
Symantec's Cleanup Instructions...
Rebooted in Normal mode and no more BSOD, reinstalled NAV and started it scanning when I left the shop... I will run ADSSpy again and see if it finds the alternate data stream now...
I realize that this is not the only cause of 0x8e errors but this was my problem, and since there were two machines in the shop with the same problem, I can see more of these coming in for repair...
Hope this helps those who have just recently developed STOP: 0x0000008E errors.
troll
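The post found the cause by reading strings inside a minidump. As an added example (not part of the original post), this Python script pulls `.pdb` references out of a dump file's raw bytes, in both ASCII and UTF-16LE. The sample buffer and its paths are constructed, and treating a full build path as the more interesting hit is a triage heuristic assumed here.

```python
import re
import sys

# Printable runs of 6+ characters, as ASCII and as UTF-16LE (char + NUL byte).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
# Drive-letter path ending in .pdb, i.e. a build path baked into a binary.
FULL_PATH = re.compile(r'[A-Za-z]:\\(?:[^\\/:*?"<>|]+\\)*[^\\/:*?"<>|]+\.pdb', re.I)
# Bare symbol file name with no directory part.
BARE_NAME = re.compile(r"[\w.-]+\.pdb", re.I)

def extract_strings(data):
    """Yield (offset, text) for each printable ASCII or UTF-16LE run."""
    for m in ASCII_RUN.finditer(data):
        yield m.start(), m.group().decode("ascii")
    for m in UTF16_RUN.finditer(data):
        yield m.start(), m.group().decode("utf-16-le")

def pdb_references(data):
    """Return (offset, reference, is_full_path) for every .pdb reference."""
    hits = []
    for offset, text in extract_strings(data):
        paths = FULL_PATH.findall(text)
        hits += [(offset, p, True) for p in paths]
        if not paths:
            hits += [(offset, n, False) for n in BARE_NAME.findall(text)]
    return hits

def build_paths(data):
    """Only the full build paths, which are the ones worth reading first."""
    return [ref for _, ref, full in pdb_references(data) if full]

# Constructed sample standing in for a dump file: filler bytes, one bare
# symbol name, one ASCII build path and one UTF-16LE build path.
SAMPLE = (
    b"\x00" * 16 + b"ntkrnlpa.pdb\x00" + b"\xff" * 8
    + rb"C:\build\example\driver\objfre\i386\sample.pdb" + b"\x00\x01\x02"
    + r"D:\src\other\drv.pdb".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    # Pass a dump file path as the first argument; without one, scan SAMPLE.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, ref, full in pdb_references(data):
        print(f"{offset:#010x}  {'BUILD PATH' if full else 'name only '}  {ref}")
```

Because the scan reads the file offline, it can be run on a copy of the dump from a clean machine rather than on the affected system.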