Microsoft KB Archive/294728

= Error Message: STOP 0x00000001e KMODE_EXCEPTION_NOT_HANDLED in Win32k.sys =

Article ID: 294728

Article Last Modified on 3/27/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows NT Server 4.0 Standard Edition
 * Microsoft Windows NT version 4.0 Option Pack

-



This article was previously published under Q294728



IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SYMPTOMS
When you restart your computer, you may receive the following error message:

STOP 0x0000001e KMODE_EXCEPTION_NOT_HANDLED in win32k.sys

or

STOP 0xC000021A {Fatal System Error} The Windows Logon Process terminated unexpectedly.



CAUSE
This behavior can occur if you downloaded the Backdoor.NTHack virus from a remote host into your computer. This virus is initiated by the Dl.bat file in the InetPub\Scripts folder.

As a result, both the Firedaemon.exe and Sud.exe files are installed on the computer as well as the Os2srv.exe and Mmtask.exe files, which along with the Sud.exe and Index.exe files are run as services.



RESOLUTION
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To resolve this behavior, you must perform a parallel install of Windows NT 4.0 or Windows 2000 and/or make the following changes by using the Windows 2000 Recovery Console.

The Newgina.dll file is specified under the following registry key when you access the original software hive from a parallel install:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Value = GinaDLL REG_SZ

Gina.dll = Newgina.dll

Original Gina.dll = Msgina.dll (or Awgina.dll)
 * 1) From the parallel install or in the Recovery Console, rename the Newgina.dll file to &quot;Newgina.old&quot;.
 * 2) Rename the original Gina file, for example, the Msgina.dll file to &quot;Newgina.dll&quot;. This renaming enables the original Gina file to be loaded under the name &quot;Newgina.dll&quot; which is specified in the registry.

If you cannot locate the Newgina.dll file in Windows Explorer, you can delete or replace the newgina.dll value in GinaDLL (REG_SZ) with msgina.dll (or awgina.dll) under the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

This change enables the original Gina.dll file to be loaded from the cache.

You must also disable and delete the services that are associated with the virus as well as the files that are installed in the C:\Winnt\System32\Os2\New folder.

The Dl.bat file in the InetPub\Scripts folder must also be deleted.



MORE INFORMATION
This virus downloads the Dl.exe file from the remote host, runs the program, and then runs an install routine that installs files under the C:\Winnt\System32\Os2\ folder in a hidden folder called &quot;New&quot;.

This hidden folder contains the following files: Firedaemon.exe, Dir.txt, Login.txt, Remscan.txt, Sud.exe, and Sud.bak.

NOTE: The following processes may also be running on your computer: Sud.exe, Firedaemon.exe, Mmtask.exe, and Os2serv.exe. If you attempt to end a task on any of these processes, you may receive an &quot;Access is denied&quot; error message. In Task Manager, these processes are listed in all capital letters.

In addition, the Msgina.dll (or Awgina.dll) file is replaced with the Newgina.dll file.

The Newgina.dll file captures password information when someone logs on to the computer.

The passwords that are captured are then stored in a .tmp file in the root of drive C. A new File Transfer Protocol (FTP) server is also installed called &quot;UServ&quot;. These files and folders must also be deleted.

For additional information about a security fix for Microsoft Internet Information Server (IIS) to block this type of virus, click the article number below to view the article in the Microsoft Knowledge Base:

269862 Patch Released for Canonicalization Error Issue

For more information regarding the Backdoor.NTHack virus, refer to the following Symantec and Network Associates Web sites:

Symantec related information

Network Associates McAfee related information

Additional query words: firedaemon winlogon virus newgina

Keywords: kberrmsg kbprb KB294728

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.