|W2K Blue Screen|
exception not handled
| 12:23 pm on Mar 28, 2007 (gmt 0)|
I'm getting a KMODE_EXCEPTION_NOT_HANDLED in Win32k.sys. It ONLY happens when using CTRL-P on the Netscape browser.
(I know, then don't do that)
I wrote down the specifics and found the problem in the MS database, but... the indications reported there don't match what I see here. They do indicate a virus (Backdoor.NTHack), but the specifics just don't show up on my machine, so I'm hesitant to start tinkering with my registry.
Additionally, I've run two complete virus scans and nothing turns up. I'm beginning to think Netscape is the real culprit. Any thoughts about that before I continue? My next step will be to remove and re-install Netscape.
| 1:34 pm on Mar 28, 2007 (gmt 0)|
I have no idea about the technical stuff, but have you tried Nod32? It's not a free one tho.
| 1:47 pm on Mar 28, 2007 (gmt 0)|
No, I use Kaspersky, which has been good to me so far. Two nights ago (the day before the problem surfaced) I experienced a few problems with my FTP program that were new. I'm taking a wild guess that something may have piggybacked its way in at that time. The firewall is always up, but I've allowed some programs, including FTP, to run as safe since I'm the only one to use them. In any event, virus scans revealed no problems, so I'm exploring other possibilities. I haven't ruled out a virus, I just don't see any real evidence of one.
| 6:04 am on Mar 29, 2007 (gmt 0)|
Well, the first thing a lot of the good viruses do today is to target your AV. However, Kaspersky isn't really among the mainstream. I wouldn't discount the virus possibility.
Have you tried reverting to an earlier system backup?
| 11:47 am on Mar 29, 2007 (gmt 0)|
Sounds like it may be a faulty key logger (not a virus).
In order to set up a system-wide keyboard hook, a DLL must have been installed or modified.
1) DO NOT DO ANYTHING THAT REQUIRES A PASSWORD.
2) Go through the task list and close down everything non-essential (write down the names of each and ignore svchost.exe). You can Google process names for info.
3) Try Netscape again. If it's ok, the theory must be assumed correct.
At this point, what to do depends on your knowledge; you may try anti-spyware.
CTRL-P is presumably used to print the page. I have assumed that selecting the menu item using the mouse is ok.
| 4:57 pm on Mar 29, 2007 (gmt 0)|
That is a correct assumption that Ctrl-P is to print, and that the print worked fine from the menu. I like the faulty keylogger idea, except, it only affected Netscape? Why not FF, or IE, or Opera? To answer my own question, NS was set as the default browser.
I've removed all traces of Netscape. I've checked some of my system DLLs for authenticity. There isn't a recent enough backup that I would consider using today - meaning the backup/restore solution was pretty much of a waste of time. I'm going to find a better solution for that.
Bottom line for this problem, I think NS was corrupted and the indications were similar to an infection. I'll be monitoring closely over the next several days, and I'm still digging thru the system.
| 5:56 pm on Mar 29, 2007 (gmt 0)|
Most browsers would install their own (local) keyboard hooks. Netscape might be unique in failing due to a fault in its own keyboard hook handlers. I've never tried installing system-wide hooks for keyboards or anything else but it is normally necessary to pass the hooked message through to the next hook in the chain. This is likely to be where it goes wrong. It may be significant that you are using 2000 rather than XP - I believe hook handling was adjusted to avoid crashes.
| 6:09 pm on Mar 29, 2007 (gmt 0)|
Which version of Netscape are we talking about?
| 10:40 pm on Mar 29, 2007 (gmt 0)|
The Deleted Version :) I want to say 8.01 or was it 8.1.
I installed the 8.0 version, and followed up with their next day fix, no manual upgrades since that time.