Over 1 million tech questions and answers.

Problem with rootkit win32k.sys

Q: Problem with rootkit win32k.sys

I seem to be having this problem with a rootkit. The rootkit in question is actually a file that AVG claims is "hidden". avast!, SUPERAntispyware and malwarebytes do not seem to detect it. I have tried formatting the disc using the TOSHIBA recovery disc I created. the rootkit is still there.

Attatched is the AVG scan log.

However I don't understand how I got it. I have COMODO Free Firewall, AVG Free, avast! Free, SUPERAntispyware Free, Malwarebytes Anti Malware and IObit Malware Fighter Free.

Thanks in advance


Preferred Solution: Problem with rootkit win32k.sys

I recommend downloading and running Reimage. It's a computer repair tool that has been proven to identify and fix many Windows problems with a high level of success.

I've used it in the past to identify and fix everything from blue screens (BSOD's), ActiveX errors, corrupt files and processes, dll/exe/sys errors, recover lost memory, Windows update problems, defragging, malware removal etc.

You can download it direct from this link http://downloadreimage.com/download.php. (This link will automatically start a download of Reimage that you can save to your computer.)

A: Problem with rootkit win32k.sys

Quote: Originally Posted by stupot65

I seem to be having this problem with a rootkit. The rootkit in question is actually a file that AVG claims is "hidden". avast!, SUPERAntispyware and malwarebytes do not seem to detect it. I have tried formatting the disc using the TOSHIBA recovery disc I created. the rootkit is still there.

Attatched is the AVG scan log.

However I don't understand how I got it. I have COMODO Free Firewall, AVG Free, avast! Free, SUPERAntispyware Free, Malwarebytes Anti Malware and IObit Malware Fighter Free.

Thanks in advance


Keep and run 1 A/V only ( even A/Vs which are not running real time can cause conflicts)
Run either a HIPPS or a BB, but not both for the same reason.
You can have a few on demand only malware scanners, but not active.
Surf from a SUA account only.
Sandboxie is your friend.
I think that file is a part of windows ( not bad )

Read other 7 answers

Hi and welcome to the HijackThis Logs and Virus/Trojan/Spyware/Malware Removal forum,I am and I am here to help you!I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.Please perform all steps in the order received and do not proceed if you need clarification.In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.As I am in the final stages of training an Expert Coach will also oversee your fix. Your benefit will be "four eyes and two brains" but responses may be somewhat delayed so please be patient!!!!I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!==========Lets confirm the diagnosis.Please do this...Download and run Win32kDiag: Download Win32kDiag from any of the following locations and save it to you... Read more

A:win32k.sys Rootkit

Thank you T for taking time out of your weekend to help me! It's ok if it takes a while to get a response as I am just grateful my computer works enough to be here in the first place. Other than following the advice here, this computer is officially quarantined from being used at my house!!!

Here is the log from Win32 as requested.

Log file is located at: C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\windows'...

Found mount point : C:\windows\$hf_mig$\KB912812\KB912812

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\$hf_mig$\KB912945\KB912945

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\$hf_mig$\KB915865\KB915865

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\$hf_mig$\KB916281\KB916281

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\$hf_mig$\KB918899\KB918899

Mount point destination : \Device\__max++>\^

Found mount point : C:\windows\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Found moun... Read more

Read other 68 answers

Alright i was told to post a srenglog after here from this post http://www.bleepingcomputer.com/forums/t/255814/help/its like a win32k rootkit my log is in the attachements. Thanks for helpingEDIT: I think this is the rootkit I have

A:Nasty rootkit need help win32k

Please save this file to your Desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

Read other 23 answers

To whomever answers this distress call,I believe I have the rootkit described in topic 253639 entry 1405644 Click me! or else one very similar to it. I don't have any doubt about being infected, so I skipped the AII part of the procedure. Of course I will be glad to go back to it if you require, but I am pretty confident you will waive it for me.Win XP HE SP3 Pentium 4 @ 3GHz with 512MB RAM. I don't know what kind of RAM it is, though. The machine is an eMachines T5010 bought about 3 years ago. It came with the OS preinstalled with a restore "disk" ( D: ) residing in an NTFS partition on the same hard drive as C:. Did not get any actual CD's, floppies, or anything else to restore from that is external.////////////////Just to give you a general idea of the state of my system here are some things that DON'T work or that I can't get to, or that I no longer have permission for:explorer - unavailable start-up taskbar - unavailable start-up taskbar - unavailable systray (therefore) - unavailable drag/drop - unavailable Write to CD - unavailable cmd - unavailable search - unavailable run - unavailable control panel - unavailableNow for the good news...Administrator tools are OK command.com works System configuration utility works Many exe's in \sys32\ and \WINDOWS\ worka, b, c, and d.exe are at least part of the rootkitI can use sysconfig to access windows firewall and stuff like SYSTEM.INI, WIN.INI, BOOT.INI, and a few of the control panel aps. I... Read more

A:Probable Win32k.sys Rootkit

Sorry for the delay. Do you still desire help?
Kind regards,

Read other 62 answers

Anyother Info I'm missing can be found HereDDS and other scanning are disabled but here is the root kit repeal log and a log generated by Win32kdiag.exeI'll paste the following and send as attachment just in case. (To avoid confusion) ROOTREPEAL ? AD, 2007-2009==================================================Scan Start Time: 2009/09/01 08:11Program Version: Version Version: Windows XP SP3==================================================Drivers-------------------Name: 1394BUS.SYSImage Path: C:\WINDOWS\system32\DRIVERS\1394BUS.SYSAddress: 0xF84D5000 Size: 57344 File Visible: - Signed: -Status: -Name: ACPI.sysImage Path: ACPI.sysAddress: 0xF8466000 Size: 187776 File Visible: - Signed: -Status: -Name: ACPI_HALImage Path: \Driver\ACPI_HALAddress: 0x804D7000 Size: 2260992 File Visible: - Signed: -Status: -Name: afd.sysImage Path: C:\WINDOWS\System32\drivers\afd.sysAddress: 0xF7EC3000 Size: 138496 File Visible: - Signed: -Status: -Name: atapi.sysImage Path: atapi.sysAddress: 0xF83F8000 Size: 96512 File Visible: - Signed: -Status: -Name: ATMFD.DLLImage Path: C:\WINDOWS\System32\ATMFD.DLLAddress: 0xBFFA0000 Size: 286720 File Visible: - Signed: -Status: -Name: avgrkx86.sysImage Path: avgrkx86.sysAddress: 0xF89BD000 Size: 5888 File Visible: - Signed: -Status: -Name: avgtdix.sysImage Path: C:\WINDOWS\System32\Drivers\avgtdix.sysAddress: 0xF7F0D000 Size: 101888 File Visible: - Signed: -Status: -Name: Beep.SYSImage Path: C:\WINDOWS\System32\Drivers\Beep.SYSAddress: 0xF8... Read more

A:Infected with Active Rootkit- Win32k.sys 1 and 2 No Signed

Hello Ninjuhboyblu,Sorry for the delay. We have many logs backed up. We will need to take this cleanup in phases. You are not clean until I tell you so - even if it appears that everything is running fine!Let's begin....==========Step 1Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here. "%userprofile%\desktop\win32kdiag.exe" -f -r==========Step 2Please do this: Click on the Start button, then click on Run... In the empty "Open:" box provided, type cmd and press EnterThis will launch a Command Prompt window (looks like DOS). Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).

copy C:\WINDOWS\ServicePackFiles\i386\eventlog.dll C:\ /y
In the Command Prompt window, paste the copied text by right-clicking and selecting Paste. Press Enter.When successfully, you should get this message within the Command Prompt: "1 file(s) copied"
NOTE[: If you didn't get this message, stop and tell me first. Executing The Avenger script (step #3) won't work if the file copy was not successful. Exit the Command Prompt window.==========Step 3 Warning to others reading this thread!... Read more

Read other 67 answers

Using a Windows 7 computer.
About two weeks ago, sometimes I would not be able to access certain websites in my web browser, google chrome, and it says "This webpage is not available." I ran a diagnostic with windows which said that my DNS server is not responding so I tried some things to make sure that it would work. After that didn't work, I ran a virus scan with AVG and Avast. Avast found nothing while AVG found two things. They were:
"";"Inline hook win32k.sys EngSetPointerTag+0x190 -> 0xFFFFF95F8023D132, <unknown>";"Infected"
"";"Inline hook win32k.sys EngFntCacheLookUp+0xFFFFF95F8012A981, <unknown>";"Infected"
So then I downloaded malwarebytes and mbar, started my computer in safe mode while disconnected from the internet, scanned with both of those, avast, and AVG, and deleted everything that they found. I started my computer again and it still had the problem. I then started to search for this problem on the internet and apparently no one can really fix this. Someone even used nuke.bat in the Avenger, and it didn't get rid of it. I am at a complete loss at what to do. Please help.

A:Inline hook win32k.sys (rootkit maybe?), Impossible to Remove?

I ran a virus scan with AVG and Avast

I believe your problem is that you have two antivirus applications running at one time.
I suggest that you uninstall both of them.
Then run the removal tools and reboot after each.
After the reboot then Choose only one of them and re-install it.
Then follow the steps below to make sure that there is not something lurking on your machine.

Please download MINITOOLBOX and run it.Checkmark following boxes:Flush DNSReset FF proxy SettingsReset Ie Proxy SettingsReport IE Proxy SettingsReport FF Proxy SettingsList content of HostsList IP configurationList Winsock EntriesList last 10 Event Viewer logList Installed ProgramsList Users, Partitions and Memory sizeList Devices (problems only)Click Go and post the result.

Download Security Check by screen317 from here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Download Autoruns and Autorunsc Unzip it to your desktop and then double click autoruns.exe After the scan is finished then click on File>>>>>>>>>>>Save The default name will be autoruns.arn make sure to save it as Autoruns... Read more

Read other 5 answers

 It started with a zip file that has since been deleted. But it sat in a folder(downloads) on my win7 hp laptop for almost two before i opened it and started going through it to make web pages out of it. I had free avg with malwarebytes at the time. I wanted to move away from avg because i wanted to try a free trial of trend micro, did that and TM picked up an exploit and a backdoor. Rebooted, all was well. Didnt realize where they came from so I started working with the same zipfile. After the laptop started getting to slow to allow for regular usage I started delving around and realized the really high latency was from ADS. So after going through  about 5-6 (??lost count) antimalware/spyare prog's trying to unsuccesfully find a rootkit i used sysinternal, gmer and a few others and they all crashed, in safe mode crashes occured also. I used defogger to disable emulation, disabled several services that were persistantly being started from manual/ disable mode (remote reg is always disabled as is a few others like that.) There was also the problem of active UnP activity whereas i always disabled  that. The print spooler, waking up from disable. A few other serious things like that letting me know i had an active infection. So i decided that i wanted an interactive firewall to try and find the culprit. Man a MISTAKE  i uninstalled MSE and disabled windows firewall and installed COMODO and knew immediately i messed up even before it was finished installing. A... Read more

A:backdoor/exploit/win32k/rootkit/bootkit I'm all messed up, please help!

Hello, Welcome to BleepingComputer.I'm nasdaq and will be helping you.If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.===You are presently running the Farbar Recovery Scan Tool from the folder in bold.C:\Users\owner\DownloadsPlace this fixlist.txt that you will create in the same folder.I feel confident that if you are able to run the fix from your Download folder you will be able to restart the computer in normal mode.Run the fix as suggested below.====Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. start

HKLM\...\Winlogon: [Shell] Explorer.exe [2871808 2011-02-25] (Microsoft Corporation)
HKLM-x32\...\Winlogon: [Shell] explorer.exe [2616320 2011-02-25] (Microsoft Corporation)
SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No File
SSODL-x32: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No File
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-30572-11896-2/4?mpre=http://shop.ebay.com/?_nkw={searchTerms}
SearchScopes: HKLM-x32 - DefaultScope value is missing.
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL... Read more

Read other 32 answers

Hi, I have been updating my drivers and doing routine virus checks. When I run  msconfig I check for new and unexplaned startup items, Recently I have a startup item with no name or command listed just location           [                        ][                      ]HLK\SOFTWARE\Microsoft\windows\currentVer...
When I uncheck the box for it I get
An Access Denied error was returned while attempting to change a service . Tou may need to log using an Administrator account to make the specified changes.
This is enough to make me suspicious. I ran your Win32kdiag and got
Running from: C:\Documents and Settings\jerry\Desktop\Win32kDiag.exe
Log file at : C:\Documents and Settings\jerry\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Cannot access: C:\WINDOWS\Temp\IswTmp\Logs\ISWSHEX.swl
[1] 2013-06-28 15:56:02 284 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\IswTmp\Logs\ISWSHEX.swl ()
[1] 2013-06-28 16:27:46 92 C:\WINDOWS\Temp\IswTmp\Logs\ISWSHEX.swl ()
Which is not nearly as bad as some scans I read elsewhere, but this item does appear to be " hiding " from scans.
I have run my zone alarm virus scan, malwareb... Read more

A:suspected win32k , zeroaccess type of rootkit infection

Hello can you submit that file for a second look??
Please visit the online Jotti Virus Scanner <--link
Browse to the following filepath:
---------put the filepath here -------
Click on the button.
The scanner will check the file with various AV companies.
Copy and paste the results box into a reply to this thread.
You can also use VirusTotal

Read other 14 answers

Hello, I believe I'm infected with the subject rootkit/virus/etc and possibly others. I have received blue memory dump screens several times after first trying to run gmer until I changed the name. I've been receiving pop-ups that I never used to get, and when I checked my event viewer, under windows security it's showing a lot of system integrity and other audit failures, suspicious logon events with processes by Advapi to services.exe, and security state changes. I have already reviewed and done some of the stuff in this thread: http://www.bleepingcomputer.com/forums/t/87058/slow-computerbrowser-check-here-first;-it-may-not-be-malware/ because at first it was running noticeably slow.Please see examples:- Anonymous logons to the account domain NT Authority through NtLmSsp- Audit policy changes to many of my c:/windows/system32 files (.dll's, .exe's, and others) and registry through a process named C:\Windows\servicing\TrustedInstaller.exe with a New Security Descriptor listed as: S:ARAI(AU;FA;KA;;;WD) OR S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD). I searched this security descriptor on the internet and it seems foreign it nature.- Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. File Name: \Device\HarddiskVolume2\Users\Konita\AppData\Local\Temp\fwryqkoc.sys- Code integrity determined that the image hash of a file is not valid. ... Read more

A:Infected With win32k.sys Rootkit & Possibly Other Leftover Infection Traces

Hi,Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.Please reply to this post so I know you are there.The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.Once I receive a reply then I will return with your first instructions.Thanks

Read other 34 answers

Hello there!
I am posting this from an infected machine as I have no more 100% un-compromised ones.
I had Windows 7 x64 (not up to date with patches) and AVG Free, Windows Firewall on but not really configured with care - henceforth referred to as Desktop. I ran some shady software and although in it's packed form it was detected as virus-free, when I fired it up AVG detected an executable "sniffer_gpu.exe" as infected. It didn't know with what, and it prompted me to restart. Since that restart, it's been infected and it has infected all other computers in the house. Even those that only connected to the net without any previously infected machines running at the same time! So from the outside somehow?!
My Internet goes like this: The ISP assigns Dynamic IP, you connect through PPPOE. It goes into an old wired router that's always on and then by cables to all the PCs in the house: The Desktop, 2 laptops + 1 netbook occasionally.
Initial symptoms on Desktop: 
Antivirus log of the infection event gone. No scans ever revealed anything
Wireshark revealed suspicious traffic. Initially the capture lit up like a Christmas tree, then it mellowed. The IPs turn out to be mostly home users, from around the globe: Russia (I know, stereotype), Ecuador, Italy, some proxies.

93-39-6-42.ip73.fastwebnet.it,, host-2-60-220-94.pppoe.omsknet.ru, 37-146-226-142.broadband.corbina.ru,,... Read more

A:Seriously sneaky rootkit infection. Hooks in win32k.sys, ntdll.dll, wow64cpu.dll

Hi there,my name is Marius and I will assist you with your malware related problems.Before we move on, please read the following points carefully.First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.Perform everything in the correct order. Sometimes one step requires the previous one.If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.    Scan with DDSDownload DDS and save it to your desktop from here or here orhere.Disable any script blocker, and then double click dds.scr to run the tool.When done, DDS will open two (2) logsDDS.txt: save to your desktop then post its contents in your topicAttach.txt: save to your d... Read more

Read other 6 answers

Hello. Good Day to all. Permission to post. I just search for my problem and i didn't find any answers yet.

I'm receiving a BSOD several times i keep getting BSOD mostly when browsing with google chrome.

What i did so far :

-I just installed whocrashed and found an error (you can see it in the bottom).

-Reformat my PC (still no luck)

-Run memtest in 12 hrs and didn't find any error

-Update my video driver and fix 1 BSOD problem while playing games!

UPDATE: I just attached the sf diagnostic result.

My PC Specs :

-AMD FX-8320

*Please help me fix the BSOD it's really annoying my PC is one month old and i'm keep getting this

Thanks in advance!
Here's some result of Whocrashed :

Crash dump directory: C:\Windows\Minidump

Crash dumps are enabled on your computer.

On Sat 1/18/2014 6:29:05 AM GMT your computer crashed
crash dump file: C:\Windows\Minidump\011714-17971-01.dmp
This was probably caused by the following module: cdd.dll (cdd+0x6CF9)
Bugcheck code: 0x3B (0xC0000005, 0xFFFFF96000676CF9, 0xFFFFF88008AA0110, 0x0)
file path: C:\Windows\system32\cdd.dll
product: Microsoft? Windows? Operating System
company: Microsoft Corporation
description: Canonical Display Driver
Bug check description: This indicates that an exception happened while executing ... Read more

A:Randomly BSOD on my new PC - win32k.sys (win32k+0xC4283)

Bump. I just attach the sf diagnostic result thanks.

Read other 3 answers

Application Wow.exe locked the primary surface 2 time(s).


- System

- Provider

[ Name] Win32k

- EventID 245

[ Qualifiers] 16384

Level 4

Task 0

Keywords 0x80000000000000

- TimeCreated

[ SystemTime] 2010-07-14T18:25:08.281125200Z

EventRecordID 41040

Channel System

Computer Owner-PC


- EventData



Binary data:

In Words

0000: 00000000 00280003 00000000 400000F5
0008: 00000000 00000000 00000000 00000000
0010: 00000000 00000000

In Bytes

0000: 00 00 00 00 03 00 28 00 ......(.
0008: 00 00 00 00 F5 00 00 40 [email protected]
0010: 00 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........

What exactly is this error an indicator of? I've been getting this, and when it happens, the screen freezes for about 1-2 seconds. It is completely irregular, and sometimes I can go 30-40 mins without it happening, just to have it happen twice in 5 mins.

A:Event ID 245, Source: Win32k (Win32k)

Have you tried uninstalling WoW and then installing a fresh copy?

Read other 10 answers

heres the file from TSF_XP_Support http://www.mediafire.com/download/xdn0b05sgsbbaao/Sys_XP_Support.zip
and installed programs using minitools
=========================== Installed Programs ============================
Adobe Flash Player 15 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: - Adobe Systems Incorporated)
Adobe Flash Player 15 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: - Adobe Systems Incorporated)
Adobe Reader XI (11.0.08) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.08 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.1 (HKLM\...\Adobe Shockwave Player) (Version: - Adobe Systems, Inc.)
Learning Essentials for Microsoft Office (HKLM\...\{75F3A4B2-F6E8-434D-A2EF-DBBC016C6CB2}) (Version: 2.0 - Microsoft)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319 - Microsoft Corporation) Hidden
Microsoft Math (HKLM\...\{07043840-959A-4B0D-8825-2C533F0DDB19}) (Version: 2007 - Microsoft Corporation)
Microsoft Office 2010 Service Pack 1 (SP1) (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{047B0968-E622-4... Read more

A:Problem with BSOD win32k

Good morning .
Please download MiniToolBox  , save it to your desktop and run it.
 Checkmark the following checkboxes:  List last 10 Event Viewer log  List Installed Programs  List Users, Partitions and Memory size.
 Click Go and paste the content into your next post.
 Also...please Publish a Snapshot using Speccy - http://www.bleepingcomputer.com/forums/topic323892.html/page__p__1797792#entry1797792 , taking care to post the link of the snapshot in your next post.

Read other 10 answers

I just received a BSOD with error code 0x0000007A for the file win32k.sys. I was just surfing thenet when this happened. I have attached the minidump file.

Any help is appreciated

A:win32k.sys BSOD Problem.

Read other 6 answers

I'm having a lot of BSOD's recently. I ran the blue screen view app & here is the screenshot of it. 

What is the problem? 

A:Win32k.sys BSOD Problem. Please help.


Read other 3 answers

I am having an issue with my home desktop. It has Windows XP Professional sp2 or sp3 loaded (I can't remember exactly). The computer will not load properly. When it boots up, it automatically goes to the Windows Advanced Startup mode screen and displays the following message:

"We apologize for the inconvenience, but Windows did not start successfully. A recent hardware or software change might have caused this.

If your computer stopped responding, restarted unexpectedly, or was automatically shut down to protect your files and folders, choose Last Known Good Configuration to revert to the most recent settings that worked.

If a previous startup attempt was interrupted due to a power failure or because the Power or Reset button was pressed, or if you aren't sure what caused the problem, choose Start Windows Normally"

I tried to load Windows in each of the options but when I do so, the Windows load screen will come up followed by a blue error screen and then the PC will reboot. The blue error screen says the following:

"A problem has been detected and windows has been shut down to prevent damage to your computer.

The problem seems to be caused by the following file: win32k.sys


If this is the first time you've seen this stop error screen, restart you computer. If this screen appears again, follow these steps:

Check to make sure any new hardware or software is properly installed. If this is a new installation, ask you... Read more

A:Windows XP Pro will not boot - win32k.sys problem


As you can see, STOP 50 errors are difficult to troubleshoot.

I tend to associate this type of error message with malware, but that's just my personal quirk...it's not documentad by anything .

System manufacturer and model?


Read other 36 answers

I got BSOD when I install windows, , thinking it might be a ram problem I ran memtest for 5 hours and it doesn't shows any sign of error. Made a hdd utility chk no problem found as well.

So i kept on reinstalling all the drivers I got, the computer shows BSOD when it is in very heavy usage. Recently I ran 3Dmark05 on my computer it shows BSOD as well but without any minidump.

Also I am using a logitech MX 500 mouse with the latest driver installed when I turn the wheel it crashes also, this makes me wondering is there problem with my USB port.

this is my computer configuration
I'm dual booting linux and windows as welll
athlon xp 2600+
motherboard: a7v266-e (FSB 266)
ram:2x samsung ddr333 512MB
graphics card: x800gto agp
hdd: hitachi 7k250 120G (installed windows)
IBM deskstar (installed linux)
SPI 350W

below is my minidump, 1st is the latest

A:BSOD by win32k.sys & ati2cqag.dll ram problem ?


Your windows is crashed with various bugcheck code. I believe that it is hardware error. Probably it is faulty memory such as memory modules, Level 2 (L2) SRAM cache, or video adapter RAM.

1. Some faulty can pass memtest. Try reseat the ram. Downclock the ram
2. Downclock the CPU
3. Faulty m/b or video card
4. Make sure your PSU has adequate power to support all the peripheral including USB device.
5. Upgrade BIOS

Your debug report
Mini011806-07.dmp BugCheck 1000007F, {8, 80042000, 0, 0}

Mini011906-01.dmp BugCheck D1, {a41ffcc, 2, 0, f732cd5b}
Probably caused by : USBPORT.SYS ( USBPORT!USBPORT_DmaEndpointActive+f9 )

Mini011906-02.dmp BugCheck 10000050, {e3870490, 0, bf8076b5, 0}
Probably caused by : kmixer.sys ( kmixer+29d98 )

Mini011906-03.dmp BugCheck 100000D1, {8726ecb0, 2, 1, f712507c}
Probably caused by : wg311nd5.sys ( wg311nd5+2907c )

Mini011906-04.dmp BugCheck 1000008E, {c0000005, bfa3c737, ebe9b8c8, 0}
Probably caused by : ati2cqag.dll ( ati2cqag+26737 )

Mini012006-01.dmp BugCheck 1000000A, {0, 2, 0, 804dc25d}
Probably caused by : win32k.sys ( win32k!xxxStarterQueueTerminateProcessAndWait+45 )

Mini012106-01.dmp BugCheck 1000008E, {c0000005, bf814c00, eb9ca520, 0}
Probably caused by : win32k.sys ( win32k!pCreateXlate+b )

Mini012106-02.dmp BugCheck 1000008E, {c000001d, bf813bef, ebc7b608, 0}
Probably caused by : hardware ( win32k!GreBatchTextOut+26a )

Mini012106-03.dmp BugCheck 1000008E, {c0000005, bf801a0b, ... Read more

Read other 4 answers

Hello everyone, if you do not mind, i go straight to the point

As the title says i have a serious issue with BSoDs and freezing. First i'll go into detail about bluescreens

These ones happen whenever i play any games with my computer. They're mostly random, and i have not seen any kind of pattern or spesific times when they happen. Computer doesn't overheat (i've checked the temperatures when in game using RealTemp) and any kind of lag is not present. I got completely new GPU from warranty yet these problems still exist.

Now about freezing problem. This issue is new and came along with the new graphics card. Like the BSoDs, these also happen completely random times. Sometimes whole computer simply freezes, sometimes i am able to move mouse around after few seconds. Other things include sudden screen shut down and recovery, along with a notice "Windows Kernel driver 320.somehing has stopped working and recovered". I don't remember correctly. There is an occasion when my computer freezes for few seconds and then works almost properly. The cursor, you see, is all screwed up. I've added photos of the cursor (although they are pretty bad)

Strange thing is that BSoDs only happens in games, and freezing only happens in normal use

Any suggestions and help is welcome

A:dxgmms1.sys, ntoskrnl.exe and win32k.sys BSOD and freezing problem

eliminaattori welcome to SevenForums

Have you tried to upgrade the Graphics Driver ?

Read other 9 answers

Have Windows 10 AU UPDATE. When i am clicking close system ( turn off pc ) , system closing fine, pc closing fine. But after that when i boot to Windows 10 it boots fine but event log register livekernelevent: win32k.sys.There was not bluescreen i dont saw a bluescreen. So question. It is related to my hardware or system?

LivekernelEvent - win32k.sys - it is related to hardware issue?

But why i dont saw a bluescreen and windows only report this.

Memtest86 no errors. Games are not crashing.No Bsods,no freezing etc.

Windows 10 ,newest Anniversary update.

PC:6700k stock

Asus Z170-P

Corsair 750

16GB DDR4 Kingston

Gtx 1080 Ti Fe

Maybe a BUG? because it does not display any BSODs or works strange.

A:I have hardware problem? LivekernelEvent - win32k.sys log,when closing system.

win32k.sys = graphics subsystem.

Where are the links for the other topics about this?

Read other 2 answers

I've already run malwarebytes, combofix, Spybot.

The winfiles and Pe-files attachments are from rootkitty running on ubcd4win, although they could possibly have been modified by the rootkit before uploading, as I uploaded them from the infected machine.

Here's dds.txt,
DDS (Ver_09-07-30.01) - NTFSx86
Run by Winxp at 9:13:45.14 on Sun 08/30/2009
Internet Explorer: 6.0.2800.1106
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.511.182 [GMT -5:00]
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\avgas\guard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C... Read more

A:Rootkit, Vundo.h, Rootkit.agent, Rootkit.Rustock, Rootkit.Dropper, Slenugga, FakeAlert, WinWebSec, etc....

Hello and welcome to Bleeping ComputerWe apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.If you have already posted a DDS log, please do so again, as your situation may have changed.Use the 'Add Reply' and add the new log to this thread.Thanks and again sorry for the delay.We need to see some information about what is happening in your machine. Please perform the following scan:Download DDS by sUBs from one of the following links. Save it to your desktop.DDS.scrDDS.pifDouble click on the DDS icon, allow it to run.A small box will open, with an explaination about the tool. No input is needed, the scan is running.Notepad will open with the results.Foll... Read more

Read other 3 answers

AVG had been detecting several threats and there were numerous browser redirects in Firefox for a while (not sure about IE, because I don't like using it). Afterwards, AVG had been disabled for a few days and there were still numerous browser redirects in Firefox, which lead me to download Avira, and a complete system scan from it in Safe Mode resulted in detections of the Zero Access Rootkit (tdx.sys). After removing everything that Avira detected (a couple of the other files detected were Seaport.exe, Avira's own scheduler file, SupServ.exe, and other files detected as FakeRean. I cannot really remember everything else.) I found that I could no longer connect to the internet because of tdx.sys having been removed. I shut the laptop down and hit the F8 key and used System Restore to restore to an earlier point. AVG was still disabled although I remember AVG being functional at that point, but I could connect to the internet now. I have not seen any more browser redirects. I have logs for DDS and GMER below.


DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_22
Run by Brian at 12:33:15 on 2011-09-04
Microsoft Windows 7 Professional 6.1.7601.1.950.852.1033.18.2039.932 [GMT -6:00]
AV: AVG Anti-Virus Free *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1AC... Read more

A:TDSS Rootkit or some other rootkit problem

Hello and welcome. Please follow these guidelines while we work on your PC:Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I?ve given you the ?All clear.? Absence of symptoms does not mean your machine is clean! Please do not run any scans or install/uninstall any applications without being directed to do so.Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed. P2P - I see you have P2P software (Vuze) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to malware infections. Please see this post for more information. I recommend that you uninstall these now. You can do so via Control Panel >> Add or Remove Programs. If you choose to keep these applications, please do not use them until our fixes at BC are complete. Download TDSSKiller.zip and extract TDSSKiller.exe to your desktopExecute TDSSKiller.exe by doubleclicking on it.Press Start Scan
If Malicious objects are found then ensure Cure is selected. Important - If there is no option to "Cure" it is critical that you select "Skip"Then click Continue > Reboot now
Once complete, a log will be produced in c:\. It will be named for example, TDSSKiller. Read more

Read other 30 answers

Hello all. One of my co-workers tried to boot up their comp. yesterday morning and got a blue screen with an error message. It read:

stop: 0X0000008E (0XC0000005, 0XBF803EC6, 0XF86E6C94, 0X00000000)

WIN32K.sys Address BF803EC6 base at BF800000, Datestamp 45F013F6

WTH does this mean? From some other threads I've read on this site, it seems like I have a hardware prob., but I'm not able to get passed this screen. I've gone into the settings to check the drives, but I dont see and error message on any of them.
She has a DIM5100 P4 CPU 2.80GHz 2.79GHz, 512MB and is running MS XP Pro 2002 SP2.

Like I said, i cant get passed the blue screen, so I'm not sure if i need a technician to come in or what other options i may have. TIA for any help whatsoever!



I've been getting a blue screen of death as well...

I just installed a Pentium D 915 on my board as well as a second G of RAM...

Then the problems began...

I first flashed my BIOS to make sure it was compatible with my new PROC.Then, during the windows xp installation, I was getting an SXS.dll error and setup would not complete... after stripping my Rig down... it only worked when I left My kingston ram in as long as my generic 1G stick wasn't installed...

So the rig was working fine at that point... XP installed, I got all my software and hardware drivers to intall and I was in LALA land...


All of a sudden I keep getting a Blue Screen of Death giving me either or message...
I got this one before I uninstalled my video drivers...


When I uninstalled my video drivers I started getting this one...


Another weird thing is that everytime I download x1600 drivers and install them... my card then becomes an x1650...

Could this have anything to do with my problems?

Cheers and thanks in advance...


Read other 1 answers

Dear Security Team

When I run a scan with Adaware Total Security it finds this virus:

Object: win32k.sys
Path: C:\Windows\winsxs\x86_microsoft-windows-win32k_31bf3856ad364e35_6.1.7601.18105_none_bb06957bf8c00536
Status: File deleted. Restart required.
Virus: Win32.Trojan.Agent

I have not been able to quarantine or delete the object. Is it serious? and how do I remove it? thank you very much for your help. I should have the windows 7 installation dvd

Please find dds to follow:

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.7600.17267 BrowserJavaVersion: 10.25.2
Run by Jake at 17:02:24 on 2013-08-24
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.61.1033.18.3071.1718 [GMT 10:00]
AV: Ad-Aware Total Security *Enabled/Updated* {54ACC2FC-837E-E665-7A92-5352D560D5EF}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Ad-Aware Total Security *Enabled/Updated* {EFCD2318-A544-E9EB-4022-6820AEE79F52}
FW: Ad-Aware Personal Firewall *Enabled* {6C9743D9-C911-E73D-51CD-FA672BB39294}
============== Running Processes ================
C:\Program Files\Common Files\G Data\GDScan\GDScan.exe
C:\Program Files\Lavasoft\Ad-Aware Total Security\AVK\AVKWCtl.exe
C:\Program Files\ASUS\ATK Hotkey\ASLDRSrv.exe
C:\Program Files\ATKGFNEX\GFNEXSrv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0... Read more


Hello, j.spite

This seems like it could be a false positive.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:



Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found at on your Desktop entitled SystemLook.txt

Please go to: VirusTotalOn the page you'll find a "Choose File" button.
Click on the Choose File button.
In the Choose File to Upload window which opens, copy and paste this into the File Name box.


Next, click the Open button.
Then click the "Scan It! " button just below.
This will scan the file. Please be patient.
If you get a message saying File has already been analyzed: click Reanalyze file now
Once scanned, copy and paste the link to the results page in your next reply.

Read other 5 answers

Following this advice I'm now posting here. I can't run the DDS program. It opens, sits there for a split second, then closes. Or it sits there for a few seconds, then closes. So all I have is the rootrepeal log and the win32kdiag log. I will attach them in the interest of space. I can paste it here if you want though... is there a "cut" type deal here? Where I can paste it expandable style? Anyway the two logs are attached. I had the windows antivirus pro thing that seemed to be brand new (ad-aware even asked me to send them one of the files that was "suspicious") I fought off a lot of it but it is still stealing my Google searches. What am I supposed to do, use Bing? I don't think so.See attachments.

A:win32k.sys:1 and win32k.sys:2

Hello and welcome to the BleepingComputer.com! I will be helping you today. In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.Please give me some time to analyse your logs, I will be back shortly.

Read other 14 answers

I got 2 BSOD errors 0x0000000a (0x00000020, 0x00000002, 0x00000001, 0x804ea07b) and 0x10000050 (0xffffff88, 0x00000000, 0xbf8229c9, 0x00000000. One of them said the faulty driver was win32k.sys. Does anyone know how to fix it?


what did you previously install? driver, database, any language options etc...? will it boot to safe mode? have you tried a system restore from a known good point if the options available?

Read other 7 answers


For apparently no reason a blue screen appeared saying that there is a problem with the computer related to win32k.sys, and that it might be due to hardware problems or to new software installation. If it was the first time (as it was) just try to restart the computer.

Since it was I just restarted it and apparently it is working well. I haven't installed anything lately so how could I see what is the problem with the computer?

thanks in advance


I was going to tell you that you are out of luck as microsoft had a support article that recognzied the problem but had no solution. Now, apparently they have a hotfix


Read other 2 answers

hi to all

im using vista home basic, i got BSOD at booting, please can anyone help me what is causing this. minidump is attached.

please help me


Your error is 0x8E and these are almost always caused by hardware issues. Because it cited win32k.sys which is a core Windows driver that is even further indication of a hardware problem.


1. Run MemTest on your RAM www.memtest.org for a minimum of 7 passes. Any errors and you have corrupted memory that must be replaced.

2. Run a full harddrive diagnostics on your harddrive. Your harddrive manufacturer will have a free utility that you can download and run.

* Your crash may be due to other issues but with only one minidump we don't have much else to go on.

Read other 3 answers

Been having this problem for some time now. Thought I would come on here and see if anyone can help me with this older desktop computer.

Dell Dimension 4600
Windows XP Home
Pentium 4 CPU 2.40 Ghz
Memory 2.00 GB

BSOD comes up every day :
Problem has been detected and Windows has been shut down to prevent damage to your computer.
Stop 0x00000050, (0XE38C901C, 0X00000000, 0XBF84CA7C, 0X00000001,
Win 32K.sys - Address BF84CA7C base at
BF800000, Date Stamp 52F43E77
Beginning dump of physical memory to disk
I have to shut the computer down and restart and after awhile I get the BSOD again. Any help would be greatly appreciated.


Read other 6 answers

I bought a new system
Tech Support Guy System Info Utility version
OS Version: Microsoft Windows XP Professional, Service Pack 3, 32 bit
Processor: Intel Pentium III Xeon processor, x86 Family 6 Model 23 Stepping 10
Processor Count: 2
RAM: 2012 Mb
Graphics Card: Intel(R) G41 Express Chipset, 1024 Mb
Hard Drives: C: Total - 39997 MB, Free - 32645 MB; D: Total - 436931 MB, Free - 408527 MB;
Motherboard: Gigabyte Technology Co., Ltd., G41MT-ES2L, x.x,
Antivirus: Norton Internet Security, Updated: Yes, On-Demand Scanner: Enabled
and I have a problem i.e it shows a error report win32k.sys when i open a game......apart from this it works fine............any game like FIFA08,GTA san andreasetc........(a blue screen with stop bla bla bla appears wat to do)plz plz help me .........................



Please do not start more than one thread for the same issue.

Closing duplicate.

Read other 1 answers

I accidentally (on purpose ) renamed my win32k.sys file and now....my computer won't start

I don't have my original xp installation discs so I can't reinstall it so....is there any other way to get this file back? I did go to the microsoft site and I did buy this file (a zip download) but I haven't got it yet. Will it be easy to reinstall? Probably not, knowing my luck..... but, is there hope??

I'm slowly losing the will to live so, some positive feedback would be appreciated! Thank you.

Read other answers

hi to all

im using vista home basic, i got BSOD during boot. minidump is attached. please can any one tell me what could be the problem.



no one there to help out..

Read other 1 answers

I recently built a PC for my friend, but he kept getting crashes on windows vista, so upgraded to windows 7.

I installed the latest gfx card drivers, but none for the mobo (win7 doesnt need them?)

Anyway, so far he has had to bluescreens, which both point at win32k.sys, but other than knowing that, I dont know what to do.

Could anyone extract more info from the dumps that may help?

Thanks in advance


Also, his monitor is blurry on any resoloutions.
He's using a sharp aquos (tv and monitor), but the only 2 resoloutions it seems to support is 800x600 and 1024x768. Both of these are blurry, and text is really hard to read. The thing is, the res SHOULD be right, and the refresh rate is also set right...

We tried it with my 22" monitor, and it ran flawlessly, which makes us think its the actual monitor. Could this be contributing to the bluescreens?

Read other 8 answers

OK- I am not extremely computer savvy... I may have destroyed the computer beyond repair, but my files are not backed up and all of the videos of my son when he was a baby are on there and only there. So, HELP!!!! I had a bad virus that started as pop ups for fake virus protection- I can't even remember what it said. I gave it to my brother in law to fix and it took him a month to tell me I needed to backup my files cause he was going to dump the whole thing. Last night after plugging in the USB and having it fill up without even getting through a 1/4 of our pictures, I decided to try to get rid of the virus myself. I ran malwarebytes which found some items and told me to shut down to complete. I did, got the blue screen- started in safe mode w/ networking (got a pop up that said malwarebytes could not be located). After some more searching, I downloaded Hitman that was made for the DNS virus- I know whatever it is on my computer is really bad. The local connection icon was completely removed. Ethernet driver gone and microsoft system tools like firewall and security all gone. Here is a what hitman said before it told me to reboot to complete the deletion of the virus (s). Rootkit rootkit.mbr.pihar.d (boot image) ,trojan.tdlphaze.1, rootkit.win32.pihar!Ik, Win32/bootkit, Malware gen:variant.graftor.13001 (engine A), backdoor.maxplus, trojan-dropper.win32.sirefeflIK... and 57 items in tempfiles..... HELP PLEASE!

A:. Rootkit rootkit.mbr.pihar.d (boot image) ,trojan.tdlphaze.1, rootkit.win32.pihar!Ik, Win32/bootkit, Malware gen:variant.g...

Copy this tool to the infected PC FSS Checkmark all the boxesClick on "Scan".Please copy and paste the log to your reply.

Read other 1 answers

Hopefully I can detail this out as much as possible.

Recently, my virus scanner told me that win32k.sys had a virus, and it cleaned it out. Now, my computer shuts down randomly, and whenI boot up, I get the BSOD sayong there's an error with win32k.sys. This only happens when I boot up normally, but in safe mode I run fine. Is there a way to run a diagnostic on the file or such? I might be able to retreive the exact error codes if needed.

A:Win32k.sys BSOD

It would help if you had the error number, probably 0x0000008E.

Have you tried replacing the driver from the XP CD? Do you have an XP CD?

Read other 1 answers

I have a terminal server and for some reason, it restarts on trying to print some specific documents from CrystalReports XI.

The minidump blames win32k.sys (tho im not expert on reading it), but i don't beleave it... i think its a printer driver - jet i cannot test it because sometimes it prints fine and i have many printers.

It's this MS KB: h t t p://support.microsoft.com/kb/911028/en-us
But i already have the SP2 on my Win 2003 x64 R2 - so i have no clue how to fix the issue.

A:Need help with win32k.sys & minidump

I have the same problem:
Terminal Server Windows 2003 Std. R2 x64 with SP2.
Randomly crashes with crash:

STOP 0x00000050 (parameter1, parameter2, parameter3, parameter4)

The crash blames win32k.sys.
I performed a crash debug using windbg and I see also Winword.exe being referenced under "PROCESS_NAME". I think there might a problem with win32 applications running on a x64 Windows Server with Terminal Services enabled.
Did you try to analyse the minidump?
Good bye, let me know

Read other 1 answers

I need some help, please.
My laptop keep getting BSOD when opening Firefox, Wordpad, and Fonts in Control Panel.
I am using Windows 7 Ultimate x64 SP1.

changed system locale back to Japanese -> stop bsod for now
checked fonts folder with Fix Fonts Folder 2.0 and got dozens of corrupts fonts >.<
now trying to get some replacement fonts from other computer

A:BSOD Win32k.sys

Welcome aboard.

* *
* Bugcheck Analysis *
* *

Use !analyze -v to get detailed debugging information.

BugCheck 19, {20, fffff900c37579b0, fffff900c3757a00, 2505000f}

Probably caused by : win32k.sys ( win32k!EngFreeMem+21 )

Followup: MachineOwner

2: kd> !analyze -v
* *
* Bugcheck Analysis *
* *

The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arg1: 0000000000000020, a pool block header size is corrupt.
Arg2: fffff900c37579b0, The pool entry we were looking f... Read more

Read other 1 answers

I have been getting a blue screen on a regular basis recently.

I included a screen shot as an attachment.

I have recently juggled between AMD Catalyst drivers. I have used the latest and beta and they are all causing issues.

Is there anything I can do to fix this?


A:System_service_exception (win32k.sys)

Please follow these directions in your post: Blue Screen of Death (BSOD) Posting Instructions

Read other 3 answers


I have quite suddenly been getting frequent BSOD's. It only flashes for a moment but one of the more recent times I did catch the win32k.sys referenced in it. The only thing out of the normal that has started in concurrence with this is Mozilla Firefox is crashing all the time now. Any help would be appreciated. I have attached the requested TSF_Vista_Support Folder but the Performance Monitor would not generate a report for me. After running the tests, it stated Error: An error occured while attempting to generate the report. The wait for the report generation tool to finish has timed out.


Windows 7 Ultimate x64
System is about 2 years old
OS installed 10/2009
Intel E8400 3.0 ghz (3.6 ghz)
2x nvidia 8800gts 512
1x nvidia gt220
Asus Striker II Formula
Corsair 750 Watt

A:BSOD win32k.sys

Hi -

There were no dump files in the attached zip. Please check \windows\minidump - copy all out to TSF_Vista, zip & attach to next post.

I did look through the other files and see many "Live Kernel Events", which are just 1 step below an actual BSOD. Live Kernel Events + win32k.sys usually are indicative of an issue with video transitioning from user mode (win32k) into kernel code territory.

I also noticed in WERCON the repeated crashing of this app since November 2009 -

11/1/2009 5:02 PM Application Error Faulting application name: unace32.exe, version:,
time stamp: 0x3a76026a&#x000d;&#x000a;Faulting module name: unace32.exe, version:,
time stamp: 0x3a76026a&#x000d;&#x000a;Exception code: 0xc0000005&#x000d;&#x000a;Fault offset: 0x00006658&#x000d;&#x000a;Faulting process id: 0xd70&#x000d;&#x000a;Faulting application start time: 0x01ca5b150da4b7a0&#x000d;&#x000a;Faulting application path: C:\Users\David T Lewis\Downloads\!RnE - 2009.11.01 11.56.31 - blhtlg01\blhtlg01\unace32.exe&#x000d;&#x000a;Faulting module path: C:\Users\David T Lewis\Downloads\!RnE - 2009.11.01 11.56.31 - blhtlg01\blhtlg01\unace32.exe&#x000d;&#x000a;Report Id: 4b55e600-c708-11de-88ed-001fc63e3180
The timestamp 0x3a76026a translates to Mon Jan 29 18:53:14 2001

Too old for a 2010 upated Windows 7 x64 system.

Regards. . .



Read other 3 answers

I had a BSOD which suggested it was caused by Win32k.sys, I looked up the web and it appears I am not alone. There was one suggestion it could be a corrupt Win32k.sys file and said to re-name the file to Win32k.old, then close the window, then go back to the system32 folder and you will have a new and non-corrupt Win32k,sys file.
I am loathe to do this without having a word with you good people My system is an OEM XP Media Center Edition and do not have an installation disc if something goes wrong.
Advice would be welcome, thank you.

A:[SOLVED] Win32k.sys

Run this program BSOD_XP_v1.3_jcgriff2_PROD.exe. after it is done, go to My Documents and zip the file TSF_XP_Support and attach it to your next post. This will tell us more about the BSOD message and your computer setup.

Read other 5 answers

Hello, I am a novice when it comes to computers, but know enough to be dangerous. With that said, for the past several weeks I have been getting BSOD's when using my laptop and they seem associated with the win32k.sys driver. Attached are the DMP files of the two most recent crashes.

Dump File : 091515-28719-01.dmp
Crash Time : 9/15/2015 1:41:44 PM
Bug Check Code : 0x1000007f
Parameter 1 : 0x00000008
Parameter 2 : 0x8e139750
Parameter 3 : 0x00000000
Parameter 4 : 0x00000000
Caused By Driver : win32k.sys
Caused By Address : win32k.sys+d1b5e
File Description : Multi-User Win32 Driver
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.1.7600.16385 (win7_rtm.090713-1255)
Processor : 32-bit
Crash Address : win32k.sys+d1b5e
Stack Address 1 : win32k.sys+981a9
Stack Address 2 : win32k.sys+9515f
Stack Address 3 : win32k.sys+85e36
Computer Name :
Full Path : C:\windows\Minidump\091515-28719-01.dmp
Processors Count : 4
Major Version : 15
Minor Version : 7601
Dump File Size : 131,072
Dump File Time : 9/15/2015 1:42:57 PM

Dump File : 091615-39187-01.dmp
Crash Time : 9/16/2015 11:53:26 AM
Bug Check Code : 0x1000007f
Parameter 1 : 0x00000008
Parameter 2 : 0x807c9750
Parameter 3 : 0x00000000... Read more

A:BSOD - win32k.sys

Someone else can address your blue screen issues and dump files, but I do have a question for you.


Why are you running Windows 7 Professional SP1 32-bit in your computer with 8 GB of RAM?

A 32-bit version of Windows won't make use of more than 3.25 - 3.5 GB, so there's no point in having more than 4 GB in the computer.

In some cases, having more than 4 GB in the computer will cause a 32-bit operating system to make use of less RAM.

That appears to be the case in your computer because your log shows it's making use of only 2.92 GB.


Read other 5 answers

Friend of mine is getting BSOD at regular intervals and I do not have much Idea how to fix it because never came across with this error before. did some basic troubleshooting like changing RAM, Updating windows but not good.When I ran Bluescreen view found win32k.sys was causing it. I am attaching the image of the same and the .dmp file with this..
Counting on experts help..

A:BSOD win32k.sys

Hi mangarkevin.

You supplied a stray crash dump only. Nothing very precise can be said based on it. But your display driver is very old.

9aa0a000 9b3f9000 nvlddmkm T (no symbols)
Loaded symbol image file: nvlddmkm.sys
Image path: \SystemRoot\system32\DRIVERS\nvlddmkm.sys
Image name: nvlddmkm.sys
Timestamp: Sat Oct 15 12:04:27 2011 (4E992973)
CheckSum: 009DBCBF
ImageSize: 009EF000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Try to update it: Drivers - Download NVIDIA Drivers

Let us know the situation after doing it. Post it following the Blue Screen of Death (BSOD) Posting Instructions.

Read other 3 answers

hi all,my computer BSOD at random time, im not sure what caused that, hope the dump helps

A:BSOD win32k.sys

OK a quick glance at the files you provided, and a couple of things:

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Unable to load image \SystemRoot\system32\ntkrnlpx.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntkrnlpx.exe
*** ERROR: Module load completed but symbols could not be loaded for ntkrnlpx.exe
Windows 7 Kernel Version 7600 MP (4 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7600.16905.x86fre.win7_gdr.111025-1503
Machine Name:
Kernel base = 0x82643000 PsLoadedModuleList = 0x8278b810
Debug session time: Sat Jun 8 00:51:19.723 2013 (UTC - 4:00)
System Uptime: 4 days 10:34:53.613
Unable to load image \SystemRoot\system32\ntkrnlpx.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntkrnlpx.exe
*** ERROR: Module load completed but symbols could not be loaded for ntkrnlpx.exe
Loading Kernel Symbols
Loading User Symbols
Loading unloaded module list
ERROR: FindPlugIns 80070005
ERROR: Some plugins may not be available [80070005]
* *
* Bugcheck Analysis ... Read more

Read other 1 answers

Hi there,

I'm a Video editor who is now constantly being interrupted by BSOD's with the following codes:
0x0000008E (0xC0000005, 0xBF8E5F91, 0xB580D868, 0x00000000)

I've run the latest memtest for about 14 hours (didn't realise it kept going until you stop it) and it didn't find any faults.

Another point is that it always happens whilst I'm editing, I use the computer for a lot of other demanding tasks, effects creation etc and sometimes games and it never happens during those.
There seem to be a lot of 08E errors around and I don't know if theyre all the same or what so I thought I'd better get some direct advice.

Any help would be greatly appreciated


Paul Hawkridge

Mesh Elite, XP MCE
Asus P5N-E SLI Motherboard
Core2Duo E6700 @ 2.66GHZ
Nvidia Geforce 7950GT 512mb
4x1GB Ram @ 533mhz
Creative X-Fi

A:BSOD - Win32k.sys

Read other 7 answers

Well, I keep getting this bsod.. I have no idea how to read into these minidump files but I know its win32k.sys that is causing the crash.

Could someone please give me some insight as to what is causing these BSOD's
Frequency is every 2-4 days. I tried to upload the actual .dmp file but it's not letting me.

XP 64 pro
Microsoft ® Windows Debugger Version 6.7.0005.1
Copyright © Microsoft Corporation. All rights reserved.
Loading Dump File [C:\WINDOWS\Minidump\Mini120907-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: C:\WINDOWS\Symbols
Executable search path is:
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Kernel base = 0xfffff800`01000000 PsLoadedModuleList = 0xfffff800`011d4140
Debug session time: Sun Dec 9 22:36:44.640 2007 (GMT-5)
System Uptime: 1 days 9:26:46.553
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Loading Kernel Symbols
Loading User Symbols
Loading unloaded module list
********************... Read more

A:Win32k.sys Bsod Help

Does this ring any bells? PROCESS_NAME: ???????AAlso, the stack text appears a bit messed up (too many of the same addresses). Did you use the 64 bit version of the debugger to analyze the dump file? Or it could just be my lack of experience with 64 bit dump files Since it refers to win32k.sys - does this belong to a process on the system that's emulating a 32 bit OS? Although I don't know, I wonder if the 64 bit versions use win32k.sys - shouldn't it be win64k.sys? (just guessing on my part - don't have a 64 bit OS to look at)FWIW - this link http://aumha.org/a/stop.php#0x50 states that it's usually a memory problem, although other things (such as drivers) can cause it. I'd try running Memtest86 - http://www.memtest86.com/

Read other 7 answers

Hello everybody,

I am getting random blue screens all the time for different errors including win32k.sys and memory management. BSODs also randomly occur on bootup as well. I have a Dell Studio Laptop 1535 with 4 gigs of ram: Radeon HD 4300 Series graphics card
Dual Intel 5750 2.0 GHz processor
Windows 7 Ultimate 32bit
This is not the original OS installed (Windows Vista 32bit was the original OS)
The age of my system is a little over 2 years old
The current OS installation is a few weeks old
Thanks for your help.

A:win32k.sys BSOD

Uninstall Kaspersky with this tool:

Removal tool for Kaspersky Lab products

Uninstall SUPERAntiSpyware.

Install MSE as the replacement:


Update drivers:

rixdptsk.sys Tue Nov 14 20:35:19 2006

Broadcom NetLink (TM) Gigabit Ethernet NDIS6.x
k57nd60x.sys Sun Apr 26 07:23:19 2009

PerfectDisk Raxco Software
DefragFS.SYS Wed Aug 19 13:31:36 2009

Broadcom 802.11 Network Adapter wireless
bcmwl6.sys Tue Jul 07 20:44:47 2009

Crash Dumps:

Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [F:\a\Minidump\D M P\122310-25802-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7600 MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7600.16617.x86fre.win7_gdr.100618-1621
Machine Name:
Kernel base = 0x82a39000 PsLoadedModuleList = 0x82b81810
Debug session time: Thu Dec 23 00:49:26.915 2010 (UTC - 5:00)
System Uptime: 0 days 0:01:13.881
Loading Kernel Symbols
Loading User Symbols
Loading unloaded... Read more

Read other 3 answers

I just had a very random BSOD while just using the computer for browsing the web. It was related to win32k.sys. I have attached the dump files to this post. Any help would be much appreciated.

EDIT: I'm running Windows 7 Home Premium 64bit with SP1 and have an i5 760 processor and a GT240 graphics card.

A:Win32k.sys BSOD

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\Mike\Documents\Kingston\BSODDmpFiles\Bankai\Windows_NT6_BSOD_jcgriff2\021812-14508-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*C:\SymCache*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7601.17640.amd64fre.win7sp1_gdr.110622-1506
Machine Name:
Kernel base = 0xfffff800`03055000 PsLoadedModuleList = 0xfffff800`0329a670
Debug session time: Fri Feb 17 14:41:05.842 2012 (GMT-7)
System Uptime: 0 days 1:36:05.216
Loading Kernel Symbols
Loading User Symbols
Loading unloaded module list
* *
* Bugcheck Analysis *
* *

Use !analyze -v to get detailed debugging information.

BugCheck 3B, {c0000005, fff... Read more

Read other 1 answers