Recently, after resuming my Vista laptop from hibernation, I was greeted with a rather strange wait, followed by a blue screen of death. Analysis of the dump yielded the following:

THREAD_STUCK_IN_DEVICE_DRIVER (ea)
The device driver is spinning in an infinite loop, most likely waiting for hardware to become idle. This usually indicates problem with the hardware itself or with the device driver programming the hardware incorrectly.
If the kernel debugger is connected and running when watchdog detects a timeout condition then DbgBreakPoint() will be called instead of KeBugCheckEx()and detailed message including bugcheck arguments will be printed to the
debugger. This way we can identify an offending thread, set breakpoints in it, and hit go to return to the spinning code to debug it further. Because KeBugCheckEx() is not called the .bugcheck directive will not return bugcheck
information in this case. The arguments are already printed out to the kernel debugger. You can also retrieve them from a global variable via
“dd watchdog!g_WdBugCheckData l5″ (use dq on NT64).
On MP machines (OS builds <= 3790) it is possible to hit a timeout when the spinning thread is interrupted by hardware interrupt and ISR or DPC routine is running at the time of the bugcheck (this is because the timeout’s work item can be delivered and handled on the second CPU and the same time). If this is the case you will have to look deeper at the offending thread’s stack (e.g. using dds) to determine spinning code which caused the timeout to occur.
Arguments:
Arg1: 870246b8, Pointer to a stuck thread object. Do .thread then kb on it to find the hung location.
Arg2: 00000000, Pointer to a DEFERRED_WATCHDOG object.
Arg3: 00000000, Pointer to offending driver name.
Arg4: 00000000, Number of times this error occurred. If a debugger is attached, this error is not always fatal — see DESCRIPTION below. On the blue screen, this will always equal 1.

Debugging Details:
——————

PEB is paged out (Peb.Ldr = 7ffd800c). Type “.hh dbgerr001″ for details

PEB is paged out (Peb.Ldr = 7ffd800c). Type “.hh dbgerr001″ for details

FAULTING_THREAD: 870246b8

DEFAULT_BUCKET_ID: GRAPHICS_DRIVER_FAULT

BUGCHECK_STR: 0xEA

PROCESS_NAME: Ati2evxx.exe

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from 89c2a825 to 81cace97

STACK_TEXT:
a53d7704 89c2a825 000000ea 870246b8 00000000 nt!KeBugCheckEx+0×1e
a53d7748 89c22bfa a53d7794 00000000 89c1d786 dxgkrnl!TdrTimedOperationBugcheckOnTimeout+0×2b
a53d7770 8b5785dc a53d7794 00000000 00000000 dxgkrnl!TdrTimedOperationDelay+0xc9
WARNING: Stack unwind information not available. Following frames may be wrong.
a53d77c0 8b576468 8b670040 a53d785c ffffffff atikmdag+0×255dc
a53d77dc 8b66782c 861bd000 a53d77f8 00000014 atikmdag+0×23468
a53d7838 8b670101 86a58008 8b670040 a53d785c atikmdag+0×11482c
a53d7868 8b6cd9da 8685b0e8 00000000 00000001 atikmdag+0×11d101
a53d7888 8b59f159 88340000 00000000 00000001 atikmdag+0×17a9da
a53d78a8 8b59505c 86a58000 86a61974 00000000 atikmdag+0×4c159
a53d78dc 8b5973e3 00000000 86a611e0 00000001 atikmdag+0×4205c
a53d7904 8b5b3be0 00000001 00000001 00000001 atikmdag+0×443e3
a53d7960 8b5b80ab 86a58000 00000000 00000001 atikmdag+0×60be0
a53d7980 8b58e38d 86a58000 a53d799c a53d7ba0 atikmdag+0×650ab
a53d79b8 8b554e80 86a58000 a53d7ba0 00000030 atikmdag+0×3b38d
a53d79dc 8b55a7de a53d7ba0 00000030 a53d7bd4 atikmdag+0×1e80
a53d7a00 8b55af33 0011000e 00000030 a53d7bd4 atikmdag+0×77de
a53d7a24 8b56bdeb 00000030 a53d7ba0 00000000 atikmdag+0×7f33
a53d7a54 8b56bf8a 00000000 a53d7b1c a53d7ba0 atikmdag+0×18deb
a53d7a74 89c4a7b2 8640a648 a53d7ab4 000000b8 atikmdag+0×18f8a
a53d7a94 89c4a455 a53d7ab4 a5b4b811 0012e910 dxgkrnl!DXGADAPTER::DdiEscape+0×3b
a53d7d38 81c4607a 0012e910 0012e94c 77940f34 dxgkrnl!DxgkEscape+0×4af
a53d7d38 77940f34 0012e910 0012e94c 77940f34 nt!KiFastCallEntry+0×12a
0012e94c 00000000 00000000 00000000 00000000 0×77940f34

STACK_COMMAND: .thread 0xffffffff870246b8 ; kb

FOLLOWUP_IP:
dxgkrnl!TdrTimedOperationBugcheckOnTimeout+2b
89c2a825 cc int 3

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: dxgkrnl!TdrTimedOperationBugcheckOnTimeout+2b

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: dxgkrnl

IMAGE_NAME: dxgkrnl.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 46899fd6

FAILURE_BUCKET_ID: 0xEA_IMAGE_dxgkrnl.sys

BUCKET_ID: 0xEA_IMAGE_dxgkrnl.sys

Followup: MachineOwner

Seems that the hardware was messed up, as I had to force the laptop to power down twice during subsequent boots, in order for Vista to make it to the logon prompt.

»

• TechBlog: Vista followup: Rethinking AVG
  Dwight plays around with cutting down his Vista startup times.
  (tags: Boot Performance )
• Simple guide to test Vista SP1 RC1 on a separate partition
  Long Zheng describes a nice way to test SP1 without affecting your current install.
  (tags: SP1 Partition )

Trojan.Win32.Obfuscated.gx (also know as Trojan.Win32 or Trojan.Win32.agent.akk) used to be a real virus, now fake anti-spyware software like IE Defender will display Trojan.Win32.Obfuscated.gx as their scan result to trick user to buy the fake anti-spyware program. The fake anti-spyware program usually get installed onto your PC without your permission, through Trojan, malware and virus (or you could get it by installing a fake video codec). fake anti-spyware will display the Trojan.Win32.Obfuscated.gx fake system alerts or fake security alerts to trick user to buy the Paid Version of the fake anti-spyware program.

The possible error messages are either “Your browser was hijacked by Trojan.Win32.Obfuscated.gx”, or “Your browser was hijacked by Trojan.Win32.Agent.akk”. As discussed previously, these messages are completely misleading. You can safely remove Trojan.Win32.Obfuscated.gx by following our manual removal instructions if you are familiar with regedit and dll files. Good luck!

Download SpyHunter* Spyware Detection Utility

Manual Trojan.Win32.Obfuscated.gx Removal Instructions:

Unregister Trojan.Win32.Obfuscated.gx DLL Files:
(Learn how to do this)
windivx.dll
ecxwp.dll
stream32a.dll
vipextqtr.dll

Find and Delete these Trojan.Win32.Obfuscated.gx Files:
(Learn how to do this)
windivx.dll
ecxwp.dll
stream32a.dll
vipextqtr.dll
gebca.dll
ddcdedd.dll
advpac.dll
tdlRMS.dll
lcxmehhg.dll
hdbxuqje.dll
mljge.dll
ddcbyvt.dll
advrepkon.dll
mlljh.dll
ibpmxtbv.dll
ljjhedc.dll
cabvie.dll
ddayv.dll
vkcxxfvi.dll
ssqpo.dll
ddccd.dll
sgqddvym.dll
pofwjina.dll
bkfgnqhm.dll
orkbobob.dll
tuvttrr.dll
cpwvehup.dll
enhtb.dll

Remove Trojan.Win32.Obfuscated.gx Registry Values:
(Learn how to do this)
bb5be1c92c299a1c6bcfe67655b0a0c7
9a9f57899a28547b04fc2da3700c95cf
7a329404de21925daacbbbee093ff6dc
7d4b39e4cab018496e2fe9bf9c3234b2
69c9be662f7f284aae171adeb136cb24
1bc5752bd72f44f004d9f061dd7f9e00
bcf3a381bbe26d9c1ec24bac8b18f567
1057a2dcd13130963be0a51c41dc4d1c
396955766b2e512bc3545a24bc485dbe
5f9523529ce2cac480acbda2b8bf4e1e
8266c79a434aed795a5f3f7abb0aff0d
696ce23305a35bb118afc42d58845791
7df5417b22988d88e8080a44392ade95
cbdc7b3033e82c2065a1b48061b2ca01
6d3c4dbecf4aaf1ae826a0a7edde5951
e05997f932f826f0271cf32d00bbd3be
c18c3b4771120703624baaf835feecd8
9ceecf911241c9890541167edf53739f
40613dee6ad5fec910606c25b25262fd
3ba096caa45ab117721e725079cc53a1
2982068d063848ddb0b8029750411a84
fe6e6a62a572e84e9eaee12eb3ee8a2b

Download SpyHunter* Spyware Detection Utility.

You can also download the free version of Avira Antivir to remove the spyware (update)

Trojan.Win32.Obfuscated.gx Variants: Trojan.Win32, Trojan.Win32.agent.akk and Trojan.Win32.Obfuscated.gx

Trojan.Win32.agent.akk (also know as Trojan.Win32 or Trojan.Win32.Obfuscated.gx) used to be a real virus, now fake anti-spyware software like IE Defender will display Trojan.Win32.agent.akk as their scan result to trick user to buy the fake anti-spyware program. The fake anti-spyware program usually get installed onto your PC without your permission, through Trojan, malware and virus (or you could get it by installing a fake video codec). fake anti-spyware will display the Trojan.Win32.agent.akk fake system alerts or fake security alerts to trick user to buy the Paid Version of the fake anti-spyware program.

Download SpyHunter* Spyware Detection Utility

Manual Trojan.Win32.agent.akk Removal Instructions:

Unregister Trojan.Win32.agent.akk DLL Files:
(Learn how to do this)
windivx.dll
stream32a.dll
vipextqtr.dll
ecxwp.dll

Find and Delete these Trojan.Win32.agent.akk Files:
(Learn how to do this)
windivx.dll
stream32a.dll
vipextqtr.dll
ecxwp.dll
awtqqpq.dll
tufxleqe.dll
sstts.dll
nsn2B.dll
argosqaf.dll
tuvurst.dll
pmnlk.dll
fcccdbc.dll
qbbrqqde.dll
Avipra.dll
jspubsbm.dll
bpingscm.dll
VSAdd-in.dll
blopenvtok.dll
werbetxdp.dll
werbetpql.dll
blopenvtlv.dll
wvuus.dll
xxyxxwv.dll
vtuuuuu.dll
ddabc.dll
ddccawv.dll
vipextqtr.dll
prosearchsite.dll

Remove Trojan.Win32.agent.akk Registry Values:
(Learn how to do this)
7a329404de21925daacbbbee093ff6dc
bb5be1c92c299a1c6bcfe67655b0a0c7
9a9f57899a28547b04fc2da3700c95cf
7d4b39e4cab018496e2fe9bf9c3234b2
93591057eb39ad5595a7c54dd5fd787c
e06e0cb0b3756a20f13ddb2d93169f22
03d7e175712a6eff950e451a18d9ee30
05c505be23642e3b1e47bb4ae46ceb37
92905c5ce0362c7bb9dfdb4cb43fc17f
9687aa2905b44b5408ad0a4f096c67be
5f38f4ae4b183ba77968253c0f3535ea
b63686b961dc9dfda5747a9be4c690f3
e8b5519049041fc5873011b0aead14a4
2126467f121c1ffe191bbe826b21b381
d156c98b1cb9a5cf6aff715560ecdef7
03386f07b805557af3fe10d2ae47e9da
ddc6494ca6f8a20b0a0437c943ef04bb
a7b78cdc5256e7bd5224357ff5e727a7
1992b9dd72fd15434a43763134d89c75
2482fb7608d53577a51772477bda458a
2482fb7608d53577a51772477bda458a
f51df1399d591f3b741518694f9f9345
39d36d9a908aa2073344c55fc40289fb
4aaa70b2d8990ff8c003d02c3450df58

Download SpyHunter* Spyware Detection Utility.

You can also download the free version of Avira Antivir to remove the spyware (update)

Variant: Trojan.Win32, Trojan.Win32.agent.akk and Trojan.Win32.Obfuscated.gx

A couple of people, dozen at max, have expressed interest in testing out the soon-to-be-public Windows Vista Service Pack 1 Release Candidate release. There are many ways of installing and testing operating systems and even more so service packs so it can be rather confusing and cumbersome experience for some people out there. Out of all the possibilities, I do myself and recommend everyone to always start fresh, but that doesn’t always mean from the command prompt.

Whilst release candidate will be a very good representation of the final product early next year, it still means you’ll have to forfeit this release sooner or later so it is not recommended you replace your existing Windows installation with it. Especially with all the problems people have been running into uninstalling their service pack betas which itself sounds like a really bad idea anyway, it’s ideal to set up a fresh install. And the most convenient fresh install is on a separate partition on existing disks.

Formerly the process of ’splitting’ a partition involved third-party software which is time-consuming and sometimes unreliable, however a less-known disk management function in Windows Vista will simplify all that.

Preparing your new partitions

From here, you can either install directly using the slipstreamed ISO which is the most convenient as you’ll be installing a fresh version of Windows with SP1 already embedded. Alternatively you can also install Vista RTM and apply the executable patch or Windows Update download that way.

When you’re done, packing up is even easier.

Removing your new partition and restoring your volumes

Once in a while, Windows gets into a terrible state and the Taskbar and its Start menu disappear. This is because the software that manages these, called the Windows Explorer shell, has crashed. To deal with this, without logging off and on the computer, you have to end any existing sessions of Explorer and run a new one.

To end existing Explorer sessions hold down the Ctrl and Alt keys and press the Delete key. On some versions of Windows this will open up the ‘Windows Security’ dialog box, if so then press the ‘Task Manager’ button; on other versions you will be taken straight to the ‘Task Manager’ program.

To stop the Explorer shell, go to the ‘Processes’ page and look for ‘explorer.exe’. You can sort the processes into alphabetical order by clicking on the Image Name heading. If you find an entry for ‘explorer.exe’, highlight it and click the End Process button and click Yes on the warning dialog. If you don’t find an entry for it you can go straight to the next step.

To restart the Explorer shell, click on the ‘File’ menu in Task Manager and select ‘New Task (Run…)’. This will open the Run dialog box, into which you can type ‘explorer’ and click OK. The Taskbar should now reappear.