Re: Blue screen crashes
- From: Dominiccoombe <Dominiccoombe@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 21 Dec 2007 03:24:01 -0800
This is the latest dump analysis to go with the Event Viewer
Microsoft (R) Windows Debugger Version 6.8.0004.0 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\WINDOWS\Minidump\Mini122107-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is:
srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: c:\windows\i386
Windows XP Kernel Version 2600 (Service Pack 2) MP (2 procs) Free x86
compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_gdr.070227-2254
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805624a0
Debug session time: Fri Dec 21 02:36:31.843 2007 (GMT-5)
System Uptime: 0 days 7:58:40.554
Loading Kernel Symbols
...........................................................................................................................................
Loading User Symbols
Loading unloaded module list
................
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1000008E, {c0000005, 80550320, a467aae8, 0}
Probably caused by : win32k.sys ( win32k!HeavyFreePool+bb )
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 80550320, The address that the exception occurred at
Arg3: a467aae8, Trap Frame
Arg4: 00000000
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx"
referenced memory at "0x%08lx". The memory could not be "%s".
FAULTING_IP:
nt!ExFreePoolWithTag+471
80550320 813e80000000 cmp dword ptr [esi],80h
TRAP_FRAME: a467aae8 -- (.trap 0xffffffffa467aae8)
ErrCode = 00000000
eax=ffdf0004 ebx=89bb4b80 ecx=8055c600 edx=00000060 esi=00000024 edi=00000000
eip=80550320 esp=a467ab5c ebp=a467ab90 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
nt!ExFreePoolWithTag+0x471:
80550320 813e80000000 cmp dword ptr [esi],80h
ds:0023:00000024=????????
Resetting default scope
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x8E
PROCESS_NAME: hpqste08.exe
LAST_CONTROL_TRANSFER: from bf802a9b to 80550320
STACK_TEXT:
a467ab90 bf802a9b e3b89b20 88f876c8 a467abb8 nt!ExFreePoolWithTag+0x471
a467aba0 bf80e88f e3b89b20 bf9ab0e8 e3b89b20 win32k!HeavyFreePool+0xbb
a467abb8 bf838fac e3b89b20 e3b89b20 a467abe0 win32k!HMFreeObject+0xa0
a467abc8 bf838f72 e3b89b20 e3a82430 bc513f0c
win32k!DestroyEmptyCursorObject+0x1b
a467abe0 bf84ac19 e3a82430 00000002 a467abfc win32k!_DestroyCursor+0x105
a467abf0 bf84ac01 e3b89b20 a467ac14 bf8c09a6 win32k!DestroyUnlockedCursor+0xf
a467abfc bf8c09a6 bc5127e4 8905dde0 e3b3a820
win32k!HMDestroyUnlockedObject+0x1c
a467ac14 bf8209f9 00000000 88d5fda8 00000000
win32k!DestroyProcessesObjects+0x70
a467ac3c bf819e30 00000001 a467ac64 bf819ef4 win32k!xxxDestroyThreadInfo+0x22c
a467ac48 bf819ef4 88d5fda8 00000001 00000000 win32k!UserThreadCallout+0x4b
a467ac64 8056fc07 88d5fda8 00000001 88e3f968 win32k!W32pThreadCallout+0x3d
a467acf0 8058c841 40010004 a467ad4c 804e74b8 nt!PspExitThread+0x3cc
a467acfc 804e74b8 88e3f968 a467ad48 a467ad3c nt!PsExitSpecialApc+0x22
a467ad4c 804de263 00000001 00000000 a467ad64 nt!KiDeliverApc+0x1af
a467ad4c 7df7bd1b 00000001 00000000 a467ad64 nt!Kei386EoiHelper+0x3a
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012fd34 00000000 00000000 00000000 00000000 0x7df7bd1b
STACK_COMMAND: kb
FOLLOWUP_IP:
win32k!HeavyFreePool+bb
bf802a9b 5d pop ebp
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: win32k!HeavyFreePool+bb
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: win32k
IMAGE_NAME: win32k.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 45f013f6
FAILURE_BUCKET_ID: 0x8E_win32k!HeavyFreePool+bb
BUCKET_ID: 0x8E_win32k!HeavyFreePool+bb
Followup: MachineOwner
---------
"Dominiccoombe" wrote:
All,
I did verifier and chkdsk /r which ran for about 2 hours on my 250gb HDD
reinstalled the latest version of spysweeper.
Will see how it goes.
Dom
In the meantime I will check out the malware
"Gerry" wrote:
Dominic
What Warning and Error Reports appear in Event Viewer since its
removal? Can you please post copies.
If you have had a malware infestation one holds the door open to let
its friends in.
Can you please post a copy of the latest Stop error report.
--
Hope this helps.
Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
Dominiccoombe wrote:
Gerry,
SSFS0BB8.SYS - does not exist on the machine after the uninstall of
webroot.
I will follow your spyware suggestions after I do the verifier and
chkdsk /r
Dominic
"Gerry" wrote:
Dominic
Background information on Stop Error message
http://msdn2.microsoft.com/en-us/library/ms793989.aspx
http://aumha.org/a/stop.htm
SSFS0BB8.SYS -This file concerns me as I cannot ascertain what it is
but it has often cropped up in HijackThis files where the user is
seeking to remove malware.
Can you locate the file in Windows Explorer and examine its
properties by right clicking on the file. Instructions on how to
Show hidden files are in the next paragraph.
Go to Start, Control Panel, Folder Options, View, Advanced Settings
and verify that the box before "Show hidden files and folders" is
checked and "Hide protected operating system files" is unchecked.
You may need to scroll down to see the second item. You should also
make certain that the box before "Hide extensions for known file
types" is not checked. Next in Windows Explorer make sure View,
Details is selected and then select View, Choose Details and check
before Name, Type, Total Size, and Free Space.
What are your anti-virus and anti-spyware arrangements?
http://www.elephantboycomputers.com/page2.html#Removing_Malware
I do not think it is worth pursuing other avenues of enquiry until
the situation regarding malware is clearer.
--
Hope this helps.
Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
Dominiccoombe wrote:
Gerry,
The last line of the minidump says
"Probably caused by : SSFS0BB8.SYS ( SSFS0BB8+2dd1 )"
Event Viewer
Date 12/18/07
Event Save Dump
Time 5:05:31
event id 1001
The computer has rebooted from a bugcheck. The bugcheck was:
0x0000007a (0x00000003, 0xc0000005, 0x0000005c, 0x00000000). A dump
was saved in: C:\WINDOWS\Minidump\Mini121807-01.dmp.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Does any of that help??
dominic
"Gerry" wrote:
Dominic
Something like this:
Stop 0x0000000E (0xc0000005, 0xB84B23E9, 0xB6A7894, 0xB5A786D0)
VETEFILE.SYS Address B84B23E9 Datestamp 468DE154
Examining dump files is a skilled art that few posting here are
able to undertake. Given your question I doubt you will be able to
deduce their meaning.
I suggest you also post copies of Reports from Event Viewer.
Please post copies of all Error and Warning Reports appearing in
the System and Application logs in Event Viewer for the last boot.
No Information Reports or Duplicates please. Indicate which also
appear in a previous boot.
You can access Event Viewer by selecting Start, Control Panel,
Administrative Tools, and Event Viewer. When researching the
meaning of the error, information regarding Event ID, Source and
Description are important.
A tip for posting copies of Error Reports! Run Event Viewer and
double click on the error you want to copy. In the window which
appears is a button resembling two pages. Click the button and
close Event Viewer. Now start your message (email) and do a paste
into the body of the message. Make sure this is the first paste
after exiting from Event Viewer.
--
Hope this helps.
Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
Dominiccoombe wrote:
Hi Gerry,
Thanks for your reply.
Yes I have backed up important files. do that every night but will
make an extra copy now.
I already have the automatic restart turned off.
I am not sure what info you want off the blue screen.
The last one I had said:
"a process / crucial thread to the system has unexpectedly exited
or stopped"
Can I find a place to look at the dumps? Will they help me?
Dominic
"Gerry" wrote:
Dominic
Have you backed up important data files?
Please post a copy of the Stop Error Report.
Disable automatic restart on system failure. This should help by
allowing time to write down the STOP code properly. Right click
on the My Computer icon on the Desktop and select Properties,
Advanced, Start-Up and Recovery, System Failure and uncheck box
before Automatically Restart.
Do not re-enable automatic restart on system failure until you
have resolved the problem. Check for variants of the Stop Error
message.
An alternative is to keep pressing the F8 key during Start-Up and
select option - Disable automatic restart on system failure.
If you are using a wireless keyboard and the F8 key does not work
substitute a wired keyboard and mouse for this exercise only.
--
Hope this helps.
Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
Dominiccoombe wrote:
hi all,
my xp pro machine has progressed from crashing nearly every
program and having the odd unexplained reboot to now having blue
screen crashes.
I look at the blue screen but there is nothing that stands out
as a problem.
Usually blue screens are either drivers or hardware failure.
Could someone help me through this mess.
thanks
Dominic
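
Added example, not part of the thread: the !analyze -v output at the top of this message reduced to the fields the debugger text says to note (stop code and arguments, the frame outside the kernel image, the image link date). The function names are hypothetical, and SAMPLE is a constructed excerpt of the lines posted above, including a stack row whose symbol was wrapped onto the next line.

```python
import re
from datetime import datetime, timezone

# Constructed sample: lines excerpted from the !analyze -v output posted above,
# including one stack row whose symbol wrapped onto the next line.
SAMPLE = """\
BugCheck 1000008E, {c0000005, 80550320, a467aae8, 0}
DEBUG_FLR_IMAGE_TIMESTAMP: 45f013f6
STACK_TEXT:
a467ab90 bf802a9b e3b89b20 88f876c8 a467abb8 nt!ExFreePoolWithTag+0x471
a467aba0 bf80e88f e3b89b20 bf9ab0e8 e3b89b20 win32k!HeavyFreePool+0xbb
a467abc8 bf838f72 e3b89b20 e3a82430 bc513f0c
win32k!DestroyEmptyCursorObject+0x1b
a467acf0 8058c841 40010004 a467ad4c 804e74b8 nt!PspExitThread+0x3cc
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012fd34 00000000 00000000 00000000 00000000 0x7df7bd1b
STACK_COMMAND: kb
"""

FRAME = re.compile(r"^(?:[0-9a-f]{8} ){4}[0-9a-f]{8}(?: (\S+))?$")
SYMBOL = re.compile(r"^(\w+)!(\w+)\+0x([0-9a-f]+)$")

def parse_bugcheck(text):
    """Return (stop code, [four arguments]) from the 'BugCheck' summary line."""
    m = re.search(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", text, re.M)
    return int(m.group(1), 16), [int(a, 16) for a in m.group(2).split(",")]

def stack_frames(text):
    """Return each frame's symbol, rejoining rows that were wrapped in transit."""
    body = text.split("STACK_TEXT:", 1)[1].split("STACK_COMMAND:", 1)[0]
    frames, pending = [], False
    for line in (l.strip() for l in body.strip().splitlines()):
        m = FRAME.match(line)
        if m:
            if m.group(1):
                frames.append(m.group(1))
            pending = m.group(1) is None  # symbol expected on the next line
        elif pending:
            frames.append(line)
            pending = False
    return frames

def first_frame_outside(frames, skip=("nt",)):
    """First symbolised frame whose module is not in `skip` (here the kernel)."""
    for m in filter(None, map(SYMBOL.match, frames)):
        if m.group(1) not in skip:
            return m.group(1), m.group(2), int(m.group(3), 16)
    return None

def link_date(hex_stamp):
    """Decode an image timestamp (hex seconds since 1970) as a UTC datetime."""
    return datetime.fromtimestamp(int(hex_stamp, 16), tz=timezone.utc)
```

On the sample, first_frame_outside(stack_frames(SAMPLE)) gives the same win32k!HeavyFreePool+bb frame the debugger lists under FOLLOWUP_IP.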