Blue screen crashes

Dominiccoombe

hi all,

My XP Pro machine has progressed from crashing nearly every program and
having the odd unexplained reboot to now having blue screen crashes.

I look at the blue screen but there is nothing that stands out as a problem.

Usually blue screens are either drivers or hardware failure.

Could someone help me through this mess.

thanks

Dominic
 
Gerry

Dominic

Have you backed up important data files?

Please post a copy of the Stop Error Report.

Disable automatic restart on system failure. This should help by
allowing time to write down the STOP code properly. Right click on
the My Computer icon on the Desktop and select Properties, Advanced,
Start-Up and Recovery, System Failure and uncheck box before
Automatically Restart.

Do not re-enable automatic restart on system failure until you have
resolved the problem. Check for variants of the Stop Error message.

An alternative is to keep pressing the F8 key during Start-Up and select
option - Disable automatic restart on system failure.

If you are using a wireless keyboard and the F8 key does not work
substitute a wired keyboard and mouse for this exercise only.

--



Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
Dominiccoombe

Hi Gerry,

Thanks for your reply.

Yes, I have backed up important files. I do that every night but will make an
extra copy now.

I already have the automatic restart turned off.

I am not sure what info you want off the blue screen.

The last one I had said:
"a process / crucial thread to the system has unexpectedly exited or stopped"

Can I find a place to look at the dumps? Will they help me?

Dominic
 
Gerry

Dominic

Something like this:

Stop 0x0000000E (0xc0000005, 0xB84B23E9, 0xB6A7894, 0xB5A786D0)

VETEFILE.SYS Address B84B23E9 Datestamp 468DE154

Examining dump files is a skilled art that few posting here are able to
undertake. Given your question I doubt you will be able to deduce their
meaning.

I suggest you also post copies of Reports from Event Viewer.

Please post copies of all Error and Warning Reports appearing in
the System and Application logs in Event Viewer for the last boot. No
Information Reports or Duplicates please. Indicate which also appear in
a previous boot.

You can access Event Viewer by selecting Start, Control Panel,
Administrative Tools, and Event Viewer. When researching the meaning
of the error, information regarding Event ID, Source and Description
are important.

A tip for posting copies of Error Reports! Run Event Viewer and double
click on the error you want to copy. In the window which appears is a
button resembling two pages. Click the button and close Event
Viewer. Now start your message (email) and do a paste into the body of
the message. Make sure this is the first paste after exiting from
Event Viewer.


--



Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
Dominiccoombe

Gerry,

The last line of the minidump says
"Probably caused by : SSFS0BB8.SYS ( SSFS0BB8+2dd1 )"

Event Viewer
Date 12/18/07
Event Save Dump
Time 5:05:31
event id 1001

The computer has rebooted from a bugcheck. The bugcheck was: 0x0000007a
(0x00000003, 0xc0000005, 0x0000005c, 0x00000000). A dump was saved in:
C:\WINDOWS\Minidump\Mini121807-01.dmp.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Does any of that help??

dominic
 
nass

Hi,
Please read all the info then execute:
This error indicates that a piece of data is trying to be accessed from
a bad sector or, the opposite, a piece of data tried to be written to bad
sectors on a hard drive or RAM.
So first check your hard drive and that all the drivers are verified.

Any hardware/software or updates installed recently? Please state all, if
any, in your next post.
You can use this driver verifier command:
verifier.exe click [OK]
First try to eliminate hardware, by going to Device manager and check by
expanding the Plus [+] to see all devices listed, if there is a
malfunctioning device or conflicting device it will show in Device manager.

This always refers to bad hardware or a bad driver installed.
Try the Last Known Good Configuration to log into the system, then open
Device Manager and see if there are any malfunctioning devices or conflicts in
IRQ; also look in the Event Viewer for error messages and post them back in
your next post.
Read these articles and see, but how did you get rid of the Contra?

Open a Run command and type in these commands to see if there is a conflict
in/among drivers:
pstat.exe click [OK]
dmpchck.exe click [OK]
What do you get from running these commands?

How to perform a clean boot in Windows XP
http://support.microsoft.com/?id=310353
A description of the Safe Mode Boot options in Windows XP
http://support.microsoft.com/kb/315222/en-us

Try to use the Verifier.exe command to see which drivers are not verified on
your system:
How to Use Driver Verifier to Troubleshoot Windows Drivers
http://support.microsoft.com/kb/244617/en-us

You may have bad RAM; try to test your RAM by running Memtest: download
this tool, unzip it, make a floppy or CD/DVD and run it on
reboot.
http://www.memtest86.com/
You may need to reposition/reset the RAM sticks in their slots.
After that you could do a repair install, and then test.
http://www.michaelstevenstech.com/XPrepairinstall.htm

Use the command chkdsk /r with recovery console:
http://support.microsoft.com/kb/314058
http://support.microsoft.com/kb/326215

Error Message "Stop 0x0000007A" KERNEL_DATA_INPAGE_ERROR
http://support.microsoft.com/kb/275149
Stop 0x0000007A or KERNEL_DATA_INPAGE_ERROR
http://www.microsoft.com/technet/pr...serv/reskit/prork/prhd_exe_qofl.mspx?mfr=true


Common Causes of STOP Messages 0x00000077 and 0x0000007A
http://support.microsoft.com/kb/130801

More solutions for 0x0000007A
http://search.microsoft.com/results.aspx?mkt=en-US&setlang=en-US&q=0x0000007A

This can indicate a BHO is corrupted or damaged and causing the Shell error,
so try to disable the unverified add-ons in your browser and see if that
will help.

*Click Start >> Control Panel >> Double click Network and Internet
Connections >> Double click Internet Options.
On the IE properties window you will see these tabs:
General | Security | Privacy | Content | Connections | Programs |
Advanced
Under the General tab clear your History, Internet Files and Cookies.
Then click on the Advanced tab and scroll down to under the Browsing option:
[&] Browsing
[ ] Enable Third-Party browser extensions (Req Rest) uncheck this box.
Then click on the Programs tab, click Manage Add-Ons and disable all
non-verified add-ons (you should re-enable them later one by one to find the
culprit and update it or remove it).
How to manage Add-Ons:
http://support.microsoft.com/kb/883256

Open a Notepad, customize or minimize to the taskbar as you will need it
later for this step to copy the error message on it.
Open a run command and type in:
eventvwr.msc click [OK] you will get the Event viewer control Panel.
click on each of these:
Application
System
Security
Look in the right Pane/window for error message with red (X) or Yellow
exclamation mark /!\ , double click each one to get more info about the
causer.
On the Event error properties message you will see:
Up Arrow
Down arrow
Two pages
Click on the two pages to copy the error message then bring up the Notepad
you opened earlier and right click on the first line and select Paste from
the list, this will paste the error message on a Notepad.
Please don't duplicate the error message one of each kind will be sufficient.
HOW TO: View and Manage Event Logs in Event Viewer in Windows XP
http://support.microsoft.com/kb/308427/en-us

Please we need just the error messages with Red (X) and don't repeat the
error, just one of each kind and post them back in your next post.

== SSFS0BB8.SYS is for Webroot; do you have Webroot installed? If you do,
try to uninstall it, then run Disk Cleanup and reinstall it again. Does
it help?

HTH.
nass
 
Gerry

Dominic

Background information on Stop Error message
http://msdn2.microsoft.com/en-us/library/ms793989.aspx

http://aumha.org/a/stop.htm

SSFS0BB8.SYS - This file concerns me as I cannot ascertain what it is
but it has often cropped up in HijackThis files where the user is
seeking to remove malware.

Can you locate the file in Windows Explorer and examine its properties
by right clicking on the file. Instructions on how to Show hidden files
are in the next paragraph.

Go to Start, Control Panel, Folder Options, View, Advanced Settings and
verify that the box before "Show hidden files and folders" is checked
and "Hide protected operating system files " is unchecked. You may need
to scroll down to see the second item. You should also make certain that
the box before "Hide extensions for known file types" is not checked.
Next in Windows Explorer make sure View, Details is selected and then
select View, Choose Details and check before Name, Type, Total Size, and
Free Space.


What are your anti-virus and anti-spyware arrangements?
http://www.elephantboycomputers.com/page2.html#Removing_Malware

I do not think it is worth pursuing other avenues of enquiry until
the situation regarding malware is clearer.

--



Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
Dominiccoombe

Yes I do have webroot installed.

I will work my way through all the suggestions.

Dominic

 
nass

Dominiccoombe said:
Yes I do have webroot installed.

I will work my way through all the suggestions.

Dominic

Hi Dominic,
If you will go ahead, try the easiest first, which is:
Use the Verifier command, then the Chkdsk /r command, and reboot your system,
monitor the activities, any good?

Test the RAM with memtest, then uninstall Webroot, run Disk Cleanup
and reinstall Webroot after that and update its definitions.
If you still can, please tell us what your anti-virus and anti-malware
arrangements are, how many security programs you are running and whether they
are up to date and current.
 
Dominiccoombe

Morning,

I ran memtest+ all night and no crash or errors reported.

I skipped a few stages this morning and tried to uninstall webroot, and as
soon as I did the machine blue screened. I am now going to have to make sure
the uninstall finished, then will do verifier and the chkdsk /r.

I run avast home edition free anti virus. Other than that I run webroot
spyware and cloudmark anti spam. All recent updates are applied to these
programs.
 
Gerry

Dominic

SSFS0BB8.SYS - This file concerns me as I cannot ascertain what it is
but it has often cropped up in HijackThis files where the user is
seeking to remove malware.

Can you locate the file in Windows Explorer and examine its properties
by right clicking on the file. Instructions on how to Show hidden files
are in the next paragraph. What does it tell you?

Go to Start, Control Panel, Folder Options, View, Advanced Settings and
verify that the box before "Show hidden files and folders" is checked
and "Hide protected operating system files " is unchecked. You may need
to scroll down to see the second item. You should also make certain that
the box before "Hide extensions for known file types" is not checked.
Next in Windows Explorer make sure View, Details is selected and then
select View, Choose Details and check before Name, Type, Total Size, and
Free Space.


--



Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
Dominiccoombe

Gerry,

SSFS0BB8.SYS - does not exist on the machine after the uninstall of webroot.


I will follow your spyware suggestions after I do the verifier and chkdsk /r

Dominic
 
Gerry

Dominic

What Warning and Error Reports appear in Event Viewer since its
removal? Can you please post copies.

If you have had a malware infestation one holds the door open to let
its friends in.

Can you please post a copy of the latest Stop error report.


--



Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
Dominiccoombe

All,

I did verifier and chkdsk /r, which ran for about 2 hours on my 250 GB HDD.

Reinstalled the latest version of spysweeper.

Will see how it goes.

Dom

In the meantime I will check out the malware.
 
Gerry

That's great Dominic.



~~~~


Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
Dominiccoombe

Hi all,

Came home and found it had crashed again.

I have removed webroot spyware and have stopped a number of processes from
running at startup.

Apart from the malware which I should do today I am lost what to do.

Dominic
 
Gerry

Dominic

Always post copies of Error Reports!

Please post copies of all Error and Warning Reports appearing in
the System and Application logs in Event Viewer for the last boot. No
Information Reports or Duplicates please. Indicate which also appear in
a previous boot.

You can access Event Viewer by selecting Start, Control Panel,
Administrative Tools, and Event Viewer. When researching the meaning
of the error, information regarding Event ID, Source and Description
are important.

A tip for posting copies of Error Reports! Run Event Viewer and double
click on the error you want to copy. In the window which appears is a
button resembling two pages. Click the button and close Event
Viewer. Now start your message (email) and do a paste into the body of
the message. Make sure this is the first paste after exiting from
Event Viewer.

--



Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
Dominiccoombe

Gerry,

There are no errors or warnings in the event viewer for application or system.

The only thing I could find was an information event, included below.

Event Type: Information
Event Source: Service Control Manager
Event Category: None
Event ID: 7036
Date: 12/21/2007
Time: 12:56:44 AM
User: N/A
Computer: CUSTOM
Description:
The Pml Driver HPZ12 service entered the stopped state.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Thanks for the tip on copying event viewer to the paste buffer

Dom
 
Dominiccoombe

This is the latest dump analysis to go with the event viewer.


Microsoft (R) Windows Debugger Version 6.8.0004.0 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini122107-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is:
srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: c:\windows\i386
Windows XP Kernel Version 2600 (Service Pack 2) MP (2 procs) Free x86
compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_gdr.070227-2254
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805624a0
Debug session time: Fri Dec 21 02:36:31.843 2007 (GMT-5)
System Uptime: 0 days 7:58:40.554
Loading Kernel Symbols
...........................................................................................................................................
Loading User Symbols
Loading unloaded module list
................
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000008E, {c0000005, 80550320, a467aae8, 0}



Probably caused by : win32k.sys ( win32k!HeavyFreePool+bb )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 80550320, The address that the exception occurred at
Arg3: a467aae8, Trap Frame
Arg4: 00000000

Debugging Details:
------------------




EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx"
referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
nt!ExFreePoolWithTag+471
80550320 813e80000000 cmp dword ptr [esi],80h

TRAP_FRAME: a467aae8 -- (.trap 0xffffffffa467aae8)
ErrCode = 00000000
eax=ffdf0004 ebx=89bb4b80 ecx=8055c600 edx=00000060 esi=00000024 edi=00000000
eip=80550320 esp=a467ab5c ebp=a467ab90 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
nt!ExFreePoolWithTag+0x471:
80550320 813e80000000 cmp dword ptr [esi],80h
ds:0023:00000024=????????
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x8E

PROCESS_NAME: hpqste08.exe

LAST_CONTROL_TRANSFER: from bf802a9b to 80550320

STACK_TEXT:
a467ab90 bf802a9b e3b89b20 88f876c8 a467abb8 nt!ExFreePoolWithTag+0x471
a467aba0 bf80e88f e3b89b20 bf9ab0e8 e3b89b20 win32k!HeavyFreePool+0xbb
a467abb8 bf838fac e3b89b20 e3b89b20 a467abe0 win32k!HMFreeObject+0xa0
a467abc8 bf838f72 e3b89b20 e3a82430 bc513f0c win32k!DestroyEmptyCursorObject+0x1b
a467abe0 bf84ac19 e3a82430 00000002 a467abfc win32k!_DestroyCursor+0x105
a467abf0 bf84ac01 e3b89b20 a467ac14 bf8c09a6 win32k!DestroyUnlockedCursor+0xf
a467abfc bf8c09a6 bc5127e4 8905dde0 e3b3a820 win32k!HMDestroyUnlockedObject+0x1c
a467ac14 bf8209f9 00000000 88d5fda8 00000000 win32k!DestroyProcessesObjects+0x70
a467ac3c bf819e30 00000001 a467ac64 bf819ef4 win32k!xxxDestroyThreadInfo+0x22c
a467ac48 bf819ef4 88d5fda8 00000001 00000000 win32k!UserThreadCallout+0x4b
a467ac64 8056fc07 88d5fda8 00000001 88e3f968 win32k!W32pThreadCallout+0x3d
a467acf0 8058c841 40010004 a467ad4c 804e74b8 nt!PspExitThread+0x3cc
a467acfc 804e74b8 88e3f968 a467ad48 a467ad3c nt!PsExitSpecialApc+0x22
a467ad4c 804de263 00000001 00000000 a467ad64 nt!KiDeliverApc+0x1af
a467ad4c 7df7bd1b 00000001 00000000 a467ad64 nt!Kei386EoiHelper+0x3a
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012fd34 00000000 00000000 00000000 00000000 0x7df7bd1b


STACK_COMMAND: kb

FOLLOWUP_IP:
win32k!HeavyFreePool+bb
bf802a9b 5d pop ebp

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: win32k!HeavyFreePool+bb

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: win32k

IMAGE_NAME: win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 45f013f6

FAILURE_BUCKET_ID: 0x8E_win32k!HeavyFreePool+bb

BUCKET_ID: 0x8E_win32k!HeavyFreePool+bb

Followup: MachineOwner
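
An added example, not part of any post in this thread: a small Python parser that pulls the triage fields out of the Event ID 1001 text and the WinDbg output posted above, then compares the two crashes. The stop-code table covers only the codes named in this thread, and the `OS_MODULES` set and the function names are assumptions made for the example.

```python
import re

# Stop codes named in this thread only; not a complete table.
BUGCHECK_NAMES = {0x7A: "KERNEL_DATA_INPAGE_ERROR",
                  0x8E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED"}
NTSTATUS_NAMES = {0xC0000005: "STATUS_ACCESS_VIOLATION"}
# Assumption: modules treated as Windows components when scanning the stack.
OS_MODULES = {"nt", "win32k", "hal"}

EVENT_RE = re.compile(r"bugcheck was:\s*0x([0-9a-f]+)\s*\(([^)]*)\)", re.I)
WINDBG_RE = re.compile(r"BugCheck\s+([0-9a-f]+),\s*\{([^}]*)\}", re.I)
CAUSE_RE = re.compile(r"Probably caused by\s*:\s*(\S+)")
PROC_RE = re.compile(r"PROCESS_NAME:\s*(\S+)")
FRAME_RE = re.compile(r"\b(\w+)!\w+\+0x[0-9a-f]+", re.I)


def parse_report(text):
    """Extract triage fields from an Event ID 1001 message or WinDbg output."""
    m = EVENT_RE.search(text) or WINDBG_RE.search(text)
    if m is None:
        return None
    code = int(m.group(1), 16)
    args = [int(a, 16) for a in re.split(r"[,\s]+", m.group(2).strip()) if a]
    base = code & ~0x10000000  # 0x1000008E is the minidump ("_M") form of 0x8E
    cause = CAUSE_RE.search(text)
    proc = PROC_RE.search(text)
    modules = list(dict.fromkeys(FRAME_RE.findall(text)))  # ordered, unique
    return {
        "code": base,
        "name": BUGCHECK_NAMES.get(base, "unknown"),
        "args": args,
        "status": next((NTSTATUS_NAMES[a] for a in args
                        if a in NTSTATUS_NAMES), None),
        "blamed": cause.group(1) if cause else None,
        "process": proc.group(1) if proc else None,
        "third_party": [x for x in modules if x.lower() not in OS_MODULES],
    }


def compare(reports):
    """Report whether successive crashes agree on stop code and blamed module."""
    codes = sorted({r["code"] for r in reports})
    blamed = sorted({r["blamed"].lower() for r in reports if r["blamed"]})
    return {"same_code": len(codes) == 1, "same_module": len(blamed) == 1,
            "codes": codes, "blamed": blamed}


# Sample text excerpted from the posts above (18 Dec event and minidump line).
CRASH_1 = r"""The computer has rebooted from a bugcheck. The bugcheck was: 0x0000007a
(0x00000003, 0xc0000005, 0x0000005c, 0x00000000). A dump was saved in:
C:\WINDOWS\Minidump\Mini121807-01.dmp.
Probably caused by : SSFS0BB8.SYS ( SSFS0BB8+2dd1 )"""

# Sample text excerpted from the 21 Dec WinDbg output above (stack shortened).
CRASH_2 = """BugCheck 1000008E, {c0000005, 80550320, a467aae8, 0}
Probably caused by : win32k.sys ( win32k!HeavyFreePool+bb )
PROCESS_NAME: hpqste08.exe
a467ab90 bf802a9b e3b89b20 88f876c8 a467abb8 nt!ExFreePoolWithTag+0x471
a467aba0 bf80e88f e3b89b20 bf9ab0e8 e3b89b20 win32k!HeavyFreePool+0xbb
a467acf0 8058c841 40010004 a467ad4c 804e74b8 nt!PspExitThread+0x3cc"""

if __name__ == "__main__":
    parsed = [parse_report(CRASH_1), parse_report(CRASH_2)]
    for r in parsed:
        print(hex(r["code"]), r["name"], r["status"], r["blamed"], r["process"])
    print(compare(parsed))
```

On the two crashes posted in the thread, the stop code and the blamed module both differ between the first and second report, and no module outside the assumed Windows set appears in the second stack.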
 
