This is the latest dump analysis to go with the Event Viewer
Microsoft (R) Windows Debugger Version 6.8.0004.0 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\WINDOWS\Minidump\Mini122107-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: c:\windows\i386
Windows XP Kernel Version 2600 (Service Pack 2) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_gdr.070227-2254
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805624a0
Debug session time: Fri Dec 21 02:36:31.843 2007 (GMT-5)
System Uptime: 0 days 7:58:40.554
Loading Kernel Symbols
...........................................................................................................................................
Loading User Symbols
Loading unloaded module list
................
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1000008E, {c0000005, 80550320, a467aae8, 0}
Probably caused by : win32k.sys ( win32k!HeavyFreePool+bb )
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 80550320, The address that the exception occurred at
Arg3: a467aae8, Trap Frame
Arg4: 00000000
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx"
referenced memory at "0x%08lx". The memory could not be "%s".
FAULTING_IP:
nt!ExFreePoolWithTag+471
80550320 813e80000000 cmp dword ptr [esi],80h
TRAP_FRAME: a467aae8 -- (.trap 0xffffffffa467aae8)
ErrCode = 00000000
eax=ffdf0004 ebx=89bb4b80 ecx=8055c600 edx=00000060 esi=00000024 edi=00000000
eip=80550320 esp=a467ab5c ebp=a467ab90 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
nt!ExFreePoolWithTag+0x471:
80550320 813e80000000 cmp dword ptr [esi],80h
ds:0023:00000024=????????
Resetting default scope
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x8E
PROCESS_NAME: hpqste08.exe
LAST_CONTROL_TRANSFER: from bf802a9b to 80550320
STACK_TEXT:
a467ab90 bf802a9b e3b89b20 88f876c8 a467abb8 nt!ExFreePoolWithTag+0x471
a467aba0 bf80e88f e3b89b20 bf9ab0e8 e3b89b20 win32k!HeavyFreePool+0xbb
a467abb8 bf838fac e3b89b20 e3b89b20 a467abe0 win32k!HMFreeObject+0xa0
a467abc8 bf838f72 e3b89b20 e3a82430 bc513f0c win32k!DestroyEmptyCursorObject+0x1b
a467abe0 bf84ac19 e3a82430 00000002 a467abfc win32k!_DestroyCursor+0x105
a467abf0 bf84ac01 e3b89b20 a467ac14 bf8c09a6 win32k!DestroyUnlockedCursor+0xf
a467abfc bf8c09a6 bc5127e4 8905dde0 e3b3a820 win32k!HMDestroyUnlockedObject+0x1c
a467ac14 bf8209f9 00000000 88d5fda8 00000000 win32k!DestroyProcessesObjects+0x70
a467ac3c bf819e30 00000001 a467ac64 bf819ef4 win32k!xxxDestroyThreadInfo+0x22c
a467ac48 bf819ef4 88d5fda8 00000001 00000000 win32k!UserThreadCallout+0x4b
a467ac64 8056fc07 88d5fda8 00000001 88e3f968 win32k!W32pThreadCallout+0x3d
a467acf0 8058c841 40010004 a467ad4c 804e74b8 nt!PspExitThread+0x3cc
a467acfc 804e74b8 88e3f968 a467ad48 a467ad3c nt!PsExitSpecialApc+0x22
a467ad4c 804de263 00000001 00000000 a467ad64 nt!KiDeliverApc+0x1af
a467ad4c 7df7bd1b 00000001 00000000 a467ad64 nt!Kei386EoiHelper+0x3a
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012fd34 00000000 00000000 00000000 00000000 0x7df7bd1b
STACK_COMMAND: kb
FOLLOWUP_IP:
win32k!HeavyFreePool+bb
bf802a9b 5d pop ebp
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: win32k!HeavyFreePool+bb
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: win32k
IMAGE_NAME: win32k.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 45f013f6
FAILURE_BUCKET_ID: 0x8E_win32k!HeavyFreePool+bb
BUCKET_ID: 0x8E_win32k!HeavyFreePool+bb
Followup: MachineOwner
---------
"Dominiccoombe" wrote:
> All,
>
> I did verifier and chkdsk /r, which ran for about 2 hours on my 250GB HDD
>
> reinstalled the latest version of spysweeper.
>
> Will see how it goes.
>
> Dom
>
> in meantime I will check out the malware
>
> "Gerry" wrote:
>
> > Dominic
> >
> > What Warning and Error Reports appear in Event Viewer since its
> > removal? Can you please post copies.
> >
> > If you have had a malware infestation, one holds the door open to let
> > its friends in.
> >
> > Can you please post a copy of the latest Stop error report.
> >
> >
> > --
> >
> >
> >
> > Hope this helps.
> >
> > Gerry
> > ~~~~
> > FCA
> > Stourport, England
> > Enquire, plan and execute
> > ~~~~~~~~~~~~~~~~~~~
> >
> >
> >
> > Dominiccoombe wrote:
> > > Gerry,
> > >
> > > SSFS0BB8.SYS - does not exist on the machine after the uninstall of
> > > webroot.
> > >
> > >
> > > I will follow your spyware suggestions after I do the verifier and
> > > chkdsk /r
> > >
> > > Dominic
> > >
> > > "Gerry" wrote:
> > >
> > >> Dominic
> > >>
> > >> Background information on Stop Error message
> > >> http://msdn2.microsoft.com/en-us/library/ms793989.aspx
> > >>
> > >> http://aumha.org/a/stop.htm
> > >>
> > >> SSFS0BB8.SYS -This file concerns me as I cannot ascertain what it is
> > >> but it has often cropped up in HijackThis files where the user is
> > >> seeking to remove malware.
> > >>
> > >> Can you locate the file in Windows Explorer and examine its
> > >> properties by right clicking on the file. Instructions on how to
> > >> Show hidden files are in the next paragraph.
> > >>
> > >> Go to Start, Control Panel, Folder Options, View, Advanced Settings
> > >> and verify that the box before "Show hidden files and folders" is
> > >> checked and "Hide protected operating system files " is unchecked.
> > >> You may need to scroll down to see the second item. You should also
> > >> make certain that the box before "Hide extensions for known file
> > >> types" is not checked. Next in Windows Explorer make sure View,
> > >> Details is selected and then select View, Choose Details and check
> > >> before Name, Type, Total Size, and Free Space.
> > >>
> > >>
> > >> What are your anti-virus and anti-spyware arrangements?
> > >> http://www.elephantboycomputers.com/page2.html#Removing_Malware
> > >>
> > >> I do not think it is worth pursuing other avenues of enquiry until
> > >> the situation regarding malware is clearer.
> > >>
> > >>
> > >> Dominiccoombe wrote:
> > >>> Gerry,
> > >>>
> > >>> The last line of the minidump says
> > >>> "Probably caused by : SSFS0BB8.SYS ( SSFS0BB8+2dd1 )"
> > >>>
> > >>> Event Viewer
> > >>> Date 12/18/07
> > >>> Event Save Dump
> > >>> Time 5:05:31
> > >>> event id 1001
> > >>>
> > >>> The computer has rebooted from a bugcheck. The bugcheck was:
> > >>> 0x0000007a (0x00000003, 0xc0000005, 0x0000005c, 0x00000000). A dump
> > >>> was saved in: C:\WINDOWS\Minidump\Mini121807-01.dmp.
> > >>>
> > >>> For more information, see Help and Support Center at
> > >>> http://go.microsoft.com/fwlink/events.asp.
> > >>>
> > >>> Does any of that help??
> > >>>
> > >>> dominic
> > >>>
> > >>> "Gerry" wrote:
> > >>>
> > >>>> Dominic
> > >>>>
> > >>>> Something like this:
> > >>>>
> > >>>> Stop 0x0000000E (0xc0000005, 0xB84B23E9, 0xB6A7894, 0xB5A786D0)
> > >>>>
> > >>>> VETEFILE.SYS Address B84B23E9 Datestamp 468DE154
> > >>>>
> > >>>> Examining dump files is a skilled art that few posting here are
> > >>>> able to undertake. Given your question I doubt you will be able to
> > >>>> deduce their meaning.
> > >>>>
> > >>>> I suggest you also post copies of Reports from Event Viewer.
> > >>>>
> > >>>> Please post copies of all Error and Warning Reports appearing in
> > >>>> the System and Application logs in Event Viewer for the last boot.
> > >>>> No Information Reports or Duplicates please. Indicate which also
> > >>>> appear in a previous boot.
> > >>>>
> > >>>> You can access Event Viewer by selecting Start, Control Panel,
> > >>>> Administrative Tools, and Event Viewer. When researching the
> > >>>> meaning of the error, information regarding Event ID, Source and
> > >>>> Description are important.
> > >>>>
> > >>>> A tip for posting copies of Error Reports! Run Event Viewer and
> > >>>> double click on the error you want to copy. In the window, which
> > >>>> appears is a button resembling two pages. Click the button and
> > >>>> close Event Viewer. Now start your message (email) and do a paste
> > >>>> into the body of the message. Make sure this is the first paste
> > >>>> after exiting from Event Viewer.
> > >>>>
> > >>>>
> > >>>>
> > >>>>
> > >>>> Dominiccoombe wrote:
> > >>>>> Hi Gerry,
> > >>>>>
> > >>>>> Thanks for your reply.
> > >>>>>
> > >>>>> Yes, I have backed up important files. I do that every night but will
> > >>>>> make an extra copy now.
> > >>>>>
> > >>>>> I already have the automatic restart turned off.
> > >>>>>
> > >>>>> I am not sure what info you want off the blue screen.
> > >>>>>
> > >>>>> The last one I had said:
> > >>>>> "a process / crucial thread to the system has unexpectedly exited
> > >>>>> or stopped"
> > >>>>>
> > >>>>> Can I find a place to look at the dumps? Will they help me?
> > >>>>>
> > >>>>> Dominic
> > >>>>> "Gerry" wrote:
> > >>>>>
> > >>>>>> Dominic
> > >>>>>>
> > >>>>>> Have you backed up important data files?
> > >>>>>>
> > >>>>>> Please post a copy of the Stop Error Report.
> > >>>>>>
> > >>>>>> Disable automatic restart on system failure. This should help by
> > >>>>>> allowing time to write down the STOP code properly. Right click
> > >>>>>> on the My Computer icon on the Desktop and select Properties,
> > >>>>>> Advanced, Start-Up and Recovery, System Failure and uncheck box
> > >>>>>> before Automatically Restart.
> > >>>>>>
> > >>>>>> Do not re-enable automatic restart on system failure until you
> > >>>>>> have resolved the problem. Check for variants of the Stop Error
> > >>>>>> message.
> > >>>>>>
> > >>>>>> An alternative is to keep pressing the F8 key during Start-Up and
> > >>>>>> select option - Disable automatic restart on system failure.
> > >>>>>>
> > >>>>>> If you are using a wireless keyboard and the F8 key does not work
> > >>>>>> substitute a wired keyboard and mouse for this exercise only.
> > >>>>>>
> > >>>>>>
> > >>>>>> Dominiccoombe wrote:
> > >>>>>>> hi all,
> > >>>>>>>
> > >>>>>>> my xp pro machine has progressed from crashing nearly every
> > >>>>>>> program and having the odd unexplained reboot to now having blue
> > >>>>>>> screen crashes.
> > >>>>>>>
> > >>>>>>> I look at the blue screen but there is nothing that stands out
> > >>>>>>> as a problem.
> > >>>>>>>
> > >>>>>>> Usually blue screens are either drivers or hardware failure.
> > >>>>>>>
> > >>>>>>> Could someone help me through this mess.
> > >>>>>>>
> > >>>>>>> thanks
> > >>>>>>>
> > >>>>>>> Dominic
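Gerry asks for the Stop code, the blamed module and whether the same ones recur across boots. The script below is an added example, not part of this thread: it pulls the bugcheck code and arguments out of both a WinDbg "BugCheck" line and an Event ID 1001 description, lists the symbolised STACK_TEXT frames, and applies the same followup heuristic WinDbg used above (first frame that is not nt itself, SYMBOL_STACK_INDEX 1 pointing at win32k). The sample text is abbreviated from the dump and event quoted in the thread.

```python
import re
from collections import Counter

# Constructed samples, abbreviated from the WinDbg output and the Event ID 1001
# description posted in this thread.
ANALYZE_OUTPUT = """\
BugCheck 1000008E, {c0000005, 80550320, a467aae8, 0}
PROCESS_NAME: hpqste08.exe
STACK_TEXT:
a467ab90 bf802a9b e3b89b20 88f876c8 a467abb8 nt!ExFreePoolWithTag+0x471
a467aba0 bf80e88f e3b89b20 bf9ab0e8 e3b89b20 win32k!HeavyFreePool+0xbb
a467abb8 bf838fac e3b89b20 e3b89b20 a467abe0 win32k!HMFreeObject+0xa0
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012fd34 00000000 00000000 00000000 00000000 0x7df7bd1b
STACK_COMMAND: kb
"""
EVENT_1001 = ("The computer has rebooted from a bugcheck. The bugcheck was: "
              "0x0000007a (0x00000003, 0xc0000005, 0x0000005c, 0x00000000). "
              "A dump was saved in: C:\\WINDOWS\\Minidump\\Mini121807-01.dmp.")

# Both formats carry the code and four arguments: hex with or without 0x,
# inside braces (WinDbg) or parentheses (event log).
BUGCHECK_RE = re.compile(
    r"(?:BugCheck|bugcheck was:)\s*(?:0x)?([0-9a-fA-F]+),?\s*[{(]\s*([^})]*)[})]")
# A symbolised frame: five 8-digit hex columns then module!function+0xoffset.
FRAME_RE = re.compile(r"^(?:[0-9a-f]{8}\s+){5}(\w+)!(\w+)\+0x([0-9a-f]+)$", re.M)


def parse_bugcheck(text):
    """Return (code, [arg1..arg4]) as ints, or None if no bugcheck line is found."""
    m = BUGCHECK_RE.search(text)
    if not m:
        return None
    return int(m.group(1), 16), [int(a.strip(), 16) for a in m.group(2).split(",")]


def parse_frames(text):
    """(module, function, offset) for each symbolised STACK_TEXT frame; the
    unsymbolised frames after the 'Frame IP not in any known module' line are skipped."""
    return [(mod, fn, int(off, 16)) for mod, fn, off in FRAME_RE.findall(text)]


def blamed_module(frames, kernel=("nt",)):
    """WinDbg's followup choice as seen in the dump: first frame outside the kernel image."""
    return next((mod for mod, _, _ in frames if mod not in kernel),
                frames[0][0] if frames else None)


def triage(text):
    parsed = parse_bugcheck(text)
    if parsed is None:
        return None
    code, args = parsed
    frames = parse_frames(text)
    stop = code & 0xFFFF  # BUGCHECK_STR above reports 1000008E as 0x8E
    return {"code": stop,
            "access_violation": stop == 0x8E and args[0] == 0xC0000005,  # Arg1 of 0x8E
            "blamed": blamed_module(frames),
            "modules": Counter(mod for mod, _, _ in frames)}
```

Running it over the output of several minidumps shows whether the blamed module is stable (here the earlier dump named SSFS0BB8.SYS and this one names win32k), which is the recurrence question Gerry is asking.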