Strange Blue Screen

Claudia · #1 (**permalink**) 05-02-2005, 12:15 AM

I am quite unexperienced with complicated computer problems, that's why I am asking for your help

Basically, I often get blue screens, with various error stop messages...sometimes they are starting with 0x000000A, other times they are 0x00000C5 or D1...I had this problem once in the past too and by reinstalling the Firewall I got rid of it.

My blue screen appears either when I run Nod32, either when I ask the PC to do two processes or more at one time (like read email and open some other program)...or simply without a logical explaination .

On this blue screen appears IRQL_NOT_LESS_OR_EQUAL...is that what you wanted to know? Because the numbers after STOP ERROR are different each time, as I said: 0x0A, or 0xC5, 0xD1, 0x7F...God knows why they change if the cause is the same...
I tried to run my Nod32 antivirus to check for viruses and it always gives the Blue Screen during this procedure, so I don't know what the outcome of the scan would be. Neither can I can my PC online because the Blue Screen appears in the middle of that scan too.

Anyway, I suspect that it may have something to do with an external intervention upon my PC...I mean this thing started just yesterday when I allowed (by mistake) the firewall to let the Windows Messenger (which I DIDN'T REQUEST OPENING, it opened itself out of the blue!!! ) out. When I realized this, I blocked it from the firewall and even reinstalled the firewall, but the problem won't go...

Hmmm...could it also have to do with heating? My components are quite crowded in there, but on the other hand...they've been until now as well and there was no trouble with that...only after the Messenger little trick it all started.

Logfile of HijackThis v1.99.0
Scan saved at 12:14:11, on 04.02.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\YHsmiles\YHsmiles.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Eset\nod32krn.exe
C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
C:\Program Files\Advanced Registry Doctor\RegManServ.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /waitservice
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [YHsmiles] C:\Program Files\YHsmiles\YHsmiles.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1102799206501
O17 - HKLM\System\CCS\Services\Tcpip\..\{7BE69A06-2016-4D8D-842B-1167867DA1C9}: NameServer = 80.96.70.1,80.96.70.2
O23 - Service: NOD32 Kernel Service - Unknown - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Outpost Firewall Service - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
O23 - Service: Registry Management Service - Unknown - C:\Program Files\Advanced Registry Doctor\RegManServ.exe

owen · #2 (**permalink**) 05-02-2005, 08:18 PM

Do you know what YHsmiles is, its in your log. I can't find any reference to it.

If you don't know what it is:

Close all browser windows, restart Hijack This and put a checkmark next to the following entries:

O4 - HKCU\..\Run: [YHsmiles] C:\Program Files\YHsmiles\YHsmiles.exe

Click Fix Checked

Then boot into Safe Mode and ensure that you are showing Hidden Files and Folders.

Delete the following files and folders:
C:\Program Files\YHsmiles

Reboot and post a fresh log

Are you running Outpost Pro or Outpost Free? When I run Outpost Free on XP, I had constand issues with Blue Screens and errors when shutting down and starting up and at odd occasions.

Claudia · #3 (**permalink**) 07-02-2005, 10:11 AM

No, YHSmiles are perfectly harmless, it's a program that adds some smileys to the yahoo messenger.

And the firewall is Outpost Pro, so I am sure it's ok...I suspect that it is a virus the whole story...but I can't take it out since I can't even scan my PC.

Another strange thing is that the error on the blue screen changes every time...once it's IRQL_NOT_LESS_OR_EQUAL, other times is NO_MORE_IRP_STACK_LOCATIONS, or PAGE_FAULT_IN_NON_PAGED_AREA, and also the number after STOP ERROR is always different...

By the way, I noticed that no matter how I scan for viruses (meaning online scan or Nod32) it works until it get to scaning the Windows files. There, exactly there, it always crashes...is that a confirmation of the fact that it is a virus?? Is there a virus that could pretend to be Windows Messenger and enter my PC like this? Because I did allow the windows messenger to open BY MISTAKE just the day before this whole misery started, as I said in my first post too.

owen · #4 (**permalink**) 07-02-2005, 11:42 PM

There are no viral processes in your Windows Running Processes.

Viruses can do a whole matter of things (or spyware). They can be made to mimic other programs, trick the user, shut down programs, shut down your PC and other annoyances. I'm not sure I've heard of one that disguises itself as Windows Messenger.

Have you tried running a scan in Safe Mode?

Claudia · #5 (**permalink**) 08-02-2005, 11:57 AM

I did try to scan in safe mode too, but it still shows the blue screen during this. Jephree told me to scan disk and post a fresh new log after this here. Which I am now doing:

Logfile of HijackThis v1.99.0
Scan saved at 12:53:31, on 08.02.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\YHsmiles\YHsmiles.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Eset\nod32krn.exe
C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
C:\Program Files\Advanced Registry Doctor\RegManServ.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Private kits\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /waitservice
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [YHsmiles] C:\Program Files\YHsmiles\YHsmiles.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1\TRASH.EXE (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1102799206501
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7BE69A06-2016-4D8D-842B-1167867DA1C9}: NameServer = 80.96.70.1,80.96.70.2
O23 - Service: NOD32 Kernel Service - Unknown - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Outpost Firewall Service - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
O23 - Service: Registry Management Service - Unknown - C:\Program Files\Advanced Registry Doctor\RegManServ.exe

Thank you for your time

Claudia.

owen · #6 (**permalink**) 09-02-2005, 10:19 PM

Theres is nothing in there that I can suggest for removal, perfectly clean log.

DJDK · #7 (**permalink**) 10-03-2005, 10:29 PM

there is a known blue screen problem with outpost

owen · #8 (**permalink**) 10-03-2005, 11:36 PM

I agree with DK, I mentioned this earlier.

DJDK · #9 (**permalink**) 11-03-2005, 12:08 AM

sorry i didnt read that