Re: ATTN: Roger Abell [MVP] Re: Microsoft Security Bulletin MS03-017


Gerry Hickman
December 5th 03, 08:12 PM
Hi LostOne,

> But what if I had just received/loaded/downloaded the malicious file
> while I was still using v8, immediately before upgrading to WMP9?
> Wouldn't the malicious code still be somewhere on my computer?

Quite possible, but whether it's (in any way) related to getting blue
screens is another matter...

> Please do not take offense, or think I am being a smartass. I
> absolutely respect your technical expertise. But...
>
> I really cannot understand most of what you just said, and what I do
> understand has not led me to a solution.

He's explaining what causes blue screens, and appears to understand it
better than most PSS staff!

> By "blue screen traceback" do you mean the response from Microsoft to
> the error report?

No, I think he means dumping the memory to disk, and loading it up in a
debugger and then looking at the assembly code! Lots of fun, but perhaps
not practical in your own situation:)

> That is very generic, and not in any way helpful. It
> just says it is likely a driver problem,

I agree with you here. Some of these KB articles are very silly; it's
not that what they say is incorrect, but they are designed to be as
unhelpful as possible in cases where the "solution" is simply too
horrible and complicated to contemplate.

It's still worth writing down all the numbers and text, and doing a KB
search though or posting on the "hardware" newsgroup for your O/S. Check
your event logs too for any other errors - they may be related.

It's quite rare for "malicious code" to cause blue screens, as the
people who write the code are far too good at their job to allow that to
happen - they tend to have a solid understanding of the kernel level.

--
Gerry Hickman (London UK)

Gerry Hickman
December 5th 03, 08:14 PM
LostOne wrote:
> When I have these blue screens, the only way I can get out is to power
> down, then power up again. (Is there any way to either print, or
> save the contents of the blue screen?)

There used to be some special software to print them out, and some info
is in the event log, but personally I just use pen and paper. You only
need the top half of the screen, you don't need the list of processes
very often, although they may be useful once you've got the driver name.

> I cannot say with certainty, (without causing another blue screen by
> rebooting), but I am pretty sure no driver is specifically named.

Next time it happens, you must look very carefully and write down all
the letters and numbers in the first few lines. To the far right of the
screen, you'll often see a driver name, such as zzyyzz.sys

> The response I get is always the same, essentially saying that it is
> probably a driver but the exact cause cannot be determined.

This does not surprise me in the slightest!

> I have had blue screens before, and not been terribly concerned,
> because they were very random,

If you were getting them on NT/2000 you *should* have been concerned
because there's no reason these machines should EVER blue screen. If you
were getting them on some other Mickey Mouse O/S such as 98/ME/XP then
it's not exactly surprising.

> The string in event viewer is: Error code 0000000a, parameter1
> 000000b0, parameter2 00000002, parameter3 00000000, parameter4
> 804d71af.
>
> Hopefully that information will be of use?

It would be of use to someone with your full crash-dump file, the
Windows source code, a good debugger and a couple of hours to spare,
LOL, but failing that the only way to get to the bottom of it is to try
and find a pattern, compare notes with others and so on. We don't know
the history of your system, it could have all kinds of software and
driver conflicts - I'd be tempted to backup any data, format the system
partition and start again.

> It seems even more odd to me that there is this system error during a
> boot, but then the next boot does not generate it, and is successful.

Yes, that is certainly odd.

> Looking for help I was directed to the NGs by MS,

Yes, you get asked to go to the NGs (easy option for MS), but then
people in the NGs claim they're not the unpaid replacement support team
for Microsoft!

In my experience, there are very few big companies that will allow
themselves to get dragged into disassembling crash-dump files unless
you're on the super-special-gold-enterprise contract (or whatever). Most
of them will just suggest backing up all the data and then running the
"recovery" CD.

> immediately saw your
> notice concerning the Security Bulletin. Seemed way too coincidental.

Personally, I think it *is* coincidence.

> Is it not possible that in the time between I downloaded that skin,
> and then did the upgrade, that some script or something had already
> been executed on my computer.

I've already answered this earlier in the thread.

> (I probably sound like a paranoid idiot here,

Nope.

> But it does seem to me that although the patch you linked to fixes the
> vulnerability, if some invasion or other malicious thing has already
> occurred it would not be affected by the patch or the upgrade. Does
> that make sense?

I've already answered this earlier in the thread.

> If so, what can one do about it?

Well if it *was* a trojan - which is *unlikely*, then unless you enjoy
hours of reverse-engineering of trojans that you can't even see, there's
probably not much that CAN be done, other than formatting the hard disk
and re-installing everything, but since it probably isn't a trojan just
stick to troubleshooting the blue screen. Here's an article

http://support.microsoft.com/default.aspx?scid=kb;en-us;130802

Interestingly, it does not cover XP?

> As far as the possibility of a trojan goes, all I can say is I am
> religious about keeping my virus definitions up to date, and that is
> supposedly also including trojans.

I think "supposedly" is the operative word here. Some trojans end up in
the sigs, but you can write a new one in minutes and you can use
standard software like process killers. The difficulty is getting it
INTO the machine in the first place, and this is where the
vulnerabilities come in handy.

--
Gerry Hickman (London UK)
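The "Error code 0000000a, parameter1 ..." string quoted in the post above is the Save Dump event that Windows writes after a bugcheck, and it carries more than the KB article lets on. The following is an added example, not code from anyone in this thread: it parses that event text, names the stop code, and for 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) decodes the four parameters according to their documented meanings (referenced address, IRQL, read/write flag, faulting instruction address). The wrapping sentence around the poster's numbers in SAMPLE_EVENT is constructed, and the "near null" threshold is a heuristic, not a Windows rule.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample: the numbers are the ones quoted in the thread, the
# surrounding event text is assumed to look like a typical Save Dump event.
SAMPLE_EVENT = (
    "The computer has rebooted from a bugcheck. The bugcheck was: "
    "Error code 0000000a, parameter1 000000b0, parameter2 00000002, "
    "parameter3 00000000, parameter4 804d71af."
)

# A handful of well-known stop codes; only 0x0A's parameters are decoded below.
BUGCHECK_NAMES = {
    0x0000000A: "IRQL_NOT_LESS_OR_EQUAL",
    0x0000001E: "KMODE_EXCEPTION_NOT_HANDLED",
    0x00000050: "PAGE_FAULT_IN_NONPAGED_AREA",
    0x0000007E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0x000000D1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
}

# x86 IRQL values: 0 = PASSIVE_LEVEL, 1 = APC_LEVEL, 2 = DISPATCH_LEVEL.
IRQL_NAMES = {0: "PASSIVE_LEVEL", 1: "APC_LEVEL", 2: "DISPATCH_LEVEL"}

_PATTERN = re.compile(
    r"Error code\s+([0-9a-fA-F]{8}),\s*parameter1\s+([0-9a-fA-F]{8}),\s*"
    r"parameter2\s+([0-9a-fA-F]{8}),\s*parameter3\s+([0-9a-fA-F]{8}),\s*"
    r"parameter4\s+([0-9a-fA-F]{8})"
)


@dataclass
class Bugcheck:
    code: int
    params: Tuple[int, int, int, int]

    @property
    def name(self) -> str:
        return BUGCHECK_NAMES.get(self.code, "UNKNOWN")


def parse_bugcheck(text: str) -> Optional[Bugcheck]:
    """Extract the stop code and its four parameters from Save Dump event text."""
    m = _PATTERN.search(text)
    if not m:
        return None
    code, *params = (int(x, 16) for x in m.groups())
    return Bugcheck(code, tuple(params))


def is_kernel_address(addr: int) -> bool:
    """32-bit Windows with the default 2 GB/2 GB split: kernel space starts at 0x80000000."""
    return addr >= 0x80000000


def describe(bc: Bugcheck) -> dict:
    """Turn a parsed bugcheck into the facts a troubleshooter would note down."""
    info = {"code": f"0x{bc.code:08X}", "name": bc.name}
    if bc.code == 0x0000000A:
        referenced, irql, rw, instr = bc.params
        info.update({
            "referenced_address": f"0x{referenced:08X}",
            "irql": irql,
            "irql_name": IRQL_NAMES.get(irql, "UNKNOWN"),
            "access": "write" if rw else "read",
            "faulting_instruction": f"0x{instr:08X}",
            "faulting_in_kernel_space": is_kernel_address(instr),
            # Heuristic (assumption): a referenced address in the lowest 64 KB,
            # which Windows leaves unmapped, usually means a NULL-based pointer.
            "near_null_deref": referenced < 0x10000,
        })
    return info


if __name__ == "__main__":
    bc = parse_bugcheck(SAMPLE_EVENT)
    for key, value in describe(bc).items():
        print(f"{key:26} {value}")
```

For the thread's numbers this reports IRQL_NOT_LESS_OR_EQUAL, a read of address 0x000000B0 at DISPATCH_LEVEL by code at a kernel-space address, which is the usual signature of a driver (or the kernel on a driver's behalf) touching a bad pointer at raised IRQL. It does not identify the driver; for that you still need the module name from the blue screen itself or the crash dump loaded in a debugger, as the post says.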
