What IS going on?

[aimeeandbeatles]

Recently, I've noticed weird things such as the Quick Launch bar rearranging itself and various folders under User/Aimee getting deleted. It's almost as though somebody's messing around with my computer, but I have a router/firewall and up-to-date antivirus and up-to-date Windows Updates.

Just now, the Videos folder went missing. Earlier today I noticed the Quick Launch was rearranged again and Winamp was on repeat, which I clearly remember NOT leaving it.

Is there a log of system events somewhere?

Any ideas?

Edit: Found the Event Viewer. There was some "Audit Policy Changes" and Windows Updates at 2:10 a.m. but that'll all I find. Also some weird "Volume Shadow Copy" at around 6am.

 

[Zelig]

Don't worry about it.

 

[aimeeandbeatles]

Like hell I'm not worrying about something freaky like this!

 

[homeyg]

You might want to open up your computer and see if some kind of worm is fiddling with the circuit boards.

 

[aimeeandbeatles]

I have a see-through case, and I most certainly don't see any unusual organisms inside.

 

[homeyg]

In all seriousness, run some kind of virus or spyware scanning software.

 

[aimeeandbeatles]

AVG runs every day and didn't pick up anything except about 5000000 tracking cookies. lol.

 

[homeyg]

Does anyone else use your computer?

 

[aimeeandbeatles]

No, just me.

 

[Aramazd]

As Zelig said, don't worry about it. But, if it'll make you feel better you could run HijackThis and post the results on one of the forums that reads those for you.

 

[aimeeandbeatles]

The quick launch rearranged itself again. All google points to is it rearranging on reboot but I didn't reboot.

Some weird stuff in Event Viewer:

Spoiler :

12:00:20 a.m. User PnP
Driver Management concluded the process to install driver FileRepository\volsnap.inf_7eb8cdb5\volsnap.inf for Device Instance ID STORAGE\VOLUMESNAPSHOT\HARDDISKVOLUMESNAPSHOT42 with the following status: 0.

Spoiler :

12:00:00 a.m. DistributedCOM
DCOM started the service swprv with arguments "" in order to run the server:
{65EE1DBA-8FF4-4A58-AC1C-3470EE2F376A}

(there's also a second one with "{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}")

Spoiler :

12:03:35 a.m. VSS
The VSS service is shutting down due to idle timeout.

Some stuff on System Restore creating checkpoints. There's also some stuff on ImageMagick but that was a few hours before the rearrangement.

Googled it, and if I understood right it's all to do with that danged VSS> Could the VSS be messing around with my folders?

 

[aimeeandbeatles]

Now I'm getting even more nervous. I put in a CD to try to install a game, and Explorer froze up. Then a blue screen came up, something about Kernal Inpage Somewordimissed error. When it rebooted, Windows said something about being unable to access the HDD.

Ran the crash dump through the debugger and it said this:

Probably caused by : volsnap.sys ( volsnap+173bb )

Also, here's the crash dump for anyone who wants to do some more serious debugging:
http://www.mediafire.com/?m0yzdungm4g

Also should mention I recently did a system restore to fix a screwed-up Games Explorer (I accidentally deleted everything out of it, and it was refusing to add anything else even with drag and drop)

From the event viewer, just before the blue-screen:

Spoiler :

4:24:06 p.m.
The Volume Shadow Copy service entered the stopped state.

Now, I'm starting to think there's a problem with the volsnap.sys. Is it possible? Should I try to replace it?

 

[aimeeandbeatles]

Debug info. This is the one that happened when I put CD in drive.

Spoiler :

******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KERNEL_DATA_INPAGE_ERROR (7a)
The requested page of kernel data could not be read in. Typically caused by
a bad block in the paging file or disk controller error. Also see
KERNEL_STACK_INPAGE_ERROR.
If the error status is 0xC000000E, 0xC000009C, 0xC000009D or 0xC0000185,
it means the disk subsystem has experienced a failure.
If the error status is 0xC000009A, then it means the request failed because
a filesystem failed to make forward progress.
Arguments:
Arg1: c04551e8, lock type that was held (value 1,2,3, or PTE address)
Arg2: c000000e, error status (normally i/o status code)
Arg3: 92cad8c0, current process (virtual address for lock type 3, or PTE)
Arg4: 8aa3d18c, virtual address that could not be in-paged (or PTE contents if arg1 is a PTE address)

Debugging Details:
------------------


ERROR_CODE: (NTSTATUS) 0xc000000e - A device which does not exist was specified.

DISK_HARDWARE_ERROR: There was error with disk hardware

BUGCHECK_STR: 0x7a_c000000e

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

PROCESS_NAME: System

CURRENT_IRQL: 0

TRAP_FRAME: 8a9e3c54 -- (.trap 0xffffffff8a9e3c54)
ErrCode = 00000002
eax=8aa3d188 ebx=00000000 ecx=8ab45660 edx=8393c054 esi=85d45698 edi=85d458a0
eip=89c363bb esp=8a9e3cc8 ebp=8a9e3ce8 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
volsnap!VspCleanupVolumeSnapshot+0x61:
89c363bb 897804 mov dword ptr [eax+4],edi ds:0023:8aa3d18c=????????
Resetting default scope

LAST_CONTROL_TRANSFER: from 8181f7bd to 818d85c9

STACK_TEXT:
8a9e3aac 8181f7bd 0000007a c04551e8 c000000e nt!KeBugCheckEx+0x1e
8a9e3b10 8182a7d3 8a9e3b68 819123c0 000000c0 nt!MiWaitForInPageComplete+0x1df
8a9e3bc0 818aaf05 8aa3d18c 00000000 00000000 nt!MiDispatchFault+0xe07
8a9e3c3c 8188fa74 00000001 8aa3d18c 00000000 nt!MmAccessFault+0x1119
8a9e3c3c 89c363bb 00000001 8aa3d18c 00000000 nt!KiTrap0E+0xdc
8a9e3ce8 89c367ac 8aa4fe58 8a9e3d34 85b99900 volsnap!VspCleanupVolumeSnapshot+0x61
8a9e3d08 89c368a7 85b997a0 8a9e3d34 8a9e3d3c volsnap!VspDeleteOldestSnapshot+0xc4
8a9e3d44 81878e18 85b99900 00000000 8398d020 volsnap!VspDestroyAllSnapshotsWorker+0x67
8a9e3d7c 81a254a8 85b99968 8a9e8680 00000000 nt!ExpWorkerThread+0xfd
8a9e3dc0 8189145e 81878d1b 00000001 00000000 nt!PspSystemThreadStartup+0x9d
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


STACK_COMMAND: kb

FOLLOWUP_IP:
volsnap!VspCleanupVolumeSnapshot+61
89c363bb 897804 mov dword ptr [eax+4],edi

SYMBOL_STACK_INDEX: 5

SYMBOL_NAME: volsnap!VspCleanupVolumeSnapshot+61

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: volsnap

IMAGE_NAME: volsnap.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4549b1bb

FAILURE_BUCKET_ID: 0x7a_c000000e_volsnap!VspCleanupVolumeSnapshot+61

BUCKET_ID: 0x7a_c000000e_volsnap!VspCleanupVolumeSnapshot+61

Followup: MachineOwner
---------

Edit: Also attached a HijackThis log, as somebody on another forum suggested it may be malware. Scary.

 

[Till]

Your Quick Launch problem might be due to the icon cache overflowing. Try increasing it.

The BSOD and crash dump point to a disc failure. Could be either harddrive, or disc drive, or both. I'd check the harddrive for bad sectors, try the disc drive with different discs, and replace the cables that connect them to the MB.

 

[aimeeandbeatles]

I know that it's only one disc that caused the BSOD, which is odd, I only found one very fine scratch. My SimCity 2000 disc is scratched up to pieces and it went through okay.

About the cables... My mom did move the tower recently to get it off the floor. I'll have to check to see if they're loose. If they need replacing, that'll take a while, we're broke (late fees and mom's cigarettes )

 

[aimeeandbeatles]

The SMART values disappeared!

 

[aimeeandbeatles]

Should I just do a Vista reinstall and hope for the best?

 

[Till]

If only one disc is affected, then that disc is most likely the problem. Even a tiny scratch can be fatal, if it is oriented in such a way that a whole sector is destroyed.

 

[aimeeandbeatles]

thanks.

I think I figured out the cause of the blue screens:

Spoiler :

Teenage angst!