Question

BSOD on boot to safe mode ONLY

Asked by: dgoldfluss

I have a laptop that is infected with some virus or malware. The symptoms are an auto redirect from any browser when clicking on a search engine link (at first I thought it was just Bing and Firefox, but it is in IE and Google as well). Some links work, some will just redirect to another page. Spybot S&D found nothing; Malwarebytes found hijack.shell and disable.securitycenter in quarantine. VIPRE AV found fraudtool,win32.roguesecurity. I have gone through the HijackThis log and removed any suspect entries...

Now I wanted to boot to safe mode to help disinfect the machine. When I try to start into safe mode (all options) I get a BSOD with PAGE_FAULT_IN_NONPAGED_AREA. Regular boot works fine every time. Upon research I get two problems associated with this BSOD: one would be bad memory, the other is a driver issue. The first I cannot see a problem with; the second I do not get, since I am booting in safe mode, is a driver not loading??

HELP!!


Asked On: 2009-10-23 at 14:26:05 (ID 24839525)

Tags: windows xp; virus; malware

Topics: Windows XP Operating System, Anti-Virus, Anti-Spyware, Miscellaneous Hardware

Participating Experts: 9
Points: 500
Comments: 33


Answers

 

by: houssam_ballout, posted on 2009-10-23 at 14:30:12 (ID: 25648862)

Try to remove all additional hardware, remove one RAM slot,
& try to log in via safe mode.

 

by: TheNautican, posted on 2009-10-23 at 14:32:49 (ID: 25648878)

Check your Event Viewer to see what's causing the fault. Also, some spyware/adware hides pretty well these days. I suggest making a UBCD4Win CD (http://www.ubcd4win.com/) with the Spybot and Malwarebytes plugins and anti-virus plugins as well, and scanning with that.

 

by: dgoldfluss, posted on 2009-10-23 at 14:35:31 (ID: 25648896)

Thanks, I will start by undocking the laptop and anything else connected. I did try UBCD with VIPRE. I think I need an updated UBCD, so I will download and set it up again....

I tried using ComboFix as well.....

Thanks, I will let you know the results.

 

by: optoma, posted on 2009-10-23 at 14:45:10 (ID: 25648992)

-If issues still exist after the above experts' suggestions, try scanning that system with this live CD:
Kaspersky live CD http://devbuilds.kaspersky-labs.com/devbuilds/RescueDisk/

--It is in ISO/image format, so you will have to burn it to a CD.
--Once the CD is created, boot the infected machine from that CD and scan your system.
NB: Update the virus database in the live CD before scanning.

Also, do you have your installation media?
If so, you may have to do a repair installation afterwards, depending on what infected files are removed:
http://michaelstevenstech.com/XPrepairinstall.htm

 

by: dnilson, posted on 2009-10-23 at 14:57:19 (ID: 25649091)

1) Download COMBOFIX from www.bleepingcomputer.com using a known good system. Burn onto a CD and then execute (http://www.bleepingcomputer.com/combofix/how-to-use-combofix).

DO NOT DOWNLOAD FROM COMBOFIX.ORG ...it may come up first in Google, but it's a bogus site.

2) Let ComboFix do its thing. See the second link above for the tutorial.

Depending on what was done earlier, the BSOD may be a function of the malware, or of the rough removal of malware by another tool. Hard to tell.

3) Put the system back in functional shape with Dial-A-Fix: http://wiki.lunarsoft.net/wiki/Dial-a-fix

4) Get out the install disk and run sfc /scannow (with a known good install CD in the drive).

5) Reboot and rerun MS Updates.

It may be wise to reverse the order of 3 & 4 depending on the issue.

 

by: dgoldfluss, posted on 2009-10-23 at 15:50:48 (ID: 25649441)

Undock did not work. There was only one RAM module, which I swapped from another machine. Nothing.

The Kaspersky disk did not start the scan, with a corrupt database. Trying to get a UBCD together, but I have 10 minutes before I leave for the weekend!

 

by: optoma, posted on 2009-10-23 at 16:53:54 (ID: 25649909)

After the weekend, try the scan again. The updates being pulled down may be OK then :)

 

by: rpggamergirl, posted on 2009-10-24 at 05:38:13 (ID: 25651899)

Can you please attach or paste here the MalwareBytes and the Combofix logs?
The logs might help us point to the culprit.

 

by: dgoldfluss, posted on 2009-10-24 at 12:45:36 (ID: 25653926)

Here are the ComboFix and HijackThis logs. I guess I did not save a log file for Malwarebytes; I cannot find it....

 

by: rpggamergirl, posted on 2009-10-24 at 15:38:15 (ID: 25654711)

Is the search still being redirected?
Thanks for the logs. I couldn't find any suspicious entry in the CF log that would help point to the culprit; like you said, it could also be a driver that isn't loading.
I thought it could be a patched system file, but there's no indication in the CF log.

Try running these scanners and let's see what their logs show.

1. Download the GMER Rootkit Scanner. Unzip it to your Desktop.
http://www.gmer.net/gmer.zip

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
Double-click gmer.exe. The program will begin to run.

2. Download RootRepeal from either one of the links below and save it to your desktop.
http://ad13.geekstogo.com/RootRepeal.zip
http://ad13.geekstogo.com/RootRepeal.rar

Extract RootRepeal.exe from the archive.
Open RootRepeal on your desktop.
Click the "Report" tab.
Click the "Scan" button.
Check all seven boxes:

o Drivers
o Files
o Processes
o SSDT
o Stealth Objects
o Hidden Services
o Shadow SSDT

Push Yes.
Check the box for your main system drive (usually C:), and press OK.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the "Save Report" button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

 

by: dgoldfluss, posted on 2009-10-28 at 07:54:18 (ID: 25683910)

OK, so I created a new UBCD for myself, good thing since mine was too old. I ran most every scanner that would work and function, including Spybot S&D, Avast, VIPRE, GMER.

Spybot found a microsoft.windows.security registry change. Avast nothing, VIPRE nothing. I think GMER found nothing, but I will attach the log. I did make sure all scanners were up to date.

I also created a Kaspersky rescue disk and got it to update (a pain in the arse). It found nothing.

I also ran RootRepeal...

Then ran ComboFix from Windows. I could not get ComboFix to run out of the UBCD environment.

I will attach all log files...

I am hitting my head because after about 10 minutes, the first entry for Wikipedia in a search brought me back to the crap. Seems when it is run once, it tends to infect more pages.....

 

by: rpggamergirl, posted on 2009-10-30 at 05:34:04 (ID: 25702277)

Thanks for the logs... I still don't know what caused the BSOD in safe mode....
Could be one of your software packages causing this when unable to load its drivers, since you have so many services there.

Or it could be one of the recent nasties that eludes the scanners we used.
Try scanning with OTL (the first scan will just enumerate what's running, similar to a diagnostic tool).

Download OTL to your Desktop:
http://oldtimer.geekstogo.com/OTL.exe

Double-click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
Under the Custom Scan box, paste this in (the text below):

netsvcs
%SYSTEMDRIVE%\*.exe
%SYSTEMDRIVE%\eventlog.dll /s /md5
%SYSTEMDRIVE%\scecli.dll /s /md5
%SYSTEMDRIVE%\netlogon.dll /s /md5
%SYSTEMDRIVE%\cngaudit.dll /s /md5
%SYSTEMDRIVE%\sceclt.dll /s /md5
%SYSTEMDRIVE%\ntelogon.dll /s /md5
%SYSTEMDRIVE%\logevent.dll /s /md5
%SYSTEMDRIVE%\iaStor.sys /s /md5
%SYSTEMDRIVE%\nvstor.sys /s /md5
%SYSTEMDRIVE%\atapi.sys /s /md5
%SYSTEMDRIVE%\IdeChnDr.sys /s /md5
%SYSTEMDRIVE%\viasraid.sys /s /md5
%SYSTEMDRIVE%\AGP440.sys /s /md5
%SYSTEMDRIVE%\vaxscsi.sys /s /md5

Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL; please attach the logs.
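The "/s /md5" directives in the OTL custom scan above search the whole drive for every copy of a critical driver or DLL and list each one with its hash, so that a patched copy (like the corrupted atapi.sys found later in this thread) or a stray copy in an unexpected directory stands out. The script below is an added example that shows the same check in Python; it is not OTL's code or anything posted in the thread. It builds a small constructed directory tree standing in for a Windows drive, hashes every copy of a few of the watched file names, and reports the copies whose hash does not match a known-good baseline (in practice the baseline would come from the dllcache or a clean machine at the same service pack). SHA-256 is used in place of MD5 because MD5 collisions are cheap; the file names come from the OTL list, everything else (paths, contents, function names) is assumed.

```python
"""Find altered or duplicated copies of critical Windows files by hash.

Added example, not OTL or any tool from the thread. It reproduces the idea
behind OTL's "<name> /s /md5" directives: locate every copy of a critical
file on the drive, hash each copy, and flag the ones that differ from the
known-good hash. The directory layout and file contents are constructed.
"""
import hashlib
import os
import tempfile
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple


def file_hash(path: str, algorithm: str = "sha256") -> str:
    """Hash a file in chunks so large drivers do not have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(root: str, names: Iterable[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Walk root; return {lowercased name: [(path, hash), ...]} for the watched names."""
    wanted = {n.lower() for n in names}
    found: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() in wanted:  # NTFS names are case-insensitive
                p = os.path.join(dirpath, fn)
                found[fn.lower()].append((p, file_hash(p)))
    return dict(found)


def audit_copies(root: str, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {name: [paths (relative to root) whose hash differs from the baseline]}."""
    bad: Dict[str, List[str]] = {}
    for name, copies in find_copies(root, baseline).items():
        wrong = [os.path.relpath(p, root) for p, digest in copies if digest != baseline[name]]
        if wrong:
            bad[name] = sorted(wrong)
    return bad


def build_sample_tree(root: str) -> Dict[str, str]:
    """Write a constructed mini Windows tree under root; return the known-good hashes.

    The drivers\\atapi.sys copy carries an extra "injected stub", standing in for
    a patched driver, while the dllcache and ServicePackFiles copies are clean.
    A stray iastor.sys in Temp stands in for a dropped file using a system name.
    """
    clean = {
        "atapi.sys": b"ATAPI driver 5.1.2600 (clean, constructed)",
        "scecli.dll": b"SCECLI 5.1.2600 (clean, constructed)",
        "iastor.sys": b"IASTOR 8.x (clean, constructed)",
    }
    layout = {
        os.path.join("WINDOWS", "system32", "drivers", "atapi.sys"): clean["atapi.sys"] + b" + injected stub",
        os.path.join("WINDOWS", "system32", "dllcache", "atapi.sys"): clean["atapi.sys"],
        os.path.join("WINDOWS", "ServicePackFiles", "i386", "atapi.sys"): clean["atapi.sys"],
        os.path.join("WINDOWS", "system32", "scecli.dll"): clean["scecli.dll"],
        os.path.join("WINDOWS", "system32", "drivers", "iastor.sys"): clean["iastor.sys"],
        os.path.join("Temp", "iastor.sys"): b"something else entirely",
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return {name: hashlib.sha256(data).hexdigest() for name, data in clean.items()}


def run_demo() -> Dict[str, List[str]]:
    """Build the sample tree in a temp dir and audit it; returns the mismatches."""
    with tempfile.TemporaryDirectory() as root:
        baseline = build_sample_tree(root)
        return audit_copies(root, baseline)


if __name__ == "__main__":
    for name, paths in run_demo().items():
        for p in paths:
            print(f"{name}: {p} does NOT match the known-good hash")
```

On a real drive you would point `audit_copies` at the mounted volume (for instance the infected disk attached to a clean machine, as later posts in this thread do) and fill the baseline from hashes taken on a known-clean install at the same service pack level; a copy in system32\drivers that disagrees with the dllcache copy is the first thing to look at.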

 

by: dgoldfluss, posted on 2009-10-30 at 14:12:19 (ID: 25706833)

Here are the log files from OTL....

 

by: rpggamergirl, posted on 2009-10-31 at 02:18:17 (ID: 25708971)

I don't see any suspicious/malicious entries in the logs....
I'll call for help in case this is a hardware or software issue; experts in those areas might be able to find the solution.

 

by: optoma, posted on 2009-10-31 at 02:38:09 (ID: 25709017)

Could you upload the three latest minidump files located at
C:\Windows\Minidump
Rename them from .dmp to .txt to upload.

 

by: gecko_au2003, posted on 2009-10-31 at 06:37:23 (ID: 25709700)

Use a BartPE disc or a Linux live disc of some description and back up any data you want to keep, do a full format (which will also check for bad sectors etc. on the HDD), then do a fresh install along with the latest drivers and reinstall any software.

Then try again re: safe mode etc.

Also, before you run any scans, if you want to go down that route, disable System Restore, delete restore points and then do the scans, but again I would back up data first.

 

by: willcomp, posted on 2009-10-31 at 08:04:24 (ID: 25710016)

Re: BSOD in safe mode. I agree with optoma that minidumps -- if created -- should help pinpoint the cause.

You seem to have a driver issue which is a reversal from the norm. Intrinsic (built-in) drivers are used in safe mode (e.g. Standard VGA driver in lieu of video card manufacturer's driver) and one of those intrinsic drivers may be corrupt. To see if it is the VGA driver, try booting into VGA Only Mode instead of Safe Mode.

 

by: Netman66, posted on 2009-10-31 at 08:40:12 (ID: 25710165)

When you're in safe mode, check the HOSTS file - it should only contain one entry for localhost unless you are specifically using a HOSTS file for added protection.

You'll find the HOSTS file in C:\Windows\System32\drivers\etc. Open it in Notepad, but make sure you uncheck the box for "Always use this program..."

As for your BSOD, you might want to download this and somehow get it installed and running to get some logs for us.
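The HOSTS check Netman66 describes above (and the Spybot-style loopback entries the asker mentions in a later reply) boils down to one rule: an entry that maps a name to 127.0.0.1, ::1 or 0.0.0.0 can only block that name, while an entry that maps a real name to any other address redirects the machine somewhere else and is the signature of a hijack. The script below is an added example, not code from the thread, that parses a HOSTS file and sorts its entries into localhost, blocklist and suspicious groups; the sample file contents are constructed (192.0.2.x is the documentation range, not a real server), and all function names are the example's own.

```python
"""Audit a Windows-style HOSTS file for hijack-style entries.

Added example, not code from the thread. Rule applied: apart from the
localhost line(s), a HOSTS entry is harmless only if it points at a
loopback or null address (a Spybot-style blocklist entry). Anything that
maps a name to a routable address is flagged, because that is how a
hijacker sends a legitimate host name to a server of its choosing.
"""
import ipaddress
from typing import Dict, List

LOOPBACK_NETS = (ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128"))
NULL_ADDRESSES = {"0.0.0.0", "::"}  # also harmless: the name resolves to nowhere

# Constructed sample: the kind of file discussed in this thread, with two
# redirect entries mixed in among the blocklist lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       ad.example-tracker.test   # Spybot-style block entry
0.0.0.0         banner.example-ads.test
192.0.2.45      www.google.com            # real name sent to another server
192.0.2.45      www.bing.com
"""


def parse_hosts(text: str) -> List[Dict[str, object]]:
    """Return one record per host-name mapping, with comments and blanks stripped."""
    records: List[Dict[str, object]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        for name in names:  # one address may be followed by several names
            records.append({"line": lineno, "address": addr, "name": name})
    return records


def is_sinkhole(addr: str) -> bool:
    """True when the address cannot lead anywhere off the machine."""
    if addr in NULL_ADDRESSES:
        return True
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # malformed address: treat as suspicious, not as a block
    return any(ip in net for net in LOOPBACK_NETS)


def audit_hosts(text: str) -> Dict[str, List[Dict[str, object]]]:
    """Classify entries as 'localhost', 'blocklist' (sinkholed) or 'suspicious'."""
    result: Dict[str, List[Dict[str, object]]] = {"localhost": [], "blocklist": [], "suspicious": []}
    for rec in parse_hosts(text):
        name = str(rec["name"]).lower()
        addr = str(rec["address"])
        if name in ("localhost", "localhost.localdomain") and is_sinkhole(addr):
            result["localhost"].append(rec)
        elif is_sinkhole(addr):
            result["blocklist"].append(rec)
        else:
            result["suspicious"].append(rec)
    return result


def suspicious_names(text: str) -> List[str]:
    """Just the host names that are redirected off the box, in file order."""
    return [str(r["name"]) for r in audit_hosts(text)["suspicious"]]


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    for rec in report["suspicious"]:
        print(f"line {rec['line']}: {rec['name']} -> {rec['address']}  SUSPICIOUS")
    print(f"{len(report['blocklist'])} blocklist entries, "
          f"{len(report['localhost'])} localhost entries")
```

To run it against a real machine, read C:\Windows\System32\drivers\etc\hosts and pass the text to `audit_hosts`; an empty "suspicious" list is what a clean file looks like, and a long "blocklist" list is expected when a tool such as Spybot has populated the file on purpose.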

 

by: dgoldfluss, posted on 2009-11-02 at 09:26:03 (ID: 25721400)

I am not finding a minidump created!!!

The hosts file was switched, probably by one of these scanning programs, to just 127.0.0.1.

I switched back to my original hosts file, which includes entries from Spybot S&D to route bad sites to loopback.

I tried booting in VGA mode; it worked fine.

I am going on vacation, so I do not have the time to do a full format and reinstallation, something I was avoiding in the first place. My main issue is not the safe mode boot, but the redirection of search engine results; it just scares me. I have started using Google Chrome, which seems to have not been affected.

 

by: slashblue, posted on 2009-11-09 at 22:53:10 (ID: 25782955)

One of the scans likely resolved the malware issue, but the safe mode issue still needs to be resolved.  Try this (it applies to XP SP3 too):
http://blog.didierstevens.com/2007/02/19/restoring-safe-mode-with-a-reg-file/

 

by: slashblue, posted on 2009-11-09 at 23:08:12 (ID: 25783012)

Sorry, one follow-up to my previous post: I ran into these same issues on several PCs, and the link I posted fixes the safe mode problem, but to fix the link redirection:
I attached the drive to another computer and ran a full battery of scans against it (you might be able to use BartPE or some other LiveCD alternatively).
Specifically, http://www.freedrweb.com/cureit/ ended up finding that the atapi.sys driver was corrupted. I ran other AV programs too; Malwarebytes is a good idea, and perhaps http://www.trendmicro.com/download/dcs.asp (with pattern files: http://www.trendmicro.com/download/pattern.asp) too.

Once that's done, put the drive back in, boot the machine up, and run ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix), which removed a few more things and on one machine actually fixed the safe mode issue at the same time!

Once safe mode is working (either from these steps or the .reg merge), I'd suggest running some of these tools again, just to be sure.

 

by: dgoldfluss, posted on 2009-11-18 at 12:37:54 (ID: 25854492)

Well, here we go....

Took the drive out and did a Malwarebytes scan on it from another PC. Found one issue with Backdoor.Brediva in \WINDOWS\system32\cpcp.cpo. After cleaning the file, the computer goes to BSOD no matter what....

 

by: slashblue, posted on 2009-11-18 at 13:38:44 (ID: 25855170)

A search online shows this is a virus file, so hopefully the file was removed, not just cleaned.  I'd put that hard drive on another system again, then mount the registry hives and search for references to that file to see if you can track the offending entry down, post what you find.  More than likely there's references to it that prevent the system from booting.

The blue screen error may shed light on the issue as well if you can post it.

 

by: Netman66, posted on 2009-11-18 at 13:51:15 (ID: 25855283)

Agreed.  Load the Hives from that drive into the host's registry before you run MBAM again.

You'll have to load SYSTEM then scan, then unload it and load SOFTWARE then scan it again in order to get all the keys from the infected PC - other than the USERS key, which shouldn't matter much if the files and critical registry entries are removed.

Once it's bootable again then you can rerun MBAM on the real system when it's live.

 

by: dgoldfluss, posted on 2009-11-18 at 13:56:48 (ID: 25855341)

I did a repair using the XP install disk and have the machine up and running. I have yet to check if the bug is still there. I did delete the file when I did the Malwarebytes scan.

I will see if the redirect still occurs. FYI, when I started the MBAM scan from my Win7 machine with the laptop hard drive connected externally, I got blue-screened immediately......

 

by: slashblue, posted on 2009-11-18 at 13:57:06 (ID: 25855344)

@Netman66: will MBAM actually scan hives that are just mounted and not on the local system?  That'd be pretty sweet, I wouldn't think it would detect them since they are not in use by the active system.

 

by: dgoldfluss, posted on 2009-11-18 at 14:03:02 (ID: 25855400)

On my initial testing, it looks like my offending redirects are gone....

AND SAFE MODE WORKS!!!!

 

by: slashblue, posted on 2009-11-18 at 14:17:32 (ID: 25855532)

That's great, congrats!

 

by: dgoldfluss, posted on 2009-11-18 at 14:20:39 (ID: 25855559)

I know!!!! Should have done that a while back, although using Google Chrome as a browser helped me avoid the problem while on vacation.

I'd like to thank the academy.....

 

by: dgoldfluss, posted on 2009-11-18 at 14:24:32 (ID: 31645283)

Finally solved my problem; all the help was appreciated.

 

by: Netman66, posted on 2009-11-18 at 14:59:46 (ID: 25855935)

@slashblue:  If the Hives are mounted, they should get scanned with the "live" registry.
