BSOD on boot to safe mode ONLY

dgoldfluss asked:
I have a laptop that is infected with some virus or malware. The symptoms are an auto redirect from any browser when clicking on a search engine link (at first I thought it was just Bing and Firefox, but it is in IE and Google as well). Some links work, some will just redirect to another page. Spybot S&D found nothing; Malwarebytes found hijack.shell and disable.securitycenter, now in quarantine. VIPRE AV found fraudtool,win32.roguesecurity. I have gone through HijackThis and removed any suspect entries...

Now I wanted to boot to safe mode to help disinfect the machine. When I try to start into safe mode (all options) I get a BSOD with PAGE_FAULT_IN_NONPAGED_AREA. Regular boot works fine every time. Upon research I found two problems associated with this BSOD: one would be bad memory, the other is a driver issue. The first I cannot see a problem with; the second I do not get, since I am booting in safe mode, is it a driver not loading??

HELP!!
Try to remove all additional hardware, remove one RAM slot, and try to log in via safe mode.
Check your Event Viewer to see what's causing the fault. Also, some spyware/adware hides pretty well these days. I suggest making a UBCD4Win CD (http://www.ubcd4win.com/) with the Spybot and Malwarebytes plugins and antivirus plugins as well, and scan with that.

Author

Commented:
Thanks, I will start by undocking the laptop and anything else connected. I did try UBCD with VIPRE. I think I need an updated UBCD, so I will download and set up again....

I tried using ComboFix as well.....

Thanks, I will let you know the results.

Top Expert 2009

Commented:
-If issues still exist after the above experts' suggestions, try scanning that system with this live CD:
Kaspersky live CD http://devbuilds.kaspersky-labs.com/devbuilds/RescueDisk/

--It is in ISO/image format, so you will have to burn it to a CD.
--Once the CD is created, boot the infected machine to that CD and scan your system.
NB: Update the virus database in the live CD before scanning.



Also, do you have your installation media?
If so you may have to do a repair installation afterwards, depending on what infected files are removed:
http://michaelstevenstech.com/XPrepairinstall.htm

Commented:
1) Download ComboFix from www.bleepingcomputer.com using a known good system. Burn it onto a CD and then execute it (http://www.bleepingcomputer.com/combofix/how-to-use-combofix).
DO NOT DOWNLOAD FROM COMBOFIX.ORG... it may come up first in Google, but it's a bogus site.
2) Let ComboFix do its thing. See the second link above for the tutorial.
Depending on what was done earlier, the BSOD may be a function of the malware, or of the rough removal of malware by another tool. Hard to tell.
3) Put the system back in functional shape with Dial-a-fix: http://wiki.lunarsoft.net/wiki/Dial-a-fix
4) Get out the install disk and run sfc /scannow (with a known good install CD in the drive).
5) Reboot and rerun MS Updates.
It may be wise to reverse the order of 3 and 4 depending on the issue.

Author

Commented:
Undocking did not work. There was only one RAM module, which I swapped from another machine. Nothing.

The Kaspersky disk did not start the scan, with a corrupt database. Trying to get a UBCD together, but I have 10 minutes before I leave for the weekend!
Top Expert 2009

Commented:
After the weekend, try the scan again. The updates being pulled down may be OK then :)
Top Expert 2007

Commented:
Can you please attach or paste here the MalwareBytes and the Combofix logs?
The logs might help us point to the culprit.

Author

Commented:
Here are the ComboFix and HijackThis logs. I guess I did not save a log file for Malwarebytes; I cannot find it....
hijackthis.log
ComboFix-quarantined-files.txt
ComboFix.txt
Top Expert 2007

Commented:
Is the search still being redirected?
Thanks for the logs. I couldn't find any suspicious entry in the CF log that would help point to the culprit; like you said, it could also be a driver that isn't loading.
I thought it could be a patched system file, but there is no indication of that in the CF log.

Try running these scanners and let's see what their logs show.

1.  Download the GMER Rootkit Scanner. Unzip it to your Desktop.
http://www.gmer.net/gmer.zip

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
Double-click gmer.exe. The program will begin to run.



2.  Download RootRepeal from either one of the links below and save it to your desktop.
http://ad13.geekstogo.com/RootRepeal.zip
http://ad13.geekstogo.com/RootRepeal.rar


Extract RootRepeal.exe from the archive.
Open RootRepeal on your desktop.
Click the "Report" tab.
Click the "Scan" button.
Check all seven boxes:

o Drivers
o Files
o Processes
o SSDT
o Stealth Objects
o Hidden Services
o Shadow SSDT

Push Yes
Check the box for your main system drive (Usually C:), and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the "Save Report" button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Author

Commented:
OK, so I created a new UBCD for myself, a good thing since mine was too old. I ran most every scanner that would work and function, including Spybot S&D, Avast, VIPRE, GMER.

Spybot found a microsoft.windows.security registry change. Avast nothing, VIPRE nothing. I think GMER found nothing, but I will attach the log. I did make sure all scanners were up to date.

I also created a Kaspersky rescue disk and got it to update (a pain in the arse). It found nothing.

I also ran RootRepeal...

Then I ran ComboFix from Windows. I could not get ComboFix to run out of the UBCD environment.

I will attach all log files...

I am hitting my head, because after about 10 minutes the first entry for Wikipedia in a search brought me back to the crap. Seems when it is run once, it tends to infect more pages.....
gmer.log
SpybotSD.Results.txt
combofix102709.txt
RootRepeal-report-10-26-09--10-1.txt
Top Expert 2007
Commented:
Thanks for the logs... I still don't know what caused the BSOD in safe mode....
Could be one of your software packages causing this when unable to load its drivers, since you have so many services there.

Or it could be one of the recent nasties that eludes the scanners we used.
Try scanning with OTL (the first scan just enumerates what's running, similar to a diagnostic tool).

Download OTL to your Desktop
http://oldtimer.geekstogo.com/OTL.exe

Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
Under the Custom Scan box paste this in (bolded text below)

netsvcs
%SYSTEMDRIVE%\*.exe
%SYSTEMDRIVE%\eventlog.dll /s /md5
%SYSTEMDRIVE%\scecli.dll /s /md5
%SYSTEMDRIVE%\netlogon.dll /s /md5
%SYSTEMDRIVE%\cngaudit.dll /s /md5
%SYSTEMDRIVE%\sceclt.dll /s /md5
%SYSTEMDRIVE%\ntelogon.dll /s /md5
%SYSTEMDRIVE%\logevent.dll /s /md5
%SYSTEMDRIVE%\iaStor.sys /s /md5
%SYSTEMDRIVE%\nvstor.sys /s /md5
%SYSTEMDRIVE%\atapi.sys /s /md5
%SYSTEMDRIVE%\IdeChnDr.sys /s /md5
%SYSTEMDRIVE%\viasraid.sys /s /md5
%SYSTEMDRIVE%\AGP440.sys /s /md5
%SYSTEMDRIVE%\vaxscsi.sys /s /md5


Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL, please attach the logs.

Author

Commented:
Here are the log files from OTL....
Extras.Txt
OTL.Txt
Top Expert 2007

Commented:
I don't see any suspicious\malicious entries in the logs....
I'll call for help in case this is a hardware or software issue, Experts in those areas might be able to find the solution.
Top Expert 2009

Commented:
Could you upload the three latest minidump files located at
C:\Windows\Minidump
Rename them from .dmp to .txt to upload
Shane Russell (2nd Line Desktop Support)

Commented:
Use a BartPE disc or a Linux live disc of some description and back up any data you want to keep, do a full format (which will also check for bad sectors etc. on the HDD), then do a fresh install along with the latest drivers and reinstall any software.

Then try again re: safe mode etc.

Also, before you run any scans, if you want to go down that route, disable System Restore, delete the restore points and then do the scans, but again I would back up data first.

Commented:
Re: BSOD in safe mode. I agree with optoma that minidumps -- if created -- should help pinpoint the cause.

You seem to have a driver issue which is a reversal from the norm. Intrinsic (built-in) drivers are used in safe mode (e.g. Standard VGA driver in lieu of video card manufacturer's driver) and one of those intrinsic drivers may be corrupt. To see if it is the VGA driver, try booting into VGA Only Mode instead of Safe Mode.
Top Expert 2005

Commented:
When you're in safe mode, check the HOSTS file - it should only contain one entry for localhost unless you are specifically using a HOST file for added protection.

You'll find the HOSTS file in C:\Windows\System32\drivers\etc.  Open it in Notepad, but make sure you uncheck the box for Always use this program...

As for your BSOD, you might want to download this and somehow get it installed and running to get some logs for us.
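The HOSTS check above, as an added example that is not code from the thread: a Python script that reads a HOSTS file and classifies each entry into the expected localhost line, Spybot-style immunization entries (a known-bad hostname sunk to the loopback address, which the author says his original file contains), and the kind of entry a redirector plants (a search engine, AV vendor or update server pointed at loopback or at some other address). The path is the one named in the post; SENSITIVE_SUFFIXES is an assumed illustrative list, and SAMPLE_HOSTS is constructed, not the laptop's file.

```python
"""Audit a Windows HOSTS file for hijack entries.

Added example, not code from the thread. Classifies every hostname as
  ok        - localhost mapped to a loopback address
  sinkhole  - some other name sunk to loopback/0.0.0.0 (immunization style)
  hijack    - a search engine, AV vendor or update host mapped anywhere
  redirect  - an unknown host sent to a real (non-loopback) address
  malformed - a line that is not "<ip> <host...>"
SENSITIVE_SUFFIXES is an assumption for illustration; extend it as needed.
"""
import ipaddress
import sys
from dataclasses import dataclass
from pathlib import Path

HOSTS_PATH = Path(r"C:\Windows\System32\drivers\etc\hosts")
SINK_ADDRESSES = {"127.0.0.1", "::1", "0.0.0.0"}      # "route to nowhere" targets
SENSITIVE_SUFFIXES = (                                # assumption: illustrative list
    "google.com", "bing.com", "yahoo.com", "wikipedia.org",
    "microsoft.com", "windowsupdate.com", "malwarebytes.org",
    "kaspersky.com", "symantec.com", "mcafee.com", "bleepingcomputer.com",
)


@dataclass
class Finding:
    line: int
    address: str
    hostname: str
    verdict: str   # ok | sinkhole | hijack | redirect | malformed


def _is_sensitive(host):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in SENSITIVE_SUFFIXES)


def analyze_hosts(text):
    """Classify every hostname in HOSTS-file text; comments and blank lines are skipped."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        addr, hosts = parts[0], parts[1:]
        try:
            addr = str(ipaddress.ip_address(addr))   # normalise, e.g. ::1 forms
        except ValueError:
            hosts = []
        if not hosts:
            findings.append(Finding(lineno, addr, "", "malformed"))
            continue
        for host in hosts:
            if host.lower() in ("localhost", "localhost.localdomain") and addr in SINK_ADDRESSES:
                verdict = "ok"
            elif _is_sensitive(host):
                verdict = "hijack"       # blocks an AV site or diverts a search engine
            elif addr in SINK_ADDRESSES:
                verdict = "sinkhole"     # expected only if you installed immunization entries
            else:
                verdict = "redirect"     # an unknown host sent to a real address: check it
            findings.append(Finding(lineno, addr, host, verdict))
    return findings


def suspicious(findings):
    return [f for f in findings if f.verdict in ("hijack", "redirect", "malformed")]


# Constructed sample, not the HOSTS file from the laptop in the thread.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1       www.some-bad-site.example     # Spybot-style immunization entry
127.0.0.1       www.malwarebytes.org          # AV vendor sunk to loopback
10.0.0.5        www.google.com                # searches sent to another address
"""


def main(path=None):
    """Print every entry with its verdict; return the number of suspicious ones."""
    text = Path(path).read_text(errors="replace") if path else SAMPLE_HOSTS
    findings = analyze_hosts(text)
    for f in findings:
        print(f"line {f.line:>3}  {f.verdict:<9} {f.address:<16} {f.hostname}")
    return len(suspicious(findings))


if __name__ == "__main__":
    arg = sys.argv[1] if len(sys.argv) > 1 else (str(HOSTS_PATH) if HOSTS_PATH.exists() else None)
    sys.exit(1 if main(arg) else 0)
```

Run it with no argument on the infected machine and it reads the real file; the exit status is non-zero when anything suspicious is found. Note that a "sinkhole" entry is only harmless if you put it there: a scanner that rewrites the file down to the single localhost line, as happened in this thread, removes immunization entries and hijack entries alike, so re-check after restoring a saved copy.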

Author

Commented:
I am not finding a minidump created!!!

The HOSTS file was switched, probably by one of these scanning programs, to just 127.0.0.1.

I switched back to my original HOSTS, which includes entries from Spybot S&D to route bad sites to loopback.

I tried booting in VGA mode; it worked fine.

I am going on vacation, so I do not have the time to do a full format and reinstallation, something I was avoiding in the first place. My main issue is not the safe mode boot, but the redirection of search engine results, which just scares me. I have started using Google Chrome, which seems to have not been affected.

One of the scans likely resolved the malware issue, but the safe mode issue still needs to be resolved.  Try this (it applies to XP SP3 too):
http://blog.didierstevens.com/2007/02/19/restoring-safe-mode-with-a-reg-file/
Sorry, one follow-up to my previous post: I ran into these same issues on several pc's, and the link I posted fixes the safe mode problem, but to fix the link redirection:
I attached the drive to another computer and ran a full battery of scans against it (you might be able to use BartPE or some other LiveCD alternatively).
Specifically, http://www.freedrweb.com/cureit/ ended up finding that the atapi.sys driver was corrupted. I ran other AV programs too; Malwarebytes is a good idea, perhaps http://www.trendmicro.com/download/dcs.asp (with pattern files: http://www.trendmicro.com/download/pattern.asp) too.

Once that's done, put the drive back in, boot the machine up, and run ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix), which removed a few more things and on one machine actually fixed the safe mode issue at the same time!

Once safe mode is working (either from these steps or the .reg merge), I'd suggest running some of these tools again, just to be sure.

Author

Commented:
Well here we go....

Took the drive out and did a Malwarebytes scan on it from another PC. Found one issue with backdoor.brediva in \WINDOWS\system32\cpcp.cpo. After cleaning the file, the computer goes to BSOD no matter what....

A search online shows this is a virus file, so hopefully the file was removed, not just cleaned. I'd put that hard drive on another system again, then mount the registry hives and search for references to that file to see if you can track the offending entry down; post what you find. More than likely there are references to it that prevent the system from booting.

The blue screen error may shed light on the issue as well, if you can post it.
Top Expert 2005
Commented:
Agreed.  Load the Hives from that drive into the host's registry before you run MBAM again.

You'll have to load SYSTEM then scan, then unload it and load SOFTWARE then scan it again in order to get all the keys from the infected PC - other than the USERS key, which shouldn't matter much if the files and critical registry entries are removed.

Once it's bootable again then you can rerun MBAM on the real system when it's live.
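The offline-hive procedure from the two posts above (attach the pulled drive to another PC, load its SYSTEM and then its SOFTWARE hive into the host's registry, search for references to the deleted file, unload each hive again) as an added Python example; it is not code from the thread. Assumptions, all mine: the infected disk is attached to a Windows host as D:, the script runs from an elevated prompt, reg.exe is on PATH, and the hives sit at the XP paths under D:\WINDOWS\system32\config. SAMPLE_OUTPUT is constructed to show the reg query format; its key paths are illustrative and are not what was found on the laptop.

```python
"""Search registry hives from a non-booting Windows drive for a file name.

Added example, not code from the thread. Each hive is loaded under HKLM,
queried recursively with `reg query /s /f`, and unloaded again in a finally
block, in the order the thread describes (SYSTEM first, then SOFTWARE).
Assumptions: drive letter D:, elevated prompt on a Windows host, reg.exe on
PATH, XP hive locations.
"""
import re
import subprocess
import sys

# Assumption: drive letter and hive paths of the attached disk.
HIVES = {
    "SYSTEM": r"D:\WINDOWS\system32\config\SYSTEM",
    "SOFTWARE": r"D:\WINDOWS\system32\config\SOFTWARE",
}
MOUNT_PREFIX = r"HKLM\Offline_"   # hives appear as HKLM\Offline_SYSTEM and so on


def parse_reg_query(output, needle):
    """Turn the text of `reg query <key> /s /f <needle>` into hit tuples.

    Key lines are unindented; value lines are indented and separate name,
    type and data with runs of four or more spaces. Returns
    (key, value_name, value_type, data); a key whose own name matched has
    empty value fields.
    """
    hits, key = [], None
    for line in output.splitlines():
        if not line.strip() or line.startswith("End of search"):
            continue
        if not line[0].isspace():
            key = line.strip()
            if needle.lower() in key.lower():
                hits.append((key, "", "", ""))
            continue
        cols = re.split(r"\s{4,}", line.strip(), maxsplit=2)
        if key and len(cols) == 3:
            hits.append((key, cols[0], cols[1], cols[2]))
    return hits


def search_offline_hives(needle, hives=HIVES, run=subprocess.run):
    """Load each hive, search it for `needle`, and always unload it again."""
    results = {}
    for name, path in hives.items():
        mount = MOUNT_PREFIX + name
        loaded = run(["reg", "load", mount, path], capture_output=True, text=True)
        if loaded.returncode != 0:
            raise RuntimeError(f"reg load {name} failed: {loaded.stderr.strip()}")
        try:
            # reg query exits non-zero when nothing matched; that is not an error here.
            query = run(["reg", "query", mount, "/s", "/f", needle],
                        capture_output=True, text=True)
            results[name] = parse_reg_query(query.stdout, needle)
        finally:
            # Unload fails while anything (regedit, a scanner) still holds a key
            # under the mount point open; close those first.
            run(["reg", "unload", mount], capture_output=True, text=True)
    return results


# Constructed sample of reg query output. The key paths are illustrative and
# are not what was found on the laptop in the thread.
SAMPLE_OUTPUT = r"""
HKEY_LOCAL_MACHINE\Offline_SYSTEM\ControlSet001\Services\ExampleSvc
    ImagePath    REG_EXPAND_SZ    \SystemRoot\system32\cpcp.cpo

HKEY_LOCAL_MACHINE\Offline_SYSTEM\ControlSet001\Control\Session Manager
    BootExecute    REG_MULTI_SZ    autocheck autochk *\0cpcp.cpo

End of search: 2 match(es) found.
"""


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "cpcp.cpo"
    for hive, hits in search_offline_hives(target).items():
        print(f"[{hive}] {len(hits)} reference(s) to {target}")
        for key, vname, vtype, data in hits:
            print(f"  {key}\n      {vname or '(key name)'} {vtype} {data}")
```

Running MBAM over the loaded hives, as Netman66 suggests, answers "is anything in there malicious"; this script answers the narrower question of which keys still point at a file that no longer exists, so the entries can be fixed or removed with reg delete before the drive goes back into the laptop. Do the same for each ControlSet00N under the SYSTEM hive, not only the one CurrentControlSet resolved to last boot.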

Author

Commented:
I did a repair using the XP install disk and have the machine up and running. I have yet to check if the bug is still there. I did delete the file when I did the Malwarebytes scan.

I will see if the redirect still occurs. FYI, when I started the MBAM scan from my Win7 machine with the laptop hard drive connected externally, I got blue-screened immediately......

@Netman66: will MBAM actually scan hives that are just mounted and not on the local system? That'd be pretty sweet; I wouldn't think it would detect them since they are not in use by the active system.

Author

Commented:
On my initial testing, it looks like my offending redirects are gone....

AND SAFE MODE WORKS!!!!

That's great, congrats!

Author

Commented:
I know!!!!  Should have done that awhile back, although using Google Chrome as a browser helped me avoid the problem while on vacation.

I'd like to thank the academy.....

Author

Commented:
Finally solved my problem; all the help was appreciated.
Top Expert 2005

Commented:
@slashblue:  If the Hives are mounted, they should get scanned with the "live" registry.
