Solved

Strange BSOD and ini file keeps opening at boot up of Win 7

Posted on 2013-12-29
Last Modified: 2013-12-31
I very rarely have a BSOD on my rig, but here is one that just happened and I have no clue why or if it was just a burp in Win 7 Ultimate.  However, since it happened, every time I restart or bootup, and after Win 7 is up and running, notepad opens the desktop ini file and I have to manually close it.  What is that all about?  I have attached all files for you people to look at and give me some feedback.  I am going to run my AV scans, etc. just in case.
BSOD-12-29-13.docx
122913-12745-01.dmp
file-strange.jpg
WER-28033-0.sysdata.xml
Question by:ArtG2521
19 Comments
 
LVL 90

Expert Comment

by:John Hurst
ID: 39744850
The dmp file says Page Fault in Non Paged area.

It could be memory, so check memory with memtest.ext (memtest.org).

More likely it is a virus corrupting your operating system.

Check for viruses with your own application and then scan with malwarebytes (malwarebytes.org).

... Thinkpads_User
 

Author Comment

by:ArtG2521
ID: 39744872
Will do and doing.
 

Author Comment

by:ArtG2521
ID: 39745059
Ok, finished.  Bitdefender and Malware Bytes found some stuff and took care of it.  EXCEPT the desktop.ini file keeps opening up after boot up and I have to close it every time.  See the image I uploaded before called "file-strange".  The desktop.ini file says:

[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787
 
LVL 90

Expert Comment

by:John Hurst
ID: 39745078
See if you can log into the system with a different username (member of administrators group) and delete the file from the different username.

Get a copy of Process Explorer (free from Microsoft). Run it. Look down in the Explorer process and see if there is any process with a strange alpha numeric label. If so, kill the process and run malwarebytes again.

... Thinkpads_User
 
LVL 91

Expert Comment

by:nobus
ID: 39745665
Your dump file points to Vsserv.exe, which is the main Bitdefender process that provides continuous real-time protection,

so best uninstall Bitdefender for testing.
 
LVL 14

Expert Comment

by:Rob Miners
ID: 39745672
You also have a few outdated drivers so update them.

Filename: 000.fcl Fri Sep 26 23:11:22 2008
Command: c:\program files\cyberlink\powerdvd10\navfilter\000.fcl
Description: Added by the PowerDVD universal media player.
File Location: %ProgramFiles%\cyberlink\powerdvd10\navfilter\000.fcl

Filename: lmimirr.sys  Wed Apr 11 08:32:45 2007
Command: %System%\DRIVERS\lmimirr.sys
Description: Video driver for the LogMeIn remote management software.
File Location: %System%\DRIVERS\lmimirr.sys
 
LVL 8

Expert Comment

by:Ratnesh Mishra
ID: 39745749
Bug Check Code 50 with 2nd parameter as 0 means "Page Fault in Non Paged area while reading". It means that when the operating system tries to read from memory [virtual memory] which resides in RAM [physical memory] and which is supposed not to be paged out, and it has not been found, then in order to save from file corruption the Windows operating system gives a bugcheck code 0x00000050. The memory address fffff80003b53b41 [Virtual memory address]
Nobus is absolutely correct: the process which was running during the BSOD on processor 0 was VSSERV.EXE.

Even if you are getting a Shell32.dll error, please don't play with it; it's an operating system file which is required at the time of booting. Your explorer gets loaded on the shell, so don't try to delete the file.
It's always better to test with a clean boot in order to find the root cause; however, when it's related to antivirus or any application which uses a kernel mode driver which gets loaded at boot time, you need to disable it through the registry so that it gets completely deactivated.
 

Author Comment

by:ArtG2521
ID: 39745935
Ratnesh & Nobus, I'm about a mid-level tech in experience, so I do not know exactly how to disable things in the registry.  I need help/instructions to do this.  I have a couple of questions so I can better understand:

Is the desktop.ini file that keeps opening just after boot, the Shell32.dll error?
Nobus, when you say uninstall Bitdefender, should I uninstall and then re-install?  Or run a repair install?  Or talk to Bitdefender tech support and notify them of this error and let them advise as well?

I've had NO BSODs since, but this desktop.ini file that keeps opening, is it directly related to the BSOD I had?  It would seem that way.  If so, then Bitdefender in taking care of a problem, has caused a slight malfunction somewhere that causes the ini to keep opening, yes?
 
LVL 8

Expert Comment

by:Ratnesh Mishra
ID: 39745945
First uninstall Bitdefender [if you can; else you can follow http://support.microsoft.com/kb/816071] and then verify whether it reappears or not. Then we can go ahead with another action plan based on the outcome.
 

Author Comment

by:ArtG2521
ID: 39745951
Quick note:
I ran Process Explorer, and there are NO strange alpha numeric labels.
 
LVL 90

Expert Comment

by:John Hurst
ID: 39745955
Did you try deleting the file from another username?

... Thinkpads_User
 
LVL 8

Expert Comment

by:Ratnesh Mishra
ID: 39745966
You can't find that in Process Explorer; if you want to see it, it may be visible in procmon, however at what level, that matters.

Is this error happening with only one user? If the answer is yes, then recreate the user profile.
Did you try a clean boot [disabling all 3rd party applications and then booting in normal mode]?
Are you getting this issue in safe mode as well? What about safe mode with networking?

Or updating Win32k.sys and shell32.dll will help you to resolve the issue. However, if Bitdefender gets corrupted then even upgrading the system files will not help. So first uninstall Bitdefender and then try to verify. Deleting shell32.dll will destabilize your system, so if you want to check, rename it.
 
LVL 91

Expert Comment

by:nobus
ID: 39746209
Art - I never talked about the registry - all I said was "so best uninstall bitdefender for testing".
In the meantime, you can use a free AV, like AVG or Avast.
 

Author Comment

by:ArtG2521
ID: 39747200
I am the only user.  I will try a couple of these things you all suggest.  Give me a day or two and then I will post the results.  In the meantime, everyone have a Happy New Year!!
 
LVL 90

Expert Comment

by:John Hurst
ID: 39747213
Even though you are the only user, setting up a test user is quite easy. Make it a member of the admin group. You can always remove it later.

... Thinkpads_User
 

Author Comment

by:ArtG2521
ID: 39748011
Since I am off from work today, here is what I have done so far:

Boot up in safe mode.  desktop.ini does NOT open after boot.

Boot up in safe mode with networking.  desktop.ini does NOT open after boot.

Uninstalled Bitdefender.  Re-started. desktop.ini file STILL opens (in Notepad).

Re-installed Bitdefender.  Re-started.  desktop.ini file STILL opens (in Notepad).

Did a search for "desktop.ini" file on "C" drive.  It turns up only one file by that name.  See the attached image called "desktop ini search".  When I open this ini file it reads the following:

[.ShellClassInfo]
IconFile=folder.ico
IconIndex=0
ConfirmFileOp=0

But the desktop.ini file that opens at every re-boot is:

(space)
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787


I have some questions:

How do I update Win32k.sys and shell32.dll?

How do I set up a test user and make it a member of the admin group?  Is that just simply going to Users Accounts and creating a user?
desktop-ini-search.jpg
 
LVL 8

Accepted Solution

by:
Ratnesh Mishra earned 500 total points
ID: 39748035
I am so sorry for this entire issue you faced. The mentioned issue is a known issue with Microsoft; you can follow the article
http://support.microsoft.com/kb/330132

and perform what is mentioned there. I can understand it belongs to Windows XP, but give it a try on Windows 7.

Don't update win32k.sys and shell32.dll.
Just for information, hotfixes are available for different issues; we need to find which version you have and accordingly suggest which hotfix you can use for updating the files.
You need not even create a test user.
If you want to create a test user, it means go to Users and create a user. Now, based on the troubleshooting steps, you can give admin rights or simply put it in a different OU where no Group Policy is implemented, and many more situations....


JUST follow the article http://support.microsoft.com/kb/330132; it will resolve the issue.

If this doesn't fix the issue, then I think it is a trojan kind of virus. In order to find the path of the trojan, we may need to collect a boot log from procmon. That will help us in understanding the origin and can help in finding how it gets activated.

Meanwhile you can use any registry cleaner tools.
You can also use Autoruns from Sysinternals to find any unwanted loaded entry and can unload it, or even note the location and delete it after confirming that the file does not belong to any application you are using or the OS is using.

I also suspect it to be an issue with "Folder Redirection". Can you remove any folder redirected through any script or group policy or whatever method you are using?
0
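
Added example, not part of the thread or of the Microsoft article: a PowerShell audit of the two Startup folders, which ties together the safe-mode result above (Startup items do not run in safe mode) and the Autoruns suggestion. It assumes the Windows 7 default Startup paths and that the file opening in Notepad is a Startup-folder desktop.ini that has lost its Hidden and System attributes; the thread does not state the cause, and `Get-StartupFolderAudit` is a name made up for this example.

```powershell
# Added example (not from the thread): audit the logon Startup folders.
# Paths are the Windows 7 defaults (assumption); adjust if folders are redirected.
$startupDirs = @(
    (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')
)

# desktop.ini is normally marked both Hidden and System
$required = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)

function Get-StartupFolderAudit {
    param([string[]]$Path)
    foreach ($dir in $Path) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        # -Force includes hidden and system files in the listing
        foreach ($item in Get-ChildItem -LiteralPath $dir -Force) {
            $attrs = [int]$item.Attributes
            if ($item.Name -ieq 'desktop.ini') {
                if (($attrs -band $required) -eq $required) {
                    $finding = 'ok: Hidden+System set'
                } else {
                    # Assumption: without these attributes the file is treated
                    # like any other startup item and opened at logon.
                    $finding = 'desktop.ini lacks Hidden/System'
                }
            } else {
                $finding = 'startup item: confirm it belongs to installed software'
            }
            New-Object PSObject -Property @{
                Folder = $dir; Name = $item.Name
                Attributes = $item.Attributes; Modified = $item.LastWriteTime
                Finding = $finding
            } | Select-Object Folder, Name, Attributes, Modified, Finding
        }
    }
}

Get-StartupFolderAudit -Path $startupDirs | Format-List
```

Under that assumption, restoring the attributes with `attrib +s +h` on the flagged file is the usual correction. Any shortcut or executable listed that you cannot tie to installed software is what the Autoruns and procmon boot-log steps above are meant to trace.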
 
LVL 90

Expert Comment

by:John Hurst
ID: 39748129
Is that just simply going to Users Accounts and creating a user?

Yes. Then go to groups and add the user to "administrators".

I use this method a lot. It may not work here if a virus continues to cause the issue, but it is worth a try.

... Thinkpads_User
 

Author Closing Comment

by:ArtG2521
ID: 39748588
Thanks to everyone's help, but Ratnesh is the clear winner.  That solution when applied to Win 7, worked.