
BSOD


  • This topic is locked
42 replies to this topic

#1 Tim F.
  • Members
  • 26 posts

Posted 22 March 2010 - 06:38 PM

Hello - I believe I picked up the Vundo virus on my PC. Before I was able to take any action on it, my Windows desktop froze. I was not able to use the mouse, Tab or cursor. I had no choice but to power down. When the PC powered up, I got a blue screen. The blue screen read:


A problem has been detected and Windows has been shut down to prevent damage to your computer.

The problem seems to be caused by the following files: iastor.sys.

PAGE_FAULT_IN_NONPAGED_AREA

If this is the first time that you've seen this Stop error screen, restart your computer. If this screen appears again, follow these steps:

Check to make sure any new hardware or software is properly installed. If this is a new installation, ask your hardware or software manufacturer for any Windows updates you might need.

If problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select Advanced Startup options, and then select Safe Mode.

Technical information:

*** STOP: 0x00000050 (0xA23BE72B,0x00000000,0xF7BDC589,0x00000000)

*** iastor.sys - Address F7BDC589 base at F7B0A000, DateStamp 426d0c8c


I attempted to restart, then got a screen explaining that Windows was shut down prematurely and asking if I wanted to boot in Regular or Safe Mode. I chose Regular Mode and received this message again. I have not installed ANYTHING on the PC in quite a while.

I attempted to change the BIOS and boot up in all three safe modes, using both RAID Autodetect/AHCI and RAID Autodetect/ATA. Nothing seems to work. I would appreciate ANY help you can provide.




#2 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,211 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 22 March 2010 - 07:23 PM

Hi, Tim F.

Welcome.

Let's give this a try. You will need a flash drive to move information from the sick computer to a working computer, so we can see the progress of our actions. Save these instructions on your flash drive as a text file (use Notepad) so you can have access to them while in an external environment (PE).

Here is what you need to do.

Two programs to download

First

Download ISOBurner. Click Here for ISOBurner Instructions. Install the program, and follow the next set of steps.

Second
  • Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 276.7MB in size so it may take some time to download.
  • When downloaded, double-click it; this will open ISOBurner to burn the file to CD.
  • Boot the non-working computer using the boot CD you just created.
  • In order to do so, the computer must be set to boot from the CD first.
    Note: For information, click here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings:
    • Change Drivers to All
    • Change Registry to All
    • Under the Custom Scan box, paste this in:

      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      nvrd32.sys
      userinit.exe
      explorer.exe
      ntoskrnl.exe
      /md5stop
      %SYSTEMDRIVE%\*.*
      %systemroot%\*. /mp /s
      %systemroot%\System32\config\*.sav
  • Press Run Scan to start the scan.
  • When finished, the file will be saved as C:\OTL.txt
  • Copy this file to your USB drive.
  • Please post the contents of the C:\OTL.txt file in your reply.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
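As an added example (not OTL's or SystemLook's own code), this is what the /md5start ... /md5stop block above amounts to: hash each listed driver and compare it with a reference manifest of known-good digests, so a patched boot driver such as iaStor.sys stands out as a mismatch. The same md5_of_file helper is the check behind comparing the MD5 that SystemLook prints for OTLPE.iso with the published one; the driver names, file contents and manifest in demo() are constructed.

```python
# Added example, not OTL's or SystemLook's code: the idea behind OTL's /md5start
# block - hash boot-critical drivers and compare them against a reference manifest.
import hashlib
import tempfile
from pathlib import Path

def md5_of_file(path, chunk_size=1 << 20):
    """Uppercase hex MD5 of a file, read in chunks (fine for a 276 MB ISO too)."""
    h = hashlib.md5()  # MD5 because that is the digest the 2010-era tools report
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest().upper()

def parse_md5_block(text):
    """File names listed between /md5start and /md5stop, as in the OTL scan box."""
    names, inside = [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.lower() in ("/md5start", "/md5stop"):
            inside = line.lower() == "/md5start"
        elif inside and line:
            names.append(line)
    return names

def check_files(root, names, manifest):
    """Classify each name under root (case-insensitive): ok, MISMATCH, unknown (no reference), missing."""
    found = {p.name.lower(): p for p in Path(root).rglob("*") if p.is_file()}
    results = {}
    for name in names:
        path = found.get(name.lower())
        if path is None:
            results[name] = "missing"
        elif name.lower() not in manifest:
            results[name] = "unknown"
        else:
            good = md5_of_file(path) == manifest[name.lower()].upper()
            results[name] = "ok" if good else "MISMATCH"
    return results

def demo():
    """Constructed data: clean drivers + manifest, then atapi.sys overwritten to simulate patching."""
    drivers = Path(tempfile.mkdtemp()) / "system32" / "drivers"
    drivers.mkdir(parents=True)
    clean = {"iastor.sys": b"clean iastor bytes", "atapi.sys": b"clean atapi bytes"}
    for name, data in clean.items():
        (drivers / name).write_bytes(data)
    manifest = {n: hashlib.md5(d).hexdigest() for n, d in clean.items()}
    (drivers / "atapi.sys").write_bytes(b"patched atapi bytes")
    scan = "/md5start\niaStor.sys\natapi.sys\nnvstor.sys\n/md5stop\n%SYSTEMDRIVE%\\*.*"
    return check_files(drivers.parents[1], parse_md5_block(scan), manifest)
```

In practice the manifest comes from a trusted source (install media or a known-clean machine of the same service pack), and a modern manifest would use SHA-256 rather than MD5.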


#3 Tim F.
  • Topic Starter
  • Members
  • 26 posts

Posted 22 March 2010 - 07:36 PM

Hi, Thanks for the response. I have one question - how can I copy and PASTE the lines from this forum to the utility when I run it on the bad computer?

#4 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,211 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 22 March 2010 - 08:09 PM

QUOTE(Tim F. @ Mar 22 2010, 08:36 PM)
Hi, Thanks for the response. I have one question - how can I copy and PASTE the lines from this forum to the utility when I run it on the bad computer?

You need to save the instructions and reports to the flash drive. While in the Reatogo PE environment you will be able to read and write from and to the flash drive.

Use Notepad to save the instructions and open the reports.



#5 Tim F.
  • Topic Starter
  • Members
  • 26 posts

Posted 22 March 2010 - 08:09 PM

Hi - bad news (for me). I was able to boot from the DVD and load REATOGO. I got the Windows splash screen then another BSOD. This time:

*** STOP: 0x0000007B (0xF78DA528,0xC0000034,0x00000000,0x00000000)

Please help!!! Thanks.

#6 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,211 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 22 March 2010 - 08:20 PM

There may be many reasons. The error indicates that the driver for the boot device might have failed to initialize the device the system is attempting to start from. Make sure the BIOS is set to boot from the DVD/CD first. Also, I must assume both computers use DVDs.

Another reason may be a bad download or a bad burn. Please run this program on the computer with the OTLPE.iso.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    OTLPE.iso

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

This information will help us determine if we have a bad download.



#7 Tim F.
  • Topic Starter
  • Members
  • 26 posts

Posted 23 March 2010 - 09:11 AM

Hi,

Here are the results. In my previous post, I meant to say "CD" as opposed to "DVD". On the bad PC, I have two drives, one a CD and one a DVD. I was unable to boot from the CD drive, so I tried the DVD drive and it worked. And yes, I changed the boot order in order to boot from a CD or DVD drive.

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 10:00 on 23/03/2010 by Dad (Administrator - Elevation successful)

========== filefind ==========

Searching for "OTLPE.iso"
C:\Documents and Settings\Dad\My Documents\My Downloads\OTLPE.iso --a--- 290242560 bytes [22:02 22/03/2010] [22:02 22/03/2010] C72B3626EB6F6F8FA839354983749CC7

-=End Of File=-

Thanks again for your help.

#8 Tim F.
  • Topic Starter
  • Members
  • 26 posts

Posted 23 March 2010 - 10:29 AM

I'm sorry - to clarify my last post - I was able to run the REATOGO to the point of the Windows splash screen, then received the new blue screen as described. I never was able to even use the REATOGO tool. I was just relating that I was unable to run from the CD drive, but got the REATOGO to load from the DVD drive, then received the blue screen before I was able to move further. I ran the SystemLook utility to make sure that the REATOGO was downloaded correctly and posted those results. I guess I provide TOO MUCH information sometimes. I apologize for the confusion. According to the SystemLook log, was the REATOGO tool downloaded correctly? Thanks.

#9 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,211 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 23 March 2010 - 10:48 AM

The download is correct. Please burn another CD at a lower speed.

Edited by JSntgRvr, 23 March 2010 - 10:49 AM.
Typo



#10 Tim F.
  • Topic Starter
  • Members
  • 26 posts

Posted 23 March 2010 - 10:53 AM

OK - will do.

#11 Tim F.
  • Topic Starter
  • Members
  • 26 posts

Posted 23 March 2010 - 11:17 AM

Hi - I burned the CD at 4x, this time, and received the same results.

*** STOP: 0x0000007B (0xF78DA528,0xC0000034,0x00000000,0x00000000)


#12 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,211 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 23 March 2010 - 11:29 AM

Is the BIOS set to RAID Autodetect/ATA?



#13 Tim F.
  • Topic Starter
  • Members
  • 26 posts

Posted 23 March 2010 - 11:41 AM

No - It's at the original setting of RAID Autodetect/AHCI

#14 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,211 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 23 March 2010 - 11:43 AM

Change it to RAID Autodetect/ATA and try again.

Please post the following information:

Computer Brand, Model and Series, as well as the operating system installed.



#15 Tim F.
  • Topic Starter
  • Members
  • 26 posts

Posted 23 March 2010 - 12:05 PM

Hi - IT WORKED - but the description of the steps to take is not exactly as written.

First, I never received the "Do you wish to load the remote registry?" question. Secondly, on the screen that offers to "Automatically Load All Remaining Users", I have 3 listed under select User Profile: Local Service, Network Service and TIM. I haven't started anything until I hear from you.

I am running a Dell Dimension 8400 using Windows XP Professional SP2 as an OS.

Please let me know how I should proceed. Thanks so much.



