Page_fault_in_nonpaged_area, Virus?

By JeffFinnan
Jul 4, 2008
  1. I have been working through a problem with my pc. When I run some malware and related software, I get a page_fault.

    There are details of what I have done so far here:

    I started going through the preliminary removal instructions but when I run Malwarebytes I get the same BSOD page_fault. It happens at a different spot than Spyware Doctor reported in the above link.

    Where do I go from here?

  2. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    post a hijackthis log and do a scan with SUPERAntiSpyware in safemode then post that log too.
  3. JeffFinnan

    JeffFinnan TS Rookie Topic Starter Posts: 24

    HJT.txt Log is attached. Will run SUPERAntiSpyware next.
  4. JeffFinnan

    JeffFinnan TS Rookie Topic Starter Posts: 24

    While installing SUPERAntiSpyware in normal mode I got a BSOD

    Stop: 0x1000007e(0xc0000005, 0xb17b6f83, 0xbacf3b98, bacf3894)

    Saskutil.sys address b17b6f83 base at b178100, datastamp 48163ef6​

    Here is the .dmp results:

    Loading dump file mini070508-01.dmp
    ----- 32 bit Kernel Mini Dump Analysis

    MajorVersion 0000000f
    MinorVersion 00000a28
    DirectoryTableBase 0b6c0020
    PfnDataBase 805620c8
    PsLoadedModuleList 8055d720
    PsActiveProcessHead 805638b8
    MachineImageType 0000014c
    NumberProcessors 00000002
    BugCheckCode 1000007e
    BugCheckParameter1 c0000005
    BugCheckParameter2 b17b6f83
    BugCheckParameter3 bacf3b98
    BugCheckParameter4 bacf3894
    PaeEnabled 00000001
    KdDebuggerDataBlock 8054d2e0
    MiniDumpFields 000004ff

    ServicePackBuild 00000300
    SizeOfDump 00010000
    ValidOffset 0000fffc
    ContextOffset 00000320
    ExceptionOffset 000007d0
    MmOffset 00001068
    UnloadedDriversOffset 000010a0
    PrcbOffset 00001878
    ProcessOffset 00002268
    ThreadOffset 000024c0
    CallStackOffset 00002720
    SizeOfCallStack 00004000
    DriverListOffset 000069b0
    DriverCount 00000092
    StringPoolOffset 00009508
    StringPoolSize 00002d20
    BrokenDriverOffset 00000000
    TriageOptions ffffffff
    TopOfStack bacf3c60
    DebuggerDataOffset 00006720
    DebuggerDataSize 00000290

    Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible

    Built by: 2600.xpsp.080413-2111
    Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
    Debug session time: Sat Jul 05 06:23:04 2008
    System Uptime: 0 days 0:17:18
    start end module name
    804d7000 806e4000 nt Checksum: 001F442E Timestamp: Sun Apr 13 14:
    31:06 2008 (4802516A)

    Unloaded modules:
    b431f000 b434a000 kmixer.sys Timestamp: unavailable (00000000)
    b5d0b000 b5d18000 STREAM.SYS Timestamp: unavailable (00000000)
    b5dc1000 b5dc4000 SLIP.sys Timestamp: unavailable (00000000)
    b5f56000 b5f81000 kmixer.sys Timestamp: unavailable (00000000)
    baedb000 baedc000 drmkaud.sys Timestamp: unavailable (00000000)
    b72f3000 b7300000 DMusic.sys Timestamp: unavailable (00000000)
    baaa8000 baab6000 swmidi.sys Timestamp: unavailable (00000000)
    b5f81000 b5fa4000 aec.sys Timestamp: unavailable (00000000)
    bae3c000 bae3e000 splitter.sys Timestamp: unavailable (00000000)
    b5d99000 b5dad000 parport.sys Timestamp: unavailable (00000000)
    ba094000 ba098000 kbdhid.sys Timestamp: unavailable (00000000)
    bac80000 bac85000 Cdaudio.SYS Timestamp: unavailable (00000000)
    ba098000 ba09b000 Sfloppy.SYS Timestamp: unavailable (00000000)

    Finished dump check


    Windows would not start normally. I even did a restore to a point I made yesterday. Again it would not start normally. I am doing this from Safe Mode now. I am running SUPERAntiSpyware right now from Safe Mode and will see what happens.

  5. JeffFinnan

    JeffFinnan TS Rookie Topic Starter Posts: 24

    Okay here is the SUPERAntiSpyware Scan Log

    Generated 07/05/2008 at 07:16 AM

    Application Version : 4.15.1000

    Core Rules Database Version : 3497
    Trace Rules Database Version: 1488

    Scan type : Complete Scan
    Total Scan Time : 00:26:42

    Memory items scanned : 266
    Memory threats detected : 0
    Registry items scanned : 7322
    Registry threats detected : 6
    File items scanned : 36676
    File threats detected : 4

    Adware.Vundo Variant
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1EB4BF0F-852F-4B75-B8FB-21EDAF9DC3C8}

    Adware.Tracking Cookie
    C:\Documents and Settings\House\Cookies\house@statse.webtrendslive[2].txt
    C:\Documents and Settings\House\Cookies\house@serving-sys[1].txt
    C:\Documents and Settings\House\Cookies\house@glb.adtechus[1].txt
    C:\Documents and Settings\House\Cookies\house@revsci[2].txt [ D:\Notebook\My Documents\Mozilla\Firefox\Profiles\k2fdgn1s.default\cookies.txt ] [ D:\Notebook\My Documents\Mozilla\Firefox\Profiles\tet9xwbx.Teaching\cookies.txt ] [ D:\Notebook\My Documents\Mozilla\Firefox\Profiles\tet9xwbx.Teaching\cookies.txt ] [ D:\Notebook\My Documents\Mozilla\Firefox\Profiles\tet9xwbx.Teaching\cookies.txt ] [ D:\Notebook\My Documents\Mozilla\Firefox\Profiles\tet9xwbx.Teaching\cookies.txt ] [ D:\Notebook\My Documents\Mozilla\Firefox\Profiles\tet9xwbx.Teaching\cookies.txt ]
  6. JeffFinnan

    JeffFinnan TS Rookie Topic Starter Posts: 24

    Windows can only be started in Safe Mode. I quick search shows that saskutil.sys is associated with SUPERAntiSpyware.

    What do I do to correct this? Uninstall it?
  7. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    ok first you are infected with vundo download the files below to your desktop

    Vundo Fix:

    Removal Steps:
    Please print these instructions as they will be needed later when Internet access is not available.

    Save these instructions in word or notepad to the desktop where they can be easily found.

    Download Vundo Fix and save it to your desktop.

    When it has completed downloading, double-click VundoFix.exe to run it.

    Click the Scan for Vundo button.

    Once it's done scanning, click the Remove Vundo button.

    You will now receive a prompt asking if you want to remove the files, click the YES button. Once you click yes, your desktop will go blank as it starts removing Vundo.

    When completed, it will prompt that it will shutdown your computer, click the OK button.

    When the computer has shutdown, turn your computer back on.
    The WinFixer and Vundo infection should now be removed from your computer.

    If you are still having a problem then please perform the following steps.


    This step should only be used if the instructions in the previous steps did not remove the infection:
    Download VirtumundoBegone and save it to your desktop.

    Now reboot into Safe Mode.

    This can be done tapping the F8 key as soon as you start your computer

    You will be brought to a menu where you can choose to boot into safe mode.

    Select safe mode with networking using your arrow keys on the keyboard and then press enter.

    When you computer reaches the desktop make sure you log in as the same user which you had performed the previous steps,

    Once you are logged into safe mode, double-click VirtumundoBeGone.exe file you just downloaded and follow the instructions.

    Exit when it has finished, and reboot back to normal mode.
  8. JeffFinnan

    JeffFinnan TS Rookie Topic Starter Posts: 24

    Can only run in Safe Mode; therefore, I had to run the Vundo fix in Safe Mode with Networking.

    It found a file c:\windows\qaz4.txt (or some similar name)

    It said it was going to shut down. Never went dark. A box opened saying that I was running in Safe Mode and did I want to do a restore or reboot. I did not choose the restore. It rebooted, not shut down. It would not start in windows normally so I had to go Safe Mode with networking. On rerunning the fix, the c:\windows\qaz4.txt showed immediately without scanning. I checked it off and it went through the same rebooting. On starting back in Safe Mode, the fix did not show the file this time.

    I did a rescan with the VundoFix. It was there again. I clicked removed. It went through the same sequence and would not boot normally. I guess I have to go for the second option.
  9. JeffFinnan

    JeffFinnan TS Rookie Topic Starter Posts: 24

    Ran second option. It came up with almost instantaneously with:
    [07/05/2008, 14:08:54] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\House\Desktop\VirtumundoBeGone.exe" )
    [07/05/2008, 14:09:02] - Detected System Information:
    [07/05/2008, 14:09:02] - Windows Version: 5.1.2600, Service Pack 3
    [07/05/2008, 14:09:02] - Current Username: House (Admin)
    [07/05/2008, 14:09:02] - Windows is in SAFE mode.
    [07/05/2008, 14:09:02] - Searching for Browser Helper Objects:
    [07/05/2008, 14:09:02] - BHO 1: {074C1DC5-9320-4A9A-947D-C042949C6216} (ContributeBHO Class)
    [07/05/2008, 14:09:02] - BHO 2: {1E8A6170-7264-4D0F-BEAE-D42A53123C75} ()
    [07/05/2008, 14:09:02] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [07/05/2008, 14:09:02] - Checking for HKLM\...\Winlogon\Notify\NppBho
    [07/05/2008, 14:09:02] - Key not found: HKLM\...\Winlogon\Notify\NppBho, continuing.
    [07/05/2008, 14:09:02] - BHO 3: {2433FEB3-8BCA-49F3-8CA8-AD141C81A724} (QXK Olive)
    [07/05/2008, 14:09:02] - BHO 4: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
    [07/05/2008, 14:09:02] - BHO 5: {67BCF957-85FC-4036-8DC4-D4D80E00A77B} (CIEDownload Object)
    [07/05/2008, 14:09:02] - BHO 6: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
    [07/05/2008, 14:09:02] - Finished Searching Browser Helper Objects
    [07/05/2008, 14:09:02] - Finishing up...
    [07/05/2008, 14:09:02] - Nothing found! Exiting...​

  10. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    post a fresh hijackthis log
  11. JeffFinnan

    JeffFinnan TS Rookie Topic Starter Posts: 24

    Now it just shows the listing of files as safe mode starts up and the hard drive keeps showing activity and nothing happens.

    Oh well.
  12. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    So it does not allow you to boot? hmm I read your other thread on testing the ram. Try taking one out if you have 2 leav one see if it works if not try the other one then post back also have you tested the hard drive
  13. JeffFinnan

    JeffFinnan TS Rookie Topic Starter Posts: 24

    When I ran MemTest overnight, there were no errors. Why would this be suspect?
  14. JeffFinnan

    JeffFinnan TS Rookie Topic Starter Posts: 24

    Her is a recap and what I have done as of late.

    The computer will constantly try to reboot after showing the startup Windows screen with the moving blue bar. It goes for a little bit and then reboots. I tried a repair from the Windows XP CD. Still the same. I probably should not have done that because I think it wants to continue with setup.

    If I F8 and go to Safe Mode, I am pretty sure that it wants to do a Chkdsk /R after about an hour it reboots and if I F8 and Safe Mode it Says It cannot install in Safe Mode and the reboots return.

    I went into the recovery console.
    Did a fixmbr,
    ATTRIB -H C:\\boot.ini
    ATTRIB -S C:\\boot.ini
    ATRIB -R C:\\boot.ini
    del boot.ini
    BOOTCFG /Rebuild
    Still get the constant rebooting.
    I even tried a boot floppy and still the same result.
  15. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    memtest has been known to pass bad ram this sounds like a hardware issue
  16. JeffFinnan

    JeffFinnan TS Rookie Topic Starter Posts: 24

    I am thinking I will put in a new drive.I am thinking that I will put in a new drive.

    Since I was considering a new drive, I decided to see if an new installation of Windows rather than a repair which kept giving me the rebooting. It turns out the new installation is proceeding.
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...