Windows XP:SP2, Page fault in nonpaged area BSOD

By Stuff_
Jan 14, 2008
Topic Status:
Not open for further replies.
  1. Firstly hello to everyone on here this is my first post! :)

    I hauled my PC to another location for music purposes and on it's return I am now getting the BSOD with this page fault message.

    Here is the HEX data,

    STOP: 0x00000050, (0xF000E819, 0x00000008, 0xF000E819, 0x00000000)

    The code is the same each time and does not change.

    I can boot in safe mode (altho the onboard NIC isn't picked up in safe mode networking)

    When I hauled the PC to another house I had it connected to the net and installed Limewire, I have since uninstalled it. To my knowledge thats the only thing that's changed.

    I will attach 3 zipped minidumps shortly

    Hope someone can finger a possible culprit

    Thanks
  2. mscrx

    mscrx Newcomer, in training Posts: 829

    microsoft knowledge base says that this error message is caused by a kernel driver which comes with a spyware/rootkit program. that would be an option because you did use limewire...
    there a short documentation on how to solve this. maybe you give it a try?

    Method 1: Rename the malicious driver by using Internet Explorer
    1. Open Internet Explorer.
    2. In the Address box, type %windir%\system32\drivers, and then press ENTER.
    3. Locate the randomly named .sys file, right-click the file, and then select Rename.
    4. Type malware.old to rename the file, and then press ENTER.
    5. In the Address box, type \WINDOWS\system32, and then press ENTER.
    6. Locate and then rename the following files, if they exist:
    • Msupd5.exe. Rename this file Msupd5.old.
    • Msupd4.exe. Rename this file Msupd4.old.
    • Msupd.exe. Rename this file Msupd.old.
    • Reloadmedude.exe. Rename this file Reloadmedude.old.
    7. Close Internet Explorer.
    8. Restart the computer.
    9. Make sure that your antivirus or anti-spyware software is updated with the latest signatures, and then perform a complete system scan.

    Method 2: In Safe Mode, rename the malicious driver by using My Computer
    1. Start the computer in Safe Mode. To do this, follow these steps:
    a. Restart the computer.
    b. As the computer starts, press the F8 key repeatedly (one time per second). This action will cause the Microsoft Windows Advanced Startup Menu options to appear.
    c. Use the UP ARROW and DOWN ARROW keys to highlight Safe Mode, and then press ENTER.
    2. Open Internet Explorer
    3. In the Address box, type %windir%\system32\drivers, and then press ENTER.
    4. Enable the viewing of hidden files. To do this, follow these steps:
    a. Click Start, and then click My Computer.
    b. On the Tools menu, click Folder Options.
    c. On the View tab, click to clear the Hide protected operating system files (Recommended) check box, and then click Yes when you receive a warning message that states that you have chosen to display protected operating system files.
    d. Under Hidden files and folders, click Show hidden files and folders.
    e. Click to clear the Hide extensions for known file types check box.
    f. In the Folder views area, click Apply to All Folders, and then click OK.
    5. Locate the folder named C:\%windir%\System32\Drivers.
    6. Locate any .sys file that has the following characteristics:
    a. A randomly generated file name that is made up of eight lowercase letters, such as "gbqxmhia.sys," "upzvlbvv.sys," or "jsbmefvk.sys"
    b. A date of January 11, 2005
    c. A size of 14 KB (13,824 bytes)
    d. A hidden attribute that is set

    Note A file that has its hidden attribute set displays an "HA" in the Attributes column in Windows Explorer. For instructions on how to view the Attributes column, see steps 5a and 5b of the procedure that is described in the "More information" section.
    e. It has no version, product name, or manufacturer information.
    7. For each file that you locate, right-click the file, and then select Rename.
    8. Type malware1.old to rename the first file, and then press ENTER.

    Note Type malware2.old to rename the second file, type malware3.old to rename the third file, and so on.
    9. Locate the %windir%\System32 folder.
    10. Rename the following files, if they exist:
    • Msupd5.exe. Rename this file msupd5.old.
    • Msupd4.exe. Rename this file Msupd4.old.
    • Msupd.exe. Rename this file Msupd.old.
    • Reloadmedude.exe. Rename this file Reloadmedude.old.
    11. Restart the computer.
    12. Make sure that your antivirus or anti-spyware software is updated with the latest signatures, and then perform a complete system scan.

    Method 3: In Safe Mode, rename the malicious driver by using the command prompt
    1. Start the computer in Safe Mode. To do this, follow these steps:
    a. Restart the computer.
    b. As the computer starts, press the F8 key repeatedly (one time per second). This action will cause the Microsoft Windows Advanced Startup Menu options to appear.
    c. Use the UP ARROW and the DOWN ARROW keys to select Safe Mode with Command Prompt, and then press ENTER.
    2. Click Start, click Run, type cmd in the Open box, and then click OK.
    3. At the command prompt, type CD %windir%\system32\drivers, and then press ENTER.
    4. Type Dir /ah, and then press ENTER.
    5. You will see text that is similar to the following text. The .sys file name will be randomly generated.

    Directory of C:\WINDOWS\system32\drivers

    01/11/2005 09:18 AM 13,824 gbqxmhia.sys
    1 File(s) 13,824 bytes
    0 Dir(s) 961,425,408 bytes free

    6. Type Attrib –s –h RandomFilename, and then press ENTER. This action removes the system attributes and the hidden attributes from the file.

    Note The placeholder RandomFilename represents the name of the .sys file that is displayed after you perform step 5. For example, for the file name that is specified in the example in step 5, you would type Attrib –s –h gbqxmhia.sys.
    7. Type Ren RandomFilename malware.old, and then press ENTER. This action renames the randomly named file.
    8. Type CD, and then press ENTER. This changes the command line to the %windir%\System32 folder.
    9. Type the following commands one at a time, and then press ENTER after you type each command:
    Ren msupd5.exe msupd5.old
    Ren msupd4.exe msupd4.old
    Ren msupd.exe msupd.old
    Ren reloadmedude.exe reloadmedude.old
    Note If you receive the following error message, you can safely ignore the message, because it indicates that the targeted file does not exist:
    The system cannot find the file specified.
    10. Type Exit, and then press ENTER.
    11. Restart the computer.
    12. Make sure that your antivirus or anti-spyware software is updated with the latest signatures, and then perform a complete system scan.

    MORE INFORMATION
    To verify whether the computer is infected with this spyware, follow these steps:
    1. Start Internet Explorer.
    2. In the Internet Explorer Address box, type %windir%\system32\drivers, and then press ENTER.
    3. Change the way that Windows displays hidden files and protected operating system files. To do this, follow these steps:
    a. On the Tools menu, click Folder Options.
    b. On the View tab, click to clear the Hide protected operating system files (Recommended) check box, and then click Yes when you receive a warning message that states that you have chosen to display protected operating system files.
    c. Under Hidden files and folders, click Show hidden files and folders.
    d. Click to clear the Hide extensions for known file types check box.
    e. Click to select the Display the contents of system folders check box, and then click OK.
    f. On the View menu, click Details.
    4. Press F5 to update the Drivers folder display.
    5. Locate any system files (files that have a .sys extension in the name) that have their hidden attribute set and are missing details regarding product name, company, and file version.

    Note Files that have their hidden attribute set display an "HA" in the Attributes column in Windows Explorer. For instructions on how to view the Attributes column, see steps 5a and 5b.

    To do this, follow these steps.

    Note The spyware file may appear to have a randomly generated file name that is made up of eight lowercase letters.
    a. Change the way that Windows Explorer displays details for the files in the folder. To do this, follow these steps:
    1. On the View menu, click Choose Details.
    2. Click to select the Attributes check box.
    3. Click to select the Product Name check box.
    4. Click to select the Company check box.
    5. Click to select the File Version check box.
    b. Click the Attributes column heading to sort the list of files by attributes. Files in the Drivers folder typically contain only the archive attribute (A). Look for any files that also have the hidden attribute (HA).
    The following list contains example names of spyware files that are known to cause this problem:
    • gbqxmhia.sys
    • upzvlbvv.sys
    • jsbmefvk.sys
    After you locate a file that you suspect is a spyware file, verify the properties of the file by using the Properties dialog box. Right-click the file, click Properties, and then look for the following information:
    • On the General tab:
    • Modified : January 11, 2005
    • Size: 14 KB (13,824 bytes)
    • A check mark in the Hidden check box
    • On the Version tab:
    • No file version
    • No description
    • No copyright
    • No company name
    • No product name
    If a file has the hidden attribute set and is also missing details regarding product name, company, and file version, the computer is infected with the spyware.
    6. Click OK to close the Properties dialog box, and then follow the steps of one of the methods that are described in the "Resolution" section to resolve the problem.
    7. In the Internet Explorer Address box, type %windir%\system32, and then press ENTER.
    8. Look for application files (files that have an .exe extension in the name) that have names that are similar to the following:
    • Msupd.exe
    • Msupd*.exe

    Note The placeholder * represents a single-digit number
    • Reloadmedude.exe
    These files will have a random date and a size of 60 KB (61,440 bytes).
    Known names of the spyware files include the following file names:
    • Msupd.exe
    • Msupd4.exe
    • Msupd5.exe
    • Reloadmedude.exe
    9. If one or more of these files exist, the computer is infected with the spyware. Follow the steps of one of the methods that are described in the "Resolution" section to resolve the problem.
  3. Stuff_

    Stuff_ Newcomer, in training Topic Starter

    Hi Mscrx,

    Many thanks for the very comprehensive reply.

    Alas though there were NO randomly generated sys files in the drivers folder, NO files at all with the date of Jan 11th 2005, 2 files with "AH" (rather than HA but i figured it meant the same thing) but they were NOT randomly generate and had version info etc.

    I have not tried any hardware checks, I beleive though that if it's hardware the stop message generally doesn't remain static. Also I am able to boot in safe mode as mentioned.

    Attached are 3 minidumps for anybodies perusal.
  4. mscrx

    mscrx Newcomer, in training Posts: 829

    the dumps

    ok here we go with the dumps.
    looks like nvidia video driver error to me:

    Unable to load image nv4_mini.sys, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for nv4_mini.sys
    *** ERROR: Module load completed but symbols could not be loaded for nv4_mini.sys
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 10000050, {f000e819, 8, f000e819, 0}


    Could not read faulting driver name


    Probably caused by : nv4_mini.sys ( nv4_mini+22d916 )

    Followup: MachineOwner
    ---------

    kd> !analyze -v
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    PAGE_FAULT_IN_NONPAGED_AREA (50)
    Invalid system memory was referenced. This cannot be protected by try-except,
    it must be protected by a Probe. Typically the address is just plain bad or it
    is pointing at freed memory.
    Arguments:
    Arg1: f000e819, memory referenced.
    Arg2: 00000008, value 0 = read operation, 1 = write operation.
    Arg3: f000e819, If non-zero, the instruction address which referenced the bad memory
    address.
    Arg4: 00000000, (reserved)

    Debugging Details:
    ------------------


    Could not read faulting driver name



    WRITE_ADDRESS: f000e819

    FAULTING_IP:
    +fffffffff000e819
    f000e819 ?? ???

    MM_INTERNAL_CODE: 0

    DEFAULT_BUCKET_ID: DRIVER_FAULT

    BUGCHECK_STR: 0x50

    PROCESS_NAME: csrss.exe

    LAST_CONTROL_TRANSFER: from f6f89916 to f000e819

    STACK_TEXT:
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    f6beb430 f6f89916 8692d840 00000000 00000000 0xf000e819
    00000000 00000000 00000000 00000000 00000000 nv4_mini+0x22d916


    STACK_COMMAND: kb

    FOLLOWUP_IP:
    nv4_mini+22d916
    f6f89916 ?? ???

    SYMBOL_STACK_INDEX: 1

    SYMBOL_NAME: nv4_mini+22d916

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: nv4_mini

    IMAGE_NAME: nv4_mini.sys

    DEBUG_FLR_IMAGE_TIMESTAMP: 453bddb2

    FAILURE_BUCKET_ID: 0x50_W_nv4_mini+22d916

    BUCKET_ID: 0x50_W_nv4_mini+22d916

    Followup: MachineOwner
    ---------
  5. Stuff_

    Stuff_ Newcomer, in training Topic Starter

    Wow thanks dude. I'm impressed with your level of knowledge compared to mine. I will uninstall those crafty drivers and install some new ones perhaps in the hope it will work.

    Many Many thanks for your contribution I'll let you know how it goes when i check it tonight.

    Stuff
  6. Stuff_

    Stuff_ Newcomer, in training Topic Starter

    **************RESOLVED RESOLVED RESOLVED*********

    Uninstalled the nVidia graphics drivers (i also have an nForce mobo incidentally) and hey presto the machine boots!!!


    Many many thanks for your kind help this forum is lucky to have you posting on it!

    Cheers

    Stuff
  7. mscrx

    mscrx Newcomer, in training Posts: 829

    you're welcome!
    glad I could help you
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.