HELP! How to access an infected PC

    #492168

    My wife’s Vista desktop is opening with the BSOD and the following message.

    Check that any newly installed hardware or software is properly installed.
    Disable any newly installed hardware or software.
    Disable BIOS memory options such as caching or shadowing.
    If safe mode is needed, restart the PC and press F8 to select Advanced Startup Options and select Safe Mode.
    Technical Info
    STOP 0x000000050(0xE2D149BO, 0x 00000001, 0x8116F69, 0x 00000002

    We have not installed any software or hardware recently, but yesterday my wife called me when she received an email allegedly from DHL stating they had tried to deliver a parcel on 24/10/13 and no one was at home. It would be returned to sender unless she contacted them within 72 hours. There was an attachment with a .ZIP suffix which Windows Mail had blocked and I told her not to open it. When I phoned DHL there was a message saying don’t open any attachments from them. After typing the details from the BSOD we had lunch, when I learned that there had been a second email amending the date to 24/11/13. It was that one that was blocked by Windows Mail, and she had already opened the attachment on the other.

    So clearly the PC is infected, even though it was OK for the remainder of yesterday, but how to clean it when nothing can be accessed? F8 just returns me to the BSOD, F2 is the boot sequence and F12 Setup did allow a drive check, which was OK. These were before I learned what had really happened. Even reformatting the hard drive seems to be out of the question at the moment. HELP
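The lure described in this post, a courier notification carrying a .ZIP attachment with an executable inside, is a common shape, and the reason Windows Mail blocked the second copy. As an added example that is not part of the thread, here is a Python check that a mail gateway or a cautious user could run over a saved message to flag attachments that are directly executable or that hide an executable inside a zip (including decoy double extensions such as "notice.pdf.exe"). The sample message it builds is constructed here; the sender domain example.invalid, the file names and the extension list are assumptions, not anything from the original post.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows runs directly on double-click (assumed list, extend to taste).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".jar", ".msi"}


def risky_names(names):
    """Return the names ending in an executable extension, including
    decoy double extensions such as 'Delivery.pdf.exe'."""
    flagged = []
    for name in names:
        base = name.lower().rsplit("/", 1)[-1]      # strip zip directory prefix
        parts = base.split(".")
        if len(parts) > 1 and "." + parts[-1] in EXECUTABLE_EXTS:
            flagged.append(name)
    return flagged


def inspect_message(raw_bytes):
    """Parse an RFC 822 message and report every attachment that is
    executable itself or is a zip archive containing an executable.
    Returns a list of (attachment filename, reason) tuples."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        # Treat anything named .zip, or starting with the zip magic "PK", as an archive.
        if filename.lower().endswith(".zip") or payload[:2] == b"PK":
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    inner = risky_names(zf.namelist())
            except zipfile.BadZipFile:
                findings.append((filename, "malformed zip"))
                continue
            if inner:
                findings.append((filename, "zip contains executable: " + ", ".join(inner)))
        elif risky_names([filename]):
            findings.append((filename, "directly executable attachment"))
    return findings


def build_sample():
    """Construct a lure in the shape described in the thread.
    Constructed test data only: the archive holds an inert 18-byte stub,
    not a real program, and the addresses are placeholders."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("DHL_Notification_24_10_13.pdf.exe", b"MZ" + b"\x00" * 16)
    msg = EmailMessage()
    msg["From"] = "DHL Express <noreply@example.invalid>"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Parcel delivery attempt 24/10/13"
    msg.set_content("We tried to deliver your parcel. Please open the attached "
                    "notice within 72 hours or it will be returned to sender.")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="DHL_Notification.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in inspect_message(build_sample()):
        print(f"{name}: {reason}")
```

To use it on a real message, save the mail as an .eml file and pass its bytes to inspect_message; a non-empty result is the signal to quarantine rather than open. The zip magic check matters because the attachment name is attacker-chosen; the inner file name check is what catches the "pdf.exe" trick the thread's lure would rely on.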

    • #1425314

      Are you sure you’re hitting F8 soon enough? It should get you to a menu of boot options where you can select safe mode with networking. You have to hit F8 after the initial BIOS screen and before Windows starts to boot. It can be very tricky. Try toggling F8 as soon as you see the initial vendor display.

      If you manage to get into safe mode with networking, open your browser and download Malwarebytes from Malwarebytes.org. Run the downloaded file and do a full scan after the signatures update.

      Jerry

      • #1425330

        Thanks Jerry. I now have my finger on F8 in advance and click continuously from the moment start is pressed. No change.

        Perhaps I should clarify my mixed up description. The initial screen is black and reads ‘Windows Error Recovery. Windows failed to start. A recent H/W or S/W change might be the cause.’ It then offers a choice, Start Windows Normally (which brings one back to the same screen) or Launch Start-up Repair.

        Selecting the latter (the default) is followed by a pause whilst it checks the system, then the blue screen with ‘A problem has been detected. Windows has been shut down to prevent damage to the PC.
        PAGE_FAULT_IN_NONPAGED_AREA’, followed by the text in the initial post.

        I have no idea whether this Page Fault makes any difference, but we seem to be at a dead end.

        George

    • #1425321

      Sorry about that, George.

      You really need to tell your wife never to open attachments of any kind. You probably also need to think about your active protection on the PCs she can have access to…

      Anyway, to solve your problem, I suggest that you use something that can boot and check the computer, something like:

      http://www.avg.com/eu-en/avg-rescue-cd
      http://www.sophos.com/en-us/support/knowledgebase/52011.aspx
      http://www.askvg.com/download-free-bootable-rescue-cds-from-kaspersky-bitdefender-avira-f-secure-and-others/

      Just pick one, follow the instructions to create a bootable CD and then boot from it.

    • #1425327

      If none of the above works, you could try Windows Defender Offline:

      http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline

      From another computer, go to the website and create a CD, choosing either 32-bit or 64-bit (depending on which version of Vista is installed).

      Now boot the infected computer with the CD you just created.

      Your computer will be scanned and cleaned. It will probably take a long time for the process to complete.

      Group "L" (Linux Mint)
      with Windows 10 running in a remote session on my file server
    • #1425331

      Do you have a Windows Vista disc? If so, following the procedure here may help: http://pcsupport.about.com/od/toolsofthetrade/ss/windows-vista-startup-repair.htm

      If it doesn’t solve it, resorting to the Advanced options (link at step 4) may be an option, allowing you to try a System Restore, for example.

      Alternatively, do you have a Vista system repair disc, or can you create one?

    • #1425333

      The stop code you mention may also indicate faulty hardware.

      If you feel comfortable working within the PC try reseating the graphics card and the memory modules. You may also try using only one of the installed memory modules if that is an option.

      • #1425360

        The stop code you mention may also indicate faulty hardware.

        If you feel comfortable working within the PC try reseating the graphics card and the memory modules. You may also try using only one of the installed memory modules if that is an option.

        Opening an attachment despite the warning suggests a probable infection, but if all else fails I will give it a go. Sorry, I don’t understand your last sentence, being technically illiterate.

    • #1425359

      Rui. She’s always complaining that I’ve locked down everything on her PC, so it doesn’t have much effect.

      It’s a shame you posted whilst I was copying two pages of text from the Vista machine – if I had delayed it would have saved the effort.

      Thanks for the links, although there is something strange about them. I started with AVG, and eventually found a download at the end of all the AVG Pro links. It downloaded OK, but the laptop refused to accept CGeorgeDownloads>SVAM 10 (or whatever it was) as a valid file, and it was impossible to remove the >. Moving on to the others was even less successful, there were no instructions and each time I was asked what to open the download with – having no idea I sometimes chose FF and sometimes ImgBurn.

      I left the PC for the best part of an hour, and on my return an Imgburn popup requested a disk to be inserted for the AVG. No idea if it is working properly, it only took about 10 minutes to burn and has been in the Vista desktop for about 90 minutes now, still with the blue screen and the same message. But I can hear something whirring inside whether the hard drive or the DVD. Think I’ll leave it overnight, then try the Vista disk tomorrow. I also see that Chrome has downloaded the Bitdefender rescue disk three times.

      This is really annoying, as it’s preventing me from completing the installation of my new PC.

      • #1425376

        Rui. She’s always complaining that I’ve locked down everything on her PC, so it doesn’t have much effect.

        It’s a shame you posted whilst I was copying two pages of text from the Vista machine – if I had delayed it would have saved the effort.
        Sorry about that :).
        Actually, the consequences of clicking such attachments or links can even be worse – if she gets a silent infection and then you get resident malware, with passwords captured, etc., it can get serious. Have you considered the option of having her account as a standard account, thus minimizing, in most cases, the negative effects of a malware infection?

        Thanks for the links, although there is something strange about them. I started with AVG, and eventually found a download at the end of all the AVG Pro links. It downloaded OK, but the laptop refused to accept CGeorgeDownloads>SVAM 10 (or whatever it was) as a valid file, and it was impossible to remove the >. Moving on to the others was even less successful, there were no instructions and each time I was asked what to open the download with – having no idea I sometimes chose FF and sometimes ImgBurn.

        I left the PC for the best part of an hour, and on my return an Imgburn popup requested a disk to be inserted for the AVG. No idea if it is working properly, it only took about 10 minutes to burn and has been in the Vista desktop for about 90 minutes now, still with the blue screen and the same message. But I can hear something whirring inside whether the hard drive or the DVD. Think I’ll leave it overnight, then try the Vista disk tomorrow. I also see that Chrome has downloaded the Bitdefender rescue disk three times.

        You mean the PC has blue screened again, after you booted from the AVG boot disc?

        This is really annoying, as it’s preventing me from completing the installation of my new PC.

        I understand the feeling :(.

        • #1425382

          Sorry about that :).
          Have you considered the option of having her account as a standard account, thus minimizing, in most cases, the negative effects of a malware infection?

          Good idea, thanks.

    • #1425361

      STOP 0x00000050: PAGE_FAULT_IN_NONPAGED_AREA
      Usual causes: Defective hardware (particularly memory – but not just RAM), Faulty system service, Antivirus, Device driver, NTFS corruption, BIOS

      So it could be that the AV software is crashing the machine at boot, due to an inability to write to disk at that point.

      • #1425377

        So it could be that the AV software is crashing the machine at boot, due to an inability to write to disk at that point.

        Considering the events immediately before this situation, I would say that’s likely what is happening.

      • #1425380

        So it could be that the AV software is crashing the machine at boot, due to an inability to write to disk at that point.

        Quite a list!

    • #1425427

      George,

      Do you have a recent Image of her PC? If so, just restore to an Image prior to the infection. This will get you back to a clean installation. You can then set up a Standard User account for her.

      I have had similar problems with my 83 year old mother, but have finally gotten her to NOT click on ANY unexpected pop up or link or attachment. It has gotten so good that the other day I sent her a link to my Skydrive account with some pictures and she actually called me to ask if it was OK to open the link. After assuring her this was OK, I high fived my wife!

      You will have to do the same with your wife. To make your life easier, you have to be firm with her.

    • #1425540

      UPDATE
      I left the AVG rescue disc running all night, as it’s been said that the process can take a long time, although #11 suggests that the blue screen should disappear at some stage. Nothing had changed this morning.

      Rescue discs from Windows Defender Offline, Bitdefender and an old Avira – which I found when looking for a case to put the Defender disc in – all failed, though admittedly I only gave each a few minutes to remove the blue screen. The Vista install CD likewise did not work. Presumably this is due to the system having shut down Windows ‘to prevent damage to the computer’ as they state.

      I opened the PC and everything seems to be firmly in place.

      With the current state of affairs reformatting the hard drive is impossible. However, I have a 120GB HDD that I used to test my only attempt at imaging, which failed. Unable to remember whether the Vista has 120 or 250 GB, but there is little on it except for hundreds of emails, so 120 should be enough to get it going. Presumably Vista can be installed directly on to that.

      My wife is unhappy about losing the emails, but I see no way of saving them. I’m more upset that I purchased two Win 8 updates last January when it was cheap, one being installed on the laptop, and the other downloaded to her Vista, but never installed. She only agreed to this on my assurance that once I bought a new PC and updated hers, it would be easy to set up sharing the printer on a Win 8 network, which for a long time has not worked between XP and Vista. I have the key recorded somewhere, but doubt if MS will allow me to download it again.

      PS.
      When my wife came home from her social group just now she switched on the PC to check that it was still as I had told her. However, she noticed a change on the keyboard, which she thinks is significant. There are a series of lights at the centre top, related to Media Centre. There is a padlock surrounding the number 9, or a keyhole in her opinion, which she claims has not been there before. In my opinion it probably only indicates that Windows is locked, being unable to conceive how the keyboard could solve the problem.

      George

      • #1425592

        My wife is unhappy about losing the emails, but I see no way of saving them.

        George: For future reference, if you set up your wife’s email account as IMAP, the server mailbox will always stay synchronized with the mailbox on your wife’s computer. What that means is, if her hard drive crashes, all of her email will still be on the email provider’s server. It will then all magically reappear when you get the computer up and running again.

        Another option is that if she is set up as POP3, you can specify in the settings that her email stay on the server for a long time, say 30 days. In this way, you will have 30 days to get her computer up and running again before her email disappears off of the server. During those 30 days, once she gets up and running again, all of the email which arrived in the past 30 days will be downloaded again to her computer.

        Group "L" (Linux Mint)
        with Windows 10 running in a remote session on my file server
    • #1425544

      Booting with a boot disc created by your imaging app of choice, you can surely image her disk to an external drive and then recover the contents. Data is surely still safe, so you could maybe recover it.

      Of course, not wanting to sound mean, but losing the data may be an unpleasant enough experience that your wife will remember it in the future and will avoid clicks in attachments from unexpected 3rd parties (or even expected ones!).

      Did you get any error messages with the Vista disc?

      • #1425550

        Thanks Rui,

        Macrium is installed on the laptop; if I create a rescue disc with that, is it likely to have more success than the others? I have also found Macrium discs created a year or so ago on the old XP machine – both Linux and PE – which may be better than new ones made on a W8 machine. What do you think?

        No messages from Vista or the rescue discs, in fact the same response as when booting normally.

      • #1425551

        Booting with a boot disc created by your imaging app of choice, you can surely image her disk to an external drive and then recover the contents. Data is surely still safe, so you could maybe recover it.

        Of course, not wanting to sound mean, but losing the data may be an unpleasant enough experience that your wife will remember it in the future and will avoid clicks in attachments from unexpected 3rd parties (or even expected ones!).

        Did you get any error messages with the Vista disc?

        Thanks Rui,
        The discs were created with ImgBurn from the downloads, but I was uncertain which of the options to choose:
        Write image file to disc
        Write files/folders to disc
        Create image file from disc
        Create image file from files/folders
        Verify disc
        Discovery

        I chose the first, but was really expecting to see an option to burn the ISO to disc.

        Macrium is installed on the laptop; if I create a rescue disc with that, is it likely to have more success than the others? I have also found Macrium discs created a year or so ago on the old XP machine – both Linux and PE – which may be better than new ones made on a W8 machine. What do you think?

        I can’t see how to image her disk to an external drive when unable to get beyond the initial screen.

        No messages from Vista or the rescue discs, in fact the same response as when booting normally.

        The wife is so reluctant to accept that her data is lost she wants to take the PC to a repair shop. Has more confidence in them than me.

        • #1425556

          No messages from Vista or the rescue discs, in fact the same response as when booting normally.

          Are you saying that you get the same blue screen error?

          • #1425573

            Are you saying that you get the same blue screen error?

            Yes, that’s exactly what I am saying. It starts with a black screen, saying there is a problem, do I want to start normally or let the system search for a solution. If the first is selected it restarts with the same message, and if the second option is chosen the result is a blue screen saying that Windows has been shut down to protect the PC from damage.

            It’s the same whether there is a rescue disc in the drive, the Vista install disc, or an empty drive. That’s why I reckon the various discs are not booting the system, and it is pointless talking about making an image or restoring one, as there is no way to access anything. It appears to me that the only way to get the PC working is to install a new hard drive and accept that everything on the current drive is lost.

        • #1425593

          The wife is so reluctant to accept that her data is lost she wants to take the PC to a repair shop. Has more confidence in them than me.

          My wife once threatened to go to the Geek Squad for computer support!

          Group "L" (Linux Mint)
          with Windows 10 running in a remote session on my file server
    • #1425553

      Sorry to ask, George, but are you sure that the computer booted from the discs?

      A Macrium disc should boot into a Macrium specific environment and allow you to backup, unless for a strange coincidence, you really have some hardware issues. Even in that case, you should be able to remove the disc from the PC and add it to an external enclosure or add it to another computer and read the data.
      Of course, the same applies to the other discs, thus my question about you being sure that the computer booted from the CDs and not from the hard disk.

    • #1425579

      George,

      Did you change the BIOS boot options, to make the pc boot from the drive instead of booting from the disc?

      • #1425600

        George,

        Did you change the BIOS boot options, to make the pc boot from the drive instead of booting from the disc?

        How can I when F8 doesn’t work?

        • #1425605

          How can I when F8 doesn’t work?

          Usually the BIOS is accessed through a different key, F1 or F2 or ESC, or even a combination including DELETE. F8 is a Windows thing, the BIOS does not depend on that. If you have a manual for the Dell, maybe check it – seems F12 is common to go into the BIOS on a Dell.

    • #1425630

      Rui, I wish to offer my sincere apologies for my previous reply.

      Shortly after posting it I recalled previously getting into another screen that didn’t give an option for safe mode, and I’m unable to remember whether I changed the start order. So I started the Vista PC again, and this time F8 worked. Previously I had clicked F8 continuously from the moment of switching on, and occasionally must have left it too late, but this time it opened. There was no option for boot order, and uncertain of what to do in safe mode, ‘restore to the last known good config’ was my choice.

      The screen went black for some time, during which I remembered it was F2 or F12 I had used previously. After 5 – 10 minutes the log on screen appeared, and, although slow at first, everything seems to be in order. WHAT A RELIEF FROM NAGGING!

      Malwarebytes and Superantispyware have passed it as clean, apart from the usual tracking cookies from the latter, but I’m still concerned that if a virus is present the problem could recur. Would it be useful to run a rescue disk in the hope that it would be more thorough than Malwarebytes, or perhaps an online scanner?

      Furthermore, my wife’s assertion that the problem arose from my use of a flash drive rather than the email attachment may be correct. When she went to bed Tuesday I was typing a letter to accompany a faulty standard lamp I intended to return to the store next day. But I was unable to print it, being informed it was ‘READ ONLY’, and I couldn’t change that. How ridiculous that Word 2010 will not allow me to change something I have composed and saved! But I was able to copy it to a flash drive, plug that into the Vista PC which runs the slightly more user-friendly Office 2007, paste the letter and change it to .doc format. Unfortunately it couldn’t be pasted back to the flash drive, so I closed down and went to bed.

      The wife says I must have removed the flash drive too soon, which is possible as it was after 1 am by then, when my mind is not at its best. However, my understanding is that omitting the normal procedure may cause loss of data from the flash drive, but not damage the PC. Therefore, the weight of evidence seemed to point to the email attachment which DHL say not to open.

      But, and a big but, once signed in to Vista today a pop up appeared about a file waiting to be printed, which is impossible as there is no printer attached to the PC. Investigation showed it to be my letter to BHS, which required several attempts before it was removed.

      So we are left with a situation where the PC was working for hours after the suspected virus, until I removed the flash drive, but failed at start-up the following morning. It seems that my wife may be correct, or perhaps there were two problems:

      1 The flash drive
      2 The attachment may have installed a rootkit which could still be lurking there.

      The sooner I get my PC partitioned, data installed, Acronis or Macrium added to all three machines and images created on the ext. drive bought last Saturday the better.

    • #1425632

      George,

      No apologies are needed at all :).

      System Restore can be helpful in some circumstances, so I am happy that it helped you get your computer back. I would run something on there, yes, maybe one or two of the rescue disks, for sure, or even this: http://www.emsisoft.com/en/software/eek/. One can never be too cautious.

      I doubt the boot issue was caused by the flash drive. Never heard of anything similar.

      Anyway, I am glad you got the computer back. Well done for that :).

    • #1425691

      Hi Loungers,

      My thanks to all who contributed to this thread, and especially Rui, whose query as to whether I had changed the BIOS to boot from DVD stirred my failing memory sufficiently to recall that earlier I had found another way into the system. My credibility, and that of the Lounge, has probably been restored in my wife’s eyes.

      Now I can concentrate on doing some more scans on her PC, and take a look at my other recent thread about partitioning.

      THANK YOU

      George

    • #1425693

      You’re welcome, George :).
