BSOD Page Fault in Nonpaged Area

[supermonkey]

Hi All,

First post here so hope I have done all correctly! Had hoped to catch up on my workload today but windows decided otherwise!

Have had multiple BSOD. Mainly Page Fault in Nonpaged Area but also others such as Apc Index Mistmatch. I am getting BSOD on every boot. I literally cannot use the laptop at all (except for in safe mode).

I have attached a zip containing dump files which have been manually collected (I cannot use the pc to download the bsod collector). View attachment 157173

I have tested the ram with mdsched.exe and found no errors.

When I try perfmon /report it states "an error occured while attempting to generate the report."

Spec: Win 7 Home Premium x64, pre installed on laptop by HP. OS never re-installed. System 18 months old.

 

[yowanvista]

Your Kaspersky product is the cause, remove it completely and download the latest version
Product Updates

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {ffffffffffffffff, 0, fffff800035647f3, 0}

Unable to load image \SystemRoot\system32\DRIVERS\klif.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for klif.sys
*** ERROR: Module load completed but symbols could not be loaded for klif.sys

Could not read faulting driver name
Probably caused by : klif.sys ( klif+332fa )


PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ffffffffffffffff, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff800035647f3, If non-zero, the instruction address which referenced the bad memory
    address.
Arg4: 0000000000000000, (reserved)

Debugging Details:
------------------


Could not read faulting driver name

READ_ADDRESS: GetPointerFromAddress: unable to read from fffff800034c50e0
 ffffffffffffffff 

FAULTING_IP: 
nt!CmpConstructName+24
fffff800`035647f3 443830          cmp     byte ptr [rax],r14b

MM_INTERNAL_CODE:  0

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  SearchIndexer.

CURRENT_IRQL:  0

TRAP_FRAME:  fffff8800c224f50 -- (.trap 0xfffff8800c224f50)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffffffffffffff rbx=0000000000000000 rcx=fffff8a00008dde8
rdx=0000000000000011 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800035647f3 rsp=fffff8800c2250e0 rbp=000000000000001d
 r8=fffffa8008680010  r9=0000000000000000 r10=fffff8000354f230
r11=fffff80003410fb0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po nc
nt!CmpConstructName+0x24:
fffff800`035647f3 443830          cmp     byte ptr [rax],r14b ds:ffffffff`ffffffff=??
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff8000330e024 to fffff8000328d700

STACK_TEXT:  
fffff880`0c224de8 fffff800`0330e024 : 00000000`00000050 ffffffff`ffffffff 00000000`00000000 fffff880`0c224f50 : nt!KeBugCheckEx
fffff880`0c224df0 fffff800`0328b7ee : 00000000`00000000 fffff8a0`02559b98 00000000`00000000 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0x427f7
fffff880`0c224f50 fffff800`035647f3 : 00000000`00000000 00000000`00000000 fffff8a0`04540290 fffff800`0357edf7 : nt!KiPageFault+0x16e
fffff880`0c2250e0 fffff800`0354f2e5 : 00000000`00009038 fffffa80`03c1c000 fffff800`03410f80 fffff800`03256202 : nt!CmpConstructName+0x24
fffff880`0c225130 fffff800`03572044 : 00000000`00000000 00000000`00000000 fffff8a0`04cbe000 00000000`00000000 : nt!CmpQueryKeyName+0xb5
fffff880`0c225190 fffff800`035730ea : fffff8a0`04540290 fffff8a0`04cbe000 00000000`00001000 fffff880`0c225320 : nt!ObpQueryNameString+0xb0
fffff880`0c225290 fffff880`0236e2fa : fffff8a0`02ad4100 00000000`c0000004 fffff8a0`02ad4100 fffff880`01ad421f : nt!ObQueryNameString+0xe
fffff880`0c2252d0 fffff8a0`02ad4100 : 00000000`c0000004 fffff8a0`02ad4100 fffff880`01ad421f 00000000`c0000004 : klif+0x332fa
fffff880`0c2252d8 00000000`c0000004 : fffff8a0`02ad4100 fffff880`01ad421f 00000000`c0000004 fffff8a0`04cbe000 : 0xfffff8a0`02ad4100
fffff880`0c2252e0 fffff8a0`02ad4100 : fffff880`01ad421f 00000000`c0000004 fffff8a0`04cbe000 00000000`00000001 : 0xc0000004
fffff880`0c2252e8 fffff880`01ad421f : 00000000`c0000004 fffff8a0`04cbe000 00000000`00000001 00000000`00000000 : 0xfffff8a0`02ad4100
fffff880`0c2252f0 fffff880`0235fd00 : fffff8a0`00000000 fffff8a0`0462f470 fffff880`0c2255c0 00000000`00000000 : fltmgr!FltAcquirePushLockExclusive+0xf
fffff880`0c225320 fffff8a0`00000000 : fffff8a0`0462f470 fffff880`0c2255c0 00000000`00000000 00000000`00000000 : klif+0x24d00
fffff880`0c225328 fffff8a0`0462f470 : fffff880`0c2255c0 00000000`00000000 00000000`00000000 00000000`00020019 : 0xfffff8a0`00000000
fffff880`0c225330 fffff880`0c2255c0 : 00000000`00000000 00000000`00000000 00000000`00020019 00000000`00000000 : 0xfffff8a0`0462f470
fffff880`0c225338 00000000`00000000 : 00000000`00000000 00000000`00020019 00000000`00000000 fffff880`0236119b : 0xfffff880`0c2255c0


STACK_COMMAND:  kb

FOLLOWUP_IP: 
klif+332fa
fffff880`0236e2fa ??              ???

SYMBOL_STACK_INDEX:  7

SYMBOL_NAME:  klif+332fa

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: klif

IMAGE_NAME:  klif.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4afabce0

FAILURE_BUCKET_ID:  X64_0x50_klif+332fa

BUCKET_ID:  X64_0x50_klif+332fa

Followup: MachineOwner
---------

 

[supermonkey]

Thanks, I am giving it a go right now! Really appreciate the help!

 

[supermonkey]

just to update, it took me a while to remove Kaspersky as I cant achieve anything without using safe mode and I couldnt work out how to uninstall in safe mode. Thanks to another post here I've now managed it!

Problem is that I am still getting the error with Kasperky removed.

Any more ideas?

 

[yowanvista]

just to update, it took me a while to remove Kaspersky as I cant achieve anything without using safe mode and I couldnt work out how to uninstall in safe mode. Thanks to another post here I've now managed it!

Problem is that I am still getting the error with Kasperky removed.

Any more ideas?

Upload the latest dump files

 

[supermonkey]

just to update, it took me a while to remove Kaspersky as I cant achieve anything without using safe mode and I couldnt work out how to uninstall in safe mode. Thanks to another post here I've now managed it!

Problem is that I am still getting the error with Kasperky removed.

Any more ideas?

Upload the latest dump files

Trying to attach but seem to have connectivity problems!View attachment 157244

 

[yowanvista]

Download Malwarebytes
Update and run a scan.

Latest dumps point to explorer.exe, this may be caused by malware

 

[supermonkey]

thanks again. I'm just running a scan now (have tried quick scan to begin with).

We'll see what happens. I have not yet installed the new kaspersky (I only uninstalled the old version). I presume it's worth installing it and doing a full scan with that.

 

[supermonkey]

All done with Mbam, no infected objects.

It would seem the machine is infected. On running the Kaspersky 2011 installer it states "the setup wizard could not install"...... "It is possible your computer is infected"... and suggests running the AVPTool

 

[Homeuser66]

If you can, try to download Blue Screen View, found

Blue screen of death (STOP error) information in dump files.

or

Who Crashed:

Resplendence Software - WhoCrashed, automatic crash dump analyzer

They will tell you exactly what is causing your BSOD

 

[yowanvista]

If you can, try to download Blue Screen View, found

Blue screen of death (STOP error) information in dump files.

or

Who Crashed:

Resplendence Software - WhoCrashed, automatic crash dump analyzer

They will tell you exactly what is causing your BSOD

These tools don't provide any detailed information on faulting drivers and possible causes

 

[supermonkey]

Thanks.

I've run Kasperskys AVP tool (Virus Removal Tool) overnight and it stopped at 49% finding some Trojans. Will let it finish and hopefully it'll cure the problems!

 

[supermonkey]

The scan has now completed. Detected & deleted 2 threats:

Exploit.Java.CVE-2010-0094z
C:\Users\Supermonkey\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\4\cafbd48-55da35b0/CustomClass.class
& also
C:\Documents and Settings\Supermonkey\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\4\cafbd48-55da35b0/CustomClass.class

Will now try to restart in normal mode and see what happens

 

[supermonkey]

Unfortunately, the system still blue screens. Please can you look at the latest dump files and advise? Much appreciated
View attachment 157372

Although I ran the Kaspesky Tool which removed infections, I still cant install KIS 2011

 

[yowanvista]

Still malware activity, run http://www.sevenforums.com/tutorials/1538-sfc-scannow-command-system-file-checker.html
Use this Microsoft Standalone System Sweeper Beta | Microsoft Connect

 

[supermonkey]

Thanks. I ran the SFC check which "did not find any intergrity violations".

I'm now creating a CD using the Microsoft Tool (confused me at first!)

 

[Homeuser66]

Quote: Originally Posted by Homeuser66
If you can, try to download Blue Screen View, found

Blue screen of death (STOP error) information in dump files.

or

Who Crashed:

Resplendence Software - WhoCrashed, automatic crash dump analyzer

They will tell you exactly what is causing your BSOD
These tools don't provide any detailed information on faulting drivers and possible causes

They have helped me....told me it was a driver one time, another time it told me it was an application. Other times it has given me specific's.... Fortunately I haven't had to use them all that often, but maybe you have....I was just trying to help....

 

[supermonkey]

Thanks for all the help everyone.

Currently scanning with the Microsoft Standalone System Sweeper which states "preliminary scan results show that malicicoious or potentially unwanted software might exist"....

 

[supermonkey]

Microsoft Standalone System Sweeper has finished and found 4 items:
Exploit:Jave/CVE-2009-3867.GV
Exploit:Jave/CVE-2010-0094.A
Exploit:Jave/CVE-2010-0840.CI
Exploit:Jave/CVE-2008-5353.SV

I selected clean and it only resolved 1 item and couldn't resolve the other 3. It is now doing a quick scan (hopefully won't be another 4 hours) and will try to remove again.

Shouldn't Kaspersky have prevented / detected these? In total thats 6 infections!

 

[yowanvista]

Microsoft Standalone System Sweeper has finished and found 4 items:
Exploit:Jave/CVE-2009-3867.GV
Exploit:Jave/CVE-2010-0094.A
Exploit:Jave/CVE-2010-0840.CI
Exploit:Jave/CVE-2008-5353.SV

I selected clean and it only resolved 1 item and couldn't resolve the other 3. It is now doing a quick scan (hopefully won't be another 4 hours) and will try to remove again.

Shouldn't Kaspersky have prevented / detected these? In total thats 6 infections!

Nothing can protect you from all threats. Try running a full scan of malwarebytes