Page_fault_in_nonpaged_area

[AtYourService]

I braved the "nor'easter" snow storm to come into the shop today already I had 2 computers in this morning that the customers had applied last nights windows updates and it hosed the computer from starting up with a bluescreen
with this error:
PAGE_FAULT_IN_NONPAGED_AREA
STOP: 0x00000050 (0x80098004, 0x00000001, 0x80515103, 0x00000000)


not sure if microsoft realizes there is a problem with the update



my easy fix was to boot up with Sysinternals ERD2005 and use the hotfix removal tool



still waiting for an answer to why its hosing systems seen another posting on bleepingcomputer about the issue and posted here just in case you guys are getting calls




someone else posted that KB977165 update is the issue and You will have to replace ntkrnlpa.exe and ntoskrnl.exe in the system32 folder with the originals from the $NtUninstallKB977165$ folder.





or you can try this solution:

1. Boot from your Windows XP CD and start the recovery console. You may need to press F6 while RC loads in order to load SATA drivers; you will then have a c:\WINDOWS console prompt.

2. Type: CD $NtUninstallKB977165$\spuninst (this is the update I had to uninstall to get out of the boot loop, other updates may be uninstalled by changing the directory name to $NtUninstallKBCODE$, where KBCODE is the KB code)

3. Type: BATCH spuninst.txt

4. Type: exit

 

[MobileTechie]

Thanks for this heads-up.

 

[AtYourService]

Hotfix - KB977165
MS10-015: Vulnerabilities in Windows kernel could allow elevation of privilege
http://support.microsoft.com/kb/977165

seems to be the root of the problem, seeing reports of windowsXP and Windows7 both having issues after installing the update

 

[ijunkie]

Luckily I have not seen this with any of my machines yet. Thanks for posting this.

 

[tminer]

had a customer with this problem the other day, wish i woulda found out about this first before N&P. Couldnt access normal or safe mode. Found viruses so decided best on N&P anyway.

 

[Jim Perth]

Just had a client phone with this problem also. Thanks for the info.

 

[Appleby]

Any problems with Vista doing this? I've got a customer dropping off a Vista machine tomorrow that she said started blue screening after a normal shutdown and attempted reboot. She said it happened Tuesday night....sounds like an update problem?

 

[vermonter]

Yes, thank you for the heads up. Also just had a client call with the exact same symptoms. Once again, the time spent on Technibble has paid for itself several times over.

 

[sjc@blainecs]

Any problems with Vista doing this? I've got a customer dropping off a Vista machine tomorrow that she said started blue screening after a normal shutdown and attempted reboot. She said it happened Tuesday night....sounds like an update problem?

The TN linked lists Both Vista SP1 and Vista SP2 as OS that are effected

sjc
Blaine Computer Services

 

[Galdorf]

Seen this twice yesterday when they pushed the update had to un-install the updates to get the machine to boot.

 

[todneykros]

YES! I confirm the culprit is hotfix KB977165, installed on 10/02/2010, and i also solved the problem the same way the first poster did, with ERD 5.0!!!

Thank god technibble exists, i avoided to N&P a client's pc. It would have been the first in years, and that was wounding my self-esteem....

...what a great community, i owe you a beer!!!!

 

[AtYourService]

liquor is quicker

 

[MrUnknown]

thanks for the heads up everyone. I am expecting some computers to come in with this problem. Without knowing this, I probably would have recommended a N&P.

but how is an update installed in October of last year affecting systems today?

 

[NYJimbo]

Damn it, nothing so far.

I really want to $ee $ome of the$e infection$ $o I can HELP cu$tomer$.

 

[todneykros]

Sorry, not october, february! (I write the dates in dd/mm/yyyy, cause i'm italian!!!)

 

[MrUnknown]

Sorry, not october, february! (I write the dates in dd/mm/yyyy, cause i'm italian!!!)

lol crap, sorry for my american assumptions.

 

[AtYourService]

microsoft finally listened and pulled the update
http://blogs.technet.com/msrc/archive/2010/02/11/restart-issues-after-installing-ms10-015.aspx


for those who want to have some layer of protection against this flaw you can get the fixit tool
http://support.microsoft.com/kb/979682


its highly unlikely for someone to exploit this unless theyre a local user and if they have physical access its usually game over anyhow

ive tested the exploit on my own machine and it works like a charm, nice tool to use to get system access if you only have user level access

 

[hyfidel]

There is a story linked on Slashdot about how this may be linked to a previous rootkit infection. If you revert the hotfix, you may want to do a complete scan and checkout atapi.sys

 

[AtYourService]

yea i was actually looking into this because one of the computers did have a atapi.sys infection but didnt think it was related

 

[AtYourService]

anyone who needs to remove the atapi.sys infection should use this tool
http://support.kaspersky.com/downloads/utils/tdsskiller.zip