Windows 7 x64 Safe Mode only, Startup Repair reports bad driver (spldr.sys)

This is complicated...

Let me give an account of where this started and then we'll get to the current situation:

The client was having a problem with "Drive G:" needing to be formatted before being used. The confusing part; there IS no G:. It turns out the SD card reader port keeps trying to activate, as if a card was inserted (the card slot is empty). Even looking at the Disk Manager, it would appear and disappear several times per second. I managed to get it to calm down by disabling the device in the Device Manager and uninstalling the Ricoh drivers that identify them. So far, sounds like a hardware short of some kind making the card slot think something's there. Not much I can do from here, as I'm dealing with this remotely via LogMeIn.

Now, it gets tricky.

After also removing some toolbars that were apparently installed a little before all this started happening, as well as an MSSE installation that the client swears he's never seen before, as he's using AVG IS, I rebooted the system. (Yeah, multiple changes prior to reboot... I'll be sure to kick myself later.) Now, it's been a long day, so I don't recall the exact order of operations, but the system rebooted and at some point loaded into Startup Repair (the client's day has been pretty chaotic, so he's not sitting right there this whole time). Startup Repair says that it can't fix the problem automatically. I had the client find and read the pertinent details (the errors) from the log and found that there was a driver failure and a failed System Restore. Lovely...

We managed to get him into Safe Mode w/ Networking. I had to use Zoho Assist to gain access, since LMI doesn't work in Safe Mode. This works ok (not great, but it's the best I could do) and lets me see that now "spldr.sys" is reporting an error (love D7) and I'm getting a ton of Event ID 7023 for Windows Modules Installer.

I tried replacing spldr.sys with a known-working copy from my own system, but it had no effect. I've tried resetting all permissions, running sfc /scannow (in offline mode using startup recovery command prompt), and anything else I could think of (too numerous to recall). Nothing I Googled could help and Microsoft Support KBs were of no use at all.

I may feel like an idiot if it turns out to be a simple answer, but I'll be damned if I can find it. Honestly, I really hope it is simple and I've just overlooked something.
 
What is up with that anyway, the whole automatic startup repair... I HATE THAT! Especially the ones where it goes into it and it's sitting there taking hours and you know the risk of interrupting it but you can't just leave it sitting there forever.

When you view the Device Manager in Safe Mode (hidden devices), does the spldr.sys give you an error code (not that those are usually that useful, but hey, you never know)? Have you tried reinstalling what you have removed as far as MSSE (not the toolbars and junk) or maybe fully uninstalling AVG? Have you checked for bad sectors and checked the file system with chkdsk?
 
This works ok (not great, but it's the best I could do) and lets me see that now "spldr.sys" is reporting an error (love D7) and I'm getting a ton of Event ID 7023 for Windows Modules Installer.

Thanks!

Assuming you can't System Restore out of this problem (then repair the installer service if it is still messed up, then remove MSSE and that other junk one by one....)

Then I would first focus on the Windows installer issue. It could be a problem with the installer service that caused a hiccup while removing MSSE, perhaps this ultimately causes the spldr.sys issue... I'm not 100% sure what spldr.sys is off the top of my head but I think it's security related...

Try Repair Windows Installer (D7 > Windows Repair > Windows Installer) and then see if you can at least start the Windows Installer Service in Safe Mode (D7 > tweaks > misc > last item in the list). Then I would probably remove AVG from safe mode and reinstall later in normal mode if that works.
 
Hmm, I skipped over that part because I assumed it was because you hadn't successfully rebooted into Windows after the uninstalls and the Windows Installer wouldn't run in Safe Mode.

Edit: Oh wait, I think I see where he's going with that. Try the "start the Windows Installer Service in Safe Mode (D7 > tweaks > misc > last item in the list)." first.
 
...I would first focus on the Windows installer issue. It could be a problem with the installer service that caused a hiccup while removing MSSE, perhaps this ultimately causes the spldr.sys issue...

Hmmm... I'll give it a shot. As far as I know, Windows Installer is working fine and can even be started from Safe Mode (used the method you mentioned last night). I've been able to successfully install and uninstall without errors or notifications about Windows Installer failing. Makes me wonder how closely the Modules Installer is (or is not) related to Windows Installer... I wasn't able to see a connection, but I'll try it anyway.

I'm not 100% sure what spldr.sys is off the top of my head but I think it's security related...

It's the "Security Processor Driver Loader". It doesn't load in Safe Mode, but cannot (apparently) be disabled when starting "normally", even when using the Diagnostic Startup option in MSConfig (still hangs).

As a point of note, I can delete it from the non-pnp list in Device Manager, but it seems that the D7 option to "Fix Missing Non-Plug and Play Drivers in DevMgr" will NOT immediately replace it. (If this is actually normal and requires a reboot to show up, then disregard.)

Try Repair Windows Installer (D7 > Windows Repair > Windows Installer) and then see if you can at least start the Windows Installer Service in Safe Mode (D7 > tweaks > misc > last item in the list).

Yeah, as I mentioned above, I had already tried this. I can't find any problems with Windows Installer, but I'll try a repair anyway. Everything I've found on it points to TrustedInstaller not working properly, but sfc /scannow in offline mode should have fixed that. Even if permissions had been totally screwed up, I repaired them already (assuming that worked properly... meaning Windows, not the script), so that shouldn't be an issue. I'll have to check out the CBS.log when I check in with the client today to see if I can make heads or tails of this.

Then I would probably remove AVG from safe mode and reinstall later in normal mode if that works.

While my initial thought is to dismiss this, I'm willing to try just about anything. It's entirely possible that the "phantom" MSSE install (and subsequent uninstall) caused a hiccup that's preventing spldr.sys from loading and that AVG might be preventing the fix...

Then again, when it comes to Windows, NOTHING is impossible to imagine. I've seen some pretty bizarre things affect what should have been wholly and entirely unrelated processes in the system.

Thanks for the thoughts and suggestions. Keep them coming!

*Update (yeah, before I've even posted this):

Just spoke with my client and he told me he has purchased a new notebook due to urgency and (fortunately) had backed everything up recently, so he's not totally dead in the water. He's back up and running for now and will get the system physically to me sometime next weekend when he's back in town.

I'll keep checking back to see any other suggestions and make a list of things to try. Regardless, I'll post my findings and what the resolution ends up being.
 
As a point of note, I can delete it from the non-pnp list in Device Manager, but it seems that the D7 option to "Fix Missing Non-Plug and Play Drivers in DevMgr" will NOT immediately replace it.

Oops... Another one of those things that needs more detail than I can provide within D7's interface. That function is designed to show the Non-Plug and Play Drivers category in Device Manager when the category itself doesn't show up on a normal launch of Device Manager (because the category itself can be hidden by malware) -- this function does nothing more and doesn't replace actual driver entries in Device Manager.

To be honest each and every time you launch Computer Management from within D7's Windows menu, it now performs this fix, so I don't even know why I have it elsewhere in D7 anymore...
 
I believe I just had this issue and I was able to run TDSSKiller and it removed a rootkit causing this.
 
I believe I just had this issue and I was able to run TDSSKiller and it removed a rootkit causing this.

I actually tried that. I had no reason to believe it was malware beyond the screwiness of the situation, but the scans turned up clean. An excellent thought, though!

Now, once I get the system in my hands, I'll be able to do a more thorough job scanning, since I won't be booting from the drive in question. I generally run the full D7 Offline Mode scan and an AVG manual scan via my bench system while cleaning up the system itself.

And to answer ComputerRepairTech from yesterday, yes, I ran a chkdsk /f and it did find an error and fixed it, but this had no effect. I'm loath to try running a /r remotely due to the (rather remote... heh...) possibility that the system will become COMPLETELY inaccessible.

Regarding the "Fix PnP" item, it's just as well. I was able to get it back again anyway (tho still broken), so no worries. I'd never come across the particular malware behavior you mentioned, so it didn't occur to me. Hey, at least it reminded you of another D7 tweak you'd meant to add to the list! (Though, honestly, I probably run Manage from the Computer context menu as often as not just due to force of habit, so it might be something to leave in under a "special circumstances" menu or something.)
 