ichase Posted February 16, 2012

Greetings all,

Normally I can work through most Windows issues and come to some sort of repair or fix option but I have one in my possession that has got me a little stumped.

Owner of laptop reports the following:
- Viewing pictures in "My Documents"
- Viewing pictures in screenshow option.
- By approximately 14th picture, Windows goes into BSOD, Physical Memory Dump, force restart.
- After Toshiba Screen gets black screen with blinking cursor on top left of screen

I get the laptop and confirm on startup that in fact after the Toshiba screen, OS fails to load, no errors, black screen w/ blinking cursor.

- I attempt restart, F8 to try to go into Safe Mode. The same, black screen w/ cursor.
- Run Windows 7 (64Bit) Recovery console from CD (It's just the recovery console, no OS to load) (Have one for all OS from XP up to 7 32bit and 64bit where applicable)
- Chose run from Command Prompt, it goes into Command Prompt fine. CD to C: and run chkdsk /r. I receive no errors after this ran for a couple of hours. Rebooted and still same blinking cursor.
- Booted back into Recovery Console. Attempted to restore from previous day. Chose last restore point 2/12/2012. Failed to restore. Error code 0x80000ffff which I am sure some of you have seen before. I have never found exactly what that error code is supposed to mean. Other restore points yield the same result.
- Booted Parted Magic (Linux) CD, looked at partitions to see if there was a recovery partition. Ahhhhh, there was a 9 GB HDD Recovery Partition.
- Looked online to find out that the "Secret Squirrel Handshake" to get into the HDD Recovery Partition on a Toshiba Satellite was "Hold the '0' key down while turning on the laptop. Release at Toshiba screen and then proceed to tap '0' key until it goes into the recovery suite". I had no intention of restoring the system, just wanted to see if it would go in. Only thing different was the blinking cursor became a solid non-blinking cursor. So it looks like you can't even get into the Recovery Partition to restore to factory settings if it came to that.

So at this point, I plan on running a memory test this evening. Let it run a few times to see if it could be memory related (I doubt it) but do not want to leave no stone unturned. I will then work on getting the owner's important files off the HDD (just in case); no, he had no backup whatsoever.

So, I am up for any and all suggestions you may have.

Thanks and All the best,
Ian

lewmur Posted February 16, 2012

> Greetings all,
>
> Normally I can work through most Windows issues and come to some sort of repair or fix option but I have one in my possession that has got me a little stumped.
>
> Owner of laptop reports the following:
>
> I get the laptop and confirm on startup that in fact after the Toshiba screen, OS fails to load, no errors, black screen w/ blinking cursor.
>
> - I attempt restart, F8 to try to go into Safe Mode. The same, black screen w/ cursor.
> - Run Windows 7 (64Bit) Recovery console from CD (It's just the recovery console, no OS to load) (Have one for all OS from XP up to 7 32bit and 64bit where applicable)
> - Chose run from Command Prompt, it goes into Command Prompt fine. CD to C: and run chkdsk /r. I receive no errors after this ran for a couple of hours. Rebooted and still same blinking cursor.
> - Booted back into Recovery Console. Attempted to restore from previous day. Chose last restore point 2/12/2012. Failed to restore. Error code 0x80000ffff which I am sure some of you have seen before. I have never found exactly what that error code is supposed to mean. Other restore points yield the same result.
> - Booted Parted Magic (Linux) CD, looked at partitions to see if there was a recovery partition. Ahhhhh, there was a 9 GB HDD Recovery Partition.
> - Looked online to find out that the "Secret Squirrel Handshake" to get into the HDD Recovery Partition on a Toshiba Satellite was "Hold the '0' key down while turning on the laptop. Release at Toshiba screen and then proceed to tap '0' key until it goes into the recovery suite". I had no intention of restoring the system, just wanted to see if it would go in. Only thing different was the blinking cursor became a solid non-blinking cursor. So it looks like you can't even get into the Recovery Partition to restore to factory settings if it came to that.
>
> So at this point, I plan on running a memory test this evening. Let it run a few times to see if it could be memory related (I doubt it) but do not want to leave no stone unturned. I will then work on getting the owner's important files off the HDD (just in case); no, he had no backup whatsoever.
>
> So, I am up for any and all suggestions you may have.
>
> Thanks and All the best,
> Ian

Can you boot a LiveCD of a "regular" distro that will allow you to mount the HDD and see if you can read the files?

Guest LilBambi Posted February 16, 2012

That is a very weird thing.

Are you using a wireless keyboard/mouse? Maybe hook up a USB keyboard/mouse and see if it makes a difference. Could be driver issues.

They have some other ideas too but they are much less promising than having it turn out to be a keyboard/mouse driver...

The suggestions they have about fixing mbr, etc. won't help if you can't boot to an install disk (not a recovery disc or partition).

But some of the items listed here or here may be helpful... don't know...

V.T. Eric Layton Posted February 16, 2012

Not being an MS Windows expert leaves me with only one method to fix this:

Big Hammer Method

Nuke it! Reinstall fresh MS Win OS. All better.

ichase Posted February 16, 2012

@Fran - Thanks for the links. Will be checking those out shortly. Had seen a few things online in regards to a potential driver issue and will definitely try the external keyboard.

@lewmur - I booted Parted Magic (My #1 Linux tool) and was able to mount the file system and read all files.

@Eric - I LOVE the way you think.

@temmu - Not sure what you are saying. There is no attached USB device, external HDD or CD in the slot. It's not booting into the OS (Win 7 on the internal HDD). No error, nothing saying OS won't boot. OS just does not boot. After the Toshiba screen, you will normally get a black screen with the cursor blinking on the top left for a second, then the OS starts to boot. (At least that is what the wife's Toshiba laptop does.) On this particular laptop, it never leaves the black screen with the blinking cursor.

Thanks for all the replies. The laptop in question is currently running MemTest86 which I expect will come back fine. Like I said, do not want to leave no stone unturned with a customer's computer.

Is there a good hardware diagnostic tool that will check HDD, Southbridge, Northbridge etc? I very rarely run into un-obvious hardware issues. 95% of my work is either virus related, or someone dropped their laptop and OMG ALL MY KIDS PICTURES ARE ON THE LAPTOP. And normally there is no backup on external or DVDs.

V.T. Eric Layton Posted February 17, 2012

> @Eric - I LOVE the way you think.

It's a time-saving method. I highly recommend it. Life is too short to be wasting time trying to fix corrupted Windows installations.

Step 1: Boot Linux Live CD
Step 2: Copy Documents to thumb drive
Step 3: NUKE!
Step 4: Reinstall/Update Windows
Step 5: Restore Documents from thumb drive backup
Step 6: Return lappy to happy customer

Optional: Give them a dual boot with Linux on the lappy. Tell them to stop doing silly slideshow porn stuff in Windows.

Guest LilBambi Posted February 17, 2012

Yep. That was my first thought too. But sometimes you can find the driver issue and correct it. Hard to say. Would depend on how quickly Ian can find it.

I sure hope it's not the hard drive/chipset drivers...

jcgriff2 Posted February 17, 2012

If you are able to recover files, please get the dump files - \windows\minidump

I'd love to see if they reveal any clues.

Guest LilBambi Posted February 17, 2012

Excellent point, J.C.!

lewmur Posted February 17, 2012

> @Fran - Thanks for the links. Will be checking those out shortly. Had seen a few things online in regards to a potential driver issue and will definitely try the external keyboard.
>
> @lewmur - I booted Parted Magic (My #1 Linux tool) and was able to mount the file system and read all files.
>
> @Eric - I LOVE the way you think.
>
> @temmu - Not sure what you are saying. There is no attached USB device, external HDD or CD in the slot. It's not booting into the OS (Win 7 on the internal HDD). No error, nothing saying OS won't boot. OS just does not boot. After the Toshiba screen, you will normally get a black screen with the cursor blinking on the top left for a second, then the OS starts to boot. (At least that is what the wife's Toshiba laptop does.) On this particular laptop, it never leaves the black screen with the blinking cursor.
>
> Thanks for all the replies. The laptop in question is currently running MemTest86 which I expect will come back fine. Like I said, do not want to leave no stone unturned with a customer's computer.
>
> Is there a good hardware diagnostic tool that will check HDD, Southbridge, Northbridge etc? I very rarely run into un-obvious hardware issues. 95% of my work is either virus related, or someone dropped their laptop and OMG ALL MY KIDS PICTURES ARE ON THE LAPTOP. And normally there is no backup on external or DVDs.

If the computer is running Win7, you should be able to boot a Win7 DVD and use the "Repair boot problems" option.

Corrine Posted February 17, 2012

> If you are able to recover files, please get the dump files - \windows\minidump
>
> I'd love to see if they reveal any clues.

And, if there are any clues, you're the one who can find them!

jolphil Posted February 18, 2012

Just another point to consider... Follow the great suggestions you got from the other posters but first, either from a live CD or from a caddy that can mount both SATA and IDE drives to a USB cable, retrieve your children's pictures just in case the worst happens...

PS I purchased a Star Tech docking station about a year ago and it has proved a worthwhile investment... The fact it will accept both drive types makes it more universal IMHO...

jolphil

Guest LilBambi Posted February 18, 2012

> Just another point to consider... Follow the great suggestions you got from the other posters but first, either from a live CD or from a caddy that can mount both SATA and IDE drives to a USB cable, retrieve your children's pictures just in case the worst happens...
>
> PS I purchased a Star Tech docking station about a year ago and it has proved a worthwhile investment... The fact it will accept both drive types makes it more universal IMHO...
>
> jolphil

Excellent idea! I have a very nice Rosewill SATA 2.5/3.5 drive dock from NewEgg to do that too. Good to back up all your data just in case before trying further.

ichase Posted February 18, 2012

I have recovered all of the customer's important files using Live CD and have them on an external device. There were a total of 4 dump files within the /windows/minidump folder and I have also recovered all 4 of those. I have them zipped. How can I upload a zip file so you can see them, jolphil?

Thanks a bunch,
Ian

Corrine Posted February 18, 2012

It is jcgriff2 who wants to see the dump files. I checked a couple of the sites where he does much of the BSOD analysis and he isn't online. I sent him a message pointing him here so he can advise how to proceed.

jcgriff2 Posted February 18, 2012

I sent Ian a PM w/ email address.

Corrine Posted February 19, 2012

Thanks, jcgriff2! It will be interesting to see if you spot something that will help.

ichase Posted February 19, 2012

Sorry, thread starts getting longer and you mixed up the screen names. File sent to jcgriff.

You are not the only one, Corrine, that is definitely curious as to what he may find.

Thanks again everyone for taking the time to help with this one. I have not been stumped in a while and actually, it's ones like this that increase my knowledge so I kind of look forward to them.

All the best,
Ian

Guest LilBambi Posted February 19, 2012

Thanks, jcgriff2! As Corrine and Ian said, definitely will be interested to see what you find. Could help others in the future.

Corrine Posted February 19, 2012

> Could help others in the future.

Not unless they know how to analyze the report. There are BSOD self-analyzing programs just like the old on-line HJT analyzers. Unfortunately, more often than not they do not point out the correct causes of the BSOD.

Guest LilBambi Posted February 19, 2012

True! But if you could see some of the driver issues that have been happening along the way...

ichase Posted February 19, 2012

I picked up a program called BlueScreenView (not saying it's the top shelf) but there were a total of 4 minidump files: 2 point to volsnap.sys and 2 point to kdcom.dll.

I would rather have someone with jcgriff's knowledge and background make the final conclusion.

Guest LilBambi Posted February 19, 2012

Hmmm, that's not good. volsnap.sys is one of the things that Rootkit TDSS hits....

http://greatis.com/blog/rootkit/volsnap-sys-rootkit-tdss.htm (look at the reader comments on the small middle column)

BleepingComputers: please help get rid of volsnap sys virus: http://www.bleepingcomputer.com/forums/topic403125.html

MSE tried to Clean volsnap.sys TDSS on a Windows XP computer and it would never boot again. I had to reinstall the OS after lifeboating their data.

amenditman Posted February 19, 2012

I love BleepingComputer.com, one of the best sites for relevant info to solve malware problems and tune your system.

@ichase If this does turn out to be corrupted boot files, which it sounds like, use something like dban to wipe the drive before doing a format and re-install. A lot of the current rootkits will survive a standard format and re-install. Sucks to do all that work and then have to do it again when the problem rears its ugly head again.

Edited February 19, 2012 by amenditman

ichase Posted February 19, 2012

Thanks for the links Fran. Yeah, it's not looking too good for the home team. I have had this same laptop 2 times before. Both of the previous times due to malware from let's say not so family friendly web surfing. I was able to clean the system (to the best of my knowledge) and the customer has had the laptop now for about 2 months and states it's been working great; uses it every day. Then while looking at pictures on his HDD, he gets the BSOD, physical mem dump and poof, no access to OS. Could be related, something may have sat dormant. Hard to tell with these viruses nowadays.

Edited February 19, 2012 by ichase

ichase Posted February 19, 2012

> @ichase If this does turn out to be corrupted boot files, which it sounds like, use something like dban to wipe the drive before doing a format and re-install. A lot of the current rootkits will survive a standard format and re-install. Sucks to do all that work and then have to do it again when the problem rears its ugly head again.

Thanks amenditman for piping in. I use dban on any HDD that I get second hand before I install anything on it. Great program for complete data destruction.

amenditman Posted February 19, 2012

@ichase - Have you tried any of the command line tools on the PartedMagic distro? I just used ms-sys yesterday to fix a bad MBR for a customer. No need to boot into Recovery Console, just use PartedMagic. (Here's the web address of the list you can use including all the command-line tools - http://partedmagic.com/doku.php?id=programs)

God I love that distro, I think it's about time I sent them another little donation.

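An added example, not part of any post in this thread: a read-only look at the MBR from the live CD before rewriting it with a tool such as ms-sys. It decodes the boot signature, the four partition entries and the active flag, and hashes the 440 bytes of boot code so they can be compared with a known-clean disk running the same Windows version. The sample sector is constructed, with a 9 GB recovery partition like the one described earlier in the thread; the /dev/sda path in the comment is an assumption.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440  # bytes 440-445 hold the per-disk signature, so exclude them
TYPES = {0x07: "NTFS", 0x27: "hidden NTFS (recovery)", 0x0C: "FAT32 LBA",
         0xEE: "GPT protective"}


def parse_mbr(sector: bytes) -> dict:
    """Decode a 512-byte MBR and list conditions that can stop a BIOS boot."""
    if len(sector) != SECTOR:
        raise ValueError("need exactly 512 bytes")
    findings = []
    if sector[510:512] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    if not any(sector[:BOOT_CODE_LEN]):
        findings.append("boot code area is all zeros")
    parts = []
    for i in range(4):
        entry = sector[446 + 16 * i:462 + 16 * i]
        status, ptype = entry[0], entry[4]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if ptype == 0:  # unused slot
            continue
        if status not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status byte 0x{status:02x}")
        parts.append({"index": i, "active": status == 0x80,
                      "type": TYPES.get(ptype, f"0x{ptype:02x}"),
                      "lba_start": lba_start, "sectors": count})
    active = sum(p["active"] for p in parts)
    if active != 1:
        findings.append(f"{active} active partitions (expected exactly 1)")
    digest = hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()
    return {"boot_code_sha256": digest, "partitions": parts, "findings": findings}


def build_sample(active_index=None, signature=b"\x55\xaa") -> bytes:
    """Constructed sample: placeholder boot code, 9 GB recovery + NTFS."""
    sec = bytearray(SECTOR)
    sec[:BOOT_CODE_LEN] = b"\x90" * BOOT_CODE_LEN  # filler, not real boot code
    layout = [(0x27, 2048, 18874368), (0x07, 18876416, 400000000)]
    for i, (ptype, start, count) in enumerate(layout):
        off = 446 + 16 * i
        sec[off] = 0x80 if i == active_index else 0x00
        sec[off + 4] = ptype
        struct.pack_into("<II", sec, off + 8, start, count)
    sec[510:512] = signature
    return bytes(sec)


if __name__ == "__main__":
    # On the live CD, read the real sector instead (device path is an assumption):
    #   with open("/dev/sda", "rb") as f: sector = f.read(SECTOR)
    report = parse_mbr(build_sample(active_index=None))
    for part in report["partitions"]:
        print(part)
    print("boot code sha256:", report["boot_code_sha256"])
    print("findings:", report["findings"] or "none")
```
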
ichase Posted February 19, 2012

Patrick Verner has done an excellent job with this tool. I donate to it as well as advertise it in my signature. I have not gone as far as messing with the MBR yet because I am wanting to try to find the root cause of the problem first. I have a hunch it's going to require a full wipe and re-installation of the OS. I have informed the owner that this MAY be the final conclusion. He does not have any restore disks. He may have to buy Win7 64 bit Home Premium or buy a new laptop. I have all of his files removed to external media but have to admit my fear is that this pest could be lurking somewhere within those pictures and other files.

Guest LilBambi Posted February 19, 2012

Yes, swiss army knife of tools on Parted Magic!

Wish you luck Ian!

Tushman Posted February 19, 2012

> I picked up a program called BlueScreenView (not saying it's the top shelf) but there were a total of 4 minidump files: 2 point to volsnap.sys and 2 point to kdcom.dll.

Windows Debugger tool (available from Microsoft's website) is the correct tool to use if you want to analyze Windows crash dump files. It's an extremely capable tool with many options and 99.9% of the time, it will lead you to the correct culprit. I don't use/rely on anything else.