Page fault in non paged area with norton 2012 bootable cd

Booted from new NIS 2012 CD to run pre-installation scan.

CD loads Windows files then produces "Page fault in non paged area" BSOD. Cannot run scan prior to installation.

Norton 2011 reports having quarantined 3 Java exploit based trojans previously.

NIS 2011 version bootable CD starts and scans normally and reports no problems. NIS 2011 scans from within Windows and reports no problems.

HP tx2500 laptop AMD Turion x2 mobile
4GB RAM
Windows Vista 64 SP2
Norton 2011 installed

Can you provide more information about the BSOD? Which driver?

Thanks for your replies.

I prefer to do a pre-install scan from the Norton bootable CD. The Norton 2011 infection reports say that the trojans have been quarantined. No further action offered.

How do I determine which driver?

There should have been an error message and a series of numbers at the time of the BSOD. You can download NirSoft BlueScreenView, which will read Windows dump files and provide some information. The download is in purple near the bottom of the page.

http://www.nirsoft.net/utils/blue_screen_view.html

When you ran the disc, did it ask for your activation key? Did you put in the 2011 key or the 2012 key that came with the disc? Did you turn off tamper protection in the 2011 version on your machine?

Hi,

Thanks for using the Norton Bootable Recovery Tool. As you pointed out, you were able to boot NBRT 2011 and use it successfully, and NBRT 2012 gave a BSOD on booting. To understand the problem better, can you please follow the procedure below:

1) Download the NBRT Wizard from the following location:
http://www.norton.com/nbrt

2) Use the appropriate link on the screen to download the NBRT Wizard setup.

3) Use the wizard to create fresh NBRT media of your choice (CD/DVD/USB).

4) Try to boot the same machine with this media and let us know if it worked out for you.

Thanks,

NBRT Team

Thanks for the replies. This is clearly a willing and helpful community.

To clarify, I am using a factory fresh, purchased NIS 2012 CD. As I understand it, this CD should be used to load files and scan your system independent of the operating system - even if the PC is "unbootable" as a result of an infection. I have always used this method, buying new NIS discs every year on release of a new version.

My intention is to boot the system with the NIS factory CD to examine the system with a "known good OS" - the NIS CD. This way, I also know what to expect if I have to use the Norton disc in a real recovery.

I am not aware of any requirement to turn off 2011 tamper protection, and this would be impossible with a compromised, unbootable PC.

The NIS 2012 CD does not reach the point of asking for the licence key before bluescreening.

I used the NIS 2012 CD to boot another system with NIS 2011 installed - it displayed the 2011 licence key, and would not allow me to enter the new 2012 key.

Upon clicking the scan button on the second system, the scan screen disappeared and displayed the familiar yellow background only. Re-clicking the scan button briefly brought up an animated scanning box, which immediately disappeared again. This is not the behavior shown on the tutorial page for the 2012 tool.

I am not in front of the "bluescreening machine" at the moment, but I will obtain the error information and post it.

Regarding the NBRT team's suggestion to download a new copy of the NBRT wizard - have there been changes to this tool since the release of the NIS 2012 CD?

Downloading and burning a new CD on a system that may have been compromised does not necessarily provide a "known good copy" of the bootable recovery tool. This would also be impossible on a compromised, unbootable system.

Could the NIS 2012 bootable recovery tool be flawed? So far, it has not worked on two machines. This has never happened before, and I have been buying NIS for a number of years.

Thanks for your assistance.


You can use the NBRT Wizard on a separate clean system and then use the media to boot the compromised system. Since you said that the NIS 2012 CD did not work on two different systems, we assume there could be problems with the CD, probably a bad sector.

Just to confirm that this is not the case, we want you to try the NBRT Wizard, create a bootable USB/CD and try again.

I suggested turning off tamper prevention because you are booting into an active NIS2011.  Normally when using the boot tool, the system is compromised and the antivirus product is disabled.  Since the 2011 activation key is presented in the tool, it seems that the drivers are conflicting.

Thanks again for your continuing attention to this thread. Still have not been in front of the BSOD system.

On the second system (not the bluescreen pagefault one) I removed the drives, installed a new one and upgraded to Windows 7 Professional via clean install - all updates applied. Norton not installed.

Booted from Norton 2012 CD (it asked for product key and I entered it) and refreshed network connection. Ran NBRT tool. It scanned the system showing signatures dated 11 October, 2011. Scan completed showing no infections.

Decided to try Power Eraser Tool - rebooted PC from NIS 2012 disc, clicked refresh network connection, then clicked on Power Eraser - similar behaviour as before - dialog box disappeared. Re-clicking this eraser option again flashed a dialog box which again disappeared in the blink of an eye. By repeatedly clicking the Power Eraser tool I was able to discern that the dialog said "downloading Power Eraser tool" with an immobile progress indicator and a cancel option.

It appeared to be downloading nothing, so I clicked on the command prompt option and ran netstat 1 to show network connections at 1 second intervals. It displayed no foreign connections till I repeatedly clicked on the Power Eraser tool command, whereupon it connected to 66.185.85.187 via HTTP. The connection was dropped shortly, however, and the system continued doing nothing.

To be certain it was not a slow connection, I left the machine alone for half an hour - no results. Exit and reboot into Windows.

An ARIN whois lookup for 66.185.85.187 indicated that the address belongs to Rogers Cable, my internet provider - but added: "ARIN has attempted to validate the data for this POC, but has received no response from the POC since 2010-07-08"

Querying the IP with Steve Gibson's "IDServe" produced the following:

Initiating server query ... Looking up the domain name for IP: 66.185.85.187

(The domain name for the specified IP address could not be found.)
Connecting to the server on standard HTTP port: 80
[Connected]  Requesting the server's default page.
The server returned the following response headers:
HTTP/1.0 400 Bad Request
Server: AkamaiGHost

To sum up: the NBRT tool now works on a fresh install with a new hard drive. The Norton Power Eraser on the same CD (which must apparently be downloaded from the internet) apparently does not.

Norton 2012 CD apparently connects to what appears to be a local Akamai server to obtain the Power Eraser tool and fails.

While I wouldn't rule out the suggestion of turning off tamper protection, there are no instructions to do so in the tutorials for NBRT and the Power Eraser found here: http://us.norton.com/products/tutorials/tutorials.jsp?pvid=nis2012&tutid=recovery_tool

Looking forward to trying again on the laptop that produced the "Pagefault in non paged area" BSOD.



Finally in front of laptop.

On booting with the Norton CD: Pagefault in non paged area. BSOD says:

***STOP: 0X00000050  (0XE0088024, 0X00000000, 0XEEC87F34, 0X00000002)

Google search produced the following: "0x00000050 Error Codes are caused in one way or another by misconfigured system files in your windows operating system."

This system operates normally otherwise without bluescreening. This only occurs when booting from the Norton CD.

Upgraded laptop NIS from 2011 to 2012 within Windows using CD. Installer froze briefly ("not responding"), then completed successfully.

Activation successful on reboot. LiveUpdate completed successfully. Downloaded Norton Power Eraser tool from within Windows - it ran successfully. No infections found.

So, with respect to the laptop, NIS 2012 is now installed and running, but I cannot use the NIS 2012 boot disc to recover from a serious infection.

Google Chrome reported that the Norton Confidential plug-in crashed in a subsequent browsing session.

On the second system with a new install of Windows 7, I can boot from the Norton CD and run a system scan, but cannot access the Power Eraser tool. Norton has not yet been installed.

Any further suggestions would be appreciated.


Anyone?


Hi, pagefault2012.  There are a couple of possibilities:

1. The Windows installation which is faulting may have a bad driver or DLL which is inducing the problem.  This is especially common with video drivers.  Check to see if there are video driver updates available for your particular video card.

2. Similarly to the above, check for updates to:

a) Motherboard BIOS

b) Chipset drivers

c) Sound drivers

d) Mouse and keyboard drivers (especially with some of the fancy Logitech, Kensington and Microsoft keyboards)

e) Are you running special software such as Nero or EZ-Media Creator for CD/DVD burning?  This software is notorious for causing incompatibilities and crashes in what would seem to be unrelated software.  You want to be on top of updates for this software on a regular basis.

3. You can make an updated Bootable Recovery CD using the Norton Bootable Recovery Disk Builder tool.

    This is available here:  http://www.norton.com/nbrt/

    Read all the instructions on that page.  Follow the instructions to download the builder application and make a fresh Bootable Recovery Disk.  If the new disk you make works properly, then there is an incompatibility between your Windows installation and the old version of the Bootable Recovery Disk on the CD you purchased.  This is one of the reasons that updates are made available.  :smileyhappy:

Hope this helps.

 

The error you are getting has nothing to do with the operating system on your computer.

It can't possibly be a problem or conflict with anything on your hard drive.

It's coming from the bootable CD because the bootable CD contains a small version of Windows.

Since your installation disk has not worked correctly on any system you have tried it on, the best suggestion has been to make another NBRT disk and try it.

Go back to post #6.

If a new NBRT disk works fine on all your other systems but not the problem system, then you have a bad or dirty optical drive or a RAM problem.

Dave


DaveH wrote:

The error you are getting has nothing to do with the operating system on your computer.

It can't possibly be a problem or conflict with anything on your hard drive.

It's coming from the bootable CD because the bootable CD contains a small version of Windows.

Since your installation disk has not worked correctly on any system you have tried it on, the best suggestion has been to make another NBRT disk and try it.

Go back to post #6.

If a new NBRT disk works fine on all your other systems but not the problem system, then you have a bad or dirty optical drive or a RAM problem.

Dave

Hi, Dave.  Not quite.  The bootable CD interfaces with the copy of Windows on the hard disk at the time of bootup.  This is how it retrieves the list of disk partitions to search, as well as which version of Windows (XP, Vista, W7) it is going to scan and attempt to repair, along with the match (or not) between the Symantec product keys on the NBRT and the Symantec product installation on the suspect hard disk.

My understanding of the recovery process is as follows:

If there is Registry corruption (or incompatibility) between the Registry on the suspect hard disk and what the mini-copy of Windows running in RAM from the NBRT reads from the suspect hard disk's Registry - and this creates a conflict during the inquiry process as part of the bootup integration between the NBRT and the suspect hard disk - the kind of problem noted by pagefault2012 can occur.

One of the ways to check this is to create a new Bootable Recovery CD.  If the problem vanishes, then either the original CD is damaged (noted as a possibility by others in previous posts) or there is a conflict that prevents successful integration between the mini-copy of Windows in the NBRT and the copy of Windows on the suspect hard disk.

This is why, as mentioned by many respondents to pagefault2012's query, we have all recommended that he create a fresh NBRT CD as the next step in the process of determining where the problem lies.

The stuff I was talking about checking on the suspect machine is the stuff I know that creates the kind of Registry corruption or motherboard BIOS incompatibility that prevents the successful integration of the NBRT's mini-copy of Windows and the inert copy of Windows on the suspect hard disk when the NBRT is run.

If my understanding is in error, please feel free to correct me.  Thanks.

 

You're correct that Windows PE will try to access the MountedDevices registry key to determine the drive letters, but that is not necessary.

I'm using Virtual PC for these examples.

Here it is booted up with an unpartitioned and unformatted hard drive to show that a hard drive is not even necessary.

nbrt_nodisk.JPG

Here it is booting up on a drive that has Puppy Linux.

NBRT_PuppyEXT3.JPG

Of course I couldn't run any scans, the file system is EXT3, but that should show that it will still boot to a totally "corrupted" system or drive.

Curious about your comment about a possible blue screen with a corrupted registry, I went back to the first drive and made a partition and formatted it with NTFS.

I then used another PE disk of mine to create a folder structure of Windows\System32\config.

Inside that config folder I copied a bitmap picture file a few times (it was the first extra file I found).

Then I renamed those to match the registry hives.

NBRT_noregistry.JPG

You can see those phony registry hives are all the same size. Those five files and the folders were the only thing on the drive and it still booted fine without error.

The NBRT tool updated and ran a scan. I assume it shows 0 files scanned because the ones I made have no extensions, or maybe registry hives are excluded?

I'm also positive that no conflict could possibly occur between the NBRT and system files or drivers that may be installed on the actual system.

Since none of those are loaded, from the perspective of Windows PE and NBRT they are only just files.

Dave

Hi, Dave.  Hmmm.  Interesting.

I know that a PE will boot successfully to an unpartitioned disk.  That's how a normal Windows install is performed to an unformatted hard disk.  This is also normal and correct for a virgin restore - such as from the PE for a Norton Ghost / Norton Save & Restore CD in order to restore info from an image when a failed hard disk is replaced.

And yes, I get that a partition table inquiry to a partition the system is unable to understand (e.g. EXT3) will fail - and quite rightly so.

Both the above are normal circumstances that any Microsoft-based PE will be able to deal with successfully.

But what about a failed hard disk where there are valid entries on that disk that the PE can link to?  And if it does integrate itself (which I think it must in order to mount those partitions so they can be examined), what happens in that circumstance if there is something in the MBR or the Registry or some DLL that the PE "sniffs" during the boot process that prevents the PE integration with what's on the disk?  Blocking a PE in this manner is the kind of thing a rootkit would do in order to prevent recovery...

I know I have seen situations with Norton Ghost restores - where the status of the primary partition would forbid the Ghost restore from accessing the extended partitions until the machine was rebooted at least once so the restored Windows installation could reintegrate itself with the restored C: partition.

In those circumstances, upon reboot to the hard disk with the restored C: partition, Windows would "discover" a "new hard disk" the first time the system was rebooted after a restore.  Only then would shutting down Windows normally and rebooting to the Ghost Recovery CD allow the D: and E: partitions on that disk to be restored as well.  The D: and E: partitions would be completely inaccessible (IOW, not there at all in the PE) until that reboot was performed and the "discovery" was integrated into the C: partition's Windows installation.

The above would indicate to me that (at least in those older Ghost versions) something about the PE needs to "see" the status of the hard disk if the disk is not blank.  Therefore, what was on the hard disk is something that the PE would need to know about if it was going to successfully integrate itself so as to be able to interface successfully with the existing Windows installation/partition set.

Since I have seen that particular wrinkle before - with Symantec's PE CDs for other products - I am wondering if something similar is happening in this circumstance as well.  Ergo, my suspicions as detailed in my originating post.

Hope this makes my previous post more comprehensible.


As far as I know, PE disks based on Windows Vista or Windows 7 only take a "sniff" at the registry key:

HKLM\System\MountedDevices

just to see what drive letters are assigned to each partition.  The only reason it does that is so the user can see the partitions with the same letters that they are used to seeing, and it also prevents people from doing something bad to the wrong partition.  (It sucks when you format the wrong partition.)

All it does is take a quick look; it doesn't leave any handles open or anything.  From that point on the partitions are totally offline and that's why you can immediately run chkdsk on that partition: it is not in use.

If it can't read the registry key, it just skips that part and I assume it is forced to "guess" by falling back to the old DOS-through-Windows-XP way of assigning letters.  I think this started in VistaPE because of the way partition signatures are used to identify and boot partitions.

I think that also explains why your reboots were necessary in DOS or XP based PE disks.  It was common for the RAM drive or CD-ROM drive to get in the way and take on the first available drive letter.  Then as partitions became restored, those drives would either get in the way or Windows would force a reboot so it could follow the DOS lettering rules of primary before extended, HD0 before HD1, etc.

But if it mounts a registry that is semi-corrupted, I guess the worst case would be that the drive letters are wrong.  The C drive should be correct since the OS is almost always the first primary partition on the first hard drive, but some of the later partitions may take the wrong letter.

I personally used PE disks to replace registry hives offline, so I know PE disks boot and work with partially corrupted registries as well.

But the main point I was trying to make is that no drivers on the OS partition could possibly interfere because they are not loaded.  From PE's perspective they are only files like everything else.

I also don't see how a rootkit could interfere for the same reason: it would not be loaded and therefore not able to do anything.  Even if a rootkit normally was set to load through the MBR, that OS partition has not even started to boot; it should be thought of as an inactive data drive.

Dave

Hi, Dave.  Thanks for the clarification.

I understand the intent of a PE is to have an inert set of hard disks so that everything on those partitions can be treated as files and examined/manipulated as such - including the MBR.

I just wasn't sure whether or not the PE would "sniff" something on the disk drives it was going to examine during the PE's startup routine - other than the Registry - and then drop out of that so the disk would return to inert status for examination.

The thing I'm curious about is how the PE reacts and adapts to RAID signatures and the custom drivers needed to access (for example) the Intel ICH5/6/7/8/9/10 RAID arrays.  There are a whole bunch of things that are required as part of the boot process in order to mount those partitions in their various striped or mirrored modes.  Not to mention the various HPT and SIL chipsets as well - along with all their variations.  Then there is the whole SCSI driver set issue and all its variations.

Every year this stuff gets more complex - the "gotchas" get more weird and obscure - and the number of things that have to be accommodated during the PE's startup procedure gets larger - in order for the PE to integrate itself with that particular motherboard chipset and its HDDs.  Then you add in the network driver integration if you want the PE to be able to get to the net to download the latest whatever as part of the PE's operation...

I just can't see it being as trivial as it was in the days of simple IDE operation with no need for network access.

Much scratching of head...  :smileyhappy: