AVG, MBAM disabled in Win 7 after momentary blue screen [Solved]



#31
BrianDrab

    Trusted Helper

  • Malware Removal
  • 3,583 posts

OK good. We have multiple backups in case anything goes wrong. Time to rewrite the boot-code in case it's infected.

Please note that although nothing should go wrong, it may, especially with an unknown infection like this. Ensure that all your critical data is backed up. If something goes wrong where your machine becomes unbootable we have backups on your USB drive that we can use to get you running again.

 

MBRTool - Rewrite Bootcode

1. Plug in the USB drive that you made previously and boot to it again.

2. Hit Enter on the 1st screen which should initiate the Start MBRtool option.

3. Type 4 and hit enter. The option is work with an MBR (backup, restore, display etc.).

4. Type 5 and hit enter to dump to a plain text file. Note: This isn't really a part of rewriting the bootcode, but I would like this for comparison.

5. Type 0 at the enter disk number prompt and hit enter.

6. Type O and hit enter.

7. After a few seconds, hit Esc on the keyboard to go back a screen.

8. Type 5 and hit enter to dump to plain text file.

9. Type 1 at the enter disk number prompt and hit enter.

10. Type O and hit enter.

11. After a few seconds, hit Esc on the keyboard to go back a screen.

12. Type 9 and hit enter. This option is write/refresh bootcode.

13. Type 0 at the enter disk number prompt and hit enter.

14. Type O and hit enter.

15. After a few seconds, hit Esc on the keyboard to go back a screen.

16. Type 9 and hit enter. This option is write/refresh bootcode.

17. Type 1 at the enter disk number prompt and hit enter.

18. Type O and hit enter.

19. After a few moments you can unplug the USB drive and then press CTRL-ALT-DEL to reboot your computer into normal mode.

 

Assuming your machine boots normally, see if Malwarebytes will open and run.

 

Also zip and attach MBRTOOL.DMP from the USB drive. Thank you.


  • 0
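An added example (not from the thread or from MBRTool) of what the "dump for comparison" step makes possible: parse a raw 512-byte MBR image, hash the 446-byte boot code that the write/refresh option rewrites, and confirm that a rewrite changed only the boot code and not the partition table or the 0x55AA signature. The two MBR images are constructed inline; the partition layout mirrors a System Reserved plus C: disk.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOTCODE_LEN = 446            # bytes 0..445 hold the boot code that MBRTool rewrites
PT_OFFSET = 446               # four 16-byte partition entries follow the boot code
SIGNATURE = b"\x55\xaa"       # bytes 510..511


def parse_mbr(mbr: bytes) -> dict:
    """Split a raw MBR into a boot-code digest, the used partition entries and a signature check."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        entry = mbr[PT_OFFSET + 16 * i:PT_OFFSET + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if ptype != 0:  # type 0 means the slot is unused
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "bootcode_sha256": hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": mbr[510:512] == SIGNATURE,
    }


def compare_dumps(before: bytes, after: bytes) -> dict:
    """Report what differs between two MBR dumps, e.g. taken before and after a boot-code rewrite."""
    a, b = parse_mbr(before), parse_mbr(after)
    return {
        "bootcode_changed": a["bootcode_sha256"] != b["bootcode_sha256"],
        "partition_table_changed": a["partitions"] != b["partitions"],
        "both_signatures_ok": a["signature_ok"] and b["signature_ok"],
    }


def build_sample_mbr(bootcode: bytes) -> bytes:
    """Constructed sample: a 100 MB active NTFS System Reserved partition, then a large NTFS C: volume."""
    entries = struct.pack("<BBBBBBBBII", 0x80, 0, 0, 0, 0x07, 0, 0, 0, 2048, 204800)
    entries += struct.pack("<BBBBBBBBII", 0x00, 0, 0, 0, 0x07, 0, 0, 0, 206848, 125597696)
    entries += b"\x00" * 32  # two unused slots
    return bootcode.ljust(BOOTCODE_LEN, b"\x00") + entries + SIGNATURE


# Constructed "before" and "after" images: the second differs in a single boot-code byte only.
ORIGINAL_MBR = build_sample_mbr(b"\xeb\x63\x90")
MODIFIED_MBR = bytearray(ORIGINAL_MBR)
MODIFIED_MBR[0x20] ^= 0xFF
MODIFIED_MBR = bytes(MODIFIED_MBR)
```

On a real machine the input would be the first 512 bytes of the disk (or the corresponding bytes of MBRTOOL.DMP), read as a single binary block.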



#32
broadcastec

    Member

  • Topic Starter
  • Member
  • 71 posts

Malwarebytes did not open. This sounds like a "toughie" to find!

Attached Files


  • 0

#33
BrianDrab

    Trusted Helper

  • Malware Removal
  • 3,583 posts

Thank you for your patience so far. Please do the following.

 

Step#1 - FRST Fix
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
1. Download attached file and save it to the Desktop. Attached File  fixlist.txt   734bytes   79 downloads
Note. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work (in this case...the desktop).
2. Run FRST64 by Right-Clicking on the file and choosing Run as administrator.
3. Press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
4. When finished FRST64 will generate a log on the Desktop (Fixlog.txt). Please post the contents of it in your reply.

 

Step#2 - FRST Scan
1. Please download Farbar Recovery Scan Tool and save it to your Desktop.
    Note: You need to run the 64-bit Version so please ensure you download that one.
2. Right click to run as administrator. When the tool opens click Yes to disclaimer.
3. Please ensure you place a check mark in the Addition.txt check box at the bottom of the form before running (if not already).
4. Press Scan button.
5. It will produce a log called FRST.txt in the same directory the tool is run from (which should now be the desktop)
6. Please copy and paste log back here.
7. Another log (Addition.txt - also located in the same directory as FRST64.exe) will be generated. Please also paste that along with the FRST.txt into your reply.

 

Items for your next post

1. Fixlog.txt

2. FRST.txt & Addition.txt


  • 0

#34
broadcastec

    Member

  • Topic Starter
  • Member
  • 71 posts

I should note that during the second scan, the tool seemed to have gotten hung up on AVGIDSHA for an inordinately long time, as compared to the others which "flew by" in the scanning progress window.

 

I do appreciate your patience and assistance....

Attached Files


  • 0

#35
BrianDrab

    Trusted Helper

  • Malware Removal
  • 3,583 posts

Thanks for the info. Please do the following.

 

Step#1 - Install SysMon

1. Download SysMon and save to your desktop.

2. Click your Start button and type cmd in the search box.

3. Right-Click on cmd.exe that comes up in the search results and select Run as administrator. Answer Yes to the UAC prompt if it appears.

4. Copy/Paste the following into the command-prompt and hit enter.

%userprofile%\desktop\sysmon.exe -accepteula -I

 

5. You should see something similar to the following in the command prompt window after running the command.

Sysmon installed.
SysmonDrv installed.
Starting SysmonDrv.
SysmonDrv started.
Starting Sysmon..
Sysmon started.

 

6. You may close the command-prompt window now.

 

Step#2 - FRST Fix
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
1. Download attached file and save it to the Desktop. Attached File  fixlist.txt   908bytes   70 downloads
Note. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work (in this case...the desktop).
2. Run FRST64 by Right-Clicking on the file and choosing Run as administrator.
3. Press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
4. When finished FRST64 will generate a log on the Desktop (Fixlog.txt). Please post the contents of it in your reply.

 

Step#3 - Attempt to Run Some of the failing programs

1. Attempt to run some of the failing programs like Malwarebytes or JRT or anything that you know that doesn't work. I don't expect it to work but this is to hopefully get some logging that will be useful.

 

Step#4 - Retrieve Event Log Info

1. Click your Start button and type cmd in the search box.

2. Right-Click on cmd.exe that comes up in the search results and select Run as administrator. Answer Yes to the UAC prompt if it appears.

3. Copy/Paste the following into the command-prompt and hit enter.

wevtutil epl Microsoft-Windows-Sysmon/Operational %userprofile%\desktop\SysMon.evtx

 

4. There will be a SysMon.evtx file on your desktop. Please zip and attach or if too large upload to SendSpace and provide link.

 

Items for your next post

1. Fixlog.txt

2. SysMon Event Log file


  • 0

#36
broadcastec

    Member

  • Topic Starter
  • Member
  • 71 posts

Attached as requested. In Step 2, I was unable to open Malwarebytes & AVG 2015. I tried to run a new copy of Malwarebytes downloaded, but it would not respond.

Attached Files


  • 0

#37
BrianDrab

    Trusted Helper

  • Malware Removal
  • 3,583 posts

Thank you. I'm wondering if you would be open to the following. We could do a physical to virtual conversion of your machine (basically this will create a .VHD file) and I could provide a private link for you to upload this as we wouldn't want it on the public forum.

 

I'll then be able to restore the .VHD file into a virtual machine and then be able to do some more serious fixes and analysis. If I figure out the issue then I can just provide a fix for you. If you are open to this let me know and I'll provide instructions for doing so.

 

 


  • 0

#38
broadcastec

    Member

  • Topic Starter
  • Member
  • 71 posts

Brian, I'm agreeable to having you do a physical to virtual conversion.


  • 0

#39
BrianDrab

    Trusted Helper

  • Malware Removal
  • 3,583 posts

Excellent. Let's give it a go.

 

Step#1 - Create a New Local User Account

1. Create a new local user account on the machine named G2G. Set a password for this account. Send me a PM with the password.

2. Ensure that you add this user to the local Administrators group on the machine.

 

Step#2 - Disk2VHD

Note: You will be able to use your machine while this runs although it may be a little slower until complete.

1. Download Disk2VHD.exe and save to your desktop.

2. Open the program and accept the EULA.

3. Unless you want to change the path to where the VHDX file is saved you can accept all the defaults and click Create. It will use around 121 GB and you have plenty of space to store it at the default location. If you have an external USB drive that you want to store it on instead you can plug it in and change the path as long as it's bigger than about 121 GB.

 

Let me know when it's complete and we'll continue.


  • 0

#40
broadcastec

    Member

  • Topic Starter
  • Member
  • 71 posts

I have set up the account as you requested, however after I press the "create" button on Disk2vhd, within a second or two, I get a red-x message "Error Snapshotting Volumes" and it ceases to operate. Any suggestions?


  • 0



#41
BrianDrab

    Trusted Helper

  • Malware Removal
  • 3,583 posts

Bummer. Can you do the following?

 

1. Click your Start button. Type cmd in the search box and then right-click on cmd in the search results and select Run as administrator. Answer Yes to the UAC prompt.

2. Copy/Paste the following into the command prompt window and hit enter.

vssadmin list writers >1 && notepad 1

 

3. Notepad will open when complete. Please paste or attach this text file.

 

Thank you.


  • 0

#42
broadcastec

    Member

  • Topic Starter
  • Member
  • 71 posts

I still can't right-click/paste to any site on IE11... attached file is the result of the cmd exercise. Just out of curiosity, on the program you wanted me to run, I unchecked the x's from Factory Image & System and just ran the larger "C" alone and it worked without interruption. I did not let it go for long, as I saw your new idea and stopped the creation process.

Attached Files


  • 0

#43
BrianDrab

    Trusted Helper

  • Malware Removal
  • 3,583 posts

I see lots of people having the same issue where it will work if you select just one of them or two of them but not all. I see the following from the log.

 

Writer name: 'ASR Writer'
   Writer Id: {be000cbe-11fe-4426-9c58-531aa6355fc4}
   Writer Instance Id: {c066a2ed-d534-4fd8-baa7-574de470da65}
   State: [8] Failed
   Last error: Inconsistent shadow copy

 

Explanation of this from here.

 

Automated System Recovery (ASR) Writer

The ASR writer stores the configuration of disks on the system. This writer reports the Boot Configuration Database (BCD) and is also responsible for dismounting the registry hive that represents the BCD during shadow copy creation. The ASR writer must be included in any backups required for bare-metal recovery.

 

 

 

Can you reboot your machine and then perform my previous step again before doing anything else (i.e. vssadmin list writers)? I want to see if it shows this writer as failed immediately after a reboot or if it was put in this state by running the Disk2VHD.


  • 0
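As an added example, not from the thread or from any Microsoft tool: a small parser for `vssadmin list writers` output that flags writers in the state the ASR Writer is in above, so the "check again after a reboot" step can be scripted rather than read by eye. The sample output is constructed in the layout vssadmin prints; only the ASR Writer block and its ids are taken from the user's log, the Registry Writer block uses placeholder ids.

```python
import re
from typing import Dict, List, Optional

NAME_RE = re.compile(r"^Writer name:\s*'(?P<name>.*)'\s*$")
FIELD_RE = re.compile(r"^\s*(?P<key>Writer Id|Writer Instance Id|State|Last error):\s*(?P<value>.*)$")
STATE_RE = re.compile(r"^\[(?P<code>\d+)\]\s*(?P<label>.*)$")


def parse_writers(text: str) -> List[Dict[str, object]]:
    """Turn `vssadmin list writers` output into one dict per writer."""
    writers: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            current = {"name": m.group("name")}
            writers.append(current)
            continue
        m = FIELD_RE.match(line)
        if m is None or current is None:
            continue  # banner, blank lines, or anything before the first writer
        key, value = m.group("key"), m.group("value").strip()
        if key == "State":
            s = STATE_RE.match(value)           # e.g. "[8] Failed" -> code 8, label "Failed"
            current["state_code"] = int(s.group("code")) if s else None
            current["state"] = s.group("label").strip() if s else value
        else:
            current[key.lower().replace(" ", "_")] = value
    return writers


def unhealthy_writers(text: str) -> List[Dict[str, object]]:
    """Writers that are not Stable with 'No error'; any of these will make a VSS-based snapshot fail."""
    return [w for w in parse_writers(text)
            if w.get("state") != "Stable" or w.get("last_error") != "No error"]


# Constructed sample output. The ASR Writer block is the one quoted from the log above;
# the Registry Writer block and its ids are placeholders.
SAMPLE_OUTPUT = """\
Writer name: 'Registry Writer'
   Writer Id: {00000000-0000-0000-0000-000000000001}
   Writer Instance Id: {00000000-0000-0000-0000-000000000002}
   State: [1] Stable
   Last error: No error

Writer name: 'ASR Writer'
   Writer Id: {be000cbe-11fe-4426-9c58-531aa6355fc4}
   Writer Instance Id: {c066a2ed-d534-4fd8-baa7-574de470da65}
   State: [8] Failed
   Last error: Inconsistent shadow copy
"""
```

Feeding it the text file produced by `vssadmin list writers >1` before and after a reboot shows directly whether the writer was already failed or was put in that state by the snapshot attempt.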

#44
broadcastec

    Member

  • Topic Starter
  • Member
  • 71 posts

"After Reboot" is the notepad file you are looking for. Oddly enough, this was the 2nd reboot after I shut it down as per your request. The first brought up a blue screen with loads of writing on it, scrolling, and the only thing I caught was at the very bottom, two entries, "collecting data for crash dump." Upon the self-reboot, an error message popped up and the contents of the details from that message are on the "Collecting Data" file attached.

Attached Files


  • 0

#45
BrianDrab

    Trusted Helper

  • Malware Removal
  • 3,583 posts

OK, looks like the writer fails when we attempt the conversion. I have another idea.

 

Can you copy the C:\Windows\Memory.dmp to your desktop and then zip it up? Upload it to SendSpace and provide the link here.

 

Also do the following.

 

1. Click your Start button and then Right-Click on Computer and select Manage.
2. Select Storage -> Disk management.

3. On the bottom half of the screen can you tell me what each partition shows? If you know how to take a screen shot, you can do this as well and attach. As an example, a VM I have shows the following.

Disk 0

System Reserved

100 MB NTFS

Healthy (System, Active, Primary Partition)

 

(C:)

59.90 GB NTFS

Healthy (Boot, Page File, Crash Dump, Primary Partition)

 

In the top half of the screen you will also see a column that shows Free Space. If you could provide that as well. In my example 72 MB are Free on the System Reserved partition and 22.35 GB on the (C:) partition.

 

Thank you so much.
 


  • 0





