PaulHartley

Everything posted by PaulHartley

  1. Hi Rubber Ducky, I suspect that the bluescreen is caused by Malwarebytes attempting to delete Ntdll.dll on reboot, as this file is a protected system file. Previously, when things went wrong with it in Vista, it was easier to remove the hard drive, mount it in a USB caddy and work on it as a slave drive. Once I had removed the mbam-log xml files from the logs folder the bluescreens stopped, but it still kept repeatedly rebooting, just without the bluescreens. When I went into the recovery console in advanced mode, doing a simple startup repair failed and the repair report told me the file was missing, but the repair didn't put it back. Initially, when I was trying to figure it out, the report stated that the file was missing even though the file was clearly still there, and it did not matter what version of Ntdll.dll I used, the repair would still not see the file was present! When I copied the quarantined file into place, renamed it and rebooted, it did boot through to desktop, so I suspect that you may be correct and that the presence of an unreadable file rather than simply an absent file may have triggered a self repair pulling a recovered file from somewhere else. My problem was that I had a number of users with this issue at remote locations all over the UK, and the only usable user interface they had to work with was the command prompt in recovery console, as they could not boot into Windows fully and recovery console would not find any removable USB drives to copy a clean copy onto the failed machine or copy the encrypted files off to recover on a clean machine. These users also had no ability to remove their hard drives and caddy them up on a second machine, so they could only go with what they had on their local drive.
I figured that renaming the original file and then copying the quarantined file into the gap left by this action, or if the file was missing, was probably not going to do any further damage given that startup repair wasn't seeing the file anyway. I may be wrong, but I suspect that trying to restore the ntdll.dll file from quarantine once the machine has been recovered to a desktop may just trigger another bluescreen loop as Malwarebytes attempts to overwrite a protected file, so I didn't attempt that course of action in case it got me into further bother. I've offered this solution here simply as a quick and dirty work-around and nothing more. I leave it to you guys to come up with a more elegant and lasting fix. I'm just happy to help :0)
  2. Hi Blender, Regardless of whether renaming the file does the job or whether the presence of the encrypted file prompts Windows to see it as a corrupted file and automatically replace it, the method I detailed has allowed me to get several machines to boot to a desktop today. I'm sure that you guys may come up with a more elegant way of reviving those machines presently going around in circles rebooting into a bluescreen, but for now, in the absence of any other solution, it's a starting point. Folks could instead use command prompt from the advanced recovery console and copy the file found at x:\windows\system32\ntdll.dll into place at c:\windows\system32 instead, or even type SFC /scannow at the command prompt to force Windows to fix the issue.
  3. Hi Guys, For all of you with machines that are blue screening I have a quick and dirty fix. Get into advanced recovery mode where you have a command prompt and delete the latest mbam-log xml file in the directory \ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs. You can now reboot the machine and it should boot without blue screening, but in the event that it just reboots, go into advanced recovery once more, bring up command prompt and go to the quarantine folder here: \ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Quarantine. Look for the latest quarantined files; there should be several that are all about 1.2mb in size and were created with today's date. These are renamed copies of the Ntdll.dll file. Rename one of these files and then copy it back to windows\system32\ and reboot, and the machine will reboot to the login screen and you can log in to the desktop.
  4. I have found a fix for this. Ntdll.dll is a protected file and it is set to be removed on reboot - hence the bluescreen when it tries to do this. In my case I removed the xml log files from the logs directory in the Malwarebytes folder in programdata and then, on the first machine I tried, I rebooted and the machine booted to the login screen. On a second it went through a registry check and then rebooted to Windows recovery. Once in recovery I went to advanced recovery and, using command prompt, checked for the presence of ntdll.dll in the windows\system32 folder. It was missing, so I copied one of the several renamed copies of this file from the Malwarebytes quarantine folder on the local machine, renamed it ntdll.dll and then rebooted, and the machine booted up to a login screen. The key points:
     • Stop Malwarebytes removing the protected system file to stop the bluescreen
     • Replace the Ntdll.dll file with either one from quarantine or another machine