Unable to boot - MBAMSwissArmy.sys


Hi,

I was casually watching YouTube videos yesterday and suddenly the whole computer froze without warning. I did the hold power button for 5 seconds to turn it off after trying CTRL + ALT + DEL which didn't work. When I turned it back on, put in my Motherboard password, fine, great, put in my BitLocker password, fine great, then it stuck. It said:

The operating system could not be loaded because a required file is missing or contains errors.

Windows\System32\Drivers\mbamswissarmy.sys

error code: 0xc000007b

I did the typical thing of trying to reboot it normally, tried to put it in safe mode with no luck etc etc. I did panicked googling and have seen others had this problem before and fixed it: https://forums.malwarebytes.com/topic/205132-error-on-startup-mbamswissarmysys/ & https://forums.malwarebytes.com/topic/214745-laptop-will-not-boot/ and I did the FRST on a memory stick and managed to run it. Attached is my log from it and I'm hoping someone can help, I'd really love to NOT do a whole reinstall if I can help it.

 

Any help at all would be greatly appreciated!

 

 

FRST.txt


Hi there,

I have waited 4 days without a response. As I'm sure you can appreciate, this is very frustrating for me, especially as I have Asperger's Syndrome as this makes it all the more concerning for me. I have attached the FRST.txt to my post above following your instructions here: https://forums.malwarebytes.com/topic/214745-laptop-will-not-boot/

I presume I would need a unique fixlist.txt file which is why I haven't used the ones in that thread. I know the Drive isn't the issue as I have been able to recover data from it using my backup OS on a different drive. Hence it must be something crashing it on startup and Windows Startup Recovery is unable to sort anything. Nor am I able to boot it in safe mode or anything. The only way I have been able to get the CMD prompt up is using the repair function on the Win10 disc I have made.

Any help on this would be appreciated as it does appear to be some kind of problem with Malwarebytes interfering with the startup process.

 


Nope. Check. This is from the first FRST.txt log you posted:

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SecurityHealth] => C:\Program Files\Windows Defender\MSASCuiL.exe [630168 2017-09-29] (Microsoft Corporation)
HKLM\...\Run: [Classic Start Menu] => C:\Program Files\Classic Shell\ClassicStartMenu.exe [163800 2016-07-30] (IvoSoft)
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [323056 2015-11-04] (Intel Corporation)
HKLM\...\Run: [ShadowPlay] => "C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM-x32\...\Run: [WD Quick View] => C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe [5571944 2016-04-19] (Western Digital Technologies, Inc.)
HKLM-x32\...\Run: [DriveUtilitiesHelper] => C:\Program Files (x86)\Western Digital\WD Utilities\WDDriveUtilitiesHelper.exe [1953688 2016-08-05] (Western Digital Technologies, Inc.)
HKLM-x32\...\Run: [WD Drive Unlocker] => C:\Program Files (x86)\Western Digital\WD Security\WDDriveAutoUnlock.exe [1767816 2016-08-05] (Western Digital Technologies, Inc.)
HKLM-x32\...\Run: [Dropbox] => C:\Program Files (x86)\Dropbox\Client\Dropbox.exe [3567928 2017-12-14] (Dropbox, Inc.)
HKLM-x32\...\Run: [WDAppManager] => C:\Program Files (x86)\Western Digital\WD App Manager\AppManagerLauncher.exe [21384 2017-03-21] (Western Digital Technologies, Inc.)
HKLM-x32\...\Run: [GfK SE EdgeTracker] => C:\Program Files (x86)\GfK Internet-Monitor\EdgeTracker\0.2.9\GfK SE EdgeTracker.exe [1024480 2017-11-08] (GfK SE)
HKLM-x32\...\Run: [GfK SE Login Interface] => C:\Program Files (x86)\GfK Internet-Monitor\LoginInterface\2.1.10\GfK SE Login Interface.exe [687624 2017-11-08] (GfK SE)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2017-09-05] (Oracle Corporation)
HKLM-x32\...\Run: [PowerPDF Registry Controller] => C:\Program Files (x86)\Nuance\Power PDF 21\RegistryController.exe [274216 2017-05-16] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PowerPDFInboxMonitor] => C:\Program Files (x86)\Nuance\Power PDF 21\InboxMonitor.exe [255544 2017-05-16] (Nuance Communications, Inc.)
HKU\Default\...\RunOnce: [WAB Migrate] => C:\Program Files\Windows Mail\wab.exe [519680 2017-09-29] (Microsoft Corporation)
HKU\Default User\...\RunOnce: [WAB Migrate] => C:\Program Files\Windows Mail\wab.exe [519680 2017-09-29] (Microsoft Corporation)
HKU\defaultuser0\...\RunOnce: [WAB Migrate] => C:\Program Files\Windows Mail\wab.exe [519680 2017-09-29] (Microsoft Corporation)
HKU\Richa\...\Run: [f.lux] => C:\Users\Richa\AppData\Local\FluxSoftware\Flux\flux.exe [1676280 2017-11-28] (f.lux Software LLC)
HKU\Richa\...\Run: [Steam] => C:\Program Files (x86)\Steam\steam.exe [3111712 2017-12-15] (Valve Corporation)
HKU\Richa\...\Run: [GoogleDriveSync] => C:\Program Files (x86)\Google\Drive\googledrivesync.exe [41061856 2017-11-20] ()
HKU\Richa\...\Run: [Discord] => C:\Users\Richa\AppData\Local\Discord\app-0.0.299\Discord.exe [57954808 2017-12-11] (Discord Inc.)
HKU\Richa\...\Run: [inCompass] => C:\Program Files\inCompass\UsageMonitor.UI.App.exe [341264 2016-12-12] (RealityMine Ltd)
HKU\Richa\...\Run: [inCompassHealthcheck] => C:\Program Files\inCompass\UsageMonitor.HealthCheck.exe [11024 2016-12-12] (RealityMine Ltd)
HKU\Richa\...\Run: [DVSFreeVideoCallRecorder] => "C:\Program Files (x86)\DVDVideoSoft\Free Video Call Recorder for Skype\FreeVideoCallRecorder.exe" /minimized
HKU\Richa\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [27832264 2017-10-06] (Skype Technologies S.A.)
Lsa: [Notification Packages] scecli C:\Program Files\TrueKey\McAfeeTrueKeyPasswordFilter
Startup: C:\Users\Richa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Telegram.lnk [2016-10-06]
ShortcutTarget: Telegram.lnk -> C:\windows\system32\config\systemprofile\AppData\Roaming\Telegram Desktop\Telegram.exe (No File)
GroupPolicy: Restriction <==== ATTENTION

This is from the second. Notice how there's almost nothing left?

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SecurityHealth] => C:\Program Files\Windows Defender\MSASCuiL.exe [630168 2017-09-29] (Microsoft Corporation)
Startup: C:\Users\Richa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Telegram.lnk [2016-10-06]
ShortcutTarget: Telegram.lnk -> C:\windows\system32\config\systemprofile\AppData\Roaming\Telegram Desktop\Telegram.exe (No File)
GroupPolicy: Restriction <==== ATTENTION

In fact, in the second log, there are no traces of Malwarebytes installed at all.

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 igfxCUIService2.0.0.0; C:\Windows\system32\igfxCUIService.exe [365040 2017-10-20] (Intel Corporation)
S2 NVDisplay.ContainerLocalSystem; C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe [462968 2017-10-27] (NVIDIA Corporation)
S3 Sense; C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe [4329952 2017-11-26] (Microsoft Corporation)
S2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [10945776 2017-12-15] (TeamViewer GmbH)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [355304 2017-09-29] (Microsoft Corporation)
S2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [105944 2017-09-29] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 nvlddmkm; C:\Windows\System32\DriverStore\FileRepository\nv_ref_pubwu.inf_amd64_2e7fa54192fe16d0\nvlddmkm.sys [16936048 2017-11-09] (NVIDIA Corporation)
S3 rt640x64; C:\Windows\System32\drivers\rt640x64.sys [604160 2017-09-29] (Realtek )
S3 smbdirect; C:\Windows\System32\DRIVERS\smbdirect.sys [151552 2017-09-30] (Microsoft Corporation)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44608 2017-09-29] (Microsoft Corporation)
S0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [309144 2017-09-29] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [119192 2017-09-29] (Microsoft Corporation)

 

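The comparison made by hand in the reply above can be scripted. This is an added example, not part of the original thread and not FRST's own code: it parses the section headers and entry lines of two FRST.txt logs and reports, per section, what disappeared between them. The function names and the 0.5 overlap threshold are assumptions chosen for illustration.

```python
import re

SECTION = re.compile(r"^=+ (.+?) =+$")              # ==== Registry (Whitelisted) ====
AUTORUN = re.compile(r"^(HK[^:]+): \[(.+?)\] => ")  # HKLM\...\Run: [Name] => path
SERVICE = re.compile(r"^[RSU]\d (\S+); ")           # S2 Name; path

def parse_frst(text):
    """Map each FRST section title to the set of entry names it lists."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := SECTION.match(line):
            current = sections.setdefault(m.group(1), set())
        elif current is not None:
            if m := AUTORUN.match(line):
                current.add(f"{m.group(1)} [{m.group(2)}]")
            elif m := SERVICE.match(line):
                current.add(m.group(1))
    return sections

def compare_logs(first, second):
    """Per section: entries only in the first log, only in the second, and Jaccard overlap."""
    a, b = parse_frst(first), parse_frst(second)
    report = {}
    for name in sorted(a.keys() | b.keys()):
        old, new = a.get(name, set()), b.get(name, set())
        report[name] = {"missing": sorted(old - new), "added": sorted(new - old),
                        "overlap": len(old & new) / max(len(old | new), 1)}
    return report

def likely_different_install(report, threshold=0.5):
    """Heuristic (assumed threshold): low overlap in any section suggests another Windows install."""
    return any(r["overlap"] < threshold for r in report.values())

# Constructed samples: Registry lines abridged from the post above; LOG_1's Services lines are made up.
LOG_1 = r"""
==================== Registry (Whitelisted) ===========================
HKLM\...\Run: [SecurityHealth] => C:\Program Files\Windows Defender\MSASCuiL.exe
HKLM-x32\...\Run: [Dropbox] => C:\Program Files (x86)\Dropbox\Client\Dropbox.exe
HKU\Richa\...\Run: [Steam] => C:\Program Files (x86)\Steam\steam.exe
==================== Services (Whitelisted) ====================
S2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe
S2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe
"""
LOG_2 = r"""
==================== Registry (Whitelisted) ===========================
HKLM\...\Run: [SecurityHealth] => C:\Program Files\Windows Defender\MSASCuiL.exe
==================== Services (Whitelisted) ====================
S2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe
S2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
"""
```

Calling `compare_logs(LOG_1, LOG_2)` lists the autoruns and services that vanished between the two scans; when most of them are gone at once, the second scan most likely targeted a different Windows installation rather than a cleaned-up one.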

Okay, I have an update:

After scratching my head for a while, I think I know what happened. You were right, as I have multiple OSes installed (2), one as main and one as backup. I was getting confused as I had to enter my BitLocker recovery key to access the non-bootable drive and so that's why I thought it was the same. I applied the fixlist to the correct drive and I got some progress as it finally booted. I got to the login screen, logged on fine, then it froze completely. I restarted manually (power button 5 secs) and I'm now at various points of functionality, on some restarts I get to desktop, others I'm stuck on logon with no response despite mouse movement on screen and keyboard inputs. I managed to get it into safe mode with networking with a view of uninstalling Malwarebytes as in the other thread I linked but it froze on me.

I have attached the fixlog and a new FRST file if it's any help. Otherwise I'm not sure where to go from here. A friend of mine thinks it might be a virus but I'm not sure how as everything was working fine before this. Ideally if I have to redo windows I'd like to do it with minimal damage to the filesystem (i.e. keep my personal files intact) but if I have to do over then I'll do over as I managed to recover most if not all the files off the drive using the backup OS.

Do let me know what you think the next best course of action is. Thanks!

FRST.txt

Fixlog.txt


Update: I managed to boot it into Safe Mode and uninstall Malwarebytes through the control panel, I also then used the Malwarebytes Clean Uninstall Tool afterwards. I managed to reboot into normal boot mode and reinstalled Malwarebytes cleanly, ran a scan and it's come up with nothing. I will see if it boots normally tomorrow but it might be fixed, will confirm after a few trials.


Further Update: Looks like I got my hopes up for nothing. It does seem to make it to the Desktop and almost to the point I can do things with it, but it experiences a complete system freeze consistently within about 30 seconds of logging in, completely unresponsive to mouse movement, clicks, typed responses (e.g. CTRL + ALT + DEL) or anything. I have no idea what's wrong with this machine... any ideas?

By chance I did manage to get a full FRST once I was logged in, don't know if that's any further help?

mb-clean-results.txt

Addition.txt

FRST.txt


Alright, we'll do a sweep with AdwCleaner and RogueKiller just to rule out malware, but like I said, you aren't infected except for hijacked proxy settings, so I doubt that malware is the culprit here.

AdwCleaner - Fix Mode

  • Download AdwCleaner and move it to your Desktop
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply

RogueKiller

  • Download the right version of RogueKiller for your Windows version (32 or 64-bit)
  • Once done, move the executable file to your Desktop, right-click on it and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Start Scan button in the right panel, which will bring you to another tab, and click on it again (this time it'll be in the bottom right corner)
  • Wait for the scan to complete
  • On completion, the results will be displayed
  • Check every single entry (threat found), and click on the Remove Selected button
  • On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)
  • This will open the report in Notepad. Copy/paste its content in your next reply

Your next reply(ies) should therefore contain:

  • Copy/pasted AdwCleaner clean log
  • Copy/pasted RogueKiller clean log


There's nothing in these logs that could explain the issue you're having. Let's make sure your hard drive isn't failing.

GSmartControl
Follow the instructions below to test your hard drive health with GSmartControl:

  • Download GSmartControl and save it on your Desktop;
  • Extract the content of the GSmartControl .zip archive and execute gsmartcontrol.exe;
  • Identify your drive in the list, and double-click on it to bring up its window (usually you'll find your drive by its size or its brand name);
  • Go in the Perform Tests tab, then select Extended Self-test in the Test type drop-down list and click on Execute (this test can take a few hours to complete);
  • Once the test is over, the results will be displayed at the bottom of the window. Please copy and paste these results in your next reply;
  • Also, go in the Attributes tab and if you have any entries highlighted in red or pink, copy and paste their name in your next reply (or take a screenshot of the GSmartControl window and attach it in your next reply);
