Stuck in boot loop - "mbamswissarmy.sys"


Oroko

Running on Windows 10 64-bit

I decided to boot up an old laptop and ended up performing a system restore. The process never completed and now I'm in a bootloop. The error points to mbamswissarmy.sys as the issue.

Any help with getting my laptop to boot would be greatly appreciated.


FRST txt gave me the following:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 02.01.2018
Ran by SYSTEM on MININT-D5FPF6M (09-01-2018 21:47:23)
Running from d:\
Platform: Windows 10 Home Version 1607 14393.1884 (X64) Language: English (United States)
Internet Explorer Version 11
Boot Mode: Recovery
Default: ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [450048 2009-07-21] (IDT, Inc.)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Java\jre6\bin\jusched.exe [171520 2009-11-14] (Sun Microsystems, Inc.)
HKLM\...\Run: [WindowsDefender] => C:\Program Files\Windows Defender\MSASCuiL.exe [631808 2017-04-27] (Microsoft Corporation)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1814312 2009-08-14] (Synaptics Incorporated)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [297784 2017-10-19] (Apple Inc.)
HKLM-x32\...\Run: [QlbCtrl.exe] => C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe [322104 2009-08-20] ( Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [35696 2009-02-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Java\jre6\bin\jusched.exe [149280 2009-11-14] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [54576 2008-12-08] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [WirelessAssistant] => C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [498744 2009-07-23] (Hewlett-Packard)
HKLM-x32\...\Run: [DivXMediaServer] => C:\Program Files (x86)\DivX\DivX Media Server\DivXMediaServer.exe [448856 2014-08-18] (DivX, LLC)
HKLM-x32\...\Run: [DivXUpdate] => C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe [1861968 2014-01-09] ()
HKLM-x32\...\Run: [Dropbox] => C:\Program Files (x86)\Dropbox\Client\Dropbox.exe [3567928 2017-11-13] (Dropbox, Inc.)
HKLM\...\RunOnce: [*Restore] => C:\WINDOWS\system32\rstrui.exe [268288 2016-07-16] (Microsoft Corporation)
HKU\DefaultAppPool\...\RunOnce: [WAB Migrate] => C:\Program Files\Windows Mail\wab.exe [516608 2016-07-16] (Microsoft Corporation)
HKU\Vonnie\...\Run: [GoogleChromeAutoLaunch_4A359349AB278D655DA937C97D6C241B] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [1556312 2017-11-10] (Google Inc.)

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2017-10-11] (Apple Inc.)
S2 dbupdate; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2017-09-08] (Dropbox, Inc.)
S3 dbupdatem; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2017-09-08] (Dropbox, Inc.)
S2 DbxSvc; C:\Windows\system32\DbxSvc.exe [51016 2017-11-13] (Dropbox, Inc.)
S2 HPSupportSolutionsFrameworkService; C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe [323952 2017-09-27] (HP Inc.)
S2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6058960 2017-08-07] (Malwarebytes)
S2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [247152 2009-07-06] ()
S2 ss_conn_service; C:\Program Files\SAMSUNG\USB Drivers\25_escape\conn\ss_conn_service.exe [743688 2014-10-12] (DEVGURU Co., LTD.)
S2 SynTPEnhService; C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe [253960 2016-03-30] (Synaptics Incorporated)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347320 2017-04-27] (Microsoft Corporation)
S2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103704 2017-10-08] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 dg_ssudbus; C:\Windows\system32\DRIVERS\ssudbus.sys [131712 2016-09-05] (Samsung Electronics Co., Ltd.)
S0 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [252232 2017-11-23] ()
S3 NetAdapterCx; C:\Windows\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
S3 ssudmdm; C:\Windows\system32\DRIVERS\ssudmdm.sys [165504 2016-09-05] (Samsung Electronics Co., Ltd.)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
S0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)
S3 idsvc; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-01-09 21:47 - 2018-01-09 21:47 - 000000000 ____D C:\FRST

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-01-09 21:42 - 2017-11-23 03:10 - 000000000 _____ C:\Recovery.txt

Some files in TEMP:
====================
2017-08-04 21:34 - 2017-09-14 13:21 - 000079904 _____ () C:\Users\Vonnie\AppData\Local\Temp\i4jdel0.exe
2017-11-19 15:57 - 2017-10-17 11:01 - 000927784 _____ () C:\Users\Vonnie\AppData\Local\Temp\TAInstaller.exe
2016-10-12 04:08 - 2016-10-12 04:09 - 030533688 _____ () C:\Users\Vonnie\AppData\Local\Temp\vlc-2.2.4-win32.exe
2017-06-06 10:46 - 2017-06-06 10:51 - 030950664 _____ () C:\Users\Vonnie\AppData\Local\Temp\vlc-2.2.6-win32.exe

==================== Known DLLs (Whitelisted) =========================


==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe
[2017-07-12 15:44] - [2017-06-20 22:39] - 000673792 _____ (Microsoft Corporation) CB440E1C4EC9C369EC9DD07B48A83F36

C:\Windows\System32\wininit.exe
[2017-11-14 16:05] - [2017-10-08 18:24] - 000304232 _____ (Microsoft Corporation) 5CB4612F106B3C69CE99335AEF034A2B

C:\Windows\explorer.exe
[2017-08-08 14:51] - [2017-07-11 21:55] - 004674872 _____ (Microsoft Corporation) 577119EC77525D3F80FFB03BFACC17D4

C:\Windows\SysWOW64\explorer.exe
[2017-08-08 14:54] - [2017-07-11 21:52] - 004312760 _____ (Microsoft Corporation) 54210509B3129D716D6C9C5775710598

C:\Windows\System32\svchost.exe
[2016-07-16 03:42] - [2016-07-16 03:42] - 000044496 _____ (Microsoft Corporation) 36F670D89040709013F6A460176767EC

C:\Windows\SysWOW64\svchost.exe
[2016-07-16 03:42] - [2016-07-16 03:42] - 000038792 _____ (Microsoft Corporation) 1F8434DD4907C832E6E90D6298EAB85B

C:\Windows\System32\services.exe
[2017-09-12 19:04] - [2017-08-07 21:45] - 000453544 _____ (Microsoft Corporation) 29C7C9F0FE9F048FB47DEE5F66134940

C:\Windows\System32\User32.dll
[2017-10-11 09:43] - [2017-09-17 18:57] - 001460696 _____ (Microsoft Corporation) BAB449E496892494C1E8152A25A1E867

C:\Windows\SysWOW64\User32.dll
[2017-10-11 09:58] - [2017-09-17 18:49] - 001435896 _____ (Microsoft Corporation) 99216EEF4FE75AB440C4168E5420BFBC

C:\Windows\System32\userinit.exe
[2016-07-16 03:42] - [2016-07-16 03:42] - 000033280 _____ (Microsoft Corporation) C1B1FFC800BE2F31EB2CF8CB40629C69

C:\Windows\SysWOW64\userinit.exe
[2016-07-16 03:42] - [2016-07-16 03:42] - 000027648 _____ (Microsoft Corporation) FA900E6CCCF0A429D5B720C6F0E2274B

C:\Windows\System32\rpcss.dll
[2017-05-10 03:43] - [2017-04-27 15:41] - 000890368 _____ (Microsoft Corporation) 4A7015195E49A3BA7DB967B277B21E9D

C:\Windows\System32\dnsapi.dll
[2017-10-11 09:40] - [2017-09-17 19:09] - 000646688 _____ (Microsoft Corporation) 2DA9DA17F0FE6C0A8598EBBB1E59E320

C:\Windows\SysWOW64\dnsapi.dll
[2017-10-11 09:56] - [2017-09-17 19:05] - 000497424 _____ (Microsoft Corporation) C1A05F68C92A8B9D4D5A3D4953427154

C:\Windows\System32\Drivers\volsnap.sys
[2017-11-14 16:05] - [2017-10-08 18:25] - 000392024 _____ (Microsoft Corporation) 8F8887440BC649ABEC29FACEE7B5389F


BCD (recoveryenabled=No -> recoveryenabled=Yes) <==== restored successfully

==================== Association (Whitelisted) =============


==================== Restore Points  =========================

Restore point date: 2017-11-14 16:19
Restore point date: 2017-11-21 21:39
Restore point date: 2017-11-22 22:57
Restore point date: 2018-01-09 20:35

==================== Memory info =========================== 

Percentage of memory in use: 25%
Total physical RAM: 3836.2 MB
Available physical RAM: 2850.48 MB
Total Virtual: 3836.2 MB
Available Virtual: 2889.72 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:451.54 GB) (Free:283 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive d: () (Removable) (Total:0.94 GB) (Free:0.93 GB) FAT
Drive f: (RECOVERY) (Fixed) (Total:13.92 GB) (Free:2.29 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive g: (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.09 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.5 GB) (Free:0.49 GB) NTFS
Drive y: () (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS ==>[system with boot components (obtained from drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 8AE1E4AE)
Partition 1: (Active) - (Size=199 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=451.5 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=13.9 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=103 MB) - (Type=0C)

========================================================
Disk: 1 (Size: 961 MB) (Disk ID: 698097FE)
Partition 1: (Not Active) - (Size=961 MB) - (Type=06)

LastRegBack: 2017-11-18 20:47

==================== End of FRST.txt ============================


Hello Oroko and welcome to Malwarebytes....

From your spare PC Save the attached file fixlist.txt to your flash drive, same place as FRST.

Plug Flashdrive back into Sick PC, Run System Recovery Options as you did to get the log.

Run FRST and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply. Does your PC boot ok now...?

Thank you,

Kevin...

 

fixlist.txt


28 minutes ago, kevinf80 said:

Hello Oroko and welcome to Malwarebytes....

From your spare PC Save the attached file fixlist.txt to your flash drive, same place as FRST.

Plug Flashdrive back into Sick PC, Run System Recovery Options as you did to get the log.

Run FRST and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply. Does your PC boot ok now...?

Thank you,

Kevin...

 

fixlist.txt

Hello Kevin,

Unfortunately I'm still getting the same boot error :unsure:. Here are my fixlog.txt results:

Fix result of Farbar Recovery Scan Tool (x64) Version: 02.01.2018
Ran by SYSTEM (10-01-2018 01:36:39) Run:1
Running from h:\
Boot Mode: Recovery
==============================================

fixlist content:
*****************
Start
HKLM\...\RunOnce: [*Restore] => C:\WINDOWS\system32\rstrui.exe [268288 2016-07-16] (Microsoft Corporation)
End
*****************

"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\\*Restore" => removed successfully

==== End of Fixlog 01:36:39 ====


From your spare PC Save the attached file fixlist.txt to your flash drive, same place as FRST.

Plug Flashdrive back into Sick PC, Run System Recovery Options as you did to get the log.

Run FRST and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply. Does your PC boot ok now...?

Thank you,

Kevin...

fixlist.txt


7 hours ago, kevinf80 said:

From your spare PC Save the attached file fixlist.txt to your flash drive, same place as FRST.

Plug Flashdrive back into Sick PC, Run System Recovery Options as you did to get the log.

Run FRST and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply. Does your PC boot ok now...?

Thank you,

Kevin...

fixlist.txt

So, I've gotten past the blue error screen but I still can't boot completely. I'm able to get to the Windows loading screen (with the dotted circle animation) but after a few seconds, the animation disappears and I'm left with a black screen instead of the Welcome screen.

Here is the txt log:

Fix result of Farbar Recovery Scan Tool (x64) Version: 02.01.2018
Ran by SYSTEM (10-01-2018 04:04:22) Run:2
Running from h:\
Boot Mode: Recovery
==============================================

fixlist content:
*****************
Start
LastRegBack: 2017-11-18 20:47 
End
*****************

DEFAULT => copied successfully to System32\config\HiveBackup
DEFAULT => restored successfully from registry back up
SAM => copied successfully to System32\config\HiveBackup
SAM => restored successfully from registry back up
SECURITY => copied successfully to System32\config\HiveBackup
SECURITY => restored successfully from registry back up
SOFTWARE => copied successfully to System32\config\HiveBackup
SOFTWARE => restored successfully from registry back up
SYSTEM => copied successfully to System32\config\HiveBackup
SYSTEM => restored successfully from registry back up

==== End of Fixlog 04:04:31 ====

 


From your spare PC Save the attached file fixlist.txt to your flash drive, same place as FRST.

Plug Flashdrive back into Sick PC, Run System Recovery Options as you did to get the log.

Run FRST and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply. Does your PC boot ok now...?

Thank you,

Kevin...

fixlist.txt

Edited by kevinf80
typing error

1 hour ago, kevinf80 said:

From your spare PC Save the attached file fixlist.txt to your flash drive, same place as FRST.

Plug Flashdrive back into Sick PC, Run System Recovery Options as you did to get the log.

Run FRST and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply. Does your PC boot ok now...?

Thank you,

Kevin...

fixlist.txt

Hello again. Unfortunately, the PC is still booting to a black screen :( Here's the log:

Fix result of Farbar Recovery Scan Tool (x64) Version: 02.01.2018
Ran by SYSTEM (10-01-2018 17:44:19) Run:3
Running from h:\
Boot Mode: Recovery
==============================================

fixlist content:
*****************
Start
S0 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [252232 2017-11-23] ()
C:\Windows\System32\Drivers\mbamswissarmy.sys
End
*****************

"HKLM\System\ControlSet001\Services\MBAMSwissArmy" => removed successfully
MBAMSwissArmy => service removed successfully
C:\Windows\System32\Drivers\mbamswissarmy.sys => moved successfully

==== End of Fixlog 17:44:19 ====

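As an added illustration (not part of any post in this thread, and not FRST's own code), the sketch below parses the Drivers section of the FRST.txt posted above and lists boot-start entries with a missing image path or an empty company field, which is the pattern the mbamswissarmy.sys line shows. It assumes the digit after R/S/U is the Windows service Start value (0 = boot); an empty company field is a reason to inspect the file first, not a verdict on it.

```python
import re

# Copied from the "Drivers (Whitelisted)" section of the FRST.txt in this thread.
SAMPLE_DRIVERS = r"""
S3 dg_ssudbus; C:\Windows\system32\DRIVERS\ssudbus.sys [131712 2016-09-05] (Samsung Electronics Co., Ltd.)
S0 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [252232 2017-11-23] ()
S3 NetAdapterCx; C:\Windows\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
S0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
S3 idsvc; no ImagePath
"""

# Assumption: the digit after R/S/U is the service Start value from the registry.
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}

ENTRY = re.compile(r"^(?P<state>[RSU])(?P<start>\d)\s+(?P<name>[^;]+);\s+(?P<rest>.*)$")
DETAIL = re.compile(
    r"^(?P<path>.+?)\s+\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s+\((?P<company>.*)\)$"
)

def parse_entries(text):
    """Parse FRST service/driver lines into dicts; lines of another shape are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        start = int(m["start"])
        entry = {"name": m["name"].strip(), "running": m["state"] == "R",
                 "start": start, "start_type": START_TYPES.get(start, "other"),
                 "path": None, "size": None, "date": None, "company": ""}
        d = DETAIL.match(m["rest"].strip())
        if d:  # entries such as "no ImagePath" carry no file details
            entry.update(path=d["path"], size=int(d["size"]),
                         date=d["date"], company=d["company"].strip())
        entries.append(entry)
    return entries

def boot_start_review(entries):
    """Return (name, reasons) for boot-start entries that deserve a first look."""
    findings = []
    for e in entries:
        if e["start_type"] != "boot":
            continue  # only boot-start drivers load before the OS can recover
        reasons = []
        if e["path"] is None:
            reasons.append("no image path")
        elif not e["company"]:
            reasons.append("empty company field")
        if reasons:
            findings.append((e["name"], reasons))
    return findings

if __name__ == "__main__":
    for name, reasons in boot_start_review(parse_entries(SAMPLE_DRIVERS)):
        print(f"{name}: {', '.join(reasons)}")
```

NetAdapterCx also has an empty company field but is demand-start, so it is not listed; only the boot-start entry is.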

On 1/10/2018 at 5:58 PM, kevinf80 said:

The best way forward is to REFRESH your system, https://www.tenforums.com/tutorials/4090-refresh-windows-10-a.html

Let me know the outcome...

FINALLY!!!!! I've booted successfully :D AHH!

Sorry for the delay but it took a few attempts. The REFRESH option wasn't workable so I used the REPAIR INSTALL option instead, booting via usb. Regardless, I'm back in.

Thanks for all your help!


Thanks for the update, good to hear you are back on track... Will be good idea to clean install Malwarebytes to make sure issue does not return..

Totally Remove Malwarebytes from your system:

Download the latest version of MB-Clean by clicking this link: https://downloads.malwarebytes.com/file/mb_clean save to your Desktop, or a folder of your choice.
 
  • Close all open applications
  • Double-click and run mb-clean.exe
  • A prompt with an option to clean up the system will appear:



Yes - will proceed with backing up the license key (Malwarebytes 3.x only) and initiating the cleanup process. (Recommended)
No - will exit the utility

Once the cleanup process is completed, a prompt will appear:

Yes – will proceed and post reboot you will be prompted to continue with the downloading, installation and activation of latest version of Malwarebytes 3.x (Recommended)
No – will exit the utility and you will not be prompted (post reboot) to download, reinstall and re-activate (Not Recommended)

We recommend rebooting immediately. Additionally, stopping at this step is not recommended and will most likely not resolve your issue(s).

Upon reboot, a prompt will appear:

Yes - will download, install and activate the latest version of Malwarebytes 3.x (Recommended)
No - will exit the utility and the cleanup process is complete...

A log file ("mb-clean-results.txt") will be on your desktop, no need to post that...

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 

This topic is now closed to further replies.