ztr Posted February 3, 2018 ID:1212097 Share Posted February 3, 2018 hi, i've tried helping my dad with his computer - i think i've made some progress, but thought i'd post logs here to be certain. long story short: my dad was/is having issues with blue screening on his computer not sure specifically what causes the blue screens, i can attach the minidumps if you want those. first thing i started with was downloading latest drivers for his motherboard because he mentioned he had a warning in device manager about pci simple communication (or something) i googled this and found installing intel management engine interface resolved it, i then left it a few days for him to use hoping that was the problem, but nope. a few hours ago i thought i'd do some stress tests, i used furmark to stress test the GPU and CPU individually, that didn't cause a blue screen the blue screen also happens when NOT doing anything intense - i was (re)installing some motherboard drivers, when i came to reinstall intel management engine interface the PC crashed during the install. when the computer restarted it got tot he windows logo screen and instantly blue screened it did this every restart. fortunately i was able to boot into safe mode - in there i went into device manager and uninstalled intel management engine interface and restarted, that fixed those blue screens... now i'm back in normal mode, i thought id transfer some tools ive seen here, adwcleaner, rkill, roguekiller, emisoft emergency kit and FRST started off with RKILL, that found nothing. next i ran roguekiller, this found 3 things i think, 2 of which where reimage and PC protect web shield - i'll can attach the file below now when it came to adwcleaner it found quite a few things, i cleaned em all and then i ran into another issue on restart... black screen and cursor only - i restart into safe mode again i ran some of the the tools again and restarted back to normal mode, now i'm back to normal windows desktop i decided i'd run FRST and have you guys check the logs thanks AdwCleaner[C0].txt AdwCleaner[S0].txt AdwCleaner[S1].txt FRST.txt Addition.txt Link to post Share on other sites More sharing options...
kevinf80 Posted February 3, 2018 ID:1212174 Share Posted February 3, 2018 Hello ztr and welcome to Malwarebytes, Open Malwarebytes Anti-Malware. On the Settings tab > Protection Scroll to and make sure the following are selected:Scan for RootkitsScan within Archives Scroll further to Potential Threat Protection make sure the following are set as follows:Potentially Unwanted Programs (PUP`s) set as :- Always detect PUP`s (recommended)Potentially Unwanted Modifications (PUM`s) set as :- Alwaysdetect PUM`s (recommended) Click on the Scan make sure Threat Scan is selected, A Threat Scan will begin. When the scan is complete if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected Tab If asked to restart your computer to complete the removal, please do so When complete click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard. Wait for the prompt to restart the computer to appear, then click on Yes. After the restart once you are back at your desktop, open MBAM once more to retrieve the log. To get the log from Malwarebytes do the following: Click on the Reports tab > from main interface. Double click on the Scan log which shows the Date and time of the scan just performed. Click Export > From export you have two options:Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your replyText file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply Use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply… Next, Zip up and attach this folder: C:\Windows\Minidump Thank you, Kevin... Link to post Share on other sites More sharing options...
ztr Posted February 4, 2018 Author ID:1212272 Share Posted February 4, 2018 hi Kevin, thanks for the reply when i first booted the pc windows wanted to install updates but it failed to do so - i checked windows update history and all recent updates have failed i installed and ran malwarebytes as instructed but i ran into some issues near the end of the scan the computer blue screened and restarted after restarting it blue screened again on the welcome screen next restart it got past the welcome screen but stayed on a black screen with a cursor for about 1-2 mins then the desktop and icons finally shown up also one of the fans is quite loud just on desktop now, i think it's the cpu fan. malwarebytes scan log didn't save due to the crash it seems, the reports section is blank - it found 25 threats when i last seen where it was upto i will attach minidumps for now minidump.zip Link to post Share on other sites More sharing options...
ztr Posted February 4, 2018 Author ID:1212273 Share Posted February 4, 2018 (edited) update: i tried another scan with MBAM and this time it succeeded (26 threats) MBAM log.txt Edited February 4, 2018 by ztr thought i was editing my previous post, turns out it was a new reply, oops Link to post Share on other sites More sharing options...
kevinf80 Posted February 4, 2018 ID:1212302 Share Posted February 4, 2018 Thanks for those logs, the mini dumps are not indicative of a specific driver fault. One thing I note from Malwarebytes logs is the use of 3rd part driver update programs. Do not use such software, especially free versions, they are unreliable and may come bundled with unwanted extras.... Run another scan with Malwarebytes, same settings as before, post that log... Next, Click on Start > All Programs > Accessories: Right-click on the Command Prompt entry Select "Run as Administrator" accept the UAC prompt - the Elevated Command Prompt window should pop up. At the Command prompt, typeCHKDSK C: /R hit the Enter key. You will get a message that the drive cannot be locked, but that the command can be scheduled to run at the next boot - hit the Y key, press Enter, and then reboot. The CHKDSK may take a few hours depending on the size of the drive, so be patient! After the CHKDSK has run use the following instructions to find the log: Check Disk report: Press the WindowsKey + R on your keyboard at the same time. Type eventvwr into the run box and click OK. In the left panel, expand Windows Logs and then click on Application. Now, on the right side, click on Filter Current Log. Under Event Sources, check only Wininit and click OK. You mayl be presented with one or multiple Wininit logs. Click on an entry corresponding to the date and time of the disk check. On the top main menu, click Action > Copy > Copy Details as Text. Paste the contents into your next reply. Next, Now run SFC. SFC -System File Checker - Instructions Click on Start > All Programs > Accessories Right-click on the Command Prompt entry Select "Run as Administrator" accept the UAC prompt - the Elevated Command Prompt window should pop up. At the Command prompt, typeSFC /SCANNOW hit the Enter key Wait for the scan to finish - make a note of any error messages - and then reboot. Copy the CBS.log file created (C:\Windows\Logs\CBS\CBS.log) to your desktop (you can't manipulate it directly) and then compress the copy and upload the zip file to your reply. Let me see those logs in your reply... Any improvement..? Thanks, Kevin.. Link to post Share on other sites More sharing options...
ztr Posted February 4, 2018 Author ID:1212339 Share Posted February 4, 2018 (edited) i think we're making progress, SFC found some issues - it reported corrupt files but unable to repair. i'll post chkdsk scan below and attach MBAM report and CBS.log Log Name: Application Source: Microsoft-Windows-Wininit Date: 04/02/2018 13:13:54 Event ID: 1001 Task Category: None Level: Information Keywords: Classic User: N/A Computer: home-PC Description: Checking file system on C: The type of the file system is NTFS. A disk check has been scheduled. Windows will now check the disk. CHKDSK is verifying files (stage 1 of 5)... 230400 file records processed. File verification completed. 876 large file records processed. 0 bad file records processed. 2 EA records processed. 48 reparse records processed. CHKDSK is verifying indexes (stage 2 of 5)... 287906 index entries processed. Index verification completed. 0 unindexed files scanned. 0 unindexed files recovered. CHKDSK is verifying security descriptors (stage 3 of 5)... 230400 file SDs/SIDs processed. Cleaning up 247 unused index entries from index $SII of file 0x9. Cleaning up 247 unused index entries from index $SDH of file 0x9. Cleaning up 247 unused security descriptors. Security descriptor verification completed. 28754 data files processed. CHKDSK is verifying Usn Journal... 34337344 USN bytes processed. Usn Journal verification completed. CHKDSK is verifying file data (stage 4 of 5)... 230384 files processed. File data verification completed. CHKDSK is verifying free space (stage 5 of 5)... 213355116 free clusters processed. Free space verification is complete. Windows has checked the file system and found no problems. 976657407 KB total disk space. 122769664 KB in 144249 files. 104696 KB in 28755 indexes. 0 KB in bad sectors. 362583 KB in use by the system. 65536 KB occupied by the log file. 853420464 KB available on disk. 4096 bytes in each allocation unit. 244164351 total allocation units on disk. 213355116 allocation units available on disk. Internal Info: 00 84 03 00 d7 a3 02 00 b7 24 05 00 00 00 00 00 .........$...... b2 00 00 00 30 00 00 00 00 00 00 00 00 00 00 00 ....0........... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Windows has finished checking your disk. Please wait while your computer restarts. Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-Wininit" Guid="{206f6dea-d3c5-4d10-bc72-989f03c8b84b}" EventSourceName="Wininit" /> <EventID Qualifiers="16384">1001</EventID> <Version>0</Version> <Level>4</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2018-02-04T13:13:54.000000000Z" /> <EventRecordID>14985</EventRecordID> <Correlation /> <Execution ProcessID="0" ThreadID="0" /> <Channel>Application</Channel> <Computer>home-PC</Computer> <Security /> </System> <EventData> <Data> Checking file system on C: The type of the file system is NTFS. A disk check has been scheduled. Windows will now check the disk. CHKDSK is verifying files (stage 1 of 5)... 230400 file records processed. File verification completed. 876 large file records processed. 0 bad file records processed. 2 EA records processed. 48 reparse records processed. CHKDSK is verifying indexes (stage 2 of 5)... 287906 index entries processed. Index verification completed. 0 unindexed files scanned. 0 unindexed files recovered. CHKDSK is verifying security descriptors (stage 3 of 5)... 230400 file SDs/SIDs processed. Cleaning up 247 unused index entries from index $SII of file 0x9. Cleaning up 247 unused index entries from index $SDH of file 0x9. Cleaning up 247 unused security descriptors. Security descriptor verification completed. 28754 data files processed. CHKDSK is verifying Usn Journal... 34337344 USN bytes processed. Usn Journal verification completed. CHKDSK is verifying file data (stage 4 of 5)... 230384 files processed. File data verification completed. CHKDSK is verifying free space (stage 5 of 5)... 213355116 free clusters processed. Free space verification is complete. Windows has checked the file system and found no problems. 976657407 KB total disk space. 122769664 KB in 144249 files. 104696 KB in 28755 indexes. 0 KB in bad sectors. 362583 KB in use by the system. 65536 KB occupied by the log file. 853420464 KB available on disk. 4096 bytes in each allocation unit. 244164351 total allocation units on disk. 213355116 allocation units available on disk. Internal Info: 00 84 03 00 d7 a3 02 00 b7 24 05 00 00 00 00 00 .........$...... b2 00 00 00 30 00 00 00 00 00 00 00 00 00 00 00 ....0........... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Windows has finished checking your disk. Please wait while your computer restarts. </Data> </EventData> </Event> CBS.log MBAM report.txt Edited February 4, 2018 by ztr Link to post Share on other sites More sharing options...
kevinf80 Posted February 4, 2018 ID:1212349 Share Posted February 4, 2018 Please download VEW by Vino Rosso from HERE and save it to your Desktop. Double-click VEW.exe. to start, Vista and Windows 7/8 users Right Click and select "Run as Administrator" Under 'Select log to query...check the boxes for both Application and System. Under 'Select type to list... select both Error and Critical. Click the radio button for 'Number of events...Type 15 in the 1 to 20 box. Then click the Run button. Notepad will open with the output log. It will take a couple of minutes to generate the log, please be patient. Please post the Output log in your next reply. Link to post Share on other sites More sharing options...
ztr Posted February 4, 2018 Author ID:1212352 Share Posted February 4, 2018 hi Kevin quick update before i do what you requested after doing the previous things i went to shutdown his PC and windows wanted to install 4 updates i started his PC back up to make sure it went well, i got to the desktop, went to windows update n i believe 2/4 were successful so i thought i'd restart and make sure the computer is in a usable state for my dad to use it then i got some issues, blue screen on startup, restarted, blue screen again, restarted... tried safe mode, even that blue screened where it loads drivers (different error code i think, it ended in 24 everything else was 0's) when safe mode blue screened i thought oh no, that isn't good... i turned the pc off, left it about a minute, started it again, i got an options for automatic repair, i chose that windows found disk errors and it seemed to have repaired what it founded - restarted and now back to desktop i'm scared to even shutdown his PC now after all this blue screening i will do VEW and get back to you Link to post Share on other sites More sharing options...
ztr Posted February 4, 2018 Author ID:1212357 Share Posted February 4, 2018 (edited) windows gave a popup about recovering, i copied the info it gave it also produced 2 files, i will attach them for you Problem signature: Problem Event Name: BlueScreen OS Version: 6.1.7601.2.1.0.256.1 Locale ID: 2057 Additional information about the problem: BCCode: 24 BCP1: 00000000001904FB BCP2: FFFFF880009AFC58 BCP3: FFFFF880009AF4C0 BCP4: FFFFF80002C361FF OS Version: 6_1_7601 Service Pack: 1_0 Product: 256_1 Files that help describe the problem: C:\Windows\Minidump\020418-15796-01.dmp C:\Users\admin\AppData\Local\Temp\WER-50484-0.sysdata.xml here is VEW output Vino's Event Viewer v01c run on Windows 2008 in English Report run at 04/02/2018 14:24:36 Note: All dates below are in the format dd/mm/yyyy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 'Application' Log - Critical Type ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 'Application' Log - Error Type ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Log: 'Application' Date/Time: 04/02/2018 14:22:46 Type: Error Category: 0 Event: 3011 Source: Microsoft-Windows-LoadPerf Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code. Log: 'Application' Date/Time: 04/02/2018 14:22:46 Type: Error Category: 0 Event: 3012 Source: Microsoft-Windows-LoadPerf The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section. Log: 'Application' Date/Time: 04/02/2018 14:16:37 Type: Error Category: 0 Event: 3011 Source: Microsoft-Windows-LoadPerf Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code. Log: 'Application' Date/Time: 04/02/2018 14:16:37 Type: Error Category: 0 Event: 3012 Source: Microsoft-Windows-LoadPerf The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section. Log: 'Application' Date/Time: 04/02/2018 14:12:48 Type: Error Category: 100 Event: 1000 Source: Application Error Faulting application name: mbamtray.exe, version: 3.0.0.1284, time stamp: 0x5a15a98e Faulting module name: Qt5Core.dll, version: 5.6.2.0, time stamp: 0x59a63e00 Exception code: 0xc0000005 Fault offset: 0x0018de83 Faulting process id: 0x8b4 Faulting application start time: 0x01d39dc239283e12 Faulting application path: C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe Faulting module path: C:\Program Files\Malwarebytes\Anti-Malware\Qt5Core.dll Report Id: 79c16c50-09b5-11e8-a4b1-001cc0bf17de Log: 'Application' Date/Time: 04/02/2018 13:47:29 Type: Error Category: 0 Event: 3011 Source: Microsoft-Windows-LoadPerf Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code. Log: 'Application' Date/Time: 04/02/2018 13:47:29 Type: Error Category: 0 Event: 3012 Source: Microsoft-Windows-LoadPerf The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section. Log: 'Application' Date/Time: 04/02/2018 13:22:39 Type: Error Category: 0 Event: 3011 Source: Microsoft-Windows-LoadPerf Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code. Log: 'Application' Date/Time: 04/02/2018 13:22:39 Type: Error Category: 0 Event: 3012 Source: Microsoft-Windows-LoadPerf The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section. Log: 'Application' Date/Time: 04/02/2018 13:17:45 Type: Error Category: 0 Event: 3011 Source: Microsoft-Windows-LoadPerf Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code. Log: 'Application' Date/Time: 04/02/2018 13:17:45 Type: Error Category: 0 Event: 3012 Source: Microsoft-Windows-LoadPerf The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section. Log: 'Application' Date/Time: 04/02/2018 11:00:04 Type: Error Category: 0 Event: 3011 Source: Microsoft-Windows-LoadPerf Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code. Log: 'Application' Date/Time: 04/02/2018 11:00:04 Type: Error Category: 0 Event: 3012 Source: Microsoft-Windows-LoadPerf The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section. Log: 'Application' Date/Time: 04/02/2018 09:07:56 Type: Error Category: 0 Event: 3011 Source: Microsoft-Windows-LoadPerf Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code. Log: 'Application' Date/Time: 04/02/2018 09:07:56 Type: Error Category: 0 Event: 3012 Source: Microsoft-Windows-LoadPerf The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 'System' Log - Critical Type ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Log: 'System' Date/Time: 04/02/2018 14:12:05 Type: Critical Category: 63 Event: 41 Source: Microsoft-Windows-Kernel-Power The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly. Log: 'System' Date/Time: 04/02/2018 14:04:04 Type: Critical Category: 63 Event: 41 Source: Microsoft-Windows-Kernel-Power The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly. Log: 'System' Date/Time: 04/02/2018 09:35:56 Type: Critical Category: 63 Event: 41 Source: Microsoft-Windows-Kernel-Power The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly. Log: 'System' Date/Time: 04/02/2018 04:58:30 Type: Critical Category: 63 Event: 41 Source: Microsoft-Windows-Kernel-Power The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly. Log: 'System' Date/Time: 04/02/2018 04:32:08 Type: Critical Category: 63 Event: 41 Source: Microsoft-Windows-Kernel-Power The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly. Log: 'System' Date/Time: 03/02/2018 21:08:36 Type: Critical Category: 63 Event: 41 Source: Microsoft-Windows-Kernel-Power The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly. Log: 'System' Date/Time: 03/02/2018 20:01:19 Type: Critical Category: 63 Event: 41 Source: Microsoft-Windows-Kernel-Power The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly. Log: 'System' Date/Time: 03/02/2018 19:32:25 Type: Critical Category: 63 Event: 41 Source: Microsoft-Windows-Kernel-Power The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly. Log: 'System' Date/Time: 03/02/2018 19:00:52 Type: Critical Category: 63 Event: 41 Source: Microsoft-Windows-Kernel-Power The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly. Log: 'System' Date/Time: 03/02/2018 18:53:48 Type: Critical Category: 63 Event: 41 Source: Microsoft-Windows-Kernel-Power The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly. Log: 'System' Date/Time: 03/02/2018 07:53:52 Type: Critical Category: 63 Event: 41 Source: Microsoft-Windows-Kernel-Power The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly. Log: 'System' Date/Time: 03/02/2018 07:04:46 Type: Critical Category: 63 Event: 41 Source: Microsoft-Windows-Kernel-Power The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly. Log: 'System' Date/Time: 02/02/2018 13:46:00 Type: Critical Category: 63 Event: 41 Source: Microsoft-Windows-Kernel-Power The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly. Log: 'System' Date/Time: 02/02/2018 00:13:04 Type: Critical Category: 63 Event: 41 Source: Microsoft-Windows-Kernel-Power The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly. Log: 'System' Date/Time: 01/02/2018 17:26:42 Type: Critical Category: 63 Event: 41 Source: Microsoft-Windows-Kernel-Power The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 'System' Log - Error Type ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Log: 'System' Date/Time: 04/02/2018 14:12:15 Type: Error Category: 0 Event: 1001 Source: Microsoft-Windows-WER-SystemErrorReporting The computer has rebooted from a bugcheck. The bugcheck was: 0x00000024 (0x00000000001904fb, 0xfffff880009afc58, 0xfffff880009af4c0, 0xfffff80002c361ff). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 020418-15796-01. Log: 'System' Date/Time: 04/02/2018 14:04:13 Type: Error Category: 0 Event: 1001 Source: Microsoft-Windows-WER-SystemErrorReporting The computer has rebooted from a bugcheck. The bugcheck was: 0x0000003b (0x00000000c000001d, 0xfffff800036858d0, 0xfffff88006c7ef30, 0x0000000000000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 020418-16687-01. Log: 'System' Date/Time: 04/02/2018 13:50:21 Type: Error Category: 1 Event: 20 Source: Microsoft-Windows-WindowsUpdateClient Installation Failure: Windows failed to install the following update with error 0x80070308: Security Update for Windows 7 for x64-based Systems (KB3075226). Log: 'System' Date/Time: 04/02/2018 09:36:08 Type: Error Category: 0 Event: 1001 Source: Microsoft-Windows-WER-SystemErrorReporting The computer has rebooted from a bugcheck. The bugcheck was: 0x00000050 (0xfffff685bc800000, 0x0000000000000000, 0xfffff8000362995a, 0x0000000000000005). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: . Log: 'System' Date/Time: 04/02/2018 09:36:08 Type: Error Category: 0 Event: 1005 Source: Microsoft-Windows-WER-SystemErrorReporting Unable to produce a minidump file from the full dump file. Log: 'System' Date/Time: 04/02/2018 09:36:07 Type: Error Category: 0 Event: 6008 Source: EventLog The previous system shutdown at 09:15:29 on ?04/?02/?2018 was unexpected. Log: 'System' Date/Time: 04/02/2018 05:07:49 Type: Error Category: 0 Event: 3 Source: HECIx64 HECI driver has failed to perform handshake with the Firmware. Log: 'System' Date/Time: 04/02/2018 04:58:32 Type: Error Category: 0 Event: 3 Source: HECIx64 HECI driver has failed to perform handshake with the Firmware. Log: 'System' Date/Time: 04/02/2018 04:48:03 Type: Error Category: 0 Event: 3 Source: HECIx64 HECI driver has failed to perform handshake with the Firmware. Log: 'System' Date/Time: 04/02/2018 04:32:12 Type: Error Category: 0 Event: 3 Source: HECIx64 HECI driver has failed to perform handshake with the Firmware. Log: 'System' Date/Time: 04/02/2018 04:32:20 Type: Error Category: 0 Event: 1001 Source: Microsoft-Windows-WER-SystemErrorReporting The computer has rebooted from a bugcheck. The bugcheck was: 0x0000007f (0x0000000000000008, 0x0000000080050033, 0x00000000000406f8, 0xfffff8800125847f). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 020418-17406-01. Log: 'System' Date/Time: 04/02/2018 04:32:19 Type: Error Category: 0 Event: 6008 Source: EventLog The previous system shutdown at 04:30:42 on ?04/?02/?2018 was unexpected. Log: 'System' Date/Time: 04/02/2018 03:46:42 Type: Error Category: 1 Event: 20 Source: Microsoft-Windows-WindowsUpdateClient Installation Failure: Windows failed to install the following update with error 0x80070308: Security Update for Windows 7 for x64-based Systems (KB3075226). Log: 'System' Date/Time: 04/02/2018 03:46:37 Type: Error Category: 1 Event: 20 Source: Microsoft-Windows-WindowsUpdateClient Installation Failure: Windows failed to install the following update with error 0x80070308: 2018-01 Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KB4056894). Log: 'System' Date/Time: 04/02/2018 03:45:59 Type: Error Category: 1 Event: 20 Source: Microsoft-Windows-WindowsUpdateClient Installation Failure: Windows failed to install the following update with error 0x80070308: Update for Windows 7 for x64-based Systems (KB2923545). i can't find "C:\Users\admin\AppData\Local\Temp\WER-50484-0.sysdata.xml" 020418-15796-01.dmp edit: i will attach a different one which is dated like 24 minutes ago (had to zip it first, the extension wasn't allowed) also probably worth mentioning - malwarebytes keeps reporting real time protection is turned off (web protection only i believe) WER-40812-0.sysdata.xml.zip Edited February 4, 2018 by ztr Link to post Share on other sites More sharing options...
kevinf80 Posted February 4, 2018 ID:1212409 Share Posted February 4, 2018 Make a clean install of Malwarebytes, see if that helps.. Totally Remove Malwarebytes from your system: Download the latest version of MB-Clean by clicking this link: https://downloads.malwarebytes.com/file/mb_clean save to your Desktop, or a folder of your choice. Close all open applications Double-click and run mb-clean.exe A prompt with an option to clean up the system will appear: Yes - will proceed with backing up the license key (Malwarebytes 3.x only) and initiating the cleanup process. (Recommended)No - will exit the utility Once the cleanup process is completed, a prompt will appear:Yes – will proceed and post reboot you will be prompted to continue with the downloading, installation and activation of latest version of Malwarebytes 3.x (Recommended)No – will exit the utility and you will not be prompted (post reboot) to download, reinstall and re-activate (Not Recommended) We recommend rebooting immediately. Additionally, stopping at this step is not recommended and will most likely not resolve your issue(s). Upon reboot, a prompt will appear:Yes - will download, install and activate the latest version of Malwarebytes 3.x (Recommended)No - will exit the utility and the cleanup process is complete... A log file ("mb-clean-results.txt") will be on your desktop Next, Make a scan with Malwarebytes, lets see if it completes: Open Malwarebytes Anti-Malware. On the Settings tab > Protection Scroll to and make sure the following are selected: Scroll to and make sure the following are selected: Scan for RootkitsScan within Archives Scroll further to Potential Threat Protection make sure the following are set as follows: Potentially Unwanted Programs (PUP`s) set as :- Always detect PUP`s (recommended)Potentially Unwanted Modifications (PUM`s) set as :- Alwaysdetect PUM`s (recommended) Click on the Scan make sure Threat Scan is selected, A Threat Scan will begin. When the scan is complete if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected Tab If asked to restart your computer to complete the removal, please do so When complete click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard. Wait for the prompt to restart the computer to appear, then click on Yes. After the restart once you are back at your desktop, open MBAM once more to retrieve the log. To get the log from Malwarebytes do the following: Click on the Reports tab > from main interface. Double click on the Scan log which shows the Date and time of the scan just performed. Click Export > From export you have two options: > From export you have two options: Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply Use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply… Thanks, Kevin.. Link to post Share on other sites More sharing options...
ztr Posted February 5, 2018 Author ID:1212460 Share Posted February 5, 2018 hi Kevin, the note about malwarebytes real time protection was just a side note, only a trial after all i think the blue screens are being caused by something more severe, maybe hardware i'm not sure you didn't mention what to do with mb-clean-results, i'll attach it and paste mbam threat report (found nothing) Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/5/18 Scan Time: 6:04 AM Log File: 6d16fd82-0a3a-11e8-8dfd-001cc0bf17de.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.3869 License: Trial -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: home-PC\admin -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 225200 Threats Detected: 0 (No malicious items detected) Threats Quarantined: 0 (No malicious items detected) Time Elapsed: 5 min, 43 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 0 (No malicious items detected) Physical Sector: 0 (No malicious items detected) (end) mb-clean-results.txt Link to post Share on other sites More sharing options...
kevinf80 Posted February 5, 2018 ID:1212480 Share Posted February 5, 2018 I did not really need to see the md-clean log, I wanted a fresh install to see if this provoked a BSOD after/during a scan. There were references to MB files in previous event logs... The next step is to run Driver Verifier, full instructions here: If verifier causes a BSOD get the latest minidump file and zip/attach to your reply... Thanks, Kevin.. Link to post Share on other sites More sharing options...
ztr Posted February 5, 2018 Author ID:1212486 Share Posted February 5, 2018 (edited) i've set up driver verifier as instructed then rebooted to desktop, no blue screen occurred i typed "verifier /querysettings" into command prompt and got: C:\Windows\system32>verifier /querysettings Special pool: Enabled Pool tracking: Enabled Force IRQL checking: Enabled I/O verification: Disabled Deadlock detection: Enabled DMA checking: Disabled Security checks: Enabled Force pending I/O requests: Disabled Low resources simulation: Disabled IRP Logging: Disabled Miscellaneous checks: Enabled Verified drivers: amdxata.sys mbamswissarmy.sys hwinfo64a.sys mbae64.sys nvlddmkm.sys hecix64.sys e1e6232e.sys ndis.sys smb_driver_intel.sys nvhda64v.sys rtkvhd64.sys dump_dumpata.sys dump_atapi.sys dump_dumpfve.sys mbamchameleon.sys farflt.sys mbam.sys C:\Windows\system32> also not long before doing this, i was transferring some game saves from his computer to a USB stick and about half way through the PC crashed error code 1A (i think it mentioned memory management too), though this time there was 3 long beeps from the motherboard speaker and the computer refused to post multiple times some tries later it managed to post i chose start normally it crashed again, same error code shutdown booted chose automatic repair, this also blue screened few restarts later got automatic repair again, this time it managed to succeed, clicked finished and restarted back to desktop tried copying files to USB stick again and no crash this time, went to shutdown and windows wanted to update, we let it do it restarted fine and then i carried out the instructions you requested Edited February 5, 2018 by ztr Link to post Share on other sites More sharing options...
kevinf80 Posted February 5, 2018 ID:1212489 Share Posted February 5, 2018 Hello again ztr, What make is computer, 3 short beeps is normally ram (memory) pending failure... or total failure if system fails to boot.. Thanks, Kevin Link to post Share on other sites More sharing options...
ztr Posted February 5, 2018 Author ID:1212490 Share Posted February 5, 2018 (edited) it was custom built at a pc shop, though its been modified since then (mobo+cpu swap) it has a mix of RAM sticks i will get you some info info i got with hwinfo64: mobo - DQ3JO CPU - E8400 RAM - 2x 2GB PC2-6400 DDR2 & 2x 1GB PC2-6400 DDR2 (6GB total) they're 2 sets each 2GB sticks are Princeton Technology, the 1GB sticks are Samsung M3 all sticks are running at same speed and timings (he's used these sticks for years) how would i go about diagnosing RAM issues? Edited February 5, 2018 by ztr Link to post Share on other sites More sharing options...
kevinf80 Posted February 5, 2018 ID:1212491 Share Posted February 5, 2018 (edited) I would recommend having the memory checked, https://www.sysnative.com/forums/hardware-tutorials/3909-test-ram-memtest86.html#post28391 ***Edit*** Make sure to turn off driver verifier. Open elevated command prompt, type or copy paste: verifier /reset then re-boot Edited February 5, 2018 by kevinf80 Link to post Share on other sites More sharing options...
ztr Posted February 5, 2018 Author ID:1212492 Share Posted February 5, 2018 (edited) Kevin, i followed the instructions from here https://www.sysnative.com/forums/hardware-tutorials/24300-test-ram-passmark-memtest86.html but the PC refuses to boot from USB i double checked the BIOS and both boot from USB and UEFI are enabled, i will test it on my PC to make sure its not the stick edit: works fine on my system - still doesn't boot from stick on my dad's PC i tried with UEFI disabled and enabled edit2: i'll try original memtest instead Edited February 5, 2018 by ztr Link to post Share on other sites More sharing options...
ztr Posted February 5, 2018 Author ID:1212494 Share Posted February 5, 2018 can't edit my post i got "Download - Auto-installer for USB Key (Win 9x/2k/xp/7) *NEW!*" extracted and installed to 2 different USB sticks and neither of them work the contents of the USB is just "Copying" "mt86plus" "readme.txt" and "syslinux.cfg" Link to post Share on other sites More sharing options...
kevinf80 Posted February 5, 2018 ID:1212699 Share Posted February 5, 2018 Have you tried using a CD instead of a USB stick... Link to post Share on other sites More sharing options...
ztr Posted February 6, 2018 Author ID:1212814 Share Posted February 6, 2018 (edited) hi Kevin, i have great news, i decided to take the 2 1GB sticks out (leaving the 2 2GB sticks in) the computer was on for a few hours before it was shutdown to remove the sticks, when the 2 sticks were removed one of them was much cooler in comparison to the other, does this indicate anything, such as that stick was faulty? (i can't remember what stick it is now tho, i mixed them up after taking them out) booting with the 2 2GB sticks in the computer worked flawlessly for over half an hour whilst on a game which would've guaranteed a crash usually, we was happy with this result as we finally found the root cause. my dad remembered he had 2 extra sticks of that RAM from when he bought the bundle so we put those 2 sticks in and the computer has been fine since. thank you very much for your help Kevin, much appreciated. side question: i can boot to USB with FreeDOS on it (via Rufus USB tool), is there a DOS memtest i could use this way? Edited February 6, 2018 by ztr Link to post Share on other sites More sharing options...
kevinf80 Posted February 6, 2018 ID:1212827 Share Posted February 6, 2018 Yes really good news to hear you`ve located the fault to Ram, heat values can be a good indicator of Ram health. Have read at the following link: https://turbofuture.com/computers/5-Symptoms-of-a-RAM-Problem-and-How-to-Fix-It Regarding Memtest86, as far as i`m aware it can only be used either by CD or USB from the free version. There is a Pro version available at a cost, not sure what extras are included.... If no remaining issues or concerns run the following to clean up: Download "Delfix by Xplode" and save it to your desktop. Or use the following if first link is down:"Delfix link mirror" If your security program alerts to Delfix either, accept the alert or turn your security off. Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator Make Sure the following items are checked: Remove disinfection tools <----- this will remove tools we may have used. Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created. Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection Now click on "Run" and wait patiently until the tool has completed. The tool will create a log when it has completed. We don't need you to post this. Any remnant files/logs from tools we have used can be deleted… Next, Read the following links to fully understand PC Security and Best Practices, you may find them useful....Answers to Common Security Questions and best PracticesDo I need a Registry Cleaner? Take care and surf safe Kevin... Link to post Share on other sites More sharing options...
kevinf80 Posted February 6, 2018 ID:1213091 Share Posted February 6, 2018 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks Link to post Share on other sites More sharing options...
Recommended Posts