Winson

Ran malwarebytes on Windows 10, now won't boot


Hi, it's still the same issue. The hive files look like identical files in my C:\Windows\System32\config


 

image.thumb.png.d9a874454f9854af039977c292636f10.png

 

I opened this file under the malwarebytes\Scanfile folder; it shows that some system regKeys were quarantined. How can I find the regKeys again anywhere?


That was a scheduled task. That cannot stop Windows from starting.

What error do you get when it won't start? What happens?
What about Safe Mode? It won't start in Safe Mode either?

Do you have access to another computer that runs a similar version of Windows?

 


This is the only BSOD screen; after that it reboots automatically and stops at the Automatic Repair screen. I can't go into Safe Mode either. Yes, I have another PC running Windows 10.

IMG_20190718_235409.jpg


Actually, I may try using data recovery software to recover all the missing files that are in quarantine, then manually put the files in the correct file path or location. Is this the last option that can save my system?


You're welcome to try, but I would not expect that to work. Let me know how it goes. I'll try to help you again tomorrow if I can, otherwise on Monday.

I want to see if we can get Windows to boot using other hives. We'll need to back up what is there already, though, so we don't shoot ourselves in the foot, so to speak.

Ron

 

 


I wonder whether all the Malwarebytes quarantine items are under this folder, saved in .json files? Because I see another folder that is named Quarantine too.

C:\ProgramData\Malwarebytes\MBAMService\ScanResults


Hi, just now I ran the FRST program on another laptop. So can I copy the hive files from here to the other system that won't boot? Will there be issues when running the new version of the files from C:\FSRM\hives?


No, we don't just want to copy and overwrite what is there.

Rename or add an extension like .oem to the SYSTEM hive

ie. Change C:\Windows\System32\config\system to C:\Windows\System32\config\system.oem

Then copy the one from the other computer to C:\Windows\System32\config\

Then see if it will boot up or if it BSOD as well

 

5 hours ago, AdvancedSetup said:

No, we don't just want to copy and overwrite what is there.

Rename or add an extension like .oem to the SYSTEM hive

ie. Change C:\Windows\System32\config\system to C:\Windows\System32\config\system.oem

Then copy the one from the other computer to C:\Windows\System32\config\

Then see if it will boot up or if it BSOD as well

 

Hi Ron, should I overwrite only one file, the SYSTEM hive, or overwrite all the files from the hives folder to C:\Windows\System32\config?

Should I use CMD to overwrite, or use the FRST fixlist.txt?

 


Only the 1 file. SYSTEM

If you're capable of doing it from the command line on your own please try. If not let me know and I'll assist you

There is no overwrite as you're renaming the current SYSTEM to SYSTEM.OEM

If you overwrite you won't be able to put it back, and then you might as well do a REPAIR

46 minutes ago, AdvancedSetup said:

Only the 1 file. SYSTEM

If you're capable of doing it from the command line on your own please try. If not let me know and I'll assist you

There is no overwrite as you're renaming the current SYSTEM to SYSTEM.OEM

If you overwrite you won't be able to put it back, and then you might as well do a REPAIR

Yes, please assist me with how to do it.


From the working computer you ran FRST on - it should have a file C:\FRST\Hives\SYSTEM

Copy that SYSTEM file to the root of your USB drive where FRST64 is located.

I'm going to write the script assuming that E:\ is your boot drive in Recovery Console as that is what the log says and that C:\Windows is also the correct drive again as that is what the current log says. Sometimes the drives are changed around is all.

 

Download and then save this new FIXLIST.TXT file to the root of your e:\ USB drive where FRST64 is located. Also, make sure the SYSTEM file is there too.

Then boot into the Recovery Console on the other affected computer and run FRST64 and click the FIX button.

That will rename the current SYSTEM file and then copy the one from the E:\ drive to the affected computer and reboot.

Let me know how it goes

 

fixlist.txt

Thanks

Ron
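
The rename-then-copy step described in the post above, written out as a Recovery Console batch script. This is an added example, not the fixlist.txt attached to the post; the drive letters E:\ (USB drive) and C:\Windows follow the post's own assumptions, and fc.exe is assumed to be present in the recovery environment.

```batch
@echo off
rem Added example, not the thread's fixlist.txt. Run from the Recovery Console prompt.
rem Assumed drive letters (from the post): E:\ = USB drive, C:\Windows = affected install.
setlocal
set "CFG=C:\Windows\System32\config"
set "SRC=E:\SYSTEM"

rem Confirm both files exist before touching anything.
if not exist "%CFG%\SYSTEM" (echo %CFG%\SYSTEM not found, check the drive letter & exit /b 1)
if not exist "%SRC%" (echo %SRC% not found on the USB drive & exit /b 1)

rem Never clobber an earlier backup: the .oem copy is the only way back.
if exist "%CFG%\SYSTEM.oem" (echo SYSTEM.oem already exists, refusing to continue & exit /b 1)

rem Rename first, so nothing is overwritten.
ren "%CFG%\SYSTEM" SYSTEM.oem || (echo rename failed & exit /b 1)

rem Copy the donor hive in; if the copy fails, put the original back.
copy /b "%SRC%" "%CFG%\SYSTEM" || (
    echo copy failed, restoring the original hive
    ren "%CFG%\SYSTEM.oem" SYSTEM
    exit /b 1
)

rem Byte-for-byte check that the file now in place is the one from the USB drive.
fc /b "%SRC%" "%CFG%\SYSTEM" >nul
if errorlevel 1 (echo WARNING: copied hive differs from the source) else (echo hive replaced, original kept as SYSTEM.oem)

rem List both files so their sizes and timestamps can be compared after the next boot attempt.
dir "%CFG%\SYSTEM*"
endlocal
```

To undo the change, delete the new SYSTEM file and rename SYSTEM.oem back to SYSTEM.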

 


It seems the problem is not fixed. Refer to the first image below: it successfully renamed the file to SYSTEM.OEM and copied the new SYSTEM file to the directory. After reboot, the same BSOD, and when I opened CMD (second image), I noticed the file size is the same as the original SYSTEM.OEM

 

 

 

IMG_20190724_002346.jpg

IMG_20190724_002307.jpg


Yes, the system is going to process the file and attempt a restore from its backup.

At this point this is probably your best way to get the system running again.

How to Reset Windows 10
https://www.tenforums.com/tutorials/4130-reset-windows-10-a.html

Choose to keep your data.

Yes, you will have to reinstall some software and customize the system again, but it will be back running again and your data will still be there.
 


But how can I back up my Google Chrome bookmarks and system environment like before?

 


In theory it should not remove them, but you can go to the following folder and copy the folders to an external drive.

C:\Users\<your user name>

That is your entire profile, or you can browse and pick what you want to copy. But again if done properly it should not remove your data.

If you do have space on an external drive, though, I would go ahead and copy the entire folder to the external drive.

Google Chrome bookmark file should be located here:
C:\Users\<user name>\AppData\Local\Google\Chrome\User Data\Default\bookmarks

Do you have a large external USB drive?

 

 

 


How do I back up installed software? I have an external HDD to do the backup.


You cannot back up installed software. It must be reinstalled.

You can use this method to back up data
https://answers.microsoft.com/en-us/windows/forum/windows_10-update/rescue-files-when-windows-wont-start/862c143f-9239-4e63-8968-635e8ba9efd6

You could also use this software to build a USB disk to have a GUI for copying files. Don't expect it can fix Windows - you can try but if Windows can't repair itself then I don't think this software will either. We just want it for the GUI to copy files to your external hard drive.
https://www.paragon-software.com/free/rk-free/

 

 


Hi, how can I check and know what was removed or quarantined by Malwarebytes?


As I see, there is one folder called Quarantine. What is the data in the Quarantine folder? Is there a way to open it to view?


No, there is not. The data is encrypted. Windows needs to be running in order to remove items from quarantine

 

This topic is now closed to further replies.
