jfii Posted October 12, 2020 ID:1413739

Downloaded latest version of MB and installed, ran till trial up and uninstalled on Windows 10 machine ver 10.0.19041.508.
Now I can only boot machine to safe mode with command prompt.
Tried system restore of image 2 days before - same
Tried system restore of image 2 weeks before - same
In safe mode the driver for md are still there and CANNOT be removed even after MB uninstall program reports app is removed.
sfc and dism fail
Output after running the below commands in sequence attached:

dism /online /Cleanup-Image /StartComponentCleanup
sfc /scannow
sfc /scannow
dism /online /cleanup-image /checkhealth
dism /online /cleanup-image /scanhealth
dism /online /cleanup-image /restorehealth
sfc /scannow
sfc /scannow

I have downloaded a couple of Windows installer CDs and extracted win 10 pro (6) and converted the install.esd to install.wim and extracted the sources folders, but they didn't seem to have the correct versions of the reported (CBS.LOG - bottom) corrupt dll's. I think I did find the correct dll's in KB4571756.
I am asking for any assistance you can offer before I move forward, to at least assist me with getting MB removed from the machine before I return to chasing my tail.
Thank you

dism.log cbs.log
Staff Malwarebytes Posted October 12, 2020 ID:1413740

***This is an automated reply***

Hi,
Thanks for posting in the Malwarebytes for Windows Help forum.

If you are having technical issues with our Windows product, please do the following:

Malwarebytes Support Tool - Advanced Options

This feature is designed for the following reasons:
- For use when you are on the forums and need to provide logs for assistance
- For use when you don't need or want to create a ticket with Malwarebytes
- For use when you want to perform local troubleshooting on your own

How to use the Advanced Options:
- Download Malwarebytes Support Tool
- Double-click mb-support-X.X.X.XXXX.exe to run the program
- You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
- Place a checkmark next to Accept License Agreement and click Next
- Navigate to the Advanced tab

The Advanced menu page contains four categories:
- Gather Logs: Collects troubleshooting information from the computer. As part of this process, Farbar Recovery Scan Tool (FRST) is run to perform a complete diagnosis. The information is saved to a file on the Desktop named mbst-grab-results.zip and can be added as an email attachment or uploaded to a forum post to assist with troubleshooting the issue at hand.
- Clean: Performs an automated uninstallation of all Malwarebytes products installed to the computer and prompts to install the latest version of Malwarebytes for Windows afterwards. The Premium license key is backed up and reinstated. All user configurations and other data are removed. This process requires a reboot.
- Repair System: Includes various system-related repairs in case a Windows service is not functioning correctly that Malwarebytes for Windows is dependent on. It is not recommended to use any Repair System options unless instructed by a Malwarebytes Support agent.
- Anonymously help the community by providing usage and threat statistics: Unchecking this option will prevent Malwarebytes Support Tool from sending anonymous telemetry data on usage of the program.

To provide logs for review:
- Click the Gather Logs button
- Upon completion, click OK
- A file named mbst-grab-results.zip will be saved to your Desktop
- Please attach the file in your next reply.

To uninstall all Malwarebytes Products:
- Click the Clean button.
- Click the Yes button to proceed.
- Save all your work and click OK when you are ready to reboot.
- After the reboot, you will have the option to re-install the latest version of Malwarebytes for Windows. Select Yes to install Malwarebytes.
- Malwarebytes for Windows will open once the installation completes successfully.

If you are having licensing issues, please do the following:

For any of these issues:
- Renewals
- Refunds (including double billing)
- Cancellations
- Update Billing Info
- Multiple Transactions
- Consumer Purchases
- Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/hc/en-us/requests/new to get help.
If you need help looking up your license details, please head here: Find my premium license key

Thanks in advance for your patience.
-The Malwarebytes Forum Team
exile360 Posted October 12, 2020 ID:1413751

Greetings,
I'm sorry you experienced this issue. It sounds like the self-protection driver may still be active, preventing Malwarebytes' files from being removed. Please see if running the following from Safe Mode alleviates the problems:
- Download and run the Malwarebytes Support Tool
- Accept the EULA and click Advanced tab on the left (not Start Repair)
- Click the Clean button, and allow it to restart your system and then reinstall Malwarebytes, either by allowing the tool to do so when it offers to on restart, or by downloading and installing the latest version from here

Please let us know how it goes.
Thanks
Root Admin AdvancedSetup Posted October 12, 2020 ID:1413755

Hello @jfii
We won't need the MBST log at this time. We'll need to remove our driver first. Then we can look at what might be causing the issue.
Please run the following for us.

Please download Farbar Recovery Scan Tool and save it to your desktop.
Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit
- Double-click to run it. When the tool opens click Yes to disclaimer.
- Press the Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
- The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you
jfii Posted October 13, 2020 Author ID:1413952

I am running the 64bit version FRST.
The reason I uninstalled MB was because of the nag. The machine will only boot to safe mode with command prompt. The file that sfc keeps stumbling on is Windows.StateRepository.dll, clip below.

It all looked at first like the drive was failing, but whenever I tried to boot normally the only app that seemed to start after login was the MB installer wanting to install an update. It didn't matter if I clicked YES and waited a few hours or NO. There would be a blue spinning circle and if I clicked on the screen it would flash. CTRL-ALT-DEL only allowed logoff or switch user. Task manager would not start. I could do a Shift-Restart. Safe mode with or without networking would never come up. The only way I have access is Safe-Mode command prompt. I have also restored two different sets but the MB Installer would still show.

I eventually used NIRsoft utilities to try and uninstall and went as far as renaming the folders (and renamed them back). The chameleon process could not be removed or disabled. I paid more attention to the sfc/dism logs and the permission messages re: ...system32\drivers\en-US taking ownership and icacls reset, and those errors went away along with the chameleon process. However the services entries still exist and I am sure I can remove them with sc, so I am back to my spinning blue circle (no longer trying to do a MB update) and my corrupt Windows.StateRepository.dll.

I have gotten myself a bit deep and lost, not knowing how I got here. FRST is finished, is there a non public box I can send them?
Thanks for your response, if you can offer direction it would be appreciated.
-John

2020-10-09 15:56:27, Error CSI 000001a1@2020/10/9:19:56:27.297 (F) onecore\base\wcp\sil\ntsystem.cpp(3674): Error c0000242 [Error,Facility=(system),Code=578 (0x0242)] originated in function Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysReadFile expression: (null) [gle=0x80004005]
2020-10-09 15:56:27, Info CBS Could not get active session for current session file logging [HRESULT = 0x80004003 - E_POINTER]
2020-10-09 15:56:27, Info CBS Could not get file name for current session file logging [HRESULT = 0x80004003 - E_POINTER]
2020-10-09 15:56:27, Info CBS Added C:\WINDOWS\Logs\CBS\CBS.log to WER report.
2020-10-09 15:56:27, Info CBS Added C:\WINDOWS\Logs\CBS\CbsPersist_20201005153427.cab to WER report.
2020-10-09 15:56:27, Info CBS Added C:\WINDOWS\Logs\CBS\CbsPersist_20201005101637.cab to WER report.
2020-10-09 15:56:27, Info CBS Added C:\WINDOWS\Logs\CBS\CbsPersist_20201001210639.cab to WER report.
2020-10-09 15:56:27, Info CBS Added C:\WINDOWS\Logs\CBS\CbsPersist_20200929201611.cab to WER report.
2020-10-09 15:56:27, Info CBS Not able to add pending.xml to Windows Error Report. [HRESULT = 0x80070002 - ERROR_FILE_NOT_FOUND]
2020-10-09 15:56:27, Info CBS Not able to add pending.xml.bad to Windows Error Report. [HRESULT = 0x80070002 - ERROR_FILE_NOT_FOUND]
2020-10-09 15:56:27, Info CBS Not able to add poqexec.log to Windows Error Report. [HRESULT = 0x80070002 - ERROR_FILE_NOT_FOUND]
2020-10-09 15:56:27, Info CBS Not able to add SCM.EVM to Windows Error Report. [HRESULT = 0x80070002 - ERROR_FILE_NOT_FOUND]
2020-10-09 15:56:27, Error CSI 000001a2 (F) c0000242 [Error,Facility=(system),Code=578 (0x0242)] #19868279# from Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysReadFile(h = 708 ('\Device\HarddiskVolume3\Windows\WinSxS\amd64_windows-staterepository_31bf3856ad364e35_10.0.19041.508_none_dad6dd3627c4da6b\Windows.StateRepository.dll'), evt = 0, apcr = NULL, apcc = NULL, iosb = @0xb11afbb50, data = {l:0 b:}, byteoffset = 0, key = (null)) [gle=0xd0000242]
2020-10-09 15:56:27, Error CSI 000001a3 (F) c0000242 [Error,Facility=(system),Code=578 (0x0242)] #19868278# from Windows::Rtl::SystemImplementation::CFile::ReadFile(Flags = 3, Buffer = {l:0 ml:4194304 b:}, Offset = 0, Disposition = 0)[gle=0xd0000242]
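An added example, not part of the thread and not Malwarebytes or Microsoft code: a small Python parser that pulls the CSI error entries out of a CBS.log like the excerpt in the post above and lists the files whose reads failed. The function names and the wrapped `[gle=...]` layout in the sample are assumptions.

```python
import re
from collections import Counter

# Sample input: one Info and two Error entries abridged from the excerpt above, with the
# [gle=...] tail wrapped onto its own line (assumed layout; the forum paste is flattened).
SAMPLE_LOG = r"""2020-10-09 15:56:27, Info                  CBS    Added C:\WINDOWS\Logs\CBS\CBS.log to WER report.
2020-10-09 15:56:27, Error                 CSI    000001a1@2020/10/9:19:56:27.297 (F) onecore\base\wcp\sil\ntsystem.cpp(3674): Error c0000242 [Error,Facility=(system),Code=578 (0x0242)] originated in function Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysReadFile expression: (null)
[gle=0x80004005]
2020-10-09 15:56:27, Error                 CSI    000001a2 (F) c0000242 [Error,Facility=(system),Code=578 (0x0242)] #19868279# from Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysReadFile(h = 708 ('\Device\HarddiskVolume3\Windows\WinSxS\amd64_windows-staterepository_31bf3856ad364e35_10.0.19041.508_none_dad6dd3627c4da6b\Windows.StateRepository.dll'), evt = 0, apcr = NULL, apcc = NULL, iosb = @0xb11afbb50, data = {l:0 b:}, byteoffset = 0, key = (null))
[gle=0xd0000242]
"""

HEADER = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), (\w+)\s+(\w+)\s+(.*)$")
STATUS = re.compile(r"\(F\) (?:\S+: Error )?([0-9a-f]{8}) \[Error,")
GLE = re.compile(r"\[gle=(0x[0-9a-f]{8})\]")
DEVICE_PATH = re.compile(r"\('(\\Device\\[^']+)'\)")

def entries(text):
    """Yield [time, level, source, message], folding wrapped lines into their entry."""
    current = None
    for line in text.splitlines():
        match = HEADER.match(line)
        if match:
            if current:
                yield current
            current = list(match.groups())
        elif current and line.strip():
            current[3] += " " + line.strip()
    if current:
        yield current

def csi_errors(text):
    """Return one record per CSI Error entry that carries a status code."""
    records = []
    for time, level, source, message in entries(text):
        status = STATUS.search(message)
        if level != "Error" or source != "CSI" or not status:
            continue
        gle, path = GLE.search(message), DEVICE_PATH.search(message)
        records.append({"time": time, "status": "0x" + status.group(1),
                        "gle": gle.group(1) if gle else None,
                        "path": path.group(1) if path else None})
    return records

def files_failing_reads(text):
    """Count failing entries per file, so repeated failures on one file stand out."""
    return dict(Counter(r["path"] for r in csi_errors(text) if r["path"]))
```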
Root Admin AdvancedSetup Posted October 13, 2020 ID:1413957

Please send me a Private Message with logs. @jfii
Thank you
jfii Posted October 13, 2020 Author ID:1413977

23 hours ago, exile360 said:
    Greetings,
    I'm sorry you experienced this issue. It sounds like the self-protection driver may still be active, preventing Malwarebytes' files from being removed. Please see if running the following from Safe Mode alleviates the problems:
    - Download and run the Malwarebytes Support Tool
    - Accept the EULA and click Advanced tab on the left (not Start Repair)
    - Click the Clean button, and allow it to restart your system and then reinstall Malwarebytes, either by allowing the tool to do so when it offers to on restart, or by downloading and installing the latest version from here
    Please let us know how it goes.
    Thanks

Sorry, I missed this, I am running it now. It is asking for a ticket number, should I just ignore?
Root Admin AdvancedSetup Posted October 13, 2020 ID:1413979

No need for the MBST tool at this time. I have replied with a script to run via Private Message
jfii Posted October 17, 2020 Author ID:1414907

Still at it
jfii Posted October 19, 2020 Author ID:1415019

*** Update ***
I was able to copy the needed files from boot media except for StateRepository, which I had to disable via Regedit in safe mode:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\StateRepository
Change Start to 4 (disable)

I was then able to get a desktop and a task manager - but as of yet, no explorer, no start button, no bar. But I can click on the desktop icons or start apps in the task manager.
Errors are AppXSvc crying about the State Repository not started and

Faulting application name: explorer.exe, version: 10.0.19041.488, time stamp: 0xb1a44bf9
Faulting module name: ucrtbase.dll, version: 10.0.19041.488, time stamp: 0x0d8057d8
Exception code: 0xc0000409
Fault offset: 0x000000000007287e
Faulting process id: 0xaa8
Faulting application start time: 0x01d6a5d2b6d60f91
Faulting application path: C:\WINDOWS\explorer.exe
Faulting module path: C:\WINDOWS\System32\ucrtbase.dll
Report Id: 21cfaa66-05d0-4322-ba16-b16033d06723
Faulting package full name:
Faulting package-relative application ID:
Root Admin AdvancedSetup Posted October 19, 2020 ID:1415037

Using an elevated Admin command prompt please try the following.

chkdsk c: /f
sfc /scannow
DISM.exe /Online /Cleanup-image /Restorehealth

If SFC gave errors before DISM then run SFC again

sfc /scannow
bootrec /fixmbr
bootrec /fixboot
bootrec /rebuildbcd
bcdboot c:\windows /s c:
jfii Posted November 2, 2020 Author Solution ID:1417916

Thanks for everyone's help. It's pretty obvious it's no fault of MB's. You were the only ones who tried to help.

I wasted a lot of time looking only at the admin events and cbs.log and not at the full event "picture", which indicated the start of a disk failure and probably started the snowball.

I imaged the drive with clonezilla using its "recovery" option. Of course I still had some corrupted files. The files I was trying to recover were not in the standard build a cd; there had been an update applied. KB4571756 was one of the Win 10 2004 updates.

I was running

DISM /Online /Cleanup-Image /CheckHealth
DISM /Online /Cleanup-Image /ScanHealth
DISM /Online /Cleanup-Image /RestoreHealth
sfc /scannow
sfc /scannow
sfc /scannow

In the time I spent attempting different options my restore points were overwritten. So I restored the drive from the image.

I used DISM to reapply kb4571756, which it did. (example below)

DISM /Online /Cleanup-Image /RestoreHealth /Source:wim:F:\Sources\install.wim:1 /LimitAccess
(I actually had to extract the correct index into its own file for the wim:1 to work, lost cmd in restore)
DISM.exe /Online /Add-Package /PackagePath:X:\temp\Windows10.0-KB4571756-x64_PSFX.cab

The issue was still there, so I began uninstalling anything that had installed a couple of days before I started having issues, including windows updates and kb4571756, and rebooted.

StateRepository was disabled through all, so I set it to manual:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\StateRepository\start =3

I got a desktop but a spinning circle on the start/task bar - so with a ctrl-alt-del I was able to run a task manager and got to a command prompt again.

Then ran:

DISM /Online /Cleanup-Image /CheckHealth
DISM /Online /Cleanup-Image /ScanHealth
DISM /Online /Cleanup-Image /RestoreHealth
sfc /scannow
sfc /scannow
sfc /scannow

CBS.LOG showed it fixed a couple of corrupt files but the errors I was getting earlier did not show.
Rebooted and I am now at Version 10.0.19041.450.
My machine is now back working.

dism /online /get-packages /format:table
dism /online /get-packageinfo /packagename:"Package_for_KB4577266~31bf3856ad364e35~amd64~~19041.504.1.2"
dism /Online /Remove-Package /PackageName:Package_for_KB4577266~31bf3856ad364e35~amd64~~19041.504.1.2

Resource
https://www.repairwin.com/how-to-remove-windows-updates-using-wusa-and-dism-commands/
https://chefkochblog.wordpress.com/2018/02/24/fix-all-update-kb-related-issue-via-dism/

Thanks again
Root Admin AdvancedSetup Posted November 2, 2020 ID:1418078

Excellent, very glad to hear you were able to resolve the issue @jfii
Thank you for posting a follow up with the links as well
Hope you have a great week
Maurice Naggar Posted December 27, 2020 ID:1429413

Glad we could help.
If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.
This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.
Please review the following for Tips to help protect from infection
Thank you