Jump to content

After Install / uninstall on win 10 cannot boot except to safe mode


jfii
Go to solution Solved by jfii,

Recommended Posts

downloaded latest version of MB and Installed ran till trial up and uninstalled on windows 10 machine  ver 10.0.19041.508

Now i can only boot machine to safe mode with command prompt.

tried system restore of image 2 days before - same

tried system restore of image 2 weeks before - same

in save mode the driver for md are still there and CANNOT be remove even after MB uninstall program report app is removed

sfc and dism fail 

output after running the below commands in sequence attached

dism /online /Cleanup-Image /StartComponentCleanup
sfc /scannow
sfc /scannow
dism /online /cleanup-image /checkhealth
dism /online /cleanup-image /scanhealth
dism /online /cleanup-image /restorehealth
sfc /scannow
sfc /scannow
 

I have downloaded a couple of windows installer cd and  extracted win 10 pro (6) and converted the install.esd to install.win and extracted the sources folders but they didn't seem to have the correct versions of the reported (CBS.LOG - bottom) corrupt dll's. I think i did find the correct dll's in KB4571756. 

I am asking for any assistance you can offer before i move forward to at least assist me with getting MB removed from the machine before i return to chasing my tail

Thank you

dism.log cbs.log

Link to post
Share on other sites

  • Staff

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes for Windows Help forum.

If you are having technical issues with our Windows product, please do the following:

Malwarebytes Support Tool - Advanced Options

This feature is designed for the following reasons:

  • For use when you are on the forums and need to provide logs for assistance
  • For use when you don't need or want to create a ticket with Malwarebytes
  • For use when you want to perform local troubleshooting on your own

How to use the Advanced Options:

Spoiler
  1. Download Malwarebytes Support Tool
  2. Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  3. Place a checkmark next to Accept License Agreement and click Next
  4. Navigate to the Advanced tab
  5. The Advanced menu page contains four categories:
    • Gather Logs: Collects troubleshooting information from the computer. As part of this process, Farbar Recovery Scan Tool (FRST) is run to perform a complete diagnosis. The information is saved to a file on the Desktop named mbst-grab-results.zip and can be added as an email attachment or uploaded to a forum post to assist with troubleshooting the issue at hand.
    • Clean: Performs an automated uninstallation of all Malwarebytes products installed to the computer and prompts to install the latest version of Malwarebytes for Windows afterwards. The Premium license key is backed up and reinstated. All user configurations and other data are removed. This process requires a reboot.
    •  Repair System: Includes various system-related repairs in case a Windows service is not functioning correctly that Malwarebytes for Windows is dependent on. It is not recommended to use any Repair System options unless instructed by a Malwarebytes Support agent.
    • Anonymously help the community by providing usage and threat statistics: Unchecking this option will prevent Malwarebytes Support Tool from sending anonymous telemetry data on usage of the program.
  6. To provide logs for review click the Gather Logs button
  7. Upon completion, click OK
  8. A file named mbst-grab-results.zip will be saved to your Desktop
  9. Please attach the file in your next reply.
  10. To uninstall all Malwarebytes Products, click the Clean button.
  11. Click the Yes button to proceed. 
  12. Save all your work and click OK when you are ready to reboot.
  13. After the reboot, you will have the option to re-install the latest version of Malwarebytes for Windows.
  14. Select Yes to install Malwarebytes.
  15. Malwarebytes for Windows will open once the installation completes successfully.

Screenshots:

Spoiler
 
 
 
 
Spoiler

 

 

01.png

02.png

03.png

04.png

05.png

06.png

 

 

If you are having licensing issues, please do the following: 

Spoiler

For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/hc/en-us/requests/new to get help

If you need help looking up your license details, please head here: Find my premium license key

 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

Link to post
Share on other sites

Greetings,

I'm sorry you experienced this issue.  It sounds like the self-protection driver may still be active, preventing Malwarebytes' files from being removed.  Please see if running the following from Safe Mode alleviates the problems:

  1. Download and run the Malwarebytes Support Tool
  2. Accept the EULA and click Advanced tab on the left (not Start Repair)
  3. Click the Clean button, and allow it to restart your system and then reinstall Malwarebytes, either by allowing the tool to do so when it offers to on restart, or by downloading and installing the latest version from here

Please let us know how it goes.

Thanks

Link to post
Share on other sites

  • Root Admin

Hello @jfii

We won't need the MBST log at this time. We'll need to remove our driver first. Then we can look at what might be causing the issue.

Please run the following for us.

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you

 

 

Link to post
Share on other sites

I am running  the 64bit version FRST The reason I uninstalled MB was because of the nag.

The machine will only boot to save mode with command prompt.

The file that sfc keeps stumbling on Windows.StateRepository.dll clip below

I all looked at first like the drive was failing but whenever i tried to boot normally the only app that seemed to start after login was the MB installer wanting to install an update. It didn't matter if i Clicked YES and waited a few hours or NO. There would be a blue spinning circle and if i clicked on the screen it would flash CTRL-ALT-DEL only allowed logoff or switch user. Task manager would not start. I could do a Shift-Restart. Safe mode with or without networking would never come up. the only way i have access is Save-Mode command prompt. I have also restored two different sets but the MB Installer would still show.

I eventually used NIRsoft utilities to try and uninstall and went as far as renaming the folders (and renamed them back) the chameleon process could not be removed or disabled . 

I paid more attention to the sfc/dism logs   and the permission messages re: ...system32\drivers\en-US  taking ownership and icacls reset and those errors went away along with the chameleon process. however the services entries still exist and i am sure i can remove them with sc ao i am back to my spinning blue circle (no longer trying to do a MB update) and  my corrupt  Windows.StateRepository.dll

I have gotten myself a bit deeps and lost not knowing how i got here.

FRST is finished is there a non public box i can send them?

Thanks for your response if you can offer direction it would be appreciated.

-John

 

 

 

 

 

2020-10-09 15:56:27, Error                 CSI    000001a1@2020/10/9:19:56:27.297 (F) onecore\base\wcp\sil\ntsystem.cpp(3674): Error c0000242 [Error,Facility=(system),Code=578 (0x0242)] originated in function Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysReadFile expression: (null)
[gle=0x80004005]
2020-10-09 15:56:27, Info                  CBS    Could not get active session for current session file logging [HRESULT = 0x80004003 - E_POINTER]
2020-10-09 15:56:27, Info                  CBS    Could not get file name for current session file logging [HRESULT = 0x80004003 - E_POINTER]
2020-10-09 15:56:27, Info                  CBS    Added C:\WINDOWS\Logs\CBS\CBS.log to WER report.
2020-10-09 15:56:27, Info                  CBS    Added C:\WINDOWS\Logs\CBS\CbsPersist_20201005153427.cab to WER report.
2020-10-09 15:56:27, Info                  CBS    Added C:\WINDOWS\Logs\CBS\CbsPersist_20201005101637.cab to WER report.
2020-10-09 15:56:27, Info                  CBS    Added C:\WINDOWS\Logs\CBS\CbsPersist_20201001210639.cab to WER report.
2020-10-09 15:56:27, Info                  CBS    Added C:\WINDOWS\Logs\CBS\CbsPersist_20200929201611.cab to WER report.
2020-10-09 15:56:27, Info                  CBS    Not able to add pending.xml to Windows Error Report. [HRESULT = 0x80070002 - ERROR_FILE_NOT_FOUND]
2020-10-09 15:56:27, Info                  CBS    Not able to add pending.xml.bad to Windows Error Report. [HRESULT = 0x80070002 - ERROR_FILE_NOT_FOUND]
2020-10-09 15:56:27, Info                  CBS    Not able to add poqexec.log to Windows Error Report. [HRESULT = 0x80070002 - ERROR_FILE_NOT_FOUND]
2020-10-09 15:56:27, Info                  CBS    Not able to add SCM.EVM to Windows Error Report. [HRESULT = 0x80070002 - ERROR_FILE_NOT_FOUND]
2020-10-09 15:56:27, Error                 CSI    000001a2 (F) c0000242 [Error,Facility=(system),Code=578 (0x0242)] #19868279# from Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysReadFile(h = 708 ('\Device\HarddiskVolume3\Windows\WinSxS\amd64_windows-staterepository_31bf3856ad364e35_10.0.19041.508_none_dad6dd3627c4da6b\Windows.StateRepository.dll'), evt = 0, apcr = NULL, apcc = NULL, iosb = @0xb11afbb50, data = {l:0 b:}, byteoffset = 0, key = (null))
[gle=0xd0000242]
2020-10-09 15:56:27, Error                 CSI    000001a3 (F) c0000242 [Error,Facility=(system),Code=578 (0x0242)] #19868278# from Windows::Rtl::SystemImplementation::CFile::ReadFile(Flags = 3, Buffer = {l:0 ml:4194304 b:}, Offset = 0, Disposition = 0)[gle=0xd0000242]
 

Link to post
Share on other sites

23 hours ago, exile360 said:

Greetings,

I'm sorry you experienced this issue.  It sounds like the self-protection driver may still be active, preventing Malwarebytes' files from being removed.  Please see if running the following from Safe Mode alleviates the problems:

 

  1. Download and run the Malwarebytes Support Tool
  2. Accept the EULA and click Advanced tab on the left (not Start Repair)
  3. Click the Clean button, and allow it to restart your system and then reinstall Malwarebytes, either by allowing the tool to do so when it offers to on restart, or by downloading and installing the latest version from here

 

Please let us know how it goes.

Thanks

Sorry, I missed this i am running now=. It is asking for a ticket number should i just ignore?

 

Link to post
Share on other sites

*** Update *** 


I was able to copy the needed files from boot media except for StateRepository which I had to disable via Regedit in safe mode 


Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\StateRepository 
Change Start to 4 (disable)

I was then able to get a desktop and a task manager - but as of yet, no explorer, no start button, no bar. But I can click on the desktop icons or start apps in the task manager.

Errors are AppXSvc crying about the State Repository not started and


Faulting application name: explorer.exe, version: 10.0.19041.488, time stamp: 0xb1a44bf9
Faulting module name: ucrtbase.dll, version: 10.0.19041.488, time stamp: 0x0d8057d8
Exception code: 0xc0000409
Fault offset: 0x000000000007287e
Faulting process id: 0xaa8
Faulting application start time: 0x01d6a5d2b6d60f91
Faulting application path: C:\WINDOWS\explorer.exe
Faulting module path: C:\WINDOWS\System32\ucrtbase.dll
Report Id: 21cfaa66-05d0-4322-ba16-b16033d06723
Faulting package full name: 
Faulting package-relative application ID: 
 

Link to post
Share on other sites

  • Root Admin

Using an elevated Admin command prompt please try the following.

 

chkdsk c: /f

sfc /scannow

DISM.exe /Online /Cleanup-image /Restorehealth

If SFC gave errors before DISM then run SFC again

sfc /scannow

bootrec /fixmbr

bootrec /fixboot

bootrec /rebuildbcd

bcdboot c:\windows /s c:

 

Link to post
Share on other sites

  • 2 weeks later...
  • Solution

Thanks for everyone's help. Its pretty obvious its no fault of MB's You were the only ones who tried to help. 

I wasted a lot of time looking only at the admin events and cbs.log and not at full event "picture" which indicated the start of a disk failure and probably started the snowball.

I imaged the drive with clonezilla using its "recovery" option.
Of course i still had some currupted files

The files i was trying to recover were not in the standard build a cd  there had been and update applied
KB4571756 was one of the Win 10 2004 updates 


I was running 

    DISM /Online /Cleanup-Image /CheckHealth
    DISM /Online /Cleanup-Image /ScanHealth
    DISM /Online /Cleanup-Image /RestoreHealth
    sfc /scannow
    sfc /scannow
    sfc /scannow

In the time I spend attempting different options my restore points were overwritten. So I restored the drive from the image. 

I used DISM to reapply kb4571756 which it did. (example below)

    DISM /Online /Cleanup-Image /RestoreHealth /Source:wim:F:\Sources\install.wim:1 /LimitAccess
    (i actually had to extract the correct index into its own file for the wim:1 to work lost cmd in restore)
    DISM.exe /Online /Add-Package /PackagePath:X:\temp\Windows10.0-KB4571756-x64_PSFX.cab


The issue was still there so I began uninstalling anything that had installed a couple of days before I started having issues including windows updates and kb4571756 rebooted.

StateRepository was disabled through all so set it to manual
    Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\StateRepository\start =3 

I got a desktop but a spinning circle on the start/task bar - so with a ctrl-alt-del i was able to run a task manager and got to a command prompt again

Then ran :
    DISM /Online /Cleanup-Image /CheckHealth
    DISM /Online /Cleanup-Image /ScanHealth
    DISM /Online /Cleanup-Image /RestoreHealth
    sfc /scannow
    sfc /scannow
    sfc /scannow

CBS.LOG showed it fixed a couple of corrupt files but the errors I was getting earlier did not show.
rebooted and I am now at  Version 10.0.19041.450
My machine is now back working.


    dism /online /get-packages /format:table
    dism /online /get-packageinfo /packagename:"Package_for_KB4577266~31bf3856ad364e35~amd64~~19041.504.1.2"
    dism /Online /Remove-Package /PackageName:Package_for_KB4577266~31bf3856ad364e35~amd64~~19041.504.1.2
    
    
Resource 
    https://www.repairwin.com/how-to-remove-windows-updates-using-wusa-and-dism-commands/
    https://chefkochblog.wordpress.com/2018/02/24/fix-all-update-kb-related-issue-via-dism/

Thanks again 

Link to post
Share on other sites

  • 1 month later...

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.