c0000135 BSoD but AVG never on system

Jeffk

I'm not sure if this should be here or in the microsoft windows forum....

got a novatech PC (Win 7 64-bit) that is in a continuous reboot loop. it gets as far as the windows splash screen then restarts...

system restore files are missing
there's no system recovery image
system recovery option > startup repair fails
customer doesn't have W7 install discs

I disabled the auto restart on system failure>>>BSoD when it tries to reboot: "STOP: c0000135 the program can't start because %hs is missing from computer. try reinstalling the program to fix"

I know this is often caused by AVG, but this PC's never had AVG on it. It has had loadsa malware on it as the customer is completely indiscriminate about what they download (see attached jpeg)

This problem happened after running a full scan of SuperAntiSpyware. It found around 8 trojans which it removed. maybe one of the malwares patched itself into the start-up and while the file has been removed the registry entry hasn't (or vice versa)? unfortunately nothing suggested so far has worked.

trying to avoid complete OS reinstall (have to try to get install disc from Novatech) & customer has data on there

anyone come across this prob not related to AVG? any suggestions welcome
 

Attachment: maybe a few too many toolbars.jpg

Slave the drive to another PC, dig out the SuperAntiSpyware logs and see what was removed. Does the system start in Safe Mode?
 
good idea slaving to another PC, unfortunately ....

update: i tried system recovery options > reinstall windows ....>>"windows could not determine the language to use for setup. Error code: 0x80004005"
......................................................
safe mode: it starts to load windows files, gets as far as windows\system32\drivers\disk.sys then starts rebooting
......................................................
good idea slaving to another PC, unfortunately it's still under warranty & the side panel of the case has a 'lock' so i can't access the HDD physically

.....looks like it might have to be a reinstall from disc, unless there's any other suggestions.

The good news is that there's no data they're concerned about losing after all
 
sfc?

sfc = System File Checker?

if so, the other tech here says he's tried that already & it didn't work. it gave error message 'Windows Resource Protection could not start the repair service'
 
there's no system recovery image
system recovery option > startup repair fails
customer doesn't have W7 install discs

Have they lost the CD, or did they never get one? It's against the EULA to supply a PC without a recovery partition or media to perform a re-installation.
 
sfc = System File Checker?

if so, the other tech here says he's tried that already & it didn't work. it gave error message 'Windows Resource Protection could not start the repair service'

The service should start fine if you're loading off a disk, are you sure he is using the right parameters?

It's not "sfc /scannow" like on a live system, it's

sfc /SCANNOW /OFFBOOTDIR=c:\ /OFFWINDIR=c:\windows
 
c0000135 BSoD, continued

Have they lost the CD, or did they never get one? It's against the EULA to supply a PC without a recovery partition or media to perform a re-installation.

The comp did have a recovery partition, but there's something wrong there too: When I try system recovery options > reinstall windows ....>>"windows could not determine the language to use for setup. Error code: 0x80004005".

As it's a separate partition, this couldn't have been affected by malware, could it? Maybe the recovery files just weren't installed properly in the first place.


If you can't slave it, boot from a live CD and access the SAS logs that way.

I ran Ubuntu 11.1 as a live CD, navigated to SAS logs folder, but it’s empty. I can create new files or folders there & they're visible, so it’s not that Ubuntu’s not recognising file types.

There’s a quarantine.db (SQLite3 database (application/x-sqlite3)) file in the quarantine folder, but “no application installed for SQLite3 files“.

There's a "superAntiSpyware-11-24-2011( 17-11-5).sdb" file in the AppLogs folder, but if I open it I get code which I can’t read or understand.

The service should start fine if you're loading off a disk, are you sure he is using the right parameters?

It's not "sfc /scannow" like on a live system, it's

sfc /SCANNOW /OFFBOOTDIR=c:\ /OFFWINDIR=c:\windows

He says that’s what he used - I wasn’t there, & as he’s my boss & I’m the trainee, I don’t feel I can question him too much
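
Reading the quarantine.db mentioned in the post above from a live CD, as an added example that is not part of the original thread: Python's standard sqlite3 module opens the file read-only and lists every table with its columns and first rows. The real layout of quarantine.db is not known here, so the sample database and its `items` table are constructed stand-ins.

```python
import sqlite3
from pathlib import Path


def dump_sqlite(path, max_rows=5):
    """Return {table: {"columns": [...], "rows": [...]}} for every table in the file."""
    # mode=ro opens the database read-only, so the evidence file is never written to.
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    try:
        names = [row[0] for row in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        out = {}
        for name in names:
            quoted = '"' + name.replace('"', '""') + '"'  # table names come from the file
            cur = conn.execute(f"SELECT * FROM {quoted} LIMIT ?", (max_rows,))
            out[name] = {"columns": [d[0] for d in cur.description],
                         "rows": cur.fetchall()}
        return out
    finally:
        conn.close()


def build_sample(path):
    """Create a constructed stand-in database; this schema is hypothetical."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, "
                 "original_path TEXT, detection TEXT)")
    conn.execute("INSERT INTO items (original_path, detection) VALUES (?, ?)",
                 (r"C:\Windows\System32\example.dll", "Trojan.Example"))
    conn.commit()
    conn.close()


if __name__ == "__main__":
    import os
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "quarantine.db")
        build_sample(sample)
        for table, data in dump_sqlite(sample).items():
            print(table, data["columns"])
            for row in data["rows"]:
                print("  ", row)
```

On the live CD, point `dump_sqlite` at the mounted path of the real quarantine.db instead of the sample.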
 
lol fair enough. if data is not important and no weird programs that you can't reinstall, I'd go ahead and wipe it. The tech in you may wince because you just GOTTA know what caused it but sometimes it's better to just nuke and pave and get the customer up and running asap.

edit: whoa okay just reread original post. You didn't mention whether you tried a chkdsk? Always worth a look, if only to get to the next step of the fix.
 
try this
The fix for this problem requires a registry edit to remove a reference to the consrv.dll file that was a virus and was removed. edit registry offline.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SubSystems

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session Manager\SubSystems

Under these keys, edit the data in the Value Name “Windows”, changing the text “consrv” to “winsrv”. This is a long string so just parse through it and make the one change, here is what a good entry looks like:

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

I have bolded the entry that previously said “consrv”
this was a fix a few years ago for a fake av trojan

source a couple weeks ago:
http://blog.crosbydrive.com/?p=245
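
The check described in the post above, as an added example that is not part of the original post or its source: it parses the "Windows" value data from each control set, flags any ServerDll module that is not in the known-good entry quoted above, and applies the consrv to winsrv substitution. The infected sample is constructed from the post's description, and the value data is assumed to have been copied out of the offline SYSTEM hive by hand.

```python
import re

# Known-good value data, copied from the post above.
GOOD = (r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
        r"SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
        r"ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
        r"ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 "
        r"ProfileControl=Off MaxRequestThreads=16")

# Constructed sample: the same value with the substitution the post describes.
INFECTED = GOOD.replace("ServerDll=winsrv:Con", "ServerDll=consrv:Con")

# ServerDll=<module>[:<init routine>],<index>
SERVER_DLL = re.compile(r"ServerDll=([^\s:,]+)(?::([^\s,]+))?,(\d+)")
BASELINE = {m.group(1).lower() for m in SERVER_DLL.finditer(GOOD)}


def unexpected_server_dlls(value):
    """Return (module, init_routine, index) for ServerDll entries not in BASELINE."""
    return [(m.group(1), m.group(2), int(m.group(3)))
            for m in SERVER_DLL.finditer(value)
            if m.group(1).lower() not in BASELINE]


def repair(value):
    """Apply the post's fix: rewrite consrv to winsrv inside ServerDll entries only."""
    return re.sub(r"(?i)(ServerDll=)consrv(?=[:,])", r"\g<1>winsrv", value)


def audit(control_sets):
    """Map each control set name to its unexpected ServerDll entries (empty = clean)."""
    return {name: unexpected_server_dlls(data) for name, data in control_sets.items()}


if __name__ == "__main__":
    # One entry per control set found in the offline hive.
    report = audit({"ControlSet001": INFECTED, "ControlSet002": GOOD})
    for name, hits in report.items():
        print(name, "OK" if not hits else f"SUSPECT {hits}")
```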
 
nothing seems to work

The tech in you may wince because you just GOTTA know what caused it
absolutely!! i could have saved myself all this work if i'd just wiped/reinstalled...but where's the fun in that!!?? & there's the learning too...i probably will have to wipe, but i have learned quite a bit from this process. Cool!

You didn't mention whether you tried a chkdsk?

in command line, which I can only get to via the system recovery options, the prompt is X:\> instead of C:\>..........i’ve never seen that before, i’m guessing it’s because i’ve accessed cmd via system recovery. (i tried to change to C: i.e. X:\>cd c: & C:\ appeared but with X:\> below it)

Anyway, from X:\>.......

  • i ran chkdsk /f & get “type of file system is NTFS. cannot lock current drive. windows cannot run disk checking on this volume because it is write protected”
  • i ran without the /f switch & it warns me that “F parameter not specified. running chkdsk in read-only-mode” then doesn’t find anything significant, as far as i can tell

is there any way to get it to let me use /f i.e. how can i lock the drive?
…..............................................................................................................
try this
The fix for this problem requires a registry edit to remove a reference to the consrv.dll file that was a virus and was removed. edit registry offline.
there’s a ControlSet001 & a CurrentControlSet (no ControlSet002) ....i navigated to SubSystems but neither had “consrv”, both were set at winsrv already
…..............................................................................................................
in case it’s useful...

startup repair > "...cannot repair this comp automatically"
Problem signature:
problem event name: startup repair offline
problem signature 01: 6.1.7600.16385
problem signature 02: 6.1.7600.16385
problem signature 03: unknown
problem signature 04: 21200412
problem signature 05: AutoFailover
problem signature 06: 15
problem signature 07: NoRootCause
OS version: 6.1.7601.2.1.0.256.1
LocaleID: 1033
…..............................................................................................................
Also, there’s a new BSoD appeared - STOP: 0x000007B (0xFFFFF880009A97E8, 0xFFFFFFFFC0000034, 0x0000000000000000, 0x0000000000000000)

does that mean anything to anyone? (I think I’ve copied all the zeros!)
…..............................................................................................................
cheers all
 
in command line, which I can only get to via the system recovery options, the prompt is X:\> instead of C:\>..........i’ve never seen that before, i’m guessing it’s because i’ve accessed cmd via system recovery. (i tried to change to C: i.e. X:\>cd c: & C:\ appeared but with X:\> below it)

Anyway, from X:\>.......

  • i ran chkdsk /f & get “type of file system is NTFS. cannot lock current drive. windows cannot run disk checking on this volume because it is write protected”


To change to the C drive just type in :

C:

No offense but this is 101 stuff. Even if you didn't know it, a quick google would show it. We don't mind helping out troubleshooting things you've tried and things to try but we shouldn't be having to explain how to do each step. :)

edit: re the new stop code, have you looked into that, what have you tried from what you found?
 
Point taken

To change to the C drive just type in :

C:

No offense but this is 101 stuff. Even if you didn't know it, a quick google would show it. We don't mind helping out troubleshooting things you've tried and things to try but we shouldn't be having to explain how to do each step. :)
Point taken. I actually made that post in a hurry, immediately before leaving work & had got 5 min down the road when i remembered that c: was all i needed to do.

saying that, as an amateur just starting to train as a pro tech, my knowledge isn't just patchy, it's fishnet like! :D so sometimes i do have really basic questions. i look forward to being able to contribute more here by offering help & advice to others.

edit: re the new stop code, have you looked into that, what have you tried from what you found?

I googled both the specific stop code & "windows 7 stop codes" but found nothing that's helped me, so far. lots of links to pages that have nothing to do with stop codes, or to pages about that code, but that made suggestions based on being able to get into windows, etc. next time i'm in the workshop i'll go to c: & try chkdsk /f again, maybe it'll work from there.

I've attached a photo of the new BSoD, in case there's something there i'm missing.
...............................................................................................
at the risk of asking a 101 question again, was i correct in thinking that the prompt was X:\> because i'd accessed cmd via system recovery instead of from windows? if not...any clues why? I have googled it, with no success.

Thanks for all the help!
 

Attachment: new stop code.jpg
Yes you were right in thinking that. Which is also why you got a write protection error when trying to chkdsk the drive.

There's nothing wrong with asking as long as you show that you've tried looking stuff up before. :)

on another hint, you may find that chkdsk /f doesn't work from the recovery console, if my tired mind remembers correctly, you will have to use chkdsk /r which is more verbose and therefore takes a fair bit longer. chkdsk /f is valid from within windows, but not from the recovery console.
 
.....on another hint, you may find that chkdsk /f doesn't work from the recovery console, if my tired mind remembers correctly, you will have to use chkdsk /r which is more verbose and therefore takes a fair bit longer. chkdsk /f is valid from within windows, but not from the recovery console.

I'll be trying that on Friday, when I'm next in. I'm wondering if there'll be any difference between running chkdsk from the c:\ prompt & from the x:\ prompt, which I did before..........or doesn't it matter?

update: I ran Ubuntu 11.1 as a live CD, navigated to SAS logs folder, but it’s empty. I could see files in other folders, that ubuntu couldn't open & I can create new files or folders in SAS logs folder & they're visible, so it's not that only ubuntu files are visible. Either the PC's owner disabled automatic logging in SAS or something's deleted them.

When I try to boot in safe mode it starts to load windows files, gets as far as windows\.......\disk.sys then reboots. When I tried this on another PC (also Win7 home prem.) the next file after disk.sys was Classpnp.sys which seems to be a "SCSI Class System dll". I assume that'd be in any W7 system boot so I'm guessing that’s the corrupted file.

Any advice on how to replace it with a healthy version welcomed - I’m pottering around the edges of my knowledge here! (but I'm learning loads!!)
 
Why did the customer bring it to you if it was under warranty?

If you are a trainee then why aren't you asking your supervisor these questions?

How long are you going to keep this computer from the customer?

Part of being a good tech is also having the ability to know what is best for the customer, you had the answer in the first jpeg you uploaded.

As the computer was under warranty, I would have done some simple diagnostics on the computer without voiding the warranty, if unable to solve problem I would have then arranged to have the computer shipped to Novatech on behalf of the customer. Stop wasting the customer's time.
 
Why did the customer bring it to you if it was under warranty?

I don't know - I'm not the boss. I imagine the warranty is for hardware only. He bought it from my boss originally so I guess he's asked us to try to sort it out 1st.

If you are a trainee then why aren't you asking your supervisor these questions?

I've asked him some, but I think part of learning is to do some research myself & look in a variety of sources

How long are you going to keep this computer from the customer?

When the replacement OS disc arrives from Novatech the OS will be reinstalled, unless it's been solved & sorted before then.

I'm continuing for the moment as (a) there's nothing else to do for it until the disc arrives (b) it's a useful learning exercise for me & (c) i might just find an answer by asking other more experienced techs

Part of being a good tech is also having the ability to know what is best for the customer, you had the answer in the first jpeg you uploaded.

What's in the jpeg you mention is why it was running so slowly in the first place, not the cause of the current issue, which we think was caused by SuperAntiSpyware removing something that had attached itself to a vital file

As the computer was under warranty, I would have done some simple diagnostics on the computer without voiding the warranty, if unable to solve problem I would have then arranged to have the computer shipped to Novatech on behalf of the customer. Stop wasting the customer's time.

As explained already, I think the warranty's for the hardware only. We're not wasting the customer's time.



Now, I've got a couple of questions for you: who do you think you are 'talking' to me like that? Do you think that because I'm just a trainee you've got the right to treat me like a child? Not that I think people should treat kids in the way you addressed me.

I imagine others have looked at the thread, not felt they had anything to add or didn't want to join in, for whatever reason, & so have not said anything. If you don't have anything constructive to say then don't bother saying anything & mind your own business.

I don't know what your problem is, whether you're just having a bad day or are always like that, but whichever it is keep it to yourself!
 
But you are a trainee!, harden up mate.

First thing you should have done was image the drive before attempting any work on it. That way you can at least go back to the original state if things go wrong which they did.

A couple of things you could do while you're waiting,

If you think the drive is infected then scan the drive with a Kaspersky or Avira Live CD.

Invest in an offline boot cd such as ActiveBoot Disk http://www.ntfs.com/boot-disk.htm and try manually scanning the registry for malware. I have also found that I get better results with their version of Chkdsk when trying to fix file errors on drives. It would also be a handy tool to have in your trainee toolkit.
 
I wouldn't take the tone of Gazza's post to heart Jeff, though I can understand why you might. A lot of people here are going to be straight to the point and may seem a bit "in your face" but, in their own way, they are trying to help. From my own personal reading of the forums I would say that Gazza is probably one of the best examples of this. That's not to say he doesn't know what he's doing or doesn't want to help.
Whilst on the topic though kudos for sticking up for yourself, I'm sure you kids will get on just fine ;)

chkdsk would make a difference in your example as it will try to check the disk of the currently selected drive and only that one.

Imaging is a good point that no-one here has made, especially where wipes are involved it's a good way to cover yourself in case you miss something on the backup. If you have no experience with imaging then this would be a good opportunity whilst you wait for the recovery disk. There are plenty of threads on here recommending different products :)
 