
BSOD: c0000135 %hs is missing from your computer


  • This topic is locked
14 replies to this topic

#1 Izlandi

Izlandi

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:49 AM

Posted 04 November 2012 - 01:01 PM

Hi!

Over the past few days, my computer running Windows 7 has started to act up. It has all the latest updates from Windows Update installed. I also made sure to update all my drivers. Sometimes when I would boot, it simply would not. It would quickly restart, and show me the menu where I can choose to go into "repair mode (can't recall the exact name in English)", and give me the option to boot normally. If I went into repair mode, Windows would try to fix the problem, report that it couldn't, and then reboot, which then would work. Booting took a bit more time than usual though.

So I figured I had gotten infected, so I ran a full scan with SUPERAntiSpyware which found plenty of cookies and something else. I made it quarantine it and remove it. Now after the suggested restart I always get to a bluescreen saying: c0000135 The program can't start because %hs is missing from your computer. Try reinstalling the program to fix this problem. All safe mode options yield the same result.

After some googling and reading a few threads here and on MajorGeeks I figured I'd do a Farbar scan. After some minor issues pertaining to my old laptop being a Mac, I finally made it produce a log which is attached.

I don't know if this is related or not, but during the past month or so, it has been very slow. Sometimes freezing up while in Chrome, pausing playback for 2-3 seconds in foobar (media player), and feels generally more sluggish than before. Also, while playing high-end games such as Skyrim or Guild Wars 2 the screen would sometimes go pitch black and the monitor would power off. The game would still be running, but I would not be able to shut it down. Background programs such as Skype would still be running as usual, but nothing seemed to be able to get the screen back on. A hard restart would solve the issue though. This has happened a few times in the past, several months ago, which leads me to believe it has something to do with my graphics card. It has started to happen more frequently the past month or so though. This is a minor issue for now, right now I want to get my computer up and running again. Any help would be appreciated! My system language is in Swedish and I noticed parts of the log are too, but I couldn't seem to change language before running the scan.

Thank you for your time!


 


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:03:49 AM

Posted 04 November 2012 - 03:00 PM

Please do the following:


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
SubSystems: [Windows] ATTENTION! ====> ZeroAccess
2 AMService; C:\Windows\TEMP\rvlavb\setup.exe run [46080 2012-05-18] () ATTENTION! ====> Celas
2 Sunkfiltp; C:\Windows\System32\awhost32.dll [6656 2009-07-14] (Oak Technology Inc.) ATTENTION! ====> ZeroAccess
C:\Windows\TEMP\rvlavb\setup.exe
C:\Windows\System32\awhost32.dll
NETSVC: Sunkfiltp -> C:\Windows\system32\awhost32.dll (Oak Technology Inc.) ATTENTION! ====> ZeroAccess
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Reboot Normally.


NEXT



Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
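Added example (not part of any post in this thread, and not FRST's own code): a Python sketch for reviewing the fixlist quoted above before it is run. It groups the flagged entries by the label after "ATTENTION! ====>" and cross-checks flagged binaries against the bare file paths. Reading bare path lines as files to be removed, and the regular expressions, are assumptions based only on the lines visible here.

```python
import re
from collections import defaultdict

# Lines copied from the fixlist quoted in this thread.
FIXLIST = r"""start
SubSystems: [Windows] ATTENTION! ====> ZeroAccess
2 AMService; C:\Windows\TEMP\rvlavb\setup.exe run [46080 2012-05-18] () ATTENTION! ====> Celas
2 Sunkfiltp; C:\Windows\System32\awhost32.dll [6656 2009-07-14] (Oak Technology Inc.) ATTENTION! ====> ZeroAccess
C:\Windows\TEMP\rvlavb\setup.exe
C:\Windows\System32\awhost32.dll
NETSVC: Sunkfiltp -> C:\Windows\system32\awhost32.dll (Oak Technology Inc.) ATTENTION! ====> ZeroAccess
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
end
"""

FLAG = re.compile(r"\s*ATTENTION! ====> (?P<label>.+)$")
# First drive-letter path ending in a binary extension (arguments are dropped).
IMAGE = re.compile(r"[A-Za-z]:\\[^\[\]()>]*?\.(?:exe|dll|sys)", re.I)
BARE_PATH = re.compile(r"^[A-Za-z]:\\\S.*$")


def parse_fixlist(text):
    """Return (flagged entries, bare file paths) found between 'start' and 'end'."""
    flagged, bare, active = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "start":
            active = True
            continue
        if line.lower() == "end":
            break
        if not active or not line:
            continue
        m = FLAG.search(line)
        if m:
            body = line[:m.start()]
            image = IMAGE.search(body)
            flagged.append({
                "label": m.group("label"),
                "entry": body,
                "image": image.group(0) if image else None,
            })
        elif BARE_PATH.match(line):
            bare.append(line)
    return flagged, bare


def review(text):
    """Summarise what the fixlist touches; paths compare case-insensitively."""
    flagged, bare = parse_fixlist(text)
    listed = {p.lower() for p in bare}
    images = {f["image"].lower() for f in flagged if f["image"]}
    by_label = defaultdict(list)
    for f in flagged:
        by_label[f["label"]].append(f["entry"])
    return {
        "by_label": dict(by_label),
        # Flagged binaries whose file is not also listed on a line of its own.
        "image_not_listed": sorted(images - listed),
        # Files listed on their own that no flagged entry references.
        "listed_without_entry": sorted(listed - images),
    }


if __name__ == "__main__":
    for key, value in review(FIXLIST).items():
        print(key, value)
```

For this fixlist both flagged binaries are also listed on their own lines, and the two Desktop.ini paths are the only files not tied to a flagged entry.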


#3 Izlandi


Posted 04 November 2012 - 04:48 PM

Hi!

Thanks for the reply.

After running FRST I was able to boot, but I did run into a different bluescreen (much more text at this one, and it seemed to take a memory dump). It rebooted by itself and was then able to start normally. I then ran ComboFix which took quite the time. Attached is the log for ComboFix and the fixlog, and I'll most likely go to bed now to continue this matter tomorrow. Thanks for your excellent help this far. :)




#4 CatByte


Posted 04 November 2012 - 05:09 PM

Please run the following:

Download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply


NEXT

Please download Malwarebytes Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.




NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish



#5 Izlandi


Posted 04 November 2012 - 05:47 PM

Hi!

I downloaded and ran AdwCleaner, and then was prompted to reboot. I was then met with a new blue screen (different one, seemed to be identical to the one I mentioned in my second post). If needed I can take a picture of the blue screen. Anyhow, since neither last working configuration nor any of the safe modes worked I'm back with a new FRST.txt. I was unsure whether or not I could use the same fixlist, but I decided it's better to be safe than sorry. I attached the log for review. Thanks!

Attached Files

  • Attached File  FRST.txt   69.66KB   2 downloads


#6 CatByte


Posted 04 November 2012 - 05:58 PM

yes, please post the content of the blue screen

try the following in the order they are posted:

reboot and tap F8 upon start up until an option menu appears > arrow up to "Last Known Good Configuration" > press enter

if that doesn't get you in, then try the following:

ComboFix would have made a restore point before it's run, try restoring back to that restore point:

  • Restart the computer > tap F8 repeatedly to boot into the Advanced Boot Options screen
  • Select Repair your computer and press Enter
  • Select your keyboard language preferences and click on Next
  • Select your user name and type in the password, and then click on OK (if there is no password set, just hit enter)
  • On the System Recovery Options menu you will get the following options:
    • Startup Repair
    • System Restore
    • System Image Recovery
    • Windows Memory Diagnostic
    • Command Prompt
  • Select System Restore, click on the Next button
  • Select a restore point in the list of restore points available (choose the restore point made by ComboFix)
  • NOTE: Check the Show other restore points box to see any restore points (older) that may not be listed there.
  • your computer should now restore to the chosen restore point


if still no luck, then run the following (this will restore the infection again most likely, so you will need to post a fresh FRST scan afterwards)


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
Last Boot: 2012-10-26 18:34
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.


Reboot Normally.



#7 Izlandi


Posted 05 November 2012 - 11:24 AM

Seems like Last Known Good Configuration worked this time around (second try though). When it booted, the Adw-log popped up so I guess it worked in a way. I've attached the logs from Adw, Mbam and ESET. ESET didn't remove any of the threats however (two which seemed to be the quarantined ones from FRST and the other I suspect is a false positive). I suspect there might be a few steps left before I'm completely done, so I'm patiently waiting for a reply. :)

Since I've been unable to produce the second blue screen again, I only have this extremely blurry picture of it that I took first time it appeared. Since now everything seems to be working okay, it might be good for future reference or something. http://i.imgur.com/CBop4.jpg




#8 CatByte


Posted 05 November 2012 - 11:53 AM

Yes the ESET detection C:\Users\Hugo\Downloads\DTLite4454-0316.exe is just alerting that there is adware bundled with the installer, if you no longer need it, then delete it.

The stop error you received is generally an indication of a hardware issue.

Please run the following:


Please download Windows Repair (all in one) from here

Install the program then run it

Go to step 2 and allow it to run Disk check

Once that is done then go to step 3 and allow it to run SFC

On the Start Repairs tab => Click the Start

Click on the select all check box and then click on Start

DON'T use the computer while each scan is in progress.

Restart may be needed to finish the repair procedure.



NEXT


Please advise how the computer is running now and if there are any outstanding issues



#9 Izlandi


Posted 05 November 2012 - 03:41 PM

Okay, I ran disk check which took roughly 2 hours. It fixed several errors. It booted up, and I was met with the blue screen again (the one I posted a picture of). This time the automatic reboot fixed it and it was able to boot normally. Then when trying to run SFC it stopped analyzing at 26% saying it could not continue. I then proceeded with the next Start Repairs step. It ran through all the way, and rebooted. Upon boot it ran CHKDSK again, this time only taking a few minutes but still fixing a few errors. I've tried running SFC several times since, it always fails at 26%. I've run CHKDSK one more time since, last time I don't think it fixed any errors, however upon boot I did come to a third blue screen. I did not manage to get a picture, I do have the details though:

BCCode: 1000007e
BCP1: FFFFFFFFC0000006
BCP2: FFFFF8000486966B
BCP3: FFFFF8800A8466E8
BCP4: FFFFF8800A845F40
OS Version: 6_1_7601
Service Pack: 1_0
Product: 256_1

C:\Windows\Minidump\110512-43461-01.dmp
C:\Users\Hugo\AppData\Local\Temp\WER-57611-0.sysdata.xml


I did some brief googling on the error code and it seems that it might be pertaining to hardware. Any further advice would be appreciated. I have yet to try and run any heavy applications (only chrome/foobar this far).
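Added example (not part of any post in this thread): a Python sketch that decodes the stop-error details quoted above, and also the c0000135 status from the first post. It parses the "BCCode"/"BCPn" lines, strips the 64-bit sign extension from the exception status, splits the NTSTATUS into severity, facility and code, and marks statuses that report a storage I/O failure. The lookup tables are a small hand-picked subset, and the "storage_io" flag is this example's own heuristic.

```python
# Constructed from the problem-signature lines quoted in the post above.
WER_TEXT = """\
BCCode: 1000007e
BCP1: FFFFFFFFC0000006
BCP2: FFFFF8000486966B
BCP3: FFFFF8800A8466E8
BCP4: FFFFF8800A845F40
OS Version: 6_1_7601
"""

# Bug checks whose first parameter is the unhandled exception's NTSTATUS.
BUGCHECKS = {
    0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0x8E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED",
}
NTSTATUS = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000006: "STATUS_IN_PAGE_ERROR",
    0xC000000E: "STATUS_NO_SUCH_DEVICE",
    0xC000009C: "STATUS_DEVICE_DATA_ERROR",
    0xC0000135: "STATUS_DLL_NOT_FOUND",
    0xC0000185: "STATUS_IO_DEVICE_ERROR",
}
# Statuses that report a failed device or paging read (example's own grouping).
STORAGE_IO = {0xC0000006, 0xC000000E, 0xC000009C, 0xC0000185}
SEVERITY = ("success", "informational", "warning", "error")


def parse_wer(text):
    """Turn 'Key: value' lines into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def decode_ntstatus(value):
    """Split an NTSTATUS (32-bit, or sign-extended to 64 bits) into its fields."""
    status = value & 0xFFFFFFFF
    return {
        "status": status,
        "severity": SEVERITY[status >> 30],
        "facility": (status >> 16) & 0xFFF,
        "code": status & 0xFFFF,
        "name": NTSTATUS.get(status, "unknown"),
        "storage_io": status in STORAGE_IO,
    }


def triage(text):
    fields = parse_wer(text)
    bccode = int(fields["BCCode"], 16)
    params = [int(fields["BCP%d" % i], 16) for i in range(1, 5)]
    base = bccode & 0x0FFFFFFF  # 0x1000007E is the minidump form of 0x7E
    result = {
        "bugcheck": BUGCHECKS.get(base, "unknown"),
        "minidump_variant": bool(bccode & 0x10000000),
        "params": params,
    }
    if base in BUGCHECKS:
        result["exception"] = decode_ntstatus(params[0])
        result["fault_address"] = params[1]
    return result


if __name__ == "__main__":
    print(triage(WER_TEXT))
    print(decode_ntstatus(0xC0000135))
```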

#10 CatByte


Posted 05 November 2012 - 08:11 PM

I don't believe the issue is related to malware any longer, as the blue screens do appear to be hardware related. There may be some corruption of the OS due to removing the malware and that may be why sfc will not complete.

let's see what ESET services repair can accomplish.


If the situation doesn't improve and you continue to get blue screens, then I suggest backing up all your important data while you can as one of these times the system might crash and you won't be able to recover from it.

Then start a new topic in our hardware section to see if the techs there can run some tests to narrow down the problem,

try this:


Download the ESET services repair tool, extract the file to your desktop.

  • Double-click ServicesRepair.exe,
  • If security notifications appear, click Continue or Run and then click Yes when asked if you want to proceed.
  • Once the tool has finished, you will be prompted to restart your computer. Click Yes to restart.
  • a log will be saved in the CCSupport folder the tool created on your desktop, please post the content in your next reply



#11 Izlandi


Posted 06 November 2012 - 01:32 AM

I've attached the log for ESET Service Repair. Boot was significantly faster now than before, also no blue screens thus far. I did try to run SFC again, with it stalling at 26% yet again. Is there anything left to do or should I go ahead and create a thread in the hardware forum? Also, do you believe the problem I explained in my main post (last paragraph) is hardware related too? Thanks.




#12 CatByte


Posted 06 November 2012 - 08:43 AM

Have a look in Device Manager and see if there are any conflicts reported.

There may be drivers that need updating.

Beyond that, you will need the help from the hardware techs as it may be a bad stick of RAM or other piece of hardware that is causing the remaining issues.

ESET appears to have resolved some issues, but I have no answer as to why sfc stalls out at 26%

make certain you have all of the windows critical updates installed. Check and make sure you have all the latest versions of any Adobe products and Java installed and remove the older versions.

In the meantime, I will give you the cleanup routine to clean up our tools


You can delete the Farbar logs and programs from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Press the WinKey +R to open a run box
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.



NEXT

  • Double click on adwcleaner.exe to run the tool.
  • Click on Uninstall.
  • Confirm with yes.


If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer has always the latest security updates available installed on your computer.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once it's finished it should automatically reboot your machine,
    • if it doesn't, manually reboot to ensure a complete clean
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
    PC Safety and Security--What Do I Need?.
  • Simple and easy ways to keep your computer safe and secure on the Internet


Let me know how it goes



#13 Izlandi


Posted 06 November 2012 - 12:50 PM

I've uninstalled the cleaners and run TLC, updated Windows (only two updates) as well as Flash & Java. I cleaned out old Java-versions with JavaRa, I also went ahead and ran CCleaner. The tips were good, I skipped those that are irrelevant for me (since I don't use IE at all) but did (or will do) the others. So far I've encountered zero problems, no blue screens or anything. From what I can tell my drivers are up to date, and there appears to be no conflicts in the device manager - there are however two "unidentified" posts. Tried SFC yet again, still cancels by itself at 26% during the first phase (verifying).

I think this topic can be closed, unless there are any more steps you want me to go through. If I encounter any blue screens (like the ones before) I'll go ahead and ask in the hardware forum. As a thank you, I've donated a small sum to your Paypal account. It's not much, but as a student it's all I can afford for now. Once again, thank you for your patience and professional help! :thumbsup:

Edited by Izlandi, 06 November 2012 - 12:57 PM.


#14 CatByte


Posted 06 November 2012 - 06:06 PM

you are welcome

stay safe

~CB

(thanks very much for the donation, much appreciated :))



#15 CatByte


Posted 06 November 2012 - 06:06 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





