
Blue screen error after installing program


55 replies to this topic

#1 duffsparky

duffsparky

  • Members
  • 267 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:37 PM

Posted 31 December 2014 - 04:52 PM

I've created some problems on a friend's Acer laptop running Vista, including possible malware/virus infection. I requested assistance from Bleeping Computer, see here and here, for which I am very grateful.

 

The malware/virus repairs were going OK but then I downloaded and installed the program "getiPlayer" to watch BBC TV programs. The installation caused the laptop to blue screen. Upon restart the only option was to try a "Startup Repair" which failed. Subsequent "Normal" restarts fail with a blue screen error. Restarting in "Safe Mode" also results in a blue screen error. One of the blue screen errors gave the code "Stop: 0x000000F4 (0x00000003, 0x81FA7490, 0x81FA75DC, 0x85460C30)"

 

I've tried System Restore but this also fails.

 

I have the ACER recovery disks if needed but according to the Acer website at http://acer--uk.custhelp.com/app/answers/detail/a_id/29925/~/use-acer-erecovery-management-to-restore-your-system-or-create-recovery-media my only option will cause personal data loss.

 

I am sending this message from the same laptop using the MiniXP Environment from FalconFour's Ultimate Boot CD ver 4.6 loaded on a USB stick.

 

I can access the laptop hard disk using the MiniXP Environment and I ran its chkdsk (check only); it returned "Errors found. Chkdsk cannot continue in read-only mode." Would it be worth re-running chkdsk with "Fix errors on the disk (chkdsk /f /v c:)" or "Fix errors and perform full surface scan (chkdsk /r c:)" enabled, where c: is the correct drive letter for the Windows installation?

 

My friend is obviously not too happy with me and I'd be grateful for any assistance in resolving this issue. Hopefully, I can then get back to fixing the malware/virus problem.

 

Many thanks.


Edited by duffsparky, 31 December 2014 - 05:14 PM.



 


#2 Havachat

Havachat

  • Members
  • 1,044 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Sleepy Hollow - Geelong - Go Cats.
  • Local time:12:37 AM

Posted 31 December 2014 - 06:33 PM

First thing I would do is save any Data you need before anything else.

 

Remove the faulty or infected drive and Slave it to a working PC or laptop and boot Knoppix from that and save data.

 

I personally use Knoppix, burnt to disc, and boot from it to access the drive and retrieve data through exploring the infected drive and just copy and paste to the working PC drive { Create a Folder } eg Saved Data.

 

Once you have saved what you can or need, replace the drive back in the Laptop and do a full restore from discs, when done update MS Updates, install an antivirus { Avast }, remove unwanted programs not really required and when completed with everything run Ccleaner to cleanup temps etc.

 

Then I would Image the C:\ to a backup drive, to save you going through the full process again.

Plenty of Backup/Image Progs around, I use Acronis, you may prefer something else.

 

If the drive is large on Laptop just partition the drive and create a D:\ for backups.

 

Option 2 / Install Win7 after saving all data and leave Vista where it belongs { In the Bin } never liked it.



#3 duffsparky

duffsparky
  • Topic Starter

  • Members
  • 267 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:37 PM

Posted 01 January 2015 - 06:40 AM

Unfortunately I don't have access to another working PC



#4 JohnC_21

JohnC_21

  • Members
  • 22,971 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:10:37 AM

Posted 01 January 2015 - 06:37 PM

Vista periodically saves the registry Hives to the regback folder in C:\Windows\System32\config\regback.

 

If the registry Hives have not been updated you could copy them to C:\Windows\System32\config\.

 

I would rename the Hives in the config folder to

 

Software   to   Software.BAK

Security   to   Security.BAK

Default    to    Default.BAK

SAM    to    SAM.BAK

Default    to    Default.BAK

 

Then copy, not move, the registry Hives from the regback folder to the config folder using your rescue USB flash drive. Reboot. Depending on when the Registry Hives in Regback were created, you may have to do some registry fixes in the malware removal forum but this may get you to a bootable state.



#5 duffsparky

duffsparky
  • Topic Starter

  • Members
  • 267 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:37 PM

Posted 02 January 2015 - 11:25 AM

Thank you JohnC-21 your solution worked  :clapping: :bananas: :clapping:

 

I can get back to the original problem now see http://www.bleepingcomputer.com/forums/t/560434/installuninstall-security/

 

Just one point, in your message above you list "Default    to    Default.BAK" twice. Was this a typo or did you mean something else?

 

Have a great New Year and 2015.



#6 JohnC_21

JohnC_21

  • Members
  • 22,971 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:10:37 AM

Posted 02 January 2015 - 11:31 AM

Yes, that was an error on my part. I typed Default twice. Glad it worked out. You also have a Happy and Peaceful New Year.

 

Edit: You will probably need to run scans again as your registry is from an earlier date. I would suggest you reference this thread to nasdaq.


Edited by JohnC_21, 02 January 2015 - 11:44 AM.


#7 duffsparky

duffsparky
  • Topic Starter

  • Members
  • 267 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:37 PM

Posted 02 January 2015 - 11:50 AM

OK thanks again.

 

I've referenced your instructions/suggestions to nasdaq


Edited by duffsparky, 02 January 2015 - 04:10 PM.


#8 JohnC_21

JohnC_21

  • Members
  • 22,971 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:10:37 AM

Posted 02 January 2015 - 11:51 AM

Yes, that was a typo. I typed it twice.



#9 duffsparky

duffsparky
  • Topic Starter

  • Members
  • 267 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:37 PM

Posted 04 January 2015 - 09:27 AM

Hi JohnC-21,

 

Since restarting the malware/virus removal, with BC member nasdaq's assistance, the laptop has blue screened again after trying to switch from the User account to an admin account. Startup Repair failed and I'm back to where I was before, namely the boot stop error 0x000000F4.

 

Nasdaq suggests I re-implement your hive fix but to check with you as there may be other issues, see http://www.bleepingcomputer.com/forums/t/560434/installuninstall-security/page-2 from post dated Yesterday, Jan 04 2015 @ 07:28 PM

 

Before implementing the hive fix first time, I made copies of the original Software, Security, Default and SAM files found in the regback folder, therefore, hopefully I still have those non-updated files to reuse.

 

I have not yet reused the hive fix, should I go ahead and give it a try?


Edited by duffsparky, 04 January 2015 - 09:40 AM.


#10 JohnC_21

JohnC_21

  • Members
  • 22,971 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:10:37 AM

Posted 04 January 2015 - 10:14 AM

In my typed instructions, I forgot one other registry hive. The System Hive. That is why I typed Default twice. It should have been the System Hive. I would also make a backup of the System Hive and copy it over to the config folder but make sure the dates have not changed.

 

The F4 stop error is usually due to a hard drive, cable or controller issue. Also a bad driver.  I am wondering if somehow this is causing the registry to become corrupted and throwing a blue screen.

 

If you get the computer to boot again. Download Bluescreen view and use it to check your .dmp file in C:\Windows.

 

Edit: You can either delete the registry Hives in the config folder, the ones without the .bak extension, or change their names to something like Defaulta.bak. Add an "a" suffix to the names with a bak extension.

 

Edit Edit: Another reason for the stop error could be bad RAM. If you can get the computer to boot, run the memtest+ program and let it run for at least 6 passes. The problem is you are in a User account and you need an admin account to burn the bootable iso file, unless you can use the recovery USB you have to burn an iso file. Your recovery USB may also have a memory test utility available. I would check that.


Edited by JohnC_21, 04 January 2015 - 10:23 AM.
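
The hive swap described in posts #4 and #10, written as a shell function for a Linux live environment such as the Knoppix disc mentioned in post #2. This is an added example, not part of any poster's reply; the mount point, the upper-case hive file names and the cutoff-file convention for the date check are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the Windows partition is mounted
# read-write and the hive files carry the upper-case names below (check with
# ls first; NTFS mounts can be case-sensitive).
HIVES="SOFTWARE SECURITY DEFAULT SAM SYSTEM"

# restore_hives CONFIG_DIR CUTOFF_FILE
#   CONFIG_DIR   e.g. /mnt/win/Windows/System32/config (hypothetical mount point)
#   CUTOFF_FILE  any file whose mtime marks when the trouble started, e.g.
#                created with: touch -t 201412311600 /tmp/cutoff
# Prints which hives were restored and which were skipped. Returns 1 without
# changing anything if the cutoff file or a RegBack copy is missing or empty.
restore_hives() {
    config=$1
    cutoff=$2
    regback="$config/RegBack"
    restored=""
    skipped=""

    # Pass 1: validate everything before touching the live hives.
    [ -f "$cutoff" ] || { echo "no cutoff file: $cutoff" >&2; return 1; }
    for h in $HIVES; do
        if [ ! -s "$regback/$h" ]; then
            echo "missing or empty backup: $regback/$h" >&2
            return 1
        fi
    done

    # Pass 2: rename the live hive, then copy (not move) the backup in.
    for h in $HIVES; do
        # A backup rewritten after the cutoff may already hold the damage.
        if [ -n "$(find "$regback/$h" -newer "$cutoff")" ]; then
            skipped="$skipped $h"
            continue
        fi
        if [ -e "$config/$h" ]; then
            bak="$config/$h.BAK"
            # Never overwrite an earlier .BAK: append "a" until the name is free.
            while [ -e "$bak" ]; do bak="${bak}a"; done
            mv "$config/$h" "$bak" || return 1
        fi
        cp -p "$regback/$h" "$config/$h" || return 1
        restored="$restored $h"
    done
    echo "restored:$restored"
    echo "skipped:$skipped"
}

if [ "$#" -eq 2 ]; then restore_hives "$1" "$2"; fi
```

Any hive reported as skipped keeps its current file in the config folder, which matches what the topic starter did with the System hive in post #11.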


#11 duffsparky

duffsparky
  • Topic Starter

  • Members
  • 267 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:37 PM

Posted 04 January 2015 - 11:05 AM

The regback System hive file had been updated to yesterday's date so I left the System hive file in the config folder alone and just copied and renamed the other four, which enabled the laptop to reboot. I'm real glad I made a copy of the regback hives.

 

I've now booted the laptop into the hidden Administrator account.

 

Since rebooting the regback System hive file has updated to today's date. Presumably this hive file is good so I'll copy and rename it as I did the others. Can this be done when it is running or must I do it from a separate instance of Windows i.e. from my USB MiniXP boot stick?

 

I'll carry out your instructions above but before I do, a "Windows has recovered from an unexpected shutdown" warning message has popped up asking if Windows should check online for a solution. Should I allow Windows to make this check?

 

The problem details taken from the popup warning are as follows in blue text:

 

Problem signature:
  Problem Event Name:    BlueScreen
  OS Version:    6.0.6002.2.2.0.768.3
  Locale ID:    2057

Additional information about the problem:
  BCCode:    f4
  BCP1:    00000003
  BCP2:    93FAA7C8
  BCP3:    93FAA914
  BCP4:    8543CC30
  OS Version:    6_0_6002
  Service Pack:    2_0
  Product:    768_1

Files that help describe the problem:
  C:\Windows\Minidump\Mini010415-01.dmp
  C:\Users\Administrator\AppData\Local\Temp\WER-85909-0.sysdata.xml
  C:\Users\Administrator\AppData\Local\Temp\WER74A2.tmp.version.txt

Read our privacy statement:
  http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0409


Edited by duffsparky, 04 January 2015 - 11:09 AM.


#12 JohnC_21

JohnC_21

  • Members
  • 22,971 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:10:37 AM

Posted 04 January 2015 - 11:54 AM

I would use Bluescreen View to check that minidmp file.   C:\Windows\Minidump\Mini010415-01.dmp

 

That should give you a good idea on what caused the Bluescreen.

 

If you booted to the Hidden Administrator account, you can create a new admin account. Log into that and see if you get a bluescreen. But, I would check Bluescreen View first.

 

You should be able to simply copy those Hive Files to a USB key.



#13 duffsparky

duffsparky
  • Topic Starter

  • Members
  • 267 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:37 PM

Posted 04 January 2015 - 12:23 PM

 


Edited by duffsparky, 04 January 2015 - 12:28 PM.


#14 duffsparky

duffsparky
  • Topic Starter

  • Members
  • 267 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:37 PM

Posted 04 January 2015 - 12:27 PM

I'm having some difficulty posting, please bear with me.

Edited by duffsparky, 04 January 2015 - 12:31 PM.


#15 duffsparky

duffsparky
  • Topic Starter

  • Members
  • 267 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:37 PM

Posted 04 January 2015 - 12:29 PM

Still having difficulties


Edited by duffsparky, 04 January 2015 - 12:32 PM.




