
Windows 10 - User Profile Service error followed by BSOD, now unable to boot


7 replies to this topic

#1 purat111

purat111

  • Members
  • 96 posts
  • OFFLINE
  •  
  • Local time:08:12 PM

Posted 16 January 2017 - 02:55 AM

Hi there,

I'm fairly convinced this isn't a malware issue so have posted it here. Over the last week our computer began having issues where the keyboard would randomly stop working, but this was fixed by a restart. Then yesterday one of the two user accounts became corrupted(?) and gave a User Profile Service unable to load error. While I was looking up a solution from the other profile, the computer went BSOD and now goes straight to Automatic Repair when trying to boot in safe or normal mode. System restore also fails because System Protection is not enabled. The computer is a desktop with an x64 OEM installation and is about 4 years old. We upgraded from Windows 8.1 to 10 last spring.

This appears to be similar to the problems I experienced a couple of years ago here: https://www.bleepingcomputer.com/forums/t/526687/boot-failure-malware-infection/

Any ideas on how to fix this?

Thanks a lot!

Edit: I'm unable to run the tools required in recovery mode, however I ran FRST just to check and some system files weren't verified as authentic. Also sfc gives a Windows Resource Protection could not start the repair service error - does this indicate an underlying problem?

Edit 2: the computer is now booting after a registry restore but is stuck in a Getting Things Ready loop after the login screen

Edited by purat111, 16 January 2017 - 02:23 PM.




#2 usasma

usasma

    Still visually handicapped (avatar is memory developed by my Dad


  • BSOD Kernel Dump Expert
  • 25,091 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Southeastern CT, USA
  • Local time:04:12 PM

Posted 19 January 2017 - 08:40 AM

There's not much that you can do if you can't boot into Windows.

You can spend a lot of time trying to fix this - but in the end you still won't be sure that you got everything.

I'd suggest backing up your stuff, then wiping the hard drive and installing W10 "clean"

 

But, if you still want to try, here's some things to try (from a generic list I made - so some of the steps may not work outside of Windows):

 

NOTE:  Try a clean boot to see if the problem clears up that way:  http://www.thewindowsclub.com/what-is-clean-boot-state-in-windows
If it does, then different troubleshooting steps are called for.

Here's some repair/recovery/restore options (in this order). Be sure to back up your stuff if you don't want to take the chance of losing it:

1 - Startup Repair.  Run it 3 times, rebooting in between tries.

2 - System Restore to a point before this started happening.

3 - DISM/SFC repair (DISM doesn't work with W7, although SFC does)  - doesn't work if you're not able to boot to Windows (Offline method listed below this quote box in another Quote box)
    

Then please run the following DISM commands to see if there's any problems with the system (from an elevated (Run as administrator) Command Prompt).  Press Enter after typing it:
   
Dism /Online /Cleanup-Image /RestoreHealth

    FYI - I have repaired systems using the last command even though problems weren't found with the first 2 - so I suggest running them all.

    From this article: http://technet.microsoft.com/en-us/library/hh824869.aspx

    You can also run sfc.exe /scannow from an elevated (Run as administrator) Command Prompt to check for further corruption. Include the CBS log (located at C:\Windows\Logs\CBS\CBS.log) if you'd like to have a Windows Update expert check it (I don't check them because I can't read them)


4 - RESET using the "Keep My Files" option (W8 calls this a REFRESH; W7 and earlier doesn't have this function)

5 - Repair install of the OS (Thanks to FreeBooter!):
   

"How To Perform a Repair Installation For Windows 8, 8.1 and 10"
    https://www.winhelp.us/non-destructive-reinstall-of-windows-8-and-8-1.html

    "How to Do a Repair Install to Fix Windows 7"
    http://www.sevenforums.com/tutorials/3413-repair-install.html

    "How To Perform a Repair Installation For Vista"
    http://www.vistax64.com/tutorials/88236-repair-install-vista.html

    "Non-destructive reinstall of Windows XP"
    https://www.winhelp.us/non-destructive-reinstall-of-windows-xp.html


6 - RESET using the "Remove Everything" option (W8 calls this a RESET; W7 and earlier doesn't have this function)

If using W7 or earlier, this can be accomplished by resetting the system by use of the recovery partition/recovery disks/recovery drive.
If you don't have them, you can usually order them from the OEM manufacturer of your system ( US points of contact here:  http://www.carrona.org/recdisc.html )

7 - Wipe and reinstall from the Recovery Partition (if so equipped)

8 - Wipe and reinstall from Recovery Media - to include deleting all partitions.
If you don't have them, you can usually order them from the OEM manufacturer of your system ( US points of contact here:  http://www.carrona.org/recdisc.html )

 

Offline DISM:

 

DISM /Online should only be used when running from within Windows. Run this command instead:

Dism /Image:C:\ /Cleanup-Image /RestoreHealth

Did you also try doing SFC scan while booting off of Recovery Environment or Install Disk? In those cases, the commands are slightly different:
sfc.exe /scannow /offbootdir=c:\ /offwindir=c:\windows

My browser caused a flood of traffic, so my IP address was banned. Hope to fix it soon. Will get back to posting as soon as I'm able.

- John  (my website: http://www.carrona.org/ ) **If you need a more detailed explanation, please ask for it. I have the Knack.** If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficulty reading posts. (23 Nov 2017) FYI - I am completely blind in the right eye and ~30% blind in the left eye. If the eye problems get worse suddenly, I may not be able to respond. If that's the case and help is needed, please PM a staff member for assistance.

#3 purat111

purat111
  • Topic Starter

  • Members
  • 96 posts
  • OFFLINE
  •  
  • Local time:08:12 PM

Posted 19 January 2017 - 02:04 PM

Hi, thanks for the reply.

 

I've managed to boot into Windows and access all user accounts using a registry backup, and have uploaded the files as requested in the sticky thread. However, in all user accounts, all I get after logging in is a black screen and it seems that user settings have been reset (all programs seem to work fine if accessed via Task Manager). However I can't get into any 'new-style' apps, which includes Windows Update. SFC won't run but DISM /checkhealth doesn't report any corruption.

 

Thanks!




#4 usasma


Posted 20 January 2017 - 12:17 PM

The User Profile issue is most often a malware problem - and the fix is to revert the registry to a previous (unaffected) version.

The problem is that the malware renames a good profile key, then substitutes its own key in its place.
The manual fix is to delete the bad key and rename the good key back to its original name.

 

One thing that may work is to try a System Restore point - but the more advanced malware knows to delete the System Restore points, so that doesn't work very often.

See if you can run appwiz.cpl - and uninstall Kaspersky and MalwareBytes.  There's a lot of traces of them in the dump files (this is just a hunch).

 

I would strongly suggest that you consider backing up your stuff - then wiping the drive clean and reinstalling W10.
This will go a lot quicker than attempting to repair the system (and, black screen problems are rarely fixed without a wipe and reinstall)

The operating system seems to be very damaged (from the number of errors in the WER section of the MSINFO32 report).

 

I've got to go offline now.  I'll be back later today or in the morning with a more detailed analysis of the reports that you've uploaded.


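The renamed-key pattern described in post #4 above can be looked for without changing anything on the system. The following is an added example, not part of the original thread: it parses the text output of `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" /s` and reports any user SID that appears under a suffixed key name, alone or next to its normal key. It assumes the renamed key carries a suffix such as `.bak` (the commonly seen form); the sample output, SIDs and user names are constructed.

```python
import re
from collections import defaultdict

PROFILE_LIST = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"

# Constructed sample of `reg query "<ProfileList>" /s` output; SIDs and user
# names are made up. <PL> stands in for the full key path to keep lines short.
SAMPLE = r"""
<PL>
    Default    REG_EXPAND_SZ    %SystemDrive%\Users\Default

<PL>\S-1-5-18
    ProfileImagePath    REG_EXPAND_SZ    %systemroot%\system32\config\systemprofile
    State    REG_DWORD    0x0

<PL>\S-1-5-21-1111111111-2222222222-3333333333-1001
    ProfileImagePath    REG_EXPAND_SZ    C:\Users\TEMP
    State    REG_DWORD    0x8000

<PL>\S-1-5-21-1111111111-2222222222-3333333333-1001.bak
    ProfileImagePath    REG_EXPAND_SZ    C:\Users\alice
    State    REG_DWORD    0x100

<PL>\S-1-5-21-1111111111-2222222222-3333333333-1002
    ProfileImagePath    REG_EXPAND_SZ    C:\Users\bob
    State    REG_DWORD    0x0
""".replace("<PL>", PROFILE_LIST)

VALUE_RE = re.compile(r"^\s{4}(\S.*?)\s{4}(REG_\w+)\s{4}(.*)$")
SID_RE = re.compile(r"^(S-1-5-21(?:-\d+)+)(.*)$")  # user SID plus any suffix


def parse_reg_query(text):
    """Return {subkey name: {value name: data}} for the subkeys of ProfileList."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith(PROFILE_LIST + "\\"):
            current = line[len(PROFILE_LIST) + 1:].strip()
            keys[current] = {}
        elif line.startswith("HKEY_"):
            current = None  # ProfileList itself or an unrelated key
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                keys[current][m.group(1)] = m.group(3).strip()
    return keys


def find_suspect_profiles(keys):
    """Report SIDs that have a suffixed key, with or without a normal twin."""
    by_sid = defaultdict(list)
    for name, values in keys.items():
        m = SID_RE.match(name)
        if m:
            by_sid[m.group(1)].append({
                "key": name,
                "suffix": m.group(2),
                "path": values.get("ProfileImagePath", "?"),
                "state": values.get("State", "?"),
            })
    findings = []
    for sid, entries in sorted(by_sid.items()):
        if not any(e["suffix"] for e in entries):
            continue  # only the normal key exists: nothing to report
        kind = "duplicate" if len(entries) > 1 else "renamed-only"
        entries = sorted(entries, key=lambda e: e["key"])
        findings.append({"sid": sid, "kind": kind, "entries": entries})
    return findings


if __name__ == "__main__":
    for f in find_suspect_profiles(parse_reg_query(SAMPLE)):
        print(f["kind"], f["sid"])
        for e in f["entries"]:
            print("   ", e["key"], "->", e["path"], "State", e["state"])
```

The report lists each key's ProfileImagePath so the key that still points at the real profile folder can be identified before any manual change is made.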

#5 usasma


Posted 20 January 2017 - 01:14 PM

Your UEFI/BIOS (version 8.14) dates from 2013.  Please check at the manufacturer's website to see if there are any UEFI/BIOS updates available for your system.  If you are able to install the update through Windows (without booting from an external drive), then go ahead and update it.  WARNING - if the computer might shut down during this procedure, please don't do it, as this may physically damage the computer and prevent it from booting.
FYI - W8 and W10 communicate more with the UEFI/BIOS than previous versions of Windows, so it's important to ensure that the UEFI/BIOS is kept up to date (and that outdated UEFI/BIOS' may be the cause of some compatibility issues).

Although you appear to have a reasonable number of Windows Update hotfixes for this version of your OS, please double check for any new Windows Updates.  It only takes one update to cause a problem, so it's essential that you have all of them.  The actual number is not important.  Rather it's important that you checked manually, installed any available updates, and didn't experience any errors when checking or updating.

This device needs its drivers installed:

 

Not Available    SW\{CFD669F1-9BC2-11D0-8299-0000F822FE8A}\{0A4252A0-7E70-11D0-A5D6-28DB04C10000}    The drivers for this device are not installed.

This appears to be this device:  Microsoft Streaming Tee/Sink-to-Sink Converter SW\{CFD669F1-9BC2-11D0-8299-0000F822FE8A}\{CF1DDA2C-9743-11D0-A3EE-00A0C9223196}

To fix this, please right click on the device in Device Manager and uninstall it.  Then reboot and immediately run Windows Update.  If that doesn't fix it, please post back for further suggestions.

 

The more I look at this, the more I wonder if the OS is severely corrupted - or that there's something that's causing the system to behave differently (anti-malware tools for example).

 

In the analysis below, please note the number of drivers that have date stamps before W10 was released (29 July 2015).
Please try and update them to the latest, W10 compatible version.  If unable to update them, then uninstall those that you can safely remove.  Post back for suggestions about the rest.

 

Analysis:
The following is for information purposes only. The following information contains the relevant information from the blue screen analysis:
**************************Sun Jan 15 15:52:54.468 2017 (UTC - 5:00)**************************
Loading Dump File [C:\Users\john\SysnativeBSODApps\011617-243328-01.dmp]
Windows 10 Kernel Version 14393 MP (4 procs) Free x64
Built by: 14393.693.amd64fre.rs1_release.161220-1747
System Uptime:0 days 5:25:27.253
Probably caused by :Unknown_Image ( PAGE_HASH_ERRORS_INPAGE )
BugCheck 1A, {3f, 1e7d, e6d2f0d9, a852d5d3}
BugCheck Info: MEMORY_MANAGEMENT (1a)
Arguments:
Arg1: 000000000000003f, The subtype of the bugcheck.
Arg2: 0000000000001e7d
Arg3: 00000000e6d2f0d9
Arg4: 00000000a852d5d3
BUGCHECK_STR:  0x1a_3f
PROCESS_NAME:  MemCompression
FAILURE_BUCKET_ID: PAGE_HASH_ERRORS_0x1a_3f
CPUID:        "Intel® Core™ i5-3330S CPU @ 2.70GHz"
MaxSpeed:     2700
CurrentSpeed: 2694
  BIOS Version                  8.14
  BIOS Release Date             06/10/2013
  Manufacturer                  Hewlett-Packard
  Product Name                  23-d233ea
  Baseboard Product             2ADC
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
**************************Tue Nov  8 04:32:19.082 2016 (UTC - 5:00)**************************
Loading Dump File [C:\Users\john\SysnativeBSODApps\110816-288765-01.dmp]
Windows 10 Kernel Version 14393 MP (4 procs) Free x64
Built by: 14393.351.amd64fre.rs1_release_inmarket.161014-1755
System Uptime:7 days 12:47:43.869
Probably caused by :Unknown_Image ( PAGE_HASH_ERRORS_INPAGE )
BugCheck 1A, {3f, b686, b5ff28b4, 855df2e7}
BugCheck Info: MEMORY_MANAGEMENT (1a)
Arguments:
Arg1: 000000000000003f, The subtype of the bugcheck.
Arg2: 000000000000b686
Arg3: 00000000b5ff28b4
Arg4: 00000000855df2e7
BUGCHECK_STR:  0x1a_3f
PROCESS_NAME:  MemCompression
FAILURE_BUCKET_ID: PAGE_HASH_ERRORS_0x1a_3f
CPUID:        "Intel® Core™ i5-3330S CPU @ 2.70GHz"
MaxSpeed:     2700
CurrentSpeed: 2694
  BIOS Version                  8.14
  BIOS Release Date             06/10/2013
  Manufacturer                  Hewlett-Packard
  Product Name                  23-d233ea
  Baseboard Product             2ADC
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``

3rd Party Drivers:
The following is for information purposes only. My recommendations were given above. The drivers that follow belong to software or devices that were not developed by Microsoft.  You can find links to the driver information and where to update the drivers in the section after the code box:

**************************Sun Jan 15 15:52:54.468 2017 (UTC - 5:00)**************************
CLVirtualDrive.sys          Mon Dec 26 08:26:47 2011 (4EF87617)
GEARAspiWDM.sys             Thu May  3 15:56:17 2012 (4FA2E2E1)
stwrt64.sys                 Mon Nov 12 21:09:35 2012 (50A1ABDF)
HECIx64.sys                 Mon Dec 17 14:32:21 2012 (50CF7345)
iaStorA.sys                 Wed Aug 28 18:13:22 2013 (521E7602)
CLBUDF.SYS                  Mon Sep 23 23:47:37 2013 (52410B59)
CLBStor.SYS                 Mon Sep 23 23:47:42 2013 (52410B5E)
000.fcl                     Fri Oct 18 03:16:31 2013 (5260E04F)
000.fcl                     Fri Oct 18 03:16:31 2013 (5260E04F)
CLVirtualBus01.sys          Wed Nov  5 04:11:18 2014 (5459E9B6)
rt640x64.sys                Tue May  5 12:21:03 2015 (5548EDEF)
RtsPStor.sys                Fri May 15 03:11:41 2015 (55559C2D)
netr28x.sys                 Fri May 29 07:26:59 2015 (55684D03)
klmouflt.sys                Tue Jun  2 08:36:12 2015 (556DA33C)
klbackupdisk.sys            Tue Jun  2 16:18:33 2015 (556E0F99)
kl1.sys                     Thu Jun 18 14:58:13 2015 (558314C5)
cm_km.sys                   Wed Jul  1 14:08:29 2015 (55942C9D)
TIxHCIufilter.sys           Fri Jul 17 15:42:11 2015 (55A95A93)
TIxHCIlfilter.sys           Fri Jul 17 15:42:27 2015 (55A95AA3)
 

**Windows 10 released on 29 July 2015**
 

klkbdflt.sys                Tue Oct 27 21:23:45 2015 (563023A1)
atikmpag.sys                Wed Nov  4 16:16:43 2015 (563A75BB)
atikmdag.sys                Wed Nov  4 16:39:32 2015 (563A7B14)
kldisk.sys                  Tue Nov 10 08:38:35 2015 (5641F35B)
kneps.sys                   Mon Nov 23 04:19:35 2015 (5652DA27)
klbackupflt.sys             Thu Nov 26 04:59:25 2015 (5656D7FD)
klpd.sys                    Thu Dec  3 11:35:34 2015 (56606F56)
klflt.sys                   Fri Dec  4 08:27:50 2015 (566194D6)
klim6.sys                   Fri Feb 26 08:38:37 2016 (56D0555D)
klwfp.sys                   Fri Apr 15 07:26:03 2016 (5710CFCB)
klids.sys                   Wed May  4 02:41:24 2016 (57299994)
intelppm.sys                Fri Jul 15 22:10:43 2016 (578997A3)
hiber_storport.sys          Fri Jul 15 22:21:57 2016 (57899A45)
klif.sys                    Thu Jul 28 09:36:20 2016 (579A0A54)
klwtp.sys                   Fri Aug  5 12:00:43 2016 (57A4B82B)
klhk.sys                    Mon Aug 15 10:22:59 2016 (57B1D043)
MBAMSwissArmy.sys           Wed Nov  9 09:21:05 2016 (582330D1)
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
**************************Tue Nov  8 04:32:19.082 2016 (UTC - 5:00)**************************
klhk.sys                    Fri Jul 29 13:56:00 2016 (579B98B0)


http://www.carrona.org/drivers/driver.php?id=CLVirtualDrive.sys
http://www.carrona.org/drivers/driver.php?id=GEARAspiWDM.sys
http://www.carrona.org/drivers/driver.php?id=stwrt64.sys
http://www.carrona.org/drivers/driver.php?id=HECIx64.sys
http://www.carrona.org/drivers/driver.php?id=iaStorA.sys
http://www.carrona.org/drivers/driver.php?id=CLBUDF.SYS
http://www.carrona.org/drivers/driver.php?id=CLBStor.SYS
http://www.carrona.org/drivers/driver.php?id=000.fcl
http://www.carrona.org/drivers/driver.php?id=000.fcl
CLVirtualBus01.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
http://www.carrona.org/drivers/driver.php?id=rt640x64.sys
http://www.carrona.org/drivers/driver.php?id=RtsPStor.sys
http://www.carrona.org/drivers/driver.php?id=netr28x.sys
http://www.carrona.org/drivers/driver.php?id=klmouflt.sys
http://www.carrona.org/drivers/driver.php?id=klbackupdisk.sys
http://www.carrona.org/drivers/driver.php?id=kl1.sys
http://www.carrona.org/drivers/driver.php?id=cm_km.sys
TIxHCIufilter.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
TIxHCIlfilter.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
http://www.carrona.org/drivers/driver.php?id=klkbdflt.sys
http://www.carrona.org/drivers/driver.php?id=atikmpag.sys
http://www.carrona.org/drivers/driver.php?id=atikmdag.sys
http://www.carrona.org/drivers/driver.php?id=kldisk.sys
http://www.carrona.org/drivers/driver.php?id=kneps.sys
http://www.carrona.org/drivers/driver.php?id=klbackupflt.sys
http://www.carrona.org/drivers/driver.php?id=klpd.sys
http://www.carrona.org/drivers/driver.php?id=klflt.sys
http://www.carrona.org/drivers/driver.php?id=klim6.sys
http://www.carrona.org/drivers/driver.php?id=klwfp.sys
klids.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
http://www.carrona.org/drivers/driver.php?id=intelppm.sys
http://www.carrona.org/drivers/driver.php?id=hiber_storport.sys
http://www.carrona.org/drivers/driver.php?id=klif.sys
http://www.carrona.org/drivers/driver.php?id=klwtp.sys
http://www.carrona.org/drivers/driver.php?id=klhk.sys
http://www.carrona.org/drivers/driver.php?id=MBAMSwissArmy.sys
http://www.carrona.org/drivers/driver.php?id=klhk.sys
 
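The comparison that post #5 above asks the reader to make by eye (which drivers carry date stamps from before the Windows 10 release) can be scripted. This is an added example, not part of the original thread: it parses lines in the format of the "3rd Party Drivers" listing, using an excerpt of that listing as input, and assumes the hex field in parentheses is the same timestamp in seconds since 1970-01-01 UTC, which agrees with the printed dates on the page.

```python
import re
from datetime import datetime, timezone

# Windows 10 release date as given in the post (29 July 2015).
W10_RELEASE = datetime(2015, 7, 29, tzinfo=timezone.utc)

# Excerpt of the "3rd Party Drivers" listing from the post above.
LISTING = """\
**************************Sun Jan 15 15:52:54.468 2017 (UTC - 5:00)**************************
CLVirtualDrive.sys          Mon Dec 26 08:26:47 2011 (4EF87617)
iaStorA.sys                 Wed Aug 28 18:13:22 2013 (521E7602)
000.fcl                     Fri Oct 18 03:16:31 2013 (5260E04F)
000.fcl                     Fri Oct 18 03:16:31 2013 (5260E04F)
TIxHCIlfilter.sys           Fri Jul 17 15:42:27 2015 (55A95AA3)
**Windows 10 released on 29 July 2015**
klkbdflt.sys                Tue Oct 27 21:23:45 2015 (563023A1)
klif.sys                    Thu Jul 28 09:36:20 2016 (579A0A54)
MBAMSwissArmy.sys           Wed Nov  9 09:21:05 2016 (582330D1)
"""

DRIVER_RE = re.compile(
    r"^(?P<name>\S+)\s+\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4} "
    r"\((?P<stamp>[0-9A-Fa-f]{8})\)\s*$"
)


def parse_listing(text):
    """Return {driver name: timestamp (UTC)}; repeats and other lines are dropped."""
    drivers = {}
    for line in text.splitlines():
        m = DRIVER_RE.match(line)
        if not m:
            continue  # header, separator or note line
        # Decode the hex field rather than the printed date: it is an epoch
        # value, so it does not depend on the time zone used for display.
        stamp = int(m.group("stamp"), 16)
        drivers[m.group("name")] = datetime.fromtimestamp(stamp, tz=timezone.utc)
    return drivers


def split_by_release(drivers, release=W10_RELEASE):
    """Return (older, newer): lists of (name, timestamp), oldest first."""
    ordered = sorted(drivers.items(), key=lambda kv: kv[1])
    older = [(n, t) for n, t in ordered if t < release]
    newer = [(n, t) for n, t in ordered if t >= release]
    return older, newer


def report(text):
    """Build a short text report of the drivers that predate the release."""
    older, newer = split_by_release(parse_listing(text))
    lines = [f"{len(older)} driver(s) predate {W10_RELEASE:%d %b %Y}, "
             f"{len(newer)} do not"]
    for name, built in older:
        years = (W10_RELEASE - built).days / 365.25
        lines.append(f"  {name:<22} {built:%Y-%m-%d}  "
                     f"({years:.1f} years before release)")
    return lines


if __name__ == "__main__":
    print("\n".join(report(LISTING)))
```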

#6 purat111


Posted 20 January 2017 - 01:18 PM

Thanks for the info. The desktop is now loading on both profiles, but the Start Menu still crashes. All data has been backed up but all system restore points before the incident have been deleted - do you think I should start a thread in the malware removal section? One thing that I'm confused about is that Kaspersky is reporting everything working fine yet Action Centre shows that there is no firewall present, could this also indicate malware?

Edit: Just saw your most recent post. Will see if drivers can be updated


Edited by purat111, 20 January 2017 - 01:23 PM.


#7 purat111


Posted 20 January 2017 - 02:22 PM

I've checked the HP website and it says:

 

 

HP does not provide Windows 10 drivers on HP.com for HP computers sold prior to August 2013. Microsoft has made most of the component drivers for these products available via Device Manager once the product is running Windows 10 with an active Internet connection

I installed all updates once Windows 10 was installed in April last year, so I don't think there are any driver updates available anymore. There are more recent updates for Windows 8.1 - should I give them a try?


Edited by purat111, 20 January 2017 - 02:23 PM.


#8 usasma


Posted 21 January 2017 - 06:19 AM

Windows may not recognize the Kaspersky firewall.  I suspect that this may be due to some damage to the OS from the malware.

I would ask over in the Am I Infected forums to see if they can offer any additional assistance.

 

The crashing start menu, the profile issues, the firewall not being recognized, and the lack of updates for so many drivers/programs all suggest to me that you'll be best served by backing up your data, wiping the hard drive clean, and installing Windows 10 fresh.  See what the folks over in the Am I Infected forums have to say.

 

Good luck!





