MyWinLocker causing blue screen, can't access system restore

Discussion in 'Software' started by mattbiel, Mar 8, 2012.

  1. mattbiel

    mattbiel Private E-2

    I have a pretty new Acer laptop running Windows 7. It came with this program preinstalled called "MyWinLocker" which is some sort of encryption program. About two weeks ago I started getting continuous BSODs. Today I figured out that it was caused by MyWinLocker. I tried to uninstall it but would get a BSOD every time, and I couldn't remove it. I found some forums online with others having the same issues with MyWinLocker. I followed some advice to remove it, but now I get a different blue screen that says:
    CRITICAL_SERVICE_FAILED

    I have a Windows 7 disk and I can boot to the system recovery options so I have access to a command prompt. However, I can't run the system restore from the disk because when I try I get a different BSOD that says:
    ntfs.sys
    PAGE_FAULT_IN_NONPAGED_AREA

    When I run the Startup Repair feature from the Win7 disk it says that it didn't detect anything wrong with my startup.

    I can boot the computer into safe mode with networking without any issue.

    I do have my data backed up but I would really like to try to get this fixed so I don't have to reformat.

    Any ideas for me?
    Thank you!
    :)
     
  2. mattbiel

    mattbiel Private E-2

  3. mattbiel

    mattbiel Private E-2

    Here are some minidump files if it will help
     

  4. kipfeet

    kipfeet Corporal

    Matt,

    My first idea is that if Acer installed a program that is known to be incompatible with Win7, I'd be asking them to fix it. I looked at the link you provided and it's a doozy of a problem.

    Have you looked for the problem in various Acer Forums on the 'net? Seems as if it would show up in one of them if the problem is common. Here's a link to one forum at Notebook Review. http://forum.notebookreview.com/acer/

    I looked at the Acer site itself and it appears that Acer doesn't have a support forum, only paid support. Boooooo.

    If no one here has any ideas, maybe someone at the above Acer Forum does.

    Good luck.
     
  5. satrow

    satrow Major Geek Extraordinaire

    I don't see any Antivirus listed in the dumps I looked at, did I miss it?

    Did you ever use MyWinlocker on any files or folders?

    I haven't looked for the original of this comment:
    The above thread ended with 0x5a's just like your latest BSOD's.

    Looking at your dumps, the older ones were all 0x50's:
    I ran the latest of these through Windbg:
    Code:
    Debug session time: Thu Mar  8 20:37:19.320 2012 (UTC + 0:00)
    System Uptime: 0 days 0:03:50.740
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    ...........................
    Loading User Symbols
    Loading unloaded module list
    ....
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    Use !analyze -v to get detailed debugging information.
    
    BugCheck 50, {fffff98113f82698, 0, fffff88001233460, 5}
    
    
    Could not read faulting driver name
    Probably caused by : Ntfs.sys ( Ntfs!memcpy+250 )
    
    Followup: MachineOwner
    ---------
    
    kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    PAGE_FAULT_IN_NONPAGED_AREA (50)
    Invalid system memory was referenced.  This cannot be protected by try-except,
    it must be protected by a Probe.  Typically the address is just plain bad or it
    is pointing at freed memory.
    Arguments:
    Arg1: fffff98113f82698, memory referenced.
    Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
    Arg3: fffff88001233460, If non-zero, the instruction address which referenced the bad memory
    	address.
    Arg4: 0000000000000005, (reserved)
    
    Debugging Details:
    ------------------
    
    
    Could not read faulting driver name
    
    READ_ADDRESS: GetPointerFromAddress: unable to read from fffff80003303100
    GetUlongFromAddress: unable to read from fffff800033031c0
     fffff98113f82698 
    
    FAULTING_IP: 
    Ntfs!memcpy+250
    fffff880`01233460 488b440af8      mov     rax,qword ptr [rdx+rcx-8]
    
    MM_INTERNAL_CODE:  5
    
    CUSTOMER_CRASH_COUNT:  1
    
    DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT
    
    BUGCHECK_STR:  0x50
    
    PROCESS_NAME:  System
    
    CURRENT_IRQL:  0
    
    TRAP_FRAME:  fffff88002f49da0 -- (.trap 0xfffff88002f49da0)
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=0000000000000020 rbx=0000000000000000 rcx=fffff98113f826c8
    rdx=ffffffffffffffd8 rsi=0000000000000000 rdi=0000000000000000
    rip=fffff88001233460 rsp=fffff88002f49f38 rbp=fffff98013f82718
     r8=00000000ffffff68  r9=0000000007fffffb r10=0000000000000001
    r11=fffff98013f82760 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0         nv up ei pl nz na po nc
    Ntfs!memcpy+0x250:
    fffff880`01233460 488b440af8      mov     rax,qword ptr [rdx+rcx-8] ds:fffff981`13f82698=????????????????
    Resetting default scope
    
    LAST_CONTROL_TRANSFER:  from fffff8000307b3bf to fffff800030d0c40
    
    STACK_TEXT:  
    fffff880`02f49c38 fffff800`0307b3bf : 00000000`00000050 fffff981`13f82698 00000000`00000000 fffff880`02f49da0 : nt!KeBugCheckEx
    fffff880`02f49c40 fffff800`030ced6e : 00000000`00000000 fffff981`13f82698 00000000`00000000 00000000`00000028 : nt! ?? ::FNODOBFM::`string'+0x44791
    fffff880`02f49da0 fffff880`01233460 : fffff880`012bf5a8 00000000`00000028 fffff880`02f49f90 fffff8a0`00000400 : nt!KiPageFault+0x16e
    fffff880`02f49f38 fffff880`012bf5a8 : 00000000`00000028 fffff880`02f49f90 fffff8a0`00000400 00000000`00000001 : Ntfs!memcpy+0x250
    fffff880`02f49f40 fffff880`012bf740 : fffff8a0`04ed6800 fffff800`03271260 fffff8a0`04ed6800 fffff980`13f82400 : Ntfs!NtfsRestartInsertSimpleRoot+0x50
    fffff880`02f49f80 fffff880`012e3a2f : fffffa80`03758e40 fffffa80`0375a180 fffff880`02f4a118 fffff880`02f4a150 : Ntfs!InsertSimpleRoot+0xb8
    fffff880`02f4a050 fffff880`0129ad3b : 00000000`00000000 fffff8a0`04ed6800 fffff880`02f4a118 fffff880`02f4a1a8 : Ntfs!AddToIndex+0xcf
    fffff880`02f4a0d0 fffff880`012b6da5 : fffffa80`03758e40 fffff8a0`04ed6800 fffff8a0`05adc738 fffffa80`00000000 : Ntfs!NtOfsAddRecords+0x167
    fffff880`02f4a2b0 fffff880`012e7520 : fffffa80`03758e40 fffff8a0`05adc730 00000000`00109b3c 00000000`00109b40 : Ntfs!GetSecurityIdFromSecurityDescriptorUnsafe+0x1fd
    fffff880`02f4a360 fffff880`01296532 : fffffa80`03758e40 fffffa80`0375a180 00000000`00000000 fffff980`13f82d00 : Ntfs!NtfsCacheSharedSecurityByDescriptor+0xa0
    fffff880`02f4a3b0 fffff880`012ae5ed : fffffa80`03758e40 fffffa80`0375a180 fffff800`03271260 00000000`00000000 : Ntfs! ?? ::NNGAKEGL::`string'+0x11530
    fffff880`02f4a430 fffff880`01241b0c : fffffa80`03758e40 fffff880`0126ba00 fffffa80`03758e40 fffff8a0`04543a90 : Ntfs!NtfsUpdateFcbInfoFromDisk+0x4fe
    fffff880`02f4a580 fffff880`0130c592 : fffffa80`03758e40 00000000`00000000 00000000`00000000 fffff8a0`04543a90 : Ntfs!NtfsInitializeDirectory+0x254
    fffff880`02f4a690 fffff880`013063fa : fffffa80`03758e40 fffffa80`0375a180 00000000`00000000 fffffa80`0375a180 : Ntfs!NtfsInitializeExtendDirectory+0x3d6
    fffff880`02f4a850 fffff880`012a180d : 00000000`00000000 fffffa80`0375ec10 00000000`00000001 00000000`00000000 : Ntfs!NtfsMountVolume+0x1691
    fffff880`02f4ab90 fffff880`01228985 : 00000000`00000000 00000000`00000000 fffffa80`03758e40 fffff800`030d8f93 : Ntfs!NtfsCommonFileSystemControl+0x59
    fffff880`02f4abd0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : Ntfs!NtfsFspDispatch+0x2ad
    
    
    STACK_COMMAND:  kb
    
    FOLLOWUP_IP: 
    Ntfs!memcpy+250
    fffff880`01233460 488b440af8      mov     rax,qword ptr [rdx+rcx-8]
    
    SYMBOL_STACK_INDEX:  3
    
    SYMBOL_NAME:  Ntfs!memcpy+250
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: Ntfs
    
    IMAGE_NAME:  Ntfs.sys
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  4d79997b
    
    FAILURE_BUCKET_ID:  X64_0x50_Ntfs!memcpy+250
    
    BUCKET_ID:  X64_0x50_Ntfs!memcpy+250
    
    Followup: MachineOwner
    ---------
    Looking at the Stack Text listed, it feels like this is related to some encryption or virtual drive mounting, possibly bad data on a non-System drive or partition.

    And the latest have been 0x5a's:
    No usual cause listed, I guess the Critical Service Failed says enough ;) Here's a quick analysis of the most recent dump:
    Code:
    System Uptime: 0 days 0:00:07.987
    Loading Kernel Symbols
    ....................................................
    Loading User Symbols
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    Use !analyze -v to get detailed debugging information.
    
    BugCheck 5A, {1, 1, 0, 0}
    
    Probably caused by : ntkrnlmp.exe ( nt!CmBootLastKnownGood+2f )
    
    Followup: MachineOwner
    ---------
    
    kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    CRITICAL_SERVICE_FAILED (5a)
    Arguments:
    Arg1: 0000000000000001
    Arg2: 0000000000000001
    Arg3: 0000000000000000
    Arg4: 0000000000000000
    
    Debugging Details:
    ------------------
    
    
    CUSTOMER_CRASH_COUNT:  1
    
    DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT
    
    BUGCHECK_STR:  0x5A
    
    PROCESS_NAME:  System
    
    CURRENT_IRQL:  0
    
    LAST_CONTROL_TRANSFER:  from fffff8000340785f to fffff80003093c40
    
    STACK_TEXT:  
    fffff880`009a9698 fffff800`0340785f : 00000000`0000005a 00000000`00000001 00000000`00000001 00000000`00000000 : nt!KeBugCheckEx
    fffff880`009a96a0 fffff800`0347b3b1 : fffffa80`045e1900 00000000`00000000 00000000`c0000034 00000000`00000002 : nt!CmBootLastKnownGood+0x2f
    fffff880`009a96e0 fffff800`035c12b6 : fffffa80`045e1988 fffffa80`045e1988 fffffa80`045e1980 fffff8a0`00000028 : nt!IopLoadDriver+0xd61
    fffff880`009a99b0 fffff800`035c2472 : fffff800`00000000 fffff8a0`00259440 ffffffff`800000c4 fffff8a0`001e36f0 : nt!IopInitializeSystemDrivers+0x1d6
    fffff880`009a9a40 fffff800`035c54ca : 00000000`00000000 00000000`00000010 ffffffff`8000002c fffff800`00812a40 : nt!IoInitSystem+0x9b2
    fffff880`009a9b40 fffff800`03515979 : 00000000`00000000 fffffa80`033c7b60 00000000`00000080 fffffa80`033c7040 : nt!Phase1InitializationDiscard+0x129a
    fffff880`009a9d10 fffff800`0332efee : 00000000`00000000 00000000`00000080 00000000`00000000 fffff800`030855d9 : nt!Phase1Initialization+0x9
    fffff880`009a9d40 fffff800`030855e6 : fffff800`03209e80 fffffa80`033c7b60 fffff800`03217cc0 00000000`00000000 : nt!PspSystemThreadStartup+0x5a
    fffff880`009a9d80 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16
    
    
    STACK_COMMAND:  kb
    
    FOLLOWUP_IP: 
    nt!CmBootLastKnownGood+2f
    fffff800`0340785f cc              int     3
    
    SYMBOL_STACK_INDEX:  1
    
    SYMBOL_NAME:  nt!CmBootLastKnownGood+2f
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: nt
    
    IMAGE_NAME:  ntkrnlmp.exe
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  4e02aaa3
    
    FAILURE_BUCKET_ID:  X64_0x5A_nt!CmBootLastKnownGood+2f
    
    BUCKET_ID:  X64_0x5A_nt!CmBootLastKnownGood+2f
    
    Followup: MachineOwner
    ---------
    It doesn't give me anything to go on; I'd suggest the best plan would be to pull off any vital data via a USB converter or direct internal connection of the hard drive to another computer. Once you know the data is safe, fully test all hardware using the page here as a reference.

    Once you are sure the hardware is all good, wipe and reinstall Windows from the Recovery discs or recovery partition, uninstall anything like MyWinlocker and eDataSecurity then install MSE, fully update Windows and all hardware drivers before importing your old data from backups.
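
Added example (not part of satrow's post or of the original thread): a small Python triage pass over `!analyze -v` text that extracts the bugcheck, its arguments and the modules on the stack, so the stack reading done by eye above can be repeated across many dumps. The sample is abridged from the first dump quoted above; the `triage` function name and the `OS_MODULES` set are assumptions of this example.

```python
import re
from collections import Counter

# Abridged from the first !analyze -v output quoted above (bugcheck 0x50).
SAMPLE = r"""
PAGE_FAULT_IN_NONPAGED_AREA (50)
Arg1: fffff98113f82698, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
PROCESS_NAME:  System
STACK_TEXT:
fffff880`02f49c38 fffff800`0307b3bf : 00000000`00000050 fffff981`13f82698 00000000`00000000 fffff880`02f49da0 : nt!KeBugCheckEx
fffff880`02f49c40 fffff800`030ced6e : 00000000`00000000 fffff981`13f82698 00000000`00000000 00000000`00000028 : nt! ?? ::FNODOBFM::`string'+0x44791
fffff880`02f49da0 fffff880`01233460 : fffff880`012bf5a8 00000000`00000028 fffff880`02f49f90 fffff8a0`00000400 : nt!KiPageFault+0x16e
fffff880`02f49f38 fffff880`012bf5a8 : 00000000`00000028 fffff880`02f49f90 fffff8a0`00000400 00000000`00000001 : Ntfs!memcpy+0x250
fffff880`02f4a850 fffff880`012a180d : 00000000`00000000 fffffa80`0375ec10 00000000`00000001 00000000`00000000 : Ntfs!NtfsMountVolume+0x1691

STACK_COMMAND:  kb
FAILURE_BUCKET_ID:  X64_0x50_Ntfs!memcpy+250
"""

OS_MODULES = {"nt", "Ntfs", "hal"}  # assumption: modules treated as in-box

BUGCHECK = re.compile(r"^([A-Z0-9_]+) \(([0-9a-fA-F]+)\)\s*$", re.M)
FIELD = re.compile(r"^([A-Z_]+):[ \t]+(\S.*)$", re.M)
ARG = re.compile(r"^Arg(\d): ([0-9a-fA-F]+)", re.M)
# child-sp retaddr : four args : module!symbol (symbol may contain spaces)
FRAME = re.compile(r"^[0-9a-f`]+ [0-9a-f`]+ : (?:[0-9a-f`]+ ){4}: (\S+?)!(.*)$", re.M)

def triage(text):
    """Summarise one !analyze -v report as a dict for sorting and grouping."""
    m = BUGCHECK.search(text)
    fields = {k: v.strip() for k, v in FIELD.findall(text)}
    frames = [(mod, sym.strip()) for mod, sym in FRAME.findall(text)]
    modules = Counter(mod for mod, _ in frames)
    return {
        "name": m.group(1) if m else None,
        "code": int(m.group(2), 16) if m else None,
        "args": [int(v, 16) for _, v in ARG.findall(text)],
        "bucket": fields.get("FAILURE_BUCKET_ID"),
        "frames": [f"{mod}!{sym}" for mod, sym in frames],
        "modules": dict(modules),
        # Empty list: no non-OS driver is named on the stack.
        "third_party": sorted(set(modules) - OS_MODULES),
        # True when the fault happened while NTFS was mounting a volume.
        "in_mount": any(mod == "Ntfs" and sym.startswith("NtfsMountVolume")
                        for mod, sym in frames),
    }
```
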
     
  6. sikvik

    sikvik Corporal Karma

  7. sikvik

    sikvik Corporal Karma

    Apparently what I linked to above fixes some errors. You will need to uninstall from add/remove after running the utility.
    http://www.dslreports.com/forum/r25221396-WIN7-How-do-I-Uninstall-MyWinLocker-Suite

    Cheers..
     
  8. mattbiel

    mattbiel Private E-2

    Thanks everyone. I'll take the majority advice here and reformat. Ugh.

    I appreciate the time and efforts!
     
  9. kipfeet

    kipfeet Corporal

    Matt,

    If you're going to reinstall the OS from a recovery partition or recovery CDs, there's a good chance that MWL will be installed again, just in case you didn't know. In theory, a recovery puts the computer back to the same place it was when you first booted it, including preloaded software. I don't know exactly what Acer does. Perhaps someone here knows.

    I hope you get it worked out, whatever happens.
     
