Impossible to boot windows Vista - blue screen

Dear, it's my first time i write here because it's the first time I'm experiencing such problem.
i will start from the beggining:
My pc is not able to boot anymore. after i have disabled the automatic restart on system failure i got the following blue screen:

STOP: c0000135 – The program can’t start because consrv is missing. Try resintalling the program.
http://forums.malwarebytes.org/uploads/monthly_11_2011/post-100055-0-63079800-1321438987.jpg

I have tried to search the net and it seems to be an effect of ZeroAccess MAX++
i have tried to get access to system registry with a windows vista installation dvd
but the problem is that after the pc loaded windows files from the dvd
http://forums.malwarebytes.org/uploads/monthly_11_2011/post-100055-0-06707000-1321439231.gif
it start to load windows
http://forums.malwarebytes.org/uploads/monthly_11_2011/post-100055-0-79868800-1321439234.png
but then it stuck on a black screen. and nothing more happen.

at this point i really don't what to do to try to solve this problem.

please help me.
i wish to thanks anyone who will spend time to help me.

 

It's likely the hard drive on your PC is either dead or dying. If things freeze up during a repair or reinstall attempt, the most common cause is read/write issues with a failing hard drive.

Replace the drive then reinstall Windows. This should solve the problem.

 

You probably have a rootkit. You are going to have to edit the registry offline, get the computer to boot so that the people in the Malware Removal Forum can help. Loading the registry remotely will require UBCD4 windows. You can also do it with Hirens boot CD.

http://triplescomputers.com/blog/?p=72

 

looking on the net it seems that i could possibly have zeroaccess max++
i'm just trying to create a ubcd4win to try to get access to registry.

still i don't know if i'm able to manage to get access. i don't know if i have the knowleadge to use ubcd effectivey...

i will let you know...

p.s http://triplescomputers.com/blog/?p=72 yes it is exactly what i have founded...

 

I think you would have an easier time with Hirens Boot CD. I just booted it and had a very easy time editing the registry offline with regedit pe. Another option is PCregedit. A linux based bootable CD that lets you edit the registry. I would use those two options before UBCD4 windows if you do not have much experience. I can walk you through on what to do if you wish. Hirens Boot CD is about 500MB and PCregedit is not very large.

 

i'm downloading pcregedit...
just to be sure, it is a bootable cd right?
anyway i will try it to boot the pc and get access to registry, then i will follow triplescomputers indication do modify my registry...
i will keep you update
and of course thank you for help...

by the way i was trying to create a cd with ubcd4win, and i dont know it seems to get stucks at this point
queueing file: \\ubcd4win\plugin\driverpacks.net\massstorage\massstorage.sif" to \\ubcd4win\bartpe\i386\txtsetup.sif"
section: setvalue

probably it is only really slow...
it just added a new line

section: setvalue.2600

anyway i think that one of the biggest problem of ubcd is that it's not user friendly (for example it doesn't give a clue about progress) and it's really hard, at least for me, understand all his plugins...

 

ubcd just finished and it gives me 2 errors
it doesnt find fltmgr.sys and fltlib.dll

any clue??

 

PCregedit is an iso file which you will have to burn with Imgburn or Nero. You cannot just copy the iso file to the CD or it will not boot.

When you first boot the program, it will open up the config folder in %SystemRoot%\system32\. Then select "System" in the config folder. You will get a screen that shows root. Click on it and navigate to HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SubSystems.

You will see a partial entry for %SystemRoot%\system32\csrss.exe..... because the screen cannot show that whole key. Just double click it and edit the key.

 

I am not sure about those errors. Did you download PCregedit?

This will be the easiest of the programs to use next to Hirens Boot CD.

Edit: I found this regarding those errors.

http://ubcd4win.com/forum/index.php?showtopic=14851

 

ehehe sure, thank you, i'm not quite confident about getting access to system registry, but i'm not completly noob, but thanks for you kindness..

i will probably try pcregedit on monday, becasue my actual burner is not working well so i need to use another pc...

 

Yea, sorry about that. I should of edited my post. I knew you were not a noob as soon as you said you were building UBCD4 Windows. You should not have any problem with PCregedit.

 

don't worry about that, i really appreciate your help...

by the way i have tryed pcregedit... but without success, what i mean is that after it loads, i'm not able to see windows system folder, actually it seems that i'm not able to see anything...here a screenshot (sorry for the quality)

https://mail.google.com/mail/?ui=2&ik=1904740dcb&view=att&th=133c82b4e386541a&attid=0.1&disp=inline&realattid=f_gva10bt31&zw

 

Very nice find, tgell.

Here is another thread you guys may be interested in (looks related): BSOD Windows Vista 64 consrv file missing

 

by the way i have just solved the consrv.dll problem (in a really simple way).

i got access to the hd using xPud, and then i created a copy of winsrv.dll into folder system32 (where winsrv.dll was stored) and i named it consrv.dll (so that i have into system32 both files).


to found out that now i can boot the pc, but it reboots automatically after a short time. i can just load the login screen of windows (where i can choose the user) and input the password of my account it starts to load and then the time finish and the pc reboot (he reboot also if i stay on the log screen) (the rebooting seems to be connected to a matter of time)...

 

Can you go into safe mode and then select "Disable automatic Restart on System Failure"? Did you try the registry fix using PCregedit?

 

there is no system failure actually. it's like a timer, when you run out your time the pc reboot itself...

into pcregedit i'm not able to do anything.
i see the windows that you see, and it ask me to choose a file.
but there is no file to choose.
i didn't see other option..., but i will look better if you say so.

 

When PCregedit starts it asks for a file. You should get a window with an open folder called config. Scroll down until you see "System" Then you should select "System" and then press okay. If this does not work for you I suggest you download Hirens Boot Cd and edit the registry with that. How long of a time till the system reboots?

 

right now, i have dont know what to do into registry.
i have already solved what it's suggested into triples blog.
i have just renamed the file winsrv.dll as consrv.dll

and so, i have stoped the blue screen error.

but then i have found out that the pc reboot (just like a time bomb...you finish the time available and then it reboots)

in the best case i just have time to type the password of the account and try to log in, while windows is loading the desktop, it reboots. (but if i'm slow and i take my time to type the password it just reboots before i log in)

 

I do not think renaming the file will solve the problem. I believe you still have to edit the registry key and rename consrv to winsrv as stated in that blog. Their are actually two registry keys that should be changed. Maybe this is affecting the reboot cycle. And, you may also have a rootkit affecting your MBR also. Since you cannot get into the system, you would have to use a bootable anti-malware repair disk or use another program to rewrite the MBR.

A good program for that would be DR. Web Live CD. It will give the option to rewrite the MBR if it finds an infection.

This is the latest as of November 21.
http://mackey.drweb.com/pub/drweb/livecd/drweb-livecd-600.iso

 

Another link to reference: http://www.bleepingcomputer.com/forums/topic428388.html

 

yes it is always me.

 

Oh.. Hi! LOL

Sorry I didn't see that you were posting here too heh.

Are you still having issues?

I see that elise025 is wanting a CF log.

 

yes actually, i'm not able to run combofix, it starts to extract and when it starts to create the folder it blocks itself and the pc, elise025 suggested me to "Press Windows key + R, type combofix /killall and press enter. See if it runs that way. "
but i didn't understand when i'm supposed to type this command.
i should type when combofix get stucked and then relaunch combofix?
(because if i type it while combofix is not running at all, it says that it's not able to find combofix)
but if i have to type while combofix get stucked i dont know if im able, because explorere get stucked too and i'm not able to click anything on my desktop and i need to restart the pc (but maybe if i press Windows key + R the pc will do something, i dont know, eventually i have to try this)

 

Nevermind; I see that you are still experiencing problems.

I will follow your thread

 

No!

Yes that's because the desktop folder isn't specified. If ComboFix is on your desktop (as it should be), then the below command should work:

• "%userprofile%\desktop\combofix" /killall

 

i have to put also the % and " in the command?

 

Yes, copy it exactly how it's formatted above.

 

hi. using comand combofix /killall i was able to launch it. but when it finished to install itself the pc crashed again as of when i tried ddr.scr. so with a blue screen where it says dumping physical memory to disk.

pleease help thank you for everythings you are doing

 

last update

i have run combofix /nombr --> pc crashed (dump crash)
restart in normal mode --> pc does something like a scandisk (i think is combofix)
restart in normal mode --> the pc keep rebooting with no reason after a really short period of time
restart in safe mode -> run tddskiller (attached the log)
in safe mode i plan a scandisk (chkdsk /r) --> pc crashed (dump crash)
when i restart no scandisk starts.

 

I saw

Which STOP error code are you receiving when the PC crashes?

http://img585.imageshack.us/img585/148/techinfo.jpg
Is it the same every time?

The logs from it are in c:\windows\minidump

 

bsod c000021a
problems with winlogon.exe and/or csrss.exe

 

so i have deactivate the automatic reboot on system failure and this his the blue screen i got:
stop: c000021a [fatal system error] the windows subsystem system process terminated unexpectedly with a status of 0xc0000005 (0x77b1f34a 0x016def90). the system has been shut down.

attached you can also find all the dump crash report i founded into windows/minidump

 

you are really fast

but what does it means???

 

I'm pretty sure in your case something is still wrong with the csrss.exe file. Perhaps something in the Subsystems key was not fully successful.

Remember that you modified some string (REG_EXPAND_SZ) data that references to csrss.exe?

Maybe the actual csrss.exe file is damaged/corrupt and needs to be replaced with a clean copy.

Here is your BSOD dump file / why I think it's csrss.exe related.

Code:

ADDITIONAL_DEBUG_TEXT:  
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

MODULE_NAME: csrss

FAULTING_MODULE: 0000000000000000 

DEBUG_FLR_IMAGE_TIMESTAMP:  0

PROCESS_OBJECT: fffffa8005478510

IMAGE_NAME:  [B][COLOR="Red"]csrss.exe[/COLOR][/B]

CUSTOMER_CRASH_COUNT:  2

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0xF4

CURRENT_IRQL:  0

STACK_TEXT:  
fffffa60`02149b28 fffff800`023b0853 : 00000000`000000f4 00000000`00000003 fffffa80`05478510 fffffa80`05478748 : nt+0x55410
fffffa60`02149b30 00000000`000000f4 : 00000000`00000003 fffffa80`05478510 fffffa80`05478748 fffff800`0234b790 : nt+0x35b853
fffffa60`02149b38 00000000`00000003 : fffffa80`05478510 fffffa80`05478748 fffff800`0234b790 fffffa60`02149c20 : 0xf4
fffffa60`02149b40 fffffa80`05478510 : fffffa80`05478748 fffff800`0234b790 fffffa60`02149c20 fffffa80`05478510 : 0x3
fffffa60`02149b48 fffffa80`05478748 : fffff800`0234b790 fffffa60`02149c20 fffffa80`05478510 fffff800`02352fb4 : 0xfffffa80`05478510
fffffa60`02149b50 fffff800`0234b790 : fffffa60`02149c20 fffffa80`05478510 fffff800`02352fb4 fffffa80`054965c0 : 0xfffffa80`05478748
fffffa60`02149b58 fffffa60`02149c20 : fffffa80`05478510 fffff800`02352fb4 fffffa80`054965c0 fffffa80`054965c0 : nt+0x2f6790
fffffa60`02149b60 fffffa80`05478510 : fffff800`02352fb4 fffffa80`054965c0 fffffa80`054965c0 00000000`00f3fc90 : 0xfffffa60`02149c20
fffffa60`02149b68 fffff800`02352fb4 : fffffa80`054965c0 fffffa80`054965c0 00000000`00f3fc90 00000000`000066ef : 0xfffffa80`05478510
fffffa60`02149b70 fffffa80`054965c0 : fffffa80`054965c0 00000000`00f3fc90 00000000`000066ef ffffffff`ffffffff : nt+0x2fdfb4
fffffa60`02149b78 fffffa80`054965c0 : 00000000`00f3fc90 00000000`000066ef ffffffff`ffffffff 00000000`c0000005 : 0xfffffa80`054965c0
fffffa60`02149b80 00000000`00f3fc90 : 00000000`000066ef ffffffff`ffffffff 00000000`c0000005 fffffa80`05478510 : 0xfffffa80`054965c0
fffffa60`02149b88 00000000`000066ef : ffffffff`ffffffff 00000000`c0000005 fffffa80`05478510 fffffa80`05478510 : 0xf3fc90
fffffa60`02149b90 ffffffff`ffffffff : 00000000`c0000005 fffffa80`05478510 fffffa80`05478510 fffffa80`054965c0 : 0x66ef
fffffa60`02149b98 00000000`c0000005 : fffffa80`05478510 fffffa80`05478510 fffffa80`054965c0 fffff800`02307ca0 : 0xffffffff`ffffffff
fffffa60`02149ba0 fffffa80`05478510 : fffffa80`05478510 fffffa80`054965c0 fffff800`02307ca0 fffffa80`054965c0 : 0xc0000005
fffffa60`02149ba8 fffffa80`05478510 : fffffa80`054965c0 fffff800`02307ca0 fffffa80`054965c0 00000000`00000008 : 0xfffffa80`05478510
fffffa60`02149bb0 fffffa80`054965c0 : fffff800`02307ca0 fffffa80`054965c0 00000000`00000008 00000000`00f3fc90 : 0xfffffa80`05478510
fffffa60`02149bb8 fffff800`02307ca0 : fffffa80`054965c0 00000000`00000008 00000000`00f3fc90 00000000`00000008 : 0xfffffa80`054965c0
fffffa60`02149bc0 fffffa80`054965c0 : 00000000`00000008 00000000`00f3fc90 00000000`00000008 fffffa60`02149c20 : nt+0x2b2ca0
fffffa60`02149bc8 00000000`00000008 : 00000000`00f3fc90 00000000`00000008 fffffa60`02149c20 00000000`00000000 : 0xfffffa80`054965c0
fffffa60`02149bd0 00000000`00f3fc90 : 00000000`00000008 fffffa60`02149c20 00000000`00000000 00000000`00f3f690 : 0x8
fffffa60`02149bd8 00000000`00000008 : fffffa60`02149c20 00000000`00000000 00000000`00f3f690 000007fe`fd6c0000 : 0xf3fc90
fffffa60`02149be0 fffffa60`02149c20 : 00000000`00000000 00000000`00f3f690 000007fe`fd6c0000 00000000`000066ef : 0x8
fffffa60`02149be8 00000000`00000000 : 00000000`00f3f690 000007fe`fd6c0000 00000000`000066ef 000007fe`fd6cb314 : 0xfffffa60`02149c20


STACK_COMMAND:  kb

FOLLOWUP_NAME:  MachineOwner

BUCKET_ID:  WRONG_SYMBOLS

Followup: MachineOwner

 

Well i didnt modify any string.actually i never open the registry of my pc.so probably it is corrupted .eventually where i can find a clean copy of csrss.exe?
by the way i wont be home during the week end so i will update you on sunday evening

 

SubSystems: [Windows] ==> ZeroAccess
That modifies that string. It may not be messed up as it looks like fixed your immediate boot problem. I'm simply brainstorming

http://www.bleepingcomputer.com/forums/topic428388.html/page__view__findpost__p__2486393

Respond to that :cool

 

I didnt wont to be rude . i know you are sharing ideas and im so grateful to everyone is helping me. anyway i didnt used that command string. i solved my first boot problem copying winsrv.dll and then i renamed as conserv.dll.

Sunday we will see what will coming next

 

None taken

I think the Elise @ BleepingComputer thinks you used the SubSystems: [Windows] ==> ZeroAccess command while in FSRT -- and if you didn't that may be causing some confusion.

Technically you should only be doing what she and other helpers there ask you otherwise it just delays the process of whoever is helping you troubleshoot your remaining computer issues.

Elise is more than qualified (she does really good work there actually) to help you get back up and running so just follow her advice from now on

You may want to come clean about never doing the above command in FSRT as she requested as that may speed up the process.

Good luck / see you Sunday :wave

 

i have seen that you keep yourself updated about my pc problem, i really appreciate this,
i jsut answered the last request of elise. but im not able to check if filefind.txt is correct. so if you see something wrong please tell me so that i would post it again...

 

It's not empty.

Code:

Search results for consrv.dll

2d94e4ce322f12061d3fa7dbe65e9ac5  /mnt/sda1/Windows/consrv.dll
      439.5K Apr 20  2011 

2d94e4ce322f12061d3fa7dbe65e9ac5  /mnt/sda1/Windows/System32/consrv.dll
      439.5K Apr 20  2011 

 

Did you search for winsrv.dll too?

 

Ye i search for both but it seems to overwrite i will search again and i will post two file

 

Hi Thisisu

as you have seen for sure, at this point we have solved booting problem of my pc, for sure the pc is not clean and i'm waiting to see what elise will suggest to do. by the way, just for keeping sharing ideas. i still have this problem

so i'm still not able to load windows dvd, so i'm not quite sure about, if necessary. how to format and reinstall windows..

:wave

 

Is it only this bootable media that has problems? Is this a full Windows Vista DVD or just the recovery console CD/DVD?

 

well i didnt try many bootable product.

i have tried:
pcregedit --> it loads but then i don't see correctly the folder (as i posted previously in this thread. i have tried during my initial boot problem)
avg bootable recovery --> worked perfectly
xpud --> worked perfectly
windows vista full version dvd x86 --> it loads then get stuck
windows vista full version dvd x64 --> it loads then get stuck

 

I'm guessing something is wrong with the discs.

How do you have both x86 and x64 versions of Vista DVD? These are legit copies correct?

 

well i didnt have the original disks . So i have asked a copy to my office information service. so i trust they arent corrupted i have also tried on other pc and the works...

 

Maybe there's just a slight problem with your CD/DVD reader on the infected machine or the CD/DVDs were burned at a high speed.

 

After combofix the dvd booted normally
on bleeping computers i have posted a MBAM log cause it finds a troian.agent and a backdoor.bot. About the rest we seems to have solved all

 

Nice :cool