[SOLVED] BlueScreen Error: Stop Code - Critical Structure Corruption

sadperson

Mar 15, 2018
Hello Everyone,

Recently BlueScreen error messages started to occur and it destroyed all my unsaved and even saved work I am doing. Extremely annoying and I am very much worried because it could occur next time just about anytime, although it occurs usually once per 90 minutes. My OS is Windows 10 64bit.

The content of bluescreen error is: "Your PC ran into a problem and needs to restart. We're just collecting some error info, and then we'll restart for you." There is also an increasing %complete counter and when it hits 100%, pc restarts and destroys all the work I have done. It happened that even if the work is saved, it still destroys it. I have wasted tens of hours of my lost work done. It also says "For more information about this issue and possible fixes visit windows.com/stopcode" and "Stop Code: CRITICAL STRUCTURE CORRUPTION".

I uploaded .dmp file from Minidumps (or something like that) folder on the following link:

https://www.sendspace.com/file/hqbpc6

Already did a lot of research on this and found that the main cause could be outdated drivers so I updated them all. Each and every driver is successfully updated but it doesn't help. I was on malware cleaning forum where expert reviewed my case, did a lot of potential malware/viruses scan and everything is clean. Used many cleaning programs. All is clean.

Also did the following in cmd.exe:
sfc.exe /scannow
and then
dism.exe /online /cleanup-image /restorehealth

didn't help. Not even after reboot.

Also tried to clear cookies, even flash cookies (cache), also cleaned registry. Nothing helps.

I also ran Memory Test using bootable USB Key. No errors were found. Done many researches on my own but now I have to ask for your help. It is getting so urgent and severity of the problem is so high that I have no other choice anymore.

What else could I do? I have tons of work to do on my computer and cannot move further because of this bluescreen error. Please if someone could help me what to do, I would appreciate a lot!

EDIT: I noticed no one has helped. Could anyone please tell poor and sad kid like me how to solve this?
 
Solution
to run the dism.exe command you actually need to run powershell or cmd.exe as an admin to get to a shell
then run
dism.exe /online /cleanup-image /restorehealth

if this command has not been disabled it will fix the modified windows kernel and modified windows interface files.
often malware will replace the file or make a change to block it from running.

it will be a key to getting your system working correctly. note: there is even a way to use this tool by booting a USB image of windows then telling the tool to fix the binaries on your c: drive. This means you can do a fix even if the local copy has been disabled. but try the local copy of dism.exe first.


you can google how to use dism.exe to repair a windows 10 image
or...
MERGED QUESTION
Question from sadperson : "ntkrnlmp.exe, ntoskrnl.exe (0x109) - computer crashed"

Hi,

I already opened previous topic but didn't get any replies so I decided to ask for assistance please on a little bit different description of actually the same problem.

MemTest, drivers update, chkdsk, malware cleaning, registry/cookies cleaning, device manager (no ?s or !s), sfc.exe /scannow, etc didn't work. Neither of them.

Software WhoCrashed provided me the following three reports if someone could please help (windows 10 64bit):

On Sun 18.3.2018 15:15:53 your computer crashed or a problem was reported
crash dump file: C:\WINDOWS\Minidump\031818-31609-01.dmp
This was probably caused by the following module: ntoskrnl.exe (nt+0x175510)
Bugcheck code: 0x109 (0xA39FE35AAD28B70A, 0xB3B6EFE0FFA8C339, 0xFFFFA4021399D040, 0x5)
Error: CRITICAL_STRUCTURE_CORRUPTION
file path: C:\WINDOWS\system32\ntoskrnl.exe
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: NT Kernel & System
Bug check description: This indicates that the kernel has detected critical kernel code or data corruption.
This appears to be a typical software driver bug and is not likely to be caused by a hardware problem. This might be a case of memory corruption. This may be because of a hardware issue such as faulty RAM, overheating (thermal issue) or because of a buggy driver. This problem might also be caused because of overheating (thermal issue).
The crash took place in the Windows kernel. Possibly this problem is caused by another driver that cannot be identified at this time.



On Sun 18.3.2018 15:15:53 your computer crashed or a problem was reported
crash dump file: C:\WINDOWS\MEMORY.DMP
This was probably caused by the following module: ntkrnlmp.exe (nt!KeBugCheckEx+0x0)
Bugcheck code: 0x109 (0xA39FE35AAD28B70A, 0xB3B6EFE0FFA8C339, 0xFFFFA4021399D040, 0x5)
Error: CRITICAL_STRUCTURE_CORRUPTION
Bug check description: This indicates that the kernel has detected critical kernel code or data corruption.
This appears to be a typical software driver bug and is not likely to be caused by a hardware problem. This might be a case of memory corruption. This may be because of a hardware issue such as faulty RAM, overheating (thermal issue) or because of a buggy driver. This problem might also be caused because of overheating (thermal issue).
The crash took place in the Windows kernel. Possibly this problem is caused by another driver that cannot be identified at this time.



On Sun 18.3.2018 13:37:57 your computer crashed or a problem was reported
crash dump file: C:\WINDOWS\Minidump\031818-33265-01.dmp
This was probably caused by the following module: ntoskrnl.exe (nt+0x175510)
Bugcheck code: 0x109 (0xA39FCB5C87012510, 0xB3B6D7E2D982D82B, 0xFFFF8C03E898B040, 0x5)
Error: CRITICAL_STRUCTURE_CORRUPTION
file path: C:\WINDOWS\system32\ntoskrnl.exe
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: NT Kernel & System
Bug check description: This indicates that the kernel has detected critical kernel code or data corruption.
This appears to be a typical software driver bug and is not likely to be caused by a hardware problem. This might be a case of memory corruption. This may be because of a hardware issue such as faulty RAM, overheating (thermal issue) or because of a buggy driver. This problem might also be caused because of overheating (thermal issue).
The crash took place in the Windows kernel. Possibly this problem is caused by another driver that cannot be identified at this time.
 
I will get someone to read the dump files you attached in 1st post. WhoCrashed just shows what crashed but not why.

ntoskrnl & ntkrnlmp are both part of the windows kernel. It handles all driver requests, power management, and memory management. It sits between Hardware and Applications. It got blamed but it's not the cause.

So SFC found nothing wrong?

parameter 4 = 0x5 = A type-2 process list corruption. It's likely to be caused by a driver or overheating - is PC running at normal temps?
 
Hi, I ran the dump file through the debugger and got the following information: https://pste.eu/p/XBWI.html

File: 031318-33515-01.dmp (Mar 13 2018 - 03:23:34)
BugCheck: [CRITICAL_STRUCTURE_CORRUPTION (109)]
Probably caused by: Unknown_Image (Process: csrss.exe)
Uptime: 0 Day(s), 10 Hour(s), 47 Min(s), and 18 Sec(s)

System: Lenovo ThinkCentre M93p
I was unable to find the page on the Lenovo site for your system but I only did a quick search. I was going to see if you have the latest BIOS version. You have version: FBKT79AUS which is dated 04/17/2014.

I was unable to find descriptions for the following 2 drivers on your system:
lcqbkrtw.sys
vsnoivlmo.sys
Search your PC for these 2 files. If you find them, right click on them choose properties and provide information about them here. File description, Product name, and Copyright would be useful.

I can't help you with this. Wait for additional replies. Good luck.
 
try some of the things below and after your next bugcheck provide the kernel memory dump
c:\windows\memory.dmp
it will show what is running on all of the cpu cores and will provide more info on the other running drivers and internal error logs.
------------
I would reinstall the GPU driver including the GPU sound driver directly from the graphics vendors website then reboot.

then go to your motherboard vendors website and update the motherboard sound driver.

I would remove the 3rd party MP3 drivers because of the old file date.
I say this because the stack problems shown in the bugcheck are often related to the sound drivers.

I would uninstall the old RawDisk Driver (see below)



vsnoivlmo.sys Wed Jan 17 04:49:02 2018 (assume it is part of the mp3 player driver)
you should find out what this is for. it is bad news if you can not find the driver name on google or bing.

you also have Avnex Ltd. Virtual Audio Device
SystemRoot\system32\DRIVERS\vcsvad.sys Sun Nov 16 01:51:18 2008

https://mp3-player.audio4fun.com/free-audio-software.htm
I assume it is related to the other driver. I would uninstall the program.

this driver is very old also:
EldoS Corporation RawDisk Driver
\C:\WINDOWS\system32\drivers\rsdrvx64.sys Thu Feb 12 05:01:49 2009
http://www.callbacktechnologies.com/cbfsdirect/
(good chance this is the source of the bugchecks)

 
Have you run antivirus/malware scans? I see you have Malwarebytes installed.

PC web site - https://pcsupport.lenovo.com/au/en/products/desktops-and-all-in-ones/thinkcentre-m-series-desktops/thinkcentre-m93p/downloads - try running the auto update on site unless you have already.
Latest BIOS is FBKTCUA dated Feb 27th 2017, updating to this could help fix the errors - might be caused by newer drivers sending commands the old bios doesn't recognise.

csrss.exe = user client.

Anything older than 2015 isn't a win 10 Driver, and may cause BSOD

NvStreamKms.sys dated Oct 31 2014 seems way too old for it be a current Nvidia driver
ckldrv.sys dated Mar 17 2008 is way old. its description is CrypKey License or NetworkX driver
vcsvad.sys dated Nov 16 2009 is way too old. Its description is Virtual Audio Device (Avnex or AVSOFT)
rsdrvx64.sys dated Feb 12 2009 is way too old. It's described as RawDisk driver (EldoS) http://www.eldos.com/

Two unknown drivers could be viruses (maybe - can usually find some references to files, these show none - even after removing .sys from file names. They both appear to be from 2018 so only new.)

John beat me to it :)
 
Colif: Correct, SFC found nothing wrong. I don't do any overclocking/overheating. I don't even know what this is. I did malware cleaning and pc is safe. I have never heard about ''updating bios'' No idea how could I do that and I assume this is some very big task to be done. I think ''bios'' is application that looks like ''ms dos'' on very old computers occurring (if entering it) before Desktop occurs. Not sure what you meant to say with those filenames - whatever they are.

gardenman: I am also not able to find those files that you mentioned. Neither of them. I already have ''show hidden files and folders'' enabled.

johnbl: I found the file you mentioned in exact extension but it is very big: 1,08GB. On which website could I upload it for you? The reason for asking this is because I want to make sure that I don't start uploading (due to large file, it takes a lot of time) and then you would say that website, according to your opinion, is not safe to download from. Please kindly tell me where to download this big file. I don't know what ''gpu driver'' is. Sound driver is working fine. I just checked device manager and no ''?'' or ''!''. Also it is in updated version. As I mentioned to user ''gardenman'', I don't have the file named ''vsnoivlmo''. I am not sure what you meant with:

vcsvad.sys
''free audio software'' (I don't think I have any program named like that!)
rsdrvx64.sys

johnbl, I would appreciate if you could please tell me more directly what to do because I cannot just assume from what you mention. The Critical Structure Corruption has been occurring for like one month and entire work (job) is on hold. I am seriously worried for my income for this month because I haven't done anything (work related).





 
Hi sadperson, for the memory.dmp file, it would be best if you can compress it first. Copy it to your documents folder, right click on it and choose Send To -> Compressed Folder. This should cut the filesize down. It will then be called Memory.zip. Upload it to any place that will accept large files.

Apparently https://files.fm/ will accept such large memory.dmp files. See the 7th or so message down here: http://www.tomshardware.com/answers/id-3649861/facing-bsods-build-pleas.html

I think GoogleDrive will also handle the larger files.
 
I have a pretty fast internet connection. I can do the download pretty fast. you can put it on any website that will take the file. google docs, Microsoft onedrive, mediafire. best to use a website that does not try to install malware.

also, if you compress the file use a .zip compression so I can use windows to uncompress.

updating a bios is pretty easy for machines made in the last 7 years. Each motherboard vendor has their own tools and method of updating the bios so you have to go to the motherboard vendors website and read on how to do the update.

the BIOS is a monitor ROM program, that is used to do the initial setup of the electronics of the machine before control is handed off to an operating system. Each hardware device is set up in the electronics, when windows loads it loads a device driver that takes control of specific hardware. The problem is the specification for the interface gets changed over the years. The BIOS specifications need to match the specifications for the device driver that is installed. if you just update the driver and not the bios you will start to have certain problems when major specifications are changed.





 
I used winrar for memory.dmp file and reduced the size of uploading (and your downloading) from 1,08gb to 156mb. Downloading link is here:

http://www.mediafire.com/file/9h1w9373fbhvx9d/memoryfile.rar

I am also providing, just in case if needed, in depth report about my computer. It is created using Everest program and report can be opened with any internet browser:

http://www.mediafire.com/file/wzft2p0ai4t8a24/Report.htm

I will provide translations to English language on request. The most basic translation I am providing in advance is ''Neznano'' which means ''Unknown''.

 
basically, your windows version is infected. 2 key windows files have been modified (the kernel and the key windows interface file)
you have 2 unknown drivers installed (crypto currency miner? iqoption.exe)
you need to wipe the machine and reinstall from a new, known good version of windows. IE get a copy directly from a Microsoft server.

also, you have two virus scanners installed and windows defender disabled. Generally it is best to only have one running at a time. I use windows defender and do a Malwarebytes scan without keeping it installed.
--------


5180 errors : win32k (ffff9065c0efdfff-ffff9065c0effdff)
7 errors : nt (fffff80061291778-fffff80061291782)

(try to find out what these drivers do)
zrndqnien.sys Wed Jan 17 04:49:02 2018
C:\WINDOWS\system32\drivers\juwxvzqj.sys Fri Feb 23 22:28:42 2018


\SystemRoot\system32\DRIVERS\vcsvad.sys Sun Nov 16 01:51:18 2008
C:\WINDOWS\system32\drivers\rsdrvx64.sys Thu Feb 12 05:01:49 2009

this NVidia driver does not match the other 3 Nvidia drivers (that are current)
C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys Fri Oct 31 16:04:56 2014

HeciServer.exe running (intel)
asgt.exe running (asus GPU tweak utility, remove )

\SystemRoot\system32\drivers\ScreamingBAudio64.sys Sat May 14 11:49:07 2016 (
running 2 virus scanners:
Norton Internet Security, and malwarebytes




 
johnbl thank you again for your reply. I deleted software related to iqoption.com and also deleted Norton Internet Security. Before I posted my forum topic (first message), I had been doing a lot of research and analysis work to try my best to solve the problem on my own. It didn't work. So I had to come here. While doing my research, I found and used (still using it) program Emsisoft Anti Malware which seems to be special software for cleaning malware related to drivers. It cleaned some driver files but it seems like not everything.

I don't understand what you were referring to in your post. Cannot know what you meant with those paths and filenames. The only file I recognize from your mentioned ones is ScreamingBAudio64.sys. I doubt this would be a malware but I can be wrong too. I have never heard about other 6 files. Would appreciate if you could please tell me what to do - which steps.
 
since your windows binaries have been modified you are just forced to do a clean install of windows from a known good source of windows. Otherwise you will never know what the modifications are loading or preventing virus detectors from seeing. Best to format the drive, then be more selective on what you install or run.

the filenames are taken from the windows memory dump you provided. the windows debugger can show what special drivers are being loaded and from where. in the case of the two files with errors the windows debugger can check for modifications to the windows code and shows the error in the debugger. Malware can insert their own code into the windows file and when windows runs the function it causes the malware to be executed instead of the correct windows code.



 
I have too many important data, my life depends on, located on hard drive to do a clean install or even format entire hard drive. Besides this, I don't have Windows CD because when I bought my computer, Windows 10 64bit were already installed. Cannot format or reinstall OS. Not that I would disrespect or doubt your instructions (knowledge) but the data on hard drive is too important and it cannot be backed up. Some applications contain custom settings where I need to open it, work on them in order to be saved. Impossible to have them as a back up.

There must be some other alternative. E.g. some software to work with kernel data or drivers, whatever. Please don't say there is no other way. BSOD Critical Structure Corruption has been occurring for weeks and cannot do anything. Every moment I am worried that it could occur first next second. Even right now when typing this message, it can occur and I will waste everything I typed so far. No way for me to reinstall/format. Perhaps something like that:

https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debugger-download-tools

or

https://www.solvusoft.com/en/files/bsod-blue-screen-error/sys/windows/avnex-ltd/avnex-ltd-virtual-audio-device-wdm/vcsvad-sys/

or

http://www.fixpcdll.com/repair-dll-exe-errors/vcsvad.sys-fix-vcsvad.sys-error.html

There surely is some software that could help even if drivers or kernel (whatever this is) are/is corrupted.
 
https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
this tool can be very useful in fixing problems that you are having.
run it as an admin, you can select the drivers tab and uncheck driver you don't want to load so they will not be loaded on the next boot up. (or you can delete the entry)

you can see the list of startup items and remove ones you don't want to run. uncheck will prevent the run or you can delete the item if you are sure you don't want it.

you can select the services tab, then go to the hide Microsoft entries menu item and it will just show the extra entries you have on your system
---------
the first link is a link to the debugger which I use to look at memory dump files.
the second two links are ads generated off of keywords used during searches on google or bing.
they just want you to install a driver installer.

you can do repairs but it is pretty tricky. often these malware will have drivers installed just to keep making sure that the malware is installed. for example even if you remove something, when you shutdown the program can trigger and reinstall before the shutdown is completed. often you have to make changes then cut the power off to your machine to get around the reinstall.

for example, you could try this: boot up windows, go to control panel and turn off virtual memory and reboot so some malware will not have a place to hide in the hidden pagefile.sys

download and run rammap64.exe and empty the working set (in case something is hiding in standby memory)
download and run autoruns.exe and look at the list of non Microsoft program and where they are running from. (stop suspected programs from running)
these tools are from Microsoft located here: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns



then task manager and kill any scheduled task that should not be running. delete the task from the scheduler.

then run cmd.exe as an admin and run
dism.exe /online /cleanup-image /restorehealth
then run a Malwarebytes scan.

now cut power to the machine rather than doing a shutdown.
boot up and run the dism.exe command again.
often malware will undo your fixes a few seconds after you do them.

after you get some of the files cleaned up, you would turn on virtual memory again.

generally, malware will often disable a lot of the common programs that are used to make repairs.
for example, they delete restore points, replace the dism.exe command, replace the hidden backup copies of system files in the driverstore. schedule tasks to reinstall malware every few hours or at least once a day. gets pretty tricky trying to undo things and if you miss something the problems comes back.

it can be done but I don't think I could make all of the correct guesses to get good results.

malware will often disable your firewall or open ports in it so your machine can be remotely accessed.



 
The tool in your first link is based on the list of applications (programs)/services/etc that are being run upon (re)booting of computer. From your reply I understand that the tool clearly defines which entries are drivers. The ''Drivers tab'' as you said.

You are further saying to delete the driver entries that I don't want. With this you are telling me that according to your opinion, the one and only problem of blue screen error Critical Structure Corruption is problem with driver: either malware or driver incompatibility. Perhaps some third cause related to driver. Here I delete only to prevent it being run upon system (re)boot. This means driver related problem (e.g. malware) will remain on hard drive. It just won't be run on (re)boot. So that means it will not help solving blue screen error? How about that?

Also, still talking about the same tool (your first link in latest message): you are saying the only criteria of decision to delete the entry (meaning disabling it from being auto-run on system [re]boot and NOT deleting it from hard drive!) is whether or not I am sure I don't need it. Having said that, in ideal situation everything what I don't need would ideally cause problems of any kind (e.g. malware). Why? Because since I would disable everything what I don't need, every problematic driver would also be disabled from (re)boot auto-run but not deleted from hard drive. The problematic driver can still cause problem even if is not run. Or am I wrong? I used here question mark because I would need your comment on this too.

How about deleting them from hard drive after I delete them from the tool's list meaning disabling them being auto run?

And most important: Are you saying I should remove from list (Drivers tab) everything where that is NOT Microsoft? This automatically means everything, NOT Microsoft, could cause problem and also means that I don't need anything with name other than Microsoft.

My main purpose of this message is to get an idea how to decide what is needed and what not because most likely I won't recognize 90% of driver names there.
 
malware, viruses, rootkits, adware, spyware attack and modify data used by core windows files. Microsoft in an effort to stop them has started to check the data structures for data corruption. it now will write data then later go back and test it to see if it has been modified. if it has then it will call a bugcheck.

your system had modified windows files, it will continue to bugcheck until these files are replaced with the correct versions. This has to be done with a repair image. This is what the DISM.exe command with the /online option will attempt to do. IE get a replacement copy from a Microsoft server. This is to stop the bugcheck.

the next step is to find the software that modified your system files in the first place. this is where you use the autoruns tool. Microsoft does not hack its own files with its own drivers. this is why you focus on the third party drivers rather than looking at all of the drivers. I gave you a list of suspect drivers you should look at simply because I have probably looked at over 30,000 memory dumps in my lifetime and have never seen the drivers before.
you can just use the tool and uncheck the driver name (not all of the drivers, just the suspect ones) this will prevent them from being loaded by windows. if a driver is not loaded it will have no effect on windows. if you boot and find you needed the driver for some reason you just go back in the tool and check the driver name and reboot. the driver will be loaded as the system boots up.

the tool can be used to remove startup items that are suspect, and scheduled tasks that are suspect.

if you are not sure about what to remove you will have to google the driver name and figure out what it does and decide to remove it or not.

you will also use the tool to look at the services and try to figure out if you have a service running that should not be running.

all this is done to prevent the malware from running again.

you will also need to check your firewall settings since malware often opens ports thru your firewall so your machine can be accessed via the internet or stolen data can be sent to a server and read by someone.

for most people this whole process takes too much time, they don't know how to use the tools and would only do this if they really had no choice. ie no backups, no original disks, and most of the time they have business data that is at risk and have to get the system working. This happened to my neighbor's business computer. A tax accountant, with 7 years of client records that were only backed up to the same machine. he really had to get his data back.
we were able but there was a lot of luck involved.

for most people the best option is buy a new drive, remove the original one, install the new drive, install windows and get the system running then attempt to extract the needed data from the original drive.

but you wanted to know how to do it the hard way via repairing the changes that the malware has done.
and to do that you have to fix the windows files and make sure the malware is not running and does not get reinstalled.
and block the network access to your machine so new malware is not installed.
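
As an added example (not part of the original posts and not taken from Autoruns or any other tool named in the thread), the third-party driver review described above can be scripted in PowerShell. The function names, and the use of each file's last-write time for the thread's "older than 2015" rule of thumb, are assumptions of this example.

```powershell
# Added example, not from the thread. Run from an elevated 64-bit PowerShell
# prompt (a 32-bit host redirects system32 and reports false "file-not-found").
# Lists running kernel drivers that are NOT validly signed by Microsoft and
# flags the traits the thread treats as suspicious.

# Assumption: the 2015 cutoff is the rule of thumb quoted in the thread. It is
# applied to the file's last-write time; the dates quoted from the debugger are
# PE link timestamps, so the two can differ.
$Cutoff = [datetime]'2015-01-01'

function Resolve-DriverPath {
    # Service image paths appear as \??\C:\..., \SystemRoot\..., or system32\...
    param([Parameter(Mandatory)][string]$PathName)
    $p = $PathName.Trim('"')
    if ($p.StartsWith('\??\'))     { $p = $p.Substring(4) }
    if ($p -like '\SystemRoot\*')  { $p = Join-Path $env:SystemRoot $p.Substring(12) }
    elseif ($p -like 'system32\*') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-ThirdPartyDriverReport {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path    = Resolve-DriverPath $_.PathName
            $flags   = @()
            $signer  = $null
            $company = $null
            $written = $null
            $status  = 'n/a'

            if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
                # Registered and running, but no such file is visible on disk
                $flags += 'file-not-found'
            }
            else {
                $sig     = Get-AuthenticodeSignature -LiteralPath $path
                $file    = Get-Item -LiteralPath $path -Force
                $company = $file.VersionInfo.CompanyName
                $written = $file.LastWriteTime
                $status  = [string]$sig.Status
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

                # Drivers with a valid Microsoft signature are out of scope here
                if ($status -eq 'Valid' -and $signer -match 'O=Microsoft Corporation') { return }

                if ($status -ne 'Valid')  { $flags += "signature-$status" }
                if (-not $company)        { $flags += 'no-version-info' }
                if ($written -lt $Cutoff) { $flags += 'older-than-2015' }
            }

            [pscustomobject]@{
                Name      = $_.Name
                Path      = $path
                Company   = $company
                Signer    = $signer
                Signature = $status
                LastWrite = $written
                Flags     = ($flags -join ',')
            }
        }
}

# Flagged drivers first, then the remaining third-party drivers by name
Get-ThirdPartyDriverReport |
    Sort-Object @{ Expression = { [bool]$_.Flags }; Descending = $true }, Name |
    Format-Table Name, Company, Signature, LastWrite, Flags, Path -AutoSize -Wrap
```

On a machine whose kernel files have already been modified, a listing taken from the running system can be filtered by the malware itself, so an empty or clean result here is inconclusive.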




 
Although I don't have Windows 10 cd (OS was already installed when I bought pc), I got one idea what could I do to avoid having to reinstall OS or even format hard drive. You are talking about drivers problem a lot so I assume blue screen error is surely because of some problems with drivers - it doesn't necessarily have to be malware. I have external hard drive available and I could just install windows 10 entire OS (if I had cd!!!) on this external hard drive. Before doing this, I would move files to some other hard drive and then format this external hard drive so it is ready and empty for windows 10 64bit installation. After OS would be installed on that external hard drive, I would go and replace ( * ) each suspicious driver name on problematic internal hard drive with fresh driver name on external hard drive with just installed windows 10 (if I had cd but I don't!). Then after completing all the work, I could format external hard drive, copy back files that were previously on it and delete those files from temporary storage location. Do you think such ''Replace Only'' work of problematic drivers would be good idea? Would it work? But here are two problems:

1. missing CD. I don't know where to get it and if I try to download windows 10 64bit online, it could contain infection files and I would be in even bigger problem.

2. possible misunderstanding which drivers are ''unknown enough'' or ''suspicious enough'' in order to be replaced. But just like you said, I can solve that with googling every single driver and to which application it is related. Then I would hopefully recognize application and would judge on my own if application is needed (driver to NOT be deleted from auto-run on [re]boot) or not needed (driver to be deleted).

*why am I saying ''replacing'' one driver (filename) with another? Why not delete directly and copy on same folder fresh file, identical one, from external hard drive? Because most likely system would not let me delete the file. However I don't know what happens with older file once it gets replaced with new one (in this case new one from external hard drive). It may not get auto deleted.

Do you think such plan with replacing same name filenames (suspicious/unknown drivers) would work? If I give you screenshot from the tool, would you also be able to know which file is suspicious enough to be considered for replacement?

Additional idea I got is to hire for one month or preferably one week remote computer (rdp/vps) and request on purchase order that it must have Windows 10 64bit installed. Fresh computer, unused. Then I could copy needed files from there but some of them may be missing if same drivers are not installed there as they are on my computer. But the bad thing is that the biggest companies and most trustworthy ( ** ) in such ''Remote Computer Lending'' business such as Aminserve ( *** ) all have older versions of Windows OS.

**trustworthy from aspect of computer being clean without any malware problems.

***hopefully this is not against this forum's rules and won't be considered as advertising. I am just using example of such business.
 
here is a website you can use to try to figure out the owner of a driver by the driver name.
for example vcsvad.sys
is listed as Avnex Ltd. Virtual Audio Device (and there is a link to the website for updates)
http://www.carrona.org/drivers/driver.php?id=vcsvad.sys
---------
on old versions of windows you can just copy a new windows file over and reboot and it will take effect.
the problem is viruses were doing this so Microsoft decided to make a hidden driverstore on your local drive. When the system reboots if a file has been modified then the driver from the driver store is copied over the file that was modified.
This worked ok but now malware and virus writers know about the driverstore and make changes to that back up copy.

since you had modified windows kernel file your system is infected.
you can download windows 10 directly from Microsoft. these will not be infected with malware.
Microsoft only sells the key, anyone can download the copy of windows 10 without charge.

you can download the .iso file and burn a CD or build a USB thumb drive to boot windows from
https://www.microsoft.com/en-us/software-download/windows10
this download is from Microsoft trusted source (windows update server)
you can install this and it will activate if your old version was activated. (no key will be required)
if your old version used an activation hack or a pirate key then the new version will not activate and will expire after 90 days I think. (not sure what the current policy is)

We are not only talking about drivers; some of the changes were to the user interface file and the Windows kernel, which is the code used to load device drivers.

There are other technical reasons that it can be hard to just replace a Windows file. The file system can track the owner of the file, and the owner is a security identifier that is generated when the system is installed. When you boot another image of Windows the security identifier will not match, so when you do the replacement the system will detect the change and stop Windows from loading the file. The system is designed so you can take ownership of a file and assign the new security identifier, but there is not supposed to be a way to give ownership of a file. (id force the use of the old security identifier.

Better to get the dism.exe command to try to repair the corrupted kernel from an online copy.
You could also try running cmd.exe as an admin, then
sfc.exe /scannow
and see if it can make a repair from the local hidden copy. Most malware will disable this fix.
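A local counterpart to the name lookup described in the post above, added here as an example and not part of the original posts: it lists every registered kernel driver with the vendor recorded in the file and its signature status, so that only the third-party or unverifiable ones need researching by name. The function name `Resolve-DriverPath` and the signer filter are assumptions made for this example.

```powershell
# Added example: inventory kernel drivers and flag the ones worth researching by name.
function Resolve-DriverPath {
    param([string]$PathName)
    # Driver image paths may use NT-style prefixes; map them to ordinary Win32 paths.
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$report = foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
    if (-not $drv.PathName) { continue }
    $path = Resolve-DriverPath $drv.PathName
    if (-not (Test-Path -LiteralPath $path)) {
        # Registered driver with no file on disk: check the entry in Autoruns.
        [pscustomobject]@{
            Name = $drv.Name; State = $drv.State; Company = $null
            SigStatus = 'FileMissing'; Signer = $null; Path = $path
        }
        continue
    }
    $sig  = Get-AuthenticodeSignature -LiteralPath $path
    $info = (Get-Item -LiteralPath $path).VersionInfo
    [pscustomobject]@{
        Name      = $drv.Name
        State     = $drv.State
        Company   = $info.CompanyName
        SigStatus = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Path      = $path
    }
}

# Heuristic (assumption of this example): drivers shipped with Windows are signed
# by "CN=Microsoft Windows"; anything else, or any signature that is not Valid,
# is a candidate for a lookup by file name.
$review = $report | Where-Object {
    $_.SigStatus -ne 'Valid' -or $_.Signer -notmatch '^CN=Microsoft Windows,'
}

$review | Sort-Object Company, Name |
    Format-Table Name, State, Company, SigStatus, Path -AutoSize
```

A `SigStatus` other than `Valid` on a running driver is the entry to investigate first; a valid third-party signature only tells you which vendor to check for an update.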









 
Thank you for telling me that replacing an infected or potentially infected driver (suspicious filename) with a safe one from an external hard drive won't solve the problem. This may not be what I wanted to hear BUT rather getting bad news than wasting time with no success or even more damage.

sfc.exe /scannow is what I did already and it didn't help. It actually even corrupted my computer because it didn't let me go to the Desktop anymore.

Also tried to open the ''dism.exe'' file but nothing happened. Actually a black command prompt window got opened for less than 0.1 second and closed itself immediately.

Windows 10 64bit is 100% legal/legitimate/original, installed on the hard drive when I bought the computer, but as far as I remember the company who sold me the computer didn't provide a CD, nor a license key, BUT if I go to My Computer icon\right mouse click\Properties\I see ''product id'' at the bottom and this is most likely my original activation key. Since you said Windows OS without a license key is free of charge, this could mean downloading it + my available original activation key could let me reinstall the OS, but from the first message written above for you Johnbl, I have been saying I want to AVOID reinstalling or/and even formatting. I have too important data which cannot be backed up and in order to bring it back after reinstallation, it would take hundreds of hours. Cannot even risk the possibility of losing anything.

So I believe i will try the following combination:

https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

+

http://www.carrona.org/drivers/ (driver research work)

At least I have some background to start on. Then if I don't recognize an application name, I will do some custom research about the application. In any case, if I decide to delete a particular file (infected driver), I will first make a copy of it on a USB key. So I can have a reserve if the PC starts acting weird (or has a major problem) due to a particular missing file. It's pointless to just delete a file (driver), which may cause a bluescreen error, just because of not recognizing the application name. That's why further googling is needed.

I definitely won't reinstall or format. Since you said to not replace files (a potentially infected one with an identical file from an external hard drive if I had Win 10 installed there), I will do what I said above in the two links. Since I am pretty much sure my computer doesn't have any malware, I assume it is some driver incompatibility problem destroying my work and rebooting the computer. You can imagine how hard it is if you need to be worried, even right now when typing this text, that any second the bluescreen Critical Structure Corruption could occur. I don't know how to fix anything related to the Kernel.

I believe there is a big difference between a ''Kernel problem'' and a ''driver problem'' because for a driver problem I now have at least some plan what to do and how to do it. But for the Kernel, I know nothing and I said I won't be reinstalling or formatting.

Hopefully using both links mentioned above and ending up with deleting a file (potentially infected/corrupted driver) in case I get negative research feedback about an unrecognized (at the time of looking at Autoruns) application will be enough to get rid of the bluescreen error. I can only hope it is a driver problem. More possibilities about the cause could surely prevent me from doing the work on my own. Wouldn't know how.

Thank you again for your suggestion - mainly referring to those two links I repeated from you.

If you know any automated software that could deal with corrupted/infected drivers, please tell me. So far I know only ''Emsisoft Anti Malware'' which is special software for drivers and it seems to solve some corruption too and not just malware, but unfortunately not enough to solve the problem.



 
To run the dism.exe command you actually need to run powershell or cmd.exe as an admin to get to a shell,
then run
dism.exe /online /cleanup-image /restorehealth

If this command has not been disabled it will fix the modified Windows kernel and modified Windows interface files.
Often malware will replace the file or make a change to block it from running.

It will be a key to getting your system working correctly. Note: there is even a way to use this tool by booting a USB image of Windows and then telling the tool to fix the binaries on your c: drive. This means you can do a fix even if the local copy has been disabled. But try the local copy of dism.exe first.


You can google how to use dism.exe to repair a Windows 10 image,
or maybe look at this:
https://www.windowscentral.com/how-use-dism-command-line-utility-repair-windows-10-image
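The repair sequence from the posts above as one script, added here as an example and not part of the original posts: it refuses to run unless the shell is elevated, calls both tools by their full System32 path, and then pulls the files SFC could not repair out of its log. The function name `Invoke-Repair` is an assumption of this example; the log locations are the Windows defaults.

```powershell
# Added example: run DISM and SFC from an elevated shell and summarise the result.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Not elevated: start PowerShell with "Run as administrator" and rerun.'
}

function Invoke-Repair {
    param([string]$Exe, [string[]]$Arguments)
    # Use the full System32 path so a look-alike earlier in PATH is never picked up.
    $full = Join-Path $env:SystemRoot "System32\$Exe"
    if (-not (Test-Path -LiteralPath $full)) { throw "$full is missing" }
    Write-Host ">> $full $($Arguments -join ' ')"
    & $full @Arguments | Out-Host      # show tool output, keep it out of the return value
    return $LASTEXITCODE
}

# Component store first, so SFC then repairs from a healthy store.
$dismExit = Invoke-Repair 'dism.exe' @('/Online', '/Cleanup-Image', '/RestoreHealth')
$sfcExit  = Invoke-Repair 'sfc.exe'  @('/scannow')

# SFC tags its entries in CBS.log with [SR]; keep only the files it could not repair.
$cbsLog = Join-Path $env:SystemRoot 'Logs\CBS\CBS.log'
$unrepaired = @()
if (Test-Path -LiteralPath $cbsLog) {
    $unrepaired = @(Select-String -LiteralPath $cbsLog -Pattern '[SR]' -SimpleMatch |
        Where-Object { $_.Line -match 'Cannot repair' } |
        ForEach-Object { $_.Line })
}

[pscustomobject]@{
    DismExitCode    = $dismExit    # 0 means DISM reported success
    SfcExitCode     = $sfcExit
    UnrepairedFiles = $unrepaired.Count
    DismLog         = Join-Path $env:SystemRoot 'Logs\DISM\dism.log'
    SfcLog          = $cbsLog
} | Format-List

$unrepaired | Select-Object -First 20

# Offline form, run from a shell booted off Windows setup media when the installed
# copy will not run (drive letter D: for the installed Windows is an assumption):
#   dism.exe /Image:D:\ /Cleanup-Image /RestoreHealth
```

If the tools exit immediately or are missing from System32, that is itself the finding to record before moving to the offline form.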


 