
Momber

Blue Screen after uninstalling Nod32


This is on Windows 7, 32bit. I uninstalled Nod32 using its own uninstaller in the start menu group. Since then, I cannot start Windows anymore, not even in safe mode (BSOD). That means I also can't use the esetuninstaller.exe tool, either. Please help, I don't have a recent backup image of my system drive.

TIA!


You could try installing the same version of your ESET product on another machine, booting from a live medium (e.g. SysRescue USB) and copying C:\Windows\System32\drivers\edevmon.sys from the other machine to yours in the same location.


Thanks for your reply. Could you perhaps furnish me with edevmon.sys instead? I don't have another machine to install Nod32 x86 on :(


Did you have v13, v12 or older installed?


That's a really good question lol. I can't honestly say. But my licence was valid until a few days ago and I always installed version upgrades when they were offered.


Could you boot from a live boot medium and check if C:\Windows\System32\drivers\edevmon.sys is actually missing? You could provide me with "C:\Program Files\ESET\ESET Security\ekrn.exe" to determine the version of the driver you would need.


edevmon.sys is indeed missing from \system32\drivers, as are any other files from Eset. Unfortunately there is also no ESET folder in \Program Files anymore. The only ESET related file I could find is a crashdump named ekrn.exe.956.dmp which is located in System32\config\systemprofile\AppData\Local\CrashDumps. It dates around the time I uninstalled Nod32 and is 2.6 MB in size.


There is also an eset temporary folder in my temp dir. It contains a file named _InstData.xml. The file begins with

<PRODUCT NAME="home" MAJOR="000B0001" MINOR="00360000" />


You can download v13.0.24 x86 edevmon.sys from https://we.tl/t-fttOb2aARS. After booting from a live boot medium, copy it to C:\Windows\System32\drivers. If it doesn't resolve the issue, try to get a dump from the crash for perusal. If it helps, remove ESET in safe mode using the Uninstall tool as per https://support.eset.com/en/kb2289-uninstall-eset-manually-using-the-eset-uninstaller-tool.


This incident reminds me of the very first time I installed Eset back in 2014. That also was on Win 7, but the 64-bit version. Same behavior: blue screen at boot time.

I never did figure out what caused this. Lucky for me, I had an image backup that I restored from. Not wanting to abandon Eset entirely and primarily because I had already purchased a license, I again tried to install Eset. No problems thereafter and like issue has never occurred again.


Unfortunately copying edevmon.sys changed nothing. Still can't boot, not even in safe mode. And I seem to be unable to create an ntbtlog as well. I enable logging but no log gets written to HDD. Not sure if there are any options left for me to pursue now :(


The only case when ESET can cause a BSOD while booting to safe mode is when edevmon.sys is uninstalled / removed from the disk but remains registered in the registry device chain. Copying edevmon.sys to the windows/system32/drivers folder resolves the BSOD in such a case. Would it be possible to get a dump from the BSOD?

Quote

Would it be possible to get a dump from BSOD?

As I mentioned above, I am unable to create an ntbtlog, not sure why. It just won't do it.

The file in C:\Windows\Minidump is from May of last year so that's not helpful and there is no MEMORY.DMP file in C:\Windows at all :(


Have you tried to perform a Win 7 Start Up Repair?

Ref: https://www.technorms.com/33940/startup-repair-windows-7

Quote

Keep in mind that it can take two to three runs of the system repair tool in Windows 7 to correct all issues. We recommend running it at least twice, see how your OS does, and then running it a third time if necessary for maximum results and repair.

 

13 minutes ago, itman said:

Have you tried to perform a Win 7 Start Up Repair?

Thanks, yes I have. It fails after a few minutes with an undisclosed reason ("Cannot perform automatic repair. Okay thanks bye.")


Thank you for your assistance, but I already tried all that. "Last known good" fails (BSOD) and I don't have any system restore data because I had this function turned off.

On 3/12/2020 at 4:59 AM, Marcos said:

The only case when ESET can cause BSOD while booting to safe mode is when edevmon.sys is uninstalled / removed from the disk but remains registered in the registry device chain. Copying edevmon.sys to the windows/system32/drivers folder resolves BSOD in such case. Would it be possible to get a dump from BSOD?

@Marcos post the regsvr32.exe command to unregister the service associated with edevmon.sys; believe that is edevmon. Then OP can run this from the command line option in Win 7 recovery environment.

Hopefully Eset self-protections will not be in effect in recovery mode?

1 hour ago, itman said:

@Marcos post the regsvr32.exe command to unregister the service associated with edevmon.sys; believe that is edevmon. Then OP can run this from the command line option in Win 7 recovery environment.

Hopefully Eset self-protections will not be in effect in recovery mode?

Wishful thinking on my part as far as the above is concerned.

Regedit is all that can be used in the Win 7 recovery environment, and the applicable registry hive must be loaded. Then the service settings are modified accordingly. The procedure is detailed here: https://support.microsoft.com/en-us/help/927525/after-you-install-a-device-or-update-a-driver-for-a-device-windows-vis

10 minutes ago, itman said:

Wishful thinking on my part as far as the above is concerned.

Regedit is all that can be used in the Win 7 recovery environment, and the applicable registry hive must be loaded. Then the service settings are modified accordingly. The procedure is detailed here: https://support.microsoft.com/en-us/help/927525/after-you-install-a-device-or-update-a-driver-for-a-device-windows-vis

I'm afraid this wouldn't work since it would not affect the UpperFilters and LowerFilters values of other filters registered in a filter chain in the system, which is what causes the BSOD if edevmon.sys (or another filter with its driver) is missing on the disk or if the driver is corrupt.

2 hours ago, Marcos said:

I'm afraid this wouldn't work since it would not affect the UpperFilters and LowerFilters values of other filters registered in a filter chain in the system, which is what causes the BSOD if edevmon.sys (or another filter with its driver) is missing on the disk or if the driver is corrupt.

Seems to me this still could be useful.

Load the HKLM registry hive and navigate to the Services key per the Microsoft linked article. Open it up and determine if the following Eset services entries exist:

  • eamonm
  • ehdrv
  • ekbddflt
  • ekrn
  • ekrnEpfw
  • epfw
  • epfwwfp
  • epfwlwf ?

Then do a: cd C:\Windows\System32\drivers. Then enter: dir.

Next, for all the above Eset services present in the Services key, verify that a corresponding .sys file exists in C:\Windows\System32\drivers.

At least this will show what Eset driver is missing from C:\Windows\System32\drivers if that is indeed the issue.

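As an added example (not from any post in this thread and not ESET's code), here is a PowerShell check that automates the two diagnostics discussed above: Marcos's point that a filter name left in a class key's UpperFilters/LowerFilters value with no driver file on disk breaks boot, and itman's list of ESET service entries to compare against the drivers folder. It assumes you are in a WinPE/WinRE shell that has PowerShell, that the unbootable Windows is mounted as D:, and that its SYSTEM hive has been loaded under HKLM\OfflineSys; the service list is the one from the post with edevmon added.

```powershell
# Added example, not from this thread or from ESET. Before running, load the offline hive:
#   reg load HKLM\OfflineSys D:\Windows\System32\config\SYSTEM
# (D: and the OfflineSys name are assumptions.) Unload afterwards: reg unload HKLM\OfflineSys
param(
    [string]$HiveRoot  = 'HKLM:\OfflineSys',
    [string]$DriverDir = 'D:\Windows\System32\drivers',
    # ESET driver services named in the thread, plus edevmon (ekrn is a user-mode service)
    [string[]]$Services = @('edevmon','eamonm','ehdrv','ekbddflt','epfw','epfwwfp','epfwlwf')
)

# Resolve the control set the offline system will boot with (Select\Current -> ControlSet00N).
$current = (Get-ItemProperty -Path "$HiveRoot\Select" -Name Current).Current
$cs = '{0}\ControlSet{1:D3}' -f $HiveRoot, $current

# Map a service name to the driver file it would load: leaf of ImagePath, else <name>.sys.
function Get-DriverFileName([string]$Name) {
    $key = "$cs\Services\$Name"
    $img = if (Test-Path $key) { (Get-ItemProperty -Path $key).ImagePath } else { $null }
    if ($img) { Split-Path $img -Leaf } else { "$Name.sys" }
}
$problems = @()

# 1. ESET service entries still registered whose .sys is gone from the drivers folder.
foreach ($svc in $Services) {
    if (-not (Test-Path "$cs\Services\$svc")) { continue }
    $file = Get-DriverFileName $svc
    if (-not (Test-Path (Join-Path $DriverDir $file))) {
        $problems += "Service '$svc' is still registered but $file is missing from $DriverDir"
    }
}

# 2. Filter chains: every name in a class key's UpperFilters/LowerFilters must have a driver
#    on disk, otherwise devices of that class fail to start (the safe-mode BSOD described above).
Get-ChildItem "$cs\Control\Class" -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath
    foreach ($valName in 'UpperFilters', 'LowerFilters') {
        foreach ($filter in @($props.$valName)) {
            if (-not $filter) { continue }
            $file = Get-DriverFileName $filter
            if (-not (Test-Path (Join-Path $DriverDir $file))) {
                $problems += "$valName '$filter' on class $($_.PSChildName) has no driver file $file"
            }
        }
    }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { 'No registered filter or service points at a missing driver file.' }
```

The script only reports; removing a dangling filter name from a class key, or restoring the missing .sys file, is still a manual decision made after inspecting the output.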

@Marcos if the problem is in the Registry as you seem to be indicating, how about restoring the registry from its backup?

This article is for Win 10 but the author indicates it should work for Win 7: https://pureinfotech.com/restore-registry-backup-windows-10/

Further confirmed in this Microsoft TechNet discussion:

-EDIT and Important- Ignore the Repair option given below. Repair on Win 7 is anything but straightforward as I recollect. The installation media version must match the version of Win 7 you have installed; e.g. SP2 media if Win 7 SP2 is installed.

Quote

These instructions apply only to Windows 7

1. Turn on your computer and press F1 or F2 to go into BIOS settings. In the "Booting" section set your computer to boot from your CD/DVD drive. Insert the Windows 7 installation CD or DVD (either full or upgrade version) into the drive and save your new settings and exit BIOS mode. When your computer starts again it will ask you to press any key to reboot from the disk. You will be taken to the Windows 7 screen. Once on this screen, you will be given the choice to install Windows or to repair it. Choose repair it.

If your problem is not solved try it again and this time when you choose "Repair" you should get some of the following choices: Repair Windows, Repair Using a Mirror copy previously made, Diagnose System hardware, or Display DOS command prompt or something similar.

2. Choose DOS command prompt.

3. Once on the command prompt window, type "C:" less the quote marks and hit enter.

4. Type the following commands into the DOS command prompt. Each one of these statements copies an original registry file to the current registry directory:

copy C:\windows\system32\config\regback\system c:\windows\system32\config\system

copy C:\windows\system32\config\regback\software c:\windows\system32\config\software

copy C:\windows\system32\config\regback\security c:\windows\system32\config\security

copy C:\windows\system32\config\regback\sam c:\windows\system32\config\sam

copy C:\windows\system32\config\regback\default c:\windows\system32\config\default

5. Press the "Y" key after each copied file. This confirms that you want to overwrite the existing registry files.

6. Remove the Windows 7 installation disc (either full or upgrade version) from the drive and reboot the machine.

7. Press F1 or F2 right after restarting your machine to go back to the BIOS settings and set your machine to boot from the "C" drive.

The registry is now restored with original settings.

https://social.technet.microsoft.com/Forums/windows/en-US/50c51ee9-f25a-4286-9c8c-657b1c6f9868/recovering-windows-7-registry-hivesfiles


Thanks again for your continuing assistance. Is the above the recommended course of action or are you pitching ideas to Marcos?

5 hours ago, Momber said:

or are you pitching ideas to Marcos?

This at the present time.

I believe the UpperFilters and LowerFilters driver values he previously referenced are stored in the Registry. Hence the Registry restore idea. However, I don't know when and how often Win 7 backs up the Registry. If, for example, it was done after Eset was uninstalled, then restoring the Registry from a backup would accomplish nothing.

What you can do via the command prompt option from the Win 7 recovery environment is check the dates of the hive backup files stored in this directory: C:\windows\system32\config\regback\
