Problem - booting in safe mode


  • This topic is locked
56 replies to this topic

#1 goodday

Posted 29 June 2010 - 11:38 AM

Thanks in advance for any help and please tell me if I am on the wrong forum, but I thought that my problem may be with a privacy product ...... namely the HP Credential Manager.

My problem starts with finding the AV Security virus this morning on my HP laptop.

I got on my desktop to find a fix for the problem and go back to the laptop to start it in safe mode and all is well until I get to the "HP Credential Manager" and it will not take my password or even allow me to type the password. I called HP support and the tech person that I talked to was of no help at all and knew no way for me to get past the Credential Manager to get into my Windows XP in safe mode.

I am somewhat computer tech challenged and have worked only a few times in safe mode before, but how do I work around my HP Credential Manager to get to my start button to finish up my work in safe mode to clear up the AV Security virus problem?

Thanks ~ Dan

#2 Blade

Posted 01 July 2010 - 10:58 PM

Hello Dan.

This sounds like a bad interaction between an infection and a security software.

Am I correct in assuming that you have access to the machine in normal mode?

If so, you should attempt to uninstall Credential manager via Add/Remove Programs in normal mode. If successful, attempt the Safe Mode boot again and see if your obstacle has been removed.

If this fails, let me know and I'll walk you through removing the infection in an alternative manner.

~Blade

Edited by Blade Zephon, 01 July 2010 - 10:59 PM.

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#3 goodday

Posted 02 July 2010 - 05:00 PM

Hi Blade,

Thanks a bunch for answering my request.

No I can not get on line after I found that I have the "AV Security virus" as it will not let me even go to malwarebytes or any other clean up utility.

I have a second computer that is not infected that I am communicating on currently. I found a fix for the "AV Security virus", but it requires me to work in safe mode. Now the problem is that the computer that is infected has the HP Credential Manager, but when I get to the sign in in safe mode HP Credential Manager will not take my password or I can not even type anything in the space where I generally type in my password and therefore can not open my computer to get to the start (lower left) button to execute the clean up.

I hope that I have explained what my problem is, but I think that if I could run the fix in safe mode that all would be well and you can bet that the HP Credential Manager is going to be uninstalled as soon as possible when I can get rid of the AV Security virus that dominates everything currently.

Thanks again ........ Dan

#4 Blade

Posted 02 July 2010 - 05:54 PM

Sorry. . . I should have been more clear about exactly what my main question was.

Can you, or can you not, log into the machine using Normal Mode? Not talking about being able to run any programs or anything. I just need to know if HP Credential Manager is stopping you in Normal Mode and Safe Mode, or if it is only causing issues in Safe Mode.

~Blade


#5 goodday

Posted 02 July 2010 - 06:30 PM

Blade,

Yes I can log on HP Credential Manager in Normal Mode, but then instead of going to my home page the "AV Security virus" page is all that appears and also when I try to go to my normal favorite sites it keeps directing me back to the same AV Security page which is a virus as I understand through research.

I am at your mercy so I will try whatever you suggest, but again when I start in safe mode all is well until I get to the HP Credential Manager and it will not even allow me to type my password into the box. If I could work around that I have the instructions on how to defeat the "AV Security virus" as mentioned in safe mode or you may have a much better solution and I will await your answers.

Again I really appreciate what you people do in assisting with your vast knowledge about these matters. I am a retired Industrial Tech. teacher and feel helpless as I suppose some of my students did until I helped them gain confidence.

Thanks Again ~ Dan

#6 Blade

Posted 02 July 2010 - 07:24 PM

Hello Dan.

Okay. . . I'm shifting this topic to the specialized Malware Removal forum, where we'll get you up and running again.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.
  • I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.
  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you are unsure or confused about any instructions I give you, you should ask me to clarify before doing anything. Additionally, if you run into any problems while carrying out instructions, you should STOP and reply back here explaining what happened.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you need additional time, that is perfectly alright; you just need to let us know beforehand.
***************************************************

Since you are unable to use the internet on the infected computer, download requested files using a clean computer and transfer them to the infected machine using a CD or Flash drive. Also, you can use the same method to move requested logs from the infected computer to your clean computer so that you can post them here. If you choose to use a flash drive, please run the following program on your clean computer before proceeding. Note that, unless otherwise specified, all other tools I ask you to run should be run on the infected computer.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well. <-- THIS IS IMPORTANT!!!
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

***************************************************
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Check the boxes beside LOP Check and Purity Check.
  • Under the "Custom Scans/Fixes" section paste in the below in bold

    netsvc
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
  • Push the button.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and paste them into the body of your next reply.
***************************************************

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.log" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and copy/paste its contents in your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try unchecking the Devices box in addition to the others previously requested.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


~Blade


In your next reply, please include the following:
OTL.txt
Extras.txt
GMER log

Edited by Blade Zephon, 02 July 2010 - 10:54 PM.
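
The note in the post above about the hidden autorun.inf folder, as an added example (not part of Blade's post and not Flash_Disinfector's own code): a Python check that reports whether a drive root has no autorun.inf, a placeholder folder of that name, or a real file, and lists the [autorun] entries that would launch a program. The function names and the sample file contents are constructed for illustration.

```python
import os
import tempfile

# Keys in the [autorun] section that make Windows start a program.
EXEC_KEYS = ("open", "shellexecute")

# Constructed sample contents, not taken from the thread.
SAMPLE_INF = (
    "; constructed sample\r\n"
    "[AutoRun]\r\n"
    "open=setup.exe\r\n"
    "icon=drive.ico\r\n"
    "shell\\explore\\command=setup.exe /x\r\n"
    "[Other]\r\n"
    "open=ignored.exe\r\n"
)

def parse_autorun(text):
    """Return (key, command) pairs from [autorun] that would execute something."""
    hits, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_section or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        # shell\<verb>\command=... entries add launchers to the drive's context menu.
        if key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            hits.append((key, value))
    return hits

def audit_root(root):
    """Classify the autorun.inf state of one drive root: absent, folder, or file."""
    entry = next((n for n in os.listdir(root) if n.lower() == "autorun.inf"), None)
    if entry is None:
        return ("absent", [])
    path = os.path.join(root, entry)
    if os.path.isdir(path):
        # A folder with this name blocks creation of a file with the same name.
        return ("folder", [])
    with open(path, "rb") as fh:
        data = fh.read()
    is_utf16 = data.startswith((b"\xff\xfe", b"\xfe\xff"))
    text = data.decode("utf-16") if is_utf16 else data.decode("latin-1")
    return ("file", parse_autorun(text))

def demo():
    """Build three constructed drive roots in a temp directory and audit each."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        for name in ("clean", "vaccinated", "suspicious"):
            os.mkdir(os.path.join(base, name))
        os.mkdir(os.path.join(base, "vaccinated", "autorun.inf"))
        with open(os.path.join(base, "suspicious", "AUTORUN.INF"), "w", newline="") as fh:
            fh.write(SAMPLE_INF)
        for name in ("clean", "vaccinated", "suspicious"):
            results[name] = audit_root(os.path.join(base, name))
    return results

if __name__ == "__main__":
    for name, (state, commands) in demo().items():
        print(name, state, commands)
```

On a real machine, `audit_root("E:\\")` (drive letter assumed) gives the same three-way answer for a flash drive before it is moved between the clean and the infected computer.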


#7 goodday

Posted 02 July 2010 - 08:44 PM

Blade,

I thank you sir.................

Man I feel like I have a "teacher" that can get me back on track and thanks for the very concise instructions, but your student (me) needs to re-read your message a few more times, go to my wife's office tomorrow and copy your instructions as my printer is on the fritz, I need to purchase another flash drive tomorrow, and then get back on this project tomorrow afternoon and attempt to follow your instructions. Again Blade ........ thanks man....... I slipped over and took a look at your profile and my birthday is October 10 as ours are close to each other, but I am an old codger in my 60s and see you are 22. I think this is great that I get to take the role of the student for a change after having about 2000 plus students when I taught back when the rocks were soft (1970-1985) .......anyhoos I digress ........I will get tooled up and try and get back on this matter tomorrow afternoon.

Blade ........... I live in SW MO and if you ever get in my neck of the woods please throw out the anchor and I will buy the steaks or an appropriate meal. My email is oldtriumphs<at>hotmail<dot>com ............ the Triumphs part of the email are vintage motorcycles by the same name.......

Thanks again ~ Dan

Edited by goodday, 02 July 2010 - 08:45 PM.


#8 goodday

Posted 03 July 2010 - 04:29 PM

Blade ....... I sent you an email with a question. Thanks ~ Dan

#9 Blade

Posted 05 July 2010 - 01:53 PM

Hello Dan.

I replied to the email. In the future please feel free to ask all questions in this topic, so that all the info is in one place for me to look at.

~Blade


#10 goodday

Posted 05 July 2010 - 02:41 PM

Hi Blade,

Sorry for getting off track. I purchased a new flash drive and ran the Flash Disinfector and saved the files off of the clean computer which is what I believe you asked me to do, but here is where I am confused .......you said "If you choose to use a flash drive, please run the following program (Flash Disinfector) on your clean computer before proceeding. Note that, unless otherwise specified, all other tools I ask you to run should be run on the infected computer." .............. Please forgive my thickheadedness, but I suppose you want me to download GMER to the desktop of my clean computer and I do not find a way to do that. ................then if it were on the desktop of my clean computer am I to download it to the flash drive or am I to run the GMER on my clean computer?

Also part of my confusion is you asked "Note that, unless otherwise specified, all other tools I ask you to run should be run on the infected computer" .......... obviously I can not download GMER or anything on it as it is inoperable.......

Sorry for the confusion.

Dan

Edited by goodday, 05 July 2010 - 02:45 PM.


#11 Blade

Posted 05 July 2010 - 03:18 PM

Ah I see.

Sorry for the confusion.

Here's what I meant.

On clean computer
1. Download Flash disinfector.
2. Run Flash disinfector.
3. Download OTL and GMER; save them to your flash drive.
4. Copy the custom scan below to a Notepad file; save it to your flash drive.
QUOTE
netsvc
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav



On the infected computer
5. Put flash drive in infected computer.
6. Copy all above files to the desktop of the computer, and run them using the instructions above.
7. Save the resultant logs to the flash drive.

On the clean computer
8. Post the logs in your next reply via copy/paste.



Does this make more sense?

~Blade

Edited by Blade Zephon, 05 July 2010 - 03:20 PM.


#12 goodday

Posted 05 July 2010 - 05:11 PM

Hi Blade,

Yes it now makes more sense and anyone with basic computer skills worth a hoot should have known and it is all my fault for not being more knowledgeable concerning basic computer tech.

I hope to have you a couple of lists shortly from the infected computer.............thanks again.

Dan

Edited by goodday, 05 July 2010 - 05:12 PM.


#13 goodday

Posted 05 July 2010 - 05:36 PM

Blade.......I put the flash drive in & turn the infected computer on and get a message: "Windows could not start because the following file is missing or corrupt: \windows\SYSTEM32\CONFIG\SYSTEM.
You can attempt to repair this file by starting Windows Setup using the original Set up CD-ROM. Select 'r' at the first screen to start repair."

I was given this HP Compaq NX 7400 laptop by a close friend that lives 2 hours from here and do not have the original set up CD.

What next coach........... thanks again. ~ Dan



#14 Blade

Posted 05 July 2010 - 05:40 PM

Hello goodday. . . Does this occur only if the flash drive is inserted? Or is this happening regardless of whether the flash drive is inserted?

~Blade


#15 goodday

Posted 05 July 2010 - 05:45 PM

Blade .......... same message either way with or without flash drive.

Thanks ~ Dan



