Vista SP2 won't boot, except to Safe Mode


12 replies to this topic

#1 Aargghh

Aargghh

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:12:47 AM

Posted 24 February 2011 - 05:15 PM

I'd like to get this Safe Mode only HDD back to good working order, if possible.
Here's the history of the problem:
My problems began when my HDD failed to come out of sleep mode--and was no longer recognized as existing in the BIOS.
It was caused by a known firmware defect with my Seagate HDD and that problem was resolved.
I thought that I had better back up the data immediately before anything else could go wrong.
I put the HDD into another same make and model computer, which has a disk cloning program installed (Acronis True Image Home 2011) and it booted up--but to the drive that had been unrecognized before, instead of the computer's own HDD.
Upon booting the message appeared that windows had not been shut down properly earlier (since it hadn't).
I left the room for a few minutes and returned to find it running checkdisk. Checkdisk reported that there are only 4KB of info in bad sectors and 0 bad file records.
I let it finish running and next it claimed to need to run Startup repair, so I allowed it to do that.
Apparently, my choices were unwise and I rue the fact that I didn't just put the HDD back in its own computer first.
The result of this is that the computer with the HDD cloning program's HDD wants to continually reboot and the HDD that recovered from the firmware problem will only boot into safe mode. (I killed 2 HDDs with 1 stone!)
I was able to clone the "Safe Mode only" HDD, just so I have a copy of all the data to work with, should anything else go wrong. The rebooter was cloned prior to the problem and the clone is working fine.

There had been a trojan horse program on the HDD but that was removed by MalwareBytes.
Restoring to an earlier known good configuration did not work.
After reading online I had made an ISO Startup Repair Disc and ran it, but it reported that it was unable to fix the problem.
I had run sfc /scannow, but it reported that "Windows Resource Protection found corrupt files but was unable to fix some of them."

I have no clue where to go from here.
Thanks, in advance.


 


#2 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:05:47 AM

Posted 24 February 2011 - 05:21 PM

Can you access the log file created by Malwarebytes?

#3 Aargghh


Posted 24 February 2011 - 06:18 PM

Cryptodan, thanks for replying.
Yes, the log states that 1 registry value and 1 registry data item had been infected, but were then successfully quarantined and deleted.
The items are the registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\bak_Application

The registry data was identical, except for ending with Application, instead of bak_Application

#4 cryptodan


Posted 24 February 2011 - 06:39 PM

Can you please show the full log?

#5 Aargghh


Posted 24 February 2011 - 11:41 PM

Sorry for the delayed reply, as I was out for several hours.
I don't know how to add it as an attachment, so I've copied and pasted it below.
Maybe something is physically wrong with the "Safe Mode only" HDD, rather than with the software stored on it.
Why think that?
I installed the clone of the "Safe Mode only" HDD in the computer, so I could access the MalwareBytes log and it booted into Windows, rather than Safe Mode--though I don't know if all the programs function normally or not.
I'm a bit wary of doing anything with the cloned HDD, since maybe any malware would require a shutdown in order for it to fully mess with the system.
Again, thanks for your help.
Here's the MalwareBytes log:


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5792

Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.18999

2/18/2011 5:40:22 AM
mbam-log-2011-02-18 (05-40-22).txt

Scan type: Full scan (C:\|)
Objects scanned: 581501
Time elapsed: 1 hour(s), 38 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\bak_Application (Hijacker.Application) -> Value: bak_Application -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\Application (Hijacker.Application) -> Bad: (http://www.helpmeopen.com/?n=app&ext=%s) Good: (http://shell.windows.com/fileassoc/%04x/xml/redir.asp?Ext=%s) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by Aargghh, 24 February 2011 - 11:42 PM.


#6 cryptodan


Posted 25 February 2011 - 12:39 AM

Can you update and rerun the scan and post the new log?

#7 Aargghh


Posted 25 February 2011 - 12:54 AM

Thanks for keeping up with the posts.
I have already updated MalwareBytes and the scan has been running for nearly an hour, so it still has a while longer to run.
I will gladly post the new log as soon as it is finished.

#8 Aargghh


Posted 25 February 2011 - 01:51 AM

Here is the latest scan log of the clone.
I scanned every "drive" that MalwareBytes detected, even though I believe they are all DVD and USB ports.
There is only 1 HDD in this computer (the clone of the original one).
I don't know if it makes any difference, but I had tried a "clean boot", unsuccessfully, on the original and this drive is still in clean boot mode.
Clean boot as I understand it is to disable all services except for Microsoft services, selected through msconfig.
There had been a very odd item in either startup or services (can't recall, presently), which was listed as "Microsoft Windows Operating System", and I don't believe it actually was Vista, since I don't think that would be listed as a service or startup item.
Would this have been what the earlier trojan had inserted?
Why would it be absent from the clone drive, but present on the original?
I'm trying to learn.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5873

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18999

2/25/2011 1:34:50 AM
mbam-log-2011-02-25 (01-34-50).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|)
Objects scanned: 591940
Time elapsed: 1 hour(s), 44 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#9 cryptodan


Posted 25 February 2011 - 01:56 AM

Is that service still listed? If so, can you take a screenshot of the properties of the service?

#10 Aargghh


Posted 25 February 2011 - 02:49 AM

Yes, it is still listed in the startup items, but it was disabled by me on the original HDD before I cloned it, so it is still disabled on this clone HDD.
I don't know how to view its properties, since both left and right clicking on it does nothing, just as it does nothing with any other startup item in msconfig.
I can tell you that its name is exactly as I had recalled, it is supposedly by Microsoft Corporation and its command is listed as:
C:\Windows\ehome\ehTray.exe
What isn't clear to me is how it could be inactivated by me in msconfig on the original drive, but seems to have still been running on that drive--assuming the boot problems were caused by it--but has not impaired the clone HDD, perhaps because it has never been run on the clone.

Edited by Aargghh, 25 February 2011 - 02:50 AM.


#11 cryptodan


Posted 25 February 2011 - 09:20 AM

eHtray - What is ehtray.exe?

#12 Aargghh


Posted 25 February 2011 - 10:48 AM

Cryptodan, thanks so much for your help!
I would have thought that Microsoft would have labeled it as "ehtray", instead of calling it "Microsoft Windows Operating System".

#13 Aargghh


Posted 28 February 2011 - 05:51 PM

I went to the Seagate site, downloaded, burned to CD and ran Seagate Tools.
It turns out that the HDD has physical problems, so that's apparently what has prevented it from booting into anything other than Safe Mode.
Fortunately, this HDD was successfully cloned by Acronis True Image Home and so I've got my data on a working HDD.
The original will be going back to Seagate for replacement.

Edited by Aargghh, 28 February 2011 - 05:52 PM.




