
XP sp3 will only start in safe mode


  • This topic is locked
21 replies to this topic

#1 100222


Posted 02 September 2011 - 10:35 AM

I have XPsp3, McAfee protected.
I can load into safe mode but never to a user profile.
Extract from ntblog.txt reads
........Loaded driver NDIS.sys
Loaded driver RapportKELL.sys
Loaded driver Mup.sys
Loaded driver McPvDrv.sys
Did not load driver ACPI Uniprocessor PC
Did not load driver Audio Codecs
Did not load driver Legacy Audio Drivers
...........
I am convinced it's the McPvDrv at fault but cannot seem to disable it. It is the correct file and is signed. I can even rename it to something else to no effect.
Have run MalwareBytes which only shows two errors - machine is using McAfee - which seems ok as they refer to Windows security - and the Windows firewall is switched off.
This one has floored me - cannot seem to clean it up!

Any help would be appreciated


 


#2 whoabuddy


Posted 02 September 2011 - 10:44 AM

So just to clarify, you can start the computer in Safe Mode and log into the user profile?

Are you receiving any error messages when you try to boot the machine normally and login? Or is it just hanging at startup? How long have you waited?

What kind of scan did you run with MalwareBytes? When you say errors, what did it say exactly?

What was the original issue? and what steps have you taken so far to fix it?

This information will help us provide more detailed assistance for you.
Meditate. Elevate. Appreciate. | "Life is a journey, love is the destination, happiness is the path!"
If I am helping you and have not responded within 48 hours, please send me a PM.
Vi Veri Universum Vivus Vici (VVVVV)
Excellent Security Advice
Proud member of UNITE

#3 100222


Posted 02 September 2011 - 11:04 AM

Thanks for the quick response..
Yes, login as any user I wish - but only in safe mode. If I attempt normal startup then I get a black screen (I have left it for 1/2 hour to no effect) and no disc activity

I have done a full scan with malwarebytes and got two errors, referring to disabling windows firewall (pc uses McAfee) and turning off anti-Virus warnings - again as per McAfee (I will post log after this post)

Steps taken so far:
boot logging: extract is as initial post:
Loaded driver PxHelp20.sys
Loaded driver KSecDD.sys
Loaded driver Ntfs.sys
Loaded driver NDIS.sys
Loaded driver RapportKELL.sys
Loaded driver Mup.sys
Loaded driver McPvDrv.sys
Did not load driver ACPI Uniprocessor PC
Did not load driver Audio Codecs
Did not load driver Legacy Audio Drivers
Did not load driver Media Control Devices
Did not load driver Legacy Video Capture Dev

interestingly mcpvdrv loads - but nothing after that!

I have cleared temp internet files
I have tried to disable some start items in msconfig: but get an Access denied warning
From another post I learned of issue with HP software - PML Driver HPZ12 - so have edited registry to mark as disabled - this has NOT fixed the issue

I have downloaded HiJackThis - but cannot see anything that appears bad
and am running out of things to try next!!

thanks again
Mike
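Added example, not part of the thread or any poster's own code: a way to read a boot log like the excerpts quoted above, splitting it into boot sessions, reporting the last "Loaded driver" entry of a session, and listing drivers loaded in one session but not in another (for instance a normal start compared with a safe-mode start). The bracketed header lines and the two-session sample are constructed for illustration; the function names are hypothetical.

```python
import re

# Constructed sample in the style of the excerpts above. The bracketed
# header lines are invented placeholders, not real boot-log headers.
SAMPLE_LOG = """\
[constructed header: safe mode start]
Loaded driver NDIS.sys
Loaded driver Mup.sys
Did not load driver Audio Codecs
[constructed header: normal start]
Loaded driver NDIS.sys
Loaded driver RapportKELL.sys
Loaded driver Mup.sys
Loaded driver McPvDrv.sys
Did not load driver ACPI Uniprocessor PC
"""

ENTRY = re.compile(r"^(Loaded|Did not load) driver\s+(.+)$")

def parse_sessions(text):
    """Split a boot log into sessions; a run of non-entry lines starts one."""
    sessions = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = ENTRY.match(line)
        if m is None:
            if sessions and not (sessions[-1]["loaded"] or sessions[-1]["skipped"]):
                sessions[-1]["header"] += " " + line  # multi-line header
            else:
                sessions.append({"header": line, "loaded": [], "skipped": []})
            continue
        if not sessions:  # excerpt pasted without its header
            sessions.append({"header": "", "loaded": [], "skipped": []})
        key = "loaded" if m.group(1) == "Loaded" else "skipped"
        sessions[-1][key].append(m.group(2))
    return sessions

def name(driver):  # lower-cased file name, so paths and bare names compare equal
    return driver.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def only_in_second(first, second):
    """Drivers loaded in `second` that `first` never loaded."""
    seen = {name(d) for d in first["loaded"]}
    return [d for d in second["loaded"] if name(d) not in seen]

def last_loaded(session):  # final 'Loaded driver' entry, or None
    return session["loaded"][-1] if session["loaded"] else None

if __name__ == "__main__":
    safe, normal = parse_sessions(SAMPLE_LOG)
    print(last_loaded(normal), only_in_second(safe, normal))
```

The last loaded entry only marks where logging stopped; the difference between the two sessions gives the shorter list of candidates to disable one at a time.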

#4 whoabuddy


Posted 02 September 2011 - 11:46 AM

Were you installing any software or updates before this started occurring? Before we make any changes a System Restore may be appropriate, using a date before the issue started happening.

If System Restore does not work, and since you are able to boot into safe mode, open up MSCONFIG and choose Diagnostic Startup. You may receive the same "Access Denied" message from before, and after hitting Apply the radio button may switch back to Selective Startup - for now just save the changes and see if you can reboot the computer normally. If you are able to access Windows, we can review the entries in the services tab and start re-enabling them until we find the culprit.

Best of luck, and let me know if I can provide any additional info!

#5 100222


Posted 02 September 2011 - 11:56 AM

It's not my PC so unsure what software may have caused it

Tried a system restore to last week (it was ok then) - no effect

Tried Diagnostic Startup - yes - access denied but it stayed on that option so... tried to start windows normally, blank screen again , no response and no activity as before

#6 100222


Posted 02 September 2011 - 12:16 PM

malwarebytes full scan is now clear (no errors found)

#7 whoabuddy


Posted 02 September 2011 - 12:24 PM

Do you have the original Windows CD? Please boot to the Recovery Console and run CHKDSK to ensure there are not any disk errors. A corrupted file could be preventing the machine from starting up.

From Microsoft's website:

CHKDSK

chkdsk drive /p /r
The chkdsk command checks the specified drive and repairs or recovers the drive if the drive requires it. The command also marks any bad sectors and it recovers readable information.

You can use the following options:
/p Does an exhaustive check of the drive and corrects any errors.
/r Locates bad sectors and recovers readable information.
Note: If you specify the /r option, the /p option is implied. When you specify the chkdsk command without arguments, the command checks the current drive with no options in effect.


Once CHKDSK is complete it will log an event in the Windows Event Viewer under Application with a source of Winlogon. Go to Start > Run > eventvwr.msc (or access through Control Panel > Administrative Tools > Event Viewer) in safe mode and post up the results.

#8 100222


Posted 02 September 2011 - 12:57 PM

I had run this before from safe mode, it fixed a couple of things but made no difference
Just run in recovery console and it suggests "the volume appears to be in good condition and was not checked - use /p to check anyway".
Before I run it - info from owner suggests it was fine until a mcafee update went on yesterday and invited a reboot - yesterday - I have already restored to last week but this sounds suspicious. I am still concerned at that mcpvsrv.sys - all seems to stop after that ???
Shall I run chkdsk /p ?

#9 100222


Posted 02 September 2011 - 01:15 PM

Checking file system on \DosDevices\C:
The type of the file system is NTFS.

Cleaning up 94 unused index entries from index $SII of file 0x9.
Cleaning up 94 unused index entries from index $SDH of file 0x9.
Cleaning up 94 unused security descriptors.
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.

156199994 KB total disk space.
21674644 KB in 103412 files.
41724 KB in 11594 indexes.
0 KB in bad sectors.
517526 KB in use by the system.
65536 KB occupied by the log file.
133966100 KB available on disk.

4096 bytes in each allocation unit.
39049998 total allocation units on disk.
33491525 allocation units available on disk.

Internal Info:

#10 whoabuddy


Posted 02 September 2011 - 01:21 PM

I would run it one more time just to make sure the volume is clean, I've had to run it 2-3 times before it fixed everything before.

Also, since you already have Hijackthis installed, please upload the following logs: system scan, startup list, and uninstall list (instructions below).

System Scan

Open HijackThis, click Do a system scan and save a logfile
Post the entire contents of the log in your next reply.

Startup List

Click Config...
Then press Generate StartupList log, making sure that both boxes next to it are checked.
Select Yes at the prompt.
A Notepad file will open, and will automatically be saved in your HijackThis folder.
Copy and paste the results after the system scan.
More information with a screenshot, can be found here.

Uninstall List

Click Open Uninstall Manager...
Click Save List... and choose a location to save uninstall_list.txt
Click Save, a Notepad file will open, copy and paste the results after the startup list.
More information with a screenshot, can be found here.

#11 100222


Posted 02 September 2011 - 01:48 PM

<log removed to keep topic in current location>

Edited by elise025, 02 September 2011 - 02:51 PM.


#12 100222


Posted 02 September 2011 - 01:50 PM

<log removed to keep topic in current location>

Edited by elise025, 02 September 2011 - 02:52 PM.


#13 Elise


Posted 02 September 2011 - 02:53 PM

Hello 100222,

I have removed the two logs you posted as they are only allowed in the Malware Removal forum. As this problem does not seem to be caused by malware, I think it is better to keep it here.

Please completely uninstall McAfee using the following tool

Download and save McAfee Removal Tool to your desktop.

Run it to remove McAfee. After this, please restart your computer.

Can you boot in normal mode afterwards?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#14 100222


Posted 02 September 2011 - 04:16 PM

I removed in control panel - incomplete
Used MCPR - could not get permissions (3 times) and whilst it said a logfile was being produced - another process had prevented it either being created or saved!
Used MCREM2 - removed McAfee in one shot

but still no logon !!

#15 100222


Posted 02 September 2011 - 04:20 PM

mmmm... I still have McAfee anti-theft installed.
If I think back, that is the Mcpvsrv.sys file that I thought was the culprit at the start
As well as losing 18 months of McAfee subscription!



