
Cannot Boot in Safe Mode, normal mode ok XP ?



#1 HotRock

HotRock

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:29 PM

Posted 25 May 2012 - 09:37 AM

Hi
I have a HP media centre PC with Windows XP on the C: and recovery drive on the E:. I have also borrowed a copy of XP Professional SP3 to try and solve my problem.

It all began when a window popped up saying "Are you sure you want to navigate away from this page", I clicked yes and then BitDefender started to pop up with alerts about the registry being changed. I managed to defeat some sort of malware by running Spybot, Malwarebytes, BitDefender and others, but the PC has been left scarred from the attack.

The main problem I now get is I cannot boot in safe mode, it just goes into a loop. When I disable the automatic reboot, it gives the following BLUE SCREEN with error code:
0x0000007E (0xc0000005, 0xF7590211, 0xF78DA700, 0xF78DA3FC).

I can boot into normal Windows OK, 1 or 2 programs have given the NO Disk error, but I just reinstalled them. Windows update also failed to update X64 Error, so I completely uninstalled all the .NET Framework, and put it all back on again. Now it works fine and updates.

The last real problem is the safe mode loop which is driving me crazy. I have run CHKDSK, and sfc /scannow, which wouldn’t quite complete as it asks for XP Pro disk 2, which does not exist, and I changed the registry to point to the CD instead, but still no joy with that, although it did replace some files.

I have checked the error log, but not sure how to diagnose it, as I have some errors that seem to repeat. Cannot view start up log file, as this does not work in safe mode, and I can boot normally fine with no errors. In msconfig I have 1 wrong boot path, which is to the recovery console, and when I try to change to minimal drivers it says "you do not have permission, and need to be an administrator", which I have narrowed down to BitDefender protecting itself from being turned off at start.

I have done all I can think of including running ASO 3 to fix the registry, and was thinking of just doing a repair, but know that is really going to screw up all my programs, and I’ll have to install them all again, as well as the 150 + Windows updates !!!

I hope someone can help me with this problem that seems to have been caused by some sort of malware attack, without having to do a reboot or full on repair, which really is a last resort on XP!!

I have not replaced the MBR or boot sector yet, should I consider that?

My system is WinXP media centre edition 2002, SP3- I did not have system restore on at the time of the attack, so no system restore.
Many thanks for any help in advance!

Hotrock

Edited by hamluis, 25 May 2012 - 11:48 AM.
Moved from XP to Am I Infected - Hamluis.




#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:29 PM

Posted 25 May 2012 - 02:53 PM

Let us see if we can get Safe mode to run.
Vista users may need to save it to the desktop first then right-click the icon and choose "Run as Administrator".

Please download and run SafeBootKeyRepair.exe.

Once it has completed, please try booting into Safe Mode.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 HotRock


Posted 25 May 2012 - 06:52 PM

OK, I tried that, it ran for about 3 mins, then I restarted only to be faced with the same BSOD, and same error message as in my first post. Thanks for trying, do you have any other suggestions?

Thanks again,
Hotrock

#4 boopme


Posted 25 May 2012 - 08:29 PM

Next
Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:

    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


#5 HotRock


Posted 26 May 2012 - 12:05 PM

Hi
Here are the scans, they look quite normal I think?

Results of screen317's Security Check version 0.99.24
Windows XP Service Pack 3 x86
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
BitDefender Internet Security 2008
Jetico Personal Firewall 1.0
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Spybot - Search & Destroy
Java™ 6 Update 31
Out of date Java installed!
Adobe Flash Player 11.2.202.233
````````````````````````````````
Process Check:
objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
Jetico Jetico Personal Firewall fwsrv.exe
BitDefender BitDefender 2008 bdagent.exe
Common Files BitDefender BitDefender Communicator xcommsvr.exe
Common Files BitDefender BitDefender Update Service livesrv.exe
BitDefender BitDefender 2008 vsserv.exe
``````````End of Log````````````




next:

Farbar Service Scanner Version: 25-05-2012
Ran by HP_Administrator (administrator) on 26-05-2012 at 18:00:57
Running from "C:\Documents and Settings\HP_Administrator\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is blocked.
LAN connected.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returned error: Other errors


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit


**** End of log ****

Thanks
HotRock

#6 HotRock


Posted 28 May 2012 - 05:40 AM

hi,
I have since scanned again after updating the java to the latest version, as scan said it was out of date. I cannot update to IE8 and here is the scan log from the windows folder for installing IE8. I hope you have time to take a look,
kind regards
Rob
Results of screen317's Security Check version 0.99.24
Windows XP Service Pack 3 x86
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
BitDefender Internet Security 2008
Jetico Personal Firewall 1.0
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Spybot - Search & Destroy
SUPERAntiSpyware
Java™ 6 Update 32
Out of date Java installed!
Adobe Flash Player 11.2.202.233
````````````````````````````````
Process Check:
objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
Jetico Jetico Personal Firewall fwsrv.exe
Common Files BitDefender BitDefender Communicator xcommsvr.exe
Common Files BitDefender BitDefender Update Service livesrv.exe
BitDefender BitDefender 2008 vsserv.exe
BitDefender BitDefender 2008 bdagent.exe
``````````End of Log````````````


[ie8.log]
0.188: ================================================================================
0.188: 2012/05/22 19:38:52.937 (local)
0.188: c:\5bf661b47702cf89e1c1957b\update\update.exe (version 6.3.15.0)
0.219: Failed To Enable SE_SHUTDOWN_PRIVILEGE
0.219: Hotfix started with following command line: /quiet /norestart /er /log:C:\WINDOWS
0.219: In Function GetReleaseSet, line 1240, RegQueryValueEx failed with error 0x2
0.235: IECUSTOM: Scanning for proper registry permissions...
0.704: IECUSTOM: Scanning for proper registry permissions...
0.813: IECUSTOM: Unwriteable key HKCR\.xbm
0.829: IECUSTOM: Scanning for proper registry permissions...
0.938: IECUSTOM: Unwriteable key HKCR\.xbm
1.016: IECUSTOM: Unwriteable key HKCR\mailto
1.047: IECUSTOM: Unwriteable key HKLM\SOFTWARE\Classes\mailto
1.094: IECUSTOM: Backing up registry permissions...
1.094: IECUSTOM: Unable to backup DACLs HKCR\.xbm
1.094: IECUSTOM: Finished backing up registry permissions...
1.094: IECUSTOM: An error occured verifying registry permissions. ERROR: 0x80070005
1.094: DoInstallation: CustomizeCall Failed: 0x3f5
1.094: IECUSTOM: Restoring registry permissions...
1.094: IECUSTOM: Unable to restore DACLs HKCR\.xbm
1.094: IECUSTOM: Unable to restore DACLs HKCR\.xbm
1.094: IECUSTOM: Finished restoring registry permissions...
1.094: The configuration registry key could not be written.
1.094: Internet Explorer 8 installation did not complete.
1.094: Update.exe extended error code = 0x3f5
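
A short triage of the ie8.log excerpt in the post above, added here as an example and not part of the original thread: it lists the registry keys the installer reported it could not write or re-permission, and names the Win32 error codes that appear in the log. The sample lines are copied from that excerpt; the function names `decode` and `triage` are illustrative.

```python
import re

# Sample input: lines copied from the ie8.log excerpt posted in the thread.
SAMPLE_LOG = r"""
0.219: In Function GetReleaseSet, line 1240, RegQueryValueEx failed with error 0x2
0.813: IECUSTOM: Unwriteable key HKCR\.xbm
0.938: IECUSTOM: Unwriteable key HKCR\.xbm
1.016: IECUSTOM: Unwriteable key HKCR\mailto
1.047: IECUSTOM: Unwriteable key HKLM\SOFTWARE\Classes\mailto
1.094: IECUSTOM: Unable to backup DACLs HKCR\.xbm
1.094: IECUSTOM: An error occured verifying registry permissions. ERROR: 0x80070005
1.094: DoInstallation: CustomizeCall Failed: 0x3f5
1.094: Update.exe extended error code = 0x3f5
"""

# Win32 error codes (winerror.h) that occur in this log.
WIN32_ERRORS = {
    0x2: "ERROR_FILE_NOT_FOUND",
    0x5: "ERROR_ACCESS_DENIED",
    0x3F5: "ERROR_CANTWRITE",
}

def decode(code):
    """Name a Win32 code, unwrapping HRESULTs with FACILITY_WIN32 (0x8007xxxx)."""
    if code & 0xFFFF0000 == 0x80070000:
        code &= 0xFFFF
    return WIN32_ERRORS.get(code, "unknown (0x%x)" % code)

def triage(log_text):
    """Return (keys the installer could not write or re-ACL, decoded error names)."""
    keys, errors = [], []
    pattern = r"(?:Unwriteable key|Unable to (?:backup|restore) DACLs) (\S.*)$"
    for line in log_text.splitlines():
        m = re.search(pattern, line)
        if m and m.group(1).strip() not in keys:
            keys.append(m.group(1).strip())
        for hexcode in re.findall(r"\b0x[0-9a-fA-F]+\b", line):
            name = decode(int(hexcode, 16))
            if name not in errors:
                errors.append(name)
    return keys, errors

if __name__ == "__main__":
    keys, errors = triage(SAMPLE_LOG)
    print("Keys the installer could not write:", keys)
    print("Errors seen:", errors)
```

The access-denied result (0x80070005) sits next to the `HKCR\.xbm` and `mailto` keys, so the permissions on those keys are the thing to inspect; 0x3f5 is the code behind the log's own line "The configuration registry key could not be written."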

#7 boopme


Posted 28 May 2012 - 11:13 PM

Can you run SFC?


Please run SFC (System File Checker)
Please run System File Checker sfc /scannow... For more information on this tool see How To Use Sfc.exe To Repair System Files

NOTE for Vista/WIN 7 users: The command needs to be run from an Elevated Command Prompt. Click Start, type cmd into the Start/Search box, right-click cmd.exe in the list above and select 'Run as Administrator'


You will need your operating system CD handy.

Open Windows Task Manager....by pressing CTRL+SHIFT+ESC

Then click File.. then New Task(Run)

In the box that opens type sfc /scannow ......There is a space between c and /

Click OK
Let it run and insert the CD when asked.

#8 HotRock


Posted 29 May 2012 - 09:38 AM

Hi

I have run the SFC Program and it was asking for Windows Pro SP3 disk, which fortunately I managed to borrow from a friend, as my computer came with no disk, as XP backup is installed as a recovery on the E: partition. It gets nearly all the way through the scan then it asks for XP Pro disk 2, which does not exist, so I have to skip a few files at the end, approximately 6 files in all. Not sure why it does this, and I have tried a few workarounds, like redirecting in regedit as to where the computer looks for the i386 files, but it does not help!

I also downloaded SP3 and pointed SFC to look there for the files, but it still says "wrong cd". It did however correct some stuff, but it still won't boot in safe mode with same error message!!
thanks
Hotrock

#9 boopme


Posted 30 May 2012 - 07:29 PM

Hello, sorry for the delay, but I cannot find anything else. So the next step is to repost in the Malware forum and with a deeper look they should see the issue.

Please go here....Preparation Guide, do steps 6-9.

Create a DDS log and post it in the new topic explained in step 9 which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic, thanks.
If GMER won't run (it may not on a 64 bit system) skip it and move on.

Let me know if that went well.