Can't enter password in Safe Mode

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000003d

Kernel Drivers (total 132):

Processes (total 31):

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`01f60800 (NTFS)

PhysicalDrive0 Model Number: WDCWD400BB-75DEA0, Rev: 05.03E05

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
 
Hi,

Please run the following test:
1. Run ComboFix.
2. Reboot into safe mode and log in.
3. Reboot back into normal mode and log in. Do nothing else but restart machine back into safe mode. Does the keyboard work?
 
In step 2 the keyboard did not work and I could not log on. I couldn't log on in safe mode in step 3 either.

Something interesting happened since my last post. I had logged off (as an administrator) and left the machine running for 2-3 hours. When I came back and tried to log back on (still in normal mode) the password window would open up, but the keyboard would not work. All I could do was shut down. That's happened before, but not in the last week. (See one of my first 2 or 3 posts.) I've logged off and on in normal mode several times. So, it looks like I still have an intermittent problem with the keyboard in normal log on.
Thanks again for your help!
 
Hi,

Are you able to borrow a USB keyboard to see if it behaves in the same way?
 
Ah-hah, so now we're making some progress!

I've done lots of testing and I've discovered that the problem has to do with pressing the F8 key during start up.

It takes 2 to 3 seconds for the Dell "splash screen" (the one with the progress bar that moves from left to right) to appear after I power on. If I press the F8 key BEFORE the splash screen appears it will NEVER allow the keyboard to work at the sign on screen. If I wait 2 to 3 seconds until the splash screen appears, and THEN press the F8 key, the keyboard works fine. That's why most of the time it would not work . . . I started pressing the F8 key too soon!

I've tested it from hard boot and restart - it works the same either way. To my knowledge, pressing the F8 key before the splash screen appears should not make any difference. Should it?

I can probably borrow a USB keyboard for testing if you think it would help. But it will take a day or two for me to get one.
 
Hi,

Pretty interesting reason behind the issue then :)

I've tested it from hard boot and restart - it works the same either way. To my knowledge, pressing the F8 key before the splash screen appears should not make any difference. Should it?
It's possible that some systems are more sensitive about F8 pressing than others.

I can probably borrow a USB keyboard for testing if you think it would help.
I don't think there's necessarily a need to test a USB keyboard now since we have the issue narrowed down.

Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis


Now let's uninstall ComboFix:
  • Click START then RUN
  • Now copy-paste Combofix /uninstall in the runbox and click OK

Please download OTC and save it to desktop.
  • Double-click OTC.exe.
  • Click the CleanUp! button.
  • Select Yes when the
    Begin cleanup Process?
    prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes; if not, delete it yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.


UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

  • hosts file:
    • Every version of Windows has a hosts file as part of it.
    • In a very basic sense, they are used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
    • This is why using a hosts file is optional!!
    Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
    If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    1. Click the start button (at the lower left hand corner of your screen)
    2. Click run
    3. In the dialog box, type services.msc
    4. Hit enter, then locate dns client
    5. Highlight it, then double-click it.
    6. On the dropdown box, change the setting from automatic to manual.
    7. Click ok
  • Download and run Secunia Personal Software Inspector (PSI) and fix its findings.
  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.
    If you don't have a 3rd party firewall or a router behind NAT then I recommend getting one. I recommend either Online Armor Free or Comodo Firewall Pro (If you choose Comodo: Uncheck during installation Install Comodo HopSurf.., Make Comodo my default search provider and Make Comodo Search my homepage and install firewall ONLY!). Both providers have support forums that help with configuration related questions.


Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:
 
I'm not having any other problems that I know of.

OTC.exe didn't do a very good job of cleaning up. It appeared to complete normally, including a reboot. I ran it twice.
I still have MBRCheck.exe, ATF-Cleaner.exe, RKUnhookerLE.exe, HijackThis.exe and the shortcut to ERUNT.exe on my desktop.

I can uninstall ERUNT from the start menu or from the add or remove programs.
I can uninstall HijackThis only from the add or remove programs.
I can delete the other programs from my desktop, but I don't know how to uninstall them. Would it be helpful to keep any of these programs? How do you suggest I remove them? Please advise.

Also, I still have Microsoft Windows Recovery Console installed. Is this something that is beneficial to keep, or can it be downloaded again when needed? If I remove it I will need some help as I don't see any uninstall option.

My hosts file currently has thousands of entries. I use Spybot Search & Destroy to update my hosts file and to run an occasional virus check. Would it be better to download the hosts file you suggest? I don't run the Spybot online monitor because I know it will conflict with Microsoft Security Essentials. I use Firefox (with Adblock Plus) instead of Internet Explorer because I've heard that IE is not so secure. I run Firefox in a private browsing session.

I also use the standard Windows Firewall. For my firewall settings I have a local area connection, but no services or ICMP are enabled. Windows is blocking all incoming connections except bonjour service, iTunes, and network diagnostics for windows xp. I THINK I'm pretty secure with that setup. You stress a 3rd party firewall. I've used a 3rd party firewall in the past, but always seem to have problems of conflict with virus and malware programs. I'm a rather unsophisticated user . . . don't play online games and I don't do much downloading of files. Do you think I really need a 3rd party firewall?

I log in as administrator only when I need administrator functions. I usually log in as a user.
Do you have any additional suggestions/ideas for improvement?
Thanks for your help,
PJ
 
Hi,

I still have MBRCheck.exe, ATF-Cleaner.exe, RKUnhookerLE.exe, HijackThis.exe and the shortcut to ERUNT.exe on my desktop.

I can uninstall ERUNT from the start menu or from the add or remove programs.
I can uninstall HijackThis only from the add or remove programs.
I can delete the other programs from my desktop, but I don't know how to uninstall them. Would it be helpful to keep any of these programs? How do you suggest I remove them? Please advise.
Delete MBRCheck.exe, ATF-Cleaner.exe, RKUnhookerLE.exe manually and ERUNT + HijackThis via add/remove programs (delete HijackThis leftovers manually).

Also, I still have Microsoft Windows Recovery Console installed. Is this something that is beneficial to keep, or can it be downloaded again when needed? If I remove it I will need some help as I don't see any uninstall option.
If the system becomes unbootable, Recovery Console may prove to be a valuable addition. I'd definitely leave it installed.

My hosts file currently has thousands of entries. I use Spybot Search & Destroy to update my hosts file and to run an occasional virus check. Would it be better to download the hosts file you suggest? I don't run the Spybot online monitor because I know it will conflict with Microsoft Security Essentials. I use Firefox (with Adblock Plus) instead of Internet Explorer because I've heard that IE is not so secure. I run Firefox in a private browsing session.
Having Spybot update the hosts file is ok.

I also use the standard Windows Firewall. For my firewall settings I have a local area connection, but no services or ICMP are enabled. Windows is blocking all incoming connections except bonjour service, iTunes, and network diagnostics for windows xp. I THINK I'm pretty secure with that setup. You stress a 3rd party firewall. I've used a 3rd party firewall in the past, but always seem to have problems of conflict with virus and malware programs. I'm a rather unsophisticated user . . . don't play online games and I don't do much downloading of files. Do you think I really need a 3rd party firewall?
XP's own firewall isn't that good at monitoring outbound traffic; that's why a 3rd party firewall would be a recommendation.
 
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread.

If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.
 