# Can't start XP in safe mode



## thymekiller (Jan 29, 2004)

I have been working on a computer running Win XP. Originally, the computer had a display issue, and I was able to reinstall the display adapter drivers in safe mode, and reboot normally. However, I need to reset the system configuration utility changes I made, and so I tried to reboot in safe mode, but the computer hangs after loading this -windows\system32\drivers\ipvnmon.sys. I checked the log, and the next drivers that failed to load were audio codecs. After that is a long list of other drivers that did not load. Any ideas on how to proceed?? The computer seems to run fine now when I boot normally.
thymekiller


----------



## thymekiller (Jan 29, 2004)

*bump*


----------



## MFDnNC (Sep 7, 2004)

Sounds like you need to do a repair from the install CD


----------



## thymekiller (Jan 29, 2004)

Can I use any install CD, or do I have to have the one installed on that computer?? The guy that owns it bought it used and XP was already installed. He didn't receive the disk, either.


----------



## thymekiller (Jan 29, 2004)

*bump*


----------



## thymekiller (Jan 29, 2004)

The other issue here is that since I can't boot into safe mode, I don't currently have access to the admin account, which makes it very difficult to work on...


----------



## Rollin' Rog (Dec 9, 2000)

The audio codecs don't need to load, at least they don't on my system. The last successful load, I believe, should be:

agp440.sys

This is all I can find about the file you mentioned:

http://groups.google.com/[email protected]&rnum=3

It's not a default file, I don't have it at all.


----------



## dai (Mar 7, 2003)

you can set it to boot in safe mode in msconfig/bootini/safeboot


----------



## thymekiller (Jan 29, 2004)

I can't boot to safe mode command prompt - it just hangs after loading the ipvnmon.sys file. The guy that owns the computer gave me the wrong password, so I am back to square one again...


----------



## HappyHacker (Nov 9, 2003)

What kinda computer is it? 

Some have the restore (XP restore) partitions hidden, that you could restore from.


----------



## thymekiller (Jan 29, 2004)

After talking to the owner again, he was finally able to give me the right password, and I was able to log on with privileges. I went into system configuration utility to make things right again, and got in a hurry, and changed a setting in the boot.ini file, and upon rebooting, the computer went into a loop, and just kept restarting itself at the loading Windows screen. I used an XP CD to boot to recovery console, and with the proper permissions, I ran bootcfg /rebuild, and was finally able to start normally. Now I have 2 boot options, and I would like to remove the one that was bad, but I am not sure how to do that. Also, there's a program in there - SBC Yahoo DSL - that was on there when the guy bought the computer, that he wants removed, but it won't remove in Add/remove programs. Is there another way to remove it??? This guy doesn't even plan on going on the internet at all. I have run Ad-aware, and Spy-bot, and cleaned all the spyware out. Should I post a HijackThis log, to make sure I get everything out?? There was quite a large amount of spyware in this machine... Thanks for all the great help so far!!!!!!


----------



## dai (Mar 7, 2003)

yes let one of the experts check it


----------



## RADCOM (Dec 1, 2004)

Some programs don't remove well from add remove programs. You could try Add remove plus or try deleting the SBC Yahoo DSL folder if it exists (probably in program files) and then running a registry cleaning program such as regvac or regclean.
To delete the offending boot option you will need to edit the boot.ini in the root of C:\. You may need to show hidden files in explorer>tools>options first.
Feel free to post your HijackThis log; there are very good analysts on this forum.


----------



## thymekiller (Jan 29, 2004)

Here is the HijackThis log for this machine:

Logfile of HijackThis v1.98.2
Scan saved at 8:39:47 PM, on 12/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\OnSv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\AChkr.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Documents and Settings\Paul\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rockportpilot.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R3 - Default URLSearchHook is missing
O1 - Hosts: 207.44.240.65 rad.msn.com
O1 - Hosts: 216.93.174.28 view.atdmt.com
O1 - Hosts: 216.93.174.28 ad.doubleclick.net
O1 - Hosts: 207.44.240.65 images.trafficmp.com
O1 - Hosts: 207.44.240.65 adfarm.mediaplex.com
O1 - Hosts: 207.44.240.65 media1.fastclick.net
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: V.dd - {00F16DC8-1B2A-42F4-B18B-E21DA9D2D7FD} - C:\PROGRA~1\COMMON~1\IESERV~1\01A00.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: E.HH - {9E992732-295F-4987-8BE3-16FAC1639198} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.dll
O2 - BHO: E.HH - {F0192C73-E569-42AB-BDF2-ED3BAB388DDE} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\JServ\IEService.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [qozjklzvfvzdw] C:\WINDOWS\System32\odnwlc.exe
O4 - HKLM\..\Run: [OnSv] C:\WINDOWS\System32\OnSv.exe
O4 - HKLM\..\Run: [OnSrv] C:\WINDOWS\System32\OnSrvr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O8 - Extra context menu item: - 
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: SearchAssistant=
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/445/webolr/OCX/FlashAX.cab

I see lots of stuff I think needs to go, but I'm no expert. Thanks for the assistance!!!!!

thyme


----------



## Rollin' Rog (Dec 9, 2000)

Have these instructions printed or in a convenient Notepad (or Wordpad) file so you can view them in Safe Mode. Have "show hidden (or all) files" checked in Folder Options > View in case you have to search for any hidden files to delete. Also ensure you do NOT have "hide file extensions..." enabled in Folder Options > View.

Download and unzip to a convenient location the CoolWebShredder, CWShredder.exe available here: http://www.intermute.com/spysubtract/cwshredder_download.html

Then:

*1 >> Restart in Safe Mode:* http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

*2 >> In Safe Mode run the CoolWebShredder* and have it "fix" detected problems. *Then run HijackThis* and check and "fix" the following entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O1 - Hosts: 207.44.240.65 rad.msn.com
O1 - Hosts: 216.93.174.28 view.atdmt.com
O1 - Hosts: 216.93.174.28 ad.doubleclick.net
O1 - Hosts: 207.44.240.65 images.trafficmp.com
O1 - Hosts: 207.44.240.65 adfarm.mediaplex.com
O1 - Hosts: 207.44.240.65 media1.fastclick.net
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: V.dd - {00F16DC8-1B2A-42F4-B18B-E21DA9D2D7FD} - C:\PROGRA~1\COMMON~1\IESERV~1\01A00.dll

O2 - BHO: E.HH - {9E992732-295F-4987-8BE3-16FAC1639198} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.dll

^^ delete the IESERVICE* folder in c:\Documents and Settings\All Users\Application Data

O2 - BHO: E.HH - {F0192C73-E569-42AB-BDF2-ED3BAB388DDE} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\JServ\IEService.dll

^^ do the same for the *JServ* folder

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O4 - HKLM\..\Run: [qozjklzvfvzdw] C:\WINDOWS\System32\odnwlc.exe
O4 - HKLM\..\Run: [OnSv] C:\WINDOWS\System32\OnSv.exe
O4 - HKLM\..\Run: [OnSrv] C:\WINDOWS\System32\OnSrvr.exe

O8 - Extra context menu item: - 
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O14 - IERESET.INF: SearchAssistant=

*Go To Start > Run* and enter *cmd* and a command shell will open. At the prompt carefully type and enter each line:

*del C:\WINDOWS\System32\odnwlc.exe
del C:\WINDOWS\System32\OnSv.exe
del C:\WINDOWS\System32\OnSrvr.exe
del C:\WINDOWS\System32\AChkr.exe*

(not all of these files may be present)

*Additional cleanup instructions:* Go to the Control Panel > Internet Options applet. Clear the Temporary Internet Cache, History and Offline Content.

Go to Start > Run, enter *%temp%* and then click Edit > Select All. Right click on the selected files and folders and delete them

*Reboot and do the following*

>> Download, unzip and run Hoster.exe and have it restore your original Hosts file:

Hoster: http://members.aol.com/toadbee/hoster.zip

>> Install, UPDATE, and run a full drive Ad-aware SE scan and include the VX2 plugin:

Ad-Aware Home Page

http://download.lavasoft.de.edgesuite.net/public/plvx2cleaner.exe
The VX2 plugin will be available in the "add-ons" window once installed and is run from there.

Reboot and post a new Scanlog. I'll move this to Security for followups.


----------
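The kinds of entries picked out in the reply above (Hosts redirects, `(no file)` registrations, an autorun with a generated-looking name), as an added Python example that is not part of the original posts or of HijackThis itself. The `looks_random` heuristic and its thresholds are assumptions; entries such as `OnSv` still need a human analyst's knowledge.

```python
import re

# Sample input: lines taken from the HijackThis log posted in this thread,
# plus one constructed benign Hosts line (127.0.0.1) as a negative case.
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 207.44.240.65 rad.msn.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [qozjklzvfvzdw] C:\WINDOWS\System32\odnwlc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")          # "O4 - <body>"
HOSTS = re.compile(r"^Hosts: (\S+)\s+(\S+)$")           # "Hosts: <ip> <name>"
RUN = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[([^\]]*)\] (.*)$")
LOOPBACK = ("127.", "0.0.0.0", "::1")

def looks_random(name):
    """Assumed heuristic: long, all-lowercase-alpha name with almost no vowels."""
    if len(name) < 8 or not (name.isalpha() and name.islower()):
        return False
    return sum(c in "aeiou" for c in name) / len(name) < 0.2

def triage(log_text):
    """Return (section, reason, line) tuples for entries that need manual review."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header, process list or blank line
        section, body = m.groups()
        if body.endswith("(no file)"):
            findings.append((section, "registration points at a missing file", line))
        hosts = HOSTS.match(body) if section == "O1" else None
        if hosts and not hosts.group(1).startswith(LOOPBACK):
            findings.append((section, f"{hosts.group(2)} pinned to {hosts.group(1)}", line))
        run = RUN.match(body) if section == "O4" else None
        if run and looks_random(run.group(1)):
            findings.append((section, f"autorun value name '{run.group(1)}' looks generated", line))
    return findings

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```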



## thymekiller (Jan 29, 2004)

I printed the directions, since I am working off another machine. I got to the part where I restart in safe mode - and it won't start in safe mode. I still have the original problem, and apparently a few more. When I tried to restart in safe mode, it did all the same things - loaded the ipvnmon.sys file, then restarted itself. Any suggestions??


----------



## dai (Mar 7, 2003)

try pressing f8 when booting and from the boot options choose
last known good configuration


----------



## thymekiller (Jan 29, 2004)

When I do that, all I get is the Windows loading screen for about a minute, then the computer restarts itself. When it does that, and I don't push F8, then it will boot normally. Should I run CWShredder in normal mode?????


----------



## dai (Mar 7, 2003)

you are tapping f8 too late and missing the entry


----------



## thymekiller (Jan 29, 2004)

no, I am getting to the advanced options screen-I selected last known good configuration, after selecting safe mode, which resulted in a restart. Last known good configuration runs to the Windows loading screen, then restarts itself. I can only boot normally...


----------



## dai (Mar 7, 2003)

when in normal mode go into ms config/boot ini and select the safe mode box and reboot and see if that gets you into safe, to do what rollinrog wants done


----------



## thymekiller (Jan 29, 2004)

The last time I did that, I couldn't boot to anything - not even normally - the computer just kept restarting endlessly, and I had to go into recovery console to get back to a normal boot. That's what is so frustrating about all this - I have never worked on a machine that refused to boot into safe mode...


----------



## thymekiller (Jan 29, 2004)

BTW, I ran AVG the other day, and it found 3 trojans, one of which wasn't repairable, and could not be deleted, or quarantined. This morning, while AVG was running, it found 21 more infected files, and it's still running. The guy that owns this computer bought it used from someone else, and has had nothing but trouble ever since. I can't get that machine online, as it's made for dial-up, and I have a cable modem, so I can't go run an online virus scan. Maybe this info will help...


----------



## thymekiller (Jan 29, 2004)

AVG just finished, and it shows to have deleted all infected files except for 2-located in C:\System volume information\restore.


----------



## dai (Mar 7, 2003)

turn off system restore to clean them out of there
check out the bottom item here
http://www.experts-exchange.com/Operating_Systems/WinXP/Q_20978648.html#11019520


----------



## thymekiller (Jan 29, 2004)

Ok, I am trying to work my way thru this, but now, all of a sudden, this machine insists that it needs reactivated, because of hardware changes. All I have done to it is install a CMOS battery. This Win XP thing is really getting to me... but this machine has been here for 3 days now, and this is the first time I have seen this message. What in the world could be causing this????? What could trigger reactivation if no hardware has been changed?? And will I be able to reactivate without the number??? The owner of this machine doesn't even plan on using the internet. He bought it used several months ago, and he hasn't altered the hardware any either. I don't believe he had the original product key either. I've done some research on the activation process, but I don't understand why this particular machine requires reactivation now...


----------



## dai (Mar 7, 2003)

is the number on the side or back of the case


----------



## thymekiller (Jan 29, 2004)

The machine is a Compaq 5190, originally came with Win 98 (which I do miss dearly right now...). As far as I can tell, XP was installed at least a year ago, maybe longer. Apparently it was activated at one time, because it's still running.


----------



## dai (Mar 7, 2003)

you cannot run a computer for long without the system disk being required


----------



## thymekiller (Jan 29, 2004)

I don't understand... what do you mean by that??? My own XP machine has run fine for a year and a half, and I did not receive a system disk with it...


----------



## dai (Mar 7, 2003)

did you get a set of restore disks with it, you usually find everything is going along rosy and wham, you need the disk and check your email


----------



## thymekiller (Jan 29, 2004)

No, I didn't receive any restore discs - I bought the machine from HP, with Win XP installed. I received no supplemental software, however, I have a recovery partition built in to my hard drive.


----------

