Scanning in Safe mode

Discussion in 'ESET NOD32 Antivirus' started by toodle, Nov 26, 2011.

Thread Status:
Not open for further replies.
  1. toodle

    toodle Registered Member

    Joined:
    Nov 26, 2011
    Posts:
    12
    Location:
    United States
    I searched the forum but couldn't find this. I apologize if duplicating a question.


    I have an HP DV6 laptop Windows 7 64 bit. I am running nod32 5 antivirus. The laptop has started randomly locking up. I've run malwarebytes scan and the nod32 with no virus/trojans showing. I would like to run a scan in safe mode. I see it opens a dos window. I've looked at various posts. Some seem to say that something must be downloaded to run in safe mode. Is this true or do I simply reboot into safe mode then open the nod32. Will the scan run and have information in that window? Also approximately how long will it take the scan to run in safe mode?

    Thank you for helping. I am a novice and trying to learn as I go.
     
  2. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Last edited: Nov 26, 2011
  3. toodle

    toodle Registered Member

    Joined:
    Nov 26, 2011
    Posts:
    12
    Location:
    United States
    I can get to safe mode with no problem. After going to safe mode, I click on Nod32, it asks if I want to scan. When I select yes, a dos box opens. There are messages about something not opening then it seems as if it isn't doing anything. Am I simply not allowing enough time for the scan?

    Regardless of how I run a scan there are numerous "error opening" messages. I ran it in normal mode after booting up and had many "error opening" messages. Is this normal?

    see below

    Scan Log
    Version of virus signature database: 6662 (20111126)
    Date: 11/26/2011 Time: 5:20:41 PM
    Scanned disks, folders and files: Operating memory;C:\Boot sector:D:\Boot sector;F:\Boot sector;C:\:D:\;F:\
    C:\hiberfil.sys - error opening [4]
    C:\pagefile.sys - error opening [4]
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log - error opening [4]
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb - error opening [4]
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb - error opening [4]
    C:\ProgramData\Microsoft\Windows Defender\IMpService925A3ACA-C353-458A-AC8D-A7E5EB378092.lock - error opening [4]
    C:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\MpSfc.bin - error opening [4]
    C:\SwSetup\HPDOC_dv6\NoteB1.cab » CAB » pdf_25 - next archive volume not found
    C:\System Volume Information\Syscache.hve - error opening [4]
    C:\System Volume Information\Syscache.hve.LOG1 - error opening [4]
    C:\System Volume Information\Syscache.hve.LOG2 - error opening [4]
    C:\System Volume Information\{15ad6bda-0f73-11e1-804e-2c27d7a835f1}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{1ef7fa08-175b-11e1-85a9-2c27d7a835f1}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{1ef7fa2a-175b-11e1-85a9-2c27d7a835f1}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{1ef7fa42-175b-11e1-85a9-2c27d7a835f1}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{1ef7fa5d-175b-11e1-85a9-2c27d7a835f1}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{1ef7fa75-175b-11e1-85a9-2c27d7a835f1}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{1ef7fa79-175b-11e1-85a9-2c27d7a835f1}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{47014a99-184e-11e1-98ca-2c27d7a835f1}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{5bf3ed02-09fa-11e1-82a9-2c27d7a835f1}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{5bf3ed33-09fa-11e1-82a9-2c27d7a835f1}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{73d00b5a-0c62-11e1-80c3-2c27d7a835f1}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{7a673c1a-11dd-11e1-b8e7-2c27d7a835f1}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{afc4bc5a-186f-11e1-8936-2c27d7a835f1}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{b87ea689-1844-11e1-a456-2c27d7a835f1}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{c32e932d-0a34-11e1-9865-2c27d7a835f1}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{c32e9333-0a34-11e1-9865-2c27d7a835f1}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{d77ff15e-150a-11e1-8533-2c27d7a835f1}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{f96aafff-0c90-11e1-8086-2c27d7a835f1}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{f96ab019-0c90-11e1-8086-2c27d7a835f1}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{f96ab031-0c90-11e1-8086-2c27d7a835f1}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\MSS.log - error opening [4]
    C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\tmp.edb - error opening [4]
    C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb - error opening [4]
    C:\Users\All Users\Microsoft\Windows Defender\IMpService925A3ACA-C353-458A-AC8D-A7E5EB378092.lock - error opening [4]
    C:\Users\All Users\Microsoft\Windows Defender\Scans\History\CacheManager\MpSfc.bin - error opening [4]
    C:\Users\Terresa\ntuser.dat - error opening [4]
    C:\Users\Terresa\ntuser.dat.LOG1 - error opening [4]
    C:\Users\Terresa\ntuser.dat.LOG2 - error opening [4]
    C:\Users\Terresa\AppData\Local\Microsoft\Windows\UsrClass.dat - error opening [4]
    C:\Users\Terresa\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 - error opening [4]
    C:\Users\Terresa\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 - error opening [4]
    C:\Users\Terresa\AppData\Local\Microsoft\Windows Live Mail\Sentinel\WLMailSearchSentinel.eml » MIME - is OK (internal scanning not performed)
    C:\Users\Terresa\AppData\Local\Temp\JETD078.tmp - error opening [4]
    C:\Users\Terresa\AppData\Local\Temp\jre-6u26-windows-i586-iftw-rv.exe » CAB » jusched - archive damaged - the file could not be extracted.
    C:\Users\Terresa\AppData\Local\Temp\jre-6u26-windows-i586-iftw-rv.exe » CAB » task.xml - archive damaged - the file could not be extracted.
    C:\Users\Terresa\AppData\Local\Temp\jre-6u26-windows-i586-iftw-rv.exe » CAB » task64.xml - archive damaged - the file could not be extracted.
    C:\Users\Terresa\AppData\Local\Temp\jre-6u29-windows-i586-iftw-rv.exe » CAB » jusched - archive damaged - the file could not be extracted.
    C:\Users\Terresa\AppData\Local\Temp\jre-6u29-windows-i586-iftw-rv.exe » CAB » task.xml - archive damaged - the file could not be extracted.
    C:\Users\Terresa\AppData\Local\Temp\jre-6u29-windows-i586-iftw-rv.exe » CAB » task64.xml - archive damaged - the file could not be extracted.
    C:\Windows\ServiceProfiles\LocalService\ntuser.dat - error opening [4]
    C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG1 - error opening [4]
    C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG2 - error opening [4]
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat - error opening [4]
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat - error opening [4]
    C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\PeerNetworking\4b4ed19c116db8e3e1ebf252c5df5841f2ff7d31.HomeGroupClassifier\bd995144539ca5583bf840ac90de105b\grouping\db.mdb - error opening [4]
    C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\PeerNetworking\4b4ed19c116db8e3e1ebf252c5df5841f2ff7d31.HomeGroupClassifier\bd995144539ca5583bf840ac90de105b\grouping\edb.log - error opening [4]
    C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\PeerNetworking\4b4ed19c116db8e3e1ebf252c5df5841f2ff7d31.HomeGroupClassifier\bd995144539ca5583bf840ac90de105b\grouping\tmp.edb - error opening [4]
    C:\Windows\ServiceProfiles\NetworkService\ntuser.dat - error opening [4]
    C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG1 - error opening [4]
    C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG2 - error opening [4]
    C:\Windows\System32\log.txt - error opening [4]
    C:\Windows\System32\catroot2\edb.log - error opening [4]
    C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb - error opening [4]
    C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb - error opening [4]
    C:\Windows\SysWOW64\log.txt - error opening [4]
    Number of scanned objects: 499352
    Number of threats found: 0
    Time of completion: 5:48:32 PM Total scanning time: 1671 sec (00:27:51)

    Notes:
    [4] Object cannot be opened. It may be in use by another application or operating system.
     
  4. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    Hello toodle,
    some files not being able to be scanned is normal.
    see the note at the bottom of your scan log which you pasted here.
     
  5. philby

    philby Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    940
    As lodore says, this is normal:

    NOD32 shows many files with "error opening - (File locked) [4]" what does this mean?

    NOD32 passes information from the Operating System regarding which files can not be accessed for scanning. Typically these files are in use by
    the Operating System itself and can not be scanned. Files may also be encrypted (or password protected), not allowing access (i.e. Adaware,
    SpyBot S&D and other security programs).

    This is normal for any On Demand scanning antivirus program. Why do you need to see it? If NOD32 was downloaded to an infected system, some files may be
    inaccessible (infected, or the infection itself) through normal windows. This will help in the troubleshooting process if needed. Well-trained eyes can diagnose
    the issue to help recover the system to a non-infected state.

    Rebooting into safe mode and running a Scan & Clean will generally eliminate the threat.
    Always disable System Restore when attempting to clean an already infected system. This will eliminate the ability of System Restore to put the infected file(s)
    back during the boot process after a Scan & Clean has been performed and a reboot is necessary.

    Here are some examples of Operating System files (or encrypted/password protected) that are in use and can not be accessed for scanning.

    C:\Documents and Settings\username\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
    C:\Documents and Settings\username\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
    C:\WINDOWS\system32\config\default - error opening (File locked) [4]
    C:\WINDOWS\system32\config\DEFAULT.LOG - error opening (File locked) [4]
    C:\WINDOWS\system32\config\SECURITY - error opening (File locked) [4]
    C:\WINDOWS\system32\config\SECURITY.LOG - error opening (File locked) [4]
    C:\WINDOWS\system32\config\system - error opening (File locked) [4]
    C:\WINDOWS\system32\config\SYSTEM.ALT - error opening (File locked) [4]
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »glyph7.bmp - error - password-protected file


    Above was taken from this very useful FAQ page.

    philby
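
Added example, not part of philby's post or the ESET FAQ: one way to triage the "error opening [4]" lines of an on-demand scan log like the one pasted earlier in the thread, separating objects Windows normally keeps locked from anything else that may deserve a manual look. The allowlist patterns, the `triage` function and the sample paths (user `alice`, `updater.exe`) are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the format of the scan log posted above (not real data).
SAMPLE_LOG = r"""C:\hiberfil.sys - error opening [4]
C:\pagefile.sys - error opening [4]
C:\System Volume Information\Syscache.hve - error opening [4]
C:\Users\alice\ntuser.dat.LOG1 - error opening [4]
C:\Users\alice\AppData\Local\Microsoft\Windows\UsrClass.dat - error opening [4]
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb - error opening [4]
C:\Windows\System32\catroot2\edb.log - error opening [4]
C:\Users\alice\AppData\Roaming\updater.exe - error opening [4]
C:\Users\alice\AppData\Local\Temp\setup.exe » CAB » task.xml - archive damaged - the file could not be extracted.
Number of threats found: 0
"""

# Assumed allowlist: kinds of objects a running Windows keeps open, modelled on
# the paths in the thread's log. First match wins; tune it for your machines.
EXPECTED_LOCKED = [
    ("paging/hibernation file", r"^[A-Z]:\\(pagefile|hiberfil)\.sys$"),
    ("System Volume Information", r"^[A-Z]:\\System Volume Information\\"),
    ("registry hive", r"\\(ntuser|UsrClass)\.dat(\.LOG\d*)?$"),
    ("ESE database/log", r"\\(edb\.log|catdb|[^\\]+\.(edb|mdb))$"),
    ("Windows Search/Defender data", r"\\Microsoft\\(Search|Windows Defender)\\"),
]
# "<object> - <status>"; the object may include " » CAB » member" archive parts.
LINE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) - (?P<status>.+)$")

def triage(log_text):
    """Return (Counter of expected locked objects, list of paths to review)."""
    expected, review = Counter(), []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m or not m["status"].startswith("error opening"):
            continue  # summary lines, archive notes, clean results
        for label, pattern in EXPECTED_LOCKED:
            if re.search(pattern, m["path"], re.IGNORECASE):
                expected[label] += 1
                break
        else:
            review.append(m["path"])  # not a verdict, just worth a manual look
    return expected, review

if __name__ == "__main__":
    expected, review = triage(SAMPLE_LOG)
    for label, count in expected.items():
        print(f"expected {count:3d}  {label}")
    for path in review:
        print(f"REVIEW        {path}")
```

The log printed by the safe-mode console scanner later in the thread uses a different `name="..."` layout and would need its own line pattern.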
     
  6. toodle

    toodle Registered Member

    Joined:
    Nov 26, 2011
    Posts:
    12
    Location:
    United States
    Thanks for answering me. I am scanning because my 3 month old HP laptop has been locking up. I don't think it is infected but I am trying to troubleshoot the issue so running malware and antivirus scans. I have gone into safe mode. When I click on the nod32 it opens a window that looks like a dos screen. Is it running when that opens? It doesn't appear to be doing anything so I closed it. HP wants to restore to "out of the box" status but I want to verify all other avenues have been explored first.

    Thanks again.
     
  7. philby

    philby Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    940
    When I used NOD32, the standard GUI didn't appear in safe mode, if I recall, so I don't think that's odd...

    Maybe give Hitman Pro, MBAM etc a spin anyway and see if you do indeed have undesirables on your machine.

    For the continual lockups though, I'd also explore Event Viewer and Process Explorer to check for failures, hangs and hogs...

    philby
     
  8. toodle

    toodle Registered Member

    Joined:
    Nov 26, 2011
    Posts:
    12
    Location:
    United States
    I ran Malwarebytes free in safe mode. It found 232 "infections". All are backdoor.bredavi associated to my wireless Epson printer. I don't know if these are actual threats or not. Is this a legitimate infection? I again tried to run the Nod32 antivirus scan in safe mode. It has opened the DOS window.
    Starts with
    Command line: /auto

    Scan Started at : 11/28/11 18:29:27
    name="C:\hiberfil.sys" threat="", action="", infor="error opening"
    name="C:\pagefile.sys" threat="", action="", infor="error opening"

    I have no idea if it is running a scan. EDIT>>>>it is scanning in the DOS window. If there is a backdoor trojan, shouldn't the antivirus have stopped or identified it?
     
    Last edited: Nov 28, 2011
  9. toodle

    toodle Registered Member

    Joined:
    Nov 26, 2011
    Posts:
    12
    Location:
    United States
    The Malwarebytes was a false positive. No other issues on the nod32 scans or malwarebytes. Will take other avenues.

    Thanks for all the help.
     
  10. rcdailey

    rcdailey Registered Member

    Joined:
    Dec 25, 2009
    Posts:
    233
    If you are running in safe mode, you have to leave it alone for a long time. The time will depend on how large your hard drive is and how many files are being scanned. The two files you see can't be opened because they are system files that are in use. Good to know that the Malwarebytes detections were false positives. That's unusual with Malwarebytes, but it can happen with any malware scanner.
     
  11. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    Are you certain the problem is software-related? Perhaps the Hewlett Packard dv6 notebook computer is locking up for a different reason, such as overheating.

    Regards,

    Aryeh Goretsky
     
  12. toodle

    toodle Registered Member

    Joined:
    Nov 26, 2011
    Posts:
    12
    Location:
    United States
    Sorry not to reply sooner. I didn't really think it was software related. All this was being done because HP customer service requested it. They wouldn't acknowledge the possibility that it was the hardware. Their response was to run all the scans then if nothing showed up in scans, they would help me restore the laptop to "out of the box" condition. I told them I believed it was a hardware issue. How do I check for heating issues?

    Thanks for the response.
     
  13. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    I just thought it might be a hardware issue, since I see the same report almost every day when I'm browsing various tech support web sites, plus the ~64,000 hits returned in this search on Bing when using "hp dv6 laptop overheating" as the query. Of course, your notebook could be working fine and just happen to have a software problem.

    In any case, I would first suggest that you ask Hewlett-Packard's technical support department for recommended means of monitoring your system's temperature. If they do not have anything to suggest, you could try a program like BurnInTest, CoreTemp, CPU Thermometer, SpeedFan or TMonitor. I have not used these programs myself, so I am unsure of how well they will work. I am not sure if hardware monitoring programs like these can conflict with each other if you run multiple ones at the same time, but it may be a good idea to uninstall between trying each one, just to avoid any potential complications or inaccurate results.

    Regards,

    Aryeh Goretsky
     
    Last edited: Dec 9, 2011