Help with HijackThis log

Discussion in 'Security and Privacy' started by Nitmast, 2004/07/22.

Thread Status:
Not open for further replies.
  1. 2004/07/22
    Nitmast

    Nitmast Inactive Thread Starter

    Joined:
    2003/10/13
    Messages:
    41
    Likes Received:
    0
    I am having major problems with internet browsing (can't change home page, can't log into sites that I am a member of, etc.). I did Spybot S&D and got rid of some things. I tried Ad-Aware but I am totally lost as to what I should fix or not fix. For some reason my Symantec AntiVirus Corporate Edition won't run so I have been going to trendmicro for scans as my IT guy doesn't have time for me. Please look at my log file and let me know if you can help! Thanks!

    Logfile of HijackThis v1.98.0
    Scan saved at 8:39:30 AM, on 7/22/2004
    {deleted as log redone, see below}
     
    Last edited: 2004/07/22
  2. 2004/07/22
    Daizy

    Daizy Inactive

    Joined:
    2002/02/19
    Messages:
    2,965
    Likes Received:
    0
    Make sure you update them both. You can rid yourself of everything they both find.
     

  4. 2004/07/22
    Nitmast

    Nitmast Inactive Thread Starter

    Joined:
    2003/10/13
    Messages:
    41
    Likes Received:
    0
    I updated both Spybot and Ad-aware before I scanned. So I can get rid of all 70 items that Ad-aware found? There isn't anything that will go wrong if I do?

    Thanks for your help!

    Kirsten
     
  5. 2004/07/22
    Daizy

    Daizy Inactive

    Joined:
    2002/02/19
    Messages:
    2,965
    Likes Received:
    0
    Yes, you can get rid of them all. Then do another housecall scan.

    Then post another log.
     
  6. 2004/07/22
    Nitmast

    Nitmast Inactive Thread Starter

    Joined:
    2003/10/13
    Messages:
    41
    Likes Received:
    0
    Okay. I did all of that and now here is my latest HijackThis log.

    I have my home page back but I still cannot log into my internet provider's online access to e-mail, I just keep getting redirected to the login page for some reason. My Symantec and DirecWay still don't work either but things are getting better.

    Thanks again!

    Logfile of HijackThis v1.98.0
    Scan saved at 10:44:06 AM, on 7/22/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\TightVNC\WinVNC.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\WINDOWS\System32\wfxsnt40.exe
    C:\WINDOWS\System32\f0r0r\dirote.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
    C:\Program Files\DIRECWAY\BIN\dpcstart.exe
    C:\WINDOWS\System32\f0r0r\ppi.exe
    C:\PROGRA~1\DIRECWAY\bin\dpcnav.exe
    C:\antispyware\HijackThis.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://wwmahp.hudsonphysicians.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {37AD3159-E417-2EC4-8156-64550DA67949} - C:\WINDOWS\System32\uvqdp.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe "
    O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe "
    O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
    O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe "
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [rn4d] C:\WINDOWS\System32\f0r0r\kolder.exe C:\WINDOWS\System32\f0r0r\dirote.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [Microsofts Updates] q.exe
    O4 - HKLM\..\RunServices: [Microsofts Updates] q.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Microsofts Updates] q.exe
    O4 - Global Startup: Dpcstart.lnk = C:\Program Files\DIRECWAY\BIN\dpcstart.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: startup.bat
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = WWMAHP.hudsonphysicians.com
    O17 - HKLM\Software\..\Telephony: DomainName = WWMAHP.hudsonphysicians.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A397E56E-5CF1-45C7-890A-E98BA561965A}: Domain = direcway.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A397E56E-5CF1-45C7-890A-E98BA561965A}: NameServer = 66.82.4.8
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = WWMAHP.hudsonphysicians.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = WWMAHP.hudsonphysicians.com
     
  7. 2004/07/22
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS Nitmast. :)

    Well, your anti-virus has probably been disabled by these processes, C:\WINDOWS\System32\f0r0r\dirote.exe, C:\WINDOWS\System32\f0r0r\ppi.exe, a nasty infection known as Hacker Defender. Not sure why it wasn't picked up by the Trend Micro scan, but I believe Panda ActiveScan will recognize and remove it.

    Additionally, I haven't found any information on the two following entries, which are suspicious, but don't 'appear' to be running.

    O4 - HKLM\..\Run: [Microsofts Updates] q.exe
    O4 - HKLM\..\RunServices: [Microsofts Updates] q.exe

    Being a networked machine, with at least control panel restrictions, you may be limited as to what you are able to do to clean up this PC. There are several other things that need removed, but let's get the Hacker Defender and any others found out of the way first.

    I would also like for you to scan the PC with RAV (after Panda). Check the box to autoclean. If any files are infected and uncleanable, click the report button then copy and paste it here, along with a new HijackThis log.
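
The two signals raised in the reply above (processes running from a subfolder of System32, and one autorun name registered under several Run keys with no matching running process) can be checked mechanically. This Python sketch is an added example, not part of the original thread or of HijackThis; the function names and both heuristics are assumptions, the sample is a subset of lines from the log posted above, and a hit is a lead for review, not a verdict.

```python
import re
from collections import defaultdict
from ntpath import basename, dirname, normcase  # Windows path rules on any OS

# Constructed sample: a subset of lines from the HijackThis log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.0
Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\WINDOWS\System32\f0r0r\dirote.exe
C:\WINDOWS\System32\f0r0r\ppi.exe

O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [rn4d] C:\WINDOWS\System32\f0r0r\kolder.exe C:\WINDOWS\System32\f0r0r\dirote.exe
O4 - HKLM\..\Run: [Microsofts Updates] q.exe
O4 - HKLM\..\RunServices: [Microsofts Updates] q.exe
O4 - HKCU\..\Run: [Microsofts Updates] q.exe
"""

# Shape of an O4 registry line: "O4 - <hive>\..\<key>: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (HK\w+\\\.\.\\\w+): \[(.+?)\] (.+)$")


def parse_log(text):
    """Return (running process paths, [(autorun key, value name, command)])."""
    processes, autoruns, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()  # forum posts indent the log
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:
            in_procs = False  # a blank line ends the process list
        elif in_procs:
            processes.append(line)
        else:
            m = O4_RE.match(line)
            if m:
                autoruns.append(m.groups())
    return processes, autoruns


def triage(text):
    """Return findings as (rule, item, detail, is_running) tuples."""
    processes, autoruns = parse_log(text)
    running = {basename(p).lower() for p in processes}
    findings = []

    # Heuristic 1 (assumption): the same value name and command registered
    # under more than one autorun key suggests redundant persistence.
    keys_by_entry = defaultdict(set)
    for key, name, cmd in autoruns:
        keys_by_entry[(name, cmd)].add(key)
    for (name, cmd), keys in keys_by_entry.items():
        if len(keys) > 1:
            # Approximation: first whitespace-separated token is the program.
            exe = basename(cmd.split()[0].strip('"')).lower()
            findings.append(("multi-key autorun", name, cmd, exe in running))

    # Heuristic 2 (assumption): a process whose folder sits directly under
    # System32 deserves a look; legitimate subfolders exist as well.
    for p in processes:
        parent = dirname(p)
        if normcase(dirname(parent)).endswith(r"\windows\system32"):
            findings.append(("system32 subfolder process", basename(p), parent, True))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```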
     
  8. 2004/07/22
    Nitmast

    Nitmast Inactive Thread Starter

    Joined:
    2003/10/13
    Messages:
    41
    Likes Received:
    0
    Okay. I did all that. Here are all the reports and such. I checked the Autoclean box for the RAV scan but I am not sure that it cleaned them up after it found them. I rebooted my computer after I did all that and the antivirus still didn't work and I got a window titled "Error" that said "Execution of the specified command has failed". I don't know if that info helps or not.

    I appreciate all your help. I guess my computer is a network machine but since I work from home I am not actually linked to the network. My IT guy is only one person trying to upgrade an entire medical clinic to the computerized technology age and he never has time for things like this so we are left to our own devices and since my job tends to involve some amount of researching terms and info on the internet I guess I am vulnerable to all kinds of stuff I never knew was out there until the wheels fell off my computer, so to speak. :rolleyes:

    Panda gave me this report:

    Incident Status Location

    Virus:W32/Randon Disinfected Operating system
    Virus:W32/Sasser.ftp Disinfected C:\WINDOWS\SYSTEM32\cmd.ftp
    Virus:Trj/StartPage.EU Disinfected C:\WINDOWS\SYSTEM32\olehelp.exe
    Virus:W32/Sdbot.AFP.worm Disinfected C:\WINDOWS\SYSTEM32\wuamgrd.exe


    RAV gave me this one:

    Scanning memory...
    Scanning boot sectors...
    Scanning files...
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP59\A0006302.exe->(UPXW) - Backdoor:Win32/MotivFTP.1_2 -> Infected
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP59\A0006308.exe - Trojan:Win32/StartPage.IT -> Infected
    C:\WINDOWS\SYSTEM32\go.exe - Win32/Korgo.A.worm.dam#2 -> Infected
    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8DARKL23\WksPatch[1].exe - Win32/HLLW.Nachi.B.dam#2 -> Infected

    Scanned
    ============================
    Objects: 72333
    Directories: 3366
    Archives: 3506
    Size(Kb): 1343938
    Infected files: 4

    Found
    ============================
    Viruses found: 4
    Suspicious files: 0
    Disinfected files: 0
    Mail files: 111



    And here is my latest HijackThis log:

    Logfile of HijackThis v1.98.0
    Scan saved at 7:10:46 PM, on 7/22/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\TightVNC\WinVNC.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\WINDOWS\System32\wfxsnt40.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
    C:\Program Files\DIRECWAY\BIN\dpcstart.exe
    C:\PROGRA~1\DIRECWAY\bin\dpcnav.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\antispyware\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wwmahp.hudsonphysicians.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://wwmahp.hudsonphysicians.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {37AD3159-E417-2EC4-8156-64550DA67949} - C:\WINDOWS\System32\uvqdp.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe "
    O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe "
    O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
    O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe "
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [rn4d] C:\WINDOWS\System32\f0r0r\kolder.exe C:\WINDOWS\System32\f0r0r\dirote.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [Microsofts Updates] q.exe
    O4 - HKLM\..\RunServices: [Microsofts Updates] q.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Microsofts Updates] q.exe
    O4 - Global Startup: Dpcstart.lnk = C:\Program Files\DIRECWAY\BIN\dpcstart.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: startup.bat
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = WWMAHP.hudsonphysicians.com
    O17 - HKLM\Software\..\Telephony: DomainName = WWMAHP.hudsonphysicians.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3149C28F-9F86-4CE3-BC76-B9C74032B0E8}: NameServer = 66.44.144.10 65.222.44.10
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A397E56E-5CF1-45C7-890A-E98BA561965A}: Domain = direcway.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A397E56E-5CF1-45C7-890A-E98BA561965A}: NameServer = 66.82.4.8
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = WWMAHP.hudsonphysicians.com
    O17 - HKLM\System\CS1\Services\Tcpip\..\{3149C28F-9F86-4CE3-BC76-B9C74032B0E8}: NameServer = 66.44.144.10 65.222.44.10
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = WWMAHP.hudsonphysicians.com
     
    Last edited: 2004/07/22
  9. 2004/07/22
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks MUCH better. :)

    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.

    O2 - BHO: (no name) - {37AD3159-E417-2EC4-8156-64550DA67949} - C:\WINDOWS\System32\uvqdp.dll
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [rn4d] C:\WINDOWS\System32\f0r0r\kolder.exe C:\WINDOWS\System32\f0r0r\dirote.exe

    Think you should fix these also, unless you know what they represent, then disable the service in the Services console. To get there, go to start>run and type services.msc, then hit enter. Locate the entry in the list (*note: this is not Automatic Updates service! It is Microsoft Updates, and I believe it to be a fake, as I've found no information for it.), right click and choose properties, stop and set to disabled. Apply and OK out. You should also search the drive for q.exe and rename to q.old. Would you also right click the file, if found, and select properties then let us know any/all information available? You will probably need to do this while showing hidden files.
    O4 - HKLM\..\Run: [Microsofts Updates] q.exe
    O4 - HKLM\..\RunServices: [Microsofts Updates] q.exe
    O4 - HKCU\..\Run: [Microsofts Updates] q.exe

    Right click My Computer and choose properties. On system restore tab, check the box to turn off. OK out.

    Go to start>run and type msconfig, hit enter. On the boot.ini tab, check the box next to /safeboot and OK. Yes to restart. This will restart your computer in safe mode.

    Now in safe mode, you will need to show hidden files and folders.

    Open C:\WINDOWS\system32 and delete the file go.exe, and the folder f0r0r.
    Open C:\Windows\Temp, select all and delete.
    Open C:\Documents and settings\username\Local Settings\temp, select all and delete. Do this for all usernames.
    Open C:\Windows\Prefetch, select all and delete.
    Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and OK.
    Uncheck the /safeboot box in msconfig and ok to reboot.

    Back in Windows, scan again with RAV. Let us know what is found and post a new HJT log.
     
  10. 2004/07/22
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Just saw your added comment. You should uninstall, then reinstall and update your AV program for it to work properly again. Some of the files may be damaged or missing. Could be that, or the left over run entries from the infection causing the error.
     
  11. 2004/07/22
    Nitmast

    Nitmast Inactive Thread Starter

    Joined:
    2003/10/13
    Messages:
    41
    Likes Received:
    0
    :eek: Uh-oh. I misunderstood the instructions and might have goofed.

    I thought that you meant for me to remove the Microsofts Updates files when I was in HijackThis. So now of course when I try to do the rest of the instructions these files aren't anywhere to be found. I stopped before turning the System Restore off just in case.

    Oh, one more thing. I can't seem to uninstall the antivirus for the life of me. Nowhere on the Start menu does it have an uninstall nor when I open the program. I tried to go to Add/Remove programs and remove it there but it says "removing program" and then nothing happens. I am afraid I have hit the end of my line of knowledge.
     
  12. 2004/07/22
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    If referring to these entries,
    O4 - HKLM\..\Run: [Microsofts Updates] q.exe
    O4 - HKLM\..\RunServices: [Microsofts Updates] q.exe
    O4 - HKCU\..\Run: [Microsofts Updates] q.exe
    Yes, that's what I meant. Fix them with HJT. If you did already, they won't be there on subsequent scans. You did fine. ;)

    You will probably need to run Symantec's uninstaller tool, then reinstall. I'll dig up a link and post it for you. What version do you have?
     
  13. 2004/07/22
    Nitmast

    Nitmast Inactive Thread Starter

    Joined:
    2003/10/13
    Messages:
    41
    Likes Received:
    0
    :p Phew. Okay. I will continue on with the rest of the instructions then and get back to you with those results.

    Out of curiosity which virus/worm/trojan was the one that was interfering with my antivirus?

    I have Symantec AntiVirus Corporate Edition program version 8.00.9374.

    Once I uninstall it then I have the instructions from my IT guy on how to connect to the server at the office and download it over again. I could just never get to the uninstall part.

    Thanks,

    Kirsten
     
  14. 2004/07/22
    Nitmast

    Nitmast Inactive Thread Starter

    Joined:
    2003/10/13
    Messages:
    41
    Likes Received:
    0
    Um, hate to be a pain in the neck but I hit a snag. My work computer is set up so that when it first starts you have to hit ctrl-alt-delete and then enter your username and password. Well now that it is in safe mode it won't accept them.

    I guess it is a good thing that I still have my personal computer to be able to get back here for help!
     
  15. 2004/07/22
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    For removing Norton AV, first check the program's folder for unwise.exe and if you find it, run it. It will be the uninstaller. Even if you find it and it does seem to work, there will be sludge left over you want to get rid of. For that (or for the full removal if unwise.exe isn't there)
    How-to use symclean.exe and a link toward the lower part of the page to an ftp site where you can download the app.

    Safe Mode - it wants the local administrator account and your IT guy should be able to tell you what that is.

    And your practice might want to seriously consider hiring your IT guy some help.
     
  16. 2004/07/22
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
  17. 2004/07/22
    Nitmast

    Nitmast Inactive Thread Starter

    Joined:
    2003/10/13
    Messages:
    41
    Likes Received:
    0
    :( So is there any way to get my computer back out of safe mode so that I can still work on it tonight as my IT guy won't be reachable until the morning?

    As for getting him more help, well, I am just a peon and we have no say and without getting into the office politics our department's needs are always last on the list. If my equipment doesn't work, then I don't work and I have to take vacation time or not get paid at all until the IT guy has time to fix it. All I can do is muddle along trying to keep it working.

    But I do really appreciate the help I am receiving in getting everything straightened out.
     
  18. 2004/07/22
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    After you press Ctrl+Alt+Del, you should get a login box. By default it probably has Administrator in the username box. You should be able to highlight and type in your name and password to login.
     
  19. 2004/07/22
    Nitmast

    Nitmast Inactive Thread Starter

    Joined:
    2003/10/13
    Messages:
    41
    Likes Received:
    0
    No it actually has my username already there. I have tried retyping all of it but still get the error message. I guess I will have to wait for the IT guy to get in in the morning.
     
  20. 2004/07/23
    Nitmast

    Nitmast Inactive Thread Starter

    Joined:
    2003/10/13
    Messages:
    41
    Likes Received:
    0
    :confused: Okay, now I am frustrated. According to my IT guy my username was set up as an administrator on the computer so it shouldn't be refusing me. He is stumped and says he has to think about it and get back to me later. Is there any way to get the computer back out of safe mode so I can fix the login problem? The login window is also supposedly missing a field. There should be one for something like domain but I only have username and password.

    Anyone have any ideas how to get out of this bind? Should I post this part in another forum too?

    Thanks again,

    Kirsten
     
  21. 2004/07/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Can you select the Administrator account? If it was never passworded, just type in Administrator and hit enter. I've yet to see this happen before, so I am looking for a workaround now. Sorry! :confused:
     