safe mode only

You were so helpful in solving the hijacking of our main computer. Now, however, our son's computer will only start in safe mode. We're not able to go online so I can't run any diagnostics from your site. The computer runs on Windows ME and is linked to the internet via a wireless router. It does have SpyBot installed and after running that program it found 2 instances of visicom.searchcentric. Could this computer also have been hijacked? What can I do to start IE so that I can link to your site from that computer? Thanks for any help you can give.

klw

 

Hi klw,

Can you put HijackThis on a floppy and run it on that computer? Then write the log to the same floppy and post it from your computer.

Regards,

Pieter

 

Follow Pieter's instructions first..but this may help later



When it only goes into this safe mode do you get any error messages also ?

if so start with this.

Download that dll from here and register it

http://www.dll-files.com





Do you have WinME startup diskette?

If you haven't, go here http://www.bootdisk.com/bootdisk.htm and download the Windows ME (OEM version).

Download the file to your C: drive, put a fresh disk in your A: drive, then click on the file to create the bootdisk.

Then, you can try

Scanning your system from DOS:

Boot from the startup disk you just created and at the prompt type:

scandisk

Press enter, wait for the process to finish and reboot WITHOUT the disk.

No luck?

Try a registry repair:

Boot from a startup disk and at the prompt type:

scanreg /fix (note the space between g and /)

Press enter, wait for the process to finish and reboot WITHOUT the disk.

If still this doesn't work, try a registry restore:

Again, boot from a startup disk, and at the prompt type:

scanreg /restore (note the space between g and /)

Enter. Select a date prior to the problem and let the process finish.

Reboot WITHOUT the disk.

Oof... No luck?

Try a System Restore:

Start > Programs > Accessories > System Tools > System Restore

Select "Restore my computer to an earlier date"

Click "Next"

Select the first System Check Point PRIOR to your problem . Click "Next". Let the process finish.

Any luck?




If you're unsuccessful achieving "System Restore" as recommended you could try the following link and restore from DOS.

http://support.microsoft.com/default.aspx?scid=kb;en-us;279736


You'll need a Startup disk for your A Drive, available
from www.bootdisk.com,
or,if you still have a 2nd computer(Win Me), try this:

Start > Settings > Control Panel > click 'Add/Remove Programs' > click 'Startup Disk' tab.

 

Okay, I copied hijackthis to floppy, but it won't open on that computer. It just keeps asking what I want to do: open, save, cancel... Maybe it's because winzip isn't functioning? I checked the disk on this computer and it opens fine. Shall I start the next string of suggestions listed after your first post?

I did try system restore earlier, but 3 attempts were unsuccessful. Somehow the computer wouldn't make it happen

klw

 

ME has it's own built-in "unzipper", so it shouldn't even need winzip.
Can you copy the file to the HD?
Or if that doesn't work put the unzipped hijackthis.exe on the floppy.

@ Primrose,

Did you forget a bit in your post? I can't make out which .dll you are referring to in the beginning.

Regards,

Pieter

 

If when that PC is first turned on and it goes into the safe mode..if there are not any error shown also.. then that first link for the .dll would not be needed..but if you find any that are missing that is one link you can get the one(s) you need.

 

I saved hijackthis to the HD but it still won't open on the infected computer. Sorry, how do I get the unzipped version?

Also, I'm pretty ignorant about dll so I'm not sure what you mean. In my previous post I was referring to the infected computer (with ME) not being able to run hijackthis from the floppy. I also couldn't get sys restore to work on the ME computer.

 

Then this info that is in this link on ME system restore might help..

http://forum.emsisoft.com/viewtopic.php?t=837

 

Try this link for just the .exe file of hijackthis.


http://forum.gladiator-antivirus.com/index.php?act=Attach&type=post&id=37191

 

Terrific. The exe. link worked. Here is the hijacked log.

Logfile of HijackThis v1.97.7
Scan saved at 7:10:37 PM, on 2/27/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
A:\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_6_0.DLL (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\BRIDGE.DLL
O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - C:\PROGRAM FILES\IESEARCHBAR\IESEARCHBAR.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FB-EF60B19DA02A} - C:\WINDOWS\SYSTEM\WZHELPER.DLL
O2 - BHO: (no name) - {CD2A865B-6C0F-44F9-BAA1-7CDB31E04BC8} - C:\WINDOWS\SYSTEM\BARBHO.DLL
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-D7E4-F660B597BF2A} - C:\WINDOWS\SYSTEM\WEBALIZE.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: IE Search Bar - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - C:\PROGRAM FILES\IESEARCHBAR\IESEARCHBAR.DLL
O3 - Toolbar: WEBALIZE - {4E7BD74F-2B8D-469E-D7E4-F660B597BF2A} - C:\WINDOWS\SYSTEM\WEBALIZE.DLL
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\DOWNLOADED PROGRAM FILES\BRIDGE.DLL",Load
O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.EXE
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\HPCD-W~1\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [brifazim] C:\WINDOWS\SYSTEM\rurhexfg.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [S4F] "C:\Program Files\S4F\INSTALL\S4FTray.exe" -i
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [D-Link Air Utility] C:\PROGRAM FILES\D-LINK\AIR UTILITY\AIRCFG.EXE
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\RunServices: [TVWakeup] C:\Progra~1\TVView~1\tvwakeup.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Announcements] C:\Program Files\TV Viewer\annclist.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [VidSvr]
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: WebMoney (HKLM)
O9 - Extra 'Tools' menuitem: WebMoney (HKLM)
O10 - Broken Internet access because of LSP provider 'wins4f.dll' missing
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/WRActiveX/FileXfer.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield Setup Player) - http://ftp.hp.com/pub/automatic/player/isetup.cab
O16 - DPF: {E2CF5C45-7CCC-11D4-9BD1-0080C6F60B6A} (CouponsComBrxpdf2 Control) - http://ftp.coupons.com/brxpdf2.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2566E4F3-A47B-11D4-9B5D-0010A4F2D6BF} (QwCont Class) - http://www.quicken.com/qw2001/qcominst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} (AxPulse Class) - http://www.pulse3d.com/players/english/PulsePlayerAxWin.cab
O16 - DPF: {AAD68411-5B98-11D3-9B52-00001C0007B3} (EonX 3.0.0) - http://www.realityobjects.com/download/3_0_2/eonx.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/plugins/en_US/DjVuControl.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://attmotive.broadband.att.com/prequal/files/MotivePreQual.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/20011223/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D702FBF4-EE60-11D0-BD5B-00A0C91F4635} (CFForm Runtime) - http://www.bulletinboards.com/CFIDE/classes/CFJava.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.6.35/HiwireBF.cab
O16 - DPF: {6986A6CF-9D58-11D6-91C2-00E02964E8E3} (IntPagomaster Class) - http://www.livecamx.com/sexo99/pagomast.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37667.6260532407
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/ym/yiebio5_1_6_0.cab
O16 - DPF: {2C1651EF-8827-11D6-91A2-00E02964E8E3} (IntRuboskizo Class) - http://www.britator.com/micab/dialerweb.cab
O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://dialxs.nl/install/dialxs.ocx
O16 - DPF: {1A6BB370-9DB8-44d8-A336-C8F707E80A70} (Toolbar WMButton Download) - http://www.wmtransfer.com/wmbutton.cab
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - http://www.netpaloffers.net/NetpalOffers/DMO1/IAicm.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingstone.com/cab/98ME/bridge.cab

 

I will let Pieter do you hijacklog but since you can Boot into Safe Mode did you RUN SCANREGW to check your current registry.
(Go to Start>run> type in Scanregw)

If it is damaged, you could try restoring a prior days registry if you still have it. Windows only stores the five prior day's Registry.

The fact that you get to the Desktop indicates that it is not a system DLL or driver causing the problem. But you need to track down where in the boot process it is running into problems. In Safe Mode, run MSCONFIG and enable Normal start up if that does not work for you then do the same thing but this time Selective startup.
Then un-check all of the items below it and click APPLY. Exit and reboot. If it boots OK, start down the list adding one group at a time until you find the group that is causing the problem. Once you find it, put checks back in all boxes, and set Normal startup.

The problem could be a corrupted System.INI file or WIN.INI or any a number of data files or corrupted programs.

 

Hi klw,

hmmm.... there are too many i could find... malwares, spywares....

FIX these in HijackThis ( umm... Let Pieter gives confirmation to be 100% sure) , reboot and then post a fresh Hijack log

R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\BRIDGE.DLL

O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - C:\PROGRAM FILES\IESEARCHBAR\IESEARCHBAR.DLL

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
(it's a Twaintech adware BHO)

O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FB-EF60B19DA02A} - C:\WINDOWS\SYSTEM\WZHELPER.DLL

O2 - BHO: (no name) - {CD2A865B-6C0F-44F9-BAA1-7CDB31E04BC8} - C:\WINDOWS\SYSTEM\BARBHO.DLL

O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-D7E4-F660B597BF2A} - C:\WINDOWS\SYSTEM\WEBALIZE.DLL

O3 - Toolbar: WEBALIZE - {4E7BD74F-2B8D-469E-D7E4-F660B597BF2A} - C:\WINDOWS\SYSTEM\WEBALIZE.DLL
(information here http://www.pestpatrol.com/pestinfo/s/searchcentrix.asp)

O3 - Toolbar: IE Search Bar - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - C:\PROGRAM FILES\IESEARCHBAR\IESEARCHBAR.DLL

O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\DOWNLOADED PROGRAM FILES\BRIDGE.DLL",Load

O4 - HKLM\..\Run: [systray]C:\WINDOWS\SYSTEM\A.EXE
then delete The A.Exe file from the System folder.

O4 - HKLM\..\Run: [brifazim] C:\WINDOWS\SYSTEM\rurhexfg.exe

O16 - DPF: {2C1651EF-8827-11D6-91A2-00E02964E8E3} (IntRuboskizo Class) - http://www.britator.com/micab/dialerweb.cab

O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://dialxs.nl/install/dialxs.ocx

O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - http://www.netpaloffers.net/NetpalOffers/DMO1/IAicm.cab

O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingstone.com/cab/98ME/bridge.cab

thx

 

Fix the ones subratam listed.

Can you then try to uninstall S4F in Add/Remove Software?

Then reboot and post a new log.

Regards,

Pieter

 

Thanks for your reply. I hope I can get back into the system to apply your suggestions.

Here's the situation: I followed the steps outlined by primrose in post #10. The scanregw is fine. However, when going to msconfig I received this message: "Unable to synchronize environmental variables in Windows Registry with environmental variables in legacy files AUTOEXEC.Bat and/or config. system." I clicked ok and went to selective startup and began the process. With Load Static VxDs selected the reboot crashed to a black screen somewhere in the startup process so I rebooted manually at the cpu. Then with the next item on the list selected (sorry, I don't know the name), the reboot crashed during startup to a black screen (and continues to do so at every attempt) with the reboot nearly complete but just before I can possible type in msconfig again. It appears to be enabling startup devices as the icons begin to appear on the toolbar at the lower right corner of the screen. The last icon to appear before the crash is the norton anti-virus (with a red X through it).

I made a boot disk but I'm not sure how to reboot with it. What must I do other than insert in the drive?

Sorry for this mess I've passed to you. Hopefully your wisdom can help me sort through it.

klw

 

I thought you would do the hijack this clean first. But if you really did follow these instructions to make that boot disk...
*********
Do you have WinME startup diskette?

If you haven't, go here http://www.bootdisk.com/bootdisk.htm and download the Windows ME (OEM version).

Download the file to your C: drive, put a fresh disk in your A: drive, then click on the file to create the bootdisk.

Then, you can try

Scanning your system from DOS:

Boot from the startup disk you just created and at the prompt type:

scandisk

Press enter, wait for the process to finish and reboot WITHOUT the disk.
*********


then the answer is Yes..all you do is first put in that disk.turn on the PC and it will sense that this time it must boot up from that A drive floppy.

 

IU did read what you wrote above but it is not evident what did happen when your did this first of all ??


The fact that you get to the Desktop indicates that it is not a system DLL or driver causing the problem. But you need to track down where in the boot process it is running into problems. In Safe Mode, run MSCONFIG and enable "Normal start" up if that does not work

when you got the message "Unable to synchronize environmental variables in Windows Registry with environmental variables in legacy files AUTOEXEC.Bat and/or config. system."

did you then try to enable a normal start up?? or did that come before ?

 

Your other option is this but it is not easy to do for some.

******
From: Kan Yabumoto tech@xxcopy.com
To: XXCOPY user
Subject: A better boot diskette for Win9x/ME
Date: 2001-08-18
====================================================================

Introduction:

One thing really annoying with Windows ME is that the "Start UP"
diskette which WinME creates as part of the initial installation
(the so-called Emergency Boot Disk, or EBD) is quite useless.

It does not allow you to enter the windows ME environment at all.
All it gives you is a pseudo DOS environment with/without the
support of the CD-ROM drive (Oh, yes, it gives you a Help menu).

It seems that when something goes wrong with the few key files
in the root directory and/or the master boot record (MBR), the
only option you have is to re-install the whole Windows ME.
This is also true even with our favorate environment, Win98SE.

There are times when you are installing another OS (sucha s
Windows 2000 as a dual boot system and something goes wrong
with the set up, or a virus attack. The complicated steps in
the boot up process, especially with a dual-boot system, if any
of the many files are even slightly corrupted, you can't enter
Windows 9X or ME. With this regard, Windows ME was one step
backward from Win 9x where at least you have a DOS environment
where you can fix things and enter the Windows environment.


Enter the Quick Boot Diskette:

Anyway, here's a technique that works quite well to enter the
Windows ME world without using any file in the root directory
of the C: drive. The disketter you prepare with this technique
is useful even for a dual-boot system (e.g., 98SE and XP) as
long as the disk was installed with a Windows ME system.

It seems too simple to be true.

Assume that you are running a healthy WinME system
Here's how to create the "Windows Quick Boot" diskette:

1. Open a DOS Box inside WinME(or its DOS counterpart).
2. FORMAT A:
3. XXCOPY16 C:\IO.SYS A:\ /H
4. XXCOPY16 C:\MSDOS.SYS A:\ /H

Note: if you don't have XXCOPY16, use the standard ATTIRB
and COPY command to copy the hidden files. The two files
listed above are essential. Optionally, you may copy the
following files if they are present in the root directory
(but not mandatory)

5. XXCOPY16 C:\CONFIG.SYS A:\
6. XXCOPY16 C:\AUTOEXEC.BAT A:\

That is it!!!

The diskette is a bootable diskette which does not rely on any
file in the root directory of the C: drive.

If you are not familiar with XXCOPY16, it is available in the
XXCOPY Freeware package.


The MSDOS.SYS file:

Of course, the contents of the MSDOS.SYS file should be carefully
controlled. The following text shows a typical MSDOS.SYS fie.
(Note: the Windows ME system directory is assumed to be name
as C:\WINDOWS. If it is different, make adjustments as needed.)

----------------------------------------------------------

[Paths]
WinDir=C:\WINDOWS
WinBootDir=C:\WINDOWS
HostWinBootDrv=C

[Options]
AutoScan=0
BootDelay=0
BootMulti=0
BootGUI=1
BootMenu=0
BootMenuDefault=1
BootMenuDelay=4
DoubleBuffer=1
Logo=0
DblSpace=0
DrvSpace=0
DisableLog=1
WinVer=4.90.3000
;
;The following lines are required for compatibility...
o not remove them (MSDOS.SYS needs to be >1024 bytes).
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
; ...

-----------------------------------------------------------

The most important thing with the MSDOS.SYS file is that
the copy in the diskette should have the following line in
the [Options] section of the file.

DisableLog=1

If the line reads "DisableLog=0", then, the log file (BOOTLOG.TXT)
will be created on the diskette which makes the boot up procedure
painfully slow. (In Win ME, the log file will be created only
when you choose Safe Mode or manually select Logged mode. Still,
for the floppy based operation, you don't want the log file.)

Note: If your windows directory is not "C:\WINDOWS",
    make adjustments as needed.

    Here, some non-default settings are chosen:

    AutoScan=0 (1 to carry out ScanDisk)
    Logo=0 (1 to hide the screen by the log image)
    DisableLog=1 (0 to generate BOOTLOG.TXT)
    DblSpace=0 (1 to load DBLSPACE.BIN automatically)
    DrvSpace=0 (1 to load DRVSPACE.BIN automatically)

The WinVer value should reflect the version of Windows:

    WinVer=4.00.0950 // Windows 95
    WinVer=4.00.1111 // Windows 95 OSR2
    WinVer=4.10.1998 // Windows 98
    WinVer=4.10.2222 // Windows 98 SE
    WinVer=4.90.3000 // Windows ME


In case of trouble:

1. With WinME, the Quick boot diskette should go right into
the Windows screen without letting you to stay in DOS.
This procedure does not use any of the files in the root
directory of the system disk (C.

On the other hand, with Win9x (Non-ME), the boot menu gives
you the familiar option to stay at the command prompt.

2. If your system is too corrupted to come back alive using
the Quick-restart diskette, you should use the Windows
Emergency Recovery diskette that you made in the installation
step.

3. Run FDISK to make sure that the Master boot record (MBR)
has the proper master boot code.

FDISK /MBR (it runs in non-interactive mode).

Then, run FDISK in interactive mode (without an argument)
and from the FDISK menu, make sure that the Primary DOS
Partition is active.

4. Run the SYS command to refresh the boot sector (the first
sector of the active partition) has proper boot program.

SYS C:

This program initializes the boot sector of C: drive and
also copies the IO.SYS, MSDOS.SYS and DRVSPACE.BIN files.

Caution: If your system is configured as dual-boot with
Windows NT/2000/XP, this procedure will make it Win9x-only
system (However, after making it Win9X-only boot first,
you may run the FIXBOOT command inside the Recovery Console,
to make it dual-boot again).

5. If you suspect that the system registry settings (especially
for essential device drivers) are badly configured, you
may reestore the key files from the system backup directory.
First, see how many backup sets have been captured.

DIR C:\WINDOWS\SYSBCKUP\*.CAB

Here's an example of what you see:

RB000 CAB 1,888,538 05-21-01 5:36a rb000.cab
RB003 CAB 1,889,721 05-22-01 7:38a rb003.cab
RBBAD CAB 1,834,739 01-26-01 3:28p rbbad.cab
RB002 CAB 1,892,943 05-20-01 12:45p rb002.cab

Note that the file number and the file dates are not in
a particular order. Yesterday's copy is usually good.
Don't pick the one with RBBAD.CAB which is a bad one!
Once you decide which of the .CAB files to restore

You may increase the number of backup sets stored in the
SYSBCKUP directory by editing the C:\WINDOWS\SCANREG.INI
file (e.g., specify MaxBackupCopies=10 for ten sets).

6. Once you decide which backup set to restore, run:

EXTRACT C:\WINDOWS\SYSBCKUP\RB002.CAB /L C:\WINDOWS /E /Y

Here, the RB002.CAB was chosen as an example. The directory
name following the /L switch specifies the location of the
the extracted files. The /E switch extracts all files.
The /Y switch suppresses the overwrite prompts.

In the case of Windows ME, the following files are expected
to be restored:

C:\WINDOWS\SYSTEM.DAT
C:\WINDOWS\USER.DAT
C:\WINDOWS\CLASSES.DAT
C:\WINDOWS\WIN.INI
C:\WINDOWS\SYSTEM.INI

7. After the FDISK, SYS and EXTRACT procedures described above,
you can try again with the Quick Boot diskette to reboot.
Also, note that the files that are on the Quick Boot diskette
were originally from the root directory of the system disk (C.
Therefore, you may restore them by copying the files back to
the root directory if need:

XXCOPY16 A:\*.* C:\ /H /R /Y


Tip:

Although the Quick Boot diskette needs only a handful of files,
if you add the few utility programs into the diskette, it will
make the diskette useful in case of trouble.

IO.SYS ; essential for boot up
MSDOS.SYS ; needed to boot up into the GUI environment
CONFIG.SYS ; optional for boot up
AUTOEXEC.BAT ; optional for boot up

FDISK.EXE ; to make the hard disk bootable
SYS.COM ; to make the hard disk bootable
FORMAT.COM ; to start over
XXCOPY16.EXE ; good idea
XXCOPY.EXE ; if you have room


Epilog:

I have tested the technique described in this article using
a computer with Win98, Win98SE and WinME. I believe the same
technique should work on Win95 and Win95-OSR2.

Let me know if you encounter problems with the techniques
described in this article.

Kan Yabumoto

For a similar technique in creating a better boot diskette for
WinNT/2000/XP, see XXTB #33.



© Copyright 2003 Pixelab, Inc. All rights reserved.

 

First, thanks for the time you've spent and help you have been with this problem. There has been some progress, fortunately. Here is an update:

While in safe mode I ran a thorough scandisk (it took about 18 hours!). When it appeared to be almost finished the system froze and ultimately crashed. From a minimal boot I tryed to run it again but it flashed for an instant and the message said there were disk problems. I'm assuming the previous thorough scan must have been completed (?).

In tracking one of your links to the microsoft me help site from my healthy computer, I discovered this bulletin that seems to address at least part of my problem:

http://support.microsoft.com/default.aspx?scid=305671

After following these instructions I am now able to start the computer in normal mode. When I undo these instructions it only starts in safe mode again.

Norton Anti-virus (2001) does not start, however, and when I try to start it from the programs file it says I must restart the computer in order to run norton. I was receiving this message before all these problems, but the norton icon was appearing at that time in the startup toolbar so I could open it from there. So, I am not able to scan the computer for viruses. Also, the wireless modem will not start--saying it is disconnected.

I'm wondering if I should uninstall and reinstall both Norton and the D-Link wireless?

Next, I was able to successfully remove the recommendations you suggested in hijackthis by using the program on floppy. I just ran a new scan and here are the results:

Logfile of HijackThis v1.97.7
Scan saved at 1:15:05 PM, on 3/1/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\TV VIEWER\TVWAKEUP.EXE
C:\PROGRAM FILES\TV VIEWER\ANNCLIST.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\HP CD-WRITER\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\HP CD-WRITER\MMENU\HPCDTRAY.EXE
C:\PROGRAM FILES\ALPHA NETWORKS\ANIWZCS SERVICE\WZCSLDR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\S4F\INSTALL\S4FTRAY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
C:\PROGRAM FILES\D-LINK\AIR UTILITY\AIRCFG.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
A:\HIJACKTHIS.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\NDETECT.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_6_0.DLL (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\HPCD-W~1\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [S4F] "C:\Program Files\S4F\INSTALL\S4FTray.exe" -i
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [D-Link Air Utility] C:\PROGRAM FILES\D-LINK\AIR UTILITY\AIRCFG.EXE
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [TVWakeup] C:\Progra~1\TVView~1\tvwakeup.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Announcements] C:\Program Files\TV Viewer\annclist.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [VidSvr]
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: WebMoney (HKLM)
O9 - Extra 'Tools' menuitem: WebMoney (HKLM)
O10 - Broken Internet access because of LSP provider 'wins4f.dll' missing
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/WRActiveX/FileXfer.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield Setup Player) - http://ftp.hp.com/pub/automatic/player/isetup.cab
O16 - DPF: {E2CF5C45-7CCC-11D4-9BD1-0080C6F60B6A} (CouponsComBrxpdf2 Control) - http://ftp.coupons.com/brxpdf2.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2566E4F3-A47B-11D4-9B5D-0010A4F2D6BF} (QwCont Class) - http://www.quicken.com/qw2001/qcominst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} (AxPulse Class) - http://www.pulse3d.com/players/english/PulsePlayerAxWin.cab
O16 - DPF: {AAD68411-5B98-11D3-9B52-00001C0007B3} (EonX 3.0.0) - http://www.realityobjects.com/download/3_0_2/eonx.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/plugins/en_US/DjVuControl.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://attmotive.broadband.att.com/prequal/files/MotivePreQual.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/20011223/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D702FBF4-EE60-11D0-BD5B-00A0C91F4635} (CFForm Runtime) - http://www.bulletinboards.com/CFIDE/classes/CFJava.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.6.35/HiwireBF.cab
O16 - DPF: {6986A6CF-9D58-11D6-91C2-00E02964E8E3} (IntPagomaster Class) - http://www.livecamx.com/sexo99/pagomast.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37667.6260532407
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/ym/yiebio5_1_6_0.cab
O16 - DPF: {1A6BB370-9DB8-44d8-A336-C8F707E80A70} (Toolbar WMButton Download) - http://www.wmtransfer.com/wmbutton.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB


Pieter suggested uninstalling S4P. This is an internet filtering program and to remove it I must contact the supplier for instructions. Do you still want me to do this?

So summarize, I am able to start in normal mode (under select startup following the procedure in Microsoft bulletin 305671). The computer is not able to access the internet nor run Norton Anti-virus.

Any additional suggestions would be greatly appreciated.

klw

 

Oh, one more thing re: Primrose's question--

I continue to get the "Unable to synchronize environmental variables in Windows Registry with environmental variables in legacy files AUTOEXEC.Bat and/or config. system" message whenever I run msconfig. That seems to be a constant.

Thanks.

 

Hi klw,

fix these three

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O16 - DPF: {6986A6CF-9D58-11D6-91C2-00E02964E8E3} (IntPagomaster Class) - http://www.livecamx.com/sexo99/pagomast.cab

and then post a new log

 

Hi klw,

Have a look here.

Regards,

Pieter

 

Ok, new log:

Logfile of HijackThis v1.97.7
Scan saved at 2:56:02 PM, on 3/1/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\TV VIEWER\TVWAKEUP.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\HP CD-WRITER\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\HP CD-WRITER\MMENU\HPCDTRAY.EXE
C:\PROGRAM FILES\ALPHA NETWORKS\ANIWZCS SERVICE\WZCSLDR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\S4F\INSTALL\S4FTRAY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
C:\PROGRAM FILES\D-LINK\AIR UTILITY\AIRCFG.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
A:\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_6_0.DLL (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\HPCD-W~1\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [S4F] "C:\Program Files\S4F\INSTALL\S4FTray.exe" -i
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [D-Link Air Utility] C:\PROGRAM FILES\D-LINK\AIR UTILITY\AIRCFG.EXE
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [TVWakeup] C:\Progra~1\TVView~1\tvwakeup.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Announcements] C:\Program Files\TV Viewer\annclist.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [VidSvr]
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: WebMoney (HKLM)
O9 - Extra 'Tools' menuitem: WebMoney (HKLM)
O10 - Broken Internet access because of LSP provider 'wins4f.dll' missing
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/WRActiveX/FileXfer.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield Setup Player) - http://ftp.hp.com/pub/automatic/player/isetup.cab
O16 - DPF: {E2CF5C45-7CCC-11D4-9BD1-0080C6F60B6A} (CouponsComBrxpdf2 Control) - http://ftp.coupons.com/brxpdf2.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2566E4F3-A47B-11D4-9B5D-0010A4F2D6BF} (QwCont Class) - http://www.quicken.com/qw2001/qcominst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} (AxPulse Class) - http://www.pulse3d.com/players/english/PulsePlayerAxWin.cab
O16 - DPF: {AAD68411-5B98-11D3-9B52-00001C0007B3} (EonX 3.0.0) - http://www.realityobjects.com/download/3_0_2/eonx.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/plugins/en_US/DjVuControl.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://attmotive.broadband.att.com/prequal/files/MotivePreQual.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/20011223/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D702FBF4-EE60-11D0-BD5B-00A0C91F4635} (CFForm Runtime) - http://www.bulletinboards.com/CFIDE/classes/CFJava.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.6.35/HiwireBF.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37667.6260532407
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/ym/yiebio5_1_6_0.cab
O16 - DPF: {1A6BB370-9DB8-44d8-A336-C8F707E80A70} (Toolbar WMButton Download) - http://www.wmtransfer.com/wmbutton.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

 

Pieter, I went to the site you suggested in Reply#20 above. Looks easy enough, however, there is nothing listed when I select the environment tab--no "TEMP" option. So I can't get to the "variable value box" to check for empty spaces.

I checked the ME knowledge base article also (264214). I can open the files suggested in notepad, but I have no idea what the "unnecessary entries" might be. So, I've posted them below. Can anyone make an assessment re: what is unnecessary in these files?

AUTOEXEC.BAT file contents:

@ECHO OFF
set EXPAND=YES
SET DIRCMD=/O:N
cls
set temp=c:\
set tmp=c:\
path=C:\WINDOWS;C:\WINDOWS\COMMAND;a:\

IF "%config%"=="NOCD" GOTO QUIT
rem - By Windows Setup - LH C:\WINDOWS\COMMAND\MSCDEX.EXE /Demcd001 /L

echo.
IF "%config%"=="SETUP_CD" goto AUTOSETUP
GOTO QUIT

:AUTOSETUP
set CDROM=FOO23
FINDCD.EXE
if "%CDROM%"=="FOO23" goto NOCDROM
path=C:\WINDOWS;C:\WINDOWS\COMMAND;a:\;%CDROM%\
%CDROM%
cd \WIN98
echo.
OEMSETUP.EXE
goto QUIT

:NOCDROM
echo.
echo The Windows 98 Setup files were not found.
echo.

:QUIT


CONFIG.SYS file contents:

[menu]
menuitem=SETUP_CD, Start Windows 98 Setup from CD-ROM.
menuitem=CD, Start computer with CD-ROM support.
menuitem=NOCD, Start computer without CD-ROM support.
menudefault=SETUP_CD,30
menucolor=7,0

[SETUP_CD]
device=C:\WINDOWS\himem.sys /testmemff
device=oakcdrom.sys /Demcd001
device=btdosm.sys
device=flashpt.sys
device=btcdrom.sys /Demcd001
rem device=aspi2dos.sys
rem device=aspi8dos.sys
rem device=aspi4dos.sys
rem device=aspi8u2.sys
rem device=aspicd.sys /Demcd001

[CD]
device=C:\WINDOWS\himem.sys /testmemff
device=oakcdrom.sys /Demcd001
device=btdosm.sys
device=flashpt.sys
device=btcdrom.sys /Demcd001
rem device=aspi2dos.sys
rem device=aspi8dos.sys
rem device=aspi4dos.sys
rem device=aspi8u2.sys
rem device=aspicd.sys /Demcd001

[NOCD]
device=C:\WINDOWS\himem.sys /testmemff

[COMMON]
files=60
dos=high,umb
lastdrive=z



thanks,

klw