safe mode only

Discussion in 'adware, spyware & hijack cleaning' started by klw, Feb 27, 2004.

  1. klw

    klw Registered Member

    Joined:
    Feb 26, 2004
    Posts:
    13
    You were so helpful in solving the hijacking of our main computer. Now, however, our son's computer will only start in safe mode. We're not able to go online so I can't run any diagnostics from your site. The computer runs on Windows ME and is linked to the internet via a wireless router. It does have SpyBot installed and after running that program it found 2 instances of visicom.searchcentric. Could this computer also have been hijacked? What can I do to start IE so that I can link to your site from that computer? Thanks for any help you can give. o_O

    klw
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi klw,

    Can you put HijackThis on a floppy and run it on that computer? Then write the log to the same floppy and post it from your computer.

    Regards,

    Pieter
     
  3. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Follow Pieter's instructions first, but this may help later.

    When it only goes into this safe mode, do you get any error messages also?

    If so, start with this.

    Download that dll from here and register it

    http://www.dll-files.com





    Do you have WinME startup diskette?

    If you haven't, go here http://www.bootdisk.com/bootdisk.htm and download the Windows ME (OEM version).

    Download the file to your C: drive, put a fresh disk in your A: drive, then click on the file to create the bootdisk.

    Then, you can try

    Scanning your system from DOS:

    Boot from the startup disk you just created and at the prompt type:

    scandisk

    Press enter, wait for the process to finish and reboot WITHOUT the disk.

    No luck?

    Try a registry repair:

    Boot from a startup disk and at the prompt type:

    scanreg /fix (note the space between g and /)

    Press enter, wait for the process to finish and reboot WITHOUT the disk.

    If still this doesn't work, try a registry restore:

    Again, boot from a startup disk, and at the prompt type:

    scanreg /restore (note the space between g and /)

    Enter. Select a date prior to the problem and let the process finish.

    Reboot WITHOUT the disk.

    Oof... No luck?

    Try a System Restore:

    Start > Programs > Accessories > System Tools > System Restore

    Select "Restore my computer to an earlier date"

    Click "Next"

    Select the first System Check Point PRIOR to your problem. Click "Next". Let the process finish.

    Any luck?




    If you're unsuccessful achieving "System Restore" as recommended you could try the following link and restore from DOS.

    http://support.microsoft.com/default.aspx?scid=kb;en-us;279736


    You'll need a Startup disk for your A Drive, available
    from www.bootdisk.com,
    or, if you still have a 2nd computer (Win Me), try this:

    Start > Settings > Control Panel > click 'Add/Remove Programs' > click 'Startup Disk' tab.
     
  4. klw

    klw Registered Member

    Joined:
    Feb 26, 2004
    Posts:
    13
    Okay, I copied hijackthis to floppy, but it won't open on that computer. It just keeps asking what I want to do: open, save, cancel... Maybe it's because winzip isn't functioning? I checked the disk on this computer and it opens fine. Shall I start the next string of suggestions listed after your first post?

    I did try system restore earlier, but 3 attempts were unsuccessful. Somehow the computer wouldn't make it happen :(

    klw
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    ME has its own built-in "unzipper", so it shouldn't even need winzip.
    Can you copy the file to the HD?
    Or if that doesn't work put the unzipped hijackthis.exe on the floppy.

    @ Primrose,

    Did you forget a bit in your post? I can't make out which .dll you are referring to in the beginning.

    Regards,

    Pieter
     
  6. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    If, when that PC is first turned on and goes into safe mode, there are no errors shown as well, then that first link for the .dll would not be needed. But if you find any that are missing, that is one link where you can get the one(s) you need.
     
  7. klw

    klw Registered Member

    Joined:
    Feb 26, 2004
    Posts:
    13
    I saved hijackthis to the HD but it still won't open on the infected computer. Sorry, how do I get the unzipped version?

    Also, I'm pretty ignorant about dll so I'm not sure what you mean. In my previous post I was referring to the infected computer (with ME) not being able to run hijackthis from the floppy. I also couldn't get sys restore to work on the ME computer.
     
  8. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Then this info that is in this link on ME system restore might help..

    http://forum.emsisoft.com/viewtopic.php?t=837
     
  9. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
  10. klw

    klw Registered Member

    Joined:
    Feb 26, 2004
    Posts:
    13
    Terrific. The exe. link worked. Here is the hijacked log.

    Logfile of HijackThis v1.97.7
    Scan saved at 7:10:37 PM, on 2/27/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    A:\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
    R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    F1 - win.ini: run=hpfsched
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_6_0.DLL (file missing)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\BRIDGE.DLL
    O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - C:\PROGRAM FILES\IESEARCHBAR\IESEARCHBAR.DLL
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FB-EF60B19DA02A} - C:\WINDOWS\SYSTEM\WZHELPER.DLL
    O2 - BHO: (no name) - {CD2A865B-6C0F-44F9-BAA1-7CDB31E04BC8} - C:\WINDOWS\SYSTEM\BARBHO.DLL
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-D7E4-F660B597BF2A} - C:\WINDOWS\SYSTEM\WEBALIZE.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: IE Search Bar - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - C:\PROGRAM FILES\IESEARCHBAR\IESEARCHBAR.DLL
    O3 - Toolbar: WEBALIZE - {4E7BD74F-2B8D-469E-D7E4-F660B597BF2A} - C:\WINDOWS\SYSTEM\WEBALIZE.DLL
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\DOWNLOADED PROGRAM FILES\BRIDGE.DLL",Load
    O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.EXE
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\HPCD-W~1\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
    O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
    O4 - HKLM\..\Run: [brifazim] C:\WINDOWS\SYSTEM\rurhexfg.exe
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [S4F] "C:\Program Files\S4F\INSTALL\S4FTray.exe" -i
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [D-Link Air Utility] C:\PROGRAM FILES\D-LINK\AIR UTILITY\AIRCFG.EXE
    O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
    O4 - HKLM\..\RunServices: [TVWakeup] C:\Progra~1\TVView~1\tvwakeup.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [Announcements] C:\Program Files\TV Viewer\annclist.exe
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [VidSvr]
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: WebMoney (HKLM)
    O9 - Extra 'Tools' menuitem: WebMoney (HKLM)
    O10 - Broken Internet access because of LSP provider 'wins4f.dll' missing
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/WRActiveX/FileXfer.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield Setup Player) - http://ftp.hp.com/pub/automatic/player/isetup.cab
    O16 - DPF: {E2CF5C45-7CCC-11D4-9BD1-0080C6F60B6A} (CouponsComBrxpdf2 Control) - http://ftp.coupons.com/brxpdf2.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {2566E4F3-A47B-11D4-9B5D-0010A4F2D6BF} (QwCont Class) - http://www.quicken.com/qw2001/qcominst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} (AxPulse Class) - http://www.pulse3d.com/players/english/PulsePlayerAxWin.cab
    O16 - DPF: {AAD68411-5B98-11D3-9B52-00001C0007B3} (EonX 3.0.0) - http://www.realityobjects.com/download/3_0_2/eonx.cab
    O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/plugins/en_US/DjVuControl.cab
    O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
    O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://attmotive.broadband.att.com/prequal/files/MotivePreQual.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/20011223/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {D702FBF4-EE60-11D0-BD5B-00A0C91F4635} (CFForm Runtime) - http://www.bulletinboards.com/CFIDE/classes/CFJava.cab
    O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
    O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.6.35/HiwireBF.cab
    O16 - DPF: {6986A6CF-9D58-11D6-91C2-00E02964E8E3} (IntPagomaster Class) - http://www.livecamx.com/sexo99/pagomast.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37667.6260532407
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/ym/yiebio5_1_6_0.cab
    O16 - DPF: {2C1651EF-8827-11D6-91A2-00E02964E8E3} (IntRuboskizo Class) - http://www.britator.com/micab/dialerweb.cab
    O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://dialxs.nl/install/dialxs.ocx
    O16 - DPF: {1A6BB370-9DB8-44d8-A336-C8F707E80A70} (Toolbar WMButton Download) - http://www.wmtransfer.com/wmbutton.cab
    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - http://www.netpaloffers.net/NetpalOffers/DMO1/IAicm.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingstone.com/cab/98ME/bridge.cab
     
  11. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    I will let Pieter do your hijack log, but since you can boot into Safe Mode, did you run SCANREGW to check your current registry?
    (Go to Start > Run > type in Scanregw)

    If it is damaged, you could try restoring a prior day's registry if you still have it. Windows only stores the five prior days' registries.

    The fact that you get to the Desktop indicates that it is not a system DLL or driver causing the problem. But you need to track down where in the boot process it is running into problems. In Safe Mode, run MSCONFIG and enable Normal startup. If that does not work for you, then do the same thing but this time choose Selective startup.
    Then un-check all of the items below it and click APPLY. Exit and reboot. If it boots OK, start down the list adding one group at a time until you find the group that is causing the problem. Once you find it, put checks back in all boxes, and set Normal startup.

    The problem could be a corrupted System.INI file or WIN.INI or any number of data files or corrupted programs.
     
  12. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    Hi klw,

    hmmm.... there are too many I could find... malware, spyware....

    FIX these in HijackThis (umm... let Pieter give confirmation to be 100% sure), reboot and then post a fresh Hijack log

    R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\BRIDGE.DLL

    O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - C:\PROGRAM FILES\IESEARCHBAR\IESEARCHBAR.DLL

    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
    (it's a Twaintech adware BHO)

    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FB-EF60B19DA02A} - C:\WINDOWS\SYSTEM\WZHELPER.DLL

    O2 - BHO: (no name) - {CD2A865B-6C0F-44F9-BAA1-7CDB31E04BC8} - C:\WINDOWS\SYSTEM\BARBHO.DLL

    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-D7E4-F660B597BF2A} - C:\WINDOWS\SYSTEM\WEBALIZE.DLL

    O3 - Toolbar: WEBALIZE - {4E7BD74F-2B8D-469E-D7E4-F660B597BF2A} - C:\WINDOWS\SYSTEM\WEBALIZE.DLL
    (information here http://www.pestpatrol.com/pestinfo/s/searchcentrix.asp)

    O3 - Toolbar: IE Search Bar - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - C:\PROGRAM FILES\IESEARCHBAR\IESEARCHBAR.DLL

    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\DOWNLOADED PROGRAM FILES\BRIDGE.DLL",Load

    O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.EXE
    Then delete the A.EXE file from the System folder.

    O4 - HKLM\..\Run: [brifazim] C:\WINDOWS\SYSTEM\rurhexfg.exe

    O16 - DPF: {2C1651EF-8827-11D6-91A2-00E02964E8E3} (IntRuboskizo Class) - http://www.britator.com/micab/dialerweb.cab

    O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://dialxs.nl/install/dialxs.ocx

    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - http://www.netpaloffers.net/NetpalOffers/DMO1/IAicm.cab

    O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingstone.com/cab/98ME/bridge.cab

    thx
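The cross-checking done by hand in the post above (the same CLSID or DLL turning up under several HijackThis sections, and entries marked "(no file)") can be scripted. The following is an added example, not part of the thread and not part of HijackThis; the function names are hypothetical, the sample is a trimmed excerpt of the log posted in this thread, and the output is a list of entries to review, not a verdict on any of them.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Trimmed excerpt of the HijackThis v1.97.7 log posted earlier in this thread
# (leading indentation removed). Header lines are kept to show they are skipped.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Running processes:
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_6_0.DLL (file missing)
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\BRIDGE.DLL
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-D7E4-F660B597BF2A} - C:\WINDOWS\SYSTEM\WEBALIZE.DLL
O3 - Toolbar: WEBALIZE - {4E7BD74F-2B8D-469E-D7E4-F660B597BF2A} - C:\WINDOWS\SYSTEM\WEBALIZE.DLL
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\DOWNLOADED PROGRAM FILES\BRIDGE.DLL",Load
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\RunServices: [VidSvr]
O10 - Broken Internet access because of LSP provider 'wins4f.dll' missing
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingstone.com/cab/98ME/bridge.cab
"""

SECTION_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MODULE_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:dll|exe|ocx)', re.IGNORECASE)
AUTORUN_RE = re.compile(r"^HK[A-Z]+\\\.\.\\\w+: \[([^\]]*)\]\s*(.*)$")


@dataclass
class Entry:
    section: str    # HijackThis section code, e.g. "O2" or "R3"
    text: str       # everything after "<code> - "
    clsids: list    # upper-cased CLSIDs found on the line
    modules: list   # upper-cased base names of DLL/EXE/OCX paths on the line
    orphaned: bool  # HijackThis reported "(no file)" or "(file missing)"


def parse_log(log_text):
    """Turn the entry lines of a HijackThis log into Entry records."""
    entries = []
    for raw in log_text.splitlines():
        match = SECTION_RE.match(raw.strip())
        if not match:
            continue  # header, "Running processes" list, blank line
        section, text = match.groups()
        clsids = [c.upper() for c in CLSID_RE.findall(text)]
        modules = [p.rsplit("\\", 1)[-1].upper() for p in MODULE_RE.findall(text)]
        orphaned = "(no file)" in text or "(file missing)" in text
        entries.append(Entry(section, text, clsids, modules, orphaned))
    return entries


def _section_order(code):
    # Sort "O2" before "O16" (numeric, not lexical).
    return (code[0], int(code[1:]))


def triage(entries):
    """Group entries a reviewer should look at together."""
    seen = defaultdict(set)
    report = {"orphaned": [], "empty_autorun": [], "broken_lsp": [], "linked": {}}
    for entry in entries:
        for key in entry.clsids + entry.modules:
            seen[key].add(entry.section)
        if entry.orphaned:
            report["orphaned"].append(entry)
        if entry.section == "O10":
            report["broken_lsp"].append(entry)
        if entry.section == "O4":
            match = AUTORUN_RE.match(entry.text)
            if match and not match.group(2).strip():
                report["empty_autorun"].append(match.group(1))
    # A CLSID or module registered under several sections (BHO + toolbar +
    # autorun + downloaded program file) has to be fixed in all of them.
    report["linked"] = {
        key: sorted(sections, key=_section_order)
        for key, sections in seen.items() if len(sections) > 1
    }
    return report


if __name__ == "__main__":
    result = triage(parse_log(SAMPLE_LOG))
    for key, sections in result["linked"].items():
        print(f"{key}: appears in {', '.join(sections)}")
    for entry in result["orphaned"]:
        print(f"orphaned {entry.section}: {entry.text}")
    print("autorun values with no command:", result["empty_autorun"])
```
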
     
  13. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Fix the ones subratam listed.

    Can you then try to uninstall S4F in Add/Remove Software?

    Then reboot and post a new log.

    Regards,

    Pieter
     
  14. klw

    klw Registered Member

    Joined:
    Feb 26, 2004
    Posts:
    13
    Thanks for your reply. I hope I can get back into the system to apply your suggestions.

    Here's the situation: I followed the steps outlined by Primrose in post #10. The scanregw is fine. However, when going to msconfig I received this message: "Unable to synchronize environmental variables in Windows Registry with environmental variables in legacy files AUTOEXEC.Bat and/or config. system." I clicked ok and went to selective startup and began the process. With Load Static VxDs selected the reboot crashed to a black screen somewhere in the startup process so I rebooted manually at the cpu. Then with the next item on the list selected (sorry, I don't know the name), the reboot crashed during startup to a black screen (and continues to do so at every attempt) with the reboot nearly complete but just before I can possibly type in msconfig again. It appears to be enabling startup devices as the icons begin to appear on the toolbar at the lower right corner of the screen. The last icon to appear before the crash is the norton anti-virus (with a red X through it).

    I made a boot disk but I'm not sure how to reboot with it. What must I do other than insert in the drive?

    Sorry for this mess I've passed to you. Hopefully your wisdom can help me sort through it.

    klw :doubt:
     
  15. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    I thought you would do the hijack this clean first. But if you really did follow these instructions to make that boot disk...
    *********
    Do you have WinME startup diskette?

    If you haven't, go here http://www.bootdisk.com/bootdisk.htm and download the Windows ME (OEM version).

    Download the file to your C: drive, put a fresh disk in your A: drive, then click on the file to create the bootdisk.

    Then, you can try

    Scanning your system from DOS:

    Boot from the startup disk you just created and at the prompt type:

    scandisk

    Press enter, wait for the process to finish and reboot WITHOUT the disk.
    *********


    Then the answer is yes. All you do is first put in that disk and turn on the PC, and it will sense that this time it must boot up from that A drive floppy.
     
  16. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    I did read what you wrote above, but it is not evident what happened when you did this first of all?


    The fact that you get to the Desktop indicates that it is not a system DLL or driver causing the problem. But you need to track down where in the boot process it is running into problems. In Safe Mode, run MSCONFIG and enable "Normal start" up if that does not work

    when you got the message "Unable to synchronize environmental variables in Windows Registry with environmental variables in legacy files AUTOEXEC.Bat and/or config. system."

    did you then try to enable a normal start up?? or did that come before ?
     
  17. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Your other option is this but it is not easy to do for some.

    ******
    From: Kan Yabumoto tech@xxcopy.com
    To: XXCOPY user
    Subject: A better boot diskette for Win9x/ME
    Date: 2001-08-18
    ====================================================================

    Introduction:

    One thing really annoying with Windows ME is that the "Start UP"
    diskette which WinME creates as part of the initial installation
    (the so-called Emergency Boot Disk, or EBD) is quite useless.

    It does not allow you to enter the windows ME environment at all.
    All it gives you is a pseudo DOS environment with/without the
    support of the CD-ROM drive (Oh, yes, it gives you a Help menu).

    It seems that when something goes wrong with the few key files
    in the root directory and/or the master boot record (MBR), the
    only option you have is to re-install the whole Windows ME.
    This is also true even with our favorite environment, Win98SE.

    There are times when you are installing another OS (such as
    Windows 2000) as a dual boot system and something goes wrong
    with the set up, or a virus attack. The complicated steps in
    the boot up process, especially with a dual-boot system, if any
    of the many files are even slightly corrupted, you can't enter
    Windows 9X or ME. With this regard, Windows ME was one step
    backward from Win 9x where at least you have a DOS environment
    where you can fix things and enter the Windows environment.


    Enter the Quick Boot Diskette:

    Anyway, here's a technique that works quite well to enter the
    Windows ME world without using any file in the root directory
    of the C: drive. The diskette you prepare with this technique
    is useful even for a dual-boot system (e.g., 98SE and XP) as
    long as the disk was installed with a Windows ME system.

    It seems too simple to be true.

    Assume that you are running a healthy WinME system
    Here's how to create the "Windows Quick Boot" diskette:

    1. Open a DOS Box inside WinME(or its DOS counterpart).
    2. FORMAT A:
    3. XXCOPY16 C:\IO.SYS A:\ /H
    4. XXCOPY16 C:\MSDOS.SYS A:\ /H

    Note: if you don't have XXCOPY16, use the standard ATTRIB
    and COPY command to copy the hidden files. The two files
    listed above are essential. Optionally, you may copy the
    following files if they are present in the root directory
    (but not mandatory)

    5. XXCOPY16 C:\CONFIG.SYS A:\
    6. XXCOPY16 C:\AUTOEXEC.BAT A:\

    That is it!!!

    The diskette is a bootable diskette which does not rely on any
    file in the root directory of the C: drive.

    If you are not familiar with XXCOPY16, it is available in the
    XXCOPY Freeware package.


    The MSDOS.SYS file:

    Of course, the contents of the MSDOS.SYS file should be carefully
    controlled. The following text shows a typical MSDOS.SYS file.
    (Note: the Windows ME system directory is assumed to be named
    as C:\WINDOWS. If it is different, make adjustments as needed.)

    ----------------------------------------------------------

    [Paths]
    WinDir=C:\WINDOWS
    WinBootDir=C:\WINDOWS
    HostWinBootDrv=C

    [Options]
    AutoScan=0
    BootDelay=0
    BootMulti=0
    BootGUI=1
    BootMenu=0
    BootMenuDefault=1
    BootMenuDelay=4
    DoubleBuffer=1
    Logo=0
    DblSpace=0
    DrvSpace=0
    DisableLog=1
    WinVer=4.90.3000
    ;
    ;The following lines are required for compatibility...
    ;Do not remove them (MSDOS.SYS needs to be >1024 bytes).
    ;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    ; ...

    -----------------------------------------------------------

    The most important thing with the MSDOS.SYS file is that
    the copy in the diskette should have the following line in
    the [Options] section of the file.

    DisableLog=1

    If the line reads "DisableLog=0", then, the log file (BOOTLOG.TXT)
    will be created on the diskette which makes the boot up procedure
    painfully slow. (In Win ME, the log file will be created only
    when you choose Safe Mode or manually select Logged mode. Still,
    for the floppy based operation, you don't want the log file.)

    Note: If your windows directory is not "C:\WINDOWS",
        make adjustments as needed.

        Here, some non-default settings are chosen:

        AutoScan=0 (1 to carry out ScanDisk)
        Logo=0 (1 to hide the screen by the logo image)
        DisableLog=1 (0 to generate BOOTLOG.TXT)
        DblSpace=0 (1 to load DBLSPACE.BIN automatically)
        DrvSpace=0 (1 to load DRVSPACE.BIN automatically)

    The WinVer value should reflect the version of Windows:

        WinVer=4.00.0950 // Windows 95
        WinVer=4.00.1111 // Windows 95 OSR2
        WinVer=4.10.1998 // Windows 98
        WinVer=4.10.2222 // Windows 98 SE
        WinVer=4.90.3000 // Windows ME


    In case of trouble:

    1. With WinME, the Quick boot diskette should go right into
    the Windows screen without letting you stay in DOS.
    This procedure does not use any of the files in the root
    directory of the system disk (C:).

    On the other hand, with Win9x (Non-ME), the boot menu gives
    you the familiar option to stay at the command prompt.

    2. If your system is too corrupted to come back alive using
    the Quick-restart diskette, you should use the Windows
    Emergency Recovery diskette that you made in the installation
    step.

    3. Run FDISK to make sure that the Master boot record (MBR)
    has the proper master boot code.

    FDISK /MBR (it runs in non-interactive mode).

    Then, run FDISK in interactive mode (without an argument)
    and from the FDISK menu, make sure that the Primary DOS
    Partition is active.

    4. Run the SYS command to refresh the boot sector (the first
    sector of the active partition) so that it has the proper boot program.

    SYS C:

    This program initializes the boot sector of C: drive and
    also copies the IO.SYS, MSDOS.SYS and DRVSPACE.BIN files.

    Caution: If your system is configured as dual-boot with
    Windows NT/2000/XP, this procedure will make it Win9x-only
    system (However, after making it Win9X-only boot first,
    you may run the FIXBOOT command inside the Recovery Console,
    to make it dual-boot again).

    5. If you suspect that the system registry settings (especially
    for essential device drivers) are badly configured, you
    may restore the key files from the system backup directory.
    First, see how many backup sets have been captured.

    DIR C:\WINDOWS\SYSBCKUP\*.CAB

    Here's an example of what you see:

    RB000 CAB 1,888,538 05-21-01 5:36a rb000.cab
    RB003 CAB 1,889,721 05-22-01 7:38a rb003.cab
    RBBAD CAB 1,834,739 01-26-01 3:28p rbbad.cab
    RB002 CAB 1,892,943 05-20-01 12:45p rb002.cab

    Note that the file number and the file dates are not in
    a particular order. Yesterday's copy is usually good.
    Don't pick the one with RBBAD.CAB which is a bad one!
    Once you decide which of the .CAB files to restore

    You may increase the number of backup sets stored in the
    SYSBCKUP directory by editing the C:\WINDOWS\SCANREG.INI
    file (e.g., specify MaxBackupCopies=10 for ten sets).

    6. Once you decide which backup set to restore, run:

    EXTRACT C:\WINDOWS\SYSBCKUP\RB002.CAB /L C:\WINDOWS /E /Y

    Here, the RB002.CAB was chosen as an example. The directory
    name following the /L switch specifies the location of the
    the extracted files. The /E switch extracts all files.
    The /Y switch suppresses the overwrite prompts.

    In the case of Windows ME, the following files are expected
    to be restored:

    C:\WINDOWS\SYSTEM.DAT
    C:\WINDOWS\USER.DAT
    C:\WINDOWS\CLASSES.DAT
    C:\WINDOWS\WIN.INI
    C:\WINDOWS\SYSTEM.INI

    7. After the FDISK, SYS and EXTRACT procedures described above,
    you can try again with the Quick Boot diskette to reboot.
    Also, note that the files that are on the Quick Boot diskette
    were originally from the root directory of the system disk (C:).
    Therefore, you may restore them by copying the files back to
    the root directory if needed:

    XXCOPY16 A:\*.* C:\ /H /R /Y


    Tip:

    Although the Quick Boot diskette needs only a handful of files,
    if you add the few utility programs into the diskette, it will
    make the diskette useful in case of trouble.

    IO.SYS ; essential for boot up
    MSDOS.SYS ; needed to boot up into the GUI environment
    CONFIG.SYS ; optional for boot up
    AUTOEXEC.BAT ; optional for boot up

    FDISK.EXE ; to make the hard disk bootable
    SYS.COM ; to make the hard disk bootable
    FORMAT.COM ; to start over
    XXCOPY16.EXE ; good idea
    XXCOPY.EXE ; if you have room


    Epilog:

    I have tested the technique described in this article using
    a computer with Win98, Win98SE and WinME. I believe the same
    technique should work on Win95 and Win95-OSR2.

    Let me know if you encounter problems with the techniques
    described in this article.

    Kan Yabumoto

    For a similar technique in creating a better boot diskette for
    WinNT/2000/XP, see XXTB #33.



    © Copyright 2003 Pixelab, Inc. All rights reserved.
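The article quoted above singles out three properties of the diskette copy of MSDOS.SYS: `DisableLog=1`, a file size above 1024 bytes, and `WinVer`/`WinDir` values that match the installed system. The following is an added example, not code from the article or from XXCOPY, that checks a copy for those properties before it is relied on; the function names and the constructed sample file are assumptions made for illustration.

```python
# WinVer strings exactly as listed in the quoted article.
WINVER = {
    "4.00.0950": "Windows 95",
    "4.00.1111": "Windows 95 OSR2",
    "4.10.1998": "Windows 98",
    "4.10.2222": "Windows 98 SE",
    "4.90.3000": "Windows ME",
}


def parse_msdos_sys(text):
    """Minimal INI reader: lower-cases section/key names, skips ';' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections


def detected_version(data):
    """Name of the Windows release for the file's WinVer value, or None."""
    options = parse_msdos_sys(data.decode("ascii", errors="replace")).get("options", {})
    return WINVER.get(options.get("winver"))


def check_quick_boot(data, expected_windir=r"C:\WINDOWS"):
    """Return (code, message) findings for a diskette copy of MSDOS.SYS."""
    cfg = parse_msdos_sys(data.decode("ascii", errors="replace"))
    paths, options = cfg.get("paths", {}), cfg.get("options", {})
    findings = []
    if options.get("disablelog") != "1":
        findings.append(("DISABLELOG",
                         "BOOTLOG.TXT would be written to the diskette (slow boot)"))
    if len(data) <= 1024:
        findings.append(("SIZE", f"file is {len(data)} bytes; must be >1024"))
    if options.get("winver") not in WINVER:
        findings.append(("WINVER", f"unrecognised WinVer {options.get('winver')!r}"))
    for key in ("windir", "winbootdir"):
        if paths.get(key, "").upper() != expected_windir.upper():
            findings.append(("WINDIR", f"{key} is {paths.get(key)!r}, "
                                       f"expected {expected_windir!r}"))
            break
    return findings


def build_sample(disable_log="1", pad_lines=20):
    """Constructed MSDOS.SYS contents for the demonstration (not a real file)."""
    lines = [
        "[Paths]", r"WinDir=C:\WINDOWS", r"WinBootDir=C:\WINDOWS",
        "HostWinBootDrv=C", "", "[Options]", "BootGUI=1",
        f"DisableLog={disable_log}", "WinVer=4.90.3000",
        ";The following lines are required for compatibility...",
    ]
    lines += [";" + "x" * 55] * pad_lines  # padding comments push size past 1024
    return "\r\n".join(lines).encode("ascii")


if __name__ == "__main__":
    for label, blob in [("as in the article", build_sample()),
                        ("logging left on", build_sample(disable_log="0")),
                        ("padding stripped", build_sample(pad_lines=2))]:
        print(label, "->", check_quick_boot(blob) or "OK")
```
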
     
  18. klw

    klw Registered Member

    Joined:
    Feb 26, 2004
    Posts:
    13
    First, thanks for the time you've spent and help you have been with this problem. There has been some progress, fortunately. Here is an update:

    While in safe mode I ran a thorough scandisk (it took about 18 hours!). When it appeared to be almost finished the system froze and ultimately crashed. From a minimal boot I tried to run it again but it flashed for an instant and the message said there were disk problems. I'm assuming the previous thorough scan must have been completed (?).

    In tracking one of your links to the microsoft me help site from my healthy computer, I discovered this bulletin that seems to address at least part of my problem:

    http://support.microsoft.com/default.aspx?scid=305671

    After following these instructions I am now able to start the computer in normal mode. When I undo these instructions it only starts in safe mode again.

    Norton Anti-virus (2001) does not start, however, and when I try to start it from the programs file it says I must restart the computer in order to run norton. I was receiving this message before all these problems, but the norton icon was appearing at that time in the startup toolbar so I could open it from there. So, I am not able to scan the computer for viruses. Also, the wireless modem will not start--saying it is disconnected.

    I'm wondering if I should uninstall and reinstall both Norton and the D-Link wireless?

    Next, I was able to successfully remove the recommendations you suggested in hijackthis by using the program on floppy. I just ran a new scan and here are the results:

    Logfile of HijackThis v1.97.7
    Scan saved at 1:15:05 PM, on 3/1/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\TV VIEWER\TVWAKEUP.EXE
    C:\PROGRAM FILES\TV VIEWER\ANNCLIST.EXE
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\HP CD-WRITER\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\HP CD-WRITER\MMENU\HPCDTRAY.EXE
    C:\PROGRAM FILES\ALPHA NETWORKS\ANIWZCS SERVICE\WZCSLDR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\S4F\INSTALL\S4FTRAY.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
    C:\PROGRAM FILES\D-LINK\AIR UTILITY\AIRCFG.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\RUNDLL32.EXE
    A:\HIJACKTHIS.EXE
    C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\NDETECT.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
    F1 - win.ini: run=hpfsched
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_6_0.DLL (file missing)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\HPCD-W~1\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
    O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [S4F] "C:\Program Files\S4F\INSTALL\S4FTray.exe" -i
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [D-Link Air Utility] C:\PROGRAM FILES\D-LINK\AIR UTILITY\AIRCFG.EXE
    O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
    O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
    O4 - HKLM\..\RunServices: [TVWakeup] C:\Progra~1\TVView~1\tvwakeup.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [Announcements] C:\Program Files\TV Viewer\annclist.exe
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [VidSvr]
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: WebMoney (HKLM)
    O9 - Extra 'Tools' menuitem: WebMoney (HKLM)
    O10 - Broken Internet access because of LSP provider 'wins4f.dll' missing
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/WRActiveX/FileXfer.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield Setup Player) - http://ftp.hp.com/pub/automatic/player/isetup.cab
    O16 - DPF: {E2CF5C45-7CCC-11D4-9BD1-0080C6F60B6A} (CouponsComBrxpdf2 Control) - http://ftp.coupons.com/brxpdf2.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {2566E4F3-A47B-11D4-9B5D-0010A4F2D6BF} (QwCont Class) - http://www.quicken.com/qw2001/qcominst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} (AxPulse Class) - http://www.pulse3d.com/players/english/PulsePlayerAxWin.cab
    O16 - DPF: {AAD68411-5B98-11D3-9B52-00001C0007B3} (EonX 3.0.0) - http://www.realityobjects.com/download/3_0_2/eonx.cab
    O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/plugins/en_US/DjVuControl.cab
    O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
    O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://attmotive.broadband.att.com/prequal/files/MotivePreQual.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/20011223/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {D702FBF4-EE60-11D0-BD5B-00A0C91F4635} (CFForm Runtime) - http://www.bulletinboards.com/CFIDE/classes/CFJava.cab
    O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
    O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.6.35/HiwireBF.cab
    O16 - DPF: {6986A6CF-9D58-11D6-91C2-00E02964E8E3} (IntPagomaster Class) - http://www.livecamx.com/sexo99/pagomast.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37667.6260532407
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/ym/yiebio5_1_6_0.cab
    O16 - DPF: {1A6BB370-9DB8-44d8-A336-C8F707E80A70} (Toolbar WMButton Download) - http://www.wmtransfer.com/wmbutton.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB


    Pieter suggested uninstalling S4P. This is an internet filtering program and to remove it I must contact the supplier for instructions. Do you still want me to do this?

    To summarize, I am able to start in normal mode (under select startup following the procedure in Microsoft bulletin 305671). The computer is not able to access the internet nor run Norton Anti-virus.

    Any additional suggestions would be greatly appreciated.

    klw
     
  19. klw

    klw Registered Member

    Joined:
    Feb 26, 2004
    Posts:
    13
    Oh, one more thing re: Primrose's question--

    I continue to get the "Unable to synchronize environmental variables in Windows Registry with environmental variables in legacy files AUTOEXEC.Bat and/or config. system" message whenever I run msconfig. That seems to be a constant.

    Thanks.
     
  20. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    Hi klw,

    fix these three

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O16 - DPF: {6986A6CF-9D58-11D6-91C2-00E02964E8E3} (IntPagomaster Class) - http://www.livecamx.com/sexo99/pagomast.cab

    and then post a new log
     
  21. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi klw,

    Have a look here.

    Regards,

    Pieter
     
  22. klw

    klw Registered Member

    Joined:
    Feb 26, 2004
    Posts:
    13
    Ok, new log:

    Logfile of HijackThis v1.97.7
    Scan saved at 2:56:02 PM, on 3/1/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\TV VIEWER\TVWAKEUP.EXE
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\HP CD-WRITER\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\HP CD-WRITER\MMENU\HPCDTRAY.EXE
    C:\PROGRAM FILES\ALPHA NETWORKS\ANIWZCS SERVICE\WZCSLDR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\S4F\INSTALL\S4FTRAY.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
    C:\PROGRAM FILES\D-LINK\AIR UTILITY\AIRCFG.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    A:\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
    F1 - win.ini: run=hpfsched
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_6_0.DLL (file missing)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\HPCD-W~1\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
    O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [S4F] "C:\Program Files\S4F\INSTALL\S4FTray.exe" -i
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [D-Link Air Utility] C:\PROGRAM FILES\D-LINK\AIR UTILITY\AIRCFG.EXE
    O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
    O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
    O4 - HKLM\..\RunServices: [TVWakeup] C:\Progra~1\TVView~1\tvwakeup.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [Announcements] C:\Program Files\TV Viewer\annclist.exe
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [VidSvr]
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: WebMoney (HKLM)
    O9 - Extra 'Tools' menuitem: WebMoney (HKLM)
    O10 - Broken Internet access because of LSP provider 'wins4f.dll' missing
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/WRActiveX/FileXfer.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield Setup Player) - http://ftp.hp.com/pub/automatic/player/isetup.cab
    O16 - DPF: {E2CF5C45-7CCC-11D4-9BD1-0080C6F60B6A} (CouponsComBrxpdf2 Control) - http://ftp.coupons.com/brxpdf2.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {2566E4F3-A47B-11D4-9B5D-0010A4F2D6BF} (QwCont Class) - http://www.quicken.com/qw2001/qcominst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} (AxPulse Class) - http://www.pulse3d.com/players/english/PulsePlayerAxWin.cab
    O16 - DPF: {AAD68411-5B98-11D3-9B52-00001C0007B3} (EonX 3.0.0) - http://www.realityobjects.com/download/3_0_2/eonx.cab
    O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/plugins/en_US/DjVuControl.cab
    O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
    O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://attmotive.broadband.att.com/prequal/files/MotivePreQual.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/20011223/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {D702FBF4-EE60-11D0-BD5B-00A0C91F4635} (CFForm Runtime) - http://www.bulletinboards.com/CFIDE/classes/CFJava.cab
    O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
    O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.6.35/HiwireBF.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37667.6260532407
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/ym/yiebio5_1_6_0.cab
    O16 - DPF: {1A6BB370-9DB8-44d8-A336-C8F707E80A70} (Toolbar WMButton Download) - http://www.wmtransfer.com/wmbutton.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
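
The fix-and-rescan step in posts 20 to 22, as an added example that is not part of the original thread: a Python script that parses HijackThis result lines, diffs the log taken before the fix against the one taken after, and checks that the three requested entries are gone. The log lines are excerpts from the two logs posted above; the function names are hypothetical.

```python
import re

# A HijackThis result line is "<section code> - <detail>", e.g. "O16 - DPF: ...".
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$")

# Excerpts from the first log in this thread (before the fix).
BEFORE = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\EXPLORER.EXE
F1 - win.ini: run=hpfsched
O4 - HKLM\..\Run: [S4F] "C:\Program Files\S4F\INSTALL\S4FTray.exe" -i
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O10 - Broken Internet access because of LSP provider 'wins4f.dll' missing
O16 - DPF: {6986A6CF-9D58-11D6-91C2-00E02964E8E3} (IntPagomaster Class) - http://www.livecamx.com/sexo99/pagomast.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
"""

# Excerpts from the second log (after the fix).
AFTER = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\EXPLORER.EXE
F1 - win.ini: run=hpfsched
O4 - HKLM\..\Run: [S4F] "C:\Program Files\S4F\INSTALL\S4FTray.exe" -i
O10 - Broken Internet access because of LSP provider 'wins4f.dll' missing
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
"""

# The three entries the helper asked to have fixed.
REQUESTED = r"""
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {6986A6CF-9D58-11D6-91C2-00E02964E8E3} (IntPagomaster Class) - http://www.livecamx.com/sexo99/pagomast.cab
"""


def parse_log(text):
    """Map a normalized (section, detail) key to the original line.

    Header lines and the running-process list do not match ENTRY and are skipped.
    Keys are lower-cased with whitespace collapsed, because the same path can
    appear in different letter case from one scan to the next.
    """
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            key = (m.group(1), " ".join(m.group(2).split()).lower())
            entries[key] = line.strip()
    return entries


def diff_logs(before, after):
    """Return (removed, added) entry lines between two scans."""
    b, a = parse_log(before), parse_log(after)
    removed = [b[k] for k in b if k not in a]
    added = [a[k] for k in a if k not in b]
    return removed, added


def unfixed(requested, after):
    """Entries that were requested to be fixed but still show up in the new log."""
    a = parse_log(after)
    return [line for key, line in parse_log(requested).items() if key in a]


def section(text, code):
    """All entries of one section code, e.g. 'O10' for LSP problems."""
    return [line for (sec, _), line in parse_log(text).items() if sec == code]


if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    print("removed:", *removed, sep="\n  ")
    print("added:", *added, sep="\n  ")
    print("still unfixed:", unfixed(REQUESTED, AFTER))
    print("O10 entries remaining:", section(AFTER, "O10"))
```

An entry that appears in `added` after a fix deserves the same scrutiny as the ones just removed, since it was not present in the earlier scan.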
     
  23. klw

    klw Registered Member

    Joined:
    Feb 26, 2004
    Posts:
    13
    Pieter, I went to the site you suggested in Reply#20 above. Looks easy enough, however, there is nothing listed when I select the environment tab--no "TEMP" option. So I can't get to the "variable value box" to check for empty spaces.

    I checked the ME knowledge base article also (264214). I can open the files suggested in notepad, but I have no idea what the "unnecessary entries" might be. So, I've posted them below. Can anyone make an assessment re: what is unnecessary in these files?

    AUTOEXEC.BAT file contents:

    @ECHO OFF
    set EXPAND=YES
    SET DIRCMD=/O:N
    cls
    set temp=c:\
    set tmp=c:\
    path=C:\WINDOWS;C:\WINDOWS\COMMAND;a:\

    IF "%config%"=="NOCD" GOTO QUIT
    rem - By Windows Setup - LH C:\WINDOWS\COMMAND\MSCDEX.EXE /D:oemcd001 /L:D

    echo.
    IF "%config%"=="SETUP_CD" goto AUTOSETUP
    GOTO QUIT

    :AUTOSETUP
    set CDROM=FOO23
    FINDCD.EXE
    if "%CDROM%"=="FOO23" goto NOCDROM
    path=C:\WINDOWS;C:\WINDOWS\COMMAND;a:\;%CDROM%\
    %CDROM%
    cd \WIN98
    echo.
    OEMSETUP.EXE
    goto QUIT

    :NOCDROM
    echo.
    echo The Windows 98 Setup files were not found.
    echo.

    :QUIT


    CONFIG.SYS file contents:

    [menu]
    menuitem=SETUP_CD, Start Windows 98 Setup from CD-ROM.
    menuitem=CD, Start computer with CD-ROM support.
    menuitem=NOCD, Start computer without CD-ROM support.
    menudefault=SETUP_CD,30
    menucolor=7,0

    [SETUP_CD]
    device=C:\WINDOWS\himem.sys /testmem:off
    device=oakcdrom.sys /D:oemcd001
    device=btdosm.sys
    device=flashpt.sys
    device=btcdrom.sys /D:oemcd001
    rem device=aspi2dos.sys
    rem device=aspi8dos.sys
    rem device=aspi4dos.sys
    rem device=aspi8u2.sys
    rem device=aspicd.sys /D:oemcd001

    [CD]
    device=C:\WINDOWS\himem.sys /testmem:off
    device=oakcdrom.sys /D:oemcd001
    device=btdosm.sys
    device=flashpt.sys
    device=btcdrom.sys /D:oemcd001
    rem device=aspi2dos.sys
    rem device=aspi8dos.sys
    rem device=aspi4dos.sys
    rem device=aspi8u2.sys
    rem device=aspicd.sys /D:oemcd001

    [NOCD]
    device=C:\WINDOWS\himem.sys /testmem:off

    [COMMON]
    files=60
    dos=high,umb
    lastdrive=z



    thanks,

    klw
     
Thread Status:
Not open for further replies.