[Siraphic]

Once I click normal mode, and the computer begins to reboot, it shuts off.

[Advertisements]

Hi Siraphic,

Try this one:

How to Start To Normal Mode Using the F8 method in Windows 98/98SE/ME

To start your computer in Normal Mode:
*turn the computer on
*as the computer restarts, press and hold down the Ctrl key until the Windows 98 startup menu appears. (This also works with the F8 key following the same steps)
*Choose Normal Mode (or equivalent) from the startup menu,
*press Enter
*Windows starts in Normal Startup mode.


Regards,

Trevuren

[Trevuren]

Hi Siraphic,

Try this one:

How to Start To Normal Mode Using the F8 method in Windows 98/98SE/ME

To start your computer in Normal Mode:
*turn the computer on
*as the computer restarts, press and hold down the Ctrl key until the Windows 98 startup menu appears. (This also works with the F8 key following the same steps)
*Choose Normal Mode (or equivalent) from the startup menu,
*press Enter
*Windows starts in Normal Startup mode.


Regards,

Trevuren

[Siraphic]

I understand how to start up in normal mode, but whatever way I try to get there the computer automatically shuts down.

I appreciate your patience

[Trevuren]

Hi Siraphic,

Sorry. I do not have the know-how to fix this problem for you. My specialty is malware.

I suggest you now consult with the boys here: http://www.geekstogo...5_98_ME-f3.html

and quote your thread.

Good Luck and get back to me once they get you up and running again.

Regards,

Trevuren

[Siraphic]

Alright. I'm back in normal mode. It seems that the problem was relating to the two anti-virus software I had. unfortunately, Ad-aware still won't run.

I ran SpSeHjfix in Safe, then the Shredder. Here is my log from normal.

Logfile of HijackThis v1.99.1
Scan saved at 12:13:41 AM, on 5/21/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\DESKTOP\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:24491
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [AWMON] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PLUS\AD-WATCH.EXE"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Y357RXj7j] IR4IAG.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~6\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409

[Trevuren]

Hi Siraphic,

How is the puter running now?


Regards,

Trevuren

Edited by Trevuren, 21 May 2005 - 12:14 AM.

[Siraphic]

Seems to run fine as long I don't run a full-system scan with Ad-aware.

[Trevuren]

Hi Siraphic,

Please try to UNINSTALL then REINSTALL Ad-Aware and tell me if it worked.

If it doesn't, I'll continue digging at my end to find a solution.


Regards,


Trevuren

[Siraphic]

Did as directed, and adjusted Ad-aware setting to those specified in the link provided on the following site:

http://forum.malware...wtopic.php?t=13

Unfortunately, two files remain that Ad-aware cannot delete, even at startup:

C:\_Restore\Temp\A0073349.1
C:\_Restore\Temp\A0073430.1

both are coolweb related.

They seem to be causing more coolweb stuff to attack my system. I tried running SpSeHjfix and the Shredder in SAFE mode, but the Shredder did not detect these two files.

We certainly are nearing the close of this whole ordeal. Thank you kindly.

[Trevuren]

Hi Siraphic,

Those infections are located in your System Restore Cache. Usually we don't clean the cache until everything is finished because you lose all restore point by doing so and have nothing to fall back on. Your restore is so corrupted that we wouldn't want to restore back to it.

1. Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Right-click My Computer and then click Properties.
2. On the Performance tab, click File System
3. On the Troubleshooting tab, click to select Disable System Restore
4. Click OK twice
5. Restart your computer.

6. Right-click My Computer and again click Properties
7. On the Performance tab, click File System
8. Clear the check mark in Disable System Restore check box.
9. System Restore is now be active again.

2. Run Ad-Aware again and REBOOT your system if it finds anything.

3. Post a fresh HJT log.

Regards,

Trevuren

[Siraphic]

Ad-aware deleted the files and works well.

Logfile of HijackThis v1.99.1
Scan saved at 10:15:18 PM, on 5/22/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PLUS\AD-WATCH.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\DESKTOP\SECURITY ASSORTED\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:24491
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [AWMON] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PLUS\AD-WATCH.EXE"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Y357RXj7j] IR4IAG.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~6\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409

[Trevuren]

Hi Siraphic,

We definitively have to stop meeting like this. If I haven't already asked you to do this, please run an on-line scan at panda and note what it says needs fixing.

http://www.pandasoft...1&Ref=PR-AS-107

It is still that file that is perplexing me.


Regards,

Trevuren

[Siraphic]

Here is the result of the Panda Scan. I appreciate your continued patience.

Spyware:Spyware/ClientMan No disinfected C:\WINDOWS\SYSTEM\msiaih.dll
Spyware:Spyware/ClientMan No disinfected C:\WINDOWS\SYSTEM\msglji.gif
Spyware:Spyware/Omi No disinfected C:\WINDOWS\SYSTEM\msfdje.gif
Adware:Adware/AdDestroyer No disinfected C:\WINDOWS\bundles\2504040901.exe
Adware:Adware/TopRebates No disinfected C:\WINDOWS\bundles\WebRebates_Auto_InstallSilent.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\bundles\thin-8-1-x-x.exe
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\bundles\bs5-vwqouc.exe
Adware:Adware/Adsmart No disinfected C:\WINDOWS\SYSMON.EXE
Virus:Trj/Downloader.AEE Disinfected C:\Files that Might be important\counter.cab

[Trevuren]

Hi Siraphic,

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

I need you to copy all of the Killbox instructions below and paste them into Notepad and save it.

* Please download the Killbox by Option^Explicit.

* Save it to your desktop.

* Run Killbox.exe.

* Select "Delete on Reboot".

* Open the Notepad file where you saved these instructions earlier, and copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C

C:\WINDOWS\SYSTEM\msiaih.dll
C:\WINDOWS\SYSTEM\msglji.gif
C:\WINDOWS\SYSTEM\msfdje.gif
C:\WINDOWS\bundles\2504040901.exe
C:\WINDOWS\bundles\WebRebates_Auto_InstallSilent.exe
C:\WINDOWS\bundles\thin-8-1-x-x.exe
C:\WINDOWS\bundles\bs5-vwqouc.exe
C:\WINDOWS\SYSMON.EXE

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt. If your computer does not restart automatically, please restart it manually.

Regards,

Trevuren

[Siraphic]

Did as directed. Then ran the following tests:

Spybot: no threats
Ad-Aware: no threats
Panda: no threats

Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 3:26:22 PM, on 5/23/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PLUS\AD-WATCH.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\DESKTOP\SECURITY ASSORTED\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:24491
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [AWMON] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PLUS\AD-WATCH.EXE"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Y357RXj7j] IR4IAG.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~6\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab