[ibroussard]

I'm running W2K Server SP2. Yesterday, I picked up s browser hijacker, most likely a coolwebsearch hijacker (SMSSU.EXE, tmntsrv32.exe, etc.). I plan on trying many of the techniques listed in the malware forum to get rid of it. However, almost all of them require me to reboot and get into safe mode at some point. I just realized that I can't get into safe mode for some reason.

I never see the black and white startup screen with the "bars" at the bottom saying windows is starting up. I know what it looks like because it shows up on my laptops running W2K Pro. I start tapping F8 immediately after the "configuration" screen (using the current configuration), but it never recognizes it. I've also tried holding down F8, but it doesn't go into safe mode that way either.

I don't know if it matters, but the machine is set up for "auto logon" so it can be restarted without supplying a user ID and password.

Any ideas why I can't get into safe mode? The machine runs okay except that my homepage is hijacked by a webcruiser site. Also, the machine is now running out of virtual memory after being idle for a while. I think that is caused by SMSSU.EXE or tmntsrv32.exe because if I kill the process, the virtual memory used goes down quite a bit, then starts building again when they restart themselves. I guess I will worry about the virtual memory problem if it continues after I remove the hijacker.

Thanks,
Ira

[Advertisements]

Hello and welcome to Geeks to Go! I'm kool808 .

* Close all open programs.
* Click Start, Run and type MSCONFIG in the box and click OK
* The System Configuration Utility appears, On the BOOT.INI tab, Check the "/SAFEBOOT" option, and then click OK and Restart your computer when prompted.
* The computer restarts in Safe mode.
* Perform the troubleshooting steps for which you are using Safe Mode.
When you are finished with troubleshooting in Safe mode, open MSCONFIG again, on the BOOT.INI tab, uncheck "/SAFEBOOT" and click OK to restart your computer

If this wont work read this: http://www.pchell.co.../safemode.shtml

===============================

Please read THIS first before posting.

We'll need you to use a free diagnostic tool HiJackThis, read the short tutorial HERE

Post a log as a new topic in the Malware Removal Forum. It will get a better response there from the people most qualified to analyze logs.

Most of what it lists will be harmless or even essential, DO NOT delete or modify anything yet! Someone will be along to tell you what steps to take after you post the contents of the scan results.

[kool808]

Hello and welcome to Geeks to Go! I'm kool808 .

* Close all open programs.
* Click Start, Run and type MSCONFIG in the box and click OK
* The System Configuration Utility appears, On the BOOT.INI tab, Check the "/SAFEBOOT" option, and then click OK and Restart your computer when prompted.
* The computer restarts in Safe mode.
* Perform the troubleshooting steps for which you are using Safe Mode.
When you are finished with troubleshooting in Safe mode, open MSCONFIG again, on the BOOT.INI tab, uncheck "/SAFEBOOT" and click OK to restart your computer

If this wont work read this: http://www.pchell.co.../safemode.shtml

===============================

Please read THIS first before posting.

We'll need you to use a free diagnostic tool HiJackThis, read the short tutorial HERE

Post a log as a new topic in the Malware Removal Forum. It will get a better response there from the people most qualified to analyze logs.

Most of what it lists will be harmless or even essential, DO NOT delete or modify anything yet! Someone will be along to tell you what steps to take after you post the contents of the scan results.

[ibroussard]

Thanks for the suggestions. I tried running MSCONFIG, but it isn't on the infected PC. I searched all drives and couldn't find it. I came across the "SAFEBOOT" option for the boot.ini file, so I created another startup option and added /SAFEBOOT:MINIMAL to it. When I selected that, it came up in safe mode. However, I still don't know why F8 won't work during "normal" startup.

After all the hardware "stuff" messages, my boot process is as follows...

1. Black and white screen with "OS Loader V4.00" at the top for about three seconds.

2. B&W screen showing the boot.ini selections. I select the "normal" entry, which results in a quick message at the bottom of this screen saying "Ntdetect V4.0 checking hardware..."

3. After a few seconds, the screen from (2) is replaced with a B&W screen with only the phrase "OS Loader V4.00..." at the top. This screen lasts a few seconds.

4. Next screen is a B&W screen with the "Press spacebar now to..." message at the top. It lasts a few seconds, then goes away.

5. Next screen is a B&W screen entitled "Hardware/Profile configuration recovery menu". It gives me time to choose a hardware configuration. I choose the default one.

6. Next screen is a B&W screen with no text, just increasing "....." for a few seconds.

7. Next screen is a color screen with the Windows 2000 Server logo and small startup progress bar, stating it is starting.

Note that I never see the B&W screen with the startup bar that goes almost all the way across the bottom of the screen and says "Press F8..."

Thanks,
Ira

[gerryf]

Ira,

refresh my memory as I do not have a win2k machine in front of me at the moment....

is there a file called c:\msdos.sys?

Open it in notepad....what is in there?

[ibroussard]

gerryf,

I did a file search on msdos.sys on all drives and came up empty.

Regards,
Ira