#1 (permalink) |
|
Registered User
Join Date: Apr 2005
Location: Italy
Posts: 5
OS: Windows 98/Windows 2000 Professional
|
Hi all,
I had a hacker attach to my laptop running Windows 98, I.E. &.01 and Mozilla Firefox 1.0.2 (I saw the McAfee Firewall window saying I was under a SYN port scan from an IP address). I had my Firefox browser opened at that time, and I saw the mouse pointer closing the browser. So I decided to shut down my machine immediately. When I restart, the only way to start my Windows 98 is in safe mode: see the HijackThis log here below.
Is there anybody who can help me fix this?
Thanks a lot in advance
Lisa
-------------
Logfile of HijackThis v1.99.1
Scan saved at 15.32.27, on 20/04/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\DOWNLOAD\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McAgent.exe
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [avast!] C:\Programmi\Avast4\ashServ.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_02\bin\npjpi150_02.dll
#2 (permalink) |
|
Analyst, Security Team
|
Welcome to TSF.
Let's try getting you out of safe mode first and then see if you have any trojans that may exist in your system. Have you tried restarting and hitting the F8 (or in some systems F5) key repeatedly until a menu shows up and then choose Normal Mode?
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. |
#3 (permalink) |
|
Registered User
Join Date: Apr 2005
Location: Italy
Posts: 5
OS: Windows 98/Windows 2000 Professional
|
Hi greyknight17,
thanks for your reply. Unfortunately the system does not start in Normal mode, but ONLY in safe mode... I also tried all possible combinations of starting step-by-step (w or w-out autoexec.bat, config.sys, enabling the .dll one by one..) but the only possible start is in safe mode. I understand that my HijackThis log does not help so much, because formally everything seems correct (in fact the system starts in safe mode and the log refers to this starting mode), but I'm really desperate (that PC contains a lot of important apps I used daily) and don't know what to do!
There are no conflicts in device drivers, as far as I see, and no problems in "Check system files" under Microsoft System Information under Utilities (translation may vary since the OS is in Italian). By the way, every time I switch the PC on since then and Safe mode is automatically chosen, Scandisk starts as if I closed the PC incorrectly. (!)
Do you need any win file to investigate further?
Bye and thanks,
Lisa
#4 (permalink) |
|
Analyst, Security Team
|
Let's try this. Go to Start->Run and type in msconfig and hit OK. Click on the Advanced button and then check the box that says Enable Startup Menu. Restart and hit F8 key again. See if Normal Mode is listed there.
Give us your boot.ini file instead. You might have to show hidden files/folders to see it.
#5 (permalink) |
|
Registered User
Join Date: Apr 2005
Location: Italy
Posts: 5
OS: Windows 98/Windows 2000 Professional
|
Hi greyknight17,
the machine runs Windows 98, therefore I don't have any boot.ini file. Maybe I have not been clear before: the startup menu already shows every time, but if I choose Normal mode the OS tries to boot, then shows the startup menu again preselecting by default option 3 (Safe mode). NO WAY TO BOOT in Normal mode.
If I boot step-by-step the drivers shown ready for load are:
vnetsup.vxd
ndis.vxd
ndis2sup.vxd
javasup.vxd
c:\windows\system\vrtwd.386
c:\windows\system\vfixd.vxd
vnetbios.vxd
vredir.vxd
dfs.vxd
msmouse.vxd
Any attempt I make to boot selectively loading any of the above results in a Startup menu shown with option 3 suggested as valid.
Any other idea?
Bye,
Lisa
#6 (permalink) |
|
Analyst, Security Team
|
OK, go back into msconfig. Select Normal Startup. Hit OK and restart. Any success now?
#8 (permalink) |
|
Analyst, Security Team
|
I'm out of ideas here.
I will move this thread to the Windows 98 section. Our Windows experts there should better assist you.
#10 (permalink) |
|
Assistant Manager, Microsoft Support
Join Date: Jan 2005
Location: Six-burgh, Pennsylvania
Posts: 14,163
OS: XP Home SP3/XP Pro SP3/Vista Ultimate SP2/Windows 7 Professional
|