PC restarts on its own
mike2002
05-16-2004, 05:44 PM
I'm running Windows 98SE.
I'm not sure whether this is Hardware or Software related.
A couple of times recently, while in the middle of surfing, the monitor screen suddenly goes black, and the PC restarts.
Is this a sign of impending trouble, or nothing to worry about?
Paul Komski
05-16-2004, 06:15 PM
Malware would be my best shot at what is wrong. The first thing I would exclude in any case.
mike2002
05-16-2004, 07:11 PM
Have just completed up-to-date scans with:-
AVG AntiVirus. ('Clean')
Spybot. ('Clean')
AdAware. This detected two 'objects', both pertaining to a single 'Data Miner', a "Possible Browser Hijack Attempt." Last activity reported as 16 May.
In addition I have 'Spyware Guard' installed, but it's invariably AVG that comes up with practically all received alerts. The last 'intrusion' was detected by AVG, a Trojan Horse called 'Startpage.4.BO', located in my TIF folder. I did a short search on Google, but nothing seemed to be listed for it. Maybe it's a new one.
On occasions, Spybot and AdAware have detected things that Spyware Guard says nothing about. 'Spyware Guard' showed no alert to the Data Miner mentioned above.
I wouldn't be without my AVG - regularly updated of course!
Quantax
05-16-2004, 08:34 PM
And if a thorough check for malware (possibly including a HijackThis log posted here after the other applications are run), I would think an overheating CPU is the next likely possibility, followed by the power supply being on its way out.
Some things that can cause restarting:
-Everything not completely seated on the motherboard.
Reseat everything.
-Overheating (as suggested by Quantax)
Check the system and CPU's temps either in BIOS or with temperature monitoring software.
If the system temp gets over 45 deg. C, then make sure the computer's fans are running, the vents are open, the computer is not located in an enclosed space or near a heat source, and there is no internal dust build up.
If those are ok, then remove the computer's cover, and run an external fan. If this fixes things, then install additional case fans. Recommended locations are lower front and upper rear of the case.
If the CPU gets over 60 deg. C, then make sure there is thermal compound between it and the heat sink. If that's ok, then replace the compound with Arctic Silver3.
If no luck, then install a higher capacity heat sink fan.
If still no luck, then replace the heatsink with a more efficient unit.
-Overtaxed or bad power supply (as suggested by Quantax)
Swap it out with a different (preferably higher wattage) unit.
-Bad memory
Remove and reinsert the memory a few times, try it in different slots, do not use any optimal settings for the memory in BIOS, run Memtest-86, and swap it out with known good memory.
Also, do not mix parity and non-parity memory.
-Bad video card.
Swap it out with a known good card.
-Bad MB.
Swap it out with a known good MB.
-IRQ conflict with a network card.
If no problems show up for the NIC in Device Manager, then remove it from DM, shut down, uninstall the card, and restart.
-Kazaa.
classicsoftware
05-17-2004, 09:35 AM
I Recommend a FULL Security Scan.
1) Download, install and update Spybot. (http://download.com.com/3000-2144-10122137.html?part=104443&subj=dlpage&tag=button)
2) Download, install and update Adaware. (http://download.com.com/3000-8022-10214379.html?tag=lst-0-2)
3) Create a folder called HJT.
4) Download and install HijackThis (http://download.com.com/3000-8022-10227352.html?tag=lst-0-4) in the HJT folder.
5) Run Spybot and fix everything it finds in red.
6) Shut down your computer. Full shutdown DO NOT re-start.
7) Run Adaware and fix everything it finds.
8) Shut down your computer. Full shutdown DO NOT re-start.
9) Run an online scan from Trend Micro (http://housecall.trendmicro.com/) and/or Bitdefender. (http://www.bitdefender.com/scan/licence.php)
10) Run HijackThis from HJT folder. Do not run it from the TEMP or Temporary Internet Files folder as you will be unable to restore the backups created by HJT. After the scan is complete create a log file. DO NOT fix anything unless instructed to by an expert here.
11) Post the contents of the log and the results from the previous scans back here for evaluation.
Mike:
Did you recently download and install any programs or software from the net?
If so, did you log off the net and shut down your AV between download and install? When you shut down the machine between spyware runs do you wait a full two minutes before restarting (...as Classico was saying --don't use the restart, use the full shut down --and I always wait two minutes before reboot).
Did you recently download and install the SpyBot v. 1.3? Some of us have been having similar problems from that--various color (gray, black, blue) Screens Of Death (SOD), and getting logged out of programs unexpectedly. If so, uninstall it and see if things improve.
Are you running any Norton software, Norton System Works, Norton Utilities, particularly Clean Sweep? This would get in the way of my downloads, even though I would shut it down using the shutdown option on the navbar, it would still be active, and eventually I figured out that I had to uninstall the Utilities--Clean Sweep was the culprit--every time I needed to download something. I would get similar symptoms to what you describe until I figured out it was Clean Sweep...various color SODs and uncalled-for log-outs and restarts.
mike2002
05-17-2004, 04:11 PM
ski: I'm not one for rooting around inside my PC, although it's well overdue for an internal spring-clean!
As previously stated, it's only happened a couple of times, so maybe it's just one of those unexplained PC mysteries. A short time ago while typing this reply, and spending about five minutes on it, suddenly IE6 just shut down without warning, leaving me staring at the Desktop. I'll put my replies into Notepad first in future!
I did install monitoring software, but wondered if it was really necessary - it was yet another item running in the System Tray. My PC has been in the same spot for the past couple of years and, at present, the weather's not really hot. Even so, a blocked fan would have a detrimental effect.
classicsoftware: My installations of Spybot, AdAware, and AVG get updated frequently. In the case of AVG, every couple of days. I also did online Scans with Trend Micro and Bitdefender - both gave a clean bill of health.
Donn: My Spybot is version 1.2, didn't realise they have brought out a later one. As for recent Software - I'm always downloading programs from the net! A compulsive 'twiddler'!! But no installed programs from Norton at all.
Your question of "did you log off the net and shut down your AV between download and install." I've tried shutting down AVG, both from the System Tray and Ctrl/Alt/Del, but it never closes completely. A certain element always remains, that can throw up virus alerts even when 'shut down' (?).
Here is the HijackThis logfile:--
Logfile of HijackThis v1.97.7
Scan saved at 21:03:40, on 17/05/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\PROGRAM FILES\COMMON FILES\ACRONIS\SCHEDULE2\SCHEDUL2.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ACRONIS\TRUEIMAGE\TRUEIMAGEMONITOR.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\HIGHCRITERIA\TOTALRECORDER\TOTRECSCHED.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\COMMON FILES\ACRONIS\SCHEDULE2\SCHEDHLP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\CPAL\CPBRWTCH.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\RAMBOOSTER\RAMBOOSTER.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-WATCH.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\CPAL\CPAL.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {3D2C1DA4-BCD3-4317-9548-2E08BD222FF0} - C:\PROGRA~1\POPUPR~1\POPUPS~1.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Acronis_True_Image Monitor] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Cookie Pal] "C:\PROGRAM FILES\CPAL\CPBrWtch.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [RamBooster] C:\PROGRAM FILES\RAMBOOSTER\RAMBOOSTER.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38052.722962963
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
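An added example, not part of the original thread or of HijackThis itself: a small parser for the O16 (Downloaded Program Files) lines of a log like the one above, flagging ActiveX entries that have no control name or whose download host is not on a reviewer-chosen allowlist. The `TRUSTED_HOSTS` set and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Lines copied from the HijackThis log posted above (a subset, for brevity).
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
C:\WINDOWS\SYSTEM\KERNEL32.DLL
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38052.722962963
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
"""

# Assumption: hosts this reviewer accepts as ActiveX sources; not a list from the thread.
TRUSTED_HOSTS = {"microsoft.com", "macromedia.com", "bitdefender.com", "akamai.net"}

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
DPF_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]{36}\})(?: \(([^)]*)\))? - (\S+)$")


def parse_entries(log):
    """Return (section code, body) per entry line; header and process lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def host_trusted(host, trusted):
    """True if host equals a trusted domain or is a subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in trusted)


def triage_dpf(log, trusted=TRUSTED_HOSTS):
    """Return the O16 entries worth a manual lookup, each with the reasons it was flagged."""
    findings = []
    for code, body in parse_entries(log):
        if code != "O16":
            continue
        m = DPF_RE.match(body)
        if not m:
            # O16 lines that do not follow the CLSID/URL layout are surfaced, not dropped.
            findings.append({"raw": body, "reasons": ["unparsed O16 line"]})
            continue
        clsid, name, url = m.groups()
        host = (urlparse(url).hostname or "").lower()
        reasons = []
        if not name:
            reasons.append("no control name")
        if not host_trusted(host, trusted):
            reasons.append("codebase host not in allowlist")
        if reasons:
            findings.append({"clsid": clsid, "host": host, "url": url, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_dpf(SAMPLE_LOG):
        print(finding)
```

A flagged entry is a prompt to look the CLSID up against a reference, not a verdict on the control.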
classicsoftware
05-17-2004, 05:57 PM
Your log looks clean to me. Please post a full list of your system specs. You have a lot going on here. You might not have the resources to run all of the stuff you have running. I am safety conscious, but you seem paranoid. Is there any spyware program you are not running at all times?
Let's see your system specs and we can go from there.
Steve
05-17-2004, 06:47 PM
You should have HJT fix the following items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
And...
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
It is a Coulomb Dialer Variant.
I'm a little confused about this item:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 entries are usually a start or search page. Why it's indicating Microsoft Internet Explorer I don't know. You should probably fix it. Others will be along who might be able to explain it... ;)
Originally posted by mike2002
Donn:
Your question of "did you log off the net and shut down your AV between download and install." I've tried shutting down AVG, both from the System Tray and Ctrl/Alt/Del, but it never closes completely. A certain element always remains, that can throw up virus alerts even when 'shut down' (?).
Mike:
If it were my situation I would uninstall and reinstall AVG, right off. Clicking off "Shut down AVG control center" in the tray and then closing program by ctrl alt delete should shut it down. If you do that make sure to close all other windows and programs before the download. You keep TIF and TEMP clean, right? Defrag lately?
Have you tried something simple like system restore to your last clean operating point?
mike2002
05-17-2004, 07:23 PM
Steve: Item:--
"O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab"
It's strange that none of the scans detected this.
classicsoftware: System specs are as follows:-
Windows 98SE
Intel Pentium 111, 100MHz
248MB RAM
69% system resources free
Windows-managed swap file on drive C (787MB free)
Is there any other info you require?
I may uninstall SpywareGuard, it hasn't alerted me to anything important. Nothing threw up any warnings about the Coulomb Dialer Variant. I'm not exactly paranoid - just want a program that does the job! ;)
mike2002
05-17-2004, 07:28 PM
Donn: As I'm running 98SE there is no System Restore, but I can restore the whole C: partition from a backup disk. The question is - how 'clean' was the backup when I made it??
classicsoftware
05-17-2004, 07:39 PM
69% of your resources is way toooooo low.
When you boot up it should be over 80%
I would get rid of the Spywareguard
I would unload the Adaware and the Spybot from memory.
I would install Spyware Blaster (http://www.javacoolsoftware.com/sbdownload.html).
I would update and scan with Spybot and Adaware regularly.
Does Rambooster really improve performance that much?
Follow these steps and see where your resources get up to.
Oh, sorry 'bout that, I acquired the idea somewhere that SE had system restore. As far as restoring from the back-up disk...no comment. But seriously consider uninstall, clean out all remaining files, and then reinstall of AVG. If it isn't working the way it should on something as simple as disabling it, that might indicate other inadequacies from a bad download.
:cool:
Steve
05-17-2004, 07:51 PM
It's strange that none of the scans detected this.
I guess so. SpywareBlaster has protected against it since March. AdAware added it to its list in Dec.03. (I think)
Here (http://www.pestpatrol.com/PestInfo/c/coulomb_dialer.asp) is some info on it. As you can see, the CLSID is a solid match.
Paul Komski
05-17-2004, 08:43 PM
I'm a little confused about this item:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
It's normal but may not always be present in the HKCU slot. It's just the name that appears in the Title Bar of IE - often customised by ISPs etc to read "Microsoft Internet Explorer supplied by XXXX".
Steve
05-17-2004, 09:17 PM
Thanks Paul...:)
mike2002
05-18-2004, 10:35 AM
OK.
Steve: As yet, I haven't removed the R0 - HKEY etc items. No other references to Coulomb exist in the Registry except the entry O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD}, which appears in the Registry as HKLM/software/microsoft/code store database/distribution units {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD}.
I've always clicked "NO" to the usual Coulomb pop-up boxes, saying "you must click yes to continue". If it's capable of downloading its wares regardless, a program which prevents this is highly desirable. But these people are getting cleverer!
classicsoftware: I've removed Spywareguard, seeing that it hardly alerts me to anything.
I would unload the Adaware and the Spybot from memory
Regarding Spybot, would this be the HijackThis entry -
'O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL' (?).
Rambooster: My memory often goes down to zero when performing anti-virus scans etc, also when recording radio programs and saving them to disk in WAV format. Rambooster recovers the memory back to its maximum level, only to drop down to, say, 1% in the next operation.
mike2002
05-18-2004, 05:59 PM
Regarding the HijackThis log, as far as I can tell, I can delete the following items, as I never access the particular program via the right-click menu.
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
Steve
05-18-2004, 07:51 PM
I don't see any reason why you shouldn't fix the O8 items. Others might know of a reason.
As far as that O16 item, it's there. The ActiveX control seems to be on your machine. You can check in the "Downloaded Program Files" folder and see if it is really there.
mike2002
05-18-2004, 08:37 PM
Steve: I've removed the entry in HijackThis. In addition, while having a general 'snoop' in C:/Program Files, I discovered two items, both named 'backup-20040518-223105-647' relating to it. One had the .inf extension, and contained the following:-
[Setup Hooks]
hook1=hook1
[hook1]
run=%EXTRACT_DIR%\loader.exe
FileVersion=1,0,0,2
[Version]
Signature=$CHICAGO$
AdvancedInf=2.0
The other one, when opened in NotePad, contained this info:--
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{AD7FAFB0-16D6-40C3-AF27-585D6E6453FD}]
"SystemComponent"=dword:00000000
"Installer"="MSICD"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{AD7FAFB0-16D6-40C3-AF27-585D6E6453FD}\DownloadInformation]
"CODEBASE"="http://dload.ipbill.com/del/loader.cab"
"INF"="C:\\WINDOWS\\Downloaded Program Files\\installer.inf"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{AD7FAFB0-16D6-40C3-AF27-585D6E6453FD}\InstalledVersion]
@="0,0,0,1"
"LastModified"="Wed, 18 Feb 2004 13:34:22 GMT"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{AD7FAFB0-16D6-40C3-AF27-585D6E6453FD}\Contains]
I removed them both. Sometimes it pays to snoop around inside folders.
You can often spot something different that wasn't there previously.
Also, going into an item's Properties can reveal its origins.
Steve
05-18-2004, 09:58 PM
Those backup items sound like the backups that HJT makes, in case you need to restore them. Seeing that you were sure you wanted to get rid of it, deleting the backups is fine.
mike2002
05-19-2004, 04:06 AM
So THAT'S what they were!
Didn't realise they came from HJT. But, in HJT's Config/Backup setting, no backups are shown, and I couldn't figure out where they were.
I now have Spyware Blaster installed, and configured to offer I.E6 (total?) protection. But just now, by going into my Program Files folder, AVG Anti-Virus has just thrown up an alert to a Trojan Horse called 'Downloader.Small.6.1', having the file name of PL.
Just like I said earlier on - it's inevitably AVG that does the job, although, to be fair, it's probably not classed as Spyware - or is it? ;)
At present, AVG is not removing this item to its 'Virus Vault'. I do have a right-click option in the 'DOS-Delete' program to remove files in DOS. In this instance it doesn't work, as AVG won't let me right-click without throwing up an alert.
mike2002
05-19-2004, 04:20 AM
Trojan Horse - the continuing story.
I tried a simple Delete function but, again, AVG threw up repeated alerts, before giving up. When the screen cleared, the Delete confirmation box was visible, enabling me to send the offender to the Recycle Bin. Once it is there, you think it's simply a matter of emptying the Recycle Bin. But no, AVG won't let this happen. In these cases, I Restart and use the Deltree command in DOS mode to delete the Recycle Bin and everything in it. ;)
Active Techster
05-26-2004, 05:54 AM
Is your Motherboard an ABIT BX133 RAID? By any chance.
mike2002
05-26-2004, 12:06 PM
No, it's a Gigabyte GA-6VEM Series, 370 Socket.
Since my first message in this thread, the PC hasn't restarted by itself again. Hopefully they were just a couple of isolated incidents.
Active Techster
05-27-2004, 06:33 AM
S'ok - Just wondered because I know of a known issue with the BX133 RAID that a batch of about 2 million of them were shipped out with dodgy capacitors on them. After about 6-8 months of use the board does exactly as you're saying because of several capacitors by the processor leaking.
.....Could be the case with your board, never seen it on a Gigabyte but hey, it's a possibility, no harm in checking. Have a look and see if any of the capacitors are leaking white stuff or are raised in any way.
Ben