Glad to be here at all ... Scary stuff! I don't know if I was successful following your directions or not ... and my machine was acting pretty weird, but here's what happened.
Already had KillBox from an earlier set of your instructions so I didn't download it; I used the one I had. (Note: I'm doing this in regular mode - not safe - because I couldn't shut down.)
I copied and pasted the three file names you sent and hit the delete file button. I then got a small window that said "test" with OK being the only choice. I hit OK.
Each time I deleted one of the three files, I got a message that told me I'd have to reboot, but by pressing "yes", the only choice, I believe, it didn't reboot.
So after deleting the third file, I did a shutdown and restarted it, and it stuck at the Windows 98 screen - it didn't go through the normal "white words on black screen" start up procedure. And it was stuck! I was afraid I was in toaster land. No password to enter window or anything - just stuck. And my printer started kicking out paper with a repetitive message:
Windows could not upgrade the file from : Alcor Micro Au9472 UB Self-powered hub setup utility Ver 1.06a etc. etc. Please wait while Setup updates your configuration files. This may take a few minutes ..... Windows could not upgrade the file.
So I hit CTRL/ALT/DEL to get some movement, and it always came back to the Windows 98 screen - stuck. Did that several times (3?). The 4th time I tried to get it into Safe Mode, and the screen read:
Windows could not upgrade one or more system files before starting. Windows may not start or run properly. If windows fails to start, run SetUp again. Press any key to continue.
I hit a key and it started in safe mode. Then I did a shutdown. And I left it alone for about 8 hours because I was sure I had permanently broken it.
Started it up when we got home, immediately (too soon) got the Windows 98 screen, but left the room, and when I'd come back 30 minutes later, I had my logon screen ................. and here I am!
I did go ahead and run the three logs you wanted; here they are:
HiJack This
Logfile of HijackThis v1.99.1
Scan saved at 6:55:42 PM, on 7/30/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\PROGRAM FILES\ZONEALARM FIREWALL\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_6_2_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_6_2_0.DLL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\ZoneAlarm Firewall\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .gov/FOTWWebApp/StudentAccessServlet;jsessionid=000244XWKXDHJCKEFBCX5DYG5EA?dowhat=printsumpdf&phase=10&state=11&historyid=2&pageid=175&faamode=undefined: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...ntr_current.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = sbcglobal.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 151.164.1.8,206.13.28.12
FindIt
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
------- System Files in System Directory -------
Volume in drive C has no label
Volume Serial Number is 1474-0DFF
Directory of C:\WINDOWS\SYSTEM
JQVACP DLL 405,504 07-11-05 10:33a jQvacp.dll
{38648~1 DAT 32 10-08-02 2:00p {386485B0-DAC6-11D6-9089-0010B544D08D}.dat
2 file(s) 405,536 bytes
0 dir(s) 14,482.09 MB free
------- Hidden Files in System Directory -------
Volume in drive C has no label
Volume Serial Number is 1474-0DFF
Directory of C:\WINDOWS\SYSTEM
VSCONFIG XML 895 07-30-05 6:46p vsconfig.xml
ZLLICTBL DAT 4,212 07-17-05 5:01p zllictbl.dat
HPF81T11 GID 8,628 01-24-05 6:28p HPF81t11.GID
HPF81D11 GID 8,628 06-07-04 7:31a HPF81d11.GID
FFASTLOG TXT 23,226 10-16-02 6:12a FFASTLOG.TXT
{38648~1 DAT 32 10-08-02 2:00p {386485B0-DAC6-11D6-9089-0010B544D08D}.dat
ATISETUP LOG 0 11-17-99 4:40a ATISETUP.LOG
FOLDER HTT 13,122 11-17-99 4:33a folder.htt
DESKTOP INI 266 11-17-99 4:33a desktop.ini
9 file(s) 59,009 bytes
0 dir(s) 14,482.08 MB free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{8F5E7113-73C5-04B1-05E6-1FBC1CF8E492}"=""
------------------ Locate.com Results ------------------
C:\WINDOWS\SYSTEM\
vsconfig.xml Sat Jul 30 2005 6:46:28p A..H. 895 0.87 K
zllictbl.dat Sun Jul 17 2005 5:01:30p ...H. 4,212 4.11 K
jqvacp.dll Mon Jul 11 2005 10:33:50a ..S.R 405,504 396.00 K
3 items found: 3 files, 0 directories.
Total of file sizes: 410,611 bytes 400.98 K
------------ Strings.exe Qoologic Results ------------
C:\WINDOWS\VPTNFILE.723: TROJ_QOOLOGIC.I
C:\WINDOWS\VPTNFILE.723: TROJ_QOOLOGIC.E
C:\WINDOWS\VPTNFILE.723: TROJ_QOOLOGIC.D
C:\WINDOWS\VPTNFILE.723: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.723: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.723: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.723: TROJ_QOOLOGIC.A
C:\WINDOWS\LPT$VPN.723: TROJ_QOOLOGIC.I
C:\WINDOWS\LPT$VPN.723: TROJ_QOOLOGIC.E
C:\WINDOWS\LPT$VPN.723: TROJ_QOOLOGIC.D
C:\WINDOWS\LPT$VPN.723: TROJ_QOOLOGIC.G
C:\WINDOWS\LPT$VPN.723: TROJ_QOOLOGIC.C
C:\WINDOWS\LPT$VPN.723: TROJ_QOOLOGIC.B
C:\WINDOWS\LPT$VPN.723: TROJ_QOOLOGIC.A
-------------- Strings.exe Aspack Results -------------
C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
----------------- HKLM Run Key ------------------
-------------- Strings.exe Umonitor Results -------------
C:\WINDOWS\SYSTEM\jQvacp.dll: InitUMonitor
C:\WINDOWS\SYSTEM\jQvacp.dll: UMonitor
C:\WINDOWS\SYSTEM\jQvacp.dll: /cgi-bin/UMonitorV2
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"ccRegVfy"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"CriticalUpdate"="c:\\windows\\SYSTEM\\wucrtupd.exe -startup"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe"
"Zone Labs Client"="C:\\Program Files\\ZoneAlarm Firewall\\ZoneAlarm\\zlclient.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
VX2 BetterInternet Finder
Log for VX2.BetterInternet File Finder
Files Found---
User Agent String---
{8F5E7113-73C5-04B1-05E6-1FBC1CF8E492}
=================================================
So, did I totally mess this up?
What should I do? I'm afraid to shut down again .....
Thanks for your help, and sorry if I botched the whole thing. Obviously, I rebooted more than once, but I didn't seem to have a choice.
I'll wait to hear back. Thank you again.
Debbie