Win 98 Desktop

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Joe L, Apr 3, 2005.

  1. Joe L

    Joe L Private E-2

    You folks helped me before. Now I have a problem with my old backup desktop. It's a 7-year-old Dell with Win 98. I wanted to clean up the system so I downloaded and ran Spybot and Ad-Aware SE. Spybot discovered and repaired 125 problems and Ad-Aware found 90 potential problems. In Ad-Aware I selected the continue option to delete the selected files and got the message "SELECTED FILES BEING DELETED". This ran for 45 minutes. I finally shut down the system (CTRL, ALT, DEL). Then I had to manually turn off the CPU with the on-off switch.
    The problem now is no desktop icons work in My Computer. I cannot access the Recycle Bin, or any Windows icons or programs. Even IE will not launch. The only applications that will work are WinWord and Excel. I cannot shut down the system unless I manually turn off the switch. I go to Start, turn off, shut down, and the program freezes. Same whenever I try to launch a Win program from the desktop. None of the icons work. Tried Safe Mode, got to My Computer but could not run any programs. The constant message was always "IE EXPLORER COULD NOT BE FOUND", even when I was not trying to launch IE. No problems were present (only slow speed) before I ran Spybot and Ad-Aware.
    Any help will be appreciated
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure it said IE Explorer? I don't think so. I would bet it said Explorer (or explorer.exe) could not be found. That is your startup shell. But if you have a Desktop that has icons on it, explorer.exe cannot be missing.

    You could try restoring from Ad-Aware and Spybot's backups. I would like to know exactly what it is that they found and deleted. I have never seen them break a PC.

    Can you run Internet Explorer to download programs, or can you get a program on to this computer by downloading elsewhere and then copying here? If so, do the below:


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. Joe L

    Joe L Private E-2

    My apologies for the misinformation. It did say "explorer.exe could not be found".
    I cannot run Internet Explorer to download any programs. It will not launch. The only programs I can run are WinWord and Excel. At one time the MY COMPUTER icon on the desktop gave me the same message, but now that works, but when I try to access any of the programs through that I get the same explorer.exe message. Oddly, I do have all my icons on the desktop. I wish I had installed Firefox, but I cannot now since IE does not work. Ad-Aware did not delete anything. It just got hung up. Everything I do gets hung up, even shutting down. I will try your other suggestions, to restore Ad-Aware.
    A point of concern: to speed up the startup, I did delete MS Office from the Startup menu. Maybe that did the damage. Regardless, I cannot open the Recycle Bin icon to restore MS Office.
    Thanks
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you have your Win 98 CD? If so, you could try getting a copy of explorer.exe from the CD and copying it to your c:\windows folder.

    Try opening a command prompt window by clicking Start, Run, and enter command and click OK.

    Then type the below followed by the Enter key:
    sfc /scannow

    What happens?
     
  5. Joe L

    Joe L Private E-2

    Hi guys,
    As you suggested I ran a recovery from SPYBOT and the following were deleted: ALXIA, XUPITER, ALL IN ONE TELCOM, BTV INDUSTRIES, COMMON NAME, COOL WWW SEARCH, FLASHTRACK, GAIN GATOR, NEW NET, PEOPLE IN PAGE, POSSIBLE HIJACK, RAPIDBUSTER, TOTAL VELOCITY, URL SEARCH HOOK, WINPOP.
    To give you a bit more info: when I reboot or on startup, I get the error "cannot find file fntldr.exe" followed by "cannot load fntldr.exe in win.ini".
    I was able to run HIJACK THIS but only a CD copy. Since the PC I am corresponding on is not the PC with the problems I am not sure as to how to forward the HJ saved file. The 2 attachments are scanned versions of the HJ THIS files.
    Hope this helps
     
  6. Joe L

    Joe L Private E-2

    The HijackThis scanned files were too large to attach. I will try to get a Win 98 CD and reinstall explorer.exe. Will keep you posted.
    Thanks
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If the PC has a floppy disk on it, run HijackThis from the floppy and save the log to the floppy so you can upload it here.

    What about restoring from Ad-Aware's quarantine or did you already delete all of them?
     
  8. Joe L

    Joe L Private E-2

    I was deleting from Ad-Aware when it froze up. I am attaching a .doc copy of the HIJACKTHIS files. I will try to get a Win 98 CD or the recovery CD.
    I may try reinstalling 98. The attachment I am sending is a re-typed version of the actual list from HIJACKTHIS.exe.
    Thanks
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is better for us, and actually much simpler for you, to just save the HJT log as created by HJT. That is, as a .log file, not a .doc file.

    This PC is way out of date with updates. No wonder it is in such bad shape. You have a real bad case of an HSA hijacker. I will post a starting fix as soon as I can.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First try to get about:Buster on to the infected system! You will not be able to do the update to it that I would like on the problem PC, so it would be good if you first extracted the files from the ZIP on to your PC. Then run about:Buster and click Update and download the updated database. Then save those files (you don't need the ZIP file) to a floppy and copy them on to the problem PC.

    Here are the steps you will need run on the problem PC after getting about:buster installed on it.

    You need to print or save these instructions locally because after reading this sentence you will need to physically unplug your connection from your cable, ADSL, or dial-up modem to your PC and then you MUST exit all browsers and DO NOT run any again until requested.

    Okay, unplug your internet connection and exit browsers now!!!!
    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\SYSTEM\JAVAGQ32.EXE
    C:\WINDOWS\SDKJJ32.EXE
    C:\WINDOWS\SYSTEM\NETWP32.EXE
    C:\WINDOWS\SYSTEM\SDKLF.EXE
    C:\WINDOWS\SYSTEM\APIDE.EXE
    C:\WINDOWS\SYSTEM\NTBL.EXE
    C:\WINDOWS\NETNT.EXE
    C:\WINDOWS\SYSTEM\CRZV.EXE
    C:\WINDOWS\APIUC.EXE
    C:\WINDOWS\MFCEE32.EXE
    C:\WINDOWS\APPGF.EXE
    C:\WINDOWS\SYSYW.EXE
    C:\WINDOWS\SYSTEM\D3UX32.EXE
    C:\WINDOWS\SYSTEM\MSXC32.EXE
    C:\WINDOWS\SYSTEM\D3IK32.EXE
    C:\RAY.EXE
    C:\WINDOWS\APPGF.EXE
    C:\WINDOWS\SYSTEM\NTBL.EXE


    After killing all the above processes, click "Back"

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now (DO NOT OPEN ANOTHER BROWSER UNTIL AFTER POWER DOWN AND POWER UP, see below):
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main, Default_Page_URL=about: blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main, Default_Search_URL=about: blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar =res://c:\WINDOWS\lxpaq.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main, Search Page =res://c:\WINDOWS\lxpaq.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main, Default_Page_URL = about: blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main, Default_Search_ URL = res://c:\WINDOWS\lxpaq.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar= res://c:\WINDOWS\lxpaq.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main, Search Page= res://c:\WINDOWS\lxpaq.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\ Search , SearchAssistant= res://c:\WINDOWS\lxpaq.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main, Search CustomizeSearch= res://c:\WINDOWS\lxpaq.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant= res://c:\windows/lxpaq.dll/sp.html#12345
    R0 - HKLM\Software\Microsoft\Internet Explorer\ Search, CustomizeSearch= about: blank
    R3 - Default URLSearchHook is missing
    F1 - win.ini: run=fntldr.exe hpfsched
    O2 - BHO: Class - {A0B7B1C7-F95-C9AF-3708-B2B4A5B8699B1} - C:\WINDOWS\JAVAUD32.DLL
    O4 - HKLM\..\Run: [SourcePath} c:\cabs\gwreg.exe
    O4 - HKLM\..\Run: [D3IK32.EXE] c:\WINDOWS\SYSTEM\D3IK32.EXE
    O4 - HKLM\..\Run: [Shell] c:\ray.exe
    O4 - HKLM\..\Run: RunServices: [JAVAGQ32.EXE] c:\WINDOWS\SYSTEM\JAVAGQ32.EXE /s
    O4 - HKLM\..\Run: RunServices: [SDKJJ32.EXE] c:\WINDOWS|SYSTEM|SDKJJ32.EXE /s
    O4 - HKLM\..\Run: RunServices: [NETWP32.EXE] c:\WINDOWS|SYSTEM|NETWP32.EXE /s
    O4 - HKLM\..\Run: RunServices: [SDKLF.EXE] c:\WINDOWS|SYSTEM|SDKLF.EXE /s
    O4 - HKLM\..\Run: RunServices: [APIDE.EXE] c:\WINDOWS|SYSTEM|APIDE.EXE /s
    O4 - HKLM\..\Run: RunServices: [NTBL.EXE] c:\WINDOWS|SYSTEM|NTBL.EXE /s
    O4 - HKLM\..\Run: RunServices: [NETNT.EXE] c:\WINDOWS|SYSTEM|NETNT.EXE /s
    O4 - HKLM\..\Run: RunServices: [CRZV.EXE] c:\WINDOWS|SYSTEM|CRZV.EXE /s
    O4 - HKLM\..\Run: RunServices: [APIUC.EXE] c:\WINDOWS|APIUC.EXE /s
    O4 - HKLM\..\Run: RunServices: [MFCEE32.EXE] c:\WINDOWS\MFCEE32.EXE /s
    O4 - HKLM\..\Run: RunServices: [APPGF.EXE] c:\WINDOWS\APPGF.EXE /s
    O4 - HKLM\..\Run: RunServices: [SYSYW.EXE] c:\WINDOWS\\SYSYW.EXE /s
    O4 - HKLM\..\Run: RunServices: [D3UX32.EXE] c:\WINDOWS|SYSTEM|D3UX32.EXE /s
    O4 - HKLM\..\Run: RunServices: [MSXC32.EXE] c:\WINDOWS|SYSTEMMSXC32.EXE /s
    O9 - Extra button : Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a }- c:\ WINDOWS\web\related.htm
    O9 - Extra 'Tools" menuitem: Show $Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - c:
    PROGRAM FILES\YAHOO!\MESSENGER|YHEXBMES0521.DLL (file missing)
    O9 - Extra 'Tools' menuitem; Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333DOAD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEBMES0521.DLL (file missing)
    O19 - User stylesheet; (file missing)

    Then exit HJT after clicking FIX

    Run Windows Explorer and look for and try to delete (sort the listing in Windows Explorer by modification dates and look for possibly other similarly named files from the same date - let me know if you find others even if they have different 3 character extensions like .dat, .ini, .dll, .exe but DO NOT delete anything on your own.):
    c:\WINDOWS\lxpaq.dll
    C:\WINDOWS\JAVAUD32.DLL
    c:\cabs\gwreg.exe
    C:\WINDOWS\SYSTEM\JAVAGQ32.EXE
    C:\WINDOWS\SDKJJ32.EXE
    C:\WINDOWS\SYSTEM\NETWP32.EXE
    C:\WINDOWS\SYSTEM\SDKLF.EXE
    C:\WINDOWS\SYSTEM\APIDE.EXE
    C:\WINDOWS\SYSTEM\NTBL.EXE
    C:\WINDOWS\NETNT.EXE
    C:\WINDOWS\SYSTEM\CRZV.EXE
    C:\WINDOWS\APIUC.EXE
    C:\WINDOWS\MFCEE32.EXE
    C:\WINDOWS\APPGF.EXE
    C:\WINDOWS\SYSYW.EXE
    C:\WINDOWS\SYSTEM\D3UX32.EXE
    C:\WINDOWS\SYSTEM\MSXC32.EXE
    C:\WINDOWS\SYSTEM\D3IK32.EXE
    C:\RAY.EXE
    C:\WINDOWS\APPGF.EXE
    C:\WINDOWS\SYSTEM\NTBL.EXE
    c:\WINDOWS\SYSTEM\MSXC32.EXE
    c:\windows\fntldr.exe or c:\windows\system\fntldr.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. If you cannot find or delete them, note which ones and continue (tell me the results when you come back here).

    - Run about:Buster and save the log to ab1.log (make sure you let it do the second scan).

    - NOW PULL THE POWER PLUG TO YOUR PC! Yes, you read that correctly. This is very important! I do not want you to power down the normal way.

    - After that wait a minute or two and then power up into safe mode (still with no internet connection available and do not open any browsers). Only run what I request.

    - Empty your Recycle Bin. In fact as an additional measure do the following.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    - Run about:Buster again and save the log to ab2.log (let it do second scan)!

    - Immediately after about:Buster completes, reboot in normal mode. (You do not need to pull the power plug here. Just reboot.)

    - Plug your cable to the internet back in now.

    - Open and close a couple of IE sessions and then with IE closed get a new HJT log.

    - Now come back here and post both about:Buster logs and the new HJT log. And tell me what happened during the procedure.

    Let me know anything else that you notice.
     
  11. Joe L

    Joe L Private E-2

    Thank you for all your efforts. I have a business trip scheduled through Friday and intend to do all your repairs on Saturday, when I will have plenty of time and no interruptions.
    I will send along the results and hopefully thumbs up.
    Many thanks again.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    OK! But if you shut down or rebooted the PC in between posting the HJT log and working on my fix, my fix may no longer apply as these problems can mutate and spread during shutdowns. When you get ready to work on it, you will have to check a current HJT log against the one you previously posted to see if it has changed.
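
The log comparison asked for in the post above can be done mechanically. The following is an added example, not part of the original thread and not a MajorGeeks or HijackThis tool: it compares the entry lines of two saved HijackThis logs and reports what appeared or disappeared. The sample logs are constructed from three entries quoted in the thread plus one made-up entry (`EXAMPLE1.EXE` is a placeholder).

```python
import re
from collections import defaultdict

# HijackThis entry lines start with a section code (R0-R3, F0-F3, N1-N4, O1-O23)
# followed by " - " and the entry text; header and process lines do not match.
ENTRY_RE = re.compile(r"^\s*(R[0-3]|F[0-3]|N[1-4]|O\d{1,2})\s+-\s+(.*\S)\s*$")

def parse_entries(log_text):
    """Return a set of (section, normalized_text) for every entry line."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            # Case and spacing differ between runs and re-typed logs; ignore them.
            text = re.sub(r"\s+", " ", m.group(2)).casefold()
            entries.add((m.group(1), text))
    return entries

def diff_logs(old_text, new_text):
    """Group entries that appeared or disappeared between two logs by section."""
    old, new = parse_entries(old_text), parse_entries(new_text)
    changes = {"added": defaultdict(list), "removed": defaultdict(list)}
    for section, text in sorted(new - old):
        changes["added"][section].append(text)
    for section, text in sorted(old - new):
        changes["removed"][section].append(text)
    return changes

def fix_still_applies(old_text, new_text):
    """True only when the entry sets match, i.e. the posted fix list is current."""
    return parse_entries(old_text) == parse_entries(new_text)

# Constructed sample logs: three entries quoted from the thread, plus one
# made-up replacement entry (EXAMPLE1.EXE is a placeholder, not from the log).
OLD_LOG = r"""Logfile of HijackThis v1.99.1
F1 - win.ini: run=fntldr.exe hpfsched
O4 - HKLM\..\Run: [D3IK32.EXE] c:\WINDOWS\SYSTEM\D3IK32.EXE
O4 - HKLM\..\Run: [Shell] c:\ray.exe
"""
NEW_LOG = r"""Logfile of HijackThis v1.99.1
F1 - win.ini: run=fntldr.exe hpfsched
O4 - HKLM\..\Run: [EXAMPLE1.EXE] c:\WINDOWS\SYSTEM\EXAMPLE1.EXE
O4 - HKLM\..\Run:  [shell]  C:\RAY.EXE
"""

if __name__ == "__main__":
    result = diff_logs(OLD_LOG, NEW_LOG)
    for kind in ("added", "removed"):
        for section, items in result[kind].items():
            for item in items:
                print(f"{kind:8} {section}: {item}")
    print("fix list still current:", fix_still_applies(OLD_LOG, NEW_LOG))
```

Any entry reported as added is one the earlier fix list does not cover, so the new log should be posted before anything is fixed.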
     
  13. Joe L

    Joe L Private E-2

    Will do. Any changes I will resubmit the file.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    OK! Let me know what happens! One more thing, just in case we have problems getting this procedure to work, are you familiar with booting to a command prompt and using MS-DOS commands to navigate around and delete files?
     
  15. Joe L

    Joe L Private E-2

    No, but I am sure you will tutor me.
    Thanks
    By the way I am a physician with far more knowledge in medicine than IT.
    I may come across as computer illiterate (and I will admit that myself), but trust me, in the ER I know injuries like you know hard drives. After all, we both treat viruses.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Cool! This stuff can give people a pain in their occipital protuberance. :D
     
  17. Joe L

    Joe L Private E-2

    Well, I returned to my "PROBLEM" as we discussed earlier, and really blew it. First, I was too compulsive to go slow. So I tried to reinstall Win 98SE, but never reformatted. First from a recovery CD, then I tried every CD that came with the PC. Same problem. So I got a Win 98 full version and tried to install. The OS would not let me rename a new directory, so I installed over the old version. Now things could not be worse. The desktop is totally out of settings, there are only 4 icons (My Computer, My Documents, Recycle Bin, and IE), and none of them work. I tried another recovery but now get the message that "primary slave drive ATAPI incompatible". Easy enough to bypass by the Esc key. Still all I get are several icons. I cannot install Office 2000 or any of its programs; it says I'm not authorized (I had the correct key, because it fully installed, then started to get numerous files that "could not be found"). Office 2000 was previously on this PC. So I think I put in enough time and effort. I do not want to reformat because I did have valuable data in My Documents; the files are still there but I cannot access them without Office. Cannot save them to any drive. I think it's time to "pull the plug" for the final time on this PC and bow my head in shame.
    Thanks for your efforts.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome Joe! I think your only recourse is to back up your valuable data somehow and format and start over.
     
