Possible Invasion

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

tonkacat

Thread Starter
Joined
Mar 7, 2005
Messages
406
I posted in the Windows 98 forums. It has been suggested I post here. This is the link:
http://forums.techguy.org/windows-95-98-me/433202-possible-invasion.html
:confused:

-----------------
Logfile of HijackThis v1.99.1
Scan saved at 1:15:23 PM, on 1/11/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\BELLSOUTH\CONNECTION TOOL\ARMON32A.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\LOGITECH\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\IGFXTRAY.EXE
C:\WINDOWS\SYSTEM\HKCMD.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\PV92TRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\HP PRINTER SCANNER COPIER\BIN\HPOSTR02.EXE
C:\PROGRAM FILES\HP PRINTER SCANNER COPIER\BIN\HPOVDX02.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\HPOMLCH.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://home.bellsouth.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://home.bellsouth.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {15C9938F-CB96-496D-800A-B827F2E34EA1} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] c:\logitech\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PV92TRAY] PV92Tray.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [AccessRampLAN 01] "C:\PROGRAM FILES\BELLSOUTH\CONNECTION TOOL\ARUpld32.exe" -l
O4 - HKLM\..\RunServices: [AccessRampMonitor 01] "C:\PROGRAM FILES\BELLSOUTH\CONNECTION TOOL\ARMon32a.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - Startup: HP Printer Scanner Copier 300 StartUp.lnk = C:\Program Files\HP Printer Scanner Copier\bin\HPOstr02.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Check &Spelling - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLCHECK.HTM
O8 - Extra context menu item: &ieSpell Options - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLOPTION.HTM
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\PROGRAM FILES\IESPELL\IESPELL.DLL
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\PROGRAM FILES\IESPELL\IESPELL.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.bellsouth.net
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = Bellsouth
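As an added example (this is my own script, not HijackThis code and not a tool mentioned in the thread): a small Python triage pass over lines in the HijackThis v1.99 format posted above, flagging the entry types a malware helper looks at first. The sample input is a handful of lines copied from the log above plus one constructed O4 line (`[Updater] C:\WINDOWS\TEMP\svchost.exe`), which is hypothetical and not from this machine, so that the temporary-directory rule has something to fire on. The rules are heuristics; a flag means "check this by hand", not "infected".

```python
# Added example: triage of a HijackThis v1.99 log. Not HijackThis code and
# not from the thread; the rules say "look at this", not "this is malware".
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Entry:
    section: str   # "O2", "O4", "O16", ...
    body: str      # text after the "O2 - " prefix


@dataclass
class Finding:
    section: str
    reason: str
    entry: str


LINE_RE = re.compile(r"^([RFO]\d{1,2}) - (.*)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<target>.*)$")

# Directories from which an autorun entry deserves a second look.
SUSPECT_DIRS = ("\\TEMP\\", "\\TEMPORARY INTERNET FILES\\", "\\RECYCLED\\")

# Sample input: lines copied from the log posted above, plus one
# constructed O4 line (the [Updater] entry) that is NOT from that machine.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {15C9938F-CB96-496D-800A-B827F2E34EA1} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = Bellsouth
O4 - HKLM\..\Run: [Updater] C:\WINDOWS\TEMP\svchost.exe
"""


def parse_log(text):
    """Return the R/F/O entries of a HijackThis log; the header and the
    'Running processes' block do not match LINE_RE and are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Apply the review heuristics and return one Finding per flagged entry."""
    findings = []
    for e in entries:
        if e.section == "O2" and e.body.endswith("(no file)"):
            # Registry still registers a BHO whose DLL is gone: leftover to clean.
            findings.append(Finding("O2", "orphaned BHO: registry points at a DLL "
                                    "that is no longer on disk", e.body))
        elif e.section == "O4":
            m = RUN_RE.search(e.body)
            target = (m.group("target") if m else e.body).strip('"').upper()
            if any(d in target for d in SUSPECT_DIRS):
                findings.append(Finding("O4", "autorun launched from a temporary "
                                        "directory", e.body))
        elif e.section == "O6":
            findings.append(Finding("O6", "IE policy restrictions present: set by an "
                                    "admin, an anti-spyware lock-down option, or a "
                                    "hijacker; confirm which", e.body))
        elif e.section == "O16":
            url = e.body.rsplit(" - ", 1)[-1]
            host = urlparse(url).hostname or "?"
            findings.append(Finding("O16", f"ActiveX control downloaded from {host}: "
                                    "verify the vendor", e.body))
        elif e.section == "O17":
            findings.append(Finding("O17", "TCP/IP domain setting: verify it matches "
                                    "the ISP account", e.body))
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f"{f.section:4} {f.reason}\n     {f.entry}")
```

Run against the full log above, the script flags the orphaned O2 entry, the two O6 policy lines, the Symantec O16 download and the O17 domain line, and nothing in O4, which is consistent with the "can't see anything there" reading later in the thread; the O6 lines still need a human to decide whether a lock-down tool or something else wrote them.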
 

liquid_flame

Banned
Joined
Jan 8, 2006
Messages
69
Install CleanUp!

Download and install Ewido Security Suite
During the installation, uncheck the following under Additional Options:

Install background guard
Install scan via context menu
Run Ewido and click OK when prompted to update the program
On the left side of the screen, click update>>Start
When the update is finished, exit Ewido

Start your computer in Safe Mode

Run CleanUp! and go to Options>>Custom CleanUp!
Put a checkmark next to each of the following items:

Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Scan local drives for temporary files
Cleanup! All Users
Click OK>>CleanUp!
Exit CleanUp!

Run Ewido Security Suite
Click scanner>>Complete System Scan
Click OK when prompted to clean the problems found
When the scan is finished, click Save Report and save a copy of this log to your Desktop
Exit Ewido

Then restart your computer in normal mode, run a HijackThis 'scan and save a logfile', then post the contents of the log here and tell us how the system is running. Also post the Ewido logfile you saved to your desktop earlier.
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
liquid_flame, if you want to help, then it would be better to do a little research first.

Ewido doesn't work on 98.
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
I can't see anything there, but doing a repair install of Windows, which is what you have done, wouldn't wipe it out.

If you have a persistent hacker or intruder, especially on 98, then format and reinstall from scratch, not repair; it's much safer.
 

tonkacat

Thread Starter
Joined
Mar 7, 2005
Messages
406
Is it possible to format and reinstall when the recovery disks are on the computer? They are in the cab files.
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Haven't you got a Windows CD?
 

tonkacat

Thread Starter
Joined
Mar 7, 2005
Messages
406
No. Apparently, at the time my computer was made, Dell thought it wise to put the disk in cab files and not on CDs. :rolleyes:
 

~Candy~

Retired Administrator
Joined
Jan 27, 2001
Messages
103,706
Look for a setup.exe in the directory with the .cab files.
 

tonkacat

Thread Starter
Joined
Mar 7, 2005
Messages
406
AcaCandy, I went to check for the file, my computer froze, and I had to reboot; in the process I lost the graphics driver. I couldn't reinstall them, so I used DOS to do the cab/setup thing. I then reinstalled the driver. It's working, but I don't know for how long; there are some missing DLL files. On the bright side, my sounds are back.

Yes, there is a setup.exe in the windows/options/cabs/ folder.
 

~Candy~

Retired Administrator
Joined
Jan 27, 2001
Messages
103,706
Not sure I understand how the setup reinstalled the driver, but I am glad you got something working.

Derek, shouldn't we be able to copy the whole directory to a CD-ROM and do a clean install that way? It's been a while since I've had to play with a 98 install from the hard drive files. I was thinking that should do a clean install as well, but maybe not?
 

tonkacat

Thread Starter
Joined
Mar 7, 2005
Messages
406
I have a boot disk and a CD with all the cab files burned on it; I just need directions. (y)
 

~Candy~

Retired Administrator
Joined
Jan 27, 2001
Messages
103,706
Well, can you test the boot disk and the CD? Boot to the disk, choose "with CD-ROM support", see if the CD will load, then change to the CD directory, which is usually one drive letter away from where it is now, and type

setup
and press enter

If setup starts, you should be good to go. I can't remember if Windows gives you a clean install option, or if we'll have to format c: (MY FAVORITE THING) first :D

You have nothing to back up, right?
 