Totally Bizarre Happenings On 98!
Horselady21
07-12-2004, 12:07 PM
Hi! I am new to this forum, and glad I found it because I am SO confused (more so than the computer I am writing about!) Here's what happened:
This past Friday night, checked email - no problems. Sat. morning, get up, turn on computer (3 yr old Gateway that belonged to my boss a couple of years ago), and it loaded with HIS old desktop, internet connection, etc! It also, when it first starts, lists several short paragraphs that say something about certain files having been deleted, and that if I deleted them by mistake, to reload them, or something like that. I can't even get it into safe mode. I have run scandisk, Hijackthis, and a virus scan, but I can't get my desktop back (even tho I can find all my documents, etc)
Any ideas???!!
Thanks!
Horselady21
07-12-2004, 12:09 PM
Also, the most annoying thing is this: after I reloaded MY internet connection info, I can't get into my Hotmail account (shows totally blank white page), and I tried to get to Yahoo to open a mail account, AND Lycos, and it won't show any of them- so I can't get into ANY EMAIL account!!
8raker
07-12-2004, 12:22 PM
Umm, whoa that's weird, I'm guessing that it is a virus, post your HiJackThis! log here and let some members check it out. Run more than 1 anti-virus program, sometimes it takes a lot more than 1 of them...
Feel free to ask me anything,
8raker
Horselady21
07-12-2004, 12:28 PM
Hi! Thanks so much for replying so quickly! I will post my log tonight when I get home. It didn't look all that bad to me (I had 2 Dells at work that were getting huge amounts of pop-ups, and did the Hijackthis for both of them, and got them straightened out!)
Thanks again!
GaryRouth
07-13-2004, 05:16 AM
. . . 8raker's suggestion to run a double-check scan for virus/spyware with another program is a good one. If your Internet connection is speedy enough for an online scan [these are painfully slow to download on dialup connections - but bearable if your connection can remain steady at 40k or better], HouseCall does a good job, and seems to get along with other scanners: http://housecall.trendmicro.com
. . . . .
If your system scans clean - you can try restoring your registry settings to those from Friday (depending on how many times you've rebooted). Windows 98 will usually save a Registry from a successful boot for each day (if the machine is rebooted during that day). If you have a Windows 98 CD (not a Recovery or Restore disk, but the Windows installation CD), you can boot with that, "start computer with cd-rom support", and from the A: prompt type
scanreg/restore
and choose a date from the list from Friday or before.
. . . . .
It rather sounds like your boss left his User Profile on the computer, created another one for you, and something has either damaged yours, or simply caused the switch. I'd suspect spyware as the likeliest culprit. If HijackThis doesn't find and kill the beast, you can also try a run of AdAware or SpyBot Search & Destroy.
Best of luck . . . and Welcome to the PC Mechanic forums
. . . Gary
[p.s. .... if you don't have a Windows CD, you can download a bootable floppy diskette from http://www.bootdisk.com . . . use the one that matches your version of Windows. The download creates the bootable floppy (you might want to use a known, clean computer to download and create it). Write-protect the floppy (by moving the little tab), and boot from that]
Horselady21
07-15-2004, 07:28 PM
Here is a copy of my HJT log.....I tried to download and install the Housecall but it failed. I wanted to install and run Spybot like I have at work but can't seem to find the right one (found one that scans but doesn't fix!)
Scan saved at 7:24:59 PM, on 7/15/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
A:\HIJACKTHIS.EXE
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Mount Safe & Sound] C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\SAFE & SOUND\FBMOUNT.EXE
O4 - HKLM\..\Run: [CMESys] "C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [RealJukeboxSystray] C:\Program Files\Real\RealJukebox\tsystray.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
Thanks for any help!
GaryRouth
07-16-2004, 06:07 AM
Hi again
I'm not much familiar with HijackThis (I've read about it, but haven't tried it), but most of the items you show running don't seem spyware related at first glance [the fellows at the HijackThis forums are fairly experienced reading such logs . . .they might see something I've missed]
What seems a little odd are the three different antivirus programs mentioned: Norton, McAfee, and HouseCall. Was there an error message when you tried HouseCall? (or was it simply that the connection dropped?). All the versions of SpyBot that I've used were able to install from a file downloaded on a different computer (same has been true for AdAware). I've never heard of a version that finds problems but doesn't offer to try and remove them. ...And - did you have Norton first, then uninstalled it, and tried McAfee?
It might be easiest in your situation, if you have a technically helpful friend around, to slave your troubled hard drive in another computer [one that is well-protected with up-to-date antivirus/antispyware programs] and clean it from there.
. . . . . . .
I'm not sure exactly what you mean by the older desktop & internet connection showing. If you can get into Control Panel, and "Users", are there two or more User Profiles setup? . . . or, are you simply referring to a change in the desktop wallpaper?
Hopefully some HJT-savvy folks will drop in here soon & add their recommendations. I should be able to check in later after some sleep
. . . Gary
Horselady21
07-16-2004, 09:05 AM
Hi, Gary- Hope you get a good night's sleep! Thanks for trying to help me out, too!
First, with the desktop and internet problem: I got this PC from my old boss, where I used to work. Before he gave it to me, he removed all his stuff- desktop wallpaper, programs, etc. - and when I got it, I changed everything to my preferences, wallpaper, etc. My log in was "deb", and had a pic of my horse for wallpaper with purple border. When I turned on the PC Sat. morning, I got several messages that have a program address, something like "C:/PROGRA~/NORTON/????" (can't remember the rest but you get the idea...!). There are 4 or 5 of those lines, separated by 3 small paragraphs that say something like "This program cannot be located or has been deleted. This program is needed to run Windows....please reinstall program, etc. etc." I never deleted anything so don't know what it is talking about. Then after the desktop finally came up, it asked for the logon for "jim" (my old boss), and up comes his old desktop (a picture of some movie star with large breasts, dressed in a black bathing suit and holding a large gun...NO THANKS!), and all his old icons are there, not mine. I go into USERs and there is "deb" and "deb000" and "deb006" and "jim" and "horselady" and about 6 others! And I have no search engine (click on search and it is blank), and can't get into Hotmail account. When I try to get into Hotmail, the address on the bottom bar looks different, has some weird letters and numbers in it, but I can't change it.
Anyway, last night, I downloaded Housecall, took about 20 minutes, said it was installing (those weren't the exact words but...), then came up with a message box that I think said something about something failed. I know I had a good internet connection so don't really know what happened. As for Spybot, I have it on my PC here at work, and so tried to download it at home. I typed in "Spybot search and destroy" went to the website, downloaded what I thought was the same thing, it scanned, then said I could fix the items found if I paid! It had found a lot of stuff, most things that had the source of a girl's name, Claria or something like that. Anyway, I may try to save my Spybot from here onto a disk to load at home. What a mess! Anyway, thanks for trying!
8raker
07-16-2004, 10:56 PM
Def. a virus :( I can tell ya that much, and by the way the HJT log looks tidy, so i dunno.. :rolleyes:
Panama Red
07-16-2004, 11:13 PM
I'm no expert but here's what I see. The CMESYS.EXE is part of Gator - dump it. Running Norton and McAfee can cause major conflicts. Personally I'd use the Add/Remove programs and remove both of them completely from the system. Then do a Search/Find of anything Norton, Symantec, or McAfee and remove it from your system. Are you using the latest Spybot program, ver 1.3? It replaced 1.2. Make sure your Adaware and Spybot programs are updated. If you want a good, free antivirus, instead of reinstalling McAfee, try AVG from www.grisoft.com. Look on the left for the free version.
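Added example, not part of the original thread and not code from HijackThis: a small Python triage of log lines in the format posted above, listing autostart (O4) entries, "(file missing)" items, and the antivirus products the replies remark on. The sample lines are copied from the posted log; the watch list holds only the file name called out in this thread and is an assumption, not a general blocklist.

```python
import re

# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Mount Safe & Sound] C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\SAFE & SOUND\FBMOUNT.EXE
O4 - HKLM\..\Run: [CMESys] "C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKCU\..\Run: [RealJukeboxSystray] C:\Program Files\Real\RealJukebox\tsystray.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
"""

ENTRY = re.compile(r"^(O\d+) - (.*)$")                       # "O4 - <body>"
AUTORUN = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")

# Assumption: only the name singled out in the replies above.
THREAD_NOTES = {"cmesys.exe": "identified in this thread as part of Gator"}
AV_PRODUCTS = ("norton", "mcafee", "housecall")


def triage(log):
    """Return autostart entries, missing files, flagged names and AV products."""
    out = {"autoruns": [], "missing": [], "flagged": [], "av": set()}
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, process list or blank line
        section, body = m.groups()
        out["av"].update(p for p in AV_PRODUCTS if p in body.lower())
        if body.endswith("(file missing)"):
            out["missing"].append(body)
        a = AUTORUN.match(body) if section == "O4" else None
        if a:
            hive, key, name, cmd = a.groups()
            out["autoruns"].append((hive, key, name, cmd))
            # Last path component, quotes removed, compared case-insensitively.
            exe = cmd.strip('"').replace("\\", "/").split("/")[-1].lower()
            if exe in THREAD_NOTES:
                out["flagged"].append((name, THREAD_NOTES[exe]))
    return out


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for hive, key, name, cmd in result["autoruns"]:
        print(f"{hive}\\{key}: {name} -> {cmd}")
    print("missing:", result["missing"])
    print("flagged:", result["flagged"])
    print("antivirus products referenced:", sorted(result["av"]))
```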
juppy
07-17-2004, 01:10 AM
I noticed you said Spybot told you that you have to pay to have it fix the problems it found....apparently you didn't get the right Spybot thing downloaded because Spybot is free to use and they simply encourage you to donate to their company and its cause, but you don't have to. Here's a link directly to the mirror download sites where you can get the version of Spybot you need to download and install, then run. I don't know if it will find what your problem is, but it can't hurt. CLICK HERE FOR THE DOWNLOAD SITE (http://www.safer-networking.org/en/mirrors/index.html)
GaryRouth
07-18-2004, 01:18 AM
Hi again
[kinda hectic - Sorry I'm so late replying...] I like the suggestions from 8raker, Panama, and Juppy. The system does seem like it needs a good cleaning.
It might be hard to run a thorough set of scans from your computer at the moment, though - since it’s possibly severely compromised. That’s where using another computer to clean yours might be helpful. If that’s not an option, see if you can install and run AdAware (or SpyBot) in Safe Mode. If you can access the Internet in Safe Mode on your PC, try HouseCall again from Safe Mode.
The list of User Profiles seems much too big. Something’s not right there. After you get the system cleaned up with the antivirus/antispyware programs, try deleting the User Profiles that you’re fairly certain you don’t want or need [You might want to opt for not using profiles at all! – which would greatly simplify things].
When all done with the cleaning and User Profiles, see if you can set up the desktop and email accounts to your liking. If things aren’t functioning like they should at that point, we can look at some repairs for that.
A couple extra questions for you: 1) since this is a Gateway, is a program called “GoBack” running? (it works a lot like System Restore) . . . 2) do you have a set of “Recovery Disks”?, 3) do you have a Windows installation CD? and 4) do you have a set of backups?
. . . Gary
RUNDLL.EXE is malware!
WinTasks Process Library
rundll - rundll.exe - Process Information
Process File: rundll or rundll.exe
Process Name: Rundll
Description: Added to the system as a result of the LOXOSCAM virus that is a backdoor Trojan that allows a hacker to gain access to the computer. The application is written in the Delphi programming language.
Company: N/A
System Process: No
Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): Yes
Common Errors: N/A
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.loxoscam.html