are we infected

Discussion in 'malware problems & news' started by phredd, Aug 22, 2003.

Thread Status:
Not open for further replies.
  1. phredd

    phredd Registered Member

    Joined:
    Aug 22, 2003
    Posts:
    2
    Location:
    Mumbles, South Wales, U.K.
    We run Windows 98, with PC-cillin 2000 & Zone Alarm (free version) both fully up to date. Our computer began freezing every few minutes, so I ran scandisk prior to defragging. However, scandisk repeatedly restarted until a window informed me that a program was writing to Windows, causing the restarts. If I disconnect my cable modem, then scandisk runs fully first time. Also, the data LED on the modem is flashing non-stop (when connected) and only stops when the computer freezes. I've run the virus scan, Spybot Search & Destroy, & used an online scan from PC Pitstop. Nothing shows up. Zone Alarm shows no sign of internet activity, and the modem data LED continues to flash even when the internet lock is on.
    I've also noticed that the clock is wrong & I can't alter it using the Date/Time Properties box. Sorry to shout but HELP!!!
    Here's hoping I'm dull & it's something really simple, Phredd.
    Logfile of HijackThis v1.96.1
    Scan saved at 16:46:50, on 22/08/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\TABLET.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\TREND PC-CILLIN 2000\WEBTRAP.EXE
    C:\PROGRAM FILES\ASUS\PROBE\ASUSPROB.EXE
    C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
    C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\TREND PC-CILLIN 2000\POP3TRAP.EXE
    C:\PROGRAM FILES\TREND PC-CILLIN 2000\PCCIOMON.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gump.net/search/index.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gump.net/search/index.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gump.net/search/index.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://drvvv.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tesco.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
    O4 - HKLM\..\Run: [pop3trap.exe] "C:\Program Files\Trend PC-cillin 2000\pop3trap.exe"
    O4 - HKLM\..\Run: [WebTrap.exe] "C:\Program Files\Trend PC-cillin 2000\WebTrap.exe"
    O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\RunServices: [Tablet] C:\WINDOWS\SYSTEM\Tablet.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O8 - Extra context menu item: C&ustomize this Menu - res://C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll/ComCustomIEMenu.html
    O8 - Extra context menu item: Fi&ll Forms - res://C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll/ComFillForms.html
    O8 - Extra context menu item: Save For&ms - res://C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll/ComSavePass.html
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O9 - Extra button: RF Toolbar (HKLM)
    O9 - Extra 'Tools' menuitem: Robo Toolbar (HKLM)
    O9 - Extra button: Fill Forms (HKLM)
    O9 - Extra 'Tools' menuitem: Fi&ll Forms (HKLM)
    O9 - Extra button: Save (HKLM)
    O9 - Extra 'Tools' menuitem: Save For&ms (HKLM)
    O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://E:\system\IntraLaunch.CAB
    O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} (DivX Player) - http://download.divx.com/player/DivXPlayerInstaller.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37592.3819328704
    O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
    O16 - DPF: {6FB9FE59-7D3B-483D-9909-C870BE5AFA1F} (DiskHealth Class) - http://www.pcpitstop.com/pcpitstop/diskhealth.cab
    O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1503/www.contentwatch.com/audit/includes/ContentAuditControl.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003031901/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {F8F88D0D-E455-11D6-B547-00400555C7FB} (DiskHealth2 Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.es/activescan/as/asinst.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/233916e2ef4a5fcfcc05/netzip/RdxIE601.cab
    O16 - DPF: {78960E0E-0B0C-11D4-8997-00104BD12D94} (AV Class) - http://www.pcpitstop.com/antivirus/PCPAV.CAB
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Phred and welcome to the forum.
    I leave the analysis and what exactly to delete / fix in the HJT log to the guys who have the experience.
    I'm surprised about this one
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    on a win98 system, as that is used on the NT/2K/XP systems.
    Did you close your ports 135-139 properly?
    You might like to check at the Gibson ShieldsUp! site www.grc.com and test your ports.
    You might like to get the evaluation version of Port Explorer, over here at DCS, so you can see in real time what is happening on your system and what is connecting; with PE you can block unwanted connections and spy on the packets dropped in, so with all that you know what to look for and what to block/change.
    It sounds as if too many processes are running and Win98 is not able to keep up with that; on my own system I noticed that somehow Port Explorer helps Windows release dead sockets and thread space much sooner, thus less freezing and a faster system.
    Fingers crossed this and the guys' advice about the HJT fixes will do the trick!
    Please report back!
     
  3. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Phredd,

    Welcome to Wilders!

    I see nothing in the output that would for sure account for the periodic freezing. The main possibilities from what I could see are the Wacom tablet driver or the Asus system board "Probe" utility, but I am hesitant to advise you on removing either till I know more.

    Have you installed either of those recently?

    Have you scanned your system with an AntiVirus? Even if you have a local one you might consider using an online one just to be extra sure. One can be found here

    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    As regards the rest of the log output, I advise that you close all other programs/windows and select and fix the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gump.net/search/index.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gump.net/search/index.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gump.net/search/index.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://drvvv.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tesco.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
    O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://E:\system\IntraLaunch.CAB
    O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} (DivX Player) - http://download.divx.com/player/DivXPlayerInstaller.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/233916e2ef4a5fcfcc05/netzip/RdxIE601.cab

    Once this is done you can reboot.

    Please let us know the answers to the questions and we can possibly have more definitive things to advise.

    Regards,

    Dan
     
  4. phredd

    phredd Registered Member

    Joined:
    Aug 22, 2003
    Posts:
    2
    Location:
    Mumbles, South Wales, U.K.
    Hi Dan and Jooske.
    I tested my shields at GRC and am invisible, green boxes all the way. I've uninstalled several utility programs and programs I don't use anymore, and I've uninstalled and reloaded the Wacom tablet driver & Asus Probe; they've been on here for 18 & 60 months respectively. I couldn't download the antivirus from Pandasoftware; I've always had trouble trying to download ActiveX controls no matter how low I set the security levels. I ran an online virus check from the PC Pitstop site but they don't update very often. I've downloaded and run Port Explorer, and post a snapshot below. I have noticed that the bottom portion of the interface (the log window) shows activity all the time, and shows the same remote address every time, 194.168.4.100:53, over 500 entries in 20 minutes. Here's the snapshot:
    -------------------------------------------------------------------------------------------------------------------------------------------------------
    | NAME | CREATION | PID | PROTOCOL | LOCAL ADDRESS | LOCAL PORT | REMOTE ADDRESS | REMOTE PORT | PORT STATUS | SENT | RECVD |
    -------------------------------------------------------------------------------------------------------------------------------------------------------
    | rpcss.exe | 10:07 25/08/2003 | -396697 | TCP | 127.0.0.1 | 1025 | 0.0.0.0 | 0 | LISTENING | 0/0 | 0/0 |
    | rpcss.exe | 10:07 25/08/2003 | -396697 | TCP | 0.0.0.0 | 135 | 0.0.0.0 | 0 | LISTENING | 0/0 | 0/0 |
    | iexplore.exe | 10:56 25/08/2003 | -342385 | UDP | 127.0.0.1 | 1397 | 127.0.0.1 | 1397 | LISTENING | 202/202 | 202/202 |
    | pcciomon.exe | 10:48 25/08/2003 | -82117 | TCP | 81.97.229.245 | 1332 | 66.35.253.66 | 80 | CLOSE_WAIT | 1/149 | 1/555 |
    | pcciomon.exe | 10:48 25/08/2003 | -82117 | TCP | 81.97.229.245 | 1334 | 63.218.13.198 | 80 | CLOSE_WAIT | 1/171 | 31/25283 |
    | SYSTEM | --- | 0 | TCP | 0.0.0.0 | 1332 | 0.0.0.0 | 0 | LISTENING | --- | --- |
    | SYSTEM | --- | 0 | TCP | 0.0.0.0 | 1334 | 0.0.0.0 | 0 | LISTENING | --- | --- |
    | SYSTEM | --- | 0 | TCP | 127.0.0.1 | 1397 | 0.0.0.0 | 0 | LISTENING | --- | --- |
    | SYSTEM | --- | 0 | TCP | 81.97.229.245 | 138 | 0.0.0.0 | 0 | LISTENING | --- | --- |
    | SYSTEM | --- | 0 | TCP | 81.97.229.245 | 137 | 0.0.0.0 | 0 | LISTENING | --- | --- |
    | SYSTEM | --- | 0 | TCP | 81.97.229.245 | 139 | 0.0.0.0 | 0 | LISTENING | --- | --- |
    | SYSTEM | --- | 0 | UDP | 81.97.229.245 | 138 | *.*.*.* | * | LISTENING | --- | --- |
    | SYSTEM | --- | 0 | UDP | 81.97.229.245 | 137 | *.*.*.* | * | LISTENING | --- | --- |
    -------------------------------------------------------------------------------------------------------------------------------------------------------
    Here's a small portion of the log file:
    0 C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE:-320789
    25/08/2003 11:28:00am SEND UDP 0.0.0.0:1802 194.168.4.100:53 Success 43 C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE:-320789 United Kingdom
    25/08/2003 11:28:00am RECEIVE UDP 0.0.0.0:1802 194.168.4.100:53 Success 95 C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE:-320789 United Kingdom
    25/08/2003 11:28:00am CLOSE UDP 0.0.0.0:1802 194.168.4.100:53 Success C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE:-320789 United Kingdom
    25/08/2003 11:28:16am OPEN UDP 0.0.0.0:0 0.0.0.0:0 Success 0 C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE:-320789
    25/08/2003 11:28:16am SEND UDP 0.0.0.0:1803 194.168.4.100:53 Success 44 C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE:-320789 United Kingdom
    25/08/2003 11:28:16am RECEIVE UDP 0.0.0.0:1803 194.168.4.100:53 Success 96 C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE:-320789 United Kingdom
    25/08/2003 11:28:16am CLOSE UDP 0.0.0.0:1803 194.168.4.100:53 Success C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE:-320789 United Kingdom
    25/08/2003 11:28:17am OPEN UDP 0.0.0.0:0 0.0.0.0:0 Success 0 C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE:-320789
    25/08/2003 11:28:17am SEND UDP 0.0.0.0:1804 194.168.4.100:53 Success 44 C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE:-320789 United Kingdom
    25/08/2003 11:28:17am RECEIVE UDP 0.0.0.0:1804 194.168.4.100:53 Success 96 C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE:-320789 United Kingdom
    25/08/2003 11:28:17am CLOSE UDP 0.0.0.0:1804 194.168.4.100:53 Success C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE:-320789 United Kingdom
    25/08/2003 11:28:21am OPEN UDP 0.0.0.0:0 0.0.0.0:0 Success 0 C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE:-320789
    25/08/2003 11:28:21am SEND UDP 0.0.0.0:1805 194.168.4.100:53 Success 41 C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE:-320789 United Kingdom
    25/08/2003 11:28:21am RECEIVE UDP 0.0.0.0:1805 194.168.4.100:53 Success 92 C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE:-320789 United Kingdom
    25/08/2003 11:28:21am CLOSE UDP 0.0.0.0:1805 194.168.4.100:53 Success C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE:-320789 United Kingdom
    25/08/2003 11:28:21am OPEN UDP 0.0.0.0:0 0.0.0.0:0 Success 0 C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE:-320789
    25/08/2003 11:28:21am SEND UDP 0.0.0.0:1806 194.168.4.100:53 Success 43 C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE:-320789 United Kingdom
    25/08/2003 11:28:21am RECEIVE UDP 0.0.0.0:1806 194.168.4.100:53 Success 94 C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE:-320789 United Kingdom
    25/08/2003 11:28:21am CLOSE UDP 0.0.0.0:1806 194.168.4.100:53 Success C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE:-320789 United Kingdom
    25/08/2003 11:28:32am OPEN UDP 0.0.0.0:0 0.0.0.0:0 Success 0 C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE:-320789
    25/08/2003 11:28:32am SEND UDP 0.0.0.0:1807 194.168.4.100:53 Success 43 C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE:-320789 United Kingdom
    25/08/2003 11:28:32am RECEIVE UDP 0.0.0.0:1807 194.168.4.100:53 Success 94 C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE:-320789 United Kingdom
    25/08/2003 11:28:32am CLOSE UDP 0.0.0.0:1807 194.168.4.100:53 Success C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE:-320789 United Kingdom
    25/08/2003 11:28:41am OPEN UDP 0.0.0.0:0 0.0.0.0:0 Success 0 C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE:-320789
    25/08/2003 11:28:41am SEND UDP 0.0.0.0:1808 194.168.4.100:53 Success 44 C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE:-320789 United Kingdom
    25/08/2003 11:28:41am RECEIVE UDP 0.0.0.0:1808 194.168.4.100:53 Success 96 C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE:-320789 United Kingdom
    25/08/2003 11:28:41am CLOSE UDP 0.0.0.0:1808 194.168.4.100:53 Success C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE:-320789 United Kingdom


    I hope this isn't too long-winded, but here is the latest HJT log too.

    Logfile of HijackThis v1.96.1
    Scan saved at 11:34:04, on 25/08/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\TABLET.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\ASUS\PROBE\ASUSPROB.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\PORT EXPLORER EVALUATION\PEDEMO.EXE
    C:\PROGRAM FILES\TREND PC-CILLIN 2000\PCCIOMON.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\HH.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tesco.net/
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
    O4 - HKLM\..\Run: [pop3trap.exe] "C:\Program Files\Trend PC-cillin 2000\pop3trap.exe"
    O4 - HKLM\..\Run: [WebTrap.exe] "C:\Program Files\Trend PC-cillin 2000\WebTrap.exe"
    O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
    O4 - HKLM\..\RunServices: [Tablet] C:\WINDOWS\SYSTEM\Tablet.exe
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O8 - Extra context menu item: C&ustomize this Menu - res://C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll/ComCustomIEMenu.html
    O8 - Extra context menu item: Fi&ll Forms - res://C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll/ComFillForms.html
    O8 - Extra context menu item: Save For&ms - res://C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll/ComSavePass.html
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O9 - Extra button: RF Toolbar (HKLM)
    O9 - Extra 'Tools' menuitem: Robo Toolbar (HKLM)
    O9 - Extra button: Fill Forms (HKLM)
    O9 - Extra 'Tools' menuitem: Fi&ll Forms (HKLM)
    O9 - Extra button: Save (HKLM)
    O9 - Extra 'Tools' menuitem: Save For&ms (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} (DivX Player) - http://download.divx.com/player/DivXPlayerInstaller.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
    O16 - DPF: {78960E0E-0B0C-11D4-8997-00104BD12D94} (AV Class) - http://www.pcpitstop.com/antivirus/PCPAV.CAB

    thanks again Phredd
     
  5. Nautilus

    Nautilus Registered Member

    Joined:
    Oct 22, 2002
    Posts:
    37
    @phredd

    I have noticed that a process called iexplore.exe is running on your computer. Did you use Internet Explorer at that time? If not, there is a hidden iexplore window running. And you may be infected by a DLL trojan.

    Regards,

    Nautilus
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Were there any sockets / processes colored red in the PE window?
    I'm still not happy with that RPCSS.EXE in your startup. Win98SE doesn't need it, so you can uncheck it in MSCONFIG > Startup; if you notice any program does need it back, you can re-enable it in the same place.
    194.168.4.100 cache1.ntli.net United Kingdom
    inetnum: 194.168.4.0 - 194.168.5.255
    netname: CABLEOL
    descr: Cable Online Ltd
    country: GB
    admin-c: NNMC1-RIPE
    tech-c: NNMC1-RIPE
    status: ASSIGNED PA
    mnt-by: AS5089-MNT
    remarks: INFRA-AW
    changed: hostmaster@ntli.net 20020529
    changed: hostmaster@ntli.net 20020815
    source: RIPE
    trouble: For technical issues/questions please -
    trouble: email : nmc@ntli.net
    trouble: ----------------------------------------------
    trouble: For peering issues/requests please -
    trouble: email : peering@ntli.net

    Does that make sense somehow? If you spy on the packets sent by that one (you might have to add the PID with the "-" in the spy tool for it to work properly), see if any packets give some info you can make something of.
    Looks like a portscan, see the numbers growing 1808 1809 etc etc?
    Could be something which needs cleaning or better configuration. If it goes on this way all time it's a lot of traffic.
    Port 53 would be connection to the mailserver, btw, for which ZAPro gives permission and the email packets can enter; you should after a few one and back lines see port 110 for the email client. Could it be the email client has no proper access or needs better configuration so it does not keep polling for connection/emails?
    It could explain the constant flashing. Do other programs like a cookie control and whatever kinds of security traps analyse every packet to/from your system for possible code of any kind (spam, spy, malicious) online, live from some server? Then you get lots of traffic and Windows 98 will not be able to deal with that and will freeze after a while.
    Maybe you can look at your programs and settings and see if there can be done something.
    Do the PCCillin and PestPatrol tools run fine together? Is one of them responsible for the delay in email collection?

    Yes, I reread your postings, and I remember this: ZoneAlarm has the vsmon thing always there, even if you disconnect from the internet and close ZA, so this causes the restarting of scandisk.
    Only in safe mode will you get through it properly.
    You have to close all unnecessary programs and AV/AT scanners anyway for a scandisk and defrag, so safe mode is easier to do.

    Please report back.
     
  7. controler

    controler Guest

    Hello

    I have seen lots of trouble using the new ASUS motherboard probe. In fact, just recently I had trouble with it on an ME system using an ASUS mobo with an AMD 500 3D CPU. It kept freezing the ASUS program, but I could close it using CTRL-ALT-DEL.
    Are you using the same version listed here?

    http://fileforum.betanews.com/detail.php3?fid=1053033598
     
  8. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Regarding the 194.168.4.100 host, that is a legitimate DNS server for Cable Online and the traffic you described consists of normal DNS queries, so there is nothing to worry about there.

    Your new HJT log looks good.

    I believe rpcss would come into play when file and printer sharing is enabled on the system. If you have that enabled and you do not have a home network, you might want to disable it and see if you still continue to get the rpcss activity.

    I'm pretty much working under the idea that it is one of the aforementioned utilities, and given what Controler writes I rather suspect the Asus one. Depending on the design of the board, disabling the auto-launch of the utility may hamper much or little of the performance of the system, but at least as a test you might try disabling it for a day to see if the issue goes away.

    Of course, even if it does go away, there is yet to answer why it suddenly started causing problems. But the main point here is to narrow the focus of the issue.
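Dan's reading of the Port Explorer log (one remote host, always port 53, answered queries, climbing local ports) can be turned into a small checker. The script below is an added example, not code from the thread or from Port Explorer; it parses the log line format posted above, summarises traffic per remote host, and separates the normal DNS-client pattern from the scan-like pattern Jooske asked about. The 194.168.4.100 lines are copied from the posted log; the 192.0.2.10 lines, the path C:\CONSTRUCTED\EXAMPLE.EXE and the thresholds in classify() are constructed for the example.

```python
import re
from collections import defaultdict

# One Port Explorer log record, as posted in this thread:
# date time ACTION PROTO local_ip:port remote_ip:port status [bytes] path:pid [country]
LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<action>OPEN|SEND|RECEIVE|CLOSE)\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<lip>[\d.]+):(?P<lport>\d+)\s+"
    r"(?P<rip>[\d.]+):(?P<rport>\d+)\s+(?P<status>\S+)(?:\s+(?P<size>\d+)\s)?"
)

# Sample input: the 194.168.4.100 lines are copied from the log posted above (VSMON.EXE
# resolving names); the 192.0.2.10 lines are CONSTRUCTED for contrast, not from the thread.
SAMPLE_LOG = r"""
25/08/2003 11:28:00am SEND UDP 0.0.0.0:1802 194.168.4.100:53 Success 43 C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE:-320789 United Kingdom
25/08/2003 11:28:00am RECEIVE UDP 0.0.0.0:1802 194.168.4.100:53 Success 95 C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE:-320789 United Kingdom
25/08/2003 11:28:00am CLOSE UDP 0.0.0.0:1802 194.168.4.100:53 Success C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE:-320789 United Kingdom
25/08/2003 11:28:16am OPEN UDP 0.0.0.0:0 0.0.0.0:0 Success 0 C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE:-320789
25/08/2003 11:28:16am SEND UDP 0.0.0.0:1803 194.168.4.100:53 Success 44 C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE:-320789 United Kingdom
25/08/2003 11:28:16am RECEIVE UDP 0.0.0.0:1803 194.168.4.100:53 Success 96 C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE:-320789 United Kingdom
25/08/2003 11:28:17am SEND UDP 0.0.0.0:1804 194.168.4.100:53 Success 44 C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE:-320789 United Kingdom
25/08/2003 11:28:17am RECEIVE UDP 0.0.0.0:1804 194.168.4.100:53 Success 96 C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE:-320789 United Kingdom
25/08/2003 11:30:00am SEND TCP 0.0.0.0:1900 192.0.2.10:21 Success 0 C:\CONSTRUCTED\EXAMPLE.EXE:-1
25/08/2003 11:30:00am SEND TCP 0.0.0.0:1901 192.0.2.10:22 Success 0 C:\CONSTRUCTED\EXAMPLE.EXE:-1
25/08/2003 11:30:00am SEND TCP 0.0.0.0:1902 192.0.2.10:23 Success 0 C:\CONSTRUCTED\EXAMPLE.EXE:-1
25/08/2003 11:30:01am SEND TCP 0.0.0.0:1903 192.0.2.10:25 Success 0 C:\CONSTRUCTED\EXAMPLE.EXE:-1
25/08/2003 11:30:01am SEND TCP 0.0.0.0:1904 192.0.2.10:80 Success 0 C:\CONSTRUCTED\EXAMPLE.EXE:-1
"""

def parse(text):
    """Turn log text into a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["lport"], e["rport"] = int(e["lport"]), int(e["rport"])
            e["size"] = int(e["size"]) if e["size"] is not None else None  # CLOSE has no size
            events.append(e)
    return events

def summarize(events):
    """Per remote host: SEND count, distinct remote and local ports, and RECEIVE count."""
    stats = defaultdict(lambda: {"sends": 0, "replies": 0, "rports": set(), "lports": set()})
    for e in events:
        if e["rip"] == "0.0.0.0":        # OPEN rows carry a placeholder endpoint, not a peer
            continue
        s = stats[e["rip"]]
        if e["action"] == "SEND":
            s["sends"] += 1
            s["rports"].add(e["rport"])
            s["lports"].add(e["lport"])
        elif e["action"] == "RECEIVE":
            s["replies"] += 1
    return stats

def classify(s):
    """Heuristic verdict for one remote host's summary (thresholds are constructed)."""
    # A client talking to one service rotates its LOCAL (ephemeral) port per request:
    # climbing numbers like 1802, 1803, 1804 are expected, not a scan of the peer.
    if s["rports"] == {53} and s["replies"] >= s["sends"] // 2:
        return "dns-client: answered queries to port 53; rotating local ports are normal"
    # A scan looks the other way round: many REMOTE ports on one host and few or no replies.
    if len(s["rports"]) >= 5 and s["replies"] == 0:
        return "scan-like: one host, many remote ports, no replies"
    return "other"

def report(text):
    """Map each remote host seen in the log to its verdict."""
    return {ip: classify(s) for ip, s in summarize(parse(text)).items()}
```

Running report(SAMPLE_LOG) gives the DNS-client verdict for 194.168.4.100 and the scan-like verdict for the constructed 192.0.2.10 host.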
     