been hacked, help

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by gonefishin, Apr 19, 2005.

  1. gonefishin

    gonefishin Private E-2

    I am on 98se, and fouled up by clicking on "ok" to a popb hacker. I have loaded my HJT log onto a disc from home and am on another computer since the infected one does not access the internet now! Outlook Express does not work either, nor does the shut down button. I have run the newest McAfee virus scan, Ad-Aware and Spybot. Lemme know if I can cut and paste my log here or attach the file?
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download HijackThis 1.99.1

    Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file, as your backups will not be safely stored.

    Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    Run HijackThis and save your log file.

    Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).
     
  3. gonefishin

    gonefishin Private E-2

    ok, here is log I saved.
     

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    eAcceleration

    Now scan with HijackThis and Check the Boxes for the following:

    O4 - HKLM\..\Run: [WebScan] C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\DEFSCANGUI.EXE -k
    O4 - HKCU\..\RunOnce: [__GSCAdditionalInstallation__] "C:\WINDOWS\TEMP\SETUPDEMO.EXE" -AdditionalInstall

    O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab
    O16 - DPF: {B71C61AE-79C5-4870-B761-07A2D21F63E0} (FreeMedia Control) - http://66.28.33.112/v1/Media.cab
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
    O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontrol) - http://secure2.comned.com/signuptemplates/AktiveSekurity.cab

    Make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\PROGRAM FILES\ACCELERATION SOFTWARE <-- Delete this whole folder if it exists!

    C:\WINDOWS\TEMP <-- Delete everything in this folder!

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
     
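A small triage helper for the O4 and O16 lines quoted in the post above, added here as an example; it is not part of the thread or of HijackThis itself. The flagging heuristics (autorun entry executing from a TEMP folder, ActiveX control downloaded from a bare IP address, control name with digit-for-letter spelling) are this example's own assumptions, and the sample log is constructed from the lines above.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the O4 (autorun) and O16 (ActiveX DPF) lines quoted in the post above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WebScan] C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\DEFSCANGUI.EXE -k
O4 - HKCU\..\RunOnce: [__GSCAdditionalInstallation__] "C:\WINDOWS\TEMP\SETUPDEMO.EXE" -AdditionalInstall
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab
O16 - DPF: {B71C61AE-79C5-4870-B761-07A2D21F63E0} (FreeMedia Control) - http://66.28.33.112/v1/Media.cab
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontrol) - http://secure2.comned.com/signuptemplates/AktiveSekurity.cab
""".strip()
# O4: "<hive>\..\<Run key>: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (HK[A-Z]+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$')
# O16: "{<CLSID>} (<friendly name, optional>) - <download URL>"
O16_RE = re.compile(r'^O16 - DPF: \{([0-9A-Fa-f-]+)\}(?: \((.*?)\))? - (\S+)$')
EXE_RE = re.compile(r'^"?(.*?\.exe)"?', re.IGNORECASE)   # executable path from a command line
IPV4_RE = re.compile(r'\d{1,3}(\.\d{1,3}){3}')

def parse_line(line):
    # Returns (section, fields) for an O4/O16 line, None for any other HJT section.
    m = O4_RE.match(line)
    if m:
        hive, key, name, cmd = m.groups()
        exe = EXE_RE.match(cmd)
        return "O4", {"hive": hive, "key": key, "name": name,
                      "path": exe.group(1) if exe else cmd}
    m = O16_RE.match(line)
    if m:
        clsid, name, url = m.groups()
        return "O16", {"clsid": clsid, "name": name or "", "url": url}
    return None

def review(log_text):
    # Returns (line, reason) pairs for entries worth a closer look; heuristics are this example's own.
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        section, f = parsed
        if section == "O4" and "\\TEMP\\" in f["path"].upper():
            findings.append((line, "autorun executable lives in a TEMP folder"))
        elif section == "O16":
            host = urlparse(f["url"]).hostname or ""
            if IPV4_RE.fullmatch(host):
                findings.append((line, "ActiveX control downloaded from a bare IP address"))
            if re.search(r'[A-Za-z]\d[A-Za-z]', f["name"]):
                findings.append((line, "control name uses digit-for-letter spelling"))
    return findings
```

Running `review(SAMPLE_LOG)` flags three of the six lines: the RunOnce entry in C:\WINDOWS\TEMP, the control fetched from 66.28.33.112, and the "SekureL0gin" control.
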
  5. gonefishin

    gonefishin Private E-2

    ok, I attempted your directions by phone from a friend who could access the internet last night. I did not get all of your message from him, as there has been no change in performance (if it is a complete fix). Two items to note: the popb.exe showed back up, which I deleted again (I had to delete in safe mode, as it said Windows was using it when trying to delete under normal mode), and even though I do not have Acceleration or eacc. programs, the Spybot files do contain many many eAcceleration zip files; should I delete these? This attack is proving to be very sophisticated, so I would imagine HJT will not completely solve the problems. I had already deleted temp, cookies and recycle bin manually, as well as using the McAfee shredder.
     

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If they are related to eAcceleration I would delete them. Also, can you attach me the log from Spybot? Be sure you have the new and updated Spybot S&D 1.4 RC1.

    Your HJT log is clean! However I still want to check some things.

    Download and install Microsoft® Windows AntiSpyware; during the install make sure you get any updates. After downloading and updating the program, REBOOT INTO SAFE MODE!

    Please make sure ALL Browser Windows are Closed.

    Now allow the Microsoft Antispyware program to run a full scan. After it completes, reboot again in normal boot mode and let me know the results.
     
  7. gonefishin

    gonefishin Private E-2

    wow, that is strange since my cable modem does not work. I'll call Roadrunner and see if that is the cause. I'll have to figure out a way to download the Microsoft software, as it is too large for a floppy. I'll delete any eAcceleration stuff and try to run a Spybot log. How about lglys, do these files mean anything? There is some other questionable stuff I've seen, so I'll attach...... One last question: have any idea how to load the file definition updates to where McAfee won't still consider HJT as having a generic worm? Thanks so much for the focus on this so far, I am in sad shape with facing a re-format if this all doesn't work!
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Post any file names and/or folders that you think are suspicious and I will try my best to identify them.
    http://vil.nai.com/vil/virus-4d.asp
     
  9. gonefishin

    gonefishin Private E-2

    Well, I re-formatted back to Win98SE, and will load XP this week. Got fed up trying to fix it without the ability to see this website, download etc.... 'Course when I re-formatted, I lost my drivers, so not much better off....... Thanks again.
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Well I hate to hear you had to do this, but glad you got it fixed.

    Good Luck!

    You should see this article on How to Protect yourself from malware!
     