TDS-3 keeps getting killed with an error

Discussion in 'Trojan Defence Suite' started by testG, May 13, 2004.

Thread Status:
Not open for further replies.
  1. testG

    testG Guest

    Ok, I did not log in as tempnexus since this is not my system and I don't want any spyware catching my passwords.
    So I've scanned the system with TDS-3 and KAV with Xbases (all in safe mode). The system had a bunch of trojans etc. Then I've scanned it with Spysweeper and it removed quite a few spyware. BUT if I try to run the TDS3 scan in normal Windows, TDS-3 gives me an error and shuts down after about 2 min. Subsequent scans in safe mode reveal nothing. Also AOL dies once in a while... it also gives an incorrect state or something like that and quits. The Windows search assistant is borked after I've removed a few spyware from this; how do I get the search assistant back on? Finally, could you please check the HijackThis log in order to make sure that there is nothing new.

    StartupList report, 5/13/2004, 9:53:32 AM
    StartupList version: 1.52
    Started from : C:\Documents and Settings\Annlise Calypso\Local Settings\Temporary Internet Files\Content.IE5\K6SWY0YD\HijackThis[1].EXE
    Detected: Windows XP (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 (6.00.2600.0000)
    * Using default options
    * Showing rarely important sections

    Running processes:

    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
    C:\Program Files\CA\eTrust Antivirus\InoRT.exe
    C:\Program Files\CA\eTrust Antivirus\InoTask.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Verizon Voyager\High Speed Internet Service\WinPoET\WrOS.EXE
    C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    C:\Program Files\Dell\AccessDirect\dadapp.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common files\WinTools\WToolsA.exe
    C:\Program Files\Common files\WinTools\WSup.exe
    C:\Program Files\America Online 9.0c\aoltray.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\America Online 9.0\waol.exe
    C:\Documents and Settings\Annlise Calypso\Local Settings\Temporary Internet Files\Content.IE5\K6SWY0YD\HijackThis[1].exe


    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0c\aoltray.exe
    AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    Verizon Support Center.lnk = C:\Program Files\Support Center\bin\matcli.exe


    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,


    Autorun entries from Registry:

    Dell|Alert = C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    MoneyStartUp10.0 = "C:\Program Files\Microsoft Money\System\Activation.exe"
    Ink Monitor = C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    DadApp = C:\Program Files\Dell\AccessDirect\dadapp.exe
    Apoint = C:\Program Files\Apoint\Apoint.exe
    type32 = "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    AdaptecDirectCD = "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    WinTools = C:\Program Files\Common files\WinTools\WToolsA.exe
    Realtime Monitor = C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
    nwiz = nwiz.exe /installquiet


    Autorun entries from Registry:

    ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
    MoneyAgent = "C:\Program Files\Microsoft Money\System\Money Express.exe"


    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
    StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\system32\ie4uinit.exe

    [{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
    StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install


    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*


    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present
    C:\WINDOWS\Fonts\Explorer.exe: not present


    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden


    Enumerating Browser Helper Objects:

    (no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
    (no name) - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll - {87766247-311C-43B4-8499-3D5FEC94A183}


    Enumerating Task Scheduler jobs:

    Disk Cleanup.job
    Norton AntiVirus - Scan my computer.job
    Symantec NetDetect.job


    Enumerating Download Program Files:

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx


    Enumerating Windows NT/2000/XP services

    AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
    AOL Connectivity Service: C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (autostart)
    Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Cnxtdiag: System32\DRIVERS\cnxtdiag.sys (autostart)
    Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Diskeeper: C:\Program Files\Executive Software\Diskeeper\DkService.exe (autostart)
    DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
    EPSON Printer Status Agent2: C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe (autostart)
    Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Event Log: %SystemRoot%\system32\services.exe (autostart)
    Fallback: System32\DRIVERS\fallback.sys (autostart)
    Fsks: System32\DRIVERS\fsksnt.sys (autostart)
    Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    eTrust Antivirus RPC Server: "C:\Program Files\CA\eTrust Antivirus\InoRpc.exe" (autostart)
    eTrust Antivirus Realtime Server: "C:\Program Files\CA\eTrust Antivirus\InoRT.exe" (autostart)
    eTrust Antivirus Job Server: "C:\Program Files\CA\eTrust Antivirus\InoTask.exe" (autostart)
    INO_FLTR: \??\C:\WINDOWS\System32\Drivers\ino_fltr.sys (autostart)
    K56: System32\DRIVERS\k56nt.sys (autostart)
    Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" (autostart)
    NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
    Plug and Play: %SystemRoot%\system32\services.exe (autostart)
    IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
    Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
    Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
    Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
    ScriptBlocking Service: C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (autostart)
    Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    SoftFax: System32\DRIVERS\faxnt.sys (autostart)
    Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
    System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Tones: System32\DRIVERS\tonesnt.sys (autostart)
    Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    V124: System32\DRIVERS\v124nt.sys (autostart)
    Windows Time: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    WAN Miniport (ATW) Service: "C:\WINDOWS\wanmpsvc.exe" (autostart)
    WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    WinPPPoverEthernet: C:\Program Files\Verizon Voyager\High Speed Internet Service\WinPoET\WrOS.EXE (autostart)
    Portable Media Serial Number: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    End of report, 11,789 bytes
    Report generated in 0.180 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
  2. Pilli

    Pilli Registered Member

    Feb 13, 2002
    Hampshire UK
    Hi testG, you have other problems that require you to post in the Adware/HiJackThis forum, as your posted information is not enough:

    Note you will have to become a member to post.

    For more information about the posting requirements go here:

    Once that is sorted out we can then address the TDS3 problem if you still have one.

    Thanks - Pilli
  3. tempnexus

    tempnexus Registered Member

    Apr 16, 2003
    Sorry, I am a member but as I said before I WAS UNABLE to post with my real name since I don't want any remaining trojans to steal my password.

    So can you guys help me now?
  4. dvk01

    dvk01 Global Moderator

    Oct 9, 2003
    Loughton, Essex. UK
    We need an HJT log, not a startup list, for this one,
    but post it in the HJT forum please.