2 computers with different issues..

Discussion in 'malware problems & news' started by taosk8r, Nov 3, 2004.

Thread Status:
Not open for further replies.
  1. taosk8r

    taosk8r Registered Member

    Joined:
    Nov 3, 2004
    Posts:
    4
    Well I decided to post in the forum as I didn't see anything like an 'unknown issue possibly related to virus/trojan/spyware' kinda forum.. :)

    Alright, the first and most problematic system is an old emachines 366i2 that I recently hooked up an old HD to.. Unfortunately I cannot post a HJT log since the main problem is that whatever was on that HD killed my internet access from that machine.. So, basically what happened is as soon as I hooked up the 'new' old drive, the bios started complaining of attempted boot sector writes, to which, of course I answered no.. Well I poked around a bit on the drive (w/o executing anything), and scanned it with AVP 4.5, Panda titanium, ad-aware, and webroot (spybot had started being unable to run through scans, giving me some weird 2020 search error which was in German).

    Found nothing on either of my drives with that software, but not trusting the drive due to the virus warning I disconnected it.. Once I rebooted my modem DUN looked to be working fine, but once it connected none of my apps could access the net.. It was like all the packets were being blocked. I'm extremely perplexed.. Went to safe mode, looked for dupe drivers, and ran all the scans again without detecting anything, and even went as far as reinstalling Win98 (haven't upgraded the OS that is installed, default, on the HD), removing the winmodem drivers (hcfmodem) and the DUN driver and making them reinstall, and still haven't been able to restore my internet connection. I also noted that whatever it was overwrote my un-write-protected boot floppy with an autoexec.bat that pointed to a file called cwcdos.exe in my c:\windows\cwcdata directory..

    Ok the second system got a virus which I removed with Panda (unfortunately I hadn't known that it had caused any damage, so I failed to note the name of it). Then I noticed the Internet Explorer icon has changed to the icon doze uses when you delete all the files in a dir and there is no icon info for it to point to. The new shortcut points to something similar to dw15.exe (which I found out is the MS diagnostic tool), and everything is pretty much gone from the IE dir. Also, notepad.exe has been deleted, and all the start menu items above Program files (like the windows update item) have been removed. So my first impulse was to reinstall IE.. Went through all that, and there are still no files in the IE dir (btw I can still browse with other browsers like Firefox, and even ones that overlay the IE engine like Maxthon and Deepnet Explorer, and I can browse by opening a My Computer window or something similar and typing an address into the address bar).

    With all that failing I decided to try reinstalling Win ME (which is on the 'second' system, not the first), and partway through the install it aborted giving me a 'process error' #4 (something in the hundreds like 429) which I cannot find any information about on the MS site (I will try and get on the comp in the next few days when I get ahold of my friend to look up the exact error if anyone needs it).. I suppose I will also try to reinstall again because I found an apparent spyware that went undetected by all the scanners I mentioned above called 2sect.exe that kept loading into the ctrl-alt-del thing and causing all files to get 'access to specified device, file, or path is denied' and loading up IE windows with adware (even when browsing with a browser that blocks popups and uses the IE engine).. It was pretty clever too because it would only activate the popups when you started browsing..

    Anyhow, that's all I got.. Hope some of the symptoms ring some bells with someone here..
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I would suggest trying the steps found here:

    https://www.wilderssecurity.com/showthread.php?t=50662

    Once you get one system clean, the other without internet access, you can slave its hard drive off the clean system and have it scan that drive.

    Hope this helps...

    Let us know how you go...

    Cheers :D
     
  3. taosk8r

    taosk8r Registered Member

    Joined:
    Nov 3, 2004
    Posts:
    4
    Ok.. I guess I might do better by describing a bit more about things.. The 'first' machine, the emachines one, connects with a dialup modem.. Since I cannot receive any internet info, I cannot download onto it. The second machine resides at a friend's place, and I somewhat rarely have access to it.. It connects with a broadband cable connection. Also a btw, neither machine runs WinXP (which the tool in the link is for)..

    As far as the whole 'fixing one drive and slaving it to the other' possibility.. Well the second machine's HD belongs to a friend who is very picky about stuff and probably will neither allow me to cart it to my other friend's place, nor will he likely allow me to hook my friend's HD to his machine.. Lastly even if he would, I would be highly reluctant to do so, since this very thing is how I got into this mess in the first place.. :(

    Edit: I got to the very bottom of the link and found the stuff about manually reinstalling the tcp/ip and so forth, and I'll try that and report back asap, although the link seems pretty XP focused so if someone could please tell me whether the info at the bottom will apply to Win 98 it would help.. :)
     
    Last edited: Nov 3, 2004
  4. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    Hi, just from reading your post I'd say you have multiple infections, the internet access loss is probably related to a dialer pro, also I think you may have some corrupted software, whether from Malware or incompatibilities.

    If possible I would suggest backing up the files you need to keep [only must haves] and Re-Formatting.

    If you Re-Format all Malware will be gone and you will have a fresh platform to work with, also as you said the PC's are quite old it will greatly increase their speed.

    If you do Re-Format, after loading Windows install your Anti Virus and Firewall, update them first, then update Windows. Try to get the Win updates on CD or similar, to save time. Be sure to have your system protected as much as possible before you access the net, the current situation is an unprotected WIN XP PC lasts approx. 40min on the net before infection, IRC backdoor Trojans work similarly to a port scanner, scanning the net for open PC's, DO NOT attempt WIN updates until AV & Firewall software is installed and updated.
     
  5. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    HERE you can find unofficial WIN 98 SE service pack, download and save to disk.
     
  6. taosk8r

    taosk8r Registered Member

    Joined:
    Nov 3, 2004
    Posts:
    4
    As for the dialler program, wouldn't such likely have been found with AdAware SE/Webroot?

    Unfortunately format is a no can do (for both machines - there is installed software on one that I don't know how to reinstall/don't have the install cds/disks for, and that software is mandatory to the owner of the machine, and the situation is pretty similar on the second machine as well (which, btw is a 98, not 98SE machine)).. I really really need an answer on the reinstalling tcp/ip (whether the winxp method listed in the link above works for 98)..
     
  7. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    Not sure about the Tcp/ip for 98, the dialer won't be picked up by anti spyware pro if it came with an EULA [end user licence agreement]
     
  8. Jimbob1989

    Jimbob1989 Registered Member

    Joined:
    Oct 18, 2004
    Posts:
    2,529
    If there are multiple infections, would it make sense to move as few programs across as possible, as there is the possibility that these programs have become infected by the virus(es)?

    Jimbob
     
  9. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    Probably yes, only move the pros that still work properly.
     