TDS-3 fails to find trojan found by McAfee

Discussion in 'Trojan Defence Suite' started by Trial User, Feb 14, 2005.

Thread Status:
Not open for further replies.
Page 2 of 2
  1. Lynton

    Lynton Guest

    dvk01, again thanks for great answers. I copied UnlockDPF.bat to desktop and followed your instructions. I still don't see the hidden file. What might I be doing wrong?
    Also thanks for answer on dellater and Killbox. Can you give URL for Killbox, please?
     
    Lynton, Feb 15, 2005
    #26
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    when you open the downloaded program files folder do you see a list of files with dll's & inf files like a normal folder or do you just see a list of controls with installed or unknown beside them
     
    dvk01, Feb 15, 2005
    #27
  3. Lynton

    Lynton Guest

    dvk, I just see a list of controls with Installed status...
     
    Lynton, Feb 15, 2005
    #28
  4. Lynton

    Lynton Guest

    Not meaning to confuse this thread, here is the HJT log you asked for:

    Logfile of HijackThis v1.99.0
    Scan saved at 10:30:01 PM, on 15/02/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Raxco\PerfectDisk\PDSched.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINNT\System32\freecell.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\TDS3\tds-3.exe
    C:\WINNT\msagent\AgentSvr.exe
    C:\WINNT\system32\notepad.exe
    C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Windows NT\Accessories\wordpad.exe
    C:\Program Files\Ad-Aware\Ad-Aware SE Personal\Ad-Aware.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\LYNTON~1\LOCALS~1\Temp\Rar$EX00.656\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:2323
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic\Copernic Agent\CopernicAgentExt.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
    O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic\Copernic Agent\Web\SearchExt.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\Copernic\COPERN~1\COPERN~1.EXE
    O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\Copernic\COPERN~1\COPERN~1.EXE
    O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\Copernic\COPERN~1\COPERN~1.EXE
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/316c40ec95b6697ffc01/netzip/RdxIE601.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://esignaltraining.webex.com/client/v_mywebex/webex/ieatgpc.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4427/mcfscan.cab
    O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/download/0.x/regdload.cab
    O23 - Service: Acronis Scheduler2 Service - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: Aluria Spyware Eliminator Service - Unknown - C:\PROGRA~1\SYSTEM~1\SPYWAR~1\ASE\ASE\ASEServ.exe
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: NOD32 Kernel Service - Unknown - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
    O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    O23 - Service: PDScheduler - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
    O23 - Service: TrueVector Internet Monitor - Zone Labs LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
     
    Lynton, Feb 15, 2005
    #29
  5. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    double click the bat file again and make sure that you see a black screen falsh up

    some script blockers in your antivirus will attempt to stop any bat file being run
     
    dvk01, Feb 15, 2005
    #30
  6. Lynton

    Lynton Guest

    dvk, there is a flash but it's almost instantaneous and it's not full screen, it's just "window" sized..I suspect it is being blocked...
     
    Lynton, Feb 15, 2005
    #31
  7. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    There's nothing obvious in the HJT log
     
    dvk01, Feb 15, 2005
    #32
  8. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    that is what it's supposed to do , just a quick windows size flash up for a microsecond

    now open the dpf folder again and see
     
    dvk01, Feb 15, 2005
    #33
  9. Lynton

    Lynton Guest

    No luck..:-( ..please check your email..
     
    Lynton, Feb 15, 2005
    #34
  10. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    turn off microsoft Anti spyware first then that blocks if it isn't set right
     
    dvk01, Feb 15, 2005
    #35
  11. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    but just let tds fix it

    it isn't worth the aggro to mess around
     
    dvk01, Feb 15, 2005
    #36
  12. Lynton

    Lynton Guest

    ok dvk, if you say so...
    I'll delete this file that I couldn't find, that no other scanner sees..I would have loved to see this super invisible hidden file but, well, you're right, it's not worth the agro...;-)
     
    Lynton, Feb 15, 2005
    #37
  13. controler

    controler Guest

    Ok that is cool oldtimers still use BAT files ( DOS )LOL

    Unlock PDF

    cd\"WINDOWS\Downloaded Program Files"
    attrib -h -r desktop.ini
    ren desktop.ini desktop.nul
    exit

    Lock PDF

    cd\"WINDOWS\Downloaded Program Files"
    ren desktop.nul desktop.ini
    attrib +h +r desktop.ini
    exit

    Simply changing the ATTRIBS on desktop.ini and renaming it again.

    Bruce
     
    controler, Feb 15, 2005
    #38
  14. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    The alternative way to view the DPF files is

    go to Start | Run
    Paste in this command and press enter:

    regsvr32 /u occache.dll

    Boot into Safe Mode:
    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
    To get back to normal mode just restart the computer as you normally would.

    Now go to the C:\WINDOWS\Downloaded Program Files Folder and find the offending file and delete it .

    When you finish go back to:
    Start | Run
    Paste in this command:

    regsvr32 occache.dll

    but a double click on a bat file on the desktop is easier
     
    dvk01, Feb 15, 2005
    #39
Page 2 of 2
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...