TDS-3 generating errors and closed

Discussion in 'Trojan Defence Suite' started by petiepotamus, Jul 5, 2004.

Thread Status:
Not open for further replies.
  1. petiepotamus

    petiepotamus Registered Member

    Joined:
    Jul 4, 2004
    Posts:
    6
    Just recently installed and registered TDS-3.
    The program starts and runs for a while, then generates the following error:

    tds-3.exe has generated errors and will be closed by windows. You will need to restart the program. An error log is being created.

    I tried renaming tds-3.exe and followed the instructions on the web site. Same thing.

    I had previously had the Trojan.rebootpc.b, as reported by Kaspersky anti-Virus.

    Any suggestions?

    Thank You
     
  2. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Welcome to Wilders, Petiepotamus (that's a tongue twister...) :)

    Was KAV able to clean your machine? Sounds like that might not be the case. Try posting your hijack log on this forum to see if someone can spot a problem.
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Can't get to the proper information about that file, waited over 10 minutes for the only maybe reliable page for it, KAV viruslist doesn't contain it either. It could be a legal part of a process is suggested in part of another description which i don't believe before i have all proper information.
    If you still have the file somewhere please submit@diamondcs.com.au
    As you did not disable system restore it is still in the system restore with possible overwritten files and in an older restore point before that overwriting took place.
    In the meantime nothing against the HijackThis log, think that is a great step to next now.
    Please keep us updated how it goes while i keep trying to get to that rebootpc trojan info somewhere.
     
  4. petiepotamus

    petiepotamus Registered Member

    Joined:
    Jul 4, 2004
    Posts:
    6
    Kaspersky appears to have cleaned the file involved.

    Thank You for your quick response!
    Here is the HijackThis log:

    Logfile of HijackThis v1.98.0
    Scan saved at 11:45:42 AM, on 7/5/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe
    C:\WINNT\System32\cisvc.exe
    C:\Program Files\Executive Software\Diskeeper Home Edition\DKService.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpm.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\tcpsvcs.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\progra~1\scansoft\paperp~1\pptd40nt.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
    C:\Program Files\Caere\OmniPagePro90\opware32.exe
    C:\Program Files\Motherboard Monitor 5\MBM5.EXE
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\WINNT\system32\ntvdm.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\WINNT\system32\RUNDLL32.EXE
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
    C:\WINNT\System32\tbctray.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\ScreenPrint\screenprint.exe
    C:\Program Files\UltimateZip 2.7\uzqkst.exe
    C:\WINNT\System32\cidaemon.exe
    C:\Documents and Settings\Administrator\Desktop\Hijack\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com/
    O1 - Hosts: comments (such as these) may be inserted on individual
    O2 - BHO: (no name) - {02336F51-24CA-4422-AB63-18841ADF35E6} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [TotalRecorderScheduler] C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
    O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro90\opware32.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
    O4 - HKLM\..\Run: [AVPCC] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe" /wait
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [WinPatrol PLUS] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
    O4 - HKLM\..\Run: [TraySantaCruz] C:\WINNT\System32\tbctray.exe
    O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - Startup: BHO Cop.lnk = C:\Program Files\BHOCop\BHOCop.exe
    O4 - Startup: ScreenPrint.lnk = C:\Program Files\ScreenPrint\screenprint.exe
    O4 - Startup: UltimateZip Quick Start.lnk = C:\Program Files\UltimateZip 2.7\uzqkst.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RF Toolbar &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/pcpitstop.cab
    O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} (LiveUpdate Crescendo) -
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {556DDE36-E951-11D1-A708-000000521958} - http://www.xblock.com/members/files/xcleaner_full_setup.cab
    O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
    O20 - AppInit_DLLs: ,
     
  5. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    I'm aware you can't have two AV's running resident at the same time. What about two AT's? Is this a possible conflict? o_O
     
  6. petiepotamus

    petiepotamus Registered Member

    Joined:
    Jul 4, 2004
    Posts:
    6
    TDS-3 was doing this before Trojan Hunter was installed.
    I am uninstalling Trojan Hunter.
     
  7. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    If it was fine before installing TH, then I doubt uninstalling it would make a difference.
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    The HJT log needs expert review, i just alerted them and let's see what happens.
    TDS and TH do run fine together, do you have the resident protection with TH installed?
    If you also activate KAV and PP the resident protection at the same time that is too much i guess and one of the three or two of them should be closed. Why do you have PestPatrol in the startup if you have kaspersky?
    Make sure one at most is resident, and use the other occasionally to scan files or system.
    Also when you do a full scan make sure at that moment only one scanner is running at the time:
    with any of the scanners it is no problem if you have TDS up, as long as it is not scanning at the same time, during a scan with TDS you should close all the others, including resident parts.
    So the same with KAV or PP, close all the scanner parts and resident protection to use one at the time.
    I'm 99% sure TH does want you to close all other scanners too during a full scan with that. I don't know if TH likes or dislikes any of the other scanners, only know TDS and TH run fine together normally, even with the TH resident protection up.
    What is the scansoft? another scanner or part of one of the others?

    Maybe with such advice your system runs better already?

    with my un-HJT-expert eyes i only see that O2 with no file, but don't fix that till a real HJT expert tells you to do so.
    I see only the things described, i think the system is protecting so many files that TDS can't breathe and can't run at all!

    Do you remember what was the last time when TDS ran without any problems and what you added after that or changed in your settings?
    Hmm win2000 so no system restore to try it out either..... hmmmm
    Should go back step by step as far as you remember and get programs mentioned one by one from autostart to start with.

    Looking forward to good news from you!


    PS: could you also show us the errorlog to ease searching with you?
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    We found this about Trojan.rebootpc.b and Kaspersky:
    http://www.911cd.net/911cd/details.html
    Quote:
    The 911 CD Builder: Kaspersky Antivirus gives a warning about a virus called 'Trojan.Rebootpc.b' in 'shutdown.com' in the 'mnuutils.cab' file when installing the 911 CD Builder.
    Known problems in the 911 Rescue CD
    The following is a list of some known problems with 911 Rescue CD.

    The 911 CD Builder: Kaspersky Antivirus gives a warning about a virus called 'Trojan.Rebootpc.b' in 'shutdown.com' in the 'mnuutils.cab' file when installing the 911 CD Builder.
    This is not a virus, this is a false alarm from a file that does just what its name says "SHUTDOWN.COM", it shutdown systems that supports the ATX power specification (when issued from command-line, not automatically as a virus would do), it doesn't do anything else.
    I've tested my program with the latest Norton Antivirus, McAfee Virus Scan, Trend Micro PC Cillin, F-Prot and AVG Personal Edition; and I can assure it is a false alarm caused by only the Kaspersky Anti-Virus Engine (and the Virus scanning programs that relies on its AntiVirus engine) which considers this part of the 911 CD Builder as a trojan-like activity (hence its name "trojan.Rebootpc.b" which gives the idea it considers the file as a trojan that reboots the PC, and nothing else).
    end quote


    Did you use that 911 boot CD? then know it is a false alarm of KAV and not to worry about that one, hope you didn't remove files you needed!
     
  10. petiepotamus

    petiepotamus Registered Member

    Joined:
    Jul 4, 2004
    Posts:
    6
    Trojan Hunter seems to run fine with everything running.

    TDS-3 has never completed a scan, always terminating abnormally.
    I will try running TDS-3 with Kaspersky disabled, and also PestPatrol disabled.

    Thank you for your response.
     
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Maybe for the full system scan you should also close the resident part for Trojan Hunter.
    Could it be TDS is stopping each time at the same place, for instance a very large file or each time the same RAR archive, to name some examples?
    In that case the rar file could be either corrupt or of a format TDS can't handle (maybe!) and in that case it would help to disable the scanning in archives/zip/rar to complete the scan. Until you know which file is making the trouble, which you could exclude from scanning altogether if you want.

    Please keep us informed how it goes!
     
  12. FanJ

    FanJ Guest

    Hi petiepotamus,

    Like Jooske asked:
    Did you use that "The 911 CD Builder" ?
    Was KAV the only scanner on your system that caught that one (you do have several scanners)?


    As for all your scanners:
    In general: no problem, I too have for example several AT's (on my old W 98 SE box).
    But : when I let TDS-3 (or any other AT) do a full system scan, I close ALL (other) resident AT's and AV's (and close my internet connection).
    I think you have to pay attention to that. I for one wouldn't be surprised if your TDS-3 problem would be gone if you would give TDS-3 "the room" to let it do its job ;)
    You could also think about the option not to let TDS-3 do a Process Memory Space Scan automatically; but don't forget to let TDS-3 do it another time: it IS an important part of TDS-3.
     
  13. petiepotamus

    petiepotamus Registered Member

    Joined:
    Jul 4, 2004
    Posts:
    6
    Trojan Hunter has been removed from the system.
    Cable modem has been disconnected.
    Pestpatrol has been disabled.
    Kaspersky has been disabled.
    Ran TDS-3 file scan and same thing happened.

    I tried TDS-3 demo on 3 other machines, and it ran perfect.
    One machine has Vexira Antivirus running and also pestPatrol, and there seemed
    to be no problem.
    I will be doing more tests on this problem machine.
    I will post again as soon as I have new information.

    Thanks to everyone for their response.
     
  14. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Do you have incomplete multipart RAR archives on your machine ?
    Try unticking scan ZIP/RAR and see how it goes

    If that's the problem, you can exclude the folder with those incomplete files
     
  15. petiepotamus

    petiepotamus Registered Member

    Joined:
    Jul 4, 2004
    Posts:
    6
    I unclicked scan zip/rar files, as Gavin suggested, and that did the trick. It completed normally.
    Now to find the offending zip and/or rar file(s).

    Thanks everyone for the great support.
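
    An added example, not part of the thread and not DiamondCS code: one way to look for the corrupt ZIPs or incomplete multipart RARs suggested above, so that only those files or folders need excluding from the scan. The function names are hypothetical; RAR files get only a signature check and a `name.partN.rar` numbering check, because the Python standard library cannot read RAR contents.

```python
import re
import zipfile
from collections import defaultdict
from pathlib import Path

# Signatures for RAR 1.5-4.x and RAR 5 volumes.
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")
PART_RE = re.compile(r"^(?P<base>.+)\.part(?P<n>\d+)\.rar$", re.IGNORECASE)

def check_zip(path):
    """Return a problem description for a ZIP, or None if every member's CRC checks out."""
    try:
        with zipfile.ZipFile(path) as zf:
            bad = zf.testzip()  # reads every member and verifies its CRC
    except Exception as exc:  # truncated file, bad central directory, corrupt stream
        return f"unreadable ZIP: {exc}"
    return f"CRC mismatch in member {bad!r}" if bad else None

def check_rar_header(path):
    """Signature check only: the standard library cannot read RAR contents."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(8)
    except OSError as exc:
        return f"unreadable file: {exc}"
    return None if head.startswith(RAR_MAGICS) else "no RAR signature (truncated or not a RAR)"

def missing_volumes(rar_paths):
    """Find name.partN.rar sets with gaps in their numbering.
    A missing final volume cannot be detected from file names alone."""
    sets = defaultdict(set)
    for p in rar_paths:
        m = PART_RE.match(p.name)
        if m:
            sets[(p.parent, m["base"].lower())].add(int(m["n"]))
    gaps = {}
    for (parent, base), nums in sets.items():
        absent = sorted(set(range(1, max(nums) + 1)) - nums)
        if absent:
            gaps[str(parent / base)] = absent
    return gaps

def triage(root):
    """Walk root and return {path: problem} for archives to inspect or exclude from scanning."""
    report, rars = {}, []
    for p in sorted(Path(root).rglob("*")):
        ext = p.suffix.lower()
        if not p.is_file() or ext not in (".zip", ".rar"):
            continue
        if ext == ".rar":
            rars.append(p)
        problem = check_zip(p) if ext == ".zip" else check_rar_header(p)
        if problem:
            report[str(p)] = problem
    for base, absent in missing_volumes(rars).items():
        report[base + ".part*.rar"] = f"multipart set missing volume(s) {absent}"
    return report
```

    Call `triage()` with the folder the scan was covering when it stopped and review the returned dictionary; an entry means the archive is damaged or incomplete, not that it is malicious.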
     
  16. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Gavin, would you suggest peti send you the zip file if he is able to isolate it? What type of a problem with an archive file could crash TDS? I would hope that if TDS came across a zip file it couldn't handle that it would simply skip it and notify the user.
     
  17. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    So Petie, in the meantime i also had more expert-looks on your HJT log as i needed the confirmation nothing wrong or suspicious with that, fortunately.
    Now you know you can put TH back as well, that was not the culprit as i had not expected in the first place.
    Only like we said, don't start all scanners and protection at the time and don't set more than one at a time with resident protection and you should be fine!
    Scan with different scanners, including the Adaware, SpybotS&D, look at the JavaCool tools, look at the other DiamondCS software (those run all nicely together!) including all the free tools, which are very handy things each one of them.

    The rar file (probably) is either corrupt or from a format TDS can't deal with at the moment, i don't think of zips in the first place, maybe that helps with looking for it, if you remember where TDS stopped scanning?
    It does not necessarily mean the file is dangerous.
     
  18. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I got one nice tip relating your HOSTS file:
    think you should be able to get there the easiest way via
    TDS > system analysis > View file > Network Hosts
    which should open the real HOSTS file
    You will probably have a line starting with # and
    127.0.0.1 localhost
    64.91.255.87 www.dcsresearch.com
    (add this second one if not there)
    and save.
    I mean the HOSTS file, not the Hosts.sam which will also be somewhere in your system.
    If you have no HOSTS file anywhere, copy the Hosts.sam with that name and make that addition if you like.
    That second line helps you to have your F5 button in TDS jump immediately to the TDS forum at the DiamondCS site!
     