TDS File infection (virus-checker) freezes computer

Discussion in 'Trojan Defence Suite' started by intheusa, Nov 1, 2004.

Thread Status:
Not open for further replies.
  1. intheusa

    intheusa Guest

    Hello,

    Looking for good advice, and recommended virus scanner.

    Computer base system

    Windows 98 Gold (Win9x 4.10.1998)
    Internet Explorer v5.51 SP2 (5.51.4807.2300)

    TDS V3.2.0 Radius database Oct 14,04

    Complete scan on drive and memory (clean)
    Scanning the manually isolated files, now on CD-RW, yields the names of the trojans found.

    Used the TDS virus-checker; the COM and EXEC launch locks up the computer, to the extent that no reboot is possible with CTRL-ALT-DEL; a power down was required. Your COM and EXEC files were still not changed (checked with hex editor). Waited 45 minutes to reboot.

    Thought DiamondCS might be interested in what is freezing my computer and their TDS program; if so, read on. I have not purchased TDS (yet); the trial version looks good so far. I did buy Port Explorer.

    Problem: was hijacked Oct 3, 04. Been basically off line on this computer (cable modem). All security was compromised; fixed manually, but not sure. Caught the hijack in progress.

    Any recommendations for a good program that checks this?

    Also the computer will not execute HiJackThis.EXE in normal or SAFE mode: page fault error 015F:004CA030. The program works fine on another Win98 computer. In fact this is why I think something is still wrong, along with the TDS lockup.

    Any other program that gives similar results to HiJackThis?

    The compromised computer seems to work OK on all other programs I have executed so far, maybe slightly slower.

    Suspect some type of hook or code in memory that starts in safe mode also. If this works in safe mode, what files should I look for? I can also work well from DOS.

    I have an exported registry from June 1, 04 for comparisons.

    No backup registry except from Aug 8, 03. Seems the computer was not backing up all this time.
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there,
    Your radius file should be of 1 November 2004 with 40502 references,
    so please get the latest on the TDS site. Put the file in the TDS directory and load TDS.

    Also I guess you might be missing system files and updates, so in your IE browser, Tools > Windows Update, please go to the Windows Update site and get all available urgent updates.

    A reboot after all that can't harm.
    Hope all is much better then!
    Please let us know your next results.
     
  4. intheusa

    intheusa Guest

    Per request

    First, this is my Control.ini file, and those two program paths are working. The mlcfg32.cpl seems to be associated with Office, which I rarely use, and launches Explorer per Prcview.Exe.

    [don't load]
    snd.cpl=no
    joystick.cpl=no
    midimap.drv=no
    sticpl.cpl=no

    [MMCPL]
    mlcfg32.cpl=C:\PROGRA~1\COMMON~1\SYSTEM\MAPI\1033\95\MLCFG32.CPL
    pfse70.dll=C:\COREL\OFFICE7\SHARED\QFINDER7\PFSE70.DLL

    [Patterns]
    (None)=(None)
    Bricks=187 95 174 93 186 117 234 245
    Buttons=170 125 198 71 198 127 190 85
    Cargo Net=120 49 19 135 225 200 140 30
    Circuits=82 41 132 66 148 41 66 132
    Cobblestones=40 68 146 171 214 108 56 16
    Colosseum=130 1 1 1 171 85 170 85
    Daisies=30 140 216 253 191 27 49 120
    Dizzy=62 7 225 7 62 112 195 112
    Field Effect=86 89 166 154 101 149 106 169
    Key=254 2 250 138 186 162 190 128
    Live Wire=239 239 14 254 254 254 224 239
    Plaid=240 240 240 240 170 85 170 85
    Rounder=215 147 40 215 40 147 213 215
    Scales=225 42 37 146 85 152 62 247
    Stone=174 77 239 255 8 77 174 77
    Thatches=248 116 34 71 143 23 34 113
    Tile=69 130 1 0 1 130 69 170
    Triangles=135 7 6 4 0 247 231 199
    Waffle's Revenge=77 154 8 85 239 154 77 154

    [Screen Saver.3DFlowerBox]
    Smooth=1
    Slanted=0
    Cycle=0
    Spin=1
    Bloom=1
    Subdiv=10
    ColorPick=501
    ImageSize=55
    Geom=2
    TwoSided=1028

    [Screen Saver.3DPipes]
    JointType=0
    SurfStyle=0
    TextureQuality=0
    Tesselation=0
    Flex=0
    MultiPipes=1
    Texture=
    TextureFileOffset=0

    [Screen Saver.3DFlyingObj]
    Options=3
    Type=4
    Tesselation=100
    Size=73
    Texture=
    TextureFileOffset=0

    [Screen Saver.Flying Windows]
    WarpSpeed=14
    Density=15

    --------------------------------------------

    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Nick@P500, 11-01-2004
    c:\autoexec.bat
    SET FULTEMP=C:\WINDOWS\TEMP
    PATH C:\PROGRA~1\MICROS~3\OFFICE;c:\utility;c:\vcadwin\utils;C:\PBDLL60\BIN;C:\PBDLL60\BIN16;c:\rolodex
    C:\DEV\MSCDEX.EXE /D:MSCD000
    @SET CLASSPATH=C:\PROGRA~1\CANONC~1\PDELUXE\ADOBEC~1
    c:\config.sys
    c:\windows\himem.sys
    \DEV\TAISATAP.SYS /D:MSCD000 /N:1
    C:\WINDOWS\dosstart.bat
    C:\DEV\MSCDEX.EXE /D:MSCD000
    C:\PROGRA~1\MICROS~4\MOUSE\MOUSE.EXE
    c:\windows\system.ini [boot]\shell
    C:\WINDOWS\Explorer.exe
    c:\windows\system.ini [boot]\scrnsave.exe
    C:\WINDOWS\SYSTEM\3DFLOW~1.SCR
    HKCR\htafile\shell\open\command\
    C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemTray
    C:\WINDOWS\system\SysTray.Exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\EnsoniqMixer
    C:\WINDOWS\starter.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Adaptec DirectCD
    C:\PROGRA~1\CD-WRI~1\DIRECTCD\DIRECTCD.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\POINTER
    point32.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LoadPowerProfile
    Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon
    RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\LoadPowerProfile
    Rundll32.exx
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\SchedulingAgent
    C:\WINDOWS\system\mstask.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINDOWS\SYSTEM\WEBCHECK.DLL
    C:\WINDOWS\Tasks\Maintenance-Defragment programs.job
    C:\WINDOWS\DEFRAG.EXE
    C:\WINDOWS\Tasks\Maintenance-ScanDisk.job
    C:\WINDOWS\SCANDSKW.EXE
    C:\WINDOWS\Tasks\Maintenance-Disk cleanup.job
    C:\WINDOWS\CLEANMGR.EXE
    C:\WINDOWS\Start Menu\Programs\StartUp\Net.Medic.lnk
    C:\Program Files\VitalSigns\Net.Medic\Program\netMedic.exe
    C:\WINDOWS\system\iosubsys\
    C:\WINDOWS\system\iosubsys\ESDI_506.PDR
    C:\WINDOWS\system\iosubsys\HSFLOP.PDR
    C:\WINDOWS\system\iosubsys\RMM.PDR
    C:\WINDOWS\system\iosubsys\SCSIPORT.PDR
    C:\WINDOWS\system\iosubsys\CDRPWD.VXD
    C:\WINDOWS\system\iosubsys\ATAPCHNG.VXD
    C:\WINDOWS\system\iosubsys\CDFS.VXD
    C:\WINDOWS\system\iosubsys\CDTSD.VXD
    C:\WINDOWS\system\iosubsys\CDVSD.VXD
    C:\WINDOWS\system\iosubsys\DISKTSD.VXD
    C:\WINDOWS\system\iosubsys\DISKVSD.VXD
    C:\WINDOWS\system\iosubsys\NECATAPI.VXD
    C:\WINDOWS\system\iosubsys\CDUDF.VXD
    C:\WINDOWS\system\iosubsys\TORISAN3.VXD
    C:\WINDOWS\system\iosubsys\VOLTRACK.VXD
    C:\WINDOWS\system\iosubsys\CDUDFRW.VXD
    C:\WINDOWS\system\iosubsys\BIGMEM.DRV
    C:\WINDOWS\system\iosubsys\VSDLDR.PDR
    C:\WINDOWS\system\iosubsys\CDR4VSD.VXD
    C:\WINDOWS\system\iosubsys\apix.BAK
    C:\WINDOWS\system\iosubsys\Scsi1hlp.hp
    C:\WINDOWS\system\iosubsys\Acbhlpr.vxd
    C:\WINDOWS\system\iosubsys\UdfReadr.vxd
    C:\WINDOWS\system\iosubsys\drvwcdb.hp
    C:\WINDOWS\system\iosubsys\Ensqio.hp
    C:\WINDOWS\system\iosubsys\DRVWPPQT.VXD
    C:\WINDOWS\system\iosubsys\DRVWQ117.VXD
    C:\WINDOWS\system\iosubsys\MUSBPORT.PDR
    C:\WINDOWS\system\iosubsys\drvwcdb.vxd
    C:\WINDOWS\system\iosubsys\cdralvsd.vxd
    C:\WINDOWS\system\iosubsys\APIX.VXD
    C:\WINDOWS\system32\vmm32\
    C:\WINDOWS\system\vmm32\ifsmgr.vxd
    C:\WINDOWS\system\vmm32\ios.vxd
    C:\WINDOWS\system\vmm32\qemmfix.vxd
    C:\WINDOWS\system\vmm32\vmouse.vxd
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINDOWS\SYSTEM\mswsosp.dll
    C:\WINDOWS\SYSTEM\msafd.dll
    C:\WINDOWS\SYSTEM\rsvpsp.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\SetupcPerUser\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection SetupcPerUser 64 C:\WINDOWS\INF\setupc.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\AppletsPerUser\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection AppletsPerUser 64 C:\WINDOWS\INF\applets.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\FontsPerUser\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection FontsPerUser 64 C:\WINDOWS\INF\fonts.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\{5A8D6EE0-3E18-11D0-821E-444553540000}\
    rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\INF\icw.inf,PerUserStub,,36
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_ICW_Inis\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ICW_Inis 0 C:\WINDOWS\INF\icw97.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
    rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4395}\
    rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\SYSTEM\ie4uinit.inf,Shell.UserStub,,36
    HKLM\Software\Microsoft\Active Setup\Installed Components\{CA0A4247-44BE-11d1-A005-00805F8ABE06}\
    RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_Msinfo\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo 64 C:\WINDOWS\INF\msinfo.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_Msinfo2\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo2 64 C:\WINDOWS\INF\msinfo.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\MotownMmsysPerUser\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMmsysPerUser 64 C:\WINDOWS\INF\motown.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\MotownAvivideoPerUser\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownAvivideoPerUser 64 C:\WINDOWS\INF\motown.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_Base\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Base 64 C:\WINDOWS\INF\msmail.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\ShellPerUser\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection ShellPerUser 64 C:\WINDOWS\INF\shell.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\Shell2PerUser\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Shell2PerUser 64 C:\WINDOWS\INF\shell2.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_winbase_Links\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winbase_Links 64 C:\WINDOWS\INF\subase.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_winapps_Links\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winapps_Links 64 C:\WINDOWS\INF\subase.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_LinkBar_URLs\
    C:\WINDOWS\COMMAND\sulfnbk.exe /L
    HKLM\Software\Microsoft\Active Setup\Installed Components\TapiPerUser\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection TapiPerUser 64 C:\WINDOWS\INF\tapi.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUserOldLinks\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUserOldLinks 64 C:\WINDOWS\INF\appletpp.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\MmoptRegisterPerUser\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptRegisterPerUser 64 C:\WINDOWS\INF\mmopt.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\OlsPerUser\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsPerUser 64 C:\WINDOWS\INF\ols.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_Paint_Inis\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Paint_Inis 64 C:\WINDOWS\INF\applets.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_Calc_Inis\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Calc_Inis 64 C:\WINDOWS\INF\applets.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_CVT_Inis\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\MotownRecPerUser\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownRecPerUser 64 C:\WINDOWS\INF\motown.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_Vol\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Vol 64 C:\WINDOWS\INF\motown.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\MotownMPlayPerUser\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMPlayPerUser 64 C:\WINDOWS\INF\motown.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_MSWordPad_Inis\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSWordPad_Inis 64 C:\WINDOWS\INF\wordpad.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_RNA_Inis\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_RNA_Inis 64 C:\WINDOWS\INF\rna.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_Dialer_Inis\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis 64 C:\WINDOWS\INF\appletpp.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
    rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}
    HKLM\Software\Microsoft\Active Setup\Installed Components\{E4066320-E4AE-11CF-B1B0-00AA00BBAD66}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fpxprs16.inf,PerUserStub
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_CDPlayer_Inis\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CDPlayer_Inis 64 C:\WINDOWS\INF\mmopt.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015C}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.W95
    HKLM\Software\Microsoft\Active Setup\Installed Components\OlsAolPerUser\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAolPerUser 64 C:\WINDOWS\INF\ols.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\OlsAttPerUser\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAttPerUser 64 C:\WINDOWS\INF\ols.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\OlsCompuservePerUser\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsCompuservePerUser 64 C:\WINDOWS\INF\ols.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\OlsProdigyPerUser\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsProdigyPerUser 64 C:\WINDOWS\INF\ols.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\OlsMsnPerUser\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsMsnPerUser 64 C:\WINDOWS\INF\ols.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\Chl99\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\chl99.inf,InstallUser
    HKLM\Software\Microsoft\Active Setup\Installed Components\>PerUser_MSN_Clean\
    C:\Progra~1\Online~1\MSN\msnmig.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_DCC_Inis\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_DCC_Inis 64 C:\WINDOWS\INF\rna.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\Chlen-us\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\chlen-us.inf,InstallUser
    HKLM\Software\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_MSBackup_Inis\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSBackup_Inis 64 C:\WINDOWS\INF\applets1.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_Sysmon_Inis\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Sysmon_Inis 64 C:\WINDOWS\INF\appletpp.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_Onlinelnks_Inis\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Onlinelnks_Inis 64 C:\WINDOWS\INF\appletpp.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\
    C:\PROGRA~1\OUTLOO~1\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA851-CC51-11CF-AAFA-00AA00B6015C}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wpie5x86.inf,PerUserStub
    HKLM\Software\Microsoft\Active Setup\Installed Components\NetservrPerUser\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection NetservrPerUser 64 C:\WINDOWS\INF\netservr.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_Enable_Inis\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Enable_Inis 64 C:\WINDOWS\INF\enable.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{578B3FA6-6B04-4709-908B-DD1B08F565F2}C0022D\
    RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
    HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_ClipBrd_Inis\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ClipBrd_Inis 64 C:\WINDOWS\INF\clip.inf
    HKLM\System\CurrentControlSet\Services\VxD\VNETSUP\
    C:\WINDOWS\system\vnetsup.vxd
    HKLM\System\CurrentControlSet\Services\VxD\NDIS\
    ndis.vxd,ndis2sup.vxd
    HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
    C:\WINDOWS\system\JAVASUP.VXD
    HKLM\System\CurrentControlSet\Services\VxD\VRTWD\
    C:\WINDOWS\SYSTEM\vrtwd.386
    HKLM\System\CurrentControlSet\Services\VxD\VFIXD\
    C:\WINDOWS\SYSTEM\vfixd.vxd
    HKLM\System\CurrentControlSet\Services\VxD\VNETBIOS\
    C:\WINDOWS\system\vnetbios.vxd
    HKLM\System\CurrentControlSet\Services\VxD\CC95DRV\
    C:\WINDOWS\system\cc95drv.VXD
    HKLM\System\CurrentControlSet\Services\VxD\ASPIENUM\
    C:\WINDOWS\system\ASPIENUM.VXD
    HKLM\System\CurrentControlSet\Services\VxD\NDISWAN\
    C:\WINDOWS\system\ndiswan.vxd
    HKLM\System\CurrentControlSet\Services\VxD\VREDIR\
    C:\WINDOWS\system\vredir.vxd
    HKLM\System\CurrentControlSet\Services\VxD\DFS\
    C:\WINDOWS\system\dfs.vxd
    HKLM\System\CurrentControlSet\Services\VxD\NWLink\
    C:\WINDOWS\system\nwlink.vxd
    HKLM\System\CurrentControlSet\Services\VxD\VSERVER\
    C:\WINDOWS\system\vserver.vxd
    HKLM\System\CurrentControlSet\Services\VxD\VSHINIT\
    C:\WINDOWS\SYSTEM\VSHINIT.VXD
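    The Autostart Viewer report above is a flat list of location headers (registry keys, directories, startup scripts, tasks, shortcuts) each followed by the program(s) launched from that location. When you are hunting for a persistence entry it helps to pair every target with its location mechanically and to flag the ones that need a second look, such as the `Rundll32.exx` under RunServices (an extension no Win9x executable should carry) and bare file names like `point32.exe` that Windows resolves through the search path rather than from a fixed directory. The script below is an added example, not DiamondCS code; it re-types a subset of this thread's report as constructed sample input, and the `is_location` heuristic, the `KNOWN_EXTS` list and the `LOADERS` set are my assumptions about what a normal Win98 report contains.

```python
import ntpath

# Subset of the DiamondCS Autostart Viewer report posted in this thread,
# re-typed here as constructed sample input (the full report is in the post).
SAMPLE_REPORT = r"""
c:\autoexec.bat
SET FULTEMP=C:\WINDOWS\TEMP
C:\DEV\MSCDEX.EXE /D:MSCD000
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemTray
C:\WINDOWS\system\SysTray.Exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\POINTER
point32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LoadPowerProfile
Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\LoadPowerProfile
Rundll32.exx
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINDOWS\SYSTEM\WEBCHECK.DLL
HKLM\System\CurrentControlSet\Services\VxD\NDIS\
ndis.vxd,ndis2sup.vxd
"""

# Assumption: extensions a Win9x autostart report normally references.
# Anything else (like the ".exx" entry in this thread) deserves a closer look.
KNOWN_EXTS = {".exe", ".com", ".dll", ".vxd", ".386", ".pdr", ".drv",
              ".scr", ".bat", ".sys", ".hp", ".inf"}
# Assumption: loaders that legitimately appear without a directory because
# Windows always finds them on the search path.
LOADERS = {"rundll.exe", "rundll32.exe", "rundll", "rundll32"}
# Batch-file statements that set the environment rather than start a program.
ENV_CMDS = {"set", "@set", "path", "@path"}


def is_location(line):
    """Heuristic: does this line name an autostart location (registry key,
    directory, startup script, scheduled task or shortcut) rather than a
    launched target?"""
    l = line.lower()
    return (l.startswith(("hklm\\", "hkcu\\", "hkcr\\"))
            or l.endswith("\\")
            or l.endswith((".job", ".lnk", ".bat"))
            or l.endswith("config.sys")
            or ".ini [" in l)


def parse_report(text):
    """Pair each target line with the location header above it."""
    entries, location = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("DiamondCS Autostart Viewer"):
            continue
        if is_location(line):
            location = line
        elif location is not None:
            entries.append((location, line))
    return entries


def triage(entries):
    """Flag targets with an unrecognised extension or a bare file name that
    Windows would resolve through the search path."""
    findings = []
    for location, target in entries:
        exe = target.split()[0]  # unquoted paths containing spaces are not handled
        if exe.lower() in ENV_CMDS:
            continue  # environment setup, not a program launch
        ext = ntpath.splitext(exe)[1].lower()
        if ext not in KNOWN_EXTS:
            findings.append((location, target, "unrecognised extension %r" % ext))
        if "\\" not in exe and exe.lower() not in LOADERS:
            findings.append((location, target, "bare file name resolved via search path"))
    return findings


if __name__ == "__main__":
    for location, target, reason in triage(parse_report(SAMPLE_REPORT)):
        print(reason)
        print("    location:", location)
        print("    target:  ", target)
```

    Run against the sample it reports the four expected hits: `point32.exe` (bare name), `Rundll32.exx` (both rules) and the `ndis.vxd,ndis2sup.vxd` pair (bare names); `WEBCHECK.DLL`, which the thread later identifies as a Microsoft component, is a fully qualified path with a normal extension and is not flagged. The heuristic will mis-classify a `.bat` launched from a Run key as a location, so treat its output as a worklist, not a verdict.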
     
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
  6. intheusa

    intheusa Guest

    Checked file,

    Webcheck.dll is Microsoft 5.50.4807.2300, apparently installed by my cable provider, and checks out against my reg file dated June 1, 04.

    I understand the cable company Comcast.Com kind of sticks some of its own monitoring stuff in.

    What's the DLL's purpose? Will go check at Microsoft.

    By the way, want to say Thanks for help so far !!!
    I need to practice that more often

    Nick
     
  7. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Snapdragin is advising me ATM. I have been told to try this: rename HJT to HJT.com, as that might work, or try this: the tool is called "CoolWebSearch.Smartkiller (v1/v2) Miniremoval Tool" and you can find it here: http://www.bleepingcomputer.com/forums/index.php?showtutorial=47
    Please post the text of your HJT log when you get it going.

    Thank you Snap :)

    Cheers. Pilli
     
  8. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
  9. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Another tip I've seen to cure the HJT problem is to download a new copy, but make sure it is in a folder on the desktop and run it from there.
     
  10. intheusa

    intheusa Guest

    DVK01,

    Have it on hand but didn't update yet. Reason being I also ran his program StartUpList.EXE, which uses VB6 runtime files, and it works. I try to keep new installs to a minimum up to now; it makes it easier to spot bad files and registry changes.

    For this reason I am looking for good advice on the better virus scanners !!!! I downloaded Avguard ?

    I did run HiJackThis from the Desktop the 1st time. Renamed the file completely, but not with a COM extension. Even went in and edited all three (3) internal file names with a hex editor, and it still failed to run. But it runs on my other Win98 computer with the same, or close to the same, system updates.

    This is the error screen generated by Kernel32.dll

    HIJACKTHIS caused an invalid page fault in
    module HIJACKTHIS.EXE at 015f:004ca030.
    Registers:
    EAX=fffb55e7 CS=015f EIP=004ca030 EFLGS=00010297
    EBX=64800000 SS=0167 ESP=006ffe18 EBP=fffb55e7
    ECX=00000006 DS=0167 ESI=0049e433 FS=21d7
    EDX=003b954d ES=0167 EDI=00403f66 GS=0000
    Bytes at CS:EIP:
    8b 02 83 c2 04 89 07 83 c7 04 83 e9 04 77 f1 01
    Stack dump:
    00401000 00000000 818ee480 006fff78 006ffe3c 005f0000 818ee4e0 818ee4a0 004c9f60 bff8b537 00000000 818ee480 005f0000 616a6948 68746b63 45007369

    Thanks for advice !! I appreciate all help
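    The Win9x fault dialog quoted above carries more than the faulting address: the register block, the bytes at CS:EIP and the stack dump can all be pulled apart offline. The 16 bytes at EIP decode by hand to `mov eax,[edx] / add edx,4 / mov [edi],eax / add edi,4 / sub ecx,4 / ja` back to the top, a dword copy loop reading from EDX and writing to EDI, and the last three stack words, read as little-endian bytes, spell `Hijackthis`. The script below is an added example, not part of the thread; it re-types the dialog text as sample input, and `IMAGE_BASE` is an assumption (the default Win32 image base) that should be confirmed against the binary's PE header before trusting the computed offset.

```python
import re
import struct

# The fault dialog posted in this thread, re-typed here as constructed sample input.
CRASH_TEXT = """\
HIJACKTHIS caused an invalid page fault in
module HIJACKTHIS.EXE at 015f:004ca030.
Registers:
EAX=fffb55e7 CS=015f EIP=004ca030 EFLGS=00010297
EBX=64800000 SS=0167 ESP=006ffe18 EBP=fffb55e7
ECX=00000006 DS=0167 ESI=0049e433 FS=21d7
EDX=003b954d ES=0167 EDI=00403f66 GS=0000
Bytes at CS:EIP:
8b 02 83 c2 04 89 07 83 c7 04 83 e9 04 77 f1 01
Stack dump:
00401000 00000000 818ee480 006fff78 006ffe3c 005f0000 818ee4e0 818ee4a0 004c9f60 bff8b537 00000000 818ee480 005f0000 616a6948 68746b63 45007369
"""

# Assumption: default Win32 image base; verify against the PE optional header.
IMAGE_BASE = 0x00400000


def parse_registers(text):
    """Return {name: value} for every NAME=hex pair in the Registers block."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"\b([A-Z]{2,5})=([0-9a-f]{4,8})\b", text)}


def parse_code_bytes(text):
    """The raw opcode bytes the dialog printed at CS:EIP."""
    m = re.search(r"Bytes at CS:EIP:\s*\n([0-9a-f ]+)", text)
    return bytes.fromhex(m.group(1))


def parse_stack(text):
    """The dumped stack as a list of 32-bit words, in dump order."""
    m = re.search(r"Stack dump:\s*\n([0-9a-f ]+)", text)
    return [int(w, 16) for w in m.group(1).split()]


def stack_strings(words, min_len=4):
    """Re-serialise the words as little-endian bytes and extract printable runs,
    the same trick 'strings' uses, applied to the 64 bytes we have."""
    data = b"".join(struct.pack("<I", w) for w in words)
    return [s.decode("ascii")
            for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def fault_summary(text):
    """Collect what a first-pass triage wants to know from the dialog.
    'src'/'dst' follow from the hand-decoded copy loop at EIP (EDX is the
    read pointer, EDI the write pointer, ECX the remaining byte count)."""
    regs = parse_registers(text)
    return {
        "eip": regs["EIP"],
        "rva": regs["EIP"] - IMAGE_BASE,   # file offset lookup starts here
        "code": parse_code_bytes(text).hex(" "),
        "src": regs["EDX"],
        "dst": regs["EDI"],
        "remaining": regs["ECX"],
        "strings": stack_strings(parse_stack(text)),
    }


if __name__ == "__main__":
    for key, value in fault_summary(CRASH_TEXT).items():
        print("%-10s %s" % (key, hex(value) if isinstance(value, int) else value))
```

    For this dump the summary gives EIP 0x004ca030, i.e. RVA 0xca030 under the assumed base, a read pointer of 0x003b954d that lies below the image, and the string `Hijackthis` sitting on the stack; that is enough to compare the same offset on the second, working machine's copy of the binary before concluding anything about the first one.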
     
  11. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Don't run it from the desktop; that is possibly why it is giving the error. Make sure it is in a folder and run it from the folder.
     
  12. intheusa

    intheusa Guest

    Hello Again,

    Just checking back in. Merijn.org also has CWSshredder.EXE, which uses the VB 6 module and all the same DLL modules that are used by HiJackThis, and this runs successfully on my computer. (CWS found nothing.) I made the module comparison on my 2nd computer.

    I also know that my IE 5.5 explorer displays find "google.com" when starting if it thinks it has an active connection. It should not! I managed to save three of the htm files located in the temporary internet folder. One lists the script language code along with all the IP sites it's trying to direct me to, and the title page is "Goggle.com". I could post it with permission. It may be helpful. It's probably from an encrypted or compressed file because I can't find any of this text in a search.

    What's IE's startup process? What files or information does it look for? I am at a loss here. I have looked at many sites. How can I clear this out? The registry start and home pages are OK.

    When using TDS, I did notice a running TDS3EXEC.BAT file that remains alive (per Prcview.exe) even when TDS is closed. It is probably part of the TDS process, and contains:
    Set>C:\tdstemp.002
    Exit
     
  13. intheusa

    intheusa Guest

    Hello again,

    TDS scanned all files that I isolated, but did not pick up on one 380,928 byte EXE file that I also isolated. I am 90% confident it's connected with the hijacking software (trojans): 1st, its date is recent, there is no info on the file, and it has the hidden attribute within the C:\Windows\system directory.

    If interested, give me an address I can upload to. The coder actually used a label "release mutex" inside the code.
     
  14. intheusa

    intheusa Guest

    I guess I didn't isolate that file quickly enough; it has infected many of my files on both computers. I need some help here. Will upload any files necessary. I did a scan on the key name releasemutex, and it's in a lot of files.

    Nick
     
  15. FanJ

    FanJ Guest

    Nothing wrong with that file, I too have it on my system.

    On my system (Win 98 SE Dutch):
    The file <C:\TDS3exec.bat> has the following Checksum(s)
    MD5 - 7BE397BF48BEE091EB590AD103DC031E
     
  16. FanJ

    FanJ Guest

    Not clear to me....
    Which trojans were found?
    Give the scandump from TDS-3!

    What EXACTLY do you mean ?
    TDS-3 is an Anti-Trojan program, not an Anti-Virus program.

    Or were you perhaps doing this TDS-3 test:
    In TDS-3:
    System Testing >
    File Infection Test (Anti-Virus)

    The result should be:

    03:12:10 [Infection Test] File infection test started. Please wait a moment while baits are deployed and tested.
    03:12:10 [Infection Test] EXE infection testing started ...
    03:12:12 [Infection Test] Test .exe file remained untouched.
    03:12:12 [Infection Test] COM infection testing started ...
    03:12:14 [Infection Test] Test .com file remained untouched.


    - Quotes from the TDS-3 Helpfile -
    File Infection Test (Anti-Virus)

    This test creates a virgin .exe and .com file, each weighing in at approximately 15 kilobytes. These files are then executed.

    Should a .com or .exe infecting virus be alive in your system, the files should become infected. The Infection test will report back the results - whether the file remained the same, or if its modification date has changed, or if its size has changed, or if its internal contents have changed (via checksum calculations). This test should trap the majority of .exe/.com-infecting viruses.

    On a positive infection, scan these files and the rest of your system with an updated virus scanner. If none can recognize the virus it is a new virus or variant and can then be submitted to antivirus vendors for analysis.

    - end quotes -

    Completely unclear to me, sorry!!!

    First: it is not EXEC but EXE, as you see in my posting.
    Second: the rest is really unclear to me.
    Which program gave you that info, at which moment, doing what......

    Sorry once again:
    By which Hijacker was your computer compromised?
    Which program told you that your computer was compromised?
    How did you clean it?
     
    Last edited by a moderator: Nov 4, 2004
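    The help-file text quoted above describes the bait-file method: write two fresh executables of known content, run them, then compare modification date, size and checksum against the baseline. FanJ's earlier post applies the same idea to a single file by quoting its MD5 for comparison. The script below is an added example, not TDS-3 or DiamondCS code, showing the baseline-and-compare half of that test: the bait files are inert filler (constructed, not real programs), nothing is executed, and a 512-byte append stands in for whatever a file infector would leave behind so the report logic can be exercised. The 15 KB size follows the help file; `write_bait`, `fingerprint`, `compare` and `run_demo` are names I chose.

```python
import hashlib
import os
import tempfile

BAIT_SIZE = 15 * 1024  # the help file describes its baits as roughly 15 KB each


def write_bait(path, size=BAIT_SIZE):
    """Write a constructed, inert bait file of known content. TDS-3 writes
    genuine .exe/.com files and executes them; that step is Windows-specific
    and deliberately not reproduced here."""
    with open(path, "wb") as f:
        f.write((b"BAIT" * (size // 4 + 1))[:size])


def fingerprint(path):
    """The three things the help file says the test compares: modification
    date, size and a content checksum (MD5 is kept only because that is what
    the thread quotes; SHA-256 is the one to rely on)."""
    st = os.stat(path)
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"size": st.st_size, "mtime": st.st_mtime,
            "md5": md5.hexdigest().upper(), "sha256": sha.hexdigest()}


def compare(before, after):
    """Return {field: (before, after)} for every field that changed."""
    return {k: (before[k], after[k]) for k in before if before[k] != after[k]}


def matches_known_md5(path, expected_md5):
    """The check FanJ's post invites: does a file's MD5 equal a quoted value?"""
    return fingerprint(path)["md5"] == expected_md5.strip().upper()


def run_demo():
    """Deploy two baits, confirm an untouched bait reports no change, then
    simulate an appended payload and confirm the change is reported."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name in ("bait.exe", "bait.com"):
            path = os.path.join(d, name)
            write_bait(path)
            base = fingerprint(path)
            # The real test would execute the bait at this point.
            results[name] = {"untouched": compare(base, fingerprint(path))}
            with open(path, "ab") as f:          # constructed tampering, 512 bytes
                f.write(b"\x00" * 512)
            results[name]["tampered"] = compare(base, fingerprint(path))
    return results


if __name__ == "__main__":
    for name, r in run_demo().items():
        state = "remained untouched" if not r["untouched"] else "CHANGED"
        print("[Infection Test] Test %s file %s." % (name, state))
        print("[Infection Test] after tampering, changed fields:",
              ", ".join(sorted(r["tampered"])))
```

    The untouched comparison comes back empty for both baits and the tampered one reports `size`, `md5` and `sha256` (and normally `mtime`, which the test below does not assert on because coarse filesystem timestamps can coincide). Size alone is not a sufficient check, since an infector that overwrites rather than appends leaves it unchanged; the checksum is what catches that case.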
  17. Intheusa

    Intheusa Guest

    It's very clear. My computer locked up when it launched the small exe and com file the other day. That little bat file I sent was to see if it was part of the TDS process.

    I have the trojan loader file now, which TDS3 did not find, nor did online Bitdefender. I had it isolated, but it was a little too late. What I need is someone to upload this file to. I can also send a few of my infected files; this is a trojan, or maybe a cross strain.

    Whatever it is, it's new!!
     
  18. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Whatever suspicious file, what's the name, can you please submit it to submit@diamondcs.com.au for further advice, zipped if possible, and if you can add the link to this thread into your email it will be really helpful. thanks!
    Looking forward to further developments here.
     