Tech Support Guy

47 Posts
Discussion Starter · #1 ·
Help, please! I was trying to help my brother with his computer and I did an Add/Remove Programs (uninstall) on a program listed as Worms2, and after that the computer wouldn't boot up into Windows 98SE. I just see the background screen. He doesn't have a Windows disk. I have one but some of the files on it are corrupted. Any suggestions? I think I'm in deep water.

The Gator is barely treading water here...
 

59,690 Posts
Try hitting F8 when booting up and go to a command prompt. Type scanreg /restore (enter) and restore the registry to a day or two before. It might at least get you back to where you were.
 

47 Posts
Discussion Starter · #3 ·
Elam68, thanks for the help with the scanreg commands. It worked like a charm. I was able to restore and begin to work on my brother's system. I had some really tough problems with this previously unprotected system. Among the things found were two viruses and two Trojan horses and lots of tough spyware, including a very deceptive spyware-ridden blank-screen screensaver. I've done a lot of scanning with Panda and AVG 7.0, and Ad-Aware SE and Spybot S&D, and have installed SpywareBlaster and SpywareGuard. I've updated the Windows and IE software and dumped the cache and put in ActiveX security measures. I improved the system resources and went to a better video setting. I thought everything might be okay, but now I am convinced that something is going on in the registry.

When I was installing software I noticed I would have repeated file registration errors which would cause the program to malfunction or fail. Complete and thorough uninstalls and reinstalls cleared it up. This happened for three separate programs. It had nothing to do with the download, only the install.

Also, after a period of idle time (perhaps 24 hrs) I found an error in Zone Alarm. It was unable to activate the ZClient component, causing the program to fail. Reboots would not clear the problem and I was afraid to go online without Zone Alarm intact, so I had to restore. Still, in a short while I found the ISP dialer causing a Windows error due to a missing file, and no reboots would clear the problem. I did some research elsewhere and came back several hours later and powered up and got through Windows with no fault and got online.

I've made a HijackThis log. Please take a look and see if you can advise. Thanks, again.

Logfile of HijackThis v1.99.0
Scan saved at 11:48:48 PM, on 2/2/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\EXECUTIVE SOFTWARE\DISKEEPER\DKSERVICE.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPZTSB08.EXE
C:\PROGRAM FILES\BUTTERFLY OASIS SCREENSAVER\BO1HELPER.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\NETSCAPE INTERNET SERVICE\DIALER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\NETSCAPE INTERNET SERVICE\NETSCAPE WEB ACCELERATOR\NSACCEL.EXE
C:\PROGRAM FILES\NETSCAPE INTERNET SERVICE\CSS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.65.101.250/sbms/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://216.65.101.250/sbms/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O1 - Hosts: 66.40.16.218 auto.search.msn.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\PROGRAM FILES\NETSCAPE INTERNET SERVICE\NETSCAPE WEB ACCELERATOR\PBHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb08.exe
O4 - HKLM\..\Run: [BO1HelperStartUp] C:\PROGRAM FILES\BUTTERFLY OASIS SCREENSAVER\BO1HELPER.EXE /partner BO1
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [DkService] C:\Program Files\Executive Software\Diskeeper\DkService.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\Spywareguard\sgmain.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: SonnReg.lnk = C:\Program Files\E-Color\Registration\SonnReg.exe
O8 - Extra context menu item: RoboForm &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .DImg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin5.dll
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
O16 - DPF: Serome Web2Phone - http://www.dialpad.com/applet/vscp.cab
O16 - DPF: Yahoo! PagerLite - http://jpager.yahoo.com/jpager/y/pg4_x.cab
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030106/cccabs/CleverContent.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

I noticed that my Windows software is not at the latest update for some reason, despite my recent efforts. So I will be back, if I can get back, after I do some more updating and rebooting and rerunning of HijackThis. See ya soon, hopefully...
 

47 Posts
Discussion Starter · #4 ·
Hi!
I'm back and although I made a few minor updates the version is still 4.10.1998, while my Win 98SE machines are 4.10.2222. Could the difference be due to different types of processors: Intel Celeron versus Pentiums? Anyway, here's the new HijackThis log:

Logfile of HijackThis v1.99.0
Scan saved at 3:14:23 AM, on 2/3/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\EXECUTIVE SOFTWARE\DISKEEPER\DKSERVICE.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPZTSB08.EXE
C:\PROGRAM FILES\BUTTERFLY OASIS SCREENSAVER\BO1HELPER.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\NETSCAPE INTERNET SERVICE\DIALER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\NETSCAPE INTERNET SERVICE\NETSCAPE WEB ACCELERATOR\NSACCEL.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\NETSCAPE INTERNET SERVICE\CSS.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.65.101.250/sbms/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://216.65.101.250/sbms/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O1 - Hosts: 66.40.16.218 auto.search.msn.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\PROGRAM FILES\NETSCAPE INTERNET SERVICE\NETSCAPE WEB ACCELERATOR\PBHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb08.exe
O4 - HKLM\..\Run: [BO1HelperStartUp] C:\PROGRAM FILES\BUTTERFLY OASIS SCREENSAVER\BO1HELPER.EXE /partner BO1
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [DkService] C:\Program Files\Executive Software\Diskeeper\DkService.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\Spywareguard\sgmain.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: SonnReg.lnk = C:\Program Files\E-Color\Registration\SonnReg.exe
O8 - Extra context menu item: RoboForm &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .DImg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin5.dll
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
O16 - DPF: Serome Web2Phone - http://www.dialpad.com/applet/vscp.cab
O16 - DPF: Yahoo! PagerLite - http://jpager.yahoo.com/jpager/y/pg4_x.cab
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030106/cccabs/CleverContent.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

Please take a look and advise. Thank you so much!
 

59,690 Posts
It looks like your brother's machine is an original Win98 and you have Win98 Second Edition. I've found that the Second Edition offers more utilities and easier network solutions. Any way to upgrade his to SE?
Also, you might want to clear out your temp files and temporary internet files.
And, when you get to the desktop, hit control-alt-delete and see if there's anything running that you don't recognize.
 

47 Posts
Discussion Starter · #6 ·
Thanks for your reply ekim68. You know, I did clean out the temporary internet files and temporary files and cookies, etc. and cache using Zone Alarm Pro and it freed up 416 MB. I've been checking the running programs as you said with ctrl-alt-delete and there's nothing that shouldn't be there. I went over to www.answersthatwork and checked the Task List. I was thinking about getting their Ultimate Toolkit and trying to fine tune. I was also thinking about using a registry cleaner. But I wonder if either of these ideas would be useful at this point. I guess you didn't see anything wrong in the above HijackThis logs. I'll continue to work with the PC tonight and report back. Thanks for your help. I look forward to any further guidance.
 

59,690 Posts
There is a free Microsoft registry checker on majorgeeks.com. You can try that. What I've found useful is Norton SystemWorks for checking registry entries. If you have a copy, just run it from the CD and click on WinDoctor. I recommend against installing it and running it because it is a resource hog. I've looked at your log and I'll do a little research and get back to you.
 

59,690 Posts
In your HijackThis log, fix:
O1 - Hosts: 66.40.16.218 auto.search.msn.com

And these next few are in your startup files but don't really need to be there:

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb08.exe
O4 - HKLM\..\Run: [BO1HelperStartUp] C:\PROGRAM FILES\BUTTERFLY OASIS SCREENSAVER\BO1HELPER.EXE /partner BO1
O4 - HKLM\..\RunServices: [DkService] C:\Program Files\Executive Software\Diskeeper\DkService.exe

And, fix these:
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030106/cccabs/CleverContent.cab
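The judgement ekim68 applies above (a hosts-file entry that sends a Microsoft search domain to a third-party IP, a search URL and an ActiveX download pointing at bare IP addresses, and IE buttons whose target file no longer exists) can be encoded as a small triage script. The script below is an added example and is not something posted in this thread or shipped with HijackThis; the heuristics are my own assumptions rather than HijackThis rules. It parses the `Rn`/`On` line format of the logs posted earlier, flags entries matching those heuristics, and diffs two scans so that a later log can be compared with an earlier one. The "before" sample lines are copied from the first log in this thread; the "after" sample is constructed to show what that subset would look like once the listed items are fixed.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Sample lines copied from the first log posted in this thread, trimmed to the
# entries the discussion turns on.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.65.101.250/sbms/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O1 - Hosts: 66.40.16.218 auto.search.msn.com
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030106/cccabs/CleverContent.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
"""

# Constructed "after" sample: the flagged items removed, one benign O4 entry
# (taken from the second log in the thread) added.
LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
"""

# HijackThis entry lines look like "O16 - DPF: ..." or "R1 - HKCU\...".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
URL_RE = re.compile(r"https?://[^\s\"']+")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<name>\S+)")


def parse_hjt(text):
    """Return (section, body) tuples for every entry line in a HijackThis log."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def _bare_ip(host):
    """True if host is a literal IP address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def flag_suspicious(entries):
    """Apply the triage heuristics (assumptions, not HijackThis rules)."""
    findings = []
    for section, body in entries:
        if section == "O1":
            # A hosts entry pointing a name at loopback is a common ad-blocking
            # trick; a non-loopback IP redirects that name somewhere else.
            m = HOSTS_RE.match(body)
            if m and not _bare_ip(m.group("ip")):
                loopback = False
            elif m:
                loopback = ipaddress.ip_address(m.group("ip")).is_loopback
            if m and not loopback:
                findings.append((section, f"hosts file sends {m.group('name')} to {m.group('ip')}"))
        elif section in ("R0", "R1", "O16"):
            # Search pages and ActiveX (.cab) downloads fetched from a bare IP.
            for url in URL_RE.findall(body):
                host = urlparse(url).hostname
                if host and _bare_ip(host):
                    findings.append((section, f"{section} points at a bare IP: {url}"))
        elif section == "O9" and body.endswith("(file missing)"):
            findings.append((section, f"orphaned IE button entry: {body}"))
    return findings


def diff_logs(before, after):
    """Entries removed and entries added between two scans, as sorted lists."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for section, reason in flag_suspicious(parse_hjt(LOG_BEFORE)):
        print(f"[{section}] {reason}")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print(f"{len(removed)} entries gone, {len(added)} entries new since last scan")
```

Running it on a full log is just a matter of reading the file into `parse_hjt`; the diff is the useful part on a thread like this one, where three logs were posted over a week and the question is what changed between them rather than what each one contains.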
 

47 Posts
Discussion Starter · #9 ·
Wow ekim68! What a night I had... I'm fighting a Trojan and he's winning. After doing the stuff we talked about and running Registry Mechanic, I could tell that I still had the problem. So I thought, from the fact that things started happening after a delay in my normal activities and the fact that I could see a flash of an outline of a window on my computer when the icons were appearing on the desktop at startup, that possibly I still had something from the downloaded screensaver. So I searched the forums for screensaver spyware and got a post in early Jan 2005. The guy, like me, was having a tough time of it. I saw a plan for flushing out the spyware laid out. I followed the plan and just at the end the dial-out started and I couldn't cancel it, and I didn't realize it was a Trojan trying to get on the web till later when it started accessing the disk and I tried to cancel the connection. It didn't dawn on me to pull the plug. Anyway I got it cancelled when I realized it and then later decided to go out to online virus/trojan cleaners to get rid of him, but he just broke the connection every time I did. I snuck one in through the history file and got to Symantec to run one there, but no luck, they didn't detect him. I got to housecall.trendmicro but he failed the connection for the update and foolish me left for a few minutes and he went to work. I found him and powered off. Well, I worked all night and I'm discouraged, but I brought the computer home with me where I have the possibility of dial-up or cable modem. Don't know just what to do at this point. I've run Spybot S&D and CWShredder since the dial-out but nothing.
 

47 Posts
Discussion Starter · #10 ·
ekim68,

Here's the plan I followed from mjack547:

Run an online antivirus check from at least one, and preferably 2, of the following sites:

http://security.symantec.com/default.asp?
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/
http://www.ravantivirus.com/scan/
http://www.anti-trojan.net/en/onlinecheck.aspx

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean, have it delete it or make a note of the exact file name and file location so you can delete it yourself.

Then
Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described:

CWshredder from http://www.subratam.org/?page=removal
Spybot - Search & Destroy from http://security.kolla.de
Download Adaware SE http://www.lavasoftusa.com/support/download/

then
Run CWSHREDDER,

Close all browser windows, click on the cwshredder.exe, then click "FIX" (Not "Scan only") and let it do its thing.
And make sure you have all of Microsoft's security updates.

then reboot &

Run Spybot S&D

After installing, first press Online, press Search for Updates, then tick the updates it finds, then press Download Updates. Beside the download button is a little down-pointed arrow; select one of the servers listed. If it doesn't work or you get an error message then try a different server.

Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

then reboot &

Run ADAWARE

Install the program and launch it.

First, in the main window look in the bottom right corner and click on Check for updates now, then click Connect and download the latest reference files.

From the main window: click Start, then under Select a scan mode tick Perform full system scan.

Next deselect Search for negligible risk entries.

Now to scan just click the Next button.

When the scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop-down menu and click Next.)
 

47 Posts
Discussion Starter · #13 ·
Sorry, I was off a couple days...just exhausted working on this problem. Finally had to get some sleep.

I'm afraid I don't know where the trojan is exactly. The closest I could get to an address was that he was in c:/windows/systems; the address was truncated and I was not in advanced mode on Spybot S&D so I couldn't get the rest of it.

What is worse is that when I went out on the internet he called out and started accessing the disk. When I noticed, I broke the internet connection but the disk activity kept on, so I powered down. I am fearful that he has called in a really bad actor to destroy the hard drive. At this point I don't know what is the best next step to take. Do you have any ideas? I am afraid to turn the power on but I've got to start somewhere. Many thanks.
.....the Gator with her tail between her legs
 

59,690 Posts
You said earlier that you ran an AVG scan. Do you have the latest definitions? And do you have "Show hidden files" in your folder options checked? If not, open My Computer and click on Tools, then Folder Options, View, and click on Show hidden files, and uncheck the next two lines. Then hit Apply in the lower right and then click on "Like Current Folder". Run AVG again and let's see if we can find this thing. You might want to unplug your modem. And, post another HijackThis log. After you save the log, you might want to copy it to a floppy and send it by way of your computer.
 

47 Posts
Discussion Starter · #15 ·
Okay, ekim68, here's the results:

AVG (last updated 2/3/05) scanned 32,060 objects and 0 infected objects were detected. I also ran a-squared with the update as of 2/5/05; it also found no malware. Previously, when I went to Symantec and did the online scan there, they didn't detect him, nor did RAV. I just couldn't get past him to do the housecall.trendmicro online update. He was fighting me at every turn.

I was very happy tonight to find the computer disk and data apparently functional.

Here's the HijackThis log:

Logfile of HijackThis v1.99.0
Scan saved at 12:10:49 AM, on 2/8/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\EXECUTIVE SOFTWARE\DISKEEPER\DKSERVICE.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPZTSB08.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\PROGRAM FILES\NETSCAPE INTERNET SERVICE\NETSCAPE WEB ACCELERATOR\PBHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb08.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [DkService] C:\Program Files\Executive Software\Diskeeper\DkService.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\Spywareguard\sgmain.exe
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: RoboForm &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .DImg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin5.dll
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
O16 - DPF: Serome Web2Phone - http://www.dialpad.com/applet/vscp.cab
O16 - DPF: Yahoo! PagerLite - http://jpager.yahoo.com/jpager/y/pg4_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

It seemed this guy really turned bad after I ran CWShredder, Friday night. That's when he started trying to call out. Or at least that's when I first noticed him doing it. Since then it's been ugly. But with no internet connection available tonight, there was no sign of activity on his part that I could see.

Hope you can get something from this. What do you think we should try next? Again, many thanks.
 

Registered · 59,690 Posts
Since all of the scans are clean, I just don't see any signs of trojans. Let's try some other things. If you're comfortable going into the bios setup, then make sure the computer is set to NOT wake up from a remote signal. (Some older bios settings may not have this feature.) Try uninstalling the modem and reinstalling it. Turn off any auto-updates, such as the anti-spyware and anti-virus and see if it tries to connect.
And, after poking around, I've found that the Rnaapp.exe in your system files (the Windows 98 dial-up networking app) can be called up by VSMON.EXE, which is a core element of the ZoneAlarm firewall. (Apparently ZA's previous versions (3.x) didn't have this, and they're working to fix this in later versions.) Try turning it off and just run a program in Windows and see if the modem is trying to dial up. You might try checking with a ZoneAlarm forum for more info.
 

Registered · 47 Posts · Discussion Starter · #17
Hi ekim68!

I was unable to figure out how to get into the BIOS of this computer. I looked it up in my book Windows 98 Secrets and it said that how you change your computer's BIOS settings varies with the manufacturer. In the example in the book they were working with a Phoenix BIOS and that used the F2 key during boot-up. I tried it but it doesn't work for me and I'm unable to figure out just what key combination to use to get into it.

I did read some things in the Zone Alarm forums and learned some general info on trojans and picked up two more scanning systems to try. I went to www.trojanscan.com, a free online trojan scanner. It was good but the last update was in 10/04. No trojans were detected but I did have some trouble with the malware after the scan, which I will describe later. I also tried the 30-day trial of TDS, which is super thorough and updated daily but basically didn't find the malware... I will show you some interesting info from the scans though.

During all this activity I was online from 0200 - 1200 with no sign of interference from the malware as far as accessing the internet was concerned. I'm not sure he's fully aware of my address since I am now at my home rather than at my brother's place. Today was my first day online with this computer since I got back here. I don't know? Perhaps the remote computer guy is busy at a job or school. I did however see signs of the malware software: the outline of the screen at startup of Windows, and during one of the trojan scans the cursor changed from an arrow to the creepy little gloved hand that I've only seen in association with that malware screen saver my brother downloaded that I think brought this guy in to begin with. After the scan was over, the old bad screen saver caused a blank black screen and Ctrl-Alt-Del just said that trojanscan.com was non-responsive. Ending it led to a general Windows error message. There was nothing to do but shut down. That's a familiar pattern for that screen saver. Just can't eliminate him except by setting desktop to screen saver none.

I tried to cancel any autostarts that would access the internet but some like AVG Free won't give you that option. But I do have control over internet access for this computer because I'm using dial-up and configuring Zone Alarm to require my permission for the dialer to be allowed to access the internet. So far, he has been unable to override that. It stops him cold.

Here's the log from the TDS scan:
08:57:56 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
08:57:57 [Init] Started 09-02-05 08:57:57 Central Standard Time (UTC: 6), Internet Time @665.24
08:57:57 [Init] Loading TDS-3 Systems ...
08:57:57 [Init] Token successfully adjusted.
08:57:57 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
08:57:57 [Init] • Plugins : OK. Loaded 13
08:57:57 [Init] • Exec Protection : Not Installed
08:57:57 [Init] WARNING: Your Radius.TD3 database needs to be updated!
08:57:57 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
08:57:57 [Init] Licensed users can use the Update facility from the TDS menu
08:57:58 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
08:58:31 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
08:58:31 [Init] • Systems Initialised [39471 references - 16560 primaries/10873 traces/12038 variants/other]
08:58:31 [Init] Radius Systems loaded. <Databases updated 14-10-2004>
08:58:40 [Init] TDS-3 Ready. <P v [email protected], 0.0.0.0, 0.0.0.0, 0.0.0.0, 127.0.0.1 - usa>
08:58:40 [Tip Of The Day] Do you think TDS-3 is missing something that you'd like to see built in? If so, email [email protected] - TDS-3 was built on customer requests and feedback, and we'd love to hear from you.
08:58:41 [TDS] Good morning P v warren.
08:59:00 [Mutex Memory Scan] Started...
08:59:02 [Mutex Memory Scan] Finished (no trojan mutexes found).
08:59:02 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
09:21:23 [Quit] Unloading ...
09:24:27 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
09:24:27 [Init] Started 09-02-05 09:24:27 Central Standard Time (UTC: 6), Internet Time @683.65
09:24:27 [Init] Loading TDS-3 Systems ...
09:24:27 [Init] Token successfully adjusted.
09:24:27 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
09:24:27 [Init] • Plugins : OK. Loaded 13
09:24:27 [Init] • Exec Protection : Not Installed
09:24:27 [Init] WARNING: Your Radius.TD3 database needs to be updated!
09:24:27 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
09:24:27 [Init] Licensed users can use the Update facility from the TDS menu
09:24:28 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
09:25:15 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
09:25:16 [Init] • Systems Initialised [46476 references - 22387 primaries/11938 traces/12151 variants/other]
09:25:16 [Init] Radius Systems loaded. <Databases updated 09-02-2005>
09:25:16 [Init] TDS-3 Ready. <P v [email protected], 0.0.0.0, 0.0.0.0, 172.164.5.70, 127.0.0.1 - usa>
09:25:16 [Tip Of The Day] To see everyone who is connected to your computer using a TCP connection, click on System Analysis | Netstat, then click on the Remote Connections tab.
09:25:16 [TDS] Good morning P v warren.
09:25:49 [Mutex Memory Scan] Started...
09:25:53 [Mutex Memory Scan] Finished (no trojan mutexes found).
09:25:53 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
09:38:21 [CRC32] Started - verifying 29 files ...
09:38:28 [CRC32] File doesn't exist: C:\WINDOWS\System\cmd.exe
09:38:29 [CRC32] File doesn't exist: C:\WINDOWS\System\netstat.exe
09:38:30 [CRC32] File doesn't exist: C:\WINDOWS\System\drwatson.exe
09:38:34 [CRC32] File doesn't exist: C:\WINDOWS\System\drwtsn32.exe
09:38:35 [CRC32] File doesn't exist: C:\WINDOWS\System\rundll32.exe
09:38:40 [CRC32] File doesn't exist: C:\WINDOWS\System\taskman.exe
09:38:42 [CRC32] File doesn't exist: C:\WINDOWS\System\taskmgr.exe
09:38:45 [CRC32] File doesn't exist: C:\WINDOWS\System\winlogon.exe
09:38:46 [CRC32] File doesn't exist: C:\WINDOWS\System\regedt32.exe
09:38:48 [CRC32] File doesn't exist: C:\WINDOWS\System\netmsg.dll
09:38:50 [CRC32] File doesn't exist: C:\WINDOWS\System\winsock.dll
09:38:55 [CRC32] Test finished.
09:50:13 [Memory Scan] Memory scan started, please wait a moment ...
09:50:31 [Memory Scan] Memory scan complete.
09:50:31 [Mutex Memory Scan] Started...
09:50:33 [Mutex Memory Scan] Finished (no trojan mutexes found).
09:50:33 [Trace Scan] Started...
09:52:16 [Trace Scan] Finished.
09:52:16 [Service\Driver Scan] Scanning for services and drivers ...
09:52:16 [Service\Driver Scan] Scanned 20 services and drivers.
09:52:17 [File Scan] Scanning in A:\ ...
09:52:19 [File Scan] Scanned 0 files: 0 alarms in 2.261719 seconds (Avg 1. files/sec)
09:52:19 [File Scan] Scanning in C:\ ...
11:14:55 [File Scan] Scanned 19954 files: 1 alarms in 4955.43 seconds (Avg 5.03 files/sec)
11:14:56 [File Scan] Scanning in D:\ ...
11:14:56 [File Scan] Scanned 0 files: 1 alarms in 5.078125E-02 seconds (Avg 1. files/sec)
11:14:57 [Scan] Finished.
11:38:54 [Screen Text] Saved to C:\PROGRAM FILES\TDS3\scr0.txt
11:42:01 [Infection Test] File infection test started. Please wait a moment while baits are deployed and tested.
11:42:01 [Infection Test] EXE infection testing started ...
11:42:08 [Infection Test] Test .exe file remained untouched.
11:42:08 [Infection Test] COM infection testing started ...
11:42:13 [Infection Test] Test .com file remained untouched.
11:43:17 [Internet IP] Current interface addresses: 0.0.0.0, 0.0.0.0, 0.0.0.0, 172.164.5.70, 127.0.0.1
11:43:18 [Internet IP] Connecting to ISP (tds.diamondcs.com.au:80) for physical test, please wait ...
11:43:38 [Internet IP] The current Internet IP address for this system is 172.164.5.70
12:23:19 [ICMP] An error occurred. Please try again.
12:28:44 [Memory Scan] Memory scan started, please wait a moment ...
12:29:28 [Memory Scan] Memory scan complete.
12:35:57 [Quit] Unloading ...
14:29:31 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
14:29:32 [Init] Started 09-02-05 14:29:32 Central Standard Time (UTC: 6), Internet Time @895.51
14:29:32 [Init] Loading TDS-3 Systems ...
14:29:32 [Init] Token successfully adjusted.
14:29:32 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
14:29:33 [Init] • Plugins : OK. Loaded 13
14:29:33 [Init] • Exec Protection : Not Installed
14:29:33 [Init] WARNING: Your Radius.TD3 database needs to be updated!
14:29:33 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
14:29:33 [Init] Licensed users can use the Update facility from the TDS menu
14:29:35 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
14:30:23 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
14:30:23 [Init] • Systems Initialised [46476 references - 22387 primaries/11938 traces/12151 variants/other]
14:30:23 [Init] Radius Systems loaded. <Databases updated 09-02-2005>
14:30:24 [Init] TDS-3 Ready. <P v [email protected], 0.0.0.0, 0.0.0.0, 172.149.255.197, 127.0.0.1 - usa>
14:30:24 [Tip Of The Day] TDS-3 is made from all-natural ingredients - no artificial preservatives or flavours added!
14:30:24 [TDS] Good afternoon P v warren.

I was particularly interested in the statement given below:

09:25:16 [Tip Of The Day] To see everyone who is connected to your computer using a TCP connection, click on System Analysis | Netstat, then click on the Remote Connections tab.

I did what it said and wrote down the info but I don't know how to interpret it. Are you familiar with the program? Could we use this to track or block the guy who's trying to access this computer?

Well, as usual got lots of questions. I'll be watching to see if he tries to do anything unusual. Thanks for your help!
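A small parser for the TDS-3 log format posted above, added here as an example (it is not part of the thread and not TDS-3's own code): it pulls out the file scans that reported alarms (the C:\ pass above reports 1 alarm whose detail is not in the posted log), the CRC32 baseline files that were not found, the dial-up IP addresses the host used, and the date of the signature database loaded, so a log like this can be read at a glance. The sample lines are constructed from the posted log, with the e-mail address replaced by "user".

```python
import re

# Constructed sample lines in the format of the TDS-3 log posted above
# (the e-mail address in the Ready line is replaced by "user").
SAMPLE_LOG = """\
09:25:16 [Init] Radius Systems loaded. <Databases updated 09-02-2005>
09:25:16 [Init] TDS-3 Ready. <user, 0.0.0.0, 0.0.0.0, 172.164.5.70, 127.0.0.1 - usa>
09:38:28 [CRC32] File doesn't exist: C:\\WINDOWS\\System\\cmd.exe
09:38:29 [CRC32] File doesn't exist: C:\\WINDOWS\\System\\netstat.exe
09:52:19 [File Scan] Scanned 0 files: 0 alarms in 2.261719 seconds (Avg 1. files/sec)
11:14:55 [File Scan] Scanned 19954 files: 1 alarms in 4955.43 seconds (Avg 5.03 files/sec)
11:14:56 [File Scan] Scanned 0 files: 1 alarms in 5.078125E-02 seconds (Avg 1. files/sec)
11:43:38 [Internet IP] The current Internet IP address for this system is 172.164.5.70
14:30:24 [Init] TDS-3 Ready. <user, 0.0.0.0, 0.0.0.0, 172.149.255.197, 127.0.0.1 - usa>
"""

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) \[([^\]]+)\] (.*)$")   # HH:MM:SS [Tag] message
SCAN_RE = re.compile(r"Scanned (\d+) files: (\d+) alarms")
DB_RE = re.compile(r"Databases updated (\d\d-\d\d-\d{4})")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_tds_log(text):
    """Return alarms, missing CRC32 baseline files, public IPs and database date from a TDS-3 log."""
    summary = {"alarms": [], "missing_files": [], "ips": [], "db_updated": None}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # tolerate wrapped or non-log lines
        ts, tag, msg = m.groups()
        if tag == "File Scan":
            s = SCAN_RE.search(msg)
            if s and int(s.group(2)) > 0:  # only scans that raised at least one alarm
                summary["alarms"].append((ts, int(s.group(1)), int(s.group(2))))
        elif tag == "CRC32" and msg.startswith("File doesn't exist: "):
            summary["missing_files"].append(msg.split(": ", 1)[1])
        elif tag in ("Init", "Internet IP"):
            d = DB_RE.search(msg)
            if d:
                summary["db_updated"] = d.group(1)
            for ip in IP_RE.findall(msg):
                # skip the unassigned and loopback addresses TDS-3 always lists
                if not ip.startswith(("0.", "127.")) and ip not in summary["ips"]:
                    summary["ips"].append(ip)
    return summary


if __name__ == "__main__":
    for key, value in parse_tds_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Comparing the IP list against the host's own dial-up sessions tells you whether every address in the log was one the ISP assigned, and the missing-file list can be checked against what the installed Windows version is expected to ship.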
 

Registered · 47 Posts · Discussion Starter · #18
Just a follow-up, I went over to PC-PitStop and found out that my BIOS is American Megatrends 04/19/99 if you can help me find out how to change the settings. Thanks again!
 

Registered · 59,690 Posts
Sometimes hitting Delete while booting will get you into the BIOS setup, or even F2. Did you set the hidden files to be shown as I suggested in an earlier post? I'm a little familiar with TDS-3. Could you post the information from the "tip of the day"? I'm going to check on a couple of things and get back to you.
 

Registered · 59,690 Posts
The reason I asked about the hidden files being shown is that maybe we can use the Find or Search option to find out what the screensaver's filename is. Go to Start > Find > Files or Folders, and in the 'Name' box type SCR; make sure that the 'Look in' box is set to My Computer, and check the 'Include subfolders' box. Maybe you could post the list.
 