Spyware / Virus Removal: spyware, virus, browser hijack and other malware removal.

#11
Old 01-08-2005, 04:42 PM
Mobo
Thinking outside the box
Join Date: Sep 2004
Location: Cape Breton
Posts: 4,587
One more thing. Ctor.dll is related to Hotbar adware, so click here with Internet Explorer and run the scan, as it detects that file: http://www.spyware911.net/xcleaner.htm
#12
Old 01-08-2005, 04:55 PM
rathnid
Junior Member
Join Date: Jan 2005
Posts: 9
Okay then, here are the "Findit" results:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 0490-4145

Directory of C:\WINDOWS\System32

01/08/2005 10:32 AM <DIR> dllcache
01/08/2005 12:21 AM <DIR> Microsoft
0 File(s) 0 bytes
2 Dir(s) 18,280,923,136 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 0490-4145

Directory of C:\WINDOWS\System32

01/08/2005 10:32 AM <DIR> dllcache
01/08/2005 12:20 AM 749 wuaucpl.cpl.manifest
01/08/2005 12:20 AM 749 cdplayer.exe.manifest
01/08/2005 12:20 AM 749 sapi.cpl.manifest
01/08/2005 12:20 AM 749 nwc.cpl.manifest
01/08/2005 12:20 AM 749 ncpa.cpl.manifest
5 File(s) 3,745 bytes
1 Dir(s) 18,280,919,040 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 0490-4145

Directory of C:\WINDOWS\System32


--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 0490-4145

Directory of C:\WINDOWS\System32

03/25/2003 05:00 AM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 18,280,919,040 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


---------------- Xfind Results -----------------


-------------- Locate.com Results ---------------


C:\WINDOWS\SYSTEM32\
cdplay~1.man Sat Jan 8 2005 12:20:14a A..HR 749 0.73 K
ncpacp~1.man Sat Jan 8 2005 12:20:14a A..HR 749 0.73 K
nwccpl~1.man Sat Jan 8 2005 12:20:14a A..HR 749 0.73 K
sapicp~1.man Sat Jan 8 2005 12:20:14a A..HR 749 0.73 K
wuaucp~1.man Sat Jan 8 2005 12:20:14a A..HR 749 0.73 K

5 items found: 5 files, 0 directories.
Total of file sizes: 3,745 bytes 3.66 K

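A defender's check suggested by the "Keys Under Notify" dump in the post above, written as an added example (it is not code from the thread or from Findit): it parses a REGEDIT4 dump in that format, decodes the hex(2) DllName values (including the spaces the forum inserted after commas), and flags any Winlogon Notify handler whose DLL is outside the set seen in this log. The dump inside the code is a constructed excerpt with one made-up subkey, "example", so the check has something to flag.

```python
import re

# Constructed REGEDIT4 excerpt modelled on the post's dump, plus a made-up "example" subkey.
NOTIFY_DUMP = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c, 00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\example]
"DllName"=hex(2):65,78,61,6d,70,6c,65,2e,64,6c,6c,00
"""

# DLLs behind the Winlogon Notify handlers listed in the post (the Windows XP defaults).
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}

def decode_reg_value(raw):
    """Decode a REGEDIT4 value: quoted string, dword, or hex(2) (REG_EXPAND_SZ as ANSI bytes)."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):
        # Forum rendering inserts spaces after some commas, so strip whitespace before decoding.
        data = bytes(int(b, 16) for b in re.sub(r"\s+", "", raw[7:]).split(",") if b)
        return data.split(b"\x00", 1)[0].decode("latin-1")
    return raw

def parse_notify_dump(text):
    """Return {subkey: {value name: decoded value}} for each subkey under Winlogon\\Notify."""
    subkeys, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^\[.*\\Winlogon\\Notify\\([^\]\\]+)\]$", line)
        if m:
            current = subkeys.setdefault(m.group(1), {})
        elif current is not None and (m := re.match(r'^"([^"]+)"=(.*)$', line)):
            current[m.group(1)] = decode_reg_value(m.group(2))
    return subkeys

def unexpected_notify_dlls(text, known=KNOWN_NOTIFY_DLLS):
    # Report (subkey, dll) pairs whose handler DLL is not in the known-good set.
    flagged = []
    for name, values in parse_notify_dump(text).items():
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), None)
        if dll is not None and dll.lower() not in known:
            flagged.append((name, dll))
    return flagged
```

Run against the full dump from the post, every handler resolves to one of the five known DLLs and nothing is flagged; the constructed "example" subkey is reported.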
#13
Old 01-08-2005, 05:03 PM
Mobo
Thinking outside the box
Join Date: Sep 2004
Location: Cape Breton
Posts: 4,587
That logfile, as well as the previous one, is clean as a whistle. Try an independent virus scan from here, maybe, because nothing is showing up except this:
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
Then reset the homepage and reboot.
#14
Old 01-09-2005, 12:06 AM
rathnid
Junior Member
Join Date: Jan 2005
Posts: 9
Okay then, after numerous attempts to run various online virus scanners, Ad-Aware, Ewido Security Suite and TauScan, they all hang up and die (two of them hung up on MSADO15.dll at 1% of the scan, then hung the whole system up). I'm wondering if you have any advice on detecting and/or removing rootkit-type invasions?
#15
Old 01-09-2005, 12:15 AM
Mobo
Thinking outside the box
Join Date: Sep 2004
Location: Cape Breton
Posts: 4,587
Try updating the version of that file by downloading and replacing it with this: http://www.dlldump.com/cgi-bin/downloadcou...s/M/msado15.dll. Be sure, however, to copy and paste the current file somewhere so it can be put back if need be.
#16
Old 01-09-2005, 10:45 PM
rathnid
Junior Member
Join Date: Jan 2005
Posts: 9
Well, when I tried copying the new msado15.dll, the whole system froze just upon trying to execute a right-click copy command. I rebooted and downloaded and installed Microsoft's new version of what used to be Giant AntiSpyware (or something like that). It reported finding SearchSquire adware installed with the following keys:
Infected registry keys/values detected
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchsquire.com
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchsquire.com * 4

I then rebooted this morning with a BartPE disk made from a clean machine last Thursday. After running several scanners with nothing reported, I ran a rather complete, almost 8-hour TauScan from the disk and found the following:

Tequilla Bandita 1.5 Trojan Virus contained in the file UPX.EXE, which it said was located in my TDS-3 install (on both drives).

Helios 4.1.0.1e Trojan Virus located at: windows/system32/Bmp2jpeg.dll

I removed them and rebooted and am trying to figure out if there's an over-arching program that has installed and controlled all of this. Have you heard of any rootkits containing these trojans?

Thanks
#17
Old 01-09-2005, 10:48 PM
Mobo
Thinking outside the box
Join Date: Sep 2004
Location: Cape Breton
Posts: 4,587
Can't say I have ever heard of such a thing before. Where did you get TDS-3 from?
#18
Old 01-10-2005, 11:13 AM
rathnid
Junior Member
Join Date: Jan 2005
Posts: 9
I downloaded TDS from the link in your posting:
http://tds.diamondcs.com.au/index.php?page=download

but I had installed it prior to when I think the infection took place. I'm thinking something co-opted TDS at that point. Also, at 1:00 a.m. today I removed the entire ADO folder containing the MSADO15.dll that kept stalling out my other scanners (did this in safe mode). After this, Ad-Aware found several instances of Alexa and Spyware Doctor said it found CWS (although CWShredder has always come up negative).
#19
Old 01-10-2005, 01:00 PM
Mobo
Thinking outside the box
Join Date: Sep 2004
Location: Cape Breton
Posts: 4,587
Did it give a location for the CWS infection, or was it a leftover reg key? Also, did you run any other scanners?