Top Left corner of my screen is "dead".

I am not sure how to exactly describe this, so here's what is
happening. For some weird reason the top left corner of my screen
does not work when I click on anything in that corner. On my desktop,
the icon in that corner is "My Computer". If I try to click on it,
nothing happens. If I load any program, for example, lets say I open
Internet Explorer. the "FILE and EDIT" options do not work on the top
bar. This is true of any program I open. In brief, there is an area
about 1.5 inches in size that will not work at all, on this computer,
and it's located in the top left corner of the screen. This just
suddenly happened. I suspect a possible virus, or??????

As a followup note. I have both Win98se and Win2k installed on this
computer (dual boot). This problem does not occur when I boot to
Win98, nor does it occur if I boot to Dos. It only happens when I am
booted to Win2K. This proves it's not a hardware issue, but rather a
problem in Win2K.

As a final note, using my former example, if I minimize IE, so the top
of the window is located more in the middle of the screen, then I can
click on the FILE and EDIT buttons. Therefore, it's just that corner
of the screen, which is "dead".

This is the oddest thing I have ever seen.......

It sounds as if something was interfering with your mouse so that
coordinates relating to the top left-hand corner are no longer correctly
processed. Does this happen in Safe Mode too? And what happens when you use
the usual keyboard shortcuts for those pull-down menus that are beyond the
reach of the mouse, e.g. Alt+E?

I just managed to fix the problem by restoring an earlier copy of the
registry. Hiwever, I'd still like to know what caused this in the
first place. I did not try safe mode, but using shortcuts such as
ALT+E or others DID work. One other thing I will mention is that when
Win2K was loading, I could highlight "My computer" on the desktop if I
did it immediately. After 2K completed loading, the problem appeared.
I fought with this for several days and tried all sorts of things.
Suppose I should have tried safe mode. I was about ready to reinstall
2K, but loading an earlier registry fixed it. I wonder where the
coordinates are listed in the registry? This is one of the weirdest
problems I have ever seen on a computer.

.... or mouse driver issue. It would be worthwhile to uninstall/reinstall the
driver, or else try a different mouse such as a USB device, PS2 device, etc.

Well, I'm back and reporting that the problem reappeared. However, I
think this time I actually killed it, and it IS a virus. Oddly enough
I can not find anything about this virus online. Here's what
happened:

I went to Safe Mode (VGA). In Safe mode, I found a small webpage
loaded in that corner of the screen. The page had no CLOSE or
MINIMIZE bottons, just a small screen with an error message (regular
error saying I am not online). I'm on dialup and I only let the
computer connect manually. I found that RIGHT clicking did work and
gave me the option to scroll left, scroll down, scroll right, scroll
up. I was able to right click, select PROPERTIES ,and this lead me to
this link:
http://cpk.51ku.cn/count/count.asp?m...xxx&ver=100101

(the xxxxx's are actually the name of my computer in windows, which I
replaced with x's). And this is NOT a Macintosh (mac)?

Ok, I ran "Hijack This". I found a reference to a file located in
C:\RECYCLED and called taskhit.exe. The file had an attribute of
Hidden and System. I had to go to Dos and type ATTRIB to find it.
Oddly enough, Win2k is installed on my D: partition, and I never send
anything to the recycle bin, I have it set to automatically delete. I
have Win98 on C: Win98 was not affected at all.

I manually removed this file, and the problem is gone. However,
Hijack This continues to try to load it, but says "file missing".

This is cut from a Hijack This log file (below)
O23 - Service: Updata Service Device (UpdatesService) - Unknown owner
- c:\Recycled\taskhit.exe (file missing)

The problem is gone. My whole screen works again. That webpage was
sitting there the whole time, but invisible. I could mouse over it,
but not click on the normal desktop items.

Searching for "taskhit.exe" on Google does not bring up anything
helpful about this. Yet, I know for fact that it's some sort of
malware. Maybe it's very new??????

I am crossposting this to alt.comp.anti-virus and alt.comp.virus
Maybe someone on there has an answer.

It's a computer from 2000. It would likely run XP, but nothing
higher. (1ghz processor. 512megs ram). I do not like XP.

Actually, most of the time I run Win98se. I like it the best.
I only have Win2000 installed because some USB items dont work on 98,
and some of the latest Adobe Flash stuff wont work. Had I been using
Win98, I probably would not have gotten this virus. I was too lazy to
reboot !!! I'm using Win98 now.

By the way, I did a search for that URL, and came up with this
article. This is exactly what I was infested with, but under a
different filename. Here is the (long) article:

*** FROM THE WEBSITE ***
http://www.threatexpert.com/report.a...afff38de2d086c

*** THE ARTICLE***

Visit ThreatExpert web site

Submission Summary:
Submission details:
Submission received: 17 February 2009, 04:55:45
Processing time: 8 min 12 sec
Submitted sample:
File MD5: 0xC59E4BE30B2C974936AFFF38DE2D086C
File SHA-1: 0x2ED82188E211D7A7DCC263BFD7CF017334D94059
Filesize: 241,152 bytes
Alias & packer info:
Trojan-Downloader.Win32.Delf.qks [Kaspersky Lab]
Trojan.Buzus.iij [Ikarus]
packed with: UPX [Kaspersky Lab]
Summary of the findings:
What's been found Severity Level
Creates an executable file in the fake Recycle Bin folder with the
purpose of concealing its presence in the system.
Downloads/requests other files from Internet.
Contains characteristics of an identified security risk.

Technical Details:


Possible Security Risk

Attention! The following threat category was identified:
Threat Category Description
A program that downloads files to the local computer that may
represent security risk

File System Modifications

The following files were created in the system:
# Filename(s) File Size File Hash Alias
1 c:\RECYCLER\taskts.exe
[file and pathname of the sample #1] 241,152 bytes MD5:
0xC59E4BE30B2C974936AFFF38DE2D086C
SHA-1: 0x2ED82188E211D7A7DCC263BFD7CF017334D94059
Trojan-Downloader.Win32.Delf.qks [Kaspersky Lab]
Trojan.Buzus.iij [Ikarus]
packed with UPX [Kaspersky Lab]
2 %System%\[filename of the sample #1 without extension].bat 120
bytes MD5: 0xAB7411F18E91B1C49430F4D99C0FDE52
SHA-1: 0xF268C0D52DCEF744259EC1A36622F5C2619FABBE (not available)

Note:
%System% is a variable that refers to the System folder. By default,
this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32
(Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

There were new processes created in the system:
Process Name Process Filename Main Module Size
taskts.exe c:\recycler\taskts.exe 544,768 bytes
[filename of the sample #1] [file and pathname of the sample #1]
544,768 bytes

There was a new service created in the system:
Service Name Display Name Status Service Filename
TCencerVer Safe Center Service "Running" c:\RECYCLER\taskts.exe

Registry Modifications

The following Registry Keys were created:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TCENCERVER
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TCENCERVER\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TCENCERVER\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TCencerVer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TCencerVer\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TCencerVer\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TCENCERVER
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TCENCERVER\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TCENCERVER\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCencerVer
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCencerVer\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCencerVer\Enum
The newly created Registry Values are:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TCENCERVER\0000\Control]
*NewlyCreated* = 0x00000000
ActiveService = "TCencerVer"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TCENCERVER\0000]
Service = "TCencerVer"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Safe Center Service"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TCENCERVER]
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TCencerVer\Enum]
0 = "Root\LEGACY_TCENCERVER\0000"
Count = 0x00000001
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TCencerVer\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00
02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00
01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01
00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TCencerVer]
Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "c:\RECYCLER\taskts.exe"
DisplayName = "Safe Center Service"
ObjectName = "LocalSystem"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TCENCERVER\0000\Control]
*NewlyCreated* = 0x00000000
ActiveService = "TCencerVer"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TCENCERVER\0000]
Service = "TCencerVer"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Safe Center Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TCENCERVER]
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCencerVer\Enum]
0 = "Root\LEGACY_TCENCERVER\0000"
Count = 0x00000001
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCencerVer\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00
02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00
01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01
00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCencerVer]
Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "c:\RECYCLER\taskts.exe"
DisplayName = "Safe Center Service"
ObjectName = "LocalSystem"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
NotifyDownloadComplete = "yes"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet
Settings]
ProxyEnable = 0x00000000
The following Registry Value was deleted:
[HKEY_USERS\.DEFAULT\AppEvents\Schemes\Apps\Explorer\Navigating\.Current]
(Default) = "%SystemRoot%\media\Windows XP Start.wav"
The following Registry Values were modified:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
(Default) = 0x0000000C
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
(Default) = 0x0000000C
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell
Folders]
Cookies = "%Profiles%\LocalService\Cookies"
Local AppData = "%Profiles%\LocalService\Local Settings\Application
Data"
History = "%Profiles%\LocalService\Local Settings\History"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\3]
1601 = 0x00000000

Other details

To mark the presence in the system, the following Mutex object was
created:
CritOpMutex
The following port was open in the system:
Port Protocol Process
1037 UDP taskts.exe (c:\RECYCLER\taskts.exe)

The following Internet Connection was established:
Server Name Server Port Connect as User Connection Password
cpk.51ku.cn 80 (null) (null)

The following GET requests were made:
count/count.asp?mac=COMPUTERNAME&ver=090205
count/index.jpg
myxy.asp

Please submit a sample of "taskhit.exe" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendor's scanners.
That will give you an idea what it is and who recognizes it. In addition Virus
Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:scan@virustotal.com?subject=SCAN

When you get the report, please post back the exact results.

I suggest that you look at the win-98 forum on msfn.org as well as look
at the win-98 files available from mdgx.com. You will find many
techniques, patches, fixes and upgrades for win-98 that gives it more
flexibility and compatibility with many newer USB devices as well as
being able to install and run many application programs that are usually
classified as "win-2K" or newer. For example, I happen to be running
Flash version 10.0.12.36 on my win-98 system.

I shoud have saved a copy of it, but it's gone. I would have liked to
get it analyzed too. I thought I had saved a copy, after changing the
..exe to .txt, (filename) but because it was in the recycle bin, it was
not saved.
From what I recall, the file size was the same as the file listed in
the article I posted. Probably the same file under another name.

Thanks a lot for these tips. One of my biggest problems has been
running that Flash 10xxxx. Plus USB support. And then my Win2K
install will not run my Canon LBP465 printer (no drivers for 2k and
up). I am glad to hear that people continue to create patches for
Win98. I am not willing to upgrade, which means buying a new
computer, when I am perfectly happy with Win98 and dont want all the
bloat in XP and higher. Besides, I can always fix 98 when it gets
messed up, from the command prompt. One can not do that with XP and
above. (I can sort of still od it with 2K, because I did not use the
NTFS format).

By the way, I absolutely hate the way Win2k puts stuff in the
Documents and Settings folder. At least 98 had a separate folder in
the windows dir for the Desktop, and Favorites, and other stuff like
that. Plus, 2K has this "RECENT" folder which is nothing but an
accumulation of links to everything I touch on the computer, and this
is most annoying because if anyone goes on my computer, they have a
record of everything I do. There is no way to turn this off either.
I just have to remove it constantly. I hate to think how they track
usage in Vista and Win7.

Also in the MRU (most recently used) registry entries for many
applications.

These locations and behaviours are configurable by registry settings.
Using TweakUI from MS is probably the easiest way to change them.

You might be surprised about what info is tracked in Windows and saved
in the registry. Google for articles by Didier Stevens on "UserAssist".

If you install XP on a drive that's been formatted as FAT32, and
"install" DOS first on that drive, then when you install XP you'll be
able to set it up as a dual-boot with a choice to boot into DOS or into
XP. You can download DOS 7.1, which supports long file names.

If you boot into DOS, you'll have full access to all files on the drive.

No third-party boot manager needed.

I'm curious ... what is it that can be "fixed" from a win98 command prompt
that can't be "fixed" from an winXP or win2000 command prompt?

We use FAT32 for the system "C:" drive, and ext3 for everything else, as the
ext3 journaled file system allows for very large video files, and the 2TB
USB drives are RW'able with Linux systems as well.

http://www.fs-driver.org/

NTFS is proprietary, and like most of Billy-Boy's software doesn't work or
play well with others, the sole exception being the ODBC drivers

TweakUI can change the location of the "stuff". You may have
to login as admin.
Or you can tinker with
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
\Explorer\Shell Folders

The Recent can be cleared automatically at logon (TweakUI >
Paranoia).
For on-the-fly clearing you can write a script a la
if exist X:"%homepath%"\Recent\*.lnk del D:"%homepath%"\Recent
\*.lnk

The X: is a drive letter. If you didn't move the Doc's and
Sett's, the X: is %homedrive%.

He's talking about the DOS command prompt I believe - using DOS as a
maintenance OS.

The command interpreter in the "Recovery Console" environment for NT
versions is limited in scope, but in Vista (and probably Windows 7) it
has been improved.

MAC = Media Access Control address. All network interfaces (such as
an ethernet card) have a unique MAC address which supposedly differs
from every other individual nework interface in the world.
I'm guessing your virus is keeping track of the MAC address of your
computer, for it's own virulent purposes.

Go to Start Button/Programs/Administrative Tools/Services.
See if a service of that name is present. If so, STOP it if
it's started, then set it to Disabled.

Then delete the service entirely:

1. Run "C:\WINNT\regedit.exe".
2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
3. If there's a folder in there that you can clearly identify
as being your virus, delete it.

WARNING: Deleting stuff from this part of your registry is like
performing brain surgery. If for some reason you mess things up
so bad you can no longer boot, you can revert by booting with
Windows 2000 install CD, "Repair an Installation", "Repair Console".
Go into C:\WINNT\system32\config and do these two commands:
ren SYSTEM SYSTEM.BAD
copy SYSTEM.ALT SYSTEM
That reverts to last known good copy of your system hive.