Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Unknown virus / malware

Started by VeeDub , Dec 15 2005 08:17 AM

  • Please log in to reply

#1
VeeDub
Posted 15 December 2005 - 08:17 AM

VeeDub

    New Member

  • Member
  • Pip
  • 2 posts
Hi,

I have a computer running NT4 that has some sort of virus that is date activated. The symptoms are that if you restart the computer with today's date. When the system restarts IE won't load any pages. If you open the Internet icon in the Control Panel you can view all the Tabs except Connections Tab (which just hangs). Some applications also won't start when the computer is in this state (NAV, MDaemon).

If you set the date back (to say 30-06-2005) and restart the computer then everything works fine. Once you logon you can change the date to today's date and everything continues to work OK (which is what I am doing as a work-around at the moment).

NAV doesn't detect any virus. Spyware Doctor removed some spyware. Panda doesn't detect any virus. SpyBot has immunised and doesn't detect any viruses. I tried to use HouseCall, but it wants to use the Java engine, which unfortunately NT4 does not support.

I suspect the issue may be related to Zone Alarm, which used to be installed on the computer, and when the license expired I expected ZA to continue to work (but would no longer be able to update) like it does on my WXP computer. However on the NT4 system it went into some sort of "lockdown" mode which prevented all Internet access (much like what I am experiencing now).

ZA then proved to be a real handful to remove, however I was eventually able to remove all the program files and registry entries (according to the removal instructions on the ZA forums). However the date does not tie with the license expiry date of ZA, so while I suspect ZA, I am not absolutely certain. There is nothing about these symptoms in the ZA forums.

Here's the log, hope something shows up ...

Thanks,

VW

Logfile of HijackThis v1.99.1
Scan saved at 0:53:18, on 16/12/05
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT.SBS\System32\smss.exe
C:\WINNT.SBS\system32\winlogon.exe
C:\WINNT.SBS\system32\services.exe
C:\WINNT.SBS\system32\lsass.exe
C:\WINNT.SBS\system32\spoolss.exe
C:\WINNT.SBS\system32\RpcSs.exe
C:\WINNT.SBS\System32\msdtc.exe
C:\Program Files\APC\PowerChute Business Edition\agent\pbeagent.exe
C:\Program Files\APC\PowerChute Business Edition\server\pbeserver.exe
E:\ARCSERVEIT\DBENG.EXE
E:\ARCSERVEIT\JOBENG.EXE
E:\ARCSERVEIT\MSGENG.EXE
E:\ARCSERVEIT\TAPEENG.EXE
E:\ARCSERVEIT\casmrtbk.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
E:\ALERT\ALERT.EXE
C:\Program Files\NAV\defwatch.exe
C:\Program Files\Promise\FastTrak\FtrakSvc.exe
C:\WINNT.SBS\system32\cba\pds.exe
C:\MDaemon\APP\MDAEMON.EXE
C:\Program Files\NAV\rtvscan.exe
C:\Program Files\SSC\NSCTOP.EXE
E:\ARCSERVEIT\RDS.EXE
c:\winnt.sbs\system32\pstores.exe
C:\Program Files\Symantec\Quarantine\Server\qserver.exe
C:\WINNT.SBS\System32\LOCATOR.EXE
C:\WINNT.SBS\system32\MSTask.exe
C:\WINNT.SBS\system32\MsgSys.EXE
C:\WINNT.SBS\system32\tapisrv.exe
C:\WINNT.SBS\System32\wins.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINNT.SBS\System32\inetsrv\inetinfo.exe
C:\WINNT.SBS\system32\ams_ii\hndlrsvc.exe
C:\WINNT.SBS\system32\ams_ii\iao.exe
C:\WINNT.SBS\system32\cba\xfr.exe
E:\ExchSrvr\bin\mad.exe
C:\WINNT.SBS\System32\nddeagnt.exe
C:\WINNT.SBS\System32\ASDscSvc.exe
C:\WINNT.SBS\System32\Liccheck.exe
C:\WINNT.SBS\Explorer.EXE
C:\Program Files\NAV\vptray.exe
C:\WINNT.SBS\System32\HPJETDSC.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Promise\FastTrak\RAIDeUtility.exe
C:\VIAhm\viahm.exe
E:\ExchSrvr\bin\events.exe
E:\EXCHSRVR\connect\msexcimc\bin\msexcimc.exe
E:\download\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smh.com.au/
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT.SBS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NAV\vptray.exe
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKCU\..\Run: [HP JetDiscovery] HPJETDSC.EXE
O4 - HKCU\..\Run: [Set Time] E:\ZEN\DT\SetTime2.vbs
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: FastCheck Monitoring Utility.lnk = C:\Program Files\Promise\FastTrak\RAIDeUtility.exe
O4 - Global Startup: VIA Hardware Monitor.lnk = C:\VIAhm\viahm.exe
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O13 - WWW. Prefix: http://
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cvcltd.com.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 203.134.64.66 202.138.0.10
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 70.84.234.226 70.84.234.227 203.134.64.66
O23 - Service: APC PBE Agent (APCPBEAgent) - APC - C:\Program Files\APC\PowerChute Business Edition\agent\pbeagent.exe
O23 - Service: APC PBE Server (APCPBEServer) - APC - C:\Program Files\APC\PowerChute Business Edition\server\pbeserver.exe
O23 - Service: ARCserveIT Database Engine (ASDBEngine) - Unknown owner - E:\ARCSERVEIT\DBENG.EXE
O23 - Service: ARCserveIT Discovery Service (ASDiscoverySvc) - Computer Associates - C:\WINNT.SBS\System32\ASDscSvc.exe
O23 - Service: ARCserveIT Job Engine (ASJobEngine) - Unknown owner - E:\ARCSERVEIT\JOBENG.EXE
O23 - Service: ARCserveIT Message Engine (ASMsgEngine) - Unknown owner - E:\ARCSERVEIT\MSGENG.EXE
O23 - Service: ARCserveIT Tape Engine (ASTapeEngine) - Unknown owner - E:\ARCSERVEIT\TAPEENG.EXE
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cheyenne Alert Notification Server - Cheyenne Division Of Computer Associates International, Inc. - E:\ALERT\ALERT.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NAV\defwatch.exe
O23 - Service: Promise FastTrak DMI Service (FastTrakDMISvc) - Unknown owner - C:\Program Files\Promise\FastTrak\ftdmisvc.exe
O23 - Service: Promise FastTrak Log Service (FastTrakSvc) - Promise Technology Inc. - C:\Program Files\Promise\FastTrak\FtrakSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: Intel Alert Handler - Intel Corporation - C:\WINNT.SBS\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - Intel Corporation - C:\WINNT.SBS\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel Corporation - C:\WINNT.SBS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel Corporation - C:\WINNT.SBS\system32\cba\pds.exe
O23 - Service: MDaemon - Alt-N Technologies, Ltd. - C:\MDaemon\APP\MDAEMON.EXE
O23 - Service: MVFJFNG - Sysinternals - www.sysinternals.com - C:\TEMP\MVFJFNG.exe
O23 - Service: Norton AntiVirus Server - Symantec Corporation - C:\Program Files\NAV\rtvscan.exe
O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\Program Files\SSC\NSCTOP.EXE
O23 - Service: Symantec Central Quarantine (qserver) - Symantec Corporation - C:\Program Files\Symantec\Quarantine\Server\qserver.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)



Below is the log, which I ran when the computer was restarted with today's date (i.e. IE was not working)
  • 0

Advertisements

#2
VeeDub
Posted 16 December 2005 - 07:17 PM

VeeDub

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
Hi,

It would be useful for me to know whether the log that I have posted appears to be clean. That way at least I know that what I am dealing with is some code that modifies an existing process.

Any general advice on tools or howto's that I could use to try and isolate this offending code would also be appreciated.

Thanks.

VW
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP