Unknown virus / malware

#1 VeeDub
Hi,

I have a computer running NT4 that has some sort of virus that is date activated. The symptoms are that if you restart the computer with today's date, IE won't load any pages once the system restarts. If you open the Internet icon in the Control Panel you can view all the tabs except the Connections tab (which just hangs). Some applications also won't start when the computer is in this state (NAV, MDaemon).

If you set the date back (to say 30-06-2005) and restart the computer, then everything works fine. Once you log on you can change the date to today's date and everything continues to work OK (which is what I am doing as a work-around at the moment).

NAV doesn't detect any virus. Spyware Doctor removed some spyware. Panda doesn't detect any virus. SpyBot has immunised and doesn't detect any viruses. I tried to use HouseCall, but it wants to use the Java engine, which unfortunately NT4 does not support.

I suspect the issue may be related to Zone Alarm, which used to be installed on the computer. When the license expired I expected ZA to continue to work (but no longer be able to update), like it does on my WXP computer. However, on the NT4 system it went into some sort of "lockdown" mode which prevented all Internet access (much like what I am experiencing now).

ZA then proved to be a real handful to remove; however, I was eventually able to remove all the program files and registry entries (according to the removal instructions on the ZA forums). However, the date does not tie in with the license expiry date of ZA, so while I suspect ZA, I am not absolutely certain. There is nothing about these symptoms in the ZA forums.

Here's the log, hope something shows up ...

Thanks,

VW

Logfile of HijackThis v1.99.1
Scan saved at 0:53:18, on 16/12/05
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT.SBS\System32\smss.exe
C:\WINNT.SBS\system32\winlogon.exe
C:\WINNT.SBS\system32\services.exe
C:\WINNT.SBS\system32\lsass.exe
C:\WINNT.SBS\system32\spoolss.exe
C:\WINNT.SBS\system32\RpcSs.exe
C:\WINNT.SBS\System32\msdtc.exe
C:\Program Files\APC\PowerChute Business Edition\agent\pbeagent.exe
C:\Program Files\APC\PowerChute Business Edition\server\pbeserver.exe
E:\ARCSERVEIT\DBENG.EXE
E:\ARCSERVEIT\JOBENG.EXE
E:\ARCSERVEIT\MSGENG.EXE
E:\ARCSERVEIT\TAPEENG.EXE
E:\ARCSERVEIT\casmrtbk.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
E:\ALERT\ALERT.EXE
C:\Program Files\NAV\defwatch.exe
C:\Program Files\Promise\FastTrak\FtrakSvc.exe
C:\WINNT.SBS\system32\cba\pds.exe
C:\MDaemon\APP\MDAEMON.EXE
C:\Program Files\NAV\rtvscan.exe
C:\Program Files\SSC\NSCTOP.EXE
E:\ARCSERVEIT\RDS.EXE
c:\winnt.sbs\system32\pstores.exe
C:\Program Files\Symantec\Quarantine\Server\qserver.exe
C:\WINNT.SBS\System32\LOCATOR.EXE
C:\WINNT.SBS\system32\MSTask.exe
C:\WINNT.SBS\system32\MsgSys.EXE
C:\WINNT.SBS\system32\tapisrv.exe
C:\WINNT.SBS\System32\wins.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINNT.SBS\System32\inetsrv\inetinfo.exe
C:\WINNT.SBS\system32\ams_ii\hndlrsvc.exe
C:\WINNT.SBS\system32\ams_ii\iao.exe
C:\WINNT.SBS\system32\cba\xfr.exe
E:\ExchSrvr\bin\mad.exe
C:\WINNT.SBS\System32\nddeagnt.exe
C:\WINNT.SBS\System32\ASDscSvc.exe
C:\WINNT.SBS\System32\Liccheck.exe
C:\WINNT.SBS\Explorer.EXE
C:\Program Files\NAV\vptray.exe
C:\WINNT.SBS\System32\HPJETDSC.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Promise\FastTrak\RAIDeUtility.exe
C:\VIAhm\viahm.exe
E:\ExchSrvr\bin\events.exe
E:\EXCHSRVR\connect\msexcimc\bin\msexcimc.exe
E:\download\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smh.com.au/
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT.SBS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NAV\vptray.exe
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKCU\..\Run: [HP JetDiscovery] HPJETDSC.EXE
O4 - HKCU\..\Run: [Set Time] E:\ZEN\DT\SetTime2.vbs
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: FastCheck Monitoring Utility.lnk = C:\Program Files\Promise\FastTrak\RAIDeUtility.exe
O4 - Global Startup: VIA Hardware Monitor.lnk = C:\VIAhm\viahm.exe
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O13 - WWW. Prefix: http://
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cvcltd.com.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 203.134.64.66 202.138.0.10
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 70.84.234.226 70.84.234.227 203.134.64.66
O23 - Service: APC PBE Agent (APCPBEAgent) - APC - C:\Program Files\APC\PowerChute Business Edition\agent\pbeagent.exe
O23 - Service: APC PBE Server (APCPBEServer) - APC - C:\Program Files\APC\PowerChute Business Edition\server\pbeserver.exe
O23 - Service: ARCserveIT Database Engine (ASDBEngine) - Unknown owner - E:\ARCSERVEIT\DBENG.EXE
O23 - Service: ARCserveIT Discovery Service (ASDiscoverySvc) - Computer Associates - C:\WINNT.SBS\System32\ASDscSvc.exe
O23 - Service: ARCserveIT Job Engine (ASJobEngine) - Unknown owner - E:\ARCSERVEIT\JOBENG.EXE
O23 - Service: ARCserveIT Message Engine (ASMsgEngine) - Unknown owner - E:\ARCSERVEIT\MSGENG.EXE
O23 - Service: ARCserveIT Tape Engine (ASTapeEngine) - Unknown owner - E:\ARCSERVEIT\TAPEENG.EXE
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cheyenne Alert Notification Server - Cheyenne Division Of Computer Associates International, Inc. - E:\ALERT\ALERT.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NAV\defwatch.exe
O23 - Service: Promise FastTrak DMI Service (FastTrakDMISvc) - Unknown owner - C:\Program Files\Promise\FastTrak\ftdmisvc.exe
O23 - Service: Promise FastTrak Log Service (FastTrakSvc) - Promise Technology Inc. - C:\Program Files\Promise\FastTrak\FtrakSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: Intel Alert Handler - Intel Corporation - C:\WINNT.SBS\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - Intel Corporation - C:\WINNT.SBS\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel Corporation - C:\WINNT.SBS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel Corporation - C:\WINNT.SBS\system32\cba\pds.exe
O23 - Service: MDaemon - Alt-N Technologies, Ltd. - C:\MDaemon\APP\MDAEMON.EXE
O23 - Service: MVFJFNG - Sysinternals - www.sysinternals.com - C:\TEMP\MVFJFNG.exe
O23 - Service: Norton AntiVirus Server - Symantec Corporation - C:\Program Files\NAV\rtvscan.exe
O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\Program Files\SSC\NSCTOP.EXE
O23 - Service: Symantec Central Quarantine (qserver) - Symantec Corporation - C:\Program Files\Symantec\Quarantine\Server\qserver.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)



The log above was run when the computer was restarted with today's date (i.e. IE was not working).


#2 VeeDub
Hi,

It would be useful for me to know whether the log that I have posted appears to be clean. That way at least I know that what I am dealing with is some code that modifies an existing process.

Any general advice on tools or how-tos that I could use to try and isolate this offending code would also be appreciated.

Thanks.

VW
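Both posts ask the same two things: whether the log looks clean, and what could isolate code that only misbehaves when the machine boots with today's date. The script below is an added example written for this thread; it is not the poster's tool, not part of HijackThis, and not from any product named in the log. It parses HJT-format lines, flags O23 service entries by a few heuristics, compares the O17 NameServer lists across control sets, and diffs two snapshots of the same log. `LOG_BAD_DATE` is an excerpt copied from the posted log; `LOG_GOOD_DATE` is a constructed stand-in for a log taken after booting with the date set back, differing in one arbitrary line purely so the diff has something to show, and it says nothing about what that machine actually reported. The flag heuristics (owner string, TEMP paths, vowel-less names) are assumptions about what deserves a manual look, not verdicts.

```python
"""Offline triage of a HijackThis (HJT) log.

Added example for this thread; not the poster's tool and not part of HJT.
The flag heuristics are assumptions about what deserves a second look.
"""
import re
from collections import defaultdict

# Excerpt copied from the log posted in this thread (trimmed to the lines used here).
LOG_BAD_DATE = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [vptray] C:\Program Files\NAV\vptray.exe
O4 - HKCU\..\Run: [Set Time] E:\ZEN\DT\SetTime2.vbs
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 203.134.64.66 202.138.0.10
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 70.84.234.226 70.84.234.227 203.134.64.66
O23 - Service: MDaemon - Alt-N Technologies, Ltd. - C:\MDaemon\APP\MDAEMON.EXE
O23 - Service: MVFJFNG - Sysinternals - www.sysinternals.com - C:\TEMP\MVFJFNG.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)
"""

# Hypothetical second snapshot, NOT from the thread: stands in for a log taken after
# booting with the date set back. It differs in exactly one line, chosen only so the
# diff below has something to show; it is no claim about the real machine.
LOG_GOOD_DATE = LOG_BAD_DATE.replace(
    "O23 - Service: MVFJFNG - Sysinternals - www.sysinternals.com - C:\\TEMP\\MVFJFNG.exe\n", "")

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
TEMP_DIR_RE = re.compile(r"\\(TEMP|TMP)\\", re.IGNORECASE)
NS_RE = re.compile(r"HKLM\\System\\(?P<cs>\w+)\\Services\\Tcpip\\Parameters: NameServer = (?P<ips>.*)")


def parse_hjt(text):
    """Return (kind, body) tuples for every 'Oxx - ...' style line; skip headers."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["kind"], m["body"]))
    return entries


def parse_service(body):
    """Split 'Service: NAME - OWNER - PATH'. The owner may itself contain ' - '
    (e.g. 'Sysinternals - www.sysinternals.com'), so take NAME off the left and
    PATH off the right and leave whatever remains as the owner."""
    rest = body[len("Service: "):]
    name, _, rest = rest.partition(" - ")
    owner, sep, path = rest.rpartition(" - ")
    if not sep:              # no owner field at all
        owner, path = "", rest
    return name, owner, path


def service_flags(name, owner, path):
    """Heuristic reasons a service entry deserves a manual look (assumptions)."""
    reasons = []
    if owner == "Unknown owner":
        reasons.append("no company name in file version info")
    if "(file missing)" in path:
        reasons.append("HJT could not find the binary at the path as written")
    if TEMP_DIR_RE.search(path):
        reasons.append("runs from a TEMP directory")
    bare = name.split(" ")[0]
    if bare.isalpha() and len(bare) >= 6 and not re.search(r"[aeiou]", bare, re.I):
        reasons.append("random-looking name (no vowels)")
    return reasons


def flag_services(entries):
    """Map service name -> reasons for every O23 entry that trips a heuristic."""
    flagged = {}
    for kind, body in entries:
        if kind == "O23":
            name, owner, path = parse_service(body)
            reasons = service_flags(name, owner, path)
            if reasons:
                flagged[name] = reasons
    return flagged


def nameservers_by_controlset(entries):
    """O17 NameServer lists keyed by control set (CCS, CS1, ...)."""
    by_cs = defaultdict(list)
    for kind, body in entries:
        m = NS_RE.match(body) if kind == "O17" else None
        if m:
            by_cs[m["cs"]].extend(m["ips"].split())
    return dict(by_cs)


def nameserver_drift(entries):
    """DNS servers the current control set (CCS) uses that no other control set
    lists; a recent change to the live TCP/IP config shows up here."""
    by_cs = nameservers_by_controlset(entries)
    current = set(by_cs.get("CCS", []))
    others = {ip for cs, ips in by_cs.items() if cs != "CCS" for ip in ips}
    return sorted(current - others)


def diff_snapshots(text_a, text_b):
    """Entries only in A and only in B (order-insensitive, header lines ignored)."""
    a, b = set(parse_hjt(text_a)), set(parse_hjt(text_b))
    return sorted(a - b), sorted(b - a)


if __name__ == "__main__":
    entries = parse_hjt(LOG_BAD_DATE)
    for name, reasons in flag_services(entries).items():
        print(f"O23 {name}: {'; '.join(reasons)}")
    print("DNS servers only in CCS:", nameserver_drift(entries))
    only_bad, only_good = diff_snapshots(LOG_BAD_DATE, LOG_GOOD_DATE)
    print("present only when booted with today's date:", only_bad)
```

On the posted excerpt it reports two things worth following up before anything else: the current control set's NameServer list contains 70.84.234.226 and 70.84.234.227, which ControlSet1 does not list, and the MVFJFNG service runs from C:\TEMP under a name with no vowels. The "Sysinternals" owner string is whatever the file's version resource says, so the next step is to check that file's properties, size and hash rather than trust the string. For the date-dependent behaviour, taking one HJT log in each boot state (date set back, then today's date) and running `diff_snapshots` on the pair turns the workaround the poster already uses into a differential check that shows exactly which entries change.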