Date + time random changes

Discussion in 'other security issues & news' started by Felicity, Mar 22, 2003.

Thread Status:
Not open for further replies.
  1. Felicity

    Felicity Guest

    XP 1800+ has got an odd problem: when rebooted, the time is changed. If I do a restart the change is only a few minutes; if I leave it switched off for 1 hour or more, the time and date may be different by several hours. For example: switch off 9pm 20/march. Switch on 9:05pm 20/march, date and time = 19/march-17:20. Restart and the time stays close at 8:45pm. Date = 19/march.

    Otherwise ok, running ZA-free, Kav-pers, Trojan hunter, BOClean. Scanned also with NOD32 and Avast via networked pc. Was running RAV also for 30 days. Spybot, regclean, sfc all ok. Windows update ok. XPantispy ran also.
    Easycleaner does see 6 entries in the registry that are unknown to me, all start
    HKEY-LM/software/Microsoft /WBEM/WDM. Any ideas?

    I delete them then restart with disk cleanup etc..
    But still weird time displayed.

    Any clues? NB: using separate pc to send this..
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Felicity,

    I thought of a few possibilities. All very unlikely, but I can't think of anything you haven't already checked.
    -It could be your motherboard battery, but the time would only be lagging behind more and more as far as I know.
    -The keys EasyCleaner found would indicate different user profiles. Again, very unlikely, since these wouldn't be on a different time/date.

    Although you seem to have checked everything I would like to see your StartUpList.
    Could you please download HijackThis.
    Unzip and Run it. Click Config > Misc Tools > Generate Startuplist and post the contents of the .txt file that is generated.
    Maybe that will teach us some more.

    Regards,

    Pieter
     
  3. Felicity

    Felicity Guest

    This is it... thanks in advance for looking...

    StartupList report, 22/03/2003, 21:55:32
    StartupList version: 1.52
    Started from : C:\Program Files\Hijack\HijackThis.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\BOClean.exe
    C:\Program Files\TrojanHunter 2.5\THGuard.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\AvpM.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    C:\PROGRA~1\NSClean\BOClean\BOCSEC.EXE
    C:\Program Files\Hijack\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Kaspersky Anti-Virus Monitor.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\AvpM.exe
    ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    NeroCheck = C:\WINDOWS\System32\NeroCheck.exe
    BOCleanautostart = BOClean.exe
    THGuard = "C:\Program Files\TrojanHunter 2.5\THGuard.exe"

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\System32\ssstars.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

    --------------------------------------------------

    Enumerating Download Program Files:

    [HouseCall Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
    CODEBASE = http://a840.g.akamai.net/7/840/537/2003030601/housecall.antivirus.com/housecall/xscan53.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37666.5453009259

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    End of report, 3,962 bytes
    Report generated in 0.070 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
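
An added example (not part of the original thread, and not HijackThis code): a small Python parser for the StartupList text format posted above. It splits the report on its dashed separators and lists each registry autorun entry with a flag for whether the command is an absolute path. The section and entry layout is assumed from this one report, and the sample input is a constructed excerpt of it.

```python
import re

# Constructed sample: a shortened excerpt of the report posted above.
SAMPLE_REPORT = r"""
Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\BOClean.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NeroCheck = C:\WINDOWS\System32\NeroCheck.exe
BOCleanautostart = BOClean.exe
THGuard = "C:\Program Files\TrojanHunter 2.5\THGuard.exe"

--------------------------------------------------
End of report, 3,962 bytes
"""

SEPARATOR = re.compile(r"^\s*[-=]{10,}\s*$")           # dashed/equals rule
ENTRY = re.compile(r"^([^=\[\]]+?)\s*=\s*(.+)$")        # name = command
ABSOLUTE = re.compile(r'^"?(?:[A-Za-z]:\\|\\\\)')       # C:\... or \\server\...

def split_sections(report):
    """Return [(title, lines)] for each block whose first line ends in ':'."""
    sections, block = [], []
    for line in report.splitlines() + ["-" * 50]:       # sentinel closes last block
        if SEPARATOR.match(line):
            if block and block[0].endswith(":"):
                sections.append((block[0].rstrip(":"), block[1:]))
            block = []
        elif line.strip():
            block.append(line.strip())
    return sections

def autoruns(report):
    """Return (name, command, has_absolute_path) per registry autorun entry."""
    found = []
    for title, lines in split_sections(report):
        if title.startswith("Autorun entries"):
            for line in lines:
                m = ENTRY.match(line)                   # key-path lines have no '='
                if m:
                    cmd = m.group(2)
                    found.append((m.group(1), cmd, bool(ABSOLUTE.match(cmd))))
    return found
```

A command given as a bare file name is resolved through the Windows search path, so its location is worth confirming against the running-process list; in the report above BOClean.exe runs from C:\WINDOWS\System32.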
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hi Felicity,

    My compliments. That's the cleanest StartUpList I've seen in a long time. :cool:
    Do you use multiple user profiles on that computer and, if so, are the other ones having the same problem?

    Regards,

    Pieter
     
  5. Felicity

    Felicity Guest

    Yes to multiple user accounts, me = admin plus 3 other limited. One of them does have the same problem. Other two don't know, not used.

    Battery - unlikely, 3 months old pc. No other symptoms, all progs running ok.

    Is trojan/virus possible?
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hi Felicity,

    If you do have a trojan or virus I don't see it running.
    You could check your Services to see if anything strange is going on in there.
    Start > Control Panel > Administrative Tools > Services
    While you are in the Administrative tools have a look at your logs (Event viewer) as well to see if any alarms are logged there.

    Since it is only three months old, I would consider bringing it in to the shop and letting them have a look.
    Back up your important data before you do so however.

    Regards,

    Pieter
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hi Felicity,

    Any news?
    My fellow Moderators gave me a few more things you could have a look at to solve your problem:

    - When you are looking at the Services find Windows Time, right-click it, choose Properties and set it to disabled.
    - In Trojan Hunter, try enabling the Shutdown Protection.
    - If you are using a router, check if it is equipped with time-sync.

    Regards,

    Pieter
     
  8. Felicity

    Felicity Guest

    Thanks, I'll try them and let you know.
     
  9. FanJ

    FanJ Guest

    Hi Felicity,

    Just some side-notes:

    I guess you are aware that you are running two resident ATs: BOClean and TrojanHunter-Guard.
    Usually it is not advised to use two resident AVs or ATs.
    But in this case (BOClean and TH-Guard) it looks like there is no problem having them both resident, because they work in a different way. I tried it yesterday on my W 98 SE system, no problem so far. (just the same as with BOClean and Execution Protection, the resident part of TDS-3: no problem to have them both "running"; but I myself have more experience with these two and I am more sure about no conflict between those two).

    Pieter's advice about the Shutdown Protection of TH was merely meant to make you aware of that option in TH.
     