Unknown virus - looking for advice on howto isolate and remove

Discussion in 'malware problems & news' started by VeeDub, Dec 16, 2005.

Thread Status:
Not open for further replies.
  1. VeeDub

    VeeDub Registered Member

    Joined:
    Dec 16, 2005
    Posts:
    4
    Location:
    Sydney, Australia
    Hi,

    I have a computer running NT4 that has some sort of "virus" that is date activated. The symptoms appear if you restart the computer with today's date: when the system restarts IE won't load any pages. If you open the Internet icon in the Control Panel you can view all the Tabs except the Connections Tab (which just hangs). Some applications also won't start when the computer is in this state (NAV, MDaemon).

    If you set the date back (to say 30-06-2005) and restart the computer then everything works fine. Once you logon you can change the date to today's date and everything continues to work OK (which is what I am doing as a work-around at the moment).

    NAV doesn't detect any virus. Spyware Doctor removed some spyware. Panda doesn't detect any virus. SpyBot has immunised and doesn't detect any viruses. I tried to use HouseCall, but it wants to use the Java engine, which unfortunately NT4 does not support.

    I suspect the issue may be related to Zone Alarm, which used to be installed on the computer, and when the license expired I expected ZA to continue to work (but would no longer be able to update) like it does on my WXP computer. However on the NT4 system it went into some sort of "lockdown" mode which prevented all Internet access (much like what I am experiencing now).

    ZA then proved to be a real handful to remove, however I was eventually able to remove all the program files and registry entries (according to the removal instructions on the ZA forums).

    However the date work-around does not tie with the license expiry date of ZA, so while I strongly suspect ZA has left something behind, I am not absolutely certain about this. There is nothing about these symptoms in the ZA forums.

    I have posted a Hijack log on another forum, and so far no response, which makes me suspect that I am dealing with a process that has modified an existing valid process (rather than a separate and relatively easily identifiable "foreign" process).

    What I am looking for is some advice on tools or procedures that I can follow to try and isolate and remove this nasty code.

    Thanks,

    VW
     
  2. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Zonealarm is a firewall and you managed to clear the prog files and reg entries using the ZA forums removal instructions. So what could be left behind by ZA after all that...? You said Spyware Doctor removed some spyware, got any more detailed info as to what pieces of spyware were found? I don't think it's related to Zonealarm at all.
    I suspect you may have a trojan on your computer. So maybe the trojan works similarly to those kind of computer viruses that execute various functions and activate on a specified date.
    Also, can you provide me with the link to the forum page where you posted your HijackThis log? I need to take a look at it to see if I can find any suspicious entries. And please post more information about the spyware that Spyware Doctor found.

    According to what you stated in your 1st paragraph, I think some piece of malicious software is attempting to do something with your IE and is stopping some security programs from running. The date workaround might only be a temporary measure.
     
    Last edited: Dec 19, 2005
  3. VeeDub

    VeeDub Registered Member

    Joined:
    Dec 16, 2005
    Posts:
    4
    Location:
    Sydney, Australia
    Hi Nadirah,

    Thanks for offering to take a look at this.

    Here is the link to the HijackThis log that I posted http://www.geekstogo.com/forum/index.php?showtopic=84880

    At the moment I don't recall the items that SpyWare Doctor found, I will see whether it keeps a log. The second Spyware Doctor scan was "clean", so I believe that it removed the items that it detected. Having said that, you may well be right in your suspicions.

    My thinking is that if ZoneAlarm is responsible, it will be because ZA modifies some of the existing OS files. If I am right, then when you remove ZoneAlarm (via the ZoneAlarm uninstall process) ZA reverses these changes at the same time as it removes all the other files and registry entries.

    But as you say it could be another trojan, although all these problems began when the ZA license expired.

    My un-install of ZA was far from "clean", because the license had expired by the time I tried to un-install ZA. ZA didn't want to un-install, and then resisted my attempts to disable it. Basically if it had been easier to re-install the machine from scratch I would have. I have since removed all the documented ZA program files and registry entries manually (I am confident that I have done this correctly).

    For that reason up until now, I have been very wary of re-installing ZA, just so that I can go through the ZA uninstall process. However at the moment I think I need to do this, so that I can establish whether it is ZA or some other (as yet unidentified trojan) that is causing the symptoms that I see.

    What I plan to do tomorrow night, is take an image backup of the box. Install ZA. Then make sure that the "Load at Startup" box is unchecked. This should allow me to go through the un-install process without ZA trying to shutdown the un-install process (which is what happened last time) and worst case I can restore from the backup.

    I'll let you know how it goes, and I will be very interested to see whether you see anything in the HijackThis log.

    Thanks for your help.

    VW
     
  4. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Note: Wilders Security Forums no longer analyse HijackThis logs, but I'm helping you out especially because there seems to be no reply to your log at the other forum.
    Be very careful, I'm referring to a HijackThis tutorial on another site to identify bad entries in your log.
     
    Last edited by a moderator: Dec 21, 2005
  5. VeeDub

    VeeDub Registered Member

    Joined:
    Dec 16, 2005
    Posts:
    4
    Location:
    Sydney, Australia
    Hi Nadirah,

    Thanks for taking a look at my HijackThis log.

    Entries 017 and 023 are fine, I know what they do. Entries 09 and 013 are worth looking into, although I think it is unlikely that they're responsible for the issues I have been experiencing (still I will make a backup of the system and remove them and see what happens).

    I did some testing of my own tonight along the lines that I outlined before. It turns out that I am right that it is ZoneAlarm that is responsible. How can I be certain? ... after I re-installed ZoneAlarm, when I started going through the un-install process (which did not go smoothly - just like last time) I was able to reproduce the exact symptoms that I have been observing ... and the symptoms cease immediately when the True Vector engine finally stops.

    The issue however remains, even though this time I persevered and got ZA to complete the uninstall and remove all the program and registry entries (unlike last time when I gave up on ZA un-install and did it myself) - there is clearly some hook into the OS that is being left behind. Because after the uninstall has completed "successfully" (I did 3 install / uninstalls) I still have exactly the same issue as before.

    I think I'll have to consider posting a question on the ZA forums, not that I expect that I'll get an answer.

    What I would really like to find is an approach that I can use to try and isolate this "lockdown" code myself. There has got to be a way to do it, I just wish I had some idea on how to approach it. The interesting point is that the "lockdown" doesn't affect all applications - only some.

    The fact that IE is crippled has got to be where you would focus. Identify how the Connections Tab in the Control Panel is being "locked down" and somehow isolate the code that is responsible for doing that. Hopefully that identifies a DLL (or some process) that you can then concentrate on.

    I can live with the workaround, but I would really like to get to the bottom of this.

    VW
     
  6. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    VeeDub,

    What exactly is Service: MVFJFNG - Sysinternals - www.sysinternals.com - C:\TEMP\MVFJFNG.exe? A service running from a temporary folder? Never an encouraging situation... I know it refers to SysInternals... but even so, is it a valid, albeit renamed, executable?

    Blue
     
  7. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    And which sysinternals product is that service related to? Couldn't find any info about such a service on google.
    Is that a service pretending to be a sysinternals one? What's more it's running from the temp folder. Must be a malicious file.
     
  8. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Although I'd clearly lean in this direction, it doesn't have to be the case. When advising remotely, I always try to move with caution, even at the expense of slowness. However, there is no doubt that one doesn't go about installing services (or running executables) from temporary locations, this is always a hint that something is amiss.

    Blue
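    Blue's rule of thumb above (a service image path under a temporary folder is a hint that something is amiss) as an added triage check, not code from the thread: it parses constructed HijackThis-style O23 service lines, one mirroring the MVFJFNG entry quoted above and the others constructed for illustration, and flags services whose image path passes through a TEMP or TMP folder. As the RootkitRevealer explanation later in the thread shows, a hit is a prompt to verify the binary, not proof that it is malicious.

```python
import re
from pathlib import PureWindowsPath

# Constructed HijackThis-style O23 (service) lines for illustration. The first
# mirrors the MVFJFNG entry quoted in the thread; the rest are constructed.
HJT_O23_LINES = [
    r"O23 - Service: MVFJFNG - Sysinternals - www.sysinternals.com - C:\TEMP\MVFJFNG.exe",
    r"O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe",
    r"O23 - Service: Schedule - Unknown owner - C:\WINNT\system32\MSTask.exe",
    r"O23 - Service: svchosts - Unknown owner - C:\Documents and Settings\user\Local Settings\Temp\svchosts.exe",
]

# O23 layout: "O23 - Service: <name> - <company> - <image path>". The company
# field may itself contain " - " (as in the Sysinternals line), so the path is
# anchored on the drive letter rather than on the number of separators.
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<company>.*?) - (?P<path>[A-Za-z]:\\.*)$"
)

# Folder names that mark a temporary location anywhere in the path.
TEMP_DIR_NAMES = {"TEMP", "TMP"}


def parse_o23(line):
    """Return name/company/path for an O23 line, or None for any other line."""
    m = O23_RE.match(line.strip())
    return m.groupdict() if m else None


def image_path_in_temp(path):
    """True if any folder component of the image path is a TEMP/TMP folder."""
    parts = PureWindowsPath(path.strip('"')).parts
    return any(part.upper() in TEMP_DIR_NAMES for part in parts)


def flag_temp_services(lines):
    """Return (service name, image path) for services launched from a temp folder."""
    flagged = []
    for line in lines:
        entry = parse_o23(line)
        if entry and image_path_in_temp(entry["path"]):
            flagged.append((entry["name"], entry["path"]))
    return flagged


if __name__ == "__main__":
    for name, path in flag_temp_services(HJT_O23_LINES):
        # A hit is a prompt to verify the binary, not a verdict on its own.
        print(f"review: service {name!r} runs from a temp folder: {path}")
```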
     
  9. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Mod comment:
    Edited out HijackThis log assistance....Bubba

    Please take note of info contained in the below Announcement in regards to Wilders no longer providing HJT log analysis except where noted in that Announcement.

    This Announcement: Stopping HijackThis Log Cleaning Services!
     
    Last edited by a moderator: Dec 21, 2005
  10. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Correct.
    In this thread, you can see that I highlighted some hijackers from veedub's log.
    In the FIRST post of this thread, Veedub stated that his Spyware Doctor removed some spyware, but he does not seem to have posted any more detailed information as to what pieces of spyware were found.
    See those 017- lop.net hijackers? Did Spyware Doctor remove any spyware related to the hijacker?
     
  11. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    nadirah, I will ask you to please follow our rules and guidelines here regarding HJT log analysis. As stated in the Announcement thread that Bubba has linked to, HJT logs are no longer analysed here at Wilders unless they have been specifically requested by an Expert Spyware/HJT log Analyst or Wilders' Staff.

    VeeDub has only recently posted their HJT log at the other forum, and a day or two waiting is not out of the norm given how busy those forums can get.

    Any further posts by yourself with guessing at what might be the problem and/or advice on what should be fixed using HJT, will be removed without further notice.


    VeeDub, please be patient and I'm sure a qualified Spyware Expert will be assisting you at the forum where you've posted your log as soon as possible. A li'l patience will result in your not accidentally removing something critical and possibly doing irreversible damage to your computer.

    Regards,

    snap
     
  12. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    I can follow-up directly via PM with him if my posts are not welcome here.
     
  13. VeeDub

    VeeDub Registered Member

    Joined:
    Dec 16, 2005
    Posts:
    4
    Location:
    Sydney, Australia
    Hi Blue,

    One of the Sysinternals products is RootKitRevealer http://www.sysinternals.com/Utilities/RootkitRevealer.html

    When you use this tool, it needs to launch itself as a randomly named exe so that the target rootkit can't readily identify the rootkitrevealer and hide itself.

    That's what the exe is/was (I've removed it now) in the Temporary folder.

    Thanks

    VW
     
  14. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    I see, it's RootkitRevealer and not some malicious file.
     
  15. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    nadirah, you know our forum's rules and policies regarding HJT log analysis, and how dangerous the wrong advice from an unqualified person can be. You are not a log reader, and we do not want to guess when using such a powerful tool as HijackThis and risk damage to someone's pc.

    Also, if the other forum were to find that VeeDub was receiving help with their log at another forum, they would most likely not assist him there.

    nadirah, if you want to help people with their HJT logs, then I would suggest that you join BootCamp and learn to read them correctly. Then you can help out at those forums that do do HJT log analysis.

    If you require further clarification on this matter, feel free to PM me.

    Regards,

    snap
     
  16. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    That's right! A new feature in the current, or recent, versions.

    Blue
     