Unknown Virus

Discussion in 'NOD32 version 2 Forum' started by Kym McGain, Sep 21, 2003.

Thread Status:
Not open for further replies.
  1. Kym McGain

    Kym McGain Guest

    Hi
    My computer has a boot virus that is not detected by any virus scanner. My BIOS virus protection detects a boot virus but can't fix it or identify it.
    It puts different coloured blocks of colour all through parts of the screen during load up, and will randomly shut down and freeze.
    It also stuffs up DirectX games and programs in Windows. My other partition of Linux gets no effects.
    I believe this virus travels by disk, because the disk drive lights come on at unusual times.
    I can't find any unusual files on my hard disk or any odd things in the system.ini and win.ini files, so I can't send NOD a sample of the virus.
    I also believe I have had this virus for a lot longer than it has been doing very noticeable things, and that it survived a format by placing itself in my graphics card memory (WinFast A380, GeForce4 Ti4200 chipset). I tried doing a graphics BIOS flash and resetting the memory of the card, but no such luck, and this virus is really restricting my computer in a lot of ways. It sometimes takes up to 20 reboots before I can get it into Windows successfully.
    I would appreciate any help.
    Thank you.
     
  2. martindijk

    martindijk Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    537
    Location:
    Gorredijk - the Netherlands
  3. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    We'd like to have a closer look. Please do the following:

    Go to http://tomcoyote.org/hjt/ , and download 'Hijack This!'.
    Unzip, double-click HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log somewhere, and please show us its contents.

    Most of what it lists will be harmless or even required, so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.
     
  4. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Kym,

    In addition to the other points/suggestions made above, I think you should consider the possibility that the BIOS virus protection on the system board is preventing your scanner from detecting/diagnosing/cleaning the virus. I have always felt that these motherboard BIOS virus protection arrangements were far more trouble than they are worth. I would recommend that you go into the BIOS setup and disable the Virus Protection (don't change anything else!), save your change, and when you boot into Windows give your scanner another chance to deal with it.

    If you are unsure how to get into the BIOS setup, gracefully shut down your system so it is completely powered off, and then when you turn on the power look for some text indicating the keys to press to enter the BIOS (it might be one of the following: F1 or F2 or F10, or a sequence like Alt+A, or just about anything else). You need to press that sequence repeatedly before the monitor shows the Windows GUI starting to come up.
     
  5. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi Kym,

    I agree with Dan, turn off the BIOS virus protection.

    One of the most common entries into the BIOS is by continually pressing "Delete" on your keyboard while your system boots up.

    Hope this helps

    Cheers :D
     
  6. jan

    jan Former Eset Moderator

    Joined:
    Oct 25, 2002
    Posts:
    804
    Hi Kym,

    Please post the NOD SystemInfo from that machine here.

    Thanks,

    jan
     
  7. Kym McGain

    Kym McGain Guest

    Hi, it's me again. I tried the Blaster worm fix and it has not found anything, but I will place the HijackThis log below.

    Logfile of HijackThis v1.97.2
    Scan saved at 7:44:12 PM, on 24/09/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\ptsnoop.exe
    C:\PROGRAM FILES\DAP\DAP.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PRONGS\DOWNLOAD\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcuser.com.au/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pcuser.com.au
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by PC User
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.pcuser.com.au/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.pcuser.com.au
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37870.1031365741
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab

    Also at the moment I have a bit of a problem with NOD32, just a missing DLL which I can fix, so I will post my NOD32 log when I have fixed that.

    Thanks
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Kym,

    Check the item below in HijackThis, close all windows except HijackThis and click Fix checked:
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)

    Then reboot. At least I got one orphaned registry entry out of your system. ;)

    Regards,

    Pieter
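As an added example (not code from this thread, from ESET, or from the HijackThis author), here is a small Python script that parses result lines in the format of the log posted above and flags the same kinds of entries the replies single out: COM objects registered but pointing at "(no file)" (the orphaned O3 toolbar Pieter has Kym fix), the O10 broken Winsock LSP line, and O4 autostart entries given only as a bare filename, which are worth locating on disk before deciding anything. The embedded log is a subset copied from the post above; the section names and reasons are the script's own.

```python
"""Triage a HijackThis-style log: flag orphaned and broken entries.

Added example for this thread; not HijackThis code. The sample lines
are a subset of the log posted above, embedded so the script runs offline.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Subset of the log posted in this thread (constructed sample input).
SAMPLE_LOG = """\
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\\WINDOWS\\SYSTEM\\MSDXM.OCX
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\\..\\Run: [CountrySelection] pctptt.exe
O4 - HKLM\\..\\Run: [PTSNOOP] ptsnoop.exe
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
"""

# Every HijackThis result line starts with a section tag such as R0, O2, O16.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# A COM class id in braces: 8-4-4-4-12 hex digits = 36 characters.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


@dataclass
class Finding:
    section: str
    reason: str
    line: str
    clsid: Optional[str] = None


def parse_entries(log: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (section, body, raw_line) for each result line; skip headers and blanks."""
    for raw in log.splitlines():
        stripped = raw.strip()
        m = ENTRY_RE.match(stripped)
        if m:
            yield m.group("section"), m.group("body"), stripped


def triage(log: str) -> List[Finding]:
    """Return the entries a first-pass reviewer would want to look at."""
    findings: List[Finding] = []
    for section, body, raw in parse_entries(log):
        clsid_match = CLSID_RE.search(body)
        clsid = clsid_match.group(0) if clsid_match else None
        if section in ("O2", "O3") and body.endswith("(no file)"):
            # The registry still references a COM object whose file is gone: a
            # harmless leftover that can simply be removed.
            findings.append(Finding(section, "orphaned entry: registered file no longer exists", raw, clsid))
        elif section == "O10":
            # The Winsock LSP chain names a DLL that is missing; networking stays
            # broken until the chain is repaired.
            findings.append(Finding(section, "broken LSP chain", raw, clsid))
        elif section == "O4":
            # Run entries of the form "[Name] command"; a bare filename with no
            # directory is resolved via the search path, so confirm where it lives.
            command = body.split("]", 1)[-1].strip()
            if "\\" not in command:
                findings.append(Finding(section, "autostart given as bare filename; verify its path", raw, clsid))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

Run it as-is to see the four flagged lines from the sample; to triage a saved log, read the file into a string and pass it to `triage()`. The script deliberately does not classify the remaining entries as good or bad: as TonyKlein notes above, most of what HijackThis lists is harmless or required, and the point is to surface the few lines that warrant a closer look.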
     