Unidentifiable Virus

joeclem111 (Sheffield, England)
edited August 2006 in Spyware & Virus Removal
Hi, I have many years experience in computers including a lot of system security and virus control, but this one has got me. I use AVG anti virus, updated (if necessary) 4 times daily. I also use ad-aware. I have Zone Alarm firewall fitted. I use Ramidle Pro to keep a check on the RAM situation (I have 512MB fitted). I am on a 2.8 GB board, 60 GB hard drive (2 logical drives, 40 and 20). I have various professional tools including winhex and security clean disk. I recently loaded a CD with some old documents on it (from an old PC that had been used on various virus related jobs). Since then I have a problem. No anti virus software has detected the presence of a virus! The malware behaves like the early version of JS_Play. In every case a re-boot is the only cure (unless stated otherwise). It does things like the following:
1. It will attach a jpg file to an outgoing e-mail (usually taken at random from the temporary internet files).
2. It will shut down the monitor.
3. It will blank out the keyboard input so you cannot see what you have typed.
4. It will shut down the email send/receive function.
5. It will replicate one line of the screen from the bottom to the top.
6. It will occupy all available memory down to zero available left.
7. It will multitask until the PC cannot do any more.
8. It will slowly blank and refresh any web page you are on.
9. It will shut down vsmon, which is a virus related part of Zone Alarm.
10. It will block the use of AVG update facilities and also the AVG control panel.
11. On occasions, at shutdown, the system will not close. The shutdown window will come up with the usual message "This program is not responding" but there is only a blank where the name should be in the window.

Does anybody have any ideas? One theory I have is that it is resident in the BIOS. Many BIOS chips have a 2MB capacity but only 500KB is used for the actual BIOS program. It is theoretically possible that a virus could flash upgrade itself into the BIOS, therefore being totally undetectable. Any ideas on that one? I have also tried a few heuristic anti virus packages (AVG is supposed to be heuristic) but they fail to identify any problem. Is there any software that would monitor and send to a log file all processes in the order they happen (a large task) or that can be set to report on the performance of a given software package? My thoughts here are that such software directed at the e-mail software might report on the whereabouts of the process that stopped the send/receive function.

THIS IS A GOOD ONE FOLKS! and it is for real. In theory, if it came from the CD, it is contained for analysis. Anyone know what they are looking for and fancy the job?

Hoping for some comment on this one. I will be in constant touch. Thanks.

Comments

  • Buckeye_Sam (Columbus, Ohio)
    edited April 2005
    We need to get a look at what's running on your computer in order to help you. Please follow the directions at this link to download a tool called Hijackthis and post a log.

    http://www.short-media.com/forum/showpost.php?p=172584&postcount=2
  • joeclem111 (Sheffield, England)
    edited April 2005
    joeclem111 wrote:
  • joeclem111 (Sheffield, England)
    edited April 2005
    Hi, and thanks for the quick reply. Sorry about the re-quote, not using this site too well. Got the hijacker and created the log. Can't seem to get it uploaded. The message says the file is attached but the preview doesn't show it. Anyway, there was 1 entry "no name" and "no file". Hijackthis said it was a browser helper and mentioned BHO.dll. I let hijacker delete it. Give me a day or two to check the box performance and I will confirm status. Thanks.
  • Buckeye_Sam (Columbus, Ohio)
    edited April 2005
    Going forward, when you get the log from Hijackthis just select all of the text and copy it. Then paste it here as a reply in your thread. There's no need to attach it as a file.

    Logfile of HijackThis v1.99.1
    Scan saved at 17:27:26, on 30/04/05
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\CREATIVE\NEWS\NEWSUPD.EXE
    C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
    C:\PROGRAM FILES\CREATIVE\AUDIO\PROGRAM\CTMIX32.EXE
    C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FTCTRL32.EXE
    C:\PROGRAM FILES\FAXTALK NETONHOLD\FTNOHMGR.EXE
    C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
    C:\PROGRAM FILES\RAM IDLE\RAM_98.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\RTEGPRS.EXE
    C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
    C:\PROGRAM FILES\DAP\DAP.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\WINDOWS\SYSTEM\LVCOMS.EXE
    C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET T SERIES 9X\REGISTER\REMIND32.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET T SERIES 9X\BIN\HPOSTR05.EXE
    C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FAPIEXE.EXE
    C:\PROGRAM FILES\SLIPSTREAM WEB ACCELERATOR\SLIPACCEL.EXE
    C:\PROGRAM FILES\OLYMPUS\CAMEDIA MASTER 4.2\CM_CAMERA.EXE
    C:\PROGRAM FILES\SOFTISSIMO\COLLINS INTERNET-LINKED DICTIONARY\EXE\L-EXPRESS.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\SOFTISSIMO\COLLINS INTERNET-LINKED DICTIONARY\EXE\LEXIBASE.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET T SERIES 9X\BIN\HPOVDX05.EXE
    C:\PROGRAM FILES\INCREDIMAIL\BIN\IMAPP.EXE
    C:\WINDOWS\SYSTEM\HPOHID05.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\HIJACK\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\PROGRAM FILES\SLIPSTREAM WEB ACCELERATOR\PBHELPER.DLL
    O2 - BHO: (no name) - {601ED020-FB6C-11D3-87D8-0050DA59922B} - (no file)
    O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRAM FILES\DAP\DAPIEBAR.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NewsUpd] C:\Program Files\Creative\News\NewsUpd.EXE /q
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Audio\PROGRAM\CTMIX32.EXE /t
    O4 - HKLM\..\Run: [CallControl 4.5] C:\Program Files\FaxTalk Communicator\FTCtrl32.exe /autoload
    O4 - HKLM\..\Run: [NetOnHold] C:\Program Files\FaxTalk NetOnHold\Ftnohmgr.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle\RAM_98.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [RTEGPRS] "C:\WINDOWS\RTEGPRS.EXE" tray
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
    O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
    O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
    O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
    O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
    O4 - Startup: HP-AiO.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet T Series 9x\Register\Remind32.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: HP OfficeJet T Series Startup.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet T Series 9x\Bin\HPOstr05.exe
    O4 - Startup: Tiscali Web Accelerator.lnk = C:\Program Files\SlipStream Web Accelerator\slipaccel.exe
    O4 - Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
    O4 - Startup: Lexibase Express.lnk = C:\Program Files\Softissimo\Collins Internet-Linked Dictionary\exe\L-Express.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: Show Original Image - res://C:\PROGRAM FILES\SLIPSTREAM WEB ACCELERATOR\SLIPACCEL.EXE/227
    O8 - Extra context menu item: Show All Original Images - res://C:\PROGRAM FILES\SLIPSTREAM WEB ACCELERATOR\SLIPACCEL.EXE/250
    O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup/downloader/imloader.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
    O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
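    Added here as an illustration, not code from the thread or from HijackThis itself: a small Python reviewer for logs in the HijackThis v1.99 format shown above. It flags the entry types a helper looks at first, namely a BHO registered as "(no name)" with "(no file)", an Internet Explorer proxy pointing at a local port (here the web accelerator, so it is a check, not a verdict), and autostart commands that do not live under the usual Windows or Program Files directories. The sample log is constructed from a subset of the posted lines plus one made-up autostart entry (C:\TEMP\UPD.EXE); EXPECTED_DIRS is an assumption about a typical Win9x layout.

```python
import re

# Constructed sample in HijackThis v1.99 log format. The line shapes follow the
# log posted in this thread; the C:\TEMP\UPD.EXE autostart entry is made up.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {601ED020-FB6C-11D3-87D8-0050DA59922B} - (no file)
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\Run: [Updater] C:\TEMP\UPD.EXE /silent
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<label>[^\]]+)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.(?:exe|com|bat|pif|scr))(?:\s|$)', re.I)
# Assumed directories an autostart command normally lives under on a Win9x box.
EXPECTED_DIRS = ("C:\\WINDOWS\\", "C:\\PROGRAM FILES\\", "C:\\PROGRA~1\\")


def parse_hjt(text):
    """Return (section, body) pairs for every R/O entry; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def review(entries):
    """Return (reason, detail) pairs worth a closer look, in log order."""
    findings = []
    for sec, body in entries:
        if sec == "O2":
            m = BHO_RE.match(body)
            if m and (m.group("name") == "(no name)" or m.group("path") == "(no file)"):
                findings.append(("BHO with no name or missing file", m.group("clsid")))
        elif sec == "R1" and "ProxyServer" in body and "127.0.0.1" in body:
            findings.append(("IE proxied through a local port; identify the listener", body.split("= ", 1)[1]))
        elif sec == "O4":
            m = RUN_RE.match(body)
            if m:
                e = EXE_RE.match(m.group("cmd"))
                exe = (e.group("q") or e.group("u")).upper() if e else ""
                # Bare names (SysTray.Exe, mstask.exe) resolve via PATH and are skipped here.
                if "\\" in exe and not exe.startswith(EXPECTED_DIRS):
                    findings.append(("autostart outside expected directories", m.group("label")))
    return findings


if __name__ == "__main__":
    for reason, detail in review(parse_hjt(SAMPLE_LOG)):
        print(f"{reason}: {detail}")
```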
  • Buckeye_Sam (Columbus, Ohio)
    edited April 2005
    Download mwav.exe from MicroWorld, then:

    - Double-click the mwav.exe icon to run it (it'll self extract).
    - When it opens, check the following:
    ---- Memory
    ---- Registry
    ---- Startup Folders
    ---- System Folders
    ---- Services
    ---- Drive
    ---- All local drives
    ---- Scan all files

    - Then click on SCAN

    When it completes, post back the results (copy and paste) from the 'Virus log information' pane.
  • joeclem111 (Sheffield, England)
    edited May 2005
    Thanks for all your help so far BUCKEYE_SAM, much appreciated. Did the mwav, nothing shown in the log window, it was blank. Other info from scan was Objects scanned 31116, viruses = 0, disinfected = 0, deleted = 0, renamed = 0, errors = 4, time elapsed = 00:26:58. Since our last contact I used hijackthis to knock out all plugins (3 of them). System has been more stable BUT I have had some recurrence of denial of service on e-mail, some of the internet home screen slow refresh, some of the memory usage problem (during the mwav scan the memory dropped to 30MB and I used Ram-idlepro to get it back up to 250MB). It also runs processing loops to tie up the chip and I have just experienced it turning the volume up and down on the CD I was playing. All these are just like the old JS_PLAY virus used to do. It is possible that one of the system files that LOOKS OK is infected, isn't it? After knocking out the plugins, I used a registry repair tool and cleaned the register. I then did ScanDisk and defrag. I used Security Clean Disk to wash the back end of the D: drive. It returned with an error, it found difficulties writing to the final sector of drive D:. Examination shows there to be a few clusters of code at the very end of the drive. I have not yet tried filling these clusters with zeros. If I did and got a refusal to write it might tell us something? Hope all this helps.
  • Buckeye_Sam (Columbus, Ohio)
    edited May 2005
    If a legitimate system file was infected MWAV should have picked it up. If AVG comes up clean, trojan scanner is clean, and MWAV is clean, then the only thing we can do is look for a rootkit infection.

    Please download RootKitRevealer from here:
    http://www.sysinternals.com/files/rootkitrevealer.zip
    Unzip it to the desktop, run it, and click Scan. This may take a while so be patient. This will generate a log file; please post the entire contents of the log file here for me to see.
  • joeclem111 (Sheffield, England)
    edited May 2005
    Tried that just now. Rootkit won't run. All I get is the "This program has performed an illegal operation and will be shut down" window. Tried a disk boot but it won't run in DOS mode. Smells like you are on the right track. After all my years in the business, this is the first time I have ever come across a browser hijacker and, until now, I have never come across a rootkit infector. The learning curve is massive. So, what next friend?
  • Buckeye_Sam (Columbus, Ohio)
    edited May 2005
    There's another tool you can try. I've never used it, so I can't offer a lot of info. But at this point, you might want to give it a shot.

    http://www.greatis.com/unhackme/download.htm

    Let me know how it goes.
  • joeclem111 (Sheffield, England)
    edited May 2005
    Thanks for that. Downloaded it but won't run. It wants NT, XP or 2000 or better. I am running WIN98, the original version.
  • Buckeye_Sam (Columbus, Ohio)
    edited May 2005
    I'm afraid I can't help you. I'm out of ideas.

    At this point it may be your best option to backup your data as best you can and reinstall Windows.
  • joeclem111 (Sheffield, England)
    edited May 2005
    Thanks for all your efforts. Might go up to WIN XP anyway. The knowledge of the new software fixers I got from this was worth it. Just a thought. The AVG software, like all other anti V products, looks for a signature in a pattern file. What do you think about the potential of a rogue virus? It gets on the machine but is not seen by the anti-V stuff. You let it infect the boot strap then boot up on a disk and clean the boot strap. Do you think this could leave the malware behind on the disk but with no signature? If so there is no way to find it amongst 30,000 plus files, is there? Be glad to hear from you.
  • edited August 2006
    my computer has viruses I need them removed. How do I take care of that for free?
  • joeclem111 (Sheffield, England)
    edited August 2006
    Hi, go online to Trend anti virus. The page is called housecall. This will download a virus checker onto your system and then scan it. You can also do this with Panda anti virus and also at pcpitstop.com. Any of these remote scanners will fix you. You should then remove your anti virus. Download and install AVG anti virus from grisoft.cz. Also download and install Zone Alarm, which is a firewall. They are both free. Also free is hijackthis, which will show you if your browser has been hijacked and remove the offending program. Rootkitrevealer is also free and will check for that kind of infection. Spybot is a free adware killer and is excellent. If you install its inbuilt program called teatimer, it will give you the ability to accept or deny any changes to the system registry, so unknown spyware/virus programs cannot get into the registry. Finally, you need to find trojanhunter which will ensure there are no trojans on the system. It's a lot, I know, but all of it is necessary under a windows driven PC. I have learned my lesson, I do not use windows, I use LINUX, which is far better than windows. Linux is not affected by windows viruses. There are about 70,000 windows viruses and only 20,000 Linux viruses. Mandriva Linux version 10 contains its own anti virus and is free to download and install. Good luck.