
Do I have a virus


12 replies to this topic

#1 schmii

  • Members
  • 7 posts

Posted 16 June 2005 - 06:22 PM

Do I have a virus

My Microsoft Word (2000 9.0.3821) seems to arbitrarily switch to overwrite mode (OVR).
I occasionally observe OVR flashing in the bottom tool bar; it stops when I hit the ESC key (or any other key). It seems to occur roughly every 5 minutes, or maybe at some character count?

At Boot time I always see the message:
“Your disk needs to be checked for consistency”
“disk checking has been cancelled”

I’m running MS windows 2000 5.00.2195 service pack 4

So far I’ve run virtually every antivirus fixer/cleaner known to man: McAfee, AntiVir, Spybot, CWShredder, RegClean, RootkitRevealer, s-t-i-n-g-e-r, spybotsd13, XoftSpy413, Ewido, HijackThis, etc.
Some of which prove to be more troublesome than they’re worth.
I’ve also tried reinstalling several applications.

I haven’t come across anything destructive but I can’t get over a nagging impression there’s still something lurking in the background.
Is there someway to reactivate disk checking?

Any advice would be greatly appreciated

Schmii


#2 groovicus

  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 18 June 2005 - 09:31 AM

Have you read this thread yet?
http://www.bleepingcomputer.com/forums/How...s_Log-t956.html

#3 schmii

  • Topic Starter
  • Members
  • 7 posts

Posted 19 June 2005 - 01:36 AM

Thank you for responding. I have checked out your link.
I have the latest versions of Spybot-S&D and Ad-Aware and have used them extensively over the past month but nothing particularly malicious has ever been reported.

Several months ago something infected my “Microsoft Office.hta” file. Inside the script among other things it ran a malicious executable located on my desktop “68cc4592.exe” I’m not sure what its effect was but for a while I wasn’t able to boot in safe mode. Only after several attempts using my distribution CD was I able to run a free pass with Spybot - S&D.

At this point, randomly, any active input field (IE search field, Notepad, or Word) was being filled with a constant stream of ‘-------‘ until I hit the ESC key.
I performed a clean install of Microsoft Office.
Everything has been reported clean over the past month by a dozen free trial versions of every popular antivirus software and registry cleaner.
I’ve looked over the task manager processes many times but fail to see anything out of the ordinary.

Any help would be greatly appreciated.

The following is a copy of my hijack log


Logfile of HijackThis v1.99.1
Scan saved at 8:12:13 PM, on 6/18/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINNT\system32\taskmgr.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\file_Work\FixItTools\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-18.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/15144ec3cd3ef5...ip/RdxIE601.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://gisweb3.city.vancouver.bc.ca:8080/web/mgaxctrl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/...tail/DASAct.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotion...ctor/WebSWK.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
O16 - DPF: {D4328549-2B43-40D5-BBF8-77D6EEA60412} (StorefrontUpload.BulkImageUpload1) - http://www.ldphotostation.com/images/globa...ontUpload19.CAB
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...499/mcfscan.cab
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe
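The two logs in this thread are read by eye. As an added example (not part of the thread, and not HijackThis's own code), the following Python parser reads HijackThis-style O2/O4/O23 lines and flags entries whose registered file is missing: the `(no file)` BHO and the `C:\Program.exe (file missing)` service above, which are the orphaned references that can be removed. The reading of the MySQL line is my assumption: a service ImagePath that contains spaces and is not quoted is displayed truncated at the first space, while the process list shows `mysqld-nt.exe` running from under Program Files; the remediation for such a service is to put quotes around its ImagePath. The sample input is copied from the log above.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Sample input: a handful of lines in the format of the HijackThis v1.99.1
# log posted in this thread (constructed subset of the log above).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\Explorer.exe
C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe
"""


@dataclass
class Entry:
    section: str   # "O2", "O4", "O23", ...
    kind: str      # "BHO", "Service", "HKCU\..\Run", ...
    name: str
    path: str      # file path, command line or URL as printed in the log


@dataclass
class Finding:
    entry: Entry
    reason: str


_ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<rest>.+)$")
# Assumption: a service path shown as "<drive>:\Program.exe" is an unquoted
# ImagePath containing a space, displayed truncated at that space.
_TRUNCATED_PATH_RE = re.compile(r"^[A-Za-z]:\\Program\.exe\b", re.IGNORECASE)


def _parse_entry(sec: str, rest: str) -> Entry:
    kind, _, body = rest.partition(": ")
    if sec == "O4":
        # O4 - HKLM\..\Run: [Name] command line
        m = re.match(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)", body)
        if m:
            return Entry(sec, kind, m.group("name"), m.group("cmd"))
        return Entry(sec, kind, "", body)
    # O2/O3/O9/O16/O23 lines read "Name - {CLSID or vendor} - path"; the path
    # itself may contain " - " (e.g. "Spybot - Search & Destroy"), so split
    # from the left at most twice and keep the remainder whole.
    parts = body.split(" - ", 2)
    if len(parts) == 3:
        return Entry(sec, kind, parts[0], parts[2])
    return Entry(sec, kind, parts[0], parts[-1] if len(parts) > 1 else "")


def parse_log(text: str) -> Tuple[List[str], List[Entry]]:
    """Return (running_processes, entries) from a HijackThis-style log."""
    procs: List[str] = []
    entries: List[Entry] = []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        m = _ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append(_parse_entry(m.group("sec"), m.group("rest")))
        elif in_procs:
            procs.append(line)
    return procs, entries


def review(procs: List[str], entries: List[Entry]) -> List[Finding]:
    """Flag entries whose registered file is missing from disk."""
    findings: List[Finding] = []
    for e in entries:
        low = e.path.lower()
        if low == "(no file)" or "(file missing)" in low:
            reason = "orphaned entry: registered component has no file on disk"
            if e.section == "O23" and _TRUNCATED_PATH_RE.match(e.path):
                # If a running process under "Program Files" carries the service
                # name, the service is really running from an unquoted path.
                hint = next((p for p in procs if e.name.lower() in p.lower()), None)
                if hint:
                    reason = (f"service ImagePath appears unquoted (actual binary: "
                              f"{hint}); quote the path in the service configuration")
            findings.append(Finding(e, reason))
    return findings


def report(text: str) -> List[str]:
    """One human-readable line per finding."""
    procs, entries = parse_log(text)
    return [f"{f.entry.section} [{f.entry.name}] {f.entry.path}: {f.reason}"
            for f in review(procs, entries)]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run against either full log in this thread the output is the same two lines: the nameless BHO with no file, and the MySQL service whose path is truncated at the space in "Program Files" even though the process list shows mysqld-nt.exe running.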

#4 groovicus

  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 19 June 2005 - 10:01 AM

I don't see anything in the active log either. Could you boot into safe mode and get me a HJT log from there?

#5 schmii

  • Topic Starter
  • Members
  • 7 posts

Posted 19 June 2005 - 12:43 PM

I also have noticed for the last while that I’ve been unable to run chkdsk (even in safe mode): “volume is locked by another process”. Is this one of my antivirus/ZoneAlarm processes?
It runs OK without the /r switch and reports nothing.

Could there be something more insidious in the boot sector/bios?

Here’s my log results while in safe mode:

Thank you
schmii


Logfile of HijackThis v1.99.1
Scan saved at 10:20:34 AM, on 6/19/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\file_Work\FixItTools\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-18.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/15144ec3cd3ef5...ip/RdxIE601.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://gisweb3.city.vancouver.bc.ca:8080/web/mgaxctrl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/...tail/DASAct.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotion...ctor/WebSWK.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
O16 - DPF: {D4328549-2B43-40D5-BBF8-77D6EEA60412} (StorefrontUpload.BulkImageUpload1) - http://www.ldphotostation.com/images/globa...ontUpload19.CAB
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...499/mcfscan.cab
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe

#6 groovicus

  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 19 June 2005 - 01:03 PM

I don't see anything in there either. I wouldn't recommend using any registry cleaners; they tend to cause more problems than they help. Just out of curiosity, have you tried swapping out your keyboard and mouse? Sometimes hardware glitches do some really weird things.

As far as a BIOS infection, I highly doubt it. They are extremely rare, and even then they are almost never seen outside of the lab. Have you tried running an online virus scan? Are your AntiVir definitions up to date? Have you run Spybot 1.4 with updated definitions?

Zone Alarm would not be locking your hard drive; neither does AntiVir.

When you are trying to run chkdsk, are you running it under the Administrator account?

#7 schmii

  • Topic Starter
  • Members
  • 7 posts

Posted 19 June 2005 - 11:53 PM

I tried logging in as Administrator but received the same message: “volume is locked by another process”.
Do you know what that process might be?
The keyboard & mouse are the original, but I don’t have a spare right now to experiment.

In the hijack log why are there still references to:
www.pandasoftware.com
Windows Registry Repair Pro
security.symantec.com
When I haven’t used them for months? Can I delete these?

Every time I run Spybot, AntiVir or Ad-Aware I always load the latest definitions.
As mentioned, I've pretty much tried every free virus scan software I could find.
I guess my PC must be reasonably clean.

Thanks for all your help
Gerhard

#8 groovicus

  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 20 June 2005 - 09:45 AM

The only other thing that I can think of is that Registry Repair Pro might be locking it, so I would try uninstalling that and then seeing if chkdsk will work. Whatever issue you are having, I am 99% sure that it is not malware.

See if that works. If not, then I will have to refer you to one of the other sections to try and resolve it. :thumbsup:

#9 schmii

  • Topic Starter
  • Members
  • 7 posts

Posted 21 June 2005 - 11:35 AM

I tried logging in as Administrator but received the same message: “volume is locked by another process”.
Do you know what that process might be?
The keyboard & mouse are the original, but I don’t have a spare right now to experiment.

In the hijack log why are there still references to:
www.pandasoftware.com
Windows Registry Repair Pro
security.symantec.com
When I haven’t used them for months? Can I delete these?

Every time I run Spybot, AntiVir or Ad-Aware I always load the latest definitions.

I guess my PC must be reasonably clean.

Thanks for all your help
Gerhard

#10 schmii

  • Topic Starter
  • Members
  • 7 posts

Posted 21 June 2005 - 11:36 AM

Oops, sorry, please disregard the last post. I forgot I sent it.
Again, thanks for all your help.

schmii

#11 groovicus

  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 21 June 2005 - 12:39 PM

Wow.. I could swear I answered this already :thumbsup: We had a bad storm here yesterday, and between trying to clean up, and answer logs, and do my normal work, I'm a little fuzzy about what I have and haven't done.

At any rate, if you are not using those programs, you can go ahead and delete the references to them in the HJT log. I don't see any malware in your log, so I am pretty sure you are clean.

#12 schmii

  • Topic Starter
  • Members
  • 7 posts

Posted 25 June 2005 - 05:21 PM

I did as you suggested and swapped out the keyboard, and this time found the chkdsk routine “highly recommended” with a prompt to press any key to skip.
Well, I let it run, and for the first time in a while it successfully ran the chkdsk.

So far I haven’t noticed any peculiar behaviour of OVR mode while in word.

What I suspect is my old keyboard had a stuck non-character key (NUM LOCK, HOME, etc.), caused by a spill, that was constantly sending keycodes to the PC, thereby always skipping chkdsk and maybe causing some kind of buffer overflow in Word?
Well, what do you know: the first reported keyboard virus attack. ;)

Thanks for all your help.
I’m deeply indebted to you, Groovicus.

Thanks schmii

#13 groovicus

  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 25 June 2005 - 05:30 PM

Well I am glad you got that figured out. Keyboard and mouse malfunctions are about the hardest to figure out, and they cause the most ridiculous errors possible.

I wonder if chkdsk was trying to check a keyboard driver or something, and it was in use, so chkdsk just bombed out?? Weird.
