
Virus - or hardware?


HLinderoth (Technical User), Dec 15, 2003
AVG and McAfee have been used to scan the system - no viruses detected.

Symptoms:
. UNPROVOKED REBOOT occurs with IRREGULAR frequency. Most of the time during Windows startup, but also, on a few occasions, well after logon and into a session. After an unprovoked reboot the system boots the normal way - that is, it is NOT running checkdisk or checking consistency etc.

Possible symptoms:
. IE is somewhat, but not incredibly, slow (not 'blaster-slow') and the relation Sent/Received is not abnormal
. IE seems to have more problems finding each site as I surf. More often than before, and for longer times, 'Connecting' is shown in the IE status bar.

Stuff listed by SpyBot (the process list below was taken with IE running and a live internet connection):

--- Startup entries list ---
Spybot-S&D Startup list report, 2003-12-10 00:12:04

Located: HK_CU:Run, internat.exe
file: internat.exe

Located: HK_LM:Run, Synchronization Manager
file: mobsync.exe /logon

Located: HK_LM:Run, EM_EXEC
file: C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
MD5: 692C2BE43C8A88597DDE63EDF2682033

Located: HK_LM:Run, InstantAccess
file: C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h

Located: HK_LM:Run, RegisterDropHandler
file: C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
MD5: EBEA065B4A6932C83059C190D1516E4C

Located: HK_LM:Run, LoadQM
file: loadqm.exe

Located: HK_LM:Run, NeroCheck
file: C:\WINNT\system32\NeroCheck.exe
MD5: 3E4C03CEFAD8DE135263236B61A49C90

Located: HK_LM:Run, NvCplDaemon
file: RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

Located: HK_LM:Run, nwiz
file: nwiz.exe /install

Located: HK_LM:Run, AVG_CC
file: C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup

Located: HK_LM:Run, QuickTime Task (DISABLED)
file: "C:\Program Files\QuickTime\qttask.exe" -atboottime

Located: HK_LM:RunServices, RegisterDropHandler
file: C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
MD5: EBEA065B4A6932C83059C190D1516E4C

Located: Startup (common), Acrobat Assistant.lnk
file: C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
MD5: 0E6E43D31AC16BCF682EB5F63178C492

Located: Startup (common), Adobe Gamma Loader.lnk
file: C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
MD5: 5CD0CD0EC4DC5DF459B3AC016764F5AA

Located: Startup (common), Microangelo Desktop.lnk
file: C:\Program Files\Microangelo\muamgr.exe
MD5: 9F1AEE3C3196FABD5B63174D195A0C75

Located: Startup (common), Microsoft Office.lnk
file: C:\Program Files\Microsoft Office\Office\OSA9.EXE
MD5: 69AA2ABAF8FB65A96F811A3F0B888787

Located: Startup (common), Service Manager.lnk
file: C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
MD5: 978294640062C57482BF2B65A342C266

Located: Startup (user), Mindpad _lastCompile.lnk
file: C:\_DEVELOPMENT\MINDPAD\Mpad_VB\mpaden.exe
MD5: C152545AED1DA41CC4BDE0D2B19734A8



--- Browser helper object list ---
Spybot-S&D Browser helper object report, 2003-12-10 00:12:04

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
Class file: AcroIEHelper.ocx
Attributes:
Date: 2001-03-02 11:02:04
MD5: 8394ABFC1BE196A62C9F532511936DF7
Path: C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX
Short name: ACROIE~1.OCX
Size: 37808 bytes
Version: 0.1.0.0
Class name: AcroIEHlprObj Class
CLSID database: legitimate software
Description: Adobe Acrobat reader
Filename: ACROIEHELPER.OCX


--- ActiveX list ---
Spybot-S&D ActiveX report, 2003-12-10 00:12:04

DirectAnimation Java Classes
Download location: file://C:\WINNT\Java\classes\dajava.cab
Name: DirectAnimation Java Classes
Version: 5,1,15,1014

Microsoft XML Parser for Java
Download location: file://C:\WINNT\Java\classes\xmldso.cab
Name: Microsoft XML Parser for Java
Version: 1,0,9,2

{00000161-0000-0010-8000-00AA00389B71}
Download location: Last modified: Fri, 19 Nov 1999 03:16:31 GMT
Version: 0,0,0,1

{9F1C11AA-197B-4942-BA54-47A8489BB47F}
Class file: iuctl.dll
Attributes: archive
Date: 2003-08-25 18:06:50
MD5: 8757E24D6B002FD7E9EF3A6DF697BA57
Path: C:\WINNT\System32
Short name:
Size: 115808 bytes
Version: 0.5.0.4
Class name: Update Class
CLSID database: legitimate software
Description: Windows Update
Filename: %WINDIR%\System32\iuctl.dll,iuengine.dll
Contains file: iuctl.dll
Attributes: archive
Date: 2003-08-25 18:06:50
MD5: 8757E24D6B002FD7E9EF3A6DF697BA57
Path: C:\WINNT\System32
Short name:
Size: 115808 bytes
Version: 0.5.0.4
Contains file: iuengine.dll
Attributes: archive
Date: 2003-08-25 18:06:50
MD5: 6B43E283AF93D9823D7B69D9766AB4E9
Path: C:\WINNT\System32
Short name:
Size: 182880 bytes
Version: 0.5.0.4
Download location: Last modified: Tue, 26 Aug 2003 01:19:52 GMT
Version: 5,4,3790,14

{D27CDB6E-AE6D-11CF-96B8-444553540000}
Class file: Flash.ocx
Attributes: archive
Date: 2003-09-04 14:17:58
MD5: B414D4BA7BFB6218AE6B224B46C81D60
Path: C:\WINNT\System32\macromed\flash
Short name:
Size: 917504 bytes
Version: 0.7.0.0
Class name: Shockwave Flash Object
CLSID database: legitimate software
Description: Macromedia Shockwave Flash Player
Download location: Last modified: Fri, 05 Sep 2003 18:36:03 GMT
Version: 7,0,14,0

{EF791A6B-FC12-4C68-99EF-FB9E207A39E6}
Class file: mcfscan.dll
Attributes: archive
Date: 2003-12-03 09:51:14
MD5: 76B64F6465D1BA27B3A4E2A73962A920
Path: C:\WINNT\McAfee.com\FreeScan
Short name:
Size: 86016 bytes
Version: 0.1.0.5
Class name: McFreeScan Class
Download location: Last modified: Wed, 03 Dec 2003 17:51:42 GMT
Version: 1,5,0,4307


--- Process list ---
Spybot-S&D process list report, 2003-12-10 00:12:04

PID: 0 ( 0) [System]
PID: 8 ( 0) System
PID: 144 ( 8) \SystemRoot\System32\smss.exe
PID: 168 ( 144) CSRSS.EXE
PID: 188 ( 144) \??\C:\WINNT\system32\winlogon.exe
PID: 216 ( 188) C:\WINNT\system32\services.exe
PID: 228 ( 188) C:\WINNT\system32\lsass.exe
PID: 268 (1416) C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
PID: 396 ( 216) C:\WINNT\system32\svchost.exe
PID: 424 ( 216) C:\WINNT\system32\spoolsv.exe
PID: 452 ( 216) C:\WINNT\System32\msdtc.exe
PID: 520 (1416) C:\Program Files\Spybot\SpybotSD.exe
PID: 588 ( 216) C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
PID: 600 ( 216) C:\WINNT\System32\cisvc.exe
PID: 628 ( 216) C:\WINNT\System32\svchost.exe
PID: 660 ( 216) C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
PID: 688 ( 216) C:\WINNT\System32\nvsvc32.exe
PID: 716 ( 216) C:\WINNT\system32\regsvc.exe
PID: 744 ( 216) C:\WINNT\system32\MSTask.exe
PID: 764 ( 216) C:\WINNT\System32\tcpsvcs.exe
PID: 780 ( 216) C:\WINNT\System32\snmp.exe
PID: 832 ( 216) C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\50\bin\OWSTIMER.EXE
PID: 876 ( 216) C:\WINNT\system32\stisvc.exe
PID: 900 (1288) C:\Program Files\Internet Explorer\iexplore.exe
PID: 908 ( 600) C:\WINNT\System32\cidaemon.exe
PID: 916 ( 216) C:\PROGRA~1\MI4F93~1\webtool.exe
PID: 940 ( 216) C:\WINNT\System32\WBEM\WinMgmt.exe
PID: 952 ( 216) C:\WINNT\System32\mspmspsv.exe
PID: 964 ( 216) C:\WINNT\system32\svchost.exe
PID: 1012 ( 216) C:\WINNT\System32\inetsrv\inetinfo.exe
PID: 1048 ( 216) C:\WINNT\System32\mqsvc.exe
PID: 1304 (1416) C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
PID: 1336 (1416) C:\WINNT\System32\RUNDLL32.EXE
PID: 1416 (1420) C:\WINNT\Explorer.EXE
PID: 1520 (1416) C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
PID: 1536 (1416) C:\Program Files\Microangelo\muamgr.exe
PID: 1556 (1416) C:\WINNT\System32\internat.exe
PID: 1572 (1416) C:\Program Files\Grisoft\AVG6\avgcc32.exe
PID: 1580 (1416) C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
PID: 1612 ( 964) C:\WINNT\System32\wuauclt.exe
PID: 1680 ( 396) DLLHOST.EXE
PID: 1824 ( 600) C:\WINNT\System32\cidaemon.exe


--- Browser start & search pages list ---
Spybot-S&D browser pages report, 2003-12-10 00:12:04

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch


--- Winsock Layered Service Provider list ---
Spybot-S&D winsock LSP report, 2003-12-10 00:12:04

NS Provider ( 1) Tcpip ({22059D40-7E9E-11CF-AE5A-00AA00A7112B})
NS Provider ( 2) NTDS ({3B2637EE-E580-11CF-A555-00C04FD8D4AC})
Protocol ( 1) MSAFD Tcpip [TCP/IP] ({E70F1AA0-AB8B-11CF-8CA3-00805F48A192})
Protocol ( 2) MSAFD Tcpip [UDP/IP] ({E70F1AA0-AB8B-11CF-8CA3-00805F48A192})
Protocol ( 3) MSAFD Tcpip [RAW/IP] ({E70F1AA0-AB8B-11CF-8CA3-00805F48A192})
Protocol ( 4) RSVP UDP Service Provider ({9D60A9E0-337A-11D0-BD88-0000C082E69A})
Protocol ( 5) RSVP TCP Service Provider ({9D60A9E0-337A-11D0-BD88-0000C082E69A})
Protocol ( 6) MSAFD NetBIOS [\Device\NetBT_Tcpip_{9FB78A48-14C9-45E1-9FAF-0FCCB3967E96}] SEQPACKET 0 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol ( 7) MSAFD NetBIOS [\Device\NetBT_Tcpip_{9FB78A48-14C9-45E1-9FAF-0FCCB3967E96}] DATAGRAM 0 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol ( 8) MSAFD NetBIOS [\Device\NetBT_Tcpip_{D2982F7D-A520-43CB-A276-67772694599F}] SEQPACKET 1 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol ( 9) MSAFD NetBIOS [\Device\NetBT_Tcpip_{D2982F7D-A520-43CB-A276-67772694599F}] DATAGRAM 1 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol (10) MSAFD NetBIOS [\Device\NetBT_Tcpip_{E423AE6C-286B-4284-8A31-80F82BE93C40}] SEQPACKET 2 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol (11) MSAFD NetBIOS [\Device\NetBT_Tcpip_{E423AE6C-286B-4284-8A31-80F82BE93C40}] DATAGRAM 2 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol (12) MSAFD NetBIOS [\Device\NetBT_Tcpip_{F33AB948-BB00-4663-BEF1-EF7A22ED005A}] SEQPACKET 3 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol (13) MSAFD NetBIOS [\Device\NetBT_Tcpip_{F33AB948-BB00-4663-BEF1-EF7A22ED005A}] DATAGRAM 3 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol (14) MSAFD NetBIOS [\Device\NetBT_Tcpip_{6132BB4E-0B85-4B6A-9BC0-5CE2C03544F8}] SEQPACKET 4 ({8D5F1830-C273-11CF-95C8-00805F48A192})
Protocol (15) MSAFD NetBIOS [\Device\NetBT_Tcpip_{6132BB4E-0B85-4B6A-9BC0-5CE2C03544F8}] DATAGRAM 4 ({8D5F1830-C273-11CF-95C8-00805F48A192})

IDEAS ANYONE?
Regards
HLinderoth
 
FORGOT THIS: I'm running WIN2000 PRO! /HLinderoth
 
Sorry about my message-mess. An additional possible symptom: The system tries, repeatedly and more aggressively than before, to access the floppy drive a:/ during boot and Windows start-up.

That's all for now - promise.
HLinderoth
 
The item seems OK - it has to do with my scanner and OCR. This is what Spybot says:
--------
Current value: InstantAccess
Current filename: C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h

Database status: Typically not required
Value: InstantAccess
Filename: INSTAN~1.EXE

Description
From TextBridge Pro 9.0 OCR scanner software. Available via Start -> Programs

Source: Paul Collins startup list
------

Also, none of the symptoms listed by the Symantec article are present on my machine.
 
Howdy!

This is no good.
Msblast places SVCHOST.EXE, DLLHOST.EXE files
with upper-case names:
PID: 1680 ( 396) DLLHOST.EXE

The original Microsoft dllhost.exe is lower case.
Resides in \Windir\system32

This neither:
PID: 168 ( 144) CSRSS.EXE

Nimda.d@mm:
Spreads as Nimda.A, but is a PECompact-compressed variant. (F-Secure)
Spreads using the filenames SAMPLE.EXE for README.EXE, CSRSS.EXE for MMC.EXE, and HTTPODBC.DLL for ADMIN.DLL. (McAfee)


Can't see how it's loaded though.

Try downloading and running McAfee Stinger.


syar
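The discussion above turns on whether the process list shows impostor copies of core Windows binaries. As an added example, written here and not part of the thread, Spybot-S&D or any of the tools mentioned, the Python script below parses lines in the Spybot-S&D process-list format ("PID: n ( parent) image") and checks the core Windows 2000 processes against two things a defender can rely on more than letter case: which process started them (the smss -> csrss/winlogon -> services/lsass -> svchost chain that the thread's own listing shows) and whether they run from the system32 directory when a path is listed. Image names are compared case-insensitively, since the file system itself is. The sample listing is constructed: a few lines copied from the thread plus one made-up anomaly (PID 1900, an svchost.exe started by Explorer from C:\WINNT) so that the checks have something to flag. Names such as `EXPECTED_PARENT`, `Proc` and `triage` are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the Spybot-S&D process-list format: a few lines copied
# from the thread's listing plus one made-up anomaly (PID 1900) to exercise the checks.
SAMPLE_REPORT = r"""
PID: 0 ( 0) [System]
PID: 8 ( 0) System
PID: 144 ( 8) \SystemRoot\System32\smss.exe
PID: 168 ( 144) CSRSS.EXE
PID: 188 ( 144) \??\C:\WINNT\system32\winlogon.exe
PID: 216 ( 188) C:\WINNT\system32\services.exe
PID: 228 ( 188) C:\WINNT\system32\lsass.exe
PID: 396 ( 216) C:\WINNT\system32\svchost.exe
PID: 1416 (1420) C:\WINNT\Explorer.EXE
PID: 1680 ( 396) DLLHOST.EXE
PID: 1900 (1416) C:\WINNT\svchost.exe
"""

# One report line: "PID: <pid> ( <parent pid>) <image>"
LINE_RE = re.compile(r"^PID:\s*(\d+)\s*\(\s*(\d+)\)\s*(.*?)\s*$")

# Core Windows 2000 processes and the image name of the process that should
# have started them (the chain visible in the thread's own listing).
EXPECTED_PARENT = {
    "smss.exe": "system",
    "csrss.exe": "smss.exe",
    "winlogon.exe": "smss.exe",
    "services.exe": "winlogon.exe",
    "lsass.exe": "winlogon.exe",
    "svchost.exe": "services.exe",
}


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str  # text exactly as listed, path included if the tool showed one

    @property
    def name(self) -> str:
        # Basename, lower-cased: NTFS is case-insensitive, so CSRSS.EXE and
        # csrss.exe name the same file; case alone is not a reliable signal.
        return re.split(r"[\\/]", self.image)[-1].lower()

    @property
    def directory(self) -> Optional[str]:
        parts = re.split(r"[\\/]", self.image)
        if len(parts) == 1:
            return None  # the listing gave no path at all
        d = "\\".join(parts[:-1]).lower()
        if d.startswith("\\??\\"):  # native NT path prefix, as on winlogon.exe
            d = d[4:]
        return d


def parse_report(text: str) -> Dict[int, Proc]:
    """Parse Spybot-style process lines into a PID -> Proc map (order kept)."""
    procs: Dict[int, Proc] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            procs[int(m.group(1))] = Proc(int(m.group(1)), int(m.group(2)), m.group(3))
    return procs


def triage(text: str) -> List[Tuple[int, str, str]]:
    """Return (pid, name, reason) for core processes that break the expected pattern."""
    procs = parse_report(text)
    findings: List[Tuple[int, str, str]] = []
    for p in procs.values():
        expected = EXPECTED_PARENT.get(p.name)
        if expected is None:
            continue  # not a process this table has an opinion about
        parent = procs.get(p.ppid)
        parent_name = parent.name if parent else "<missing>"
        if parent_name != expected:
            findings.append((p.pid, p.name,
                             f"parent is {parent_name} (pid {p.ppid}), expected {expected}"))
        # Only judge the directory when the listing actually showed one.
        if p.directory is not None and not p.directory.endswith("\\system32"):
            findings.append((p.pid, p.name,
                             f"runs from {p.directory}, expected the system32 directory"))
    return findings


if __name__ == "__main__":
    for pid, name, reason in triage(SAMPLE_REPORT):
        print(f"PID {pid} {name}: {reason}")
```

Run on the constructed sample, only the made-up PID 1900 is reported (wrong parent and wrong directory); CSRSS.EXE and DLLHOST.EXE pass because their parents match the normal chain and the listing shows no path to judge. A real triage would follow this with a hash comparison against a known-good copy, the kind of MD5 values the Spybot report prints.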
 
I've been suspicious about the exact files you mention. But the STINGER did not find anything (set it to do the most complete scan it was capable of - 'all files & directories' etc.) - thanks though for pointing out that application. I'll keep it updated and run it from time to time.

HLinderoth
 
ADDITIONAL QUESTION:
If any of the files listed by SYAR above are in fact 'phony' ones, can I replace them with clean Windows ones?

I have an additional OS (Win2K Advanced Server) with its system folder on an E: partition. If I boot with this OS, can I simply substitute my current files on the Win2K Pro partition (C:) with 'good' ones from the Windows CD?

Files mentioned by Syar:

ADMIN.DLL found in folders:
With CAPS in name -
C:\Program Files\Common Files\Microsoft Shared\web server extensions\50\isapi\_vti_adm\ADMIN.DLL
Without CAPS -
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\isapi\_vti_adm\admin.dll

CSRSS.EXE found:
Without CAPS -
C:\WINNT\ServicePackFiles\i386\csrss.exe
With CAPS -
C:\WINNT\system32\CSRSS.EXE

MMC.EXE and HTTPODBC.DLL are both found with lower-case names in C:\WINNT\system32\ and C:\WINNT\system32\inetsrv\ respectively.

Regards everybody
HLinderoth
 
FOR SUPER-TECHNICIANS AND/OR ANYONE WITH PLENTY OF TIME...

I have used the Computer Management Console to generate a list of 'Loaded modules'. If anyone wants to view it and interpret it to find possible viruses, you'll find it here in HTML format:


Phew - have a field-day with it!
 