
Virus that disables firewall and virus scanner


blackcloud14 (Technical User, CA), Jun 3, 2002
We have Windows ME and recently we have found that the firewall (Tiny PF) and virus scanner (PC-Cillin) shut down when we try to use them. We had a BKDR_OPTIX04.C virus before that did this, but PC-Cillin removed it; now it won't find what is causing this. In addition, the restore function won't work and the restore file is hidden. If the PC is started with the modem turned off, and all the programs are closed with Ctrl-Alt-Del except Explorer, then the firewall and virus scanner run even if the modem is then turned on. Any ideas on what this is?
 
Check what programs are being loaded during startup. Should be able to identify the culprit from there. Or better yet, can you post the startlog?

AVChap
 
Here is that start log as you suggested. Thanks for the help so far.


---------- C:\WINDOWS\desktop\StartUp.Log

Start-Ups checked at 04/06/2002 17:10:08.86
__________________________________________________________________________
__________________________________________________________________________

StartUp Log for Windows 95/98 - Freeware by rmbox
__________________________________________________________________________
__________________________________________________________________________

Comments:

This is a log of all the programs on your computer that
are starting automatically every time you start Windows.
Using this log can be a quick way to spot trojans.

StartUp Log (version 1.56) - Release Date 3/11/2002

__________________________________________________________________________
__________________________________________________________________________

StartUp Log Index

1. HKLM Run
2. HKCU Run
3. HKLM RunOnce
4. HKCU RunOnce
5. HKLM RunServices
6. HKLM RunServicesOnce
7. WIN.INI file
8. SYSTEM.INI file
9. AUTOEXEC.BAT file
10. StartUp folder
11. All Users StartUp
12. Misc. StartUp Configurations

__________________________________________________________________________
__________________________________________________________________________

The following is a list of your current Start-Ups
__________________________________________________________________________
__________________________________________________________________________

1. HKLM Run - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"PCHealth"="C:\\WINDOWS\\PCHealth\\Support\\PCHSchd.exe -s"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"ICSMGR"="ICSMGR.EXE"
"AdaptecDirectCD"="\"C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"WinampAgent"="\"D:\\PROGRAM FILES\\WINAMP\\WINAMPa.exe\""
"PCCIOMON.EXE"="\"D:\\Program Files\\Trend PC-cillin 2000\\PCCIOMON.EXE\""
"pop3trap.exe"="\"D:\\Program Files\\Trend PC-cillin 2000\\pop3trap.exe\""
"WebTrap.exe"="\"D:\\Program Files\\Trend PC-cillin 2000\\WebTrap.exe\""
"New.net Startup"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~2.DLL,NewDotNetStartup"
"LoadQM"="loadqm.exe"
"QuickTime Task"="C:\\WINDOWS\\SYSTEM\\QTTASK.EXE"
"Hidserv"="Hidserv.exe run"
"SaveNow"="C:\\PROGRA~1\\SAVENOW\\SaveNow.exe"


==========================================================================
__________________________________________________________________________

2. HKCU Run - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"


==========================================================================
__________________________________________________________________________

3. HKLM RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

4. HKCU RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

5. HKLM RunServices - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"SchedulingAgent"="mstask.exe"
"*StateMgr"="C:\\WINDOWS\\System\\Restore\\StateMgr.exe"
"BCMHal"="rundll32.exe bcmhal9x.dll,BCInit"
"ENSApServer2_0"="d:\\APSERVER.EXE"
"PersFw"="d:\\Program Files\\Tiny Personal Firewall\\persfw.exe"
"PCCIOMON.EXE"="\"D:\\Program Files\\Trend PC-cillin 2000\\PCCIOMON.EXE\""


==========================================================================
__________________________________________________________________________

6. HKLM RunServicesOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


==========================================================================
__________________________________________________________________________

7. WIN.INI File - (c:\windows\win.ini)

Your win.ini run/load lines should look like run= and load= exclusively.
There should be nothing to the right of the equal signs.


These are the run and load lines in your WIN.INI file


load=

==========================================================================
__________________________________________________________________________

8. SYSTEM.INI File - (c:\windows\system.ini)

Your system.ini shell line should look like shell=Explorer.exe exclusively.
You should only see Explorer.exe following the equal sign.


This is the shell line in your SYSTEM.INI file

shell=Explorer.exe

==========================================================================
__________________________________________________________________________

9. AUTOEXEC.BAT File - (c:\autoexec.bat)

(Some trojans have been known to start from this file)


These are your program startups and set paths in your autoexec.bat file

SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
SET CLASSPATH=d:\Program Files\PhotoDeluxe 2.0\AdobeConnectables
SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP
SET DBROOT=D:\Program Files
SET DBWORK=D:\Program Files\sql
SET DBCONFIG=D:\Program Files\sql

==========================================================================
__________________________________________________________________________

10. StartUp Folder - (c:\windows\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your StartUp folder

C:\WINDOWS\Start Menu\Programs\StartUp\EPSON Background Monitor.lnk

==========================================================================
__________________________________________________________________________

11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your All Users StartUp folder


*(No start-ups found)*

==========================================================================
__________________________________________________________________________

12. Miscellaneous StartUp Configurations

-============================-
Registry StartUp Directories
-============================-

Should show the Start Menu StartUp and All Users StartUp directories

.....................................................................

[1] HKCU - Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

"Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"

.....................................................................

[2] HKCU - User Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders


.....................................................................

[3] HKLM - Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

"Common Startup"="C:\\WINDOWS\\olefiles"

.....................................................................

[4] HKLM - User Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders

"Common Startup"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,6f,6c,65,66,69,6c,65,
.....................................................................

-=======================-
Registry Shell Spawning
-=======================-

Open Commands for Executable File Types

@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)

@="\"%1\" %*"
(.com file - RegPath = HKCR\comfile\shell\open\command)

@="\"%1\" /S"
(.scr file - RegPath = HKCR\scrfile\shell\open\command)

@="\"%1\" %*"
(.bat file - RegPath = HKCR\batfile\shell\open\command)

@="\"%1\" %*"
(.pif file - RegPath = HKCR\piffile\shell\open\command)

@="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
(.hta file - RegPath = HKCR\htafile\shell\open\command)

-=========================-
HKLM RunOnceEx - Registry
-=========================-


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]


-=========================-
HKU (.Default) Run - Registry
-=========================-


[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"


-==============================-
HKU (.Default) RunOnce - Registry
-==============================-


[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce]


-================================-
StubPaths - Registry (Partial Listing)
-================================-

(Please see the StubPath.txt on your desktop for complete listing)

HKLM\Software\Microsoft\Active Setup\Installed Components


"StubPath"="C:\\WINDOWS\\msnmgsr1.exe"
"StubPath"="C:\\WINDOWS\\COMMAND\\sulfnbk.exe /L"
"StubPath"=""
"StubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
"RealStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
"StubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"
"RealStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"
"StubPath"="C:\\WINDOWS\\SYSTEM\\updcrl.exe -e -u C:\\WINDOWS\\SYSTEM\\verisignpub1.crl"
"StubPath"="C:\\WINDOWS\\SYSTEM\\ie4uinit.exe"

-=================-
WINSTART.BAT File - (c:\windows\winstart.bat)
-=================-

@echo off
@C:\WINDOWS\tmpcp
[54 blank lines omitted]
:s
@if exist "C:\WINDOWS\olefiles\regscan32.exe" goto f
@copy "C:\WINDOWS\SYSTEM\tapisvc.sys" "C:\WINDOWS\Start Menu\Programs\StartUp\regscan32.exe" > nul
:f

-=================-
DOSSTART.BAT File - (c:\windows\dosstart.bat)
-=================-

D:\PROGRA~1\LOGITECH\MOUSEW~1\MOUSE.EXE


-=================-
WININIT.BAK File - (c:\windows\wininit.bak)
(name) (type) (size)(modified)(time)
wininit bak 448 30/05/02 16:21
-=================-

[Rename]
C:\WINDOWS\powerpnt.ini=C:\_RESTORE\EXTRACT\powerpnt.ini
C:\WINDOWS\wavemix.ini=C:\_RESTORE\EXTRACT\wavemix.ini
C:\WINDOWS\tasks\desktop.ini=C:\_RESTORE\EXTRACT\desktop.ini
C:\WINDOWS\win.ini=C:\_RESTORE\EXTRACT\win.ini
C:\WINDOWS\system.ini=C:\_RESTORE\EXTRACT\system.ini
C:\WINDOWS\USER.DAT=C:\_RESTORE\EXTRACT\USER.DAT
C:\WINDOWS\SYSTEM.DAT=C:\_RESTORE\EXTRACT\SYSTEM.DAT
C:\WINDOWS\CLASSES.DAT=C:\_RESTORE\EXTRACT\CLASSES.DAT


-=========================-
ICQ Inet Registry StartUp
-=========================-

Shows applications that start when connected to Inet


[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps]
"Launch Browser"="No"


-=====================-
Screen Saver Settings (Possible system.ini start-up)
-=====================-

SCRNSAVE.EXE=

==========================================================================
__________________________________________________________________________

- Supplemental Environment Information -

PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
CLASSPATH=d:\Program Files\PhotoDeluxe 2.0\AdobeConnectables
COMSPEC=C:\WINDOWS\COMMAND.COM
TEMP=C:\WINDOWS\TEMP
TMP=C:\WINDOWS\TEMP
DBROOT=D:\Program Files
DBWORK=D:\Program Files\sql
DBCONFIG=D:\Program Files\sql
winbootdir=C:\WINDOWS
windir=C:\WINDOWS

File - c:\windows\Wininit.bak
File - c:\windows\deletefi.ini

==========================================================================
__________________________________________________________________________

- End -
 
1. SaveNow is spyware. Ad-aware will remove it.


2. New.net Startup is garbage you don't need, so uncheck it from under the startup tab in msconfig or remove it from add/remove. (Start--run--msconfig--ok.) If you decide to uninstall it from add/remove, restart immediately after to complete the uninstall.

3. Your AV and firewall are being shut down because you're still infected with the Optix trojan. The winstart.bat file points to it. Read here:


The Cleaner is free to try and may remove the trojan for you:
And read this page:


Copied from there:

"4. Delete all files that are detected as Backdoor.Optix. If any files are detected as Backdoor.Optix, delete the Winstart.bat file before you restart the computer. For detailed information, read the section that follows.

Delete the Winstart.bat file
This is necessary only if Backdoor.Optix was detected on your computer.

All variants of Backdoor.Optix discovered to date create a batch file named Winstart.bat in the %Windows% folder. Winstart.bat is a standard Windows file that can be created and used by programs when you install software. If the Winstart.bat file exists, it will run when you start Windows, and any commands in it will be executed.

NOTE: %Windows% is a variable. The worm locates the \Windows folder (by default this is C:\Windows or C:\Winnt) and copies itself to that location.

Backdoor.Optix keeps a second copy of itself on the hard drive. It also may add commands to the Winstart.bat, so that if you delete the Trojan from its original location, when Winstart.bat is run, it will recreate the Trojan file. Norton AntiVirus does not detect the Winstart.bat file, because it is not by itself viral.

Therefore, if Backdoor.Optix is found on the computer, we strongly recommend that you use Windows Explorer to locate and delete the \Windows\Winstart.bat file before you restart the computer."
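The mechanism AVChap describes (winstart.bat re-creating the trojan at boot) can be checked mechanically against a StartUp Log in the posted format. The following is an added example, not part of the thread or of the StartUp Log tool: it flags the blank-line padding and the copy command in the posted winstart.bat section, and the HKLM "Common Startup" shell folder that the log shows pointing at C:\WINDOWS\olefiles instead of the All Users StartUp folder its own header says it should show. The sample log is a constructed excerpt of the posted one, and the 20-blank-line threshold is this example's own assumption.

```python
import re

# Constructed excerpt of the StartUp Log posted above (paths copied from the post); 54 blank lines as in its winstart.bat.
SAMPLE_LOG = r"""-=================-
WINSTART.BAT File - (c:\windows\winstart.bat)
-=================-
@echo off
@C:\WINDOWS\tmpcp
""" + "\n" * 54 + r""":s
@if exist "C:\WINDOWS\olefiles\regscan32.exe" goto f
@copy "C:\WINDOWS\SYSTEM\tapisvc.sys" "C:\WINDOWS\Start Menu\Programs\StartUp\regscan32.exe" > nul
:f
-=================-
"Common Startup"="C:\\WINDOWS\\olefiles"
"""

COPY_RE = re.compile(r'^\s*@?copy\s+"([^"]+)"\s+"([^"]+)"', re.IGNORECASE)

def section(log, title):
    """Body lines of the '-====-' boxed log section whose title line starts with `title`."""
    lines = log.splitlines()
    start = next(i for i, line in enumerate(lines) if line.startswith(title)) + 2
    end = next(i for i in range(start, len(lines)) if lines[i].startswith("-="))
    return lines[start:end]

def longest_blank_run(lines):
    """Longest run of empty lines; the posted winstart.bat pushes its commands off-screen this way."""
    run = best = 0
    for line in lines:
        run = run + 1 if not line.strip() else 0
        best = max(best, run)
    return best

def common_startup_redirect(log):
    """Common Startup path if it no longer points at the All Users StartUp folder, else None."""
    m = re.search(r'"Common Startup"="([^"]+)"', log)
    path = m.group(1).replace("\\\\", "\\") if m else ""  # registry exports double the backslashes
    return path if path and not path.lower().endswith(r"\all users\start menu\programs\startup") else None

def findings(log):
    """Persistence indicators of the kind this thread turned up, as readable strings."""
    ws, out = section(log, "WINSTART.BAT File"), []
    commands = [line for line in ws if line.strip()]
    if commands and longest_blank_run(ws) >= 20:  # padding threshold is this example's own choice
        out.append(f"winstart.bat: {len(commands)} commands after {longest_blank_run(ws)} blank lines")
    out += [f"winstart.bat re-creates {m.group(2)} from {m.group(1)}" for m in map(COPY_RE.match, commands) if m]
    if (path := common_startup_redirect(log)):
        out.append(f"Common Startup folder redirected to {path}")
    return out
```

Run against a real StartUp Log saved to disk, the same three checks apply unchanged, since the tool's section markers and registry-export quoting are what the parser keys on.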
 
Thanks for all the info. The following describes what happened. The Cleaner detected a backdoor virus and we removed it. This made no difference and when we used the Cleaner again it suffered the same fate as the PC-Cillin software. We then tried the TDS s/w from DiamondCS. This detected a "Process Killer" trojan but didn't know what it was. When this was deleted along with the winstart.bat file the problem went away. I was not able to figure out how to send DiamondCS the trojan for them to investigate, so unfortunately it remains for someone else to get it and send it on.

There is still one issue not resolved: why doesn't the System Restore tool show up in the accessories part of the start menu?

Many thanks for solving this for us.

Blackcloud14
 
"why doesn't the System Restore tool show up in the accessories part of the start menu?"

I don't know, but that's just a shortcut to it. Maybe it's also under the tools menu in System Information there? You might want to ask that question in the WinME forum.
