Virus, i think, but nothing finds it

[Caligo]

Ok, here are the things that have happened so far:
1. ZoneAlarm and Norton 2002 open with the interfaces missing most of their buttons and all information(can't close zlclient process, says I don't have permission and access denied)
2. Logon password character changed from dot to pipe "|"
3. www.sarc.com won't open, nor will several other antivirus sites, like mcaffee(Only in IE are they blocked) By blocked, I mean they don't load all the way. Only the top banner and a few links.
4. downloaded avg and another virus checker from panda software but they found nothing.
5. Changes fonts on most sites in Mozilla 1.5

Does anyone recognize this as something?? I can't format and start over until the end of next week. Any suggestions will be greatly appreciated. Thanks.

 

[ming]

Haven't heard that one before. Think you'll just have to take precautions, while seeing it through til the end of next week mate.

On the other hand, have you done any system maintenance recently? Like use Norton Utilies to find errors and stuff? Maybe that'll fix some of the problems you have.

 

[Caligo]

I don't have norton utilities, just the antivirus. Should I run some of the maintenance tools in windows and see if it finds anything? Does this sound like a virus or did windows just screw up again? Happened a few months ago, windows just decided it would no longer boot(couldn't find some files and it wouldn't let me write to the drive when I booted into the repair console) and I had to redo it. Possibly related?? Thanks.

 

[Geffy]

Informed Enyo, he might have some things for you to try

 

[mbx]

use the online virus checker at http://housecall.antivirus.com/housecall/start_frame.asp, if you think it might be a virus.
This will take a while on a slow connection because it downloads the software and virus definition files from scratch, but does mean it isn't messed with by an installed virus.

 

[Caligo]

Thanks, I will try that site as soon as I get back to the computer and then post an update on anything it finds.

 

[Caligo]

It didn't find anything. I think my computer is sending email too. Every time I do a send and receive in Outlook 2003 the thing says it's receiving on both accounts but also that it's sending on both of my accounts. Also, I've gotten a few blank emails. No sender, or recipient, size is 0, just the time it was received.

 

[j79zlr]

wierd, have you checked msconfig for strange startup items? what about this registry value, has anything tacked itself on with explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

check the value of "Shell"

 

[Perris Calderon]

put one of your other addresses in your email library, and don't send yourself anythinhg

see if you get anything from this account.

 

[Caligo]

Ok, the value for shell is Explorer.exe. I looked through all of the latest threats on sarc.com and none of them fit the problems I am getting.

 

[Caligo]

Just restarted my computer and it said at post, Back up all data SMART has detected an imminent failure may occur, or something like that. Not sure what to think of that, but I won't be restarting it again.

 

[leedogg]

Sounds like a windows repair is in order. Plus try reinstalling chipset drivers. My system kept falling apart when I didnt have any chipset drivers installed. Might be a trojan, these arent as easy to detect, see what is loading during startup - get asviewer or startup control panel.

 

[Caligo]

Would that cause the SMART error at the beginning or is it likely that there is something genuinely wrong with the drive?

 

[dreamliner77]

sounds like your drive is about to give up the ghost

 

[LeeJend]

SMART is the hard drive internal diagnostics. Built into the drive to detect something going bad. It has detected the HD is about to die.

Back up your data.
Run the manufacturers diagnostics
Send in diagnostic report and get RMA.
Get a new drive free.

The SMARTs message may / or may not be related to the original problem but you should not ignore it.

 

[Enyo]

It sounds like your having a few problems. I will comment on those discussed at the start of the thread.

First things first a startup List and OpenPorts logs are essential to discovering if indeed this is malware related.

Startup List:

http://www.tomcoyote.org/hjt/startuplist.zip

OpenPorts:

http://www.ntfs.org/forum/showthread.php?s=&threadid=36654

Please attach the logs here for review.

 

[Caligo]

Here is the output from open ports. Startuplist output is attached.

______________________________________________________________________________

SYSTEM [0]
TCP 192.168.1.101:1644 207.44.192.61:80 TIME_WAIT
TCP 192.168.1.101:1636 207.44.192.61:80 TIME_WAIT
TCP 192.168.1.101:1601 207.44.192.61:80 TIME_WAIT
TCP 192.168.1.101:1613 207.44.192.61:80 TIME_WAIT
TCP 192.168.1.101:1649 207.44.192.61:80 TIME_WAIT
TCP 192.168.1.101:1645 207.44.192.61:80 TIME_WAIT
TCP 127.0.0.1:1582 127.0.0.1:31595 TIME_WAIT
TCP 192.168.1.101:1626 207.44.192.61:80 TIME_WAIT
TCP 192.168.1.101:1594 207.44.192.61:80 TIME_WAIT
TCP 192.168.1.101:1650 207.44.192.61:80 TIME_WAIT
TCP 192.168.1.101:1647 207.44.192.61:80 TIME_WAIT
TCP 192.168.1.101:1611 207.44.192.61:80 TIME_WAIT
SYSTEM [4]
TCP 192.168.1.101:139 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
UDP 192.168.1.101:137 0.0.0.0:0 LISTENING
UDP 192.168.1.101:138 0.0.0.0:0 LISTENING
UDP 0.0.0.0:445 0.0.0.0:0 LISTENING
svchost.exe [636]
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
svchost.exe [668]
TCP 0.0.0.0:1201 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1198 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
UDP 127.0.0.1:123 0.0.0.0:0 LISTENING
UDP 192.168.1.101:123 0.0.0.0:0 LISTENING
svchost.exe [752]
UDP 0.0.0.0:1074 0.0.0.0:0 LISTENING
UDP 0.0.0.0:1040 0.0.0.0:0 LISTENING
svchost.exe [768]
TCP 0.0.0.0:5000 0.0.0.0:0 LISTENING
UDP 127.0.0.1:1900 0.0.0.0:0 LISTENING
UDP 192.168.1.101:1900 0.0.0.0:0 LISTENING
iexplore.exe [952]
TCP 192.168.1.101:1640 217.79.127.10:80 ESTABLISHED
TCP 192.168.1.101:1641 213.130.34.120:80 ESTABLISHED
TCP 0.0.0.0:1640 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1641 0.0.0.0:0 LISTENING
UDP 127.0.0.1:1244 0.0.0.0:0 LISTENING
spmd.exe [1100]
TCP 0.0.0.0:7050 0.0.0.0:0 LISTENING
ray3xsi3_0server.exe [1304]
TCP 0.0.0.0:7003 0.0.0.0:0 LISTENING
WebProxy.exe [1716]
TCP 127.0.0.1:31595 0.0.0.0:0 LISTENING
UDP 127.0.0.1:18001 0.0.0.0:0 LISTENING
Mozilla.exe [1828]
TCP 127.0.0.1:1508 127.0.0.1:1509 ESTABLISHED
TCP 127.0.0.1:1509 127.0.0.1:1508 ESTABLISHED
TCP 127.0.0.1:1508 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1509 0.0.0.0:0 LISTENING

 

[Enyo]

Both logs appear fine.

 

[Caligo]

That's good. So does this mean that my hard drive is going bad or did XP dropkick itself? I'll run the diagnostic tools from Western Digital later today and see what comes up.

Leedog, you mentioned installing chipset drivers. Did you mean for the motherboard chipset? I installed those when I formatted and reinstalled back in October.

Thanks for the help.

 

[Caligo]

IT'S FIXED!!! I downloaded the diagnostic tool from western digital and it did a complete scan of the drive. It said that it found several lbad sectors but it could fix them. I backed up my data and let it try. I restarted and everything is back to normal. How could something like that cause the problems that I was having? Thanks for all the help everyone.