Tech Support Guy forum thread
Status: Not open for further replies.
1 - 14 of 14 Posts

Discussion Starter · #1 · 22 Posts
This is not the first time I'm here to post about this, but my computer's HDD LED keeps on flashing and the processor is constantly doing something. I have all the possible antivirus, firewall and spyware control all detecting nothing. No gumming up or anything visible, and my HJT log is clean. Recently I formatted my hard disc but the problem came back.

There must be a problem with the boot sector. When I first start up my computer, I can't see the BIOS opening screens. The first image I get is the XP loading screen. I can only view the BIOS and startup info when I restart my computer by restarting Windows. And sometimes the computer freezes when it is supposed to shut down.

This is what I picked up from ITS systems:

"...A virus in "stealth" mode may not be picked up by a normal anti-virus scan. The virus redirects the anti-virus scanner to the real MBR, which will scan as normal even though it's in the wrong place. Most viruses will also pre-empt all DOS file calls coming in. In other words it "runs ahead", and disinfects the MBR or file before anti-virus software can scan the MBR or file, and when the MBR or file call is through, the virus then re-infects the MBR or file."

I suspect mine is doing just this. Any advice and/or software to correct my problem? Help, please.

-Janski-
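The stealth technique quoted above only works against readers running inside the infected OS, so the practical check is to compare the MBR read from rescue media (or a known-good backup) against the one the running system reports. The following is an added example, not code from the thread or from any tool named in it; the MBR images are constructed in the script, and the `\\.\PhysicalDrive0` path for a live read is an assumption about where a Windows administrator would obtain the suspect sector.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446   # bytes 0..445: boot loader code (a boot-sector virus replaces these)
PART_TABLE_OFF = 446  # four 16-byte partition entries follow the boot code
SIGNATURE = b"\x55\xAA"  # bytes 510..511 mark a valid MBR

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR image into a boot-code hash, partition table and signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        e = sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        lba_start, sectors = struct.unpack("<II", e[8:16])
        if e[4]:  # partition type 0x00 means the slot is unused
            partitions.append({"bootable": e[0] == 0x80, "type": e[4],
                               "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions,
            "valid_signature": sector[510:512] == SIGNATURE}

def compare_mbr(reference: bytes, suspect: bytes) -> str:
    """Classify how the suspect MBR differs from a trusted copy.
    Read the suspect sector from outside the suspect OS (rescue media): a stealth
    virus hands in-OS readers the clean sector, so they would always report 'match'."""
    ref, sus = parse_mbr(reference), parse_mbr(suspect)
    if not sus["valid_signature"]:
        return "invalid"
    same_code = ref["boot_code_sha256"] == sus["boot_code_sha256"]
    same_table = ref["partitions"] == sus["partitions"]
    if same_code:
        return "match" if same_table else "partition-table-changed"
    # Loader replaced but partition table kept is the classic boot-sector-virus
    # pattern: the machine still boots, so nothing looks wrong from inside Windows.
    return "boot-code-changed" if same_table else "rewritten"

def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Construct a demo MBR image (constructed sample, not a dump of any real disk)."""
    img = bytearray(SECTOR)
    img[:len(boot_code)] = boot_code
    for i, (ptype, lba_start, sectors) in enumerate(partitions):
        off = PART_TABLE_OFF + 16 * i
        img[off], img[off + 4] = (0x80 if i == 0 else 0x00), ptype
        img[off + 8:off + 16] = struct.pack("<II", lba_start, sectors)
    img[510:512] = SIGNATURE
    return bytes(img)

# Constructed samples: identical NTFS partition table, different loader code.
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40, [(0x07, 63, 78140097)])
MODIFIED_MBR = build_mbr(b"\xeb\x3c\x90" + b"\x00" * 45, [(0x07, 63, 78140097)])
```

On Windows, running as Administrator, the live sector is `open(r"\\.\PhysicalDrive0", "rb").read(512)`; the reference copy must come from a boot CD or an image taken before the symptoms appeared.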
 

Discussion Starter · #3 · 22 Posts
Here you go. I doubt there's anything wrong though. My antivirus uses Backweb for updates.

Logfile of HijackThis v1.99.0
Scan saved at 15:24:41, on 12.1.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sonera Tietoturva\Common\FSM32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\SONERA~1\backweb\4436233\Program\SERVIC~1.EXE
C:\Program Files\Sonera Tietoturva\Anti-Virus\fsgk32st.exe
C:\Program Files\Sonera Tietoturva\backweb\4436233\program\fsbwsys.exe
C:\Program Files\Sonera Tietoturva\Anti-Virus\FSGK32.EXE
C:\Program Files\Sonera Tietoturva\backweb\4436233\Program\fspex.exe
C:\Program Files\Sonera Tietoturva\Common\FSMA32.EXE
C:\Program Files\Sonera Tietoturva\Anti-Virus\fssm32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sonera Tietoturva\Common\FSMB32.EXE
C:\Program Files\Sonera Tietoturva\Common\FCH32.EXE
C:\Program Files\Sonera Tietoturva\Common\FAMEH32.EXE
C:\Program Files\Sonera Tietoturva\FWES\Program\fsdfwd.exe
C:\Program Files\Sonera Tietoturva\Anti-Virus\fsav32.exe
C:\Program Files\Sonera Tietoturva\FSGUI\fsguiexe.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Rauno\Omat tiedostot\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.soneraplaza.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Sonera Tietoturva\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Sonera Tietoturva\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Sonera Tietoturva\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O23 - Service: Sonera Tietoturva - Unknown - C:\PROGRA~1\SONERA~1\backweb\4436233\Program\SERVIC~1.EXE
O23 - Service: Loogisen levyn hallinnan valvontapalvelu - Unknown - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Tapahtumaloki - Unknown - C:\WINDOWS\system32\services.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - Unknown - C:\Program Files\Sonera Tietoturva\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - Unknown - C:\Program Files\Sonera Tietoturva\backweb\4436233\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon - F-Secure Corporation - C:\Program Files\Sonera Tietoturva\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent - F-Secure Corporation - C:\Program Files\Sonera Tietoturva\Common\FSMA32.EXE
O23 - Service: CD-levyjen kirjoittamisen IMAPI COM -palvelu - Unknown - C:\WINDOWS\System32\imapi.exe
O23 - Service: NetMeeting etätyöpöydän jakaminen - Unknown - C:\WINDOWS\System32\mnmsrvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Plug and Play - Unknown - C:\WINDOWS\system32\services.exe
O23 - Service: Etätyöpöydän ohjeen istunnonhallinta - Unknown - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Älykortti - Unknown - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Resurssilokit ja -hälytykset - Unknown - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Aseman tilannevedos - Unknown - C:\WINDOWS\System32\vssvc.exe
O23 - Service: WMI resurssisovitin - Unknown - C:\WINDOWS\System32\wbem\wmiapsrv.exe
 

Rollin' Rog · 45,855 Posts
I don't see anything unusual in the scan log. The symptoms of the HD light flashing and processor activity are not unusual or indications of infection themselves -- unless they are quite constant. Windows performs caching, memory clearing and virtual memory access functions which can cause this to appear. Also, during periods of inactivity System Restore may do archiving.

When you see this occurring, open the Task Manager and see if any process is unusually high in CPU usage. Ignore the System Idle Process.

You can also use a utility like "Filemon" to monitor disk access and file usage when this occurs. The files accessed may provide some clues as to what is happening.

Filemon is available at Sysinternals:

http://www.sysinternals.com/

I'm not sure what it is you are not seeing when the BIOS loads, other than the brief progress bar that precedes the Windows progress bar.

And if you have an NTFS file system, I don't think that particular description of boot sector viruses applies; however, NTFS boot sectors can still be infected, although they are considered more difficult to spread.

Your F-Secure installation probably has the ability to scan for Boot Sector viruses. They have always been leaders in this area.
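Task Manager shows CPU time but not which process is behind a disk access every couple of seconds; the Filemon suggestion above is the right idea, and the same attribution can be done from per-process I/O counters. This is an added example, not from the thread or from Sysinternals; it assumes the third-party `psutil` package for the live snapshots (imported inside the function so the ranking logic runs without it), and the process names in the constructed sample are made up.

```python
import time

def snapshot_io() -> dict:
    """Cumulative read+write bytes per process, keyed by (pid, name).
    Assumes psutil is installed; processes we cannot inspect are skipped."""
    import psutil  # third-party; local import keeps rank_io_growth usable without it
    counts = {}
    for p in psutil.process_iter(["pid", "name"]):
        try:
            io = p.io_counters()
        except (psutil.AccessDenied, psutil.NoSuchProcess, AttributeError):
            continue
        counts[(p.info["pid"], p.info["name"])] = io.read_bytes + io.write_bytes
    return counts

def rank_io_growth(before: dict, after: dict, top: int = 10) -> list:
    """Rank processes by bytes transferred between two snapshots.
    Processes that exited are dropped; ones that appeared count from zero.
    Ties are broken by PID so the output is stable."""
    growth = []
    for key, end in after.items():
        delta = end - before.get(key, 0)
        if delta > 0:
            growth.append((key[0], key[1], delta))
    growth.sort(key=lambda t: (-t[2], t[0]))
    return growth[:top]

def watch(seconds: float = 10.0, top: int = 10) -> list:
    """Sample twice, `seconds` apart, and return the processes that moved the most data.
    A process that is the only steady mover while the machine idles is the one
    to look at (an indexer, a logging service, a scheduled backup, or something unwanted)."""
    before = snapshot_io()
    time.sleep(seconds)
    return rank_io_growth(before, snapshot_io(), top)

# Constructed sample snapshots (not real counter values), as watch() would collect them.
SAMPLE_BEFORE = {(1, "explorer.exe"): 1000, (2, "svchost.exe"): 500, (3, "gone.exe"): 10}
SAMPLE_AFTER = {(1, "explorer.exe"): 1500, (2, "svchost.exe"): 5000, (4, "new.exe"): 200}
```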
 

Discussion Starter · #5 · 22 Posts
Oh yes, the flashing is constant. I know all that you said about Windows performing these tasks. Yet none of those should flash the LED every two seconds or so when idle. I have monitored my CPU usage using Windows Task Manager, and the only processes that occasionally take up processor time are iexplore.exe and explorer.exe and memory (from 4% to 10% on a 1.5 GHz machine). However, explorer.exe bounces up and down the list all the time, so if there is a virus, this must be it! I still strongly believe that the system is somehow infected, but because no program indicates that, how can I be sure? And how do I get rid of it without damaging Windows??

Addition: the explorer.exe is located in c:\windows, whereas I believe it should go to c:\windows\system32. Definitely a virus.

And the problems that I'm facing outside of windows are

1) that I don't see BIOS loading (no "Press DEL to enter BIOS", no boot sequence, no nothing before Windows starts loading, just an empty screen)

2) On a computer shutdown, occasionally, the display is closed when Windows closes, but the computer itself (the fans and so on) remain humming, so I have to PRESS the power button to shut it down.

Could all these be the symptoms caused by the same source? EXPLORER.EXE? Why am I not alerted? Then, pretty please with sugar on top, tell me how the **** to get rid of it?

Thanks. Have a nice weekend.
 

Rollin' Rog · 45,855 Posts
No, explorer.exe belongs in c:\windows all right.

Try the utility filemon and see if you can tell what file is being systematically accessed. I've seen this issue a couple of times with logging utilities that have been enabled.

Example of usage here:

http://forums.techguy.org/t113348&highlight=filemon.html

Also if you think this process is associated with Explorer you can do the following:

http://tools.zerosrealm.com/pv.zip

Instructions:

Unzip it, and launch the RUNME.BAT file. Press options 1, 2 and 3

These will create text files of modules loaded with Explorer, Internet Explorer and rundll32.exe

You can upload those here for a gander as attachments. They are generally too long for copy/pastes. Rundll32 may be blank; ignore it if it is.

As for the BIOS, have you entered setup previously on this machine by pressing "DEL"? And can you still do it now, regardless of not seeing the prompt on the screen?

If you go to the Device Manager are there any flags under "System Devices"? Particularly ACPI ?

Did this computer come new with XP installed on it, or was this an upgrade from an older Win98 or other operating system? And was there a time when these issues were not present?

Also I notice that you have NetMeeting Remote Desktop Sharing enabled as a starting process:

O23 - Service: NetMeeting etätyöpöydän jakaminen - Unknown - C:\WINDOWS\System32\mnmsrvc.exe

Are you using this? It's possible that or an associated startup could be involved in the process or file usage. Do not use HijackThis to remove this or the following ...

And: Performance Logs and Alerts

O23 - Service: Resurssilokit ja -hälytykset - Unknown - C:\WINDOWS\system32\smlogsvc.exe

>> should be set to "manual" startup in your Administrative Tools > Services profile.
 

Discussion Starter · #7 · 22 Posts
Thanks so much Rollin' Rog (haha typo) for helping me out. Take a look at these:
Check out the entry:

C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll 6.0 (xpsp_sp2_rtm.040803-2158) User Experience Controls Library
 

Attachments

Discussion Starter · #8 · 22 Posts
Rollin' Rog said:
As for the BIOS, have you entered setup previously on this machine by pressing "DEL"? And can you still do it now, regardless of not seeing the prompt on the screen?
No, I can't access BIOS when the screen is blank, but this "blankness" has not existed always, though for a long time now.

If you go to the Device Manager are there any flags under "System Devices"? Particularly ACPI ?
ACPI is functioning properly and so are the other system devices.

Did this computer come new with XP installed on it, or was this an upgrade from an older Win98 or other operating system? And was there a time when these issues were not present?
My XP is a full one, not an upgrade. And yes, some time ago none of this occurred.

Also I notice that you have NetMeeting Remote Desktop Sharing enabled as a starting process:

O23 - Service: NetMeeting etätyöpöydän jakaminen - Unknown - C:\WINDOWS\System32\mnmsrvc.exe

Are you using this? It's possible that or an associated startup could be involved in the process or file usage. Do not use HijackThis to remove this or the following ...

And: Performance Logs and Alerts

O23 - Service: Resurssilokit ja -hälytykset - Unknown - C:\WINDOWS\system32\smlogsvc.exe

>> should be set to "manual" startup in your Administrative Tools > Services profile.
This is a killer. I'm not using those manually and they are set to run manually in the services profile, BUT Performance Logs and Alerts seems to be configured to logon by using an account named NT Authority\NetworkService.
It sure isn't mine!

Hope this answered some of your questions.
 

Rollin' Rog · 45,855 Posts
Neither of those could affect issues with the BIOS screens. Since you are not using them and neither is a required system process, you could set them to "disabled" in the Services profile. This will test whether the disk access is related to one of them. I would suspect the "Performance Logs and Alerts" since I have seen this before. You may have something configured to run a system monitor which would cause it to be started if set on "manual" startup.

Frankly I just don't have a clue what could be the issue with the BIOS screen, although it sounds to me like for some reason the monitor is not being detected prior to Windows loading.

If this computer is older than a few years you might want to shut down, open the case and look for the CMOS battery. This is a quarter-size silver battery that stores CMOS data. They have a typical system life of 3-5 years and cost about 3 bucks to replace.

Don't worry about "NT authority service", that is the System authority provided for system files.
 

Discussion Starter · #10 · 22 Posts
Now I've disabled the services, but it had no effect on explorer.exe, which I still think is the problem maker here.

I've used a shareware program called Security Task Manager to get more info on the programs running. Attached is a screenshot from the program. Here you can see that explorer.exe is really running from C:\Windows, using 20MB of memory and counting.

What is even more confusing, though, is the Properties window at the bottom. It says Microsoft signed file, Belongs to HijackThis 1.99.0!!!, functions: record inputs.

What is this? Belongs to HijackThis... I don't get it. Should I delete HijackThis now to get the file to disappear or what?
 

Attachments

Rollin' Rog · 45,855 Posts
Janski said:
Now I've disabled the services, but it had no effect on explorer.exe, which I still think is the problem maker here.
By "no effect on explorer.exe" what do you mean? That procedure was only suggested to troubleshoot the repeating disk access.

I don't understand the "belongs to HijackThis" or the "records inputs" part of the report either. It looks like the program is confused about what it is looking at. Was HijackThis open at the time you ran that program? You might try running it again after a reboot without using HijackThis first and see if it still reports the same thing.

But there is no real indication of anything being wrong with Explorer.exe. It's in the right folder, it has a Microsoft copyright and it is not faulting or producing error messages and the cpu usage is minimal.
 

Discussion Starter · #12 · 22 Posts
Rollin' Rog said:
By "no effect on explorer.exe" what do you mean? That procedure was only suggested to troubleshoot the repeating disk access.
What I meant was that it had no effect on the disc access. It might be some other program than explorer.exe that is causing this, but from what I've seen from Task Manager and other diagnostics, there is something suspicious in it.
And shouldn't the file go in ..\system32 instead of the root folder of Windows?

Was HijackThis open at the time you ran that program? You might try running it again after a reboot without using HijackThis first and see if it still reports the same thing.
It has never been open when this program has been active, but it still claims that those processes are somehow linked.

But there is no real indication of anything being wrong with Explorer.exe. It's in the right folder, it has a Microsoft copyright and it is not faulting or producing error messages and the cpu usage is minimal
Is it? The CPU usage has never been major, so it doesn't affect the performance of the computer itself; it's just the once-every-two-seconds disc access I'm worried about.
 

Rollin' Rog · 45,855 Posts
The "root" folder would be c:\

Explorer is in c:\Windows, which is where it belongs.

Again about the only thing I can suggest at this stage to track down the file access issue is using Filemon which I mentioned previously.

Keep in mind this probably has absolutely nothing to do with the lack of a BIOS screen on boot up --

What is the computer model by the way? (Or the motherboard model if it is self-built.) And did these issues occur before or after the upgrade to XP SP2?
 