XP Pro Virus, trojan?? Please Help, expert needed 
 XP Pro Virus, trojan?? Please Help, expert needed

I have some kind of script that keeps running on my
system. I have tried reformatting to no avail. While XP
is reinstalling, my cmd window pops up and something runs
for about 15 seconds. This happens again while installing
my system works 2002. I do not know what's on my machine.
I have downloaded and tried every removal tool Norton
makes. Norton is not detecting anything. But my event log
is being stopped. My security audits are being stopped.
Trojan scanners won't install; I get errors when they
worked fine before. I have scanned my registry and just
do not see where it's hiding. I am no expert in the
area but have read and searched for a month now and can't
find anything. I have tried everything from renaming admin
accounts and setting policies, changing permissions and
inherits. I even renamed guest and disabled it. I have
a lot of listening ports that should not be open and pay
no mind to the permissions I set or to the blocks of my
firewall. I have a DSL connection that I shut off when
not using and since I noticed a problem my firewall goes
off much more than ever before. After a reformat it goes
nuts, then within hours it's quiet and all those ports are
open. My autoexec.bat is empty and so is my config; some
say this is normal, others say no. Some say delete
partitions in DOS. My manufacturer says no. Anyone have
any idea what this is and should I start messing in DOS
and if so where can I find info on how?

Would really appreciate any help.

P.S. I have been searching this a month and bought a lot
of books. If you own XP Pro, the book XP Pro Inside Out
Deluxe Edition is a must. Had I bought that first I would
not have needed anything else; it's an awesome book and I
probably never would have gotten infected to begin with.
Relied too much just on my Norton.



Tue, 10 May 2005 04:19:44 GMT  
 XP Pro Virus, trojan?? Please Help, expert needed


These are certainly some distressing symptoms, but by themselves I'd say
that none of them meant you absolutely had a virus or trojan. All together,
however, it's obvious that something ain't quite right. I'd forget about the
contents, or lack of contents I should say, of autoexec.bat and config.sys
files. Those were important to Windows 3.11, 95, 98, and ME, but Windows XP
works in a totally different way to those systems and really doesn't care
much about those files.

Can you post a reply showing the list of opened ports that you are talking
about? When you say the event logs stop, are there any events recorded in
the log just prior to that happening? Has the event service actually been
stopped?

If you run the system configuration tool (start, run, type MSCONFIG, hit
enter) and look in startup, can you list what you see there please?

What's the source of your Windows XP install media? Is it a disk you
purchased yourself? Is it OEM? (e.g. it came with the computer). If the
latter, it's entirely possible that the command prompt boxes you describe
would open during installation as part of a manufacturer's customisations.

Lastly on the subject of the install media you are using, please don't take
this the wrong way because I'm not trying to be funny, but if the XP CD you
are using came from an.. ahem.. creative source, if you catch my drift, this
would mean you had to be careful about trusting it. I get the impression
from your post that this is NOT the case, but I want to make double sure.

Regards
Rob Moir
Microsoft MVP



Tue, 10 May 2005 07:35:39 GMT  
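
Added example, not part of any post in this thread: one way to answer the open-ports question above is to join `netstat -ano` with `tasklist /svc`, so that each listening port is tied to its owning process and the services that process hosts. Both sample outputs are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of `netstat -ano` output (not taken from the poster's machine).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       1044
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       1180
  TCP    0.0.0.0:9044           0.0.0.0:0              LISTENING       2312
  TCP    192.168.1.10:3001      203.0.113.7:80         ESTABLISHED     2312
  UDP    0.0.0.0:1026           *:*                                    1044
"""
# Constructed sample of `tasklist /svc` output; "unknown.exe" is a made-up image name.
TASKLIST = """\
Image Name                   PID Services
========================= ====== ==============================
svchost.exe                 1044 Dhcp, Schedule, EventSystem
svchost.exe                 1180 SSDPSRV
unknown.exe                 2312 N/A
"""

def parse_tasklist(text):
    """Map PID -> (image name, [service names]) from `tasklist /svc` output."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s+(\d+)\s+(\S.*)$", line)
        if m:  # header and ===== rows have no numeric PID column, so they are skipped
            svcs = [s.strip() for s in m.group(3).split(",") if s.strip() not in ("", "N/A")]
            procs[int(m.group(2))] = (m.group(1), svcs)
    return procs

def listeners(text):
    """Yield (proto, port, pid) for TCP LISTENING rows and bound UDP sockets."""
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            yield "TCP", int(f[1].rsplit(":", 1)[1]), int(f[4])
        elif len(f) == 4 and f[0] == "UDP":
            yield "UDP", int(f[1].rsplit(":", 1)[1]), int(f[3])

def attribute(netstat_text, tasklist_text):
    """Join both outputs: one (proto, port, pid, image, services) row per listener."""
    procs = parse_tasklist(tasklist_text)
    rows = sorted(listeners(netstat_text), key=lambda r: (r[1], r[0]))
    return [(p, port, pid) + procs.get(pid, ("<PID not in tasklist>", [])) for p, port, pid in rows]

def unexplained(report):
    """Listeners whose owning process hosts no Windows service: check these first."""
    return [r for r in report if not r[4]]
```

The ESTABLISHED row on port 3001 is skipped on purpose: it is an outbound connection, not a listener. A listener with no hosted service is not proof of compromise, only the row whose executable needs checking by hand.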
 XP Pro Virus, trojan?? Please Help, expert needed
Hi Robert,

Thanks for replying. OK, the reinstall I am using is from
my OEM (Dell), full version XP Pro and legal. Good
question to ask though and I understand why you did. The SP
fix downloads and installs without a problem as well. The
only bad software I might have gotten is I use the
shareware and trialware off Tucows a lot. Been doing it
for years and have never had a problem but that is the
only non-package software to hit my computer. I have a
script I run that I received with XP Pro Inside Out that
shows hidden files and I have found many I cannot account

encrypted and I cannot decrypt them fully so that is the
best I can tell you about them. I also find stuff like
this fykjs^lokre in my Internet Explorer registry and
always directed at winword8 or 10. I delete it but it always
comes back. Had Norton scan the pointer .docs but it says
they are clean.

Here are the open ports listening:

1025-1026-5000-9044-3001 through 3022-16745- there are
more but at this time not listed and usually are 3200 or
3300 series. The 3001 seems to make the most connections
even after blocking it in firewall. My firewall also has
my email scanner go into error for no reason and I get no
alert that it did.

Here are my running services:
 windows audio
 alg
 cryptographic
dhcp client
logical disk manager
dns client
error reporting service
event log
com+ event system
help and support
server
tcp/ip netbios helper
machine debug manager
Norton anti virus auto
network connections
norton personal firewall listed twice
network location
norton unerase
nvidia
plug n play ( i use it on and off not always enabled)
IPSEC storage
protected storage
remote access connection (the second option only, desktop
and registry and first option  disabled)
security accounts manager
task scheduler
secondary log on
Internet connection firewall
system event Notification
snmp
speed disk
print spooler
system restore
ssdp discovery
norton firewall again
terminal services
telephony
themes
upload manager
distributed tracking
windows time
web client
windows management
portable media serial number
automatic updates

Everything else is either not running or I disabled it.
My event system stops and errors. No warning before it
does, but it is always right after I make a successful
internet connection; that is where I am finding it in my log.
On the Windows install log a lot of non-critical errors
reported.
also this:
cant find autoexec.bat using autoexec.net temp instead
yet I cannot find this file.

what do you think?
Thanks again for your help
Nike




Tue, 10 May 2005 11:53:01 GMT  
 XP Pro Virus, trojan?? Please Help, expert needed


I'm afraid I still don't know what to say. Perhaps you can email a sample of
these suspect hidden files to me? It could be a virus or trojan related
problem as you fear but it could also be some kind of issue with the OEM
Windows installation. I'm sorry, I know you need to hear something a bit
more definite, but right now that's all that springs to mind, unless someone
else in the group can think of something I'm missing from your
description....


Wed, 11 May 2005 23:10:18 GMT  
 