General discussion

Very STRANGE ALERT

By KahunaNui
We are getting a nasty alert with Zone Alarm where a very strange file (applet, program, trojan, etc...) is not only attempting to access the INet, but act as a server as well. We have done everything I can think of to find out what it is and remove it to no avail. We have scanned the entire system for viruses and used a number of Adaware / startup cop programs. We did find Alexa adware and deleted it. Nothing else was found. This is an NT4 Workstation. *ALL* other programs either attempting access or that already have access ZA is able to identify, but this nasty thing comes up BLANK. Under Product Name and File Name it is just that bunch of weird ASCII characters, no exe. Under Product Version & Create Date it is blank. File Size is 0. It gives us multiple alerts. We have sent off the portion of the ZA Log file that deals with this to Zone Labs in hopes that they can help us identify what this is. Portion of ZA Log is below:

PE,2002/06/04,21:58:50 -7:00 GMT,??????W@,0.0.0.0:0,N/A
PE,2002/06/04,21:58:50 -7:00 GMT,??????W@,127.0.0.1:1025,N/A
PE,2002/06/04,21:58:50 -7:00 GMT,??????W@,127.0.0.1:1025,N/A
PE,2002/06/04,21:59:49 -7:00 GMT,??????W@,127.0.0.1:1025,N/A
PE,2002/06/04,22:00:05 -7:00 GMT,??????W@,0.0.0.0:0,N/A
PE,2002/06/04,22:01:24 -7:00 GMT,????L?E@,127.0.0.1:1034,N/A

It also seems to avoid logging when it is trying to access via our DNS address. If we prevent the access of this unknown entity, we are unable to access the INet at all. We cannot Ping, FTP, Browse or anything. We have searched for this weird ASCII file name and we come up empty.

We have even tried examining all services and devices, all "run", "run once", etc. entries in the Registry as well as all other known startup areas with no luck. Has anyone ever seen this before?!!
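
Added example, not part of the original post and not Zone Labs code: a small triage script over the log excerpt above that flags records whose program name is unidentifiable and classifies where each one was connecting. The comma-separated field layout (record type, date, time, program, destination, trailing field) is an assumption inferred from the six lines shown, and the function names are illustrative.

```python
import ipaddress
from collections import Counter

# The six records from the excerpt in the post above.
SAMPLE_LOG = """\
PE,2002/06/04,21:58:50 -7:00 GMT,??????W@,0.0.0.0:0,N/A
PE,2002/06/04,21:58:50 -7:00 GMT,??????W@,127.0.0.1:1025,N/A
PE,2002/06/04,21:58:50 -7:00 GMT,??????W@,127.0.0.1:1025,N/A
PE,2002/06/04,21:59:49 -7:00 GMT,??????W@,127.0.0.1:1025,N/A
PE,2002/06/04,22:00:05 -7:00 GMT,??????W@,0.0.0.0:0,N/A
PE,2002/06/04,22:01:24 -7:00 GMT,????L?E@,127.0.0.1:1034,N/A
"""

def parse_line(line):
    """Split one record; the field meanings are assumed from the excerpt."""
    parts = line.strip().split(",")
    if len(parts) != 6:
        raise ValueError(f"unexpected field count: {line!r}")
    kind, date, time_, program, dest, _extra = parts
    host, _, port = dest.rpartition(":")
    return {"kind": kind, "date": date, "time": time_, "program": program,
            "addr": ipaddress.ip_address(host), "port": int(port)}

def name_is_unidentified(program):
    """True when the name holds '?' marks or control characters, or has
    no extension at all, so it cannot be matched to a file on disk."""
    garbled = any(c == "?" or not c.isprintable() for c in program)
    return garbled or "." not in program

def scope(addr):
    """Classify the destination; loopback traffic never leaves the host."""
    if addr.is_unspecified:
        return "unspecified"
    if addr.is_loopback:
        return "loopback"
    return "private" if addr.is_private else "external"

def triage(log_text):
    """Return (program, scope, port) for every unidentified program."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_line(line)
        if name_is_unidentified(rec["program"]):
            findings.append((rec["program"], scope(rec["addr"]), rec["port"]))
    return findings

def summarize(findings):
    return Counter((prog, sc) for prog, sc, _ in findings)

if __name__ == "__main__":
    for key, count in summarize(triage(SAMPLE_LOG)).items():
        print(count, *key)
```

On these six records every destination is either the unspecified address or loopback; none is an external address.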

This conversation is currently closed to new comments.

Very STRANGE ALERT

by bitsybug20 In reply to Very STRANGE ALERT

You need to check also your autoexec.bat file, but I'm sure you probably did this. You may want to try a free virus scan at http://housecall.antivirus.com/housecall/start_pcc.asp
It does a more thorough scan than McAfee I have found, and came in very handy with some problems we were having. Make sure all programs are closed except the virus scan before you start. It will check your registry first and your boot sectors for hidden trojans; it found one on 5 computers here that McAfee had missed. Also, if you were attacked by one of the klez viruses, it may have disabled or messed up your virus scan in some way. I had to unload and reload mine. Try this first, if it doesn't find anything, I will see if I can come up with another option or suggestion for you.

Very STRANGE ALERT

by KahunaNui In reply to Very STRANGE ALERT

This is the most baffling situation that I have ever come across in my career. I have tried every single scanning program (for BHO, Startup, Trojan, Spyware, Adware, Virus and everything else we could think of), with no luck whatsoever. However, by going to a certain version of Backup Exec and leaving it there, it seems to be in a "dormant" stage and doesn't come up at all. Well, for now we'll leave it alone as this is an extremely mission critical system and at this time we are unable to re-install it. Actually, I would gladly award 4 times this amount of points to learn what this is. It only seems to come out when we upgrade the Veritas software; however, when we do a clean install on the system (via removable drive) and install this application first, we don't have any problems whatsoever. What a mystery.

Very STRANGE ALERT

by bitsybug20 In reply to Very STRANGE ALERT

Just a tip about it being dormant at present, if this is a trojan virus, it will attack on a certain anniversary date. That can really mess you up, so I would be aware of that. Unfortunately you can never really be sure of the anniversary date. I had a major problem on my computer, but was able to finally fix the problem and get rid of the remnants of the virus that had attacked mine. What I found by going into regedit, was that there were executable files that had been placed in my programfiles/common directory. These were file names that were very off the wall and had no business being in the shared section of my computer, because the only shared files that my programs use between themselves are help files, dll files, etc. I also started using the McAfee webscan and internet filter options, which has helped tremendously. Hope all goes well for you.

Very STRANGE ALERT

by KahunaNui In reply to Very STRANGE ALERT

Appreciate the comeback. I am very experienced in this field. I have decided that no matter how solid this particular system is in every other way, I will be zeroing out the drive and re-installing. The bizarre thing with this one is that it does not appear UNTIL we install a certain program put out by Veritas. It is the update for Backup Exec Desktop Pro 4.5. The update puts it up to ver. 4.61. IMMEDIATELY after the update is installed, this thing, whatever it is, attempts to access the INet. I thought we had isolated it to this software; however, on another test system, we were unable to duplicate it, suggesting it is something else. We are going to zap the system and re-install.

Very STRANGE ALERT

by KahunaNui In reply to Very STRANGE ALERT

This question was closed by the author
