
Who changed my computer date?

Discussion in 'Malware and Virus Removal Archive' started by 71sigma, 2007/02/10.

  1. 2007/02/10
    71sigma

    71sigma Inactive Thread Starter

    Joined:
    2002/03/27
    Messages:
    49
    Likes Received:
    0
    I have a less than one year old Gateway desktop running XP Home Edition and Internet Explorer 7 (downloaded from Microsoft). Sometime during the day on February 7, 2007 (as near as I can figure) the year in my computer clock changed from 2007 to 2002 ALL BY ITSELF. Unaware of this I found on the evening of Feb 7 that I could not access my bank, insurance and military pay accounts: I got a message that the site's security certificate had expired. When I phoned one of the banks the next morning they right away asked if I was using a cable modem with C****** (let them remain anonymous at this time); the answer was YES. The bank person said their IT people were working with C****** on the issue. Before the call I had run Norton AV on full system scan to verify no viruses. After talking with the bank I sent emails to all my correspondents who were using C****** to apprise them of the situation. Later that day (Feb 8th) I received an email from one of these correspondents saying that the date showing on my emails was 2002. Sure enough, when I changed it to 2007, voila! I could contact my banks, etc. I phoned C****** tech support: They were unaware of any problem and suggested I contact Microsoft. The MS Knowledge Base had only one item relating to security certificates, and it did not describe my problem. So, how did the date get changed? Worm? Trojan? Anything that might have slipped through Norton Internet Security? I haven't contacted Symantec yet.
     
  2. 2007/02/10
    Dytrog

    Dytrog Inactive

    Joined:
    2007/01/13
    Messages:
    341
    Likes Received:
    0
    time

    My time was off too! I didn't notice until I tried the Media Center TV guide. It was just one day off. It would not auto-adjust; I had to do it manually. It had the right minutes, a day off, and the hour was the wrong time zone. Changed to correct zone, still would not synchronize ("still won't"). I've used it before, no problem; sync worked fine.
     

  4. 2007/02/11
    Whiskeyman Lifetime Subscription

    Whiskeyman Inactive Alumni

    Joined:
    2005/09/10
    Messages:
    1,772
    Likes Received:
    37
    Did you recently download and install the DST update? Have you tested the CMOS battery on the motherboard? If the battery is weak or dead the motherboard will revert the time back to its default setting.
     
  5. 2007/02/11
    mailman Lifetime Subscription

    mailman Geek Member

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    Hi, 71sigma and Dytrog. :)

    Here's a link to Microsoft's information about the new DST law.
    The CMOS battery for computers these days is usually about the size of a nickel and is installed on the motherboard. Be sure the power to the computer is off (unplugged) when removing/replacing the battery.
     
  6. 2007/02/11
    Dytrog

    Dytrog Inactive

    I disabled auto set and did manual. I'm good now. I didn't find the mentioned update listed in Add/Remove. Batt is OK.
     
  7. 2007/02/12
    71sigma

    71sigma Inactive Thread Starter

    Whiskeyman and mailman.
    Having had clock problems eons ago with one other computer I had thought of checking the battery; but since the machine is less than a year old I dismissed that thought. As for the DST business: I see no relevance there. Another curious thing which I didn't think to mention: My clock is updated EVERY TIME I STARTUP by automatically accessing time.windows.com. Granted, that site might not check the YEAR. I also thought that my computer might have hiccupped (yes, it can happen - I am a retired BIG machine programmer who has had to track down little glitches like that). However, hiccups (voltage spikes) rarely change more than one bit in any given byte. To get from 2007 to 2002 "something" or "someone" had to have added 2 bits to the last byte in the year field.
     
  8. 2007/02/12
    mailman Lifetime Subscription

    mailman Geek Member

    Hi, 71sigma.

    Has the computer maintained proper time since you fixed it (even after powering off for several hours/days)? If so, then I'd lean towards your conclusion that the CMOS battery is not faulty.

    CMOS batteries are relatively inexpensive and easy to swap, so I would still consider replacing the battery to remove all doubt about that possibility.

    As you seem to suspect malware, please follow all the instructions in this thread. Then paste your Hijackthis (HJT) log here for us to see if we recognize any indicators of malware.

    CAUTION: Do NOT have HJT "fix" anything without guidance from a malware removal expert.
     
    Last edited: 2007/02/12
  9. 2007/02/12
    Dytrog

    Dytrog Inactive

    time

    Just tried auto sync on time; still says error, so I still have auto disabled.
     
  10. 2007/02/26
    71sigma

    71sigma Inactive Thread Starter

    Mailman suggested:
    As you seem to suspect malware, please follow all the instructions in this thread. Then paste your Hijackthis (HJT) log here for us to see if we recognize any indicators of malware.

    Seems like a lot of work to me. I'm not comfortable using free AV and Ad-aware stuff. I am more comfortable just going along with Microsoft's built-in XP protections and Norton's Internet Security. Besides, the thread mentioned is more than two years old. How accurate can it still be?

    Thanks for your suggestions, however.
    71Sigma
     
  11. 2007/02/26
    Whiskeyman Lifetime Subscription

    Whiskeyman Inactive Alumni

    I would still test the battery. I have seen them die in a short period of time. Who knows how long they sat around before being placed in the PC or even how long the PC sat before being sold. If the battery dies the date will revert to when the motherboard was manufactured.
     
  12. 2007/02/26
    71sigma

    71sigma Inactive Thread Starter

    OK Whiskeyman. Couldn't hurt.
    I'm headed for CompUSA tomorrow.
     
  13. 2007/02/26
    Dytrog

    Dytrog Inactive

    Computer date

    I bought this comp. in Nov. I can't set my clock; I get an error message still!! :mad:
     
  14. 2007/02/26
    mailman Lifetime Subscription

    mailman Geek Member

    Hi, 71sigma.

    Please forgive me for being long-winded with this post. I spent a lot of time editing this post to try to be sure I adequately addressed all of your concerns. :)
    Even though that thread appears to be "more than two years old", it has since been updated by Windows BBS forum moderators to reflect the latest version numbers for Spybot - Search & Destroy, Ad-Aware SE, and HijackThis. All of those free utilities are very reputable and still highly recommended by the anti-malware experts here at Windows BBS and other reputable anti-malware sites around the web. Also notice that "old" thread is still accessible via PeteC's "Sticky" at the top of the Removing Spyware & Viruses forum here at Windows BBS. People with malware infections who come to Windows BBS seeking help are routinely referred to that thread.

    If you want to skip a lot of that "work", then you can skip the online scans, skip the Spybot and Ad-Aware scans, and proceed directly to the HijackThis (HJT) instructions in that thread. Then paste your HJT log here in this thread for us to take a look at to see if we notice any signs of malware. Your HJT log might help us confirm or rule out the malware possibility, especially since it appears you have not conclusively determined whether your changed computer date problem is related to your currently installed CMOS battery or not.

    CAUTION: If you decide to run HJT, do NOT have HJT "fix" anything without carefully following guidance from a malware removal expert.

    We only want to help you. :) Of course, the decision whether or not to paste your HJT log here for our inspection is up to you.


    I fully expect some malware is likely to be undetected by "Microsoft's built-in XP protections" and Norton Internet Security as no such protection by itself is 100% effective. Also, since Norton Internet Security is a popular product, I suspect some malware authors may concentrate their efforts on evading Norton's detection methods to maximize their punch when they release malware. Anti-malware experts typically recommend using multiple reputable anti-malware applications to help reduce the possibility of malware going undetected. However, using multiple anti-malware applications concurrently resident in memory can cause problems though, so I recommend periodically using additional reputable anti-malware applications as "on-demand only" scanners instead.

    On the other hand, users need to know that security software, any security software, can produce false positives. [I stole part of this statement from a recent forum post by one of Windows BBS's malware removal experts (TeMerc).] :)


    Back to the CMOS battery discussion:

    Has your computer reverted back to an old date yet since you fixed the date, especially if you left your computer unplugged for several days in a row since then (which would allow a weak CMOS battery to discharge enough to cause your CMOS to lose track of the current date/time)? If you replace your CMOS battery with a new one without testing your current CMOS battery (experimenting as I just described, for example) and you don't investigate the malware possibility, you might never know "Who changed my computer date?"

    Another CMOS battery test you can perform that might help you conclude whether your CMOS battery is weak or not is to use a DC voltmeter to measure the voltage of your current CMOS battery and a new equivalent CMOS battery (while they are removed from the computer) and compare the voltages. A voltmeter/multi-meter can be borrowed from a friend/neighbor or purchased from Radio Shack or even your local department store (K-Mart?, Wal-Mart?) for about $10-$15 I think. You might find voltmeters/multi-meters in the hardware/electrical section or automotive section of the department store. Be sure the voltmeter/multi-meter has a low-range DC voltage setting that is suitable for measuring/comparing the voltages of the CMOS batteries.


    Hi, Dytrog. Please start a new thread in the Windows XP forum (if that is your operating system) with a detailed description of your problem. When more than one person's problem is discussed in the same thread, it can become confusing for people who are following the thread. I have an idea about why you might have trouble synchronizing your computer clock with the time.windows.com server (if that is your problem) but I won't discuss that in this thread.
     
    Last edited: 2007/02/27
  15. 2007/02/27
    71sigma

    71sigma Inactive Thread Starter

    Hi Mailman,
    Thanks for your concern. I know that folks at the BBS are there to help, and your efforts are "above and beyond." I was glad to see that you think I might get help by just doing the HiJackThis routine. I'll be heading there sometime Tuesday (2/27/07), and will get back here with the resulting log. I often do not have time during the day, but I'll convince my wife I NEED the time away from honey-do's. As for testing the CMOS battery: I will buy a new battery Tuesday and then check the new against the old (OUT of the machine, of course). Having dabbled with amateur radio construction many years ago I have a very good, working multi-meter whose DC voltage ranges are 0.6 to 3, 3 to 15, 15 to 60, and 60 to 300.
    71sigma
    P.S. Have had no clock problems since first noticing the problem.
     
  16. 2007/02/27
    mailman Lifetime Subscription

    mailman Geek Member

    Hi, 71sigma.

    Glad to know you already have a good multi-meter and it sounds like you're familiar with what to expect regarding the voltages. I wonder if it would be advisable to test the batteries under load to see how much/quickly the voltage drops. I don't know what resistance would be suitable though (so energy isn't sapped too quickly from the new battery but yet be effective enough to see if your current battery is weak).
    :) Thanks for being willing to paste your HJT log. I'm not an expert at interpreting HJT logs but I looked at several of them in the Removing Spyware & Viruses forum last summer and I could often recognize HJT log entries that were suspicious. Then I used Google to find more details about the HJT log entries in question. It's a rather enjoyable activity for me. :)

    I expect you'll find the HJT log routine is pretty quick and easy (no more than 15 minutes total should be required). Don't tell your wife that though. ;)

    HJT is a quick download, stand-alone application (~200 KB and does not require install) and I'm guessing you're familiar with the copy-paste routine from Notepad to a forum reply. (If you want help with the copy & paste, lemme know and I'll paste my detailed instructions.) :)

    Hopefully, Geri and/or TeMerc will look at your HJT log too and let us know whether your HJT log indicates malware issues or not.
     
  17. 2007/02/27
    Dytrog

    Dytrog Inactive

    time

    I still can't sync my time. I tried the update; it told me I had a newer version? I now read 16:22. I had set it myself but I did not see or pick that option. None was given! I wrote Msft. If I get an answer I will post. :(
     
  18. 2007/02/27
    71sigma

    71sigma Inactive Thread Starter

    Hi Mailman. Who knew that finding a CMOS battery would be such a hassle. CompUSA doesn't sell them; they referred me to Radio Shack; RS didn't have any in stock, but told me that ALL CMOS batteries are 2032's. Went to Rite Aid and bought one. Old battery measured 2.98 VDC. New battery measured 3.3 VDC. New one is in now. Date reverted to 00:00 on 01/01/2005, but no problem setting it to correct date and time. Forgot to answer your earlier question about whether or not my computer is ever unplugged. Unplugged, no. UPS shut off, yes. I keep the monitor and CPU on a UPS and I turn the UPS on only once a day and off late at night (I shut down first, of course).

    Here is the highjackthis.log

    Logfile of HijackThis v1.99.1
    Scan saved at 20:53:54, on 2/27/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\system32\drivers\dcfssvc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\zHotkey.exe
    C:\Program Files\Digital Media Reader\readericon45G.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\My Documents\Ahijack\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT4016
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT4016
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT4016
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
    O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157412126734
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
    O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
     
  19. 2007/03/03
    mailman Lifetime Subscription

    mailman Geek Member

    Hi, 71sigma.

    I studied your HJT log and my untrained eye did not find any obvious signs of malware. The only entries I think might be of concern are the ones related to PartyPoker and the associated RunApp.exe.

    Spyware Data:
    However, I do not know how reliable the information from Spyware Data is.

    My research was inconclusive about whether PartyPoker is undesirable or not. During my research I found several instances where people were guided to remove PartyPoker-related stuff while they were being helped removing malware.

    Did you intentionally install PartyPoker? If you did not intentionally install PartyPoker and you don't want it on your computer, then I think it would be a good idea to seek expert assistance with your HJT log and the removal of PartyPoker.

    I have no idea about whether this could be related to your date change issue or not.
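
As an added illustration that is not part of the thread or any poster's own code: a small Python reader for the HijackThis v1.99.1 line format in the log posted above, which groups entries by section code and marks the two mechanical conditions visible in that log, "(file missing)" and "Unknown owner". The sample lines are copied from that log; the function names and section descriptions are this example's own, and a marked entry is only a prompt to look closer, not a verdict.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Section codes that occur in the log above (descriptions are this example's wording).
SECTIONS = {
    "R0": "Internet Explorer registry setting", "R1": "Internet Explorer registry setting",
    "O2": "Browser Helper Object", "O3": "IE toolbar",
    "O4": "autostart entry (Run key or Startup folder)",
    "O8": "IE context-menu item", "O9": "IE extra button / Tools menu item",
    "O11": "IE Advanced Options group", "O16": "downloaded ActiveX control",
    "O18": "extra protocol handler", "O20": "Winlogon Notify DLL",
    "O23": "Windows service",
}

# Lines copied from the log in this thread, header and process list included
# to show that non-entry lines are skipped.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\svchost.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$")
MISSING = "(file missing)"


@dataclass
class Entry:
    code: str       # section code, e.g. "O23"
    section: str    # human-readable meaning of the code
    target: str     # file, command or value the entry points at
    notes: list = field(default_factory=list)


def target_of(code, text):
    """Pull the file/command/value out of one entry body."""
    if code == "O4":
        # 'HKLM\..\Run: [name] command'  or  'Global Startup: x.lnk = path'
        if "] " in text:
            return text.split("] ", 1)[1]
        return text.split(" = ", 1)[-1]
    if code.startswith("R"):
        return text.split(" = ", 1)[-1]
    # O2/O3/O9/O23 and similar: fields separated by ' - ', path comes last
    return text.rsplit(" - ", 1)[-1]


def parse_hjt(log_text):
    """Return one Entry per 'CODE - ...' line; header and process lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, text = m.groups()
        notes = []
        if text.endswith(MISSING):
            notes.append("file missing")
            text = text[: -len(MISSING)].rstrip()
        if code == "O23" and " - Unknown owner - " in text:
            notes.append("unknown owner")
        section = SECTIONS.get(code, "unrecognised section")
        entries.append(Entry(code, section, target_of(code, text), notes))
    return entries


def count_by_section(entries):
    return dict(Counter(e.code for e in entries))


def needs_review(entries):
    return [e for e in entries if e.notes]


if __name__ == "__main__":
    for e in needs_review(parse_hjt(SAMPLE_LOG)):
        print(f"{e.code:4} {e.section}: {e.target}  <- {', '.join(e.notes)}")
```

The PartyPoker button is parsed but carries no mark, which matches the post above: entries like that one were singled out by looking the names up, not by anything in the log line itself.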
     
  20. 2007/03/03
    Dytrog

    Dytrog Inactive

    I think I had PartyPoker at that time. We need to find a way of seeing how many other people with time trouble had it.
     
  21. 2007/03/03
    71sigma

    71sigma Inactive Thread Starter

    Hi Mailman and Dytrog,

    I have had PartyPoker for about two years. When I replaced my old Gateway almost a year ago I didn't use PartyPoker for a couple of months. Then in June 2006 I installed it and kept playing ("play" money only). There is a chance that PartyPoker upgraded some time around the date change problem, but I can't swear to it. I don't keep track of their updates because they upgrade every couple of weeks or so. Install date shown in "Properties" of the PartyPoker desktop shortcut is June 17, 2006; but of course that is not necessarily accurate either (past experience tells me that). In any event, I'm ready to believe that the year change COULD have been a flaky CMOS battery. Thanks again for all your help. I'm keeping HijackThis.exe on my computer for future use (hope not necessary).

    71sigma
     
