Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Network infestation?

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Network infestation?

Unread postby mickmca » March 18th, 2007, 5:01 pm

I operate a 5-node network in my home, and in the last two months it has fallen apart. Only one of the machines is able to see the DSL modem when I connect it directly to the NIC. That machine [Q, running W2KPro] cannot see any other machine, whether connected by hub (2 different ones tried), firewall router, or direct cable. The other machines claim they don't have NICs at all.

On the main machine [G] (not the one that sees the modem, but the only one with Internet access until a few weeks ago when I got DSL), I have an old 3Com 509 ISA board. WinNT4SP6 says there is no card present. I removed that card and added a Hawkeye PCI. The Hawkeye installer (Realsys) says I have no card to configure. Same response when I moved it to another PCI slot. I removed it and put the 3Com ISA board back in. It told me I didn't have a NIC, and then BSODed on me, requiring a full install (repaired twice with no joy) to fix it. After the full install, my NTFS partition was gone. (I'm slowly restoring those files with TestDisk.)

I was running an old ZoneAlarm on that machine [G], because no firewall I know of supports NT. A few minutes ago, ZoneAlarm DocWatsoned on me. Just before that, TM reported that VSMON was using 220M of RAM and teh machine was "running" like an elderly elephant up a sand dune.

I've routinely been checking G with AdAware Free (updated regularly), Spybot Free, and a licensed AVG, as well as the old ZoneAlarm. None of them reports any problem. I do have a process called "system" in my TM which I've read is a sign of a major malware. What do I do about it?

"System" shows up in four of the five machines (I haven't checked the fifth, which is a portable running W98SP2). The oldest machine [X, running WinNT4SP6 with a Linksys PCI card] announced that its NIC was gone nearly two years ago, and I simply assumed it had given up the ghost after ten years of faithful service. The portable [H, running Win98SP2 with onboard NIC], also crapped out, about a year ago, announcing that its NIC was not working. I assumed the fragile little connector was damaged. But when the three desktops started acting up, I paid attention. The one other machine [Z, running NT4SP6 but about to be FDisked and converted to Ubuntu Linux] stopped seeing G three months ago, then stopped seeing Q a month ago, and now claims not to have a NIC. When I cable it to Q, they can't see each other at all.

I ran HiJackThis on the DSL-aware machine [Q], which also has the "system" process, also is unstable (the CDROM goes flakey and won't read CDs I make on Z w/Nero), and also is declared clean by AdAware, Spybot, AVG Free, McAfee Online, and (as of just a minute ago) Trojan Hunter. Now what? I've been flailing at this problem without success for weeks, months if you count struggling to get Z back in service. Any suggestions are welcome.

M
mickmca
Active Member
 
Posts: 3
Joined: March 18th, 2007, 4:09 pm
Advertisement
Register to Remove

Unread postby ChrisRLG » March 21st, 2007, 12:22 pm

Can you post a hijackthis log for one of the experts to check out.

While doing this you better mark each log you produce with the machines name to make sure (even in the future) we do not get the confused.

So a log from the first machine please.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Quanah

Unread postby mickmca » March 21st, 2007, 12:31 pm

This is the Quanah log. Quanah does not seem to have the "system.exe" virus. I'll post the Gandalf log next. Gandalf does definitely have the "system.exe" problem.

===========
Logfile of HijackThis v1.99.1
Scan saved at 10:29:44 AM, on 3/21/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\xampp\apache\bin\apache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\xampp\mysql\bin\mysqld-nt.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\tcpsvcs.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\xampp\apache\bin\apache.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\RUNDLL32.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\SCM\ICONFIG.EXE
C:\Program Files\Java\j2re1.4.2_11\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
D:\TrojanHunter4.6\THGuard.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Ontrack\PowerDesk\PDExplo.exe
C:\Program Files\Allaire\HomeSite 5.5\Homesite5.exe
C:\Program Files\Bradbury\TopStyle2\TSLite2.exe
D:\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\S9yb0t\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ICONFIG] C:\PROGRA~1\COMMON~1\SCM\ICONFIG.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_11\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [THGuard] "D:\TrojanHunter4.6\THGuard.exe"
O4 - Global Startup: shootmsgr (2).lnk = D:\_transfer\dls\shootthemessenger.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_11\bin\npjpi142_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_11\bin\npjpi142_11.dll
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O23 - Service: Apache2.2 - Unknown owner - C:\xampp\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IFLXVRTX - Sysinternals - http://www.sysinternals.com - C:\DOCUME~1\quanah\LOCALS~1\Temp\IFLXVRTX.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: JRun Service Manager (jsm-default) - Unknown owner - C:\JRun\bin\jsm.exe (file missing)
O23 - Service: mysql - Unknown owner - C:\xampp\mysql\bin\mysqld-nt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: XAMPP Service (XAMPP) - Unknown owner - C:\xampp\service.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
mickmca
Active Member
 
Posts: 3
Joined: March 18th, 2007, 4:09 pm

Gandalf Log

Unread postby mickmca » March 21st, 2007, 2:42 pm

Logfile of HijackThis v1.99.1
Scan saved at 12:32:01 PM, on 3/21/07
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v5.51 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
C:\WINNT\System32\mgasc.exe
C:\WINNT\system32\RpcSs.exe
C:\WINNT\System32\mgactrl.exe
C:\WINNT\system\system.exe
C:\WINNT\system32\tapisrv.exe
C:\WINNT\System32\ZipToA.exe
C:\WINNT\system32\rasman.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\nddeagnt.exe
C:\WINNT\Explorer.exe
C:\Program Files\MGA NT PowerDesk\QDesk\MGAQDESK.EXE
C:\WINNT\System32\MGAHOOK.EXE
C:\Program Files\TrojanHunter46\THGuard.exe
C:\Program Files\Iomega\Tools_NT\IMGICON.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\PowerDesk\PDEXPLO.EXE
C:\Program Files\PowerDesk\SIZEMGR.EXE
E:\dload\Keepers\testdisk\testdisk-6.6\win\testdisk_win.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:C:\Program Files\Plus!\Microsoft Internet\docs\home.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MGA QuickDesk] "C:\Program Files\MGA NT PowerDesk\QDesk\MGAQDESK.EXE"
O4 - HKLM\..\Run: [MGA Hook] "C:\WINNT\System32\MGAHOOK.EXE"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter46\THGuard.exe"
O4 - Global Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools_NT\STARTNT.EXE
O4 - Global Startup: Iomega Icons.lnk = C:\Program Files\Iomega\Tools_NT\IMGICON.EXE
O4 - Global Startup: Refresh.lnk = C:\Program Files\Iomega\Tools_NT\refresh.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O13 - WWW Prefix:
O13 - WWW. Prefix: http://
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O23 - Service: IomegaAccess - Iomega Corporation - C:\Program Files\Iomega\Tools_NT\IomegaAccess.EXE
O23 - Service: MGACtrl - Martrox Graphics Inc. - C:\WINNT\System32\mgasc.exe
O23 - Service: Windows System Service (SYSTEMSVC) - Unknown owner - C:\WINNT\system\system.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe
O23 - Service: ZipToA - Unknown owner - C:\WINNT\System32\ZipToA.exe
mickmca
Active Member
 
Posts: 3
Joined: March 18th, 2007, 4:09 pm

Unread postby Nellie2 » April 4th, 2007, 3:50 pm

mickmca, I'm sorry, we seem to have missed your logs, if you still need help could you post some fresh hijackthis logs and we can take it from there :)
User avatar
Nellie2
Administrator Emeritus
 
Posts: 8737
Joined: December 16th, 2004, 5:01 pm
Location: UK

Unread postby NonSuch » April 13th, 2007, 11:33 pm

Due to inactivity, this topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27235
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 41 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware