Author Topic: Is this a malware problem?  (Read 11545 times)


souwester

  • Guest
Is this a malware problem?
« on: January 17, 2005, 08:33:22 PM »
I'm the antithesis of a techie, hence my question to this forum.

To try to make a long story short, it appears that my cable internet provider changed my IP address. Zone Alarm Pro indicated a new network wanted access. Not knowing what this meant, I kept the "new network" in the internet zone, and I lost access to my e-mail and the internet. I had various conversations with the cable company's techies. In the end, it appears that the problem was deeper than a firewall problem, and I was advised it was either a corruption of the operating system or malware. Basically, something was preventing the uninstall of the old network setup, which in turn prevented the install of a whole new setting.

Additional problem: Part of the efforts to resolve this problem involved changes to the registry - namely, I believe, winsock and winsock2. It was suggested that I do an "upgrade install" to restore my system. However, after doing this, not only do I have no access to the net and e-mail, but something is wrong with the Windows Installer, which prevents me from using programs already on my computer.

Before this trouble, I was using Windows 2000, SP4, and Internet Explorer 6 with all up-to-date security updates. However, the hijackthis below indicates that I am now using IE5, which may be a consequence of trying the "upgrade install" with the CD.

I use the up-to-date home version Avast with the January 16 definitions. I did a thorough scan including archived files in safe mode, which showed no viruses but 65 files could not be scanned. I also used Spybot and Ad-Aware in safe mode, which identified and repaired problems with the "Alexa" data miner.

Below is the result from hijackthis. Thx in advance for your help.

Logfile of HijackThis v1.99.0
Scan saved at 11:42:53 AM, on 17/01/2005
Platform: Windows 2000  (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\System32\internat.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Common Files\Sonic Shared\cinetray.exe
C:\Program Files\802.11 Wireless LAN\802.11b Wireless Cardbus & PCI Adapter HW.11 V1.20\WlanCU.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\HJT\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = C:\Program Files\Common Files\Sonic Shared\cinetray.exe
O4 - Global Startup: Wireless Configuration Utility.lnk = C:\Program Files\802.11 Wireless LAN\802.11b Wireless Cardbus & PCI Adapter HW.11 V1.20\WlanCU.exe
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup155.cab
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe



lee16

  • Guest
Re: Is this a malware problem?
« Reply #1 on: January 17, 2005, 09:50:12 PM »
Well, Spybot and Ad-Aware seem to have removed all the malware; I can't see any left over in the log. However, the items below are not needed to load at boot time, and removing them with hijackthis will only speed up your logon:

o4 - hklm\..\run: [updatemanager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
o4 - hklm\..\run: [quickfinder scheduler] "c:\program files\corel\wordperfect office 2002\programs\qfschd100.exe"
o4 - hklm\..\run: [tkbellexe] "c:\program files\common files\real\update_ob\realsched.exe"  -osboot
o4 - global startup: microsoft office.lnk = c:\program files\microsoft office\office\osa9.exe

And yes, your IE is out of date, but as you can't connect to the net, you can't update it.

Does disabling your firewall help?
Can you manually uninstall the 'old network' and then let the 'new network' install?

Also, when you say you upgraded the installation, do you mean you inserted the Win2000 disk and let it reinstall?

--lee

souwester

  • Guest
Re: Is this a malware problem?
« Reply #2 on: January 17, 2005, 10:11:29 PM »
lee16,

Thank you for your reply.

Your hijackthis suggestions also seem to be the problems identified by the computer when I start up. I definitely will follow your suggestions, and see if they help.

I disabled the firewall when I spoke to the cable company's techies. One techie thought Zone was probably running in the background and was the problem, but the last fellow (who spent the most time on it) said a firewall would not lock up the system like that even if it were running, and that it must be a corruption of the operating system or malware. He was quite certain it wasn't the firewall.

Yes, I did an install with the CD over the existing system (called an upgrade as opposed to a clean install). Of course, it really wasn't an upgrade, as I had previously downloaded all the updates, while the CD involved an older version of Windows 2000. I did backup the old registry at the techie's suggestion, in a file called "old registry" in Documents and Settings, but I don't know how to recover it. I suspect I'll end up taking the computer to a professional, as much of this stuff is well beyond my computer knowledge.


Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Is this a malware problem?
« Reply #3 on: January 18, 2005, 04:18:55 AM »
Disabling ZA isn't enough. Remove it (for testing only, of course). It happens a lot that if you only disable ZA, it is still blocking net access. This is a known 'glitch' that sometimes appears with ZA.

You can throw away the old registry. Putting it back is of no use. The repair install of the OS changed a lot; putting back the old registry will only bring more trouble.

Remove your network connection and protocols, reboot, and set them up again. This may do the job.

souwester

  • Guest
Re: Is this a malware problem?
« Reply #4 on: January 18, 2005, 04:01:52 PM »
Eddy,

Thx for your reply, and I will try it. (I had been avoiding uninstalling it because I downloaded ZA Pro from the Net, unwisely didn't pay the extra to preserve the right to download for a year, and now the 30 days is just over).

Are the Windows 2000 Help instructions adequate to properly remove the network connection and protocols, or is there some other place I should look as well?

Somewhat off topic: Does ZA Pro provide much better security than free ZA, or does it primarily provide greater flexibility for skilled users?




souwester

  • Guest
Re: Is this a malware problem?
« Reply #5 on: January 18, 2005, 06:29:36 PM »
Eddy,

I am away from my home computer, so I haven't had a chance to check Windows 2000 Help. I did google it from a different computer. By remove network connection and protocols, do you mean this:

How to Bind or Unbind a Network Protocol or Service

1. Click Start, point to Settings, and then click Control Panel.
2. Double-click Network and Dial-up Connections.
3. Right-click Local Area Connection, and then click Properties.
4. In the Connect using box, click the network adapter for which you want to bind or unbind the protocol or service.
5. In the Components checked are used by this connection box, select the check box for the protocol or service that you want to bind, or clear the check box for the protocol or service that you want to unbind.
6. Click OK.
7. Restart the computer.


Or this?

How to Remove a Network Protocol or Service from the Bind List

1. In the Local Area Connection Properties dialog box, click the protocol or service that you want to remove in the Components checked are used by this connection box, and then click Uninstall.
2. Click Yes to confirm that you want to remove the component.
3. When you are finished making changes, restart the computer.

Thank You.



Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Is this a malware problem?
« Reply #6 on: January 18, 2005, 06:41:10 PM »
Both say the same thing and can be used.
The first one just gives more detailed info.
« Last Edit: January 18, 2005, 07:00:33 PM by Eddy »

souwester

  • Guest
Re: Is this a malware problem?
« Reply #7 on: January 18, 2005, 06:42:52 PM »
Eddy,

Thank you for your assistance.

souwester

  • Guest
Re: Is this a malware problem?
« Reply #8 on: January 20, 2005, 04:11:19 PM »
I tried Eddy's suggestion, uninstalled ZAP and spoke to the cable techies again. The uninstall may not have worked, but the cable techies think trace elements of ZAP are responsible for the lock up.

However, the brief period of trying to access the Net (I can do so for very brief periods) to repair the connection resulted in my computer being flooded with viruses and malware. Avast must have found 15 or 20 viruses (I gave up keeping track), while Spybot/Ad-Aware must have dealt with over 200 incidents of malware.

Spybot/Ad-Aware can't get rid of the istbar. I didn't have Eddy's nine step program at home, so I'll try it this weekend.

Also, I did a thorough, archived Avast scan in safe mode. Avast couldn't save to the Chest because the RPC? didn't work. Basically, I deleted instead of saving to chest.

I find it hard to believe so much malware hit so fast. Perhaps I could get via my computer ports, but bad stuff could come in?

Here is the most recent hijackthis log. I couldn't stay on the net long enough to update my IE or other security updates. In retrospect, the repair install of Windows 2000 was probably a mistake.

I have run this through Eddy's analyzer. I wonder if the HKLM keys (unknown applications) but which reference known applications should be deleted.

Logfile of HijackThis v1.99.0
Scan saved at 9:13:07 AM, on 20/01/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\Explorer.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\gjvhom.exe
C:\WINNT\System32\internat.exe
C:\WINNT\System32\mssams.exe
C:\WINNT\System32\mpwe.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Common Files\Sonic Shared\cinetray.exe
C:\Program Files\802.11 Wireless LAN\802.11b Wireless Cardbus & PCI Adapter HW.11 V1.20\WlanCU.exe
C:\HJT\hijackthis.exe
C:\WINNT\System32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Security Agent Manager] mssams.exe
O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe
O4 - HKLM\..\Run: [Windows Media Player] mpwe.exe
O4 - HKLM\..\Run: [JBEcNVthK] C:\WINNT\gjvhom.exe
O4 - HKLM\..\Run: [nwbkx] C:\WINNT\nwbkx.exe
O4 - HKLM\..\RunServices: [Security Agent Manager] mssams.exe
O4 - HKLM\..\RunServices: [Windows Media Player] mpwe.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Security Agent Manager] mssams.exe
O4 - HKCU\..\Run: [Windows Media Player] mpwe.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = C:\Program Files\Common Files\Sonic Shared\cinetray.exe
O4 - Global Startup: Wireless Configuration Utility.lnk = C:\Program Files\802.11 Wireless LAN\802.11b Wireless Cardbus & PCI Adapter HW.11 V1.20\WlanCU.exe
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup155.cab
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe



lee16

  • Guest
Re: Is this a malware problem?
« Reply #9 on: January 20, 2005, 04:27:44 PM »
Quote
I find it hard to believe so much malware hit so fast. Perhaps I could get via my computer ports, but bad stuff could come in?

Yes, this happens because of unpatched systems, and also because there is no firewall  :-\

Well, I ran it through Eddy's analyser too; the result is below, but I don't think there is anything there stopping your internet connection. There's no harm in trying, I suppose.
How long do you mean by a brief period of time, BTW?
Also, just a long shot, but can you remain online longer if you use another browser such as Firefox/Opera/Netscape?

--------------------------------------------------------------------------------
THESE ITEMS ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :
--------------------------------------------------------------------------------
o2 - bho: (no name) - {ed103d9f-3070-4580-ab1e-e5c179c1ae41} - (no file)
o16 - dpf: {cc05bc12-2aa2-4ac7-ac81-0e40f83b1adf} (live365player class) - http://www.live365.com/players/play365.cab
o16 - dpf: {e7dbfb6c-113a-47cf-b278-f5c6af4de1bd} - http://download.abacast.com/download/files/abasetup155.cab

--------------------------------------------------------------------------------
HARMFULL ITEMS IN THE DOCUMENTS AND SETTINGS FOLDER(S) :
--------------------------------------------------------------------------------
Nothing found.

--------------------------------------------------------------------------------
THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTTIME FOR THE SYSTEM TO WORK PROPERLY :
--------------------------------------------------------------------------------
o4 - hklm\..\run: [updatemanager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
o4 - hklm\..\run: [quickfinder scheduler] "c:\program files\corel\wordperfect office 2002\programs\qfschd100.exe"
o4 - hklm\..\run: [tkbellexe] "c:\program files\common files\real\update_ob\realsched.exe"  -osboot

I also ran it through the Online analyser, and it identified the below as 'Nasty, must be fixed'

O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe



--lee





souwester

  • Guest
Re: Is this a malware problem?
« Reply #10 on: January 20, 2005, 04:37:17 PM »
lee16,

Thx for your reply.

By "brief" I generally mean a matter of a few seconds or a minute. For example, Avast virus definitions were able to update, and I did update Ad-aware last night.

After I uninstalled the firewall, I was able to download e-mail before the system shut down. Actually, last night I was able to stay on for a couple of minutes, but the connection died before I could download the updates from Windows Update.

However, I have been hooked to the cable modem while attempting to fix this. Maybe bad stuff was entering my computer even though I could not access the net to any degree. Once I saw the unexpected slew of malware from Ad-Aware, and Avast going off like crazy, I unhooked the modem and haven't hooked it back up.


souwester

  • Guest
Re: Is this a malware problem?
« Reply #11 on: January 21, 2005, 12:33:36 PM »
On reviewing my HiJack and doing some research, it appears that all Registry references to gjvhom.exe, mssams.exe, mpwe.exe, and nwbkx.exe probably relate to viruses or malware.

Is there a way to get the latest (Jan 20) virus definitions without going on the net.
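The four executables singled out in this reply (gjvhom.exe, mssams.exe, mpwe.exe, nwbkx.exe), and the items lee16's analyser flagged in Reply #9, can be found mechanically by comparing the two HijackThis logs posted earlier in the thread. The script below is an added example written for this page; it is not part of the thread, of Eddy's analyser, or of HijackThis. The log lines it works on are excerpts copied from the two logs above (17 January as the pre-incident baseline, 20 January as the current state), and the triage rules it applies (new since baseline, same value name under several autostart keys, executable directly in C:\WINNT, bare file name resolved through PATH, BHO with no file on disk) are this example's own heuristics for deciding what to look at first, not a verdict on any file.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Excerpts copied from the two HijackThis logs posted in the thread.
# Only O2 (BHO) and registry O4 (Run/RunServices) lines are kept here.
BASELINE_JAN17 = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [internat.exe] internat.exe
"""

CURRENT_JAN20 = r"""
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Security Agent Manager] mssams.exe
O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe
O4 - HKLM\..\Run: [Windows Media Player] mpwe.exe
O4 - HKLM\..\Run: [JBEcNVthK] C:\WINNT\gjvhom.exe
O4 - HKLM\..\Run: [nwbkx] C:\WINNT\nwbkx.exe
O4 - HKLM\..\RunServices: [Security Agent Manager] mssams.exe
O4 - HKLM\..\RunServices: [Windows Media Player] mpwe.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Security Agent Manager] mssams.exe
O4 - HKCU\..\Run: [Windows Media Player] mpwe.exe
"""

# Line formats as HijackThis prints them: "O4 - HIVE\..\KEY: [name] command"
# and "O2 - BHO: name - {CLSID} - dll path".
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$')
O2_RE = re.compile(r'^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$')


@dataclass(frozen=True)
class Entry:
    kind: str       # "O2" or "O4"
    location: str   # e.g. "HKLM\Run", or "BHO"
    name: str       # registry value name, or BHO display name plus CLSID
    target: str     # command line, or the BHO's DLL path
    raw: str        # the original log line


def parse(log: str) -> list:
    """Turn the O2/O4 lines of a HijackThis log into Entry objects."""
    entries = []
    for line in log.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            entries.append(Entry("O4", f"{hive}\\{key}", name, cmd, line))
            continue
        m = O2_RE.match(line)
        if m:
            name, clsid, dll = m.groups()
            entries.append(Entry("O2", "BHO", f"{name} {clsid}", dll, line))
    return entries


def exe_path(cmd: str) -> str:
    """First token of a command line, honouring a double-quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(baseline_log: str, current_log: str) -> dict:
    """Map each autostart entry that is new since the baseline to its reasons for review.

    Entries whose raw line already appears in the baseline are treated as known
    and skipped; that is why Windows' own bare-name entries (mobsync.exe,
    internat.exe) do not show up in the output.
    """
    baseline = {e.raw for e in parse(baseline_log)}
    current = parse(current_log)
    # Which autostart keys does each value name appear under? The 20 January log
    # has mssams.exe and mpwe.exe registered three times each.
    by_name = defaultdict(set)
    for e in current:
        if e.kind == "O4":
            by_name[e.name.lower()].add(e.location)
    findings = {}
    for e in current:
        if e.raw in baseline:
            continue
        reasons = ["new since baseline"]
        if e.kind == "O2" and e.target == "(no file)":
            reasons.append("orphaned BHO: CLSID registered but DLL missing")
        if e.kind == "O4":
            locs = by_name[e.name.lower()]
            if len(locs) > 1:
                reasons.append(f"same value name in {len(locs)} autostart keys: "
                               + ", ".join(sorted(locs)))
            path = exe_path(e.target)
            if "\\" not in path:
                reasons.append("bare file name, resolved via PATH search")
            elif path.lower().rsplit("\\", 1)[0] == r"c:\winnt":
                reasons.append("executable directly in the Windows directory")
        findings[e.raw] = reasons
    return findings


def report(findings: dict) -> None:
    """Print entries with the most reasons first."""
    for raw, reasons in sorted(findings.items(), key=lambda kv: -len(kv[1])):
        print(raw)
        for r in reasons:
            print("   -", r)


if __name__ == "__main__":
    report(triage(BASELINE_JAN17, CURRENT_JAN20))
```

Run as-is, the report puts the three-way-registered mssams.exe and mpwe.exe entries at the top, then gjvhom.exe and nwbkx.exe (loaded from C:\WINNT itself rather than a program directory), the BHO with no file, and finally the DeskAd Service entry, which is only "new since baseline" and is the one the online analyser in Reply #9 called out. Using the user's own pre-incident log as the baseline is what keeps legitimate Windows 2000 entries out of the list; on a machine with no earlier log, the bare-file-name rule would also surface mobsync.exe and internat.exe, which then need to be checked by hand.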

souwester

  • Guest
Re: Is this a malware problem?
« Reply #12 on: January 21, 2005, 12:46:07 PM »
Ok, I checked the website and it is possible to download the virus definitions update. The trouble is: the Jan 20 definitions update is too large for a floppy. Any way around this? I can't copy to a CD because my work computer is not so equipped.

Also, how do I effect the update even if I could get it on more than one floppy or a CD?

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11856
    • AVAST Software
Re: Is this a malware problem?
« Reply #13 on: January 21, 2005, 12:56:52 PM »
The offline updater contains the whole virus database file. Sorry, but its size is given by the number of viruses it can detect - we cannot make it any smaller.
You can split the file onto 2 diskettes using a compression program (RAR, ZIP, ...)

To apply it, just run its executable on the target computer, it will take care of the installation.

souwester

  • Guest
Re: Is this a malware problem?
« Reply #14 on: January 21, 2005, 01:09:45 PM »
Igor,

Thx for your reply.