Suspicious behaviour

So, the sound the pc makes when it works, the ticking/snapping. I hear that constantly.
Often when I play or do something, the program stops responding or nothing in what I do makes the program respond as expected.

I scanned with avast, adaware 2007, spybot and used RootkitRevealer. Nothing detected.
Here’s the Rootkit-log:

HKLM\SECURITY\Policy\Secrets\SAC* 27.02.2008 07:42 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 27.02.2008 07:42 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Zone Labs\ZoneAlarm\BlockCount 14.03.2008 14:07 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Zone Labs\ZoneAlarm\IncomingCount 14.03.2008 14:07 4 bytes Data mismatch between Windows API and raw hive data.

From what I understand it’s ok. Vsmon.exe is using some CPU from what I can tell with task manager.
Does that indicate something?

I am pretty sure something weird is going on cause it often cripples the performance and the sound of the pc working all the time isn’t normal.
There is some kind of background service or spyware going on.

Can I disable BITS? Does anyone know of other tools I can use to detect spyware or view what’s going on in the background?

Vsmon.exe as far as I’m aware is part of ZA and I recall many years ago it occasionally crashed or used lots of CPU, check Task Manager and see if it is using lots of system resources.

I wouldn’t disable BITS; without it you won’t be able to use Windows Update.

What is BITS? ???

It is, ‘Background Intelligent Transfer Service’

Thanks David… I should it should keep running for Windows Update to work properly.

Here is a link regarding the first two
http://forum.sysinternals.com/forum_posts.asp?TID=8881&PN=1

You’re welcome. I have mine set on Manual as opposed to Automatic (which I think is the default), so if anything needs it the process can start it. I very rarely use WU now, I tend to get email notification of updates by shavlic.com and I download the updates manually and install them off-line. That way I have a copy of the update should I ever need to install it again (OS re-installation, etc.), so I don’t have to download masses of updates on dial-up.

Thanks.

Yes, Vsmon seems to be the source for CPU-usage but it shouldn’t cripple the PC that much.
I’m not sure if that and the last two elements in the rootkit-log are related.

I only use Avast AV, Spybot, Adaware 2007 and Zone-alarm (free versions) as security, anything else I need? Anyone know of system explorer tools?
Also, can’t I just disable BITS (if it’s that) and set windows update to manual?

It’s all classical signs of spyware/virus. I really wonder what on earth is going on, cause I can’t tell :stuck_out_tongue:

As far as I’ve tested, no.
Windows Update checks the ‘state’ of the service start setting. If you disable BITS, you won’t be able to use the Windows Update site, as far as I’ve tested.

If Vsmon is causing a high CPU usage (you don’t say how much), you may want to consider reinstalling ZA free. I would start by checking you have the latest version and if not download and save it to your hard disk before uninstalling ZA and rebooting, use the latest version when re-installing.

What classic signs? Other than the computer making strange noises (not a sign), I don’t see any signs other than Vsmon is acting up. RootkitRevealer isn’t very user friendly and what is reported needs interpreting and all I see is possibly ZA elements acting up. This only reinforces my thought of reinstalling ZA.

Why do you want to disable it? There must be a valid reason?
As has been said, without it no Windows Update.

It goes from 0 to two constantly as I can tell from task-manager. I downloaded ZA from zonelabs.com this February.
Using CCleaner I see I do have an issue with ZoneAlarm’s “default icon”.

No strange noises, it’s the normal work-noises PC makes when it does something. I just hear that going on constantly now.
The classical signs I aim at are programs, games crashing, slowing down or going non-responsive.

Thanks for replying :slight_smile:

Are you saying that it uses %2 :o? That’s nothing, anyway I would take David’s advice and reinstall, even if you have the latest version 7.0.462.000. I read many threads last night from people who resolved their high CPU usage of vsmon by reinstalling. But they all had CPU usage of %100, which would cause the problems you mentioned.

For what vsmon is doing 0-2% cpu usage is normal for the monitoring it does, but there is something wrong. I’m not sure it is malware related so I would start with a clean reinstall of ZA to hopefully resolve any issues, icon, etc.

I reinstalled ZA, noticed this:

Blocked Intrusions
1073 intrusions have been blocked since install.

That’s 5 mins after I reinstalled!!! And it keeps rising up fast. That can’t be normal.

Well… ZA is notorious on alarming the user how good it works… any legit operation is numbered as an attack. I’m not saying that everything is ok, but ZA is notorious on saying: “Hey, look at my good work…”.

I am 2k+ blocks atm after 10min, I haven’t noticed it before. :stuck_out_tongue:

Update: I turned off ZA. PC is running smoothly so far. It looks to be it was that, but it doesn’t make so much sense.

Blocks in or out? It’s been a long time, but ZA used to give some info about the blocks, i.e. IP address or application.

Yes it does… ZA is not as bugless as you’re considering…

Who cares how many “intrusions” ZA or any other FW has blocked. That’s their job.
It’s what they don’t block that will wreak havoc on your computer.
Just turn that notice off. It doesn’t mean anything. ;D