Virus not found, netmon.exe javascript.exe

Hi !

I have a virus on my Windows 2000 home PC, but none of the anti-virus, anti-spyware etc. tools can find it.

When I search on the web about it, it looks like it’s an old and identified virus, but what I have running on my PC is different.

I used to have one service running: Net Functions Monitoring - Netmon.exe. I deleted it, but after a reboot it came back with a random exe file name, sss.exe, then fff.exe, then hhh.exe, etc. I tried removing all entries for it in the registry, but it still comes back. I can only block it by disabling the service and also blocking its access with my firewall.

Since this morning I have a new service running: Enables Javascript Support - javascript.exe

I tried all the removal/fix tools for these identified viruses, but none can detect it.

What else can I do?

Follow the instructions on THIS PAGE

Where is it placing these files, example (C:\windows\system32\infected-filename.xxx)?

A Google search returns many hits for netmon.exe; this may also help.

X NetMon netmon.exe Added by the MIMAIL.M WORM!
http://www.bleepingcomputer.com/startups/netmon.exe-3645.html

http://antivirus.about.com/cs/allabout/a/mimailm.htm
More on Mimail-m

Yes, it’s placing them in C:\winnt\system32\

I ran FxMimail from Symantec and it’s not finding it. From the description on those sites, it’s as if the virus I have is slightly different from that old 2003 worm.

I did all the steps from Eddy’s link and no luck.

Please post a HijackThis log here and let us have a look.
Let’s see if we can find something.

Here’s the HiJackThis log

Like I said, I disabled the NetMon.exe and Javascript.exe services, so they are not currently running. It’s the only way; if I delete them they come back under another name.

Also, before someone mentions it: I was running Avast before, but since it was unable to find my virus, I installed NAV thinking maybe it’s better, but it’s not. I will go back to Avast :)

Logfile of HijackThis v1.99.1
Scan saved at 11:01:11 AM, on 10/08/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\servers\Apache2\bin\Apache.exe
C:\WINNT\system32\CTSvcCDA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\servers\Apache2\bin\Apache.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Creative\SB Wireless Music\Media Server\SBWMsvr.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM..\Run: [ccApp] “C:\Program Files\Common Files\Symantec Shared\ccApp.exe”
O4 - HKLM..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU..\Run: [SB Wireless Music] C:\Program Files\Creative\SB Wireless Music\Media Server\SBWMsvr.exe startup
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O17 - HKLM\System\CCS\Services\Tcpip..{4EF28AEA-0FA3-4DEC-8780-A350F2AB5BEA}: NameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip..{B0396E9B-5DB0-4148-9C3A-C793C019C4D0}: NameServer = 198.235.216.111,192.168.2.1
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Apache2 - Unknown owner - C:\servers\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTSvcCDA.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Ventrilo - Unknown owner - C:\servers\Ventrilo\ventrilo_svc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

Let’s start with removing PowerReg; it is malware.
See HERE

Curious: Why do you ask here while you are using Norton?

Thanks

I’m using NAV today because Avast wasn’t able to find it. I’m trying to get rid of this virus/worm, so I tried NAV. NAV couldn’t solve my problem either.
I’m an Avast user; I will go back to Avast and remove Symantec AntiVirus and its resource-hungry processes very soon.

I believe that you would benefit from reading this topic; browsing, receiving email, etc. as a restricted user would limit the potential damage (no creating/placing/editing files in the system folders, etc.) in the first place.

Security Tips & Tricks - DropMyRights

Thanks

BTW, here’s the new service it just created and started, as it appears in the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:47:19 PM, on 10/08/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\system32\vspool.exe
O23 - Service: Virtual Spool Manager Service (Vspool) - Unknown owner - C:\WINNT\system32\vspool.exe

Fixing it with HijackThis did nothing :(
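The pattern in both logs above is the one worth triaging automatically: every instance of this worm (netmon.exe, javascript.exe, vspool.exe) showed up as an O23 service with "Unknown owner" whose binary sits in C:\WINNT\system32. The script below is an added example, not part of this thread or of HijackThis; it parses the O4 and O23 lines as posted here and flags the entries a helper would look at first. The "unknown owner in a system directory" heuristic is an assumption drawn from this thread, not a HijackThis rule.

```python
import re
from typing import List, Tuple

# Lines excerpted from the HijackThis logs posted in this thread; the O4
# registry keys are written in HijackThis's usual "HKLM\..\Run" form.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Startup: PowerReg Scheduler.exe
O23 - Service: Apache2 - Unknown owner - C:\servers\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Virtual Spool Manager Service (Vspool) - Unknown owner - C:\WINNT\system32\vspool.exe
"""

O4_RE = re.compile(r"^O4 - (?P<loc>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# Assumed heuristic: a vendor-less service binary living in the OS directory.
SYSTEM_DIRS = ("\\winnt\\system32\\", "\\windows\\system32\\")

Finding = Tuple[str, str, str]  # (section, entry name, reason)


def triage(log_text: str) -> List[Finding]:
    """Return the O4/O23 entries of a HijackThis log that deserve a second look."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = O23_RE.match(line)
        if m:
            name, owner, path = m.group("name", "owner", "path")
            norm = path.lower().replace("/", "\\")
            if owner == "Unknown owner" and any(d in norm for d in SYSTEM_DIRS):
                findings.append(("O23", name, "unknown owner, binary in system directory"))
            if "(file missing)" in path:
                findings.append(("O23", name, "service binary missing"))
            continue
        m = O4_RE.match(line)
        if m:
            cmd = m.group("cmd")
            name = m.group("name") or cmd
            exe = re.match(r"(.*?\.exe)", cmd, re.I)
            target = exe.group(1) if exe else cmd
            # A bare file name (no directory) means the loader resolves it via
            # the search path, so the reviewer must confirm which file runs.
            if "\\" not in target and "/" not in target:
                findings.append(("O4", name, "autorun command has no directory, verify which file runs"))
    return findings


if __name__ == "__main__":
    for section, name, reason in triage(SAMPLE_LOG):
        print(f"{section:4} {name}: {reason}")
```

Legitimate services such as MySql (unknown owner, but outside the OS directory) and Symantec AntiVirus are not flagged, while the Vspool service and the missing Apache2 binary are.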

I googled vspool.exe… no luck

Versa-Spooler v1.01 multi-printer spooler

:) It’s not that. It’s the same worm/virus that changes its name and exe file.