Status
Not open for further replies.
1 - 20 of 25 Posts

·
Registered
Joined
·
90 Posts
Discussion Starter #1
Hi! I've been working with help from the HijackThis Log Help forum in the Security Center for over a month now. With many thanks to the people who helped me in that forum, I have reached the following state:

  • No longer getting WinFixer or WinAntiSpyware popups!
  • Internet Explorer is no longer freezing up whenever more than one IE window is open.
  • Several viruses and worms have been removed. Scans with several scanners are now clean.
However, I still have one remaining problem for which I have been referred to this forum.

When my computer has been left on for several hours or more, it loses its connection to the Internet.

The whole Internet connection (email and Internet) stops working when the computer has been left on for several hours or overnight. By "stops working," I mean that when I try to surf to any web page, even the RoadRunner home page or Yahoo!, I get a page not found message. When I try to download or upload email, it searches for the POP server but does not find it. The only way I have found to resolve these problems is to reboot. After the reboot, it works fine.

I am running a fairly new (purchased in February) HP Pavilion a820n computer (click here for specs) with Win XP Home (SP2 installed). I have RoadRunner cable high speed Internet service through Time Warner Cable.

Here's a link to my thread on the HijackThis Log Help forum for more details.

Does anyone have any ideas on how to solve this issue?

Thank you in advance for your help!
 

·
Registered
Joined
·
90 Posts
Discussion Starter #2
By the way, in the other forum, Ried from the Security Team suggested that I repost here the errors from my Event Viewer Log.

Here's what I found:

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 10/29/2005
Time: 8:38:34 AM
User: N/A
Computer: JOELSPC
Description:
Faulting application msimn.exe, version 6.0.2900.2180, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00010f29.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: TrueVector Service
Event Category: None
Event ID: 5007
Date: 10/19/2005
Time: 7:32:52 AM
User: N/A
Computer: JOELSPC
Description:
TrueVector engine: File "C:\WINDOWS\Internet Logs\JOELSPC.ldb" was corrupt and has been copied to "C:\WINDOWS\Internet Logs\xDB18.tmp". File "C:\WINDOWS\Internet Logs\JOELSPC.ldb" was corrupt and has been deleted.

Event Type: Error
Event Source: TrueVector Service
Event Category: None
Event ID: 5007
Date: 10/19/2005
Time: 7:32:51 AM
User: N/A
Computer: JOELSPC
Description:
TrueVector engine: File "C:\WINDOWS\Internet Logs\IAMDB.RDB" was corrupt, restoring from backup "C:\WINDOWS\Internet Logs\BACKUP.RDB".

Event Type: Error
Event Source: TrueVector Service
Event Category: None
Event ID: 5007
Date: 10/19/2005
Time: 7:32:51 AM
User: N/A
Computer: JOELSPC
Description:
TrueVector engine: File "C:\WINDOWS\Internet Logs\IAMDB.RDB" was corrupt and has been copied to "C:\WINDOWS\Internet Logs\xDB17.tmp". File "C:\WINDOWS\Internet Logs\IAMDB.RDB" was corrupt and has been deleted.

Event Type: Error
Event Source: TrueVector Service
Event Category: None
Event ID: 5009
Date: 10/18/2005
Time: 9:58:58 PM
User: N/A
Computer: JOELSPC
Description:
TrueVector engine: Timeout on debug mutex

Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 10/18/2005
Time: 9:57:28 PM
User: N/A
Computer: JOELSPC
Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 10/15/2005
Time: 4:33:48 PM
User: N/A
Computer: JOELSPC
Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module mshtml.dll, version 6.0.2900.2769, fault address 0x0025660b.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: TrueVector Service
Event Category: None
Event ID: 5007
Date: 10/11/2005
Time: 7:08:53 AM
User: N/A
Computer: JOELSPC
Description:
TrueVector engine: File "C:\WINDOWS\Internet Logs\JOELSPC.ldb" was corrupt and has been copied to "C:\WINDOWS\Internet Logs\xDB16.tmp". File "C:\WINDOWS\Internet Logs\JOELSPC.ldb" was corrupt and has been deleted.


Event Type: Error
Event Source: TrueVector Service
Event Category: None
Event ID: 5007
Date: 10/11/2005
Time: 7:08:52 AM
User: N/A
Computer: JOELSPC
Description:
TrueVector engine: File "C:\WINDOWS\Internet Logs\IAMDB.RDB" was corrupt, restoring from backup "C:\WINDOWS\Internet Logs\BACKUP.RDB".


Event Type: Error
Event Source: TrueVector Service
Event Category: None
Event ID: 5007
Date: 10/11/2005
Time: 7:08:52 AM
User: N/A
Computer: JOELSPC
Description:
TrueVector engine: File "C:\WINDOWS\Internet Logs\IAMDB.RDB" was corrupt and has been copied to "C:\WINDOWS\Internet Logs\xDB15.tmp". File "C:\WINDOWS\Internet Logs\IAMDB.RDB" was corrupt and has been deleted.



Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 10/11/2005
Time: 703 AM
User: N/A
Computer: JOELSPC
Description:
Faulting application vsmon.exe, version 5.1.39.4, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x000117a5.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

There were many more, but I stopped copying them. I'm posting only the first 10 Events. I figured this should give you something to start with. If you need more, let me know.

Thanks!
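
An added example, not part of the original post: a small Python triage script for Event Viewer text pasted in the format above. It counts errors per source and event ID, lists which application/module pairs crashed, and shows which files the TrueVector service keeps reporting as corrupt. The function names are hypothetical and the sample is three entries taken from the post, trimmed to the fields the script reads.

```python
import re
from collections import Counter

# Constructed sample: three entries from the post above, trimmed to the fields used here.
SAMPLE = r'''Event Type: Error
Event Source: Application Error
Event ID: 1000
Description:
Faulting application vsmon.exe, version 5.1.39.4, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x000117a5.

Event Type: Error
Event Source: TrueVector Service
Event ID: 5007
Description:
TrueVector engine: File "C:\WINDOWS\Internet Logs\IAMDB.RDB" was corrupt, restoring from backup "C:\WINDOWS\Internet Logs\BACKUP.RDB".

Event Type: Error
Event Source: TrueVector Service
Event ID: 5007
Description:
TrueVector engine: File "C:\WINDOWS\Internet Logs\IAMDB.RDB" was corrupt, restoring from backup "C:\WINDOWS\Internet Logs\BACKUP.RDB".
'''

FIELD = re.compile(r"^(Event Type|Event Source|Event ID|Date|Time|Description):\s*(.*)$")
FAULT = re.compile(r"Faulting application (\S+), version \S+, faulting module (\S+),", re.I)
CORRUPT = re.compile(r'File "([^"]+)" was corrupt')

def parse_events(text):
    """Split copied Event Viewer text into one dict per 'Event Type:' record."""
    events, cur, in_desc = [], None, False
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and m.group(1) == "Event Type":  # every record starts with this field
            cur, in_desc = {"Description": ""}, False
            events.append(cur)
        if cur is None:
            continue
        if in_desc:  # description ends at the first blank line; hex "Data:" rows are ignored
            in_desc = bool(line.strip())
            cur["Description"] += line.strip() + " "
        elif m and m.group(1) == "Description":
            in_desc = True
        elif m:
            cur[m.group(1)] = m.group(2).strip()
    return events

def summarize(events):
    """Count (source, id) pairs, crashing app/module pairs, and files reported corrupt."""
    sources = Counter((e.get("Event Source"), e.get("Event ID")) for e in events)
    faults, corrupt = Counter(), Counter()
    for e in events:
        faults.update((app.lower(), mod.lower()) for app, mod in FAULT.findall(e["Description"]))
        corrupt.update(CORRUPT.findall(e["Description"]))
    return sources, faults, corrupt

print(summarize(parse_events(SAMPLE)))
```

Run over a full export, the repeated source and file names stand out faster than they do when reading entry by entry.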
 

·
Registered
Joined
·
1,353 Posts
Hello jsudds, it seems you may have a corrupted vsmon.exe file. In order to correct the errors you will have to uninstall/reinstall Zone Alarm.

Please do this in Safe Mode
1. Go to Start>Run, type services.msc and stop True Vector from running (double-click TV, in the Startup Type pull down menu select Disabled).
2. Uninstall Zone Alarm from the Add/Remove Programs (make sure all traces of ZA are removed. Look in system drive Programs>Zone Alarm).
3. Reboot and reinstall ZA.

Report back and let us know what happens.
 

·
Registered
Joined
·
90 Posts
Discussion Starter #4
Hi quizme1220. I don't actually have ZoneAlarm installed, so I can't follow your instructions. I'm using the eTrust EZ Armor suite (Anti-Spam, Anti Virus, Firewall and Pest Patrol) that was provided free through RoadRunner.
 

·
Registered
Joined
·
90 Posts
Discussion Starter #5
Do any other programs use the vsmon.exe file besides ZoneAlarm?

I did an Internet search and from reading this site found that there is a worm that disguises itself as vsmon.exe. (Click here for details from TrendMicro.com.) (Click here for details from Zone Labs.) Could this be my problem?

From the same site, I also found that there is a relationship between Zone Labs and Computer Associates, publishers of the EZ Armor software that I am using, and a suggestion that EZ Armor also uses the vsmon.exe file. (Click here for info from Zone Labs.) Is vsmon.exe used by EZ Armor? If so, should I follow your original instructions, but instead of uninstalling/reinstalling Zone Alarm, uninstall/reinstall EZ Armor?

I will do another TrendMicro online scan and will post the report here if it finds anything (i.e. the WORM_RBOT.BO worm).

Do you have any suggestions on what else I should try?
 

·
Registered
Joined
·
90 Posts
Discussion Starter #6
I did another TrendMicro online scan and it found no viruses, worms, trojans, or spyware (other than some cookies which I had it remove). It did not find the WORM_RBOT.BO worm.

What do you suggest I do next?
 

·
Registered
Joined
·
90 Posts
Discussion Starter #7
Well, since I didn't get any response, and since the TrendMicro scan seemed to rule out the WORM_RBOT.BO worm, I went ahead and followed your instructions to uninstall/reinstall EZ Armor (instead of ZoneAlarm.)

I followed step 1 with no problems. In step 2, it allowed me to uninstall all components of the EZ Armor suite (Anti-Spam, Anti Virus, Firewall and Pest Patrol) except Pest Patrol. The uninstaller for that component kept trying to contact Windows Uninstaller via the Internet, and gave me an error message that it could not complete the uninstall in safe mode. So I rebooted into normal mode, and uninstalled Pest Patrol.

Next, I downloaded and reinstalled EZ Armor.

Hope I did the right thing.

I'll leave the computer on tonight to see if it continues to have the problem. Will report back again in a day or two.
 

·
Registered
Joined
·
4,890 Posts
ezTrusts EZArmor suite uses the Zone Alarm engine for its firewall.

Reinstall the suite and see what happens.
 

·
Registered
Joined
·
4,890 Posts
Also, go into Device Manager, and bring up the properties for your network card. There (is? may?) be an option to keep the card from being shut down to save power.
 

·
Registered
Joined
·
90 Posts
Discussion Starter #10
Sorry I've been away for awhile. Here's an update:

I uninstalled and reinstalled ezTrusts EZArmor suite. I have not tried to shut off the network card's power save option yet.

I'm still having the problem where I lose the Internet connection after the computer has been left on for several hours, although now it is occurring far less often. Sometimes the computer can be left on for days with no issue. Other times, it happens.

I'm also having a few new problems.

1) Outlook Express is getting quirky. When we first open up Outlook Express, it starts with the Outlook Express start-up window, which lists the folders, links to the inbox & newsgroups, etc. We have several email identities (one for each of 3 family members), and it usually opens up with my wife's identity. Here's where the problem occurs. Often, when we first click on the link to open up the inbox, either nothing happens at all, or Outlook Express just closes without warning. If that happens, a reboot is usually required to get back in to email. This started happening actually a day or two before I uninstalled/reinstalled EZ Armor, so I don't think it can be blamed on the reinstallation.

2) Also, every time I boot up, I get an error message saying "Runner Error: Runner file name (Updates from HP.exe) lacks a '-' (the app id separator)." This started happening with the first reboot after uninstalling/reinstalling EZ Armor. I've been instructed to disable Backweb once before (see this post). I can do that again, but before doing so, I thought I'd check to make sure you still think I should.

3) This is minor, I know. But now every time I reboot, Spysweeper is launching with a screen telling me my subscription has expired. Is there any reason I should not uninstall it? I was afraid to do so until after we get the main issue resolved. Didn't want to cause any more problems.

Any help would be greatly appreciated.

Thanks!
 

·
TSF Security Team, Emeritus
Joined
·
6,962 Posts
Your Issues:

1. Open up Event Viewer and post just the errors that involve Outlook Express. I'm assuming RIED had you run sfc /scannow already?

2. The error is common on a HP/Compaq PC. You can either disable backweb again...or disable HP.EXE startup entry in the msconfig startup tab.

3. Yes you can remove Spysweeper as we just used it to remove the infection you had.

When you leave the PC on and connected...are you set up so the PC enters Sleep/Suspend mode? The issue seems network related...as your ISP may not see the PC connected and cuts off the connection. How do you connect? Cable/DSL/Modem?
 

·
Registered
Joined
·
90 Posts
Discussion Starter #12
Hi,

Sorry it's been so long since my last post...

MicroBell said:
Your Issues:

1. Open up Event Viewer and post just the errors that involve Outlook Express.
I opened the event viewer, but found no errors obviously associated with Outlook Express.

Under Application Events, the sources of errors sorted alphabetically include:

Application Error
Application Hang
ccEvtMgr
ccProxy
ccSetMgr
crypt32
dcfssvc
DrWatson
ESENT
LightScribeService
LoadPerf
MsiInstaller
NPFMntor
SecurityCenter
SNDSrvc
SPBBCSvc
TrueVector Service
Userenv
Winlogon

Under System events, the sources of errors include:
Application Popup
cdrom
DCOM
Dhcp
eventlog
NtSErvicePack
Print
Service Control Manager
sr
Tcpip
USER32
W32Time
Windows Update Agent


MicroBell said:
I'm assuming RIED had you run sfc /scannow already?
I've run so many things that I've lost track, but I'm pretty sure I haven't been asked to run that one yet.

MicroBell said:
2. The error is common on a HP/Compaq PC. You can either disable backweb again...or disable HP.EXE startup entry in the msconfig startup tab.
3. Yes you can remove Spysweeper as we just used it to remove the infection you had.
OK, I will.

MicroBell said:
When you leave the PC on and connected...are you set up so the PC enters Sleep/Suspend mode?
No. I use the standard Windows screensaver, but no sleep/suspend mode.

MicroBell said:
The issue seems network related...as your ISP may not see the PC connected and cuts off the connection. How do you connect? Cable/DSL/Modem?
I connect via Cable. I have Time Warner's RoadRunner service. My computer is connected to a Netgear WGR614 wireless router (but the wireless transmission is turned off -- the router was free, and I only use it so I can plug in my work laptop and not tie up the home computer.) Then the router is connected to a Toshiba PCX1100U Cable Modem which was supplied by Time Warner.

Thanks for your help!
 

·
TSF Team Emeritus, Microsoft Support
Joined
·
15,478 Posts
Go ahead and Run the System File Checker

Go to the Run box on the Start Menu and type in:

sfc /scannow (sfc if not recognized)

This command will immediately initiate the Windows File Protection service to scan all protected files and verify their integrity, replacing any files with which it finds a problem. You will need your Windows cd.
 

·
Registered
Joined
·
90 Posts
Discussion Starter #14
OK, I ran the System File Checker, but it never asked me for my Windows disk, and it didn't appear to find anything that needed repairing.
 

·
Registered
Joined
·
90 Posts
Discussion Starter #16
I assume that by "have your disk inserted" you are referring to the Windows Recovery disks (2 DVD-ROM disks) that I made when I bought the computer. The computer came with no other disks, so that's all I have.

I tried it again with recovery disk 1 inserted, and again it seemed to run through the system file checker for about a half-hour, but didn't give any indication that it was correcting anything, and didn't seem to try to use the disk at all.

Did I do something wrong?
 

·
Registered
Joined
·
4,890 Posts
Are you running any Symantec products? If so, uninstall them and see if that helps. Running 2 different antivirus apps can cause trouble.
 

·
Registered
Joined
·
90 Posts
Discussion Starter #18
No, I'm not running any Symantec products. I used to run Norton Antivirus and Norton Personal Firewall (free trial versions that came installed on the computer), but I uninstalled them and switched to eTrust EZArmor a few months ago. (EZ Antivirus, EZ Antispam, EZ Firewall and Pest Patrol).
 

·
Registered
Joined
·
4,890 Posts
IIRC ...

ccEvtMgr
ccProxy
ccSetMgr

These three relate to Norton Antivirus ... Have you also uninstalled the Live Update feature (there's a second one, but I can't remember the name ... Live Reg?) These don't uninstall when you remove the main app.
 

·
Registered
Joined
·
90 Posts
Discussion Starter #20
I had already uninstalled everything I could find that looked like it was related to Norton Antivirus, including LiveUpdate.

I can't find anything in Add/Remove Programs that looks to be related to anything by Norton or Symantec. The 3 items you mentioned (ccEvtMgr, ccProxy, ccSetMgr) are not in Add/Remove Programs, so I don't know how to find them to uninstall them.

I did find a folder called c:\Programs\Norton AntiVirus. The contents of the folder are:
  • END-USER.TXT
  • ezip.dat
  • filter.dat
  • NAVALERT.DAT
  • Navoptx.dat
  • Navstart.dat
  • Original Copy of country.dat
  • Original Copy of EXCLUDE.dat
  • Original Copy of EXCLUDEL.dat
  • Original Copy of Navopts.dat
  • Original Copy of README.TXT
  • Original Copy of scancfg.dat
  • Original Copy of version.dat
  • partnum.dat
  • platform.dat
I have deleted the folder and its contents.

I will try to run sfc again.
 