[Terry Puente]

We have 12 workstations on our network. Up until six months ago, we all shut our systems down every night. Never had any problems. Then four of us began to log in to our workstations from our homes. We would leave our systems hosted through PC Anywhere and log in from home to work. No problems until last month. Now anytime we leave our systems on all night, we either lose network connectivity or our systems work real slow. Then we re-boot and whatever problems occur go away. This occurs on 9 of the 12 workstations. There are 3 that are not having problems. The problem is that 2 of the people with the problems are the ones that work from their homes. Because of the problem they cannot wake up at 5:30 am and work on their systems because they cannot access the programs on the network server. There is no one in the office to re-boot, log in and rehost their systems. Any ideas or thoughts on what is the most likely cause. It seems to be the problems occur as the time the person is logged in increases. Please help. I am the IT person plus the bookkeeper. The people with the problems are the most productive in our office. If they get behind, we are all in trouble. Thanks in advance for any help!

[Advertisements]

have you checked for possible infections (malware, trojan, virus)? Given it is the machines that are connected to home machines, which are often infected, the infection could be traveling that way.

Of, whatever is on them might have simply entered through an open port, since PCANYWHERE needs to have open ports and listening

Memory leak in PcAnywhere, perhaps? Did you upgrade, patch PCANYWHERE?

[gerryf]

have you checked for possible infections (malware, trojan, virus)? Given it is the machines that are connected to home machines, which are often infected, the infection could be traveling that way.

Of, whatever is on them might have simply entered through an open port, since PCANYWHERE needs to have open ports and listening

Memory leak in PcAnywhere, perhaps? Did you upgrade, patch PCANYWHERE?

[gerryf]

btw---dial in or connect via vpn?

[Terry Puente]

We log in using IP Addresses, I went through the steps to be certain my system was clean. We us Virusscan ASAP, could a virus keep traveling back and forth through the network? This morning when the system was running slow, I did the HiJack this log, before I re-booted. Here it is.

Logfile of HijackThis v1.99.1
Scan saved at 12:57:30 PM, on 05/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Journyx\database\MSSQL$JOURNYXMSDE\Binn\sqlservr.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Sybase\Shared\Sybase Central 4.2\scjview.exe
C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\PROGRA~1\Journyx\jwt\timesheet\TimesheetService.exe
C:\PROGRA~1\Journyx\python\python.exe
C:\PROGRA~1\Journyx\python\python.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgttry.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\Journyx\python\python.exe
C:\WINDOWS\system32\mstsc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\TimeClock Plus 5.0 Client\LoadTck.exe
C:\Program Files\TimeClock Plus 5.0 Client\LoadTck.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Documents and Settings\tpuente\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe"
O4 - HKLM\..\Run: [MVS Splash] C:\PROGRA~1\McAfee\MANAGE~1\VScan\Splash.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [SybaseCentral42] "C:\Program Files\Sybase\Shared\Sybase Central 4.2\scjview.exe" -preload
O4 - HKCU\..\Run: [DBISQL9] "C:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe" -preload
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\Plugins\NP~avtif.dll
O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\Plugins\NP~avtif.dll
O16 - DPF: ViewTIFF for Java - http://imaging.landa...in/TIFFView.cab
O16 - DPF: {27F09AE0-972C-444A-8D4A-E6AE606BAC28} - http://downloads.tax...013/install.cab
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://virusscanasap...in/myCioAgt.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptoda...pdatePortal.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {F2193034-3534-4D60-BF72-530FCE97B167} - http://downloads.tax...all/default.cab

edited

O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} - C:\Program Files\McAfee\Managed VirusScan\Agent\myRmProt3.0.0.572.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Journyx Timesheet 5.5 (journyxtimesheet) - Unknown owner - C:\PROGRA~1\Journyx\jwt\timesheet\TimesheetService.exe
O23 - Service: McShield - Network Associates, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: McAfee Managed Services Agent (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

Any insight? Thanks.

[gerryf]

took the liberty of editing out some info that the public doesn't need to see....

now

MSConfig.exe /auto--second time I've seen this in the past couple minutes....what are you doing on this machine by way of selective startup at the moment?


Hard to guess what is going on when you look like you are in the middle of troubleshooting

I see mcafee software running...any updates to this software occur at about the time of the problem...there was a bad mcafee update about a month ago, it seems...cannot recall exact date.

incredimail---incredibly annoying and a system resource waster, but people sure love it.

How long has ewido been on here?


I see remote desktop....xp pro?

All updates?


Also, if you could



start > run
eventvwr.msc
<enter>

Look under systems and applications for items with red Xs...list them here. (the ones that occur about the time of the trouble)

[Terry Puente]

Thanks for editing. System is fine at this time. I will do as you request as soon as my system slows. It may not be until tomorrow. Thanks.

[gerryf]

I've got time....

you know where to find us....if the thread gets lost going into the weekend ( I may be going out of town...not sure yet), feel free to bump it)