Not sure what I have...


  • This topic is locked
3 replies to this topic

#1 Rutt Roh

Rutt Roh

  • Members
  • 20 posts
  • OFFLINE
  • Local time:02:12 PM

Posted 07 January 2009 - 06:17 PM

This past Sunday I was LANing online with my brother (who's in a different state) using a program called Hamachi, which essentially creates a VPN so it's as if my computer were plugged into his router.

In the middle of the game, all of a sudden I get booted out to my desktop with an alert prompt saying something along the lines of "The computer needs to restart. Please save any important documents as you will lose this data." Then it mentions something about an unexpected termination code equaling zero, which probably caused that prompt. Unfortunately, I don't remember exactly what it said at the time, but I do remember seeing the message mention something about SYSTMEM.exe (not system.exe). I wasn't sure what happened, and this has never happened before.

I thought it was a glitch, so the comp restarted. Everything was fine with loading back up into Windows. It wasn't until I got an error message prompt as soon as I could see my desktop, saying "Error - could not find path C:\Program", that I began to think maybe this is a virus.

Then, trying to open my Task Manager to see that executable file, I found that my access to it was disabled by the administrator. Problem is, I AM THE ADMIN. I couldn't do regedit either by using Run. That's all I saw for now... didn't notice anything else different. Fortunately I was still able to get on the web, so I looked up this "SYSTMEM.exe" but couldn't find anything. I have a program called WinPatrol which guards against hijacks, etc., and was able to temporarily stop this SYSTMEM.exe file.

I ran Ad-Aware and Spybot and they detected that my registry had disabled those functions, in addition to a whole lot more, including Windows Security Center, firewall, etc. I cleaned the problems and was able to get access to regedit and the Task Manager again, and I'm guessing that the SYSTMEM.exe was the culprit.

I found that SYSTMEM.exe is not only a hidden file but a hidden system file, but apparently it's not a legit file. It hid itself in my Program Files directory and I'm guessing it disabled a whole bunch of settings in my registry. Now it's clean, but I'm surprised my virus checker didn't spot it as a trojan or virus. This is weird because I haven't been to any random sites which were questionable, so I don't know how I got this "thing" or installed any questionable software.

... Fast forward to yesterday. After running all these scans (including Malwarebytes, Spybot, Ad-Aware, and my PC Tools virus checker), I felt better, thinking that the problem would be resolved, but I guess I was wrong.

I decided to LAN with my brother again via Hamachi and everything was good and normal until, randomly again in the middle of the game, I get booted out to my desktop. I can still get back in the game, but I get another shutdown message. This time I paid attention to the message (and this time it had a different file):

This shutdown was initiated by NT AUTHORITY\SYSTEM. The system process C:\WINDOWS\SYSTEM32\ISASS.EXE terminated unexpectedly with status code 0.

The computer restarts and everything is normal; I don't see anything out of the ordinary and no weird startup prompt either. My Task Manager/regedit aren't disabled this time around. I looked online to see if anyone knew what this could be and I came across articles about the Blaster worm and Sasser worm. But researching them a little more closely, I don't have the files that they supposedly copy onto your computer. And I don't get a restart prompt or anything when I go on the internet, whereas other people said they only had 2 min when they load into Windows, then they get that prompt for system shutdown. From a surface glance, I don't notice anything out of the ordinary in terms of function. I can go on the web - no problems.

So you can see - I'm clueless as to what the issue is. I've run the checkers and thought they picked up everything, but not sure if they did... apparently not. As I said, I'm able to get on the internet, browse webpages, have full/normal functionality with Task Manager and regedit and my command prompt, as well as other programs. Nothing seems out of the ordinary.

Seems like I get that system restart thing when I try LANing, but that only occurs in the middle of the game. The thing that's weird is that I've never had that problem before when I LANed using Hamachi... it just happened this past Sunday (in the new year, so maybe the timeframe set off a dormant virus or something?)... I'm not sure. Again, we've LANed the same game before without any problems or trouble and no weird shutdown prompt.

** BTW - one of my IT fellows that works with me said to maybe disable the Windows Messenger service and see if that'll help, since most viruses and trojans exploit that. Or maybe get a different virus checker like AVG or something similar? Or maybe the problem is coming from my brother's computer since we're "connected"?

Please help... thanks!

Edited by Rutt Roh, 07 January 2009 - 06:20 PM.
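A defender-side triage script for the three symptoms described in this post (Task Manager and regedit disabled by policy, a hidden system executable under Program Files, and the "could not find path C:\Program" error at logon). It is an added example, not something posted in the thread, and it assumes an elevated PowerShell session on the affected machine; the reading of the logon error as an autostart entry whose unquoted path was cut at the space is an assumption, not something the thread establishes.

```powershell
function Get-PolicyLockouts {
    # Task Manager / Registry Editor lockouts are policy values under Policies\System.
    $paths = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { continue }
        $k = Get-ItemProperty -Path $p
        foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
            if ($null -ne $k.PSObject.Properties[$name] -and $k.$name -ne 0) {
                [pscustomobject]@{ Key = $p; Value = $name; Data = $k.$name }
            }
        }
    }
}

function Get-HiddenSystemExecutables {
    param([string]$Root = $env:ProgramFiles)
    # Executables carrying both the Hidden and System attributes under Program Files,
    # the way SYSTMEM.exe hid itself in the post above. Legitimate ones are rare there.
    $hidden = [IO.FileAttributes]::Hidden; $system = [IO.FileAttributes]::System
    Get-ChildItem -Path $Root -Recurse -Force -Filter *.exe -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes.HasFlag($hidden) -and $_.Attributes.HasFlag($system) } |
        Select-Object FullName, Length, LastWriteTime
}

function Get-BrokenRunEntries {
    # Autostart commands whose first path token no longer exists. An unquoted
    # "C:\Program Files\..." entry is cut at the space and surfaces as "could not
    # find path C:\Program" at logon (assumption; see lead-in).
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($rk in $runKeys) {
        if (-not (Test-Path $rk)) { continue }
        $props = (Get-ItemProperty -Path $rk).PSObject.Properties |
                 Where-Object { $_.Name -notlike 'PS*' }   # drop provider metadata
        foreach ($prop in $props) {
            $cmd = [string]$prop.Value
            $exe = if ($cmd.StartsWith('"')) { $cmd.Split('"')[1] } else { $cmd.Split(' ')[0] }
            if ($exe -match '\\' -and -not (Test-Path -LiteralPath $exe)) {
                [pscustomobject]@{ Key = $rk; Name = $prop.Name; Command = $cmd }
            }
        }
    }
}

Get-PolicyLockouts | Format-Table -AutoSize
Get-HiddenSystemExecutables | Format-Table -AutoSize
Get-BrokenRunEntries | Format-Table -AutoSize
```

Any hit from the first or second function is worth checking against the scanner logs before assuming the machine is clean; the third function only lists candidates for manual review, since an uninstalled program can leave the same dangling entry.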



#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,760 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:03:12 PM

Posted 07 January 2009 - 08:57 PM

Hello, I don't know what you ran, so I will ask you to start with an MBAM scan. Thanks.


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 Rutt Roh

Rutt Roh
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:02:12 PM

Posted 07 January 2009 - 10:59 PM

I used Malwarebytes as one of the scanners I used to check what the issue was. I also used Ad-Aware 2008 and Spybot. By the way, Malwarebytes, in addition to these other programs, had picked up several things before I created this thread and they have removed them since.

But since I ran into that system shutdown message again yesterday after LANing with my brother, I ran a full scan of my system before I left for work this morning and left it running. When I got back this afternoon, Malwarebytes didn't find anything. Here's the log:

Malwarebytes' Anti-Malware 1.32
Database version: 1627
Windows 5.1.2600 Service Pack 1

1/7/2009 19:00:01
mbam-log-2009-01-07 (19-00-01).txt

Scan type: Full Scan (C:\|)
Objects scanned: 152079
Time elapsed: 2 hour(s), 3 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by Rutt Roh, 07 January 2009 - 11:02 PM.


#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,760 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:03:12 PM

Posted 07 January 2009 - 11:42 PM

Hi, I don't think it's malware any more. I would ask the question "This shutdown was initiated by NT AUTHORITY\SYSTEM. The system process C:\WINDOWS\SYSTEM32\ISASS.EXE terminated unexpectedly with status code 0." now in the XP forum, as they may have the answer. I am closing this topic to avoid the confusion of duplicate posting. If you need it reopened, PM me.