# vsmon.exe infection



## MyDoomVictim (Feb 12, 2005)

Recently I've noticed a runaway process called _*vsmon*_._*exe * _ on my system alternately grabbing large amounts of cpu.

A little research showed that this process might be the result of a worm, and it might have once been a legitimate process associated with the firewall product Zone Alarm.

I do use Zone Alarm on my system, and it is not longer active nor will it startup when I invoke it.

1.) I need help to confirm and get rid of this worm.
2.) I have a greater concern. Once I moved my service from a large DSL provider to a large cable provider, my active Zone Alarm firewall began indicating it was warding off intrusions into my system. Since then I have been quarantined by my cable provider, (I am no longer allowed to send outbound email) and now I notice the runaway vsmone.exe and the absence of the legitimate zone alarm product running.

How do I protect Zone Alarm from future attacks. Do I need to get an update or something?

3.) I'm using Windows XP. Should I be able to restore to an earlier "safe" version of XP and eliminate this worm?

Thanks.


----------



## Byteman (Jan 24, 2002)

Hi, What I would do:

Post a Hijackthis log so experts can help spot anything that may be present> it does not show everything, but quite a bit...

We should have a log made before you scan at the site below to start with:

While waiting for advice, do the next part>

Do an online antivirus scan here:

http://www.pandasoftware.com/products/activescan/com/activescan_principal.htm

Scan all your hard (data) drives. This scanner does NOT remove spyware and adware-type things but does detect them extremely well.

Panda lets you View the Report, then, save the Report, called activescan.txt to your desktop and *post the contents of activescan.txt into your next reply along with a Hijackthis log made after the Panda scan*

You *should be able* to System Restore to an earlier time, yes, but it sometimes does not work , I would try the above first.



Cookiegal said:


> Please do this. Click here: http://www.thespykiller.co.uk/files/hijackthis_sfx.exe
> to download HijackThis.
> 
> Close all open windows and open HijackThis. Click Scan. When the scan is finished, the scan button will change to Save Log. Click on Save Log and then save it to Notepad. Click on Edit  Select all  copy and then paste into the thread.
> ...


This is usually how that one part of ZoneAlarm looks in a good log: in XP>

C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


----------

