[Resolved] zone alarm shutting down

Status
This thread has been Locked and is not open to further replies. The original thread starter may use the Report button to request it be reopened but anyone else with a similar issue should start a New Thread. Watch our Welcome Guide to learn how to use this site.

jenni73

Thread Starter
Joined
Nov 24, 2000
Messages
139
Hmm, I'm confused. I am using Zone Alarm...just recently, I was surfing and I was receiving multiple alerts. Then all of a sudden my Zone Alarm disappears and stops running.
Am I being hacked or what?
 

jenni73

Thread Starter
Joined
Nov 24, 2000
Messages
139
OK, just a little more info. I have now been on for about a half an hour and Zone Alarm will not stay on for 2 min. at a time...and I have to put it on again. The icon just disappears and it stops running altogether. Anyone know what this could mean?
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
Eddie's right.
Nowadays there are certain trojans that are able to disable your antivirus or firewall without you even noticing it, in some cases.

Gtz.
 

jenni73

Thread Starter
Joined
Nov 24, 2000
Messages
139
Ok, I'll run virus scan now. Umm, one other thing. This may be completely unrelated but...I was just checking out my bank account and loans and stuff online. I had two weird entries under loans...they were called online loans and had account numbers. They weren't there two days ago. I called the online banking people and they say they have no idea what they are. Under amounts it says not available. Oh well, maybe I'm being paranoid???
I have also been having lots of shut downs and blue screens today....
I'll keep you updated....thanks
 

eddie5659

Moderator
Malware Specialist
Joined
Mar 19, 2001
Messages
37,484
Hiya

Run the Startup log first. We can have a look at that whilst you do your scanning.

Regards

eddie
 

jenni73

Thread Starter
Joined
Nov 24, 2000
Messages
139
There IS something there.......what is it?

Start-Ups checked at 11-05-2001 8:37:18.66p
__________________________________________________________________________
__________________________________________________________________________

StartUp Log for Windows 95/98 - Freeware by rmbox
__________________________________________________________________________
__________________________________________________________________________

Comments:

This is a log of all the programs on your computer that
are starting automatically every time you start Windows.
Using this log can be a quick way to spot trojans.

StartUp Log (version 1.53) - Release Date 8/19/2001

__________________________________________________________________________
__________________________________________________________________________

StartUp Log Index

1. HKLM Run
2. HKCU Run
3. HKLM RunOnce
4. HKCU RunOnce
5. HKLM RunServices
6. HKLM RunServicesOnce
7. WIN.INI file
8. SYSTEM.INI file
9. AUTOEXEC.BAT file
10. StartUp folder
11. All Users StartUp
12. Misc. StartUp Configurations

__________________________________________________________________________
__________________________________________________________________________

The following is a list of your current Start-Ups
__________________________________________________________________________
__________________________________________________________________________

1. HKLM Run - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"ATIGART"="c:\\ati\\gart\\atigart.exe"
"AtiPTA"="Atiptaaa.exe"
"AtiCwd32"="Aticwd32.exe"
"AtiQiPcl"="AtiQiPcl.exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"
"AVG_CC"="C:\\PROGRA~1\\GRISOFT\\AVG6\\avgcc32.exe /STARTUP"
"Touch Manager"="C:\\Program Files\\Netropa\\Touch Manager\\TouchMgr.exe"


==========================================================================
__________________________________________________________________________

2. HKCU Run - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Taskbar Display Controls"="RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY"
"MSMSGS"="C:\\Program Files\\Messenger\\msmsgs.exe /background"


==========================================================================
__________________________________________________________________________

3. HKLM RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

4. HKCU RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

5. HKLM RunServices - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"Avgserv9.exe"="C:\\PROGRA~1\\GRISOFT\\AVG6\\Avgserv9.exe"
"TrueVector"="C:\\WINDOWS\\SYSTEM\\ZONELABS\\VSMON.EXE -service"
"MiniLog"="C:\\WINDOWS\\SYSTEM\\ZONELABS\\MINILOG.EXE -service"


==========================================================================
__________________________________________________________________________

6. HKLM RunServicesOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


==========================================================================
__________________________________________________________________________

7. WIN.INI File - (c:\windows\win.ini)

Your win.ini run/load lines should look like run= and load= exclusively.
There should be nothing to the right of the equal signs.


These are the run and load lines in your WIN.INI file

run=spring.exe

load=

==========================================================================
__________________________________________________________________________

8. SYSTEM.INI File - (c:\windows\system.ini)

Your system.ini shell line should look like shell=Explorer.exe exclusively.
You should only see Explorer.exe following the equal sign.


This is the shell line in your SYSTEM.INI file

shell=Explorer.exe

==========================================================================
__________________________________________________________________________

9. AUTOEXEC.BAT File - (c:\autoexec.bat)

(Some trojans have been known to start from this file)


These are your program startups and set paths in your autoexec.bat file

@C:\PROGRA~1\GRISOFT\AVG6\bootup.exe
rem - By Windows 98 Network - C:\WINDOWS\net start
SET BLASTER=A220 I7 D1 H7 P330 T6
SET SBPCI=C:\AUDIOPCI

PATH C:\WINDOWS;C:\WINDOWS\COMMAND;C:\BITWARE\;C:\PROGRA~1\GRISOFT\AVG6

@SET CLASSPATH=C:\PROGRA~1\CANONC~1\PDELUXE\ADOBEC~1


==========================================================================
__________________________________________________________________________

10. StartUp Folder - (c:\windows\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your StartUp folder

*(No start-ups found)*

==========================================================================
__________________________________________________________________________

11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your All Users StartUp folder

C:\WINDOWS\All Users\Start Menu\Programs\StartUp\ZoneAlarm.lnk

==========================================================================
__________________________________________________________________________

12. Miscellaneous StartUp Configurations

-============================-
Registry StartUp Directories
-============================-

Should show the Start Menu StartUp and All Users StartUp directories

.....................................................................

[1] HKCU - Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

"Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"

.....................................................................

[2] HKCU - User Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders


.....................................................................

[3] HKLM - Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

"Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"

.....................................................................

[4] HKLM - User Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders


.....................................................................

-=======================-
Registry Shell Spawning
-=======================-

Open Commands for Executable File Types

@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)

@="\"%1\" %*"
(.com file - RegPath = HKCR\comfile\shell\open\command)

@="\"%1\" /S"
(.scr file - RegPath = HKCR\scrfile\shell\open\command)

@="\"%1\" %*"
(.bat file - RegPath = HKCR\batfile\shell\open\command)

@="\"%1\" %*"
(.pif file - RegPath = HKCR\piffile\shell\open\command)

@="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
(.hta file - RegPath = HKCR\htafile\shell\open\command)

-=========================-
HKLM RunOnceEx - Registry
-=========================-


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]


-====================-
StubPaths - Registry (Partial Listing)
-====================-

(Please see the StubPath.txt on your desktop for complete listing)

HKLM\Software\Microsoft\Active Setup\Installed Components


"StubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
"StubPath"="C:\\WINDOWS\\msnmgsr1.exe"
"StubPath"=""
"StubPath"="C:\\WINDOWS\\COMMAND\\sulfnbk.exe /L"
"StubPath"="\"C:\\Program Files\\Outlook Express\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
"StubPath"="\"C:\\Program Files\\Outlook Express\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"
"StubPath"="C:\\WINDOWS\\SYSTEM\\updcrl.exe -e -u C:\\WINDOWS\\SYSTEM\\verisignpub1.crl"

-=================-
DOSSTART.BAT File - (c:\windows\dosstart.bat)
-=================-

C:\AUDIOPCI\SBINIT


-=====================-
Screen Saver Settings (Possible system.ini start-up)
-=====================-

SCRNSAVE.EXE=C:\WINDOWS\HALLOW~1.SCR

==========================================================================
__________________________________________________________________________

- Supplemental Environment Information -

TMP=C:\WINDOWS\TEMP
TEMP=C:\WINDOWS\TEMP
winbootdir=C:\WINDOWS
COMSPEC=C:\WINDOWS\COMMAND.COM
SBPCI=C:\AUDIOPCI
PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\BITWARE\;C:\PROGRA~1\GRISOFT\AVG6
CLASSPATH=C:\PROGRA~1\CANONC~1\PDELUXE\ADOBEC~1
windir=C:\WINDOWS

File - c:\windows\deletefi.ini

==========================================================================
__________________________________________________________________________

- End -
 

eddie5659

Moderator
Malware Specialist
Joined
Mar 19, 2001
Messages
37,484
Okay, let's have a look

Hmm...

7. WIN.INI File - (c:\windows\win.ini)

Your win.ini run/load lines should look like run= and load= exclusively.
There should be nothing to the right of the equal signs.


These are the run and load lines in your WIN.INI file

run=spring.exe

load=

Now, a search keeps coming up with screensavers and Paint Shop Pro...why the last I have no idea.

Have you ever been here: http://www.screensavers-tlc.com/spring.html

I doubt

There is a virus called Spring.768, though it's not dangerous.

Might need someone else here.

eddie
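
The check the StartUp Log describes for WIN.INI and SYSTEM.INI, as an added example that is not part of the original thread or of the StartUp Log tool. The function names and the sample file contents are constructed for illustration (only the `run=spring.exe` and `shell=Explorer.exe` values come from the posted log), and the lookup order for entries without a path follows the cleaner readme quoted later in this thread.

```python
import ntpath  # Windows path rules, so this runs on any host OS

# Constructed sample files; the run= and shell= values are those in the posted log.
WIN_INI = "[windows]\nload=\nrun=spring.exe\nNullPort=None\n"
SYSTEM_INI = "[boot]\nshell=Explorer.exe\nsystem.drv=system.drv\n"


def ini_values(text, section, keys):
    """Return (key, value) pairs for the named keys in one INI section.

    Section and key names are matched case-insensitively, and duplicate keys
    are all returned, since a second run= line is as interesting as the first.
    """
    pairs, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
        elif current == section.lower() and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() in keys:
                pairs.append((key.strip().lower(), value.strip()))
    return pairs


def candidate_paths(program, windir):
    """Places to look for an entry that was given without a path."""
    if ntpath.dirname(program):
        return [program]
    return [program,                                  # current directory
            ntpath.join(windir, program),             # Windows directory
            ntpath.join(windir, "SYSTEM", program)]   # System directory


def audit_autostart(win_ini, system_ini, windir=r"C:\WINDOWS"):
    """List every program named on run=/load= or added to the shell= line."""
    findings = []
    for key, value in ini_values(win_ini, "windows", {"run", "load"}):
        # Entries are separated by spaces or commas (short 8.3 names assumed).
        for program in value.replace(",", " ").split():
            findings.append(("win.ini", key, program,
                             candidate_paths(program, windir)))
    for key, value in ini_values(system_ini, "boot", {"shell"}):
        for position, program in enumerate(value.split()):
            if position == 0 and program.lower() == "explorer.exe":
                continue  # the one expected value
            findings.append(("system.ini", key, program,
                             candidate_paths(program, windir)))
    return findings


if __name__ == "__main__":
    for source, key, program, paths in audit_autostart(WIN_INI, SYSTEM_INI):
        print(f"{source} {key}= -> {program}; check: {', '.join(paths)}")
```

A finding only means the entry deviates from the empty `run=`/`load=` and bare `shell=Explorer.exe` baseline; the listed file still has to be scanned to decide whether it is malicious.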
 

jenni73

Thread Starter
Joined
Nov 24, 2000
Messages
139
Someone help!
Housecall found numerous infected files in windows system.....infected with pe magistr.b and says it's not cleanable...also one is called spring.exe......
 

jenni73

Thread Starter
Joined
Nov 24, 2000
Messages
139
That's what I have!
What do I do with this???
This tool is designed to clean a system that is infected with PE_MAGISTR.B.
This tool cleans infections of the Trojan program in Windows NT/2000 and Windows 95/98 systems.

The tool will clean the system in this order:

o Check all files referred to in the following registry key:

If the file contains a copy of PE_MAGISTR.B, the value in the registry
is deleted. The file detected will not be erased yet.

o Check the file referred to by "run" key in the [Windows] section of
WIN.INI. If the file contains a copy of PE_MAGISTR.B, the value of
the key is deleted.

Note that since sometimes there is no path specified in the key,
the tool will automatically check for the file's existence in the
current directory, Windows directory, and in the Systems directory.

The file detected will not be erased yet.

o Check the file referred to by "shell" key in the [Boot] section of
SYSTEM.INI. If the file contains a copy of PE_MAGISTR.B, the value
of the key is deleted.

Note that since sometimes there is no path specified in the key,
the tool will automatically check for the file's existence in the
current directory, Windows directory, and in the Systems directory.

The detected file will not be deleted yet.

o For Win 9x/ME based computers, scan %windir%\WIN.COM. If it contains
a copy of the Trojan program, then the user is notified of the
presence of the Trojan. The Trojan file will not be deleted and the
user will be asked to replace it with a copy from the installation
package.


o For Win NT-/2K-based computers, scan C:\NTLDR. If it contains
a copy of the Trojan program, then the user is notified of the
presence of the Trojan. The Trojan file will not be deleted and the
user will be asked to replace it with a copy from the installation
package.

o Optionally, scan the file system and delete infected files.




*************************************
III Requirements

This tool should be executed in a Windows-based operating system.

*************************************
IV How to use

Syntax:
Fix_MagistrB.COM <path> [options]


Options:

/Q - Silent or quiet mode. There will be no user
intervention. Infected files will not be
deleted unless /A is used.

/S - Skip subdirectories. Scan current folder only.

/A - Autodelete infected files.

/* - Scan all files. Default is .EXE and .SCR only.

/N - No Scan. Only cleans the registry and INI files.

/? - Display this help message.

<path> - Path to be scanned. Default path is the current directory.


If during the scanning the Trojan was detected in WIN.COM or NTLDR,
DO NOT RESTART WINDOWS. This Trojan portion of the virus will trash
your hard drive.

For 9x/ME users, obtain a clean copy of WIN.COM and overwrite the one
that was detected.

For NT/2K, restore NTLDR from backup.


*************************************

For more information regarding this virus, please visit our Web site at:

http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName/PE_MAGISTR.B
 

jenni73

Thread Starter
Joined
Nov 24, 2000
Messages
139
Well I'm an idiot...and I have it.......what do I do now????????
Please?????
 

eddie5659

Moderator
Malware Specialist
Joined
Mar 19, 2001
Messages
37,484
Okay, I have seen the tool. What it does is just cleans out your system for you.

It also mentions

For 9x/ME users, obtain a clean copy of WIN.COM and overwrite the one
that was detected.

I assume this is what you're using.

You may have to do this:

http://support.microsoft.com/support/kb/articles/q136/6/30.asp

Creating a New Win.com File When You Cannot Start Windows


SYMPTOMS
When you try to start Windows 95/98, you may receive one of the following error messages and be returned to the MS-DOS prompt:

The following file is missing or corrupted: Win.com

The following file is missing or corrupted: Win.com Program too big to fit in memory

Cannot find Win.com, unable to continue loading Windows

Program too large

CAUSE
This issue can occur if the Win.com file is missing or damaged. Check the file to see if it is the correct size:

Windows 98: 24,791 bytes
Windows 95: 22,679 bytes
Windows 95 OEM Service Release 2: 24,503 bytes

RESOLUTION
Create a new Win.com file by extracting the Win.cnf file from your Windows disks or CD-ROM to the Windows folder, and then renaming it to Win.com. To do so, follow these steps:

Extract the Win.cnf file from your Windows disks or CD-ROM to the Windows folder. For information about how to do so, see the following article in the Microsoft Knowledge Base:
ARTICLE-ID: Q129605
TITLE : How to Extract Original Compressed Windows Files
NOTE: The Win.cnf file is in the following locations:

Disk 3 of the original Windows 95 disks

Win95_03.cab of the original Windows 95 CD-ROM

Win98_28.cab of the original Windows 98 CD-ROM

Win98_25.cab of the original Windows 98 Second Edition CD-ROM

Rename the Win.cnf file in the Windows folder to Win.com. To do so, type the following line, and then press ENTER:

ren c:\windows\win.cnf c:\windows\win.com

Restart your computer.

To extract it:

Start>Run, key in SFC and press enter. At the bottom of the dialog box select "Extract one file from the installation disk". Now key Win.cnf and click on Start. Insert your W98 CD or obviously skip this step if your W98 CD is loaded on the hard drive. If the "Restore From" box is empty, click on Browse and point it to the Win98 folder on the W98 CD in your CD-ROM drive or if you have no W98 CD try c:\windows\options\cabs. The "Save File To" should already be defaulted to c:\windows\system. Click on OK to restore it. You'll be prompted to backup the current one, just take the defaults. Then follow the prompts to restart the PC so the new copy of the file is loaded.

Regards

eddie
 

eddie5659

Moderator
Malware Specialist
Joined
Mar 19, 2001
Messages
37,484
max

I'm off in a bit..getting late. Do you want to take a look at it? I PM'd Rollin' but he's gone offline.

eddie
 