
Zone Alarm Issue (possibly)

Discussion in 'Virus & Other Malware Removal' started by rhinestone, Jan 24, 2003.

Thread Status:
Not open for further replies.
  1. rhinestone

    rhinestone Thread Starter

    Joined:
    Jan 24, 2003
    Messages:
    4
    For the past few days, Zone Alarm is detecting programs named Object: ######## and process #### trying to access the internet. The #'s change every time, but they keep coming. At first I thought it was Zone Alarm, and reverted to a past copy. I also reverted PHP, which I had updated around the same time these started. Neither helped. The firewall asks for permission for the program when using different applications. Usually, it happens while using PHP, but it has happened once when using a VB client for a server my friend is developing. There's no specific script, and it happens only once in a while. Lately, it's gotten worse. I've scanned my entire computer for viruses and spyware (with Norton Antivirus 2002 and Ad-Aware 5). No viruses were detected, and clearing all spyware components (both registry and executables) did not solve the problem. At this point, I am really desperate for a solution. I'm using Zone Alarm Pro 3.5.166.

    Since you'll probably ask me, here's the list that StartupList generated:

    StartupList report, 1/24/2003, 5:40:12 PM
    StartupList version: 1.51
    Started from : C:\Documents and Settings\Admin\Desktop\StartupList.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\cisvc.exe
    C:\CFusionMX\runtime\bin\jrunsvc.exe
    C:\CFusionMX\db\slserver52\bin\swagent.exe
    C:\CFusionMX\runtime\bin\jrun.exe
    C:\CFusionMX\db\slserver52\bin\swstrtr.exe
    C:\CFusionMX\db\slserver52\bin\swsoc.exe
    C:\WINDOWS\System32\CTSvcCDA.exe
    C:\IMail\IMAP4D32.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\IMail\iwebmsg.exe
    C:\mysql\bin\mysqld-max-nt.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\IMail\POP3D32.exe
    C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\WINDOWS\System32\taskswitch.exe
    C:\WINDOWS\System32\atiptaxx.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\IMail\smtpd32.exe
    C:\Program Files\Cybiko\EZLoader\EZLoader.exe
    C:\WINDOWS\System32\svchost.exe
    C:\IMail\SYSLOGD.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\tlntsvr.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Handspring\HOTSYNC.EXE
    C:\Program Files\G6 FTP Server\G6FTPSrv.exe
    C:\mysql\bin\winmysqladmin.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\Program Files\Abyss Web Server\abyssws.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Trillian\trillian.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Admin\Desktop\StartupList.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\Admin\Start Menu\Programs\Startup]
    HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
    BPFTP Server.lnk = C:\Program Files\G6 FTP Server\G6FTPSrv.exe
    WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
    Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    SystemTray = SysTray.Exe
    AudioHQ = C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    Speed racer = C:\Program Files\Creative\PlayCenter\CTSRReg.exe
    NAV Agent = C:\PROGRA~1\NORTON~1\navapw32.exe
    CoolSwitch = C:\WINDOWS\System32\taskswitch.exe
    TkBellExe = C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    AtiPTA = atiptaxx.exe
    WebInstall2 = C:\DOCUME~1\Admin\LOCALS~1\Temp\ins1168.tmp /R /A
    ADUserMon = C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    Iomega Startup Options = C:\Program Files\Iomega\Common\ImgStart.exe
    Iomega Drive Icons = C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    Deskup = C:\Program Files\Iomega\DriveIcons\deskup.exe
    EZLoader = C:\Program Files\Cybiko\EZLoader\EZLoader.exe /NoSplash
    NeroCheck = C:\WINDOWS\system32\NeroCheck.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    AbyssWebServer = C:\Program Files\Abyss Web Server\abyssws.exe
    ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Symantec NetDetect.job
    Norton AntiVirus - Scan my computer.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [{018B7EC3-EECA-11D3-8E71-0000E82C6C0D}]
    CODEBASE = http://download.internetfuel.com/ef1/freevideo.exe

    [TDServer Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\TDSERVER.OCX
    CODEBASE = http://161.58.211.148/wfplayer/tdserver.cab

    [Yahoo! Vision]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YV.DLL
    CODEBASE = http://download.yahoo.com/dl/fv/yv.cab

    [LiveUpdate Crescendo]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\CRES.OCX
    CODEBASE = http://www.liveupdate.com/controls/getcab2.dll

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\SYSTEM32\MACROMED\DIRECTOR\SwDir.dll
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [TestX Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\PTESTX.DLL
    CODEBASE = http://www.3dgreetings.com/Plugin/3DGreetings/PlayerX.CAB

    [Yahoo! Audio Conferencing]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YACSCOM.DLL
    CODEBASE = http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab

    [Symantec AntiVirus scanner]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
    CODEBASE = http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab

    [RdxIE Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RDXIE.DLL
    CODEBASE = http://207.188.17.23/13d2c4ec3e87b9801f16/netzip/RdxIE.cab

    [{4248083C-9656-11D2-8B7F-00105A17847A}]
    CODEBASE = http://downloads.mplayer.com/MplayerAutoInstaller.exe

    [OPUCatalog Class]
    InProcServer32 = C:\WINDOWS\SYSTEM32\opuc.dll
    CODEBASE = http://office.microsoft.com/ProductUpdates/content/opuc.cab

    [HbInstObj Class]
    InProcServer32 = C:\Program Files\Hotbar\bin\HbInstIE.dll
    CODEBASE = http://installs.hotbar.com/installs/hotbar/programs/hotbar.cab

    [GigexCtrl ActiveX]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\GIGEXAGENT.DLL
    CODEBASE = http://www.gigex.com/tv/igor/gigexagent.dll

    [NetCtrl Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\AXTELNET.DLL
    CODEBASE = http://www.nucleus.com/axtelnet/axtelnet.cab

    [Microsoft HTML Layout Control 1.0]
    InProcServer32 = C:\WINDOWS\SYSTEM32\isctrls.ocx
    CODEBASE = http://activex.microsoft.com/activex/controls/mspert10.cab

    [{8522F9B3-38C5-4AA4-AE40-7401F1BBC851}]
    CODEBASE = http://www.cracks.st/mp3.exe

    [InstallShield Setup Player]
    InProcServer32 = c:\WINDOWS\DOWNLO~1\ISETUP.DLL
    CODEBASE = http://www.installengine.com/engine/isetup.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37576.3455671296

    [YahooYMailTo Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ymmapi.dll
    CODEBASE = http://download.yahoo.com/dl/mail/ymmapi.cab

    [{A1DC3241-B122-195F-B21A-000000000000}]
    CODEBASE = http://pluginaccess.com/Browser_Plugin.cab

    [{A27CFCAE-9351-4D74-BFFC-21EB19693D8C}]
    CODEBASE = http://www.xupiter.com/search2/install/XupiterToolbarLoader.cab

    [WTHoster Class]
    InProcServer32 = C:\WINDOWS\WT\WEBDRIVER\WTHOSTCTL.DLL
    CODEBASE = http://www.wildtangent.com/install/wdriver/rpg/darkorbit/wildtangent/wtinst.cab

    [SimCityX Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\SIMCITYX.OCX
    CODEBASE = http://simcity.ea.com/us/guide/classic/simcityx/SimCityX.cab

    [Symantec RuFSI Registry Information Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
    CODEBASE = http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab

    [{CEBC955E-58AF-11D2-A30A-00A0C903492B}]
    CODEBASE = http://windowsupdate.microsoft.com/R868/V31Controls/x86/w98/en/actsetup.cab

    [plug Class]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\CHARGI~1.DLL
    CODEBASE = http://dist02.chargitdial.com/chargitplug.dll

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [NSUpdateLiteCtrl Class]
    InProcServer32 = C:\WINDOWS\SYSTEM32\nsupdate.dll
    CODEBASE = http://204.177.92.201/quickdl/NSupd9x.cab

    [Microsoft Office Tools on the Web Control]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\OUTC.DLL
    CODEBASE = http://dgl.microsoft.com/downloads/outc.cab

    [Yahoo! WebCam Viewer Wrapper]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YVWRCTL.DLL
    CODEBASE = http://chat.yahoo.com/cab/yvwrctl.cab

    [IMViewerControl Class]
    InProcServer32 = C:\WINDOWS\System32\CIMVIEW.dll
    CODEBASE = http://companion.logitech.com/companion/logitech/ver1.3.0.2041/bin/imvid.cab

    [Hotmail Attachments Control]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\HMAtchmt.ocx
    CODEBASE = http://lw9fd.law9.hotmail.msn.com/activex/HMAtchmt.ocx

    [ThingViewer Class]
    CODEBASE = http://www.thingworld.com/download/ie/ThingViewer.cab

    [Zoom Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ZACTIVEX.DLL
    CODEBASE = http://www.zoomify.com/download/zoomify204.cab

    [WildTangent Control]
    InProcServer32 = C:\WINDOWS\WT\WEBDRIVER\WEBDRIVER.DLL
    CODEBASE = http://www.wildtangent.com/install/wdriver/adrenaline/microsoft/wtinst.cab

    --------------------------------------------------

    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: \??\C:\DOCUME~1\Admin\LOCALS~1\Temp\GLB1A2B.EXE||\??\C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe


    --------------------------------------------------
    End of report, 10,968 bytes
    Report generated in 0.210 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only

    I took a screenshot which you can view here - http://www.tshastry.com/zonealarm.jpg. Does anyone have any insight or ideas?
     
  2. suzi

    suzi

    Joined:
    Dec 27, 2002
    Messages:
    362
    I'm not an expert on HijackThis, but I do see you have Xupiter which is one of the nastiest of the nasty things on the web nowadays. Also you have Hotbar which is considered spyware.

    It looks like there are some other suspicious things in there but hopefully Tony or one of the other experts will come along and check out the log.

    I had the object thing a while back asking to connect to the internet, and I blocked it of course and never heard from it again. I did a Google search on it and didn't really find anything much. When I did a search for files and folders and found it, it said invalid date and 0 kb. I figured with 0 kb it couldn't do too much harm. Really got my curiosity up though.
     
  3. suzi

    suzi

    Joined:
    Dec 27, 2002
    Messages:
    362
    I just looked at your screenshot and you have several things checked for server rights. I have read that nothing really should have server rights. I have not given any programs server rights and they all work fine without it.

    Maybe someone else has input on that.
     
  4. Del

    Del

    Joined:
    Aug 31, 2001
    Messages:
    3,452
    You got that right, I'd get rid of the Hotbar and Xupiter first and go from there.
     
  5. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    go here and download spybot:
    http://beam.to/spybotsd

    Click the online button/search for updates and then run Spybot. This will tidy things up a little, then post another list.
     
  6. rhinestone

    rhinestone Thread Starter

    Joined:
    Jan 24, 2003
    Messages:
    4
    I used SpyBot and got rid of both (which Ad-Aware didn't detect), but it didn't help. I do run a server so some of my programs do need server rights. The issue suzi had with the object thing is the same one I'm having, only it won't stop. The file has an invalid date, no size, and no path. If it comes on while running a PHP script, then denying it access makes the PHP script fail to load.

    Edit: Didn't see the last post, here's another list

    StartupList report, 1/25/2003, 10:02:50 AM
    StartupList version: 1.51
    Started from : C:\Documents and Settings\Admin\My Documents\Programs\StartupList.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\CFusionMX\runtime\bin\jrunsvc.exe
    C:\CFusionMX\db\slserver52\bin\swagent.exe
    C:\CFusionMX\db\slserver52\bin\swstrtr.exe
    C:\CFusionMX\runtime\bin\jrun.exe
    C:\CFusionMX\db\slserver52\bin\swsoc.exe
    C:\WINDOWS\System32\CTSvcCDA.exe
    C:\IMail\IMAP4D32.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\IMail\iwebmsg.exe
    C:\mysql\bin\mysqld-max-nt.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\IMail\POP3D32.exe
    C:\IMail\smtpd32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\IMail\SYSLOGD.exe
    C:\WINDOWS\System32\tlntsvr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\WINDOWS\System32\taskswitch.exe
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\WINDOWS\System32\atiptaxx.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\Program Files\Cybiko\EZLoader\EZLoader.exe
    C:\Program Files\Abyss Web Server\abyssws.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    C:\Program Files\Handspring\HOTSYNC.EXE
    C:\Program Files\G6 FTP Server\G6FTPSrv.exe
    C:\mysql\bin\winmysqladmin.exe
    C:\WINDOWS\System32\ZoneLabs\vsmon.exe
    C:\Program Files\Trillian\trillian.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Admin\My Documents\Programs\StartupList.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\Admin\Start Menu\Programs\Startup]
    HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
    BPFTP Server.lnk = C:\Program Files\G6 FTP Server\G6FTPSrv.exe
    WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
    Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    SystemTray = SysTray.Exe
    AudioHQ = C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    Speed racer = C:\Program Files\Creative\PlayCenter\CTSRReg.exe
    NAV Agent = C:\PROGRA~1\NORTON~1\navapw32.exe
    CoolSwitch = C:\WINDOWS\System32\taskswitch.exe
    TkBellExe = C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    AtiPTA = atiptaxx.exe
    WebInstall2 = C:\DOCUME~1\Admin\LOCALS~1\Temp\ins1168.tmp /R /A
    ADUserMon = C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    Iomega Startup Options = C:\Program Files\Iomega\Common\ImgStart.exe
    Iomega Drive Icons = C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    Deskup = C:\Program Files\Iomega\DriveIcons\deskup.exe
    EZLoader = C:\Program Files\Cybiko\EZLoader\EZLoader.exe /NoSplash
    NeroCheck = C:\WINDOWS\system32\NeroCheck.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    AbyssWebServer = C:\Program Files\Abyss Web Server\abyssws.exe
    ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Symantec NetDetect.job
    Norton AntiVirus - Scan my computer.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [{018B7EC3-EECA-11D3-8E71-0000E82C6C0D}]
    CODEBASE = http://download.internetfuel.com/ef1/freevideo.exe

    [TDServer Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\TDSERVER.OCX
    CODEBASE = http://161.58.211.148/wfplayer/tdserver.cab

    [Yahoo! Vision]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YV.DLL
    CODEBASE = http://download.yahoo.com/dl/fv/yv.cab

    [LiveUpdate Crescendo]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\CRES.OCX
    CODEBASE = http://www.liveupdate.com/controls/getcab2.dll

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\SYSTEM32\MACROMED\DIRECTOR\SwDir.dll
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [TestX Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\PTESTX.DLL
    CODEBASE = http://www.3dgreetings.com/Plugin/3DGreetings/PlayerX.CAB

    [Yahoo! Audio Conferencing]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YACSCOM.DLL
    CODEBASE = http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab

    [Symantec AntiVirus scanner]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
    CODEBASE = http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab

    [RdxIE Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RDXIE.DLL
    CODEBASE = http://207.188.17.23/13d2c4ec3e87b9801f16/netzip/RdxIE.cab

    [{4248083C-9656-11D2-8B7F-00105A17847A}]
    CODEBASE = http://downloads.mplayer.com/MplayerAutoInstaller.exe

    [OPUCatalog Class]
    InProcServer32 = C:\WINDOWS\SYSTEM32\opuc.dll
    CODEBASE = http://office.microsoft.com/ProductUpdates/content/opuc.cab

    [GigexCtrl ActiveX]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\GIGEXAGENT.DLL
    CODEBASE = http://www.gigex.com/tv/igor/gigexagent.dll

    [NetCtrl Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\AXTELNET.DLL
    CODEBASE = http://www.nucleus.com/axtelnet/axtelnet.cab

    [Microsoft HTML Layout Control 1.0]
    InProcServer32 = C:\WINDOWS\SYSTEM32\isctrls.ocx
    CODEBASE = http://activex.microsoft.com/activex/controls/mspert10.cab

    [{8522F9B3-38C5-4AA4-AE40-7401F1BBC851}]
    CODEBASE = http://www.cracks.st/mp3.exe

    [InstallShield Setup Player]
    InProcServer32 = c:\WINDOWS\DOWNLO~1\ISETUP.DLL
    CODEBASE = http://www.installengine.com/engine/isetup.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37576.3455671296

    [YahooYMailTo Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ymmapi.dll
    CODEBASE = http://download.yahoo.com/dl/mail/ymmapi.cab

    [{A1DC3241-B122-195F-B21A-000000000000}]
    CODEBASE = http://pluginaccess.com/Browser_Plugin.cab

    [WTHoster Class]
    InProcServer32 = C:\WINDOWS\WT\WEBDRIVER\WTHOSTCTL.DLL
    CODEBASE = http://www.wildtangent.com/install/wdriver/rpg/darkorbit/wildtangent/wtinst.cab

    [SimCityX Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\SIMCITYX.OCX
    CODEBASE = http://simcity.ea.com/us/guide/classic/simcityx/SimCityX.cab

    [Symantec RuFSI Registry Information Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
    CODEBASE = http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab

    [{CEBC955E-58AF-11D2-A30A-00A0C903492B}]
    CODEBASE = http://windowsupdate.microsoft.com/R868/V31Controls/x86/w98/en/actsetup.cab

    [plug Class]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\CHARGI~1.DLL
    CODEBASE = http://dist02.chargitdial.com/chargitplug.dll

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [Microsoft Office Tools on the Web Control]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\OUTC.DLL
    CODEBASE = http://dgl.microsoft.com/downloads/outc.cab

    [Yahoo! WebCam Viewer Wrapper]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YVWRCTL.DLL
    CODEBASE = http://chat.yahoo.com/cab/yvwrctl.cab

    [IMViewerControl Class]
    InProcServer32 = C:\WINDOWS\System32\CIMVIEW.dll
    CODEBASE = http://companion.logitech.com/companion/logitech/ver1.3.0.2041/bin/imvid.cab

    [Hotmail Attachments Control]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\HMAtchmt.ocx
    CODEBASE = http://lw9fd.law9.hotmail.msn.com/activex/HMAtchmt.ocx

    [ThingViewer Class]
    CODEBASE = http://www.thingworld.com/download/ie/ThingViewer.cab

    [Zoom Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ZACTIVEX.DLL
    CODEBASE = http://www.zoomify.com/download/zoomify204.cab

    [WildTangent Control]
    InProcServer32 = C:\WINDOWS\WT\WEBDRIVER\WEBDRIVER.DLL
    CODEBASE = http://www.wildtangent.com/install/wdriver/adrenaline/microsoft/wtinst.cab

    --------------------------------------------------

    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: \??\C:\DOCUME~1\Admin\LOCALS~1\Temp\GLB1A2B.EXE|||A

    --------------------------------------------------
    End of report, 10,543 bytes
    Report generated in 2.834 seconds

     
  7. rhinestone

    rhinestone Thread Starter

    Joined:
    Jan 24, 2003
    Messages:
    4
    It just happened again after a long time. Didn't happen for half the day, but then came up again now while using phpMyAdmin. Can someone please help?
     
  8. suzi

    suzi

    Joined:
    Dec 27, 2002
    Messages:
    362
    rhinestone,

    I'm at a loss now. You might try the forums at http://www.spywareinfo.com. Post your HijackThis log there.

    Things are a little slower on the weekend with the posting but you will get help there eventually.

    A lot of sites are still down due to the attack of the worm on the internet so things are not moving as quickly as usual. I wish I could help you, but it's beyond my level of knowledge.
     
  9. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    You have so many unusual server applications there that it may be impossible for any of us to know what is legitimately connected to them.

    However I do see one thing in those startups which still needs to be removed:

    WebInstall2 = C:\DOCUME~1\Admin\LOCALS~1\Temp\ins1168.tmp /R /A

    This is a left over from a botched MovieNetworks install. It is evidently running something from the Temp files. If they've never been deleted that might explain the lack of an error message.

    To remove this entry run regedit and navigate to the key:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Look in the right hand pane for the WebInstall2 entry and right click on that and delete it.

    I would also go to Internet Options > Settings > View objects and remove all of those ActiveX objects not associated with major, recognizable vendors such as Microsoft, Yahoo, Macromedia, etc...
     
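The triage Rollin' Rog describes above (a Run entry launching from the Temp folder, ActiveX objects whose CODEBASE is not from a recognizable vendor) can be applied mechanically to a StartupList report rather than by eye. The script below is an added example by the editor, not code from the thread or from the StartupList tool. Its vendor allow-list and the two extra heuristics (a CODEBASE host that is a raw IP address, and a CODEBASE that is a bare .exe rather than a .cab) are the editor's assumptions; the sample report is a handful of lines excerpted from the logs posted above, not a complete report.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Vendor domains treated as "recognizable" (editor's assumption; extend to taste).
TRUSTED_CODEBASE_DOMAINS = (
    "microsoft.com", "yahoo.com", "yimg.com", "macromedia.com", "symantec.com",
)

# Sample input: lines excerpted from the StartupList reports posted in this
# thread (one Run key entry and four Downloaded Program Files entries).
SAMPLE_REPORT = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NAV Agent = C:\PROGRA~1\NORTON~1\navapw32.exe
WebInstall2 = C:\DOCUME~1\Admin\LOCALS~1\Temp\ins1168.tmp /R /A

--------------------------------------------------

Enumerating Download Program Files:

[TDServer Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\TDSERVER.OCX
CODEBASE = http://161.58.211.148/wfplayer/tdserver.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[{8522F9B3-38C5-4AA4-AE40-7401F1BBC851}]
CODEBASE = http://www.cracks.st/mp3.exe

[{A27CFCAE-9351-4D74-BFFC-21EB19693D8C}]
CODEBASE = http://www.xupiter.com/search2/install/XupiterToolbarLoader.cab
"""


def parse_report(text):
    """Parse the two StartupList sections that matter for this triage.

    Returns (run_entries, dpf_entries):
      run_entries: list of (registry_key, value_name, command_line)
      dpf_entries: list of dicts {name, inproc, codebase} for each ActiveX control
    """
    run_entries, dpf_entries = [], []
    section = None        # "run", "dpf" or None
    current_key = None    # registry key the Run entries belong to
    current_dpf = None    # control currently being filled in
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Autorun entries from Registry:"):
            section, current_key = "run", None
            continue
        if line.startswith("Enumerating Download Program Files:"):
            section = "dpf"
            continue
        if line.startswith("----"):            # section separator
            if current_dpf:
                dpf_entries.append(current_dpf)
                current_dpf = None
            section = None
            continue
        if section == "run":
            if current_key is None and line.upper().startswith(("HKLM\\", "HKCU\\")):
                current_key = line
            elif " = " in line:
                name, cmd = line.split(" = ", 1)
                run_entries.append((current_key, name, cmd))
        elif section == "dpf":
            m = re.fullmatch(r"\[(.+)\]", line)
            if m:
                if current_dpf:
                    dpf_entries.append(current_dpf)
                current_dpf = {"name": m.group(1), "inproc": None, "codebase": None}
            elif current_dpf and line.startswith("InProcServer32 = "):
                current_dpf["inproc"] = line.split(" = ", 1)[1]
            elif current_dpf and line.startswith("CODEBASE = "):
                current_dpf["codebase"] = line.split(" = ", 1)[1]
    if current_dpf:
        dpf_entries.append(current_dpf)
    return run_entries, dpf_entries


def _host_is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def _trusted_host(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_CODEBASE_DOMAINS)


def triage(text):
    """Return (section, entry_name, reason) findings for the suspicious entries."""
    findings = []
    run_entries, dpf_entries = parse_report(text)
    for _key, name, cmd in run_entries:
        exe = cmd.split(" /", 1)[0].strip()          # drop switches such as "/R /A"
        if re.search(r"\\temp\\", exe, re.I) or exe.lower().endswith(".tmp"):
            findings.append(("Run", name, "autorun launches from a Temp directory / .tmp file"))
    for d in dpf_entries:
        cb = d["codebase"]
        if not cb:
            continue
        parsed = urlparse(cb)
        host = parsed.hostname or ""
        if _host_is_ip(host):
            findings.append(("DPF", d["name"], f"CODEBASE host is a raw IP address ({host})"))
        elif not _trusted_host(host):
            findings.append(("DPF", d["name"], f"CODEBASE host not on vendor allow-list ({host})"))
        if parsed.path.lower().endswith(".exe"):
            findings.append(("DPF", d["name"], "CODEBASE points at a bare .exe rather than a .cab"))
    return findings


if __name__ == "__main__":
    for section, name, reason in triage(SAMPLE_REPORT):
        print(f"[{section}] {name}: {reason}")
```

Run against the excerpt, the script flags exactly the entries the thread singles out (WebInstall2 running from Temp, the raw-IP TDServer control, mp3.exe, the Xupiter loader) and leaves the Norton and Macromedia entries alone. It only narrows the list for a human to review; an allow-listed domain says nothing about whether that control should still be installed.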
  10. rhinestone

    rhinestone Thread Starter

    Joined:
    Jan 24, 2003
    Messages:
    4
    I went through my ActiveX plugins and found a few interesting ones. One led to mp3.exe, which I've always known is spyware. There were a few that had code bases with IPs and weird folder names, so I deleted them. An Object alert came up right before I opened up the ActiveX folder, so I don't know if it's been solved yet. I'm trying on spywareinfo.com to see if I can get some more help.
     
Short URL to this thread: https://techguy.org/115171