1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Zone Alarm Question

Discussion in 'All Other Software' started by TurnerUKTA, Jan 22, 2005.

Thread Status:
Not open for further replies.
Advertisement
  1. TurnerUKTA

    TurnerUKTA Thread Starter

    Joined:
    Jan 22, 2005
    Messages:
    125
    There is a pop up from zone alarm, which is asking me to allow defragfatz.exe to access the internet.

    Does this mean its trying to defrag?

    Thanks in advance.
     
  2. shadowcat

    shadowcat

    Joined:
    Oct 18, 2003
    Messages:
    1,280
    No. It sound like you may have picked up something nasty. I would scan your computer with an antivirus program with all definition updates. If you do not have one, then use Trend Micro’s House Call Online AV Scanner.

    Download Spybot Search & Destroy, Ad-Aware, and Hijack This.

    Install Adaware and Spybot -- update the definitions for each program before running.

    Reboot after using each program.

    Close all running programs and run HiJack This, click on "Do a system scan and save a log file".

    Open your saved log, copy it and paste it in this thread.
     
  3. TurnerUKTA

    TurnerUKTA Thread Starter

    Joined:
    Jan 22, 2005
    Messages:
    125
    I had originally posted it in a different forum, and i tried there procedures, so when i did the one u suggested, it found nothing so it all must be clean.
     
  4. TurnerUKTA

    TurnerUKTA Thread Starter

    Joined:
    Jan 22, 2005
    Messages:
    125
    Ive just ran hijack this and these are the results.

    Logfile of HijackThis v1.98.2
    Scan saved at 21:19:56, on 22/01/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\WINDOWS\System32\servoxt.exe
    C:\WINDOWS\System32\Super.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Winamp\Winampa.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\demo\My Documents\Software\HijackThis19802.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.solo.pipex.net/
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [blah service] servoxt.exe
    O4 - HKLM\..\Run: [Sygate Personal Firewall] Super.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\RunServices: [blah service] servoxt.exe
    O4 - HKLM\..\RunServices: [Sygate Personal Firewall] Super.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Sygate Personal Firewall] Super.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1106408568890
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3E6015F1-65A0-4AD3-8CEA-D8C87041FD91}: NameServer = 62.241.162.200 158.43.240.3
    O21 - SSODL: mtklefa - {83A7006F-A5BD-4571-0398-D474574A1643} - C:\WINDOWS\System32\mpsxr32.dll
    O21 - SSODL: mtkle - {D8C5EFBA-9EA8-42B7-41B2-D36D28B61A5D} - C:\WINDOWS\System32\qqnb32.dll
     
  5. Gazornenplat

    Gazornenplat

    Joined:
    Dec 30, 2004
    Messages:
    106
    You have the W32.Linkbot.H worm. Does no damage, but allows remote access. Get yourself the latest definition files for your AV, and it should remove it. If you don't have an up to date AV, try AVG which is free for personal use.

    Ian
     
  6. TurnerUKTA

    TurnerUKTA Thread Starter

    Joined:
    Jan 22, 2005
    Messages:
    125
    Is this the only thing i need to remove or do i have more problems?

    Thanks
     
  7. Gazornenplat

    Gazornenplat

    Joined:
    Dec 30, 2004
    Messages:
    106
  8. TOGG

    TOGG

    Joined:
    Apr 2, 2002
    Messages:
    5,912
    There are some odd looking entries in your log but I'm not an expert in these things. You should probably get the latest HJT version (1.99), run another scan and post that log.

    This is the Symantec description of Linkbot H;http://securityresponse.symantec.com/avcenter/venc/data/w32.linkbot.h.html If you are not up to date with your MS Updates, go and get the Critical ones as soon as you have got a real time antivirus. I don't think online scans are a good enough option, however often you may run them.

    I assume that, if you had auto updating enabled, you would have SP2 by now, whether you wanted it or not!

    Presumably only the ZA firewall is active?
     
  9. TurnerUKTA

    TurnerUKTA Thread Starter

    Joined:
    Jan 22, 2005
    Messages:
    125
    I dont have auotmatic updates on, so i dont have SP2.

    Also i finished running AVG and it found no viruses.

    Here is a new log from Hijack This after running AVG,

    Do i still have it?

    Logfile of HijackThis v1.98.2
    Scan saved at 22:30:12, on 22/01/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\WINDOWS\System32\servoxt.exe
    C:\WINDOWS\System32\Super.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Winamp\Winampa.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Grisoft\AVG Free\avgcc.exe
    C:\Program Files\Grisoft\AVG Free\avgemc.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\WINDOWS\System32\msdtc.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\demo\My Documents\Software\HijackThis19802.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.solo.pipex.net/
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [blah service] servoxt.exe
    O4 - HKLM\..\Run: [Sygate Personal Firewall] Super.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\RunServices: [blah service] servoxt.exe
    O4 - HKLM\..\RunServices: [Sygate Personal Firewall] Super.exe
    O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\System32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\demo\LOCALS~1\Temp\IXP000.TMP\"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Sygate Personal Firewall] Super.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1106408568890
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3E6015F1-65A0-4AD3-8CEA-D8C87041FD91}: NameServer = 62.241.162.200 158.43.240.3
    O21 - SSODL: mtklefa - {83A7006F-A5BD-4571-0398-D474574A1643} - C:\WINDOWS\System32\mpsxr32.dll
    O21 - SSODL: mtkle - {D8C5EFBA-9EA8-42B7-41B2-D36D28B61A5D} - C:\WINDOWS\System32\qqnb32.dll
     
  10. BillC

    BillC

    Joined:
    May 28, 2003
    Messages:
    2,366
    You should get rid of these as well

    O4 - HKLM\..\Run: [blah service] servoxt.exe
    O4 - HKLM\..\Run: [Sygate Personal Firewall] Super.exe


    You have two entries of the first one and three of the second one. Make sure you check all of them and have HJT fix them.

    Then locate and delete these two files:

    C:\WINDOWS\System32\servoxt.exe
    C:\WINDOWS\System32\Super.exe


    Empty your recycle bin and reboot.
     
  11. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/322250

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice