Zone Alarm Question

[TurnerUKTA]

There is a pop up from zone alarm, which is asking me to allow defragfatz.exe to access the internet.

Does this mean its trying to defrag?

Thanks in advance.

 

[shadowcat]

No. It sound like you may have picked up something nasty. I would scan your computer with an antivirus program with all definition updates. If you do not have one, then use Trend Micro’s House Call Online AV Scanner.

Download Spybot Search & Destroy, Ad-Aware, and Hijack This.

Install Adaware and Spybot -- update the definitions for each program before running.

Reboot after using each program.

Close all running programs and run HiJack This, click on "Do a system scan and save a log file".

Open your saved log, copy it and paste it in this thread.

 

[TurnerUKTA]

I had originally posted it in a different forum, and i tried there procedures, so when i did the one u suggested, it found nothing so it all must be clean.

 

[TurnerUKTA]

Ive just ran hijack this and these are the results.

Logfile of HijackThis v1.98.2
Scan saved at 21:19:56, on 22/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\servoxt.exe
C:\WINDOWS\System32\Super.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\demo\My Documents\Software\HijackThis19802.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.solo.pipex.net/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [blah service] servoxt.exe
O4 - HKLM\..\Run: [Sygate Personal Firewall] Super.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\RunServices: [blah service] servoxt.exe
O4 - HKLM\..\RunServices: [Sygate Personal Firewall] Super.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Sygate Personal Firewall] Super.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1106408568890
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E6015F1-65A0-4AD3-8CEA-D8C87041FD91}: NameServer = 62.241.162.200 158.43.240.3
O21 - SSODL: mtklefa - {83A7006F-A5BD-4571-0398-D474574A1643} - C:\WINDOWS\System32\mpsxr32.dll
O21 - SSODL: mtkle - {D8C5EFBA-9EA8-42B7-41B2-D36D28B61A5D} - C:\WINDOWS\System32\qqnb32.dll

 

[Gazornenplat]

You have the W32.Linkbot.H worm. Does no damage, but allows remote access. Get yourself the latest definition files for your AV, and it should remove it. If you don't have an up to date AV, try AVG which is free for personal use.

Ian

 

[TurnerUKTA]

Is this the only thing i need to remove or do i have more problems?

Thanks

 

[Gazornenplat]

Sorry, can't tell from here, but 'defragfatz.exe' indiacates theat virus. If you have that you have more. These two sites

http://free.grisoft.com/freeweb.php/doc/2/
http://www.avast.com/eng/down_home.html

offer free antivirus. I would download it, run it, and see waht, if any, problems you have after that.

Ian

 

[TOGG]

There are some odd looking entries in your log but I'm not an expert in these things. You should probably get the latest HJT version (1.99), run another scan and post that log.

This is the Symantec description of Linkbot H;http://securityresponse.symantec.com/avcenter/venc/data/w32.linkbot.h.html If you are not up to date with your MS Updates, go and get the Critical ones as soon as you have got a real time antivirus. I don't think online scans are a good enough option, however often you may run them.

I assume that, if you had auto updating enabled, you would have SP2 by now, whether you wanted it or not!

Presumably only the ZA firewall is active?

 

[TurnerUKTA]

I dont have auotmatic updates on, so i dont have SP2.

Also i finished running AVG and it found no viruses.

Here is a new log from Hijack This after running AVG,

Do i still have it?

Logfile of HijackThis v1.98.2
Scan saved at 22:30:12, on 22/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\servoxt.exe
C:\WINDOWS\System32\Super.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Grisoft\AVG Free\avgemc.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\demo\My Documents\Software\HijackThis19802.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.solo.pipex.net/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [blah service] servoxt.exe
O4 - HKLM\..\Run: [Sygate Personal Firewall] Super.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunServices: [blah service] servoxt.exe
O4 - HKLM\..\RunServices: [Sygate Personal Firewall] Super.exe
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\System32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\demo\LOCALS~1\Temp\IXP000.TMP\"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Sygate Personal Firewall] Super.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1106408568890
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E6015F1-65A0-4AD3-8CEA-D8C87041FD91}: NameServer = 62.241.162.200 158.43.240.3
O21 - SSODL: mtklefa - {83A7006F-A5BD-4571-0398-D474574A1643} - C:\WINDOWS\System32\mpsxr32.dll
O21 - SSODL: mtkle - {D8C5EFBA-9EA8-42B7-41B2-D36D28B61A5D} - C:\WINDOWS\System32\qqnb32.dll

 

[BillC]

You should get rid of these as well

O4 - HKLM\..\Run: [blah service] servoxt.exe
O4 - HKLM\..\Run: [Sygate Personal Firewall] Super.exe

You have two entries of the first one and three of the second one. Make sure you check all of them and have HJT fix them.

Then locate and delete these two files:

C:\WINDOWS\System32\servoxt.exe
C:\WINDOWS\System32\Super.exe

Empty your recycle bin and reboot.