
Zone Alarm Issue (possibly)

6041 Views 9 Replies 5 Participants Last post by  rhinestone
For the past few days, Zone Alarm is detecting programs named Object: ######## and process #### trying to access the internet. The #'s change every time, but they keep coming. At first I thought it was Zone Alarm, and reverted to a past copy. I also reverted PHP, which I had updated around the same time these started. Neither helped. The firewall asks for permission for the program when using different applications. Usually, it happens while using PHP, but it has happened once when using a VB client for a server my friend is developing. There's no specific script, and it happens only once in a while. Lately, it's gotten worse. I've scanned my entire computer for viruses and spyware (with Norton Antivirus 2002 and Ad-Aware 5). No viruses were detected, and clearing all spyware components (both registry and executables) did not solve the problem. At this point, I am really desperate for a solution. I'm using Zone Alarm Pro 3.5.166.

Since you'll probably ask me, here's the list that StartupList generated:

StartupList report, 1/24/2003, 5:40:12 PM
StartupList version: 1.51
Started from : C:\Documents and Settings\Admin\Desktop\StartupList.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\cisvc.exe
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\db\slserver52\bin\swagent.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\CFusionMX\db\slserver52\bin\swstrtr.exe
C:\CFusionMX\db\slserver52\bin\swsoc.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\IMail\IMAP4D32.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\IMail\iwebmsg.exe
C:\mysql\bin\mysqld-max-nt.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\IMail\POP3D32.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\IMail\smtpd32.exe
C:\Program Files\Cybiko\EZLoader\EZLoader.exe
C:\WINDOWS\System32\svchost.exe
C:\IMail\SYSLOGD.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\G6 FTP Server\G6FTPSrv.exe
C:\mysql\bin\winmysqladmin.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Abyss Web Server\abyssws.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Admin\Desktop\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Admin\Start Menu\Programs\Startup]
HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
BPFTP Server.lnk = C:\Program Files\G6 FTP Server\G6FTPSrv.exe
WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SystemTray = SysTray.Exe
AudioHQ = C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
Speed racer = C:\Program Files\Creative\PlayCenter\CTSRReg.exe
NAV Agent = C:\PROGRA~1\NORTON~1\navapw32.exe
CoolSwitch = C:\WINDOWS\System32\taskswitch.exe
TkBellExe = C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
AtiPTA = atiptaxx.exe
WebInstall2 = C:\DOCUME~1\Admin\LOCALS~1\Temp\ins1168.tmp /R /A
ADUserMon = C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
Iomega Startup Options = C:\Program Files\Iomega\Common\ImgStart.exe
Iomega Drive Icons = C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
Deskup = C:\Program Files\Iomega\DriveIcons\deskup.exe
EZLoader = C:\Program Files\Cybiko\EZLoader\EZLoader.exe /NoSplash
NeroCheck = C:\WINDOWS\system32\NeroCheck.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

AbyssWebServer = C:\Program Files\Abyss Web Server\abyssws.exe
ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job
Norton AntiVirus - Scan my computer.job

--------------------------------------------------

Enumerating Download Program Files:

[{018B7EC3-EECA-11D3-8E71-0000E82C6C0D}]
CODEBASE = http://download.internetfuel.com/ef1/freevideo.exe

[TDServer Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\TDSERVER.OCX
CODEBASE = http://161.58.211.148/wfplayer/tdserver.cab

[Yahoo! Vision]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YV.DLL
CODEBASE = http://download.yahoo.com/dl/fv/yv.cab

[LiveUpdate Crescendo]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CRES.OCX
CODEBASE = http://www.liveupdate.com/controls/getcab2.dll

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM32\MACROMED\DIRECTOR\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[TestX Class]
InProcServer32 = C:\WINDOWS\SYSTEM\PTESTX.DLL
CODEBASE = http://www.3dgreetings.com/Plugin/3DGreetings/PlayerX.CAB

[Yahoo! Audio Conferencing]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YACSCOM.DLL
CODEBASE = http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab

[RdxIE Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RDXIE.DLL
CODEBASE = http://207.188.17.23/13d2c4ec3e87b9801f16/netzip/RdxIE.cab

[{4248083C-9656-11D2-8B7F-00105A17847A}]
CODEBASE = http://downloads.mplayer.com/MplayerAutoInstaller.exe

[OPUCatalog Class]
InProcServer32 = C:\WINDOWS\SYSTEM32\opuc.dll
CODEBASE = http://office.microsoft.com/ProductUpdates/content/opuc.cab

[HbInstObj Class]
InProcServer32 = C:\Program Files\Hotbar\bin\HbInstIE.dll
CODEBASE = http://installs.hotbar.com/installs/hotbar/programs/hotbar.cab

[GigexCtrl ActiveX]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\GIGEXAGENT.DLL
CODEBASE = http://www.gigex.com/tv/igor/gigexagent.dll

[NetCtrl Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\AXTELNET.DLL
CODEBASE = http://www.nucleus.com/axtelnet/axtelnet.cab

[Microsoft HTML Layout Control 1.0]
InProcServer32 = C:\WINDOWS\SYSTEM32\isctrls.ocx
CODEBASE = http://activex.microsoft.com/activex/controls/mspert10.cab

[{8522F9B3-38C5-4AA4-AE40-7401F1BBC851}]
CODEBASE = http://www.cracks.st/mp3.exe

[InstallShield Setup Player]
InProcServer32 = c:\WINDOWS\DOWNLO~1\ISETUP.DLL
CODEBASE = http://www.installengine.com/engine/isetup.cab

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37576.3455671296

[YahooYMailTo Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ymmapi.dll
CODEBASE = http://download.yahoo.com/dl/mail/ymmapi.cab

[{A1DC3241-B122-195F-B21A-000000000000}]
CODEBASE = http://pluginaccess.com/Browser_Plugin.cab

[{A27CFCAE-9351-4D74-BFFC-21EB19693D8C}]
CODEBASE = http://www.xupiter.com/search2/install/XupiterToolbarLoader.cab

[WTHoster Class]
InProcServer32 = C:\WINDOWS\WT\WEBDRIVER\WTHOSTCTL.DLL
CODEBASE = http://www.wildtangent.com/install/wdriver/rpg/darkorbit/wildtangent/wtinst.cab

[SimCityX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\SIMCITYX.OCX
CODEBASE = http://simcity.ea.com/us/guide/classic/simcityx/SimCityX.cab

[Symantec RuFSI Registry Information Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab

[{CEBC955E-58AF-11D2-A30A-00A0C903492B}]
CODEBASE = http://windowsupdate.microsoft.com/R868/V31Controls/x86/w98/en/actsetup.cab

[plug Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CHARGI~1.DLL
CODEBASE = http://dist02.chargitdial.com/chargitplug.dll

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[NSUpdateLiteCtrl Class]
InProcServer32 = C:\WINDOWS\SYSTEM32\nsupdate.dll
CODEBASE = http://204.177.92.201/quickdl/NSupd9x.cab

[Microsoft Office Tools on the Web Control]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\OUTC.DLL
CODEBASE = http://dgl.microsoft.com/downloads/outc.cab

[Yahoo! WebCam Viewer Wrapper]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YVWRCTL.DLL
CODEBASE = http://chat.yahoo.com/cab/yvwrctl.cab

[IMViewerControl Class]
InProcServer32 = C:\WINDOWS\System32\CIMVIEW.dll
CODEBASE = http://companion.logitech.com/companion/logitech/ver1.3.0.2041/bin/imvid.cab

[Hotmail Attachments Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\HMAtchmt.ocx
CODEBASE = http://lw9fd.law9.hotmail.msn.com/activex/HMAtchmt.ocx

[ThingViewer Class]
CODEBASE = http://www.thingworld.com/download/ie/ThingViewer.cab

[Zoom Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ZACTIVEX.DLL
CODEBASE = http://www.zoomify.com/download/zoomify204.cab

[WildTangent Control]
InProcServer32 = C:\WINDOWS\WT\WEBDRIVER\WEBDRIVER.DLL
CODEBASE = http://www.wildtangent.com/install/wdriver/adrenaline/microsoft/wtinst.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: \??\C:\DOCUME~1\Admin\LOCALS~1\Temp\GLB1A2B.EXE||\??\C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe

--------------------------------------------------
End of report, 10,968 bytes
Report generated in 0.210 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

I took a screenshot which you can view here - http://www.tshastry.com/zonealarm.jpg. Does anyone have any insight or ideas?
I'm not an expert on HijackThis, but I do see you have Xupiter which is one of the nastiest of the nasty things on the web nowadays. Also you have Hotbar which is considered spyware.

It looks like there are some other suspicious things in there but hopefully Tony or one of the other experts will come along and check out the log.

I had the object thing a while back asking to connect to the internet, and I blocked it of course and never heard from it again. I did a Google search on it and didn't really find anything much. When I did a search for files and folders and found it, it said invalid date and 0 KB. I figured with 0 KB it couldn't do too much harm. Really got my curiosity up though.

I just looked at your screenshot and you have several things checked for server rights. I have read that nothing really should have server rights. I have not given any programs server rights and they all work fine without it.

Maybe someone else has input on that.

You got that right, I'd get rid of the Hotbar and Xupiter first and go from there.
Go here and download Spybot:
http://beam.to/spybotsd

Click the online button/search for updates and then run Spybot. This will tidy things up a little, then post another list.

I used Spybot and got rid of both (which Ad-Aware didn't detect), but it didn't help. I do run a server so some of my programs do need server rights. The issue suzi had with the object thing is the same one I'm having, only it won't stop. The file has an invalid date, no size, and no path. If it comes on while running a PHP script, then denying it access makes the PHP script fail to load.

Edit: Didn't see the last post, here's another list

StartupList report, 1/25/2003, 10:02:50 AM
StartupList version: 1.51
Started from : C:\Documents and Settings\Admin\My Documents\Programs\StartupList.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\db\slserver52\bin\swagent.exe
C:\CFusionMX\db\slserver52\bin\swstrtr.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\CFusionMX\db\slserver52\bin\swsoc.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\IMail\IMAP4D32.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\IMail\iwebmsg.exe
C:\mysql\bin\mysqld-max-nt.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\IMail\POP3D32.exe
C:\IMail\smtpd32.exe
C:\WINDOWS\System32\svchost.exe
C:\IMail\SYSLOGD.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Cybiko\EZLoader\EZLoader.exe
C:\Program Files\Abyss Web Server\abyssws.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\G6 FTP Server\G6FTPSrv.exe
C:\mysql\bin\winmysqladmin.exe
C:\WINDOWS\System32\ZoneLabs\vsmon.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Admin\My Documents\Programs\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Admin\Start Menu\Programs\Startup]
HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
BPFTP Server.lnk = C:\Program Files\G6 FTP Server\G6FTPSrv.exe
WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SystemTray = SysTray.Exe
AudioHQ = C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
Speed racer = C:\Program Files\Creative\PlayCenter\CTSRReg.exe
NAV Agent = C:\PROGRA~1\NORTON~1\navapw32.exe
CoolSwitch = C:\WINDOWS\System32\taskswitch.exe
TkBellExe = C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
AtiPTA = atiptaxx.exe
WebInstall2 = C:\DOCUME~1\Admin\LOCALS~1\Temp\ins1168.tmp /R /A
ADUserMon = C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
Iomega Startup Options = C:\Program Files\Iomega\Common\ImgStart.exe
Iomega Drive Icons = C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
Deskup = C:\Program Files\Iomega\DriveIcons\deskup.exe
EZLoader = C:\Program Files\Cybiko\EZLoader\EZLoader.exe /NoSplash
NeroCheck = C:\WINDOWS\system32\NeroCheck.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

AbyssWebServer = C:\Program Files\Abyss Web Server\abyssws.exe
ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job
Norton AntiVirus - Scan my computer.job

--------------------------------------------------

Enumerating Download Program Files:

[{018B7EC3-EECA-11D3-8E71-0000E82C6C0D}]
CODEBASE = http://download.internetfuel.com/ef1/freevideo.exe

[TDServer Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\TDSERVER.OCX
CODEBASE = http://161.58.211.148/wfplayer/tdserver.cab

[Yahoo! Vision]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YV.DLL
CODEBASE = http://download.yahoo.com/dl/fv/yv.cab

[LiveUpdate Crescendo]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CRES.OCX
CODEBASE = http://www.liveupdate.com/controls/getcab2.dll

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM32\MACROMED\DIRECTOR\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[TestX Class]
InProcServer32 = C:\WINDOWS\SYSTEM\PTESTX.DLL
CODEBASE = http://www.3dgreetings.com/Plugin/3DGreetings/PlayerX.CAB

[Yahoo! Audio Conferencing]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YACSCOM.DLL
CODEBASE = http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab

[RdxIE Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RDXIE.DLL
CODEBASE = http://207.188.17.23/13d2c4ec3e87b9801f16/netzip/RdxIE.cab

[{4248083C-9656-11D2-8B7F-00105A17847A}]
CODEBASE = http://downloads.mplayer.com/MplayerAutoInstaller.exe

[OPUCatalog Class]
InProcServer32 = C:\WINDOWS\SYSTEM32\opuc.dll
CODEBASE = http://office.microsoft.com/ProductUpdates/content/opuc.cab

[GigexCtrl ActiveX]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\GIGEXAGENT.DLL
CODEBASE = http://www.gigex.com/tv/igor/gigexagent.dll

[NetCtrl Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\AXTELNET.DLL
CODEBASE = http://www.nucleus.com/axtelnet/axtelnet.cab

[Microsoft HTML Layout Control 1.0]
InProcServer32 = C:\WINDOWS\SYSTEM32\isctrls.ocx
CODEBASE = http://activex.microsoft.com/activex/controls/mspert10.cab

[{8522F9B3-38C5-4AA4-AE40-7401F1BBC851}]
CODEBASE = http://www.cracks.st/mp3.exe

[InstallShield Setup Player]
InProcServer32 = c:\WINDOWS\DOWNLO~1\ISETUP.DLL
CODEBASE = http://www.installengine.com/engine/isetup.cab

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37576.3455671296

[YahooYMailTo Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ymmapi.dll
CODEBASE = http://download.yahoo.com/dl/mail/ymmapi.cab

[{A1DC3241-B122-195F-B21A-000000000000}]
CODEBASE = http://pluginaccess.com/Browser_Plugin.cab

[WTHoster Class]
InProcServer32 = C:\WINDOWS\WT\WEBDRIVER\WTHOSTCTL.DLL
CODEBASE = http://www.wildtangent.com/install/wdriver/rpg/darkorbit/wildtangent/wtinst.cab

[SimCityX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\SIMCITYX.OCX
CODEBASE = http://simcity.ea.com/us/guide/classic/simcityx/SimCityX.cab

[Symantec RuFSI Registry Information Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab

[{CEBC955E-58AF-11D2-A30A-00A0C903492B}]
CODEBASE = http://windowsupdate.microsoft.com/R868/V31Controls/x86/w98/en/actsetup.cab

[plug Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CHARGI~1.DLL
CODEBASE = http://dist02.chargitdial.com/chargitplug.dll

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[Microsoft Office Tools on the Web Control]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\OUTC.DLL
CODEBASE = http://dgl.microsoft.com/downloads/outc.cab

[Yahoo! WebCam Viewer Wrapper]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YVWRCTL.DLL
CODEBASE = http://chat.yahoo.com/cab/yvwrctl.cab

[IMViewerControl Class]
InProcServer32 = C:\WINDOWS\System32\CIMVIEW.dll
CODEBASE = http://companion.logitech.com/companion/logitech/ver1.3.0.2041/bin/imvid.cab

[Hotmail Attachments Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\HMAtchmt.ocx
CODEBASE = http://lw9fd.law9.hotmail.msn.com/activex/HMAtchmt.ocx

[ThingViewer Class]
CODEBASE = http://www.thingworld.com/download/ie/ThingViewer.cab

[Zoom Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ZACTIVEX.DLL
CODEBASE = http://www.zoomify.com/download/zoomify204.cab

[WildTangent Control]
InProcServer32 = C:\WINDOWS\WT\WEBDRIVER\WEBDRIVER.DLL
CODEBASE = http://www.wildtangent.com/install/wdriver/adrenaline/microsoft/wtinst.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: \??\C:\DOCUME~1\Admin\LOCALS~1\Temp\GLB1A2B.EXE|||A

--------------------------------------------------
End of report, 10,543 bytes
Report generated in 2.834 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

It just happened again after a long time. It didn't happen for half the day, but then came up again just now while using phpMyAdmin. Can someone please help?

rhinestone,

I'm at a loss now. You might try the forums at http://www.spywareinfo.com. Post your HijackThis log there.

Things are a little slower on the weekend with the posting but you will get help there eventually.

A lot of sites are still down due to the attack of the worm on the internet so things are not moving as quickly as usual. I wish I could help you, but it's beyond my level of knowledge.

You have so many unusual server applications there that it may be impossible for any of us to know what is legitimately connected to them.

However I do see one thing in those startups which still needs to be removed:

WebInstall2 = C:\DOCUME~1\Admin\LOCALS~1\Temp\ins1168.tmp /R /A

This is a leftover from a botched MovieNetworks install. It is evidently running something from the Temp files. If they've never been deleted, that might explain the lack of an error message.

To remove this entry run regedit and navigate to the key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Look in the right hand pane for the WebInstall2 entry and right click on that and delete it.

I would also go to Internet Options > Settings > View objects and remove all of those ActiveX objects not associated with major, recognizable vendors such as Microsoft, Yahoo, Macromedia, etc.
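The triage in the post above (a Run entry launching something out of a Temp folder, and Downloaded Program Files controls whose CODEBASE points at a bare IP address or an unrecognized vendor) can be applied to a StartupList report mechanically. The script below is an added example, not a tool from this thread or from the StartupList author; the embedded report is a constructed excerpt of the logs posted above, and the vendor allowlist is an assumption to be extended for your own environment.

```python
"""Offline triage of a StartupList-style report (added example, not from the thread)."""
import re
from urllib.parse import urlparse

# Assumption: a small allowlist of the "major, recognizable" vendors the post names.
TRUSTED_SUFFIXES = ("microsoft.com", "yahoo.com", "yimg.com", "macromedia.com", "symantec.com")
IP_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
TEMP_PATH = re.compile(r"\\(LOCALS~1\\)?Temp\\", re.IGNORECASE)

# Constructed excerpt of the report posted in this thread (not a full report).
SAMPLE_REPORT = r"""Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SystemTray = SysTray.Exe
NAV Agent = C:\PROGRA~1\NORTON~1\navapw32.exe
WebInstall2 = C:\DOCUME~1\Admin\LOCALS~1\Temp\ins1168.tmp /R /A

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe

--------------------------------------------------

Enumerating Download Program Files:

[TDServer Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\TDSERVER.OCX
CODEBASE = http://161.58.211.148/wfplayer/tdserver.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[{8522F9B3-38C5-4AA4-AE40-7401F1BBC851}]
CODEBASE = http://www.cracks.st/mp3.exe

[{A27CFCAE-9351-4D74-BFFC-21EB19693D8C}]
CODEBASE = http://www.xupiter.com/search2/install/XupiterToolbarLoader.cab

--------------------------------------------------

Windows NT 'Wininit.ini':
PendingFileRenameOperations: \??\C:\DOCUME~1\Admin\LOCALS~1\Temp\GLB1A2B.EXE|||A
"""


def run_entries(text):
    """Return (hive, value name, command) for every 'Autorun entries from Registry' section."""
    entries, hive, in_run = [], None, False
    for line in text.splitlines():
        if line.startswith("Autorun entries from Registry:"):
            in_run, hive = True, None
        elif in_run and line.startswith("----"):
            in_run = False
        elif in_run and hive is None and line.strip():
            hive = line.strip()                      # first non-blank line is the key path
        elif in_run and " = " in line:
            name, cmd = line.split(" = ", 1)
            entries.append((hive, name.strip(), cmd.strip()))
    return entries


def activex_entries(text):
    """Return dicts {name, inproc, codebase} from 'Enumerating Download Program Files'."""
    entries, cur, in_sec = [], None, False
    for line in text.splitlines():
        if line.startswith("Enumerating Download Program Files:"):
            in_sec = True
            continue
        if not in_sec:
            continue
        if line.startswith("----"):                  # section terminator
            break
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            cur = {"name": m.group(1), "inproc": None, "codebase": None}
            entries.append(cur)
        elif cur and line.startswith("InProcServer32 = "):
            cur["inproc"] = line.split(" = ", 1)[1].strip()
        elif cur and line.startswith("CODEBASE = "):
            cur["codebase"] = line.split(" = ", 1)[1].strip()
    return entries


def host_is_suspicious(codebase):
    """Reason string if the CODEBASE host is a bare IP or not an allowlisted vendor, else None."""
    host = (urlparse(codebase).hostname or "").lower()
    if IP_HOST.match(host):
        return "bare IP host"
    if not any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES):
        return "vendor not on allowlist"
    return None


def triage(text):
    """Collect (kind, location, detail) findings in report order."""
    findings = []
    for hive, name, cmd in run_entries(text):
        if TEMP_PATH.search(cmd):                    # Run value launching from a Temp folder
            findings.append(("run-from-temp", hive + "\\" + name, cmd))
    for e in activex_entries(text):
        why = host_is_suspicious(e["codebase"]) if e["codebase"] else "no CODEBASE"
        if why:
            findings.append(("activex", e["name"], "%s (%s)" % (e["codebase"], why)))
    m = re.search(r"PendingFileRenameOperations: (.+)", text)
    if m and TEMP_PATH.search(m.group(1)):           # rename/delete queued on a Temp file
        findings.append(("pending-rename-temp", "Wininit.ini", m.group(1).strip()))
    return findings


if __name__ == "__main__":
    for kind, where, detail in triage(SAMPLE_REPORT):
        print("%-20s %-45s %s" % (kind, where, detail))
```

Run against the excerpt, the script reports the WebInstall2 Run value, three ActiveX controls (the bare-IP TDServer CODEBASE plus the two unrecognized vendors) and the pending Temp rename; the Macromedia Flash control passes the allowlist. Feed it a saved report instead of `SAMPLE_REPORT` to triage a real machine.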

I went through my ActiveX plugins and found a few interesting ones. One led to mp3.exe, which I've always known is spyware. There were a few that had code bases with IPs and weird folder names, so I deleted them. An Object alert came up right before I opened up the ActiveX folder, so I don't know if it's been solved yet. I'm trying on spywareinfo.com to see if I can get some more help.