Annoyance on the loose

Discussion in 'privacy general' started by *Ari*, Dec 10, 2002.

Thread Status:
Not open for further replies.
  1. *Ari*

    *Ari* Registered Member

    Joined:
    Feb 15, 2002
    Posts:
    431
    Location:
    Finland
    Howdy folks,
    I have been up against one annoyance for the last few days: dialing up when Windows is still starting. I really tried to find out what is causing that stupidity, but finally I have to confess I failed. Startup folder, programs which are running, registry.....no viruses....everything seems to be alright. ZA is not blocking any program attempting to connect to the net either. So I need some advice. Thank you.


    StartupList report, 11.12.2002, 2:38:44
    StartupList version: 1.40.1
    Started from : C:\PROGRAM FILES\STARTUPMANAGER\STARTUPLIST.EXE
    Detected: Windows 98 Gold (Win9x 4.10.1998)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\OHJELMATIEDOSTOT\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\OHJELMATIEDOSTOT\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\REGPROT\REGPROT.EXE
    C:\OHJELMATIEDOSTOT\HIDEFOLDERS\HF.EXE
    C:\WINDOWS\ptsnoop.exe
    C:\OHJELMATIEDOSTOT\ZONE LABS\ZONEALARM\ZONEALARM.EXE
    C:\OHJELMATIEDOSTOT\GUIDESCOPE\GUIDE.EXE
    C:\OHJELMATIEDOSTOT\MSN MESSENGER\MSNMSGR.EXE
    C:\OHJELMATIEDOSTOT\OPERA\OPERA.EXE
    C:\WINDOWS\NOTEPAD.EXE
    C:\WINDOWS\SYSTEM\DLLHOST.EXE
    C:\PROGRAM FILES\STARTUPMANAGER\STARTUPLIST.EXE

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\WINDOWS\Käynnistä-valikko\Ohjelmat\Käynnistys]
    Reboot.exe
    WATCH.exe.lnk = C:\WINDOWS\TWAIN_32\A4S2600X\WATCH.exe

    Shell folders Common Startup:
    [C:\WINDOWS\All Users\Käynnistä-valikko\Ohjelmat\Käynnistys]
    ZoneAlarm.lnk = C:\Ohjelmatiedostot\Zone Labs\ZoneAlarm\zonealarm.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    AVG_CC = C:\OHJELMATIEDOSTOT\GRISOFT\AVG6\avgcc32.exe /startup
    SystemTray = SysTray.Exe
    StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE
    CountrySelection = pctptt.exe
    RegProt = c:\regprot\regprot.exe /start
    hf = C:\OHJELMATIEDOSTOT\HIDEFOLDERS\HF.EXE /s
    PTSNOOP = ptsnoop.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    Avgserv9.exe = C:\OHJELM~1\GRISOFT\AVG6\Avgserv9.exe
    TrueVector = C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}

    [PerUser_LinkBar_URLs] *
    StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

    [{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
    StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

    --------------------------------------------------

    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=
    run=

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\KAARET~1.SCR
    drivers=mmsystem.dll,power.drv,FSDID32.DLL

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 7/12/2002, 17:53:26)


    --------------------------------------------------

    C:\AUTOEXEC.BAT listing:

    REM --- By HiSpeed CD-ROM Drive installation program. 11/4/101 ---
    @C:\OHJELM~1\GRISOFT\AVG6\bootup.exe
    rem mode con codepage prepare=((850) C:\WINDOWS\COMMAND\ega.cpi)
    rem keyb su,,C:\WINDOWS\COMMAND\keyboard.sys
    mode con codepage prepare=((850) C:\WINDOWS\COMMAND\ega.cpi)
    mode con codepage select=850
    keyb su,,C:\WINDOWS\COMMAND\keyboard.sys

    --------------------------------------------------

    C:\CONFIG.SYS listing:

    Himem.sys
    EMM386.exe
    rem device=C:\WINDOWS\COMMAND\display.sys con=(ega,,1)
    ;REM --- By HiSpeed CD-ROM Drive installation program. 10/21/101 ---
    LASTDRIVE=Z
    REM --- By HiSpeed CD-ROM Drive installation program. 11/4/101 ---
    device=C:\WINDOWS\COMMAND\display.sys con=(ega,,1)
    Country=358,850,C:\WINDOWS\COMMAND\country.sys

    --------------------------------------------------

    C:\WINDOWS\DOSSTART.BAT listing:

    C:\WINDOWS\COMMAND\MSCDEX.EXE /D:MSCD000

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: not hidden (arrow overlay: NO!)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Verifying REGEDIT.EXE integrity:

    - Regedit.exe found in C:\WINDOWS
    - .reg open command is normal (regedit.exe %1)
    - Regedit.exe has no CompanyName property! It is either missing or named something else.
    - Regedit.exe has no OriginalFilename property! It is either missing or named something else.
    - Regedit.exe has no FileDescription property! It is either missing or named something else.

    Registry check failed!

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - C:\OHJELM~1\STARDO~1\SDIEINT.DLL - {FFFFFEF0-5B30-21D4-945D-000000000000}
    (no name) - C:\OHJELM~1\ODIGO\BIN\ODIGOBHO.DLL - {6754A456-BAD9-11D4-93D3-00B0D03A2F91}
    (no name) - C:\OHJELM~1\ADSHIELD\ADSHIELD\ADSHIELD.DLL - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F}

    --------------------------------------------------

    Enumerating Download Program Files:

    [CV3 Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\WUV3IS.DLL
    CODEBASE = http://windowsupdate.microsoft.com/R1044/V31Controls/x86/w98/fi/actsetup.cab

    [Live365Player Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PLAY365.DLL
    CODEBASE = http://www.live365.com/players/play365.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [HouseCall Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
    CODEBASE = http://a840.g.akamai.net/7/840/537/20000128/housecall.antivirus.com/housecall/xscan53.cab

    [Cameractl Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\CAMERA.OCX
    CODEBASE = http://www.lochness.scotland.net/push.cab

    [QuickTime Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [YInstStarter Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YINSTHELPER.DLL
    CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [Register Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\HWUTILS.DLL
    CODEBASE = http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.26/Hiwire.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37573.7085532407

    --------------------------------------------------
    End of report, 8 483 bytes
    Report generated in 0,129 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
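As an added example (not from the thread, and not part of the StartupList tool), here is a small Python parser for the report layout Ari posted above. It pulls out the Run/RunServices autoruns and the BHO lines and flags the two things worth a second look in such a report: an autorun written as a bare file name (resolved through the search path, so the entry does not pin down which file on disk runs) and a BHO registered without a display name. The excerpt it parses is a constructed cut-down of the report above.

```python
import re

# Constructed excerpt of the StartupList 1.40.1 report posted above (same layout, fewer lines).
SAMPLE_REPORT = r"""Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

AVG_CC = C:\OHJELMATIEDOSTOT\GRISOFT\AVG6\avgcc32.exe /startup
CountrySelection = pctptt.exe

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\OHJELM~1\ODIGO\BIN\ODIGOBHO.DLL - {6754A456-BAD9-11D4-93D3-00B0D03A2F91}
"""
AUTORUN_HDR = "Autorun entries from Registry:"
BHO_HDR = "Enumerating Browser Helper Objects:"
BHO_LINE = re.compile(r"^(.+?) - (.+?) - (\{[0-9A-Fa-f-]{36}\})$")


def parse_report(report):
    """Single pass: a section opens with a line ending in ':' and closes at a dashed line;
    the first body line of an autorun section is the registry key path."""
    autoruns, bhos, section, key = [], [], None, None
    for line in (l.strip() for l in report.splitlines()):
        if line.startswith("----"):
            section = None
        elif section is None and line.endswith(":"):
            section, key = line, None
        elif not line or section is None:
            continue
        elif section == AUTORUN_HDR and key is None:
            key = line
        elif section == AUTORUN_HDR:
            name, _, command = line.partition(" = ")
            autoruns.append((key, name, command))
        elif section == BHO_HDR and (m := BHO_LINE.match(line)):
            bhos.append(m.groups())
    return autoruns, bhos


def review_findings(report):
    """Entries to look at first: autoruns given as a bare file name (resolved through the
    search path, so the file on disk is not pinned down) and BHOs with no display name."""
    autoruns, bhos = parse_report(report)
    findings = [f"unqualified autorun: {name} = {cmd.split(' ', 1)[0]} ({key})"
                for key, name, cmd in autoruns if "\\" not in cmd.split(" ", 1)[0]]
    findings += [f"unnamed BHO {clsid}: {dll}" for name, dll, clsid in bhos if name == "(no name)"]
    return findings
```

Running `review_findings(SAMPLE_REPORT)` on the excerpt returns two findings: the bare `pctptt.exe` autorun and the unnamed Odigo BHO; the fully qualified AVG entry is not flagged.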
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Hi Krusty,

    First, a couple of background questions (the obvious ones, which I'm sure you have thought of already, but I have to ask ;) ).

    1. Have you installed or upgraded any software lately?

    2. How is your dial-up networking connectoid set, especially in the IE options screen (see image below)? If you set it to "Never dial a connection..." and reboot, does it still happen?

    3. When was your last virus/trojan scan, and with what tool?

    4. Are you still running Zone Alarm 3.1.395? Have you read the thread regarding the ZA auto-dial on bootup bug? See it here:

    https://www.wilderssecurity.com/showthread.php?t=3775

    Let us know the answers to these questions if you can. I'm sure people are looking over your StartupList even as we speak. :cool:

    Best Wishes,
    LowWaterMark
     


  3. *Ari*

    *Ari* Registered Member

    Joined:
    Feb 15, 2002
    Posts:
    431
    Location:
    Finland
    Hi LowWaterMark, and Thanx for your fast reply :)

    It really seems to be a ZA bug.....I have been searching through all the settings and for all possible trojans.....found nuttin; I use "AVG" and "Ants, Anti-Trojan". Yes indeed, now that I think of it, the annoyance appeared right after I updated ZA, but I couldn't figure out that it might just be good old ZA :p. In that case I might as well leave it the way it is, as long as it is not causing any other problems. It cannot get connected to the net anyway; the password is in my head only.

    Thank You again LowWaterMark

    -Ari
     
  4. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Well, hopefully Zone Labs will get that fix out soon. I know they have been working on it for a while now.

    Many people have found that if they set the "Never dial a connection" button, it stops ZA dialing on bootup. You may want to try that if you haven't already, even though you seem to have it under control... :cool:

    Best Wishes,
    LowWaterMark
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Krusty,

    Could you do me a favor?
    Please download BHODemon from: http://www.definitivesolutions.com/bhodemon.htm
    Run it and select this one:
    (no name) - C:\OHJELM~1\ODIGO\BIN\ODIGOBHO.DLL - {6754A456-BAD9-11D4-93D3-00B0D03A2F91}
    Click Details and More Details and let me know what it says.
    If you do not know to which program it belongs try disabling it in the Details screen. If you do know, I would like to know as well.
    Thanx in advance,

    Pieter
     
  6. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    http://www.odigo.org/ ?
     
  7. *Ari*

    *Ari* Registered Member

    Joined:
    Feb 15, 2002
    Posts:
    431
    Location:
    Finland
    Hello Pieter and Tony

    Odigo indeed, I use that IM occasionally, a nice feature to find people all over the world, but it's spyware, I know. The folders Cydoor, Adcache. I used to launch "Spyblocker" as Odigo's best friend; it really blocked ads from the server. Ok, here's the details.....By the way, I like this BHO feature very much. Not dialing anymore when starting up; I just disabled autodialing.

    -Ari

    Details for BHO C:\OHJELM~1\ODIGO\BIN\ODIGOBHO.DLL
    ----------------------------------------------------------------------------------------
    CLSID: {6754A456-BAD9-11D4-93D3-00B0D03A2F91}
    File Size (bytes): 53248
    Time Accessed: 2002/12/11 0:0:0
    Time Modified: 2001/2/18 10:23:28
    Time Created: 2002/7/8 2:31:51
    Drive Number: 2
    Comments: odigo browser dll
    CompanyName: Odigo
    FileDescription: OdigoBHO Module
    FileVersion: 1.0
    InternalName: OdigoBHO
    LegalCopyright: Copyright 2000
    LegalTrademarks: 
    OLESelfRegister: (
    OriginalFilename: OdigoBHO.DLL
    PrivateBuild: 100
    ProductName: OdigoBHO Module
    ProductVersion: 3.0
    SpecialBuild: $
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Thnx Krusty, for providing that info.
    This BHO was not on Tony's list yet.
    I'm guessing it will be after the next update ;)

    Regards,

    Pieter
     
  9. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Oh yes, it will! :D
     
  10. *Ari*

    *Ari* Registered Member

    Joined:
    Feb 15, 2002
    Posts:
    431
    Location:
    Finland
    LOL, how funny, definitivesolutions.com uses leader.linkexchange.com services and my proxy blocked the banner. Ziff Davis uses doubleclick services :D
    Why is that, I wonder; blocking those ads makes my browser jam sometimes.....bad services....

    -Ari

    besides Ziff D has been spamming me some time

    Now I typed rubbish :oops: It wasn't Ziff Davis .....but : http://www.pcmag.com/
     