InstallShield Update

Discussion in 'other software & services' started by BeenBit, Apr 2, 2004.

Thread Status:
Not open for further replies.
  1. BeenBit

    BeenBit Registered Member

    Joined:
    Jul 5, 2003
    Posts:
    24
    I recently installed Zone Alarm on my computer. An alert keeps popping up telling me that "InstallShield Update Service" is trying to connect to the internet.

    Can someone tell me if this is a good program that I want to allow to work, or is this some type of nightmare? I've tried to find out more about the program (and have even gone to the website), but as a newbie I really don't know for a fact that it's being used for something beneficial.

    I haven't noticed any difference in the operation of the computer, but . . .

    Thanks!

     
  2. dangitall

    dangitall Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    430
    Location:
    New Hamster, USA
    Mornin', BeenBit -

    It would all depend on what program is behind that request to connect. As someone else said in another thread, when in doubt - deny. After you've denied the access request (do NOT check the 'Always Remember ...' checkbox, at least not yet), then you can sit down and try to determine just which of your programs is set to auto-update and is responsible for the request.

    Once you've found the source of the request, you can make the choice as to whether or not you want to always allow, or disallow, the request using the 'Always Remember ...' checkbox.

    Hope this helps.
     
  3. BeenBit

    BeenBit Registered Member

    Joined:
    Jul 5, 2003
    Posts:
    24
    Thanks Dangitall! I have been denying access and then waiting with bated breath to see if something bad happens to a good program.

    In your reply, you say:

    After you've denied the access request, then you can sit down and try to determine just which of your programs is set to auto-update and is responsible for the request.

    Other than luck, is there a good way to find out specifically which program is using InstallShield?

    Thanks for the help!

    :)
     
  4. RedLobster

    RedLobster Guest

    Looks like you may have zone alarm set to CHECK FOR UPDATE..(of zone alarm)
    Maybe Dangitall could better explain to you how to un-check the update feature.....been a long time since I looked at ZA..........I seem to recall that this update feature was in CONFIG....which was the last Tab on the right of the screen....(ZA screen)
     
  5. dangitall

    dangitall Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    430
    Location:
    New Hamster, USA
    You could download and install Mike Lin's StartupControlPanel (http://www.mlin.net/); this may give you enough information to work with. Another option might be posting a HijackThis log - in the appropriate forum, of course - along with an explanation of what you're trying to find, and why.

    FYI: common 'automatic updaters' - antivirus programs and some media players (such as Real).

    Now that I think about it, an HJT log might not be a bad idea at all: while I can't recall having heard of, or seen, any malware using InstallShield to do its dirty work, there's always a first time for everything. Regardless, grab Mike Lin's program and see if there's anything there.

    EDIT: RedLobster mentions that it might be the AutoUpdate feature of ZoneAlarm itself. While this is possible, I don't believe this to be the case as I have that particular feature turned on and I've never seen ZA ask for access to update itself (Now, there's some fodder for deep philosophical speculation!).
     
  6. BeenBit

    BeenBit Registered Member

    Joined:
    Jul 5, 2003
    Posts:
    24
    :)

    Thanks you guys! These are some great suggestions I'll follow up on when I get home tonight.
     
  7. RedLobster

    RedLobster Guest

    Yet another thought....since this was a new install of ZA could it possibly be that it's trying to REGISTER the user/program ?

    Again Dangitall may be able to answer that being a ZA user.


    Yes, there is some malware that uses the install service.....I think NOD was either the first or near first to detect and clean it.
    Paul Wilders could better answer that.
     
  8. dangitall

    dangitall Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    430
    Location:
    New Hamster, USA
    Not that I recall ... and thanks for the info regarding InstallShield being used by the baddies. A suspicion/expectation confirmed.
     
  9. RedLobster

    RedLobster Guest

    Dangitall...

    I was hoping that just once it could be something simple LOL and Beenbit could relax.........but it's never simple
    Well you have this well in hand Dangitall so will get myself on down the pike..

    Beenbit.....good luck..
     
  10. BeenBit

    BeenBit Registered Member

    Joined:
    Jul 5, 2003
    Posts:
    24
    Dangitall (or other Wilders Expert),

    I have run HijackThis as suggested and am posting the log here. I know you said it may be more appropriate in another forum, and if so will be happy to repost there with the background information on my problem (?).
    Just let me know.

    Logfile of HijackThis v1.97.7
    Scan saved at 5:00:42 PM, on 4/4/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start.earthlink.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://start.earthlink.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = ,
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
    O2 - BHO: (no name) - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - c:\Program Files\EarthLink TotalAccess\PnEL.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\PROGRAM FILES\CANON\EASY-WEBPRINT\TOOLBAND.DLL
    O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - c:\Program Files\EarthLink TotalAccess\PnEL.dll
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: Download with Star Downloader - C:\PROGRAM FILES\STAR DOWNLOADER\sdie.htm
    O9 - Extra button: Instant Messenger (SM) (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37902.6917824074
    O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: DigiChat Applet - http://host7.digichat.com/DigiChat/DigiClasses/Client_IE.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4329/mcfscan.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

    :)

    Thanks!

    P.S.- I downloaded Mike Lin's StartUp Control Panel but I'm not sure what I'm looking for. Can someone provide additional help for a newbie as to how I can use this to help with the problem? Thank you!
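
Added example (not part of any post in this thread): a small Python parser for the O4 autostart lines of a HijackThis log, run over an excerpt of the log posted above, listing what starts with Windows and searching those entries by keyword. The search terms are assumptions; the thread does not name the updater's executable.

```python
import re

# Excerpt of the HijackThis log posted above (lines copied from the thread).
SAMPLE_LOG = r"""
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - c:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: Download with Star Downloader - C:\PROGRAM FILES\STAR DOWNLOADER\sdie.htm
"""

# Registry autostart: "O4 - HKLM\..\Run: [Name] command line"
RUN_KEY = re.compile(r"^O4 - (?P<source>\S+?): \[(?P<name>[^\]]*)\] (?P<command>.+)$")
# Startup folder: "O4 - Startup: Shortcut.lnk = target" (also "Global Startup")
STARTUP = re.compile(r"^O4 - (?P<source>(?:Global )?Startup): (?P<name>.+?) = (?P<command>.+)$")


def autostart_entries(log_text):
    """Return every O4 (autostart) entry as a dict: source, name, command."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = RUN_KEY.match(line) or STARTUP.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def find_by_keyword(entries, keywords):
    """Entries whose name or command mentions any keyword (case-insensitive)."""
    keys = [k.lower() for k in keywords]
    return [e for e in entries
            if any(k in (e["name"] + " " + e["command"]).lower() for k in keys)]


if __name__ == "__main__":
    entries = autostart_entries(SAMPLE_LOG)
    for e in entries:
        print(f'{e["source"]:18} {e["name"]:20} {e["command"]}')
    # Assumed search terms; no O4 line in the posted log matches them.
    print("matches:", find_by_keyword(entries, ["installshield", "update"]))
```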
     
  11. Pretender

    Pretender Registered Member

    Joined:
    Apr 23, 2002
    Posts:
    670
    Location:
    Virtual Paradise
    Installshield Update Service is used by programs other than baddies for auto updating of existing programs on a user's system. Prior to installing ZA I had never heard of it before. I allow it internet access for my system and nothing's blown up so far. I used to have a link that showed a lot of the programs that use Installshield Update Service, but as time has gone by............................zapped............sorry.
     
  12. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,449
    Location:
    North Carolina, USA
    Hi BeenBit,

    There is nothing wrong with your HJT log, it is clean.

    I would suggest if you are alerted to this again, try to remember anything you did in the minutes before it happened. Did I start any programs manually in the last few minutes, etc..... Anything that you can think of that may help figure it out. Look for IP addresses in your ZA log and notice if it is any particular port you are being alerted to....

    Sorry not to have been of any more help ;) ...

    Regards,
    Kent
     
  13. RedLobster

    RedLobster Guest

    So there is no confusion here....Pretender is correct when saying "Installshield Update Service is used by programs other than baddies"

    My mention of installshield update was only to imply that ZA COULD BE LOOKING FOR AN UPDATE.....if that option was CHECKED that would be one explanation for it wanting to EXIT to the internet.
    Could Installshield be used by the Baddies....consider that when it comes to computers...well, after all these years people are still finding exploitable means.....so I don't ever under-estimate what can be done.

    So, it's good to be cautious and alert....often it's nothing wrong with the software....but a Check or NO Check where one should not be....or where one should be......all part of the computing experience
     
  14. BeenBit

    BeenBit Registered Member

    Joined:
    Jul 5, 2003
    Posts:
    24
    :)

    All of you kind folks bring up good points. I guess the message is to be vigilant and aware of what is going on with your PC. I have spam control and pop-up stopper with my Earthlink Service, and I wonder if it may be related in some way to that. I think I'll put a call in to their customer support to see if they can tell me anything.

    Thanks to all of you guys!

    Jim
     
  15. FanJ

    FanJ Guest

    Hi,

    Maybe a little bit off topic:

    In IE-SPYAD from Eric Howes you can find the following:

    ; InstallShield
    ; -------------

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\installengine.com]
    "*"=dword:00000004

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\installfromtheweb.com]
    "*"=dword:00000004

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\installshield.com]
    "*"=dword:00000004


    This means that those websites are placed in the restricted zone of IE.

    However: as far as I was able to see this is in the section of IE-SPYAD "NOT FOR EVERYONE".


    Edit:
    This was in the previous version of IE-SPYAD; at the moment I haven't yet installed the latest one.
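
Added example (not part of FanJ's post or of IE-SPYAD): a Python reader for ZoneMap\Domains entries in a .reg file that reports which Internet Explorer security zone each host is assigned to. It goes slightly beyond the three keys quoted above by also handling subdomain subkeys; the example.test entry is constructed for that purpose.

```python
import re

# The three keys quoted in the post above, plus one constructed subdomain key
# (example.test is not from the thread) to show how subkeys nest.
SAMPLE_REG = r"""
; InstallShield
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\installengine.com]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\installfromtheweb.com]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\installshield.com]
"*"=dword:00000004

; constructed entry, not from the thread
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.test\www]
"http"=dword:00000002
"""

# Internet Explorer security zone numbers.
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

KEY = re.compile(r"^\[.*\\ZoneMap\\Domains\\(?P<path>[^\]]+)\]$", re.IGNORECASE)
VALUE = re.compile(r'^"(?P<scheme>[^"]+)"=dword:(?P<zone>[0-9a-fA-F]{8})$')


def zone_assignments(reg_text):
    """Return (host, scheme, zone name) for every ZoneMap\\Domains value."""
    results, host = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or .reg comment
        if line.startswith("["):
            m = KEY.match(line)
            # Domains\example.test\www means host www.example.test
            host = ".".join(reversed(m.group("path").split("\\"))) if m else None
            continue
        m = VALUE.match(line)
        if m and host:
            zone = int(m.group("zone"), 16)
            results.append((host, m.group("scheme"), ZONES.get(zone, f"unknown ({zone})")))
    return results


if __name__ == "__main__":
    for host, scheme, zone in zone_assignments(SAMPLE_REG):
        print(f"{host:24} {scheme:5} -> {zone}")
```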
     
  16. dangitall

    dangitall Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    430
    Location:
    New Hamster, USA
    BeenBit - sorry I missed yesterday's activities here, but I was otherwise occupied. Yes, it is entirely possible that the software provided by Earthlink could be related to this. I had more problems with that stuff ...! Some people I know just love their Earthlink service, but it seemed that I was on the phone, or in their IM Help, with them at least every other day or so because of issues with their software.

    Everybody else made some great points, and it's ALWAYS a relief to have a clean HJT log (!) but, yes, vigilance and knowledge are always the key to anything. Keep your eyes and mind open and you should be fine.
     
  17. BeenBit

    BeenBit Registered Member

    Joined:
    Jul 5, 2003
    Posts:
    24
    :D

    Thanks Dangitall! I appreciate your help more than you know. All of you folks at the Wilders Forum are the greatest!
     
  18. Pretender

    Pretender Registered Member

    Joined:
    Apr 23, 2002
    Posts:
    670
    Location:
    Virtual Paradise
    I'm currently using Earthlink. I can't remember if my first encounter with Installshield Service was after installing the EL software or not, but am inclined to think it was. I had numerous problems with the Earthlink software on first install. Had to take it all out and start again three or four times before it started working without noticeable problems. Using Windows XP and haven't had any problems for a long time now. What does that mean? Who knows. Seems to be a problem with the installation and whether it works right or not. Getting back to Installshield..........when I first allowed it to access thru ZoneAlarm then I ended up with a drastic delay in loading of XP. That has finally been taken care of.
     

  19. dcdc

    dcdc Registered Member

    Joined:
    Nov 22, 2004
    Posts:
    195
    Location:
    Boston area
    This is my recent experience with InstallShield Update. After being in the hospital for a few days, I came home and fired up my machine, and to my surprise found this InstallShield icon in my system tray. I had done some anti-malware updates just before I went in, so I thought it might be some part of an upgrade from one of them. But it just didn't seem right.

    I ran all the updates again, and then started doing scans. The first was Spy Sweeper, which found adware NeededWare (ironic name, isn't it?), with one item and two traces found. Some info from Spy Sweeper:
    Threat Assessment: Medium
    usually installed via Active-X driveby download
    may display pop-up ads.

    I let Spy Sweeper quarantine this one for me.

    Next I ran scans from Ad-Aware SE and Spybot in that order, but they found nothing additional. I also have SpywareGuard and SpywareBlaster running, but apparently neither blocked this NeededWare.

    Next I restarted the system, and the InstallShield icon in the system tray was gone. Some other members have mentioned Zone Alarm, but I have never downloaded that one, and if they had a free system scan, I don't remember using it. So at least for me, I didn't get this malware from Zone Alarm.

    I hope others may find this info useful.

    By the way, let's see a show of hands of how many think the new Windows Longhorn OS, arriving a couple of years behind schedule, will bring all this malware to an end once and for all without a glitch. Not too many that I can see.

    I think the prudent moral here is do your own updates - don't rely on unknown programs to do them for you.
     