Opaserv.A Worm/Phantom files

Discussion in 'malware problems & news' started by mklangelo, Feb 7, 2004.

  1. mklangelo

    mklangelo Registered Member

    Joined:
    Jan 16, 2004
    Posts:
    19
    Location:
    Wisconsin, USA
    Spyware Search and Destroy has detected it on my system. When I try to remove it with SSD, it says it can't because some part of it is in use. I'm running XP Pro SP1 and this worm does its thing on Win 9x and ME. XP isn't mentioned in anything I've read about it. I still want it gone. I disconnected from the net and tried it too, since I figured it wouldn't be "in use" that way. No help.

    I downloaded the removal tool and it can detect nothing. Trial version of NOD 32 says I'm clean also. What's the deal?


    MK o_O
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Re:Opaserv.A Worm

    Hi mklangelo,

    Could you post the Spybot S&D log?

    And have a look here: http://www.sophos.com/support/disinfection/w32opaserv.html

    Regards,

    Pieter
     
  3. mklangelo

    Re:Opaserv.A Worm

    Pieter,

    I can find no log file. According to my settings, it should be named "checks.log". It is not in the SBSD directory or anywhere else for that matter.
     
  4. Pieter_Arntz

    Re:Opaserv.A Worm

    Could you post your HijackThis log?
    Download, unzip and run HijackThis. Then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post.
    Don't fix anything yet. Most of what it finds is harmless.

    Regards,

    Pieter
     
  5. mklangelo

    Re:Opaserv.A Worm

    Pieter,

    Here it is.

    Logfile of HijackThis v1.97.7
    Scan saved at 7:52:44 AM, on 2/7/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\SYSTEM32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\WINDOWS\SYSTEM32\USRmlnkA.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\WINDOWS\SYSTEM32\USRshutA.exe
    C:\WINDOWS\SYSTEM32\USRmlnkA.exe
    C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    C:\WINDOWS\Mixer.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE
    C:\Documents and Settings\Mike Burns\Application Data\bbhi.exe
    C:\Program Files\SpamPal\spampal.exe
    C:\WINDOWS\System32\CTSvcCDA.EXE
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\ZoneLabs\vsmon.exe
    C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
    C:\Documents and Settings\Mike Burns\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-big.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-big.dll
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [InteliSys] C:\WINDOWS\smss.exe
    O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
    O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
    O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
    O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
    O4 - HKCU\..\Run: [Ecuc] C:\Documents and Settings\Mike Burns\Application Data\bbhi.exe
    O4 - HKCU\..\Run: [FG1_00] C:\Program Files\Presorium\Frontgate MX\frntgate.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {1DB3B8DD-5801-443F-B2D5-9BF8912B980E} (dmgrax2Ctrl Class) - http://www.lxsystems.com/downloads/Install.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://download.yahoo.com/dl/sbcybeta/yinst.cab
    O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9C9D9B7B-6D58-4524-A9E2-BFF8C03AE7BB}: NameServer = 65.43.19.26 206.141.192.60
     
  6. Pieter_Arntz

    Re:Opaserv.A Worm

    Quite some adware, but no virus in sight.
    Let's see if cleaning you out helps.

    Before you start, please unzip hijackthis.exe to a folder of its own. The program creates backups in the folder it is in. In a Temp folder they easily disappear.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com

    O4 - HKLM\..\Run: [InteliSys] C:\WINDOWS\smss.exe

    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

    O4 - HKCU\..\Run: [Ecuc] C:\Documents and Settings\Mike Burns\Application Data\bbhi.exe

    O4 - Startup: PowerReg Scheduler.exe

    Then reboot and delete:
    C:\WINDOWS\smss.exe
    C:\Documents and Settings\Mike Burns\Application Data\bbhi.exe

    Regards,

    Pieter
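As an added illustration, not part of Pieter's post or of any HijackThis or Spybot tooling: a small Python parser over the O4 autostart lines quoted in this thread, applying two heuristics that are an assumption of this example, inferred from the entries Pieter chose to fix (a core Windows binary name such as smss.exe running from outside System32, and an autostart executable living under a user's Application Data or Temp directory). The sample lines are constructed from the HijackThis log above.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample: O4 autostart lines copied from the HijackThis log in this thread.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe",
    r"O4 - HKLM\..\Run: [InteliSys] C:\WINDOWS\smss.exe",
    r'O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"',
    r"O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE",
    r"O4 - HKCU\..\Run: [Ecuc] C:\Documents and Settings\Mike Burns\Application Data\bbhi.exe",
    r"O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE",
]

# Assumption of this example: these core Windows binaries legitimately live only in
# the system directory, so a same-named file anywhere else is treated as masquerading.
SYSTEM_ONLY_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\system"}
# Per-user writable locations that are unusual homes for an autostart executable.
USER_DATA_MARKERS = ("\\application data\\", "\\local settings\\temp\\")

# O4 line shape: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


@dataclass
class Finding:
    hive: str
    name: str
    path: str
    reasons: list


def executable_from_command(cmd):
    """Extract the executable path from a Run-key command line (quoted or bare, with args)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)^(.*?\.exe)(?=\s|$)", cmd)
    return m.group(1) if m else cmd.split()[0]


def assess(exe):
    """Return the list of reasons an autostart executable looks suspicious (empty if none)."""
    p = PureWindowsPath(exe)
    base = p.name.lower()
    parent = "" if p.parent == PureWindowsPath(".") else str(p.parent).lower()
    reasons = []
    if base in SYSTEM_ONLY_BINARIES and parent not in SYSTEM_DIRS:
        where = parent or "(search path)"
        reasons.append(f"{base} normally runs only from System32, but this copy is in '{where}'")
    if any(marker in exe.lower() for marker in USER_DATA_MARKERS):
        reasons.append("autostart executable lives in a per-user data/temp directory")
    return reasons


def analyze(lines):
    """Parse O4 lines and return a Finding for each entry that trips a heuristic."""
    findings = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue  # not an O4 Run entry (R1, O2, O16, ...): ignored by this example
        exe = executable_from_command(m.group("cmd"))
        reasons = assess(exe)
        if reasons:
            findings.append(Finding(m.group("hive"), m.group("name"), exe, reasons))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_O4_LINES):
        print(f"{f.hive} [{f.name}] {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the sample it reports exactly the two entries Pieter marked for fixing; the legitimate System32 copy of smss.exe seen in the process list would not be flagged.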
     
  7. mklangelo

    Re:Opaserv.A Worm

    Pieter,

    I appreciate your time on this. This forum has been quite helpful to me.


    Regards,

    Mike
     
  8. Pieter_Arntz

    Re:Opaserv.A Worm

    My pleasure. :)

    Pieter
     
  9. mklangelo

    Re:Opaserv.A Worm

    Pieter,

    The same notification (OpaServ.A) shows up. Two of the files named to delete after final reboot did not exist:

    C:\WINDOWS\smss.exe
    C:\Documents and Settings\Mike Burns\Application Data\bbhi.exe

    Plus in the post you closed, I mentioned a new detection that showed up.

    A quote from the closed thread is below:

    "When I do run a full scan with TrojanHunter, NOD32 will notify on Stealth.Poly.Crypt.Tsr.Driver."

    I might have been more clear in the post; I did mention two separate issues. My mistake!
     
  10. Pieter_Arntz

    Re:Opaserv.A Worm

    Hi mklangelo,

    It would really help a lot if we knew where these files were found. (Full path and filename)
    Make some screenshots if you can't find the logfiles.

    Regards,

    Pieter
     
  11. Pieter_Arntz

    Re:Opaserv.A Worm

    To get the log from Spybot S&D:
    After the scan click Tools > View Report > View Report and copy & paste the content of the main screen into your post.

    Regards,

    Pieter
     
  12. controler

    controler Guest

    Re:Opaserv.A Worm

    I see you are using NOD-32. Won't this detect it and remove it?

    con
     
  13. mklangelo

    Re:Opaserv.A Worm

    I don't think so if one is using the trial version.
     
  14. mklangelo

    Re:Opaserv.A Worm

    Here is the full information from SSD, TrojanHunter and NOD32:

    --- Search result list ---

    --- Spybot-S&D version: 1.2 ---
    2004-01-22 Includes\Cookies.sbi
    2004-01-22 Includes\Dialer.sbi
    2004-01-31 Includes\Hijackers.sbi
    2003-11-11 Includes\Keyloggers.sbi
    2004-01-25 Includes\Malware.sbi
    2003-03-16 Includes\plugin-ignore.ini
    2004-01-22 Includes\Security.sbi
    2004-01-26 Includes\Spybots.sbi
    2003-03-16 Includes\Temporary.sbi
    2004-01-22 Includes\Tracks.uti
    2004-01-25 Includes\Trojans.sbi


    --- System information ---
    Windows XP (Build: 2600) Service Pack 1
    / DataAccess: Security update for Microsoft Data Access Components
    / DataAccess: Security Update for Microsoft Data Access Components
    / DirectX: DirectX Update 819696
    / Windows Media Player / SP0: Windows Media Player Hotfix [See wm828026 for more information]
    / Windows Media Player: Windows Media Update 817787
    / Windows Media Player: Windows Media Update 819639
    / Windows Media Player: Windows Media Update 828026
    / Windows XP / SP2: Windows XP Hotfix - KB821557
    / Windows XP / SP2: Windows XP Hotfix - KB823182
    / Windows XP / SP2: Windows XP Hotfix - KB823559
    / Windows XP / SP2: Windows XP Hotfix - KB823980
    / Windows XP / SP2: Windows XP Hotfix - KB824105
    / Windows XP / SP2: Windows XP Hotfix - KB824141
    / Windows XP / SP2: Windows XP Hotfix - KB824146
    / Windows XP / SP2: Windows XP Hotfix - KB825119
    / Windows XP / SP2: Windows XP Hotfix - KB826939
    / Windows XP / SP2: Windows XP Hotfix - KB828039
    / Windows XP / SP2: Windows XP Hotfix (SP2) Q322011
    / Windows XP / SP2: Windows XP Hotfix (SP2) [See Q323255 for more information]
    / Windows XP / SP2: Windows XP Hotfix (SP2) Q327979
    / Windows XP / SP2: Windows XP Hotfix (SP2) Q328310
    / Windows XP / SP2: Windows XP Hotfix (SP2) [See Q329048 for more information]
    / Windows XP / SP2: Windows XP Hotfix (SP2) [See Q329115 for more information]
    / Windows XP / SP2: Windows XP Hotfix (SP2) Q329170
    / Windows XP / SP2: Windows XP Hotfix (SP2) [See Q329390 for more information]
    / Windows XP / SP2: Windows XP Hotfix (SP2) Q329441
    / Windows XP / SP2: Windows XP Hotfix (SP2) [See Q329834 for more information]
    / Windows XP / SP2: Windows XP Hotfix (SP2) Q331953
    / Windows XP / SP2: Windows XP Hotfix (SP2) Q810565
    / Windows XP / SP2: Windows XP Hotfix (SP2) Q810577
    / Windows XP / SP2: Windows XP Hotfix (SP2) Q810833
    / Windows XP / SP2: Windows XP Hotfix (SP2) Q811493
    / Windows XP / SP2: Windows XP Hotfix (SP2) Q811630
    / Windows XP / SP2: Windows XP Hotfix (SP2) Q814033
    / Windows XP / SP2: Windows XP Hotfix (SP2) Q815021
    / Windows XP / SP2: Windows XP Hotfix (SP2) Q817287
    / Windows XP / SP2: Windows XP Hotfix (SP2) Q817606


    --- Startup entries list ---
    Spybot-S&D Startup list report, 2/8/2004 10:12:15 AM

    Located: HK_CU:Run, RemoteCenter
    file: C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
    MD5: 06D83E9BBF14471EDB1572564B55C5EB

    Located: HK_CU:Run, Creative Detector
    file: C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R

    Located: HK_CU:Run, MtdAcq
    file: C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s

    Located: HK_CU:Run, Ccch
    file: C:\Documents and Settings\Mike Burns\Application Data\aeca.exe
    MD5: BE6356B5B707C366F4DD0ADBF0E72D38

    Located: HK_LM:Run, SBDrvDet
    file: C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r

    Located: HK_LM:Run, ATIPTA
    file: C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    MD5: 76E9ECD6253BD9D1549CBE32621AD897

    Located: HK_LM:Run, IntelliType
    file: "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"

    Located: HK_LM:Run, Zone Labs Client
    file: C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    MD5: 9472F49967BD0FCF5AEB6C1497B9083A

    Located: HK_LM:Run, USRpdA
    file: C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA

    Located: HK_LM:Run, AsioReg
    file: REGSVR32.EXE /S CTASIO.DLL

    Located: HK_LM:Run, CTSysVol
    file: C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    MD5: C88806E6C9AE0AD88D20E1BDA995355A

    Located: HK_LM:Run, CTDVDDet
    file: C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    MD5: 49530EA45EBD73E2C11C74DFEBC30D57

    Located: HK_LM:Run, nod32kui
    file: C:\Program Files\Eset\nod32kui.exe /WAITSERVICE

    Located: HK_LM:Run, THGuard
    file: "C:\Program Files\TrojanHunter 3.8\THGuard.exe"

    Located: HK_LM:Run, CTHelper
    file: CTHELPER.EXE

    Located: HK_LM:Run, NeroCheck (DISABLED)
    file: C:\WINDOWS\System32\\NeroCheck.exe
    MD5: 3E4C03CEFAD8DE135263236B61A49C90

    Located: HK_LM:Run, C-Media Mixer (DISABLED)
    file: Mixer.exe /startup



    --- Browser helper object list ---
    Spybot-S&D Browser helper object report, 2/8/2004 10:12:15 AM

    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    Class file: AcroIEHelper.dll
    Attributes: archive
    Date: 5/15/2003 12:47:54 AM
    MD5: 0C0E1B2BCAED8DF401BE94D538BCB412
    Path: C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\
    Short name: ACROIE~1.DLL
    Size: 50376 bytes
    Version: 0.6.0.0
    Class name: AcroIEHlprObj Class
    CLSID database: legitimate software
    Description: Adobe Acrobat reader
    Filename: ACROIEHELPER.OCX

    {53707962-6F74-2D53-2644-206D7942484F}
    Class file: SDHelper.dll
    Attributes: archive
    Date: 3/16/2003 1:02:00 AM
    MD5: 423CBD3CFAEEB62C5C97A9449567B474
    Path: C:\PROGRA~1\SPYBOT~1\
    Short name:
    Size: 711168 bytes
    Version: 255.255.255.255
    CLSID database: legitimate software
    Description: Spybot-S&D IE Browser plugin
    Filename: SDHelper.dll

    {AA58ED58-01DD-4d91-8333-CF10577473F7}
    Class file: googletoolbar_en_2.0.95-big.dll
    Attributes: archive
    Date: 8/4/2003 11:23:18 PM
    MD5: 391C19C7EF7E9AF44CCEA95B5051508D
    Path: c:\windows\
    Short name: GOOGLE~1.DLL
    Size: 741376 bytes
    Version: 0.2.0.0
    Class name: Google Toolbar Helper
    CLSID database: open for discussion
    Description: Google toolbar
    Filename: Googletoolbar.dll


    --- ActiveX list ---
    Spybot-S&D ActiveX report, 2/8/2004 10:12:15 AM

    DirectAnimation Java Classes
    Name: DirectAnimation Java Classes
    Version: 5,1,15,1014

    Microsoft XML Parser for Java
    Name: Microsoft XML Parser for Java
    Version: 1,0,9,2

    {0E5F0222-96B9-11D3-8997-00104BD12D94}
    Class file: PCPITS~1.DLL
    Attributes: archive
    Date: 9/2/2003 10:52:30 AM
    MD5: BCA44EAEFCEA0133B35551664570351F
    Path: C:\WINDOWS\DOWNLO~1\
    Short name: PCPITS~1.DLL
    Size: 249856 bytes
    Version: 0.1.0.0
    Class name: PCPitstop Utility
    CLSID database: unknown class
    Description: Gateway tools
    Filename: PCPITSTOP.DLL
    Contains file: DiskFAU.dll
    Attributes: archive
    Date: 4/18/2003 1:59:44 PM
    MD5: 5689C59C70EC84831FFFDAD1DAA8DA3A
    Path: C:\WINDOWS\Downloaded Program Files\
    Short name:
    Size: 53248 bytes
    Version: 0.1.0.0
    Contains file: pcpbios.exe
    Attributes: archive
    Date: 3/14/2002 1:00:26 PM
    MD5: 68C5BB8A734A1C6F38705E61923C3317
    Path: C:\WINDOWS\System32\
    Short name:
    Size: 38567 bytes
    Version: 255.255.255.255
    Contains file: PCPitstop.dll
    Attributes: archive
    Date: 9/2/2003 10:52:30 AM
    MD5: BCA44EAEFCEA0133B35551664570351F
    Path: C:\WINDOWS\Downloaded Program Files\
    Short name: PCPITS~1.DLL
    Size: 249856 bytes
    Version: 0.1.0.0
    Contains file: sysres.dll
    Attributes: archive
    Date: 8/16/1998 6:00:00 AM
    MD5: 4DB16572BB9FC4EC4840EF55FB91F375
    Path: C:\WINDOWS\System32\
    Short name:
    Size: 4096 bytes
    Version: 255.255.255.255
    Download location: http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    Last modified: Tue, 02 Sep 2003 15:03:17 GMT
    Version: 1,0,0,121

    {1DB3B8DD-5801-443F-B2D5-9BF8912B980E}
    Class file: dmgrax2.dll
    Attributes: archive
    Date: 9/12/2003 4:19:12 PM
    MD5: E7C20C81DDB7C9DE2E59035BF6AAA82C
    Path: C:\WINDOWS\Downloaded Program Files\
    Short name:
    Size: 167936 bytes
    Version: 0.1.0.1
    Class name: dmgrax2Ctrl Class
    Contains file: dmgrax2.dll
    Attributes: archive
    Date: 9/12/2003 4:19:12 PM
    MD5: E7C20C81DDB7C9DE2E59035BF6AAA82C
    Path: C:\WINDOWS\Downloaded Program Files\
    Short name:
    Size: 167936 bytes
    Version: 0.1.0.1
    Download location: http://www.lxsystems.com/downloads/Install.cab
    Last modified: Fri, 12 Sep 2003 21:20:17 GMT
    Version: 1,1,1,4

    {30528230-99f7-4bb4-88d8-fa1d4f56a2ab}
    Class file: yinsthelper.dll
    Attributes: archive
    Date: 9/9/2003 5:39:42 PM
    MD5: A74AB5DEF14CC298CC8821CE80A62405
    Path: C:\WINDOWS\Downloaded Program Files\
    Short name: YINSTH~1.DLL
    Size: 124352 bytes
    Version: 7.211.0.9
    Class name: YInstStarter Class
    Contains file: yinsthelper.dll
    Attributes: archive
    Date: 9/9/2003 5:39:42 PM
    MD5: A74AB5DEF14CC298CC8821CE80A62405
    Path: C:\Program Files\Yahoo!\common\
    Short name: YINSTH~1.DLL
    Size: 124352 bytes
    Version: 7.211.0.9
    Contains file: yinsthelper.dll
    Attributes: archive
    Date: 9/9/2003 5:39:42 PM
    MD5: A74AB5DEF14CC298CC8821CE80A62405
    Path: C:\WINDOWS\Downloaded Program Files\
    Short name: YINSTH~1.DLL
    Size: 124352 bytes
    Version: 7.211.0.9
    Download location: http://download.yahoo.com/dl/sbcybeta/yinst.cab
    Last modified: Fri, 12 Sep 2003 22:08:18 GMT
    Version: 2003,9,9,1

    {38578BF0-0ABB-11D3-9330-0080C6F796A1}
    Class file: AxCtp.dll
    Attributes: archive
    Date: 10/10/2003 12:34:22 PM
    MD5: F55BCD60698CCD82317A554A57E0EA2A
    Path: C:\WINDOWS\System32\
    Short name:
    Size: 1187840 bytes
    Version: 0.3.0.1
    Class name: Create & Print ActiveX Plug-in
    Contains file: AxCtp.dll
    Attributes: archive
    Date: 10/10/2003 12:34:22 PM
    MD5: F55BCD60698CCD82317A554A57E0EA2A
    Path: C:\WINDOWS\System32\
    Short name:
    Size: 1187840 bytes
    Version: 0.3.0.1
    Download location: http://www.imgag.com/cp/install/AxCtp.cab
    Last modified: Fri, 10 Oct 2003 20:31:03 GMT
    Version: 3,1,0,0

    {8AD9C840-044E-11D1-B3E9-00805F499D93}
    Class file: npjpi140_01.dll
    Attributes: archive
    Date: 4/16/2002 2:28:48 PM
    MD5: 5049C83AC4E513D0B0AC4FFEA6431162
    Path: C:\Program Files\Java\j2re1.4.0_01\bin\
    Short name: NPJPI1~1.DLL
    Size: 86122 bytes
    Version: 0.1.0.4
    Class name: Java Plug-in 1.4.0_01
    CLSID database: legitimate software
    Description: Sun Java
    Filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
    Download location: http://java.sun.com/products/plugin/autodl/jinstall-1_4_0_01-win.cab
    Name: Java Runtime Environment 1.4.0_01
    Version: 1,4,0,1

    {8EDAD21C-3584-4E66-A8AB-EB0E5584767D}
    Contains file: activate.dll
    Attributes: archive
    Date: 3/19/2003 4:39:08 PM
    MD5: 4F159E0135ECA7EB948B66AC9910A7D5
    Path: C:\WINDOWS\Downloaded Program Files\
    Short name:
    Size: 118784 bytes
    Version: 255.255.255.255
    Download location: http://toolbar.google.com/data/GoogleActivate.cab
    Last modified: Fri, 21 Mar 2003 16:46:06 GMT
    Version: 0,0,0,1

    {9A9307A0-7DA4-4DAF-B042-5009F29E09E1}
    Class file: asinst.dll
    Attributes: archive
    Date: 8/7/2003 9:02:50 AM
    MD5: BF100C75EBD536E45B2BE67A685DD39C
    Path: C:\WINDOWS\Downloaded Program Files\
    Short name:
    Size: 110592 bytes
    Version: 0.55.0.2
    Class name: ActiveScan Installer Class
    Contains file: asinst.dll
    Attributes: archive
    Date: 8/7/2003 9:02:50 AM
    MD5: BF100C75EBD536E45B2BE67A685DD39C
    Path: C:\WINDOWS\Downloaded Program Files\
    Short name:
    Size: 110592 bytes
    Version: 0.55.0.2
    Download location: http://www.pandasoftware.com/activescan/as5/asinst.cab
    Last modified: Thu, 07 Aug 2003 07:11:58 GMT
    Version: 55,2,0,0

    {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA}
    Class file: npjpi140_01.dll
    Attributes: archive
    Date: 4/16/2002 2:28:48 PM
    MD5: 5049C83AC4E513D0B0AC4FFEA6431162
    Path: C:\Program Files\Java\j2re1.4.0_01\bin\
    Short name: NPJPI1~1.DLL
    Size: 86122 bytes
    Version: 0.1.0.4
    Class name: Java Plug-in 1.4.0_01
    Download location: http://java.sun.com/products/plugin/autodl/jinstall-1_4_0_01-win.cab
    Name: Java Runtime Environment 1.4.0_01
    Version: 1,4,0,1

    {D27CDB6E-AE6D-11CF-96B8-444553540000}
    Class file: Flash.ocx
    Attributes: archive
    Date: 9/4/2003 2:17:58 PM
    MD5: B414D4BA7BFB6218AE6B224B46C81D60
    Path: C:\WINDOWS\System32\macromed\flash\
    Short name:
    Size: 917504 bytes
    Version: 0.7.0.0
    Class name: Shockwave Flash Object
    CLSID database: legitimate software
    Description: Macromedia Shockwave Flash Player
    Download location: http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Last modified: Fri, 05 Sep 2003 18:36:03 GMT
    Version: 7,0,14,0


    --- Process list ---
    Spybot-S&D process list report, 2/8/2004 10:12:15 AM

    PID: 0 ( 0) [System]
    PID: 4 ( 0) System
    PID: 340 ( 4) \SystemRoot\System32\smss.exe
    PID: 392 ( 340) \??\C:\WINDOWS\system32\csrss.exe
    PID: 416 ( 340) \??\C:\WINDOWS\SYSTEM32\winlogon.exe
    PID: 460 ( 416) C:\WINDOWS\system32\services.exe
    PID: 472 ( 416) C:\WINDOWS\system32\lsass.exe
    PID: 636 ( 460) C:\WINDOWS\System32\Ati2evxx.exe
    PID: 660 ( 460) C:\WINDOWS\system32\svchost.exe
    PID: 696 ( 460) C:\WINDOWS\System32\svchost.exe
    PID: 828 ( 460) C:\WINDOWS\System32\svchost.exe
    PID: 856 ( 460) C:\WINDOWS\System32\svchost.exe
    PID: 968 (1400) C:\WINDOWS\System32\ZoneLabs\vsmon.exe
    PID: 1044 ( 460) C:\WINDOWS\system32\spoolsv.exe
    PID: 1124 ( 416) C:\WINDOWS\SYSTEM32\Ati2evxx.exe
    PID: 1192 (1156) C:\WINDOWS\Explorer.EXE
    PID: 1344 (1192) C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    PID: 1384 (1192) C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    PID: 1400 (1192) C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    PID: 1412 (1192) C:\WINDOWS\SYSTEM32\USRmlnkA.exe
    PID: 1432 (1192) C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    PID: 1444 (1412) C:\WINDOWS\SYSTEM32\USRshutA.exe
    PID: 1460 (1192) C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    PID: 1472 (1412) C:\WINDOWS\SYSTEM32\USRmlnkA.exe
    PID: 1492 (1192) C:\Program Files\Eset\nod32kui.exe
    PID: 1532 (1192) THGuard.exe
    PID: 1540 (1192) C:\WINDOWS\System32\CTHELPER.EXE
    PID: 1548 (1192) C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
    PID: 1560 (1192) C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    PID: 1576 (1192) C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE
    PID: 1588 (1192) C:\Documents and Settings\Mike Burns\Application Data\aeca.exe
    PID: 1776 (1192) C:\Program Files\SpamPal\spampal.exe
    PID: 1888 ( 460) C:\WINDOWS\System32\CTSvcCDA.EXE
    PID: 1940 ( 460) C:\Program Files\Eset\nod32krn.exe
    PID: 2008 ( 460) C:\WINDOWS\System32\MsPMSPSv.exe
    PID: 3432 (1192) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe


    --- Browser start & search pages list ---
    Spybot-S&D browser pages report, 2/8/2004 10:12:15 AM

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
    http://yahoo.sbc.com/dsl
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
    http://yahoo.sbc.com/dsl
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
    http://yahoo.sbc.com/dsl
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
    http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
    http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


    --- Winsock Layered Service Provider list ---
    Spybot-S&D winsock LSP report, 2/8/2004 10:12:15 AM

    NS Provider ( 1) Tcpip ({22059D40-7E9E-11CF-AE5A-00AA00A7112B})
    NS Provider ( 2) NTDS ({3B2637EE-E580-11CF-A555-00C04FD8D4AC})
    NS Provider ( 3) Network Location Awareness (NLA) Namespace ({6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83})
    Protocol ( 1) NOD32 protected [MSAFD Tcpip [TCP/IP]] ({8C397D36-8698-41E1-930A-1F2CA61B890E})
    Protocol ( 2) NOD32 protected [MSAFD Tcpip [UDP/IP]] ({4B43688E-2A08-4941-96EF-B24E19ABD4CE})
    Protocol ( 3) NOD32 protected [MSAFD Tcpip [RAW/IP]] ({E058E349-941C-4A01-B52A-4E1D68E8319C})
    Protocol ( 4) NOD32 protected [RSVP UDP Service Provider] ({872EA8D1-31AC-4C26-A25A-CBBA92B81DA0})
    Protocol ( 5) NOD32 protected [RSVP TCP Service Provider] ({64BFC2B7-E8D1-4F53-AB28-C0A9E8EC5089})
    Protocol ( 6) MSAFD Tcpip [TCP/IP] ({E70F1AA0-AB8B-11CF-8CA3-00805F48A192})
    Protocol ( 7) MSAFD Tcpip [UDP/IP] ({E70F1AA0-AB8B-11CF-8CA3-00805F48A192})
    Protocol ( 8) MSAFD Tcpip [RAW/IP] ({E70F1AA0-AB8B-11CF-8CA3-00805F48A192})
    Protocol ( 9) RSVP UDP Service Provider ({9D60A9E0-337A-11D0-BD88-0000C082E69A})
    Protocol (10) RSVP TCP Service Provider ({9D60A9E0-337A-11D0-BD88-0000C082E69A})
    Protocol (11) MSAFD NetBIOS [\Device\NetBT_Tcpip_{0C49C7C9-9D4A-4E62-A3DD-F0D11128C575}] SEQPACKET 5 ({8D5F1830-C273-11CF-95C8-00805F48A192})
    Protocol (12) MSAFD NetBIOS [\Device\NetBT_Tcpip_{0C49C7C9-9D4A-4E62-A3DD-F0D11128C575}] DATAGRAM 5 ({8D5F1830-C273-11CF-95C8-00805F48A192})
    Protocol (13) MSAFD NetBIOS [\Device\NetBT_Tcpip_{D98BB06F-C94D-4375-9C54-DC345B186BA4}] SEQPACKET 0 ({8D5F1830-C273-11CF-95C8-00805F48A192})
    Protocol (14) MSAFD NetBIOS [\Device\NetBT_Tcpip_{D98BB06F-C94D-4375-9C54-DC345B186BA4}] DATAGRAM 0 ({8D5F1830-C273-11CF-95C8-00805F48A192})
    Protocol (15) MSAFD NetBIOS [\Device\NetBT_Tcpip_{59A396C1-9791-4ABE-A36A-D293008281D1}] SEQPACKET 1 ({8D5F1830-C273-11CF-95C8-00805F48A192})
    Protocol (16) MSAFD NetBIOS [\Device\NetBT_Tcpip_{59A396C1-9791-4ABE-A36A-D293008281D1}] DATAGRAM 1 ({8D5F1830-C273-11CF-95C8-00805F48A192})
    Protocol (17) MSAFD NetBIOS [\Device\NetBT_Tcpip_{39193C8B-A2A5-442E-9E6D-19E14F1FE41C}] SEQPACKET 2 ({8D5F1830-C273-11CF-95C8-00805F48A192})
    Protocol (18) MSAFD NetBIOS [\Device\NetBT_Tcpip_{39193C8B-A2A5-442E-9E6D-19E14F1FE41C}] DATAGRAM 2 ({8D5F1830-C273-11CF-95C8-00805F48A192})
    Protocol (19) MSAFD NetBIOS [\Device\NetBT_Tcpip_{C2D4AAAB-4724-4CA1-801B-8E33DFD96C0E}] SEQPACKET 3 ({8D5F1830-C273-11CF-95C8-00805F48A192})
    Protocol (20) MSAFD NetBIOS [\Device\NetBT_Tcpip_{C2D4AAAB-4724-4CA1-801B-8E33DFD96C0E}] DATAGRAM 3 ({8D5F1830-C273-11CF-95C8-00805F48A192})
    Protocol (21) MSAFD NetBIOS [\Device\NetBT_Tcpip_{9C9D9B7B-6D58-4524-A9E2-BFF8C03AE7BB}] SEQPACKET 4 ({8D5F1830-C273-11CF-95C8-00805F48A192})
    Protocol (22) MSAFD NetBIOS [\Device\NetBT_Tcpip_{9C9D9B7B-6D58-4524-A9E2-BFF8C03AE7BB}] DATAGRAM 4 ({8D5F1830-C273-11CF-95C8-00805F48A192})
    Protocol (23) NOD32 ({28A4D8DA-E908-4C6F-A926-A66CC7AD3224})


    _________________________________________________________________________________________________



    THIS IS INFO FROM TROJANHUNTER:

    File scan
    Warning: Unable to unpack UPX-packed file C:\System Volume Information\_restore{41F948C6-E5A2-444B-9F7E-0DC935BD5CB9}\RP365\A0303772.exe (Add to ignore list)
    No trojan files found
    _________________________________________________________________________________________________________________

    This is the location of the offending files according to NOD32

    Stealth.Poly.Crypt.Tsr.Driver is the alleged virus.
    Time Module Object Name Virus Action User Info
    2/8/2004 10:28:18 AM AMON file C:\DOCUME~1\MIKEBU~1\LOCALS~1\Temp\jN5Rd.exe probably unknown STEALTH.POLY.CRYPT.TSR.DRIVER virus AMERICAN-Q0JEHN\Mike Burns
    2/8/2004 10:27:19 AM AMON file C:\DOCUME~1\MIKEBU~1\LOCALS~1\Temp\fcjOC3.exe probably unknown STEALTH.POLY.CRYPT.TSR.DRIVER virus AMERICAN-Q0JEHN\Mike Burns
    2/7/2004 20:24:39 PM AMON file C:\DOCUME~1\MIKEBU~1\LOCALS~1\Temp\v5P.exe probably unknown STEALTH.POLY.CRYPT.TSR.DRIVER virus AMERICAN-Q0JEHN\Mike Burns
    2/7/2004 20:24:36 PM AMON file C:\DOCUME~1\MIKEBU~1\LOCALS~1\Temp\Q64FV.exe probably unknown STEALTH.POLY.CRYPT.TSR.DRIVER virus error while deleting - error occured while quarantining the object - AMERICAN-Q0JEHN\Mike Burns
    2/7/2004 12:20:44 PM AMON file C:\DOCUME~1\MIKEBU~1\LOCALS~1\Temp\zA1g6.exe probably unknown STEALTH.POLY.CRYPT.TSR.DRIVER virus AMERICAN-Q0JEHN\Mike Burns
    2/7/2004 12:20:38 PM AMON file C:\DOCUME~1\MIKEBU~1\LOCALS~1\Temp\q79GlTU.exe probably unknown STEALTH.POLY.CRYPT.TSR.DRIVER virus error while deleting AMERICAN-Q0JEHN\Mike Burns
    2/2/2004 20:57:22 PM AMON file C:\System Volume Information\_restore{41F948C6-E5A2-444B-9F7E-0DC935BD5CB9}\RP642\A0367029.exe Win32/TrojanDropper.Dater.A trojan renamed to C:\System Volume Information\_restore{41F948C6-E5A2-444B-9F7E-0DC935BD5CB9}\RP642\A0367029.Vexe NT AUTHORITY\SYSTEM





    As earlier, I am having no symptoms. It was suggested that the Stealth virus is a false heuristic positive. I'll leave that to the resident experts.

    EDIT: As for the Opaserv.A worm, am I correct in saying that it does not affect machines running WinXP?

    Cheers,

    MK
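The AMON rows quoted in the post above are hard to read as pasted. As an added example (not NOD32's own code, and not part of the original thread), here is a small Python parser that splits each row into its fields and sorts the hits by where they live (the user's Temp folder versus System Restore) and by whether the verdict is a heuristic one ("probably unknown ..."), which is the distinction the thread keeps coming back to. The column layout is inferred from the rows in the post; the sample lines are copies of three of them.

```python
"""Parse NOD32 AMON log rows into fields and sort the hits for triage.

Added example, not NOD32's own code: the column layout (date, time, module,
object type, path, verdict, optional action, account) is inferred from the rows
pasted in the post, and the sample below is a copy of three of those rows.
"""
import re
from collections import Counter

# Constructed sample: three rows copied from the post, one per case the parser
# has to handle (no action, a failed action, a rename under System Restore).
SAMPLE_LOG = r"""
2/8/2004 10:28:18 AM AMON file C:\DOCUME~1\MIKEBU~1\LOCALS~1\Temp\jN5Rd.exe probably unknown STEALTH.POLY.CRYPT.TSR.DRIVER virus AMERICAN-Q0JEHN\Mike Burns
2/7/2004 20:24:36 PM AMON file C:\DOCUME~1\MIKEBU~1\LOCALS~1\Temp\Q64FV.exe probably unknown STEALTH.POLY.CRYPT.TSR.DRIVER virus error while deleting - error occured while quarantining the object - AMERICAN-Q0JEHN\Mike Burns
2/2/2004 20:57:22 PM AMON file C:\System Volume Information\_restore{41F948C6-E5A2-444B-9F7E-0DC935BD5CB9}\RP642\A0367029.exe Win32/TrojanDropper.Dater.A trojan renamed to C:\System Volume Information\_restore{41F948C6-E5A2-444B-9F7E-0DC935BD5CB9}\RP642\A0367029.Vexe NT AUTHORITY\SYSTEM
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2}:\d{2}\s+[AP]M)\s+"
    r"(?P<module>\S+)\s+"
    r"(?P<kind>\S+)\s+"
    # Paths can contain spaces ("System Volume Information"), so take everything
    # from the drive letter to the first file extension. Assumes directory names
    # carry no dots, which holds for the rows in this log.
    r"(?P<path>[A-Za-z]:\\.+?\.\w+)\s+"
    # The verdict ends in the lowercase word "virus" or "trojan".
    r"(?P<verdict>.+?\b(?:virus|trojan))"
    # Optional free-text action ("error while deleting ...", "renamed to ...").
    r"(?:\s+(?P<action>.+?))?"
    # Trailing account, HOST\User; user names may contain spaces.
    r"\s+(?P<user>(?:NT AUTHORITY|[A-Z0-9-]+)\\[A-Za-z0-9 ]+)$"
)


def classify_path(path):
    """Bucket a hit by where the file sits; both locations matter for cleanup."""
    p = path.upper()
    if "\\SYSTEM VOLUME INFORMATION\\_RESTORE" in p:
        return "system-restore"
    if "\\TEMP\\" in p:
        return "temp"
    return "other"


def parse_amon_line(line):
    """Return a dict of fields for one AMON row, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["action"] = (rec["action"] or "").strip(" -") or None
    # NOD32 marks heuristic-only detections as "probably unknown ... virus".
    rec["heuristic"] = rec["verdict"].startswith("probably unknown")
    rec["location"] = classify_path(rec["path"])
    return rec


def parse_amon_log(text):
    """Parse every non-blank line; return (records, unparsed_lines)."""
    records, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_amon_line(line)
        (records if rec else unparsed).append(rec or line)
    return records, unparsed


def summarize(records):
    """Counts a responder wants first: where the hits live, how many are
    heuristic-only verdicts, and which actions failed (file still on disk)."""
    return {
        "total": len(records),
        "by_location": dict(Counter(r["location"] for r in records)),
        "heuristic": sum(1 for r in records if r["heuristic"]),
        "action_failed": [r["path"] for r in records
                          if r["action"] and r["action"].startswith("error")],
    }


if __name__ == "__main__":
    records, unparsed = parse_amon_log(SAMPLE_LOG)
    for r in records:
        flag = "heuristic" if r["heuristic"] else "signature"
        print(f'{r["date"]:>9} {r["time"]:>11}  {r["location"]:<14} {flag:<9} {r["path"]}')
        if r["action"]:
            print(f'{"":34}action: {r["action"]}')
    print(summarize(records))
    if unparsed:
        print("unparsed rows:", len(unparsed))
```

The regex is deliberately case-sensitive so that the "Trojan" inside a family name such as Win32/TrojanDropper does not end the verdict early; the trailing lowercase "virus" or "trojan" that NOD32 prints is what closes it.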
     
  15. controler

    controler Guest

    Re:Opaserv.A Worm

    All the files NOD found are in your TEMP and System Restore.
    There is no reason why you can't delete your TEMP files.
    Appears those files were created by some install. Do those files look like something you installed? You can always submit those files to NOD or any other software vendors to make sure and wait for their response.
    You can also send them to controler@usermail.com and I will check them for you.

    con
     
  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Re:Opaserv.A Worm

    One thing that might come in handy:
    The full path to that Temp folder
    C:\DOCUMENTS AND SETTINGS\[owner]\LOCAL SETTINGS\Temp

    The Local Settings folder is hidden by default.
    Check here how to "unhide" those: http://www.tacktech.com/display.cfm?ttid=192

    Regards,

    Pieter
     
  17. mklangelo

    mklangelo Registered Member

    Joined:
    Jan 16, 2004
    Posts:
    19
    Location:
    Wisconsin, USA
    Re:Opaserv.A Worm

    Hi con,

    These files will not be deleted, renamed, or cleaned. I was able to get two of the three to the bin. The third would not be moved since it is "in use". I rebooted and one more appeared. I rebooted yet again and there was a third. While in the process of taking the screenshot attached to this post, my machine locked up; I did a warm reboot and there was a FOURTH file. These files are not associated with the OpaServ.A worm; they are the three, excuse me four, bottom files pictured in the screenshot of the window and are the ones NOD32 IDs as the above mentioned Stealth.Poly.Crypt.Tsr.Driver virus (the four have identical properties). I am at a loss.


    - Fixed quote tags and image width to help thread display - LWM
     

    Attached Files:

  18. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
  19. mklangelo

    mklangelo Registered Member

    Joined:
    Jan 16, 2004
    Posts:
    19
    Location:
    Wisconsin, USA
    Re:Opaserv.A Worm

    Randy,

    I'll give two or three of these (online scans) a go this evening. I'm beginning to think I'm dealing with a false heuristic notification but I would still like to know the origin of these files.

    MK
     
  20. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    Those ZLTxxxxx.TMP files belong to Zone Alarm. The one that is locked is the one in use at the moment when Zone Alarm is running. Every time ZA is restarted it creates a new one, which is why every reboot there is one with a different name there.

    However, these files are deleted by ZA when it is shut down cleanly. If you are getting left over ZLT files in your \Temp\ folder it is because ZA is not getting a chance to shut down cleanly when you shut down your system.

    The only time I get left over ZLT files here is if my PC crashes; then obviously ZA was unable to close and delete the specific file it was using at that time.

    You'll need to look at your shutdown... It would appear that it is happening too fast and ZA is not getting a chance to exit on its own and is just killed when the PC is shut down.
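The rule LowWaterMark gives above (one ZLT*.TMP is held open by the running Zone Alarm, and any other one is left over from an unclean shutdown) can be checked from a script rather than by eyeballing the Temp folder. The following is an added example, not Zone Alarm's code and not from anyone in this thread; it assumes ZA opens its file without write sharing, so that a second open for writing fails with PermissionError on Windows, and the lock check is injectable so the sorting logic can be exercised against a constructed scratch folder on any platform.

```python
"""List leftover ZoneAlarm ZLT*.TMP files in a Temp folder.

Added example, not ZoneAlarm's code. It applies the rule from the post above:
the running ZA instance holds exactly one ZLTxxxxx.TMP open and deletes it on a
clean shutdown, so a ZLT*.TMP that nothing has open is an orphan from a crash
or a forced shutdown. Assumption: ZA opens its file without write sharing, so a
second open for writing raises PermissionError on Windows.
"""
import fnmatch
import os
import tempfile
from datetime import datetime


def windows_file_locked(path):
    """True if another process holds the file open without write sharing.
    Only meaningful on Windows; elsewhere the open always succeeds."""
    if os.name != "nt":
        return False
    try:
        with open(path, "r+b"):
            return False
    except PermissionError:
        return True


def find_zlt_files(temp_dir, is_locked=windows_file_locked):
    """Return (live, orphans): lists of (path, mtime) for ZLT*.TMP files,
    orphans oldest first. `is_locked` is injectable so the logic can be
    exercised without a running ZoneAlarm."""
    live, orphans = [], []
    for name in os.listdir(temp_dir):
        # fnmatch is case-sensitive on non-Windows hosts, so normalise first.
        if not fnmatch.fnmatch(name.upper(), "ZLT*.TMP"):
            continue
        path = os.path.join(temp_dir, name)
        entry = (path, datetime.fromtimestamp(os.path.getmtime(path)))
        (live if is_locked(path) else orphans).append(entry)
    orphans.sort(key=lambda e: e[1])
    return live, orphans


def make_demo_temp_dir():
    """Constructed fixture: a scratch folder with two ZLT files and one
    unrelated file, plus a fake lock check that treats the first as live."""
    d = tempfile.mkdtemp(prefix="zlt-demo-")
    for name in ("ZLT0A1B2.TMP", "zlt3c4d5.tmp", "other.txt"):
        with open(os.path.join(d, name), "wb") as f:
            f.write(b"\0" * 16)
    live_name = os.path.join(d, "ZLT0A1B2.TMP")
    return d, (lambda p: p == live_name)


def report(temp_dir, is_locked=windows_file_locked):
    """Human-readable lines: how many files ZA currently holds, then each
    orphan with its timestamp, which dates the crash or forced shutdown."""
    live, orphans = find_zlt_files(temp_dir, is_locked)
    lines = [f"live (in use by ZoneAlarm): {len(live)}"]
    for path, mtime in orphans:
        lines.append(f"orphan  {mtime:%Y-%m-%d %H:%M}  {path}")
    return lines


if __name__ == "__main__":
    # Real use on the affected machine: point at the user's Temp folder.
    target = os.environ.get("TEMP") or tempfile.gettempdir()
    print("\n".join(report(target)))
```

The orphan timestamps are the useful part: each one marks a moment the machine went down without letting ZA exit, which lines up with the lockups mklangelo describes and gives something concrete to correlate with the system event log.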
     
  21. mklangelo

    mklangelo Registered Member

    Joined:
    Jan 16, 2004
    Posts:
    19
    Location:
    Wisconsin, USA
    Low,

    I do get a lot of crashes/lockups. More by a factor of 20 than I ever got running Win98. I have looked high and low for a reason to no avail.

    Thanks,

    Mk
     