# ZoneAlarm just alerted me of two weird exe's

Discussion in 'Windows - Virus and spyware problems' started by DeadMan45, May 21, 2007.

Hi,

This morning, before I had even begun to do anything after starting up my PC, ZoneAlarm gave me two alerts of programs trying to access the internet. These programs were "owns settings.exe" and "slowremote.exe". I tried searching Google for these two, but neither turned up anything significant. I ran my anti-virus (NOD32) and it didn't find anything, and I ran two anti-spyware programs (Spybot and Ad-Aware) and they didn't find anything other than the normal ad-related stuff. Has anyone heard of "owns settings.exe" or "slowremote.exe" before?

Here are my PC specs, just in case:

PC Model: HP Pavilion a1410n
CPU: AMD Athlon 64 3800+ (Venice)
Clock: 2.4Ghz
Motherboard: Asus A8N-LA Socket 939, nVidia 6150 Chipset
Memory: 1024MB PC3200 DDR SDRAM (2 x 512mb)
GPU: nVidia GeForce 7300GS 512MB
HDD: 200GB
Operating System: Windows XP Media Center Edition 2005 SP2

If you need a HijackThis log, just say so.

2. ### onya (Guest)

At this point, it may be very obvious that you Deny access to these programs. If this is the first time this has happened, then this should give you a clue as to what software you have installed recently that may be the culprit(s). Zone should give you the directory where these programs are, and if you have no idea how they got there....DELETE 'EM and run a reg cleaner. Do a restart and see if the problem reoccurs. How did you go?

3. ### DeadMan45

That was the first thing I did. Since I had never seen these programs before, and I know they are not essential, I denied them and asked ZA to remember my response. I checked the file path for both. "owns settings.exe" comes from "C:\Documents and Settings\All Users\Application Data\viewclose16junk\" and "slowremote.exe" comes from "C:\Documents and Settings\[user name]\Application Data\chic hide\". I know that both of these folders are unneeded, so I've deleted them. However, there were 3 other programs in the "chic hide" folder (the one with slowremote.exe). They were "jubvugon.exe", "MemoCityThatfour.exe", and "TrayVgaHeart.exe". None of those programs turn up any search results. I'm just curious as to where these came from, and whether they belong to some other malicious file that is even more harmful.

4. ### bluecoal (Guest)

Do you use Messenger 3 Plus?

5. ### DeadMan45

If you mean the Messenger Plus addon for MSN/WLM, I use Messenger Plus! Live for Windows Live Messenger.

6. ### bluecoal (Guest)

Ok, I haven't looked at this issue for a while.

There used to be a product called Messenger 3 Plus - a messenger addon - by a developer named Patchou. If you installed it with sponsors, it also installed an adware issue called Lop.

Try uninstalling Messenger Plus Live (you can reinstall it later without sponsors).

If that doesn't fix it, post back with a HijackThis log, and I'll see if I can find the current steps to help you clear this out.

(The misc tools section of hijackthis has an option for generating a startup list. Also run that and look for a section on task scheduler jobs and post information in that section along with the hjt log.)

7. ### DeadMan45

Well, I don't use Plus 3, I use Plus Live, which is basically Plus 4. But either way, I chose to not support the sponsor crap, so there is no problem there (and on that note, I never support any of the extra crap that comes with programs, like Winamp and the eMusic stuff). After deleting those two folders, I haven't heard from any of those programs, so everything seems fine now. But I'd still like to know where it came from.

8. ### bluecoal (Guest)

Best I can tell you is to research Lop and find out how else it shows up besides messenger addons.

Glad you got the problem sorted.

9. ### Fredil (Regular member)

Huh....

Then, extract HijackThis from its archive and place it in its own folder - NOT on the Desktop! This is important. A good location for HijackThis would be the following path:

C:\HijackThis

The program (HijackThis_v_1.99.1.exe) would go in the folder "HijackThis".

Follow the instructions above, run HijackThis, and make a logfile. Post that logfile in a reply.

10. ### bluecoal (Guest)

If you don't want to post any more logs that is fine - your call.

In relation to being sure your computer is clean, though, I would suggest that you do two things:

Check the Documents and Settings folders for each of the users on your computer for folders that have funny made-up names like you described. There might be more than what you described - they are probably all Lop. If you find anything and want to consult before you delete something, post back.

I also still think you should check the task scheduler. If you run HijackThis and run that list under the misc tools section, look in the task scheduler for jobs that have a string of letters and numbers for a name. If you find something like that, and want help getting it out, post back and I'll find a link and instructions for the tool for you. They are usually locked so that you can't just remove them from the list.

Kaspersky and AVG/Ewido have nice online scans (Kaspersky is scan only, Ewido/AVG is scan and fix) which you could also run to check your system over a little more without having to make additional posts here.

Regards.
bc

11. ### DeadMan45

Although my PC is fine now, I'll post a HijackThis log for further reassurance.

Logfile of HijackThis v1.99.1
Scan saved at 9:07:08 PM, on 22/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\asdf.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ps2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ALCMTR] ALCMTR.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [16 junk sect site] C:\Documents and Settings\All Users\Application Data\viewclose16junk\owns settings.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Microsoft Research Asia\Digital Effects for MSN Messenger\MsgrShl.exe"
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164075356546
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I checked all the user folders in documents and settings. There's nothing else suspicious.

12. ### bluecoal (Guest)

You still have Lop in that log.

I haven't got time right now, probably be tomorrow, but I'll get back with you and tell you what to hunt for and delete. We are going to need the task scheduler info too, I'll see if I can come up with the tool that I want you to use.

I just don't have all that info at my fingertips any more.

Regards.
bc

13. ### bluecoal (Guest)

Not sure if what I see is just leftovers or whether it has reinstalled.

You said you deleted these two folders:
C:\Documents and Settings\All Users\Application Data\viewclose16junk
C:\Documents and Settings\[user name]\Application Data\chic hide

These two lines show in HijackThis:
O4 - HKLM\..\Run: [16 junk sect site] C:\Documents and Settings\All Users\Application Data\viewclose16junk\owns settings.exe

And refer to those locations.

Check again and be sure the folders are gone.
Run HijackThis in scan-only mode and have it fix those two lines.
Reboot the computer and run a new hjt log. We are looking for those 2 lines or something similar. If they come back, task scheduler has a job and another hidden location to reload from. If they stay gone, you are probably ok.

Regards.
bc
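The two checks bluecoal describes in posts 10 and 13 (autorun entries launched from a profile's Application Data folder, and lines that come back after a HijackThis fix and reboot) can be run over a saved log mechanically. The script below is an added example written for this thread, not something from HijackThis or the forum; the sample log lines are constructed from the logs posted above, and the `PROFILE_DATA_RE` heuristic is an assumption of what "suspicious" means here.

```python
import re

# Constructed sample logs: a few lines in HijackThis v1.99.1 format, modelled on the
# two logs posted in this thread (first scan, then the scan taken after the fix).
LOG_BEFORE = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [16 junk sect site] C:\Documents and Settings\All Users\Application Data\viewclose16junk\owns settings.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Microsoft Research Asia\Digital Effects for MSN Messenger\MsgrShl.exe"
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
"""
LOG_AFTER = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"""

# O4 registry Run entry: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# Targets under a user profile's Application Data tree (assumed heuristic). Legitimate
# HKLM Run entries almost never live there; both Lop folders named in this thread did.
PROFILE_DATA_RE = re.compile(
    r'\\Documents and Settings\\[^\\]+\\(?:Local Settings\\)?Application Data\\', re.I)

def parse_o4(line):
    """Parse one O4 registry line into a dict; return None for any other line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group('cmd')
    if cmd.startswith('"'):            # quoted path: take what is inside the quotes
        path = cmd[1:cmd.find('"', 1)]
    else:                              # unquoted path: drop a trailing " /switch"
        path = cmd.split(' /', 1)[0]
    return {'hive': m.group('hive'), 'name': m.group('name'), 'path': path, 'raw': line.strip()}

def parse_log(text):
    """All O4 registry entries of a HijackThis log, in order."""
    return [e for e in map(parse_o4, text.splitlines()) if e]

def suspicious_o4(text):
    """O4 entries whose target sits under a profile's Application Data directory."""
    return [e for e in parse_log(text) if PROFILE_DATA_RE.search(e['path'])]

def came_back(before, after):
    """Flagged entries of the earlier log that are still (or again) in the later log.
    Non-empty after a HijackThis fix plus reboot means something is re-creating them."""
    later = {e['raw'] for e in parse_log(after)}
    return [e for e in suspicious_o4(before) if e['raw'] in later]

if __name__ == '__main__':
    for e in suspicious_o4(LOG_BEFORE):
        print('flagged:', e['raw'])
    print('came back after fix:', [e['name'] for e in came_back(LOG_BEFORE, LOG_AFTER)])
```

Feed it the full "before" and "after" logs instead of the samples to repeat the check on a real machine; an empty `came_back` result is the "they stay gone" outcome bluecoal describes.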

14. ### DeadMan45

I checked for those folders, and neither was in any of the user folders. Then I ran HijackThis again and deleted those two lines. I restarted my PC, and I noticed that my PC was a bit more responsive than before.

Here's my HijackThis scan from after the restart.

Logfile of HijackThis v1.99.1
Scan saved at 1:01:16 PM, on 23/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\asdf.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ps2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ALCMTR] ALCMTR.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164075356546
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I don't see those two lines anymore. But I'd just like to mention that I do have system restore enabled. I'm saying this because that means that my files are backed up on a certain part of the hard drive, including any potential viruses. My friend had once found 100 Trojan viruses inside those backup files. (it was only 1 Trojan multiplying itself). But I got him NOD32 and his PC was like new after. So I know NOD32 is good (which is what I have obviously).

Also, once this Lop problem is solved (if what I just did hasn't already solved it), there is another problem I have noticed. Recently, whenever I start Windows Live Messenger, the window never pops up and I never see the little icon on the bottom left. However, I do see msnmsgr.exe as running in the Task Manager. In order to actually get it to properly open, I put my PC into sleep mode. When I move my mouse to get it back to the desktop, it opens. Also, sometimes Winamp freezes whenever I do something on WLM. It only happens with WLM and nothing else. If WLM is not open, Winamp runs perfectly. However, it does not work the other way around: even if Winamp is closed, WLM still acts weird. I have tried uninstalling and reinstalling both Winamp and WLM, but it still does the same things. For now I'm not using WLM, I'm using Xfire, but I'm thinking of either switching to Miranda or Trillian. Either that or just give in and format.

Anyways, thanks for the help.

Edit: I think my next computer will be a Mac.

15. ### bluecoal (Guest)

The Lop is gone.

Clearing the restore points would resolve the infected restore points issue, but it also removes the restore points. You are aware of the potential issue and you know what to look for in the hjt log if you need to check it again, so I think you can continue as is right now if you want to. (Note: I would probably be criticised in other forums for not instructing you to clear the restore points.)

I do not have the knowledge to help you with the windows live messenger question, you could try a post in the windows software forum if you want.

Upper left corner of this has an online scan
http://www.ewido.net/en/
You could use that as a cross-check on NOD32 if you want to.

