Hi, This morning, before I even begin to do anything after starting up my PC, ZoneAlarm gives me two alerts of programs trying to access the internet. These programs were "owns settings.exe" and "slowremote.exe". I tried searching google for these two, but neither turned up anything significant. I ran my anti-virus (nod32) and it didn't find anything, and I ran two anti-spyware programs (spybot and ad-aware) and they didn't find anything other than the normal ad related stuff. Has anyone heard of "owns settings.exe" or "slowremote.exe" before? Here are my PC specs just in case:
PC Model: HP Pavilion a1410n
CPU: AMD Athlon 64 3800+ (Venice)
Clock: 2.4 GHz
Motherboard: Asus A8N-LA Socket 939, nVidia 6150 Chipset
Memory: 1024MB PC3200 DDR SDRAM (2 x 512MB)
GPU: nVidia GeForce 7300GS 512MB
HDD: 200GB
Operating System: Windows XP Media Center Edition 2005 SP2
If you need a HijackThis log, just say so.
At this point, it may be very obvious that you Deny access to these programs. If this is the first time this has happened, then this should give you a clue as to what software you have installed recently that may be the culprit(s). Zone should give you the directory to where these programs are, and if you have no idea how they got there....DELETE 'EM and run a reg cleaner. Do a restart and see if the problem re-occurs. How did you go?
That was the first thing I did. Since I had never seen these programs before, and I know they are not essential, I denied them and asked ZA to remember my response. I checked the file path for both. "owns settings.exe" comes from "C:\Documents and Settings\All Users\Application Data\viewclose16junk\" and "slowremote.exe" comes from "C:\Documents and Settings\[user name]\Application Data\chic hide\". I know that both of these folders are unneeded, so I've deleted them. However, there were 3 other programs in the "chic hide" folder (the one with slowremote.exe). They were "jubvugon.exe", "MemoCityThatfour.exe", and "TrayVgaHeart.exe". None of those programs turn up any search results. I'm just curious as to where these came from, and if it belongs to some other malicious file that is even more harmful.
If you mean the Messenger Plus addon for MSN/WLM, I use Messenger Plus Live! for Windows Live Messenger.
Ok, I haven't looked at this issue for a while. There used to be a product called messenger 3 plus - a messenger addon - by a developer named patchou. If you installed it with sponsors, it also installed an adware issue called lop. Try uninstalling messenger plus live (you can reinstall it later without sponsors). If that doesn't fix it, post back with a HijackThis log, and I'll see if I can find the current steps to help you clear this out. (The misc tools section of HijackThis has an option for generating a startup list. Also run that and look for a section on task scheduler jobs and post information in that section along with the hjt log.)
Well I don't use plus 3, I use Plus Live, which is basically plus 4. But either way, I chose to not support the sponsor crap, so there is no problem there (and on that note, I never support any of the extra crap that comes with programs, like Winamp and the eMusic stuff). After deleting those two folders, I haven't heard from any of those programs, so everything seems fine now. But I'd still like to know where it came from.
Best I can tell you is to research Lop and find out how else it shows up besides messenger addons. Glad you got the problem sorted.
Huh.... Download HijackThis and post a logfile. You can get HijackThis at this link: link Then, extract HijackThis from its archive and place it in its own folder - NOT on the Desktop! This is important. A good location for HijackThis would be the following path: C:\HijackThis The program (HijackThis_v_1.99.1.exe) would go in the folder "HijackThis". Follow the instructions above, run HijackThis, and make a logfile. Post that logfile in a reply. Edit: Come on, colour tags don't work?
Hi DeadMan45, If you don't want to post any more logs that is fine - your call. In relation to being sure your computer is clean though, I would suggest that you do two things: Check the documents and settings folders for each of the users on your computer for folders that have funny made up names like you described. There might be more than what you described - they are probably all lop. If you find anything and want to consult before you delete something, post back. I also still think you should check the task scheduler. If you run HijackThis and run that list under the misc tools section, look in the task scheduler for jobs that have a string of letters and numbers for a name. If you find something like that, and want help getting it out, post back and I'll find a link and instructions for the tool for you. They are usually locked so that you can't just remove them from the list. Kaspersky and AVG/Ewido have nice online scans (Kaspersky is scan only, Ewido/AVG is scan and fix) which you could also run to check your system over a little more without having to make additional posts here. Regards. bc
Although my PC is fine now, I'll post a HijackThis log for further reassurance.

Logfile of HijackThis v1.99.1
Scan saved at 9:07:08 PM, on 22/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\asdf.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ps2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ALCMTR] ALCMTR.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [16 junk sect site] C:\Documents and Settings\All Users\Application Data\viewclose16junk\owns settings.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Microsoft Research Asia\Digital Effects for MSN Messenger\MsgrShl.exe"
O4 - HKCU\..\Run: [WarnUp] C:\DOCUME~1\HP_ADM~1\APPLIC~1\CHICHI~1\slowremote.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.4.105.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164075356546
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I checked all the user folders in documents and settings. There's nothing else suspicious.
You still have lop in that log. I haven't got time right now, probably be tomorrow, but I'll get back with you and tell you what to hunt for and delete. We are going to need the task scheduler info too, I'll see if I can come up with the tool that I want you to use. I just don't have all that info at my fingertips any more. Regards. bc
Not sure if what I see is just leftovers or whether it has reinstalled. You said you deleted these two folders:
C:\Documents and Settings\All Users\Application Data\viewclose16junk
C:\Documents and Settings\[user name]\Application Data\chic hide
These two lines show in HijackThis:
O4 - HKLM\..\Run: [16 junk sect site] C:\Documents and Settings\All Users\Application Data\viewclose16junk\owns settings.exe
O4 - HKCU\..\Run: [WarnUp] C:\DOCUME~1\HP_ADM~1\APPLIC~1\CHICHI~1\slowremote.exe
and refer to those locations. Check again and be sure the folders are gone. Run HijackThis in scan only mode and have it fix those two lines. Reboot the computer and run a new hjt log. We are looking for those 2 lines or something similar. If they come back, task scheduler has a job and another hidden location to reload from. If they stay gone, you are probably ok. Regards. bc
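The check bc describes above, done mechanically, as an added example that is not code from this thread or from HijackThis: parse the registry O4 Run entries out of a HijackThis log and flag any whose program lives under an Application Data folder, which is where both lop loaders in this thread were sitting. The sample log lines are constructed from entries quoted in the thread (plus benign ones for contrast), and the parser and its heuristics are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: HijackThis-style lines, including the two O4 entries quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [16 junk sect site] C:\Documents and Settings\All Users\Application Data\viewclose16junk\owns settings.exe
O4 - HKCU\..\Run: [WarnUp] C:\DOCUME~1\HP_ADM~1\APPLIC~1\CHICHI~1\slowremote.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# Registry O4 entries look like:  O4 - HKLM\..\Run: [name] command line
O4_RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")
APPDATA_MARKERS = ("\\application data\\", "\\applic~1\\")  # long and 8.3 short forms

@dataclass
class RunEntry:
    hive: str    # HKLM (all users) or HKCU (current user)
    name: str    # value name shown in [...]
    target: str  # file that actually gets executed or loaded

def executable_path(command: str) -> str:
    """Return the program path at the start of a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):  # quoted path, may contain spaces
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.search(r"\.exe", command, re.IGNORECASE)  # unquoted: up to first .exe
    return command[: m.end()] if m else command.split(" ", 1)[0]

def target_path(command: str) -> str:
    """Like executable_path, but for rundll32 return the DLL it is told to load."""
    exe = executable_path(command)
    if not exe.lower().endswith("rundll32.exe"):
        return exe
    rest = command.strip().split(exe, 1)[1].lstrip('" ')  # text after the host exe
    return rest.split(",", 1)[0].strip().strip('"')

def parse_o4(line: str) -> Optional[RunEntry]:
    """Parse one log line; None for anything that is not a registry O4 entry."""
    m = O4_RUN_RE.match(line.strip())
    if not m:
        return None
    hive, _key, name, command = m.groups()
    return RunEntry(hive, name, target_path(command))

def is_appdata_path(path: str) -> bool:
    """True when the file sits under a user's or All Users' Application Data."""
    p = path.lower()
    return any(marker in p for marker in APPDATA_MARKERS)

def flag_suspicious_run_entries(log_text: str) -> List[RunEntry]:
    """Run entries whose target lives in Application Data: worth a second look."""
    entries = (parse_o4(line) for line in log_text.splitlines())
    return [e for e in entries if e is not None and is_appdata_path(e.target)]
```

A hit is a reason to look, not proof of infection; a legitimate per-user updater can also live under Application Data, so check the folder name and the vendor before fixing the line.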
I checked for those folders, and neither was in any of the user folders. Then I ran HijackThis again and deleted those two lines. I restarted my PC, and I noticed that my PC was a bit more responsive than before. Here's my HijackThis scan from after the restart.

Logfile of HijackThis v1.99.1
Scan saved at 1:01:16 PM, on 23/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\asdf.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ps2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ALCMTR] ALCMTR.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.4.105.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164075356546
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I don't see those two lines anymore. But I'd just like to mention that I do have system restore enabled. I'm saying this because that means that my files are backed up on a certain part of the hard drive, including any potential viruses. My friend had once found 100 Trojan viruses inside those backup files. (it was only 1 Trojan multiplying itself). But I got him NOD32 and his PC was like new after. So I know NOD32 is good (which is what I have obviously).
Also, once this lop problem is solved (if what I just did hasn't already solved it), there is another problem I have noticed. Recently, whenever I start Windows Live Messenger, the window never pops up and I never see the little icon on the bottom left. However, I do see msnmsgr.exe as running in the Task Manager. In order to actually get it to properly open, I put my PC into sleep mode. When I move my mouse to get it back to the desktop, it opens. Also, sometimes Winamp freezes whenever I do something on WLM. It only happens with WLM and nothing else. If WLM is not open, Winamp runs perfectly. However, it does not work the other way around; even if Winamp is closed, WLM still acts weird. I have tried uninstalling and reinstalling both Winamp and WLM, but it still does the same things. For now I'm not using WLM, I'm using xfire but I'm thinking of either switching to Miranda or Trillian. Either that or just give in and format. Anyways, thanks for the help. Edit: I think my next computer will be a Mac.
The lop is gone. Clearing the restore points would resolve the infected restore points issue, but it also removes the restore points. You are aware of the potential issue and you know what to look for in the hjt log if you need to check it again, so I think you can continue as is right now if you want to. (Note: I would probably be criticised in other forums for not instructing you to clear the restore points.) I do not have the knowledge to help you with the windows live messenger question, you could try a post in the windows software forum if you want. Upper left corner of this has an online scan http://www.ewido.net/en/ You could use that as a cross check on nod if you want to.
Thanks a lot for the help. Regarding WLM and Winamp, I'll post that question on a forum dedicated to MSN/WLM/Messengers. I'll check more into clearing my restore points. I might clear all but one (which will be a checkpoint for today). Edit: I was reading up on clearing system restore points, and I read that turning off system restore on all drives is the best thing to do because I can always manually create restore points. So that's what I'll do.