Zone Alarm latest update trouble


Tartan Giant
10th Nov 2004, 00:14
Hi guys,

Anybody else having snags after loading the latest ZA (Free) edition update ? Stuck at 5%......... cancel....re-try went through OK second time.
However, after that new update (5.5.062.000) the machine slowed down finding websites, then did not lock onto some of them.

Then ZA asked to allow: dcxrpaeur.exe to use the Internet (as a server); don't recall that permission being sought before......... said no first few times it popped up.
Looked at the file....... two of them.......... looked OK........ gave permission.

Win XP Pro
256 mem
Broad Band

Got fed up with the slow progress trying to access websites, decided to restore to a point I made just before the update, but PC unable to comply!!
Tried other restore points a week old that I had made, same again, no can do!

How does one deny ZA a previous allowed permission for a programme to access the internet? eg that dcxrpaeur.exe for instance!

I'm basically trying to get back to the point before I upgraded to ZA 5.5.062.000 when the machine was just fine (well so I thought minus its inability to restore!).

Any help appreciated.

Cheers

TG

E-Liam
10th Nov 2004, 06:23
Hi TG,

dcxrpaeur.exe is a randomly generated filename by the look of it, possibly a trojan, if it's looking for server access. It may even be specific to stopping ZA work properly.

Please download 'Hijack This!' from here (http://www.thespykiller.co.uk/), unzip, and place it in its own folder, (not in the temp folder, or on the desktop) double-click HijackThis.exe, and hit "Scan". When the scan is finished, click "Save Log", and copy and paste it in a reply.

This will give us a rundown of what’s going on in your PC. One of us here will be glad to analyse it for you. Don’t fix anything yourself yet, as a lot of the stuff on that list will be harmless or required.

Cheers

Liam

swh
10th Nov 2004, 08:52
The latest update looks for illegal copies of the program, and illegal licence files, like those generated by crack programs downloaded off the net.

If an illegal copy is detected, you will be given two weeks to get a legal version, i.e. you get a standard trial period.

Do you have a legal copy ?

Tartan Giant
10th Nov 2004, 10:21
Hi E-Liam,

I've got to leave the fix for two days....... I'm away from home, but when I get back I'll do as you say and report back.

Many thanks.

TG

PS: SWH Do you mean a legal copy of ZA? Yes, registered and all that - and it's only the FREE version, so no big deal anyway.

Tartan Giant
12th Nov 2004, 15:18
Hi E-Liam,

I tried to send the log-file, but the board says there are too many images!

I'll send you a PM and see if we can get round the snag.

Cheers

TG

E-Liam
12th Nov 2004, 17:28
Hi TG,

The first thing you need to do, is to place Hijack This in its own folder (e.g. C:\HJT\….) so it can generate backup files to the same folder; needed should an entry be accidentally deleted. Then please run a new HJT! Scan, and check to fix the following entries, being sure to double check that you haven't missed any. Next, close all browser windows and click the Fix checked button…

O1 - Hosts: 203.161.127.141 www.dcsresearch.com

O3 - Toolbar: Enfish Find... - {1F680408-B58A-40B0-A330-50A344786F97} - C:\Program Files\Enfish Corporation\Client\EtiFndBr.dll

O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)

O4 - HKLM\..\Run: [WindowsRegKey upd4te2d4te] dcxrpaeur.exe

O4 - HKLM\..\RunServices: [WindowsRegKey upd4te2d4te] dcxrpaeur.exe

O4 - HKCU\..\Run: [Slingshot Tray App] C:\Program Files\Enfish Corporation\Client\EtiTray.exe /startup

O4 - HKCU\..\Run: [WindowsRegKey upd4te2d4te] dcxrpaeur.exe

O4 - Global Startup: Image Transfer.lnk = ?

O16 - DPF: EtiGrab - http://www.enfish.com/smart_install/etiGrab.cab

O18 - Protocol: eti - {3AAE7392-E7AA-11D2-969E-00105A088846} - C:\Program Files\Enfish Corporation\Client\EtiPBrkr.dll

Next, please double click on the My Computer icon on the desktop. Go to Tools | Folder Options, click on the View tab and make sure that Show hidden files and folders is checked. Also uncheck Hide protected operating system files. Now click Apply to all folders, then click Apply then OK.

Then boot into safe mode, (see here (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406) for info if needed) and delete the entire contents of the C:\WINNT\Temp folder, but not the folder itself. Next please find and delete the following bolded file...

C:\WINNT\System32\dcxrpaeur.exe

..and this folder...

C:\Program Files\Enfish Corporation

Then please boot back into normal mode and download AdAware SE from here (http://www.lavasoftusa.com/support/download/).

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Next, we need to configure Ad-aware for a full scan.

Click on the Gear icon (second from the left) to access the preferences/settings window

1. In the General window make sure the following are selected:
· Automatically save log-file
· Automatically quarantine objects prior to removal
· Safe Mode (always request confirmation)

2. Click on the Scanning button on the left and select :
· Scan Within Archives
· Scan Active Processes
· Scan Registry
· Deep Scan Registry
· Scan my IE favorites for banned URL’s
· Scan my Hosts file

· Under Click here to select drives + folders, choose:
· All of your hard drives | Proceed

3. Click on the Advanced button on the left and select:
· Include additional process information
· Include additional file information
· Include environment information

4. Click the Tweak button and select:
· Under the Scanning Engine:
· Unload recognized processes & modules during scan
· Include additional Ad-aware settings in logfile
· Under the Cleaning Engine:
· Let Windows remove files in use at next reboot

5. Click on Proceed to save the settings.

6. Click Start and on the next screen choose:
· Use Custom Scanning Options

7. Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

Next, please reboot again and download Spybot - Search & Destroy 1.3 from here (http://security.kolla.de): if you haven't already got the program.

Click on Updates | Download Updates, and follow the prompts.

Next, close all Internet Explorer windows, and click Check for Problems. Once the scan is complete, have SpyBot remove all it finds marked in RED.

Next, please reboot and post a new log for a final once over.

Then, you really need to update your security. XP is on SP2 now, and IE is on SP1. These patches cover huge holes in both operating system and browser. I'd suggest for the OS updates that you get a PC mag disc or similar. If you're on dial up, it takes forever. The IE patches take less time though. Just click on the Windows update button, or go here (http://v4.windowsupdate.microsoft.com/en/default.asp), click Scan for updates in the main frame, and download and install all CRITICAL updates recommended. (Again, unless you're on broadband, do the OS patches off a disc.)

I've just seen that you sent a new PM, so I'll just go and read that, and then I have to pop out for an hour. I'll check up how you're doing later.

Cheers

Liam

---------------------------------------------------------------------------------
A member of the Alliance of Security Analysis Professionals (http://asap.maddoktor2.com/) since 2004.
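The O1/O3/O4 lines above are the parts of a HijackThis log a helper reads first: a hosts-file redirection, a toolbar whose file is gone, and the same value name planted under HKLM Run, HKLM RunServices and HKCU Run, each pointing at a bare filename with no path. The following script is an added example, not part of the thread and not HijackThis code; it parses log lines in that shape and applies those three checks automatically. The sample log is constructed here (it copies the thread's entries and adds one made-up benign autostart line for contrast), and the heuristics are my own assumptions about what a defender would flag, not rules from any tool.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the shape of the HijackThis lines quoted in the thread,
# plus one made-up benign autostart entry ("Example Tray") for contrast.
SAMPLE_LOG = """\
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\\..\\Run: [WindowsRegKey upd4te2d4te] dcxrpaeur.exe
O4 - HKLM\\..\\RunServices: [WindowsRegKey upd4te2d4te] dcxrpaeur.exe
O4 - HKCU\\..\\Run: [Slingshot Tray App] C:\\Program Files\\Enfish Corporation\\Client\\EtiTray.exe /startup
O4 - HKCU\\..\\Run: [WindowsRegKey upd4te2d4te] dcxrpaeur.exe
O4 - HKLM\\..\\Run: [Example Tray] C:\\Program Files\\Example\\tray.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O4"
    reason: str    # why a defender should look at this line
    line: str      # the log line that triggered the finding


O1_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+) (?P<host>\S+)")
O3_RE = re.compile(r"^O3 - Toolbar: .* - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# HijackThis prints unquoted paths that may contain spaces, so the executable
# is recovered by cutting at the first executable-style extension, not at a space.
EXE_RE = re.compile(r"^(?P<exe>.*?\.(?:exe|com|scr|pif|bat|cmd|dll))(?:\s|$)", re.IGNORECASE)


def executable_of(cmd: str) -> str:
    """Return the program part of an autostart command, dropping its arguments."""
    cmd = cmd.strip().strip('"')
    m = EXE_RE.match(cmd)
    return m.group("exe") if m else cmd


def is_bare_filename(exe: str) -> bool:
    """A Run value with no directory is resolved by search path at logon; that hides
    where the file lives, and legitimate installers almost always write a full path."""
    return "\\" not in exe and "/" not in exe


def analyse(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    keys_by_name: dict[str, set[str]] = defaultdict(set)
    first_line_by_name: dict[str, str] = {}

    for line in log_text.splitlines():
        line = line.strip()
        if m := O1_RE.match(line):
            # 127.x entries are the usual ad-blocking hosts lists; anything else
            # silently sends a hostname to a server the user did not choose.
            if not m.group("ip").startswith("127."):
                findings.append(Finding("O1", f"hosts file sends {m.group('host')} to {m.group('ip')}", line))
        elif m := O3_RE.match(line):
            if m.group("path").strip() == "(no file)":
                findings.append(Finding("O3", "toolbar is registered but its file is missing", line))
        elif m := O4_RE.match(line):
            name, exe = m.group("name"), executable_of(m.group("cmd"))
            keys_by_name[name].add(m.group("key"))
            first_line_by_name.setdefault(name, line)
            if is_bare_filename(exe):
                findings.append(Finding("O4", f"autostart '{name}' runs {exe} without a path", line))

    # The same value name under several autostart keys is a persistence pattern,
    # not something a normal installer does.
    for name, keys in keys_by_name.items():
        if len(keys) > 1:
            findings.append(Finding("O4", f"'{name}' is registered in {len(keys)} autostart keys", first_line_by_name[name]))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the constructed sample it reports six findings: the hosts redirection, the dangling toolbar, the three path-less dcxrpaeur.exe autostarts, and the fact that one value name sits in three keys. The Enfish and "Example Tray" lines, which carry full paths, are left alone; whether Enfish stays is the policy question Liam leaves to the user below, not something this check decides.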

Tartan Giant
12th Nov 2004, 19:12
Hello E-Liam,

Many thanks for getting this info to me.

Before I start, I use my ENFISH programme to locate odds and sods from within my PC (it is a superb prog for that), and with the greatest respect I would hesitate to do anything to remove its ability to do that work............ may I double check with you that your instructions will still allow that function to carry on unmolested?


Whilst trying to see what effect this probable Trojan had done, I have stopped its access to the internet via ZA options.

The PC is running as before, as if nothing has happened, but I realise the sodding 'thing' is lying in wait!!!

Another thought is this....... did anybody else get an email (9 Nov) purporting to be from Zone Labs saying the latest version is ready to download........... if not, I have been suckered into accepting this as a genuine update!

The version on the PC right now is:
ZoneAlarm version:5.5.062.000
TrueVector version:5.5.062.000
Driver version:5.5.062.000

Hope I'm not causing grief with my inputs.

Best wishes,

TG

BOAC
12th Nov 2004, 19:44
Hello TG - hope you are well. If it is any consolation the 'upgrade to 5.5' option has come up on my machine via the ZA 'manual update' choice so I think it is genuine - and the URL passed the 'spoof URL' check as well!

Tartan Giant
12th Nov 2004, 19:52
Hello there BOAC,

Many thanks for that.......... so it looks as if the update is the genuine article then..... that's good.

Did you get "pop ups" asking for this damn funny file (dcxrpaeur.exe) asking for access to the net, and as a server to boot?

Whilst awaiting our good friend E-Liam to get back ref my ENFISH query, I am finding myself in very good health!!
Too many of our old mates are going to the big hangar in the sky of late!

Hope you are fit as a fiddle as always.

Cheers

TG

BOAC
12th Nov 2004, 20:06
Good to hear!
Update: Downloaded AND installed ok. No sign of the 'rogue' file request but will let you know.

E-Liam
13th Nov 2004, 07:11
Hi TG,

The reason I highlighted Enfish is because it is regarded as a parasite, and the quote comes from Spywaredata..

http://www.spywaredata.com/spyware/toolbar.php?search_by=progid&search_for=enfish&op=search_submit

Parasiteware is the term for any adware that by default overwrites certain affiliate tracking links. Their behavior is viewed as parasitic because this type of software credits other sites with commissions and in turn lives off what would have been the affiliate's income. To the end user, Parasiteware is not a big security threat.

As you see not a real threat to security, so I'll leave the choice to you.

Cheers

Liam

Tartan Giant
14th Nov 2004, 20:15
Hello Liam, and all,

I've sort of stalled when it came to
"....then please boot back into normal mode......"

Please excuse my ignorance, but from an engines running handover in SAFE MODE (OS XP Pro) having followed your instructions, how does one tell the PC, all is well, go back to running in "normal" mode whilst still in SAFE MODE? :O

Cheers

TG