
Help with removing zonealarm search, or should I remove it?


  • This topic is locked
54 replies to this topic

#1 blmer2

    Advanced Member

  • Full Member
  • 192 posts

Posted 13 January 2013 - 04:33 PM

Hello everyone,

 

I recently updated (re-registered) my ZoneAlarm firewall. I must have missed a check-box or something going through the installation; in any case, afterward my web browser defaulted to ZoneAlarm Search as its homepage. I thought I got rid of it by changing the settings back, but it still comes up every time I open a new tab. I don't suppose this is an actual problem, but I would like to remove it if I don't need it for some reason.

 

Also, there is now a "ZoneAlarm Diagnostics Tool" installed on my start menu, which I presume came from the same installation.  Anyway, I didn't put it there.  I don't know what it does or is supposed to do, but I'd also rather not have it unless it's necessary, or useful.

 

I will appreciate your help removing these or, if I should keep them, help explain why I should keep them.

 

I don't believe I am having any malware problems, at least not that I know of.

 

I'm attaching the logs below.

 

Thank you in advance for your help.

 

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.01.13.07

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
Dwain :: DWAIN-PC [administrator]

1/13/2013 12:35:44 PM
mbam-log-2013-01-13 (12-35-44).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 310703
Time elapsed: 22 minute(s), 6 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:05:15 PM, on 1/13/2013
Platform: Windows 7  (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
c:\windows\system32\oem\setEvent.exe
C:\spyware_stuff\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe
C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\real\realplayer\Update\realsched.exe
C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\spyware_stuff\hijack_this_204_new\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.gate...45v1m5k4891r250
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.zoneal...=&tstsId=&ver=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.gate...45v1m5k4891r250
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.gate...45v1m5k4891r250
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Zonealarm Helper Object - {2A841F7A-A014-4DA5-B6D9-8B913DFB7A8C} - C:\Program Files (x86)\Check Point Software Technologies LTD\zonealarm\1.8.3.16\bh\zonealarm.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\spyware_stuff\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: ZoneAlarm Do Not Track - {6E45F3E8-2683-4824-A6BE-08108022FB36} - C:\Program Files (x86)\DoNotTrackPlus\IE\DNTPAddon.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
O2 - BHO: ZoneAlarm Security Engine Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
O3 - Toolbar: ZoneAlarm Security Toolbar - {438FAE3E-BDEF-44D3-AB8B-0C7C8350DF59} - C:\Program Files (x86)\Check Point Software Technologies LTD\zonealarm\1.8.3.16\zonealarmTlbr.dll
O3 - Toolbar: ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [BackupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" -h -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Gateway Photo Frame] C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe -A
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [TkBellExe] "c:\program files (x86)\real\realplayer\Update\realsched.exe" -osboot
O4 - HKLM\..\Run: [ZoneAlarm] "C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\spyware_stuff\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\spyware_stuff\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\spyware_stuff\Spybot - Search & Destroy\SDHelper.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: GRegService (Greg_Service) - Acer Incorporated - C:\Program Files (x86)\Gateway\Registration\GregHSRW.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: ZoneAlarm LTD Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NTI IScheduleSvc - NewTech Infosystems, Inc. - C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\spyware_stuff\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\servicing\TrustedInstaller.exe,-100 (TrustedInstaller) - Unknown owner - C:\Windows\servicing\TrustedInstaller.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Updater Service - Acer - C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 11186 bytes
 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 8.0.7600.16385  BrowserJavaVersion: 1.6.0_37
Run by Dwain at 13:58:06 on 2013-01-13
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.6109.4386 [GMT -7:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: ZoneAlarm Free Firewall Firewall *Enabled* {E6380B7E-D4B2-19F1-083E-56486607704B}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Windows\System32\igfxtray.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\hkcmd.exe
C:\Program Files (x86)\Gateway\Registration\GregHSRW.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Windows\System32\OEM\RunCmd_X64.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
c:\windows\system32\oem\setEvent.exe
C:\spyware_stuff\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe
C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\real\realplayer\Update\realsched.exe
C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe
C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\spyware_stuff\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.zonealarm.com/?src=hp&tbid=base2013&Lan=en&gu=76cd7793f3664e98a3385667460a02b6&tu=10GX000632B000c&sku=&tstsId=&ver=&
uDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=dx4822&r=173601106206p0345v1m5k4891r250
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=dx4822&r=173601106206p0345v1m5k4891r250
mDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=dx4822&r=173601106206p0345v1m5k4891r250
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Zonealarm Helper Object: {2A841F7A-A014-4DA5-B6D9-8B913DFB7A8C} - C:\Program Files (x86)\Check Point Software Technologies LTD\zonealarm\1.8.3.16\bh\zonealarm.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\spyware_stuff\Spybot - Search & Destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: ZoneAlarm Do Not Track: {6E45F3E8-2683-4824-A6BE-08108022FB36} - C:\Program Files (x86)\DoNotTrackPlus\IE\DNTPAddon.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: ZoneAlarm Security Engine Registrar: {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: ZoneAlarm Security Engine: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
TB: ZoneAlarm Security Toolbar: {438FAE3E-BDEF-44D3-AB8B-0C7C8350DF59} - C:\Program Files (x86)\Check Point Software Technologies LTD\zonealarm\1.8.3.16\zonealarmTlbr.dll
TB: ZoneAlarm Security Engine: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll
uRun: [SpybotSD TeaTimer] C:\spyware_stuff\Spybot - Search & Destroy\TeaTimer.exe
mRun: [BackupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" -h -k
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Gateway Photo Frame] C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe -A
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [TkBellExe] "c:\program files (x86)\real\realplayer\Update\realsched.exe" -osboot
mRun: [ZoneAlarm] "C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\spyware_stuff\Spybot - Search & Destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
TCP: NameServer = 75.75.76.76 75.75.75.75
TCP: Interfaces\{EA8713C9-52CC-42DD-A388-B7B0CCC5398B} : DHCPNameServer = 75.75.76.76 75.75.75.75
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
x64-mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=dx4822&r=173601106206p0345v1m5k4891r250
x64-mDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=dx4822&r=173601106206p0345v1m5k4891r250
x64-BHO: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE64.dll
x64-BHO: ZoneAlarm Security Engine Registrar: {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
x64-TB: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE64.dll
x64-TB: ZoneAlarm Security Engine: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
x64-Run: [PLD_FrameworkRun] C:\Windows\System32\oem\RunCMD_X64.exe C:\Windows\System32\oem\OKTOLaunch_PLD_Framework.cmd
x64-Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
x64-Run: [ISW] C:\Program Files\CheckPoint\ZAForceField\ForceField.exe /icon="hidden"
x64-Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Dwain\AppData\Roaming\Mozilla\Firefox\Profiles\yv0pqt1v.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: keyword.URL - hxxp://search.zonealarm.com/search?src=sp&tbid=base2013&Lan=en&q={searchTerms}&gu=76cd7793f3664e98a3385667460a02b6&tu=10GX000632B000c&sku=&tstsId=&ver=&
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.51204.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
FF - plugin: C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\npFFApi.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_287.dll
FF - plugin: C:\Windows\SysWOW64\npdeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
FF - ExtSQL: 2013-01-10 13:59; ffxtlbr@zonealarm.com; C:\Users\Dwain\AppData\Roaming\Mozilla\Firefox\Profiles\yv0pqt1v.default\extensions\ffxtlbr@zonealarm.com
FF - ExtSQL: 2013-01-10 13:59; donottrack@checkpoint.com; C:\Users\Dwain\AppData\Roaming\Mozilla\Firefox\Profiles\yv0pqt1v.default\extensions\donottrack@checkpoint.com
FF - ExtSQL: 2013-01-10 13:59; {FFB96CC1-7EB3-449D-B827-DB661701C6BB}; C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.zonealarm.autoRvrt - false
FF - user.js: extensions.zonealarm_i.hmpg - true
FF - user.js: extensions.zonealarm.hmpgUrl - hxxp://search.zonealarm.com/?src=hp&tbid=base2013&Lan=en&gu=76cd7793f3664e98a3385667460a02b6&tu=10GX000632B000c&sku=&tstsId=&ver=&
FF - user.js: extensions.zonealarm.dfltSrch - true
FF - user.js: extensions.zonealarm.srchPrvdr - Search By ZoneAlarm
FF - user.js: extensions.zonealarm.keyWordUrl - hxxp://search.zonealarm.com/search?src=sp&tbid=base2013&Lan=en&q={searchTerms}&gu=76cd7793f3664e98a3385667460a02b6&tu=10GX000632B000c&sku=&tstsId=&ver=&
FF - user.js: extensions.zonealarm_i.dnsErr - true
FF - user.js: extensions.zonealarm_i.newTab - true
FF - user.js: extensions.zonealarm.newTabUrl - hxxp://search.zonealarm.com/?src=nt&tbid=base2013&Lan=en&gu=76cd7793f3664e98a3385667460a02b6&tu=10GX000632B000c&sku=&tstsId=&ver=&
FF - user.js: extensions.zonealarm.tlbrSrchUrl - hxxp://search.zonealarm.com/search?src=tb&tbid=base2013&Lan={dfltLng}&gu=76cd7793f3664e98a3385667460a02b6&tu=10GX000632B000c&sku=&tstsId=&ver=&&q=
FF - user.js: extensions.zonealarm.id - 72e4623f000000000000002511ae8ac3
FF - user.js: extensions.zonealarm.appId - {C56C48A0-DA4E-46F6-9859-1553DC865F84}
FF - user.js: extensions.zonealarm.instlDay - 15715
FF - user.js: extensions.zonealarm.vrsn - 1.8.3.16
FF - user.js: extensions.zonealarm.vrsni - 1.8.3.16
FF - user.js: extensions.zonealarm_i.vrsnTs - 1.8.3.1613:55:19
FF - user.js: extensions.zonealarm.prtnrId - checkpoint
FF - user.js: extensions.zonealarm.prdct - zonealarm
FF - user.js: extensions.zonealarm.aflt - 1025
FF - user.js: extensions.zonealarm_i.smplGrp - none
FF - user.js: extensions.zonealarm.tlbrId - base2013
FF - user.js: extensions.zonealarm.instlRef - ZLN15253760944344-1001
FF - user.js: extensions.zonealarm.dfltLng - en
FF - user.js: extensions.zonealarm.excTlbr - false
FF - user.js: extensions.zonealarm.admin - false
.
============= SERVICES / DRIVERS ===============
.
R0 pavboot;pavboot;C:\Windows\System32\drivers\pavboot64.sys [2010-4-11 33800]
R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2011-6-26 984144]
R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2010-1-7 370288]
R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2010-1-7 25232]
R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2010-1-7 71600]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2012-11-17 44808]
R2 Greg_Service;GRegService;C:\Program Files (x86)\Gateway\Registration\GregHSRW.exe [2009-6-4 1150496]
R2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys [2011-11-3 33712]
R2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe [2011-11-3 828072]
R2 NTI IScheduleSvc;NTI IScheduleSvc;C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [2009-8-12 62208]
R2 SBSDWSCService;SBSD Security Center Service;C:\spyware_stuff\Spybot - Search & Destroy\SDWinSec.exe [2010-1-8 1153368]
R2 Updater Service;Updater Service;C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe [2009-8-27 240160]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;C:\Windows\System32\drivers\e1y62x64.sys [2009-8-27 287960]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;C:\Windows\System32\drivers\IntcHdmi.sys [2009-8-27 138752]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-2-28 1255736]
.
=============== Created Last 30 ================
.
2013-01-10 20:55:25    --------    d-----w-    C:\Program Files (x86)\DoNotTrackPlus
2013-01-10 20:55:19    --------    d-----w-    C:\Program Files (x86)\Check Point Software Technologies LTD
2013-01-05 18:48:07    --------    d-----w-    C:\Users\Dwain\AppData\Local\Programs
.
==================== Find3M  ====================
.
2012-12-14 23:49:28    24176    ----a-w-    C:\Windows\System32\drivers\mbam.sys
2012-12-13 18:49:42    450136    ----a-w-    C:\Windows\System32\drivers\vsdatant.sys
2012-10-30 23:51:55    984144    ----a-w-    C:\Windows\System32\drivers\aswSnx.sys
2012-10-30 23:51:55    71600    ----a-w-    C:\Windows\System32\drivers\aswMonFlt.sys
2012-10-30 23:51:07    41224    ----a-w-    C:\Windows\avastSS.scr
2012-10-22 21:35:15    73656    ----a-w-    C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-10-22 21:35:15    696760    ----a-w-    C:\Windows\SysWow64\FlashPlayerApp.exe
.
============= FINISH: 13:58:27.55 ===============
 

 Results of screen317's Security Check version 0.99.56  
 Windows 7  x64 (UAC is enabled)  
 Out of date service pack!!
 Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Disabled!  
avast! Antivirus   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````
 Out of date HijackThis  installed!
 Spybot - Search & Destroy
 Malwarebytes Anti-Malware version 1.70.0.1100  
 HijackThis 2.0.2    
 CCleaner     
 Java™ 6 Update 37  
 Java version out of Date!
 Adobe Flash Player 10 Flash Player out of Date!
  Adobe Flash Player 11.4.402.287 Flash Player out of Date!  
 Adobe Reader 9 Adobe Reader out of Date!
 Mozilla Firefox (18.0)
````````Process Check: objlist.exe by Laurent````````  
 Alwil Software Avast5 AvastSvc.exe  
 Alwil Software Avast5 AvastUI.exe  
 CheckPoint ZoneAlarm vsmon.exe  
 CheckPoint ZoneAlarm zatray.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 14% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
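As an added example (not a tool from this thread, nor from the HijackThis, DDS or ZoneAlarm authors): a small Python script that reads the IE R0/R1 entries of a HijackThis log and the Firefox prefs.js/user.js lines of a DDS log, and reports every homepage, search or new-tab setting whose URL points at a host the machine's owner did not choose. The sample log lines and the set of expected hosts (www.msn.com, go.microsoft.com) are constructed for the example, modelled on the line formats in the logs above; the parser only understands those two line shapes and treats non-URL values (local pages, booleans, empty values) as harmless.

```python
"""Flag browser homepage/search settings that point at an unexpected host.

Added example for this thread, not code from the forum or from the
HijackThis / DDS / ZoneAlarm authors.  SAMPLE_LOG and EXPECTED_HOSTS are
constructed for the example.
"""
import re
from urllib.parse import urlparse

# Constructed sample: HijackThis-style R0/R1 entries plus DDS-style FF lines.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.zonealarm.com/?src=hp&tbid=base2013
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: keyword.URL - hxxp://search.zonealarm.com/search?src=sp&q={searchTerms}
FF - user.js: extensions.zonealarm.newTabUrl - hxxp://search.zonealarm.com/?src=nt&tbid=base2013
FF - user.js: extensions.zonealarm.dfltSrch - true
"""

# Assumption for the example: the owner considers MSN and Microsoft's
# fwlink redirector the legitimate destinations for homepage/search settings.
EXPECTED_HOSTS = {"www.msn.com", "go.microsoft.com"}

# "R0 - HKCU\<key>,<name> = <value>"  (value may be empty)
HJT_RE = re.compile(r"^R[01] - (HKCU|HKLM)\\(.+?),([^=]+?)\s*=\s*(.*)$")
# "FF - prefs.js: <pref> - <value>"
DDS_FF_RE = re.compile(r"^FF - (prefs\.js|user\.js): (\S+) - (.*)$")


def refang(value):
    """DDS writes hxxp:// so URLs are not clickable; restore the scheme for parsing."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", value.strip(), flags=re.IGNORECASE)


def url_host(value):
    """Return the lowercase host if value is an http(s) URL, otherwise None."""
    parsed = urlparse(refang(value))
    if parsed.scheme in ("http", "https") and parsed.hostname:
        return parsed.hostname.lower()
    return None


def parse_settings(log_text):
    """Yield (source, setting, value) for each IE registry or Firefox pref line."""
    for line in log_text.splitlines():
        line = line.rstrip()
        m = HJT_RE.match(line)
        if m:
            hive, key, name, value = m.groups()
            yield ("IE:" + hive, key + "," + name, value)
            continue
        m = DDS_FF_RE.match(line)
        if m:
            pref_file, pref, value = m.groups()
            yield ("Firefox:" + pref_file, pref, value)


def find_overrides(log_text, expected_hosts=EXPECTED_HOSTS):
    """Return (source, setting, host) for every URL-valued setting whose host
    is not in expected_hosts.  Non-URL values cannot redirect the browser and
    are ignored."""
    hits = []
    for source, setting, value in parse_settings(log_text):
        host = url_host(value)
        if host is not None and host not in expected_hosts:
            hits.append((source, setting, host))
    return hits


def hosts_in_overrides(log_text, expected_hosts=EXPECTED_HOSTS):
    """Distinct unexpected hosts, most frequently referenced first."""
    counts = {}
    for _, _, host in find_overrides(log_text, expected_hosts):
        counts[host] = counts.get(host, 0) + 1
    return sorted(counts, key=lambda h: (-counts[h], h))


if __name__ == "__main__":
    for source, setting, host in find_overrides(SAMPLE_LOG):
        print(f"{source:18} {setting:55} -> {host}")
    print("unexpected hosts:", hosts_in_overrides(SAMPLE_LOG))
```

Run against a real pair of logs, the output groups the IE start page, the Firefox keyword.URL and the extension's newTabUrl under one host, which is what the logs above show: the toolbar extension sets `extensions.zonealarm_i.newTab` and `newTabUrl` in user.js, so resetting the homepage alone leaves the new-tab page pointing at the same search site, matching the behaviour the first post describes.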
 

 

 

 



#2 cnm

    Mother Lion of SWI

  • Administrators
  • 25,279 posts

Posted 14 January 2013 - 06:53 PM

Hello blmer2.

I'm sorry you paid for ZA, as the built-in Windows 7 firewall is excellent. If you don't mind losing the money, I'd recommend completely removing ZA (I'll give directions) and enabling the Windows firewall.

If you want to keep ZA we can try to trim it and restore default searches.

The Diagnostic Tool is used if you ever ask for ZA support. Otherwise it just sits there and isn't doing any harm. I'd leave it alone if you keep ZA.
See http://www.zonealarm...4369#post294369

Please download ComboFix.exe to your Desktop. Visit this webpage for download links, and instructions for running the tool:
how-to-use-combofix. Be sure to read the whole page and note the graphics so you know what to expect.

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please go here to see a list of programs that should be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall**

Please include the C:\ComboFix.txt in your next reply for further review, and let me know what problems remain.
If ComboFix causes any error message, rebooting again should fix it.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#3 blmer2

    Advanced Member

  • Full Member
  • 192 posts

Posted 15 January 2013 - 07:40 PM

Hello CNM,

 

I'm actually running the ZoneAlarm free firewall.  I've been using it for several years and just renewed it when these came up. 

 

I don't have any objection to removing it, if that's easiest, whereas I do object to having it take over my browser/search functions like it did. So we can go ahead with removing it as far as I'm concerned.

 

I didn't run the Combofix, in case it's not necessary if I remove ZoneAlarm.  But I can go ahead and run it if necessary.

 

Thank you for your help.



#4 cnm

Posted 15 January 2013 - 07:53 PM

Totally uninstall Zone Alarm, using the Revo Uninstaller.
Download and run the free version of Revo Uninstaller.
Select Zone Alarm and click Uninstall.
Set it to 'Advanced' and click Scan.
Revo will do this:
Step 1. Create restore point.
Step 2. Run the official Zone Alarm uninstaller.
Step 3. When uninstaller finishes, click Scan in Revo and it will search for remnants (make sure it is set to Advanced). Delete everything found (Select All, Delete All).
Reboot if asked to.

 

Edit: Be sure to enable Windows Firewall after you uninstall Zone Alarm.  

Start > Windows Firewall, click 'Windows Firewall Properties' and turn it on.

 

You have some questionable add-ons so it would be a good idea to run ComboFix.


Edited by cnm, 15 January 2013 - 10:48 PM.



#5 blmer2

Posted 16 January 2013 - 05:52 PM

Hello CNM,

 

I uninstalled the ZoneAlarm per your instructions.  I haven't run the Combofix yet, but I wanted to check out some of the uninstall results with you first.  I just want to be sure everything went the way it was supposed to go.

 

When I ran the uninstaller it found ZoneAlarm Firewall, ZoneAlarm Security Toolbar (which I assume was what was coming up on Firefox), and a ZoneAlarm "Do Not Track".  I didn't know this last one was on there, so I assume it came with the new installation.  I uninstalled all three.  When I ran the uninstaller it already started to run at the moderate level, so I couldn't check the Advanced button.  I was able to check the advanced button afterward, when I did the scan. 

 

When I went to start the Windows firewall it indicated the firewall was on.  I had checked before I started, just to make sure I knew what to do before I uninstalled the ZoneAlarm, and it indicated the firewall was off.  So, did it start automatically when I uninstalled ZoneAlarm?

Also, the firewall status shows that it's connected for a public network, but not for a home or private network.  Is this the way it's supposed to be?  I'm not quite sure what this means.

And, one more thing, I don't see anything on the taskbar showing that the firewall is functioning.  It did previously show that ZoneAlarm was running and does still show that my antivirus is running.  Is this the way it's supposed to be?

 

If everything is in order at this point I'll go ahead and run the Combofix.

 

Thank you for your help.



#6 cnm

Posted 16 January 2013 - 07:06 PM

The Windows Firewall won't show on the taskbar.

But I find there are two versions of it - who knew - and I think I told you the wrong one. Or anyway the wrong interface.

Please go to Control Panel > System and Security > Windows Firewall. Make sure "Home or work (private) networks" shows as Connected.

Click "Turn Windows Firewall on or off" (on the left) to make sure it is On.




#7 blmer2

Posted 17 January 2013 - 12:07 AM

Hello cnm,

 

Well, this is getting interesting, it's taking me places I've never been before.

 

I couldn't get to the firewall the way you described originally, so I did use the control panel to check on it in the first place.

 

I went back to the firewall settings and when I clicked the down arrow on the "Home or Work Network" bar, near where it says I'm not connected, it shows that the Windows Firewall is on.  The same as it shows for the public network.

 

I found the Network and Sharing Center.  When I open it it shows that my PC is connected to a public network which is connected to the internet.  But I'm not sure what all that means.

 

What I have is just a single PC connected to a cable modem from my provider.  I'm not using wireless or anything, and I don't have a laptop to take out and use a wireless connection.  So this PC is it.  I do see that there is an option to connect to another network, but I wouldn't know of anything to connect to if I wanted to (which I guess I don't).  As far as I know this is the only network connection I've ever had, although I'm not sure what it means that my provider's network is public.

 

So, anyway, does this mean I'm protected by the firewall? 

 

Thank you for your help.



#8 cnm

Posted 17 January 2013 - 12:13 AM

Is NewTech Infosystems your ISP? 

Do please run ComboFix (directions above) and we'll see what it makes of the situation.




#9 blmer2

Posted 17 January 2013 - 04:24 PM

Hello cnm,

 

I ran Combofix and will post the log below.

 

My ISP is Comcast (or maybe Xfinity, I'm not exactly sure which name they go by at the moment).

I haven't heard of NewTech Infosystems before, so I looked them up to see if they're in the internet business, or maybe related to Comcast.  It looks like they're a software company making backup programs and such.  I don't know what the program on my computer is; it's not something I've ever knowingly used.  So I don't know what to think about it.

 

I'm not sure it's worth noting, but when I was preparing to run Combofix, the Windows firewall was on for both the public and private network settings.  I disabled both and re-enabled them afterwards, so maybe it's working regardless of the type of network connection (which still isn't clear to me).

 

Here is the Combofix log.

 

Thank you for your help.

 

ComboFix 13-01-17.03 - Dwain 01/17/2013  13:58:18.1.2 - x64
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.6109.4933 [GMT -7:00]
Running from: c:\users\Dwain\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Dwain\eppexwin306en.exe
c:\users\Dwain\mp760vst64620en.exe
c:\users\Dwain\mpnmp760win116ea13.exe
c:\users\Dwain\mypwin230en.exe
.
.
(((((((((((((((((((((((((   Files Created from 2012-12-17 to 2013-01-17  )))))))))))))))))))))))))))))))
.
.
2013-01-17 21:02 . 2013-01-17 21:02    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-01-16 22:15 . 2013-01-16 22:15    --------    d-----w-    c:\users\Dwain\AppData\Local\VS Revo Group
2013-01-16 22:15 . 2009-12-30 18:21    31800    ----a-w-    c:\windows\system32\drivers\revoflt.sys
2013-01-05 18:48 . 2013-01-05 18:48    --------    d-----w-    c:\users\Dwain\AppData\Local\Programs
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-14 23:49 . 2010-01-09 01:10    24176    ----a-w-    c:\windows\system32\drivers\mbam.sys
2012-10-30 23:51 . 2010-01-08 00:50    59728    ----a-w-    c:\windows\system32\drivers\aswTdi.sys
2012-10-30 23:51 . 2011-06-26 23:56    984144    ----a-w-    c:\windows\system32\drivers\aswSnx.sys
2012-10-30 23:51 . 2010-01-08 00:50    370288    ----a-w-    c:\windows\system32\drivers\aswSP.sys
2012-10-30 23:51 . 2010-01-08 00:50    71600    ----a-w-    c:\windows\system32\drivers\aswMonFlt.sys
2012-10-30 23:51 . 2010-01-08 00:50    25232    ----a-w-    c:\windows\system32\drivers\aswFsBlk.sys
2012-10-30 23:51 . 2010-07-01 15:55    41224    ----a-w-    c:\windows\avastSS.scr
2012-10-30 23:50 . 2010-01-08 00:50    227648    ----a-w-    c:\windows\SysWow64\aswBoot.exe
2012-10-30 23:50 . 2011-01-21 21:46    285328    ----a-w-    c:\windows\system32\aswBoot.exe
2012-10-22 21:35 . 2012-10-22 21:35    696760    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2012-10-22 21:35 . 2012-02-07 00:54    73656    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"BackupManagerTray"="c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" [2009-08-12 244480]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Gateway Photo Frame"="c:\program files (x86)\Gateway Photo Frame\ButtonMonitor.exe" [2009-07-20 124416]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2012-10-30 4297136]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"TkBellExe"="c:\program files (x86)\real\realplayer\Update\realsched.exe" [2011-06-25 273544]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [2009-12-30 31800]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-02-28 1255736]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot64.sys [2009-06-30 33800]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-10-30 71600]
S2 Greg_Service;GRegService;c:\program files (x86)\Gateway\Registration\GregHSRW.exe [2009-06-04 1150496]
S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [2009-08-12 62208]
S2 SBSDWSCService;SBSD Security Center Service;c:\spyware_stuff\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Updater Service;Updater Service;c:\program files\Gateway\Gateway Updater\UpdaterService.exe [2009-07-04 240160]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y62x64.sys [2009-06-12 287960]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-05-25 138752]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
iissvcs    REG_MULTI_SZ       w3svc was
apphost    REG_MULTI_SZ       apphostsvc
getPlusHelper    REG_MULTI_SZ       getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-06 18:45]
.
2013-01-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-06 18:45]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-10-30 23:50    133400    ----a-w-    c:\program files\Alwil Software\Avast5\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-06-09 165912]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-06-09 385560]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-06-09 365080]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-07-20 7981088]
"PLD_FrameworkRun"="c:\windows\System32\oem\RunCMD_X64.exe" [2009-08-11 337920]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-11-02 2710856]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.zonealarm.com/?src=hp&tbid=base2013&Lan=en&gu=76cd7793f3664e98a3385667460a02b6&tu=10GX000632B000c&sku=&tstsId=&ver=&
uLocal Page = c:\windows\system32\blank.htm
mDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=dx4822&r=173601106206p0345v1m5k4891r250
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=dx4822&r=173601106206p0345v1m5k4891r250
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
FF - ProfilePath - c:\users\Dwain\AppData\Roaming\Mozilla\Firefox\Profiles\yv0pqt1v.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - ExtSQL: 2013-01-10 13:59; donottrack@checkpoint.com; c:\users\Dwain\AppData\Roaming\Mozilla\Firefox\Profiles\yv0pqt1v.default\extensions\donottrack@checkpoint.com
FF - user.js: extensions.zonealarm.autoRvrt - false
FF - user.js: extensions.zonealarm_i.hmpg - true
FF - user.js: extensions.zonealarm.hmpgUrl - hxxp://search.zonealarm.com/?src=hp&tbid=base2013&Lan=en&gu=76cd7793f3664e98a3385667460a02b6&tu=10GX000632B000c&sku=&tstsId=&ver=&
FF - user.js: extensions.zonealarm.dfltSrch - true
FF - user.js: extensions.zonealarm.srchPrvdr - Search By ZoneAlarm
FF - user.js: extensions.zonealarm.keyWordUrl - hxxp://search.zonealarm.com/search?src=sp&tbid=base2013&Lan=en&q={searchTerms}&gu=76cd7793f3664e98a3385667460a02b6&tu=10GX000632B000c&sku=&tstsId=&ver=&
FF - user.js: extensions.zonealarm_i.dnsErr - true
FF - user.js: extensions.zonealarm_i.newTab - true
FF - user.js: extensions.zonealarm.newTabUrl - hxxp://search.zonealarm.com/?src=nt&tbid=base2013&Lan=en&gu=76cd7793f3664e98a3385667460a02b6&tu=10GX000632B000c&sku=&tstsId=&ver=&
FF - user.js: extensions.zonealarm.tlbrSrchUrl - hxxp://search.zonealarm.com/search?src=tb&tbid=base2013&Lan={dfltLng}&gu=76cd7793f3664e98a3385667460a02b6&tu=10GX000632B000c&sku=&tstsId=&ver=&&q=
FF - user.js: extensions.zonealarm.id - 72e4623f000000000000002511ae8ac3
FF - user.js: extensions.zonealarm.appId - {C56C48A0-DA4E-46F6-9859-1553DC865F84}
FF - user.js: extensions.zonealarm.instlDay - 15715
FF - user.js: extensions.zonealarm.vrsn - 1.8.3.16
FF - user.js: extensions.zonealarm.vrsni - 1.8.3.16
FF - user.js: extensions.zonealarm_i.vrsnTs - 1.8.3.1613:55
FF - user.js: extensions.zonealarm.prtnrId - checkpoint
FF - user.js: extensions.zonealarm.prdct - zonealarm
FF - user.js: extensions.zonealarm.aflt - 1025
FF - user.js: extensions.zonealarm_i.smplGrp - none
FF - user.js: extensions.zonealarm.tlbrId - base2013
FF - user.js: extensions.zonealarm.instlRef - ZLN15253760944344-1001
FF - user.js: extensions.zonealarm.dfltLng - en
FF - user.js: extensions.zonealarm.excTlbr - false
FF - user.js: extensions.zonealarm.admin - false
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10b.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10b.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
@Denied: (A 2) (Everyone)
@="IFlashBroker2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-01-17  14:04:02
ComboFix-quarantined-files.txt  2013-01-17 21:04
.
Pre-Run: 907,868,270,592 bytes free
Post-Run: 907,504,914,432 bytes free
.
- - End Of File - - 061C8193C98C8F29CB533FDAA8722738

#10 cnm

Posted 17 January 2013 - 05:11 PM

I find that the NewTech is a backup manager which is preinstalled on various PCs, including Gateway. I gather that you have a Gateway PC. If you use some other backup method you can consider uninstalling it with Revo; otherwise keep it.  Currently it is automatically starting with Windows and is a waste of resources if you don't use it.  If you decide to uninstall it, please do that before running ComboFix.

Windows Firewall: Go to Control Panel > Network and Internet.  If there is a network shown, click on its blue link. In the window you get, select 'Home network'.

Make sure the box for 'Treat all future networks..' is unchecked.

Then when you go to Windows Firewall it should show Public as Not connected.  Let me know how that goes.

A lot of ZoneAlarm settings are showing in the ComboFix log.  (Did you really delete everything Revo found?)

Since the log is three days old:

Please run ComboFix again and post the new log.

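The point cnm makes in #10 (ZoneAlarm search and homepage settings still sitting in the ComboFix log after the uninstall) is something a reader can check mechanically. The script below is an added example for this thread, not code from the thread, from ComboFix or from ZoneAlarm. It parses the "uStart Page", "FF - prefs.js:" and "FF - user.js:" line formats exactly as they appear in the log above, groups every browser-steering setting (homepage, new tab, address-bar and toolbar search, default provider) by the host it points at, and lists every user.js preference still carrying a vendor prefix. The sample log lines are constructed for the example (the profile path is made up), and the list of "steering" preference suffixes is my choice based on the keys shown in this thread.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of ComboFix's "Supplementary Scan" section
# (same line formats as the log posted in this thread; URLs defanged as "hxxp",
# which is how ComboFix prints them).  These lines are made up for the example.
SAMPLE_LOG = r"""
uStart Page = hxxp://search.zonealarm.com/?src=hp&tbid=base2013&Lan=en
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409
FF - ProfilePath - c:\users\example\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - user.js: extensions.zonealarm.hmpgUrl - hxxp://search.zonealarm.com/?src=hp&tbid=base2013
FF - user.js: extensions.zonealarm.dfltSrch - true
FF - user.js: extensions.zonealarm.srchPrvdr - Search By ZoneAlarm
FF - user.js: extensions.zonealarm.keyWordUrl - hxxp://search.zonealarm.com/search?src=sp&q={searchTerms}
FF - user.js: extensions.zonealarm.newTabUrl - hxxp://search.zonealarm.com/?src=nt&tbid=base2013
FF - user.js: extensions.zonealarm.vrsn - 1.8.3.16
""".strip()

# "FF - prefs.js: <name> - <value>" and "FF - user.js: <name> - <value>"
PREF_LINE = re.compile(r"^FF - (prefs\.js|user\.js): (\S+) - (.*)$")
# "uStart Page = ..." (current user) / "mStart Page = ..." (machine-wide) for IE
START_PAGE = re.compile(r"^([um])(Start Page|Default_Page_URL) = (.*)$")

# Settings that decide where the browser goes without the user typing a URL:
# homepage, new-tab page, address-bar search, toolbar search and default
# search provider.  A bundled installer that writes these is the "search
# takeover" the thread is about, and they survive a plain uninstall.
# (Suffix list chosen for this example from the keys visible in the thread.)
STEERING_SUFFIXES = {
    "hmpgUrl", "newTabUrl", "keyWordUrl", "tlbrSrchUrl", "dfltSrch",
    "srchPrvdr", "homepage", "Start Page", "Default_Page_URL",
}


def host_of(value):
    """Host part of a (possibly defanged hxxp) URL, or None if not a URL."""
    m = re.match(r"^h(?:tt|xx)ps?://([^/?#]+)", value)
    return m.group(1).lower() if m else None


def parse_log(text):
    """Pull every browser-setting line out of the log into dicts."""
    findings = []
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:
            source, name, value = m.groups()
            findings.append({"source": source, "name": name, "value": value})
            continue
        m = START_PAGE.match(line)
        if m:
            scope, name, value = m.groups()
            source = "IE-user" if scope == "u" else "IE-machine"
            findings.append({"source": source, "name": name, "value": value})
    return findings


def steering_settings(findings):
    """Only the settings that redirect browsing (see STEERING_SUFFIXES)."""
    return [f for f in findings
            if f["name"].rsplit(".", 1)[-1] in STEERING_SUFFIXES]


def steering_hosts(findings):
    """Map each host a steering setting points at to the settings naming it.

    One host collecting several settings at once (homepage + new tab + search)
    is the signature of a bundled toolbar, not of a user's own choice.
    """
    hosts = defaultdict(set)
    for f in steering_settings(findings):
        h = host_of(f["value"])
        if h:
            hosts[h].add(f["name"])
    return {h: sorted(names) for h, names in hosts.items()}


def vendor_leftovers(findings, prefix="extensions.zonealarm"):
    """user.js prefs still carrying a vendor prefix, i.e. what an uninstall missed."""
    return sorted(f["name"] for f in findings
                  if f["source"] == "user.js" and f["name"].startswith(prefix))


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for host, names in sorted(steering_hosts(found).items()):
        print(f"{host}: {', '.join(names)}")
    print("leftover vendor prefs:", vendor_leftovers(found))
```

Run it against a real ComboFix.txt by reading the file into `parse_log` instead of `SAMPLE_LOG`; a host that owns the homepage, the new-tab page and the search URLs at the same time, plus a block of `extensions.<vendor>` prefs, is exactly what the CFScript later in this thread has to clean up by hand.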


#11 blmer2

Posted 17 January 2013 - 07:03 PM

Hello cnm,

 

I don't know about the NewTech backup manager.  It's not something I've ever consciously used, but I don't know if it's doing something in the background.  As far as backups go, I back up my data and documents, and occasionally photos or something, on CDs, but I don't do anything else.  I don't have a lot else to back up, except program files and such.  I don't believe the NewTech is bothering me, since I didn't know it was there.  So I can uninstall, or not if it might be useful.

Regarding the firewall, under "Network and Sharing Center" (which was under "Network and Internet"), I found a network shown as "Network 2".  Underneath this is a "public network" blue link which opens up the window I believe you referred to.  It has options for Home network, Work network and Public network.  I didn't change anything, wanting to double check first.  I just want to be sure this won't affect the connection or something.  And I'm not sure why it should be "Network 2", or if that's important.  I've never had another network, to my knowledge, and I don't see a "Network 1" anywhere.  Is any of this a problem, or should I just go ahead and make the change?

 

I think I deleted everything, but Revo did start running at the "moderate" level before I could select "advanced", so maybe that was a problem.  Should I run it again?

 

Actually, I just ran Combofix a few minutes before I posted the log in my last reply.  So I don't know where an earlier date came from.  I can run it again if needed, but I've already restored the firewall, antivirus and Spybot after the last time I ran it.  Not a big deal.

 

Thank you for your help.

#12 cnm

Posted 17 January 2013 - 08:07 PM

For some reason Windows 7 always calls it Network 2.  Go ahead and click its link, and change it to Home (and make sure the 'Treat all..' box is unchecked).

 

I'm sort of baffled by the ZoneAlarm items in the ComboFix log.  (You're right, it was run today.  I was looking at the wrong date.)  I'll give directions for fixing but first I'd like your Windows Firewall to be in order.




#13 blmer2

Posted 18 January 2013 - 06:14 PM

Hello cnm,

 

I've switched the network setting over to Home network.  Then I rebooted just for good measure.  Now the firewall window shows that I'm connected to the Home network, and the firewall is on.  It also shows that I'm not connected to the Public network, although the firewall is shown as on there as well.  I guess this means everything is in order?

 

I await your further instructions.

 

Thank you for your help.



#14 cnm

Posted 18 January 2013 - 06:47 PM

That's a relief.

Now please do these important security updates:
Update Adobe Reader (uncheck the option box for McAfee scan) 
Update Adobe Flash Player
Updating Java:

  • Go here and download the latest version of Java:
  • Go to Start -> Control Panel -> Add or Remove Programs.
    • Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
    • They should have this icon next to any that are there:  javaicon.gif
    • Select any found and choose Uninstall.
  • Then install the version you downloaded earlier - but note that even the latest version is vulnerable, so don't install unless you use some web site that requires it.

After that =============================
Please do the following to get rid of ZoneAlarm remnants:

1. Open notepad and copy/paste the text in the quotebox below into it:

KILLALL::
ClearJavaCache::
DDS::
mRun: [ZoneAlarm] "C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe"
uStart Page = hxxp://search.zonealarm.com/?src=hp&tbid=base2013&Lan=en&gu=76cd7793f3664e98a3385667460a02b6&tu=10GX000632B000c&sku=&tstsId=&ver=&

Firefox::
FF - ProfilePath - c:\users\Dwain\AppData\Roaming\Mozilla\Firefox\Profiles\yv0pqt1v.default\
FF - ExtSQL: 2013-01-10 13:59; donottrack@checkpoint.com; c:\users\Dwain\AppData\Roaming\Mozilla\Firefox\Profiles\yv0pqt1v.default\extensions\donottrack@checkpoint.com
FF - user.js: extensions.zonealarm.autoRvrt - false
FF - user.js: extensions.zonealarm_i.hmpg - true
FF - user.js: extensions.zonealarm.hmpgUrl - hxxp://search.zonealarm.com/?src=hp&tbid=base2013&Lan=en&gu=76cd7793f3664e98a3385667460a02b6&tu=10GX000632B000c&sku=&tstsId=&ver=&
FF - user.js: extensions.zonealarm.dfltSrch - true
FF - user.js: extensions.zonealarm.srchPrvdr - Search By ZoneAlarm
FF - user.js: extensions.zonealarm.keyWordUrl - hxxp://search.zonealarm.com/search?src=sp&tbid=base2013&Lan=en&q={searchTerms}&gu=76cd7793f3664e98a3385667460a02b6&tu=10GX000632B000c&sku=&tstsId=&ver=&
FF - user.js: extensions.zonealarm_i.dnsErr - true
FF - user.js: extensions.zonealarm_i.newTab - true
FF - user.js: extensions.zonealarm.newTabUrl - hxxp://search.zonealarm.com/?src=nt&tbid=base2013&Lan=en&gu=76cd7793f3664e98a3385667460a02b6&tu=10GX000632B000c&sku=&tstsId=&ver=&
FF - user.js: extensions.zonealarm.tlbrSrchUrl - hxxp://search.zonealarm.com/search?src=tb&tbid=base2013&Lan={dfltLng}&gu=76cd7793f3664e98a3385667460a02b6&tu=10GX000632B000c&sku=&tstsId=&ver=&&q=
FF - user.js: extensions.zonealarm.id - 72e4623f000000000000002511ae8ac3
FF - user.js: extensions.zonealarm.appId - {C56C48A0-DA4E-46F6-9859-1553DC865F84}
FF - user.js: extensions.zonealarm.instlDay - 15715
FF - user.js: extensions.zonealarm.vrsn - 1.8.3.16
FF - user.js: extensions.zonealarm.vrsni - 1.8.3.16
FF - user.js: extensions.zonealarm_i.vrsnTs - 1.8.3.1613:55
FF - user.js: extensions.zonealarm.prtnrId - checkpoint
FF - user.js: extensions.zonealarm.prdct - zonealarm
FF - user.js: extensions.zonealarm.aflt - 1025
FF - user.js: extensions.zonealarm_i.smplGrp - none
FF - user.js: extensions.zonealarm.tlbrId - base2013
FF - user.js: extensions.zonealarm.instlRef - ZLN15253760944344-1001
FF - user.js: extensions.zonealarm.dfltLng - en
FF - user.js: extensions.zonealarm.excTlbr - false
FF - user.js: extensions.zonealarm.admin - false

Save this as CFScript.txt, in the same location as ComboFix.exe

2. Close any open browsers.

3. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I shall require in your next reply.
Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

Please include the newly-created C:\ComboFix.txt in your next reply, and let me know how things are running now ;)



#15 blmer2

Posted 18 January 2013 - 07:31 PM

Hello cnm,

 

I've updated Adobe Reader; it had been prompting me to do that for a few days now, anyway.  I left the McAfee box unchecked; I normally try to avoid such things as it is. The update didn't say anything about Adobe Flash, and I wasn't sure I was using it, although I thought so.  I found these 2 programs on the program list:  "Adobe Flash Player 10 Active X" and "Adobe Flash Player 11 Plugin".  I don't know exactly what they are, or if they comprise a Flash Player program.  Should I uninstall them and install a new one?

 

I downloaded the Java update and uninstalled the one old version in the program list.  I'm not sure if I should install the new one or not.  I don't know that I use a specific website that requires it, but I occasionally encounter some website, on no regular basis, that makes me update, which is normally when I do an update.  Otherwise I never think about it.  Right now the exe file is just sitting on my desktop. 

 

Thank you for your help.



#16 cnm

Posted 18 January 2013 - 07:36 PM

If a site requires Java you can install it then.  That is probably the safest thing.

I think you can also wait to install the Flash until asked for it.

 

Now please run the ComboFix script and post the new log...




#17 blmer2

Posted 19 January 2013 - 01:57 PM

Hello cnm,

 

I just ran Combofix with the script.  I'll attach the log below.

 

I don't know if it's worth noting or not but in both Combofix runs I received a prompt that a newer version was available.  I updated in both cases.  

 

Anyway, here is the log.

 

Thank you for your help.

 

ComboFix 13-01-17.04 - Dwain 01/19/2013  11:20:33.2.2 - x64
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.6109.4967 [GMT -7:00]
Running from: c:\users\Dwain\Desktop\ComboFix.exe
Command switches used :: c:\users\Dwain\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2012-12-19 to 2013-01-19  )))))))))))))))))))))))))))))))
.
.
2013-01-19 18:36 . 2013-01-19 18:38    --------    d-----w-    c:\users\Dwain\AppData\Local\temp
2013-01-19 18:36 . 2013-01-19 18:36    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-01-16 22:15 . 2013-01-16 22:15    --------    d-----w-    c:\users\Dwain\AppData\Local\VS Revo Group
2013-01-16 22:15 . 2009-12-30 18:21    31800    ----a-w-    c:\windows\system32\drivers\revoflt.sys
2013-01-05 18:48 . 2013-01-05 18:48    --------    d-----w-    c:\users\Dwain\AppData\Local\Programs
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-14 23:49 . 2010-01-09 01:10    24176    ----a-w-    c:\windows\system32\drivers\mbam.sys
2012-10-30 23:51 . 2010-01-08 00:50    59728    ----a-w-    c:\windows\system32\drivers\aswTdi.sys
2012-10-30 23:51 . 2011-06-26 23:56    984144    ----a-w-    c:\windows\system32\drivers\aswSnx.sys
2012-10-30 23:51 . 2010-01-08 00:50    370288    ----a-w-    c:\windows\system32\drivers\aswSP.sys
2012-10-30 23:51 . 2010-01-08 00:50    71600    ----a-w-    c:\windows\system32\drivers\aswMonFlt.sys
2012-10-30 23:51 . 2010-01-08 00:50    25232    ----a-w-    c:\windows\system32\drivers\aswFsBlk.sys
2012-10-30 23:51 . 2010-07-01 15:55    41224    ----a-w-    c:\windows\avastSS.scr
2012-10-30 23:50 . 2010-01-08 00:50    227648    ----a-w-    c:\windows\SysWow64\aswBoot.exe
2012-10-30 23:50 . 2011-01-21 21:46    285328    ----a-w-    c:\windows\system32\aswBoot.exe
2012-10-22 21:35 . 2012-10-22 21:35    696760    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2012-10-22 21:35 . 2012-02-07 00:54    73656    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"BackupManagerTray"="c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" [2009-08-12 244480]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-12-19 41208]
"Gateway Photo Frame"="c:\program files (x86)\Gateway Photo Frame\ButtonMonitor.exe" [2009-07-20 124416]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2012-10-30 4297136]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"TkBellExe"="c:\program files (x86)\real\realplayer\Update\realsched.exe" [2011-06-25 273544]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [2009-12-30 31800]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-02-28 1255736]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot64.sys [2009-06-30 33800]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-10-30 71600]
S2 Greg_Service;GRegService;c:\program files (x86)\Gateway\Registration\GregHSRW.exe [2009-06-04 1150496]
S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [2009-08-12 62208]
S2 SBSDWSCService;SBSD Security Center Service;c:\spyware_stuff\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Updater Service;Updater Service;c:\program files\Gateway\Gateway Updater\UpdaterService.exe [2009-07-04 240160]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y62x64.sys [2009-06-12 287960]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-05-25 138752]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
iissvcs    REG_MULTI_SZ       w3svc was
apphost    REG_MULTI_SZ       apphostsvc
getPlusHelper    REG_MULTI_SZ       getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-06 18:45]
.
2013-01-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-06 18:45]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-10-30 23:50    133400    ----a-w-    c:\program files\Alwil Software\Avast5\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-06-09 165912]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-06-09 385560]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-06-09 365080]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-07-20 7981088]
"PLD_FrameworkRun"="c:\windows\System32\oem\RunCMD_X64.exe" [2009-08-11 337920]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-11-02 2710856]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=dx4822&r=173601106206p0345v1m5k4891r250
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=dx4822&r=173601106206p0345v1m5k4891r250
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
FF - ProfilePath - c:\users\Dwain\AppData\Roaming\Mozilla\Firefox\Profiles\yv0pqt1v.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - ExtSQL: 2013-01-10 13:59; donottrack@checkpoint.com; c:\users\Dwain\AppData\Roaming\Mozilla\Firefox\Profiles\yv0pqt1v.default\extensions\donottrack@checkpoint.com
FF - user.js: extensions.zonealarm.autoRvrt - false
FF - user.js: extensions.zonealarm_i.hmpg - true
FF - user.js: extensions.zonealarm.hmpgUrl - hxxp://search.zonealarm.com/?src=hp&tbid=base2013&Lan=en&gu=76cd7793f3664e98a3385667460a02b6&tu=10GX000632B000c&sku=&tstsId=&ver=&
FF - user.js: extensions.zonealarm.dfltSrch - true
FF - user.js: extensions.zonealarm.srchPrvdr - Search By ZoneAlarm
FF - user.js: extensions.zonealarm.keyWordUrl - hxxp://search.zonealarm.com/search?src=sp&tbid=base2013&Lan=en&q={searchTerms}&gu=76cd7793f3664e98a3385667460a02b6&tu=10GX000632B000c&sku=&tstsId=&ver=&
FF - user.js: extensions.zonealarm_i.dnsErr - true
FF - user.js: extensions.zonealarm_i.newTab - true
FF - user.js: extensions.zonealarm.newTabUrl - hxxp://search.zonealarm.com/?src=nt&tbid=base2013&Lan=en&gu=76cd7793f3664e98a3385667460a02b6&tu=10GX000632B000c&sku=&tstsId=&ver=&
FF - user.js: extensions.zonealarm.tlbrSrchUrl - hxxp://search.zonealarm.com/search?src=tb&tbid=base2013&Lan={dfltLng}&gu=76cd7793f3664e98a3385667460a02b6&tu=10GX000632B000c&sku=&tstsId=&ver=&&q=
FF - user.js: extensions.zonealarm.id - 72e4623f000000000000002511ae8ac3
FF - user.js: extensions.zonealarm.appId - {C56C48A0-DA4E-46F6-9859-1553DC865F84}
FF - user.js: extensions.zonealarm.instlDay - 15715
FF - user.js: extensions.zonealarm.vrsn - 1.8.3.16
FF - user.js: extensions.zonealarm.vrsni - 1.8.3.16
FF - user.js: extensions.zonealarm_i.vrsnTs - 1.8.3.1613:55
FF - user.js: extensions.zonealarm.prtnrId - checkpoint
FF - user.js: extensions.zonealarm.prdct - zonealarm
FF - user.js: extensions.zonealarm.aflt - 1025
FF - user.js: extensions.zonealarm_i.smplGrp - none
FF - user.js: extensions.zonealarm.tlbrId - base2013
FF - user.js: extensions.zonealarm.instlRef - ZLN15253760944344-1001
FF - user.js: extensions.zonealarm.dfltLng - en
FF - user.js: extensions.zonealarm.excTlbr - false
FF - user.js: extensions.zonealarm.admin - false
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Notify-igfxcui - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10b.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10b.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
@Denied: (A 2) (Everyone)
@="IFlashBroker2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\oem\setEvent.exe
.
**************************************************************************
.
Completion time: 2013-01-19  11:40:49 - machine was rebooted
ComboFix-quarantined-files.txt  2013-01-19 18:40
ComboFix2.txt  2013-01-17 21:04
.
Pre-Run: 906,841,493,504 bytes free
Post-Run: 906,539,720,704 bytes free
.
- - End Of File - - 535668497F82B0A1E4EBD223223F8139
 



#18 cnm

    Mother Lion of SWI

  • Administrators
  • 25,279 posts

Posted 19 January 2013 - 03:29 PM

Hmm. Combofix didn't take those extensions out.

Please run Firefox.
In the Firefox (Alt) menu bar, click "Help" and select "Troubleshooting Information".
Under Application Basics, next to Profile Folder click "Show Folder".
In the profile that opens, there may be a ZoneAlarm or Checkpoint folder. Delete that folder or let me know that it wasn't there.

 

If delete succeeded please close Firefox, then run DDS again and post its DDS.txt log so we can see if ZA is all gone.


Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE
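A defender-side way to audit the Firefox prefs that the ComboFix log above lists under "FF - user.js:", written in Python as an added example (not code from the thread, ComboFix or DDS); the sample lines, the trusted-host list and the pref-name hints are constructed for the example.

```python
"""Audit Firefox prefs for homepage, new-tab and search-provider overrides.

Added example, not code from the thread or from ComboFix/DDS. It reads the
"FF - user.js: <pref> - <value>" lines those tools print (and raw
user_pref(...) lines copied from a profile's user.js) and reports prefs that
point the homepage, new tab or search box at a host the user did not choose.
Firefox re-applies user.js on every start, on top of prefs.js, which is why
a homepage changed in the UI keeps coming back until the user.js entries go.
"""
import re
from typing import Dict, List, Tuple

# Constructed subset of the ComboFix lines above (hxxp = defanged http).
SAMPLE_LOG = """\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - user.js: extensions.zonealarm.autoRvrt - false
FF - user.js: extensions.zonealarm_i.hmpg - true
FF - user.js: extensions.zonealarm.hmpgUrl - hxxp://search.zonealarm.com/?src=hp&tbid=base2013
FF - user.js: extensions.zonealarm.dfltSrch - true
FF - user.js: extensions.zonealarm.srchPrvdr - Search By ZoneAlarm
FF - user.js: extensions.zonealarm_i.newTab - true
FF - user.js: extensions.zonealarm.newTabUrl - hxxp://search.zonealarm.com/?src=nt&tbid=base2013
FF - user.js: extensions.zonealarm.prtnrId - checkpoint
"""

# One log line per pref: "FF - <file>: <pref> - <value>".
LOG_LINE = re.compile(r"^FF - (?P<file>user\.js|prefs\.js): (?P<pref>\S+) - (?P<value>.*)$")
# A raw line from user.js: user_pref("name", value);
RAW_LINE = re.compile(r'^\s*user_pref\("(?P<pref>[^"]+)",\s*(?P<value>.*?)\);\s*$')
# Accepts http/https and the defanged hxxp/hxxps forms used in forum logs.
URL_RE = re.compile(r"^h(?:tt|xx)ps?://(?P<host>[^/?#\s]+)", re.I)
# Fragments (checked against the lower-cased pref name) that mark a pref as
# steering the homepage, new tab, search box or keyword lookups. Heuristic,
# chosen for this example from the pref names in the log.
STEERING_HINTS = ("hmpg", "homepage", "newtab", "srch", "search", "keyword")

Finding = Tuple[str, str, str, str]  # (pref, kind, detail, source file)


def parse_prefs(text: str) -> Dict[str, Tuple[str, str]]:
    """Map pref name -> (source file, value) from log lines or raw pref lines."""
    prefs: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            prefs[m["pref"]] = (m["file"], m["value"].strip())
            continue
        m = RAW_LINE.match(line)
        if m:
            prefs[m["pref"]] = ("user.js", m["value"].strip().strip('"'))
    return prefs


def audit_prefs(prefs: Dict[str, Tuple[str, str]], trusted_hosts=()) -> List[Finding]:
    """Flag steering prefs whose URL host is not trusted, plus the boolean
    switches and provider names that turn such overrides on."""
    trusted = {h.lower() for h in trusted_hosts}
    findings: List[Finding] = []
    for pref, (src, value) in sorted(prefs.items()):
        if not any(hint in pref.lower() for hint in STEERING_HINTS):
            continue
        m = URL_RE.match(value)
        if m:
            host = m["host"].lower()
            if host not in trusted:
                findings.append((pref, "url", host, src))
        elif value.lower() == "true":
            findings.append((pref, "enabled", value, src))
        elif value.lower() != "false":
            findings.append((pref, "provider", value, src))
    return findings


def redirect_hosts(findings: List[Finding]) -> List[str]:
    """Distinct hosts that the flagged prefs redirect to."""
    return sorted({detail for _, kind, detail, _ in findings if kind == "url"})


def persistent_findings(findings: List[Finding]) -> List[Finding]:
    """Findings stored in user.js, which survive changes made in the UI."""
    return [f for f in findings if f[3] == "user.js"]


if __name__ == "__main__":
    found = audit_prefs(parse_prefs(SAMPLE_LOG), trusted_hosts=["www.msn.com"])
    for pref, kind, detail, src in found:
        print(f"{src:8} {kind:8} {pref} -> {detail}")
    print("redirect hosts:", ", ".join(redirect_hosts(found)))
```

Run against the real profile, the same parser takes the contents of user.js directly; anything it reports from user.js will reappear at the next Firefox start until that file entry is removed.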


#19 blmer2

    Advanced Member

  • Full Member
  • 192 posts

Posted 19 January 2013 - 07:45 PM

Hello cnm,

 

There wasn't a ZoneAlarm or a Checkpoint folder in that location.  I did notice a ZoneAlarm Do Not Track extension farther down the troubleshooting information page, if that's important in any way.

 

Thank you for your help.



#20 cnm

    Mother Lion of SWI

  • Administrators
  • 25,279 posts

Posted 19 January 2013 - 07:56 PM

Delete (or disable if you can't delete) any ZoneAlarm extensions you find.

The simplest way to get rid of them would be to uninstall Firefox and reinstall it. If you want to remove your Firefox user data and settings, put a check mark in the box that says Remove my Firefox personal data and customizations. If you select this option, Firefox will not preserve your bookmarks, saved passwords, and other data if it is installed again.

I don't know if this is practical for you - do you have user data you wouldn't want to lose?



#21 blmer2

    Advanced Member

  • Full Member
  • 192 posts

Posted 20 January 2013 - 12:55 AM

Hello cnm,

 

I guess I could uninstall Firefox.  I don't think I'd lose much, but I don't know exactly what user data might be there.  I have only a few bookmarks, which could easily be put back.  But I have been using it for quite a while, so I don't know what could be there.

 

I'm not sure I know how to uninstall it.  Would I just use the control panel?  And how would I get it back, just download it with Internet Explorer?  Which I never use.  I did notice a reset Firefox button on the troubleshooting window, would that do it?

 

I guess I'd also want to know what other alternatives are there for removing the extensions?  Or, what if they're just left as is?  I'm in pretty unfamiliar territory here, obviously.

 

Thanks again for your help.



#22 cnm

    Mother Lion of SWI

  • Administrators
  • 25,279 posts

Posted 20 January 2013 - 01:33 AM

The main thing that would make you want to save your data is if you have your passwords stored in FF.  Removing your user data will remove everything in your FF profile.

Uninstall Firefox via Control Panel

An uninstall wizard will run.  Steps 6 - 7.
If you want to remove your Firefox user data and settings, put a check mark in the box that says Remove my Firefox personal data and customizations.

 

Then just reinstall it.




#23 blmer2

    Advanced Member

  • Full Member
  • 192 posts

Posted 20 January 2013 - 03:08 PM

Hello cnm,

 

I've uninstalled and reinstalled Firefox.  No apparent problems, other than it doesn't exactly perform the way I was used to. I expect it will come to approximate the way I had it as I use it a while.

 

The ZoneAlarm extension does not show up in the troubleshooting window now. 

 

Where do we go from here?

 

Thank you for your help.



#24 cnm

    Mother Lion of SWI

  • Administrators
  • 25,279 posts

Posted 20 January 2013 - 04:18 PM

It looks as though your Windows 7 doesn't have Service Pack 1.

It would be a good idea to defragment your C: disk first (it's somewhat heavily fragmented):

Start > Disk Defragmenter.  Schedule it for once a week or so.  Then click 'Defragment disk'

The first defrag may take a long time but you can do other things while it is running.

 

 

Read  Learn how to install Windows 7 Service Pack 1 (SP1)

Summarizing:

To learn if Windows 7 SP1 is already installed

  • Click the Start button, right-click Computer, and then click Properties.

    If Service Pack 1 is listed under Windows edition, SP1 is already installed on your computer.

If it doesn't say Service Pack 1 under Windows edition:

Click 'Windows Update' near the bottom of the left column.  Click 'Change settings' and make sure it is set to automatically install updates.  Then 'Check for updates'. Get SP 1. 

 




#25 blmer2

    Advanced Member

  • Full Member
  • 192 posts

Posted 20 January 2013 - 06:29 PM

Hello cnm,

 

I can go ahead and defrag.  I've never thought to check since there's so much free disk space.

 

The properties window doesn't show SP1, so I guess I don't have it.  I can do that too.

 

In the meantime, I did actually find one issue since I re-installed.  I've found that now I can't control my printer from within Firefox, i.e. I can't access the printer properties to change to greyscale printing, for example.  I can do this normally outside Firefox, and could within Firefox before I re-installed.  I wonder if you know what I might need to do to fix this?

 

Thank you for your help.

 

 



#26 cnm

    Mother Lion of SWI

  • Administrators
  • 25,279 posts

Posted 20 January 2013 - 07:11 PM

You had Canon\Easy-PhotoPrint plugin.  However I don't see it on the Mozilla site and I think it may be somewhat questionable.
 
See if you like either of these:
https://addons.mozil...update/?src=api

https://addons.mozil...niversal-print/

 

Or open Firefox,  do Tools > Add-ons, 'Get Add-ons'.  Search for 'print'.

 

 

Make sure you get SP 1 and then all other security updates.  You are very vulnerable.




#27 blmer2

    Advanced Member

  • Full Member
  • 192 posts

Posted 20 January 2013 - 08:16 PM

Hello cnm,

 

I ran the defrag.  The program showed that it was 15% fragmented to start.

 

I'll look at the add-ons.  I've since been able to access the printer properties while on a different webpage, but haven't been back to check where I first encountered the problem.

 

As far as the windows updates go, I'm not able to check for updates and am getting an "unknown" error message, code 8007002, when I click "Check for updates".  This error code does not show up in the pop-up error help list.

 

I should probably note that I've kept the windows update set to the "notify me about updates" setting for quite a while now.  I normally only have the computer on when I want to do something in particular and I became annoyed when updates would run all of a sudden then pop up and want me to reboot the computer while I was right in the middle of something.  I'm not sure if that has anything to do with this or not.  I did change it back to automatic, as advised.

 

Anyway, where do we go from here.

 

Thank you for your help.



#28 cnm

    Mother Lion of SWI

  • Administrators
  • 25,279 posts

Posted 20 January 2013 - 08:21 PM

You can set the updates to "Download updates but let me choose whether to install them", or "Check for updates but let me choose whether to download and install them".

 

But there seems to be something wrong.

 

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Check all the boxes.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
 



#29 blmer2

    Advanced Member

  • Full Member
  • 192 posts

Posted 21 January 2013 - 02:44 PM

Hello cnm,

 

I ran the scan and will post the log below.

 

I think that second update option you described is what I'd been running.  I was just paraphrasing off the top of my head.  Anyway, I guess I'll use that option after we're done here, whether it's what I used before or not.

 

Incidentally, when I turned the computer on today, there was a notice that Windows could not automatically check for updates.  Clicking the notice to check for updates now returned the same error message.  Not sure if that's significant or not.

 

Here is the log.

 

Thank you for your help.

 

Farbar Service Scanner Version: 16-01-2013
Ran by Dwain (administrator) on 21-01-2013 at 12:33:51
Running from "C:\Users\Dwain\Desktop"
Windows 7 Home Premium  (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error. Google IP is offline
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2009-07-13 16:25] - [2009-07-13 18:45] - 1898576 ____A (Microsoft Corporation) 912107716BAB424C7870E8E6AF5E07E1

C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\iphlpsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****



#30 cnm

    Mother Lion of SWI

  • Administrators
  • 25,279 posts

Posted 21 January 2013 - 03:14 PM

That looks all in order - no problem seen for Windows Update.

Please try the "Check for updates" in Safe Mode.
(Hit F8 several times while booting to get the boot menu and choose Safe mode with internet.)
Make sure you run Windows Update as an administrator.

If it doesn't work, please tell me any error or other messages you get and still in Safe mode with networking, run this Fixit.




#31 blmer2

    Advanced Member

  • Full Member
  • 192 posts

Posted 21 January 2013 - 05:41 PM

Hello cnm,

 

I attempted to update in Safe Mode.  When attempting to do this, the Windows page (after right-clicking "Computer") did not have the Windows Update option.  There was, however, a warning that the Windows Security Service Center was turned off, with a button to turn it on now. After clicking this button I received the message "Windows Security Center can't be started".  The same warning appeared at the little flag icon on the task bar.  And the same message appeared when I attempted to turn it on there.  (I did look for an updates link using Control Panel, and couldn't find one, before going back to the "right-click Computer" screen and attempting to turn on the Security Center, incidentally.)

 

Also, the warning about the Windows Security Center does not appear with the flag icon at this time, only the message that Windows could not check for updates automatically (like before).

 

Should I go ahead and run the Fixit now?

 

Thank you for your help.



#32 cnm

    Mother Lion of SWI

  • Administrators
  • 25,279 posts

Posted 21 January 2013 - 05:52 PM

This is all pretty puzzling.  Seems you are better off in normal mode.

Please try once more in normal mode:

Disable Avast (Shields control, Disable until computer is rebooted)

Then Start > Windows Update, and Check for updates.

 

If that still doesn't work, run the Fixit (in normal mode with Avast disabled).

Then reboot and do the above update attempt again.




#33 blmer2

    Advanced Member

  • Full Member
  • 192 posts

Posted 21 January 2013 - 06:48 PM

Hello cnm,

 

I went through the advised procedures.

 

When I first tried to update, with Avast disabled, I received the same could not check for updates message.

 

I then ran Fixit.  I chose the option to let it check for problems and fix automatically.  It ran then gave me a prompt window advising to try Windows Update again. There was an "Open Windows Update" button which took me back to the update screen.  Checking for updates here still had the same result, that it could not check for updates.  Continuing with the Fixit program, I next got a window advising that troubleshooting was complete.  This window also contained the message that "We did not detect any problems and therefore no fixes were applied".  The window also contained two more buttons: "Explore additional solutions online" and "Get your PC's support in one place".  I did not select either one. The program then ended (there was no option to proceed).

 

So I then rebooted and tried updates again, with the same result and error message.

 

Puzzling indeed.

 

Thank you for your help.

 

One other question, are there any of these diagnostic programs I can remove from my desktop at this time?



#34 cnm

    Mother Lion of SWI

  • Administrators
  • 25,279 posts

Posted 21 January 2013 - 07:08 PM

You can delete the DDS files from your Desktop.  We may need the others again.

 

Try downloading the SP 1. For 64-Bit Windows 7 download: windows6.1-KB976932-X64.exe

Get it from http://www.microsoft...ls.aspx?id=5842

 

Read down to the bottom of the page to see Instructions.




#35 blmer2

    Advanced Member

  • Full Member
  • 192 posts

Posted 21 January 2013 - 08:16 PM

Hello cnm,

 

I tried downloading the update as advised.  First I saved the exe file to my desktop, fortunately.

 

When I tried to install I received the message "Installation was not successful", followed by "system error prevented the service pack from installing".  It further instructed to download and run the "Check for system update readiness tool".  It further advised that if the tool did not fix the problem to visit the Microsoft website.  The included "details" button returned "Error: ERROR_FILE_NOT_FOUND (0x80070002)" - the same error message I'd received previously.

 

Then the download link advised to use the Microsoft Download Center to install the tool.

 

I was thinking that's where you sent me to get the service pack so I came back here.  I decided to run this all by you before proceeding.

 

Should I go ahead and download the tool?  And is that the link you posted previously?

 

Thank you for your help.



#36 cnm

    Mother Lion of SWI

  • Administrators
  • 25,279 posts

Posted 21 January 2013 - 08:29 PM

I think that is the SP you downloaded.

 

This person has similar error: http://answers.micro...fc-68b599b31bf5

 

"Free unlimited installation and compatibility support is available for issues related to Windows 7 Service Packs. Availability of chat, phone or e-mail support differs depending on your geographic location. Some issues may require more advanced support for which there may be a charge: https://support.micr...edirect=1&sd=gn"

 

See if that gets you anywhere.  Free unlimited sounds good...




#37 blmer2

    Advanced Member

  • Full Member
  • 192 posts

Posted 22 January 2013 - 12:23 PM

Hello cnm,

 

So, should I go over to the Microsoft support resource(?) and work on the service pack/update Issue?

 

I didn't understand a lot of the other thread/info concerning this problem, but it did seem to have quite a bit of information on the Check update readiness tool.  So I think I can proceed there.

 

I clicked the link to the Microsoft service, but the window, which was apparently going to permit me to enter some sort of location data, was not opening.  So I quit, since I didn't really have time to do anything, anyway.  I will check again.

 

Should I post back here after, or if, I get this update issue resolved?

 

Thank you for your help.

 



#38 cnm

    Mother Lion of SWI

  • Administrators
  • 25,279 posts

Posted 22 January 2013 - 02:19 PM

Yes, definitely please keep me posted.




#39 blmer2

    Advanced Member

  • Full Member
  • 192 posts

Posted 24 January 2013 - 05:55 PM

Hello cnm,

 

I'm back.

 

Long story short.  After much analysis over the past two days by the Microsoft techs, it's been determined that I can't check updates, or install SP 1, because some files are missing or corrupt.  (Although I now have received a notice that updates were available and was able to install those, still can't check updates.)

 

The only apparent remaining fix is for me to reload the operating system.  However, I think I'll upgrade, using my corporate discount, which will take a few days to achieve (probably next week at this point).

 

Part of what was done included completely uninstalling my antivirus, and letting the techs remotely access and control my computer for a few hours. 

 

With that in mind, I wonder if we can just make sure my computer is still clean, and that the techs did not leave something malicious behind?  This last is highly unlikely I suppose.

 

I think some of the diagnostic programs we used before were removed, but some are left on my desktop.

 

I appreciate your help, and await your instructions.



#40 cnm

    Mother Lion of SWI

  • Administrators
  • 25,279 posts

Posted 24 January 2013 - 06:01 PM

Wow.  Upgrade sounds like a wise choice.

 

Please read the Instructions and post new MBAM, DDS and Security Check logs. I'll be glad to have a look.




#41 blmer2

    Advanced Member

  • Full Member
  • 192 posts

Posted 24 January 2013 - 06:17 PM

Hello cnm,

 

Thank you for the quick reply.

 

I still have the DDS and Security Check executables on my desktop from the other day.  Would they be good to run again, or should I download new ones?

 

I've kept Malwarebytes on my computer for a while now for an occasional scan, so I presume I can just update and run it.

 

I can run these programs and get the logs posted, probably in the morning.

 

Thanks.

 

 



#42 cnm

    Mother Lion of SWI

  • Administrators
  • 25,279 posts

Posted 24 January 2013 - 07:45 PM

Yes, you can just update MBAM, and use the DDS you have.  However, Security Check gets updated fairly often, so you should download it again.


Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#43 blmer2

blmer2

    Advanced Member

  • Full Member
  • PipPipPip
  • 192 posts

Posted 25 January 2013 - 01:38 PM

Hello cnm,

 

I have run the programs and will post the logs below.

 

Thank you for your help.



#44 blmer2

blmer2

    Advanced Member

  • Full Member
  • PipPipPip
  • 192 posts

Posted 25 January 2013 - 01:41 PM

Oops, wrong click, here are the logs.

 

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.01.25.07

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
Dwain :: DWAIN-PC [administrator]

1/25/2013 10:24:07 AM
mbam-log-2013-01-25 (10-24-07).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 316639
Time elapsed: 29 minute(s), 24 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 8.0.7600.16385  BrowserJavaVersion: 1.6.0_37
Run by Dwain at 10:56:45 on 2013-01-25
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.6109.4478 [GMT -7:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Gateway\Registration\GregHSRW.exe
C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\OEM\RunCmd_X64.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
c:\windows\system32\oem\setEvent.exe
C:\spyware_stuff\Spybot - Search & Destroy\SDWinSec.exe
C:\spyware_stuff\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\real\realplayer\Update\realsched.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe
C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.zonealarm.com/?src=hp&tbid=base2013&Lan=en&gu=76cd7793f3664e98a3385667460a02b6&tu=10GX000632B000c&sku=&tstsId=&ver=&
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=dx4822&r=173601106206p0345v1m5k4891r250
mDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=dx4822&r=173601106206p0345v1m5k4891r250
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - <orphaned>
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\spyware_stuff\Spybot - Search & Destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
uRun: [SpybotSD TeaTimer] C:\spyware_stuff\Spybot - Search & Destroy\TeaTimer.exe
mRun: [TkBellExe] "c:\program files (x86)\real\realplayer\Update\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [Gateway Photo Frame] C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe -A
mRun: [BackupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" -h -k
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\spyware_stuff\Spybot - Search & Destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
TCP: NameServer = 75.75.76.76 75.75.75.75
TCP: Interfaces\{EA8713C9-52CC-42DD-A388-B7B0CCC5398B} : DHCPNameServer = 75.75.76.76 75.75.75.75
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Notify: igfxcui - <no file>
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
x64-mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=dx4822&r=173601106206p0345v1m5k4891r250
x64-BHO: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-TB: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
x64-Run: [PLD_FrameworkRun] C:\Windows\System32\oem\RunCMD_X64.exe C:\Windows\System32\oem\OKTOLaunch_PLD_Framework.cmd
x64-Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
x64-Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Dwain\AppData\Roaming\Mozilla\Firefox\Profiles\yv0pqt1v.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_287.dll
FF - plugin: C:\Windows\SysWOW64\npdeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
FF - ExtSQL: 2013-01-22 18:31; {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}; C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}
FF - ExtSQL: 2013-01-22 18:31; {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}; C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}
FF - ExtSQL: 2013-01-22 18:31; {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}; C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}
FF - ExtSQL: 2013-01-22 22:04; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; C:\Users\Dwain\AppData\Roaming\Mozilla\Firefox\Profiles\yv0pqt1v.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2013-01-24 15:36; wrc@avast.com; C:\Program Files\AVAST Software\Avast\WebRep\FF
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.zonealarm.autoRvrt - false
FF - user.js: extensions.zonealarm_i.hmpg - true
FF - user.js: extensions.zonealarm.hmpgUrl - hxxp://search.zonealarm.com/?src=hp&tbid=base2013&Lan=en&gu=76cd7793f3664e98a3385667460a02b6&tu=10GX000632B000c&sku=&tstsId=&ver=&
FF - user.js: extensions.zonealarm.dfltSrch - true
FF - user.js: extensions.zonealarm.srchPrvdr - Search By ZoneAlarm
FF - user.js: extensions.zonealarm.keyWordUrl - hxxp://search.zonealarm.com/search?src=sp&tbid=base2013&Lan=en&q={searchTerms}&gu=76cd7793f3664e98a3385667460a02b6&tu=10GX000632B000c&sku=&tstsId=&ver=&
FF - user.js: extensions.zonealarm_i.dnsErr - true
FF - user.js: extensions.zonealarm_i.newTab - true
FF - user.js: extensions.zonealarm.newTabUrl - hxxp://search.zonealarm.com/?src=nt&tbid=base2013&Lan=en&gu=76cd7793f3664e98a3385667460a02b6&tu=10GX000632B000c&sku=&tstsId=&ver=&
FF - user.js: extensions.zonealarm.tlbrSrchUrl - hxxp://search.zonealarm.com/search?src=tb&tbid=base2013&Lan={dfltLng}&gu=76cd7793f3664e98a3385667460a02b6&tu=10GX000632B000c&sku=&tstsId=&ver=&&q=
FF - user.js: extensions.zonealarm.id - 72e4623f000000000000002511ae8ac3
FF - user.js: extensions.zonealarm.appId - {C56C48A0-DA4E-46F6-9859-1553DC865F84}
FF - user.js: extensions.zonealarm.instlDay - 15715
FF - user.js: extensions.zonealarm.vrsn - 1.8.3.16
FF - user.js: extensions.zonealarm.vrsni - 1.8.3.16
FF - user.js: extensions.zonealarm_i.vrsnTs - 1.8.3.1613:55:19
FF - user.js: extensions.zonealarm.prtnrId - checkpoint
FF - user.js: extensions.zonealarm.prdct - zonealarm
FF - user.js: extensions.zonealarm.aflt - 1025
FF - user.js: extensions.zonealarm_i.smplGrp - none
FF - user.js: extensions.zonealarm.tlbrId - base2013
FF - user.js: extensions.zonealarm.instlRef - ZLN15253760944344-1001
FF - user.js: extensions.zonealarm.dfltLng - en
FF - user.js: extensions.zonealarm.excTlbr - false
FF - user.js: extensions.zonealarm.admin - false
.
============= SERVICES / DRIVERS ===============
.
R0 pavboot;pavboot;C:\Windows\System32\drivers\pavboot64.sys [2010-4-11 33800]
R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2013-1-24 984144]
R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2013-1-24 370288]
R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2013-1-24 25232]
R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2013-1-24 71600]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2013-1-24 44808]
R2 Greg_Service;GRegService;C:\Program Files (x86)\Gateway\Registration\GregHSRW.exe [2009-6-4 1150496]
R2 NTI IScheduleSvc;NTI IScheduleSvc;C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [2009-8-12 62208]
R2 SBSDWSCService;SBSD Security Center Service;C:\spyware_stuff\Spybot - Search & Destroy\SDWinSec.exe [2010-1-8 1153368]
R2 Updater Service;Updater Service;C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe [2009-8-27 240160]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;C:\Windows\System32\drivers\e1y62x64.sys [2009-8-27 287960]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;C:\Windows\System32\drivers\IntcHdmi.sys [2009-8-27 138752]
S3 Revoflt;Revoflt;C:\Windows\System32\drivers\revoflt.sys [2013-1-16 31800]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-2-28 1255736]
.
=============== Created Last 30 ================
.
2013-01-24 22:33:06    54072    ----a-w-    C:\Windows\System32\drivers\aswRdr2.sys
2013-01-24 22:33:03    984144    ----a-w-    C:\Windows\System32\drivers\aswSnx.sys
2013-01-24 22:33:03    71600    ----a-w-    C:\Windows\System32\drivers\aswMonFlt.sys
2013-01-24 22:32:31    --------    d-----w-    C:\ProgramData\AVAST Software
2013-01-24 22:32:31    --------    d-----w-    C:\Program Files\AVAST Software
2013-01-24 20:21:52    --------    d---a-w-    C:\Windows\System32\catroot2.old
2013-01-24 20:04:20    --------    d-----w-    C:\Windows\System32\catroot2
2013-01-23 00:34:09    --------    d-----w-    C:\Windows\softwaredistribution.bak2
2013-01-22 23:49:52    --------    d-----w-    C:\Windows\SoftwareDistribution.old
2013-01-22 23:37:32    --------    d-----w-    C:\Users\Dwain\AppData\Local\LogMeIn Rescue Applet
2013-01-22 22:34:15    --------    d-----w-    C:\Windows\softwaredistribution.bak1
2013-01-22 20:15:52    --------    d-----w-    C:\Windows\CheckSur
2013-01-22 00:49:41    --------    d-----w-    C:\Windows\System32\EventProviders
2013-01-19 18:40:51    --------    d-----w-    C:\Users\Dwain\AppData\Local\temp
2013-01-17 21:10:14    --------    d-sh--w-    C:\$RECYCLE.BIN
2013-01-17 20:56:42    98816    ----a-w-    C:\Windows\sed.exe
2013-01-17 20:56:42    256000    ----a-w-    C:\Windows\PEV.exe
2013-01-17 20:56:42    208896    ----a-w-    C:\Windows\MBR.exe
2013-01-16 22:15:47    --------    d-----w-    C:\Users\Dwain\AppData\Local\VS Revo Group
2013-01-16 22:15:42    31800    ----a-w-    C:\Windows\System32\drivers\revoflt.sys
2013-01-11 22:41:13    --------    d-----w-    C:\Program Files (x86)\Mozilla Firefox.bak
2013-01-05 18:48:07    --------    d-----w-    C:\Users\Dwain\AppData\Local\Programs
.
==================== Find3M  ====================
.
2012-12-14 23:49:28    24176    ----a-w-    C:\Windows\System32\drivers\mbam.sys
2012-10-30 23:51:07    41224    ----a-w-    C:\Windows\avastSS.scr
.
============= FINISH: 10:57:05.83 ===============

 Results of screen317's Security Check version 0.99.57  
 Windows 7  x64 (UAC is enabled)  
 Out of date service pack!!
 Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
avast! Antivirus   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````
 Out of date HijackThis  installed!
 Spybot - Search & Destroy
 Malwarebytes Anti-Malware version 1.70.0.1100  
 HijackThis 2.0.2    
 CCleaner     
 Java™ 6 Update 37  
 Java version out of Date!
 Adobe Flash Player 10 Flash Player out of Date!
  Adobe Flash Player 11.4.402.287 Flash Player out of Date!  
 Adobe Reader 9 Adobe Reader out of Date!
 Mozilla Firefox (18.0.1)
````````Process Check: objlist.exe by Laurent````````  
 AVAST Software Avast AvastSvc.exe  
 AVAST Software Avast AvastUI.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````

#45 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,279 posts

Posted 25 January 2013 - 02:12 PM

Your antivirus and firewall look fine.
Your Firefox is still infested with ZoneAlarm.
You should get IE 9 and update Adobe Reader and Flash Player.

Windows is vulnerable without SP 1, but there is nothing you can do about it.


In view of all the recent warnings about vulnerabilities in Java I recommend uninstalling all Java.
If you find you need it then you can install the latest version.

  • Go to Start -> Control Panel -> Add or Remove Programs.
  • Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
    They should have the Java icon next to any that are there.
    Select any found and choose Uninstall.

I don't see any obvious malware but you could optionally run the MB Anti-Rootkit.

Follow the directions here.

 

Good luck with the upgrade!


Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE
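As an added example (my own code, not DDS's and not anything from this thread), here is a small Python checker that reads a DDS report in the format posted above and lists the IE start pages and Firefox user.js preferences still pointing at the ZoneAlarm search host, which is the "still infested" residue cnm is referring to. The sample log inside it is constructed from the posted output, and the unwanted-host list and pref-name marker are assumptions to adjust per case.

```python
"""Flag browser-hijack residue in a DDS log (added example, not DDS's own code).

Firefox re-applies user.js on every start and it overrides prefs.js, which is
why a homepage or new-tab page "fixed" in the settings UI keeps coming back
while these extensions.zonealarm.* entries remain.
"""
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on (and shortened from) the DDS output posted
# in this thread. DDS defangs URLs by writing hxxp:// in place of http://.
SAMPLE_LOG = """\
============== Pseudo HJT Report ===============
uStart Page = hxxp://search.zonealarm.com/?src=hp&tbid=base2013&Lan=en
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409
mDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409
================= FIREFOX ===================
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
---- FIREFOX POLICIES ----
FF - user.js: extensions.zonealarm_i.hmpg - true
FF - user.js: extensions.zonealarm.hmpgUrl - hxxp://search.zonealarm.com/?src=hp&tbid=base2013
FF - user.js: extensions.zonealarm.dfltSrch - true
FF - user.js: extensions.zonealarm.newTabUrl - hxxp://search.zonealarm.com/?src=nt&tbid=base2013
FF - user.js: extensions.zonealarm.vrsn - 1.8.3.16
============= SERVICES / DRIVERS ===============
"""

# Matches "uStart Page = ...", "mDefault_Page_URL = ...", "x64-mStart Page = ..."
START_PAGE_RE = re.compile(
    r"^(?:x64-)?(?P<scope>[um])(?:Start Page|Default_Page_URL) = (?P<url>\S+)$")
# Matches "FF - user.js: <pref name> - <value>" (prefs.js lines have the same shape)
FF_PREF_RE = re.compile(
    r"^FF - (?P<file>user\.js|prefs\.js): (?P<name>\S+) - (?P<value>.*)$")


def refang(url: str) -> str:
    """Turn DDS's hxxp:// or hxxps:// back into a scheme urlsplit understands."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url)


def host_of(url: str) -> str:
    """Lower-cased hostname of a (possibly defanged) URL; '' if it is not a URL."""
    return (urlsplit(refang(url)).hostname or "").lower()


def hijack_findings(log_text, unwanted_hosts=("search.zonealarm.com",),
                    pref_markers=("zonealarm",)):
    """Return (kind, where, value) tuples for lines that look like hijack residue.

    kind is "start_page" (an IE start page in the Pseudo HJT section) or
    "ff_pref" (a Firefox preference). A Firefox pref is flagged when it lives
    in user.js and its name carries one of pref_markers (assumed marker), or
    when its value points at one of unwanted_hosts (assumed host list).
    """
    findings = []
    for line in log_text.splitlines():
        m = START_PAGE_RE.match(line)
        if m:
            if host_of(m["url"]) in unwanted_hosts:
                findings.append(("start_page", m["scope"], m["url"]))
            continue
        m = FF_PREF_RE.match(line)
        if m:
            name, value = m["name"], m["value"].strip()
            marked = m["file"] == "user.js" and any(
                t in name.lower() for t in pref_markers)
            if marked or host_of(value) in unwanted_hosts:
                findings.append(("ff_pref", f'{m["file"]}:{name}', value))
    return findings


if __name__ == "__main__":
    for kind, where, value in hijack_findings(SAMPLE_LOG):
        print(f"{kind:10} {where:45} {value}")
```

Run against the full posted DDS log it lists the uStart Page line and every extensions.zonealarm.* user.js entry, while the Gateway OEM start pages and the msn.com prefs.js homepage pass untouched.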


#46 blmer2

blmer2

    Advanced Member

  • Full Member
  • PipPipPip
  • 192 posts

Posted 25 January 2013 - 06:46 PM

Hello cnm,

 

One of the things the Microsoft tech tried was a system restore back to a point preceding some of the fixes that we did.  So I guess that's why some of the items are back.  Too bad it didn't work.

 

I uninstalled the Java, again.  And I can go ahead and update Adobe.  I hadn't thought at all about updating Internet Explorer, since I never use it.  I suppose IE 9 is easy to come by, if I should update even though I don't use it. 

 

How important is it to remove those remnants of ZoneAlarm?  There were a couple of issues that resulted when I uninstalled Firefox.

 

I ran the MB Anti-rootkit. It said that no malicious items were found.  It did produce the 2 logs, which I can post if you need to see them.

 

Thank you for your help.



#47 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,279 posts

Posted 25 January 2013 - 07:15 PM

No, I don't need to see those logs if nothing was found.
The ZA isn't important if you don't mind it.
You should update IE as it is part of Windows and makes you vulnerable even if not used. http://windows.micro...dwide-languages


Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#48 blmer2

blmer2

    Advanced Member

  • Full Member
  • PipPipPip
  • 192 posts

Posted 26 January 2013 - 12:04 AM

Hello cnm,

 

I'll go ahead and get the Internet Explorer.

 

Can I just uninstall all these other diagnostics we used, or is there some particular way to remove some of them?

 

Thank you for your help.



#49 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,279 posts

Posted 26 January 2013 - 01:04 AM

Yes.
  
Start > Run and enter 'combofix /uninstall'. Note the space after 'combofix'.  Among other things your Restore Points will be purged and a new clean one created.
 
Delete the DDS files and Security Check folder from your Desktop.

 

Are you happy with the way your PC is running now?


Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#50 blmer2

blmer2

    Advanced Member

  • Full Member
  • PipPipPip
  • 192 posts

Posted 26 January 2013 - 03:17 PM

Hello cnm,

 

I uninstalled the combofix and deleted the other 2.  I still have the Revo-uninstaller, FSS and the MBAR anti-rootkit.  Are there any special procedures for uninstalling these?

 

The PC is running fine.  For some reason I'm not getting the "Windows can't automatically check for updates" warning each time I turn it on.  But I still can't check for updates.  A new operating system should take care of that, I presume.

 

Thank you for your help.





