Zone Alarm configuration frozen/changed

Discussion in 'Software' started by Boccemon, May 18, 2004.

  1. Boccemon

    Boccemon First Sergeant

    Win Me
    5000US Compaq
    512 SDRAM

    I have run AdAware, SpyBot S&D, Avast!, Hijack This and everything appears to be clean. I have not been able to update these proggies for over a week.

    I looked in Zone Alarm and........every program has been changed to "allow as server". ALL programs that deal with virii, bots and adware have been changed to block access to the internet. Plus, it will not allow itself to be reset to allow, block or ask. It is like it is frozen.
    I can find nothing suspicious on my computer. Any ideas?? TIA boccemon

    EDIT: BTW, housecall shows a clean slate also.
     
    Last edited: May 18, 2004
  2. billH

    billH Master Sergeant

    Hey Bocce, you have run stinger, cwshredder and your av or is everything of that nature blocked?
     
  3. Boccemon

    Boccemon First Sergeant

    Thanks for the reply Bill. Everything that has to do with baddies is stuck. PLUS, after I posted I ran housecall again and it would not run, McAfee online scan would not run. I am at work right now so cannot play around with the box. This confuses me because the computer is running as good as it ever did. As I was leaving my son reminded me of an incident that happened several days ago. I use OE for e-mail and it showed that I had one message. When I went to the inbox it was empty. I blew it off at that time as just a vagary of the proggie. I'm thinking that something got in there, but I cannot find it. I recognize everything on Hijack This. AdAware, SpyBot S/D, SpyWareBlaster, and Avast! show nothing.....:confused:
     
  4. Freddy

    Freddy Sergeant

    The nature of the block/allow seems deliberately set up to make your computer a drone. Are there any unfamiliar programs listed in ZA?

    Try booting into safe mode, updating the software and run the scans and hijackthis. I've seen trojans that intercept known maintenance tools to prevent them from working and/or hide their presence.
     
  5. billH

    billH Master Sergeant

    Hmmm . . . sounds like Sasser. You can run both stinger and cwshredder off line. There's a killer for Sasser too. You might give all three of these a go. It's a headscratcher for sure. Your XP updates current?
     
  6. Boccemon

    Boccemon First Sergeant

    I doubt if it is sasser.......I run ME. However, I posted recently that ME can pass Sasser along, and not get infected. I had a friend run the Sasser tool and he said that I had the bug, but that he got rid of it. I have not run stinger or CWshredder. I'll try to d/l them tonight and run them. I'm at work right now.

    @freddie......There are no new proggies in ZA, all there have been there forever. Do I know what all of them do?.......No. I'll try the safe mode trip and see if that helps.
     
  7. alanc

    alanc MajorGeek

    I agree, sounds like a trojan the other scanners aren't picking up.

    TDS-3 might snag it. Update defs before scanning from here:
    http://tds.diamondcs.com.au/index.php?page=update
     
  8. Boccemon

    Boccemon First Sergeant

    I've been Googling.....

    I was sent a picture, with no text, and got a dialogue box stating "can't find viewer".
    I receive blank e-mails.
    All Av/bot proggies are screwed.

    W32. beagleX.....perfect description of this virus and my box. However, Avast! missed it and this has been around awhile.......Hmmmmmm...:confused:
     
  9. Boccemon

    Boccemon First Sergeant

    Okay guys............I'm really tired and I'm confused. Got home from work and did the following: d/l CWShredder and ran it, clean. D/L stinger and ran it, clean. Attempted to access housecall trendMicro, denied. Attempted to do McAfee online scan, completed and found to be clean. AdAware found three dialer cookies. Avast! found nothing. BTW: I've been getting pop-ups after start-up telling me that Avast! has updated, but the date of my definitions is 05/05/04. I then went to PestPatrol and did an online scan, and it found the following:

    KeenValue,Incredifind:
    C:\program files~1\bho
    C:\program files\incredifind
    C:\Incred~1\bho\incfin~1.dll
    C:\program files\incred~1\bho\incfindbho.dll
    C:\program files\incredifind\bho\incfindbho.dll

    CWS.googleMS.3
    hkey_current_user\software\microsoft\windows\currentversion\internetsettings\zonemap\domains\xxxtoolbar.com

    What is this?????? AND please, how do I get rid of it?

    I never go to poRnsites, what's with the "xxxtoolbar"??? (BTW: this is one of the sites that the beagle virus tries to contact).

    So, what's next??? help please...................:confused:
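    The PestPatrol hit above is a subkey under IE's ZoneMap\Domains, the key that assigns a host to a security zone. The check a practitioner wants before calling it a hijack is the DWORD value under that subkey: 2 puts the host in Trusted sites (the CWS-style hijack pattern, lowering IE's protections for that host), while 4 puts it in Restricted sites, which is exactly what immunization tools such as SpywareBlaster (which the poster says is installed) write for known-bad domains. The script below is an added example, not from the thread or from any tool mentioned in it; it parses a `regedit /e` export of that key and sorts entries by zone. The .reg text is constructed from reserved example.* names and does not reproduce the poster's xxxtoolbar.com entry or its value.

```python
"""Classify hosts in an exported IE ZoneMap\\Domains key by security zone.

Added example, not from the thread.  The .reg text is constructed: it uses
reserved example.* names and does not reproduce the poster's xxxtoolbar.com
entry or its value.
"""
import re

# URL security zone IDs used by Internet Explorer's ZoneMap.
ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

DOMAINS_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
               r"\Internet Settings\ZoneMap\Domains")

# Constructed sample of what `regedit /e` exports for that key.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.com]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.com\update]
"http"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.net]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.org]
"https"=dword:00000003
"""

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})\s*$')


def parse_zonemap(reg_text):
    """Return a list of (host, scheme, zone_id) tuples from a .reg export.

    A key Domains\\<domain>\\<sub> describes host sub.domain; the value name
    is the scheme ('*', 'http', 'https', ...) and the DWORD is the zone ID.
    """
    prefix = (DOMAINS_KEY + "\\").lower()
    entries = []
    host = None
    for line in reg_text.splitlines():
        key = KEY_RE.match(line)
        if key:
            path = key.group(1)
            host = None
            if path.lower().startswith(prefix):
                parts = path[len(prefix):].split("\\")
                host = ".".join(reversed(parts)).lower()
            continue
        val = VALUE_RE.match(line)
        if val and host:
            entries.append((host, val.group(1), int(val.group(2), 16)))
    return entries


def audit(entries):
    """Split entries into elevated (zones 0-2) and restricted (zone 4).

    Elevated entries lower IE's protections for that host and are the
    hijack pattern; Restricted entries raise them and are what
    immunization tools add.
    """
    elevated = [e for e in entries if e[2] in (0, 1, 2)]
    restricted = [e for e in entries if e[2] == 4]
    return elevated, restricted


def report(reg_text):
    """One line per entry of interest, elevated entries first."""
    elevated, restricted = audit(parse_zonemap(reg_text))
    lines = []
    for host, scheme, zone in elevated:
        lines.append("HIJACK? %s (%s) in %s" % (host, scheme, ZONE_NAMES[zone]))
    for host, scheme, zone in restricted:
        lines.append("blocked: %s (%s) in %s" % (host, scheme, ZONE_NAMES[zone]))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_REG)))
```

    On a Win9x/ME box the export is `regedit /e zonemap.reg "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"`. The script only reads the Domains subkey; IP-range assignments live under ZoneMap\Ranges and are not covered. A scanner that reports any ZoneMap entry for a bad domain, without distinguishing zone 4 from zone 2, will flag immunization entries as if they were hijacks.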
     
  10. Boccemon

    Boccemon First Sergeant

    I'm going to attempt to post my HJT log. This thread probably needs to be moved to spyware......:eek:

    Logfile of HijackThis v1.97.7
    Scan saved at 2:02:18 AM, on 5/19/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\WINDOWS\TEMP\TD_0003.DIR\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=3c00&s=consumer&LC=0409
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by HighSpeed Communications!
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O9 - Extra button: Translate (HKLM)
    O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
    O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
    O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
    O9 - Extra 'Tools' menuitem: AV Live (HKLM)
    O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.highspeed.com
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/20010620/qtinstall.info.apple.com/qt502/us/win/QuickTimeInstaller.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/us/sa/common/common/bin/cabsa.cab
    O16 - DPF: {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} (VoilaXctl Class) - http://www.belarc.com/Programs/advisor.exe
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37871.7339583333
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4361/mcfscan.cab

    Thank you for any help that you may offer,,,,,,,,,,,,boccemon
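    Freddy's point earlier in the thread (trojans that intercept known maintenance tools) and alanc's quick read of the log above are the same triage task: go through the HijackThis entries and decide which ones are known-good for this machine. The script below is an added example, not from the thread and not part of HijackThis; it parses a 1.9x-format log and flags entries that are not on a reviewer's per-case allowlist. The sample log mixes lines copied from the posted log with one constructed O1 line (update.example.com) to exercise the hosts-file check, since the posted log has no O1 entries; the allowlist is an assumption built from the posted log, with pestscan.com deliberately left off to show how an unlisted host surfaces. The "Running processes" block is not parsed.

```python
"""Triage a HijackThis 1.9x log against a per-case allowlist.

Added example, not from the thread or from HijackThis itself.  The sample
log mixes lines copied from the posted log with one constructed O1 line
(update.example.com); the allowlist is a reviewer's own assumption.
"""
import re
from urllib.parse import urlparse

SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Platform: Windows ME (Win9x 4.90.3000)

O1 - Hosts: 127.0.0.1 update.example.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
"""

# Reviewer's allowlist for this box (an assumption built from the posted log).
# pestscan.com is deliberately left off to show how an unlisted host surfaces.
ALLOW = {
    "O4": {"scanregw.exe", "rundll32.exe", "zlclient.exe", "ashserv.exe"},
    "O2": {"acroiehelper.dll", "sdhelper.dll"},
    "O16": {"download.macromedia.com"},
}

ENTRY_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|bat|scr|pif))(?:\s|$)", re.IGNORECASE)


def parse_hjt(text):
    """Return (kind, body, raw_line) for every O*/R* entry in the log."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2), raw.strip()))
    return entries


def exe_basename(command):
    """Executable file name from an autostart command line, lower-cased.

    Handles unquoted paths containing spaces by taking everything up to the
    first executable extension that is followed by whitespace or end of line.
    """
    m = EXE_RE.match(command.strip())
    if not m:
        return command.strip().split(" ")[0].rsplit("\\", 1)[-1].lower()
    return m.group(1).rsplit("\\", 1)[-1].lower()


def triage(entries, allow=ALLOW):
    """Return (kind, reason, raw) for entries a reviewer should look at."""
    flagged = []
    for kind, body, raw in entries:
        if kind == "O1":
            # Any hosts-file entry gets a look: malware uses it to null-route
            # AV and update servers, which matches "nothing will update".
            flagged.append((kind, "hosts-file redirect", raw))
        elif kind == "O4":
            m = re.match(r"[^\[]*\[[^\]]*\]\s*(.*)", body)
            exe = exe_basename(m.group(1)) if m else ""
            if exe not in allow["O4"]:
                flagged.append((kind, "autostart not on allowlist: " + exe, raw))
        elif kind == "O2":
            dll = body.rsplit(" - ", 1)[-1].rsplit("\\", 1)[-1].lower()
            if dll not in allow["O2"]:
                flagged.append((kind, "BHO not on allowlist: " + dll, raw))
        elif kind == "O16":
            host = (urlparse(body.rsplit(" - ", 1)[-1].strip()).hostname or "").lower()
            if host not in allow["O16"]:
                flagged.append((kind, "ActiveX download from unlisted host: " + host, raw))
    return flagged


if __name__ == "__main__":
    for kind, reason, raw in triage(parse_hjt(SAMPLE_LOG)):
        print("%-4s %-45s %s" % (kind, reason, raw))
```

    Allowlisting rundll32.exe by name, as this example does, means a malicious DLL loaded through it would pass; for rundll32 entries the module argument (TWEAKUI.CPL above) is what the reviewer has to judge. The same applies to any entry the allowlist accepts by file name only: a trojan dropped under a known-good name in a different directory would not be caught, so a real triage compares full paths.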
     
  11. alanc

    alanc MajorGeek

    CWShredder should take care of the CWS.googleMS.3 hijacker.

    Info and removal of keenvalue/incredifind here:
    http://pestpatrol.com/pestinfo/e/euniverse.asp

    That'll get you started, just took a quick look at your HJT log and nothing jumped out at me. Make sure you disable System Restore and reboot to take it out of the equation.
     
  12. Boccemon

    Boccemon First Sergeant

    Thanks for the response Alan. CWShredder DOES NOT see this on my puter. I just tried a d/l of a proggie called "SpyFerret" and it found it, then they wanted $$$ to remove it. I'll try the pestpatrol link. I went to kephyr.com and they instruct to remove it in add/remove programs...........but it is not there!! So confusing...............:confused:
     
  13. billH

    billH Master Sergeant

    Man, Bocce. What a mess. Sorry, for your troubles buddy. Have you tried emailing or telephoning Zone Alarm?
     
  14. Boccemon

    Boccemon First Sergeant

    I've been at this most of the night and have come up with the following. I did some stuff I've never done and it's been quite a learning experience. I googled until my eyes fell out and found much information.

    I do not think that the ZA problem and the incredifind and the CWS.googleMS.3 are related.

    Incredifind was deleted through Win explorer and deleting the file. None of the registry entries were there. I've never used regedit before and it was quite the experience.

    I think that the CWS.GoogleMS.3 is a false positive. All of the programs that I trust simply do not see it. Pest Patrol, Spyferret found it. McAfee online, TrendMicro, SpyBot S/D, AdAware 6, Avast!, Stinger and CWShredder do not see it.

    And as far as the ZA issue I think that when I deleted and re-installed I corrupted it due to the fact that I just deleted it, I did not prepare the program for deletion. I'm gonna try it again and see. I'll let you know. Thanks all..................
     
  15. billH

    billH Master Sergeant

    Good luck Bocce. I agree with you. I've picked a few false positives from pestpatrol myself. At least the only thing I can assume is that they were false after exhausting and determined looking through every file in my pooter one by freakin' one :) and finding nothing. You might be on the right track about ZA. Be sure to let us know.
    Bill
     
  16. Boccemon

    Boccemon First Sergeant

    Hey Bill!! I've just had a lot of fun and did a bunch of stuff that I've never done before. Played in the registry, found multitudinous cooties that I'm gonna let Crapcleaner deal with. Reinstalled ZA. As it turns out it was my bad...last time I installed I goofed up. It's in there correctly and working. Found the key that PestPatrol was excited about.....it was a baddie, but not CWSgoogleMS.3. Oddly, after I got rid of Incredifind, all of my proggies would update. I was up most of the night, but it's running clean now. Thanks for your help. :)
     
  17. billH

    billH Master Sergeant

    Never a problem Buddy :) Now . . . GO GET SOME SLEEP ;)
    ps: You did an up and walkin' good job on this. many back pats, huzzahs and you done good kiddos.
     
  18. Boccemon

    Boccemon First Sergeant

    :) :) :) :) Thanks
     
