
strange programs in zone alarm


  • This topic is locked
17 replies to this topic

#1 lucidstorm

lucidstorm

  • Members
  • 71 posts
  • OFFLINE
  • Local time:04:36 PM

Posted 19 October 2016 - 07:28 AM

Hi

I already got a PC repaired here and that was a laptop, thank you again

 

but I have several other PCs and this power computer in which I've recently found these strange programs appearing very fast in zone alarm program management:

 

they have added somewhat random lines and when I block them they reappear again in other forms, with exer.exe added and much more

 

ZONE ALARM'S VIEW PROGRAMS TAB:

 

2i05irm.jpg

 

167721w.jpg

20t34ug.jpg

 

this is just a question if this is fine, I have no slowdowns or anything, no strange behavior apart from this, no antivirus found anything.

 

SPEC: windows 7 x64, i5 4.7ghz, 980 ti, 3 ssds + 2 hdds (disabled cd autorun with defogger), 16 gig ram, 300 down / 60 up mb/s internet

 

Security: bitdefender free edition, zone alarm, I am a bit paranoid so I have crypto prevent on and I run multiple scans every day 

 

I have win 10 x64 on a different partition, same PC, using windows 7 now (win 10 is on C: but I use D:)

 

I've run scans with the same programs as in this post: ''gmer has found rootkit activity'', http://www.bleepingcomputer.com/forums/t/628646/gmer-has-found-rootkit-activity/ and they found nothing. MBAR, ESET all show zero threats, recently added to it dr web cure it and Sophos, even gmer shows nothing in red, only combofix runs forever but I think it's a compatibility issue with zone alarm as ''service application was prevented from changing the behavior of zone alarm'' pops up and it's at stage 27 in some sort of loop

 

I am posting because I've never seen something like this :P and this is not just opera but every program, I found it somewhat funny because the PC is super fast

 

anyway I would prefer not to post any logs for now and it is just a question about zone alarm, if this is normal for the program and your opinion, if this is suspicious we do logs (since I am working on this PC)

 

best


Edited by lucidstorm, 19 October 2016 - 12:58 PM.



 


#2 packetanalyzer

packetanalyzer

  • Members
  • 954 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:11:36 AM

Posted 21 October 2016 - 05:15 PM

Hi lucidstorm,

 

I will be handling your question and try to help you get anything that is malicious removed. Please give me some time to look it over and I will get back to you as soon as possible.

Thank you for your patience,

 

packetanalyzer



#3 lucidstorm

lucidstorm
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  • Local time:04:36 PM

Posted 22 October 2016 - 04:16 AM

Hi thanks for reply

 

I am only afraid to lose my long built setup, those extensions worry me

 

so when you are ready I am ready

 

this does not happen on same PC but partition C: windows 10 x64


Edited by lucidstorm, 22 October 2016 - 02:55 PM.


#4 packetanalyzer

packetanalyzer

  • Members
  • 954 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:11:36 AM

Posted 22 October 2016 - 04:26 PM

Welcome to Bleeping Computer. You can call me packetanalyzer and I will be helping you with removing malware from your computer. Please take a moment to review the following.

Please read my instructions completely and follow them closely.

Please do not run any tools unless and until I ask you to do so.

Please only run the tools I ask you to run.

If you have any questions at any point, please stop and ask me before you try to complete the step.

 

Please do not edit your posts. We do not always get a notification if you edit your post but if you create a new post you will know for certain I will get a notification.

Please refrain from using your computer for any purpose other than us working together to clean malware from it until I have notified you your computer is clean.

Please be patient as most of us at Bleeping Computer are volunteers and your logs take time to closely analyze. If you do not hear back from me in 48 hours, please feel free to send me a PM.

If I do not hear from you within 3 days after any post, this thread will be closed.


++++ Step 1 Create an FRST Log ++++

We need to run a scan using FRST to collect some information from your computer. Once we have this information we can analyze it and determine what we need to do next.

  • Please go to http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/.
  • Download the appropriate version for the computer you are going to run FRST on. If you aren't sure which version you need, please download both versions and save the program to your desktop.
  • Right click FRST (the file will be named FRST.exe or FRST64.exe depending on which version you are using) and select Run as administrator. If you downloaded both versions of FRST, please try FRST.exe first and if it tells you it is the wrong version then please run FRST64.exe as administrator.
  • You will be asked if you accept the user agreement. If you do, please accept the agreement.
  • Click Scan.
  • When FRST completes the scan, two notepad windows will open. One will be named FRST.txt and another will be named Addition.txt. Please copy and paste these into your next reply.

 

Thank you,

 

packetanalyzer



#5 packetanalyzer

packetanalyzer

  • Members
  • 954 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:11:36 AM

Posted 26 October 2016 - 07:36 AM

Hi lucidstorm, are you still here? If we do not receive a reply from you this topic will be closed in the next 48 hours.

 

Thanks!

 

packetanalyzer


Edited by packetanalyzer, 26 October 2016 - 07:36 AM.


#6 lucidstorm

lucidstorm
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  • Local time:04:36 PM

Posted 27 October 2016 - 03:51 AM

Hi lucidstorm, are you still here? If we do not receive a reply from you this topic will be closed in the next 48 hours.

 

Thanks!

 

packetanalyzer

 

Hi I will do logs of both windows 7 and 10 since they are on same PC, I will also post screens of gmer (it has found something new)

 

Sorry I've been quite busy with life

 

best regards

Lucidstorm



#7 packetanalyzer

packetanalyzer

  • Members
  • 954 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:11:36 AM

Posted 28 October 2016 - 09:42 AM

Hi lucidstorm,

 

For this thread, please ONLY use the Windows 7 installation. That is where you observed a concern and what this question is about so we must limit ourselves to working on the Windows 7 installation. If that changes based on information we discover in the course of working on this problem I will let you know, but it is very important that we know what we are working on and where information you have is coming from.

 

Also, you seem to have run GMER again. We are not at a point where we need to do that yet. We might do that or we might not do that. It will depend based on what we find. For now, please do NOT run any tools unless instructed to.

 

You can certainly do what you want with a computer you own and you don't have to follow the instructions we provide you. If at any time you decide you want to do something other than what we requested you to do please immediately let us know so we can close the thread.

 

If you would like to continue please generate and post the FRST scan log for the Windows 7 installation.



#8 lucidstorm

lucidstorm
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  • Local time:04:36 PM

Posted 28 October 2016 - 04:01 PM

Hi,

 

posting logs directly causes an infinite web page loop (culprit: the logs are too long), I can attach files no problem though

 

for the sake of the post I will not use this install, at all. 

 


Attached Files


Edited by lucidstorm, 28 October 2016 - 04:10 PM.


#9 packetanalyzer

packetanalyzer

  • Members
  • 954 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:11:36 AM

Posted 30 October 2016 - 10:07 AM

Hi lucidstorm,

 

Thank you for the FRST log.

 

++++ Step 1 Uninstall the rest of Kaspersky Anti-Virus ++++
 
It appears you may have more than one anti-virus program installed. Having more than one anti-virus program on your computer installed can cause problems including false positives and computer crashes.
 
Please make sure that you have only one anti-virus program installed on your computer. Your FRST log indicates you may have BitDefender and Kaspersky Anti-Virus installed. It appears you tried to uninstall Kaspersky Anti-Virus but it did not entirely uninstall.

 

  1. Save the file http://media.kaspersky.com/utilities/ConsumerUtilities/kavremvr.exe to your desktop
  2. Right click kavremvr.exe
  3. Select Run as administrator
  4. If you agree with the terms of use, click Accept
  5. Enter the number displayed in the picture in the first box
  6. The program will try to detect the version of Kaspersky Anti-Virus that is on your computer. If it cannot detect the version of Kaspersky Anti-Virus, please manually select the version of Kaspersky Anti-Virus that was installed on your computer. If you aren't sure, please select Kaspersky Anti-Virus\Internet Security\Kaspersky Total Security 2016\Kaspersky 365 1/4
  7. Click Remove
  8. Do not restart the computer yet

++++ Step 2 FRST Fix ++++

  • Press the windows key + r on your keyboard at the same time (this will open Run)
  • Type notepad.exe
  • Press Enter
  • Copy and paste the code below in the open notepad window
  • Save the file as fixlist.txt in the same folder where the Farbar tool is running from (FRST should be on your desktop).
  • Right click FRST64.exe
  • Click Run as administrator
  • Click the Fix button
  • When FRST finishes running, your computer will restart itself
RemoveDirectory: D:\Qoobox
FF Extension: (No Name) - D:\Users\Natalia Michal\AppData\Roaming\Mozilla\Firefox\Profiles\4x90lfln.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [not found]
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xdp -> D:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [No File]
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xfdf -> D:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
S3 b06bdrv; \SystemRoot\system32\drivers\bxvbda.sys [X]
S3 MSICDSetup; \??\E:\CDriver64.sys [X]
S3 NTIOLib_1_0_C; \??\E:\NTIOLib_X64.sys [X]
D:\SystemRoot\system32\drivers\bxvbda.sys
EmptyTemp:

++++ Step 3 Share Your Logs++++

  1. Please post the contents of the Kaspersky AV Removal Tool log file that was created when you ran kavremvr.exe in your next reply
  2. Please post the contents of the fixlog.txt file that was created when you ran the FRST fix in your next reply
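
The three S3 lines in the fix list above (b06bdrv, MSICDSetup, NTIOLib_1_0_C) are service entries whose driver file FRST marks [X]. As an added example that is not part of this thread or of FRST's own tooling, here is a PowerShell check that lists every service entry whose ImagePath no longer resolves to a file on disk; it assumes the [X] marker means "file not found" and that it is run from an elevated prompt on the Windows 7 installation being examined.

```powershell
# Added example (not from the thread or from FRST): report service/driver
# registry entries whose binary is missing on disk, the condition the fix
# list's "[X]" entries are assumed to describe. Run elevated on the
# installation under examination.

function Resolve-ServiceImagePath {
    param([string]$RawImagePath)
    # Strip the NT-style prefixes seen in the fix list: \??\E:\x.sys and \SystemRoot\...
    $p = $RawImagePath.Trim()
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    $p = [Environment]::ExpandEnvironmentVariables($p)
    # Drop surrounding quotes and any command-line arguments after the binary
    if ($p -match '^"([^"]+)"') { $p = $Matches[1] }
    elseif ($p -match '^(.*?\.(sys|exe|dll))(\s|$)') { $p = $Matches[1] }
    # Paths such as system32\drivers\x.sys are relative to the Windows directory
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-OrphanedServiceEntry {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    Get-ChildItem -Path $base | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if (-not $props.ImagePath) { return }   # entries without a binary (groups, filters)
        $file = Resolve-ServiceImagePath -RawImagePath ([string]$props.ImagePath)
        if (-not (Test-Path -LiteralPath $file)) {
            [pscustomobject]@{
                Service   = $_.PSChildName
                Start     = $props.Start   # 3 = demand start; FRST prints this as "S3"
                Type      = $props.Type    # 1 = kernel driver
                ImagePath = $props.ImagePath
                Resolved  = $file
            }
        }
    }
}

Get-OrphanedServiceEntry | Sort-Object Service | Format-Table -AutoSize
```

An entry in this list is not malicious by itself; leftovers from uninstalled hardware utilities look exactly like this, which is why the thread treats them as cleanup rather than as an infection.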


#10 lucidstorm

lucidstorm
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  • Local time:04:36 PM

Posted 03 November 2016 - 04:29 AM

Hi, ZONE ALARM is preventing any change to Kaspersky, kkh.sys can't be removed, trying without zone alarm



#11 lucidstorm

lucidstorm
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  • Local time:04:36 PM

Posted 03 November 2016 - 04:39 AM

Hi, sorry for multiple logs, I was fighting with zone alarm that prevented any change to 2 sys files (I can't remember the name).

 

I think it was uninstalled at the end but I am not certain, zone alarm prevention works

 

also D:\SystemRoot\system32\drivers\bxvbda.sys" => not found. (WHAT?)

 

as I said I am not using this build at all. 

Attached Files


Edited by lucidstorm, 03 November 2016 - 04:44 AM.


#12 packetanalyzer

packetanalyzer

  • Members
  • 954 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:11:36 AM

Posted 05 November 2016 - 08:14 AM

Hi lucidstorm,
 
Thank you for the new logs. Don't worry about the one that said "not found". It isn't malicious and everything else ran correctly.
 
Given the contents of your newly documented logs, what you have already done, the existence of multiple security programs on your computer, and multiple operating systems installed, it doesn't appear there is anything malicious on your computer. In response to your original question, there may be some "weirdness" with ZoneAlarm given the use of other security programs and multiple Windows Operating Systems installed on the same computer.
 
You have four different anti-virus products installed on your computer (BitDefender, ESET Online Scanner, Sophos Virus Removal Tool, and ZoneAlarm). Let's get that down to one. I think you will find you have fewer problems in general. :)
 
++++ Step 4 Uninstall unused anti-virus programs ++++
 
Based on your use of multiple ZoneAlarm programs, I assume that is the anti-virus you want to keep. For all of the anti-virus programs you need to remove, please follow the steps below to uninstall them:
  • Press the windows key + r on your keyboard at the same time (this will open Run)
  • In the Run window type control appwiz.cpl
  • Press Enter
  • Select the anti-virus program you want to uninstall (if listed) and click Uninstall
  • Follow the steps in the uninstallation wizard
  • Restart your computer
Please only uninstall one anti-virus program at a time and repeat the process for each anti-virus program you want to uninstall.
 
++++ Step 5 Create an FRST Log ++++

We need to run a scan using FRST to collect some information from your computer. Once we have this information we can analyze it and determine what we need to do next.
  • Please go to http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/.
  • Download the appropriate version for the computer you are going to run FRST on. If you aren't sure which version you need, please download both versions and save the program to your desktop.
  • Right click FRST64.exe and select Run as administrator.
  • Click Scan.
  • When FRST completes the scan, please paste the contents of FRST.txt in your post.
++++ Step 6 Share Your Logs ++++
  • Please post the contents of the FRST.txt file that was created when you ran the FRST fix in your next reply


#13 lucidstorm

lucidstorm
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  • Local time:04:36 PM

Posted 05 November 2016 - 01:13 PM

Hi, before I proceed I would ask you a question since I used to run bitdefender + zone alarm firewall on 4 systems for quite some time and I got used to it (perhaps a sentimental value attached)

 

I disabled antivirus in zone alarm - while keeping the firewall - and left bitdefender running for that (let's face it, bitdefender has better anti-phishing, anti-malware and anti-virus than zone alarm, while zone alarm is famous for its firewall score on AV tests)

 

I always thought that is a perfect combo: zonealarm for firewall and bitdefender for antivir. (I used to run anti-exploit from mbam or search and destroy in the background too sometimes)

 

eset nod and Sophos are ONLY second opinion scanners I run once a day, that is (eset is supposed to be an online scanner with no installation on the drive), they're off all the time (Sophos and eset)

 

what about crypto prevent, should I leave it on?

 

sorry for multiple questions, but just by responding to one you are giving me huge feedback (who to ask if not you)

 

Best regards and a huge thanks


Edited by lucidstorm, 05 November 2016 - 01:22 PM.


#14 packetanalyzer

packetanalyzer

  • Members
  • 954 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:11:36 AM

Posted 06 November 2016 - 03:55 PM

Hi lucidstorm,

 

Those are great questions!

 

The key problem with how the programs were configured is that you have multiple anti-virus programs running. It is one thing to have a stand-alone anti-virus scanner but you don't want multiple anti-virus programs (such as Kaspersky and BitDefender) running at the same time.

There are two ways anti-virus programs can detect an infection. One is from a signature when the file is a "known bad" file. Another is from heuristics or the behavior of a file. Now, you have to consider that anti-virus, to do its job, has to have access to everything on your computer and be able to stop and test any file before it runs. That kind of access is very invasive. It makes sense that an anti-virus program might view any other program with that amount of access as a virus. This includes other anti-virus programs and can cause several problems.

Can you only enable specific portions of an anti-virus suite, like only enabling the firewall? Yes, but what happens when you upgrade that program? Will the anti-virus turn itself on when you upgrade the program? If it does then you are going to have multiple anti-virus programs running on this computer again. Obviously we want to keep that from happening.

The Windows Firewall beginning in Windows Vista really was an improvement over the Windows Firewall in XP, in my opinion. Windows 7, Windows 8, and Windows 10 have improved the Windows Firewall further over the years, in my opinion.

 

Really ask yourself what threats are you trying to protect against? No single solution will protect from everything but you have protection from exploit kits with MBAE, protection from viruses from BitDefender, and your router should address most firewall issues. Your router used with Windows Firewall is fairly comprehensive and will likely handle what you are doing. The exception to this in my opinion is commercial networks and special instances where you need custom firewall rulesets. If you want the ability to scan outbound traffic with anti-virus or block specific forms of outbound network traffic then you might want to consider using a router that offers these capabilities rather than install extra software on your computer.

 

If you want to have a stand-alone anti-virus scanning product, I would tend to lean towards an online scanner as a tool to find a second opinion, or uploading the file I am not sure about to VT, rather than installing another anti-virus program.

 

MBAM will search for malware and PUPs. If you have the Professional version it will run in the background. If you have the free version you can run it when you need to.

 

MBAE will monitor your web browsers and if activity that appears to be related to an exploit kit takes place, it will be blocked. This runs in the background.

 

ESET Online Scanner is an online scanner, but certain files need to be downloaded for the scan to work. This is true of all anti-virus scanners online or offline.

 

CryptoPrevent was originally built using software restriction policies which will not interfere with your anti-virus. Over the years CryptoPrevent has evolved but should not create any problems with your anti-virus.



#15 lucidstorm

lucidstorm
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  • Local time:04:36 PM

Posted 09 November 2016 - 05:35 AM

Hi

 

after your last post I decided to run the new bitdefender beta, I also ran a pass of tweaking.com from bleeping computers since I was not able to restore windows firewall (sorry, I know, but leaving the PC without any firewall scares me), I did the firewall repair

 

now it should be 1 antivir with the default win 7 firewall - it was not an easy decision but thx again for the professional replies - they helped me

 

posted logs

 

best regards

Attached Files


Edited by lucidstorm, 09 November 2016 - 09:47 AM.
