AumHa Forums

Supporting Users of Windows Desktop Systems
 Post subject: [Done] Infection problem
PostPosted: Mon 6/21/10 06:13 pm 
Gold Member

Joined: Thu 12/23/04 01:37 pm
Posts: 147
Hi All
I was directed to post my problem here. I was requested to use safe mode to allow me to download a program to help me. F8 will do nothing; I repeatedly tapped F8 at start-up but Windows XP opens. I tried F1, same thing! F10 did get me the proper screen but I could not highlight Safe Mode, the arrow key did nothing; it timed out and Windows opened! No matter what I try I can not get into Safe Mode.
I have 11 months (maybe slightly less) on my paid license for ZoneAlarm Extreme Security and have accepted all patches from Microsoft. From time to time I went to Microsoft's download site, allowed them to scan my computer and downloaded all upgrades. Zone Alarm seems to be working as it is preventing suspicious connections.
However, as I mentioned in my post in XP, I can not connect to the sites I want on IE; my home page will not open, yet IE will self start and open porn sites and http://www.viagra.com. OE will not open. The Microsoft yellow shield is now green and will open AV Security Suite to scan my computer. It will try to connect me to antispeye.com/purch. What can I do to remove whatever is causing the problem? I am connected here via my laptop.
Frank


Last edited by KB. on Sat 8/14/10 09:15 pm, edited 4 times in total.
Edit to disable live link.


 Post subject: Re: Infection problem
PostPosted: Tue 6/22/10 06:41 pm 
Microsoft MVP

Joined: Wed 7/21/04 07:57 pm
Posts: 4756
Location: The suburbs of Milwaukee, USA
Try this in Normal Mode. If you need to download RKill on a non-infected system and transfer it to the infected one via portable media (e.g. flash drive, CD), please do so.

Starting instructions
:hand: The following instructions are only for this Forum member and machine. If you use these instructions on another machine, you risk seriously damaging the system and doing so will make clean up much more difficult and complicated. If you think you have a similar problem, please begin your own, new thread. I do not offer free private support.

A few things before we begin:
    1. Please follow my instructions exactly as specified and in the order given.
    2. Please do not make any software additions/subtractions unless I ask you to until we're finished. It helps me clearly understand what's happening with your system.
    3. It's best to print these instructions for reference as you work through the steps.
    4. If you get stuck on a step, keep going and do as much as you can. It's best to perform this in one session.

Do Not Use The Attachment Feature
Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.

RKill
Please download Rkill from one of the following links and save to your Desktop:

One, Two, Three or Four

  • Double click on Rkill.
  • A command window will open then disappear upon completion, this is normal.
  • Please leave Rkill on the Desktop until otherwise advised.
Note: If your security software warns about Rkill, please ignore and allow the download to continue.

Do not reboot!

Note:
If you see a message telling you the file is infected, ignore the message. Leave the message OPEN, do not close the message. Run rkill repeatedly until it's able to do its job. This may take a few tries. You'll be able to tell rkill has done its job when your desktop (explorer.exe) cycles off and then on again.

At this point, you should now be able to run analysis tools.

Preliminary Setup
First, do this ==> show all files:
Windows XP
    -Click Start.
    -Open My Computer.
    -Select the Tools menu and click Folder Options.
    -Select the View Tab.
    -Under the Hidden files and folders heading select Show hidden files and folders.
    -Uncheck the Hide protected operating system files (recommended) option.
    -Click Yes to confirm.

Malwarebytes' Anti-Malware
If you have an earlier version, you must uninstall it via Add or Remove Programs before performing the following.

:!: You need to uninstall your earlier version :!:

Please download by clicking here:
http://www.besttechie.net/tools/mbam-setup.exe
  • Re-name the downloaded file Nailmalware
  • Once re-named, close all programs and Windows on your computer (including this one.)
  • Double-click on the icon on your desktop named Nailmalware.exe. This will start the installation of MBAM onto your computer.
  • When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.
  • MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program.
  • On the Scanner tab, make sure the Perform full scan option is selected and then click on the Scan button to start scanning your computer.
  • MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan.
  • When the scan is finished a message box will appear that it has completed scanning successfully. Click OK. Now click Show Results.
  • :!: Make sure all entries have a Checkmark at their far left. If you do not, the program will have done nothing.
  • Click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the program's quarantine.
  • When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then do a File, Save and then close the Notepad window. Remember where you saved the log file, as we will want to see it later. If MBAM suggests a reboot is necessary, be sure to do so. Otherwise there can be active infectors still on your system that would only be removed finally with the reboot sequence.

ComboFix
If you have an earlier version, delete it before performing the following.

Download ComboFix from any of the links below. You must rename it to Combo-Fix before saving it. Save it to your Desktop.

If you are using Firefox, go to Tools > Options > Main and select 'Always ask me where to save files' and click OK.

Link 1
Link 2
Link 3


* IMPORTANT !!! Save Combo-Fix.exe to your Desktop

------------------------------------------------------

  • Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.
  • Help with disabling your antivirus application can be found here => here
  • Double-click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes to continue scanning for malware.

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Position Hijackthis
To download and scan with HijackThis:

Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Important! => Open Notepad > Click on Format > Uncheck Word wrap, if checked.
  • Double click the desktop icon for HJTInstall.exe.
  • By default it will install to C:\Program Files\Trend Micro\Hijackthis and make an entry called HijackThis in your start menu.
  • Continue to click Run/Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and HijackThis (HT) will launch.
  • Close any/all browser, messenger, mediaplayer, Office and mail client windows and applications.
  • Click on the Do a system scan and save a logfile button; HT will then scan and a log showing the results should open in notepad.
  • Click on Edit > Select All (or CTRL+A) then click on Edit > Copy (or CTRL+C) to copy the contents of the log to your clipboard.
  • Save the file in Notepad for subsequent posting.

Post Back (copy/paste the .txt files, do not use attachments)
After following the above, post back with:

    1. Contents of C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    2. Contents of C:\Combofix.txt;
    3. Hijackthis log;
    4. System status...how are things now???

Please number your answers to match my questions.

Good Luck :!:

_________________
Malware

AumHa Moderator, VSOP & MS-MVP (Windows - Internet Explorer October 2007 through September 2010)


 Post subject: Re: Infection problem
PostPosted: Tue 6/22/10 07:29 pm 
Gold Member

Joined: Thu 12/23/04 01:37 pm
Posts: 147
Hi KB
Thanks for your reply.
I have my PC running. I tried to open a number of programs provided by XP; nothing will open. IE will self open and attempt to connect to a porn site. Nothing will happen as I'm not connected directly and I added security to my wireless router so nothing happens. However, prior to disconnecting I was not able to use IE to connect to anything, yet it self connected to porn and viagra. ZoneAlarm is the only program that will open and I'm scanning now but I doubt it will help. Therefore downloading anything at this time is not possible on the PC.
I can download and copy Rkill to CD or Flash Drive.
What should I do next? I assume try to open it in my PC and let it run.
Frank


 Post subject: Re: Infection problem
PostPosted: Tue 6/22/10 08:16 pm 
AH-VSOP & MS-MVP

Joined: Tue 9/14/04 06:30 pm
Posts: 1883
Location: Greensboro, NC
Yes, that is what KB stated at the start:
"If you need to download RKill on a non-infected system and transfer it to the infected one via portable media (e.g. flash drive, CD), please do so."

Please read and follow his instructions exactly, and don't try running any scans other than what he has directed you to do.

_________________
Glen Ventura
MS-MVP October 2002 - September 2009


 Post subject: Re: Infection problem
PostPosted: Tue 6/22/10 10:35 pm 
Site Admin

Joined: Tue 3/11/03 09:02 pm
Posts: 21226
Location: NW ChesCo, Pennsylvania, USA
<~Moderator kibbitz>

@Frank: Please do not edit a post of yours after someone's replied to it or a later post in the thread.

</~Moderator kibbitz>

_________________
~Robear Dyer (PA Bear)
AumHa VSOP, Admin & Moderator
MS MVP-Internet Explorer, Mail, Consumer Security, Windows Desktop Experience - since 2002
Steely-eyed Missile Man, Sensei, & Mule Skinner
Errabundi Saepe, Semper Certi
:L) Your donations help keep this site going & are very much appreciated: http://aumha.org/donate.htm


 Post subject: Re: Infection problem
PostPosted: Wed 6/23/10 07:50 am 
Gold Member

Joined: Thu 12/23/04 01:37 pm
Posts: 147
Hi All
I ran Rkill; my system now seems "normal". I don't get the pop-up messages, nor is the automatic attempt to connect to porn via IE running. The green shield is no longer shown. However, IE will not connect to the web, hence I can not download the additional files requested. If I use Diagnostics for Windows I'm told I'm not connected to my ISP. Wireless Network Connection states I'm connected (very good signal strength). OE works fine, so I e-mailed my Rkill logs to my laptop and pasted them below.
Should I now get the programs requested installed on a Flash Drive and transfer them to my PC? I assume this is correct but I do not want to assume wrong! I want to follow your expert advice as stated, so please forgive my dumb questions :biggrin:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Owner on 06/23/2010 at 9:50:28.


Processes terminated by Rkill or while it was running:


C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\drwcveinm\xwyoayetssd.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe


Rkill completed on 06/23/2010 at 9:52:32.


 Post subject: Re: Infection problem
PostPosted: Wed 6/23/10 08:06 am 
AH-VSOP & MS-MVP

Joined: Tue 9/14/04 06:30 pm
Posts: 1883
Location: Greensboro, NC
In Internet Explorer, click the Tools menu> Internet Options> Connections tab.

(If you don't have the Menus visible, right-click in the Tabs bar and click to checkmark "Menu Bar" then do as described above.)

Near the bottom of the Connections page, click the LAN Settings button.

UNCHECK ALL the boxes in the LAN Settings, then click OK, then click OK again to close.

Close and reopen IE and see if it will connect.

_________________
Glen Ventura
MS-MVP October 2002 - September 2009


 Post subject: Re: Infection problem
PostPosted: Wed 6/23/10 12:48 pm 
Gold Member

Joined: Thu 12/23/04 01:37 pm
Posts: 147
Hi All
Thanks glee IE is working :) I'm here with my PC
Again another question: mbam does not show up in Add/Remove Programs, but I found mbam.exe in downloaded programs. Wanting to follow instructions to the letter, I ask before acting on my assumptions.
I'm requested to remove all earlier versions of mbam, so I assume I'm to simply delete the file then download the latest version. Correct??
Please understand I'm an expert in a few other subjects, not computers. Computer Dummy here! However I know how frustrating it is for me when I try to help someone that doesn't follow instructions, elevating themselves to expert status, eventually causing me more work when everything fails! Naturally somehow it becomes my fault! Anyway this dummy will ask before leaping!!
Frank


 Post subject: Re: Infection problem
PostPosted: Wed 6/23/10 01:14 pm 
AH-VSOP & MS-MVP

Joined: Tue 9/14/04 06:30 pm
Posts: 1883
Location: Greensboro, NC
Yes, if it isn't in Add\Remove Programs, delete the copy you found, then download and install the latest version as KB directed, and follow his instructions. I imagine KB will be back later...he is probably busy earning a living right now!
:wink:

_________________
Glen Ventura
MS-MVP October 2002 - September 2009


 Post subject: Re: Infection problem
PostPosted: Wed 6/23/10 03:22 pm 
Microsoft MVP

Joined: Wed 7/21/04 07:57 pm
Posts: 4756
Location: The suburbs of Milwaukee, USA
What Glee described is the correct method of action for you.

One thing you might want to keep in mind is that Malwarebytes' and ComboFix may not initially kill the malware on your system. If after running them (which will trigger a reboot) you experience the same re-direct behavior you initially had you'll need to re-run RKill and possibly reset your internet connection as Glee had you do.

Post the RKill report should you need to run it again as well as the requested reports from my initial post.

Good Luck :!:

_________________
Malware

AumHa Moderator, VSOP & MS-MVP (Windows - Internet Explorer October 2007 through September 2010)


 Post subject: Re: Infection problem
PostPosted: Wed 6/23/10 09:31 pm 
Gold Member

Joined: Thu 12/23/04 01:37 pm
Posts: 147
Hi KB
My system has shut down and rebooted a few times without any problems (yet). I did download and rename Combo-Fix. However, I tried to run it but it stopped; I don't remember what the error message said. One question: when I tried to run Combo-Fix I received a large number of Alerts from Zone Alarm. Should I shut down Zone Alarm before running Combo-Fix? Some messages do reference Combo-Fix but the majority don't; however, I do not receive any ZoneAlarm alerts re-starting my system or while I'm running my PC until I run Combo-Fix, so I assume Combo-Fix is creating them.
Pasted below is the mbam log. I did change the name to Nailmalware and it's listed in my download file as Nailmalware, but it opened and is on my Desktop as Malwarebytes.
Malwarebytes' Anti-Malware 1.46
http://www.malwarebytes.org

Database version: 4230

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/23/2010 7:48:09 PM
mbam-log-2010-06-23 (19-48-09).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 252308
Time elapsed: 2 hour(s), 11 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 14
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\Search Toolbar\SearchToolbar.dll (Adware.Zugo) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\searchtoolbarlib.csearchtoolbarimpl (Adware.Zugo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9d425283-d487-4337-bab6-ab8354a81457} (Adware.Zugo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{9d425283-d487-4337-bab6-ab8354a81457} (Adware.Zugo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9d425283-d487-4337-bab6-ab8354a81457} (Adware.Zugo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9d425283-d487-4337-bab6-ab8354a81457} (Adware.Zugo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\searchtoolbarlib.csearchtoolbarimpl.1 (Adware.Zugo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\search toolbar (Adware.Zugo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Zugo (Adware.Zugo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{9d425283-d487-4337-bab6-ab8354a81457} (Adware.Zugo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vpuoreqv (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vpuoreqv (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Search Toolbar\SearchToolbar.dll (Adware.Zugo) -> Quarantined and deleted successfully.
C:\Program Files\Search Toolbar\SearchToolbarUninstall.exe (Adware.Zugo) -> Quarantined and deleted successfully.

Frank


 Post subject: Re: Infection problem
PostPosted: Thu 6/24/10 03:40 am 
Microsoft MVP

Joined: Wed 7/21/04 07:57 pm
Posts: 4756
Location: The suburbs of Milwaukee, USA
You'll need to disable the AntiVirus component of Zone Alarm in order to run ComboFix.

By no means disable the Firewall component of Zone Alarm unless the computer is physically (or wirelessly) disconnected from the internet and the Windows Firewall is enabled before re-connecting to the internet.

You should now be able to run ComboFix. Please do so as well as performing the balance of my original instructions.

Good Luck :!:

_________________
Malware

AumHa Moderator, VSOP & MS-MVP (Windows - Internet Explorer October 2007 through September 2010)


 Post subject: Re: Infection problem
PostPosted: Fri 6/25/10 03:03 pm 
Microsoft MVP

Joined: Wed 7/21/04 07:57 pm
Posts: 4756
Location: The suburbs of Milwaukee, USA
Any progress?

If you think your system is clean of malware, guess again as there is certainly more to do.

Let me know, please.

_________________
Malware

AumHa Moderator, VSOP & MS-MVP (Windows - Internet Explorer October 2007 through September 2010)


 Post subject: Re: Infection problem
PostPosted: Fri 6/25/10 03:15 pm 
Gold Member

Joined: Thu 12/23/04 01:37 pm
Posts: 147
Hi KB
I didn't assume all was done. I know viruses like to hide. I don't know what happened; I did the scans and posted the results yesterday. Oh well, I might have goofed and forgot to click submit! Anyway I posted the logs again and hope this time I do it right :lol: Thanks again for the reminder.
Frank

Duplicate of MBAM log posted Thursday 24 Jun-10 12:31 am (EDT) removed by ~Moderator

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:39:23 PM, on 6/24/2010 :?:
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Outlook Express\msimn.exe
D:\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: ZoneAlarm Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O3 - Toolbar: Translator - {FF284F5C-7CF9-4682-8701-D467C1DBB99F} - C:\Program Files\PRMT6\PRMTIE\prmtie.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - .DEFAULT User Startup: ERUNT AutoBackup.lnk = D:\ERUNT\AUTOBACK.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = D:\ERUNT\AUTOBACK.EXE
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\PRMT6\PRMTIE\prmtie5.htm
O9 - Extra 'Tools' menuitem: Translate - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\PRMT6\PRMTIE\prmtie5.htm
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\PRMT6\PRMTIE\options.htm
O9 - Extra 'Tools' menuitem: Customize translation options - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\PRMT6\PRMTIE\options.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 4533678250
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/sho ... wflash.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: ZoneAlarm ForceField IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 6937 bytes


 Post subject: Re: Infection problem
PostPosted: Fri 6/25/10 04:33 pm 
Microsoft MVP

Joined: Wed 7/21/04 07:57 pm
Posts: 4756
Location: The suburbs of Milwaukee, USA
Unfortunately you haven't done well in following my instructions which clearly detail the steps you need to take in order to remove the malware from your system.

Were you able to run Combo-Fix after you disabled the AntiVirus component of ZoneAlarm?

Your system still shows malware.

When we help users remove malware from their systems it's hard to recover from "I goofed" and save the system.

Hijackthis Cleanup
Start Hijackthis using the shortcut (not the installer) it created on your desktop and hit the "Do a System Scan Only" button.

Place a check to the left of these lines:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

Then hit the "Fix Checked" button and accept the removal.

Reboot now :!:

Run Hijackthis and save log
Start Hijackthis using the shortcut (not the installer) it created on your desktop and hit the "Do a System Scan and Save a logfile" button. Save the log for posting back.

Post Back
Please post back with the following:

    1. Answer to Combo-Fix question;
    2. New HijackThis log;
    3. I'd normally ask how the system is running but it doesn't matter in your case because a system that doesn't show signs of infection can still be infected. That is where you are.

Good Luck :!:

_________________
Malware

AumHa Moderator, VSOP & MS-MVP (Windows - Internet Explorer October 2007 through September 2010)
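Glee's LAN Settings fix earlier in the thread and KB's Hijackthis cleanup above turn on the same two log entries: an Internet Explorer ProxyServer pointing at 127.0.0.1 (once RKill has killed the process listening there, IE has no route to the web at all) and a BHO with no file behind it. The Python below is an added example for readers of this thread, not a tool any of the helpers used: it parses HijackThis-format log lines and flags those two patterns, plus executables started from a user's profile data directory, the location RKill reported terminating. The sample log is constructed from entries that appear in the thread's own logs; the O4 line pairing the MBAM-reported Run value name `vpuoreqv` with that path is an assumption made for the example.

```python
import re

# Constructed sample in HijackThis log format. Entries are taken from the logs
# posted in this thread; the O4 HKCU Run line for "vpuoreqv" is an assumption
# made for the example (MBAM reported the value name, not its target).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Platform: Windows XP SP3 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\drwcveinm\xwyoayetssd.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [vpuoreqv] C:\Documents and Settings\Owner\Local Settings\Application Data\drwcveinm\xwyoayetssd.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# "R1 - ...Internet Settings,ProxyServer = <value>"
PROXY_RE = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (?P<value>.+)$")
# Any typed HijackThis entry: R0/R1/O2/O4/O23 ... followed by " - "
ENTRY_RE = re.compile(r"^(?P<type>[RO]\d+) - ")
# A proxy value aimed at the local machine, with or without a "http=" style
# scheme prefix and with or without a port.
LOOPBACK_RE = re.compile(
    r"(?:^|=|;)(?:127\.0\.0\.1|localhost)(?::\d+)?(?:;|$)", re.IGNORECASE
)
# Per-user, user-writable profile directories on Windows XP. Installed
# software normally lives under Program Files or the Windows directory.
USER_WRITABLE_RE = re.compile(
    r"\\(?:Local Settings\\Application Data|Application Data|Local Settings\\Temp)\\",
    re.IGNORECASE,
)


def parse_log(text):
    """Split a HijackThis log into (running processes, typed entries)."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("type"), line))
    return processes, entries


def triage(text):
    """Return (rule, line) findings in log order; an empty list means nothing flagged."""
    findings = []
    processes, entries = parse_log(text)
    for proc in processes:
        if USER_WRITABLE_RE.search(proc):
            findings.append(("process-from-user-profile", proc))
    for etype, line in entries:
        if etype == "R1":
            m = PROXY_RE.match(line)
            if m and LOOPBACK_RE.search(m.group("value")):
                findings.append(("loopback-proxy", line))
        elif etype in ("O2", "O3") and line.endswith("(no file)"):
            findings.append(("orphaned-bho-or-toolbar", line))
        elif etype == "O4" and USER_WRITABLE_RE.search(line):
            findings.append(("autorun-from-user-profile", line))
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"[{rule}] {line}")
```

The loopback-proxy rule is the one that explains Frank's "IE will not connect" symptom: the setting survives after the process behind 127.0.0.1:5555 is gone, which is exactly what clearing the LAN Settings boxes undoes. The Acrobat BHO, the Intel tray autorun and the NVIDIA service pass untouched, so the rules flag structure (no file, loopback, profile-directory launch) rather than any particular vendor name.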

