1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

tmp.vbs file not foud on startup - Please help

Discussion in 'Windows - Virus and spyware problems' started by cralford, Aug 18, 2008.

  1. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    @cralford,

    I believe it’s ZoneAlarm that has the problem. I just had another member here told me that he had trouble trying to install it..

    2OG
     
  2. cralford

    cralford Member

    Joined:
    Aug 18, 2008
    Messages:
    45
    Likes Received:
    0
    Trophy Points:
    16
    It looks a little more involved than that but you would probably know best.

    After the restore I no longer have connectivity. I have a yellow yield sign on my networking icon. It says I have "Limited or no network connectivity"

    The repair function says it fails because it was unable to renew the ip address. I also saw something about missing a driver.

    It also does not have CA security suite in the start all programs.

    I am going to run a HJT It does show up in the add/remove program but says it is probably already uninstalled. I think it just did not cleanup when I uninstalled it the first time but do not know why it did not show up after the restore.

    I am including a hjt log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:36:11 PM, on 8/20/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\RSSoft\RedSwoosh.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
    C:\Program Files\Sierra\Planner\Plnrnote.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\systray.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Microsoft Encarta\Encarta World English Dictionary 2001\QSHLFED.EXE
    C:\Program Files\Palm\Hotsync.exe
    C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
    C:\Program Files\Trend Micro\HijackThis\cralford.exe.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm?rev=10298
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
    O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
    O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
    O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
    O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
    O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [Red Swoosh] C:\Program Files\RSSoft\RedSwoosh.exe /S
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - Startup: HotSync Manager.LNK = C:\Program Files\Palm\Hotsync.exe
    O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: APC UPS Status.lnk = ?
    O4 - Global Startup: Audible Download Manager.lnk = C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
    O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = ?
    O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    O4 - Global Startup: Quick Shelf.lnk = ?
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Broken Internet access because of LSP provider 'c:\windows\system32\vetredir.dll' missing
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zone.msn.com/binary/Upwords.cab31267.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
    O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
    O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://www.streamingfaith.com/common/mbrowser/MINIBrowser.CAB
    O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://crystal.petplace.com/viewers/activeXViewer/activexviewer.cab
    O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://intercall.webex.com/client/T25L10NSP41EP2-INTERCALL/webex/ieatgpc.cab
    O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: CaCCProvSP - Unknown owner - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe (file missing)
    O23 - Service: CAISafe - Unknown owner - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe (file missing)
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Google Desktop Manager 5.7.801.1629 (GoogleDesktopManager-010108-205858) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - Unknown owner - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe (file missing)
    O23 - Service: PPCtlPriv - Unknown owner - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe (file missing)
    O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
    O23 - Service: HIPS Event Manager (UmxAgent) - Unknown owner - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe (file missing)
    O23 - Service: HIPS Configuration Interpreter (UmxCfg) - Unknown owner - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe (file missing)
    O23 - Service: HIPS Firewall Helper (UmxFwHlp) - Unknown owner - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe (file missing)
    O23 - Service: HIPS Policy Manager (UmxPol) - Unknown owner - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe (file missing)
    O23 - Service: VET Message Service (VETMSGNT) - Unknown owner - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe (file missing)

    --
    End of file - 17306 bytes
     
  3. cralford

    cralford Member

    Joined:
    Aug 18, 2008
    Messages:
    45
    Likes Received:
    0
    Trophy Points:
    16
    The network issue has been resolved.

    Do you think we need to remove the CA and zonealarm entries before I try installing another firewall?

    Windows firewall thinks I have a firewall running although I have uninstalled both CA and zonealarm
     
  4. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    @cralford,

    This puzzles me very much……

    It is so difficult to picture what the heck is going on there because I can’t see it and don’t have my hands on it…

    If you were able to uninstall CA and ZoneAlarm then there should be no entries for them. Is the windows firewall still running??? Maybe that’s what windows sees.

    If ZoneAlarm didn’t install correctly it may not have turned the windows firewall off.

    Scratching my head::: you said something about a missing driver….. know anymore about that?

    The HJT Log does no good it don’t show this kind of stuff : { dern-it.

    Just fill me in and if I think of something, ???
     
  5. cralford

    cralford Member

    Joined:
    Aug 18, 2008
    Messages:
    45
    Likes Received:
    0
    Trophy Points:
    16
    Windows shows a firewall running. This is the same if I turn the windows firewall on or off. I have left windows firewall running just for some type of warm ad fuzzy about my security right now.

    Strangely enough it also shows an anti-virus running but there should be none installed.

    I do see the malwarebytes is still installed. I thought your program removed that.

    Do you think it would do any good to delete the entries for zonealarm and CA from the registry? I thought I saw some in the HJT report

    The missing driver I saw was in the MSN Network Connection. I think its al;ways beeen that way and I seem to have connectivity now.
     
  6. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    Do you have the CA Internet Security Suite 2007 or 2008?
    From all indications CA is a very poor software………

    From my research I find that either version is "Easy to get- hard to get rid of"

    I haven’t found an un-installer yet, but I’m looking..

    Please do not attempt to install any other firewall or antivirus until you can get rid of CA.
    Uninstall anything you have already installed in the way of a firewall/antivirus. That is ZoneAlarm, Antivir, etc.

    You might just reinstall CA until we can come up with a solution to get rid of it...

    I’ll keep looking and let you know. Keep me informed of what’s happening on your end..
     
  7. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
  8. cralford

    cralford Member

    Joined:
    Aug 18, 2008
    Messages:
    45
    Likes Received:
    0
    Trophy Points:
    16
    I have ran the uninstall provided. HJT only shows one entry for CA now

    O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl

    Do you think I should delete that registry entry manually? I tried to run uninstall a second time but it would not let me.

    Or do you think I should just go ahead and try to install zonealarm again?

    Windows still thinks a firewall is running even after I disable the windows firewall.
     
  9. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    First, did you run the un-install for just the CA firewall? There is a uninstall there for it…

    If No , try it.

    If YES, then use HJT to fix the 04 line and then:

    Start Hijackthis
    Click on the Config button
    Click on the Misc Tools button
    Click on the button labeled Delete a file on reboot...
    A new window will open asking you to select the file that you would like to delete on reboot.
    Navigate to the folder, in red below, and click on it once, and then click on the Open button.

    C:\Program Files\CA


    You will now be asked if you would like to reboot your computer to delete the file.
    Click on the Yes button.


    after the reboot,
    Navigate to that folder and see if it is still there. Let me know…..
     
  10. cralford

    cralford Member

    Joined:
    Aug 18, 2008
    Messages:
    45
    Likes Received:
    0
    Trophy Points:
    16
    The CA folder is not there now. It was removed on the initial uninstall.

    Should I proceed with using HJT to fix the one CA entry?
     
  11. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    yes, remove the 04 entry and we'll see if it comes back..

    I know why these guys hide stuff with rootkits but I beleve they should provide an un-installer that will get rid of it...

    See what happens when you delete the 04 line and we'll go from there..
     
  12. cralford

    cralford Member

    Joined:
    Aug 18, 2008
    Messages:
    45
    Likes Received:
    0
    Trophy Points:
    16
    Good news. Deleting the entry helped windows to realize there was not a firewall if windows firewall was turned off.

    I have installed zonealarm but am a little alarmed that I do not have internet access if I have the "Internet Zone" set to high and this is the suggested setting. It works at medium but that is just suggested for temporary use.

    Should I keep it there or look for another firewall? You mentioned Comodo Pro

    It probably at least good enough for now to install the other layers of protection.
     
  13. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    I am also concerned about not being able to use the stealth mode in Zone alarm…

    Do This:

    Download and Run Gmer
    Download Gmer to your Desktop and unzip it to your Desktop -> HERE

    Disconnect from internet and close running programs.
    There is a small chance this application may crash your computer so save any work you have open.
    Double click gmer.exe.
    Let the gmer.sys driver load if asked.
    If it gives you a warning at program start about rootkit activity and asks if you want to run scan...say Ok.
    If no warning....
    Click the rootkit tab
    To the right of the program you will see a bunch of boxes that have been checked... leave everything checked. Then click the Scan button. Wait for the scan to finish.
    Once done click the Copy button.
    Open Notepad and hit ctrl+v to paste the log. Save the log to your desktop please.

    Please post the Gmer log.

    Also, please re-run Combofix and post the log. We may not be rid of the CA rootkit yet..
     
  14. cralford

    cralford Member

    Joined:
    Aug 18, 2008
    Messages:
    45
    Likes Received:
    0
    Trophy Points:
    16
    I will be gone for a while. Taking my daughter down for college entrance testing. Its 4:35 PM here. I hope to be back by 7:00 PM EST

    Gmer log

    GMER 1.0.14.14536 - http://www.gmer.net
    Rootkit scan 2008-08-21 16:16:19
    Windows 5.1.2600 Service Pack 3


    ---- System - GMER 1.0.14 ----

    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwConnectPort [0xF45D6EB0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateFile [0xF45D3870]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateKey [0xF45DE720]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreatePort [0xF45D7270]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateProcess [0xF45DD520]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateProcessEx [0xF45DD750]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateSection [0xF45E10B0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateWaitablePort [0xF45D7360]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteFile [0xF45D3EF0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteKey [0xF45DF740]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteValueKey [0xF45DF380]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDuplicateObject [0xF45DD290]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwLoadKey [0xF45DFA80]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenFile [0xF45D3D40]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenProcess [0xF45DCFE0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenThread [0xF45DCE00]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRenameKey [0xF45E01F0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwReplaceKey [0xF45DFD70]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRequestWaitReplyPort [0xF45D6B50]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRestoreKey [0xF45E0020]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSecureConnectPort [0xF45D7060]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetInformationFile [0xF45D4060]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetValueKey [0xF45DEEF7]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwTerminateProcess [0xF45DD980]

    ---- Kernel code sections - GMER 1.0.14 ----

    .text ntkrnlpa.exe!ZwCallbackReturn + 2C7C 80504508 6 Bytes [ 70, 72, 5D, F4, 20, D5 ]
    .text ntkrnlpa.exe!ZwCallbackReturn + 2FC8 80504854 2 Bytes [ 80, D9 ]
    ? srescan.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.14 ----

    .text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2036] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 05051EB5 C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)
    .text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2036] USER32.dll!MessageBoxA 7E4507EA 5 Bytes JMP 05051E5F C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)
    .text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2036] USER32.dll!MessageBoxW 7E466534 5 Bytes JMP 05051E8A C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)
    .text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[3668] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 5 Bytes JMP 0056DBBD C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe (Windows Live Messenger/Microsoft Corporation)
    .text C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe[3984] kernel32.dll!FindResourceW 7C80BC5E 5 Bytes JMP 0041F1E0 C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Download Manager for Audible content/Audible, Inc.)
    .text C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe[3984] kernel32.dll!FindResourceA 7C80BF19 5 Bytes JMP 0041F1A0 C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Download Manager for Audible content/Audible, Inc.)
    .text C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe[3984] USER32.dll!LoadStringW 7E419E36 5 Bytes JMP 0041F6E0 C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Download Manager for Audible content/Audible, Inc.)
    .text C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe[3984] USER32.dll!CreateDialogParamW 7E41EA3B 5 Bytes JMP 0041F290 C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Download Manager for Audible content/Audible, Inc.)
    .text C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe[3984] USER32.dll!LoadBitmapW 7E420242 5 Bytes JMP 0041F640 C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Download Manager for Audible content/Audible, Inc.)
    .text C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe[3984] USER32.dll!LoadBitmapA 7E42473C 5 Bytes JMP 0041F5A0 C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Download Manager for Audible content/Audible, Inc.)
    .text C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe[3984] USER32.dll!LoadStringA 7E42C908 5 Bytes JMP 0041F790 C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Download Manager for Audible content/Audible, Inc.)
    .text C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe[3984] USER32.dll!LoadIconW 7E42E8BC 5 Bytes JMP 0041F4B0 C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Download Manager for Audible content/Audible, Inc.)
    .text C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe[3984] USER32.dll!LoadIconA 7E42E8F6 5 Bytes JMP 0041F3C0 C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Download Manager for Audible content/Audible, Inc.)
    .text C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe[3984] USER32.dll!LoadMenuW 7E42EB48 5 Bytes JMP 0041F360 C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Download Manager for Audible content/Audible, Inc.)
    .text C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe[3984] USER32.dll!CreateDialogParamA 7E43C7DB 5 Bytes JMP 0041F220 C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Download Manager for Audible content/Audible, Inc.)
    .text C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe[3984] USER32.dll!LoadMenuA 7E44FA83 5 Bytes JMP 0041F300 C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Download Manager for Audible content/Audible, Inc.)

    ---- Kernel IAT/EAT - GMER 1.0.14 ----

    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F45DB9F0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F45DBF10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F45DC070] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F45DBB60] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F45DBB60] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F45DB9F0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F45DBF10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F45DC070] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F45DB9F0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F45DBB60] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F45DC070] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F45DBF10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F45DC070] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F45DBF10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F45DB9F0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F45DBB60] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F45DB9F0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F45DBF10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F45DC070] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F45DB9F0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F45DBB60] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F45DC070] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F45DBF10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

    ---- User IAT/EAT - GMER 1.0.14 ----

    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1860] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1860] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1860] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1860] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1860] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1860] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1860] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1860] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1860] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1860] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1860] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1860] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1860] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1860] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [63601740] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1860] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1860] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1860] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1860] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1860] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1860] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1860] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1860] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1860] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1860] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1860] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1860] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1860] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1860] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
    IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1860] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

    ---- Devices - GMER 1.0.14 ----

    Device \FileSystem\Udfs \UdfsCdRom tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Udfs \UdfsDisk tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    Device \FileSystem\Fastfat \Fat B6DB1D20

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

    ---- Registry - GMER 1.0.14 ----

    Reg HKLM\SYSTEM\controlset002\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 2
    Reg HKLM\SYSTEM\controlset002\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
    Reg HKLM\SYSTEM\controlset002\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
    Reg HKLM\SYSTEM\controlset002\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
    Reg HKLM\SYSTEM\controlset002\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 35
    Reg HKLM\SYSTEM\controlset002\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
    Reg HKLM\SYSTEM\controlset002\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
    Reg HKLM\SYSTEM\controlset002\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
    Reg HKLM\SYSTEM\controlset002\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
    Reg HKLM\SYSTEM\controlset002\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
    Reg HKLM\SYSTEM\controlset002\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
    Reg HKLM\SYSTEM\controlset002\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
    Reg HKLM\SYSTEM\controlset002\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
    Reg HKLM\SYSTEM\controlset002\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
    Reg HKLM\SYSTEM\controlset002\Services\MRxDAV\EncryptedDirectories@

    ---- EOF - GMER 1.0.14 ----

    Combofix Log

    ComboFix 08-08-19.06 - cralford 2008-08-21 16:23:12.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.467 [GMT -4:00]
    Running from: C:\Documents and Settings\cralford\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-07-21 to 2008-08-21 )))))))))))))))))))))))))))))))
    .

    2008-08-21 15:58 . 2008-08-21 15:59 250 --a------ C:\WINDOWS\gmer.ini
    2008-08-21 14:59 . 2008-08-21 14:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
    2008-08-21 14:29 . 2008-08-21 14:29 17,319 --a------ C:\ISS4-UNST(N).vbs
    2008-08-20 20:32 . 2008-08-20 20:32 <DIR> d-------- C:\Program Files\CA Yahoo! Anti-Spy
    2008-08-20 19:30 . 2008-08-20 20:32 <DIR> d-------- C:\fixwareout
    2008-08-20 18:04 . 2008-08-21 15:04 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-08-20 18:04 . 2008-08-20 18:04 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-08-20 17:34 . 2008-08-21 16:26 342,048 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2008-08-20 17:34 . 2008-08-20 20:33 4,028 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
    2008-08-20 17:31 . 2008-08-21 15:02 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
    2008-08-20 17:12 . 2008-08-20 17:12 <DIR> d-------- C:\Program Files\Zone Labs
    2008-08-20 17:08 . 2008-08-21 16:24 <DIR> d-------- C:\WINDOWS\Internet Logs
    2008-08-19 18:01 . 2008-08-19 18:01 <DIR> d--hs---- C:\Documents and Settings\cralford\UserData
    2008-08-18 21:37 . 2008-08-18 21:37 <DIR> d-------- C:\Documents and Settings\cralford\Application Data\Malwarebytes
    2008-08-18 21:37 . 2008-08-18 21:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-18 21:37 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-08-18 21:37 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-08-18 21:36 . 2008-08-18 21:37 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-18 21:14 . 2008-08-18 21:14 <DIR> d-------- C:\Program Files\Trend Micro
    2008-08-17 16:06 . 2008-08-17 16:06 <DIR> d-------- C:\WINDOWS\system32\scripting
    2008-08-17 16:05 . 2008-08-17 16:05 <DIR> d-------- C:\WINDOWS\system32\en
    2008-08-17 16:05 . 2008-08-17 16:05 <DIR> d-------- C:\WINDOWS\system32\bits
    2008-08-17 16:05 . 2008-08-17 16:06 <DIR> d-------- C:\WINDOWS\l2schemas
    2008-08-17 15:56 . 2008-08-17 16:07 <DIR> d-------- C:\WINDOWS\ServicePackFiles
    2008-08-17 15:30 . 2008-04-13 20:12 1,737,856 --------- C:\WINDOWS\system32\mtxparhd.dll
    2008-08-17 15:29 . 2008-04-13 20:11 397,312 --------- C:\WINDOWS\system32\mmcex.dll
    2008-08-17 15:28 . 2004-08-03 22:41 1,041,536 --------- C:\WINDOWS\system32\drivers\hsfdpsp2.sys
    2008-08-17 15:27 . 2008-04-13 20:11 136,192 --------- C:\WINDOWS\system32\aaclient.dll
    2008-08-17 15:27 . 2008-04-13 20:11 4,255 --------- C:\WINDOWS\system32\drivers\adv01nt5.dll
    2008-08-17 15:27 . 2008-04-13 20:11 3,967 --------- C:\WINDOWS\system32\drivers\adv02nt5.dll
    2008-08-17 15:27 . 2008-04-13 20:11 3,775 --------- C:\WINDOWS\system32\drivers\adv11nt5.dll
    2008-08-17 15:27 . 2008-04-13 20:11 3,711 --------- C:\WINDOWS\system32\drivers\adv09nt5.dll
    2008-08-17 15:27 . 2008-04-13 20:11 3,647 --------- C:\WINDOWS\system32\drivers\adv07nt5.dll
    2008-08-17 15:27 . 2008-04-13 20:11 3,615 --------- C:\WINDOWS\system32\drivers\adv05nt5.dll
    2008-08-17 15:27 . 2008-04-13 20:11 3,135 --------- C:\WINDOWS\system32\drivers\adv08nt5.dll
    2008-08-14 16:54 . 2008-08-14 16:54 92,222,856 --a------ C:\SYM_REGISTRY_BACKUP.reg
    2008-08-14 09:19 . 2008-08-14 09:19 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
    2008-08-13 17:58 . 2008-04-11 15:04 691,712 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
    2008-08-13 17:58 . 2008-05-01 10:33 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
    2008-07-25 12:12 . 2008-07-25 12:12 <DIR> d-------- C:\Program Files\7-Zip

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-21 20:25 --------- d-----w C:\Program Files\RSSoft
    2008-08-21 19:07 --------- d-----w C:\Documents and Settings\cralford\Application Data\OpenOffice.org2
    2008-08-21 17:06 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-08-21 17:04 --------- d-----w C:\Documents and Settings\cralford\Application Data\AdobeUM
    2008-08-21 01:13 31,436 ----a-w C:\Documents and Settings\cralford\Application Data\wklnhst.dat
    2008-08-14 07:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-07-27 03:31 --------- d-----w C:\Program Files\Java
    2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
    2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
    2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
    2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
    2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
    2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
    2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
    2008-07-19 02:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
    2008-07-19 02:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
    2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-07-07 20:26 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
    2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
    2008-06-24 16:43 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
    2008-06-24 14:57 3,592,192 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
    2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
    2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
    2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
    2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
    2008-06-20 17:46 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
    2008-06-20 17:46 147,968 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
    2008-06-20 11:51 361,600 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
    2008-06-20 11:40 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys
    2008-06-20 11:08 225,856 ------w C:\WINDOWS\system32\dllcache\tcpip6.sys
    2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
    2008-01-02 11:52 124,288 ----a-w C:\Documents and Settings\cralford\Application Data\GDIPFONTCACHEV1.DAT
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]
    "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-06-07 14:08 4670968]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-18 17:53 68856]
    "MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:34 5724184]
    "DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
    "Aim6"="C:\Program Files\AIM6\aim6.exe" [2006-11-07 11:29 50736]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-30 06:56 185896]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
    "Red Swoosh"="C:\Program Files\RSSoft\RedSwoosh.exe" [2006-08-14 17:47 61325]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50 81920]
    "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
    "Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-11 14:29 29744]
    "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 14:56 64512]
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19 53248]
    "dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-03-16 05:33 127037]
    "DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-29 22:05 339968]
    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14 919016]
    "SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 00:20 339968 C:\WINDOWS\STSYSTRA.EXE]

    C:\Documents and Settings\cralford\Start Menu\Programs\Startup\
    HotSync Manager.LNK - C:\Program Files\Palm\Hotsync.exe [2004-06-09 15:27:34 471040]
    OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 15:41:28 393216]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
    APC UPS Status.lnk - C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe [2005-07-28 15:25:51 200833]
    Audible Download Manager.lnk - C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe [2006-11-21 11:49:10 800352]
    Event Planner Reminders Tray Icon.lnk - C:\Program Files\Sierra\Planner\Plnrnote.exe [2007-02-11 14:00:51 184320]
    Event Reminder.lnk - C:\Program Files\Broderbund\PrintMaster\PMremind.exe [2005-08-21 16:27:16 323584]
    Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-06-02 05:29:26 180224]
    KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 15:12:08 16423]
    Quick Shelf.lnk - C:\WINDOWS\Installer\{04001101-5D65-445A-B3B4-3DCE72BA0C6C}\ENCICONS.EXE [2006-01-17 23:07:33 11264]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

    SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
    @="Driver Group"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
    @="DiskDrive"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
    @="Hdc"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
    @="Keyboard"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
    @="Mouse"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
    @="System"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
    @="Volume"
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS\system32

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\zonelabsfirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "9420:TCP"= 9420:TCP:Red Swoosh
    "5000:UDP"= 5000:UDP:Red Swoosh

    S1 f0b9f792;f0b9f792;C:\WINDOWS\system32\drivers\f0b9f792.sys []
    S3 GoogleDesktopManager-010108-205858;Google Desktop Manager 5.7.801.1629;C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-01-11 14:29]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa08f1e5-a01b-11da-8e61-00123f9a49cb}]
    \shell\autorun\command - G:\setupSNK.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d1e947f1-a800-11da-8e62-00123f9a49cb}]
    \Shell\AutoRun\command - G:\setupSNK.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f8c4618d-a737-11dc-8edc-00123f9a49cb}]
    \shell\autorun\command - F:\setupSNK.exe

    *Newly Created Service* - catchme
    *Newly Created Service* - GMER
    *Newly Created Service* - KLIF
    *Newly Created Service* - SRESCAN
    .
    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\cralford\Application Data\Mozilla\Firefox\Profiles\u2mclhp0.default\
    FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.yahoo.com/search/?fr=ffsp1&p=
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.rr.com/flash/index.cfm
    FF -: plugin - C:\PROGRA~1\Yahoo!\Common\npyaxmpb.dll
    FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
    FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
    FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPcol305.dll
    FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npsnapfish.dll
    FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npunagi2.dll
    FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-21 16:26:27
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-08-21 16:30:34
    ComboFix-quarantined-files.txt 2008-08-21 20:30:28

    Pre-Run: 100,107,198,464 bytes free
    Post-Run: 100,081,487,872 bytes free

    222
     
  15. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    From your ComboFix Log:
    ComboFix says your Safe Mode is corrupt.

    Download the ZIP file, extract the SafeBoot-for-Windows-XP-SP3.reg and merge it into the registry by double-clicking it:
    https://www.didierstevens.com/files/data/SafeBoot.zip


    To repair other System files that may have been corrupted:

    Goto > Start > Run and enter sfc /scannow in the box Click OK

    Let it run and let me know the results – it does not produce a log and if it finds a corrupt file and can’t find the original file on the HD it may ask for a CD. If you have a Recovery CD or a XP disc insert it and the file will be repaired.
     
  16. cralford

    cralford Member

    Joined:
    Aug 18, 2008
    Messages:
    45
    Likes Received:
    0
    Trophy Points:
    16
    I don't have a xp or recovery cd.

    Can I find them somewhere online with my other pc and transfer them through my jump drive?

    My other pc is xp pro. Can I steal them from it?
     
  17. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    LOL - Just run sfc/scannow it may not even need the disk.

    If it does then stop it and we'll look on your HD and see if we can find what it needs.

    If that is XP then XP pro may or may not work. we'll cross that bridge when we get there..
     
  18. cralford

    cralford Member

    Joined:
    Aug 18, 2008
    Messages:
    45
    Likes Received:
    0
    Trophy Points:
    16
    What are your hours?

    Couple of issues. It failed and did not tell me the names of the files it was looking for.

    Interestingly enough it asked me to enter the cd for windows xp pro sp3

    I did find the cd I got from dell to restore the system to its original state and the program seems to be running now. I am thinking it probably just wanted a cd. It initiallly failed right away with the prompt for the cd. Hopefully we won't run into further issues

    Since it did prompt for xp pro sp3 I wonder if I could use the other pc. Its only sp2 and I can't install sp3 on it since its a work pc.

    Can I create system cd from my other pc?

    Its still trudging along. The status bar is about 3/5 complete
     
  19. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    My hours are flexible........ real flexible lol

    Let it run with that.. it will do.

    if you want to watch the grass grow, you can watch it and see if it picks something up but I wouldn't suggest it ;)

    it will repair anything it finds and then stop...
     
  20. cralford

    cralford Member

    Joined:
    Aug 18, 2008
    Messages:
    45
    Likes Received:
    0
    Trophy Points:
    16
    Unfortunately my grass is no longer growing :)

    After the status bar finished it prompted me for the XP Professional CD2. It says "Files that are required for Windows to run properly must be copied to the DLL Cache"

    The more information tells me I probably have the wrong CD inserted or my CD is broke
     

Share This Page