Author Topic: Firewall issues (Read 2088 times)

Heather · « **on:** September 19, 2007, 07:43:25 PM »

problems with Kerio are causing AVS to refuse to install.
thanks, Heather

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:40:02 PM, on 9/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\WINDOWS\system32\lexpps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Verizon\McciBrowser.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST1.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar1.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar1.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-21-431566318-4074410564-2899063045-1008.bak\..\Run: [Sonic RecordNow!] (User '?')
O4 - HKUS\S-1-5-21-431566318-4074410564-2899063045-1008.bak\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet (User '?')
O4 - HKUS\S-1-5-21-431566318-4074410564-2899063045-1008.bak\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-431566318-4074410564-2899063045-1008.bak\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart (User '?')
O4 - HKUS\S-1-5-21-431566318-4074410564-2899063045-1008.bak\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup (User '?')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ewido security suite control - Unknown owner - C:\Program Files\ewido anti-malware\ewidoctrl.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Unknown owner - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Unknown owner - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe (file missing)

--
End of file - 8709 bytes

guestolo · « **Reply #1 on:** September 19, 2007, 09:58:59 PM »

Are you planning to replace Kerio?
Where is you anti-virus software?

Quote

problems with Kerio are causing AVS to refuse to install.

Are you talking about Active Virus Shield?
It is no longer being offered

Heather · « **Reply #2 on:** September 19, 2007, 10:59:42 PM »

yes I would like to replace Kerio,
do you have a good substitute for the Active Virus Shield?
I had AVS and was having problems getting it to run so I tried to un-re-install it, when downloading it there was an alert of problem with firewall, tried to disable firewall, couldn't. Treid to un-install firewall, couldn't. now here I am. I also cannot open Rhapsody, don't know if there are any other problems. I figured something went kaput when I rolled back to June reset date.

guestolo · « **Reply #3 on:** September 20, 2007, 10:32:24 PM »

Kerio looks like it's not running properly
If you can't uninstall it from add/remove programs

Try a manual uninstall

First, go to the following link and download and install CCleaner
DO NOT Install the YAHOO toolbar when installing unless you want it, which you probably don't
So DESELECT it during the installation

We will need CCleaner later

PRINT THE REST OF THESE INSTRUCTIONS OR SAVE THEM TOO A TEXT FILE ON DESKTOP FOR REFERENCE

Afterwards
Reboot into safe mode

In safe mode do the following
Go to START>>>RUN>>>type in services.msc
Hit OK
In the next window, look on the right hand side for this service
name---- Sunbelt Kerio Personal Firewall 4

Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled
APPLY it and OK it

Do the same for this service name
Webroot Spy Sweeper Engine

If Ewido is no longer installed, do the same for this service name too
ewido security suite control

Remain in safe mode and go to START>>RUN
type the following EXACTLY as I have posted in bold below and hit OK after each

sc delete KPF4

and then this one

sc delete svcWRSSSDK

Delete this file
C:\WINDOWS\system32\drivers\fwdrv.sys <-file

And these folders if found
C:\Program Files\Sunbelt Software <-folder
C:\Program Files\Webroot <-folder

Reboot the computer
Run CCleaner
Next: click Options click the Advanced button
Uncheck: "Only delete files in Windows temp folders older than 48 hrs."
NEXT: Click the Cleaner
Then click Run Cleaner (bottom right)
OK the prompt, when finished scanning,

Click the Issues (Registry) button
Click Scan for Issues
Let this finish then Select all issues and make a backup and Fix all selected issues

Reboot the computer again
Back In Windows enter the Windows control panel and ensure the Firewall is active

Let me know how things are running afterwards
Also post a fresh hijackthis log

Heather · « **Reply #4 on:** September 21, 2007, 12:11:38 AM »

for some reason when I boot to safe my keyboard will not work therefore I am not able to carry out instructions.

?? it is a regular corded keyboard connector pre-USB

guestolo · « **Reply #5 on:** September 21, 2007, 08:18:32 AM »

Try the instructions in regular windows

Heather · « **Reply #6 on:** September 21, 2007, 05:58:06 PM »

Quote

Delete this file
C:\WINDOWS\system32\drivers\fwdrv.sys <-file

this file was not there but there was a file fwdrv.err I did not touch it

Quote

Back In Windows enter the Windows control panel and ensure the Firewall is active

I did this but it is still showing kerio as active as well. kerio still exists in the add/remove programs area

here's the log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:57:32 PM, on 9/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST1.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar1.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar1.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 7415 bytes

guestolo · « **Reply #7 on:** September 21, 2007, 06:24:15 PM »

Let's see what the following brings

supply an uninstall list from Hijackthis
Open Hijackthis>>Open MISC TOOLS SECTION>>Open UNINSTALL MANAGER
Click the SAVE LIST... button
Save the list to your desktop then copy>>Paste back here the Whole contents

Also, if you have an older version of Combofix, Delete it
Then>>Download this file - Combofix.exe and save it ONLY to your desktop
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Post back the log from combofix

Heather · « **Reply #8 on:** September 22, 2007, 01:11:18 AM »

ABBYY FineReader 5.0 Sprint
Adobe Acrobat 4.0
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.9
Apple Software Update
Before You Know It 3.6
Bonjour
CCleaner (remove only)
CCScore
Championship Bass
Coupon Printer for Windows
DA920EN
DD Tournament Poker 1.2
Dell AIO Printer A920
Dell Digital Jukebox Driver
Dell Media Experience
Dell ResourceCD
Dell Solution Center
Dell Support 5.0.0 (766)
DVDSentry
EA Network Play System
EA SPORTS online 2004
EarthLink Setup Files
EAX(tm) Unified (SHELL)
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvatgt
essvcpt
EVEREST Home Edition v2.20
FaxTools
FinePixViewer Ver.4.0
FUJIFILM USB Driver
Google Earth
Google Toolbar for Internet Explorer
Hamsterball
HijackThis 2.0.2
HLPPDOCK
HP Imaging Device Functions 7.0
HP Photosmart Cameras 7.0
HP Photosmart Premier Software 6.5
HP Software Update
HP Solution Center 7.0
ImageMixer VCD for FinePix
IndeoÂ® software
In-Fisherman Freshwater Trophies
Intel® 537EP V9x DF PCI Modem
Intel® Extreme Graphics 2 Driver
Intel® PRO Network Adapters and Drivers
Intel® PROSet
Internet Explorer Default Page
iPod for Windows 2005-09-23
iPod for Windows 2006-03-23
iTunes
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Java 2 Runtime Environment, SE v1.4.2
kgcbaby
kgcbase
kgchday
kgchlwn
kgcinvt
kgckids
kgcmove
kgcvday
Kodak EasyShare software
KSU
Logitech Desktop Messenger
Logitech MouseWare 9.79.1
Logitech Resource Center
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Encarta Encyclopedia Standard 2004
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Media Content
Microsoft Office XP Professional with FrontPage
Microsoft User-Mode Driver Framework Feature Pack 1.0
Modem Event Monitor
Modem Helper
Modem On Hold
MSN
MSN Music Assistant
MSN Toolbar
MSXML 4.0 SP2 (KB927978)
Muppets - Bright2
MUSICMATCHÂ® Jukebox
My Disney Kitchen
Napster for Windows Media Player
Notifier
OfotoXMI
OpenMG Limited Patch 4.4-06-13-19-01
OpenMG Secure Module 4.4.00
OTtBP
OTtBPSDK
PokÃ©mon
Poker Superstars
PowerDVD
Pro Fishing 3D
ProModule: PowerPoint Support
ProModule: Quick Message
ProModule: SongSelect 3.0 Support
ProModule: SongSelect Lyrics Service Import
ProModule: Transitions 1
ProModule: Transitions 2
ProModule: Transitions 3
ProModule: Transitions 4
ProModule: Video Background
ProModule: Visualizations 1
ProModule: Visualizations 2
ProModule: Visualizations 3
ProModule: Visualizations 4
QuickTime
RAW FILE CONVERTER LE
RealArcade
RealPlayer
Rhapsody
Sansa Media Converter
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
SFR
SHASTA
Shockwave
SKIN0001
SKINXSDK
SongShow Plus
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
SonicStage 3.4
SpywareBlaster v3.5.1
SspSamples: Bible Atlas Images
SspSamples: Creative Interlude Sampler 2
SspSamples: Digital Hotcakes
SspSamples: Digital Juice Images
SspSamples: Digital Juice Jumpbacks
SspSamples: Whitmer Photography
SspSamples: WorshipFilms
SspSamples: WorshipScapes Images
SspSamples: WorshipScapes Videos
Starshine Episode 1
staticcr
Sunbelt Kerio Personal Firewall
Tiger Woods PGA TOUR 2004
Verizon Online DSL
Verizon Online Help and Support
VPRINTOL
Windows Internet Explorer 7
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 2
WinZip
WinZip Self-Extractor
WIRELESS
WordPerfect Office 11
Yahoo! extras
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Messenger Explorer Bar
Yahoo! Photos Easy Upload Tool
Yahoo! Photos Print-at-Home Tool

Heather · « **Reply #9 on:** September 22, 2007, 01:13:03 AM »

ComboFix 07-09-21.2 - "Heather" 2007-09-21 23:00:26.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.257 [GMT -7:00]
* Created a new restore point
.
[color=\"red\"] Rootkit driver pe386 is present. ... attempting disinfection [/color]
[color=\"red\"] Rootkit driver msguard is present. ... attempting disinfection [/color]
[color=\"red\"] Rootkit driver lzx32 is present. ... attempting disinfection [/color]
[color=\"red\"] Rootkit driver huy32 is present. ... attempting disinfection [/color]
[color=\"red\"] Rootkit driver xpdt is present. ... attempting disinfection [/color]
[color=\"red\"] Rootkit driver pe386 is still present. A rootkit scan is required [/color]
[color=\"red\"] Rootkit driver msguard is still present. A rootkit scan is required [/color]
[color=\"red\"] Rootkit driver lzx32 is still present. A rootkit scan is required [/color]
[color=\"red\"] Rootkit driver huy32 is still present. A rootkit scan is required [/color]
[color=\"red\"] Rootkit driver xpdt is still present. A rootkit scan is required [/color]

((((((((((((((((((((((((( Files Created from 2007-08-22 to 2007-09-22 )))))))))))))))))))))))))))))))
.

2007-09-20 22:25   <DIR>   d--------   C:\Program Files\Windows Media Connect 2
2007-09-20 22:24   <DIR>   d--------   C:\WINDOWS\SYSTEM32\LogFiles
2007-09-20 22:24   <DIR>   d--------   C:\WINDOWS\SYSTEM32\DRIVERS\UMDF
2007-09-14 00:31   <DIR>   d--------   C:\Program Files\Trend Micro
2007-09-13 23:32   76,560   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2007-09-13 22:34   <DIR>   d--------   C:\DOCUME~1\Heather\.housecall6.6
2007-09-13 21:49   <DIR>   d--------   C:\Program Files\Error Expert
2007-09-13 19:44   <DIR>   d--------   C:\KAV
2007-09-04 10:08   <DIR>   d--------   C:\Program Files\MyWebSearchWB
2007-09-04 10:08   <DIR>   d--------   C:\Program Files\AWS
2007-09-04 10:08   <DIR>   d--------   C:\DOCUME~1\Heather\APPLIC~1\WeatherBug

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-21 15:37   ---------   d--------   C:\Program Files\ewido anti-malware
2007-09-13 19:33   ---------   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-09-13 19:22   ---------   d--------   C:\Program Files\Rhapsody
2007-09-13 18:49   ---------   d--------   C:\Program Files\Real
2007-09-13 18:47   ---------   d--------   C:\DOCUME~1\Heather\APPLIC~1\Real
2007-09-08 23:59   ---------   d--------   C:\DOCUME~1\Heather\APPLIC~1\U3
2007-08-16 00:10   ---------   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\LightScribe
2007-08-13 15:18   ---------   d--------   C:\DOCUME~1\Heather\APPLIC~1\Ahead
2007-08-13 15:07   ---------   d--------   C:\Program Files\Common Files\LightScribe
2007-08-13 15:00   ---------   d--------   C:\Program Files\Common Files\Ahead
2007-08-13 14:57   ---------   d--------   C:\Program Files\Nero
2007-08-13 14:57   ---------   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
2007-08-12 06:57   ---------   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Motive
2007-08-12 06:56   ---------   d--------   C:\Program Files\Verizon
2007-02-20 12:51   439296   --a------   C:\DOCUME~1\Heather\GoToAssist_phone__317_en.exe
2007-02-17 21:07   8   --a------   C:\DOCUME~1\Heather\APPLIC~1\usb.dat.bin
2006-02-19 04:28   12288   --a------   C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 18:12]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 10:50 C:\WINDOWS\LOGI_MWX.EXE]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-01-07 02:36]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-17 00:24]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 03:41]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-03-11 14:37]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-01 15:24]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
DESKTOP.INI [2002-09-03 07:00:00]

C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 07:00:00]

C:\DOCUME~1\DEFAUL~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 07:00:00]

C:\DOCUME~1\Heather\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 07:00:00]

C:\DOCUME~1\Tim\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 07:00:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)

.
Contents of the 'Scheduled Tasks' folder
"2007-09-20 00:13:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2004-04-17 03:57:12 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
"2007-01-02 03:58:06 C:\WINDOWS\Tasks\WebReg .job"
- C:\Program Files\HP\digital imaging\bin\hpqwrg.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-21 23:07:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-21 23:09:21 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-21 23:09
C:\ComboFix2.txt ... 2007-09-14 00:39
.
   --- E O F ---

guestolo · « **Reply #10 on:** September 22, 2007, 08:44:10 AM »

Download Rustbfix from one of these locations:
http://www.uploads.ejvindh.net/rustbfix.exe
http://uploads.ejvindh.andymanchesta.com/Rustbfix.exe
...and save it to your desktop.

Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt).

Post the contents of both logfiles from Rustbfix
Post a fresh hijackthis log

With the above logs, also do the following
Download and save too your desktop
[color=\"#FF0000\"]fsbl.exe[/color]
(F-Secure Blacklight)

Double click to run fsbl.exe
* Accept the user agreement.
* Click Scan.
* After the scan finishes, click on Next, then Exit.
Do not rename any files if found by blacklight, I need to see the log

BlackLight will create a log on your desktop with the name "fsbl-xxxxxxx.log".

It may take more than one reply to post all the info, please do so if needed

Heather · « **Reply #11 on:** September 23, 2007, 01:41:08 AM »

************************* Rustock.b-fix v. 1.01 -- By ejvindh *************************
Sat 09/22/2007 23:39:45.59

No Rustock.b-rootkits found

******************************* End of Logfile ********************************

this was the only log found.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:49 PM, on 9/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST1.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar1.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar1.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 7426 bytes

Heather · « **Reply #12 on:** September 23, 2007, 01:57:12 AM »

09/22/07 23:42:18 [Info]: BlackLight Engine 1.0.64 initialized
09/22/07 23:42:18 [Info]: OS: 5.1 build 2600 (Service Pack 2)
09/22/07 23:42:18 [Note]: 7019 4
09/22/07 23:42:18 [Note]: 7005 0
09/22/07 23:42:22 [Note]: 7006 0
09/22/07 23:42:22 [Note]: 7011 1516
09/22/07 23:42:23 [Note]: 7026 0
09/22/07 23:42:23 [Note]: 7026 0
09/22/07 23:42:29 [Note]: FSRAW library version 1.7.1022
09/22/07 23:55:29 [Note]: 7007 0

hope this is helpful

guestolo · « **Reply #13 on:** September 23, 2007, 12:08:20 PM »

Ensure the Windows Firewall is running
Let's try some cleaning and updating of software that is left behind or outdated

Do a "System scan only" with Hijackthis and put a check next to these entries:

O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab

After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Reboot the computer

Back in Windows, it does not appear that Symantec's got fully uninstalled when you removed it at one time
I suggest that you follow the instructions on their website for removal
Use STEP 3, the removal tool
Click HERE

[color=\"blue\"]Your Java Runtime Environment is out of date.[/color] Older versions have vulnerabilities that malware can use to infect your system.

Download the latest version of Java Runtime Environment (JRE) 6u2.
Scroll down to where it says "Java Runtime Environment (JRE) 6u2, The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement[/i]".
The page will refresh.
Click on the link to download Windows Offline Installation, Multi-language and save it to your desktop (13.90 MB).

DON'T install it yet

Close all browser windows, including this one
# Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
# Check any item with Java Runtime Environment (JRE or J2SE) in the name
# Click the Remove or Change/Remove button.
# Repeat as many times as necessary to remove each Java versions.
Examples of older versions:
Java SE Runtime Environment 5 Update 6
Java SE Runtime Environment 5 Update 11
Java 2 Runtime Environment, SE v1.4.2

Reboot the computer
Back in Windows go ahead and install the latest version for the installer on desktop

Concerning Sunbelt Kerio
Can you try reinstalling the software and then perform a proper uninstall
You can redownload it from here
http://www.sunbelt-software.com/Home-Home-...ewall/Download/

Download Dr.Web CureIt to the desktop from this link
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Double click to run Dr.Web-cureit.exe from desktop

Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, Click Options > Change settings
Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
Back at the main window, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found:
If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:

This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured.
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer

Post the report from Dr. Web

I think there may have been a false alarm with the Combofix results
Can you delete your copy of combofix
Download it again from [color=\"#2E8B57\"]Here[/color]

Run it and post the new log from it again and a fresh hijackthis log

Heather · « **Reply #14 on:** September 23, 2007, 05:31:27 PM »

Quote

Check any item with Java Runtime Environment (JRE or J2SE) in the name
# Click the Remove or Change/Remove button.
# Repeat as many times as necessary to remove each Java versions.
Examples of older versions:
Java SE Runtime Environment 5 Update 6
Java SE Runtime Environment 5 Update 11
Java 2 Runtime Environment, SE v1.4.2

at the point of uninstalling the older java I recieved this error message [attachment=3911:uninstall_error.bmp]
I recieve same message when trying to uninstall kerio

Quote

Back in Windows go ahead and install the latest version for the installer on desktop

waiting till further instructed regarding failed uninstall

will com-plete and respond to the rest of the instructions in next post

guestolo · « **Reply #15 on:** September 23, 2007, 09:12:18 PM »

Just carry on, do what you can and let me know what you couldn't accomplish afterwards

Heather · « **Reply #16 on:** September 24, 2007, 03:59:10 AM »

pv.exe;C:\Documents and Settings\Heather\Desktop\Unused Desktop Shortcuts\smitRem;Program.PrcView.3741;Moved.;
pnmi3270.dll;C:\Program Files\Common Files\Real\Update_OB;Trojan.Adshow.origin;Incurable.Moved.;
SonicLicenseManager.dll;C:\Program Files\Common Files\Sonic Shared;Trojan.DownLoader.origin;Incurable.Moved.;
Process.exe;C:\Program Files\HaxFix;Tool.Prockill;Moved.;
installmetrics.dll;C:\Program Files\HP\Temp\{3F556FFA-B0C6-404d-992B-05BB0B10849C}\setup;Adware.Ttc.origin;Moved.;
Ojbsir.exe;C:\Program Files\Sony\SonicStage;Adware.Aid.origin;Moved.;
backup-20070923-150803-593.dll;C:\Program Files\Trend Micro\HijackThis\backups;Program.PopcapLoader;Moved.;
HPFix.reg;C:\SDFix\apps;Trojan.StartPage.1505;Deleted.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Moved.;
A0035840.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP433;Tool.ShutDown.11;Moved.;
A0035841.ocx;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP433;Adware.Gdown;Moved.;
A0040234.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP436;Program.PopcapLoader;Moved.;
A0145573.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP525;Trojan.Adshow.origin;Incurable.Moved.;
A0145574.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP525;Trojan.DownLoader.origin;Incurable.Moved.;
A0145575.reg;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP525;Trojan.StartPage.1505;Deleted.;
popcaploader.dll;C:\WINDOWS\Downloaded Program Files;Program.PopcapLoader;Moved.;
process.exe;C:\WINDOWS\SYSTEM32;Tool.Prockill;Moved.;

ComboFix 07-09-21.2 - "Heather" 2007-09-24 1:46:14.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.245 [GMT -7:00]
.

((((((((((((((((((((((((( Files Created from 2007-08-24 to 2007-09-24 )))))))))))))))))))))))))))))))
.

2007-09-22 23:38   <DIR>   d--------   C:\Rustbfix
2007-09-20 22:25   <DIR>   d--------   C:\Program Files\Windows Media Connect 2
2007-09-20 22:24   <DIR>   d--------   C:\WINDOWS\SYSTEM32\LogFiles
2007-09-20 22:24   <DIR>   d--------   C:\WINDOWS\SYSTEM32\DRIVERS\UMDF
2007-09-14 00:31   <DIR>   d--------   C:\Program Files\Trend Micro
2007-09-13 23:32   76,560   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2007-09-13 22:34   <DIR>   d--------   C:\DOCUME~1\Heather\.housecall6.6
2007-09-13 21:49   <DIR>   d--------   C:\Program Files\Error Expert
2007-09-13 19:44   <DIR>   d--------   C:\KAV
2007-09-04 10:08   <DIR>   d--------   C:\Program Files\MyWebSearchWB
2007-09-04 10:08   <DIR>   d--------   C:\Program Files\AWS
2007-09-04 10:08   <DIR>   d--------   C:\DOCUME~1\Heather\APPLIC~1\WeatherBug

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-23 22:05   ---------   d--------   C:\Program Files\Common Files\Sonic Shared
2007-09-21 15:37   ---------   d--------   C:\Program Files\ewido anti-malware
2007-09-13 19:33   ---------   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-09-13 19:22   ---------   d--------   C:\Program Files\Rhapsody
2007-09-13 18:49   ---------   d--------   C:\Program Files\Real
2007-09-13 18:47   ---------   d--------   C:\DOCUME~1\Heather\APPLIC~1\Real
2007-09-08 23:59   ---------   d--------   C:\DOCUME~1\Heather\APPLIC~1\U3
2007-08-16 00:10   ---------   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\LightScribe
2007-08-13 15:18   ---------   d--------   C:\DOCUME~1\Heather\APPLIC~1\Ahead
2007-08-13 15:07   ---------   d--------   C:\Program Files\Common Files\LightScribe
2007-08-13 15:00   ---------   d--------   C:\Program Files\Common Files\Ahead
2007-08-13 14:57   ---------   d--------   C:\Program Files\Nero
2007-08-13 14:57   ---------   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
2007-08-12 06:57   ---------   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Motive
2007-08-12 06:56   ---------   d--------   C:\Program Files\Verizon
2007-07-30 19:19   92504   --a------   C:\WINDOWS\SYSTEM32\DLLCACHE\cdm.dll
2007-07-30 19:19   92504   --a------   C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-30 19:19   549720   --a------   C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-30 19:19   549720   --a------   C:\WINDOWS\SYSTEM32\DLLCACHE\wuapi.dll
2007-07-30 19:19   53080   --a------   C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-30 19:19   53080   --a------   C:\WINDOWS\SYSTEM32\DLLCACHE\wuauclt.exe
2007-07-30 19:19   43352   --a------   C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-30 19:19   325976   --a------   C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-30 19:19   325976   --a------   C:\WINDOWS\SYSTEM32\DLLCACHE\wucltui.dll
2007-07-30 19:19   271224   --a------   C:\WINDOWS\SYSTEM32\mucltui.dll
2007-07-30 19:19   207736   --a------   C:\WINDOWS\SYSTEM32\muweb.dll
2007-07-30 19:19   203096   --a------   C:\WINDOWS\SYSTEM32\wuweb.dll
2007-07-30 19:19   203096   --a------   C:\WINDOWS\SYSTEM32\DLLCACHE\wuweb.dll
2007-07-30 19:19   1712984   --a------   C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-30 19:19   1712984   --a------   C:\WINDOWS\SYSTEM32\DLLCACHE\wuaueng.dll
2007-07-30 19:18   33624   --a------   C:\WINDOWS\SYSTEM32\wups.dll
2007-07-30 19:18   33624   --a------   C:\WINDOWS\SYSTEM32\DLLCACHE\wups.dll
2007-07-18 23:59   3583488   --a------   C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-07-12 16:31   765952   --a------   C:\WINDOWS\SYSTEM32\DLLCACHE\vgx.dll
2007-06-27 07:34   823808   --a-s----   C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-06-27 07:34   671232   --a------   C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-06-27 07:34   6058496   ---------   C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-06-27 07:34   52224   ---------   C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-06-27 07:34   477696   --a------   C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-06-27 07:34   459264   ---------   C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-06-27 07:34   44544   --a------   C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
2007-06-27 07:34   384512   --a------   C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
2007-06-27 07:34   383488   ---------   C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-06-27 07:34   27648   --a------   C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-06-27 07:34   267776   ---------   C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-06-27 07:34   232960   --a------   C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
2007-06-27 07:34   230400   --a------   C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
2007-06-27 07:34   193024   --a------   C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-06-27 07:34   153088   --a------   C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
2007-06-27 07:34   132608   --a------   C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-06-27 07:34   124928   --a------   C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
2007-06-27 07:34   1152000   --a------   C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-06-27 07:34   105984   --a------   C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
2007-06-27 07:34   102400   --a------   C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
2007-06-27 01:27   63488   --a------   C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2007-06-27 01:27   625152   --a------   C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2007-06-27 01:27   13824   ---------   C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-06-27 00:00   161792   --a------   C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2007-06-26 22:10   317440   --a------   C:\WINDOWS\SYSTEM32\DLLCACHE\unregmp2.exe
2007-06-25 23:08   1104896   --a------   C:\WINDOWS\SYSTEM32\msxml3.dll
2007-06-25 23:08   1104896   --a------   C:\WINDOWS\SYSTEM32\DLLCACHE\msxml3.dll
2007-02-20 12:51   439296   --a------   C:\DOCUME~1\Heather\GoToAssist_phone__317_en.exe
2007-02-17 21:07   8   --a------   C:\DOCUME~1\Heather\APPLIC~1\usb.dat.bin
2006-02-19 04:28   12288   --a------   C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((( snapshot_2007-09-21_230848.79 )))))))))))))))))))))))))))))))))))))))))
.
-c----w 414,208 2006-10-19 04:47:16 C:\WINDOWS\$NtUninstallKB929399$\msscp.dll
-c----w 213,216 2005-06-28 17:23:26 C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe
-c----w 371,424 2005-06-28 17:23:54 C:\WINDOWS\$NtUninstallKB929399$\spuninst\updspapi.dll
-c----w 10,834,432 2006-10-19 04:47:20 C:\WINDOWS\$NtUninstallKB936782_WMP11$\wmp.dll
-c----w 213,216 2005-06-28 17:23:26 C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe
-c----w 371,424 2005-06-28 17:23:54 C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\updspapi.dll
-c----w 315,904 2006-11-02 01:31:34 C:\WINDOWS\$NtUninstallKB939683$\unregmp2.exe
-c----w 213,216 2005-06-28 17:23:26 C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe
-c----w 371,424 2005-06-28 17:23:54 C:\WINDOWS\$NtUninstallKB939683$\spuninst\updspapi.dll
----a-w 317,440 2007-06-27 05:10:26 C:\WINDOWS\INF\unregmp2.exe
----a-w 414,720 2006-12-04 23:21:50 C:\WINDOWS\SYSTEM32\msscp.dll
----a-w 10,834,944 2007-06-12 06:51:12 C:\WINDOWS\SYSTEM32\wmp.dll
----a-w 414,720 2006-12-04 23:21:50 C:\WINDOWS\SYSTEM32\DLLCACHE\msscp.dll
----a-w 10,834,944 2007-06-12 06:51:12 C:\WINDOWS\SYSTEM32\DLLCACHE\wmp.dll
.
----a-w 315,904 2006-11-02 01:31:34 C:\WINDOWS\INF\unregmp2.exe
----a-w 414,208 2006-10-19 04:47:16 C:\WINDOWS\SYSTEM32\msscp.dll
----a-w 10,834,432 2006-10-19 04:47:20 C:\WINDOWS\SYSTEM32\wmp.dll
----a-w 414,208 2006-10-19 04:47:16 C:\WINDOWS\SYSTEM32\DLLCACHE\msscp.dll
----a-w 10,834,432 2006-10-19 04:47:20 C:\WINDOWS\SYSTEM32\DLLCACHE\wmp.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 18:12]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 10:50 C:\WINDOWS\LOGI_MWX.EXE]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-01-07 02:36]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-17 00:24]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 03:41]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-03-11 14:37]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-01 15:24]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
DESKTOP.INI [2002-09-03 07:00:00]

C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 07:00:00]

C:\DOCUME~1\DEFAUL~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 07:00:00]

C:\DOCUME~1\Heather\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 07:00:00]

C:\DOCUME~1\Tim\STARTM~1\Programs\Startup\
DESKTOP.INI [2002-09-03 07:00:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)

S0 SSI;SSI;C:\WINDOWS\system32\Drivers\SSI.SYS
S1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys
S1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys
S3 VisorUsb;Handspring USB;C:\WINDOWS\system32\DRIVERS\VisorUsb.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{409de366-aeb2-11db-b001-000cf1e5dee4}]
AutoRun\command- G:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-09-20 00:13:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2004-04-17 03:57:12 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
"2007-01-02 03:58:06 C:\WINDOWS\Tasks\WebReg .job"
- C:\Program Files\HP\digital imaging\bin\hpqwrg.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-24 01:49:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-09-24 1:51:03
C:\ComboFix-quarantined-files.txt ... 2007-09-24 01:50
C:\ComboFix2.txt ... 2007-09-21 23:09
C:\ComboFix3.txt ... 2007-09-14 00:39
.
   --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:53:25 AM, on 9/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST1.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar1.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar1.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 7041 bytes

guestolo · « **Reply #17 on:** September 25, 2007, 07:46:37 AM »

I'm unsure of what steps you were able to accomplish, by the looks of the combofix log you might of been able to reinstall
Kerio
Did you? Were you then able to uninstall it?

Heather · « **Reply #18 on:** September 26, 2007, 02:48:34 PM »

no it will not uninstall or reinstall. it bog's at the end of installation with the error notice I attached a couple of posts ago. same error shows up when I try to uninstall. my computer shows it running though, I just cannot access it to turn it off or to uninstall it. very frustrating as I suspect it is what is keeping some other programs from working or updating properly.

is there some other way to get rid of it?

guestolo · « **Reply #19 on:** September 27, 2007, 10:16:09 PM »

Download Windows Install cleanup utility
from this link
msicuu2.exe

After installation, go to start>>All programs>>Windows Install Clean Up
Run the tool
Do you see the older version of Java and/or kerio in the list?

News:

Author Topic: Firewall issues (Read 2088 times)