Computer Security & Viruses/inability to install zone alarm security
Expert: Brian Benosky - 2/24/2008
QUESTION: Dear Brian
If I give you a question sent a few months ago and answered by Carolyn Meinel (currently on holiday) it will give you the background.
Question:
"Hi I'm a 63-year old retired school teacher in the UK not really computer literate. It seems to me that the security on my computer is overactive.....or something. I have Windows XP, a CA Security Centre, Windows Defender and a British Telecom device that operates when my computer opens. I am unable to establish a desktop connection with my BT Yahoo email account and other frequently used websites - banks, etc., but each time have to get to them through Google search. Even browsing them won't give me a connection. Also the Google menus don't respond to me. I have set the 'admit Cookies' at medium, the lowest possible. Apologies for what are probably neanderthal statements.
Answer:
Many people have been having problems just like yours when running CA Security Centre. So don't feel bad about your question -- you aren't a "Neanderthal."
Try this: click Control Panel --> add/remove programs --> CA Internet Security Suite. It will offer the option of just removing the firewall. Go ahead and uninstall the firewall but be certain that you have the Windows XP firewall enabled.
If this solves your problem, then I suggest that you install a firewall that is easier to use, as the Windows XP firewall isn't very good. I use Zone Alarm (zonelabs.com), which has an option that makes it easy for novices to use."
Subsequent to Carolyn's response I paid for a Zone Alarm rental for a year (expiry October 2008)
The virus protection part of this does not appear to be functioning. When I try to get through to Zone Alarm in any capacity I come up against a wall - it tells me that I need to disable the true vector service. I'm sorry - I'm just as much a novice as I was six months ago, and I cannot fathom this.
Also as soon as I open up the computer, also when I click on Zone Alarm Security or Zone Alarm Security Tutorial a message appears that 'this application has failed to start because VSPUBAPl.dll was not found, Re-installing the application may fix this problem.' But I can't re-install - or don't know how to. And now I have popups I don't want - some of them downright salacious - and today I had one internet security firm that 'popped up' and told me that my computer is running slow - true - and said they would test for viruses. I clicked on to allow this and they told me I had 12 viruses and they said they would deal with them, if I activated further, but Microsoft Explorer advised me not to enter this unknown territory.
I'm really sorry to trouble you in this matter but I'm getting quite anxious. Can you suggest a way I can directly contact zone alarm or take some action myself with the computer.
As I originally said to Carolyn, I'm a novice - maybe I've moved from Neanderthal to the Bronze Age in computer acumen.
Thanks in advance for anything you can suggest
Christine Petter
Isle of Wight
England
www.islandenglish.com
ANSWER: Hello Christine
Let's see if we can't get you out of the Dark Ages and into the Renaissance. You seem to have a few separate problems here which are combining to cause a big headache. As Carolyn stated, removing CA Firewall in favor of Zone Alarm Firewall is a smart choice. However, when you installed the Zone Alarm's full suite with antivirus, you should have also removed the remainder of CA Security Centre. Zone Alarm Security is possibly running into a conflict with CA Security Centre (two antivirus programs should never be installed at the same time). If you have not removed the entire CA program, please do so by following Start>Control Panel>Add/Remove Programs>CA Security Centre.
The pop-ups you are experiencing are a consequence of not having a fully working protection program. You may have some malware inadvertently installed during the course of normal web browsing. There is a strict rule if you want your computer to remain healthy...NEVER click on a pop-up. Trust me, these pop-ups will only get worse.
Now then, please follow my directions so that we may lift your computer from its own Dark Ages.
Please download TrendMicro HijackThis! from the following link:
http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe
* Save HJTInstall.exe to your desktop.
* Double-click on the HJTInstall.exe icon on your desktop.
* By default it will install to C:\Program Files\Trend Micro\HijackThis.
* Click on Install.
* It will create a HijackThis icon on the desktop.
* Once installed, it will launch HijackThis.
* Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
* Click on "Edit > Select All" then click on "Edit > Copy" and Paste the entire contents of the log (no attachments) into a follow up here.
I will analyze the results of this HJT log, which basically tells me the running processes on your computer, and advise you further on what actions to take.
Brian
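Brian says he will read the HijackThis log for the running processes and the coded entries. As an added example (not part of this thread, and not a HijackThis feature), the following Python script parses a log in the HijackThis v2 layout that appears later in the thread and pulls out the lines a reviewer checks first: O23 services with no publisher or a missing binary, O4 Run values that name only a bare file, startup shortcuts the tool could not resolve, and the O17 name servers. The sample log is constructed (a few lines modelled on the posted format), and the function names and triage rules are my own choices.

```python
import re
from collections import defaultdict

# Constructed sample in the HijackThis v2 log layout: a handful of lines
# modelled on the format of the log posted in this thread, not a full log.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:09:26, on 24/02/2008
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\GS30s.exe

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3CBEE119-3960-4AFA-87BD-AB809561695F}: NameServer = 194.72.0.98 194.72.9.38
O23 - Service: BT Modem Lock - Unknown owner - C:\Program Files\BT Yahoo! Internet\ModemLock.exe (file missing)
O23 - Service: GS30s - Unknown owner - C:\WINDOWS\SYSTEM32\GS30s.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
--
End of file - 1234 bytes
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
RUN_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^Global Startup: (?P<name>.+?) = (?P<target>.*)$")
NS_RE = re.compile(r"NameServer = (?P<servers>.+)$")


def parse_hjt(text):
    """Split a log into header lines, running processes and coded entries
    (O4, O23, ...). A line matching no entry pattern once entries have
    started is a continuation of the previous entry, which rejoins URLs
    that were wrapped onto a new line when the log was pasted."""
    header, processes, entries = [], [], defaultdict(list)
    state, last = "header", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            state = "processes"
            continue
        m = ENTRY_RE.match(line)
        if m:
            state, last = "entries", m.group("code")
            entries[last].append(m.group("body"))
        elif state == "header":
            header.append(line)
        elif state == "processes":
            processes.append(line)
        elif line == "--" or line.startswith("End of file"):
            state = "done"
        elif state == "entries":
            entries[last][-1] += " " + line
    return {"header": header, "processes": processes, "entries": dict(entries)}


def triage(parsed):
    """Findings a reviewer checks first: services with no publisher or a
    missing binary, Run values that name a bare file, startup shortcuts the
    tool could not resolve, and the DNS servers the adapter is using."""
    findings = []
    for body in parsed["entries"].get("O23", []):
        m = SERVICE_RE.match(body)
        if not m:
            continue
        reasons = []
        if m.group("owner") == "Unknown owner":
            reasons.append("no publisher")
        if "(file missing)" in m.group("path"):
            reasons.append("binary missing")
        if reasons:
            findings.append(("O23", m.group("name"), ", ".join(reasons)))
    for body in parsed["entries"].get("O4", []):
        m = RUN_RE.match(body)
        if m:
            # A bare file name is located through the loader's search order,
            # so which file actually runs is worth confirming.
            if not re.search(r"[A-Za-z]:\\|%[A-Za-z]+%", m.group("cmd")):
                findings.append(("O4", m.group("name"), "relative path in Run value"))
            continue
        m = STARTUP_RE.match(body)
        if m and m.group("target") == "?":
            findings.append(("O4", m.group("name"), "unresolved shortcut target"))
    for body in parsed["entries"].get("O17", []):
        m = NS_RE.search(body)
        if m:
            findings.append(("O17", m.group("servers"), "confirm these resolvers are your ISP's"))
    return findings


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print(f"{len(parsed['processes'])} processes, "
          f"{sum(len(v) for v in parsed['entries'].values())} entries")
    for code, subject, reason in triage(parsed):
        print(f"{code:<4}{subject}: {reason}")
```

Run on a pasted log, the script does what a reviewer does by hand: the O23 lines with "Unknown owner" or "(file missing)" surface at the top, a Run value such as Logi_MwX.Exe is flagged because it is resolved through the search path rather than by an absolute path, and the name servers are listed so they can be compared against what the ISP is expected to hand out. None of these findings is a verdict on its own; they mark what to look up before deciding whether an entry is legitimate.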
---------- FOLLOW-UP ----------
QUESTION: Dear Brian
Further to my earlier message, I realised that I did not move the incurable files, so the following is an up-to-date webdr report.
afvqqvce.dll;C:\WINDOWS\SYSTEM32;Trojan.Virtumod.269;Deleted.;
nGpxx011065.exe;C:\WINDOWS\SYSTEM32\nGpxx01;Trojan.DownLoader.24715;Deleted.;
wavvsnet[1].exe;C:\Documents and Settings\Christine Petters\Local Settings\Temporary Internet Files\Content.IE5\E3Q723LO;Trojan.DownLoader.47332;Deleted.;
yazzsnet.exe;C:\Documents and Settings\Christine Petters\Local Settings\Temp;Adware.ClickSpring;Incurable.Moved.;
yazzsnet[1].exe;C:\Documents and Settings\Christine Petters\Local Settings\Temporary Internet Files\Content.IE5\P8YU3BMH;Adware.ClickSpring;Incurable.Moved.;
Also, on completion of everything I re-booted. Opening up was very much faster and no impertinent pop ups, but when I tried to get into Zone Alarm, the following message appeared and prevented me: 'this application has failed to start because VSPUBAPl.dll was not found, Re-installing the application may fix this problem'
Thanks in advance
Christine
ANSWER: Please see previous response.
---------- FOLLOW-UP ----------
QUESTION: Hi Brian
I am responding to the reply before your above last one. The aforementioned seems to have disappeared from my computer but I had a word pasted copy. When I went into combofix.exe, as you indicated, Windows warned it was unknown territory, but I went ahead. Combo then warned, but I authorised it also to go ahead and they said it might take ten minutes. After being in the kitchen, I came back and everything had disappeared from the screen. After jiggling all the knobs and buttons to no avail, I switched the computer off. When it came on again the combofix log eventually appeared which I copied and pasted. But when I tried to contact you through the link on your last email it wouldn't let me. Message appeared: locate link browser. I then pasted your address on to the internet page and here I am. All very convoluted - I don't know if the process has significance for you.
Anyhow, copies of both logs requested follow
I started with you at 7 this morning and it's now approaching 7 in the evening. It's getting to be quite a heavy relationship but quite fascinating in its own way!
All the best
Christine
ComboFix 08-02-24.4 - Christine Petters 2008-02-24 17:23:38.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.133 [GMT 0:00]
Running from: C:\Documents and Settings\Christine Petters\Local Settings\Temporary Internet Files\Content.IE5\SMG82URU\ComboFix[1].exe
* Created a new restore point
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Temp\isgTi19
C:\WINDOWS\cookies.ini
C:\WINDOWS\SYSTEM32\aayfsrnb.ini
C:\WINDOWS\SYSTEM32\bebkwqtr.ini
C:\WINDOWS\system32\bpbewumu.dll
C:\WINDOWS\system32\cbxyaay.dll
C:\WINDOWS\SYSTEM32\ddeeg.ini
C:\WINDOWS\SYSTEM32\ddeeg.ini2
C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\krdfagmk.dll
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pmnmkhi.dll
C:\WINDOWS\SYSTEM32\rdlrreuu.ini
C:\WINDOWS\system32\rjhydqty.dll
C:\WINDOWS\SYSTEM32\umuwebpb.ini
C:\WINDOWS\system32\uuerrldr.dll
.
((((((((((((((((((((((((( Files Created from 2008-01-24 to 2008-02-24 )))))))))))))))))))))))))))))))
.
2008-02-24 07:38 . 2008-02-24 09:49 <DIR> d-------- C:\Documents and Settings\Christine Petters\DoctorWeb
2008-02-23 22:01 . 2008-02-23 22:01 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-23 06:42 . 2008-02-23 06:42 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-02-23 06:28 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2008-02-23 06:28 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui
2008-02-22 12:20 . 2008-02-22 12:20 <DIR> d--h----- C:\WINDOWS\SYSTEM32\GroupPolicy
2008-02-21 10:52 . 2008-02-24 17:24 <DIR> d-------- C:\Temp
2008-02-07 14:53 . 2008-02-07 14:53 279 --a------ C:\Shortcut to Local Disk (C).lnk
2008-02-07 14:47 . 2008-02-07 14:53 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-02-06 20:47 . 2008-02-06 20:47 557,056 --a------ C:\Documents and Settings\Christine Petters\GoToAssist_phone__319_en.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-24 17:44 7,166,240 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-24 17:38 97,004 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-24 17:38 2,967,040 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2008-02-24 10:02 150,016 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2008-02-24 07:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-23 23:20 1,543,168 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-02-22 12:37 2,679,296 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-02-21 16:05 --------- d-----w C:\Documents and Settings\Christine Petters\Application Data\MailFrontier
2008-02-21 16:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-02-13 07:09 1,246,451 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-02-07 22:55 2,699,264 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2007-12-18 07:42 2,714,624 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2007-12-12 07:10 2,791,936 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2007-11-26 07:42 2,750,464 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2007-11-26 07:42 2,655,232 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2007-11-20 13:42 61,480 ----a-w C:\Documents and Settings\Christine Petters\GoToAssistDownloadHelper.exe
2007-11-14 07:19 2,658,304 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2005-05-11 22:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-30 17:35 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-11-03 12:46 4800512]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 16:48 32881]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 19:12 221184]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 09:27 28672]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 10:38 866816]
"BTModemProtection"="BTModemProtection.lnk" [2005-05-31 12:29 1573 C:\WINDOWS\SYSTEM32\BTModemProtection.lnk]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 16:19 129536]
"NewsPoint"="C:\Program Files\Consenda\NewsPoint\Bin\NewsPointLauncher.exe" [ ]
"HPHUPD08"="C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 16:35 49152]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 22:12 49152]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 09:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-01 09:01 53248]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2003-10-01 09:01 114688]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-29 13:03 180269]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 15:14 919016]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-08-31 09:19:27 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
BT Yahoo! Help.lnk - C:\Program Files\BT Yahoo\BT Yahoo Help\bin\matcli.exe [2004-07-20 17:16:54 217088]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 22:23:26 282624]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-11 23:49:24 73728]
LUMIX Simple Viewer.lnk - C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2005-10-01 18:30:01 61440]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan]
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Yahoo!\\browser\\ybrowser.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
R2 GS30d;GS30d;C:\WINDOWS\system32\Drivers\GS30d.sys [2005-11-01 13:27]
R3 ModemProtection;ModemProtection;C:\WINDOWS\System32\ModemProtection.sys [2005-05-15 14:52]
S3 WLAN(WLAN);802.11b+g USB Wireless LAN Adapter Driver(WLAN);C:\WINDOWS\system32\DRIVERS\zd1211u.sys [2004-08-06 12:54]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f560abb6-4ad5-11da-a200-0090d0e0f4f1}]
\Shell\AutoRun\command - F:\GizmoSecure\Windows\GizmoSecure30.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-02-24 17:45:53 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-02-24 17:43:55
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\GS30s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\SYSTEM32\BTModemProtection.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\BT Yahoo\BT Yahoo Help\bin\mpbtn.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
.
**************************************************************************
.
Completion time: 2008-02-24 17:46:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-24 17:46:53
.
2008-02-23 06:43:04 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:09:26, on 24/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\GS30s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\SYSTEM32\BTModemProtection.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\Program Files\BT Yahoo\BT Yahoo Help\bin\mpbtn.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.google.co.uk/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.sear
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [BTModemProtection] BTModemProtection.lnk
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [NewsPoint] "C:\Program Files\Consenda\NewsPoint\Bin\NewsPointLauncher.exe"
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BT Yahoo! Help.lnk = C:\Program Files\BT Yahoo\BT Yahoo Help\bin\matcli.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: LUMIX Simple Viewer.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=
http://bt.yahoo.com
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muwe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DBFECB3F-B78F-442E-AE46-4952E6F17545} (Bonusprint Image Uploader Version 3.5) -
http://webalbum.bonusprint.com/ukipc01/downloads//ImageUploader3.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) -
http://register.btinternet.com/templates/btwebcontrol023.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3CBEE119-3960-4AFA-87BD-AB809561695F}: NameServer = 194.72.0.98 194.72.9.38
O17 - HKLM\System\CS1\Services\Tcpip\..\{3CBEE119-3960-4AFA-87BD-AB809561695F}: NameServer = 194.72.0.98 194.72.9.38
O17 - HKLM\System\CS2\Services\Tcpip\..\{3CBEE119-3960-4AFA-87BD-AB809561695F}: NameServer = 194.72.0.98 194.72.9.38
O23 - Service: BT Modem Lock - Unknown owner - C:\Program Files\BT Yahoo! Internet\ModemLock.exe (file missing)
O23 - Service: GS30s - Unknown owner - C:\WINDOWS\SYSTEM32\GS30s.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
--
End of file - 10341 bytes
ANSWER: Good Evening Christine
It seems as if your computer did not want to release hold of the malware, but ComboFix did finally delete the suspect file. The rest of the log file looks clean as well, so we can call your computer cured of malware.
As for your error when you clicked on the link, open Internet Explorer and then go to the Tools dropdown. Choose Internet Options and click on the Programs tab. Check to make sure that your Email Program is listed as the default. Also, under Default Web Browser click the button marked Make Default. Hopefully that will fix the broken links.
Finally, on to Zone Alarm. You will need to make sure that you have your registration number which you used to activate the program. Then uninstall Zone Alarm in Add/Remove Programs. Restart, then reinstall the program. The error should clear up now.
A final query for you. Did you say that you had the Zone Alarm Suite with Antivirus? I ask you this because I do not see an antivirus installed. This may be due to the program not being fully installed in the first place. I just want to make sure that you are fully secured before going back on line normally.
Brian