Hi Vince,
Sorry for the delay - busy weekend.

Quote Originally Posted by ALL THUMBS:
The Rootkit Revealer utility was hanging after it finished when I asked it to save a log file. I had to ALT-CTRL-DEL to get to shutdown because it wasn't responding.
That is odd. Though, this is a "touchy" app - you pretty much need to leave the compy alone until it completely finishes.

Anyhoo, I recognize a few of the items in the screen capture:

I've seen these before and I think they are harmless --> HKLM\SECURITY\Policy\Secrets\SAC*
HKLM\SECURITY\Policy\Secrets\SAI*


This is the one belonging to Daemon Tools that I mentioned --> HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg
I do not know why this did not show in the Gmer portion of the ComboFix log or your other rootkit scans. The security community must've whitelisted it, though that would seem counter-intuitive to me . . . LOL!

I do not know what these are and they bother me a bit because of their recent appearance:
HKU\.DEFAULT\Control Panel\International
HKU\.DEFAULT\Control Panel\International\Geo
HKU\S-1-5-21-........\Control Panel\International
HKU\S-1-5-21-........\Control Panel\International\Geo
HKU\S-1-5-18\Control Panel\International
HKU\S-1-5-18\Control Panel\International\Geo


When we start getting into these, we are really pushing the limits of my expertise. I would not be the best authority to advise you on them.
I would rather see a number of different scans from, say, Sophos - AVG - F-secure Blacklight and the like which would probably do a better job of designating which are bad and which are benign....


Quote Originally Posted by ALL THUMBS:
Can I also add something which was very strange. A little GUI window had popped up when I tried to download the utility. I have never seen it before.
That is strange - I've not experienced that from Sysinternals/M$...
Could you get a screenshot of that?

Quote Originally Posted by ALL THUMBS:
Could this be a hidden trojan or someone trying to gain remote access?
Anything is possible, but I doubt that is the case there. It certainly would not ask for permission.

Quote Originally Posted by ALL THUMBS:
I did find the in the registry for the vchost.exe where you told me to look, however, I had to double-click on the submusk key to see if it was there. I did a find in that folder and it looked like it found something but it didn't show the file that I asked it to look for, hence why I double-clicked on the sub something file to see if it was there. Should I delete this key or value?
I'm not following you here - Do you mean subnet mask?

-- That whole key [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{06FAFF59-A4D6-198C-0003-050508020107}] seems out of whack to me.
I think we tried to delete it earlier and it would not go.

Go ahead and delete that registry key, if it will allow you to do so. If it turns out to be something legit and needed, we can put it back.
We do need to find that vchost.exe if it is still on your compy. It reeks of being malware.....

I'll try to put together a small batch file to try to deal with it as soon as I am able.

Sorry I can't be more help at the moment.

Best
PP
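The reply above talks about three things worth checking by hand: whether vchost.exe is still on the disk, what the Active Setup key {06FAFF59-A4D6-198C-0003-050508020107} actually contains, and whether the sptd driver from Daemon Tools is really what is sitting in the ControlSet. The PowerShell script below is an added triage example written for this thread; it is not PP's batch file or anything from Sysinternals. It only reads and reports (file hashes, signature status, running processes, the registry values under that key, the driver record) so the output can be compared against the RootkitRevealer and ComboFix logs before anything is deleted. The file name and GUID are taken from the thread; the CSV output path is my own choice, and the script assumes an elevated PowerShell 5.1 or later session.

```powershell
# Added example for the thread above, not the original poster's script.
# Assumes: run as Administrator, PowerShell 5.1+. The suspect name and the
# Active Setup GUID come from the thread; the report path is a constructed choice.

$SuspectName    = 'vchost.exe'
$ActiveSetupKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{06FAFF59-A4D6-198C-0003-050508020107}'
$ReportPath     = Join-Path $env:USERPROFILE 'Desktop\vchost-triage.csv'

# 1. Find every copy of the suspect file on fixed drives and record hash plus
#    Authenticode status. Hidden/system attributes are included via -Force.
$drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' }
$hits = foreach ($d in $drives) {
    Get-ChildItem -Path $d.Root -Filter $SuspectName -Recurse -Force -File -ErrorAction SilentlyContinue
}
$report = foreach ($f in $hits) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Path      = $f.FullName
        SizeBytes = $f.Length
        Created   = $f.CreationTime
        Modified  = $f.LastWriteTime
        SHA256    = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        Signature = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    }
}
if ($report) {
    $report | Format-Table -AutoSize
    $report | Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Host "File report written to $ReportPath"
} else {
    Write-Host "No file named $SuspectName found on fixed drives."
}

# 2. Is anything by that name running right now? CommandLine and parent PID
#    tell you what launched it, which a plain Task Manager view does not.
Write-Host "`n=== Running processes named $SuspectName ==="
Get-CimInstance Win32_Process -Filter "Name = '$SuspectName'" |
    Select-Object ProcessId, ParentProcessId, ExecutablePath, CommandLine |
    Format-List

# 3. Dump the Active Setup component the thread could not delete. StubPath is
#    the value Windows executes once per user at logon, so that is the one to read.
Write-Host "`n=== Active Setup component ==="
if (Test-Path $ActiveSetupKey) {
    Get-ItemProperty -Path $ActiveSetupKey | Select-Object * -ExcludeProperty PS* | Format-List
} else {
    Write-Host 'Key not present (already removed or never existed).'
}

# 4. Confirm the sptd entry is a registered kernel driver with a real image path,
#    which is what you would expect from Daemon Tools rather than something borrowing the name.
Write-Host "`n=== sptd driver record ==="
$drv = Get-CimInstance Win32_SystemDriver -Filter "Name = 'sptd'"
if ($drv) {
    $drv | Select-Object Name, State, StartMode, PathName | Format-List
    if ($drv.PathName -and (Test-Path $drv.PathName)) {
        Get-AuthenticodeSignature -FilePath $drv.PathName | Select-Object Status, @{n='Signer';e={$_.SignerCertificate.Subject}}
    }
} else {
    Write-Host 'No sptd driver registered.'
}
```

Run it once before deleting the Active Setup key and once after, and keep both outputs with the other scan logs: an unsigned binary in an odd location, a StubPath pointing at it, or a parent process that should not be spawning it are the details the next helper in the thread will ask for.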