OK... I have to tell you that after the first go with ComboFix, everything was good! So first of all - THANK YOU!!!
After ComboFix ran, Windows Update worked, MBAM.exe worked (without rename), and the windowsclick intercepts seem to be gone.
I did go back and redo ComboFix as requested with the input file. Here are the results. And following this are the results from Hijack...
ComboFix 09-02-25.02 - Dad 2009-02-25 22:27:20.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.469 [GMT -5:00]
Running from: c:\documents and settings\Dad\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dad\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point
* Resident AV is active
FILE ::
c:\winnt\ativpsrm.bin
c:\winnt\system32\tmp51034.FOT
c:\winnt\system32\tmpA3F24.FOT
c:\winnt\system32\uacinit.dll
.
((((((((((((((((((((((((( Files Created from 2009-01-26 to 2009-02-26 )))))))))))))))))))))))))))))))
.
2009-02-25 22:24 . 2009-02-25 22:25 <DIR> d-------- C:\32788R22FWJFW
2009-02-25 21:09 . 2009-02-25 21:09 <DIR> d-------- c:\winnt\system32\XPSViewer
2009-02-25 21:09 . 2009-02-25 21:09 <DIR> d-------- c:\program files\Reference Assemblies
2009-02-25 21:09 . 2009-02-25 21:09 <DIR> d-------- c:\program files\MSBuild
2009-02-25 21:08 . 2009-02-25 21:21 <DIR> d-------- c:\winnt\SxsCaPendDel
2009-02-25 21:08 . 2008-07-06 07:06 1,676,288 --------- c:\winnt\system32\xpssvcs.dll
2009-02-25 21:08 . 2008-07-06 07:06 1,676,288 -----c--- c:\winnt\system32\dllcache\xpssvcs.dll
2009-02-25 21:08 . 2008-07-06 05:50 597,504 -----c--- c:\winnt\system32\dllcache\printfilterpipelinesvc.exe
2009-02-25 21:08 . 2008-07-06 07:06 575,488 --------- c:\winnt\system32\xpsshhdr.dll
2009-02-25 21:08 . 2008-07-06 07:06 575,488 -----c--- c:\winnt\system32\dllcache\xpsshhdr.dll
2009-02-25 21:08 . 2008-07-06 07:06 117,760 --------- c:\winnt\system32\prntvpt.dll
2009-02-25 21:08 . 2008-07-06 07:06 89,088 -----c--- c:\winnt\system32\dllcache\filterpipelineprintproc.dll
2009-02-25 21:00 . 2009-02-25 21:00 <DIR> d-------- c:\winnt\system32\GroupPolicy
2009-02-25 21:00 . 2009-02-25 21:00 <DIR> d-------- c:\program files\Windows Desktop Search
2009-02-25 21:00 . 2009-02-25 21:00 <DIR> d-------- c:\documents and settings\Dad\Application Data\Windows Desktop Search
2009-02-25 20:59 . 2008-03-07 12:02 192,000 -----c--- c:\winnt\system32\dllcache\offfilt.dll
2009-02-25 20:59 . 2008-03-07 12:02 98,304 -----c--- c:\winnt\system32\dllcache\nlhtml.dll
2009-02-25 20:59 . 2008-03-07 12:02 29,696 -----c--- c:\winnt\system32\dllcache\mimefilt.dll
2009-02-25 19:23 . 2009-02-25 19:59 <DIR> d-------- C:\ComboFixNew
2009-02-24 22:53 . 2009-02-24 22:53 124,688 --a------ c:\winnt\system32\MSWINSCK.OCX
2009-02-24 16:15 . 2009-02-24 16:15 <DIR> d-------- c:\program files\Trend Micro
2009-02-20 23:12 . 2009-02-20 23:12 <DIR> d--hs---- c:\documents and settings\Dad\PrivacIE
2009-02-20 23:11 . 2009-02-20 23:11 <DIR> d--hs---- c:\documents and settings\Dad\IECompatCache
2009-02-20 23:10 . 2009-02-20 23:10 <DIR> d--hs---- c:\documents and settings\Dad\IETldCache
2009-02-20 23:05 . 2009-02-20 23:05 <DIR> d-------- c:\winnt\ie8updates
2009-02-20 23:00 . 2009-02-20 23:04 <DIR> d--h-c--- c:\winnt\ie8
2009-02-20 22:58 . 2009-01-11 00:00 79,360 -----c--- c:\winnt\system32\dllcache\iecompat.dll
2009-02-20 20:30 . 2009-02-21 07:14 7,680 --ahs---- c:\winnt\Thumbs.db
2009-02-10 20:18 . 2007-11-06 09:06 131,672 --a------ c:\winnt\system32\drivers\Uim_IM.sys
2009-02-10 20:18 . 2007-11-06 09:06 32,080 --a------ c:\winnt\system32\drivers\UimBus.sys
2009-02-10 20:18 . 2007-11-06 09:06 11,568 --a------ c:\winnt\system32\drivers\UimFIO.sys
2009-02-10 20:16 . 2008-10-29 20:19 4,244,744 --a------ c:\winnt\system32\qtp-mt334.dll
2009-02-10 20:16 . 2008-10-29 20:19 247,560 --a------ c:\winnt\system32\prgiso.dll
2009-02-10 20:16 . 2008-10-29 20:19 40,368 --a------ c:\winnt\system32\drivers\hotcore3.sys
2009-02-10 20:08 . 2009-02-10 20:08 <DIR> d-------- c:\winnt\$SQLUninstallSQL2000-KB960082-v8.00.2055-x86-ENU$
2009-02-10 20:06 . 2009-02-10 20:06 <DIR> d-------- c:\program files\Microsoft Silverlight
2009-02-10 20:02 . 2009-01-15 02:12 10,963,968 --a--c--- c:\winnt\system32\dllcache\ieframe.dll
2009-02-10 20:02 . 2008-12-14 17:12 3,698,040 --a--c--- c:\winnt\system32\dllcache\ieapfltr.dat
2009-02-10 20:02 . 2009-01-15 02:02 1,975,296 --a--c--- c:\winnt\system32\dllcache\iertutil.dll
2009-02-10 20:02 . 2009-01-15 02:22 1,228,800 --a--c--- c:\winnt\system32\dllcache\ieframe.dll.mui
2009-02-10 20:02 . 2009-01-15 02:02 593,920 --a--c--- c:\winnt\system32\dllcache\msfeeds.dll
2009-02-10 20:02 . 2009-01-15 01:35 445,440 --a--c--- c:\winnt\system32\dllcache\ieapfltr.dll
2009-02-10 20:02 . 2009-01-15 02:01 59,904 --a--c--- c:\winnt\system32\dllcache\icardie.dll
2009-02-10 20:02 . 2009-01-15 02:01 54,272 --a--c--- c:\winnt\system32\dllcache\msfeedsbs.dll
2009-02-10 20:02 . 2008-12-19 04:10 13,824 -----c--- c:\winnt\system32\dllcache\ieudinit.exe
2009-02-10 19:37 . 2009-02-10 19:37 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Yahoo!
2009-02-10 19:37 . 2009-02-10 19:37 <DIR> d-------- c:\documents and settings\Dad\Application Data\Yahoo!
2009-02-10 18:59 . 2009-02-10 18:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Future Systems Solutions
2009-02-08 23:06 . 2009-02-08 23:05 410,984 --a------ c:\winnt\system32\deploytk.dll
2009-02-08 22:58 . 2009-02-08 22:58 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SACore
2009-02-08 22:49 . 2009-02-25 22:30 13,483 --a------ c:\winnt\system32\Config.MPF
2009-02-08 18:51 . 2009-02-08 18:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-26 03:23 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-25 20:51 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-25 20:48 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-23 21:57 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-23 21:56 --------- d-----w c:\program files\SpywareBlaster
2009-02-11 01:21 --------- d-----w c:\program files\Yahoo!
2009-02-11 01:17 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-11 01:17 --------- d-----w c:\program files\Paragon Software
2009-02-11 00:33 --------- d-----w c:\program files\McAfee
2009-02-10 23:59 --------- d-----w c:\program files\Future Systems Solutions
2009-02-09 04:05 --------- d-----w c:\program files\Java
2009-01-26 00:47 --------- d-----w c:\program files\Roxio
2009-01-26 00:43 --------- d-----w c:\documents and settings\Dad\Application Data\Roxio
2009-01-15 07:05 911,872 ----a-w c:\winnt\system32\wininet.dll
2009-01-15 07:05 43,008 ----a-w c:\winnt\system32\licmgr10.dll
2009-01-15 07:04 18,944 ----a-w c:\winnt\system32\corpol.dll
2009-01-15 07:03 72,704 ----a-w c:\winnt\system32\admparse.dll
2009-01-15 07:03 71,680 ----a-w c:\winnt\system32\iesetup.dll
2009-01-15 07:03 420,352 ----a-w c:\winnt\system32\vbscript.dll
2009-01-15 07:01 34,304 ----a-w c:\winnt\system32\imgutil.dll
2009-01-15 07:00 48,128 ----a-w c:\winnt\system32\mshtmler.dll
2009-01-15 07:00 45,568 ----a-w c:\winnt\system32\mshta.exe
2009-01-15 06:50 156,160 ----a-w c:\winnt\system32\msls31.dll
2009-01-09 17:03 79,304 ----a-w c:\winnt\system32\drivers\mfeavfk.sys
2009-01-09 17:03 40,552 ----a-w c:\winnt\system32\drivers\mfesmfk.sys
2009-01-09 17:03 35,272 ----a-w c:\winnt\system32\drivers\mfebopk.sys
2009-01-09 17:03 34,216 ----a-w c:\winnt\system32\drivers\mferkdk.sys
2009-01-09 17:03 213,640 ----a-w c:\winnt\system32\drivers\mfehidk.sys
2008-12-02 21:01 47,598 ----a-w c:\winnt\system32\foamhazbea.exe
2007-02-10 19:18 284 ----a-w c:\documents and settings\Dad\Application Data\ViewerApp.dat
2005-03-21 04:34 750 ----a-w c:\documents and settings\vgcwjs\DMOrganizer.dat
2005-01-06 00:03 2,449,408 ----a-w c:\documents and settings\Dad\gosetup.exe
.
((((((((((((((((((((((((((((( SnapShot_2009-02-25_21.57.17.23 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-09-29 07:14:16 499,712 ----a-w c:\winnt\system32\ati2cqag.dll
+ 2008-04-14 01:11:50 229,376 ----a-w c:\winnt\system32\ati2cqag.dll
- 2007-09-29 08:06:18 268,800 ------w c:\winnt\system32\ati2dvag.dll
+ 2008-04-14 01:11:50 201,728 ----a-w c:\winnt\system32\ati2dvag.dll
- 2004-01-21 00:04:20 869,408 ----a-w c:\winnt\system32\ati3d1ag.dll
+ 2008-04-14 01:11:50 870,784 ----a-w c:\winnt\system32\ati3d1ag.dll
- 2007-09-29 07:47:28 3,130,720 ------w c:\winnt\system32\ati3duag.dll
+ 2008-04-14 01:11:50 1,888,992 ----a-w c:\winnt\system32\ati3duag.dll
- 2007-09-29 07:36:26 1,593,600 ------w c:\winnt\system32\ativvaxx.dll
+ 2008-04-14 01:11:50 516,768 ----a-w c:\winnt\system32\ativvaxx.dll
- 2004-01-21 00:48:08 669,696 ----a-w c:\winnt\system32\drivers\ati2mtag.sys
+ 2004-08-04 06:29:26 701,440 ----a-w c:\winnt\system32\drivers\ati2mtag.sys
+ 2009-02-26 03:15:15 16,384 ----atw c:\winnt\Temp\Perflib_Perfdata_6fc.dat
+ 2009-02-26 03:20:13 16,384 ----atw c:\winnt\Temp\Perflib_Perfdata_714.dat
+ 2009-02-26 03:15:27 16,384 ----atw c:\winnt\Temp\Perflib_Perfdata_b44.dat
+ 2009-02-26 03:15:30 16,384 ----atw c:\winnt\Temp\Perflib_Perfdata_bac.dat
+ 2009-02-26 03:16:02 16,384 ----atw c:\winnt\Temp\Perflib_Perfdata_d60.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2008-04-13 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-08 136600]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-12-01 228088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-05-25 98304]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-08 645328]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2007-01-12 249904]
"Gateway Ink Monitor"="c:\program files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe" [2003-11-05 303180]
"EPSON Stylus Photo RX500"="c:\winnt\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE" [2003-06-01 99840]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-08-12 335872]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"CTHelper"="CTHELPER.EXE" [2007-04-09 c:\winnt\system32\CtHelper.exe]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 c:\winnt\system32\Ati2mdxx.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]
"SetDefaultMIDI"="MIDIDef.exe" [2002-12-03 c:\winnt\mididef.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\winnt\system32\tscupgrd.exe" [2004-08-04 44544]
"SetDefaultMidi"="MIDIDEF.EXE" [2002-12-03 c:\winnt\mididef.exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 73728]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2007-01-12 17:45 10800 c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm
"VIDC.MJPG"= Pvmjpg30.dll
"VIDC.PIM1"= pclepim1.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINNT\\system32\\mmc.exe"=
"c:\\WINNT\\system32\\ftp.exe"=
"c:\\Program Files\\Cerberus\\Cerberus.exe"=
"c:\\Program Files\\Citrix\\GoToMyPC\\g2svc.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"c:\\Program Files\\Roxio\\Digital Home 9\\RoxioUpnpService9.exe"=
"c:\\Program Files\\Common Files\\Roxio Shared\\9.0\\SharedCOM\\RoxWatchTray9.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\\Program Files\\McAfee\\VirusScan\\mcvsmap.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:@xpsp2res.dll,-22010
"3540:UDP"= 3540:UDP:@xpsp2res.dll,-22011
"1900:UDP"= 1900:UDP:@xpsp2res.dll,-22007
"110:TCP"= 110:TCP:216.150.205.170/255.255.255.255:Enabled:Incoming POP3
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
R0 hotcore3;hotcore3;c:\winnt\system32\drivers\hotcore3.sys [2009-02-10 40368]
R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\winnt\system32\drivers\SI3112r.sys [2007-01-06 116264]
R2 Cerberus FTP Server;Cerberus FTP Server;c:\program files\Cerberus\Cerberus.exe -Service --> c:\program files\Cerberus\Cerberus.exe -Service [?]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-02-08 206096]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S1 mpee;mpee;c:\winnt\system32\drivers\mpee.sys --> c:\winnt\system32\drivers\mpee.sys [?]
S3 AVC2310F;AVC-2310/AVC-2210 USB Loader;c:\winnt\system32\drivers\avcuwfl.sys [2005-03-25 18644]
S3 AvcUWilo;Adaptec AVC-2210/2310 USB Device;c:\winnt\system32\drivers\avcuwilo.sys [2005-03-25 51166]
S3 IRNVPN;Indus River Networks VPN Adapter;c:\winnt\system32\DRIVERS\irndis.sys --> c:\winnt\system32\DRIVERS\irndis.sys [?]
S3 wg121;NETGEAR WG121 802.11g Wireless USB2.0 Adapter;c:\winnt\system32\DRIVERS\wg121nd5.sys --> c:\winnt\system32\DRIVERS\wg121nd5.sys [?]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\viewsonic.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\winnt\system32\rundll32.exe" "c:\winnt\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-02-15 c:\winnt\Tasks\McDefragTask.job
- c:\winnt\system32\defrag.exe [2008-04-13 19:12]
2009-02-01 c:\winnt\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2009-01-09 10:53]
2009-02-26 c:\winnt\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
2009-02-25 c:\winnt\Tasks\{59C6ECB4-91B3-4204-992A-3E1FC2F23B58}_OFFICE_vgcwjs.job
- c:\winnt\system32\mobsync.exe [2008-04-13 19:12]
2009-02-26 c:\winnt\Tasks\{B6F45A8B-1CDD-473E-AC0E-E3C9073663E9}_OFFICE_vgcwjs.job
- c:\winnt\system32\mobsync.exe [2008-04-13 19:12]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: microsoft.com\download.windowsupdate
Trusted Zone: microsoft.com\update
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-02-25 22:30:47
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINNT\\system32\\OLE32.DLL"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINNT\\system32\\OLE32.DLL"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINNT\\system32\\OLE32.DLL"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINNT\\system32\\OLE32.DLL"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINNT\\system32\\OLE32.DLL"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINNT\\system32\\OLE32.DLL"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINNT\\system32\\OLE32.DLL"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINNT\\system32\\OLE32.DLL"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINNT\\system32\\OLE32.DLL"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINNT\\system32\\OLE32.DLL"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINNT\\system32\\OLE32.DLL"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINNT\\system32\\OLE32.DLL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(860)
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
.
Completion time: 2009-02-25 22:33:27
ComboFix-quarantined-files.txt 2009-02-26 03:33:03
ComboFix2.txt 2009-02-26 02:59:26
ComboFix3.txt 2009-02-26 00:58:53
Pre-Run: 2,672,599,040 bytes free
Post-Run: 2,641,661,952 bytes free
344 --- E O F --- 2009-02-24 04:24:51
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:40:02 PM, on 2/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINNT\system32\bgsvcgen.exe
C:\Program Files\Cerberus\Cerberus.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\SearchIndexer.exe
C:\Program Files\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINNT\system32\SearchProtocolHost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\S-1-5-18\..\Run: [SetDefaultMIDI] MIDIDef.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [SetDefaultMIDI] MIDIDef.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'Default user')
O4 - Startup: Sonic INSTALLit! Setup.lnk = Dad\Local Settings\Temp\VIES5DFD\setup.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin6.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINNT\system32\bgsvcgen.exe
O23 - Service: Cerberus FTP Server - Grant Averett - C:\Program Files\Cerberus\Cerberus.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - C:\Program Files\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
--
End of file - 11784 bytes