KOOBFACE Virus [RESOLVED], Search results redirected |
Dec 5 2008, 11:29 AM, Post #1
Member - Posts: 22 - From: Florida - OS: XP
I have run Spyware removals and McAfee AV but haven't been able to kick it.
I ran HijackThis and I am including the logs as I have no idea what to do from here. This is bittersweet, as if this had never happened I would not have found out about GEEKSTOGO. Thanks in advance for your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:10:01 PM, on 12/5/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\system32\QosServM.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\AT&T Global Network Client\netcfgsvr.exe
C:\Program Files\tinyproxy\tinyproxy.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\TpKmpSVC.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Tom.IBM-C0E8620BCD8\Application Data\Smilebox\SmileboxTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9090
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: 351631 helper - {6A26574A-DD6D-4382-8C76-0DF06C478D3A} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: AvayaIEHlprObj Class - {E6DF0B46-7D6F-407A-A6A2-62D17A021A9A} - C:\Program Files\Avaya\Avaya IP Softphone\AvayaWebDial.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [PWRESET] C:\Program Files\Avaya\Avaya IP Softphone\IP Service Provider\pwreset.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [NetSP - restore settings on power failure] "C:\Program Files\AT&T Global Network Client\NetSP.exe" -show
O4 - HKCU\..\Run: [SmileboxTray] "C:\Documents and Settings\Tom.IBM-C0E8620BCD8\Application Data\Smilebox\SmileboxTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1226638402580
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: iClarityQoSService - AVAYA Communication - C:\WINDOWS\system32\QosServM.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Network Configuration Service (netcfgsvr) - AT&T - C:\Program Files\AT&T Global Network Client\netcfgsvr.exe
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\Program Files\tinyproxy\tinyproxy.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

--
End of file - 9753 bytes

This post has been edited by torr_tom: Dec 5 2008, 12:30 PM
Dec 5 2008, 05:46 PM, Post #2
Malware Expert - Posts: 5,489 - From: Belgium - OS: XP Home, XP Pro, Vista
Hi,
* Please visit this webpage for instructions for downloading and running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

In case you lost internet access after performing the above instructions:
In IE: Tools Menu -> Internet Options -> Connections Tab -> Lan Settings -> uncheck "use a proxy server", or reconfigure the proxy server again in case you have set it previously.
In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection.
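As an added example (this is not code from the thread, from HijackThis, or from GeeksToGo), the following Python script triages HijackThis-style lines for the three things visible in post #1 that the helper's proxy advice and the later cleanup deal with: the HKCU ProxyServer value pointing at the local machine (the "use a proxy server" box the helper tells the poster to uncheck), the BHO registered with "(no file)", and a service carrying the name of the Windows "Protected Storage" service while running from Program Files\tinyproxy. The SAMPLE_LOG is a constructed excerpt modelled on the posted log; the rule names, the BUILTIN_SERVICE_NAMES list, the regular expressions and the Finding type are my own assumptions and not part of any tool's output format guarantee.

```python
"""Triage of HijackThis-style log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed excerpt modelled on the HijackThis log in post #1 above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9090
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: 351631 helper - {6A26574A-DD6D-4382-8C76-0DF06C478D3A} - (no file)
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\Program Files\tinyproxy\tinyproxy.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
"""

# Hand-written patterns for the three HijackThis line shapes this script reads
# (an assumption about the log layout, derived from the lines in the post).
PROXY_RE = re.compile(r"^R1 - HK\w+\\.*Internet Settings,ProxyServer = (?P<value>.+)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - (?P<owner>.+?) - (?P<path>.+)$"
)

# Display/short names of services that ship with Windows and live under %SystemRoot%.
# Constructed, deliberately short list for this example; extend it for real use.
BUILTIN_SERVICE_NAMES = {
    "protected storage", "protectedstorage",
    "remote procedure call (rpc)", "rpcss",
    "workstation", "lanmanworkstation",
    "windows management instrumentation", "winmgmt",
}
WINDOWS_DIR_PREFIXES = ("c:\\windows\\", "%systemroot%\\", "%windir%\\")
LOOPBACK_PREFIXES = ("127.", "localhost", "[::1]", "0.0.0.0")


@dataclass
class Finding:
    rule: str
    detail: str
    line: str


def parse_proxy_server(value: str) -> Dict[str, str]:
    """Parse a WinINet ProxyServer value into {scheme: "host:port"}.

    WinINet accepts a bare "host:port" (applied to every scheme, keyed "*" here)
    or a ';'-separated list of "scheme=host:port" pairs such as "http=127.0.0.1:9090".
    """
    proxies: Dict[str, str] = {}
    for part in (p.strip() for p in value.split(";")):
        if not part:
            continue
        scheme, sep, target = part.partition("=")
        proxies[scheme.lower() if sep else "*"] = target if sep else part
    return proxies


def is_loopback(target: str) -> bool:
    """True when a "host:port" target points back at the local machine."""
    host = target.rsplit(":", 1)[0].strip().lower()
    return host.startswith(LOOPBACK_PREFIXES)


def under_windows_dir(path: str) -> bool:
    return path.strip().strip('"').lower().startswith(WINDOWS_DIR_PREFIXES)


def triage(log_text: str) -> List[Finding]:
    """Run the three rules over every line and return findings in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROXY_RE.match(line)
        if m:
            local = [t for t in parse_proxy_server(m["value"]).values() if is_loopback(t)]
            if local:
                findings.append(Finding("local-proxy",
                    f"browser traffic is routed through a proxy on this machine ({local[0]}); "
                    "identify which process listens there", line))
            continue
        m = BHO_RE.match(line)
        if m:
            if m["path"].strip().lower() == "(no file)":
                findings.append(Finding("orphan-bho",
                    f"BHO '{m['name']}' ({m['clsid']}) is registered but its DLL is gone", line))
            continue
        m = SERVICE_RE.match(line)
        if m:
            names = {m["display"].lower(), (m["short"] or "").lower()}
            if names & BUILTIN_SERVICE_NAMES and not under_windows_dir(m["path"]):
                findings.append(Finding("service-name-spoof",
                    f"service named like a Windows built-in runs from {m['path']}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.detail}\n    {f.line}")
```

Run on the constructed excerpt it reports exactly three findings, in log order: the loopback proxy, the orphaned BHO, and the service-name spoof. The proxy rule is deliberately narrow (loopback targets only), since a corporate proxy on a real host is normal; the service rule only fires when a built-in name is paired with a binary outside the Windows directory, which is what separates the tinyproxy entry from the legitimate McAfee and ATI services on the same list.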
Dec 6 2008, 07:40 AM, Post #3
Member - Posts: 22 - From: Florida - OS: XP
Thanks for your help!! Here are the logs you requested.
ComboFix:

ComboFix 08-12-05.06 - Tom 2008-12-06 8:17:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.220 [GMT -5:00]
Running from: c:\downloads\ComboFix.exe
* Created a new restore point
* Resident AV is active
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\TinyProxy
c:\program files\tinyproxy\tinyproxy.exe
c:\windows\fmark2.dat
c:\windows\system32\351631
c:\windows\system32\351631\351631.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PROTECTED_STORAGE_(PROTECTEDSTORAGE)_
-------\Service_Protected Storage (ProtectedStorage)

((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.

2008-12-05 16:12 . 2008-12-05 16:12 <DIR> d-------- c:\documents and settings\Tom.IBM-C0E8620BCD8\.jpi_cache
2008-12-05 16:12 . 2008-12-05 16:12 <DIR> d-------- c:\documents and settings\Tom.IBM-C0E8620BCD8\.java
2008-12-05 10:53 . 2008-12-05 10:53 <DIR> d-------- c:\program files\Trend Micro
2008-12-05 08:39 . 2008-12-05 08:44 1,374 --a------ c:\windows\imsins.BAK
2008-12-05 08:36 . 2008-10-03 12:41 6,066,176 --------- c:\windows\system32\dllcache\ieframe.dll
2008-12-05 08:36 . 2008-08-26 02:24 459,264 --------- c:\windows\system32\dllcache\msfeeds.dll
2008-12-05 08:36 . 2008-08-26 02:24 383,488 --------- c:\windows\system32\dllcache\ieapfltr.dll
2008-12-05 08:36 . 2008-08-26 02:24 267,776 --------- c:\windows\system32\dllcache\iertutil.dll
2008-12-05 08:36 . 2008-08-26 02:24 63,488 --------- c:\windows\system32\dllcache\icardie.dll
2008-12-05 08:36 . 2008-08-26 02:24 52,224 --------- c:\windows\system32\dllcache\msfeedsbs.dll
2008-12-05 08:36 . 2008-08-25 03:38 13,824 --------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-04 23:36 . 2008-12-05 09:02 <DIR> d-------- c:\program files\Yahoo!
2008-12-04 23:36 . 2008-12-04 23:36 <DIR> d-------- c:\program files\CCleaner
2008-12-04 11:09 . 2008-12-04 15:53 1 ---h----- c:\windows\f49f4daa.dat
2008-12-01 22:01 . 2008-12-01 22:01 <DIR> d-------- c:\documents and settings\Annette.IBM-C0E8620BCD8\Application Data\IBM
2008-12-01 08:58 . 2008-12-01 08:58 <DIR> d-------- c:\program files\Smilebox
2008-12-01 08:56 . 2008-12-04 23:24 <DIR> d-------- c:\documents and settings\Tom.IBM-C0E8620BCD8\Application Data\Smilebox
2008-12-01 08:44 . 2008-12-01 08:44 <DIR> d-------- C:\Photos
2008-11-23 22:30 . 2008-10-15 11:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2008-11-14 22:13 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2008-11-14 22:13 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2008-11-14 00:51 . 2008-11-14 03:30 <DIR> d-------- C:\AVIDEOS
2008-11-14 00:42 . 2008-11-14 00:42 <DIR> d-------- c:\documents and settings\Tom.IBM-C0E8620BCD8\.javaws141
2008-11-12 21:07 . 2008-09-04 12:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 21:07 . 2008-10-24 06:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-06 13:58 . 2008-11-06 13:58 <DIR> d-------- c:\documents and settings\Tom.IBM-C0E8620BCD8\Application Data\InterVideo
2008-11-06 13:56 . 2005-07-17 09:42 7,987,897 --a------ c:\documents and settings\MOV01170.MPG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-05 02:51 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-12-04 16:55 --------- d-----w c:\documents and settings\Tom.IBM-C0E8620BCD8\Application Data\rlalog
2008-11-13 03:23 --------- d-----w c:\documents and settings\Tom.IBM-C0E8620BCD8\Application Data\Move Networks
2008-11-05 14:50 --------- d-----w c:\program files\Microsoft ActiveSync
2008-11-05 14:49 --------- d-----w c:\program files\Microsoft.NET
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-18 02:00 --------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor
2008-10-16 20:42 --------- d-----w c:\documents and settings\Tom.IBM-C0E8620BCD8\Application Data\AdobeUM
2008-10-13 07:01 --------- d-----w c:\program files\MSXML 4.0
2008-10-13 04:28 --------- d-----w c:\program files\McAfee.com
2008-10-13 04:28 --------- d-----w c:\program files\Common Files\McAfee
2008-10-13 04:25 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-10-13 04:23 --------- d-----w c:\program files\Symantec
2008-10-13 04:23 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-10-13 03:56 --------- d-----w c:\program files\AT&T Global Network Client
2008-10-13 03:20 15,648 ----a-w c:\windows\system32\drivers\NSDriver.sys
2008-10-13 03:20 15,648 ----a-w c:\windows\system32\drivers\AWRTRD.sys
2008-10-13 03:20 12,960 ----a-w c:\windows\system32\drivers\AWRTPD.sys
2008-10-13 03:20 --------- d-----w c:\program files\Lavasoft
2008-10-13 03:20 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-13 03:19 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-13 02:33 94 ----a-w c:\windows\system32\drivers\IBM_2374_WKZ.MRK
2008-10-13 02:32 --------- d-----w c:\program files\Bonjour
2008-10-13 02:28 --------- d-----w c:\program files\McAfee
2008-10-13 02:22 --------- d-----w c:\program files\QuickTime
2008-10-13 02:22 --------- d-----w c:\program files\iTunes
2008-10-13 02:22 --------- d-----w c:\program files\Apple Software Update
2008-10-13 02:22 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-10-13 01:57 0 --sha-r C:\MSDOS(2).SYS
2008-10-12 19:09 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-10-10 12:04 --------- d-----w c:\documents and settings\Tom\Application Data\rlalog
2008-10-10 05:24 --------- d-----w c:\documents and settings\Natasha\Application Data\Apple Computer
2008-10-10 03:25 --------- d-----w c:\program files\iPod
2008-10-10 03:22 --------- d-----w c:\program files\Common Files\Apple
2008-10-07 18:02 --------- d-----w c:\program files\Avaya
2008-10-06 22:41 --------- d-----w c:\program files\Common Files\Adobe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ibmmessages"="c:\program files\IBM\Messages By IBM\ibmmessages.exe" [2004-07-22 442368]
"NetSP - restore settings on power failure"="c:\program files\AT&T Global Network Client\NetSP.exe" [2007-06-27 42264]
"SmileboxTray"="c:\documents and settings\Tom.IBM-C0E8620BCD8\Application Data\Smilebox\SmileboxTray.exe" [2008-10-16 254600]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-06-16 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-06-16 512000]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-04 897024]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2004-08-17 94208]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2003-12-25 208896]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"UC_Start"="c:\program files\IBM\Updater\\ucstartup.exe" [2004-07-14 36864]
"ibmmessages"="c:\program files\IBM\Messages By IBM\\ibmmessages.exe" [2004-07-22 442368]
"SSC_UserPrompt"="c:\program files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-08-05 218240]
"IBMPRC"="c:\ibmtools\UTILS\ibmprc.exe" [2004-03-19 90112]
"QCTRAY"="c:\program files\ThinkPad\ConnectUtilities\QCTRAY.EXE" [2004-08-18 708608]
"QCWLICON"="c:\program files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2004-08-18 81920]
"BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2004-07-29 110592]
"BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2004-07-29 20480]
"BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2004-07-29 395776]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-03 582992]
"PWRESET"="c:\program files\Avaya\Avaya IP Softphone\IP Service Provider\pwreset.exe" [2008-01-10 45056]
"S3TRAY2"="S3Tray2.exe" [2001-10-12 c:\windows\system32\S3Tray2.exe]
"TpShocks"="TpShocks.exe" [2004-03-26 c:\windows\system32\TpShocks.exe]
"TP4EX"="tp4ex.exe" [2002-09-04 c:\windows\system32\TP4EX.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-09-30 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2004-08-18 05:30 258048 c:\windows\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli pwdmon

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"=
"c:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\IBM\\Updater\\ucsmb.exe"=
"c:\\Program Files\\AT&T Global Network Client\\NetClient.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Avaya\\Avaya IP Softphone\\ipsoftphone.exe"=

R0 Shockprf;Shockprf;c:\windows\system32\drivers\Shockprf.sys [2008-09-30 59520]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.SYS [2008-09-30 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.SYS [2008-09-30 2432]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2008-09-30 4608]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\Tppwr.sys [2008-09-30 16384]
R2 agnwifi;AT&T Wi-Fi Support Driver;c:\windows\system32\DRIVERS\agnwifi.sys [2008-10-12 19328]
R2 ibmfilter;ibmfilter;\??\c:\windows\system32\drivers\ibmfilter.sys [2004-09-23 64256]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" [2008-10-14 203280]
R3 agnfilt;AGN Filter Interface;c:\windows\system32\DRIVERS\agnfilt.sys [2008-10-12 218368]
S3 avpnnic;AGN Virtual Network Adapter;c:\windows\system32\DRIVERS\avpnnic.sys [2008-10-12 11264]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.SYS [2008-09-30 12288]
.
Contents of the 'Scheduled Tasks' folder

2008-12-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe []

2008-09-30 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2004-07-29 03:37]

2008-11-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2008-12-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2008-09-30 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-08-13 20:38]
.
- - - - ORPHANS REMOVED - - - -

BHO-{6A26574A-DD6D-4382-8C76-0DF06C478D3A} - c:\windows\system32\351631\351631.dll
HKLM-Run-UC_SMB - (no file)
HKLM-Run-<NO NAME> - (no file)

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 08:27:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1264)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1320)
c:\windows\system32\pwdmon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\S24EvMon.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
c:\windows\system32\qosservm.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\AT&T Global Network Client\netcfgsvr.exe
c:\windows\system32\QCONSVC.EXE
c:\windows\system32\RegSrvc.exe
c:\windows\system32\TpKmpSvc.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\windows\system32\ati2evxx.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\progra~1\McAfee\VIRUSS~1\mcvsshld.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
c:\progra~1\ThinkPad\CONNEC~1\QCTRAY.EXE
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-12-06 8:29:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-06 13:29:45

Pre-Run: 17,846,325,248 bytes free
Post-Run: 17,846,022,144 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

223 --- E O F --- 2008-12-06 13:00:18

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Hijackthis:

ComboFix 08-12-05.06 - Tom 2008-12-06 8:17:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.220 [GMT -5:00]
Running from: c:\downloads\ComboFix.exe
* Created a new restore point
* Resident AV is active
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\TinyProxy
c:\program files\tinyproxy\tinyproxy.exe
c:\windows\fmark2.dat
c:\windows\system32\351631
c:\windows\system32\351631\351631.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PROTECTED_STORAGE_(PROTECTEDSTORAGE)_
-------\Service_Protected Storage (ProtectedStorage)

((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.

2008-12-05 16:12 . 2008-12-05 16:12 <DIR> d-------- c:\documents and settings\Tom.IBM-C0E8620BCD8\.jpi_cache
2008-12-05 16:12 . 2008-12-05 16:12 <DIR> d-------- c:\documents and settings\Tom.IBM-C0E8620BCD8\.java
2008-12-05 10:53 . 2008-12-05 10:53 <DIR> d-------- c:\program files\Trend Micro
2008-12-05 08:39 . 2008-12-05 08:44 1,374 --a------ c:\windows\imsins.BAK
2008-12-05 08:36 . 2008-10-03 12:41 6,066,176 --------- c:\windows\system32\dllcache\ieframe.dll
2008-12-05 08:36 . 2008-08-26 02:24 459,264 --------- c:\windows\system32\dllcache\msfeeds.dll
2008-12-05 08:36 . 2008-08-26 02:24 383,488 --------- c:\windows\system32\dllcache\ieapfltr.dll
2008-12-05 08:36 . 2008-08-26 02:24 267,776 --------- c:\windows\system32\dllcache\iertutil.dll
2008-12-05 08:36 . 2008-08-26 02:24 63,488 --------- c:\windows\system32\dllcache\icardie.dll
2008-12-05 08:36 . 2008-08-26 02:24 52,224 --------- c:\windows\system32\dllcache\msfeedsbs.dll
2008-12-05 08:36 . 2008-08-25 03:38 13,824 --------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-04 23:36 . 2008-12-05 09:02 <DIR> d-------- c:\program files\Yahoo!
2008-12-04 23:36 . 2008-12-04 23:36 <DIR> d-------- c:\program files\CCleaner
2008-12-04 11:09 . 2008-12-04 15:53 1 ---h----- c:\windows\f49f4daa.dat
2008-12-01 22:01 . 2008-12-01 22:01 <DIR> d-------- c:\documents and settings\Annette.IBM-C0E8620BCD8\Application Data\IBM
2008-12-01 08:58 . 2008-12-01 08:58 <DIR> d-------- c:\program files\Smilebox
2008-12-01 08:56 . 2008-12-04 23:24 <DIR> d-------- c:\documents and settings\Tom.IBM-C0E8620BCD8\Application Data\Smilebox
2008-12-01 08:44 . 2008-12-01 08:44 <DIR> d-------- C:\Photos
2008-11-23 22:30 . 2008-10-15 11:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2008-11-14 22:13 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2008-11-14 22:13 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2008-11-14 00:51 . 2008-11-14 03:30 <DIR> d-------- C:\AVIDEOS
2008-11-14 00:42 . 2008-11-14 00:42 <DIR> d-------- c:\documents and settings\Tom.IBM-C0E8620BCD8\.javaws141
2008-11-12 21:07 . 2008-09-04 12:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 21:07 . 2008-10-24 06:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-06 13:58 . 2008-11-06 13:58 <DIR> d-------- c:\documents and settings\Tom.IBM-C0E8620BCD8\Application Data\InterVideo
2008-11-06 13:56 . 2005-07-17 09:42 7,987,897 --a------ c:\documents and settings\MOV01170.MPG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-05 02:51 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-12-04 16:55 --------- d-----w c:\documents and settings\Tom.IBM-C0E8620BCD8\Application Data\rlalog
2008-11-13 03:23 --------- d-----w c:\documents and settings\Tom.IBM-C0E8620BCD8\Application Data\Move Networks
2008-11-05 14:50 --------- d-----w c:\program files\Microsoft ActiveSync
2008-11-05 14:49 --------- d-----w c:\program files\Microsoft.NET
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-18 02:00 --------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor
2008-10-16 20:42 --------- d-----w c:\documents and settings\Tom.IBM-C0E8620BCD8\Application Data\AdobeUM
2008-10-13 07:01 --------- d-----w c:\program files\MSXML 4.0
2008-10-13 04:28 --------- d-----w c:\program files\McAfee.com
2008-10-13 04:28 --------- d-----w c:\program files\Common Files\McAfee
2008-10-13 04:25 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-10-13 04:23 --------- d-----w c:\program files\Symantec
2008-10-13 04:23 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-10-13 03:56 --------- d-----w c:\program files\AT&T Global Network Client
2008-10-13 03:20 15,648 ----a-w c:\windows\system32\drivers\NSDriver.sys
2008-10-13 03:20 15,648 ----a-w c:\windows\system32\drivers\AWRTRD.sys
2008-10-13 03:20 12,960 ----a-w c:\windows\system32\drivers\AWRTPD.sys
2008-10-13 03:20 --------- d-----w c:\program files\Lavasoft
2008-10-13 03:20 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-13 03:19 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-13 02:33 94 ----a-w c:\windows\system32\drivers\IBM_2374_WKZ.MRK
2008-10-13 02:32 --------- d-----w c:\program files\Bonjour
2008-10-13 02:28 --------- d-----w c:\program files\McAfee
2008-10-13 02:22 --------- d-----w c:\program files\QuickTime
2008-10-13 02:22 --------- d-----w c:\program files\iTunes
2008-10-13 02:22 --------- d-----w c:\program files\Apple Software Update
2008-10-13 02:22 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-10-13 01:57 0 --sha-r C:\MSDOS(2).SYS
2008-10-12 19:09 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-10-10 12:04 --------- d-----w c:\documents and settings\Tom\Application Data\rlalog
2008-10-10 05:24 --------- d-----w c:\documents and settings\Natasha\Application Data\Apple Computer
2008-10-10 03:25 --------- d-----w c:\program files\iPod
2008-10-10 03:22 --------- d-----w c:\program files\Common Files\Apple
2008-10-07 18:02 --------- d-----w c:\program files\Avaya
2008-10-06 22:41 --------- d-----w c:\program files\Common Files\Adobe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ibmmessages"="c:\program files\IBM\Messages By IBM\ibmmessages.exe" [2004-07-22 442368]
"NetSP - restore settings on power failure"="c:\program files\AT&T Global Network Client\NetSP.exe" [2007-06-27 42264]
"SmileboxTray"="c:\documents and settings\Tom.IBM-C0E8620BCD8\Application Data\Smilebox\SmileboxTray.exe" [2008-10-16 254600]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-06-16 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-06-16 512000]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-04 897024]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2004-08-17 94208]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2003-12-25 208896]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"UC_Start"="c:\program files\IBM\Updater\\ucstartup.exe" [2004-07-14 36864]
"ibmmessages"="c:\program files\IBM\Messages By IBM\\ibmmessages.exe" [2004-07-22 442368]
"SSC_UserPrompt"="c:\program files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-08-05 218240]
"IBMPRC"="c:\ibmtools\UTILS\ibmprc.exe" [2004-03-19 90112]
"QCTRAY"="c:\program files\ThinkPad\ConnectUtilities\QCTRAY.EXE" [2004-08-18 708608]
"QCWLICON"="c:\program files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2004-08-18 81920]
"BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2004-07-29 110592]
"BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2004-07-29 20480]
"BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2004-07-29 395776]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-03 582992]
"PWRESET"="c:\program files\Avaya\Avaya IP Softphone\IP Service Provider\pwreset.exe" [2008-01-10 45056]
"S3TRAY2"="S3Tray2.exe" [2001-10-12 c:\windows\system32\S3Tray2.exe]
"TpShocks"="TpShocks.exe" [2004-03-26 c:\windows\system32\TpShocks.exe]
"TP4EX"="tp4ex.exe" [2002-09-04 c:\windows\system32\TP4EX.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-09-30 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2004-08-18 05:30 258048 c:\windows\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli pwdmon

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"=
"c:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\IBM\\Updater\\ucsmb.exe"=
"c:\\Program Files\\AT&T Global Network Client\\NetClient.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Avaya\\Avaya IP Softphone\\ipsoftphone.exe"=

R0 Shockprf;Shockprf;c:\windows\system32\drivers\Shockprf.sys [2008-09-30 59520]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.SYS [2008-09-30 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.SYS [2008-09-30 2432]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2008-09-30 4608]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\Tppwr.sys [2008-09-30 16384]
R2 agnwifi;AT&T Wi-Fi Support Driver;c:\windows\system32\DRIVERS\agnwifi.sys [2008-10-12 19328]
R2 ibmfilter;ibmfilter;\??\c:\windows\system32\drivers\ibmfilter.sys [2004-09-23 64256]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" [2008-10-14 203280]
R3 agnfilt;AGN Filter Interface;c:\windows\system32\DRIVERS\agnfilt.sys [2008-10-12 218368]
S3 avpnnic;AGN Virtual Network Adapter;c:\windows\system32\DRIVERS\avpnnic.sys [2008-10-12 11264]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.SYS [2008-09-30 12288]
.
Contents of the 'Scheduled Tasks' folder

2008-12-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe []

2008-09-30 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2004-07-29 03:37]

2008-11-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2008-12-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2008-09-30 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-08-13 20:38]
.
- - - - ORPHANS REMOVED - - - -

BHO-{6A26574A-DD6D-4382-8C76-0DF06C478D3A} - c:\windows\system32\351631\351631.dll
HKLM-Run-UC_SMB - (no file)
HKLM-Run-<NO NAME> - (no file)

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 08:27:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1264)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1320)
c:\windows\system32\pwdmon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe c:\windows\system32\ati2evxx.exe c:\windows\system32\S24EvMon.exe c:\program files\Lavasoft\Ad-Aware\aawservice.exe c:\program files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe c:\windows\system32\qosservm.exe c:\progra~1\McAfee\MSC\mcmscsvc.exe c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe c:\program files\McAfee\MPF\MpfSrv.exe c:\program files\AT&T Global Network Client\netcfgsvr.exe c:\windows\system32\QCONSVC.EXE c:\windows\system32\RegSrvc.exe c:\windows\system32\TpKmpSvc.exe c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe c:\windows\system32\ati2evxx.exe c:\progra~1\McAfee.com\Agent\mcagent.exe c:\progra~1\McAfee\VIRUSS~1\mcvsshld.exe c:\program files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe c:\program files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe c:\progra~1\ThinkPad\CONNEC~1\QCTRAY.EXE c:\windows\system32\rundll32.exe c:\windows\system32\rundll32.exe . ************************************************************************** . Completion time: 2008-12-06 8:29:51 - machine was rebooted ComboFix-quarantined-files.txt 2008-12-06 13:29:45 Pre-Run: 17,846,325,248 bytes free Post-Run: 17,846,022,144 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect 223 --- E O F --- 2008-12-06 13:00:18 |
Dec 6 2008, 10:09 AM, Post #4
Malware Expert, Posts: 5,489, From: Belgium, OS: XP Home, XP Pro, Vista
Hi,
This looks OK again. Just 1 file you have to delete, so navigate to and delete the following file:

c:\windows\f49f4daa.dat

Then:

* Go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between ComboFix and /. Then hit Enter.
This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
Dec 7 2008, 09:40 AM, Post #5
Member, Posts: 22, From: Florida, OS: XP
I was unable to find the f49f4daa.dat file in my c:\Windows folder. I actually did a search of the C: drive and nothing came up. Would you like to see another log to see if it was renamed? Please let me know how to proceed.

And thanks again for your help.
Dec 7 2008, 03:54 PM, Post #6
Malware Expert, Posts: 5,489, From: Belgium, OS: XP Home, XP Pro, Vista
Hi,
The file is hidden (I forgot to tell you that), so please set your system to show all files:

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck: Hide file extensions for known file types.
* Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm.
* Click OK.

Please hide your hidden files and folders again afterwards, when we are done with this thread and your problems are solved, because the above instructions to set your system to show all files unhide legit files and folders as well, and I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.
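As an added illustration (not part of the thread, and not the helper's own instructions) of why a normal search misses a file like the one above: this PowerShell snippet creates a constructed sample file in the temp folder with the Hidden and System attributes, shows that a plain listing skips it while `-Force` finds it, and then reads the three Explorer registry values behind the Folder Options checkboxes in the post. The sample file name `demo-hidden.dat` is an assumption made here; it is not the real `c:\windows\f49f4daa.dat`.

```powershell
# Constructed sample: a throwaway file in %TEMP%, NOT the thread's
# c:\windows\f49f4daa.dat. Name is an assumption for this example.
$sample = Join-Path $env:TEMP 'demo-hidden.dat'
Set-Content -Path $sample -Value 'constructed sample content'

# Hidden + System is the combination Explorer treats as a
# "protected operating system file" and hides by default.
(Get-Item -Path $sample -Force).Attributes = 'Hidden, System, Archive'

# A plain listing does not return hidden items, which is why a
# normal Explorer search reports nothing for such a file.
$plain  = @(Get-ChildItem -Path $env:TEMP -Filter 'demo-hidden.dat')
# -Force includes Hidden and System entries.
$forced = @(Get-ChildItem -Path $env:TEMP -Filter 'demo-hidden.dat' -Force)

"Without -Force: {0} hit(s); with -Force: {1} hit(s)" -f $plain.Count, $forced.Count
$forced | Select-Object Name, Attributes, LastWriteTime

# The Explorer values that the Folder Options > View checkboxes toggle:
#   Hidden          1 = show hidden files and folders, 2 = do not show
#   ShowSuperHidden 1 = show protected operating system files, 0 = hide
#   HideFileExt     1 = hide extensions for known file types, 0 = show
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Get-ItemProperty -Path $key | Select-Object Hidden, ShowSuperHidden, HideFileExt

# Clean up the constructed sample (hidden files need -Force here too).
Remove-Item -Path $sample -Force
```

Running it prints 0 hits without `-Force` and 1 hit with it, followed by the current values of the three settings, so you can confirm what the GUI steps changed without relying on the search box.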
Dec 8 2008, 07:54 AM, Post #7
Member, Posts: 22, From: Florida, OS: XP
Miekiemoes, thanks so much. I was able to:

* Set the view folders back
* Uninstall ComboFix

5 Stars. Dank je! or Merci beaucoup!

Can you recommend the better anti-malware downloads, or any software that can protect better? I currently use Lavasoft Ad-Aware.
Dec 8 2008, 07:57 AM, Post #8
Malware Expert, Posts: 5,489, From: Belgium, OS: XP Home, XP Pro, Vista
Hi,
> Can you recommend the better anti-malware downloads? or any software that can protect better?

Best protection starts with yourself, so please read my Prevention page with lots of info and tips on how to prevent this in the future. And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy surfing again!
Dec 15 2008, 05:45 AM, Post #9
Malware Expert, Posts: 5,489, From: Belgium, OS: XP Home, XP Pro, Vista
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.
If you're the topic starter and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.