Antvirus_System_pro_alert

Status
Not open for further replies.

dreinowski

Beta member
Messages
2
One user account on this computer has been hit with the fake "Antivirus System Pro Alert". All of the other user accounts are OK so far. I could not run HijackThis under the infected account; the virus keeps shutting me down.
I have run ComboFix, Malwarebytes, and HijackThis.
HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:43:55 PM, on 11/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gtnapp/gtn/GTN_Portal.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Gateway Official Site: Notebooks, Laptops, Desktops, All-in-Ones, Displays, Monitors, Accessories
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Microsoft Windows Update
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [OE] C:\Program Files\Trend Micro\OfficeScan Client\TMAS_OE\TMAS_OEMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ringsidecreative.com/#/home
O15 - Trusted Zone: http://reports.gtn.net (HKLM)
O15 - Trusted Zone: http://*.gtnapp (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127321873320
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gtn.net
O17 - HKLM\Software\..\Telephony: DomainName = gtn.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gtn.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = gtn.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = gtn.net
O20 - Winlogon Notify: MacDrive-iTunes compatibility - C:\Program Files\Common Files\Mediafour\MacDriveiTunesPatch.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
O23 - Service: Trend Micro Client/Server Security Agent Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe

--
End of file - 6790 bytes

ComboFix log:
ComboFix 09-11-11.02 - Administrator 11/11/2009 13:56.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1007.497 [GMT -5:00]
Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
AV: Trend Micro Client/Server Security Agent Antivirus *On-access scanning disabled* (Outdated) {2A5E35F7-C5F2-4AAC-9BFA-41EA016D2912}
FW: Trend Micro Client-Server Security Agent Firewall *disabled* {2A5E35F7-C5F2-4AAC-9BFA-41EA016D2912}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

(((((((((((((((((((( Other Deletions )))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\recycler\S-1-5-21-3134346367-103317917-45493102-500
c:\recycler\S-1-5-21-484763869-1035525444-1801674531-500

----- BITS: Possible infected sites -----

hxxp://gtnad2
.
((((((((((((((( Files Created from 2009-10-11 to 2009-11-11 ))))))))))))))))))))
.

2009-11-11 13:53 . 2009-11-11 14:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-11 13:53 . 2009-11-11 13:59 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-11 12:44 . 2009-11-11 12:44 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-11-10 18:10 . 2009-11-10 18:10 -------- d-----w- c:\documents and settings\SSweik\Local Settings\Application Data\pqjvaq
2009-11-06 18:05 . 2009-11-06 18:05 -------- d-----w- c:\program files\iPod
2009-11-06 18:05 . 2009-11-06 18:06 -------- d-----w- c:\program files\iTunes
2009-11-06 18:05 . 2009-11-06 18:06 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-11-06 18:04 . 2009-11-06 18:04 -------- d-----w- c:\program files\Bonjour
2009-11-06 18:01 . 2009-11-06 18:01 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple
2009-11-06 18:01 . 2009-11-06 18:01 -------- d-----w- c:\program files\Apple Software Update
2009-11-06 18:01 . 2009-11-06 18:06 -------- dc----w- c:\windows\system32\DRVSTORE
2009-11-06 17:53 . 2009-11-06 17:53 -------- d-----w- c:\program files\Common Files\Apple
2009-11-06 17:53 . 2009-11-06 17:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-10-29 01:58 . 2009-10-29 01:58 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-14 12:56 . 2009-09-04 20:45 58880 -c----w- c:\windows\system32\dllcache\msasn1.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-10 16:28 . 2005-10-06 13:03 -------- d-----w- c:\documents and settings\SSweik\Application Data\Apple Computer
2009-11-06 18:03 . 2006-02-23 19:01 -------- d-----w- c:\program files\QuickTime
2009-11-06 18:03 . 2005-09-22 15:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-09-25 05:49 . 2004-01-08 19:23 668672 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:48 . 2004-08-04 07:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-11 14:33 . 2001-08-23 12:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45 . 2001-08-23 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:16 . 2001-08-23 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2005-04-05 94208]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2005-04-05 77824]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 86016]
"Persistence"="c:\windows\System32\igfxpers.exe" [2005-04-05 114688]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Mediafour Mac Volume Notifications"="c:\program files\Common Files\Mediafour\MACVNTFY.EXE" [2002-12-17 61440]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2008-11-18 882048]
"OE"="c:\program files\Trend Micro\OfficeScan Client\TMAS_OE\TMAS_OEMon.exe" [2008-04-03 492808]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MacDrive-iTunes compatibility]
2003-11-07 16:24 61440 ----a-r- c:\program files\Common Files\Mediafour\MacDriveiTunesPatch.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1408327146-1106867913-1093625069-1007\Scripts\Logon\0\0]
"Script"=sus.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1408327146-1106867913-1093625069-1007\Scripts\Logon\1\0]
"Script"=mislogon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1408327146-1106867913-1093625069-1007\Scripts\Logon\2\0]
"Script"=expense.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1408327146-1106867913-1093625069-1057\Scripts\Logon\0\0]
"Script"=sus.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1408327146-1106867913-1093625069-1057\Scripts\Logon\1\0]
"Script"=expense.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1408327146-1106867913-1093625069-1057\Scripts\Logon\2\0]
"Script"=mislogon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1408327146-1106867913-1093625069-1077\Scripts\Logon\0\0]
"Script"=expense.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1408327146-1106867913-1093625069-1080\Scripts\Logon\0\0]
"Script"=expense.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1408327146-1106867913-1093625069-1080\Scripts\Logon\1\0]
"Script"=poslogon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1408327146-1106867913-1093625069-1227\Scripts\Logon\0\0]
"Script"=sus.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1408327146-1106867913-1093625069-1227\Scripts\Logon\1\0]
"Script"=expense.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1408327146-1106867913-1093625069-1227\Scripts\Logon\2\0]
"Script"=poslogon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1408327146-1106867913-1093625069-1418\Scripts\Logon\0\0]
"Script"=sus.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1408327146-1106867913-1093625069-1418\Scripts\Logon\1\0]
"Script"=expense.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1408327146-1106867913-1093625069-1418\Scripts\Logon\2\0]
"Script"=poslogon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1408327146-1106867913-1093625069-1605\Scripts\Logon\0\0]
"Script"=expense.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1408327146-1106867913-1093625069-1853\Scripts\Logon\0\0]
"Script"=mislogon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1408327146-1106867913-1093625069-3294\Scripts\Logon\0\0]
"Script"=sus.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1408327146-1106867913-1093625069-3294\Scripts\Logon\1\0]
"Script"=expense.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1408327146-1106867913-1093625069-3294\Scripts\Logon\2\0]
"Script"=mislogon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1408327146-1106867913-1093625069-3611\Scripts\Logon\0\0]
"Script"=sus.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1408327146-1106867913-1093625069-3611\Scripts\Logon\1\0]
"Script"=mislogon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1408327146-1106867913-1093625069-3611\Scripts\Logon\2\0]
"Script"=expense.bat

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 MDPMGRNT;MDPMGRNT;c:\windows\system32\drivers\MDPMGRNT.SYS [11/5/2003 5:06 PM 26272]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [9/27/2007 4:01 PM 36368]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [9/27/2007 4:01 PM 334352]
S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXPFlt.sys [9/27/2007 4:01 PM 225296]
S3 MDFSYSNT;MDFSYSNT;c:\windows\system32\drivers\MDFSYSNT.SYS [6/18/2004 2:50 PM 281104]
S3 TmPfw;Trend Micro Client/Server Security Agent Personal Firewall;c:\program files\Trend Micro\OfficeScan Client\TmPfw.exe [3/31/2009 1:47 PM 492888]
S3 TmProxy;Trend Micro Client/Server Security Agent Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [3/31/2009 1:47 PM 677128]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*NewlyCreated* - PROCEXP113
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-11-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://gtnapp/gtn/GTN_Portal.asp
mStart Page = hxxp://www.gatewaybiz.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Trusted Zone: gtn.net
Trusted Zone: gtn.net\mail
Trusted Zone: gtn.net\reports
Trusted Zone: gtnapp
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6wj7m0qx.default\
FF - prefs.js: browser.startup.homepage - hxxp://gtnapp/gtn/GTN_Portal.asp
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

ShellIconOverlayIdentifiers-Mediafour Mac Volume Icons - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-11-11 14:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(952)
c:\program files\Bonjour\mdnsNSP.dll
c:\program files\Common Files\Mediafour\MacDriveiTunesPatch.dll

- - - - - - - > 'lsass.exe'(1016)
c:\program files\Bonjour\mdnsNSP.dll
.
Completion time: 2009-11-11 14:03
ComboFix-quarantined-files.txt 2009-11-11 19:03

Pre-Run: 15,085,137,920 bytes free
Post-Run: 15,609,405,440 bytes free

- - End Of File - - AF1A6C97E6DBE79A2F632EC8CDDD36B1
 
Even after running those programs, you still have issues with that one account?

Remove these entries if they are not legit:

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gtn.net

O17 - HKLM\Software\..\Telephony: DomainName = gtn.net

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gtn.net

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = gtn.net

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = gtn.net
 
gtn.net is our internal domain.

Ended up using Spyware Doctor. It was the only thing that found Antivirus System Pro.
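The reply above singles out the O17 (DNS domain / search list) entries, and the follow-up confirms gtn.net is the organisation's own domain. The check below is an added example, not code from the thread: it parses HijackThis O17 lines and flags any DNS suffix or resolver that is not on an allowlist. The sample input embeds the thread's five O17 lines plus one constructed NameServer entry (placeholder GUID, RFC 5737 test addresses); the allowlists passed in are assumptions.

```python
import ipaddress
import re

# Constructed sample input: the five O17 lines from the HijackThis log in this
# thread, plus one constructed NameServer entry (placeholder GUID, RFC 5737
# documentation addresses) so the resolver check has something to fire on.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gtn.net
O17 - HKLM\Software\..\Telephony: DomainName = gtn.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gtn.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = gtn.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = gtn.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{CONSTRUCTED-GUID}: NameServer = 203.0.113.5,203.0.113.6
"""

# "O17 - <registry key>: <value name> = <value>"
O17_RE = re.compile(r"^O17 - (?P<key>.+?): (?P<name>\w+) = (?P<value>.+)$")
DOMAIN_NAMES = {"domain", "domainname", "searchlist", "dhcpdomain"}
RESOLVER_NAMES = {"nameserver", "dhcpnameserver"}


def check_o17(log_text, internal_domains, trusted_resolvers):
    """Return [(line, reason)] for O17 entries outside the known-good set.

    internal_domains: DNS suffixes the organisation really uses (assumed).
    trusted_resolvers: CIDR strings covering the resolvers it really runs (assumed).
    """
    allowed_domains = {d.lower().strip(".") for d in internal_domains}
    allowed_nets = [ipaddress.ip_network(n, strict=False) for n in trusted_resolvers]
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O17_RE.match(line)
        if not m:
            continue  # not an O17 entry; other HJT sections are out of scope here
        name = m.group("name").lower()
        values = [v for v in re.split(r"[,\s]+", m.group("value")) if v]
        if name in DOMAIN_NAMES:
            for v in values:
                if v.lower().strip(".") not in allowed_domains:
                    findings.append((line, f"DNS suffix {v!r} is not an internal domain"))
        elif name in RESOLVER_NAMES:
            for v in values:
                try:
                    ip = ipaddress.ip_address(v)
                except ValueError:
                    findings.append((line, f"unparseable resolver {v!r}"))
                    continue
                if not any(ip in net for net in allowed_nets):
                    findings.append((line, f"resolver {ip} is not a trusted resolver"))
        else:
            findings.append((line, f"unexpected O17 value name {name!r}"))
    return findings


if __name__ == "__main__":
    # With gtn.net allowlisted, only the constructed NameServer line is flagged.
    for line, reason in check_o17(SAMPLE_LOG, {"gtn.net"}, {"10.0.0.0/8"}):
        print(f"FLAG: {reason}\n      {line}")
```

Entries that pass the check are the ones the reply says to leave alone; anything flagged is worth comparing against what DHCP or the domain controller actually hands out before removing it.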
 