BTW, ComboFix still refuses to run!!

Ok.Run It in safe mode.....

It still does not run. Nothing happens in safe mode or regular mode when I click CF (and yes, it's on the desktop). Also, I've noticed there's usually an instance of IEXPLORE.exe running when I reboot, even though I've not started it. :/

OK, was able to remove sdra64.exe and ran CF.

ComboFix log:
ComboFix 09-05-16.05 - Michael 05/17/2009 3:34.11 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3231 [GMT -4:00]
Running from: c:\documents and settings\Michael\Desktop\Combo-Fix.exe
.
The following files were disabled during the run:
c:\progra~1\PHAROS~1\Core\PRNTRACK.DLL


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-04-17 to 2009-05-17 )))))))))))))))))))))))))))))))
.

2009-05-17 06:41 . 2009-05-17 06:41 -------- d-----w C:\_OTMoveIt
2009-05-17 06:27 . 2009-05-17 06:27 -------- d-----w c:\documents and settings\Administrator\Application Data\Media Player Classic
2009-05-17 05:14 . 2009-05-17 05:14 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-05-17 04:47 . 2009-05-17 04:59 10752 ----a-w c:\windows\system32\iehelper.dll
2009-05-17 04:38 . 2009-05-17 04:38 5592 ----a-w c:\windows\system32\uacinit.dll
2009-05-17 04:38 . 2009-05-17 04:38 66560 ----a-w c:\windows\system32\UACtcpuirevykttbgy.dll
2009-05-17 04:38 . 2009-05-17 04:38 19968 ----a-w c:\windows\system32\UACjhfcufqawivnorx.dll
2009-05-17 04:38 . 2009-05-17 04:38 17408 ----a-w c:\windows\system32\UACybnfrpvcednxhfe.dll
2009-05-17 04:38 . 2009-05-17 04:38 19968 ----a-w c:\windows\system32\UACqemeacouxefgdsh.dll
2009-05-17 04:38 . 2009-05-17 04:38 224 ----a-w c:\windows\system32\UACtqidjgfyxahgpmk.dat
2009-05-17 04:38 . 2009-05-17 04:38 24064 ----a-w c:\windows\system32\UACgqcolmycwkwtcld.dll
2009-05-17 04:38 . 2009-05-17 04:38 52224 ----a-w c:\windows\system32\drivers\UACooyrxkftysnvluk.sys
2009-05-17 04:37 . 2009-05-17 06:59 -------- d-sh--w c:\windows\system32\lowsec
2009-05-13 18:21 . 2009-05-13 18:25 8 ----a-w c:\windows\system32\nvModes.dat
2009-04-25 04:24 . 2009-04-25 04:24 56 ---ha-w c:\windows\system32\ezsidmv.dat
2009-04-25 04:24 . 2009-04-28 01:05 -------- d-----w c:\documents and settings\Michael\Application Data\skypePM
2009-04-25 04:23 . 2009-04-28 01:37 -------- d-----w c:\documents and settings\Michael\Application Data\Skype
2009-04-25 04:23 . 2009-04-25 04:23 -------- d-----w c:\program files\Common Files\Skype
2009-04-25 04:23 . 2009-04-25 04:23 -------- d-----r c:\program files\Skype
2009-04-25 04:23 . 2009-04-25 04:23 -------- d-----w c:\documents and settings\All Users\Application Data\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-12-21 02:43 . 2008-11-02 07:02 67688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-21 02:43 . 2008-11-02 07:02 54368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-21 02:43 . 2008-11-02 07:02 34944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2007-04-17 04:10 . 2008-11-02 07:03 539136 ----a-w c:\program files\mozilla firefox\components\pbgk1_8.dll
2008-12-21 02:43 . 2008-11-02 07:02 46712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-21 02:43 . 2008-11-02 07:02 172136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBD4551A-9B23-41cd-9BCD-818AA2DA7B63}]
2009-05-17 04:59 10752 ----a-w c:\windows\system32\iehelper.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\explorer\shelliconoverlayidentifiers\UE AFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-04-17 04:13 721408 ----a-w c:\program files\Fingerprint Reader Suite\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\explorer\shelliconoverlayidentifiers\UE AFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-04-17 04:13 721408 ----a-w c:\program files\Fingerprint Reader Suite\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="c:\documents and settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-22 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"WinampAgent"="x:\winamp 5.33\winampa.exe" [2007-02-13 35328]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-27 851968]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"PSQLLauncher"="c:\program files\Fingerprint Reader Suite\launcher.exe" [2007-04-17 49168]
"OEM04Mon.exe"="c:\windows\OEM04Mon.exe" [2007-06-11 36864]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-22 8433664]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.e xe" [2001-07-09 155648]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"CitiVAN"="c:\program files\Citi Virtual Account Numbers\CitiVAN.exe" [2004-08-12 192512]
"Acrobat Assistant 8.0"="x:\acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2007-05-06 405504]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-05-22 1626112]
"NvMediaCenter"="NvMCTray.dll" - c:\windows\system32\nvmctray.dll [2007-05-22 81920]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

c:\documents and settings\Michael\Start Menu\Programs\Startup\
palmOne Registration.lnk - c:\program files\palmOne\register.exe [2005-9-19 2367488]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe [2008-11-9 295606]
Adobe Acrobat Synchronizer.lnk - x:\acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-11-2 113664]
HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2008-1-3 1392640]
HOTSYNCSHORTCUTNAME.lnk - c:\program files\palmOne\Hotsync.exe [2008-1-3 1392640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-04-17 04:04 86528 ----a-w c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"x:\\mIRC\\mirc.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"x:\\AIM 4.4\\aim.exe"=
"c:\\Program Files\\ExamSoft\\SofTest\\SoftLnch.exe"= c:\\Program Files\\ExamSoft\\SoftLnch.exe
"c:\\Program Files\\ExamSoft\\SofTest\\softest.exe"= c:\\Program Files\\ExamSoft\\SofTest.exe
"c:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe"=
"c:\\Documents and Settings\\Michael\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octosh ape.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Documents and Settings\\Michael\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Michael\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\GloballyOpenPorts\List]
"113:TCP"= 113:TCP:Ident
"113:UDP"= 113:UDP:Ident


R0 cfyzonzq;cfyzonzq;c:\windows\system32\drivers\lcyp ekke.sys [x]
R3 OEM04Afx;Provides a software interface to control audio effects of OEM004 camera.;c:\windows\system32\Drivers\OEM04Afx.sys [2007-06-08 141376]
S3 OEM04Vfx;Creative Camera OEM004 Video VFX Driver;c:\windows\system32\DRIVERS\OEM04Vfx.sys [2007-03-05 7424]
S3 OEM04Vid;Creative Camera OEM004 Driver;c:\windows\system32\DRIVERS\OEM04Vid.sys [2007-05-07 234560]

.
Contents of the 'Scheduled Tasks' folder

2009-05-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-1482476501-1417001333-1003.job
- c:\documents and settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-22 02:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://webmail.law.miami.edu/exchange
IE: Append to existing PDF - x:\acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - x:\acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - x:\acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - x:\acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - x:\acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - x:\acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - x:\acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - x:\acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath -
.

************************************************** ************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-05-17 03:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\m chInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc21.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\Curr entVersion\System*]
"OODEFRAG08.00.00.01WORKSTATION"="8FB9460B0EA0A19B 1DE2A47C43D637916D4A7B7DB1BCFA5A024AB1F6C40E359DD1 A30A095B054A8BD0EFD10E2E1202E6C82251B293A833A8F29C 1D1D84992B277A4F251F7F7AF2DDB3EF2906B1A55EB3BB36E2 E3F4BE6FDE52B019831AD27FCE9AAAF55508FCC72F131AAEF9 26A72DF4722377591CCE64F949AD54C558E2DE30F7822EB4F3 2E095D6F04B788594F64E84C6B2B5FC2C85FBBB31D4F800892 07AF0C0C53CDB8CE8C0C02FEBC9E127BECC74CFEBC9E127BEC C74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC7 4CFEBC9E127BECC74CA6A0AC4980AC79338EDD5E5BE2F6E667 A6171C11EC38DE3DA6171C11EC38DE3DE131E84871E3ADDA2D 73BA6A9C11F4A6CE5175F153B58B2AE1DEAABC2DFD24B3D4C2 FE0DE1BDC699CD9599A7F871D33F99842DBB7F8F106AB2CC0F 2454A4C266CB03DD7385CAE4F9FBAC354CB6E55F2A6C287815 9B345D4F99E425EA86B0227C276B3B767F4100AEC338B60670 38D2559AE00E77DCA60FA4D58FD37630F860BDAE49D18B96EB 579C9508C6F3E5492C63DDA32B501CFA05698786882364685D A50C3CDC1935ABED5DC2C394A9FC0E2F2A523C8E01565AE451 36DC353CD77C3FE64EBAA07AEA72093E83E353AFBB8EE2B5F6 C9FBDD2C8295C449F2CB8665C7EF64E78B61FC6BC8B2C17337 3A82CE669243B1BDBAAFE34543DD8D03C7B50AEF9A372ECCE8 E58BC8B89C135E02110646CC464B609635E3075F6C37972475 6831322BDCEE05EB47232E3843CFE941D47265E4ED4B5F9DBA C01C75591061E2C5576AC2113687393E9869334D55B669D343 7479ABED688F1A80F2AD6E2285118CC53D304E3DC56CB18283 DDDC8CABD53F25D292F98B0AA154E71F0453531883CA72675E 7A6E1A998A4C5BBD80E796467598A073AFB820E2652B2215C9 01263733E86A67DF0C60C65174128DAAAB44EFFAB0C1910863 09D4E694BF36F75A3F1919458B1DAC2A7C70378D8F3A35F387 F9F8965D972648A8E91D807F6E6563FA0AF7BB538374B2D285 8EBFFB64D9ABB78039865D658D7A678DEA60AD7800F3EEE1EE 1290542D604DE64CC7C7E238172F142E51720CA5E0319B593A 5A451BB6B86A3D22D17AAFC5D9ED0E72A3BDD2CA4C38E8DA0F 52BBB6756615A65A7769ACF9DFCBDAEE173CC7E96491238535 13AFF1E4A31AE9327F89A5B1EFD3C46686A95576223D7E7FF4 1EF18AB953A7B743068686B91EFD5C063E3D36DE02F69EEDD4 76D26FE0DF3B60D46E120D8C89EC145D75FC29848B31C78935 A1F98611DE82AA8610836F3207E6CED9A2376F6B2D969C2C9B 190395C820F68D957ECAF59A8879B8BB57A75CD3D93FB85686 AD550643FC9E2B4FE1626BD065CB264E4CCDF92B66C0D6035B 8746E9300FBDEE0F10B9750C43E7B77B7D1A7D07F35D6C1D07 D776E85759C4701FB52D7DE5DA85EEA9"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(996)
c:\windows\system32\psqlpwd.dll
c:\program files\Fingerprint Reader Suite\homefus2.dll
c:\program files\Fingerprint Reader Suite\infra.dll
c:\program files\Fingerprint Reader Suite\homepass.dll
c:\program files\Fingerprint Reader Suite\bio.dll
c:\program files\Fingerprint Reader Suite\crypto.dll
c:\program files\Fingerprint Reader Suite\remote.dll

- - - - - - - > 'lsass.exe'(1052)
c:\windows\system32\psqlpwd.dll
c:\program files\Fingerprint Reader Suite\homefus2.dll
c:\program files\Fingerprint Reader Suite\infra.dll
.
Completion time: 2009-05-17 3:36
ComboFix-quarantined-files.txt 2009-05-17 07:36
ComboFix2.txt 2009-04-02 17:45
ComboFix3.txt 2009-03-31 15:05

Pre-Run: 17,591,128,064 bytes free
Post-Run: 17,583,734,784 bytes free

175

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.
It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open *notepad* and copy/paste the text in the quotebox below into it:
Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.


Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt
Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply please.

*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.Altering this script in any way could damage your computer*

ComboFix log:
ComboFix 09-05-16.05 - Michael 05/17/2009 9:53.12 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3088 [GMT -4:00]
Running from: c:\documents and settings\Michael\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Michael\Desktop\CFScript.txt

FILE ::
c:\windows\system32\drivers\UACooyrxkftysnvluk.sys
c:\windows\system32\iehelper.dll
c:\windows\system32\UACgqcolmycwkwtcld.dll
c:\windows\system32\UACjhfcufqawivnorx.dll
c:\windows\system32\UACqemeacouxefgdsh.dll
c:\windows\system32\UACtcpuirevykttbgy.dll
c:\windows\system32\UACtqidjgfyxahgpmk.dat
c:\windows\system32\UACybnfrpvcednxhfe.dll
c:\windows\TEMP\mc21.tmp
.
The following files were disabled during the run:
c:\progra~1\PHAROS~1\Core\PRNTRACK.DLL


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\UACooyrxkftysnvluk.sys
c:\windows\system32\iehelper.dll
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\MabryObj.dll
c:\windows\system32\UACgqcolmycwkwtcld.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACjhfcufqawivnorx.dll
c:\windows\system32\UACqemeacouxefgdsh.dll
c:\windows\system32\UACtcpuirevykttbgy.dll
c:\windows\system32\UACtqidjgfyxahgpmk.dat
c:\windows\system32\UACybnfrpvcednxhfe.dll

.
((((((((((((((((((((((((( Files Created from 2009-04-17 to 2009-05-17 )))))))))))))))))))))))))))))))
.

2009-05-17 06:41 . 2009-05-17 06:41 -------- d-----w C:\_OTMoveIt
2009-05-17 06:27 . 2009-05-17 06:27 -------- d-----w c:\documents and settings\Administrator\Application Data\Media Player Classic
2009-05-17 05:14 . 2009-05-17 05:14 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-05-13 18:21 . 2009-05-13 18:25 8 ----a-w c:\windows\system32\nvModes.dat
2009-04-25 04:24 . 2009-04-25 04:24 56 ---ha-w c:\windows\system32\ezsidmv.dat
2009-04-25 04:24 . 2009-04-28 01:05 -------- d-----w c:\documents and settings\Michael\Application Data\skypePM
2009-04-25 04:23 . 2009-04-28 01:37 -------- d-----w c:\documents and settings\Michael\Application Data\Skype
2009-04-25 04:23 . 2009-04-25 04:23 -------- d-----w c:\program files\Common Files\Skype
2009-04-25 04:23 . 2009-04-25 04:23 -------- d-----r c:\program files\Skype
2009-04-25 04:23 . 2009-04-25 04:23 -------- d-----w c:\documents and settings\All Users\Application Data\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2009-05-17 07:27 . 2008-11-02 06:31 69856 ----a-w c:\documents and settings\Michael\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-08 15:39 . 2008-12-04 15:03 104616 ----a-w c:\windows\jgzr.dat
2009-04-15 19:08 . 2009-04-15 19:08 -------- d-----w c:\program files\MSXML 4.0
2009-04-09 13:56 . 2009-04-09 13:56 -------- d-----w c:\program files\FlashFXP
2009-04-06 19:32 . 2009-01-04 08:24 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2009-01-04 08:24 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-02 17:47 . 2009-04-02 12:58 -------- d-----w c:\program files\Google
2009-03-06 14:22 . 2008-04-14 09:42 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:10 . 2008-04-14 09:42 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2008-04-14 09:41 81920 ----a-w c:\windows\system32\ieencode.dll
2008-12-21 02:43 . 2008-11-02 07:02 67688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-21 02:43 . 2008-11-02 07:02 54368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-21 02:43 . 2008-11-02 07:02 34944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2007-04-17 04:10 . 2008-11-02 07:03 539136 ----a-w c:\program files\mozilla firefox\components\pbgk1_8.dll
2008-12-21 02:43 . 2008-11-02 07:02 46712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-21 02:43 . 2008-11-02 07:02 172136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-17_07.36.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-17 07:40 . 2009-05-17 07:40 16384 c:\windows\temp\Perflib_Perfdata_130.dat
+ 2004-08-04 12:00 . 2009-05-17 07:44 62746 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2009-05-17 07:30 62746 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-05-17 07:44 401632 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2009-05-17 07:30 401632 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\explorer\shelliconoverlayidentifiers\UE AFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-04-17 04:13 721408 ----a-w c:\program files\Fingerprint Reader Suite\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\explorer\shelliconoverlayidentifiers\UE AFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-04-17 04:13 721408 ----a-w c:\program files\Fingerprint Reader Suite\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="c:\documents and settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-22 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"WinampAgent"="x:\winamp 5.33\winampa.exe" [2007-02-13 35328]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-27 851968]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"PSQLLauncher"="c:\program files\Fingerprint Reader Suite\launcher.exe" [2007-04-17 49168]
"OEM04Mon.exe"="c:\windows\OEM04Mon.exe" [2007-06-11 36864]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-22 8433664]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.e xe" [2001-07-09 155648]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"CitiVAN"="c:\program files\Citi Virtual Account Numbers\CitiVAN.exe" [2004-08-12 192512]
"Acrobat Assistant 8.0"="x:\acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2007-05-06 405504]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-05-22 1626112]
"NvMediaCenter"="NvMCTray.dll" - c:\windows\system32\nvmctray.dll [2007-05-22 81920]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

c:\documents and settings\Michael\Start Menu\Programs\Startup\
palmOne Registration.lnk - c:\program files\palmOne\register.exe [2005-9-19 2367488]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe [2008-11-9 295606]
Adobe Acrobat Synchronizer.lnk - x:\acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-11-2 113664]
HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2008-1-3 1392640]
HOTSYNCSHORTCUTNAME.lnk - c:\program files\palmOne\Hotsync.exe [2008-1-3 1392640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-04-17 04:04 86528 ----a-w c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"x:\\mIRC\\mirc.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"x:\\AIM 4.4\\aim.exe"=
"c:\\Program Files\\ExamSoft\\SofTest\\SoftLnch.exe"= c:\\Program Files\\ExamSoft\\SoftLnch.exe
"c:\\Program Files\\ExamSoft\\SofTest\\softest.exe"= c:\\Program Files\\ExamSoft\\SofTest.exe
"c:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe"=
"c:\\Documents and Settings\\Michael\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octosh ape.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Documents and Settings\\Michael\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Michael\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\GloballyOpenPorts\List]
"113:TCP"= 113:TCP:Ident
"113:UDP"= 113:UDP:Ident

R3 OEM04Vfx;Creative Camera OEM004 Video VFX Driver;c:\windows\system32\drivers\OEM04Vfx.sys [11/2/2008 2:24 AM 7424]
R3 OEM04Vid;Creative Camera OEM004 Driver;c:\windows\system32\drivers\OEM04Vid.sys [11/2/2008 2:24 AM 234560]
S0 cfyzonzq;cfyzonzq;c:\windows\system32\drivers\lcyp ekke.sys --> c:\windows\system32\drivers\lcypekke.sys [?]
S3 OEM04Afx;Provides a software interface to control audio effects of OEM004 camera.;c:\windows\system32\drivers\OEM04Afx.sys [11/2/2008 2:24 AM 141376]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2009-05-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-1482476501-1417001333-1003.job
- c:\documents and settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-22 02:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://webmail.law.miami.edu/exchange
IE: Append to existing PDF - x:\acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - x:\acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - x:\acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - x:\acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - x:\acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - x:\acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - x:\acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - x:\acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Michael\Application Data\Mozilla\Firefox\Profiles\2z1383qk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\program files\Mozilla Firefox\components\pbgk1_8.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

************************************************** ************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-05-17 09:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\m chInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc21.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\Curr entVersion\System*]
"OODEFRAG08.00.00.01WORKSTATION"="8FB9460B0EA0A19B 1DE2A47C43D637916D4A7B7DB1BCFA5A024AB1F6C40E359DD1 A30A095B054A8BD0EFD10E2E1202E6C82251B293A833A8F29C 1D1D84992B277A4F251F7F7AF2DDB3EF2906B1A55EB3BB36E2 E3F4BE6FDE52B019831AD27FCE9AAAF55508FCC72F131AAEF9 26A72DF4722377591CCE64F949AD54C558E2DE30F7822EB4F3 2E095D6F04B788594F64E84C6B2B5FC2C85FBBB31D4F800892 07AF0C0C53CDB8CE8C0C02FEBC9E127BECC74CFEBC9E127BEC C74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC7 4CFEBC9E127BECC74CA6A0AC4980AC79338EDD5E5BE2F6E667 A6171C11EC38DE3DA6171C11EC38DE3DE131E84871E3ADDA2D 73BA6A9C11F4A6CE5175F153B58B2AE1DEAABC2DFD24B3D4C2 FE0DE1BDC699CD9599A7F871D33F99842DBB7F8F106AB2CC0F 2454A4C266CB03DD7385CAE4F9FBAC354CB6E55F2A6C287815 9B345D4F99E425EA86B0227C276B3B767F4100AEC338B60670 38D2559AE00E77DCA60FA4D58FD37630F860BDAE49D18B96EB 579C9508C6F3E5492C63DDA32B501CFA05698786882364685D A50C3CDC1935ABED5DC2C394A9FC0E2F2A523C8E01565AE451 36DC353CD77C3FE64EBAA07AEA72093E83E353AFBB8EE2B5F6 C9FBDD2C8295C449F2CB8665C7EF64E78B61FC6BC8B2C17337 3A82CE669243B1BDBAAFE34543DD8D03C7B50AEF9A372ECCE8 E58BC8B89C135E02110646CC464B609635E3075F6C37972475 6831322BDCEE05EB47232E3843CFE941D47265E4ED4B5F9DBA C01C75591061E2C5576AC2113687393E9869334D55B669D343 7479ABED688F1A80F2AD6E2285118CC53D304E3DC56CB18283 DDDC8CABD53F25D292F98B0AA154E71F0453531883CA72675E 7A6E1A998A4C5BBD80E796467598A073AFB820E2652B2215C9 01263733E86A67DF0C60C65174128DAAAB44EFFAB0C1910863 09D4E694BF36F75A3F1919458B1DAC2A7C70378D8F3A35F387 F9F8965D972648A8E91D807F6E6563FA0AF7BB538374B2D285 8EBFFB64D9ABB78039865D658D7A678DEA60AD7800F3EEE1EE 1290542D604DE64CC7C7E238172F142E51720CA5E0319B593A 5A451BB6B86A3D22D17AAFC5D9ED0E72A3BDD2CA4C38E8DA0F 52BBB6756615A65A7769ACF9DFCBDAEE173CC7E96491238535 13AFF1E4A31AE9327F89A5B1EFD3C46686A95576223D7E7FF4 1EF18AB953A7B743068686B91EFD5C063E3D36DE02F69EEDD4 76D26FE0DF3B60D46E120D8C89EC145D75FC29848B31C78935 A1F98611DE82AA8610836F3207E6CED9A2376F6B2D969C2C9B 190395C820F68D957ECAF59A8879B8BB57A75CD3D93FB85686 AD550643FC9E2B4FE1626BD065CB264E4CCDF92B66C0D6035B 8746E9300FBDEE0F10B9750C43E7B77B7D1A7D07F35D6C1D07 D776E85759C4701FB52D7DE5DA85EEA9"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1000)
c:\windows\system32\psqlpwd.dll
c:\program files\Fingerprint Reader Suite\homefus2.dll
c:\program files\Fingerprint Reader Suite\infra.dll
c:\program files\Fingerprint Reader Suite\homepass.dll
c:\program files\Fingerprint Reader Suite\bio.dll
c:\program files\Fingerprint Reader Suite\remote.dll

- - - - - - - > 'lsass.exe'(1056)
c:\windows\system32\psqlpwd.dll
c:\program files\Fingerprint Reader Suite\homefus2.dll
c:\program files\Fingerprint Reader Suite\infra.dll
.
Completion time: 2009-05-17 9:55
ComboFix-quarantined-files.txt 2009-05-17 13:55
ComboFix2.txt 2009-05-17 07:36
ComboFix3.txt 2009-04-02 17:45
ComboFix4.txt 2009-03-31 15:05

Pre-Run: 17,573,203,968 bytes free
Post-Run: 17,562,845,184 bytes free

207

[b]HijackThis log:[b]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:56:37 AM, on 5/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\alg.exe
X:\Winamp 5.33\winampa.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\OEM04Mon.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
X:\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
X:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.law.miami.edu/exchange
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\system32\BhoCitUS.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - X:\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [WinampAgent] "X:\Winamp 5.33\winampa.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Fingerprint Reader Suite\launcher.exe" /startup
O4 - HKLM\..\Run: [OEM04Mon.exe] C:\WINDOWS\OEM04Mon.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [CitiVAN] C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe /dontopenmycards
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "X:\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = X:\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: Append to existing PDF - res://X:\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://X:\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://X:\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://X:\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://X:\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://X:\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://X:\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://X:\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1239821979953
O16 - DPF: {D6E0B119-DCF2-4CD6-8DFB-7CFF1B70F7FF} (TeamOn Import Object) - https://bis.na.blackberry.com/html/w...s/TOImport.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO. EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID. EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9362 bytes

Just this last one to remove and we are done...


Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.
It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open *notepad* and copy/paste the text in the quotebox below into it:
Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.


Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt
Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply please.

*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.Altering this script in any way could damage your computer*