[Fixed] Hijackthis! Logs - Spyware Protect 2009
Posted in the PC Help Forum, Security & Safety forums
05-17-2009, post #15
gordian, Bronze Member (Join Date: Jan 2009, Posts: 36, PC Experience: Some Experience)
Re: Spyware Protect 2009

ComboFix:
ComboFix 09-05-16.05 - Michael 05/17/2009 18:51.13 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3018 [GMT -4:00]
Running from: c:\documents and settings\Michael\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Michael\Desktop\CFScript.txt

FILE ::
c:\windows\jgzr.dat
.
The following files were disabled during the run:
c:\progra~1\PHAROS~1\Core\PRNTRACK.DLL


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\jgzr.dat

.
((((((((((((((((((((((((( Files Created from 2009-04-17 to 2009-05-17 )))))))))))))))))))))))))))))))
.

2009-05-17 06:41 . 2009-05-17 06:41 -------- d-----w C:\_OTMoveIt
2009-05-17 06:27 . 2009-05-17 06:27 -------- d-----w c:\documents and settings\Administrator\Application Data\Media Player Classic
2009-05-17 05:14 . 2009-05-17 05:14 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-05-13 18:21 . 2009-05-13 18:25 8 ----a-w c:\windows\system32\nvModes.dat
2009-04-25 04:24 . 2009-04-25 04:24 56 ---ha-w c:\windows\system32\ezsidmv.dat
2009-04-25 04:24 . 2009-04-28 01:05 -------- d-----w c:\documents and settings\Michael\Application Data\skypePM
2009-04-25 04:23 . 2009-04-28 01:37 -------- d-----w c:\documents and settings\Michael\Application Data\Skype
2009-04-25 04:23 . 2009-04-25 04:23 -------- d-----w c:\program files\Common Files\Skype
2009-04-25 04:23 . 2009-04-25 04:23 -------- d-----r c:\program files\Skype
2009-04-25 04:23 . 2009-04-25 04:23 -------- d-----w c:\documents and settings\All Users\Application Data\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-17 07:27 . 2008-11-02 06:31 69856 ----a-w c:\documents and settings\Michael\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-15 19:08 . 2009-04-15 19:08 -------- d-----w c:\program files\MSXML 4.0
2009-04-09 13:56 . 2009-04-09 13:56 -------- d-----w c:\program files\FlashFXP
2009-04-06 19:32 . 2009-01-04 08:24 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2009-01-04 08:24 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-02 17:47 . 2009-04-02 12:58 -------- d-----w c:\program files\Google
2009-03-06 14:22 . 2008-04-14 09:42 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:10 . 2008-04-14 09:42 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2008-04-14 09:41 81920 ----a-w c:\windows\system32\ieencode.dll
2008-12-21 02:43 . 2008-11-02 07:02 67688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-21 02:43 . 2008-11-02 07:02 54368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-21 02:43 . 2008-11-02 07:02 34944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2007-04-17 04:10 . 2008-11-02 07:03 539136 ----a-w c:\program files\mozilla firefox\components\pbgk1_8.dll
2008-12-21 02:43 . 2008-11-02 07:02 46712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-21 02:43 . 2008-11-02 07:02 172136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-17_07.36.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-17 14:04 . 2009-05-17 14:04 16384 c:\windows\temp\Perflib_Perfdata_d4.dat
+ 2004-08-04 12:00 . 2009-05-17 14:08 62746 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2009-05-17 07:30 62746 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-05-17 14:08 401632 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2009-05-17 07:30 401632 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-04-17 04:13 721408 ----a-w c:\program files\Fingerprint Reader Suite\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-04-17 04:13 721408 ----a-w c:\program files\Fingerprint Reader Suite\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-27 851968]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"PSQLLauncher"="c:\program files\Fingerprint Reader Suite\launcher.exe" [2007-04-17 49168]
"OEM04Mon.exe"="c:\windows\OEM04Mon.exe" [2007-06-11 36864]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-22 8433664]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2007-05-06 405504]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-05-22 1626112]
"NvMediaCenter"="NvMCTray.dll" - c:\windows\system32\nvmctray.dll [2007-05-22 81920]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-04-17 04:04 86528 ----a-w c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=c:\windows\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=c:\windows\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Michael^Start Menu^Programs^Startup^palmOne Registration.lnk]
path=c:\documents and settings\Michael\Start Menu\Programs\Startup\palmOne Registration.lnk
backup=c:\windows\pss\palmOne Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"x:\\mIRC\\mirc.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"x:\\AIM 4.4\\aim.exe"=
"c:\\Program Files\\ExamSoft\\SofTest\\SoftLnch.exe"= c:\\Program Files\\ExamSoft\\SoftLnch.exe
"c:\\Program Files\\ExamSoft\\SofTest\\softest.exe"= c:\\Program Files\\ExamSoft\\SofTest.exe
"c:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe"=
"c:\\Documents and Settings\\Michael\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Documents and Settings\\Michael\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Michael\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"113:TCP"= 113:TCP:Ident
"113:UDP"= 113:UDP:Ident

R3 OEM04Vfx;Creative Camera OEM004 Video VFX Driver;c:\windows\system32\drivers\OEM04Vfx.sys [11/2/2008 2:24 AM 7424]
R3 OEM04Vid;Creative Camera OEM004 Driver;c:\windows\system32\drivers\OEM04Vid.sys [11/2/2008 2:24 AM 234560]
S0 cfyzonzq;cfyzonzq;c:\windows\system32\drivers\lcypekke.sys --> c:\windows\system32\drivers\lcypekke.sys [?]
S3 OEM04Afx;Provides a software interface to control audio effects of OEM004 camera.;c:\windows\system32\drivers\OEM04Afx.sys [11/2/2008 2:24 AM 141376]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2009-05-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-1482476501-1417001333-1003.job
- c:\documents and settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-22 02:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://webmail.law.miami.edu/exchange
IE: Append to existing PDF - x:\acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - x:\acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - x:\acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - x:\acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - x:\acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - x:\acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - x:\acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - x:\acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Michael\Application Data\Mozilla\Firefox\Profiles\2z1383qk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\program files\Mozilla Firefox\components\pbgk1_8.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-05-17 18:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc21.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(992)
c:\windows\system32\psqlpwd.dll
c:\program files\Fingerprint Reader Suite\homefus2.dll
c:\program files\Fingerprint Reader Suite\infra.dll
c:\program files\Fingerprint Reader Suite\homepass.dll
c:\program files\Fingerprint Reader Suite\bio.dll
c:\program files\Fingerprint Reader Suite\crypto.dll
c:\program files\Fingerprint Reader Suite\remote.dll
c:\program files\Fingerprint Reader Suite\biokmd.dll

- - - - - - - > 'lsass.exe'(1048)
c:\windows\system32\psqlpwd.dll
c:\program files\Fingerprint Reader Suite\homefus2.dll
c:\program files\Fingerprint Reader Suite\infra.dll

- - - - - - - > 'explorer.exe'(2240)
c:\program files\Fingerprint Reader Suite\farchns.dll
c:\program files\Fingerprint Reader Suite\infra.dll
.
Completion time: 2009-05-17 18:52
ComboFix-quarantined-files.txt 2009-05-17 22:52
ComboFix2.txt 2009-05-17 13:55
ComboFix3.txt 2009-05-17 07:36
ComboFix4.txt 2009-04-02 17:45
ComboFix5.txt 2009-05-17 22:51

Pre-Run: 17,497,915,392 bytes free
Post-Run: 17,496,117,248 bytes free

195

HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:53:32 PM, on 5/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\OEM04Mon.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Fingerprint Reader Suite\psqltray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Documents and Settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Michael\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
X:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.law.miami.edu/exchange
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\system32\BhoCitUS.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - X:\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Fingerprint Reader Suite\launcher.exe" /startup
O4 - HKLM\..\Run: [OEM04Mon.exe] C:\WINDOWS\OEM04Mon.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Append to existing PDF - res://X:\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://X:\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://X:\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://X:\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://X:\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://X:\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://X:\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://X:\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1239821979953
O16 - DPF: {D6E0B119-DCF2-4CD6-8DFB-7CFF1B70F7FF} (TeamOn Import Object) - https://bis.na.blackberry.com/html/w...s/TOImport.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8229 bytes

Thanks again for all your help!
gordian

05-18-2009, post #16
Pancake, Senior Security Analyst (Join Date: Jun 2006, Location: Victoria, Australia, Posts: 6,862, PC Experience: Elite PC Guru)
Re: Spyware Protect 2009

Ok. All done. All malware gone. You should be fine now....

This will clear away any of the files and folders that were created by ComboFix.
Go to:
Start > Run then copy and paste the following highlighted text below into the box and click OK.

ComboFix /u

Please read these for future reference; it may save you future problems:
http://www.pchelpforum.com/new-hijac...ing-sites.html
http://www.pchelpforum.com/new-hijac...-infected.html
http://www.pchelpforum.com/progress-...afterwork.html
__________________
My real name is Eddy
