
Referred here (ComboFix log included)


jay2009

referred here as shown in this post

http://www.malwarebytes.org/forums/index.p...amp;#entry56664

(please note someone is spamming my name on this and other forums; disregard or remove their posts)

thanks for all the help!

I was able to run ComboFix earlier, but after trying to generate a log it seems that I cannot launch either ComboFix or MBAM

I click on them and they say run but they do not launch?

awaiting help


  • Root Admin

Well, if neither program will run in either Normal or Safe Mode, even after trying a few different names, then please run the following.

Avira AntiVir Rescue System

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

  • Download the Avira AntiVir Rescue System from here.
  • Place a blank CD in your burner and double-click on the downloaded file.
  • The program will automatically burn the CD for you.
  • Place the burned CD into the affected computer and start the computer from this CD.
  • On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.
  • Click on the Configuration button.
    • Select Scan all files
    • Select Try to repair infected files and Rename files, if they cannot be removed
    • Select Scan for dialers
    • Select Scan for joke programs (Jokes)
    • Select Scan for games
    • Select Scan for spyware (SPR)
  • Click on Virus scanner
  • Click on Start scanner at the bottom of the screen
  • Currently the program does not support saving a log. Write down the amount of items for Records, Suspect files, and Warnings

The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.

Screen resolution problems

Please see the post here if you're unable to view the entire screen of Avira.

will try that disc today, as long as it doesn't interfere with the files in this system (FYI thanks for closing that other post; if possible you can just delete it, having it show up in search results just fuels the flames for people in the future)

I don't know who that person was but they came from annoyances.org. NUFF SAID!

thanks for the tip, will try it today!


Just a follow up, I installed and burned the anti

when I launched the CD in Linux (via boot) I was unable to get it to scan; I tried to point the mnt/ to sda5 (which is the disk with the infected system on it) but every time I clicked scan it said finished, nothing happened

in Linux I am familiar with the normal operations, yet it seemed like it was not even responding

awaiting advice!

anyone?


  • Root Admin

Please be patient - there are many users requesting help as well. When replying please click on the ADDREPLY button - not on the REPLY button.

Please run the following scanner on the system then.

Download to the desktop: Dr.Web CureIt

  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, click Options > Change settings
  • Choose the "Scan" tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the icon next to the files found. If so, click it and then click the icon right below and select Move incurable. This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new HijackThis log.

Also try to run a Disk Check on the volume. From DOS - CHKDSK C: /F


ok, just so you know, thanks for the help

ran a scan with the Dr program, then an advanced scan which locked up the PC after 3 hours, so if I do another it will be after I turn in for the night

this PC is still functional for now

the PC seems to be crashing every second after that scan went down though; I will try a reboot as nothing seems to work without freezing on me

(another weird thing is now happening, may not be related to the bugs though) the Firefox thumbnails are no longer showing up on some webpages, or even regular images for that matter

that's the update

  • Root Admin

Well maybe do a disk check on the drive

CHKDSK C: /F

or what drive it is. Then reboot.

If these don't work then take the drive out and slave it to a working PC with Dr Web installed or Kaspersky.

If you can't get it to stop crashing as is and can't run an Avira boot CD then your options are getting limited.


just so we're all on the same page, I was able to complete a scan with DrWeb last night during the overnight (while the PC was idle); it found some very interesting things in my system32 directory. I am reverting back to the instructions given for that step in this post for now, before moving further

will update after a reboot!

DrWeb report

vremover.exe;C:\data storage\software;Program.AnalogProxy;Incurable.Moved.;
CurrProcess.exe;C:\data storage\software\bart boot cd\PROGRAMS\Applications;Tool.CurrProcess.110;Incurable.Moved.;
ipscan.exe;C:\data storage\software\bart boot cd\PROGRAMS\IPScan;Tool.AngryIpscan;Incurable.Moved.;
vncconfig.exe;C:\data storage\software\bart boot cd\PROGRAMS\vncserver;Program.RemoteAdmin;Incurable.Moved.;
winvnc4.exe;C:\data storage\software\bart boot cd\PROGRAMS\vncserver;Program.RemoteAdmin;Incurable.Moved.;
WM_HOOKS.DLL;C:\data storage\software\bart boot cd\SYSTEM32;Program.RemoteAdmin;Incurable.Moved.;
Process.exe;C:\Documents and Settings\administrator.ZTEKCORP\My Documents\SmitfraudFix\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Documents and Settings\administrator.ZTEKCORP\My Documents\SmitfraudFix\SmitfraudFix;Tool.ShutDown.14;Incurable.Moved.;
rc10ancd.EXE;C:\Program Files\Psygnosis\Rollcage Stage II;Tool.GameCrack;Incurable.Moved.;
rc10ancd.EXE;C:\Program Files\Psygnosis\Rollcage Stage II\rc10ancd;Tool.GameCrack;Incurable.Moved.;
Sample.dll;C:\Program Files\Rightload\plugins;Trojan.DownLoader.origin;Incurable.Moved.;
WinVNC.exe;C:\Program Files\TightVNC;Program.WinVnc;Incurable.Moved.;
senekamnvaqgrr.sys.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers;BackDoor.Tdss.57;Deleted.;
Process.exe;C:\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\SmitfraudFix;Tool.ShutDown.14;Incurable.Moved.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Moved.;
xihahcck.dll;C:\WINDOWS\system32;Trojan.DownLoad.28016;Deleted.;

HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 10:23:36, on 02/16/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\OEM02Mon.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\data storage\software\AV-removal\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ZTEK.corp
O17 - HKLM\Software\..\Telephony: DomainName = ZTEK.corp
O17 - HKLM\System\CCS\Services\Tcpip\..\{1414EC86-24E2-4125-A830-017786A7F9EF}: NameServer = 192.168.1.2,4.2.2.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{29BBAE27-D70B-4D9A-B104-2D8D9C8D4D82}: NameServer = 4.2.2.2,192.168.1.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{5DBB5200-8BB1-44A5-B336-66359E0A8B71}: NameServer = 4.2.2.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ZTEK.corp
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ZTEK.corp
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ZTEK.corp
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = ZTEK.corp
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: Domain = ZTEK.corp
O17 - HKLM\System\CS6\Services\Tcpip\Parameters: Domain = ZTEK.corp
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

standing by...

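Reading a Dr.Web report like the one posted above is mostly a sorting job: the Tool./Program. detections (VNC, Angry IP Scanner, SmitfraudFix's Process.exe) are dual-use programs a technician may own on purpose, the Trojan./BackDoor. names are the real problem, and the BackDoor.Tdss.57 entry already sits in ComboFix's Qoobox quarantine. The Python script below is an added example, not Dr.Web code and not from anyone in this thread: it parses the semicolon-separated DrWeb.csv format and buckets findings that way. The SEVERITY mapping, the quarantine check and the system-directory check are the editor's assumptions; the sample lines are copied from the report above.

```python
from collections import Counter

# Lines copied from the Dr.Web CureIt report posted above; the real DrWeb.csv has the
# same shape: file;directory;detection name;action taken;
REPORT = r"""
vremover.exe;C:\data storage\software;Program.AnalogProxy;Incurable.Moved.;
ipscan.exe;C:\data storage\software\bart boot cd\PROGRAMS\IPScan;Tool.AngryIpscan;Incurable.Moved.;
winvnc4.exe;C:\data storage\software\bart boot cd\PROGRAMS\vncserver;Program.RemoteAdmin;Incurable.Moved.;
Process.exe;C:\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
Sample.dll;C:\Program Files\Rightload\plugins;Trojan.DownLoader.origin;Incurable.Moved.;
senekamnvaqgrr.sys.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers;BackDoor.Tdss.57;Deleted.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Moved.;
xihahcck.dll;C:\WINDOWS\system32;Trojan.DownLoad.28016;Deleted.;
"""

# Dr.Web's name prefixes: Trojan./BackDoor. are malware; Tool./Program. cover dual-use
# and potentially unwanted software (VNC, port scanners, process killers) that a
# technician may own on purpose. This mapping is an assumption made for the triage.
SEVERITY = {"BackDoor": "malware", "Trojan": "malware", "Tool": "dual-use", "Program": "dual-use"}


def parse_report(text):
    """Turn the semicolon-separated report into a list of dicts, one per finding."""
    entries = []
    for line in text.splitlines():
        fields = line.strip().rstrip(";").split(";")
        if len(fields) != 4:
            continue  # blank line or something not in the 4-field format
        name, directory, detection, action = fields
        family = detection.split(".")[0]
        entries.append({
            "file": name,
            "dir": directory,
            "detection": detection,
            "action": action.rstrip("."),  # "Incurable.Moved." -> "Incurable.Moved"
            "severity": SEVERITY.get(family, "unknown"),
            # C:\Qoobox\Quarantine is ComboFix's quarantine: already neutralised earlier
            "in_quarantine": "\\quarantine\\" in directory.lower(),
            "in_system_dir": directory.lower().startswith("c:\\windows"),
        })
    return entries


def triage(entries):
    """Group findings by what an analyst needs to look at first."""
    return {
        "malware_live": [e for e in entries if e["severity"] == "malware" and not e["in_quarantine"]],
        "malware_quarantined_already": [e for e in entries if e["severity"] == "malware" and e["in_quarantine"]],
        "dual_use_in_system_dir": [e for e in entries if e["severity"] == "dual-use" and e["in_system_dir"]],
        "dual_use_elsewhere": [e for e in entries if e["severity"] == "dual-use" and not e["in_system_dir"]],
        "actions": Counter(e["action"] for e in entries),
    }


if __name__ == "__main__":
    summary = triage(parse_report(REPORT))
    for bucket, items in summary.items():
        if bucket == "actions":
            print("actions:", dict(items))
            continue
        print(f"{bucket} ({len(items)}):")
        for e in items:
            print(f"  {e['detection']:28} {e['dir']}\\{e['file']}")
```

On the excerpt this puts Sample.dll and xihahcck.dll in the "look at now" bucket, the TDSS driver in "already quarantined", and singles out the one Process.exe that sits in C:\WINDOWS\system32 rather than in a SmitfraudFix folder, which is the copy worth asking about.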

ok, here's the full update

took the PC out of the network and ran the UBCD on it

the following was performed

ran a-squared FULL SCAN, removed several low priority threats

ran full scan using AntiVir, no problems found

checked several things using ezpcfix (no problems found)

after reboot Malwarebytes software STILL WILL NOT LOAD

HijackThis will work if using an older file, however the newer install will not launch; I suspect I just might have some corrupt installs though (wishful thinking?)

not sure where we go from here; a test of TEN consecutive clicks off of Google results brings me to the pages requested, so I am not sure if that demon is still lurking

maybe whatever this was is gone, I will await further instructions (FYI, I am a tech as stated, but I never saw something riddle so fast through a system; I know that we get security updates every day and they are getting smarter at virus and spyware malware placements, but this thing was vicious.)

I do appreciate all the help from this forum!

HIJACKTHIS LOG (most current)

Logfile of HijackThis v1.99.1
Scan saved at 4:09:22, on 02/16/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\data storage\software\AV-removal\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ZTEK.corp
O17 - HKLM\Software\..\Telephony: DomainName = ZTEK.corp
O17 - HKLM\System\CCS\Services\Tcpip\..\{1414EC86-24E2-4125-A830-017786A7F9EF}: NameServer = 192.168.1.2,4.2.2.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{29BBAE27-D70B-4D9A-B104-2D8D9C8D4D82}: NameServer = 4.2.2.2,192.168.1.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{5DBB5200-8BB1-44A5-B336-66359E0A8B71}: NameServer = 4.2.2.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ZTEK.corp
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ZTEK.corp
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ZTEK.corp
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = ZTEK.corp
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: Domain = ZTEK.corp
O17 - HKLM\System\CS6\Services\Tcpip\Parameters: Domain = ZTEK.corp
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE


  • Root Admin

Please use the Ultimate Boot CD again and do a DISK CHECK of that drive.

CHKDSK C: /F /V

Then disable (remove if you have to) your Anti-Virus so it does not disable or interrupt the running of Combofix.

Then delete any copy of Combofix you have on the system and download a NEW fresh copy and run it.

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

  • 2 weeks later...

hi there

sorry for the long delay in my reply

here is the status of the system at this time

I have run the UMBCD or whatever and done several checkdisks, all come back normal

I was told about a program we have started using to clean customers' PCs from a tech the other day and attempted to run it on my infected PC; this program is called "superantispyware". After a 3 hour scan it found 70 or so infections including the now famous vundo malware variant, several variants to be exact.

I used this program to clean the system, thinking my problems were over; however they are not. I do feel that we are MUCH closer to the end though; if this PC didn't have so much sensitive stuff on it a format would have been easier I suppose, and we might still end up doing that as well

as of now this is the state of the PC

1. when logging into the PC from a full restart, the PC will login to the wallpaper sometimes and just freeze; the PC doesn't lock up, but nothing can make it go further short of a reboot, and sometimes it will lock when at the login (we use the advanced login, not the welcome screen, as we are on a domain). It will take between 4-7 times force booting the PC to login successfully. I did notice however that if I login as a user on the computer and NOT the domain it will log right into the desktop, and once I logoff sometimes I can log back in under the domain user right away, but this is hit or miss, so something still lurks in the system causing it to hang on boot/login

I have noticed that while not gone completely, the "hijack" sending my Firefox search results to ad pages has lessened; a quick way around this to use the PC in the past few days is to use the "cached results" in Google. Whatever this infection is, it goes to a page with something like the following link in it "http://clickfraudmanager.com/check.php?t=59a782db8948b2de2addbd1819a57161&q=test+results&p=ff&a=998&s=3&e=google&v=icv270109ff&f=income&b=0.0136&u=http%3A%2F%2Ft.websearchmaster.net%2F%3Fd%3DrAbIypaBf8bBEE8V6DBXbuipDruWNty9Z7zvXRttgNz98iNailmYN8hFen21KK1czhsuSjt0-7KdUA5x6iuFskGAja8SfS9NHFVSNNqbjRC-v_KjjYX0c7SAV8Z9itYY5JKOjVmYNJN4vfpSuOOECSKvtuCD_lxOVNnJrHSENtg4xDZ5LuvLyktvOtC-X36Mo2U3LGNI8-N_UCY8Gerg2FB9cpjEX8q7q_0GMltnDpnKMuekBNMqkUZgDPGWUR9OVvNihB2qfk2QaSxbRUIBtJgWuNaWZ-BB7YCpoF9SfvbK0UQ1jIChZg7lOqSjfzHAJ-cV9_dDPx45ld1FVqIyoqm5hCJZn6kJ8AR9y0Hr3yvsjGZh0RuJUSR61jDG2GhOo_2Qcod3o-xwz_J2ZNuYqW7TLmAhCenbuRvJh88p3rOGyA2wX5D31FKb81H2TZhG0wHvNzP-6qD3r_SFFplQ0p2n0AFos3uObSr5tm7bBcGEfusiTY2Xt0itbEy2pkCP1T0Mw2rAN2sndlS6Xvj2vaf9gQpfMU4ZaecjKTqGwog6aUH3s18dCKWDCnb8rq0iPGvsgAOEmc-xP2MU-bk82ipOgkEH-SYlORIV0WXpXx7B3hoImpKDFkbHF6CiU8wcQ_V165fl8BobOhca4yJvnUSYkLXy-Qqjz3JbameGRhr6ADM1qxFey5JK-TlqH5cTteTxe_inXzsfNFBsJR3iflP_lMCc6-ftBdag-yJg-4mixUdvCMl0vCOWI3zjCB3Syl9QC2H0Xkv4ybMvoq4pJG4_Mp6xgaH80BCcf0qynhwwUgkwieiAc5cGxeo2u0qOuwAuTDZp0kaGyr4NksBr-hOfy4G_eTXiXfHN-a3utNick_14sEUKYvEGfK9bkHKFPUsSmfrj5Zen7wL4HJBuHZRD2sj0GjeGMaWniAczwBg6S7ZznM5DlFpBX7d25UKcLhc3aW2M7qwp7gSat7aKzsRVArKH8zykYld52r5u0RgPxcEvMvRiV_zZTUJlbD6UVSFyfTONSYHFZ--uh9B9UBr8wzX0qvCwzpCbvXrwgPNkdryrgKlHvMQA_IptJIntguYk2kyPDk0ibU0JB4ejZaKzagl0GMjrok3mmG5G14CvqiRDnh1HKEee-JccEnbYUPeYxpwvhKZnaaVSbuWPeH27-2W3oC8Fg_UquiYL1cAPJAA9zIEcR5s75tzwqMF82Mu6xCFUkdaARu7ajl57nEtUZ-tnmx_O5DTw6ADzygnldY99fQbkrC1cfr8SZouASQV4i0Usledkbb_fgbrW6d5G2tOU7WNAIQHgx9jH6JZBEyzEOaV_y1ZMEwSzcqq8i8c-te2IrFA3qRHi_sUv-Dd9HJXTNwB7mI5uEaA_CbIh0S_zuh6fdBGEv5UL9iBraCsQH2m2fzEatEogs5D--EZ2Yue88TGYKsqlaI13T69vvqgcsX-e67EuB3ngLe3Gu3pOkElTI4AkuyTCf3CmAW75w_cfJuBIiS93Cb26IzCCaAJoA7WIMkD88wK-BYsGCCmzHg-sOQXZOab9KuN10z7KT12Ef0iTspREsojwxinolCoMS7Acr7YJy_GEJVvDuVh8wfU_iwm3E_CvUj1--oC4elQ8PrlslCm9sfQ3P76Ljpl1pMpNuR1TdKZPkBaK-Ep_686ZpZnTiJokrpNlB6N2Ko65FAZV0ymOZjkTNWDpXdzFkkmYDfkv-O_XOPAW---AwDhZGRkYwR5Av4kZGpiLl5jnUN%2Fp3jlAmt4sQA8AwNjsUEyp3DtpzImqJk0p3jkZQR4AGS8AKjkZQLjAwR1sQD5LGp0MzR0sQH4AGH1MQN0sQO8ZGSvMTDlBQM8ATAvZmtkBGA8nUIhqUAjnKWcqP5cozMi---f51351c31970&rf=http://huntspirit.info/?qa=test+result"

as you can see it is clearly a hijack (and the people who invented this thing should be sodomized with a hot poker, what a bunch of wasted human beings they must be). Sorry, the frustration of not being allowed to join the domain till this is solved is getting to me.

I have also tried to launch Malwarebytes, even deleting the old copies and saving it to the DESKTOP as requested; it does install but when executed it simply kills the process and the program never starts, same with the new version of HijackThis; the older HJT version I have still works though.

I also had some problems with the time display but one of the apps you recommended fixed that as well

Finally, although annoying but not crucial, one other thing I noticed is that no matter how many times I restart, upon reboot WHEN I can get back in the msconfig comes up, and when I close it it tells me to restart to make changes; since I didn't change anything between those reboots it shouldn't do that!

So that's where we are at; sorry for the delay, awaiting your next advice. FYI, most current HJT log below

****************************

Logfile of HijackThis v1.99.1
Scan saved at 9:32:02 PM, on 02/26/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\DellTPad\Apoint.exe
C:\WINDOWS\OEM02Mon.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\Apntex.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\dell\drivers\R174291\wltray.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\mstsc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\LightZone 3\LightZone.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\data storage\software\AV-removal\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\WINDOWS\OEM02Mon.exe
O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\c2c8aca3-b0b5-4af9-aaaa-403e4fc1278d.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ZTEK.corp
O17 - HKLM\Software\..\Telephony: DomainName = ZTEK.corp
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E8290C2-400F-4312-96E0-35667CE879F7}: NameServer = 192.168.1.1,4.2.2.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{1414EC86-24E2-4125-A830-017786A7F9EF}: NameServer = 192.168.1.2,4.2.2.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{29BBAE27-D70B-4D9A-B104-2D8D9C8D4D82}: NameServer = 4.2.2.2,192.168.1.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ZTEK.corp
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ZTEK.corp
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ZTEK.corp
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = ZTEK.corp
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: Domain = ZTEK.corp
O17 - HKLM\System\CS6\Services\Tcpip\Parameters: Domain = ZTEK.corp
O17 - HKLM\System\CS7\Services\Tcpip\Parameters: Domain = ZTEK.corp
O17 - HKLM\System\CS8\Services\Tcpip\Parameters: Domain = ZTEK.corp
O17 - HKLM\System\CS9\Services\Tcpip\Parameters: Domain = ZTEK.corp
O17 - HKLM\System\CS10\Services\Tcpip\Parameters: Domain = ZTEK.corp
O17 - HKLM\System\CS11\Services\Tcpip\Parameters: Domain = ZTEK.corp
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

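HijackThis reports DNS and domain settings under O17, which is where malware that rewrites a machine's resolvers shows up. Every NameServer entry in the logs posted in this thread points at 192.168.1.1, 192.168.1.2 or 4.2.2.2, so a changed resolver is not what is redirecting Firefox here, but checking that mechanically is how an analyst rules it out rather than eyeballing it. The script below is an added example, not HijackThis code and not from anyone in the thread: it parses O4 and O17 lines, compares resolvers against an expected set (an assumption taken from the posted logs; in practice the network admin supplies it) and lists autoruns whose binary lives outside Program Files or the Windows directory. The sample contains two constructed lines, marked in the code, so that both checks have something to flag.

```python
import re

# Lines copied from the HijackThis log posted above, plus two constructed lines so the
# checks below have something to flag: an O4 entry launching from the user's Temp
# folder, and an O17 entry (all-zero interface GUID) naming 203.0.113.5, an address
# from the RFC 5737 documentation range, as a resolver.
HJT_LOG = r"""
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\c2c8aca3-b0b5-4af9-aaaa-403e4fc1278d.exe
O4 - HKCU\..\Run: [example-updater] C:\Documents and Settings\administrator.ZTEKCORP\Local Settings\Temp\example-updater.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ZTEK.corp
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E8290C2-400F-4312-96E0-35667CE879F7}: NameServer = 192.168.1.1,4.2.2.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{1414EC86-24E2-4125-A830-017786A7F9EF}: NameServer = 192.168.1.2,4.2.2.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{29BBAE27-D70B-4D9A-B104-2D8D9C8D4D82}: NameServer = 4.2.2.2,192.168.1.2
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ZTEK.corp
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 203.0.113.5,4.2.2.2
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

# Resolvers this network is expected to use. Assumed from the addresses that recur in
# the posted logs (two LAN hosts and 4.2.2.2); normally the network admin supplies this.
EXPECTED_RESOLVERS = {"192.168.1.1", "192.168.1.2", "4.2.2.2"}

O4_RUN = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O17_NS = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>[\d.,]+)$")
O17_DOMAIN = re.compile(r"^O17 - (?P<key>\S+): Domain(?:Name)? = (?P<domain>\S+)$")


def parse_hjt(text):
    """Pull the autorun (O4) and DNS/domain (O17) entries out of a HijackThis log."""
    found = {"autoruns": [], "nameservers": [], "domains": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := O4_RUN.match(line):
            found["autoruns"].append((m["hive"], m["name"], m["cmd"]))
        elif m := O17_NS.match(line):
            found["nameservers"].append((m["key"], m["servers"].split(",")))
        elif m := O17_DOMAIN.match(line):
            found["domains"].append((m["key"], m["domain"]))
    return found


def unexpected_resolvers(found, expected=EXPECTED_RESOLVERS):
    """(registry key, resolver) pairs that name a DNS server outside the expected set."""
    return [(key, ip) for key, ips in found["nameservers"] for ip in ips if ip not in expected]


def autoruns_outside_program_dirs(found):
    """Autoruns whose binary is not under Program Files or the Windows directory."""
    ok_prefixes = ("c:\\program files\\", "c:\\windows\\")
    return [(name, cmd) for _hive, name, cmd in found["autoruns"]
            if not cmd.strip('"').lower().startswith(ok_prefixes)]


if __name__ == "__main__":
    found = parse_hjt(HJT_LOG)
    for key, ips in found["nameservers"]:
        print(f"{key}: {','.join(ips)}")
    print("unexpected resolvers:", unexpected_resolvers(found))
    print("autoruns outside program dirs:", autoruns_outside_program_dirs(found))
```

Two caveats an analyst would keep in mind: a binary outside Program Files is only a prompt to look closer (SUPERAntiSpyware's randomly named executable under Program Files is legitimate, and plenty of malware installs under Program Files too), and the CS1..CS11 Domain lines are the same setting stored in Windows' backup control sets, not eleven separate findings.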

  • Root Admin

Okay please try to run Combofix again. Delete combofix.exe and download a new fresh one.

Rename it if you have to, start in safe mode if you have to, but it is best to try in normal mode if you can.

Maybe try renaming it a few times and see.

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

So here is where we are at last

I attempted to run ComboFix under normal mode (even tried renaming the file several times) with no luck whatsoever.

I loaded safe mode and ComboFix loaded up no problem; it immediately detected rootkit activity

I let ComboFix reboot the PC and it tried to run a disk check which I let go through; it then rebooted and tried to run it again. After the 2nd time of the disk check running it attempted to load Windows and blue screened (I could not get the error as it was rebooting too fast). I intervened with it manually and after it ran one more disk check I tried to load Windows using "last known good"

ComboFix tried to prepare a log but froze and halted in the process; I manually restarted the PC and ran ComboFix once more, this generated the log after some time

I am awaiting further advice, and thanks again!

*************************************

ComboFix 09-02-27.02 - Administrator 2009-02-27 22:43:24.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3574.3164 [GMT -5:00]
Running from: c:\documents and settings\administrator.ZTEKCORP\Desktop\wtf.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\drivers\UACcrxwaosd.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\NmnTwGgh.ini
c:\windows\system32\NmnTwGgh.ini2
c:\windows\system32\nTssDcdd.ini
c:\windows\system32\nTssDcdd.ini2
c:\windows\system32\o4Patch.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\UACbdtgwqln.dll
c:\windows\system32\UAChhiacuau.dll
c:\windows\system32\UACkjmtuamd.dat
c:\windows\system32\UACoylmnult.log
c:\windows\system32\UACqabnkotp.log
c:\windows\system32\UACqmueeykr.dll
c:\windows\system32\UACxppjuwvn.dll
c:\windows\system32\UACyiulagux.log
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_UACd.sys
-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-01-28 to 2009-02-28 )))))))))))))))))))))))))))))))
.
2009-02-26 18:58 . 2009-02-26 19:16 <DIR> d-------- c:\documents and settings\administrator.ZTEKCORP\Application Data\vlc
2009-02-26 16:53 . 2009-02-26 16:53 <DIR> d-------- c:\program files\FreshDevices
2009-02-26 13:49 . 2009-02-26 13:49 <DIR> d-------- c:\program files\CONEXANT
2009-02-26 13:49 . 2007-08-02 17:35 989,952 -ra------ c:\windows\system32\drivers\HSF_DPV.sys
2009-02-26 13:49 . 2007-08-02 17:34 731,136 -ra------ c:\windows\system32\drivers\HSF_CNXT.sys
2009-02-26 13:49 . 2007-07-24 15:08 217,088 -ra------ c:\windows\system32\UCI32M21.dll
2009-02-26 13:49 . 2007-08-02 17:34 211,200 -ra------ c:\windows\system32\drivers\HSFHWAZL.sys
2009-02-26 13:49 . 2007-09-06 14:04 143,891 --a------ c:\windows\system32\drivers\del1028.cty
2009-02-26 12:54 . 2009-02-26 12:54 <DIR> d-------- C:\usbdriver
2009-02-26 00:07 . 2009-02-26 00:07 <DIR> d-------- c:\program files\Broadcom
2009-02-23 23:33 . 2008-02-15 19:45 172,032 --a------ c:\windows\system32\igfxres.dll
2009-02-23 22:59 . 2001-08-23 09:00 1,875,968 --a--c--- c:\windows\system32\dllcache\msir3jp.lex
2009-02-23 22:58 . 2001-08-23 09:00 13,463,552 --a--c--- c:\windows\system32\dllcache\hwxjpn.dll
2009-02-23 22:57 . 2004-05-13 00:39 876,653 --a--c--- c:\windows\system32\dllcache\fp4awel.dll
2009-02-23 22:55 . 2009-02-23 22:55 749 -rah----- c:\windows\WindowsShell.Manifest
2009-02-23 22:55 . 2009-02-23 22:55 749 -rah----- c:\windows\system32\wuaucpl.cpl.manifest
2009-02-23 22:55 . 2009-02-23 22:55 749 -rah----- c:\windows\system32\sapi.cpl.manifest
2009-02-23 22:55 . 2009-02-23 22:55 749 -rah----- c:\windows\system32\nwc.cpl.manifest
2009-02-23 22:55 . 2009-02-23 22:55 749 -rah----- c:\windows\system32\ncpa.cpl.manifest
2009-02-23 22:55 . 2009-02-23 22:55 488 -rah----- c:\windows\system32\logonui.exe.manifest

2009-02-23 22:03 . 2004-08-03 20:57 1,086,058 -ra------ c:\windows\SET69.tmp

2009-02-23 22:03 . 2004-08-03 21:03 1,042,903 -ra------ c:\windows\SET65.tmp

2009-02-23 22:03 . 2004-08-03 20:58 13,753 -ra------ c:\windows\SET77.tmp

2009-02-23 03:10 . 2009-02-23 03:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-02-23 02:25 . 2009-02-23 21:29 <DIR> d-------- c:\program files\SUPERAntiSpyware

2009-02-23 02:25 . 2009-02-23 02:25 <DIR> d-------- c:\documents and settings\administrator.ZTEKCORP\Application Data\SUPERAntiSpyware.com

2009-02-18 20:35 . 2009-02-18 22:52 <DIR> d-------- C:\DSC-BAK

2009-02-16 12:16 . 2009-02-16 12:54 <DIR> d-------- C:\UBCD4Win

2009-02-16 11:48 . 2009-02-16 11:54 <DIR> d-------- C:\XPCDSP2

2009-02-16 01:15 . 2009-01-29 10:25 64,959,349 --a------ C:\DSC-NCR-SUGARLOAF-WWWWEEK-JAN28-29090456-0456.MPG

2009-02-15 22:31 . 2009-02-15 22:31 95,869 --a------ C:\kdk_0150.jpg

2009-02-15 18:05 . 2009-02-15 18:50 <DIR> d-------- c:\documents and settings\administrator.ZTEKCORP\DoctorWeb

2009-02-15 13:46 . 2008-12-17 01:00 768,024 --a------ c:\windows\system32\drivers\lvrs.sys

2009-02-15 13:46 . 2008-12-17 00:55 195,096 --a------ c:\windows\system32\lvci11901262.dll

2009-02-15 13:34 . 2009-02-15 13:47 <DIR> d-------- c:\program files\Common Files\LogiShrd

2009-02-15 13:34 . 2008-12-17 00:53 2,686,104 --a------ c:\windows\system32\drivers\LV302V32.SYS

2009-02-15 13:34 . 2008-12-17 01:00 494,104 --a------ c:\windows\system32\LVUI2.dll

2009-02-15 13:34 . 2008-12-17 01:01 432,664 --a------ c:\windows\system32\LVUI2RC.dll

2009-02-15 13:34 . 2008-12-17 00:55 416,280 --a------ c:\windows\system32\lvcodec2.dll

2009-02-15 13:34 . 2007-10-11 20:57 195,096 --a------ c:\windows\system32\lvci1150.dll

2009-02-15 13:34 . 2008-12-17 00:37 81,110 --a------ c:\windows\system32\lvcoinst.ini

2009-02-15 13:34 . 2008-12-17 01:01 41,752 --a------ c:\windows\system32\drivers\LVUSBSta.sys

2009-02-15 13:34 . 2008-12-17 00:37 29,562 --a------ c:\windows\system32\Repository.reg

2009-02-15 13:34 . 2008-12-17 00:53 13,848 --a------ c:\windows\system32\drivers\lv302af.sys

2009-02-14 23:07 . 2009-02-26 20:05 <DIR> d-------- C:\lzscratch

2009-02-14 00:08 . 2009-02-14 00:08 76 -rahs---- c:\windows\CT4CET.bin

2009-02-14 00:07 . 2009-02-14 00:08 <DIR> d-------- c:\program files\Creative

2009-02-14 00:07 . 2007-02-14 12:27 5,627,904 --a------ c:\windows\system32\LiveCamVirtual.ocx

2009-02-13 19:17 . 2009-02-13 19:17 <DIR> d-------- c:\program files\R-Studio

2009-02-13 17:39 . 2007-05-10 10:23 4,952,064 --a------ c:\windows\system32\stacgui.cpl

2009-02-13 17:39 . 2007-04-10 17:02 1,601,536 --a------ c:\windows\system32\stlang.dll

2009-02-13 17:39 . 2007-05-10 10:22 405,504 --a------ c:\windows\stsystra.exe

2009-02-13 17:32 . 2007-05-10 10:23 270,336 --a------ c:\windows\system32\stacapi.dll

2009-02-13 16:40 . 2004-08-03 20:57 1,086,058 -ra------ c:\windows\SET57.tmp

2009-02-13 16:40 . 2004-08-03 21:03 1,042,903 -ra------ c:\windows\SET52.tmp

2009-02-13 16:40 . 2004-08-03 20:58 13,753 -ra------ c:\windows\SET68.tmp

2009-02-13 16:25 . 2004-08-03 20:57 1,086,058 -ra------ c:\windows\SET55.tmp

2009-02-13 16:25 . 2004-08-03 21:03 1,042,903 -ra------ c:\windows\SET51.tmp

2009-02-13 16:25 . 2004-08-03 20:58 13,753 -ra------ c:\windows\SET63.tmp

2009-02-13 13:43 . 2004-08-03 20:57 1,086,058 -ra------ c:\windows\SET54.tmp

2009-02-13 13:43 . 2004-08-03 21:03 1,042,903 -ra------ c:\windows\SET50.tmp

2009-02-13 13:43 . 2004-08-03 20:58 13,753 -ra------ c:\windows\SET60.tmp

2009-02-13 13:21 . 2004-08-03 20:57 1,086,058 -ra------ c:\windows\SET56.tmp

2009-02-13 13:21 . 2004-08-03 21:03 1,042,903 -ra------ c:\windows\SET53.tmp

2009-02-13 13:21 . 2004-08-03 20:58 13,753 -ra------ c:\windows\SET62.tmp

2009-02-13 13:20 . 2009-02-13 13:20 <DIR> d---s---- c:\windows\system32\config\systemprofile\History

2009-02-13 13:01 . 2009-02-13 13:01 <DIR> d-------- c:\documents and settings\administrator.ZTEKCORP\Shared

2009-02-13 13:01 . 2009-02-13 13:01 <DIR> d-------- c:\documents and settings\administrator.ZTEKCORP\.etomipro

2009-02-13 12:33 . 2009-02-13 12:33 288 --a------ c:\windows\_delis32.ini

2009-02-13 12:25 . 2009-02-13 12:33 <DIR> d-------- c:\program files\Common Files\Logitech

2009-02-13 11:57 . 2009-02-15 13:46 <DIR> d-------- c:\program files\Logitech

2009-02-11 00:59 . 2009-02-16 09:56 <DIR> d-------- C:\SmitfraudFix

2009-02-10 16:35 . 2009-02-10 16:35 5,365 --a------ c:\windows\system32\uacinit.dll

2009-02-10 16:34 . 2009-02-10 16:34 40,448 --a------ C:\pfgiuuo.exe

2009-02-10 16:34 . 2009-02-10 16:34 2 --a------ C:\140099117

2009-02-10 00:04 . 2009-02-10 00:04 <DIR> d-------- c:\program files\interMute

2009-02-10 00:04 . 2009-02-10 00:04 2,150 --a------ c:\windows\system32\ssmute.ini

2009-02-09 23:40 . 2009-02-09 23:40 <DIR> d-------- C:\Arrakis

2009-02-09 23:39 . 1999-12-17 10:13 86,016 --a------ c:\windows\unvise32.exe

2009-02-09 23:23 . 2009-02-09 23:23 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)

2009-02-09 23:23 . 2009-02-09 23:23 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)

2009-02-09 23:23 . 2009-02-09 23:23 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)

2009-02-09 23:23 . 2009-02-09 23:23 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)

2009-02-09 23:21 . 2009-02-26 18:53 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-02-09 23:21 . 2009-02-26 18:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-02-09 20:04 . 2009-02-09 22:15 <DIR> d-------- c:\program files\Open Adder1

2009-02-09 16:47 . 2009-02-27 22:47 1,476 --a------ c:\windows\zdickxvv

2009-02-09 16:36 . 2009-02-09 16:47 <DIR> d-------- c:\program files\Sickest Adder v2.1

2009-02-09 15:46 . 2009-02-09 16:48 <DIR> d-------- c:\program files\Drastic Promo

2009-02-09 13:50 . 2009-02-09 16:48 <DIR> d-------- c:\program files\Open Adder

2009-02-09 13:50 . 2000-07-15 00:00 101,888 --a------ c:\windows\system32\VB6STKIT.DLL

2009-02-07 01:00 . 2009-02-08 16:51 0 --a------ C:\huff_value.dat

2009-02-05 18:54 . 2009-02-05 18:54 320,967 --a------ C:\DSC-SNOWMBLE-LOOPTRIP-JAN22090121_lzn.jpg

2009-02-05 18:53 . 2009-01-22 16:24 2,925,853 --a------ C:\DSC-SNOWMBLE-LOOPTRIP-JAN22090121-0121.JPG

2009-02-05 12:52 . 2009-01-19 14:10 186,105,851 --a------ C:\DSC-SADDLEBCK-MLKDAYSKI-JAN19090165-0165.MPG

2009-02-05 12:42 . 2009-02-05 12:42 <DIR> d-------- c:\windows\system32\vmm32

2009-02-05 12:17 . 2009-02-05 13:17 <DIR> d-------- c:\program files\nLite

2009-02-05 11:58 . 2009-02-05 12:35 <DIR> d-------- c:\program files\Intel

2009-02-04 17:39 . 2007-05-06 17:11 144,896 --a------ c:\windows\system32\staco.dll

2009-02-04 17:38 . 2009-02-04 17:38 <DIR> d-------- c:\program files\SigmaTel

2009-02-04 17:35 . 2009-02-04 17:35 <DIR> d-------- c:\program files\DIFX

2009-02-04 17:34 . 2009-02-04 17:34 <DIR> d-------- C:\dell

2009-02-04 17:01 . 2004-08-03 19:56 214,528 --a--c--- c:\windows\system32\dllcache\icwconn1.exe

2009-02-04 17:01 . 2004-08-03 19:56 86,016 --a--c--- c:\windows\system32\dllcache\icwconn2.exe

2009-02-04 17:01 . 2004-08-03 19:56 32,768 --a--c--- c:\windows\system32\dllcache\icwdl.dll

2009-02-04 17:01 . 2004-08-03 19:56 20,480 --a--c--- c:\windows\system32\dllcache\inetwiz.exe

2009-02-04 17:01 . 2001-08-23 09:00 16,384 --a--c--- c:\windows\system32\dllcache\isignup.exe

2009-02-04 16:50 . 2009-02-15 13:45 1,374 --a------ c:\windows\imsins.BAK

2009-02-04 16:49 . 2004-08-03 20:57 1,086,058 -ra------ c:\windows\SET64.tmp

2009-02-04 16:49 . 2004-08-03 21:03 1,042,903 -ra------ c:\windows\SET61.tmp

2009-02-04 16:49 . 2004-08-03 20:58 13,753 -ra------ c:\windows\SET70.tmp

2009-02-04 15:55 . 2009-02-04 15:55 <DIR> d-------- c:\documents and settings\adminoverride\Application Data\Canneverbe_Limited

2009-02-04 15:54 . 2009-02-04 15:54 <DIR> d-------- c:\documents and settings\adminoverride\Application Data\vlc

2009-02-04 15:50 . 2009-02-04 15:50 <DIR> d-------- c:\documents and settings\adminoverride\Application Data\VMware

2009-02-04 15:50 . 2009-02-04 15:50 <DIR> d-------- c:\documents and settings\adminoverride\Application Data\tmp

2009-02-04 15:50 . 2009-02-04 15:50 <DIR> d-------- c:\documents and settings\adminoverride\Application Data\Reallusion

2009-02-04 15:50 . 2009-02-04 15:50 <DIR> d-------- c:\documents and settings\adminoverride

2009-02-04 11:40 . 2009-02-23 08:44 2,145,386,496 --a------ c:\windows\MEMORY.DMP

2009-02-02 22:11 . 2009-02-07 00:40 1,048 --a------ c:\windows\aeditor.INI

2009-02-02 21:05 . 2009-02-07 00:40 862 --a------ c:\windows\ULEAD32.INI

2009-02-02 20:50 . 2009-02-02 20:50 <DIR> d-------- c:\documents and settings\administrator.ZTEKCORP\Application Data\Ulead Systems

2009-02-02 20:33 . 2009-02-02 20:33 <DIR> d-------- c:\program files\SmartSound Software

2009-02-02 20:33 . 2009-02-02 20:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\SmartSound Software Inc

2009-02-02 20:32 . 2009-02-02 21:11 <DIR> d-------- C:\MSP8 Preview Files

2009-02-02 20:32 . 2009-02-02 20:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\QuickTime

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-28 04:11 --------- d-----w c:\documents and settings\administrator.ZTEKCORP\Application Data\VMware

2009-02-26 23:52 --------- d-----w c:\program files\BigSpeed Zipper

2009-02-24 04:33 --------- d-----w c:\documents and settings\Administrator\Application Data\VMware

2009-02-23 07:25 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-02-16 03:52 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!

2009-02-15 18:46 --------- d-----w c:\documents and settings\All Users\Application Data\Logishrd

2009-02-14 05:07 --------- d--h--w c:\program files\InstallShield Installation Information

2009-02-14 05:07 --------- d-----w c:\program files\DELL

2009-02-14 05:07 --------- d-----w c:\program files\Creative Live! Cam

2009-02-13 16:54 --------- d-----w c:\program files\Pcsx2_0.9.4

2009-02-11 06:39 --------- d-----w c:\program files\DAEMON Tools

2009-02-10 22:45 --------- d-----w c:\program files\Blaze Media Pro

2009-02-09 22:11 --------- d-----w c:\program files\ESET

2009-02-05 16:32 --------- d-----w c:\documents and settings\administrator.ZTEKCORP\Application Data\TeamViewer

2009-02-03 22:59 --------- d-----w c:\program files\Piolet

2009-02-03 22:32 --------- d-----w c:\documents and settings\LocalService\Application Data\VMware

2009-02-03 22:32 --------- d-----w c:\documents and settings\All Users\Application Data\VMware

2009-01-28 04:52 --------- d-----w c:\program files\Avid

2009-01-27 21:06 --------- d-----w c:\program files\Common Files\Avid

2009-01-27 21:06 --------- d-----w c:\program files\AviSynth 2.5

2009-01-27 14:20 --------- d-----w c:\documents and settings\All Users\Application Data\Avid

2009-01-27 14:20 --------- d-----w c:\documents and settings\administrator.ZTEKCORP\Application Data\Avid

2009-01-27 10:57 --------- d-----w c:\program files\Common Files\Digidesign

2009-01-27 10:54 --------- d-----w c:\program files\Common Files\PACE Anti-Piracy

2009-01-27 10:54 --------- d-----w c:\documents and settings\All Users\Application Data\PACE Anti-Piracy

2009-01-27 10:54 --------- d-----w c:\documents and settings\administrator.ZTEKCORP\Application Data\PACE Anti-Piracy

2009-01-27 10:53 --------- d-----w c:\program files\SafeNet Sentinel

2009-01-27 10:53 --------- d-----w c:\program files\InterLok

2009-01-27 10:53 --------- d-----w c:\program files\Digidesign

2009-01-27 10:53 --------- d-----w c:\program files\Common Files\SafeNet Sentinel

2009-01-27 10:53 --------- d-----w c:\documents and settings\administrator.ZTEKCORP\Application Data\InstallShield

2009-01-27 06:10 --------- dc-h--w c:\documents and settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}

2009-01-27 04:30 --------- d-----w c:\documents and settings\administrator.ZTEKCORP\Application Data\.BitTornado

2009-01-24 02:12 --------- d-----w c:\documents and settings\administrator.ZTEKCORP\Application Data\dvdcss

2009-01-23 17:36 --------- d-----w c:\program files\Red Kawa

2009-01-23 14:53 --------- d-----w c:\program files\TeamViewer

2009-01-23 04:58 --------- d-----w c:\program files\TightVNC

2009-01-18 15:52 --------- d-----w c:\documents and settings\administrator.ZTEKCORP\Application Data\AdobeUM

2009-01-06 04:22 --------- d-----w c:\documents and settings\administrator.ZTEKCORP\Application Data\LightZone

2009-01-06 01:40 --------- d-----w c:\program files\LightZone 3

2009-01-06 01:40 --------- d-----w c:\program files\Common Files\eSellerate

2008-10-17 18:52 47,360 ----a-w c:\documents and settings\administrator.ZTEKCORP\Application Data\pcouffin.sys

2006-06-16 01:33 233,472 ----a-w c:\program files\mozilla firefox\plugins\CrazyTalk4Native.dll

2006-05-25 23:43 204,895 ----a-w c:\program files\mozilla firefox\plugins\ctdomemhelper.dll

2005-09-29 19:41 77,824 ----a-w c:\program files\mozilla firefox\plugins\ctframeplayerobject.dll

2006-06-19 18:10 426,081 ----a-w c:\program files\mozilla firefox\plugins\ctplayerobject.dll

2005-02-02 17:19 458,752 ----a-w c:\program files\mozilla firefox\plugins\imagickrt.dll

2006-04-10 23:35 139,264 ----a-w c:\program files\mozilla firefox\plugins\rlcontentclass.dll

2005-11-09 16:10 204,800 ----a-w c:\program files\mozilla firefox\plugins\RLMusicPacker.dll

2005-11-09 16:42 106,496 ----a-w c:\program files\mozilla firefox\plugins\RLMusicUnpacker.dll

2006-01-04 16:22 212,992 ----a-w c:\program files\mozilla firefox\plugins\RLVoicePacker.dll

2006-01-04 16:21 167,936 ----a-w c:\program files\mozilla firefox\plugins\RLVoiceUnpacker.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-02-10_16.35.48.70 )))))))))))))))))))))))))))))))))))))))))

.

- 2007-07-18 23:51:26 90,112 ----a-w c:\windows\CtDrvIns.exe

+ 2007-07-19 00:51:26 90,112 ----a-w c:\windows\CtDrvIns.exe

+ 2009-02-26 05:07:24 3,262 ----a-r c:\windows\Installer\{612B9183-67A9-4B44-9877-2F059E35B86A}\ARPPRODUCTICON.exe

+ 2009-02-15 18:46:20 57,344 ----a-r c:\windows\Installer\{937B232D-9776-471E-92BD-D424E514EF14}\ARPPRODUCTICON.exe

+ 2009-02-15 18:46:20 57,344 ----a-r c:\windows\Installer\{937B232D-9776-471E-92BD-D424E514EF14}\QuickCamDesktopSho_C0678C37AA5341A4BE4781BAF94DE0CC.exe

+ 2009-02-15 18:46:20 57,344 ----a-r c:\windows\Installer\{937B232D-9776-471E-92BD-D424E514EF14}\QuickCamStartMenuS_65895B9BA1A04BCBAB7BF5673B44A0E4.exe

+ 2009-02-23 07:25:26 34,304 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF1.exe

- 1998-10-29 20:45:06 306,688 ----a-w c:\windows\IsUninst.exe

+ 1998-10-29 22:45:06 306,688 ----a-w c:\windows\IsUninst.exe

- 2007-10-11 05:02:00 28,672 ----a-w c:\windows\OEM02Cfg.exe

+ 2007-10-11 06:02:00 28,672 ----a-w c:\windows\OEM02Cfg.exe

- 2007-05-10 05:01:00 36,864 ----a-w c:\windows\OEM02Mon.exe

+ 2007-05-10 06:01:00 36,864 ----a-w c:\windows\OEM02Mon.exe

- 2009-02-04 22:03:49 258,048 ---ha-w c:\windows\repair\ntuser.dat

+ 2009-02-24 03:57:01 3,264,512 ---ha-w c:\windows\repair\ntuser.dat

- 2007-10-30 15:21:10 89,088 ----a-w c:\windows\system32\atl71.dll

+ 2003-03-19 01:05:50 89,088 ----a-w c:\windows\system32\atl71.dll

- 2009-02-10 05:40:14 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-02-28 02:51:20 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-02-24 03:03:01 16,384 ----a-w c:\windows\system32\config\systemprofile\History\History.IE5\index.dat

- 2009-02-10 05:40:14 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-02-28 02:51:20 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-02-13 22:28:01 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009020220090209\index.dat

+ 2009-02-24 04:03:07 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009020920090216\index.dat

+ 2009-02-24 04:03:07 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009022320090224\index.dat

- 2005-07-07 05:07:02 36,864 ----a-w c:\windows\system32\CtCamMgr.dll

+ 2005-07-07 06:07:02 36,864 ----a-w c:\windows\system32\CtCamMgr.dll

- 2006-11-24 22:33:30 811,008 ----a-w c:\windows\system32\cximage.dll

+ 2006-11-24 23:33:30 811,008 ----a-w c:\windows\system32\cximage.dll

- 2008-06-24 11:52:20 32,384 ----a-w c:\windows\system32\drivers\ax88772.sys

+ 2004-10-29 03:22:18 17,920 ----a-w c:\windows\system32\drivers\ax88772.sys

- 2006-11-21 08:25:44 45,568 ----a-r c:\windows\system32\drivers\bcm4sbxp.sys

+ 2006-11-21 09:25:44 45,568 ----a-r c:\windows\system32\drivers\bcm4sbxp.sys

- 2004-08-04 04:08:00 60,288 ----a-w c:\windows\system32\drivers\drmk.sys

+ 2004-08-04 01:05:44 60,288 ----a-w c:\windows\system32\drivers\drmk.sys

+ 2008-12-17 02:50:56 13,584 ----a-w c:\windows\system32\drivers\iKeyLgFT.dll

- 2004-08-04 04:15:22 140,928 ----a-w c:\windows\system32\drivers\ks.sys

+ 2004-08-04 01:05:44 140,928 ----a-w c:\windows\system32\drivers\ks.sys

- 2007-10-11 23:59:24 25,624 ----a-w c:\windows\system32\drivers\LVPr2Mon.sys

+ 2008-12-17 02:58:54 25,624 ----a-w c:\windows\system32\drivers\LVPr2Mon.sys

- 2008-04-14 03:53:58 11,868 ----a-w c:\windows\system32\drivers\mdmxsdk.sys

+ 2006-06-19 19:26:58 12,672 ----a-r c:\windows\system32\drivers\mdmxsdk.sys

- 2007-06-08 05:00:02 141,376 ----a-w c:\windows\system32\drivers\OEM02Afx.sys

+ 2007-06-08 06:00:02 141,376 ----a-w c:\windows\system32\drivers\OEM02Afx.sys

- 2007-10-11 05:03:00 235,648 ----a-w c:\windows\system32\drivers\OEM02Dev.sys

+ 2007-10-11 06:03:00 235,648 ----a-w c:\windows\system32\drivers\OEM02Dev.sys

- 2007-03-05 22:45:04 7,424 ----a-w c:\windows\system32\drivers\OEM02Vfx.sys

+ 2007-03-05 23:45:04 7,424 ----a-w c:\windows\system32\drivers\OEM02Vfx.sys

- 2004-03-16 16:58:20 136,960 ----a-w c:\windows\system32\drivers\portcls.sys

+ 2004-08-04 01:05:44 145,792 ----a-w c:\windows\system32\drivers\portcls.sys

- 2007-05-06 22:12:00 1,222,840 ----a-w c:\windows\system32\drivers\sthda.sys

+ 2007-05-10 15:24:34 1,222,840 ----a-w c:\windows\system32\drivers\sthda.sys

- 2004-08-04 04:08:04 48,640 ----a-w c:\windows\system32\drivers\stream.sys

+ 2004-08-04 01:05:44 48,640 ----a-w c:\windows\system32\drivers\stream.sys

+ 2006-11-21 09:20:26 49,507 -c--a-r c:\windows\system32\DRVSTORE\b44win_A4FF09C646CF97A72E7241C9A8D160636A21E4F9\bcm4sbe5.sys

+ 2006-11-21 09:25:44 45,568 -c--a-r c:\windows\system32\DRVSTORE\b44win_A4FF09C646CF97A72E7241C9A8D160636A21E4F9\bcm4sbxp.sys

+ 2008-12-17 05:54:30 495,640 -c--a-w c:\windows\system32\DRVSTORE\lvELCHv_89D63E450CD00B62BAE1D53FC3B914A5EBF13271\LV561AV.sys

+ 2008-12-17 05:55:16 416,280 -c--a-w c:\windows\system32\DRVSTORE\lvELCHv_89D63E450CD00B62BAE1D53FC3B914A5EBF13271\lvcodec2.dll

+ 2008-12-17 05:55:38 195,096 -c--a-w c:\windows\system32\DRVSTORE\lvELCHv_89D63E450CD00B62BAE1D53FC3B914A5EBF13271\lvcoinst.dll

+ 2008-12-17 06:00:46 494,104 -c--a-w c:\windows\system32\DRVSTORE\lvELCHv_89D63E450CD00B62BAE1D53FC3B914A5EBF13271\LVUI2.dll

+ 2008-12-17 06:01:08 432,664 -c--a-w c:\windows\system32\DRVSTORE\lvELCHv_89D63E450CD00B62BAE1D53FC3B914A5EBF13271\LVUI2RC.dll

+ 2008-12-17 06:01:20 41,752 -c--a-w c:\windows\system32\DRVSTORE\lvELCHv_89D63E450CD00B62BAE1D53FC3B914A5EBF13271\LVUSBSta.sys

+ 2008-12-17 06:02:50 145,944 -c--a-w c:\windows\system32\DRVSTORE\lvELCHv_89D63E450CD00B62BAE1D53FC3B914A5EBF13271\lvWIAext.dll

+ 2008-12-17 05:51:04 443,664 -c--a-w c:\windows\system32\DRVSTORE\lvELCHv_89D63E450CD00B62BAE1D53FC3B914A5EBF13271\WUApp32.exe

+ 2008-12-17 05:53:22 13,848 -c--a-w c:\windows\system32\DRVSTORE\lvPEPI2s_C7E59535DB2D9328DFA15B65064636A46C5F0D63\lv302af.sys

+ 2008-12-17 05:55:38 195,096 -c--a-w c:\windows\system32\DRVSTORE\lvPEPI2s_C7E59535DB2D9328DFA15B65064636A46C5F0D63\lvcoinst.dll

+ 2008-12-17 06:00:12 768,024 -c--a-w c:\windows\system32\DRVSTORE\lvPEPI2s_C7E59535DB2D9328DFA15B65064636A46C5F0D63\lvrs.sys

+ 2008-12-17 06:01:20 41,752 -c--a-w c:\windows\system32\DRVSTORE\lvPEPI2s_C7E59535DB2D9328DFA15B65064636A46C5F0D63\LVUSBSta.sys

+ 2008-12-17 05:51:04 443,664 -c--a-w c:\windows\system32\DRVSTORE\lvPEPI2s_C7E59535DB2D9328DFA15B65064636A46C5F0D63\WUApp32.exe

+ 2008-12-17 05:53:44 2,686,104 -c--a-w c:\windows\system32\DRVSTORE\lvPEPI2v_64757B9EAE6D93AE33E6B1F663346906CC2D8A16\LV302V32.SYS

+ 2008-12-17 05:55:16 416,280 -c--a-w c:\windows\system32\DRVSTORE\lvPEPI2v_64757B9EAE6D93AE33E6B1F663346906CC2D8A16\lvcodec2.dll

+ 2008-12-17 05:55:38 195,096 -c--a-w c:\windows\system32\DRVSTORE\lvPEPI2v_64757B9EAE6D93AE33E6B1F663346906CC2D8A16\lvcoinst.dll

+ 2008-12-17 06:00:46 494,104 -c--a-w c:\windows\system32\DRVSTORE\lvPEPI2v_64757B9EAE6D93AE33E6B1F663346906CC2D8A16\LVUI2.dll

+ 2008-12-17 06:01:08 432,664 -c--a-w c:\windows\system32\DRVSTORE\lvPEPI2v_64757B9EAE6D93AE33E6B1F663346906CC2D8A16\LVUI2RC.dll

+ 2008-12-17 06:01:20 41,752 -c--a-w c:\windows\system32\DRVSTORE\lvPEPI2v_64757B9EAE6D93AE33E6B1F663346906CC2D8A16\LVUSBSta.sys

+ 2008-12-17 06:02:50 145,944 -c--a-w c:\windows\system32\DRVSTORE\lvPEPI2v_64757B9EAE6D93AE33E6B1F663346906CC2D8A16\lvWIAext.dll

+ 2008-12-17 05:51:04 443,664 -c--a-w c:\windows\system32\DRVSTORE\lvPEPI2v_64757B9EAE6D93AE33E6B1F663346906CC2D8A16\WUApp32.exe

+ 2008-12-17 06:02:06 23,832 -c--a-w c:\windows\system32\DRVSTORE\lvPRO5c_E59B32AD8625D841BC7296DA66E465D57E9EA5E9\lvuvcflt.sys

+ 2008-12-17 05:55:38 195,096 -c--a-w c:\windows\system32\DRVSTORE\lvPRO5s_9FC2121D88FC967CEF080BD575E14D11259C7669\lvcoinst.dll

+ 2008-12-17 05:58:30 114,712 -c--a-w c:\windows\system32\DRVSTORE\lvPRO5s_9FC2121D88FC967CEF080BD575E14D11259C7669\lvpopflt.sys

+ 2008-12-17 06:00:12 768,024 -c--a-w c:\windows\system32\DRVSTORE\lvPRO5s_9FC2121D88FC967CEF080BD575E14D11259C7669\lvrs.sys

+ 2008-12-17 06:00:34 66,456 -c--a-w c:\windows\system32\DRVSTORE\lvPRO5s_9FC2121D88FC967CEF080BD575E14D11259C7669\lvselsus.sys

+ 2008-12-17 06:01:20 41,752 -c--a-w c:\windows\system32\DRVSTORE\lvPRO5s_9FC2121D88FC967CEF080BD575E14D11259C7669\LVUSBSta.sys

+ 2008-12-17 05:51:04 443,664 -c--a-w c:\windows\system32\DRVSTORE\lvPRO5s_9FC2121D88FC967CEF080BD575E14D11259C7669\WUApp32.exe

+ 2008-12-17 05:55:16 416,280 -c--a-w c:\windows\system32\DRVSTORE\lvPRO5v_3494EAD41DC64D05E46AE15EF9CDDD2B02428AB3\lvcodec2.dll

+ 2008-12-17 05:55:38 195,096 -c--a-w c:\windows\system32\DRVSTORE\lvPRO5v_3494EAD41DC64D05E46AE15EF9CDDD2B02428AB3\lvcoinst.dll

+ 2008-12-17 06:00:46 494,104 -c--a-w c:\windows\system32\DRVSTORE\lvPRO5v_3494EAD41DC64D05E46AE15EF9CDDD2B02428AB3\LVUI2.dll

+ 2008-12-17 06:01:08 432,664 -c--a-w c:\windows\system32\DRVSTORE\lvPRO5v_3494EAD41DC64D05E46AE15EF9CDDD2B02428AB3\LVUI2RC.dll

+ 2008-12-17 06:01:20 41,752 -c--a-w c:\windows\system32\DRVSTORE\lvPRO5v_3494EAD41DC64D05E46AE15EF9CDDD2B02428AB3\LVUSBSta.sys

+ 2008-12-17 06:01:42 6,364,440 -c--a-w c:\windows\system32\DRVSTORE\lvPRO5v_3494EAD41DC64D05E46AE15EF9CDDD2B02428AB3\lvuvc.sys

+ 2008-12-17 06:02:50 145,944 -c--a-w c:\windows\system32\DRVSTORE\lvPRO5v_3494EAD41DC64D05E46AE15EF9CDDD2B02428AB3\lvWIAext.dll

+ 2008-12-17 05:51:04 443,664 -c--a-w c:\windows\system32\DRVSTORE\lvPRO5v_3494EAD41DC64D05E46AE15EF9CDDD2B02428AB3\WUApp32.exe

- 2009-02-04 22:00:11 22,720 ----a-w c:\windows\system32\emptyregdb.dat

+ 2009-02-24 03:54:02 22,736 ----a-w c:\windows\system32\emptyregdb.dat

- 2009-02-04 22:08:47 138,056 ----a-w c:\windows\system32\FNTCACHE.DAT

+ 2009-02-24 04:02:34 138,056 ----a-w c:\windows\system32\FNTCACHE.DAT

- 2009-01-23 18:42:52 88,590 ----a-w c:\windows\system32\Macromed\Flash\uninstall_activeX.exe

+ 2009-02-16 03:52:56 88,590 ----a-w c:\windows\system32\Macromed\Flash\uninstall_activeX.exe

- 2008-04-14 09:41:58 86,016 ----a-w c:\windows\system32\mdmxsdk.dll

+ 2006-06-19 19:26:50 94,208 ----a-r c:\windows\system32\mdmxsdk.dll

- 2007-11-29 02:18:44 1,060,864 ----a-w c:\windows\system32\MFC71.dll

+ 2003-03-19 13:19:58 1,060,864 ----a-w c:\windows\system32\MFC71.DLL

- 2003-03-19 02:44:36 57,344 ----a-w c:\windows\system32\MFC71ENU.DLL

+ 2003-03-19 02:44:38 57,344 ----a-w c:\windows\system32\MFC71ENU.DLL

- 2003-03-19 02:44:34 61,440 ----a-w c:\windows\system32\MFC71ESP.DLL

+ 2003-03-19 02:44:36 61,440 ----a-w c:\windows\system32\MFC71ESP.DLL

- 2003-03-19 02:44:34 61,440 ----a-w c:\windows\system32\MFC71ITA.DLL

+ 2003-03-19 02:44:36 61,440 ----a-w c:\windows\system32\MFC71ITA.DLL

- 2003-03-19 02:44:36 49,152 ----a-w c:\windows\system32\MFC71KOR.DLL

+ 2003-03-19 02:44:38 49,152 ----a-w c:\windows\system32\MFC71KOR.DLL

- 2007-11-29 02:18:44 1,047,552 ----a-w c:\windows\system32\MFC71u.dll

+ 2003-03-19 03:12:12 1,047,552 ----a-w c:\windows\system32\MFC71u.dll

- 2004-02-23 19:42:40 1,386,496 ----a-w c:\windows\system32\msvbvm60.dll

+ 2004-08-04 00:56:44 1,392,671 ----a-w c:\windows\system32\msvbvm60.dll

- 2007-11-29 02:18:42 499,712 ----a-w c:\windows\system32\msvcp71.dll

+ 2003-03-19 02:14:52 499,712 ----a-w c:\windows\system32\msvcp71.dll

- 2007-11-29 02:18:42 348,160 ----a-w c:\windows\system32\msvcr71.dll

+ 2003-02-21 10:42:22 348,160 ----a-w c:\windows\system32\msvcr71.dll

- 2007-10-11 05:04:00 393,216 ----a-w c:\windows\system32\OEM02Cvw.dll

+ 2007-10-11 06:04:00 393,216 ----a-w c:\windows\system32\OEM02Cvw.dll

- 2007-02-02 05:00:00 32,768 ----a-w c:\windows\system32\OEM02Hwx.dll

+ 2007-02-02 06:00:00 32,768 ----a-w c:\windows\system32\OEM02Hwx.dll

- 2007-07-18 05:02:00 40,960 ----a-w c:\windows\system32\OEM02Pin.dll

+ 2007-07-18 06:02:00 40,960 ----a-w c:\windows\system32\OEM02Pin.dll

- 2007-03-02 05:00:00 24,576 ----a-w c:\windows\system32\OEM02Srv.exe

+ 2007-03-02 06:00:00 24,576 ----a-w c:\windows\system32\OEM02Srv.exe

- 2009-02-10 20:10:16 60,208 ----a-w c:\windows\system32\perfc009.dat

+ 2009-02-28 03:52:42 61,128 ----a-w c:\windows\system32\perfc009.dat

- 2009-02-10 20:10:16 395,548 ----a-w c:\windows\system32\perfh009.dat

+ 2009-02-28 03:52:42 396,992 ----a-w c:\windows\system32\perfh009.dat

+ 2008-06-24 11:52:20 32,384 ----a-w c:\windows\system32\ReinstallBackups\0169\DriverFiles\ax88772.sys

+ 2005-10-12 23:12:25 14,048 ----a-w c:\windows\system32\spmsg.dll

- 2007-08-21 13:58:12 146,944 ----a-w c:\windows\system32\st325602.dll

+ 2007-08-21 14:58:12 146,944 ----a-w c:\windows\system32\st325602.dll

+ 2006-01-09 14:36:06 40,960 ----a-w c:\windows\system32\swsc.exe

- 2004-08-04 05:56:58 23,552 ----a-w c:\windows\system32\wdmaud.drv

+ 2004-08-04 01:05:44 23,552 ----a-w c:\windows\system32\wdmaud.drv

- 2006-04-17 15:09:42 286,720 ----a-w c:\windows\twain_32\Creative\OEM002\HookWnd.dll

+ 2006-04-17 16:09:42 286,720 ----a-w c:\windows\twain_32\Creative\OEM002\HookWnd.dll

- 2007-10-12 02:01:28 236,056 ----a-w c:\windows\twain_32\QuickCam\lvWIAext.dll

+ 2008-12-17 06:02:50 145,944 ----a-w c:\windows\twain_32\QuickCam\lvWIAext.dll

+ 2001-08-23 14:00:00 921,088 ----a-w c:\windows\WinSxS\InstallTemp\95254\comctl32.dll

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\c2c8aca3-b0b5-4af9-aaaa-403e4fc1278d.exe" [2008-11-17 1805552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-03 158208]

"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]

"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-10 36864]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]

"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2008-05-15 72240]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]

c:\documents and settings\Jay\Start Menu\Programs\Startup\

LemonScreen.lnk - c:\documents and settings\Jay\Application Data\Microsoft\Installer\{C75C9EFC-260B-4565-A801-904CEE81CBC8}\_bb32ea6.exe [2008-09-04 12862]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-07-23 15:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"MIDI2"= diomidi.dll

"wave2"= Digi32.dll

"Msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm

"msacm.mpegacm"= mpegacm.acm

"msacm.ulmp3acm"= ulmp3acm.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LemonScreen.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\LemonScreen.lnk

backup=c:\windows\pss\LemonScreen.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk

backup=c:\windows\pss\SpySubtract.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]

--a------ 2007-07-02 12:29 159744 c:\program files\DellTPad\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]

--a------ 2007-10-09 19:17 2183168 c:\windows\system32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

--a------ 2006-09-14 15:09 157592 c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DELL Webcam Manager]

--a------ 2007-06-07 11:14 118784 c:\program files\DELL\DELL Webcam Manager\DellWMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HijackThis startup scan]

--a------ 2006-11-21 08:01 218112 c:\data storage\software\AV-removal\hijackthis\HijackThis.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

--a------ 2008-02-28 16:32 166424 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

--a------ 2008-02-28 16:32 141848 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

--a------ 2005-02-16 15:15 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]

--a------ 2008-12-20 07:50 2656528 c:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]

--a------ 2009-02-04 16:57 4363504 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OEM02Mon.exe]

--a------ 2007-05-10 01:01 36864 c:\windows\OEM02Mon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]

--a------ 2008-02-28 16:32 137752 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]

--a------ 2007-05-10 10:22 405504 c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMware hqtray]

--a------ 2008-05-15 23:51 55856 c:\program files\VMware\VMware Workstation\hqtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vmware-tray]

--a------ 2008-05-15 23:51 72240 c:\program files\VMware\VMware Workstation\vmware-tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"sp_rssrv"=2 (0x2)

"wltrysvc"=2 (0x2)

"LVPrcSrv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"="0x00000000"

"UpdatesDisableNotify"="0x00000000"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\DELL\\MediaDirect\\PCMService.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-06-10 34312]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-11-17 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-11-17 55024]

R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [2009-01-27 11776]

R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-06-10 468224]

R3 OEM02Afx;Provides a software interface to control audio effects of OEM002 camera.;c:\windows\system32\drivers\OEM02Afx.sys [2009-02-13 141376]

R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2009-02-13 235648]

R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2009-02-13 7424]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408]

S0 zdickxvv;zdickxvv;c:\windows\system32\drivers\icfobwmy.sys []

S3 samhid;samhid;c:\windows\system32\drivers\Samhid.sys [2008-09-29 7548]

S4 gearsec;gearsec;c:\windows\system32\gearsec.exe [2003-12-01 53248]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

TCP: {0E8290C2-400F-4312-96E0-35667CE879F7} = 192.168.1.1,4.2.2.2

TCP: {1414EC86-24E2-4125-A830-017786A7F9EF} = 192.168.1.2,4.2.2.2

TCP: {29BBAE27-D70B-4D9A-B104-2D8D9C8D4D82} = 4.2.2.2,192.168.1.2

FF - ProfilePath - c:\documents and settings\administrator.ZTEKCORP\Application Data\Mozilla\Firefox\Profiles\47qtbje0.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\program files\Mozilla Firefox\plugins\npRLCT4Player.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll

FF - plugin: c:\program files\Picasa2\npPicasa2.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-27 23:12:00

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\system32\drivers\icfobwmy.sys 25088 bytes executable

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1108)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\DellTPad\ApMsgFwd.exe

c:\program files\DellTPad\hidfind.exe

c:\program files\DellTPad\ApntEx.exe

c:\windows\system32\taskmgr.exe

.

**************************************************************************

.

Completion time: 2009-02-27 23:18:07 - machine was rebooted [Administrator]

ComboFix-quarantined-files.txt 2009-02-28 04:16:48

ComboFix2.txt 2009-02-10 21:37:29

Pre-Run: 73,962,438,656 bytes free

Post-Run: 73,942,286,336 bytes free

507 --- E O F --- 2008-08-09 17:24:04

****************************************

HJT LOG

Logfile of HijackThis v1.99.1

Scan saved at 23:49, on 2009-02-27

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\DellTPad\Apoint.exe

C:\WINDOWS\OEM02Mon.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\VMware\VMware Workstation\vmware-tray.exe

C:\Program Files\DellTPad\ApMsgFwd.exe

C:\Program Files\DellTPad\HidFind.exe

C:\Program Files\DellTPad\Apntex.exe

C:\WINDOWS\system32\taskmgr.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\data storage\software\AV-removal\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe

O4 - HKLM\..\Run: [OEM02Mon.exe] C:\WINDOWS\OEM02Mon.exe

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\c2c8aca3-b0b5-4af9-aaaa-403e4fc1278d.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ZTEK.corp

O17 - HKLM\Software\..\Telephony: DomainName = ZTEK.corp

O17 - HKLM\System\CCS\Services\Tcpip\..\{0E8290C2-400F-4312-96E0-35667CE879F7}: NameServer = 192.168.1.1,4.2.2.2

O17 - HKLM\System\CCS\Services\Tcpip\..\{1414EC86-24E2-4125-A830-017786A7F9EF}: NameServer = 192.168.1.2,4.2.2.2

O17 - HKLM\System\CCS\Services\Tcpip\..\{29BBAE27-D70B-4D9A-B104-2D8D9C8D4D82}: NameServer = 4.2.2.2,192.168.1.2

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ZTEK.corp

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ZTEK.corp

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ZTEK.corp

O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = ZTEK.corp

O17 - HKLM\System\CS5\Services\Tcpip\Parameters: Domain = ZTEK.corp

O17 - HKLM\System\CS6\Services\Tcpip\Parameters: Domain = ZTEK.corp

O17 - HKLM\System\CS7\Services\Tcpip\Parameters: Domain = ZTEK.corp

O17 - HKLM\System\CS8\Services\Tcpip\Parameters: Domain = ZTEK.corp

O17 - HKLM\System\CS9\Services\Tcpip\Parameters: Domain = ZTEK.corp

O17 - HKLM\System\CS10\Services\Tcpip\Parameters: Domain = ZTEK.corp

O17 - HKLM\System\CS11\Services\Tcpip\Parameters: Domain = ZTEK.corp

O17 - HKLM\System\CS12\Services\Tcpip\Parameters: Domain = ZTEK.corp

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

PLEASE NOTE: while trying to run HJT (via My Computer), my virus scanner, which is ESET, immediately detected a trojan and quarantined it. I am not sure if this is ComboFix or something else!

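The two clues in the log above that the Root Admin's fix script acts on are the S0 driver whose bracket metadata is empty and the catchme hit on the same file. The following is an added example, not part of this thread or of ComboFix, that applies those same checks mechanically to ComboFix log lines; the sample lines are copied from the log above, and the scoring weights and threshold are my own assumptions.

```python
"""Flag suspicious driver/service entries in a ComboFix log.

Added example for this thread; it is not part of ComboFix or of the
forum post. It parses the R?/S? driver lines and the catchme "hidden
files" output of a ComboFix log and scores each entry with the checks
a malware-removal helper applies by eye. The scoring weights are my own
assumptions, not anything ComboFix itself does.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt: a handful of lines copied from the log in this thread.
SAMPLE_LOG = r"""
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-06-10 34312]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-11-17 8944]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-06-10 468224]
S0 zdickxvv;zdickxvv;c:\windows\system32\drivers\icfobwmy.sys []
S3 samhid;samhid;c:\windows\system32\drivers\Samhid.sys [2008-09-29 7548]
S4 gearsec;gearsec;c:\windows\system32\gearsec.exe [2003-12-01 53248]
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
scanning hidden files ...
c:\windows\system32\drivers\icfobwmy.sys 25088 bytes executable
**************************************************************************
"""

# "R1 name;display name;path [date size]"; the bracket is empty when ComboFix
# could not stat the file (hidden, locked or access denied).
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.+?)\s*\[([^\]]*)\]\s*$")
# catchme reports hidden files as "<path> <size> bytes executable".
HIDDEN_RE = re.compile(r"^(.+?)\s+(\d+)\s+bytes\s+executable\s*$", re.IGNORECASE)
VOWELS = set("aeiou")


@dataclass
class Finding:
    service: str
    path: str
    score: int = 0
    reasons: list = field(default_factory=list)


def longest_consonant_run(name):
    """Length of the longest run of consonants; a crude 'random name' signal."""
    run = best = 0
    for ch in name.lower():
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def parse_log(text):
    """Return (service entries, set of lowercased paths catchme found hidden)."""
    services, hidden = [], set()
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            state, start, name, display, path, meta = m.groups()
            services.append({"state": state, "start": int(start), "name": name,
                             "display": display, "path": path, "meta": meta.strip()})
            continue
        m = HIDDEN_RE.match(line)
        if m:
            hidden.add(m.group(1).strip().lower())
    return services, hidden


def assess(services, hidden, threshold=3):
    """Score each entry; return those at or above threshold, highest first."""
    findings = []
    for svc in services:
        f = Finding(svc["name"], svc["path"])
        stem = svc["path"].rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if svc["meta"] == "":
            f.score += 3
            f.reasons.append("no date/size: ComboFix could not read the file")
        if svc["path"].lower() in hidden:
            f.score += 3
            f.reasons.append("catchme lists the file as hidden from enumeration")
        if svc["start"] == 0:
            f.score += 1
            f.reasons.append("boot-start driver, loads before the anti-virus")
        if stem.lower() != svc["name"].lower():
            f.score += 1
            f.reasons.append(f"service name differs from file name {stem!r}")
        if longest_consonant_run(svc["name"]) >= 4:
            f.score += 1  # weak on its own: the legitimate 'epfwtdir' trips it too
            f.reasons.append("random-looking service name")
        if f.score >= threshold:
            findings.append(f)
    return sorted(findings, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    entries, hidden_files = parse_log(SAMPLE_LOG)
    for finding in assess(entries, hidden_files):
        print(f"{finding.service} -> {finding.path} (score {finding.score})")
        for reason in finding.reasons:
            print("   -", reason)
```

On the sample above only zdickxvv crosses the threshold; the ESET driver epfwtdir also has a consonant-heavy name, which is why that signal alone is weighted too low to flag anything.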

  • Root Admin

STEP 01

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines.

KILLALL::

Driver::
zdickxvv

File::
c:\documents and settings\Jay\Application Data\Microsoft\Installer\{C75C9EFC-260B-4565-A801-904CEE81CBC8}\_bb32ea6.exe
c:\documents and settings\All Users\Start Menu\Programs\Startup\LemonScreen.lnk
c:\windows\system32\drivers\icfobwmy.sys

Open a new Notepad session (do not use a word processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt".

Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
  • When the scan completes, Notepad will open with your results log. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 02

Download DDS and save it to your desktop.

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop.
  • Please include the following logs in your next reply: DDS.txt and Attach.txt.


As requested:

ComboFix was rerun using the above options.

DDS was run and logs were saved.

Posted now are the ComboFix log, dds.txt and attach.txt.

Awaiting further instructions....

COMBOFIX LOG

ComboFix 09-02-28.01 - Administrator 2009-02-28 19:16:32.4 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3574.3064 [GMT -5:00]

Running from: c:\documents and settings\administrator.ZTEKCORP\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\administrator.ZTEKCORP\Desktop\CFscript.txt

AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)

* Created a new restore point

* Resident AV is active

FILE ::

c:\documents and settings\All Users\Start Menu\Programs\Startup\LemonScreen.lnk

c:\documents and settings\Jay\Application Data\Microsoft\Installer\{C75C9EFC-260B-4565-A801-904CEE81CBC8}\_bb32ea6.exe

c:\windows\system32\drivers\icfobwmy.sys

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Jay\Application Data\Microsoft\Installer\{C75C9EFC-260B-4565-A801-904CEE81CBC8}\_bb32ea6.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_ZDICKXVV

-------\Service_zdickxvv

((((((((((((((((((((((((( Files Created from 2009-02-01 to 2009-03-01 )))))))))))))))))))))))))))))))

.

2009-02-28 00:07 . 2009-02-28 00:07 <DIR> d-------- c:\documents and settings\administrator.ZTEKCORP\JCap

2009-02-28 00:06 . 2009-02-28 00:06 <DIR> d-------- c:\program files\JCap

2009-02-27 23:52 . 2009-02-27 23:52 <DIR> d-------- c:\program files\Trend Micro

2009-02-26 18:58 . 2009-02-26 19:16 <DIR> d-------- c:\documents and settings\administrator.ZTEKCORP\Application Data\vlc

2009-02-26 16:53 . 2009-02-26 16:53 <DIR> d-------- c:\program files\FreshDevices

2009-02-26 13:49 . 2009-02-26 13:49 <DIR> d-------- c:\program files\CONEXANT

2009-02-26 13:49 . 2007-08-02 17:35 989,952 -ra------ c:\windows\system32\drivers\HSF_DPV.sys

2009-02-26 13:49 . 2007-08-02 17:34 731,136 -ra------ c:\windows\system32\drivers\HSF_CNXT.sys

2009-02-26 13:49 . 2007-07-24 15:08 217,088 -ra------ c:\windows\system32\UCI32M21.dll

2009-02-26 13:49 . 2007-08-02 17:34 211,200 -ra------ c:\windows\system32\drivers\HSFHWAZL.sys

2009-02-26 13:49 . 2007-09-06 14:04 143,891 --a------ c:\windows\system32\drivers\del1028.cty

2009-02-26 12:54 . 2009-02-26 12:54 <DIR> d-------- C:\usbdriver

2009-02-26 00:07 . 2009-02-26 00:07 <DIR> d-------- c:\program files\Broadcom

2009-02-23 23:33 . 2008-02-15 19:45 172,032 --a------ c:\windows\system32\igfxres.dll

2009-02-23 22:59 . 2001-08-23 09:00 1,875,968 --a--c--- c:\windows\system32\dllcache\msir3jp.lex

2009-02-23 22:58 . 2001-08-23 09:00 13,463,552 --a--c--- c:\windows\system32\dllcache\hwxjpn.dll

2009-02-23 22:57 . 2004-05-13 00:39 876,653 --a--c--- c:\windows\system32\dllcache\fp4awel.dll

2009-02-23 22:55 . 2009-02-23 22:55 749 -rah----- c:\windows\WindowsShell.Manifest

2009-02-23 22:55 . 2009-02-23 22:55 749 -rah----- c:\windows\system32\wuaucpl.cpl.manifest

2009-02-23 22:55 . 2009-02-23 22:55 749 -rah----- c:\windows\system32\sapi.cpl.manifest

2009-02-23 22:55 . 2009-02-23 22:55 749 -rah----- c:\windows\system32\nwc.cpl.manifest

2009-02-23 22:55 . 2009-02-23 22:55 749 -rah----- c:\windows\system32\ncpa.cpl.manifest

2009-02-23 22:55 . 2009-02-23 22:55 488 -rah----- c:\windows\system32\logonui.exe.manifest

2009-02-23 22:03 . 2004-08-03 20:57 1,086,058 -ra------ c:\windows\SET69.tmp

2009-02-23 22:03 . 2004-08-03 21:03 1,042,903 -ra------ c:\windows\SET65.tmp

2009-02-23 22:03 . 2004-08-03 20:58 13,753 -ra------ c:\windows\SET77.tmp

2009-02-23 03:10 . 2009-02-23 03:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-02-23 02:25 . 2009-02-23 21:29 <DIR> d-------- c:\program files\SUPERAntiSpyware

2009-02-23 02:25 . 2009-02-23 02:25 <DIR> d-------- c:\documents and settings\administrator.ZTEKCORP\Application Data\SUPERAntiSpyware.com

2009-02-18 20:35 . 2009-02-18 22:52 <DIR> d-------- C:\DSC-BAK

2009-02-16 12:16 . 2009-02-16 12:54 <DIR> d-------- C:\UBCD4Win

2009-02-16 11:48 . 2009-02-16 11:54 <DIR> d-------- C:\XPCDSP2

2009-02-16 01:15 . 2009-01-29 10:25 64,959,349 --a------ C:\DSC-NCR-SUGARLOAF-WWWWEEK-JAN28-29090456-0456.MPG

2009-02-15 22:31 . 2009-02-15 22:31 95,869 --a------ C:\kdk_0150.jpg

2009-02-15 18:05 . 2009-02-15 18:50 <DIR> d-------- c:\documents and settings\administrator.ZTEKCORP\DoctorWeb

2009-02-15 13:46 . 2008-12-17 01:00 768,024 --a------ c:\windows\system32\drivers\lvrs.sys

2009-02-15 13:46 . 2008-12-17 00:55 195,096 --a------ c:\windows\system32\lvci11901262.dll

2009-02-15 13:34 . 2009-02-15 13:47 <DIR> d-------- c:\program files\Common Files\LogiShrd

2009-02-15 13:34 . 2008-12-17 00:53 2,686,104 --a------ c:\windows\system32\drivers\LV302V32.SYS

2009-02-15 13:34 . 2008-12-17 01:00 494,104 --a------ c:\windows\system32\LVUI2.dll

2009-02-15 13:34 . 2008-12-17 01:01 432,664 --a------ c:\windows\system32\LVUI2RC.dll

2009-02-15 13:34 . 2008-12-17 00:55 416,280 --a------ c:\windows\system32\lvcodec2.dll

2009-02-15 13:34 . 2007-10-11 20:57 195,096 --a------ c:\windows\system32\lvci1150.dll

2009-02-15 13:34 . 2008-12-17 00:37 81,110 --a------ c:\windows\system32\lvcoinst.ini

2009-02-15 13:34 . 2008-12-17 01:01 41,752 --a------ c:\windows\system32\drivers\LVUSBSta.sys

2009-02-15 13:34 . 2008-12-17 00:37 29,562 --a------ c:\windows\system32\Repository.reg

2009-02-15 13:34 . 2008-12-17 00:53 13,848 --a------ c:\windows\system32\drivers\lv302af.sys

2009-02-14 23:07 . 2009-02-26 20:05 <DIR> d-------- C:\lzscratch

2009-02-14 00:08 . 2009-02-14 00:08 76 -rahs---- c:\windows\CT4CET.bin

2009-02-14 00:07 . 2009-02-14 00:08 <DIR> d-------- c:\program files\Creative

2009-02-14 00:07 . 2007-02-14 12:27 5,627,904 --a------ c:\windows\system32\LiveCamVirtual.ocx

2009-02-13 19:17 . 2009-02-13 19:17 <DIR> d-------- c:\program files\R-Studio

2009-02-13 17:39 . 2007-05-10 10:23 4,952,064 --a------ c:\windows\system32\stacgui.cpl

2009-02-13 17:39 . 2007-04-10 17:02 1,601,536 --a------ c:\windows\system32\stlang.dll

2009-02-13 17:39 . 2007-05-10 10:22 405,504 --a------ c:\windows\stsystra.exe

2009-02-13 17:32 . 2007-05-10 10:23 270,336 --a------ c:\windows\system32\stacapi.dll

2009-02-13 16:40 . 2004-08-03 20:57 1,086,058 -ra------ c:\windows\SET57.tmp

2009-02-13 16:40 . 2004-08-03 21:03 1,042,903 -ra------ c:\windows\SET52.tmp

2009-02-13 16:40 . 2004-08-03 20:58 13,753 -ra------ c:\windows\SET68.tmp

2009-02-13 16:25 . 2004-08-03 20:57 1,086,058 -ra------ c:\windows\SET55.tmp

2009-02-13 16:25 . 2004-08-03 21:03 1,042,903 -ra------ c:\windows\SET51.tmp

2009-02-13 16:25 . 2004-08-03 20:58 13,753 -ra------ c:\windows\SET63.tmp

2009-02-13 13:43 . 2004-08-03 20:57 1,086,058 -ra------ c:\windows\SET54.tmp

2009-02-13 13:43 . 2004-08-03 21:03 1,042,903 -ra------ c:\windows\SET50.tmp

2009-02-13 13:43 . 2004-08-03 20:58 13,753 -ra------ c:\windows\SET60.tmp

2009-02-13 13:21 . 2004-08-03 20:57 1,086,058 -ra------ c:\windows\SET56.tmp

2009-02-13 13:21 . 2004-08-03 21:03 1,042,903 -ra------ c:\windows\SET53.tmp

2009-02-13 13:21 . 2004-08-03 20:58 13,753 -ra------ c:\windows\SET62.tmp

2009-02-13 13:20 . 2009-02-13 13:20 <DIR> d---s---- c:\windows\system32\config\systemprofile\History

2009-02-13 13:01 . 2009-02-13 13:01 <DIR> d-------- c:\documents and settings\administrator.ZTEKCORP\Shared

2009-02-13 13:01 . 2009-02-13 13:01 <DIR> d-------- c:\documents and settings\administrator.ZTEKCORP\.etomipro

2009-02-13 12:33 . 2009-02-13 12:33 288 --a------ c:\windows\_delis32.ini

2009-02-13 12:25 . 2009-02-13 12:33 <DIR> d-------- c:\program files\Common Files\Logitech

2009-02-13 11:57 . 2009-02-15 13:46 <DIR> d-------- c:\program files\Logitech

2009-02-11 00:59 . 2009-02-16 09:56 <DIR> d-------- C:\SmitfraudFix

2009-02-10 16:35 . 2009-02-10 16:35 5,365 --a------ c:\windows\system32\uacinit.dll

2009-02-10 16:34 . 2009-02-10 16:34 2 --a------ C:\140099117

2009-02-10 16:33 . 2009-02-10 16:33 301,568 --a------ c:\windows\system32\ddcDssTn.dll.vir

2009-02-10 00:04 . 2009-02-10 00:04 <DIR> d-------- c:\program files\interMute

2009-02-10 00:04 . 2009-02-10 00:04 2,150 --a------ c:\windows\system32\ssmute.ini

2009-02-09 23:40 . 2009-02-09 23:40 <DIR> d-------- C:\Arrakis

2009-02-09 23:39 . 1999-12-17 10:13 86,016 --a------ c:\windows\unvise32.exe

2009-02-09 23:23 . 2009-02-09 23:23 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)

2009-02-09 23:23 . 2009-02-09 23:23 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)

2009-02-09 23:23 . 2009-02-09 23:23 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)

2009-02-09 23:23 . 2009-02-09 23:23 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)

2009-02-09 23:21 . 2009-02-26 18:53 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-02-09 23:21 . 2009-02-26 18:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-02-09 20:04 . 2009-02-09 22:15 <DIR> d-------- c:\program files\Open Adder1

2009-02-09 16:47 . 2009-02-09 16:47 306,176 --a------ c:\windows\system32\hgGwTnmN.dll

2009-02-09 16:47 . 2009-02-09 16:47 25,088 --a------ c:\windows\system32\drivers\icfobwmy.sys

2009-02-09 16:47 . 2009-02-28 19:20 1,476 --a------ c:\windows\zdickxvv

2009-02-09 16:36 . 2009-02-09 16:47 <DIR> d-------- c:\program files\Sickest Adder v2.1

2009-02-09 15:46 . 2009-02-09 16:48 <DIR> d-------- c:\program files\Drastic Promo

2009-02-09 13:50 . 2009-02-09 16:48 <DIR> d-------- c:\program files\Open Adder

2009-02-09 13:50 . 2000-07-15 00:00 101,888 --a------ c:\windows\system32\VB6STKIT.DLL

2009-02-07 01:00 . 2009-02-08 16:51 0 --a------ C:\huff_value.dat

2009-02-05 18:54 . 2009-02-05 18:54 320,967 --a------ C:\DSC-SNOWMBLE-LOOPTRIP-JAN22090121_lzn.jpg

2009-02-05 18:53 . 2009-01-22 16:24 2,925,853 --a------ C:\DSC-SNOWMBLE-LOOPTRIP-JAN22090121-0121.JPG

2009-02-05 12:52 . 2009-01-19 14:10 186,105,851 --a------ C:\DSC-SADDLEBCK-MLKDAYSKI-JAN19090165-0165.MPG

2009-02-05 12:42 . 2009-02-05 12:42 <DIR> d-------- c:\windows\system32\vmm32

2009-02-05 12:17 . 2009-02-05 13:17 <DIR> d-------- c:\program files\nLite

2009-02-05 11:58 . 2009-02-05 12:35 <DIR> d-------- c:\program files\Intel

2009-02-04 17:39 . 2007-05-06 17:11 144,896 --a------ c:\windows\system32\staco.dll

2009-02-04 17:38 . 2009-02-04 17:38 <DIR> d-------- c:\program files\SigmaTel

2009-02-04 17:35 . 2009-02-04 17:35 <DIR> d-------- c:\program files\DIFX

2009-02-04 17:34 . 2009-02-04 17:34 <DIR> d-------- C:\dell

2009-02-04 17:01 . 2004-08-03 19:56 214,528 --a--c--- c:\windows\system32\dllcache\icwconn1.exe

2009-02-04 17:01 . 2004-08-03 19:56 86,016 --a--c--- c:\windows\system32\dllcache\icwconn2.exe

2009-02-04 17:01 . 2004-08-03 19:56 32,768 --a--c--- c:\windows\system32\dllcache\icwdl.dll

2009-02-04 17:01 . 2004-08-03 19:56 20,480 --a--c--- c:\windows\system32\dllcache\inetwiz.exe

2009-02-04 17:01 . 2001-08-23 09:00 16,384 --a--c--- c:\windows\system32\dllcache\isignup.exe

2009-02-04 16:50 . 2009-02-15 13:45 1,374 --a------ c:\windows\imsins.BAK

2009-02-04 16:49 . 2004-08-03 20:57 1,086,058 -ra------ c:\windows\SET64.tmp

2009-02-04 16:49 . 2004-08-03 21:03 1,042,903 -ra------ c:\windows\SET61.tmp

2009-02-04 16:49 . 2004-08-03 20:58 13,753 -ra------ c:\windows\SET70.tmp

2009-02-04 15:55 . 2009-02-04 15:55 <DIR> d-------- c:\documents and settings\adminoverride\Application Data\Canneverbe_Limited

2009-02-04 15:54 . 2009-02-04 15:54 <DIR> d-------- c:\documents and settings\adminoverride\Application Data\vlc

2009-02-04 15:50 . 2009-02-04 15:50 <DIR> d-------- c:\documents and settings\adminoverride\Application Data\VMware

2009-02-04 15:50 . 2009-02-04 15:50 <DIR> d-------- c:\documents and settings\adminoverride\Application Data\tmp

2009-02-04 15:50 . 2009-02-04 15:50 <DIR> d-------- c:\documents and settings\adminoverride\Application Data\Reallusion

2009-02-04 15:50 . 2009-02-04 15:50 <DIR> d-------- c:\documents and settings\adminoverride

2009-02-04 11:40 . 2009-02-23 08:44 2,145,386,496 --a------ c:\windows\MEMORY.DMP

2009-02-02 22:11 . 2009-02-07 00:40 1,048 --a------ c:\windows\aeditor.INI

2009-02-02 21:05 . 2009-02-07 00:40 862 --a------ c:\windows\ULEAD32.INI

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-01 00:41 --------- d-----w c:\documents and settings\administrator.ZTEKCORP\Application Data\VMware

2009-02-28 05:07 --------- d-----w c:\program files\Java

2009-02-26 23:52 --------- d-----w c:\program files\BigSpeed Zipper

2009-02-24 04:33 --------- d-----w c:\documents and settings\Administrator\Application Data\VMware

2009-02-23 07:25 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-02-16 03:52 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!

2009-02-15 18:46 --------- d-----w c:\documents and settings\All Users\Application Data\Logishrd

2009-02-14 05:07 --------- d--h--w c:\program files\InstallShield Installation Information

2009-02-14 05:07 --------- d-----w c:\program files\DELL

2009-02-14 05:07 --------- d-----w c:\program files\Creative Live! Cam

2009-02-13 16:54 --------- d-----w c:\program files\Pcsx2_0.9.4

2009-02-11 06:39 --------- d-----w c:\program files\DAEMON Tools

2009-02-10 22:45 --------- d-----w c:\program files\Blaze Media Pro

2009-02-09 22:11 --------- d-----w c:\program files\ESET

2009-02-05 16:32 --------- d-----w c:\documents and settings\administrator.ZTEKCORP\Application Data\TeamViewer

2009-02-03 22:59 --------- d-----w c:\program files\Piolet

2009-02-03 22:32 --------- d-----w c:\documents and settings\LocalService\Application Data\VMware

2009-02-03 22:32 --------- d-----w c:\documents and settings\All Users\Application Data\VMware

2009-01-28 04:52 --------- d-----w c:\program files\Avid

2009-01-27 21:06 --------- d-----w c:\program files\Common Files\Avid

2009-01-27 21:06 --------- d-----w c:\program files\AviSynth 2.5

2009-01-27 14:20 --------- d-----w c:\documents and settings\All Users\Application Data\Avid

2009-01-27 14:20 --------- d-----w c:\documents and settings\administrator.ZTEKCORP\Application Data\Avid

2009-01-27 10:57 --------- d-----w c:\program files\Common Files\Digidesign

2009-01-27 10:54 --------- d-----w c:\program files\Common Files\PACE Anti-Piracy

2009-01-27 10:54 --------- d-----w c:\documents and settings\All Users\Application Data\PACE Anti-Piracy

2009-01-27 10:54 --------- d-----w c:\documents and settings\administrator.ZTEKCORP\Application Data\PACE Anti-Piracy

2009-01-27 10:53 --------- d-----w c:\program files\SafeNet Sentinel

2009-01-27 10:53 --------- d-----w c:\program files\InterLok

2009-01-27 10:53 --------- d-----w c:\program files\Digidesign

2009-01-27 10:53 --------- d-----w c:\program files\Common Files\SafeNet Sentinel

2009-01-27 10:53 --------- d-----w c:\documents and settings\administrator.ZTEKCORP\Application Data\InstallShield

2009-01-27 06:10 --------- dc-h--w c:\documents and settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}

2009-01-27 04:30 --------- d-----w c:\documents and settings\administrator.ZTEKCORP\Application Data\.BitTornado

2009-01-24 02:12 --------- d-----w c:\documents and settings\administrator.ZTEKCORP\Application Data\dvdcss

2009-01-23 17:36 --------- d-----w c:\program files\Red Kawa

2009-01-23 14:53 --------- d-----w c:\program files\TeamViewer

2009-01-23 04:58 --------- d-----w c:\program files\TightVNC

2009-01-18 15:52 --------- d-----w c:\documents and settings\administrator.ZTEKCORP\Application Data\AdobeUM

2009-01-06 04:22 --------- d-----w c:\documents and settings\administrator.ZTEKCORP\Application Data\LightZone

2009-01-06 01:40 --------- d-----w c:\program files\LightZone 3

2009-01-06 01:40 --------- d-----w c:\program files\Common Files\eSellerate

2008-10-17 18:52 47,360 ----a-w c:\documents and settings\administrator.ZTEKCORP\Application Data\pcouffin.sys

2006-06-16 01:33 233,472 ----a-w c:\program files\mozilla firefox\plugins\CrazyTalk4Native.dll

2006-05-25 23:43 204,895 ----a-w c:\program files\mozilla firefox\plugins\ctdomemhelper.dll

2005-09-29 19:41 77,824 ----a-w c:\program files\mozilla firefox\plugins\ctframeplayerobject.dll

2006-06-19 18:10 426,081 ----a-w c:\program files\mozilla firefox\plugins\ctplayerobject.dll

2005-02-02 17:19 458,752 ----a-w c:\program files\mozilla firefox\plugins\imagickrt.dll

2006-04-10 23:35 139,264 ----a-w c:\program files\mozilla firefox\plugins\rlcontentclass.dll

2005-11-09 16:10 204,800 ----a-w c:\program files\mozilla firefox\plugins\RLMusicPacker.dll

2005-11-09 16:42 106,496 ----a-w c:\program files\mozilla firefox\plugins\RLMusicUnpacker.dll

2006-01-04 16:22 212,992 ----a-w c:\program files\mozilla firefox\plugins\RLVoicePacker.dll

2006-01-04 16:21 167,936 ----a-w c:\program files\mozilla firefox\plugins\RLVoiceUnpacker.dll

.

((((((((((((((((((((((((((((( SnapShot_2009-02-27_23.15.07.90 )))))))))))))))))))))))))))))))))))))))))

.

- 2009-02-28 03:52:42 61,128 ----a-w c:\windows\system32\perfc009.dat

+ 2009-03-01 00:25:24 61,128 ----a-w c:\windows\system32\perfc009.dat

- 2009-02-28 03:52:42 396,992 ----a-w c:\windows\system32\perfh009.dat

+ 2009-03-01 00:25:24 396,992 ----a-w c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\c2c8aca3-b0b5-4af9-aaaa-403e4fc1278d.exe" [2008-11-17 1805552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]

"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-10 36864]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]

"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2008-05-15 72240]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-07-23 15:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"MIDI2"= diomidi.dll

"wave2"= Digi32.dll

"Msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm

"msacm.mpegacm"= mpegacm.acm

"msacm.ulmp3acm"= ulmp3acm.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LemonScreen.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\LemonScreen.lnk

backup=c:\windows\pss\LemonScreen.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk

backup=c:\windows\pss\SpySubtract.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]

--a------ 2007-07-02 12:29 159744 c:\program files\DellTPad\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]

--a------ 2007-10-09 19:17 2183168 c:\windows\system32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

--a------ 2006-09-14 15:09 157592 c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DELL Webcam Manager]

--a------ 2007-06-07 11:14 118784 c:\program files\DELL\DELL Webcam Manager\DellWMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HijackThis startup scan]

--a------ 2006-11-21 08:01 218112 c:\data storage\software\AV-removal\hijackthis\HijackThis.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

--a------ 2008-02-28 16:32 166424 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

--a------ 2008-02-28 16:32 141848 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

--a------ 2005-02-16 15:15 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]

--a------ 2008-12-20 07:50 2656528 c:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]

--a------ 2009-02-04 16:57 4363504 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OEM02Mon.exe]

--a------ 2007-05-10 01:01 36864 c:\windows\OEM02Mon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]

--a------ 2008-02-28 16:32 137752 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]

--a------ 2007-05-10 10:22 405504 c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMware hqtray]

--a------ 2008-05-15 23:51 55856 c:\program files\VMware\VMware Workstation\hqtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vmware-tray]

--a------ 2008-05-15 23:51 72240 c:\program files\VMware\VMware Workstation\vmware-tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"sp_rssrv"=2 (0x2)

"wltrysvc"=2 (0x2)

"LVPrcSrv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"="0x00000000"

"UpdatesDisableNotify"="0x00000000"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\DELL\\MediaDirect\\PCMService.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-06-10 34312]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-11-17 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-11-17 55024]

R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [2009-01-27 11776]

R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-06-10 468224]

R3 OEM02Afx;Provides a software interface to control audio effects of OEM002 camera.;c:\windows\system32\drivers\OEM02Afx.sys [2009-02-13 141376]

R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2009-02-13 235648]

R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2009-02-13 7424]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408]

S3 samhid;samhid;c:\windows\system32\drivers\Samhid.sys [2008-09-29 7548]

S4 gearsec;gearsec;c:\windows\system32\gearsec.exe [2003-12-01 53248]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

TCP: {0E8290C2-400F-4312-96E0-35667CE879F7} = 192.168.1.1,4.2.2.2

TCP: {1414EC86-24E2-4125-A830-017786A7F9EF} = 192.168.1.2,4.2.2.2

TCP: {29BBAE27-D70B-4D9A-B104-2D8D9C8D4D82} = 4.2.2.2,192.168.1.2

FF - ProfilePath - c:\documents and settings\administrator.ZTEKCORP\Application Data\Mozilla\Firefox\Profiles\47qtbje0.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\program files\Mozilla Firefox\plugins\npRLCT4Player.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll

FF - plugin: c:\program files\Picasa2\npPicasa2.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-28 19:41:34

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(892)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\DellTPad\ApMsgFwd.exe

c:\program files\DellTPad\hidfind.exe

c:\program files\DellTPad\ApntEx.exe

c:\program files\ESET\ESET NOD32 Antivirus\egui.exe

.

**************************************************************************

.

Completion time: 2009-02-28 19:47:05 - machine was rebooted

ComboFix-quarantined-files.txt 2009-03-01 00:45:48

ComboFix2.txt 2009-02-28 04:18:08

ComboFix3.txt 2009-02-10 21:37:29

Pre-Run: 73,815,236,608 bytes free

Post-Run: 73,797,160,960 bytes free

347 --- E O F --- 2008-08-09 17:24:04

DDSLOG.TXT

DDS (Ver_09-02-01.01) - NTFSx86

Run by Administrator at 19:49:10.43 on 2009-02-28

Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3574.3088 [GMT -5:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\DellTPad\Apoint.exe

C:\WINDOWS\OEM02Mon.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\VMware\VMware Workstation\vmware-tray.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\DellTPad\ApMsgFwd.exe

C:\Program Files\DellTPad\HidFind.exe

C:\Program Files\DellTPad\Apntex.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\administrator.ZTEKCORP\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\c2c8aca3-b0b5-4af9-aaaa-403e4fc1278d.exe

mRun: [Apoint] c:\program files\delltpad\Apoint.exe

mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [vmware-tray] c:\program files\vmware\vmware workstation\vmware-tray.exe

mRun: [sunJavaUpdateSched] c:\program files\java\jre1.6.0_07\bin\jusched.exe

dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe

IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab

DPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

TCP: {0E8290C2-400F-4312-96E0-35667CE879F7} = 192.168.1.1,4.2.2.2

TCP: {1414EC86-24E2-4125-A830-017786A7F9EF} = 192.168.1.2,4.2.2.2

TCP: {29BBAE27-D70B-4D9A-B104-2D8D9C8D4D82} = 4.2.2.2,192.168.1.2

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll

Notify: igfxcui - igfxdev.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1.zte\applic~1\mozilla\firefox\profiles\47qtbje0.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\program files\mozilla firefox\plugins\npRLCT4Player.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll

FF - plugin: c:\program files\picasa2\npPicasa2.dll

============= SERVICES / DRIVERS ===============

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-6-10 34312]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-11-17 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-11-17 55024]

R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [2009-1-27 11776]

R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-6-10 468224]

R3 OEM02Afx;Provides a software interface to control audio effects of OEM002 camera.;c:\windows\system32\drivers\OEM02Afx.sys [2009-2-13 141376]

R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2009-2-13 235648]

R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2009-2-13 7424]

R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-11-17 7408]

S3 samhid;samhid;c:\windows\system32\drivers\Samhid.sys [2008-9-29 7548]

S4 gearsec;gearsec;c:\windows\system32\gearsec.exe [2003-12-1 53248]

=============== Created Last 30 ================

2009-02-28 00:07 <DIR> --d----- c:\documents and settings\administrator.ztekcorp\JCap

2009-02-28 00:06 <DIR> --d----- c:\program files\JCap

2009-02-27 23:52 <DIR> --d----- c:\program files\Trend Micro

2009-02-27 21:57 <DIR> --d----- C:\cmdcons

2009-02-26 16:53 <DIR> --d----- c:\program files\FreshDevices

2009-02-26 13:49 217,088 a----r-- c:\windows\system32\UCI32M21.dll

2009-02-26 13:49 <DIR> --d----- c:\program files\CONEXANT

2009-02-26 13:49 989,952 a----r-- c:\windows\system32\drivers\HSF_DPV.sys

2009-02-26 13:49 731,136 a----r-- c:\windows\system32\drivers\HSF_CNXT.sys

2009-02-26 13:49 211,200 a----r-- c:\windows\system32\drivers\HSFHWAZL.sys

2009-02-26 13:49 143,891 a------- c:\windows\system32\drivers\del1028.cty

2009-02-26 12:54 <DIR> --d----- C:\usbdriver

2009-02-26 00:07 <DIR> --d----- c:\program files\Broadcom

2009-02-23 23:33 172,032 a------- c:\windows\system32\igfxres.dll

2009-02-23 22:59 46,592 ac------ c:\windows\system32\dllcache\svcext51.dll

2009-02-23 22:58 6,144 ac------ c:\windows\system32\dllcache\kbdinpun.dll

2009-02-23 22:57 54,528 ac------ c:\windows\system32\dllcache\cap7146.sys

2009-02-23 22:55 488 a---hr-- c:\windows\system32\logonui.exe.manifest

2009-02-23 22:55 749 a---hr-- c:\windows\WindowsShell.Manifest

2009-02-23 22:55 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest

2009-02-23 22:55 749 a---hr-- c:\windows\system32\sapi.cpl.manifest

2009-02-23 22:55 749 a---hr-- c:\windows\system32\nwc.cpl.manifest

2009-02-23 22:55 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest

2009-02-23 22:03 13,753 a----r-- c:\windows\SET77.tmp

2009-02-23 22:03 1,086,058 a----r-- c:\windows\SET69.tmp

2009-02-23 22:03 1,042,903 a----r-- c:\windows\SET65.tmp

2009-02-23 03:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2009-02-23 02:25 <DIR> --d----- c:\program files\SUPERAntiSpyware

2009-02-23 02:25 <DIR> --d----- c:\docume~1\admini~1.zte\applic~1\SUPERAntiSpyware.com

2009-02-18 20:35 <DIR> --d----- C:\DSC-BAK

2009-02-16 12:16 <DIR> --d----- C:\UBCD4Win

2009-02-16 11:48 <DIR> --d----- C:\XPCDSP2

2009-02-16 01:15 64,959,349 a------- C:\DSC-NCR-SUGARLOAF-WWWWEEK-JAN28-29090456-0456.MPG

2009-02-15 22:31 95,869 a------- C:\kdk_0150.jpg

2009-02-15 18:05 <DIR> --d----- c:\documents and settings\administrator.ztekcorp\DoctorWeb

2009-02-15 13:46 768,024 a------- c:\windows\system32\drivers\lvrs.sys

2009-02-15 13:46 195,096 a------- c:\windows\system32\lvci11901262.dll

2009-02-15 13:34 2,686,104 a------- c:\windows\system32\drivers\LV302V32.SYS

2009-02-15 13:34 494,104 a------- c:\windows\system32\LVUI2.dll

2009-02-15 13:34 432,664 a------- c:\windows\system32\LVUI2RC.dll

2009-02-15 13:34 416,280 a------- c:\windows\system32\lvcodec2.dll

2009-02-15 13:34 195,096 a------- c:\windows\system32\lvci1150.dll

2009-02-15 13:34 81,110 a------- c:\windows\system32\lvcoinst.ini

2009-02-15 13:34 41,752 a------- c:\windows\system32\drivers\LVUSBSta.sys

2009-02-15 13:34 29,562 a------- c:\windows\system32\Repository.reg

2009-02-15 13:34 13,848 a------- c:\windows\system32\drivers\lv302af.sys

2009-02-14 23:07 <DIR> --d----- C:\lzscratch

2009-02-14 00:08 76 a--shr-- c:\windows\CT4CET.bin

2009-02-14 00:07 5,627,904 a------- c:\windows\system32\LiveCamVirtual.ocx

2009-02-14 00:07 <DIR> --d----- c:\program files\Creative

2009-02-13 19:17 <DIR> --d----- c:\program files\R-Studio

2009-02-13 17:39 4,952,064 a------- c:\windows\system32\stacgui.cpl

2009-02-13 17:39 1,601,536 a------- c:\windows\system32\stlang.dll

2009-02-13 17:39 405,504 a------- c:\windows\stsystra.exe

2009-02-13 17:32 270,336 a------- c:\windows\system32\stacapi.dll

2009-02-13 16:40 13,753 a----r-- c:\windows\SET68.tmp

2009-02-13 16:40 1,086,058 a----r-- c:\windows\SET57.tmp

2009-02-13 16:40 1,042,903 a----r-- c:\windows\SET52.tmp

2009-02-13 16:25 13,753 a----r-- c:\windows\SET63.tmp

2009-02-13 16:25 1,086,058 a----r-- c:\windows\SET55.tmp

2009-02-13 16:25 1,042,903 a----r-- c:\windows\SET51.tmp

2009-02-13 13:43 13,753 a----r-- c:\windows\SET60.tmp

2009-02-13 13:43 1,086,058 a----r-- c:\windows\SET54.tmp

2009-02-13 13:43 1,042,903 a----r-- c:\windows\SET50.tmp

2009-02-13 13:21 13,753 a----r-- c:\windows\SET62.tmp

2009-02-13 13:21 1,086,058 a----r-- c:\windows\SET56.tmp

2009-02-13 13:21 1,042,903 a----r-- c:\windows\SET53.tmp

2009-02-13 13:01 <DIR> --d----- c:\documents and settings\administrator.ztekcorp\.etomipro

2009-02-13 13:01 <DIR> --d----- c:\documents and settings\administrator.ztekcorp\Shared

2009-02-13 12:33 288 a------- c:\windows\_delis32.ini

2009-02-13 12:25 <DIR> --d----- c:\program files\common files\Logitech

2009-02-11 00:59 <DIR> --d----- C:\SmitfraudFix

2009-02-10 16:35 5,365 a------- c:\windows\system32\uacinit.dll

2009-02-10 16:34 2 a------- C:\140099117

2009-02-10 16:33 301,568 a------- c:\windows\system32\ddcDssTn.dll.vir

2009-02-10 14:39 161,792 a------- c:\windows\SWREG.exe

2009-02-10 14:39 98,816 a------- c:\windows\sed.exe

2009-02-10 00:04 2,150 a------- c:\windows\system32\ssmute.ini

2009-02-10 00:04 <DIR> --d----- c:\program files\interMute

2009-02-09 23:40 <DIR> --d----- C:\Arrakis

2009-02-09 23:39 86,016 a------- c:\windows\unvise32.exe

2009-02-09 23:23 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)

2009-02-09 23:23 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)

2009-02-09 23:23 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)

2009-02-09 23:23 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)

2009-02-09 23:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2009-02-09 23:21 <DIR> --d----- c:\program files\Spybot - Search & Destroy

2009-02-09 20:04 <DIR> --d----- c:\program files\Open Adder1

2009-02-09 16:47 1,476 a------- c:\windows\zdickxvv

2009-02-09 16:47 25,088 a------- c:\windows\system32\drivers\icfobwmy.sys

2009-02-09 16:47 306,176 a------- c:\windows\system32\hgGwTnmN.dll

2009-02-09 16:36 <DIR> --d----- c:\program files\Sickest Adder v2.1

2009-02-09 15:46 <DIR> --d----- c:\program files\Drastic Promo

2009-02-09 13:50 101,888 a------- c:\windows\system32\VB6STKIT.DLL

2009-02-09 13:50 <DIR> --d----- c:\program files\Open Adder

2009-02-07 01:00 0 a------- C:\huff_value.dat

2009-02-05 18:54 320,967 a------- C:\DSC-SNOWMBLE-LOOPTRIP-JAN22090121_lzn.jpg

2009-02-05 18:53 2,925,853 a------- C:\DSC-SNOWMBLE-LOOPTRIP-JAN22090121-0121.JPG

2009-02-05 12:52 186,105,851 a------- C:\DSC-SADDLEBCK-MLKDAYSKI-JAN19090165-0165.MPG

2009-02-05 12:42 <DIR> --d----- c:\windows\system32\vmm32

2009-02-05 12:17 <DIR> --d----- c:\program files\nLite

2009-02-04 17:39 144,896 a------- c:\windows\system32\staco.dll

2009-02-04 17:38 <DIR> --d----- c:\program files\SigmaTel

2009-02-04 17:34 <DIR> --d----- C:\dell

2009-02-04 17:01 16,384 ac------ c:\windows\system32\dllcache\isignup.exe

2009-02-04 17:01 32,768 ac------ c:\windows\system32\dllcache\icwdl.dll

2009-02-04 17:01 214,528 ac------ c:\windows\system32\dllcache\icwconn1.exe

2009-02-04 17:01 86,016 ac------ c:\windows\system32\dllcache\icwconn2.exe

2009-02-04 17:01 20,480 ac------ c:\windows\system32\dllcache\inetwiz.exe

2009-02-04 16:49 13,753 a----r-- c:\windows\SET70.tmp

2009-02-04 16:49 1,086,058 a----r-- c:\windows\SET64.tmp

2009-02-04 16:49 1,042,903 a----r-- c:\windows\SET61.tmp

2009-02-04 11:40 2,145,386,496 a------- c:\windows\MEMORY.DMP

2009-02-02 22:11 1,048 a------- c:\windows\aeditor.INI

2009-02-02 21:05 862 a------- c:\windows\ULEAD32.INI

2009-02-02 20:33 <DIR> --d----- c:\program files\SmartSound Software

2009-02-02 20:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SmartSound Software Inc

2009-02-02 20:32 87 a------- c:\windows\dswplug.ini

2009-02-02 20:32 <DIR> --d----- C:\MSP8 Preview Files

2009-02-02 20:32 73,728 a------- c:\windows\system32\mplaw7.dll

2009-02-02 20:32 73,728 a------- c:\windows\system32\mplaa6.dll

2009-02-02 20:32 61,440 a------- c:\windows\system32\mplam6.dll

2009-02-02 20:32 19,968 a------- c:\windows\system32\cpuinf32.dll

2009-02-02 20:31 <DIR> --d----- c:\program files\common files\SONY Digital Images

2009-02-02 20:31 <DIR> --d----- c:\program files\Ulead Systems

2009-02-02 20:31 <DIR> --d----- c:\program files\common files\Ulead Systems

2009-02-02 20:30 <DIR> --d----- c:\windows\system32\windows media

2009-02-02 20:30 <DIR> --d----- c:\windows\RegisteredPackages

2009-02-02 20:30 <DIR> --d-h--- c:\windows\msdownld.tmp

2009-02-02 20:30 <DIR> --d----- c:\program files\Windows Media Components

==================== Find3M ====================

2009-02-23 22:54 22,736 a------- c:\windows\system32\emptyregdb.dat

2008-10-17 13:52 47,360 a------- c:\docume~1\admini~1.zte\applic~1\pcouffin.sys

============= FINISH: 19:49:31.39 ===============

ATTACH.TXT


2009-02-02 20:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SmartSound Software Inc

2009-02-02 20:32 87 a------- c:\windows\dswplug.ini

2009-02-02 20:32 <DIR> --d----- C:\MSP8 Preview Files

2009-02-02 20:32 73,728 a------- c:\windows\system32\mplaw7.dll

2009-02-02 20:32 73,728 a------- c:\windows\system32\mplaa6.dll

2009-02-02 20:32 61,440 a------- c:\windows\system32\mplam6.dll

2009-02-02 20:32 19,968 a------- c:\windows\system32\cpuinf32.dll

2009-02-02 20:31 <DIR> --d----- c:\program files\common files\SONY Digital Images

2009-02-02 20:31 <DIR> --d----- c:\program files\Ulead Systems

2009-02-02 20:31 <DIR> --d----- c:\program files\common files\Ulead Systems

2009-02-02 20:30 <DIR> --d----- c:\windows\system32\windows media

2009-02-02 20:30 <DIR> --d----- c:\windows\RegisteredPackages

2009-02-02 20:30 <DIR> --d-h--- c:\windows\msdownld.tmp

2009-02-02 20:30 <DIR> --d----- c:\program files\Windows Media Components

==================== Find3M ====================

2009-02-23 22:54 22,736 a------- c:\windows\system32\emptyregdb.dat

2008-10-17 13:52 47,360 a------- c:\docume~1\admini~1.zte\applic~1\pcouffin.sys

============= FINISH: 19:49:31.39 ===============


  • Root Admin

Please click on START-RUN and type in MSCONFIG and make sure it is set to NORMAL if it's not then set it to NORMAL and reboot the computer.

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::

Folder::
C:\140099117

File::
c:\windows\SET69.tmp
c:\windows\SET65.tmp
c:\windows\SET77.tmp
c:\windows\SET57.tmp
c:\windows\SET52.tmp
c:\windows\SET68.tmp
c:\windows\SET55.tmp
c:\windows\SET51.tmp
c:\windows\SET63.tmp
c:\windows\SET54.tmp
c:\windows\SET50.tmp
c:\windows\SET60.tmp
c:\windows\SET56.tmp
c:\windows\SET53.tmp
c:\windows\SET62.tmp
c:\windows\_delis32.ini
c:\windows\system32\uacinit.dll
c:\windows\system32\ddcDssTn.dll.vir
c:\windows\system32\hgGwTnmN.dll
c:\windows\system32\drivers\icfobwmy.sys
c:\windows\zdickxvv
C:\huff_value.dat
c:\windows\imsins.BAK
c:\windows\SET64.tmp
c:\windows\SET61.tmp
c:\windows\SET70.tmp
c:\windows\MEMORY.DMP


Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"=-

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
    When the scan completes Notepad will open with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.
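For readers following the CFScript procedure above, here is an added example (not ComboFix's own code, and not part of the original post) that parses a script in the format shown (the KILLALL::, Folder::, File:: and Registry:: sections) into a dry-run plan, so you can review exactly what a script would delete before dropping it on ComboFix. It assumes those section names as they appear in the post and treats "name"=- under a [key] as "delete that value", which is the .reg-file convention the Registry:: section follows; the sample script is a shortened, constructed copy of the one above.

```python
"""Parse a ComboFix CFScript into a dry-run plan (added example, not ComboFix code)."""
import re
from dataclasses import dataclass, field

# A section header is a bare word followed by two colons, e.g. "File::".
SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
# Registry:: lines alternate between "[key]" headers and '"name"=value' entries.
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"(.*)"=(.*)$')
# Windows absolute path: drive letter, colon, backslash.
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Constructed, shortened copy of the script in the post above.
SAMPLE_SCRIPT = r"""
KILLALL::

Folder::
C:\140099117

File::
c:\windows\SET69.tmp
c:\windows\system32\uacinit.dll
c:\windows\zdickxvv

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"=-
"""


@dataclass
class CFScriptPlan:
    killall: bool = False                      # KILLALL:: present: processes are terminated first
    folders: list = field(default_factory=list)
    files: list = field(default_factory=list)
    registry_deletes: list = field(default_factory=list)  # (key, value_name) pairs
    unknown: list = field(default_factory=list)           # (section, line) we could not classify


def parse_cfscript(text: str) -> CFScriptPlan:
    """Walk the script line by line, tracking the current section and registry key."""
    plan = CFScriptPlan()
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # blank lines are allowed anywhere in the script
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            current_key = None
            if section == "KILLALL":
                plan.killall = True
            continue
        if section == "Folder":
            plan.folders.append(line)
        elif section == "File":
            plan.files.append(line)
        elif section == "Registry":
            km = REG_KEY_RE.match(line)
            if km:
                current_key = km.group(1)
                continue
            vm = REG_VALUE_RE.match(line)
            # '"name"=-' under a key means "delete this value" (.reg convention).
            if vm and current_key and vm.group(2) == "-":
                plan.registry_deletes.append((current_key, vm.group(1)))
            else:
                plan.unknown.append((section, line))
        else:
            plan.unknown.append((section, line))
    return plan


def invalid_targets(plan: CFScriptPlan) -> list:
    """Return file/folder entries that are not absolute Windows paths (typos, stray text)."""
    return [p for p in plan.folders + plan.files if not ABS_PATH_RE.match(p)]


if __name__ == "__main__":
    plan = parse_cfscript(SAMPLE_SCRIPT)
    print("kill all processes first:", plan.killall)
    print("folders to remove:", plan.folders)
    print("files to remove:", plan.files)
    print("registry values to delete:", plan.registry_deletes)
    print("entries that look wrong:", invalid_targets(plan) or "none")
```

Run it on the script you intend to use before saving it as CFscript.txt; anything that lands in `unknown` or `invalid_targets` is usually a paste error (a wrapped line, a missing section header) and would be silently ignored or misapplied by the real tool.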
