
Referred here (ComboFix log included)


jay2009


ComboFix 09-03-02.01 - Administrator 2009-03-02 23:50:49.5 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3574.3034 [GMT -5:00]

Running from: c:\documents and settings\administrator.ZTEKCORP\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\administrator.ZTEKCORP\Desktop\CFscript.txt

AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)

* Created a new restore point

* Resident AV is active

FILE ::

C:\huff_value.dat

c:\windows\_delis32.ini

c:\windows\imsins.BAK

c:\windows\MEMORY.DMP

c:\windows\SET50.tmp

c:\windows\SET51.tmp

c:\windows\SET52.tmp

c:\windows\SET53.tmp

c:\windows\SET54.tmp

c:\windows\SET55.tmp

c:\windows\SET56.tmp

c:\windows\SET57.tmp

c:\windows\SET60.tmp

c:\windows\SET61.tmp

c:\windows\SET62.tmp

c:\windows\SET63.tmp

c:\windows\SET64.tmp

c:\windows\SET65.tmp

c:\windows\SET68.tmp

c:\windows\SET69.tmp

c:\windows\SET70.tmp

c:\windows\SET77.tmp

c:\windows\system32\ddcDssTn.dll.vir

c:\windows\system32\drivers\icfobwmy.sys

c:\windows\system32\hgGwTnmN.dll

c:\windows\system32\uacinit.dll

c:\windows\zdickxvv

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\140099117\

C:\huff_value.dat

c:\windows\_delis32.ini

c:\windows\imsins.BAK

c:\windows\MEMORY.DMP

c:\windows\SET50.tmp

c:\windows\SET51.tmp

c:\windows\SET52.tmp

c:\windows\SET53.tmp

c:\windows\SET54.tmp

c:\windows\SET55.tmp

c:\windows\SET56.tmp

c:\windows\SET57.tmp

c:\windows\SET60.tmp

c:\windows\SET61.tmp

c:\windows\SET62.tmp

c:\windows\SET63.tmp

c:\windows\SET64.tmp

c:\windows\SET65.tmp

c:\windows\SET68.tmp

c:\windows\SET69.tmp

c:\windows\SET70.tmp

c:\windows\SET77.tmp

c:\windows\system32\ddcDssTn.dll.vir

c:\windows\system32\drivers\icfobwmy.sys

c:\windows\system32\hgGwTnmN.dll

c:\windows\system32\uacinit.dll

c:\windows\zdickxvv

.

((((((((((((((((((((((((( Files Created from 2009-02-03 to 2009-03-03 )))))))))))))))))))))))))))))))

.

2009-02-28 00:07 . 2009-02-28 00:07 <DIR> d-------- c:\documents and settings\administrator.ZTEKCORP\JCap

2009-02-28 00:06 . 2009-02-28 00:06 <DIR> d-------- c:\program files\JCap

2009-02-27 23:52 . 2009-02-27 23:52 <DIR> d-------- c:\program files\Trend Micro

2009-02-26 18:58 . 2009-02-26 19:16 <DIR> d-------- c:\documents and settings\administrator.ZTEKCORP\Application Data\vlc

2009-02-26 16:53 . 2009-02-26 16:53 <DIR> d-------- c:\program files\FreshDevices

2009-02-26 13:49 . 2009-02-26 13:49 <DIR> d-------- c:\program files\CONEXANT

2009-02-26 13:49 . 2007-08-02 17:35 989,952 -ra------ c:\windows\system32\drivers\HSF_DPV.sys

2009-02-26 13:49 . 2007-08-02 17:34 731,136 -ra------ c:\windows\system32\drivers\HSF_CNXT.sys

2009-02-26 13:49 . 2007-07-24 15:08 217,088 -ra------ c:\windows\system32\UCI32M21.dll

2009-02-26 13:49 . 2007-08-02 17:34 211,200 -ra------ c:\windows\system32\drivers\HSFHWAZL.sys

2009-02-26 13:49 . 2007-09-06 14:04 143,891 --a------ c:\windows\system32\drivers\del1028.cty

2009-02-26 12:54 . 2009-02-26 12:54 <DIR> d-------- C:\usbdriver

2009-02-26 00:07 . 2009-02-26 00:07 <DIR> d-------- c:\program files\Broadcom

2009-02-23 23:33 . 2008-02-15 19:45 172,032 --a------ c:\windows\system32\igfxres.dll

2009-02-23 22:59 . 2001-08-23 09:00 1,875,968 --a--c--- c:\windows\system32\dllcache\msir3jp.lex

2009-02-23 22:58 . 2001-08-23 09:00 13,463,552 --a--c--- c:\windows\system32\dllcache\hwxjpn.dll

2009-02-23 22:57 . 2004-05-13 00:39 876,653 --a--c--- c:\windows\system32\dllcache\fp4awel.dll

2009-02-23 22:55 . 2009-02-23 22:55 749 -rah----- c:\windows\WindowsShell.Manifest

2009-02-23 22:55 . 2009-02-23 22:55 749 -rah----- c:\windows\system32\wuaucpl.cpl.manifest

2009-02-23 22:55 . 2009-02-23 22:55 749 -rah----- c:\windows\system32\sapi.cpl.manifest

2009-02-23 22:55 . 2009-02-23 22:55 749 -rah----- c:\windows\system32\nwc.cpl.manifest

2009-02-23 22:55 . 2009-02-23 22:55 749 -rah----- c:\windows\system32\ncpa.cpl.manifest

2009-02-23 22:55 . 2009-02-23 22:55 488 -rah----- c:\windows\system32\logonui.exe.manifest

2009-02-23 03:10 . 2009-02-23 03:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-02-23 02:25 . 2009-02-23 21:29 <DIR> d-------- c:\program files\SUPERAntiSpyware

2009-02-23 02:25 . 2009-02-23 02:25 <DIR> d-------- c:\documents and settings\administrator.ZTEKCORP\Application Data\SUPERAntiSpyware.com

2009-02-18 20:35 . 2009-02-18 22:52 <DIR> d-------- C:\DSC-BAK

2009-02-16 12:16 . 2009-02-16 12:54 <DIR> d-------- C:\UBCD4Win

2009-02-16 11:48 . 2009-02-16 11:54 <DIR> d-------- C:\XPCDSP2

2009-02-16 01:15 . 2009-01-29 10:25 64,959,349 --a------ C:\DSC-NCR-SUGARLOAF-WWWWEEK-JAN28-29090456-0456.MPG

2009-02-15 22:31 . 2009-02-15 22:31 95,869 --a------ C:\kdk_0150.jpg

2009-02-15 18:05 . 2009-02-15 18:50 <DIR> d-------- c:\documents and settings\administrator.ZTEKCORP\DoctorWeb

2009-02-15 13:46 . 2008-12-17 01:00 768,024 --a------ c:\windows\system32\drivers\lvrs.sys

2009-02-15 13:46 . 2008-12-17 00:55 195,096 --a------ c:\windows\system32\lvci11901262.dll

2009-02-15 13:34 . 2009-02-15 13:47 <DIR> d-------- c:\program files\Common Files\LogiShrd

2009-02-15 13:34 . 2008-12-17 00:53 2,686,104 --a------ c:\windows\system32\drivers\LV302V32.SYS

2009-02-15 13:34 . 2008-12-17 01:00 494,104 --a------ c:\windows\system32\LVUI2.dll

2009-02-15 13:34 . 2008-12-17 01:01 432,664 --a------ c:\windows\system32\LVUI2RC.dll

2009-02-15 13:34 . 2008-12-17 00:55 416,280 --a------ c:\windows\system32\lvcodec2.dll

2009-02-15 13:34 . 2007-10-11 20:57 195,096 --a------ c:\windows\system32\lvci1150.dll

2009-02-15 13:34 . 2008-12-17 00:37 81,110 --a------ c:\windows\system32\lvcoinst.ini

2009-02-15 13:34 . 2008-12-17 01:01 41,752 --a------ c:\windows\system32\drivers\LVUSBSta.sys

2009-02-15 13:34 . 2008-12-17 00:37 29,562 --a------ c:\windows\system32\Repository.reg

2009-02-15 13:34 . 2008-12-17 00:53 13,848 --a------ c:\windows\system32\drivers\lv302af.sys

2009-02-14 23:07 . 2009-03-02 21:53 <DIR> d-------- C:\lzscratch

2009-02-14 00:08 . 2009-02-14 00:08 76 -rahs---- c:\windows\CT4CET.bin

2009-02-14 00:07 . 2009-02-14 00:08 <DIR> d-------- c:\program files\Creative

2009-02-14 00:07 . 2007-02-14 12:27 5,627,904 --a------ c:\windows\system32\LiveCamVirtual.ocx

2009-02-13 19:17 . 2009-02-13 19:17 <DIR> d-------- c:\program files\R-Studio

2009-02-13 17:39 . 2007-05-10 10:23 4,952,064 --a------ c:\windows\system32\stacgui.cpl

2009-02-13 17:39 . 2007-04-10 17:02 1,601,536 --a------ c:\windows\system32\stlang.dll

2009-02-13 17:39 . 2007-05-10 10:22 405,504 --a------ c:\windows\stsystra.exe

2009-02-13 17:32 . 2007-05-10 10:23 270,336 --a------ c:\windows\system32\stacapi.dll

2009-02-13 13:20 . 2009-02-13 13:20 <DIR> d---s---- c:\windows\system32\config\systemprofile\History

2009-02-13 13:01 . 2009-02-13 13:01 <DIR> d-------- c:\documents and settings\administrator.ZTEKCORP\Shared

2009-02-13 13:01 . 2009-02-13 13:01 <DIR> d-------- c:\documents and settings\administrator.ZTEKCORP\.etomipro

2009-02-13 12:25 . 2009-02-13 12:33 <DIR> d-------- c:\program files\Common Files\Logitech

2009-02-13 11:57 . 2009-02-15 13:46 <DIR> d-------- c:\program files\Logitech

2009-02-11 00:59 . 2009-02-16 09:56 <DIR> d-------- C:\SmitfraudFix

2009-02-10 16:34 . 2009-02-10 16:34 2 --a------ C:\140099117

2009-02-10 00:04 . 2009-02-10 00:04 <DIR> d-------- c:\program files\interMute

2009-02-10 00:04 . 2009-02-10 00:04 2,150 --a------ c:\windows\system32\ssmute.ini

2009-02-09 23:40 . 2009-02-09 23:40 <DIR> d-------- C:\Arrakis

2009-02-09 23:39 . 1999-12-17 10:13 86,016 --a------ c:\windows\unvise32.exe

2009-02-09 23:23 . 2009-02-09 23:23 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)

2009-02-09 23:23 . 2009-02-09 23:23 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)

2009-02-09 23:23 . 2009-02-09 23:23 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)

2009-02-09 23:23 . 2009-02-09 23:23 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)

2009-02-09 23:21 . 2009-02-26 18:53 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-02-09 23:21 . 2009-02-26 18:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-02-09 20:04 . 2009-02-09 22:15 <DIR> d-------- c:\program files\Open Adder1

2009-02-09 16:36 . 2009-02-09 16:47 <DIR> d-------- c:\program files\Sickest Adder v2.1

2009-02-09 15:46 . 2009-02-09 16:48 <DIR> d-------- c:\program files\Drastic Promo

2009-02-09 13:50 . 2009-02-09 16:48 <DIR> d-------- c:\program files\Open Adder

2009-02-09 13:50 . 2000-07-15 00:00 101,888 --a------ c:\windows\system32\VB6STKIT.DLL

2009-02-05 18:54 . 2009-02-05 18:54 320,967 --a------ C:\DSC-SNOWMBLE-LOOPTRIP-JAN22090121_lzn.jpg

2009-02-05 18:53 . 2009-01-22 16:24 2,925,853 --a------ C:\DSC-SNOWMBLE-LOOPTRIP-JAN22090121-0121.JPG

2009-02-05 12:52 . 2009-01-19 14:10 186,105,851 --a------ C:\DSC-SADDLEBCK-MLKDAYSKI-JAN19090165-0165.MPG

2009-02-05 12:42 . 2009-02-05 12:42 <DIR> d-------- c:\windows\system32\vmm32

2009-02-05 12:17 . 2009-02-05 13:17 <DIR> d-------- c:\program files\nLite

2009-02-05 11:58 . 2009-02-05 12:35 <DIR> d-------- c:\program files\Intel

2009-02-04 17:39 . 2007-05-06 17:11 144,896 --a------ c:\windows\system32\staco.dll

2009-02-04 17:38 . 2009-02-04 17:38 <DIR> d-------- c:\program files\SigmaTel

2009-02-04 17:35 . 2009-02-04 17:35 <DIR> d-------- c:\program files\DIFX

2009-02-04 17:34 . 2009-02-04 17:34 <DIR> d-------- C:\dell

2009-02-04 17:01 . 2004-08-03 19:56 214,528 --a--c--- c:\windows\system32\dllcache\icwconn1.exe

2009-02-04 17:01 . 2004-08-03 19:56 86,016 --a--c--- c:\windows\system32\dllcache\icwconn2.exe

2009-02-04 17:01 . 2004-08-03 19:56 32,768 --a--c--- c:\windows\system32\dllcache\icwdl.dll

2009-02-04 17:01 . 2004-08-03 19:56 20,480 --a--c--- c:\windows\system32\dllcache\inetwiz.exe

2009-02-04 17:01 . 2001-08-23 09:00 16,384 --a--c--- c:\windows\system32\dllcache\isignup.exe

2009-02-04 15:55 . 2009-02-04 15:55 <DIR> d-------- c:\documents and settings\adminoverride\Application Data\Canneverbe_Limited

2009-02-04 15:54 . 2009-02-04 15:54 <DIR> d-------- c:\documents and settings\adminoverride\Application Data\vlc

2009-02-04 15:50 . 2009-02-04 15:50 <DIR> d-------- c:\documents and settings\adminoverride\Application Data\VMware

2009-02-04 15:50 . 2009-02-04 15:50 <DIR> d-------- c:\documents and settings\adminoverride\Application Data\tmp

2009-02-04 15:50 . 2009-02-04 15:50 <DIR> d-------- c:\documents and settings\adminoverride\Application Data\Reallusion

2009-02-04 15:50 . 2009-02-04 15:50 <DIR> d-------- c:\documents and settings\adminoverride

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-03 04:57 --------- d-----w c:\documents and settings\administrator.ZTEKCORP\Application Data\VMware

2009-02-28 05:07 --------- d-----w c:\program files\Java

2009-02-26 23:52 --------- d-----w c:\program files\BigSpeed Zipper

2009-02-24 04:33 --------- d-----w c:\documents and settings\Administrator\Application Data\VMware

2009-02-23 07:25 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-02-16 03:52 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!

2009-02-15 18:46 --------- d-----w c:\documents and settings\All Users\Application Data\Logishrd

2009-02-14 05:07 --------- d--h--w c:\program files\InstallShield Installation Information

2009-02-14 05:07 --------- d-----w c:\program files\DELL

2009-02-14 05:07 --------- d-----w c:\program files\Creative Live! Cam

2009-02-13 16:54 --------- d-----w c:\program files\Pcsx2_0.9.4

2009-02-11 06:39 --------- d-----w c:\program files\DAEMON Tools

2009-02-10 22:45 --------- d-----w c:\program files\Blaze Media Pro

2009-02-09 22:11 --------- d-----w c:\program files\ESET

2009-02-05 16:32 --------- d-----w c:\documents and settings\administrator.ZTEKCORP\Application Data\TeamViewer

2009-02-03 22:59 --------- d-----w c:\program files\Piolet

2009-02-03 22:32 --------- d-----w c:\documents and settings\LocalService\Application Data\VMware

2009-02-03 22:32 --------- d-----w c:\documents and settings\All Users\Application Data\VMware

2009-02-03 01:50 --------- d-----w c:\documents and settings\administrator.ZTEKCORP\Application Data\Ulead Systems

2009-02-03 01:42 --------- d-----w c:\program files\Ulead Systems

2009-02-03 01:42 --------- d-----w c:\program files\Common Files\Ulead Systems

2009-02-03 01:35 --------- d-----w c:\documents and settings\All Users\Application Data\Ulead Systems

2009-02-03 01:33 --------- d-----w c:\program files\SmartSound Software

2009-02-03 01:33 --------- d-----w c:\documents and settings\All Users\Application Data\SmartSound Software Inc

2009-02-03 01:32 --------- d-----w c:\documents and settings\All Users\Application Data\QuickTime

2009-02-03 01:31 --------- d-----w c:\program files\Common Files\SONY Digital Images

2009-02-03 01:30 --------- d-----w c:\program files\Windows Media Components

2009-01-28 04:52 --------- d-----w c:\program files\Avid

2009-01-27 21:06 --------- d-----w c:\program files\Common Files\Avid

2009-01-27 21:06 --------- d-----w c:\program files\AviSynth 2.5

2009-01-27 14:20 --------- d-----w c:\documents and settings\All Users\Application Data\Avid

2009-01-27 14:20 --------- d-----w c:\documents and settings\administrator.ZTEKCORP\Application Data\Avid

2009-01-27 10:57 --------- d-----w c:\program files\Common Files\Digidesign

2009-01-27 10:54 --------- d-----w c:\program files\Common Files\PACE Anti-Piracy

2009-01-27 10:54 --------- d-----w c:\documents and settings\All Users\Application Data\PACE Anti-Piracy

2009-01-27 10:54 --------- d-----w c:\documents and settings\administrator.ZTEKCORP\Application Data\PACE Anti-Piracy

2009-01-27 10:53 --------- d-----w c:\program files\SafeNet Sentinel

2009-01-27 10:53 --------- d-----w c:\program files\InterLok

2009-01-27 10:53 --------- d-----w c:\program files\Digidesign

2009-01-27 10:53 --------- d-----w c:\program files\Common Files\SafeNet Sentinel

2009-01-27 10:53 --------- d-----w c:\documents and settings\administrator.ZTEKCORP\Application Data\InstallShield

2009-01-27 06:10 --------- dc-h--w c:\documents and settings\All Users\Application Data\{DE097E60-7F86-4350-B083-1F09B6906C92}

2009-01-27 04:30 --------- d-----w c:\documents and settings\administrator.ZTEKCORP\Application Data\.BitTornado

2009-01-24 02:12 --------- d-----w c:\documents and settings\administrator.ZTEKCORP\Application Data\dvdcss

2009-01-23 17:36 --------- d-----w c:\program files\Red Kawa

2009-01-23 14:53 --------- d-----w c:\program files\TeamViewer

2009-01-23 04:58 --------- d-----w c:\program files\TightVNC

2009-01-18 15:52 --------- d-----w c:\documents and settings\administrator.ZTEKCORP\Application Data\AdobeUM

2009-01-06 04:22 --------- d-----w c:\documents and settings\administrator.ZTEKCORP\Application Data\LightZone

2009-01-06 01:40 --------- d-----w c:\program files\LightZone 3

2009-01-06 01:40 --------- d-----w c:\program files\Common Files\eSellerate

2008-10-17 18:52 47,360 ----a-w c:\documents and settings\administrator.ZTEKCORP\Application Data\pcouffin.sys

2006-06-16 01:33 233,472 ----a-w c:\program files\mozilla firefox\plugins\CrazyTalk4Native.dll

2006-05-25 23:43 204,895 ----a-w c:\program files\mozilla firefox\plugins\ctdomemhelper.dll

2005-09-29 19:41 77,824 ----a-w c:\program files\mozilla firefox\plugins\ctframeplayerobject.dll

2006-06-19 18:10 426,081 ----a-w c:\program files\mozilla firefox\plugins\ctplayerobject.dll

2005-02-02 17:19 458,752 ----a-w c:\program files\mozilla firefox\plugins\imagickrt.dll

2006-04-10 23:35 139,264 ----a-w c:\program files\mozilla firefox\plugins\rlcontentclass.dll

2005-11-09 16:10 204,800 ----a-w c:\program files\mozilla firefox\plugins\RLMusicPacker.dll

2005-11-09 16:42 106,496 ----a-w c:\program files\mozilla firefox\plugins\RLMusicUnpacker.dll

2006-01-04 16:22 212,992 ----a-w c:\program files\mozilla firefox\plugins\RLVoicePacker.dll

2006-01-04 16:21 167,936 ----a-w c:\program files\mozilla firefox\plugins\RLVoiceUnpacker.dll

.

((((((((((((((((((((((((((((( SnapShot_2009-02-27_23.15.07.90 )))))))))))))))))))))))))))))))))))))))))

.

- 2009-02-28 03:52:42 61,128 ----a-w c:\windows\system32\perfc009.dat

+ 2009-03-01 00:25:24 61,128 ----a-w c:\windows\system32\perfc009.dat

- 2009-02-28 03:52:42 396,992 ----a-w c:\windows\system32\perfh009.dat

+ 2009-03-01 00:25:24 396,992 ----a-w c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\c2c8aca3-b0b5-4af9-aaaa-403e4fc1278d.exe" [2008-11-17 1805552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]

"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-10 36864]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]

"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2008-05-15 72240]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-07-23 15:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"MIDI2"= diomidi.dll

"wave2"= Digi32.dll

"Msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm

"msacm.mpegacm"= mpegacm.acm

"msacm.ulmp3acm"= ulmp3acm.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LemonScreen.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\LemonScreen.lnk

backup=c:\windows\pss\LemonScreen.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk

backup=c:\windows\pss\SpySubtract.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]

--a------ 2007-07-02 12:29 159744 c:\program files\DellTPad\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]

--a------ 2007-10-09 19:17 2183168 c:\windows\system32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

--a------ 2006-09-14 15:09 157592 c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DELL Webcam Manager]

--a------ 2007-06-07 11:14 118784 c:\program files\DELL\DELL Webcam Manager\DellWMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HijackThis startup scan]

--a------ 2006-11-21 08:01 218112 c:\data storage\software\AV-removal\hijackthis\HijackThis.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

--a------ 2008-02-28 16:32 166424 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

--a------ 2008-02-28 16:32 141848 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

--a------ 2005-02-16 15:15 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]

--a------ 2008-12-20 07:50 2656528 c:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]

--a------ 2009-02-04 16:57 4363504 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OEM02Mon.exe]

--a------ 2007-05-10 01:01 36864 c:\windows\OEM02Mon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]

--a------ 2008-02-28 16:32 137752 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]

--a------ 2007-05-10 10:22 405504 c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMware hqtray]

--a------ 2008-05-15 23:51 55856 c:\program files\VMware\VMware Workstation\hqtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vmware-tray]

--a------ 2008-05-15 23:51 72240 c:\program files\VMware\VMware Workstation\vmware-tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"sp_rssrv"=2 (0x2)

"wltrysvc"=2 (0x2)

"LVPrcSrv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"="0x00000000"

"UpdatesDisableNotify"="0x00000000"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\DELL\\MediaDirect\\PCMService.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-06-10 34312]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-11-17 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-11-17 55024]

R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [2009-01-27 11776]

R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-06-10 468224]

R3 OEM02Afx;Provides a software interface to control audio effects of OEM002 camera.;c:\windows\system32\drivers\OEM02Afx.sys [2009-02-13 141376]

R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2009-02-13 235648]

R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2009-02-13 7424]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408]

S3 samhid;samhid;c:\windows\system32\drivers\Samhid.sys [2008-09-29 7548]

S4 gearsec;gearsec;c:\windows\system32\gearsec.exe [2003-12-01 53248]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

TCP: {0E8290C2-400F-4312-96E0-35667CE879F7} = 192.168.1.1,4.2.2.2

TCP: {1414EC86-24E2-4125-A830-017786A7F9EF} = 192.168.1.2,4.2.2.2

TCP: {29BBAE27-D70B-4D9A-B104-2D8D9C8D4D82} = 4.2.2.2,192.168.1.2

FF - ProfilePath - c:\documents and settings\administrator.ZTEKCORP\Application Data\Mozilla\Firefox\Profiles\47qtbje0.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\program files\Mozilla Firefox\plugins\npRLCT4Player.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll

FF - plugin: c:\program files\Picasa2\npPicasa2.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-02 23:56:38

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(896)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\DellTPad\ApMsgFwd.exe

c:\program files\DellTPad\hidfind.exe

c:\program files\DellTPad\ApntEx.exe

.

**************************************************************************

.

Completion time: 2009-03-03 0:01:53 - machine was rebooted

ComboFix-quarantined-files.txt 2009-03-03 05:00:35

ComboFix2.txt 2009-03-01 00:47:06

ComboFix3.txt 2009-02-28 04:18:08

ComboFix4.txt 2009-02-10 21:37:29

Pre-Run: 70,717,857,792 bytes free

Post-Run: 70,703,038,464 bytes free

371 --- E O F --- 2008-08-09 17:24:04


UPDATE:

OK, I loaded it in normal mode; everything under the sun came up when I logged back in (all the useless stuff I had long since disabled).

FYI: the PC DID NOT freeze on login, so that's a good thing, I guess.

What's next?

Standing by (as soon as you give me the green light I am going to disable all this junk, as it slows the PC down on reboot, which is crap anyway).

Thanks, and standing by...


Root Admin

Removing it from startup with a tool like AutoRuns from Microsoft or by removing the entry in the Startup folder or Registry is better than having MSCONFIG running all the time.

Okay, let's run an Anti-Virus scan now.

Please download to your Desktop: Dr.Web CureIt

  • After the file has downloaded, disable your current anti-virus and disconnect from the Internet.
  • Double-click the drweb-cureit.exe file, then click the Start button, then the OK button to perform an Express Scan.
  • This will scan the files currently running in memory; when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, click on the Complete scan radio button.
  • Then click on the Settings menu on top, then select Change Settings or press the F9 key. You can also change the language.
  • Choose the Scanning tab; I recommend leaving Heuristic analysis enabled (this can lead to false positives, though).
  • On the File types tab ensure you select All files.
  • Click on the Actions tab and set the following:
    • Objects: Infected objects = Cure, Incurable objects = Move, Suspicious objects = Report
    • Infected packages: Archive = Move, E-mails = Report, Containers = Move
    • Malware: Adware = Move, Dialers = Move, Jokes = Move, Riskware = Move, Hacktools = Move
    • Do not change the Rename extension; the default is: #??
    • Leave the default save path for Moved files here: %USERPROFILE%\DoctorWeb\Quarantine\
    • Leave Prompt on Action checked
  • On the Log file tab leave Log to file checked.
  • Leave the log file path alone: %USERPROFILE%\DoctorWeb\CureIt.log
  • Log mode = Append
  • Encoding = ANSI
  • Details: leave Names of file packers and Statistics checked.
  • Limit log file size = 2048 KB, and leave the check mark on Maximum log file size.
  • On the General tab leave the Scan priority on High.
  • Click the Apply button at the bottom, and then the OK button.
  • On the right side under the Dr.Web Anti-Virus logo you will see 3 little buttons. Click the left VCR-style Start button.
  • In this mode it will scan boot sectors of all disks, all removable media, and all local drives.
  • The more files and folders you have, the longer the scan will take. On large drives it can take hours to complete.
  • When the Cure option is selected, an additional context menu will open. Select the action the program should take if the curing fails.
  • Click 'Yes to all' if it asks if you want to cure/move the files.
  • This will move it to the %USERPROFILE%\DoctorWeb\Quarantine\ folder if it can't be cured (in this case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your Desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer! Files in use may be moved/deleted during the reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously to your Desktop in your next reply, with a new HijackThis log.



As requested, the Dr.Web log:

********************************

ACT!603Update.exe/data002\\Bin\actdiag.exe;C:\data storage\software\Act! 6.0\ACT!603Update.exe/data002;Probably WIN.SCRIPT.Virus;;

data002;C:\data storage\software\Act! 6.0;Archive contains infected objects;;

ACT!603Update.exe;C:\data storage\software\Act! 6.0;Container contains infected objects;Moved.;

backup-20090210-000238-662.dll;C:\data storage\software\AV-removal\hijackthis\backups;Trojan.Packed.213;Deleted.;

backup-20090210-171913-923.dll;C:\data storage\software\AV-removal\hijackthis\backups;Trojan.Packed.213;Deleted.;

backup-20090210-172009-482.dll;C:\data storage\software\AV-removal\hijackthis\backups;Trojan.Packed.213;Deleted.;

adsgone.exe\data002;C:\data storage\software\popup tools\AdsGone Popup Killer Ad Stopper Spyware Blocker 5.3.5Build.16\adsgone.exe;Probably BACKDOOR.Trojan;;

adsgone.exe;C:\data storage\software\popup tools\AdsGone Popup Killer Ad Stopper Spyware Blocker 5.3.5Build.16;Archive contains infected objects;Moved.;

pcspy.exe\data002;C:\data storage\software\starr_commander\RSM\pcspy\pcspy.exe;Probably BACKDOOR.Trojan;;

pcspy.exe;C:\data storage\software\starr_commander\RSM\pcspy;Archive contains infected objects;Moved.;

default.asp;C:\data storage\web projects\Company Web sites\ZTEK Web Site\gallery\gallerybak\includes;Probably SCRIPT.Virus;Moved.;

default.asp;C:\data storage\web projects\Company Web sites\ZTEK Web Site\gallery\simpleaspgal\includes;Probably SCRIPT.Virus;Moved.;

UBCD4WinV322.exe\data938;C:\Documents and Settings\administrator.ZTEKCORP\My Documents\UBCD4WinV322.exe;Trojan.MulDrop.origin;;

UBCD4WinV322.exe\data994;C:\Documents and Settings\administrator.ZTEKCORP\My Documents\UBCD4WinV322.exe;Program.RemoteAdmin;;

UBCD4WinV322.exe;C:\Documents and Settings\administrator.ZTEKCORP\My Documents;Archive contains infected objects;Moved.;

UACbdtgwqln.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Trojan.Packed.365;Deleted.;

UAChhiacuau.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Trojan.Packed.365;Deleted.;

UACqmueeykr.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Probably Trojan.Packed.365;Moved.;

UACxppjuwvn.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Trojan.Packed.365;Deleted.;

A0000001.dll;C:\System Volume Information\_restore{75C7E736-B1C2-4B70-BFA9-22617734BF2E}\RP0;Trojan.Packed.365;Deleted.;

A0000002.dll;C:\System Volume Information\_restore{75C7E736-B1C2-4B70-BFA9-22617734BF2E}\RP0;Trojan.Packed.365;Deleted.;

A0000003.dll;C:\System Volume Information\_restore{75C7E736-B1C2-4B70-BFA9-22617734BF2E}\RP0;Trojan.Packed.365;Deleted.;

A0000004.dll;C:\System Volume Information\_restore{75C7E736-B1C2-4B70-BFA9-22617734BF2E}\RP0;Probably Trojan.Packed.365;Moved.;

A0001060.bat;C:\System Volume Information\_restore{75C7E736-B1C2-4B70-BFA9-22617734BF2E}\RP0;Probably BATCH.Virus;Moved.;

A0001078.EXE;C:\System Volume Information\_restore{75C7E736-B1C2-4B70-BFA9-22617734BF2E}\RP0;Program.PsExec.170;Moved.;

A0001277.bat;C:\System Volume Information\_restore{75C7E736-B1C2-4B70-BFA9-22617734BF2E}\RP2;Probably BATCH.Virus;Moved.;

A0001290.EXE;C:\System Volume Information\_restore{75C7E736-B1C2-4B70-BFA9-22617734BF2E}\RP2;Program.PsExec.170;Moved.;

A0001447.dll;C:\System Volume Information\_restore{75C7E736-B1C2-4B70-BFA9-22617734BF2E}\RP3;Probably Trojan.Packed.213;Moved.;

A0001462.bat;C:\System Volume Information\_restore{75C7E736-B1C2-4B70-BFA9-22617734BF2E}\RP3;Probably BATCH.Virus;Moved.;

A0001477.EXE;C:\System Volume Information\_restore{75C7E736-B1C2-4B70-BFA9-22617734BF2E}\RP3;Program.PsExec.170;Moved.;

A0001640.exe/data002\\Bin\actdiag.exe;C:\System Volume Information\_restore{75C7E736-B1C2-4B70-BFA9-22617734BF2E}\RP3\A0001640.exe/data002;Probably WIN.SCRIPT.Virus;;

data002;C:\System Volume Information\_restore{75C7E736-B1C2-4B70-BFA9-22617734BF2E}\RP3;Archive contains infected objects;;

A0001640.exe;C:\System Volume Information\_restore{75C7E736-B1C2-4B70-BFA9-22617734BF2E}\RP3;Container contains infected objects;Moved.;

A0001641.dll;C:\System Volume Information\_restore{75C7E736-B1C2-4B70-BFA9-22617734BF2E}\RP3;Trojan.Packed.213;Deleted.;

A0001642.dll;C:\System Volume Information\_restore{75C7E736-B1C2-4B70-BFA9-22617734BF2E}\RP3;Trojan.Packed.213;Deleted.;

A0001643.dll;C:\System Volume Information\_restore{75C7E736-B1C2-4B70-BFA9-22617734BF2E}\RP3;Trojan.Packed.213;Deleted.;

A0001644.exe\data002;C:\System Volume Information\_restore{75C7E736-B1C2-4B70-BFA9-22617734BF2E}\RP3\A0001644.exe;Probably BACKDOOR.Trojan;;

A0001644.exe;C:\System Volume Information\_restore{75C7E736-B1C2-4B70-BFA9-22617734BF2E}\RP3;Archive contains infected objects;Moved.;

A0001645.exe\data002;C:\System Volume Information\_restore{75C7E736-B1C2-4B70-BFA9-22617734BF2E}\RP3\A0001645.exe;Probably BACKDOOR.Trojan;;

A0001645.exe;C:\System Volume Information\_restore{75C7E736-B1C2-4B70-BFA9-22617734BF2E}\RP3;Archive contains infected objects;Moved.;

CurrProcess.exe;C:\UBCD4Win\BartPE\PROGRAMS\Applications;Tool.CurrProcess.110;Moved.;

VNCHooks.dll;C:\UBCD4Win\BartPE\PROGRAMS\Crossloop;Program.RemoteAdmin;Moved.;

winvnc.exe;C:\UBCD4Win\BartPE\PROGRAMS\Crossloop;Program.RemoteAdmin;Moved.;

ipscan.exe;C:\UBCD4Win\BartPE\PROGRAMS\IPScan;Tool.AngryIpscan;Moved.;

CurrProcess.exe;C:\UBCD4Win\oem1\GeoShell\files\Applications;Tool.CurrProcess.110;Moved.;

VNCHooks.dll;C:\UBCD4Win\plugin\Network\CrossLoop\files;Program.RemoteAdmin;Moved.;

winvnc.exe;C:\UBCD4Win\plugin\Network\CrossLoop\files;Program.RemoteAdmin;Moved.;

ipscan.exe;C:\UBCD4Win\plugin\Network\ipscan;Tool.AngryIpscan;Moved.;

vncviewer.exe;C:\UBCD4Win\plugin\Network\VNCServer;Program.RemoteAdmin.51;Moved.;

new HJT log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:39:28, on 03/05/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\DellTPad\Apoint.exe

C:\WINDOWS\OEM02Mon.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\VMware\VMware Workstation\vmware-tray.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Logitech\QuickCam\Quickcam.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\SUPERAntiSpyware\c2c8aca3-b0b5-4af9-aaaa-403e4fc1278d.exe

C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

C:\Program Files\DellTPad\ApMsgFwd.exe

C:\Program Files\DellTPad\HidFind.exe

C:\Program Files\DellTPad\Apntex.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\KeyLemon\LemonScreen\LemonScreen.exe

C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Creative Live! Cam\VideoFX\StartFX.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe

O4 - HKLM\..\Run: [OEM02Mon.exe] C:\WINDOWS\OEM02Mon.exe

O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe

O4 - HKLM\..\Run: [VMware hqtray] ; "C:\Program Files\VMware\VMware Workstation\hqtray.exe"

O4 - HKLM\..\Run: [SunJavaUpdateSched] ; "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [ISUSScheduler] ; "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [DAEMON Tools] ; "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\c2c8aca3-b0b5-4af9-aaaa-403e4fc1278d.exe

O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [HijackThis startup scan] C:\data storage\software\AV-removal\hijackthis\HijackThis.exe /startupscan

O4 - HKCU\..\Run: [DELL Webcam Manager] ; "C:\Program Files\DELL\DELL Webcam Manager\DellWMgr.exe" /s

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: LemonScreen.lnk = ?

O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ZTEK.corp

O17 - HKLM\Software\..\Telephony: DomainName = ZTEK.corp

O17 - HKLM\System\CCS\Services\Tcpip\..\{0E8290C2-400F-4312-96E0-35667CE879F7}: NameServer = 192.168.1.1,4.2.2.2

O17 - HKLM\System\CCS\Services\Tcpip\..\{1414EC86-24E2-4125-A830-017786A7F9EF}: NameServer = 192.168.1.2,4.2.2.2

O17 - HKLM\System\CCS\Services\Tcpip\..\{29BBAE27-D70B-4D9A-B104-2D8D9C8D4D82}: NameServer = 4.2.2.2,192.168.1.2

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ZTEK.corp

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ZTEK.corp

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ZTEK.corp

O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = ZTEK.corp

O17 - HKLM\System\CS5\Services\Tcpip\Parameters: Domain = ZTEK.corp

O17 - HKLM\System\CS6\Services\Tcpip\Parameters: Domain = ZTEK.corp

O17 - HKLM\System\CS7\Services\Tcpip\Parameters: Domain = ZTEK.corp

O17 - HKLM\System\CS8\Services\Tcpip\Parameters: Domain = ZTEK.corp

O17 - HKLM\System\CS9\Services\Tcpip\Parameters: Domain = ZTEK.corp

O17 - HKLM\System\CS10\Services\Tcpip\Parameters: Domain = ZTEK.corp

O17 - HKLM\System\CS11\Services\Tcpip\Parameters: Domain = ZTEK.corp

O17 - HKLM\System\CS12\Services\Tcpip\Parameters: Domain = ZTEK.corp

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--

End of file - 6475 bytes

After doing a Google search for the query "search for something else" I was able to click on up to 15 results and was brought to the correct page, BUT every few results after that brought up a clickfraudmanager redirect; however, when I hit back to leave the ad page, I was able to re-click and be directed to the right page once again. I don't know, but after all we have done I've got to think we might have to WIPE OUT FF to get rid of this part, but I am an IT analyst, not an AV wizard; that's your corner.

awaiting reply...


  • Root Admin

Well, as you can see from those logs, a couple of the entries can be restored from the Dr Web quarantine, as they are legit files but have the potential for danger; thus Dr Web moved them.

Well, don't forget that oftentimes a good search by you does not mean that Google/Yahoo has a good entry for it. If the link looks good but is high on the list due to so many users going there falsely, then it will appear to be a redirect, but in fact it was a link to a bogus entry.

Before we ever started cleaning your box I would assume that almost EVERY search was redirected to them and that's not the case now. Would that be a correct assumption?

Restore a couple of your files from Dr Web quarantine if you want or need them, like from ACT and UBCD4W.

Then remove Dr Web and the entire folder where it stores stuff.

Then reset your System Restore points.

Disable and Enable System Restore-WINDOWS XP

This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
  • Reboot.

Turn ON System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.

This will remove all restore points except the new one you just created.

Then empty your Anti-Virus quarantine, and MBAM quarantine.

Then delete all cookies, cache from FF and restart the computer and try some more searching and Web browsing and let me know how it goes.


You are correct, every search was hijacked; it's just that until this box was invaded I had never seen (or noticed) clickfraudmanager before.

As for the rest, I will do that today and let you know where we stand!

Thanks so much for the help!


  • 2 weeks later...
  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
