Mostly tons of pop-ups, MBAM got most of it [RESOLVED], Old computer given to me I'm putting on my network
Jay Worner
post Nov 28 2008, 11:23 AM
Post #1


Member
Posts: 55
From: Minnesota
OS: Windows Vista 64, VPC-Windows Server 2008



I just got an old Windows 2000 machine given to me. I added it to my network and, though it has a small hard drive, I would like to use it for something (don't know what yet).

When I first started it, it was a million pop-ups and craziness going on. So I did the prerequisites (ATF, MBAM, eudit etc...)
and also a full Windows Update. I want to make sure it's clear and up to par, and then maybe some suggestions on using it for a server or something (only 20 GB hard drive).

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:25:09 AM, on 11/28/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Quest Shared\Group Policy Extensions for Desktops\CSE\CSEHost.exe
C:\WINNT\Explorer.Exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Fairview IMS (Dec05)
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=C:\WINNT\Explorer.Exe
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: PeoplePC ScamGuard - {7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\ppctoolbar.dll_7.0.0.2.dll (file missing)
O2 - BHO: DictateBHO - {E12A882B-F14F-4440-9BC0-84A5EB766605} - C:\WINNT\DOWNLO~1\DICTAT~1.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: TouchWorks Dictate - {6F60C5C5-61B3-4378-8902-ED9497663AC9} - C:\WINNT\DOWNLO~1\DICTAT~1.DLL
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\ppctoolbar.dll_7.0.0.2.dll (file missing)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [System] C:\WINNT\system32\kernels1118.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINNT\system32\npwemunm.dll",setvm
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\djsi.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Printkey2000.lnk = C:\WIN2K\OTHER\Printkey2000.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1227891084148
O16 - DPF: {B7EA9615-586E-4193-9C3C-A29CA577E040} (DictateBandInstaller) - https://63.228.250.70/TouchWorks/DictateBar.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: NVDESK32.DLL,avgrsstx.dll
O20 - Winlogon Notify: bt848rom - bt848rom.dll (file missing)
O20 - Winlogon Notify: CSEWLPackage - C:\Program Files\Common Files\Quest Shared\Group Policy Extensions for Desktops\CSE\CSEWLPackage.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\oracle\ora81\BIN\ONRSD.EXE (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: ZipToA - Unknown owner - C:\WINNT\System32\ZipToA.exe (file missing)

--
End of file - 6413 bytes
fenzodahl512
post Nov 28 2008, 06:03 PM
Post #2


Trusted Helper
Posts: 9,210
OS: Windows XP



Hello, my name is fenzodahl512 and welcome to Geekstogo.. Please do the following...


Please download SDFix by Andy Manchesta and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please reboot into Safe Mode
  1. In Safe Mode, right click the SDFix.zip folder and choose Extract All.
  2. A new folder will be extracted to your %systemdrive%, typically C:\SDFix
  3. Open the extracted folder and double click RunThis.bat to start the script.
  4. Type Y to begin the script.
  5. It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  6. Press any Key and it will restart the PC.
  7. Your system will take longer than normal to restart as the fixtool will be running and removing files.
  8. When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  9. Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt along with any other requested logs at the end of these instructions.





NEXT


Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.
Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DO NOT mouseclick ComboFix's window while it's running. That may cause it to stall.




Post these logs in your next reply.. Post each log in separate post..

1. SDFix
2. ComboFix
3. A fresh HijackThis log
Jay Worner
post Nov 29 2008, 03:18 AM
Post #3


Member
Posts: 55
From: Minnesota
OS: Windows Vista 64, VPC-Windows Server 2008



Upon restart of SDFix I got an error dialog box stating:

    error loading c:\winnt\system32\npwemunm.dll

I'm sure it probably says it in the log; just thought I would let you know.


SDFix: Version 1.240
Run by Administrator on Sat 11/29/2008 at 3:02a

Microsoft Windows 2000 [Version 5.00.2195]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\o.exe - Deleted
C:\WINNT\system32\qvxga6met3.exe - Deleted
C:\WINNT\system32\qvxga7met4.exe - Deleted
C:\WINNT\system32\qvx5gamet2.exe - Deleted
C:\WINNT\system32\vxga4m1et4.exe - Deleted
C:\WINNT\system32\i - Deleted



Folder C:\Documents and Settings\All Users\Documents\Settings - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-29 03:06:09
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 7 Jul 2008 74 ..SH. --- "C:\WINNT\SYSTEM32\qstss.tmp"
Tue 25 Jan 2000 42,768 A.SHR --- "C:\WINNT\SYSTEM32\DLLCACHE\webhits.dll.tmp"
Tue 25 Jan 2000 1,411,344 A.SHR --- "C:\WINNT\SYSTEM32\DLLCACHE\query.dll.tmp"
Tue 25 Jan 2000 121,104 A.SHR --- "C:\WINNT\SYSTEM32\DLLCACHE\idq.dll.tmp"
Wed 5 Jan 2000 143,632 A.SHR --- "C:\WINNT\SYSTEM32\DLLCACHE\asycfilt.dll.tmp"
Wed 5 Jan 2000 614,672 A.SHR --- "C:\WINNT\SYSTEM32\DLLCACHE\oleaut32.dll.tmp"
Thu 26 Oct 2006 19,456 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1569.tmp"
Thu 26 Oct 2006 33,280 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3988.tmp"
Thu 26 Oct 2006 33,280 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2522.tmp"
Thu 26 Oct 2006 19,456 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1308.tmp"
Thu 26 Oct 2006 23,552 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL4053.tmp"
Thu 26 Oct 2006 37,376 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1257.tmp"
Thu 26 Oct 2006 31,232 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2630.tmp"
Thu 26 Oct 2006 24,576 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL1264.tmp"
Thu 26 Oct 2006 57,344 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0311.tmp"
Thu 26 Oct 2006 33,792 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2968.tmp"
Thu 26 Oct 2006 25,600 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3193.tmp"
Thu 26 Oct 2006 31,744 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2120.tmp"
Thu 26 Oct 2006 35,328 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL0744.tmp"
Thu 26 Oct 2006 37,888 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2307.tmp"
Thu 26 Oct 2006 24,576 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2841.tmp"

Finished!

Jay Worner
post Nov 29 2008, 03:18 AM
Post #4


Member
Posts: 55
From: Minnesota
OS: Windows Vista 64, VPC-Windows Server 2008



Didn't request install of recovery console


ComboFix 08-11-28.03 - Administrator 11/29/2008 3:12:16.1 - FAT32x86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.287 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\system32\ksl48.bin
c:\winnt\system32\mdm.exe
c:\winnt\Web\default.htt
c:\winnt\winhelp.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_K53LOCK
-------\Legacy_WINLOGON
-------\Service_k53lock


((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-29 )))))))))))))))))))))))))))))))
.

2008-11-29 03:16 . 08-11-29 03:16 16,384 --a----t- c:\winnt\SYSTEM32\Perflib_Perfdata_46c.dat
2008-11-29 03:00 . 08-11-29 03:00 <DIR> d-------- c:\winnt\ERUNT
2008-11-29 02:53 . 08-11-06 02:03 <DIR> d-------- C:\SDFix
2008-11-28 11:24 . 08-11-28 11:24 <DIR> d-------- c:\program files\Trend Micro
2008-11-28 11:23 . 08-11-28 11:23 <DIR> d-------- c:\program files\ERUNT
2008-11-28 11:14 . 08-11-28 11:14 <DIR> d-------- c:\program files\MSXML 4.0
2008-11-28 11:07 . 08-11-28 11:07 957 --a------ c:\winnt\setup.inf
2008-11-28 11:07 . 08-11-28 11:07 283 --a------ c:\winnt\setup.rpt
2008-11-28 11:05 . 08-08-20 11:54 587,776 --a------ c:\winnt\SYSTEM32\WININET.DLL
2008-11-28 10:55 . 06-07-24 23:08 840,976 --------- c:\winnt\SYSTEM32\DLLCACHE\mmcndmgr.dll
2008-11-28 10:51 . 08-10-16 14:09 31,768 --a------ c:\winnt\SYSTEM32\wucltui.dll.mui
2008-11-28 10:51 . 08-10-16 14:07 23,576 --a------ c:\winnt\SYSTEM32\wuaucpl.cpl.mui
2008-11-28 10:51 . 08-10-16 14:07 23,576 --a------ c:\winnt\SYSTEM32\wuapi.dll.mui
2008-11-28 10:51 . 08-10-16 14:07 18,456 --a------ c:\winnt\SYSTEM32\wuaueng.dll.mui
2008-11-27 07:49 . 08-11-27 07:49 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-27 07:46 . 08-11-27 07:46 <DIR> d-------- c:\winnt\winsxs
2008-11-27 07:46 . 08-11-27 07:46 <DIR> d-------- c:\winnt\SYSTEM32\DRIVERS\Avg
2008-11-27 07:46 . 08-11-27 07:46 <DIR> d-------- c:\program files\AVG
2008-11-27 07:46 . 08-11-27 07:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-11-27 07:46 . 08-11-27 07:46 <DIR> d-------- c:\documents and settings\Administrator\Application Data\AVGTOOLBAR
2008-11-27 07:46 . 08-11-27 07:46 97,928 --a------ c:\winnt\SYSTEM32\DRIVERS\avgldx86.sys
2008-11-27 07:46 . 08-11-27 07:46 10,520 --a------ c:\winnt\SYSTEM32\avgrsstx.dll
2008-11-27 07:33 . 08-11-27 07:33 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-11-27 07:33 . 08-10-26 21:53 15,504 --a------ c:\winnt\SYSTEM32\DRIVERS\mbam.sys
2008-11-27 07:32 . 08-11-27 07:32 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-27 07:32 . 08-11-27 07:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-27 07:32 . 08-10-26 21:53 38,496 --a------ c:\winnt\SYSTEM32\DRIVERS\mbamswissarmy.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-17 17:41 310,032 ------w c:\winnt\SYSTEM32\DLLCACHE\NETAPI32.DLL
2008-10-16 20:13 1,809,944 ----a-w c:\winnt\SYSTEM32\wuaueng.dll
2008-10-16 20:13 1,809,944 ----a-w c:\winnt\SYSTEM32\DLLCACHE\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\winnt\SYSTEM32\WUAPI.DLL
2008-10-16 20:12 323,608 ----a-w c:\winnt\SYSTEM32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\winnt\SYSTEM32\DLLCACHE\cdm.dll
2008-10-16 20:09 92,696 ----a-w c:\winnt\SYSTEM32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\winnt\SYSTEM32\wuauclt.exe
2008-10-16 20:09 51,224 ----a-w c:\winnt\SYSTEM32\DLLCACHE\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\winnt\SYSTEM32\WUPS2.DLL
2008-10-16 20:08 34,328 ----a-w c:\winnt\SYSTEM32\WUPS.DLL
2008-09-30 22:43 1,286,152 ----a-w c:\winnt\SYSTEM32\msxml4.dll
2008-09-15 05:13 1,644,432 ----a-w c:\winnt\SYSTEM32\WIN32K.SYS
2008-09-15 05:13 1,644,432 ------w c:\winnt\SYSTEM32\DLLCACHE\win32k.sys
2008-09-08 08:14 1,121,280 ----a-w c:\winnt\SYSTEM32\msxml3.dll
2008-09-08 08:14 1,121,280 ------w c:\winnt\SYSTEM32\DLLCACHE\msxml3.dll
2001-02-14 14:36 271 ---h--w c:\program files\DESKTOP.INI
2001-02-14 14:36 21,952 ---h--w c:\program files\FOLDER.HTT
1999-12-07 12:00 32,528 ----a-w c:\winnt\INF\WBFIRDMA.SYS
1998-12-09 08:53 99,840 ----a-w c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 08:53 70,144 ----a-w c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 08:53 48,640 ----a-w c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 08:53 31,744 ----a-w c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 08:53 186,368 ----a-w c:\program files\Common Files\IRAREG.DLL
1998-12-09 08:53 17,920 ----a-w c:\program files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM\aim.exe" [06-08-01 15:35 67112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [08-11-27 09:29 1261336]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [07-01-07 20:27 155648]
"IgfxTray"="c:\winnt\system32\igfxtray.exe" [05-06-21 16:48 155648]
"HotKeysCmds"="c:\winnt\system32\hkcmd.exe" [05-06-21 16:44 126976]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 111376 c:\winnt\SYSTEM32\MOBSYNC.EXE]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Printkey2000.lnk - c:\win2k\OTHER\Printkey2000.exe [1980-01-01 772608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Btn_PrintPreview"= 0 (0x0)
"NoPrinterTabs"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CSEWLPackage]
05-04-11 19:48 45056 c:\program files\Common Files\Quest Shared\Group Policy Extensions for Desktops\CSE\CSEWLPackage.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=NVDESK32.DLL,avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winnt\system32\Drivers\avgldx86.sys [2008-11-27 97928]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-27 231704]
R3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\DRIVERS\usbhub20.sys [1980-01-01 49776]
S3 oce5xnd5;Olicom NDIS 5.0 Ethernet 10/100 Adapters;c:\winnt\system32\DRIVERS\oce5xnd5.sys [1980-01-01 57936]
S3 OracleOraHome81ClientCache;OracleOraHome81ClientCache;c:\oracle\ora81\BIN\ONRSD.EXE []

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"%ProgramFiles%\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"%ProgramFiles%\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
ShellExecuteHooks-{B4870B70-F390-11d2-9FB9-F4ED725EA20D} - c:\program files\Novell\ZENworks\NalExpEx.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm -
LSP: %SystemRoot%\system32\msafd.dll

O16 -: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
c:\winnt\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
c:\winnt\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\winnt\Downloaded Program Files\DictateBar.dll - O16 -: {B7EA9615-586E-4193-9C3C-A29CA577E040}
hxxps://63.228.250.70/TouchWorks/DictateBar.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-29 03:16:35
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(168)
c:\program files\Common Files\Quest Shared\Group Policy Extensions for Desktops\CSE\CSEWLPackage.dll
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
.
Completion time: 2008-11-29 3:18:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-29 09:18:50

Pre-Run: 13,380,616,192 bytes free
Post-Run: 13,297,025,024 bytes free

161
Jay Worner
post Nov 29 2008, 03:19 AM
Post #5


Member
Posts: 55
From: Minnesota
OS: Windows Vista 64, VPC-Windows Server 2008



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:25:09 AM, on 11/28/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Quest Shared\Group Policy Extensions for Desktops\CSE\CSEHost.exe
C:\WINNT\Explorer.Exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Fairview IMS (Dec05)
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=C:\WINNT\Explorer.Exe
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: PeoplePC ScamGuard - {7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\ppctoolbar.dll_7.0.0.2.dll (file missing)
O2 - BHO: DictateBHO - {E12A882B-F14F-4440-9BC0-84A5EB766605} - C:\WINNT\DOWNLO~1\DICTAT~1.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: TouchWorks Dictate - {6F60C5C5-61B3-4378-8902-ED9497663AC9} - C:\WINNT\DOWNLO~1\DICTAT~1.DLL
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\ppctoolbar.dll_7.0.0.2.dll (file missing)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [System] C:\WINNT\system32\kernels1118.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINNT\system32\npwemunm.dll",setvm
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\djsi.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Printkey2000.lnk = C:\WIN2K\OTHER\Printkey2000.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1227891084148
O16 - DPF: {B7EA9615-586E-4193-9C3C-A29CA577E040} (DictateBandInstaller) - https://63.228.250.70/TouchWorks/DictateBar.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: NVDESK32.DLL,avgrsstx.dll
O20 - Winlogon Notify: bt848rom - bt848rom.dll (file missing)
O20 - Winlogon Notify: CSEWLPackage - C:\Program Files\Common Files\Quest Shared\Group Policy Extensions for Desktops\CSE\CSEWLPackage.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\oracle\ora81\BIN\ONRSD.EXE (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: ZipToA - Unknown owner - C:\WINNT\System32\ZipToA.exe (file missing)

--
End of file - 6413 bytes
fenzodahl512
post Nov 29 2008, 04:12 AM
Post #6


Trusted Helper
Posts: 9,210
OS: Windows XP



Please run HijackThis again and post the latest log here.. You just posted the old HijackThis log.. Then please do the below..

Please download JavaRa to your desktop and unzip it to its own folder. <<MIRROR>>
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.


Then, please download and install the latest Java from HERE



NEXT


Please run the Kaspersky Online Scanner

In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.


  • Click on SCAN NOW
  • Click Accept.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
  • The scan will take a while, so be patient and let it finish.



When the scan is done, in the Scan is complete window, any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.

To obtain the report:
Click on: Save Report As
  • Next, in the Save as prompt, Save in area, select: Desktop.
  • In the File name area use KScan, or something similar.
  • In Save as type: click the drop arrow and select: Text file [*.txt]
  • Then, click: Save



Copy and paste the Kaspersky Online Scanner Report in your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.




Post me these logs in your next reply.. Post each log in separate post..

1. Kaspersky Online
2. A fresh HijackThis log
Jay Worner
post Nov 30 2008, 08:06 PM
Post #7


Member
Posts: 55
From: Minnesota
OS: Windows Vista 64, VPC-Windows Server 2008



Records in database: 1428416
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 41473
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 01:03:56


File name / Threat name / Threats count
C:\SDFix\backups\backups.zip Infected: Trojan-Downloader.BAT.Ftp.ab 1

The selected area was scanned.

I'm sure this happens often: software takes a backup before fixing your computer, but backs up the virus. HAHA

This post has been edited by Jay Worner: Nov 30 2008, 08:07 PM
Jay Worner
post Nov 30 2008, 08:06 PM
Post #8


Member
Posts: 55
From: Minnesota
OS: Windows Vista 64, VPC-Windows Server 2008



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:11:08 PM, on 11/30/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Quest Shared\Group Policy Extensions for Desktops\CSE\CSEHost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\WIN2K\OTHER\Printkey2000.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\Administrator\Local Settings\temp\jkos-Administrator\binaries\ScanningProcess.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: PeoplePC ScamGuard - {7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: DictateBHO - {E12A882B-F14F-4440-9BC0-84A5EB766605} - C:\WINNT\DOWNLO~1\DICTAT~1.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: TouchWorks Dictate - {6F60C5C5-61B3-4378-8902-ED9497663AC9} - C:\WINNT\DOWNLO~1\DICTAT~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Printkey2000.lnk = C:\WIN2K\OTHER\Printkey2000.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1227891084148
O16 - DPF: {B7EA9615-586E-4193-9C3C-A29CA577E040} (DictateBandInstaller) - https://63.228.250.70/TouchWorks/DictateBar.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: NVDESK32.DLL,avgrsstx.dll
O20 - Winlogon Notify: CSEWLPackage - C:\Program Files\Common Files\Quest Shared\Group Policy Extensions for Desktops\CSE\CSEWLPackage.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\oracle\ora81\BIN\ONRSD.EXE (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: ZipToA - Unknown owner - C:\WINNT\System32\ZipToA.exe (file missing)

--
End of file - 5967 bytes
fenzodahl512
post Nov 30 2008, 08:13 PM
Post #9


Trusted Helper
Posts: 9,210
OS: Windows XP



Please show hidden files and folders. Please visit HERE if you don't know how.
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box at the top of the page:

      C:\Program Files\Common Files\Quest Shared\Group Policy Extensions for Desktops\CSE\CSEHost.exe
      C:\Program Files\Common Files\Quest Shared\Group Policy Extensions for Desktops\CSE\CSEWLPackage.dll

  • Click on the Upload button. You can upload only one file at a time.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

If VirScan.org server is too busy, please submit the file to VirusTotal instead.
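An added example, not code from this thread or from HijackThis: a small Python triage pass over HijackThis entries like the ones posted above. It flags the lines a helper would question (O23 services with no publisher or a missing file, O20 AppInit_DLLs / Winlogon Notify hooks) and collects the module paths to submit to a multi-engine scanner, which is the step fenzodahl512 asked for with CSEHost.exe and CSEWLPackage.dll. The sample entries are copied from the log in this thread; the System32 default is an assumption taken from the log's paths.

```python
import re

# Constructed sample: a few HijackThis v2 entries of the kind posted in this
# thread (O2 BHO, O4 Run key, O20 AppInit_DLLs / Winlogon Notify, O23 services).
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - AppInit_DLLs: NVDESK32.DLL,avgrsstx.dll
O20 - Winlogon Notify: CSEWLPackage - C:\Program Files\Common Files\Quest Shared\Group Policy Extensions for Desktops\CSE\CSEWLPackage.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ZipToA - Unknown owner - C:\WINNT\System32\ZipToA.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d|F\d)\s+-\s+(.*)$")
# Drive-letter path ending in a loadable module; non-greedy so arguments or
# "(file missing)" after the path are not swallowed.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]+?\.(?:exe|dll|ocx|sys)\b', re.IGNORECASE)
# Sections describing code loaded automatically (BHOs, toolbars, Run keys,
# AppInit/Winlogon hooks, services): the persistence load points.
LOAD_POINTS = {"O2", "O3", "O4", "O20", "O21", "O22", "O23"}


def parse_entries(text):
    """Return (section, body) pairs for every HijackThis entry line."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def triage(text, system32=r"C:\WINNT\system32"):
    """Flag entries worth questioning and list module paths to submit for
    scanning. system32 (assumed; taken from the log) resolves bare AppInit names."""
    review, paths = [], []
    for section, body in parse_entries(text):
        reasons = []
        if section == "O23" and "Unknown owner" in body:
            reasons.append("service binary has no publisher")
        if "(file missing)" in body:
            reasons.append("registered but file missing (stale or removed)")
        if section == "O20":
            reasons.append("DLL injected into every process / at logon")
        if reasons:
            review.append((section, body, reasons))
        if section in LOAD_POINTS and "(file missing)" not in body:
            found = PATH_RE.findall(body)
            if body.startswith("AppInit_DLLs:"):  # bare names, System32-relative
                found += [system32 + "\\" + n.strip()
                          for n in body.split(":", 1)[1].split(",") if n.strip()]
            paths += [p for p in found if p not in paths]
    return {"review": review, "paths_to_scan": paths}
```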
Jay Worner
post Dec 1 2008, 01:16 AM
Post #10


Member
Posts: 55
From: Minnesota
OS: Windows Vista 64, VPC-Windows Server 2008



VirSCAN.org Scanned Report :
Scanned time : 2008/12/01 01:10:51 (CST)
Scanner results: All Scanners reported not find malware!
File Name : CSEHost.exe
File Size : 65536 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : b813ad90dd4ee40046f13df2f196ca1a
SHA1 : 2f7e67c06fd11cc970be862fb28ce5602724f1f9
Online report : http://virscan.org/report/df2744a453a62fd1...7e65a414ae.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.27 20081130163126 2008-11-30 3.15 -
AhnLab V3 2008.12.01.01 2008.12.01 2008-12-01 1.09 -
AntiVir 7.9.0.36 7.1.0.161 2008-11-30 1.80 -
Antiy 2.0.18 20081130.1772504 2008-11-30 0.45 -
Arcavir 1.0.5 200811291125 2008-11-29 1.22 -
Authentium 5.1.1 200811301454 2008-11-30 1.09 -
AVAST! 3.0.1 081130-0 2008-11-30 0.01 -
AVG 7.5.52.442 270.9.12/1821 2008-11-30 1.78 -
BitDefender 7.81008.2304695 7.22212 2008-12-01 2.25 -
CA (VET) 9.0.0.143 31.6.6234 2008-11-28 5.92 -
ClamAV 0.94.1 8698 2008-11-30 0.02 -
Comodo 2.11 2.0.0.712 2008-11-20 0.56 -
CP Secure 1.1.0.715 2008.12.01 2008-12-01 6.24 -
Dr.Web 4.44.0.9170 2008.12.01 2008-12-01 4.17 -
ewido 4.0.0.2 2008.11.30 2008-11-30 5.03 -
F-Prot 4.4.4.56 20081130 2008-11-30 1.08 -
F-Secure 5.51.6100 2008.11.30.02 2008-11-30 0.04 -
Fortinet 2.81-3.117 9.762 2008-11-30 0.20 -
GData 19.1753/19.129 20081201 2008-12-01 3.12 -
ViRobot 20081129 2008.11.29 2008-11-29 0.41 -
Ikarus T3.1.01.45 2008.12.01.71937 2008-12-01 4.80 -
JiangMin 11.0.706 2008.12.01 2008-12-01 1.38 -
Kaspersky 5.5.10 2008.12.01 2008-12-01 0.04 -
KingSoft 2008.9.8.18 2008.12.1.13 2008-12-01 0.73 -
McAfee 5.3.00 5450 2008-11-30 2.80 -
Microsoft 1.4104 2008.11.30 2008-11-30 8.50 -
mks_vir 2.01 2008.12.01 2008-12-01 2.72 -
Norman 5.93.01 5.93.00 2008-11-28 5.84 -
Panda 9.05.01 2008.11.30 2008-11-30 4.13 -
Trend Micro 8.700-1004 5.684.01 2008-11-30 0.03 -
Quick Heal 10.00 2008.12.01 2008-12-01 0.94 -
Rising 20.0 21.06.00.00 2008-12-01 1.70 -
Sophos 2.81.2 4.36 2008-12-01 2.03 -
Sunbelt 4674 4674 2008-11-04 0.62 -
Symantec 1.3.0.24 20081130.004 2008-11-30 0.05 -
nProtect 2008-12-01.00 2632093 2008-12-01 3.20 -
The Hacker 6.3.1.1 v00169 2008-11-29 0.60 -
VBA32 3.12.8.9 20081130.1001 2008-11-30 1.47 -
VirusBuster 4.5.11.10 10.94.11/729504 2008-11-30 1.02 -



VirSCAN.org Scanned Report :
Scanned time : 2008/12/01 01:14:12 (CST)
Scanner results: All Scanners reported not find malware!
File Name : CSEWLPackage.dll
File Size : 45056 byte
File Type : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
MD5 : 7de1366a168f192dfd1224f5dd30f68b
SHA1 : f7387fc7277b1debd64bfd9e797f7ff8bb336c49
Online report : http://virscan.org/report/cca608e3bfce832a...6297be5c30.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.27 20081130163126 2008-11-30 3.15 -
AhnLab V3 2008.12.01.01 2008.12.01 2008-12-01 1.03 -
AntiVir 7.9.0.36 7.1.0.161 2008-11-30 1.84 -
Antiy 2.0.18 20081130.1772504 2008-11-30 0.13 -
Arcavir 1.0.5 200811291125 2008-11-29 1.90 -
Authentium 5.1.1 200811301454 2008-11-30 1.47 -
AVAST! 3.0.1 081130-0 2008-11-30 0.01 -
AVG 7.5.52.442 270.9.12/1821 2008-11-30 1.83 -
BitDefender 7.81008.2304695 7.22212 2008-12-01 2.13 -
CA (VET) 9.0.0.143 31.6.6234 2008-11-28 4.37 -
ClamAV 0.94.1 8698 2008-11-30 0.02 -
Comodo 2.11 2.0.0.712 2008-11-20 0.42 -
CP Secure 1.1.0.715 2008.12.01 2008-12-01 6.15 -
Dr.Web 4.44.0.9170 2008.12.01 2008-12-01 3.71 -
ewido 4.0.0.2 2008.11.30 2008-11-30 4.29 -
F-Prot 4.4.4.56 20081130 2008-11-30 1.12 -
F-Secure 5.51.6100 2008.11.30.02 2008-11-30 0.06 -
Fortinet 2.81-3.117 9.762 2008-11-30 0.26 -
GData 19.1753/19.129 20081201 2008-12-01 3.05 -
ViRobot 20081129 2008.11.29 2008-11-29 0.41 -
Ikarus T3.1.01.45 2008.12.01.71937 2008-12-01 3.60 -
JiangMin 11.0.706 2008.12.01 2008-12-01 1.37 -
Kaspersky 5.5.10 2008.12.01 2008-12-01 0.06 -
KingSoft 2008.9.8.18 2008.12.1.13 2008-12-01 0.69 -
McAfee 5.3.00 5450 2008-11-30 2.54 -
Microsoft 1.4104 2008.11.30 2008-11-30 4.35 -
mks_vir 2.01 2008.12.01 2008-12-01 2.72 -
Norman 5.93.01 5.93.00 2008-11-28 5.63 -
Panda 9.05.01 2008.11.30 2008-11-30 3.24 -
Trend Micro 8.700-1004 5.684.01 2008-11-30 0.03 -
Quick Heal 10.00 2008.12.01 2008-12-01 0.90 -
Rising 20.0 21.06.00.00 2008-12-01 0.81 -
Sophos 2.81.2 4.36 2008-12-01 1.89 -
Sunbelt 4674 4674 2008-11-04 1.21 -
Symantec 1.3.0.24 20081130.004 2008-11-30 0.05 -
nProtect 2008-12-01.00 2632093 2008-12-01 3.11 -
The Hacker 6.3.1.1 v00169 2008-11-29 0.47 -
VBA32 3.12.8.9 20081130.1001 2008-11-30 1.47 -
VirusBuster 4.5.11.10 10.94.11/729504 2008-11-30 0.94 -
fenzodahl512
post Dec 1 2008, 01:35 AM
Post #11


Trusted Helper
Posts: 9,210
OS: Windows XP



Well... Looks good to me...


Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
    Please note that the space between combofix and /u is needed





Lastly, to keep your operating system up to date please visit the link below monthly


Please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware

And another excellent article by CastleCops Malware Prevention: Prevent Re-infection

Please reply to this thread once more and tell us about the computer behaviour before we can close this thread.



Have a safe and happy computing day!


Regards
fenzodahl512
fenzodahl512
post Dec 5 2008, 11:51 AM
Post #12


Trusted Helper
Posts: 9,210
OS: Windows XP



Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.