
Disabled regedit and Task Manager, Pc incredibly slow, Popups at increasing

Discussion in 'Malware and Virus Removal Archive' started by Tank, 2008/08/05.

  1. 2008/08/05
    Tank

    Tank Inactive Thread Starter

    Joined:
    2008/08/04
    Messages:
    50
    Likes Received:
    0
    Hello, the infection may have entered while visiting a Brazilian site. As the home page opened my antivirus SpySweeper immediately reported that W32/Sality-AM was trying to install itself. Although it should have been blocked, SpySweeper detected it again on the subsequent scan along with W32/Allaple-F and some behavioral threats.

    Soon enough my PC began to slow down. Task Manager and regedit were disabled and a popup: "Windows-Virtual Memory too Low" began to appear with increasing frequency. Another smaller popup: "Runtime error 203 at 031249C5" began to appear as well. Recently, at startup I get another popup: "%WINDIR%\System32\ashDsp.exe" telling me "cannot find the file....".

    In desperation, I downloaded and ran Malwarebytes’ Anti-Malware and it detected and removed the W32/Sality-F. However, the problems continued. After some research, I was able to access the registry and enable the Task Manager (I set the DisableTaskManager value to 0). But that turned out to be just temporary as both regedit and the Task Manager are continuously disabled.

    In another attempt I downloaded and ran SpyBot, which detected a number of problems including the Task Manager and some blocks on Windows Update. Again, the removal was only temporary.

    I do not know if it is of any help but I’ve noticed that the LAN icon (the tiny monitors on the bottom right) indicates packets sent and received even if I’m not browsing or navigating. If I put the modem on standby the PC seems to keep trying to send packets continuously.
    I disabled LAN and the PC seems to be significantly faster(?).

    I’ve included below the DDS main.txt file. Any help would be greatly appreciated!

    ------------

    main.txt2

    Deckard's System Scanner v20071014.68
    Run by Tank on 2008-08-05 15:39:23
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    Percentage of Memory in Use: 94% (more than 75%).
    Total Physical Memory: 127 MiB (256 MiB recommended).


    -- HijackThis (run as Tank.exe) ------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:41:31 PM, on 8/5/2008
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    D:\WINNT4\System32\smss.exe
    D:\WINNT4\system32\winlogon.exe
    D:\WINNT4\system32\services.exe
    D:\WINNT4\system32\lsass.exe
    D:\WINNT4\system32\svchost.exe
    D:\WINNT4\system32\spoolsv.exe
    D:\WINNT4\system32\svchost.exe
    D:\WINNT4\system32\MSTask.exe
    D:\WINNT4\system32\SnMgrSvc.exe
    D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    D:\WINNT4\System32\WBEM\WinMgmt.exe
    D:\WINNT4\system32\svchost.exe
    D:\WINNT4\system32\SnAgOS.exe
    D:\WINNT4\Explorer.exe
    D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    D:\WINNT4\system32\internat.exe
    D:\WINNT4\system32\ashDsp.exe
    D:\Program Files\OpenOffice.org 2.4\program\soffice.exe
    D:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
    D:\WINNT4\system32\SnEngine.EXE
    D:\Documents and Settings\Tank\Desktop\dss.exe
    D:\PROGRA~1\TRENDM~1\HIJACK~1\Tank.exe

    F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\system32\ashDsp.exe
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT4\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ashDsp.exe] D:\WINNT4\system32\ashDsp.exe
    O4 - HKLM\..\Run: [SpySweeper] D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] "D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe "
    O4 - HKCU\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] D:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Startup: OpenOffice.org 2.4.lnk = D:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINNT4\web\related.htm (file missing)
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINNT4\web\related.htm (file missing)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1217906105164
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT4\System32\dmadmin.exe
    O23 - Service: SNMgrSvc - Open Communications Security S/A - D:\WINNT4\system32\SnMgrSvc.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

    --
    End of file - 3264 bytes

    -- Files created between 2008-07-05 and 2008-08-05 -----------------------------

    2008-08-05 10:26:19 16384 --a-----t D:\WINNT4\system32\Perflib_Perfdata_2dc.dat
    2008-08-05 09:55:20 0 d-------- D:\Program Files\Trend Micro
    2008-08-05 08:23:07 0 -----n--- D:\WINNT4\system32\SWM0012
    2008-08-05 08:17:25 22784 -----n--- D:\WINNT4\system32\drivers\SNSID.SYS <Not Verified; Open Communications Security; Precise>
    2008-08-05 08:17:20 2560 -----n--- D:\WINNT4\system32\SNLINK.DLL
    2008-08-05 08:17:16 186504 -----n--- D:\WINNT4\system32\SnAgOS.DLL
    2008-08-04 20:51:32 0 d-------- D:\WINNT4\system32\BITS
    2008-08-04 20:15:45 0 d-------- D:\WINNT4\SoftwareDistribution
    2008-08-03 14:06:17 0 d-------- D:\Documents and Settings\Tank\Application Data\OpenOffice.org2
    2008-08-02 11:03:19 0 d-------- D:\Documents and Settings\Tank\Application Data\Macromedia
    2008-08-02 11:03:18 0 d-------- D:\Documents and Settings\Tank\Application Data\Adobe
    2008-08-02 11:02:58 0 d-------- D:\WINNT4\system32\Macromed
    2008-08-02 09:22:00 0 d-------- D:\Documents and Settings\Tank\Application Data\Help
    2008-08-01 20:22:24 0 d-------- D:\WINNT4\RegisteredPackages
    2008-08-01 20:16:51 0 d--h----- D:\WINNT4\msdownld.tmp
    2008-08-01 20:16:47 0 d-------- D:\WINNT4\Windows Update Setup Files
    2008-08-01 16:01:33 0 d-a------ D:\Documents and Settings\All Users.WINNT4\Application Data\Spybot - Search & Destroy
    2008-07-31 21:56:54 0 d-------- D:\Documents and Settings\Tank\Application Data\Malwarebytes
    2008-07-31 21:56:51 0 d-------- D:\Documents and Settings\All Users.WINNT4\Application Data\Malwarebytes
    2008-07-31 21:21:36 643562 ---h----- D:\WINNT4\ShellIconCache
    2008-07-31 21:15:37 0 d-------- D:\Documents and Settings\All Users.WINNT4\Application Data\Webroot
    2008-07-31 21:15:36 0 d-------- D:\Documents and Settings\Tank\Application Data\Webroot
    2008-07-31 21:08:33 98816 ---h----- D:\WINNT4\system32\ashDsp.exe
    2008-07-31 21:01:46 0 d--hs---- D:\WINNT4\Installer
    2008-07-31 21:01:45 0 d-------- D:\Documents and Settings\Tank\Application Data\Identities
    2008-07-31 21:01:42 0 d-------- D:\WINNT4\system32\NtmsData
    2008-07-31 21:01:38 0 d--h----- D:\WINNT4\system32\GroupPolicy
    2008-07-31 21:01:36 0 d--hs---- D:\WINNT4\CSC
    2008-07-31 21:01:36 0 d--h----- D:\Documents and Settings\Tank\Templates
    2008-07-31 21:01:36 0 d-------- D:\Documents and Settings\Tank\Start Menu
    2008-07-31 21:01:36 0 d--h----- D:\Documents and Settings\Tank\SendTo
    2008-07-31 21:01:36 0 dr-h----- D:\Documents and Settings\Tank\Recent
    2008-07-31 21:01:36 0 d--h----- D:\Documents and Settings\Tank\PrintHood
    2008-07-31 21:01:36 3092480 --ah----- D:\Documents and Settings\Tank\NTUSER.DAT
    2008-07-31 21:01:36 0 d--h----- D:\Documents and Settings\Tank\NetHood
    2008-07-31 21:01:36 0 d-------- D:\Documents and Settings\Tank\My Documents
    2008-07-31 21:01:36 0 d--h----- D:\Documents and Settings\Tank\Local Settings
    2008-07-31 21:01:36 0 dr------- D:\Documents and Settings\Tank\Favorites
    2008-07-31 21:01:36 0 d-------- D:\Documents and Settings\Tank\Desktop
    2008-07-31 21:01:36 0 d---s---- D:\Documents and Settings\Tank\Cookies
    2008-07-31 21:01:36 0 d--h----- D:\Documents and Settings\Tank\Application Data
    2008-07-31 21:00:58 0 d-------- D:\WINNT4\system32\Microsoft
    2008-07-31 20:55:41 0 d-------- D:\WINNT4\system32\rpcproxy
    2008-07-31 20:55:41 0 d-------- D:\WINNT4\system32\rocket
    2008-07-31 20:55:41 0 d-------- D:\WINNT4\system32\inetsrv
    2008-07-31 20:55:41 0 d-------- D:\WINNT4\mww32
    2008-07-31 20:55:41 0 d-------- D:\WINNT4\ime
    2008-07-31 20:54:44 122880 ---h----- D:\Documents and Settings\Default User.WINNT4\NTUSER.DAT
    2008-07-31 20:53:08 0 d---s---- D:\Documents and Settings\Default User.WINNT4\Application Data\Microsoft
    2008-07-31 20:52:49 0 d--hs---- D:\Documents and Settings\All Users.WINNT4\DRM
    2008-07-31 20:52:42 0 dr------- D:\WINNT4\Offline Web Pages
    2008-07-31 20:52:42 0 d---s---- D:\WINNT4\Downloaded Program Files
    2008-07-31 20:52:16 0 d-a-s---- D:\WINNT4\Tasks
    2008-07-31 20:51:47 15016 --a------ D:\WINNT4\system32\emptyregdb.dat
    2008-07-31 20:51:01 0 d-------- D:\WINNT4\Registration
    2008-07-31 20:50:44 0 d-------- D:\WINNT4\system32\DTCLog
    2008-07-31 20:50:21 1785160 -ra------ D:\WINNT4\system32\dtcsetup.exe <Not Verified; Microsoft Corporation; Microsoft Distributed Transaction Coordinator>
    2008-07-31 20:50:20 0 d-------- D:\WINNT4\system32\Com
    2008-07-31 20:49:03 0 d-------- D:\Documents and Settings\All Users.WINNT4\Application Data\Microsoft
    2008-07-31 13:42:18 0 d-a------ D:\WINNT4\Speech
    2008-07-31 13:42:03 0 d--h----- D:\Documents and Settings\Default User.WINNT4\Templates
    2008-07-31 13:42:03 0 d-------- D:\Documents and Settings\Default User.WINNT4\Start Menu
    2008-07-31 13:42:03 0 d--h----- D:\Documents and Settings\Default User.WINNT4\SendTo
    2008-07-31 13:42:03 0 d--h----- D:\Documents and Settings\Default User.WINNT4\Recent
    2008-07-31 13:42:03 0 d--h----- D:\Documents and Settings\Default User.WINNT4\PrintHood
    2008-07-31 13:42:03 0 d--h----- D:\Documents and Settings\Default User.WINNT4\NetHood
    2008-07-31 13:42:03 0 d-------- D:\Documents and Settings\Default User.WINNT4\My Documents
    2008-07-31 13:42:03 0 d--h----- D:\Documents and Settings\Default User.WINNT4\Local Settings
    2008-07-31 13:42:03 0 d-------- D:\Documents and Settings\Default User.WINNT4\Favorites
    2008-07-31 13:42:03 0 d-------- D:\Documents and Settings\Default User.WINNT4\Desktop
    2008-07-31 13:42:03 0 d---s---- D:\Documents and Settings\Default User.WINNT4\Cookies
    2008-07-31 13:42:03 0 d--h----- D:\Documents and Settings\Default User.WINNT4\Application Data
    2008-07-31 13:42:03 0 d--h----- D:\Documents and Settings\All Users.WINNT4\Templates
    2008-07-31 13:42:03 0 d-------- D:\Documents and Settings\All Users.WINNT4\Start Menu
    2008-07-31 13:42:03 0 d-------- D:\Documents and Settings\All Users.WINNT4\Favorites
    2008-07-31 13:42:03 0 d-a------ D:\Documents and Settings\All Users.WINNT4\Documents
    2008-07-31 13:42:03 0 d-------- D:\Documents and Settings\All Users.WINNT4\Desktop
    2008-07-31 13:42:03 0 d-ah----- D:\Documents and Settings\All Users.WINNT4\Application Data
    2008-07-31 13:41:48 0 d-a------ D:\WINNT4\system32\CatRoot
    2008-07-31 13:38:21 0 d-a------ D:\WINNT4
    2008-07-31 13:38:21 0 d---s---- D:\WINNT4\Web
    2008-07-31 13:38:21 0 d-a------ D:\WINNT4\twain_32
    2008-07-31 13:38:21 0 d-a------ D:\WINNT4\system32
    2008-07-31 13:38:21 0 d-a------ D:\WINNT4\system32\wins
    2008-07-31 13:38:21 0 d-a------ D:\WINNT4\system32\wbem
    2008-07-31 13:38:21 0 d-a------ D:\WINNT4\system32\spool
    2008-07-31 13:38:21 0 d-a------ D:\WINNT4\system32\ShellExt
    2008-07-31 13:38:21 0 d-------- D:\WINNT4\system32\Setup
    2008-07-31 13:38:21 0 d-a------ D:\WINNT4\system32\ras
    2008-07-31 13:38:21 0 d-a------ D:\WINNT4\system32\os2
    2008-07-31 13:38:21 0 d-a------ D:\WINNT4\system32\npp
    2008-07-31 13:38:21 0 d-a------ D:\WINNT4\system32\mui
    2008-07-31 13:38:21 0 d-a------ D:\WINNT4\system32\ie_de
    2008-07-31 13:38:21 0 d-a------ D:\WINNT4\system32\ias
    2008-07-31 13:38:21 0 d-a------ D:\WINNT4\system32\export
    2008-07-31 13:38:21 0 d-a------ D:\WINNT4\system32\drivers
    2008-07-31 13:38:21 0 d-a------ D:\WINNT4\system32\drivers\etc
    2008-07-31 13:38:21 0 d-a------ D:\WINNT4\system32\drivers\disdn
    2008-07-31 13:38:21 0 drahs--c- D:\WINNT4\system32\dllcache
    2008-07-31 13:38:21 0 d-a------ D:\WINNT4\system32\dhcp
    2008-07-31 13:38:21 0 d-a------ D:\WINNT4\system32\config
    2008-07-31 13:38:21 0 d-a------ D:\WINNT4\system
    2008-07-31 13:38:21 0 d-a------ D:\WINNT4\security
    2008-07-31 13:38:21 0 d-a------ D:\WINNT4\repair
    2008-07-31 13:38:21 0 d-a------ D:\WINNT4\msapps
    2008-07-31 13:38:21 0 d-a------ D:\WINNT4\msagent
    2008-07-31 13:38:21 0 d-a------ D:\WINNT4\Media
    2008-07-31 13:38:21 0 d--h----- D:\WINNT4\inf
    2008-07-31 13:38:21 0 d-a------ D:\WINNT4\Help
    2008-07-31 13:38:21 0 dra-s---- D:\WINNT4\Fonts
    2008-07-31 13:38:21 0 d-a------ D:\WINNT4\Driver Cache
    2008-07-31 13:38:21 0 d-a------ D:\WINNT4\Debug
    2008-07-31 13:38:21 0 d-a------ D:\WINNT4\Cursors
    2008-07-31 13:38:21 0 d-a------ D:\WINNT4\Connection Wizard
    2008-07-31 13:38:21 0 d-a------ D:\WINNT4\Config
    2008-07-31 13:38:21 0 d-a------ D:\WINNT4\AppPatch
    2008-07-31 13:38:21 0 d-a------ D:\WINNT4\addins
    2008-07-31 13:00:05 17680 --a------ D:\WINNT4\system32\tftp.exe
    2008-07-31 12:59:39 95024 --a------ D:\WINNT4\system32\sfc.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>
    2008-07-31 12:57:32 39696 --a------ D:\WINNT4\system32\ftp.exe
    2008-07-30 16:07:00 0 d-------- D:\Documents and Settings\Tank Fortaleza\Application Data\Help
    2008-07-30 15:58:40 0 d-------- D:\Documents and Settings\Tank Fortaleza\Application Data\Hewlett-Packard
    2008-07-30 15:23:19 0 d-a------ D:\Program Files\Common Files\Hewlett-Packard
    2008-07-30 15:20:50 0 d-a------ D:\Program Files\Common Files\MSSoap
    2008-07-30 15:20:25 0 d-a------ D:\Program Files\Hewlett-Packard
    2008-07-29 22:12:31 0 d-------- D:\Documents and Settings\Tank Fortaleza\Application Data\OpenOffice.org2
    2008-07-29 22:03:23 0 d-a------ D:\Program Files\OpenOffice.org 2.4
    2008-07-29 21:55:24 0 d-------- D:\Documents and Settings\Tank Fortaleza\Application Data\Sun
    2008-07-29 20:28:48 0 d-a------ D:\Program Files\Enkad
    2008-07-27 23:14:19 0 d-------- D:\Documents and Settings\Tank Fortaleza\Application Data\Orbit
    2008-07-27 23:14:05 0 d-a------ D:\Program Files\Orbitdownloader
    2008-07-27 22:56:29 0 d-a------ D:\Program Files\Java
    2008-07-27 22:52:41 0 d-a------ D:\Program Files\Common Files\Java
    2008-07-27 21:10:24 0 d-------- D:\Documents and Settings\Tank Fortaleza\Application Data\TypingMaster7
    2008-07-27 21:07:21 0 dra------ D:\Program Files\TypingMaster
    2008-07-27 17:52:28 0 d-a------ D:\Program Files\BitComet
    2008-07-26 20:37:13 0 d-a------ D:\Program Files\Common Files\Adobe
    2008-07-26 11:16:35 0 d-------- D:\Documents and Settings\Tank Fortaleza\Application Data\RegSweep
    2008-07-23 22:28:50 0 d-------- D:\Documents and Settings\Tank Fortaleza\Application Data\Malwarebytes
    2008-07-23 22:28:36 0 d-------- D:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-07-23 22:28:30 0 d-a------ D:\Program Files\Malwarebytes' Anti-Malware
    2008-07-23 20:05:39 0 d-------- D:\Documents and Settings\Tank Fortaleza\Application Data\Macromedia
    2008-07-23 20:05:38 0 d-------- D:\Documents and Settings\Tank Fortaleza\Application Data\Adobe
    2008-07-23 15:27:18 0 d-------- D:\Documents and Settings\All Users\Application Data\Webroot
    2008-07-23 13:02:50 0 d-------- D:\Documents and Settings\Tank Fortaleza\Application Data\Webroot
    2008-07-23 11:18:03 0 d-------- D:\Documents and Settings\Tank Fortaleza\Application Data\Identities
    2008-07-23 11:17:56 0 d--h----- D:\Documents and Settings\Tank Fortaleza\Templates
    2008-07-23 11:17:56 0 d-------- D:\Documents and Settings\Tank Fortaleza\Start Menu
    2008-07-23 11:17:56 0 d--h----- D:\Documents and Settings\Tank Fortaleza\SendTo
    2008-07-23 11:17:56 0 dr-h----- D:\Documents and Settings\Tank Fortaleza\Recent
    2008-07-23 11:17:56 0 d--h----- D:\Documents and Settings\Tank Fortaleza\PrintHood
    2008-07-23 11:17:56 3321856 --ah----- D:\Documents and Settings\Tank Fortaleza\NTUSER.DAT
    2008-07-23 11:17:56 0 d--h----- D:\Documents and Settings\Tank Fortaleza\NetHood
    2008-07-23 11:17:56 0 d-------- D:\Documents and Settings\Tank Fortaleza\My Documents
    2008-07-23 11:17:56 0 d--h----- D:\Documents and Settings\Tank Fortaleza\Local Settings
    2008-07-23 11:17:56 0 dr------- D:\Documents and Settings\Tank Fortaleza\Favorites
    2008-07-23 11:17:56 0 d-------- D:\Documents and Settings\Tank Fortaleza\Desktop
    2008-07-23 11:17:56 0 d---s---- D:\Documents and Settings\Tank Fortaleza\Cookies
    2008-07-23 11:17:56 0 d--h----- D:\Documents and Settings\Tank Fortaleza\Application Data
    2008-07-23 11:17:56 0 d---s---- D:\Documents and Settings\Tank Fortaleza\Application Data\Microsoft
    2008-07-23 11:08:02 0 d-a------ D:\Program Files\microsoft frontpage
    2008-07-23 11:07:08 122880 ---h----- D:\Documents and Settings\Default User\NTUSER.DAT
    2008-07-23 11:05:41 0 d---s---- D:\Documents and Settings\Default User\Application Data\Microsoft
    2008-07-23 11:05:24 0 d--hs---- D:\Documents and Settings\All Users\DRM
    2008-07-23 11:03:04 0 d-ah----- D:\Program Files\WindowsUpdate
    2008-07-23 11:02:49 0 d-a------ D:\Program Files\Accessories
    2008-07-23 11:02:47 0 d-a------ D:\Program Files\Windows NT
    2008-07-23 11:00:56 0 d-------- D:\Documents and Settings\All Users\Application Data\Microsoft
    2008-07-23 05:18:36 0 d-------- D:\WIN2K
    2008-07-23 02:51:28 0 d-a------ D:\Program Files\Common Files\ODBC
    2008-07-23 02:51:25 0 d-a------ D:\Program Files\Common Files
    2008-07-23 02:51:10 0 d--h----- D:\Documents and Settings\Default User\Templates
    2008-07-23 02:51:10 0 d-------- D:\Documents and Settings\Default User\Start Menu
    2008-07-23 02:51:10 0 d--h----- D:\Documents and Settings\Default User\SendTo
    2008-07-23 02:51:10 0 d--h----- D:\Documents and Settings\Default User\Recent
    2008-07-23 02:51:10 0 d--h----- D:\Documents and Settings\Default User\PrintHood
    2008-07-23 02:51:10 0 d--h----- D:\Documents and Settings\Default User\NetHood
    2008-07-23 02:51:10 0 d-------- D:\Documents and Settings\Default User\My Documents
    2008-07-23 02:51:10 0 d--h----- D:\Documents and Settings\Default User\Local Settings
    2008-07-23 02:51:10 0 d-------- D:\Documents and Settings\Default User\Favorites
    2008-07-23 02:51:10 0 d-------- D:\Documents and Settings\Default User\Desktop
    2008-07-23 02:51:10 0 d--h----- D:\Documents and Settings\Default User\Cookies
    2008-07-23 02:51:10 0 d--h----- D:\Documents and Settings\Default User\Application Data
    2008-07-23 02:51:10 0 d--h----- D:\Documents and Settings\All Users\Templates
    2008-07-23 02:51:10 0 d-------- D:\Documents and Settings\All Users\Start Menu
    2008-07-23 02:51:10 0 d-------- D:\Documents and Settings\All Users\Favorites
    2008-07-23 02:51:10 0 d-a------ D:\Documents and Settings\All Users\Documents
    2008-07-23 02:51:10 0 d-------- D:\Documents and Settings\All Users\Desktop
    2008-07-23 02:51:10 0 d-ah----- D:\Documents and Settings\All Users\Application Data
    2008-07-22 16:01:34 7738 ---hs---- D:\SUHDLOG.DAT
    2008-07-22 16:00:55 164 --a------ D:\install.dat
    2008-07-22 16:00:55 14330 --a------ D:\htoejh.exe
    2008-07-22 16:00:53 6236595 --a------ D:\yamaha_dsxg_driver.exe <Not Verified; InstallShield Software Corporation; PackageForTheWeb Stub>
    2008-07-22 15:59:28 95698 ---hs---- D:\COMMAND.COM
    2008-07-22 15:59:19 32768 --ahs---- D:\VIDEOROM.BIN
    2008-07-22 15:59:19 102400 --a------ D:\adware.exe
    2008-07-22 15:58:24 0 d-a------ D:\Program Files\Webroot
    2008-07-22 15:58:24 0 d-a------ D:\Program Files\Messenger
    2008-07-22 15:58:17 0 d-a------ D:\Program Files\GbPlugin
    2008-07-22 15:58:16 0 dra------ D:\Program Files
    2008-07-22 15:58:16 0 d-a------ D:\Program Files\CCleaner
    2008-07-22 15:58:05 0 d-------- D:\Modem
    2008-07-22 15:58:05 0 d-------- D:\Meus documentos
    2008-07-22 15:58:01 0 d-------- D:\Lan
    2008-07-22 15:57:32 0 d-------- D:\Globalink
    2008-07-22 15:57:32 0 d-------- D:\FOUND.000
    2008-07-22 15:57:31 0 d-------- D:\Downloads
    2008-07-22 15:54:57 0 d-a------ D:\Documents and Settings
    2008-07-22 15:48:25 0 dr------- D:\Arquivos de programas


    -- Find3M Report ---------------------------------------------------------------

    2008-07-16 09:20:02 100 ---h----- D:\CONFIG.SYS
    2008-07-16 09:20:02 175 ---h----- D:\AUTOEXEC.BAT


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager "= "mobsync.exe" [06/18/03 02:00a D:\WINNT4\system32\mobsync.exe]
    "ashDsp.exe "= "D:\WINNT4\system32\ashDsp.exe" [07/31/08 09:08p]
    "SpySweeper "= "D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [01/04/08 08:56p]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer "= "D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [07/07/08 09:42a]
    "SpySweeper "= "D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" [01/04/08 08:56p]
    "internat.exe "= "internat.exe" [06/18/03 02:00a D:\WINNT4\system32\internat.exe]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "^SetupICWDesktop "=D:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

    D:\Documents and Settings\Tank\Start Menu\Programs\Startup\
    OpenOffice.org 2.4.lnk - D:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [1/21/2008 5:41:28 PM]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools "=1 (0x1)
    "DisableTaskMgr "=1 (0x1)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr "=1 (0x1)
    "DisableRegistryTools "=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Shell "= "Explorer.exe %WINDIR%\system32\ashDsp.exe "

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
    @= "Driver "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
    @= "Driver "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
    @= "Service "




    -- End of Deckard's System Scanner: finished at 2008-08-05 15:57:37 ------------
     
    Tank,
    #1
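As an added example (not code from the original post or from any of the tools named in it), here is a small Python triage of the HijackThis section of the log above: it pulls out whatever the Winlogon Shell value launches besides Explorer.exe, the O7 policy values that lock out regedit/Task Manager, and the O4 Run entries, then cross-references which binary appears in more than one persistence location. The sample lines are copied from the posted log; the hypothetical `triage` and `first_executable` helpers are mine.

```python
import ntpath
import re

# Constructed sample: lines copied from the HijackThis section of the posted
# log, plus the benign Synchronization Manager entry for contrast.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\system32\ashDsp.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ashDsp.exe] D:\WINNT4\system32\ashDsp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe "
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

ENTRY_RE = re.compile(r"^(?P<section>[FO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
POLICY_RE = re.compile(r"Policies\\System,\s*(?P<name>\w+)=(?P<value>\d+)")


def parse_entries(text):
    """Yield (section, body) pairs for lines shaped like 'O4 - ...'."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("section"), m.group("body")


def first_executable(cmd):
    """Lower-cased basename of the program a Run command launches.
    Handles a leading double-quoted path; otherwise takes the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end > 0 else cmd[1:]
    else:
        parts = cmd.split()
        exe = parts[0] if parts else ""
    return ntpath.basename(exe.strip()).lower()


def triage(text):
    """Return the indicators a helper would look for in this kind of log."""
    shell_extras = []      # launched by the Winlogon Shell value besides Explorer.exe
    locked_policies = []   # O7 policy values set to non-zero (regedit / Task Manager lockout)
    run_entries = []       # (name, command) from every O4 line
    for section, body in parse_entries(text):
        if section == "F2" and "Shell=" in body:
            shell_value = body.split("Shell=", 1)[1]
            # Assumes space-separated entries with no embedded spaces in the
            # paths, which is how the Shell value is written in this log.
            shell_extras.extend(
                tok for tok in shell_value.split() if tok.lower() != "explorer.exe"
            )
        elif section == "O7":
            pm = POLICY_RE.search(body)
            if pm and pm.group("value") != "0":
                locked_policies.append(pm.group("name"))
        elif section == "O4":
            rm = RUN_RE.search(body)
            if rm:
                run_entries.append((rm.group("name"), rm.group("cmd")))
    # Cross-reference: a binary that is both appended to the Shell value and
    # registered under Run has two persistence hooks, which is what the posted
    # log shows for ashDsp.exe.
    shell_exes = {ntpath.basename(tok).lower() for tok in shell_extras}
    run_exes = {first_executable(cmd) for _, cmd in run_entries}
    return {
        "shell_extras": shell_extras,
        "locked_policies": locked_policies,
        "run_entries": run_entries,
        "double_persistence": sorted(shell_exes & run_exes),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```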
  2. 2008/08/05
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Tank
    Welcome to Windowsbbs.

    Please do the following.

    Download ComboFix from Here to your Desktop.

    It's best to disable realtime protection applications as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post the Combofix log
    Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

    Note - ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.

    Thanks
    Geri
     
    Geri,
    #2


  4. 2008/08/05
    Tank

    Tank Inactive Thread Starter

    Joined:
    2008/08/04
    Messages:
    50
    Likes Received:
    0
    Hello Geri, and thanks for the help. I ran ComboFix after disabling real time protection and here follows the log:

    ComboFix 08-08-04.09 - Tank 08/06/2008 0:31:32.1 - NTFSx86
    Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.38 [GMT -7:00]
    Running from: D:\Documents and Settings\Tank\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    D:\WINNT4\system32\Microsoft\backup.ftp
    D:\WINNT4\system32\Microsoft\backup.tftp
    D:\WINNT4\Web\default.htt

    .
    ((((((((((((((((((((((((( Files Created from 2008-07-06 to 2008-08-06 )))))))))))))))))))))))))))))))
    .

    2008-08-06 00:31 . 08-08-06 00:31 16,384 --a----t- D:\WINNT4\system32\Perflib_Perfdata_364.dat
    2008-08-05 10:26 . 08-08-05 10:26 16,384 --a----t- D:\WINNT4\system32\Perflib_Perfdata_2dc.dat
    2008-08-05 10:02 . 08-08-05 10:02 <DIR> d-------- D:\Deckard
    2008-08-05 09:55 . 08-08-05 09:55 <DIR> d-------- D:\Program Files\Trend Micro
    2008-08-05 08:23 . 08-05-12 10:40 0 --------- D:\WINNT4\system32\SWM0012
    2008-08-05 08:21 . 99-10-04 15:04 13,744 --a------ D:\WINNT4\system32\drivers\kbdhid.sys
    2008-08-05 08:20 . 03-06-19 12:05 11,632 --a------ D:\WINNT4\system32\drivers\mouhid.sys
    2008-08-05 08:19 . 03-06-19 12:05 24,752 --a------ D:\WINNT4\system32\drivers\HidClass.sys
    2008-08-05 08:19 . 03-06-19 12:05 23,056 --a------ D:\WINNT4\system32\drivers\HidParse.sys
    2008-08-05 08:18 . 08-08-05 08:18 186,504 --a------ D:\WINNT4\system32\SnAgOS.TMP
    2008-08-04 20:51 . 08-08-04 20:51 <DIR> d-------- D:\WINNT4\system32\BITS
    2008-08-04 20:18 . 07-07-30 19:19 43,352 --a------ D:\WINNT4\system32\wups2.dll
    2008-08-04 20:18 . 07-07-30 19:18 34,136 --a------ D:\WINNT4\system32\wucltui.dll.mui
    2008-08-04 20:18 . 07-07-30 19:18 33,624 --a------ D:\WINNT4\system32\wups.dll
    2008-08-04 20:17 . 07-07-30 19:19 549,720 --a------ D:\WINNT4\system32\wuapi.dll
    2008-08-04 20:17 . 07-07-30 19:19 325,976 --a------ D:\WINNT4\system32\wucltui.dll
    2008-08-04 20:17 . 07-07-30 19:19 25,944 --a------ D:\WINNT4\system32\wuaucpl.cpl.mui
    2008-08-04 20:17 . 07-07-30 19:19 25,944 --a------ D:\WINNT4\system32\wuapi.dll.mui
    2008-08-04 20:17 . 07-07-30 19:18 20,312 --a------ D:\WINNT4\system32\wuaueng.dll.mui
    2008-08-04 10:13 . 03-06-19 12:05 21,872 --a------ D:\WINNT4\system32\drivers\usbprint.sys
    2008-08-04 09:59 . 08-08-04 09:59 28 --a------ D:\WINNT4\Tank.acl
    2008-08-03 14:06 . 08-08-05 15:47 <DIR> d-------- D:\Documents and Settings\Tank\Application Data\OpenOffice.org2
    2008-08-02 11:02 . 08-08-02 11:02 <DIR> d-------- D:\WINNT4\system32\Macromed
    2008-08-01 20:35 . 08-01-04 20:56 1,526,640 --a------ D:\WINNT4\WRSetup.dll
    2008-08-01 20:35 . 08-01-04 20:34 163,696 --a------ D:\WINNT4\system32\drivers\ssidrv.sys
    2008-08-01 20:35 . 08-01-04 20:34 23,920 --a------ D:\WINNT4\system32\drivers\sskbfd.sys
    2008-08-01 20:35 . 08-01-04 20:34 21,872 --a------ D:\WINNT4\system32\drivers\sshrmd.sys
    2008-08-01 20:35 . 08-01-04 20:34 20,336 --a------ D:\WINNT4\system32\drivers\SSFS0BB9.sys
    2008-08-01 20:16 . 08-08-01 20:20 <DIR> d-------- D:\WINNT4\Windows Update Setup Files
    2008-08-01 20:16 . 08-08-01 20:23 <DIR> d--h----- D:\WINNT4\msdownld.tmp
    2008-08-01 19:57 . 03-06-19 12:05 35,344 --a------ D:\WINNT4\system32\drivers\redbook.sys
    2008-08-01 16:01 . 08-08-01 16:01 <DIR> d-------- D:\Program Files\Spybot - Search & Destroy
    2008-08-01 16:01 . 08-08-01 16:06 <DIR> d-a------ D:\Documents and Settings\All Users.WINNT4\Application Data\Spybot - Search & Destroy
    2008-07-31 21:58 . 08-07-30 20:07 38,472 --a------ D:\WINNT4\system32\drivers\mbamswissarmy.sys
    2008-07-31 21:56 . 08-07-31 21:56 <DIR> d-------- D:\Documents and Settings\Tank\Application Data\Malwarebytes
    2008-07-31 21:56 . 08-07-31 21:56 <DIR> d-------- D:\Documents and Settings\All Users.WINNT4\Application Data\Malwarebytes
    2008-07-31 21:56 . 08-07-30 20:07 17,144 --a------ D:\WINNT4\system32\drivers\mbam.sys
    2008-07-31 21:21 . 08-08-04 23:34 643,562 ---h----- D:\WINNT4\ShellIconCache
    2008-07-31 21:15 . 08-07-31 21:15 <DIR> d-------- D:\Documents and Settings\Tank\Application Data\Webroot
    2008-07-31 21:15 . 08-07-31 21:15 <DIR> d-------- D:\Documents and Settings\All Users.WINNT4\Application Data\Webroot
    2008-07-31 21:08 . 08-07-31 21:08 98,816 ---h----- D:\WINNT4\system32\ashDsp.exe
    2008-07-31 21:08 . 08-07-31 21:08 8,192 --a------ D:\WINNT4\REGLOCS.OLD
    2008-07-31 21:01 . 08-08-05 08:01 <DIR> d-------- D:\WINNT4\system32\NtmsData
    2008-07-31 21:01 . 08-07-31 21:01 <DIR> d--h----- D:\WINNT4\system32\GroupPolicy
    2008-07-31 21:01 . 08-07-31 21:01 <DIR> d--hs---- D:\WINNT4\Installer
    2008-07-31 21:01 . 08-07-31 21:01 <DIR> d-------- D:\Documents and Settings\Tank
    2008-07-31 21:00 . 08-08-06 00:32 <DIR> d-------- D:\WINNT4\system32\Microsoft
    2008-07-31 19:30 . 03-06-18 09:00 61,200 --a--c--- D:\WINNT4\system32\dllcache\icwconn2.exe
    2008-07-31 19:30 . 03-06-18 09:00 12,048 --a--c--- D:\WINNT4\system32\dllcache\inetwiz.exe
    2008-07-31 19:30 . 03-06-18 09:00 6,416 --a--c--- D:\WINNT4\system32\dllcache\isignup.exe
    2008-07-31 15:57 . 03-06-18 05:00 214,432 -rahs---- D:\ntldr
    2008-07-31 12:58 . 05-05-04 14:45 2,890,240 --a------ D:\WINNT4\system32\msi.dll
    2008-07-31 12:57 . 03-06-18 02:00 3,440,660 --a------ D:\WINNT4\system32\drivers\gm.dls
    2008-07-31 12:56 . 03-06-18 02:00 2,531,088 --a--c--- D:\WINNT4\system32\dllcache\cdosys.dll
    2008-07-31 12:55 . 03-06-18 02:00 2,233 --a--c--- D:\WINNT4\system32\dllcache\12520850.cpx
    2008-07-31 12:55 . 03-06-18 02:00 2,233 --a------ D:\WINNT4\system32\12520850.cpx
    2008-07-31 12:55 . 03-06-18 02:00 2,151 --a--c--- D:\WINNT4\system32\dllcache\12520437.cpx
    2008-07-31 12:55 . 03-06-18 02:00 2,151 --a------ D:\WINNT4\system32\12520437.cpx
    2008-07-31 12:55 . 03-06-18 02:00 707 --a------ D:\WINNT4\_default.pif
    2008-07-30 15:58 . 08-07-30 15:58 <DIR> d-------- D:\Documents and Settings\Tank Fortaleza\Application Data\Hewlett-Packard
    2008-07-30 15:23 . 08-07-30 15:23 <DIR> d-a------ D:\Program Files\Common Files\Hewlett-Packard
    2008-07-30 15:20 . 08-07-30 15:30 <DIR> d-a------ D:\Program Files\Hewlett-Packard
    2008-07-29 22:12 . 08-07-31 10:19 <DIR> d-------- D:\Documents and Settings\Tank Fortaleza\Application Data\OpenOffice.org2
    2008-07-29 22:03 . 08-07-29 22:04 <DIR> d-a------ D:\Program Files\OpenOffice.org 2.4
    2008-07-29 20:28 . 08-07-29 20:28 <DIR> d-a------ D:\Program Files\Enkad
    2008-07-27 23:14 . 08-07-27 23:14 <DIR> d-a------ D:\Program Files\Orbitdownloader
    2008-07-27 23:14 . 08-07-31 15:57 <DIR> d-------- D:\Documents and Settings\Tank Fortaleza\Application Data\Orbit
    2008-07-27 22:56 . 08-07-29 22:02 <DIR> d-a------ D:\Program Files\Java
    2008-07-27 22:52 . 08-07-27 22:52 <DIR> d-a------ D:\Program Files\Common Files\Java
    2008-07-27 21:10 . 08-07-27 21:12 <DIR> d-------- D:\Documents and Settings\Tank Fortaleza\Application Data\TypingMaster7
    2008-07-27 21:07 . 08-07-27 21:11 <DIR> dra------ D:\Program Files\TypingMaster
    2008-07-27 17:52 . 08-07-27 20:31 <DIR> d-a------ D:\Program Files\BitComet
    2008-07-26 20:37 . 08-07-26 20:37 <DIR> d-a------ D:\Program Files\Common Files\Adobe
    2008-07-26 11:16 . 08-07-30 22:59 <DIR> d-------- D:\Documents and Settings\Tank Fortaleza\Application Data\RegSweep
    2008-07-23 22:28 . 08-07-31 21:58 <DIR> d-a------ D:\Program Files\Malwarebytes' Anti-Malware
    2008-07-23 22:28 . 08-07-23 22:28 <DIR> d-------- D:\Documents and Settings\Tank Fortaleza\Application Data\Malwarebytes
    2008-07-23 13:02 . 08-07-23 13:02 <DIR> d-------- D:\Documents and Settings\Tank Fortaleza\Application Data\Webroot
    2008-07-23 12:53 . 08-07-31 08:03 285 --ahs---- D:\bootincSetup.ini
    2008-07-23 11:17 . 08-07-23 11:17 <DIR> d-------- D:\Documents and Settings\Tank Fortaleza
    2008-07-23 11:08 . 08-07-23 11:08 <DIR> d-a------ D:\Program Files\microsoft frontpage
    2008-07-23 11:08 . 03-03-24 17:52 618,605 --a--c--- D:\WINNT4\system32\dllcache\fp4autl.dll
    2008-07-23 11:05 . 08-07-23 11:05 <DIR> d--hs---- D:\Documents and Settings\All Users\DRM
    2008-07-23 11:04 . 03-06-18 09:00 186,640 --a--c--- D:\WINNT4\system32\dllcache\icwconn1.exe
    2008-07-23 11:03 . 03-06-18 05:00 185,104 --a--c--- D:\WINNT4\system32\dllcache\wordpad.exe
    2008-07-23 11:02 . 08-07-23 11:02 <DIR> d-a------ D:\Program Files\Accessories
    2008-07-23 11:02 . 03-06-18 05:00 512,784 --a--c--- D:\WINNT4\system32\dllcache\dialer.exe
    2008-07-23 11:02 . 03-06-18 05:00 302,352 --a--c--- D:\WINNT4\system32\dllcache\pinball.exe
    2008-07-23 11:02 . 03-06-18 05:00 11,536 --a--c--- D:\WINNT4\system32\dllcache\htrn_jis.dll
    2008-07-23 05:18 . 08-07-23 05:19 <DIR> d-------- D:\WIN2K
    2008-07-23 02:51 . 08-07-29 20:49 <DIR> d-a------ D:\Documents and Settings\All Users\Documents
    2008-07-23 02:51 . 03-06-18 05:00 838,416 --a--c--- D:\WINNT4\system32\dllcache\msttssyn.dll
    2008-07-23 02:51 . 03-06-18 05:00 48,912 --a--c--- D:\WINNT4\system32\dllcache\wttss22.dll
    2008-07-23 02:50 . 08-07-23 13:03 <DIR> d--h----- D:\Documents and Settings\Default User
    2008-07-23 02:50 . 08-07-23 11:17 <DIR> d-a------ D:\Documents and Settings\All Users
    2008-07-22 16:01 . 07-10-17 05:34 557,834 --a------ D:\RTL8139D.rar
    2008-07-22 16:01 . 99-03-03 03:29 540,704 ---hs---- D:\SYSTEM.1ST
    2008-07-22 16:01 . 03-06-18 05:00 335,081 -ra------ D:\txtsetup.sif
    2008-07-22 16:01 . 99-03-03 03:29 7,738 ---hs---- D:\SUHDLOG.DAT
    2008-07-22 16:01 . 99-03-03 03:17 22 ---hs---- D:\MSDOS.---
    2008-07-22 16:00 . 08-07-24 18:01 6,236,595 --a------ D:\yamaha_dsxg_driver.exe
    2008-07-22 16:00 . 08-04-18 12:02 14,330 --a------ D:\htoejh.exe
    2008-07-22 16:00 . 08-08-01 20:34 164 --a------ D:\install.dat
    2008-07-22 15:58 . 08-07-22 15:58 <DIR> d-a------ D:\Program Files\Webroot
    2008-07-22 15:58 . 08-07-22 15:58 <DIR> d-a------ D:\Program Files\GbPlugin
    2008-07-22 15:58 . 08-07-31 00:48 <DIR> d-a------ D:\Program Files\CCleaner
    2008-07-22 15:58 . 08-08-05 09:55 <DIR> dra------ D:\Program Files
    2008-07-22 15:58 . 08-07-22 15:58 <DIR> d-------- D:\Modem
    2008-07-22 15:58 . 08-07-22 15:58 <DIR> d-------- D:\Meus documentos
    2008-07-22 15:58 . 08-07-22 15:58 <DIR> d-------- D:\Lan
    2008-07-22 15:57 . 08-07-22 15:58 <DIR> d-------- D:\Globalink
    2008-07-22 15:57 . 08-07-22 15:57 <DIR> d-------- D:\FOUND.000
    2008-07-22 15:57 . 08-08-05 19:02 <DIR> d-------- D:\Downloads
    2008-07-22 15:54 . 08-07-22 15:54 <DIR> d-------- D:\Documents and Settings\Tank.FORTALEZ-85CF75
    2008-07-22 15:54 . 08-07-31 21:01 <DIR> d-a------ D:\Documents and Settings
    2008-07-22 15:48 . 08-07-22 15:54 <DIR> dr------- D:\Arquivos de programas

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-05 22:33 39,696 ----a-w D:\WINNT4\system32\ftp.exe
    2008-08-05 22:33 17,680 ----a-w D:\WINNT4\system32\tftp.exe
    2008-08-02 02:56 95,024 ----a-w D:\WINNT4\system32\sfc.dll
    2008-08-01 03:52 271 ---h--w D:\Program Files\desktop.ini
    2008-08-01 03:52 21,952 ---h--w D:\Program Files\folder.htt
    2008-07-24 03:14 102,400 ----a-w D:\adware.exe
    2003-06-18 09:00 32,528 ----a-w D:\WINNT4\inf\wbfirdma.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpySweeper "= "D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" [08-01-04 20:56 3572592]
    "internat.exe "= "internat.exe" [03-06-18 02:00 20752 D:\WINNT4\system32\internat.exe]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ashDsp.exe "= "D:\WINNT4\system32\ashDsp.exe" [08-07-31 21:08 98816]
    "SpySweeper "= "D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [08-01-04 20:56 5367664]
    "Synchronization Manager "= "mobsync.exe" [03-06-18 02:00 111376 D:\WINNT4\system32\mobsync.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "^SetupICWDesktop "= "D:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-18 09:00 186640]

    D:\Documents and Settings\Tank\Start Menu\Programs\Startup\
    OpenOffice.org 2.4.lnk - D:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 17:41:28 393216]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux "= mmdrv.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify "=dword:00000001
    "AntiVirusDisableNotify "=dword:00000001
    "AntiVirusOverride "=dword:00000001
    "FirewallOverride "=dword:00000001

    R1 SNSID;SNSID;D:\WINNT4\system32\Drivers\SNSID.sys [07-05-30 11:23 ]
    R1 SNSMS;SNSMS;D:\WINNT4\system32\Drivers\SNSMS.sys [07-05-30 11:35 ]
    R2 Ps2KSecureKeyboard;SecureKbd;D:\WINNT4\system32\DRIVERS\psseckbd.sys [07-05-30 11:21 ]
    R2 SNMgrSvc;SNMgrSvc;D:\WINNT4\system32\SnMgrSvc.exe [07-05-30 11:34 ]
    R3 NtApm;NT Apm/Legacy Interface Driver;D:\WINNT4\system32\DRIVERS\NtApm.sys [99-09-25 03:36 ]
    R3 vhidmini;Secure Mouse;D:\WINNT4\system32\DRIVERS\vhsecmou.sys [07-05-30 11:21 ]

    *Newly Created Service* - CATCHME
    *Newly Created Service* - PROCEXP90
    .
    .
    ------- Supplementary Scan -------
    .
    R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
    O9 -: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm


    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-06 00:42:11
    Windows 5.0.2195 Service Pack 4 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-08-06 0:47:48
    ComboFix-quarantined-files.txt 2008-08-06 07:47:27

    Pre-Run: 35,212,021,760 bytes free
    Post-Run: 35,409,993,728 bytes free

    191
     
  5. 2008/08/06
    Geri Lifetime Subscription

    Hi Tank
    Please do this.

    Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

    F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\system32\ashDsp.exe

    Now close all windows other than HiJackThis, then click Fix Checked.

    Close HJT.

    Now this.

    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Click here to see how to use CFScript.txt
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Code:
    File::
    D:\WINNT4\system32\ashDsp.exe
    D:\htoejh.exe
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "ashDsp.exe "=- 
    Please post the combofix log and a new HJT log.

    Thanks
    Geri
     
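Defender-side example, added here and not Geri's script nor ComboFix's or HijackThis's own code: it parses a constructed excerpt laid out like the logs in this thread, flags the executable chained after Explorer.exe in the system.ini Shell= line, any Run entry that launches the same image, and the Security Center notification overrides, then renders a CFScript in the File::/Registry:: shape of the post above. The helper names and the `D:\WINNT4` default for %WINDIR% are my assumptions.

```python
"""Audit ComboFix 'Reg Loading Points' + HijackThis F2 lines for the persistence
seen in this thread, and render a ComboFix CFScript from the findings.
Added example; the sample below is constructed, not a real scan."""
import ntpath
import re

# Constructed excerpt: one HijackThis F2 line plus ComboFix's REGEDIT4-style dump.
# ComboFix prints value names with a trailing space before the quote; kept here.
SAMPLE = r'''
F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\system32\ashDsp.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ashDsp.exe "= "D:\WINNT4\system32\ashDsp.exe" [08-07-31 21:08 98816]
"SpySweeper "= "D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [08-01-04 20:56 5367664]
"Synchronization Manager "= "mobsync.exe" [03-06-18 02:00 111376 D:\WINNT4\system32\mobsync.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify "=dword:00000001
"AntiVirusDisableNotify "=dword:00000001
"AntiVirusOverride "=dword:00000001
"FirewallOverride "=dword:00000001
'''

SECTION_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+?)\s*"\s*=\s*(?P<value>.+?)\s*$')
SHELL_RE = re.compile(r'Shell\s*=\s*(?P<shell>.+)$', re.IGNORECASE)
# Security Center values that silence its warnings when set to 1.
SC_DISABLE = ('UpdatesDisableNotify', 'AntiVirusDisableNotify',
              'AntiVirusOverride', 'FirewallOverride')


def parse_regpoints(text):
    """Return {key: {value_name: raw_value}} for the REGEDIT4-style part of the log."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m.group('name')] = m.group('value')
    return sections


def image_path(value):
    """Executable path from a Run value: quoted path, or first bare token."""
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0]


def shell_extras(text, windir):
    """Executables chained after Explorer.exe in the system.ini Shell= line."""
    extras = []
    for line in text.splitlines():
        m = SHELL_RE.search(line)
        if not m:
            continue
        for token in m.group('shell').split():
            if token.lower() != 'explorer.exe':
                extras.append(token.replace('%WINDIR%', windir))
    return extras


def run_hits(sections, suspects):
    """Run/RunOnce entries whose image is one of the suspect executables."""
    names = {ntpath.basename(p).lower() for p in suspects}
    hits = []
    for key, values in sections.items():
        if not key.lower().endswith(('\\run', '\\runonce')):
            continue
        for name, value in values.items():
            path = image_path(value)
            if ntpath.basename(path).lower() in names:
                hits.append((key, name, path))
    return hits


def security_center_overrides(sections):
    """Names of Security Center notification/override values set to 1."""
    found = []
    for key, values in sections.items():
        if key.lower().endswith('security center'):
            found += [n for n, v in values.items()
                      if n in SC_DISABLE and v.lower() == 'dword:00000001']
    return found


def audit_log(text, windir=r'D:\WINNT4'):
    """Correlate the Shell= chain, Run keys and Security Center state (windir assumed)."""
    sections = parse_regpoints(text)
    extras = shell_extras(text, windir)
    return {'shell_extras': extras,
            'run_hits': run_hits(sections, extras),
            'security_center': security_center_overrides(sections)}


def build_cfscript(findings):
    """Render CFScript text: File:: for the images, Registry:: removing the Run values."""
    files = list(dict.fromkeys(findings['shell_extras'] +
                               [p for _, _, p in findings['run_hits']]))
    lines = ['File::'] + files + ['', 'Registry::']
    for key, name, _ in findings['run_hits']:
        lines += [f'[{key}]', f'"{name}"=-']
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    result = audit_log(SAMPLE)
    print(result)
    print(build_cfscript(result))
```

The Security Center overrides are only reported, not scripted, because Geri's CFScript above did not touch them.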
  6. 2008/08/06
    Tank

    Hello Geri,
Here are the ComboFix log and the HijackThis log. For the sake of completeness: the PC did reboot, and on startup a popup from "Registry Editor" appeared stating: "Cannot import creg.dat: Not all data was successfully written to the registry. Some keys are open by the system or other processes". Subsequently the log appeared, but there was no desktop. I waited 3 hours and when I saw no change I closed the popup and used Task Manager to open explorer.exe, and the desktop loaded. That's when I ran HijackThis.

    Thanx!


    ComboFix 08-08-04.09 - Tank 08/06/2008 7:44:00.2 - NTFSx86
    Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.2 [GMT -7:00]
    Running from: D:\Documents and Settings\Tank\Desktop\ComboFix.exe
    Command switches used :: D:\Documents and Settings\Tank\Desktop\CFScript.txt
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    D:\htoejh.exe
    D:\WINNT4\system32\ashDsp.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    D:\htoejh.exe
    D:\WINNT4\system32\ashDsp.exe
    D:\WINNT4\system32\Microsoft\backup.ftp
    D:\WINNT4\system32\Microsoft\backup.tftp

    .
    ((((((((((((((((((((((((( Files Created from 2008-07-06 to 2008-08-06 )))))))))))))))))))))))))))))))
    .

    2008-08-06 07:44 . 08-08-06 07:44 16,384 --a----t- D:\WINNT4\system32\Perflib_Perfdata_2e4.dat
    2008-08-06 07:10 . 08-08-06 07:10 186,504 --a------ D:\WINNT4\system32\SnAgOS.TMP
    2008-08-06 00:31 . 08-08-06 00:31 16,384 --a----t- D:\WINNT4\system32\Perflib_Perfdata_364.dat
    2008-08-05 10:26 . 08-08-05 10:26 16,384 --a----t- D:\WINNT4\system32\Perflib_Perfdata_2dc.dat
    2008-08-05 10:02 . 08-08-05 10:02 <DIR> d-------- D:\Deckard
    2008-08-05 09:55 . 08-08-05 09:55 <DIR> d-------- D:\Program Files\Trend Micro
    2008-08-05 08:23 . 08-05-12 10:40 0 --------- D:\WINNT4\system32\SWM0012
    2008-08-05 08:21 . 99-10-04 15:04 13,744 --a------ D:\WINNT4\system32\drivers\kbdhid.sys
    2008-08-05 08:20 . 03-06-19 12:05 11,632 --a------ D:\WINNT4\system32\drivers\mouhid.sys
    2008-08-05 08:19 . 03-06-19 12:05 24,752 --a------ D:\WINNT4\system32\drivers\HidClass.sys
    2008-08-05 08:19 . 03-06-19 12:05 23,056 --a------ D:\WINNT4\system32\drivers\HidParse.sys
    2008-08-04 20:51 . 08-08-04 20:51 <DIR> d-------- D:\WINNT4\system32\BITS
    2008-08-04 20:18 . 07-07-30 19:19 43,352 --a------ D:\WINNT4\system32\wups2.dll
    2008-08-04 20:18 . 07-07-30 19:18 34,136 --a------ D:\WINNT4\system32\wucltui.dll.mui
    2008-08-04 20:18 . 07-07-30 19:18 33,624 --a------ D:\WINNT4\system32\wups.dll
    2008-08-04 20:17 . 07-07-30 19:19 549,720 --a------ D:\WINNT4\system32\wuapi.dll
    2008-08-04 20:17 . 07-07-30 19:19 325,976 --a------ D:\WINNT4\system32\wucltui.dll
    2008-08-04 20:17 . 07-07-30 19:19 25,944 --a------ D:\WINNT4\system32\wuaucpl.cpl.mui
    2008-08-04 20:17 . 07-07-30 19:19 25,944 --a------ D:\WINNT4\system32\wuapi.dll.mui
    2008-08-04 20:17 . 07-07-30 19:18 20,312 --a------ D:\WINNT4\system32\wuaueng.dll.mui
    2008-08-04 10:13 . 03-06-19 12:05 21,872 --a------ D:\WINNT4\system32\drivers\usbprint.sys
    2008-08-04 09:59 . 08-08-04 09:59 28 --a------ D:\WINNT4\Tank.acl
    2008-08-03 14:06 . 08-08-06 07:11 <DIR> d-------- D:\Documents and Settings\Tank\Application Data\OpenOffice.org2
    2008-08-02 11:02 . 08-08-02 11:02 <DIR> d-------- D:\WINNT4\system32\Macromed
    2008-08-01 20:35 . 08-01-04 20:56 1,526,640 --a------ D:\WINNT4\WRSetup.dll
    2008-08-01 20:35 . 08-01-04 20:34 163,696 --a------ D:\WINNT4\system32\drivers\ssidrv.sys
    2008-08-01 20:35 . 08-01-04 20:34 23,920 --a------ D:\WINNT4\system32\drivers\sskbfd.sys
    2008-08-01 20:35 . 08-01-04 20:34 21,872 --a------ D:\WINNT4\system32\drivers\sshrmd.sys
    2008-08-01 20:35 . 08-01-04 20:34 20,336 --a------ D:\WINNT4\system32\drivers\SSFS0BB9.sys
    2008-08-01 20:16 . 08-08-01 20:20 <DIR> d-------- D:\WINNT4\Windows Update Setup Files
    2008-08-01 20:16 . 08-08-01 20:23 <DIR> d--h----- D:\WINNT4\msdownld.tmp
    2008-08-01 19:57 . 03-06-19 12:05 35,344 --a------ D:\WINNT4\system32\drivers\redbook.sys
    2008-08-01 16:01 . 08-08-01 16:01 <DIR> d-------- D:\Program Files\Spybot - Search & Destroy
    2008-08-01 16:01 . 08-08-01 16:06 <DIR> d-a------ D:\Documents and Settings\All Users.WINNT4\Application Data\Spybot - Search & Destroy
    2008-07-31 21:58 . 08-07-30 20:07 38,472 --a------ D:\WINNT4\system32\drivers\mbamswissarmy.sys
    2008-07-31 21:56 . 08-07-31 21:56 <DIR> d-------- D:\Documents and Settings\Tank\Application Data\Malwarebytes
    2008-07-31 21:56 . 08-07-31 21:56 <DIR> d-------- D:\Documents and Settings\All Users.WINNT4\Application Data\Malwarebytes
    2008-07-31 21:56 . 08-07-30 20:07 17,144 --a------ D:\WINNT4\system32\drivers\mbam.sys
    2008-07-31 21:21 . 08-08-06 01:12 644,176 ---h----- D:\WINNT4\ShellIconCache
    2008-07-31 21:15 . 08-07-31 21:15 <DIR> d-------- D:\Documents and Settings\Tank\Application Data\Webroot
    2008-07-31 21:15 . 08-07-31 21:15 <DIR> d-------- D:\Documents and Settings\All Users.WINNT4\Application Data\Webroot
    2008-07-31 21:08 . 08-07-31 21:08 8,192 --a------ D:\WINNT4\REGLOCS.OLD
    2008-07-31 21:01 . 08-08-06 07:11 <DIR> d-------- D:\WINNT4\system32\NtmsData
    2008-07-31 21:01 . 08-07-31 21:01 <DIR> d--h----- D:\WINNT4\system32\GroupPolicy
    2008-07-31 21:01 . 08-07-31 21:01 <DIR> d--hs---- D:\WINNT4\Installer
    2008-07-31 21:01 . 08-07-31 21:01 <DIR> d-------- D:\Documents and Settings\Tank
    2008-07-31 21:00 . 08-08-06 07:45 <DIR> d-------- D:\WINNT4\system32\Microsoft
    2008-07-31 19:30 . 03-06-18 09:00 61,200 --a--c--- D:\WINNT4\system32\dllcache\icwconn2.exe
    2008-07-31 19:30 . 03-06-18 09:00 12,048 --a--c--- D:\WINNT4\system32\dllcache\inetwiz.exe
    2008-07-31 19:30 . 03-06-18 09:00 6,416 --a--c--- D:\WINNT4\system32\dllcache\isignup.exe
    2008-07-31 15:57 . 03-06-18 05:00 214,432 -rahs---- D:\ntldr
    2008-07-31 12:58 . 05-05-04 14:45 2,890,240 --a------ D:\WINNT4\system32\msi.dll
    2008-07-31 12:57 . 03-06-18 02:00 3,440,660 --a------ D:\WINNT4\system32\drivers\gm.dls
    2008-07-31 12:56 . 03-06-18 02:00 2,531,088 --a--c--- D:\WINNT4\system32\dllcache\cdosys.dll
    2008-07-31 12:55 . 03-06-18 02:00 2,233 --a--c--- D:\WINNT4\system32\dllcache\12520850.cpx
    2008-07-31 12:55 . 03-06-18 02:00 2,233 --a------ D:\WINNT4\system32\12520850.cpx
    2008-07-31 12:55 . 03-06-18 02:00 2,151 --a--c--- D:\WINNT4\system32\dllcache\12520437.cpx
    2008-07-31 12:55 . 03-06-18 02:00 2,151 --a------ D:\WINNT4\system32\12520437.cpx
    2008-07-31 12:55 . 03-06-18 02:00 707 --a------ D:\WINNT4\_default.pif
    2008-07-30 15:58 . 08-07-30 15:58 <DIR> d-------- D:\Documents and Settings\Tank Fortaleza\Application Data\Hewlett-Packard
    2008-07-30 15:23 . 08-07-30 15:23 <DIR> d-a------ D:\Program Files\Common Files\Hewlett-Packard
    2008-07-30 15:20 . 08-07-30 15:30 <DIR> d-a------ D:\Program Files\Hewlett-Packard
    2008-07-29 22:12 . 08-07-31 10:19 <DIR> d-------- D:\Documents and Settings\Tank Fortaleza\Application Data\OpenOffice.org2
    2008-07-29 22:03 . 08-07-29 22:04 <DIR> d-a------ D:\Program Files\OpenOffice.org 2.4
    2008-07-29 20:28 . 08-07-29 20:28 <DIR> d-a------ D:\Program Files\Enkad
    2008-07-27 23:14 . 08-07-27 23:14 <DIR> d-a------ D:\Program Files\Orbitdownloader
    2008-07-27 23:14 . 08-07-31 15:57 <DIR> d-------- D:\Documents and Settings\Tank Fortaleza\Application Data\Orbit
    2008-07-27 22:56 . 08-07-29 22:02 <DIR> d-a------ D:\Program Files\Java
    2008-07-27 22:52 . 08-07-27 22:52 <DIR> d-a------ D:\Program Files\Common Files\Java
    2008-07-27 21:10 . 08-07-27 21:12 <DIR> d-------- D:\Documents and Settings\Tank Fortaleza\Application Data\TypingMaster7
    2008-07-27 21:07 . 08-07-27 21:11 <DIR> dra------ D:\Program Files\TypingMaster
    2008-07-27 17:52 . 08-07-27 20:31 <DIR> d-a------ D:\Program Files\BitComet
    2008-07-26 20:37 . 08-07-26 20:37 <DIR> d-a------ D:\Program Files\Common Files\Adobe
    2008-07-26 11:16 . 08-07-30 22:59 <DIR> d-------- D:\Documents and Settings\Tank Fortaleza\Application Data\RegSweep
    2008-07-23 22:28 . 08-07-31 21:58 <DIR> d-a------ D:\Program Files\Malwarebytes' Anti-Malware
    2008-07-23 22:28 . 08-07-23 22:28 <DIR> d-------- D:\Documents and Settings\Tank Fortaleza\Application Data\Malwarebytes
    2008-07-23 13:02 . 08-07-23 13:02 <DIR> d-------- D:\Documents and Settings\Tank Fortaleza\Application Data\Webroot
    2008-07-23 12:53 . 08-07-31 08:03 285 --ahs---- D:\bootincSetup.ini
    2008-07-23 11:17 . 08-07-23 11:17 <DIR> d-------- D:\Documents and Settings\Tank Fortaleza
    2008-07-23 11:08 . 08-07-23 11:08 <DIR> d-a------ D:\Program Files\microsoft frontpage
    2008-07-23 11:08 . 03-03-24 17:52 618,605 --a--c--- D:\WINNT4\system32\dllcache\fp4autl.dll
    2008-07-23 11:05 . 08-07-23 11:05 <DIR> d--hs---- D:\Documents and Settings\All Users\DRM
    2008-07-23 11:04 . 03-06-18 09:00 186,640 --a--c--- D:\WINNT4\system32\dllcache\icwconn1.exe
    2008-07-23 11:03 . 03-06-18 05:00 185,104 --a--c--- D:\WINNT4\system32\dllcache\wordpad.exe
    2008-07-23 11:02 . 08-07-23 11:02 <DIR> d-a------ D:\Program Files\Accessories
    2008-07-23 11:02 . 03-06-18 05:00 512,784 --a--c--- D:\WINNT4\system32\dllcache\dialer.exe
    2008-07-23 11:02 . 03-06-18 05:00 302,352 --a--c--- D:\WINNT4\system32\dllcache\pinball.exe
    2008-07-23 11:02 . 03-06-18 05:00 11,536 --a--c--- D:\WINNT4\system32\dllcache\htrn_jis.dll
    2008-07-23 05:18 . 08-07-23 05:19 <DIR> d-------- D:\WIN2K
    2008-07-23 02:51 . 08-07-29 20:49 <DIR> d-a------ D:\Documents and Settings\All Users\Documents
    2008-07-23 02:51 . 03-06-18 05:00 838,416 --a--c--- D:\WINNT4\system32\dllcache\msttssyn.dll
    2008-07-23 02:51 . 03-06-18 05:00 48,912 --a--c--- D:\WINNT4\system32\dllcache\wttss22.dll
    2008-07-23 02:50 . 08-07-23 13:03 <DIR> d--h----- D:\Documents and Settings\Default User
    2008-07-23 02:50 . 08-07-23 11:17 <DIR> d-a------ D:\Documents and Settings\All Users
    2008-07-22 16:01 . 07-10-17 05:34 557,834 --a------ D:\RTL8139D.rar
    2008-07-22 16:01 . 99-03-03 03:29 540,704 ---hs---- D:\SYSTEM.1ST
    2008-07-22 16:01 . 03-06-18 05:00 335,081 -ra------ D:\txtsetup.sif
    2008-07-22 16:01 . 99-03-03 03:29 7,738 ---hs---- D:\SUHDLOG.DAT
    2008-07-22 16:01 . 99-03-03 03:17 22 ---hs---- D:\MSDOS.---
    2008-07-22 16:00 . 08-07-24 18:01 6,236,595 --a------ D:\yamaha_dsxg_driver.exe
    2008-07-22 16:00 . 08-08-01 20:34 164 --a------ D:\install.dat
    2008-07-22 15:58 . 08-07-22 15:58 <DIR> d-a------ D:\Program Files\Webroot
    2008-07-22 15:58 . 08-07-22 15:58 <DIR> d-a------ D:\Program Files\GbPlugin
    2008-07-22 15:58 . 08-07-31 00:48 <DIR> d-a------ D:\Program Files\CCleaner
    2008-07-22 15:58 . 08-08-05 09:55 <DIR> dra------ D:\Program Files
    2008-07-22 15:58 . 08-07-22 15:58 <DIR> d-------- D:\Modem
    2008-07-22 15:58 . 08-07-22 15:58 <DIR> d-------- D:\Meus documentos
    2008-07-22 15:58 . 08-07-22 15:58 <DIR> d-------- D:\Lan
    2008-07-22 15:57 . 08-07-22 15:58 <DIR> d-------- D:\Globalink
    2008-07-22 15:57 . 08-07-22 15:57 <DIR> d-------- D:\FOUND.000
    2008-07-22 15:57 . 08-08-05 19:02 <DIR> d-------- D:\Downloads
    2008-07-22 15:54 . 08-07-22 15:54 <DIR> d-------- D:\Documents and Settings\Tank.FORTALEZ-85CF75
    2008-07-22 15:54 . 08-07-31 21:01 <DIR> d-a------ D:\Documents and Settings
    2008-07-22 15:48 . 08-07-22 15:54 <DIR> dr------- D:\Arquivos de programas

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-06 14:10 39,696 ----a-w D:\WINNT4\system32\ftp.exe
    2008-08-06 14:10 17,680 ----a-w D:\WINNT4\system32\tftp.exe
    2008-08-02 02:56 95,024 ----a-w D:\WINNT4\system32\sfc.dll
    2008-08-01 03:52 271 ---h--w D:\Program Files\desktop.ini
    2008-08-01 03:52 21,952 ---h--w D:\Program Files\folder.htt
    2008-07-24 03:14 102,400 ----a-w D:\adware.exe
    2003-06-18 09:00 32,528 ----a-w D:\WINNT4\inf\wbfirdma.sys
    .

    ((((((((((((((((((((((((((((( snapshot@Wed 2008-08-06_ 0.44.14.67 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-08-05 22:33:05 39,696 -c--a-w D:\WINNT4\system32\dllcache\ftp.exe
    + 2008-08-06 14:10:50 39,696 -c--a-w D:\WINNT4\system32\dllcache\ftp.exe
    - 2008-08-05 22:33:05 17,680 -c--a-w D:\WINNT4\system32\dllcache\tftp.exe
    + 2008-08-06 14:10:50 17,680 -c--a-w D:\WINNT4\system32\dllcache\tftp.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpySweeper "= "D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" [08-01-04 20:56 3572592]
    "internat.exe "= "internat.exe" [03-06-18 02:00 20752 D:\WINNT4\system32\internat.exe]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpySweeper "= "D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [08-01-04 20:56 5367664]
    "Synchronization Manager "= "mobsync.exe" [03-06-18 02:00 111376 D:\WINNT4\system32\mobsync.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "^SetupICWDesktop "= "D:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-18 09:00 186640]

    D:\Documents and Settings\Tank\Start Menu\Programs\Startup\
    OpenOffice.org 2.4.lnk - D:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 17:41:28 393216]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux "= mmdrv.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify "=dword:00000001
    "AntiVirusDisableNotify "=dword:00000001
    "AntiVirusOverride "=dword:00000001
    "FirewallOverride "=dword:00000001

    R1 SNSID;SNSID;D:\WINNT4\system32\Drivers\SNSID.sys [07-05-30 11:23 ]
    R1 SNSMS;SNSMS;D:\WINNT4\system32\Drivers\SNSMS.sys [07-05-30 11:35 ]
    R2 Ps2KSecureKeyboard;SecureKbd;D:\WINNT4\system32\DRIVERS\psseckbd.sys [07-05-30 11:21 ]
    R2 SNMgrSvc;SNMgrSvc;D:\WINNT4\system32\SnMgrSvc.exe [07-05-30 11:34 ]
    R3 NtApm;NT Apm/Legacy Interface Driver;D:\WINNT4\system32\DRIVERS\NtApm.sys [99-09-25 03:36 ]
    R3 vhidmini;Secure Mouse;D:\WINNT4\system32\DRIVERS\vhsecmou.sys [07-05-30 11:21 ]
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-06 09:55:34
    Windows 5.0.2195 Service Pack 4 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-08-06 10:01:20
    ComboFix-quarantined-files.txt 2008-08-06 17:01:01
    ComboFix2.txt 2008-08-06 07:47:55

    Pre-Run: 35,429,715,968 bytes free
    Post-Run: 35,428,458,496 bytes free

    196


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:45:41 AM, on 8/6/2008
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    D:\WINNT4\System32\smss.exe
    D:\WINNT4\system32\winlogon.exe
    D:\WINNT4\system32\services.exe
    D:\WINNT4\system32\lsass.exe
    D:\WINNT4\system32\svchost.exe
    D:\WINNT4\system32\spoolsv.exe
    D:\WINNT4\system32\svchost.exe
    D:\WINNT4\system32\SnMgrSvc.exe
    D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    D:\WINNT4\System32\WBEM\WinMgmt.exe
    D:\WINNT4\system32\svchost.exe
    D:\WINNT4\system32\SnAgOS.exe
    D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    D:\WINNT4\system32\internat.exe
    D:\Program Files\OpenOffice.org 2.4\program\soffice.exe
    D:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
    D:\WINNT4\system32\SnEngine.EXE
    D:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    D:\WINNT4\explorer.exe
    D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT4\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SpySweeper] D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
    O4 - HKCU\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] D:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Startup: OpenOffice.org 2.4.lnk = D:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINNT4\web\related.htm (file missing)
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINNT4\web\related.htm (file missing)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1217906105164
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT4\System32\dmadmin.exe
    O23 - Service: SNMgrSvc - Open Communications Security S/A - D:\WINNT4\system32\SnMgrSvc.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

    --
    End of file - 2477 bytes
     
  7. 2008/08/06
    Geri Lifetime Subscription

    Hi Tank
    Please do another reboot and let me know if it boots up correctly and without the error message.

    Thanks
    Geri
     
  8. 2008/08/06
    Tank

    Hi Geri,
    I rebooted and this time the desktop loaded and NO popups. Only SpySweeper issued an alert: "Error Report-- SpySweeper encountered an error during a previous session. Click Send to send a log of the problem to WebRoot support, or click Delete to delete the log without sending it. ".

    thanks
     
  9. 2008/08/06
    Geri Lifetime Subscription

    Hi Tank
OK, good. That error was part of a ComboFix file.
    Not sure what the problem is with SpySweeper, I would send the report and see what they may say.

I'm not seeing an Anti-Virus program running on your machine. Do you not have one?
    This is a must have.

    One of your first defenses against infections is an Anti-virus.
    This is a Must Have to help keep you protected in today’s Internet world.
    Here are some good ones and the best part, they are Free!

    Please Download only 1 AV.

    Anti-Virus
    AVGFree
    Avast

    Download, Update and scan your computer with the AV. Quarantine/Delete anything it finds.
    Check for updates at the least once a week and do regular scans. Most AV’s can be scheduled to scan at a given time, this is also recommended.

After that, let's get an on-line scan to make sure everything looks OK.

    Please do this.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


The rest are optional - if you want it to remove everything, check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

    Now the on-line scan.

    Please do an online scan with Kaspersky WebScanner

Click on "Accept" if your pop-up blocker blocks any windows from opening.

    Click Run on the window that opens.
    Windows Vista users you must open the web browser using the Run as Administrator command.
    • The program will launch and then begin downloading the latest definition files:
• Under Scan on the left side, click on My Computer.
    • This will start the program and scan your system.
    • Click the “Scan Report” On the left side.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
• Click the Save Report As button, and in the Browse dialog box, type a name for the scan report file that you want to create and select its type as Text file. Click OK to save the file.
    • Save the text file to your desktop.
    • Copy and paste that information in your next post.

    Please post the Kaspersky results.

    Thanks
    Geri
     
  10. 2008/08/07
    Tank

    Hi Geri,
I was using WebRoot SpySweeper with AntiVirus, which tried to block the incoming infection but apparently wasn't able to. Anyhow, I updated and scanned the PC with the above program and it only found some cookies, which I promptly deleted. Then I ran ATF and cleaned everything. Lastly I tried the Kaspersky on-line scan, but my PC was set to hibernate after 25 min. and the scan was taking very long. So I went to Control Panel to change the settings and surprise! When I tried to open Power Options I was greeted by a popup saying: "cannot find the file rundll32.exe (or one of its components)...".
This also appears if I try to open System and probably other Control Panel items. So if I can't change the hibernation time, I won't be able to carry out the on-line scan.
I downloaded and installed Avast, updated and scanned including boot. It found Win32:Banker-BKL on boot and ashDsp.vir in Qoobox/Quarantine, which was probably the one I eliminated with your instructions.
    But the Control Panel problem persists. I searched for rundll32.exe and found it in D:/WINNT4/system32/dllcache.
    Is it the right place for it or is it corrupt/virus?
     
  11. 2008/08/07
    Geri, Alumni
    Hi Tank
    Please go to D:\Winnt\System32 and look to see if rundll32.exe is listed in the system32 folder.

    Thanks
    Geri
     
  12. 2008/08/07
    Tank, Thread Starter
    Hi Geri,
    It's in D:/WINNT4/system32/dllcache
     
  13. 2008/08/07
    Geri, Alumni
    Hi Tank
    OK, I saw you post that. :)
    Can you manually get to the system32 folder, or was that just by a search?

    If you can't get to the folder manually, then please post a new dss log.

    Thanks
    Geri
     
  14. 2008/08/07
    Tank, Thread Starter
    Hello Geri,
    In fact, after a closer look, the search returns 6 instances of RUNDLL32.EXE-169CA248.pf with differing 8 digit/letter sequences in D:/WINDOWS2/prefetch.

    WINDOWS2 is a remnant of a previous Windows OS which could have been XP. I hadn't deleted it because there are some programs that I use occasionally (although I could delete it with no regrets, if advisable).

    The search also found rundll32.exe in D:/WINNT4/system32 with a blank icon (white sheet).

    I opened D:/WINNT4/system32 with Explorer (showing hidden files) but I could not find this file.

    Lastly, the search found rundll32.exe in D:/WINNT4/system32/dllcache
    and this one has a Microsoft icon.
     
  15. 2008/08/07
    Geri, Alumni
    Hi Tank
    OK, please go to D:/WINNT4/system32/dllcache, find the RUNDLL32.EXE file, right-click on it and click Copy.

    Now go to the D:/WINNT4/system32 folder, find the RUNDLL32.EXE that is there, right-click on it and click Rename; rename it to RUNDLL32.OLD.

    Now right-click on a blank spot in the system32 folder and click Paste. This should put the RUNDLL32.EXE file in the folder.

    If it did that, then reboot and let me know if you still receive the error on boot up.
    Also check to see if you can open Control Panel.

    No you don't have to delete it.

    Thanks
    Geri
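    A way to check what Geri's rename-and-paste step relies on, added here as an illustration and not part of the thread or of any tool mentioned in it: Windows File Protection keeps a reference copy of protected files under system32\dllcache, so the copy in system32 can be compared against it by size and SHA-256 before it is replaced. The WINNT4 tree below is constructed in a temporary directory so the script runs anywhere; on a real machine you would point `compare_with_dllcache` at the actual Windows folder. A mismatch is a reason to investigate, not proof of tampering, because dllcache can be stale after a hotfix, and because malware that writes to system32 can usually write to dllcache as well, a hash from clean install media is the better reference.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large system files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_with_dllcache(windows_root: Path, name: str) -> dict:
    """Compare <root>/system32/<name> with its dllcache reference copy.

    Status values: 'match', 'mismatch', 'missing_in_system32', 'no_dllcache_copy'.
    """
    live = windows_root / "system32" / name
    reference = windows_root / "system32" / "dllcache" / name
    result = {"name": name, "system32": live.exists(), "dllcache": reference.exists()}
    if not reference.exists():
        result["status"] = "no_dllcache_copy"      # nothing to compare against
    elif not live.exists():
        result["status"] = "missing_in_system32"   # the situation Tank described
    else:
        same_size = live.stat().st_size == reference.stat().st_size
        same_hash = same_size and sha256_of(live) == sha256_of(reference)
        result["status"] = "match" if same_hash else "mismatch"
        if same_hash:
            result["sha256"] = sha256_of(reference)
    return result


def demo() -> list:
    """Build a constructed WINNT4 tree (sample data, not a real install) and check four names."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "WINNT4"
        system32 = root / "system32"
        cache = system32 / "dllcache"
        cache.mkdir(parents=True)
        # rundll32.exe: live copy differs from the reference copy
        (cache / "rundll32.exe").write_bytes(b"MZ constructed reference rundll32")
        (system32 / "rundll32.exe").write_bytes(b"MZ constructed altered rundll32 XX")
        # fs_rec.sys: live copy identical to the reference copy
        (cache / "fs_rec.sys").write_bytes(b"MZ constructed fs_rec driver")
        (system32 / "fs_rec.sys").write_bytes(b"MZ constructed fs_rec driver")
        # extra.dll: present in system32 only, so no reference to compare with
        (system32 / "extra.dll").write_bytes(b"MZ constructed extra")
        names = ("rundll32.exe", "fs_rec.sys", "extra.dll", "hal.dll")
        return [compare_with_dllcache(root, n)["status"] for n in names]


if __name__ == "__main__":
    for name, status in zip(("rundll32.exe", "fs_rec.sys", "extra.dll", "hal.dll"), demo()):
        print(f"{name:14s} {status}")
```

    Running the script prints one line per file; only "mismatch" and "missing_in_system32" call for the copy step Geri describes, and a "match" with an unexpected hash still needs checking against a known-good value.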
     
  16. 2008/08/07
    Tank, Thread Starter
    Hello Geri,

    Get ready for this:

    As I was about to look for your latest advice, Avast warned that it had detected a potentially malicious item and asked whether to delete it or ignore it. The item it reported was Fs_Rec.sús. I looked at it and decided that there could be no legitimate file with an accent as part of its extension. So I chose to delete it. Then I went to open IE to look for advice on the latest issue (the rundll32.exe problem). IE kept telling me that it encountered an error and had to close. Finally I decided to reboot the machine. But when the Windows screen appeared (the blue and white one with the progress bar) I got a BLUE SCREEN reporting: STOP: 000026c {unable to load device driver} SystemRoot/system32/Drivers/Fs_Rec.sys device driver could not be loaded. Error status 0xC0000221
    I rebooted: same thing.
    Since I don't have the CD, I disconnected the CD drive and reconnected the old 5Gb drive as master and booted into its operating system. So I am able to see the D: partition. I searched for Fs_Rec.sys and it still seems to be there. Yet I get the blue screen saying it can't be loaded?

    Is there anything I can do?

    Thanks
     
  17. 2008/08/07
    Geri, Alumni
    Hi Tank
    So I understand correctly:
    There is a file in D:/WINNT4/system32/Drivers/Fs_Rec.sys. Don't know why it's still there if Avast removed it??
    That is a system file and is required.

    You typed this, and I'm guessing it was a typo: Fs_Rec.sús.

    If you don't think this was a typo then do not do the below. Run dss again and post the log.
    --------------------------------------------------------------------

    I believe there is a Fs_Rec.sys file in your dllcache also.

    If so please do the same as you were going to do with the RUNDLL32.EXE.

    You will have to do one at a time.

    Then reboot and let me know.

    Thanks
    Geri
     
  18. 2008/08/07
    H2O
    I have same problem but worse.

    I can't even run HijackThis.
    Items disappeared from the Start menu, regedit is disabled, so is the Task Manager and desktop properties, who knows what else.
    And it's all the same in Safe Mode.

    All I can do is press Windows key+R and use Run, cmd.

    I would normally have Avast block this, but I didn't have it installed.
     
  19. 2008/08/07
    Geri, Alumni
    Hi H2O
    Please do not jump threads; we can only work with one person in one thread so there will be no confusion.
    Please start a topic of your own and someone will help you out.

    Thanks
    Geri
     
  20. 2008/08/07
    Tank, Thread Starter
    Hello Geri,

    No typo. The file that Avast picked up was indeed Fs_Rec.sús. The accent was the reason I concluded it wasn't a legit system file. But after I agreed to delete it the problem with IE began, and since I couldn't surf I decided to reboot. And on that startup (and every subsequent startup) the blue screen came up. Also, the Pc would yield the same blue screen with every choice of the F8 menu. So I can only access the D: drive because I removed the CD drive and replaced it with an old 5Gb disk that also has Win2k. But I cannot boot the D: partition. Startup stops with the blue screen.
    I checked using Explorer and, as you mentioned, Fs_Rec.sys appears both in D:/... /Drivers and in D:/... /dllcache.
     
  21. 2008/08/07
    Geri, Alumni
    Hi Tank
    OK, if that was not a typo then do not do the Fs_Rec.sys file.

    Please post a dss log.

    Thanks
    Geri
     
