
I don't know exactly what's going on but I'm getting an alert from NT Authority/System that either services.exe or lsass.exe has terminated unexpectedly... status code 128... system will now shutdown and restart.

I know spyware has something to do with the whole thing since I have instances of root.exe and FireDaemon.exe in the services section according to hijackthis.

Here's the log...

Logfile of HijackThis v1.99.1
Scan saved at 1:54:30 PM, on 8/20/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE
C:\WINNT\MWW32\MANAGER\MWSSW32.EXE
C:\WINNT\System32\mousebm.exe
C:\WINNT\System32\mousecrm.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\tp4mon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\wpa.exe
C:\Program Files\HiJack This\hijackthis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Modem Update Reminder] C:\WINNT\MWW32\manager\mwremind.exe autorun
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ThinkPad Modem Copyright.lnk = C:\WINNT\MWW32\manager\mwcpyrt.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IPSEC NT Service (IPSECM) - Cat Soft - C:\WINNT\WUPDATE_TEMP\sys32.exe
O23 - Service: FireDaemon Service: mmtask (mmtask) - Unknown owner - C:\WINNT\WUPDATE_TEMP\FireDaemon.EXE
O23 - Service: Mouse Button Monitor (mousebm) - Unknown owner - C:\WINNT\System32\mousebm.exe
O23 - Service: Mouse Cursor Monitor (mousecrm) - Unknown owner - C:\WINNT\System32\mousecrm.exe
O23 - Service: FireDaemon Service: smss (smss) - Unknown owner - C:\WINNT\WUPDATE_TEMP\FireDaemon.EXE
O23 - Service: ThinkPad Modem Service (ThinkPadModemService) - IBM Corporation - C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE
O23 - Service: Windows Product Activation (wpa) - Unknown owner - C:\WINNT\System32\wpa.exe
O23 - Service: WUPDATE_TEMP - Unknown owner - C:\WINNT\WUPDATE_TEMP\root.exe

I have used daniweb before when working on a friend's pc and you guys were a big help so I know if it can be fixed someone here will know what to do.

Thanks!


Hi,

Please download AgoBot and SDBot removal tools from Sophos.

Download Ewido and install it. Double-click on its icon to run it; you will get a "Database not found" error, click "OK" to dismiss it. Next, click the "Update" button in the left pane and click the "Start update" button to start the update process. After this, exit from Ewido.


Boot the PC in safe mode.


Go to Start > Run and type services.msc and press ENTER. This will bring up the Services window. Here navigate to the service named IPSEC NT Service (IPSECM) - Cat Soft and click "Properties". Here, in the "Status" dialog box, click "Stop". Next, in the "Startup type" dialog box, select "Disabled". Click "Apply" and "OK".

Do the above-mentioned steps for these services too:-
FireDaemon Service: mmtask (mmtask)
Mouse Button Monitor (mousebm)
Mouse Cursor Monitor (mousecrm)
FireDaemon Service: smss (smss)
Windows Product Activation (wpa)
WUPDATE_TEMP


Run HijackThis and select these entries:-

O23 - Service: IPSEC NT Service (IPSECM) - Cat Soft - C:\WINNT\WUPDATE_TEMP\sys32.exe
O23 - Service: FireDaemon Service: mmtask (mmtask) - Unknown owner - C:\WINNT\WUPDATE_TEMP\FireDaemon.EXE
O23 - Service: Mouse Button Monitor (mousebm) - Unknown owner - C:\WINNT\System32\mousebm.exe
O23 - Service: Mouse Cursor Monitor (mousecrm) - Unknown owner - C:\WINNT\System32\mousecrm.exe
O23 - Service: FireDaemon Service: smss (smss) - Unknown owner - C:\WINNT\WUPDATE_TEMP\FireDaemon.EXE
O23 - Service: Windows Product Activation (wpa) - Unknown owner - C:\WINNT\System32\wpa.exe
O23 - Service: WUPDATE_TEMP - Unknown owner - C:\WINNT\WUPDATE_TEMP\root.exe

Close all other open programs and click "Fix Checked" in HijackThis.


Delete these files:-
C:\WINNT\System32\mousebm.exe
C:\WINNT\System32\mousecrm.exe
C:\WINNT\System32\wpa.exe

Delete this folder:-
C:\WINNT\WUPDATE_TEMP


Run SDBotGUI and click "Configuration". Here click "Scan All Files" and click "OK". Next, click "Go" to start scanning.

After this, run AgoBotGUI and click "Config". Here click "Scan All Files" and click "OK". Next, click "Go" to start the scan.


Finally run Ewido, click on the "Scanner" button in the left menu, then click on the "Start" button.
If ewido finds anything, it will pop up a notification. You can select "Clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.


Reboot back to normal mode. Run HijackThis and post a fresh log. Also post whether SDBotGUI and AgoBotGUI found anything or not.
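As an added example (not code from the thread, from HijackThis, or from any tool named above), here is a small Python triage script that parses the O23 service lines of the first log and flags, with reasons, the same services that swatkat singled out. The heuristics it uses are assumptions drawn from the replies (a service run out of a temp-style folder, one wrapper binary backing several services, a service named after a core Windows process, a binary with no vendor information, a Windows-sounding name with a non-Microsoft owner), not HijackThis's own logic.

```python
"""Triage the O23 (service) lines of a HijackThis log for bot-style persistence.

Added example for this thread; it is not part of HijackThis, Ewido or any other
tool named in the posts. The heuristics are assumptions that encode what the
replies looked for: a service run out of a temp-style folder, one wrapper
binary (FireDaemon) backing several services, a service named after a core
Windows process, and a Windows-sounding service whose binary has no vendor.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# Shape of an O23 line as HijackThis 1.99 prints it:
#   O23 - Service: <display name> (<short name>) - <owner> - <path>
# The "(<short name>)" part is absent for some entries (WUPDATE_TEMP above).
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+)$"
)

# Core Windows process names that malware borrows to blend in.
CORE_PROCESS_NAMES = {"smss", "csrss", "winlogon", "services", "lsass", "svchost"}

# The O23 lines from the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IPSEC NT Service (IPSECM) - Cat Soft - C:\WINNT\WUPDATE_TEMP\sys32.exe
O23 - Service: FireDaemon Service: mmtask (mmtask) - Unknown owner - C:\WINNT\WUPDATE_TEMP\FireDaemon.EXE
O23 - Service: Mouse Button Monitor (mousebm) - Unknown owner - C:\WINNT\System32\mousebm.exe
O23 - Service: Mouse Cursor Monitor (mousecrm) - Unknown owner - C:\WINNT\System32\mousecrm.exe
O23 - Service: FireDaemon Service: smss (smss) - Unknown owner - C:\WINNT\WUPDATE_TEMP\FireDaemon.EXE
O23 - Service: ThinkPad Modem Service (ThinkPadModemService) - IBM Corporation - C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE
O23 - Service: Windows Product Activation (wpa) - Unknown owner - C:\WINNT\System32\wpa.exe
O23 - Service: WUPDATE_TEMP - Unknown owner - C:\WINNT\WUPDATE_TEMP\root.exe
"""


def parse_o23(line: str) -> Optional[Dict[str, str]]:
    """Split one O23 line into display, name, owner and path (None if not O23)."""
    m = O23_RE.match(line.strip())
    if m is None:
        return None
    fields = m.groupdict()
    if fields["name"] is None:            # no short name: fall back to the display name
        fields["name"] = fields["display"]
    return fields


def triage_services(log_text: str) -> Dict[str, List[str]]:
    """Map each service's short name to the reasons it deserves a closer look.

    An empty list means none of the heuristics fired for that service.
    """
    services = [s for s in map(parse_o23, log_text.splitlines()) if s]
    # How many services point at the same executable (service-wrapper pattern).
    binary_use = Counter(s["path"].lower() for s in services)

    report: Dict[str, List[str]] = {}
    for s in services:
        reasons: List[str] = []
        path = s["path"].lower()
        folders = path.split("\\")[:-1]

        if any("temp" in folder for folder in folders):
            reasons.append("runs from a temp-style folder: " + s["path"])
        if binary_use[path] > 1:
            reasons.append("same binary backs %d other service(s)" % (binary_use[path] - 1))
        if s["name"].lower() in CORE_PROCESS_NAMES:
            reasons.append("service name mimics core process '%s'" % s["name"])
        if s["owner"] == "Unknown owner":
            reasons.append("binary carries no vendor information")
        if re.search(r"\b(Windows|NT|Microsoft)\b", s["display"]) and not s["owner"].startswith("Microsoft"):
            reasons.append("Windows-sounding name but owner is '%s'" % s["owner"])
        report[s["name"]] = reasons
    return report


if __name__ == "__main__":
    # Print the most suspicious services first; legitimate ones end up at the bottom.
    ranked = sorted(triage_services(SAMPLE_LOG).items(), key=lambda kv: -len(kv[1]))
    for name, reasons in ranked:
        print("%-22s %s" % (name, "; ".join(reasons) or "(nothing unusual)"))
```

The output is a review list, not a verdict: mousebm and mousecrm fire only the weak "no vendor information" heuristic, which is exactly why a human still checks the binaries before deleting anything.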


Hi Quezl, welcome back :D

Please follow these instructions to remove root.exe:

http://securityresponse.symantec.com/avcenter/venc/data/codered.removal.tool.html

http://securityresponse.symantec.com/avcenter/venc/data/w32.gruel@mm.html

And here for wpa.exe:

http://securityresponse.symantec.com/avcenter/venc/data/w32.esbot.b.html

FireDaemon.EXE is a legitimate program that allows you to run any program as a service. If you didn't install it yourself, it's possible that somebody with malicious intentions installed it to take control of your PC (or to spy on you).

Follow the recommendations and instructions in the links below to help protect your PC (Windows Update), clean your system up a bit, and give you some info on HijackThis.

When you've finished all that, close any open browser windows, scan with HJT, and post a new log please.


Thanks guys,

I went ahead and performed the fix as instructed by swatkat. Everything seems to have gone well with one problem...

services.exe is still terminating, which is still causing my pc to restart.

Whether it ever had anything to do with the spyware I had on my machine or not, I can't say, maybe you guys can help me with that.

Here's a post of a hijackthis log (WITHOUT IE open this time ;) ) and I'll go ahead and post the Ewido report as well.

Logfile of HijackThis v1.99.1
Scan saved at 8:53:17 PM, on 8/20/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE
C:\WINNT\MWW32\MANAGER\MWSSW32.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\tp4mon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HiJack This\hijackthis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Modem Update Reminder] C:\WINNT\MWW32\manager\mwremind.exe autorun
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ThinkPad Modem Copyright.lnk = C:\WINNT\MWW32\manager\mwcpyrt.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ThinkPad Modem Service (ThinkPadModemService) - IBM Corporation - C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:          8:41:53 PM, 8/20/2005
 + Report-Checksum:     8F4B8525

 + Scan result:

    HKLM\SOFTWARE\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
    HKLM\SOFTWARE\Avenue Media\Internet Optimizer -> Spyware.InternetOptimizer : Cleaned with backup
    HKLM\SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper -> Spyware.InternetOptimizer : Cleaned with backup
    HKLM\SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper\cf1 -> Spyware.InternetOptimizer : Cleaned with backup
    HKLM\SOFTWARE\Bargains -> Spyware.BargainBuddy : Cleaned with backup
    HKLM\SOFTWARE\Classes\ADP.UrlCatcher -> Spyware.BargainBuddy : Cleaned with backup
    HKLM\SOFTWARE\Classes\ADP.UrlCatcher\CLSID -> Spyware.BargainBuddy : Cleaned with backup
    HKLM\SOFTWARE\Classes\BrowserHelperObject.BAHelper -> Spyware.SideFind : Cleaned with backup
    HKLM\SOFTWARE\Classes\BrowserHelperObject.BAHelper\CLSID -> Spyware.SideFind : Cleaned with backup
    HKLM\SOFTWARE\Classes\BrowserHelperObject.BAHelper\CurVer -> Spyware.SideFind : Cleaned with backup
    HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller -> Spyware.180Solutions : Cleaned with backup
    HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller\CLSID -> Spyware.180Solutions : Cleaned with backup
    HKLM\SOFTWARE\Classes\ClientAX.ClientInstaller\CurVer -> Spyware.180Solutions : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{00000010-6F7D-442C-93E3-4A4827C2E4C8} -> Spyware.InternetOptimizer : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{39DA2444-065F-47CB-B27C-CCB1A39C06B7} -> Spyware.PurityScan : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{86227D9C-0EFE-4f8a-AA55-30386A3F5686} -> Spyware.YourSiteBar : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{8CBA1B49-8144-4721-A7B1-64C578C9EED7} -> Spyware.SideFind : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{99410CDE-6F16-42ce-9D49-3807F78F0287} -> Spyware.Zango : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{A3FDD654-A057-4971-9844-4ED8E67DBBB8} -> Spyware.ISTBar : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Cleaned with backup
    HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj -> Spyware.MoneyTree : Cleaned with backup
    HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj\CLSID -> Spyware.MoneyTree : Cleaned with backup
    HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj\CurVer -> Spyware.MoneyTree : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{03B800F9-2536-4441-8CDA-2A3E6D15B4F8} -> Spyware.YourSiteBar : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{0985C112-2562-46F2-8DA6-92648BA4630F} -> Spyware.ISTBar : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{1C01D150-91A4-4DE0-9BF8-A35D1BDF1001} -> Spyware.SafeSurfing : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{2B0ECEAC-F597-4858-A542-D966B49055B9} -> Spyware.180Solutions : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{339D8AFF-0B42-4260-AD82-78CE605A9543} -> Spyware.SideFind : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E5678} -> Spyware.BargainBuddy : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{A36A5936-CFD9-4B41-86BD-319A1931887F} -> Spyware.SideFind : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED15678} -> Spyware.BargainBuddy : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{DDEA2E1D-8555-45E5-AF09-EC9AA4EA27AD} -> Spyware.180Solutions : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{DFBCC1EB-B149-487E-80C1-CC1562021542} -> Spyware.YourSiteBar : Cleaned with backup
    HKLM\SOFTWARE\Classes\SideFind.Finder -> Spyware.SideFind : Cleaned with backup
    HKLM\SOFTWARE\Classes\SideFind.Finder\CLSID -> Spyware.SideFind : Cleaned with backup
    HKLM\SOFTWARE\Classes\SideFind.Finder\CurVer -> Spyware.SideFind : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{40B1D454-9CA4-43CC-86AA-CB175EAC52FB} -> Spyware.MoneyTree : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516B2C3} -> Spyware.NaviSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{4EE12B71-AA5E-45EC-8666-2DB3AD3FDF44} -> Spyware.YourSiteBar : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{58634367-D62B-4C2C-86BE-5AAC45CDB671} -> Spyware.SideFind : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{5B6689B5-C2D4-4DC7-BFD1-24AC17E5FCDA} -> Spyware.180Solutions : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{67907B3C-A6EF-4A01-99AD-3FCD5F526429} -> Spyware.ISTBar : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{D0288A41-9855-4A9B-8316-BABE243648DA} -> Spyware.SideFind : Cleaned with backup
    HKLM\SOFTWARE\Classes\Ysb.YsbObj -> Spyware.YourSiteBar : Cleaned with backup
    HKLM\SOFTWARE\Classes\Ysb.YsbObj\CLSID -> Spyware.YourSiteBar : Cleaned with backup
    HKLM\SOFTWARE\Classes\Ysb.YsbObj\CurVer -> Spyware.YourSiteBar : Cleaned with backup
    HKLM\SOFTWARE\Classes\YSBactivex.Installer -> Spyware.YourSiteBar : Cleaned with backup
    HKLM\SOFTWARE\Classes\YSBactivex.Installer\CLSID -> Spyware.YourSiteBar : Cleaned with backup
    HKLM\SOFTWARE\ClickSpring -> Spyware.PurityScan : Cleaned with backup
    HKLM\SOFTWARE\eXactUtil -> Spyware.BargainBuddy : Cleaned with backup
    HKLM\SOFTWARE\ISTsvc -> Spyware.ISTBar : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\SideFind -> Spyware.SideFind : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BargainBuddy -> Spyware.BargainBuddy : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DyFuCA -> Spyware.MoneyTree : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer -> Spyware.InternetOptimizer : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ISTsvc -> Spyware.ISTBar : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kapabout -> Spyware.InternetOptimizer : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\sais -> Spyware.180Solutions : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SideFind -> Spyware.SideFind : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\YourSiteBar -> Spyware.ISTBar : Cleaned with backup
    HKLM\SOFTWARE\Policies\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
    HKLM\SOFTWARE\sais -> Spyware.180Solutions : Cleaned with backup
    HKLM\SOFTWARE\SideFind -> Spyware.SideFind : Cleaned with backup
    HKLM\SOFTWARE\YourSiteBar -> Spyware.ISTBar : Cleaned with backup
    HKLM\SOFTWARE\YourSiteBar\Historyfiles -> Spyware.ISTBar : Cleaned with backup
    HKLM\SOFTWARE\YourSiteBar\Historysearch -> Spyware.ISTBar : Cleaned with backup
    HKU\S-1-5-21-796845957-152049171-1060284298-500\Software\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
    HKU\S-1-5-21-796845957-152049171-1060284298-500\Software\IST -> Spyware.ISTBar : Cleaned with backup
    HKU\S-1-5-21-796845957-152049171-1060284298-500\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
    HKU\S-1-5-21-796845957-152049171-1060284298-500\Software\Policies\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
    HKU\S-1-5-21-796845957-152049171-1060284298-500\Software\PowerScan -> Spyware.PowerScan : Cleaned with backup
    HKU\S-1-5-21-796845957-152049171-1060284298-500\Software\sais -> Spyware.180Solutions : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@247realmedia[2].txt -> Spyware.Cookie.247realmedia : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@ad-logics[1].txt -> Spyware.Cookie.Ad-logics : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@ads.pointroll[1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@bfast[1].txt -> Spyware.Cookie.Bfast : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@bidtool.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@bs.serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@cj[1].txt -> Spyware.Cookie.Cj : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@clubmom.122.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@counter.hitslink[2].txt -> Spyware.Cookie.Hitslink : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@counter2.hitslink[1].txt -> Spyware.Cookie.Hitslink : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@data.coremetrics[1].txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@edge.ru4[2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@ehg-commjun.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@ehg-dig.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@ehg-foxsports.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@excite[2].txt -> Spyware.Cookie.Excite : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@hg1.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@overture[2].txt -> Spyware.Cookie.Overture : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@phg.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@qksrv[1].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@rccl.bridgetrack[2].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@revenue[1].txt -> Spyware.Cookie.Revenue : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@rotator.adjuggler[2].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@sel.as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@server.iad.liveperson[1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@spylog[1].txt -> Spyware.Cookie.Spylog : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@stat.onestat[2].txt -> Spyware.Cookie.Onestat : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@statcounter[1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@statse.webtrendslive[1].txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@www.burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@www.cj[2].txt -> Spyware.Cookie.Cj : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@www.myaffiliateprogram[2].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@ysbweb[1].txt -> Spyware.Cookie.Ysbweb : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\administrator@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
    C:\Documents and Settings\administrator\Local Settings\Temp\bb.exe -> TrojanDownloader.Adload.a : Cleaned with backup
    C:\Documents and Settings\administrator\Local Settings\Temp\Del14.tmp -> TrojanDownloader.Small.asf : Cleaned with backup
    C:\Documents and Settings\administrator\Local Settings\Temp\optimize.exe -> TrojanDownloader.Dyfuca.ei : Cleaned with backup
    C:\Documents and Settings\administrator\Local Settings\Temp\res17.tmp -> Spyware.180Solutions : Cleaned with backup
    C:\Documents and Settings\administrator\Local Settings\Temp\sidefind.exe -> TrojanDownloader.IstBar.jm : Cleaned with backup
    C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\9NLQXPT6\g4[1].txt -> Backdoor.Agent.mo : Cleaned with backup
    C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\9NLQXPT6\mspaint[1].exe -> TrojanProxy.Agent.fp : Cleaned with backup
    C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\9XUUOTAZ\comrade[1].exe -> TrojanProxy.Agent.fp : Cleaned with backup
    C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\9XUUOTAZ\comrade[2].exe -> TrojanProxy.Agent.fp : Cleaned with backup
    C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\9XUUOTAZ\comrade[3].exe -> TrojanProxy.Agent.fp : Cleaned with backup
    C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\9XUUOTAZ\installs[1].exe -> TrojanDownloader.Agent.dn : Cleaned with backup
    C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\9XUUOTAZ\mspaint[1].exe -> TrojanProxy.Agent.fp : Cleaned with backup
    C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\9XUUOTAZ\mspaint[2].exe -> TrojanProxy.Agent.fp : Cleaned with backup
    C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\FT49QR2J\comrade[2].exe -> TrojanProxy.Agent.fp : Cleaned with backup
    C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\FT49QR2J\comrade[3].exe -> TrojanProxy.Agent.fp : Cleaned with backup
    C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\FT49QR2J\comrade[4].exe -> TrojanProxy.Agent.fp : Cleaned with backup
    C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\FT49QR2J\comrade[5].exe -> TrojanProxy.Agent.fp : Cleaned with backup
    C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\FT49QR2J\comrade[6].exe -> TrojanProxy.Agent.fp : Cleaned with backup
    C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\FT49QR2J\l6[1].jpg -> Backdoor.Small.fb : Cleaned with backup
    C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\FT49QR2J\signup_r5[1].gif/ra.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
    C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\R3JE0MDI\comrade[2].exe -> TrojanProxy.Agent.fp : Cleaned with backup
    C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\R3JE0MDI\p4[1].jpg -> Backdoor.IRCBot.ex : Cleaned with backup
    C:\WINNT\Downloaded Program Files\ClientAX.dll -> Spyware.180Solutions : Cleaned with backup
    C:\WINNT\Downloaded Program Files\MediaTicketsInstaller.ocx -> Spyware.MediaTickets : Cleaned with backup
    C:\WINNT\Downloaded Program Files\ysbactivex.dll -> TrojanDownloader.IstBar : Cleaned with backup
    C:\WINNT\il.bat -> Trojan.Zapchast : Cleaned with backup
    C:\WINNT\nem220.dll -> TrojanDownloader.Dyfuca : Cleaned with backup
    C:\WINNT\ra.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
    C:\WINNT\sysrestore.exe -> Backdoor.SdBot.aad : Cleaned with backup
    C:\WINNT\system32\bbchk.exe -> Spyware.BargainBuddy : Cleaned with backup
    C:\WINNT\system32\exdl.exe -> Spyware.BargainBuddy : Cleaned with backup
    C:\WINNT\system32\exdl0.exe -> Spyware.BargainBuddy : Cleaned with backup
    C:\WINNT\system32\exdl1.exe -> Spyware.BargainBuddy : Cleaned with backup
    C:\WINNT\system32\exul.exe -> Spyware.BargainBuddy : Cleaned with backup
    C:\WINNT\system32\exul1.exe -> Spyware.BargainBuddy : Cleaned with backup
    C:\WINNT\system32\hpdriver.sys -> Trojan.Rootkit.Agent.ae : Cleaned with backup
    C:\WINNT\system32\javexulm.vxd -> Spyware.BargainBuddy : Cleaned with backup
    C:\WINNT\system32\mqexdlm.srg -> Spyware.BargainBuddy : Cleaned with backup
    C:\WINNT\system32\msbe.dll -> Spyware.BargainBuddy : Cleaned with backup
    C:\WINNT\system32\mt-uninstaller.exe -> Spyware.PurityScan.u : Cleaned with backup
    C:\WINNT\system32\soff.pif -> Backdoor.Rbot.xe : Cleaned with backup
    C:\WINNT\system32\wees.exe -> Backdoor.Rbot : Cleaned with backup


::Report End

All I can report is when I'm in safe mode services.exe doesn't terminate.

Any help you guys can give me in pointing me in the right direction to get this fixed would be a big help, like if I need to post my problem to another forum because it's not related to spyware.

Thanks guys for all you've done.



Hi,
Please download WinPFind and extract it to a folder. Next, double-click on the WinPFind.exe file to run it. Then click "Start Scan". After the scan, post the log of WinPFind.


All done (had to do it about 5 times since pc kept restarting)...

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows 2000    Current Build: Service Pack 3    Current Build Number: 2195
Internet Explorer Version: 5.50.4807.2300

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
Umonitor             7/24/2002 7:00:00 AM   528144     C:\WINNT\SYSTEM32\rasdlg.dll
winsync              7/24/2002 7:00:00 AM   1309184    C:\WINNT\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINNT\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
H                    8/21/2005 12:37:04 AM  375338     C:\WINNT\ShellIconCache
S                    8/21/2005 8:42:44 PM   64         C:\WINNT\CSC\00000001
S                    8/21/2005 8:42:44 PM   64         C:\WINNT\CSC\00000002
S                    8/21/2005 8:29:28 PM   64         C:\WINNT\CSC\csc1.tmp
SH                   8/19/2005 8:22:56 PM   0          C:\WINNT\system32\.exe
SH                   8/19/2005 8:29:30 PM   142336     C:\WINNT\system32\system.pif
H                    8/21/2005 8:44:28 PM   1024       C:\WINNT\system32\config\default.LOG
H                    8/21/2005 8:42:50 PM   1024       C:\WINNT\system32\config\SAM.LOG
H                    8/21/2005 8:52:48 PM   1024       C:\WINNT\system32\config\SECURITY.LOG
H                    8/21/2005 8:49:44 PM   1024       C:\WINNT\system32\config\software.LOG
H                    8/21/2005 8:42:38 PM   6          C:\WINNT\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation          7/24/2002 7:00:00 AM   67344      C:\WINNT\SYSTEM32\access.cpl
Microsoft Corporation          7/24/2002 7:00:00 AM   300816     C:\WINNT\SYSTEM32\appwiz.cpl
Microsoft Corporation          7/24/2002 7:00:00 AM   237328     C:\WINNT\SYSTEM32\desk.cpl
Microsoft Corporation          7/24/2002 7:00:00 AM   31504      C:\WINNT\SYSTEM32\fax.cpl
Microsoft Corporation          7/24/2002 7:00:00 AM   128272     C:\WINNT\SYSTEM32\hdwwiz.cpl
Microsoft Corporation          7/23/2001 7:16:00 PM   259344     C:\WINNT\SYSTEM32\inetcpl.cpl
Microsoft Corporation          7/24/2002 7:00:00 AM   118032     C:\WINNT\SYSTEM32\intl.cpl
Microsoft Corporation          7/24/2002 7:00:00 AM   36112      C:\WINNT\SYSTEM32\irprops.cpl
Microsoft Corporation          7/24/2002 7:00:00 AM   60688      C:\WINNT\SYSTEM32\joy.cpl
Microsoft Corporation          7/24/2002 7:00:00 AM   122128     C:\WINNT\SYSTEM32\main.cpl
Microsoft Corporation          7/24/2002 7:00:00 AM   303888     C:\WINNT\SYSTEM32\mmsys.cpl
Microsoft Corporation          7/24/2002 7:00:00 AM   17168      C:\WINNT\SYSTEM32\ncpa.cpl
Microsoft Corporation          7/24/2002 7:00:00 AM   41232      C:\WINNT\SYSTEM32\nwc.cpl
Microsoft Corporation          7/24/2002 7:00:00 AM   41232      C:\WINNT\SYSTEM32\odbccp32.cpl
Microsoft Corporation          7/24/2002 7:00:00 AM   90896      C:\WINNT\SYSTEM32\powercfg.cpl
Microsoft Corporation          7/24/2002 7:00:00 AM   83216      C:\WINNT\SYSTEM32\sticpl.cpl
Microsoft Corporation          7/24/2002 7:00:00 AM   125712     C:\WINNT\SYSTEM32\sysdm.cpl
Microsoft Corporation          7/24/2002 7:00:00 AM   5904       C:\WINNT\SYSTEM32\telephon.cpl
Microsoft Corporation          7/24/2002 7:00:00 AM   61200      C:\WINNT\SYSTEM32\timedate.cpl
Microsoft Corporation          2/9/2004 9:08:14 PM    61208      C:\WINNT\SYSTEM32\wuaucpl.cpl
Microsoft Corporation          7/23/2001 7:16:00 PM   259344     C:\WINNT\SYSTEM32\dllcache\inetcpl.cpl
IBM Corporation                9/23/1999 1:44:36 PM   94208      C:\WINNT\SYSTEM32\dllcache\mwcpa32.cpl
Microsoft Corporation          7/24/2002 7:00:00 AM   41232      C:\WINNT\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation          7/24/2002 7:00:00 AM   41232      C:\WINNT\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation          2/9/2004 9:08:14 PM    61208      C:\WINNT\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
                     5/21/2005 1:11:16 AM   1572       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
                     5/20/2005 8:03:52 PM   508        C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ThinkPad Modem Copyright.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03}   = cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    {09799AFB-AD67-11d1-ABCD-00C04FC30936}   = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46}   = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
    {E0D79300-84BE-11CE-9641-444553540000}   = C:\PROGRA~1\WinZip\wzshlext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
    {E0D79300-84BE-11CE-9641-444553540000}   = C:\PROGRA~1\WinZip\wzshlext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03}   = cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Open With EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46}   = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
    {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}   = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
    {E0D79300-84BE-11CE-9641-444553540000}   = C:\PROGRA~1\WinZip\wzshlext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
     = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
     = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
     = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
     = C:\WINNT\System32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7f9609be-af9a-11d1-83e0-00c04fb6e984}
     = %SystemRoot%\system32\faxshell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
     = C:\WINNT\System32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
     = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
     = C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
    Google Toolbar Helper = c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
    &Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
    {2318C2B1-4965-11d4-9B18-009027A5CD4F}   = &Google  : c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
    File and Folders Search ActiveX Control = C:\WINNT\system32\shell32.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
    {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\System32\browseui.dll
    {2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google    : c:\program files\google\googletoolbar2.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
    {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\System32\browseui.dll
    {2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google    : c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    Modem Update Reminder   C:\WINNT\MWW32\manager\mwremind.exe autorun
    TrackPointSrv   tp4mon.exe
    Synchronization Manager mobsync.exe /logon

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
    IMAIL   Installed = 1
    MAPI    Installed = 1
    MSFS    Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    SpybotSD TeaTimer   C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
    {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    dontdisplaylastusername 0
    legalnoticecaption  
    legalnoticetext 
    shutdownwithoutlogon    1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    NoDriveTypeAutoRun  149


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    Network.ConnectionTray          {7007ACCF-3202-11D1-AAD2-00805FC1270E} = C:\WINNT\system32\NETSHELL.dll
    WebCheck                        {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
    SysTray                         {35CEC8A3-2BE6-11D2-8773-92E220524153} = stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit    = C:\WINNT\system32\userinit.exe,
    Shell       = Explorer.exe
    System      = 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
     = crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
     = cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
     = cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
     = sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
     = WlNotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
    Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    AppInit_DLLs    


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.0 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/21/2005 8:54:21 PM

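As an added example, not code from this thread or from WinPFind, here is a small Python triage script for the hidden/system-file lines in the format shown in the log above (the sample lines are copied from it). The heuristics are my own assumptions about what a reviewer checks first: executables with an empty base name, system+hidden executables sitting directly in system32, .pif files in system32, and zero-byte executables.

```python
import re

# Constructed sample in WinPFind's hidden/system-file line format (attributes,
# date, time, size in bytes, path); lines are copied from the log above.
SAMPLE_LINES = """\
H                    8/21/2005 12:37:04 AM  375338     C:\\WINNT\\ShellIconCache
SH                   8/19/2005 8:22:56 PM   0          C:\\WINNT\\system32\\.exe
SH                   8/19/2005 8:29:30 PM   142336     C:\\WINNT\\system32\\system.pif
H                    8/21/2005 8:42:50 PM   1024       C:\\WINNT\\system32\\config\\SAM.LOG
H                    8/21/2005 8:42:38 PM   6          C:\\WINNT\\Tasks\\SA.DAT
"""
LINE_RE = re.compile(
    r"^(?P<attrs>[A-Z]*)\s+\d{1,2}/\d{1,2}/\d{4}\s+\d{1,2}:\d{2}:\d{2} [AP]M\s+"
    r"(?P<size>\d+)\s+(?P<path>\S.*?)\s*$"
)
# Extensions that carry executable code; a .pif is a DOS shortcut that can launch one.
EXEC_EXTS = {".exe", ".com", ".pif", ".scr", ".bat", ".cmd", ".dll", ".sys"}


def parse_line(line: str):
    """Return (attrs, size, path) for one WinPFind file line, or None for other lines."""
    m = LINE_RE.match(line)
    return (m["attrs"], int(m["size"]), m["path"]) if m else None


def review_entry(attrs: str, size: int, path: str) -> list[str]:
    """Heuristic reasons (assumed, not WinPFind's) an entry deserves a closer look."""
    folder, _, name = path.rpartition("\\")
    stem, dot, ext = name.rpartition(".")
    ext = (dot + ext).lower() if dot else ""
    in_sys32 = folder.lower().endswith("\\system32")
    reasons = []
    if ext in EXEC_EXTS and not stem:
        reasons.append("executable with an empty file name (easy to miss, hard to delete)")
    if ext in EXEC_EXTS and in_sys32 and "S" in attrs and "H" in attrs:
        reasons.append("system+hidden executable placed directly in system32")
    if ext == ".pif" and in_sys32:
        reasons.append(".pif (DOS shortcut) is not a normal system32 file")
    if ext in EXEC_EXTS and size == 0:
        reasons.append("zero-byte executable (placeholder or damaged dropper)")
    return reasons


def triage(log_text: str) -> list[tuple[str, list[str]]]:
    """Return (path, reasons) for every parsed line that has at least one reason."""
    findings = []
    for parsed in map(parse_line, log_text.splitlines()):
        if parsed and (reasons := review_entry(*parsed)):
            findings.append((parsed[2], reasons))
    return findings
```

Running `triage(SAMPLE_LINES)` flags only `C:\WINNT\system32\.exe` and `C:\WINNT\system32\system.pif`; the config .LOG files and SA.DAT pass untouched.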

Hi,
Delete this file:
C:\WINNT\system32\system.pif
Also, download Dr.Web CureIT and run a scan, because I can see a file called C:\WINNT\system32\.exe which may not be possible to locate!

Hey Swatkat,

I THINK I FIXED THE PROBLEM!

From the looks of things it actually never had anything to do with all the spyware I had on my pc (which you so graciously helped me take care of).

First I deleted C:\WINNT\system32\system.pif and was even able to find and delete C:\WINNT\system32\.exe and still no success. I ran Dr Web CureIT and it didn't really find anything so I was getting ready to post the bad news.

But after a search on Ggl I found out that there had been a problem with the Zotob worm and Win2k machines starting on Aug 15 (which is exactly when my problem started) for which MS released a security patch.

So I upgraded to sp4 and applied the security update 899588 http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx and BOOM, no more problem.

So pass the word if you get any other similar issues.

Anyway, thanks a million for all your help as I had a ton of spyware on my pc, which as usual, you guys came through for me like you do for so many other people.

But don't rest on your loins yet, because while this pc was on the fritz, I found out my trusty backup laptop had MORE spyware problems than this one did.

So look for a post for that one soon.

Thanks again, you guys are the best!


Hi,
Wow, happy to hear that your problem is solved :D and thanks for posting the solutions too; this would definitely help others. If you don't experience any problems, please post back, so that I could mark this as "Solved"!