Hi Johnb :)

mcktheknf

Microsoft Windows 2000
5.00.2195
Service Pack 4
x86 Family 6 Model 8 Stepping
3
AT/AT Compatible
261.424 KB Ram

1. I can't find a firewall that will load onto Windows 2000?

2. Should I download Java?

Here is the Hijackthis and my last scan on Malwarebytes.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:03:51 PM, on 3/18/2010
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\CTHELPER.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\WINNT\system32\mshta.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKUS\.DEFAULT\..\Run: [Sygate Personall Firewall] Sygate32.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{333232EE-41DA-4CA8-8919-8E7BB0D75702}: NameServer = 66.174.92.14 69.78.96.14
O17 - HKLM\System\CS1\Services\Tcpip\..\{333232EE-41DA-4CA8-8919-8E7BB0D75702}: NameServer = 66.174.92.14 69.78.96.14
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINNT\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Enables Java Support (Java) - Unknown owner - C:\WINNT\system32\winjava.exe (file missing)
O23 - Service: NetDDE Server (NetDDEsrv) - Unknown owner - C:\WINNT\system32\netddesrv.exe (file missing)
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe

--
End of file - 5496 bytes




Malwarebytes' Anti-Malware 1.44
Database version: 3884
Windows 5.0.2195 Service Pack 4
Internet Explorer 6.0.2800.1106

3/18/2010 8:54:24 PM
mbam-log-2010-03-18 (20-54-24).txt

Scan type: Quick Scan
Objects scanned: 98091
Time elapsed: 8 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
So what is wrong with your computer? Are you simply looking for a firewall that will work with Windows 2000?
 
Yes, I am looking for a firewall that will work with Windows 2000, and I thought maybe someone would check out my log files from HijackThis and Malwarebytes. And should I download Java to this machine?
I failed to mention that, oops.
 
I know you're asking for johnb35's help, but I checked your log and found these to fix; johnb35 will verify for you.

O4 - HKUS\.DEFAULT\..\Run: [Sygate Personall Firewall] Sygate32.exe (User 'Default user')

Must be fixed! Added by the SDBOT.WW WORM!

O17 - HKLM\System\CCS\Services\Tcpip\..\{333232EE-41DA-4CA8-8919-8E7BB0D75702}: NameServer = 66.174.92.14 69.78.96.14

Do you know the IP or Domain '66.174.92.14 69.78.96.14'? If not, fix this entry.

O17 - HKLM\System\CS1\Services\Tcpip\..\{333232EE-41DA-4CA8-8919-8E7BB0D75702}: NameServer = 66.174.92.14 69.78.96.14

Do you know the IP or Domain '66.174.92.14 69.78.96.14'? If not, fix this entry.

O23 - Service: Enables Java Support (Java) - Unknown owner - C:\WINNT\system32\winjava.exe (file missing)

Unknown service. (winjava.exe)

O23 - Service: NetDDE Server (NetDDEsrv) - Unknown owner - C:\WINNT\system32\netddesrv.exe (file missing)

Unknown service. (netddesrv.exe)
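The three entry types singled out in the reply above (an autorun under the HKUS\.DEFAULT hive, O17 NameServer entries pointing at public addresses, and O23 services whose binary is missing) can be pulled out of a HijackThis log mechanically. The Python below is an added example, not part of the thread and not HijackThis code; the sample lines are copied from the log posted above plus the AVG service line to show what is left alone. It flags public nameservers for verification only: this machine has VZAccess Manager installed, so the two addresses should be compared with the carrier's DNS before being "fixed".

```python
import ipaddress
import re

# Sample input: lines copied from the HijackThis log posted above, plus the
# AVG service line (also from the log) to show a benign O23 entry is left alone.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKUS\.DEFAULT\..\Run: [Sygate Personall Firewall] Sygate32.exe (User 'Default user')
O17 - HKLM\System\CCS\Services\Tcpip\..\{333232EE-41DA-4CA8-8919-8E7BB0D75702}: NameServer = 66.174.92.14 69.78.96.14
O23 - Service: Enables Java Support (Java) - Unknown owner - C:\WINNT\system32\winjava.exe (file missing)
O23 - Service: NetDDE Server (NetDDEsrv) - Unknown owner - C:\WINNT\system32\netddesrv.exe (file missing)
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
"""

# O4: hive, Run/RunOnce key, [label] and the command that is started.
O4_RE = re.compile(r"^O4 - (?P<hive>HKUS\\\.DEFAULT|HKLM|HKCU)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<label>[^\]]+)\] (?P<cmd>.+)$")
# O17: per-interface DNS servers written into the TCP/IP service key.
O17_RE = re.compile(r"^O17 - .*: NameServer = (?P<servers>[0-9. ]+)$")
# O23: display name (short name), owner string, binary path, optional "(file missing)".
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")


def triage_hijackthis(log_text):
    """Return (code, detail) findings for the three entry types discussed above.

    O4-DEFAULT     autorun under HKEY_USERS\\.DEFAULT, i.e. it fires before any user
                   logs on; legitimate software almost never installs itself there.
    O17-PUBLIC-DNS a nameserver outside private address space; verify it against
                   the ISP/carrier actually in use before removing it.
    O23-ORPHAN     a service whose binary is gone and whose owner is unknown;
                   the registration is dead weight and should be deleted.
    """
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            if m.group("hive") == r"HKUS\.DEFAULT":
                findings.append(("O4-DEFAULT", f"{m.group('label')} -> {m.group('cmd')}"))
            continue
        m = O17_RE.match(line)
        if m:
            for server in m.group("servers").split():
                if not ipaddress.ip_address(server).is_private:
                    findings.append(("O17-PUBLIC-DNS", server))
            continue
        m = O23_RE.match(line)
        if m and m.group("missing") and m.group("owner") == "Unknown owner":
            findings.append(("O23-ORPHAN", f"{m.group('name')} -> {m.group('path')}"))
    return findings


if __name__ == "__main__":
    for code, detail in triage_hijackthis(SAMPLE_LOG):
        print(f"{code:15} {detail}")
```

Run against the full log it prints one line per finding; the O4 check deliberately ignores HKLM and HKCU entries, because those are where normal software registers itself and need a per-program judgement rather than a rule.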
 
As far as what firewall to use, most companies have ended support for Windows 2000. I will try to see what's still available for your OS.

You have a few bad entries.

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes named findstr, find, sed or swreg; ComboFix should then continue.
If that happened we want to know, and also which process you had to end.

In your next reply please post:
  • The ComboFix log
  • A fresh HiJackThis log
  • An update on how your computer is running
 
John, I found this computer under some old tables that we have at our work office. It doesn't seem like it runs that bad, but I'm not familiar with it. I've downloaded AVG and Malwarebytes and came up with several viruses. I think the main reason they went to newer machines is because these things barely ran, because they had never been blown out. I couldn't believe the amount of dirt I got out of them. There are two fans in this model, and the larger one in the back of the machine was frozen up. Amazing what a little oil will do.




ComboFix 10-03-19.04 - Rick 03/19/2010 14:23:31.1.1 - x86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.255.126 [GMT -8:00]
Running from: c:\documents and settings\Rick\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\Web\default.htt

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_JAVA
-------\Legacy_NETDDESRV
-------\Legacy_RPCCLIENT
-------\Service_Java
-------\Service_NetDDEsrv


((((((((((((((((((((((((( Files Created from 2010-02-19 to 2010-03-19 )))))))))))))))))))))))))))))))
.

2010-03-19 05:38 . 2010-03-19 05:38 0 ----a-w- c:\winnt\nsreg.dat
2010-03-19 05:38 . 2010-03-19 05:38 -------- d-----w- c:\documents and settings\Rick\Local Settings\Application Data\Mozilla
2010-03-19 04:36 . 2010-03-19 04:36 -------- d-----w- c:\program files\Trend Micro
2010-03-19 02:19 . 2010-03-19 02:19 -------- dc-h--w- c:\winnt\$SQLUninstallMDAC25SP3-KB927779-x86-ENU$
2010-03-19 02:08 . 2010-03-19 02:08 -------- d-----w- c:\winnt\mui
2010-03-19 01:30 . 2010-03-19 01:30 -------- d-----w- c:\documents and settings\Rick\Application Data\Malwarebytes
2010-03-19 01:30 . 2010-01-08 00:07 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2010-03-19 01:30 . 2010-03-19 01:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-19 01:30 . 2010-01-08 00:07 18520 ----a-w- c:\winnt\system32\drivers\mbam.sys
2010-03-19 01:30 . 2010-03-19 01:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-19 01:11 . 2010-03-19 01:11 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-03-19 01:11 . 2010-03-19 01:11 333192 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-03-19 01:11 . 2010-03-19 01:11 28424 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-03-19 01:10 . 2010-03-19 01:10 12464 ----a-w- c:\winnt\system32\avgrsstx.dll
2010-03-19 01:06 . 2010-03-18 02:38 1007896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-03-19 01:06 . 2010-03-18 02:38 613656 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2010-03-19 01:06 . 2010-03-18 02:38 1658136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-03-19 01:06 . 2010-03-18 02:38 800536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2010-03-18 04:36 . 2009-12-08 18:53 1714560 -c--a-w- c:\winnt\system32\dllcache\NTKRNLMP.EXE
2010-03-18 04:36 . 2009-12-08 18:53 1735872 -c--a-w- c:\winnt\system32\dllcache\NTKRPAMP.EXE
2010-03-18 02:57 . 2010-03-18 02:57 -------- d-----w- c:\documents and settings\Rick\Application Data\AVG8
2010-03-18 02:40 . 2010-03-19 01:19 -------- d-----w- C:\$AVG
2010-03-18 02:39 . 2010-03-19 01:10 242696 ----a-w- c:\winnt\system32\drivers\avgtdix.sys
2010-03-18 02:39 . 2010-03-19 01:08 216200 ----a-w- c:\winnt\system32\drivers\avgldx86.sys
2010-03-18 02:39 . 2010-03-19 01:10 29512 ----a-w- c:\winnt\system32\drivers\avgmfx86.sys
2010-03-18 02:39 . 2010-03-19 22:12 -------- d-----w- c:\winnt\system32\drivers\Avg
2010-03-18 02:38 . 2010-03-18 02:38 -------- d-----w- c:\program files\AVG
2010-03-18 02:38 . 2010-03-19 00:55 -------- d---a-w- c:\documents and settings\All Users\Application Data\avg9
2010-03-18 02:38 . 2010-03-19 02:49 -------- d-----w- c:\winnt\winsxs
2010-03-18 02:08 . 2006-07-25 05:08 840976 -c----w- c:\winnt\system32\dllcache\mmcndmgr.dll
2010-03-18 02:02 . 2010-03-18 02:02 1956808 ----a-w- c:\documents and settings\Rick\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2010-03-18 01:59 . 2010-03-18 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Verizon Wireless
2010-03-18 01:57 . 2010-03-18 01:57 -------- d-----w- c:\documents and settings\Rick\Application Data\Smith Micro
2010-03-18 01:54 . 2008-08-11 01:00 59904 ----a-w- c:\winnt\system32\drivers\PTDUWWAN.sys
2010-03-18 01:54 . 2008-08-11 01:00 5120 ----a-w- c:\winnt\system32\drivers\PTDUWFLT.sys
2010-03-18 01:54 . 2008-05-17 04:46 77824 ----a-w- c:\winnt\system32\PTDUwmcp.dll
2010-03-18 01:54 . 2006-11-01 22:21 319456 ----a-w- c:\winnt\system32\DIFxAPI.dll
2010-03-18 01:54 . 2010-03-18 01:54 -------- d-----w- c:\program files\PANTECH
2010-03-18 01:54 . 2008-08-11 01:00 39936 ----a-w- c:\winnt\system32\drivers\PTDUVsp.sys
2010-03-18 01:54 . 2008-08-11 01:00 41344 ----a-w- c:\winnt\system32\drivers\PTDUMdm.sys
2010-03-18 01:54 . 2008-08-11 01:00 33024 ----a-w- c:\winnt\system32\drivers\PTDUBus.sys
2010-03-18 01:54 . 2010-03-18 01:54 -------- d-----w- c:\program files\Verizon Wireless

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-19 22:32 . 2005-06-02 16:03 24 ----a-w- c:\winnt\system32\DVCStateBkp-{00000001-00000000-0000000C-00001102-00000002-80261102}.dat
2010-03-19 22:32 . 2005-06-02 16:03 24 ----a-w- c:\winnt\system32\DVCState-{00000001-00000000-0000000C-00001102-00000002-80261102}.dat
2009-12-28 13:03 . 2005-06-01 20:00 319760 ----a-w- c:\winnt\system32\MSPAINT.EXE
2005-06-02 03:03 . 2005-06-02 03:03 21952 ---h--w- c:\program files\folder.htt
1998-12-09 02:53 . 1998-12-09 02:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 . 1998-12-09 02:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL
1998-12-09 02:53 . 1998-12-09 02:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [2003-06-19 111376]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-03 24576]
"UpdReg"="c:\winnt\UpdReg.EXE" [2000-05-11 90112]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"CountrySelection"="pctptt.exe" [2000-01-05 68096]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 186640]

c:\documents and settings\Rick\Start Menu\Programs\Startup\
VZAccess Manager.lnk - c:\program files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [2010-3-17 1790056]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-6-1 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Symantec Fax Starter Edition Port.lnk - c:\program files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 45568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-19 01:10 12464 ----a-w- c:\winnt\system32\avgrsstx.dll

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winnt\system32\drivers\avgldx86.sys [3/17/2010 6:39 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\winnt\system32\drivers\avgtdix.sys [3/17/2010 6:39 PM 242696]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/18/2010 5:10 PM 308064]
R3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\winnt\system32\drivers\PTDUBus.sys [3/17/2010 5:54 PM 33024]
R3 PTDUMdm;PANTECH UM175 Drivers;c:\winnt\system32\drivers\PTDUMdm.sys [3/17/2010 5:54 PM 41344]
R3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\winnt\system32\drivers\PTDUVsp.sys [3/17/2010 5:54 PM 39936]
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\drivers\el90xbc5.sys [6/1/2005 11:32 AM 61712]
S3 PTDUWFLT;PTDUWWAN Filter Driver;c:\winnt\system32\drivers\PTDUWFLT.sys [3/17/2010 5:54 PM 5120]
S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\winnt\system32\drivers\PTDUWWAN.sys [3/17/2010 5:54 PM 59904]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - IPNAT
*NewlyCreated* - RASAUTO
*NewlyCreated* - SHAREDACCESS
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: %SystemRoot%\system32\msafd.dll
TCP: {333232EE-41DA-4CA8-8919-8E7BB0D75702} = 66.174.92.14 69.78.96.14
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Rick\Application Data\Mozilla\Firefox\Profiles\woxp8a89.default\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-Sygate Personall Firewall - Sygate32.exe
SafeBoot-RpcClient



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-19 14:34
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(200)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL

- - - - - - - > 'explorer.exe'(1460)
c:\winnt\system32\SHDOCVW.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\winnt\system32\pctspk.exe
c:\winnt\system32\regsvc.exe
c:\winnt\system32\MSTask.exe
c:\winnt\System32\WBEM\WinMgmt.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
.
**************************************************************************
.
Completion time: 2010-03-19 14:39:00 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-19 22:38

Pre-Run: 13,886,447,616 bytes free
Post-Run: 14,277,156,864 bytes free

- - End Of File - - C54DDFC4C53D88BA67C67859B3805A66


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:55:51 PM, on 3/19/2010
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{333232EE-41DA-4CA8-8919-8E7BB0D75702}: NameServer = 66.174.92.14 69.78.96.14
O17 - HKLM\System\CS1\Services\Tcpip\..\{333232EE-41DA-4CA8-8919-8E7BB0D75702}: NameServer = 66.174.92.14 69.78.96.14
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINNT\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe

--
End of file - 4721 bytes
 
Ok, you have a few minor fixes in HijackThis, but let's disinfect your comres.dll file first.

Please go here and download the comres.dll file directly to the desktop and then unzip it to your desktop.

http://www.dll-files.com/pop.php?dll=comres - click where it says Download under Free Download.

Then download "The Avenger" here.

http://swandog46.geekstogo.com/

Click on The Avenger up top and then click on download to download the program.

Please open The Avenger. Then, please copy/paste the script inside the codebox into the "Input script here:" box.

Code:
Files to move:
%userprofile%\desktop\comres.dll | c:\winnt\system32\comres.dll


Now, click on Execute. Just say Yes at every prompt.

The Avenger will automatically do the following:

•It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
•On reboot, it will briefly open a black command window on your desktop, this is normal.
•After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
•The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

Please copy/paste the content of c:\avenger.txt into your reply.
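The Avenger script above, and the two ways it fails later in this thread (a script with no leading directive, and a "Files to move" source that is not actually on the desktop because the download was still a zip), can both be caught before rebooting. The Python below is an added example, not part of the thread and not The Avenger's own code: "Files to move:" is the only directive on this page, the other directive names are an assumption from The Avenger's script syntax, and the "MZ" check only tests whether the file is a Windows executable image rather than an archive. A practitioner would also rather restore comres.dll from c:\winnt\system32\dllcache or the original install media than from a third-party download, and the sha256_of helper is there to compare the candidate against such a known-good copy before moving it.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# "Files to move:" is the directive used on this page. The other names are an
# assumption drawn from The Avenger's documented script syntax; trim as needed.
DIRECTIVES = (
    "Files to delete:", "Folders to delete:", "Drivers to delete:",
    "Registry keys to delete:", "Registry values to delete:", "Files to move:",
)


def expand_env(path, env):
    """Expand %VAR% tokens case-insensitively, as cmd.exe does (env is a plain dict)."""
    lowered = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: lowered.get(m.group(1).lower(), m.group(0)), path)


def is_pe_file(path):
    """True if the file starts with the 'MZ' DOS stub every Windows EXE/DLL carries.
    A zip archive starts with 'PK' instead, which is the mistake made later in the
    thread (the download was never unzipped, so no comres.dll existed on the desktop)."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def sha256_of(path):
    """Hash of the replacement file, to compare against a known-good copy
    (e.g. the one in c:\\winnt\\system32\\dllcache, if present) before moving it."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def preflight(script_text, env):
    """Validate an Avenger script before rebooting into it.
    Returns a list of problems; an empty list means every 'Files to move' source exists
    and looks like a PE image. Destinations are not checked (they live on the target box)."""
    problems = []
    lines = [ln.strip() for ln in script_text.splitlines() if ln.strip()]
    if not lines or lines[0] not in DIRECTIVES:
        return ["Invalid script. A valid script must begin with a command directive."]
    current = None
    for line in lines:
        if line in DIRECTIVES:
            current = line
            continue
        if current != "Files to move:":
            continue
        if "|" not in line:
            problems.append(f"'Files to move' entry needs 'source | destination': {line}")
            continue
        # Backslashes are mapped to the host separator so the check also runs on a non-Windows box.
        src = expand_env(line.split("|", 1)[0].strip(), env).replace("\\", os.sep)
        if not Path(src).is_file():
            problems.append(f"file {src!r} not found (STATUS_OBJECT_NAME_NOT_FOUND)")
        elif not is_pe_file(src):
            problems.append(f"{src!r} is not a PE image; is it still a zip archive?")
    return problems


def demo():
    """Replay the thread's scenarios in a throw-away directory (constructed data, not a real DLL)."""
    script = "Files to move:\n%userprofile%\\desktop\\comres.dll | c:\\winnt\\system32\\comres.dll\n"
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        env = {"userprofile": tmp}
        desk = Path(tmp, "desktop")
        desk.mkdir()
        results["no_directive"] = preflight(script.split("\n", 1)[1], env)   # pasted without "Files to move:"
        results["missing"] = preflight(script, env)                          # nothing on the desktop yet
        (desk / "comres.dll").write_bytes(b"PK\x03\x04" + b"\0" * 28)        # an archive, not a DLL
        results["still_zipped"] = preflight(script, env)
        (desk / "comres.dll").write_bytes(b"MZ" + b"\0" * 62)                # looks like a PE image
        results["ok"] = preflight(script, env)
        results["sha256"] = sha256_of(desk / "comres.dll")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:13} {outcome}")
```

The "no_directive" case is the one the user hit first: Avenger's pre-processor rejects any script whose first line is not a directive, so pasting only the path pair produces "Invalid script". The "missing" case reproduces the STATUS_OBJECT_NAME_NOT_FOUND failure, and "still_zipped" catches the cause of it before a reboot is wasted.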
 
John, I only copied "%userprofile%\desktop\comres.dll | c:\winnt\system32\comres.dll" on the first try and the Avenger failed with an error code. Then I included "Files to move:" and it seemed to work. Here's the file log you asked for. Rick



//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows 2000 (build 2195, Service Pack 4)
Sat Mar 20 07:24:27 2010

07:24:27: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows 2000 (build 2195, Service Pack 4)
Sat Mar 20 07:24:56 2010

07:24:56: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows 2000 (build 2195, Service Pack 4)
Sat Mar 20 07:25:29 2010

07:25:29: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows 2000 (build 2195, Service Pack 4)
Sat Mar 20 07:27:31 2010

07:27:31: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows 2000 (build 2195, Service Pack 4)
Sat Mar 20 07:27:43 2010

07:27:43: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows 2000

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:


Error: file "C:\Documents and Settings\Rick\desktop\comres.dll" not found!
File move operation "C:\Documents and Settings\Rick\desktop\comres.dll|c:\winnt\system32\comres.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.
 
Did you unzip the file to your desktop, so that you can actually see the comres.dll name listed under the icon? According to the Avenger log it's not there on your desktop.
 
How about this? This is more fun than a forced march!


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows 2000

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\Documents and Settings\Rick\desktop\comres.dll" not found!
File move operation "C:\Documents and Settings\Rick\desktop\comres.dll|c:\winnt\system32\comres.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.
 
Still didn't work. Are you sure the file is on your desktop? Because Avenger says it's not. Can you give me a screen shot of your desktop?
 
John, I've been dinking with this UNZIP thing all day. I feel like I've been in a fight, and lost:( ........ I'm too dumb to quit though. I'll keep trying to figure it out. I appreciate your patience. Rick
 
If you want I can send you the file directly to your email and you can save it to your desktop.
 
I dragged the file over onto my desktop and when I opened it, it says that it is Java? This PC is Windows 2000 and doesn't have a Java download? Does that make any difference or should I just follow your old instructions?

I opened it with Windows instead of Mozilla and was able to save it to my desktop, but I can't open it? It wants to know what to open it with? I did download WinZip but don't know how to use it

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows 2000

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\Documents and Settings\Rick\desktop\comres.dll|c:\winnt\system32\comres.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.
 
Congratulations, you performed the procedure correctly. Now, we can clean up your hijackthis log.

Please do another HijackThis scan and place a check next to the following entries.

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{333232EE-41DA-4CA8-8919-8E7BB0D75702}: NameServer = 66.174.92.14 69.78.96.14
O17 - HKLM\System\CS1\Services\Tcpip\..\{333232EE-41DA-4CA8-8919-8E7BB0D75702}: NameServer = 66.174.92.14 69.78.96.14


Then click on fix checked at the bottom.

This computer is now done.
 
"Congratulations, you performed the procedure correctly. Now, we can clean up your hijackthis log." Johnb
And it almost killed the old guy!!! I don't know how much "I" had to do with that repair, but, YOU do nice work. I've decided to give you the rest of the day off, John. Gracias
PS> this thing kicks butt
 
Much appreciated... I'm kinda tired tonight after getting up early for work and still have to take my kids back to their mom's.
 