
Topic: Help with Sysvxd.exe malware problem (logs included)


    SveinR (Topic Starter)

    Help with Sysvxd.exe malware problem (logs included)
    « on: September 14, 2010, 02:41:17 PM »
    Hi, recently I started getting these pop-up error messages due to Sysvxd.exe, saying

    16 bit MS-DOS Subsystem : C:\WINNT\Sysvxd.exe
    The NTVDM CPU has encountered an illegal instruction.

    whereupon I could either click Ignore or Close.

    After running MalwareBytes, which found and deleted the file, it just kept coming back later on. So now I've come to this site for help :)

    I've gone through the steps outlined in the Malware Removal Guide, and below I have the requested logs attached.

    -----------------------------------------------

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 09/14/2010 at 03:18 AM

    Application Version : 4.42.1000

    Core Rules Database Version : 5499
    Trace Rules Database Version: 3311

    Scan type       : Complete Scan
    Total Scan Time : 02:51:12

    Memory items scanned      : 305
    Memory threats detected   : 0
    Registry items scanned    : 4386
    Registry threats detected : 0
    File items scanned        : 60586
    File threats detected     : 1

    Rogue.Agent/Gen-Nullo[EXE]
       C:\WINNT\SYSVXD.EXE


    ----------------------------------------


    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4616

    Windows 5.0.2195 Service Pack 4
    Internet Explorer 6.0.2800.1106

    14.09.2010 21:23:26
    mbam-log-2010-09-14 (21-23-26).txt

    Scan type: Quick scan
    Objects scanned: 116133
    Time elapsed: 20 minute(s), 52 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    ---------------------------------------


    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 22:41:43, on 14.09.2010
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\WINNT\system32\drivers\CDAC11BA.EXE
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\SYSTEM32\starter.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\WLAN\GConfig\GConfig.exe
    C:\Program Files\Rainlendar\Rainlendar.exe
    C:\WINNT\system32\msiexec.exe
    C:\Program Files\Trend Micro\HiJackThis\sniper.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINNT\SYSTEM32\starter.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: GConfig.lnk = C:\Program Files\WLAN\GConfig\GConfig.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab55762.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
    O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\System32\browseui.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\system32\drivers\CDAC11BA.EXE
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\Program Files\FileZilla Server\FileZilla Server.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

    --
    End of file - 4834 bytes




    SveinR (Topic Starter)

      Re: Help with Sysvxd.exe malware problem (logs included)
      « Reply #1 on: September 14, 2010, 02:42:36 PM »
      I also thought it could be helpful if I posted the log from the first time I ran MalwareBytes after the problem appeared (this is then before any of the other steps were performed):

      Malwarebytes' Anti-Malware 1.46
      www.malwarebytes.org

      Database version: 4552

      Windows 5.0.2195 Service Pack 4
      Internet Explorer 6.0.2800.1106

      06.09.2010 06:32:08
      mbam-log-2010-09-06 (06-32-08).txt

      Scan type: Full scan (C:\|)
      Objects scanned: 175307
      Time elapsed: 1 hour(s), 35 minute(s), 48 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 2
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 2

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\1234567890.exe (Security.Hijack) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00e1035 (Trojan.Vundo) -> Quarantined and deleted successfully.

      Registry Values Infected:
      (No malicious items detected)

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      C:\WINNT\system32\~.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
      C:\WINNT\Sysvxd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
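
The two Malwarebytes logs and the HijackThis log in this thread between them show the persistence points that matter in a case like this: an Image File Execution Options key (a Debugger value under IFEO\<program>.exe makes Windows start the named "debugger" in place of that program every time it is launched), a Winlogon\Notify subkey (winlogon.exe loads the DLL it names at logon), Run entries that name a bare executable with no path (internat.exe here, which is why the helper later asks for that file to be hashed and scanned), and executables dropped straight into C:\WINNT. The script below is an added example written for this page, not a tool used in the thread and not part of HijackThis, Malwarebytes or ComboFix. It parses lines in the two log formats quoted above and ranks those entries. The sample input is constructed from the thread's own log lines; the Windows-directory list, the known-good Winlogon Notify entry (SUPERAntiSpyware's, visible in the logs) and the scoring rules are the editor's assumptions, not signatures.

```python
"""Rank persistence points found in HijackThis and Malwarebytes log text.

Added example for this page; not a tool from the thread. Sample input is
constructed from lines quoted in the thread; allowlist and scoring rules
are the editor's assumptions, not malware signatures.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: lines copied from the logs posted in this thread.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINNT\SYSTEM32\starter.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [internat.exe] internat.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
"""
MBAM_SAMPLE = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\1234567890.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00e1035 (Trojan.Vundo) -> Quarantined and deleted successfully.

Files Infected:
C:\WINNT\system32\~.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINNT\Sysvxd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# Assumptions: where the Windows directory lives, and which Winlogon Notify
# entry is known-good on this machine (SUPERAntiSpyware's, per the logs).
WINDOWS_DIRS = {r"c:\winnt", r"c:\windows"}
KNOWN_NOTIFY = {"!saswinlogon", "saswinlo.dll"}

O4_RE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")
MBAM_RE = re.compile(r"^(?P<item>(?:HK[A-Z_]+|[A-Za-z]:)\\.+?) \((?P<family>[^)]+)\) ->")


@dataclass
class Finding:
    severity: str   # "HIGH" or "MEDIUM"
    item: str       # registry key, program path or bare program name
    reason: str


def first_exe(cmd: str) -> str:
    """Program part of an autostart command (strips quotes and arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def assess_program(path: str) -> List[Finding]:
    """Heuristics for a program named by a Run entry or listed as a file."""
    low = path.lower()
    parent, _, base = low.rpartition("\\")
    if not parent:
        return [Finding("MEDIUM", path, "bare filename: resolved through the search path, "
                        "so the log does not say which file actually runs; hash it")]
    out: List[Finding] = []
    if base and not base[0].isalnum():
        out.append(Finding("HIGH", path, "executable name starts with a non-alphanumeric character"))
    if parent in WINDOWS_DIRS and base.endswith(".exe"):
        out.append(Finding("MEDIUM", path, "executable placed directly in the Windows directory"))
    return out


def assess_registry_key(key: str) -> List[Finding]:
    """Heuristics for a key named in a Malwarebytes 'Registry Keys Infected' line."""
    low = key.lower()
    sub = low.rsplit("\\", 1)[-1]
    if "\\image file execution options\\" in low:
        return [Finding("HIGH", key, "IFEO key: a Debugger value here runs another program "
                        "in place of the named executable every time it is launched")]
    if "\\winlogon\\notify\\" in low and sub not in KNOWN_NOTIFY:
        return [Finding("HIGH", key, "Winlogon Notify subkey not on the known-good list; "
                        "its DLL is loaded into winlogon.exe at logon")]
    return []


def triage(hjt_text: str, mbam_text: str) -> List[Finding]:
    """Parse both log formats and return findings, HIGH first."""
    findings: List[Finding] = []
    for line in hjt_text.strip().splitlines():
        m = O4_RE.match(line)
        if m:
            findings += assess_program(first_exe(m.group("cmd")))
            continue
        m = O20_RE.match(line)
        if m:
            dll = m.group("path").lower().rsplit("\\", 1)[-1]
            if m.group("name").lower() not in KNOWN_NOTIFY and dll not in KNOWN_NOTIFY:
                findings.append(Finding("HIGH", m.group("path"),
                                        "Winlogon Notify DLL not on the known-good list"))
    for line in mbam_text.strip().splitlines():
        m = MBAM_RE.match(line)
        if not m:
            continue
        item = m.group("item")
        if item.upper().startswith("HK"):
            findings += assess_registry_key(item)
        else:
            findings += assess_program(item)
    rank = {"HIGH": 0, "MEDIUM": 1}
    return sorted(findings, key=lambda f: rank[f.severity])


if __name__ == "__main__":
    for f in triage(HJT_SAMPLE, MBAM_SAMPLE):
        print(f"{f.severity:<6} {f.item}\n       {f.reason}")
```

Run as-is it prints the three HIGH entries (the IFEO key, the __c00e1035 Notify subkey, ~.exe) and then the three path-less or system-root programs to verify. Legitimate Windows 2000 components such as mobsync.exe and internat.exe land in the MEDIUM bucket on purpose: the log cannot tell a real internat.exe from a same-named drop earlier in the search path, which is exactly the check the helper asks for next.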

      SuperDave (Malware Removal Specialist)
      Re: Help with Sysvxd.exe malware problem (logs included)
      « Reply #2 on: September 18, 2010, 05:29:24 PM »
      Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum, so it may take a bit longer to process your logs.

      1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
      2. The fixes are specific to your problem and should only be used for this issue on this machine.
      3. If you don't know or understand something, please don't hesitate to ask.
      4. Please DO NOT run any other tools or scans while I am helping you.
      5. It is important that you reply to this thread. Do not start a new topic.
      6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
      7. Absence of symptoms does not mean that everything is clear.

      If you can't access the internet with your infected computer, you will have to download any programs on the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device, hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.

      Please go to Jotti's malware scan
      (If more than one file needs to be scanned, they must be done separately and links posted for each one)

      * Copy the file path in the below Code box:

      Code:
      C:\WINNT\system32\internat.exe
      * At the upload site, click once inside the window next to Browse.
      * Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
      * Next click Submit file
      * Your file will possibly be entered into a queue which normally takes less than a minute to clear.
      * This will perform a scan across multiple different virus scanning engines.
      * Important: Wait for all of the scanning engines to complete.
      * Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.
      *****************************************
      Download ComboFix by sUBs from one of the below links. 

      Important! You MUST save ComboFix to your desktop

      link # 1
      Link # 2

      Temporarily disable your Anti-virus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

      Double click on ComboFix.exe & follow the prompts.

      Vista users: right-click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it).

      Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

      When the scan completes it will open a text window.
       
      Post the contents of that log in your next reply.

      Remember to re-enable your Anti-virus and Antispyware protection when ComboFix is complete.
      ***************************************
      Download Security Check by screen317 from one of the following links and save it to your desktop.

      Link 1
      Link 2

      * Unzip SecurityCheck.zip and a folder named Security Check should appear.
      * Open the Security Check folder and double-click Security Check.bat
      * Follow the on-screen instructions inside of the black box.
      * A Notepad document should open automatically called checkup.txt
      * Post the contents of that document in your next reply.

      Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

        SveinR (Topic Starter)

        Re: Help with Sysvxd.exe malware problem (logs included)
        « Reply #3 on: September 19, 2010, 08:45:01 AM »
        Hey SuperDave, thanks for the help, it's much appreciated :)

        Here are the logs:

        Jotti's malware scan:

        http://virusscan.jotti.org/en/scanresult/881307b60f1b30b78bf33ba9032e1ecc0a90038f/c2d701a133ebd31717b37c2de07eb476347064ee


        ------------------


        ComboFix log:

        ComboFix 10-09-17.04 - Svein Rune 19.09.2010  15:48:40.1.1 - x86
        Microsoft Windows 2000 Professional  5.0.2195.4.1252.1.1033.18.256.39 [GMT 2:00]
        Running from: c:\documents and settings\Svein Rune\Desktop\ComboFix.exe
        .

        (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
        .

        c:\winnt\system\msvbvm60.dll
        c:\winnt\system32\msconfig.exe
        c:\winnt\Web\default.htt
        C:\xcrashdump.dat

        Infected copy of c:\winnt\system32\userinit.exe was found and disinfected
        Restored copy from - c:\winnt\ServicePackFiles\i386\userinit.exe

        .
        (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
        .

        -------\Legacy_SVCHOST32


        (((((((((((((((((((((((((   Files Created from 2010-08-19 to 2010-09-19  )))))))))))))))))))))))))))))))
        .

        2010-09-19 14:04 . 2010-09-19 14:04   16384   ----atw-   c:\winnt\system32\Perflib_Perfdata_260.dat
        2010-09-14 20:39 . 2010-09-14 20:39   --------   d-----w-   c:\program files\Trend Micro
        2010-09-13 22:13 . 2010-09-13 22:13   --------   d-----w-   c:\documents and settings\Svein Rune\Application Data\SUPERAntiSpyware.com
        2010-09-13 22:13 . 2010-09-13 22:13   --------   d-----w-   c:\documents and settings\All Users.WINNT\Application Data\SUPERAntiSpyware.com
        2010-09-13 22:12 . 2010-09-13 22:13   --------   d-----w-   c:\program files\SUPERAntiSpyware
        2010-09-12 17:45 . 2010-09-12 17:45   --------   d-----w-   c:\documents and settings\Svein Rune\Application Data\Avira
        2010-09-12 17:11 . 2010-04-01 11:05   122768   ----a-w-   c:\winnt\system32\drivers\avipbb.sys
        2010-09-12 17:11 . 2009-05-11 10:49   64488   ----a-w-   c:\winnt\system32\drivers\avgntdd.sys
        2010-09-12 17:11 . 2009-05-11 10:49   18520   ----a-w-   c:\winnt\system32\drivers\avgntmgr.sys
        2010-09-12 17:11 . 2010-09-12 17:11   --------   d-----w-   c:\program files\Avira
        2010-09-12 17:11 . 2010-09-12 17:11   --------   d-----w-   c:\documents and settings\All Users.WINNT\Application Data\Avira
        2010-09-11 15:33 . 2010-09-11 15:33   --------   d-----w-   c:\program files\CCleaner
        2010-09-05 22:03 . 2010-09-05 22:03   --------   d-----w-   c:\documents and settings\Svein Rune\Application Data\Malwarebytes
        2010-09-05 22:02 . 2010-04-29 13:39   38224   ----a-w-   c:\winnt\system32\drivers\mbamswissarmy.sys
        2010-09-05 22:02 . 2010-09-05 22:02   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
        2010-09-05 22:02 . 2010-09-05 22:02   --------   d-----w-   c:\documents and settings\All Users.WINNT\Application Data\Malwarebytes
        2010-09-05 22:02 . 2010-04-29 13:39   19288   ----a-w-   c:\winnt\system32\drivers\mbam.sys
        1601-01-01 00:00 . 1601-01-01 00:00   0   ----atw-   c:\winnt\system32\Perflib_Perfdata_324.dat

        .
        ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        2010-09-17 22:50 . 2009-07-15 21:00   --------   d-----w-   c:\program files\Opera 10 Beta
        2010-09-17 22:42 . 2010-09-17 22:43   1368443   ----a-w-   c:\documents and settings\All Users.WINNT\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\VALIDATION\aescript.dll
        2010-09-17 22:41 . 2010-09-17 22:43   631156   ----a-w-   c:\documents and settings\All Users.WINNT\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\VALIDATION\aerdl.dll
        2010-09-17 22:41 . 2010-09-17 22:43   471413   ----a-w-   c:\documents and settings\All Users.WINNT\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\VALIDATION\aepack.dll
        2010-09-17 22:41 . 2010-09-17 22:43   2916727   ----a-w-   c:\documents and settings\All Users.WINNT\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\VALIDATION\aeheur.dll
        2010-09-17 22:41 . 2010-09-17 22:43   401780   ----a-w-   c:\documents and settings\All Users.WINNT\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\VALIDATION\aegen.dll
        2010-09-14 20:39 . 2010-09-14 20:39   388096   ----a-r-   c:\documents and settings\Svein Rune\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
        2010-09-14 19:28 . 2004-10-24 04:58   --------   d---a-w-   c:\program files\Java
        2010-09-13 22:17 . 2010-09-13 22:17   63488   ----a-w-   c:\documents and settings\Svein Rune\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
        2010-09-13 22:16 . 2010-09-13 22:16   52224   ----a-w-   c:\documents and settings\Svein Rune\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
        2010-09-13 22:16 . 2010-09-13 22:16   117760   ----a-w-   c:\documents and settings\Svein Rune\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
        2010-09-12 17:39 . 2010-09-17 22:43   254324   ----a-w-   c:\documents and settings\All Users.WINNT\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\VALIDATION\aesbx.dll
        2010-09-12 17:39 . 2010-09-17 22:43   106868   ----a-w-   c:\documents and settings\All Users.WINNT\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\VALIDATION\aevdf.dll
        2010-09-12 17:39 . 2010-09-17 22:43   127347   ----a-w-   c:\documents and settings\All Users.WINNT\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\VALIDATION\aescn.dll
        2010-09-12 17:39 . 2010-09-17 22:43   201081   ----a-w-   c:\documents and settings\All Users.WINNT\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\VALIDATION\aeoffice.dll
        2010-09-12 17:39 . 2010-09-17 22:43   242038   ----a-w-   c:\documents and settings\All Users.WINNT\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\VALIDATION\aehelp.dll
        2010-09-12 17:39 . 2010-09-17 22:43   393588   ----a-w-   c:\documents and settings\All Users.WINNT\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\VALIDATION\aeemu.dll
        2010-09-12 17:39 . 2010-09-17 22:43   192887   ----a-w-   c:\documents and settings\All Users.WINNT\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\VALIDATION\aecore.dll
        2010-09-12 17:39 . 2010-09-17 22:43   53618   ----a-w-   c:\documents and settings\All Users.WINNT\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\VALIDATION\aebb.dll
        2010-09-11 16:29 . 2004-10-24 04:58   --------   d-----w-   c:\program files\Common Files\Java
        2010-09-11 15:57 . 2004-10-27 22:30   --------   d-----w-   c:\program files\DivX
        2010-09-11 15:56 . 2005-03-06 04:59   --------   d-----w-   c:\documents and settings\Svein Rune\Application Data\Lavasoft
        2010-09-11 15:48 . 2009-09-10 23:43   --------   d-----w-   c:\documents and settings\Svein Rune\Application Data\Media Player Classic
        2010-09-05 16:49 . 2004-10-24 06:33   --------   d-----w-   c:\program files\ElastoMania Multi
        2010-09-04 22:59 . 2006-02-15 22:03   --------   d-----w-   c:\program files\ElastoMania Online
        2010-09-03 21:25 . 2007-08-04 01:33   --------   d-----w-   c:\documents and settings\Svein Rune\Application Data\uTorrent
        2010-08-29 18:31 . 2009-11-20 23:33   --------   d-----w-   c:\documents and settings\All Users.WINNT\Application Data\Soulseek
        2010-08-29 17:02 . 2004-10-25 19:32   --------   d-----w-   c:\program files\Soulseek
        2010-08-22 12:13 . 2009-11-04 21:04   --------   d-----w-   c:\documents and settings\Svein Rune\Application Data\vlc
        2010-08-13 19:16 . 2010-08-13 19:16   503808   ----a-w-   c:\documents and settings\Svein Rune\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-26ea5983-n\msvcp71.dll
        2010-08-13 19:16 . 2010-08-13 19:16   499712   ----a-w-   c:\documents and settings\Svein Rune\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-26ea5983-n\jmc.dll
        2010-08-13 19:16 . 2010-08-13 19:16   348160   ----a-w-   c:\documents and settings\Svein Rune\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-26ea5983-n\msvcr71.dll
        2010-08-13 19:16 . 2010-08-13 19:16   61440   ----a-w-   c:\documents and settings\Svein Rune\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-515228b6-n\decora-sse.dll
        2010-08-13 19:16 . 2010-08-13 19:16   12800   ----a-w-   c:\documents and settings\Svein Rune\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-515228b6-n\decora-d3d.dll
        2010-07-17 03:00 . 2010-04-19 21:15   423656   ----a-w-   c:\winnt\system32\deployJava1.dll
        2004-10-24 01:19 . 2004-10-24 01:19   21952   ---h--w-   c:\program files\folder.htt
        2004-03-11 11:27 . 2005-05-25 12:57   40960   ----a-w-   c:\program files\Uninstall_CDS.exe
        .

        ------- Sigcheck -------

        [-] 2002-11-26 17:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [ERROR: 0x0] . . c:\winnt\system32\mspmsnsv.dll

        [-] 2004-07-09 02:27 . 3120F6D2AB10CDF242EDE54052A8BE47 . 1689600 . . [ERROR: 0x0] . . c:\winnt\system32\d3d9.dll

        .
        (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        *Note* empty entries & legit default entries are not shown
        REGEDIT4

        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "internat.exe"="internat.exe" [2001-05-08 20752]

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "Synchronization Manager"="mobsync.exe" [2003-06-19 111376]
        "EnsoniqMixer"="c:\winnt\SYSTEM32\starter.exe" [2001-10-04 32768]
        "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
        "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

        [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
        "internat.exe"="internat.exe" [2001-05-08 20752]

        [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
        "^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 186640]

        c:\documents and settings\Svein Rune\Start Menu\Programs\Startup\
        Rainlendar.lnk - c:\program files\Rainlendar\Rainlendar.exe [2003-10-4 49152]

        c:\documents and settings\All Users.WINNT\Start Menu\Programs\Startup\
        Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
        GConfig.lnk - c:\program files\WLAN\GConfig\GConfig.exe [2004-10-24 409600]
        Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

        [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
        "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
        2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileZilla Server Interface]
        2005-04-26 18:30   851968   ----a-w-   c:\program files\FileZilla Server\FileZilla Server Interface.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
        2004-04-06 17:36   1298542   ------w-   c:\program files\Ahead\InCD\InCD.exe

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
        2001-07-09 09:50   155648   ----a-w-   c:\winnt\system32\NeroCheck.exe

        R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17.02.2010 20:25 12872]
        R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10.05.2010 20:41 67656]
        R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12.09.2010 19:11 135336]
        R3 RT2500PCI;802.11g Wireless LAN PCI;c:\winnt\system32\drivers\RT2500.sys [24.10.2004 03:40 156032]
        R3 S3SAVAGE4;S3SAVAGE4;c:\winnt\system32\drivers\s3savg4m.sys [09.06.2006 19:49 84704]
        R3 Winacpci;Winacpci;c:\winnt\system32\drivers\winacpci.sys [24.10.2004 05:04 602128]
        S3 S3Inc;S3Inc;c:\winnt\system32\drivers\s3sav4m.sys [24.10.2004 05:04 65072]
        .
        .
        ------- Supplementary Scan -------
        .
        uStart Page = about:blank
        LSP: %SystemRoot%\system32\msafd.dll
        DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
        DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
        .
        - - - - ORPHANS REMOVED - - - -

        MSConfigStartUp-RemoteControl - c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe



        **************************************************************************

        catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
        Rootkit scan 2010-09-19 16:07
        Windows 5.0.2195 Service Pack 4 NTFS

        scanning hidden processes ... 

        scanning hidden autostart entries ...

        HKLM\Software\Microsoft\Windows\CurrentVersion\Run
          EnsoniqMixer = c:\winnt\SYSTEM32\starter.exe????^????P????????????????????w?;?w????????v&uq??????????????P??????????????????^?????????????????@??????vq@&qq????4??????w????????????????????????d???#5?w?%uq??????????????????P?????????????? ???????9?w??P????????????????????????

        scanning hidden files ... 

        scan completed successfully
        hidden files: 0

        **************************************************************************
        .
        --------------------- DLLs Loaded Under Running Processes ---------------------

        - - - - - - - > 'winlogon.exe'(196)
        c:\program files\SUPERAntiSpyware\SASWINLO.DLL
        c:\winnt\system32\wzcdlg.dll
        c:\winnt\system32\WZCSAPI.DLL

        - - - - - - - > 'explorer.exe'(1028)
        c:\winnt\system32\SHDOCVW.DLL
        .
        ------------------------ Other Running Processes ------------------------
        .
        c:\program files\Avira\AntiVir Desktop\avguard.exe
        c:\winnt\system32\drivers\CDAC11BA.EXE
        c:\program files\Ahead\InCD\InCDsrv.exe
        c:\program files\Java\jre6\bin\jqs.exe
        c:\winnt\system32\regsvc.exe
        c:\winnt\system32\MSTask.exe
        c:\winnt\System32\WBEM\WinMgmt.exe
        c:\winnt\system32\internat.exe
        .
        **************************************************************************
        .
        Completion time: 2010-09-19  16:20:36 - machine was rebooted
        ComboFix-quarantined-files.txt  2010-09-19 14:20

        Pre-Run: 299 106 304 bytes free
        Post-Run: 344 444 928 bytes free

        - - End Of File - - 42DF7CBC0F9571E4D45B134184323574


        ---------------------------


        SecurityCheck log:

         Results of screen317's Security Check version 0.99.5 
         Windows 2000 Service Pack 4 
         Internet Explorer 6 Out of date!
        ``````````````````````````````
        Antivirus/Firewall Check:

         Avira AntiVir Personal - Free Antivirus
         Avira successfully updated!
        ```````````````````````````````
        Anti-malware/Other Utilities Check:

         Malwarebytes' Anti-Malware   
         CCleaner     
         Java(TM) 6 Update 21 
         Adobe Flash Player 10.0.42.34 
        Adobe Reader 7.0
        Out of date Adobe Reader installed!
        ````````````````````````````````
        Process Check: 
        objlist.exe by Laurent

         Avira Antivir avgnt.exe
         Avira Antivir avguard.exe
        ````````````````````````````````
        DNS Vulnerability Check:

         nslookup.exe missing!
         GREAT! (Not vulnerable to DNS cache poisoning)

        ``````````End of Log````````````


        ----------------------------------------------------------------------------------------


        By the way, your instructions for Security Check by screen317 should probably be updated, as the file downloaded is SecurityCheck.exe, not SecurityCheck.zip. I would also like to add that my browser of choice is Opera (version 10.62 installed), IE is pretty much never used.
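
The ComboFix log above records the one integrity check that actually identified a patched system binary here: "Infected copy of c:\winnt\system32\userinit.exe was found and disinfected. Restored copy from - c:\winnt\ServicePackFiles\i386\userinit.exe". The idea is that the service pack installer leaves a cached copy of each file it installed, so a live system file can be hashed and compared with its cached twin. The script below is an added example written for this page, not ComboFix code; it implements that comparison over a pair of directories and reports which names match, differ, or have no counterpart. The demo builds a throwaway directory pair with constructed file contents rather than reading a real C:\WINNT, and the directory names and file list are parameters the reader supplies.

```python
"""Check live system files against the Service Pack file cache.

Added example for this page; not ComboFix code. Hashes a live file and the
cached copy of the same name and reports the ones that differ. The demo
builds a throwaway directory pair with constructed contents.
"""
import hashlib
import os
import tempfile
from typing import Dict, Iterable


def file_digest(path: str, algo: str = "sha256") -> str:
    """Hex digest of a file, read in chunks so large binaries are fine."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_against_cache(live_dir: str, cache_dir: str,
                          names: Iterable[str]) -> Dict[str, str]:
    """Map each name to 'match', 'MISMATCH', 'missing-live' or 'missing-cache'."""
    report: Dict[str, str] = {}
    for name in names:
        live = os.path.join(live_dir, name)
        cached = os.path.join(cache_dir, name)
        if not os.path.isfile(live):
            report[name] = "missing-live"
        elif not os.path.isfile(cached):
            report[name] = "missing-cache"      # nothing to compare against
        elif file_digest(live) == file_digest(cached):
            report[name] = "match"
        else:
            report[name] = "MISMATCH"           # a lead, not yet a verdict
    return report


def write(path: str, data: bytes) -> None:
    with open(path, "wb") as fh:
        fh.write(data)


def demo() -> Dict[str, str]:
    """Constructed scenario: fake system32 and ServicePackFiles\\i386 trees."""
    with tempfile.TemporaryDirectory() as root:
        live = os.path.join(root, "system32")
        cache = os.path.join(root, "ServicePackFiles", "i386")
        os.makedirs(live)
        os.makedirs(cache)
        clean = b"MZ clean userinit (constructed bytes)"
        write(os.path.join(cache, "userinit.exe"), clean)
        # Live copy carries extra bytes, standing in for a patched binary.
        write(os.path.join(live, "userinit.exe"), clean + b"\x90" * 16)
        for d in (live, cache):
            write(os.path.join(d, "explorer.exe"), b"MZ explorer (constructed)")
        # A file with no cached counterpart, like the dropped sysvxd.exe.
        write(os.path.join(live, "sysvxd.exe"), b"MZ unknown (constructed)")
        return compare_against_cache(
            live, cache, ["userinit.exe", "explorer.exe", "sysvxd.exe", "lsass.exe"])


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:<14} {name}")
```

Two caveats a practitioner would attach to this check. A mismatch is a lead, not a verdict: a hotfix installed after the service pack legitimately replaces the live file while the cache keeps the older one, so the next step is to hash the live file and have it scanned (as the helper does with Jotti above) or check its version resource. And the cache is only as trustworthy as the machine: malware running with administrative rights could have replaced the cached copy too, which is why "match" is reassuring rather than conclusive.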

        SuperDave (Malware Removal Specialist)
        Re: Help with Sysvxd.exe malware problem (logs included)
        « Reply #4 on: September 19, 2010, 06:21:53 PM »
        Security Check by screen317 is probably different because you're running Windows 2000.

        Please download the newest version of Adobe Acrobat Reader from Adobe.com

        Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
        Go to the Control Panel and enter Add or Remove Programs.
        Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

        Once old versions are gone, please install the newest version.
        ***************************************************
        I'd like to scan your machine with ESET OnlineScan

        • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
        ESET OnlineScan
        • Click the button.
        • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
        • Click on to download the ESET Smart Installer. Save it to your desktop.
        • Double click on the icon on your desktop.
        • Check
        • Click the button.
        • Accept any security warnings from your browser.
        • Check
        • Push the Start button.
        • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
        • When the scan completes, push
        • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
        • Push the button.
        • Push
        A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

        Windows 8 and Windows 10 dual boot with two SSD's

        SveinR


          Re: Help with Sysvxd.exe malware problem (logs included)
          « Reply #5 on: September 22, 2010, 02:57:32 AM »
          Alright, I uninstalled my version of Adobe Acrobat Reader. I actually ended up not installing the new version, since it would be far too demanding for this old machine.

          The result from running ESET Online Scan:

          C:\totalsoc2000\soccer.exe   a variant of Win32/Packed.PECrypt32.A application


          And the log file, if needed:

          ESETSmartInstaller@High as downloader log:
          all ok
          # version=7
          # OnlineScannerApp.exe=1.0.0.1
          # OnlineScanner.ocx=1.0.0.6211
          # api_version=3.0.2
          # EOSSerial=c4fe831d9859664ca47d21c372bcbc80
          # end=finished
          # remove_checked=false
          # archives_checked=true
          # unwanted_checked=true
          # unsafe_checked=false
          # antistealth_checked=true
          # utc_time=2010-09-22 12:22:09
          # local_time=2010-09-22 02:22:09 (+0100, Romance Daylight Time)
          # country="Norway"
          # lang=1033
          # osver=5.0.2195 NT Service Pack 4
          # scanned=59585
          # found=1
          # cleaned=0
          # scan_time=5013
          C:\totalsoc2000\soccer.exe   a variant of Win32/Packed.PECrypt32.A application   00000000000000000000000000000000   I

          SveinR


            Re: Help with Sysvxd.exe malware problem (logs included)
            « Reply #6 on: September 22, 2010, 06:55:24 AM »
            Sorry for bumping; I thought I could edit the previous post but didn't find an option to do so.

            I ran the ESET Online Scan again, this time having checked the "remove found threats" option:

            C:\totalsoc2000\soccer.exe   a variant of Win32/Packed.PECrypt32.A application   cleaned by deleting - quarantined


            Log:

            ESETSmartInstaller@High as downloader log:
            all ok
            # version=7
            # OnlineScannerApp.exe=1.0.0.1
            # OnlineScanner.ocx=1.0.0.6211
            # api_version=3.0.2
            # EOSSerial=c4fe831d9859664ca47d21c372bcbc80
            # end=finished
            # remove_checked=true
            # archives_checked=true
            # unwanted_checked=true
            # unsafe_checked=false
            # antistealth_checked=true
            # utc_time=2010-09-22 12:11:37
            # local_time=2010-09-22 02:11:37 (+0100, Romance Daylight Time)
            # country="Norway"
            # lang=1033
            # osver=5.0.2195 NT Service Pack 4
            # scanned=59555
            # found=1
            # cleaned=1
            # scan_time=4939
            C:\totalsoc2000\soccer.exe   a variant of Win32/Packed.PECrypt32.A application (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
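The two ESET Online Scanner logs above differ only in the `remove_checked`/`cleaned` header fields and in the trailing status letter of the detection line. The following is an added example (not code from the thread, from ESET, or from the forum's helpers) that parses this log layout and cross-checks the header counts against the detection lines, so a reader triaging such a log can see at a glance what was found, what was actually remediated, and whether the hash column is usable. It assumes that fields on a detection line are separated by runs of two or more spaces, that the 32-hex column is a file hash, and that a trailing `C` marks a cleaned entry; the sample logs are constructed from the lines posted in this thread.

```python
import re
from dataclasses import dataclass

# Constructed samples: the two ESET Online Scanner logs posted in this thread,
# trimmed to the lines the parser uses. Paths and detection names are as posted.
LOG_BEFORE = r"""ESETSmartInstaller@High as downloader log:
all ok
# version=7
# remove_checked=false
# scanned=59585
# found=1
# cleaned=0
# scan_time=5013
C:\totalsoc2000\soccer.exe   a variant of Win32/Packed.PECrypt32.A application   00000000000000000000000000000000   I
"""

LOG_AFTER = r"""ESETSmartInstaller@High as downloader log:
all ok
# version=7
# remove_checked=true
# scanned=59555
# found=1
# cleaned=1
# scan_time=4939
C:\totalsoc2000\soccer.exe   a variant of Win32/Packed.PECrypt32.A application (cleaned by deleting - quarantined)   00000000000000000000000000000000   C
"""

# Assumed layout of a detection line: path, detection text, 32-hex hash, status letter,
# with fields separated by two or more spaces (the posted logs use three).
FINDING_RE = re.compile(
    r"^(?P<path>.+?)\s{2,}(?P<detection>.+?)\s{2,}(?P<file_hash>[0-9a-fA-F]{32})\s+(?P<flag>[A-Z])$"
)


@dataclass
class Finding:
    path: str
    detection: str
    file_hash: str
    flag: str

    def cleaned(self) -> bool:
        # Assumption: 'C' marks a cleaned entry; the detection text also says so explicitly.
        return self.flag == "C" or "cleaned" in self.detection.lower()

    def has_usable_hash(self) -> bool:
        # An all-zero hash (as in both posted logs) cannot be looked up anywhere.
        return set(self.file_hash) != {"0"}


def parse_eset_log(text: str):
    """Split a log into its '# key=value' header and its detection lines."""
    header, findings = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# ") and "=" in line:
            key, value = line[2:].split("=", 1)
            header[key] = value
            continue
        match = FINDING_RE.match(line)
        if match:
            findings.append(Finding(**match.groupdict()))
    return header, findings


def summarize(text: str) -> dict:
    """Triage summary: counts, consistency check, unremediated paths, hashless entries."""
    header, findings = parse_eset_log(text)
    found = int(header.get("found", "0"))
    cleaned = int(header.get("cleaned", "0"))
    cleaned_lines = sum(1 for f in findings if f.cleaned())
    return {
        "remove_checked": header.get("remove_checked") == "true",
        "found": found,
        "cleaned": cleaned,
        "findings": [(f.path, f.detection, f.flag) for f in findings],
        # Header counts should agree with what the detection lines say.
        "counts_consistent": found == len(findings) and cleaned == cleaned_lines,
        "unremediated": [f.path for f in findings if not f.cleaned()],
        "hashless": [f.path for f in findings if not f.has_usable_hash()],
    }


if __name__ == "__main__":
    for label, log in (("before", LOG_BEFORE), ("after", LOG_AFTER)):
        print(label, summarize(log))
```

On the first log the summary lists `C:\totalsoc2000\soccer.exe` as unremediated and confirms that `found=1`/`cleaned=0` agree with the single `I` line; on the second it reports nothing unremediated. Both logs carry an all-zero hash, so the detection name is the only thing a defender can pivot on.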

            SuperDave

            Re: Help with Sysvxd.exe malware problem (logs included)
            « Reply #7 on: September 22, 2010, 04:33:37 PM »
            That looks good. If there are no other issues, it's time for some cleanup. You can uninstall HJT but you may keep SAS and MBAM, if you wish. Update them and run them on a regular basis to keep your computer clean.

            * Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
            * Now type Combofix /uninstall in the run box
            * Make sure there's a space between Combofix and /Uninstall
            * Then hit Enter

            * The above procedure will:
            * Delete the following:
            * ComboFix and its associated files and folders.
            * Reset the clock settings.
            * Hide file extensions, if required.
            * Hide System/Hidden files, if required.
            * Set a new, clean Restore Point.

            ********************************

            Clean out your temporary internet files and temp files.

            Download TFC by OldTimer to your desktop.

            Double-click TFC.exe to run it.

            Note: If you are running on Vista, right-click on the file and choose Run As Administrator

            TFC will close all programs when run, so make sure you have saved all your work before you begin.

            * Click the Start button to begin the cleaning process.
            * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
            * Please let TFC run uninterrupted until it is finished.

            Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

            **********************************
            Looking over your log it seems you don't have any evidence of a third party firewall.

            Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.

            Remember only install ONE firewall

            1) Comodo Personal Firewall (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" and uncheck any HopSurf and/or Ask.com options if you choose this one)
            2) Online Armor
            3) Agnitum Outpost
            4) PC Tools Firewall Plus

            If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
            ************************************
            Use the Secunia Software Inspector to check for out of date software.

            •Click Start Now

            •Check the box next to Enable thorough system inspection.

            •Click Start

            •Allow the scan to finish and scroll down to see if any updates are needed.
            •Update anything listed.
            ----------

            Go to Microsoft Windows Update and get all critical updates.

            ----------

            I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

            SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
            * Using SpywareBlaster to protect your computer from Spyware and Malware
            * If you don't know what ActiveX controls are, see here

            Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

            Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

            Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
            Safe Surfing!

            SveinR


              Re: Help with Sysvxd.exe malware problem (logs included)
              « Reply #8 on: September 23, 2010, 05:14:02 PM »
              Thank you, I appreciate it. I'll make sure to run through these final steps. Which of those firewall programs would you say is the most light-weight, as that is a crucial issue on this computer?

              There is one more issue though, but it's probably not malware related so I shouldn't really bother you with it. With Avira AntiVir Guard enabled, the computer hangs when right-clicking a file (whether on the desktop or in Windows Explorer); it also hangs when trying to delete a file. The only way to restore the computer seems to be to reboot it. There's no problem, however, with simply right-clicking on the desktop itself. I found that the problem often disappears when disabling the guard (but sadly not always), and also does not appear again upon re-enabling the guard. I guess this might be too random a problem to troubleshoot.

              SuperDave

              Re: Help with Sysvxd.exe malware problem (logs included)
              « Reply #9 on: September 24, 2010, 05:53:18 PM »
              Quote
              Which of those firewall programs would you say is the most light-weight, as that is a crucial issue on this computer?
              You can visit each site and pick the one that is lightest. They are all very good but they can be frustrating to work with until the firewall learns your routine, then you hardly know it's there.

              Quote
              With Avira Antivir Guard enabled, the computer hangs when right-clicking a file (whether in the desktop or in windows explorer)
              If this is freeware, I would advise dumping Avira altogether and installing Microsoft Security Essentials.
              Microsoft Security Essentials for Windows Vista\Windows 7 - 64 bit Download
              Microsoft Security Essentials for Windows XP