Author Topic: All my .dat files show type "Video cd Movie"  (Read 916 times)

Offline nania

  • Newbie
  • Posts: 4
  • Karma: +0/-0
All my .dat files show type "Video cd Movie"
« on: January 10, 2008, 06:16:15 AM »
I am running a small test network with the following three boxes:
PPC 7100/80 136MB with Yellow Dog Pomona (broken by last Gnome update)
Dual P3-500 1024MB with W2K3sp2 IE7 5730.13 and no additional security updates (control box)
NF2 Barton-2500 1024MB with W2K3sp2 IE7 5730.13 and no additional security updates (afflicted box)
I afflicted the Barton with an "h-bomb" (multiple virus, worms, trojans and adware) installation as root on the NF2. I then waited 180 seconds and forced a shutdown on it. The file was allegedly a Newsbin Pro crack in a .rar archive but we knew better :) I then opened a read only share on the Dual-P3 only for registered users and rebooted the Barton. Immediately, the network started flowing packets and the outerinfo malware started the popups. I removed the outerinfo malware and some of the easier catches with SmitfraudFix but the network was still active so I tried shutting down. The response became veeeerrrrrrrry slow and after about 5 minutes of watching a dark monitor I shut off the power (soft switch). I checked the latest modification dates on the Dual-P3 and it appeared unaffected. I rebooted into safe mode on the Barton and ran the latest VundoFix. Lots of stuff came out and HiJackThis gave a nice short list with only a few problematic files:
exm.exe
superfindout.exe
wmsyspr9.pxy
swg.dll/sl.exe
and a few other Trojan variants.
I thought this would be a good test of the Dual-P3 resistance on the private LAN so I restarted the Barton in safe mode with networking but didn't log on to the share. As before the packets started flowing so I tried to shutdown the Barton and once again the response became veeeerrrry slow. The one notable difference was that the network traffic seemed to stop, so I went home and left the machines running till morning. When I returned the following day, I discovered the wmsyspr9.prx file on the Dual-P3! I immediately tried to shutdown the Barton and again, the shutdown needed to be forced. I restarted the Barton in safe mode, did checkdisk on all the volumes (some required reboot) and went about removing the remaining files noted above. I also checked the Dual-P3 for infection and found nothing. I deleted the wmsyspr9.prx from the Dual-P3. I returned to the Barton, ran ComboFix and carefully removed the related keys from the registry. I then rebooted into safe mode and ran the programs again to double check. All seemed well so I rebooted the Barton normally. Things looked pretty quiet but definitely a little sluggish so I opened explorer and got the -1073741819 shutdown error message. I set my calendar back one year and moved the offensive message into a corner. I checked the processes and CPU usage in task manager and noted brief applications would appear and disappear before I could read what they were. I also noted that the CPU usage would spike the minute I went to any other task tab beside monitoring the cycles. I couldn't open a process and the search tools were either unresponsive or returning false information. I searched for files that I knew were there and was rudely told they weren't. Interesting. Okay, I changed the date back on the clock and let the machine shut down. The OS informed me it was saving my changes for quite a while. The only thing I remember changing was the clock and even that went back to where it was before I changed it (+/- one year).
I rebooted the Barton in safe mode and that is where it is currently being observed. I'm writing this post from the Dual-P3 and I've just noted that all my .dat files have the "video cd movie" file type. I'm a little over my head here and would like some guidance. I want to thoroughly check the Dual-P3 with some hand holding so that I may understand what caused the file type change. The box seems to be working normally for now but I'd like more assurance :)

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
All my .dat files show type "Video cd Movie"
« Reply #1 on: January 11, 2008, 07:01:52 PM »
I scoured through your input.
Without seeing the actual Hijackthis logs, I'm unsure how to help.
Are you just needing confirmation of what you did?
This doesn't make sense???

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline nania

  • Newbie
  • Posts: 4
  • Karma: +0/-0
All my .dat files show type "Video cd Movie"
« Reply #2 on: January 12, 2008, 09:27:53 AM »
Thanks for looking over my introduction. Here is the latest HJT log on the Barton:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:53:36 AM, on 1/12/2007
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
Boot mode: Safe mode with network support

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\dmadmin.exe
D:\WINDOWS\Explorer.EXE
D:\Documents and Settings\Administrator.TEMP-7KNDXUB9ET\Desktop\HiJackThis_v2.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [EPoXUSDM] "C:\Program files\EPoX\USDM\USDM.EXE" "5000"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ShutdownEventCheck] %systemroot%\system32\dumprep 0 -s
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O15 - ESC Trusted Zone: http://www.0spam.com
O15 - ESC Trusted Zone: http://forums.######.com
O15 - ESC Trusted Zone: http://www.andale.com
O15 - ESC Trusted Zone: http://www.download.com
O15 - ESC Trusted Zone: http://www.dsldepot.com
O15 - ESC Trusted Zone: http://support.gateway.com
O15 - ESC Trusted Zone: http://search.irs.gov
O15 - ESC Trusted Zone: http://www.irs.gov
O15 - ESC Trusted Zone: http://www.learnflash.com
O15 - ESC Trusted Zone: http://www.learnoffice2003.com
O15 - ESC Trusted Zone: http://www.learnsqlserver.com
O15 - ESC Trusted Zone: http://www.learnwebdevelopment.com
O15 - ESC Trusted Zone: http://www.learnwindowsserver.com
O15 - ESC Trusted Zone: http://mail01.mail.com
O15 - ESC Trusted Zone: http://auto.search.msn.com
O15 - ESC Trusted Zone: http://by101fd.bay101.Email Removed.msn.com
O15 - ESC Trusted Zone: http://by24fd.bay24.Email Removed.msn.com
O15 - ESC Trusted Zone: http://by2fd.bay2.Email Removed.msn.com
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://webmailb.netzero.net
O15 - ESC Trusted Zone: http://loginnet.passport.com
O15 - ESC Trusted Zone: http://login.passport.net
O15 - ESC Trusted Zone: http://www.tax.state.ny.us
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://www.zinncycles.com
O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O15 - ESC Trusted IP range: 192.168.0.1
O15 - ESC Trusted IP range: http://192.168.1.1
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\system32\browseui.dll
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 4170 bytes

I've made some progress but CWShredder informed me that I had a Coolweb variant and started with a random text. I also have rootcheck and other logs in the event you want to take this on.

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
All my .dat files show type "Video cd Movie"
« Reply #3 on: January 12, 2008, 09:32:52 AM »
I would like to see a new Hijackthis log.
But first, download the latest version of Hijackthis from my signature below

Then run Hijackthis 2.0.2 in Normal Windows, not in Safe mode, and post the fresh log.
« Last Edit: January 12, 2008, 09:33:07 AM by guestolo »


Offline nania

  • Newbie
  • Posts: 4
  • Karma: +0/-0
All my .dat files show type "Video cd Movie"
« Reply #4 on: January 12, 2008, 06:22:13 PM »
No can do. Windows Explorer is inoperable when I boot the network. Why does the version you linked me to claim to be v1?

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
All my .dat files show type "Video cd Movie"
« Reply #5 on: January 12, 2008, 06:25:50 PM »
Quote
Why does the version you linked me to claim to be v1?

I just downloaded from my signature; upon install it claims 2.0.2.
Not sure where you get v1 from?

Can you try the following
Download Deckard's System Scanner (dss.exe) to your desktop.
Close all applications and windows.
Double-click on dss.exe to run it and follow the prompts.
When the scan is complete, two text files will open; main.txt, which will be maximized and extra.txt, which will be minimized.

Post back just the whole contents of main.txt.

Also include extra.txt

If you need more than one reply to post both logs, please do so


Offline nania

  • Newbie
  • Posts: 4
  • Karma: +0/-0
All my .dat files show type "Video cd Movie"
« Reply #6 on: January 12, 2008, 09:26:17 PM »
It's probably just the installer version that is v1. I just ran combofix and will try the network again. I will disable the WAN so as to stop downloads and alternative data streams and try again.

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
All my .dat files show type "Video cd Movie"
« Reply #7 on: January 12, 2008, 10:32:05 PM »
What about the logs from Deckard's system scanner?
Are you going to post them?

If you do run combofix, post its log also.

Do you really need a hand or are you just keeping us informed of the fixes you are doing?