Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Homepage Hijack


  • This topic is locked This topic is locked
31 replies to this topic

#1 tbibb

tbibb

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:06:56 PM

Posted 24 June 2009 - 09:23 AM

Few weeks ago my parents told me their computer was set to a chinese website (www.dyroom.cn, which then leads them to baidu.com). I tried setting their homepage to google in tools -> options, but every time they reboot it sets it back to dyroom.cn.

Adaware, Spybot, malwarebytes have been tried unsuccessfully.

Help is much appreciated.

dds.txt:
DDS (Ver_09-05-14.01) - NTFSx86
Run by Administrator at 9:19:31.73 on Wed 06/24/2009
Internet Explorer: 6.0.2800.1106
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.1023.664 [GMT -5:00]


============== Running Processes ===============

C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\ATKKBService.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINNT\System32\WBEM\unsecapp.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINNT\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINNT\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://dyroom.cn/
mLocal Page = c:\windows\system32\blank.htm
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\system32\browseui.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [WrtMon.exe] c:\winnt\system32\spool\drivers\w32x86\3\WrtMon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {0000000A-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/8/B/E/8BE028EC-F134-4AA0-84AB-64F76D6B9842/wmsp9dmo.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153420015171
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [2009-6-22 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1003344]
R3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [1999-12-7 24784]

=============== Created Last 30 ================

2009-06-24 09:14 16,384 a------t c:\winnt\system32\Perflib_Perfdata_6d4.dat
2009-06-24 09:14 16,384 a------t c:\winnt\system32\Perflib_Perfdata_318.dat
2009-06-24 09:14 16,384 a------t c:\winnt\system32\Perflib_Perfdata_5a4.dat
2009-06-23 07:35 16,384 a------t c:\winnt\system32\Perflib_Perfdata_704.dat
2009-06-23 07:34 16,384 a------t c:\winnt\system32\Perflib_Perfdata_4c4.dat
2009-06-23 07:34 16,384 a------t c:\winnt\system32\Perflib_Perfdata_330.dat
2009-06-23 07:33 16,384 a------t c:\winnt\system32\Perflib_Perfdata_238.dat
2009-06-22 17:50 15,688 a------- c:\winnt\system32\lsdelete.exe
2009-06-22 17:22 64,160 a------- c:\winnt\system32\drivers\Lbd.sys
2009-06-22 17:19 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-22 17:19 <DIR> --d----- c:\program files\Lavasoft
2009-06-22 17:19 <DIR> --d----- c:\winnt\winsxs
2009-06-20 07:36 16,384 a------t c:\winnt\system32\Perflib_Perfdata_654.dat
2009-06-20 07:36 16,384 a------t c:\winnt\system32\Perflib_Perfdata_588.dat
2009-06-19 07:33 16,384 a------t c:\winnt\system32\Perflib_Perfdata_618.dat
2009-06-17 11:30 16,384 a------t c:\winnt\system32\Perflib_Perfdata_4ac.dat
2009-06-17 11:30 16,384 a------t c:\winnt\system32\Perflib_Perfdata_5a8.dat
2009-06-16 09:58 16,384 a------t c:\winnt\system32\Perflib_Perfdata_520.dat
2009-06-12 09:08 16,384 a------t c:\winnt\system32\Perflib_Perfdata_2e8.dat
2009-06-08 15:11 466,112 ----h--- c:\winnt\ShellIconCache
2009-06-07 01:52 2,272 a------- c:\winnt\system32\tmp.reg
2009-06-07 01:24 <DIR> --d----- c:\program files\Sun
2009-06-07 01:24 410,984 a------- c:\winnt\system32\deploytk.dll
2009-06-07 01:24 73,728 a------- c:\winnt\system32\javacpl.cpl
2009-06-07 01:18 16,384 a------t c:\winnt\system32\Perflib_Perfdata_678.dat
2009-06-07 01:17 16,384 a------t c:\winnt\system32\Perflib_Perfdata_500.dat
2009-06-07 01:11 <DIR> --d----- c:\documents and settings\administrator\.SunDownloadManager
2009-06-07 01:03 <DIR> --d----- c:\program files\Trend Micro
2009-06-07 00:30 16,384 a------t c:\winnt\system32\Perflib_Perfdata_5a0.dat
2009-06-06 23:51 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-06-06 23:51 38,160 a------- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-06-06 23:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-06 23:51 18,456 a------- c:\winnt\system32\drivers\mbam.sys
2009-06-06 23:51 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-06 23:42 <DIR> --d----- c:\docume~1\admini~1\applic~1\Safer Networking
2009-06-06 23:42 <DIR> --d----- c:\program files\Safer Networking
2009-05-31 21:43 16,384 a------t c:\winnt\system32\Perflib_Perfdata_578.dat
2009-05-31 21:30 16,384 a------t c:\winnt\system32\Perflib_Perfdata_584.dat
2009-05-31 21:14 16,384 a------t c:\winnt\system32\Perflib_Perfdata_7fc.dat
2009-05-31 15:26 16,384 a------t c:\winnt\system32\Perflib_Perfdata_424.dat
2009-05-30 15:30 16,384 a------t c:\winnt\system32\Perflib_Perfdata_374.dat
2009-05-30 15:28 16,384 a------t c:\winnt\system32\Perflib_Perfdata_670.dat
2009-05-30 15:25 16,384 a------t c:\winnt\system32\Perflib_Perfdata_484.dat
2009-05-30 15:25 16,384 a------t c:\winnt\system32\Perflib_Perfdata_590.dat
2009-05-30 14:55 16,384 a------t c:\winnt\system32\Perflib_Perfdata_600.dat
2009-05-30 14:55 16,384 a------t c:\winnt\system32\Perflib_Perfdata_574.dat
2009-05-30 14:12 16,384 a------t c:\winnt\system32\Perflib_Perfdata_58c.dat
2009-05-30 13:20 16,384 a------t c:\winnt\system32\Perflib_Perfdata_728.dat
2009-05-30 12:46 16,384 a------t c:\winnt\system32\Perflib_Perfdata_64c.dat
2009-05-30 12:42 16,384 a------t c:\winnt\system32\Perflib_Perfdata_8d8.dat
2009-05-30 09:24 16,384 a------t c:\winnt\system32\Perflib_Perfdata_554.dat
2009-05-30 09:24 16,384 a------t c:\winnt\system32\Perflib_Perfdata_2a4.dat
2009-05-27 08:30 16,384 a------t c:\winnt\system32\Perflib_Perfdata_57c.dat
2009-05-25 16:55 16,384 a------t c:\winnt\system32\Perflib_Perfdata_534.dat

==================== Find3M ====================

2009-06-02 11:17 75,776 a------- c:\winnt\system32\WS2Fix.exe
2009-05-23 16:41 16,384 a------t c:\winnt\system32\Perflib_Perfdata_570.dat
2009-05-23 16:29 16,384 a------t c:\winnt\system32\Perflib_Perfdata_308.dat
2009-05-23 16:22 16,384 a------t c:\winnt\system32\Perflib_Perfdata_644.dat
2009-05-23 16:22 16,384 a------t c:\winnt\system32\Perflib_Perfdata_5b8.dat
2009-05-23 16:17 16,384 a------t c:\winnt\system32\Perflib_Perfdata_660.dat
2009-05-23 13:53 16,384 a------t c:\winnt\system32\Perflib_Perfdata_630.dat
2009-05-23 13:53 16,384 a------t c:\winnt\system32\Perflib_Perfdata_50c.dat
2009-05-23 10:44 16,384 a------t c:\winnt\system32\Perflib_Perfdata_650.dat
2009-05-14 09:08 16,384 a------t c:\winnt\system32\Perflib_Perfdata_524.dat
2009-05-09 09:41 16,384 a------t c:\winnt\system32\Perflib_Perfdata_65c.dat
2009-05-07 01:41 263,440 a------- c:\winnt\system32\LOCALSPL.DLL
2009-04-24 04:54 95,504 a------- c:\winnt\system32\WIN32SPL.DLL
2009-04-22 08:38 437,008 a------- c:\winnt\system32\rpcrt4.dll
2009-04-21 15:15 576,512 a------- c:\winnt\system32\WININET.DLL
2009-04-17 00:04 1,645,072 a------- c:\winnt\system32\WIN32K.SYS
2006-07-29 17:57 12,888 a------- c:\docume~1\admini~1\applic~1\GDIPFONTCACHEV1.DAT
2006-07-20 05:16 21,952 ----h--- c:\program files\folder.htt
2006-07-20 05:16 271 ----h--- c:\program files\desktop.ini
1999-12-07 07:00 32,528 a------- c:\winnt\inf\wbfirdma.sys

============= FINISH: 9:19:47.34 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 31,661 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:01:56 AM

Posted 28 June 2009 - 02:40 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

regards _temp_


If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM!
Please don't send help request via PM, unless I am already helping you. Use the forums!


sig3.png

Follow BleepingComputer on: Facebook | Twitter | Google+

#3 tbibb

tbibb
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:06:56 PM

Posted 30 June 2009 - 05:12 AM

Nothing has changed with the machine.

#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 31,661 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:01:56 AM

Posted 30 June 2009 - 06:16 AM

Hi,

please post a new DDS log anyway. :thumbup2:

The reason for is, that it has been 5 days since you posted your log. 5 days are a long time and the infection could have made big changes on your PC.
A helper will need to know what changed (or if nothing changed) since you first posted your log and therefore needs a new up to date log in order to efficiently help you.

regards _temp_


If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM!
Please don't send help request via PM, unless I am already helping you. Use the forums!


sig3.png

Follow BleepingComputer on: Facebook | Twitter | Google+

#5 tbibb

tbibb
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:06:56 PM

Posted 01 July 2009 - 07:59 PM

As requested:


DDS (Ver_09-05-14.01) - NTFSx86
Run by Administrator at 20:00:17.42 on Wed 07/01/2009
Internet Explorer: 6.0.2800.1106
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.1023.613 [GMT -5:00]


============== Running Processes ===============

C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\ATKKBService.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINNT\System32\WBEM\unsecapp.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINNT\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\Administrator\Desktop\Virus\dds.scr

============== Pseudo HJT Report ===============

uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://dyroom.cn/
mLocal Page = c:\windows\system32\blank.htm
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\system32\browseui.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [WrtMon.exe] c:\winnt\system32\spool\drivers\w32x86\3\WrtMon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {0000000A-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/8/B/E/8BE028EC-F134-4AA0-84AB-64F76D6B9842/wmsp9dmo.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153420015171
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [2009-6-22 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1003344]
R3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [1999-12-7 24784]

=============== Created Last 30 ================

2009-07-01 20:00 16,384 a------t c:\winnt\system32\Perflib_Perfdata_6b8.dat
2009-07-01 19:58 16,384 a------t c:\winnt\system32\Perflib_Perfdata_23c.dat
2009-06-29 12:42 16,384 a------t c:\winnt\system32\Perflib_Perfdata_6a0.dat
2009-06-29 08:44 16,384 a------t c:\winnt\system32\Perflib_Perfdata_6bc.dat
2009-06-29 08:44 16,384 a------t c:\winnt\system32\Perflib_Perfdata_320.dat
2009-06-28 08:36 16,384 a------t c:\winnt\system32\Perflib_Perfdata_694.dat
2009-06-28 08:36 16,384 a------t c:\winnt\system32\Perflib_Perfdata_5c8.dat
2009-06-28 08:36 16,384 a------t c:\winnt\system32\Perflib_Perfdata_31c.dat
2009-06-28 08:35 16,384 a------t c:\winnt\system32\Perflib_Perfdata_240.dat
2009-06-28 08:26 16,384 a------t c:\winnt\system32\Perflib_Perfdata_6ac.dat
2009-06-28 08:26 16,384 a------t c:\winnt\system32\Perflib_Perfdata_608.dat
2009-06-28 07:45 16,384 a------t c:\winnt\system32\Perflib_Perfdata_700.dat
2009-06-28 07:44 16,384 a------t c:\winnt\system32\Perflib_Perfdata_4f4.dat
2009-06-27 07:40 16,384 a------t c:\winnt\system32\Perflib_Perfdata_6d8.dat
2009-06-27 07:40 16,384 a------t c:\winnt\system32\Perflib_Perfdata_4dc.dat
2009-06-26 09:59 16,384 a------t c:\winnt\system32\Perflib_Perfdata_754.dat
2009-06-26 07:52 16,384 a------t c:\winnt\system32\Perflib_Perfdata_6b4.dat
2009-06-26 07:43 16,384 a------t c:\winnt\system32\Perflib_Perfdata_5b4.dat
2009-06-25 12:08 16,384 a------t c:\winnt\system32\Perflib_Perfdata_4c0.dat
2009-06-25 12:08 16,384 a------t c:\winnt\system32\Perflib_Perfdata_61c.dat
2009-06-25 12:08 16,384 a------t c:\winnt\system32\Perflib_Perfdata_318.dat
2009-06-25 11:57 16,384 a------t c:\winnt\system32\Perflib_Perfdata_5d8.dat
2009-06-25 11:56 16,384 a------t c:\winnt\system32\Perflib_Perfdata_328.dat
2009-06-25 08:32 16,384 a------t c:\winnt\system32\Perflib_Perfdata_1c8.dat
2009-06-25 08:17 16,384 a------t c:\winnt\system32\Perflib_Perfdata_5e0.dat
2009-06-25 07:23 16,384 a------t c:\winnt\system32\Perflib_Perfdata_6cc.dat
2009-06-25 07:23 16,384 a------t c:\winnt\system32\Perflib_Perfdata_4d4.dat
2009-06-25 07:23 16,384 a------t c:\winnt\system32\Perflib_Perfdata_334.dat
2009-06-24 12:59 16,384 a------t c:\winnt\system32\Perflib_Perfdata_6c8.dat
2009-06-24 12:59 16,384 a------t c:\winnt\system32\Perflib_Perfdata_628.dat
2009-06-24 12:58 16,384 a------t c:\winnt\system32\Perflib_Perfdata_234.dat
2009-06-24 10:30 16,384 a------t c:\winnt\system32\Perflib_Perfdata_720.dat
2009-06-24 10:29 16,384 a------t c:\winnt\system32\Perflib_Perfdata_5fc.dat
2009-06-23 07:35 16,384 a------t c:\winnt\system32\Perflib_Perfdata_704.dat
2009-06-23 07:34 16,384 a------t c:\winnt\system32\Perflib_Perfdata_330.dat
2009-06-22 17:50 15,688 a------- c:\winnt\system32\lsdelete.exe
2009-06-22 17:22 64,160 a------- c:\winnt\system32\drivers\Lbd.sys
2009-06-22 17:19 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-22 17:19 <DIR> --d----- c:\program files\Lavasoft
2009-06-22 17:19 <DIR> --d----- c:\winnt\winsxs
2009-06-20 07:36 16,384 a------t c:\winnt\system32\Perflib_Perfdata_654.dat
2009-06-20 07:36 16,384 a------t c:\winnt\system32\Perflib_Perfdata_588.dat
2009-06-19 07:33 16,384 a------t c:\winnt\system32\Perflib_Perfdata_618.dat
2009-06-17 11:30 16,384 a------t c:\winnt\system32\Perflib_Perfdata_5a8.dat
2009-06-16 09:58 16,384 a------t c:\winnt\system32\Perflib_Perfdata_520.dat
2009-06-12 09:08 16,384 a------t c:\winnt\system32\Perflib_Perfdata_2e8.dat
2009-06-08 15:11 465,842 ----h--- c:\winnt\ShellIconCache
2009-06-07 01:52 2,272 a------- c:\winnt\system32\tmp.reg
2009-06-07 01:24 <DIR> --d----- c:\program files\Sun
2009-06-07 01:24 410,984 a------- c:\winnt\system32\deploytk.dll
2009-06-07 01:24 73,728 a------- c:\winnt\system32\javacpl.cpl
2009-06-07 01:18 16,384 a------t c:\winnt\system32\Perflib_Perfdata_678.dat
2009-06-07 01:17 16,384 a------t c:\winnt\system32\Perflib_Perfdata_500.dat
2009-06-07 01:11 <DIR> --d----- c:\documents and settings\administrator\.SunDownloadManager
2009-06-07 01:03 <DIR> --d----- c:\program files\Trend Micro
2009-06-07 00:30 16,384 a------t c:\winnt\system32\Perflib_Perfdata_5a0.dat
2009-06-06 23:51 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-06-06 23:51 38,160 a------- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-06-06 23:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-06 23:51 18,456 a------- c:\winnt\system32\drivers\mbam.sys
2009-06-06 23:51 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-06 23:42 <DIR> --d----- c:\docume~1\admini~1\applic~1\Safer Networking
2009-06-06 23:42 <DIR> --d----- c:\program files\Safer Networking

==================== Find3M ====================

2009-06-02 11:17 75,776 a------- c:\winnt\system32\WS2Fix.exe
2009-05-31 21:43 16,384 a------t c:\winnt\system32\Perflib_Perfdata_578.dat
2009-05-31 21:30 16,384 a------t c:\winnt\system32\Perflib_Perfdata_584.dat
2009-05-31 21:14 16,384 a------t c:\winnt\system32\Perflib_Perfdata_7fc.dat
2009-05-31 15:26 16,384 a------t c:\winnt\system32\Perflib_Perfdata_424.dat
2009-05-30 15:30 16,384 a------t c:\winnt\system32\Perflib_Perfdata_374.dat
2009-05-30 15:28 16,384 a------t c:\winnt\system32\Perflib_Perfdata_670.dat
2009-05-30 15:25 16,384 a------t c:\winnt\system32\Perflib_Perfdata_484.dat
2009-05-30 15:25 16,384 a------t c:\winnt\system32\Perflib_Perfdata_590.dat
2009-05-30 14:55 16,384 a------t c:\winnt\system32\Perflib_Perfdata_600.dat
2009-05-30 14:55 16,384 a------t c:\winnt\system32\Perflib_Perfdata_574.dat
2009-05-30 14:12 16,384 a------t c:\winnt\system32\Perflib_Perfdata_58c.dat
2009-05-30 13:20 16,384 a------t c:\winnt\system32\Perflib_Perfdata_728.dat
2009-05-30 12:46 16,384 a------t c:\winnt\system32\Perflib_Perfdata_64c.dat
2009-05-30 12:42 16,384 a------t c:\winnt\system32\Perflib_Perfdata_8d8.dat
2009-05-30 09:24 16,384 a------t c:\winnt\system32\Perflib_Perfdata_554.dat
2009-05-30 09:24 16,384 a------t c:\winnt\system32\Perflib_Perfdata_2a4.dat
2009-05-27 08:30 16,384 a------t c:\winnt\system32\Perflib_Perfdata_57c.dat
2009-05-25 16:55 16,384 a------t c:\winnt\system32\Perflib_Perfdata_534.dat
2009-05-23 16:41 16,384 a------t c:\winnt\system32\Perflib_Perfdata_570.dat
2009-05-23 16:29 16,384 a------t c:\winnt\system32\Perflib_Perfdata_308.dat
2009-05-23 16:22 16,384 a------t c:\winnt\system32\Perflib_Perfdata_644.dat
2009-05-23 16:22 16,384 a------t c:\winnt\system32\Perflib_Perfdata_5b8.dat
2009-05-23 16:17 16,384 a------t c:\winnt\system32\Perflib_Perfdata_660.dat
2009-05-23 13:53 16,384 a------t c:\winnt\system32\Perflib_Perfdata_630.dat
2009-05-23 10:44 16,384 a------t c:\winnt\system32\Perflib_Perfdata_650.dat
2009-05-14 09:08 16,384 a------t c:\winnt\system32\Perflib_Perfdata_524.dat
2009-05-09 09:41 16,384 a------t c:\winnt\system32\Perflib_Perfdata_65c.dat
2009-05-07 01:41 263,440 a------- c:\winnt\system32\LOCALSPL.DLL
2009-04-24 04:54 95,504 a------- c:\winnt\system32\WIN32SPL.DLL
2009-04-22 08:38 437,008 a------- c:\winnt\system32\rpcrt4.dll
2009-04-21 15:15 576,512 a------- c:\winnt\system32\WININET.DLL
2009-04-17 00:04 1,645,072 a------- c:\winnt\system32\WIN32K.SYS
2006-07-29 17:57 12,888 a------- c:\docume~1\admini~1\applic~1\GDIPFONTCACHEV1.DAT
2006-07-20 05:16 21,952 ----h--- c:\program files\folder.htt
2006-07-20 05:16 271 ----h--- c:\program files\desktop.ini
1999-12-07 07:00 32,528 a------- c:\winnt\inf\wbfirdma.sys

============= FINISH: 20:00:36.73 ===============

Attached Files



#6 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:02:56 AM

Posted 02 July 2009 - 12:38 PM

Hi,

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.


Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link . That means disabling Spybot TeaTimer and Ad-Aware Ad-Watch
    Remember to re-enable them when we've done the cleaning.

  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds.txt log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Microsoft MVP Consumer Security 2008 2009 2010 2011 2012 2013
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#7 tbibb

tbibb
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:06:56 PM

Posted 03 July 2009 - 02:49 PM

DDS:

DDS (Ver_09-05-14.01) - NTFSx86
Run by Administrator at 14:53:25.17 on Fri 07/03/2009
Internet Explorer: 6.0.2800.1106
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.1023.699 [GMT -5:00]


============== Running Processes ===============

C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\ATKKBService.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINNT\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\WINNT\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\Virus\dds.scr

============== Pseudo HJT Report ===============

uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\system32\blank.htm
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\system32\browseui.dll
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [WrtMon.exe] c:\winnt\system32\spool\drivers\w32x86\3\WrtMon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {0000000A-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/8/B/E/8BE028EC-F134-4AA0-84AB-64F76D6B9842/wmsp9dmo.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153420015171
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [1999-12-7 24784]

=============== Created Last 30 ================

2009-07-03 14:50 <DIR> -cd----- c:\winnt\system32\dllcache\cache
2009-07-03 14:46 161,792 a------- c:\winnt\SWREG.exe
2009-07-03 14:46 155,136 a------- c:\winnt\PEV.exe
2009-07-03 14:46 98,816 a------- c:\winnt\sed.exe
2009-07-03 14:46 <DIR> --ds---- C:\ComboFix
2009-07-03 14:42 16,384 a------t c:\winnt\system32\Perflib_Perfdata_514.dat
2009-07-03 14:41 16,384 a------t c:\winnt\system32\Perflib_Perfdata_300.dat
2009-07-03 14:41 16,384 a------t c:\winnt\system32\Perflib_Perfdata_234.dat
2009-07-02 11:26 16,384 a------t c:\winnt\system32\Perflib_Perfdata_89c.dat
2009-07-02 08:52 16,384 a------t c:\winnt\system32\Perflib_Perfdata_6b0.dat
2009-07-02 08:52 16,384 a------t c:\winnt\system32\Perflib_Perfdata_418.dat
2009-06-29 12:42 16,384 a------t c:\winnt\system32\Perflib_Perfdata_6a0.dat
2009-06-29 08:44 16,384 a------t c:\winnt\system32\Perflib_Perfdata_6bc.dat
2009-06-29 08:44 16,384 a------t c:\winnt\system32\Perflib_Perfdata_320.dat
2009-06-28 08:36 16,384 a------t c:\winnt\system32\Perflib_Perfdata_694.dat
2009-06-28 08:36 16,384 a------t c:\winnt\system32\Perflib_Perfdata_5c8.dat
2009-06-28 08:35 16,384 a------t c:\winnt\system32\Perflib_Perfdata_240.dat
2009-06-28 08:26 16,384 a------t c:\winnt\system32\Perflib_Perfdata_6ac.dat
2009-06-28 08:26 16,384 a------t c:\winnt\system32\Perflib_Perfdata_608.dat
2009-06-28 07:45 16,384 a------t c:\winnt\system32\Perflib_Perfdata_700.dat
2009-06-27 07:40 16,384 a------t c:\winnt\system32\Perflib_Perfdata_6d8.dat
2009-06-27 07:40 16,384 a------t c:\winnt\system32\Perflib_Perfdata_4dc.dat
2009-06-26 09:59 16,384 a------t c:\winnt\system32\Perflib_Perfdata_754.dat
2009-06-26 07:52 16,384 a------t c:\winnt\system32\Perflib_Perfdata_6b4.dat
2009-06-26 07:43 16,384 a------t c:\winnt\system32\Perflib_Perfdata_5b4.dat
2009-06-25 12:08 16,384 a------t c:\winnt\system32\Perflib_Perfdata_4c0.dat
2009-06-25 12:08 16,384 a------t c:\winnt\system32\Perflib_Perfdata_61c.dat
2009-06-25 12:08 16,384 a------t c:\winnt\system32\Perflib_Perfdata_318.dat
2009-06-25 11:57 16,384 a------t c:\winnt\system32\Perflib_Perfdata_5d8.dat
2009-06-25 11:56 16,384 a------t c:\winnt\system32\Perflib_Perfdata_328.dat
2009-06-25 08:32 16,384 a------t c:\winnt\system32\Perflib_Perfdata_1c8.dat
2009-06-25 08:17 16,384 a------t c:\winnt\system32\Perflib_Perfdata_5e0.dat
2009-06-25 07:23 16,384 a------t c:\winnt\system32\Perflib_Perfdata_4d4.dat
2009-06-25 07:23 16,384 a------t c:\winnt\system32\Perflib_Perfdata_334.dat
2009-06-24 12:59 16,384 a------t c:\winnt\system32\Perflib_Perfdata_6c8.dat
2009-06-24 12:59 16,384 a------t c:\winnt\system32\Perflib_Perfdata_628.dat
2009-06-24 10:30 16,384 a------t c:\winnt\system32\Perflib_Perfdata_720.dat
2009-06-23 07:35 16,384 a------t c:\winnt\system32\Perflib_Perfdata_704.dat
2009-06-23 07:34 16,384 a------t c:\winnt\system32\Perflib_Perfdata_330.dat
2009-06-22 17:19 <DIR> --d----- c:\program files\Lavasoft
2009-06-22 17:19 <DIR> --d----- c:\winnt\winsxs
2009-06-20 07:36 16,384 a------t c:\winnt\system32\Perflib_Perfdata_654.dat
2009-06-19 07:33 16,384 a------t c:\winnt\system32\Perflib_Perfdata_618.dat
2009-06-17 11:30 16,384 a------t c:\winnt\system32\Perflib_Perfdata_5a8.dat
2009-06-16 09:58 16,384 a------t c:\winnt\system32\Perflib_Perfdata_520.dat
2009-06-12 09:08 16,384 a------t c:\winnt\system32\Perflib_Perfdata_2e8.dat
2009-06-08 15:11 554,306 ----h--- c:\winnt\ShellIconCache
2009-06-07 01:24 <DIR> --d----- c:\program files\Sun
2009-06-07 01:24 410,984 a------- c:\winnt\system32\deploytk.dll
2009-06-07 01:24 73,728 a------- c:\winnt\system32\javacpl.cpl
2009-06-07 01:18 16,384 a------t c:\winnt\system32\Perflib_Perfdata_678.dat
2009-06-07 01:11 <DIR> --d----- c:\documents and settings\administrator\.SunDownloadManager
2009-06-07 01:03 <DIR> --d----- c:\program files\Trend Micro
2009-06-07 00:30 16,384 a------t c:\winnt\system32\Perflib_Perfdata_5a0.dat
2009-06-06 23:51 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-06-06 23:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-06 23:42 <DIR> --d----- c:\docume~1\admini~1\applic~1\Safer Networking
2009-06-06 23:42 <DIR> --d----- c:\program files\Safer Networking

==================== Find3M ====================

2009-05-31 21:43 16,384 a------t c:\winnt\system32\Perflib_Perfdata_578.dat
2009-05-31 21:30 16,384 a------t c:\winnt\system32\Perflib_Perfdata_584.dat
2009-05-31 21:14 16,384 a------t c:\winnt\system32\Perflib_Perfdata_7fc.dat
2009-05-31 15:26 16,384 a------t c:\winnt\system32\Perflib_Perfdata_424.dat
2009-05-30 15:30 16,384 a------t c:\winnt\system32\Perflib_Perfdata_374.dat
2009-05-30 15:28 16,384 a------t c:\winnt\system32\Perflib_Perfdata_670.dat
2009-05-30 15:25 16,384 a------t c:\winnt\system32\Perflib_Perfdata_484.dat
2009-05-30 15:25 16,384 a------t c:\winnt\system32\Perflib_Perfdata_590.dat
2009-05-30 14:55 16,384 a------t c:\winnt\system32\Perflib_Perfdata_574.dat
2009-05-30 13:20 16,384 a------t c:\winnt\system32\Perflib_Perfdata_728.dat
2009-05-30 12:46 16,384 a------t c:\winnt\system32\Perflib_Perfdata_64c.dat
2009-05-30 12:42 16,384 a------t c:\winnt\system32\Perflib_Perfdata_8d8.dat
2009-05-30 09:24 16,384 a------t c:\winnt\system32\Perflib_Perfdata_2a4.dat
2009-05-27 08:30 16,384 a------t c:\winnt\system32\Perflib_Perfdata_57c.dat
2009-05-25 16:55 16,384 a------t c:\winnt\system32\Perflib_Perfdata_534.dat
2009-05-23 16:41 16,384 a------t c:\winnt\system32\Perflib_Perfdata_570.dat
2009-05-23 16:29 16,384 a------t c:\winnt\system32\Perflib_Perfdata_308.dat
2009-05-23 16:22 16,384 a------t c:\winnt\system32\Perflib_Perfdata_644.dat
2009-05-23 16:17 16,384 a------t c:\winnt\system32\Perflib_Perfdata_660.dat
2009-05-23 13:53 16,384 a------t c:\winnt\system32\Perflib_Perfdata_630.dat
2009-05-23 10:44 16,384 a------t c:\winnt\system32\Perflib_Perfdata_650.dat
2009-05-14 09:08 16,384 a------t c:\winnt\system32\Perflib_Perfdata_524.dat
2009-05-09 09:41 16,384 a------t c:\winnt\system32\Perflib_Perfdata_65c.dat
2009-05-07 01:41 263,440 a------- c:\winnt\system32\LOCALSPL.DLL
2009-04-24 04:54 95,504 a------- c:\winnt\system32\WIN32SPL.DLL
2009-04-22 08:38 437,008 a------- c:\winnt\system32\rpcrt4.dll
2009-04-21 15:15 576,512 a------- c:\winnt\system32\WININET.DLL
2009-04-17 00:04 1,645,072 a------- c:\winnt\system32\WIN32K.SYS
2006-07-29 17:57 12,888 a------- c:\docume~1\admini~1\applic~1\GDIPFONTCACHEV1.DAT
2006-07-20 05:16 21,952 ----h--- c:\program files\folder.htt
2006-07-20 05:16 271 ----h--- c:\program files\desktop.ini
1999-12-07 07:00 32,528 a------- c:\winnt\inf\wbfirdma.sys

============= FINISH: 14:53:36.03 ===============


COMBO FIX:

ComboFix 09-07-02.03 - Administrator 07/03/2009 14:47.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.1023.721 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\arcldr.exe
C:\arcsetup.exe
c:\winnt\system32\404Fix.exe
c:\winnt\system32\Agent.OMZ.Fix.exe
c:\winnt\system32\dumphive.exe
c:\winnt\system32\IEDFix.C.exe
c:\winnt\system32\IEDFix.exe
c:\winnt\system32\mww29911.dll
c:\winnt\system32\o4Patch.exe
c:\winnt\system32\Process.exe
c:\winnt\system32\SrchSTS.exe
c:\winnt\system32\tmp.reg
c:\winnt\system32\VCCLSID.exe
c:\winnt\system32\WS2Fix.exe
c:\winnt\system32\ww29911.dll
c:\winnt\Web\default.htt
C:\xcrashdump.dat

.
((((((((((((((((((((((((( Files Created from 2009-06-03 to 2009-07-03 )))))))))))))))))))))))))))))))
.

2009-07-03 19:42 . 2009-07-03 19:42 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_514.dat
2009-07-03 19:41 . 2009-07-03 19:41 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_300.dat
2009-07-03 19:41 . 2009-07-03 19:41 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_234.dat
2009-07-02 16:26 . 2009-07-02 16:26 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_89c.dat
2009-07-02 13:52 . 2009-07-02 13:52 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_6b0.dat
2009-07-02 13:52 . 2009-07-02 13:52 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_418.dat
2009-06-29 17:42 . 2009-06-29 17:42 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_6a0.dat
2009-06-29 13:44 . 2009-06-29 13:44 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_6bc.dat
2009-06-29 13:44 . 2009-06-29 13:44 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_320.dat
2009-06-28 13:36 . 2009-06-28 13:36 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_694.dat
2009-06-28 13:36 . 2009-06-28 13:36 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_5c8.dat
2009-06-28 13:35 . 2009-06-28 13:35 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_240.dat
2009-06-28 13:26 . 2009-06-28 13:26 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_6ac.dat
2009-06-28 13:26 . 2009-06-28 13:26 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_608.dat
2009-06-28 12:45 . 2009-06-28 12:45 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_700.dat
2009-06-27 12:40 . 2009-06-27 12:40 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_6d8.dat
2009-06-27 12:40 . 2009-06-27 12:40 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_4dc.dat
2009-06-26 14:59 . 2009-06-26 14:59 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_754.dat
2009-06-26 12:52 . 2009-06-26 12:52 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_6b4.dat
2009-06-26 12:43 . 2009-06-26 12:43 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_5b4.dat
2009-06-25 17:08 . 2009-06-25 17:08 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_4c0.dat
2009-06-25 17:08 . 2009-06-25 17:08 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_61c.dat
2009-06-25 17:08 . 2009-06-25 17:08 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_318.dat
2009-06-25 16:57 . 2009-06-25 16:57 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_5d8.dat
2009-06-25 16:56 . 2009-06-25 16:56 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_328.dat
2009-06-25 13:32 . 2009-06-25 13:32 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_1c8.dat
2009-06-25 13:17 . 2009-06-25 13:17 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_5e0.dat
2009-06-25 12:23 . 2009-06-25 12:23 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_4d4.dat
2009-06-25 12:23 . 2009-06-25 12:23 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_334.dat
2009-06-24 17:59 . 2009-06-24 17:59 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_6c8.dat
2009-06-24 17:59 . 2009-06-24 17:59 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_628.dat
2009-06-24 15:30 . 2009-06-24 15:30 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_720.dat
2009-06-23 12:35 . 2009-06-23 12:35 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_704.dat
2009-06-23 12:34 . 2009-06-23 12:34 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_330.dat
2009-06-22 22:22 . 2009-07-03 19:39 -------- dc----w- c:\winnt\system32\DRVSTORE
2009-06-22 22:19 . 2009-07-03 19:39 -------- d-----w- c:\program files\Lavasoft
2009-06-22 22:19 . 2009-06-22 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-22 22:19 . 2009-06-22 22:19 -------- d-----w- c:\winnt\winsxs
2009-06-20 12:36 . 2009-06-20 12:36 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_654.dat
2009-06-19 12:33 . 2009-06-19 12:33 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_618.dat
2009-06-17 16:30 . 2009-06-17 16:30 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_5a8.dat
2009-06-16 14:58 . 2009-06-16 14:58 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_520.dat
2009-06-12 14:08 . 2009-06-12 14:08 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_2e8.dat
2009-06-07 06:24 . 2009-06-07 06:24 -------- d-----w- c:\program files\Sun
2009-06-07 06:24 . 2009-06-07 06:24 410984 ----a-w- c:\winnt\system32\deploytk.dll
2009-06-07 06:18 . 2009-06-07 06:18 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_678.dat
2009-06-07 06:11 . 2009-06-07 06:15 -------- d-----w- c:\documents and settings\Administrator\.SunDownloadManager
2009-06-07 06:03 . 2009-06-07 06:03 -------- d-----w- c:\program files\Trend Micro
2009-06-07 05:30 . 2009-06-07 05:30 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_5a0.dat
2009-06-07 04:51 . 2009-06-07 04:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-07 04:51 . 2009-06-07 04:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-07 04:42 . 2009-06-07 04:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Safer Networking
2009-06-07 04:42 . 2009-06-07 04:43 -------- d-----w- c:\program files\Safer Networking

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-03 19:40 . 2008-08-30 05:11 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-03 19:39 . 2008-08-30 05:11 -------- d---a-w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-15 18:46 . 2006-08-19 19:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\AdobeUM
2009-06-07 06:24 . 2009-05-30 19:06 -------- d-----w- c:\program files\Java
2009-06-01 02:43 . 2009-06-01 02:43 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_578.dat
2009-06-01 02:30 . 2009-06-01 02:30 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_584.dat
2009-06-01 02:14 . 2009-06-01 02:14 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_7fc.dat
2009-05-31 20:26 . 2009-05-31 20:26 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_424.dat
2009-05-30 20:30 . 2009-05-30 20:30 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_374.dat
2009-05-30 20:28 . 2009-05-30 20:28 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_670.dat
2009-05-30 20:25 . 2009-05-30 20:25 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_484.dat
2009-05-30 20:25 . 2009-05-30 20:25 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_590.dat
2009-05-30 19:55 . 2009-05-30 19:55 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_574.dat
2009-05-30 19:05 . 2009-05-30 19:05 -------- d-----w- c:\program files\Common Files\Java
2009-05-30 18:20 . 2009-05-30 18:20 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_728.dat
2009-05-30 17:46 . 2009-05-30 17:46 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_64c.dat
2009-05-30 17:42 . 2009-05-30 17:42 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_8d8.dat
2009-05-30 14:24 . 2009-05-30 14:24 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_2a4.dat
2009-05-27 13:30 . 2009-05-27 13:30 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_57c.dat
2009-05-25 21:55 . 2009-05-25 21:55 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_534.dat
2009-05-23 21:41 . 2009-05-23 21:41 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_570.dat
2009-05-23 21:29 . 2009-05-23 21:29 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_308.dat
2009-05-23 21:22 . 2009-05-23 21:22 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_644.dat
2009-05-23 21:17 . 2009-05-23 21:17 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_660.dat
2009-05-23 18:53 . 2009-05-23 18:53 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_630.dat
2009-05-23 15:44 . 2009-05-23 15:44 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_650.dat
2009-05-14 14:08 . 2009-05-14 14:08 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_524.dat
2009-05-09 14:41 . 2009-05-09 14:41 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_65c.dat
2009-05-07 06:41 . 1999-12-07 12:00 263440 ----a-w- c:\winnt\system32\LOCALSPL.DLL
2009-04-24 09:54 . 1999-12-07 12:00 95504 ----a-w- c:\winnt\system32\WIN32SPL.DLL
2009-04-22 13:38 . 2009-04-22 13:38 437008 ----a-w- c:\winnt\system32\rpcrt4.dll
2009-04-21 20:15 . 2009-04-21 20:15 576512 ----a-w- c:\winnt\system32\WININET.DLL
2009-04-17 05:04 . 1999-12-07 12:00 1645072 ----a-w- c:\winnt\system32\WIN32K.SYS
2006-07-20 10:16 . 2006-07-20 10:16 21952 ---h--w- c:\program files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"WrtMon.exe"="c:\winnt\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-07 148888]
"Synchronization Manager"="mobsync.exe" - c:\winnt\system32\mobsync.exe [2003-06-19 111376]
"SoundMan"="SOUNDMAN.EXE" - c:\winnt\SOUNDMAN.EXE [2005-04-15 77824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 186640]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-7-20 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iexplore.exe]
"Debugger"=

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"

R3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [12/7/1999 7:00 AM 24784]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://dyroom.cn/
mLocal Page = c:\windows\system32\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: %SystemRoot%\system32\msafd.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-03 14:50
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\winnt\system32\Perflib_Perfdata_6c0.dat 16384 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(200)
c:\winnt\system32\Ati2evxx.dll
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
.
Completion time: 2009-07-03 14:51
ComboFix-quarantined-files.txt 2009-07-03 19:51

Pre-Run: 127,574,392,832 bytes free
Post-Run: 127,689,740,288 bytes free

180 --- E O F --- 2009-06-15 23:01


DDS:

DDS (Ver_09-05-14.01) - NTFSx86
Run by Administrator at 14:53:25.17 on Fri 07/03/2009
Internet Explorer: 6.0.2800.1106
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.1023.699 [GMT -5:00]


============== Running Processes ===============

C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\ATKKBService.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINNT\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\WINNT\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\Virus\dds.scr

============== Pseudo HJT Report ===============

uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\system32\blank.htm
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\system32\browseui.dll
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [WrtMon.exe] c:\winnt\system32\spool\drivers\w32x86\3\WrtMon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {0000000A-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/8/B/E/8BE028EC-F134-4AA0-84AB-64F76D6B9842/wmsp9dmo.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153420015171
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [1999-12-7 24784]

=============== Created Last 30 ================

2009-07-03 14:50 <DIR> -cd----- c:\winnt\system32\dllcache\cache
2009-07-03 14:46 161,792 a------- c:\winnt\SWREG.exe
2009-07-03 14:46 155,136 a------- c:\winnt\PEV.exe
2009-07-03 14:46 98,816 a------- c:\winnt\sed.exe
2009-07-03 14:46 <DIR> --ds---- C:\ComboFix
2009-07-03 14:42 16,384 a------t c:\winnt\system32\Perflib_Perfdata_514.dat
2009-07-03 14:41 16,384 a------t c:\winnt\system32\Perflib_Perfdata_300.dat
2009-07-03 14:41 16,384 a------t c:\winnt\system32\Perflib_Perfdata_234.dat
2009-07-02 11:26 16,384 a------t c:\winnt\system32\Perflib_Perfdata_89c.dat
2009-07-02 08:52 16,384 a------t c:\winnt\system32\Perflib_Perfdata_6b0.dat
2009-07-02 08:52 16,384 a------t c:\winnt\system32\Perflib_Perfdata_418.dat
2009-06-29 12:42 16,384 a------t c:\winnt\system32\Perflib_Perfdata_6a0.dat
2009-06-29 08:44 16,384 a------t c:\winnt\system32\Perflib_Perfdata_6bc.dat
2009-06-29 08:44 16,384 a------t c:\winnt\system32\Perflib_Perfdata_320.dat
2009-06-28 08:36 16,384 a------t c:\winnt\system32\Perflib_Perfdata_694.dat
2009-06-28 08:36 16,384 a------t c:\winnt\system32\Perflib_Perfdata_5c8.dat
2009-06-28 08:35 16,384 a------t c:\winnt\system32\Perflib_Perfdata_240.dat
2009-06-28 08:26 16,384 a------t c:\winnt\system32\Perflib_Perfdata_6ac.dat
2009-06-28 08:26 16,384 a------t c:\winnt\system32\Perflib_Perfdata_608.dat
2009-06-28 07:45 16,384 a------t c:\winnt\system32\Perflib_Perfdata_700.dat
2009-06-27 07:40 16,384 a------t c:\winnt\system32\Perflib_Perfdata_6d8.dat
2009-06-27 07:40 16,384 a------t c:\winnt\system32\Perflib_Perfdata_4dc.dat
2009-06-26 09:59 16,384 a------t c:\winnt\system32\Perflib_Perfdata_754.dat
2009-06-26 07:52 16,384 a------t c:\winnt\system32\Perflib_Perfdata_6b4.dat
2009-06-26 07:43 16,384 a------t c:\winnt\system32\Perflib_Perfdata_5b4.dat
2009-06-25 12:08 16,384 a------t c:\winnt\system32\Perflib_Perfdata_4c0.dat
2009-06-25 12:08 16,384 a------t c:\winnt\system32\Perflib_Perfdata_61c.dat
2009-06-25 12:08 16,384 a------t c:\winnt\system32\Perflib_Perfdata_318.dat
2009-06-25 11:57 16,384 a------t c:\winnt\system32\Perflib_Perfdata_5d8.dat
2009-06-25 11:56 16,384 a------t c:\winnt\system32\Perflib_Perfdata_328.dat
2009-06-25 08:32 16,384 a------t c:\winnt\system32\Perflib_Perfdata_1c8.dat
2009-06-25 08:17 16,384 a------t c:\winnt\system32\Perflib_Perfdata_5e0.dat
2009-06-25 07:23 16,384 a------t c:\winnt\system32\Perflib_Perfdata_4d4.dat
2009-06-25 07:23 16,384 a------t c:\winnt\system32\Perflib_Perfdata_334.dat
2009-06-24 12:59 16,384 a------t c:\winnt\system32\Perflib_Perfdata_6c8.dat
2009-06-24 12:59 16,384 a------t c:\winnt\system32\Perflib_Perfdata_628.dat
2009-06-24 10:30 16,384 a------t c:\winnt\system32\Perflib_Perfdata_720.dat
2009-06-23 07:35 16,384 a------t c:\winnt\system32\Perflib_Perfdata_704.dat
2009-06-23 07:34 16,384 a------t c:\winnt\system32\Perflib_Perfdata_330.dat
2009-06-22 17:19 <DIR> --d----- c:\program files\Lavasoft
2009-06-22 17:19 <DIR> --d----- c:\winnt\winsxs
2009-06-20 07:36 16,384 a------t c:\winnt\system32\Perflib_Perfdata_654.dat
2009-06-19 07:33 16,384 a------t c:\winnt\system32\Perflib_Perfdata_618.dat
2009-06-17 11:30 16,384 a------t c:\winnt\system32\Perflib_Perfdata_5a8.dat
2009-06-16 09:58 16,384 a------t c:\winnt\system32\Perflib_Perfdata_520.dat
2009-06-12 09:08 16,384 a------t c:\winnt\system32\Perflib_Perfdata_2e8.dat
2009-06-08 15:11 554,306 ----h--- c:\winnt\ShellIconCache
2009-06-07 01:24 <DIR> --d----- c:\program files\Sun
2009-06-07 01:24 410,984 a------- c:\winnt\system32\deploytk.dll
2009-06-07 01:24 73,728 a------- c:\winnt\system32\javacpl.cpl
2009-06-07 01:18 16,384 a------t c:\winnt\system32\Perflib_Perfdata_678.dat
2009-06-07 01:11 <DIR> --d----- c:\documents and settings\administrator\.SunDownloadManager
2009-06-07 01:03 <DIR> --d----- c:\program files\Trend Micro
2009-06-07 00:30 16,384 a------t c:\winnt\system32\Perflib_Perfdata_5a0.dat
2009-06-06 23:51 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-06-06 23:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-06 23:42 <DIR> --d----- c:\docume~1\admini~1\applic~1\Safer Networking
2009-06-06 23:42 <DIR> --d----- c:\program files\Safer Networking

==================== Find3M ====================

2009-05-31 21:43 16,384 a------t c:\winnt\system32\Perflib_Perfdata_578.dat
2009-05-31 21:30 16,384 a------t c:\winnt\system32\Perflib_Perfdata_584.dat
2009-05-31 21:14 16,384 a------t c:\winnt\system32\Perflib_Perfdata_7fc.dat
2009-05-31 15:26 16,384 a------t c:\winnt\system32\Perflib_Perfdata_424.dat
2009-05-30 15:30 16,384 a------t c:\winnt\system32\Perflib_Perfdata_374.dat
2009-05-30 15:28 16,384 a------t c:\winnt\system32\Perflib_Perfdata_670.dat
2009-05-30 15:25 16,384 a------t c:\winnt\system32\Perflib_Perfdata_484.dat
2009-05-30 15:25 16,384 a------t c:\winnt\system32\Perflib_Perfdata_590.dat
2009-05-30 14:55 16,384 a------t c:\winnt\system32\Perflib_Perfdata_574.dat
2009-05-30 13:20 16,384 a------t c:\winnt\system32\Perflib_Perfdata_728.dat
2009-05-30 12:46 16,384 a------t c:\winnt\system32\Perflib_Perfdata_64c.dat
2009-05-30 12:42 16,384 a------t c:\winnt\system32\Perflib_Perfdata_8d8.dat
2009-05-30 09:24 16,384 a------t c:\winnt\system32\Perflib_Perfdata_2a4.dat
2009-05-27 08:30 16,384 a------t c:\winnt\system32\Perflib_Perfdata_57c.dat
2009-05-25 16:55 16,384 a------t c:\winnt\system32\Perflib_Perfdata_534.dat
2009-05-23 16:41 16,384 a------t c:\winnt\system32\Perflib_Perfdata_570.dat
2009-05-23 16:29 16,384 a------t c:\winnt\system32\Perflib_Perfdata_308.dat
2009-05-23 16:22 16,384 a------t c:\winnt\system32\Perflib_Perfdata_644.dat
2009-05-23 16:17 16,384 a------t c:\winnt\system32\Perflib_Perfdata_660.dat
2009-05-23 13:53 16,384 a------t c:\winnt\system32\Perflib_Perfdata_630.dat
2009-05-23 10:44 16,384 a------t c:\winnt\system32\Perflib_Perfdata_650.dat
2009-05-14 09:08 16,384 a------t c:\winnt\system32\Perflib_Perfdata_524.dat
2009-05-09 09:41 16,384 a------t c:\winnt\system32\Perflib_Perfdata_65c.dat
2009-05-07 01:41 263,440 a------- c:\winnt\system32\LOCALSPL.DLL
2009-04-24 04:54 95,504 a------- c:\winnt\system32\WIN32SPL.DLL
2009-04-22 08:38 437,008 a------- c:\winnt\system32\rpcrt4.dll
2009-04-21 15:15 576,512 a------- c:\winnt\system32\WININET.DLL
2009-04-17 00:04 1,645,072 a------- c:\winnt\system32\WIN32K.SYS
2006-07-29 17:57 12,888 a------- c:\docume~1\admini~1\applic~1\GDIPFONTCACHEV1.DAT
2006-07-20 05:16 21,952 ----h--- c:\program files\folder.htt
2006-07-20 05:16 271 ----h--- c:\program files\desktop.ini
1999-12-07 07:00 32,528 a------- c:\winnt\inf\wbfirdma.sys

============= FINISH: 14:53:36.03 ===============


COMBO FIX:

ComboFix 09-07-02.03 - Administrator 07/03/2009 14:47.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.1023.721 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\arcldr.exe
C:\arcsetup.exe
c:\winnt\system32\404Fix.exe
c:\winnt\system32\Agent.OMZ.Fix.exe
c:\winnt\system32\dumphive.exe
c:\winnt\system32\IEDFix.C.exe
c:\winnt\system32\IEDFix.exe
c:\winnt\system32\mww29911.dll
c:\winnt\system32\o4Patch.exe
c:\winnt\system32\Process.exe
c:\winnt\system32\SrchSTS.exe
c:\winnt\system32\tmp.reg
c:\winnt\system32\VCCLSID.exe
c:\winnt\system32\WS2Fix.exe
c:\winnt\system32\ww29911.dll
c:\winnt\Web\default.htt
C:\xcrashdump.dat

.
((((((((((((((((((((((((( Files Created from 2009-06-03 to 2009-07-03 )))))))))))))))))))))))))))))))
.

2009-07-03 19:42 . 2009-07-03 19:42 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_514.dat
2009-07-03 19:41 . 2009-07-03 19:41 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_300.dat
2009-07-03 19:41 . 2009-07-03 19:41 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_234.dat
2009-07-02 16:26 . 2009-07-02 16:26 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_89c.dat
2009-07-02 13:52 . 2009-07-02 13:52 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_6b0.dat
2009-07-02 13:52 . 2009-07-02 13:52 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_418.dat
2009-06-29 17:42 . 2009-06-29 17:42 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_6a0.dat
2009-06-29 13:44 . 2009-06-29 13:44 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_6bc.dat
2009-06-29 13:44 . 2009-06-29 13:44 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_320.dat
2009-06-28 13:36 . 2009-06-28 13:36 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_694.dat
2009-06-28 13:36 . 2009-06-28 13:36 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_5c8.dat
2009-06-28 13:35 . 2009-06-28 13:35 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_240.dat
2009-06-28 13:26 . 2009-06-28 13:26 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_6ac.dat
2009-06-28 13:26 . 2009-06-28 13:26 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_608.dat
2009-06-28 12:45 . 2009-06-28 12:45 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_700.dat
2009-06-27 12:40 . 2009-06-27 12:40 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_6d8.dat
2009-06-27 12:40 . 2009-06-27 12:40 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_4dc.dat
2009-06-26 14:59 . 2009-06-26 14:59 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_754.dat
2009-06-26 12:52 . 2009-06-26 12:52 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_6b4.dat
2009-06-26 12:43 . 2009-06-26 12:43 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_5b4.dat
2009-06-25 17:08 . 2009-06-25 17:08 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_4c0.dat
2009-06-25 17:08 . 2009-06-25 17:08 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_61c.dat
2009-06-25 17:08 . 2009-06-25 17:08 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_318.dat
2009-06-25 16:57 . 2009-06-25 16:57 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_5d8.dat
2009-06-25 16:56 . 2009-06-25 16:56 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_328.dat
2009-06-25 13:32 . 2009-06-25 13:32 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_1c8.dat
2009-06-25 13:17 . 2009-06-25 13:17 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_5e0.dat
2009-06-25 12:23 . 2009-06-25 12:23 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_4d4.dat
2009-06-25 12:23 . 2009-06-25 12:23 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_334.dat
2009-06-24 17:59 . 2009-06-24 17:59 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_6c8.dat
2009-06-24 17:59 . 2009-06-24 17:59 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_628.dat
2009-06-24 15:30 . 2009-06-24 15:30 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_720.dat
2009-06-23 12:35 . 2009-06-23 12:35 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_704.dat
2009-06-23 12:34 . 2009-06-23 12:34 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_330.dat
2009-06-22 22:22 . 2009-07-03 19:39 -------- dc----w- c:\winnt\system32\DRVSTORE
2009-06-22 22:19 . 2009-07-03 19:39 -------- d-----w- c:\program files\Lavasoft
2009-06-22 22:19 . 2009-06-22 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-22 22:19 . 2009-06-22 22:19 -------- d-----w- c:\winnt\winsxs
2009-06-20 12:36 . 2009-06-20 12:36 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_654.dat
2009-06-19 12:33 . 2009-06-19 12:33 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_618.dat
2009-06-17 16:30 . 2009-06-17 16:30 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_5a8.dat
2009-06-16 14:58 . 2009-06-16 14:58 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_520.dat
2009-06-12 14:08 . 2009-06-12 14:08 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_2e8.dat
2009-06-07 06:24 . 2009-06-07 06:24 -------- d-----w- c:\program files\Sun
2009-06-07 06:24 . 2009-06-07 06:24 410984 ----a-w- c:\winnt\system32\deploytk.dll
2009-06-07 06:18 . 2009-06-07 06:18 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_678.dat
2009-06-07 06:11 . 2009-06-07 06:15 -------- d-----w- c:\documents and settings\Administrator\.SunDownloadManager
2009-06-07 06:03 . 2009-06-07 06:03 -------- d-----w- c:\program files\Trend Micro
2009-06-07 05:30 . 2009-06-07 05:30 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_5a0.dat
2009-06-07 04:51 . 2009-06-07 04:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-07 04:51 . 2009-06-07 04:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-07 04:42 . 2009-06-07 04:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Safer Networking
2009-06-07 04:42 . 2009-06-07 04:43 -------- d-----w- c:\program files\Safer Networking

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-03 19:40 . 2008-08-30 05:11 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-03 19:39 . 2008-08-30 05:11 -------- d---a-w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-15 18:46 . 2006-08-19 19:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\AdobeUM
2009-06-07 06:24 . 2009-05-30 19:06 -------- d-----w- c:\program files\Java
2009-06-01 02:43 . 2009-06-01 02:43 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_578.dat
2009-06-01 02:30 . 2009-06-01 02:30 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_584.dat
2009-06-01 02:14 . 2009-06-01 02:14 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_7fc.dat
2009-05-31 20:26 . 2009-05-31 20:26 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_424.dat
2009-05-30 20:30 . 2009-05-30 20:30 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_374.dat
2009-05-30 20:28 . 2009-05-30 20:28 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_670.dat
2009-05-30 20:25 . 2009-05-30 20:25 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_484.dat
2009-05-30 20:25 . 2009-05-30 20:25 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_590.dat
2009-05-30 19:55 . 2009-05-30 19:55 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_574.dat
2009-05-30 19:05 . 2009-05-30 19:05 -------- d-----w- c:\program files\Common Files\Java
2009-05-30 18:20 . 2009-05-30 18:20 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_728.dat
2009-05-30 17:46 . 2009-05-30 17:46 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_64c.dat
2009-05-30 17:42 . 2009-05-30 17:42 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_8d8.dat
2009-05-30 14:24 . 2009-05-30 14:24 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_2a4.dat
2009-05-27 13:30 . 2009-05-27 13:30 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_57c.dat
2009-05-25 21:55 . 2009-05-25 21:55 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_534.dat
2009-05-23 21:41 . 2009-05-23 21:41 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_570.dat
2009-05-23 21:29 . 2009-05-23 21:29 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_308.dat
2009-05-23 21:22 . 2009-05-23 21:22 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_644.dat
2009-05-23 21:17 . 2009-05-23 21:17 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_660.dat
2009-05-23 18:53 . 2009-05-23 18:53 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_630.dat
2009-05-23 15:44 . 2009-05-23 15:44 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_650.dat
2009-05-14 14:08 . 2009-05-14 14:08 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_524.dat
2009-05-09 14:41 . 2009-05-09 14:41 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_65c.dat
2009-05-07 06:41 . 1999-12-07 12:00 263440 ----a-w- c:\winnt\system32\LOCALSPL.DLL
2009-04-24 09:54 . 1999-12-07 12:00 95504 ----a-w- c:\winnt\system32\WIN32SPL.DLL
2009-04-22 13:38 . 2009-04-22 13:38 437008 ----a-w- c:\winnt\system32\rpcrt4.dll
2009-04-21 20:15 . 2009-04-21 20:15 576512 ----a-w- c:\winnt\system32\WININET.DLL
2009-04-17 05:04 . 1999-12-07 12:00 1645072 ----a-w- c:\winnt\system32\WIN32K.SYS
2006-07-20 10:16 . 2006-07-20 10:16 21952 ---h--w- c:\program files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"WrtMon.exe"="c:\winnt\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-07 148888]
"Synchronization Manager"="mobsync.exe" - c:\winnt\system32\mobsync.exe [2003-06-19 111376]
"SoundMan"="SOUNDMAN.EXE" - c:\winnt\SOUNDMAN.EXE [2005-04-15 77824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 186640]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-7-20 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iexplore.exe]
"Debugger"=

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"

R3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [12/7/1999 7:00 AM 24784]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://dyroom.cn/
mLocal Page = c:\windows\system32\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: %SystemRoot%\system32\msafd.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-03 14:50
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\winnt\system32\Perflib_Perfdata_6c0.dat 16384 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(200)
c:\winnt\system32\Ati2evxx.dll
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
.
Completion time: 2009-07-03 14:51
ComboFix-quarantined-files.txt 2009-07-03 19:51

Pre-Run: 127,574,392,832 bytes free
Post-Run: 127,689,740,288 bytes free

180 --- E O F --- 2009-06-15 23:01

Attached Files



#8 tbibb

tbibb
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:06:56 PM

Posted 03 July 2009 - 02:59 PM

Two things, first, homepage is still getting changed to dyroom.cn.

Second:

I don't know if this is important or not to you... On rebooting the machine now, I get a Program Error dialogue box to pop up:

Program Error

hidserv.exe has generated error and will be closed by Windows.
You will need to restart the program.

An error log is being created.

[OK]

Edited by tbibb, 03 July 2009 - 03:00 PM.


#9 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:02:56 AM

Posted 04 July 2009 - 04:58 AM

Hi,

Hidserv.exe provides support for USB multimedia devices, like keyboards. Do you have any of this kind of devices in use with the system? You may need to reinstall drivers for them.


Open notepad and copy/paste the text in the quotebox below into it:

FMove::
C:\Qoobox\Quarantine\C\winnt\Web\default.htt.vir | c:\winnt\Web\default.htt

DDS::
uStart Page = hxxp://dyroom.cn/
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} -

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iexplore.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=-
"UpdatesDisableNotify"=-

Reboot::


Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Uninstall old Adobe Reader versions and get the latest one (9.1 + update 9.1.2 for it) here or get Foxit Reader here. Make sure you don't install toolbar if choose Foxit Reader! You may also check free readers introduced here.


Uninstall this vulnerable Java:
J2SE Runtime Environment 5.0 Update 3



Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.

Microsoft MVP Consumer Security 2008 2009 2010 2011 2012 2013
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#10 tbibb

tbibb
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:06:56 PM

Posted 04 July 2009 - 06:11 PM

Uninstalled:

All versions of Adobe Reader
J2SE Runtime Environment 5.0

Ran the ComboFix script:

ComboFix 09-07-04.04 - Administrator 07/04/2009 16:13.2 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.1023.755 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\Web\default.htt

.
--------------- FMove ---------------

.
((((((((((((((((((((((((( Files Created from 2009-06-04 to 2009-07-04 )))))))))))))))))))))))))))))))
.

2009-07-04 14:25 . 2009-07-04 14:25 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_238.dat
2009-06-22 22:22 . 2009-07-03 19:39 -------- dc----w- c:\winnt\system32\DRVSTORE
2009-06-22 22:19 . 2009-07-03 19:39 -------- d-----w- c:\program files\Lavasoft
2009-06-22 22:19 . 2009-06-22 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-22 22:19 . 2009-06-22 22:19 -------- d-----w- c:\winnt\winsxs
2009-06-07 06:24 . 2009-06-07 06:24 -------- d-----w- c:\program files\Sun
2009-06-07 06:24 . 2009-06-07 06:24 410984 ----a-w- c:\winnt\system32\deploytk.dll
2009-06-07 06:11 . 2009-06-07 06:15 -------- d-----w- c:\documents and settings\Administrator\.SunDownloadManager
2009-06-07 06:03 . 2009-06-07 06:03 -------- d-----w- c:\program files\Trend Micro
2009-06-07 04:51 . 2009-06-07 04:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-07 04:51 . 2009-06-07 04:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-07 04:42 . 2009-06-07 04:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Safer Networking
2009-06-07 04:42 . 2009-06-07 04:43 -------- d-----w- c:\program files\Safer Networking

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-04 21:09 . 2009-05-30 19:06 -------- d-----w- c:\program files\Java
2009-07-03 19:40 . 2008-08-30 05:11 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-03 19:39 . 2008-08-30 05:11 -------- d---a-w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-15 18:46 . 2006-08-19 19:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\AdobeUM
2009-05-07 06:41 . 1999-12-07 12:00 263440 ----a-w- c:\winnt\system32\LOCALSPL.DLL
2009-04-24 09:54 . 1999-12-07 12:00 95504 ----a-w- c:\winnt\system32\WIN32SPL.DLL
2009-04-22 13:38 . 2009-04-22 13:38 437008 ----a-w- c:\winnt\system32\rpcrt4.dll
2009-04-21 20:15 . 2009-04-21 20:15 576512 ----a-w- c:\winnt\system32\WININET.DLL
2009-04-17 05:04 . 1999-12-07 12:00 1645072 ----a-w- c:\winnt\system32\WIN32K.SYS
2006-07-20 10:16 . 2006-07-20 10:16 21952 ---h--w- c:\program files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"WrtMon.exe"="c:\winnt\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-07 148888]
"Synchronization Manager"="mobsync.exe" - c:\winnt\system32\mobsync.exe [2003-06-19 111376]
"SoundMan"="SOUNDMAN.EXE" - c:\winnt\SOUNDMAN.EXE [2005-04-15 77824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 186640]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-7-20 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

R3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [12/7/1999 7:00 AM 24784]
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://dyroom.cn/
mLocal Page = c:\windows\system32\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: %SystemRoot%\system32\msafd.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-04 16:19
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\winnt\system32\Perflib_Perfdata_308.dat 16384 bytes
c:\winnt\system32\Perflib_Perfdata_5e8.dat 16384 bytes
c:\winnt\system32\Perflib_Perfdata_694.dat 16384 bytes

scan completed successfully
hidden files: 3

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(204)
c:\winnt\system32\Ati2evxx.dll
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL

- - - - - - - > 'explorer.exe'(1092)
c:\winnt\AppPatch\AcLayers.DLL
c:\winnt\system32\SHDOCVW.DLL
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
c:\winnt\webcheck.dll
c:\winnt\system32\MSVCR71.dll
.
Completion time: 2009-07-04 16:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-04 21:21
ComboFix2.txt 2009-07-03 19:51

Pre-Run: 127,817,003,008 bytes free
Post-Run: 127,820,349,440 bytes free

105 --- E O F --- 2009-06-15 23:01

Installed and ran ATF Cleaner - NOTE: Prefetch was (disabled) and could not be checked.

Ran Kaspersky virus scan:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, July 4, 2009
Operating System: Microsoft Windows 2000 Professional Service Pack 4 (build 2195)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Saturday, July 04, 2009 23:46:36
Records in database: 2427850
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 42085
Threat name: 1
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 00:45:57


File name / Threat name / Threats count
C:\WINNT\system32\mwb36074.dll Infected: Trojan.Win32.BHO.hdt 1
C:\WINNT\system32\wb36074.dll Infected: Trojan.Win32.BHO.hdt 1

The selected area was scanned.

New DDS Log:


DDS (Ver_09-05-14.01) - NTFSx86
Run by Administrator at 18:14:47.46 on Sat 07/04/2009
Internet Explorer: 6.0.2800.1106
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.1023.521 [GMT -5:00]


============== Running Processes ===============

C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\ATKKBService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINNT\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINNT\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Administrator\Local Settings\temp\jkos-Administrator\binaries\ScanningProcess.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\Virus\dds.scr

============== Pseudo HJT Report ===============

uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\system32\blank.htm
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\system32\browseui.dll
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [WrtMon.exe] c:\winnt\system32\spool\drivers\w32x86\3\WrtMon.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {0000000A-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/8/B/E/8BE028EC-F134-4AA0-84AB-64F76D6B9842/wmsp9dmo.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153420015171
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [1999-12-7 24784]

=============== Created Last 30 ================

2009-07-04 16:20 16,384 a------t c:\winnt\system32\Perflib_Perfdata_694.dat
2009-07-04 16:20 16,384 a------t c:\winnt\system32\Perflib_Perfdata_308.dat
2009-07-04 16:20 16,384 a------t c:\winnt\system32\Perflib_Perfdata_5e8.dat
2009-07-04 16:13 161,792 a------- c:\winnt\SWREG.exe
2009-07-04 16:13 155,136 a------- c:\winnt\PEV.exe
2009-07-04 16:13 98,816 a------- c:\winnt\sed.exe
2009-07-04 16:08 <DIR> a-d----- c:\winnt\system32\appmgmt
2009-07-04 09:25 16,384 a------t c:\winnt\system32\Perflib_Perfdata_238.dat
2009-07-03 14:50 <DIR> -cd----- c:\winnt\system32\dllcache\cache
2009-06-22 17:19 <DIR> --d----- c:\program files\Lavasoft
2009-06-22 17:19 <DIR> --d----- c:\winnt\winsxs
2009-06-08 15:11 554,548 ----h--- c:\winnt\ShellIconCache
2009-06-07 01:24 <DIR> --d----- c:\program files\Sun
2009-06-07 01:24 410,984 a------- c:\winnt\system32\deploytk.dll
2009-06-07 01:24 73,728 a------- c:\winnt\system32\javacpl.cpl
2009-06-07 01:11 <DIR> --d----- c:\documents and settings\administrator\.SunDownloadManager
2009-06-07 01:03 <DIR> --d----- c:\program files\Trend Micro
2009-06-06 23:51 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-06-06 23:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-06 23:42 <DIR> --d----- c:\docume~1\admini~1\applic~1\Safer Networking
2009-06-06 23:42 <DIR> --d----- c:\program files\Safer Networking

==================== Find3M ====================

2009-05-07 01:41 263,440 a------- c:\winnt\system32\LOCALSPL.DLL
2009-04-24 04:54 95,504 a------- c:\winnt\system32\WIN32SPL.DLL
2009-04-22 08:38 437,008 a------- c:\winnt\system32\rpcrt4.dll
2009-04-21 15:15 576,512 a------- c:\winnt\system32\WININET.DLL
2009-04-17 00:04 1,645,072 a------- c:\winnt\system32\WIN32K.SYS
2006-07-29 17:57 12,888 a------- c:\docume~1\admini~1\applic~1\GDIPFONTCACHEV1.DAT
2006-07-20 05:16 21,952 ----h--- c:\program files\folder.htt
2006-07-20 05:16 271 ----h--- c:\program files\desktop.ini
1999-12-07 07:00 32,528 a------- c:\winnt\inf\wbfirdma.sys

============= FINISH: 18:14:59.62 ===============



Happy 4th of July, hope you're having a nice Holiday!

Attached Files



#11 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:02:56 AM

Posted 05 July 2009 - 04:33 AM

Hi,

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINNT\system32\mwb36074.dll
C:\WINNT\system32\wb36074.dll

DDS::
uStart Page = hxxp://dyroom.cn/
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} -

Reboot::


Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & a fresh dds.txt log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Happy 4th of July, hope you're having a nice Holiday!

I'm living in Finland where July 4th is ordinary day. I'm having holiday now, though :thumbup2:

Microsoft MVP Consumer Security 2008 2009 2010 2011 2012 2013
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#12 tbibb

tbibb
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:06:56 PM

Posted 05 July 2009 - 09:25 PM

ComboFix Log

ComboFix 09-07-05.01 - Administrator 07/05/2009 21:15.3 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.1023.741 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
"c:\winnt\system32\mwb36074.dll"
"c:\winnt\system32\wb36074.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\system32\mwb36074.dll
c:\winnt\system32\wb36074.dll

.
((((((((((((((((((((((((( Files Created from 2009-06-06 to 2009-07-06 )))))))))))))))))))))))))))))))
.

2009-07-06 02:20 . 2009-07-06 02:20 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_23c.dat
2009-06-22 22:22 . 2009-07-03 19:39 -------- dc----w- c:\winnt\system32\DRVSTORE
2009-06-22 22:19 . 2009-07-03 19:39 -------- d-----w- c:\program files\Lavasoft
2009-06-22 22:19 . 2009-06-22 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-22 22:19 . 2009-06-22 22:19 -------- d-----w- c:\winnt\winsxs
2009-06-07 06:24 . 2009-06-07 06:24 -------- d-----w- c:\program files\Sun
2009-06-07 06:24 . 2009-06-07 06:24 410984 ----a-w- c:\winnt\system32\deploytk.dll
2009-06-07 06:11 . 2009-06-07 06:15 -------- d-----w- c:\documents and settings\Administrator\.SunDownloadManager
2009-06-07 06:03 . 2009-06-07 06:03 -------- d-----w- c:\program files\Trend Micro
2009-06-07 04:51 . 2009-06-07 04:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-07 04:51 . 2009-06-07 04:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-07 04:42 . 2009-06-07 04:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Safer Networking
2009-06-07 04:42 . 2009-06-07 04:43 -------- d-----w- c:\program files\Safer Networking

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-04 21:09 . 2009-05-30 19:06 -------- d-----w- c:\program files\Java
2009-07-03 19:40 . 2008-08-30 05:11 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-03 19:39 . 2008-08-30 05:11 -------- d---a-w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-15 18:46 . 2006-08-19 19:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\AdobeUM
2009-05-07 06:41 . 1999-12-07 12:00 263440 ----a-w- c:\winnt\system32\LOCALSPL.DLL
2009-04-24 09:54 . 1999-12-07 12:00 95504 ----a-w- c:\winnt\system32\WIN32SPL.DLL
2009-04-22 13:38 . 2009-04-22 13:38 437008 ----a-w- c:\winnt\system32\rpcrt4.dll
2009-04-21 20:15 . 2009-04-21 20:15 576512 ----a-w- c:\winnt\system32\WININET.DLL
2009-04-17 05:04 . 1999-12-07 12:00 1645072 ----a-w- c:\winnt\system32\WIN32K.SYS
2006-07-20 10:16 . 2006-07-20 10:16 21952 ---h--w- c:\program files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"WrtMon.exe"="c:\winnt\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-07 148888]
"Synchronization Manager"="mobsync.exe" - c:\winnt\system32\mobsync.exe [2003-06-19 111376]
"SoundMan"="SOUNDMAN.EXE" - c:\winnt\SOUNDMAN.EXE [2005-04-15 77824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 186640]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-7-20 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

R3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [12/7/1999 7:00 AM 24784]
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://dyroom.cn/
mLocal Page = c:\windows\system32\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: %SystemRoot%\system32\msafd.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-05 21:21
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\winnt\system32\Perflib_Perfdata_2ec.dat 16384 bytes
c:\winnt\system32\Perflib_Perfdata_5d4.dat 16384 bytes
c:\winnt\system32\Perflib_Perfdata_67c.dat 16384 bytes

scan completed successfully
hidden files: 3

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(204)
c:\winnt\system32\Ati2evxx.dll
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL

- - - - - - - > 'explorer.exe'(1272)
c:\winnt\AppPatch\AcLayers.DLL
c:\winnt\system32\SHDOCVW.DLL
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
c:\winnt\webcheck.dll
c:\winnt\system32\MSVCR71.dll
.
Completion time: 2009-07-06 21:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-06 02:24
ComboFix2.txt 2009-07-04 21:21
ComboFix3.txt 2009-07-03 19:51

Pre-Run: 127,731,306,496 bytes free
Post-Run: 127,823,683,584 bytes free

108 --- E O F --- 2009-06-15 23:01


DDS:


DDS (Ver_09-05-14.01) - NTFSx86
Run by Administrator at 21:29:20.65 on Sun 07/05/2009
Internet Explorer: 6.0.2800.1106
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.1023.740 [GMT -5:00]


============== Running Processes ===============

C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\ATKKBService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINNT\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINNT\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\Administrator\Desktop\Virus\dds.scr

============== Pseudo HJT Report ===============

uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\system32\blank.htm
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\system32\browseui.dll
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [WrtMon.exe] c:\winnt\system32\spool\drivers\w32x86\3\WrtMon.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {0000000A-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/8/B/E/8BE028EC-F134-4AA0-84AB-64F76D6B9842/wmsp9dmo.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153420015171
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [1999-12-7 24784]

=============== Created Last 30 ================

2009-07-05 21:27 16,384 a------t c:\winnt\system32\Perflib_Perfdata_64c.dat
2009-07-05 21:27 16,384 a------t c:\winnt\system32\Perflib_Perfdata_53c.dat
2009-07-05 21:27 16,384 a------t c:\winnt\system32\Perflib_Perfdata_2f0.dat
2009-07-05 21:26 16,384 a------t c:\winnt\system32\Perflib_Perfdata_234.dat
2009-07-04 16:13 161,792 a------- c:\winnt\SWREG.exe
2009-07-04 16:13 155,136 a------- c:\winnt\PEV.exe
2009-07-04 16:13 98,816 a------- c:\winnt\sed.exe
2009-07-04 16:08 <DIR> a-d----- c:\winnt\system32\appmgmt
2009-07-03 14:50 <DIR> -cd----- c:\winnt\system32\dllcache\cache
2009-06-22 17:19 <DIR> --d----- c:\program files\Lavasoft
2009-06-22 17:19 <DIR> --d----- c:\winnt\winsxs
2009-06-08 15:11 641,786 ----h--- c:\winnt\ShellIconCache
2009-06-07 01:24 <DIR> --d----- c:\program files\Sun
2009-06-07 01:24 410,984 a------- c:\winnt\system32\deploytk.dll
2009-06-07 01:24 73,728 a------- c:\winnt\system32\javacpl.cpl
2009-06-07 01:11 <DIR> --d----- c:\documents and settings\administrator\.SunDownloadManager
2009-06-07 01:03 <DIR> --d----- c:\program files\Trend Micro
2009-06-06 23:51 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-06-06 23:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-06 23:42 <DIR> --d----- c:\docume~1\admini~1\applic~1\Safer Networking
2009-06-06 23:42 <DIR> --d----- c:\program files\Safer Networking

==================== Find3M ====================

2009-05-07 01:41 263,440 a------- c:\winnt\system32\LOCALSPL.DLL
2009-04-24 04:54 95,504 a------- c:\winnt\system32\WIN32SPL.DLL
2009-04-22 08:38 437,008 a------- c:\winnt\system32\rpcrt4.dll
2009-04-21 15:15 576,512 a------- c:\winnt\system32\WININET.DLL
2009-04-17 00:04 1,645,072 a------- c:\winnt\system32\WIN32K.SYS
2006-07-29 17:57 12,888 a------- c:\docume~1\admini~1\applic~1\GDIPFONTCACHEV1.DAT
2006-07-20 05:16 21,952 ----h--- c:\program files\folder.htt
2006-07-20 05:16 271 ----h--- c:\program files\desktop.ini
1999-12-07 07:00 32,528 a------- c:\winnt\inf\wbfirdma.sys

============= FINISH: 21:29:36.40 ===============

#13 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:02:56 AM

Posted 06 July 2009 - 04:03 AM

Hi,

Download & extract this file to it's own folder - Registry Search

Launch Registry Search
In the search box, enter (on separate lines)

c95fe080-8f5d-11d2-a20b-00aa003c157a
dyroom.cn


Under Search, make sure only the Value box is checked in the first row of checkboxes. All other checkboxes should be checked.

& click Ok.
Notepad will open with some text in it (the file will also be saved in the program's folder as well).
Post this text in your next reply.

Run also a full scan with Malwarebytes' Anti-Malware after updating its definitions first. Post back the report & a fresh dds.txt log.

Microsoft MVP Consumer Security 2008 2009 2010 2011 2012 2013
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#14 tbibb

tbibb
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:06:56 PM

Posted 07 July 2009 - 05:20 AM

RegSearch
Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.6.0

; Results at 7/7/2009 5:00:56 AM for strings:
; 'c95fe080-8f5d-11d2-a20b-00aa003c157a
c95fe080-8f5d-11d2-a20b-00aa003c157a
c95fe080-8f5d-11d2-a20b-00aa003c157a
c95fe080-8f5d-11d2-a20b-00aa003c157a'
; 'dyroom.cn'
; Strings excluded from search:
; (None)
; Search in:
; Registry Values
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command]
@="\"%programfiles%\\internet explorer\\iexplore.exe\" [url="http://dyroom.cn/""]http://dyroom.cn/"[/url]

[HKEY_USERS\S-1-5-21-515967899-308236825-839522115-500\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://dyroom.cn/"

; End Of The Log...

MalwareBytes

Malwarebytes' Anti-Malware 1.38
Database version: 2384
Windows 5.0.2195 Service Pack 4

7/7/2009 5:20:33 AM
mbam-log-2009-07-07 (05-20-20).txt

Scan type: Full Scan (C:\|)
Objects scanned: 113714
Time elapsed: 13 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command\(default) (HomePage.Hijack.H) -> Bad: ("%programfiles%\internet explorer\iexplore.exe" http://dyroom.cn/) Good: (iexplore.exe) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

DDS


DDS (Ver_09-05-14.01) - NTFSx86
Run by Administrator at 5:21:28.57 on Tue 07/07/2009
Internet Explorer: 6.0.2800.1106
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.1023.718 [GMT -5:00]


============== Running Processes ===============

C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\ATKKBService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINNT\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINNT\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\Administrator\Desktop\Virus\dds.scr

============== Pseudo HJT Report ===============

uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://dyroom.cn/
mLocal Page = c:\windows\system32\blank.htm
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\system32\browseui.dll
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [WrtMon.exe] c:\winnt\system32\spool\drivers\w32x86\3\WrtMon.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {0000000A-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/8/B/E/8BE028EC-F134-4AA0-84AB-64F76D6B9842/wmsp9dmo.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153420015171
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [1999-12-7 24784]

=============== Created Last 30 ================

2009-07-07 05:05 38,160 a------- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-07-07 05:05 18,456 a------- c:\winnt\system32\drivers\mbam.sys
2009-07-07 05:05 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-07 04:56 16,384 a------t c:\winnt\system32\Perflib_Perfdata_690.dat
2009-07-07 04:56 16,384 a------t c:\winnt\system32\Perflib_Perfdata_5c4.dat
2009-07-07 04:55 16,384 a------t c:\winnt\system32\Perflib_Perfdata_2f8.dat
2009-07-07 04:54 16,384 a------t c:\winnt\system32\Perflib_Perfdata_23c.dat
2009-07-06 10:27 16,384 a------t c:\winnt\system32\Perflib_Perfdata_488.dat
2009-07-06 08:48 16,384 a------t c:\winnt\system32\Perflib_Perfdata_5dc.dat
2009-07-06 08:48 16,384 a------t c:\winnt\system32\Perflib_Perfdata_554.dat
2009-07-06 08:48 16,384 a------t c:\winnt\system32\Perflib_Perfdata_2ec.dat
2009-07-06 08:47 16,384 a------t c:\winnt\system32\Perflib_Perfdata_234.dat
2009-07-04 16:13 161,792 a------- c:\winnt\SWREG.exe
2009-07-04 16:13 155,136 a------- c:\winnt\PEV.exe
2009-07-04 16:13 98,816 a------- c:\winnt\sed.exe
2009-07-04 16:08 <DIR> a-d----- c:\winnt\system32\appmgmt
2009-07-03 14:50 <DIR> -cd----- c:\winnt\system32\dllcache\cache
2009-06-22 17:19 <DIR> --d----- c:\program files\Lavasoft
2009-06-22 17:19 <DIR> --d----- c:\winnt\winsxs
2009-06-08 15:11 641,786 ----h--- c:\winnt\ShellIconCache

==================== Find3M ====================

2009-06-07 01:24 410,984 a------- c:\winnt\system32\deploytk.dll
2009-05-07 01:41 263,440 a------- c:\winnt\system32\LOCALSPL.DLL
2009-04-24 04:54 95,504 a------- c:\winnt\system32\WIN32SPL.DLL
2009-04-22 08:38 437,008 a------- c:\winnt\system32\rpcrt4.dll
2009-04-21 15:15 576,512 a------- c:\winnt\system32\WININET.DLL
2009-04-17 00:04 1,645,072 a------- c:\winnt\system32\WIN32K.SYS
2006-07-29 17:57 12,888 a------- c:\docume~1\admini~1\applic~1\GDIPFONTCACHEV1.DAT
2006-07-20 05:16 21,952 ----h--- c:\program files\folder.htt
2006-07-20 05:16 271 ----h--- c:\program files\desktop.ini
1999-12-07 07:00 32,528 a------- c:\winnt\inf\wbfirdma.sys

============= FINISH: 5:21:41.14 ===============


I did not clean the infection that MalwareBytes found, if I was supposed to ... oops.

#15 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:02:56 AM

Posted 07 July 2009 - 08:41 AM

I did not clean the infection that MalwareBytes found, if I was supposed to ... oops.

Yep, it has to be cleaned. Please re-run MBAM and fix its findings. Then post a fresh log from it and DDS (reboot system before creating DDS log).

Registry search has to be done again too. Instead of c95fe080-8f5d-11d2-a20b-00aa003c157a you had searched for c95fe080-8f5d-11d2-a20b-00aa003c157a
c95fe080-8f5d-11d2-a20b-00aa003c157a
c95fe080-8f5d-11d2-a20b-00aa003c157a
c95fe080-8f5d-11d2-a20b-00aa003c157a
. There won't be found entry with that guid four times in a row. It has to be placed only once. Also, search again for dyroom.cn.

Microsoft MVP Consumer Security 2008 2009 2010 2011 2012 2013
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users