Jump to content


Photo

Trojan Invasion


  • This topic is locked This topic is locked
6 replies to this topic

#1 cr1sco99999

cr1sco99999

    Newbie

  • Members
  • Pip
  • 8 posts

Posted 28 May 2007 - 10:42 PM

I have recently been infected by Trojans, and now whenever I perform a google search a window will popup with my query searched for by other search spyware-esque search sites. Here is my HijackThis log, I know that the tuvsr file plus possibly others is to blame. Any help would be greatly appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 5:51:42 PM, on 5/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\McAfee\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\Random crap\HijackThis.exe
C:\Program Files\HP\hpcoretech\soln\HPOSM.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.foxsports.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1EB53F98-7276-43E3-A32E-DEA0935FBA88} - (no file)
O2 - BHO: (no name) - {469185BF-787C-4D91-97A8-BF943EC1E8EF} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINDOWS\system32\nxfgnujr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\rxugfgvr.dll",realset
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: McAfee Host Intrusion Prevention Tray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....026/CTSUEng.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1157056773713
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.h.../qdiagh.cab?326
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15026/CTPID.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: tuvsr - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wincpg32 - C:\WINDOWS\
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O20 - Winlogon Notify: yaywtrp - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: McAfee Host Intrusion Prevention Service (enterceptAgent) - McAfee, Inc. - C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
O23 - Service: Altera JTAG Server (JTAGServer) - Unknown owner - C:\altera\quartus50sp1\bin\JTAGServer.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

#2 miekiemoes

miekiemoes

    Malware Killer Dog

  • Volunteer Security Advisor
  • PipPipPip
  • 4092 posts

Posted 29 May 2007 - 12:53 PM

Hello,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: (no name) - {1EB53F98-7276-43E3-A32E-DEA0935FBA88} - (no file)
O2 - BHO: (no name) - {469185BF-787C-4D91-97A8-BF943EC1E8EF} - (no file)
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINDOWS\system32\nxfgnujr.dll
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\rxugfgvr.dll",realset
O20 - Winlogon Notify: tuvsr - C:\WINDOWS\
O20 - Winlogon Notify: wincpg32 - C:\WINDOWS\
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O20 - Winlogon Notify: yaywtrp - C:\WINDOWS\


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then, * Download Combofix to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
DO NOT POST your problem or log in someone elses thread, even though you are having the same problems. This to avoid confusion. Start a new thread instead and someone will help you asap.
Bumping your thread won't help to receive help in a faster way, this since we always look at the posts with 0 replies first. If you bump your thread, we assume that someone is already helping you, so your thread may be ignored.

#3 cr1sco99999

cr1sco99999

    Newbie

  • Members
  • Pip
  • 8 posts

Posted 29 May 2007 - 01:36 PM

Thanks, here you go.

----------------------------ComboFix Logfile-----------------------------------

"Chris" - 2007-05-29 8:18:22 Service Pack 2
ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\Chris\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\nxfgnujr.dll
C:\WINDOWS\system32\rxugfgvr.dll
C:\WINDOWS\system32\rvgfguxr.ini
C:\WINDOWS\system32\rsvut.bak1
C:\WINDOWS\system32\rsvut.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-29 ))))))))))))))))))))))))))))))))))


2007-05-21 00:58 53,248 --a------ C:\WINDOWS\system32\hidapistub.dll
2007-05-21 00:58 20,746 --a------ C:\WINDOWS\system32\kevlar_api_hook_list.dat
2007-05-21 00:58 187,904 --a------ C:\WINDOWS\system32\drivers\HidSys.sys
2007-05-21 00:58 172,032 --a------ C:\WINDOWS\system32\hidapi.dll
2007-05-21 00:58 155,648 --a------ C:\WINDOWS\system32\KevlarSigs.dll
2007-05-21 00:58 135,168 --a------ C:\WINDOWS\system32\igfxres.dll
2007-05-18 16:18 77,312 --a------ C:\WINDOWS\ua2.dll
2007-05-14 00:42 <DIR> d-------- C:\WINDOWS\Downloaded Installations


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-27 23:35:04 -------- d-----w C:\DOCUME~1\Chris\APPLIC~1\LimeWire
2007-05-27 03:28:10 3 ----a-w C:\WINDOWS\system32\SysCalls.dat
2007-05-24 02:24:06 -------- d-----w C:\DOCUME~1\Chris\APPLIC~1\uTorrent
2007-05-20 03:23:45 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-25 21:19:23 -------- d-----w C:\Program Files\AIM
2007-04-25 21:19:23 -------- d-----w C:\DOCUME~1\Chris\APPLIC~1\Help
2007-04-24 03:31:52 -------- d-----w C:\Program Files\Microsoft Visual Studio 8
2007-04-24 03:30:57 -------- d-----w C:\Program Files\Microsoft.NET
2007-04-24 03:04:40 -------- d-----w C:\Program Files\Crimson Editor
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-07 02:19:59 249,856 ------w C:\WINDOWS\Setup1.exe
2007-03-07 02:19:56 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 16:47]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 16:47]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2003-07-13 03:49]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UpdaterUI.exe" [2005-12-07 03:55]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 20:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 10:57]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 14:54]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-02-14 03:02]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-15 17:05]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 09:48]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-02-07 08:39]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-02-07 08:36]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-02-07 08:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 19:23]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast

Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WebrootSpySweeperService"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"matlabserver"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a637ee0-c47f-11db-b939-00e0b891c0f9}]
AutoRun\command- H:\LaunchU3.exe

*Newly Created Service* -HIDSYS
*Newly Created Service* -PROCEXP90


~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070529-081626-825
O20 - Winlogon Notify: yaywtrp - C:\WINDOWS\

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yaywtrp]
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000000
"Logon"="Logon"
"Logoff"="Logoff"



backup-20070529-081626-292
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"



backup-20070529-081626-678
O20 - Winlogon Notify: wincpg32 - C:\WINDOWS\

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wincpg32]
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000000
"Startup"="EvtStartup"
"Shutdown"="EvtShutdown"



backup-20070529-081625-102
O20 - Winlogon Notify: tuvsr - C:\WINDOWS\

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tuvsr]
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000000
"Startup"="RealLogon"
"Logoff"="RealLogoff"



backup-20070529-081625-288
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\rxugfgvr.dll",realset

backup-20070529-081625-673
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINDOWS\system32\nxfgnujr.dll

backup-20070529-081625-607
O2 - BHO: (no name) - {1EB53F98-7276-43E3-A32E-DEA0935FBA88} - (no file)

backup-20070529-081625-893
O2 - BHO: (no name) - {469185BF-787C-4D91-97A8-BF943EC1E8EF} - (no file)

backup-20060708-150102-700
O20 - Winlogon Notify: winuzu32 - C:\WINDOWS\SYSTEM32\winuzu32.dll

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winuzu32]
"Asynchronous"=dword:00000001
"DllName"="winuzu32.dll"
"Impersonate"=dword:00000000
"Startup"="EvtStartup"
"Shutdown"="EvtShutdown"



backup-20060708-150102-414
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\g14689963.dll

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cfgmngr32]
"DLLName"="C:\\WINDOWS\\g14689963.dll"
"logoff"="WACLEventLogoff"
"lock"="WACLEventLock"
"logon"="WACLEventLogon"
"startup"="WACLEventStartup"
"shutdown"="WACLEventShutdown"
"startshell"="WACLEventStartShell"
"unlock"="WACLEventUnlock"
"startscreensaver"="WACLEventStartScreenSaver"
"stopscreensaver"="WACLEventStopScreenSaver"



backup-20060708-150049-915
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe

?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

???????????????????????????????

backup-20060708-150049-905
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

???????????????????????????????????????????????????????`?????????????????????????????????????????????????????????????????????????????????????????????????????

?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

backup-20060708-150049-728
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.....cab?refid=1123

?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

???????????????????????????????????????????????????????????????????????????????????=?????????????‰????

backup-20060708-150049-208
O4 - HKLM\..\Run: [ca1c0c0a.exe] C:\WINDOWS\system32\ca1c0c0a.exe

backup-20060708-150049-125
O4 - HKCU\..\Run: [ca1c0c0a.exe] C:\Documents and Settings\Owner\Local Settings\Application Data\ca1c0c0a.exe

backup-20060708-150049-683
O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (Bl_camera Control) - http://gtboy.viewnet...m/bl_camera.cab

?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

??????????=??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

?????????????????????????????????????????????????????????

backup-20060707-223141-870
O20 - Winlogon Notify: icmrip - icmrip.dll (file missing)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\icmrip]
"Asynchronous"=dword:00000000
"Dllname"="icmrip.dll"
"Impersonate"=dword:00000000
"Startup"="OnStartup"
"Shutdown"="OnShutdown"



backup-20060707-223141-827
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe

?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

???????????????????????????????

backup-20060707-223141-730
O16 - DPF: {1612E10B-CF31-0A0E-887E-6DEA3D91B658} - http://85.255.113.214/1/gdnUS2339.exe

?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

???????????????????????????????

backup-20060707-223141-271
O20 - Winlogon Notify: winuzu32 - C:\WINDOWS\SYSTEM32\winuzu32.dll

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winuzu32]
"Asynchronous"=dword:00000001
"DllName"="winuzu32.dll"
"Impersonate"=dword:00000000
"Startup"="EvtStartup"
"Shutdown"="EvtShutdown"



backup-20060707-223141-950
O2 - BHO: (no name) - {76e361d3-d118-4757-a88e-345f394f6049} - C:\WINDOWS\system32\icmrip.dll (file missing)

backup-20060618-002523-915
O20 - Winlogon Notify: icmrip - C:\WINDOWS\SYSTEM32\icmrip.dll

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\icmrip]
"Asynchronous"=dword:00000000
"Dllname"="icmrip.dll"
"Impersonate"=dword:00000000
"Startup"="OnStartup"
"Shutdown"="OnShutdown"



backup-20060618-002523-835
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com

backup-20060618-002523-931
O2 - BHO: (no name) - {76e361d3-d118-4757-a88e-345f394f6049} - C:\WINDOWS\system32\icmrip.dll
********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-29 08:27:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Creative Detector = "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe"

/R???w0??w????*??w???wP~??O??w????m???????????????????h???h??????????wO??w????m???????????????????k!?s???w???wZ??????????w???????wHPl????????w???????w???w???

????s????g??w???w???????w???wZ??????????

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-29 8:28:49
C:\ComboFix-quarantined-files.txt ... 2007-05-29 08:28

--- E O F ---


----------------------------HijackThis Logfile-----------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 8:48:24 AM, on 5/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\McAfee\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QuickTimePlayer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\Random crap\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.foxsports.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: McAfee Host Intrusion Prevention Tray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....026/CTSUEng.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1157056773713
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.h.../qdiagh.cab?326
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15026/CTPID.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: McAfee Host Intrusion Prevention Service (enterceptAgent) - McAfee, Inc. - C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
O23 - Service: Altera JTAG Server (JTAGServer) - Unknown owner - C:\altera\quartus50sp1\bin\JTAGServer.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

#4 miekiemoes

miekiemoes

    Malware Killer Dog

  • Volunteer Security Advisor
  • PipPipPip
  • 4092 posts

Posted 29 May 2007 - 02:33 PM

Hello,

Your logs look OK again. How are things now? Popups/redirects gone?
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
DO NOT POST your problem or log in someone elses thread, even though you are having the same problems. This to avoid confusion. Start a new thread instead and someone will help you asap.
Bumping your thread won't help to receive help in a faster way, this since we always look at the posts with 0 replies first. If you bump your thread, we assume that someone is already helping you, so your thread may be ignored.

#5 cr1sco99999

cr1sco99999

    Newbie

  • Members
  • Pip
  • 8 posts

Posted 29 May 2007 - 08:47 PM

Looks like the popups have stopped. Thanks for the help!

#6 miekiemoes

miekiemoes

    Malware Killer Dog

  • Volunteer Security Advisor
  • PipPipPip
  • 4092 posts

Posted 29 May 2007 - 09:08 PM

Glad I could help. :)

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
DO NOT POST your problem or log in someone elses thread, even though you are having the same problems. This to avoid confusion. Start a new thread instead and someone will help you asap.
Bumping your thread won't help to receive help in a faster way, this since we always look at the posts with 0 replies first. If you bump your thread, we assume that someone is already helping you, so your thread may be ignored.

#7 miekiemoes

miekiemoes

    Malware Killer Dog

  • Volunteer Security Advisor
  • PipPipPip
  • 4092 posts

Posted 30 May 2007 - 10:45 PM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
DO NOT POST your problem or log in someone elses thread, even though you are having the same problems. This to avoid confusion. Start a new thread instead and someone will help you asap.
Bumping your thread won't help to receive help in a faster way, this since we always look at the posts with 0 replies first. If you bump your thread, we assume that someone is already helping you, so your thread may be ignored.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users