cr1sco99999

Trojan Invasion


I have recently been infected by Trojans, and now whenever I perform a Google search a window pops up with my query searched for by other spyware-esque search sites. Here is my HijackThis log; I know that the tuvsr file, plus possibly others, is to blame. Any help would be greatly appreciated.

 

Logfile of HijackThis v1.99.1

Scan saved at 5:51:42 PM, on 5/28/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16441)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\Mcshield.exe

C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\McAfee\Common Framework\UpdaterUI.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\DAEMON Tools\daemon.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\explorer.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Internet Explorer\iexplore.exe

E:\Random crap\HijackThis.exe

C:\Program Files\HP\hpcoretech\soln\HPOSM.exe

C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.foxsports.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1EB53F98-7276-43E3-A32E-DEA0935FBA88} - (no file)

O2 - BHO: (no name) - {469185BF-787C-4D91-97A8-BF943EC1E8EF} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINDOWS\system32\nxfgnujr.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O4 - HKLM\..\Run: [synTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"

O4 - HKLM\..\Run: [synTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"

O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\rxugfgvr.dll",realset

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: McAfee Host Intrusion Prevention Tray.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab

O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1157056773713

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio.../qdiagh.cab?326

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: tuvsr - C:\WINDOWS\

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O20 - Winlogon Notify: wincpg32 - C:\WINDOWS\

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

O20 - Winlogon Notify: yaywtrp - C:\WINDOWS\

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)

O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: McAfee Host Intrusion Prevention Service (enterceptAgent) - McAfee, Inc. - C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe

O23 - Service: Altera JTAG Server (JTAGServer) - Unknown owner - C:\altera\quartus50sp1\bin\JTAGServer.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


Hello,

 

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

 

O2 - BHO: (no name) - {1EB53F98-7276-43E3-A32E-DEA0935FBA88} - (no file)

O2 - BHO: (no name) - {469185BF-787C-4D91-97A8-BF943EC1E8EF} - (no file)

O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINDOWS\system32\nxfgnujr.dll

O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\rxugfgvr.dll",realset

O20 - Winlogon Notify: tuvsr - C:\WINDOWS\

O20 - Winlogon Notify: wincpg32 - C:\WINDOWS\

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

O20 - Winlogon Notify: yaywtrp - C:\WINDOWS\

 

* Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer is closed when you click Fix Checked!

 

Then:

* Download ComboFix to your desktop.

Double-click combofix.exe

Follow the prompts.

Don't click on the window while the fix is running, because that will cause your system to hang.

 

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.

Post this log in your next reply together with a new HijackThis log.

Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

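As an added example (not part of this thread, and not a HijackThis or ComboFix feature), the Python below encodes the triage the reply above does by eye: it parses HijackThis 1.99 O2, O4 and O20 lines and flags the structural tells that justify each "Fix checked" entry, while leaving entries such as Spybot's SDHelper.dll and the Intel igfxcui Notify package alone. The sample lines are a subset copied from the first log posted; the regexes, severity labels and reason strings are this example's own assumptions.

```python
"""Triage HijackThis O2 / O4 / O20 lines for the persistence patterns in this thread.

Added example, not part of the thread. It reads HijackThis 1.99 log lines and
flags the structural oddities a helper looks for: orphaned BHO CLSIDs, unnamed
BHO DLLs in system32, rundll32-based Run values, and Winlogon Notify subkeys
that have no DllName or point at a missing file.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample: a subset of the lines from the first HijackThis log above.
SAMPLE_LINES = [
    "O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll",
    "O2 - BHO: (no name) - {1EB53F98-7276-43E3-A32E-DEA0935FBA88} - (no file)",
    "O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll",
    "O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\\WINDOWS\\system32\\nxfgnujr.dll",
    "O4 - HKLM\\..\\Run: [McAfeeUpdaterUI] \"C:\\Program Files\\McAfee\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey",
    "O4 - HKLM\\..\\Run: [setup] rundll32.exe \"C:\\WINDOWS\\system32\\rxugfgvr.dll\",realset",
    "O20 - Winlogon Notify: igfxcui - C:\\WINDOWS\\SYSTEM32\\igfxdev.dll",
    "O20 - Winlogon Notify: tuvsr - C:\\WINDOWS\\",
    "O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)",
]

# Line shapes as HijackThis 1.99 prints them (assumed from the log above).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
# A file sitting directly under ...\system32\ anywhere in the text.
SYSTEM32_RE = re.compile(r'\\system32\\[^\\"\s,]+', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "low"
    reason: str
    line: str


def triage(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per suspicious line, in input order; benign lines yield nothing."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            if m["path"] == "(no file)":
                findings.append(Finding("low", "orphaned BHO CLSID: still registered but its DLL is gone; remove the key", line))
            elif m["name"] == "(no name)" and SYSTEM32_RE.search(m["path"]):
                findings.append(Finding("high", "unnamed BHO loading a DLL straight out of system32; it runs inside every iexplore.exe, so verify the file before trusting it", line))
            continue
        m = O4_RE.match(line)
        if m:
            cmd = m["cmd"].lstrip('"').lower()
            if cmd.startswith("rundll32") and SYSTEM32_RE.search(m["cmd"]):
                findings.append(Finding("high", "Run value calls rundll32 on a system32 DLL at every logon; the DLL, not rundll32, is the payload", line))
            continue
        m = O20_RE.match(line)
        if m:
            path = m["path"]
            if path.endswith("\\"):
                findings.append(Finding("high", "Winlogon Notify subkey with no DllName value (HijackThis prints only the directory); a working Notify package always names its DLL", line))
            elif path.endswith("(file missing)"):
                findings.append(Finding("low", "Winlogon Notify DllName points at a file that no longer exists; stale, remove the subkey", line))
            continue
    return findings


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings by severity, e.g. {'high': 3, 'low': 2}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.severity:4}] {f.line}\n        {f.reason}")
    print(summarize(triage(SAMPLE_LINES)))
```

The O20 rule is the one worth internalising: Notify packages are loaded by winlogon.exe at logon, so they run as SYSTEM before any user session exists, which is why malware of this era favoured them over a plain Run value. A Notify subkey that carries event handler names but no DllName (the yaywtrp, wincpg32 and tuvsr exports in the ComboFix backup section further down show exactly that shape) is not something a legitimate installer leaves behind, so it goes on the fix list even though nothing can currently load from it. Notice the rules are structural, not name-based: the Intel igfxcui package and Spybot's unnamed SDHelper.dll pass because their paths are complete and outside system32, so no allow-list of "known good" names is needed.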

Thanks, here you go.

 

----------------------------ComboFix Logfile-----------------------------------

 

"Chris" - 2007-05-29 8:18:22 Service Pack 2

ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\Chris\Desktop\"

 

 

(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\WINDOWS\system32\nxfgnujr.dll

C:\WINDOWS\system32\rxugfgvr.dll

C:\WINDOWS\system32\rvgfguxr.ini

C:\WINDOWS\system32\rsvut.bak1

C:\WINDOWS\system32\rsvut.ini

 

 

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

 

 

((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-29 ))))))))))))))))))))))))))))))))))

 

 

2007-05-21 00:58 53,248 --a------ C:\WINDOWS\system32\hidapistub.dll

2007-05-21 00:58 20,746 --a------ C:\WINDOWS\system32\kevlar_api_hook_list.dat

2007-05-21 00:58 187,904 --a------ C:\WINDOWS\system32\drivers\HidSys.sys

2007-05-21 00:58 172,032 --a------ C:\WINDOWS\system32\hidapi.dll

2007-05-21 00:58 155,648 --a------ C:\WINDOWS\system32\KevlarSigs.dll

2007-05-21 00:58 135,168 --a------ C:\WINDOWS\system32\igfxres.dll

2007-05-18 16:18 77,312 --a------ C:\WINDOWS\ua2.dll

2007-05-14 00:42 <DIR> d-------- C:\WINDOWS\Downloaded Installations

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-05-27 23:35:04 -------- d-----w C:\DOCUME~1\Chris\APPLIC~1\LimeWire

2007-05-27 03:28:10 3 ----a-w C:\WINDOWS\system32\SysCalls.dat

2007-05-24 02:24:06 -------- d-----w C:\DOCUME~1\Chris\APPLIC~1\uTorrent

2007-05-20 03:23:45 -------- d--h--w C:\Program Files\InstallShield Installation Information

2007-04-25 21:19:23 -------- d-----w C:\Program Files\AIM

2007-04-25 21:19:23 -------- d-----w C:\DOCUME~1\Chris\APPLIC~1\Help

2007-04-24 03:31:52 -------- d-----w C:\Program Files\Microsoft Visual Studio 8

2007-04-24 03:30:57 -------- d-----w C:\Program Files\Microsoft.NET

2007-04-24 03:04:40 -------- d-----w C:\Program Files\Crimson Editor

2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll

2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll

2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll

2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll

2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll

2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys

2007-03-07 02:19:59 249,856 ------w C:\WINDOWS\Setup1.exe

2007-03-07 02:19:56 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 16:47]

"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 16:47]

"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2003-07-13 03:49]

"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UpdaterUI.exe" [2005-12-07 03:55]

"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 20:00]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 10:57]

"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 14:54]

"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-02-14 03:02]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-15 17:05]

"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 09:48]

"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-02-07 08:39]

"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-02-07 08:36]

"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-02-07 08:40]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00]

"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 19:23]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk

backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]

C:\Program Files\PowerISO\PWRISOVM.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

"C:\Program Files\QuickTime\qttask.exe" -atboottime

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WebrootSpySweeperService"=2 (0x2)

"Pml Driver HPZ12"=3 (0x3)

"ose"=3 (0x3)

"MDM"=2 (0x2)

"Creative Service for CDROM Access"=2 (0x2)

"matlabserver"=2 (0x2)

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a637ee0-c47f-11db-b939-00e0b891c0f9}]

AutoRun\command- H:\LaunchU3.exe

 

*Newly Created Service* -HIDSYS

*Newly Created Service* -PROCEXP90

 

 

~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

 

backup-20070529-081626-825

O20 - Winlogon Notify: yaywtrp - C:\WINDOWS\

 

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yaywtrp]

"Asynchronous"=dword:00000001

"Impersonate"=dword:00000000

"Logon"="Logon"

"Logoff"="Logoff"

 

 

 

backup-20070529-081626-292

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

 

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]

"Asynchronous"=dword:00000000

"DllName"="WRLogonNTF.dll"

"Impersonate"=dword:00000001

"Lock"="WRLock"

"StartScreenSaver"="WRStartScreenSaver"

"StartShell"="WRStartShell"

"Startup"="WRStartup"

"StopScreenSaver"="WRStopScreenSaver"

"Unlock"="WRUnlock"

"Shutdown"="WRShutdown"

"Logoff"="WRLogoff"

"Logon"="WRLogon"

 

 

 

backup-20070529-081626-678

O20 - Winlogon Notify: wincpg32 - C:\WINDOWS\

 

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wincpg32]

"Asynchronous"=dword:00000001

"Impersonate"=dword:00000000

"Startup"="EvtStartup"

"Shutdown"="EvtShutdown"

 

 

 

backup-20070529-081625-102

O20 - Winlogon Notify: tuvsr - C:\WINDOWS\

 

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tuvsr]

"Asynchronous"=dword:00000001

"Impersonate"=dword:00000000

"Startup"="RealLogon"

"Logoff"="RealLogoff"

 

 

 

backup-20070529-081625-288

O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\rxugfgvr.dll",realset

 

backup-20070529-081625-673

O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINDOWS\system32\nxfgnujr.dll

 

backup-20070529-081625-607

O2 - BHO: (no name) - {1EB53F98-7276-43E3-A32E-DEA0935FBA88} - (no file)

 

backup-20070529-081625-893

O2 - BHO: (no name) - {469185BF-787C-4D91-97A8-BF943EC1E8EF} - (no file)

 

backup-20060708-150102-700

O20 - Winlogon Notify: winuzu32 - C:\WINDOWS\SYSTEM32\winuzu32.dll

 

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winuzu32]

"Asynchronous"=dword:00000001

"DllName"="winuzu32.dll"

"Impersonate"=dword:00000000

"Startup"="EvtStartup"

"Shutdown"="EvtShutdown"

 

 

 

backup-20060708-150102-414

O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\g14689963.dll

 

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cfgmngr32]

"DLLName"="C:\\WINDOWS\\g14689963.dll"

"logoff"="WACLEventLogoff"

"lock"="WACLEventLock"

"logon"="WACLEventLogon"

"startup"="WACLEventStartup"

"shutdown"="WACLEventShutdown"

"startshell"="WACLEventStartShell"

"unlock"="WACLEventUnlock"

"startscreensaver"="WACLEventStartScreenSaver"

"stopscreensaver"="WACLEventStopScreenSaver"

 

 

 

backup-20060708-150049-915

O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe

 

backup-20060708-150049-905

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

 

backup-20060708-150049-728

O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123

 

backup-20060708-150049-208

O4 - HKLM\..\Run: [ca1c0c0a.exe] C:\WINDOWS\system32\ca1c0c0a.exe

 

backup-20060708-150049-125

O4 - HKCU\..\Run: [ca1c0c0a.exe] C:\Documents and Settings\Owner\Local Settings\Application Data\ca1c0c0a.exe

 

backup-20060708-150049-683

O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (Bl_camera Control) - http://gtboy.viewnetcam.com/bl_camera.cab

 

backup-20060707-223141-870

O20 - Winlogon Notify: icmrip - icmrip.dll (file missing)

 

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\icmrip]

"Asynchronous"=dword:00000000

"Dllname"="icmrip.dll"

"Impersonate"=dword:00000000

"Startup"="OnStartup"

"Shutdown"="OnShutdown"

 

 

 

backup-20060707-223141-827

O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe

 

backup-20060707-223141-730

O16 - DPF: {1612E10B-CF31-0A0E-887E-6DEA3D91B658} - http://85.255.113.214/1/gdnUS2339.exe

 

backup-20060707-223141-271

O20 - Winlogon Notify: winuzu32 - C:\WINDOWS\SYSTEM32\winuzu32.dll

 

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winuzu32]

"Asynchronous"=dword:00000001

"DllName"="winuzu32.dll"

"Impersonate"=dword:00000000

"Startup"="EvtStartup"

"Shutdown"="EvtShutdown"

 

 

 

backup-20060707-223141-950

O2 - BHO: (no name) - {76e361d3-d118-4757-a88e-345f394f6049} - C:\WINDOWS\system32\icmrip.dll (file missing)

 

backup-20060618-002523-915

O20 - Winlogon Notify: icmrip - C:\WINDOWS\SYSTEM32\icmrip.dll

 

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\icmrip]

"Asynchronous"=dword:00000000

"Dllname"="icmrip.dll"

"Impersonate"=dword:00000000

"Startup"="OnStartup"

"Shutdown"="OnShutdown"

 

 

 

backup-20060618-002523-835

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com

 

backup-20060618-002523-931

O2 - BHO: (no name) - {76e361d3-d118-4757-a88e-345f394f6049} - C:\WINDOWS\system32\icmrip.dll

********************************************************************

 

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-05-29 08:27:14

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Creative Detector = "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe"

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

 

********************************************************************

 

Completion time: 2007-05-29 8:28:49

C:\ComboFix-quarantined-files.txt ... 2007-05-29 08:28

 

--- E O F ---

 

 

----------------------------HijackThis Logfile-----------------------------------

 

Logfile of HijackThis v1.99.1

Scan saved at 8:48:24 AM, on 5/29/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16441)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\Mcshield.exe

C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\McAfee\Common Framework\UpdaterUI.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\DAEMON Tools\daemon.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\QuickTime\QuickTimePlayer.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

E:\Random crap\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.foxsports.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O4 - HKLM\..\Run: [synTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"

O4 - HKLM\..\Run: [synTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: McAfee Host Intrusion Prevention Tray.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [INTERNATIONAL] International*

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab

O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1157056773713

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio.../qdiagh.cab?326

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)

O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: McAfee Host Intrusion Prevention Service (enterceptAgent) - McAfee, Inc. - C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe

O23 - Service: Altera JTAG Server (JTAGServer) - Unknown owner - C:\altera\quartus50sp1\bin\JTAGServer.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


Hello,

Your logs look OK again. How are things now? Popups/redirects gone?


Glad I could help. :)

Please read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!


Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

This topic is now closed to further replies.