HijackThis/ComboFix Logs Pls. Help Diagnose


2 replies to this topic

#1 dudesy

  • Members
  • 2 posts

Posted 14 February 2008 - 02:30 PM

Hi,
Pls. view below the ComboFix log, followed by the HijackThis log.
After performing both, I'm not able to remove the pos1A.tmp files, which are present in the thousands in C: and My Documents.
Also, two items, "Help and Support Center" and "Windows Update", keep reappearing on my desktop even after I delete them.
Pls. analyse and help me solve this.
ComboFix log:

ComboFix 08-02-14.3 - Administrator 2008-02-15 0:37:33.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.83 [GMT 5.5:30]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\gebcb.dll
C:\WINDOWS\system32\ssqpomm.dll
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\VYXPXWKS\www.broadcaster.com
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\internet explorer\iekey.dll
C:\Program Files\internet explorer\iexp1ore.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\msettings.ini
C:\WINDOWS\ravmone.exe
C:\WINDOWS\SYSTEM32\axbbsakq.ini
C:\WINDOWS\SYSTEM32\bcbeg.ini
C:\WINDOWS\SYSTEM32\bcbeg.ini2
C:\WINDOWS\SYSTEM32\dnjqmxql.ini
C:\WINDOWS\SYSTEM32\dwlfxmhd.ini
C:\WINDOWS\SYSTEM32\eooajqlj.ini
C:\WINDOWS\system32\gebcb.dll
C:\WINDOWS\SYSTEM32\giroladm.ini
C:\WINDOWS\system32\hfsrseww.dll
C:\WINDOWS\system32\hfsrseww.dll . . . . failed to delete
C:\WINDOWS\system32\hfsrseww.dllbox
C:\WINDOWS\SYSTEM32\kqovxjib.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\SYSTEM32\mxsorqvd.ini
C:\WINDOWS\SYSTEM32\oiaulcvo.ini
C:\WINDOWS\SYSTEM32\qhymnslr.ini
C:\WINDOWS\system32\qwerty12.exe
C:\WINDOWS\SYSTEM32\qwxfrmvt.ini
C:\WINDOWS\SYSTEM32\ratohcqp.ini
C:\WINDOWS\SYSTEM32\sklrijvb.ini
C:\WINDOWS\system32\ssqpomm.dll
C:\WINDOWS\system32\tmp3.tmp.dll
C:\WINDOWS\system32\tmp8A.tmp.dll
C:\WINDOWS\system32\tmpF.tmp.dll
C:\WINDOWS\system32\windows
C:\WINDOWS\SYSTEM32\xrwiwnar.ini

----- BITS: Possible infected sites -----

hxxp://nxpagent.airtelbroadband.in
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2008-01-14 to 2008-02-14 )))))))))))))))))))))))))))))))
.

2008-02-14 23:10 . 2008-02-14 23:10 <DIR> d-------- C:\VundoFix Backups
2008-02-14 23:09 . 2004-02-23 01:00 1,386,496 --a------ C:\WINDOWS\SYSTEM32\MSVBVM60.DLL
2008-02-14 23:09 . 2004-02-23 01:00 1,386,496 --a------ C:\WINDOWS\SYSTEM\MSVBVM60.DLL
2008-02-12 04:57 . 2008-02-12 04:57 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-12 04:57 . 2008-02-12 04:57 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-12 02:58 . 2008-02-12 02:58 <DIR> d-------- C:\Macromedia
2008-02-05 17:37 . 2008-02-05 17:38 90,688 --a------ C:\WINDOWS\SYSTEM32\lqxmqjnd.dll
2008-02-03 02:06 . 2008-02-03 02:11 51,072 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikhlayer.sys
2008-02-03 02:06 . 2008-02-03 02:11 30,592 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ikhfile.sys
2008-02-03 02:05 . 2008-02-03 02:05 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-02-03 02:05 . 2008-02-03 02:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-02-02 17:50 . 2008-02-02 17:50 <DIR> d-------- C:\Program Files\Webteh
2008-02-02 17:50 . 2008-02-02 17:50 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\BSplayer PRO
2008-02-02 01:57 . 2008-02-15 00:40 163,904 --------- C:\WINDOWS\SYSTEM32\hfsrseww.dll
2008-01-23 01:34 . 2007-08-27 10:53 107,864 --a------ C:\WINDOWS\SYSTEM32\tsccvid.dll
2008-01-23 01:32 . 2008-01-23 01:32 <DIR> d-------- C:\WINDOWS\SYSTEM32\QuickTime
2008-01-23 01:27 . 2008-02-11 00:42 664 --a------ C:\WINDOWS\SYSTEM32\d3d9caps.dat
2008-01-23 01:22 . 2008-01-23 01:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TechSmith
2008-01-23 01:21 . 2008-01-23 01:21 <DIR> d-------- C:\Program Files\TechSmith
2008-01-23 01:21 . 2008-01-23 01:21 <DIR> d-------- C:\Program Files\Common Files\TechSmith Shared
2008-01-22 22:13 . 2008-02-02 01:47 158 --ah----- C:\WINDOWS\SYSTEM32\aaaamsg.dns
2008-01-14 02:27 . 2008-01-14 02:27 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Tunebite
2008-01-14 02:27 . 2007-12-11 09:52 26,784 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tbhsd.sys
2008-01-14 02:26 . 2008-01-14 02:26 <DIR> d-------- C:\Program Files\RapidSolution
2008-01-14 02:26 . 2008-01-14 02:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RapidSolution
2008-01-14 01:47 . 2008-01-14 01:47 <DIR> d-------- C:\Program Files\DAP
2008-01-14 01:47 . 2008-01-14 01:47 479,298 --a------ C:\WINDOWS\SYSTEM32\wbocx.ocx
2008-01-14 01:47 . 2008-01-14 01:47 172,032 --a------ C:\WINDOWS\SYSTEM32\AniGIF.ocx
2008-01-14 01:47 . 2008-01-14 01:47 50,688 --a------ C:\WINDOWS\SYSTEM32\wbhelp2.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-02-18 18:55 --------- d-----w C:\Program Files\Rapidown
2008-01-11 21:06 3,012 ----a-w C:\drmHeader.bin
2008-01-08 22:17 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-01-08 21:53 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Moyea
2008-01-08 21:34 710,106 ----a-w C:\Program Files\FLV PlayerFCSetup.exe
2008-01-08 21:34 4,109,784 ----a-w C:\Program Files\FLV PlayerRCATSetup.exe
2008-01-08 21:34 --------- d-----w C:\Program Files\Replay Media Catcher
2008-01-08 21:32 589,278 ----a-w C:\Program Files\FLV PlayerRCSetup.exe
2008-01-08 21:32 --------- d-----w C:\Documents and Settings\Administrator\Application Data\GetRightToGo
2008-01-06 22:22 --------- d-----w C:\Program Files\FLV Player
2007-12-24 08:19 7,680 ----a-w C:\WINDOWS\SYSTEM32\ff_vfw.dll
2007-11-21 07:21 74,536 ----a-w C:\WINDOWS\ddaxut.dll
2007-04-17 15:28 21,392 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-04-05 17:11 460,258 ----a-w C:\Documents and Settings\Administrator\ie.exe
2003-09-19 20:13 9,216 --sha-w C:\Program Files\Common Files\Thumbs.db
2003-09-19 20:12 11,264 --sha-w C:\Program Files\Thumbs.db
2002-10-30 02:52 15,592 ----a-w C:\Program Files\owcstp16.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3a85d0ab-4d6a-44e4-b08d-2396505ac32e}]
C:\WINDOWS\system32\amiysevt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2008-02-15 00:40 163904 --------- C:\WINDOWS\system32\hfsrseww.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BF5D97AB-F825-4DFA-A911-B973A0121D7E}]
C:\WINDOWS\system32\pmkjh.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 21:49 4842970]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-02-10 10:55 341470]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-02-10 10:51 304598]
"nxpclient"="C:\Program Files\Airtel\NetXpert Agent\bin\sprtcmd.exe" [2007-01-11 12:19 370130]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24 464348]
"WinRemote"="C:\Program Files\InterVideo\WinDVR\WinRemote.exe" [2003-08-10 23:02 292314]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-08-26 00:20 366046]
"WINSCHEDULER"="C:\PROGRA~1\INTERV~1\WinDVR\WINSCH~1.EXE" [2003-08-10 22:54 316896]
"DownloadAccelerator"="C:\Program Files\DAP\DAP.exe" [2006-08-03 12:42 3042268]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2006-04-06 23:22 2565082]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-08-13 02:26:16 291290]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 263642]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-10-19 00:24:01 292316]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"status"= present

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hfsrseww]
hfsrseww.dll 2008-02-15 00:40 163904 C:\WINDOWS\SYSTEM32\hfsrseww.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\070756f0]
C:\WINDOWS\system32\lodkwtss.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-04-04 03:59 345560 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
--a------ 2006-08-03 12:42 3042268 C:\Program Files\DAP\DAP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Codec Update Service]
--a------ 2007-04-08 22:14 480730 C:\Program Files\Essentials Codec Pack\update.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 341464 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2005-01-12 03:01 210394 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-08-26 00:20 366046 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tunebite]
C:\Program Files\RapidSolution\Tunebite\Tunebite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 21:49 4842970 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)

R2 Cap7134;TV Capture Card WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys [2003-07-22 14:09]
R2 LicCtrlService;LicCtrl Service;C:\WINDOWS\runservice.exe [2007-02-07 21:06]
R3 PhTVTune;TV Capture Card WDM TV Tuner;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2003-07-22 14:09]
S3 UTS2pl;BenQ Serial port driver;C:\WINDOWS\system32\DRIVERS\UTS2pl.sys [2004-08-05 11:34]
S4 Urmklms2u;Urmklms2u;C:\WINDOWS\system32\eventtriggers.exe [2004-08-04 12:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{087bd542-8c6d-11db-a8de-00179a78a80b}]
\Shell\Auto\command - J:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-14 18:30:02 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\0A1StjeR.exe
"2008-02-13 19:30:48 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\0A1StjeR.exe
"2008-02-13 20:30:02 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\0A1StjeR.exe
"2008-02-13 21:30:02 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\0A1StjeR.exe
"2008-02-11 22:30:02 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\0A1StjeR.exe
"2008-02-11 23:30:02 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\0A1StjeR.exe
"2008-02-12 00:30:02 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\0A1StjeR.exe
"2008-02-12 01:30:02 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\0A1StjeR.exe
"2008-02-12 02:30:02 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\0A1StjeR.exe
"2008-02-12 03:30:02 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\0A1StjeR.exe
"2008-02-12 04:30:02 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\0A1StjeR.exe
"2008-02-14 05:30:02 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\0A1StjeR.exe
"2008-02-14 06:30:02 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\0A1StjeR.exe
"2008-02-12 07:30:02 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\0A1StjeR.exe
"2008-02-09 08:30:02 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\0A1StjeR.exe
"2008-02-10 09:30:02 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\0A1StjeR.exe
"2008-02-10 10:30:02 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\0A1StjeR.exe
"2008-02-10 11:30:02 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\0A1StjeR.exe
"2008-02-10 12:30:02 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\0A1StjeR.exe
"2008-02-10 13:30:02 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\0A1StjeR.exe
"2008-02-10 14:30:02 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\0A1StjeR.exe
"2008-02-10 15:30:02 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\0A1StjeR.exe
"2008-02-13 16:30:02 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\0A1StjeR.exe
"2008-02-13 17:30:02 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\0A1StjeR.exe
"2008-01-11 06:34:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-15 00:43:48
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\hfsrseww.dll

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.2180]
-> C:\WINDOWS\system32\hfsrseww.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dckA.tmp
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Spyware Doctor\sdhelp.exe
.
**************************************************************************
.
Completion time: 2008-02-15 0:45:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-14 19:15:38


===============================================================================

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:59:38 AM, on 2/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Airtel\NetXpert Agent\bin\sprtcmd.exe
C:\Program Files\InterVideo\WinDVR\WinRemote.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\INTERV~1\WinDVR\WINSCH~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {e23ca505-6932-d80b-4e44-a6d4ba0d58a3} - {3a85d0ab-4d6a-44e4-b08d-2396505ac32e} - C:\WINDOWS\system32\amiysevt.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\hfsrseww.dll
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll (file missing)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {BF5D97AB-F825-4DFA-A911-B973A0121D7E} - C:\WINDOWS\system32\pmkjh.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [nxpclient] C:\Program Files\Airtel\NetXpert Agent\bin\sprtcmd.exe /P nxpclient
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [WinRemote] "C:\Program Files\InterVideo\WinDVR\WinRemote.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WINSCHEDULER] C:\PROGRA~1\INTERV~1\WinDVR\WINSCH~1.EXE
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKLM\..\Policies\Explorer\Run: [status] present
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{69388D3B-0BF1-4956-BCAD-F0FD4E83117C}: NameServer = 203.145.184.32,203.145.184.13,203.145.184.42,203.145.184.47,202.56.250.5,202.56.230.5
O20 - Winlogon Notify: hfsrseww - C:\WINDOWS\SYSTEM32\hfsrseww.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

--
End of file - 6073 bytes

===============================================================================

Pls. guide me on how to go about it.


#2 dudesy
  • Topic Starter

  • Members
  • 2 posts

Posted 15 February 2008 - 01:09 PM

Pls. help

#3 Yourhighness

    The BSG Malware Fighter

  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 24 February 2008 - 02:50 PM

Hello dudesy and welcome to BleepingComputer!

Apologies for the delay. The forum has been very busy lately. Running ComboFix without guided help is not suggested, as you can seriously harm your PC if you use this tool incorrectly. Bumping your topic is considered rude and actually works against you, as you are falling "off the ladder" within our tools and measures to keep track of open logs.

If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic: Preparation Guide For Use Before Posting A Hijackthis Log.

Thanks,

Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -