
Hjt Log - Please Read!


4 replies to this topic

#1 Django360

Posted 05 November 2007 - 10:37 AM

OK, well, I am using Windows XP Home Edition.
Every time I try to do something a message pops up saying 'You cannot do this due to restriction rules in effect. Please contact your system administrator' or something.
I cannot:
1. open my Control Panel
2. edit my computer information, for example: owner, logins, etc.

I REALLY NEED THIS DONE ASAP BECAUSE THIS IS THE COMPUTER MY WORK FILES ARE SAVED ON!

here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:18:45 AM, on 05/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\proper.exe
C:\WINDOWS\msnlogm.exe
C:\WINDOWS\msnlogs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\RegistrySmart\RegistrySmart.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\proper.exe
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - (no file)
O4 - HKLM\..\Run: [msnsyslog] C:\WINDOWS\msnlogm.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [Undefined] C:\WINDOWS\system32\winter.exe
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\AVSystemCare\bm.exe" dm=http://avsystemcare.com; ad=http://avsystemcare.com
O4 - HKLM\..\Run: [RegistrySmart] C:\Program Files\RegistrySmart\RegistrySmart.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [Undefined] C:\WINDOWS\system32\winter.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: infos.exe
O4 - Global Startup: autos.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...tup1.0.0.15.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O20 - AppInit_DLLs: C:\WINDOWS\system32\skuns.dat
O23 - Service: AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dsiav.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Temporary\proky.html

--
End of file - 3611 bytes
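An added example, not the forum's or Trend Micro's code: a small Python triage script that reads HijackThis v2 entries like the ones in the log above and flags the lines a responder would act on first, including the O7 policy entries behind the 'restrictions in effect' message. The sample input is constructed from lines of the posted log; the policy-name set and the severity labels are my own assumptions.

```python
"""Triage a HijackThis (HJT) v2 log for lockout policies and persistence.

Added example; not the forum's or Trend Micro's code.  The sample lines are
constructed from entries in the posted log so the script runs offline.
"""
import re
from dataclasses import dataclass

# Constructed sample input: a subset of the posted HJT log, one entry per line.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\proper.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\WINDOWS\system32\skuns.dat
O23 - Service: AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dsiav.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
"""

# HJT entry shape: "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] cmd"
HJT_ENTRY = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.+)$")
SHELL_RE = re.compile(r"^REG:system\.ini: Shell=(?P<value>.+)$")
POLICY_RE = re.compile(r"^(?P<hive>HK\w+)\\.*\\Policies\\(?P<key>\w+), (?P<name>\w+)=(?P<value>\S+)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Assumed set of policy values that produce "restrictions in effect" lockouts.
LOCKOUT_POLICIES = {"DisableRegedit", "DisableTaskMgr", "NoControlPanel", "NoRun"}


@dataclass
class Finding:
    section: str
    severity: str
    reason: str
    line: str


def check_entry(sec, body, line):
    """Return a Finding for one parsed HJT entry, or None if it looks benign."""
    if sec == "F2":
        m = SHELL_RE.match(body)
        # The legitimate winlogon Shell value is exactly "Explorer.exe"; any
        # extra token is started together with the desktop at every logon.
        if m and m.group("value").strip().lower() != "explorer.exe":
            return Finding(sec, "high", "extra program in winlogon Shell: " + m.group("value"), line)
    elif sec == "O7":
        m = POLICY_RE.match(body)
        if m and m.group("name") in LOCKOUT_POLICIES and m.group("value") != "0":
            return Finding(sec, "medium",
                           f"{m.group('hive')} policy {m.group('name')}={m.group('value')} "
                           "(explains 'restrictions in effect')", line)
    elif sec == "O4":
        m = RUN_RE.match(body)
        if m and m.group("key") == "RunServices":
            # Legacy Windows 9x-era key; rarely used legitimately on XP.
            target = m.group("cmd").strip().strip('"')
            note = "legacy RunServices key"
            if "\\" not in target.split()[0]:
                note += ", bare filename resolved via the search path"
            return Finding(sec, "medium", note + ": " + target, line)
    elif sec == "O20":
        value = body.partition("AppInit_DLLs:")[2].strip()
        if value:
            # AppInit_DLLs is loaded into every user-mode process that links
            # user32.dll; a non-.dll extension is an extra red flag.
            sev = "medium" if value.lower().endswith(".dll") else "high"
            return Finding(sec, sev, "AppInit_DLLs entry loads into every process: " + value, line)
    elif sec == "O23":
        m = SERVICE_RE.match(body)
        if m and m.group("owner") == "Unknown owner":
            return Finding(sec, "medium", "service without a vendor: " + m.group("path"), line)
    return None


def triage(log_text):
    """Parse every HJT entry in the log and collect the findings in file order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_ENTRY.match(line)
        if not m:
            continue  # header, process list and blank lines carry no entry
        f = check_entry(m.group("sec"), m.group("body"), line)
        if f:
            findings.append(f)
    return findings


def lockout_policies(findings):
    """The O7 findings are the registry policies behind the user's symptom."""
    return [f for f in findings if f.section == "O7"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:<6}] {f.section}: {f.reason}")
```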


#2 teacup61, Malware Response Team

Posted 05 November 2007 - 01:29 PM

Hello Django360,

Welcome to Bleeping Computer :thumbsup:

Download SDFix and save it to your Desktop.

Double-click SDFix.exe and it will extract the files to %systemdrive%
(the drive that contains the Windows directory, typically C:\SDFix).

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double-click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.

1. Download this file - combofix.exe
2. Double-click combofix.exe and follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

You need to get an antivirus ASAP. AVG, Avira, or Avast are good FREE antivirus programs.

Thanks,
tea

Edited by teacup61, 05 November 2007 - 01:30 PM.

Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 Django360 (Topic Starter)

Posted 05 November 2007 - 08:59 PM

OMG, THANKS A TON!

lol, the SDFix report:
SDFix: Version 1.113

Run by Deshawn on 05/11/2007 at 08:34 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
core

ImagePath:
system32\drivers\core.sys

core - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing Security Center Service
Restoring Missing SharedAccess Service

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\1A.TMP - Deleted
C:\22.TMP - Deleted
C:\24.TMP - Deleted
C:\29.TMP - Deleted
C:\2C.TMP - Deleted
C:\30.TMP - Deleted
C:\31.TMP - Deleted
C:\35.TMP - Deleted
C:\39.TMP - Deleted
C:\3C.TMP - Deleted
C:\3E.TMP - Deleted
C:\40.TMP - Deleted
C:\46.TMP - Deleted
C:\47.TMP - Deleted
C:\4A.TMP - Deleted
C:\4D.TMP - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp10.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp105.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp109.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp10A.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp11.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp12.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp13.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp14.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp15.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp16.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp17.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp18.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp19.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp1A.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp1B.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp1C.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp1D.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp1E.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp1F.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp2.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp20.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp21.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp22.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp23.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp24.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp25.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp26.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp26E.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp27.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp28.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp29.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp2B.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp2C.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp2D.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp2F.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp3.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp33.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp34.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp36.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp37.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp38.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp3B.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp3D.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp4.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp44.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp45.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp46.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp47.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp48.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp49.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp4A.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp4B.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp4C.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp4F.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp5.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp54.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp57.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp5B.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp5F.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp6.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp61.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp6C.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp6D.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp6E.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp7.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp78.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp7A.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp7B.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp7C.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp7D.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp7E.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp7F.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp8.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp80.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp81.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp83.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp86.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp87.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp88.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp8A.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp8B.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp8C.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp8D.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp8E.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp9.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp9E.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmp9F.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmpA.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmpA1.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmpAA.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmpAF.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmpB.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmpB0.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmpB1.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmpBA.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmpBD.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmpC.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmpC0.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmpC1.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmpC3.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmpC5.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmpC6.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmpC9.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmpCA.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmpCD.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmpCE.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmpCF.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmpD.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmpD0.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmpD8.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmpDD.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmpE.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmpEA.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmpEC.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmpF.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmpF4.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmpF6.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmpF8.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmpFB.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmpFC.tmp.exe - Deleted
C:\Documents and Settings\Deshawn\Application Data\tmpFD.tmp.exe - Deleted
C:\WINDOWS\system32\tmp10.tmp.dll - Deleted
C:\WINDOWS\system32\tmp10A.tmp.dll - Deleted
C:\WINDOWS\system32\tmp12.tmp.dll - Deleted
C:\WINDOWS\system32\tmp13.tmp.dll - Deleted
C:\WINDOWS\system32\tmp14.tmp.dll - Deleted
C:\WINDOWS\system32\tmp145.tmp.dll - Deleted
C:\WINDOWS\system32\tmp15.tmp.dll - Deleted
C:\WINDOWS\system32\tmp17.tmp.dll - Deleted
C:\WINDOWS\system32\tmp1A.tmp.dll - Deleted
C:\WINDOWS\system32\tmp1B.tmp.dll - Deleted
C:\WINDOWS\system32\tmp1C.tmp.dll - Deleted
C:\WINDOWS\system32\tmp1E.tmp.dll - Deleted
C:\WINDOWS\system32\tmp20.tmp.dll - Deleted
C:\WINDOWS\system32\tmp21.tmp.dll - Deleted
C:\WINDOWS\system32\tmp22.tmp.dll - Deleted
C:\WINDOWS\system32\tmp25.tmp.dll - Deleted
C:\WINDOWS\system32\tmp26.tmp.dll - Deleted
C:\WINDOWS\system32\tmp2B.tmp.dll - Deleted
C:\WINDOWS\system32\tmp2D.tmp.dll - Deleted
C:\WINDOWS\system32\tmp36.tmp.dll - Deleted
C:\WINDOWS\system32\tmp37.tmp.dll - Deleted
C:\WINDOWS\system32\tmp4.tmp.dll - Deleted
C:\WINDOWS\system32\tmp40.tmp.dll - Deleted
C:\WINDOWS\system32\tmp42.tmp.dll - Deleted
C:\WINDOWS\system32\tmp45.tmp.dll - Deleted
C:\WINDOWS\system32\tmp4A.tmp.dll - Deleted
C:\WINDOWS\system32\tmp4B.tmp.dll - Deleted
C:\WINDOWS\system32\tmp4C.tmp.dll - Deleted
C:\WINDOWS\system32\tmp5.tmp.dll - Deleted
C:\WINDOWS\system32\tmp54.tmp.dll - Deleted
C:\WINDOWS\system32\tmp5B.tmp.dll - Deleted
C:\WINDOWS\system32\tmp6.tmp.dll - Deleted
C:\WINDOWS\system32\tmp6E.tmp.dll - Deleted
C:\WINDOWS\system32\tmp7.tmp.dll - Deleted
C:\WINDOWS\system32\tmp7A.tmp.dll - Deleted
C:\WINDOWS\system32\tmp7D.tmp.dll - Deleted
C:\WINDOWS\system32\tmp8.tmp.dll - Deleted
C:\WINDOWS\system32\tmp80.tmp.dll - Deleted
C:\WINDOWS\system32\tmp81.tmp.dll - Deleted
C:\WINDOWS\system32\tmp8B.tmp.dll - Deleted
C:\WINDOWS\system32\tmp8C.tmp.dll - Deleted
C:\WINDOWS\system32\tmp8E.tmp.dll - Deleted
C:\WINDOWS\system32\tmpA1.tmp.dll - Deleted
C:\WINDOWS\system32\tmpAA.tmp.dll - Deleted
C:\WINDOWS\system32\tmpAF.tmp.dll - Deleted
C:\WINDOWS\system32\tmpB.tmp.dll - Deleted
C:\WINDOWS\system32\tmpB1.tmp.dll - Deleted
C:\WINDOWS\system32\tmpC0.tmp.dll - Deleted
C:\WINDOWS\system32\tmpC1.tmp.dll - Deleted
C:\WINDOWS\system32\tmpC5.tmp.dll - Deleted
C:\WINDOWS\system32\tmpC6.tmp.dll - Deleted
C:\WINDOWS\system32\tmpCA.tmp.dll - Deleted
C:\WINDOWS\system32\tmpCD.tmp.dll - Deleted
C:\WINDOWS\system32\tmpD0.tmp.dll - Deleted
C:\WINDOWS\system32\tmpE.tmp.dll - Deleted
C:\WINDOWS\system32\tmpEC.tmp.dll - Deleted
C:\WINDOWS\system32\tmpF.tmp.dll - Deleted
C:\WINDOWS\system32\tmpF4.tmp.dll - Deleted
C:\WINDOWS\system32\tmpF8.tmp.dll - Deleted
C:\WINDOWS\system32\tmpFB.tmp.dll - Deleted
C:\WINDOWS\system32\tmpFD.tmp.dll - Deleted
C:\Program Files\Temporary\labu - Deleted
C:\Program Files\Temporary\proky.html - Deleted
C:\WINDOWS\b104.exe - Deleted
C:\WINDOWS\b122.exe - Deleted
C:\WINDOWS\b138.exe - Deleted
C:\WINDOWS\retadpu1000106.exe - Deleted
C:\WINDOWS\retadpu1000140.exe - Deleted
C:\WINDOWS\system32\atmtd.dll - Deleted
C:\WINDOWS\system32\atmtd.dll._ - Deleted
C:\WINDOWS\system32\clcl16.exe - Deleted
C:\WINDOWS\system32\cmd.com - Deleted
C:\WINDOWS\system32\drivers\core.cache.dsk - Deleted
C:\WINDOWS\system32\drivers\core.sys - Deleted
C:\WINDOWS\system32\drivers\mzqdd.exe - Deleted
C:\WINDOWS\system32\drv32dta\tmp.tmp - Deleted
C:\WINDOWS\system32\netstat.com - Deleted
C:\WINDOWS\system32\ping.com - Deleted
C:\WINDOWS\system32\regedit.com - Deleted
C:\WINDOWS\system32\taskkill.com - Deleted
C:\WINDOWS\system32\tasklist.com - Deleted
C:\WINDOWS\system32\tracert.com - Deleted
C:\WINDOWS\tsitra1000140.exe - Deleted
C:\WINDOWS\uninstall_nmon.vbs - Deleted
C:\WINDOWS\wr.txt - Deleted


Folder C:\Program Files\InetGet2 - Removed
Folder C:\Program Files\Network Monitor - Removed
Folder C:\Program Files\Temporary - Removed
Folder C:\Temp\fse - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1253 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-05 20:52:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Mon 6 Aug 2007 1,205,644 A.SH. --- "C:\WINDOWS\dfilmp.tmp"
Sat 1 Sep 2007 1,247,611 A.SH. --- "C:\WINDOWS\nppsru.tmp"
Sun 29 Jul 2007 1,248,357 A.SH. --- "C:\WINDOWS\twyxbc.tmp"
Tue 18 Sep 2007 203,149 A.SH. --- "C:\WINDOWS\winlo.exe"
Tue 18 Sep 2007 70,144 ..SHR --- "C:\Program Files\s?mbols\taskmgr.exe"
Wed 25 Jan 2006 56 A.SHR --- "C:\WINDOWS\SYSTEM32\84F63852D0.sys"
Sat 28 Jul 2007 1,315,524 A.SH. --- "C:\WINDOWS\SYSTEM32\accdd.tmp"
Fri 21 Sep 2007 50,688 ..SH. --- "C:\WINDOWS\SYSTEM32\al.exe"
Sun 4 Nov 2007 10,267 ..SH. --- "C:\WINDOWS\SYSTEM32\dcbeg.bak2"
Sun 12 Jun 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 6 Sep 2007 230,912 ..SHR --- "C:\Program Files\Common Files\A?pPatch\r?ndll.exe"
Thu 16 Aug 2007 8 A..H. --- "C:\Documents and Settings\Deshawn\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Thu 16 Aug 2007 8 A..H. --- "C:\Documents and Settings\Deshawn\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Thu 16 Aug 2007 8 A..H. --- "C:\Documents and Settings\Deshawn\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Thu 16 Aug 2007 8 A..H. --- "C:\Documents and Settings\Deshawn\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"

Finished!

The HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:03:34 PM, on 05/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\msnlogm.exe
C:\WINDOWS\system32\winter.exe
C:\WINDOWS\msnlogs.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\proper.exe
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - (no file)
O4 - HKLM\..\Run: [msnsyslog] C:\WINDOWS\msnlogm.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [Undefined] C:\WINDOWS\system32\winter.exe
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\AVSystemCare\bm.exe" dm=http://avsystemcare.com; ad=http://avsystemcare.com
O4 - HKLM\..\Run: [RegistrySmart] C:\Program Files\RegistrySmart\RegistrySmart.exe
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKCU\..\Run: [Undefined] C:\WINDOWS\system32\winter.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: infos.exe
O4 - Global Startup: autos.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...tup1.0.0.15.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O20 - AppInit_DLLs: C:\WINDOWS\system32\skuns.dat
O23 - Service: AFSEGTGF Windows Service - Unknown owner - C:\WINDOWS\system32\dsiav.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Temporary\proky.html

--
End of file - 4263 bytes

#4 teacup61, Malware Response Team

Posted 06 November 2007 - 08:29 AM

Good morning :thumbsup:

I need the ComboFix report, and for you to get that antivirus installed. :blink:

Thanks!
tea

#5 teacup61, Malware Response Team

Posted 17 November 2007 - 01:33 PM

Due to the lack of feedback, this topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else, please begin a new topic.



