SDFix: Version 1.123

Run by Administrator on Fri 01/04/2008 at 09:42 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value

Rebooting...

Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\alxvdvm.dll - Deleted
C:\WINDOWS\dat.txt - Deleted
C:\WINDOWS\domnftwost.dll - Deleted
C:\WINDOWS\fvkwdrt.exe - Deleted
C:\WINDOWS\search_res.txt - Deleted

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

catchme 0.3.1333.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-04 21:58:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Juno\\bin\\juno.exe"="C:\\Program Files\\Juno\\bin\\juno.exe:*:Enabled:Juno"
"C:\\Documents and Settings\\All Users\\Documents\\Juno\\bin\\juno.exe"="C:\\Documents and Settings\\All Users\\Documents\\Juno\\bin\\juno.exe:*:Enabled:Juno"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\My Games\\Wheel of Fortune\\Wheel of Fortune.exe"="C:\\My Games\\Wheel of Fortune\\Wheel of Fortune.exe:*:Disabled:Wheel of Fortune"
"C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"="C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"="C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Jukebox"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Wed 4 Aug 2004 93,184 A.SH. --- "C:\Program Files\Internet Explorer\iexplore.exe"
Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Wed 4 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\MSIMN.EXE"
Wed 4 May 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 8 Mar 2005 19,968 ...H. --- "C:\Documents and Settings\Carolyn\My Documents\~WRL1277.tmp"
Tue 8 Mar 2005 21,504 ...H. --- "C:\Documents and Settings\Carolyn\My Documents\~WRL2274.tmp"
Tue 8 Mar 2005 21,504 ...H. --- "C:\Documents and Settings\Carolyn\My Documents\~WRL2335.tmp"
Tue 8 Mar 2005 22,016 ...H. --- "C:\Documents and Settings\Carolyn\My Documents\~WRL2359.tmp"
Sun 23 Jul 2006 718,848 ...H. --- "C:\Documents and Settings\Patsy\My Documents\~WRL0087.tmp"
Mon 14 Mar 2005 299,008 A..H. --- "C:\Program Files\Canon\MP Navigator 2.2\Maint.exe"
Mon 28 Feb 2005 61,440 A..H. --- "C:\Program Files\Canon\MP Navigator 2.2\uinstrsc.dll"
Sat 20 Jan 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Tue 1 Jan 2008 0 A..H. --- "C:\Documents and Settings\Malerie\Local Settings\Temp\BIT100.tmp"
Fri 4 Jan 2008 0 A..H. --- "C:\Documents and Settings\Malerie\Local Settings\Temp\BIT101.tmp"
Tue 1 Jan 2008 0 A..H. --- "C:\Documents and Settings\Malerie\Local Settings\Temp\BIT102.tmp"

Tons of files like these. Then:

Fri 4 Jan 2008 0 A..H. --- "C:\Documents and Settings\Patsy\Local Settings\Temp\BITFFD.tmp"
Fri 4 Jan 2008 0 A..H. --- "C:\Documents and Settings\Patsy\Local Settings\Temp\BITFFE.tmp"
Fri 4 Jan 2008 0 A..H. --- "C:\Documents and Settings\Patsy\Local Settings\Temp\BITFFF.tmp"
Wed 2 Jan 2008 39,720 ...H. --- "C:\Documents and Settings\Patsy\Local Settings\Temp\Z@R3AD.tmp"
Tue 1 May 2007 87,919 ...H. --- "C:\Program Files\Road Runner\PhotoShow 5\data\Road Runner PhotoShow.exe"
Tue 29 Nov 2005 262,144 ...H. --- "C:\Program Files\Road Runner\Road Runner PhotoShow 4\data\DVDMPEG2Enc.dll"
Tue 29 Nov 2005 84,604 ...H. --- "C:\Program Files\Road Runner\Road Runner PhotoShow 4\data\movie_maker.exe"
Tue 29 Nov 2005 61,440 ...H. --- "C:\Program Files\Road Runner\Road Runner PhotoShow 4\data\NeASL.dll"
Thu 5 Jan 2006 95,892 ...H. --- "C:\Program Files\Road Runner\Road Runner PhotoShow 4\data\Road Runner PhotoShow Deluxe.exe"
Wed 4 May 2005 4,348 A..H. --- "C:\Documents and Settings\Patsy\My Documents\My Music\License Backup\drmv1key.bak"
Mon 1 Jan 2007 20 A..H. --- "C:\Documents and Settings\Patsy\My Documents\My Music\License Backup\drmv1lic.bak"
Sun 19 Jun 2005 488 A.SH. --- "C:\Documents and Settings\Patsy\My Documents\My Music\License Backup\drmv2key.bak"
Wed 17 Nov 2004 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Wed 17 Nov 2004 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"

Finished!