SDFix: Version 1.116
Run by Administrator on Sat 11/04/2006 at 02:43 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Trojan Files Found:

C:\115182~1 - Deleted
C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Local Settings\Temp\1.dllb - Deleted
C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Local Settings\Temp\2.dllb - Deleted
C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Local Settings\Temp\5.dllb - Deleted
C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Local Settings\Temp\6.dllb - Deleted
C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Local Settings\Temp\7.dllb - Deleted
C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Local Settings\Temp\v3xd1.g22me - Deleted
C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Local Settings\Temp\v4xd3.ga2me - Deleted
C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Local Settings\Temp\v4xd6.gam5e - Deleted
C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Local Settings\Temp\v5xd2.g3ame - Deleted
C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Local Settings\Temp\v5xd4.ga2me - Deleted
C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Local Settings\Temp\v6xdt4.game - Deleted
C:\WINDOWS\Temp\v3xd1.g22me - Deleted
C:\WINDOWS\Temp\v4xd3.ga2me - Deleted
C:\WINDOWS\Temp\v4xd6.gam5e - Deleted
C:\WINDOWS\Temp\v5xd2.g3ame - Deleted
C:\WINDOWS\Temp\v5xd4.ga2me - Deleted
C:\WINDOWS\Temp\v6xdt4.game - Deleted
C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Local Settings\Temp\vx1dt3.game - Deleted
C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Local Settings\Temp\vx3dt2.game - Deleted
C:\WINDOWS\Temp\vx1dt1.game - Deleted
C:\WINDOWS\Temp\vx1dt3.game - Deleted
C:\WINDOWS\Temp\vx3dt2.game - Deleted
C:\WINDOWS\system32\coco.exe.exe - Deleted
C:\WINDOWS\system32\sam.exe.exe - Deleted
C:\WINDOWS\system32\alg.exe.tmp - Deleted
C:\WINDOWS\Temp\v3xd1.g22me - Deleted
C:\WINDOWS\Temp\v4xd3.ga2me - Deleted
C:\WINDOWS\Temp\v4xd6.gam5e - Deleted
C:\WINDOWS\Temp\v5xd2.g3ame - Deleted
C:\WINDOWS\Temp\v5xd4.ga2me - Deleted
C:\WINDOWS\Temp\v6xdt4.game - Deleted
C:\WINDOWS\Temp\vx1dt1.game - Deleted
C:\WINDOWS\Temp\vx1dt3.game - Deleted
C:\WINDOWS\Temp\vx3dt2.game - Deleted
C:\d.exe - Deleted
C:\WINDOWS\17PHolmes27.exe - Deleted
C:\WINDOWS\iTunesMusic.exe - Deleted
C:\WINDOWS\rs.txt - Deleted
C:\WINDOWS\system32\kr_done1 - Deleted
C:\WINDOWS\system32\msvchost.exe - Deleted
C:\WINDOWS\system32\svcp.csv - Deleted
C:\WINDOWS\system32\vedxg4am1et2.exe - Deleted
C:\WINDOWS\system32\vedxg6ame4.exe - Deleted
C:\WINDOWS\system32\vedxga1me4t1.exe - Deleted
C:\WINDOWS\system32\vedxga3me2.exe - Deleted
C:\WINDOWS\system32\vedxga4m1et4.exe - Deleted
C:\WINDOWS\system32\vedxga4me1.exe - Deleted
C:\WINDOWS\system32\vedxga5me3.exe - Deleted
C:\WINDOWS\system32\vx.tll - Deleted
C:\WINDOWS\system32\wind32.exe - Deleted
C:\WINDOWS\system32\winsub.xml - Deleted
C:\WINDOWS\taskmon.exe - Deleted
C:\WINDOWS\Temp\removalfile.bat - Deleted
C:\WINDOWS\Temp\winlogan.exe - Deleted
C:\WINDOWS\system32\drivers\asc3550p.sys - Deleted
C:\WINDOWS\system32\ntos.exe - Deleted
C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted
C:\WINDOWS\system32\wsnpoem\video.dll - Deleted

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2006-11-04 14:57:55
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rjnl48]
"Type"=dword:00000001
"Tag"=dword:00000001
"Group"="System Reserved\0Boot Bus Extender\0System Bus Extender\0SCSI miniport\0Port\0Primary Disk\0SCSI Class\0SCSI CDROM Class\0FSFilter Infrastructure\0FSFilter System\0FSFilter Bottom\0FSFilter Copy Protection\0FSFilter Security Enhancer\0FSFilter Open File\0FSFilter Physical Quota Management\0FSFilter Encryption\0FSFilter Compression\0FSFilter HSM\0FSFilter Cluster File System\0FSFilter System Recovery\0FSFilter Quota Management\0FSFilter Content Screener\0FSFilter Continuous Backup\0FSFilter Replication\0FSFilter Anti-Virus\0FSFilter Undelete\0FSFilter Activity Monitor\0FSFilter Top\0Filter\0Boot File System\0Base\0Pointer Port\0Keyboard Port\0Pointer Class\0Keyboard Class\0Video Init\0Video\0Video Save\0File System\0Event Log\0Streams Drivers\0NDIS Wrapper\0COM Infrastructure\0UIGroup\0LocalValidation\0PlugPlay\0PNP_TDI\0NDIS\0TDI\0Symantec Core Services\0Symantec Services\0NetBIOSGroup\0ShellSvcGroup\0SchedulerGroup\0SpoolerGroup\0AudioGroup\0NetworkProvider\0RemoteValidation\0NetDDEGroup\0Parallel arbitrator\0Extended Base\0PCI Configuration\0MS Transactions\0"
"ErrorControl"=dword:00000001
"Start"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ydhqzop]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"\??\C:\WINDOWS\ydhqzop.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ydhqzop\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..

[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000002
"DeviceCharacteristics"=dword:00000100

[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000007
"DeviceCharacteristics"=dword:00000100

[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000023
"DeviceCharacteristics"=dword:00000100

[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100

[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100

[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100

[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000007
"DeviceCharacteristics"=dword:00000100

[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Services\MRxDAV\EncryptedDirectories]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Services\rjnl48]
"Type"=dword:00000001
"Tag"=dword:00000001
"Group"="System Reserved\0Boot Bus Extender\0System Bus Extender\0SCSI miniport\0Port\0Primary Disk\0SCSI Class\0SCSI CDROM Class\0FSFilter Infrastructure\0FSFilter System\0FSFilter Bottom\0FSFilter Copy Protection\0FSFilter Security Enhancer\0FSFilter Open File\0FSFilter Physical Quota Management\0FSFilter Encryption\0FSFilter Compression\0FSFilter HSM\0FSFilter Cluster File System\0FSFilter System Recovery\0FSFilter Quota Management\0FSFilter Content Screener\0FSFilter Continuous Backup\0FSFilter Replication\0FSFilter Anti-Virus\0FSFilter Undelete\0FSFilter Activity Monitor\0FSFilter Top\0Filter\0Boot File System\0Base\0Pointer Port\0Keyboard Port\0Pointer Class\0Keyboard Class\0Video Init\0Video\0Video Save\0File System\0Event Log\0Streams Drivers\0NDIS Wrapper\0COM Infrastructure\0UIGroup\0LocalValidation\0PlugPlay\0PNP_TDI\0NDIS\0TDI\0Symantec Core Services\0Symantec Services\0NetBIOSGroup\0ShellSvcGroup\0SchedulerGroup\0SpoolerGroup\0AudioGroup\0NetworkProvider\0RemoteValidation\0NetDDEGroup\0Parallel arbitrator\0Extended Base\0PCI Configuration\0MS Transactions\0"
"ErrorControl"=dword:00000001
"Start"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Services\ydhqzop]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"\??\C:\WINDOWS\ydhqzop.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Services\ydhqzop\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3550p]
"ErrorControl"=dword:00000000
"Start"=dword:00000002
"Group"="SCSI miniport"
"Tag"=dword:0000002a
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\oqtxde]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"\??\C:\WINDOWS\Help\oqtxde.chm"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\oqtxde\security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rjnl48]
"Type"=dword:00000001
"Tag"=dword:00000001
"Group"="System Reserved\0Boot Bus Extender\0System Bus Extender\0SCSI miniport\0Port\0Primary Disk\0SCSI Class\0SCSI CDROM Class\0FSFilter Infrastructure\0FSFilter System\0FSFilter Bottom\0FSFilter Copy Protection\0FSFilter Security Enhancer\0FSFilter Open File\0FSFilter Physical Quota Management\0FSFilter Encryption\0FSFilter Compression\0FSFilter HSM\0FSFilter Cluster File System\0FSFilter System Recovery\0FSFilter Quota Management\0FSFilter Content Screener\0FSFilter Continuous Backup\0FSFilter Replication\0FSFilter Anti-Virus\0FSFilter Undelete\0FSFilter Activity Monitor\0FSFilter Top\0Filter\0Boot File System\0Base\0Pointer Port\0Keyboard Port\0Pointer Class\0Keyboard Class\0Video Init\0Video\0Video Save\0File System\0Event Log\0Streams Drivers\0NDIS Wrapper\0COM Infrastructure\0UIGroup\0LocalValidation\0PlugPlay\0PNP_TDI\0NDIS\0TDI\0Symantec Core Services\0Symantec Services\0NetBIOSGroup\0ShellSvcGroup\0SchedulerGroup\0SpoolerGroup\0AudioGroup\0NetworkProvider\0RemoteValidation\0NetDDEGroup\0Parallel arbitrator\0Extended Base\0PCI Configuration\0MS Transactions\0"
"ErrorControl"=dword:00000001
"Start"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ydhqzop]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"\??\C:\WINDOWS\ydhqzop.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ydhqzop\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..

scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\Prefetch\PCHealth\UploadLB
C:\WINDOWS\Prefetch\PCHealth\UploadLB\Binaries
C:\WINDOWS\Prefetch\PCHealth\UploadLB\Binaries\UploadM.exe 138752 bytes executable
C:\WINDOWS\Prefetch\PCHealth\UploadLB\Config
C:\WINDOWS\Prefetch\PCHealth\UploadLB\Config\config.xml 466 bytes
C:\WINDOWS\privacy_danger\images
C:\WINDOWS\privacy_danger\images\capt.gif 23870 bytes
C:\WINDOWS\privacy_danger\images\danger.jpg 45418 bytes
C:\WINDOWS\privacy_danger\images\down.gif 14916 bytes
C:\WINDOWS\privacy_danger\images\spacer.gif 43 bytes
C:\WINDOWS\privacy_danger\index.htm 1304 bytes
C:\WINDOWS\system32\drivers\Rjnl48.sys 167936 bytes executable
C:\WINDOWS\system32\drivers\grande48.sys 167936 bytes executable

scan completed successfully
hidden processes: 0
hidden services: 2
hidden files: 13

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]