SDFix: Version 1.116 Run by Administrator on Fri 04/25/2008 at 12:41 PM Microsoft Windows XP [Version 5.1.2600] Running From: C:\SDFix Safe Mode: Checking Services: Infected beep.sys Found! beep.sys File Locations: "C:\WINDOWS\system32\dllcache\beep.sys" 35328 04/24/2008 07:54 PM "C:\WINDOWS\system32\drivers\beep.sys" 35328 04/24/2008 07:54 PM Infected File Listed Below: C:\WINDOWS\system32\dllcache\beep.sys C:\WINDOWS\system32\drivers\beep.sys Trojan File copied to Backups Folder Attempting to replace beep.sys with original version... Original beep.sys Restored Restoring Windows Registry Values Restoring Windows Default Hosts File Rebooting... Normal Mode: Checking Files: No Trojan Files Found Removing Temp Files... ADS Check: C:\WINDOWS No streams found. C:\WINDOWS\system32 No streams found. C:\WINDOWS\system32\svchost.exe No streams found. C:\WINDOWS\system32\ntoskrnl.exe No streams found. Final Check: catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-04-25 12:48:36 Windows 5.1.2600 Service Pack 1 NTFS scanning hidden processes ... scanning hidden services & system hive ... [HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties] "DeviceType"=dword:00000002 "DeviceCharacteristics"=dword:00000100 [HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties] "DeviceType"=dword:00000007 "DeviceCharacteristics"=dword:00000100 [HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties] "DeviceType"=dword:00000023 "DeviceCharacteristics"=dword:00000100 [HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties] "DeviceType"=dword:00000004 "DeviceCharacteristics"=dword:00000100 [HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties] "DeviceType"=dword:00000004 "DeviceCharacteristics"=dword:00000100 [HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties] "DeviceType"=dword:00000004 "DeviceCharacteristics"=dword:00000100 [HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties] "DeviceType"=dword:00000007 "DeviceCharacteristics"=dword:00000100 [HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Services\MRxDAV\EncryptedDirectories] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties] "DeviceType"=dword:00000002 "DeviceCharacteristics"=dword:00000100 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties] "DeviceType"=dword:00000007 "DeviceCharacteristics"=dword:00000100 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties] "DeviceType"=dword:00000023 "DeviceCharacteristics"=dword:00000100 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties] "DeviceType"=dword:00000004 "DeviceCharacteristics"=dword:00000100 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties] "DeviceType"=dword:00000004 "DeviceCharacteristics"=dword:00000100 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties] "DeviceType"=dword:00000004 "DeviceCharacteristics"=dword:00000100 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties] "DeviceType"=dword:00000007 "DeviceCharacteristics"=dword:00000100 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3550p] "ErrorControl"=dword:00000000 "Start"=dword:00000002 "Group"="SCSI miniport" "Tag"=dword:0000002a "Type"=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxDAV\EncryptedDirectories] @="" scanning hidden registry entries ... [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "DeviceNotSelectedTimeout"="15" "GDIProcessHandleQuota"=dword:00002710 "Spooler"="yes" "swapdisk"="" "TransmissionRetryTimeout"="90" "USERProcessHandleQuota"=dword:00002710 "Appinit_dlls"="cru629.dat" scanning hidden files ... C:\WINDOWS\Prefetch\PCHealth\UploadLB C:\WINDOWS\Prefetch\PCHealth\UploadLB\Binaries C:\WINDOWS\Prefetch\PCHealth\UploadLB\Binaries\UploadM.exe 138752 bytes executable C:\WINDOWS\Prefetch\PCHealth\UploadLB\Config C:\WINDOWS\Prefetch\PCHealth\UploadLB\Config\config.xml 466 bytes scan completed successfully hidden processes: 0 hidden services: 1 hidden files: 5 Remaining Services: ------------------ Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] Remaining Files: --------------- File Backups: - C:\SDFix\backups\backups.zip Files with Hidden Attributes: Tue 22 Apr 2008 196 A.SHR --- "C:\BOOT.BAK" Wed 30 Aug 2006 36,685 ...H. --- "C:\Program Files\eFax Messenger Plus 3.3\J2GPlus.exe-BarStateC" Wed 29 Mar 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak" Wed 4 Aug 2004 11,776 ..SH. --- "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMComReg.exe" Sun 26 Aug 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp" Sat 7 Feb 2004 5,294,080 A..H. --- "C:\hp\patches\42WW1REC\src\App00153.exe" Sat 7 Feb 2004 452,096 A..H. --- "C:\hp\patches\42WW1REC\src\App00292.exe" Sat 7 Feb 2004 444,416 A..H. --- "C:\hp\patches\42WW1REC\src\App00491.exe" Sat 7 Feb 2004 1,838,592 A..H. --- "C:\hp\patches\42WW1REC\src\App02995.exe" Sat 7 Feb 2004 492,544 A..H. --- "C:\hp\patches\42WW1REC\src\App04827.exe" Sat 7 Feb 2004 1,401,856 A..H. --- "C:\hp\patches\42WW1REC\src\App05447.exe" Sat 7 Feb 2004 440,320 A..H. --- "C:\hp\patches\42WW1REC\src\App05705.exe" Sat 7 Feb 2004 462,848 A..H. --- "C:\hp\patches\42WW1REC\src\App09961.exe" Sat 7 Feb 2004 15,596,032 A..H. --- "C:\hp\patches\42WW1REC\src\App14604.exe" Sat 7 Feb 2004 5,256,704 A..H. --- "C:\hp\patches\42WW1REC\src\App16827.exe" Sat 7 Feb 2004 3,668,992 A..H. --- "C:\hp\patches\42WW1REC\src\App17421.exe" Tue 10 Feb 2004 696,832 A..H. --- "C:\hp\patches\42WW1REC\src\App18716.exe" Sat 7 Feb 2004 423,936 A..H. --- "C:\hp\patches\42WW1REC\src\App19169.exe" Sat 7 Feb 2004 1,157,632 A..H. --- "C:\hp\patches\42WW1REC\src\App19718.exe" Tue 10 Feb 2004 995,328 A..H. --- "C:\hp\patches\42WW1REC\src\App19895.exe" Sat 7 Feb 2004 453,632 A..H. --- "C:\hp\patches\42WW1REC\src\App23281.exe" Sat 7 Feb 2004 453,632 A..H. --- "C:\hp\patches\42WW1REC\src\App24464.exe" Sat 7 Feb 2004 2,251,776 A..H. --- "C:\hp\patches\42WW1REC\src\App26962.exe" Sat 7 Feb 2004 481,792 A..H. --- "C:\hp\patches\42WW1REC\src\App29358.exe" Sat 7 Feb 2004 12,426,752 A..H. --- "C:\hp\patches\42WW1REC\src\App32391.exe" Sat 7 Feb 2004 12,426,752 A..H. --- "C:\hp\patches\42WW1REC\src\App99990.exe" Sat 7 Feb 2004 15,596,032 A..H. --- "C:\hp\patches\42WW1REC\src\App99992.exe" Sat 7 Feb 2004 5,256,704 A..H. --- "C:\hp\patches\42WW1REC\src\App99993.exe" Sat 7 Feb 2004 5,256,704 A..H. --- "C:\hp\patches\42WW1REC\src\xApp14604.exe" Sun 26 Aug 2007 20 A..H. --- "C:\Documents and Settings\Default User\Application Data\Real\rhapsody\wmlicbackup\drmv1lic.bak" Sun 26 Aug 2007 20 A..H. --- "C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\Real\rhapsody\wmlicbackup\drmv1lic.bak" Sun 26 Aug 2007 20 A..H. --- "C:\WINDOWS\system32\config\systemprofile\Application Data\Real\rhapsody\wmlicbackup\drmv1lic.bak" Finished!