[b]SDFix: Version 1.206 [/b]
Run by Austin on Sat 07/19/2008 at 15:27

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

[b]Checking Services [/b]:

[b]Name [/b]:
Google Online Services
ICF
{DEF85C80-216A-43ab-AF70-1665EDBE2780}

[b]Path [/b]:
C:\Documents and Settings\Austin\ie_updates3r.exe -A
C:\WINDOWS\system32\svchost.exe:exe.exe
\??\C:\WINDOWS\TEMP\13.tmp

Google Online Services - Deleted
ICF - Deleted
{DEF85C80-216A-43ab-AF70-1665EDBE2780} - Deleted

[b]Infected userinit.exe Found![/b]

userinit.exe File Locations:

"C:\WINDOWS\system32\userinit.exe" 32120 07/18/2008 02:33
"C:\WINDOWS\system32\dllcache\userinit.exe" 24576 08/04/2004 14:00

Infected File Listed Below:

C:\WINDOWS\system32\userinit.exe

File copied to Backups Folder
Attempting to replace userinit.exe with original version

Original userinit.exe Restored

"C:\WINDOWS\system32\userinit.exe" 24576 08/04/2004 14:00
"C:\WINDOWS\system32\dllcache\userinit.exe" 24576 08/04/2004 14:00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems]
Trojan File baseogn32.dll and startup entry Found!
baseogn32.dll will be removed after reboot if registry value is repaired

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Service asc3550p - Deleted
Service Xwsw71 - Deleted

Session Manager\SubSystems: Windows ServerDll value restored to basesrv

Key export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
"Windows"=%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

Removing C:\WINDOWS\system32\baseogn32.dll

[b]Checking Files [/b]:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\09IXV8.SYZ - Deleted
C:\WINDOWS\SYSTEM32\1H1LDK.SYZ - Deleted
C:\WINDOWS\SYSTEM32\1OZJLU.SYZ - Deleted
C:\WINDOWS\SYSTEM32\4UTFCA.SYZ - Deleted
C:\WINDOWS\SYSTEM32\ATWJST.SYZ - Deleted
C:\WINDOWS\SYSTEM32\GX6HEV.SYZ - Deleted
C:\WINDOWS\SYSTEM32\JRBKES.SYZ - Deleted
C:\WINDOWS\SYSTEM32\LQ5TQG.SYZ - Deleted
C:\WINDOWS\SYSTEM32\M5XEKB.SYZ - Deleted
C:\WINDOWS\SYSTEM32\MQF2IC.SYZ - Deleted
C:\WINDOWS\SYSTEM32\PXD0IS.SYZ - Deleted
C:\WINDOWS\SYSTEM32\Q7CZZY.SYZ - Deleted
C:\WINDOWS\SYSTEM32\DFLGH8~1.EXE - Deleted
C:\Documents and Settings\NetworkService\Application Data\Install.dat - Deleted
C:\Documents and Settings\All Users\Application Data\System Doctor Free\Data\Abbr - Deleted
C:\Documents and Settings\All Users\Application Data\System Doctor Free\Data\ActivationCode - Deleted
C:\Documents and Settings\All Users\Application Data\System Doctor Free\Data\HOURS - Deleted
C:\Documents and Settings\All Users\Application Data\System Doctor Free\Data\ProductCode - Deleted
C:\Deckard\System Scanner\20080719123939\backup\WINDOWS\temp\1.dflb - Deleted
C:\Deckard\System Scanner\20080719123939\backup\WINDOWS\temp\2.dflb - Deleted
C:\Deckard\System Scanner\20080719123939\backup\WINDOWS\temp\5.dflb - Deleted
C:\Deckard\System Scanner\20080719123939\backup\WINDOWS\temp\6.dflb - Deleted
C:\Deckard\System Scanner\20080719123939\backup\WINDOWS\temp\7.dflb - Deleted
C:\Documents and Settings\Austin\ie_updates3r.exe - Deleted
C:\Deckard\System Scanner\backup\WINDOWS\temp\v3xd1.g22me - Deleted
C:\Deckard\System Scanner\backup\WINDOWS\temp\v4xd3.ga2me - Deleted
C:\Deckard\System Scanner\backup\WINDOWS\temp\v4xd6.gam5e - Deleted
C:\Deckard\System Scanner\backup\WINDOWS\temp\v5xd2.g3ame - Deleted
C:\Deckard\System Scanner\backup\WINDOWS\temp\v5xd4.ga2me - Deleted
C:\Deckard\System Scanner\backup\WINDOWS\temp\v6xdt4.game - Deleted
C:\Deckard\System Scanner\backup\WINDOWS\temp\vx1dt1.game - Deleted
C:\Deckard\System Scanner\backup\WINDOWS\temp\vx1dt3.game - Deleted
C:\Deckard\System Scanner\backup\WINDOWS\temp\vx3dt2.game - Deleted
C:\WINDOWS\system32\back.exe.exe - Deleted
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Brave-Sentry\BraveSentry.lnk - Deleted
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Brave-Sentry\Uninstall.lnk - Deleted
C:\Program Files\Common Files\System Doctor\dcmon.exe - Deleted
C:\WINDOWS\17PHolmes27.exe - Deleted
C:\WINDOWS\system32\dflgh8jkd2q1.exe - Deleted
C:\WINDOWS\system32\dflgh8jkd2q2.exe - Deleted
C:\WINDOWS\system32\dflgh8jkd2q5.exe - Deleted
C:\WINDOWS\system32\dflgh8jkd2q6.exe - Deleted
C:\WINDOWS\system32\dflgh8jkd2q7.exe - Deleted
C:\WINDOWS\system32\dflgh8jkd2q8.exe - Deleted
C:\WINDOWS\system32\vedxg4am1et2.exe - Deleted
C:\WINDOWS\system32\vedxg6ame4.exe - Deleted
C:\WINDOWS\system32\vedxga1me4t1.exe - Deleted
C:\WINDOWS\system32\vedxga3me2.exe - Deleted
C:\WINDOWS\system32\vedxga4m1et4.exe - Deleted
C:\WINDOWS\system32\vedxga4me1.exe - Deleted
C:\WINDOWS\system32\vedxga5me3.exe - Deleted
C:\WINDOWS\system32\wpx15.cpx - Deleted
C:\WINDOWS\system32\wpx2.cpx - Deleted
C:\WINDOWS\system32\wpx25.cpx - Deleted
C:\WINDOWS\system32\wpx27.cpx - Deleted
C:\WINDOWS\system32\wpx29.cpx - Deleted
C:\WINDOWS\system32\wpx31.cpx - Deleted
C:\WINDOWS\system32\wpx34.cpx - Deleted
C:\WINDOWS\system32\wpx35.cpx - Deleted
C:\WINDOWS\system32\wpx5.cpx - Deleted
C:\ie_updater.exe - Deleted
C:\WINDOWS\system32\cssrss.exe - Deleted
C:\WINDOWS\system32\kr_done1 - Deleted
C:\WINDOWS\system32\lich.dat - Deleted
C:\WINDOWS\system32\svchost.t__ - Deleted
C:\WINDOWS\system32\svcp.csv - Deleted
C:\WINDOWS\system32\vx.tll - Deleted
C:\WINDOWS\system32\winsub.xml - Deleted
C:\WINDOWS\Temp\ed47fa.$ - Deleted
C:\WINDOWS\wiaservb.log - Deleted
C:\WINDOWS\system32\baseogn32.dll - Deleted
C:\WINDOWS\system32\drivers\asc3550p.sys - Deleted
C:\WINDOWS\system32\ntos.exe - Deleted
C:\WINDOWS\system32\drivers\Xwsw71.sys - Deleted
C:\WINDOWS\system32\wsnpoem\video.dll - Deleted
C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted

[color=red]Note - Files associated with the MBR Rootkit have been found on this system, to check the PC use the [url=http://www2.gmer.net/mbr/]MBR Rootkit Detector[/url] by Gmer or [url=http://www.freedrweb.com/cureit]CureIt[/url] by Dr.Web[/color]

Could Not Remove C:\WINDOWS\Temp\bca4e2da.$$$
Could Not Remove C:\WINDOWS\Temp\fa56d7ec.$$$

Folder C:\Documents and Settings\All Users\Application Data\SalesMon - Removed
Folder C:\Documents and Settings\All Users\Application Data\System Doctor Free - Removed
Folder C:\Program Files\Common Files\System Doctor - Removed
Folder C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Brave-Sentry - Removed
Folder C:\WINDOWS\system32\wsnpoem - Removed

Removing Temp Files

[b]ADS Check [/b]:

C:\WINDOWS\system32\svchost.exe : ADS Found!
svchost.exe: deleted 23552 bytes in 1 streams.

Checking for remaining Streams

C:\WINDOWS\system32\svchost.exe
No streams found.

[b]Final Check [/b]:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-19 15:37:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GLOK+793B-246A]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GLOK+793B-246A\0000]
"Service"="glok+793b-246a"
"DeviceDesc"="glok+793b-246a"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\glok+793b-246a]
"Type"=dword:00000001
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=str(2):"\??\C:\WINDOWS\glok+793b-246a.sys"
"DisplayName"="glok+793b-246a"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_GLOK+793B-246A]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_GLOK+793B-246A\0000]
"Service"="glok+793b-246a"
"DeviceDesc"="glok+793b-246a"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\glok+793b-246a]
"Type"=dword:00000001
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=str(2):"\??\C:\WINDOWS\glok+793b-246a.sys"
"DisplayName"="glok+793b-246a"

scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\glok+793b-246a.sys 127104 bytes executable
C:\WINDOWS\glok+serv.config 43273 bytes

scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 2

[b]Remaining Services [/b]:

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"c:\\6bne4e.exe"="c:\\6bne4e.exe:*:Enabled:DHCP Client"
"C:\\WINDOWS\\system32\\cssrss.exe"="C:\\WINDOWS\\system32\\cssrss.exe:*:Enabled:DHCP Client"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[b]Remaining Files [/b]:

C:\WINDOWS\Temp\bca4e2da.$$$ Found
C:\WINDOWS\Temp\fa56d7ec.$$$ Found

File Backups: - C:\SDFix\backups\backups.zip

[b]Files with Hidden Attributes [/b]:

Sat 19 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\66b1d8e81a20b4b541ab3e558f2fd638\BIT3.tmp"

[b]Finished![/b]