SDFix: Version 1.116
Run by Administrator on Thu 04/24/2008 at 06:25 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Safe Mode:
Checking Services:

Infected beep.sys Found!

beep.sys File Locations:

"C:\WINDOWS\system32\dllcache\beep.sys"  35328  04/24/2008 06:09 PM
"C:\WINDOWS\system32\drivers\beep.sys"   35328  04/24/2008 06:09 PM

Infected File Listed Below:

C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\drivers\beep.sys

Trojan File copied to Backups Folder
Attempting to replace beep.sys with original version...

Original beep.sys Restored

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Trojan Files Found:

C:\115182~1 - Deleted
C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Local Settings\Temp\1.dllb - Deleted
C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Local Settings\Temp\2.dllb - Deleted
C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Local Settings\Temp\5.dllb - Deleted
C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Local Settings\Temp\6.dllb - Deleted
C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Local Settings\Temp\7.dllb - Deleted
C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Local Settings\Temp\v3xd1.g22me - Deleted
C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Local Settings\Temp\v4xd3.ga2me - Deleted
C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Local Settings\Temp\v4xd6.gam5e - Deleted
C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Local Settings\Temp\v5xd2.g3ame - Deleted
C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Local Settings\Temp\v5xd4.ga2me - Deleted
C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Local Settings\Temp\v6xdt4.game - Deleted
C:\WINDOWS\Temp\v3xd1.g22me - Deleted
C:\WINDOWS\Temp\v4xd3.ga2me - Deleted
C:\WINDOWS\Temp\v4xd6.gam5e - Deleted
C:\WINDOWS\Temp\v5xd2.g3ame - Deleted
C:\WINDOWS\Temp\v5xd4.ga2me - Deleted
C:\WINDOWS\Temp\v6xdt4.game - Deleted
C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Local Settings\Temp\vx1dt3.game - Deleted
C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Local Settings\Temp\vx3dt2.game - Deleted
C:\WINDOWS\Temp\vx1dt1.game - Deleted
C:\WINDOWS\Temp\vx1dt3.game - Deleted
C:\WINDOWS\Temp\vx3dt2.game - Deleted
C:\WINDOWS\system32\coco.exe.exe - Deleted
C:\WINDOWS\system32\sam.exe.exe - Deleted
C:\WINDOWS\system32\alg.exe.tmp - Deleted
C:\WINDOWS\Temp\v3xd1.g22me - Deleted
C:\WINDOWS\Temp\v4xd3.ga2me - Deleted
C:\WINDOWS\Temp\v4xd6.gam5e - Deleted
C:\WINDOWS\Temp\v5xd2.g3ame - Deleted
C:\WINDOWS\Temp\v5xd4.ga2me - Deleted
C:\WINDOWS\Temp\v6xdt4.game - Deleted
C:\WINDOWS\Temp\vx1dt1.game - Deleted
C:\WINDOWS\Temp\vx1dt3.game - Deleted
C:\WINDOWS\Temp\vx3dt2.game - Deleted
C:\d.exe - Deleted
C:\WINDOWS\17PHolmes27.exe - Deleted
C:\WINDOWS\iTunesMusic.exe - Deleted
C:\WINDOWS\rs.txt - Deleted
C:\WINDOWS\system32\kr_done1 - Deleted
C:\WINDOWS\system32\msvchost.exe - Deleted
C:\WINDOWS\system32\svcp.csv - Deleted
C:\WINDOWS\system32\vedxg4am1et2.exe - Deleted
C:\WINDOWS\system32\vedxg6ame4.exe - Deleted
C:\WINDOWS\system32\vedxga1me4t1.exe - Deleted
C:\WINDOWS\system32\vedxga3me2.exe - Deleted
C:\WINDOWS\system32\vedxga4m1et4.exe - Deleted
C:\WINDOWS\system32\vedxga4me1.exe - Deleted
C:\WINDOWS\system32\vedxga5me3.exe - Deleted
C:\WINDOWS\system32\vx.tll - Deleted
C:\WINDOWS\system32\wind32.exe - Deleted
C:\WINDOWS\system32\winsub.xml - Deleted
C:\WINDOWS\taskmon.exe - Deleted
C:\WINDOWS\Temp\removalfile.bat - Deleted
C:\WINDOWS\Temp\winlogan.exe - Deleted
C:\WINDOWS\system32\drivers\asc3550p.sys - Deleted
C:\WINDOWS\system32\ntos.exe - Deleted
C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted
C:\WINDOWS\system32\wsnpoem\video.dll - Deleted

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-24 18:31:42
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000002
"DeviceCharacteristics"=dword:00000100

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000007
"DeviceCharacteristics"=dword:00000100

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000023
"DeviceCharacteristics"=dword:00000100

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000007
"DeviceCharacteristics"=dword:00000100

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3550p]
"ErrorControl"=dword:00000000
"Start"=dword:00000002
"Group"="SCSI miniport"
"Tag"=dword:0000002a
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxDAV\EncryptedDirectories]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ydhqzop]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"\??\C:\WINDOWS\ydhqzop.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ydhqzop\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ydhqzop]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"\??\C:\WINDOWS\ydhqzop.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ydhqzop\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..

[HKEY_LOCAL_MACHINE\SYSTEM\controlset004\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000002
"DeviceCharacteristics"=dword:00000100

[HKEY_LOCAL_MACHINE\SYSTEM\controlset004\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000007
"DeviceCharacteristics"=dword:00000100

[HKEY_LOCAL_MACHINE\SYSTEM\controlset004\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000023
"DeviceCharacteristics"=dword:00000100

[HKEY_LOCAL_MACHINE\SYSTEM\controlset004\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100

[HKEY_LOCAL_MACHINE\SYSTEM\controlset004\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100

[HKEY_LOCAL_MACHINE\SYSTEM\controlset004\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100

[HKEY_LOCAL_MACHINE\SYSTEM\controlset004\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000007
"DeviceCharacteristics"=dword:00000100

[HKEY_LOCAL_MACHINE\SYSTEM\controlset004\Services\MRxDAV\EncryptedDirectories]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\controlset004\Services\ydhqzop]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"\??\C:\WINDOWS\ydhqzop.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\controlset004\Services\ydhqzop\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"Appinit_dlls"="cru629.dat"

scanning hidden files ...

C:\WINDOWS\Prefetch\PCHealth\UploadLB
C:\WINDOWS\Prefetch\PCHealth\UploadLB\Binaries
C:\WINDOWS\Prefetch\PCHealth\UploadLB\Binaries\UploadM.exe 138752 bytes executable
C:\WINDOWS\Prefetch\PCHealth\UploadLB\Config
C:\WINDOWS\Prefetch\PCHealth\UploadLB\Config\config.xml 466 bytes

scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 5

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Tue 22 Apr 2008        196 A.SHR --- "C:\BOOT.BAK"
Sat  4 Nov 2006      7,168 A.SH. --- "C:\Documents and Settings\Administrator.YOUR-AT5QGAAC3Z\cftmon.exe"
Wed 30 Aug 2006     36,685 ...H. --- "C:\Program Files\eFax Messenger Plus 3.3\J2GPlus.exe-BarStateC"
Wed 29 Mar 2006      4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue  3 Aug 2004     11,776 ..SH. --- "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMComReg.exe"
Sat  4 Nov 2006      7,168 ..SH. --- "C:\WINDOWS\system32\drivers\spools.exe"
Sun 26 Aug 2007          0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 22 Apr 2008        196 A.SHR --- "C:\BOOT.BAK"
Wed 30 Aug 2006     36,685 ...H. --- "C:\Program Files\eFax Messenger Plus 3.3\J2GPlus.exe-BarStateC"
Wed 29 Mar 2006      4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed  4 Aug 2004     11,776 ..SH. --- "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMComReg.exe"
Sun 26 Aug 2007          0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sat  7 Feb 2004  5,294,080 A..H. --- "C:\hp\patches\42WW1REC\src\App00153.exe"
Sat  7 Feb 2004    452,096 A..H. --- "C:\hp\patches\42WW1REC\src\App00292.exe"
Sat  7 Feb 2004    444,416 A..H. --- "C:\hp\patches\42WW1REC\src\App00491.exe"
Sat  7 Feb 2004  1,838,592 A..H. --- "C:\hp\patches\42WW1REC\src\App02995.exe"
Sat  7 Feb 2004    492,544 A..H. --- "C:\hp\patches\42WW1REC\src\App04827.exe"
Sat  7 Feb 2004  1,401,856 A..H. --- "C:\hp\patches\42WW1REC\src\App05447.exe"
Sat  7 Feb 2004    440,320 A..H. --- "C:\hp\patches\42WW1REC\src\App05705.exe"
Sat  7 Feb 2004    462,848 A..H. --- "C:\hp\patches\42WW1REC\src\App09961.exe"
Sat  7 Feb 2004 15,596,032 A..H. --- "C:\hp\patches\42WW1REC\src\App14604.exe"
Sat  7 Feb 2004  5,256,704 A..H. --- "C:\hp\patches\42WW1REC\src\App16827.exe"
Sat  7 Feb 2004  3,668,992 A..H. --- "C:\hp\patches\42WW1REC\src\App17421.exe"
Tue 10 Feb 2004    696,832 A..H. --- "C:\hp\patches\42WW1REC\src\App18716.exe"
Sat  7 Feb 2004    423,936 A..H. --- "C:\hp\patches\42WW1REC\src\App19169.exe"
Sat  7 Feb 2004  1,157,632 A..H. --- "C:\hp\patches\42WW1REC\src\App19718.exe"
Tue 10 Feb 2004    995,328 A..H. --- "C:\hp\patches\42WW1REC\src\App19895.exe"
Sat  7 Feb 2004    453,632 A..H. --- "C:\hp\patches\42WW1REC\src\App23281.exe"
Sat  7 Feb 2004    453,632 A..H. --- "C:\hp\patches\42WW1REC\src\App24464.exe"
Sat  7 Feb 2004  2,251,776 A..H. --- "C:\hp\patches\42WW1REC\src\App26962.exe"
Sat  7 Feb 2004    481,792 A..H. --- "C:\hp\patches\42WW1REC\src\App29358.exe"
Sat  7 Feb 2004 12,426,752 A..H. --- "C:\hp\patches\42WW1REC\src\App32391.exe"
Sat  7 Feb 2004 12,426,752 A..H. --- "C:\hp\patches\42WW1REC\src\App99990.exe"
Sat  7 Feb 2004 15,596,032 A..H. --- "C:\hp\patches\42WW1REC\src\App99992.exe"
Sat  7 Feb 2004  5,256,704 A..H. --- "C:\hp\patches\42WW1REC\src\App99993.exe"
Sat  7 Feb 2004  5,256,704 A..H. --- "C:\hp\patches\42WW1REC\src\xApp14604.exe"
Sun 26 Aug 2007         20 A..H. --- "C:\Documents and Settings\Default User\Application Data\Real\rhapsody\wmlicbackup\drmv1lic.bak"
Sun 26 Aug 2007         20 A..H. --- "C:\Documents and Settings\Owner.YOUR-AT5QGAAC3Z\Application Data\Real\rhapsody\wmlicbackup\drmv1lic.bak"
Sun 26 Aug 2007         20 A..H. --- "C:\WINDOWS\system32\config\systemprofile\Application Data\Real\rhapsody\wmlicbackup\drmv1lic.bak"

Finished!