Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Rootkit Found :
C:\WINDOWS\system32\drivers\TDSSrfdc.sys - Rootkit.Win32.Agent.cku
Name :
tdssserv
Path :
\systemroot\system32\drivers\TDSSrfdc.sys
tdssserv - Deleted
Restoring Default Security Values
Restoring Default Hosts File
Resetting AppInit_DLLs value
Rebooting
Checking Files :
Trojan Files Found:
C:\WINDOWS\system32\TDSSedrm.dll - Deleted
C:\WINDOWS\system32\TDSSjrlv.dll - Deleted
C:\WINDOWS\system32\TDSSfcof.dll - Deleted
C:\WINDOWS\system32\TDSSxnaq.dll - Deleted
C:\WINDOWS\system32\TDSSxbae.dll - Deleted
C:\WINDOWS\system32\TDSSrhcw.dll - Deleted
C:\WINDOWS\SYSTEM32\WINDOW~1.EXE - Deleted
C:\WINDOWS\system32\wini10802.exe - Deleted
C:\WINDOWS\karna.dat - Deleted
C:\WINDOWS\system32\karna.dat - Deleted
C:\WINDOWS\system32\windows_update.exe - Deleted
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-22 00:15:47
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Disabled:RealPlayer"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\IncrediMail\\bin\\ImApp.exe"="C:\\Program Files\\IncrediMail\\bin\\ImApp.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"="C:\\Program Files\\IncrediMail\\bin\\IncMail.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"="C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe:*:Enabled:IncrediMail"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Wed 1 Sep 2004 54,384 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"
Wed 1 Sep 2004 156,784 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
Wed 1 Sep 2004 31,344 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe"
Tue 7 Oct 2008 56 ..SHR --- "C:\WINDOWS\system32\0F674B5A86.sys"
Sun 14 Sep 2008 88 ..SHR --- "C:\WINDOWS\system32\865A4B670F.sys"
Tue 7 Oct 2008 5,852 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Sun 25 Jun 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 25 Jun 2006 4,348 ...H. --- "C:\Documents and Settings\Hill Stabler\My Documents\My Music\License Backup\drmv1key.bak"
Fri 16 May 2008 20 A..H. --- "C:\Documents and Settings\Hill Stabler\My Documents\My Music\License Backup\drmv1lic.bak"
Thu 17 Aug 2006 400 A.SH. --- "C:\Documents and Settings\Hill Stabler\My Documents\My Music\License Backup\drmv2key.bak"
Thu 12 Apr 2007 8 A..H. --- "C:\Documents and Settings\Hayes Stabler\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Thu 12 Apr 2007 8 A..H. --- "C:\Documents and Settings\Hayes Stabler\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Thu 12 Apr 2007 8 A..H. --- "C:\Documents and Settings\Hayes Stabler\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Thu 12 Apr 2007 8 A..H. --- "C:\Documents and Settings\Hayes Stabler\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Sun 15 Apr 2007 8 A..H. --- "C:\Documents and Settings\Hayes Stabler\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u5\lock.tmp"
Mon 9 Apr 2007 8 A..H. --- "C:\Documents and Settings\Hill Stabler\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Mon 9 Apr 2007 8 A..H. --- "C:\Documents and Settings\Hill Stabler\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Mon 9 Apr 2007 8 A..H. --- "C:\Documents and Settings\Hill Stabler\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Mon 9 Apr 2007 8 A..H. --- "C:\Documents and Settings\Hill Stabler\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Sat 14 Apr 2007 8 A..H. --- "C:\Documents and Settings\Hill Stabler\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u5\lock.tmp"
Mon 9 Apr 2007 8 A..H. --- "C:\Documents and Settings\Stephen Stabler\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Tue 10 Apr 2007 8 A..H. --- "C:\Documents and Settings\Stephen Stabler\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Tue 10 Apr 2007 8 A..H. --- "C:\Documents and Settings\Stephen Stabler\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Tue 10 Apr 2007 8 A..H. --- "C:\Documents and Settings\Stephen Stabler\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Fri 24 Aug 2007 8 A..H. --- "C:\Documents and Settings\Stephen Stabler\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u5\lock.tmp"
Mon 9 Apr 2007 8 A..H. --- "C:\Documents and Settings\Susan Stabler\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Mon 9 Apr 2007 8 A..H. --- "C:\Documents and Settings\Susan Stabler\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Wed 11 Apr 2007 8 A..H. --- "C:\Documents and Settings\Susan Stabler\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Mon 16 Apr 2007 8 A..H. --- "C:\Documents and Settings\Susan Stabler\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Mon 16 Apr 2007 8 A..H. --- "C:\Documents and Settings\Susan Stabler\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u5\lock.tmp"
Finished!