Tech Support Forum - View Single Post - Files-Secure has invaded [Moved from IE]

OHgirl0728 · 01-12-2008, 10:52 PM

Wasn't sure if you would need this as an attachment or pasted into the posting.... So here are both ways

SDFix: Version 1.125

Run by MICHAEL on Fri 01/11/2008 at 02:21 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\toprates.dll - Deleted

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-11 15:26:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"="C:\\Program Files\\IncrediMail\\bin\\IMApp.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"="C:\\Program Files\\IncrediMail\\bin\\IncMail.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"="C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe:*:Enabled:IncrediMail"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\AOL\\1170446665\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1170446665\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"="C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Jukebox"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Wed 1 Sep 2004 54,384 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"
Wed 1 Sep 2004 156,784 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
Wed 1 Sep 2004 31,344 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe"
Tue 6 Nov 2007 104 ..SHR --- "C:\WINDOWS\system32\03846076EE.sys"
Mon 7 Jan 2008 4,184 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Tue 20 Nov 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Fri 10 Aug 2007 414 A..H. --- "C:\Program Files\Common Files\AOL\IPHSend\IPH.BAK"
Wed 15 Feb 2006 1,640 A.SH. --- "C:\Documents and Settings\MICHAEL\Application Data\Roxio\Dragon\DiscInfoCache\HL-DT-ST_DVD+-RW_GWA4164B_D108_300_DICV018_DRGV2050107.TMP"
Mon 11 Jun 2007 24,576 A..H. --- "C:\Documents and Settings\MICHAEL\Desktop\Dana\Taylor\Taylor\Taylor\~WRL0004.tmp"
Fri 3 Aug 2007 8 A..H. --- "C:\Documents and Settings\DANA\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Fri 3 Aug 2007 8 A..H. --- "C:\Documents and Settings\DANA\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Fri 3 Aug 2007 8 A..H. --- "C:\Documents and Settings\DANA\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Fri 3 Aug 2007 8 A..H. --- "C:\Documents and Settings\DANA\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Sat 8 Dec 2007 8 A..H. --- "C:\Documents and Settings\HALEY\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Sat 8 Dec 2007 8 A..H. --- "C:\Documents and Settings\HALEY\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Sat 8 Dec 2007 8 A..H. --- "C:\Documents and Settings\HALEY\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Sat 8 Dec 2007 8 A..H. --- "C:\Documents and Settings\HALEY\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Tue 10 Apr 2007 8 A..H. --- "C:\Documents and Settings\MICHAEL\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Wed 11 Apr 2007 8 A..H. --- "C:\Documents and Settings\MICHAEL\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Tue 17 Apr 2007 8 A..H. --- "C:\Documents and Settings\MICHAEL\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Tue 17 Apr 2007 8 A..H. --- "C:\Documents and Settings\MICHAEL\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"

Finished!

01-12-2008, 10:52 PM	#6 (permalink)
OHgirl0728 Registered User Join Date: Jan 2008 Location: Ohio Posts: 44 OS: WINXP	Re: Files-Secure has invaded [Moved from IE] Wasn't sure if you would need this as an attachment or pasted into the posting.... So here are both ways SDFix: Version 1.125 Run by MICHAEL on Fri 01/11/2008 at 02:21 PM Microsoft Windows XP [Version 5.1.2600] Running From: C:\SDFix Safe Mode: Checking Services: Restoring Windows Registry Values Restoring Windows Default Hosts File Rebooting... Normal Mode: Checking Files: Trojan Files Found: C:\WINDOWS\toprates.dll - Deleted Removing Temp Files... ADS Check: C:\WINDOWS No streams found. C:\WINDOWS\system32 No streams found. C:\WINDOWS\system32\svchost.exe No streams found. C:\WINDOWS\system32\ntoskrnl.exe No streams found. Final Check: catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-01-11 15:26:58 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden services & system hive ... scanning hidden registry entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Remaining Services: ------------------ Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe::Enabled:AOL" "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe::Enabled:AOL" "C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe::Enabled:America Online 9.0" "C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe::Enabled:EasyShare" "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe::Enabled:Windows Messenger" "C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"="C:\\Program Files\\IncrediMail\\bin\\IMApp.exe::Enabled:IncrediMail" "C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"="C:\\Program Files\\IncrediMail\\bin\\IncMail.exe::Enabled:IncrediMail" "C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"="C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe::Enabled:IncrediMail" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe::Enabled:@xpsp3res.dll,-20000" "C:\\Program Files\\Common Files\\AOL\\1170446665\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1170446665\\ee\\aolsoftware.exe::Enabled:AOL Services" "C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe::Enabled:McAfee Network Agent" "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe::Enabled:AOL Loader" "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe::Enabled:Yahoo! Messenger" "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe::Enabled:Yahoo! FT Server" "C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"="C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe::Enabled:Yahoo! Music Jukebox" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe::Enabled:AOL" "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe::Enabled:AOL" "C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe::Enabled:America Online 9.0" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" Remaining Files: --------------- File Backups: - C:\SDFix\backups\backups.zip Files with Hidden Attributes: Wed 1 Sep 2004 54,384 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe" Wed 1 Sep 2004 156,784 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe" Wed 1 Sep 2004 31,344 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe" Tue 6 Nov 2007 104 ..SHR --- "C:\WINDOWS\system32\03846076EE.sys" Mon 7 Jan 2008 4,184 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys" Tue 20 Nov 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp" Fri 10 Aug 2007 414 A..H. --- "C:\Program Files\Common Files\AOL\IPHSend\IPH.BAK" Wed 15 Feb 2006 1,640 A.SH. --- "C:\Documents and Settings\MICHAEL\Application Data\Roxio\Dragon\DiscInfoCache\HL-DT-ST_DVD+-RW_GWA4164B_D108_300_DICV018_DRGV2050107.TMP" Mon 11 Jun 2007 24,576 A..H. --- "C:\Documents and Settings\MICHAEL\Desktop\Dana\Taylor\Taylor\Taylor\~WRL0004.tmp" Fri 3 Aug 2007 8 A..H. --- "C:\Documents and Settings\DANA\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp" Fri 3 Aug 2007 8 A..H. --- "C:\Documents and Settings\DANA\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp" Fri 3 Aug 2007 8 A..H. --- "C:\Documents and Settings\DANA\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp" Fri 3 Aug 2007 8 A..H. --- "C:\Documents and Settings\DANA\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp" Sat 8 Dec 2007 8 A..H. --- "C:\Documents and Settings\HALEY\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp" Sat 8 Dec 2007 8 A..H. --- "C:\Documents and Settings\HALEY\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp" Sat 8 Dec 2007 8 A..H. --- "C:\Documents and Settings\HALEY\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp" Sat 8 Dec 2007 8 A..H. --- "C:\Documents and Settings\HALEY\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp" Tue 10 Apr 2007 8 A..H. --- "C:\Documents and Settings\MICHAEL\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp" Wed 11 Apr 2007 8 A..H. --- "C:\Documents and Settings\MICHAEL\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp" Tue 17 Apr 2007 8 A..H. --- "C:\Documents and Settings\MICHAEL\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp" Tue 17 Apr 2007 8 A..H. --- "C:\Documents and Settings\MICHAEL\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp" Finished!