08-08-2008, 02:56 PM   #9
CurryMad
Registered User
 
Join Date: Aug 2008
Posts: 18
OS: XP SP2


Re: wserv32.exe and csrssd.exe

SDFix: Version 1.214
Run by Steve on 08/08/2008 at 21:23

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\VDM10.TMP - Deleted
C:\VDM100.TMP - Deleted
C:\VDM101.TMP - Deleted
C:\VDM108.TMP - Deleted
C:\VDM109.TMP - Deleted
C:\VDM11.TMP - Deleted
C:\VDM110.TMP - Deleted
C:\VDM111.TMP - Deleted
C:\VDM118.TMP - Deleted
C:\VDM119.TMP - Deleted
C:\VDM120.TMP - Deleted
C:\VDM121.TMP - Deleted
C:\VDM124.TMP - Deleted
C:\VDM125.TMP - Deleted
C:\VDM126.TMP - Deleted
C:\VDM127.TMP - Deleted
C:\VDM16.TMP - Deleted
C:\VDM17.TMP - Deleted
C:\VDM1E.TMP - Deleted
C:\VDM1F.TMP - Deleted
C:\VDM28.TMP - Deleted
C:\VDM29.TMP - Deleted
C:\VDM30.TMP - Deleted
C:\VDM31.TMP - Deleted
C:\VDM36.TMP - Deleted
C:\VDM37.TMP - Deleted
C:\VDM3E.TMP - Deleted
C:\VDM3F.TMP - Deleted
C:\VDM46.TMP - Deleted
C:\VDM47.TMP - Deleted
C:\VDM4E.TMP - Deleted
C:\VDM4F.TMP - Deleted
C:\VDM58.TMP - Deleted
C:\VDM59.TMP - Deleted
C:\VDM60.TMP - Deleted
C:\VDM61.TMP - Deleted
C:\VDM66.TMP - Deleted
C:\VDM67.TMP - Deleted
C:\VDM6A.TMP - Deleted
C:\VDM6B.TMP - Deleted
C:\VDM70.TMP - Deleted
C:\VDM71.TMP - Deleted
C:\VDM76.TMP - Deleted
C:\VDM77.TMP - Deleted
C:\VDM7E.TMP - Deleted
C:\VDM7F.TMP - Deleted
C:\VDM86.TMP - Deleted
C:\VDM87.TMP - Deleted
C:\VDM8E.TMP - Deleted
C:\VDM8F.TMP - Deleted
C:\VDM94.TMP - Deleted
C:\VDM95.TMP - Deleted
C:\VDM9A.TMP - Deleted
C:\VDM9B.TMP - Deleted
C:\VDMA0.TMP - Deleted
C:\VDMA1.TMP - Deleted
C:\VDMA8.TMP - Deleted
C:\VDMA9.TMP - Deleted
C:\VDMB0.TMP - Deleted
C:\VDMB1.TMP - Deleted
C:\VDMBA.TMP - Deleted
C:\VDMBB.TMP - Deleted
C:\VDMC2.TMP - Deleted
C:\VDMC3.TMP - Deleted
C:\VDMCA.TMP - Deleted
C:\VDMCB.TMP - Deleted
C:\VDMD0.TMP - Deleted
C:\VDMD1.TMP - Deleted
C:\VDMD8.TMP - Deleted
C:\VDMD9.TMP - Deleted
C:\VDMDC.TMP - Deleted
C:\VDMDD.TMP - Deleted
C:\VDME8.TMP - Deleted
C:\VDME9.TMP - Deleted
C:\VDMF0.TMP - Deleted
C:\VDMF1.TMP - Deleted
C:\VDMF8.TMP - Deleted
C:\VDMF9.TMP - Deleted
C:\WINDOWS\system32\TFTP1508 - Deleted
C:\WINDOWS\system32\TFTP2620 - Deleted
C:\WINDOWS\system32\TFTP2632 - Deleted
C:\WINDOWS\system32\TFTP2776 - Deleted
C:\WINDOWS\system32\TFTP2944 - Deleted
C:\WINDOWS\system32\TFTP3224 - Deleted
C:\WINDOWS\system32\TFTP3716 - Deleted
C:\WINDOWS\system32\TFTP3720 - Deleted
C:\WINDOWS\system32\TFTP3736 - Deleted
C:\WINDOWS\system32\TFTP3876 - Deleted
C:\WINDOWS\system32\TFTP3968 - Deleted
C:\WINDOWS\system32\TFTP452 - Deleted
Removing Temp Files

ADS Check :
Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-08 21:38:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :
Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\PPStream\\PPStream.exe"="C:\\Program Files\\PPStream\\PPStream.exe:*:Enabled:PPStream"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabled:Delivery Manager Service"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"="C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe:*:Enabled:LifeCam.exe"
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"="C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe:*:Enabled:LifeExp.exe"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 31 Jul 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 31 Jul 2005 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv14.bak"
Mon 1 Aug 2005 400 A.SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.bla.bak"
Mon 1 Aug 2005 48 A.SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.sec.bak"
Tue 6 May 2003 1,479 A..H. --- "C:\Program Files\InterActual\InterActual Player\itiE.tmp"
Sun 3 Aug 2008 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Sun 3 Aug 2008 265 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Tue 9 Sep 2003 0 ...H. --- "C:\Documents and Settings\Steve\Application Data\Microsoft\Word\~WRL0710.tmp"
Tue 9 Sep 2003 0 ...H. --- "C:\Documents and Settings\Steve\Application Data\Microsoft\Word\~WRL0826.tmp"

Finished!