Sorry, I first posted in the wrong place (newbie).

Hi everybody. As with others, I got stuck with that wicked virus called "VirusWebProtect" (Lord curse the jerk who wrote that, may all his daughters be fat and ugly). I found you guys by searching on Google for info about this virus.

Extreme gratitude and appreciation to Angelfire777, who posted the fix I used. If you were a chick, I'd kiss you.

I had to jimmy a few of the directions, however, like manually opening the Win2k files in SDFix, but Angelfire's directions are overall correct and only took a little tweaking on my part.

Below is my report in case it helps anyone else. I'm not yet a geek, so I thank you guys for being here to help me. I'm actually a tradesman and an aspiring writer, and computers are simply a matter of course, but I've learned more in the last year than I've ever known. This fix seems to have taken care of things on my computer that go back long before this virus and done further work on previously fixed infections. I am humbled.

Thanks again, God bless, here's my report:


SDFix: Version 1.116

Run by Joe Parsons on Sun 12/02/2007 at 9:14a

Microsoft Windows 2000 [Version 5.00.2195]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
NETDown

Path:
C:\WINNT\vcd1.exe

NETDown - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value
Restoring Default HomePage Value
Restoring Default Desktop Components Value

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINNT\SYSTEM32\AM2KTPHD.DLL - Deleted
C:\WINNT\SYSTEM32\EAIQVYPA.DLL - Deleted
C:\WINNT\SYSTEM32\FCYAY.DLL - Deleted
C:\WINNT\SYSTEM32\GHGKDYCP.DLL - Deleted
C:\WINNT\SYSTEM32\HWRLGQYT.DLL - Deleted
C:\WINNT\SYSTEM32\IFBLKOLP.DLL - Deleted
C:\WINNT\SYSTEM32\IHBPMAGK.DLL - Deleted
C:\WINNT\SYSTEM32\JBEYGNAV.DLL - Deleted
C:\WINNT\SYSTEM32\JM2VT4L5.DLL - Deleted
C:\WINNT\SYSTEM32\JWWCRHOK.DLL - Deleted
C:\WINNT\SYSTEM32\LJVCEFUX.DLL - Deleted
C:\WINNT\SYSTEM32\LNTSHVHS.DLL - Deleted
C:\WINNT\SYSTEM32\MENHEXLD.DLL - Deleted
C:\WINNT\SYSTEM32\MQLIKJAB.DLL - Deleted
C:\WINNT\SYSTEM32\NNNKHGH.DLL - Deleted
C:\WINNT\SYSTEM32\NVQQXTPN.DLL - Deleted
C:\WINNT\SYSTEM32\NVTMVWME.DLL - Deleted
C:\WINNT\SYSTEM32\OOOXJMJQ.DLL - Deleted
C:\WINNT\SYSTEM32\QRYOKFIU.DLL - Deleted
C:\WINNT\SYSTEM32\QTIOUPJE.DLL - Deleted
C:\WINNT\SYSTEM32\QYWWJOOB.DLL - Deleted
C:\WINNT\SYSTEM32\RYPMUBWG.DLL - Deleted
C:\WINNT\SYSTEM32\SJEXGBXP.DLL - Deleted
C:\WINNT\SYSTEM32\TIQDCBYE.DLL - Deleted
C:\WINNT\SYSTEM32\UKRVQYGK.DLL - Deleted
C:\WINNT\SYSTEM32\UPXVUMUS.DLL - Deleted
C:\WINNT\SYSTEM32\VEJCQLLK.DLL - Deleted
C:\WINNT\SYSTEM32\VWLSAISA.DLL - Deleted
C:\WINNT\SYSTEM32\WMJPRKPU.DLL - Deleted
C:\WINNT\SYSTEM32\XCEWHHBU.DLL - Deleted
C:\WINNT\SYSTEM32\YBDGAFRE.DLL - Deleted
C:\SDFIX.EXE - Deleted
C:\PROGRA~1\COMPLU~1\RTENEM~1.HTM - Deleted
C:\PROGRA~1\COMPLU~1\QUFAX - Deleted
C:\Documents and Settings\Joe Parsons\Application Data\WinTouch\wintouch.cfg - Deleted
C:\Documents and Settings\Joe Parsons\Desktop\Error Cleaner.url - Deleted
C:\Documents and Settings\Joe Parsons\Favorites\Error Cleaner.url - Deleted
C:\Documents and Settings\Joe Parsons\Desktop\Privacy Protector.url - Deleted
C:\Documents and Settings\Joe Parsons\Favorites\Privacy Protector.url - Deleted
C:\Documents and Settings\Joe Parsons\Desktop\Spyware&Malware Protection.url - Deleted
C:\Documents and Settings\Joe Parsons\Favorites\Spyware&Malware Protection.url - Deleted
C:\Documents and Settings\Joe Parsons\Application Data\tmp1.tmp.exe - Deleted
C:\Documents and Settings\Joe Parsons\Application Data\tmp11.tmp.exe - Deleted
C:\Documents and Settings\Joe Parsons\Application Data\tmp1A.tmp.exe - Deleted
C:\Documents and Settings\Joe Parsons\Application Data\tmp2.tmp.exe - Deleted
C:\Documents and Settings\Joe Parsons\Application Data\tmp2F8.tmp.exe - Deleted
C:\Documents and Settings\Joe Parsons\Application Data\tmp3.tmp.exe - Deleted
C:\Documents and Settings\Joe Parsons\Application Data\tmp30.tmp.exe - Deleted
C:\Documents and Settings\Joe Parsons\Application Data\tmp38.tmp.exe - Deleted
C:\Documents and Settings\Joe Parsons\Application Data\tmp4.tmp.exe - Deleted
C:\Documents and Settings\Joe Parsons\Application Data\tmp7.tmp.exe - Deleted
C:\Documents and Settings\Joe Parsons\Application Data\tmp93.tmp.exe - Deleted
C:\Documents and Settings\Joe Parsons\Application Data\tmpA.tmp.exe - Deleted
C:\Documents and Settings\Joe Parsons\My Documents\tmp1.tmp.exe - Deleted
C:\Temp\1cb\syscheck.log - Deleted
C:\WINNT\system32\tmp2.tmp.dll - Deleted
C:\WINNT\system32\tmp4.tmp.dll - Deleted
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe - Deleted
C:\Documents and Settings\Joe Parsons\Application Data\Install.dat - Deleted
C:\WINNT\2.tmp - Deleted
C:\WINNT\gormet.dll - Deleted
C:\WINNT\hdtip.dll - Deleted
C:\WINNT\monhop.exe - Deleted
C:\WINNT\pmkret.dll - Deleted
C:\WINNT\werbetdqw.dll - Deleted



Folder C:\Documents and Settings\Joe Parsons\Application Data\WinTouch - Removed
Folder C:\Program Files\InetGet2 - Removed
Folder C:\Program Files\WinPop - Removed
Folder C:\Temp\1cb - Removed
Folder C:\Temp\fse - Removed

Removing Temp Files...

ADS Check:

C:\WINNT
No streams found.

C:\WINNT\system32
No streams found.

C:\WINNT\system32\svchost.exe
No streams found.

C:\WINNT\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-02 09:59:26
Windows 5.0.2195 Service Pack 4 NTFS

detected NTDLL code modification:
ZwQueryDirectoryFile, ZwQuerySystemInformation

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS]
"StateIndex"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\WINNT:zapoteq.bmp"

scanning hidden files ...

C:\WINNT\ydfpy1.upd 73693 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1


Remaining Services:
------------------



Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Wed 29 Aug 2007 801,398 ..SH. --- "C:\WINNT\ghjmnn.tmp"
Sun 26 Jun 2005 616,448 A.SHR --- "C:\Program Files\Replay Converter\cygwin1.dll"
Tue 21 Jun 2005 45,568 A.SHR --- "C:\Program Files\Replay Converter\cygz.dll"
Mon 9 Dec 2002 102,437 A..HR --- "C:\Program Files\Replay Converter\drv13260.dll"
Mon 9 Dec 2002 176,165 A..HR --- "C:\Program Files\Replay Converter\drv23260.dll"
Mon 9 Dec 2002 208,935 A..HR --- "C:\Program Files\Replay Converter\drv33260.dll"
Mon 9 Dec 2002 217,127 A..HR --- "C:\Program Files\Replay Converter\drv43260.dll"
Sun 9 Jun 2002 40,448 A..HR --- "C:\Program Files\Replay Converter\dspr3260.dll"
Sat 3 Nov 2001 225,280 A..HR --- "C:\Program Files\Replay Converter\ivvideo.dll"
Tue 10 Apr 2001 225,280 A..HR --- "C:\Program Files\Replay Converter\qtmlClient.dll"
Fri 20 Feb 2004 232,960 A..HR --- "C:\Program Files\Replay Converter\raac.dll"
Sun 9 Jun 2002 525,824 A..HR --- "C:\Program Files\Replay Converter\rnco3260.dll"
Mon 9 Dec 2002 245,805 A..HR --- "C:\Program Files\Replay Converter\rnlt3260.dll"
Mon 9 Dec 2002 45,093 A..HR --- "C:\Program Files\Replay Converter\rv103260.dll"
Mon 9 Dec 2002 98,341 A..HR --- "C:\Program Files\Replay Converter\rv203260.dll"
Mon 9 Dec 2002 94,247 A..HR --- "C:\Program Files\Replay Converter\rv303260.dll"
Mon 9 Dec 2002 90,151 A..HR --- "C:\Program Files\Replay Converter\rv403260.dll"
Sun 9 Jun 2002 49,152 A..HR --- "C:\Program Files\Replay Converter\tokr3260.dll"
Sun 9 Sep 2007 636,918 A.SH. --- "C:\WINNT\system32\alopssqr.tmp"
Thu 8 Mar 2007 27,648 A.SH. --- "C:\WINNT\system32\AVSredirect.dll"
Fri 24 Nov 2006 737,345 A.SH. --- "C:\WINNT\system32\bcbeg.tmp"
Sat 22 Sep 2007 124 A.SH. --- "C:\WINNT\system32\cbabc.tmp"
Thu 27 Sep 2007 6,456 A.SH. --- "C:\WINNT\system32\giiii.bak1"
Wed 5 Sep 2007 1,902,596 A.SH. --- "C:\WINNT\system32\mnpoq.tmp"
Thu 20 Sep 2007 6,448 A.SH. --- "C:\WINNT\system32\orutv.bak1"
Sat 22 Sep 2007 1,976,494 A.SH. --- "C:\WINNT\system32\orutv.bak2"
Sun 9 Sep 2007 2,236,538 A.SH. --- "C:\WINNT\system32\svyxx.tmp"
Tue 11 Sep 2007 6,456 A.SH. --- "C:\WINNT\system32\svyxx.bak1"
Sun 30 Sep 2007 124 A.SH. --- "C:\WINNT\system32\ybefe.tmp"
Fri 28 Jul 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 2 Dec 2007 0 A..H. --- "C:\Documents and Settings\Joe Parsons\Local Settings\Temp\BIT1.tmp"
Sun 2 Dec 2007 0 A..H. --- "C:\Documents and Settings\Joe Parsons\Local Settings\Temp\BIT10.tmp"
Sun 2 Dec 2007 0 A..H. --- "C:\Documents and Settings\Joe Parsons\Local Settings\Temp\BIT11.tmp"
Sun 2 Dec 2007 0 A..H. --- "C:\Documents and Settings\Joe Parsons\Local Settings\Temp\BIT13.tmp"
Sun 2 Dec 2007 0 A..H. --- "C:\Documents and Settings\Joe Parsons\Local Settings\Temp\BIT14.tmp"
Sun 2 Dec 2007 0 A..H. --- "C:\Documents and Settings\Joe Parsons\Local Settings\Temp\BIT16.tmp"
Sun 2 Dec 2007 0 A..H. --- "C:\Documents and Settings\Joe Parsons\Local Settings\Temp\BIT17.tmp"
Sun 2 Dec 2007 0 A..H. --- "C:\Documents and Settings\Joe Parsons\Local Settings\Temp\BIT1C.tmp"
Sun 2 Dec 2007 0 A..H. --- "C:\Documents and Settings\Joe Parsons\Local Settings\Temp\BIT1E.tmp"
Sun 2 Dec 2007 0 A..H. --- "C:\Documents and Settings\Joe Parsons\Local Settings\Temp\BIT2.tmp"
Sun 2 Dec 2007 0 A..H. --- "C:\Documents and Settings\Joe Parsons\Local Settings\Temp\BIT21.tmp"
Sun 2 Dec 2007 0 A..H. --- "C:\Documents and Settings\Joe Parsons\Local Settings\Temp\BIT22.tmp"
Sun 2 Dec 2007 0 A..H. --- "C:\Documents and Settings\Joe Parsons\Local Settings\Temp\BIT25.tmp"
Sun 2 Dec 2007 0 A..H. --- "C:\Documents and Settings\Joe Parsons\Local Settings\Temp\BIT27.tmp"
Sun 2 Dec 2007 0 A..H. --- "C:\Documents and Settings\Joe Parsons\Local Settings\Temp\BIT28.tmp"
Sun 2 Dec 2007 0 A..H. --- "C:\Documents and Settings\Joe Parsons\Local Settings\Temp\BIT2D.tmp"
Sun 2 Dec 2007 0 A..H. --- "C:\Documents and Settings\Joe Parsons\Local Settings\Temp\BIT2E.tmp"
Sun 2 Dec 2007 0 A..H. --- "C:\Documents and Settings\Joe Parsons\Local Settings\Temp\BIT3.tmp"
Sun 2 Dec 2007 0 A..H. --- "C:\Documents and Settings\Joe Parsons\Local Settings\Temp\BIT3B.tmp"
Sun 2 Dec 2007 0 A..H. --- "C:\Documents and Settings\Joe Parsons\Local Settings\Temp\BIT3E.tmp"
Sun 2 Dec 2007 0 A..H. --- "C:\Documents and Settings\Joe Parsons\Local Settings\Temp\BIT4.tmp"
Sun 2 Dec 2007 0 A..H. --- "C:\Documents and Settings\Joe Parsons\Local Settings\Temp\BIT5.tmp"
Sun 2 Dec 2007 0 A..H. --- "C:\Documents and Settings\Joe Parsons\Local Settings\Temp\BIT6.tmp"
Sun 2 Dec 2007 0 A..H. --- "C:\Documents and Settings\Joe Parsons\Local Settings\Temp\BIT7.tmp"
Sun 2 Dec 2007 0 A..H. --- "C:\Documents and Settings\Joe Parsons\Local Settings\Temp\BIT7D.tmp"
Sun 2 Dec 2007 0 A..H. --- "C:\Documents and Settings\Joe Parsons\Local Settings\Temp\BIT8E.tmp"
Sun 2 Dec 2007 0 A..H. --- "C:\Documents and Settings\Joe Parsons\Local Settings\Temp\BIT9.tmp"
Sun 2 Dec 2007 0 A..H. --- "C:\Documents and Settings\Joe Parsons\Local Settings\Temp\BIT99.tmp"
Sun 2 Dec 2007 0 A..H. --- "C:\Documents and Settings\Joe Parsons\Local Settings\Temp\BITA.tmp"
Sun 2 Dec 2007 0 A..H. --- "C:\Documents and Settings\Joe Parsons\Local Settings\Temp\BITA1.tmp"
Sun 2 Dec 2007 0 A..H. --- "C:\Documents and Settings\Joe Parsons\Local Settings\Temp\BITB.tmp"
Sun 2 Dec 2007 0 A..H. --- "C:\Documents and Settings\Joe Parsons\Local Settings\Temp\BITB2.tmp"
Sun 2 Dec 2007 0 A..H. --- "C:\Documents and Settings\Joe Parsons\Local Settings\Temp\BITBC.tmp"
Sun 2 Dec 2007 0 A..H. --- "C:\Documents and Settings\Joe Parsons\Local Settings\Temp\BITC5.tmp"
Wed 5 Sep 2007 7,590,000 A..H. --- "C:\WINNT\SoftwareDistribution\Download\685137a267b6e229dd95bb6ae282d1c9\BIT24.tmp"
Fri 28 Jul 2006 4,348 ...H. --- "C:\Documents and Settings\Joe Parsons\My Documents\My Music\License Backup\drmv1key.bak"
Fri 28 Jul 2006 20 A..H. --- "C:\Documents and Settings\Joe Parsons\My Documents\My Music\License Backup\drmv1lic.bak"
Fri 28 Jul 2006 312 ...H. --- "C:\Documents and Settings\Joe Parsons\My Documents\My Music\License Backup\drmv2key.bak"
Fri 28 Jul 2006 1,536 A..H. --- "C:\Documents and Settings\Joe Parsons\My Documents\My Music\License Backup\drmv2lic.bak"

Finished!
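The parts of the log above that still matter after SDFix finished are in the catchme "Final Check" and the hidden-attribute listing: catchme reports inline hooks on ZwQueryDirectoryFile and ZwQuerySystemInformation in NTDLL (the classic way a rootkit hides files and processes from every tool that goes through the normal API), the AppInit_DLLs value points at C:\WINNT:zapoteq.bmp, which is an NTFS alternate data stream attached to the WINNT directory rather than a file in it (note that SDFix's own ADS check of C:\WINNT reported no streams), catchme still sees one hidden file (C:\WINNT\ydfpy1.upd), and there are System+Hidden .tmp/.bak files sitting in system32. The script below is an added example, not part of SDFix or catchme or anything Angelfire777 posted; it reads a log in this format and pulls those indicators out so a reader can spot them without scrolling through 200 lines of output. The sample log embedded in it is a constructed excerpt in the same layout as the log in this post, and the heuristics (which extensions count as throwaway, which directories count as the system root) are this example's own assumptions.

```python
"""Triage helper for SDFix / catchme logs.

Added example for this thread; it is not part of SDFix or catchme. It reads
the text of a log in the format posted above and extracts the indicators a
responder looks at first: inline hooks reported in NTDLL, AppInit_DLLs values
(especially ones that point into an NTFS alternate data stream), files that
catchme lists as hidden, and System+Hidden files parked under the Windows
directory with throwaway extensions.
"""
import re
from dataclasses import dataclass

# Constructed sample: excerpts in the same format as the log in the post.
SAMPLE_LOG = r"""
detected NTDLL code modification:
ZwQueryDirectoryFile, ZwQuerySystemInformation

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS]
"StateIndex"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\WINNT:zapoteq.bmp"

scanning hidden files ...

C:\WINNT\ydfpy1.upd 73693 bytes

scan completed successfully
hidden files: 1

Files with Hidden Attributes:

Wed 29 Aug 2007 801,398 ..SH. --- "C:\WINNT\ghjmnn.tmp"
Sun 26 Jun 2005 616,448 A.SHR --- "C:\Program Files\Replay Converter\cygwin1.dll"
Sun 9 Sep 2007 636,918 A.SH. --- "C:\WINNT\system32\alopssqr.tmp"
Thu 8 Mar 2007 27,648 A.SH. --- "C:\WINNT\system32\AVSredirect.dll"
Sun 2 Dec 2007 0 A..H. --- "C:\Documents and Settings\Joe Parsons\Local Settings\Temp\BIT1.tmp"
"""

# A path with a second colon after the drive letter (C:\WINNT:zapoteq.bmp)
# names an alternate data stream, not a file in the directory.
ADS_PATH = re.compile(r"^[A-Za-z]:\\[^:]*:[^\\:]+$")
REG_VALUE = re.compile(r'^"([^"]+)"=(.*)$')
HIDDEN_FILE = re.compile(r"^([A-Za-z]:\\.+?) (\d+) bytes$")
ATTR_LINE = re.compile(r'^\w{3} \d{1,2} \w{3} \d{4} ([\d,]+) ([A-Z.]{5}) --- "(.+)"$')
# Assumptions of this example: what counts as a throwaway extension and
# which directories are the system root on the machines SDFix targets.
THROWAWAY_EXT = (".tmp", ".bak", ".bak1", ".bak2", ".upd")
SYSTEM_ROOTS = ("c:\\winnt\\", "c:\\windows\\")


@dataclass(frozen=True)
class Finding:
    kind: str      # class of indicator
    detail: str    # path, registry value or hooked function


def is_ads_path(path: str) -> bool:
    """True if `path` refers to an NTFS alternate data stream."""
    return ADS_PATH.match(path) is not None


def triage(log_text: str) -> list[Finding]:
    """Return the indicators found in a catchme/SDFix log, in log order."""
    findings: list[Finding] = []
    lines = [ln.strip() for ln in log_text.splitlines()]
    for i, line in enumerate(lines):
        # 1. Inline hooks in ntdll; catchme prints the function list on the next line.
        if line.startswith("detected NTDLL code modification:") and i + 1 < len(lines):
            for func in lines[i + 1].split(","):
                findings.append(Finding("ntdll_hook", func.strip()))
            continue
        # 2. Registry values. AppInit_DLLs is loaded into every process that
        #    loads user32.dll, so any entry is a persistence point; one that
        #    lives in an ADS is also invisible to a plain directory listing.
        m = REG_VALUE.match(line)
        if m:
            name, value = m.group(1), m.group(2).strip('"')
            if name.lower() == "appinit_dlls" and value:
                kind = "appinit_ads" if is_ads_path(value) else "appinit_dll"
                findings.append(Finding(kind, value))
            continue
        # 3. Files catchme could only see by going around the hooked API.
        m = HIDDEN_FILE.match(line)
        if m:
            findings.append(Finding("hidden_file", m.group(1)))
            continue
        # 4. SDFix attribute listing: System+Hidden files with throwaway
        #    extensions under the Windows directory are worth a look;
        #    read-only hidden DLLs in an application folder usually are not.
        m = ATTR_LINE.match(line)
        if m:
            attrs, path = m.group(2), m.group(3)
            low = path.lower()
            if ("S" in attrs and "H" in attrs
                    and low.startswith(SYSTEM_ROOTS)
                    and low.endswith(THROWAWAY_EXT)):
                findings.append(Finding("sys_hidden_tmp", path))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:15} {f.detail}")
```

Run against the sample it lists the two NTDLL hooks, the AppInit_DLLs stream, the one hidden file and the two System+Hidden .tmp files in WINNT, while leaving the Replay Converter DLLs and the zero-byte BITS temp files alone. It is a reading aid for the log, not a cleaner: it does not touch the registry or the files it names.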