[b]SDFix: Version 1.178 [/b]
Run by Administrator on 2008-05-03 at 15:30

Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix

[b]Checking Services [/b]:

[b]Name [/b]:
MSDisk
Windows NT application

[b]Path [/b]:
"C:\WINDOWS\System32\irdvxc.exe" /service
"C:\WINDOWS\winlogon.exe"

MSDisk - Deleted
Windows NT application - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting

[b]Checking Files [/b]:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\CBOCR(2).DLL - Deleted
C:\WINDOWS\SYSTEM32\CBOCR.DLL - Deleted
C:\DOCUME~1\MONIA\CBOCR.DLL - Deleted
C:\WINDOWS\SYSTEM32\YGSVX.EXE - Deleted
C:\Program Files\Common Files\Yazzle1560OinAdmin.exe - Deleted
C:\Program Files\Common Files\Yazzle1560OinUninstaller.exe - Deleted
C:\WINDOWS\b128.exe - Deleted
C:\WINDOWS\b152.exe - Deleted
C:\WINDOWS\mrofinu1001186.exe - Deleted
C:\WINDOWS\mrofinu1001186.exe.tmp - Deleted
C:\WINDOWS\system32\TFTP2856 - Deleted
C:\WINDOWS\system32\TFTP1940 - Deleted
C:\adware.exe - Deleted
C:\WINDOWS\system32\msnmanegers.exe - Deleted
C:\WINDOWS\system32\mssmpp.exe - Deleted

Removing Temp Files

[b]ADS Check [/b]:

[b]Final Check [/b]:

catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-03 15:34:44
Windows 5.1.2600 FAT NTAPI

detected NTDLL code modification:
ZwEnumerateValueKey, ZwOpenFile, ZwQueryDirectoryFile, ZwQuerySystemInformation

scanning hidden processes ...

C:\WINDOWS\System32\VT100.EXE [2940] 0x81A6BDA8

scanning hidden services ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
VT100 Emulator = C:\WINDOWS\System32\VT100.EXE

scanning hidden files ...

C:\WINDOWS\system32\VT100.EXE 102400 bytes

scan completed successfully
hidden processes: 1
hidden services: 0
hidden files: 1

[b]Remaining Services [/b]:

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[b]Remaining Files [/b]:

[b]Files with Hidden Attributes [/b]:

Fri 2 May 2008 49,664 A..H. --- "C:\WINDOWS\system32\chshl.exe"
Sat 3 May 2008 89,088 A..H. --- "C:\WINDOWS\system32\hqsw.exe"
Fri 2 May 2008 33,204 A..H. --- "C:\WINDOWS\system32\lmumug.exe"
Fri 2 May 2008 125,952 A..H. --- "C:\WINDOWS\system32\ubaut.exe"
Fri 2 May 2008 40,448 A..H. --- "C:\WINDOWS\system32\nuaw.exe"
Fri 2 May 2008 69,632 A..H. --- "C:\WINDOWS\system32\anpfx.exe"
Fri 2 May 2008 113,664 A..H. --- "C:\WINDOWS\system32\osxedg.exe"
Fri 2 May 2008 46,592 A..H. --- "C:\WINDOWS\system32\ynytqar.exe"
Fri 2 May 2008 56,832 A..H. --- "C:\WINDOWS\system32\lvcix.exe"
Fri 2 May 2008 49,360 A..H. --- "C:\WINDOWS\system32\duywtcl.exe"
Fri 2 May 2008 149,504 A..H. --- "C:\WINDOWS\system32\mifmgmg.exe"
Fri 2 May 2008 120,832 A..H. --- "C:\WINDOWS\system32\ospm.exe"
Fri 2 May 2008 40,448 A..H. --- "C:\WINDOWS\system32\lhxanlx.exe"
Fri 2 May 2008 112,128 A..H. --- "C:\WINDOWS\system32\mqsx.exe"
Fri 2 May 2008 45,568 A..H. --- "C:\WINDOWS\system32\ebbngf.exe"
Fri 2 May 2008 94,644 A..H. --- "C:\WINDOWS\system32\xydsbp.exe"
Fri 2 May 2008 73,728 A..H. --- "C:\WINDOWS\system32\qnkdxgq.exe"
Fri 2 May 2008 85,276 A..H. --- "C:\WINDOWS\system32\yklhtym.exe"
Fri 2 May 2008 80,896 A..H. --- "C:\WINDOWS\system32\tejjdpf.exe"
Fri 2 May 2008 108,544 A..H. --- "C:\WINDOWS\system32\pkxblow.exe"
Fri 2 May 2008 111,824 A..H. --- "C:\WINDOWS\system32\enlhzudj.exe"
Fri 2 May 2008 120,832 A..H. --- "C:\WINDOWS\system32\xqazm.exe"
Fri 2 May 2008 120,832 A..H. --- "C:\WINDOWS\system32\bowb.exe"
Fri 2 May 2008 1,179,648 ..SH. --- "C:\WINDOWS\system32\redyLive.exe"
Fri 2 May 2008 31,232 A..H. --- "C:\WINDOWS\system32\gsica.exe"
Fri 2 May 2008 120,832 A..H. --- "C:\WINDOWS\system32\erqhclg.exe"
Fri 2 May 2008 120,832 A..H. --- "C:\WINDOWS\system32\xoybuynn.exe"
Fri 2 May 2008 68,152 A..H. --- "C:\WINDOWS\system32\xldo.exe"
Fri 2 May 2008 44,141 A..H. --- "C:\WINDOWS\system32\xdlzlngu.exe"
Fri 2 May 2008 72,096 A..H. --- "C:\WINDOWS\system32\uglskcqz.exe"
Fri 2 May 2008 113,588 A..H. --- "C:\WINDOWS\system32\xtbvuck.exe"
Fri 2 May 2008 113,664 A..H. --- "C:\WINDOWS\system32\xbcm.exe"
Fri 2 May 2008 24,328 A..H. --- "C:\WINDOWS\system32\ilxwg.exe"
Fri 2 May 2008 51,200 A..H. --- "C:\WINDOWS\system32\ddds.exe"
Fri 2 May 2008 52,736 A..H. --- "C:\WINDOWS\system32\rhdg.exe"
Fri 2 May 2008 73,728 A..H. --- "C:\WINDOWS\system32\sinnpc.exe"

[b]Finished![/b]