WiredWX Christian Hobby Weather Tools
Re: Stealth Intrusion
SDFix: Version 1.240
Run by Valerie on Fri 02/19/2010 at 11:06 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-20 08:47:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20]
"RefCount"=dword:00000002

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\dlcjcoms.exe"="C:\\WINDOWS\\system32\\dlcjcoms.exe:*:Enabled:Dell 964 Server"
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dlcjpswx.exe"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dlcjpswx.exe:*:Enabled:Dell 964 Printer Status"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Intuit\\QuickBooks 2005\\QBDBMgrN.exe"="C:\\Program Files\\Intuit\\QuickBooks 2005\\QBDBMgrN.exe:*:Enabled:QuickBooks 2008 Data Manager"
"C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"="C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"
"C:\\Program Files\\Common Files\\Intuit\\Update Service\\IntuitUpdateService.exe"="C:\\Program Files\\Common Files\\Intuit\\Update Service\\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\AVG\\AVG8\\avgam.exe"="C:\\Program Files\\AVG\\AVG8\\avgam.exe:*:Enabled:avgam.exe"
"C:\\Program Files\\AVG\\AVG8\\avgdiag.exe"="C:\\Program Files\\AVG\\AVG8\\avgdiag.exe:*:Enabled:avgdiag.exe"
"C:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"="C:\\Program Files\\AVG\\AVG8\\avgdiagex.exe:*:Enabled:avgdiagex.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"="C:\\Program Files\\AVG\\AVG8\\avgnsx.exe:*:Enabled:avgnsx.exe"
"C:\\Program Files\\AVG\\AVG9\\avgam.exe"="C:\\Program Files\\AVG\\AVG9\\avgam.exe:*:Enabled:avgam.exe"
"C:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"="C:\\Program Files\\AVG\\AVG9\\avgdiagex.exe:*:Enabled:avgdiagex.exe"
"C:\\Program Files\\AVG\\AVG9\\avgupd.exe"="C:\\Program Files\\AVG\\AVG9\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG9\\avgnsx.exe"="C:\\Program Files\\AVG\\AVG9\\avgnsx.exe:*:Enabled:avgnsx.exe"
"C:\\Documents and Settings\\Valerie\\Application Data\\mjusbsp\\magicJack.exe"="C:\\Documents and Settings\\Valerie\\Application Data\\mjusbsp\\magicJack.exe:*:Enabled:magicJack"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"="C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Wed 21 Jan 2004 61,440 ...H. --- "C:\Program Files\MSN\msnupdate!@#@.exe"
Wed 21 Jan 2004 292,864 ...H. --- "C:\Program Files\MSN\txsrvc.dll"
Wed 21 Jan 2004 302,080 ...H. --- "C:\Program Files\MSN\unicows.dll"
Sun 20 Jul 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 17 Feb 2010 49,664 ...H. --- "C:\Documents and Settings\Valerie\My Documents\~WRL2543.tmp"
Tue 14 Oct 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Wed 16 Jan 2008 30,208 ...H. --- "C:\Documents and Settings\Valerie\My Documents\Stationary\~WRL0001.tmp"
Wed 9 Dec 2009 32,256 ...H. --- "C:\Documents and Settings\Valerie\My Documents\Stationary\~WRL4002.tmp"
Sun 26 Apr 2009 266,752 ...H. --- "C:\Documents and Settings\Valerie\Application Data\Microsoft\Templates\~WRL0189.tmp"
Fri 10 Jul 2009 172,544 ...H. --- "C:\Documents and Settings\Valerie\Application Data\Microsoft\Word\~WRL0115.tmp"
Wed 25 Nov 2009 585,728 ...H. --- "C:\Documents and Settings\Valerie\Application Data\Microsoft\Word\~WRL0341.tmp"
Fri 22 Jan 2010 712,192 ...H. --- "C:\Documents and Settings\Valerie\Application Data\Microsoft\Word\~WRL0356.tmp"
Tue 8 Sep 2009 367,104 ...H. --- "C:\Documents and Settings\Valerie\Application Data\Microsoft\Word\~WRL2661.tmp"
Tue 6 Oct 2009 428,032 ...H. --- "C:\Documents and Settings\Valerie\Application Data\Microsoft\Word\~WRL2817.tmp"
Sun 2 Aug 2009 271,872 ...H. --- "C:\Documents and Settings\Valerie\Application Data\Microsoft\Word\~WRL2879.tmp"
Wed 24 Jun 2009 134,656 ...H. --- "C:\Documents and Settings\Valerie\Application Data\Microsoft\Word\~WRL3678.tmp"
Fri 10 Apr 2009 725,296 A..H. --- "C:\Documents and Settings\Valerie\Application Data\mjusbsp\ar00000\install.exe"
Fri 10 Apr 2009 6,327,408 A..H. --- "C:\Documents and Settings\Valerie\Application Data\mjusbsp\in00000\setup.exe"
Fri 10 Apr 2009 725,296 A..H. --- "C:\Documents and Settings\Valerie\Application Data\mjusbsp\Upgrade\install1.exe"
Fri 10 Apr 2009 6,327,408 A..H. --- "C:\Documents and Settings\Valerie\Application Data\mjusbsp\Upgrade\setup1.exe"
Sun 20 Jul 2008 4,348 ...H. --- "C:\Documents and Settings\Valerie\My Documents\My Music\License Backup\drmv1key.bak"
Mon 28 Jul 2008 20 ...H. --- "C:\Documents and Settings\Valerie\My Documents\My Music\License Backup\drmv1lic.bak"
Sun 20 Jul 2008 400 ...H. --- "C:\Documents and Settings\Valerie\My Documents\My Music\License Backup\drmv2key.bak"
Mon 28 Jul 2008 1,536 ...H. --- "C:\Documents and Settings\Valerie\My Documents\My Music\License Backup\drmv2lic.bak"

Finished!

Re: Stealth Intrusion
We need to do some more diagnostics to make sure your computer is clean.

1. Please download Rooter and save it to your desktop

  1. Double click it to start the tool.
  2. Click Scan.
  3. Eventually, a Notepad file containing the report will open, also found at C:\Rooter.txt. Post that log in your next reply.



2. Download LockSearch to your desktop

  • A window will pop up. Press 2 and then Enter. A scan will start; let it run uninterrupted. It should only take a few minutes.
  • A log will appear when it is finished. It will also be saved in the same location as LockSearch, which should be on your desktop. Post the contents of the log in your reply.


3. Please download CKScanner by askey127 from here

Save it to your desktop.
  • Double-click CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.


4. I request the following logs to be posted in your next reply, please:
-Rooter
-LockSearch
-CKScanner

Thanks.

Re: Stealth Intrusion
Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP . (5.1.2600) Service Pack 3
[32_bits] - x86 Family 15 Model 4 Stepping 1, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[SharedAccess] RUNNING (state:4)
Windows Firewall -> Disabled !

.
Internet Explorer 8.0.6001.18702
.
C:\ [Fixed-NTFS] .. ( Total:232 Go - Free:211 Go )
D:\ [CD_Rom]
E:\ [CD_Rom]
F:\ [Removable]
.
Scan : 10:30.40
Path : C:\Documents and Settings\Valerie\Desktop\Rooter.exe
User : Valerie ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (892)
______ \??\C:\WINDOWS\system32\csrss.exe (940)
______ \??\C:\WINDOWS\system32\winlogon.exe (964)
______ C:\WINDOWS\system32\services.exe (1008)
______ C:\WINDOWS\system32\lsass.exe (1020)
______ C:\WINDOWS\system32\svchost.exe (1224)
______ C:\WINDOWS\system32\svchost.exe (1312)
______ C:\WINDOWS\System32\svchost.exe (1436)
______ C:\WINDOWS\system32\svchost.exe (1572)
______ C:\WINDOWS\system32\svchost.exe (1684)
______ C:\Program Files\AVG\AVG9\avgchsvx.exe (1772)
______ C:\Program Files\AVG\AVG9\avgrsx.exe (1780)
______ C:\WINDOWS\system32\spoolsv.exe (1908)
Locked AVGIDSAgent.exe (1948)
______ C:\Program Files\AVG\AVG9\avgcsrvx.exe (1984)
______ C:\WINDOWS\Explorer.EXE (620)
______ C:\WINDOWS\system32\svchost.exe (1568)
______ C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe (1624)
Locked avgwdsvc.exe (1676)
Locked avgfws9.exe (1696)
______ C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe (328)
______ C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe (644)
Locked avgam.exe (1516)
______ C:\Program Files\AVG\AVG9\avgnsx.exe (1832)
______ C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (2528)
______ C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (2568)
______ C:\WINDOWS\system32\svchost.exe (2764)
______ C:\WINDOWS\system32\WFXSVC.EXE (2792)
______ C:\Program Files\WinFax\WFXMOD32.EXE (2856)
______ C:\WINDOWS\System32\alg.exe (3832)
______ C:\Program Files\AVG\AVG9\avgcsrvx.exe (3704)
______ C:\WINDOWS\System32\svchost.exe (3804)
______ C:\WINDOWS\system32\dllhost.exe (3496)
______ C:\WINDOWS\system32\msdtc.exe (1768)
______ C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe (4024)
______ C:\Program Files\Internet Explorer\IEXPLORE.EXE (3656)
______ C:\Program Files\Internet Explorer\IEXPLORE.EXE (2308)
______ C:\WINDOWS\system32\dlcjcoms.exe (1416)
______ C:\Program Files\AVG\AVG9\avgui.exe (112)
______ C:\Documents and Settings\Valerie\Desktop\Rooter.exe (5992)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:249990902784)
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
C:\WINDOWS\Tasks\SA.DAT
C:\WINDOWS\Tasks\User_Feed_Synchronization-{76D70BD6-ADEF-4772-B82F-52AD730EEB58}.job
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 10:31.07
.
C:\Rooter$\Rooter_1.txt - (20/02/2010 | 10:31.07)

LockSearch by jpshortstuff (05.11.09.1)
Log created at 10:32 on 20/02/2010 (Valerie)
Scanning C:\


C:\pagefile.sys
-------------------------

-=E.O.F=-

CKScanner - Additional Security Risks - These are not necessarily bad
c:\documents and settings\valerie\my documents\photoshow print & share\_photoshow\music\rock\crackthesky_mind.swf
c:\documents and settings\valerie\my documents\photoshow print & share\_photoshow\music\rock\crackthesky_mind_image.swf
c:\program files\jasc software inc\paint shop pro studio\bump maps\cracked desert.pspimage
c:\program files\jasc software inc\paint shop pro studio\patterns\cracked paint.pspimage
scanner sequence 3.CA.11
----- EOF -----

Re: Stealth Intrusion
I would say clean.

How is the computer running now?

Re: Stealth Intrusion
It is working very nicely, thank you!!!! I personally want to thank you for all your help. You truly are a MASTER!!! I also donated to Geek Police this morning... it is well worth the money. Until we meet again... A BIG THANKS!!

Re: Stealth Intrusion
You're welcome.
