Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Cmd Service & More

  • Please log in to reply
1 reply to this topic

#1 Maddmike125


  • Members
  • 15 posts
  • Local time:11:07 AM

Posted 19 December 2007 - 08:46 PM

hey, i think i have the same stuff wrong... please help me

SDFix: Version 1.116

Run by Administrator on Thu 12/20/2007 at 08:32 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: E:\WINDOWS\system32\SDFix

Safe Mode:
Checking Services:

Infected ip6fw.sys Found!

ip6fw.sys File Locations:

"E:\WINDOWS\system32\dllcache\ip6fw.sys" 29056 08/04/2004 07:00 AM
"E:\WINDOWS\system32\drivers\ip6fw.sys" 29056 08/04/2004 07:00 AM

Infected File Listed Below:


Trojan File copied to Backups Folder
Attempting to replace ip6fw.sys with original version...

Original ip6fw.sys Restored

Restoring Windows Registry Values
Restoring Windows Default Hosts File


Normal Mode:
Checking Files:

Trojan Files Found:

E:\Program Files\WinAble\winable(2).exe - Deleted
E:\WINDOWS\17PHolmes572.exe - Deleted
E:\WINDOWS\b147.exe - Deleted
E:\WINDOWS\mrofinu1000106.exe - Deleted
E:\WINDOWS\mrofinu572.exe - Deleted
E:\WINDOWS\mrofinu72.exe - Deleted
E:\WINDOWS\system32\drivers\symavc32.sys - Deleted
E:\WINDOWS\tk58.exe - Deleted

Folder E:\Program Files\WinAble - Removed

Removing Temp Files...

ADS Check:

No streams found.

No streams found.

No streams found.

No streams found.

Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-20 20:38:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...


scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:

Authorized Application Key Export:

"E:\\Program Files\\Steam\\Steam.exe"="E:\\Program Files\\Steam\\Steam.exe:*:Enabled:Steam"
"E:\\Program Files\\Steam\\steamapps\\maddmike125\\counter-strike source\\hl2.exe"="E:\\Program Files\\Steam\\steamapps\\maddmike125\\counter-strike source\\hl2.exe:*:Enabled:hl2"
"E:\\Program Files\\GIGABYTE\\@BIOS\\update.exe"="E:\\Program Files\\GIGABYTE\\@BIOS\\update.exe:*:Enabled:update"
"E:\\Program Files\\GIGABYTE\\@BIOS\\gwflash.exe"="E:\\Program Files\\GIGABYTE\\@BIOS\\gwflash.exe:*:Enabled:gwflash"
"E:\\Program Files\\NAMCO BANDAI Games\\Mage Knight™ Apocalypse\\MageKnight.exe"="E:\\Program Files\\NAMCO BANDAI Games\\Mage Knight™ Apocalypse\\MageKnight.exe:*:Enabled:MageKnight"
"E:\\Program Files\\NAMCO BANDAI Games\\Mage Knight™ Apocalypse\\update.exe"="E:\\Program Files\\NAMCO BANDAI Games\\Mage Knight™ Apocalypse\\update.exe:*:Enabled:Auto Update "
"E:\\Program Files\\Morpheus\\Morpheus.exe"="E:\\Program Files\\Morpheus\\Morpheus.exe:*:Enabled:Morpheus"
"E:\\Program Files\\BitTorrent\\bittorrent.exe"="E:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"E:\\Program Files\\LimeWire\\LimeWire.exe"="E:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"E:\\WINDOWS\\system32\\mmc.exe"="E:\\WINDOWS\\system32\\mmc.exe:*:Disabled:Microsoft Management Console"
"E:\\Program Files\\iTunes\\iTunes.exe"="E:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


Remaining Files:

File Backups: - E:\WINDOWS\system32\SDFix\backups\backups.zip

Files with Hidden Attributes:

Tue 2 Aug 2005 187,904 A.SHR --- "E:\WINDOWS\TmFiZXM(2)\asappsrv.dll"
Tue 2 Aug 2005 293,888 A.SHR --- "E:\WINDOWS\TmFiZXM(2)\command.exe"
Sun 9 Dec 2007 4,348 ..SH. --- "E:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 1 Nov 2007 230,400 ..SHR --- "E:\Documents and Settings\Mike\Application Data\F?nts\?hkdsk.exe"
Thu 20 Dec 2007 71,680 ..SHR --- "E:\Documents and Settings\Mike\Application Data\?ymbols\rundll.exe"
Thu 20 Dec 2007 72,704 ..SHR --- "E:\Documents and Settings\Mike\Local Settings\Temp\sdexe.exe"
Sun 9 Dec 2007 40,183 A.SH. --- "E:\Documents and Settings\Mike\Local Settings\Temp\~nsu.tmp\Au_.exe"


BC AdBot (Login to Remove)


#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,762 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:07 PM

Posted 20 December 2007 - 09:32 AM

I split your post into its own topic.

When you have an issue or problem you would like to discuss, please start your own topic. Doing that will help to avoid the confusion that often occurs when trying to help two or more people in the same thread with different problems. Even if your problem is similar to the original poster's problem, the solution could be different based on the kind of hardware, software, system requirements, etc. you are using. Further, posting for assistance in someone else's topic is not considered proper forum etiquette.

One or more of the identified infections is related to a nasty rootkit componet. Rootkits are very dangerous because they use advanced techniques as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use them as part of an exploit to to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the rootkit has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS - "When should I re-format?".

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Let me know how you wish to proceed.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users