SDFix: Version 1.115

Run by Administrator on 2007-11-19 at 13:18

Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\privacy_danger\index.htm - Deleted
C:\WINDOWS\privacy_danger\images\capt.gif - Deleted
C:\WINDOWS\privacy_danger\images\danger.jpg - Deleted
C:\WINDOWS\privacy_danger\images\down.gif - Deleted
C:\WINDOWS\privacy_danger\images\spacer.gif - Deleted
C:\Program Files\RichVideoCodec\install.ico - Deleted
C:\Program Files\RichVideoCodec\Uninstall.exe - Deleted
C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\svchost.exe - Deleted
C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\uninstall.exe - Deleted
C:\WINDOWS\dat.txt - Deleted
C:\WINDOWS\ddkret.dll - Deleted
C:\WINDOWS\rs.txt - Deleted
C:\WINDOWS\search_res.txt - Deleted

Folder C:\Program Files\RichVideoCodec - Removed
Folder C:\WINDOWS\privacy_danger - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-19 13:31:32
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:5ec3628a
"s2"=dword:a339b64d
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools"
"h0"=dword:00000000
"khjeh"=hex:54,01,67,08,89,1b,51,a2,e9,0f,37,39,a3,88,e5,78,b0,20,ed,96,8f,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,47,35,f8,29,9c,cd,fa,d5,1b,43,5c,02,d9,12,4e,9e,19,...
"khjeh"=hex:63,bb,c9,87,9b,db,86,07,17,c4,8f,2b,b3,ed,5f,80,1c,65,5a,d4,36,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:ba,c1,23,a4,59,c0,cb,51,26,aa,6c,3e,b2,1e,64,4c,ea,e6,97,74,bc,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:c0,ad,c6,f0,0f,e5,71,1a,94,97,49,c3,c9,40,d6,eb,a1,bf,fc,d5,3a,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools"
"h0"=dword:00000000
"khjeh"=hex:54,01,67,08,89,1b,51,a2,e9,0f,37,39,a3,88,e5,78,b0,20,ed,96,8f,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,47,35,f8,29,9c,cd,fa,d5,1b,43,5c,02,d9,12,4e,9e,19,...
"khjeh"=hex:63,bb,c9,87,9b,db,86,07,17,c4,8f,2b,b3,ed,5f,80,1c,65,5a,d4,36,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:ba,c1,23,a4,59,c0,cb,51,26,aa,6c,3e,b2,1e,64,4c,ea,e6,97,74,bc,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:c0,ad,c6,f0,0f,e5,71,1a,94,97,49,c3,c9,40,d6,eb,a1,bf,fc,d5,3a,...

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]
"Order"=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Konnekt\konnekt.exe"="C:\Program Files\Konnekt\konnekt.exe:*:Enabled:Konnekt - Core"
"C:\Program Files\Steam\SteamApps\cyberiany\counter-strike\hl.exe"="C:\Program Files\Steam\SteamApps\cyberiany\counter-strike\hl.exe:*:Enabled:Half-Life Launcher"
"C:\Program Files\BearShare\BearShare.exe"="C:\Program Files\BearShare\BearShare.exe:*:Enabled:BearShare"
"C:\Program Files\eMule\emule.exe"="C:\Program Files\eMule\emule.exe:*:Enabled:eMule"
"D:\FileZilla\FileZilla.exe"="D:\FileZilla\FileZilla.exe:*:Enabled:FileZilla"
"C:\Program Files\BitComet\BitComet.exe"="C:\Program Files\BitComet\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\Program Files\Migajek Software\HateML\DbgListener\DbgListener.exe"="C:\Program Files\Migajek Software\HateML\DbgListener\DbgListener.exe:*:Enabled:Listener for php debugger DBG"
"C:\usr\apache\Apache.exe"="C:\usr\apache\Apache.exe:*:Enabled:Apache"
"C:\usr\SMTP Server\localsrv.exe"="C:\usr\SMTP Server\localsrv.exe:*:Enabled:localsrv"
"C:\Program Files\DAP\DAP.exe"="C:\Program Files\DAP\DAP.exe:*:Enabled:Download Accelerator Plus (DAP)"
"E:\BitComet\Counter-Strike 1.6+ZBot\hl.exe"="E:\BitComet\Counter-Strike 1.6+ZBot\hl.exe:*:Enabled:Half-Life Launcher"
"C:\Program Files\Steam\SteamApps\cyberiany\dedicated server\hlds.exe"="C:\Program Files\Steam\SteamApps\cyberiany\dedicated server\hlds.exe:*:Enabled:HLDS Launcher"
"E:\BitComet\CS\hlds.exe"="E:\BitComet\CS\hlds.exe:*:Enabled:HLDS Launcher"
"E:\BitComet\CS\hl.exe"="E:\BitComet\CS\hl.exe:*:Enabled:Half-Life Launcher"
"C:\Program Files\Firefly Studios\Stronghold Crusader\Stronghold Crusader.exe"="C:\Program Files\Firefly Studios\Stronghold Crusader\Stronghold Crusader.exe:*:Enabled:Stronghold Crusader"
"C:\Python25\pythonw.exe"="C:\Python25\pythonw.exe:*:Enabled:pythonw"
"C:\usr\Krasnal Start.exe"="C:\usr\Krasnal Start.exe:*:Enabled:Krasnal Start"
"C:\Program Files\WapSter\AQQ\AQQ.exe"="C:\Program Files\WapSter\AQQ\AQQ.exe:*:Enabled:P2P AQQ"
"C:\PROGRA~1\WapSter\AQQ\AQQ.exe"="C:\PROGRA~1\WapSter\AQQ\AQQ.exe:*:Enabled:P2P AQQ"
"C:\Program Files\Zend\ZendStudio-5.5.0\jre\bin\javaw.exe"="C:\Program Files\Zend\ZendStudio-5.5.0\jre\bin\javaw.exe:*:Enabled:Java 2 Platform Standard Edition binary"
"C:\usr\wamp\Apache2\bin\httpd.exe"="C:\usr\wamp\Apache2\bin\httpd.exe:*:Enabled:Apache HTTP Server"
"C:\Program Files\Tlen.pl\tlen.exe"="C:\Program Files\Tlen.pl\tlen.exe:*:Enabled:Komunikator Tlen.pl"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\Program Files\IGI2\igi2.exe"="C:\Program Files\IGI2\igi2.exe:*:Enabled:igi2"
"C:\Program Files\BearShare Applications\BearShare\BearShare.exe"="C:\Program Files\BearShare Applications\BearShare\BearShare.exe:*:Enabled:BearShare"
"C:\Program Files\mIRC\mirc.exe"="C:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC"
"C:\Team17\Worms World Party\wwp.exe"="C:\Team17\Worms World Party\wwp.exe:*:Enabled:Worms World Party"
"C:\Program Files\Infogrames\Rollercoaster Tycoon 2 Wacky Worlds\rct2.exe"="C:\Program Files\Infogrames\Rollercoaster Tycoon 2 Wacky Worlds\rct2.exe:*:Enabled:rct2"
"C:\Program Files\Gadu-Gadu\gg.exe"="C:\Program Files\Gadu-Gadu\gg.exe:*:Enabled:Gadu-Gadu - program główny"
"e:\Program Files\WapSter\AQQ\AQQ.exe"="e:\Program Files\WapSter\AQQ\AQQ.exe:*:Enabled:P2P AQQ"
"E:\PROGRA~1\WapSter\AQQ\AQQ.exe"="E:\PROGRA~1\WapSter\AQQ\AQQ.exe:*:Enabled:P2P AQQ"
"C:\Documents and Settings\Administrator\Ustawienia lokalne\Temp\Rar$EX01.031\Rails Across America\rails.exe"="C:\Documents and Settings\Administrator\Ustawienia lokalne\Temp\Rar$EX01.031\Rails Across America\rails.exe:*:Enabled:Rails Across America"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:uTorrent"
"D:\Program Files\Electronic Arts\Need for Speed Carbon\nfsc.exe"="D:\Program Files\Electronic Arts\Need for Speed Carbon\nfsc.exe:*:Enabled:nfsc"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\TrackMania Nations ESWC\TmNationsESWC.exe"="C:\Program Files\TrackMania Nations ESWC\TmNationsESWC.exe:*:Enabled:TmNationsESWC"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\WapSter\WapSter AQQ\AQQ.exe"="C:\Program Files\WapSter\WapSter AQQ\AQQ.exe:*:Enabled:AQQ"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"C:\Program Files\Opera\Opera.exe"="C:\Program Files\Opera\Opera.exe:*:Enabled:Opera"
"D:\Program Files\Firefly Studios\Stronghold 2\Stronghold2.exe"="D:\Program Files\Firefly Studios\Stronghold 2\Stronghold2.exe:*:Enabled:Stronghold 2"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files:
---------------

File Backups: - C:\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes:

Thu 11 Jan 2007         2,251 A..H. --- "C:\my_cnf.bak"
Wed 13 Oct 2004     1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Fri  1 Dec 2006         4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri  1 Dec 2006           401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv14.bak"
Fri  3 Aug 2007        52,224 ..SHR --- "C:\Program Files\Selteco\Alligator Flash Designer 7 PL\Setup.exe"
Fri 16 Nov 2007           961 A..H. --- "C:\Documents and Settings\Administrator\Ustawienia lokalne\Temp\Free Download Manager\ticA6.tmp"
Fri 16 Nov 2007         1,663 A..H. --- "C:\Documents and Settings\Administrator\Ustawienia lokalne\Temp\Free Download Manager\ticE0.tmp"

Finished!