SDFix: Version 1.114

Run by Maciek on 2007-11-12 at 07:36

Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting…

Normal Mode:
Checking Files:

Trojan Files Found:

C:\DOCUME~1\Maciek\USTAWI~1\Temp\uninstall.exe - Deleted

Removing Temp Files…

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-12 07:39:45
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes …

scanning hidden services & system hive …

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
"p0"="C:\Program Files\DAEMON Tools Pro"
"h0"=dword:00000001
"hdf12"=hex:52,e6,34,3a,07,bb,71,13,ce,4a,96,25,97,42,23,1f,90,d6,f2,b9,d4,…

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]
"a0"=hex:20,01,00,00,81,6d,32,5f,94,40,79,b0,21,3f,5d,7c,df,d3,63,5b,c7,…
"hdf12"=hex:4f,aa,b0,e1,c8,b8,e9,d9,4d,17,5b,ad,7c,67,96,44,28,4c,80,45,a7,…

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]
"hdf12"=hex:78,ae,83,6e,68,a2,a8,50,59,67,dc,a0,a7,68,ee,68,61,c6,86,2d,f3,…

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002]
"a0"=hex:20,01,00,00,2c,45,34,5f,9d,18,14,01,0c,e1,31,12,f1,d7,42,a2,61,…
"hdf12"=hex:db,74,63,c8,43,6a,40,28,2f,3d,87,3e,48,f7,8e,1a,4b,1f,4b,03,26,…

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0]
"hdf12"=hex:f6,59,63,20,cc,9f,fd,2c,7f,9b,05,2e,20,30,7b,4d,a0,0e,60,49,9c,…

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools"
"h0"=dword:00000000
"khjeh"=hex:6a,5b,72,6f,00,10,b9,1f,1b,c6,73,12,20,b2,39,b4,07,6d,d2,4e,f6,…

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,50,83,0c,ae,41,aa,b6,c0,c8,fc,84,c9,04,c7,24,1b,86,…
"khjeh"=hex:00,4d,97,1b,d2,d6,30,6f,22,ca,49,c4,00,7b,32,89,aa,81,bd,06,ee,…

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:fe,fe,e3,3d,2d,1a,83,93,bd,73,0a,99,3a,b4,88,2c,8d,90,18,59,4b,…

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
"p0"="C:\Program Files\DAEMON Tools Pro"
"h0"=dword:00000001
"hdf12"=hex:52,e6,34,3a,07,bb,71,13,ce,4a,96,25,97,42,23,1f,90,d6,f2,b9,d4,…

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]
"a0"=hex:20,01,00,00,81,6d,32,5f,94,40,79,b0,21,3f,5d,7c,df,d3,63,5b,c7,…
"hdf12"=hex:4f,aa,b0,e1,c8,b8,e9,d9,4d,17,5b,ad,7c,67,96,44,28,4c,80,45,a7,…

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]
"hdf12"=hex:78,ae,83,6e,68,a2,a8,50,59,67,dc,a0,a7,68,ee,68,61,c6,86,2d,f3,…

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002]
"a0"=hex:20,01,00,00,2c,45,34,5f,9d,18,14,01,0c,e1,31,12,f1,d7,42,a2,61,…
"hdf12"=hex:db,74,63,c8,43,6a,40,28,2f,3d,87,3e,48,f7,8e,1a,4b,1f,4b,03,26,…

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0]
"hdf12"=hex:f6,59,63,20,cc,9f,fd,2c,7f,9b,05,2e,20,30,7b,4d,a0,0e,60,49,9c,…

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools"
"h0"=dword:00000000
"khjeh"=hex:6a,5b,72,6f,00,10,b9,1f,1b,c6,73,12,20,b2,39,b4,07,6d,d2,4e,f6,…

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,50,83,0c,ae,41,aa,b6,c0,c8,fc,84,c9,04,c7,24,1b,86,…
"khjeh"=hex:00,4d,97,1b,d2,d6,30,6f,22,ca,49,c4,00,7b,32,89,aa,81,bd,06,ee,…

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:fe,fe,e3,3d,2d,1a,83,93,bd,73,0a,99,3a,b4,88,2c,8d,90,18,59,4b,…

scanning hidden registry entries …

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]
"Order"=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,…

scanning hidden files …

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:uTorrent"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Documents and Settings\Maciek\Pulpit\WoWPlanet-Forumwow.Net-Ascent-TBC~15.09.07~\diskw\usr\local\Apache2\bin\Apache.exe"="C:\Documents and Settings\Maciek\Pulpit\WoWPlanet-Forumwow.Net-Ascent-TBC~15.09.07~\diskw\usr\local\Apache2\bin\Apache.exe:*:Enabled:Apache HTTP Server"
"C:\Documents and Settings\Maciek\Pulpit\WoWPlanet-Forumwow.Net-Ascent-TBC~15.09.07~\diskw\usr\local\mysql\bin\mysqld-nt.exe"="C:\Documents and Settings\Maciek\Pulpit\WoWPlanet-Forumwow.Net-Ascent-TBC~15.09.07~\diskw\usr\local\mysql\bin\mysqld-nt.exe:*:Enabled:mysqld-nt"
"C:\Documents and Settings\Maciek\Pulpit\WoWPlanet-Forumwow.Net-Ascent-TBC~15.09.07~\logonserver.exe"="C:\Documents and Settings\Maciek\Pulpit\WoWPlanet-Forumwow.Net-Ascent-TBC~15.09.07~\logonserver.exe:*:Enabled:logonserver"
"C:\Documents and Settings\Maciek\Pulpit\WoWPlanet-Forumwow.Net-Ascent-TBC~15.09.07~\ascent.exe"="C:\Documents and Settings\Maciek\Pulpit\WoWPlanet-Forumwow.Net-Ascent-TBC~15.09.07~\ascent.exe:*:Enabled:ascent"
"C:\Program Files\Gadu-Gadu\gg.exe"="C:\Program Files\Gadu-Gadu\gg.exe:*:Enabled:Gadu-Gadu - program główny"
"C:\Documents and Settings\Maciek\Pulpit\WoWPlanet-Forumwow.Net-Ascent-TBC~15.09.07~\start.bat"="C:\Documents and Settings\Maciek\Pulpit\WoWPlanet-Forumwow.Net-Ascent-TBC~15.09.07~\start.bat:*:Enabled:start"
"C:\Documents and Settings\Maciek\Ustawienia lokalne\Temp\nsh539.tmp\utorrent.exe"="C:\Documents and Settings\Maciek\Ustawienia lokalne\Temp\nsh539.tmp\utorrent.exe:*:Enabled:uTorrent"
"C:\Program Files\World of Warcraft\Repair.exe"="C:\Program Files\World of Warcraft\Repair.exe:*:Enabled:Blizzard Repair Utility"
"C:\Program Files\mIRC\mirc.exe"="C:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\Program Files\Warcraft III\Warcraft III.exe"="C:\Program Files\Warcraft III\Warcraft III.exe:*:Enabled:Warcraft III"
"C:\Documents and Settings\Maciek\Pulpit\CabalTemp\ESTSetupLoader.exe"="C:\Documents and Settings\Maciek\Pulpit\CabalTemp\ESTSetupLoader.exe:*:Enabled:EST! download engine"
"C:\Program Files\BearShare Applications\BearShare\BearShare.exe"="C:\Program Files\BearShare Applications\BearShare\BearShare.exe:*:Enabled:BearShare"
"C:\Program Files\The All-Seeing Eye\eye.exe"="C:\Program Files\The All-Seeing Eye\eye.exe:*:Enabled:Yahoo! All-Seeing Eye"
"D:\Star Wars Jedi Knight Jedi Academy\GameData\jamp.exe"="D:\Star Wars Jedi Knight Jedi Academy\GameData\jamp.exe:*:Enabled:Jedi Academy MultiPlayer"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Thu 20 Sep 2007           0 A…H. --- "C:\WINDOWS\SoftwareDistribution\Download\8d097da1e8c89a333191843e23dfc161\BIT8.tmp"

Finished!