SDFix: Version 1.115
Run by User on 2007-11-19 at 19:38

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Trojan Files Found:

C:\DOCUME~1\User\USTAWI~1\Temp\GLF10.tmp.dll - Deleted
C:\DOCUME~1\User\USTAWI~1\Temp\GLF66.tmp.dll - Deleted
C:\WINDOWS\services.exe - Deleted
C:\WINDOWS\system32\tmp1.tmp - Deleted
C:\WINDOWS\system32\tmp2.tmp - Deleted
C:\WINDOWS\system32\tmp27.tmp - Deleted
C:\WINDOWS\system32\tmp2A.tmp - Deleted
C:\WINDOWS\system32\tmp3.tmp - Deleted
C:\WINDOWS\system32\tmp36.tmp - Deleted
C:\WINDOWS\system32\tmp3A4.tmp - Deleted
C:\WINDOWS\system32\tmp4.tmp - Deleted
C:\WINDOWS\system32\tmp5.tmp - Deleted
C:\WINDOWS\system32\tmpE.tmp - Deleted

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-19 19:44:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:f5,9a,e0,dd,4d,45,d4,76,01,a6,d9,29,8a,d1,f2,66,43,9e,e6,2d,d5,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:236a9b9c
"s2"=dword:1101a8bb
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:b2,97,ce,72,34,8e,f9,f5,92,50,3e,c4,39,37,35,f9,79,6c,cb,4e,58,...
"p0"="C:\Program Files\DAEMON Tools"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,77,9b,e2,f8,2c,ab,b4,d8,cb,9a,64,70,e9,52,9c,07,69,...
"khjeh"=hex:ef,b0,71,56,73,2c,b5,e7,c3,bb,c6,d2,ad,77,42,56,7b,e5,d4,8d,5f,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:3d,20,49,90,9a,c8,52,72,c9,0b,c6,cb,18,ae,2a,ba,2d,90,44,47,60,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:27,96,87,bf,de,e7,5d,b3,2f,90,01,f7,34,49,3c,5c,ea,9e,7a,2e,82,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:b2,97,ce,72,34,8e,f9,f5,92,50,3e,c4,39,37,35,f9,79,6c,cb,4e,58,...
"p0"="C:\Program Files\DAEMON Tools"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,77,9b,e2,f8,2c,ab,b4,d8,cb,9a,64,70,e9,52,9c,07,69,...
"khjeh"=hex:ef,b0,71,56,73,2c,b5,e7,c3,bb,c6,d2,ad,77,42,56,7b,e5,d4,8d,5f,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:3d,20,49,90,9a,c8,52,72,c9,0b,c6,cb,18,ae,2a,ba,2d,90,44,47,60,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:27,96,87,bf,de,e7,5d,b3,2f,90,01,f7,34,49,3c,5c,ea,9e,7a,2e,82,...

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]
"Order"=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\FlashGet\flashget.exe"="C:\Program Files\FlashGet\flashget.exe:*:Enabled:Flashget"
"C:\Program Files\Electronic Arts\Bitwa o Śródziemie II\game.dat"="C:\Program Files\Electronic Arts\Bitwa o Śródziemie II\game.dat:*:Enabled:Bitwa o Śródziemiet II"
"C:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe"="C:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:*:Enabled:GPGNet - Supreme Commander"
"C:\Program Files\EA GAMES\Battlefield 2\BF2.exe"="C:\Program Files\EA GAMES\Battlefield 2\BF2.exe:*:Enabled:Battlefield 2"
"C:\Program Files\IncrediMail\bin\ImApp.exe"="C:\Program Files\IncrediMail\bin\ImApp.exe:*:Enabled:IncrediMail"
"C:\Program Files\IncrediMail\bin\IncMail.exe"="C:\Program Files\IncrediMail\bin\IncMail.exe:*:Enabled:IncrediMail"
"C:\Program Files\IncrediMail\bin\ImpCnt.exe"="C:\Program Files\IncrediMail\bin\ImpCnt.exe:*:Enabled:IncrediMail"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Wed 13 Oct 2004 1,694,208 …SH. — "C:\Program Files\Messenger\msmsgs.exe"
Tue 3 Aug 2004 705,024 A.SH. — "C:\Program Files\Outlook Express\MSIMN.EXE"
Sun 22 Jul 2007 4,348 …SH. — "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 26 Oct 2007 444 …HR — "C:\Documents and Settings\User\Dane aplikacji\SecuROM\UserData\securom_v7_01.bak"

Finished!
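Two things in the report above are worth automating when triaging such logs: the deleted C:\WINDOWS\services.exe (the genuine services.exe lives in system32, so a copy one directory up is a classic name-masquerade) and the .tmp.dll files dropped in the user's Temp folder, plus the exported XP firewall AuthorizedApplications list, whose values follow the path:scope:state:description layout. The Python below is an added example, not part of SDFix, catchme or the original post; it parses those two sections from a constructed copy of a few entries and flags the masquerading and Temp-DLL cases. The expected-directory table and the expansion of %windir% to C:\WINDOWS are assumptions made for illustration.

```python
"""Parse the file and firewall sections of an SDFix-style report and flag
masquerading binaries.  Added example; the sample report is constructed
from entries in the log above, not read from a real SDFix run."""
import ntpath
import re

# Core XP binaries and the directory each belongs in (assumption: a short
# illustrative table, not an exhaustive list of Windows system binaries).
EXPECTED_DIR = {
    "services.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Constructed sample: a subset of the lines shown in the report above.
SAMPLE_REPORT = r"""
Trojan Files Found:
C:\DOCUME~1\User\USTAWI~1\Temp\GLF10.tmp.dll - Deleted
C:\WINDOWS\services.exe - Deleted
C:\WINDOWS\system32\tmp1.tmp - Deleted
Removing Temp Files...
Authorized Application Key Export:
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"""

# "<path> - Deleted" lines from the Trojan Files Found section.
FILE_LINE = re.compile(r"^(?P<path>[A-Za-z%].*?) - (?P<action>Deleted|Not Deleted)\s*$")
# "name"="data" lines from the registry export (straight quotes).
REG_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"\s*$')


def parse_authorized_app(data):
    """Split an XP firewall AuthorizedApplications value into its fields.
    The layout is path:scope:state:description; the path itself contains a
    colon, so split from the right.  Descriptions containing ':' are not
    handled (assumption: none occur in this report)."""
    path, scope, state, name = data.rsplit(":", 3)
    return {"path": path, "scope": scope,
            "enabled": state.lower() == "enabled", "name": name}


def masquerading(path):
    """Return a reason if the file looks like a masquerading system binary
    or a DLL dropped in a Temp directory, else None.  %windir% is expanded
    to the XP default C:\WINDOWS (assumption)."""
    p = path.lower().replace("%windir%", r"c:\windows")
    directory, base = ntpath.split(p)       # ntpath handles '\' on any OS
    expected = EXPECTED_DIR.get(base)
    if expected and directory != expected:
        return f"{base} expected in {expected}, found in {directory}"
    if base.endswith(".dll") and "\\temp\\" in p:
        return "DLL located in a Temp directory"
    return None


def parse_report(text):
    """Return ([(path, action), ...], [authorized-app dicts, ...])."""
    found, apps = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_LINE.match(line)
        if m:
            found.append((m["path"], m["action"]))
            continue
        m = REG_LINE.match(line)
        if m:
            apps.append(parse_authorized_app(m["data"]))
    return found, apps


def suspicious(text):
    """List (path, reason) for every flagged file or firewall exception."""
    found, apps = parse_report(text)
    paths = [p for p, _ in found] + [a["path"] for a in apps]
    return [(p, masquerading(p)) for p in paths if masquerading(p)]


if __name__ == "__main__":
    for path, reason in suspicious(SAMPLE_REPORT):
        print(f"{path}: {reason}")
```

Run as-is it reports the Temp DLL and the misplaced services.exe and stays quiet about the sessmgr.exe and Skype exceptions; on a real report, extend EXPECTED_DIR with the binaries you care about and feed the file in place of SAMPLE_REPORT.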