SDFix: Version 1.240
Run by Administrator on 2008-12-15 at 00:10

Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files :
No Trojan Files Found

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-15 00:15:14
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2d051fa4
"s2"=dword:a8127197
"h0"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000001
"ujdew"=hex:a0,da,fd,f5,f4,6c,75,72,8c,27,b0,03,69,1d,e8,45,c2,02,1f,e9,cf,...
"p0"="d:\Program Files\Alcohol Soft\Alcohol 120"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:2d,bb,7d,09,ee,9f,f6,30,1d,20,27,92,91,61,56,7d,92,82,e0,16,41,...
"p0"="e:\Program Files\DAEMON Tools"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"khjeh"=hex:74,e9,8e,73,55,9a,a4,aa,2a,ba,3d,9d,31,ef,ec,ed,85,c3,c0,2f,a0,...
"a0"=hex:20,01,00,00,4e,68,06,37,a7,fd,ae,97,3a,37,2f,77,ee,fe,ea,b8,a0,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:12,44,82,f7,51,82,29,7c,55,5a,e0,96,b6,b6,72,37,74,ad,24,7f,dc,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000001
"ujdew"=hex:a0,da,fd,f5,f4,6c,75,72,8c,27,b0,03,69,1d,e8,45,c2,02,1f,e9,cf,...
"p0"="d:\Program Files\Alcohol Soft\Alcohol 120"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:2d,bb,7d,09,ee,9f,f6,30,1d,20,27,92,91,61,56,7d,92,82,e0,16,41,...
"p0"="e:\Program Files\DAEMON Tools"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"khjeh"=hex:74,e9,8e,73,55,9a,a4,aa,2a,ba,3d,9d,31,ef,ec,ed,85,c3,c0,2f,a0,...
"a0"=hex:20,01,00,00,4e,68,06,37,a7,fd,ae,97,3a,37,2f,77,ee,fe,ea,b8,a0,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:12,44,82,f7,51,82,29,7c,55,5a,e0,96,b6,b6,72,37,74,ad,24,7f,dc,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000001
"ujdew"=hex:a0,da,fd,f5,f4,6c,75,72,8c,27,b0,03,69,1d,e8,45,c2,02,1f,e9,cf,...
"p0"="d:\Program Files\Alcohol Soft\Alcohol 120"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:54,2b,f4,de,fd,13,5b,5a,b1,e4,71,e3,68,fe,0a,3b,5d,ed,45,23,17,...
"p0"="e:\Program Files\DAEMON Tools"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"khjeh"=hex:74,e9,8e,73,55,9a,a4,aa,2a,ba,3d,9d,31,ef,ec,ed,85,c3,c0,2f,a0,...
"a0"=hex:20,01,00,00,4e,68,06,37,a7,fd,ae,97,3a,37,2f,77,ee,fe,ea,b8,a0,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:12,44,82,f7,51,82,29,7c,55,5a,e0,96,b6,b6,72,37,74,ad,24,7f,dc,...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\uTorrent\utorrent.exe"="C:\Program Files\uTorrent\utorrent.exe:*:Enabled:uTorrent"
"C:\Program Files\Gadu-Gadu\gg.exe"="C:\Program Files\Gadu-Gadu\gg.exe:*:Disabled:Gadu-Gadu - program glowny"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"D:\Program files\Skype\Phone\Skype.exe"="D:\Program files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"E:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="E:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"E:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="E:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"E:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="E:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\BearShare\BearShare.exe"="C:\Program Files\BearShare\BearShare.exe:*:Enabled:BearShare"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :
---------------

Files with Hidden Attributes :

Mon  6 Feb 2006          56 ..SHR --- "C:\WINDOWS\system32\89A7A0C779.sys"
Sun  9 Jul 2006       4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 22 May 2007      17,895 ...H. --- "C:\Documents and Settings\Sylwek\Dane aplikacji\Microsoft\Szablony\~WRL0003.tmp"
Wed 17 Oct 2007      21,376 ...H. --- "C:\Documents and Settings\Sylwek\Dane aplikacji\Microsoft\Szablony\~WRL1954.tmp"
Fri 28 Dec 2007      22,674 ...H. --- "C:\Documents and Settings\Sylwek\Dane aplikacji\Microsoft\Szablony\~WRL2133.tmp"
Wed  5 Sep 2007      35,840 ...H. --- "C:\Documents and Settings\Sylwek\Dane aplikacji\Microsoft\Word\~WRL0004.tmp"
Sun 27 Jan 2008     142,848 ...H. --- "C:\Documents and Settings\Sylwek\Dane aplikacji\Microsoft\Word\~WRL0650.tmp"
Sun  9 Jul 2006       4,348 ...H. --- "C:\Documents and Settings\Sylwek\Moje dokumenty\Moja muzyka\Kopia zapasowa licencji\drmv1key.bak"
Wed 16 May 2007          20 A..H. --- "C:\Documents and Settings\Sylwek\Moje dokumenty\Moja muzyka\Kopia zapasowa licencji\drmv1lic.bak"
Sat 11 Nov 2006       9,655 A.SH. --- "C:\Documents and Settings\Sylwek\Moje dokumenty\Moja muzyka\Kopia zapasowa licencji\drmv2key.bak"

Finished!