SDFix: Version 1.119

Run by Administrator on 2007-12-26 at 17:09

Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
ZZZsvc_lich

Path:
C:\lich.exe

ZZZsvc_lich - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\system32\lich.dat - Deleted

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

catchme 0.3.1333.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-26 17:16:29
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120"
"h0"=dword:00000001
"ujdew"=hex:22,a1,f4,ef,83,23,41,59,76,67,15,b3,ed,ef,33,ea,b2,1b,a5,4c,f6,…

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools"
"h0"=dword:00000000
"khjeh"=hex:a2,6b,49,21,69,6b,fe,5c,23,e5,3e,65,7d,d6,25,76,65,3f,ff,c4,77,…

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,7b,c6,7c,d8,f0,d2,58,91,b7,89,e1,2b,9d,c4,31,b3,ad,…
"khjeh"=hex:2c,73,d2,4d,a3,18,62,f5,c8,82,4a,9f,8f,2c,1a,4f,8b,bc,96,32,06,…

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:51,33,d0,c1,c9,11,95,36,ba,2b,c9,22,bc,a5,eb,08,e7,7b,da,fc,1d,…

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120"
"h0"=dword:00000001
"ujdew"=hex:23,6a,95,18,02,8c,3f,29,dd,80,15,70,19,36,3e,00,83,7a,af,5d,3c,…

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools"
"h0"=dword:00000000
"khjeh"=hex:a2,6b,49,21,69,6b,fe,5c,23,e5,3e,65,7d,d6,25,76,65,3f,ff,c4,77,…

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,7b,c6,7c,d8,f0,d2,58,91,b7,89,e1,2b,9d,c4,31,b3,ad,…
"khjeh"=hex:2c,73,d2,4d,a3,18,62,f5,c8,82,4a,9f,8f,2c,1a,4f,8b,bc,96,32,06,…

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:64,68,cd,92,48,f5,1a,a1,43,fe,dd,ef,e2,87,f5,6b,f8,26,6f,ad,59,…

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120"
"h0"=dword:00000001
"ujdew"=hex:43,49,73,ca,f4,d4,1b,3d,4f,68,10,fe,ee,e1,05,1d,40,0c,5b,ad,95,…

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools"
"h0"=dword:00000000
"khjeh"=hex:a2,6b,49,21,69,6b,fe,5c,23,e5,3e,65,7d,d6,25,76,65,3f,ff,c4,77,…

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,7b,c6,7c,d8,f0,d2,58,91,b7,89,e1,2b,9d,c4,31,b3,ad,…
"khjeh"=hex:2c,73,d2,4d,a3,18,62,f5,c8,82,4a,9f,8f,2c,1a,4f,8b,bc,96,32,06,…

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:05,0f,30,33,03,ea,1a,8a,08,38,cd,b2,cc,4e,72,eb,e9,4f,f5,7b,e2,…

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120"
"h0"=dword:00000001
"ujdew"=hex:43,49,73,ca,f4,d4,1b,3d,4f,68,10,fe,ee,e1,05,1d,40,0c,5b,ad,95,…

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools"
"h0"=dword:00000000
"khjeh"=hex:a2,6b,49,21,69,6b,fe,5c,23,e5,3e,65,7d,d6,25,76,65,3f,ff,c4,77,…

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,7b,c6,7c,d8,f0,d2,58,91,b7,89,e1,2b,9d,c4,31,b3,ad,…
"khjeh"=hex:2c,73,d2,4d,a3,18,62,f5,c8,82,4a,9f,8f,2c,1a,4f,8b,bc,96,32,06,…

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:05,0f,30,33,03,ea,1a,8a,08,38,cd,b2,cc,4e,72,eb,e9,4f,f5,7b,e2,…

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]
"Order"=hex:08,00,00,00,02,00,00,00,42,05,00,00,01,00,00,00,0a,00,00,00,8c,…

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Ares\Ares.exe"="C:\Program Files\Ares\Ares.exe:*:Enabled:Ares p2p for windows"
"C:\Program Files\Gadu-Gadu\gg.exe"="C:\Program Files\Gadu-Gadu\gg.exe:*:Enabled:Gadu-Gadu - program główny"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:uTorrent"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"D:\! Lekoman !\! programy !\totalcmd\TOTALCMD.EXE"="D:\! Lekoman !\! programy !\totalcmd\TOTALCMD.EXE:*:Enabled:Total Commander 32 bit international version, file manager replacement for Windows"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Mon 22 Oct 2007         4,348 ...SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 22 Oct 2007           401 ...SH. --- "C:\Documents and Settings\All Users\DRM\DRMv10.bak"

Finished!