SDFix: Version 1.193
Run by Natalia on 2008-06-16 at 18:21

Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
PowerManager

Path :
C:\WINDOWS\svchost.exe

PowerManager - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

C:\autorun.inf - Deleted
C:\WINDOWS\svchost.exe - Deleted

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-16 18:24:41
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="E:\undegrand\DAEMON Tools"
"h0"=dword:00000000
"khjeh"=hex:fa,0b,a6,4b,ee,77,41,15,b7,78,3b,35,d4,e9,04,cc,f8,6e,50,8c,2c,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,52,98,40,59,6b,c4,56,28,e6,3e,ec,0a,92,e9,dc,73,e4,...
"khjeh"=hex:a1,94,04,bb,c6,37,0b,a7,32,1c,4d,66,e0,55,44,0c,4b,4a,fb,57,04,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:5a,cb,17,75,f0,9b,69,e1,c4,c1,37,96,85,92,60,04,17,9d,5f,45,eb,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:d0,6a,b0,74,8e,d3,96,23,c8,35,ad,0d,f4,dc,80,37,ef,53,b2,8e,95,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:d0,6a,b0,74,8e,d3,96,23,c8,35,ad,0d,f4,dc,80,37,ef,53,b2,8e,95,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
"khjeh"=hex:d0,6a,b0,74,8e,d3,96,23,c8,35,ad,0d,f4,dc,80,37,ef,53,b2,8e,95,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="E:\undegrand\DAEMON Tools"
"h0"=dword:00000000
"khjeh"=hex:fa,0b,a6,4b,ee,77,41,15,b7,78,3b,35,d4,e9,04,cc,f8,6e,50,8c,2c,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,52,98,40,59,6b,c4,56,28,e6,3e,ec,0a,92,e9,dc,73,e4,...
"khjeh"=hex:a1,94,04,bb,c6,37,0b,a7,32,1c,4d,66,e0,55,44,0c,4b,4a,fb,57,04,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:5a,cb,17,75,f0,9b,69,e1,c4,c1,37,96,85,92,60,04,17,9d,5f,45,eb,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:d0,6a,b0,74,8e,d3,96,23,c8,35,ad,0d,f4,dc,80,37,ef,53,b2,8e,95,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:d0,6a,b0,74,8e,d3,96,23,c8,35,ad,0d,f4,dc,80,37,ef,53,b2,8e,95,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
"khjeh"=hex:d0,6a,b0,74,8e,d3,96,23,c8,35,ad,0d,f4,dc,80,37,ef,53,b2,8e,95,...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\nfs\speed2.exe"="D:\nfs\speed2.exe:*:Enabled:speed2"
"D:\dfbhdlc.exe"="D:\dfbhdlc.exe:*:Enabled:dfbhdlc"
"D:\Program Files\EA Games\Need For Speed Hot Pursuit 2\NfsHP2.ori"="D:\Program Files\EA Games\Need For Speed Hot Pursuit 2\NfsHP2.ori:*:Disabled:NfsHP2"
"D:\NYR.exe"="D:\NYR.exe:*:Disabled:NYR.EXE"
"D:\Program Files\The Rage\TheRage.exe"="D:\Program Files\The Rage\TheRage.exe:*:Enabled:TheRage"
"D:\BlueSoleil.exe"="D:\BlueSoleil.exe:*:Enabled:BlueSoleil"
"C:\Program Files\Gadu-Gadu\gg.exe"="C:\Program Files\Gadu-Gadu\gg.exe:*:Enabled:Gadu-Gadu - program g˘wny"
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe"="C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe"="C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe"="C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe"="C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 14 Sep 2006        20,480 ...SHR --- "C:\Recycled\ctfmon.exe"
Thu 14 Sep 2006        20,480 ...SHR --- "C:\Recycled\Recycled\ctfmon.exe"
Wed 27 Sep 2006            56 ...SHR --- "C:\WINDOWS\system32\4DC9CDCA12.sys"
Wed 27 Sep 2006         9,188 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Thu  5 Jan 2006         4,348 ...SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun  5 Nov 2006        22,528 ...H.  --- "C:\Documents and Settings\Natalia\Dane aplikacji\Microsoft\Word~WRL1627.tmp"

Finished!