SDFix: Version 1.113

Run by Wojciech on Fri 11/02/2007 at 11:24 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: D:\a\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Trojan Files Found:

D:\WINDOWS\hupsrv.dll - Deleted
D:\WINDOWS\sdrmod.dll - Deleted
D:\WINDOWS\wtopmod.exe - Deleted

Removing Temp Files...

ADS Check:

D:\WINDOWS
No streams found.

D:\WINDOWS\system32
No streams found.

D:\WINDOWS\system32\svchost.exe
No streams found.

D:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

catchme 0.3.1253 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-02 11:32:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:3a,77,e4,99,29,39,7c,f9,06,78,82,1d,cb,ff,3e,93,bc,9e,0d,47,ab,...
"p0"="D:\Program Files\Alcohol Soft\Alcohol 120"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:b6,1d,cc,c2,33,9c,e2,40,ef,d4,05,4c,97,e3,cd,f5,c5,cd,fa,3d,f4,...
"p0"="D:\Program Files\Alcohol Soft\Alcohol 120"

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6928D535-03A4-958B-7461-DD3612E161FB}]
"oaanddhijdobognkokkdmaolhedkkp"=hex:6b,61,65,67,65,68,6d,6d,6a,70,64,6b,64,6f,6e,70,6e,6e,65,63,64,...
"nagmffkkaknnaiainldhcaoghjpp"=hex:6b,61,65,67,65,68,6d,6d,6a,70,64,6b,64,6f,6e,70,6e,6e,65,63,64,...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E4426DCE-9354-DB81-3A0A-3C1170F8343E}]
"oaccmndhgffhnepnpjpiodcppmoamd"=hex:6b,61,68,63,63,69,6b,6f,6f,6c,70,64,68,6e,69,6d,6b,69,6b,70,61,...
"paadeigicloiioaoaljeaakcjddjnkgb"=hex:6b,61,6d,62,6d,6b,63,67,65,6a,6c,61,62,66,6a,69,68,69,6a,62,67,...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"E:\Program Files\Opera\Opera.exe"="E:\Program Files\Opera\Opera.exe:*:Enabled:Opera Internet Browser"
"E:\Downloads\uTorrent.exe"="E:\Downloads\uTorrent.exe:*:Enabled:µTorrent"
"E:\Games\RedFaction\RedFaction.exe"="E:\Games\RedFaction\RedFaction.exe:*:Enabled:Red Faction Launcher"
"E:\Games\RedFaction\rf.exe"="E:\Games\RedFaction\rf.exe:*:Enabled:Red Faction"
"D:\Program Files\eMule\emule.exe"="D:\Program Files\eMule\emule.exe:*:Enabled:eMule"
"E:\Games\BtRL\Demo\fs2_open_3_6_9.exe"="E:\Games\BtRL\Demo\fs2_open_3_6_9.exe:*:Enabled:FreeSpace"
"D:\Program Files\Gadu-Gadu\gg.exe"="D:\Program Files\Gadu-Gadu\gg.exe:*:Enabled:Gadu-Gadu - program glówny"
"E:\Games\Chrome\ChromeNet.exe"="E:\Games\Chrome\ChromeNet.exe:*:Enabled:Chrome"
"E:\Games\DreamCatcher\Painkiller Overdose\Bin\Overdose.exe"="E:\Games\DreamCatcher\Painkiller Overdose\Bin\Overdose.exe:*:Enabled:Painkiller Overdose"
"E:\Games\DreamCatcher\Painkiller Overdose\Bin\OverdoseEditor.exe"="E:\Games\DreamCatcher\Painkiller Overdose\Bin\OverdoseEditor.exe:*:Enabled:Painkiller Overdose Editor"
"E:\Games\DreamCatcher\Painkiller Overdose\Bin\OverdoseServer.exe"="E:\Games\DreamCatcher\Painkiller Overdose\Bin\OverdoseServer.exe:*:Enabled:Painkiller Overdose Console Server"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - D:\a\SDFix\backups\backups.zip

Files with Hidden Attributes:

Tue 23 Oct 2007     5,903,928 A..H. --- "D:\Program Files\Picasa2\setup.exe"
Fri 31 Aug 2007             0 A.SH. --- "D:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 24 Oct 2007           857 A..HR --- "D:\Documents and Settings\Piotrek\Application Data\SecuROM\UserData\securom_v7_01.bak"
Sat 27 Oct 2007           857 ...HR --- "D:\Documents and Settings\Wojciech\Application Data\SecuROM\UserData\securom_v7_01.bak"

Finished!