SDFix: Version 1.214

Run by dassem on 2008-08-08 at 20:17

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files :

No Trojan Files Found

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-08 20:28:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:3d57eeb8
"s2"=dword:cbbce973
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools"
"h0"=dword:00000000
"khjeh"=hex:ab,b6,de,57,14,f6,02,99,c4,35,87,78,74,3c,39,db,eb,1b,66,72,e7,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,40,6a,46,93,91,d5,6e,f2,78,47,54,46,d4,1e,5c,07,96,..
"khjeh"=hex:ed,3a,0b,ca,79,ba,38,53,e2,40,8e,4f,9e,1c,24,88,06,bd,33,68,43,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:00,b4,95,30,db,3b,72,26,5e,92,6f,0e,4a,cb,d5,60,36,25,17,d7,e4,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:36,f7,83,5f,ab,b6,99,b4,ef,14,b0,dc,f0,9b,df,61,4a,8f,bc,d5,34,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools"
"h0"=dword:00000000
"khjeh"=hex:ab,b6,de,57,14,f6,02,99,c4,35,87,78,74,3c,39,db,eb,1b,66,72,e7,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,40,6a,46,93,91,d5,6e,f2,78,47,54,46,d4,1e,5c,07,96,..
"khjeh"=hex:ed,3a,0b,ca,79,ba,38,53,e2,40,8e,4f,9e,1c,24,88,06,bd,33,68,43,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:00,b4,95,30,db,3b,72,26,5e,92,6f,0e,4a,cb,d5,60,36,25,17,d7,e4,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:36,f7,83,5f,ab,b6,99,b4,ef,14,b0,dc,f0,9b,df,61,4a,8f,bc,d5,34,..

scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\Temp_av_proI.tm~a02288

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe"="C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe"="C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe"="C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe"="C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Gry\Call of Duty 2\CoD2MP_s.exe"="C:\Gry\Call of Duty 2\CoD2MP_s.exe:*:Enabled:CoD2MP_s"
"C:\Gry\Pro Evolution Soccer 2008\PES2008.exe"="C:\Gry\Pro Evolution Soccer 2008\PES2008.exe:*:Enabled:Pro Evolution Soccer 2008"
"C:\Documents and Settings\dassem\Pulpit\PES 2008.exe"="C:\Documents and Settings\dassem\Pulpit\PES 2008.exe:*:Enabled:Pro Evolution Soccer 2008"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:uTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :

Files with Hidden Attributes :

Mon 28 Jan 2008   1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008   5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008   2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Thu  1 May 2008           8 ..SHR --- "C:\WINDOWS\system32\20AC8F4E3A.sys"

Finished!
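The "Authorized Application Key Export" section above is a dump of the Windows XP SP2/SP3 firewall exception list, whose values follow the fixed layout `<path>:<scope>:<Enabled|Disabled>:<display name>`. When reviewing such a log the questions are mechanical: does the value's path match the key it is stored under, is the exception enabled, and does the binary live somewhere a user-level process could have dropped it. The following script is an added example, not part of SDFix or of the original post; it parses lines in that export format and annotates them with those checks. The location heuristics (a profile-local path is worth a look, anything outside %windir% or Program Files is merely unusual) are the example's own assumptions, and the sample input is a handful of lines copied from the standard-profile export plus one synthetic mismatched entry that does not appear in the log.

```python
"""Audit an XP firewall AuthorizedApplications export as SDFix prints it."""
import re
from dataclasses import dataclass, field

# Value format under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\
# Parameters\FirewallPolicy\<profile>\AuthorizedApplications\List:
#     "<path>"="<path>:<scope>:<Enabled|Disabled>:<display name>"
# <scope> is "*" (any remote address) or a comma-separated address list.
ENTRY_RE = re.compile(r'^"(?P<key>[^"]+)"="(?P<value>[^"]+)"$')

# Heuristics (assumptions of this example, not SDFix behaviour): an exception
# for a binary inside the user's profile deserves a look because anything
# running as that user can write there; a path outside %windir% and
# Program Files is only flagged as unusual.
USER_PROFILE_PREFIXES = ("c:\\documents and settings\\",)
EXPECTED_PREFIXES = ("%windir%\\", "c:\\windows\\", "c:\\program files\\")


@dataclass
class FirewallException:
    path: str
    scope: str
    enabled: bool
    name: str
    findings: list = field(default_factory=list)


def parse_entry(line: str) -> FirewallException:
    """Parse one exported registry line into its fields and annotate it."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an AuthorizedApplications entry: {line!r}")
    key, value = m.group("key"), m.group("value")
    # Split from the right: the path carries its own drive colon, while the
    # three trailing fields (scope, state, name) contain none on XP.
    path, scope, state, name = value.rsplit(":", 3)
    entry = FirewallException(path, scope, state.lower() == "enabled", name)
    if path.lower() != key.lower():
        entry.findings.append("value path differs from key name")
    p = path.lower()
    if p.startswith(USER_PROFILE_PREFIXES):
        entry.findings.append("binary lives in a user profile")
    elif not p.startswith(EXPECTED_PREFIXES):
        entry.findings.append("unusual install location")
    return entry


def audit(lines):
    """Parse every entry line, skipping blanks and [key] header lines."""
    return [parse_entry(ln) for ln in lines if ln.strip().startswith('"')]


def flagged(lines):
    """Return only the enabled exceptions that raised at least one finding."""
    return [e for e in audit(lines) if e.enabled and e.findings]


# Constructed sample: lines copied from the standard-profile export above,
# plus one synthetic mismatched entry (not in the log) for the key/value check.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\Gry\Call of Duty 2\CoD2MP_s.exe"="C:\Gry\Call of Duty 2\CoD2MP_s.exe:*:Enabled:CoD2MP_s"
"C:\Documents and Settings\dassem\Pulpit\PES 2008.exe"="C:\Documents and Settings\dassem\Pulpit\PES 2008.exe:*:Enabled:Pro Evolution Soccer 2008"
"C:\Program Files\Example\good.exe"="C:\Program Files\Example\evil.exe:*:Enabled:good"
'''.splitlines()

if __name__ == "__main__":
    for e in flagged(SAMPLE):
        print(f"{e.path}  [{', '.join(e.findings)}]")
```

Run against the full export, the script would single out the desktop copy of PES 2008 (profile-local) and the two `C:\Gry` binaries (unusual location) while leaving the %windir% and Program Files entries silent; the key/value mismatch check never fires on the real log, which is the expected result for an untampered list.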