SDFix: Version 1.115

Run by Administrator on 2008-04-16 at 17:06

Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-16 17:11:35
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...
IPC error: 2 Nie można odnaleźć określonego pliku.

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:b394f844
"s2"=dword:daaa23b3
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="D:\Program Files\DAEMON Tools"
"h0"=dword:00000000
"khjeh"=hex:cc,b1,6d,ae,8d,97,27,dc,c2,42,7a,93,16,a3,d6,fd,ca,d2,ce,c8,2e,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,c1,89,ed,1f,ae,11,32,1c,61,05,70,16,1f,d5,78,34,07,...
"khjeh"=hex:d9,96,41,f4,5f,5a,e8,3a,da,92,e5,84,a8,a1,e6,7f,dc,74,ab,48,56,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:d2,7e,95,24,85,ef,e1,2e,87,c1,0f,ee,f8,cb,39,a2,c0,ee,40,dd,09,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:85,b7,66,18,f4,86,0e,32,50,aa,b1,ae,64,f8,dd,e0,56,2f,5c,37,45,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="D:\Program Files\DAEMON Tools"
"h0"=dword:00000000
"khjeh"=hex:cc,b1,6d,ae,8d,97,27,dc,c2,42,7a,93,16,a3,d6,fd,ca,d2,ce,c8,2e,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,c1,89,ed,1f,ae,11,32,1c,61,05,70,16,1f,d5,78,34,07,...
"khjeh"=hex:f8,d8,d5,dd,7e,38,2f,16,57,2f,e1,0b,a1,4b,95,b1,2e,61,13,31,22,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:c5,1c,b1,54,56,a4,15,9c,b2,07,0b,15,29,f1,01,0b,ff,2d,0b,4b,af,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:02,d3,73,f5,a5,4e,32,2e,a7,71,a0,87,41,44,f9,b4,a1,82,cc,16,3c,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="D:\Program Files\DAEMON Tools"
"h0"=dword:00000000
"khjeh"=hex:cc,b1,6d,ae,8d,97,27,dc,c2,42,7a,93,16,a3,d6,fd,ca,d2,ce,c8,2e,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,c1,89,ed,1f,ae,11,32,1c,61,05,70,16,1f,d5,78,34,07,...
"khjeh"=hex:d9,96,41,f4,5f,5a,e8,3a,da,92,e5,84,a8,a1,e6,7f,dc,74,ab,48,56,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:d2,7e,95,24,85,ef,e1,2e,87,c1,0f,ee,f8,cb,39,a2,c0,ee,40,dd,09,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:85,b7,66,18,f4,86,0e,32,50,aa,b1,ae,64,f8,dd,e0,56,2f,5c,37,45,...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache{\1u]
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,00,30,39,00,00,00,00,00,46,b0,df,55,b9,...
"Changed"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall{\1u]
"Inno Setup: Setup Version"="2.0.19"
"Inno Setup: App Path"="D:\Program Files\Ortalion Entertainment\x17bulionerzy NG"
"Inno Setup: Icon Group"="Ortalion Ent\x17bulionerzy NG"
"Inno Setup: User"="Micha\x142"
"Inno Setup: Selected Tasks"="desktopicon"
"Inno Setup: Deselected Tasks"=""
"DisplayName"="\x17bulionerzy NewGeneration"
"UninstallString"=""D:\Program Files\Ortalion Entertainment\x17bulionerzy NG\unins000.exe""
"Publisher"="Ortalion Entertainment"
"URLInfoAbout"="http://www.ortalion.prv.pl"
"HelpLink"="http://www.ortalion.prv.pl"
"URLUpdateInfo"="http://www.ortalion.prv.pl"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]
"Order"=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Ortalion Ent{\1u]
"Order"=hex:08,00,00,00,02,00,00,00,42,02,00,00,01,00,00,00,04,00,00,00,96,...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"D:\Program Files\SiSoftware\SiSoftware Sandra Lite XII\Win32\RpcDataSrv.exe"="D:\Program Files\SiSoftware\SiSoftware Sandra Lite XII\Win32\RpcDataSrv.exe:*:Enabled:SiSoftware Database Agent Service"
"D:\Program Files\SiSoftware\SiSoftware Sandra Lite XII\RpcSandraSrv.exe"="D:\Program Files\SiSoftware\SiSoftware Sandra Lite XII\RpcSandraSrv.exe:*:Enabled:SiSoftware Sandra Agent Service"
"D:\Program Files\Skype\Phone\Skype.exe"="D:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

Files with Hidden Attributes:

Mon 30 Jul 2007            80 ..SHR --- "C:\WINDOWS\system32\AE456B2BB9.dll"
Mon  6 Mar 2006         4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 14 Mar 2007             0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sun 21 Oct 2007         1,301 ...HR --- "C:\Documents and Settings\Micha\Dane aplikacji\SecuROM\UserData\securom_v7_01.bak"

Finished!