SDFix: Version 1.116

Run by MARCOPOLO on 2007-12-03 at 00:01

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-03 00:06:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:b0,77,f2,75,82,f5,5f,75,a4,33,b8,cd,7d,d1,5f,4b,d6,c8,dd,b2,b9,...
"p0"="C:\Program Files\DAEMON Tools"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,e4,f6,39,ff,45,6c,93,f3,84,8c,10,e4,d8,8e,af,14,aa,...
"khjeh"=hex:81,ac,e2,b9,0f,8e,69,88,e7,41,c4,54,d4,17,f1,6c,e0,5d,bc,e0,5b,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:84,37,b5,7a,99,a6,ea,08,dc,b3,24,5a,51,7f,f6,d8,ed,b1,12,ee,db,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:8b,51,7b,47,66,2e,25,6e,fe,05,28,76,a1,e8,16,cc,d8,32,be,7b,b2,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:b0,77,f2,75,82,f5,5f,75,a4,33,b8,cd,7d,d1,5f,4b,d6,c8,dd,b2,b9,...
"p0"="C:\Program Files\DAEMON Tools"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,e4,f6,39,ff,45,6c,93,f3,84,8c,10,e4,d8,8e,af,14,aa,...
"khjeh"=hex:81,ac,e2,b9,0f,8e,69,88,e7,41,c4,54,d4,17,f1,6c,e0,5d,bc,e0,5b,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:84,37,b5,7a,99,a6,ea,08,dc,b3,24,5a,51,7f,f6,d8,ed,b1,12,ee,db,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:8b,51,7b,47,66,2e,25,6e,fe,05,28,76,a1,e8,16,cc,d8,32,be,7b,b2,...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DocFolderPaths]
"A\1o?w?c?a?"="C:\Documents and Settings\x141owca\Moje dokumenty"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Hints\A\1o]
"PictureSource"="C:\Documents and Settings\All Users\Dane aplikacji\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp"
@=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]
"Order"=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

Files with Hidden Attributes:

Thu 29 Nov 2007         4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 15 Nov 2005        78,104 ..SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe"
Tue 15 Nov 2005        12,912 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer_Setupx.dll"

Finished!
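Reading a log like the one above by hand means scanning four things: the catchme counters at the end of "Final Check" (all zero here; the sptd\Cfg keys listed under "scanning hidden services & system hive" belong to the SPTD driver that ships with DAEMON Tools, which is where the "p0" value points, and catchme does not count them as hidden services), the "ADS Check" results, the firewall "Authorized Application Key Export" (each value is "path:scope:Enabled|Disabled:name", and "*" means the exception applies on every network), and the "Files with Hidden Attributes" list. The Python below is an added example, not code from SDFix, catchme or the poster, that parses those sections into records and prints a short review list. Its section detection (a trailing colon on header lines), its reading of any non-"No streams found." line under an ADS host as a stream report, its trusted-root list for firewall exceptions and its executable-extension filter are all assumptions of this example, and the embedded sample log is constructed to exercise them.

```python
# Triage parser for SDFix-style logs. Added example, not code from SDFix,
# catchme or the forum post. Sections are detected by the trailing colon on
# header lines such as "ADS Check:"; other assumptions are noted inline.
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the SDFix layout; paths, names and values
# are illustrative and come from no real machine.
SAMPLE_LOG = r"""
ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32\svchost.exe
svchost.exe:payload.bin 24576

Final Check:
hidden processes: 0
hidden services: 1
hidden files: 0

Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Documents and Settings\user\Local Settings\Temp\svch0st.exe"="C:\Documents and Settings\user\Local Settings\Temp\svch0st.exe:*:Enabled:Windows Update"

Files with Hidden Attributes:
Thu 29 Nov 2007         4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 15 Nov 2005        78,104 ..SHR --- "C:\Program Files\Example Vendor\Setup.exe"
Mon  3 Dec 2007        51,200 ..SH. --- "C:\WINDOWS\system32\drivers\sample.sys"

Finished!
"""

# XP firewall value layout: "<path>:<scope>:<Enabled|Disabled>:<display name>".
FIREWALL_RE = re.compile(r'^"(?P<key>[^"]*)"="(?P<path>.+?):(?P<scope>[^:]*):'
                         r'(?P<state>Enabled|Disabled):(?P<name>.*)"$')
HIDDEN_COUNT_RE = re.compile(r'^hidden (processes|services|files): (\d+)$')
# Hidden-attribute row: <weekday> <day> <mon> <year>  <size> <attrs> --- "<path>"
HIDDEN_FILE_RE = re.compile(r'^(?P<date>\w{3}\s+\d{1,2}\s+\w{3}\s+\d{4})\s+'
                            r'(?P<size>[\d,]+)\s+(?P<attrs>\S+)\s+\S+\s+"(?P<path>.+)"$')
WIN_PATH_RE = re.compile(r'^[A-Za-z]:\\')
# Assumed trusted roots for firewall exceptions; an Enabled rule for a binary
# anywhere else (Temp, a user profile, the root of C:) deserves a look.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\")
EXEC_EXT = (".exe", ".dll", ".sys", ".com", ".scr")


@dataclass
class Report:
    hidden_counts: dict = field(default_factory=dict)  # catchme counters
    ads_streams: list = field(default_factory=list)    # (host path, stream line)
    firewall_apps: list = field(default_factory=list)  # parsed exception entries
    hidden_files: list = field(default_factory=list)   # parsed hidden-attribute rows


def parse_sdfix_log(text):
    report, section, ads_host = Report(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and not WIN_PATH_RE.match(line):
            section = line[:-1]          # e.g. "ADS Check", "Final Check"
            continue
        if section == "ADS Check":
            if WIN_PATH_RE.match(line):
                ads_host = line          # the file or directory being checked
            elif line != "No streams found." and ads_host:
                # Assumption: any other line under a host is a stream report.
                report.ads_streams.append((ads_host, line))
        elif section == "Final Check":
            m = HIDDEN_COUNT_RE.match(line)
            if m:
                report.hidden_counts[m.group(1)] = int(m.group(2))
        elif section == "Authorized Application Key Export":
            m = FIREWALL_RE.match(line)
            if m:
                report.firewall_apps.append(m.groupdict())
        elif section == "Files with Hidden Attributes":
            m = HIDDEN_FILE_RE.match(line)
            if m:
                row = m.groupdict()
                row["size"] = int(row["size"].replace(",", ""))
                report.hidden_files.append(row)
    return report


def triage(report):
    """Return the items a responder should review first (heuristics, not verdicts)."""
    findings = []
    for kind, count in report.hidden_counts.items():
        if count:
            findings.append(f"catchme reports {count} hidden {kind}")
    for host, stream in report.ads_streams:
        findings.append(f"alternate data stream on {host}: {stream}")
    for app in report.firewall_apps:
        if app["state"] == "Enabled" and not app["path"].lower().startswith(TRUSTED_ROOTS):
            findings.append(f"firewall exception outside trusted roots: {app['path']} ({app['name']})")
    for row in report.hidden_files:
        if row["path"].lower().endswith(EXEC_EXT):
            findings.append(f"hidden executable: {row['path']} attrs={row['attrs']}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_sdfix_log(SAMPLE_LOG)):
        print(finding)
```

Run against a saved SDFix log (`parse_sdfix_log(open("Report.txt").read())`) it gives the same four lists for a real machine; the log above would produce no findings from this filter except the two Autodesk executables in the hidden-attribute list, which the executable-extension rule deliberately surfaces for a look rather than judging.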