SDFix: Version 1.117

Run by Chary on 2007-12-05 at 22:55

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Service xpdx - Deleted after Reboot

Normal Mode:
Checking Files:

Trojan Files Found:

C:\windows\wr.txt - Deleted
C:\windows\system32\xpdx.sys - Deleted

Removing Temp Files...

ADS Check:

C:\windows
No streams found.

C:\windows\system32
No streams found.

C:\windows\system32\svchost.exe
No streams found.

C:\windows\system32\ntoskrnl.exe
No streams found.

Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-05 22:57:49
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:d1,0a,f3,13,14,ce,aa,ce,1f,2c,79,28,a5,88,7a,13,eb,6c,ad,9a,12,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:d1,0a,f3,13,14,ce,aa,ce,1f,2c,79,28,a5,88,7a,13,eb,6c,ad,9a,12,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:d1,0a,f3,13,14,ce,aa,ce,1f,2c,79,28,a5,88,7a,13,eb,6c,ad,9a,12,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:d1,0a,f3,13,14,ce,aa,ce,1f,2c,79,28,a5,88,7a,13,eb,6c,ad,9a,12,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:d1,0a,f3,13,14,ce,aa,ce,1f,2c,79,28,a5,88,7a,13,eb,6c,ad,9a,12,...

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]
"Order"=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:
------------------


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\DOCUME~1\Chary\USTAWI~1\Temp\win74E.tmp.exe"="C:\DOCUME~1\Chary\USTAWI~1\Temp\win74E.tmp.exe:*:Enabled:win74E.tmp"
"C:\WINDOWS\TEMP\win28.tmp.exe"="C:\WINDOWS\TEMP\win28.tmp.exe:*:Enabled:win28.tmp"
"C:\WINDOWS\TEMP\win47.tmp.exe"="C:\WINDOWS\TEMP\win47.tmp.exe:*:Enabled:win47.tmp"
"C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Mon 24 Sep 2007       657,408 A.SH. --- "C:\!KillBox\svrhost.exe"
Tue 20 Aug 2002     1,511,453 ...H. --- "C:\Program Files\Messenger\msmsgs.exe"
Mon 27 Feb 2006        57,344 A.SH. --- "C:\Program Files\Outlook Express\MSIMN.EXE"
Wed 25 Apr 2007     5,371,704 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Sat 28 Sep 2002         4,639 A.SH. --- "C:\Program Files\Windows Media Player\mplayer2.exe"
Sat  1 Feb 2003        73,728 A.SH. --- "C:\Program Files\Windows Media Player\wmplayer.exe"
Mon  1 Oct 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\02ec37ec946ef377971d8300cdcd818f\BIT24.tmp"
Tue 25 Sep 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2120c9238873cb198fa7cec9b000fc7c\BIT2.tmp"

Finished!
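The part of this log that deserves a second look is the "Authorized Application Key Export": three entries in the standard profile whitelist executables sitting in temp directories (win74E.tmp.exe, win28.tmp.exe, win47.tmp.exe), enabled and with scope `*` (any remote address). That is the usual way malware lets its own traffic through the XP SP2 firewall, and SDFix only exports the list, it does not remove entries. The Python script below is an added example, not part of the posted log nor of SDFix or catchme: it parses the exported `authorizedapplications\list` values (XP SP2 layout `path:scope:Enabled|Disabled:display name`, which cannot be split naively on `:` because the path carries its own `C:`) and flags entries by a set of assumed heuristics (temp directories, `*.tmp.exe` names, value name not matching the embedded path). The sample input is the export section copied from the log above, embedded inline so it runs offline.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: the "Authorized Application Key Export" section
# of the SDFix log above, embedded so the script runs without the log file.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\DOCUME~1\Chary\USTAWI~1\Temp\win74E.tmp.exe"="C:\DOCUME~1\Chary\USTAWI~1\Temp\win74E.tmp.exe:*:Enabled:win74E.tmp"
"C:\WINDOWS\TEMP\win28.tmp.exe"="C:\WINDOWS\TEMP\win28.tmp.exe:*:Enabled:win28.tmp"
"C:\WINDOWS\TEMP\win47.tmp.exe"="C:\WINDOWS\TEMP\win47.tmp.exe:*:Enabled:win47.tmp"
"C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
'''

KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"$')
# XP SP2 value layout: <path>:<scope>:<Enabled|Disabled>:<display name>.
# The path contains "C:" itself, so anchor on the mode field instead of
# splitting on ':'; the non-greedy path group stops at the first valid split.
VALUE_RE = re.compile(
    r'^(?P<path>.+?):(?P<scope>[^:]+):(?P<mode>Enabled|Disabled):(?P<display>.*)$',
    re.IGNORECASE)

# Heuristic (an assumption of this example, not an SDFix rule): a legitimate
# exception almost never points into a scratch directory.
SUSPICIOUS_DIRS = ('\\temp\\', '\\tmp\\', '\\temporary internet files\\', '\\recycler\\')


@dataclass
class FirewallException:
    profile: str        # standardprofile / domainprofile, taken from the key path
    path: str
    scope: str          # '*' means any remote address
    enabled: bool
    display: str
    reasons: List[str]  # empty when nothing looked wrong


def profile_from_key(key: str) -> str:
    """...\\firewallpolicy\\<profile>\\authorizedapplications\\list -> <profile>."""
    parts = key.lower().split('\\')
    try:
        return parts[parts.index('firewallpolicy') + 1]
    except (ValueError, IndexError):
        return 'unknown'


def judge(name: str, path: str) -> List[str]:
    """Return the reasons an exception deserves a second look (heuristics)."""
    low = path.lower()
    reasons = []
    if any(d in low for d in SUSPICIOUS_DIRS):
        reasons.append('executable lives in a temp directory')
    if low.endswith('.tmp.exe'):
        reasons.append('GetTempFileName-style name (*.tmp.exe)')
    if name.lower() != low:
        reasons.append('value name does not match the path inside the value')
    return reasons


def parse_export(text: str) -> List[FirewallException]:
    entries = []
    profile = 'unknown'
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            profile = profile_from_key(km.group('key'))
            continue
        em = ENTRY_RE.match(line)
        if not em:
            continue
        vm = VALUE_RE.match(em.group('value'))
        if not vm:
            # A value that does not follow the documented layout is itself a finding.
            entries.append(FirewallException(profile, em.group('name'), '?', False,
                                             em.group('value'), ['unparseable value']))
            continue
        entries.append(FirewallException(
            profile, vm.group('path'), vm.group('scope'),
            vm.group('mode').lower() == 'enabled', vm.group('display'),
            judge(em.group('name'), vm.group('path'))))
    return entries


def suspicious(text: str) -> List[FirewallException]:
    return [e for e in parse_export(text) if e.reasons]


if __name__ == '__main__':
    for e in suspicious(SAMPLE_EXPORT):
        print(f'[{e.profile}] {e.path} scope={e.scope} enabled={e.enabled}: '
              + '; '.join(e.reasons))
```

Run on the export above it reports exactly the three temp-directory entries and leaves sessmgr.exe and the Logitech messenger alone. The matching registry values would still have to be deleted by hand (or the firewall exceptions list cleared from the Windows Firewall control panel), since the files they point at are already gone after the Temp cleanup.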