SDFix: Version 1.115
Run by x on 2007-11-22 at 17:25

Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Service xpdx - Deleted after Reboot

Normal Mode:
Checking Files:

Trojan Files Found:

C:\csrss.exe - Deleted
C:\WINDOWS\system32\xpdx.sys - Deleted
Could Not Remove C:\winstall.exe
Could Not Remove C:\WINDOWS\csrss.exe
Could Not Remove C:\WINDOWS\explore.exe
Could Not Remove C:\WINDOWS\iexplorer.exe
Could Not Remove C:\WINDOWS\lsasss.exe
Could Not Remove C:\WINDOWS\services.exe
Could Not Remove C:\WINDOWS\smss.exe
Could Not Remove C:\WINDOWS\svchost.exe
Could Not Remove C:\WINDOWS\system32\alsys.exe
Could Not Remove C:\WINDOWS\system32\atmtd.dll
Could Not Remove C:\WINDOWS\system32\atmtd.dll._
Could Not Remove C:\WINDOWS\system32\bho.dll
Could Not Remove C:\WINDOWS\system32\e1.dll
Could Not Remove C:\WINDOWS\system32\iexplore.exe
Could Not Remove C:\WINDOWS\system32\iexplorer.exe
Could Not Remove C:\WINDOWS\system32\ipv6mons.dll
Could Not Remove C:\WINDOWS\system32\msclt.exe
Could Not Remove C:\WINDOWS\system32\msmsgs.exe
Could Not Remove C:\WINDOWS\system32\mstc.exe
Could Not Remove C:\WINDOWS\system32\msupdate.exe
Could Not Remove C:\WINDOWS\system32\mswins.exe
Could Not Remove C:\WINDOWS\system32\nordsys.exe
Could Not Remove C:\WINDOWS\system32\ppl.exe
Could Not Remove C:\WINDOWS\system32\remote.exe
Could Not Remove C:\WINDOWS\system32\rundll.exe
Could Not Remove C:\WINDOWS\system32\scvhost32.exe
Could Not Remove C:\WINDOWS\system32\se.exe
Could Not Remove C:\WINDOWS\system32\server.exe
Could Not Remove C:\WINDOWS\system32\svchost32.exe
Could Not Remove C:\WINDOWS\system32\svhost.exe
Could Not Remove C:\WINDOWS\system32\svshost.exe
Could Not Remove C:\WINDOWS\system32\sys.exe
Could Not Remove C:\WINDOWS\system32\taskgmr.exe
Could Not Remove C:\WINDOWS\system32\update.exe
Could Not Remove C:\WINDOWS\system32\wgareg.exe
Could Not Remove C:\WINDOWS\system32\wgavm.exe
Could Not Remove C:\WINDOWS\system32\win32.exe
Could Not Remove C:\WINDOWS\system32\wincom32.sys
Could Not Remove C:\WINDOWS\system32\windowz.exe
Could Not Remove C:\WINDOWS\system32\winhost.exe
Could Not Remove C:\WINDOWS\system32\winsvc.exe
Could Not Remove C:\WINDOWS\system32\winsys.exe
Could Not Remove C:\WINDOWS\system32\winsys32.exe
Could Not Remove C:\WINDOWS\system32\winupd.exe
Could Not Remove C:\WINDOWS\system32\winxp.exe
Could Not Remove C:\WINDOWS\system32\zlbw.dll
Could Not Remove C:\WINDOWS\winlogon.exe
Could Not Remove C:\WINDOWS\winserv.exe
Could Not Remove C:\WINDOWS\xpupdate.exe

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-22 17:32:06
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120"
"h0"=dword:00000000
"ujdew"=hex:c0,1c,cc,e1,29,c3,d7,4a,04,50,a3,4d,e6,5d,51,5d,0b,ec,30,a2,b2,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:ef4dbfa9
"s2"=dword:c1910091
"h0"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:2d,e8,d5,47,9b,6a,e9,88,4a,fe,0c,e6,4a,4e,9f,29,1f,47,b6,f9,e9,...
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
"p0"="C:\Program Files\DAEMON Tools Pro"
"h0"=dword:00000002
"hdf12"=hex:1a,6c,3a,0e,35,81,85,e4,71,0c,44,80,eb,dd,18,fe,f5,0a,c3,27,0e,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]
"a0"=hex:20,01,00,00,66,2c,66,5b,15,36,84,bf,d2,1a,0a,45,f6,5b,b9,f9,08,...
"hdf12"=hex:a3,69,c1,96,e7,69,6c,77,b5,0c,0d,ba,e5,10,0a,84,d7,d0,ba,2e,6d,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]
"hdf12"=hex:96,b7,1d,91,28,4c,fc,e0,74,f4,33,fc,df,af,07,40,6d,98,54,df,57,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1]
"hdf12"=hex:04,ff,50,ae,10,68,c9,7f,09,a7,c2,ce,9f,bb,ef,6a,ac,42,ca,5a,69,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002]
"a0"=hex:20,01,00,00,f7,f5,49,5b,2c,bd,b8,34,4b,fa,c5,94,68,57,49,d9,ea,...
"hdf12"=hex:b3,2a,28,82,81,6a,0d,02,b1,49,12,34,5b,6d,de,cc,34,7d,3a,2a,1b,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0]
"hdf12"=hex:96,b7,1d,91,28,4c,fc,e0,74,f4,33,fc,df,af,07,40,6d,98,54,df,57,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1]
"hdf12"=hex:04,ff,50,ae,10,68,c9,7f,09,a7,c2,ce,9f,bb,ef,6a,ac,42,ca,5a,69,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools"
"h0"=dword:00000001
"khjeh"=hex:f3,1f,6b,bb,f9,91,ac,d4,86,ea,63,2f,4e,48,69,42,0c,bc,fc,60,a7,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,86,06,9d,3f,4f,f0,2f,e1,32,c2,9c,be,56,9c,a0,54,68,...
"khjeh"=hex:c4,92,8c,b6,b4,33,a6,87,ac,4a,15,e3,e1,50,5f,d2,fe,03,a5,33,74,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:06,2a,85,6a,de,ec,6e,72,ed,21,4f,dc,40,d7,bf,86,32,06,a7,9a,ec,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:69,5c,fb,e7,97,60,db,12,ba,c3,a1,ac,2c,ea,08,1c,09,4d,00,f3,f0,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:2d,e8,d5,47,9b,6a,e9,88,4a,fe,0c,e6,4a,4e,9f,29,1f,47,b6,f9,e9,...
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
"p0"="C:\Program Files\DAEMON Tools Pro"
"h0"=dword:00000002
"hdf12"=hex:1a,6c,3a,0e,35,81,85,e4,71,0c,44,80,eb,dd,18,fe,f5,0a,c3,27,0e,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]
"a0"=hex:20,01,00,00,66,2c,66,5b,15,36,84,bf,d2,1a,0a,45,f6,5b,b9,f9,08,...
"hdf12"=hex:a3,69,c1,96,e7,69,6c,77,b5,0c,0d,ba,e5,10,0a,84,d7,d0,ba,2e,6d,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]
"hdf12"=hex:96,b7,1d,91,28,4c,fc,e0,74,f4,33,fc,df,af,07,40,6d,98,54,df,57,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1]
"hdf12"=hex:04,ff,50,ae,10,68,c9,7f,09,a7,c2,ce,9f,bb,ef,6a,ac,42,ca,5a,69,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002]
"a0"=hex:20,01,00,00,f7,f5,49,5b,2c,bd,b8,34,4b,fa,c5,94,68,57,49,d9,ea,...
"hdf12"=hex:b3,2a,28,82,81,6a,0d,02,b1,49,12,34,5b,6d,de,cc,34,7d,3a,2a,1b,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0]
"hdf12"=hex:96,b7,1d,91,28,4c,fc,e0,74,f4,33,fc,df,af,07,40,6d,98,54,df,57,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1]
"hdf12"=hex:04,ff,50,ae,10,68,c9,7f,09,a7,c2,ce,9f,bb,ef,6a,ac,42,ca,5a,69,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools"
"h0"=dword:00000001
"khjeh"=hex:f3,1f,6b,bb,f9,91,ac,d4,86,ea,63,2f,4e,48,69,42,0c,bc,fc,60,a7,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,86,06,9d,3f,4f,f0,2f,e1,32,c2,9c,be,56,9c,a0,54,68,...
"khjeh"=hex:c4,92,8c,b6,b4,33,a6,87,ac,4a,15,e3,e1,50,5f,d2,fe,03,a5,33,74,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:06,2a,85,6a,de,ec,6e,72,ed,21,4f,dc,40,d7,bf,86,32,06,a7,9a,ec,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:69,5c,fb,e7,97,60,db,12,ba,c3,a1,ac,2c,ea,08,1c,09,4d,00,f3,f0,...

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]
"Order"=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe"="C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe:*:Enabled:Menu"
"C:\Program Files\Gadu-Gadu\gg.exe"="C:\Program Files\Gadu-Gadu\gg.exe:*:Enabled:Gadu-Gadu - program glowny"
"C:\Program Files\BitLord\BitLord.exe"="C:\Program Files\BitLord\BitLord.exe:*:Enabled:BitLord"
"C:\id Software\Quake 4\Quake4.exe"="C:\id Software\Quake 4\Quake4.exe:*:Enabled:Quake 4"
"C:\Program Files\LucasArts\Star Wars JK II Jedi Outcast\GameData\jk2mp.exe"="C:\Program Files\LucasArts\Star Wars JK II Jedi Outcast\GameData\jk2mp.exe:*:Enabled:jk2mp"
"C:\Program Files\LucasArts\Star Wars Jedi Knight Jedi Academy\GameData\jamp.exe"="C:\Program Files\LucasArts\Star Wars Jedi Knight Jedi Academy\GameData\jamp.exe:*:Enabled:Jedi Academy MultiPlayer"
"C:\Program Files\id Software\Quake 4\Quake4Ded.exe"="C:\Program Files\id Software\Quake 4\Quake4Ded.exe:*:Enabled:Quake 4"
"C:\Program Files\BitLord\Downloads\Unreal Tournament\UnrealTournament\System\UnrealTournament.exe"="C:\Program Files\BitLord\Downloads\Unreal Tournament\UnrealTournament\System\UnrealTournament.exe:*:Enabled:UnrealTournament"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype. Take a deep breath "
"C:\Program Files\LucasArts\Star Wars Republic Commando\GameData\System\SWRepublicCommando.exe"="C:\Program Files\LucasArts\Star Wars Republic Commando\GameData\System\SWRepublicCommando.exe:*:Enabled:SWRepublicCommando"
"C:\Program Files\Atari\Neverwinter Nights 2\nwn2main.exe"="C:\Program Files\Atari\Neverwinter Nights 2\nwn2main.exe:*:Enabled:Neverwinter Nights 2 Main"
"C:\Program Files\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe"="C:\Program Files\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe:*:Enabled:Neverwinter Nights 2 AMD"
"C:\Program Files\Atari\Neverwinter Nights 2\nwupdate.exe"="C:\Program Files\Atari\Neverwinter Nights 2\nwupdate.exe:*:Enabled:Neverwinter Nights 2 Updater"
"C:\Program Files\Atari\Neverwinter Nights 2\nwn2server.exe"="C:\Program Files\Atari\Neverwinter Nights 2\nwn2server.exe:*:Enabled:Neverwinter Nights 2 Server"
"C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe"="C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:*:Enabled:Call of Duty® 4 - Modern Warfare"
"C:\WINDOWS\system32\PnkBstrA.exe"="C:\WINDOWS\system32\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\WINDOWS\system32\PnkBstrB.exe"="C:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\Program Files\Ares\Ares.exe"="C:\Program Files\Ares\Ares.exe:*:Enabled:Ares p2p for windows"
"C:\Program Files\Azureus\Azureus.exe"="C:\Program Files\Azureus\Azureus.exe:*:Enabled:Azureus"
"C:\Program Files\BitComet\BitComet.exe"="C:\Program Files\BitComet\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\Program Files\DAP\DAP.exe"="C:\Program Files\DAP\DAP.exe:*:Enabled:Download Accelerator Plus (DAP)"
"C:\Program Files\Activision\Call of Duty 2\CoD2MP_s.exe"="C:\Program Files\Activision\Call of Duty 2\CoD2MP_s.exe:*:Enabled:CoD2MP_s"
"C:\Program Files\The All-Seeing Eye\eye.exe"="C:\Program Files\The All-Seeing Eye\eye.exe:*:Enabled:Yahoo! All-Seeing Eye"
"C:\WINDOWS\system32\qdfldngl.exe"="C:\WINDOWS\system32\qdf"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

C:\winstall.exe Found
C:\WINDOWS\csrss.exe Found
C:\WINDOWS\explore.exe Found
C:\WINDOWS\iexplorer.exe Found
C:\WINDOWS\lsasss.exe Found
C:\WINDOWS\services.exe Found
C:\WINDOWS\smss.exe Found
C:\WINDOWS\svchost.exe Found
C:\WINDOWS\system32\alsys.exe Found
C:\WINDOWS\system32\atmtd.dll Found
C:\WINDOWS\system32\atmtd.dll._ Found
C:\WINDOWS\system32\bho.dll Found
C:\WINDOWS\system32\e1.dll Found
C:\WINDOWS\system32\iexplore.exe Found
C:\WINDOWS\system32\iexplorer.exe Found
C:\WINDOWS\system32\ipv6mons.dll Found
C:\WINDOWS\system32\msclt.exe Found
C:\WINDOWS\system32\msmsgs.exe Found
C:\WINDOWS\system32\mstc.exe Found
C:\WINDOWS\system32\msupdate.exe Found
C:\WINDOWS\system32\mswins.exe Found
C:\WINDOWS\system32\nordsys.exe Found
C:\WINDOWS\system32\ppl.exe Found
C:\WINDOWS\system32\remote.exe Found
C:\WINDOWS\system32\rundll.exe Found
C:\WINDOWS\system32\scvhost32.exe Found
C:\WINDOWS\system32\se.exe Found
C:\WINDOWS\system32\server.exe Found
C:\WINDOWS\system32\svchost32.exe Found
C:\WINDOWS\system32\svhost.exe Found
C:\WINDOWS\system32\svshost.exe Found
C:\WINDOWS\system32\sys.exe Found
C:\WINDOWS\system32\taskgmr.exe Found
C:\WINDOWS\system32\update.exe Found
C:\WINDOWS\system32\wgareg.exe Found
C:\WINDOWS\system32\wgavm.exe Found
C:\WINDOWS\system32\win32.exe Found
C:\WINDOWS\system32\wincom32.sys Found
C:\WINDOWS\system32\windowz.exe Found
C:\WINDOWS\system32\winhost.exe Found
C:\WINDOWS\system32\winsvc.exe Found
C:\WINDOWS\system32\winsys.exe Found
C:\WINDOWS\system32\winsys32.exe Found
C:\WINDOWS\system32\winupd.exe Found
C:\WINDOWS\system32\winxp.exe Found
C:\WINDOWS\system32\zlbw.dll Found
C:\WINDOWS\winlogon.exe Found
C:\WINDOWS\winserv.exe Found
C:\WINDOWS\xpupdate.exe Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Thu 22 Nov 2007 274 …HR --- "C:\Program Files\adwareremovergold.com"
Thu 22 Nov 2007 274 …HR --- "C:\Program Files\bulletproofsoft.com"
Thu 22 Nov 2007 236 …HR --- "C:\Program Files\dealhelper.com inc"
Thu 22 Nov 2007 228 …HR --- "C:\Program Files\gator.com"
Thu 22 Nov 2007 274 …HR --- "C:\Program Files\malwaresweeper.com"
Thu 22 Nov 2007 274 …HR --- "C:\Program Files\malwarewipe.com"
Thu 22 Nov 2007 274 …HR --- "C:\Program Files\pcprivacysoftware.com"
Thu 22 Nov 2007 72,704 …SHR --- "C:\Program Files\Malware Immunizer\MI.exe"
Thu 22 Nov 2007 20,810 …SH. --- "C:\WINDOWS\system32\xmsmhaff.dllbox"
Tue 3 Oct 2006 50,280 …H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Wed 14 Nov 2007 0 A…H. --- "C:\WINDOWS\SoftwareDistribution\Download\1738c621b33e51e95e7a1d6339d42049\BIT1.tmp"
Sun 28 Oct 2007 5,853 …HR --- "C:\Documents and Settings\x\Dane aplikacji\SecuROM\UserData\securom_v7_01.bak"

Finished!