SDFix: Version 1.115
Run by Nowy on 2007-11-21 at 06:17

Microsoft Windows XP [Version 5.1.2600]
Running From: D:\SDFix

Safe Mode:
Checking Services:

Name:
kcp

Path:
\??\D:\WINDOWS\system32\drivers\kcp.sys

kcp - Deleted

Infected Winlogon.exe Found!

Winlogon File Locations:

"D:\WINDOWS\system32\winlogon.exe" 433152 2007-11-20 14:21
"D:\WINDOWS\system32\dllcache\winlogon.exe" 432640 2007-11-20 16:33

Modified Files Are Listed Below:

D:\WINDOWS\system32\winlogon.exe
Note: SDFix Does Not Repair This File!

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Trojan Files Found:

D:\DOCUME~1\Nowy\USTAWI~1\Temp\0wl.tmp - Deleted
D:\WINDOWS\dat.txt - Deleted
D:\WINDOWS\rs.txt - Deleted
D:\WINDOWS\search_res.txt - Deleted
D:\WINDOWS\system32\9_exception.nls - Deleted
D:\WINDOWS\system32\kr_done1 - Deleted
D:\WINDOWS\system32\mstscex.dll - Deleted
D:\WINDOWS\system32\RunOnce.t__ - Deleted
D:\WINDOWS\system32\RunOnce.tmp - Deleted
D:\WINDOWS\Temp\temp_12336639.bat - Deleted

Removing Temp Files...

ADS Check:

D:\WINDOWS
No streams found.

D:\WINDOWS\system32
No streams found.

D:\WINDOWS\system32\svchost.exe
No streams found.

D:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-21 06:20:10
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{961A8719-F8BE-495D-AA25-2CEDBCE30F81}]
"NetbiosOptions"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:fc699240
"s2"=dword:9df62333
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="D:\Program Files\DAEMON Tools"
"h0"=dword:00000000
"khjeh"=hex:61,e2,dd,ef,ef,7e,d9,64,b0,de,6c,5a,e2,3c,1c,87,4a,28,41,aa,64,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,00,7b,f6,c2,51,74,89,d0,38,e4,61,a3,94,26,00,a2,56,...
"khjeh"=hex:49,fb,16,85,04,57,6b,b3,d2,90,bd,25,00,48,a9,e9,ba,9d,b6,05,39,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:8c,91,ad,fb,0e,40,52,40,98,55,b0,bf,02,93,8d,e9,9e,50,f2,c9,6e,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{961A8719-F8BE-495D-AA25-2CEDBCE30F81}]
"DhcpIPAddress"="10.1.0.29"
"DhcpSubnetMask"="255.255.255.255"
"NameServer"="83.17.121.13 83.18.180.74"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa]
"LsaPid"=dword:000005e0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Watchdog\Display]
"ShutdownCount"=dword:0000000d

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\ACPI\PNPA000\4&487b740c&0]
"Service"="a3ozxqva"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_KCP\0000]
"Service"="kcp"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="kcp"
"Capabilities"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\kcp]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"\??\D:\WINDOWS\system32\drivers\kcp.sys"
"DisplayName"="kcp"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\kcp\Parameters]
"a0"=hex:29,3a,a2,ce,58,b3,05,2c,d2,cb,df,72,65,1c,ca,47,ec,51,eb,54,7f,...
"a1"=hex:48,0a,ba,42,1e,90,94,64,76,19,36,86,9f,61,e7,d8,25,b6,95,ed,b2,...
"b0"=hex:ec,d8,53,b6,e4,ed,aa,fb,b9,fe,45,3f,43,0f,43,83,0e,a0,93,e8,21,...
"b1"=hex:05,2c,a9,cb,da,72,65,1c,ca,47,99,51,f4,54,7d,95,03,a5,1c,29,50,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\kcp\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="D:\Program Files\DAEMON Tools"
"h0"=dword:00000000
"khjeh"=hex:61,e2,dd,ef,ef,7e,d9,64,b0,de,6c,5a,e2,3c,1c,87,4a,28,41,aa,64,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,00,7b,f6,c2,51,74,89,d0,38,e4,61,a3,94,26,00,a2,56,...
"khjeh"=hex:49,fb,16,85,04,57,6b,b3,d2,90,bd,25,00,48,a9,e9,ba,9d,b6,05,39,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:8c,91,ad,fb,0e,40,52,40,98,55,b0,bf,02,93,8d,e9,9e,50,f2,c9,6e,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{1D394BC6-3323-4BD3-B013-94AA0B214D0E}]
"DhcpServer"="255.255.255.255"
"Lease"=dword:00000000
"LeaseObtainedTime"=dword:4743be17
"T1"=dword:4743be17
"T2"=dword:4743be17
"LeaseTerminatesTime"=dword:7fffffff
"IPAutoconfigurationAddress"="169.254.28.133"
"AddressType"=dword:00000001
"DhcpIPAddress"="169.254.28.133"
"DhcpSubnetMask"="255.255.0.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\{1D394BC6-3323-4BD3-B013-94AA0B214D0E}\Parameters\Tcpip]
"DhcpIPAddress"="169.254.28.133"
"DhcpSubnetMask"="255.255.0.0"
"DhcpServer"="255.255.255.255"
"Lease"=dword:00000000
"LeaseObtainedTime"=dword:4743be17
"T1"=dword:4743be17
"T2"=dword:4743be17
"LeaseTerminatesTime"=dword:7fffffff

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]
"Order"=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:
------------------

Authorized Application Key Export:

Remaining Files:
---------------

File Backups: - D:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sat 17 Nov 2007        10,240 A..H. --- "D:\WINDOWS\system32\BIT13.tmp"

Finished!
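Two follow-up checks a responder would want after a log like this one, written here as an added PowerShell example; this is not code from SDFix, catchme or the poster. The first compares the live winlogon.exe against the Windows File Protection copy in system32\dllcache (SDFix flagged the file and states it does not repair it); the second walks every ControlSetNNN hive for service or driver entries whose image file no longer exists, since catchme still listed the kcp service under ControlSet002 after kcp.sys had been deleted. The function names are my own, the script assumes PowerShell 2.0 or later in an elevated session, and it reads the Windows directory from $env:SystemRoot instead of hard-coding the D:\WINDOWS seen in the log.

```powershell
# Added example (not SDFix or catchme code). Assumes PowerShell 2.0+, elevated session,
# and $env:SystemRoot as the Windows directory (D:\WINDOWS on the machine in the log).

function Get-FileSha256 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

# Check 1: does the live copy of a protected file match the dllcache copy?
# The log shows the two winlogon.exe copies with different sizes and timestamps.
function Compare-ProtectedFile {
    param([string]$Name = 'winlogon.exe')
    $live  = Join-Path $env:SystemRoot "system32\$Name"
    $cache = Join-Path $env:SystemRoot "system32\dllcache\$Name"
    if (-not (Test-Path $live) -or -not (Test-Path $cache)) {
        Write-Warning "Missing $live or $cache; compare against install media instead."
        return
    }
    $l = Get-Item $live
    $c = Get-Item $cache
    New-Object PSObject -Property @{
        File         = $Name
        LiveSize     = $l.Length
        CacheSize    = $c.Length
        LiveWritten  = $l.LastWriteTime
        CacheWritten = $c.LastWriteTime
        HashMatch    = ((Get-FileSha256 $live) -eq (Get-FileSha256 $cache))
    }
}

# Turn a service ImagePath value into a filesystem path: strip the NT object-manager
# prefix ("\??\D:\..." as in the kcp entry), expand %SystemRoot%-style variables, map
# "\SystemRoot\..." and bare "system32\drivers\x.sys" onto the Windows directory, and
# drop any command-line arguments after the executable.
function Resolve-ImagePath {
    param([string]$ImagePath)
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    if ($p -match '^\\\?\?\\(.*)$')        { $p = $Matches[1] }
    if ($p -match '^\\SystemRoot\\(.*)$')  { $p = Join-Path $env:SystemRoot $Matches[1] }
    if ($p -match '^"([^"]+)"')            { $p = $Matches[1] }
    elseif ($p -match '^(.+?\.(exe|sys|dll))(\s.*)?$') { $p = $Matches[1] }
    if ($p -notmatch '^[A-Za-z]:\\')       { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# Check 2: service/driver entries whose image file is gone, in every ControlSetNNN
# hive (not only CurrentControlSet, which is where removal tools usually clean up).
function Find-OrphanedServiceImages {
    Get-ChildItem 'HKLM:\SYSTEM' | Where-Object { $_.PSChildName -like 'ControlSet*' } | ForEach-Object {
        $controlSet = $_.PSChildName
        Get-ChildItem (Join-Path $_.PSPath 'Services') -ErrorAction SilentlyContinue | ForEach-Object {
            $img = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ImagePath
            if (-not $img) { return }   # many entries carry no ImagePath; nothing to resolve
            $file = Resolve-ImagePath $img
            if (-not (Test-Path $file)) {
                New-Object PSObject -Property @{
                    ControlSet = $controlSet
                    Service    = $_.PSChildName
                    ImagePath  = $img
                    Resolved   = $file
                }
            }
        }
    }
}

Compare-ProtectedFile 'winlogon.exe' | Format-List
Find-OrphanedServiceImages | Format-Table -AutoSize
```

A hash mismatch on its own does not say which copy is clean: in the log the dllcache copy was written at 16:33, after the system32 copy at 14:21, so neither can be assumed good and the file should be checked against a known-good copy from install media or a service pack. The orphan listing is expected to show leftovers such as the kcp entry with Start=1 and Type=1 (a system-start kernel driver); an entry like that in a non-current control set is harmless until that control set is booted, which is why it is worth removing rather than ignoring.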