SDFix: Version 1.219
Run by Kamaker on 2008-08-26 at 15:46

Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\wvUnMfec.dll - Deleted
C:\DOCUME~1\Kamaker\USTAWI~1\Temp\tmp3D.tmp - Deleted

Folder C:\Documents and Settings\Kamaker\Dane aplikacji\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys#w*w.redtube.com - Removed

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-26 16:04:25
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40]
"khjeh"=hex:20,02,00,00,df,83,a0,6a,0c,a9,dc,6a,c3,5e,5a,a0,f0,c4,14,8f,2f,...
"hj34z0"=hex:94,b1,fa,c0,6c,03,4c,d4,da,89,03,fb,bb,6e,cc,cf,89,46,8f,f8,ad,...
"hj34z1"=hex:5d,b1,fa,c0,14,03,4c,d4,db,89,02,fb,ba,6e,cc,cf,89,46,8f,f8,d0,...
"hj34z2"=hex:5d,b1,fa,c0,14,03,4c,d4,db,89,02,fb,ba,6e,cc,cf,89,46,8f,f8,d0,...
"hj34z3"=hex:5d,b1,fa,c0,14,03,4c,d4,db,89,02,fb,ba,6e,cc,cf,89,46,8f,f8,d0,...
"hj34z4"=hex:5d,b1,fa,c0,14,03,4c,d4,db,89,02,fb,ba,6e,cc,cf,89,46,8f,f8,d0,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41]
"khjeh"=hex:20,02,00,00,df,83,a0,6a,ed,68,49,48,c3,5e,5a,a0,0d,9a,14,8f,2f,...
"hj34z0"=hex:c5,b1,fa,c0,6c,03,4c,d4,da,89,03,fb,bb,6e,cc,cf,89,46,8f,f8,40,...
"hj34z1"=hex:0c,f2,fc,c0,a4,48,4a,d4,d6,dd,04,fb,d0,32,ca,cf,4e,22,89,f8,f4,...
"hj34z2"=hex:66,75,f7,c0,33,cf,41,d4,c9,5d,0f,fb,46,b5,c1,cf,6e,a5,82,f8,01,...
"hj34z3"=hex:36,52,ee,c0,e1,e9,58,d4,a5,7b,16,fb,bd,94,d8,cf,19,47,9a,f8,c8,...
"hj34z4"=hex:32,1f,e1,c0,b0,b6,57,d4,03,35,19,fb,b1,aa,d7,cf,b6,8d,94,f8,a3,...
"hj34z5"=hex:ab,9e,d8,c0,f4,35,6e,d4,12,b4,20,fb,09,2a,ee,cf,15,0d,ad,f8,55,...
"hj34z6"=hex:ca,c1,d2,c0,2b,74,64,d4,3d,f4,2a,fb,37,ea,e4,cf,bd,cd,a7,f8,0b,...
"hj34z7"=hex:03,c6,d4,c0,df,7e,62,d4,ed,0d,2c,fb,18,e4,e2,cf,87,d7,a1,f8,a9,...
"hj34z8"=hex:7b,fb,ce,c0,49,53,78,d4,48,df,36,fb,73,32,f8,cf,76,24,bb,f8,e5,...
"hj34z9"=hex:81,5c,c3,c0,f7,f0,75,d4,33,70,3b,fb,54,91,f5,cf,7a,43,b5,f8,29,...
"hj34z10"=hex:ef,d7,c5,c0,98,6f,73,d4,be,fb,3d,fb,84,16,f3,cf,9e,38,b0,f8,20,...
"hj34z11"=hex:19,09,be,c0,e1,be,08,d4,7e,4a,46,fb,ec,a7,88,cf,8f,89,cb,f8,66,...
"hj34z12"=hex:ee,54,b3,c0,2a,e8,05,d4,12,79,4b,fb,ee,98,85,cf,56,bd,c6,f8,b9,...
"hj34z13"=hex:e4,40,b4,c0,35,f4,02,d4,52,75,4c,fb,4b,6f,83,cf,d0,41,c0,f8,11,...
"hj34z14"=hex:9d,6f,a9,c0,1c,e7,1f,d4,94,60,51,fb,2c,80,9f,cf,57,b5,dc,f8,f5,...
"hj34z15"=hex:bb,1f,a2,c0,1b,b7,14,d4,e2,30,5a,fb,d8,d0,94,cf,02,85,d7,f8,64,...
"hj34z16"=hex:49,d5,a7,c0,36,6a,11,d4,f4,e7,5f,fb,86,1d,91,cf,c0,3e,d2,f8,85,...
"hj34z17"=hex:5d,b1,fa,c0,14,03,4c,d4,db,89,02,fb,ba,6e,cc,cf,89,46,8f,f8,d0,...
"hj34z18"=hex:5d,b1,fa,c0,14,03,4c,d4,db,89,02,fb,ba,6e,cc,cf,89,46,8f,f8,d0,...
"hj34z19"=hex:5d,b1,fa,c0,14,03,4c,d4,db,89,02,fb,ba,6e,cc,cf,89,46,8f,f8,d0,...
"hj34z20"=hex:5d,b1,fa,c0,14,03,4c,d4,db,89,02,fb,ba,6e,cc,cf,89,46,8f,f8,d0,...
"hj34z21"=hex:5d,b1,fa,c0,14,03,4c,d4,db,89,02,fb,ba,6e,cc,cf,89,46,8f,f8,d0,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf42]
"khjeh"=hex:20,02,00,00,df,83,a0,6a,f7,f2,55,49,c3,5e,5a,a0,c4,d5,14,8f,2f,...
"hj34z0"=hex:94,b0,fa,c0,7c,02,4c,d4,da,89,03,fb,bb,6e,cc,cf,89,46,8f,f8,37,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf43]
"khjeh"=hex:20,02,00,00,df,83,a0,6a,5d,41,2d,50,c3,5e,5a,a0,cb,d5,14,8f,2f,...
"hj34z0"=hex:9b,b0,fa,c0,7c,02,4c,d4,da,89,03,fb,bb,6e,cc,cf,89,46,8f,f8,0a,...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\FlashGet\flashget.exe"="C:\Program Files\FlashGet\flashget.exe:*:Enabled:FlashGet"
"C:\GRY\Battlefield 2\BF2.exe"="C:\GRY\Battlefield 2\BF2.exe:*:Enabled:Battlefield 2"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\FlashFXP\FlashFXP.exe"="C:\Program Files\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3"
"C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe"="C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:*:Enabled:Adobe Version Cue CS3 Server"
"C:\GRY\Battlefield 2142 Deluxe Edition\BF2142.exe"="C:\GRY\Battlefield 2142 Deluxe Edition\BF2142.exe:*:Enabled:Battlefield 2142"
"C:\Program Files\Konnekt\konnekt.exe"="C:\Program Files\Konnekt\konnekt.exe:*:Enabled:Konnekt - Core"
"C:\Program Files\VertrigoServ\Mysql\bin\v_mysqld.exe"="C:\Program Files\VertrigoServ\Mysql\bin\v_mysqld.exe:*:Enabled:v_mysqld"
"C:\Program Files\VertrigoServ\Apache\bin\v_apache.exe"="C:\Program Files\VertrigoServ\Apache\bin\v_apache.exe:*:Enabled:Apache HTTP Server"
"C:\GRY\Battlefield 2 Deluxe Edition\BF2.exe"="C:\GRY\Battlefield 2 Deluxe Edition\BF2.exe:*:Enabled:BF2"
"C:\WINDOWS\system32\dplaysvr.exe"="C:\WINDOWS\system32\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
"C:\SYFY\Heroes\Heroes\Heroes\Heroes 3 Full\h3blade.exe"="C:\SYFY\Heroes\Heroes\Heroes\Heroes 3 Full\h3blade.exe:*:Enabled:Heroes of Might and Magic III"
"C:\SYFY\Heroes\Heroes\Heroes\Heroes 3 Full\Heroes3.exe"="C:\SYFY\Heroes\Heroes\Heroes\Heroes 3 Full\Heroes3.exe:*:Enabled:Heroes of Might and MagicR III"
"C:\SYFY\Heroes\Heroes\Heroes\Heroes 3 Full\Heroes 3 Full\Heroes3.exe"="C:\SYFY\Heroes\Heroes\Heroes\Heroes 3 Full\Heroes 3 Full\Heroes3.exe:*:Enabled:Heroes of Might and MagicR III"
"C:\GRY\Heroes of Might and Magic III - Zlota Edycja\Heroes3.exe"="C:\GRY\Heroes of Might and Magic III - Zlota Edycja\Heroes3.exe:*:Enabled:Heroes of Might and MagicR III"
"C:\Program Files\Electronic Arts\EADM\Core.exe"="C:\Program Files\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager"
"C:\GRY\teeworlds-0.4.2-win32\teeworlds_srv.exe"="C:\GRY\teeworlds-0.4.2-win32\teeworlds_srv.exe:*:Enabled:teeworlds_srv"
"C:\Program Files\Opera\opera.exe"="C:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser"
"C:\GRY\Warcraft III\Warcraft III.exe"="C:\GRY\Warcraft III\Warcraft III.exe:*:Enabled:Warcraft III"
"C:\Program Files\Xfire\xfire.exe"="C:\Program Files\Xfire\xfire.exe:*:Enabled:Xfire"
"C:\Program Files\Paltalk Messenger\paltalk.exe"="C:\Program Files\Paltalk Messenger\paltalk.exe:*:Disabled:PaltalkScene"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\FlashFXP\FlashFXP.exe"="C:\Program Files\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3"

Remaining Files :

File Backups: - C:\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 22 Jul 2002       418,816 ...HR --- "C:\WINDOWS\system32\Tools\All.exe"
Fri 19 Jul 2002       390,144 ...HR --- "C:\WINDOWS\system32\Tools\Change.exe"
Fri 19 Jul 2002       574,464 ...HR --- "C:\WINDOWS\system32\Tools\CheckPath.exe"
Tue 20 Aug 2002       430,592 ...HR --- "C:\WINDOWS\system32\Tools\Counter.exe"
Tue 23 Jul 2002       390,656 ...HR --- "C:\WINDOWS\system32\Tools\DelFolders.exe"
Fri 22 Nov 2002       399,872 ...HR --- "C:\WINDOWS\system32\Tools\DirectSetup.exe"
Fri 19 Jul 2002       388,096 ...HR --- "C:\WINDOWS\system32\Tools\RegClean.exe"
Fri 19 Jul 2002       388,608 ...HR --- "C:\WINDOWS\system32\Tools\Regexe.exe"
Mon  2 Dec 2002       431,616 ...HR --- "C:\WINDOWS\system32\Tools\Restart.exe"
Fri 19 Jul 2002       388,096 ...HR --- "C:\WINDOWS\system32\Tools\RunRegexe.exe"

Finished!