SDFix: Version 1.119
Run by Jarzy on 2007-12-28 at 11:52

Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Trojan Files Found:

C:\autorun.inf - Deleted

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

catchme 0.3.1333.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-28 11:56:30
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools"
"h0"=dword:00000000
"khjeh"=hex:2c,40,b0,63,3e,81,0f,02,6c,5f,a5,fa,d5,ee,15,40,0d,2b,c5,86,75,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,ea,60,a6,b0,33,2b,b2,f7,3e,27,a0,45,1a,b5,29,bf,cc,...
"khjeh"=hex:1b,e1,f3,dd,17,d8,79,b2,22,29,a5,91,f3,84,d0,6b,9a,7b,8e,6c,a6,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:0c,04,0e,3c,38,63,4c,b3,34,7c,13,3f,3d,86,80,ef,16,8d,6c,76,8b,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:22459102
"s2"=dword:5840982d
"h0"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120"
"h0"=dword:00000001
"ujdew"=hex:53,19,71,16,ba,b4,95,4c,49,f6,b0,8c,39,97,f6,c3,35,8d,c2,86,a4,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools"
"h0"=dword:00000000
"khjeh"=hex:7f,58,6f,25,10,f5,0b,7d,a3,97,9f,8c,ae,ef,be,b5,1d,69,ff,91,68,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,ea,60,a6,b0,33,2b,b2,f7,3e,27,a0,45,1a,b5,29,bf,cc,...
"khjeh"=hex:87,64,cc,dc,5f,15,5f,fe,b4,9a,a7,40,c5,77,0d,03,6b,87,5b,6b,ca,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:0a,4e,92,d7,f9,7f,0d,f2,c3,56,c1,f5,e1,9f,94,0c,7e,3d,a0,db,c3,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools"
"h0"=dword:00000000
"khjeh"=hex:2c,40,b0,63,3e,81,0f,02,6c,5f,a5,fa,d5,ee,15,40,0d,2b,c5,86,75,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,ea,60,a6,b0,33,2b,b2,f7,3e,27,a0,45,1a,b5,29,bf,cc,...
"khjeh"=hex:1b,e1,f3,dd,17,d8,79,b2,22,29,a5,91,f3,84,d0,6b,9a,7b,8e,6c,a6,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:0c,04,0e,3c,38,63,4c,b3,34,7c,13,3f,3d,86,80,ef,16,8d,6c,76,8b,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120"
"h0"=dword:00000001
"ujdew"=hex:53,19,71,16,ba,b4,95,4c,49,f6,b0,8c,39,97,f6,c3,35,8d,c2,86,a4,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools"
"h0"=dword:00000000
"khjeh"=hex:7f,58,6f,25,10,f5,0b,7d,a3,97,9f,8c,ae,ef,be,b5,1d,69,ff,91,68,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,ea,60,a6,b0,33,2b,b2,f7,3e,27,a0,45,1a,b5,29,bf,cc,...
"khjeh"=hex:87,64,cc,dc,5f,15,5f,fe,b4,9a,a7,40,c5,77,0d,03,6b,87,5b,6b,ca,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:0a,4e,92,d7,f9,7f,0d,f2,c3,56,c1,f5,e1,9f,94,0c,7e,3d,a0,db,c3,...

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]
"Order"=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"E:\Gg\gg.exe"="E:\Gg\gg.exe:*:Enabled:Gadu-Gadu - program glowny"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Mon 22 Aug 2005    79,872 A...H. --- "C:\Swsetup\Monitors\SP31193\hpinsx64.exe"
Wed 11 Jul 2007         0 A...H. --- "C:\WINDOWS\SoftwareDistribution\Download\6565a92aeeef176188ae2c9a8920fd79\BIT4.tmp"

Finished!