SDFix: Version 1.163

Run by Damian on 28/03/2008 at 16:07

Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting

Checking Files :

No Trojan Files Found

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-28 16:11:34
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="D:\NARZEDZIA\DAEMON Tools Lite"
"h0"=dword:00000000
"khjeh"=hex:64,9e,0e,80,60,59,89,18,c6,75,a4,23,89,bf,c2,b2,59,17,d2,a7,3f,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,f6,3b,77,4b,de,27,7c,a2,6a,97,46,13,a6,54,41,90,f8,...
"khjeh"=hex:42,27,6d,1e,5e,de,01,52,3c,65,2b,e5,b7,0d,c3,19,68,13,ed,58,be,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:d7,9b,53,6f,cf,c0,a9,8d,12,b5,e1,4e,b4,f5,1b,56,93,9b,99,1f,f6,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:ff,9a,65,70,75,76,2c,1f,79,b5,e3,8d,53,fa,72,ea,c9,09,43,de,cc,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:d8,0a,d7,90,c3,c8,7b,2f,19,49,f0,bb,75,ae,5b,d5,b2,8e,70,19,d4,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
"khjeh"=hex:d2,56,66,57,24,63,0e,3f,8f,87,a0,77,95,ec,3e,e8,40,5b,a3,38,86,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="D:\NARZEDZIA\DAEMON Tools Lite"
"h0"=dword:00000000
"khjeh"=hex:64,9e,0e,80,60,59,89,18,c6,75,a4,23,89,bf,c2,b2,59,17,d2,a7,3f,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,f6,3b,77,4b,de,27,7c,a2,6a,97,46,13,a6,54,41,90,f8,...
"khjeh"=hex:42,27,6d,1e,5e,de,01,52,3c,65,2b,e5,b7,0d,c3,19,68,13,ed,58,be,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:d7,9b,53,6f,cf,c0,a9,8d,12,b5,e1,4e,b4,f5,1b,56,93,9b,99,1f,f6,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:ff,9a,65,70,75,76,2c,1f,79,b5,e3,8d,53,fa,72,ea,c9,09,43,de,cc,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:d8,0a,d7,90,c3,c8,7b,2f,19,49,f0,bb,75,ae,5b,d5,b2,8e,70,19,d4,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
"khjeh"=hex:d2,56,66,57,24,63,0e,3f,8f,87,a0,77,95,ec,3e,e8,40,5b,a3,38,86,...

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]
"Order"=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"D:\INTERNET\AVG\avginet.exe"="D:\INTERNET\AVG\avginet.exe:*:Enabled:avginet.exe"
"D:\INTERNET\AVG\avgamsvr.exe"="D:\INTERNET\AVG\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"D:\INTERNET\AVG\avgcc.exe"="D:\INTERNET\AVG\avgcc.exe:*:Enabled:avgcc.exe"
"D:\INTERNET\AVG\avgemc.exe"="D:\INTERNET\AVG\avgemc.exe:*:Enabled:avgemc.exe"
"D:\INTERNET\Gadu-Gadu\gg.exe"="D:\INTERNET\Gadu-Gadu\gg.exe:*:Enabled:Gadu-Gadu - program główny"
"D:\INTERNET\IEPro\MiniDM.exe"="D:\INTERNET\IEPro\MiniDM.exe:*:Enabled:MiniDM"
"D:\INTERNET\xampp\apache\bin\apache.exe"="D:\INTERNET\xampp\apache\bin\apache.exe:*:Enabled:Apache HTTP Server"
"X:\DAMIAN\Ots\TFS\Mystic Spirit\TheForgottenServer.exe"="X:\DAMIAN\Ots\TFS\Mystic Spirit\TheForgottenServer.exe:*:Enabled:Mystic Spirit (0.2.10)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Finished!