SDFix: Version 1.115
Run by Administrator on 2007-11-26 at 08:19

Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix\SDFix

Safe Mode:
Checking Services:

Name:
Distributed Allocated Memory Unit
FCI
MSN RAV
runtime
xpdx
Distributed Allocated Memory Unit
FCI
MSN RAV
runtime
runtime2
xpdx

Path:

Distributed Allocated Memory Unit - Deleted
FCI - Deleted
MSN RAV - Deleted
runtime - Deleted
xpdx - Deleted
Distributed Allocated Memory Unit - Deleted
FCI - Deleted
MSN RAV - Deleted
runtime - Deleted
runtime2 - Deleted
xpdx - Deleted

Infected ip6fw.sys Found!

ip6fw.sys File Locations:

"C:\WINDOWS\ServicePackFiles\i386\ip6fw.sys" 29056 2004-08-03 23:00
"C:\WINDOWS\system32\dllcache\ip6fw.sys" 29056 2004-08-03 23:00
"C:\WINDOWS\system32\drivers\ip6fw.sys" 29056 2004-08-03 23:00

Infected File Listed Below:

C:\WINDOWS\system32\drivers\ip6fw.sys

Trojan File copied to Backups Folder
Attempting to replace ip6fw.sys with original version...

Original ip6fw.sys Restored

Infected ip6fw.sys Found!

ip6fw.sys File Locations:

"C:\WINDOWS\ServicePackFiles\i386\ip6fw.sys" 29056 2004-08-03 23:00
"C:\WINDOWS\system32\dllcache\ip6fw.sys" 29056 2004-08-03 23:00
"C:\WINDOWS\system32\drivers\ip6fw.sys" 29056 2004-08-03 23:00
"C:\WINDOWS\ServicePackFiles\i386\ip6fw.sys" 29056 2004-08-03 23:00
"C:\WINDOWS\system32\dllcache\ip6fw.sys" 29056 2004-08-03 23:00
"C:\WINDOWS\system32\drivers\ip6fw.sys" 29056 2004-08-03 23:00

Infected File Listed Below:

C:\WINDOWS\system32\drivers\ip6fw.sys

Trojan File copied to Backups Folder
Attempting to replace ip6fw.sys with original version...

Original ip6fw.sys Restored

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Service asc3550o - Deleted after Reboot

Normal Mode:
Checking Files:

Trojan Files Found:

C:\410876~1 - Deleted
C:\410876~1 - Deleted
C:\410876~1 - Deleted
C:\WINDOWS\system32\4.tmp - Deleted
C:\WINDOWS\system32\5.tmp - Deleted
C:\WINDOWS\system32\1E.tmp - Deleted
C:\WINDOWS\system32\1_exception.nls - Deleted
C:\WINDOWS\system32\Gothic.exe - Deleted
C:\WINDOWS\system32\i - Deleted
C:\WINDOWS\Temp\startdrv.exe - Deleted
C:\WINDOWS\system32\xpdx.sys - Deleted
C:\WINDOWS\system32\drivers\asc3550o.sys - Deleted
C:\WINDOWS\system32\drivers\runtime2.sys - Deleted
C:\WINDOWS\system32\drivers\runtime2.sy_ - Deleted

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-26 08:27:59
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:78,33,5e,9c,f7,2f,2e,b9,cb,97,46,fe,e4,74,ae,fc,f3,d4,9c,5a,63,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s0"=dword:bd64c2ea
"s1"=dword:3c2c5158
"s2"=dword:4d3d409b
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:78,33,5e,9c,f7,2f,2e,b9,cb,97,46,fe,e4,74,ae,fc,f3,d4,9c,5a,63,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:78,33,5e,9c,f7,2f,2e,b9,cb,97,46,fe,e4,74,ae,fc,f3,d4,9c,5a,63,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:78,33,5e,9c,f7,2f,2e,b9,cb,97,46,fe,e4,74,ae,fc,f3,d4,9c,5a,63,...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\21\1\t]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DLLName"="\x111\t\20\t\30\b\2\2"
"Logon"="WLEventLogon\0\0\0\0\0"
"Logoff"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\T\1\t]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DLLName"="\x154\t\xa0\t\x154\b\2\2"
"Logon"="WLEventLogon\0\0\0\0\0"
"Logoff"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\U\1\t]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DLLName"="\x155\t\xb8\t\x154\b\2\2"
"Logon"="WLEventLogon\0\0\0\0\0"
"Logoff"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Y\1\t]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DLLName"="\x159\t\x10c\t\x154\b\2\2"
"Logon"="WLEventLogon\0\0\0\0\0"
"Logoff"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]
"Order"=hex:08,00,00,00,02,00,00,00,5e,02,00,00,01,00,00,00,05,00,00,00,8c,...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

File Backups: - C:\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes:

Fri 2 Jul 2004 4,348 ...SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 2 Jul 2004 401 ...SH. --- "C:\Documents and Settings\All Users\DRM\DRMv11.bak"
Fri 22 Jul 2005 400 ...SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.bla.bak"
Fri 22 Jul 2005 48 ...SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.sec.bak"
Tue 21 Mar 2000 565,248 A...H. --- "C:\Kuba\Mini Car Racing\Game\WCSUP.DLL"
Thu 22 Mar 2007 46,592 ...H. --- "C:\Documents and Settings\User\Dane aplikacji\Microsoft\Word~WRL1665.tmp"
Thu 22 Mar 2007 22,016 ...H. --- "C:\Documents and Settings\User\Dane aplikacji\Microsoft\Word~WRL3080.tmp"
Fri 27 Jan 2006 444 ...HR --- "C:\Documents and Settings\User\Dane aplikacji\SecuROM\UserData\securom_v7_01.bak"

Finished!