SDFix: Version 1.120
Run by Radzio on 2007-12-28 at 16:45

Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

catchme 0.3.1333.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-28 16:53:08
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Documents and Settings\Radzio\Pulpit\DAEMON Tools"
"h0"=dword:00000000
"khjeh"=hex:6d,c9,db,be,03,36,41,cd,1d,d3,02,92,64,f3,df,a7,90,f0,0b,c5,45,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,29,18,48,76,e6,df,51,cb,c9,cd,7a,56,97,84,ad,f2,1f,...
"khjeh"=hex:b3,9f,97,74,56,7b,21,83,47,36,8b,cb,8a,3e,f3,0d,4d,e5,4a,03,36,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:e6,fe,ad,dc,02,81,f3,f4,f5,81,49,76,3d,e0,10,7a,51,19,b1,80,54,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:3a,e2,0a,9d,ef,de,09,fc,84,2c,0c,25,4f,71,5f,10,29,75,1f,99,68,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:03,65,7b,77,a2,83,a0,76,8b,67,c5,5e,32,20,50,cd,6a,2c,15,63,33,...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
"khjeh"=hex:03,65,7b,77,a2,83,a0,76,8b,67,c5,5e,32,20,50,cd,6a,2c,15,63,33,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Documents and Settings\Radzio\Pulpit\DAEMON Tools"
"h0"=dword:00000000
"khjeh"=hex:6d,c9,db,be,03,36,41,cd,1d,d3,02,92,64,f3,df,a7,90,f0,0b,c5,45,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,29,18,48,76,e6,df,51,cb,c9,cd,7a,56,97,84,ad,f2,1f,...
"khjeh"=hex:b3,9f,97,74,56,7b,21,83,47,36,8b,cb,8a,3e,f3,0d,4d,e5,4a,03,36,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:e6,fe,ad,dc,02,81,f3,f4,f5,81,49,76,3d,e0,10,7a,51,19,b1,80,54,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:3a,e2,0a,9d,ef,de,09,fc,84,2c,0c,25,4f,71,5f,10,29,75,1f,99,68,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:03,65,7b,77,a2,83,a0,76,8b,67,c5,5e,32,20,50,cd,6a,2c,15,63,33,...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
"khjeh"=hex:03,65,7b,77,a2,83,a0,76,8b,67,c5,5e,32,20,50,cd,6a,2c,15,63,33,...

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]
"Order"=hex:08,00,00,00,02,00,00,00,66,10,00,00,01,00,00,00,21,00,00,00,50,...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\InternetCalls.com\InternetCalls\InternetCalls.exe"="C:\Program Files\InternetCalls.com\InternetCalls\InternetCalls.exe:*:Enabled:InternetCalls"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

Files with Hidden Attributes:

Fri 20 Jul 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 20 Jul 2007 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv16.bak"
Wed 14 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1738c621b33e51e95e7a1d6339d42049\BITE.tmp"
Thu 6 Dec 2007 25,802,312 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\510fd197909dd722575ec6e361c56938\BIT22C6.tmp"
Thu 29 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cf80e29263dc9f4910f39b0a56f8e418\BIT63.tmp"
Tue 30 Nov 2004 253,952 A..HR --- "C:\Documents and Settings\Radzio\Pulpit\Nowy folder (2)\PocketCache Trial Version\BackupRestoreBus.dll"
Thu 26 Apr 2007 20,480 A..H. --- "C:\Documents and Settings\Radzio\Pulpit\Z Pulpitu\Pawa MEmerka~WRL0002.tmp"
Wed 21 Nov 2007 473 A..HR --- "C:\Documents and Settings\Radzio\Pulpit\Nowy folder (2)\PocketCache Trial Version\BackupStorage\config.bak"
Wed 18 May 2005 53,248 A..H. --- "C:\Documents and Settings\Radzio\Pulpit\Nowy folder (2)\SecurDataStorRM\Files\CopyFile.exe"
Wed 18 May 2005 30,354 A..H. --- "C:\Documents and Settings\Radzio\Pulpit\Nowy folder (2)\SecurDataStorRM\Files\msghxx.dllz"
Wed 18 May 2005 180,700 A..H. --- "C:\Documents and Settings\Radzio\Pulpit\Nowy folder (2)\SecurDataStorRM\Files\MSVCR71.DLLz"
Wed 18 May 2005 1,900,544 A..H. --- "C:\Documents and Settings\Radzio\Pulpit\Nowy folder (2)\SecurDataStorRM\Files\SecurDataStor.exe"
Wed 18 May 2005 84,634 A..H. --- "C:\Documents and Settings\Radzio\Pulpit\Nowy folder (2)\SecurDataStorRM\Files\Viewer.exez"
Thu 6 Jul 2006 49,152 A..H. --- "C:\Documents and Settings\Radzio\Pulpit\Z Pulpitu\1.02k\AlyMu\AlyMu\97s+.dll"
Sun 17 Aug 2003 122,940 A..H. --- "C:\Documents and Settings\Radzio\Pulpit\Z Pulpitu\1.02k\AlyMu\AlyMu\mfsvc2.dll"
Sun 7 Oct 2001 49,152 A..H. --- "C:\Documents and Settings\Radzio\Pulpit\Z Pulpitu\1.02k\AlyMu\AlyMu\mumsg.dll"
Tue 23 Oct 2001 36,864 A..H. --- "C:\Documents and Settings\Radzio\Pulpit\Z Pulpitu\1.02k\AlyMu\AlyMu\muplayer.exe"
Fri 22 Oct 2004 53,248 A..H. --- "C:\Documents and Settings\Radzio\Pulpit\Z Pulpitu\1.02k\AlyMu\AlyMu\ogg.dll"
Fri 22 Oct 2004 999,424 A..H. --- "C:\Documents and Settings\Radzio\Pulpit\Z Pulpitu\1.02k\AlyMu\AlyMu\vorbisfile.dll"
Fri 24 Aug 2001 45,056 A..H. --- "C:\Documents and Settings\Radzio\Pulpit\Z Pulpitu\1.02k\AlyMu\AlyMu\wsctlc.dll"
Fri 15 Sep 2000 229,432 A..H. --- "C:\Documents and Settings\Radzio\Pulpit\Z Pulpitu\1.02k\AlyMu\AlyMu\wsctlcd.dll"
Fri 22 Oct 2004 212,992 A..H. --- "C:\Documents and Settings\Radzio\Pulpit\Z Pulpitu\1.02k\AlyMu\AlyMu\wzAudio.dll"
Mon 20 Nov 2006 53,248 A..H. --- "C:\Documents and Settings\Radzio\Pulpit\Z Pulpitu\1.02k\AlyMu\AlyMu\wzcipher.dll"
Tue 10 Sep 2002 381,010 A..H. --- "C:\Documents and Settings\Radzio\Pulpit\Z Pulpitu\1.02k\AlyMu\AlyMu\wz_zp.dll"

Finished!