SDFix: Version 1.114
Run by ppp on 2007-11-16 at 17:17

Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\sdfix\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\svchost.exe - Deleted

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-16 17:21:09
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:23eabbe7
"s2"=dword:e50f68a0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:55,e6,41,49,70,d3,7f,75,bc,e9,e4,9f,83,9c,e4,75,71,d0,82,68,bf,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,cd,91,80,ae,8a,4c,e1,cf,15,60,88,26,9b,85,c5,b5,33,..
"khjeh"=hex:36,11,42,e4,9e,6c,32,17,8f,76,3e,83,e2,0a,3a,6d,0d,86,18,23,9b,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:64,62,02,00,38,db,18,00,c8,85,1a,00,e8,ff,ff,ff,48,00,49,00,44,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:55,e6,41,49,70,d3,7f,75,bc,e9,e4,9f,83,9c,e4,75,71,d0,82,68,bf,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,cd,91,80,ae,8a,4c,e1,cf,15,60,88,26,9b,85,c5,b5,33,..
"khjeh"=hex:36,11,42,e4,9e,6c,32,17,8f,76,3e,83,e2,0a,3a,6d,0d,86,18,23,9b,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:64,62,02,00,a8,57,26,00,74,00,00,00,f0,ff,ff,ff,55,00,53,00,42,..

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]
"Order"=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,..

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Gadu-Gadu\\gg.exe"="C:\\Program Files\\Gadu-Gadu\\gg.exe:*:Disabled:Gadu-Gadu - program główny"
"D:\\Gry\\pes6.exe"="D:\\Gry\\pes6.exe:*:Disabled:pes6.exe"
"C:\\Program Files\\BearShare\\BearShare.exe"="C:\\Program Files\\BearShare\\BearShare.exe:*:Enabled:BearShare"
"C:\\Program Files\\Ares\\Ares.exe"="C:\\Program Files\\Ares\\Ares.exe:*:Enabled:Ares p2p for windows"
"C:\\Program Files\\BearShare applications\\BearShare\\BearShare.exe"="C:\\Program Files\\BearShare applications\\BearShare\\BearShare.exe:*:Enabled:BearShare"
"C:\\Python24\\pythonw.exe"="C:\\Python24\\pythonw.exe:*:Enabled:pythonw"
"D:\\Gry\\PES 6\\PES6.exe"="D:\\Gry\\PES 6\\PES6.exe:*:Disabled:pes6.exe"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"D:\\Gry\\test\\TestDriveUnlimited.exe"="D:\\Gry\\test\\TestDriveUnlimited.exe:*:Enabled:Test Drive Unlimited"
"C:\\Program Files\\BearFlix\\bearflix.exe"="C:\\Program Files\\BearFlix\\bearflix.exe:*:Enabled:BearFlix"
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"
"C:\\Program Files\\Opera\\Opera.exe"="C:\\Program Files\\Opera\\Opera.exe:*:Enabled:Opera Internet Browser"
"C:\\Program Files\\WapSter\\AQQ\\AQQ.exe"="C:\\Program Files\\WapSter\\AQQ\\AQQ.exe:*:Enabled:P2P AQQ"
"C:\\PROGRA~1\\WapSter\\AQQ\\AQQ.exe"="C:\\PROGRA~1\\WapSter\\AQQ\\AQQ.exe:*:Enabled:P2P AQQ"
"D:\\Gry\\ dis\\Discipl2.exe"="D:\\Gry\\ dis\\Discipl2.exe:*:Enabled:Disciples II v2.01"
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"="C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe:*:Enabled:BlueSoleil"
"C:\\Program Files\\NAPI-PROJEKT\\napisy.exe"="C:\\Program Files\\NAPI-PROJEKT\\napisy.exe:*:Enabled:www.napiprojekt.pl"
"D:\\Gry\\Fm\\fm.exe"="D:\\Gry\\Fm\\fm.exe:*:Enabled:Football Manager 2008"
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"="C:\\Program Files\\Winamp Remote\\bin\\Orb.exe:*:Enabled:Orb"
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe:*:Enabled:OrbTray"
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. Take a deep breath "

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

File Backups: - C:\sdfix\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sat 13 May 2006       1,211 A.SHR --- "C:\copy.exe"
Sat 20 May 2006      70,207 A.SHR --- "C:\host.exe"
Sat 13 May 2006       1,211 A.SHR --- "C:\WINDOWS\xcopy.exe"
Sat  3 Nov 2007           5 A.SH. --- "C:\WINDOWS\system32\cefdfaca6_k.dll"
Sat 29 Sep 2007     189,858 ..SH. --- "C:\WINDOWS\system32\wmplayer.exe"
Fri 19 Oct 2007       1,745 ...HR --- "C:\Documents and Settings\ppp\Dane aplikacji\SecuROM\UserData\securom_v7_01.bak"

Finished!