polonus aka Damian
SDFix was the 2nd anti-malware program I ran, after HouseCall. It found some nasties then, and it seems to have found more nasties again:
SDFix: Version 1.208 Run by Mike on 04/08/2008 at 03:45 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\DOCUME~1\Mike\LOCALS~1\Temp\.tt11.tmp - Deleted
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-08-05 08:11:49
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0]
[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0f1\xfffe]
[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0f1\xfffe\1\r\x201e\27ï\17ÏF\x2dc\31hv\x2030H\xb7\xb7]
"þÿ??ÿÿ\20À"=hex:82,14,68,2e,d3,99,c8,01,02,00,00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0f1\xfffe\N\20\xb6Mq\xa2xM`Î\f\x201eu\x00acA\xaf]
"þÿ??ÿÿ\20À"=hex:1a,8b,5e,2e,d3,99,c8,01,02,00,00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0f1\xfffe\x\27[B9ê\xb6G\x2019Ëâ}\xa5\x8dS’]
"þÿ??ÿÿ\20À"=hex:ce,4f,63,2e,d3,99,c8,01,02,00,00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0f1\xfffe\Û\34Á>\1\16ÓD\x2020Ïûë\x201eÙÞo]
"þÿ??ÿÿ\20À"=hex:1a,8b,5e,2e,d3,99,c8,01,02,00,00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0f1\xfffe\ç\36Ì1S}\34A\xbf\x8fI\32wy\x2030é]
"þÿ??ÿÿ\20À"=hex:28,b2,65,2e,d3,99,c8,01,02,00,00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0f1\xfffe\\27*éæ\r\x2039ØHºW]
"þÿ??ÿÿ\20À"=hex:ce,4f,63,2e,d3,99,c8,01,02,00,00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0f1\xfffe\\x00d7E&i’\20ãH\x2020\xa8h#ç\36\xac\24]
"þÿ??ÿÿ\20À"=hex:28,b2,65,2e,d3,99,c8,01,02,00,00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0f1\xfffe\\xa3GÌÓ~\34\tGSDÉâ`l\xb7t]
"þÿ??ÿÿ\tÀ"=hex:4e,10,b6,4d,71,a2,9f,4d,8a,ce,0c,84,75,ac,41,af,01,00,00,00,54,..
[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0f1\xfffe\\x81ttô\x81HÒE\xb0?Ö\x00bfFSj]
"þÿ??ÿÿ\20À"=hex:1a,8b,5e,2e,d3,99,c8,01,02,00,00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0f1\xfffe\(w\x008fA\xa8\x2022=K\xb2\fÆ\a\34\vý7]
"þÿ??ÿÿ\20À"=hex:1a,8b,5e,2e,d3,99,c8,01,02,00,00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0f1\xfffe\]ž—ž\xe426\x2496]
"þÿ??ÿÿ\20À"=hex:ce,4f,63,2e,d3,99,c8,01,02,00,00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0f1\xfffe\EÒ\x2b1dû¸é\x2c58Â]
"þÿ??ÿÿ\20À"=hex:74,ed,60,2e,d3,99,c8,01,02,00,00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0f1\xfffe\ó²nx¿\xab2dCË]
"þÿ??ÿÿ\20À"=hex:1a,8b,5e,2e,d3,99,c8,01,02,00,00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0f1\xfffe\a–#Š\x2986Ø\xa79fé]
"þÿ??ÿÿ\20À"=hex:ce,4f,63,2e,d3,99,c8,01,02,00,00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0f1\xfffe\\x9ff6!¡Ë’\x18d5\xe135\xf388]
"þÿ??ÿÿ\20À"=hex:ce,4f,63,2e,d3,99,c8,01,02,00,00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0f1\xfffe\a…7“‘\xf208]
"þÿ??ÿÿ\20À"=hex:1a,8b,5e,2e,d3,99,c8,01,02,00,00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0f1\xfffe\ì-\x30fb¤€h€6]
"þÿ??ÿÿ\20À"=hex:28,b2,65,2e,d3,99,c8,01,02,00,00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0f1\xfffe\\xd91c\xf1ec\xa541‡Œž§·]
"þÿ??ÿÿ\20À"=hex:ce,4f,63,2e,d3,99,c8,01,02,00,00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0f1\xfffe\\xedeb\xabf0ÁÍ\xdca2Hn0]
"þÿ??ÿÿ\20À"=hex:82,14,68,2e,d3,99,c8,01,02,00,00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0f1\xfffe\P¨
›\x226e\xf319\xe217]
"þÿ??ÿÿ\20À"=hex:ce,4f,63,2e,d3,99,c8,01,02,00,00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0ff\xfffe]
[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0ff\xfffe\\nSÍ\xb6\xb8\x90SK\x2013\x2019Ó\xabóÊÓë]
"þÿ??ÿÿ\tÀ"=hex:3e,af,14,3d,10,01,c7,01
"þÿ??ÿÿ\nÀ"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0ff\xfffe\ý\\35~ãS0D\xb2n(ô^\27\xd7\xbc]
"þÿ??ÿÿ\17À"="
͸S–\xabd3ó\xebd3"
[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0ff\xfffe\I\x3103è\xa52bß¡]
"þÿ??ÿÿ\17À"="
͸S–\xabd3ó\xebd3"
[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\\xf0ff\xfffe\\xe96e\x33a0;ø°\x89bb²]
"þÿ??ÿÿ\17À"="
͸S–\xabd3ó\xebd3"
scanning hidden registry entries ...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3997A601-A5D1-09AA-1FA6-C9EAA6D34220}]
"iaoioefmhiijddbnpp"=hex:6a,61,6b,70,63,65,64,6a,6f,68,69,67,6a,69,70,6d,6b,6c,62,67,00,..
"haiiiegmbbgkolda"=hex:6a,61,6b,70,66,65,65,6a,65,67,66,6d,66,6d,64,6a,66,61,6e,62,00,..
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\SmartFTP\\SmartFTP.exe"="C:\\Program Files\\SmartFTP\\SmartFTP.exe:*:Enabled:SmartFTP Client"
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\WINDOWS\\system32\\mmc.exe"="C:\\WINDOWS\\system32\\mmc.exe:*:Disabled:Microsoft Management Console"
"C:\\SBCToolsV3\\bin\\SBCSniffer.exe"="C:\\SBCToolsV3\\bin\\SBCSniffer.exe:*:Enabled:SBCSniffer"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip