
Getting rid of a recurring Trojan

Anthony_B asked:
I've run SDFix, and it keeps coming up with a file that it says it deletes, but it keeps coming back for some reason. It doesn't really give the name of the thing, but I am posting the log here.



SDFix: Version 1.240
Run by Administrator on Mon 06/14/2010 at 07:34 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\hosts - Deleted
Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-14 19:44:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :
Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\DOCUME~1\\ptirado\\LOCALS~1\\Temp\\toframework\\ShareCast.exe"="C:\\DOCUME~1\\ptirado\\LOCALS~1\\Temp\\toframework\\ShareCast.exe:LocalSubNet:Enabled:TestOut Download Accelerator"
"C:\\DOCUME~1\\ptirado\\LOCALS~1\\Temp\\toframework\\{FC2CE2DE-CCCE-4EAD-86D2-FA3FEF34F42E}\\NavStart.exe"="C:\\DOCUME~1\\ptirado\\LOCALS~1\\Temp\\toframework\\{FC2CE2DE-CCCE-4EAD-86D2-FA3FEF34F42E}\\NavStart.exe:LocalSubNet:Disabled:TestOut ShareCast"
"C:\\DOCUME~1\\ptirado\\LOCALS~1\\Temp\\toframework\\{FC2CE2DE-CCCE-4EAD-86D2-FA3FEF34F42E}\\Navigator.exe"="C:\\DOCUME~1\\ptirado\\LOCALS~1\\Temp\\toframework\\{FC2CE2DE-CCCE-4EAD-86D2-FA3FEF34F42E}\\Navigator.exe:*:Disabled:TestOut Navigator"
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.5"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\DOCUME~1\\ptirado\\LOCALS~1\\Temp\\toframework\\ShareCast.exe"="C:\\DOCUME~1\\ptirado\\LOCALS~1\\Temp\\toframework\\ShareCast.exe:LocalSubNet:Enabled:TestOut Download Accelerator"
"C:\\DOCUME~1\\ptirado\\LOCALS~1\\Temp\\toframework\\{FC2CE2DE-CCCE-4EAD-86D2-FA3FEF34F42E}\\Navigator.exe"="C:\\DOCUME~1\\ptirado\\LOCALS~1\\Temp\\toframework\\{FC2CE2DE-CCCE-4EAD-86D2-FA3FEF34F42E}\\Navigator.exe:*:Disabled:TestOut Navigator"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"="C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe:*:Enabled:SMC Service"
"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"="C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE:*:Enabled:SNAC Service"
"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe:*:Enabled:Symantec Email"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 14 Apr 2008     1,695,232 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Fri  9 Mar 2007         4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon  4 Jun 2007             0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Finished!

Any and all assistance is appreciated.

Anthony
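As an added example (not from this thread, SDFix, or any of the tools named in it), a small Python parser for the SDFix log format posted above: it pulls the "Trojan Files Found" entries and the exported firewall exceptions, and flags enabled exceptions whose binary sits in a user Temp folder, which is the pattern visible in the log. The log excerpt, the "user" account name and the "Example Tool" entry are constructed; the real hosts file location is assumed to be the Windows default.

```python
import re

# Constructed excerpt in SDFix log format (not the poster's full log); a raw
# string keeps the doubled backslashes of the registry export intact.
SAMPLE_LOG = r"""
Trojan Files Found:
C:\WINDOWS\hosts - Deleted
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\example\\tool.exe"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\example\\tool.exe:*:Enabled:Example Tool"
Remaining Files :
"""

# The resolver only consults the hosts file at this path (assumed default), so a
# "hosts" directly under %windir% is a stray copy that something keeps re-creating.
REAL_HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"
HEADER = re.compile(r"^[ \t]*[A-Za-z][\w ]*:[ \t]*$", re.M)  # e.g. "Remaining Files :"
FILE_LINE = re.compile(r"^(\S.*?)\s+-\s+(\w+)\s*$")         # "<path> - Deleted"
APP_LINE = re.compile(r'^"(.+?)"="(.+)"$')                   # one registry export line

def section(log, header):
    """Text of one SDFix section: after `header`, up to the next section header."""
    if header not in log:
        return ""
    start = log.index(header) + len(header)
    nxt = HEADER.search(log, start)
    return log[start:nxt.start()] if nxt else log[start:]

def trojan_files(log):
    """(path, action) pairs listed under 'Trojan Files Found:'."""
    matches = (FILE_LINE.match(line) for line in section(log, "Trojan Files Found:").splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]

def authorized_apps(log):
    """Firewall exceptions from the 'Authorized Application Key Export:' block."""
    apps = []
    for m in filter(None, map(APP_LINE.match, section(log, "Authorized Application Key Export:").splitlines())):
        path = m.group(1).replace("\\\\", "\\")                   # un-double the backslashes
        rest = m.group(2).replace("\\\\", "\\")[len(path) + 1:]  # drop the leading "<path>:"
        scope, state, name = rest.split(":", 2)                   # value is path:scope:state:name
        apps.append({"path": path, "scope": scope, "state": state, "name": name})
    return apps

def risky_exceptions(apps):
    """Enabled exceptions whose binary lives in a user Temp folder."""
    temp = re.compile(r"\\(temp|locals~1)\\", re.IGNORECASE)
    return [a for a in apps if a["state"].lower() == "enabled" and temp.search(a["path"])]
```

Comparing each deleted path against REAL_HOSTS_PATH separates a stray copy (which points at whatever re-creates it) from a modified real hosts file.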

I had a similar problem. Before you run SDFix, install some spyware removal tool (I recommend Malwarebytes) and update it. Then disconnect your computer from the internet and run SDFix; after it does its job, start the system normally and run the spyware removal tool, and you should be okay then.
Top Expert 2007

Commented:
I wouldn't use SDFix; the last time it was updated was in 2008. The way malware/viruses are evolving, SDFix is now an obsolete tool.
I suggest using updated tools like MalwareBytes etc.
MalwareBytes:
http://www.malwarebytes.org/mbam-download.php 

ComboFix tutorial:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

SDFix is maybe a bit old, but when used right (from my real practice) it has no competition in dealing with hidden rogues. And in combination with ComboFix and Malwarebytes you have a last-resort tackle against almost every infection.
Top Expert 2007
Commented:
"SDFix is maybe a bit old, but when used right (from my real practice)"
The SDFix tool used to have updates every time a new variant of SDBot/IRCBot etc. surfaced, which was a few times per week; at other times it was updated daily.

So you can imagine how much less effective it is now. It is also not a good idea to use an outdated tool in cases where a rootkit or malware that the tool can't handle could have a bad result.
For example, in the past, tools that weren't able to properly remove a particular rootkit rendered the system unbootable or caused the system32 folder to be deleted (happened with ComboFix), or, in minor cases, deleted system files (happened with SDFix while it still had regular updates).

These outdated tools (SDFix, Smitfraudfix etc.) are these days really only useful for fixing registry entries that have been modified by nasties.
It's just not worth the risk involved when there are many other tools out there fully updated against new variants.

Author

Commented:
Ran Malwarebytes, and it found more things than SDFix did, and cleaned them all with no problems! Thank you!!!
Top Expert 2007

Commented:
You're welcome.
I'm glad to know the issue is resolved.
Thank you for using Experts-Exchange!