Getting rid of a recurring Trojan
Anthony_B asked:
I've run SDFix, and it keeps coming up with a file that it says it deletes, but it keeps coming back for some reason. It doesn't really give the name of the thing, but I am posting the log here.
SDFix: Version 1.240
Run by Administrator on Mon 06/14/2010 at 07:34 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\WINDOWS\hosts - Deleted
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-14 19:44:41
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\DOCUME~1\\ptirado\\LOCALS~1\\Temp\\toframework\\ShareCast.exe"="C:\\DOCUME~1\\ptirado\\LOCALS~1\\Temp\\toframework\\ShareCast.exe:LocalSubNet:Enabled:TestOut Download Accelerator"
"C:\\DOCUME~1\\ptirado\\LOCALS~1\\Temp\\toframework\\{FC2CE2DE-CCCE-4EAD-86D2-FA3FEF34F42E}\\NavStart.exe"="C:\\DOCUME~1\\ptirado\\LOCALS~1\\Temp\\toframework\\{FC2CE2DE-CCCE-4EAD-86D2-FA3FEF34F42E}\\NavStart.exe:LocalSubNet:Disabled:TestOut ShareCast"
"C:\\DOCUME~1\\ptirado\\LOCALS~1\\Temp\\toframework\\{FC2CE2DE-CCCE-4EAD-86D2-FA3FEF34F42E}\\Navigator.exe"="C:\\DOCUME~1\\ptirado\\LOCALS~1\\Temp\\toframework\\{FC2CE2DE-CCCE-4EAD-86D2-FA3FEF34F42E}\\Navigator.exe:*:Disabled:TestOut Navigator"
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.5"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\DOCUME~1\\ptirado\\LOCALS~1\\Temp\\toframework\\ShareCast.exe"="C:\\DOCUME~1\\ptirado\\LOCALS~1\\Temp\\toframework\\ShareCast.exe:LocalSubNet:Enabled:TestOut Download Accelerator"
"C:\\DOCUME~1\\ptirado\\LOCALS~1\\Temp\\toframework\\{FC2CE2DE-CCCE-4EAD-86D2-FA3FEF34F42E}\\Navigator.exe"="C:\\DOCUME~1\\ptirado\\LOCALS~1\\Temp\\toframework\\{FC2CE2DE-CCCE-4EAD-86D2-FA3FEF34F42E}\\Navigator.exe:*:Disabled:TestOut Navigator"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"="C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe:*:Enabled:SMC Service"
"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"="C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE:*:Enabled:SNAC Service"
"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe:*:Enabled:Symantec Email"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Mon 14 Apr 2008 1,695,232 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Fri 9 Mar 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 4 Jun 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Finished!
Any and all assistance is appreciated.
Anthony
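As an added example (not part of the thread, and not SDFix's own code), a small triage script for the "Authorized Application Key Export" section of a log like the one above: it parses the Windows XP firewall exception entries and lists the enabled ones whose executable runs from a temp or per-user directory, which is where a responder would look first. The sample export is constructed (its paths and user name are made up), and the "unusual directory" heuristic is an assumption for triage, not a verdict on any entry in the log.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of SDFix's "Authorized Application Key Export" (paths and user are made up).
# Each value is "<exe>"="<exe>:<scope>:<Enabled|Disabled>:<display name>" under ...\FirewallPolicy\<profile>\...
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.5"
"C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\toframework\\ShareCast.exe"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\toframework\\ShareCast.exe:LocalSubNet:Enabled:TestOut Download Accelerator"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\toframework\\Navigator.exe"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\toframework\\Navigator.exe:*:Disabled:TestOut Navigator"
'''
KEY_RE = re.compile(r"^\[.*\\firewallpolicy\\(\w+)\\authorizedapplications\\list\]$", re.I)
VALUE_RE = re.compile(r'^"(?P<name>.+?)"="(?P<data>.+)"$')
# Installed software lives under Program Files or %windir%; an Enabled hole for an executable in a
# temp or per-user data directory is the kind of entry to review first (triage heuristic, not a verdict).
UNUSUAL_DIRS = re.compile(r"\\(temp|locals~1|local settings|application data|appdata)\\", re.I)

@dataclass
class FirewallException:
    profile: str
    path: str
    scope: str
    enabled: bool
    display_name: str

def parse_authorized_apps(export: str) -> list[FirewallException]:
    """Parse every exception in the export, tracking which firewall profile it belongs to."""
    entries, profile = [], "unknown"
    for line in (raw.strip() for raw in export.splitlines()):
        key = KEY_RE.match(line)
        if key:
            profile = key.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        # .reg doubles backslashes; undo that, then split on the last three colons only (the drive letter has its own).
        parts = m.group("data").replace("\\\\", "\\").rsplit(":", 3)
        if len(parts) == 4:
            path, scope, state, name = parts
            entries.append(FirewallException(profile, path, scope, state.lower() == "enabled", name))
    return entries

def flag_for_review(entries: list[FirewallException]) -> list[FirewallException]:
    return [e for e in entries if e.enabled and UNUSUAL_DIRS.search(e.path)]

if __name__ == "__main__":
    for e in flag_for_review(parse_authorized_apps(SAMPLE_EXPORT)):
        print(f"[{e.profile}] {e.path} ({e.display_name}, scope={e.scope})")
```

Feed it the export section copied out of a real log and review the flagged entries by hand; a Disabled entry is skipped because it opens no hole even if its location looks odd.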
I had a similar problem. Before you run SDFix, install some spyware removal tool (I recommend Malwarebytes) and update it. Then disconnect your computer from the internet and run SDFix; after it does its job, start the system normally and run the spyware removal tool. You should be okay then.
I wouldn't use SDFix; the last time it was updated was in 2008. The way malware/viruses are evolving, SDFix is now an obsolete tool.
I suggest using updated tools like MalwareBytes etc.
MalwareBytes:
http://www.malwarebytes.org/mbam-download.php
ComboFix tutorial:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
SDFix is maybe a bit old, but when used right (from my real practice) it has no competition in dealing with hidden rogues. And in combination with ComboFix and Malwarebytes you have a last-resort tackle against almost every infection.
ASKER
Ran Malwarebytes, and it found more things than SDFix did, and cleaned them all with no problems! Thank you!!!
You're welcome.
I'm glad to know the issue is resolved.
Thank you for using Experts-Exchange!