Anthony_B asked:
Getting rid of a recurring Trojan

I've run SDFix, and it keeps coming up with a file that it says it deletes, but it keeps coming back for some reason.  It doesn't really give the name of the thing, but I am posting the log here.



SDFix: Version 1.240
Run by Administrator on Mon 06/14/2010 at 07:34 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\hosts - Deleted





Removing Temp Files

ADS Check :
 


                                 Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-14 19:44:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\DOCUME~1\\ptirado\\LOCALS~1\\Temp\\toframework\\ShareCast.exe"="C:\\DOCUME~1\\ptirado\\LOCALS~1\\Temp\\toframework\\ShareCast.exe:LocalSubNet:Enabled:TestOut Download Accelerator"
"C:\\DOCUME~1\\ptirado\\LOCALS~1\\Temp\\toframework\\{FC2CE2DE-CCCE-4EAD-86D2-FA3FEF34F42E}\\NavStart.exe"="C:\\DOCUME~1\\ptirado\\LOCALS~1\\Temp\\toframework\\{FC2CE2DE-CCCE-4EAD-86D2-FA3FEF34F42E}\\NavStart.exe:LocalSubNet:Disabled:TestOut ShareCast"
"C:\\DOCUME~1\\ptirado\\LOCALS~1\\Temp\\toframework\\{FC2CE2DE-CCCE-4EAD-86D2-FA3FEF34F42E}\\Navigator.exe"="C:\\DOCUME~1\\ptirado\\LOCALS~1\\Temp\\toframework\\{FC2CE2DE-CCCE-4EAD-86D2-FA3FEF34F42E}\\Navigator.exe:*:Disabled:TestOut Navigator"
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.5"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\DOCUME~1\\ptirado\\LOCALS~1\\Temp\\toframework\\ShareCast.exe"="C:\\DOCUME~1\\ptirado\\LOCALS~1\\Temp\\toframework\\ShareCast.exe:LocalSubNet:Enabled:TestOut Download Accelerator"
"C:\\DOCUME~1\\ptirado\\LOCALS~1\\Temp\\toframework\\{FC2CE2DE-CCCE-4EAD-86D2-FA3FEF34F42E}\\Navigator.exe"="C:\\DOCUME~1\\ptirado\\LOCALS~1\\Temp\\toframework\\{FC2CE2DE-CCCE-4EAD-86D2-FA3FEF34F42E}\\Navigator.exe:*:Disabled:TestOut Navigator"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"="C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe:*:Enabled:SMC Service"
"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"="C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE:*:Enabled:SNAC Service"
"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe:*:Enabled:Symantec Email"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 14 Apr 2008     1,695,232 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Fri  9 Mar 2007         4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon  4 Jun 2007             0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Finished!

Any and all assistance is appreciated.

Anthony
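A small added helper (not part of the original question or of SDFix) for the situation described above: it parses the "Trojan Files Found" section of two SDFix reports in the layout shown in the log and lists the paths that were reported deleted in the first run and show up again in the second. The two report excerpts are constructed for the example, with the same header and section layout as the asker's log.

```python
import re

# Constructed excerpts in the SDFix report layout from the question (not the asker's full log).
RUN_1 = r"""SDFix: Version 1.240
Run by Administrator on Mon 06/14/2010 at 07:34 PM

Trojan Files Found:

C:\WINDOWS\hosts - Deleted


Removing Temp Files
"""
RUN_2 = r"""SDFix: Version 1.240
Run by Administrator on Tue 06/15/2010 at 08:02 AM

Trojan Files Found:

C:\WINDOWS\hosts - Deleted
C:\WINDOWS\system32\example.tmp - Deleted


Removing Temp Files
"""

# One report line: "<drive>:\<path> - <Action>", e.g. "C:\WINDOWS\hosts - Deleted"
PATH_LINE = re.compile(r"^([A-Za-z]:\\.+?) - (\w+)$")

def deleted_files(report):
    """Map each path in the 'Trojan Files Found' section to the action SDFix reported."""
    found, in_section = {}, False
    for line in report.splitlines():
        line = line.strip()
        if line == "Trojan Files Found:":
            in_section = True
        elif in_section and line:
            m = PATH_LINE.match(line)
            if not m:
                break  # first non-path line ends the section
            found[m.group(1).lower()] = m.group(2)  # Windows paths compare case-insensitively
    return found

def recurring(first, second):
    """Paths reported removed in the first run that are reported again in a later run."""
    return sorted(set(deleted_files(first)) & set(deleted_files(second)))
```

Feed it two saved Report.txt files from consecutive runs; a path that keeps appearing points at something that re-creates the file after each reboot, which is the process or startup entry to look for with a current scanner.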
Commandosk

I had a similar problem. Before you run SDFIX, install some spyware removal tool (I recommend Malwarebytes) and update it. Then disconnect your computer from the internet and run SDFIX; after it does its job, start the system normally and run the spyware removal tool. You should be okay then.
rpggamergirl
I wouldn't use SDFix; the last time it was updated was in 2008. The way malware/viruses are evolving, SDFix is now an obsolete tool.
I suggest using updated tools like MalwareBytes etc.
MalwareBytes:
http://www.malwarebytes.org/mbam-download.php 

ComboFix tutorial:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

SDFix is maybe a bit old, but when used right (from my real practice) it has no concurrence in dealing with hidden rogues. And in combination with ComboFix and Malwarebytes you have a last-resort tackle against almost every infection.
ASKER CERTIFIED SOLUTION
rpggamergirl
Anthony_B (ASKER)

Ran Malwarebytes, and it found more things than SDFix did, and cleaned them all with no problems!  Thank you!!!
You're welcome.
I'm glad to know the issue is resolved.
Thank you for using Experts-Exchange!