sdfix report.
Started by edthai, Oct 18 2007 07:21 AM
6 replies to this topic
#1
Posted 18 October 2007 - 07:21 AM
SDFix: Version 1.108
Run by Administrator on Tue 01/01/2002 at 12:05 AM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\ADMINI~1\Desktop\SDFix
Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
Trojan Files Found:
C:\WINDOWS\bndsrvnl.dll - Deleted
C:\WINDOWS\dat.txt - Deleted
C:\WINDOWS\msvb.dll - Deleted
C:\WINDOWS\netadv.dll - Deleted
C:\WINDOWS\rs.txt - Deleted
C:\WINDOWS\search_res.txt - Deleted
C:\WINDOWS\sysdx.dll - Deleted
Removing Temp Files...
ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
Final Check:
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\svchoct.exe"="C:\\WINDOWS\\svchoct.exe:*:Enabled:svchoct"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files:
---------------
File Backups: - C:\DOCUME~1\ADMINI~1\Desktop\SDFix\backups\backups.zip
Files with Hidden Attributes:
Sat 3 Feb 2007 348,160 ..SH. --- "C:\msvcr71.dll"
Finished!
#2
Posted 19 October 2007 - 02:00 PM
Hijackthis log?
Greets Jurgenv.
#3
Posted 20 October 2007 - 04:10 AM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0:26:16, on 1/1/2545
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bangkokpost.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\system32\nzdd.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Local Settings\Temp" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: .protected
O4 - Global Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\Realdownload.exe
O4 - Global Startup: .protected
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by112fd.bay11...es/MsnPUpld.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
--
End of file - 5768 bytes
#4
Posted 08 November 2007 - 04:39 AM
Hi edthai,
We are sorry for the delay in responding. The volunteers here are swamped and unfortunately not all logs get answered as quickly as we'd like. If you still require help, please post a new HijackThis log and I'd be happy to check it over for any problems.
Thanks
Andy
#5
Posted 29 December 2007 - 02:27 PM
A while ago I noticed my computer behaving abnormally. It crashed a few times (which is very unusual for me) and then NAV 2005 reported a virus on my computer. It identified it as 'hacktool.rootkit'.
I used the resources on the Symantec website to get rid of it, but it proved useless. I wonder if this is a unique form of rootkit. Here's the situation in brief:
1) I have an autorun file on the C: root with these lines:
[AutoRun]
;;;;;asdsdafdsaSASDCXVBDSG
open=xfoolavp.com
shell\open\Command=xfoolavp.com
shell\open\Default=1
shell\explore\Command=xfoolavp.com
2) I cannot set up Windows Explorer to show hidden files. Every time I change it, the virus switches the option back again. I wrote some batches to delete some virus-related files, but those wouldn't work either. (The attrib command is not efficient, so I can't delete the hidden files.)
3) Norton just won't clean the virus (aaargh!)
4) I ran a bunch of tools like sysclean, aprosclean, sdfix, etc. None of them seems to be successful. Sysclean claims it removed c:\autorun.inf, which is a lie. Here's my sdfix report:
SDFix: Version 1.120
Run by absurde on 29.12.2007 at 15:35
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
Trojan Files Found:
C:\autorun.inf - Deleted
Removing Temp Files...
ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
Final Check:
catchme 0.3.1333.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-29 15:43:19
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\ApexDC++\\ApexDC.exe"="C:\\Program Files\\ApexDC++\\ApexDC.exe:*:Enabled:ApexDC++"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
Remaining Files:
---------------
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes:
Sat 29 Dec 2007 104,472 ..SHR --- "C:\xfoolavp.com"
Sat 29 Dec 2007 104,472 ..SHR --- "C:\WINDOWS\system32\amvo.exe"
Sat 29 Dec 2007 54,272 ..SHR --- "C:\WINDOWS\system32\amvo0.dll"
Sat 29 Dec 2007 54,272 ..SHR --- "C:\WINDOWS\system32\amvo1.dll"
Fri 21 Dec 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 20 Dec 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Finished!
5) There are no suspicious TSRs listed in Task Manager (to my knowledge).
I don't know where the hell this thing came in. I am so confused I am not sure if I've given all the info I gathered. Just ask what you need to know to help me. What am I supposed to do now?
P.S. May all hackers who target decent users (like me) burn in hell! They must be claiming themselves to be the greatest hackers just because they can inject publicly available malicious code into a PC...
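The autorun.inf quoted above is the worm's launch hook: the same target is wired into the open key and into the Open and Explore context-menu verbs, with a junk comment line in between. The script below is an added example for this thread (not a tool anyone here posted) that parses such a file without trusting it to be clean INI and reports which AutoRun hooks launch an executable. The extension list it treats as executable is this script's own assumption; the key names are the documented AutoRun ones, and the sample content is the file quoted in the post above.

```python
"""Parse an autorun.inf and report the hooks an AutoRun worm relies on."""
import re
from pathlib import PureWindowsPath

# Sample content: the autorun.inf quoted in the post above.
SAMPLE_AUTORUN = """[AutoRun]
;;;;;asdsdafdsaSASDCXVBDSG
open=xfoolavp.com
shell\\open\\Command=xfoolavp.com
shell\\open\\Default=1
shell\\explore\\Command=xfoolavp.com
"""

# Keys Explorer acts on when a drive is inserted or opened: 'open' and
# 'shellexecute' launch a program directly, 'shell\<verb>\command' rebinds
# the verbs shown in the drive's context menu (Open, Explore, ...).
LAUNCH_KEYS = ("open", "shellexecute")
VERB_COMMAND = re.compile(r"^shell\\([^\\]+)\\command$")

# Extensions treated as executable here (assumption of this script).
RISKY_EXT = {".com", ".exe", ".bat", ".cmd", ".pif", ".scr", ".vbs"}


def parse_autorun(text):
    """Return {lower-cased key: value} for the [AutoRun] section.

    Worms pad the file with junk and comment lines (the ';;;;;asd...' line
    above) and sometimes NUL bytes, so this does not trust the file to be a
    clean INI: it skips anything without '=' and ignores other sections.
    """
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip("\x00 \t\r")
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip().strip('"')
    return entries


def launch_targets(entries):
    """Map each launch hook (open, shellexecute, shell\\<verb>\\command) to its command line."""
    return {k: v for k, v in entries.items() if k in LAUNCH_KEYS or VERB_COMMAND.match(k)}


def analyze_autorun(text):
    """Return human-readable findings; an empty list means nothing launches a program."""
    entries = parse_autorun(text)
    findings = []
    for key, cmd in launch_targets(entries).items():
        parts = cmd.split()
        exe = parts[0] if parts else ""
        if PureWindowsPath(exe).suffix.lower() in RISKY_EXT:
            findings.append(f"{key} launches {exe!r}")
    verbs = {m.group(1).lower() for m in map(VERB_COMMAND.match, entries) if m}
    if verbs & {"open", "explore"}:
        findings.append("context-menu verbs rebound to the dropper: " + ", ".join(sorted(verbs)))
    if entries.get("shell\\open\\default") == "1":
        findings.append("shell\\open\\Default=1 makes the hijacked Open verb the double-click action")
    return findings


if __name__ == "__main__":
    for finding in analyze_autorun(SAMPLE_AUTORUN):
        print(finding)
```

A legitimate install CD with open=setup.exe triggers the first kind of finding too, so treat the output as triage rather than a verdict: what marks this file is the combination of a .com at the drive root, both Open and Explore rebound to it, and shell\open\Default=1 so that a plain double-click on the drive runs it.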
#6
Posted 29 December 2007 - 08:20 PM
I partially fixed the problem.
I ran almost every online virus scanner. Most of them do not even detect the virus. Kaspersky identified it as worm.win32.autorun.biw and a program called noadware (v5.0) as adware.elodu.
None of them successfully removed it though. Then I found this magical tool: IceSword. Try it, people. I bet it can erase even itself! You can browse almost anything on your computer with it, and with a click it deletes anything... I managed to manually delete the files that sdfix reported. I had to repeat the deletion several times, but finally it worked.
I am not sure how I did this because I used so many tools, but I am sure that in the end IceSword could erase the mess...
First I removed c:\xfoolavp.com
Then I browsed to c:\windows\system32 and cleared out amvo.dll, amvo0.dll, amvo1.dll
After that, I deleted c:...\all users\drm\drmv1.bak and c:...\all users\drm\cache\indivo1.tmp
In fact I wrote down all the reported suspicious files and deleted them...
c:\windows\system32\amvo.dll proved to be the most stubborn one. I guess deleting the other files finally disabled the virus' ability to copy itself (from wherever to my system32 directory) and soon amvo.dll was also gone forever...
I believe noadware played some role too. It was the only program that actually could delete c:\autorun.inf (which came back again soon). I am still working on "side effects" like still not being able to view hidden files. I guess it has something to do with the registry.
I will be posting any more details I figure out. Forgive me for my English. I hope this helps somebody.
#7
Posted 29 December 2007 - 08:57 PM
Hi Absurde
Great work clearing the worm. IceSword is a great tool when you know what files are causing the problems, so it's nice to hear it helped out. SDFix really isn't any use at all though for these types of infections, as it doesn't target the worms or their loading points, so the autorun.inf will just be recreated every time the system restarts.
SDFix only shows some of the worm files in its log because the files have hidden attributes, but it will show legit files as well as malicious files in that area.
Quote
Sat 29 Dec 2007 104,472 ..SHR --- "C:\xfoolavp.com"
Sat 29 Dec 2007 104,472 ..SHR --- "C:\WINDOWS\system32\amvo.exe"
Sat 29 Dec 2007 54,272 ..SHR --- "C:\WINDOWS\system32\amvo0.dll"
Sat 29 Dec 2007 54,272 ..SHR --- "C:\WINDOWS\system32\amvo1.dll"
Fri 21 Dec 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 20 Dec 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
You can see the worm files were created on the 29th, but the files in the DRM folders are unrelated to the worm as they were created a week earlier. As far as I know, if you watch a movie or listen to music which has been protected by DRM (Digital Rights Management), licence data will save to that folder. If you have already deleted them using IceSword then I doubt it will cause any problems, as one is blank and 0 bytes and the other will likely just be replaced if you use the protected media again.
Run sUBs Flash Disinfector, as it will target a lot of autorun infections and create a hidden folder named autorun.inf on each partition and any USB drive you plug in. These dummy autorun.inf files will help protect your PC from reinfection, because if the infected flash drive is then inserted, autorun looks for autorun.inf, which would normally run the worm, but it's then prevented by the dummy autorun.inf that is in place. If you have any USB drives, please insert them when prompted when running the tool.
http://www.techsupportforum.com/sectools/s...Disinfector.exe
Then Combofix to check for the worm's loading points or remaining files.
Download this file - combofix.exe and save it to your desktop.
Double click combofix.exe & follow the prompts.
When it's finished, it will produce a log of what it found. Please post the contents of that log in your next reply.
Note:
Do not mouseclick combofix's window whilst it's running as it may cause it to stall.
Can you explain more about the side effects, like not being able to view hidden files? Are there options missing at the moment, or does it constantly hide the files again after you choose to view them?
Cheers
Andy
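Two things in the reply above are worth automating when reading SDFix logs: separating the hidden files created on the day of infection from unrelated hidden files (here the DRM cache from a week earlier), and reviewing the firewall "Authorized Application" export, which SDFix dumps but which nobody in this thread comments on. The first log in the thread contains an exception for C:\WINDOWS\svchoct.exe, a name one character off svchost.exe and sitting in C:\WINDOWS rather than system32; the script does not decide that it is malicious, it only flags it for review. This is an added example, not a tool from the thread; the sample text is an excerpt of the logs posted here, and the list of core binary names it compares against is the script's own assumption.

```python
"""Triage the SDFix sections discussed in this thread: the firewall
'Authorized Application' export and the 'Files with Hidden Attributes' list.
Added example, not a tool posted in the thread; CORE_BINARIES is its own assumption."""
import re
from collections import defaultdict
from datetime import datetime
from pathlib import PureWindowsPath

# Constructed excerpt: lines copied from the two SDFix logs in the thread, not a full log.
SAMPLE_LOG = r'''Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\svchoct.exe"="C:\\WINDOWS\\svchoct.exe:*:Enabled:svchoct"
Remaining Files:
---------------
Files with Hidden Attributes:
Sat 29 Dec 2007 104,472 ..SHR --- "C:\xfoolavp.com"
Sat 29 Dec 2007 104,472 ..SHR --- "C:\WINDOWS\system32\amvo.exe"
Sat 29 Dec 2007 54,272 ..SHR --- "C:\WINDOWS\system32\amvo0.dll"
Fri 21 Dec 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 20 Dec 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Finished!
'''

FW_LINE = re.compile(r'^"(?P<key>[^"]+)"="(?P<val>.+)"$')
HIDDEN_LINE = re.compile(r'^\w{3} (?P<day>\d{1,2}) (?P<mon>\w{3}) (?P<year>\d{4}) '
                         r'(?P<size>[\d,]+) (?P<attrs>[A-Z.]{5}) --- "(?P<path>.+)"$')
# Names a worm likes to imitate (assumption; extend for your environment).
CORE_BINARIES = ("svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                 "services.exe", "winlogon.exe", "explorer.exe", "spoolsv.exe")


def parse_firewall_exceptions(log):
    """Return [{'path','scope','state','desc'}] for every AuthorizedApplications value."""
    out = []
    for line in log.splitlines():
        m = FW_LINE.match(line.strip())
        if m:
            # .reg exports double each backslash; the value is path:scope:state:description
            path, scope, state, desc = m["val"].replace("\\\\", "\\").rsplit(":", 3)
            out.append({"path": path, "scope": scope, "state": state.lower(), "desc": desc})
    return out


def within_one_edit(a, b):
    """True when a and b differ by at most one substitution, insertion or deletion."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        i += len(a) >= len(b)  # step past the mismatch in the longer string,
        j += len(b) >= len(a)  # or in both on a substitution
    return edits + (len(a) - i) + (len(b) - j) <= 1


def flag_firewall_exceptions(exceptions):
    """Return {path: [reasons]} for exceptions that deserve a second look."""
    flagged = defaultdict(list)
    for e in exceptions:
        p = PureWindowsPath(e["path"])
        if str(p.parent).lower() in ("c:\\windows", "%windir%"):
            flagged[e["path"]].append("program sits directly in the Windows directory, not system32")
        for known in CORE_BINARIES:
            if p.name.lower() != known and within_one_edit(p.name.lower(), known):
                flagged[e["path"]].append(f"name is one edit away from {known}")
    return dict(flagged)


def parse_hidden_files(log):
    """Return [{'date','size','attrs','path'}] from the 'Files with Hidden Attributes' list."""
    files = []
    for line in log.splitlines():
        m = HIDDEN_LINE.match(line.strip())
        if m:
            date = datetime.strptime(f"{m['day']} {m['mon']} {m['year']}", "%d %b %Y").date()
            files.append({"date": date, "size": int(m["size"].replace(",", "")),
                          "attrs": set(m["attrs"]) - {"."}, "path": m["path"]})
    return files


def same_day_as(files, anchor_path):
    """Hidden files written on the same day as a known worm file, which is the
    test the reply above applies by eye to separate amvo.* from the DRM cache."""
    anchor = next(f for f in files if f["path"].lower() == anchor_path.lower())
    return [f for f in files if f["date"] == anchor["date"]]


if __name__ == "__main__":
    for path, reasons in flag_firewall_exceptions(parse_firewall_exceptions(SAMPLE_LOG)).items():
        print(path, "->", "; ".join(reasons))
    for f in same_day_as(parse_hidden_files(SAMPLE_LOG), r"C:\xfoolavp.com"):
        print(f["date"], "".join(sorted(f["attrs"])), f["path"])
```

The firewall check is deliberately two independent heuristics (location and lookalike name), so a hit on both, as with svchoct.exe, is stronger than either alone; the date clustering mirrors the reasoning Andy applies by eye, and like his reading it only says which files belong together, not what they are.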












