go.google.com Virus ---Funny Result and SDFix output

Pwj579
Nov 12th, 2008
Hey,

I ran the SDFix, and restarted and everything was working well.
Then I updated my Norton Virus Software and more importantly upgraded to Windows XP Service Pack 3.

After completing the install of Win XP SP3, I had to restart my comp.
When it was booted up the virus had returned.

I shut down, ran safe mode again and let the SDFix run its course.
I then restarted and got the 2nd Report (See Below)

I am now going to avoid installing the XP SP3 update. Any suggestions?

Thanks,
Chris

SDFix: Version 1.240
Run by Administrator on Wed 11/12/2008 at 12:06 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\ADMINI~1\Desktop\sd\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File
Resetting AppInit_DLLs value


Rebooting


Infected beep.sys Found!

beep.sys File Locations:

"C:\WINDOWS\system32\dllcache\beep.sys" 23040 11/11/2008 12:18 AM
"C:\WINDOWS\system32\drivers\beep.sys" 23040 11/11/2008 12:18 AM

Infected File Listed Below:

C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\drivers\beep.sys

File copied to Backups Folder
Attempting to replace beep.sys with original version


Original beep.sys Restored

"C:\WINDOWS\system32\dllcache\beep.sys" 4224 08/07/2008 03:27 PM
"C:\WINDOWS\system32\drivers\beep.sys" 4224 08/07/2008 03:27 PM



Checking Files :

Trojan Files Found:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wrdwn3 - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wrdwn4 - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wrdwn5 - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wrdwn6 - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wrdwn7 - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wrdwn8 - Deleted
C:\WINDOWS\system32\wini10802.exe - Deleted
C:\WINDOWS\brastk.exe - Deleted
C:\WINDOWS\karna.dat - Deleted
C:\WINDOWS\system32\_scui.cpl - Deleted
C:\WINDOWS\system32\av.dat - Deleted
C:\WINDOWS\system32\brastk.exe - Deleted
C:\WINDOWS\system32\delself.bat - Deleted
C:\WINDOWS\system32\karna.dat - Deleted
C:\WINDOWS\system32\TDSSlxwp.dll - Deleted
C:\WINDOWS\system32\TDSSosvd.dat - Deleted
C:\WINDOWS\system32\TDSSoeqh.log - Deleted


Could Not Remove C:\WINDOWS\system32\TDSSofxh.dll
Could Not Remove C:\WINDOWS\system32\TDSSnrsr.dll
Could Not Remove C:\WINDOWS\system32\TDSSriqp.dll
Could Not Remove C:\WINDOWS\system32\TDSScfum.dll



Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-12 00:20:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

disk error: C:\WINDOWS\system32\config\system, 0
scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software, 0
disk error: C:\Documents and Settings\Administrator\ntuser.dat, 0
scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:Enabled:AOL Instant Messenger"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:Enabled:LimeWire"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:Enabled:RealPlayer"
"C:\\Documents and Settings\\Administrator\\My Documents\\download\\pwj579\\NES\\NES\\NESTCL95.EXE"="C:\\Documents and Settings\\Administrator\\My Documents\\download\\pwj579\\NES\\NES\\NESTCL95.EXE:Enabled:NESTCL95"
"C:\\Program Files\\Common Files\\AOL\\1134430184\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1134430184\\ee\\aim6.exe:Enabled:AIM"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:Enabled:Run a DLL as an App"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:Enabled:Microsoft DirectPlay Voice Test"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:Enabled:Internet Explorer"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:Disabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1134430184\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1134430184\\ee\\aolsoftware.exe:Disabled:AOL Services"
"C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe:Enabled:McAfee Framework Service"
"D:\\Setup.exe"="D:\\Setup.exe:Enabled:Setup"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:Enabled:Azureus"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\Laplink\\PCsync\\SFTHost.exe"="C:\\Program Files\\Laplink\\PCsync\\SFTHost.exe:Enabled:PCsync Host Module"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:enabled:@xpsp2res.dll,-22019"

Remaining Files :

C:\WINDOWS\system32\TDSSofxh.dll Found
C:\WINDOWS\system32\TDSSnrsr.dll Found
C:\WINDOWS\system32\TDSSriqp.dll Found
C:\WINDOWS\system32\TDSScfum.dll Found

File Backups: - C:\DOCUME~1\ADMINI~1\Desktop\sd\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 28 Feb 2006 55 A.SHR --- "C:\WINDOWS\system32\ctl32nt.sys"
Fri 19 Aug 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 23 Aug 2005 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv18.bak"
Fri 18 May 2007 58,368 ...H. --- "C:\Documents and Settings\Administrator\My Documents\2006-2007\~WRL0714.tmp"
Sun 1 Jul 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Wed 18 Oct 2006 159,744 ...H. --- "C:\Documents and Settings\Administrator\My Documents\2006-2007\Water Rescources\~WRL0003.tmp"
Wed 18 Oct 2006 185,344 ...H. --- "C:\Documents and Settings\Administrator\My Documents\2006-2007\Water Rescources\~WRL0005.tmp"
Wed 18 Oct 2006 219,136 ...H. --- "C:\Documents and Settings\Administrator\My Documents\2006-2007\Water Rescources\~WRL2230.tmp"
Mon 5 May 2003 29,184 A..H. --- "C:\Documents and Settings\Administrator\My Documents\2005-2006\Mom_and__ Mike FILES\Mike'sFiles\Fish and Wildlife\~WRL0001.tmp"

Finished!
crunchie
Moderator
Re: go.google.com Virus ---Funny Result and SDFix output

Nov 12th, 2008
Originally Posted by Pwj579
Any suggestions

Thanks,
Hi and welcome to Daniweb forums.

A HijackThis log would be a good start.
ScottG489

Re: go.google.com Virus ---Funny Result and SDFix output

Nov 12th, 2008
lol and maybe turning off smilies in your post
©2003 - 2009 DaniWeb® LLC