
Hey,

I ran the SDFix, and restarted and everything was working well.
Then I updated my Norton Virus Software and more importantly upgraded to Windows XP Service Pack 3.

After completing the install of Win XP SP3, I had to restart my comp.
When it was booted up the virus had returned.

I shutdown, ran safe mode again and let the SDFix run its course.
I then restarted and got the 2nd Report (See Below)

I am now going to avoid installing the XP SP3 update. Any suggestions?

Thanks,
Chris

SDFix: Version 1.240
Run by Administrator on Wed 11/12/2008 at 12:06 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\ADMINI~1\Desktop\sd\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File
Resetting AppInit_DLLs value


Rebooting


Infected beep.sys Found!

beep.sys File Locations:

"C:\WINDOWS\system32\dllcache\beep.sys" 23040 11/11/2008 12:18 AM
"C:\WINDOWS\system32\drivers\beep.sys" 23040 11/11/2008 12:18 AM

Infected File Listed Below:

C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\drivers\beep.sys

File copied to Backups Folder
Attempting to replace beep.sys with original version


Original beep.sys Restored

"C:\WINDOWS\system32\dllcache\beep.sys" 4224 08/07/2008 03:27 PM
"C:\WINDOWS\system32\drivers\beep.sys" 4224 08/07/2008 03:27 PM

Checking Files :

Trojan Files Found:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wrdwn3 - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wrdwn4 - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wrdwn5 - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wrdwn6 - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wrdwn7 - Deleted
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wrdwn8 - Deleted
C:\WINDOWS\system32\wini10802.exe - Deleted
C:\WINDOWS\brastk.exe - Deleted
C:\WINDOWS\karna.dat - Deleted
C:\WINDOWS\system32\_scui.cpl - Deleted
C:\WINDOWS\system32\av.dat - Deleted
C:\WINDOWS\system32\brastk.exe - Deleted
C:\WINDOWS\system32\delself.bat - Deleted
C:\WINDOWS\system32\karna.dat - Deleted
C:\WINDOWS\system32\TDSSlxwp.dll - Deleted
C:\WINDOWS\system32\TDSSosvd.dat - Deleted
C:\WINDOWS\system32\TDSSoeqh.log - Deleted


Could Not Remove C:\WINDOWS\system32\TDSSofxh.dll
Could Not Remove C:\WINDOWS\system32\TDSSnrsr.dll
Could Not Remove C:\WINDOWS\system32\TDSSriqp.dll
Could Not Remove C:\WINDOWS\system32\TDSScfum.dll

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-12 00:20:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

disk error: C:\WINDOWS\system32\config\system, 0
scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software, 0
disk error: C:\Documents and Settings\Administrator\ntuser.dat, 0
scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

Remaining Services :


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Documents and Settings\\Administrator\\My Documents\\download\\pwj579\\NES\\NES\\NESTCL95.EXE"="C:\\Documents and Settings\\Administrator\\My Documents\\download\\pwj579\\NES\\NES\\NESTCL95.EXE:*:Enabled:NESTCL95"
"C:\\Program Files\\Common Files\\AOL\\1134430184\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1134430184\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Disabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1134430184\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1134430184\\ee\\aolsoftware.exe:*:Disabled:AOL Services"
"C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"D:\\Setup.exe"="D:\\Setup.exe:*:Enabled:Setup"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\Laplink\\PCsync\\SFTHost.exe"="C:\\Program Files\\Laplink\\PCsync\\SFTHost.exe:*:Enabled:PCsync Host Module"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :

C:\WINDOWS\system32\TDSSofxh.dll Found
C:\WINDOWS\system32\TDSSnrsr.dll Found
C:\WINDOWS\system32\TDSSriqp.dll Found
C:\WINDOWS\system32\TDSScfum.dll Found

File Backups: - C:\DOCUME~1\ADMINI~1\Desktop\sd\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 28 Feb 2006 55 A.SHR --- "C:\WINDOWS\system32\ctl32nt.sys"
Fri 19 Aug 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 23 Aug 2005 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv18.bak"
Fri 18 May 2007 58,368 ...H. --- "C:\Documents and Settings\Administrator\My Documents\2006-2007\~WRL0714.tmp"
Sun 1 Jul 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Wed 18 Oct 2006 159,744 ...H. --- "C:\Documents and Settings\Administrator\My Documents\2006-2007\Water Rescources\~WRL0003.tmp"
Wed 18 Oct 2006 185,344 ...H. --- "C:\Documents and Settings\Administrator\My Documents\2006-2007\Water Rescources\~WRL0005.tmp"
Wed 18 Oct 2006 219,136 ...H. --- "C:\Documents and Settings\Administrator\My Documents\2006-2007\Water Rescources\~WRL2230.tmp"
Mon 5 May 2003 29,184 A..H. --- "C:\Documents and Settings\Administrator\My Documents\2005-2006\Mom_and__ Mike FILES\Mike'sFiles\Fish and Wildlife\~WRL0001.tmp"

Finished!


Any suggestions

Thanks,

Hi and welcome to Daniweb forums :).

A HijackThis log would be a good start.
