
Sdfix Log


3 replies to this topic

#1 JDM2

JDM2

  • Members
  • 120 posts
  • OFFLINE
  • Local time:11:34 AM

Posted 28 February 2008 - 04:46 PM

SDFix says Autorun.inf found but can't remove Autorun.inf.

[b]SDFix: Version 1.149 [/b]

Run by Jeff on Thu 02/28/2008 at 04:31 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

[b]Checking Services [/b]:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


[b]Checking Files [/b]: 

Trojan Files Found:



Could Not Remove C:\autorun.inf 



Removing Temp Files

[b]ADS Check [/b]:
 


[b]Final Check [/b]:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-28 16:37:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\\xd8\x2022\x20ac|\xff\xff\xff\xff\22\x2022\x20ac|\xf9\x2022\xd4w\2]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\Software\Adobe\FeatureSubscriptions\DVAAdobeDocMeta\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\Registered"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B7AD9AFF-4FC3-5885-ED5D-CB2914864DA6}]
"oaehofjgnohlccmbcjgkdehemhggnj"=hex:6a,61,68,69,6f,62,62,6a,6c,65,64,68,62,70,65,62,64,69,69,64,00,..
"nakgejofkagmeimdgfcpbpmboomb"=hex:6a,61,68,69,6f,62,62,6a,6c,65,64,68,62,70,65,62,64,69,69,64,00,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DA4A005D-3DBE-7651-2C9C-3FE891597748}]

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


[b]Remaining Services [/b]:



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:uTorrent"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[b]Remaining Files [/b]:

C:\autorun.inf  Found

File Backups: - C:\SDFix\backups\backups.zip

[b]Files with Hidden Attributes [/b]:

Sat 16 Feb 2008	11,194,368 A..H. --- "C:\Documents and Settings\Jeff\ntuser.tmp"
Fri 15 Aug 2003		49,237 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"
Fri 15 Aug 2003		36,953 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
Fri 23 Feb 2007	   225,380 A..H. --- "C:\Program Files\America Online 9.0\waol.exe"
Thu 16 Aug 2007		64,512 A..H. --- "C:\Documents and Settings\Jeff\Application Data\dach100.dll"
Fri 15 Aug 2003	   111,824 A..H. --- "C:\Program Files\Common Files\aolshare\shell\us\shellext.dll"

[b]Finished![/b]

Should I proceed as below to remove?

Go to Start Run and type: regedit

* Click OK.
* On the left side, click to highlight My Computer at the top.
* Go up to File Export
Make sure in that window there is a tick next to "All" under Export Branch.
Leave the "Save As Type" as "Registration Files".
Under "Filename" put RegBackup.
* Choose to save it to C:\
* Click save and then go to File Exit.

Or you can download and use ERUNT which is an excellent free tool that allows you to take a snapshot (backup) of your registry before making changes and restore it when needed.

Reboot your computer in "Safe Mode" using the F8. To do this restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A boot menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Go to Start > Run and type: regedit
Press "OK" and navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

In the right hand pane, double-click on Userinit
In the 'Edit String' box, make sure "Value data:" reads exactly (including the comma on the end) as follows: C:\WINDOWS\system32\userinit.exe,
Edit if it does not and press "OK" when done.

Now in the right hand pane again, double-click on Shell
In the 'Edit String' box, make sure "Value data:" reads exactly: Explorer.exe
Edit if it does not and press "OK" when done.
Exit regedit.

Go to Start > Run and type: cmd

* press Ok.
* At the command prompt, type in your primary drive location, usually C:
* You may need to change the directory. If so type: cd \
* Hit Enter.
* Type: attrib -s -h -r -a autorun.inf
* Hit Enter.
* Type: dir
* Hit Enter. This will allow you to see and confirm the Autorun files.
* Type: del autorun.inf
* Hit Enter.
* Repeat the above commands for each drive on your computer.

Edited by JDM2, 28 February 2008 - 04:55 PM.



#2 AndyManchesta

AndyManchesta

  • Members
  • 58 posts
  • OFFLINE
  • Gender:Male
  • Location:Manchester, UK
  • Local time:11:34 AM

Posted 25 March 2008 - 09:54 PM

Hi JDM2

I added autorun.inf to sdfix just as a marker so helpers can check for Autorun worms if it's found. Tools like FlashDisinfector and Combofix would then be useful to check for the worm's loading points, but those should only be used on a forum with assistance from experts.

Usually if there's an Autorun worm though, sdfix will delete the autorun.inf in Safe Mode but then find it again in Normal Mode and show it in the remaining files area of the report, and usually also show the worm files in that area as they tend to always use hidden attributes. On your machine it's unable to delete the file, so that makes me think it's actually a protective 'dummy' autorun.inf folder and not a file, as the commands used in sdfix will not remove folders. Tools like FlashDisinfector will place these dummy folders, so if you have used that at some stage it's fine to ignore, as the folder will prevent autorun worms being able to add their own malicious autorun.inf file to that drive if you were ever unlucky enough to be infected with one.

I'll change it in sdfix so it ignores the folders, but you can confirm it on yours by setting Windows to show hidden and system files, then check if the autorun.inf is a file or a folder. If it's a file then let us know, but if it's a folder then it's fine to ignore and leave on the machine.

Click Start. Goto MyComputer then C:\drive
Select the Tools menu from the top bar and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
UnCheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide extensions for known file types" option

Click Yes to confirm then OK

Set this back once you have checked for the file by opening the same page and pressing the Restore Defaults button, then click Apply and OK.

Cheers

Andy
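As an added example (not part of SDFix, and not code from Andy or JDM2), the PowerShell script below automates two checks from this thread: the file-or-folder question Andy raises about autorun.inf in each drive root, and the Winlogon Userinit/Shell values from the regedit steps in the first post. It assumes Windows PowerShell is installed (it was a separate download on XP) and is run from an administrator prompt; the expected Userinit path is built from %SystemRoot% rather than hard-coded to C:\WINDOWS, so it also holds where Windows is installed elsewhere.

```powershell
# Added example, not from SDFix or this thread. Assumes Windows PowerShell is
# available and the script runs from an elevated (administrator) prompt.

# Expected Winlogon values as given in the thread (Userinit keeps its trailing
# comma). $env:SystemRoot is used so the check generalises beyond C:\WINDOWS.
$expected = @{
    Userinit = "$env:SystemRoot\system32\userinit.exe,"
    Shell    = 'Explorer.exe'
}

# 1. Look for autorun.inf in the root of every filesystem drive and report
#    whether it is a folder (the protective dummy Andy describes) or a file.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $path = Join-Path $drive.Root 'autorun.inf'
    if (-not (Test-Path -LiteralPath $path -ErrorAction SilentlyContinue)) {
        "$($drive.Root) : no autorun.inf"
        continue
    }
    # -Force is required; without it hidden/system items are not returned.
    $item = Get-Item -LiteralPath $path -Force
    if ($item.PSIsContainer) {
        "$path : FOLDER (protective dummy; safe to leave in place)"
    } else {
        "$path : FILE, attributes = $($item.Attributes)"
        # A real autorun.inf tells Windows what to launch, so show it for review.
        Get-Content -LiteralPath $path -ErrorAction SilentlyContinue |
            ForEach-Object { "    $_" }
    }
}

# 2. Compare the Winlogon Userinit and Shell values with the expected strings.
#    PowerShell's -eq is case-insensitive, so C:\Windows vs C:\WINDOWS matches.
$winlogon = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($name in $expected.Keys) {
    $actual = $winlogon.$name
    if ($actual -eq $expected[$name]) {
        "Winlogon $name OK: $actual"
    } else {
        "Winlogon $name UNEXPECTED: '$actual' (expected '$($expected[$name])')"
    }
}
```

Run it as-is and read the output: a FOLDER line means the dummy Andy describes and nothing needs doing; a FILE line prints the file's attributes and contents so a helper can see what it would launch before the attrib/del steps from the first post are applied; an UNEXPECTED Winlogon line is the case the regedit instructions were written for.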

#3 JDM2

JDM2
  • Topic Starter

  • Members
  • 120 posts
  • OFFLINE
  • Local time:11:34 AM

Posted 18 September 2008 - 08:46 AM

Hi Andy (and anyone else reading), Thanks a lot for responding to my log. I know for a fact that these registry entries below are rogue. Do you know how I can remove them?

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]

Thank you!

Jeff

#4 AndyManchesta

AndyManchesta

  • Members
  • 58 posts
  • OFFLINE
  • Gender:Male
  • Location:Manchester, UK
  • Local time:11:34 AM

Posted 23 September 2008 - 11:18 AM

Hi Jeff,

The service is created by Daemon Tools so it's fine to ignore.

http://www.daemon-tools.cc/dtcc/index.php
