
Dropper.delf.wj = Sysdriver.exe, Won't Go Away!



#1 chris727 (Members)

Posted 17 March 2008 - 04:34 PM

Hi all!
First post...unfortunately motivated by a bleepingcomputer problem! Quick stats list:

Windows XP Media Center Version 2002 SP2
AVG Free 7.5
AVG Anti-Spyware
Sunbelt Personal Firewall
SpyBot Search and Destroy
CCleaner
*All programs are updated

I've got this funny file that keeps popping up: C:\Windows\System32\sysdriver.exe. AVG and AVG Anti-Spyware both detect it and delete it; however, the file always comes back when the computer is rebooted. AVG detects it as trojan.backdoor.generic5.wjm and AVG Anti-Spyware detects it as dropper.delf.wj. They both agree it is bad news, but are unable to prevent its return - no other problems are reported and I have not noticed any changes / problems with the computer as of yet. Any help would be appreciated.

Sincerely (sick of this annoying file),
Chris

#2 PropagandaPanda (Malware Response Team)

Posted 17 March 2008 - 04:41 PM

Welcome to Bleeping Computer.

Please run SDfix.
  • Download SDfix setup onto your desktop.
  • Run the installer. Leave the install location at your system root.
  • After the install, boot into Safe Mode.
  • Click your Start Menu. Click Run. Type in c:\sdfix\runthis.bat. Hit OK.
  • The prompt window will open. Type Y and hit Enter.
  • Wait for the scan to finish.
  • You will be prompted to restart. Press any key to do so. Allow SDfix to boot the computer into normal boot.
  • At reboot, the prompt window will pop up, along with a log shortly after. Copy the contents of the log back in your next reply.


#3 chris727 (Topic Starter, Members)

Posted 17 March 2008 - 06:05 PM

Ok, followed your instructions and here is the report.txt file that was generated:


SDFix: Version 1.158

Run by Owner on Mon 03/17/2008 at 04:49 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\sdfix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-17 16:55:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

IPC error: 2 The system cannot find the file specified.
scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

C:\Program Files\Sunbelt Firewall\crashdump.tar.gz

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"="C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrade Engine"
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"="C:\\TOSHIBA\\IVP\\ISM\\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe"="C:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe:*:Disabled:Adobe Photoshop Elements Media Server"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Disabled:AOL Application Loader"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Disabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Disabled:AOLTsMon"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Tue 10 Aug 2004 188,416 A..H. --- "C:\WINDOWS\system32\waultc.exe"
Mon 11 Dec 2006 31,744 A..H. --- "C:\_Us\_General Letters\~WRL0018.tmp"
Mon 11 Dec 2006 43,008 A..H. --- "C:\_Us\_General Letters\~WRL0274.tmp"
Mon 11 Dec 2006 43,520 A..H. --- "C:\_Us\_General Letters\~WRL0459.tmp"
Mon 11 Dec 2006 41,472 A..H. --- "C:\_Us\_General Letters\~WRL0476.tmp"
Mon 11 Dec 2006 40,448 A..H. --- "C:\_Us\_General Letters\~WRL0752.tmp"
Mon 11 Dec 2006 41,472 A..H. --- "C:\_Us\_General Letters\~WRL0901.tmp"
Mon 11 Dec 2006 37,888 A..H. --- "C:\_Us\_General Letters\~WRL1603.tmp"
Mon 11 Dec 2006 36,352 A..H. --- "C:\_Us\_General Letters\~WRL2190.tmp"
Mon 11 Dec 2006 38,912 A..H. --- "C:\_Us\_General Letters\~WRL2862.tmp"
Mon 11 Dec 2006 43,520 A..H. --- "C:\_Us\_General Letters\~WRL2875.tmp"
Mon 11 Dec 2006 32,256 A..H. --- "C:\_Us\_General Letters\~WRL3958.tmp"
Wed 22 Dec 2004 33,792 A..H. --- "C:\__Sharon\Wedding-MINE!\~WRL0045.tmp"
Thu 23 Dec 2004 170,496 A..H. --- "C:\__Sharon\Wedding-MINE!\~WRL0074.tmp"
Thu 23 Dec 2004 238,592 A..H. --- "C:\__Sharon\Wedding-MINE!\~WRL0531.tmp"
Thu 23 Dec 2004 226,816 A..H. --- "C:\__Sharon\Wedding-MINE!\~WRL1076.tmp"
Thu 23 Dec 2004 207,360 A..H. --- "C:\__Sharon\Wedding-MINE!\~WRL2942.tmp"
Fri 9 Nov 2007 36,352 A..H. --- "C:\__Backups\__USB Drive - Sharon\New Folder\~WRL1439.tmp"
Fri 9 Nov 2007 36,352 A..H. --- "C:\__Backups\__USB Drive - Sharon\New Folder\WILDFLOWER (E)\~WRL1439.tmp"
Wed 27 Mar 2002 35,328 A..H. --- "C:\__Sharon\Nursing\Nursing School Classes\2nd Semester Clinical\~WRL2097.tmp"
Wed 13 Mar 2002 35,328 A..H. --- "C:\__Sharon\Nursing\Nursing School Classes\2nd Semester Clinical\~WRL3281.tmp"
Tue 13 Nov 2001 9,089,536 A..H. --- "C:\__Sharon\Nursing\Nursing School Classes\Comm. Assess\~WRL2628.tmp"
Tue 16 Oct 2001 33,792 A..H. --- "C:\__Sharon\Nursing\Nursing School Classes\Family Class\~WRL1476.tmp"
Sun 23 Sep 2001 28,672 A..H. --- "C:\__Sharon\Nursing\Nursing School Classes\Family Class\~WRL1901.tmp"
Tue 16 Oct 2001 22,016 A..H. --- "C:\__Sharon\Nursing\Nursing School Classes\Family Class\~WRL3499.tmp"
Fri 8 Mar 2002 30,208 A..H. --- "C:\__Sharon\Nursing\Nursing School Classes\Patho-Pharm\~WRL3257.tmp"
Sat 9 Mar 2002 32,768 A..H. --- "C:\__Sharon\Nursing\Nursing School Classes\Patho-Pharm\~WRL3431.tmp"
Sat 19 Jan 2008 0 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL0004.tmp"
Sat 19 Jan 2008 0 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL0005.tmp"
Sat 19 Jan 2008 0 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL0924.tmp"
Sat 19 Jan 2008 0 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL1012.tmp"
Sat 19 Jan 2008 0 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL1148.tmp"
Sat 19 Jan 2008 0 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL1520.tmp"
Sat 19 Jan 2008 0 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL2066.tmp"
Tue 10 Aug 2004 188,416 A..H. --- "C:\__Backups\__USB Drive - Chris\New Folder\Recycler\S-1-5-21-7657222115-722243114-4627784866-500\~WRL2957.tmp"
Mon 19 Mar 2007 28,672 A..H. --- "C:\__Sharon\Instituto El Rey\GRADUATION PAPERS\2007 Graduates\Solicitud BOY\~WRL0279.tmp"
Wed 13 Jun 2007 188,416 A..H. --- "C:\__Backups\__USB Drive - Sharon\New Folder\WILDFLOWER (E)\Recycler\S-1-5-21-7657222115-722243114-4627784866-500\~WRL2957.tmp"
Mon 23 Oct 2006 27,648 A..H. --- "C:\__Backups\__USB Drive - Chris\New Folder (15)\_IER\Classes\COM3 - Internet\~WRL0001.tmp"
Mon 23 Oct 2006 27,648 A..H. --- "C:\__Backups\__USB Drive - Chris\New Folder (14)\_IER\Classes\COM3 - Internet\~WRL0001.tmp"
Mon 23 Oct 2006 27,648 A..H. --- "C:\__Backups\__USB Drive - Chris\New Folder (17)\_IER\Classes\COM3 - Internet\~WRL0001.tmp"
Mon 23 Oct 2006 27,648 A..H. --- "C:\__Backups\__USB Drive - Chris\New Folder (16)\_IER\Classes\COM3 - Internet\~WRL0001.tmp"
Mon 23 Oct 2006 27,648 A..H. --- "C:\__Backups\__USB Drive - Chris\New Folder\_IER\Classes\COM3 - Internet\~WRL0001.tmp"
Tue 10 Aug 2004 32,256 A..H. --- "C:\__Sharon\Nursing\Nursing Information\Health Education\Sexual Education\poster stuff\~WRL1192.tmp"
Wed 24 Oct 2007 74,240 A..H. --- "C:\__Backups\__USB Drive - Chris\New Folder (15)\_IER\Exams (Finals Only)\1TC - _Quarterly Exams\4P\~WRL0003.tmp"
Tue 30 Oct 2007 80,384 A..H. --- "C:\__Backups\__USB Drive - Chris\New Folder (15)\_IER\Exams (Finals Only)\1TC - _Quarterly Exams\4P\~WRL0005.tmp"
Wed 24 Oct 2007 74,240 A..H. --- "C:\__Backups\__USB Drive - Chris\New Folder (14)\_IER\Exams (Finals Only)\1TC - _Quarterly Exams\4P\~WRL0003.tmp"
Tue 30 Oct 2007 80,384 A..H. --- "C:\__Backups\__USB Drive - Chris\New Folder (14)\_IER\Exams (Finals Only)\1TC - _Quarterly Exams\4P\~WRL0005.tmp"
Wed 24 Oct 2007 74,240 A..H. --- "C:\__Backups\__USB Drive - Chris\New Folder (17)\_IER\Exams (Finals Only)\1TC - _Quarterly Exams\4P\~WRL0003.tmp"
Tue 30 Oct 2007 80,384 A..H. --- "C:\__Backups\__USB Drive - Chris\New Folder (17)\_IER\Exams (Finals Only)\1TC - _Quarterly Exams\4P\~WRL0005.tmp"
Wed 24 Oct 2007 74,240 A..H. --- "C:\__Backups\__USB Drive - Chris\New Folder (16)\_IER\Exams (Finals Only)\1TC - _Quarterly Exams\4P\~WRL0003.tmp"
Tue 30 Oct 2007 80,384 A..H. --- "C:\__Backups\__USB Drive - Chris\New Folder (16)\_IER\Exams (Finals Only)\1TC - _Quarterly Exams\4P\~WRL0005.tmp"
Wed 24 Oct 2007 74,240 A..H. --- "C:\__Backups\__USB Drive - Chris\New Folder\_IER\Exams (Finals Only)\1TC - _Quarterly Exams\4P\~WRL0003.tmp"
Tue 30 Oct 2007 80,384 A..H. --- "C:\__Backups\__USB Drive - Chris\New Folder\_IER\Exams (Finals Only)\1TC - _Quarterly Exams\4P\~WRL0005.tmp"

Finished!
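As an added example (not part of this thread or of SDFix), a small Python triage script that parses the "Files with Hidden Attributes" section of an SDFix report like the one posted above and sorts the entries by how much attention they deserve when reading such a log. The sample lines are copied from the report; the bucket names and the rule that a hidden executable under %windir% is looked at first are my own heuristics, not SDFix's.

```python
import re

# Constructed sample in SDFix's "Files with Hidden Attributes" format; the four
# entries are copied from the report posted above (the whole report is not embedded).
SAMPLE_LOG = r'''Files with Hidden Attributes :

Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Tue 10 Aug 2004 188,416 A..H. --- "C:\WINDOWS\system32\waultc.exe"
Mon 11 Dec 2006 31,744 A..H. --- "C:\_Us\_General Letters\~WRL0018.tmp"
Sat 19 Jan 2008 0 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL0004.tmp"

Finished!'''

# One entry: weekday day month year, size with thousands separators, five attribute
# flags (A=archive, S=system, H=hidden, '.'=unset), then the quoted full path.
LINE_RE = re.compile(r'^(?P<date>\w{3} \d{1,2} \w{3} \d{4}) (?P<size>[\d,]+) '
                     r'(?P<attrs>[A-Z.]{5}) --- "(?P<path>.+)"$')
EXECUTABLE_EXTS = (".exe", ".dll", ".sys", ".com", ".scr", ".bat", ".cmd")

def parse_hidden_files(report):
    """Return (date, size, attrs, path) tuples from the hidden-attributes section."""
    entries, in_section = [], False
    for line in report.splitlines():
        if line.startswith("Files with Hidden Attributes"):
            in_section = True
        elif line.startswith("Finished!"):
            in_section = False
        elif in_section and (m := LINE_RE.match(line)):
            entries.append((m["date"], int(m["size"].replace(",", "")),
                            m["attrs"], m["path"]))
    return entries

def classify(path):
    """Triage bucket (my heuristic): a hidden executable under %windir% gets the first
    look; ~WRLnnnn.tmp files are Word autosave leftovers and are almost always benign."""
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    if name.endswith(EXECUTABLE_EXTS):
        return "system_dir_executable" if "\\windows\\" in low else "other_executable"
    if name.startswith("~wrl") and name.endswith(".tmp"):
        return "word_autosave_tmp"
    return "other"

def triage(report):
    """Group every hidden file in the report by triage bucket."""
    buckets = {}
    for _date, _size, _attrs, path in parse_hidden_files(report):
        buckets.setdefault(classify(path), []).append(path)
    return buckets
```

Run against the full report, the only hidden executable under the Windows directory is waultc.exe, and the sysdriver.exe the thread is about is absent from the list; which of those facts matters is for the helper reading the log to decide.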



