Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

sfc_os.dll virus

Started by izzy_murphy , Mar 18 2010 05:16 AM

  • Please log in to reply

#1
izzy_murphy
Posted 18 March 2010 - 05:16 AM

izzy_murphy

    New Member

  • Member
  • Pip
  • 5 posts
Just wondering if anybody could help me.

I have a Windows XP Professional laptop and McAfee Security Suite. This morning I ran a scan and received a notification that I had a 'Potentially Unwanted Program.'
The name: PatchedSFC
The Location: C:\WINDOWS\system32\sfc_os.dll

The McAfee notification said that they couldn't remove the file and it won't delete because it is protected.

I would be really grateful for any help.

Thank you,
Izzy.
  • 0

Advertisements

#2
RKinner
Posted 19 March 2010 - 01:13 PM

RKinner

    Malware Expert

  • Expert
  • 24,624 posts
  • MVP
sfc_os.dll is normally a windows file. Don't see how it can be a 'Potentially Unwanted Program' so this may be a false positive. Try submitting it to http://virustotal.com. See what the other anti-virus companies think about it.

Do step 5 of
http://www.geekstogo...uide-t2852.html
but instead of what they tell you to copy and paste use the text between the lines of stars:

******************************************************************************************

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
sfc_os.dll
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav


******************************************************************************************

Then copy and paste the log into a reply.
Ron
  • 0

#3
izzy_murphy
Posted 19 March 2010 - 02:19 PM

izzy_murphy

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts

sfc_os.dll is normally a windows file. Don't see how it can be a 'Potentially Unwanted Program' so this may be a false positive. Try submitting it to http://virustotal.com. See what the other anti-virus companies think about it.

Do step 5 of
http://www.geekstogo...uide-t2852.html
but instead of what they tell you to copy and paste use the text between the lines of stars:

******************************************************************************************

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
sfc_os.dll
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav


******************************************************************************************

Then copy and paste the log into a reply.
Ron


Thank you :) I submitted the file to virustotal.com and only 4 out of 42 sites said it could be infected.
I hope I've done this right:

OTL logfile created on: 19/03/2010 20:15:30 - Run 2
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\Administrator\My Documents\Downloads
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

494.00 Mb Total Physical Memory | 182.00 Mb Available Physical Memory | 37.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 72.00% Paging File free
Paging file location(s): C:\pagefile.sys 744 1488 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.25 Gb Total Space | 33.07 Gb Free Space | 88.76% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: EXPERIENCE
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/03/19 20:01:53 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\My Documents\Downloads\OTL.exe
PRC - [2009/12/08 14:25:28 | 000,093,320 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2009/11/04 16:53:34 | 000,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/11/04 15:59:50 | 000,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2009/10/29 06:54:44 | 001,218,008 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/29 06:54:44 | 000,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/10/27 11:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/10/02 13:02:56 | 000,026,640 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSK\msksrver.exe
PRC - [2009/08/19 10:23:24 | 007,418,368 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.bin
PRC - [2009/08/19 10:23:22 | 007,424,000 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.exe
PRC - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2006/07/29 12:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/07/22 07:14:36 | 000,086,016 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SoundMan.exe
PRC - [2006/04/14 11:56:12 | 000,569,413 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
PRC - [2006/04/14 11:52:18 | 000,602,182 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
PRC - [2006/04/14 11:51:52 | 000,667,718 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
PRC - [2006/04/14 11:44:58 | 000,540,745 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
PRC - [2006/04/14 11:43:02 | 000,114,753 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
PRC - [2006/04/14 11:42:26 | 000,217,164 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe


========== Modules (SafeList) ==========

MOD - [2010/03/19 20:01:53 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\My Documents\Downloads\OTL.exe
MOD - [2006/07/29 12:00:00 | 001,050,624 | R--- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
MOD - [2005/11/28 13:57:10 | 000,512,090 | ---- | M] (Stardock.Net, Inc) -- C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll
MOD - [2004/09/18 15:37:00 | 000,028,740 | ---- | M] (Stardock.Net, Inc) -- C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll
MOD - [2003/02/26 20:27:44 | 000,036,864 | ---- | M] (Stardock.Net, Inc) -- C:\WINDOWS\system32\wbsys.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/12/08 14:25:28 | 000,093,320 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2009/11/04 16:53:34 | 000,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/11/04 15:59:50 | 000,606,736 | ---- | M] (McAfee, Inc.) [On_Demand | Running] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/10/29 06:54:44 | 000,865,832 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/10/28 11:50:32 | 000,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/10/27 11:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/10/02 13:02:56 | 000,026,640 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSK\MskSrver.exe -- (MSK80Service)
SRV - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2006/04/14 11:44:58 | 000,540,745 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor) Intel®
SRV - [2006/04/14 11:43:02 | 000,114,753 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng) Intel®
SRV - [2006/04/14 11:42:26 | 000,217,164 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc) Intel®


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\zoek, = http://www.google.com/search?q=%s
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/"
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.0

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/02/18 12:25:04 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/19 12:07:16 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/03/19 12:07:16 | 000,000,000 | ---D | M]

[2009/11/21 09:45:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2010/03/19 09:22:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\u7ugtq3k.default\extensions
[2009/12/22 11:58:53 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\u7ugtq3k.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2010/03/19 09:22:01 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/11/03 01:42:02 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2009/11/03 01:42:02 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2009/11/03 01:42:02 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2009/11/03 01:42:02 | 000,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2006/07/29 12:00:00 | 000,442,025 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 .impresionesweb.com
O1 - Hosts: 127.0.0.1 .banners.publipagos.com
O1 - Hosts: 127.0.0.1 .publipagos.com
O1 - Hosts: 127.0.0.1 v3.publipagos.com
O1 - Hosts: 127.0.0.1 red.as-eu.falkag.net
O1 - Hosts: 127.0.0.1 .googlesyndication.com
O1 - Hosts: 127.0.0.1 pagead2.googlesyndication.com
O1 - Hosts: 127.0.0.1 pagead1.googlesyndication.com
O1 - Hosts: 127.0.0.1 morannon.fok.nl
O1 - Hosts: 127.0.0.1 ad.firstadsolution.com
O1 - Hosts: 127.0.0.1 .clicktorrent.info
O1 - Hosts: 127.0.0.1 .75tz.com
O1 - Hosts: 127.0.0.1 .aavc.com
O1 - Hosts: 127.0.0.1 .acjp.com
O1 - Hosts: 127.0.0.1 .count.cc
O1 - Hosts: 127.0.0.1 .ebav.com
O1 - Hosts: 127.0.0.1 .ebaw.com
O1 - Hosts: 127.0.0.1 .ebch.com
O1 - Hosts: 127.0.0.1 .ebdv.com
O1 - Hosts: 127.0.0.1 .ebdw.com
O1 - Hosts: 127.0.0.1 .ebgo.com
O1 - Hosts: 127.0.0.1 .ebjp.com
O1 - Hosts: 127.0.0.1 .ebkb.com
O1 - Hosts: 127.0.0.1 .ebkn.com
O1 - Hosts: 14783 more lines...
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {8E718888-423F-11D2-876E-00A0C9082467} - No CLSID value found.
O4 - HKLM..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (Intel Corporation)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [McENUI] C:\Program Files\McAfee\MHN\McENUI.exe (McAfee, Inc.)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SoundMan.exe (Realtek Semiconductor Corp.)
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoInternetOpenWith = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMBalloonTip = 1
O13 - ftp Prefix: missing
O13 - gopher Prefix: missing
O13 - home Prefix: missing
O13 - mosaic Prefix: missing
O13 - www Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_16)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.dll (Microsoft Corporation)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O20 - AppInit_DLLs: (wbsys.dll) - C:\WINDOWS\System32\wbsys.dll (Stardock.Net, Inc)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\WBSrv: DllName - C:\Program Files\Stardock\Object Desktop\Windowblinds\wbsrv.dll - C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll (Stardock)
O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/11/18 19:35:05 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{7d91baa0-d482-11de-abbe-00c09f964813}\Shell - "" = AutoRun
O33 - MountPoints2\{7d91baa0-d482-11de-abbe-00c09f964813}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{7d91baa0-d482-11de-abbe-00c09f964813}\Shell\open\command - "" = E:\Main.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/11/18 19:10:51 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Schedule - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
Error: Registry key for service SrServicemissing or inaccessible!

========== Files/Folders - Created Within 14 Days ==========

[2010/03/19 14:50:08 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Recent
[2010/03/19 12:07:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2010/03/19 12:04:31 | 000,000,000 | ---D | C] -- C:\WINDOWS\SoftwareDistribution
[2010/03/19 09:18:35 | 000,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy
[2010/03/19 09:13:17 | 000,000,000 | ---D | C] -- C:\Program Files\ACW
[2010/03/18 10:01:34 | 000,000,000 | ---D | C] -- C:\Program Files\7-Zip
[2010/03/18 09:47:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Help
[2010/03/15 13:48:38 | 000,000,000 | ---D | C] -- C:\Program Files\Sonic the Hedgehog
[2009/12/01 15:37:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\McAfee
[2009/11/30 08:59:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
[2009/11/18 19:36:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/11/18 19:36:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/11/18 19:34:34 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/11/18 19:34:34 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[256 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/03/19 19:52:46 | 000,008,225 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2010/03/19 19:51:06 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/19 19:51:02 | 518,508,544 | -HS- | M] () -- C:\hiberfil.sys
[2010/03/19 14:50:50 | 001,310,720 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/03/19 14:46:46 | 000,000,008 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
[2010/03/19 12:08:34 | 005,881,596 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2010/03/19 12:08:05 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/19 10:39:37 | 000,001,453 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Attach.zip
[2010/03/19 09:02:16 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/03/18 09:44:45 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Administrator\regsvr32
[2010/03/18 09:30:02 | 000,001,917 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/03/17 20:28:00 | 000,008,361 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\SECURITY CHECK DATES.odt
[2010/03/17 20:25:54 | 000,008,386 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\PLANNER RECORD.odt
[2010/03/15 13:48:39 | 000,000,806 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Sonic the Hedgehog.lnk
[256 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/03/19 10:39:37 | 000,001,453 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Attach.zip
[2010/03/19 09:19:26 | 000,000,008 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol
[2010/03/19 09:02:49 | 518,508,544 | -HS- | C] () -- C:\hiberfil.sys
[2010/03/18 09:44:45 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\regsvr32
[2010/03/15 13:48:39 | 000,000,806 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Sonic the Hedgehog.lnk
[2009/11/18 21:11:20 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\msssc.dll
[2009/11/18 19:37:00 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\wbload.dll
[2009/11/18 19:17:20 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2006/07/29 12:00:00 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2006/07/29 12:00:00 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2006/07/29 12:00:00 | 000,000,573 | ---- | C] () -- C:\WINDOWS\System32\Oeminfo.ini
[2006/07/29 12:00:00 | 000,000,050 | ---- | C] () -- C:\WINDOWS\System32\eXPerience.dll

========== LOP Check ==========

[2009/11/21 12:01:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\OpenOffice.org
[2009/11/18 20:47:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\WinBatch

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2006/07/29 12:00:00 | 016,723,503 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys

< MD5 for: ATAPI.SYS >
[2006/07/29 12:00:00 | 016,723,503 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2006/07/27 03:34:22 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2006/07/29 12:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2006/07/29 12:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2006/07/29 12:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\scecli.dll

< MD5 for: SFC_OS.DLL >
[2006/07/29 12:00:00 | 000,140,288 | ---- | M] (Microsoft Corporation) MD5=A61EF818A6B253361B7FD01430272C84 -- C:\WINDOWS\system32\sfc_os.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2009/11/18 19:13:36 | 000,098,304 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009/11/18 19:13:36 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009/11/18 19:13:36 | 000,868,352 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav
< End of report >

Thanks again for your help :)
  • 0

#4
RKinner
Posted 19 March 2010 - 03:03 PM

RKinner

    Malware Expert

  • Expert
  • 24,624 posts
  • MVP
Could you copy the virustotal report and paste it into a reply?

Ron
  • 0

#5
izzy_murphy
Posted 19 March 2010 - 03:17 PM

izzy_murphy

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts

Could you copy the virustotal report and paste it into a reply?

Ron


Of course :)

File sfc_os.dll.zzz received on 2010.03.19 13:05:35 (UTC)
Current status: finished
Result: 4/42 (9.52%)
Compact Compact
Print results Print results
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.03.19 -
AhnLab-V3 5.0.0.2 2010.03.19 -
AntiVir 8.2.1.194 2010.03.19 -
Antiy-AVL 2.0.3.7 2010.03.19 -
Authentium 5.2.0.5 2010.03.19 -
Avast 4.8.1351.0 2010.03.19 -
Avast5 5.0.332.0 2010.03.19 -
AVG 9.0.0.787 2010.03.19 -
BitDefender 7.2 2010.03.19 -
CAT-QuickHeal 10.00 2010.03.19 -
ClamAV 0.96.0.0-git 2010.03.19 -
Comodo 4317 2010.03.19 -
DrWeb 5.0.1.12222 2010.03.19 -
eSafe 7.0.17.0 2010.03.18 -
eTrust-Vet 35.2.7374 2010.03.19 -
F-Prot 4.5.1.85 2010.03.18 -
F-Secure 9.0.15370.0 2010.03.19 -
Fortinet 4.0.14.0 2010.03.19 W32/Patched.F!tr
GData 19 2010.03.19 -
Ikarus T3.1.1.80.0 2010.03.19 -
Jiangmin 13.0.900 2010.03.19 -
K7AntiVirus 7.10.1001 2010.03.18 -
Kaspersky 7.0.0.125 2010.03.19 -
McAfee 5924 2010.03.18 potentially unwanted program PatchedSFC
McAfee+Artemis 5924 2010.03.18 potentially unwanted program Artemis!A61EF818A6B2
McAfee-GW-Edition 6.8.5 2010.03.19 -
Microsoft 1.5605 2010.03.19 -
NOD32 4957 2010.03.19 -
Norman 6.04.09 2010.03.19 -
nProtect 2009.1.8.0 2010.03.19 -
Panda 10.0.2.2 2010.03.18 -
PCTools 7.0.3.5 2010.03.19 -
Prevx 3.0 2010.03.19 -
Rising 22.39.04.04 2010.03.19 -
Sophos 4.51.0 2010.03.19 Disabled System File Check DLL
Sunbelt 5968 2010.03.19 -
Symantec 20091.2.0.41 2010.03.19 -
TheHacker 6.5.2.0.238 2010.03.19 -
TrendMicro 9.120.0.1004 2010.03.19 -
VBA32 3.12.12.2 2010.03.19 -
ViRobot 2010.3.19.2236 2010.03.19 -
VirusBuster 5.0.27.0 2010.03.18 -
Additional information
File size: 140288 bytes
MD5 : a61ef818a6b253361b7fd01430272c84
SHA1 : 766a01eb656b72fc7b3d344912eb06b0d485009d
SHA256: 6f9cf3ddd3d45870ebca5bc81c6e9a8d3d84a7b7e1100a1db6f762a83fadfb5d
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xF09A
timedatestamp.....: 0x411096B3 (Wed Aug 4 09:56:35 2004)
machinetype.......: 0x14C (Intel I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x17FC3 0x18000 5.98 24219bd8ff724048d30a6528bc9aa2d8
.data 0x19000 0x5244 0x200 3.20 53ad5af5f5c2bfd2e7bfa3c03f9568bd
.rsrc 0x1F000 0x8450 0x8600 4.53 679fbec37bb7342af75bd9de30d63314
.reloc 0x28000 0x1640 0x1800 5.97 6d4ffe974ca944034fa6816d607a1ba6

( 8 imports )

> advapi32.dll: RegCreateKeyExW, RegisterEventSourceW, RevertToSelf, ImpersonateLoggedOnUser, DeregisterEventSource, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, FreeSid, CheckTokenMembership, AllocateAndInitializeSid, ReportEventW, InitializeSecurityDescriptor, SetSecurityDescriptorDacl
> crypt32.dll: CertFreeCertificateContext
> kernel32.dll: GetComputerNameW, LocalAlloc, GetComputerNameExW, LeaveCriticalSection, EnterCriticalSection, HeapFree, HeapAlloc, GetProcessHeap, InitializeCriticalSection, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetCurrentProcessId, QueryPerformanceCounter, LoadLibraryA, InterlockedCompareExchange, DelayLoadFailureHook, GetTickCount, OpenEventW, ResetEvent, CreateDirectoryW, GetLocalTime, WideCharToMultiByte, GetSystemWow64DirectoryW, GetCurrentProcess, GetFileSize, GetDiskFreeSpaceExW, GetModuleFileNameW, InterlockedExchange, WaitForSingleObject, GetCurrentThreadId, DisableThreadLibraryCalls, CreateFileW, lstrcpynW, GetDriveTypeW, FormatMessageW, LocalFree, LoadLibraryW, GetProcAddress, FreeLibrary, CreateEventW, SetEvent, GetModuleHandleW, GetVersionExW, FindFirstFileW, SetFileAttributesW, DeleteFileW, FindNextFileW, FindClose, GetSystemTimeAsFileTime, CreateThread, CloseHandle, ExpandEnvironmentStringsW, GetLastError, GetFileAttributesW, SetLastError
> ntdll.dll: RtlFreeHeap, RtlDeleteCriticalSection, LdrGetProcedureAddress, RtlInitString, LdrLoadDll, RtlReAllocateHeap, LdrUnloadDll, wcscmp, _chkstk, NtResetEvent, NtSetEvent, LdrAccessResource, LdrFindResource_U, RtlUnwind, NtQueryVirtualMemory, RtlAllocateHeap, NtQueryInformationFile, NtWriteFile, NtDeleteFile, NtCreateKey, NtQueryValueKey, NtSetValueKey, RtlFreeUnicodeString, NtFlushBuffersFile, NtSetInformationFile, NtUnmapViewOfSection, NtCreateSection, NtMapViewOfSection, RtlDosPathNameToNtPathName_U, NtCreateFile, NtFsControlFile, NtOpenFile, wcstoul, RtlInitializeCriticalSection, NtOpenKey, RtlExpandEnvironmentStrings_U, _vsnwprintf, towlower, wcschr, wcsstr, swprintf, memmove, wcslen, _wcsnicmp, NtClose, RtlInitUnicodeString, wcscpy, RtlGetAce, RtlQueryInformationAcl, RtlGetDaclSecurityDescriptor, NtQuerySecurityObject, RtlCompareUnicodeString, NtWaitForMultipleObjects, NtCreateEvent, NtNotifyChangeDirectoryFile, _wcsicmp, NtWaitForSingleObject, wcscat, RtlEnterCriticalSection, RtlLeaveCriticalSection, wcsrchr, wcsncpy, RtlNtStatusToDosError
> ole32.dll: StringFromIID, CoTaskMemFree, StringFromGUID2, IIDFromString
> rpcrt4.dll: RpcStringFreeW, RpcImpersonateClient, NdrClientCall2, NdrServerCall2, RpcBindingFromStringBindingW, RpcStringBindingComposeW, RpcBindingFree, I_RpcMapWin32Status, RpcServerRegisterIf, RpcServerUseProtseqEpW, RpcServerListen, RpcRevertToSelf
> user32.dll: SetDlgItemTextW, RegisterDeviceNotificationW, DestroyWindow, wsprintfW, LoadStringW, SetThreadDesktop, CreateDialogParamW, SendMessageW, MsgWaitForMultipleObjects, IsDialogMessageW, GetDlgItemTextW, DispatchMessageW, PeekMessageW, GetDlgItem, EnableWindow, ShowWindow, UpdateWindow, SetForegroundWindow, EndDialog, FindWindowW, RegisterWindowMessageW, PostMessageW, UnregisterDeviceNotification, OpenInputDesktop, GetUserObjectInformationW, CloseDesktop, RegisterClassW, CreateWindowExW, DefWindowProcW, GetSystemMetrics, GetWindowRect, SetWindowLongW, MoveWindow, DialogBoxParamW, MessageBoxW, TranslateMessage
> wintrust.dll: CryptCATAdminEnumCatalogFromHash, CryptCATCatalogInfoFromContext, CryptCATAdminReleaseCatalogContext, WinVerifyTrust, CryptCATAdminAcquireContext, CryptCATAdminReleaseContext, CryptCATAdminCalcHashFromFileHandle

( 1 exports )

> SfcGetNextProtectedFile, SfcIsFileProtected, SfcWLEventLogoff, SfcWLEventLogon
TrID : File type identification
42.3% (.EXE) Win32 Executable Generic (8527/13/3)
37.6% (.DLL) Win32 Dynamic Link Library (generic) (7583/30/2)
9.9% (.EXE) Generic Win/DOS Executable (2002/3)
9.9% (.EXE) DOS Executable Generic (2000/1)
0.0% (.CEL) Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3)
ssdeep: 1536:Jr+J4xpldedPZKUEQ4xwikE12GqIjuQgljstFOedjmKsl6A9WOmw:J59de3KUEQ4mrAgWOknscA9WOm
sigcheck: publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Windows File Protection
original name: sfc.dll
internal name: sfc.dll
file version.: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEiD : -
RDS : NSRL Reference Data Set
-
  • 0

#6
RKinner
Posted 19 March 2010 - 05:05 PM

RKinner

    Malware Expert

  • Expert
  • 24,624 posts
  • MVP
I still think it's a false positive. I've found a couple of other instances of the same file on the net tho it is no longer the latest version. The file is replaced by SP3 which for some reason you do not have. It would be wise to update to SP3 unless you have some reason not to. I checked the same file on my XP SP3 netbook and it comes back clean from all vendors.

Ron
  • 0

#7
izzy_murphy
Posted 19 March 2010 - 05:12 PM

izzy_murphy

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts

I still think it's a false positive. I've found a couple of other instances of the same file on the net tho it is no longer the latest version. The file is replaced by SP3 which for some reason you do not have. It would be wise to update to SP3 unless you have some reason not to. I checked the same file on my XP SP3 netbook and it comes back clean from all vendors.

Ron


Ok, that's brilliant thank you :) So I should just ignore it then? I will update to SP3 as soon as possible. Thanks :)
  • 0

#8
RKinner
Posted 19 March 2010 - 05:16 PM

RKinner

    Malware Expert

  • Expert
  • 24,624 posts
  • MVP
Just ignore it for now. The problem should go away with SP3.

Ron
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP