
Author Topic: parent's computer  (Read 4641 times)


michaewlewis

    Topic Starter


parent's computer
« on: January 19, 2010, 09:40:00 PM »
I just reinstalled Windows XP on my parent's computer and it still looks like there is a virus on it. My guess is it's a rootkit, which I have no idea how to get rid of (besides installing Linux and just having them use that). I've seen the virus before from my work development computer. Luckily Symantec has been doing a good job of cleaning up my flash drive before the virus can do anything there.
You can see which file it is below (herss.exe). I deleted the herss.exe file, but there are still two files in the root directory (9fo3ar0j.exe & sywyrl0q.exe), which I can only see from the command line. The virus seems to be blocking the option to see system files and hidden files from explorer.
I've run Avira A/V, but it doesn't seem to notice anything wrong.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:25:38 PM, on 1/19/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [cdoosoft] C:\DOCUME~1\Dad\LOCALS~1\Temp\herss.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1263869748936
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

--
End of file - 2491 bytes
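A small triage script, added here as an example (it is not part of the thread and not a HijackThis feature), that applies the same reading to the O4 lines in the log above: an autostart value launching from a Temp folder under a name unrelated to the executable, which is exactly what the cdoosoft/herss.exe entry looks like next to the avgnt and ctfmon entries.

```python
import ntpath
import re

# The three O4 (autostart) lines from the HijackThis log in the post above, verbatim.
HJT_O4_LINES = r"""O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [cdoosoft] C:\DOCUME~1\Dad\LOCALS~1\Temp\herss.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Shape of an O4 line: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Legitimate autostart entries almost never run from a Temp folder; the 8.3 short form
# HijackThis prints on XP (LOCALS~1\Temp\) still contains this marker.
TEMP_MARKER = "\\temp\\"

def executable_of(cmd):
    """Program path from a Run value: the quoted path if quoted, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]

def parse_o4(line):
    """Return hive/key/name/exe for an O4 line, or None for any other HijackThis line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["exe"] = executable_of(entry.pop("cmd"))
    return entry

def suspicion_reasons(entry):
    """Heuristics: the Temp location is the strong signal, a name mismatch only a weak one."""
    reasons = []
    exe = entry["exe"].lower()
    if TEMP_MARKER in exe:
        reasons.append("launches from a Temp directory")
    if ntpath.splitext(entry["name"])[0].lower() != ntpath.splitext(ntpath.basename(exe))[0]:
        reasons.append("value name '%s' does not match executable '%s'" % (entry["name"], ntpath.basename(entry["exe"])))
    return reasons

def triage(log_text):
    """Return (value name, executable, reasons) for each O4 entry that deserves a look."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        reasons = suspicion_reasons(entry) if entry else []
        if reasons:
            flagged.append((entry["name"], entry["exe"], reasons))
    return flagged
```

Run against the log it flags only the cdoosoft entry, for both reasons; the R0/R1, O9 and O23 lines are ignored because they are not autostart entries.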

tmoe30



    Re: parent's computer
    « Reply #1 on: January 20, 2010, 02:08:54 AM »
    If you think it is a rootkit, you can download RootkitRevealer and run that on the PC.  It is a free download.  Just Google RootkitRevealer and you'll find it.

    Are you doing a format of XP or just a repair?  If you are doing a format, is all the software loaded on after XP purchased from the vendor or has it been downloaded?  Oftentimes, downloaded software will contain trojans which will reinfect the computer.  Hope this helps.

    michaewlewis

      Topic Starter


    Re: parent's computer
    « Reply #2 on: January 20, 2010, 02:06:40 PM »
    I figured out the problem. It's not a rootkit. I was using a flash drive to copy drivers from my parent's computer to my laptop, which was also infected and which I am restoring. Silly me, I should have known better.
    I fixed both computers now and am in the process of reinstalling all of the software.

    sos2516

    Re: parent's computer
    « Reply #3 on: January 20, 2010, 06:25:08 PM »
    Edited.
    « Last Edit: January 23, 2010, 11:23:21 AM by SuperDave »

    WildIce




      Re: parent's computer
      « Reply #4 on: January 21, 2010, 01:20:12 PM »
      I figured out the problem. It's not a rootkit. I was using a flash drive to copy drivers from my parent's computer to my laptop, which was also infected and which I am restoring. Silly me, I should have known better.
      I fixed both computers now and am in the process of reinstalling all of the software.

      Hi, could you tell me how exactly you fixed it? :) I have this sywyrl0q.exe too on my drive and my antivirus software doesn't seem to detect it...

      Thank you!

      Tom

      harry 48



      Re: parent's computer
      « Reply #5 on: January 21, 2010, 01:43:47 PM »
      tmoe30 and sos2516, please do not give advice; you are not malware experts.

      WildIce




        Re: parent's computer
        « Reply #6 on: January 21, 2010, 06:38:58 PM »
        Hi, could you tell me how exactly you fixed it? :) I have this sywyrl0q.exe too on my drive and my antivirus software doesn't seem to detect it...

        Thank you!

        Tom

        For people having the same problem (sywyrl0q.exe and its autorun.inf keep coming back on hard drives and USB sticks):
        I deleted that herss.exe file in my Temp folder and both the sywyrl0q.exe and autorun.inf on all drives (with command prompt: del /a:h /f) and it solved it for me, I think.
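As an added example (not from the poster, and not the removal command above), a check for the pattern WildIce describes: read what a drive-root autorun.inf would launch and confirm whether that file is actually present in the root. The drive layout built in demo() is constructed, with sywyrl0q.exe as an empty stand-in file.

```python
import os
import tempfile

LAUNCH_KEYS = ("open", "shellexecute")   # plus any shell\<verb>\command key

def first_token(value):
    """The program named by an autorun value: a quoted path, or the first whitespace token."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""

def parse_autorun(text):
    """Relative paths an autorun.inf would launch on insertion or double-click.
    Parsed line by line and tolerant of junk: autorun.inf files dropped by worms are often
    padded with garbage lines that make a strict INI parser (configparser) raise."""
    targets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "[")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            exe = first_token(value)
            if exe and exe.lower() not in (t.lower() for t in targets):
                targets.append(exe)
    return targets

def inspect_drive_root(root):
    """Does this drive root carry an autorun.inf, and are its launch targets really there?
    Name matching is case-insensitive, as on FAT/NTFS; only root-level targets are checked."""
    names = {n.lower(): n for n in os.listdir(root)}
    if "autorun.inf" not in names:
        return {"autorun_present": False, "targets": [], "present": []}
    with open(os.path.join(root, names["autorun.inf"]), encoding="latin-1") as f:
        targets = parse_autorun(f.read())
    present = [names[t.lower()] for t in targets if t.lower() in names]
    return {"autorun_present": True, "targets": targets, "present": present}

def demo():
    """Constructed drive root (hypothetical layout) with the two files this thread reports;
    sywyrl0q.exe is an empty stand-in, not the real file."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "autorun.inf"), "w") as f:
        f.write("[AutoRun]\nopen=sywyrl0q.exe\nshell\\open\\Command=sywyrl0q.exe /s\ngarbage line\n")
    open(os.path.join(root, "sywyrl0q.exe"), "wb").close()
    return inspect_drive_root(root)
```

A root that reports autorun_present with its target present is what the `del /a:h /f` step in the post is removing; a target that is listed but not present usually means the file is hidden from the listing tool rather than gone.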

        michaewlewis

          Topic Starter


        Re: parent's computer
        « Reply #7 on: January 25, 2010, 12:34:20 PM »
        Hi, could you tell me how exactly you fixed it? :) I have this sywyrl0q.exe too on my drive and my antivirus software doesn't seem to detect it...

        Thank you!

        Tom

        http://www.symantec.com/security_response/writeup.jsp?docid=2009-081106-1401-99&tabid=3