

trojan virus scheur2


  • This topic is locked
3 replies to this topic

#1 jolt4583

jolt4583

  • Members
  • 1 posts
  • OFFLINE
  • Local time:06:17 AM

Posted 09 May 2009 - 05:41 PM

I ran SDFix and this is what I got: .... help...

SDFix: Version 1.240
Run by danielle on Sat 05/09/2009 at 05:20 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\Documents and Settings\All Users\Documents\SDFix\SDFix

Checking Services :


Infected user32.dll Found!

user32.dll File Locations:

"C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll" 577024 03/02/2005 02:19 PM
"C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll" 578048 03/08/2007 11:48 AM
"C:\WINDOWS\$NtServicePackUninstall$\user32.dll" 577536 03/08/2007 11:36 AM
"C:\WINDOWS\$NtUninstallKB890859$\user32.dll" 577024 08/04/2004 08:00 AM
"C:\WINDOWS\$NtUninstallKB925902$\user32.dll" 577024 03/02/2005 02:09 PM
"C:\WINDOWS\ServicePackFiles\i386\user32.dll" 578560 04/13/2008 08:12 PM
"C:\WINDOWS\system32\user32.DLL" 578560 05/02/2009 11:35 AM
"C:\WINDOWS\system32\dllcache\user32.dll" 578560 05/02/2009 11:35 AM

[C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll] 1800F293BCCC8EDE8A70E12B88D80036
[C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll] 7AA4F6C00405DFC4B70ED4214E7D687B
[C:\WINDOWS\$NtServicePackUninstall$\user32.dll] B409909F6E2E8A7067076ED748ABF1E7
[C:\WINDOWS\$NtUninstallKB890859$\user32.dll] C72661F8552ACE7C5C85E16A3CF505C4
[C:\WINDOWS\$NtUninstallKB925902$\user32.dll] DE2DB164BBB35DB061AF0997E4499054
[C:\WINDOWS\ServicePackFiles\i386\user32.dll] B26B135FF1B9F60C9388B4A7D16F600B
[C:\WINDOWS\system32\user32.DLL] 37F7393D5D46BDFCE4ADC8BCA553926E
[C:\WINDOWS\system32\dllcache\user32.dll] 37F7393D5D46BDFCE4ADC8BCA553926E


[C:\WINDOWS\System32\jsamai] 37F7393D5D46BDFCE4ADC8BCA553926E
[C:\WINDOWS\System32\ukylg] 37F7393D5D46BDFCE4ADC8BCA553926E
[C:\WINDOWS\System32\vukwuw] 37F7393D5D46BDFCE4ADC8BCA553926E
[C:\WINDOWS\System32\wptlry] B26B135FF1B9F60C9388B4A7D16F600B


Note: SDFix does not repair this file!



Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-09 17:33:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

disk error: C:\WINDOWS\system32\config\system, 0
scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software, 0
disk error: C:\Documents and Settings\richard\ntuser.dat, 0
scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe:*:Enabled:MySpaceIM"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"="C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\prnet.tmp"="C:\\WINDOWS\\system32\\prnet.tmp:*:Enabled:prnet"
"C:\\Program Files\\AVG\\AVG8\\avgam.exe"="C:\\Program Files\\AVG\\AVG8\\avgam.exe:*:Enabled:avgam.exe"
"C:\\Program Files\\AVG\\AVG8\\avgdiag.exe"="C:\\Program Files\\AVG\\AVG8\\avgdiag.exe:*:Enabled:avgdiag.exe"
"C:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"="C:\\Program Files\\AVG\\AVG8\\avgdiagex.exe:*:Enabled:avgdiagex.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"="C:\\Program Files\\AVG\\AVG8\\avgnsx.exe:*:Enabled:avgnsx.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Wed 6 May 2009 24,064 A.SH. --- "C:\Documents and Settings\richard\protect.dll"
Wed 6 May 2009 24,064 A.SH. --- "C:\WINDOWS\system32\autochk.dll"
Fri 25 Apr 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 25 Apr 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 6 May 2009 24,064 A.SH. --- "C:\WINDOWS\system32\config\systemprofile\protect.dll"
Tue 15 Apr 2008 34,304 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3477.tmp"
Sun 12 Oct 2008 0 A..H. --- "C:\Documents and Settings\All Users\Application Data\Microsoft\Money\10.0\DynUpdate\BITA.tmp"
Sun 12 Oct 2008 0 A..H. --- "C:\Documents and Settings\All Users\Application Data\Microsoft\Money\10.0\DynUpdate\BITB.tmp"
Sun 12 Oct 2008 0 A..H. --- "C:\Documents and Settings\All Users\Application Data\Microsoft\Money\10.0\DynUpdate\BITC.tmp"
Sun 12 Oct 2008 0 A..H. --- "C:\Documents and Settings\All Users\Application Data\Microsoft\Money\10.0\DynUpdate\BITD.tmp"
Wed 6 May 2009 24,064 A.SH. --- "C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll"

Finished!
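The two findings worth pulling out of the log above are the user32.dll hash table and the list of system+hidden files. The following is an added triage script, not part of the thread and not SDFix or BleepingComputer code. It re-parses the lines quoted in the post and applies two checks: the copies of user32.dll that Windows actually loads (system32 and the Windows File Protection dllcache) should hash identically to the service-pack source copy, and any other file in System32 carrying a user32.dll hash is a renamed copy; separately, system+hidden files sharing one size and attribute set are clustered, since several such files dropped on the same day usually belong together. The choice of `C:\WINDOWS\ServicePackFiles\i386\user32.dll` as the trusted reference is an assumption (the log shows it with the same 578560-byte size as the system32 copy), and the function and constant names are the script's own.

```python
"""Triage helpers for SDFix-style output (added example, not SDFix code).

Assumption: the ServicePackFiles\\i386 copy of user32.dll is treated as the
trusted reference hash; older $hf_mig$ and $NtUninstall*$ copies legitimately
differ and are not compared.
"""
import re
from collections import defaultdict

# Sample input: lines copied from the SDFix log posted in this thread.
SDFIX_HASH_LINES = r"""
[C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll] 1800F293BCCC8EDE8A70E12B88D80036
[C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll] 7AA4F6C00405DFC4B70ED4214E7D687B
[C:\WINDOWS\$NtServicePackUninstall$\user32.dll] B409909F6E2E8A7067076ED748ABF1E7
[C:\WINDOWS\$NtUninstallKB890859$\user32.dll] C72661F8552ACE7C5C85E16A3CF505C4
[C:\WINDOWS\$NtUninstallKB925902$\user32.dll] DE2DB164BBB35DB061AF0997E4499054
[C:\WINDOWS\ServicePackFiles\i386\user32.dll] B26B135FF1B9F60C9388B4A7D16F600B
[C:\WINDOWS\system32\user32.DLL] 37F7393D5D46BDFCE4ADC8BCA553926E
[C:\WINDOWS\system32\dllcache\user32.dll] 37F7393D5D46BDFCE4ADC8BCA553926E
[C:\WINDOWS\System32\jsamai] 37F7393D5D46BDFCE4ADC8BCA553926E
[C:\WINDOWS\System32\ukylg] 37F7393D5D46BDFCE4ADC8BCA553926E
[C:\WINDOWS\System32\vukwuw] 37F7393D5D46BDFCE4ADC8BCA553926E
[C:\WINDOWS\System32\wptlry] B26B135FF1B9F60C9388B4A7D16F600B
"""

# Sample input: the "Files with Hidden Attributes" section from the same log.
SDFIX_HIDDEN_LINES = r'''
Wed 6 May 2009 24,064 A.SH. --- "C:\Documents and Settings\richard\protect.dll"
Wed 6 May 2009 24,064 A.SH. --- "C:\WINDOWS\system32\autochk.dll"
Fri 25 Apr 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 25 Apr 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 6 May 2009 24,064 A.SH. --- "C:\WINDOWS\system32\config\systemprofile\protect.dll"
Tue 15 Apr 2008 34,304 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL3477.tmp"
Sun 12 Oct 2008 0 A..H. --- "C:\Documents and Settings\All Users\Application Data\Microsoft\Money\10.0\DynUpdate\BITA.tmp"
Wed 6 May 2009 24,064 A.SH. --- "C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll"
'''

# Assumed trusted reference copy (see module docstring).
REFERENCE_PATH = r"C:\WINDOWS\ServicePackFiles\i386\user32.dll"

HASH_RE = re.compile(r"^\[(?P<path>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$")
HIDDEN_RE = re.compile(
    r'^(?P<date>\w{3} \d{1,2} \w{3} \d{4})\s+(?P<size>[\d,]+)\s+'
    r'(?P<attrs>\S+)\s+---\s+"(?P<path>[^"]+)"\s*$'
)


def parse_hash_lines(text):
    """Return [(path, MD5)] for every '[path] MD5' line; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = HASH_RE.match(line.strip())
        if m:
            out.append((m.group("path"), m.group("md5").upper()))
    return out


def basename(path):
    return path.rsplit("\\", 1)[-1]


def triage_user32(entries, reference_path=REFERENCE_PATH):
    """Compare loaded user32.dll copies against the reference and find renamed copies."""
    ref = {p.lower(): h for p, h in entries}.get(reference_path.lower())
    if ref is None:
        raise ValueError("reference copy not present in log")
    user32 = [(p, h) for p, h in entries if basename(p).lower() == "user32.dll"]
    # The DLL Windows loads and its WFP dllcache backup both live under system32;
    # if the dllcache copy is also modified, WFP will not restore a clean file.
    live = [(p, h) for p, h in user32 if "\\system32\\" in p.lower()]
    flagged_live = [p for p, h in live if h != ref]
    infected = {h for p, h in live if h != ref}
    known = {h for _, h in user32}
    renamed = {}
    for p, h in entries:
        if basename(p).lower() != "user32.dll" and h in known:
            renamed[p] = "infected" if h in infected else "clean"
    return {"reference_md5": ref, "flagged_live": flagged_live, "renamed_copies": renamed}


def cluster_hidden(text, min_count=2):
    """Group system+hidden files by (size, attrs); keep clusters with >= min_count members."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = HIDDEN_RE.match(line.strip())
        if not m:
            continue
        attrs = m.group("attrs")
        if "S" in attrs and "H" in attrs:
            size = int(m.group("size").replace(",", ""))
            groups[(size, attrs)].append(m.group("path"))
    return {k: v for k, v in groups.items() if len(v) >= min_count}


if __name__ == "__main__":
    result = triage_user32(parse_hash_lines(SDFIX_HASH_LINES))
    print("reference MD5:", result["reference_md5"])
    for p in result["flagged_live"]:
        print("loaded copy differs from reference:", p)
    for p, verdict in result["renamed_copies"].items():
        print(f"renamed user32.dll copy ({verdict}):", p)
    for (size, attrs), paths in cluster_hidden(SDFIX_HIDDEN_LINES).items():
        print(f"{len(paths)} system+hidden files of {size} bytes ({attrs}):", *paths, sep="\n  ")
```

Run against the quoted log, the script reports both system32 copies (the loaded DLL and the dllcache backup) as differing from the reference, classifies jsamai, ukylg and vukwuw as renamed copies of the modified DLL and wptlry as a renamed copy of the clean one, and groups the four 24,064-byte system+hidden files dated 6 May 2009 into one cluster. That matches SDFix's own "Infected user32.dll Found!" verdict and its note that it does not repair the file: with the dllcache copy also replaced, a clean user32.dll has to come from the service-pack source or installation media rather than from Windows File Protection.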



#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:01:17 PM

Posted 25 May 2009 - 10:39 AM

Hi jolt4583,

Sorry for the delay, the forums here at BC are always very busy and we do our best to keep up. I would like to see a new log
please. If you no longer require any help could you let me know please, so this topic can be closed.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Thanks



#3 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:01:17 PM

Posted 28 May 2009 - 07:59 AM

Hi, can you let me know if you still require my help; if you have resolved your issues
please let me know so this topic can be closed.

Thanks



#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:01:17 PM

Posted 30 May 2009 - 01:33 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
