
system security invasion, sheur2



#1 mtmax
  • Members
  • 27 posts

Posted 19 July 2009 - 07:15 PM

I recently acquired this darn thing, I'm not sure how, but the kids use this old computer a lot. I have an older computer, running xp, with avg antivirus. I have tried running mbam, and atf and sas in safe mode, but avg is still giving me warnings. I also tried stopping the process, but the warnings continue. The warnings are shown below.
I hope I did the screenshot correctly. In case it does not show up, the culprit is sheur2.aqlk.
I very much appreciate any help,
Drmax


#2 Budapest
    Bleepin' Cynic
  • Moderator
  • 23,579 posts

Posted 19 July 2009 - 07:22 PM

Please post your mbam log.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 mtmax
  • Topic Starter
  • Members
  • 27 posts

Posted 19 July 2009 - 07:38 PM

Thank you very much for your help Budapest. Here is the first log:
Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 3

7/14/2009 10:15:01 PM
mbam-log-2009-07-14 (22-15-01).txt

Scan type: Quick Scan
Objects scanned: 107407
Time elapsed: 8 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 6
Registry Values Infected: 5
Registry Data Items Infected: 8
Folders Infected: 1
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\vovuhinu.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\jeruvote.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\herifolu.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a60e3ee0-559e-4d6e-b838-877b039970d7} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a60e3ee0-559e-4d6e-b838-877b039970d7} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a60e3ee0-559e-4d6e-b838-877b039970d7} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemSecurity2009 (Rogue.SystemSecurity) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm377f7803 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kowokiyidu (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\11242814 (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\jeruvote.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\jeruvote.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\herifolu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\herifolu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\herifolu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Hillberry\Start Menu\Programs\System Security (Rogue.SystemSecurity) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\jeruvote.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\vovuhinu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\nusoyeta.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\11242814\11242814.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\herifolu.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\lodivoyo.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\yepogofa.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\documents and settings\hillberry\start menu\Programs\system security\System Security (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
c:\documents and settings\hillberry\Desktop\System Security 2009.lnk (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\Hillberry\Desktop\explorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.



And here is the next log:

Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 3

7/14/2009 10:15:01 PM
mbam-log-2009-07-14 (22-15-01).txt

Scan type: Quick Scan
Objects scanned: 107407
Time elapsed: 8 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 6
Registry Values Infected: 5
Registry Data Items Infected: 8
Folders Infected: 1
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\vovuhinu.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\jeruvote.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\herifolu.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a60e3ee0-559e-4d6e-b838-877b039970d7} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a60e3ee0-559e-4d6e-b838-877b039970d7} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a60e3ee0-559e-4d6e-b838-877b039970d7} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemSecurity2009 (Rogue.SystemSecurity) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm377f7803 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kowokiyidu (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\11242814 (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\jeruvote.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\jeruvote.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\herifolu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\herifolu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\herifolu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Hillberry\Start Menu\Programs\System Security (Rogue.SystemSecurity) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\jeruvote.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\vovuhinu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\nusoyeta.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\11242814\11242814.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\herifolu.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\lodivoyo.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\yepogofa.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\documents and settings\hillberry\start menu\Programs\system security\System Security (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
c:\documents and settings\hillberry\Desktop\System Security 2009.lnk (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\Hillberry\Desktop\explorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

I tried before to give you a screenshot, but it didn't work, not surprising given my skills. The warnings that I keep getting from avg involve a trojan horse that it cannot fully remove.
Thanks again, your help is truly appreciated,
Mtmax
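One way to read a log like the one above, as an added Python example that is not part of this thread: it parses the MBAM 1.x line format, tallies detections by family, names the persistence mechanism behind each registry hit, and lists the items that were only marked "Delete on reboot", which is why a reboot and a clean rescan are needed before the machine can be called clean. The sample log is a constructed excerpt of the log posted above, and the persistence labels are this example's own.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x log: tally detections by family,
name the persistence mechanism behind each registry hit, and list items that
were only marked "Delete on reboot" (they are not gone until a reboot and a
clean rescan confirm it).  Added example, not code from the thread."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt of the MBAM 1.39 log posted in this thread (a few
# representative lines in the same format, not the full log).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.39
Database version: 2421

Memory Modules Infected:
C:\WINDOWS\system32\vovuhinu.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kowokiyidu (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\jeruvote.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\jeruvote.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\Hillberry\Desktop\explorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
"""

# One detection per line: "<item> (<family>) -> [detail -> ...] <action>"
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")

# Registry locations seen in the posted log, matched as lowercase substrings,
# with a defender-oriented label (the labels are this example's own).
PERSISTENCE_LOCATIONS = (
    ("\\currentversion\\run\\", "Run key autostart"),
    ("appinit_dlls", "AppInit_DLLs injection into user32-loading processes"),
    ("browser helper objects", "Internet Explorer BHO"),
    ("sharedtaskscheduler", "SharedTaskScheduler (loaded by Explorer)"),
    ("shellserviceobjectdelayload", "ShellServiceObjectDelayLoad (loaded by Explorer)"),
    ("lsa\\notification packages", "LSA notification package (loaded by lsass)"),
    ("security center\\", "Security Center alerting disabled"),
)


@dataclass
class Detection:
    section: str   # e.g. "Registry Data Items Infected"
    item: str      # file path or registry path
    family: str    # MBAM detection name, e.g. Trojan.Vundo.H
    action: str    # last "->" segment, e.g. "Delete on reboot."
    extra: str     # middle segments, e.g. "Data: c:\\windows\\system32\\x.dll"


def parse_mbam_log(text):
    """Return the Detection entries found in an MBAM 1.x log."""
    detections, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):          # section header, no count
            section = line[:-1]
            continue
        m = DETECTION_RE.match(line)
        if not m:                               # banner, counts, "(No malicious items detected)"
            continue
        *detail, action = [p.strip() for p in m.group("rest").split("->")]
        detections.append(Detection(section, m.group("item"), m.group("family"),
                                    action, " -> ".join(detail)))
    return detections


def persistence_mechanism(item):
    """Label the autostart/injection point a registry path represents, or None."""
    low = item.lower()
    for needle, label in PERSISTENCE_LOCATIONS:
        if needle in low:
            return label
    return None


def summarize(detections):
    """Families seen, persistence mechanisms touched, and items still pending reboot."""
    families = Counter(d.family for d in detections)
    mechanisms = sorted({persistence_mechanism(d.item) for d in detections} - {None})
    pending = [d.item for d in detections if d.action.lower().startswith("delete on reboot")]
    return {"families": families, "mechanisms": mechanisms, "pending_reboot": pending}


if __name__ == "__main__":
    report = summarize(parse_mbam_log(SAMPLE_LOG))
    for family, count in report["families"].most_common():
        print(f"{count:3d}  {family}")
    print("Persistence touched:", *report["mechanisms"], sep="\n  ")
    print("Still pending reboot:", *report["pending_reboot"], sep="\n  ")
```

Run it against the full log pasted above and the "pending reboot" list is exactly the set of in-memory Vundo DLLs that a second, post-reboot quick scan has to come back clean on.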

#4 mtmax
  • Topic Starter
  • Members
  • 27 posts

Posted 19 July 2009 - 07:43 PM

Oh snap,
Here is the second log.
Mtmax


Malwarebytes' Anti-Malware 1.39
Database version: 2437
Windows 5.1.2600 Service Pack 3

7/15/2009 10:49:27 PM
mbam-log-2009-07-15 (22-49-27).txt

Scan type: Quick Scan
Objects scanned: 108457
Time elapsed: 13 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#5 Budapest
    Bleepin' Cynic
  • Moderator
  • 23,579 posts

Posted 19 July 2009 - 07:44 PM

Those logs are the same.

Reboot, run another mbam quick scan and post the new log.

#6 Budapest
    Bleepin' Cynic
  • Moderator
  • 23,579 posts

Posted 19 July 2009 - 07:45 PM

Please download RootRepeal Rootkit Detector and save it to your Desktop.

* Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
* Click this link to see a list of such programs and how to disable them.
* Create a new folder on your hard drive called RootRepeal (C:\RootRepeal) and extract (unzip) RootRepeal.zip. (click here if you're not sure how to do this. Vista users refer to this link.)
* Open the folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator...
* Click on the Files tab, then click the Scan button.
* In the Select Drives dialog, under Please select drives to scan: select all drives showing, then click OK.
* When the scan has completed, a list of files will be generated in the RootRepeal window.
* Click on the Save Report button and save it as rootrepeal.txt to your desktop or the same location where you ran the tool from.
* Open rootrepeal.txt in Notepad and copy/paste its contents in your next reply.
* Exit RootRepeal and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

Note: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "Safe Mode".

#7 mtmax
  • Topic Starter
  • Members
  • 27 posts

Posted 19 July 2009 - 09:47 PM

Budapest,
I can't seem to run rootrepeal in normal or safe mode. The computer locks up on the screen "initializing....please wait".
Perhaps we can try something else?
Thanks again for your help.
Mtmax

#8 Budapest
    Bleepin' Cynic
  • Moderator
  • 23,579 posts

Posted 19 July 2009 - 10:19 PM

Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now". Click Yes.
  • Make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.


#9 mtmax
  • Topic Starter
  • Members
  • 27 posts

Posted 20 July 2009 - 07:52 AM

Budapest,
Here is the sophos log. There were no items checked for cleanup recommended. Thank you.

Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 7/19/2009 at 21:40:34 PM
User "Hillberry" on computer "MARIE"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x300 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Stopped logging on 7/19/2009 at 21:40:40 PM


Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 7/19/2009 at 21:41:26 PM
User "Hillberry" on computer "MARIE"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x300 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Stopped logging on 7/19/2009 at 21:41:58 PM


Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 7/19/2009 at 21:42:04 PM
User "Hillberry" on computer "MARIE"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x300 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Hidden: registry item \HKEY_USERS\S-1-5-21-1708537768-1078145449-682003330-1006
Hidden: registry item \HKEY_USERS\S-1-5-21-1708537768-1078145449-682003330-500
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\WINDOWS\system32\msdelta.dll
Hidden: file C:\System Volume Information\_restore{103E8C71-AA9A-443D-B001-44B12799AFF0}\RP1229\A0098480.exe
Hidden: file C:\Documents and Settings\Hillberry\Application Data\Mozilla\Firefox\Profiles\rkjjf2mi.default\Cache\A2F0955Ed01
Hidden: file C:\Program Files\Memeo\AutoSync\truecrypt\TrueCrypt Setup.exe
Hidden: file C:\Program Files\Memeo\AutoSync\truecrypt\Setup Files\TrueCrypt.exe
Hidden: file C:\Program Files\Memeo\AutoSync\truecrypt\Setup Files\TrueCrypt Format.exe
Hidden: file C:\Documents and Settings\Hillberry\Desktop\backup programs\ambackup3-setup.exe
Hidden: file C:\Program Files\Spybot - Search & Destroy\Updates\sdhelper161.exe
Hidden: file C:\Program Files\Spybot - Search & Destroy\Updates\teatimer162.exe
Hidden: file C:\System Volume Information\_restore{103E8C71-AA9A-443D-B001-44B12799AFF0}\RP1214\A0094577.dll
Hidden: file C:\Program Files\Spybot - Search & Destroy\UNJFGJXJ.scr
Hidden: file C:\System Volume Information\_restore{103E8C71-AA9A-443D-B001-44B12799AFF0}\RP1229\A0098482.exe
Hidden: file C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
Hidden: file C:\Program Files\Spybot - Search & Destroy\PJGPOAYMKOBJZDYAI.scr
Hidden: file C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
Hidden: file C:\System Volume Information\_restore{103E8C71-AA9A-443D-B001-44B12799AFF0}\RP1229\A0098486.exe
Hidden: file C:\System Volume Information\_restore{103E8C71-AA9A-443D-B001-44B12799AFF0}\RP1229\A0098490.exe
Hidden: file C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
Hidden: file C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe
Hidden: file C:\Program Files\Spybot - Search & Destroy\UKLMXYKKZYJMPOSSHW.scr
Hidden: file C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
Hidden: file C:\Program Files\Spybot - Search & Destroy\RORLYY.scr
Hidden: file C:\Program Files\Spybot - Search & Destroy\JUSAPFQW.scr
Hidden: file C:\Program Files\Spybot - Search & Destroy\SDFiles.exe
Hidden: file C:\Program Files\Spybot - Search & Destroy\SDShred.exe
Hidden: file C:\Program Files\Spybot - Search & Destroy\Plugins\Chai.dll
Hidden: file C:\Program Files\Spybot - Search & Destroy\Plugins\Fennel.dll
Hidden: file C:\Program Files\Spybot - Search & Destroy\Plugins\Mate.dll
Hidden: file C:\Program Files\MSN\MSNCoreFiles.BAK.{FEC69D39-ADBA-4928-98F0-3571AA97ABDF}\msnAuIns.exe
Hidden: file C:\Documents and Settings\Hillberry\Desktop\RootRepeal\RootRepeal.exe
Hidden: file C:\Program Files\EA GAMES\MOHAA\MOHAA.exe
Hidden: file C:\WINDOWS\system32\mfc71.dll
Hidden: file C:\WINDOWS\system32\mfc71u.dll
Hidden: file C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
Hidden: file C:\Program Files\EA GAMES\BF1942.exe
Hidden: file C:\Program Files\EA GAMES\fpupdate.exe
Hidden: file C:\Documents and Settings\Hillberry\Desktop\avg_free_stb_en_8_15.exe
Hidden: file C:\Program Files\Spybot - Search & Destroy\Updates\advcheck162.exe
Hidden: file C:\Documents and Settings\Hillberry\My Documents\LimeWire\Incomplete\T-75852904-Mix 2006 - Sean Paul ft. Neyo & Lil Flip & Busta & Lil Kim & Massari Ryan & Leslie & Chris Brown & Ying Yang Twins & Missy Elliot & Pharell & Pety Pablo & Fabolous & R. Kelly.mp3
Hidden: file C:\Program Files\Spybot - Search & Destroy\Updates\tools216.exe
Hidden: file C:\System Volume Information\_restore{103E8C71-AA9A-443D-B001-44B12799AFF0}\RP1229\A0098484.exe
Hidden: file C:\Program Files\Spybot - Search & Destroy\advcheck.dll
Hidden: file C:\Program Files\Spybot - Search & Destroy\Tools.dll
Hidden: file C:\Program Files\SearchRelevant\uninstall.exe
Hidden: file C:\Program Files\Malwarebytes' Anti-Malware\mbam-dor.exe
Hidden: file C:\Program Files\Intuit\QuickBooks Basic\EfpOfxGen.DLL
Hidden: file C:\Program Files\Intuit\QuickBooks Basic\Components\Payroll\PatchStaging\EfpOfx\EfpOfxGen.DLL
Hidden: file C:\Documents and Settings\Hillberry\My Documents\LimeWire\Incomplete\T-75852904-Mix 2006 - Sean Paul ft. Neyo & Lil Flip & Busta & Lil Kim & Massari Ryan & Leslie & Chris Brown & Ying Yang Twins & Missy Elliot & Pharell & Pety Pablo & Fabolous & R. Kelly.mp3
Hidden: file C:\Documents and Settings\Hillberry\Desktop\Google Updater.exe
Hidden: file C:\System Volume Information\_restore{103E8C71-AA9A-443D-B001-44B12799AFF0}\RP1232\A0102788.exe
Hidden: file C:\System Volume Information\_restore{103E8C71-AA9A-443D-B001-44B12799AFF0}\RP1229\A0098483.exe
Hidden: file C:\Program Files\EA GAMES\Battlefield 1942\BF1942.exe
Hidden: file C:\Program Files\EA GAMES\Battlefield 1942\fpupdate.exe
Hidden: file C:\Program Files\GameSpy Arcade\fpupdate.exe
Hidden: file C:\Program Files\Western Digital\My Book Essential Tools\WDSetup.exe
Hidden: file C:\Program Files\Western Digital\My Book Essential Tools\Adobe\AcroReader80_ch.exe
Hidden: file C:\Program Files\LimeWire\uninstall.exe
Hidden: file C:\Program Files\LimeWire\.NetworkShare\LimeWireWin4.18.8.exe
Hidden: file C:\System Volume Information\_restore{103E8C71-AA9A-443D-B001-44B12799AFF0}\RP1229\A0098506.exe
Hidden: file C:\System Volume Information\_restore{103E8C71-AA9A-443D-B001-44B12799AFF0}\RP1229\A0098481.exe
Hidden: file C:\Program Files\Common Files\Intuit\QuickBooks\SR_FedEx_PLS.exe
Hidden: file C:\Program Files\Common Files\AnswerWorks 4.0\LtSpynEn30.dll
Hidden: file C:\Program Files\Common Files\AnswerWorks 4.0\awTPort.dll
Hidden: file C:\Program Files\Common Files\Intuit\QuickBooks\xerces-c_2_5_0_qb.dll
Hidden: file C:\Program Files\Intuit\QuickBooks Basic\xerces-c_2_5_0_qb.dll
Hidden: file C:\Program Files\Common Files\Intuit\Product Config\xerces-c_2_5_0_qb.dll
Hidden: file C:\Program Files\Java\j2re1.4.0\javaws-1_0_1_02-win-int.exe
Hidden: file C:\Program Files\Lavasoft\Ad-Aware\pkarchive85u.dll
Hidden: file C:\Program Files\Common Files\Adobe\ESD\AdobeDownloadManager.exe
Hidden: file C:\WINDOWS\$NtServicePackUninstall$\xpsp2res.dll
Hidden: file C:\WINDOWS\$NtServicePackUninstall$\dpcdll.dll
Hidden: file C:\WINDOWS\$NtServicePackUninstall$\ipevldpc.dll
Hidden: file C:\System Volume Information\_restore{103E8C71-AA9A-443D-B001-44B12799AFF0}\RP1232\A0102790.exe
Hidden: file C:\WINDOWS\ServicePackFiles\i386\ipmntdpc.dll
Hidden: file C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Hidden: file C:\Documents and Settings\Hillberry\Desktop\avg_free_stb_en_8_15-1.exe
Hidden: file C:\Documents and Settings\Hillberry\Local Settings\Application Data\Wildtangent\Cdacache\islandrally\fmod.dll
Hidden: file C:\Program Files\Musicmatch\Musicmatch Update\MMJB\mfc71u.dll
Hidden: file C:\Program Files\Common Files\Intuit\QuickBooks\ZRush_ShipRush3_QB.ocx
Hidden: file C:\Program Files\Intuit\QuickBooks Basic\APPCORE.DLL
Hidden: file C:\Program Files\Intuit\QuickBooks Basic\FEATURES.DLL
Hidden: file C:\Program Files\Intuit\QuickBooks Basic\PAYSERV.DLL
Hidden: file C:\Program Files\Intuit\QuickBooks Basic\PREFS.DLL
Hidden: file C:\Program Files\Intuit\QuickBooks Basic\QBCHAO32.DLL
Hidden: file C:\Program Files\Intuit\QuickBooks Basic\QBONLI32.DLL
Hidden: file C:\Program Files\Intuit\QuickBooks Basic\TXNFORM.DLL
Hidden: file C:\Program Files\Intuit\QuickBooks Basic\abmapi.DLL
Hidden: file C:\Program Files\Intuit\QuickBooks Basic\paycore.DLL
Hidden: file C:\Program Files\Intuit\QuickBooks Basic\qbtxn32.DLL
Hidden: file C:\Program Files\Intuit\QuickBooks Basic\sdkqbimpl.dll
Hidden: file C:\Program Files\Intuit\QuickBooks Basic\ui.DLL
Hidden: file C:\Program Files\Sony\Sony Picture Utility\Browser\MFC71u.dll
Hidden: file C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\MFC71u.dll
Hidden: file C:\Program Files\Sony\Sony Picture Utility\InitTool\MFC71u.dll
Hidden: file C:\Documents and Settings\Hillberry\My Documents\Hannah schoolwork\wl_patch_2.0.3.exe
Hidden: file C:\WINDOWS\wt\wtupdates\wtcda\files\4.0.0.370\wtcdatt.exe
Hidden: file C:\WINDOWS\wt\wtcda\wtcdatt.exe
Hidden: file C:\Program Files\Sony\Sony Picture Utility\Importer\DCF\MFC71u.dll
Hidden: file C:\Program Files\2BrightSparks\SyncBack\SyncBack.exe
Hidden: file C:\Documents and Settings\Hillberry\My Documents\Hannah schoolwork\CouponPrinter.exe
Hidden: file C:\Program Files\Coupons\uninstall.exe
Hidden: file C:\Documents and Settings\Hillberry\My Documents\Hannah schoolwork\wl_setup_2.0.3.exe
Hidden: file C:\Program Files\Sibelius Software\Scorch\ActiveXPlugin\ScorchPDFWrapper.dll
Hidden: file C:\Program Files\Sony\Sony Picture Utility\Announce\MFC71u.dll
Hidden: file C:\WINDOWS\ServicePackFiles\i386\kperdpc.dll
Hidden: file C:\Program Files\Sony\Sony Picture Utility\Mapview\MFC71u.dll
Hidden: file C:\WINDOWS\ServicePackFiles\i386\msncli.exe
Hidden: file C:\WINDOWS\ServicePackFiles\i386\ipevldpc.dll
Hidden: file C:\WINDOWS\ServicePackFiles\i386\kprodpc.dll
Hidden: file C:\WINDOWS\ServicePackFiles\i386\ipseldpc.dll
Hidden: file C:\Program Files\Adobe\Photoshop Elements 6.0\Browser\es262-32.dll
Hidden: file C:\Program Files\Adobe\Photoshop Elements 6.0\Browser\opera.dll
Hidden: file C:\Program Files\Adobe\Photoshop Elements 6.0\Browser\xmlparse.dll
Hidden: file C:\Program Files\Adobe\Photoshop Elements 6.0\Browser\zip.dll
Hidden: file C:\Program Files\Sony\Sony Picture Utility\VideoTrimming\MFC71u.dll
Hidden: file C:\WINDOWS\system32\wmploc.dll
Hidden: file C:\Program Files\Sony\Sony Picture Utility\VideoDiscCopier\MFC71u.dll
Hidden: file C:\System Volume Information\_restore{103E8C71-AA9A-443D-B001-44B12799AFF0}\RP1232\A0102791.exe
Hidden: file C:\Program Files\Sony\Sony Picture Utility\Importer\Disc\MFC71u.dll
Hidden: file C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe
Hidden: file C:\Program Files\Sony\Sony Picture Utility\DVDAuthor\MFC71u.dll
Hidden: file C:\Program Files\Western Digital\My Book Essential Tools\Adobe\AcroReader80_cn.exe
Hidden: file C:\Program Files\Western Digital\My Book Essential Tools\Adobe\AcroReader80_de.exe
Hidden: file C:\Program Files\Western Digital\My Book Essential Tools\Google\Desktop\GoogleDesktopSetup_de.exe
Hidden: file C:\Program Files\Western Digital\My Book Essential Tools\Google\Desktop\GoogleDesktopSetup_en.exe
Hidden: file C:\Program Files\Western Digital\My Book Essential Tools\Google\Desktop\GoogleDesktopSetup_es.exe
Hidden: file C:\Program Files\Western Digital\My Book Essential Tools\Google\Desktop\GoogleDesktopSetup_fr.exe
Hidden: file C:\Program Files\Western Digital\My Book Essential Tools\Google\Desktop\GoogleDesktopSetup_it.exe
Hidden: file C:\Program Files\Western Digital\My Book Essential Tools\Google\Desktop\GoogleDesktopSetup_zh-cn.exe
Hidden: file C:\Program Files\Western Digital\My Book Essential Tools\Adobe\AcroReader80_en.exe
Hidden: file C:\Program Files\Western Digital\My Book Essential Tools\Adobe\AcroReader80_es.exe
Hidden: file C:\Program Files\Western Digital\My Book Essential Tools\Adobe\AcroReader80_fr.exe
Hidden: file C:\Program Files\Western Digital\My Book Essential Tools\Adobe\AcroReader80_it.exe
Hidden: file C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll
Hidden: file C:\WINDOWS\ServicePackFiles\i386\isdpc.dll
Hidden: file C:\WINDOWS\ServicePackFiles\i386\pcl5eres.dll
Hidden: file C:\WINDOWS\ServicePackFiles\i386\knperdpc.dll
Hidden: file C:\WINDOWS\ServicePackFiles\i386\pcl5ures.dll
Hidden: file C:\WINDOWS\ServicePackFiles\i386\knprodpc.dll
Hidden: file C:\WINDOWS\ServicePackFiles\i386\isendpc.dll
Hidden: file C:\WINDOWS\ServicePackFiles\i386\dpcdll.dll
Hidden: file C:\WINDOWS\system32\dpcdll.dll
Hidden: file C:\Program Files\CCleaner\CCleaner.exe
Hidden: file C:\Program Files\CCleaner\uninst.exe
Hidden: file C:\Program Files\AVG\AVG8\avgcorex.dll
Hidden: file C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\NlsLexicons0009.dll
Hidden: file C:\Documents and Settings\Hillberry\Application Data\IMVUClient\Uninstall.exe
Stopped logging on 7/19/2009 at 23:00:48 PM

#10 Budapest
    Bleepin' Cynic
  • Moderator
  • 23,579 posts

Posted 20 July 2009 - 04:11 PM

The Sophos log looks okay. How's your computer running?

#11 mtmax
  • Topic Starter
  • Members
  • 27 posts

Posted 21 July 2009 - 10:57 PM

Thank you Budapest,
I have rerun all scans, and have found no trace of malware. My computer is running fine. This site is so great, and your kindness and time are greatly appreciated.
Drmax

#12 Budapest
    Bleepin' Cynic
  • Moderator
  • 23,579 posts

Posted 21 July 2009 - 11:02 PM

If you’re clean, you should create a new Restore Point to prevent possible re-infection from an old one.

Go Start > Programs > Accessories > System Tools and click System Restore. Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name and then click Create. Then use Disk Cleanup to remove all but the most recently created Restore Point. Go Start > Run and type: "Cleanmgr" (without the quotes). Click Ok > More Options tab > Clean Up in the System Restore section to remove all previous restore points except the newly created one.

Also, go Start > Control Panel and double-click Add or Remove Programs. Post back and report any Java entries that you have.

#13 mtmax
  • Topic Starter
  • Members
  • 27 posts

Posted 23 July 2009 - 09:33 AM

Budapest,
The restore has been reset. I have the following entries under java:
j2se runtime environment 5.0 update 11
java 2 runtime environment, SE v 1.4.0
java webstart
java 6 update 11
java 6 update 5
Thanks again for your help
max

#14 Budapest
    Bleepin' Cynic
  • Moderator
  • 23,579 posts

Posted 23 July 2009 - 04:26 PM

Remove all those Java entries and then get the most up-to-date one from here:

http://www.java.com/en/download/index.jsp

#15 mtmax
  • Topic Starter
  • Members
  • 27 posts

Posted 24 July 2009 - 12:31 PM

Budapest,
Java has been updated. I am using mbam, sas, avg, and spybot. Any other recommendations? Thanks again,

max.