BleepingComputer.com: Trojan://DOS alureon.e


Trojan://DOS alureon.e

#1 Laddie

  • Member
  • Group: Members
  • Posts: 21
  • Joined: 23-May 11

Posted 04 December 2011 - 06:59 PM

I had a virus earlier and during the removal my computer locked up and I wound up having to do a clean install of my OS (Win7). After the install MSE came up with this alureon infection and isn't able to remove it. Help would be appreciated.

DDS

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Laddie at 18:27:10 on 2011-12-04
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.1978.1001 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Launch Manager\dsiwmis.exe
C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Acer\Registration\GREGsvc.exe
C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe
C:\Program Files\Acer\Acer Updater\UpdaterService.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Elantech\ETDCtrl.exe
C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Launch Manager\LManager.exe
C:\Windows\system32\igfxext.exe
C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe
C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Elantech\ETDCtrlHelper.exe
C:\Program Files (x86)\Launch Manager\LMworker.exe
C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Windows\system32\SearchProtocolHost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MpCmdRun.exe
c:\Program Files\Microsoft Security Client\Antimalware\MpCmdRun.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_5736z&r=27361111f605l04e4z165v48924612
uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_5736z&r=27361111f605l04e4z165v48924612
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_5736z&r=27361111f605l04e4z165v48924612
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Partner BHO Class: {83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4} - C:\ProgramData\Partner\Partner.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
mRun: [SuiteTray] "C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe"
mRun: [EgisUpdate] "C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe" -d
mRun: [EgisTecPMMUpdate] "C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe"
mRun: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [BackupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe" -h -k
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: McAfee Phishing Filter: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO-X64: McAfee Phishing Filter - No File
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Partner BHO Class: {83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} - C:\ProgramData\Partner\Partner.dll
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
mRun-x64: [SuiteTray] "C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe"
mRun-x64: [EgisUpdate] "C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe" -d
mRun-x64: [EgisTecPMMUpdate] "C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe"
mRun-x64: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [BackupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe" -h -k
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Laddie\AppData\Roaming\Mozilla\Firefox\Profiles\p4unqz4z.default\
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R1 mwlPSDFilter;mwlPSDFilter;C:\Windows\system32\DRIVERS\mwlPSDFilter.sys --> C:\Windows\system32\DRIVERS\mwlPSDFilter.sys [?]
R1 mwlPSDNServ;mwlPSDNServ;C:\Windows\system32\DRIVERS\mwlPSDNServ.sys --> C:\Windows\system32\DRIVERS\mwlPSDNServ.sys [?]
R1 mwlPSDVDisk;mwlPSDVDisk;C:\Windows\system32\DRIVERS\mwlPSDVDisk.sys --> C:\Windows\system32\DRIVERS\mwlPSDVDisk.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
R2 DsiWMIService;Dritek WMI Service;C:\Program Files (x86)\Launch Manager\dsiwmis.exe [2010-7-23 321104]
R2 ePowerSvc;Acer ePower Service;C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe [2011-11-29 868896]
R2 GREGService;GREGService;C:\Program Files (x86)\Acer\Registration\GREGsvc.exe [2010-1-8 23584]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-7-23 13336]
R2 NOBU;Norton Online Backup;C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2010-6-1 2804568]
R2 NTI IScheduleSvc;NTI IScheduleSvc;C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe [2010-6-28 255744]
R2 Updater Service;Updater Service;C:\Program Files\Acer\Acer Updater\UpdaterService.exe [2010-7-23 243232]
R3 ETD;ELAN PS/2 Port Input Device;C:\Windows\system32\DRIVERS\ETD.sys --> C:\Windows\system32\DRIVERS\ETD.sys [?]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;C:\Windows\system32\drivers\IntcHdmi.sys --> C:\Windows\system32\drivers\IntcHdmi.sys [?]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-11-30 135664]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-11-30 135664]
S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
S3 MWLService;MyWinLocker Service;C:\Program Files (x86)\EgisTec MyWinLocker\x86\MWLService.exe [2010-5-26 305520]
S3 Partner Service;Partner Service;C:\ProgramData\Partner\Partner.exe [2010-7-23 332272]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2011-12-04 23:16:52 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{62EB2122-713A-4376-9AA1-1C763D7065B5}\offreg.dll
2011-12-04 11:23:14 -------- d-----w- C:\Users\Laddie\AppData\Local\Adobe
2011-12-02 17:38:18 8570192 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-12-02 17:38:05 8822856 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{62EB2122-713A-4376-9AA1-1C763D7065B5}\mpengine.dll
2011-11-30 17:41:15 917840 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{1C412A63-FAD1-475E-9510-B62D9FCA45A8}\gapaengine.dll
2011-11-30 17:41:03 270720 ------w- C:\Windows\System32\MpSigStub.exe
2011-11-30 17:32:33 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2011-11-30 17:32:24 -------- d-----w- C:\Program Files\Microsoft Security Client
2011-11-30 15:53:38 995328 ----a-w- C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll
2011-11-30 15:38:38 -------- d-----w- C:\Windows\System32\SPReview
2011-11-30 15:37:56 -------- d-----w- C:\Windows\System32\EventProviders
2011-11-30 15:19:59 297808 ----a-w- C:\Windows\SysWow64\mscoree.dll
2011-11-30 15:18:59 934912 ----a-w- C:\Windows\System32\FirewallControlPanel.dll
2011-11-30 15:17:59 89600 ----a-w- C:\Windows\SysWow64\wbem\WmiApRpl.dll
2011-11-30 15:16:59 8192 ----a-w- C:\Windows\System32\KBDTUF.DLL
2011-11-30 15:13:25 529408 ----a-w- C:\Windows\System32\wbemcomn.dll
2011-11-30 15:13:25 244736 ----a-w- C:\Program Files\Windows Portable Devices\sqmapi.dll
2011-11-30 15:13:10 244736 ----a-w- C:\Windows\System32\sqmapi.dll
2011-11-30 14:27:50 52736 ----a-w- C:\Windows\System32\drivers\usbehci.sys
2011-11-30 14:27:49 98816 ----a-w- C:\Windows\System32\drivers\usbccgp.sys
2011-11-30 14:27:49 343040 ----a-w- C:\Windows\System32\drivers\usbhub.sys
2011-11-30 14:27:49 325120 ----a-w- C:\Windows\System32\drivers\usbport.sys
2011-11-30 14:27:48 7936 ----a-w- C:\Windows\System32\drivers\usbd.sys
2011-11-30 14:27:48 30720 ----a-w- C:\Windows\System32\drivers\usbuhci.sys
2011-11-30 14:27:48 25600 ----a-w- C:\Windows\System32\drivers\usbohci.sys
2011-11-30 05:59:56 -------- d-----w- C:\Windows\SysWow64\Wat
2011-11-30 05:59:55 -------- d-----w- C:\Windows\System32\Wat
2011-11-30 05:58:29 1544192 ----a-w- C:\Windows\System32\DWrite.dll
2011-11-30 05:58:29 1139200 ----a-w- C:\Windows\System32\FntCache.dll
2011-11-30 05:58:28 902656 ----a-w- C:\Windows\System32\d2d1.dll
2011-11-30 05:58:28 739840 ----a-w- C:\Windows\SysWow64\d2d1.dll
2011-11-30 05:58:28 1076736 ----a-w- C:\Windows\SysWow64\DWrite.dll
2011-11-30 03:25:33 4398360 ----a-w- C:\Windows\System32\d3dx9_32.dll
2011-11-30 03:25:33 3426072 ----a-w- C:\Windows\SysWow64\d3dx9_32.dll
2011-11-30 03:25:30 -------- d-----w- C:\Program Files (x86)\Microsoft SQL Server Compact Edition
2011-11-30 03:24:51 -------- d-----w- C:\Program Files (x86)\Microsoft
2011-11-30 03:24:38 -------- d-----w- C:\Program Files (x86)\Windows Live SkyDrive
2011-11-30 03:24:13 -------- d-----w- C:\Windows\PCHEALTH
2011-11-30 03:24:01 74520 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\814d544c1ccaf0f\DSETUP.dll
2011-11-30 03:24:01 484632 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\814d544c1ccaf0f\DXSETUP.exe
2011-11-30 03:24:01 1670936 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\814d544c1ccaf0f\dsetup32.dll
2011-11-30 03:23:39 141402440 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\wlc45D5.tmp
2011-11-30 03:23:35 -------- d-----w- C:\Program Files (x86)\Common Files\Windows Live
2011-11-30 03:21:02 -------- d-----w- C:\Program Files (x86)\Common Files\CyberLink
2011-11-30 03:19:53 505128 ----a-w- C:\Windows\SysWow64\msvcp71.dll
2011-11-30 03:19:53 353576 ----a-w- C:\Windows\SysWow64\msvcr71.dll
2011-11-30 03:19:53 29480 ----a-w- C:\Windows\SysWow64\msxml3a.dll
2011-11-30 03:18:44 51712 ----a-w- C:\Windows\AutosetFrequency.exe
2011-11-30 03:18:44 214400 ----a-w- C:\Windows\SysWow64\snpropwp.dll
2011-11-30 03:18:44 206208 ----a-w- C:\Windows\PLFSetI.exe
2011-11-30 03:18:44 -------- d-----w- C:\Program Files (x86)\AcerCrystalEye
2011-11-30 03:18:00 -------- d-----w- C:\Program Files\Elantech
2011-11-30 03:17:08 -------- d---a-w- C:\book
2011-11-30 03:15:12 3 ----a-w- C:\Windows\System32\PLD_Framework.cmd
2011-11-30 03:13:34 -------- d-----w- C:\Windows\SysWow64\Lang
2011-11-30 03:13:33 -------- d-----w- C:\Windows\SysWow64\x64
2011-11-30 03:13:32 1002008 ----a-w- C:\Windows\SysWow64\igxpun.exe
2011-11-30 03:09:30 -------- d-----w- C:\Windows\NAPP_Dism_Log
2011-11-30 02:19:52 -------- d-----w- C:\Users\Laddie\AppData\Local\Google
2011-11-30 00:59:09 31232 ----a-w- C:\Windows\System32\prevhost.exe
2011-11-30 00:59:08 31232 ----a-w- C:\Windows\SysWow64\prevhost.exe
2011-11-30 00:56:40 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2011-11-30 00:56:40 2048 ----a-w- C:\Windows\System32\tzres.dll
2011-11-30 00:56:02 642944 ----a-w- C:\Windows\System32\winload.efi
2011-11-30 00:56:02 605552 ----a-w- C:\Windows\System32\winload.exe
2011-11-30 00:56:02 566208 ----a-w- C:\Windows\System32\winresume.efi
2011-11-30 00:56:02 518672 ----a-w- C:\Windows\System32\winresume.exe
2011-11-30 00:56:01 63488 ----a-w- C:\Windows\System32\setbcdlocale.dll
2011-11-30 00:56:01 20352 ----a-w- C:\Windows\System32\kdusb.dll
2011-11-30 00:56:01 19328 ----a-w- C:\Windows\System32\kd1394.dll
2011-11-30 00:56:01 17792 ----a-w- C:\Windows\System32\kdcom.dll
2011-11-30 00:54:57 961024 ----a-w- C:\Windows\System32\CPFilters.dll
2011-11-30 00:53:58 27520 ----a-w- C:\Windows\System32\drivers\Diskdump.sys
2011-11-30 00:53:54 886784 ----a-w- C:\Program Files\Common Files\System\wab32.dll
2011-11-30 00:53:54 708608 ----a-w- C:\Program Files (x86)\Common Files\System\wab32.dll
2011-11-30 00:53:48 974336 ----a-w- C:\Windows\System32\WFS.exe
2011-11-30 00:53:48 267776 ----a-w- C:\Windows\System32\FXSCOVER.exe
2011-11-30 00:51:46 5561216 ----a-w- C:\Windows\System32\ntoskrnl.exe
2011-11-30 00:51:45 3912576 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2011-11-30 00:51:44 3967872 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2011-11-30 00:50:44 30208 ----a-w- C:\Windows\System32\dnscacheugc.exe
2011-11-30 00:50:44 28672 ----a-w- C:\Windows\SysWow64\dnscacheugc.exe
2011-11-30 00:50:44 183296 ----a-w- C:\Windows\System32\dnsrslvr.dll
2011-11-30 00:46:07 861696 ----a-w- C:\Windows\System32\oleaut32.dll
2011-11-30 00:46:07 571904 ----a-w- C:\Windows\SysWow64\oleaut32.dll
2011-11-30 00:46:07 331776 ----a-w- C:\Windows\System32\oleacc.dll
2011-11-30 00:46:07 233472 ----a-w- C:\Windows\SysWow64\oleacc.dll
2011-11-30 00:46:05 976896 ----a-w- C:\Windows\System32\inetcomm.dll
2011-11-30 00:46:05 741376 ----a-w- C:\Windows\SysWow64\inetcomm.dll
2011-11-30 00:46:01 90624 ----a-w- C:\Windows\System32\drivers\bowser.sys
2011-11-30 00:43:05 -------- d-----w- C:\Users\Laddie\AppData\Roaming\Intel Corporation
2011-11-30 00:42:58 -------- d-----w- C:\Users\Laddie\AppData\Local\EgisTec IPS
2011-11-30 00:42:20 -------- d-----w- C:\Users\Laddie\AppData\Local\VirtualStore
2011-11-30 00:41:38 -------- d-----w- C:\Program Files (x86)\OEM
2011-11-30 00:41:33 -------- d-----w- C:\ProgramData\OEM_E471269A730D
2011-11-30 00:41:22 -------- d-----w- C:\Program Files (x86)\Times Reader
.
==================== Find3M ====================
.
2011-11-30 16:50:39 175616 ----a-w- C:\Windows\System32\msclmd.dll
2011-11-30 16:50:39 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
2011-09-29 16:29:28 1923952 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2011-09-29 04:03:32 3144704 ----a-w- C:\Windows\System32\win32k.sys
.
============= FINISH: 18:28:21.67 ===============


GMER didn't come up with anything so I have no log to post from that.

Attached File(s)



#2 sundavis

  • Forum Addict
  • Group: Malware Response Team
  • Posts: 2,659
  • Joined: 11-August 07
  • Gender: Not Telling

Posted 05 December 2011 - 11:46 PM

Hi Laddie,



Welcome to the BleepingComputer Virus, Trojan, Spyware, and Malware Removal Logs Forum.
My name is sundavis, and I will be helping you to deal with your malware problems today.

Click the Win7 Start logo > type diskmgmt.msc in the search box and press Enter > Disk Management should open.

Take a screenshot of the whole Disk Management window, make sure we can see all columns after Disk 0, and attach that picture in your next reply. For more info: this thread. We will start from that. Thanks.

#3 Laddie

  • Member
  • Group: Members
  • Posts: 21
  • Joined: 23-May 11

Posted 06 December 2011 - 08:19 AM

The wee column on the end of Disk 0 is the second in the list above it (1 MB).

Attached File(s)



#4 sundavis

  • Forum Addict
  • Group: Malware Response Team
  • Posts: 2,659
  • Joined: 11-August 07
  • Gender: Not Telling

Posted 06 December 2011 - 08:33 AM

Hi Laddie,




Do you have any idea about that odd partition which has only 1 MB capacity? If not, it seems to have been created by the malware variant.

Let's try to remove it the normal way as instructed in this thread. If that doesn't work, we will take another approach. Give me a fresh screenshot in your next reply. After that, please proceed with the following:



Step 1

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then click on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\TDSSKiller folder). Please copy and paste the contents of that file here.



In your next reply, please post back:

1. New screenshot
2. TDSSKiller log

Let me know if you have any remaining issues on your pc.
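As an added example (not part of this thread or of any tool used in it), the Disk Management check sundavis asks for can also be done from a PowerShell prompt on Windows 7 using WMI, which lists every partition on every disk and flags any that are unusually small, like the 1 MB one discussed above; the 16 MB threshold is my own assumption:

```powershell
# Added example, not from the thread: enumerate partitions via WMI (works on
# Windows 7 / PowerShell 2.0, no Storage module needed) and flag tiny ones.
# Assumption: anything under 16 MB is worth a second look; adjust as needed.
$thresholdBytes = 16MB

Get-WmiObject Win32_DiskPartition |
    Sort-Object DiskIndex, Index |
    Select-Object DiskIndex, Index, Type, Bootable, PrimaryPartition,
        @{Name = 'SizeMB'; Expression = { [math]::Round($_.Size / 1MB, 2) }},
        @{Name = 'Note';   Expression = {
            if ($_.Size -lt $thresholdBytes) { 'check: unusually small partition' } else { '' }
        }} |
    Format-Table -AutoSize
```

A small unexplained partition is only an indicator to investigate; the reply above still relies on the screenshot and the TDSSKiller scan for confirmation.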

#5 Laddie

  • Member
  • Group: Members
  • Posts: 21
  • Joined: 23-May 11

Posted 06 December 2011 - 12:26 PM

TDSSKiller didn't find anything to report. MSE didn't pop up with it either after reboot.

Attached File(s)


This post has been edited by Laddie: 06 December 2011 - 12:28 PM


#6 sundavis

  • Forum Addict
  • Group: Malware Response Team
  • Posts: 2,659
  • Joined: 11-August 07
  • Gender: Not Telling

Posted 06 December 2011 - 04:55 PM

Hi Laddie,



That sounds good. Since the main culprit is removed, your system appears to be clean now. If you have no remaining issues, let's do some tidying up and you should be good to go.

Please delete all the logs or tools we have used and install Java from here. Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:


  • Update your antivirus programs

    Update your antivirus programs and other security products regularly to avoid new threats that could infect your system. You can use one of these sites to check if any updates are needed for your PC:
    Secunia Software Inspector
    F-Secure Health Check


  • Update all programs regularly - Make sure you update all your programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.


  • Back up your valid registry - ERUNT (Emergency Recovery Utility NT) allows you to store a complete backup of your registry and restore it if needed. Due to the effects of malware, a corrupt registry can prevent a system from booting. You're well advised to back up your valid registry while the system is clean now. For more info: here and here.



Please check out Tony Klein's article "How did I get infected in the first place?"
Read some information here on how to prevent malware.


Glad to be of help. Safe surfing!!

#7 Laddie

  • Member
  • Group: Members
  • Posts: 21
  • Joined: 23-May 11

Posted 06 December 2011 - 06:21 PM

Thank you very much!

#8 sundavis

  • Forum Addict
  • Group: Malware Response Team
  • Posts: 2,659
  • Joined: 11-August 07
  • Gender: Not Telling

Posted 08 December 2011 - 09:52 AM

Since this issue appears resolved ... this Topic is closed.

Glad to have helped.

Everyone else please begin a New Topic.

This post has been edited by sundavis: 08 December 2011 - 09:53 AM


