
Infected with Trojan:Win32/Alureon!inf ?????


  • This topic is locked
2 replies to this topic

#1 hottiemom24

hottiemom24

  • Members
  • 3 posts

Posted 22 May 2009 - 11:31 AM

HI there,

I have had problems for a couple of days. I was a few days outside of my AVG Free Trial and picked up something from a link sent to me via email. I couldn't run anything, including the internet. I keep getting a blue crash screen with the error STOP:0x0000008E, even in Safe Mode. I could get on the net with Safe mode w/networking only. However, I couldn't install anything to fix or scan the system for Malware. I couldn't run Kaspersky's online scan either. I tried downloading their program instead; it wouldn't work. I tried going to the MalwareBytes site....it still won't let me, even now. Tells me that the website address is incorrect. I tried SuperAntiSpyware; it wouldn't let me on their website either.

I scoured the net and finally found that Trend Micro had a scan that worked in Safe Mode, so I ran it...it took a few hours. It worked and found an infection called MAL_OTORUN1. I clicked to clean it and it supposedly did. I restarted in regular mode. I installed Trend Micro's Internet Security just fine after that. I went to update it and it gives me an error saying I am not connected to the internet. Obviously I am.

I still could not install HijackThis again this morning, so I searched solutions and found that some spyware will block its operation. I learned that if you rename it, then it will work. I did that and it did. I renamed it HiJack Man. So apparently I am still infected! At least my computer is no longer spewing out "Congratulations, you have won!". That was certainly annoying!

I haven't been able to do anything productive since I read that this Trojan steals financial information. I am afraid to do anything having to do with money, including running my business's payroll, and my employees will be pissed if I don't get it done, so if someone could help me, I would appreciate it greatly! I have read the info provided about the DDS logs and the HijackThis logs and hopefully have provided enough information.

Thank you so much!!

-Cassandra

PS - I attached both the DDS docs....just in case, cuz I forgot which one the forum said to attach. :-)

HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:37:20 AM, on 5/22/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\IncrediMail\bin\IMApp.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\Internet Security\UfNavi.exe
C:\Program Files\Trend Micro\HijackThis\Hijack Man.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://retailer.dishnetwork.com/prmportal
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {38AB0814-B09B-4378-9940-14A19638C3C2} (Auctiva Image Uploader Control) - http://www.auctiva.com/Aurigma/ImageUploader57.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/...can8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C1927A2-7B5F-40A6-B87C-F48D57722775}: NameServer = 85.255.112.10,85.255.112.133
O17 - HKLM\System\CCS\Services\Tcpip\..\{621D4A5B-6E09-4D45-9616-76721CB620ED}: NameServer = 85.255.112.10,85.255.112.133
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA771269-CD33-4E3C-BF80-13704A8882D6}: NameServer = 85.255.112.10,85.255.112.133
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.10,85.255.112.133
O17 - HKLM\System\CS1\Services\Tcpip\..\{1C1927A2-7B5F-40A6-B87C-F48D57722775}: NameServer = 85.255.112.10,85.255.112.133
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.10,85.255.112.133
O17 - HKLM\System\CS2\Services\Tcpip\..\{1C1927A2-7B5F-40A6-B87C-F48D57722775}: NameServer = 85.255.112.10,85.255.112.133
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.112.10,85.255.112.133
O17 - HKLM\System\CS3\Services\Tcpip\..\{1C1927A2-7B5F-40A6-B87C-F48D57722775}: NameServer = 85.255.112.10,85.255.112.133
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.10,85.255.112.133
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 9284 bytes

Oh and I forgot to add that I was able to successfully install Microsoft's LiveONE anti-virus program and that's the one that found the Alureon Trojan and it said it was removed.

I have done a little more work to my system while waiting for someone to help me. I figured out by going through my registry that the Trojan had installed a TON of files for DVD, Video editing, and programs that work for iPhone and iPod....well I don't have either and didn't download this stuff. I also found a registry file containing a bunch of "blocked" programs and websites. Among them were all the anti-spyware, anti-malware that I was trying to download to clean my system! I deleted it and was immediately able to download SuperAntiSpyware. It's running now so I will repost logs when it's completed.

No one has bothered to respond or help me and like I said, I need my computer running normally. If by chance someone DOES respond someday, then maybe the stuff I have found will help others.
===========

Merged posts. ~ OB

Edited by Orange Blossom, 19 August 2010 - 12:46 AM.
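The O17 lines in the log above all carry the same static NameServer pair (85.255.112.10,85.255.112.133) on every adapter GUID and in every ControlSet; a resolver the ISP or router never issued, wired in that thoroughly, is the DNS-hijack pattern that turns "the website address is incorrect" into a symptom. The script below is an added example for triaging that pattern in a HijackThis log; it is not part of the thread or of HijackThis, and the 192.168.1.1 allowlist entry and the second adapter GUID in the sample are constructed.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# HijackThis 2.x prints one O17 line per NameServer value it finds under
#   HKLM\System\<ControlSet>\Services\Tcpip\Parameters            (global)
#   HKLM\System\<ControlSet>\Services\Tcpip\..\{<adapter GUID>}  (per adapter)
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>\w+)\\Services\\Tcpip\\"
    r"(?P<scope>Parameters|\.\.\\\{[0-9A-Fa-f-]+\}): NameServer = (?P<servers>.*)$"
)

def parse_o17(log_text):
    """Return (control_set, scope, [servers]) for every O17 line in an HJT log."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
            entries.append((m.group("cs"), m.group("scope"), servers))
    return entries

def suspicious_nameservers(log_text, expected):
    """Map every resolver not in `expected` to the registry locations pointing at it.

    `expected` is the analyst's allowlist (the router/ISP resolvers). A value
    stamped into every adapter and every ControlSet persists even if Windows
    boots a different ControlSet, which is why each location is reported."""
    allowed = {ip_address(e) for e in expected}
    hits = defaultdict(set)
    for cs, scope, servers in parse_o17(log_text):
        for s in servers:
            try:
                addr = ip_address(s)
            except ValueError:
                continue  # skip malformed values instead of crashing on a damaged log
            if addr not in allowed:
                hits[str(addr)].add(cs + "\\" + scope)
    return {ip: sorted(locs) for ip, locs in hits.items()}

# Constructed excerpt: the 85.255.112.x entries mirror the thread's log; the
# 192.168.1.1 entry and its adapter GUID are made up to show a benign resolver.
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C1927A2-7B5F-40A6-B87C-F48D57722775}: NameServer = 85.255.112.10,85.255.112.133
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.10,85.255.112.133
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.10,85.255.112.133
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-1111-2222-3333-444444444444}: NameServer = 192.168.1.1
"""

if __name__ == "__main__":
    for ip, where in suspicious_nameservers(SAMPLE_LOG, ["192.168.1.1"]).items():
        print(ip, "->", ", ".join(where))
```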



#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 29 May 2009 - 12:47 AM

Hello Cassandra,


We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
  • Open Windows Defender.
  • Click on Tools, General Settings.
  • Scroll down and uncheck Turn on real-time protection (recommended).
  • After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.


Please download Malwarebytes' Anti-Malware from one of these places:
http://download.cnet.com/Malwarebytes-Anti...&tag=button
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Edited by SifuMike, 29 May 2009 - 12:48 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 03 June 2009 - 09:27 PM

Due to inactivity, this thread will now be closed.