
Infected with Alureon-BH / kung malware


  • This topic is locked
16 replies to this topic

#1 leftyjim

leftyjim

  • Members
  • 38 posts

Posted 04 June 2009 - 10:45 PM

Hello, I have been infected with the Alureon-BH / kung Trojan. Boopme has been helping me in the security area. (http://www.bleepingcomputer.com/forums/index.php?showtopic=230598&st=30&gopid=1288472&#entry1288472) I thought I just had a spyware problem. Boopme now suggests that I post a HJT log here. Apparently we have gone as far as we can with the other route. I am running XP Media Center Edition Service Pack 3, on a HP P4 Dual 2.80 GHz with 2GB DDR2 RAM. I use IE as well as Opera. I use and update AVG anti-virus. I use Adaware as well as Stopthepopups light, and the Google toolbar popup blocker. I have recently begun using Avast! which found the Trojan. In addition to the DDS log, I thought it might be a good idea to post the two Avast! logs. You will find them under the DDS log. In addition I cleared my winsys32 of .dat files known to be associated with this virus, but there is this file in win temp that will not go away: “perflib_perfdata_26c”. It can’t be deleted normally (it says it is being used by another program). I even tried to have it deleted at reboot by the program moveonboot. It regenerated on the following reboot every time. Any help appreciated, Thanks.

DDS log:

DDS (Ver_09-05-14.01) - NTFSx86
Run by HP_Administrator at 20:12:34.01 on Thu 06/04/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1524 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: avast! antivirus 4.8.1335 [VPS 090604-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Stop-the-Pop-Up Lite\stopthepop.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
svchost.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
mRun: [sureshotpopupkiller] "c:\program files\stop-the-pop-up lite\stopthepop.exe" -minimized
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRunOnce: [RunNarrator] Narrator.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_05\bin\npjpi150_05.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by135fd.bay135.hotmail.msn.com/resources/MsnPUpld.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {141E5FB3-6D27-4B5F-8F72-425888ADE0C8} = 192.168.1.254
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\dajesupo.dll c:\windows\system32\yaguhelu.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
LSA: Notification Packages = scecli c:\windows\system32\dajesupo.dll msentort.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-2 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-6-3 114768]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-31 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-1-20 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-31 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2006-10-10 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-6-3 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-6-3 138680]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-31 298776]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-6-3 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-6-3 352920]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1005904]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\roxio\digital home 10\RoxioUpnpService10.exe [2007-8-24 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2007-8-24 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2007-8-24 166384]
S2 SessionLauncher;SessionLauncher;c:\docume~1\hp_adm~1\locals~1\temp\dx9\sessionlauncher.exe --> c:\docume~1\hp_adm~1\locals~1\temp\dx9\SessionLauncher.exe [?]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\roxio\digital home 10\RoxioUPnPRenderer10.exe [2007-8-24 72176]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2007-8-24 1083888]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-06-04 19:14 <DIR> --d----- c:\program files\EMCO MoveOnBoot
2009-06-03 05:23 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-06-02 20:36 82,944 a------- c:\windows\system32\IEDFix.exe
2009-06-02 20:36 82,944 a------- c:\windows\system32\IEDFix.C.exe
2009-06-02 20:36 80,384 a------- c:\windows\system32\o4Patch.exe
2009-06-02 20:36 78,336 a------- c:\windows\system32\Agent.OMZ.Fix.exe
2009-06-02 19:13 15,688 a------- c:\windows\system32\lsdelete.exe
2009-06-02 15:50 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-06-02 15:47 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-31 12:05 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-05-31 04:45 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-31 04:45 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-05-31 04:45 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-31 04:45 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-05-31 04:45 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\AVGTOOLBAR
2009-05-31 04:45 <DIR> --d----- c:\program files\AVG
2009-05-31 04:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-05-30 18:15 <DIR> --d----- c:\program files\ESET
2009-05-23 21:10 <DIR> --d----- c:\program files\Unreal Tournament 3
2009-05-23 21:10 1,358,192 a------- c:\windows\system32\D3DCompiler_35.dll
2009-05-23 21:10 444,776 a------- c:\windows\system32\d3dx10_35.dll
2009-05-23 21:10 3,727,720 a------- c:\windows\system32\d3dx9_35.dll
2009-05-23 21:10 1,124,720 a------- c:\windows\system32\D3DCompiler_34.dll
2009-05-23 21:10 443,752 a------- c:\windows\system32\d3dx10_34.dll
2009-05-23 21:10 3,497,832 a------- c:\windows\system32\d3dx9_34.dll
2009-05-23 21:10 81,768 a------- c:\windows\system32\xinput1_3.dll
2009-05-23 21:09 3,426,072 a------- c:\windows\system32\d3dx9_32.dll
2009-05-23 21:09 2,414,360 a------- c:\windows\system32\d3dx9_31.dll
2009-05-23 21:09 62,744 a------- c:\windows\system32\xinput1_2.dll
2009-05-23 21:09 <DIR> --d----- c:\windows\45235788142C44BE8A4DDDE9A84492E5.TMP
2009-05-23 18:57 <DIR> --d----- c:\program files\Konami
2009-05-21 21:20 <DIR> --d----- c:\windows\system32\AGEIA
2009-05-21 21:19 211,754 a------- c:\windows\system32\nvapps.xml
2009-05-21 21:19 <DIR> --d----- c:\windows\nview
2009-05-21 21:19 453,152 a------- c:\windows\system32\nvudisp.exe
2009-05-21 21:19 18,795 a------- c:\windows\system32\nvdisp.nvu
2009-05-21 21:18 453,152 a------- c:\windows\system32\NVUNINST.EXE
2009-05-17 07:35 <DIR> --d----- c:\windows\system32\scripting
2009-05-17 07:35 <DIR> --d----- c:\windows\system32\en
2009-05-17 07:35 <DIR> --d----- c:\windows\system32\bits
2009-05-17 07:35 <DIR> --d----- c:\windows\l2schemas
2009-05-17 07:34 <DIR> --d----- c:\windows\ServicePackFiles
2009-05-17 07:33 <DIR> --d----- c:\windows\network diagnostic
2009-05-17 07:27 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2009-05-17 07:26 1,106,944 -------- c:\windows\system32\dllcache\msxml3.dll
2009-05-17 07:26 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-05-17 07:26 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-05-17 07:26 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-05-10 19:27 <DIR> --d----- c:\program files\DirectX
2009-05-10 19:10 <DIR> --d----- c:\program files\Steam
2009-05-10 18:53 21,504 a------- c:\windows\system32\hidserv.dll
2009-05-10 18:53 14,592 a------- c:\windows\system32\drivers\kbdhid.sys
2009-05-10 18:53 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-05-10 18:53 12,160 a------- c:\windows\system32\dllcache\mouhid.sys
2009-05-10 18:52 32,128 a------- c:\windows\system32\drivers\usbccgp.sys
2009-05-10 18:52 10,368 a------- c:\windows\system32\drivers\hidusb.sys

==================== Find3M ====================

2009-06-04 13:08 2,008 a------- c:\windows\system32\tmp.reg
2009-05-26 13:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-17 07:38 92,947 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-05-17 07:38 45,056 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\uninstallui\eHelpSetup.exe
2009-05-17 07:38 341,048 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\HPBasicDetection3.dll
2009-05-17 07:38 217,088 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
2009-05-17 07:38 163,840 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\modemcheck.dll
2009-05-17 07:38 61,440 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\modemutil.dll
2009-05-17 07:38 44,032 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\scripts\devcon.exe
2009-05-17 07:38 40,960 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\ScDmi.dll
2009-05-17 07:38 32,768 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\uploadHSC.dll
2009-05-17 07:38 32,768 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\Scom.dll
2009-04-11 11:54 118,784 a------- c:\windows\web\wallpaper\scenic- beach scenes wallpaper dir\uninstall.exe
2009-03-21 07:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2008-08-02 10:45 3,458 a------- c:\docume~1\hp_adm~1\applic~1\wklnhst.dat

============= FINISH: 20:13:24.21 ===============


AVAST!
06/03/2009 11:30
Scan of all local drives

File C:\WINDOWS\system32\drivers\kungsfinrheotf.sys is infected by Win32:Alureon-BH [Rtk], Deleted
File C:\WINDOWS\system32\kungsfqgjqepdv.dll is infected by Win32:Alureon-BH [Rtk], Deleted
File C:\WINDOWS\system32\kungsfvgoqhfoa.dll is infected by Win32:Alureon-BH [Rtk], Deleted
File C:\WINDOWS\Temp\kungsfaecycsqpus.tmp is infected by Win32:Alureon-BH [Rtk], Deleted
Number of searched folders: 8547
Number of tested files: 139900
Number of infected files: 4

----------------------------------------
06/04/2009 13:15
Scan of all local drives

File D:\PRELOAD\BASE_18.INP\unidrvui.dll Error 42127 {CAB archive is corrupted.}
Number of searched folders: 8323
Number of tested files: 700463
Number of infected files: 0
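As an added example (not code from this thread, from DDS, or from any of the tools named in it), here is a small Python checker for the lines of a DDS "Pseudo HJT Report" that a log reviewer looks at first: the `AppInit_DLLs` value, the LSA `Notification Packages` list, and the per-interface `TCP:` DNS entries. It reports DLLs outside a stock baseline and DNS servers that are neither RFC 1918 addresses nor on an allow-list. The baseline (`scecli` only), the allow-list and the sample report lines are constructed assumptions for this example, not values read from a real machine; the DNS check also covers the resolver rewriting that the Alureon description later in this thread attributes to the family.

```python
import ipaddress
from typing import List, Tuple

# Stock contents of the two persistence locations on a clean Windows XP install
# (assumption for this example): Windows registers only scecli as an LSA
# notification package, and AppInit_DLLs is empty.
BASELINE_LSA = {"scecli"}

# Resolvers the reviewer has vouched for (constructed allow-list for this example).
TRUSTED_DNS = {"192.168.1.254"}

# RFC 1918 ranges: a resolver on the local LAN (typically the router) is
# treated as expected; anything else is reported for review.
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the shape of a DDS "Pseudo HJT Report"; the second
# TCP: line uses a documentation-range address (RFC 5737) to stand in for an
# attacker-controlled resolver.
SAMPLE_REPORT = r"""
uStart Page = hxxp://www.google.com/
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
TCP: {141E5FB3-6D27-4B5F-8F72-425888ADE0C8} = 192.168.1.254
TCP: {00000000-0000-0000-0000-000000000002} = 203.0.113.53,203.0.113.54
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\dajesupo.dll c:\windows\system32\yaguhelu.dll
LSA: Notification Packages = scecli c:\windows\system32\dajesupo.dll msentort.dll
"""


def parse_report(text: str) -> List[Tuple[str, str]]:
    """Pull out (kind, payload) pairs for the entry types this checker understands.

    DDS writes one entry per line: 'AppInit_DLLs: <paths>',
    'LSA: Notification Packages = <names>' and
    'TCP: {<adapter GUID>} = <dns>[,<dns>]'.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("AppInit_DLLs:"):
            entries.append(("appinit", line.partition(":")[2].strip()))
        elif line.startswith("LSA: Notification Packages"):
            entries.append(("lsa", line.partition("=")[2].strip()))
        elif line.startswith("TCP:"):
            entries.append(("dns", line.partition("=")[2].strip()))
    return entries


def is_local(ip) -> bool:
    """True when the address falls inside one of the RFC 1918 ranges."""
    return any(ip in net for net in LOCAL_NETS)


def check_report(text: str, trusted_dns=TRUSTED_DNS,
                 baseline_lsa=BASELINE_LSA) -> List[str]:
    """Return one human-readable finding per entry that deviates from the baseline."""
    findings = []
    for kind, payload in parse_report(text):
        if kind == "appinit":
            # AppInit_DLLs is empty by default; every DLL listed here is loaded
            # into every process that maps user32.dll, so each one is reported.
            for dll in payload.split():
                findings.append(f"AppInit_DLLs loads {dll}")
        elif kind == "lsa":
            # Notification packages are loaded by lsass.exe and called on
            # password changes; anything beyond the stock list deserves a look.
            for pkg in payload.split():
                if pkg.lower() not in baseline_lsa:
                    findings.append(f"LSA Notification Package outside baseline: {pkg}")
        elif kind == "dns":
            for addr in (a.strip() for a in payload.split(",") if a.strip()):
                try:
                    ip = ipaddress.ip_address(addr)
                except ValueError:
                    findings.append(f"unparseable DNS server entry: {addr!r}")
                    continue
                if addr in trusted_dns or is_local(ip):
                    continue
                findings.append(f"interface DNS points to untrusted resolver {addr}")
    return findings


if __name__ == "__main__":
    for finding in check_report(SAMPLE_REPORT):
        print(finding)
```

Run against the sample it reports the two AppInit DLLs, the two non-stock LSA packages and the two documentation-range resolvers, and stays quiet about `scecli` and the router address. On a real log, pass the text of the report to `check_report` and extend `TRUSTED_DNS` with the resolvers the network actually uses.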


#2 leftyjim

leftyjim
  • Topic Starter

  • Members
  • 38 posts

Posted 05 June 2009 - 05:00 AM

Hello, this site below explains some of the actions this virus takes, and files it corrupts--it is over my head. And besides I have of course been instructed not to change anything after posting my log. I just thought the more information you have the better. If it turns out you are aware of the files it changes then disregard this post.


<http://74.125.155.132/search?q=cache:ISigI618I-AJ:smartdefense.zonealarm.com/tmpl/body/virus/sdrc_virusDetails.jsp%3Bvic-sessionid%3DGvLwJTdhGKQDzdKhKG2WwL9kyzJC8Kx3m2GwvnxLB9QqccHtTYpj!1133604945%3FVId%3D50214+Win32:Alureon&cd=81&hl=en&ct=clnk&gl=us>



Hello leftyjim,

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member looking for a new log to work on may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Regards,

The weatherman

Edited by Orange Blossom, 05 June 2009 - 06:36 PM.
Deactivate malicious link. ~ OB


#3 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • Gender:Male

Posted 15 June 2009 - 04:03 AM

Hello and :thumbup2: to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.


Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

-----------------------------------------------------------

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Kind regards
Net_Surfer

:)

#4 leftyjim

leftyjim
  • Topic Starter

  • Members
  • 38 posts

Posted 15 June 2009 - 01:21 PM

Hello, I have recently begun using Avast! which found the Trojan: Alureon-BH. Originally I had web-redirects and I could not defrag; these symptoms seem to have been taken care of by AVAST! However, I know I'm not clean. There is this file in win temp that will not go away: “perflib_perfdata_26c”. I have confirmed its connection to the Alureon-BH Trojan on multiple sites. It can’t be deleted normally (it says it is being used by another program). I even tried to have it deleted at reboot by the program moveonboot. It regenerated on the following reboot every time. Every now and then another "perflib" file is added to the same folder, but is easily erased. In addition, I realize that this file is just the part of the virus I can see, and that there are almost certainly more viral elements I cannot detect with my kindergarten level of technical knowledge. The new DDS log is below, but I thought it might be a good idea to post the two Avast! logs as well as a description of Alureon-BH's actions I found online. You will find them both on top of the DDS log. I also cleared my winsys32 of .dat files known to be associated with this virus (there were 6-7 of them). Any help appreciated, Thanks.

P.S. I am running XP Media Center Edition Service Pack 3, on a HP P4 Dual 2.80 GHz with 2GB DDR2 RAM. I use IE as well as Opera. I used and updated AVG anti-virus before AVAST! I use Adaware. I run Stopthepopups light, and the Google toolbar popup blocker.



AVAST! LOGS:


06/03/2009 11:30
Scan of all local drives

File C:\WINDOWS\system32\drivers\kungsfinrheotf.sys is infected by Win32:Alureon-BH [Rtk], Deleted
File C:\WINDOWS\system32\kungsfqgjqepdv.dll is infected by Win32:Alureon-BH [Rtk], Deleted
File C:\WINDOWS\system32\kungsfvgoqhfoa.dll is infected by Win32:Alureon-BH [Rtk], Deleted
File C:\WINDOWS\Temp\kungsfaecycsqpus.tmp is infected by Win32:Alureon-BH [Rtk], Deleted
Number of searched folders: 8547
Number of tested files: 139900
Number of infected files: 4

----------------------------------------
06/04/2009 13:15
Scan of all local drives

File D:\PRELOAD\BASE_18.INP\unidrvui.dll Error 42127 {CAB archive is corrupted.}
Number of searched folders: 8323
Number of tested files: 700463
Number of infected files: 0



ALUREON DESCRIPTION:


Aliases: [Win32/]Alureon Family; [Win32.]Alureon; [Win32/]Alureon!generic;

Alureon is a family of trojans with a variety of components that can download and execute arbitrary files, hijack the browser to display fake web pages, and report affected users' queries performed with popular search engines.
Alureon variants differ in how they install themselves. Some variants copy themselves into the %System% directory using a random filename; the original executable file is deleted. Code is then injected into the Explorer.exe and IExplore.exe processes. A registry key is also created to ensure that the trojan runs at each Windows start, for example:

Filename: %System%\hgqhp.exe
Registry modification: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\hgqhp.exe = "%System%\hgqhp.exe"

Other variants of Alureon drop a DLL file into the %System% directory, for example:

%System%\spher.dll

and modify the registry to ensure that it is loaded:

HKCR\CLSID\{CLSID}\(Default) = "IE SP2 AddOn"
HKCR\CLSID\{CLSID}\InprocServer32\(Default) = "%System%\spher.dll"
HKCR\CLSID\{CLSID}\InprocServer32\ThreadingModel = "Apartment"

Note: '%System%' is a variable location. The malware determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95,98 and ME is C:\Windows\System; and for XP is C:\Windows\System32.

Downloads and Executes Arbitrary Files
Alureon contacts certain IP addresses to obtain instructions, which direct the trojan to download and execute files including variants of other malware families such as:

Win32/SillyDl
Win32/DlStwoyle
Win32/Qhosts
Win32/Bloon
Win32/Lospad

Some of the IP addresses used to download from include:

195.95.218.100
85.255.115.186
195.95.218.99
69.50.190.131
69.50.161.11
69.50.161.7

Changes DNS settings
Some variants change DNS settings; the trojan alters the file:

%AppData%\Microsoft\Network\Connections\Pbk\rasphone.pbk

by changing the following lines

IpDnsAddress=<Altered DNS>
IpDns2Address=<Altered DNS>

It then enumerates the following registry entry:

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters

checking for references to adapters. If found, the adapters' DNS servers are changed by altering the value 'NameServer' in the referenced key, for example:

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{CLSID}\NameServer = "<Altered DNS>,<Altered DNS>"

After the trojan has made the relevant operating system dependent changes, it then runs the following commands:

"ipconfig.exe /flushdns"
"ipconfig.exe /registerdns"
"ipconfig.exe /dnsflush"
"ipconfig.exe /renew"
"ipconfig.exe /renew_all"

to ensure that the settings take immediate effect.

A Domain Name Server holds lists of domain names that map to matching IP addresses. Hence, when a user requests a particular domain, say, ca.com, the user's machine queries the DNS, which will return the appropriate numerical IP address (in this example, say, 155.35.248.73). By redirecting user requests to a DNS server that contains false or incorrect mappings, an attacker can therefore redirect the user to other sites of their choice whenever a user requests a domain that is listed in the DNS. In application, for example, even if a user types the URL of their Internet Banking site into their browser they could be redirected to a spoofed site with a completely different IP address and be unaware of this subterfuge. The altering of DNS servers may also allow for the tracking of sites visited.

Changes Start Page Settings
Some variants of the trojan change the user's Internet Explorer start page to its own custom page, displaying it when the browser is started. The following is an example of a page displayed by Alureon:



The trojan displays a "search" page which contains a list of common search terms; if the user clicks on any of the terms or enters text into the box and clicks the search button, the trojan posts this information to a domain, which then redirects the user to other sites.

Tracks User Information:
Variants of Alureon also track the user's search information by monitoring connections to popular search engines. When a user performs a search query, information about the query such as the contents, the search engine used and a unique identifier is sent off to a remote machine.

===========================================

DDS (Ver_09-05-14.01) - NTFSx86
Run by HP_Administrator at 11:00:16.51 on Mon 06/15/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1385 [GMT -7:00]

AV: avast! antivirus 4.8.1335 [VPS 090615-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Stop-the-Pop-Up Lite\stopthepop.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Winamp\winamp.exe
C:\Documents and Settings\HP_Administrator\Desktop\Computer hell\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
mRun: [sureshotpopupkiller] "c:\program files\stop-the-pop-up lite\stopthepop.exe" -minimized
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRunOnce: [RunNarrator] Narrator.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_05\bin\npjpi150_05.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by135fd.bay135.hotmail.msn.com/resources/MsnPUpld.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {141E5FB3-6D27-4B5F-8F72-425888ADE0C8} = 192.168.1.254
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\dajesupo.dll c:\windows\system32\yaguhelu.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
LSA: Notification Packages = scecli c:\windows\system32\dajesupo.dll msentort.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-6-3 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2006-10-10 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-6-3 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-6-3 138680]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-6-3 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-6-3 352920]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 RoxLiveShare10;LiveShare P2P Server 10;"c:\program files\common files\roxio shared\10.0\sharedcom\roxliveshare10.exe" --> c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [?]
S2 SessionLauncher;SessionLauncher;c:\docume~1\hp_adm~1\locals~1\temp\dx9\sessionlauncher.exe --> c:\docume~1\hp_adm~1\locals~1\temp\dx9\SessionLauncher.exe [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-06-04 19:14 <DIR> --d----- c:\program files\EMCO MoveOnBoot
2009-06-03 05:23 55,640 -------- c:\windows\system32\drivers\avgntflt.sys
2009-06-02 20:36 82,944 -------- c:\windows\system32\IEDFix.exe
2009-06-02 20:36 82,944 -------- c:\windows\system32\IEDFix.C.exe
2009-06-02 20:36 80,384 -------- c:\windows\system32\o4Patch.exe
2009-06-02 20:36 78,336 -------- c:\windows\system32\Agent.OMZ.Fix.exe
2009-05-31 12:05 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-05-31 04:45 <DIR> --d----- c:\program files\AVG
2009-05-30 18:15 <DIR> --d----- c:\program files\ESET
2009-05-23 21:10 <DIR> --d----- c:\program files\Unreal Tournament 3
2009-05-23 21:10 1,358,192 -------- c:\windows\system32\D3DCompiler_35.dll
2009-05-23 21:10 444,776 -------- c:\windows\system32\d3dx10_35.dll
2009-05-23 21:10 3,727,720 -------- c:\windows\system32\d3dx9_35.dll
2009-05-23 21:10 1,124,720 -------- c:\windows\system32\D3DCompiler_34.dll
2009-05-23 21:10 443,752 -------- c:\windows\system32\d3dx10_34.dll
2009-05-23 21:10 3,497,832 -------- c:\windows\system32\d3dx9_34.dll
2009-05-23 21:10 81,768 -------- c:\windows\system32\xinput1_3.dll
2009-05-23 21:09 3,426,072 -------- c:\windows\system32\d3dx9_32.dll
2009-05-23 21:09 2,414,360 -------- c:\windows\system32\d3dx9_31.dll
2009-05-23 21:09 62,744 -------- c:\windows\system32\xinput1_2.dll
2009-05-23 18:57 <DIR> --d----- c:\program files\Konami
2009-05-21 21:20 <DIR> --d----- c:\windows\system32\AGEIA
2009-05-21 21:19 211,754 a------- c:\windows\system32\nvapps.xml
2009-05-21 21:19 <DIR> --d----- c:\windows\nview
2009-05-21 21:19 453,152 -------- c:\windows\system32\nvudisp.exe
2009-05-21 21:19 18,795 -------- c:\windows\system32\nvdisp.nvu
2009-05-21 21:18 453,152 -------- c:\windows\system32\NVUNINST.EXE
2009-05-17 07:35 <DIR> --d----- c:\windows\system32\scripting
2009-05-17 07:35 <DIR> --d----- c:\windows\system32\en
2009-05-17 07:35 <DIR> --d----- c:\windows\system32\bits
2009-05-17 07:35 <DIR> --d----- c:\windows\l2schemas
2009-05-17 07:34 <DIR> --d----- c:\windows\ServicePackFiles
2009-05-17 07:33 <DIR> --d----- c:\windows\network diagnostic
2009-05-17 07:27 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2009-05-17 07:26 1,106,944 -------- c:\windows\system32\dllcache\msxml3.dll
2009-05-17 07:26 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-05-17 07:26 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-05-17 07:26 215,552 -------- c:\windows\system32\dllcache\wordpad.exe

==================== Find3M ====================

2009-06-09 14:19 3,506 a------- c:\docume~1\hp_adm~1\applic~1\wklnhst.dat
2009-06-05 13:58 118,784 a------- c:\windows\web\wallpaper\Scenic- Beach Scenes Wallpaper.exe
2009-06-04 13:08 2,008 -------- c:\windows\system32\tmp.reg
2009-05-26 13:20 40,160 -------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 13:19 19,096 -------- c:\windows\system32\drivers\mbam.sys
2009-05-17 07:38 92,947 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-05-17 07:38 45,056 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\uninstallui\eHelpSetup.exe
2009-05-17 07:38 341,048 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\HPBasicDetection3.dll
2009-05-17 07:38 217,088 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
2009-05-17 07:38 163,840 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\modemcheck.dll
2009-05-17 07:38 61,440 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\modemutil.dll
2009-05-17 07:38 44,032 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\scripts\devcon.exe
2009-05-17 07:38 40,960 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\ScDmi.dll
2009-05-17 07:38 32,768 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\uploadHSC.dll
2009-05-17 07:38 32,768 a------- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\Scom.dll
2009-04-11 11:54 118,784 a------- c:\windows\web\wallpaper\scenic- beach scenes wallpaper dir\uninstall.exe
2009-03-21 07:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll

============= FINISH: 11:00:43.96 ===============
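A few lines in the DDS log above are the load points a responder reads first: AppInit_DLLs (empty on a default install, and anything listed there is loaded into every process that uses user32.dll), the LSA Notification Packages value (scecli alone on a default XP install; the DLLs listed there are loaded by LSASS), and service or driver entries whose binary sits under a Temp directory or whose file details DDS could not read (shown with a trailing [?]). The script below is an added example, not part of this thread or of the DDS tool; it parses a handful of lines copied from the log above and flags those entries for analyst review. A flagged entry is a lead, not a verdict: the file on disk and its publisher still have to be checked before anything is removed. The category names and the DEFAULT_NOTIFICATION_PACKAGES set are assumptions made here.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Lines copied from the DDS log posted in this thread (the page's own data, not constructed).
SAMPLE_DDS = r"""
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\dajesupo.dll c:\windows\system32\yaguhelu.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
LSA: Notification Packages = scecli c:\windows\system32\dajesupo.dll msentort.dll
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-6-3 114768]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 RoxLiveShare10;LiveShare P2P Server 10;"c:\program files\common files\roxio shared\10.0\sharedcom\roxliveshare10.exe" --> c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [?]
S2 SessionLauncher;SessionLauncher;c:\docume~1\hp_adm~1\locals~1\temp\dx9\sessionlauncher.exe --> c:\docume~1\hp_adm~1\locals~1\temp\dx9\SessionLauncher.exe [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]
"""

# Assumption: a default Windows XP install registers only scecli here.
DEFAULT_NOTIFICATION_PACKAGES = {"scecli"}

# DDS service/driver line: "<state> <name>;<display name>;<path and details>"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    category: str   # which load point the entry came from (names chosen here)
    detail: str     # the entry itself, for the analyst


def _service_binary(rest):
    """Return the binary path from the details part of a service line."""
    # Drop the '--> resolved path [?]' tail and the '[date size]' tail, then quotes.
    path = rest.split(" --> ")[0].split(" [")[0].strip()
    return path.strip('"')


def triage_dds(text):
    """Flag persistence entries in DDS output that deserve analyst review."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("AppInit_DLLs:"):
            # Every DLL listed here is injected into user32-using processes.
            for dll in line[len("AppInit_DLLs:"):].split():
                findings.append(Finding("appinit_dll", dll))
        elif line.startswith("LSA: Notification Packages"):
            # Loaded by LSASS; anything beyond the default set gets reviewed.
            packages = line.split("=", 1)[1].split()
            for pkg in packages:
                if pkg.lower() not in DEFAULT_NOTIFICATION_PACKAGES:
                    findings.append(Finding("lsa_notification_package", pkg))
        else:
            m = SERVICE_RE.match(line)
            if not m:
                continue
            _state, name, _display, rest = m.groups()
            path = _service_binary(rest)
            if rest.rstrip().endswith("[?]"):
                findings.append(Finding("service_file_unverified", f"{name}: {path}"))
            if TEMP_DIR_RE.search(path):
                findings.append(Finding("service_in_temp", f"{name}: {path}"))
    return findings


def summarize(findings):
    """Count findings per category."""
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"{f.category:26} {f.detail}")
    print(summarize(triage_dds(SAMPLE_DDS)))
```

Run as-is it prints eight findings from the sample: two AppInit DLLs, two non-default LSA notification packages, three services whose file details were unavailable, and one service whose binary lives under a Temp directory. Feed it a whole dds.txt instead of SAMPLE_DDS to get the same triage for a complete log.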

#5 Blade81 (Bleepin' Rocker)
  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 18 June 2009 - 09:45 AM

Hi leftyjim,


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (link). Remember to re-enable them afterwards.
  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log (both dds.txt & attach.txt).


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#6 leftyjim (Topic Starter)
  • Members
  • 38 posts

Posted 18 June 2009 - 12:54 PM

Hi, I have completed the run. Note: Everything was off when I ran Combo fix; I followed the instructions word for word, but the instructions said nothing of a restart, and AVAST auto starts on restart. (Like any other antivirus software.) So while Combo was creating the log, after the restart, Avast was on and it took some time. Also, the file "Perflib_Perfdata_590" is still in the Windows Temp folder. It still resists being deleted. I will be here until 3:00PM Pac time today, then I will be gone for a while. I will be back Saturday morning. Thanks, Jim.

ComboFix 09-06-17.04 - HP_Administrator 06/18/2009 10:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1694 [GMT -7:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090617-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\racle~1
c:\temp\fse
c:\temp\iee
c:\windows\IA
c:\windows\system32\o02PrEz
c:\documents and settings\HP_Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Arovax AntiSpyware.lnk
c:\windows\kb913800.exe
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SelfDel.bat
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
D:\Autorun.inf
D:\Desktop.ini
J:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER
-------\Legacy_KUNGSFJCTQPPTD
-------\Service_kungsfjctqpptd


((((((((((((((((((((((((( Files Created from 2009-05-18 to 2009-06-18 )))))))))))))))))))))))))))))))
.

2009-06-05 02:14 . 2009-06-05 02:16 -------- d-----w- c:\program files\EMCO MoveOnBoot
2009-06-03 12:23 . 2009-03-24 23:08 55640 ------w- c:\windows\system32\drivers\avgntflt.sys
2009-06-03 11:27 . 2009-02-05 20:06 51376 ------w- c:\windows\system32\drivers\aswTdi.sys
2009-06-03 11:27 . 2009-02-05 20:06 23152 ------w- c:\windows\system32\drivers\aswRdr.sys
2009-06-03 11:27 . 2009-02-05 20:05 26944 ------w- c:\windows\system32\drivers\aavmker4.sys
2009-06-03 11:27 . 2009-02-05 20:04 97480 ------w- c:\windows\system32\AvastSS.scr
2009-06-03 11:27 . 2009-02-05 20:08 93296 ------w- c:\windows\system32\drivers\aswmon.sys
2009-06-03 11:27 . 2009-02-05 20:08 94032 ------w- c:\windows\system32\drivers\aswmon2.sys
2009-06-03 11:27 . 2009-02-05 20:07 114768 ------w- c:\windows\system32\drivers\aswSP.sys
2009-06-03 11:27 . 2009-02-05 20:07 20560 ------w- c:\windows\system32\drivers\aswFsBlk.sys
2009-06-03 11:27 . 2009-02-05 20:11 1256296 ------w- c:\windows\system32\aswBoot.exe
2009-06-03 11:27 . 2009-06-03 11:27 -------- d-----w- c:\program files\Alwil Software
2009-05-31 19:05 . 2009-06-05 19:09 -------- d--h--w- C:\$AVG8.VAULT$
2009-05-31 11:45 . 2009-05-31 11:45 -------- d-----w- c:\program files\AVG
2009-05-31 01:15 . 2009-05-31 01:15 -------- d-----w- c:\program files\ESET
2009-05-31 00:51 . 2009-05-31 00:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-31 00:12 . 2009-05-31 00:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-05-24 04:24 . 2009-05-24 04:09 331776 ----a-w- c:\documents and settings\HP_Administrator\Application Data\InstallShield Installation Information\{BFA90209-7AFF-4DB6-8E4B-E57305751AD7}\SetupUT3.exe
2009-05-24 04:24 . 2007-10-24 11:47 4147031 ----a-w- c:\documents and settings\HP_Administrator\Application Data\InstallShield Installation Information\{BFA90209-7AFF-4DB6-8E4B-E57305751AD7}\ISSetup.dll
2009-05-24 04:24 . 2009-05-24 04:24 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\InstallShield Installation Information
2009-05-24 04:10 . 2009-05-28 14:03 -------- d-----w- c:\program files\Unreal Tournament 3
2009-05-24 04:10 . 2007-07-20 01:14 444776 ------w- c:\windows\system32\d3dx10_35.dll
2009-05-24 04:10 . 2007-07-20 01:14 1358192 ------w- c:\windows\system32\D3DCompiler_35.dll
2009-05-24 04:10 . 2007-07-20 01:14 3727720 ------w- c:\windows\system32\d3dx9_35.dll
2009-05-24 04:10 . 2007-05-16 23:45 443752 ------w- c:\windows\system32\d3dx10_34.dll
2009-05-24 04:10 . 2007-05-16 23:45 1124720 ------w- c:\windows\system32\D3DCompiler_34.dll
2009-05-24 04:10 . 2007-05-16 23:45 3497832 ------w- c:\windows\system32\d3dx9_34.dll
2009-05-24 04:10 . 2007-04-05 01:53 81768 ------w- c:\windows\system32\xinput1_3.dll
2009-05-24 04:09 . 2006-11-29 20:06 3426072 ------w- c:\windows\system32\d3dx9_32.dll
2009-05-24 04:09 . 2006-09-28 23:05 2414360 ------w- c:\windows\system32\d3dx9_31.dll
2009-05-24 04:09 . 2006-07-28 16:30 62744 ------w- c:\windows\system32\xinput1_2.dll
2009-05-24 01:57 . 2009-05-28 14:02 -------- d-----w- c:\program files\Konami
2009-05-22 04:20 . 2009-05-28 14:01 -------- d-----w- c:\program files\AGEIA Technologies
2009-05-22 04:20 . 2009-05-22 04:20 -------- d-----w- c:\windows\system32\AGEIA
2009-05-22 04:19 . 2009-05-22 04:19 -------- d-----w- c:\windows\nview
2009-05-22 04:19 . 2009-02-17 22:38 453152 ------w- c:\windows\system32\nvudisp.exe
2009-05-22 04:18 . 2009-02-05 17:54 453152 ------w- c:\windows\system32\NVUNINST.EXE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-18 01:36 . 2008-03-13 11:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-15 14:48 . 2007-07-08 23:06 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\uTorrent
2009-06-10 13:00 . 2006-06-14 04:08 62744 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-09 21:19 . 2007-01-23 19:58 3506 ----a-w- c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
2009-06-05 21:00 . 2008-06-07 03:51 -------- d-----w- c:\program files\Roxio
2009-06-05 20:58 . 2009-06-05 20:58 118784 ----a-w- c:\windows\Web\Wallpaper\Scenic- Beach Scenes Wallpaper.exe
2009-06-05 20:58 . 2007-01-23 22:44 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-06-05 20:57 . 2007-01-23 22:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2009-06-05 19:32 . 2009-04-21 17:03 -------- d-----w- c:\program files\Lavasoft
2009-06-05 19:32 . 2007-06-18 19:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-05 02:27 . 2009-04-18 04:34 117760 ----a-w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-05 01:30 . 2008-04-10 11:09 -------- d-----w- c:\program files\Arovax AntiSpyware
2009-06-03 16:52 . 2007-06-18 21:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-02 13:50 . 2007-06-18 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-31 11:45 . 2007-01-20 23:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Grisoft
2009-05-31 00:59 . 2008-05-31 00:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-29 04:46 . 2009-05-11 02:10 -------- d-----w- c:\program files\Steam
2009-05-28 14:02 . 2009-04-18 04:25 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-05-28 14:01 . 2008-10-23 23:02 -------- d-----w- c:\program files\Infinite Mind LC
2009-05-26 20:20 . 2008-08-10 00:27 40160 ------w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 20:19 . 2008-05-31 00:45 19096 ------w- c:\windows\system32\drivers\mbam.sys
2009-05-24 04:08 . 2006-06-14 03:53 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-18 01:40 . 2007-03-06 03:14 -------- d--h--w- c:\documents and settings\HP_Administrator\Application Data\Move Networks
2009-05-18 01:37 . 2009-05-18 01:37 34062 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Move Networks\ie_bin\Uninst.exe
2009-05-17 14:38 . 2005-08-31 04:01 92947 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-05-17 14:38 . 2009-05-17 14:38 45056 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe
2009-05-17 14:38 . 2009-05-17 14:38 61440 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemutil.dll
2009-05-17 14:38 . 2009-05-17 14:38 44032 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe
2009-05-17 14:38 . 2009-05-17 14:38 40960 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\ScDmi.dll
2009-05-17 14:38 . 2009-05-17 14:38 341048 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\HPBasicDetection3.dll
2009-05-17 14:38 . 2009-05-17 14:38 32768 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\uploadHSC.dll
2009-05-17 14:38 . 2009-05-17 14:38 32768 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\Scom.dll
2009-05-17 14:38 . 2009-05-17 14:38 217088 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
2009-05-17 14:38 . 2009-05-17 14:38 163840 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemcheck.dll
2009-05-05 02:02 . 2009-05-05 02:00 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\NCH Swift Sound
2009-04-21 18:10 . 2009-04-21 18:10 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Yahoo!
2009-04-18 04:01 . 2008-05-31 00:52 65024 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
2009-04-18 04:01 . 2008-05-31 00:52 29696 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
2009-04-18 04:01 . 2008-05-31 00:52 18944 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
2009-04-11 18:54 . 2009-04-11 18:54 118784 ----a-w- c:\windows\Web\Wallpaper\Scenic- Beach Scenes Wallpaper dir\uninstall.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-24 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sureshotpopupkiller"="c:\program files\Stop-the-Pop-Up Lite\stopthepop.exe" [2003-10-27 2256896]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-17 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-17 86016]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-06-06 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-03-11 01:16 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^IAccess.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\IAccess.lnk
backup=c:\windows\pss\IAccess.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MiniEYE-MiniREAD Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MiniEYE-MiniREAD Launch.lnk
backup=c:\windows\pss\MiniEYE-MiniREAD Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates From HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates From HP.lnk
backup=c:\windows\pss\Updates From HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Accessories^Startup^Bat - Auto Update.lnk]
path=c:\documents and settings\HP_Administrator\Start Menu\Programs\Accessories\Startup\Bat - Auto Update.lnk
backup=c:\windows\pss\Bat - Auto Update.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Accessories^Startup^ChkDisk.dll]
path=c:\documents and settings\HP_Administrator\Start Menu\Programs\Accessories\Startup\ChkDisk.dll
backup=c:\windows\pss\ChkDisk.dllStartup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Accessories^Startup^ChkDisk.lnk]
path=c:\documents and settings\HP_Administrator\Start Menu\Programs\Accessories\Startup\ChkDisk.lnk
backup=c:\windows\pss\ChkDisk.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Accessories^Startup^TA_Start.lnk]
path=c:\documents and settings\HP_Administrator\Start Menu\Programs\Accessories\Startup\TA_Start.lnk
backup=c:\windows\pss\TA_Start.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Accessories^Startup^Think-Adz.lnk]
path=c:\documents and settings\HP_Administrator\Start Menu\Programs\Accessories\Startup\Think-Adz.lnk
backup=c:\windows\pss\Think-Adz.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^TA_Start.lnk]
path=c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\TA_Start.lnk
backup=c:\windows\pss\TA_Start.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^Think-Adz.lnk]
path=c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\Think-Adz.lnk
backup=c:\windows\pss\Think-Adz.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ERSvc"=2 (0x2)
"CryptSvc"=3 (0x3)
"wuauserv"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=
"c:\\Program Files\\Opera\\Opera.exe"=
"c:\\Program Files\\Macromedia\\Flash MX\\Flash.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\VS7DEBUG\\MDM.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8000:UDP"= 8000:UDP:Express Talk RTP Incoming Audio (UDP)
"8001:UDP"= 8001:UDP:Express Talk RTP Incoming Audio (UDP)
"8002:UDP"= 8002:UDP:Express Talk RTP Incoming Audio (UDP)
"8003:UDP"= 8003:UDP:Express Talk RTP Incoming Audio (UDP)
"8004:UDP"= 8004:UDP:Express Talk RTP Incoming Audio (UDP)
"8005:UDP"= 8005:UDP:Express Talk RTP Incoming Audio (UDP)
"8006:UDP"= 8006:UDP:Express Talk RTP Incoming Audio (UDP)
"8007:UDP"= 8007:UDP:Express Talk RTP Incoming Audio (UDP)
"8008:UDP"= 8008:UDP:Express Talk RTP Incoming Audio (UDP)
"8009:UDP"= 8009:UDP:Express Talk RTP Incoming Audio (UDP)
"5070:UDP"= 5070:UDP:Express Talk Sip Incoming Calls (UDP)

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [6/3/2009 4:27 AM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [10/10/2006 12:53 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/27/2007 11:39 AM 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/3/2009 4:27 AM 20560]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 RoxLiveShare10;LiveShare P2P Server 10;"c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe" --> c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [?]
S2 SessionLauncher;SessionLauncher;c:\docume~1\HP_ADM~1\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 4:51 PM 4096]
.
Contents of the 'Scheduled Tasks' folder

2009-06-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-07 09:19]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-AVG Anti-Spyware Driver
SafeBoot-AVG Anti-Spyware Guard


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
TCP: {141E5FB3-6D27-4B5F-8F72-425888ADE0C8} = 192.168.1.254
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-18 10:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(788)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2009-06-18 10:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-18 17:39

Pre-Run: 63,663,124,480 bytes free
Post-Run: 63,799,685,120 bytes free

273 --- E O F --- 2009-06-04 16:56

#7 Blade81 (Bleepin' Rocker)
  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 19 June 2009 - 06:53 AM

Also, the file "Perflib_Perfdata_590" is still in the Windows Temp folder. It still resists being deleted.

Hi Jim,

You may let that file be. It's not actually harmful :thumbup2:

Could you post contents of attach.txt file too, please?



#8 leftyjim (Topic Starter)
  • Members
  • 38 posts

Posted 21 June 2009 - 01:00 PM

Hello, here is that log. I'll take your word on the file, but I have to say that is odd. It creates new files, you realize? And if it's actively creating new files, and known to be part of the virus (I looked it up), it is difficult to believe that it is no threat. I hope this is the correct log; it's the only other one I was given. I attached it.

Attached Files



#9 Blade81 (Bleepin' Rocker)
  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 21 June 2009 - 01:58 PM

Hi,

I'm not sure where you read that the file was part of the infection. Anyway, you seem to have P2P file sharing software installed there. Nowadays a big part of infections is received from P2P networks, and that's why I recommend uninstalling those clients.



Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\documents and settings\HP_Administrator\Start Menu\Programs\Accessories\Startup\Bat - Auto Update.lnk
c:\windows\pss\Bat - Auto Update.lnkStartup
c:\documents and settings\HP_Administrator\Start Menu\Programs\Accessories\Startup\ChkDisk.dll
c:\windows\pss\ChkDisk.dllStartup
c:\documents and settings\HP_Administrator\Start Menu\Programs\Accessories\Startup\ChkDisk.lnk
c:\windows\pss\ChkDisk.lnkStartup
c:\documents and settings\HP_Administrator\Start Menu\Programs\Accessories\Startup\TA_Start.lnk
c:\windows\pss\TA_Start.lnkStartup
c:\documents and settings\HP_Administrator\Start Menu\Programs\Accessories\Startup\Think-Adz.lnk
c:\windows\pss\Think-Adz.lnkStartup
c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\Think-Adz.lnk

Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Accessories^Startup^Bat - Auto Update.lnk]
[-HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Accessories^Startup^ChkDisk.dll]
[-HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Accessories^Startup^ChkDisk.lnk]
[-HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Accessories^Startup^TA_Start.lnk]
[-HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Accessories^Startup^Think-Adz.lnk]
[-HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^Think-Adz.lnk]


Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log.


ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time) and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happened we want to know, and also what process you had to end.


Get update 8.1.6 for Adobe Reader here, or uninstall Adobe Reader for good and get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 14.
  • Click the Download button to the right.
  • Select Windows on the platform combobox and check the box that says: Accept License Agreement. Click Continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation (with or without Multi-language) and save it to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version. Uncheck the MSN toolbar if it's offered there.


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


Post back its report, a fresh dds.txt log and the above-mentioned ComboFix resultant log.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#10 leftyjim (Topic Starter, Members, 38 posts)

Posted 21 June 2009 - 08:24 PM

Hi, I have attached the logs you requested; I have also completed your directions. Something was found by the online scanner. I have erased it. To be clear, when you say p2p, you believe I should erase Utorrent and Limewire because of further infection risk? As far as I know, those are the only p2p agents I use. (And I have not used LimeWire in some time.) Is there anything else you observed me to be using that falls under the heading of p2p, and if so should I get rid of it?




#11 Blade81 (Bleepin' Rocker, Malware Response Team, 6,465 posts, Finland)

Posted 22 June 2009 - 08:34 AM

To be clear, when you say p2p, you believe I should erase Utorrent and Limewire because of further infection risk? As far as I know, those are the only p2p agents I use. (And I have not used LimeWire in some time.) Is there anything else you observed me to be using that falls under the heading of p2p, and if so should I get rid of it?

Yes, those two P2P clients are the ones I recommend uninstalling.


Uninstall this vulnerable Java:
J2SE Runtime Environment 5.0 Update 5

Also, please update your Adobe Reader to version 8.1.6 or use alternative PDF reader as instructed in previous post.


Spybot should be updated to 1.6 series version.


Open notepad and copy/paste the text in the quotebox below into it:

Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^TA_Start.lnk]

DDS::
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File


Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log and a fresh dds.txt log. How's the system running?


ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time) and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happened we want to know, and also what process you had to end.

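The two CFScripts in posts #9 and #11 share one format: a `File::` section of paths for ComboFix to delete, a `Registry::` section in which `[-KEY]` deletes a key, and a `DDS::` section of lines copied verbatim from the DDS log. The script below is an added example written for this page; it is not code from the thread and not ComboFix's own code. It parses that format from a constructed sample assembled from the directives quoted in the two posts, decodes the MSConfig `startupfolder` keys (MSConfig records a disabled startup-folder item as a subkey named after the item's path with `^` in place of `\`; that `HKLM\~\startupfolder` abbreviates the MSConfig key is an assumption about DDS shorthand, not something the thread states), reports registry keys that have no matching `File::` entry, and pulls the CLSIDs out of `- No File` BHO/toolbar lines. With the sample, the `TA_Start.lnk` key from post #11 comes out as a key with no file entry, which is exactly the situation in that post.

```python
"""Parse a ComboFix CFScript and cross-check its sections.

Added example for this page; not part of the thread and not ComboFix's own code.
"""
import re
from typing import Dict, List

# Constructed sample, assembled from directives quoted in posts #9 and #11.
SAMPLE_CFSCRIPT = r"""
File::
c:\documents and settings\HP_Administrator\Start Menu\Programs\Accessories\Startup\ChkDisk.dll
c:\windows\pss\ChkDisk.dllStartup
c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\Think-Adz.lnk

Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Accessories^Startup^ChkDisk.dll]
[-HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^Think-Adz.lnk]
[-HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^TA_Start.lnk]

DDS::
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# DDS/ComboFix shorthand. Assumption: '~' abbreviates
# SOFTWARE\Microsoft\Shared Tools\MSConfig; the thread does not spell this out.
STARTUPFOLDER_PREFIX = "HKLM\\~\\startupfolder\\"


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into {section: [directive, ...]}; blank lines are ignored."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"directive before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def decode_startupfolder_key(directive: str) -> str:
    r"""Map '[-HKLM\~\startupfolder\C:^Dir^item.lnk]' back to 'c:\dir\item.lnk'.

    MSConfig names the subkey after the item's path with '^' in place of '\'.
    The result is case-folded because Windows paths compare case-insensitively.
    """
    if not (directive.startswith("[-") and directive.endswith("]")):
        raise ValueError(f"not a key-deletion directive: {directive!r}")
    key = directive[2:-1]
    if not key.startswith(STARTUPFOLDER_PREFIX):
        raise ValueError(f"not a startupfolder key: {key!r}")
    return key[len(STARTUPFOLDER_PREFIX):].replace("^", "\\").lower()


def startupfolder_keys_without_file(sections: Dict[str, List[str]]) -> List[str]:
    """Startup-folder keys in Registry:: whose item path is not also in File::.

    Such a key points at an item that is not being deleted by the same script
    (typically because it is already gone), so only the MSConfig record remains.
    """
    listed = {path.lower() for path in sections.get("File", [])}
    orphans: List[str] = []
    for directive in sections.get("Registry", []):
        if directive.startswith("[-" + STARTUPFOLDER_PREFIX):
            path = decode_startupfolder_key(directive)
            if path not in listed:
                orphans.append(path)
    return orphans


def no_file_clsids(sections: Dict[str, List[str]]) -> List[str]:
    """CLSIDs of DDS:: BHO/toolbar lines ending in '- No File' (dangling registrations)."""
    found: List[str] = []
    for line in sections.get("DDS", []):
        if line.endswith("- No File"):
            match = CLSID_RE.search(line)
            if match:
                found.append(match.group(0).upper())
    return found


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_CFSCRIPT)
    for name, items in parsed.items():
        print(f"{name}:: {len(items)} directive(s)")
    for path in startupfolder_keys_without_file(parsed):
        print("startupfolder key with no File:: entry:", path)
    for clsid in no_file_clsids(parsed):
        print("dangling CLSID:", clsid)
```

Running it on a real CFScript before dragging the file onto ComboFix is a cheap sanity check: a `startupfolder` key with no matching `File::` line should be expected (the item is already gone), and a `DDS::` line without `- No File` means a registration with a backing file is about to be removed, which deserves a second look.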


#12 leftyjim (Topic Starter, Members, 38 posts)

Posted 22 June 2009 - 12:23 PM

Then post the resultant log & a fresh dds.txt log. How's the system running?


Originally I had redirects and I could not defrag. Boopme was helping me in the malware section. His instructions got rid of several malware components, but not much was changing. Out of desperation I downloaded and ran Avast! on my own. Avast! found the Trojan: Alureon-BH. (The results are posted in this thread.) After that and my cleaning out the .dat files known to be part of the virus in WinTemp and Winsys32, I could defrag and the redirects stopped. Boopme felt it was likely I was not fully clean and referred me to you. I am thankful that both he and you have taken much malicious stuff off my computer, but these seem not to have been affecting things at a level I could notice--that does not mean they would not have been soon! As Boopme wrote:

you do need to have them kill a few files or you WILL be doing this again soon.


If there is a current problem that I can notice, it is that defrag is not compacting well. I could be mistaken, but I seem to remember defrag compacting files much better before this ordeal. I don't understand your process, or how you know when it is complete. If there is any specific area of performance you wish to know about, please let me know. Thanks, Jim.


P.S. Sorry I missed your instruction to update Adobe Reader to version 8.1.6, I know the order of things can be important.




#13 Blade81 (Bleepin' Rocker, Malware Response Team, 6,465 posts, Finland)

Posted 22 June 2009 - 03:17 PM

Hi,

I usually consider the case finished when the malware is swept off. For defragging you could give JkDefrag a shot.

To improve performance I recommend checking this.

Now lets uninstall ComboFix:
  • Click START then RUN
  • Now type "c:\documents and settings\HP_Administrator\Desktop\Computer hell\ComboFix.exe" /u in the Run box and click OK



#14 leftyjim (Topic Starter, Members, 38 posts)

Posted 22 June 2009 - 03:53 PM

That is done. And JkDefrag helped, thanks.

Edited by leftyjim, 22 June 2009 - 04:03 PM.


#15 Blade81 (Bleepin' Rocker, Malware Response Team, 6,465 posts, Finland)

Posted 23 June 2009 - 03:27 AM

You're welcome. Guess we can archive the topic now?





