Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Alureon Trojan


  • This topic is locked This topic is locked
3 replies to this topic

#1 MrsSchnabel

MrsSchnabel

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:50 PM

Posted 19 October 2009 - 02:04 PM

Hi everyone,

Today my computer wouldn't boot up anymore, which I managed to fix by deleting SPTD.sys in safe mode and then rebooting. But now I have all these viruses/trojans popping up left and right.
I've then switched from AVG to the free Microsoft Security Essentials, and also installed Malwarebytes. These two programmes do tell me they got rid of the problem, but whenever I restart my computer the trojans just reappear! So I guess they are still doing whatever evil they do, or are they inactive due to the Microsoft quarantine of them?
If anyone knows how I would be able to get rid of them, that would be fantastic and very much appreciated.

Here is the dds log:

DDS (Ver_09-10-13.01) - NTFSx86
Run by Debbie at 19:28:20.31 on 19/10/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3067.2205 [GMT 1:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: Sunbelt Personal Firewall *enabled* {82B1150E-9B37-49FC-83EB-D52197D900D0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
svchost.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
C:\Program Files\samsung\Samsung Network Manager\SNMWLANService.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\StkCSrv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe
C:\Program Files\Atheros WLAN Client\ACU.exe
C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SAMSUNG\MagicKBD\MagicKBD.exe
C:\Program Files\SAMSUNG\MagicKBD\PerformanceManager.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Documents and Settings\Debbie\Desktop\Desktop Items\hfs.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\program files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Debbie\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
uRun: [feedreader.exe] "c:\program files\feedreader30\feedreader.exe"
uRunOnce: [UniblueRegistryBooster] "c:\program files\uniblue\registrybooster 2010\launcher.exe" delay 20000
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [<NO NAME>]
mRun: [EDS] c:\program files\samsung\samsung eds\EDSAgent.exe
mRun: [ACU] "c:\program files\atheros wlan client\ACU.exe" -nogui
mRun: [BatteryManager] c:\program files\samsung\samsung battery manager\BatteryManager.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [MagicKeyboard] c:\program files\samsung\magickbd\PreMKBD.exe
mRun: [DMHotKey] c:\program files\samsung\easy display manager\DMLoader.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [Lexmark 1200 Series] "c:\program files\lexmark 1200 series\lxczbmgr.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\documents and settings\debbie\start menu\programs\startup\dnusax.exe
StartupFolder: c:\docume~1\debbie\startm~1\programs\startup\hfs.lnk - c:\documents and settings\debbie\desktop\desktop items\hfs.exe
StartupFolder: c:\docume~1\debbie\startm~1\programs\startup\stardo~1.lnk - c:\program files\stardock\objectdock\ObjectDock.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
IE: Nach Microsoft &Excel exportieren - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: MCPClient - c:\progra~1\common~1\stardock\mcpstub.dll
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - c:\progra~1\common~1\stardock\MCPCore.dll
LSA: Notification Packages = scecli dcebdhrs.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\debbie\applic~1\mozilla\firefox\profiles\bvxx1odw.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk/ig
FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {22B8C910-D062-4097-A587-AE8895D3053D} - c:\documents and settings\debbie\local settings\application data\{22B8C910-D062-4097-A587-AE8895D3053D}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2009-8-15 270888]
R1 sbhips;Sunbelt HIPS Driver;c:\windows\system32\drivers\sbhips.sys [2008-6-21 66600]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [2009-8-15 4300]
R2 SbPF.Launcher;SbPF.Launcher;c:\program files\sunbelt software\personal firewall\SbPFLnch.exe [2008-10-31 95528]
R2 SNM WLAN Service;SNM WLAN Service;c:\program files\samsung\samsung network manager\SNMWLANService.exe [2006-10-30 36864]
R2 SPF4;Sunbelt Personal Firewall 4;c:\program files\sunbelt software\personal firewall\SbPFSvc.exe [2008-10-31 1365288]
R2 StkSSrv;Syntek AVStream USB2.0 WebCam Service;c:\windows\system32\StkCSrv.exe [2009-8-15 31248]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc --> RUNDLL32.EXE ykx32coinst,serviceStartProc [?]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [2008-1-14 30208]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2009-8-14 41376]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [2009-8-15 65576]
R3 StkCMini;Syntek AVStream USB2.0 1.3M WebCam;c:\windows\system32\drivers\StkCMini.sys [2009-8-15 1363088]
R3 SUEPD;SUE NDIS Protocol Driver;c:\windows\system32\drivers\SUE_PD.sys [2006-10-30 19840]
R3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [2009-8-15 57408]
S0 cerc6;cerc6; [x]

=============== Created Last 30 ================

2009-10-19 19:07 <DIR> --d----- c:\docume~1\debbie\applic~1\Malwarebytes
2009-10-19 19:07 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-19 19:07 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-19 19:07 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-19 19:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-19 18:48 <DIR> --d----- c:\program files\Trend Micro
2009-10-19 15:35 312 a------- c:\windows\wininit.ini
2009-10-19 14:32 195,440 -------- c:\windows\system32\MpSigStub.exe
2009-10-19 14:30 <DIR> --d----- c:\program files\Microsoft Security Essentials
2009-10-19 14:20 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-10-19 14:01 <DIR> --d----- c:\docume~1\debbie\applic~1\Uniblue
2009-10-19 14:00 120 a------- c:\windows\Hqatewofehocozi.dat
2009-10-19 14:00 0 a------- c:\windows\Pzosobozeyeso.bin
2009-10-19 10:58 77,824 a------- C:\svvchost.exe
2009-10-19 10:58 13,312 a------- C:\dllhost.exe
2009-10-19 10:58 22,528 a------- C:\iexplorre.exe
2009-10-19 10:58 96,768 a------- C:\csrrss.exe
2009-10-15 20:39 <DIR> --d----- C:\temp
2009-10-14 16:01 305,152 a------- c:\windows\IsUninst.exe
2009-10-03 23:26 <DIR> --d----- c:\windows\system32\Adobe
2009-10-03 15:54 221,184 a------- c:\windows\system32\wmpns.dll
2009-10-03 15:53 <DIR> --d----- c:\windows\RegisteredPackages
2009-10-03 15:45 <DIR> --d----- c:\program files\iPod
2009-09-27 11:35 <DIR> --d----- c:\program files\TuneUpMedia
2009-09-27 10:49 <DIR> --d----- c:\program files\common files\LEADTools
2009-09-27 10:49 <DIR> --d----- c:\program files\Pearson VUE
2009-09-26 18:40 5,632 a------- c:\windows\system32\ptpusb.dll
2009-09-26 18:40 159,232 a------- c:\windows\system32\ptpusd.dll
2009-09-26 18:34 <DIR> --d----- c:\windows\SxsCaPendDel

==================== Find3M ====================

2009-09-25 06:37 667,136 a------- c:\windows\system32\wininet.dll
2009-09-25 06:37 81,920 a------- c:\windows\system32\ieencode.dll
2009-09-11 15:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-09 19:14 81 a------- C:\CTX.DAT
2009-09-09 19:12 411,368 a------- c:\windows\system32\deploytk.dll
2009-09-04 22:03 58,880 a------- c:\windows\system32\msasn1.dll
2009-08-28 19:42 2,065,696 a------- c:\windows\system32\usbaaplrc.dll
2009-08-28 19:42 40,448 a------- c:\windows\system32\drivers\usbaapl.sys
2009-08-26 09:00 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-18 09:47 87,263 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-08-15 17:18 2,560 a------- c:\windows\_MSRSTRT.EXE
2009-08-15 10:37 315,392 a------- c:\windows\HideWin.exe
2009-08-15 10:22 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-08-05 10:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-04 16:13 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-08-04 15:20 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-07-29 05:37 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-29 05:37 81,920 a------- c:\windows\system32\fontsub.dll

============= FINISH: 19:29:38.60 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:11:50 AM

Posted 20 October 2009 - 07:52 PM

Hello MrsSchnabel :( Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond the your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.





I would like to have another ARK scan of your computer. Please do the following:


We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
    Posted Image
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.












Please do not post any logs as an attachment unless asked to do so.





Thanks,



thewall
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 MrsSchnabel

MrsSchnabel
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:50 PM

Posted 22 October 2009 - 04:28 AM

Hi there,

Thank you very much for your reply. I have decided for a clean XP reinstall yesterday and am (for now) Virus free.

Again, many thanks for your time and effort!

#4 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:11:50 AM

Posted 22 October 2009 - 09:13 AM

I totally understand and thank you for letting me know. Best of luck to you. :(


This Topic has been closed.

If your the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users