Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Recently Infected with Alureon Rootkit

  • This topic is locked This topic is locked
8 replies to this topic



  • Members
  • 4 posts
  • Local time:06:19 PM

Posted 26 February 2010 - 01:18 PM

Hi! This is my first post. I've no background in computers, am clueless about their operation, but I've spent long enough in school to be able to follow instructions and press a few buttons. busy.gif laugh.gif

I'm using a 32-bit Windows XP OS on a Dell Inspiron 5100 laptop.

From about 12/02/10 my computer began to exhibit behavior consistent with viral infection. My Google searches in both IE and Firefox were being redirected to the likes of scour.com, myrealmatch.com etc, etc. I was running Avast! but full scans didn't fix anything..although a lot of infections were found. I also had stupidly disabled my firewall a few months before hand trying to get faster browser speeds and had forgotten to turn it back on. Schooboy error blush.gif

The infection began to progress. I had downloaded Hijack This, and while it worked fine for a few days, on about the 17/02/10, I was suddenly informed that the ''specified path could not be found'' when trying to load said program. I also could not downland hijack This or any other anti-virus programs like Malware Bytes..the download just stalled towards the end, or simply wouldn't begin. I could, however, run them from a USB (I downloaded them on another computer), but again, nothing significant was found by any program.

Then I downloaded Microsoft Update KB977165 and I got the dreaded BSoD 'page fault in non-paged area'


After some effort (I bought my laptop second hand, so had to find the XP recovery console ISO file online), I managed to get XP repaired. While I had been pissed at MS for ''breaking my computer'', it was actually a useful event as it alerted me to the fact that my computer was infected with the Alureon rootkit. I ran Windows Onecare Live scanner and installed MS Security essentials and re-enabled my firewall. The aforementioned programs found two 'severe' Trojans lurking in the System Volume Information,a Win32/Yabector.gen and a ASX/ Wimad.CS, as well as few other infections. I cleared the System Volume Information in response to this

However, Firefox was still being hijacked, (IE was fine) indicating the rootkit was still active..also, my computer was still pretty slow.

So, I decided to just run Combofix, following the guidance on this site. Sure, enough, almost as soon as it had begun, it detected rootkit activity and rebooted. At the end of it's run, it informed me that it had replaced an infected atapi.sys file with a new one from MS. To check that the rootkit was gone, I reinstalled KB977165. No problems, therefore, I assumed it was gone, as it's prior presence had prevented Xp booting with KB977165 installed.

Ran a full scan with MSSE on the 23/02/10 and it found and disinfected the Win32/Alureon.F hiding here :C:\System Volume Information\_restore{1F57FE27-27A3-468E-BD4E-E07ED528EDE0}\RP582\A0266973.sys

Since running Combofix, I've had no virus-related trouble. My computer is back running normally and the browser hijack are gone. I've started using a keyscramber to protect against keyloggers as I shop online a lot as well as doing a good deal of online banking. The only issue is that it is very slow on start-up and just today I got a BSoD
''page fault in non paged area
STOP: 0x00000050 (0xF8880726, 0x00000000, 0xF8880726, 0x00000000, )
PartMgr.sys - address F8880726 base of F8880726
Datestamp 00000000

I couldn't boot in safe mode, but restoring to last god configuration worked. I have since removed Combofix.

My question is,
''Is my computer free of keyloggers/trojans/malware/rootkits and can I start using it safely for online transactions?''

I've attached the required information.
Thanks in advance for any assistance.

DDS (Ver_09-12-01.01) - NTFSx86
Run by Cheetu Nawab at 13:52:28.86 on 26/02/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.86 [GMT 0:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Secunia\PSI (RC4)\psi.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Cheetu Nawab\Desktop\dds.scr
C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ie/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: KeyScramblerBHO Class: {2b9f5787-88a5-4945-90e7-c4b18563bc5e} - c:\program files\keyscrambler\KeyScramblerIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {119DBEDA-9C41-4F97-94B4-B6BCD01133CF} - No File
TB: {10CECF4F-A96E-4803-8AC2-F565FB29FF47} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Dell Wireless Manager UI] c:\windows\system32\WLTRAY
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\cheetu~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi (rc4)\psi.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - {B745F984-EF2E-40D6-A9AC-D8CED7230E61} - c:\program files\keyscrambler\KeyScramblerIE.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: WRNotifier - WRLogonNTF.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\cheetu~1\applic~1\mozilla\firefox\profiles\7j9gqzqr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/|http://mail.google.com/mail/#inbox
FF - component: c:\documents and settings\cheetu nawab\application data\mozilla\firefox\profiles\7j9gqzqr.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
FF - plugin: c:\documents and settings\cheetu nawab\application data\mozilla\firefox\profiles\7j9gqzqr.default\extensions\battlefieldheroespatcher@ea.com\platform\winnt_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npcosmop211.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2010-2-23 115312]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2008-10-27 7808]
S0 szkg5;szkg;c:\windows\system32\drivers\szkg.sys --> c:\windows\system32\drivers\szkg.sys [?]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]

=============== Created Last 30 ================

2010-02-26 13:50:10 0 ----a-w- c:\documents and settings\cheetu nawab\defogger_reenable
2010-02-23 18:18:48 115312 ----a-w- c:\windows\system32\drivers\keyscrambler.sys
2010-02-23 18:18:24 0 d-----w- c:\program files\KeyScrambler
2010-02-20 12:45:37 0 d-sha-r- C:\cmdcons
2010-02-20 12:38:47 98816 ----a-w- c:\windows\sed.exe
2010-02-20 12:38:47 77312 ----a-w- c:\windows\MBR.exe
2010-02-20 12:38:47 261632 ----a-w- c:\windows\PEV.exe
2010-02-20 12:38:47 161792 ----a-w- c:\windows\SWREG.exe
2010-02-20 11:54:18 0 d-----w- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2010-02-20 11:42:49 0 d-----w- c:\docume~1\alluse~1\applic~1\SecTaskMan
2010-02-20 11:31:59 0 d-----w- c:\program files\Security Task Manager
2010-02-19 17:13:38 0 d-----w- c:\program files\Microsoft Security Essentials
2010-02-16 21:49:36 2145280 -c--a-w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 21:49:36 2066048 -c--a-w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 21:49:36 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 21:49:36 2023936 -c--a-w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-16 21:49:35 2189184 -c--a-w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 21:49:35 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 17:44:26 0 d-----w- c:\program files\Trend Micro
2010-02-14 20:57:01 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-02-14 20:57:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-14 20:46:23 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-11 19:48:50 0 d-----w- c:\docume~1\cheetu~1\applic~1\TrojanHunter
2010-02-10 22:02:31 9758152 ----a-w- c:\program files\windows-kb890830-v3.4.exe
2010-02-10 11:24:23 16320472 ----a-w- c:\program files\vlc-0.9.8a-win32.exe
2010-02-10 11:22:53 14452040 ----a-w- c:\program files\winzip140.exe
2010-02-08 23:29:49 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-02-08 23:25:11 0 d-----r- c:\program files\Skype
2010-02-05 20:56:37 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2010-01-27 22:49:38 0 d-----w- c:\program files\common files\DivX Shared

==================== Find3M ====================

2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14:05 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2008-11-01 20:55:50 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008110120081102\index.dat

============= FINISH: 13:54:01.63 ===============

Attached Files

BC AdBot (Login to Remove)


#2 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:06:19 PM

Posted 01 March 2010 - 06:38 PM


Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks thumbup2.gif
Posted Image
m0le is a proud member of UNITE


  • Topic Starter

  • Members
  • 4 posts
  • Local time:06:19 PM

Posted 02 March 2010 - 12:15 PM

Hey m0le!

Thanks for the reply - I'm here, hanging on every word!

#4 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:06:19 PM

Posted 02 March 2010 - 06:48 PM

The easiest way to have checked would have been to look at the Combofix logs that you had but as you installed it we can't do that.

Alureon infects a system file and then causes redirects and slowness on the PC so if Combofix found that it would have replaced it and that would have stopped the redirects. That has happened.

We should check for remnants with MBAM and then an online scan with ESET

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
Thanks smile.gif
Posted Image
m0le is a proud member of UNITE


  • Topic Starter

  • Members
  • 4 posts
  • Local time:06:19 PM

Posted 03 March 2010 - 05:52 AM

Hey m0le,

I cleverly kept a copy of the Combofix log from the 20/02/10 and have attached it to this reply. To the best of my knowledge, the only programs I have installed since then have been those required before posting to this forum, i.e GMER, Defrogger, DDS, and KeyScrambler. I have not installed any program updates, but since I am running Microsoft Security Essentials some automatic updates have occured. Remember that MSE detected Alureon.F rootkit in the system volume information AFTER running Combofix; although after running Combofix ALL obvious symptoms of infection had disappeared, i.e no browser hijacks, faster browsing.

I will procede with your instructions regardless. Many thanks!

Attached Files

#6 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:06:19 PM

Posted 03 March 2010 - 08:11 AM

QUOTE(ALDIPER @ Mar 3 2010, 10:52 AM) View Post
Hey m0le,

I cleverly kept a copy of the Combofix log from the 20/02/10 and have attached it to this reply. To the best of my knowledge, the only programs I have installed since then have been those required before posting to this forum, i.e GMER, Defrogger, DDS, and KeyScrambler. I have not installed any program updates, but since I am running Microsoft Security Essentials some automatic updates have occured. Remember that MSE detected Alureon.F rootkit in the system volume information AFTER running Combofix; although after running Combofix ALL obvious symptoms of infection had disappeared, i.e no browser hijacks, faster browsing.

I will procede with your instructions regardless. Many thanks!

Carry on with the instructions but thanks to your forward thinking thumbup2.gif the log that you kept shows that Combofix plucked out the rootkit on its run. The scans I have asked for should clear anything else out.
Posted Image
m0le is a proud member of UNITE


  • Topic Starter

  • Members
  • 4 posts
  • Local time:06:19 PM

Posted 03 March 2010 - 02:10 PM

Well, Malwarebytes scan went without a hitch. Results follow

Malwarebytes' Anti-Malware 1.44
Database version: 3817
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

03/03/2010 3:08:11 PM
mbam-log-2010-03-03 (15-08-11).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 190197
Time elapsed: 3 hour(s), 46 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ESET scan indicated that my MSE antivirus might interfere with the scan and sure enough, ESET scan was over before it began, with a search time displayed of 00:00. Thought this was odd, (unsurprisingly!) so I just disbabled MSE real time protection (hope this wasn't a big mistake. Other than logging onto hotmail, I did no other browsing while the ESET scan was running.) It found the following 3 trojans, as displayed in the following

C:\Documents and Settings\Cheetu Nawab\My Documents\My Music\Frank Zappa - Tell me you love me.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
C:\Documents and Settings\Cheetu Nawab\My Documents\My Music\Rory Gallagher with Bert Jansch - She Moved Thro' The Fair-Ann Cran UI.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
C:\Documents and Settings\Cheetu Nawab\My Documents\My Music\ZZ Top - Bad girl.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined


So, will I just delete these files, found by ESET? Other than that, has my computer a clean bill of health?

Thanks for taking the time to help me m0le, really appreciated. clapping.gif Once I get my new CC (canceled the old one once I found out that I was infected with Alureon), I'll donate to the cause! It's a great service..way better than my uni IT service, that's for sure, they just said ''Call Dell". dry.gif

#8 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:06:19 PM

Posted 03 March 2010 - 02:49 PM

Thanks for the kind words. I happen to think that this site is the friendliest and most well-run sites around smile.gif

Those three files are the codecs that probably infected you in the first place can be deleted and then you are good to go.

You're clean. Good stuff! thumbup2.gif

Let's do some clearing up

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.


Here's some advice on how you can keep your PC clean

Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the programs virus definitions.

Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version. or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.

Finally, here's a treasure trove of antivirus, antimalware and antispyware resources

That's it ALDIPER, happy surfing!


Posted Image
m0le is a proud member of UNITE

#9 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:06:19 PM

Posted 07 March 2010 - 08:16 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. smile.gif

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
Posted Image
m0le is a proud member of UNITE

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users