
Alueron.H; Virus will not die!


7 replies to this topic

#1 RandomStudent

RandomStudent

  • Members
  • 13 posts

Posted 17 April 2010 - 08:33 PM

I have been fighting a virus for several days. It's been with the help of another person (a security expert basically), so I won't be able to outline everything, but here's the basics:

It all started when I got Security Guard malware. It did a lot of damage but seemed like the standard malware: preventing explorer and taskmanager from launching, deleting MBAM.exe, redirections, etc etc etc. Another issue: ProcessExplorer was showing multiple instances of iexplorer.exe, and TCPView showed them all having connections to random IP addresses.

I thought I had removed the virus, first manually through command prompt (because it was all that I could get to work from Safe Mode) and then through Malwarebytes/ Bleepingcomputer's guide. The only thing that seemed to be left was the redirection (replacing HOSTS did not fix this). At some point in this ordeal I also got the "Windows Defender" malware; removed it as well.

Though the only visible problem was the redirection, Microsoft Security Essentials (which I know isn't the greatest but it's my only live protection) soon began constantly finding new instances of "Win32/Alueron.H". They begin stacking up at random times during the day. The details of the infection point to TMP files and files with other random TMP extensions with "OLD" in the file name; for example, OLDF98.tmp and OLDFBF.tmp848D858B, located in Windows/system32/drivers. Also suspicious are many randomly named 8-letter system files in the same location. Many (or maybe all) of these files showed up in RootkitRevealer's scan. Malwarebytes and BitDefender scans did not find any problems however. MSE claims to suspend and disinfect the instances of Alueron.H and asks for a restart. After restart, redirection still exists, but all else seems well, until a few hours later, when the Aluerons return again. Literally hundreds stack up.

We attempted to locate the source of this thing without much luck. We've run ComboFix, done much work in AutoRuns, cleanings with Malwarebytes, removed the problems RootkitRevealer found, deleted tons of files that could have been the issue. However, everything just keeps coming back.

The only noticeable detriment to my computer is the redirection, on links in Google searches. Otherwise, the virus has little to no noticeable effects. Redirects are to random advertisement sites, findgala.com, and occasionally a fake virus scanning page. I've been trying to avoid clicking any links as much as possible, just copying their target location instead.


Let me know what I need to provide you with more information! We are simply stumped.

Edited by RandomStudent, 17 April 2010 - 08:54 PM.




#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,573 posts
  • Gender:Male
  • Location:NJ USA

Posted 17 April 2010 - 09:38 PM

Hello, please do these and let me know how things are.

Run TDSSKiller
  • Go to this page and Download TDSSKiller.zip to your Desktop.
  • Extract its contents to your desktop and drag TDSSKiller.exe on the desktop, not in the folder.
  • Vista Start logo >All Programs> Accessories> RIGHT-click on Command Prompt and Select Run As Administrator. Copy/paste the following bolded command and hit Enter.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  • If TDSSKiller alerts you that the system needs to reboot, please consent.
  • When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates. When done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.


Next run ATF and SAS. If you cannot access Safe Mode, run in normal mode, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW scan with SUPER
Open from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post logs and let us know how the PC is running now.

How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 RandomStudent

RandomStudent
  • Topic Starter

  • Members
  • 13 posts

Posted 18 April 2010 - 06:00 PM

Thanks for the help!

Notes:
Pre-Scans:
-I'm running XP; I could not run Command Prompt as administrator, as I do not know the password for the Administrator account (it wasn't blank) (this originally was not my computer). However, my account is listed as an administrator in the control panel.
-The Malwarebytes update failed with: MBAM_ERROR_UPDATING (0, 0, SHRegGetPath). I uninstalled and then reinstalled, as the update that is built into the setup works.

During/Post Scans:
-TDSS removed an "atapi.sys"; our efforts earlier located this file, and after every removal it returned; we ended up replacing it with another file named atapi.sys hoping it would solve the problem. Clearly it didn't!
-The redirection problem still exists.
-MSE has not detected Alueron.H yet, but as stated before, they usually show up after a few hours. Hopefully they won't!


Oh also, I ran RootkitRevealer before starting this whole process and it found a couple of problems that didn't seem to show up in the TDSS scan. Unfortunately the program crashed when I tried to save the log. Would you like me to scan with RootkitRevealer again and post the log?



Logs:

TDSSKiller

12:59:40:906 1176 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
12:59:40:906 1176 ================================================================================
12:59:40:906 1176 SystemInfo:

12:59:40:906 1176 OS Version: 5.1.2600 ServicePack: 3.0
12:59:40:906 1176 Product type: Workstation
12:59:40:906 1176 ComputerName: RYAN
12:59:40:906 1176 UserName: Matthew
12:59:40:906 1176 Windows directory: C:\WINDOWS
12:59:40:906 1176 Processor architecture: Intel x86
12:59:40:906 1176 Number of processors: 2
12:59:40:906 1176 Page size: 0x1000
12:59:40:906 1176 Boot type: Normal boot
12:59:40:906 1176 ================================================================================
12:59:40:921 1176 UnloadDriverW: NtUnloadDriver error 2
12:59:40:921 1176 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
12:59:40:984 1176 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
12:59:40:984 1176 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
12:59:40:984 1176 wfopen_ex: Trying to KLMD file open
12:59:40:984 1176 wfopen_ex: File opened ok (Flags 2)
12:59:40:984 1176 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
12:59:40:984 1176 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
12:59:40:984 1176 wfopen_ex: Trying to KLMD file open
12:59:40:984 1176 wfopen_ex: File opened ok (Flags 2)
12:59:40:984 1176 Initialize success
12:59:40:984 1176
12:59:40:984 1176 Scanning Services ...
12:59:43:046 1176 Raw services enum returned 517 services
12:59:43:093 1176
12:59:43:093 1176 Scanning Kernel memory ...
12:59:43:093 1176 Devices to scan: 4
12:59:43:093 1176
12:59:43:093 1176 Driver Name: Disk
12:59:43:093 1176 IRP_MJ_CREATE : F76BDBB0
12:59:43:093 1176 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
12:59:43:093 1176 IRP_MJ_CLOSE : F76BDBB0
12:59:43:093 1176 IRP_MJ_READ : F76B7D1F
12:59:43:093 1176 IRP_MJ_WRITE : F76B7D1F
12:59:43:093 1176 IRP_MJ_QUERY_INFORMATION : 804F9759
12:59:43:093 1176 IRP_MJ_SET_INFORMATION : 804F9759
12:59:43:093 1176 IRP_MJ_QUERY_EA : 804F9759
12:59:43:093 1176 IRP_MJ_SET_EA : 804F9759
12:59:43:093 1176 IRP_MJ_FLUSH_BUFFERS : F76B82E2
12:59:43:093 1176 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
12:59:43:093 1176 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
12:59:43:093 1176 IRP_MJ_DIRECTORY_CONTROL : 804F9759
12:59:43:093 1176 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
12:59:43:093 1176 IRP_MJ_DEVICE_CONTROL : F76B83BB
12:59:43:093 1176 IRP_MJ_INTERNAL_DEVICE_CONTROL : F76BBF28
12:59:43:093 1176 IRP_MJ_SHUTDOWN : F76B82E2
12:59:43:093 1176 IRP_MJ_LOCK_CONTROL : 804F9759
12:59:43:093 1176 IRP_MJ_CLEANUP : 804F9759
12:59:43:093 1176 IRP_MJ_CREATE_MAILSLOT : 804F9759
12:59:43:093 1176 IRP_MJ_QUERY_SECURITY : 804F9759
12:59:43:093 1176 IRP_MJ_SET_SECURITY : 804F9759
12:59:43:093 1176 IRP_MJ_POWER : F76B9C82
12:59:43:093 1176 IRP_MJ_SYSTEM_CONTROL : F76BE99E
12:59:43:093 1176 IRP_MJ_DEVICE_CHANGE : 804F9759
12:59:43:093 1176 IRP_MJ_QUERY_QUOTA : 804F9759
12:59:43:093 1176 IRP_MJ_SET_QUOTA : 804F9759
12:59:43:109 1176 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
12:59:43:109 1176
12:59:43:109 1176 Driver Name: Disk
12:59:43:109 1176 IRP_MJ_CREATE : F76BDBB0
12:59:43:109 1176 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
12:59:43:109 1176 IRP_MJ_CLOSE : F76BDBB0
12:59:43:109 1176 IRP_MJ_READ : F76B7D1F
12:59:43:109 1176 IRP_MJ_WRITE : F76B7D1F
12:59:43:109 1176 IRP_MJ_QUERY_INFORMATION : 804F9759
12:59:43:109 1176 IRP_MJ_SET_INFORMATION : 804F9759
12:59:43:109 1176 IRP_MJ_QUERY_EA : 804F9759
12:59:43:109 1176 IRP_MJ_SET_EA : 804F9759
12:59:43:109 1176 IRP_MJ_FLUSH_BUFFERS : F76B82E2
12:59:43:109 1176 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
12:59:43:109 1176 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
12:59:43:109 1176 IRP_MJ_DIRECTORY_CONTROL : 804F9759
12:59:43:109 1176 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
12:59:43:109 1176 IRP_MJ_DEVICE_CONTROL : F76B83BB
12:59:43:109 1176 IRP_MJ_INTERNAL_DEVICE_CONTROL : F76BBF28
12:59:43:109 1176 IRP_MJ_SHUTDOWN : F76B82E2
12:59:43:109 1176 IRP_MJ_LOCK_CONTROL : 804F9759
12:59:43:109 1176 IRP_MJ_CLEANUP : 804F9759
12:59:43:109 1176 IRP_MJ_CREATE_MAILSLOT : 804F9759
12:59:43:109 1176 IRP_MJ_QUERY_SECURITY : 804F9759
12:59:43:109 1176 IRP_MJ_SET_SECURITY : 804F9759
12:59:43:109 1176 IRP_MJ_POWER : F76B9C82
12:59:43:109 1176 IRP_MJ_SYSTEM_CONTROL : F76BE99E
12:59:43:109 1176 IRP_MJ_DEVICE_CHANGE : 804F9759
12:59:43:109 1176 IRP_MJ_QUERY_QUOTA : 804F9759
12:59:43:109 1176 IRP_MJ_SET_QUOTA : 804F9759
12:59:43:125 1176 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
12:59:43:125 1176
12:59:43:125 1176 Driver Name: Disk
12:59:43:125 1176 IRP_MJ_CREATE : F76BDBB0
12:59:43:125 1176 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
12:59:43:125 1176 IRP_MJ_CLOSE : F76BDBB0
12:59:43:125 1176 IRP_MJ_READ : F76B7D1F
12:59:43:125 1176 IRP_MJ_WRITE : F76B7D1F
12:59:43:125 1176 IRP_MJ_QUERY_INFORMATION : 804F9759
12:59:43:125 1176 IRP_MJ_SET_INFORMATION : 804F9759
12:59:43:125 1176 IRP_MJ_QUERY_EA : 804F9759
12:59:43:125 1176 IRP_MJ_SET_EA : 804F9759
12:59:43:125 1176 IRP_MJ_FLUSH_BUFFERS : F76B82E2
12:59:43:125 1176 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9759
12:59:43:125 1176 IRP_MJ_SET_VOLUME_INFORMATION : 804F9759
12:59:43:125 1176 IRP_MJ_DIRECTORY_CONTROL : 804F9759
12:59:43:125 1176 IRP_MJ_FILE_SYSTEM_CONTROL : 804F9759
12:59:43:125 1176 IRP_MJ_DEVICE_CONTROL : F76B83BB
12:59:43:125 1176 IRP_MJ_INTERNAL_DEVICE_CONTROL : F76BBF28
12:59:43:125 1176 IRP_MJ_SHUTDOWN : F76B82E2
12:59:43:125 1176 IRP_MJ_LOCK_CONTROL : 804F9759
12:59:43:125 1176 IRP_MJ_CLEANUP : 804F9759
12:59:43:125 1176 IRP_MJ_CREATE_MAILSLOT : 804F9759
12:59:43:125 1176 IRP_MJ_QUERY_SECURITY : 804F9759
12:59:43:125 1176 IRP_MJ_SET_SECURITY : 804F9759
12:59:43:125 1176 IRP_MJ_POWER : F76B9C82
12:59:43:125 1176 IRP_MJ_SYSTEM_CONTROL : F76BE99E
12:59:43:125 1176 IRP_MJ_DEVICE_CHANGE : 804F9759
12:59:43:125 1176 IRP_MJ_QUERY_QUOTA : 804F9759
12:59:43:125 1176 IRP_MJ_SET_QUOTA : 804F9759
12:59:43:125 1176 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
12:59:43:125 1176
12:59:43:125 1176 Driver Name: atapi
12:59:43:125 1176 IRP_MJ_CREATE : 8A420AC8
12:59:43:125 1176 IRP_MJ_CREATE_NAMED_PIPE : 8A420AC8
12:59:43:125 1176 IRP_MJ_CLOSE : 8A420AC8
12:59:43:125 1176 IRP_MJ_READ : 8A420AC8
12:59:43:125 1176 IRP_MJ_WRITE : 8A420AC8
12:59:43:125 1176 IRP_MJ_QUERY_INFORMATION : 8A420AC8
12:59:43:125 1176 IRP_MJ_SET_INFORMATION : 8A420AC8
12:59:43:125 1176 IRP_MJ_QUERY_EA : 8A420AC8
12:59:43:125 1176 IRP_MJ_SET_EA : 8A420AC8
12:59:43:125 1176 IRP_MJ_FLUSH_BUFFERS : 8A420AC8
12:59:43:125 1176 IRP_MJ_QUERY_VOLUME_INFORMATION : 8A420AC8
12:59:43:125 1176 IRP_MJ_SET_VOLUME_INFORMATION : 8A420AC8
12:59:43:125 1176 IRP_MJ_DIRECTORY_CONTROL : 8A420AC8
12:59:43:125 1176 IRP_MJ_FILE_SYSTEM_CONTROL : 8A420AC8
12:59:43:125 1176 IRP_MJ_DEVICE_CONTROL : 8A420AC8
12:59:43:125 1176 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8A420AC8
12:59:43:125 1176 IRP_MJ_SHUTDOWN : 8A420AC8
12:59:43:125 1176 IRP_MJ_LOCK_CONTROL : 8A420AC8
12:59:43:125 1176 IRP_MJ_CLEANUP : 8A420AC8
12:59:43:125 1176 IRP_MJ_CREATE_MAILSLOT : 8A420AC8
12:59:43:125 1176 IRP_MJ_QUERY_SECURITY : 8A420AC8
12:59:43:125 1176 IRP_MJ_SET_SECURITY : 8A420AC8
12:59:43:125 1176 IRP_MJ_POWER : 8A420AC8
12:59:43:125 1176 IRP_MJ_SYSTEM_CONTROL : 8A420AC8
12:59:43:125 1176 IRP_MJ_DEVICE_CHANGE : 8A420AC8
12:59:43:125 1176 IRP_MJ_QUERY_QUOTA : 8A420AC8
12:59:43:125 1176 IRP_MJ_SET_QUOTA : 8A420AC8
12:59:43:125 1176 Driver "atapi" infected by TDSS rootkit!
12:59:43:140 1176 C:\WINDOWS\system32\DRIVERS\ATAPI.SYS - Verdict: 1
12:59:43:140 1176 File "C:\WINDOWS\system32\DRIVERS\ATAPI.SYS" infected by TDSS rootkit ...
12:59:43:140 1176 Processing driver file: C:\WINDOWS\system32\DRIVERS\ATAPI.SYS
12:59:43:140 1176 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
12:59:43:250 1176 vfvi6
12:59:43:359 1176 !dsvbh1
12:59:43:625 1176 dsvbh2
12:59:43:625 1176 fdfb2
12:59:43:625 1176 Backup copy found, using it..
12:59:43:718 1176 will be cured on next reboot
12:59:43:718 1176 Reboot required for cure complete..
12:59:43:750 1176 Cure on reboot scheduled successfully
12:59:43:750 1176
12:59:43:750 1176 Completed
12:59:43:750 1176
12:59:43:750 1176 Results:
12:59:43:750 1176 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
12:59:43:750 1176 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
12:59:43:750 1176 File objects infected / cured / cured on reboot: 1 / 0 / 1
12:59:43:750 1176
12:59:43:750 1176 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
12:59:43:750 1176 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
12:59:43:750 1176 UnloadDriverW: NtUnloadDriver error 1
12:59:43:750 1176 KLMD(ARK) unloaded successfully




MBAM

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4005

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/18/2010 1:30:05 PM
mbam-log-2010-04-18 (13-30-05).txt

Scan type: Quick scan
Objects scanned: 146897
Time elapsed: 12 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\RECYCLER\S-1-5-21-3557709925-3530359878-971885066-1006\Dc328\Systemcallretriever.exe (Trojan.Downloader) -> Quarantined and deleted successfully.



SUPERAntiSpyware

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/18/2010 at 03:21 PM

Application Version : 4.35.1002

Core Rules Database Version : 4820
Trace Rules Database Version: 2632

Scan type : Complete Scan
Total Scan Time : 01:37:58

Memory items scanned : 224
Memory threats detected : 0
Registry items scanned : 6297
Registry threats detected : 8
File items scanned : 32812
File threats detected : 17

Adware.MyWebSearch
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D}
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF6-072E-44CF-8957-5838F569A31D}
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA}
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA}
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D}
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF6-072E-44CF-8957-5838F569A31D}
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA}
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA}

Adware.Tracking Cookie
C:\Documents and Settings\Matthew.RYAN\Cookies\matthew@cdn4.specificclick[7].txt
C:\Documents and Settings\Matthew.RYAN\Cookies\matthew@ad.yieldmanager[7].txt
C:\Documents and Settings\Matthew.RYAN\Cookies\matthew@metroleap.rotator.hadj7.adjuggler[3].txt
C:\Documents and Settings\Matthew.RYAN\Cookies\matthew@ad.yieldmanager[2].txt
C:\Documents and Settings\Matthew.RYAN\Cookies\matthew@realmedia[3].txt
C:\Documents and Settings\Matthew.RYAN\Cookies\matthew@ads.undertone[1].txt
C:\Documents and Settings\Matthew.RYAN\Cookies\matthew@serving-sys[2].txt
C:\Documents and Settings\Matthew.RYAN\Cookies\matthew@247realmedia[2].txt
C:\Documents and Settings\Matthew.RYAN\Cookies\matthew@specificmedia[8].txt
C:\Documents and Settings\Matthew.RYAN\Cookies\matthew@ad.yieldmanager[6].txt
C:\Documents and Settings\Matthew.RYAN\Cookies\matthew@mediaplex[3].txt
C:\Documents and Settings\Matthew.RYAN\Cookies\matthew@fastclick[6].txt
C:\Documents and Settings\Matthew.RYAN\Cookies\matthew@zedo[3].txt
C:\Documents and Settings\Matthew.RYAN\Cookies\matthew@forum.pcstats[1].txt
C:\Documents and Settings\Matthew.RYAN\Cookies\matthew@oasn04.247realmedia[2].txt
C:\Documents and Settings\Matthew.RYAN\Cookies\matthew@a1.interclick[3].txt

Trojan.Agent/Gen-Nullo[Short]
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP40\A0012358.EXE


Edited by RandomStudent, 18 April 2010 - 06:01 PM.
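The TDSSKiller log above shows why atapi was flagged: every IRP major dispatches to one address (8A420AC8), whereas disk.sys mixes its own handlers with the kernel's default stub (804F9759). The following Python script is an added example, not part of this thread or of TDSSKiller; it parses that log format, applies the single-address heuristic (an assumption of this example, not a documented TDSSKiller rule) and pairs it with the tool's own verdict line. The embedded log excerpt is constructed from the log posted above, abbreviated to six IRP majors per driver.

```python
import re

# Constructed excerpt modelled on the TDSSKiller 2.2.8.1 log posted above; the
# disk.sys and atapi blocks are each abbreviated to six IRP majors.
SAMPLE_LOG = r"""
12:59:43:093 1176 Driver Name: Disk
12:59:43:093 1176 IRP_MJ_CREATE : F76BDBB0
12:59:43:093 1176 IRP_MJ_CREATE_NAMED_PIPE : 804F9759
12:59:43:093 1176 IRP_MJ_CLOSE : F76BDBB0
12:59:43:093 1176 IRP_MJ_READ : F76B7D1F
12:59:43:093 1176 IRP_MJ_WRITE : F76B7D1F
12:59:43:093 1176 IRP_MJ_QUERY_INFORMATION : 804F9759
12:59:43:109 1176 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
12:59:43:109 1176
12:59:43:125 1176 Driver Name: atapi
12:59:43:125 1176 IRP_MJ_CREATE : 8A420AC8
12:59:43:125 1176 IRP_MJ_CREATE_NAMED_PIPE : 8A420AC8
12:59:43:125 1176 IRP_MJ_CLOSE : 8A420AC8
12:59:43:125 1176 IRP_MJ_READ : 8A420AC8
12:59:43:125 1176 IRP_MJ_WRITE : 8A420AC8
12:59:43:125 1176 IRP_MJ_QUERY_INFORMATION : 8A420AC8
12:59:43:125 1176 Driver "atapi" infected by TDSS rootkit!
12:59:43:140 1176 C:\WINDOWS\system32\DRIVERS\ATAPI.SYS - Verdict: 1
"""

# Every TDSSKiller line starts with "HH:MM:SS:mmm <pid> ".
_PREFIX = r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s+"
_DRIVER_RE = re.compile(_PREFIX + r"Driver Name:\s*(\S+)\s*$")
_IRP_RE = re.compile(_PREFIX + r"(IRP_MJ_[A-Z_]+)\s*:\s*([0-9A-Fa-f]{8})\s*$")
_INFECTED_RE = re.compile(_PREFIX + r'Driver "([^"]+)" infected by (.+?)!\s*$')


def parse_dispatch_tables(log_text):
    """Return (tables, verdicts): tables maps driver name -> {IRP major: address},
    verdicts maps driver name -> the tool's own infection verdict text."""
    tables, verdicts, current = {}, {}, None
    for line in log_text.splitlines():
        m = _DRIVER_RE.match(line)
        if m:
            current = m.group(1)
            tables.setdefault(current, {})  # a driver is listed once per device
            continue
        m = _IRP_RE.match(line)
        if m and current is not None:
            tables[current][m.group(1)] = int(m.group(2), 16)
            continue
        m = _INFECTED_RE.match(line)
        if m:
            verdicts[m.group(1)] = m.group(2)
    return tables, verdicts


def find_uniform_dispatch(tables):
    """Heuristic (an assumption of this example, not a TDSSKiller rule): a clean
    driver's table mixes its own handlers with the kernel's default stub for the
    majors it does not support (804F9759 in the posted log), so a table in which
    every major goes to one address, like atapi's 8A420AC8, suggests the
    dispatch table has been overwritten."""
    findings = {}
    for name, table in tables.items():
        distinct = set(table.values())
        if len(table) >= 2 and len(distinct) == 1:
            findings[name] = "all %d IRP majors dispatch to %08X" % (
                len(table), distinct.pop())
    return findings


def triage(log_text):
    """Combine the heuristic with the tool's verdict. A driver flagged by both is
    the persistence root to cure in memory and on disk together; in this thread
    replacing the on-disk atapi.sys alone did not stop it coming back."""
    tables, verdicts = parse_dispatch_tables(log_text)
    heuristic = find_uniform_dispatch(tables)
    return {name: {"uniform_dispatch": heuristic.get(name),
                   "tool_verdict": verdicts.get(name)}
            for name in tables}


if __name__ == "__main__":
    for driver, info in triage(SAMPLE_LOG).items():
        print(driver, info)
```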


#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,573 posts
  • Gender:Male
  • Location:NJ USA

Posted 18 April 2010 - 07:34 PM

Ok, the atapi and the recycler concern me. I want to try to verify if there is an issue.



Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.


#5 RandomStudent

RandomStudent
  • Topic Starter

  • Members
  • 13 posts

Posted 19 April 2010 - 01:27 AM

BitDefender reported a clean system.

I proceeded with a complete MBAM scan which found the following:

Files Infected:
C:\Program Files\Desktop Calendar\unins000.exe (Rogue.Installer) -> Quarantined and deleted successfully. **This is a program I downloaded very recently; should be unrelated to other problems (and possibly a false positive)**

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000983.exe (Trojan.Downloader) -> Quarantined and deleted successfully.


A subsequent full MBAM scan revealed no problems.

Next I ran SUPERAntiSpyware:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/19/2010 at 00:58 AM

Application Version : 4.35.1002

Core Rules Database Version : 4820
Trace Rules Database Version: 2632

Scan type : Complete Scan
Total Scan Time : 02:41:14

Memory items scanned : 464
Memory threats detected : 0
Registry items scanned : 6263
Registry threats detected : 0
File items scanned : 33044
File threats detected : 19

Adware.Tracking Cookie
C:\Documents and Settings\Matthew.RYAN\Cookies\matthew@cdn4.specificclick[7].txt
C:\Documents and Settings\Matthew.RYAN\Cookies\matthew@ad.yieldmanager[7].txt
C:\Documents and Settings\Matthew.RYAN\Cookies\matthew@metroleap.rotator.hadj7.adjuggler[3].txt
C:\Documents and Settings\Matthew.RYAN\Cookies\matthew@ad.yieldmanager[2].txt
C:\Documents and Settings\Matthew.RYAN\Cookies\matthew@realmedia[3].txt
C:\Documents and Settings\Matthew.RYAN\Cookies\matthew@ads.undertone[1].txt
C:\Documents and Settings\Matthew.RYAN\Cookies\matthew@serving-sys[2].txt
C:\Documents and Settings\Matthew.RYAN\Cookies\matthew@247realmedia[2].txt
C:\Documents and Settings\Matthew.RYAN\Cookies\matthew@specificmedia[8].txt
C:\Documents and Settings\Matthew.RYAN\Cookies\matthew@ad.yieldmanager[6].txt
C:\Documents and Settings\Matthew.RYAN\Cookies\matthew@mediaplex[3].txt
C:\Documents and Settings\Matthew.RYAN\Cookies\matthew@fastclick[6].txt
C:\Documents and Settings\Matthew.RYAN\Cookies\matthew@zedo[3].txt
C:\Documents and Settings\Matthew.RYAN\Cookies\matthew@forum.pcstats[1].txt
C:\Documents and Settings\Matthew.RYAN\Cookies\matthew@oasn04.247realmedia[2].txt
C:\Documents and Settings\Matthew.RYAN\Cookies\matthew@a1.interclick[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@server.cpmstar[2].txt

Trojan.Agent/Gen-Nullo[Short]
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP40\A0013423.EXE


I feel like these cookies are a result of the redirections? I will make sure I do not click any more Google links, unless you need me to test if I am still being redirected.

Anyways, this file in System Volume Information just seems to keep coming back with a new name.

Finally I ran TDSSKiller again and it is still finding atapi.sys to be infected with a rootkit.


As a side note: I've noticed that pretty much every uninstall.exe on my system is named "unins000.exe". Is this normal and I am just not very observant? Or is this some problem?

EDIT:
As of this time, MSE is again popping up with numerous detections of Win32/Alueron.H . Infected files are again in Windows/System32/DRIVERS; most are variants of the name "OLD121.tmp", though as an exception, I did see a few " i804tprt.sys". When I actually explore Windows/System32/DRIVERS, there are now 2700+ TMP files such as "OLDF98.tmp" and "OLDFBF.tmp848D858B". This is insane!

Edited by RandomStudent, 19 April 2010 - 02:06 AM.


#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,573 posts
  • Gender:Male
  • Location:NJ USA

Posted 19 April 2010 - 12:52 PM

We need a deeper look. Please go here.... and some other tools.
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.

Let me know if that went well.

#7 RandomStudent

RandomStudent
  • Topic Starter

  • Members
  • 13 posts

Posted 19 April 2010 - 11:52 PM

Posting, from a different computer, to report that the GMER scan is taking an absurd amount of time. Was scanning very quickly at first but has gotten progressively slower (one file a second). First two runs resulted in a BSOD a few minutes in. I feel like this is more related to the pathetic-ness of this system's hardware rather than this malware. I'm worried it will crash when I try to save. We'll see.

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,573 posts
  • Gender:Male
  • Location:NJ USA

Posted 20 April 2010 - 09:55 AM

Hello, then skip the GMER and post only the DDS log.



