Did I catch this badboy in time? Still infected?


5 replies to this topic

#1 Sways
  • Members
  • 3 posts

Posted 21 June 2011 - 10:56 AM

Yesterday morning (1:30AM) I was geekily reading manga when my computer, out of nowhere, wanted to run a strange setup[random numbers].exe. I said no. It popped up again. I said no. We wrestled with the "no" button for a minute, before I opened the Task Manager and killed a suspicious looking process. That stopped the battle. I ran a full scan with Microsoft Security Essentials and it found a few java exploits (which I fixed) and nothing else. I went to bed. I woke up later and ran Microsoft Security Essentials again and it found Trojan:Win32/Alureon.DX associated with ten mysterious .exe files in my temp folder. It removed those.

These are the files it removed:

file:C:\Users\Me\AppData\Local\Temp\setup1196467728.exe
file:C:\Users\Me\AppData\Local\Temp\setup1631141144.exe
file:C:\Users\Me\AppData\Local\Temp\setup3102433748.exe
file:C:\Users\Me\AppData\Local\Temp\setup3429734700.exe
file:C:\Users\Me\AppData\Local\Temp\setup3899138216.exe
file:C:\Users\Me\AppData\Local\Temp\setup3971916696.exe
file:C:\Users\Me\AppData\Local\Temp\setup547578820.exe
file:C:\Users\Me\AppData\Local\Temp\setup58485360.exe
file:C:\Users\Me\AppData\Local\Temp\setup695763644.exe
file:C:\Users\Me\AppData\Local\Temp\setup840042756.exe

I ran another full Microsoft Security Essentials scan (third time's a charm) and it found Trojan:Win32/Alureon.DX in file:C:\Users\Me\AppData\Local\Temp\774.tmp and it was removed.

By this time I had Googled this trojan and hit DEFCON 1 based on my findings. After stumbling onto your forums and doing a bit of research, I downloaded TDSSKiller, put it on my desktop and ran it as administrator (using Windows 7, but I'm the only designated user for this computer). TDSSKiller found no infection.

Next, I downloaded Sophos Anti-Rootkit Version 1.5.4 and it found a few temp files in IE. I don't use IE at all, so I nuked these. It found a handful of other items, but said "clean up not recommended for this file" for each one.

These are the items Sophos found:
C:\eSupport\UL_experience.exe
C:\Program Files (x86)\ASUS\FancyStart\FancyStart.exe
C:\Program Files (x86)\VideoLAN\VLC\uninstall.exe
C:\Program Files (x86)\CCP\EVE\bin\vivoxsdk.dll

I still wasn't satisfied, so I downloaded Malwarebytes' Anti-Malware Version 1.51.0.1200 (updated immediately). I ran both quick and full scans and it found nothing, no infection. I have since run a billion more scans of Microsoft Security Essentials and Malwarebytes (after restarts, updating databases as of this morning) and they find no infection.

I went to Windows Updates and patched anything it felt I should need. I removed all old instances of Java and installed the newest version. I removed Adobe Reader 9 and replaced it with 10. I am currently in the process of saying goodbye to Firefox and switching to Google Chrome. I have no problems going to sites that, supposedly, this Trojan likes to block. I am not being re-directed to any ad sites. I had zero issues downloading and running all the programs used above.

Am I still infected? Have I done all a girl can do? Any help will be vastly appreciated! Thank you!

-Sways

Note: I didn't post any actual logs, because I was asked not to do so. If you need them, I have them!


#2 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,399 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 22 June 2011 - 07:41 AM

Try doing an online scan to see if it finds anything else that the other scans may have missed.

Please perform a scan with Eset Online Anti-virus Scanner.
  • If using Mozilla Firefox, you will be prompted to download and use the ESET Smart Installer. Just double-click on esetsmartinstaller_enu.exe to install.
  • Vista/Windows 7 users need to run Internet Explorer/Firefox as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Click the green Posted Image button.
  • Read the End User License Agreement and check the box:
  • Check Posted Image.
  • Click the Posted Image button.
  • Accept any security warnings from your browser and allow the download/installation of any required files.
  • Under scan settings, check Posted Image and make sure that the option Remove found threats is NOT checked.
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click the Start button.
  • ESET will install itself, download virus signature database updates, and begin scanning your computer.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop as ESETScan.txt.
  • Push the Posted Image button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply. If no threats are found, there is no option to create a log.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Sways
  • Topic Starter
  • Members
  • 3 posts

Posted 22 June 2011 - 12:11 PM

Hello! Thank you for your reply!

I ran the scan and this is what it found:

C:\Users\Me\AppData\Local\Temp\plugtmp-8\plugin-gbckw-1.pdf PDF/Exploit.Pidief.PBK.Gen trojan cleaned by deleting - quarantined
C:\Users\Me\AppData\Local\Temp\plugtmp-8\plugin-gbckw.pdf PDF/Exploit.Pidief.PBK.Gen trojan cleaned by deleting - quarantined

I updated Adobe Acrobat and Reader yesterday, prior to this scan. They weren't too out-of-date to begin with, but it did need to be addressed.

I went even further since my original post (didn't want to reply before you, just in case) and downloaded/ran SUPERAntiSpyware and it found a bunch of "adware" cookies, which it deleted. I ran a subsequent scan after the initial and it found 0 threats/infection.

I've scanned with Sophos, TDSSKiller, ESET Online Scan, Malwarebytes' Anti-Malware, Microsoft Security Essentials, and SUPERAntiSpyware. Is it possible for these trojans to be so sneaky that it may still be on my computer? After all this scanning? I'm up for any additional scanning you think I may need. I really want to make sure I'm clear of this, because I read that Alureon, in all its variations, is really nasty unless caught early. I leave myself in your capable hands. Thank you, again, for your reply!

-Sways

#4 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,399 posts

Posted 22 June 2011 - 01:25 PM

There are no guarantees or shortcuts when it comes to malware removal. Infections and severity of damage will vary. The longer malware remains on your system, the more time it has to download additional malicious files. Depending on the infection, it may take several efforts with different, the same or more powerful tools to do the job. Even then, with some types of malware infections, the task can be arduous and security tools may not find all the remnants.

In any case, I can only go by what the scan logs show (what was detected/removed) and your description of whatever signs or symptoms of infection you are experiencing.

If you want a more detailed look at your system, then more advanced tools are needed to investigate. Before that can be done, you will need to follow the instructions in the Preparation Guide and post a DDS log for further investigation in the Virus, Trojan, Spyware, and Malware Removal Logs forum.

#5 Sways
  • Topic Starter
  • Members
  • 3 posts

Posted 22 June 2011 - 03:57 PM

Thank you, I will do that! In the meantime I will continue to treat this computer as if it is infected and refrain from any sensitive use.

-Sways

#6 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,399 posts

Posted 22 June 2011 - 05:57 PM

You're welcome.
