Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

One other system that might have DOS/Alureon/A on it - Computer 2


  • This topic is locked This topic is locked
13 replies to this topic

#1 Steevow

Steevow

  • Members
  • 113 posts
  • OFFLINE
  •  
  • Local time:01:38 PM

Posted 09 August 2011 - 05:17 PM

This is a different system that I also use, it seems to have the same malware on it.
Maybe had. Maybe still, which is what I am trying to get some advice on.
This system is acting sluggish.

MS Security essentials said it had removed DOS/Alueron.A from this one as well but it seemed to still be there on reboot.

I ran the alwil rootkit remover and that seemed to say it worked.
I then ran combofix on it.

Attached is the DDS log and combofix log.

So am I still in trouble? The issues with this one seem to parallel the other one I posted logs on earlier. The only thing they have in common is me. Heh. At least I guess I am consistent.

Attached Files



BC AdBot (Login to Remove)

 


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,630 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:10:38 PM

Posted 15 August 2011 - 12:38 PM

Hello ,
And :welcome: to the Bleeping Computer Malware Removal Forum
. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

-------------------------------------------------------------
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft

 

animinionsmalltext.gif


#3 Steevow

Steevow
  • Topic Starter

  • Members
  • 113 posts
  • OFFLINE
  •  
  • Local time:01:38 PM

Posted 16 August 2011 - 12:37 PM

Here is the requested log.
This system was apparently cleaned out but the problem has reoccurred.

It became obvious that java was a problem so I cleaned out the java cache and programs and updated that and flash.

It's quiet now, but I doubt this is actually fixed. More like I slammed it down hard.

One thing, as I left last night I left ms security essentials doing a full scan.

At 5:24 PM last night it found this.

Category: Trojan Downloader
win32.Karagani.A

Description: This program is dangerous and downloads other programs.

Recommended action: Remove this software immediately.

Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the Allow action and click Apply actions. If this option is not available, log on as administrator or ask the security administrator for help.

Items:
file:C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\2\6f1277c2-2c1802c8


and this

Category: Backdoor
win32.kelihos.B
Description: This program provides remote access to the computer it is installed on.

Recommended action: Remove this software immediately.

Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the Allow action and click Apply actions. If this option is not available, log on as administrator or ask the security administrator for help.

Items:
file:C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Adobe\plugs\mmc-2135084031.txt.vir


That last one might be in the combofix quarantine.

Attached Files


Edited by Steevow, 16 August 2011 - 01:12 PM.


#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,630 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:10:38 PM

Posted 16 August 2011 - 01:43 PM

Hi, that warning does not represent any danger, as the main components is already in combofix quarantine.

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
Rootkit::
c:\windows\TEMP\TMP000000512FC5B59F1E2A4734
Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft

 

animinionsmalltext.gif


#5 Steevow

Steevow
  • Topic Starter

  • Members
  • 113 posts
  • OFFLINE
  •  
  • Local time:01:38 PM

Posted 16 August 2011 - 02:21 PM

Here is the latest combofix log with that script.

Attached Files



#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,630 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:10:38 PM

Posted 16 August 2011 - 02:29 PM

Hi again,

P2P WARNING
-------------------
Going over your logs I noticed that you have uTorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall uTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.


Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Adobe components and update:
  • Download the latest version of Adobe Reader Version X. and save it to your desktop.
  • Uncheck the "Free McAfee Security plan Plus" option or any other Toolbar you are offered
  • Click the download button at the bottom.
  • If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the click here to download link on the next page.
  • Remove all older version of Adobe Reader: Go to Add/remove and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
    If you are unsure of how to use Add or Remove Programs, the please see this tutorial:How To Remove An Installed Program From Your Computer
  • Then from your desktop double-click on Adobe Reader to install the newest version.
    If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the "Adobe Setup - Welcome" window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
Your Adobe Reader is now up to date!


Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
  • Download the latest version of Java Runtime Environment (JRE) Version 7.
  • Look for "JDK 7 (JDK or JRE).
  • Click the "Download JRE" button at the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Select "Windows x86 Offline" and click on jre-7-windows-i586.exe
  • Save it to your desktop
  • Close any programs you may have running - especially your web browser.
  • Uninstall all older versions of Java (any item with Java Runtime Environment, JRE or J2SE in the name).
  • Reboot your computer once all Java components are removed.
  • Install the newest version by double clicking (run as Administrator for Windows Vista/Seven) the downloaded file.


Please launch Malwarebytes Antimalware, update it and run a full scan. Post me the resulting log, together with a description of any remaining problem.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft

 

animinionsmalltext.gif


#7 Steevow

Steevow
  • Topic Starter

  • Members
  • 113 posts
  • OFFLINE
  •  
  • Local time:01:38 PM

Posted 16 August 2011 - 02:57 PM

Utorrent hadn't been used since 2008. Before my time.

The java cp says it is the latest version. However I did download jre7 and am installing it.
I just updated the adobe reader.

One thing that I just noticed.
I had ms security essentials realtime disabled during the combofix scan, but it found another trojan. Even though it was disabled. Odd.
I told it to remove it.

It says
Rogue:win32.FakeRean
Category: Trojan

Description: This program is dangerous and executes commands from an attacker.

Recommended action: Remove this software immediately.

Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the Allow action and click Apply actions. If this option is not available, log on as administrator or ask the security administrator for help.

Items:
file:C:\System Volume Information\_restore{1DA78845-2776-4AAF-996F-9B6F10DD41D6}\RP1647\A0059727.exe
regkey:HKCU@S-1-5-21-484763869-2025429265-682003330-1003\software\classes\.exe

That is a new one, hard to say if it just arrived somehow or if it was there all along.

MBAM is running and the log will follow.

Edited by Steevow, 16 August 2011 - 03:02 PM.


#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,630 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:10:38 PM

Posted 16 August 2011 - 03:35 PM

That detection was in system restore. I'm not surprised it detected it although it was presumably disabled. It is very difficult to completely disable real time scanning (this is so malware cannot easily turn of an AV to go by undetected).

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft

 

animinionsmalltext.gif


#9 Steevow

Steevow
  • Topic Starter

  • Members
  • 113 posts
  • OFFLINE
  •  
  • Local time:01:38 PM

Posted 16 August 2011 - 06:13 PM

Here is the MBAM log.

Attached Files



#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,630 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:10:38 PM

Posted 17 August 2011 - 03:45 AM

Do you have any problem left?

ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image
      icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft

 

animinionsmalltext.gif


#11 Steevow

Steevow
  • Topic Starter

  • Members
  • 113 posts
  • OFFLINE
  •  
  • Local time:01:38 PM

Posted 17 August 2011 - 11:31 AM

The only thing I have left is this.

MS Security Essentials found and removed the following yesterday while MBAM was running, I think.

It says

8/16/2011 12:47 PM
Rogue:win32.FakeRean
Category: Trojan

Description: This program is dangerous and executes commands from an attacker.

Recommended action: Remove this software immediately.

Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the Allow action and click Apply actions. If this option is not available, log on as administrator or ask the security administrator for help.

Items:
file:C:\System Volume Information\_restore{1DA78845-2776-4AAF-996F-9B6F10DD41D6}\RP1647\A0059727.exe
regkey:HKCU@S-1-5-21-484763869-2025429265-682003330-1003\software\classes\.exe


And this

8/16/2011 1:35 PM
Rogue:win32.FakeRean
Category: Trojan

Description: This program is dangerous and executes commands from an attacker.

Recommended action: Remove this software immediately.

Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the Allow action and click Apply actions. If this option is not available, log on as administrator or ask the security administrator for help.

Items:
file:C:\System Volume Information\_restore{1DA78845-2776-4AAF-996F-9B6F10DD41D6}\RP1647\A0059729.exe


Now they are maybe no problem being in system restore. But shouldn't one of the other scanners we ran have found these, that is unless they are new and just planted. Which is possible.

I just started the eset smart scanner.

Edited by Steevow, 17 August 2011 - 11:32 AM.


#12 Steevow

Steevow
  • Topic Starter

  • Members
  • 113 posts
  • OFFLINE
  •  
  • Local time:01:38 PM

Posted 17 August 2011 - 02:07 PM

Here is the eset scan.
That thing is dumb.
It deleted some tools I put there.
Goofy.

It seems quiet.

Attached Files



#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,630 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:10:38 PM

Posted 17 August 2011 - 03:24 PM

MS Security essentials detected that because MBAM was scanning (and thus accessing) these files. The files are in System Restore, which will be rest anyway after the following steps. :)

ALL CLEAN
--------------
Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Please do the following to remove the remaining programs from your PC:
  • Delete the tools used during the disinfection:
  • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.
Please read these advices, in order to prevent reinfecting your PC:
  • Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on regular basis.If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on yourmachine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.
Some more links you might find of interest:
Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft

 

animinionsmalltext.gif


#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,630 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:10:38 PM

Posted 28 August 2011 - 04:25 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft

 

animinionsmalltext.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users