I have the Trojan:DOS\Alureon.e virus


  • This topic is locked
4 replies to this topic

#1 Nickod

  • Members
  • 4 posts
  • OFFLINE
  • Local time:07:49 AM

Posted 28 November 2011 - 09:55 PM

I have a Windows 7 Home Premium laptop, 64-bit.
I had this virus earlier, but did not experience any major symptoms, except that after about 2 days of having it my system wouldn't start up past the main startup screen after a reset.

I had this virus a few days ago and thought I had gotten rid of it by doing a full system reinstall. Windows somehow backed up a lot of my old files. After I started my Windows again and copied over my backups, I saw this virus pop up. I tried stuff from this website where I originally asked my question:

Microsoft

I also got free expert assistance from people (Microsoft people) who claim to have been in the antivirus and malware services for 5+ years. The person tried Rkill, TDSSKiller and MBAM, MSE (which two I already had), Windows Defender, AVG, and SUPERAntiSpyware. He tried renaming the TDSSKiller program but was unable to remove the Rootkit.boot.SST.B that came along with the virus DOS\Alureon.e.
My GMER log might be a little weird; I could only have my services, files, and registry checked since I recently reinstalled and just copied my backups over.

DDS Log

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385
Run by Michael Nicodemus at 19:10:01 on 2011-11-29
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3935.2023 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\sppsvc.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wuauclt.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\system32\DllHost.exe
C:\Users\Michael Nicodemus\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Michael Nicodemus\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Michael Nicodemus\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Michael Nicodemus\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Michael Nicodemus\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Michael Nicodemus\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Michael Nicodemus\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Users\Michael Nicodemus\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Michael Nicodemus\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Michael Nicodemus\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Michael Nicodemus\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Michael Nicodemus\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Michael Nicodemus\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit=userinit.exe
uRun: [Google Update] "C:\Users\Michael Nicodemus\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRunOnce: [Microsoft Security Client] C:\Program Files\Microsoft Security Client\msseces.exe /UpdateAndQuickScan /OpenWebPageOnClose
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
TCP: DhcpNameServer = 10.0.0.1
TCP: Interfaces\{2772379B-B59C-4E2D-BB9B-04F36375DF30} : DhcpNameServer = 10.0.0.1
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
R3 SFEP;Sony Firmware Extension Parser;C:\Windows\system32\DRIVERS\SFEP.sys --> C:\Windows\system32\DRIVERS\SFEP.sys [?]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
.
=============== Created Last 30 ================
.
2011-11-29 23:55:49 -------- d-----w- C:\Users\Michael Nicodemus\AppData\Local\Google
2011-11-29 23:43:29 917840 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{F86A6041-2307-46D8-8FA5-3264266D9E1E}\gapaengine.dll
2011-11-29 23:43:25 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{EC2642EB-8CC1-496D-8773-2F8CE6EA4FAD}\offreg.dll
2011-11-29 23:43:22 8570192 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{EC2642EB-8CC1-496D-8773-2F8CE6EA4FAD}\mpengine.dll
2011-11-29 23:38:10 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2011-11-29 23:38:02 -------- d-sh--w- C:\Windows\Installer
2011-11-29 23:38:02 -------- d-----w- C:\Program Files\Microsoft Security Client
2011-11-29 23:32:47 8570192 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{5C0F75A5-A03D-495A-B396-A46C2D0246AB}\mpengine.dll
2011-11-29 23:32:47 270720 ------w- C:\Windows\System32\MpSigStub.exe
2011-11-29 23:20:40 139264 ----a-w- C:\Windows\System32\cabview.dll
2011-11-29 23:20:40 132608 ----a-w- C:\Windows\SysWow64\cabview.dll
2011-11-29 15:14:27 -------- d-----w- C:\Windows\Panther
2011-11-29 14:53:40 -------- d-----w- C:\Windows.old.000
2011-11-27 23:59:52 -------- d-sh--w- C:\found.003
2011-11-27 23:27:00 -------- d-sh--w- C:\Boot
2011-11-27 23:15:11 -------- d-----w- C:\Windows.old
2011-11-27 21:42:24 -------- d-sh--w- C:\Recovery
2011-11-27 01:18:37 -------- d-----w- C:\Old
2011-11-25 19:12:18 -------- d-----w- C:\sh4ldr
.
==================== Find3M ====================
.
.
============= FINISH: 19:10:28.19 ===============

Edited by Nickod, 29 November 2011 - 07:14 PM.
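A small triage helper for DDS logs like the one above, added here as an example and not part of the original post or of the DDS tool: it parses the "Created Last 30" section (timestamp, size or dashes for a directory, attribute letters, path) so entries can be filtered by attribute or by location. The sample lines are constructed in that layout, and the attribute-letter meanings (d=directory, s=system, h=hidden) are an assumption.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, List, Optional
# Constructed sample in the layout of the DDS "Created Last 30" section:
# timestamp, size ("--------" for a directory), attribute string, path.
SAMPLE_LOG = """\
=============== Created Last 30 ================
.
2011-11-29 23:43:29 917840 ----a-w- C:\\ProgramData\\Microsoft\\Microsoft Antimalware\\gapaengine.dll
2011-11-29 23:38:02 -------- d-sh--w- C:\\Windows\\Installer
2011-11-27 23:59:52 -------- d-sh--w- C:\\found.003
2011-11-25 19:12:18 -------- d-----w- C:\\sh4ldr
==================== Find3M ====================
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+|-{8})\s+(\S{8})\s+(.+?)\s*$")

@dataclass(frozen=True)
class Entry:
    created: datetime
    size: Optional[int]      # None for directories
    attrs: FrozenSet[str]    # attribute letters present, e.g. {'d', 's', 'h', 'w'}
    path: str

def parse_created_last_30(text: str) -> List[Entry]:
    """Collect the entries between the 'Created Last 30' header and the next '====' header."""
    entries, in_section = [], False
    for line in text.splitlines():
        if line.startswith("=") and "Created Last 30" in line:
            in_section = True
            continue
        if in_section and line.startswith("="):
            break                        # next DDS section reached
        m = LINE_RE.match(line) if in_section else None
        if not m:
            continue                     # '.' spacer lines and anything unparsable
        ts, size, attrs, path = m.groups()
        entries.append(Entry(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                             None if size.startswith("-") else int(size),
                             frozenset(c for c in attrs if c != "-"), path))
    return entries

def with_attrs(entries: List[Entry], *flags: str) -> List[Entry]:
    """Entries carrying every given attribute letter; assumed d=directory, s=system, h=hidden."""
    return [e for e in entries if set(flags) <= e.attrs]

def at_drive_root(entries: List[Entry]) -> List[Entry]:
    """Entries created directly under a drive root (C:\\name), usually few and quick to review."""
    return [e for e in entries if re.fullmatch(r"[A-Za-z]:\\[^\\]+", e.path)]
```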


#2 Nickod

  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:07:49 AM

Posted 29 November 2011 - 12:18 AM

GMER says it has not found any system modification after I did the scan.

#3 Nickod

  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:07:49 AM

Posted 29 November 2011 - 07:09 PM

I just pissed myself off. I thought a full reinstall would fix it, but no, it's still there. I'm gonna probably update my DDS log since nothing is there now except for installed files.

#4 Nickod

  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:07:49 AM

Posted 01 December 2011 - 10:43 PM

Forget it, I replaced the hard drive, all is good now.

#5 m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:49 PM

Posted 03 December 2011 - 06:17 PM

Thanks for letting me know :thumbup2:

-----------------------------------------------

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE
