
Infected with KWRD.DLL/80000032.@/80000032.@


17 replies to this topic

#1 Jim21
  • Members
  • 8 posts
  • Local time:02:55 PM

Posted 24 December 2011 - 03:27 PM

I've had this problem for a while now... I've had all these files in C:\windows\assembly\temp\U and I've quarantined them with Malwarebytes, but it keeps returning and it's become annoying. It started 3 days ago or so, and it hasn't stopped. And the GMER problem: all of the checkboxes are grayed out except the last 3, Services/Registry/Files and C:\ and Q:\, therefore GMER couldn't find anything. If there is anything else I can add or that will help out, feel free to tell me what to do.
Attached File: Attach.txt (12.63KB)

Edited by Jim21, 25 December 2011 - 11:38 AM.


#2 Blind Faith
  • Malware Response Team
  • 4,101 posts
  • Gender:Female
  • Local time:10:55 PM

Posted 30 December 2011 - 01:25 PM

Hello and welcome to BleepingComputer! :)



I am Blind Faith and I will be helping you out with your problem. Firstly, you should know that we are working with specific tools which are designed to identify the possible threats present on your system, so I will analyze the results they produce.


As a start we need to have some more up-to-date logs than the ones you have already provided. The current state of the files on your system might have changed, so we need to get a clear look at that step. DO NOT make any changes to the system except the ones I tell you to, as that may do more damage than help us.

If you will encounter a delay of over 2 days from me, please don't hesitate and private message me.
Do not forget to check your topic periodically and subscribe to the topic so that you can receive notifications regarding my replies.



Please generate another DDS log (download it from here if you haven't already) and post it in your next reply along with other changes that may have occurred since you last posted.


Thank you very much for your patience.




Regards,

Elle
Can you hear it? It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.




#3 Jim21
  • Topic Starter
  • Members
  • 8 posts
  • Local time:02:55 PM

Posted 31 December 2011 - 05:15 AM

Here's the new DDS log you requested. And the 80000032.@ file has brought Trojan.Alureon.AC onto my system now, tho its effects have been repeatedly blocked by my F-Secure protection.

Attached File: Attach.txt (12.36KB)

Attached File: DDS.txt (33.13KB)

#4 Blind Faith
  • Malware Response Team
  • 4,101 posts
  • Gender:Female
  • Local time:10:55 PM

Posted 01 January 2012 - 05:24 PM

Hi there,


If I happen not to answer before the estimated 48 hours since your last reply tomorrow, I most likely did not reach the computer in time. However, I will try my best to fit into the given time interval.


Thank you for understanding,


Elle

#5 Blind Faith
  • Malware Response Team
  • 4,101 posts
  • Gender:Female
  • Local time:10:55 PM

Posted 02 January 2012 - 05:41 AM

Hi there,


Firstly I need to tell you about the risks your computer is exposed to.
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

=========================================================================================


If you decide to continue please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.



Elle

#6 Jim21
  • Topic Starter
  • Members
  • 8 posts
  • Local time:02:55 PM

Posted 03 January 2012 - 12:07 PM

I ran ComboFix as you suggested, and will consider a reformat and reinstall as a last resort if it comes to that. After running ComboFix, my start-up menu's other options have shown up again. I had gotten the 2012 fake antivirus rogue program a while ago, and after removing it with Malwarebytes it took out all the options on the start-up menu, but ComboFix brought all those options back just now. Here's the log you asked for:

Attached File: ComboFix.txt (26.23KB)

Edited by Jim21, 03 January 2012 - 12:08 PM.


#7 Blind Faith
  • Malware Response Team
  • 4,101 posts
  • Gender:Female
  • Local time:10:55 PM

Posted 04 January 2012 - 01:47 PM

Hi there,


Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 7 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select your OS and Platform (32-bit or 64-bit).
  • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs (or Programs and Features in Vista/Windows 7) and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7-windows-i586.exe to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.
Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.


=================================================================================

Please open Malwarebytes' Anti-Malware and update it from the Update tab.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.




Elle
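Before working through the Add/Remove Programs steps above, it helps to know exactly which Java runtimes the machine has registered, including 32-bit entries on a 64-bit OS. The following PowerShell inventory is an added example, not from the thread or from Oracle's installer; it only reads the registry and queries java.exe, and the `$requiredMajor` value is an assumption taken from the JRE 7 the post asks for.

```powershell
# Added example (not part of the thread): list every Java runtime registered in
# Add/Remove Programs, flag those older than the version the post asks for, and show
# which java.exe the PATH resolves to. Read-only; it uninstalls nothing.
$hives = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Entries look like "Java(TM) 6 Update 31", "Java 7 Update 2", "J2SE Runtime Environment 5.0".
$javaEntries = Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match '^(Java|J2SE)' -and $_.DisplayName -notmatch 'Auto Updater' }

$requiredMajor = 7   # assumption: the JRE 7 the post tells the user to install

$report = foreach ($entry in $javaEntries) {
    # DisplayVersion is "6.0.310", "7.0.20", ...; the first field is the major version
    $major = 0
    if ($entry.DisplayVersion -match '^(\d+)\.') { $major = [int]$Matches[1] }
    $hive = 'native'
    if ($entry.PSPath -match 'WOW6432Node') { $hive = '32-bit on 64-bit OS' }
    [pscustomobject]@{
        Name         = $entry.DisplayName
        Version      = $entry.DisplayVersion
        Outdated     = ($major -lt $requiredMajor)
        Hive         = $hive
        UninstallCmd = $entry.UninstallString   # what Add/Remove Programs runs for this entry
    }
}

if ($report) {
    $report | Sort-Object Version | Format-Table -AutoSize
} else {
    Write-Host 'No Java runtime registered in Add/Remove Programs'
}

# An old java.exe that sits first on PATH keeps being used even after a newer JRE is installed.
$java = Get-Command java.exe -ErrorAction SilentlyContinue
if ($java) {
    Write-Host "java.exe on PATH: $($java.Path)"
    & $java.Path -version 2>&1 | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host 'No java.exe on PATH'
}
```

Run it once before the uninstalls and once after the reboot; the second run should show no rows with Outdated set to True.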

#8 Jim21
  • Topic Starter
  • Members
  • 8 posts
  • Local time:02:55 PM

Posted 04 January 2012 - 04:57 PM

Did as you said and all seemed good for a while...until it returned again.

#9 Blind Faith
  • Malware Response Team
  • 4,101 posts
  • Gender:Female
  • Local time:10:55 PM

Posted 04 January 2012 - 05:00 PM

What do you mean? Please give a more detailed explanation. :)



Elle

#10 Jim21
  • Topic Starter
  • Members
  • 8 posts
  • Local time:02:55 PM

Posted 04 January 2012 - 08:48 PM

Well I did as you said and it all seemed fine; Malwarebytes brought nothing up anymore. Then my F-Secure blocked and alerted me of a program "Application.BitCoinMiner.I" trying to start up or do some action, and I told it to block it completely; it could not remove it, but it said it made it harmless to my computer. Then F-Secure came up with "80000032.@/TrojanAlureon.AC" trying to go at my laptop again. As before, it could not remove it but blocked it. Since my F-Secure blocked them, they have not acted up anymore and have not made F-Secure go crazy. I'll let you know if it starts acting up again.

Edit: Also, F-Secure was able to remove 1 thing when that happened; I went back and checked the F-Secure log and it removed "Backdoor.Generic.710662".

Here's a screenshot of the recent F-Secure blocks/removals it's done:

Attached File: HistoryViruses.jpg (346.36KB)

Edited by Jim21, 04 January 2012 - 09:29 PM.


#11 Blind Faith
  • Malware Response Team
  • 4,101 posts
  • Gender:Female
  • Local time:10:55 PM

Posted 05 January 2012 - 02:31 PM

Please run Malwarebytes' Anti-Malware as instructed and post the log. The detections may just be the quarantined files from ComboFix.



Elle

#12 Jim21
  • Topic Starter
  • Members
  • 8 posts
  • Local time:02:55 PM

Posted 05 January 2012 - 10:37 PM

Here's the Malwarebytes log; it brought up nothing, but my F-Secure is blocking "Backdoor.Trojan.(Random Number)" and "Trojan.Generic.(Random Number)" now. And "Trojan.Alureon.AC" is still at it.

Attached File: LogMlawareBytes.txt (1.81KB)

Edited by Jim21, 05 January 2012 - 11:02 PM.


#13 Blind Faith
  • Malware Response Team
  • 4,101 posts
  • Gender:Female
  • Local time:10:55 PM

Posted 06 January 2012 - 12:52 PM

Hi there,


Please give some feedback on the state of your system. How is it working now?



Also, can you remember the filepath of the detections found by F-Secure? (the files that are detected as being infected)




Elle

#14 Jim21
  • Topic Starter
  • Members
  • 8 posts
  • Local time:02:55 PM

Posted 06 January 2012 - 02:16 PM

The source was C:/Windows/Assembly/temp, where this was coming from, and due to my F-Secure blocking all of the attacks, my system has not had any effect from the viruses/trojans, but they do still seem to exist there regardless, making repeated attacks. Whatever the "temp" folder or file is in there, I can't access it.

Re-Edit: 10 hours and no signs of any attacks so far. Tho I highly doubt this is over, it's been going all day without attacks, so that must say something for the 1st day without any attacks finally. Will keep you posted.

Edited by Jim21, 06 January 2012 - 10:02 PM.
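The folder named in the first post and again here is what the helper will want an inventory of, and "I can't access it" is usually a permissions or attributes question that can be answered without opening the files. The PowerShell triage below is an added example, not from the thread or from any of the removal tools used in it; it assumes an elevated prompt and takes the path straight from the posts.

```powershell
# Added example (not part of the thread): read-only triage of the folder the posts name.
# Lists every file, hidden/system ones included, with timestamps, attributes, owner and
# SHA-256 for reporting, and shows the folder's ACL when access is refused. Nothing is
# opened, executed or changed.
$target = 'C:\Windows\assembly\temp\U'    # path reported in the thread

if (-not (Test-Path -LiteralPath $target)) {
    Write-Host "Folder not present: $target"
    return
}

# Owner and access entries explain an "access denied" better than guessing.
$acl = Get-Acl -LiteralPath $target
Write-Host "Owner of ${target}: $($acl.Owner)"
$acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

$files = Get-ChildItem -LiteralPath $target -Force -Recurse -File -ErrorAction SilentlyContinue

$report = foreach ($f in $files) {
    try {
        $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
    } catch {
        $hash = 'ACCESS DENIED'          # locked or protected file: record it, do not force it
    }
    [pscustomobject]@{
        Name       = $f.Name
        Bytes      = $f.Length
        Attributes = $f.Attributes       # Hidden, System or ReparsePoint are worth noting
        Created    = $f.CreationTime
        Modified   = $f.LastWriteTime
        # the samples named in the thread (80000032.@) carry a bare ".@" extension
        DotAtExt   = ($f.Extension -eq '.@')
        SHA256     = $hash
    }
}

if ($report) {
    $report | Sort-Object Created | Format-Table -AutoSize
} else {
    Write-Host "No files listed under $target (empty, or the listing was denied)"
}
```

The Created column answers the "it keeps returning" question directly: a file that reappears after quarantine shows a fresh creation time, which points at a still-running component rather than a leftover.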


#15 Blind Faith
  • Malware Response Team
  • 4,101 posts
  • Gender:Female
  • Local time:10:55 PM

Posted 08 January 2012 - 09:10 AM

Hi there,


You are not infected anymore, regardless of the F-Secure detections, as it is detecting these files only because another scanner was accessing them.
Now, please run one more scan before we are ready to wrap this up. :)


I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.




Elle



