The Alureon.tk/sirefef.j virus (google/bing redirect)



#1 Turdston

Turdston

  • Members
  • 6 posts

Posted 30 December 2011 - 05:21 PM

Hello,

This thread was originally posted here

http://www.bleepingcomputer.com/forums/topic435405.html/page__gopid__2530602#entry2530602

In that thread, I posted minitoolbox and HijackThis log files. In subsequent posts, I will post the files asked for here.

In short: I am running Windows 7 64 bit. According to Microsoft Security Essentials, I have the Win32/Alureon.tk and Win64/sirefef.j Virus that redirects one's searches. When found and quarantined or removed, MSE tells me to reboot. Once I reboot, the system will not boot, a quick BSOD flashes and it goes into a system restore mode. I have tried rebooting a few times to see if any removal attempts worked, but to no avail. The system seems ok while they are suspended by MSE, but obviously I need this garbage off my machine ASAP, as it is still a threat. I disabled my CD Emulation software.

I've read others who have this problem, but the "reboot and have to restore the system" problem seems new. Hence, looking for help from those more experienced than I with this new Trojan.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_26
Run by Tuff at 17:09:22 on 2011-12-30
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4095.2347 [GMT -5:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\FBAgent.exe
C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe
C:\Program Files\ATKGFNEX\GFNEXSrv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\ASUS\Splendid\ACMON.exe
C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe
C:\Program Files (x86)\ASUS\ControlDeck\ControlDeckStartUp.exe
C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe
C:\Program Files\P4G\BatteryLife.exe
C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe
C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe
C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe
C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe
C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe
C:\Program Files (x86)\Creative\SB Audigy\Volume Panel\VolPanlu.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\SysWOW64\ACEngSvr.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files (x86)\Common Files\Steam\SteamService.exe
C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe
C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe
C:\Windows\AsScrPro.exe
C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Users\Tuff\Desktop\HijackThis.exe
C:\Windows\SysWOW64\ping.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Page_URL = hxxp://asus.msn.com
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [Google Update] "C:\Users\Tuff\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [UpdateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
mRun: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
mRun: [HControlUser] C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe
mRun: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe
mRun: [ATKOSD2] C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe
mRun: [VolPanel] "C:\Program Files (x86)\Creative\SB Audigy\Volume Panel\VolPanlu.exe" /r
mRun: [UpdReg] C:\Windows\UpdReg.EXE
mRun: [Setwallpaper] c:\programdata\SetWallpaper.cmd
mRun: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - res://C:\Program Files (x86)\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: cinemanow.com
Trusted Zone: intuit.com\ttlc
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1 216.165.129.158
TCP: Interfaces\{1FB5F101-70DC-4CF0-A2DF-DB17D3CA5140}\1445C4D275946494 : DhcpNameServer = 172.16.32.1 205.152.37.23 205.152.144.23 205.152.132.23
TCP: Interfaces\{1FB5F101-70DC-4CF0-A2DF-DB17D3CA5140}\3507565646C496E6B6373353 : DhcpNameServer = 8.8.8.8 71.242.0.12 71.252.0.12
TCP: Interfaces\{1FB5F101-70DC-4CF0-A2DF-DB17D3CA5140}\3616374727F637 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{1FB5F101-70DC-4CF0-A2DF-DB17D3CA5140}\76F676F696E666C696768647 : DhcpNameServer = 172.19.134.2
TCP: Interfaces\{8AFBCA3F-1141-4DC8-A778-FB98967C5DD0} : DhcpNameServer = 192.168.0.1 216.165.129.158
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
mRun-x64: [UpdateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
mRun-x64: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
mRun-x64: [HControlUser] C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe
mRun-x64: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe
mRun-x64: [ATKOSD2] C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe
mRun-x64: [VolPanel] "C:\Program Files (x86)\Creative\SB Audigy\Volume Panel\VolPanlu.exe" /r
mRun-x64: [UpdReg] C:\Windows\UpdReg.EXE
mRun-x64: [Setwallpaper] c:\programdata\SetWallpaper.cmd
mRun-x64: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
IE-X64: {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - res://C:\Program Files (x86)\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Tuff\AppData\Roaming\Mozilla\Firefox\Profiles\31ruf65e.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=VE3D01&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=VE3D01&q=
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnu.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: C:\Program Files (x86)\Veetle\Player\npvlc.dll
FF - plugin: C:\Program Files (x86)\Veetle\plugins\npVeetle.dll
FF - plugin: C:\Program Files (x86)\Veetle\VLCBroadcast\npvbp.dll
FF - plugin: C:\Program Files (x86)\Virtual Earth 3D\npVE3D.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Tuff\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;C:\Windows\system32\DRIVERS\Lbd.sys --> C:\Windows\system32\DRIVERS\Lbd.sys [?]
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AFBAgent;AFBAgent;"C:\Windows\system32\FBAgent.exe" --> C:\Windows\system32\FBAgent.exe [?]
R2 ASMMAP64;ASMMAP64;C:\Program Files\ATKGFNEX\ASMMAP64.sys [2009-10-21 14904]
R2 CinemaNow Service;CinemaNow Service;C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe [2009-6-11 127352]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-25 366152]
R3 itecir;ITECIR Infrared Receiver;C:\Windows\system32\DRIVERS\itecir.sys --> C:\Windows\system32\DRIVERS\itecir.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\system32\DRIVERS\NETw5s64.sys --> C:\Windows\system32\DRIVERS\NETw5s64.sys [?]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S1 awrvtyny;awrvtyny;\??\C:\Windows\system32\drivers\awrvtyny.sys --> C:\Windows\system32\drivers\awrvtyny.sys [?]
S1 fqtstoaq;fqtstoaq;\??\C:\Windows\system32\drivers\fqtstoaq.sys --> C:\Windows\system32\drivers\fqtstoaq.sys [?]
S1 ghyexubn;ghyexubn;\??\C:\Windows\system32\drivers\ghyexubn.sys --> C:\Windows\system32\drivers\ghyexubn.sys [?]
S1 hlsltmpy;hlsltmpy;\??\C:\Windows\system32\drivers\hlsltmpy.sys --> C:\Windows\system32\drivers\hlsltmpy.sys [?]
S1 islwckfy;islwckfy;\??\C:\Windows\system32\drivers\islwckfy.sys --> C:\Windows\system32\drivers\islwckfy.sys [?]
S1 qkoakwst;qkoakwst;\??\C:\Windows\system32\drivers\qkoakwst.sys --> C:\Windows\system32\drivers\qkoakwst.sys [?]
S1 qqdbfoad;qqdbfoad;\??\C:\Windows\system32\drivers\qqdbfoad.sys --> C:\Windows\system32\drivers\qqdbfoad.sys [?]
S1 rxgooimt;rxgooimt;\??\C:\Windows\system32\drivers\rxgooimt.sys --> C:\Windows\system32\drivers\rxgooimt.sys [?]
S1 sbmgfmao;sbmgfmao;\??\C:\Windows\system32\drivers\sbmgfmao.sys --> C:\Windows\system32\drivers\sbmgfmao.sys [?]
S1 ucdmbltt;ucdmbltt;\??\C:\Windows\system32\drivers\ucdmbltt.sys --> C:\Windows\system32\drivers\ucdmbltt.sys [?]
S1 upibaabf;upibaabf;\??\C:\Windows\system32\drivers\upibaabf.sys --> C:\Windows\system32\drivers\upibaabf.sys [?]
S1 vfhnulwr;vfhnulwr;\??\C:\Windows\system32\drivers\vfhnulwr.sys --> C:\Windows\system32\drivers\vfhnulwr.sys [?]
S1 yhtkavxd;yhtkavxd;\??\C:\Windows\system32\drivers\yhtkavxd.sys --> C:\Windows\system32\drivers\yhtkavxd.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2011-11-3 2152152]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2009-10-21 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2009-10-21 79360]
S3 fssfltr;fssfltr;C:\Windows\system32\DRIVERS\fssfltr.sys --> C:\Windows\system32\DRIVERS\fssfltr.sys [?]
S3 fsssvc;Windows Live Family Safety;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2008-12-8 533344]
S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\netw5v64.sys --> C:\Windows\system32\DRIVERS\netw5v64.sys [?]
S3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;C:\Windows\system32\DRIVERS\SiSG664.sys --> C:\Windows\system32\DRIVERS\SiSG664.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
SUnknown cacqsxgj;cacqsxgj; [x]
SUnknown ftldxfzg;ftldxfzg; [x]
SUnknown gzxuchzd;gzxuchzd; [x]
SUnknown hdhdfcug;hdhdfcug; [x]
SUnknown jiulbdfa;jiulbdfa; [x]
SUnknown jxyijfhs;jxyijfhs; [x]
SUnknown kicfuuxf;kicfuuxf; [x]
SUnknown muwczkfh;muwczkfh; [x]
SUnknown paodwwau;paodwwau; [x]
SUnknown rbentehy;rbentehy; [x]
SUnknown risfrwkn;risfrwkn; [x]
SUnknown sbnvnzng;sbnvnzng; [x]
SUnknown tvwkrure;tvwkrure; [x]
SUnknown uwtnwgjn;uwtnwgjn; [x]
SUnknown vlhlzwfh;vlhlzwfh; [x]
.
=============== Created Last 30 ================
.
2011-12-30 22:04:41 48464 ----a-w- C:\Windows\System32\drivers\islwckfy.sys
2011-12-30 21:59:32 48464 ----a-w- C:\Windows\System32\drivers\hlsltmpy.sys
2011-12-30 21:53:30 48464 ----a-w- C:\Windows\System32\drivers\qqdbfoad.sys
2011-12-30 21:27:39 48464 ----a-w- C:\Windows\System32\drivers\awrvtyny.sys
2011-12-30 21:22:14 48464 ----a-w- C:\Windows\System32\drivers\vfhnulwr.sys
2011-12-30 21:11:41 48464 ----a-w- C:\Windows\System32\drivers\upibaabf.sys
2011-12-30 21:03:30 48464 ----a-w- C:\Windows\System32\drivers\fqtstoaq.sys
2011-12-30 20:49:28 48464 ----a-w- C:\Windows\System32\drivers\sbmgfmao.sys
2011-12-30 20:23:50 48464 ----a-w- C:\Windows\System32\drivers\qkoakwst.sys
2011-12-30 20:17:28 48464 ----a-w- C:\Windows\System32\drivers\yhtkavxd.sys
2011-12-30 20:01:28 48464 ----a-w- C:\Windows\System32\drivers\rxgooimt.sys
2011-12-30 19:45:26 48464 ----a-w- C:\Windows\System32\drivers\ucdmbltt.sys
2011-12-30 19:31:35 48464 ----a-w- C:\Windows\System32\drivers\ghyexubn.sys
2011-12-30 19:19:53 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{E4AC62AD-8EA8-4446-A640-E4D935EA3116}\offreg.dll
2011-12-30 19:19:47 8822856 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{E4AC62AD-8EA8-4446-A640-E4D935EA3116}\mpengine.dll
2011-12-29 05:41:25 -------- d-----w- C:\HijackThis
2011-12-29 03:43:28 48464 ----a-w- C:\Windows\System32\drivers\gzxuchzd.sys
2011-12-29 03:27:32 48464 ----a-w- C:\Windows\System32\drivers\risfrwkn.sys
2011-12-29 03:11:25 48464 ----a-w- C:\Windows\System32\drivers\hdhdfcug.sys
2011-12-29 02:55:23 48464 ----a-w- C:\Windows\System32\drivers\paodwwau.sys
2011-12-29 02:39:22 48464 ----a-w- C:\Windows\System32\drivers\rbentehy.sys
2011-12-29 02:23:21 48464 ----a-w- C:\Windows\System32\drivers\jxyijfhs.sys
2011-12-29 02:07:26 48464 ----a-w- C:\Windows\System32\drivers\jiulbdfa.sys
2011-12-29 01:52:06 48464 ----a-w- C:\Windows\System32\drivers\tvwkrure.sys
2011-12-29 01:35:24 48464 ----a-w- C:\Windows\System32\drivers\kicfuuxf.sys
2011-12-29 01:19:19 48464 ----a-w- C:\Windows\System32\drivers\ftldxfzg.sys
2011-12-29 01:03:28 48464 ----a-w- C:\Windows\System32\drivers\sbnvnzng.sys
2011-12-29 00:47:27 48464 ----a-w- C:\Windows\System32\drivers\cacqsxgj.sys
2011-12-29 00:31:17 48464 ----a-w- C:\Windows\System32\drivers\vlhlzwfh.sys
2011-12-29 00:15:21 48464 ----a-w- C:\Windows\System32\drivers\uwtnwgjn.sys
2011-12-28 23:49:28 48464 ----a-w- C:\Windows\System32\drivers\muwczkfh.sys
2011-12-28 23:36:45 917840 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{C66135D5-DE83-4D04-A96E-F6C3D4A6DFEF}\gapaengine.dll
2011-12-28 23:36:37 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{D9DFC1E5-1F50-4930-A003-42F74DCED9D8}\offreg.dll
2011-12-28 23:36:33 8822856 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{D9DFC1E5-1F50-4930-A003-42F74DCED9D8}\mpengine.dll
2011-12-28 23:35:51 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2011-12-28 21:03:43 -------- d-----w- C:\Program Files\Microsoft Security Client
2011-12-28 20:45:57 -------- d-----w- C:\Users\Tuff\AppData\Local\Sunbelt Software
2011-12-27 17:56:00 -------- d-----w- C:\Users\Tuff\AppData\Roaming\AVG2012
2011-12-27 16:11:09 -------- d--h--w- C:\$AVG
2011-12-27 15:21:56 -------- d--h--w- C:\ProgramData\Common Files
2011-12-27 15:21:43 -------- d-----w- C:\Windows\SysWow64\drivers\AVG
2011-12-27 15:20:47 -------- d-----w- C:\Windows\System32\drivers\AVG
2011-12-27 15:20:47 -------- d-----w- C:\ProgramData\AVG2012
2011-12-27 15:18:39 -------- d-----w- C:\Program Files (x86)\AVG
2011-12-27 15:07:59 -------- d-----w- C:\ProgramData\MFAData
2011-12-26 23:46:10 -------- d-----w- C:\Program Files (x86)\Microsoft XNA
2011-12-26 01:43:50 -------- d-sh--w- C:\ProgramData\DSS
2011-12-26 01:27:41 16432 ----a-w- C:\Windows\System32\lsdelete.exe
2011-12-25 20:13:51 55384 ----a-w- C:\Windows\System32\drivers\SBREDrv.sys
2011-12-25 20:02:20 69376 ----a-w- C:\Windows\System32\drivers\Lbd.sys
2011-12-25 20:02:09 -------- d-----w- C:\Program Files (x86)\Lavasoft
2011-12-25 19:58:23 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-12-24 15:46:52 -------- d-----w- C:\Users\Tuff\AppData\Local\SWTOR
2011-12-24 04:39:17 121816 ----a-w- C:\Program Files (x86)\Mozilla Firefox\components\browsercomps.dll
2011-12-24 04:39:15 97240 ----a-w- C:\Program Files (x86)\Mozilla Firefox\libEGL.dll
2011-12-24 04:39:15 814040 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozsqlite3.dll
2011-12-24 04:39:15 626688 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcr80.dll
2011-12-24 04:39:15 548864 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcp80.dll
2011-12-24 04:39:15 486360 ----a-w- C:\Program Files (x86)\Mozilla Firefox\libGLESv2.dll
2011-12-24 04:39:15 479232 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcm80.dll
2011-12-24 04:39:15 43992 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozutils.dll
2011-12-24 04:39:15 2124760 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
2011-12-24 04:39:15 2106216 ----a-w- C:\Program Files (x86)\Mozilla Firefox\D3DCompiler_43.dll
2011-12-24 04:39:15 1998168 ----a-w- C:\Program Files (x86)\Mozilla Firefox\d3dx9_43.dll
2011-12-24 04:39:15 15832 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozalloc.dll
2011-12-23 22:34:04 -------- d-----w- C:\Program Files (x86)\Common Files\BioWare
2011-12-23 20:22:07 -------- d-----we C:\Windows\system64
2011-12-23 17:39:28 8822856 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{1F63F160-B611-46D7-BBE9-94DF2CF93A67}\mpengine.dll
2011-12-15 05:09:27 3145216 ----a-w- C:\Windows\System32\win32k.sys
2011-12-15 05:09:26 723456 ----a-w- C:\Windows\System32\EncDec.dll
2011-12-15 05:09:25 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll
2011-12-15 05:09:17 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2011-12-15 05:09:17 2048 ----a-w- C:\Windows\System32\tzres.dll
2011-12-11 16:19:23 -------- d-----w- C:\Windows\SysWow64\URTTEMP
2011-12-11 16:18:02 103736 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2011-12-11 16:18:00 669184 ----a-w- C:\Windows\SysWow64\pbsvc.exe
2011-12-11 16:18:00 66872 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
2011-12-11 01:05:53 -------- d-----w- C:\Users\Tuff\AppData\Local\My Games
.
==================== Find3M ====================
.
2011-12-26 01:30:17 45056 ----a-w- C:\Windows\System32\acovcnt.exe
2011-12-23 20:22:14 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-11-05 05:41:43 1188864 ----a-w- C:\Windows\System32\wininet.dll
2011-11-05 04:35:00 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-11-05 03:32:47 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-11-05 02:48:51 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-10-26 05:21:20 43520 ----a-w- C:\Windows\System32\csrsrv.dll
.
============= FINISH: 17:11:23.64 ===============

Edited by Turdston, 30 December 2011 - 05:21 PM.
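As an added example (not part of the original post, and not a DDS or BleepingComputer tool), the Python below reads lines in the format of the DDS log above and flags the pattern a responder would look for: eight-letter random driver names of identical size created minutes apart, and services whose display name merely repeats a random service name and whose image is a `\??\`-prefixed driver path or an `[x]` unknown entry. The sample lines are copied from the log in this post; the cluster threshold and the name heuristic are the example's own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a subset of lines copied from the DDS log in the post above.
SAMPLE_LOG = r"""
2011-12-30 22:04:41 48464 ----a-w- C:\Windows\System32\drivers\islwckfy.sys
2011-12-30 21:59:32 48464 ----a-w- C:\Windows\System32\drivers\hlsltmpy.sys
2011-12-30 21:53:30 48464 ----a-w- C:\Windows\System32\drivers\qqdbfoad.sys
2011-12-29 05:41:25 -------- d-----w- C:\HijackThis
2011-12-25 20:13:51 55384 ----a-w- C:\Windows\System32\drivers\SBREDrv.sys
2011-12-25 20:02:20 69376 ----a-w- C:\Windows\System32\drivers\Lbd.sys
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
S1 awrvtyny;awrvtyny;\??\C:\Windows\system32\drivers\awrvtyny.sys --> C:\Windows\system32\drivers\awrvtyny.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
SUnknown cacqsxgj;cacqsxgj; [x]
"""

# "Created Last 30" entries: timestamp, size (dashes for a directory), attributes, path.
CREATED_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\d+|-+) (\S+) (.+)$")
# Service/driver entries: state, service name, display name, remainder (image or [x]).
SERVICE_RE = re.compile(r"^(R\d|S\d|SUnknown) ([^;]+);([^;]*);(.*)$")
# Eight lowercase letters, the shape of the names in the log (an assumed heuristic).
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")
# Basename of a .sys file sitting directly under a drivers directory.
DRIVER_PATH_RE = re.compile(r"\\drivers\\([^\\]+)\.sys$", re.IGNORECASE)


def parse_dds(text):
    """Split DDS log text into created-file records and service records."""
    created, services = [], []
    for line in text.splitlines():
        m = CREATED_RE.match(line)
        if m:
            stamp = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            size = None if m.group(2).startswith("-") else int(m.group(2))
            created.append((stamp, size, m.group(4)))
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append((m.group(1), m.group(2), m.group(3), m.group(4)))
    return created, services


def find_driver_clusters(created, min_count=3):
    """Return {size: [(timestamp, path), ...]} for random-named drivers that
    share one file size at least min_count times. Legitimate drivers rarely
    arrive as a series of identically sized files under fresh random names."""
    by_size = defaultdict(list)
    for stamp, size, path in created:
        m = DRIVER_PATH_RE.search(path)
        if m and size is not None and RANDOM_NAME_RE.match(m.group(1)):
            by_size[size].append((stamp, path))
    return {size: sorted(items) for size, items in by_size.items()
            if len(items) >= min_count}


def find_suspicious_services(services):
    # Require all three signals together: a random-looking name, a display name
    # that is just the service name again, and an image that is either a
    # \??\-prefixed driver path or an [x] unknown entry. That keeps real drivers
    # such as vwififlt (descriptive display name) and MBAMProtector (\??\ path
    # but a readable name) out of the result.
    flagged = []
    for state, name, display, rest in services:
        odd_image = rest.startswith("\\??\\") or "[x]" in rest
        if RANDOM_NAME_RE.match(name) and name == display and odd_image:
            flagged.append((state, name))
    return flagged


def triage(text):
    created, services = parse_dds(text)
    return {"driver_clusters": find_driver_clusters(created),
            "suspicious_services": find_suspicious_services(services)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for size, items in result["driver_clusters"].items():
        first, last = items[0][0], items[-1][0]
        print(f"{len(items)} random-named drivers of {size} bytes created "
              f"between {first} and {last}:")
        for stamp, path in items:
            print(f"  {stamp}  {path}")
    for state, name in result["suspicious_services"]:
        print(f"suspicious service: {state} {name}")
```

Run against the full log in the post, the size cluster grows to every 48464-byte driver listed under "Created Last 30", while the R-state drivers with descriptive names stay unflagged.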



#2 Turdston

Turdston
  • Topic Starter

  • Members
  • 6 posts

Posted 30 December 2011 - 05:23 PM

This is the attachment asked for in this forum.

I suppose Microsoft does not have a more "solid" (ie - quick) fix for this trojan yet. The need for a system restore once MSE removes the threat puzzles me.




#3 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts

Posted 31 December 2011 - 01:04 AM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I've given you the "All clear." Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • If you have trouble, stop and post back. Do not try to repeatedly run ComboFix!
  • When finished, it will produce a report for you.
Please include the following in your next post:
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member




#4 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts

Posted 05 January 2012 - 09:13 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member

