Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with "Trojan:DOS/Alureon.E"


  • Please log in to reply
16 replies to this topic

#1 REIDS

REIDS

  • Members
  • 102 posts
  • OFFLINE
  •  
  • Local time:09:52 AM

Posted 13 March 2012 - 09:31 PM

So, I just purchased a new computer because my previous computer's motherboard had some hardware issues. I am running Win 7 with a new hard drive. I have turned my previous hard disk into an external hard drive connected through USB (so that I can get all of my previous file info installed onto my new computer). When I connect my external drive, my "Microsoft Security Essentials" program finds the "Trojan:DOS/Alureon.E" virus on it. It continues to try and remove the virus, however, it requires an OS restart and everytime it restarts the same virus comes up. How do I search and destroy this virus off of my old hard drive?

I tried to allow all the GMER options, however, most of the options were "grayed out" and I could not select them to run a proper scan. I need help on how to select all the options.


.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by rstadel at 19:18:04 on 2012-03-13
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8099.6102 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\agent_x64.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Hewlett-Packard\HP Keyboard\ModLEDKey.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files (x86)\PDF Complete\pdfsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe
C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Hewlett-Packard\HP Keyboard\CNYHKEY.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\HPTouchSmartSyncCalReminderApp.exe
C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil11c_ActiveX.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\msiexec.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mWinlogon: Userinit=userinit.exe
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MIF5BA~1\Office12\GR469A~1.DLL
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
mRun: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [BATINDICATOR] C:\Program Files (x86)\Hewlett-Packard\HP Keyboard\BATINDICATOR.exe
mRun: [LaunchHPOSIAPP] C:\Program Files (x86)\Hewlett-Packard\HP Keyboard\LaunchApp.exe
mRun: [PDF Complete] C:\Program Files (x86)\PDF Complete\pdfsty.exe
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MIF5BA~1\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MIF5BA~1\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MIF5BA~1\Office12\REFIEBAR.DLL
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
TCP: DhcpNameServer = 192.168.1.1 68.238.64.12
TCP: Interfaces\{04C086C5-55C6-4E5C-97E4-2630F64CF682} : DhcpNameServer = 192.168.1.1 68.238.64.12
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~2\MIF5BA~1\Office12\GRA32A~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MIF5BA~1\Office12\GR469A~1.DLL
mASetup: {F5E7D9AF-60F6-4A30-87E3-4EA94D322CE1} - msiexec /fu {F5E7D9AF-60F6-4A30-87E3-4EA94D322CE1} /qn
mASetup: Neat ADF Scanner 2008 - reg copy "HKLM\Software\Wow6432Node\The Neat Company\Neat ADF Scanner 2008" "HKCU\Software\The Neat Company\Neat ADF Scanner 2008" /s /f
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MIF5BA~1\Office12\GR469A~1.DLL
TB-X64: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
mRun-x64: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun-x64: [(Default)]
mRun-x64: [BATINDICATOR] C:\Program Files (x86)\Hewlett-Packard\HP Keyboard\BATINDICATOR.exe
mRun-x64: [LaunchHPOSIAPP] C:\Program Files (x86)\Hewlett-Packard\HP Keyboard\LaunchApp.exe
mRun-x64: [PDF Complete] C:\Program Files (x86)\PDF Complete\pdfsty.exe
mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MIF5BA~1\Office12\GR469A~1.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 Agent;Agent;C:\Windows\agent_x64.exe [2012-3-11 102912]
R2 CalendarSynchService;CalendarSynchService;C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe [2011-8-16 16384]
R2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe [2011-9-9 86072]
R2 HPAuto;HP Auto;C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe [2011-2-16 682040]
R2 HPClientSvc;HP Client Services;C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-10-11 346168]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-3-28 94264]
R2 jhi_service;Intel® Identity Protection Technology Host Interface Service;C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe [2011-9-28 212944]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-3-12 652360]
R2 pdfcDispatcher;PDF Document Manager;C:\Program Files (x86)\PDF Complete\pdfsvc.exe [2011-12-24 1128952]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-12-24 2656536]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 MEIx64;Intel® Management Engine Interface;C:\Windows\system32\drivers\HECIx64.sys --> C:\Windows\system32\drivers\HECIx64.sys [?]
R3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
R3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\Windows\system32\DRIVERS\netr28x.sys --> C:\Windows\system32\DRIVERS\netr28x.sys [?]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S2 CLKMSVC10_38F51D56;CyberLink Product - 2011/12/24 11:11:48;C:\Program Files (x86)\Cyberlink\PowerDVD10\NavFilter\kmsvc.exe [2011-2-24 241648]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S3 Impcd;Impcd;C:\Windows\system32\drivers\Impcd.sys --> C:\Windows\system32\drivers\Impcd.sys [?]
S3 pmxdrv;pmxdrv;\??\C:\Windows\system32\drivers\pmxdrv.sys --> C:\Windows\system32\drivers\pmxdrv.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-03-13 06:42:28 8643640 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-03-13 06:42:22 8643640 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{5534055B-E2A7-4836-89B9-6D0CAE728503}\mpengine.dll
2012-03-13 06:41:28 -------- d-----w- C:\Users\rstadel\AppData\Roaming\HP Support Assistant
2012-03-13 06:38:59 -------- d-----w- C:\Users\rstadel\AppData\Roaming\Malwarebytes
2012-03-13 06:38:48 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-03-13 06:38:48 -------- d-----w- C:\ProgramData\Malwarebytes
2012-03-13 06:38:47 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-03-13 06:36:36 -------- d-----w- C:\Users\rstadel\AppData\Roaming\HpUpdate
2012-03-12 07:26:42 -------- d-----w- C:\Program Files (x86)\Microsoft CAPICOM 2.1.0.2
2012-03-12 02:57:36 -------- d-----w- C:\Program Files (x86)\ESET
2012-03-12 02:52:57 -------- d-----w- C:\Users\rstadel\AppData\Local\Diagnostics
2012-03-11 22:59:32 -------- d-----w- C:\Windows\PCHEALTH
2012-03-11 22:58:21 -------- d-----w- C:\Program Files (x86)\Microsoft Visual Studio 8
2012-03-11 22:57:56 -------- d-----w- C:\Users\rstadel\AppData\Local\Microsoft Help
2012-03-11 22:44:34 -------- d-----w- C:\Program Files (x86)\BandiMPEG1
2012-03-11 22:42:55 -------- d-----w- C:\Nexon
2012-03-11 22:41:44 -------- d-----w- C:\ProgramData\NexonUS
2012-03-11 21:37:02 -------- d-----w- C:\Users\rstadel\AppData\Local\PMB Files
2012-03-11 21:37:01 -------- d-----w- C:\ProgramData\PMB Files
2012-03-11 21:36:56 -------- d-----w- C:\Program Files (x86)\Pando Networks
2012-03-11 20:11:29 102912 ----a-w- C:\Windows\agent_x64.exe
2012-03-11 20:11:28 -------- d-----w- C:\Program Files\Send To Neat
2012-03-11 20:11:25 52224 ----a-w- C:\Windows\System32\sdtnpm.dll
2012-03-11 20:10:03 -------- d-----w- C:\Program Files (x86)\Common Files\Comscan
2012-03-11 20:09:45 -------- d-----w- C:\Program Files (x86)\Common Files\NeatReceipts
2012-03-11 20:09:17 -------- d-----w- C:\Program Files (x86)\Common Files\Intuit
2012-03-11 20:09:03 -------- d-----w- C:\Program Files\Common Files\The Neat Company
2012-03-11 20:08:21 -------- d-----w- C:\Program Files (x86)\Neat
2012-03-11 20:07:41 -------- d-----w- C:\Users\rstadel\AppData\Local\The Neat Company
2012-03-11 20:03:27 -------- d-----w- C:\Program Files\Microsoft Synchronization Services
2012-03-11 20:03:27 -------- d-----w- C:\Program Files\Microsoft SQL Server Compact Edition
2012-03-11 20:03:24 -------- d-----w- C:\Program Files (x86)\Microsoft Synchronization Services
2012-03-11 20:03:24 -------- d-----w- C:\Program Files (x86)\Microsoft SQL Server Compact Edition
2012-03-11 20:01:35 -------- d-----w- C:\Windows\twain_64
2012-03-11 20:00:46 -------- d-----w- C:\Users\rstadel\AppData\Roaming\Neat
2012-03-11 20:00:45 -------- d-----w- C:\Users\rstadel\AppData\Roaming\Nuance
2012-03-11 19:58:17 -------- d-----w- C:\Users\rstadel\AppData\Local\IsolatedStorage
2012-03-11 19:56:54 -------- d-----w- C:\Program Files\Common Files\NeatReceipts
2012-03-11 19:56:10 -------- d-----w- C:\ProgramData\The Neat Company
2012-03-11 19:56:07 -------- d-----w- C:\Program Files (x86)\NeatWorks
2012-03-11 19:56:07 -------- d-----w- C:\Program Files (x86)\Common Files\The Neat Company
2012-03-11 19:50:05 -------- d-----w- C:\Windows\SysWow64\Wat
2012-03-11 19:50:04 -------- d-----w- C:\Windows\System32\Wat
2012-03-11 19:31:30 -------- d-----w- C:\Users\rstadel\AppData\Roaming\Symantec
2012-03-11 19:20:27 927800 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{2ECD839B-E9E8-446D-9D34-5FC0455E988B}\gapaengine.dll
2012-03-11 19:19:25 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2012-03-11 19:19:22 -------- d-----w- C:\Program Files\Microsoft Security Client
2012-03-11 19:16:25 -------- d-----w- C:\Users\rstadel\AppData\Local\VeriSign
2012-03-11 18:39:39 8199504 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2012-03-11 18:39:38 8643640 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{AFCE5356-F4A4-4659-806D-B02F82455A9A}\mpengine.dll
2012-03-11 18:39:22 -------- d-----w- C:\Program Files (x86)\MSXML 4.0
2012-03-11 18:29:48 90624 ----a-w- C:\Windows\System32\drivers\bowser.sys
2012-03-11 18:29:42 723456 ----a-w- C:\Windows\System32\EncDec.dll
2012-03-11 18:29:42 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll
2012-03-11 18:29:15 1731920 ----a-w- C:\Windows\System32\ntdll.dll
2012-03-11 18:29:15 1292080 ----a-w- C:\Windows\SysWow64\ntdll.dll
2012-03-11 18:29:08 77312 ----a-w- C:\Windows\System32\packager.dll
2012-03-11 18:29:08 67072 ----a-w- C:\Windows\SysWow64\packager.dll
2012-03-11 18:19:00 -------- d-----w- C:\Users\rstadel\AppData\Local\PDFC
2012-03-11 18:18:38 -------- d-----w- C:\Users\rstadel\AppData\Local\VirtualStore
2012-03-11 18:15:01 -------- d-----w- C:\Users\rstadel\AppData\Local\TouchSmartData
2012-03-11 18:03:48 -------- d-----w- C:\ProgramData\Recovery
.
==================== Find3M ====================
.
2012-01-31 12:44:20 279656 ------w- C:\Windows\System32\MpSigStub.exe
2012-01-14 04:06:27 3145728 ----a-w- C:\Windows\System32\win32k.sys
2012-01-04 10:44:20 509952 ----a-w- C:\Windows\System32\ntshrui.dll
2012-01-04 08:58:41 442880 ----a-w- C:\Windows\SysWow64\ntshrui.dll
2011-12-30 06:26:08 515584 ----a-w- C:\Windows\System32\timedate.cpl
2011-12-30 05:27:56 478720 ----a-w- C:\Windows\SysWow64\timedate.cpl
2011-12-28 03:59:24 498688 ----a-w- C:\Windows\System32\drivers\afd.sys
2011-12-24 19:15:52 31152 ----a-w- C:\Windows\System32\drivers\pmxdrv.sys
2011-12-24 19:11:00 29480 ----a-w- C:\Windows\SysWow64\msxml3a.dll
2011-12-24 19:10:59 505128 ----a-w- C:\Windows\SysWow64\msvcp71.dll
2011-12-24 19:10:59 353576 ----a-w- C:\Windows\SysWow64\msvcr71.dll
2011-12-24 19:09:18 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-12-24 18:51:09 96768 ----a-w- C:\Windows\System32\fsutil.exe
2011-12-24 18:51:09 74240 ----a-w- C:\Windows\SysWow64\fsutil.exe
2011-12-24 18:51:09 410496 ----a-w- C:\Windows\System32\drivers\iaStorV.sys
2011-12-24 18:51:09 27008 ----a-w- C:\Windows\System32\drivers\amdxata.sys
2011-12-24 18:51:09 2565632 ----a-w- C:\Windows\System32\esent.dll
2011-12-24 18:51:09 189824 ----a-w- C:\Windows\System32\drivers\storport.sys
2011-12-24 18:51:09 1699328 ----a-w- C:\Windows\SysWow64\esent.dll
2011-12-24 18:51:09 166272 ----a-w- C:\Windows\System32\drivers\nvstor.sys
2011-12-24 18:51:09 1659776 ----a-w- C:\Windows\System32\drivers\ntfs.sys
2011-12-24 18:51:09 148352 ----a-w- C:\Windows\System32\drivers\nvraid.sys
2011-12-24 18:51:09 107904 ----a-w- C:\Windows\System32\drivers\amdsata.sys
2011-12-24 18:50:14 75776 ----a-w- C:\Windows\SysWow64\psisrndr.ax
2011-12-24 18:50:14 613888 ----a-w- C:\Windows\System32\psisdecd.dll
2011-12-24 18:50:14 465408 ----a-w- C:\Windows\SysWow64\psisdecd.dll
2011-12-24 18:50:14 108032 ----a-w- C:\Windows\System32\psisrndr.ax
2011-12-24 18:48:44 86016 ----a-w- C:\Windows\SysWow64\odbccu32.dll
2011-12-24 18:47:45 27520 ----a-w- C:\Windows\System32\drivers\Diskdump.sys
2011-12-24 18:46:56 476160 ----a-w- C:\Windows\System32\XpsGdiConverter.dll
2011-12-24 18:45:53 902656 ----a-w- C:\Windows\System32\d2d1.dll
2011-12-24 18:45:53 739840 ----a-w- C:\Windows\SysWow64\d2d1.dll
2011-12-24 18:45:53 1544192 ----a-w- C:\Windows\System32\DWrite.dll
2011-12-24 18:45:53 1139200 ----a-w- C:\Windows\System32\FntCache.dll
2011-12-24 18:45:53 1076736 ----a-w- C:\Windows\SysWow64\DWrite.dll
2011-12-24 18:45:36 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll
2011-12-24 18:45:36 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
2011-12-24 18:45:27 267776 ----a-w- C:\Windows\System32\FXSCOVER.exe
2011-12-24 18:45:19 197120 ----a-w- C:\Windows\System32\d3d10_1.dll
2011-12-24 18:45:19 161792 ----a-w- C:\Windows\SysWow64\d3d10_1.dll
2011-12-24 18:45:12 70656 ----a-w- C:\Windows\SysWow64\fontsub.dll
2011-12-24 18:45:12 100864 ----a-w- C:\Windows\System32\fontsub.dll
2011-12-16 08:46:06 634880 ----a-w- C:\Windows\System32\msvcrt.dll
2011-12-16 07:52:58 690688 ----a-w- C:\Windows\SysWow64\msvcrt.dll
.
============= FINISH: 19:18:38.98 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:12:52 PM

Posted 17 March 2012 - 12:57 PM

Welcome to Bleeping Computer, REIDS!

There is a tool called TDSSkiller, and it targets TDSS variants. The variant you describe is most likely TDL4, which infects the
Master Boot Record of a drive. If that is the case, the tool may work when a drive is slaved, since it scans the MBR of all detected drives.

So, let's press on...

Please download the latest version of: TDSSKiller.exe
Save to the Desktop.

Execute the downloaded file:
Windows Seven: Right-click the file and select 'Run as Administrator'

In the TDSSKiller Scan prompt, click on: Change parameters
Check the box besides: Detect TDLFS file system
Click: OK

Press the button: Start Scan

The tool scans and detects two object types:
Malicious (where the malware has been identified)
Suspicious (where the malware cannot be identified)

When the scan is over, the tool outputs a list of detected objects (Malicious or Suspicious) with their description.

It automatically selects an action (Cure or Delete) for Malicious objects. Leave the setting as it is.

It also prompts the User to select an action to apply to Suspicious objects (Skip, by default).
Leave the setting as it is.

After clicking 'Next/Continue', the tool applies the selected actions.


A Reboot Required prompt may appear after a disinfection.
Please reboot!!


By default, the tool outputs its log to the system disk root folder (the disk with the Windows operating system,
normally C:\).

Logs have a name like:
C:\TDSSKiller.2.4.7_22.02.2012_15.31.43_log.txt

Please post the TDSSKiller log in your reply.

Also need to know whether TDSSKiller needed a reboot.

Old duck...


#3 REIDS

REIDS
  • Topic Starter

  • Members
  • 102 posts
  • OFFLINE
  •  
  • Local time:09:52 AM

Posted 17 March 2012 - 02:19 PM

Attached are the logs. It made two logs for some reason. I have had my two other external hard drives turned off while my computer is on (because I don't get the MSE threat detection when I don't have these turned on). I started the tdsskiller program without those two drives connect, then stopped the program and connected both external hard drives and restarted the tdsskiller. As soon as the tdsskiller performed the cure action, MSE (Microsoft Security Essentials) now detects 5 potential threats (previously it would only find 1 potential threat).

It did NOT require me to reboot the system. I rebooted anyways and MSE still finds 5 potential threats now.

Attached Files



#4 REIDS

REIDS
  • Topic Starter

  • Members
  • 102 posts
  • OFFLINE
  •  
  • Local time:09:52 AM

Posted 17 March 2012 - 02:37 PM

MSE was just able to remove the (5) potential threats without rebooting (which it did automatically without my direction). The 5 threats were displayed as versions of the Alureon.* viruses that had been quarantined by tdsskiller.

I am not getting any popups from MSE anymore. Do I still need to be verifying that my C: drive as well as my other two drives do not have some sort of virus still left on them?

#5 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:12:52 PM

Posted 17 March 2012 - 04:10 PM

Do I still need to be verifying that my C: drive as well as my other two drives do not have some sort of virus still left on them?

Oh yes!! Rootkits are sneaky darn things. <_<



We shall proceed...please make sure the USB HD drives are plugged in.

On TDSSKiller...

Please run it once again, and this time, when presented with the TDSS File System entry in Threats Detected, select: Delete

Then, post the TDSSKiller log in your reply.


Also, download: aswMBR
Save it to the Desktop.

Windows 7: Right-click the file and select 'Run as Administrator'

When promped with: This Application can use the Avast! Free AntiVirus for scanning...etc.
Select: Yes

The last line of the run in progress will provide the status of the Avast! scan.
It will say: Downloading Avast! virus definitiond database, etc.
When the Avast! scan is done, the last line changes to: Avast Engine definitions #####

At this point, click the Scan button on the lower left of the aswMBR screen.
The last line will now say "Scanning" while in progress.

Upon completion of the scan, click >Save log< and save it to the Desktop.
Note: Please do NOT attempt to fix anything!!

Exit the program.

Please post the new aswMBR log in your reply.


Note that a file named MBR.dat is also created on the Desktop.

Please submit MBR.dat for analysis to VirusTotal:
http://www.virustotal.com/

When you get to the website, use the Browse button to navigate to the location of MBR.dat
Click on the file, then, click the Open button.
The file is now displayed in the Submit Box.

Scroll down and click Send File, and wait for the results.

If you get a message saying: 'File has already been analyzed', click: 'Reanalyze file now'

Once scanned, and you see the full results page on your screen, go up to the address bar at the top of the browser, and copy the http:\\etc. address there.

Then, provide the http:\\ address to the results page in your reply.


Will need to see three items in your next post:
A new TDSSKiller
aswMBR
Link to VirusTotal



Thanks!

Edited by Aaflac, 17 March 2012 - 04:12 PM.

Old duck...


#6 REIDS

REIDS
  • Topic Starter

  • Members
  • 102 posts
  • OFFLINE
  •  
  • Local time:09:52 AM

Posted 17 March 2012 - 05:02 PM

Attached are the logs that you requested. See the following link, as requested:

https://www.virustotal.com/file/e2c7ede50488ad98b030f7b4ec8f10077bf6ec9b82be3d0be4c62c2a8a3c7b81/analysis/1332021578/

Attached Files



#7 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:12:52 PM

Posted 17 March 2012 - 06:45 PM

Good job!! :thumbsup:

Please do the following...

Download Malwarebytes' Anti-Malware


Save to the Desktop.

MBAM may make changes to the Registry as part of its disinfection routine.
If using other security programs that detect Registry changes, they may interfere or alert you.
Temporarily disable such programs as shown here, or permit them to allow the changes.

Windows Seven: Right-click and select 'Run as Administrator'

When the installation begins, follow the prompts and do not make any changes to default settings.

Make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware


Click: Finish

MBAM automatically starts and you are asked to update the program.

If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.


On the Scanner tab:
Make sure the Perform Full Scan option is selected.

Then click on the Scan button.

If asked to select the drives to scan, leave all the drives selected.
Click on the Start Scan button.

The scan may take some time to complete, so please be patient.

When the scan is finished, a message box shows The scan completed successfully. Click 'Show Results' to display all objects found

Click OK to close the message box and continue with the removal process.


Back at the main Scanner screen:
Click on the Show Results button to see a list of any malware found.
Make sure that everything is checked, and click: Remove Selected

When removal is completed, a report opens in Notepad.

The log is automatically saved and can be viewed by clicking the Logs tab.

Please copy/paste the entire contents of the MBAM report in your reply.

Exit MBAM when done.


Note: If MBAM encounters a file that is difficult to remove, you are asked to reboot your computer so MBAM can proceed with the
disinfection process. If asked to restart the computer, please do so immediately.

Failure to reboot normally (not into safe mode) prevents MBAM from removing all the malware.

Old duck...


#8 REIDS

REIDS
  • Topic Starter

  • Members
  • 102 posts
  • OFFLINE
  •  
  • Local time:09:52 AM

Posted 17 March 2012 - 11:15 PM

I noticed the that i had two copies of a crack file (previously unaware of this), and I made sure that I deleted these files. The following is the mbam log content:

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.18.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
rstadel :: TGOE_DESKTOP [administrator]

Protection: Enabled

3/17/2012 8:09:51 PM
mbam-log-2012-03-17 (20-09-51).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 477355
Time elapsed: 44 minute(s), 19 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 5
C:\TDSSKiller_Quarantine\17.03.2012_12.08.08\mbr0000\tdlfs0000\tsk0006.dta (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\TDSSKiller_Quarantine\17.03.2012_12.08.08\mbr0000\tdlfs0000\tsk0007.dta (Rootkit.TDSS.64) -> Quarantined and deleted successfully.
C:\TDSSKiller_Quarantine\17.03.2012_12.08.08\mbr0000\tdlfs0000\tsk0010.dta (Rootkit.TDSS.64) -> Quarantined and deleted successfully.
L:\Reid\WinRAR & Crack\Win RAR 3.2 + Crack\CORE10k.EXE (Dont.Steal.Our.Software) -> Quarantined and deleted successfully.
N:\I Drive - Temp\Reid\WinRAR & Crack\Win RAR 3.2 + Crack\CORE10k.EXE (Dont.Steal.Our.Software) -> Quarantined and deleted successfully.

(end)

#9 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:12:52 PM

Posted 18 March 2012 - 09:51 PM

The use of cracked programs is theft, and this forum does not support the use of stolen software.

If the presence of cracked software is detected on your computer, your topic may be closed, or at the discretion of an Administrator, we may continue to help you, on the strict understanding that any and all illegal software must first be removed.

If you have removed such software...

Please download CKScanner
Important: Save it to your Desktop.
Right-click CKScanner.exe > select: 'Run as administrator', then, click: Search For Files
When the cursor's hourglass disappears, click: Save List To File
A message box verifies the file saved.
Double-click the CKFiles.txt icon on your Desktop, and copy/paste the contents in your next reply.

Old duck...


#10 REIDS

REIDS
  • Topic Starter

  • Members
  • 102 posts
  • OFFLINE
  •  
  • Local time:09:52 AM

Posted 18 March 2012 - 10:16 PM

CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.RP.11.BWNASF
----- EOF -----

#11 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:12:52 PM

Posted 19 March 2012 - 05:06 PM

Almost there, before we wrap up...

Please download Security Check

Save it to the Desktop.
Double-click SecurityCheck.exe and follow the onscreen instructions (on the black screen)
When done, a Notepad document opens automatically: checkup.txt

Please post the contents of checkup.txt in your reply.

Also, please give an update as to whether you are still experiencing malware problems.

Old duck...


#12 REIDS

REIDS
  • Topic Starter

  • Members
  • 102 posts
  • OFFLINE
  •  
  • Local time:09:52 AM

Posted 19 March 2012 - 09:34 PM

Results of screen317's Security Check version 0.99.24
Windows 7 x64 (UAC is enabled)
Internet Explorer 9
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
ESET Online Scanner v3
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
Microsoft Security Essentials msseces.exe
Microsoft Security Client Antimalware MsMpEng.exe
Microsoft Security Client Antimalware NisSrv.exe
``````````End of Log````````````

#13 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:12:52 PM

Posted 19 March 2012 - 10:30 PM

Also, please give an update as to whether you are still experiencing malware problems.

Old duck...


#14 REIDS

REIDS
  • Topic Starter

  • Members
  • 102 posts
  • OFFLINE
  •  
  • Local time:09:52 AM

Posted 20 March 2012 - 01:43 AM

I am not experiencing any malware problems.

#15 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:12:52 PM

Posted 20 March 2012 - 09:26 PM

If you are no longer having malware problems, you are good to go.

You can remove any programs we have used, and their related reports or folders.
Also, make sure your security software is ALL enabled and running!

Consider doing the following to prevent future infections...

Malware is normally installed through vulnerabilities found in out-dated and insecure programs on a computer.
You can use the Secunia Personal Software Inspector to scan for vulnerable programs:
http://secunia.com/vulnerability_scanning/personal/

A tutorial on how to use the program is found here:
http://www.bleepingcomputer.com/tutorials/detect-vulnerable-programs-with-secunia-psi/


Surf safely, REIDS!!

Old duck...





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users