Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Windows 7 - Possible Allureon virus? Computer slow, shuts off


  • This topic is locked This topic is locked
4 replies to this topic

#1 niacelluap

niacelluap

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:11:35 PM

Posted 29 June 2013 - 04:38 PM

My wife's computer has been slow and crashy.  I posted in the Windows 7 Forum and now they have suggested I post here.

 

Previous thread: http://www.bleepingcomputer.com/forums/t/499524/windows-7-super-slow-programs-and-services-down-etc/

 

 

  Here is my DDS log.  I also attached the "attach.txt" file:

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16476
Run by LLLSTUDENTS at 17:11:04 on 2013-06-29
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
uURLSearchHooks: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
uURLSearchHooks: FLV Runner Toolbar: {3bbd3c14-4c16-4989-8366-95bc9179779d} -
mURLSearchHooks: FLV Runner Toolbar: {3bbd3c14-4c16-4989-8366-95bc9179779d} -
mWinlogon: Userinit = userinit.exe
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\hp\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: FLV Runner Toolbar: {3bbd3c14-4c16-4989-8366-95bc9179779d} -
BHO: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Security Suite\Engine\4.4.0.12\coieplg.dll
BHO: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Security Suite\Engine\4.4.0.12\ipsbho.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0566.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: HP Network Check Helper: {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll
BHO: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\hp\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine\4.4.0.12\coieplg.dll
TB: FLV Runner Toolbar: {3BBD3C14-4C16-4989-8366-95BC9179779D} -
TB: Microsoft Live Search Toolbar: {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0566.0\msneshellx.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine\4.4.0.12\coieplg.dll
TB: FLV Runner Toolbar: {3bbd3c14-4c16-4989-8366-95bc9179779d} -
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\hp\Digital Imaging\Smart Web Printing\hpswp_bho.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\hp\Digital Imaging\Smart Web Printing\hpswp_bho.dll
mRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {25510184-5A38-4A99-B273-DCA8EEF6CD08} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\NCLauncherFromIE.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\hp\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 10.1.10.1
TCP: Interfaces\{608F24B8-3F6E-41CD-A123-E00A369BF246} : DHCPNameServer = 10.1.10.1
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - C:\Program Files (x86)\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} -
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
AppInit_DLLs= C:\PROGRA~2\Google\GOOGLE~1\GO36F4~1.DLL
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\26.0.1410.64\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [Corel Photo Downloader] C:\Program Files (x86)\Corel\Corel Photo Album 6\MediaDetect.exe
x64-Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - <orphaned>
x64-Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R? BHDrvx64;BHDrvx64
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64
R? EraserUtilRebootDrv;EraserUtilRebootDrv
R? GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335
R? jswpsapi;JumpStart Wi-Fi Protected Setup
R? McComponentHostService;McAfee Security Scan Component Host Service
R? PxHlpa64;PxHlpa64
R? TsUsbFlt;TsUsbFlt
R? WatAdminSvc;Windows Activation Technologies Service
S? athur;Atheros AR9271 Wireless Network Adapter Service
S? ccHP;Symantec Hash Provider
S? HP Support Assistant Service;HP Support Assistant Service
S? IDSVia64;IDSVia64
S? JSWPSLWF;JumpStart Wireless Filter Driver
S? N360;Norton Security Suite
S? SCMNdisP;General NDIS Protocol Driver
S? SymDS;Symantec Data Store
S? SymEFA;Symantec Extended File Attributes
S? SymIRON;Symantec Iron Driver
S? SYMTDIv;Symantec Vista Network Dispatch Driver
S? WSWNA1100;WSWNA1100
.
=============== Created Last 30 ================
.
2013-06-29 20:40:09 -------- d-----w- C:\Users\LLLSTUDENTS\AppData\Roaming\Tific
2013-06-29 20:39:53 -------- d-----w- C:\Users\LLLSTUDENTS\AppData\Local\Symantec
2013-06-29 16:41:25 -------- d-----w- C:\Windows\ERUNT
2013-06-29 16:41:15 -------- d-----w- C:\JRT
2013-06-29 16:27:37 -------- d-----w- C:\Windows\pss
2013-06-28 16:32:41 -------- d-----w- C:\Users\LLLSTUDENTS\AppData\Roaming\Malwarebytes
2013-06-28 16:32:15 -------- d-----w- C:\ProgramData\Malwarebytes
2013-06-28 16:32:03 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-06-28 16:31:50 -------- d-----w- C:\Users\LLLSTUDENTS\AppData\Local\Programs
2013-06-17 23:08:38 -------- d-----w- C:\ProgramData\Recovery
.
==================== Find3M  ====================
.
2013-06-29 21:03:22 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-06-29 21:03:22 692104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-04-12 14:45:08 1656680 ----a-w- C:\Windows\System32\drivers\ntfs.sys
.
============= FINISH: 17:26:52.28 ===============
 

 

 

 

 

Attached Files



BC AdBot (Login to Remove)

 


#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:35 AM

Posted 30 June 2013 - 12:57 PM

Hi there,
my name is Marius and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are follow my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

 

Please download Gmer from here by clicking on the "Download EXE" Button.

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )
  • Leave everything else as it is.
  • Close all other running programs as well as your Browser.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 niacelluap

niacelluap
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:11:35 PM

Posted 30 June 2013 - 03:13 PM

GMR - ark.txt -

 

GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-06-30 16:07:08
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000062 WDC_WD32 rev.01.0 298.09GB
Running: kundps8j.exe; Driver: C:\Users\LLLSTU~1\AppData\Local\Temp\aglyrpoc.sys

---- Devices - GMER 2.1 ----

Device  \Driver\nvstor64 \Device\00000062                                                                                                            fffffa80039360a8

---- Trace I/O - GMER 2.1 ----

Trace   ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80039360a8]<<                                                                 fffffa80039360a8
Trace   1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8003027060]                                                                              fffffa8003027060
Trace   3 CLASSPNP.SYS[fffff8800194543f] -> nt!IofCallDriver -> [0xfffffa80022f9b50]                                                                 fffffa80022f9b50
Trace   5 ACPI.sys[fffff88000fb37a1] -> nt!IofCallDriver -> \Device\00000062[0xfffffa8002de2060]                                                     fffffa8002de2060
Trace   \Driver\nvstor64[0xfffffa800381ae70] -> IRP_MJ_CREATE -> 0xfffffa80039360a8                                                                  fffffa80039360a8

---- Registry - GMER 2.1 ----

Reg     HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{A99176F6-CC87-467A-9E96-D17233B65AE5}\Connection@Name  isatap.{A7FFDB03-1045-4AD0-83FA-B36F663A369B}
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind     \Device\{5FCFD680-9A44-4202-A87E-17661EED461E}?\Device\{CC783BEC-225F-4C4C-B3E3-C9A116819358}?\Device\{A99176F6-CC87-467A-9E96-D17233B65AE5}?\Device\{E8EE4DD4-BFB6-4AE5-B347-E80F1F73123E}?\Device\{238194E8-F3BC-4691-BBE7-0173A11D5459}?
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route    "{5FCFD680-9A44-4202-A87E-17661EED461E}"?"{CC783BEC-225F-4C4C-B3E3-C9A116819358}"?"{A99176F6-CC87-467A-9E96-D17233B65AE5}"?"{E8EE4DD4-BFB6-4AE5-B347-E80F1F73123E}"?"{238194E8-F3BC-4691-BBE7-0173A11D5459}"?
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export   \Device\TCPIP6TUNNEL_{5FCFD680-9A44-4202-A87E-17661EED461E}?\Device\TCPIP6TUNNEL_{CC783BEC-225F-4C4C-B3E3-C9A116819358}?\Device\TCPIP6TUNNEL_{A99176F6-CC87-467A-9E96-D17233B65AE5}?\Device\TCPIP6TUNNEL_{E8EE4DD4-BFB6-4AE5-B347-E80F1F73123E}?\Device\TCPIP6TUNNEL_{238194E8-F3BC-4691-BBE7-0173A11D5459}?
Reg     HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@SetupExecute                                                                          
Reg     HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{A99176F6-CC87-467A-9E96-D17233B65AE5}@InterfaceName                       isatap.{A7FFDB03-1045-4AD0-83FA-B36F663A369B}
Reg     HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{A99176F6-CC87-467A-9E96-D17233B65AE5}@ReusableType                        0
Reg     HKLM\SYSTEM\CurrentControlSet\services\rdyboost\Parameters@ReadyBootPlanAge                                                                  1
Reg     HKLM\SYSTEM\CurrentControlSet\services\rdyboost\Parameters@LastBootPlanUserTime                                                              ?Sun?, ?Jun ?30 ?13, 02:57:30 PM????????}??????????????????????
Reg     HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch                                                                              11525

---- Disk sectors - GMER 2.1 ----

Disk    \Device\Harddisk0\DR0                                                                                                                        unknown MBR code

---- EOF - GMER 2.1 ----



#4 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:35 AM

Posted 01 July 2013 - 08:38 AM

Please download Malwarebytes Anti-Rootkit from here Malwarebytes : Malwarebytes Anti-Rootkit and save it to your desktop.

Be sure to print out and follow the instructions provided on that same page.

Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.
  • Double click the mbar.zip file to open it, then 'Extract all files'.
  • Double click the mbar folder to open it, then double click mbar.exe to start the tool.
Check for Updates, then Scan your system for malware

If malware is found, do NOT press the Cleanup button yet. Click EXIT.

I'd like to see the log first so I can see what it sees. You'll find the log in that mbar folder as MBAR-log-<date and time>***.txt . Please attach that to your next reply.
Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#5 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:35 AM

Posted 04 July 2013 - 06:00 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users