
Possibly Infected with TDSS/Alureon


This topic is locked
8 replies to this topic

#1 Blur180

  • Members
  • 6 posts

Posted 22 November 2015 - 09:14 PM

Hello. I'm going to restate what I said on the "Am I infected?" board since I have been redirected here by a BC Advisor.


"A few days ago, my ISP, Cox, sent me an email from abuse@cox.net saying that a computer on my network may be infected with Alureon/TDSS. I have been having slower-than-usual load times when browsing the internet, and I read that this can be a symptom of the virus. I have run scans with Malwarebytes and TDSS Killer on both computers on my network, and they both found nothing, I wasn't convinced, and decided to run Norton Power Eraser as well, and it found two things on my laptop. It found a 33333139.sys and 96417421.sys that it said were threats. It tried to remove/fix them, but failed. Now I'm concerned, and I don't know what to do to fix it, seeing that both Malwarebytes and TDSS Killer didn't find anything. I also re-ran TDSS Killer again after Norton, and it almost finished the scan and then crashed. What should I do? Thanks for any help!

P.S. I'm running Windows 10 on an Asus laptop."


I've also attached the FRST and Addition logs that I was told to after using Farbar. Thanks!


#2 nasdaq

  • Malware Response Team
  • 38,936 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 24 November 2015 - 10:12 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===


Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [No File]
FF Plugin HKU\S-1-5-21-2529444087-38923702-4219817900-1002: @tools.google.com/Google Update;version=3 -> C:\Users\Trevor\AppData\Local\Google\Update\1.3.27.5\npGoogleUpdate3.dll [No File]
FF Plugin HKU\S-1-5-21-2529444087-38923702-4219817900-1002: @tools.google.com/Google Update;version=9 -> C:\Users\Trevor\AppData\Local\Google\Update\1.3.27.5\npGoogleUpdate3.dll [No File]
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK => not found
S3 cpuz138; \??\C:\WINDOWS\TEMP\cpuz138\cpuz138_x64.sys [X]
S3 GPUZ; \??\C:\WINDOWS\TEMP\GPUZ.sys [X]
S3 wfpcapture; \SystemRoot\System32\drivers\wfpcapture.sys [X]
Task: {1850C486-2B39-4568-84F7-AAF5C7F0A91F} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {1E971C1C-A5F8-4A56-976E-8E5DDEFAFF70} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {209867E9-D2E5-4F3C-ADAE-2815D1BAAACA} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {3654860E-168F-487D-8221-F796F10CCABA} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {3DC824A2-7E76-4751-8941-242B98AE4AFC} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {4079F2A5-D6C4-4749-853E-11DB4FB155F2} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {4AC57CC3-C7CB-4395-B625-D6064CC8896D} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {600B550C-8DE8-4A14-BA88-9D4ADC78A0B2} - \ASUS Patch for Touch Panel -> No File <==== ATTENTION
Task: {732C543C-8E1E-4036-B6F2-72828AA8EF98} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {79CE52F1-A42D-491C-9656-B9C44F634D72} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {D1B912FE-0045-415A-9D49-A90DC9009A6F} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {FBCB125C-E985-4709-9B4E-57A5259306EA} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Let's check further.

You will need to temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Click Options; the following options are available to you.
Select only the check boxes for the options in bold.

Options to select (these were shown in bold):

Running Processes
Installed Programs
Startup Information
FireFox look
Chrome Look
Do a Deep Scan

Leave the remaining options unchecked:

Do a Quick Scan
HijackThis log
Uninstall list
Shortcut Fix
Do a Deep Scan
Installer List
IE Default
Silent Runner
System Restore Info
Symlink Check
Reset Chrome
System Specs
Recently created
Empty Temp
Auto Clean



Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the system drive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply. It's probably too long to post.

How to:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to attach.

Click the Add Reply button.

Make sure you Enable your AV Program.
===

Any pending issue with this computer?
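As an added example (not part of this thread, and not code from the FRST tool or its author), the script below applies the same triage that the posted fixlist reflects: it reads FRST log lines, keeps only the entry types FRST marks as broken or suspicious (orphaned services ending in "[X]", plugins with "[No File]" or "=> not found", scheduled tasks pointing to "No File", and lines flagged "ATTENTION"), and assembles a fixlist.txt body in the same shape as the one above. The sample lines are constructed (modelled on the entry formats in the post, with fake GUIDs and a made-up healthy driver), and the rule set is an assumption derived from those markers, not an official FRST specification.

```python
import re

# Constructed sample FRST lines, modelled on the entry types in the fix above.
# The R1 driver and the second Task are made-up healthy entries the filter must leave alone.
SAMPLE_FRST_LINES = r"""
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [No File]
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK => not found
S3 cpuz138; \??\C:\WINDOWS\TEMP\cpuz138\cpuz138_x64.sys [X]
R1 exampledrv; C:\WINDOWS\System32\drivers\exampledrv.sys [123456 2015-11-20] (Example Vendor)
Task: {00000000-0000-0000-0000-000000000001} - \ASUS Patch for Touch Panel -> No File <==== ATTENTION
Task: {00000000-0000-0000-0000-000000000002} - \Example\Updater -> C:\Program Files\Example\updater.exe [2015-11-20] (Example Vendor)
""".strip().splitlines()

# Rules assumed from the markers visible in the posted fixlist; most specific first,
# the generic "ATTENTION" flag last as a catch-all.
RULES = [
    ("orphaned-service", lambda ln: re.match(r"^[RS]\d ", ln) is not None and ln.endswith("[X]")),
    ("plugin-missing-file", lambda ln: ln.endswith("[No File]") or ln.endswith("=> not found")),
    ("task-missing-file", lambda ln: ln.startswith("Task:") and "-> No File" in ln),
    ("flagged-by-frst", lambda ln: re.search(r"<=+ ATTENTION$", ln) is not None),
]

def classify(line):
    """Return the first matching category for one FRST log line, or None if it looks healthy."""
    for category, predicate in RULES:
        if predicate(line):
            return category
    return None

def triage(lines):
    """Pair every non-empty line with its category (None means nothing to act on)."""
    return [(line, classify(line)) for line in lines if line.strip()]

def build_fixlist(lines):
    """Assemble a fixlist.txt body shaped like the one posted above:
    housekeeping directives first, then only the lines that matched a rule."""
    selected = [line for line, category in triage(lines) if category]
    header = ["start", "", "CreateRestorePoint:", "EmptyTemp:", "CloseProcesses:", ""]
    return "\n".join(header + selected + ["", "End"])

if __name__ == "__main__":
    for line, category in triage(SAMPLE_FRST_LINES):
        print(f"{category or 'ok':>20}  {line[:70]}")
    print()
    print(build_fixlist(SAMPLE_FRST_LINES))
```

Review the generated fixlist by hand before using it; the filter only recognises the marker conventions shown on this page and will not catch anything FRST reports in another form.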

#3 Blur180

  • Topic Starter
  • Members
  • 6 posts

Posted 24 November 2015 - 02:09 PM

Alright, I followed the steps you gave and I've attached the logs. Thank you for your help, by the way!


Edited by Blur180, 24 November 2015 - 02:09 PM.


#4 nasdaq

  • Malware Response Team
  • 38,936 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 25 November 2015 - 09:43 AM

Last logs are clean.

Any remaining issues?

#5 Blur180

  • Topic Starter
  • Members
  • 6 posts

Posted 25 November 2015 - 11:44 AM

No, I am not having any problems with it. If this computer is clean, that's fantastic! Is there a possibility that the virus could be on the other computer on my network? I ran Malwarebytes, Norton Power Eraser, TDSS Killer, and ESET Online Scanner on it when I first received the email, and nothing ever showed up, so it should be clean too. I suppose either the email I got from my ISP was a false alarm or something you had me do fixed it. Thank you so much for your help!  :thumbsup:



#6 nasdaq

  • Malware Response Team
  • 38,936 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 26 November 2015 - 07:30 AM

Run this scan on the current computer.
Do it when you will not need the computer for one or two hours. It may take some time to finish.

You can do the same on the other computer later on.

There could be some remnant items.

Run an online scan with Eset (easiest with Internet Explorer): http://www.eset.com/onlinescan/
To shorten the scanning time disable your antivirus program while scanning.

Select Enable detection of potentially unwanted applications.
Click Advanced Settings.

DO NOT Deselect Remove found threats.

Select:
Scan Archives
Scan for potentially unsafe applications
Enable Anti-Stealth Technology


Click Start.

When the scan is finished, click on List of found threats and then Export to text file. Copy the content of the text file and paste its content in your reply.

#7 Blur180

  • Topic Starter
  • Members
  • 6 posts

Posted 28 November 2015 - 02:21 PM

Okay. I ran the scan on this computer, and it didn't find anything! Thanks for your help!



#8 nasdaq

  • Malware Response Team
  • 38,936 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 28 November 2015 - 03:19 PM

Glad we could help.


If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#9 nasdaq

  • Malware Response Team
  • 38,936 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 05 December 2015 - 01:42 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
