
trojan:DOS/Alureon.E



Merged Post

Hi

I have a Windows XP Service Pack 3 machine that I am currently unable to connect to the Internet with (can't get it to generate an IP... or something like that).

Over the last couple of days I've been infected with

Trojan:Win32/Sirefef.AC,

Trojan:Win32/Sirefef.AH,

Trojan:JS/Iframe.AP,

TrojanDownloader:Win/Unruy.H,

TrojanDownloader:Win/Obvod.K,

Trojan:Win32/FakeSysdef.

Most of these baddies have gone away with the assistance of my various anti-virus treatments: SUPERAntiSpyware, Microsoft Security Essentials, Malwarebytes etc. It's been 3 days of scans and reboots. And then they reappear.

However, trojan:DOS/Alureon.E is now continuously detected by MS Security Essentials, quarantined, and then fails to be removed. It seems to be the one that remains... for now.

It is not detected by the licensed Malwarebytes Anti-Malware (Pro) that I am running, nor by SUPERAntiSpyware, but MS Security Essentials keeps finding it. Previously, it denied many connections to outside addresses. The other weird symptom is a recurring nag screen telling me to compress my MS Outlook Express folder, although I have NEVER used that email program. This happens on every reboot.

In preparing to post to a help website, I have downloaded and used CCleaner, Defogger, GMER, SUPERAntiSpyware and HijackThis.

I downloaded DDS and tried to stop any script blocking that I have (although I'm not sure what that would be...), so I stopped the real-time protection in my MS Security Essentials, stopped real-time protection in Malwarebytes and took down my XP firewall. Unfortunately my DDS scan repeatedly hung 3/4 of the way through with no logs produced. I don't know of any other anti-script stuff to suspend. My MS Security Essentials keeps finding trojan:DOS/Alureon.E.

At this point I have read the "I'm infected, what do I do now..." postings, but I can't run DDS. I could post any of the logs from the programs that I have run. I can't connect to the Internet, but I have a PowerBook that I can connect with, so I am able to download programs. Any help you can give will be greatly appreciated.


I think I may have cleared a number of the infections... I had the ZeroAccess rootkit. This infected machine is also my print server on my home wireless network. I am now having trouble with other machines not seeing the network, this computer or the printer (it shows as offline/unavailable).

When I go to my LAN/high-speed Internet connection > Support tab and click "Repair", it gives the following error message: "Windows could not finish repairing the problem because the following action cannot be completed: Clearing NetBt. For further assistance contact the person who manages your network."

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21

Run by Stephen at 13:54:51 on 2012-04-09

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.468 [GMT -7:00]

.

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\SUPERAntiSpyware\SASCORE.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\FolderSize\FolderSizeSvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe

C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\WINDOWS\explorer.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://news.google.com/nwshp?hl=en&tab=wn

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\stephen\startm~1\programs\startup\mozill~1.lnk - c:\program files\mozilla firefox\firefox.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

Trusted Zone: intuit.com\ttlc

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1276368293765

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

TCP: DhcpNameServer = 172.27.35.1

TCP: Interfaces\{97CF7E09-8D94-4177-8E9A-42703DB19A1A} : DhcpNameServer = 172.27.35.1

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: igfxcui - igfxdev.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\stephen\application data\mozilla\firefox\profiles\wjlwad34.default\

FF - prefs.js: browser.startup.homepage - hxxp://news.google.com/nwshp?client=firefox-a&rls=org.mozilla:en-US:official&hl=en&tab=wn

FF - plugin: c:\documents and settings\stephen\application data\mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\stephen\application data\mozilla\plugins\npgtpo3dautoplugin.dll

FF - plugin: c:\documents and settings\stephen\local settings\application data\google\update\1.3.21.111\npGoogleUpdate3.dll

FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

.

============= SERVICES / DRIVERS ===============

.

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165648]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]

R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-4-27 652360]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-4-27 20464]

S0 cerc6;cerc6; [x]

S1 xxaxrllb;xxaxrllb;\??\c:\windows\system32\drivers\xxaxrllb.sys --> c:\windows\system32\drivers\xxaxrllb.sys [?]

S2 avg7alrt;Rnadirmultiplexor;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-4-1 136176]

S2 mferkdk;Hcf_msft;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-4-1 136176]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S4 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshim.sys --> c:\windows\system32\drivers\AVGIDSShim.Sys [?]

.

=============== Created Last 30 ================

.

2012-04-09 14:23:22 56200 -c--a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{fdef6b00-b5a2-4ef2-ba7f-f6b37f7d8864}\offreg.dll

2012-04-08 14:32:26 6582328 -c--a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{fdef6b00-b5a2-4ef2-ba7f-f6b37f7d8864}\mpengine.dll

2012-04-05 18:16:27 162816 -c--a-w- c:\windows\system32\dllcache\netbt.sys

2012-04-05 18:16:27 162816 ----a-w- c:\windows\system32\drivers\netbt.sys

2012-04-03 23:34:39 -------- dcsha-r- C:\cmdcons

2012-04-03 23:15:40 98816 ----a-w- c:\windows\sed.exe

2012-04-03 23:15:40 518144 ----a-w- c:\windows\SWREG.exe

2012-04-03 23:15:40 256000 ----a-w- c:\windows\PEV.exe

2012-04-03 23:15:40 208896 ----a-w- c:\windows\MBR.exe

2012-04-03 21:42:24 98992 ----a-w- c:\windows\system32\drivers\35813584.sys

2012-04-03 21:36:29 -------- dc----w- C:\TDSSKiller_Quarantine

2012-04-02 04:59:04 -------- d-----w- c:\documents and settings\stephen\local settings\application data\PCHealth

2012-04-02 02:23:23 -------- d-----w- c:\documents and settings\stephen\application data\SUPERAntiSpyware.com

2012-04-02 02:22:45 -------- dc----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com

2012-04-02 02:22:45 -------- d-----w- c:\program files\SUPERAntiSpyware

2012-04-02 02:19:27 -------- d-----w- c:\program files\CCleaner

2012-03-29 15:03:07 388096 ----a-r- c:\documents and settings\stephen\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2012-03-29 15:03:05 -------- d-----w- c:\program files\Trend Micro

2012-03-19 14:24:42 592824 ----a-w- c:\program files\mozilla firefox\gkmedias.dll

2012-03-19 14:24:42 44472 ----a-w- c:\program files\mozilla firefox\mozglue.dll

.

==================== Find3M ====================

.

2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys

2012-01-31 12:44:05 237072 ------w- c:\windows\system32\MpSigStub.exe

2012-01-11 19:06:47 3072 ------w- c:\windows\system32\iacenc.dll

.

============= FINISH: 13:55:58.43 ===============

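The DDS log above already shows what a responder would zero in on before any further tool runs: two services are hosted out of `svchost.exe -k netsvcs` under names that are not members of the Windows netsvcs group (`avg7alrt` with display name `Rnadirmultiplexor`, and `mferkdk` with display name `Hcf_msft`), and a boot-start driver with a random-looking name whose image DDS could not find (`xxaxrllb`, registered through a `\??\` path). Fake or hijacked netsvcs entries and randomly named drivers are the hallmark of service-hijacking rootkits such as the ZeroAccess infection the poster mentions. The script below is an added example, not part of this thread and not DDS, Malwarebytes or Microsoft code; it parses the SERVICES / DRIVERS lines quoted above and applies three heuristics. The netsvcs allowlist is an illustrative subset and the gibberish test is deliberately crude (both are assumptions), so treat the output as a shortlist for a human, not a verdict.

```python
"""Triage the "SERVICES / DRIVERS" section of a DDS log for service-hijacking
rootkit hallmarks.  Added example; not part of the forum thread or of DDS."""
import re
from collections import namedtuple

# Sample input: the sixteen service/driver lines copied from the DDS log above.
DDS_SERVICES = r"""
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165648]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-4-27 652360]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-4-27 20464]
S0 cerc6;cerc6; [x]
S1 xxaxrllb;xxaxrllb;\??\c:\windows\system32\drivers\xxaxrllb.sys --> c:\windows\system32\drivers\xxaxrllb.sys [?]
S2 avg7alrt;Rnadirmultiplexor;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-4-1 136176]
S2 mferkdk;Hcf_msft;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-4-1 136176]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshim.sys --> c:\windows\system32\drivers\AVGIDSShim.Sys [?]
"""

Service = namedtuple("Service", "state start name display image missing")
Finding = namedtuple("Finding", "name severity reasons")

# DDS line shape: "<R|S><start-type> <name>;<display>;<image> [date size]"
LINE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)$")

# Services that legitimately live in "svchost.exe -k netsvcs" on XP SP3.
# Assumption: an illustrative subset.  Build the real list from the netsvcs
# value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost on a
# known-clean machine of the same build.
NETSVCS_ALLOWLIST = {
    "appmgmt", "audiosrv", "bits", "browser", "cryptsvc", "dmserver", "ersvc",
    "eventsystem", "helpsvc", "hidserv", "lanmanserver", "lanmanworkstation",
    "netman", "nla", "ntmssvc", "rasauto", "rasman", "remoteaccess", "schedule",
    "seclogon", "sens", "sharedaccess", "shellhwdetection", "srservice",
    "tapisrv", "themes", "trkwks", "w32time", "winmgmt", "wuauserv", "wzcsvc",
    "xmlprov",
}
VOWELS = set("aeiouy")


def parse_services(text):
    """Parse DDS service/driver lines into Service records; skip other lines."""
    services = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        state, start, name, display, rest = m.groups()
        rest = rest.strip()
        # DDS writes "[x]" when no image path is registered and "[?]" when the
        # path it resolved could not be found; "[date size]" means it was found.
        missing = rest.endswith("[x]") or rest.endswith("[?]")
        # Keep the registered path only; drop the "--> resolved" and "[...]" tails.
        image = "" if rest.startswith("[") else rest.split(" -->")[0].split(" [")[0]
        services.append(Service(state, int(start), name, display, image, missing))
    return services


def looks_random(name):
    """Crude gibberish test: 6+ lowercase letters with fewer than 20% vowels."""
    if len(name) < 6 or not name.isalpha() or not name.islower():
        return False
    return sum(c in VOWELS for c in name) / len(name) < 0.2


def triage(services, netsvcs_allowlist=NETSVCS_ALLOWLIST):
    """Return one Finding per service that trips at least one heuristic."""
    findings = []
    for s in services:
        high, low = [], []
        image = s.image.lower()
        if ("svchost.exe" in image and "-k netsvcs" in image
                and s.name.lower() not in netsvcs_allowlist):
            high.append("unknown service hosted in svchost.exe -k netsvcs")
        if looks_random(s.name):
            high.append("random-looking service name")
        if s.missing:
            # A missing image cannot load: usually an uninstall leftover, or
            # residue of an earlier cleanup when the name is also suspicious.
            low.append("image file not found (%s)" % (s.image or "no path registered"))
        if high or low:
            findings.append(Finding(s.name, "HIGH" if high else "LOW", high + low))
    return findings


def report(findings):
    """Render findings as text, HIGH severity first, then by name."""
    order = {"HIGH": 0, "LOW": 1}
    rows = sorted(findings, key=lambda f: (order[f.severity], f.name))
    return "\n".join("%-4s %-12s %s" % (f.severity, f.name, "; ".join(f.reasons))
                     for f in rows)


if __name__ == "__main__":
    print(report(triage(parse_services(DDS_SERVICES))))
```

On the lines above this flags `avg7alrt`, `mferkdk` and `xxaxrllb` as HIGH and `cerc6` and `AVGIDSShim` as LOW (missing image only; `cerc6` and `AVGIDSShim` are the kind of orphaned entries an uninstaller leaves behind, which is why a missing image on its own is not treated as evidence of infection). Run it against a fresh DDS log after each cleanup pass to confirm the HIGH entries are gone rather than merely renamed.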

1 month later...

Hello BingoBingo and welcome to Malwarebytes!

I am D-FRED-BROWN and I will be helping you. :)

Please print or save this topic: it will make it easier for you to follow the instructions and complete all of the necessary steps.

-------------

Please download to your Desktop:

  • TDSSKiller.zip from here and extract it (right click on it => "Extract here").

>>> TDSSKiller: Double-click on TDSSKiller.exe to run the application.

  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the system drive (usually C:\) in the form "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

In your next reply, please include the following (you may need to use two posts to get it all in):

  • TDSSKiller_log.txt

How is the PC running now?

-------------

Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

***IMPORTANT: save ComboFix to your Desktop***

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please go here to see a list of programs that should be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall**

Please include the C:\ComboFix.txt in your next reply for further review.

Also, please let me know if any problems still remain.

-------------

Please download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-------------

In your next reply, please include:

  • TDSSKiller logfile
  • C:\ComboFix.txt
  • Security Check checkup.txt

How is your computer running now?


2 weeks later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
