Forefront Client Security calls it "Win32/Alureon.H" won't go away


So I read the I'm infected, what do I do now page, and I'll post that stuff here in a second. I'm running Windows Vista Enterprise SP2. I didn't notice this infection until I started getting messages saying things like "couldn't run explorer.exe, program is infected. Would you like to run antispyware now?" from antispyware soft. Cleaned that out easily, but now I still have this alureon.h thing. It won't let me log in to safe mode normally, and all the stuff that should be on my desktop doesn't actually appear on the desktop whether or not I'm in safe mode (it's still in the directory C:\Users\My_Name but it doesn't appear when I log on). I got rid of antispyware soft by updating and running Malwarebytes, and then I ran Forefront Client Security just to be safe, and that's where I found out about Alureon.H, since Malwarebytes hadn't caught it. At this point I still had my desktop, and I was going to run all these programs (Defogger, DDS, GMER), but then running GMER caused a physical memory dump, and that was when my desktop disappeared. I can still go through the directory to access the files that were on it, but Malwarebytes' logs seem to have been erased or something. Also, Forefront Client Security can't delete the virus and can't update itself. DDS log will follow, for what it helps.

DDS (Ver_10-03-17.01) - NTFSx86
Run by DZIUBEK_ANDR at 3:37:08.64 on Tue 05/25/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_15
Microsoft

Hello Robertodole! Welcome to MalwareBytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something, please ask.
  • Do not install or uninstall any software or hardware while we work on it.

Step 1

  • Launch Malwarebytes' Anti-Malware
  • Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step 2

Download RootRepeal Beta on your desktop.

  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
    Note: The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program

If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

In your next reply, please include these log(s) in this sequence:

  1. MalwareBytes' Anti-Malware log
  2. RootRepeal log
  3. a new fresh DDS log with Attach.txt

Hi Borislav! While I was waiting for your reply, I found a couple of sites had recommended Hitman Pro to get rid of the Alureon family of viruses, so I tried that, and it found 3 or 4 things (I can't remember what they were all called, but one of them was a rootkit) and needed a restart to completely remove them. Upon restart, I had my desktop back, which made me very happy, but I still didn't trust that everything was gone, so I ran Malwarebytes again (it found nothing, again), as well as running Forefront Client Security again. Forefront found one problem and cleaned it successfully, but now I have a different set of problems which should (hopefully) be much simpler to solve: I have a Google redirect malware that doesn't redirect if I open the link in a new tab, and I can't open a new tab unless I'm right clicking on a link and clicking open in new tab :-\ I was actually just running Malwarebytes again to try to get rid of the Google redirect when I checked back here. Is it ok if I'm running a full scan instead of a quick scan?

Ran Malwarebytes, which found 2 items and wanted a restart to clean them; the log is below. Ran RootRepeal, which caused a physical memory dump due to BAD_POOL_HEADER (I tried again, same thing happened). Ran DDS again just in case you want that log file. Here's the Malwarebytes log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4140
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904
5/26/2010 4:42:59 PM
mbam-log-2010-05-26 (16-42-59).txt
Scan type: Full scan (C:\|F:\|)
Objects scanned: 301557
Time elapsed: 1 hour(s), 19 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\appsecdll (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Users\DZIUBEK_ANDR\Templates\memory.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

And here's DDS.txt:

DDS (Ver_10-03-17.01) - NTFSx86
Run by DZIUBEK_ANDR at 17:02:14.38 on Wed 05/26/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_15
Microsoft
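A small parser for the MBAM log format posted above, added here as an example (it is not part of the thread and not Malwarebytes' own tooling): it reads the summary counters and the detected items, and flags any counter that does not match its detail section, which is how a truncated or hand-edited log shows up. The sample log is constructed from the lines of the first log in this thread.

```python
"""Parser for Malwarebytes' Anti-Malware 1.x text logs, the format posted in this
thread (added example; not the thread's own text nor Malwarebytes' tooling).
It pulls out the summary counters and the detected items, then cross-checks
that every counter matches the number of items listed in its detail section."""
import re

# Constructed sample: lines taken from the first log in this thread, shortened.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46
Database version: 4140
Windows 6.0.6002 Service Pack 2
Scan type: Full scan (C:\|F:\|)
Objects scanned: 301557
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\appsecdll (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\Users\DZIUBEK_ANDR\Templates\memory.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")  # "Files Infected: 1"
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")                  # "Files Infected:"
# Detail line: "<path> (<detection name>) -> <action taken>"
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+)$")


def parse_mbam_log(text):
    """Return (summary, items, mismatches).

    summary    -> {section name: count declared in the summary block}
    items      -> [{section, path, detection, action}, ...] from the detail blocks
    mismatches -> sections whose declared count differs from the items listed
    """
    summary, items, section = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := SUMMARY_RE.match(line):
            summary[m["section"]] = int(m["count"])
        elif m := SECTION_RE.match(line):
            section = m["section"]  # a detail block starts here
        elif section and line != "(No malicious items detected)":
            if m := ITEM_RE.match(line):
                items.append({"section": section, **m.groupdict()})
    listed = {s: sum(i["section"] == s for i in items) for s in summary}
    mismatches = [s for s in summary if summary[s] != listed[s]]
    return summary, items, mismatches


if __name__ == "__main__":
    for item in parse_mbam_log(SAMPLE_LOG)[1]:
        print(f'{item["section"]}: {item["path"]} [{item["detection"]}]')
```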

Ok, Malwarebytes found nothing, and I attached all the logs you asked for.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4149
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904
5/27/2010 4:44:45 PM
mbam-log-2010-05-27 (16-44-45).txt
Scan type: Quick scan
Objects scanned: 134624
Time elapsed: 6 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)

Now DDS:

DDS (Ver_10-03-17.01) - NTFSx86
Run by DZIUBEK_ANDR at 16:45:13.49 on Thu 05/27/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_15
Microsoft

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  2. During the download, rename Combofix to Combo-Fix as follows:
    (screenshots: CF_download_FF.gif, CF_download_rename.gif)
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

Step 1

Open Notepad and copy and paste the text in the code box below into it:

    DirLook::
    c:\users\DZIUBEK_ANDR\AppData\Local\garpmcoaa

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

(screenshot: CFScriptB-4.gif)

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

When I dragged the .txt document onto ComboFix, it said that I didn't have the most up to date ComboFix and asked if I wanted to update, but you hadn't said to update ComboFix so I didn't. Combofix.txt is below:

ComboFix 10-05-27.01 - DZIUBEK_ANDR 05/28/2010 14:27:04.2.2 - x86
Microsoft

It's no problem.

Open Notepad and copy and paste the text in the code box below into it:

    http://forums.malwarebytes.org/index.php?showtopic=51637

    KillAll::

    Collect::[8]
    c:\windows\system32\drivers\hxjoxjte.sys
    c:\windows\system32\drivers\zjqmxfjr.sys

    Folder::
    c:\users\DZIUBEK_ANDR\AppData\Local\garpmcoaa

    RegLock::
    [HKEY_USERS\S-1-5-21-1229846427-2226813820-890958922-21505\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

(screenshot: CFScriptB-4.gif)

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

While ComboFix was running, something came up that a program had been forced to close. I didn't think to write down the name, but I think it was something like mbrcfxx.exe or something similar. Here's ComboFix's log:

ComboFix 10-05-27.01 - DZIUBEK_ANDR 05/28/2010 15:15:55.3.2 - x86
Microsoft

On the actual page it says finished, but when I copy and paste it says queued instead of finished, but I'm sure it's done...

File SystemPropertiesRemote.exe received on 2010.05.28 20:07:14 (UTC)

Result: 0/41 (0%)

Antivirus              Version          Last Update  Result
a-squared              4.5.0.50         2010.05.10   -
AhnLab-V3              2010.05.28.01    2010.05.28   -
AntiVir                8.2.1.242        2010.05.28   -
Antiy-AVL              2.0.3.7          2010.05.26   -
Authentium             5.2.0.5          2010.05.28   -
Avast                  4.8.1351.0       2010.05.28   -
Avast5                 5.0.332.0        2010.05.28   -
AVG                    9.0.0.787        2010.05.28   -
BitDefender            7.2              2010.05.28   -
CAT-QuickHeal          10.00            2010.05.28   -
ClamAV                 0.96.0.3-git     2010.05.28   -
Comodo                 4942             2010.05.25   -
DrWeb                  5.0.2.03300      2010.05.28   -
eSafe                  7.0.17.0         2010.05.27   -
eTrust-Vet             35.2.7516        2010.05.28   -
F-Prot                 4.6.0.103        2010.05.28   -
F-Secure               9.0.15370.0      2010.05.28   -
Fortinet               4.1.133.0        2010.05.28   -
GData                  21               2010.05.28   -
Ikarus                 T3.1.1.84.0      2010.05.28   -
Jiangmin               13.0.900         2010.05.28   -
Kaspersky              7.0.0.125        2010.05.28   -
McAfee                 5.400.0.1158     2010.05.28   -
McAfee-GW-Edition      2010.1           2010.05.28   -
Microsoft              1.5802           2010.05.28   -
NOD32                  5154             2010.05.28   -
Norman                 6.04.12          2010.05.28   -
nProtect               2010-05-28.01    2010.05.28   -
Panda                  10.0.2.7         2010.05.28   -
PCTools                7.0.3.5          2010.05.28   -
Prevx                  3.0              2010.05.28   -
Rising                 22.49.04.04      2010.05.28   -
Sophos                 4.53.0           2010.05.28   -
Sunbelt                6370             2010.05.28   -
Symantec               20101.1.0.89     2010.05.28   -
TheHacker              6.5.2.0.288      2010.05.27   -
TrendMicro             9.120.0.1004     2010.05.28   -
TrendMicro-HouseCall   9.120.0.1004     2010.05.28   -
VBA32                  3.12.12.5        2010.05.28   -
ViRobot                2010.5.20.2326   2010.05.28   -
VirusBuster            5.0.27.0         2010.05.28   -

Additional information
File size: 81920 bytes
MD5...: 41baa8ac67d4dcc62528dc55f16c3337
SHA1..: 2a72fac808d6428fafc14468c87d95e345b6f369
SHA256: 52a2d85584a58c44e32f4857efba3f5ea4fb76200a9bb148f041032dc4334f67
ssdeep: 1536:7MAtRECfrMcgEPJF+G57ThjEC0kzJP+V5JL9:xzECzMpurhjRVJGx9
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x14bf
timedatestamp.....: 0x4549b0b7 (Thu Nov 02 08:47:51 2006)
machinetype.......: 0x14c (I386)
( 4 sections )
name    viradd   virsiz   rawdsiz  ntrpy  md5
.text   0x1000   0xccc    0xe00    5.79   cc18ccfcbacd47da54aaa8b63774b281
.data   0x2000   0x37c    0x200    0.30   a497d24ecb6e112af339fa7456a7af7f
.rsrc   0x3000   0x12620  0x12800  7.25   798116062e55a1247e8bd4060e96a74a
.reloc  0x16000  0x22c    0x400    2.31   ec09909c870fb39751e4e6c5d4965439
( 3 imports )
> msvcrt.dll: _except_handler4_common, _controlfp, _terminate@@YAXXZ, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _amsg_exit, _initterm, _wcmdln, exit, _XcptFilter, _exit, _cexit, __wgetmainargs
> SYSDM.CPL: DisplaySYSDMCPL
> KERNEL32.dll: GetCurrentProcess, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, GetModuleHandleA, SetUnhandledExceptionFilter, GetStartupInfoW, InterlockedCompareExchange, Sleep, InterlockedExchange, UnhandledExceptionFilter
( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (42.3%)
        Win32 Dynamic Link Library (generic) (37.6%)
        Generic Win/DOS Executable (9.9%)
        DOS Executable Generic (9.9%)
        Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
Symantec Reputation Network: Suspicious.Insight http://www.symantec.com/security_response/...-021223-0550-99
sigcheck:
publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: System Remote Settings
original name: SystemPropertiesRemote.EXE
internal name: SystemPropertiesRemote
file version.: 6.0.6000.16386 (vista_rtm.061101-2205)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

You're welcome! :D

Last steps:

Step 1

  • Go to Start > Run and copy and paste the next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit Enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Step 2

Please manually delete GMER, DDS, RootRepeal and JavaRa.

Step 3

To enable CD Emulation programs using DeFogger please perform these steps:

  1. Please download DeFogger to your desktop.
  2. Once downloaded, double-click on the DeFogger icon to start the tool.
  3. The application window will now appear. You should now click on the Enable button to enable your CD Emulation drivers.
  4. When it prompts you whether or not you want to continue, please click on the Yes button to continue.
  5. When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
  6. If CD Emulation programs are present and have been enabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.

Step 4

Some malware preventions:

http://miekiemoes.blogspot.com/2008/02/how...nt-malware.html

Safe surfing! :)
