Jump to content

Alureon.h wont go away!


Recommended Posts

I was able to get rid of the worst of it but Alureon.h rootkit is not going away by any means. Microsoft Security Essentials errors when I try to remove it saying its being blocked by Group Policy, and any other program I try has failed. Im desperately looking for help, what steps do I need to take?

Link to post
Share on other sites

DDS (Ver_10-03-17.01) - NTFSx86

Run by Drakken at 15:53:10.91 on Thu 08/12/2010

Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_18

Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3544.1806 [GMT -7:00]

SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_4b688614b891b07a\STacSV.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_4b688614b891b07a\aestsrv.exe

C:\Windows\System32\svchost.exe -k Akamai

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\Program Files\CDBurnerXP\NMSAccessU.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k bthsvcs

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Verizon\McciTrayApp.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Users\Drakken\AppData\Local\Google\Update\GoogleUpdate.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Users\Drakken\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Drakken\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Drakken\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Drakken\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Drakken\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Drakken\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Drakken\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Drakken\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Drakken\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Drakken\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Drakken\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Drakken\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Drakken\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Drakken\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Drakken\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Drakken\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Drakken\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Drakken\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Drakken\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Drakken\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Drakken\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Drakken\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Drakken\Downloads\windows-kb890830-v3.10.exe

c:\30cb8fcc3149f4c557\mrtstub.exe

C:\Windows\system32\MRT.exe

C:\Users\Drakken\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Program Files\Exterminate It!\ExterminateIt.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Users\Drakken\Downloads\dds.scr

C:\Windows\system32\conhost.exe

c:\Program Files\Microsoft Security Client\Antimalware\MpCmdRun.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com

uStart Page = hxxp://www.google.com/

uSearch Bar = hxxp://www.google.com/ie

uDefault_Search_URL = hxxp://www.google.com/ie

uInternet Settings,ProxyServer = 127.0.0.1:8580

uInternet Settings,ProxyOverride = <local>

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

uURLSearchHooks: H - No File

mWinlogon: Userinit=c:\windows\system32\userinit.exe

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Microsoft Antimalware Script Scanner: {97055cd1-f6c4-40f8-af50-932f1890e7f5} - c:\program files\microsoft security client\antimalware\MpBHO.dll

uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun

uRun: [Google Update] "c:\users\drakken\appdata\local\google\update\GoogleUpdate.exe" /c

mRun: [<NO NAME>]

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [Verizon_McciTrayApp] "c:\program files\verizon\McciTrayApp.exe"

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm

IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB

DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab

DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxp://support.dell.com/systemprofiler/SysProExe.CAB

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Notify: igfxcui - igfxdev.dll

Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-6-29 165520]

R1 MpKsl765a6bc8;MpKsl765a6bc8;c:\windows\system32\mpenginestore\MpKsl765a6bc8.sys [2010-8-12 28752]

R1 MpKslaf066697;MpKslaf066697;c:\programdata\microsoft\microsoft antimalware\definition updates\{6bcb1c89-2a7b-4af5-8dc4-a29895f4412a}\MpKslaf066697.sys [2010-8-12 28752]

R1 SASDIFSV;SASDIFSV;c:\users\vivian\appdata\local\temp\sas_selfextract\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\users\vivian\appdata\local\temp\sas_selfextract\saskutil.sys [2010-5-10 67656]

R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_x86_neutral_4b688614b891b07a\AEstSrv.exe [2009-10-21 81920]

R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-7-13 20992]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-5-13 304464]

R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-11-27 1153368]

R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2009-10-21 29736]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-5-13 20952]

R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-6-29 43392]

R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-6-29 54400]

R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-6-26 261992]

R3 OA009Ufd;Creative Camera OA009 Upper Filter Driver;c:\windows\system32\drivers\OA009Ufd.sys [2009-10-21 144672]

R3 OA009Vid;Creative Camera OA009 Function Driver;c:\windows\system32\drivers\OA009Vid.sys [2009-10-21 269216]

R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-9-28 315392]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]

S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-2-26 1343400]

=============== Created Last 30 ================

2010-08-12 22:52:04 0 ----a-w- c:\users\drakken\defogger_reenable

2010-08-12 22:42:44 0 d-----w- c:\program files\Exterminate It!

2010-08-12 22:36:46 0 d-----w- c:\windows\system32\MpEngineStore

2010-08-12 22:35:38 0 d-----w- C:\30cb8fcc3149f4c557

2010-08-12 22:27:32 582656 ----a-w- c:\windows\system32\gpprefcl.dll

2010-08-12 22:17:48 0 d-----w- c:\program files\WBFS

2010-08-12 21:58:52 3544 ------w- C:\bootsqm.dat

2010-08-12 04:21:34 47616 ---ha-w- c:\windows\system32\chglicpl.dll

2010-08-12 03:12:06 338944 ----a-w- c:\windows\system32\drivers\htvkwufn.sys

2010-08-12 02:59:44 338944 ----a-w- c:\windows\system32\drivers\nexjkzsw.sys

2010-08-12 02:45:50 338944 ----a-w- c:\windows\system32\drivers\cvdypcoz.sys

2010-08-11 23:21:25 240008 ----a-w- c:\windows\system32\drivers\netio.sys

2010-08-11 13:30:48 0 d-----w- c:\programdata\SUPERAntiSpyware.com

2010-08-11 01:08:27 85 ----a-w- c:\windows\wininit.ini

2010-07-24 19:15:33 65536 --sha-w- c:\users\drakken\ntuser.dat{fa0dbb7c-9755-11df-a404-002556e34354}.TM.blf

2010-07-24 19:15:33 524288 --sha-w- c:\users\drakken\ntuser.dat{fa0dbb7c-9755-11df-a404-002556e34354}.TMContainer00000000000000000002.regtrans-ms

2010-07-24 19:15:33 524288 --sha-w- c:\users\drakken\ntuser.dat{fa0dbb7c-9755-11df-a404-002556e34354}.TMContainer00000000000000000001.regtrans-ms

2010-07-24 19:03:04 0 d-----w- c:\windows\Profiles

2010-07-24 15:25:50 0 d-----w- c:\windows\Temp1DEEDFEA-6567-56F2-E6A6-3AC7529B0C9C-Signatures

2010-07-24 15:24:55 0 d-----w- c:\program files\Microsoft Security Client

2010-07-24 15:24:42 0 d-----w- C:\e74730651a50b56113aa0b97339bc6fe

2010-07-18 08:52:24 15872 --sha-w- c:\users\drakken\Thumbs.db

2010-07-16 20:43:13 0 d--h--w- c:\users\drakken\Tracing

==================== Find3M ====================

2010-07-29 06:30:49 197632 ----a-w- c:\windows\system32\ir32_32.dll

2010-07-29 06:30:34 82944 ----a-w- c:\windows\system32\iccvid.dll

2010-06-30 06:56:42 54400 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys

2010-06-30 06:56:42 43392 ----a-w- c:\windows\system32\drivers\MpNWMon.sys

2010-06-30 06:56:42 165520 ----a-w- c:\windows\system32\drivers\MpFilter.sys

2010-06-30 06:25:31 978432 ----a-w- c:\windows\system32\wininet.dll

2010-06-22 02:47:35 310784 ----a-w- c:\windows\system32\drivers\srv.sys

2010-06-22 02:47:21 307200 ----a-w- c:\windows\system32\drivers\srv2.sys

2010-06-22 02:47:13 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys

2010-06-19 06:33:29 3955080 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-06-19 06:33:29 3899784 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-06-19 06:23:50 37376 ----a-w- c:\windows\system32\rtutils.dll

2010-06-19 04:07:18 2326016 ----a-w- c:\windows\system32\win32k.sys

2010-06-16 05:48:35 224256 ----a-w- c:\windows\system32\schannel.dll

2010-06-14 19:17:46 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-06-14 06:12:30 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys

2010-06-08 06:02:06 1233920 ----a-w- c:\windows\system32\msxml3.dll

2010-06-03 02:41:44 3600384 ----a-w- c:\windows\system32\GPhotos.scr

2010-06-02 11:55:30 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll

2010-06-02 11:55:30 527192 ----a-w- c:\windows\system32\XAudio2_7.dll

2010-06-02 11:55:30 239960 ----a-w- c:\windows\system32\xactengine3_7.dll

2010-05-27 07:24:13 34304 ----a-w- c:\windows\system32\atmlib.dll

2010-05-27 03:49:37 293888 ----a-w- c:\windows\system32\atmfd.dll

2010-05-26 18:41:02 470880 ----a-w- c:\windows\system32\d3dx10_43.dll

2010-05-26 18:41:02 248672 ----a-w- c:\windows\system32\d3dx11_43.dll

2010-05-26 18:41:02 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll

2010-05-26 18:41:02 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll

2010-05-26 18:41:02 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll

2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat

2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat

2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat

2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat

2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini

2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat

2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat

2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat

2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat

2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 16:02:11.98 ===============

Attach.zip

Link to post
Share on other sites

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4422

Windows 6.1.7600 (Safe Mode)

Internet Explorer 8.0.7600.16385

8/12/2010 1:33:52 PM

mbam-log-2010-08-12 (13-33-52).txt

Scan type: Full scan (C:\|)

Objects scanned: 256931

Time elapsed: 49 minute(s), 43 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Windows\System32\0.09188179878289182.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Link to post
Share on other sites

Hi,

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them:
    Click me
    If you can't disable them then just continue on.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

Link to post
Share on other sites

  • 2 weeks later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.