win32/alureon.h problem need help! [Solved]


  • This topic is locked

#1
aj95023

    New Member

  • Member
  • 8 posts
Hi guys, I've been dealing with the dreaded win32/alureon.h problem. It redirects all my searches and I cannot seem to get rid of it. I did a scan with Microsoft Security Essentials; it identified the problem and said it disinfected it. Rebooted and it seemed to be gone, but after another reboot the virus shows back up again. I have used Spybot, Malwarebytes, Microsoft Security Essentials and nothing has been able to remove this virus. Any help would be much appreciated. Thanks in advance!
  • 0



#2
aj95023

    New Member

  • Topic Starter
  • Member
  • 8 posts
Here is my ComboFix log. Hope someone can help!


ComboFix 10-05-16.01 - FRED 05/16/2010 23:35:58.1.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2939.1949 [GMT -7:00]
Running from: c:\users\FRED\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WGASetup.exe

.
((((((((((((((((((((((((( Files Created from 2010-04-17 to 2010-05-17 )))))))))))))))))))))))))))))))
.

2010-05-17 06:34 . 2010-05-17 06:34 -------- d-----w- C:\32788R22FWJFW
2010-05-17 04:13 . 2010-05-17 04:13 56912 ----a-w- c:\windows\system32\drivers\iffjqtid.sys
2010-05-16 06:42 . 2009-10-10 02:57 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys
2010-05-16 06:42 . 2009-10-10 02:31 84992 ----a-w- c:\windows\system32\drivers\sdbus.sys
2010-05-16 04:30 . 2010-03-04 07:33 740864 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-16 04:23 . 2010-05-16 04:23 56912 ----a-w- c:\windows\system32\drivers\uvwtuzih.sys
2010-05-16 02:23 . 2010-05-16 02:33 -------- d-----w- c:\users\FRED\AppData\Roaming\Sammsoft
2010-05-16 02:22 . 2010-05-16 04:12 -------- d-----w- c:\program files\Advanced Registry Optimizer
2010-05-16 02:05 . 2010-05-16 04:12 -------- d-----w- c:\programdata\Hitman Pro
2010-05-14 20:08 . 2010-05-14 20:08 -------- d-----w- c:\programdata\Lexmark S300-S400 Series
2010-05-14 02:08 . 2008-06-02 23:19 29576 ----a-w- c:\windows\system32\drivers\kcom.sys
2010-05-14 02:07 . 2010-05-14 02:07 -------- d-----w- c:\users\FRED\AppData\Roaming\PC Tools
2010-05-13 16:10 . 2010-05-13 16:10 -------- d-----w- c:\users\FRED\AppData\Local\Apple
2010-05-13 15:47 . 2010-05-13 15:47 -------- d-----w- c:\users\FRED\AppData\Local\Diagnostics
2010-05-12 23:37 . 2010-05-12 23:37 -------- d-----w- c:\windows\Sun
2010-05-12 20:19 . 2010-05-12 20:23 -------- d-----w- c:\users\FRED\AppData\Local\Apple Computer
2010-05-12 20:05 . 2010-05-12 20:05 -------- d-----w- c:\users\FRED\AppData\Roaming\Malwarebytes
2010-05-12 20:05 . 2010-05-12 20:05 -------- d-----w- c:\programdata\Malwarebytes
2010-05-12 20:05 . 2010-05-13 15:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-11 22:25 . 2010-05-11 22:33 -------- d-----w- c:\users\FRED\AppData\Local\Nero
2010-05-11 22:23 . 2010-05-16 04:12 -------- d-----w- c:\users\FRED\AppData\Local\Nero_AG
2010-05-11 22:22 . 2010-05-11 22:22 -------- d-----w- c:\users\FRED\AppData\Roaming\Nero
2010-05-11 22:09 . 2010-05-11 22:20 -------- d-----w- c:\programdata\Nero
2010-05-11 22:08 . 2010-05-16 04:12 -------- d-----w- c:\program files\Common Files\Nero
2010-05-11 22:08 . 2010-05-11 22:20 -------- d-----w- c:\program files\Nero
2010-05-11 21:22 . 2010-05-16 04:12 -------- d-----w- c:\program files\dvdSanta
2010-05-01 03:22 . 2010-05-01 03:22 -------- d-----w- c:\program files\Common Files\Sony Shared
2010-05-01 03:11 . 2010-05-01 03:11 -------- d-----w- c:\users\FRED\AppData\Roaming\Sony Corporation
2010-04-30 23:14 . 2010-05-16 04:10 -------- d-----w- c:\programdata\Sony Corporation
2010-04-30 23:13 . 2010-05-01 03:29 -------- d-----w- c:\program files\Sony
2010-04-30 22:51 . 2010-04-30 22:51 -------- d-----w- c:\program files\ArcSoft
2010-04-30 21:24 . 2010-04-30 21:24 -------- d-----w- c:\users\FRED\.pdfsam
2010-04-30 20:26 . 2010-04-30 20:26 -------- d-----w- c:\program files\Common Files\Java
2010-04-30 20:26 . 2010-04-30 20:25 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-30 20:25 . 2010-04-30 20:25 -------- d-----w- c:\program files\Java
2010-04-30 20:16 . 2010-04-30 20:16 -------- d-----w- c:\program files\pdfsam
2010-04-28 03:03 . 2010-04-28 03:03 -------- d-----w- c:\users\FRED\AppData\Roaming\StreamTorrent
2010-04-28 03:03 . 2010-04-28 03:03 -------- d-----w- c:\program files\StreamTorrent 1.0
2010-04-28 01:43 . 2010-04-28 01:43 -------- d-----w- c:\users\FRED\AppData\Roaming\EPSON
2010-04-27 17:30 . 2009-09-26 05:58 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys
2010-04-27 17:30 . 2009-12-11 07:44 133720 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2010-04-27 17:30 . 2009-12-11 07:38 1037312 ----a-w- c:\windows\system32\lsasrv.dll
2010-04-27 01:59 . 2010-04-27 01:59 -------- d-----w- c:\users\FRED\AppData\Roaming\skypePM
2010-04-27 01:58 . 2010-04-30 07:32 -------- d-----w- c:\users\FRED\AppData\Roaming\Skype
2010-04-27 01:58 . 2010-04-27 01:58 -------- d-----w- c:\program files\Common Files\Skype
2010-04-27 01:58 . 2010-04-27 01:58 -------- d-----r- c:\program files\Skype
2010-04-27 01:58 . 2010-04-27 01:58 -------- d-----w- c:\programdata\Skype
2010-04-26 18:31 . 2010-04-26 18:31 -------- d-----w- c:\users\FRED\AppData\Local\Opera
2010-04-26 18:31 . 2010-05-16 04:12 -------- d-----w- c:\program files\Opera
2010-04-25 02:39 . 2010-04-25 02:40 -------- d-----w- c:\program files\Veetle
2010-04-24 05:35 . 2010-04-24 05:35 -------- d-----w- c:\users\FRED\AppData\Local\Yahoo!
2010-04-24 03:15 . 2010-05-17 06:34 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-04-24 03:15 . 2010-05-17 06:34 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-23 22:25 . 2010-04-23 22:25 -------- d-----w- c:\program files\MSXML 4.0
2010-04-23 21:32 . 2010-04-23 21:32 -------- d-----w- c:\program files\epson
2010-04-23 21:32 . 2009-05-01 07:00 15872 ----a-w- c:\windows\system32\escdev.dll
2010-04-23 21:32 . 2009-05-01 07:00 128392 ----a-w- c:\windows\system32\esdevapp.exe
2010-04-23 21:32 . 2007-12-06 07:00 73216 ----a-w- c:\windows\system32\eswia66.dll
2010-04-23 21:32 . 2006-08-25 07:00 65793 ----a-w- c:\windows\system32\esfw66.bin
2010-04-23 21:32 . 2006-08-25 07:00 163840 ----a-w- c:\windows\system32\esint66.dll
2010-04-23 21:32 . 2006-03-10 07:00 3584 ----a-w- c:\windows\system32\eswiaml.dll
2010-04-23 19:36 . 2010-04-23 19:36 -------- d-----w- c:\users\FRED\AppData\Roaming\Calyx Software
2010-04-23 19:35 . 2009-08-07 22:45 1064960 ----a-w- c:\windows\system32\cdintf300.dll
2010-04-23 19:35 . 2009-08-07 22:45 1064960 ----a-w- c:\windows\system32\acXMLParser.dll
2010-04-23 19:00 . 2001-04-13 00:06 137 ----a-w- c:\windows\system32\ini.bat
2010-04-23 19:00 . 1998-03-20 20:42 45568 ----a-w- c:\windows\system32\saxxfr32.dll
2010-04-23 19:00 . 1998-03-20 19:42 91136 ----a-w- c:\windows\system32\saxcom32.dll
2010-04-23 19:00 . 1999-07-07 07:08 135680 ----a-w- c:\windows\system32\escli32.dll
2010-04-23 19:00 . 1999-08-17 09:23 172032 ----a-w- c:\windows\system32\SAXFile.dll
2010-04-23 19:00 . 2010-04-23 19:00 92 ----a-w- c:\users\FRED\AppData\Local\fusioncache.dat
2010-04-23 19:00 . 2010-04-23 19:00 -------- d-----w- c:\program files\Microsoft WSE
2010-04-23 18:59 . 2010-04-23 19:29 -------- d-----w- c:\users\FRED\AppData\Local\ApplicationHistory
2010-04-23 18:58 . 2010-05-01 03:29 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-23 18:56 . 2010-04-23 18:56 -------- d-----w- c:\windows\system32\URTTEMP
2010-04-23 18:54 . 2010-04-30 22:51 -------- d-----w- c:\program files\Common Files\InstallShield
2010-04-23 02:38 . 2010-01-21 23:21 767952 ----a-w- c:\windows\BDTSupport.dll
2010-04-23 02:38 . 2010-01-21 23:21 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-04-23 02:38 . 2009-10-28 08:36 1152444 ----a-w- c:\windows\UDB.zip
2010-04-23 02:38 . 2008-11-26 19:08 131 ----a-w- c:\windows\IDB.zip
2010-04-23 02:38 . 2010-01-21 23:21 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-04-23 02:38 . 2010-01-21 23:21 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-04-23 02:38 . 2009-10-30 18:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-04-23 02:38 . 2009-10-30 18:09 98600 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2010-04-23 02:37 . 2009-11-09 18:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-04-23 02:37 . 2009-10-06 23:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-04-23 02:37 . 2009-09-03 16:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-04-23 02:36 . 2010-05-16 04:12 -------- d-----w- c:\program files\Spyware Doctor
2010-04-23 02:36 . 2010-05-16 04:12 -------- d-----w- c:\program files\Common Files\PC Tools
2010-04-22 19:06 . 2010-04-22 19:06 -------- d-----w- c:\program files\Safari
2010-04-22 06:17 . 2010-04-22 06:17 -------- d-----w- c:\users\FRED\AppData\Roaming\Windows 7 Activation Terminator
2010-04-22 05:52 . 2010-02-10 23:17 398336 ----a-w- c:\windows\system32\TVWizudlg.exe
2010-04-22 05:07 . 2010-04-22 05:53 -------- d-----w- C:\Intel
2010-04-22 05:05 . 2010-04-22 05:05 -------- d-----w- c:\program files\Microsoft Silverlight
2010-04-22 05:02 . 2010-04-22 05:02 -------- d-----w- c:\users\FRED\AppData\Roaming\S300-S400 Series
2010-04-22 04:58 . 2010-04-22 04:58 -------- d-----w- c:\windows\system32\Wat
2010-04-22 04:54 . 2009-09-23 17:24 69120 ----a-w- c:\windows\system32\drivers\rimsptsk.sys
2010-04-22 04:54 . 2009-09-23 17:24 626688 ----a-w- c:\windows\snymsico.dll
2010-04-22 04:42 . 2009-09-10 05:52 257024 ----a-w- c:\windows\system32\msv1_0.dll
2010-04-22 04:20 . 2009-10-02 04:06 728648 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2010-04-22 04:20 . 2009-09-03 07:04 1320960 ----a-w- c:\windows\system32\CertEnroll.dll
2010-04-22 04:20 . 2009-08-19 07:20 442920 ----a-w- c:\windows\system32\winresume.exe
2010-04-22 04:20 . 2009-08-19 07:20 507568 ----a-w- c:\windows\system32\winload.exe
2010-04-22 04:20 . 2009-08-29 06:54 12625408 ----a-w- c:\windows\system32\wmploc.DLL
2010-04-22 04:18 . 2010-03-08 21:33 427520 ----a-w- c:\windows\system32\vbscript.dll
2010-04-22 04:18 . 2010-02-27 07:32 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-22 04:18 . 2010-02-27 07:32 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-22 04:18 . 2010-02-27 07:32 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-22 01:08 . 2010-05-16 04:12 -------- d-----w- c:\users\FRED\AppData\Roaming\BitTorrent
2010-04-22 01:06 . 2010-04-22 01:06 -------- d-----w- c:\program files\BitTorrent
2010-04-22 00:35 . 2010-04-30 22:06 -------- d-----w- c:\users\FRED\AppData\Roaming\Apple Computer
2010-04-22 00:35 . 2010-04-22 05:49 -------- dc----w- c:\windows\system32\DRVSTORE
2010-04-22 00:35 . 2009-05-18 20:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-04-22 00:35 . 2008-04-17 19:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-04-22 00:35 . 2010-05-16 04:10 -------- d-----w- c:\program files\iPod
2010-04-22 00:35 . 2010-05-16 04:12 -------- d-----w- c:\program files\iTunes
2010-04-22 00:35 . 2010-05-16 04:10 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-22 00:34 . 2010-04-22 00:35 -------- d-----w- c:\programdata\Apple Computer
2010-04-22 00:34 . 2010-04-22 00:34 -------- d-----w- c:\program files\QuickTime
2010-04-22 00:34 . 2010-04-22 00:34 -------- d-----w- c:\program files\Apple Software Update
2010-04-22 00:33 . 2010-05-16 04:12 -------- d-----w- c:\program files\Bonjour
2010-04-22 00:33 . 2010-05-16 04:10 -------- d-----w- c:\program files\Common Files\Apple
2010-04-22 00:33 . 2010-04-29 05:08 -------- d-----w- c:\programdata\Apple
2010-04-22 00:11 . 2010-04-22 00:11 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-22 00:10 . 2010-04-22 00:10 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-04-22 00:09 . 2010-05-16 04:12 -------- d-----w- c:\users\FRED\AppData\Local\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-16 06:42 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-04-29 05:08 . 2010-04-29 05:08 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2010-04-27 01:59 . 2010-04-27 01:59 56 ---ha-w- c:\programdata\ezsidmv.dat
2010-04-23 22:26 . 2010-04-23 22:26 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-04-22 05:52 . 2010-04-22 05:07 -------- d-----w- c:\program files\Intel
2010-04-22 05:49 . 2010-04-22 05:47 -------- d-----w- c:\program files\Microsoft
2010-04-22 05:49 . 2010-04-22 05:49 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2010-04-22 05:49 . 2010-04-22 05:46 -------- d-----w- c:\program files\Windows Live
2010-04-22 05:49 . 2010-04-22 05:49 -------- d-----w- c:\program files\Microsoft Sync Framework
2010-04-22 05:48 . 2010-04-22 05:48 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-04-22 05:47 . 2010-04-22 05:47 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-04-22 05:08 . 2010-04-22 05:08 -------- d-----w- c:\program files\Common Files\Windows Live
2010-04-22 04:54 . 2010-04-22 04:54 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-04-21 23:44 . 2009-07-14 04:52 -------- d-----w- c:\program files\MSBuild
2010-04-21 23:29 . 2010-04-21 23:27 -------- d-----w- c:\program files\Lexmark
2010-04-21 23:29 . 2010-04-21 23:29 -------- d-----w- c:\program files\Abbyy FineReader 6.0 Sprint
2010-04-21 23:28 . 2010-04-21 23:28 -------- d-----w- c:\programdata\S300-S400 Series
2010-04-21 23:27 . 2010-04-21 23:27 -------- d-----w- c:\program files\Lexmark Printable Web
2010-04-17 04:24 . 2010-04-17 04:24 22416 ----a-w- c:\windows\system32\drivers\dc3d.sys
2010-02-27 12:07 . 2010-04-22 04:19 3954568 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-27 12:07 . 2010-04-22 04:19 3899280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-23 07:56 . 2010-04-22 04:19 977920 ----a-w- c:\windows\system32\wininet.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lxeamon.exe"="c:\program files\Lexmark S300-S400 Series\lxeamon.exe" [2010-01-18 770728]
"EzPrint"="c:\program files\Lexmark S300-S400 Series\ezprint.exe" [2010-01-18 139944]
"Lexmark S300-S400 Series Fax Server"="c:\program files\Lexmark S300-S400 Series\fm3032.exe" [2010-01-18 316072]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-02-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-02-11 175640]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-02-11 167448]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 23:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

R3 dc3d;MS Hardware Device Detection Driver (HID);c:\windows\system32\DRIVERS\dc3d.sys [2010-04-17 22416]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2010-01-21 112592]

.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\FRED\AppData\Roaming\Mozilla\Firefox\Profiles\bxfyzv9g.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\FRED\AppData\Local\Yahoo!\BrowserPlus\2.7.1\Plugins\npybrowserplus_2.7.1.dll
FF - plugin: c:\windows\system32\Wat\npWatWeb.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-YVIBBBHA8C - c:\users\FRED\AppData\Local\Temp\Ck1.exe


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-05-16 23:51:17
ComboFix-quarantined-files.txt 2010-05-17 06:51

Pre-Run: 89,913,425,920 bytes free
Post-Run: 89,984,184,320 bytes free

- - End Of File - - B59F23E6EE9F1360D99CC1D7F401A53D
  • 0

#3
Mjöllnir

    Trusted Helper

  • Retired Staff
  • 1,207 posts
Welcome to Geeks to Go, aj95023.

I will be helping you with your malware issues.

Before we get started, please read the following.
  • Please completely read through all instructions given you before attempting to follow them. If you are confused about any part of the instructions, post back with your questions and we'll figure things out.
  • Please post all logs in their entirety. DO NOT attach logs to a post unless I ask you to do that. Rather copy and paste the contents of the logs directly into the post.
  • Please refrain from running any tools or otherwise performing any fixes other than what I ask you to do.
  • Finally, do not PM me directly for help. If you have any questions, post them in this topic.


You really shouldn't run ComboFix without being advised to do so.




Continue with these scans.



»» Step 1 ««

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.




»» Step 2 ««

Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware from Here or Here

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.





»» Step 3 ««

OTL Scan
  • Download OTL to your desktop.
  • Double-click on the icon to run it. Make sure all other windows are closed to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Under Custom Scan paste this in
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %SYSTEMDRIVE%\*.exe
    %systemroot%\*. /mp /s
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    beep.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    ahcix86s.sys
    KR10N.sys
    nvstor32.sys
    nvrd32.sys
    explorer.exe
    svchost.exe
    userinit.exe
    symmpi.sys
    qmgr.dll
    ws2_32.dll
    proquota.exe
    imm32.dll
    kernel32.dll
    ndis.sys
    autochk.exe
    spoolsv.exe
    xmlprov.dll
    ntmssvc.dll
    mswsock.dll
    ntfs.sys
    termsrv.dll
    sfcfiles.dll
    st3shark.sys
    srsvc.dll
    adp3132.sys
    mv61xx.sys
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90


  • Click the Run Scan button. Do not change any settings unless otherwise told to do so.
  • When the scan completes, it will open two notepad windows. OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.





»» Step 4 ««

Post Logs
Please post back with the following information:
  • GMER Log
  • MBAM Log
  • OTL Log

  • 0

#4
aj95023

    New Member

  • Topic Starter
  • Member
  • 8 posts
Hi, thanks for your help.

I have run the GMER scanner 3 times. Each time I run it, a blue screen comes up saying physical memory dump and it reboots the computer. Not sure why this is happening, but it won't allow me to complete a scan with the GMER scanner.
  • 0

#5
Mjöllnir

    Trusted Helper

  • Retired Staff
  • 1,207 posts
Try running GMER in Safe Mode.
  • 0

#6
aj95023

    New Member

  • Topic Starter
  • Member
  • 8 posts
Ok, it worked in Safe Mode; here is the GMER log. Going to run Malwarebytes now. Thanks!



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-17 06:55:17
Windows 6.1.7600
Running: gmer.exe; Driver: C:\Users\FRED\AppData\Local\Temp\kxldypob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0x8A111CDE]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0x8A111ED0]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateUserProcess [0x8A1120D8]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0x8A111984]

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82232AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82232104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 822323F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8221B2D8
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8221A898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 822321DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82232958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 822326F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82232F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 822331A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 81E4B599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 81E6FF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 32C 81E7783C 8 Bytes [DE, 1C, 11, 8A, D0, 1E, 11, ...]
.text ntkrnlpa.exe!RtlSidHashLookup + 364 81E77874 4 Bytes [D8, 20, 11, 8A]
.text ntkrnlpa.exe!RtlSidHashLookup + 7B8 81E77CC8 4 Bytes [84, 19, 11, 8A]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[920] ntdll.dll!NtProtectVirtualMemory 77DB5360 5 Bytes JMP 0034000A
.text C:\Windows\system32\svchost.exe[920] ntdll.dll!NtWriteVirtualMemory 77DB5EE0 5 Bytes JMP 0039000A
.text C:\Windows\system32\svchost.exe[920] ntdll.dll!KiUserExceptionDispatcher 77DB6448 5 Bytes JMP 0033000A
.text C:\Windows\system32\svchost.exe[920] ole32.dll!CoCreateInstance 772657FC 5 Bytes JMP 0088000A
.text C:\Windows\Explorer.EXE[1264] ntdll.dll!NtProtectVirtualMemory 77DB5360 5 Bytes JMP 001B000A
.text C:\Windows\Explorer.EXE[1264] ntdll.dll!NtWriteVirtualMemory 77DB5EE0 5 Bytes JMP 001C000A
.text C:\Windows\Explorer.EXE[1264] ntdll.dll!KiUserExceptionDispatcher 77DB6448 5 Bytes JMP 001A000A

---- Devices - GMER 1.0.15 ----

Device -> \Driver\iaStor \Device\Harddisk0\DR0 851B8EE4

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----
  • 0
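As an added example (not from the thread, and not GMER's own code), a small triage script over the kinds of entries that appear in the GMER log above: it separates the SSDT hooks owned by the PC Tools driver that the earlier ComboFix log shows installed, the user-mode inline JMP hooks in svchost.exe and Explorer.EXE, and the "suspicious modification" report on iaStor.sys. The driver allow-list, the address threshold and the embedded log excerpt are constructed for this example from the posted log.

```python
"""Triage helper for GMER rootkit-scanner logs (constructed example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Kernel drivers expected to hook the SSDT on this machine. PCTCore.sys is the
# PC Tools (Spyware Doctor) driver listed in the posted ComboFix log; its hooks
# are recorded as "info", not as findings. Constructed allow-list for this example.
KNOWN_SECURITY_DRIVERS = {"pctcore.sys"}

# On 32-bit Windows 7 the system DLLs (ntdll.dll, ole32.dll) load high in user
# space (0x7xxxxxxx). An inline JMP whose target lies far below that leaves the
# hooked module entirely, which is the pattern worth inspecting first. Heuristic.
LOW_USER_ADDRESS = 0x10000000

SECTION_RE = re.compile(r"^---- (.+?) - GMER")
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+\((.*?)\)\s+(\w+)\s+\[0x([0-9A-Fa-f]+)\]")
USER_HOOK_RE = re.compile(
    r"^\.text\s+(.+?)\[(\d+)\]\s+(\S+?)!(\S+)\s+([0-9A-Fa-f]+)\s+(\d+) Bytes JMP ([0-9A-Fa-f]+)"
)
FILE_RE = re.compile(r"^File\s+(\S+)\s+(.*)$")

# Excerpt constructed from the GMER log posted above (paths and addresses copied).
GMER_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0x8A111CDE]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0x8A111984]

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82232AF8

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[920] ntdll.dll!NtProtectVirtualMemory 77DB5360 5 Bytes JMP 0034000A
.text C:\Windows\system32\svchost.exe[920] ole32.dll!CoCreateInstance 772657FC 5 Bytes JMP 0088000A
.text C:\Windows\Explorer.EXE[1264] ntdll.dll!NtProtectVirtualMemory 77DB5360 5 Bytes JMP 001B000A
.text C:\Windows\Explorer.EXE[1264] ntdll.dll!NtWriteVirtualMemory 77DB5EE0 5 Bytes JMP 001C000A

---- Devices - GMER 1.0.15 ----

Device -> \Driver\iaStor \Device\Harddisk0\DR0 851B8EE4

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\iaStor.sys suspicious modification
"""


@dataclass
class Finding:
    severity: str  # "high" (inspect first), "review", or "info"
    kind: str      # "ssdt-hook", "inline-hook", or "file"
    subject: str   # driver, process image, or file path the entry concerns
    detail: str


def triage(log_text: str) -> list[Finding]:
    """Classify GMER entries by section; unknown line shapes are ignored."""
    findings: list[Finding] = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "System" and (m := SSDT_RE.match(line)):
            path, vendor, func, addr = m.groups()
            driver = path.rsplit("\\", 1)[-1]
            sev = "info" if driver.lower() in KNOWN_SECURITY_DRIVERS else "review"
            findings.append(Finding(sev, "ssdt-hook", driver, f"{func} -> 0x{addr} ({vendor})"))
        elif section == "User code sections" and (m := USER_HOOK_RE.match(line)):
            proc, pid, module, func, _addr, nbytes, target = m.groups()
            exe = proc.rsplit("\\", 1)[-1]
            # A JMP far below the hooked system DLL points out of that module.
            sev = "high" if int(target, 16) < LOW_USER_ADDRESS else "review"
            findings.append(Finding(sev, "inline-hook", exe,
                                    f"pid {pid}: {module}!{func} {nbytes}-byte JMP {target}"))
        elif section == "Files" and (m := FILE_RE.match(line)):
            if "suspicious" in m.group(2):
                findings.append(Finding("high", "file", m.group(1), m.group(2)))
    order = {"high": 0, "review": 1, "info": 2}
    return sorted(findings, key=lambda f: order[f.severity])


def hooked_processes(findings: list[Finding]) -> list[str]:
    """Process images carrying user-mode inline hooks, for follow-up dumping/inspection."""
    return sorted({f.subject for f in findings if f.kind == "inline-hook"})


if __name__ == "__main__":
    for f in triage(GMER_LOG):
        print(f"[{f.severity:6}] {f.kind:12} {f.subject}: {f.detail}")
```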

#7
aj95023

    New Member

  • Topic Starter
  • Member
  • 8 posts
Ran Malwarebytes; it didn't catch anything, but my Microsoft Security Essentials still did: the same Win32/alureon.h. Here is the Malwarebytes log. Going to run the OTL scan now.


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4109

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

5/17/2010 7:24:44 AM
mbam-log-2010-05-17 (07-24-44).txt

Scan type: Quick scan
Objects scanned: 127409
Time elapsed: 9 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0

#8
Mjöllnir

    Trusted Helper

  • Retired Staff
  • 1,207 posts
Okay. Once you get that OTL log up I can get a fix to you.

:)
  • 0

#9
aj95023

    New Member

  • Topic Starter
  • Member
  • 8 posts
Ok, will do. I've been running the OTL scan for 5 hours now and am still waiting for it to complete. Not sure if it is normal for it to take so long, but I will put the log up once it's done. Thanks for your help.
  • 0

#10
Mjöllnir

    Trusted Helper

  • Retired Staff
  • 1,207 posts
That's not normal. Try to run it in Safe Mode.
  • 0

#11
aj95023

    New Member

  • Topic Starter
  • Member
  • 8 posts
Ok, it looks like it's still scanning at the bottom. I clicked Run Scan, not Quick Scan; I believe that's how I should have done it. I will restart in Safe Mode and see how it goes.
  • 0

#12
Mjöllnir

    Trusted Helper

  • Retired Staff
  • 1,207 posts
btw, this scan should only take several minutes, not hours. :)

If it will not complete the scan in Safe Mode, let me know and we'll try something else.
  • 0

#13
aj95023

    New Member

  • Topic Starter
  • Member
  • 8 posts
Hi, I tried the scan many times; it took hours and never gave any result, so I just thought the best thing to do was to reformat and start from scratch. So I did, and everything is good now. Thanks so much for your help.
  • 0

#14
Mjöllnir

    Trusted Helper

  • Retired Staff
  • 1,207 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0