Resolved HJT Threads: resolved spyware and popup issues.

#1
Registered User
Join Date: Feb 2009
Location: Kerrville, TX
Posts: 25
OS: Windows 7 x32
Please help me get rid of Trojan:Win32/Alureon.gen!U off Windows 7
DDS (Ver_09-10-13.01) - NTFSx86
Run by Internet Sales 1 at 11:21:56.39 on Thu 10/15/2009
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.1278.596 [GMT -5:00]

SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Digsby\lib\digsby-app.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\ContactAtOnce\ContactAtOnce.cao
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\ACD Systems\ACDSee\11.0\ACDSee11.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Internet Sales 1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Internet Sales 1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\prevhost.exe
C:\Users\Internet Sales 1\Desktop\gmer.exe
C:\Users\Internet Sales 1\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/ig
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [Google Update] "c:\users\internet sales 1\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Device Detector] DevDetect.exe -autorun
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [TotalRecorderScheduler] "c:\program files\highcriteria\totalrecorder\TotRecSched.exe"
mRun: [HotSync] "c:\program files\palmsource\desktop\HotSync.exe" -AllUsers
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\users\intern~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\contac~1.lnk - c:\users\intern~1\appdata\roaming\microsoft\installer\{652bd9a6-ee53-400f-99bd-221ab0ed41a0}\_2BE6DB29436DE8B0F9ACF7.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digsby.lnk - c:\program files\digsby\digsby.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/C/B/F/CBF23A2C-3E55-4664-BC5C-762780D79BA0/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/betaactivescan/cabs/as2stubie.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} - hxxps://inventory.dealercrm.com/uploader/ImageUploader3.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} - hxxp://uploads.webiol.homenetinc.com/ImageUploader4.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

=============== Created Last 30 ================

2009-10-15 10:25 <DIR> --d----- c:\users\internet sales 1\Maintenance
2009-10-13 17:54 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-10-13 17:53 <DIR> --d----- c:\program files\Panda Security
2009-10-13 12:01 <DIR> --d----- c:\users\internet sales 1\My Clients
2009-10-13 09:06 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-10-13 09:06 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-10-13 09:06 <DIR> --d----- c:\users\intern~1\appdata\roaming\SUPERAntiSpyware.com
2009-10-13 09:06 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-10-13 09:04 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-10-10 11:15 53,248 a------- c:\windows\system32\CSVer.dll
2009-10-10 10:54 <DIR> --d----- c:\program files\Driver-Soft
2009-10-09 14:22 188,968 a---h--- c:\windows\system32\mlfcache.dat
2009-10-08 09:41 <DIR> --d----- c:\programdata\FLEXnet
2009-10-07 14:36 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-10-07 14:35 22,872 a----r-- c:\windows\system32\AdobePDFUI.dll
2009-10-07 11:47 16,640 a------- c:\windows\system32\drivers\PalmUSBD.sys
2009-10-07 11:44 <DIR> --d----- c:\programdata\HotSync
2009-10-07 11:42 <DIR> --d----- c:\program files\Palm
2009-10-07 07:43 <DIR> --d----- c:\programdata\Office Genuine Advantage
2009-10-05 18:53 <DIR> --d----- c:\windows\system32\appmgmt
2009-10-05 18:19 <DIR> --d----- c:\users\intern~1\appdata\roaming\foobar2000
2009-10-05 18:18 <DIR> --d----- c:\program files\foobar2000
2009-10-05 18:10 <DIR> --d----- c:\programdata\Digsby
2009-10-05 18:10 <DIR> --d----- c:\progra~2\Digsby
2009-10-05 18:07 <DIR> --d----- c:\users\intern~1\appdata\roaming\Digsby
2009-10-05 18:04 <DIR> --d----- c:\program files\Digsby
2009-10-05 17:35 <DIR> --d----- c:\users\intern~1\appdata\roaming\ACD Systems
2009-10-05 17:31 <DIR> --d----- c:\programdata\ACD Systems
2009-10-05 17:31 <DIR> --d----- c:\progra~2\ACD Systems
2009-10-05 17:30 <DIR> --d----- c:\program files\common files\ACD Systems
2009-10-05 17:30 <DIR> --d----- c:\program files\ACD Systems
2009-10-05 14:39 <DIR> --d----- c:\users\intern~1\appdata\roaming\Malwarebytes
2009-10-05 14:38 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-05 14:38 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-05 14:38 <DIR> --d----- c:\programdata\Malwarebytes
2009-10-05 14:38 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-05 14:38 <DIR> --d----- c:\progra~2\Malwarebytes
2009-10-05 14:29 <DIR> --d----- c:\users\internet sales 1\printer
2009-10-05 13:06 106,496 a------- c:\windows\system32\DrvTrNTl.dll
2009-10-05 13:06 54,272 a------- c:\windows\system32\DrvTrNTm.dll
2009-10-05 13:06 <DIR> --d----- c:\program files\HighCriteria
2009-10-05 13:05 <DIR> --d----- c:\program files\PhotoWatermark Professional 7
2009-10-05 13:04 1,773,568 a------- c:\windows\system32\msgdiplus.dll
2009-10-05 11:18 <DIR> --d----- c:\program files\ContactAtOnce
2009-10-05 11:12 <DIR> --d----- c:\programdata\Adobe
2009-10-05 11:08 <DIR> --d----- c:\programdata\NOS
2009-10-03 16:19 <DIR> --d----- c:\windows\Panther
2009-10-03 16:05 <DIR> --d----- C:\Windows.old
2009-10-03 15:24 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2009-10-03 14:06 <DIR> --d----- c:\users\internet sales 1\Forms
2009-10-03 14:06 <DIR> --d----- c:\users\internet sales 1\My Email Info
2009-10-03 14:06 <DIR> --d----- c:\users\internet sales 1\My Applications
2009-10-03 14:06 <DIR> --d----- c:\users\internet sales 1\My Maps
2009-10-03 14:04 <DIR> --d----- c:\users\internet sales 1\My Marketing
2009-10-03 14:04 <DIR> --d----- c:\users\internet sales 1\My Office
2009-10-03 14:03 <DIR> --d--r-- c:\users\internet sales 1\My Pictures
2009-10-03 14:03 <DIR> --d----- c:\users\internet sales 1\My Watermarks
2009-10-03 14:03 <DIR> --d----- c:\users\internet sales 1\My Training
2009-10-03 14:03 <DIR> --d----- c:\users\internet sales 1\Products
2009-10-03 13:42 <DIR> --d----- C:\Xerox
2009-10-03 13:03 8,192 a--shr-- C:\BOOTSECT.BAK
2009-10-03 13:02 383,562 a--shr-- C:\bootmgr
2009-10-03 13:02 <DIR> --dsh--- C:\Boot
2009-10-03 12:38 <DIR> --d----- c:\windows\system32\Adobe
2009-10-03 12:04 195,440 -------- c:\windows\system32\MpSigStub.exe
2009-10-03 11:52 717,892 a------- c:\windows\system32\PerfStringBackup.INI
2009-10-03 11:51 <DIR> --d----- c:\windows\system32\wbem\Performance
2009-10-03 11:44 <DIR> --d----- c:\users\Internet Sales 1
2009-10-03 11:44 <DIR> --dsh--- C:\Recovery
2009-10-03 10:17 163,840 a------- c:\windows\system32\igfxres.dll
2009-10-03 09:42 32,656 a------- c:\windows\system32\msonpmon.dll
2009-10-03 09:37 <DIR> --d----- c:\windows\PCHEALTH
2009-10-03 09:33 <DIR> --d----- c:\program files\Microsoft Visual Studio 8
2009-10-03 09:31 <DIR> --d----- c:\programdata\Microsoft Help
2009-10-03 09:10 171,136 a--shr-- C:\grldr
2009-10-03 09:09 3 a------- C:\7Loader.TAG
2009-10-01 16:55 <DIR> --d----- c:\program files\PowerISO
2009-10-01 16:40 <DIR> --d----- c:\users\intern~1\appdata\roaming\BitTyrant
2009-10-01 16:37 <DIR> --d----- c:\program files\BitTyrant
2009-10-01 16:27 411,368 a------- c:\windows\system32\deploytk.dll
2009-10-01 16:25 <DIR> --dsh--- c:\windows\Installer

==================== Find3M ====================

2009-10-05 11:15 5 a------- c:\program files\CaoWriteTest.txt
2009-09-07 01:30 667,136 a------- c:\windows\system32\OGACheckControl.dll
2009-07-31 07:47 499,712 a------- c:\windows\system32\msvcp71.dll
2009-07-31 07:47 348,160 a------- c:\windows\system32\msvcr71.dll
2009-07-13 23:56 291,294 a------- c:\windows\inf\perflib\0409\perfi.dat
2009-07-13 23:56 291,294 a------- c:\windows\inf\perflib\0409\perfh.dat
2009-07-13 23:56 31,548 a------- c:\windows\inf\perflib\0409\perfd.dat
2009-07-13 23:56 31,548 a------- c:\windows\inf\perflib\0409\perfc.dat
2009-07-13 23:41 174 a--sh--- c:\program files\desktop.ini
2009-07-13 19:34 291,294 a------- c:\windows\inf\perflib\0000\perfi.dat
2009-07-13 19:34 291,294 a------- c:\windows\inf\perflib\0000\perfh.dat
2009-07-13 19:34 31,548 a------- c:\windows\inf\perflib\0000\perfd.dat
2009-07-13 19:34 31,548 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 16:26 9,633,792 a--shr-- c:\windows\fonts\StaticCache.dat

============= FINISH: 11:30:06.77 ===============
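The "Pseudo HJT Report" section of a DDS log like the one above is line-oriented, which makes the first triage pass easy to automate. The script below is an added example, not the poster's code and not part of the DDS tool: it parses the uRun:/mRun: autorun lines, TB: toolbar lines and mPolicies-system: policy lines and flags the items a responder would look at first, above all the UAC policy values of 0 that show prompting switched off. SAMPLE_REPORT is a constructed excerpt modelled on the posted log rather than the whole log; the severity labels and the "known good" directories are this example's own assumptions about triage priority, and the Windows 7 UAC defaults named in the comments are the stock values, not something the post states.

```python
"""Triage helper for the DDS "Pseudo HJT Report" section.

Added example; not the poster's code and not part of DDS itself.
Parses the line formats DDS emits (uRun:/mRun:, TB:, mPolicies-system:)
and returns findings ordered by line. SAMPLE_REPORT is a constructed
excerpt modelled on the posted log.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt (not the full posted log).
SAMPLE_REPORT = r"""uStart Page = hxxp://google.com/ig
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [Google Update] "c:\users\internet sales 1\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Device Detector] DevDetect.exe -autorun
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [<NO NAME>]
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
"""

# Windows 7 ships with EnableLUA=1, ConsentPromptBehaviorAdmin=5 and
# PromptOnSecureDesktop=1. A 0 on any of these turns that UAC protection off.
UAC_ZERO_MEANS_OFF = ("EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop")

# Assumption for this example: autoruns outside these trees get a second look.
KNOWN_DIRS = ("c:\\windows\\", "c:\\program files\\")

POLICY_RE = re.compile(r"^(?P<scope>[um])Policies-(?P<key>[\w-]+): (?P<name>\w+) = (?P<val>-?\d+)")
RUN_RE = re.compile(r"^(?P<scope>[um])Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
TB_RE = re.compile(r"^TB: (?:(?P<name>.*?): )?\{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    reason: str
    line: str


def executable_of(cmd: str) -> str:
    """Program part of an autorun command line: the quoted path if the
    command starts with a quote, otherwise the first whitespace token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0] if cmd else ""


def classify_autorun(name: str, cmd: str) -> Optional[Tuple[str, str]]:
    """(severity, reason) for a suspicious uRun/mRun entry, else None."""
    if name == "<NO NAME>" or not cmd.strip():
        return ("medium", "autorun with no name or no command line")
    exe = executable_of(cmd).lower()
    if "\\" not in exe:
        # Bare file name: Windows resolves it through the search path.
        return ("medium", "unqualified program name, resolved via the search path")
    if not exe.startswith(KNOWN_DIRS):
        return ("low", "autorun outside Windows and Program Files")
    return None


def triage(report: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            if m["name"] in UAC_ZERO_MEANS_OFF and int(m["val"]) == 0:
                findings.append(Finding("high", f"UAC protection disabled: {m['name']}=0", line))
            continue
        m = RUN_RE.match(line)
        if m:
            verdict = classify_autorun(m["name"], m["cmd"])
            if verdict:
                findings.append(Finding(verdict[0], verdict[1], line))
            continue
        m = TB_RE.match(line)
        if m and m["path"].strip().lower() == "no file":
            findings.append(Finding("low", "toolbar CLSID registered but its file is missing", line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count of findings per severity, e.g. {'high': 3, 'medium': 2, 'low': 2}."""
    return dict(Counter(fd.severity for fd in findings))


if __name__ == "__main__":
    order = ("high", "medium", "low")
    for fd in sorted(triage(SAMPLE_REPORT), key=lambda x: order.index(x.severity)):
        print(f"[{fd.severity:6}] {fd.reason}\n         {fd.line}")
```

Run against the excerpt, the three UAC lines come out as high, and the nameless mRun entry and the unqualified `DevDetect.exe` autorun as medium. The Google Update entry under the user profile is flagged only because of its location; it is a normal updater, which is exactly why the output is a review list rather than a verdict.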
#4

Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,883
OS: WinXP and Vista
Re: Please help me get rid of Trojan:Win32/Alureon.gen!U off Windows 7
Hello again flow779.
You're not going to be happy with what I have to say. This is a brand new OS and install, and already you managed to get a rootkit that hijacks your hard disk controller. With this being Windows 7, in all honesty, your best solution is to back up your data, reformat and start over. Are you still using BitTorrent? If so, that is the likely source of your troubles again.