10-23-2009, 10:23 AM   #1
OS: XP


Mistake Trojan:Win32/Alureon.gen!U (Seems like a popular one)

I'm running XP Professional.

I woke up a few days ago to a little surprise on my computer-- a very determined trojan named Win32/Alureon.gen!U, which despite my equal determination and persistence would just not go away.

I have run every anti-malware, anti-virus, online scanner and trojan hunter program I could get my hands on, with absolutely no luck: Windows Defender, Malwarebytes, AVAST, A-squared Free, Spyware Doctor, SUPERAntiSpyware, Ad-Aware, and the McAfee and ESET free online virus scanners.

So far the only programs to actually find it and 'delete it' are Windows Defender and AVAST-- AVAST prompts me to delete it, which I do; however, the AVAST alert will pop up a few hours later with a warning about the same trojan. Windows Defender alerts me to its severity and similarly prompts me to remove it; however, within seconds it will tell me the action has failed. So Windows Defender has found it, but cannot complete the removal or quarantine action.

My computer, despite everyone else's findings, doesn't seem much slower than normal aside from opening programs or IE. It does redirect me when attempting to view certain webpages, mostly webpages concerning virus removal, virus scanners and the like. For instance, I got redirected 5 or 6 times just trying to get here. Opening a tab seems to work though.

I cannot say for certain where it is located; initially it was in the System folder and later findings pointed at temporary internet files... but I cannot say for certain where it is.

Anyone who can help will have my unending gratitude.

(Edit: Last time I tried, the computer would not boot in safe mode. The F8 method would create a continuous reboot cycle until I booted in normal mode. The manual way was grayed out... but I can't remember how to get there to check again)

(Hopefully I've attached everything right!)
Attached Files
File Type: rar Desktop.rar (9.6 KB, 2 views)

Last edited by Lisatron; 10-23-2009 at 10:38 AM.
Lisatron

10-23-2009, 03:53 PM   #2
OS: XP


Re: Trojan:Win32/Alureon.gen!U (Seems like a popular one)

DDS (Ver_09-10-13.01) - NTFSx86
Run by The Kids at 21:07:29.31 on Thu 10/22/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1154 [GMT -7:00]

AV: avast! antivirus 4.8.1356 [VPS 091022-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\The Kids\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://thesuperficial.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/E/3/9/E39C664F-A8E3-4F69-A109-1AE9849204EE/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} - hxxp://download.microsoft.com/download/7/4/9/749b0dc5-2175-4d5b-a6dd-9c4bc923683e/Selfhelpcontrol.cab
DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} - hxxp://ea-src-cdn.systemrequirementslab.com/curi/bin/sysreqlab_srlx.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1202220411078
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://ax.emsisoft.com/asquared.cab
DPF: {C237A80A-4C55-4C68-BAA9-CBE4408D12B2} - hxxp://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-8-27 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-10-19 206256]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-10-22 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-4-28 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-4-28 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-10-22 20560]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1028432]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-5-24 24652]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-4-28 7408]
S0 islgbff;islgbff;c:\windows\system32\drivers\dfbpxhk.sys --> c:\windows\system32\drivers\dfbpxhk.sys [?]
S0 lurvqhfk;lurvqhfk;c:\windows\system32\drivers\oqaplf.sys --> c:\windows\system32\drivers\oqaplf.sys [?]
S0 nqflx;nqflx;c:\windows\system32\drivers\rbkdb.sys --> c:\windows\system32\drivers\rbkdb.sys [?]
S0 zdpnnyem;zdpnnyem;c:\windows\system32\drivers\tswflzjd.sys --> c:\windows\system32\drivers\tswflzjd.sys [?]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-10-19 348752]

=============== Created Last 30 ================

2009-10-21 12:35 50,176 ac------ c:\windows\system32\dllcache\proquota.exe
2009-10-21 12:35 50,176 a------- c:\windows\system32\proquota.exe
2009-10-21 12:22 236,544 a------- c:\windows\PEV.exe
2009-10-21 12:22 161,792 a------- c:\windows\SWREG.exe
2009-10-21 12:22 98,816 a------- c:\windows\sed.exe
2009-10-21 12:22 <DIR> --d----- C:\Combo-Fix
2009-10-20 11:11 <DIR> --d----- c:\windows\pss
2009-10-20 00:50 <DIR> --d----- c:\program files\CCleaner
2009-10-19 20:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sunbelt
2009-10-19 20:08 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-10-19 20:07 206,256 a------- c:\windows\system32\drivers\PCTCore.sys
2009-10-19 20:07 86,888 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-10-19 20:07 7,396 a------- c:\windows\system32\drivers\pctcore.cat
2009-10-19 20:07 <DIR> --d----- c:\program files\common files\PC Tools
2009-10-19 20:07 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-10-19 20:07 <DIR> --d----- c:\program files\Spyware Doctor
2009-10-19 20:07 <DIR> --d----- c:\docume~1\thekid~1\applic~1\PC Tools
2009-10-19 20:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-10-19 19:16 19,150 a------- c:\windows\okutex.dat
2009-10-19 19:16 18,102 a------- c:\windows\hefobyluj.dat
2009-10-19 19:16 11,068 a------- c:\docume~1\alluse~1\applic~1\ytalu.dat
2009-10-16 11:09 19,638 a------- c:\windows\orow.com
2009-10-02 12:28 195,440 -------- c:\windows\system32\MpSigStub.exe
2009-09-26 18:04 <DIR> --d----- c:\program files\iPod
2009-09-26 18:04 <DIR> --d----- c:\program files\iTunes
2009-09-26 18:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-26 18:03 <DIR> --d----- c:\program files\Bonjour
2009-09-26 17:56 2,065,696 a------- c:\windows\system32\usbaaplrc.dll
2009-09-26 17:55 <DIR> --d----- c:\program files\iPhone Configuration Utility

==================== Find3M ====================

2009-10-21 12:09 60 a------- c:\program files\tkrkrhdy.txt
2009-09-21 20:29 15,688 a------- c:\windows\system32\lsdelete.exe
2009-09-11 07:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-04 14:03 58,880 a------- c:\windows\system32\msasn1.dll
2009-08-29 01:08 916,480 -------- c:\windows\system32\wininet.dll
2009-08-28 19:42 40,448 a------- c:\windows\system32\drivers\usbaapl.sys
2009-08-26 01:00 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-06 19:23 274,288 a------- c:\windows\system32\mucltui.dll
2009-08-06 19:23 215,920 a------- c:\windows\system32\muweb.dll
2009-08-05 02:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-04 08:13 2,145,280 -------- c:\windows\system32\ntoskrnl.exe
2009-08-04 07:20 2,023,936 -------- c:\windows\system32\ntkrnlpa.exe
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-05-12 14:51 60 ac------ c:\program files\qbgn.txt
2009-05-12 08:22 60 ac------ c:\program files\kyqtf.txt
2008-02-05 08:49 47,360 ac------ c:\docume~1\thekid~1\applic~1\pcouffin.sys

============= FINISH: 21:08:57.50 ===============
Lisatron
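A triage helper for the DDS log format posted above, added here as an example (it is not code from the thread, from DDS or from ComboFix): it parses the SERVICES / DRIVERS and Created Last 30 lines, flags drivers whose file is missing from disk (boot-start ones with a random-looking name are rated high), and reports the marker files that reveal ComboFix has already been run. The regexes, the random-name heuristic and the severity labels are assumptions of this example.

```python
"""Triage helper for the DDS log format posted above (added example, not
code from the thread, DDS or ComboFix).  It reads the SERVICES / DRIVERS and
Created Last 30 sections and surfaces two things an analyst reads off them
first: boot-start drivers whose file no longer exists on disk, and marker
files showing that a cleanup tool such as ComboFix has been run."""
import re

# "<state> <name>;<display>;<path> [<date> <size>]"   when the file exists
# "<state> <name>;<display>;<path> --> <path> [?]"    when DDS cannot find it
SERVICE_RE = re.compile(
    r"^(?P<state>[RS][0-3])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# "<date> <time> <size or <DIR>> <attributes> <path>"
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>\S+)\s+(?P<path>.+)$")
# Files ComboFix drops into %windir% when it runs (all visible in the log above).
COMBOFIX_MARKERS = {"pev.exe", "swreg.exe", "sed.exe", "combo-fix"}
BOOT_START = {"R0", "S0", "R1", "S1"}  # drivers loaded before or with the kernel

# Sample input: an excerpt of the DDS log posted above.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-8-27 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-10-22 114768]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1028432]
S0 islgbff;islgbff;c:\windows\system32\drivers\dfbpxhk.sys --> c:\windows\system32\drivers\dfbpxhk.sys [?]
S0 lurvqhfk;lurvqhfk;c:\windows\system32\drivers\oqaplf.sys --> c:\windows\system32\drivers\oqaplf.sys [?]
S0 nqflx;nqflx;c:\windows\system32\drivers\rbkdb.sys --> c:\windows\system32\drivers\rbkdb.sys [?]
S0 zdpnnyem;zdpnnyem;c:\windows\system32\drivers\tswflzjd.sys --> c:\windows\system32\drivers\tswflzjd.sys [?]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-10-19 348752]
=============== Created Last 30 ================
2009-10-21 12:35 50,176 ac------ c:\windows\system32\dllcache\proquota.exe
2009-10-21 12:22 236,544 a------- c:\windows\PEV.exe
2009-10-21 12:22 161,792 a------- c:\windows\SWREG.exe
2009-10-21 12:22 98,816 a------- c:\windows\sed.exe
2009-10-21 12:22 <DIR> --d----- C:\Combo-Fix
2009-10-20 00:50 <DIR> --d----- c:\program files\CCleaner
"""


def looks_random(name):
    """Heuristic (this example's own): alphabetic name with almost no vowels
    or a long consonant run, as in the S0 entries above."""
    if not name.isalpha() or len(name) < 4:
        return False
    lower = name.lower()
    vowel_ratio = sum(c in "aeiou" for c in lower) / len(lower)
    longest_run = max(len(run) for run in re.split(r"[aeiouy]", lower))
    return vowel_ratio < 0.2 or longest_run >= 5


def parse_services(text):
    """One dict per service/driver line: state, name, resolved path, missing flag."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        missing = rest.endswith("[?]")
        # For a missing file DDS prints "<registry value> --> <resolved path> [?]";
        # keep the resolved path and drop the trailing bracket group either way.
        path = rest.split(" --> ")[-1].rsplit(" [", 1)[0]
        services.append({"state": m.group("state"), "name": m.group("name"),
                         "path": path, "missing": missing})
    return services


def flag_drivers(services):
    """Missing-file drivers; 'high' when boot-start with a random-looking name."""
    findings = []
    for svc in services:
        if not svc["missing"]:
            continue
        severe = svc["state"] in BOOT_START and looks_random(svc["name"])
        findings.append({"severity": "high" if severe else "review",
                         "name": svc["name"], "path": svc["path"]})
    return findings


def tool_traces(text):
    """ComboFix marker files or folders named in the Created Last 30 section."""
    found = set()
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if m:
            leaf = m.group("path").rsplit("\\", 1)[-1].lower()
            if leaf in COMBOFIX_MARKERS:
                found.add(leaf)
    return found


if __name__ == "__main__":
    for f in flag_drivers(parse_services(SAMPLE_LOG)):
        print(f"[{f['severity']}] {f['name']}: {f['path']}")
    traces = tool_traces(SAMPLE_LOG)
    if traces:
        print("ComboFix has already been run here:", ", ".join(sorted(traces)))
```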
10-23-2009, 04:27 PM   #3
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
OS: WinXP and Vista


Re: Trojan:Win32/Alureon.gen!U (Seems like a popular one)

Hello Lisatron,

Quote:
I have run every anti-malware, anti-virus, online scanner and trojan hunter program I could get my hands on, with absolutely no luck: Windows Defender, Malwarebytes, AVAST, A-squared Free, Spyware Doctor, SUPERAntiSpyware, Ad-Aware, and the McAfee and ESET free online virus scanners.
You failed to mention you ran ComboFix. Who advised you to run the tool? Post the C:\ComboFix.txt for review.
Ried
10-23-2009, 06:55 PM   #4
OS: XP


Re: Trojan:Win32/Alureon.gen!U (Seems like a popular one)

Ah, that's right, my apologies. Couldn't remember the name.

Someone on a Q&S website.
Lisatron
10-23-2009, 07:49 PM   #5
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
OS: WinXP and Vista


Re: Trojan:Win32/Alureon.gen!U (Seems like a popular one)

In the future, you would be wise to pay heed to the Disclaimer that ComboFix has you OK before it will run. I need to see the ComboFix.txt. Kindly post that log.
Ried
10-25-2009, 01:42 PM   #6
OS: XP


Re: Trojan:Win32/Alureon.gen!U (Seems like a popular one)

Shortly after I posted in this thread to your reply I left to do a few errands and came back to at least 5 notifications from AVAST about various new trojans which I had not been alerted to earlier, or perhaps were new. Two names that I can remember were Vundrop and Trojan.gen.

Unfortunately I could not locate the ComboFix log, so I had to re-run the program... hopefully this will not create any issues. However, this time I ran the program I had entirely different results:
1. This time ComboFix detected rootkit activity which it did not before
2. When it was finished, it reset my computer's background to the background I had originally (before the virus first appeared). This is strange since when I first received the virus I had a blue background with a black square and red text that says your system had been infected. Then after earlier scans (before I started this thread) it changed to plain blue. After I figured the virus was gone since it was no longer being detected, I changed it to a different background... now the original one is back. Is that good?

Here is the combo fix log...

ComboFix 09-10-25.01 - The Kids 10/25/2009 12:13.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1414 [GMT -7:00]
Running from: c:\documents and settings\The Kids\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1356 [VPS 091024-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\wbem\proquota.exe

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((( Files Created from 2009-09-25 to 2009-10-25 )))))))))))))))))))))))))))))))
.

2009-10-25 19:19 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-10-25 19:19 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-24 01:11 . 2009-10-24 02:10 -------- d-----w- c:\program files\eegejn
2009-10-24 01:11 . 2009-10-24 01:11 26624 ----a-w- C:\ldvx.exe
2009-10-23 22:13 . 2009-10-23 23:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-23 22:13 . 2009-10-23 22:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-22 23:31 . 2009-09-15 10:54 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-10-22 23:31 . 2009-09-15 10:54 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-10-22 23:31 . 2009-09-15 10:53 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-10-22 23:31 . 2009-09-15 10:56 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-10-22 23:31 . 2009-09-15 10:56 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-10-22 23:31 . 2009-09-15 10:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-10-22 23:31 . 2009-09-15 10:55 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-10-22 23:31 . 2009-09-15 10:53 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-10-22 23:30 . 2009-09-15 10:59 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2009-10-21 19:22 . 2009-10-21 19:47 -------- d-----w- C:\Combo-Fix
2009-10-21 18:54 . 2009-10-21 18:58 -------- d-----w- c:\program files\Windows Live Safety Center
2009-10-20 07:50 . 2009-10-20 07:50 -------- d-----w- c:\program files\CCleaner
2009-10-20 03:45 . 2009-10-20 03:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt
2009-10-20 03:35 . 2009-10-22 15:25 -------- d-----w- c:\windows\BDOSCAN8
2009-10-20 03:08 . 2008-12-11 15:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-10-20 03:07 . 2009-08-24 21:05 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-10-20 03:07 . 2009-08-19 18:01 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-10-20 03:07 . 2009-10-20 03:10 -------- d-----w- c:\program files\Common Files\PC Tools
2009-10-20 03:07 . 2008-12-10 18:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-10-20 03:07 . 2009-10-20 03:36 -------- d-----w- c:\program files\Spyware Doctor
2009-10-20 03:07 . 2009-10-20 03:07 -------- d-----w- c:\documents and settings\The Kids\Application Data\PC Tools
2009-10-20 03:07 . 2009-10-20 03:07 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-10-20 02:36 . 2009-10-20 02:36 -------- d-----w- c:\documents and settings\The Kids\Local Settings\Application Data\Downloaded Installations
2009-10-20 02:16 . 2009-10-20 02:16 19150 ----a-w- c:\windows\okutex.dat
2009-10-20 02:16 . 2009-10-20 02:16 18102 ----a-w- c:\windows\hefobyluj.dat
2009-10-16 18:09 . 2009-10-16 18:09 19638 ----a-w- c:\windows\orow.com
2009-10-16 17:19 . 2009-10-16 17:19 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-02 19:28 . 2009-10-01 17:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-27 01:04 . 2009-09-27 01:04 -------- d-----w- c:\program files\iPod
2009-09-27 01:04 . 2009-09-27 01:04 -------- d-----w- c:\program files\iTunes
2009-09-27 01:04 . 2009-09-27 01:04 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-27 01:03 . 2009-09-27 01:03 -------- d-----w- c:\program files\Bonjour
2009-09-27 01:03 . 2009-09-27 01:03 -------- d-----w- c:\program files\QuickTime
2009-09-27 00:56 . 2009-08-29 02:42 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-09-27 00:55 . 2009-09-27 00:55 -------- d-----w- c:\program files\iPhone Configuration Utility
2009-09-27 00:54 . 2009-09-27 00:54 -------- d-----w- c:\program files\Safari

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-25 19:31 . 2008-05-10 01:40 -------- d-----w- c:\program files\Steam
2009-10-24 11:16 . 2008-10-04 15:55 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-23 04:03 . 2009-05-04 16:46 -------- d-----w- c:\program files\a-squared Free
2009-10-21 21:54 . 2009-05-11 02:23 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-21 19:09 . 2009-10-21 19:09 60 ----a-w- c:\program files\tkrkrhdy.txt
2009-10-21 00:47 . 2009-05-04 05:31 -------- d-----w- c:\documents and settings\The Kids\Application Data\Simply Super Software
2009-10-20 02:16 . 2009-10-20 02:16 11068 ----a-w- c:\documents and settings\All Users\Application Data\ytalu.dat
2009-10-15 15:11 . 2008-02-17 16:22 -------- d-----w- c:\documents and settings\The Kids\Application Data\LimeWire
2009-09-27 01:28 . 2008-04-12 13:03 -------- d-----w- c:\documents and settings\The Kids\Application Data\Apple Computer
2009-09-27 01:25 . 2008-04-12 13:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-09-27 01:04 . 2008-04-12 13:02 -------- d-----w- c:\program files\Common Files\Apple
2009-09-22 03:29 . 2009-08-28 03:37 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-11 14:18 . 2004-08-06 20:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 10:06 . 2008-02-05 16:54 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-04 21:03 . 2004-08-06 20:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-06 20:00 916480 ------w- c:\windows\system32\wininet.dll
2009-08-29 02:42 . 2008-04-12 13:02 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-28 03:57 . 2009-08-28 03:55 -------- d-----w- c:\program files\SpywareBlaster
2009-08-28 03:29 . 2009-08-28 03:29 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-28 03:29 . 2009-05-06 15:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-26 08:00 . 2004-08-06 20:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-07 02:24 . 2008-02-04 23:35 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 02:24 . 2008-02-04 23:35 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 02:24 . 2008-02-04 23:35 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 02:24 . 2007-07-31 03:19 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 02:24 . 2008-02-04 23:35 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-07 02:24 . 2004-08-06 20:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 02:23 . 2008-02-04 23:35 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 02:23 . 2008-02-08 12:34 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 02:23 . 2008-02-04 23:35 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-07 02:23 . 2007-07-31 03:18 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-05 09:01 . 2004-08-06 20:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2004-08-06 20:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-03 22:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-05-12 21:51 . 2009-05-12 21:51 60 -c--a-w- c:\program files\qbgn.txt
2009-05-12 15:22 . 2009-05-12 15:22 60 -c--a-w- c:\program files\kyqtf.txt
.

((((((((((((((((((((((((((((( SnapShot@2009-10-21_19.40.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-06 20:00 . 2008-04-13 18:40 96512 c:\windows\system32\dllcache\atapi.sys
+ 2008-02-05 00:19 . 2009-10-25 18:57 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-02-05 00:19 . 2009-10-21 16:50 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-10-25 19:21 . 2009-10-25 19:21 16384 c:\windows\system32\config\systemprofile\Local Settings\Temp\Perflib_Perfdata_7ec.dat
+ 2009-10-25 19:21 . 2009-10-25 19:21 16384 c:\windows\system32\config\systemprofile\Local Settings\Temp\Perflib_Perfdata_2a4.dat
+ 2008-02-05 00:19 . 2009-10-25 18:57 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-02-05 00:19 . 2009-10-21 16:50 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-10-16 17:19 . 2009-10-25 18:57 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-10-16 17:19 . 2009-10-21 16:50 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2008-02-05 00:19 . 2009-10-21 16:50 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-02-05 00:19 . 2009-10-25 18:57 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-08-20 12:02 . 2009-08-20 12:02 5204992 c:\windows\Installer\23e2468.msp
+ 2009-08-20 12:02 . 2009-08-20 12:02 5204992 c:\windows\Installer\1f23fd1.msp
+ 2009-08-20 12:02 . 2009-08-20 12:02 5204992 c:\windows\Installer\1abb681.msp
+ 2009-08-20 12:02 . 2009-08-20 12:02 5204992 c:\windows\Installer\1312a12.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Steam"="c:\program files\steam\steam.exe" [2009-10-24 1217808]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-08-28 1830128]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-09-03 3342336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 61440]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-04-13 16132608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/27/2009 8:29 PM 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [10/19/2009 8:07 PM 206256]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [10/22/2009 4:31 PM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/22/2009 4:31 PM 20560]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 7:49 AM 1028432]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]
S0 islgbff;islgbff;c:\windows\system32\drivers\dfbpxhk.sys --> c:\windows\system32\drivers\dfbpxhk.sys [?]
S0 lurvqhfk;lurvqhfk;c:\windows\system32\drivers\oqaplf.sys --> c:\windows\system32\drivers\oqaplf.sys [?]
S0 nqflx;nqflx;c:\windows\system32\drivers\rbkdb.sys --> c:\windows\system32\drivers\rbkdb.sys [?]
S0 zdpnnyem;zdpnnyem;c:\windows\system32\drivers\tswflzjd.sys --> c:\windows\system32\drivers\tswflzjd.sys [?]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 03:29]

2009-10-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-10-25 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 03:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://thesuperficial.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} - hxxp://ea-src-cdn.systemrequirementslab.com/curi/bin/sysreqlab_srlx.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-25 12:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(920)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(332)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Windows Defender\MsMpEng.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\a-squared Free\a2service.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wbem\unsecapp.exe
c:\combofix\CF14498.exe
c:\program files\iPod\bin\iPodService.exe
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-25 12:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-25 19:36
ComboFix2.txt 2009-10-21 19:47

Pre-Run: 69,954,392,064 bytes free
Post-Run: 69,896,916,992 bytes free

- - End Of File - - 112FB230A904C5DC2E92330715DCD985
Old 10-25-2009, 08:30 PM   #7 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,093
OS: WinXP and Vista


Re: Trojan:Win32/Alureon.gen!U (Seems like a popular one)

Hi Lisatron,

Please - don't keep running ComboFix unless instructed. Refer to post #2 in our pre-posting topic. ;)

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


It's IMPORTANT to carry out the instructions in the sequence listed below.


***************************************************

Open notepad and copy/paste the text in the code box below into it:

Quote:

http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/425019-trojan-win32-alureon-gen-u-seems-like-popular-one.html#post2409516

Collect::
C:\ldvx.exe

Suspect::
c:\windows\orow.com

File::
c:\WINDOWS\okutex.dat
c:\WINDOWS\hefobyluj.dat
c:\program files\tkrkrhdy.txt
c:\documents and settings\All Users\Application Data\ytalu.dat
c:\program files\qbgn.txt
c:\program files\kyqtf.txt

Folder::
c:\Program Files\eegejn

Driver::
islgbff
lurvqhfk
nqflx
zdpnnyem
Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

***************************************************





Referring to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.


Post the C:\Combofix.txt for further review.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
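An added example, not part of this thread and not something ComboFix does itself: a small Python script that applies the triage behind the CFScript above to the log posted before it. It flags boot-start drivers whose backing file is missing (ComboFix marks these with `--> ... [?]`) and whose service name looks machine-generated, which catches the four islgbff/lurvqhfk/nqflx/zdpnnyem entries; it keeps merely orphaned drivers such as SBRE (a leftover the helper rightly left alone) in a separate list; it flags loose files dropped directly into the root of %windir%, Program Files or All Users\Application Data (orow.com); and it assembles Suspect:: and Driver:: sections in the layout of the script above. The random-name and loose-file heuristics and the placeholder thread URL are this example's own assumptions; the sample lines are copied from the two ComboFix logs in this thread.

```python
"""Triage a ComboFix log the way the CFScript above was built, then emit the script.
Added example: the heuristics here are this script's own, not ComboFix's or the forum's."""
import re

# Driver/service lines, e.g.
#   R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/27/2009 8:29 PM 64160]
#   S0 nqflx;nqflx;c:\...\rbkdb.sys --> c:\...\rbkdb.sys [?]      ([?] = file not found)
DRIVER_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")

# "Files Created" lines, e.g.
#   2009-10-16 18:09 . 2009-10-16 18:09 19638 ----a-w- c:\windows\orow.com
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
                     r"(?P<size>\d+|-+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$")

# Roots where installers normally create subfolders; a loose data file dropped
# directly here is unusual (though not unheard of: Realtek's RTHDCPL.exe lives in c:\windows).
SYSTEM_ROOTS = (r"c:\windows", r"c:\program files",
                r"c:\documents and settings\all users\application data")

# Sample input: lines copied from the ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
2009-10-22 23:31 . 2009-09-15 10:54 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-10-20 03:35 . 2009-10-22 15:25 -------- d-----w- c:\windows\BDOSCAN8
2009-10-16 18:09 . 2009-10-16 18:09 19638 ----a-w- c:\windows\orow.com
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/27/2009 8:29 PM 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [10/22/2009 4:31 PM 114768]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 7:49 AM 1028432]
S0 islgbff;islgbff;c:\windows\system32\drivers\dfbpxhk.sys --> c:\windows\system32\drivers\dfbpxhk.sys [?]
S0 lurvqhfk;lurvqhfk;c:\windows\system32\drivers\oqaplf.sys --> c:\windows\system32\drivers\oqaplf.sys [?]
S0 nqflx;nqflx;c:\windows\system32\drivers\rbkdb.sys --> c:\windows\system32\drivers\rbkdb.sys [?]
S0 zdpnnyem;zdpnnyem;c:\windows\system32\drivers\tswflzjd.sys --> c:\windows\system32\drivers\tswflzjd.sys [?]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
"""


def looks_random(name):
    """Weak signal (our heuristic): 5-9 lowercase letters with few vowels.
    'tcpip' trips it too, so it is only ever combined with the file-missing and boot-start signals."""
    if not re.fullmatch(r"[a-z]{5,9}", name):
        return False
    return sum(c in "aeiou" for c in name) <= len(name) // 3


def triage_drivers(lines):
    """Return (suspicious, orphaned).
    suspicious: boot-start (start type 0), random-looking name equal to its display name, file missing.
    orphaned:   file missing only; typically a leftover from an uninstall, to be judged by hand."""
    suspicious, orphaned = [], []
    for line in lines:
        m = DRIVER_RE.match(line.strip())
        if not m or not m["rest"].rstrip().endswith("[?]"):
            continue
        name = m["name"]
        if m["start"] == "0" and looks_random(name) and m["display"] == name:
            suspicious.append(name)
        else:
            orphaned.append(name)
    return suspicious, orphaned


def loose_system_files(lines):
    """Files (not directories) created directly in a system root rather than in a subfolder."""
    hits = []
    for line in lines:
        m = FILE_RE.match(line.strip())
        if not m or m["attrs"].startswith("d"):
            continue
        path = m["path"].strip()
        low = path.lower()
        for root in SYSTEM_ROOTS:
            if low.startswith(root + "\\") and "\\" not in low[len(root) + 1:]:
                hits.append(path)
                break
    return hits


def build_cfscript(drivers, suspect_files, thread_url):
    """CFScript text in the layout used above: thread URL first, then one block per directive.
    Suspect:: is the conservative choice for files (quarantined and zipped for submission)."""
    parts = [thread_url, ""]
    if suspect_files:
        parts += ["Suspect::"] + suspect_files + [""]
    if drivers:
        parts += ["Driver::"] + drivers + [""]
    return "\n".join(parts).rstrip("\n") + "\n"


def triage(log_text, thread_url):
    """Run every check over one log and return the findings plus a ready CFScript."""
    lines = log_text.splitlines()
    suspicious, orphaned = triage_drivers(lines)
    loose = loose_system_files(lines)
    return {"drivers": suspicious, "orphaned": orphaned, "files": loose,
            "cfscript": build_cfscript(suspicious, loose, thread_url)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, "http://example.invalid/thread-permalink")  # placeholder URL
    print("orphaned only, review by hand:", result["orphaned"])
    print(result["cfscript"])
```

The output is a starting point for the analyst, not a script to drag onto ComboFix unread: a missing driver file on its own is not conclusive (SBRE is a Sunbelt leftover, not the rootkit), and the loose-file check will surface legitimate vendor files as well as dropped ones. Whether a flagged file belongs under File:: or Suspect:: remains the analyst's call.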
Old 10-25-2009, 10:49 PM   #8 (permalink)
Registered User
 
Join Date: Oct 2009
Posts: 22
OS: XP


Re: Trojan:Win32/Alureon.gen!U (Seems like a popular one)

ComboFix 09-10-25.02 - The Kids 10/25/2009 21:33.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1335 [GMT -7:00]
Running from: c:\documents and settings\The Kids\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\The Kids\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1356 [VPS 091025-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\documents and settings\All Users\Application Data\ytalu.dat"
"c:\program files\kyqtf.txt"
"c:\program files\qbgn.txt"
"c:\program files\tkrkrhdy.txt"
"c:\windows\hefobyluj.dat"
"c:\windows\okutex.dat"

file zipped: C:\ldvx.exe
file zipped: c:\windows\orow.com
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\ytalu.dat
C:\ldvx.exe
c:\program files\eegejn
c:\program files\kyqtf.txt
c:\program files\qbgn.txt
c:\program files\tkrkrhdy.txt
c:\windows\hefobyluj.dat
c:\windows\okutex.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_islgbff
-------\Service_lurvqhfk
-------\Service_nqflx
-------\Service_zdpnnyem


((((((((((((((((((((((((( Files Created from 2009-09-26 to 2009-10-26 )))))))))))))))))))))))))))))))
.

2009-10-25 19:19 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-10-25 19:19 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-23 22:13 . 2009-10-23 23:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-23 22:13 . 2009-10-23 22:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-22 23:31 . 2009-09-15 10:54 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-10-22 23:31 . 2009-09-15 10:54 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-10-22 23:31 . 2009-09-15 10:53 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-10-22 23:31 . 2009-09-15 10:56 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-10-22 23:31 . 2009-09-15 10:56 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-10-22 23:31 . 2009-09-15 10:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-10-22 23:31 . 2009-09-15 10:55 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-10-22 23:31 . 2009-09-15 10:53 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-10-22 23:30 . 2009-09-15 10:59 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2009-10-21 19:22 . 2009-10-21 19:47 -------- d-----w- C:\Combo-Fix
2009-10-21 18:54 . 2009-10-21 18:58 -------- d-----w- c:\program files\Windows Live Safety Center
2009-10-20 07:50 . 2009-10-20 07:50 -------- d-----w- c:\program files\CCleaner
2009-10-20 03:45 . 2009-10-20 03:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt
2009-10-20 03:35 . 2009-10-22 15:25 -------- d-----w- c:\windows\BDOSCAN8
2009-10-20 03:08 . 2008-12-11 15:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-10-20 03:07 . 2009-08-24 21:05 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-10-20 03:07 . 2009-08-19 18:01 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-10-20 03:07 . 2009-10-20 03:10 -------- d-----w- c:\program files\Common Files\PC Tools
2009-10-20 03:07 . 2008-12-10 18:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-10-20 03:07 . 2009-10-20 03:36 -------- d-----w- c:\program files\Spyware Doctor
2009-10-20 03:07 . 2009-10-20 03:07 -------- d-----w- c:\documents and settings\The Kids\Application Data\PC Tools
2009-10-20 03:07 . 2009-10-20 03:07 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-10-20 02:36 . 2009-10-20 02:36 -------- d-----w- c:\documents and settings\The Kids\Local Settings\Application Data\Downloaded Installations
2009-10-16 18:09 . 2009-10-16 18:09 19638 ----a-w- c:\windows\orow.com
2009-10-16 17:19 . 2009-10-16 17:19 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-02 19:28 . 2009-10-01 17:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-27 01:04 . 2009-09-27 01:04 -------- d-----w- c:\program files\iPod
2009-09-27 01:04 . 2009-09-27 01:04 -------- d-----w- c:\program files\iTunes
2009-09-27 01:04 . 2009-09-27 01:04 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-27 01:03 . 2009-09-27 01:03 -------- d-----w- c:\program files\Bonjour
2009-09-27 01:03 . 2009-09-27 01:03 -------- d-----w- c:\program files\QuickTime
2009-09-27 00:56 . 2009-08-29 02:42 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-09-27 00:55 . 2009-09-27 00:55 -------- d-----w- c:\program files\iPhone Configuration Utility
2009-09-27 00:54 . 2009-09-27 00:54 -------- d-----w- c:\program files\Safari

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-25 19:34 . 2008-05-10 01:40 -------- d-----w- c:\program files\Steam
2009-10-24 11:16 . 2008-10-04 15:55 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-23 04:03 . 2009-05-04 16:46 -------- d-----w- c:\program files\a-squared Free
2009-10-21 21:54 . 2009-05-11 02:23 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-21 00:47 . 2009-05-04 05:31 -------- d-----w- c:\documents and settings\The Kids\Application Data\Simply Super Software
2009-10-15 15:11 . 2008-02-17 16:22 -------- d-----w- c:\documents and settings\The Kids\Application Data\LimeWire
2009-09-27 01:28 . 2008-04-12 13:03 -------- d-----w- c:\documents and settings\The Kids\Application Data\Apple Computer
2009-09-27 01:25 . 2008-04-12 13:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-09-27 01:04 . 2008-04-12 13:02 -------- d-----w- c:\program files\Common Files\Apple
2009-09-22 03:29 . 2009-08-28 03:37 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-11 14:18 . 2004-08-06 20:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 10:06 . 2008-02-05 16:54 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-04 21:03 . 2004-08-06 20:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-06 20:00 916480 ------w- c:\windows\system32\wininet.dll
2009-08-29 02:42 . 2008-04-12 13:02 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-28 03:57 . 2009-08-28 03:55 -------- d-----w- c:\program files\SpywareBlaster
2009-08-28 03:29 . 2009-08-28 03:29 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-28 03:29 . 2009-05-06 15:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-26 08:00 . 2004-08-06 20:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-07 02:24 . 2008-02-04 23:35 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 02:24 . 2008-02-04 23:35 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 02:24 . 2008-02-04 23:35 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 02:24 . 2007-07-31 03:19 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 02:24 . 2008-02-04 23:35 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-07 02:24 . 2004-08-06 20:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 02:23 . 2008-02-04 23:35 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 02:23 . 2008-02-08 12:34 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 02:23 . 2008-02-04 23:35 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-07 02:23 . 2007-07-31 03:18 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-05 09:01 . 2004-08-06 20:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2004-08-06 20:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-03 22:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-10-21_19.40.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-06 20:00 . 2008-04-13 18:40 96512 c:\windows\system32\dllcache\atapi.sys
+ 2008-02-05 00:19 . 2009-10-25 18:57 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-02-05 00:19 . 2009-10-21 16:50 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-10-26 04:40 . 2009-10-26 04:40 16384 c:\windows\system32\config\systemprofile\Local Settings\Temp\Perflib_Perfdata_7f8.dat
+ 2009-10-26 04:40 . 2009-10-26 04:40 16384 c:\windows\system32\config\systemprofile\Local Settings\Temp\Perflib_Perfdata_2a8.dat
- 2008-02-05 00:19 . 2009-10-21 16:50 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-02-05 00:19 . 2009-10-25 18:57 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-10-16 17:19 . 2009-10-25 18:57 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-10-16 17:19 . 2009-10-21 16:50 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-08-20 12:02 . 2009-08-20 12:02 5204992 c:\windows\Installer\23e2468.msp
+ 2009-08-20 12:02 . 2009-08-20 12:02 5204992 c:\windows\Installer\1f23fd1.msp
+ 2009-08-20 12:02 . 2009-08-20 12:02 5204992 c:\windows\Installer\1abb681.msp
+ 2009-08-20 12:02 . 2009-08-20 12:02 5204992 c:\windows\Installer\1312a12.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Steam"="c:\program files\steam\steam.exe" [2009-10-24 1217808]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-08-28 1830128]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-09-03 3342336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 61440]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-04-13 16132608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/27/2009 8:29 PM 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [10/19/2009 8:07 PM 206256]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [10/22/2009 4:31 PM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/22/2009 4:31 PM 20560]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 7:49 AM 1028432]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/24/2009 8:21 PM 24652]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 03:29]

2009-10-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-10-26 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 03:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://thesuperficial.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} - hxxp://ea-src-cdn.systemrequirementslab.com/curi/bin/sysreqlab_srlx.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-25 21:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(928)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3244)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\a-squared Free\a2service.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\combofix\CF4269.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-26 21:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-26 04:47
ComboFix2.txt 2009-10-25 19:36
ComboFix3.txt 2009-10-21 19:47

Pre-Run: 69,847,408,640 bytes free
Post-Run: 69,813,223,424 bytes free

- - End Of File - - 20A4BE8EBAA2489A4FF14DB57F24A229
Old 10-25-2009, 10:55 PM   #9 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,093
OS: WinXP and Vista


Re: Trojan:Win32/Alureon.gen!U (Seems like a popular one)

I'm not seeing the files that should have been uploaded. Please open the C: drive and look for C:\CF-Submit.htm. If you see it there, simply double-click on it and the upload will begin.

If you do not see that file, navigate to C:\Qoobox\ and look for a file named [4]-Submit_<date>@<time>.zip and upload it to this site

Please let me know when that has been done.
Old 10-26-2009, 10:19 AM   #10 (permalink)
Registered User
 
Join Date: Oct 2009
Posts: 22
OS: XP


Re: Trojan:Win32/Alureon.gen!U (Seems like a popular one)

Win32:MalOb-X [Cryp] has been detected here: C:\Documents and Settings\The Kids\Application Data\lizkavd.exe by AVAST.

Upload has been done.

Last edited by Lisatron; 10-26-2009 at 10:21 AM.
Old 10-26-2009, 11:00 AM   #11 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,093
OS: WinXP and Vista


Re: Trojan:Win32/Alureon.gen!U (Seems like a popular one)

Files received, thank you.

Instruct Avast to delete that file.

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
  • Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
Old 10-26-2009, 12:37 PM   #12 (permalink)
Registered User
 
Join Date: Oct 2009
Posts: 22
OS: XP


Re: Trojan:Win32/Alureon.gen!U (Seems like a popular one)

I was unable to complete the scan as directed.

Your instructions asked for any virus scanners to be temporarily disabled as did Kaspersky's. I disabled AVAST as directed, however the scan only managed to reach 60% completion before Microsoft said the machine needed to be rebooted due to hidden viruses.

At the same time the Microsoft notification came up, Anti-Virus Pro 2010 had been installed on the computer.

Should I run the scan with AVAST activated?
Old 10-26-2009, 05:38 PM   #13 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,093
OS: WinXP and Vista


Re: Trojan:Win32/Alureon.gen!U (Seems like a popular one)

No, please run new scans with dds.scr and gmer. Post the fresh logs.

Be sure to follow the gmer configuration as shown in our pre-posting topic.
Old 10-26-2009, 10:57 PM   #14 (permalink)
Registered User
 
Join Date: Oct 2009
Posts: 22
OS: XP


Re: Trojan:Win32/Alureon.gen!U (Seems like a popular one)

Here are the logs.


DDS (Ver_09-10-26.01) - NTFSx86
Run by The Kids at 19:10:16.62 on Mon 10/26/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1393 [GMT -7:00]

AV: avast! antivirus 4.8.1356 [VPS 091026-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\The Kids\Application Data\seres.exe
C:\Documents and Settings\The Kids\Application Data\svcst.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\The Kids\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://thesuperficial.com/
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [mserv] c:\documents and settings\the kids\application data\seres.exe
uRun: [svchost] c:\documents and settings\the kids\application data\svcst.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Antivirus Pro 2010] "c:\program files\antiviruspro_2010\AntivirusPro_2010.exe" /hide
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
mPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/E/3/9/E39C664F-A8E3-4F69-A109-1AE9849204EE/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} - hxxp://download.microsoft.com/download/7/4/9/749b0dc5-2175-4d5b-a6dd-9c4bc923683e/Selfhelpcontrol.cab
DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} - hxxp://ea-src-cdn.systemrequirementslab.com/curi/bin/sysreqlab_srlx.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1202220411078
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://ax.emsisoft.com/asquared.cab
DPF: {C237A80A-4C55-4C68-BAA9-CBE4408D12B2} - hxxp://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-8-27 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-10-19 206256]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-10-22 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-4-28 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-4-28 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-10-22 20560]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1028432]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-5-24 24652]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-4-28 7408]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]

=============== Created Last 30 ================

2009-10-26 18:01:06 17212 ----a-w- c:\windows\omajizugy._sy
2009-10-26 18:01:06 16734 ----a-w- c:\docume~1\alluse~1\applic~1\eguqaw.com
2009-10-26 18:01:06 16176 ----a-w- c:\program files\common files\cecifu.dat
2009-10-26 18:01:06 16170 ----a-w- c:\program files\common files\gekuq.bat
2009-10-26 18:01:06 15976 ----a-w- c:\windows\zixi._dl
2009-10-26 18:01:06 13851 ----a-w- c:\program files\common files\gihaxa.pif
2009-10-26 18:01:06 13702 ----a-w- c:\windows\zohebeni.inf
2009-10-26 18:01:06 13223 ----a-w- c:\windows\odolyr._dl
2009-10-26 18:01:06 13090 ----a-w- c:\windows\jexukoc.scr
2009-10-26 18:01:06 12437 ----a-w- c:\windows\isyduj.ban
2009-10-26 18:01:06 12315 ----a-w- c:\windows\tadup.pif
2009-10-26 18:00:43 0 d-----w- c:\program files\AntivirusPro_2010
2009-10-26 16:13:34 60928 ----a-w- c:\docume~1\thekid~1\applic~1\svcst.exe
2009-10-26 16:13:34 60928 ----a-w- c:\docume~1\thekid~1\applic~1\seres.exe
2009-10-25 19:19:55 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-10-25 19:19:55 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-25 19:08:40 77312 ----a-w- c:\windows\MBR.exe
2009-10-23 22:13:15 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-10-23 22:13:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-10-21 19:22:54 98816 ----a-w- c:\windows\sed.exe
2009-10-21 19:22:54 236544 ----a-w- c:\windows\PEV.exe
2009-10-21 19:22:54 161792 ----a-w- c:\windows\SWREG.exe
2009-10-21 19:22:34 0 d-----w- C:\Combo-Fix
2009-10-20 18:11:02 0 d-----w- c:\windows\pss
2009-10-20 07:50:57 0 d-----w- c:\program files\CCleaner
2009-10-20 03:45:13 0 d-----w- c:\docume~1\alluse~1\applic~1\Sunbelt
2009-10-20 03:08:00 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-10-20 03:07:55 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-10-20 03:07:55 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-10-20 03:07:55 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-10-20 03:07:49 0 d-----w- c:\program files\common files\PC Tools
2009-10-20 03:07:48 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-10-20 03:07:37 0 d-----w- c:\program files\Spyware Doctor
2009-10-20 03:07:37 0 d-----w- c:\docume~1\thekid~1\applic~1\PC Tools
2009-10-20 03:07:37 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2009-10-16 18:09:38 19638 ----a-w- c:\windows\orow.com
2009-10-02 19:28:26 195440 ------w- c:\windows\system32\MpSigStub.exe

==================== Find3M ====================

2009-10-26 18:01:06 13981 ----a-w- c:\program files\common files\lowuqefy.ban
2009-09-22 03:29:59 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ------w- c:\windows\system32\wininet.dll
2009-08-29 02:42:52 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-29 02:42:52 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-07 02:23:46 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 02:23:46 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13:08 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20:09 2023936 ------w- c:\windows\system32\ntkrnlpa.exe

============= FINISH: 19:10:45.06 ===============

Last edited by Ried; 10-27-2009 at 07:11 AM.
Lisatron
10-27-2009, 07:17 AM   #15
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,093
OS: WinXP and Vista


Re: Trojan:Win32/Alureon.gen!U (Seems like a popular one)

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


It's IMPORTANT to carry out the instructions in the sequence listed below.


***************************************************

Open notepad and copy/paste the text in the code box below into it:

Quote:

http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/425019-trojan-win32-alureon-gen-u-seems-like-popular-one.html#post2412089

Collect::
c:\WINDOWS\omajizugy._sy
c:\docume~1\alluse~1\Applic~1\eguqaw.com
c:\Program Files\Common Files\cecifu.dat
c:\Program Files\Common Files\gekuq.bat
c:\WINDOWS\zixi._dl
c:\Program Files\Common Files\gihaxa.pif
c:\WINDOWS\zohebeni.inf
c:\WINDOWS\odolyr._dl
c:\WINDOWS\jexukoc.scr
c:\WINDOWS\isyduj.ban
c:\WINDOWS\tadup.pif
c:\program files\common files\lowuqefy.ban
c:\windows\orow.com

Folder::
c:\Program Files\AntivirusPro_2010
c:\docume~1\thekid~1\Applic~1\svcst.exe
c:\docume~1\thekid~1\Applic~1\seres.exe


Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

***************************************************





Referring to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
---------------------------------------------------------------------

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
  • Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
Kaspersky results
Update on system behavior
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried
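Why those particular paths went into the Collect:: and Folder:: sections: in the DDS log posted above, eleven random-named files with extensions that do not belong in %windir% or Common Files (._sy, ._dl, .ban, .pif) share one creation second (2009-10-26 18:01:06), and two uRun entries start executables from the user's Application Data, one of them registered under the name "svchost" so it blends in with the real svchost.exe processes. The script below is an added example, not part of this thread and not a DDS or ComboFix feature: it applies those two heuristics to a constructed subset of the posted log. The lists of borrowed system process names, user-writable folder markers and "odd" extensions are assumptions, not something the tools define.

```python
"""Triage heuristics for DDS-style logs (added example; not a tool from this thread)."""
import re
from collections import defaultdict

# Constructed subset of the DDS output posted above: Run entries plus "Created Last 30" lines.
DDS_SAMPLE = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [mserv] c:\documents and settings\the kids\application data\seres.exe
uRun: [svchost] c:\documents and settings\the kids\application data\svcst.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Antivirus Pro 2010] "c:\program files\antiviruspro_2010\AntivirusPro_2010.exe" /hide
2009-10-26 18:01:06 17212 ----a-w- c:\windows\omajizugy._sy
2009-10-26 18:01:06 16734 ----a-w- c:\docume~1\alluse~1\applic~1\eguqaw.com
2009-10-26 18:01:06 16176 ----a-w- c:\program files\common files\cecifu.dat
2009-10-26 18:01:06 13090 ----a-w- c:\windows\jexukoc.scr
2009-10-26 18:00:43 0 d-----w- c:\program files\AntivirusPro_2010
2009-10-26 16:13:34 60928 ----a-w- c:\docume~1\thekid~1\applic~1\svcst.exe
2009-10-25 19:08:40 77312 ----a-w- c:\windows\MBR.exe
2009-10-21 19:22:54 98816 ----a-w- c:\windows\sed.exe
2009-10-21 19:22:54 236544 ----a-w- c:\windows\PEV.exe
2009-10-21 19:22:54 161792 ----a-w- c:\windows\SWREG.exe
"""

# Windows component names a dropper borrows so its Run entry looks legitimate (assumed list).
SYSTEM_PROCESS_NAMES = {"svchost", "services", "lsass", "csrss", "winlogon", "smss", "explorer"}
# Folder markers (long and 8.3 forms) where a Run target should not normally live (assumed).
USER_WRITABLE_MARKERS = ("application data", "applic~1", "local settings", "locals~1", "\\temp\\")
# Extensions that are odd for freshly created files in %windir% or Program Files (assumed list).
ODD_EXTENSIONS = {"._sy", "._dl", ".ban", ".pif", ".scr", ".com", ".bat", ".inf", ".dat"}

RUN_RE = re.compile(r"^([umd])Run:\s+\[([^\]]+)\]\s+(.*)$")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S{8})\s+(.*)$")


def _target_path(cmdline):
    """Extract the executable path from a Run value, quoted or bare, dropping any switches."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end if end > 0 else None].lower()
    m = re.match(r"^(.*?\.\w+)(?=\s|$)", cmdline)
    return (m.group(1) if m else cmdline).lower()


def parse_dds(text):
    """Split DDS output into Run entries and created-file entries; other lines are ignored."""
    runs, created = [], []
    for line in text.splitlines():
        m = RUN_RE.match(line)
        if m:
            hive, name, cmd = m.groups()
            runs.append({"hive": hive, "name": name, "path": _target_path(cmd)})
            continue
        m = CREATED_RE.match(line)
        if m:
            ts, size, attrs, path = m.groups()
            created.append({"timestamp": ts, "size": int(size),
                            "is_dir": attrs.startswith("d"), "path": path.lower()})
    return runs, created


def suspicious_run_entries(runs):
    """Flag Run entries launched from a user profile or named after a system process."""
    flagged = []
    for entry in runs:
        reasons = []
        if any(marker in entry["path"] for marker in USER_WRITABLE_MARKERS):
            reasons.append("executable lives in a user-writable profile folder")
        base = entry["name"].lower()
        if base.endswith(".exe"):
            base = base[:-4]
        if base in SYSTEM_PROCESS_NAMES and "\\system32\\" not in entry["path"]:
            reasons.append("Run name masquerades as %s but path is outside system32" % base)
        if reasons:
            flagged.append(dict(entry, reasons=reasons))
    return flagged


def drop_bursts(created, min_files=3):
    """Group oddly named non-directory files by creation second; a burst is a dropper signature."""
    by_second = defaultdict(list)
    for f in created:
        if f["is_dir"]:
            continue
        name = f["path"].rsplit("\\", 1)[-1]
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in ODD_EXTENSIONS:
            by_second[f["timestamp"]].append(f["path"])
    return [{"timestamp": ts, "paths": paths}
            for ts, paths in sorted(by_second.items()) if len(paths) >= min_files]


def triage(text):
    """Run both heuristics over a DDS log and return the findings."""
    runs, created = parse_dds(text)
    return {"run": suspicious_run_entries(runs), "bursts": drop_bursts(created)}


if __name__ == "__main__":
    result = triage(DDS_SAMPLE)
    for e in result["run"]:
        print("RUN   [%s] %s: %s" % (e["name"], e["path"], "; ".join(e["reasons"])))
    for b in result["bursts"]:
        print("BURST %s: %d files" % (b["timestamp"], len(b["paths"])))
        for p in b["paths"]:
            print("        " + p)
```

Run as-is it reports the mserv and svchost entries (svchost with both reasons) and the 18:01:06 burst of four files. The extension filter is what keeps the three ComboFix helpers (sed.exe, PEV.exe, SWREG.exe), which the log shows created in the same second on 10-21, from being reported; a plain same-second rule would flag that tool install too. The caveat is the rogue "Antivirus Pro 2010" entry: it passes both rules. Its tells in the posted log are the /hide switch and the program folder created 23 seconds before the burst, and spotting those still takes a person reading the log, which is what Ried did.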
10-27-2009, 09:47 AM   #16
Registered User
 
Join Date: Oct 2009
Posts: 22
OS: XP


Re: Trojan:Win32/Alureon.gen!U (Seems like a popular one)

Ran ComboFix as directed; this was all the log file said:

Upload was successful

Running Kaspersky now...
Lisatron
10-27-2009, 11:42 AM   #17
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,093
OS: WinXP and Vista


Re: Trojan:Win32/Alureon.gen!U (Seems like a popular one)

There should be more than just the log saying 'Upload was successful'. Navigate to the C:\ComboFix.txt and post the entire contents.
Ried
10-27-2009, 12:10 PM   #18
Registered User
 
Join Date: Oct 2009
Posts: 22
OS: XP


Re: Trojan:Win32/Alureon.gen!U (Seems like a popular one)

Found the ComboFix log:

ComboFix 09-10-25.02 - The Kids 10/27/2009 8:30.4.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1411 [GMT -7:00]
Running from: c:\documents and settings\The Kids\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\The Kids\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1356 [VPS 091026-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

file zipped: c:\docume~1\alluse~1\Applic~1\eguqaw.com
file zipped: c:\program files\Common Files\cecifu.dat
file zipped: c:\program files\Common Files\gekuq.bat
file zipped: c:\program files\Common Files\gihaxa.pif
file zipped: c:\program files\common files\lowuqefy.ban
file zipped: c:\windows\isyduj.ban
file zipped: c:\windows\jexukoc.scr
file zipped: c:\windows\odolyr._dl
file zipped: c:\windows\omajizugy._sy
file zipped: c:\windows\orow.com
file zipped: c:\windows\tadup.pif
file zipped: c:\windows\zixi._dl
file zipped: c:\windows\zohebeni.inf
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\alluse~1\Applic~1\eguqaw.com
c:\documents and settings\All Users\Documents\epikeg._sy
c:\documents and settings\All Users\Documents\ybywafupyd.reg
c:\documents and settings\The Kids\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
c:\documents and settings\The Kids\Application Data\seres.exe
c:\documents and settings\The Kids\Application Data\svcst.exe
c:\documents and settings\The Kids\Application Data\ufigapavu.dl
c:\documents and settings\The Kids\Cookies\akucicoxe.inf
c:\documents and settings\The Kids\Cookies\qecipem.dat
c:\documents and settings\The Kids\Start Menu\Programs\AntivirusPro_2010
c:\documents and settings\The Kids\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk
c:\documents and settings\The Kids\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk
c:\program files\AntivirusPro_2010
c:\program files\AntivirusPro_2010\AntivirusPro_2010.cfg
c:\program files\AntivirusPro_2010\data\daily.cvd
c:\program files\AntivirusPro_2010\htmlayout.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcm80.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcp80.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcr80.dll
c:\program files\AntivirusPro_2010\pthreadVC2.dll
c:\program files\AntivirusPro_2010\wscui.cpl
c:\program files\Common Files\cecifu.dat
c:\program files\Common Files\gekuq.bat
c:\program files\Common Files\gihaxa.pif
c:\program files\common files\lowuqefy.ban
c:\windows\isyduj.ban
c:\windows\jexukoc.scr
c:\windows\odolyr._dl
c:\windows\omajizugy._sy
c:\windows\orow.com
c:\windows\tadup.pif
c:\windows\zixi._dl
c:\windows\zohebeni.inf

.
((((((((((((((((((((((((( Files Created from 2009-09-27 to 2009-10-27 )))))))))))))))))))))))))))))))
.

2009-10-26 18:01 . 2009-10-26 18:01 10651 ----a-w- c:\documents and settings\The Kids\Local Settings\Application Data\kiqovyte.dat
2009-10-25 19:19 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-10-25 19:19 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-23 22:13 . 2009-10-23 23:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-23 22:13 . 2009-10-23 22:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-22 23:31 . 2009-09-15 10:54 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-10-22 23:31 . 2009-09-15 10:54 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-10-22 23:31 . 2009-09-15 10:53 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-10-22 23:31 . 2009-09-15 10:56 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-10-22 23:31 . 2009-09-15 10:56 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-10-22 23:31 . 2009-09-15 10:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-10-22 23:31 . 2009-09-15 10:55 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-10-22 23:31 . 2009-09-15 10:53 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-10-22 23:30 . 2009-09-15 10:59 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2009-10-21 19:22 . 2009-10-21 19:47 -------- d-----w- C:\Combo-Fix
2009-10-21 18:54 . 2009-10-21 18:58 -------- d-----w- c:\program files\Windows Live Safety Center
2009-10-20 07:50 . 2009-10-20 07:50 -------- d-----w- c:\program files\CCleaner
2009-10-20 03:45 . 2009-10-20 03:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt
2009-10-20 03:35 . 2009-10-22 15:25 -------- d-----w- c:\windows\BDOSCAN8
2009-10-20 03:08 . 2008-12-11 15:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-10-20 03:07 . 2009-08-24 21:05 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-10-20 03:07 . 2009-08-19 18:01 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-10-20 03:07 . 2009-10-20 03:10 -------- d-----w- c:\program files\Common Files\PC Tools
2009-10-20 03:07 . 2008-12-10 18:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-10-20 03:07 . 2009-10-20 03:36 -------- d-----w- c:\program files\Spyware Doctor
2009-10-20 03:07 . 2009-10-20 03:07 -------- d-----w- c:\documents and settings\The Kids\Application Data\PC Tools
2009-10-20 03:07 . 2009-10-20 03:07 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-10-20 02:36 . 2009-10-20 02:36 -------- d-----w- c:\documents and settings\The Kids\Local Settings\Application Data\Downloaded Installations
2009-10-16 17:19 . 2009-10-16 17:19 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-02 19:28 . 2009-10-01 17:29 195440 ------w- c:\windows\system32\MpSigStub.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-26 20:39 . 2008-05-10 01:40 -------- d-----w- c:\program files\Steam
2009-10-24 11:16 . 2008-10-04 15:55 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-23 04:03 . 2009-05-04 16:46 -------- d-----w- c:\program files\a-squared Free
2009-10-21 21:54 . 2009-05-11 02:23 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-21 00:47 . 2009-05-04 05:31 -------- d-----w- c:\documents and settings\The Kids\Application Data\Simply Super Software
2009-10-15 15:11 . 2008-02-17 16:22 -------- d-----w- c:\documents and settings\The Kids\Application Data\LimeWire
2009-09-27 01:28 . 2008-04-12 13:03 -------- d-----w- c:\documents and settings\The Kids\Application Data\Apple Computer
2009-09-27 01:25 . 2008-04-12 13:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-09-27 01:04 . 2009-09-27 01:04 -------- d-----w- c:\program files\iTunes
2009-09-27 01:04 . 2009-09-27 01:04 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-27 01:04 . 2009-09-27 01:04 -------- d-----w- c:\program files\iPod
2009-09-27 01:04 . 2008-04-12 13:02 -------- d-----w- c:\program files\Common Files\Apple
2009-09-27 01:03 . 2009-09-27 01:03 -------- d-----w- c:\program files\Bonjour
2009-09-27 01:03 . 2009-09-27 01:03 -------- d-----w- c:\program files\QuickTime
2009-09-27 00:55 . 2009-09-27 00:55 -------- d-----w- c:\program files\iPhone Configuration Utility
2009-09-27 00:54 . 2009-09-27 00:54 -------- d-----w- c:\program files\Safari
2009-09-22 03:29 . 2009-08-28 03:37 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-11 14:18 . 2004-08-06 20:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 10:06 . 2008-02-05 16:54 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-04 21:03 . 2004-08-06 20:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-06 20:00 916480 ------w- c:\windows\system32\wininet.dll
2009-08-29 02:42 . 2009-09-27 00:56 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-29 02:42 . 2008-04-12 13:02 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-26 08:00 . 2004-08-06 20:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-07 02:24 . 2008-02-04 23:35 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 02:24 . 2008-02-04 23:35 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 02:24 . 2008-02-04 23:35 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 02:24 . 2007-07-31 03:19 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 02:24 . 2008-02-04 23:35 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-07 02:24 . 2004-08-06 20:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 02:23 . 2008-02-04 23:35 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 02:23 . 2008-02-08 12:34 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 02:23 . 2008-02-04 23:35 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-07 02:23 . 2007-07-31 03:18 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-05 09:01 . 2004-08-06 20:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2004-08-06 20:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-03 22:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-10-21_19.40.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-06 20:00 . 2008-04-13 18:40 96512 c:\windows\system32\dllcache\atapi.sys
+ 2008-02-05 00:19 . 2009-10-25 18:57 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-02-05 00:19 . 2009-10-21 16:50 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-10-26 19:56 . 2009-10-26 19:56 16384 c:\windows\system32\config\systemprofile\Local Settings\Temp\Perflib_Perfdata_5f8.dat
+ 2008-02-05 00:19 . 2009-10-25 18:57 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-02-05 00:19 . 2009-10-21 16:50 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-10-16 17:19 . 2009-10-25 18:57 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-10-16 17:19 . 2009-10-21 16:50 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-08-20 12:02 . 2009-08-20 12:02 5204992 c:\windows\Installer\30559c8.msp
+ 2009-08-20 12:02 . 2009-08-20 12:02 5204992 c:\windows\Installer\23e2468.msp
+ 2009-08-20 12:02 . 2009-08-20 12:02 5204992 c:\windows\Installer\1f23fd1.msp
+ 2009-08-20 12:02 . 2009-08-20 12:02 5204992 c:\windows\Installer\1abb681.msp
+ 2009-08-20 12:02 . 2009-08-20 12:02 5204992 c:\windows\Installer\1312a12.msp
+ 2009-08-20 12:02 . 2009-08-20 12:02 5204992 c:\windows\Installer\125b64e.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Steam"="c:\program files\steam\steam.exe" [2009-10-24 1217808]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-08-28 1830128]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-09-03 3342336]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 61440]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-04-13 16132608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete\0aswBoot.exe /M:62edc8944

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/27/2009 8:29 PM 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [10/19/2009 8:07 PM 206256]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [10/22/2009 4:31 PM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/22/2009 4:31 PM 20560]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/24/2009 8:21 PM 24652]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 7:49 AM 1028432]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
*Deregistered* - axloqpoc
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 03:29]

2009-10-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-10-27 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 03:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://thesuperficial.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} - hxxp://ea-src-cdn.systemrequirementslab.com/curi/bin/sysreqlab_srlx.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-27 08:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-10-27 8:36
ComboFix-quarantined-files.txt 2009-10-27 15:36
ComboFix2.txt 2009-10-26 04:47
ComboFix3.txt 2009-10-25 19:36
ComboFix4.txt 2009-10-21 19:47

Pre-Run: 69,562,208,256 bytes free
Post-Run: 69,613,580,288 bytes free

- - End Of File - - 17822F2B7017F2F2AD27E6E807BBC909
Upload was successful
Lisatron is offline  
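The service/driver block at the top of that ComboFix log is the part worth reading by machine: each line carries the run state (R running, S stopped), the SCM start type (0 boot, 1 system, 2 auto, 3 demand, 4 disabled), the service and display names, the image path, and either a "[date time size]" stamp or "[?]" when ComboFix could not read the file, as with SBREdrv.sys above. The following parser is an added example, not code from the thread, from ComboFix or from any of the vendors named in the log. It takes four lines copied from the log plus one constructed line ("examplesvc", an invented name and path under a user profile) and flags entries with no file stamp or with a binary outside the Windows and Program Files trees.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input: four lines copied from the ComboFix service/driver list above,
# plus one CONSTRUCTED line ("examplesvc", a made-up name and path under a user
# profile) added so that the location check below has something to flag.
SAMPLE_SERVICES = r"""
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/22/2009 4:31 PM 20560]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 7:49 AM 1028432]
R1 examplesvc;examplesvc;c:\documents and settings\user\application data\examplesvc.sys [10/20/2009 3:00 AM 40960]
"""

# ComboFix prefix: R = running / S = stopped, digit = SCM start type
# (0 boot, 1 system, 2 auto, 3 demand, 4 disabled); then name;display;path [stamp]
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$"
)
# Trailing "[M/D/YYYY H:MM AM size]", or "[?]" when ComboFix could not read the file
STAMP_RE = re.compile(r"^(?P<path>.*?) \[(?P<stamp>[^\]]*)\]$")
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")


@dataclass
class Service:
    state: str            # "R" running or "S" stopped
    start: int            # 0..4, see LINE_RE comment
    name: str
    display: str
    path: str             # lower-cased; NT-style "\??\" prefix resolved via the "-->" form
    stamp: Optional[str]  # "date time size" string, or None when the log printed "[?]"


def parse_line(line: str) -> Service:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a ComboFix service line: {line!r}")
    rest = m.group("rest")
    # "\??\path --> path [stamp]": keep the resolved Win32 path on the right
    if " --> " in rest:
        rest = rest.split(" --> ", 1)[1]
    sm = STAMP_RE.match(rest)
    if not sm:
        raise ValueError(f"no [stamp] on service line: {line!r}")
    stamp = sm.group("stamp")
    return Service(
        state=m.group("state"),
        start=int(m.group("start")),
        name=m.group("name"),
        display=m.group("display"),
        path=sm.group("path").lower(),
        stamp=None if stamp == "?" else stamp,
    )


def parse_services(text: str) -> List[Service]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def triage(services: List[Service]) -> List[Tuple[str, str]]:
    """Return (service name, reason) pairs that deserve a second look."""
    findings = []
    for s in services:
        if s.stamp is None:
            findings.append((s.name, "registered, but ComboFix could not read the file ([?])"))
        if not s.path.startswith(TRUSTED_ROOTS):
            findings.append((s.name, f"binary outside Windows/Program Files: {s.path}"))
    return findings


if __name__ == "__main__":
    for name, reason in triage(parse_services(SAMPLE_SERVICES)):
        print(f"{name}: {reason}")
```

On the log above this flags only SBRE, whose driver file ComboFix could not stat; whether that is a leftover registration from a removed product or something else has to be decided by looking at the machine, the parser only narrows the list. The `*Deregistered*` entries further down (axloqpoc, mbr) are not in this format and are not parsed here.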
Old 10-27-2009, 01:47 PM   #19 (permalink)
Registered User
 
Join Date: Oct 2009
Posts: 22
OS: XP


Re: Trojan:Win32/Alureon.gen!U (Seems like a popular one)

Sorry for the wait.

KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, October 27, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, October 27, 2009 18:32:09
Records in database: 3089963
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 90899
Threats found: 3
Infected objects found: 13
Suspicious objects found: 0
Scan duration: 01:29:53


File name / Threat / Threats count
C:\Program Files\Audio One Pack (Full)\AOPAPI.dll Infected: Backdoor.Win32.Delf.qlk 1
C:\Qoobox\Quarantine\C\Documents and Settings\The Kids\Application Data\seres.exe.vir Infected: Packed.Win32.Krap.ah 1
C:\Qoobox\Quarantine\C\Documents and Settings\The Kids\Application Data\svcst.exe.vir Infected: Packed.Win32.Krap.ah 1
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\htmlayout.dll.vir Infected: Packed.Win32.Krap.ah 1
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\wscui.cpl.vir Infected: Packed.Win32.Krap.ah 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem\proquota.exe.vir Infected: Packed.Win32.Krap.ah 1
C:\Qoobox\Quarantine\[4]-Submit_2009-10-25_21.32.55.zip Infected: Trojan-Downloader.Win32.FraudLoad.fvz 1
C:\System Volume Information\_restore{E496512F-D07C-4027-8153-A952738F33A2}\RP1\A0000052.exe Infected: Packed.Win32.Krap.ah 1
C:\System Volume Information\_restore{E496512F-D07C-4027-8153-A952738F33A2}\RP4\A0000475.exe Infected: Packed.Win32.Krap.ah 1
C:\System Volume Information\_restore{E496512F-D07C-4027-8153-A952738F33A2}\RP6\A0000558.exe Infected: Packed.Win32.Krap.ah 1
C:\System Volume Information\_restore{E496512F-D07C-4027-8153-A952738F33A2}\RP6\A0000559.exe Infected: Packed.Win32.Krap.ah 1
C:\System Volume Information\_restore{E496512F-D07C-4027-8153-A952738F33A2}\RP6\A0000563.dll Infected: Packed.Win32.Krap.ah 1
C:\System Volume Information\_restore{E496512F-D07C-4027-8153-A952738F33A2}\RP6\A0000569.cpl Infected: Packed.Win32.Krap.ah 1

Selected area has been scanned.
Lisatron is offline  
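The Kaspersky report above counts 13 infected objects, but where each object sits matters more than the count: six are ComboFix quarantine copies under C:\Qoobox\Quarantine (renamed with a .vir suffix), six are System Restore snapshots under System Volume Information, and only one, AOPAPI.dll flagged as Backdoor.Win32.Delf.qlk, is still in place on the file system. The script below is an added example, not code from the thread or from Kaspersky; it parses the report lines as printed (the header and all 13 result lines are copied from the post) and groups detections by location so the one item that still needs a decision stands out.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Sample input: the column header and all 13 result lines copied from the
# Kaspersky Online Scanner report above.
SAMPLE_REPORT = r"""
File name / Threat / Threats count
C:\Program Files\Audio One Pack (Full)\AOPAPI.dll Infected: Backdoor.Win32.Delf.qlk 1
C:\Qoobox\Quarantine\C\Documents and Settings\The Kids\Application Data\seres.exe.vir Infected: Packed.Win32.Krap.ah 1
C:\Qoobox\Quarantine\C\Documents and Settings\The Kids\Application Data\svcst.exe.vir Infected: Packed.Win32.Krap.ah 1
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\htmlayout.dll.vir Infected: Packed.Win32.Krap.ah 1
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\wscui.cpl.vir Infected: Packed.Win32.Krap.ah 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem\proquota.exe.vir Infected: Packed.Win32.Krap.ah 1
C:\Qoobox\Quarantine\[4]-Submit_2009-10-25_21.32.55.zip Infected: Trojan-Downloader.Win32.FraudLoad.fvz 1
C:\System Volume Information\_restore{E496512F-D07C-4027-8153-A952738F33A2}\RP1\A0000052.exe Infected: Packed.Win32.Krap.ah 1
C:\System Volume Information\_restore{E496512F-D07C-4027-8153-A952738F33A2}\RP4\A0000475.exe Infected: Packed.Win32.Krap.ah 1
C:\System Volume Information\_restore{E496512F-D07C-4027-8153-A952738F33A2}\RP6\A0000558.exe Infected: Packed.Win32.Krap.ah 1
C:\System Volume Information\_restore{E496512F-D07C-4027-8153-A952738F33A2}\RP6\A0000559.exe Infected: Packed.Win32.Krap.ah 1
C:\System Volume Information\_restore{E496512F-D07C-4027-8153-A952738F33A2}\RP6\A0000563.dll Infected: Packed.Win32.Krap.ah 1
C:\System Volume Information\_restore{E496512F-D07C-4027-8153-A952738F33A2}\RP6\A0000569.cpl Infected: Packed.Win32.Krap.ah 1
"""

# "<path> Infected: <threat name> <count>"; the scanner also emits "Suspicious:" lines
HIT_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$"
)


@dataclass
class Hit:
    path: str
    verdict: str
    threat: str
    count: int


def classify(path: str) -> str:
    """Where the object lives decides what, if anything, still has to be done."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"      # already moved and renamed (.vir) by ComboFix
    if "\\system volume information\\_restore{" in p:
        return "restore_point"   # System Restore copy; only returns if that point is applied
    return "live"                # still at its original location


def parse_report(text: str) -> List[Hit]:
    hits = []
    for ln in text.splitlines():
        m = HIT_RE.match(ln.strip())
        if m:  # header and blank lines do not match and are skipped
            hits.append(Hit(m.group("path"), m.group("verdict"),
                            m.group("threat"), int(m.group("count"))))
    return hits


def summarize(hits: List[Hit]) -> Dict[str, int]:
    return dict(Counter(classify(h.path) for h in hits))


def threat_families(hits: List[Hit]) -> Dict[str, int]:
    return dict(Counter(h.threat for h in hits))


def needs_action(hits: List[Hit]) -> List[Hit]:
    return [h for h in hits if classify(h.path) == "live"]


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print("by location:", summarize(found))
    print("by threat:  ", threat_families(found))
    for h in needs_action(found):
        print(f"still live: {h.path}  ({h.threat})")
```

The quarantine and restore-point hits go away without touching them individually: uninstalling ComboFix removes C:\Qoobox, and on XP turning System Restore off and back on discards all existing restore points. The live hit is the only one where someone has to look at the file and decide.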
Old 10-27-2009, 02:35 PM   #20 (permalink)
Registered User
 
Join Date: Oct 2009
Posts: 22
OS: XP


Re: Trojan:Win32/Alureon.gen!U (Seems like a popular one)

So far the computer appears to be behaving normally. AVAST and Windows Defender haven't notified me of anything suspicious since running ComboFix.
Lisatron is offline  
Copyright 2001 - 2009, Tech Support Forum