# [SOLVED] How to remove Alureon Virus?



## brandino3

I ran Microsoft Windows Malicious Software Removal Tool and it found several types of Alureon viruses. It said they were partially removed and I had to run a full scan to completely remove them. I was running a full system scan (PC Matic) and of course my scan froze and I had to start over. I ran MWMSRT again and it found nothing. So I downloaded Microsoft Security Essentials, which found some trojans and removed them, but no Alureon viruses. I don't know if the trojans were the Alureon viruses and I'm worried about whether my computer is safe. How can I be sure the Alureon viruses are gone, and if they aren't, how can I remove them completely?


----------



## TB-PsYcHoTiC

*Re: How to remove Alureon Virus?*

Hi there,
my name is Marius and I will be assisting you with your Malware related problems. 

Before we move on, please read the following points carefully.


First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while you are following my instructions, *Stop* there and tell me the exact nature of your problem.
Do not run any other scans without instruction or Add/Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.



*Preparing for the malware removal process*

While a description of the trouble you're having is of help, we need more information. A comprehensive set of logs is required to determine the presence of malware.

Please follow our pre-posting process outlined here:

*NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help*

After running through all the steps, you shall have a proper set of logs.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.


----------



## brandino3

*Re: How to remove Alureon Virus?*

Here are the attach and dds zips. I was having some trouble running the GMER, I'm not sure if you need it. Also I don't have a Windows disk; I'm not sure, but I think Windows XP came pre-installed.

.
DDS (Ver_2011-08-26.01) - NTFSx86 
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Run by HP_Administrator at 14:37:17 on 2012-05-11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1358 [GMT -4:00]
.
FW: Norton Internet Worm Protection *Disabled* 
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\PCPitstop\PC MaticRT\PCPitstopRTService.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\PCPitstop\Info Center\InfoCenter.exe
C:\Program Files\PCPitstop\PC MaticRT\PCMaticRT.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\WINDOWS\vVX1000.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\PCPitstop\Download Nitro\pcpitstop-nitro.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SMC\Common_11n\RaUI.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2117678
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [Download Nitro] "c:\program files\pcpitstop\download nitro\pcpitstop-nitro.exe" -autorun
uRun: [PC SpeedScan Pro] c:\program files\ascentive\pc speedscan pro\PCSpeedScan.exe -m
uRun: [Performance Center] c:\program files\ascentive\performance center\APCMain.exe -m
mRun: [Info Center] c:\program files\pcpitstop\info center\InfoCenter.exe
mRun: [PC MaticRT] c:\program files\pcpitstop\pc maticrt\PCMaticRT.exe
mRun: [DMAScheduler] "c:\program files\hp digitalmedia archive\DMAScheduler.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [nwiz] nwiz.exe /install
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [VX1000] c:\windows\vVX1000.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [RTHDCPL] RTHDCPL.EXE
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAFYARgBSAEUARQAtAFYASwBQAEMAQgAtADYAQgBXAEYATQAtAFQAUgBMAFEAUgAtAEIAUgBVAEgAUAAtAEMAUAA4ADYARwA"&"inst=NwA3AC0ANAA0ADIANwA2ADYAOAA3ADUALQBGAFAAOQArADYALQBCAEEAUgA5AEcAKwAxAC0AVABCADkAKwAyAC0ARgBMACsAOQAtAFgATwAzADYAKwAxAC0ARgA5AE0ANwBDACsANQAtAEYAOQBNADEAMABCACsAMgA"&"prod=90"&"ver=9.0.872
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\smcezc~1.lnk - c:\program files\smc\common_11n\RaUI.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{892900FC-9814-4488-99C0-81491C1EE93D} : DhcpNameServer = 16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
TCP: Interfaces\{938EF7FB-AD07-43A9-8752-EC3FE2ED41DE} : DhcpNameServer = 75.75.75.75 75.75.76.76
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2012-3-10 21464]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 PCPitstop Realtime;PCPitstop Realtime;c:\program files\pcpitstop\pc maticrt\PCPitstopRTService.exe [2012-3-10 382104]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2012-3-10 69976]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2010-1-1 1209408]
S3 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\pcpitstop\PCPitstopScheduleService.exe [2012-3-10 91816]
S4 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-6-24 92008]
.
=============== Created Last 30 ================
.
2012-05-10 18:53:33	237072	------w-	c:\windows\system32\MpSigStub.exe
.
==================== Find3M ====================
.
2012-04-11 13:14:41	2148352	------w-	c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12:06	1862272	----a-w-	c:\windows\system32\win32k.sys
2012-04-11 12:35:51	2026496	------w-	c:\windows\system32\ntkrnlpa.exe
2012-03-27 21:03:36	6100072	----a-w-	c:\windows\system32\drivers\RtkHDAud.sys
2012-03-14 17:40:46	20065896	----a-w-	c:\windows\RTHDCPL.EXE
2012-03-01 11:01:32	916992	----a-w-	c:\windows\system32\wininet.dll
2012-03-01 11:01:32	43520	----a-w-	c:\windows\system32\licmgr10.dll
2012-03-01 11:01:32	1469440	------w-	c:\windows\system32\inetcpl.cpl
2012-02-29 14:10:16	177664	----a-w-	c:\windows\system32\wintrust.dll
2012-02-29 14:10:16	148480	------w-	c:\windows\system32\imagehlp.dll
2012-02-29 12:17:40	385024	----a-w-	c:\windows\system32\html.iec
.
============= FINISH: 14:38:27.90 ===============


----------



## brandino3

*Re: How to remove Alureon Virus?*

Do you know the solution to my problem?


----------



## brandino3

*Re: How to remove Alureon Virus?*

Here is my updated Attach zip with the GMER log as well.


----------



## TB-PsYcHoTiC

*Re: How to remove Alureon Virus?*

I am currently reviewing your log. I will be back with a fix for your problem as soon as possible.

Please be patient with me during this time.

Regards,

Marius


----------



## TB-PsYcHoTiC

*Re: How to remove Alureon Virus?*

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool: 

A guide and tutorial on using ComboFix

**Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.**

Please include the *C:\ComboFix.txt* in your next reply for further review.


----------



## brandino3

*Re: How to remove Alureon Virus?*

Here is the combofix log

ComboFix 12-05-13.03 - HP_Administrator 05/13/2012 13:53:19.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1409 [GMT -7:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: Norton Internet Security 2006 *Enabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security 2006 *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\HP_Administrator\Local Settings\Temp\IadHide5.dll
c:\documents and settings\HP_Administrator\WINDOWS
c:\windows\system32\config\systemprofile\WINDOWS
.
.
((((((((((((((((((((((((( Files Created from 2012-04-13 to 2012-05-13 )))))))))))))))))))))))))))))))
.
.
2012-05-13 20:41 . 2012-05-13 20:41	--------	d-----w-	c:\windows\LastGood
2012-05-13 20:21 . 2012-05-13 20:21	--------	d-----w-	c:\windows\system32\scripting
2012-05-13 20:21 . 2012-05-13 20:21	--------	d-----w-	c:\windows\l2schemas
2012-05-13 20:21 . 2012-05-13 20:21	--------	d-----w-	c:\windows\system32\en
2012-05-13 20:21 . 2012-05-13 20:21	--------	d-----w-	c:\windows\system32\bits
2012-05-13 07:16 . 2012-05-13 07:16	21419	----a-w-	c:\windows\system32\drivers\AegisP.sys
2012-05-13 07:15 . 2012-05-13 07:15	--------	dc----w-	c:\windows\system32\DRVSTORE
2012-05-13 07:15 . 2012-05-13 07:15	--------	d-----w-	c:\program files\SMC
2012-05-13 07:15 . 2007-07-28 14:50	517632	----a-r-	c:\windows\system32\drivers\rt2870.sys
2012-05-13 07:11 . 2012-05-13 20:56	--------	d-----w-	c:\documents and settings\HP_Administrator
2012-05-13 07:06 . 2001-08-17 20:48	12160	----a-w-	c:\windows\system32\drivers\mouhid.sys
2012-05-13 07:06 . 2008-04-13 18:45	10368	----a-w-	c:\windows\system32\drivers\hidusb.sys
2012-05-13 06:52 . 2012-05-13 07:02	--------	d-----r-	c:\documents and settings\All Users\Documents
2012-05-13 06:47 . 2012-05-13 20:36	--------	d-sh--r-	c:\windows\system32\dllcache
2012-05-13 05:42 . 2012-05-13 05:42	--------	d-----w-	c:\program files\MSXML 4.0
2012-05-13 05:31 . 2012-05-13 20:20	--------	d-----w-	c:\windows\ServicePackFiles
2012-05-13 05:13 . 2008-05-03 11:55	2560	------w-	c:\windows\system32\xpsp4res.dll
2012-05-13 05:11 . 2008-06-13 11:05	272128	------w-	c:\windows\system32\drivers\bthport.sys
2012-05-13 05:06 . 2006-03-21 03:23	23040	------w-	c:\windows\kb913800.exe
2012-05-13 05:01 . 2012-05-13 05:01	--------	d-----w-	c:\program files\Microsoft Download Manager
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"ftutil2"="ftutil2.dll" [2004-06-07 106496]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-14 16239616]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"nwiz"="nwiz.exe" [2006-05-09 1519616]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-09-17 52848]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-02-17 49152]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
SMC EZ Connect N Wireless Utility.lnk - c:\program files\SMC\Common_11n\RaUI.exe [2012-5-13 2289664]
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-8-4 36903]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-8-4 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-8-4 27136]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallDisableNotify"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - COMHOST
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-13 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - HP_Administrator.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2005-12-31 19:13]
.
2012-05-13 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2006-08-04 04:21]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
Trusted Zone: trymedia.com
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-PCDrProfiler - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2012-05-13 13:58
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\ccProxy.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\arservice.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\RTHDCPL.EXE
c:\windows\ARPWRMSG.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dllhost.exe
c:\program files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
.
**************************************************************************
.
Completion time: 2012-05-13 14:02:23 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-13 21:02
.
Pre-Run: 226,844,663,808 bytes free
Post-Run: 226,813,509,632 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - AF96E84BF0D9F43732DC3FD4BE6BAEDD
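The "Reg Loading Points" section of the ComboFix log above is where an analyst looks first for settings that quietly weaken the machine: in this log, Security Center has stopped monitoring the Symantec AV and firewall, firewall warnings are suppressed, and the standard-profile Windows Firewall is off. The following script is an added example for this thread, not ComboFix's own code and not posted by anyone in the thread; it parses the REGEDIT4-style blocks ComboFix prints and flags those values. The sample text is constructed to match the shape of the log (same keys and values, shortened), and the rule table is my own choice of what to flag.

```python
"""Flag security-weakening values in a ComboFix 'Reg Loading Points' section.

Added example: the parser and the RULES table below are this editor's, not
ComboFix's, and SAMPLE_LOG is constructed to mirror the shape of the log in
the thread."""
import re

# Constructed sample, modelled on the thread's "Reg Loading Points" block.
SAMPLE_LOG = r"""
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallDisableNotify"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')


def parse_value(raw):
    """Turn a ComboFix/REGEDIT4 value into an int or a string.

    dword:00000001 -> 1 ; '0 (0x0)' -> 0 ; '"path" [date size]' -> 'path'.
    """
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(-?\d+)\b", raw)
    if m:
        return int(m.group(1))
    m = re.match(r'^"([^"]*)"', raw)
    return m.group(1) if m else raw


def parse_reg_points(text):
    """Return {key_path (lower-cased): {value_name: value}} for every [key] block."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group(1).lower()
            keys.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            keys[current][vm.group(1)] = parse_value(vm.group(2))
    return keys


# (key fragment, value name, value that weakens security, finding text)
# The fragments are compared against the lower-cased key path.
RULES = [
    ("\\security center", "FirewallDisableNotify", 1,
     "Security Center firewall warnings are suppressed"),
    ("\\security center\\monitoring\\", "DisableMonitoring", 1,
     "Security Center has stopped monitoring a product"),
    ("\\firewallpolicy\\standardprofile", "EnableFirewall", 0,
     "Windows Firewall is disabled for the standard profile"),
]


def find_weakened_settings(text):
    """Apply RULES to the parsed blocks; return one finding string per hit."""
    findings = []
    for key, values in parse_reg_points(text).items():
        for fragment, name, bad, message in RULES:
            if fragment in key and values.get(name) == bad:
                leaf = key.rsplit("\\", 1)[-1]
                findings.append(f"{message} ({leaf}): {name}={bad} under [{key}]")
    return findings


if __name__ == "__main__":
    for finding in find_weakened_settings(SAMPLE_LOG):
        print("WEAK:", finding)
```

Run against the sample it reports four findings (the suppressed notification, the two monitoring entries, and the disabled firewall) and says nothing about the ordinary ehTray Run entry. On a real log the values themselves are only a lead: a user or a third-party security suite can legitimately set them, so each hit is something to ask the poster about, not proof of infection.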


----------



## brandino3

*Infected Recovery Partition*

My brother is stupid and downloaded a fishy file, and said he got a trojan from it that affects all parts of the computer, even the partitions. My computer has no recovery discs; it just has a recovery partition, and I believe the virus has gotten on the recovery partition. Is there any way to remove it or wipe out the hard drive and install the OS without the installation CD? Will wiping out the hard drive even get rid of the virus? My computer is an HP Pavilion a1630n and has Windows XP Media Center Edition 2005.


----------



## Ried

*Re: Infected Recovery Partition*

Hello brandino3,

Is this the same machine you've posted about here --> http://www.techsupportforum.com/forums/f50/how-to-remove-alureon-virus-644935.html

If not, what version of Windows is this and what leads you to believe the Recovery Partition is infected?


----------



## brandino3

*Re: Infected Recovery Partition*

Yes this is the same machine. The thing that leads me to believe the Recovery Partition is infected is that whenever I use it to remove the virus, the virus comes back. Even when I install antivirus it still manages to bypass it.


----------



## Ried

*Re: Infected Recovery Partition*

Since this is the same machine you're already being assisted with, I've merged the threads so the Security Analyst is aware of all this.

Please clarify what you mean by this statement?


> Recovery Partition is infected is that whenever I use it to remove the virus, the virus comes back.


Do you mean System Restore, or are you actually invoking the manufacturer Recovery Partition that sets the machine back to factory condition?


----------



## brandino3

*Re: How to remove Alureon Virus?*

Ok, thank you, and yes, I am using the recovery partition that sets the computer back to factory defaults.


----------



## Ried

*Re: How to remove Alureon Virus?*

Thanks. It would be most helpful to the Security Analyst if you could provide him with the location your tools are finding this infection in. What is the file name(s) it is flagging as infected?

Please post what information you have, and TB-PsYcHoTiC will have the next set of instructions as soon as possible. Please be patient as there are time zone differences. :smile:


----------



## brandino3

*Re: How to remove Alureon Virus?*

Well, see, there is the problem: I'm not sure if the infection is still there. I don't know how to find it.


----------



## Ried

*Re: How to remove Alureon Virus?*

What tool found the infection? Was it only the Microsoft Windows Malicious Software Removal Tool? If so, the tool creates a log file named *mrt.log* in the C:\Windows\debug folder. Look in that folder and post the contents of the log.


----------



## brandino3

*Re: How to remove Alureon Virus?*

I used the Windows Malicious Software Removal Tool and it found an Alureon virus (I forget, but I think it was Win32/Alureon). Then I used Microsoft Security Essentials and that found some trojans. I keep removing the viruses I find, but they keep coming back, which leads me to believe it's on the recovery partition.


----------



## Ried

*Re: How to remove Alureon Virus?*

Please see my previous post. :smile: The more information you can provide for TB-PsYcHoTiC , the better he shall be able to assist you and determine his next course of action.


----------



## brandino3

*Re: How to remove Alureon Virus?*

I have run the recovery console since then, so I need to run a new malicious software scan. I will post back ASAP. Sorry.


----------



## brandino3

*Re: How to remove Alureon Virus?*

Here is my updated dds, ark, and attach logs. The GMER scan said it found rootkits.


----------



## brandino3

*Re: How to remove Alureon Virus?*

Would you like the GMER scan of my Recovery drive as well?


----------



## Ried

*Re: How to remove Alureon Virus?*

No, thank you.  gmer will only run properly on an Operating System/partition that is loaded.

Have you run another malicious software scan? Is it still detecting Alureon and if so, what is filename and the location?


----------



## brandino3

*Re: How to remove Alureon Virus?*

I am running a scan still and it's almost done. By the looks of it, it's not going to detect anything.


----------



## brandino3

*Re: How to remove Alureon Virus?*

When I try to attach, it says invalid file.


----------



## TB-PsYcHoTiC

*Re: How to remove Alureon Virus?*

Good morning brandino3,

I'm sorry but, as Ried told you, we have some time zone differences. :wink:
Try to zip your log before attaching it, because the board will only accept a little choice of file endings for being attached.

In the meantime I'll have a look over what you did since my last post.

Don't panic, we'll get rid of this! :thumb:


----------



## TB-PsYcHoTiC

*Re: How to remove Alureon Virus?*

Please read and follow these instructions carefully. We do not want it to fix anything yet (if found), we need to see a report first.

Download *TDSSKiller.exe* and save it to your desktop

Execute TDSSKiller.exe by double-clicking on it.
Click Change parameters, check Detect TDLFS file system, click OK.
Press Start Scan
If Malicious objects are found, *do NOT* select *Cure*. *Change the action to Skip*, and save the log.
Once complete, a log will be produced at the root drive, which is typically C:\, for example, C:\TDSSKiller.<version_date_time>log.txt


Please post the contents of that log in your next reply.




*Scan with aswMBR*

Please download aswMBR.exe to your desktop.



Double-click the *aswMBR.exe* to run it
When prompted with *The application can use the Avast! Free Antivirus for scanning* >> select *No*
Now click on the *Scan* button to start scan
On completion of the scan click *Save Log*, save it to your desktop and post the contents in your next reply

*Note:* There will also be a file on your desktop named MBR.dat (or similar). Do not delete this for now; it is an actual backup of the MBR (master boot record).



*Run ESET Online Scan*



 Close any open programs
 Turn off the real time scanner of any existing antivirus program while performing the online scan.
Go here to run an online scanner from ESET.
 *Note: You will need to use Internet explorer for this scan*



Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option *Remove found threats* is unticked and the *Scan Archives option* is ticked.
Click on *Advanced Settings*, ensure the options *Scan for potentially unwanted applications*, *Scan for potentially unsafe applications*, and *Enable Anti-Stealth Technology* are ticked.
Click *Scan*.
Wait for the scan to finish


 Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
 Copy and paste that log as a reply to this topic and also let me know how things are now.


----------



## brandino3

*Re: How to remove Alureon Virus?*

here is my mrt log


----------



## brandino3

*Re: How to remove Alureon Virus?*

Here are my tdss and aswMBR logs, I will get you the Eset log ASAP.


----------



## brandino3

*Re: How to remove Alureon Virus?*

I think it may have found the issue. It found things on my D drive, which is my recovery partition.


----------



## TB-PsYcHoTiC

*Re: How to remove Alureon Virus?*

Those files aren't viruses. They are minor AdWare. Eset is doing its job by reporting it, but we won't be acting on them since they came with your purchase of the HP machine.


----------



## brandino3

*Re: How to remove Alureon Virus?*

so what can i do?


----------



## TB-PsYcHoTiC

*Re: How to remove Alureon Virus?*

Please be patient. I'm in discussion with Ried about the next steps. I'll tell you what to do when we're finished!


----------



## brandino3

*Re: How to remove Alureon Virus?*

ok thank you


----------



## TB-PsYcHoTiC

*Re: How to remove Alureon Virus?*

*Adobe Reader update*


Your Adobe Reader is outdated. We will fix this.




Get the actual software from here. *Important:* Uncheck any optional software (for example Google Chrome, etc.) offered.
Run setup and follow the instructions.
Click upon Start-->control panel-->add/remove programs.
Search for and remove *any* older reader versions.



*Adobe flash player update*


Your Adobe flash player is outdated. We will fix this.


Get the actual player from here. *Important:* Uncheck any optional software (for example Google Chrome, etc.) offered.
Click upon Start-->control panel-->add/remove programs.
Search for and remove *any* older reader versions.



*Java update*


Your Java runtime environment is outdated. We will fix this.


Get the actual JRE from *here*
Save *jxpiinstall.exe* to your desktop
Close all running programs, especially your browser(s)
Run jxpiinstall.exe. This will download the newest JRE installer (Java 7 Update 4) and install the software
When finished, go to
Start-->control panel-->add/remove programs and remove all older Java versions (if existing).
When finished, reboot your computer.

After the reboot

 Open control panel again and click the java symbol.
 Click Settings under Temporary Internet Files.
The Temporary Files Settings dialog box appears.
 Click Delete Files.
The Delete Temporary Files dialog box appears
Click OK on Delete Temporary Files window.
Click OK again.



*Combofix uninstall*

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

*ComboFix /Uninstall *


*Recommendations*
Below are some recommendations to lower your chances of (re)infection.


Install and maintain an _outbound_ firewall
Install Spyware Blaster and update it regularly
If you wish, the commercial version provides automatic updating.
Install the MVPs hosts file, and update it regularly
You can use the HostMan hosts file manager to do this automatically if you wish.
For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
Install an Anti-Spyware program, and update it regularly
Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
SUPERAntiSpyware is another good scanner with high detection and removal rates.
Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
Keep Windows (and your other Microsoft software) up to date!
I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

_If you are using Windows XP or earlier_
Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

_If you are using Windows Vista_
Click the "Start Menu" (or Windows Orb)
Click "All Programs"
Click "Windows Update"
On the left, choose "Change Settings"
Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
Press OK and accept the UAC prompt.
*Note: *You shouldn't need to check this checkbox every single time you update, only the first time.
Click "Check for Updates" in the upper left corner.
Follow the instructions to install the latest updates.
Reboot and repeat the "Check for Updates" until there are no more critical updates to install
 
Keep your other software up to date as well
Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
*Stay up to date!*
The *MOST IMPORTANT* part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.


----------



## brandino3

*Re: How to remove Alureon Virus?*

Is it possible for the programs (GMER, DDS, Combofix, etc.) to have missed the virus? How can I be sure that my computer is 100% virus-free?


----------



## TB-PsYcHoTiC

*Re: How to remove Alureon Virus?*

ComboFix does not fall in the same category as general Anti Virus or Anti Malware scanner. It's a specialized tool designed to target specific infections, so you can't really lump it in with the others. That being said, the ComboFix output log is coming up clean.

No one can ever guarantee that any machine is 100% clean. We can only remove what we see, and the Anti Malware and Anti Virus programs can only remove what they detect as malware related. We've also run several other specialty tools designed to detect specific malware that AV's may not be able to detect due to the nature of specific malware.

I understand your concern, but all those scans are coming up clean, and you have restored to factory condition several times. There's not much more that can be done than that to eradicate a machine of malware. As long as a machine is connected to and using the internet, malware can get on a machine.

Add one of the Anti Malware programs recommended in my previous post. Continue your vigilance of keeping your Anti Virus and Anti Malware programs updated, and scan with them weekly.


----------

