Topic: Alureon - log check please


.MMM

  • Guest
Alureon - log check please
« on: April 09, 2012, 10:16:18 PM »
Hi guys,

Apparently, even though I try to update my Avast fairly often, it didn't stop the raving Alureon from infecting my notebook. So I read some of the topics here, with the help of GParted got rid of the small 3MB partition, then re-activated my Desktop and Start menu with Malwarebytes, deleted some of the gunk manually, ran TDSSKiller and aswMBR and also manually set the folders back from "read-only" and "hidden" status. The notebook behaves normally now, but still I would appreciate it if someone with a trained eye could take a look at my logs. Thanks in advance!

btw: Do you know whether the virus can also somehow tamper with the ThinkVantage Client Security Solution? I tried not to type any passwords on the machine and only used the fingerprint reader to gain access to the computer, but the TCSS now bugs me that the Windows password was changed and I should make some changes in TCSS as well.

Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • Posts: 5616
  • Spartan Warrior
Re: Alureon - log check please
« Reply #1 on: April 10, 2012, 08:01:36 AM »
Depending on what variant of Alureon was detected, the actions of the trojan are different.

See:  http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=alureon

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Alureon - log check please
« Reply #2 on: April 10, 2012, 08:37:59 PM »
Unfortunately no AV to my knowledge is able to block this as it changes on a daily basis, but at least Avast stops it calling home. Are you experiencing any problems at the moment?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed, please disable it for the duration of this run.
To disable MBAM:
Open the scanner and select the protection tab.
Remove the tick from "Start with Windows".
Reboot and then run OTL.


Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    Quote
    :OTL
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
    [2010/05/19 01:02:45 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    [2010/12/05 15:41:48 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    [2011/02/04 12:04:34 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    O4 - HKLM..\Run: [OWnJICFAheC.exe] C:\Documents and Settings\All Users\Application Data\OWnJICFAheC.exe File not found
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Reg Error: Key error.)

    :Files
    ipconfig /flushdns /c

    :Commands
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
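
Added example, not part of the fix above or of OTL itself: a small Python triage script that parses the three OTL line shapes quoted in the fix (O4 Run entries, O16 DPF entries and directory entries) and flags the kind of leftovers the fix targets, such as a Run value whose target is "File not found". The sample log is constructed: it reuses the lines quoted above plus two made-up O4 lines, one benign and one suspicious.

```python
import re

# Constructed sample in OTL quick-scan format: the O4, O16 and directory lines
# from the fix above plus two made-up O4 lines (one benign, one suspicious).
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [OWnJICFAheC.exe] C:\Documents and Settings\All Users\Application Data\OWnJICFAheC.exe File not found
O4 - HKLM..\Run: [ExampleTray] C:\Program Files\Example\tray.exe (Example Publisher)
O4 - HKCU..\Run: [qWeRtYuIo.exe] C:\Documents and Settings\All Users\Application Data\qWeRtYuIo.exe
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Reg Error: Key error.)
[2010/05/19 01:02:45 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
"""

# Line shapes as they appear in the quoted fix: autorun (O4), ActiveX download (O16), file/dir entry.
O4_RE = re.compile(r"^O4 - (?P<hive>[A-Z]+)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<rest>.+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) (?P<url>\S+)(?: \((?P<note>[^)]*)\))?$")
DIR_RE = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| (?P<attrs>[-A-Z]+) \| [MC]\] "
                    r"\((?P<desc>[^)]*)\) -- (?P<path>.+)$")

def parse_o4(line):
    """Split an O4 Run entry into hive, value name, target path, publisher and missing flag."""
    m = O4_RE.match(line)
    if not m:
        return None
    rest = m["rest"]
    entry = {"hive": m["hive"], "name": m["name"], "publisher": None, "missing": False}
    if rest.endswith(" File not found"):          # OTL's marker for an orphaned autorun
        entry["path"], entry["missing"] = rest[: -len(" File not found")], True
    elif rest.endswith(")") and " (" in rest:     # trailing "(Publisher)" block
        entry["path"], pub = rest.rsplit(" (", 1)
        entry["publisher"] = pub[:-1]
    else:                                         # no publisher information at all
        entry["path"] = rest
    return entry

def triage(log_text):
    """Return (reason, line) pairs for entries a log reviewer would act on, in log order."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        o4, o16, d = parse_o4(line), O16_RE.match(line), DIR_RE.match(line)
        if o4 and o4["missing"]:
            findings.append(("orphaned Run value: target file is gone, remove the key", line))
        elif o4 and o4["publisher"] is None and "Application Data" in o4["path"]:
            findings.append(("unsigned autorun from a shared data folder", line))
        elif o16 and (o16["note"] or "").startswith("Reg Error"):
            findings.append(("stale ActiveX (DPF) entry with broken registry key", line))
        elif d and "D" in d["attrs"] and "\\extensions\\" in d["path"]:
            findings.append(("browser extension dir: confirm it matches a current install", line))
    return findings
```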

.MMM
Re: Alureon - log check please
« Reply #3 on: April 10, 2012, 11:22:44 PM »
Thank you for your help! No problems at the moment. I deleted the OWnJICFAheC.exe before, so I guess that even though it was trying to open it I stayed all right. Plus I use Opera and only very rarely FF.

Offline essexboy
Re: Alureon - log check please
« Reply #4 on: April 10, 2012, 11:29:28 PM »
You did a good job; GParted was the main trick for this one.