virus / spyware I think
voigtstr
2009-10-20, 15:51
Hi guys, I've been handed a computer to fix. Initially the issues were popups telling him the computer was infected (I suspect that these were rogue spyware popups using Explorer). It was handed to me when XP wouldn't load at all with corrupt system files. chkdsk /p was run in the Recovery Console (via the install disk) and the system is now running.
AVG didn't appear to be running, so it has been replaced with Avast, which has already found Win32:Alureon-DA [Rtk] lurking in c:\windows\system32.
Tried to run Malwarebytes but it wouldn't update, claiming that it couldn't get past the Windows Firewall even though I added an exclusion for it.
Something else that is weird is that my USB keyboard only worked after POST if USB keyboards were enabled in the BIOS (so I could tap F8 while Windows was starting), but now that Windows is running the keyboard doesn't work; I'm typing this using the On-Screen Keyboard program.
Here is the HJT log file.
cheers
voigtstr
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:21:00 PM, on 20/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iTunes\iTunesHelper.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\OSK.exe
C:\WINDOWS\system32\MSSWCHX.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Jdavuzedesuva] rundll32.exe "C:\WINDOWS\adekasegadavemom.dll",Startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsAuxs.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsSvc.exe (file missing)
--
End of file - 5634 bytes
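A triage pass over the HijackThis log above, as an added example that is not part of the thread or of HijackThis itself. It applies a few rules a helper reads such a log with: an F2 UserInit value that names anything besides userinit.exe, an O4 Run entry that hands rundll32 a DLL sitting directly in the Windows directory, and O2/O3/O23 entries whose file is gone. The sample lines are copied from the log above; the rule set and severities are my own choice, not a HijackThis feature.

```python
import re
from dataclasses import dataclass

# HijackThis lines copied from the log posted above (not constructed); the
# triage rules below are my own and are not part of HijackThis.
SAMPLE_HJT_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Jdavuzedesuva] rundll32.exe "C:\WINDOWS\adekasegadavemom.dll",Startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsAuxs.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "F2", "O4"
    severity: str  # "high": persistence that must be explained; "low": orphaned leftover
    reason: str
    line: str


USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$", re.IGNORECASE)
RUN_RE = re.compile(r"^O4 - \S+\\\.\.\\Run: \[[^\]]*\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?', re.IGNORECASE)
WINDOWS_ROOTS = {"c:\\windows", "c:\\winnt"}  # DLLs loaded from here at logon are unusual


def triage_hjt(log_text):
    """Return a list of Finding objects for the HijackThis lines that need attention."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        # F2: UserInit runs at every logon; Windows itself only needs userinit.exe here.
        m = USERINIT_RE.match(line)
        if m:
            entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
            for entry in entries:
                if not entry.lower().endswith("\\userinit.exe"):
                    findings.append(Finding("F2", "high", f"extra UserInit executable: {entry}", line))
            continue

        # O4: Run keys; flag rundll32 loading a DLL straight out of the Windows directory.
        m = RUN_RE.match(line)
        if m:
            d = RUNDLL_RE.match(m.group("cmd"))
            if d:
                dll = d.group("dll")
                parent = dll.rsplit("\\", 1)[0].lower()
                if parent in WINDOWS_ROOTS:
                    findings.append(Finding("O4", "high", f"rundll32 loads a DLL from the Windows root: {dll}", line))
            continue

        # O2/O3: browser helper objects and toolbars whose file no longer exists.
        if line.startswith(("O2 - ", "O3 - ")) and line.endswith("(no file)"):
            findings.append(Finding(line[:2], "low", "orphaned browser extension entry (no file)", line))
            continue

        # O23: services whose binary is missing (typically uninstall leftovers).
        if line.startswith("O23 - ") and line.endswith("(file missing)"):
            findings.append(Finding("O23", "low", "service points at a missing executable", line))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f"[{f.severity}] {f.section}: {f.reason}")
```

Run it on a saved log with `triage_hjt(open("hijackthis.log").read())`; the two "high" findings it produces on the sample are the UserInit addition and the rundll32 entry, which is where a helper would start. The "low" findings are housekeeping, not infection evidence.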
Hi voigtstr
One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information, and download and execute files.
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)
We can attempt to clean this machine, but I can't guarantee that it will be 100% secure afterwards.
Should you have any questions, please feel free to ask.
Please let us know what you have decided to do in your next post.
voigtstr
2009-10-22, 02:59
I would prefer to attempt removal if possible.
If the rootkits (Avast has identified some instances as such) are too hard to uninstall, I'll have to try backing up user data and reinstalling. I'll back up to a 500 GB drive formatted in FAT32. Using my Mac I'll be able to check for hidden files in the root folder such as autorun .exe files etc. and delete them. I may even create another XP virtual machine on my Mac just so I can virus scan the backed up files.
Are the rootkits/trojans that hard to identify/remove?
I have a list from Avast of the detections it has found, which follows:
20/10/2009 10:53:16 PM 1256039596 SYSTEM 1484 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\SYSTEM32\ROTSCXFDFNXKIQ.DLL" file.
20/10/2009 11:03:08 PM 1256040188 SYSTEM 1484 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\SYSTEM32\ROTSCXFDFNXKIQ.DLL" file.
21/10/2009 2:04:17 AM 1256051057 Deanne 1912 Sign of "Other:Malware-gen" has been found in "C:\Documents and Settings\Musashi\Local Settings\Temporary Internet Files\Content.IE5\ODYBOX2B\CAER0H0H.swf" file.
21/10/2009 2:16:53 AM 1256051813 Deanne 1912 Sign of "Other:Malware-gen" has been found in "C:\Documents and Settings\Musashi\Local Settings\Temporary Internet Files\Content.IE5\SXE7CHU7\CAS9YJ6N.swf" file.
21/10/2009 2:53:13 AM 1256053993 Deanne 1912 Sign of "Win32:Alureon-DJ [Trj]" has been found in "C:\System Volume Information\_restore{91796B9E-0CFD-4893-92E8-9F5A1AE59C76}\RP8\A0003007.sys" file.
21/10/2009 7:14:19 AM 1256069659 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\System Volume Information\_restore{91796B9E-0CFD-4893-92E8-9F5A1AE59C76}\RP8\A0003029.dll" file.
21/10/2009 8:00:13 AM 1256072413 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\system32\rotscxbuouwcfm.dll" file.
21/10/2009 8:01:29 AM 1256072489 Deanne 1912 Sign of "Win32:Alureon-CW [Rtk]" has been found in "C:\WINDOWS\system32\rotscxfcutvrmy.dll" file.
21/10/2009 8:01:52 AM 1256072512 Deanne 1912 Sign of "Win32:Alureon-DI [Rtk]" has been found in "C:\WINDOWS\system32\rotscxsdqjtite.dll" file.
21/10/2009 8:01:56 AM 1256072516 Deanne 1912 Sign of "Win32:Alureon-DI [Rtk]" has been found in "C:\WINDOWS\system32\rotscxxexnbsmn.dll" file.
21/10/2009 8:03:17 AM 1256072597 Deanne 1912 Sign of "Win32:Zbot-MCT [Trj]" has been found in "C:\WINDOWS\Temp\1C.tmp" file.
21/10/2009 8:03:47 AM 1256072627 Deanne 1912 Sign of "Win32:Malware-gen" has been found in "C:\WINDOWS\Temp\A.tmp" file.
21/10/2009 8:04:17 AM 1256072657 Deanne 1912 Sign of "Win32:Zbot-MCT [Trj]" has been found in "C:\WINDOWS\Temp\calxxjuxiy.exe" file.
21/10/2009 8:05:01 AM 1256072701 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxamrdrrfpov.tmp" file.
21/10/2009 8:05:04 AM 1256072704 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxbaithqobau.tmp" file.
21/10/2009 8:05:06 AM 1256072706 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxbdtlkcjxtu.tmp" file.
21/10/2009 8:05:07 AM 1256072707 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxbgpgxdbfnq.tmp" file.
21/10/2009 8:05:10 AM 1256072710 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxbjgjdgdiem.tmp" file.
21/10/2009 8:05:12 AM 1256072712 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxbmewluqjty.tmp" file.
21/10/2009 8:05:13 AM 1256072713 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxbmfspldkrn.tmp" file.
21/10/2009 8:05:14 AM 1256072714 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxbtdniabprk.tmp" file.
21/10/2009 8:05:16 AM 1256072716 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxbvtfmyedmi.tmp" file.
21/10/2009 8:05:17 AM 1256072717 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxbwjusppgrx.tmp" file.
21/10/2009 8:05:18 AM 1256072718 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxbyfwkiksvj.tmp" file.
21/10/2009 8:05:19 AM 1256072719 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxbylewjjfic.tmp" file.
21/10/2009 8:05:22 AM 1256072722 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxccnpqpwtea.tmp" file.
21/10/2009 8:05:23 AM 1256072723 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxccpmbcycef.tmp" file.
21/10/2009 8:05:25 AM 1256072725 Deanne 1912 Sign of "Win32:Alureon-CW [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxcdmtnxbqlx.tmp" file.
21/10/2009 8:05:26 AM 1256072726 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxcftbaoryto.tmp" file.
21/10/2009 8:05:27 AM 1256072727 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxchlggrtfhq.tmp" file.
21/10/2009 8:05:28 AM 1256072728 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxcihpetyara.tmp" file.
21/10/2009 8:05:30 AM 1256072730 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxcyqrtwsiun.tmp" file.
21/10/2009 8:05:31 AM 1256072731 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxdchkutfwwl.tmp" file.
21/10/2009 8:05:32 AM 1256072732 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxeoxwuymobp.tmp" file.
21/10/2009 8:05:33 AM 1256072733 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxetwapipskq.tmp" file.
21/10/2009 8:05:34 AM 1256072734 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxewggkbqiho.tmp" file.
21/10/2009 8:05:35 AM 1256072735 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxfcctnyvhah.tmp" file.
21/10/2009 8:05:37 AM 1256072737 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxfgxhxedppp.tmp" file.
21/10/2009 8:05:38 AM 1256072738 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxftouopuxvi.tmp" file.
21/10/2009 8:05:44 AM 1256072744 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxfyqfquqfhh.tmp" file.
21/10/2009 8:05:45 AM 1256072745 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxgkvvfsxehc.tmp" file.
21/10/2009 8:05:46 AM 1256072746 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxgpmkwjbnkm.tmp" file.
21/10/2009 8:05:55 AM 1256072755 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxgsmxcvatcm.tmp" file.
21/10/2009 8:06:40 AM 1256072800 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxgsyfvbextk.tmp" file.
21/10/2009 8:06:43 AM 1256072803 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxguxyxovpte.tmp" file.
21/10/2009 8:06:45 AM 1256072805 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxhbsyearrfe.tmp" file.
21/10/2009 8:06:46 AM 1256072806 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxhnynbrhdsd.tmp" file.
21/10/2009 8:06:48 AM 1256072808 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxhptrpbxwta.tmp" file.
21/10/2009 8:06:49 AM 1256072809 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxhuuemrnqop.tmp" file.
21/10/2009 8:06:50 AM 1256072810 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxhxnwrulern.tmp" file.
21/10/2009 8:06:52 AM 1256072812 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxhylmsbnrji.tmp" file.
21/10/2009 8:06:53 AM 1256072813 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxicvdbqbidv.tmp" file.
21/10/2009 8:06:55 AM 1256072815 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxidnjbmntxv.tmp" file.
21/10/2009 8:06:56 AM 1256072816 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxieexyymbfn.tmp" file.
21/10/2009 8:06:57 AM 1256072817 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxihppeitkvp.tmp" file.
21/10/2009 8:06:58 AM 1256072818 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxiihsxbpkmf.tmp" file.
21/10/2009 8:07:00 AM 1256072820 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxilgxopange.tmp" file.
21/10/2009 8:07:02 AM 1256072822 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxivqbciqmmm.tmp" file.
21/10/2009 8:07:03 AM 1256072823 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxixgadoempd.tmp" file.
21/10/2009 8:07:04 AM 1256072824 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxjfvbvahoyp.tmp" file.
21/10/2009 8:07:05 AM 1256072825 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxjhmhmquhbk.tmp" file.
21/10/2009 8:07:06 AM 1256072826 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxjktkrqxajk.tmp" file.
21/10/2009 8:07:08 AM 1256072828 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxjpqyqjiogt.tmp" file.
21/10/2009 8:07:09 AM 1256072829 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxjursssyyrx.tmp" file.
21/10/2009 8:07:10 AM 1256072830 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxjvqlhgcdnb.tmp" file.
21/10/2009 8:07:11 AM 1256072831 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxjxrxeqpjlh.tmp" file.
21/10/2009 8:07:12 AM 1256072832 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxkcrbucrmjf.tmp" file.
21/10/2009 8:07:13 AM 1256072833 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxkmbpoksuwq.tmp" file.
21/10/2009 8:07:14 AM 1256072834 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxkpdcddwbwc.tmp" file.
21/10/2009 8:07:15 AM 1256072835 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxksdmjjeysg.tmp" file.
21/10/2009 8:07:16 AM 1256072836 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxlpktbirbuu.tmp" file.
21/10/2009 8:07:17 AM 1256072837 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxlqgentrdnn.tmp" file.
21/10/2009 8:07:18 AM 1256072838 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxlwqoncxgjk.tmp" file.
21/10/2009 8:07:20 AM 1256072840 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxmgylnqrhnb.tmp" file.
21/10/2009 8:07:21 AM 1256072841 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxmmytbylutw.tmp" file.
21/10/2009 8:07:22 AM 1256072842 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxmotiuijxjn.tmp" file.
21/10/2009 8:07:23 AM 1256072843 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxnevgtcnrfh.tmp" file.
21/10/2009 8:07:27 AM 1256072847 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxnibedsagbx.tmp" file.
21/10/2009 8:07:28 AM 1256072848 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxnmfhwnlxiv.tmp" file.
21/10/2009 8:07:30 AM 1256072850 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxnnsintffdb.tmp" file.
21/10/2009 8:07:43 AM 1256072863 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxnnsopmjmye.tmp" file.
21/10/2009 8:07:46 AM 1256072866 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxnpdriyuete.tmp" file.
21/10/2009 8:07:50 AM 1256072870 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxnqiksgwcxq.tmp" file.
21/10/2009 8:08:28 AM 1256072908 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxojtwatpedo.tmp" file.
21/10/2009 8:08:33 AM 1256072913 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxoridrbvidy.tmp" file.
21/10/2009 8:08:34 AM 1256072914 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxowqfahqqnu.tmp" file.
21/10/2009 8:08:36 AM 1256072916 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxpcaoscjjbd.tmp" file.
21/10/2009 8:08:37 AM 1256072917 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxpcylhbhtjd.tmp" file.
21/10/2009 8:08:38 AM 1256072918 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxpeduufuyuw.tmp" file.
21/10/2009 8:08:39 AM 1256072919 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxpfvnsiwuxt.tmp" file.
21/10/2009 8:08:41 AM 1256072921 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxpiecftlfru.tmp" file.
21/10/2009 8:08:42 AM 1256072922 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxpjgpntpidr.tmp" file.
21/10/2009 8:08:43 AM 1256072923 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxpjinlqbdie.tmp" file.
21/10/2009 8:08:45 AM 1256072925 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxpoaprximqr.tmp" file.
21/10/2009 8:08:46 AM 1256072926 Deanne 1912 Sign of "Win32:Alureon-DI [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxpoppbvubfv.tmp" file.
21/10/2009 8:08:47 AM 1256072927 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxpxcmxxhral.tmp" file.
21/10/2009 8:08:49 AM 1256072929 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxqgbtstaehn.tmp" file.
21/10/2009 8:08:54 AM 1256072934 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxqibsriymxt.tmp" file.
21/10/2009 8:08:55 AM 1256072935 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxqoicmaibci.tmp" file.
21/10/2009 8:08:56 AM 1256072936 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxqsvgdikodh.tmp" file.
21/10/2009 8:08:58 AM 1256072938 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxqxdnntlqmb.tmp" file.
21/10/2009 8:08:59 AM 1256072939 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxrbeayrvixt.tmp" file.
21/10/2009 8:09:01 AM 1256072941 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxrmyicrjpug.tmp" file.
21/10/2009 8:09:06 AM 1256072946 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxsfsppahiqk.tmp" file.
21/10/2009 8:09:08 AM 1256072948 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxskusqnhqwq.tmp" file.
21/10/2009 8:09:10 AM 1256072950 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxspbbyackuv.tmp" file.
21/10/2009 8:09:11 AM 1256072951 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxsuoixggywp.tmp" file.
21/10/2009 8:09:12 AM 1256072952 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxsuvbftkmcr.tmp" file.
21/10/2009 8:09:14 AM 1256072954 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxtabvsbfpor.tmp" file.
21/10/2009 8:09:15 AM 1256072955 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxtbqpxuqiyc.tmp" file.
21/10/2009 8:09:16 AM 1256072956 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxtejkbkryvb.tmp" file.
21/10/2009 8:09:17 AM 1256072957 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxtlvynxgfud.tmp" file.
21/10/2009 8:09:18 AM 1256072958 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxtqrefordga.tmp" file.
21/10/2009 8:09:19 AM 1256072959 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxtrqphtnrrm.tmp" file.
21/10/2009 8:09:20 AM 1256072960 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxtspylmyphk.tmp" file.
21/10/2009 8:09:21 AM 1256072961 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxtuxisvfwto.tmp" file.
21/10/2009 8:09:22 AM 1256072962 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxtwakshsvjy.tmp" file.
21/10/2009 8:09:23 AM 1256072963 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxuaxourrnbs.tmp" file.
21/10/2009 8:09:24 AM 1256072964 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxudijhsnoxm.tmp" file.
21/10/2009 8:09:25 AM 1256072965 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxudjsgdbbar.tmp" file.
21/10/2009 8:09:27 AM 1256072967 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxukimstvsiw.tmp" file.
21/10/2009 8:09:28 AM 1256072968 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxulpriinnti.tmp" file.
21/10/2009 8:09:29 AM 1256072969 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxuobjghmivv.tmp" file.
21/10/2009 8:09:30 AM 1256072970 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxuouobetslh.tmp" file.
21/10/2009 8:09:31 AM 1256072971 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxvidvofekxr.tmp" file.
21/10/2009 8:09:33 AM 1256072973 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxvmpetutqob.tmp" file.
21/10/2009 8:09:34 AM 1256072974 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxvsoupmbiqu.tmp" file.
21/10/2009 8:09:35 AM 1256072975 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxvtmhvkayrf.tmp" file.
21/10/2009 8:09:37 AM 1256072977 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxvttprimtye.tmp" file.
21/10/2009 8:09:38 AM 1256072978 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxvxbjdfrlbb.tmp" file.
21/10/2009 8:09:40 AM 1256072980 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxvxqfperbta.tmp" file.
21/10/2009 8:09:42 AM 1256072982 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxvxroxtfqqh.tmp" file.
21/10/2009 8:09:43 AM 1256072983 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxweenxnlqap.tmp" file.
21/10/2009 8:09:51 AM 1256072991 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxwqsqwktrbt.tmp" file.
21/10/2009 8:09:52 AM 1256072992 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxxcyfkpeldf.tmp" file.
21/10/2009 8:09:53 AM 1256072993 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxxhtwhylmra.tmp" file.
21/10/2009 8:09:54 AM 1256072994 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxxkaxdmmiem.tmp" file.
21/10/2009 8:09:55 AM 1256072995 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxxobcvkqrqu.tmp" file.
21/10/2009 8:09:56 AM 1256072996 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxxoxkhprkoi.tmp" file.
21/10/2009 8:09:57 AM 1256072997 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxxpjxjvrbvw.tmp" file.
21/10/2009 8:09:58 AM 1256072998 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxxtbibwpnnk.tmp" file.
21/10/2009 8:09:59 AM 1256072999 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxxvihkbscpm.tmp" file.
21/10/2009 8:09:59 AM 1256072999 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxxxrqnqfdwc.tmp" file.
21/10/2009 8:10:01 AM 1256073001 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxyextivnmws.tmp" file.
21/10/2009 8:10:02 AM 1256073002 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxyiyxasfbnn.tmp" file.
21/10/2009 8:10:03 AM 1256073003 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxynehsienyd.tmp" file.
21/10/2009 8:10:04 AM 1256073004 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxypexwkcteo.tmp" file.
21/10/2009 8:10:05 AM 1256073005 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxyrrssfcqxc.tmp" file.
21/10/2009 8:10:06 AM 1256073006 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxyvixowijmi.tmp" file.
22/10/2009 2:53:53 AM 1256140433 Deanne 1776 Sign of "Win32:Malware-gen" has been found in "C:\System Volume Information\_restore{91796B9E-0CFD-4893-92E8-9F5A1AE59C76}\RP10\A0003111.exe" file.
22/10/2009 10:16:49 AM 1256167009 Deanne 1776 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\System Volume Information\_restore{91796B9E-0CFD-4893-92E8-9F5A1AE59C76}\RP8\A0003057.dll" file.
22/10/2009 10:32:31 AM 1256167951 Deanne 1776 Sign of "Win32:Alureon-CW [Rtk]" has been found in "C:\System Volume Information\_restore{91796B9E-0CFD-4893-92E8-9F5A1AE59C76}\RP8\A0003058.dll" file.
22/10/2009 10:32:37 AM 1256167957 Deanne 1776 Sign of "Win32:Alureon-DI [Rtk]" has been found in "C:\System Volume Information\_restore{91796B9E-0CFD-4893-92E8-9F5A1AE59C76}\RP8\A0003059.dll" file.
22/10/2009 10:32:39 AM 1256167959 Deanne 1776 Sign of "Win32:Alureon-DI [Rtk]" has been found in "C:\System Volume Information\_restore{91796B9E-0CFD-4893-92E8-9F5A1AE59C76}\RP8\A0003060.dll" file.
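A summary pass over the Avast detection list above, as an added example that is not part of the thread or of Avast. The point it makes is the one that matters for the clean-versus-reinstall decision: how many of the hits are the same file reported twice, how many are copies sitting in System Restore points or caches, and how many are live components in system32. The sample lines are copied from the list above; the location categories and the "kind" grouping (the [Rtk]/[Trj] tag in the signature name) are my own.

```python
import re
from collections import Counter, defaultdict

# Avast log lines copied from the list posted above (not constructed).
SAMPLE_AVAST_LOG = r"""
20/10/2009 10:53:16 PM 1256039596 SYSTEM 1484 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\SYSTEM32\ROTSCXFDFNXKIQ.DLL" file.
20/10/2009 11:03:08 PM 1256040188 SYSTEM 1484 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\SYSTEM32\ROTSCXFDFNXKIQ.DLL" file.
21/10/2009 2:04:17 AM 1256051057 Deanne 1912 Sign of "Other:Malware-gen" has been found in "C:\Documents and Settings\Musashi\Local Settings\Temporary Internet Files\Content.IE5\ODYBOX2B\CAER0H0H.swf" file.
21/10/2009 2:53:13 AM 1256053993 Deanne 1912 Sign of "Win32:Alureon-DJ [Trj]" has been found in "C:\System Volume Information\_restore{91796B9E-0CFD-4893-92E8-9F5A1AE59C76}\RP8\A0003007.sys" file.
21/10/2009 8:00:13 AM 1256072413 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\system32\rotscxbuouwcfm.dll" file.
21/10/2009 8:03:17 AM 1256072597 Deanne 1912 Sign of "Win32:Zbot-MCT [Trj]" has been found in "C:\WINDOWS\Temp\1C.tmp" file.
21/10/2009 8:04:17 AM 1256072657 Deanne 1912 Sign of "Win32:Zbot-MCT [Trj]" has been found in "C:\WINDOWS\Temp\calxxjuxiy.exe" file.
21/10/2009 8:05:01 AM 1256072701 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxamrdrrfpov.tmp" file.
21/10/2009 8:05:04 AM 1256072704 Deanne 1912 Sign of "Win32:Alureon-DA [Rtk]" has been found in "C:\WINDOWS\Temp\rotscxbaithqobau.tmp" file.
22/10/2009 2:53:53 AM 1256140433 Deanne 1776 Sign of "Win32:Malware-gen" has been found in "C:\System Volume Information\_restore{91796B9E-0CFD-4893-92E8-9F5A1AE59C76}\RP10\A0003111.exe" file.
"""

# One Avast 4 log line: date, time, epoch seconds, user, pid, signature, path.
LINE_RE = re.compile(
    r'^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) (?P<epoch>\d+) '
    r'(?P<user>\S+) (?P<pid>\d+) Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.$'
)


def parse_avast_log(text):
    """Parse the log into dicts; lines that do not match the format are skipped."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            records.append(m.groupdict())
    return records


def classify_location(path):
    """Bucket a detection path by what its location implies for cleanup (my categories)."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "system-restore copy"   # restore-point snapshot, purged by disabling System Restore
    if "\\temporary internet files\\" in p:
        return "browser cache"         # dropped by the browser, not a live component
    if "\\windows\\temp\\" in p:
        return "windows temp"          # staging files written by the infection
    if "\\windows\\system32\\" in p:
        return "system32"              # live component loaded by the OS
    return "other"


def kind_of(signature):
    """Return the bracketed tag Avast appends ([Rtk], [Trj]); 'generic' when absent."""
    m = re.search(r"\[(\w+)\]\s*$", signature)
    return m.group(1) if m else "generic"


def summarize(records):
    """Aggregate detections by signature, by unique file, by location and by kind."""
    unique = defaultdict(set)
    for r in records:
        unique[r["sig"]].add(r["path"].lower())   # same file reported twice counts once
    return {
        "detections": len(records),
        "by_signature": dict(Counter(r["sig"] for r in records)),
        "unique_files": {sig: len(paths) for sig, paths in unique.items()},
        "by_location": dict(Counter(classify_location(r["path"]) for r in records)),
        "kinds": dict(Counter(kind_of(r["sig"]) for r in records)),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_avast_log(SAMPLE_AVAST_LOG)).items():
        print(f"{key}: {value}")
```

On the full list above the same code would show one picture: almost every line is a freshly written rotscx*.tmp in Windows\Temp, a handful are restore-point copies, and the ones in system32 are the rootkit components the helper is reacting to. The restore-point and cache entries go away by clearing System Restore and the browser cache; the system32 ones are why a reinstall is the safer answer.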
voigtstr
2009-10-22, 05:41
After further reading, I'll do a back up and re-install.
Cheers
Voigtstr
That is a wise decision.
In addition to that, forum volunteers help with personal computers only, as the rules (http://forums.spybot.info/showpost.php?p=25712&postcount=5) state.
For company etc. computers, this will work:
As Malware removal forum volunteers are unable to assist users with infected Corporate, Government, Small Business or Institutional machines, please contact our office support so they may provide direct assistance for your needs. Thank you.
Spybot S&D Corporate-Small Business Editions (http://www.safer-networking.ie/en/index.html)
For more information, please send an email to licenses(at)spybot.info
Regards.
voigtstr
2009-10-22, 15:02
> That is a wise decision.
> In addition to that, forum volunteers help with personal computers only as rules (http://forums.spybot.info/showpost.php?p=25712&postcount=5) state.
> With company etc. computers this will work:
The PC is a home/personal PC, belonging to a work colleague of my wife.
It's also old, only about a 125 MHz Pentium.
Anyway, backup is a slow process on USB 1. As I said, I'll back up the data to a USB drive, check it for root directory nasties using OS X, then scan it for viruses/trojans using a virtual XP image, do a clean install and patch it up to Service Pack 3. Then move the user data back onto the drives.
Thanks for the advice.
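The root-folder check described in the two posts above (look at the backup drive from the Mac for autorun files and hidden executables before the data goes back onto a clean install), written out as an added example that is not part of the thread. It assumes the FAT32 drive is mounted as an ordinary directory; the list of Apple metadata names it ignores, the executable extensions, and the autorun.inf keys it reads are my assumptions. It inspects only, it deletes nothing.

```python
import os
import shutil
import tempfile

# Assumed lists (mine, not from the thread).
EXEC_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
MAC_METADATA = {".ds_store", ".spotlight-v100", ".trashes", ".fseventsd", ".temporaryitems"}
AUTORUN_KEYS = {"open", "shellexecute", "shell\\open\\command"}  # keys that name a program to run


def autorun_targets(inf_path):
    """Return the commands an autorun.inf names, read-only; nothing is executed."""
    targets = []
    with open(inf_path, encoding="latin-1", errors="replace") as fh:
        for line in fh:
            line = line.strip()
            if "=" not in line or line.startswith((";", "#")):
                continue
            key, value = (s.strip() for s in line.split("=", 1))
            if key.lower() in AUTORUN_KEYS:
                targets.append(value)
    return targets


def audit_volume_root(root):
    """List what in the top level of a backup volume deserves a look before restoring.

    Returns (category, name, detail) tuples. Only the root is examined, matching the
    check described in the thread. Note that dot-names are the Unix-side notion of
    hidden; the FAT hidden attribute is a separate flag that a directory listing
    does not read, so a file hidden only that way will show up here by name.
    """
    findings = []
    for name in sorted(os.listdir(root)):
        full = os.path.join(root, name)
        low = name.lower()
        if low == "autorun.inf":
            targets = autorun_targets(full)
            if targets:
                for cmd in targets:
                    findings.append(("autorun", name, f"would launch: {cmd}"))
            else:
                findings.append(("autorun", name, "autorun.inf present with no launch keys"))
            continue
        if low.startswith("._") or low in MAC_METADATA:
            continue  # AppleDouble / Finder metadata written by OS X onto FAT32; expected noise
        if low.startswith("."):
            findings.append(("hidden", name, "dot-file in volume root"))
        if os.path.isfile(full) and os.path.splitext(low)[1] in EXEC_EXTENSIONS:
            findings.append(("executable", name, "executable in volume root"))
    return findings


def build_demo_volume():
    """Constructed throwaway directory resembling a backup drive root (sample data, not real)."""
    root = tempfile.mkdtemp(prefix="backup_root_")
    os.makedirs(os.path.join(root, "Documents"))
    for benign in (".DS_Store", "._photo.jpg", "photo.jpg", "setup.exe"):
        open(os.path.join(root, benign), "w").close()
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nopen=setup.exe\nicon=setup.exe,0\n")  # constructed content
    return root


def remove_demo_volume(root):
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    demo = build_demo_volume()
    try:
        for category, name, detail in audit_volume_root(demo):
            print(f"{category:10} {name:15} {detail}")
    finally:
        remove_demo_volume(demo)
```

Point it at the real drive with `audit_volume_root("/Volumes/BACKUP")` (path assumed). The autorun entry is reported together with the program it names, which is the quickest way to see whether a stray executable in the root is tied to it, and the Apple metadata files are skipped so the listing is not dominated by `._` noise.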