
Author Topic: Alureon.H rootkit virus TermDD  (Read 39863 times)


ishan

    Topic Starter


    Rookie
    Alureon.H rootkit virus TermDD
    « on: May 25, 2010, 06:09:13 AM »
    Hello All,

    I've got this new Alureon.H rootkit virus, which infected atapi earlier and is now infecting TermDD even after I repaired my Windows XP installation. I ran SystemLook.exe and here is the output:

    I ran Malwarebytes', but it does not find any virus, while my Microsoft Forefront Security does.

    Please help

    ishan

      Re: Alureon.H rootkit virus TermDD
      « Reply #1 on: May 25, 2010, 06:11:20 AM »
      I ran SystemLook.exe and DDS. Here is the output:

      SystemLook:

      SystemLook v1.0 by jpshortstuff (11.01.10)
      Log created at 04:49 on 25/05/2010 by iraval (Administrator - Elevation successful)

      ========== filefind ==========

      Searching for "*termdd.sys"
      C:\WINDOWS\system32\drivers\termdd.sys   --a--- 40840 bytes   [20:46 27/08/2007]   [12:43 14/04/2008] 1AD549DB9D8F305DBFBC9387017405FE

      -=End Of File=-

      Allan


      ishan

        Re: Alureon.H rootkit virus TermDD
        « Reply #3 on: May 25, 2010, 06:29:35 AM »
        Thanks for quick reply!

        At present, SUPERAntiSpyware is scanning my machine. I will keep posted.

        ishan

          Re: Alureon.H rootkit virus TermDD
          « Reply #4 on: May 25, 2010, 06:35:51 AM »
          DDS (Ver_09-09-29.01) - NTFSx86 
          Run by iraval at  4:51:16.93 on Tue 05/25/2010
          Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_07
          Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1094 [GMT -7:00]

          AV: Microsoft Forefront Client Security *On-access scanning enabled* (Updated)   {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}

          ============== Running Processes ===============

          svchost.exe
          C:\WINDOWS\System32\svchost.exe -k netsvcs
          C:\WINDOWS\system32\svchost -k DcomLaunch
          c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe
          C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
          svchost.exe
          svchost.exe
          C:\WINDOWS\system32\spoolsv.exe
          C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
          C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
          C:\Program Files\avs\bin\avagent.exe
          C:\Program Files\Bonjour\mDNSResponder.exe
          svchost.exe
          C:\Program Files\Quest Software\Toad for Data Analysts 2.1\DB2 Client\BIN\db2mgmtsvc.exe
          C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
          C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
          C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe
          C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
          C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
          C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
          C:\WINDOWS\System32\svchost.exe -k HPZ12
          C:\Program Files\AT&T Global Network Client\netcfgsvr.exe
          C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
          C:\WINDOWS\system32\nvsvc32.exe
          C:\WINDOWS\System32\svchost.exe -k HPZ12
          C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
          c:\WINDOWS\system32\rserver30\RServer3.exe
          C:\WINDOWS\system32\StacSV.exe
          C:\WINDOWS\system32\svchost.exe -k imgsvc
          C:\WINDOWS\system32\dllhost.exe
          C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
          C:\WINDOWS\system32\SearchIndexer.exe
          C:\Program Files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe
          C:\WINDOWS\system32\dllhost.exe
          C:\WINDOWS\system32\CCM\CcmExec.exe
          C:\WINDOWS\Explorer.EXE
          C:\WINDOWS\system32\rundll32.exe
          C:\WINDOWS\system32\RUNDLL32.EXE
          C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
          C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
          C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
          C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
          C:\Program Files\Apoint\Apoint.exe
          C:\WINDOWS\system32\KADxMain.exe
          C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
          C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
          C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
          C:\Program Files\Apoint\ApMsgFwd.exe
          C:\WINDOWS\system32\rundll32.exe
          C:\Program Files\Apoint\HidFind.exe
          C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
          C:\Program Files\Logitech\QuickCam\Quickcam.exe
          C:\Program Files\Apoint\Apntex.exe
          C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe
          C:\Program Files\iTunes\iTunesHelper.exe
          C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
          C:\WINDOWS\stsystra.exe
          C:\WINDOWS\system32\ctfmon.exe
          C:\Program Files\Session ShortCuts\ssc.exe
          C:\Program Files\PicPick\picpick.exe
          C:\Documents and Settings\iraval\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
          C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
          C:\Program Files\avs\bin\avscc.exe
          C:\Program Files\Windows Desktop Search\WindowsSearch.exe
          C:\Program Files\BSEMktWatch\BSE Mkt Watch.exe
          C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
          C:\WINDOWS\system32\NOTEPAD.EXE
          C:\Program Files\VirtuaWin\VirtuaWin.exe
          C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
          C:\Program Files\BSEMktWatch\Gadgetworker.exe
          C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
          C:\Program Files\VirtuaWin\modules\WinList.exe
          C:\PROGRA~1\Webshots\315~1.761\Webshots.scr
          C:\Program Files\iPod\bin\iPodService.exe
          C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
          C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
          C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
          C:\Program Files\Mozilla Firefox\firefox.exe
          C:\Documents and Settings\iraval\Desktop\SystemLook.exe
          C:\WINDOWS\system32\SearchProtocolHost.exe
          C:\Documents and Settings\iraval\Desktop\dds.com

          ishan

            Re: Alureon.H rootkit virus TermDD
            « Reply #5 on: May 25, 2010, 06:37:35 AM »
            ================= FIREFOX ===================

            FF - ProfilePath - c:\docume~1\iraval\applic~1\mozilla\firefox\profiles\ggy72g16.default\
            FF - plugin: c:\documents and settings\iraval\application data\mozilla\plugins\npgoogletalk.dll
            FF - plugin: c:\documents and settings\iraval\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
            FF - plugin: c:\documents and settings\iraval\local settings\application data\yahoo!\browserplus\2.4.21\plugins\npybrowserplus_2.4.21.dll
            FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
            FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
            FF - plugin: c:\program files\google\google updater\2.4.1851.5542\npCIDetect14.dll
            FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
            FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
            FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
            FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
            FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
            FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
            FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

            ---- FIREFOX POLICIES ----
            FF - user.js: network.protocol-handler.warn-external.dnupdate - false
            c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
            c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
            c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
            c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
            c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

            ============= SERVICES / DRIVERS ===============

            R1 MpKsl4e9afcf2;MpKsl4e9afcf2;c:\documents and settings\all users\application data\microsoft\microsoft forefront\client security\client\antimalware\definition updates\{b01e06e4-0f57-4bfc-91c4-566b7b0083cb}\MpKsl4e9afcf2.sys [2010-5-25 28752]
            R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [2007-6-29 40640]
            R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2010-5-18 93872]
            R2 agnwifi;AT&T Wi-Fi Support Driver;c:\windows\system32\drivers\agnwifi.sys [2007-8-28 19328]
            R2 avbackup;Backup Agent;c:\program files\avs\bin\avagent.exe [2009-6-23 4576536]
            R2 DB2MGMTSVC_TACOM21;DB2 Management Service (TACOM21);c:\program files\quest software\toad for data analysts 2.1\db2 client\bin\db2mgmtsvc.exe [2007-7-23 35616]
            R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\microsoft forefront\client security\client\antimalware\MsMpEng.exe [2010-1-19 16880]
            R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\microsoft forefront\client security\client\ssa\FcsSas.exe [2007-4-6 73120]
            R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2009-9-29 13088]
            R2 MOM;MOM;c:\program files\microsoft forefront\client security\client\microsoft operations manager 2005\MOMService.exe [2005-7-21 134656]
            R2 RServer3;Radmin Server V3;c:\windows\system32\rserver30\rserver3.exe [2007-7-10 1242432]
            R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [2008-4-14 5120]
            R3 agnfilt;AGN Filter Interface;c:\windows\system32\drivers\agnfilt.sys [2007-8-28 218368]
            R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-3-20 38224]
            R3 mirrorv3;mirrorv3;c:\windows\system32\drivers\rminiv3.sys [2006-11-1 3328]
            S0 cgtfa;cgtfa;c:\windows\system32\drivers\rciwwjn.sys --> c:\windows\system32\drivers\rciwwjn.sys [?]
            S1 MpKsl6bf6c1a0;MpKsl6bf6c1a0;\??\c:\documents and settings\all users\application data\microsoft\microsoft forefront\client security\client\antimalware\definition updates\{b01e06e4-0f57-4bfc-91c4-566b7b0083cb}\mpksl6bf6c1a0.sys --> c:\documents and settings\all users\application data\microsoft\microsoft forefront\client security\client\antimalware\definition updates\{b01e06e4-0f57-4bfc-91c4-566b7b0083cb}\MpKsl6bf6c1a0.sys [?]
            S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-20 136176]
            S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-12-5 30104]
            S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-12-5 30104]
            S3 DB2NTSECSERVER_TACOM21;DB2 Security Server (TACOM21);c:\program files\quest software\toad for data analysts 2.1\db2 client\bin\db2sec.exe [2007-7-23 14112]
            S3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-2 97536]
            S3 OracleClientCache80;OracleClientCache80;c:\oracle\product\6.0\bin\ONRSD80.EXE [2010-1-28 101136]
            S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]

            =============== Created Last 30 ================

            2010-05-25 04:25   <DIR>   --d-----   c:\windows\ms
            2010-05-25 04:15   28,288   ac------   c:\windows\system32\dllcache\xjis.nls
            2010-05-25 04:13   92,416   ac------   c:\windows\system32\dllcache\mga.sys
            2010-05-25 04:12   187,938   ac------   c:\windows\system32\dllcache\c_20005.nls
            2010-05-25 04:10   488   a---hr--   c:\windows\system32\logonui.exe.manifest
            2010-05-25 04:10   749   a---hr--   c:\windows\WindowsShell.Manifest
            2010-05-25 04:10   749   a---hr--   c:\windows\system32\wuaucpl.cpl.manifest
            2010-05-25 04:10   749   a---hr--   c:\windows\system32\sapi.cpl.manifest
            2010-05-25 04:10   749   a---hr--   c:\windows\system32\nwc.cpl.manifest
            2010-05-25 04:10   749   a---hr--   c:\windows\system32\ncpa.cpl.manifest
            2010-05-25 04:10   16,384   ac------   c:\windows\system32\dllcache\isignup.exe
            2010-05-25 01:12   13,312   ac------   c:\windows\system32\dllcache\irclass.dll
            2010-05-25 01:12   13,312   a-------   c:\windows\system32\irclass.dll
            2010-05-25 01:12   24,661   ac------   c:\windows\system32\dllcache\spxcoins.dll
            2010-05-25 01:12   24,661   a-------   c:\windows\system32\spxcoins.dll
            2010-05-24 23:05   <DIR>   --d-----   c:\program files\ESET
            2010-05-24 22:40   0   a-------   c:\windows\system32\SBRC.dat
            2010-05-18 08:02   27,944   a-------   c:\windows\system32\sbbd.exe
            2010-05-18 08:02   93,872   a-------   c:\windows\system32\drivers\SBREDrv.sys
            2010-05-18 08:02   <DIR>   --d-----   C:\VIPRERESCUE
            2010-05-16 00:35   1,837   a-------   C:\expstat.sql
            2010-05-05 21:12   <DIR>   --d-----   c:\program files\iPod
            2010-05-05 21:11   <DIR>   --d-----   c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
            2010-05-05 21:11   <DIR>   --d-----   c:\program files\iTunes
            2010-05-05 20:56   <DIR>   --d-----   c:\program files\Bonjour
            2010-05-02 10:52   16,535   a----r--   c:\windows\SET90.tmp
            2010-05-02 10:52   1,088,840   a----r--   c:\windows\SET84.tmp
            2010-05-02 10:52   1,296,669   a----r--   c:\windows\SET81.tmp
            2010-05-02 08:38   16,535   a----r--   c:\windows\SET8F.tmp
            2010-05-02 08:38   1,088,840   a----r--   c:\windows\SET83.tmp
            2010-05-02 08:38   1,296,669   a----r--   c:\windows\SET80.tmp
            2010-05-02 07:41   16,535   a----r--   c:\windows\SETE5.tmp
            2010-05-02 07:41   1,088,840   a----r--   c:\windows\SETD9.tmp
            2010-05-02 07:41   1,296,669   a----r--   c:\windows\SETD6.tmp
            2010-05-02 03:40   2,145,386,496   a-------   c:\windows\MEMORY.DMP
            2010-05-02 02:05   <DIR>   --d-----   C:\WINXP
            2010-05-01 22:42   <DIR>   --d-----   c:\program files\SiteAdvisor
            2010-05-01 17:58   <DIR>   --d-----   c:\windows\system32\wbem\Repository
            2010-04-28 14:10   73,728   a-------   c:\windows\system32\javacpl.cpl

            ==================== Find3M  ====================

            2010-05-25 04:09   24,908   a-------   c:\windows\system32\emptyregdb.dat
            2010-05-25 01:20   95,194   a-------   c:\windows\system32\nvModes.dat
            2010-05-06 10:36   221,568   --------   c:\windows\system32\MpSigStub.exe
            2010-04-29 15:39   38,224   a-------   c:\windows\system32\drivers\mbamswissarmy.sys
            2010-04-29 15:39   20,952   a-------   c:\windows\system32\drivers\mbam.sys
            2010-04-16 08:33   3,003,680   a-------   c:\windows\system32\usbaaplrc.dll
            2010-04-16 08:33   41,472   a-------   c:\windows\system32\drivers\usbaapl.sys
            2010-04-08 13:20   107,808   a-------   c:\windows\system32\dns-sd.exe
            2010-04-08 13:20   91,424   a-------   c:\windows\system32\dnssd.dll

            ============= FINISH:  4:53:34.82 ===============

            ishan

              Re: Alureon.H rootkit virus TermDD
              « Reply #6 on: May 25, 2010, 06:40:54 AM »

              UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
              IF REQUESTED, ZIP IT UP & ATTACH IT

              DDS (Ver_09-09-29.01)

              Microsoft Windows XP Professional
              Boot Device: \Device\HarddiskVolume1
              Install Date: 5/25/2010 4:15:16 AM
              System Uptime: 5/25/2010 4:17:32 AM (0 hours ago)

              Motherboard: Dell Inc. |  |       
              Processor: Intel(R) Core(TM)2 Duo CPU     T7250  @ 2.00GHz | Microprocessor | 1995/200mhz

              ==== Disk Partitions =========================

              C: is FIXED (NTFS) - 75 GiB total, 12.484 GiB free.
              D: is CDROM ()

              ==== Disabled Device Manager Items =============

              ==== System Restore Points ===================

              RP1: 5/25/2010 4:32:12 AM - System Checkpoint
              RP2: 5/25/2010 4:43:20 AM - Microsoft Forefront Client Security Checkpoint

              ==== Installed Programs ======================

              32 Bit HP CIO Components Installer
              7-Zip 9.07 beta
              AAC Decoder
              Adobe Flash Player 10 ActiveX
              Adobe Flash Player 10 Plugin
              Adobe Reader 9.1
              AIM 7
              AIO_Scan
              Apple Application Support
              Apple Mobile Device Support
              Apple Software Update
              AT&T Global Network Client Internet Edition
              AutoUpdate
              Backup for Windows
              biolsp patch
              Bluetooth Stack for Windows by Toshiba
              Bonjour
              Broadcom Gigabit Integrated Controller
              Broadcom TPM Driver Installer
              BSE Mkt Watch 1.0.0.9
              CCleaner
              ClearType Tuning Control Panel Applet
              CmdHere Powertoy For Windows XP
              Codesite client tools
              Compatibility Pack for the 2007 Office system
              Conexant HDA D330 MDC V.92 Modem
              Dell Embassy Trust Suite by Wave Systems
              Dell Touchpad
              DivX Codec
              DivX Converter
              DivX Player
              DivX Plus DirectShow Filters
              DivX Plus Web Player
              DivX Version Checker
              Document Manager Lite
              Download Updater (AOL LLC)
              EMBASSY Security Center
              EMBASSY Security Setup
              EMBASSY Trust Suite by Wave Systems
              ESC Home Page Plugin
              ESET Online Scanner v3
              ETS Upgrade
              Garmin USB Drivers
              Garmin WebUpdater
              Google Chrome
              Google Earth Plug-in
              Google Talk (remove only)
              Google Talk Plugin
              Google Update Helper
              Google Updater
              GoToMeeting 4.5.0.452
              GPL MPEG-1/2 DirectShow Decoder Filter
              H.264 Decoder
              Hotfix for Microsoft .NET Framework 3.0 (KB932471)
              Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
              Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
              ICE.TCP 4.3.1 for Windows 95
              Image Resizer Powertoy for Windows XP
              Intel(R) PROSet/Wireless Software
              IntelliSonic Speech Enhancement
              iSEEK AnswerWorks English Runtime
              iTunes
              Java(TM) 6 Update 6
              Java(TM) 6 Update 7
              Juniper Networks Host Checker
              Juniper Networks Network Connect 6.4.0
              Juniper Networks Network Connect 6.5.0
              Juniper Networks Setup Client
              Knowledge Xpert
              Knowledge Xpert for Oracle Administration
              Knowledge Xpert for PLSQL
              Knowledge Xpert Oracle Common
              Logitech QuickCam
              Magic ISO Maker v5.5 (build 0276)
              MagicDisc 2.7.106
              Malwarebytes' Anti-Malware
              mCore
              mDriver
              mDrWiFi
              mHlpDell
              Microsoft .NET Framework 1.1
              Microsoft .NET Framework 1.1 Security Update (KB953297)
              Microsoft .NET Framework 2.0 Service Pack 2
              Microsoft .NET Framework 3.0 Service Pack 2
              Microsoft .NET Framework 3.5 SP1
              Microsoft Forefront Client Security Antimalware Service
              Microsoft Forefront Client Security State Assessment Service
              Microsoft Office 2007 Service Pack 2 (SP2)
              Microsoft Office Access MUI (English) 2007
              Microsoft Office Access Setup Metadata MUI (English) 2007
              Microsoft Office Communicator 2007 R2
              Microsoft Office Enterprise 2007
              Microsoft Office Excel MUI (English) 2007
              Microsoft Office Groove MUI (English) 2007
              Microsoft Office Groove Setup Metadata MUI (English) 2007
              Microsoft Office InfoPath MUI (English) 2007
              Microsoft Office Live Meeting 2005
              Microsoft Office Live Meeting 2007
              Microsoft Office OneNote MUI (English) 2007
              Microsoft Office Outlook MUI (English) 2007
              Microsoft Office PowerPoint MUI (English) 2007
              Microsoft Office Proof (English) 2007
              Microsoft Office Proof (French) 2007
              Microsoft Office Proof (Spanish) 2007
              Microsoft Office Proofing (English) 2007
              Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
              Microsoft Office Publisher MUI (English) 2007
              Microsoft Office Shared MUI (English) 2007
              Microsoft Office Shared Setup Metadata MUI (English) 2007
              Microsoft Office Visio Viewer 2007
              Microsoft Office Web Components
              Microsoft Office Word MUI (English) 2007
              Microsoft Operations Manager 2005 Agent
              Microsoft Silverlight
              Microsoft Software Update for Web Folders  (English) 12
              Microsoft Virtual PC 2007 SP1
              Microsoft Visual C++ 2005 Redistributable
              Microsoft Visual SourceSafe 6.0
              mIWA
              MKV Splitter
              mLogView
              mMHouse
              Mouse Gestures for Internet Explorer (x86)
              Mozilla Firefox (3.5.9)
              mPfMgr
              mPfWiz
              mProSafe
              mSCfg
              mSSO
              MSXML 4.0 SP2 (KB936181)
              MSXML 4.0 SP2 (KB954430)
              MSXML 4.0 SP2 (KB973688)
              MSXML 6.0 Parser (KB933579)
              mWlsSafe
              mWMI
              mZConfig
              Notepad++
              NTRU TCG Software Stack
              NVIDIA Drivers
              O2Micro USB Smart Card Reader
              OGA Notifier 2.0.0048.0
              Oracle Data Provider for .NET Help
              OZ776 SCR Driver V1.1.3.9
              PDFCreator
              Picasa 3
              PicPick
              PowerDVD
              Preboot Manager
              Private Information Manager
              PuTTY Connection Manager 0.7.1.136beta
              PuTTY version 0.60
              Quest Installer
              Quest PuTTY 0.60_q1.129
              Quest Software Toad for Data Analysts 2.1
              Quest SQL Optimizer 7.4.1 for Oracle
              Quest SQL Optimizer for Oracle Common
              Quest SQL Tuning for Oracle
              QuickSet
              QuickTime
              Radmin Server 3.0
              RedMon - Redirection Port Monitor
              Secure Update
              Security Update for 2007 Microsoft Office System (KB969559)
              Security Update for 2007 Microsoft Office System (KB976321)
              Security Update for 2007 Microsoft Office System (KB978380)
              Security Update for CAPICOM (KB931906)
              Security Update for Microsoft Office Excel 2007 (KB978382)
              Security Update for Microsoft Office Outlook 2007 (KB972363)
              Security Update for Microsoft Office PowerPoint 2007 (KB957789)
              Security Update for Microsoft Office Publisher 2007 (KB980470)
              Security Update for Microsoft Office system 2007 (972581)
              Security Update for Microsoft Office system 2007 (KB969613)
              Security Update for Microsoft Office system 2007 (KB974234)
              Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
              Security Wizards
              Session ShortCuts 1.0.1
              SigmaTel Audio
              SMS Advanced Client
              Spelling Dictionaries Support For Adobe Reader 8
              SSRPM User Client Software
              Toad for Oracle
              Toolbox
              tsp patch
              TurboTax 2009
              TurboTax 2009 wcaiper
              TurboTax 2009 WinPerFedFormset
              TurboTax 2009 WinPerReleaseEngine
              TurboTax 2009 WinPerTaxSupport
              TurboTax 2009 wmiiper
              TurboTax 2009 wrapper
              Tweak UI
              Update for 2007 Microsoft Office System (KB967642)
              Update for 2007 Microsoft Office System (KB981715)
              Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
              Update for Microsoft Office 2007 Help for Common Features (KB963673)
              Update for Microsoft Office Access 2007 Help (KB963663)
              Update for Microsoft Office Excel 2007 Help (KB963678)
              Update for Microsoft Office InfoPath 2007 (KB976416)
              Update for Microsoft Office Infopath 2007 Help (KB963662)
              Update for Microsoft Office OneNote 2007 (KB980729)
              Update for Microsoft Office OneNote 2007 Help (KB963670)
              Update for Microsoft Office Outlook 2007 Help (KB963677)
              Update for Microsoft Office Powerpoint 2007 Help (KB963669)
              Update for Microsoft Office Publisher 2007 Help (KB963667)
              Update for Microsoft Office Script Editor Help (KB963671)
              Update for Microsoft Office Word 2007 (KB974561)
              Update for Microsoft Office Word 2007 Help (KB963665)
              Update for Outlook 2007 Junk Email Filter (kb981726)
              upekmsi
              VC80CRTRedist - 8.0.50727.4053
              ViewMail for Outlook 4.2(2)
              VirtuaWin v4.1
              VLC media player 1.0.5
              Vuze
              Wave Infrastructure Installer
              Wave Support Software
              WebEx
              WebFldrs XP
              Webshots Desktop
              Windows Driver Package - Dell Inc. PBADRV System  (09/25/2006 6.0.0.0)
              Windows Driver Package - Garmin (grmnusb) GARMIN Devices  (03/08/2007 2.2.1.0)
              Windows Driver Package - O2Micro (guardian2) SmartCardReader  (02/05/2007 1.1.3.7)
              Windows Genuine Advantage Notifications (KB905474)
              Windows Genuine Advantage Validation Tool (KB892130)
              Windows Management Framework Core
              Windows Media Format 11 runtime
              Windows Media Player 11
              Windows Presentation Foundation
              Windows Support Tools
              WinSCP 4.2.7
              XML Paper Specification Shared Components Pack 1.0
              Yahoo! BrowserPlus
              Yahoo! Messenger

              ==== Event Viewer Messages From Past Week ========

              5/25/2010 4:43:21 AM, error: FCSAM [1008]  - Microsoft Forefront Client Security has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Alureon.H&threatid=2147632576    Scan ID: {24C76FF8-61D7-4676-8CD4-A4B4CB494E96}      Scan Type: AntiMalware    User: CRICKET\iraval    Name: Virus:Win32/Alureon.H    ID: 2147632576    Severity: Severe    Category: Virus    Path: rootkit:Alureon->TermDD    Action: Clean    Error Code: 0x80508026    Error description: This program can't remove a potentially harmful item from the contents of an archived file. To remove the item, you need to delete the archive. For more information, search for removing spyware in Help and Support.
              5/25/2010 4:17:02 AM, error: Setup [60055]  - Windows Setup encountered non-fatal errors during installation. Please check the setuperr.log found in your Windows directory for more information.
              5/25/2010 4:11:25 AM, error: DCOM [10005]  - DCOM got error "%1058" attempting to start the service SENS with arguments "" in order to run the server: {D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}
              5/25/2010 1:19:46 AM, error: SideBySide [59]  - Resolve Partial Assembly failed for Microsoft.VC80.CRT. Reference error message: The referenced assembly is not installed on your system. .
              5/25/2010 1:19:46 AM, error: SideBySide [32]  - Dependent Assembly Microsoft.VC80.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
              5/25/2010 1:19:26 AM, error: SCardSvr [616]  - Reader monitor 'O2Micro CCID SC Reader 0' received uncaught error code:  The device does not recognize the command.
              5/25/2010 1:19:26 AM, error: SCardSvr [612]  - Reader insertion monitor error retry threshold reached:  The device does not recognize the command.
              5/25/2010 1:10:56 AM, error: Ftdisk [49]  - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
              5/25/2010 1:10:56 AM, error: Ftdisk [45]  - The system could not sucessfully load the crash dump driver.
              5/24/2010 9:19:22 AM, error: Dhcp [1002]  - The IP address lease 10.0.62.22 for the Network Card with network address 00FF98BC358A has been denied by the DHCP server 10.0.9.52 (The DHCP Server sent a DHCPNACK message).
              5/24/2010 10:36:40 PM, error: FCSAM [1008]  - Microsoft Forefront Client Security has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Alureon.H&threatid=2147632576    Scan ID: {A3ECBBA0-C52C-44DC-B153-3D339689E25A}      Scan Type: AntiMalware    User: CRICKET\iraval    Name: Virus:Win32/Alureon.H    ID: 2147632576    Severity: Severe    Category: Virus    Path: rootkit:Alureon->atapi    Action: Remove    Error Code: 0x80508026    Error description: This program can't remove a potentially harmful item from the contents of an archived file. To remove the item, you need to delete the archive. For more information, search for removing spyware in Help and Support.
              5/23/2010 5:56:56 PM, error: Dhcp [1002]  - The IP address lease 10.0.62.96 for the Network Card with network address 00FF90B2338A has been denied by the DHCP server 10.0.9.52 (The DHCP Server sent a DHCPNACK message).
              5/22/2010 7:59:30 AM, error: Service Control Manager [7011]  - Timeout (30000 milliseconds) waiting for a transaction response from the ShellHWDetection service.
              5/22/2010 7:59:09 AM, error: Service Control Manager [7011]  - Timeout (30000 milliseconds) waiting for a transaction response from the WZCSVC service.
              5/21/2010 8:02:04 PM, error: NETLOGON [5719]  - No Domain Controller is available for domain CRICKET due to the following:  There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
              5/21/2010 10:31:36 AM, error: Dhcp [1002]  - The IP address lease 10.0.60.88 for the Network Card with network address 00FF20EA348A has been denied by the DHCP server 10.0.9.52 (The DHCP Server sent a DHCPNACK message).
              5/20/2010 9:16:32 AM, error: Dhcp [1002]  - The IP address lease 10.0.62.198 for the Network Card with network address 00FFA827358A has been denied by the DHCP server 10.0.9.52 (The DHCP Server sent a DHCPNACK message).
              5/19/2010 9:46:25 AM, error: Dhcp [1002]  - The IP address lease 10.0.62.198 for the Network Card with network address 00FF30753B8A has been denied by the DHCP server 10.0.9.52 (The DHCP Server sent a DHCPNACK message).
              5/18/2010 9:51:57 AM, error: Dhcp [1002]  - The IP address lease 10.0.62.78 for the Network Card with network address 00FF985C478A has been denied by the DHCP server 10.0.9.52 (The DHCP Server sent a DHCPNACK message).

              ==== End Of File ===========================
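The DDS event-log excerpt above is the evidence that matters in this thread: the Forefront (FCSAM) event 1008 records that the scanner saw `Virus:Win32/Alureon.H` at `rootkit:Alureon->atapi`, tried to remove it, and failed with error 0x80508026. When triaging a DDS log it helps to pull those remediation failures out of the noise (DHCP NACKs, service timeouts) mechanically. The parser below is an added example written for this page; it is not part of DDS, Forefront or the original post. The sample lines are constructed to match the shape of the excerpt, with a placeholder user name and scan ID in place of the real ones, and the field names it recognises are the ones visible in the FCSAM message above.

```python
"""Parse DDS-style Windows event log lines and extract anti-malware
remediation failures.  Added example; not code from DDS, Forefront or the
forum post.  Sample input below is constructed to match the DDS format."""
import re

# One event per line: "<date> <time>, <level>: <source> [<event id>]  - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\]\s+- (?P<message>.*)$"
)

# Key/value fields that Forefront Client Security appends to its event 1008
# message, separated from each other by runs of two or more spaces.  The keys
# are listed explicitly because values such as "Virus:Win32/Alureon.H" and the
# fwlink URL contain colons of their own.
FCSAM_KEYS = {"Scan ID", "Scan Type", "User", "Name", "ID", "Severity",
              "Category", "Path", "Action", "Error Code", "Error description"}

# Constructed FCSAM 1008 message in the same layout as the one in the log
# (user name and scan ID are placeholders, not values from the thread).
FCSAM_MESSAGE = "    ".join([
    "Microsoft Forefront Client Security has encountered an error when taking "
    "action on spyware or other potentially unwanted software. For more "
    "information please see the following: http://go.microsoft.com/fwlink/"
    "?linkid=37020&name=Virus:Win32/Alureon.H&threatid=2147632576",
    "Scan ID: {00000000-1111-2222-3333-444444444444}",
    "Scan Type: AntiMalware",
    "User: EXAMPLE-PC\\user",
    "Name: Virus:Win32/Alureon.H",
    "ID: 2147632576",
    "Severity: Severe",
    "Category: Virus",
    "Path: rootkit:Alureon->atapi",
    "Action: Remove",
    "Error Code: 0x80508026",
    "Error description: This program can't remove a potentially harmful item "
    "from the contents of an archived file.",
])

# Constructed sample log: one FCSAM failure plus two unrelated error events.
SAMPLE_LOG = "\n".join([
    "5/24/2010 10:36:40 PM, error: FCSAM [1008]  - " + FCSAM_MESSAGE,
    "5/22/2010 7:59:30 AM, error: Service Control Manager [7011]  - Timeout "
    "(30000 milliseconds) waiting for a transaction response from the "
    "ShellHWDetection service.",
    "5/25/2010 1:10:56 AM, error: Ftdisk [45]  - The system could not "
    "successfully load the crash dump driver.",
])


def parse_line(line):
    """Split one DDS event line into timestamp, level, source, id and message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["event_id"] = int(rec["event_id"])
    return rec


def parse_fcsam_fields(message):
    """Turn the space-separated 'Key: value' tail of an FCSAM message into a dict."""
    fields = {}
    for chunk in re.split(r"\s{2,}", message):
        key, sep, value = chunk.partition(": ")
        if sep and key in FCSAM_KEYS:
            fields[key] = value.strip()
    return fields


def parse_log(text):
    """Parse every recognisable event line; unrecognised lines are skipped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def failed_remediations(records):
    """Return a flat record for every FCSAM event 1008 (action failed)."""
    out = []
    for r in records:
        if r["source"] == "FCSAM" and r["event_id"] == 1008:
            f = parse_fcsam_fields(r["message"])
            out.append({"timestamp": r["ts"], "threat": f.get("Name"),
                        "path": f.get("Path"), "action": f.get("Action"),
                        "error_code": f.get("Error Code")})
    return out


if __name__ == "__main__":
    for fail in failed_remediations(parse_log(SAMPLE_LOG)):
        print("{timestamp}: {action} of {threat} at {path} failed "
              "(error {error_code})".format(**fail))
```

On a real DDS log you would feed the whole "Event Log" section to `parse_log`; the output of `failed_remediations` is the short list to act on, since a detection that the scanner could not remove (here a patched driver the scanner reports as a rootkit) is the case where a repair install, as the thread shows, does not help.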

              ishan

                Re: Alureon.H rootkit virus TermDD
                « Reply #7 on: May 25, 2010, 09:19:57 AM »
                Well, as a last resort, I repaired my Windows XP installation, but the TermDD rootkit virus still remains.

                Any help?

                Allan

                Re: Alureon.H rootkit virus TermDD
                « Reply #8 on: May 25, 2010, 09:43:58 AM »
                A repair will not eliminate viruses. Either do a full format and reinstall or wait for one of CH's malware specialists to check your logs.

                SuperDave

                Re: Alureon.H rootkit virus TermDD
                « Reply #9 on: May 25, 2010, 10:17:58 AM »
                Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum so it may take a bit longer to process your logs.

                1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
                2. The fixes are specific to your problem and should only be used for this issue on this machine.
                3. If you don't know or understand something, please don't hesitate to ask.
                4. Please DO NOT run any other tools or scans while I am helping you.
                5. It is important that you reply to this thread. Do not start a new topic.
                6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
                7. Absence of symptoms does not mean that everything is clear.

                First of all, you only have 12 GiB of free space on your HD. You should have 15%. Soon your computer will start having operating problems including crashes. You need to free up some more space.

                ============================
                SUPERAntiSpyware

                If you already have SUPERAntiSpyware be sure to check for updates before scanning!


                Download SuperAntispyware Free Edition (SAS)
                * Double-click the icon on your desktop to run the installer.
                * When asked to Update the program definitions, click Yes
                * If you encounter any problems while downloading the updates, manually download and unzip them from here
                * Next click the Preferences button.

                •Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
                * Click the Scanning Control tab.
                * Under Scanner Options make sure only the following are checked:

                •Close browsers before scanning
                •Scan for tracking cookies
                •Terminate memory threats before quarantining
                Please leave the others unchecked

                •Click the Close button to leave the control center screen.

                * On the main screen click Scan your computer
                * On the left check the box for the drive you are scanning.
                * On the right choose Perform Complete Scan
                * Click Next to start the scan. Please be patient while it scans your computer.
                * After the scan is complete a summary box will appear. Click OK
                * Make sure everything in the white box has a check next to it, then click Next
                * It will quarantine what it found and if it asks if you want to reboot, click Yes

                •To retrieve the removal information please do the following:
                •After reboot, double-click the SUPERAntiSpyware icon on your desktop.
                •Click Preferences. Click the Statistics/Logs tab.

                •Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.

                •It will open in your default text editor (preferably Notepad).
                •Save the notepad file to your desktop by clicking (in notepad) File > Save As...

                * Save the log somewhere you can easily find it. (normally the desktop)
                * Click close and close again to exit the program.
                * Copy and paste the log in your post.

                ======================================

                Please download Malwarebytes Anti-Malware from here.

                Double Click mbam-setup.exe to install the application.
                • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
                • If an update is found, it will download and install the latest version.
                • Once the program has loaded, select "Perform Full Scan", then click Scan.
                • The scan may take some time to finish, so please be patient.
                • When the scan is complete, click OK, then Show Results to view the results.
                • Make sure that everything is checked, and click Remove Selected.
                • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
                • Please save the log to a location you will remember.
                • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
                • Copy and paste the entire report in your next reply.
                Extra Note:

                If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

                ======================================

                Download ComboFix by sUBs from one of the below links. 

                Important! You MUST save ComboFix to your desktop

                link # 1
                Link # 2

                Temporarily disable your Anti-virus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

                Double click on ComboFix.exe & follow the prompts.

                Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)

                Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

                When the scan completes it will open a text window.
                 
                Post the contents of that log in your next reply.

                Remember to re-enable your Anti-virus and Antispyware protection when ComboFix is complete.

                ishan

                  Re: Alureon.H rootkit virus TermDD
                  « Reply #10 on: May 25, 2010, 12:22:28 PM »
                  Hi SuperDave!

                  Thanks a lot for your help!

                  I am sorry for being a bit impatient in this case and not replying to your email quickly.

                  I did not have access to any other computer than infected one and I did not want to connect that to Internet.

                  It seems like the issue is fixed, but please verify the logs that I am going to upload and advise. Yes, I used combofix, but before you updated this, I was already on it so did not cancel that.

                  1. I downloaded Anti Trojan Elite (Free) and it did find the virus. However, the free version of the software does not allow you to kill those viruses. So no help!

                  2. As already mentioned by Allan, I downloaded SUPERAntiSpyware Free Edition, which found and cleaned a few cookies. I did not think they were malicious, but I deleted them anyway.

                  3. My Microsoft Forefront Client Security still complained about the termDD rootkit virus in the quick scan itself; as you can see from the logs, it was simply unable to remove it. I visited safety.live.com and did a quick scan. OneCare also found an issue and was unable to remove it.

                  4. I downloaded ComboFix and decided to use it whatever the side effects. I simply ran it and it did find rootkit activity. After reboot, it did some clean up (it fixed atapi.sys and a few other files which I think were infected before I repaired the installation).

                  Excerpt of Combofix.txt

                  Other Delections
                  ----------------
                  c:\documents and settings\All users\application data\Microsoft\Network\Downloader\qmgr0.dat
                  c:\documents and settings\All users\application data\Microsoft\Network\Downloader\qmgr1.dat
                  c:\windows\system32\AutoRun.inf
                  c:\windows\system32\VB40032.DLL



                  5. Microsoft Forefront still complained about the TermDD rootkit virus. From a similar forum thread on bleepingcomputer.com on the Alureon.H threat, I created a CFScript.txt

                  TDL::
                  C:\WINDOWS\system32\drivers\termdd.sys

                  and ran combofix again with this script

                  6. Again ComboFix found rootkit activity and forced a reboot. After reboot, while it was fixing the issue, it crashed with a memory dump and blue screen.

                  7. I rebooted my machine and did the scan again. Well, not so easy :(.. No luck this time. I just simply re-ran ComboFix (without CFScript.txt) and I think it ran well except for a few memory 'cannot be read' errors.

                  9. I checked the ComboFix log, and it seems that it fixed the rootkit! I did a quick scan again with Forefront, and it did not complain this time.

                  Excerpt of Combofix.txt

                  Other Delections
                  ----------------
                  Infected copy of c:\windows\system32\drivers\termdd.sys was found and disinfected
                  Restored copy from - Kitty had a snack :p
                  Infected copy of c:\windows\system32\drivers\termdd.sys was found and disinfected
                  Restored copy from - Kitty ate it :p




                  10. At the moment, a full scan is being performed to find out about more issues.


                  What do you suggest if full scan does not find any issue?

                  Thanks a lot once again!

                  Ishan
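What the post above describes, in defender's terms, is a rootkit that patches legitimate drivers (atapi.sys, then termdd.sys) in place: the file keeps its name, its path and (as the SystemLook output earlier in the thread shows for termdd.sys) its normal size, so a repair install that only replaces files it considers missing does nothing, and a scanner that finds the infection cannot always disinfect it. The one check that reliably exposes an in-place patch is a content hash compared against a known-good baseline. The script below is an added example for this page, not code from ComboFix, Forefront or the poster; it uses a constructed temporary directory of fake driver files, takes a baseline, patches one file without changing its size, and reports the mismatch.

```python
"""Detect in-place modification of driver files by comparing SHA-256 hashes
against a known-good baseline.  Added example; not code from ComboFix,
Forefront or the forum thread.  The driver directory and files used in
demo() are constructed stand-ins, not real Windows drivers."""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 so large drivers are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(driver_dir):
    """Record name -> hash for every file, taken from a known-clean state."""
    return {name: sha256_of(os.path.join(driver_dir, name))
            for name in sorted(os.listdir(driver_dir))}


def check_against_baseline(driver_dir, baseline):
    """Return {name: status}; status is 'ok', 'MODIFIED', 'MISSING' or 'NEW'."""
    report = {}
    present = set(os.listdir(driver_dir))
    for name, expected in baseline.items():
        if name not in present:
            report[name] = "MISSING"
        elif sha256_of(os.path.join(driver_dir, name)) != expected:
            report[name] = "MODIFIED"          # same name and path, new content
        else:
            report[name] = "ok"
    for name in present - set(baseline):
        report[name] = "NEW"                   # file not in the clean baseline
    return report


def demo():
    """Constructed scenario: baseline three fake drivers, then overwrite 64
    bytes inside termdd.sys (size unchanged) and drop one extra file."""
    with tempfile.TemporaryDirectory() as d:
        fake_drivers = {"atapi.sys": b"A" * 4096,
                        "termdd.sys": b"T" * 4096,
                        "ntfs.sys": b"N" * 4096}
        for name, data in fake_drivers.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        baseline = build_baseline(d)

        # Simulate an in-place patch: the file keeps its name and its size.
        with open(os.path.join(d, "termdd.sys"), "r+b") as f:
            f.seek(100)
            f.write(b"\x90" * 64)
        assert os.path.getsize(os.path.join(d, "termdd.sys")) == 4096

        # Simulate an unexpected file appearing in the driver directory.
        with open(os.path.join(d, "dropped.sys"), "wb") as f:
            f.write(b"X" * 16)

        return check_against_baseline(d, baseline)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print("%-12s %s" % (name, status))
```

Two caveats apply when this is used for real rather than on the constructed directory. The baseline must come from a source that was clean when hashed (installation media or a freshly built identical machine), not from the suspect system, or the patched file becomes the reference. And the comparison should be run from outside the running OS (an offline boot or a mounted image), because a kernel-mode rootkit of the kind discussed here can hide its changes from file reads performed on the infected system, which is exactly why the thread's helper relies on tools that run their own rootkit-specific checks.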


                  ishan

                    Re: Alureon.H rootkit virus TermDD
                    « Reply #11 on: May 25, 2010, 12:27:27 PM »
                    Hi Admin,

                    Please remove username/domain information from log that I posted earlier as I am unable to do it now.

                    Thanks for your help.

                    SuperDave

                    Re: Alureon.H rootkit virus TermDD
                    « Reply #12 on: May 25, 2010, 01:31:21 PM »
                    I specifically asked you not to do this. If you want my help, you will have to follow instructions.

                    Quote
                    4. Please DO NOT run any other tools or scans while I am helping you.

                    Quote
                    5. Microsoft Forefront still complained about TermDD rootkit virus. From a similar forum on bleepingcomputer.com on Alureon.H threat, I created a CFScript.txt
                    TDL::
                    C:\WINDOWS\system32\drivers\termdd.sys
                    There is no syntax in ComboFix for TDL:: Please do not run anything until I ask you to do so!

                    I still haven't seen any complete logs which I will need.

                    ishan

                      Re: Alureon.H rootkit virus TermDD
                      « Reply #13 on: May 25, 2010, 03:09:41 PM »
                      Quote
                      I specifically asked you not to do this. If you want my help, you will have to follow instructions.
                      There is no syntax in ComboFix for TDL:: Please do not run anything until I ask you to do so!

                      I am sorry, but by the time you updated this thread I already executed Combofix.

                      Quote
                      I still haven't seen any complete logs which I will need.

                      What logs shall I upload now?

                      SuperDave

                      Re: Alureon.H rootkit virus TermDD
                      « Reply #14 on: May 25, 2010, 05:50:29 PM »
                      I will need to see the SAS, MBAM and ComboFix logs, in this order.