Alureon - log check please

Hi guys,

Apparently, even though I try to update my Avast fairly often, it didn't stop the raving Alureon from infecting my notebook. So I read some of the topics here, got rid of the small 3MB partition with help from GParted, then re-activated my Desktop and Start menu with Malwarebytes, deleted some of the gunk manually, ran TDSSKiller and aswMBR, and also manually reset the folders from "read-only" and "hidden" status. The notebook behaves normally now, but I would still appreciate it if someone with a trained eye could take a look at my logs. Thanks in advance!

btw: Do you know whether the virus can also somehow tamper with the ThinkVantage Client Security Solution? I tried not to type any passwords on the machine and only used the fingerprint reader to gain access to the computer, but the TCSS now bugs me that the Windows password was changed and that I should make some changes in TCSS as well.

Depending on which variant of Alureon was detected, the trojan's actions differ.

See: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=alureon

Unfortunately, no AV to my knowledge is able to block this, as it changes on a daily basis, but at least Avast stops it calling home. Are you experiencing any problems at the moment?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
To disable MBAM
Open the scanner and select the protection tab
Remove the tick from “Start with Windows”
Reboot and then run OTL

http://i1224.photobucket.com/albums/ee362/Essexboy3/mbamstop.jpg

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
[2010/05/19 01:02:45 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/12/05 15:41:48 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/02/04 12:04:34 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
O4 - HKLM..\Run: [OWnJICFAheC.exe] C:\Documents and Settings\All Users\Application Data\OWnJICFAheC.exe File not found
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Reg Error: Key error.)

:Files
ipconfig /flushdns /c

:Commands
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
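The entry worth understanding in the fix above is the O4 line: an HKLM Run value that still points at OWnJICFAheC.exe after the file itself was deleted. A Run value with a missing target is harmless on its own, but it is a leftover of the infection and, if anything later writes a file to that exact path, Windows will launch it at the next logon without any new registry change. The following is an added example, not the helper's script or any part of OTL, showing how to triage OTL-style log lines for Run entries reported "File not found" and DPF entries with a registry error, and to emit them in the :OTL fix shape used above. The O4 and O16 lines are the ones quoted in the fix; the HKCU "Healthy" entry and its path are hypothetical, constructed so the filter has something to leave alone.

```python
"""Triage OTL scan lines for autorun entries whose target is gone.

Added example (not OTL's own code). The O4/O16 sample lines are taken from
the fix above; the HKCU 'Healthy' line is a constructed, hypothetical entry.
"""
import re
from typing import Dict, List, Optional

# Constructed sample input: two lines from the fix above plus one healthy
# Run entry (hypothetical) and one Firefox line that the filter should ignore.
SAMPLE_OTL_LINES = [
    r"O4 - HKLM..\Run: [OWnJICFAheC.exe] C:\Documents and Settings\All Users\Application Data\OWnJICFAheC.exe File not found",
    r"O4 - HKCU..\Run: [Healthy] C:\Program Files\Healthy\Healthy.exe (Hypothetical Vendor)",
    r"O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Reg Error: Key error.)",
    r"FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23",
]

# O4 lines: "O4 - <hive>..\<key>: [<value name>] <target> [File not found]"
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<rest>.+)$"
)
# O16 lines: "O16 - DPF: {CLSID} <url> (<note>)"
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) (?P<url>\S+)(?: \((?P<note>[^)]*)\))?$"
)
MISSING_SUFFIX = " File not found"


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for a line that belongs in the :OTL fix, else None.

    Flags: Run values whose target OTL reports as 'File not found', and
    DPF (ActiveX download) entries whose registry key is broken.
    """
    m = O4_RE.match(line)
    if m:
        rest = m.group("rest")
        if rest.endswith(MISSING_SUFFIX):
            return {
                "kind": "orphaned-run",
                "hive": m.group("hive"),
                "name": m.group("name"),
                "target": rest[: -len(MISSING_SUFFIX)],
                "line": line,
            }
        return None  # target present: leave it for a human to judge
    m = O16_RE.match(line)
    if m and (m.group("note") or "").startswith("Reg Error"):
        return {
            "kind": "broken-dpf",
            "hive": "HKLM",
            "name": m.group("clsid"),
            "target": m.group("url"),
            "line": line,
        }
    return None


def find_fixable_entries(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify() over every scan line and keep the findings."""
    return [f for f in (classify(line) for line in lines) if f]


def build_otl_fix(findings: List[Dict[str, str]]) -> str:
    """Emit a Custom Scans/Fixes script in the same layout as the one above.

    OTL removes each listed entry verbatim, so the original line is reused.
    """
    body = [":OTL"] + [f["line"] for f in findings]
    body += ["", ":Commands", "[emptytemp]", "[CREATERESTOREPOINT]", "[Reboot]"]
    return "\n".join(body)


if __name__ == "__main__":
    found = find_fixable_entries(SAMPLE_OTL_LINES)
    for f in found:
        print(f"{f['kind']:13} {f['name']} -> {f['target']}")
    print()
    print(build_otl_fix(found))
```

The filter deliberately keeps anything whose target still exists: a present file under a Run key is exactly the case that needs a human (or a hash lookup) rather than an automatic deletion, and OTL's own "File not found" annotation is what makes the orphaned case safe to script.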

Thank you for your help! No problems at the moment. I deleted the OWnJICFAheC.exe before, so I guess that even though it was trying to open it, I stayed all right. Plus, I use Opera and only very rarely FF.

You did a good job; GParted was the main trick for this one.