Help with Alureon Please check my log files

I followed the instructions by TwinHeadedEagle at this post http://forum.avast.com/index.php?topic=145854.0
After running avast, adlinker comes up as my infection although I know I have Alureon after running MSE. I followed the instructions at the link above and am attaching my .txt files. I have tried steps from other forums and almost lost my windows boot up (thought the virus software deleted important files). I went to the boot menu and I think it may have restored or reinstalled what I deleted because I can get on windows again (obviously), but my cpu usage is still excessive. Instead of taking unnecessary risks of crashing my computer I thought I would ask for help here. This virus has been on this computer a long time and I tried several things to remove it to no avail. Please help? Thanx

also attach OTL diagnostic log http://forum.avast.com/index.php?topic=53253.0

malware experts are notified…

TDSSKiller took out the Pihar MBR problem so now we will need to see what other problems remain

The OTL scan will show important services and other areas that FRST does not look, I use both logs together

OTL file attached. Thanx

What problems are you experiencing at the moment ?

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
IE - HKU\S-1-5-21-3204183578-1214996656-301348003-1000\..\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}: "URL" = http://127.0.0.1:4664/search&s=R_l3TmuY3TLxKcKa5GYRigwZZsA?q={searchTerms}
IE - HKU\S-1-5-21-3204183578-1214996656-301348003-1000\..\SearchScopes\{AD22EBAF-0D18-4fc7-90CC-5EA0ABBE9EB9}: "URL" = http://www.daemon-search.com/search/web?q={searchTerms}
FF - prefs.js..extensions.enabledItems: {2B9787A6-CFF4-4A08-BD2E-0D3EFE6D3E6C}:1.9.1
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{2B9787A6-CFF4-4A08-BD2E-0D3EFE6D3E6C}: C:\Users\Busy Welding\AppData\Local\{2B9787A6-CFF4-4A08-BD2E-0D3EFE6D3E6C} [2010/01/08 00:03:09 | 000,000,000 | ---D | M]
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O3 - HKU\S-1-5-21-3204183578-1214996656-301348003-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-3204183578-1214996656-301348003-1000\..\Toolbar\WebBrowser: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - No CLSID value found.
O3 - HKU\S-1-5-21-3204183578-1214996656-301348003-1000\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKU\S-1-5-21-3204183578-1214996656-301348003-1000\..\Toolbar\WebBrowser: (no name) - {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - No CLSID value found.

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Please download AdwCleaner by Xplode onto your desktop.

[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete click on “Clean”
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S1].txt as well.
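The OTL fix above removes redirected IE search scopes and BHO/toolbar entries whose CLSID no longer resolves ("No CLSID value found"). The following is an added example, not OTL's code and not anything posted in this thread: a read-only PowerShell audit of those same registry locations, so the same kinds of leftovers can be reviewed before anything is removed. It assumes Windows PowerShell 3 or later on the affected profile and an elevated prompt for the HKLM keys; the allow-list of search engines is constructed for the example. Nothing is modified.

```powershell
# Added example (not OTL's or the forum's own code). Read-only audit of the browser
# integration keys that the OTL fix above targets. Assumes Windows PowerShell 3+.

function Get-SearchScopeAudit {
    $base = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
    if (-not (Test-Path $base)) { return }
    foreach ($scope in Get-ChildItem $base) {
        $url = (Get-ItemProperty $scope.PSPath -ErrorAction SilentlyContinue).URL
        [pscustomobject]@{
            Scope      = $scope.PSChildName
            URL        = $url
            # Constructed allow-list for this example; anything else is worth a look
            # (a loopback 127.0.0.1:4664 scope like the one in the fix above is flagged).
            Suspicious = -not ($url -match '^https?://(www\.)?(google|bing|yahoo)\.com/')
        }
    }
}

function Resolve-Clsid([string]$Clsid) {
    # A CLSID is registered if HKCR\CLSID\{...} exists; its default value is the class name.
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    if (Test-Path -LiteralPath $key) {
        (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
    } else { $null }
}

function Get-OrphanedBrowserObjects {
    $results = @()
    # BHOs: one subkey per CLSID under each of these keys (64-bit and WOW64 views).
    $bhoKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem $key) {
            $results += [pscustomobject]@{
                Kind = 'BHO'; CLSID = $sub.PSChildName; Name = (Resolve-Clsid $sub.PSChildName)
            }
        }
    }
    # Toolbars: CLSIDs are stored as value names under the WebBrowser key.
    $tbKey = 'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser'
    if (Test-Path $tbKey) {
        $guids = (Get-Item $tbKey).GetValueNames() | Where-Object { $_ -match '^\{[0-9A-Fa-f-]{36}\}$' }
        foreach ($g in $guids) {
            $results += [pscustomobject]@{ Kind = 'Toolbar'; CLSID = $g; Name = (Resolve-Clsid $g) }
        }
    }
    # Orphaned = referenced by IE but no class registered, i.e. OTL's "No CLSID value found".
    foreach ($r in $results) {
        $r | Add-Member -MemberType NoteProperty -Name Orphaned `
            -Value ([string]::IsNullOrEmpty($r.Name)) -PassThru
    }
}

Get-SearchScopeAudit      | Format-Table -AutoSize
Get-OrphanedBrowserObjects | Format-Table -AutoSize
```

Orphaned entries are usually harmless residue from an uninstalled add-on, but they are also exactly what a removal tool lists, so checking them read-only first avoids deleting a live add-on by mistake.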

I think things are right now. CPU usage is 1-4% when idle. Still many svchost in the task manager but not using all my memory. Whereas, before your help the fan in my computer was running so fast I thought it might take flight. ;D

After running the scan, I unchecked and kept some iwin app data because I am pretty sure it belongs to games I play.

I thought I saw Limewire as well as a bittorrent somewhere in one of the logs that my son put on the computer some time ago, can you tell me if it is gone?

Hopefully everything looks good in the log files (attached).

Thank you for your quick response and assistance.

Let us consign limewire and bittorrent to the history bin :slight_smile:

How is the computer behaving overall now ?

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:Files
C:\Users\Busy Welding\AppData\Roaming\LimeWire
C:\Users\Busy Welding\AppData\Roaming\BitTorrent

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Started the OTL scan with the commands you posted. OTL said “not responding” then began scan but stopped before empty temp and reboot. I had to force reboot and no log file appeared.

In addition there are now some strange transparent icons on my desktop named:
~Stumns game cards.docx
desktop.ini (2 of them)
Thumbs.db

I do not know if this means anything but when I look in the task manager and select Show processes from all users there are still 13 svchost running. Is this normal? I am only asking because the Alureon virus seemed to create svchost processes.

Thanks once again, Virginia

The transparent icons are protected system files, don't touch them.

For the svchost processes wait for essexboy to reply, maybe he will use another program to check that.

I won't touch the transparent icons on the desktop but I am sure they were not there before because I had just cleaned up and organized the desktop. Hopefully you can help me put them back where they belong. Everything seems much better with the processes running though. My CPU usage was spiking prior to this and now it is running at 3-11%. Fan is finally quiet.
Thanks

OK. That's good to hear, please wait for essexboy to clean up if you're clean.
He will remove all used tools at the end.

The transparent icons should be gone sometime.
Otherwise you can open your desktop or any other folder and go to folder and search options.
Tick hide protected system files (recommended) there and they're gone.

It was MBAM that stopped OTL from clearing the temp files

The transparent icons will disappear once I clean my tools away :slight_smile:

With regard to svchost I currently have about 20 or so running on my Windows 8. This is the workhorse file of the system

How is the system behaving overall before I tidy up ?
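The question of whether 13 svchost processes is normal comes up often. The count alone says little; what matters is whether each instance is the real System32\svchost.exe, is signed, and actually hosts services. The following is an added example, not from essexboy or this thread, that lists each svchost instance with the services it hosts and flags anything that fails those checks. It assumes Windows PowerShell 3 or later run from an elevated prompt (otherwise ExecutablePath is empty for other users' processes and gets flagged for that reason alone).

```powershell
# Added example (not the forum's own code). Audit svchost.exe instances: correct path,
# valid Authenticode signature, and at least one hosted service. Assumes Windows
# PowerShell 3+ in an elevated session.

function Get-SvchostAudit {
    $expected = Join-Path $env:SystemRoot 'System32\svchost.exe'
    # Map running services to their host process once, rather than per process.
    $services = Get-WmiObject Win32_Service | Where-Object { $_.ProcessId -ne 0 }
    $byPid = @{}
    foreach ($s in $services) {
        if (-not $byPid.ContainsKey($s.ProcessId)) { $byPid[$s.ProcessId] = @() }
        $byPid[$s.ProcessId] += $s.Name
    }

    foreach ($p in Get-WmiObject Win32_Process -Filter "Name='svchost.exe'") {
        $procId = $p.ProcessId
        $path   = $p.ExecutablePath
        $hosted = if ($byPid.ContainsKey($procId)) { $byPid[$procId] -join ',' } else { '' }
        $sig    = if ($path) { (Get-AuthenticodeSignature $path).Status } else { 'Unknown' }
        $parent = Get-WmiObject Win32_Process -Filter "ProcessId=$($p.ParentProcessId)"
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }

        $pathOk   = $path -and ($path -ieq $expected)
        $parentOk = $parentName -ieq 'services.exe'
        [pscustomobject]@{
            PID            = $procId
            Path           = $path
            Parent         = $parentName
            HostedServices = $hosted
            Signature      = $sig
            # Real svchost: correct path, valid signature, started by services.exe,
            # hosting at least one service. Anything else deserves a closer look.
            Flag = (-not $pathOk) -or (-not $parentOk) -or ($sig -ne 'Valid') -or ($hosted -eq '')
        }
    }
}

Get-SvchostAudit | Sort-Object Flag -Descending | Format-Table -AutoSize
```

A flagged row is a starting point, not a verdict: a legitimate instance that just finished its last service can transiently host nothing, so re-run before acting on it.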

Everything seems to be good. Do you think bittorrent and Limewire were removed? Other than that I think I am ready for cleanup, although I put my logfiles and downloaded programs in a folder should I drag them to the desktop for cleanup?

Can you explain to me step by step how to “go to folder and search options.
Tick hide protected system files” I am unsure how to do this.
Thanx, Virginia

Aye, put them on the desktop; limewire and torrent were removed before OTL was blocked :slight_smile:

In that case methinks I will send you on your merry way :slight_smile:

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article and this article.
I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent install this programme to lock down and prevent crypto ransomware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe :wave:

Whoops just saw your other post, delfix will reset your hidden files as part of its routine

I ran Delfix and the transparent icons are gone from the desktop. :slight_smile:

Cryptoprevent is different from the screenshot you posted. I have an additional option that says - Protect %userprofile% / %programdata% / Startup Folder
Should I check that box also? Does this run in the background or is it something I need to initiate regularly? What does this tool do exactly?

I have Malwarebytes on my computer from 2012. Should I uninstall and re-install a new version? Obviously I didn't run it regularly or wouldn't have gotten a virus. :slight_smile: I will run it regularly.

Right now Avast! and MSE are running in the taskbar, is this acceptable or will they conflict?

I Need help with updating Java. The install security updates was incomplete. Tried to look at help files and I do not know what to do. Maybe you can direct me to a download link? Windows Vista Home Premium Service pack 2 32-bit OS

Thanks for all your help! I will be recommending avast! to friends & family.
Sincere Thanx, Virginia

Oops they have updated it again… Yes, check the boxes. CryptoPrevent is a fire-and-forget programme: it adjusts the registry so that known malware cannot run from its known launch folders. Check the programme monthly for updates by using the update checker within the programme

I would recommend disabling MSE :
Open the MSE GUI (double-click tray icon or use the Start menu shortcut), select Settings, Real-time protection and deselect the Turn on real-time protection option.

OK for Java let's go the easy way :

Download Javara from here http://singularlabs.com/software/javara/ the download link is on the right hand side
Run the programme and select update Java runtime
Once it is done then uninstall Javara :slight_smile:

For malwarebytes run the programme and select Update and it will then download the latest
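The thread describes CryptoPrevent only as adjusting the registry so known malware cannot run from its launch folders. The following is an added example, not CryptoPrevent's code and not from this thread; it assumes (an assumption, not stated on the page) that the tool populates Windows Software Restriction Policy path rules, and in any case shows how to read back whatever SRP path rules are in effect and estimate whether a given file location would be blocked. It needs Windows PowerShell 3 or later; reading HKLM policy keys may need elevation. Nothing is modified.

```powershell
# Added example (not CryptoPrevent's own code). Reads Software Restriction Policy path
# rules from the registry and approximates SRP's "would this path be blocked" decision.
# Assumption: the protection tool discussed above writes its rules as SRP path rules.

function Get-SrpPathRules {
    # SRP security levels keyed by the numeric subkey name under CodeIdentifiers.
    $levels = @{ '0' = 'Disallowed'; '4096' = 'Untrusted'; '65536' = 'BasicUser'
                 '131072' = 'Constrained'; '262144' = 'Unrestricted' }
    foreach ($root in 'HKLM:', 'HKCU:') {
        $base = "$root\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
        if (-not (Test-Path $base)) { continue }
        foreach ($level in Get-ChildItem $base) {
            $name = $levels[$level.PSChildName]
            if (-not $name) { continue }
            $pathsKey = "$base\$($level.PSChildName)\Paths"
            if (-not (Test-Path $pathsKey)) { continue }
            foreach ($rule in Get-ChildItem $pathsKey) {
                $p = Get-ItemProperty $rule.PSPath
                [pscustomobject]@{
                    Hive        = $root.TrimEnd(':')
                    Level       = $name
                    Pattern     = $p.ItemData       # the path or wildcard the rule covers
                    Description = $p.Description
                }
            }
        }
    }
}

function Test-SrpWouldBlock([string]$Candidate, $Rules = (Get-SrpPathRules)) {
    # Approximation of SRP matching: expand environment variables, then a rule hits if the
    # candidate equals it, sits under it (directory rule) or matches its wildcard. The most
    # specific (longest) matching rule wins, as SRP does; returns $true if that is Disallowed.
    $cand = [Environment]::ExpandEnvironmentVariables($Candidate).ToLowerInvariant()
    $best = $null
    foreach ($r in $Rules) {
        if (-not $r.Pattern) { continue }
        $pat = [Environment]::ExpandEnvironmentVariables($r.Pattern).ToLowerInvariant().TrimEnd('\')
        $hit = ($cand -eq $pat) -or $cand.StartsWith($pat + '\') -or ($cand -like $pat)
        if ($hit -and (($null -eq $best) -or ($pat.Length -gt $best.Pattern.Length))) {
            $best = [pscustomobject]@{ Pattern = $pat; Level = $r.Level }
        }
    }
    if ($null -eq $best) { return $false }
    return ($best.Level -eq 'Disallowed')
}

Get-SrpPathRules | Sort-Object Level, Pattern | Format-Table -AutoSize
# Constructed sample check: a hypothetical executable dropped into the roaming profile,
# one of the launch locations such tools typically cover.
Test-SrpWouldBlock (Join-Path $env:APPDATA 'dropped.exe')
```

If the rule list comes back empty after installing the tool, either the assumption about its mechanism is wrong or the policy has not been applied yet; running `gpupdate /force` and re-reading is the usual first check.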

I am in a mess now. When I clicked on your link to install javara I believe I downloaded the zipextractor on the page by mistake and when unzipped it installed a virus checker called Websteroids and Speedcleaner I was able to uninstall. (see screenshot of add/remove programs - Installcoverter bundle. It will not let me uninstall). It states I do not have permission. I have no idea how to change permissions. I can click on the exe file and Run as Administrator but I cannot stop it in the task manager long enough to uninstall it!

I am now receiving popups and page hijacks (see the screenshots) One hijack page has avast in it!(below)
http://n11.adshostnet.com/ads?key=8cddb633571d69198083fbe9c2fe7a48&keyvalue1=forum.avast.com&keyvalue2=72771&keyvalue3=TSCP&keyvalue4=666F72756D2E61766173742E636F6D&appendvalue1=TSCP&ch=forum.avast.com

What was this generated by? An affiliate link?

Please help me get this new issue resolved. I see you have many other issues pending and appreciate all the time you have already assisted me with. Thanx, Virginia

This is all my fault from clicking the Ad on the Javara page I thought was the Download button. See screenshots. I have flashing pop ups floating on top of the browser. The link address for the flashing popup also has avast in it! http://www.medtech-itsupport.com/rp/?aff_id=forum.avast.com
Seems as though avast is an affiliate?

I will run the adware cleaner you suggested earlier.