
Win32/Alureon infection


#1 gulop182

Posted 26 May 2010 - 09:22 AM

My computer seems to be infected with the Win32/Alureon virus. I am using Windows Vista.

I was not using the computer at the time it happened, but my friend who was using it told me that suddenly Windows Explorer kept opening and giving her an error message, and that then AVG popped up a screen informing her that the computer was infected.

I ran an AVG scan, and it found several instances of the Win32/Alureon virus. It could only remove 7 of 14 of these instances. I tried to research this virus on that computer, but every time I tried to do a Google search, the search engine would bring me to a completely unrelated website with advertisements.

I restarted the computer this morning and tried to go into Control Panel to turn on Windows Firewall, but a window popped up stating something about having to shut down immediately so as to protect my computer. I therefore physically unplugged the computer from the internet so that the virus couldn't keep downloading more malware and increasing the problem. I started Windows again in Safe Mode, and was able to run the DDS and GMER scans, although I had to download them from another computer because of my internet problems.

I think that at the current moment I can only run Windows in Safe Mode, and I do not have proper access to the internet. I can download any programs, but I have to download them on another computer and then transfer them to the infected computer to run them.

I have attached the results of the DDS and GMER logs.

Thanks for any help!!


#2 Farbar

Posted 27 May 2010 - 04:40 PM

Hi gulop182,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

One or more of the identified infections is a backdoor trojan.

A backdoor Trojan can allow an attacker to gain control of the system, log keystrokes, steal passwords, access personal data, send malevolent outgoing traffic, and close the security warning messages displayed by some anti-virus and security programs.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

You have the option to clean this machine or go for a reformat and reinstall. If you decide to remove the infection, please let me know.


#3 gulop182

Posted 27 May 2010 - 07:11 PM

Almost as soon as the computer became infected I disconnected it from the internet and turned it off. I have only turned it on again in safe mode to do the two scans, the logs of which I posted in my last message. I kept the internet physically unplugged from the computer. I have not turned the computer back on since I completed the scans.

I will take the steps that you advised, though, with regards to my financial institutions.

I would very much prefer to clean the computer without resorting to reformatting it, if that is possible. I would be grateful if you could provide me with any instructions or help as to how to do this.

Thanks for your response.

#4 gulop182

Posted 27 May 2010 - 07:13 PM

I forgot to mention: yes, I agree not to make any system changes while we are fixing the computer. I even agree to keep the computer physically turned off until we have made the fixes, other than when I must turn it on to follow any of your instructions.

#5 Farbar

Posted 28 May 2010 - 07:06 AM

This round and the next round are important. This round you have more work to do, but if this round goes well, the next round will be easy. This round we clean the computer of the rogue software and the downloader, and next round we take care of the rootkit.


Do all the steps in "Safe Mode with Networking", but if MBAM needs a reboot to clean the malware, make sure you reboot to normal mode.
(You may make the batch file on a clean computer and transfer it to the infected computer. TDLFix.exe and mbr.exe could also be downloaded from another computer.
Also the MBAM setup file could be downloaded from another computer, but you need to update it, and you need at least "Safe Mode with Networking" to do that.)

The order of the fix is not vital, so if you face any problem with one step, proceed with the next and tell me the problem you faced.
  1. Please make sure of the following settings:
    • Go to start => Control panel => Double-click Network and Sharing Center.
    • In the left window select Manage network Connection.
    • In the right window right-click Local Area connection and select Properties .
    • Internet Protocol Version 6 (IPv6) should be checked. Double-click on it and make sure of the following settings:
      • The option Obtain an IP address automatically should be checked.
      • The option Obtain DNS server address automatically should be checked.
    • Click OK.
    • Internet Protocol Version 4 (IPv4) should be checked. Double-click on it.
      • The option Obtain an IP address automatically should be checked.
      • The option Obtain DNS server address automatically should be checked.
    • Click OK twice.

  2. Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box (without the word CODE) into a new file:


    CODE
    @ECHO OFF
    REM Remove the hijacked DNS server settings (global and for the affected interface)
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v NameServer /f
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{E8FB5A72-D167-4102-B968-0BB2F8326436} /v NameServer /f
    REM Remove the malware's autostart entry from the user's Run key
    reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v lwnsvqom /f
    REM Disable and then delete the malicious service (the space after start= is required)
    sc config MSWU-57726aed start= disabled
    sc delete MSWU-57726aed
    REM Rename the malware files so they can no longer run; MBAM will pick up the .old files
    ren c:\users\assistant\appdata\local\xldmvvfbg\wuvvonhtssd.exe wuvvonhtssd.old
    ren c:\windows\system32\f36decbb.exe f36decbb.old
    ren c:\windows\Ekikya.exe Ekikya.old
    ren c:\windows\system32\57726aed.exe 57726aed.old

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: fix.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate fix.bat on the desktop.
    • Right-click to run it as administrator.
    • A window opens briefly and closes, this is normal.

  3. Please download MBR.EXE by GMER. Save the file in your Windows directory (C:\Windows).

  4. Download http://download.bleepingcomputer.com/farbar/TDLfix.exe and save it to your desktop.

    Double-click to run TDLfix.exe, type the following in the command window and press Enter:

    mbr

    A log file opens up. Please post its content in your reply.

  5. Please download Malwarebytes' Anti-Malware from one of these locations:
    malwarebytes.org
    majorgeeks.com
    • Double-click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy & paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


    Note:
    In case malware prevented the mbam-setup.exe file from installing, rename it to something.exe.

    In case malware prevented it from updating or running, use Windows Explorer (right-click start > Explorer) to navigate to the following folder: C:\Program Files\Malwarebytes' Anti-Malware
    Locate the file mbam.exe and rename it to clear.exe then double-click to run it.

    In case the Malwarebytes exe gets deleted by the malware (Code 2 error, mbam.exe not found) download a randomized renamed mbam.exe version from here.
    Place the renamed mbam.exe in the Program Files\Malwarebytes' Anti-Malware folder and run the renamed file from there directly instead of using the shortcut.


#6 gulop182

Posted 28 May 2010 - 11:41 AM

I did everything you indicated in your last post, and it appears that everything ran smoothly.

The contents of the logs are below. I have also uploaded the .txt files in case that is helpful. Thanks so much for all of your help.



The content of the mbr log is as follows:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x85FE1D01]<<
kernel: MBR read successfully
user & kernel MBR OK



The content of the mbam log is as follows:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4151

Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.18882

28/05/2010 12:31:33 PM
mbam-log-2010-05-28 (12-31-33).txt

Scan type: Quick scan
Objects scanned: 131572
Time elapsed: 6 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\QZAIB7KITK (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\System32\57726aed.old (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\f36decbb.old (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\spool\prtprocs\w32x86\17yWSK.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\spool\prtprocs\w32x86\OCE93k79.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\Users\Assistant\AppData\Local\Temp\slJk.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\1g931k9.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\55555iQ.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.


#7 Farbar

Posted 28 May 2010 - 12:18 PM

Well done.
  1. Close all the open windows.
    • Disable real-time protection of your security software and make sure it will not run at startup after reboot. It may otherwise interfere with the tool. (Information on A/V control HERE)
    • Right-click TDLfix.exe and select "run as administrator", a command window opens.
    • Type (or copy the following and right-click to paste) in the command window and press Enter:

      mouclass

    • The application will restart the computer immediately and run after the restart.
    • Tell me if the computer rebooted and ran to completion.

  2. Reboot the computer once manually then run TDLFix again, type mbr and press Enter. Copy and paste the log it creates.


#8 gulop182

Posted 28 May 2010 - 01:32 PM

I did as you stated, and the log reads as follows:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys
kernel: MBR read successfully
user & kernel MBR OK


I don't know if this matters, but I realized that I left my computer in safe mode during all of the previous procedures that I undertook. I set the msconfig boot option to automatically restart under safe mode, because I couldn't intervene while the computer was starting up to put it into safe mode (I tried hitting F8, although maybe I didn't do it fast enough). I realize now that your last instructions state that if MBAM wants to reboot I should reboot in normal mode. I also did everything you just told me to do in your last post from safe mode. Please let me know if there is anything that I should do now to rectify this.

Although I started up in safe mode, the computer seemed to be running smoothly. I didn't try in normal mode though to see if it is the same result.

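As an added illustration (not code from the thread or from Farbar's tools), a Python parser for the two mbr.exe logs posted in #6 and #8: it flags the >>UNKNOWN [...]<< entry GMER prints when part of the disk I/O call chain cannot be attributed to any loaded driver, and shows which modules reappear once that entry is gone.

```python
import re

# The two GMER mbr.exe logs copied from posts #6 (before TDLfix) and #8 (after).
LOG_BEFORE = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x85FE1D01]<<
kernel: MBR read successfully
user & kernel MBR OK
"""

LOG_AFTER = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys
kernel: MBR read successfully
user & kernel MBR OK
"""

# GMER marks a call-chain entry it cannot map to a loaded driver as >>UNKNOWN [address]<<
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")

def parse_mbr_log(text):
    """Return the fields of one mbr.exe log as a dict."""
    info = {"device_ok": False, "user_mbr_ok": False, "kernel_mbr_ok": False,
            "mbr_match": False, "modules": [], "unknown": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("device:"):
            info["device_ok"] = line.endswith("opened successfully")
        elif line.startswith("user:"):
            info["user_mbr_ok"] = line.endswith("MBR read successfully")
        elif line.startswith("kernel:"):
            info["kernel_mbr_ok"] = line.endswith("MBR read successfully")
        elif line.startswith("called modules:"):
            chain = line.split(":", 1)[1]
            info["unknown"] = UNKNOWN_RE.findall(chain)      # hook addresses, if any
            info["modules"] = UNKNOWN_RE.sub("", chain).split()  # named drivers only
        elif line == "user & kernel MBR OK":
            info["mbr_match"] = True
    return info

def assess(text):
    """List the findings a helper would act on; an empty list means the log looks clean."""
    info = parse_mbr_log(text)
    findings = []
    if not (info["device_ok"] and info["user_mbr_ok"] and info["kernel_mbr_ok"]):
        findings.append("mbr.exe could not read the MBR from both user and kernel mode")
    if not info["mbr_match"]:
        findings.append("user-mode and kernel-mode views of the MBR differ (possible MBR rootkit)")
    for addr in info["unknown"]:
        findings.append(f"unattributed code at {addr} in the disk I/O call chain (possible kernel hook)")
    return findings

def chain_diff(before, after):
    """Named modules that appeared or disappeared between two logs."""
    b = parse_mbr_log(before)["modules"]
    a = parse_mbr_log(after)["modules"]
    return {"added": [m for m in a if m not in b], "removed": [m for m in b if m not in a]}
```

In the thread the clean log is what lets the helper move on; the diff shows the storage stack (storport.sys, nvstor32.sys) becoming visible again where the unattributed address used to sit.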

#9 Farbar

Posted 28 May 2010 - 03:18 PM

You mean you even ran TDLfix in Safe Mode, it rebooted to Safe Mode again, and you are still in Safe Mode?



#10 Farbar

Posted 28 May 2010 - 03:50 PM

Going to Safe Mode using msconfig is a risky business and I frankly don't know why Microsoft has created such a dangerous option. Suppose this malware had corrupted the Safe Mode, you could never have been able to boot to Windows again without using a Boot CD and modifying the boot.ini file.

I also asked you to disable your AV and make sure it will not run at startup prior to applying TDLfix, which you probably will not be able to do in safe mode.
So if AVG detects the Trojan the tool was going to remove on reboot, it might interfere with the tool and lock the file. That way the rootkit becomes active on the next boot.

So though the mbr log is clean now, it means nothing unless we make sure the rootkit file is removed.

Please don't redo anything and don't do anything and just tell me if you have booted to normal mode or not.



#11 gulop182

Posted 28 May 2010 - 04:39 PM

I have not rebooted in normal mode. After completing the last instructions that you gave me I realized that I should have booted in normal mode and have not done anything further other than shut off my computer.

AVG was not running when I followed the last instructions, including on reboot. I'm not sure why it wasn't running, because it almost always starts on startup, but I assume it's because for some reason it doesn't run in safe mode.

FYI, when I tried to start my computer again in Safe Mode, I realized that I couldn't do so easily since my computer had shut down normally the last time (it only automatically prompts a person to select Safe Mode if the computer shut down irregularly the last time it was used). I searched on Google for how to force my computer into Safe Mode, and found information on this website on how to do so by either pressing F8 or by going into msconfig. F8 didn't work for me the first time, so I tried msconfig. The link to the page is as follows: http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/. The link worked earlier today, but for some reason now I can't get it to work. You may consider removing the information from the website regarding going to Safe Mode via msconfig if someone could inadvertently harm their computer this way.

Sorry for the screw up! Please let me know what to do next. I will not do anything further with the computer (not even turn it on again) until I hear from you.

#12 Farbar

Posted 28 May 2010 - 05:02 PM

You are right, and the information on that page should be modified with a warning about the risk.

But the rootkit file is still not removed, and since AVG is not disabled, if you now boot to normal mode it might interfere with the tool.

Please do the following; note that the batch file should be run in Safe Mode, don't boot to normal mode yet:

Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box (without the word CODE) into a new file:


CODE
@ECHO OFF
takeown /f c:\system32\drivers\mouclass.sys /a >log.txt 2>&1
del /a/f/q c:\system32\drivers\mouclass.sys >>log.txt 2>&1
copy /v /y  c:\backup\mouclass.sys c:\system32\drivers\ >>log.txt 2>&1
dir /a/b c:\system32\drivers\mouclass.sys >>log.txt 2>&1
start log.txt

  • Go to the File menu at the top of the Notepad and select Save as.
  • Select Save in: desktop
  • Fill in File name: fix.bat
  • Save as type: All file types (*.*)
  • Click save.
  • Close the Notepad.
  • Locate fix.bat on the desktop.
  • Right-click to run it as administrator.
  • A log file opens, please post it to your reply.




#13 gulop182

Posted 28 May 2010 - 05:17 PM

The log reads as follows. I hope it's not bad news:

ERROR: The system cannot find the path specified.

The system cannot find the path specified.
The system cannot find the path specified.
0 file(s) copied.
The system cannot find the path specified.


#14 Farbar

Posted 28 May 2010 - 05:25 PM

My bad. It is not bad news, don't worry, but we have to redo it with the following syntax:

QUOTE
@ECHO OFF
REM Take ownership of the rootkit's driver file so it can be deleted, logging every step
takeown /f c:\windows\system32\drivers\mouclass.sys /a >log.txt 2>&1
del /a/f/q c:\windows\system32\drivers\mouclass.sys >>log.txt 2>&1
REM Put the replacement copy from c:\backup in place, then confirm the file is there
copy /v /y c:\backup\mouclass.sys c:\windows\system32\drivers >>log.txt 2>&1
dir /a/b c:\windows\system32\drivers\mouclass.sys >>log.txt 2>&1
start log.txt



#15 gulop182

Posted 28 May 2010 - 05:33 PM

The log reads as follows. I prefer the word "success" to "error."


SUCCESS: The file (or folder): "c:\windows\system32\drivers\mouclass.sys" now owned by the administrators group.
c:\windows\system32\drivers\mouclass.sys
Access is denied.
Access is denied.
0 file(s) copied.
mouclass.sys