Win32 Alureon.h trojan, need help removing


  • This topic is locked
4 replies to this topic

#1 comngroundsaudio

comngroundsaudio

  • Members
  • 3 posts
  • OFFLINE
  • Local time:06:54 PM

Posted 17 June 2010 - 05:31 PM

Hello,
I have read a lot of posts trying to get rid of Alureon.h, scans after scans... this one is nasty. To give you a heads up: I currently have the newest version of Avast, updated. I also have the current ZoneAlarm. When I got this virus, my Trend Micro Internet Security had just expired and I installed AVG. In that time frame I then noticed that I was attacked, then came the "download my anti-virus to clean your machine" pop-ups. I got rid of that, and that's when I noticed this virus. I don't know if it's the same virus or a separate infection; nor do I really care at this point. I need some help removing this thing!

I'd say I am a strong intermediate user; I know enough to be dangerous... that's why I am asking for your assistance.

WinXP Pro

Thank you.
michael

Attached Files


Edited by comngroundsaudio, 17 June 2010 - 05:58 PM.



#2 comngroundsaudio

comngroundsaudio
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:06:54 PM

Posted 19 June 2010 - 02:44 AM

Problem has been solved; read on for MY how-to, hope it helps.
Note: the post above states that I had a malware "purchase my antivirus" that I already deleted by using how-tos I found in Google by searching for
remove {program's name} and following those instructions I found.


After this I realized that my user32.dll was infected, by using Avast 5.0. Run Avast (www.download.com and get a free copy), run the scan and it will verify this for you, if you have the same infection I had. I think quick scan finds it, but I know full scan will.

Download and install ZoneAlarm Firewall (www.download.com); this way you can control what goes in and out of your network, stopping the virus from communicating. It will ask you if you want to let certain files access the net. If you say yes, it will, so be careful on what you say yes to. Also check your logs in ZoneAlarm to see what is trying to go in and out.


IF YOU ARE GOING TO USE MY INSTRUCTIONS, PRINT THIS, BECAUSE YOU WILL WISH YOU HAD: YOU'LL BE IN DOS AND HAVE NO ACCESS TO VIEW THE FILES.

What I ended up having to do is go to my Windows install CD and take the file user32.dl_ off of it.
Copy user32.dl_ from the CD under \i386\ and paste it to C:\, not in a folder, just the root.

Then go Start, Run... cmd


A DOS window shows up.
Find the file that I copied (I put it under C:\ so that it would be easy to find).

Type the following:
expand c:\user32.dl_ (put a space after .dl_, I think it makes a difference)

Then type:

dir

to verify that it expanded. You should have 2 user32 files:
user32.dll
user32.dl_

Once you verify, reboot the PC with the system disc; boot from the CD.
At the "Welcome to Setup" screen, press R for the Recovery Console.

It will then ask which version of Windows (mine was 1; note: use the numbers above the letters on your keyboard. Num Lock is off, so don't get excited and press one on the keypad on the right and then press Enter: it will CANCEL. That sucks; you'll have to reboot and do this all again. Make sure you see the number on the screen before hitting Enter.)

Then it asks for the admin password. If you haven't set it, just hit Enter.


Now you should be in DOS. Yay.
Now type:
cd c:\windows\system32


Now you're going to rename the corrupt file. Type the following just as I am now:
rename user32.dll user32.old


Now verify:
dir


While still in the c:\windows\system32 directory, type the following:
copy c:\user32.dll


Whew, stressful, huh?! Now type:
dir


Verify again that you have both files, user32.dll and user32.old, in the c:\windows\system32 directory. If you see them, take out your system disc and reboot your box.

It should come up as normal. Now run your virus scanner; it will find 2, I think: the user32.old and one in your System Restore, if I am not mistaken.

If you have all the remnants off of your machine, you should be cured.
Good luck. I spent a lot of time on this, so I wanted to help anyone that may find my post.

Edited by comngroundsaudio, 19 June 2010 - 02:47 AM.
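As an added example, not part of the original post or the poster's own steps: a cmd.exe batch script that covers the pre-reboot half of the procedure above (expanding the clean user32.dll from the install CD) and adds two things the post does not have. It gives expand an explicit destination instead of relying on the default output name, and it compares the CD copy against the installed file with fc /b, so you see whether the installed user32.dll actually differs before touching anything. It then writes the Recovery Console steps (cd, rename, copy, dir) to a text file, which the console can run in one go with its batch command. Assumptions, labelled in the code and not from the post: the CD is drive D:, Windows lives in C:\WINDOWS, and the CD's service-pack level matches the installed system. Caveat a practitioner would want: if a service pack was installed after the CD was pressed, the CD's user32.dl_ is an older build than the one the system should have; on such systems the service-pack copy is normally kept uncompressed under C:\WINDOWS\ServicePackFiles\i386, and that is the file to stage at C:\ instead.

```batch
@echo off
rem Added example (not the original poster's script).
rem Stage a clean user32.dll from the XP install CD, check it against the
rem installed copy, and prepare a Recovery Console command file.
rem
rem ASSUMPTIONS (change to match your machine):
rem   CDDRIVE  - drive letter of the Windows install CD
rem   TARGET   - the installed user32.dll under the Windows directory
setlocal
set CDDRIVE=D:
set STAGE=C:\user32.dll
set TARGET=C:\WINDOWS\system32\user32.dll
set CMDFILE=C:\fixuser32.txt

if not exist "%CDDRIVE%\i386\user32.dl_" (
    echo user32.dl_ not found in %CDDRIVE%\i386 - check the CD drive letter.
    exit /b 1
)
if not exist "%TARGET%" (
    echo %TARGET% not found - check the Windows directory.
    exit /b 1
)

rem expand SOURCE DESTINATION: decompress the cabinet-packed file straight
rem to the root of C:, where the Recovery Console can read it.
expand "%CDDRIVE%\i386\user32.dl_" "%STAGE%"
if errorlevel 1 (
    echo expand failed.
    exit /b 1
)

rem fc /b does a byte-for-byte comparison:
rem   errorlevel 0 = identical, 1 = different, 2 = could not open a file.
fc /b "%STAGE%" "%TARGET%" >nul
if errorlevel 2 (
    echo Could not compare the two files.
    exit /b 1
)
if errorlevel 1 (
    echo Installed user32.dll differs from the CD copy. Continue with the Recovery Console.
) else (
    echo Installed user32.dll is byte-identical to the CD copy. Look elsewhere for the infection.
    exit /b 0
)

rem Write the Recovery Console steps. After booting the CD, pressing R,
rem picking the installation and entering the Administrator password, run:
rem     batch C:\fixuser32.txt
rem The console executes each line of the file in order.
(
    echo cd C:\WINDOWS\system32
    echo rename user32.dll user32.old
    echo copy C:\user32.dll
    echo dir user32.*
) > "%CMDFILE%"

echo Wrote %CMDFILE%.
echo Reboot from the CD, press R, then run:  batch %CMDFILE%
endlocal
```

The fc /b check is the useful part: it is a cheap way to confirm the file on disk is not the file that shipped with the CD (or service pack) before you rename it, and running it again after the reboot against C:\user32.dll gives a quick "the replacement really landed" check that dir alone cannot give. The leftover user32.old in system32 is the infected copy; it stays there until the scanner removes it, as the post notes.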


#3 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:12:54 AM

Posted 23 June 2010 - 11:23 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#4 comngroundsaudio

comngroundsaudio
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:06:54 PM

Posted 23 June 2010 - 11:54 PM

I am assuming from your post that it was a computer-generated one; if not, then simply my posts were not read.
I have solved the problem.
Thank you for allowing me to post my problem and my solution on this board to possibly help others.

Thank you again.
michael

#5 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:12:54 AM

Posted 25 June 2010 - 12:45 PM

Thanks for letting me know.

Since this issue appears to be resolved ... this Topic has been closed.

If you're the topic starter and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware