Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

alureon.fl (tdss family) backdoor trojan rootkit -- worst trojan EVER!!!


  • Please log in to reply
6 replies to this topic

#1 f0xh0und

f0xh0und

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:23 AM

Posted 11 December 2011 - 11:21 PM

k... i'll keep this short n sweet. i was browsing the web with a FULLY updated ie (first mistake), windows 7 (second mistake) and java (HAHA... ugh), and i was on rlslog (evil, EVIL website) and msse (FOURTH mistake) "intercepted" 'alureon.fl' (of course, AFTER it had 'installed' itself on my system... wut a useless pile of @#$%). i knew this trojan just HAD to be similar to 'smitfraud' (which i KNEW was bad, because ive removed it from several systems in the past). anywho, i IMMEDIATELY shut down my pc and proceeded to look up removal instructions online (using my jacked up vzw droid incredible with its half baked gingerbread (2.3) FORCED update (ugh), and the best i could come up with on how to remove the tdss 'strain' was:

1) tdsskiller (which didn't seem to FULLY work because...
2) anti virus scan (msse had me use msse 'offline' mode which found quite a few 'alureon' entries)
3) mbam (which found a couple of pum. (sp?) '.startmenu.' entries
4) combofix (which I GUESS (and please, PLEASE help me out on this one) took care of the rest of the 'aftermath' (missing start menu shortcuts, etc (i don't believe the trojan actually ever 'hid' any of my files (i've heard some strains do that, but i seem to see everything on my desktop and in my downloads folder and documents folder (etc) i'm not missing anything... am i?

AAAND...

5) otl (which i can't seem to 'login' to the analyzer... i guess that's normal?

i can post my otl log if needed (sticky/warning didn't say anything about not posting *otl* logs... but just to be safe...

edit: 6) (or 4a) *running unhide.exe just as a precaution*

edit #2: thought i'd mention, system restore couldn't successfully complete (AFTER running tdsskiller (but not BEFORE running msse 'offline' from the disc i burned (which, like i said, seemed to take care of the root problem (main trojan removal process)... IF i ever get my system back to normal... should i just go ahead and run system restore to ONE day before i got the trojan (luckily i had installed some software before i got the trojan)... would that get EVERYTHING back to normal (AND remove all the bad registry entries??? :\

edit #3: i DO plan on running ccleaner and disk cleanup (as well as defrag (after scandisk/chkdsk, of course), but ABSOLUTELY not until i know everything on my system is back to normal!!

edit #4: haven't had a reply yet... but... i'm just wondering... is my system FUBAR... will it ever be the same (look the same, act the same, run the same ('speed'-wise)... java updated and i got an error (could be coincidence (just a bad install (download/file/installer), could not... right?)? :( :'(

ugh... sry for all the edits guys... just worried about my rig :P

ran hijackthis (v2.0.4 (final/stable) and got THIS: error message:

Posted Image

Edited by f0xh0und, 11 December 2011 - 11:53 PM.


BC AdBot (Login to Remove)

 


#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,698 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:03:23 AM

Posted 11 December 2011 - 11:48 PM

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#3 f0xh0und

f0xh0und
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:23 AM

Posted 12 December 2011 - 12:11 AM

...

uh... dds won't download (broken link/icon)

(and i can't run gmer, because i'm running 64-bit windows 7)

:(

edit: like i said, i DO have an otl (AND (now) hijackthis log (which, i used the hijackthis.de log analyzer, and everything looked clean (like i said, i've successfully removed smitfraud in the past (AND tdss (not sure if it was alureon or not (almost :P came back :S ) on other (people's) pcs... so i know how to read a hijackthis log (or at least analyze it (online :P )

Edited by f0xh0und, 12 December 2011 - 12:14 AM.


#4 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,698 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:03:23 AM

Posted 12 December 2011 - 12:16 AM

You have to create new topic in malware removal forum and state your problems there.
GMER will run on 64-bit.
You can post OTL log instead of DDS.

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#5 f0xh0und

f0xh0und
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:23 AM

Posted 12 December 2011 - 12:04 PM

well, i ran hijackthis, and, like i said, checked it on hijackthis.de, and everything looks okay... so, i think i'm clean, but i'm just wondering how "scarred" windows is now (e.g., when i went to 'reset' my notification area (system/status icons), i noticed that wmc (media center) had the sysinternals desktops (virtual desktop manager) icon instead of the wmc icon :\ ). i'm just wondering how much of this weird stuff is going on that i'm not seeing (like my sidebar gadgets not functioning (news/rss feeds) -- at least until i rebooted (before i rebooted i couldn't even get into my gadgets via the control panel).

should i try and restore windows to the day before the virus (when i installed some software), or will that not make any difference, and i should just "repair" windows, itself, or will that just make things (my programs) worse (is the registry "scarred for life" now)? :(

edit: i still haven't run a chkdsk (not like that makes any real difference to windows... right?) nor ccleaner (temp OR registry), as i'm afraid i'll delete some temp file that may have some settings stored that the trojan changed (but, like i said, i ran combofix and got all my start menu shortcuts back and ran unhide.exe (just as a precaution).

Edited by f0xh0und, 12 December 2011 - 12:07 PM.


#6 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,698 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:03:23 AM

Posted 12 December 2011 - 12:07 PM

You should follow my reply #2.

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#7 f0xh0und

f0xh0und
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:23 AM

Posted 12 December 2011 - 05:21 PM

i will, but in the meantime, i'm pretty sure my pc is cured, however, i think unhide.exe UNHID normally (not only hidden) windows SYSTEM folders (such as config.msi, boot, recovery, programdata, $recycle.bin, etc. -- and that's just on the root of my c: drive) :'( what can i do!? is there, like, an UNunhide.exe (for important windows system folders that should not only be hidden, but inaccessable by me (the (non-administrator) user)?? :(

Edited by f0xh0und, 12 December 2011 - 05:23 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users