Infected: Trojan: Win32/Alureon.FO


27 replies to this topic

#1 willaver

  • Members
  • 18 posts

Posted 30 July 2012 - 12:15 PM

Hi Bleeping Community,

I humbly come to you for help with my problem.

I got a virus or trojan or something last week and can't seem to get rid of it. Microsoft Security Essentials tells me that it is called Trojan: Win32/Alureon.FO
Periodically, once a day, maybe more sometimes, I get a pop-up from Microsoft Security Essentials telling me there is an infection and it's being cleaned. I then run a quick scan with Malwarebytes which sometimes finds 1-3 items (usually .tmp files) and then have both programs clean the computer and restart. Repeated scans show no more infections, until later when it pops up again, usually when using an internet browser.

I'm running Windows 7 Professional 64-bit.

I downloaded the DDS program and the GMER program.

When I double-click the DDS program it opens in Notepad and nothing happens. I don't know how to correct this.

When I run the GMER program I don't have the same default options that the Prep Guide suggested. So, I clicked on 'Scan' with the default options and it scanned everything and at the end it said that it detected no modifications.

Also, I see a file taskhost.exe running in Task Manager which looks suspicious to me; its location is C:/Windows/System32/taskhost.exe

Earlier there was a dllhost.exe file running also but I don't see it now.

I apologize for my ignorance on the subject beforehand and also thank you for any help you can offer.

How should I proceed?



Sincerely,

Willaver


#2 willaver


Posted 31 July 2012 - 02:13 PM

Okay, I got the DDS.scr working thanks to some help on the Windows 7 forums here.

Here are my log files from the dds.scr

As I said, GMER didn't create any logs.

Attached Files



#3 D-FRED-BROWN

    Resident Bracketologist

  • Malware Response Team
  • 834 posts
  • Gender:Male
  • Location:Kansas, USA

Posted 01 August 2012 - 02:23 PM

Hello and welcome to Bleeping Computer!

I am D-FRED-BROWN and I will be helping you. :)


Please print or save this topic. It will make it easier for you to follow the instructions and complete all of the necessary steps.


----------Step 1----------------
I know you've already run TDSSKiller before, but please run it one more time so we have an up-to-date idea of what may be remaining on the computer.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Skip is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: Do not choose Cure or Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

----------Step 2----------------
Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

***IMPORTANT: save ComboFix to your Desktop***

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please go here to see a list of programs that should be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall**

Please include the C:\ComboFix.txt in your next reply for further review.


----------Step 3----------------
Please download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

----------Step 4----------------
In your next reply, please include the following:
  • TDSSKiller's logfile
  • ComboFix's report (C:\ComboFix.txt)
  • Security Check checkup.txt
After that, please let me know: How is your computer running now? Do you have any questions or concerns you'd like me to address? Don't hesitate to ask. :)
Proud graduate of SpywareInfo Bootcamp
Follow me on Twitter! @dfredbrown
Unified Network of Instructors and Trained Eliminators

I volunteer my free time to help you. Please consider making a donation so I can continue helping people like you.
Thank you!

#4 willaver


Posted 01 August 2012 - 03:07 PM

Hi D-FRED-BROWN,

I got your response. Thank you.

So far I've downloaded TDSSkiller and Combofix.

I ran TDSSkiller and it found 1 malicious object. I left the options to 'skip' and clicked on continue. However it did not prompt me to reboot my computer. I'm going to reboot it and then I guess come back and do the combofix part.

Here's the log created from TDSSkiller attached.

Attached Files



#5 D-FRED-BROWN


Posted 01 August 2012 - 03:14 PM

I'm going to reboot it and then I guess come back and do the combofix part.

Sounds good. Keep me posted.

#6 willaver


Posted 01 August 2012 - 03:34 PM

Okay,

I'm a little panicky now.

I did Combofix.

I turned off Microsoft Security Essentials realtime protection and ran Combofix. It rebooted after the 50 steps. But when I got back to my desktop and got the log file, immediately afterward none of my icons will work. Everything I click on says registry key is marked for deletion and nothing works. I had to go into windows explorer via the shortcut 'Windows + E' and browse to IE and it luckily opened that way.

Anyway, here's my Combofix log.

I'm not sure if I'll be able to run the security check app or not.

I'll be back ASAP with that log if it works.

Thanks

Attached Files



#7 willaver


Posted 01 August 2012 - 03:41 PM

Okay, here is the security check log. I may have messed up and not turned off the windows firewall before I ran combofix after looking at this log, but I guess I didn't realize it was even on.

Attached Files



#8 willaver


Posted 01 August 2012 - 03:43 PM

Should I turn off windows firewall and re-run combofix?

#9 willaver


Posted 01 August 2012 - 03:54 PM

I turned off windows firewall public and private networks. And re-ran combofix.

All of my icons and programs still say cannot run as registry keys are marked for deletion. However, if I right click on them and run as administrator they seem to operate.

Here's the second combo-fix log.

Thank you for helping me, I hope you can fix this.

Attached Files



#10 D-FRED-BROWN


Posted 01 August 2012 - 08:14 PM

Give it a reboot. That should fix the registry messages. :thumbup2:

Next,
  • Download ListParts64 to a USB flash drive.
  • Plug the USB drive into the infected machine.

Boot your computer into Recovery Environment

  • Restart the computer and press F8 repeatedly until the Advanced Options Menu appears.
  • Select Repair your computer.
  • Select Language and click Next
  • Enter password (if necessary) and click OK; the System Recovery Options screen should appear (screenshot not reproduced here).

  • Select the Command Prompt option.
  • A command window will open.
  • Type notepad then hit Enter.
  • Notepad will open.
  • Click File > Open then select Computer.
  • Note down the drive letter for your USB Drive.
  • Close Notepad.
  • Back in the command window:
    • Type e:/listparts64.exe and hit Enter (where e: is replaced by the drive letter for your USB drive)
    • ListParts will start to run.
    • Press the Scan button.
    • When finished scanning it will make a log Result.txt on the flash drive.
  • Close the command window.
  • Boot back into normal mode and post me the Result.txt log please.

#11 willaver


Posted 01 August 2012 - 08:57 PM

Here's the result.txt file.

I have to admit that I'm seriously impressed. You guys are amazing and this is an incredible resource.

I don't know where to even begin to thank you.

Assuming we are getting near the end of fixing this problem....you'll remind me when I should turn my firewall back on and Microsoft Security Essentials, correct?

Attached Files



#12 D-FRED-BROWN


Posted 01 August 2012 - 09:08 PM

Forgot to mention, taskhost and dllhost are both legitimate applications. Don't worry about them.

Also, the object that TDSSKiller picked up shouldn't be removed; it's also legitimate.


I have to admit that I'm seriously impressed. You guys are amazing and this is an incredible resource.

I don't know where to even begin to thank you.

Cheers! And no problem. :)

Assuming we are getting near the end of fixing this problem....you'll remind me when I should turn my firewall back on and Microsoft Security Essentials, correct?

Yep, for sure. :thumbup2:


----------Step 1----------------
Please do the following:
  • Please download aswMBR.exe from here and save it to your Desktop.
  • Double click aswMBR.exe to start the tool. (Vista - Win 7 Rt click to run as Administrator)
  • Click Scan
  • Upon completion of the scan, click Save log and save it to your Desktop, and post that log in your next reply. Do NOT attempt any Fix at this time!
  • This will also create a file on your Desktop named MBR.dat. Right click that file and select Send To->Compressed (zipped) folder. Attach that zipped folder in your next reply as well.

NOTE: the Avast free scan is selected by default. You can opt-out of this since I don't need you to run it.


----------Step 2----------------
We need to create a New FULL OTL Report
  • Please download OTL from here if you have not done so already:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "SafeList"
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


----------Step 3----------------
Please include both the aswMBR report (and the MBR.dat zip file) as well as the OTL report.

Are things running good? Are any of your browsers getting redirected? Please let me know. :)

Edited by D-FRED-BROWN, 01 August 2012 - 09:09 PM.

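As an added illustration of the point made in the post above (taskhost and dllhost are legitimate Windows components), here is a PowerShell check that confirms the running instances are the genuine binaries: each must load from System32 and carry a valid Microsoft Authenticode signature. This is not code from the thread or from any tool named in it. It assumes Windows 7 or later and an elevated prompt; note that PowerShell versions before 5.1 do not consult catalog signatures, so a genuine catalog-signed system file can report NotSigned there, in which case the path check is the signal to rely on and a tool that checks catalogs should confirm the signature.

```powershell
# Added example (not from the thread): verify that running taskhost.exe / dllhost.exe
# are the Windows binaries. Assumes Windows 7+ and an elevated PowerShell prompt.
$expectedDir = Join-Path $env:SystemRoot 'System32'

foreach ($name in 'taskhost', 'dllhost') {
    $procs = Get-Process -Name $name -ErrorAction SilentlyContinue
    if (-not $procs) {
        Write-Output "$name.exe: not running right now"
        continue
    }
    foreach ($p in $procs) {
        # Path is null for processes in other sessions when not elevated
        $path = $p.Path
        if (-not $path) {
            Write-Output "$name.exe (PID $($p.Id)): path not readable, re-run elevated"
            continue
        }
        # The Company field from version info is trivially forged by malware; the
        # Authenticode signature and the on-disk location are the meaningful checks.
        $sig        = Get-AuthenticodeSignature -FilePath $path
        $inSystem32 = (Split-Path $path -Parent).TrimEnd('\') -ieq $expectedDir
        $msSigned   = ($sig.Status -eq 'Valid') -and
                      ($sig.SignerCertificate.Subject -like '*Microsoft*')
        $verdict = if ($inSystem32 -and $msSigned) {
            'expected Windows binary'
        } else {
            'REVIEW: unexpected path or signature (see caveat on catalog signing)'
        }
        Write-Output ("{0} (PID {1}): {2}`n   path: {3}`n   signature: {4} / {5}" -f `
            $name, $p.Id, $verdict, $path, $sig.Status, $sig.SignerCertificate.Subject)
    }
}
```

Run it as-is; it only reads process and file information and changes nothing. A result of "expected Windows binary" for every instance matches what the helper states in this thread, while an instance loading from a user profile or temp directory is the kind of thing worth pasting into a reply for the helper to look at.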

#13 willaver


Posted 01 August 2012 - 09:50 PM

Here are the reports from the past two steps.

Attached Files



#14 willaver


Posted 01 August 2012 - 09:52 PM

For some reason I had to zip these two text files from the OTL program to get them to upload.

Here they are.

It's getting late here and I'm going to have to crash for the night. Thank you for your time and help, I'll get back to finishing whatever else we need to tomorrow.

Attached Files



#15 D-FRED-BROWN


Posted 01 August 2012 - 11:22 PM

Have a good night. :)

We need to run an OTL Fix. This, besides taking care of some remnants of the infection, will also clean up some unnecessary junk left over by unused programs.

  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    :Files
    C:\Users\Bryan\AppData\Local\{6df6a74d-d3e1-b293-ef70-c12b185fb4b5}
    C:\Windows\Installer\{6df6a74d-d3e1-b293-ef70-c12b185fb4b5}
    
    :OTL
    [2012/01/11 01:13:18 | 000,002,048 | -HS- | C] () -- C:\Users\Bryan\AppData\Local\{6df6a74d-d3e1-b293-ef70-c12b185fb4b5}\@
    
    :Commands
    [purity]
    [emptytemp]
    [emptyjava]
    [emptyflash]
    [Reboot]
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.

Edited by D-FRED-BROWN, 01 August 2012 - 11:24 PM.

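The OTL fix above removes a specific pattern: a hidden, system-attributed directory named with a GUID under the user's AppData\Local (OTL logged it with the -HS- flags and a file literally named "@" inside) plus a same-named directory under C:\Windows\Installer. As an added example, not part of the thread and not OTL's own code, here is a PowerShell audit that looks for that pattern across every user profile and reports what it finds without deleting anything; removal stays with the helper's instructions. It assumes Windows 7 or later and an elevated prompt so all profiles are readable. The GUID from the thread is referenced only in a comment as the sample that motivated the check; the script matches any GUID-shaped name and treats a GUID folder on its own as nothing more than a lead.

```powershell
# Added example (not from the thread or OTL): report directories matching the pattern
# the OTL fix removes, e.g. C:\Users\<user>\AppData\Local\{6df6a74d-d3e1-b293-ef70-c12b185fb4b5}
# (hidden+system, containing a file named "@") with a twin under C:\Windows\Installer.
# Assumes Windows 7+ and an elevated PowerShell prompt. Read-only: it deletes nothing.
$guidPattern  = '^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$'
$profilesRoot = Split-Path $env:USERPROFILE -Parent      # usually C:\Users
$installerDir = Join-Path $env:SystemRoot 'Installer'

function Test-HiddenSystem($item) {
    # Both the Hidden and System attribute bits set, which OTL logs as "-HS-"
    $attrs = $item.Attributes.ToString()
    ($attrs -match 'Hidden') -and ($attrs -match 'System')
}

# Every profile's AppData\Local that exists on this machine
$localDirs = Get-ChildItem -Path $profilesRoot -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object { Join-Path $_.FullName 'AppData\Local' } |
    Where-Object { Test-Path -LiteralPath $_ }

$findings = @()
foreach ($local in $localDirs) {
    Get-ChildItem -Path $local -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and ($_.Name -imatch $guidPattern) } |
        ForEach-Object {
            $atFile = Join-Path $_.FullName '@'
            $twin   = Join-Path $installerDir $_.Name
            $findings += New-Object PSObject -Property @{
                Path          = $_.FullName
                HiddenSystem  = [bool](Test-HiddenSystem $_)
                HasAtFile     = Test-Path -LiteralPath $atFile
                InstallerTwin = Test-Path -LiteralPath $twin
                Created       = $_.CreationTime
            }
        }
}

if ($findings.Count -eq 0) {
    Write-Output "No GUID-named directories found under any profile's AppData\Local."
} else {
    # Entries with all three flags set match the pattern in the OTL fix and deserve a look;
    # a GUID-named folder by itself proves nothing, since installers create those too.
    $findings | Sort-Object HiddenSystem, HasAtFile, InstallerTwin -Descending |
        Format-Table Path, HiddenSystem, HasAtFile, InstallerTwin, Created -AutoSize
}
```

The three boolean columns are deliberately separate: a folder that is hidden+system, holds an "@" file and has an Installer twin reproduces exactly what the helper's fix targeted, whereas any one of those on its own is common on a clean machine. The Created column corresponds to the timestamp OTL prints at the start of each log line and helps line a finding up with when the symptoms began.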



