Cannot completely remove Alureon.A / malware


  • This topic is locked
28 replies to this topic

#1 jetta1208

jetta1208

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:42 AM

Posted 26 January 2013 - 08:26 PM

Hello - I have been attempting to remove a virus from an HP laptop using Windows 7. The major problem was that it was super slow starting up, slow on processes and any antivirus that I tried was not able to update. AVG was not able to connect to server. Norton Antivirus could not update. Windows Security Essentials says that it could not completely remove and suggests using Windows Defender Offline. I tried Defender and had no success - when done it starts up and Security Essentials says there is still a risk and goes through and in the end does the same - cannot completely remove, use Windows Defender.... I tried Kaspersky TDSSKiller for Trojan:DOS/Alureon.A that Security Essentials said it found. Kaspersky found it as well but gets stuck on the cure (hours with nothing on progress bar). Last run on Kaspersky came with Rootkit.Boot.Pihar.c Malware Object, high risk. Did not attempt to cure. Attached are the log files after running the initial scan. Thank you



#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:11:42 AM

Posted 26 January 2013 - 09:08 PM

Please do the following:

Download the appropriate version for your system of the Farbar Recovery Scan Tool and save it to a flash drive.


Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there
  • Press Scan button.
  • Type exit and reboot the computer normally
  • FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 jetta1208


Posted 26 January 2013 - 10:14 PM

Thank You CatByte for your reply.

I tried to enter into the system recovery but got the blue screen of death......

'A problem has been detected and windows has been shut down to prevent damage to your computer.

BAD_SYSTEM_CONFIG_INFO

.......

Technical Information

*** STOP: 0x00000074 (0x0000000000000002, 0xFFFFF88003983B20, 0x0000000000000002, 0xFFFFFFFFC0000022)'

I tried this twice. It seems as if it is configuring then a flash as if Windows is starting up, then the blue screen.
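
The STOP line quoted in the post above can be broken down mechanically. The following is an added example, not part of the original thread: it parses the line and splits the fourth parameter into NTSTATUS fields, assuming (as is usual for this bug check) that the fourth parameter carries an NT status code. The function names and the two small name tables are illustrative.

```python
import re

# The STOP line as quoted in the post above (used here as sample input).
STOP_LINE = ("*** STOP: 0x00000074 (0x0000000000000002, 0xFFFFF88003983B20, "
             "0x0000000000000002, 0xFFFFFFFFC0000022)")

# Illustrative name tables covering only the values seen in this thread.
BUGCHECK_NAMES = {0x74: "BAD_SYSTEM_CONFIG_INFO"}
NTSTATUS_NAMES = {0xC0000022: "STATUS_ACCESS_DENIED"}
SEVERITY = ("SUCCESS", "INFORMATIONAL", "WARNING", "ERROR")

STOP_RE = re.compile(r"STOP:\s*(0x[0-9A-Fa-f]+)\s*\(([^)]*)\)")


def parse_stop_line(line):
    """Return (bugcheck_code, [p1, p2, p3, p4]) from a blue-screen STOP line."""
    m = STOP_RE.search(line)
    if m is None:
        raise ValueError("no STOP code found")
    params = [int(p, 16) for p in m.group(2).split(",")]
    if len(params) != 4:
        raise ValueError("a STOP line carries exactly four parameters")
    return int(m.group(1), 16), params


def decode_ntstatus(param):
    """Split a (possibly sign-extended) 64-bit parameter into NTSTATUS fields."""
    status = param & 0xFFFFFFFF                      # keep the low 32 bits
    return {
        "status": status,
        "sign_extended": param >> 32 == 0xFFFFFFFF,
        "severity": SEVERITY[status >> 30],          # bits 31-30
        "customer": bool(status & 0x20000000),       # bit 29
        "facility": (status >> 16) & 0x0FFF,         # bits 27-16
        "code": status & 0xFFFF,                     # bits 15-0
        "name": NTSTATUS_NAMES.get(status, "unknown"),
    }


def summarize(line):
    """One-line triage summary; assumes parameter 4 is an NT status code."""
    code, params = parse_stop_line(line)
    st = decode_ntstatus(params[3])
    return "{} (0x{:02X}): param 4 = 0x{:08X} {} [severity {}, facility {}]".format(
        BUGCHECK_NAMES.get(code, "unknown"), code, st["status"], st["name"],
        st["severity"], st["facility"])


if __name__ == "__main__":
    print(summarize(STOP_LINE))
```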

#4 CatByte


Posted 26 January 2013 - 10:28 PM

you may not have the recovery environment pre-installed on your machine.

Do you have an installation disk?

If not, you can make a recovery disk and use that to access the Recovery environment


Create a Windows 7 System Repair Disc

Note: the below can only be done if your machine has a type of CD/R or DVD/R optical drive installed. Also depending on the exact type of OEM your machine has you may be unable to actually create a SRD.

  • Click on Start(Windows 7 Orb) >> Run...(or the Windows key and R together) to bring up the Run box, then copy/paste the following command into the box and click on OK:

    recdisc.exe

  • Allow the UAC(User Account Control) prompt via selecting Yes.
  • You should now see a menu like the below:-
Posted Image

  • Put a blank rewritable CD/DVD in your optical(CD/DVD) drive and then click on Create disc.
  • Note: If an AutoPlay window pops up, just close it.
  • When the SRD has been created you will see the below:-
Posted Image

  • Now click on Close >> OK. Leave the disc in the drive as we will be using it shortly.
  • You now have a Windows 7 System Repair Disc.

Use this CD to boot the ailing computer instead of tapping on F8, and proceed with the instructions above in the command prompt.



#5 jetta1208


Posted 26 January 2013 - 11:14 PM

Here is the file from FRST

Attached Files

  • Attached File  FRST.txt   38.16KB   7 downloads


#6 CatByte


Posted 27 January 2013 - 09:24 AM

Please make sure you do all the steps in the order they are written.

  • For 64bit systems, download Listparts64 and save it to your flashdrive
  • Download
    Save it to your flash drive.
  • Please download
    Save it to your flash drive.
  • Boot to System Recovery Options and select "Command Prompt".

    Run FRST64 and press the fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt) please post it later on to your reply. You may close the tool.
  • While still in the recovery environment run ListParts by typing h:\listparts64 in the command prompt and pressing Enter
    Click Fix. Close the pop up after the fix is done.
  • Please restart, let it boot normally and then post the FixLog.txt



#7 jetta1208


Posted 27 January 2013 - 09:45 AM

Here is the log.


#8 CatByte


Posted 27 January 2013 - 09:59 AM

Please run the following

Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.



#9 jetta1208


Posted 27 January 2013 - 10:51 AM

I am unable to disable Microsoft Security Essentials. I went to the Security Center and it is listed as an antivirus but doesn't have an option to turn off. It is also listed in the spyware section along with Windows Defender. Defender is Off and has an option to turn on. Security Essentials is On but the option to turn off is Greyed out - unable to click it. Right click on the system tray only option was to open. Nothing on the interface to disable. Went to system configuration and unchecked Windows Security from startup - didn't show up on system tray so I thought it was off. Ran combofix and got a message saying


Combofix has detected the following real time scanner(s) to be active:

antivirus: Microsoft Security Essentials
antispyware: Microsoft Security Essentials

Antivirus and intrusion prevention programs are know to interfere.....................

Please disable these scanners before clicking 'OK'.


I cannot turn off Windows Security Essentials ..... any ideas? Thank You

#10 CatByte


Posted 27 January 2013 - 11:04 AM

open the MSE interface

click on "Settings"

in the left pane > select "Real Time Protection"

Uncheck the box beside "Turn on real time protection"

OK the warning

Edited by CatByte, 27 January 2013 - 11:04 AM.



#11 jetta1208


Posted 27 January 2013 - 11:23 AM

CatByte - The interface said Off but in the security section in Control Panel MSE is listed as antivirus and spyware with no option to turn off.
If I knew the process name, maybe a disable would work????

#12 CatByte


Posted 27 January 2013 - 01:37 PM

as long as the real time protection is unchecked, then just OK through



#13 jetta1208


Posted 27 January 2013 - 01:52 PM

Here is the log after running ComboFix

Attached Files

  • Attached File  log.txt   21.92KB   3 downloads


#14 CatByte


Posted 27 January 2013 - 02:15 PM

Please run the following:

Please download Junkware Removal Tool to your desktop.
  • Shutdown your antivirus to avoid any conflicts.
  • Right-mouse click JRT.exe and select Run as administrator
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message


NEXT


Download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply


NEXT

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish



#15 jetta1208


Posted 27 January 2013 - 07:24 PM

Here are the *.txt files for all four runs.
