
Svchost Virus & Trojan:Win64/Alureon.D


26 replies to this topic

#1 gsable

gsable

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:09:59 PM

Posted 26 May 2013 - 08:58 PM

Windows 7,  64 bit.........I have big problems.  My son was watching things on YouTube when we started having problems. 

It acts like multiple viruses that have damaged things. 

We hear multiple audio feeds, first one, then multiple ones.  This happens each time we reboot. 

 

In Windows Task Manager, Processes, SVCHOST has multiple entries, most with 00 CPU.  But if I stop the one SVCHOST entry with CPU time, the audio feeds disappear. 

 

Microsoft Security Essentials found and deleted: Trojan:Win64/Alureon.D

 

Microsoft Security Essentials Recovery will not run. 

 

My Nero12 Recovery will not run. 

 

Malware Bytes will not run.  I get some error that says some service will not start.  I will post the exact message on my next post as soon as I can. 

 

RKill will not work, but I did manage to get it to run and it found nothing. 

 

Internet Explorer will run, I am using it now for this forum. 

 

But things seem to be getting worse. 

I am posting this fast now because things run slowly or just stop working.  Omigosh, I am hurtin' for certain!  

Help Help Help! 

 




 


#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,738 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:07:59 PM

Posted 26 May 2013 - 09:00 PM

Welcome aboard

 

This type of infection requires elevated help.

 

Please follow the instructions in THIS GUIDE starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it HERE. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.


My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#3 gsable


Posted 26 May 2013 - 09:03 PM

Microsoft Security Essentials, Recovery said it could not start.  I got a more detailed error about an hour ago. 

 

This is what Rkill said:

Rkill 2.4.8 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 05/26/2013 07:23:18 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * Explorer Policy Removed:  NoActiveDesktopChanges [HKLM]

Backup Registry file created at:
 C:\Users\Stephen\Desktop\rkill\rkill-05-26-2013-07-23-21.reg

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * Security Center (wscsvc) is not Running.
   Startup Type set to: Automatic (Delayed Start)

 * Windows Update (wuauserv) is not Running.
   Startup Type set to: Automatic (Delayed Start)

 * FontCache => %SystemRoot%\system32\svchost.exe -k LocalService [Incorrect ImagePath]

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 05/26/2013 07:23:35 PM
Execution time: 0 hours(s), 0 minute(s), and 17 seconds(s)



#4 gsable


Posted 26 May 2013 - 09:04 PM

Thanks BC Advisor. I have to go be with my wife now. I will work on this tomorrow. Thanks.

#5 Broni


Posted 26 May 2013 - 09:51 PM

Make sure you follow my previous reply.

Do NOT post any logs here.



 


#6 gsable


Posted 27 May 2013 - 07:42 AM

Thanks Broni,
Good Morning from Kansas,
I started at step 6 and downloaded dds. I tried to run dds but received this error:

The Service cannot accept control messages at this time.

So, I tried to run it from DOS and received this error: "the dependency Service or group failed to start"
And - DOS said: "Access is denied"

I tried to turn off Microsoft Security Essentials and received this error: "The dependency service or group failed to start"

When I try to run Microsoft Security Essentials Recovery, I receive this error: "The dependency service or group failed to start"
When I try to run Malwarebytes I receive this error: "The dependency service or group failed to start"

#7 Broni


Posted 27 May 2013 - 11:05 AM

Instead of DDS try this...

 

Download OTL to your Desktop.
Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Scan All Users checkbox.
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them in your new topic.

 



 


#8 gsable


Posted 27 May 2013 - 02:51 PM

Broni, Thanks,

I downloaded OTL.  It would not run either. 

In the meantime, the computer is running and getting worse. I am trying to run these programs to make a log for you to see... and Windows Explorer is very slow and requires reboots....

 

...And now I get a notification that System Protector wants to install on my computer. 

 

Now.... I get the idea that things are getting worse.  How about you?  See, the System Protector by Systweak Inc   is a rogue, according to your site. 

 

And Microsoft Security Essentials intercepted another Trojan:Win64/Alureon.DG  -exactly 24 hours after the first attack. 

 

I think we need to be able to get around this error:  "The dependency service or group failed to start"  -because that's what we get when we try to run these things that would produce logs.

Either that error appears or nothing happens.

 

Many times, Windows Explorer just stops working and I have to reboot. 



#9 Broni


Posted 27 May 2013 - 02:54 PM

I'll report this topic to appropriate helpers.

Hold on there....



 


#10 gsable


Posted 27 May 2013 - 05:27 PM

This error also comes up when trying to run OTL and DDS.   "The Service cannot accept Control Messages at this time."



#11 Broni


Posted 27 May 2013 - 05:45 PM

 

I'll report this topic to appropriate helpers.

Hold on there....

 



 


#12 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,764 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:10:59 PM

Posted 27 May 2013 - 08:10 PM

Hi and welcome.

Please download Farbar Recovery Scan Tool and save it to a flash drive.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Plug the flash drive into the infected PC.

  • If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
  • Note: In case you can not enter System Recovery Options by using F8 method, you can use Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
    To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html



    To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
  • On the System Recovery Options menu you will get the following options:
      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt
  • Select Command Prompt

    Once in the Command Prompt:
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

 

 

 


No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#13 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,492 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:59 PM

Posted 27 May 2013 - 08:56 PM

Hello, just letting you know I moved this topic to here in the Virus, Trojan, Spyware, and Malware Removal Logs forum where it will stay.

Edited by boopme, 30 June 2014 - 07:36 PM.


#14 gsable


Posted 28 May 2013 - 07:04 AM

Thanks JSntgRvr,  I will try it this evening, I am at work now in Kansas.   I have hope now. 



#15 JSntgRvr


Posted 28 May 2013 - 10:58 AM

:thumbup2:






