
Can Not Remove Trojan:DOS/Alureon.J On Windows 7 Laptop


  • This topic is locked
4 replies to this topic

#1 jackhammer

jackhammer

  • Members
  • 11 posts
  • OFFLINE
  • Local time:10:47 AM

Posted 05 December 2013 - 11:26 PM

Recently my Norton Anti-Virus was near expiration on both of my Dell computers. I found Comcast offered a free copy of Norton Security Suite, so I followed the instructions to download and install. The install worked perfectly on my Dell desktop, which is Windows Vista. However, I was not so lucky on my Dell Inspiron laptop, which is Windows 7 64-bit.

 

The first step of the install was to remove the existing Norton software. When I attempted to remove through the Control Panel > Programs > Uninstall I got an Access Denied alert so I attempted a reboot of the computer. After the system restart completed a window appeared which stated the server was busy. When I clicked the [Retry] button on that window the blue screen appeared. At this point I searched for issues with Norton removal which led me to run MSE.

 

Trying to Clean PC was unsuccessful with MSE. The prompt recommended creating a Windows Defender Offline CD, which I did. I made a change in the BIOS so the computer would boot first from the CD. I then ran a full scan and selected Clean PC.

 

The history tab shows:

Detected item: Trojan:DOS/Alureon.J
Alert level: Severe
Date: 12/5/2013
Action taken: Removed

The following error occurred: Error code 0x8007065b. Function failed during execution.
Category: Trojan
Description: This program is dangerous and executes commands from an attacker.
Recommended action: Remove this software immediately.
Items:
boot:\\.\PHYSICALDRIVE0\Partition0 (Type 00)

 

http://go.microsoft.com/fwlink/?linkid=142185&name=Trojan:DOS/Alureon.J&threatid=2147658331

 

I am unsure where I should go from here. I found a related thread in the forums but it appeared to be terminated before resolution was found.




#2 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:02:47 AM

Posted 06 December 2013 - 12:33 AM

Hello, please run these scans -

Download Security Check by Screen317 from HERE
* Save it to your Desktop.
* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Note: If a security program requests permission to access the Internet, allow it to do so.

 

Next -

Please download and run RKill by Grinler. A black DOS box will briefly flash and then disappear.
This is normal and indicates the tool ran successfully.
If a log is produced, save it, or post it back here -

Important: Do not reboot your computer until you complete the next step.

 

Please download AdwCleaner by Xplode and save to your Desktop.
* Double-click on AdwCleaner.exe to run the tool.
* Vista/Windows 7/8 users right-click and select Run As Administrator.
* Click on the Scan button. (only once)
* AdwCleaner will begin...be patient as the scan may take some time to complete.
* After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
* NOW : Click on the Clean button. (only once)
* Press OK when asked to close all programs and follow the onscreen prompts.
* Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
* After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
Copy and Paste the contents of that logfile in your next reply.
* A copy of all logfiles is saved in the C:\AdwCleaner folder, which was created when running the tool.

 

 

Next -

Please scan your computer with ESET Online Scanner
Disable active Antivirus and Antimalware programs (see: How To Temporarily Disable Your Anti-virus)
This scan is best performed with Internet Explorer, as it uses ActiveX
If you will not use Internet Explorer, then please read item 3 in this post
1 - Open Internet Explorer and hold down Control (Ctrl) key and click on This Link to open ESET OnlineScan in a new window.
2 - Click the ESET Online Scanner button.
3 - For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
a - Click on eset.exe to download the ESET Smart Installer. Save it to your desktop.
b - Double-click on the icon on your desktop.
4 - Check "YES, I accept the Terms of Use."
5 - Click the Start button.
6 - Accept any security warnings from your browser.
7 - Under scan settings, check "Scan Archives" and "Remove found threats"
8 - Click Advanced settings and select the following:
* Scan potentially unwanted applications
* Scan for potentially unsafe applications
* Enable Anti-Stealth technology

9 - ESET will then download updates for itself, install itself, and begin scanning your computer.
10 - Please be patient as this will take some time (first time scans are always longer).
11 - When the scan completes, click List Threats
12 - Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
13 - Click the Back button and then Click the Finish button.
NOTE: Sometimes if ESET finds no infections it will not create a log.
If you lose the log it can be found at C:\Program Files\ESET\EsetOnlineScanner\log.txt
If no infections are found then please tell me -
You can ignore any ESET detection of AdwCleaner...it is a false positive detection.

 

Thank You -



#3 jackhammer

jackhammer
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:10:47 AM

Posted 06 December 2013 - 04:46 PM

Logfile checkup.txt

 

 Results of screen317's Security Check version 0.99.77 
 Windows 7 Service Pack 1 x64 (UAC is enabled) 
 Internet Explorer 11 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
Microsoft Security Essentials  
Norton Internet Security       
 Antivirus up to date! 
`````````Anti-malware/Other Utilities Check:`````````
 JavaFX 2.1.1   
 Java 7 Update 45 
 Adobe Flash Player 11.9.900.117 
 Adobe Reader 10.1.8 Adobe Reader out of Date! 
 Google Chrome 30.0.1599.101 
 Google Chrome 31.0.1650.63 
````````Process Check: objlist.exe by Laurent```````` 
 Norton ccSvcHst.exe
 Microsoft Security Essentials MSMpEng.exe
 Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````

 

Logfile RKill

 

Rkill 2.6.3 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 12/06/2013 10:12:47 AM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * Explorer Policy Removed:  NoActiveDesktopChanges [HKLM]

Backup Registry file created at:
 C:\Users\Eugenia\Desktop\rkill\rkill-12-06-2013-10-12-50.reg

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * ALERT: ZEROACCESS rootkit symptoms found!

     * C:\Program Files (x86)\Google\Desktop\Install\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\ [ZA Dir]
     * C:\Program Files (x86)\Google\Desktop\Install\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\   \ [ZA Dir]
     * C:\Program Files (x86)\Google\Desktop\Install\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\   \...\ [ZA Dir]
     * C:\Program Files (x86)\Google\Desktop\Install\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\   \...\ﯹ๛\ [ZA Dir]
     * C:\Program Files (x86)\Google\Desktop\Install\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\   \...\ﯹ๛\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\ [ZA Dir]
     * C:\Users\Eugenia\AppData\Local\Google\Desktop\Install\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\ [ZA Dir]
     * C:\Users\Eugenia\AppData\Local\Google\Desktop\Install\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\❤≸⋙\ [ZA Dir]
     * C:\Users\Eugenia\AppData\Local\Google\Desktop\Install\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\❤≸⋙\Ⱒ☠⍨\ [ZA Dir]
     * C:\Users\Eugenia\AppData\Local\Google\Desktop\Install\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\❤≸⋙\Ⱒ☠⍨\ﯹ๛\ [ZA Dir]
     * C:\Users\Eugenia\AppData\Local\Google\Desktop\Install\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\❤≸⋙\Ⱒ☠⍨\ﯹ๛\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\ [ZA Dir]

 * ALERT: ZEROACCESS Reparse Point/Junction found!

     * C:\Program Files\Windows Defender\en-US => c:\windows\system32\config\ [Dir]

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 12/06/2013 10:13:21 AM
Execution time: 0 hours(s), 0 minute(s), and 34 seconds(s)

 

Logfile AdwCleaner[S0].txt

 

# AdwCleaner v3.014 - Report created 06/12/2013 at 10:24:13
# Updated 01/12/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Eugenia - EUGENIA-PC
# Running from : C:\Users\Eugenia\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\Users\Eugenia\AppData\Local\Conduit
Folder Deleted : C:\Users\Eugenia\AppData\LocalLow\Conduit
File Deleted : C:\Users\Public\Desktop\eBay.lnk

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ConduitInstaller_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ConduitInstaller_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3106574
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKLM\Software\Conduit

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.16428

-\\ Google Chrome v31.0.1650.63

[ File : C:\Users\Eugenia\AppData\Local\Google\Chrome\User Data\Default\preferences ]

*************************

AdwCleaner[R0].txt - [2435 octets] - [06/12/2013 10:17:27]
AdwCleaner[S0].txt - [2408 octets] - [06/12/2013 10:24:13]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2468 octets] ##########

 

Logfile ESET

 

C:\Program Files (x86)\Dell DataSafe Local Backup\hstart.exe a variant of Win32/HiddenStart.A application cleaned by deleting - quarantined
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe a variant of Win32/HiddenStart.A application cleaned by deleting - quarantined
C:\Users\Eugenia\AppData\Local\Google\Chrome\User Data\Default\Default\aaggdfdadcdaddgcgcdcgfdcdedhgdgf\background.js Win32/TrojanDownloader.Tracur.V trojan cleaned by deleting - quarantined
C:\Users\Eugenia\AppData\Local\Google\Chrome\User Data\Default\Default\aaggdfdadcdaddgcgcdcgfdcdedhgdgf\ContentScript.js Win32/TrojanDownloader.Tracur.AD trojan cleaned by deleting - quarantined

***********************************************
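The RKill log above reports the ZeroAccess indicators in two forms: directories under the Google Desktop Install folder whose names are whitespace or unusual Unicode glyphs (hard to see or type in Explorer), and a junction that redirects the Windows Defender en-US folder into system32\config. The following Python script is an added example, not RKill's own code and not something posted in this thread: it parses an RKill-style log, pulls out every item listed under an ALERT, and flags the path components that make those folders hard to spot. The log text is a constructed sample trimmed from the one posted above, and the function names are my own.

```python
"""Triage helper for RKill-style logs (added example; not part of RKill)."""
import re

# Constructed sample, trimmed from the RKill output quoted earlier in the thread.
# The \u escapes are the same glyphs shown in that log (heart, not-less-not-greater,
# very-much-greater, Glagolitic Ha, skull and crossbones, APL tilde diaeresis).
SAMPLE_LOG = """\
Performing miscellaneous checks:

 * ALERT: ZEROACCESS rootkit symptoms found!

     * C:\\Program Files (x86)\\Google\\Desktop\\Install\\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\\ [ZA Dir]
     * C:\\Program Files (x86)\\Google\\Desktop\\Install\\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\\   \\ [ZA Dir]
     * C:\\Users\\Eugenia\\AppData\\Local\\Google\\Desktop\\Install\\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\\\u2764\u2278\u22d9\\\u2c22\u2620\u2368\\ [ZA Dir]

 * ALERT: ZEROACCESS Reparse Point/Junction found!

     * C:\\Program Files\\Windows Defender\\en-US => c:\\windows\\system32\\config\\ [Dir]

Checking Windows Service Integrity:

 * No issues found.
"""

# " * ALERT: <text>" opens a block; " * <path> [<tag>]" lines belong to it.
ALERT_RE = re.compile(r"^\s*\*\s+ALERT:\s*(?P<alert>.+?)\s*$")
ITEM_RE = re.compile(r"^\s*\*\s+(?P<path>.+?)\s+\[(?P<tag>[^\]]+)\]\s*$")


def parse_rkill_alerts(text):
    """Return one dict per ALERT block: {'alert': str, 'items': [{'path','tag','target'}]}.

    A block ends at the next non-bullet heading such as "Checking ...:".
    Reparse-point items are written "source => target"; both halves are kept.
    """
    alerts = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ALERT_RE.match(line)
        if m:
            current = {"alert": m.group("alert"), "items": []}
            alerts.append(current)
            continue
        if current is None:
            continue
        m = ITEM_RE.match(line)
        if m:
            path, tag = m.group("path"), m.group("tag")
            target = None
            if " => " in path:  # junction / reparse point: source => target
                path, target = path.split(" => ", 1)
            current["items"].append({"path": path, "tag": tag, "target": target})
        elif not line.lstrip().startswith("*"):
            current = None  # a new section heading closes the ALERT block
    return alerts


def suspicious_components(path):
    """Directory names that are whitespace-only or contain non-ASCII characters.

    These are the components a user cannot easily see or type, which is why
    the log's ZA Dir entries look like nested "   " and glyph-named folders.
    """
    parts = path.rstrip("\\").split("\\")
    return [p for p in parts if not p.strip() or any(ord(c) > 127 for c in p)]


def triage(text):
    """One finding string per flagged item, derived only from the log text."""
    findings = []
    for block in parse_rkill_alerts(text):
        for item in block["items"]:
            if item["target"]:
                findings.append(
                    f"junction {item['path']} -> {item['target']} ({item['tag']})"
                )
            else:
                odd = suspicious_components(item["path"])
                note = f"; hidden-looking names: {odd!r}" if odd else ""
                findings.append(f"{item['tag']}: {item['path']}{note}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run it against a saved RKill log (`triage(open(path, encoding="utf-8").read())`) to get a compact list of what the tool flagged; the junction finding is the one worth checking first, since a system folder that silently redirects to another location is the symptom the helper in this thread reacted to.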

 



#4 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:02:47 AM

Posted 06 December 2013 - 04:53 PM

* ALERT: ZEROACCESS rootkit symptoms found!

 

As you are badly infected, please follow the instructions in the Preparation Guide starting at Step #6.

 

When you have done that, start a new topic and post the required logs to the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts.

 

If you are unable to complete any step, please still post the topic and leave a full description of your problems.

 

Please do this as soon as you can to get help with your problem -

 

Please Use Copy / Paste for your responses, and Do Not Attach them unless your helper requests this.

 

If Help Bot responds to your topic, please follow his Step #1 so the team will be notified.

 

 
Thank You -



#5 hamluis

hamluis

  • Moderator
  • 56,124 posts
  • OFFLINE
  • Gender:Male
  • Location:Killeen, TX
  • Local time:11:47 AM

Posted 07 December 2013 - 06:17 AM

Reference: http://www.bleepingcomputer.com/forums/t/516647/windows-7-laptop-zeroaccess-rootkit-symptoms-found/#entry3226621

 

Now that you have properly posted a malware log topic, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by an MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on, the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic.

Louis





