Windows 7 DOS:Alureon.a trojan removal

I realize there are several posts with solutions to this problem. I have attempted most, if not all, of the "solutions" on this site without success. I have gone through the READ & RUN ME FIRST Malware Removal guide. I am not able to post a log from MBRcheck because the virus will not allow me to open any programs, even in safe mode or with the extensions changed.

*My computer shows an established internet connection but Google Chrome and Internet Explorer will not open.
*All malware remove tools were copied to a flash drive from a non-infected computer and transferred.

Brief explanation:

1. Microsoft Security Essentials, Microsoft Word, and Calculator are the only programs that will start up.
2. MSE detected Alureon but was unable to remove it and recommended I use Windows Defender Offline. I ran WDO through a bootable CD but it was not able to detect any threat.
3. I attempted to use Rkill, ComboFix, Kaspersky, and TDSSKiller. Like the rest of the programs, these removal tools were not able to run. These programs did not run in safe mode or with altered extensions.

*I appreciate any help given. Please let me know if you need additional information. I will try and be as detailed as possible. I have taken care of more than a few viruses in my time but I have never dealt with one like this.

 

Welcome to MajorGeeks, BlondGrim
The infection you describe is known as Pihar.b

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
• Use the arrow keys to select the Repair your computer menu item.
• Choose your language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
• Restart your computer.
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
• Click Repair your computer.
• Choose your language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account an click Next.

On the System Recovery Options menu you will get the following options:

• Select Command Prompt
• In the command window type in notepad and press Enter.
• The notepad opens. Under File menu select Open.
• Select "Computer" and find your flash drive letter and close the notepad.
• In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
• Note: Replace letter e with the drive letter of your flash drive.
• The tool will start to run.
• When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) on the flash drive. Please attach this log to your next reply. (How to attach)

 

Thank you again for the assistance

 

No problem.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Attached is fixlist.txt

• Save fixlist.txt to your flash drive.
• You should now have both fixlist.txt and FRST64.exe on your flash drive.

Now re-enter System Recovery Options.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt).
Please attach this to your next message. (How to attach)

Now attempt to boot normally.

Now continue with this procedure: How to Remove TrojanOS/Alureon.A

 

Scan went smoothly.

 

The programs are behaving the same was as before; refusing to open. I also tried safe mode and different extensions without success. I'm not sure if this means improvement but when I tried to open MBRcheck the command prompt appeared, the gray bar blinked a few times, and the window closed. During previous attempts it would not make it to the command prompt stage.

 

Hi,

Please do another scan using FRST64.exe
Then attach the latest FRST.txt.

 

Here is the log.

 

Do you have your Windows 7 DVD?
The malware is back. It is best to remove those bad entries while the OS is inactive (while you are booting off a DVD).

 

No. Unfortunately I do not have a Windows 7 DVD.

 

Hrm, we may need it. In the meantime, try this new fixlist.txt (see attached) I've created for you.

Once you get back into Windows, try to immediately run TDSSKiller.

 

It was still not able to open.

 

Can you attach the fixlog.txt?

 

Certainly

 

I think we will need the Windows 7 DVD or at least a recovery console CD in order to get past this.

You can see here for more details on how to obtain one.

 

Thanks for the information. I will work on acquiring a disc and post when one is obtained.

 

Disc obtained. Awaiting further instruction.

 

Great

Now boot from the disc you have and enter System Recovery Options. Read OPTION TWO on this page: Using a Windows 7 Installation or System Repair Disc if you need help.

Once you get to this screen, select the Command Prompt
In the Command Prompt window, type in these commands, pressing ENTER after each one:

• bootrec /fixmbr
• exit

Now reboot your computer into Normal Mode of Windows (do not boot from the DVD again).

If you have done this correctly, your programs should now open. Let me know if you need additional assistance.

 

hmm. I booted from the disk but my menus look nothing like the one in the link you provided. Here is what mine looks like:

http://neosmart.net/wiki/display/EasyRE/PC+Recovery+with+EasyRE

I selected "Launch Command Line" and typed in the commands you gave me but they were not recognized.

 

That is the disc purchased from here? http://systemdiscs.com/

I will try to help you although I am not sure why they did not just sell you the Recovery Console DVD for Windows 7.

Are you able to take a picture of what their Command Prompt looks like?

You may also want to try their Automated Repair.

 

Yes, the CD was obtained through that link. I tried the automated repair but it did not work.

 

Honestly I am not sure why they sent you this disc. It's not the one I intended for you to obtain.

Please send an email to support@systemdiscs.com to get a different version that might work.

Source: http://neosmart.net/forums/showthread.php?t=9474

_____________

You can also try to create your own (maybe even from the infected computer). See here: How to Create a Windows 7 System Repair Disc

 

Thanks for the links. I'll post an update within the next few days.

 

Success! (sort of) I was able to create a repair disk through the *How to Create a Windows 7 System Repair Disc link you provided. I went into the command prompt, typed in bootrec /fixmbr, it said it was successful so I typed in *exit and booted normally. Unfortunately my programs will still not open.

 

Intriguing. I'm glad you were able to create the boot CD. Hopefully you can still get a refund from that website as the CD offered is not what they have given you.
Could you give me detailed descriptions on:

1) The programs you are trying to launch
2) Which extension these programs have
3) What exactly happens when you try to open a program.

Alternatively if you're not opposed to it, I could take a look and try to fix the problem remotely using TeamViewer.

 

I would be more than happy to use the TeamViewer program. I think it will be the most efficient method.

 

Ok, e-mail here with the ID and password

 

I tried to install TeamViewer onto my computer through a USB but the program is behaving just like the others and refusing to open.

 

Ok,

See if these programs are blocked too:

Download FixTDSS

• Double-click it to run.
• Follow the prompts.
• After it has finished, retry running TDSSKiller.

__

Please download aswMBR to your desktop.

• Double-click aswMBR.exe to run (Vista/7 right-click and select Run as Administrator)
• Select Yes when asked "Would you like to download latest Avast! virus definitions?"
• Click the [Scan] button.
• On completion of the scan click [Save log], save it to your desktop and attach this log to your next message. (How to attach)

 

Both programs failed to launch.

 

Give this one a try:

• Please download MBRScan and save it to your desktop.
• Doubleclick on MBRScan.exe and click the Report button. (Vista and Windows 7 Users, right click on MBRScan and then click on run as administrator).
• Please don't use the computer while the scan is running. The computer may not respond until the scan is done. Please be patient and don't force a restart of the computer.
• When the scan is finished, a log file will appear.
• Please attach MbrScan.log to your next message. (How to attach)

 

Failed to launch.

 

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer

• Run GETxPUD.exe
• A new folder will appear on the desktop.
• Open the GETxPUD folder and click on the get&burn.bat
• The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
• Click on Start and follow the prompts to burn the image to a CD.
• Remove the USB & CD and insert it in the sick computer
• Boot the Sick computer with the CD you just burned
• The computer must be set to boot from the CD
• Gently tap F12 and choose to boot from the CD
• Follow the prompts
• A Welcome to xPUD screen will appear
• Press File
• Expand mnt
• sda1,2...usually corresponds to your HDD
• sdb1 is likely your USB
• Click on the folder that represents your USB drive (sdb1 ?)
• Press Tool at the top
• Choose Open Terminal
• Type the following and press enter:
  
  dd if=/dev/sda of=mbr.bin bs=512 count=1
  
  
• Press Enter
• After it has finished a file will be located on your USB drive named mbr.bin
• Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.

This will allow me to have a look at the MasterBootRecord of your drive and see if it is infected.

 

Code:

2012-04-12 16:50 - 2012-01-21 11:49 - 0000926 ____A C:\Users\Public\Desktop\TrueCrypt.lnk

You have this software installed? http://www.truecrypt.org/

 

Yes, I have TrueCrypt installed.

 

Hi,

Is TrueCrypt still working? (do you still have to enter a password for the program each time Windows boots?)
I am not too familiar with this software but I think it may be somewhat preventing the bootrec /fixmbr command from working.

Are you against removing it, at least temporarily to try to fix this problem? I am out of other ideas at this point.

 

I only use TrueCrypt to encrypt USB's. I have never encrypted files or my hard drive so I don't think that is an issue. But just to be safe, I went to uninstall TrueCrypt but to my surprise (not) I am not able to uninstall it. Unfortunately this seems to be the case with other programs; (i.e.) attempted to uninstall Spybot Search and Destroy.

I am in the process of running the program and saving the information on the USB but I am running into some difficulty. I selected my USB device (sdb1) and went through the instructions you posted. In the program it shows that mbr.bin has saved to my USB but when I remove it and put it into my computer it is not there.

 

An isolated incident apparently. After a few tries it finally saved properly.

 

The MBR is clean (thanks Elise).

__

Next two things I'd like you to do.

1) Boot into Safe Mode with Command Prompt and enter this command: sfc /scannow
Be patient as this runs. When finished, reboot PC and test if programs are still blocked.
__

2) Download the latest FRST64.exe and run a new scan and attach the latest log.

 

The programs will not open. I did a little reading and it turns out Alureon.a appears as a LOCKED file making it, "almost impossible to delete", but you may have known this already.

The scan results are attached.

Source: http://peterhallam.com.au/tag/dos-alureon-a/

 

Since you are able to run MSE. Can you run a full scan on the system and let me know what it detects now? Thanks

 

Detected items:
TrojanOS/Alureon.A

Alert Level: Severe

Status: Active

Items: rootkit:Alureon->Mbr::Alureon

 

Thank you.

Please follow these instructions carefully.

Download this fixlist.txt to your flash drive.
You should have both FRST64.exe and fixlist.txt on the flash drive, in the same directory.

Boot your computer using the Windows 7 Recovery Disc that you made on your own. Do NOT use the Windows Defender Offline disc / ISO anymore.

________________________________________

Re-enter the Windows 7 Recovery Disc's Command Prompt to launch FRST64 and press Fix one time.

Attach the Fixlog.txt that it creates onto your desktop to your next message.

Now reboot normally, without using any type of CD or flash drive and test to see if programs will now open.
I did remove a few of the old ones, please download a new copy of TDSSKiller and try to run it.

 

Still unable to open programs. Including the latest download of TDSSKiller.

 

Hello.

Apparently the MBR is in fact clean but the partition table is messed up due to Windows Defender Offline failing (thanks Farbar).

Download this ISO file to make into a CD: MiniTool® Partition Wizard Bootable CD 7.1
Burn it onto a CD. I assume you know how to do this already as you created the Windows Defender Offline boot CD.
Now boot from this new CD
Locate your operating system partition which accordingly to your logs is the 451.48 GB size partition.

What we want to do here is toggle this partition as active and inactive about 4 times in a row.

Select this partition by left mouse clicking it and choose:

• Inactive -> Apply
• Active -> Apply
• Inactive -> Apply
• Active -> Apply

Now restart the computer normally.

 

When I first went into the program it gave me QSERVICE, SYSTEM RESERVED, and Gateway as partitions. Their statuses were originally set to "none", "active", and "none", respectively. I selected Gateway, began the active/inactive cycle and ended with its status set to "active". I restarted normally and it said "BOOTMGR is missing". I went back into the program and set it to the original "none, "active", and "none" but when I restart it says there was a problem restarting and it gives me the option to Restart Normally or run a system repair (recommended fix). Restarting normally only brings me back to the screen so I tried system repair but it said it was not able to successfully repair.

 

OK now set system reserved as active

 

It brings me back to the system repair/restart normally screen and fails to restart or repair.

 

System Reserved should be left at Active.

With this in mind, reboot using your Windows 7 Recovery CD and go into the System Recovery Options like displayed in the picture below:

From here, select Startup Repair and let me know if the repair is still unsuccessful.

 

Still unsuccessful.