Help Requested to Remove Alureon FL

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Katydids, Jan 5, 2012.

  1. Katydids

    Katydids Private E-2

    Greetings Friends,

    Unfortunately, I've done myself a good one by getting this trojan: symptoms include getting multiple "write delayed on driver" messages and the bogus "click to fix" message - which I didn't do.

    The MS Security Essentials found and removed Win32/Alureon.FL, Win32/Fareit.A (this one is a password stealer) and Win32/sirefef.P -- or so it says.

    I've read the "read me and run document" and think I've completed those steps before running the scans you request. However, when I ran Super AntiSpyware, I didn't see a "statistics/logs tab", and didn't find a log put out by that scan at all. SAS did find 1 critical threat, Trojan.Agent/Gen-Fake-Alert (local), and some 548 adware tracking cookies.

    I ran Malwarebytes and it found Rogue.FakeHDD and I do have the log.

    I ran Combofix but it totally freaked me out as I saw some lines of code go by (extract) and then the scan screen disappeared and I didn't see the "preparing to run combofix" screen. I freaked thinking it was doing bad things and deleted the app.

    I have a Windows 64 bit system so I didn't run Root Repeal. I ran MGtools and I have the MGlogs.zip. I have attached all logs and look forward to working with you to clean my PC.

    Thanks in advance for your patience as this stuff doesn't come easy to me.

    Cheers,
    Katy :banghead
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    It always creates a log by default. You were supposed to disable scanning for tracking cookies. See the instructions for running it.

    Very bad idea and you could damage your PC by doing this once it started. You need to run it and get us the log.


    What you have is basically an empty log. You need to let MGtools run all the way thru to completion. Also you need to have any protection software disabled before running it and also you must make sure you run it as administrator. Try the below:

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\MGlogs.zip
     
  3. Katydids

    Katydids Private E-2

    I re-ran SAS having selected the options as instructed in Read Me. SAS found no threat items, I think because the one it found yesterday, it removed. Still, though, I saw no Statistics/Log tab, and no logs under Scanner logs, even though I saw that save empty/clean logs was selected. I do not have the PAID version of SAS, if that makes a difference. I followed the instructions in Read me to a "T", I don't know why there is no log available.

    Likewise, I ran MGTools, and no MGlogs.zip file was created. I saw an I/O error, with an "invalid argument" which resulted, it read, in the output file not being created.

    ComboFix ran like a charm, with no problems. I will be sending its log after hubby's perusal. If you have instructions for me to run SAS and MGtools again, I will and attach all logs.

    Thanks.
    Katy
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you look in C:\ for the MGlogs.zip file to be sure?

    If there really is no C:\MGlogs.zip file then do the below.


    Please click Start, All Programs, Accessories and you will see ( among other things ) a Command Prompt entry.
    • Right click the Command Prompt entry and select Run As Administrator.
      • It is critical that you run it this way.
    • If you do this properly, a command prompt window will open with a title of Administrator Command Prompt.
    • Enter the below commands at the command prompt each followed by the enter key. Try each command!!!! The bold black are commands. The purple/brown is merely informational.
    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    SN64 <-- this will try to run all one scan from MGtools. Tell me what error messages, if any, you see.
    nwktst <-- this will try to run all one scan from MGtools. Tell me what error messages, if any, you see.
    analyse <-- this will try to run TrendMicro Hijackthis. Click Twice on the Accept button to accept the license agreement if it shows. Then run a scan and save a log. Tell me what error messages, if any, you see.
    GRK64 <-- this will try to run all one scan from MGtools. Tell me what error messages, if any, you see.

    getnetinf <-- this will try to run all one scan from MGtools. Tell me what error messages, if any, you see.

    Now look for the C:\MGlogs.zip file and attach it no matter what happened while doing the above.
     
  5. Katydids

    Katydids Private E-2

    I'm attaching the MGlogs.zip file and I believe it contains the combofix log. Look forward to hearing from you, thanks for helping (and your patience).

    Cheers,
    Katy:)
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    Ah! So MGtools actually really did run and create a log. All of those files including combofix.txt would not be in the ZIP otherwise.

    I see you already ran TDSSkiller a few times. Let's all check your MBR.


    Now please also download MBRCheck to your desktop.

    See the download links under this icon.
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )
     
  7. Katydids

    Katydids Private E-2

    OK. The MBRcheck log is attached.
     

    Attached Files:

    Last edited: Jan 7, 2012
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have an infected partition added to your hard disk, shown in the last line below:
    Code:
    Get Partition Info From WMI in K-bytes                          
    ==============================================================  
    Bootable  Name                   Size          Type                     
    TRUE      Disk #0, Partition #0  208666624     Installable File System  
    FALSE     Disk #0, Partition #1  226493464576  Installable File System  
    FALSE     Disk #0, Partition #2  29243736064   Installable File System  
    FALSE     Disk #0, Partition #3  112549888     Unknown                  
    
    Do you have your Windows 7 Boot DVD? If not, see if you can follow the instructions in the below to create a bootable repair disk.

    http://windows.microsoft.com/en-us/windows7/Create-a-system-repair-disc

    Let me know when/if you can make this disc.
     
    Last edited: Jan 8, 2012
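    Added example, not from this thread or from the MBRCheck tool: a small Python parser that walks the four 16-byte entries of a raw MBR sector and flags any entry whose partition-type byte is not one a Windows install normally carries, which is the same signal MBRCheck reports as "Unknown" above. The sample sector is constructed here to mirror the partition sizes in the log (the type byte 0x1C on the fourth entry is an arbitrary placeholder, not a claim about what Alureon writes), and the short whitelist of type codes is this example's own assumption.

```python
import struct

SECTOR = 512
PARTITION_TABLE_OFFSET = 446   # MBR layout: 446 bytes of boot code, then 4 x 16-byte entries, then 0x55AA
PARTITION_ENTRY_LEN = 16

# Type bytes a Windows disk is normally expected to carry.
# Assumption: this whitelist is the example's own, not MBRCheck's.
KNOWN_TYPES = {
    0x05: "Extended",
    0x07: "Installable File System",   # NTFS / exFAT, what WMI reports in the log above
    0x0B: "FAT32",
    0x0C: "FAT32 (LBA)",
    0x0F: "Extended (LBA)",
    0x27: "Windows Recovery Environment",
}


def parse_mbr(mbr: bytes):
    """Return one dict per populated partition entry of a 512-byte MBR sector."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if mbr[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_LEN
        # status(1) chs_start(3) type(1) chs_end(3) lba_start(4) sector_count(4), little-endian
        status, _chs_s, ptype, _chs_e, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + PARTITION_ENTRY_LEN])
        if ptype == 0 and sectors == 0:
            continue                      # empty slot
        entries.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": KNOWN_TYPES.get(ptype, "Unknown"),
            "lba_start": lba_start,
            "size_bytes": sectors * SECTOR,
        })
    return entries


def suspicious_partitions(entries):
    """Entries whose type byte is outside the whitelist: what MBRCheck lists as Unknown."""
    return [e for e in entries if e["type"] not in KNOWN_TYPES]


def _entry(bootable, ptype, lba_start, sectors):
    flag = 0x80 if bootable else 0x00
    return struct.pack("<B3sB3sII", flag, b"\xff\xff\xff", ptype, b"\xff\xff\xff", lba_start, sectors)


def constructed_sample_mbr():
    """Constructed sector mirroring the four partition sizes in the thread's log (sizes in bytes / 512)."""
    table = b"".join([
        _entry(True,  0x07, 2048,      407552),      # 208666624 bytes, the bootable system partition
        _entry(False, 0x07, 409600,    442370048),   # 226493464576 bytes, the OS partition (210.94 GB)
        _entry(False, 0x07, 442779648, 57116672),    # 29243736064 bytes
        _entry(False, 0x1C, 499896320, 219824),      # 112549888 bytes (107.34 MiB), placeholder type byte
    ])
    return b"\x00" * PARTITION_TABLE_OFFSET + table + b"\x55\xAA"


if __name__ == "__main__":
    for e in parse_mbr(constructed_sample_mbr()):
        print(f"#{e['index']} boot={e['bootable']!s:5} type=0x{e['type']:02X} "
              f"{e['type_name']:25} {e['size_bytes'] / 2**20:12.2f} MiB")
    print("suspicious:", [e["index"] for e in suspicious_partitions(parse_mbr(constructed_sample_mbr()))])
```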
  9. Katydids

    Katydids Private E-2

    Hi Chaslang,

    I have created the system repair disc - what fun!

    Katy
    :)
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay now let's get rid of the infected partition which requires you creating another special bootable CD. More fun!;)

    Preferably from a clean computer but not necessary if you do not have another computer, I need you to download: gparted-live-0.11.0-7.iso (114 MB)
    Create a bootable CD for GParted. You can use ImgBurn to accomplish this.
    If you need help on how to use ImgBurn, please view this guide by dr.m -- Using ImageBurn to Burn an ISO image

    Now boot off of the newly created GParted CD.
    You should be here...
    Press ENTER
    By default, do not touch keymap is highlighted. Leave this setting alone and just press ENTER.
    Choose your language and press ENTER. English is default [33]
    Once again, at this prompt, press ENTER
    You will now be taken to the main GUI screen below
    According to your logs, the partition that you want to delete is 107.34 MiB (107.34 MB)
    Click the trash can icon to delete and then click Apply.
    You should now be here confirming your actions:
    Now you should be here:
    Is boot next to your OS drive? According to your logs, your OS drive is the 210.94 GB sized partition.
    If boot is not next to your OS drive under Flags, right-mouse click the OS drive while in Gparted and select Manage Flags
    In the menu that pops up, place a checkmark in boot like the picture below:
    Now press the Close button to save these changes.
    Now double-click the [​IMG] button.
    You should receive a small pop up like this:
    Choose reboot and then press OK.


    Now reboot from the Windows 7 Recovery Disc and execute the following commands:
    • bootrec /fixmbr
    • bootrec /fixboot
    • exit
    Once back in Windows...
    Re-run another scan with MBRCheck and attach its latest log. (How to attach)
     
  11. Katydids

    Katydids Private E-2

    Well, this time, it wasn't much fun because I didn't read the instructions very well. :(

    I was humming along until Windows wouldn't start after the reboot and, after very many OMGs, I thought to boot from the recovery disk you had me make. Yay! Then went back to re-read your instructions and, yeah, it was supposed to do that, and then I was to enter those 3 commands.

    I then rebooted with the G-parted disk, expecting to enter those commands when it rebooted (and wondering when I would know to do that - before Windows started) when...Windows started and I never did enter "fix mbr" and "fix boot".

    So, I've run MBRcheck and am attaching the log - hope it wasn't mucked up.

    Katy
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    From your message, I cannot tell what you ran properly and what you did not run. So to see where things stand, I will need a new log from MGtools.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\MGlogs.zip
     
  13. Katydids

    Katydids Private E-2

    The MGlogs.zip file is attached.
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay it looks like you were able to remove the infected partition with Gparted. Now just do the below.

    Now reboot from the Windows 7 Recovery Disc and select command prompt. Execute the following commands at the Command prompt.
    • bootrec /fixmbr
    • bootrec /fixboot
    • exit
    After booting back up normally, rerun MBRcheck and attach a new log
     
  15. Katydids

    Katydids Private E-2

     
  16. Katydids

    Katydids Private E-2

     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you running MBRcheck by using the Run As Administrator method???
     
  18. Katydids

    Katydids Private E-2

    Yes, I believe I did.

    But, I just now ran MBR check again, being certain to run it as administrator. The log is attached.

    Katy
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then I'm not sure why the below is occurring
    Code:
    \\.\C: -->  error 5
    \\.\D: -->  error 5
    \\.\F: -->  error 5
    PhysicalDrive0 Model Number: <error opening>
          Size  Device Name          MBR Status
      --------------------------------------------
    ERROR Opening: \\.\PhysicalDrive0 (5)
    I thought error 5 is an access denied type message but I don't know why you are getting this.

    Are you having any malware problems?
     
  20. Katydids

    Katydids Private E-2

    I logged into the admin. account and ran MBR check (right click, run as administrator), if this would make a difference. The MBR check log is attached.

    Regards,
    Kathy
     

    Attached Files:

  21. Katydids

    Katydids Private E-2

    I don't see the error 5 message in this latest log. I guess I was not really running MBR check as administrator: I was logged into the restricted account before.

    Katy
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's the reason!!! As I said, access was being denied and that was because you were not running as administrator which you always have to do for all tools. You cannot perform malware cleanup in a user account that is restricted. You have to give it admin permissions during the cleanup and then after finished, you can set it back to restricted.

    How is everything working now?
     
  23. Katydids

    Katydids Private E-2

    On the account that had the malware, my wallpaper is not there, there are no programs under my "start" button, and the system tray is empty.

    I have not yet tried getting on the Internet, am out for an hour, will check in with you when I return.

    Katy
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you referring to the DLL user account? Try the following unhide program.

    Please download and save the below tool from Grinler @ bleepingcomputer to your Desktop or anywhere else you can find it ( if the Desktop is not showing )

    http://download.bleepingcomputer.com/grinler/unhide.exe

    Now run it. Now see if you can find the items that seemed to be missing ( like shortcuts, Start Programs... etc )?

    Give it a try now.
     
  25. Katydids

    Katydids Private E-2

    ChasLang,

    No, the account that had the trouble is KML. I'll try your instructions in that account tomorrow, if I can.

    Katy
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then you have been posting logs from the wrong user account. To properly clean any user account, the scans have to be run on that account otherwise only things that are common to all user accounts will be found and not things unique to a particular user account.

    Restricted User Accounts have to be given administrator privileges while performing the cleaning process.
     
  27. Katydids

    Katydids Private E-2

    Quote:
    Originally Posted by chaslang
    Restricted User Accounts have to be given administrator privileges while performing the cleaning process.

    It just seems counterintuitive to give admin. privileges to the account that has the bad stuff, like the password stealer, on it. Do I have to start the pc in safe mode or anything? Or just do the regular start? I guess since the recovery disk is a system recovery, I don't have to make another one, do I?

    Once I know how to start the machine, I'll run the scans and attach the logs for (please strikethrough any you don't want me to run):

    Super Antispyware
    Mgtools
    Combofix
    MBRcheck


    My apologies, chaslang, for not being clearer at the start, but on the good side, there was that infected partition.

    Katy
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes but not really. Admin type accounts get infected all the time too and we clean them anyway. Restricted accounts will not be able to run many tools properly in order to clean them. If they are already infected, you have no choice.

    Normal boot mode is always preferred unless it cannot be run. However this is another reason for making Restricted Accounts become admin accounts. You cannot log into a restricted account in safe mode. The account name will not even appear unless it is an admin account.

    Correct. You probably will not even need this disc since we already used it.


    Remove SUPERAntiSpyware and run Malwarebytes instead. Then run ComboFix, and then run MGtools. You don't need to run MBRcheck as the MBR is not user account specific. It relates to the whole PC.
     
  29. Katydids

    Katydids Private E-2

    :wave chaslang,

    The logs are attached and thanks for your patience and help.


    Katy
     

    Attached Files:

  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No malware is being detected.

    Please download and save the below tool from Grinler @ bleepingcomputer to your Desktop or anywhere else you can find it ( if the Desktop is not showing )

    http://download.bleepingcomputer.com/grinler/unhide.exe

    Now run it. Now see if you can find the items that seemed to be missing ( like shortcuts, Start Programs... etc )?

    If they don't come back, they are most likely gone for good and you would have to manually restore what you need. Either by copying from another user account or by reinstalling software.

    Is this info missing for the DLL and NRL accounts too? ComboFix does have some APPDATA info from these accounts saved in the Quarantine.
     
  31. Katydids

    Katydids Private E-2

    I ran the unhide.exe and some, but not all, items came back. This info is not missing from the other accounts.

    Should we get rid of the APPDATA info from DLL & NRL?
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay. My point was to see if you can copy various items/shortcuts...etc from the other accounts to this account. If unhide did not restore them, there is nothing to restore.

    No.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. After doing the above, you should work thru the below link:
     
  33. Katydids

    Katydids Private E-2

    Everything has been uninstalled/deleted, AV turned on and UAC active.

    I now get the message, Your current security settings put your computer at risk, when I access the internet and on each page to which I navigate.

    The security settings in internet explorer are set exactly the same for each user account and only one, KML, is getting this message.

    Don't want to click "fix settings for me" before I hear from you.

    Thanks, chaslang.

    Katy
     
  34. Katydids

    Katydids Private E-2

    chaslang,

    I've corrected the security settings and am no longer getting this message, so please disregard.

    Everything has been done and I'll copy & re-install anything I need. Thanks so much for your help.

    Why do/must hackers do this to people?

    Katy
     
    Last edited: Jan 13, 2012
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    There are many types of hackers, some want to steal info and possibly your money. And other just want to make life difficult for you. ;)
     
