Help with removal of trojan:DOS\Alureon.e virus

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by 1yousefi, Apr 8, 2012.

  1. 1yousefi

    1yousefi Private E-2

    Hello, I was having a lot of error messages on my computer and it became very apparent that it was infected with a virus. So I used the built-in partition to do a factory reset. After I ran Windows Update all the way and installed Microsoft Security Essentials, it said it found Alureon.E on there again.

    This confuses me, because I haven't used the computer for anything after doing a factory recovery from partition. I have read the FAQ and followed all the instructions.

    ComboFix crashes every time I try to use it, I can't get any error messages or logs out of it, and RootRepeal crashes too. Either way, I have attached the corresponding logs here for everything.

    Any help would be greatly appreciated,

    Thanks in advance.
     


  2. 1yousefi

    1yousefi Private E-2

    Here are the rest of the logs.

    A bit more information:

    These are work computers running Windows Vista Business; the machines are Acer Veriton L460 and the hardware has not been modified.

    I called Acer to purchase recovery CDs, but apparently they don't sell them for my specific machine. I have another computer just like this one that a co-worker uses, and I used that machine to build a set of recovery CDs, but I'm afraid that if I do the recovery again it would just be a waste of time. There appear to be 4 partitions on the hard disk and I'm not exactly sure why.

    Anyway, that's my rant! Hopefully someone can help! :D
     


  3. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, 1yousefi!

    One of them needs to be deleted as it is the bulk of the infection.
    Code:
    Partition                   Disk #0, Partition #3
    Partition Size              1.83 MB (1,916,928 bytes)
    Partition Starting Offset   160,039,960,576 bytes
    __

    Preferably from a clean computer, I need you to download: gparted-live-0.11.0-10.iso (121.1 MB)
    Create a bootable CD for GParted. You can use ImgBurn to accomplish this.
    If you need help on how to use ImgBurn, please view this guide by dr.m -- Using ImageBurn to Burn an ISO image

    Now boot off of the newly created GParted CD.
    You should be here...
    Press ENTER
    By default, do not touch keymap is highlighted. Leave this setting alone and just press ENTER.
    Choose your language and press ENTER. English is default [33]
    Once again, at this prompt, press ENTER
    You will now be taken to the main GUI screen below
    According to your logs, the partition that you want to delete is 1.83 MiB (1.83 MB)
    Click the trash can icon to delete and then click Apply.
    You should now be here confirming your actions:
    Now you should be here:
    Is boot next to your OS drive? According to your logs, your OS drive is the 69.77 GiB sized partition.
    If boot is not next to your OS drive under Flags, right-mouse click the OS drive while in Gparted and select Manage Flags


    In the menu that pops up, place a checkmark in boot like the picture below:
    Now press the Close button to save these changes.
    Now double-click the Exit button on the GParted desktop.
    You should receive a small pop up like this:
    Choose reboot and then press OK.

    __

    Once you are back in Windows...

    Re-scan with TDSSKiller with the parameters you used before.
    This time if TDSS File System appears, delete it!
    Then attach the latest TDSSKiller log. (How to attach)

    __

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
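For readers who want to see what the GParted steps above actually change on disk, here is an added example that is not code from this thread, from GParted or from TDSSKiller. It parses a 512-byte MBR, flags a tiny partition parked at the very end of the disk (the pattern the 1.83 MB entry in the logs shows), zeroes that table entry the way GParted's delete does, and moves the active (boot) flag onto the OS partition, which is what "Manage Flags -> boot" does. The MBR bytes, partition type codes, LBA values and disk size are constructed to resemble the logs and are assumptions; everything happens in memory and nothing is written to a real disk.

```python
"""In-memory look at the partition table that GParted edits in the steps above.

Added example, not code from this thread, GParted or TDSSKiller. The MBR is
CONSTRUCTED to resemble the layout in the logs: a ~69.77 GiB OS partition
and a 1.83 MB partition at the far end of a ~160 GB disk. Partition type
codes, LBA values and the disk size are assumptions. Everything happens on
a bytes object; writing the result to a real disk is deliberately omitted.
"""
import struct

SECTOR = 512
ENTRY_FMT = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA start, sector count
TABLE_OFFSET = 446             # 4 x 16-byte entries at 446..509, 0x55AA signature at 510..511
END_SLACK_SECTORS = 2048       # "at the end of the disk" = ends within 1 MiB of the last sector
ASSUMED_DISK_SECTORS = 312_581_808   # ~160 GB disk (assumption)


def build_mbr(entries):
    """Build a 512-byte MBR from (bootable, type, lba_start, sector_count) tuples."""
    table = b"".join(
        struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba, count)
        for bootable, ptype, lba, count in entries
    )
    table = table.ljust(64, b"\0")                 # unused slots stay zeroed
    return b"\0" * TABLE_OFFSET + table + b"\x55\xaa"


def parse_mbr(mbr):
    """Return the populated entries as dicts (1-based index, like the logs)."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: 0x55AA signature missing")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0 and count == 0:
            continue                               # empty slot
        parts.append({"index": i + 1, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count, "bytes": count * SECTOR})
    return parts


def suspicious_partitions(parts, disk_sectors, max_bytes=4 * 1024 * 1024):
    """Indexes of tiny partitions parked at the end of the disk.

    A few MB is far too small for any real OS, recovery or swap volume, and
    a bootkit that keeps its own file system in spare sectors at the end of
    the disk shows up exactly like the 1.83 MB entry in the thread's logs.
    """
    found = []
    for p in parts:
        end = p["lba_start"] + p["sectors"]
        if p["bytes"] <= max_bytes and end >= disk_sectors - END_SLACK_SECTORS:
            found.append(p["index"])
    return found


def delete_partition(mbr, index):
    """GParted's 'delete': zero the 16-byte entry (the sectors themselves are untouched)."""
    buf = bytearray(mbr)
    off = TABLE_OFFSET + 16 * (index - 1)
    buf[off:off + 16] = b"\0" * 16
    return bytes(buf)


def set_boot_flag(mbr, index):
    """GParted's 'Manage Flags -> boot': make exactly one entry active (0x80)."""
    buf = bytearray(mbr)
    for i in range(4):
        buf[TABLE_OFFSET + 16 * i] = 0x80 if i + 1 == index else 0x00
    return bytes(buf)


def repair(mbr, os_index, disk_sectors):
    """Apply the thread's two GParted steps and return the new MBR bytes."""
    for idx in suspicious_partitions(parse_mbr(mbr), disk_sectors):
        mbr = delete_partition(mbr, idx)
    return set_boot_flag(mbr, os_index)


# Constructed table: sizes chosen so entry 2 reports ~69.77 GiB and entry 3
# reports 1,916,928 bytes at offset 160,039,960,576, as in the logs. Entry 3
# also carries the active flag here, mirroring the "is boot next to your OS
# drive?" question above (assumption, not something the logs state).
SAMPLE_MBR = build_mbr([
    (False, 0x27, 2_048, 20_971_520),          # vendor recovery, 10 GiB (assumed)
    (False, 0x07, 20_973_568, 146_315_264),    # Windows OS, ~69.77 GiB, no boot flag
    (True,  0x07, 312_578_048, 3_744),         # 1.83 MB at the end of the disk
])

if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR):
        print(f"#{p['index']}  boot={p['bootable']!s:5}  type=0x{p['type']:02x}  "
              f"start={p['lba_start'] * SECTOR:,} B  size={p['bytes'] / 2**20:.2f} MiB")
    print("suspicious:", suspicious_partitions(parse_mbr(SAMPLE_MBR), ASSUMED_DISK_SECTORS))
    fixed = repair(SAMPLE_MBR, os_index=2, disk_sectors=ASSUMED_DISK_SECTORS)
    print("after repair:", [(p["index"], p["bootable"]) for p in parse_mbr(fixed)])
```

The size threshold and the "within 1 MiB of the last sector" rule are heuristics chosen for this example; a real triage should also compare the table against what the OS reports, since a bootkit can lie to the running system while the live CD sees the raw sector.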
     
  4. 1yousefi

    1yousefi Private E-2

    Thanks for the rapid response!

    I deleted the 1.83 MB partition and ran TDSSKiller (which didn't find anything other than "suspicious" files; no frank malware or rootkits found). I also ran MGtools and attached the log.
     


  5. thisisu

    thisisu Malware Consultant

    MSE is no longer reporting DOS\Alureon.e either, right?
    Your latest logs look fine.

    __

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double-clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double-click this file to run the cleanup program, which will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Be safe :)
     
  6. 1yousefi

    1yousefi Private E-2

    I hadn't enabled it again, wasn't sure if I was supposed to, but I did now, and it seems everything is cleaned up!

    Thank you so much for the help!
     
  7. thisisu

    thisisu Malware Consultant

    You're welcome. Be safe :)
     
