Help! Trojan removal (malware)

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by eZAK, Jan 3, 2012.

  1. eZAK

    eZAK Private E-2

    Here is my situation as it stands:
    I'm running WinXP Pro SP3.
    I have an 80GB master, a 250GB slave, and a 1TB external storage.
    Also run Trend Micro I.S. 2010 Pro

    Then yesterday I ran what I thought was a Windows scan.....NOT......................

    I got a bad virus instead, Trojan: DOS/Alureon.E (according to MS sec. es.)
    So after a hasty shut down!!...............
    I was not able to boot to Windows
    Just 'Error file not found' (flashing, but unusable, prompt)

    I have True Image Home 2010 running (and did make a Bootable Rescue Media)

    My first course of action was to use the Bootable Rescue Media.
    That failed! :(
    The screen did come up but my options were to recover or clone the WHOLE 1TB drive!
    AAARRRRGGG!!!! :(
    So plan 2 was to dump the 80GB master, reload WinXP, then transfer files and folders from the partitioned ext. storage to the main hard drives where needed. My last Backup was on 11/30/2011.
    I thought this would be a safe bet. I was wrong again.
    After reloading T.I.H. I tried to access the ext. storage.
    I now get the message "A.T.I.H. backup archive file is corrupted........try mounting"
    That doesn't work either. I tried every backup I have with the same results

    Also, on a side note, all disks and their partitions appear in 'My Computer', but all 'appear' empty when clicked on, except for the main C: drive, which has one folder, "Windows".
    They all also show a usage when hovered over and in Properties, which one would think means that there IS data stored on them. Correct?

    Please let me know how to remove this!
    and What my next course of action should be!

    I have tried MS Help, tdsskiller, etc.

    Thank You!

    Pat Zak
     
  2. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, eZAK!

    I am unsure what the current state of your computer is.
    You mentioned you hastily shut down your computer and then kept receiving "'Error file not found' (flashing, but unusable, prompt)" upon boot.

    Then later you mentioned that you ran TDSSKiller and MSE which to me sounds like you are able to boot again.

    Trojan: DOS/Alureon.E typically means you have an infected partition on the OS drive.

    If you are able to boot into Windows, please run the scans from the following guide: READ & RUN ME FIRST Malware Removal Guide so that we may check for malware.
     
  3. eZAK

    eZAK Private E-2

    Thanks for replying!

    My original post was intended to be a time line of the problem I have encountered, although it may not have read that way.

    Just so everyone is on the same page, I will run through it briefly.

    On Dec. 30th my computer was infected from a pop up disguised as a MS scan tool. Once I realized it, I powered off the PC.
    Upon the subsequent power up, the PC would boot to Windows.
    I proceeded to recover my back ups by using Acronis True Image. This ended up not working.

    On Dec. 31st I decided to re-install Win XP Pro SP-3.
    Boot to Windows is now successful, but I am unable to access any drives.
    I.E. 8 is installed. Web browsing is now possible.

    Jan. 2nd, Acronis re-installed but access to backup is denied.

    Jan 3rd, MS Security Essentials was installed.
    MSSE identifies a virus as "Trojan: DOS/Alureon.E"
    Numerous attempts have been made to delete this, such as MS Help, TDSSKiller, Malwarebytes, and others.

    Jan. 5th.
    With that said, I will be following your suggestion next.

    Stay tuned!
     
  4. eZAK

    eZAK Private E-2

    OK, I went through both The "Malware removal Guide" and the "XP Malware Removal/Cleaning Procedure"

    Although I can access the drives, the folders show as ghost (previously hidden).

    Logs attached!
     

  5. thisisu

    thisisu Malware Consultant

    Code:
    Description	Disk drive
    Manufacturer	(Standard disk drives)
    Model	WDC WD800JB-00JJA0
    Partition	Disk #0, Partition #1
    Partition Size	10.33 MB (10,829,824 bytes)
    Partition Starting Offset	80,015,523,840 bytes

              Disk #0, Partition #1  10829824       Unknown
    Do you have your data backed up and your Windows XP CD? The Partition #1 entry above (10,829,824 bytes, type Unknown) is a TDL4 partition that needs to be deleted. This is the root of your problems.

    Also need you to run this scan:

    Please download MBRCheck by clicking here and save it to your desktop.

    • Double-click on the file to run it. (Vista/7 right-click and select Run as Administrator)
    • A window will open on your desktop.
    • If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
    • If nothing unusual is found just press Enter.
    • A .txt file named MBRCheck_mm.dd.yy_hh.mm.txt should appear on your desktop.
    • Attach this file to your next message. (How to attach)

    And you forgot to run ComboFix. Please do so now.
     
  6. eZAK

    eZAK Private E-2

    Yes! Data appears backed up and I do have the WinXP CD.

    I did try 'ComboFix' but it froze (unresponsive) on 3 different occasions for 30 min., 45 min., & over an hour!
    This happened on the ".....will take 10min ........or double" page (blue page DOS prompt)

    I'll be gone the rest of the evening. Look for your post tomorrow.

    Thanks
     

  7. thisisu

    thisisu Malware Consultant

    Ok good.

    No problem, thanks for letting me know.

    Here are the next steps to perform:

    Preferably from a clean computer, I need you to download: gparted-live-0.11.0-7.iso (114 MB)

    Create a bootable CD for GParted. You can use ImgBurn to accomplish this.
    If you need help on how to use ImgBurn, please view this guide by dr.m -- Using ImageBurn to Burn an ISO image

    Now boot off of the newly created GParted CD.

    At the first boot menu, press ENTER.
    By default, "do not touch keymap" is highlighted. Leave this setting alone and just press ENTER.
    Choose your language and press ENTER. English is default [33].
    Once again, at this prompt, press ENTER.
    You will now be taken to the main GUI screen.
    According to your logs, the partition that you want to delete is 10.33 MiB (10.33 MB).
    Click the trash can icon to delete and then click Apply.
    You should now see a dialog confirming your actions.
    Is "boot" next to your OS drive? According to your logs, your OS drive is the 74.52 GB sized partition.
    If "boot" is not next to your OS drive under "Flags", right-click the OS drive while in GParted and select Manage Flags.
    In the menu that pops up, place a checkmark in boot.
    Now press the Close button to save these changes.
    Now double-click the Exit button on the GParted desktop.
    You should receive a small pop up; choose Reboot and then press OK.

    Once back in Windows...

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
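    Post 5 identifies a tiny partition of type Unknown at the very end of the disk as TDL4, and post 7 deletes it and checks that the boot flag sits on the OS volume. The following Python check is an added example, not code from this thread or from any tool named in it: it runs those two tests over a partition table constructed from the sizes and offsets quoted above. The WD800JB's total capacity and the OS volume's exact size are assumptions.

```python
# Added example: flag a TDL4-style tail partition and confirm the boot flag,
# using the figures quoted in this thread. Disk capacity and OS-volume size are assumed.
from dataclasses import dataclass

@dataclass
class Partition:
    index: int          # partition number as the log lists it
    start: int          # starting offset in bytes
    size: int           # size in bytes
    fs_type: str        # "NTFS", "Unknown", ...
    boot: bool = False  # boot flag set?

# Assumption: nominal capacity of a WDC WD800JB, in bytes.
DISK_SIZE = 80_026_361_856

# Constructed from the log excerpt in post 5. Partition 0's size is the gap
# between the classic 63-sector start and the offset of partition 1 (assumed).
PARTITIONS = [
    Partition(0, 32_256, 80_015_491_584, "NTFS", boot=True),   # the ~74.52 GiB OS volume
    Partition(1, 80_015_523_840, 10_829_824, "Unknown"),        # 10.33 MiB at the tail
]

MAX_SUSPECT_SIZE = 64 * 2**20   # TDL4 carves out only a few MiB
TAIL_SLACK = 2**20              # "ends at the disk end" if under 1 MiB remains after it

def suspicious_tail_partitions(parts, disk_size):
    """Return (index, reasons) for every partition showing 2+ TDL4 traits."""
    findings = []
    for p in parts:
        reasons = []
        if p.size <= MAX_SUSPECT_SIZE:
            reasons.append(f"tiny ({p.size / 2**20:.2f} MiB)")
        if disk_size - (p.start + p.size) <= TAIL_SLACK:
            reasons.append("ends at the physical end of the disk")
        if p.fs_type.lower() == "unknown":
            reasons.append("unknown filesystem type")
        if len(reasons) >= 2:
            findings.append((p.index, reasons))
    return findings

def delete_partition(parts, index):
    """What the GParted step does: drop that entry and leave the others untouched."""
    return [p for p in parts if p.index != index]

def boot_flag_on_os_volume(parts):
    """Post 7's check: the largest (OS) partition must carry the boot flag."""
    return max(parts, key=lambda p: p.size).boot

if __name__ == "__main__":
    for idx, why in suspicious_tail_partitions(PARTITIONS, DISK_SIZE):
        print(f"partition #{idx}: {'; '.join(why)}")
    cleaned = delete_partition(PARTITIONS, 1)
    print("boot flag on OS volume:", boot_flag_on_os_volume(cleaned))
```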
  8. eZAK

    eZAK Private E-2

    SIR! Mission accomplished SIR!

    Data Attached Sir!

    Please verify Sir!
     

  9. thisisu

    thisisu Malware Consultant

    Good job :)

    I want you to read and follow these instructions: TDSSKiller - How to run
    Note: this is different than the way you have previously run it so make sure to fully read the link :)

    From Add/Remove Programs (via Control Panel), please uninstall the below:
    • Ask Toolbar

    Please download Disable/Remove Windows Messenger to your desktop.
    • Double-click MessengerDisable.exe to run it.
    • Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
    • Click Apply
    • Click Exit

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :files
    C:\Documents and Settings\ZAK.ZAK-MAIN\Local Settings\Application Data\AskToolbar
    C:\Documents and Settings\All Users.WINDOWS\Application Data\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}
    C:\ComboFix
    C:\Documents and Settings\ZAK.ZAK-MAIN\Desktop\ComboFix.exe
    C:\Documents and Settings\ZAK.ZAK-MAIN\Application Data\87279C07-C6BB-4156-B419-315F9CAEB62D
    C:\Documents and Settings\ZAK.ZAK-MAIN\My Documents\862c458d-e8b7-4b01-beeb-ab8c756baf4d.com
    C:\Documents and Settings\ZAK.ZAK-MAIN\My Documents\superantispyware.db3
    C:\Documents and Settings\ZAK.ZAK-MAIN\My Documents\SUPERAntiSpyware.exe
    C:\Documents and Settings\ZAK.ZAK-MAIN\My Documents\Uninstall.dat
    C:\Documents and Settings\ZAK.ZAK-MAIN\My Documents\Uninstall.dat-journal
    C:\Documents and Settings\ZAK.ZAK-MAIN\My Documents\RUNSAS.EXE
    C:\Documents and Settings\ZAK.ZAK-MAIN\My Documents\PROCESSLISTRELATED.DB
    C:\Documents and Settings\ZAK.ZAK-MAIN\My Documents\PROCESSLIST.DB
    C:\Program Files\Ask.com
    C:\Program Files\Free Offers from Freeze.com
    C:\NV10281968.TMP
    C:\NV30441584.TMP
    dir /s "C:\WINDOWS\system32\GroupPolicy\" /c
    xcopy %temp%\smtmp\1 "%allusersprofile%\start menu" /s /i /h /y /c
    xcopy %temp%\smtmp\2 "%userprofile%\application data\microsoft\internet explorer\quick launch" /s /i /h /y /c
    xcopy %temp%\smtmp\3 "%appdata%\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar" /s /i /h /y /c
    xcopy %temp%\smtmp\4 "%allusersprofile%\desktop" /s /i /h /y /c
    :reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "RegistryBooster"=-
    "SUPERAntiSpyware"=-
    [HKEY_USERS\S-1-5-21-527237240-1275210071-839522115-1003\Software\Microsoft\Windows\CurrentVersion\run]
    "RegistryBooster"=-
    :commands
    [purity]
    [emptytemp]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    Now download a new copy of ComboFix to your desktop.
    Try to run this new copy by doing the following:
    Click the Start button > Run, copy and paste this command in the box: "%userprofile%\desktop\combofix" /nombr, then click OK.

    If it runs this time, attach c:\ComboFix.txt

    Regardless of if you were able to get ComboFix to run or not, complete the below:

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    Also let me know how the PC is running.
     
  10. eZAK

    eZAK Private E-2

    Mission Incomplete!

    OTL Froze! Did Not Complete!

    Other mission objectives have been reached!

    Data Attached!

    Computer seems to be running A OK.
     

  11. thisisu

    thisisu Malware Consultant

    Attached is peek.zip.
    Inside is peek.bat. Extract peek.bat to your desktop and run by double-clicking it. Attach the peek.txt file that pops-up when it is finished to your next message. (How to attach)

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     

    Attached Files: peek.zip (574 bytes)
  12. eZAK

    eZAK Private E-2

    Done!


    As far as the PC condition is concerned, I did notice that most sub-folders still appear as Ghost (Hidden).
     

  13. thisisu

    thisisu Malware Consultant

    Which folders are you referring to? Give me some examples.
     
  14. eZAK

    eZAK Private E-2

    Just about every folder in C: drive has ghost folders.

    Example; When I double click on 'Doc & Sets' all the folders in there will be as if they are supposed to be hidden (ghost)
     
  15. thisisu

    thisisu Malware Consultant

    Please download RogueKiller to your desktop.

    Rename RogueKiller.exe to winlogon.exe
    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the number "6" and press ENTER.
    When it is finished -- Notepad will open with the report and the log is saved to your desktop.
    Attach RKreport[1].txt to your next message. (How to attach)
    You can now type the number "0" and press ENTER to exit RogueKiller.

    Let me know if this helped at all.
     
  16. eZAK

    eZAK Private E-2

    Yes! That worked on the folder issue.
     

  17. thisisu

    thisisu Malware Consultant

    Good ;)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (this uninstall will only work as written if you installed ComboFix on your Desktop like we requested).
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required.
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between the combofix" and the /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double-clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double-click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Take care and be safe! :)
     
  18. eZAK

    eZAK Private E-2

    Congratulations on a Job Well Done Soldier!

    A Big HHOOO!!!! RRAAAHHHHH!!!!!!

    :major Goes out to you and Major Geeks!


    I resolve to be a lot safer browser!



    Thanks Again! :major
     
  19. thisisu

    thisisu Malware Consultant

    You're welcome :)
     
