Trojan:DOSAlureon.A Keeps Coming Back

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by DavyCarradice, Dec 5, 2010.

  1. DavyCarradice

    DavyCarradice Private E-2

    Good Evening from Scotland

    I am having a bit of a nightmare with the above and wonder if you could help. This started about two or three weeks ago - probably as a result of another user being on messenger / facebook and the likes.

    I have been running AVG (free) 9 but it did not see it coming!

    First signs of the problem were when I clicked on a Google search result and was regularly redirected. I was eventually sent to a page which said my security had been bazooka'd by someone and gave me an email address to contact. I should have taken details but didn't.

    I eventually downloaded Microsoft Security Essentials (MSE) and it found the trojan when I started the computer. It either suspends or removes it and then asks for a computer restart to complete the process. If I use the internet at this point it seems ok with no redirect, but I am not sure what is happening in the background and the processor/fan seems to be working in overdrive.

    On restart the trojan is back - MSE finds it and suspends or removes it and asks for a restart and we are back on the merry-go-round.

    I regularly get an error message on restart saying MSE could not complete the process.

    I followed all of your instructions in the Windows XP Cleaning Procedure Section. Before running anything I disconnected from the internet (unplugged from wireless box) but I did not run the programmes from safe mode - just normal.

    Everything went fairly well until I started using ComboFix. It objected to AVG 9 although I thought I had removed this. I tried to remove AVG 9 but it was not happy being removed whilst MSE was present. So I removed MSE and then tried again to remove AVG 9 but it refused. I found a removal tool on another site apparently posted by AVG staff and this seemed to have removed AVG 9 but there were still bits of it apparent such as icons.

    Anyway, I tried ComboFix again and it agreed to proceed on the understanding that it still thought AVG 9 was present and it was my fault if anything went wrong. The only significant thing, I think, that ComboFix came up with was that it detected rootkit action and restarted before it continued?

    Everything else seemed to work fine. At the end I reloaded MSE from the internet and when I eventually rebooted MSE said it had found the trojan and we were back on the merry-go-round. So it seems that I have not been able to delete the trojan.

    At the moment I have left all of the internet and other settings as instructed prior to carrying out all of the checks.

    From what I have read it seems that I have something in my rootkit (not sure if that's the right term) so the deletion of the trojan by MSE is only superficial and it reloads every time I restart the computer?

    thanks

    Davy

  2. DavyCarradice

    DavyCarradice Private E-2

    Final log attached

    thanks

    Davy

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please also download MBRCheck to your desktop
    • Double click MBRCheck.exe to run (Vista and Win 7: right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )

    Download TDSSKiller from Kaspersky directly onto your Desktop
    • Now reboot into safe mode.
    • From safe mode, double click the TDSSkiller.exe file to run it ( if using Vista or Windows 7 do not double click on it but rather, right click and select Run As Administrator. )
    • Allow the application to run if prompted by Windows or any security programs you have installed
    • It will start the scan and run rather quickly and will notify you of whether anything is found or not.
    • Follow the instructions to delete/quarantine if it asks you what to do when it finds something.
    • Whether an infection is found or not, a log file should be created on your C: drive ( or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )

    You can reboot into normal mode to attach your logs.
  5. DavyCarradice

    DavyCarradice Private E-2

    Hi

    Thanks very much for the quick response. I have done what you told me to - don't want to speak too soon but MSE hasn't found anything on the last two restarts.

    I have attached the two logs asked for.

    ta

    Davy

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not too sure it actually fixed your problem. It looks like you may have a Master Boot Record ( MBR ) infection and we may need to use your Windows CD to fix it. Do you have your CD?

    Let's try those last two scans again but this time I want you to run them in the opposite order. Run TDSSkiller first and make sure that you reboot. Then run MBRcheck. Attach the two new logs.
     
  7. DavyCarradice

    DavyCarradice Private E-2

    Hi

    I think I have found the CD

    Did the checks again and logs attached

    Thanks for all this help

    Davy

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay the TDL4 ( Alureon ) infection does seem to be gone. Your MBR is just showing as unknown but this may be due to it being a Dell PC which uses non-standard MBRs to allow for their Recovery Partition.

    If everything is still working okay, I think we should ignore the non-standard MBR and just move on to final steps.



    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
