Trojan:Win32/NTAlureon.C can't clear off computer. USBs not working.

Discussion in 'Malware Help (A Specialist Will Reply)' started by vectrex, Apr 13, 2009.

  1. vectrex

    vectrex Private E-2

    Have not been able to find anyone with this trojan on any of these sites, really need help. Use Malwarebytes, Spybot, AVG 8.5, Windows Malicious Software Removal, and deep scan from Windows, but the only program that picks up on the trojan is the WMSR (Windows one). It will say "found and removed" but if I run the program straight away again it says the same thing. I have Windows XP Professional, have updated everything, ran Secunia, everything seems fine there. Can't use USBs, keep getting redirected to random Google sites, have had all my system restore points disappear, also had a problem with "%fystemRoot%" but managed to find a way to repair it to "%SystemRoot%". Before the repair I also couldn't update or system restore, but fixing the "f" to an "s" seemed to fix this.

    Have had this problem posted at another site but no-one seems to know anything or be able to help. Maybe this doesn't seem like a big problem to anyone, but this is huge to me. For business and home use, and banking, eBay and PayPal. Very concerned my details are out there; don't know if this computer is safe anymore. PLEASE some expert advice. I am in over my head.
     
  2. Corporal Punishment

    Corporal Punishment Head of Software Shenanigans Staff Member

    Sounds like a false positive - pretty typical these days. But to be safe:

    Please begin by clicking Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices.
    • Scroll down to “Non-plug and Play Drivers” and click the plus icon to open those drivers.
    • Then search for TDSSserv.sys
    • Let me know if you find this or not.
    • If you do find it, right click on it, and select Disable. Do not try to uninstall it.
    • Also if TDSSserv.sys is found and you disable it, then reboot.
    • After reboot continue on with the below cleaning instructions.

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    Notes:
    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode, but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools on another PC and burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
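    The two indicators the thread has named so far are a hidden "Non-plug and Play" driver called TDSSserv.sys (the Device Manager steps above) and registry values that reference a corrupted "%fystemRoot%" variable instead of "%SystemRoot%" (the symptom in the first post). The script below is an added example, not code from the thread or from any tool it mentions; it only reads the registry and the loaded-driver list and reports what it finds, so it can be run before deciding whether to disable anything. It assumes an elevated PowerShell prompt and uses only built-in cmdlets; the list of autostart keys it scans is my own choice, not something the thread specifies.

```powershell
# Added example (not from the thread): read-only checks for
#   1. a service/driver entry named or pointing at TDSSserv.sys, and
#   2. registry values that use the corrupted "%fystemRoot%" variable name.
# Nothing here disables, deletes or rewrites anything; it only reports.

function Find-ThreadIndicators {
    $findings = New-Object System.Collections.Generic.List[object]

    # Device Manager's "Non-plug and Play Drivers" list is populated from the
    # service entries under this key (Type 1 = kernel driver).
    $servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in (Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue)) {
        $props = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        $image = [string]$props.ImagePath

        if ($svc.PSChildName -like 'TDSSserv*' -or $image -match 'TDSSserv\.sys') {
            $findings.Add([pscustomobject]@{
                Indicator = 'TDSSserv service/driver entry'
                Location  = "$servicesKey\$($svc.PSChildName)"
                Detail    = "ImagePath=$image Start=$($props.Start) Type=$($props.Type)"
            })
        }
        # A service whose image path uses the corrupted variable would fail
        # to start, which matches the "could not update/restore" symptom.
        if ($image -match '%fystemRoot%') {
            $findings.Add([pscustomobject]@{
                Indicator = 'ImagePath references %fystemRoot%'
                Location  = "$servicesKey\$($svc.PSChildName)"
                Detail    = "ImagePath=$image"
            })
        }
    }

    # Cross-check against the driver list the kernel actually has loaded.
    foreach ($drv in (Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue)) {
        if ($drv.Name -like 'TDSSserv*' -or [string]$drv.PathName -match 'TDSSserv') {
            $findings.Add([pscustomobject]@{
                Indicator = 'TDSSserv driver (Win32_SystemDriver)'
                Location  = $drv.Name
                Detail    = "State=$($drv.State) Started=$($drv.Started) Path=$($drv.PathName)"
            })
        }
    }

    # Autostart and environment keys to scan for the corrupted variable name.
    # This list is an assumption for the example, not taken from the thread.
    $keysToScan = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
        'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
    )
    foreach ($key in $keysToScan) {
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSChildName, etc.
            if ([string]$p.Value -match '%fystemRoot%') {
                $findings.Add([pscustomobject]@{
                    Indicator = 'Value references %fystemRoot%'
                    Location  = "$key\$($p.Name)"
                    Detail    = [string]$p.Value
                })
            }
        }
    }

    # Finally, make sure the live SystemRoot variable resolves to a real folder.
    $sysRoot = [Environment]::GetEnvironmentVariable('SystemRoot')
    if (-not $sysRoot -or -not (Test-Path -Path $sysRoot)) {
        $findings.Add([pscustomobject]@{
            Indicator = 'SystemRoot environment variable missing or invalid'
            Location  = 'process environment'
            Detail    = "SystemRoot='$sysRoot'"
        })
    }

    # The leading comma keeps the (possibly empty) list from being unrolled.
    return ,$findings
}

$results = Find-ThreadIndicators
if ($results.Count -eq 0) {
    Write-Output 'No TDSSserv driver entry and no %fystemRoot% references found.'
} else {
    $results | Format-Table -AutoSize -Wrap
}
```

    If the first check reports a TDSSserv entry, the Start and Type values in the Detail column tell you whether it is registered as a boot-start kernel driver, which is the case the Device Manager steps above (disable, do not uninstall, then reboot) are written for. The script deliberately stops at reporting so that the forum's own procedure stays the only thing that changes the machine.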
     
  3. vectrex

    vectrex Private E-2

    Hi, thank you so much for getting back to me! After not hearing something for a while I went searching (for hours!) again on Google and this forum and did complete the "Read and run me first" section. This did find things and clear things up - well it seems to have anyway. USBs are working again, Trojan is all gone, although my screen did go funny this morning: the start bar went to the top of the screen and kept kind of jumping, the screen was mostly white but the icons kept skipping to different places on the screen, so I couldn't safely shut down and ended up having to push the off button on my tower. This happened to my last computer in the weeks leading up to it crashing; don't know if this is just the monitor and a weird coincidence, or if this is a sign that my new computer (this one) is going to die also.

    Anyway, have included the logs you requested; these are the ones that I got a couple of days ago when I completed them from the read and run me first thread.
     

    Attached Files:

  4. vectrex

    vectrex Private E-2

    Hi again, am having some minor issues with my computer still, and have tried to run through the 'Read and run me first' things again, but after double clicking on ComboFix it goes to the run page and I click run and then I get the blue screen and flashing cursor, but nothing else happens. It just stays like that. I might add that SuperAntiSpyware, Malwarebytes, Spybot, AVG and Malicious Software Removal all show no threats. But I still occasionally get redirected (jump) to pages from Google, and my screen goes weird about once a day (goes mostly white, icons disappear or move to a different spot, start bar goes to top of page, therefore cannot safely restart computer because I can't see what I'm clicking; also my computer is only 3-4 weeks old and changing monitors does not fix it) so I end up having to push the restart button. And as of today when I open an application it sometimes freezes when I try to minimise it, and the icons on the desktop won't work, and if I open any more pages they just open and then freeze on top of the other frozen page. So I can be left with 5 or so pages frozen and unable to minimise/close any of them, but can still restart the computer from the start bar. Have got all my photos off onto a USB just in case the PC is going to crash; please let me know if you think this is a computer issue (it is under warranty for 3 years) or a virus?
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Some/many of your problems may not be malware. Let's address what I see (like the redirection issue) and see what happens.

    When did you install IE8 and when did your problems begin?

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.


    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run Ccleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  6. vectrex

    vectrex Private E-2

    OK, I downloaded the latest Internet Explorer not long after getting the new computer (about 2 weeks ago). The problems with my computer redirecting, weird screen etc. were around about a day or two after doing the whole "read and run me first" thing.

    But my old computer also used to get the weird screen issue; it started about a month or two before it died. This is why I was concerned that it was a virus, as my old computer did the same thing then crashed. But I definitely didn't have the latest Internet Explorer on the old one. It will be a couple of days to see if the screen issue is resolved as it happens every one or two days. So I will just have to wait and see for that one.

    As for attaching the logs, I did everything you said, including saying yes to rebooting after the "avenger" program, but I cannot find the log for it. I even searched for it in the search section, but with no luck. I do have the logs for MGtools attached though. Not sure what went wrong with the avenger ones? Didn't want to run it again till I'd heard from you.
     

    Attached Files:

  7. vectrex

    vectrex Private E-2

    Still having screen issues. Went to click on email and the screen went weird again; after moving the mouse randomly around the mostly white screen, I saw a flickering message that, when I put the mouse on one certain area of the screen, I managed to get to stay, and it was something like "MSOE couldn't open, maybe it isn't installed" but obviously it is installed. Also, today I got a new trojan, which I found by running Malwarebytes because I got an email from apparently my phone/internet company that looked suspicious and told me that I had registered with a password and user name for internet bills, which I hadn't actually done. So I rang my company and they said some information at their end suggested something dodgy was going on and that the email wasn't from them, but their records said something about a registration on my account. This was for direct debit from my bank account, so I was very lucky to catch on quickly and not forward my details to the email. Also someone tried to register me to Jamstar yesterday, and I had to ring Jamstar to let them know that it wasn't me that registered, and they told me that a registration had been done via internet the same day. So now I am very concerned because someone obviously has my details including the correct spelling of my name (it is unusual), my mobile number, my email address and some of my account details for my internet/phone company. I had already changed my passwords for banking, eBay, PayPal etc. from a different, clean computer, but someone knows my stuff and is actively trying to mess with me. The new trojan was "Trojan.Agent". This must have been from that email as I have not downloaded anything nor received any other weird email, and there was no trojan on here yesterday.

    I do not use a firewall other than Windows at the moment because I don't know which one is the best to use. I did try to download one from here that was recommended, but during installation my computer said that there was a massive error and force shut itself down to protect itself. So I'm a bit scared about doing it again. It said something like fatal error.

    Arrrrrrgggghhhhh!!!!! HELP!
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    So why were you running the READ & RUN ME if you were not having problems?


    You did not attach the log for MGtools. The log for MGtools is always C:\MGlogs.zip

    The problems with your screen are not malware problems.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Since this has been happening to you, the safest and most reliable course of action is to perform a total clean reinstall.

    Even though logs can appear clean, there are no guarantees that something is not hiding somewhere and since you are having so many problems, the reinstall would be a good idea anyway. We could perform a scan for rootkits which I will post below, but your PC may still be untrustworthy even if we find and remove anything.

    Please run this: Running GMER to detect rootkits and attach the GMER log.

    Also run this: Using Dr.Web CureIt and attach the log. Don't be alarmed by some of the results from this scan. It falsely detects some files used by ComboFix and MGtools as problems and they are not problems.



    Any firewall would have been better than the Windows firewall.
     
    Last edited: Apr 27, 2009
