help with Alureon.A on win7

Hello,
I have a huge problem. Yesterday my son was playing some games and the laptop rebooted itself and from that point on, I can't do anything with it. I somehow managed to run a scan with MSE and it showed me that my laptop is infected with DOS/Alureon.A however, when I click to remove it, it says it did, but the problem is still there and additional scans show it's still there. I can't run any other anti virus program (ad-aware, malwarebytes) to help me remove it. Moreover, I can't run ANY .exe files on that laptop except for MSE and somehow Hitman Pro. I managed to scan the laptop with HitMan and I got this:

Master Boot Record (Sector 0) Rootkit
Rootkit. MBR.Pihar.D (Boot Image) (Engine A)
Trojan.Tdlphaze.1
Rootkit.Win32.Pihar!IK
Win64/Bootkit

From what I managed to find I know that Alureon rewrote my MBR.
I've tried Safe Mode, Safe Mode with Networking, and nothing helps. For the life of me I can't run any .exe files (programs). I even tried to rename them and changing them to .com but still NOTHING. Can't even use Win Recovery Disc. It does not load. Can't even use internet
I'm just lost. All info I found involves installing some programs, which are not an option to me (can't run them). Please help! Any help will be very appreciated.

I'm on win7 64 bit

Please forgive me if I posted in the wrong section, first time posting!

Konrad

 

Hi and welcome to Major Geeks, konrad74!

http://img406.imageshack.us/img406/3189/windowsrepair.gif Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop on the PC with the infection.

Open up this newly created folder and then open the "files" folder (...\windows repair v1.6.3\files)
From here, locate the fix_exe_hijack.inf file and then Right-mouse click it one time, then choose "Install".
Once you have done this, you should now be able to open applications again.
Let me know the results or if you need additional help.

If applications now open, immediately start reading and following the instructions in this thread: How to Remove TrojanOS/Alureon.A

 

Hi thisisu!
Thank You for responding.
I tried your suggestion, unfortunately it did not work. After right-clicking on the file and selecting 'install' I'm getting an Error window saying "Installation failed'. I also tried installation in safe mode and still nothing.

 

In the same directory, there is one called: FixNCR.reg
Double-click this and allow it to merge into the registry. Try to launch programs afterwards if the merge was successful.

 

No such file, here is the list of files in this dir:
firewall_reg_permissions.txt
firewall_settings.reg
fix_exe_hijack.inf
psexec.exe
psexec/exe_eula.txt
regini.exe
setACL.exe
subinacl.exe
system_files_reg_list.txt

It's not even in the main directory.

 

Sorry, must have been something I added to the one I have.

You can get the individual file from here: FixNCR.reg

 

still nothing

 

Try rebooting to see if you can launche .exes then. You can run FixNCR.reg again after reboot.

Another thing to try is:

http://img805.imageshack.us/img805/9659/rktigzy.gif Please download RogueKiller to your desktop.

Rename RogueKiller.exe to firefox.com
Double-click firefox.com to run. (Vista/7 right-click and select Run as Administrator)
When it opens, press the Scan button
When it is finished, there will be a log on your desktop called: RKreport[1].txt
Attach RKreport[1].txt to your next message. (How to attach)
Then you can press the Delete button. Then attach RKreport[2].txt to your next message.

 

can't run the RogueKiller - nothing happens

 

Rename firefox.com to winlogon.exe
Then try to launch winlogon.exe

 

nothing

 

A few others to rename Roguekiller to:

• winlogon.pif
• winlogon.scr
• svchost.exe
• firefox.exe

Also, you can try running these multiple times, same applies to the FixNCR.reg and fix_exe_hijack.inf files

 

changing names didn't help

 

a question, Hitman Pro managed to find it and it's the only (along with useless MSE) program I can run. The problem is my 30-day free trial ended. I know I can purchase the activation key online and enter it in the program, but I think it needs internet to verify the key. Any idea if that would work - I mean help to actually remove the trojan?

 

Are you still able to launch Hitman Pro? And yes I believe you do need internet to activate the product. Have never done it myself as it's not needed.

Can you try the below:

http://img827.imageshack.us/img827/1263/frst.gif For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
• Use the arrow keys to select the Repair your computer menu item.
• Choose your language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
• Restart your computer.
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
• Click Repair your computer.
• Choose your language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account an click Next.

On the System Recovery Options menu you will get the following options:

• Startup Repair
• System Restore
• Windows Complete PC Restore
• Windows Memory Diagnostic Tool
• Command Prompt

Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please attach this log to your next reply. (How to attach)

 

ok, I managed to run the scan - attached is the log file

 

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Attached is fixlist.txt

• Save fixlist.txt to your flash drive.
• You should now have both fixlist.txt and FRST64.exe on your flash drive.

Now re-enter System Recovery Options.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt).
Please attach this to your next message. (How to attach)

Now continue with the Read and Run Me first

 

here is the log file

 

Looks good. You should be able to run the .exes from the Read and Run Me First thread now. Let me know if you still cannot.

 

ok, I think I'm in the clear now, thanks to YOU!
I have no idea what, but something got rid of the trojan.
I run scans with all programs you mentioned along with a couple of others I have on that machine. Nothing found. I went thru the steps in the link you sent me and I attached the log file. Also, I attached the log file for the RougueKiller. Could you please take a quick look at these logs to see if the infection was in fact removed.

 

You're welcome.

The FRST fix did the trick.

These logs look fine, however, I would recommend that you attach all the other logs even though they did not find anything. The MGlogs.zip will help me a lot to locate any leftovers.

 

I can't get the MGtools to run. Windows keeps asking me if I allow MG to modify registry and even if I click 'yes' it just repeats itself (the window pops up again). Clicking yes does not do anything. I guess we will have to end it at that. Thanks again for all your help! I could not have done that without you!!!!

 

You're welcome.