Trojan: dos/alureon.a

Welcome to Major Geeks!

You have several infections.

Download this >> View attachment fixlist.txt


Save fixlist.txt to your flash drive.

• You should now have both fixlist.txt and FRST64.exe on your flash drive.

Now reboot back into the System Recovery Options as you did previously.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt).
Please attach this to your next message. (See how to attach)

Now boot into normal Windows can continue with the below.


Now run the READ & RUN ME if possible and attach the logs from it.

 

• Tell me exactly what happens?
• Can you boot your PC up in normal mode?
• Do you get to having your Desktop displayed?
• What exactly happens when you try to run something? What have you tried to run?

Please run run a full scan with FRST like you did when you were posting your first message. Attach the new log.

 

Okay it sounds like you have the ability to run some things. Let's see if you can run the below. Try each step.


Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click and choose Run as Administrator



You only need to get one of them to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

1. Rkill.exe
2. Rkill.com
3. Rkill.scr
4. Rkill.pif

Once you've tries them, immediately run the following even if Rkill did not seem to run.

Try running MGtools per the instructions here > Using MGtools

Your last log from FRST does show you still have a serious infection that we arleady tried to remove. The below shows

 

Did the C:\MGtools folder get created? If yes, look in this folder and see if you can run the FixFA.bat program by right clicking on it and selecting Run As Administrator.

 

Also let's try another fix with FRST. I will also have it kill a couple items from Spybot and Adware to make sure they are not getting in the way. Next step may be to remove Symantec.


Download this >> View attachment fixlist.txt


Save fixlist.txt to your flash drive.

• You should now have both fixlist.txt and FRST64.exe on your flash drive.

Now reboot back into the System Recovery Options as you did previously.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt).
Please attach this to your next message. (See how to attach)

Now boot into normal Windows and continue with the below.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• Fixlog.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Indeed!

Please run run a full scan with FRST like you did when you were posting your first message. Attach the new log. I want to see if we were really able to remove the C:\Windows\svchost.exe file. I tend to doubt it. I believe you do have a partition level infection which has to be fixed before we can get rid of this file. But without being able to run some to the other tools, it is problematic.

Do you have all important data backed up? You could be heading towards a reinstall. Also attempts to remove this infection could result in making things worse since we cannot run some of the typical tools.

​

 

Well the below infection is still present and this is the problem. If we could get your PC to boot and run a couple tools like TDSSKiller, we could probably fix it.

You can try making the below special boot CD using another computer. Then use it to try an fix the problems. It may or may not work.


The Kaspersky WindowsUnlocker utility to fight ransom malware

 

Looking much better.


Uninstall the below old versions of software:
Java(TM) 6 Update 33
Java(TM) 7 Update 5

Now install the current version of Sun Java from: Sun Java Runtime Environment


Please download OTM by Old Timer and save it to your Desktop.

• Right-click OTM.exe and select Run as administrator to run it.
• Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
  (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
  the code box

Code:

:Processes
explorer.exe
 
:Files
C:\Program Files (x86)\Mozilla Firefox\searchplugins\babylon.xml
C:\Windows\TEMP\*.*
C:\Users\MorDirn\AppData\Local\Temp\*.*
 
:Reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Prod.cap]
[-HKEY_USERS\S-1-5-21-2000701249-2408814517-837372123-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}]
:Commands
[purity]
[EmptyTemp]
[start explorer]

[Reboot]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar
  ) and choose Paste.
• Now click the large http://forums.majorgeeks.com/chaslang/images/MoveIt!.png button.
• If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
• Close OTM.

Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
this log file to your next message.


Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• the C:\_OTM\MovedFiles log
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Per the READ & RUN ME, you should not be doing anything but what we ask you to do.

You forgot to tell me how things are working. If everything is okay, continue with the below.


If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
3. Go back to step 4 oof the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
6. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 6 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

Excellent. I glad we were able to fix it without having to reinstall.