Aleuron Trojan

Discussion in 'Malware Help (A Specialist Will Reply)' started by Thereisnosaurus, Feb 9, 2011.

  1. Thereisnosaurus

    Thereisnosaurus Private E-2

    Hello, I contracted a trojan some time ago. The original one successfully corrupted my main drive, causing it to suffer from a reboot loop. I took the computer into a tech support centre and they recommended a reformat and reinstall.

    As I had data I wanted to recover on the infected drive, they suggested I install Windows on a new hard drive while my other drives were disconnected, install MSE and then reinstall the old hard drives and immediately scan them. I did this and discovered several threats and removed them, but continued to get a threat detected popup, which appears to be the same trojan that caused the problem in the first place. A friend suggested I try using TDSSKiller, which I did. It detected the trojan but failed to remove it. Once I recovered the data I needed, I formatted the old Windows drive and then did another clean install, since I had very little software installed and I thought this might finally get rid of the thing. Apparently not.

    I've followed the Read and Run Me First procedure; however, I skipped parts 1 through 3 as I'm working off a new installation of Windows, and the only software I have installed is the basic Google Pack software, MSE and the requisite tools. If I still need to do those checks, please stop here, tell me and I'll redo the process.

    I followed the remaining procedure; however, I ran into an error when working with RootRepeal. When starting the program I got the following error:

    FOPS - DeviceIoControl Error! Error Code = 0xc0000024 Extended Info (0x000000e0)

    The program then started normally, I followed the instructions and when starting the scan got the following error:

    could not initialise driver! please contact author! once for each hard drive and

    could not scan drive H (error 0xc0000024) once, which is an external USB connected hard drive.

    All other scans worked normally; I have attached the logs as requested. I have reactivated MSE in the meantime and it is still detecting the trojan.

    Thanks in advance for your assistance.
     

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Where exactly is the trojan being located? Let me know the file path that MSSE reports. Because after you have done so I am going to ask that you uninstall MSSE temporarily whilst I have you run TDSSKiller again and attach the log.
     
  3. Thereisnosaurus

    Thereisnosaurus Private E-2

    Thanks for your help.

    This is what I can pull from MSE.

    The trojan is appearing in a couple of different places. These are the two paths being reported:

    boot:\Device\Harddisk3\DR3
    boot:\Device\Harddisk3\DR3\(MBR)

    boot:\\.\PHYSICALDRIVE3\(MBR)\(MBR)\(MBR)\(MBR)
    boot:\\.\PHYSICALDRIVE3\(MBR)\(MBR)\(MBR)\(MBR)\(MBR)
    boot:\\.\PHYSICALDRIVE3\(MBR)\(MBR)\(MBR)\(MBR)\(MBR)\(MBR)
    boot:\\.\PHYSICALDRIVE3\(MBR)\(MBR)\(MBR)\(MBR)\(MBR)\(MBR)\(MBR)
    boot:\\.\PHYSICALDRIVE3\(MBR)\(MBR)\(MBR)\(MBR)\(MBR)\(MBR)\(MBR)\(MBR)

    (presumably the MBR iteration is just the thing copying itself, but I included them to be safe)

    I'll edit in the TDSSKiller logs shortly.
    Edit: uninstalled MSE, ran TDSSKiller with identical results to previous. Log is attached.
     

    Last edited: Feb 9, 2011
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Run the below too after running TDSSKiller with MSSE uninstalled. I just want to see if it makes a difference without it possibly interfering.

    Please also download MBRCheck to your desktop

    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some data on it
    • Right click on the screen and select > Select All
    • Press Control+C
    • Open a notepad and press Control+V
    • Now please ATTACH that report to this thread.
     
  5. Thereisnosaurus

    Thereisnosaurus Private E-2

    Done. MBRCheck results attached.
     

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    • Download bootkit_remover.rar
    • Click the underlined DOWNLOAD text to download the file and save it to your Desktop.
    • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip.
    • After extracting remover.exe to your Desktop, double click the remover.exe file to run the program.
    • Attach or post inline here, the output from remover.exe
     
  7. Thereisnosaurus

    Thereisnosaurus Private E-2

    Running it has the following result:

    >>>>>>>>>>>

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows 7 Ultimate Edition (build 7600), 32-bit

    System volume is \\.\C:
    main(): CreateFile() ERROR 5
    ERROR: Can't open volume device \\.\C:

    Done;
    Press any key to quit...

    <<<<<<<<<<<<<

    I have attached the log output.
     

  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    What are drives E:\ and G:\?
     
  9. Thereisnosaurus

    Thereisnosaurus Private E-2

    Both are data drives. One stores the primary files for most of my work (writing and digital art) as well as my games, and the other is mostly empty; it only has a few utility apps like 7-Zip and Winamp.

    As a note, both drives have a folder called $RECYCLE.BIN that respawns if deleted. I'm not sure if these are system files or possibly a trojan vessel.

    Edit: the G drive is the main data one, E is the utility app drive.
     
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Do you have all important data backed up? You really should do this before continuing since we will need to rewrite your MBR to fix this and while most times this can be done without any problem, these infections can react badly and that could result in a PC not being bootable. You really don't have much choice though since these infections are too dangerous to your security to leave on a PC.

    Also note if you have a Dell PC which uses a non-standard MBR (or another manufacturer's which does similar to Dell), fixing the MBR may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not continue, but you risk serious problems leaving this infection in place and thus your only other option would be to try using the Dell Restore Utility to return to a factory ship state, which will remove everything additional you have put onto the PC.

    Now if you wish to continue and fix the malware - please do the following:
    • Run MBRCheck.exe
    • Wait until you see the following lines:
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
      • Options:
        [1] Dump the MBR of a physical disk to file.
        [2] Restore the MBR of a physical disk with a standard boot code.
        [3] Exit.
        Enter your choice:
    • Please push the 'Y' key and then press Enter
    • When the program asks you to Enter your choice: enter 2 to Restore the MBR and press the Enter key
    • Now the program will ask you to "Enter the physical disk number to fix (0-99, -1 to cancel):"
      • Enter 5 and press the Enter key.
    • The program will show Available MBR codes as below
    • You need to select your version of Windows from the list. For example, enter 0 or 1 for XP or enter 3 for Vista.....etc. and then press Enter.
    • The program will prompt for confirmation. Type 'YES' and hit Enter.
    • Left click on the title bar (where program name and path is written). From the menu choose Edit -> Select All
    • You will see all the text in the window get highlighted.
    • Hit the Enter key on your keyboard to copy all of the text into the clipboard.
    • Paste that text into Notepad, save it to your desktop as MBRfix.txt
    • Restart your PC.
    • Attach the MBRfix.txt file to your next message.
    Also tell me how things are working.
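    A defender-side check that goes with the "Dump the MBR of a physical disk to file" option above: it parses a 512-byte MBR image, verifies the 0x55AA boot signature, lists the partition entries and compares the SHA-256 of the 446-byte boot code with a set of known-good hashes, so a dump can be checked before and after the restore step. This is an added example, not MBRCheck's own code or anything from this thread; the sample MBR bytes and the reference hash are constructed here, and a real reference hash would come from a clean dump of the same Windows version.

```python
import hashlib
import struct

MBR_SIZE, BOOT_CODE_LEN, PART_TABLE_OFF = 512, 446, 446  # sector = boot code + 4x16-byte table + 0x55AA
SIGNATURE = b"\x55\xaa"

def parse_mbr(mbr: bytes) -> dict:
    """Split a raw MBR sector into boot-code hash, partition entries and signature status."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    parts = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # type 0 marks an unused slot
            parts.append({"index": i, "active": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": mbr[510:512] == SIGNATURE,
            "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts}

def check_mbr(mbr: bytes, known_good_hashes: set) -> list:
    """Return findings as strings; an empty list means nothing suspicious was seen."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] not in known_good_hashes:
        findings.append("boot code does not match any known-good reference hash")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    return findings

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: given boot code, one active type-0x07 partition at LBA 2048."""
    boot = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)
    return boot + entry + b"\x00" * 48 + SIGNATURE

# Constructed reference and a tampered copy. Real known-good hashes must come from a clean
# dump of the same Windows version; the placeholder bytes below are not real boot code.
CLEAN_MBR = build_sample_mbr(b"CONSTRUCTED-CLEAN-BOOT-CODE")
KNOWN_GOOD = {hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()}
TAMPERED_MBR = build_sample_mbr(b"CONSTRUCTED-ALTERED-BOOT-CODE")

if __name__ == "__main__":
    for name, data in (("clean sample", CLEAN_MBR), ("tampered sample", TAMPERED_MBR)):
        print(name, "->", check_mbr(data, KNOWN_GOOD) or ["no findings"])
```

    To check a real dump, read the file with `open(path, "rb").read()` and pass it to `check_mbr` together with a hash set taken from a known-clean dump.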
     
  11. Thereisnosaurus

    Thereisnosaurus Private E-2

    Hi Kestrel, I'll go through the procedure, but I'd just like to check up on some things.

    My computer currently has 5 available drives:

    My current C drive- new, I got it after the virus crash
    My old C drive- completely blank, freshly reformatted
    My old D drive- not much stuff on it, might reformat it as well
    My old G drive- The main storage drive for my important data and also my Steam library (which I really don't want to have to re-download as it's over 100 GB)

    Finally, my external hard drive; this is where I currently have most of my stuff backed up.


    I'd like to back up my documents and Steam games; the rest I can deal with losing. If I copy them all to my old C drive and update my backups on the external, will this be sufficient to ensure no data loss if the process goes black?

    Further, can I freely copy folders without risk of copying the infection onto new drives? Has the infection been cleaned out excepting lower level areas, or do I have to worry about the original infecting files when I transfer stuff for backup?
     
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes, you should be alright.
    Yes you should be okay. Run my instructions and we will see what the next step is.
     
