Alureon.A infection - nothing will open

Welcome to Major Geeks!

Which version of Windows are you running?

 

Yes it is always important to know the OS version.


Click Start, All Programs, and then scoll as nessary until you see he Accessories folder and select it. You see something like below.

http://forums.majorgeeks.com/attachment.php?attachmentid=170564&thumb=1&d=1324150745

Right click on the little black icon saying Command Prompt and select Run As Administrator.

A command prompt window should open with a title of Administrator:Command Prompt. Do you get this?? If yes, continue with the below.

Enter the below command into the command prompt window and hit enter>

tasklist

Did you get a list of running processes? If yes, continue.

Now enter the command as below:

tasklist > proclist.txt


This will put the running process list into the proclist.txt file in your C:\Users\useraccount folder ( where useraccount is your user name ), Attach this proclist.txt file to your next message. (See: HOW TO: Attach Items To Your Post )

 

Yes because for some reason it open up the command prompt in the system32 folder. Did you run it exactly how I requested from Accessories and as Administrator?

Either way, no bad processes are showing there.

See if you can follow the instructions in the below to run MGtools

Using MGtools

 

Where exactly did you save the MGtools.exe file to?


Also Click Start, All Programs, and then scoll as nessary until you see he Accessories folder and select it. You see something like below.

http://forums.majorgeeks.com/attachment.php?attachmentid=170564&thumb=1&d=1324150745

Right click on the little black icon saying Command Prompt and select Run As Administrator.

A command prompt window should open with a title of Administrator:Command Prompt. Do you get this??
What does the prompt in the window show? Is it C:\Windows\system32>

Just keep this command prompt window open if it worked, but just come back and answer my questions.

 

You did not answer my first question in my last post?

 

Okay, then in the command prompt window you have open, do the below.


Enter the below commands at the command prompt each followed by the enter key. Try each command!!!! The bold black are commands. The purple/brown is merely informational. Tell me what happens at each step especially if something fails to work.

• NOTE: If you are running a 64 bit version of Windows, instead of typing GetRunKey and ShowNew in the below, use GRK64 and SN64

cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
nwktst <-- this will try to run all one scan from MGtools. Tell me what error messages, if any, you see.
getnetinf <-- this will try to run all one scan from MGtools. Tell me what error messages, if any, you see.
analyse <-- this will try to run TrendMicro Hijackthis. Click Twice on the Accept button to accept the license agreement if it shows. Then run a scan and save a log. Tell me what error messages, if any, you see.
GetRunKey <-- this will try to run all one scan from MGtools. Tell me what error messages, if any, you see.
ShowNew <-- this will try to run all another scan from MGtools. Tell me what error messages, if any, you see.

Now look for the C:\MGlogs.zip file and attach it no matter what happened while doing the above.

 

Okay. In the command prompt window enter each of the below.

cd C:\ << your prompt should change to c:\>

mgtools.exe << this attempts to run mgtools. What happens?

 

See if the below will run.

Download OTL by Old Timer and save it to your Desktop.
See the download links under this icon http://www.majorgeeks.com/images/dll.gif

• Double-click OTL.exe to start the program.
• Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code
  
  Code:

  netsvcs
  drivers32 
  %SYSTEMDRIVE%\*.*
  %systemroot%\Fonts\*.com
  %systemroot%\Fonts\*.dll
  %systemroot%\Fonts\*.ini
  %systemroot%\Fonts\*.ini2
  %systemroot%\Fonts\*.exe
  %systemroot%\system32\spool\prtprocs\w32x86\*.*
  %systemroot%\REPAIR\*.bak1
  %systemroot%\REPAIR\*.ini
  %systemroot%\system32\*.jpg 
  %systemroot%\*.jpg 
  %systemroot%\*.png 
  %systemroot%\*.scr
  %systemroot%\*._sy
  %APPDATA%\Adobe\Update\*.*
  %ALLUSERSPROFILE%\Favorites\*.*
  %APPDATA%\Microsoft\*.* 
  %PROGRAMFILES%\*.*
  %APPDATA%\Update\*.*
  %systemroot%\*. /mp /s
  CREATERESTOREPOINT
  %systemroot%\System32\config\*.sav 
  %PROGRAMFILES%\bak. /s
  %systemroot%\system32\bak. /s
  %ALLUSERSPROFILE%\Start Menu\*.lnk /x 
  %systemroot%\system32\config\systemprofile\*.dat /x
  %systemroot%\*.config
  %systemroot%\system32\*.db
  %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
  %USERPROFILE%\Desktop\*.exe
  %PROGRAMFILES%\Common Files\*.*
  %systemroot%\*.src
  %systemroot%\install\*.*
  %systemroot%\system32\DLL\*.*
  %systemroot%\system32\HelpFiles\*.*
  %systemroot%\system32\rundll\*.*
  %systemroot%\winn32\*.*
  %systemroot%\Java\*.*
  %systemroot%\system32\test\*.*
  %systemroot%\system32\Rundll32\*.*
  %systemroot%\AppPatch\Custom\*.*
  %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
  %PROGRAMFILES%\PC-Doctor\Downloads\*.*
  %PROGRAMFILES%\Internet Explorer\*.tmp
  %PROGRAMFILES%\Internet Explorer\*.dat
  %USERPROFILE%\My Documents\*.exe
  %USERPROFILE%\*.exe
  %systemroot%\ADDINS\*.*
  %systemroot%\assembly\*.bak2
  %systemroot%\Config\*.*
  %systemroot%\REPAIR\*.bak2
  %systemroot%\SECURITY\Database\*.sdb /x
  %systemroot%\SYSTEM\*.bak2
  %systemroot%\Web\*.bak2
  %systemroot%\Driver Cache\*.*
  %PROGRAMFILES%\Mozilla Firefox\0*.exe
  %ProgramFiles%\Microsoft Common\*.*
  %ProgramFiles%\TinyProxy.
  %USERPROFILE%\Favorites\*.url /x
  %systemroot%\system32\*.bk
  %systemroot%\*.te
  %systemroot%\system32\system32\*.*
  %ALLUSERSPROFILE%\*.dat /x
  %systemroot%\system32\drivers\*.rmv
  dir /b "%systemroot%\system32\*.exe" | find /i " " /c
  dir /b "%systemroot%\*.exe" | find /i " " /c
  %PROGRAMFILES%\Microsoft\*.*
  %systemroot%\System32\Wbem\proquota.exe
  %PROGRAMFILES%\Mozilla Firefox\*.dat
  %USERPROFILE%\Cookies\*.txt /x
  %SystemRoot%\system32\fonts\*.*
  %systemroot%\system32\winlog\*.*
  %systemroot%\system32\Language\*.*
  %systemroot%\system32\Settings\*.*
  %systemroot%\system32\*.quo
  %SYSTEMROOT%\AppPatch\*.exe
  %SYSTEMROOT%\inf\*.exe
  %SYSTEMROOT%\Installer\*.exe
  %systemroot%\system32\config\*.bak2
  %systemroot%\system32\Computers\*.*
  %SystemRoot%\system32\Sound\*.*
  %SystemRoot%\system32\SpecialImg\*.*
  %SystemRoot%\system32\code\*.*
  %SystemRoot%\system32\draft\*.*
  %SystemRoot%\system32\MSSSys\*.*
  %ProgramFiles%\Javascript\*.*
  %systemroot%\pchealth\helpctr\System\*.exe /s
  %systemroot%\Web\*.exe
  %systemroot%\system32\msn\*.*
  %systemroot%\system32\*.tro
  %AppData%\Microsoft\Installer\msupdates\*.*
  %ProgramFiles%\Messenger\*.*
  %systemroot%\system32\systhem32\*.*
  %systemroot%\system\*.exe
  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs
  /md5start
  /md5stop
  

• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long..
• When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
• Just close these notepad windows and attach the two log files to your next message.

 

Can you boot your computer in safe mode?

If you can, then see MGtools.exe and also the OTL scan will run in safe mode. Also check to see if Malwarebytes will run in safe mode. Each time you try to run something, make sure you tell me exactly what happens. Don't just say "it won't run". Please tell me of any error messages received or that when you right click and select Run As Admin , nothing at all happens....etc. I need to have an exact idea of what is happening.

 

From a command prompt window if you type the below and hit enter, does a new Windows Explorer window open?

explorer

If yes, see if you can rename, MGtools.exe to explore.exe and then see if it will run.

It is starting to look like you have new type of TDL infection.


Also does compmgmt.msc run if enter into a Run box?

 

If we cannot get anything at all to work then yes that would be the case. However as you noticed in the thread you point out, there are still other options. The FSRT program was where I was soon headed with you to. Either this or one of the special rescue disks which can be used to boot your PC and run scans offline. Some of these disks are mentioned at the end of the below link:

Alternative Scans

But FSRT would be my preferred next step.

 

There are no signs of malware in this log. The only questionable item is that FSRT could not access part of the registry. Did you run this after you booted into the System Recovery Environment?

Does System Restore work? If so, you may want to try using it.

 

Ah! That explains the registry issue. It has to be run as stated in the instructions from the System Recovery Environment.

 

From what you are discribing, it is possibly you have an infection that hides files, folders, etc. We have had a bunch of these in the past but perhaps you have new form. The below unhide program has been helpful with these in the past. See if you can get it to run.


Please download and save the below tool from Grinler @ bleepingcomputer to your Desktop or anywhere else you can find it ( if the Desktop is not showing )

http://download.bleepingcomputer.com/grinler/unhide.exe

Now run it. Now see if you can find the items that seemed to be missing?

 

Since IE9 opens up, tell me what happens if you copy and paste the below into the Address Bar and hit enter

file://c:\Program Files (x86)

• Does a Windows Explorer windows open with the above folder show?
• If yes, right click on the folder and select Properties.
  • What do you see for Attributes? Is Read-only checked? Is Hidden checked?
  • Click the Security tab and tell me what you
    see listed in the Group or user names box while at the same time observing what Permissions for that user name are shown in the lower box. Be sure to scroll in these boxes as necessary to see all content.
  • For example: Two of the names should be SYSTEM and Users ( pcname\Users ) where pcname is the name of your computer and I want to see permissions. So you should give me a list like below but for all user names seen.

For user name = SYSTEM
Permissions:

Full control
Modify
Read & execute
List folder contents
Read
Write
Special permissions - Allowed

​

For user name = Users ( pcname\Users )
Permissions:

Full control
Modify
Read & execute - Allowed
List folder contents - Allowed
Read - Allowed
Write
Special permissions
​

 

You're welcome.

Not to sure about that. We still are not really getting anywhere with this. We need to be able to run some useful scans that produce logs so that we can hopefully find the reason for your problems.

Earlier we did determine that you could open up a command prompt window. Please do this again ( don't forget to Run As Administrator ). At the command prompt, type the below command each follow by the enter key and tell me what happens after each one. Note that the bold black is the command. The bold brown is just FYI or questions.

• cd \ << There is a space after the cd
• attrib
• dir > flist.txt
• dir /S C:\users >> flist.txt << There is a space after the dir and before the C:

Does a c:\flist.txt file now exist? If yes, attach it here.

 

Did the attrib command run and did it show a list of files?

 

See if you can do the below.


Now download this subinacl and save it to either your root folder ( C:\ ) or if you cannot save it there, save it to your Desktop.

Now download this perm.cmd and save it to the exact same location you saved subinacl to.

Now right click on perm.cmd and select Run As Administrator to run this script. Be patient as this may take awhile to run. Also it is imperative that you Run As Administrator. This is not the same thing as your user account having administrator priviledges.

Once it finishes, reboot your PC..... that is assuming it runs.

 

Tell me exactly where you saved both files to.

 

Right click on subinacl.exe and select Properties and then the Security tab. What permissions are setup for your user account and who is the Owner.

 

Are there other user accounts on this PC? If so do any of them work properly?

We are running out of options and you may have to cut your losses and backup what you can and reinstall. External scans from special boot CDs may be possible, but I'm not sure they would find anything. It is also possible that if they did find a serious infection that is causing this, that the act of removal could make you PC unbootable.

 

Yes this is possible. Even removing your hard disk from this infected compter and slaving it to another computer to be scan is a possibility. However you have to understand the risks too:

1. It is possible that nothing major will be found.
2. It is also possible that something may be found and the scanner may delete it but since the scanner will not be running from the Windows environment of the PC that is infected, it may remove files that are necessary for your Windows Operating System to even boot up. Thus the end result could be your PC is unbootable and you had better transfer import data to you other PC first.
3. Similar scanning operations can also be performed using your infected PC by making specialized CDs meant for this purposed. The same dangers as mention in number 2 above would still exist. Example CDs are mentioned at the bottom of the below link
   • Alternative Scans