alureon.e - Computer running OK but MSE keeps complaining

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by CTNorthShore, Dec 26, 2011.

  1. CTNorthShore

    CTNorthShore Private E-2

    Hi,

I have a Windows XP Pro workstation that I am trying to clean. At this point the computer actually runs well (having spent some time cleaning malware and fixing remnants such as hidden files). However Microsoft Security Essentials keeps finding the alureon.e trojan. It tries to delete it, can't, and then asks to reboot in order to delete it. This fails and so it goes through this loop.

    I ran through the steps as per Read Me First:

    SuperAntiSpyware - Full Scan - Zero Found (Let me know if you want to see log)
    MBAM - QuickScan - Zero Found (Log attached)
    Combofix did not run - hangs right before Stage 1
    RootRepeal - Log attached
    MGTools - Zipped logs attached

    I have also attached the MSE Error Log when dealing with this Trojan

    Appreciate any suggestions. TIA.

    Joel
     


  2. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, CTNorthShore!

    Code:
    Partition                   Disk #0, Partition #2
    Partition Size              1.76 MB (1,845,248 bytes)
    Partition Starting Offset   159,998,146,560 bytes

    Bootable  Name                   Size          Type
              Disk #0, Partition #0  49319424      Unknown
              Disk #0, Partition #1  159948794880  Installable File System
    TRUE      Disk #0, Partition #2  1845248       Unknown
    The entries for Disk #0, Partition #2 (1.76 MB, flagged Bootable = TRUE) are the partition that we need to delete. It was created by a TDL4 rootkit/bootkit.

    Quick question for you since most people complain about this and you say it's running OK. Is iexplore.exe (Internet Explorer) opening on its own without your permission? According to your logs, or at least whenever you were running MGtools, it was NOT running in the background. Just wondering, as you may have ended the process (at least momentarily) before running MGtools, or it may be a new variant of this TDL4 rootkit.

    _________________________________________

    Here are the steps you should take to resolve this:
    Note: It is recommended that you back up your data just in case I am unable to get the PC booting properly again. Usually this process goes without any problems. Just giving you a fair warning.

    Preferably from a clean computer, I need you to download: gparted-live-0.11.0-7.iso (119.8 MB)

    Create a bootable CD using this .iso file. You can use ImgBurn to create this CD (see its instructions on burning an image).
    You will also need your Windows XP CD to get into the Recovery Console. You can download the Recovery Console alone from here

    Now boot off of the newly created Gparted CD.

    http://img829.imageshack.us/img829/5772/gpartedsplash.th.png
    You should be here...
    Press ENTER
    http://img5.imageshack.us/img5/7286/gpartedkeymaps.th.png
    By default, "do not touch keymap" is highlighted. Leave this setting alone and just press ENTER.
    http://img404.imageshack.us/img404/9840/gpartedlanguage.th.png
    Choose your language and press ENTER. English is default [33]
    http://img140.imageshack.us/img140/7958/gpartedgui.th.png
    Once again, at this prompt, press ENTER
    You will now be taken to the main GUI screen below
    http://img32.imageshack.us/img32/1122/gpartedo.th.png
    According to your logs, the partition that you want to delete is 1.76 MiB (1.76 MB)
    Click the trash can icon to delete and then click Apply.
    You should now be here confirming your actions:
    http://img233.imageshack.us/img233/1533/gpartedsteps.th.png
    Now you should be here:
    http://img696.imageshack.us/img696/8471/gpartedsuccessclose.th.png
    http://img194.imageshack.us/img194/7753/gpartedboot.th.png
    Is "boot" next to your OS drive? According to your logs, the OS drive is the 148.96 GB partition.

    If "boot" is not next to your OS drive under "Flags", right-mouse click the OS drive while in Gparted and select Manage Flags
    In the menu that pops up, place a checkmark in boot like the picture below:
    http://img196.imageshack.us/img196/3483/gpartedmanageflagsboot.th.png
    Now click Close to save these changes.
    Now double-click the http://img822.imageshack.us/img822/641/gpartedexit.png button.
    You should receive a small pop up like this:
    http://img88.imageshack.us/img88/8986/gpartedexitreboot.png
    Choose reboot and then press OK.

    Now reboot from the Windows XP CD and go into the Recovery Console.
    Then type in the following commands, pressing ENTER after each one:

    • fixmbr
    • fixboot
    • exit

    Now reboot your PC.

    Once back in Windows.

    Please download MBRCheck by clicking here and save it to your desktop.

    • Double-click on the file to run it. (Vista/7 right-click and select Run as Administrator)
    • A window will open on your desktop.
    • If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
    • If nothing unusual is found just press Enter.
    • A .txt file named MBRCheck_mm.dd.yy_hh.mm.txt should appear on your desktop.
    • Attach this file to your next message. (How to attach)
     
    Last edited: Dec 26, 2011
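The triage above (spot a tiny "bootable" partition that no OS would live on, remove it, and hand the boot flag back to the NTFS partition) can be expressed over the raw MBR bytes. The following is an added example, not code from the thread or from MGTools, RootRepeal, GParted or MBRCheck: it builds a constructed 512-byte MBR whose sector counts and rogue-entry start come from the byte values quoted in post #2 (the two "Unknown" type bytes 0x27 and 0x2f and the 16 MiB size ceiling are assumptions), flags the rogue entry, and emulates the GParted delete plus Manage Flags step on the partition table. It deliberately does not touch the boot code, which is what the fixmbr/fixboot step in the Recovery Console rewrote.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446            # the four 16-byte partition entries start here
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count
ACTIVE = 0x80                 # "bootable" flag in the status byte
NTFS = 0x07                   # listed as "Installable File System" by MGTools
# Types an OS would normally be installed on; anything else that is active
# and tiny deserves a closer look.
KNOWN_OS_TYPES = {0x05, 0x07, 0x0b, 0x0c, 0x0e, 0x0f, 0x82, 0x83}
LBA_ONLY_CHS = b"\xfe\xff\xff"   # placeholder CHS used when only LBA matters


def pack_entry(active, ptype, start_lba, sectors):
    """Build one 16-byte partition entry."""
    return struct.pack(ENTRY_FMT, ACTIVE if active else 0, LBA_ONLY_CHS,
                       ptype, LBA_ONLY_CHS, start_lba, sectors)


def build_mbr(entries):
    """Assemble a 512-byte MBR: zeroed boot code, <=4 entries, 0x55AA signature."""
    if len(entries) > 4:
        raise ValueError("an MBR holds at most four primary entries")
    table = b"".join(entries) + b"\x00" * (16 * (4 - len(entries)))
    return b"\x00" * TABLE_OFFSET + table + b"\x55\xaa"


def parse_mbr(sector):
    """Return the non-empty partition entries as dicts."""
    if len(sector) != SECTOR or sector[510:] != b"\x55\xaa":
        raise ValueError("not an MBR sector (bad length or missing 0x55AA)")
    parts = []
    for slot in range(4):
        off = TABLE_OFFSET + 16 * slot
        status, _, ptype, _, start, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0 and count == 0:
            continue                                  # empty slot
        parts.append({"slot": slot, "active": status == ACTIVE, "type": ptype,
                      "start_lba": start, "sectors": count, "bytes": count * SECTOR})
    return parts


def suspicious_partitions(parts, max_bytes=16 * 2 ** 20):
    """The pattern spotted in the thread: an active partition that is tiny and
    of a type no OS installs to, on a disk whose big NTFS partition is not
    active.  16 MiB is an assumed ceiling, not a TDL4 constant."""
    if any(p["active"] and p["type"] == NTFS for p in parts):
        return []
    return [p for p in parts
            if p["active"] and p["bytes"] <= max_bytes
            and p["type"] not in KNOWN_OS_TYPES]


def repair_table(sector, remove_slot, os_slot):
    """Emulate the manual fix from post #2 on the table bytes: clear the rogue
    entry and put the boot flag on the OS partition.  The boot code itself
    is untouched; rewriting it is what fixmbr/fixboot did in the thread."""
    buf = bytearray(sector)
    start = TABLE_OFFSET + 16 * remove_slot
    buf[start:start + 16] = b"\x00" * 16
    for slot in range(4):
        buf[TABLE_OFFSET + 16 * slot] = ACTIVE if slot == os_slot else 0
    return bytes(buf)


def triage(sector):
    """Return the repaired table bytes, or the input unchanged if nothing
    looked wrong.  The boot flag goes to the largest NTFS partition."""
    parts = parse_mbr(sector)
    rogue = suspicious_partitions(parts)
    if not rogue:
        return sector
    ntfs = [p for p in parts if p["type"] == NTFS]
    if not ntfs:
        raise ValueError("no NTFS partition to move the boot flag to")
    os_slot = max(ntfs, key=lambda p: p["bytes"])["slot"]
    for p in rogue:
        sector = repair_table(sector, p["slot"], os_slot)
    return sector


# Constructed sample.  Sector counts and the rogue entry's start are derived
# from the byte values quoted in post #2; 0x27 and 0x2f are placeholder type
# bytes for the two entries MGTools listed as "Unknown".
SAMPLE_MBR = build_mbr([
    pack_entry(False, 0x27, 63, 49319424 // SECTOR),                   # 47 MB "Unknown"
    pack_entry(False, NTFS, 96390, 159948794880 // SECTOR),            # 148.96 GB OS partition
    pack_entry(True, 0x2f, 159998146560 // SECTOR, 1845248 // SECTOR), # 1.76 MB, bootable
])


if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR):
        print(f"slot {p['slot']}: active={p['active']} type=0x{p['type']:02x} "
              f"start={p['start_lba']} bytes={p['bytes']}")
    print("rogue slots:", [p["slot"] for p in suspicious_partitions(parse_mbr(SAMPLE_MBR))])
    print("after repair:", [(p["slot"], p["active"]) for p in parse_mbr(triage(SAMPLE_MBR))])
```

To use it on a real disk you would read sector 0 (for example `dd if=/dev/sda bs=512 count=1` from the GParted live CD) and pass those bytes to `triage`; writing the result back is the equivalent of the delete-and-flag step only, so the fixmbr/fixboot step still applies afterwards, and the MBRCheck run in the thread remains the confirmation that the boot code is clean.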
  3. CTNorthShore

    CTNorthShore Private E-2

    Thanks thisisu, deleting that partition resolved the issue.

    No, iexplore was not opening by itself. There were literally no issues with the computer other than MSE complaining (good on MSE!). I did quite a bit of repair (fixing hidden files, etc.) so perhaps I somehow fixed the issue of iexplore popping up.

    Thanks for your help!

    Joel
     
  4. thisisu

    thisisu Malware Consultant


    Dang, silent but deadly type of rootkit. :(
    I guess the authors of this rootkit figured out a way to make it even less obvious to the victim that there is something wrong with their PC.

    You're welcome! ;)
    Did you ever run MBRCheck? I'd like to make sure that you have a clean MBR.

    Also you should run the below just to be safe:

    I want you to read and follow these instructions: TDSSKiller - How to run
     
