Alureon removed by Windows Defender Offline, now won't boot

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by bdclark, Sep 7, 2012.

  1. bdclark

    bdclark Private E-2

    Running NOD 32, and it detected Olmarik a few days ago. Couldn't get it removed, so I ran Windows Defender Offline which detected Alureon. Ever since then, I just get a blinking cursor when I try to boot. Trying to fix the MBR & such hasn't yielded any noticeable results yet either. I figure you guys need a FARBAR scan, so I went ahead and ran that and attached to this post. Thanks in advance!
     

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Did Windows Defender actually remove something? What about Nod?

    Can you boot in safe mode?


    It does look like from your FRST log that you have been doing quite a lot of other stuff too?????? Who asked you to run OTL, ComboFix, RogueKiller .....etc
     
  3. bdclark

    bdclark Private E-2

    Defender did remove something, I was looking to see if I could find a log file but I'm not seeing one. From what I've read it's supposed to be in C:\Windows\Windows Defender Offline\Support, but no sign of WDO in C:\Windows. NOD32 said it found Olmarik TDL4 before I ran WDO, but couldn't remove it.

    Nobody asked me to run the other stuff, I was pretty much desperate to get it working right. None of the programs would run though, whatever was installed was blocking most everything. I also did a quick scan with MBAM, and it didn't find anything. I'm unable to boot into Windows at all. From looking at that Farbar log, it looks like it created a hidden partition and marked it active. The drive letter for my system drive has been changed to D:, and C: only has a $UPGDRV$ listed there.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes I saw the below in your log
    Code:
    Partitions of Disk 0:
    ===============
      Partition ###  Type              Size     Offset
      -------------  ----------------  -------  -------
      Partition 1    Primary            100 MB  1024 KB   (green)
      Partition 2    Primary            372 GB   101 MB
      Partition 3    Primary             10 MB   372 GB   (red)
    The partition in red was likely from the infection and the green one is likely the partition that you PC manufacturer put on as a boot partition to run Windows.

    Since you are posting here, I assume you have another PC where you can try making the G-Parted Disk mentioned in the below instructions.

    Preferably from a clean computer, I need you to download: gparted-live-0.11.0-7.iso (124 MB)
    Create a bootable CD for GParted. You can use ImgBurn to accomplish this.
    If you need help on how to use ImgBurn, please view this guide by dr.m -- Using ImageBurn to Burn an ISO image
    Now boot off of the newly created GParted CD.
    http://img717.imageshack.us/img717/6546/gpartedsplash01107.th.png
    You should be here...
    Press ENTER
    http://img819.imageshack.us/img819/7286/gpartedkeymaps.th.png
    By default, do not touch keymap is highlighted. Leave this setting alone and just press ENTER.
    http://img404.imageshack.us/img404/9840/gpartedlanguage.th.png
    Choose your language and press ENTER. English is default [33]
    http://img140.imageshack.us/img140/7958/gpartedgui.th.png
    Once again, at this prompt, press ENTER
    You will now be taken to the main GUI screen below
    http://img32.imageshack.us/img32/1122/gpartedo.th.png
    According to your logs, the partition that you want to delete is 10 MiB (10 MB)
    Click the trash can icon to delete and then click Apply.
    You should now be here confirming your actions:
    http://img233.imageshack.us/img233/1533/gpartedsteps.th.png
    Now you should be here:
    http://img696.imageshack.us/img696/8471/gpartedsuccessclose.th.png
    Is boot next to your OS drive? According to your logs, your OS drive is the 100 GB sized partition.
    http://img194.imageshack.us/img194/7753/gpartedboot.th.png
    If boot is not next to your OS drive under Flags, right-mouse click the OS drive while in Gparted and select Manage Flags
    In the menu that pops up, place a checkmark in boot like the picture below:
    http://img196.imageshack.us/img196/3483/gpartedmanageflagsboot.th.png
    Now press the Close button to save these changes.
    Now double-click the http://img822.imageshack.us/img822/641/gpartedexit.png button.
    You should receive a small pop up like this:
    http://img88.imageshack.us/img88/8986/gpartedexitreboot.png
    Choose reboot and then press OK.

    See if you can bootup into normal Windows. If not, then rerun G-Parted and try making the 372 GB partition the boot partition
     
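The partition layout chaslang points at above (a tiny extra primary partition appended after the real OS partition) is the pattern to look for in an FRST log. As an added example that is not part of this thread or of FRST, the script below parses the "Partitions of Disk" block and flags small trailing partitions; the 32 MB size threshold is an assumed heuristic, and the sample text is the table reproduced from the thread.

```python
import re

# Constructed sample: the partition table exactly as FRST printed it in this thread.
FRST_PARTITIONS = """\
Partitions of Disk 0:
===============
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            100 MB  1024 KB
  Partition 2    Primary            372 GB   101 MB
  Partition 3    Primary             10 MB   372 GB
"""

# FRST prints sizes and offsets in KB/MB/GB/TB; normalise everything to KB.
UNITS = {"KB": 1, "MB": 1024, "GB": 1024 ** 2, "TB": 1024 ** 3}

# One data row: "Partition <n>  <type>  <size> <unit>  <offset> <unit>".
# The header row ("Partition ###") and the title line do not match.
ROW = re.compile(
    r"Partition\s+(\d+)\s+(\w+)\s+(\d+)\s+([KMGT]B)\s+(\d+)\s+([KMGT]B)")


def parse_partitions(text):
    """Return the partition rows of an FRST log as a list of dicts."""
    parts = []
    for m in ROW.finditer(text):
        num, ptype, size, su, off, ou = m.groups()
        parts.append({
            "num": int(num),
            "type": ptype,
            "size_kb": int(size) * UNITS[su],
            "offset_kb": int(off) * UNITS[ou],
        })
    return parts


def suspicious_partitions(parts, max_kb=32 * 1024):
    """Partition numbers of small partitions placed after the largest one.

    A legitimate small partition (the 100 MB Windows boot partition) sits at
    the front of the disk; a tiny one appended behind the OS partition is
    the layout a TDL4/Alureon-style bootkit leaves behind.  max_kb (32 MB
    here) is an assumed heuristic threshold, not a documented constant.
    """
    if not parts:
        return []
    os_part = max(parts, key=lambda p: p["size_kb"])
    return [p["num"] for p in parts
            if p["size_kb"] <= max_kb and p["offset_kb"] > os_part["offset_kb"]]


if __name__ == "__main__":
    table = parse_partitions(FRST_PARTITIONS)
    print("suspicious partitions:", suspicious_partitions(table))
```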
  5. bdclark

    bdclark Private E-2

    GParted did the trick, ran a scan with NOD32 when I logged in and it looks like we're all clear. Thanks a ton!
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

