Trojan:Dos/Alureon.E.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Dynathecat, Feb 6, 2012.

  1. Dynathecat

    Dynathecat Private E-2

    Hello, I believe I have the same problem as a previous thread by Anubis185 (http://forums.majorgeeks.com/showthread.php?t=248612)

    I had reformatted my computer with Windows 7 Ultimate and after the reformat and MSE install, my MSE detected the Trojan:DOS/Alureon.E.

    The same message was received when I tried to repair it through MSE:

    "Error code 0x8000704ec. This program is blocked by group policy. For more information contact your system administrator."

    I had run TDSSKiller and deleted the TDSS system files that had been found. Unfortunately, I do not have the log. Now when I run TDSSKiller, no infections are found; however, MSE still detects Trojan:DOS/Alureon.E.

    Tools I have run: TDSSKiller, Hitman Pro 3.5, MBRCheck, BitDefender Removal, Malwarebytes and aswMBR.

    I stumbled upon your fix with gparted but would like a review of my current logs and some advice before I try it. I have attached all the current logs I can.

    BitDefender can detect the virus and calls it:

    C:\ Rootkit.MBR.Sst.B(Boot image) Status Infected

    BitDefender prompts a restart to delete it, but is never able to delete it after the restart and cannot provide logs.

    Thank you very much for your help, patience, and time. Did my best and tried almost everything. Just very frustrated at this time. :cry
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, Dynathecat!

    Yes you do have a hidden partition that is part of the TDL4 rootkit. See below:

    Here are the GParted instructions in your case:

    Preferably from a clean computer, I need you to download: gparted-live-0.11.0-10.iso (121.1 MB)
    Create a bootable CD for GParted. You can use ImgBurn to accomplish this.
    If you need help on how to use ImgBurn, please view this guide by dr.m -- Using ImageBurn to Burn an ISO image

    Now boot off of the newly created GParted CD.
    http://img534.imageshack.us/img534/5492/gpartedsplash011010.th.png
    You should be here...
    Press ENTER
    http://img819.imageshack.us/img819/7286/gpartedkeymaps.th.png
    By default, do not touch keymap is highlighted. Leave this setting alone and just press ENTER.
    http://img404.imageshack.us/img404/9840/gpartedlanguage.th.png
    Choose your language and press ENTER. English is default [33]
    http://img140.imageshack.us/img140/7958/gpartedgui.th.png
    Once again, at this prompt, press ENTER
    You will now be taken to the main GUI screen below
    http://img32.imageshack.us/img32/1122/gpartedo.th.png
    According to your logs, the partition that you want to delete is 1.00 MiB (1.00 MB)
    Click the trash can icon to delete and then click Apply.
    You should now be here confirming your actions:
    http://img233.imageshack.us/img233/1533/gpartedsteps.th.png
    Now you should be here:
    http://img696.imageshack.us/img696/8471/gpartedsuccessclose.th.png
    Is boot next to your OS drive? According to your logs, your OS drive is the 931.4 GiB sized partition.
    http://img194.imageshack.us/img194/7753/gpartedboot.th.png
    If boot is not next to your OS drive under Flags, right-click the OS drive while in GParted and select Manage Flags


    In the menu that pops up, place a checkmark in boot like the picture below:
    http://img196.imageshack.us/img196/3483/gpartedmanageflagsboot.th.png
    Now press the Close button to save these changes.
    Now double-click the http://img715.imageshack.us/img715/641/gpartedexit.png button.
    You should receive a small pop up like this:
    http://img88.imageshack.us/img88/8986/gpartedexitreboot.png
    Choose reboot and then press OK.

    http://img600.imageshack.us/img600/2693/mgtools.gif Now download the latest MGtools.exe to the root of your c: drive.
    • Replace your existing MGtools.exe with this one.
    • Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
    • When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)
     
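The partition-table checks thisisu walks through in GParted above (find the small extra partition, delete it, then make sure the boot flag sits on the OS partition) expressed as an added Python example. This is not part of the thread and not a MajorGeeks tool: it parses the four primary entries of a classic MBR from a 512-byte sector, applies the same triage, and writes the corrected table into a copy of the sector. The sample sector is constructed here to mirror the layout described in the thread (one OS partition of roughly 931 GiB whose boot flag has been cleared, plus a 1 MiB partition at the end of the disk that is marked active); the disk geometry, partition types, function names and the 8 MiB "small partition" cutoff are my assumptions, not values taken from the user's logs.

```python
import struct

SECTOR = 512
ACTIVE = 0x80          # status byte value for the "boot"/active flag
MIB = 1024 * 1024
TABLE_OFFSET = 0x1BE   # partition table starts here; 4 entries of 16 bytes
ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_mbr(mbr: bytes) -> list:
    """Return the non-empty primary partition entries of an MBR as dicts."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR (0x55AA signature missing)")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, ptype, lba_start, sectors = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0 and sectors == 0:
            continue  # unused slot
        parts.append({
            "index": i + 1, "active": status == ACTIVE, "type": ptype,
            "lba_start": lba_start, "sectors": sectors, "size_bytes": sectors * SECTOR,
        })
    return parts


def triage(parts: list, small_limit: int = 8 * MIB) -> dict:
    """Flag the pattern from this thread: a tiny extra partition carrying the boot flag
    while the largest (OS) partition does not. Heuristic only; confirm it against your logs.
    The cutoff is deliberately far below 100 MiB so that a stock Windows 7 "System Reserved"
    partition, which legitimately holds the boot flag, is not reported."""
    if not parts:
        raise ValueError("empty partition table")
    os_part = max(parts, key=lambda p: p["sectors"])
    small = [p for p in parts if p["size_bytes"] <= small_limit]
    return {
        "os_index": os_part["index"],
        "os_has_boot_flag": os_part["active"],
        "small_partitions": [p["index"] for p in small],
        "active_partitions": [p["index"] for p in parts if p["active"]],
        "boot_flag_on_small_partition": any(p["active"] for p in small),
    }


def clean_mbr(mbr: bytes, delete_index: int, boot_index: int) -> bytes:
    """Mirror the GParted steps in a copy of the sector: zero the entry being deleted and
    make boot_index the only active entry. The 446 bytes of boot code are left untouched,
    so this does not undo a replaced boot loader; it only repairs the partition table."""
    out = bytearray(mbr)
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        if i + 1 == delete_index:
            out[off:off + 16] = bytes(16)
        else:
            out[off] = ACTIVE if i + 1 == boot_index else 0
    return bytes(out)


def build_mbr(entries: list) -> bytes:
    """Assemble a 512-byte MBR from (active, type, lba_start, sectors) tuples (boot code left zero)."""
    mbr = bytearray(SECTOR)
    for i, (active, ptype, lba_start, sectors) in enumerate(entries):
        off = TABLE_OFFSET + 16 * i
        mbr[off:off + 16] = struct.pack(ENTRY_FMT, ACTIVE if active else 0, ptype, lba_start, sectors)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


# Constructed sample (assumption): a 1 TB disk with 512-byte sectors, no System Reserved partition.
DISK_SECTORS = 1953525168
ROOTKIT_SECTORS = 2048  # 1 MiB, the size thisisu points at in the logs
INFECTED_MBR = build_mbr([
    (False, 0x07, 2048, DISK_SECTORS - ROOTKIT_SECTORS - 2048),     # OS partition, boot flag cleared
    (True, 0x07, DISK_SECTORS - ROOTKIT_SECTORS, ROOTKIT_SECTORS),  # 1 MiB partition at end of disk, active
])

if __name__ == "__main__":
    before = triage(parse_mbr(INFECTED_MBR))
    print("before:", before)
    fixed = clean_mbr(INFECTED_MBR, delete_index=before["small_partitions"][0], boot_index=before["os_index"])
    print("after: ", triage(parse_mbr(fixed)))
```

To inspect a real disk you would feed sector 0 into `parse_mbr`, for example the output of `dd if=/dev/sda bs=512 count=1` from a live CD; treat that as a read-only check and do not write the result of `clean_mbr` back to a physical disk from a script like this, since the example never verifies that the small partition is actually the rootkit's rather than, say, a vendor or recovery partition.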
  3. Dynathecat

    Dynathecat Private E-2

    Thank you very much for your advice thisisu.

    Will follow through tomorrow. (Forgot I don't have a blank disc for ImgBurn. Need to go buy one. :) )
     
  4. thisisu

    thisisu Malware Consultant

    Ok :cool
     
  5. Dynathecat

    Dynathecat Private E-2

    Mission Completed. :p

    Albeit I had a problem booting GParted. For some reason, my DVD-RW drive saw the burned discs as USB storage. So I used Win 7 Disk Management to delete the partitions I was concerned with.

    At this time, no more MSE notices for Alureon.E and no more infections after running all scans.

    Also ran MGtools and attached log below.

    Thanks once again for your help, time, and advice, thisisu! Methinks you guys have got these TDL4s down to a science, and I hope you continue the good fight. :)
     

    Attached Files:

  6. thisisu

    thisisu Malware Consultant

    Good job.. and you're welcome. :)

    There is one suspicious file. Can you upload this file to VirusTotal?
    • C:\Windows\SysNative\drivers\42706226.sys

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double-clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis if it is present
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double-click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Be safe :)
     
    Last edited: Feb 8, 2012
