Trojan:DOS/Alureon PLEASE HELP

Discussion in 'Malware Help (A Specialist Will Reply)' started by Will DOS, Apr 7, 2013.

  1. Will DOS

    Will DOS Private E-2

    SOLDIER IN NEED OF ASSISTANCE ASAP

    I too have "TRIED" to correct this issue but was uninformed of the correct way until now. It started when Microsoft MSE found the Alureon.A and recommended that I download their offline tool to remove it. I did that, and after removing it using MSE Offline, Windows no longer boots. It shows the Starting Windows screen briefly, then crashes.
    I get the BSOD with error STOP: 0x0000007B (0xFFFFF880009A9928, 0xFFFFFFFFC0000000D, 0x0000000000000000, 0x0000000000000000).

    I have run a mem test and chkdsk, all with HEALTHY results, so I am led to believe they are still good and that it is not a hardware issue. I had tried System Restore, yet it failed with a result of:
    Problem Event name: StartupRepairOffline
    Problem Signature 01: 6.1.7600.16385
    Problem Signature 02: 6.1.7600.16385
    Problem Signature 03: unknown
    Problem Signature 04: 21200143
    Problem Signature 05: AutoFailover
    Problem Signature 06: 22
    Problem Signature 07: NoRootCause
    OS Version: 6.1.7600.2.0.0.256.1
    Locale ID: 1033

    Safe Mode is a no-go. Tried to load it with CMD enabled and again it crashes at "classpnp.sys". Did my homework, which mostly says this is caused by hardware, and ran chkdsk again, still with all HEALTHY results.

    Later, after research, I found this site and I know now I should have used TDSSKiller first. But now that I can't boot into Windows, I found a couple of threads where people ran the FRST tool, so I did that and attached the log.

    I'm trying to avoid having to do a factory image restore. My PC has been out of commission for over 2 weeks now, and my daughter needs her Netflix fix when I am at work, to give my wife a break from her using her tablet since this issue caused the BSOD. I finally have some time now to submit my TEXT file from FRST64. PLEASE, I am in need of some assistance.

    Thank you for your time and AID.

    SGT B
    5-101 CAB
     


  2. Will DOS

    Will DOS Private E-2

    Windows 7
    64 bit
    System OS on SSHDD 80 GB
    12 GB RAM
    Any other system questions please let me know and I will gladly assist to provide them.
    Thanks again for your time.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Download this >> View attachment fixlist.txt


    Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST64.exe on your flash drive.
    Now reboot back into the System Recovery Options as you did previously.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (See how to attach)

    Now see if you can boot into normal Windows.
     
  4. Will DOS

    Will DOS Private E-2

    Worked like a charm, "HOORAH!" Thank you so much; it booted smoothly. I have attached the fixlog.txt as requested.

    I will await your next instructions, or should I just follow the guidelines, now that Windows has booted, as prescribed in the
    "How to Remove Trojan:DOS/Alureon.A" forum?

    I can't wait to get my PC back to full operations.
     


  5. Will DOS

    Will DOS Private E-2

    TDSSKiller = 0 found; log from TDSSKiller attached below.

    MBRCheck.exe = result "DONE! Press ENTER to exit." Screenshot attached below.

    Ccleaner = CLEANING COMPLETE - (19.315 secs)
    ANALYSIS COMPLETE - (0.294 secs)

    RogueKiller = LOG Attached (RKreport[1]_S_04112013_02d0029)
    Found 2 in Registry. (Tab Both Deleted) RKreport[2]_D_04112013_02d0104
    (Processes/Hosts/Proxy/DNS/Driver/Files Empty)

    I will continue with "Malware Removal Guide" Step 6:
    Vista and Win 7 Malware Removal/Cleaning Procedure:
    Malwarebytes Anti-Malware
    HitmanPro
    MGtools

    Thank You again for all your assistance and future expertise and advice. Truly experts and professionals. Please let me know how else I may assist you by providing any additional data.

    V/r,

    SGT B
    5-101 CAB
     


  6. Will DOS

    Will DOS Private E-2

    TDSSKiller = Log attached (TDSSKiller.2.8.16.0_11.04.2013_00.11.59_log)

    MBRCheck.exe = "DONE! Press ENTER to Exit..." No issues found

    CCleaner = CLEANING COMPLETE - (1.289 secs)

    Step 6: Windows OS Specific Cleaning Instructions
    Vista and Win 7 Malware Removal/Cleaning Procedure

    RogueKiller = Log attached (RKreport[1]_S_04112013_02d0029)
    2 deletions (RKreport[2]_D_04112013_02d0104)

    Will continue tomorrow:
    Malwarebytes Anti-Malware
    HitmanPro
    MGtools

    Please let me know how I may be of further assistance by providing any additional information.

    V/r,

    SGT B
    5-101 CAB
     


  7. Will DOS

    Will DOS Private E-2

    Sorry, please ignore my last two posts. I had posted twice because when I loaded the first one, it didn't show up. I thought it may have been blocked due to attaching a .jpg screenshot. As it turns out I was wrong: not only did I post the information twice, it was also not accurate due to not disabling User Account Control. I DID NOT disable User Account Control before running the scans prior to this post. I will do so as soon as I finish downloading all additional programs.

    My apologies for posting incorrect information. I will ensure I will read thoroughly before taking appropriate actions in the future. As we say "Attention to detail" is key.

    I have a 12-mile ruck march and our formation is at 04:00 in the morning, so I must prepare. I didn't want to leave my post with inconclusive data without informing you of my error. I will post my findings again with User Account Control disabled to get more accurate results. Again, I am sorry for jumping ahead and will not next time.

    V/r,

    SGT B
    5-101 CAB
     
  8. Will DOS

    Will DOS Private E-2

    OK, now I have run all requested scans with User Account Control (UAC) disabled:

    I ran the CCleaner prior to scanning with tools and cleaned.

    I also had the following in the Malwarebytes Quarantine from my scans on the 11th of April:
    Adware.Agent
    Adware.Agent
    PUP.CrossFire.SA
    Adware.Agent
    PUP.CrossFire.SA
    PUP.AdBundle
    PUP.AdBundle

    I will add the screen shots in my next post.

    Thank You again for all your assistance and future expertise and advice. Truly experts and professionals. Please let me know how else I may assist you by providing any additional data.

    Awaiting next instruction.

    V/r,

    SGT B
    5-101 CAB
     


  9. Will DOS

    Will DOS Private E-2

    Here are the screenshots of the Malwarebytes results and the items found and deleted in the 11th of April scan.

    Thank You again for all your assistance and future expertise and advice. Truly experts and professionals. Please let me know how else I may assist you by providing any additional data.

    Awaiting next instruction.

    V/r,

    SGT B
    5-101 CAB
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not post any screenshots, but it is just as well because we do not want screenshots. We just want the logs from the scans attached, just like with the other tools. So please just attach the logs. They are always available on your PC. See the below folder:

    C:\Users\MY COMPUTER\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Logs

    Now let's get started on removing all the junk you installed on your PC.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://feed.snap.do/?publisher=Down...c22-33ded658d8cf&searchtype=ds&q={searchTerms}
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://feed.snap.do/?publisher=Down...c22-33ded658d8cf&searchtype=ds&q={searchTerms}
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://kl.startnow.com/?src=startpa...a314&browser=IE&os=win&os_version=6.1-x64-SP1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://feed.snap.do/?publisher=Down...c22-33ded658d8cf&searchtype=ds&q={searchTerms}
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://feed.snap.do/?publisher=Down...c22-33ded658d8cf&searchtype=ds&q={searchTerms}
    R3 - URLSearchHook: YTD Toolbar - {F3FEE66E-E034-436a-86E4-9690573BEE8A} - C:\Program Files (x86)\YTD Toolbar\IE\7.0\ytdToolbarIE.dll
    O2 - BHO: FLV Runner - {3bbd3c14-4c16-4989-8366-95bc9179779d} - C:\Program Files (x86)\FLV_Runner\prxtbFLV_.dll
    O2 - BHO: StartNow Toolbar Helper - {6E13D095-45C3-4271-9475-F3B48227DD9F} - C:\Program Files (x86)\StartNow Toolbar\Toolbar32.dll
    O2 - BHO: YTD Toolbar - {F3FEE66E-E034-436a-86E4-9690573BEE8A} - C:\Program Files (x86)\YTD Toolbar\IE\7.0\ytdToolbarIE.dll
    O2 - BHO: Yontoo Layers - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files (x86)\Yontoo\YontooIEClient.dll
    O3 - Toolbar: FLV Runner Toolbar - {3bbd3c14-4c16-4989-8366-95bc9179779d} - C:\Program Files (x86)\FLV_Runner\prxtbFLV_.dll
    O3 - Toolbar: (no name) - {ae07101b-46d4-4a98-af68-0333ea26e113} - (no file)
    O3 - Toolbar: YTD Toolbar - {F3FEE66E-E034-436a-86E4-9690573BEE8A} - C:\Program Files (x86)\YTD Toolbar\IE\7.0\ytdToolbarIE.dll
    O3 - Toolbar: StartNow Toolbar - {5911488E-9D1E-40ec-8CBB-06B231CC153F} - C:\Program Files (x86)\StartNow Toolbar\Toolbar32.dll
    O4 - HKLM\..\Run: [SearchSettings] "C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe"

    After clicking Fix, exit HJT.

    Now uninstall the below programs:
    FLV Runner Toolbar
    StartNow Toolbar
    Yontoo 1.10.02
    YTD Toolbar v7.0
    YTD Video Downloader 4.0


    Please download OTM by Old Timer and save it to your Desktop.
    • Run it by double clicking on it (Note: if using Vista, Win7, or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
     
    :Services
    Updater Service for StartNow Toolbar
     
    :Files
    C:\Program Files (x86)\FLV_Runner
    C:\Program Files (x86)\YTD Toolbar
    C:\Program Files (x86)\StartNow Toolbar
    C:\Program Files (x86)\Yontoo
    C:\ProgramData\Tarma Installer
    C:\ProgramData\WeCareReminder
    C:\ProgramData\YTD Video Downloader
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\YTD Video Downloader
    C:\Users\MY COMPUTER\AppData\LocalLow\BabylonToolbar
    C:\Users\MY COMPUTER\AppData\Roaming\Babylon
    C:\Users\MY COMPUTER\AppData\Roaming\Mozilla\Firefox\Profiles\of2gu6e1.default\extensions\plugin@yontoo.com
    C:\Program Files (x86)\Common Files\Spigot
     
    :Reg
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\microsoft\windows\currentVersion\Run]
    "SearchSettings"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\YontooIEClient.Layers.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\YontooIEClient.Layers]
    [-HKEY_USERS\S-1-5-21-1151865626-718977629-4187860855-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
    [-HKEY_USERS\S-1-5-21-1151865626-718977629-4187860855-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\YontooIEClient.DLL]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Prod.cap\ (Claro)
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\YontooIEClient.DLL]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80922ee0-8a76-46ae-95d5-bd3c3fe0708d}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{99066096-8989-4612-841F-621A01D54AD7}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE9271F2-6EFD-44b0-A826-84C829536E93}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YontooIEClient.Api.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YontooIEClient.Api]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YontooIEClient.Layers.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YontooIEClient.Layers]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{8D8654CD-7FBC-4C7E-84E9-371BFA8DB04E}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{9307081B-7444-494C-8CF6-2FA7C0E92BFB}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{9D9785E5-3424-40B6-A287-BA143AD53109}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{B6783DFA-B8C8-4CB6-AB9F-EF1A1F7F7AE8}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{F5F971A9-DBF8-4EEC-81E3-5F1660573E6C}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Products\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Babylon]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}]
    [-HKEY_USERS\S-1-5-21-1151865626-718977629-4187860855-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}]
    [-HKEY_USERS\S-1-5-21-1151865626-718977629-4187860855-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}]
    [-HKEY_USERS\S-1-5-21-1151865626-718977629-4187860855-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
    [-HKEY_USERS\S-1-5-21-1151865626-718977629-4187860855-1001\Software\Microsoft\Internet Explorer\Approved Extensions\{2EECD738-5844-4A99-B4B6-146BF802613B}]
    [-HKEY_USERS\S-1-5-21-1151865626-718977629-4187860855-1001\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}]
    [-HKEY_USERS\S-1-5-21-1151865626-718977629-4187860855-1001\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}]
    [-HKEY_USERS\S-1-5-21-1151865626-718977629-4187860855-1001\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{98889811-442D-49DD-99D7-DC866BE87DBC}]
    [-HKEY_USERS\S-1-5-21-1151865626-718977629-4187860855-1001\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}]
    [-HKEY_USERS\S-1-5-21-1151865626-718977629-4187860855-1001\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScope"="{C2768DD4-229F-40d5-8EA4-1959EA50AFED}"
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{A6EF2014-39A2-455A-AE91-94988F38C429}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{B224AA02-F7C8-3A2B-859F-560B80767E4A}]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.


    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note that JRT may reset your home page to a Google default, so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the JRT.txt log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
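As an added illustration (not code from the post, from chaslang or from MajorGeeks), here is a small Python triage helper that parses HijackThis lines in the shape quoted above and checks, for each item, whether the OTM script also cleans up after the HJT Fix by deleting its registry key/value or moving its folder. The sample log and script are constructed from a subset of the lines quoted in the post; the helper names and the "reg"/"file"/"hjt-only" labels are my own.

```python
import re
from collections import namedtuple
# Constructed sample: a subset of the HijackThis lines and of the OTM script quoted in
# the post above, kept in their original shape.
HJT_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://feed.snap.do/?publisher=Down...c22-33ded658d8cf&searchtype=ds&q={searchTerms}
R3 - URLSearchHook: YTD Toolbar - {F3FEE66E-E034-436a-86E4-9690573BEE8A} - C:\Program Files (x86)\YTD Toolbar\IE\7.0\ytdToolbarIE.dll
O2 - BHO: Yontoo Layers - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files (x86)\Yontoo\YontooIEClient.dll
O3 - Toolbar: (no name) - {ae07101b-46d4-4a98-af68-0333ea26e113} - (no file)
O4 - HKLM\..\Run: [SearchSettings] "C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe"
"""
OTM_SCRIPT = r""":Files
C:\Program Files (x86)\YTD Toolbar
C:\Program Files (x86)\Yontoo
C:\Program Files (x86)\Common Files\Spigot
:Reg
[HKEY_LOCAL_MACHINE\software\Wow6432Node\microsoft\windows\currentVersion\Run]
"SearchSettings"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
"""
GUID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH = re.compile(r'[A-Za-z]:\\[^"\n]+?\.(?:dll|exe)\b', re.IGNORECASE)
# code: R0/R1 IE setting, R3 search hook, O2 BHO, O3 toolbar, O4 Run key (as in the post)
Entry = namedtuple("Entry", "code name clsid path")  # path: file on disk, or the URL of an R0/R1
NAME_RE = {"O4": r"\[(.+?)\]", "R0": r"^(.+?) = ", "R1": r"^(.+?) = "}  # others: "kind: name - {clsid} - path"

def parse_hjt(text):
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        code, _, rest = line.partition(" - ")
        name = re.search(NAME_RE.get(code, r": (.+?) - \{"), rest).group(1)
        clsid, path = GUID.search(rest), PATH.search(rest)
        url = rest.split(" = ", 1)[1] if code in ("R0", "R1") else None
        entries.append(Entry(code, name, clsid and clsid.group(0), path.group(0) if path else url))
    return entries

def parse_otm(text):
    # What the script removes: folders under :Files; under :Reg, keys named by a CLSID ("[-...]") and Run values ('"name"=-')
    section, folders, clsids, values = None, [], set(), set()
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith(":"):
            section = line
        elif section == ":Files":
            folders.append(line.lower())
        elif section == ":Reg" and line.startswith("[-"):
            clsids.update(g.lower() for g in GUID.findall(line))
        elif section == ":Reg" and line.endswith("=-"):
            values.add(line[1:-3])
    return folders, clsids, values

def coverage(entries, folders, clsids, values):
    # Per HJT item: "reg" if the script deletes its key/value, "file" if it moves its folder, else "hjt-only"
    out = {}
    for e in entries:
        reg = (e.clsid and e.clsid.lower() in clsids) or e.name in values
        fil = e.path and any(e.path.lower().startswith(f + "\\") for f in folders)
        out[f"{e.code} {e.name}"] = [t for t, hit in (("reg", reg), ("file", fil)) if hit] or ["hjt-only"]
    return out

REPORT = coverage(parse_hjt(HJT_LOG), *parse_otm(OTM_SCRIPT))
```

Items reported as "hjt-only" (the IE setting lines and the no-file toolbar stub) are exactly the ones that only the HJT Fix step resets, which is why the post tells you to run that step before OTM.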
     
