Avast WEBforum
Other => Viruses and worms => Topic started by: themadness on March 31, 2012, 02:24:08 PM
-
I have the Alureon-K and have been through a list of things to get it out. After a fresh install of Avast, a full scan finally recognized it but won't get rid of it. Moving it to the chest isn't an option. Deleting it doesn't get rid of it.
Here is what I have tried thus far (with no supervision by anyone who knows what they are doing) ;)
Avast boot scan - all clear
MBAM - full scan didn't find it
SuperAntiSpyware - removed the typical stuff but didn't find this
ComboFix - wouldn't scan at all, just hung up at the start of the scan
TDSSKiller - wouldn't open or run
ESET - found nothing
BitDefender - nothing
Microsoft Security Essentials - found nothing
Stared at the screen with an angry face - didn't work
Threatened with a baseball bat - nothing
I have read there is a "partition" that is protecting the files from being removed. If you guys can walk me through this I would greatly appreciate it.
Running Windows XP Pro Service Pack 3
-
OK, let's see what aswMBR says.
Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) (4.1 MB) to your desktop.
Double click aswMBR.exe to run it. Click the "Scan" button to start the scan.
(http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRScan.gif)
On completion of the scan click Save log, save it to your desktop and post it in your next reply.
(http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRsavelog.gif)
-
Won't open :-\
-
OK, before I proceed with the tedious bit:
In the Run box type the following:
diskmgmt.msc
When Disk Management opens, expand it so that all drives are visible.
Take a screenshot and post it here.
Are you able to burn a CD on another computer?
-
I'm using the only computer I have (laptop).
-
I need you to download:
gparted-live-0.10.0-3.iso (http://sourceforge.net/projects/gparted/files/latest/download?source=files) (115.1 MB)
Create a bootable CD, for Gparted from the ISO image.
You can use ImgBurn (http://download.imgburn.com/SetupImgBurn_2.5.6.0.exe) to do this.
Now boot off of the newly created Gparted CD.
(http://img829.imageshack.us/img829/5772/gpartedsplash.th.png)
You should be here... Press ENTER
(http://img5.imageshack.us/img5/7286/gpartedkeymaps.th.png)
By default, "do not touch keymap" is highlighted. Leave this setting alone and just press ENTER.
(http://img404.imageshack.us/img404/9840/gpartedlanguage.th.png)
Choose your language and press ENTER. English is default [33]
(http://img140.imageshack.us/img140/7958/gpartedgui.th.png)
Once again, at this prompt, press ENTER
You will now be taken to the main GUI screen below
(http://img32.imageshack.us/img32/1122/gpartedo.th.png)
According to your logs, the partition that you want to delete is 2 MB
Click the trash can icon to delete and then click Apply.
You should now be here confirming your actions:
(http://img233.imageshack.us/img233/1533/gpartedsteps.th.png)
Now you should be here:
(http://img696.imageshack.us/img696/8471/gpartedsuccessclose.th.png)
(http://img194.imageshack.us/img194/7753/gpartedboot.th.png)
Is "boot" next to your OS drive?
If "boot" is not next to your OS drive under "Flags", right-mouse click the OS drive while in Gparted and select Manage Flags
In the menu that pops up, place a checkmark in boot like the picture below:
(http://img196.imageshack.us/img196/3483/gpartedmanageflagsboot.th.png)
Now double-click the (http://img822.imageshack.us/img822/641/gpartedexit.png) button.
You should receive a small pop up like this:
(http://img88.imageshack.us/img88/8986/gpartedexitreboot.png)
Choose reboot and then press OK.
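The small rogue partition discussed above is also visible directly in the MBR partition table, which is where a responder can confirm what GParted or Disk Management shows. The following is an added example (not from this thread, Avast or any of the tools mentioned) that parses a constructed 512-byte MBR and flags any primary partition of a few MB or less; the sample bytes and the 16 MB threshold are assumptions.

```python
import struct

SECTOR = 512
# Partition entry: status, CHS start, type, CHS end, LBA start, sector count
ENTRY_FMT = "<B3sB3sII"


def parse_mbr(mbr: bytes):
    """Return the in-use primary partition entries of a 512-byte MBR."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector (bad length or signature)")
    entries = []
    for i in range(4):
        off = 446 + 16 * i  # partition table starts at byte 446
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0:  # empty slot
            continue
        entries.append({
            "index": i,
            "bootable": status == 0x80,  # the "boot" flag GParted shows under Flags
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
            "size_mb": count * SECTOR / 2 ** 20,
        })
    return entries


def suspicious_partitions(entries, max_mb=16):
    """Tiny partitions (a few MB) are not something Windows setup creates on its own."""
    return [e for e in entries if e["size_mb"] <= max_mb]


def make_entry(status, ptype, lba, count):
    """Build one 16-byte partition entry (CHS fields left zeroed)."""
    return struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba, count)


# Constructed sample MBR: a 100 GB bootable NTFS partition followed by a 2 MB partition.
SAMPLE_MBR = (
    b"\0" * 446
    + make_entry(0x80, 0x07, 63, 209715200)          # 100 GiB, boot flag set
    + make_entry(0x00, 0x07, 209715263, 4096)        # 2 MiB tail partition
    + b"\0" * 32                                     # two empty slots
    + b"\x55\xaa"
)

if __name__ == "__main__":
    for e in suspicious_partitions(parse_mbr(SAMPLE_MBR)):
        print(f"partition {e['index']}: {e['size_mb']:.1f} MB at LBA {e['lba_start']}")
```

On a live system the first 512 bytes of the disk would be read from the raw device instead of the constructed sample; a rootkit that hooks disk I/O can lie to that read, which is why the thread works from a boot CD or USB.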
-
Is there any way to do it without making a boot disc? My CD drive has decided to quit working. I had a similar virus on a desktop several years ago that did the same thing to the CD drive.
-
Download and install LinuxLive USB Creator on your MS Windows computer. http://www.linuxliveusb.com/
Download the GParted Live iso file. http://gparted.sourceforge.net/download.php
From Windows, install then run the LinuxLive USB Creator program and follow the instructions in the GUI to install GParted Live on your USB flash drive.
Then reboot from the flash drive and follow the previous instructions.
-
Not working either :(
The port won't recognize the USB drive.
-
Within Disk Management could you right-click the bad partition and see if the delete option is available - just look.
Then copy aswMBR.exe to your root C: drive and rename it to explorer so you then get C:\explorer.exe
Then from the Run box type in the following:
C:\explorer.exe -ap 1
Does it run?
THEN
We need to install the Recovery Console, so I will use ComboFix to do that. When it runs, allow the installation of the Recovery Console.
Download and install ComboFix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT!!! Save ComboFix.exe to your Desktop.
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe and follow the prompts.
- Accept the disclaimer and allow it to update if it asks.
(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)
(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.
Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.
-
To be sure I am renaming it right: aswMBR is in my C: drive folder. Just click the icon and rename it "explorer"?
And I already have ComboFix. I downloaded it yesterday.
-
Yes, rename it and see if we can fool the malware.
Is the delete option available for that partition?
-
aswMBR gave me "application failed to initialize".
And the delete option was unavailable.
-
OK, go and run ComboFix, so that I will have the option of using the Recovery Console to switch partitions.
By the time it has finished running and you have posted the log I may have a way around this.
-
OK, I will run ComboFix.
Just to note though: I bought this laptop used several months ago and don't have a recovery CD. What other options do I have if I can't get rid of this virus? Baseball bat?
-
As a last resort the recovery CD will work, but mayhap we can do it without resorting to that and losing all your data.
-
What do I do if ComboFix freezes? Since I don't have a recovery CD, what options will I have?
-
ComboFix locked up. The clock wouldn't even keep time :-[
-
Could you reboot?
Then look in C:\ and see if there is an i386 folder.
-
There is an i386 folder.
-
Could you locate the cmdcons file and double click it please - that should install the Recovery Console.
Let me know if it does.
-
No file by that name in the i386 folder.
-
Could you show hidden files - do you know how to do that?
Control Panel
Folder Options
We need to show hidden files and remove the tick from "hide system files".
Then look again.
-
Still no file by that name in the folder.
Sorry for the late response.
-
OK, let's get CF to install the Recovery Console.
Go to Microsoft's website => http://support.microsoft.com/kb/310994 (http://support.microsoft.com/kb/310994)
Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.
Note: If you have SP3, use the SP2 package.
---------------------------------------------------------------------
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
(http://img.photobucket.com/albums/v666/sUBs/RC1-4.gif)
- Drag the setup package onto ComboFix.exe and drop it.
- Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
(http://img.photobucket.com/albums/v706/ried7/whatnext.png)
- At the next prompt, click 'Yes' to run the full ComboFix scan.
- When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.
-
Update:
I ran SAS and MBAM last night and both pulled up a lot more stuff. MBAM found a trojan that wasn't there before. I ran Avast again and it too found a new trojan as well as the Alureon. The Alureon would not delete. I ran it again in safe mode and Avast didn't find anything.
I ran ComboFix again in normal mode and again it froze the system. I let it run overnight and the clock on the PC stopped at 11:45 PM, which was about an hour after I started it.
I have downloaded the boot disks you referred to and will wait for further instructions.
-
As aswMBR will not run, we cannot cure it through that.
Install the Recovery Console via ComboFix.
Then reboot, pressing F8 to get to the boot menu.
Select the Recovery Console option.
At the C: prompt type the following, hitting Enter after each command:
Fixmbr
bootcfg /rebuild
Reboot to normal Windows and try to run aswMBR.
-
ComboFix froze at start and aswMBR wouldn't open either.
-
Did it get to install the Recovery Console?
If we cannot access that or run from CD/USB, then we are fried.
-
After a restart about 10 mins ago I saw a Recovery Console option on boot up that wasn't there earlier. Will that get rid of the virus or will I just have factory settings again?
I'm nervous as a hooker in church about using this thing. :(
I read an article saying this particular virus is the most sophisticated in recent history and law enforcement agencies are having a hard time cracking it. :o
-
That's good - select the Recovery Console option and enter the commands as I pasted in post 26.
-
The Recovery Console won't go past its loading screen :'(
Guess it's a wrap unless I can format a drive or get a used copy. Since this one was bought used I don't have any disks.
-
That is the problem with this malware: I need to work outside of Windows, where it is totally inert.
You could retry TDSSKiller, as a new version was released today.
-
;D
The new TDSSKiller ran and picked it up. I cured the file, restarted to safe mode with networking, updated MBAM and scanned. MBAM came up clean. I restarted, updated Avast and ran a full scan. It came up with 12 threats, all of them related to or different versions of the rootkit.
What do I do now? Move them to the chest or delete them?
How will I know if I am clean and secure again? I REALLY don't want to use this machine for personal info if there is a monster in the background.
-
Could you attach the TDSSKiller log please, and the aswMBR log?
-
How do I post the logs? They're kind of long.
-
Attach them.
At the bottom of the post board is an "Additional Options" link.
Click that and navigate to the logs. Select them and then post.
-
1st TDSS log (first scan)
-
2nd TDSS scan
-
here we go....
-
Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) (4.1 MB) to your desktop.
Double click aswMBR.exe to run it. Click the "Scan" button to start the scan.
(http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRScan.gif)
On completion of the scan click Save log, save it to your desktop and post it in your next reply.
(http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRsavelog.gif)
Could you then retry ComboFix please, and allow it to update.
-
ComboFix
-
Looks good - how is the computer behaving?
-
No more redirects so far, but it's a little sluggish. Crazy thing is it was blazin' with the virus on it. How can I be sure everything is gone and I am secure again?
I put the files in the Avast quarantine; should I delete them? This is my only laptop and I normally do online banking and buying, so I want to be overkill cautious to get it back to normal.
-
OK, final check: could you run an OTL quick scan please and ensure All Users is selected.
-
OTL link?
-
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your Desktop.
- Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
- Select All Users.
- Under the Custom Scan box paste this in:
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
C:\Windows\assembly\tmp\U\*.* /s
%Temp%\smtmp\1\*.*
%Temp%\smtmp\2\*.*
%Temp%\smtmp\3\*.*
%Temp%\smtmp\4\*.*
>C:\commands.txt echo list vol /raw /hide /c
/wait
>C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
/wait
type c:\diskreport.txt /c
/wait
erase c:\commands.txt /hide /c
/wait
erase c:\diskreport.txt /hide /c
CREATERESTOREPOINT
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Post both logs.
-
OTL
-
That looks good - what problems remain?
-
Right now I'm not having any symptoms, but I want to be super thorough.
Thanks for all your help!!
-
Subject to no further problems :)
I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.
Now the best part of the day ----- Your log now appears clean :thumbsup:
A good workman always cleans up after himself, so... The following will implement some cleanup procedures as well as reset System Restore points:
Remove ComboFix
- Hold down the Windows key + R on your keyboard. This will display the Run dialogue box.
- In the Run box, type in ComboFix /Uninstall
(Notice the space between the "x" and "/")
then click OK.
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg)
- Follow the prompts on the screen.
- A message should appear confirming that ComboFix was uninstalled.
Run OTL and hit the Cleanup button. It will remove all the programmes we have used, plus itself.
We will now confirm that your hidden files are set to hidden, as some of the tools I use will change that:
- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif) Malwarebytes (http://www.malwarebytes.org/mbam-download.php).
Update and run weekly to keep your system clean.
Download and install the FileHippo Update Checker (http://www.filehippo.com/updatechecker/) and run it monthly. It will show you which programmes on your system need updating and give a download link.
It is critical to have both a firewall and anti-virus to protect your system, and to keep them updated. To keep your operating system up to date visit Microsoft Windows Update (http://windowsupdate.microsoft.com).
To learn more about how to protect yourself while on the internet, read our little guide: How did I get infected in the first place? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe :wave: