Author Topic: Alureon virus and boot time scan crash  (Read 23600 times)


cyderspace

  • Guest
Re: Alureon virus and boot time scan crash
« Reply #30 on: May 20, 2010, 10:49:08 PM »
IE and java both now updated. All settings as described by essexboy for IE and firefox. Still seeing the HMP warning but no google re-direct or any other symptoms that I can see. A possible error with HMP?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Alureon virus and boot time scan crash
« Reply #31 on: May 20, 2010, 11:02:09 PM »
That is my thought

Let's run for 24 hours and if you have no further symptoms I will remove my tools and tidy up

cyderspace

  • Guest
Re: Alureon virus and boot time scan crash
« Reply #32 on: May 20, 2010, 11:15:03 PM »
Cool,

Can't tell you how grateful I am for all of your input.

cyderspace

  • Guest
Re: Alureon virus and boot time scan crash
« Reply #33 on: May 23, 2010, 11:31:42 PM »
Hi Guys,
Not fantastic news on this Sunday evening - although I haven't noticed any symptoms as such, a full scan with avast still finds the same alureon virus. It only needed to be deleted a few times though in order to complete the scan, something of an improvement.
I will paste in the relevant scan log section since there doesn't seem to be an easy way to get the log of the scan just completed.
Let me know if any other information will be useful, or perhaps avast is simply finding the remnants of what was previously there? It does seem slightly suspicious that HMP also still finds that proxy server but cannot permanently repair it.

cyderspace

  • Guest
Re: Alureon virus and boot time scan crash
« Reply #34 on: May 23, 2010, 11:39:44 PM »
23/05/2010 09:18:03   SYSTEM   1472   Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004. 
23/05/2010 11:29:26   Leo Kirkman   2492   Sign of "Win32:Alureon-FZ" has been found in "C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\pci.sys.vir" file. 
23/05/2010 13:20:32   SYSTEM   1472   Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004. 
23/05/2010 17:22:52   SYSTEM   1472   Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004. 
23/05/2010 18:25:34   Leo Kirkman   2492   Sign of "Win32:Alureon-FZ" has been found in "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP11\A0003954.sys" file. 
23/05/2010 18:25:55   Leo Kirkman   2492   Sign of "Win32:Alureon-FZ" has been found in "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP12\A0004139.sys" file. 
23/05/2010 21:25:11   SYSTEM   1472   Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004. 

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34065
  • malware fighter
Re: Alureon virus and boot time scan crash
« Reply #35 on: May 23, 2010, 11:50:07 PM »
Hi cyderspace,

Open up: http://www.kaspersky.com/kos/eng/partner/default/pages/default/check.html
1. Click on the SCAN NOW button on the main page.
2. The program will launch and fill in the Information section on the left.
3. Read the "Requirements and Limitations" then press the Accept button.
4. The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
5. Once the files have been downloaded, click on the settings button. In the scan settings make sure the following are selected:

    * Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    * Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    * Click the Save button, if you made any changes.

6. Now under the Scan section on the left: Select My Computer
7. The program will now start and scan your system. This will run for a while, be patient and let it finish.
8. Once the scan is complete, click on View scan report
9. Now, click on the Save Report as button.
10. Save the file to your desktop.
11. Copy and paste that information and attach your next post.

You can refer to this animation if needed: http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89686
  • No support PMs thanks
Re: Alureon virus and boot time scan crash
« Reply #36 on: May 24, 2010, 12:05:55 AM »
First, this one is the result of having run another tool in essexboy's removal process and it placing a file in its quarantine, so there shouldn't be any other issues to resolve if a) you let avast send it to the chest and b) uninstall that other tool.

23/05/2010 11:29:26   Leo Kirkman   2492   Sign of "Win32:Alureon-FZ" has been found in "C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\pci.sys.vir" file.

Second, this error I believe is related to a proxy error:
23/05/2010 13:20:32   SYSTEM   1472   Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004. 

Check the avast Settings, Updates, Proxy Settings (click the inverted triangle to expand the details) and set it to Direct connection (no proxy), assuming that you don't use a proxy to connect to the internet.

Last, these are infected restore points and my thoughts differ from essexboy:
23/05/2010 18:25:34   Leo Kirkman   2492   Sign of "Win32:Alureon-FZ" has been found in "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP11\A0003954.sys" file.
23/05/2010 18:25:55   Leo Kirkman   2492   Sign of "Win32:Alureon-FZ" has been found in "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP12\A0004139.sys" file.

####
Infected Restore Points - There really is little benefit in chasing a detection in the system volume information folder. It is only there because it had previously been deleted or moved from the system folders and this is a back-up created by system restore.
 
- Worst case scenario it isn't infected and you delete it, you can't use that restore point in the future, not much of a loss and the older the restore point is the less of an issue it is.
 
- So if there is any suspicion about a restore point then it is best removed from the system volume information folder or it could bite you in the rear at some point in the future when you use system restore if it included that restore point.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security
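
The triage DavidR applies to the posted avast log lines, as an added example that is not part of the original thread: it sorts each entry into removal-tool quarantine, System Restore point, update error, or a file that is still live. The category names and the final "live" sample line are assumptions made for illustration; the other sample lines are adapted from the log above with the user name replaced.

```python
import re
from collections import Counter

# Lines adapted from the avast log posted in this thread (user name replaced).
# The last line is constructed to show a detection outside any quarantine.
SAMPLE_LOG = r'''
23/05/2010 09:18:03   SYSTEM   1472   Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
23/05/2010 11:29:26   user   2492   Sign of "Win32:Alureon-FZ" has been found in "C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\pci.sys.vir" file.
23/05/2010 18:25:34   user   2492   Sign of "Win32:Alureon-FZ" has been found in "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP11\A0003954.sys" file.
23/05/2010 18:25:55   user   2492   Sign of "Win32:Alureon-FZ" has been found in "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP12\A0004139.sys" file.
23/05/2010 19:00:00   user   2492   Sign of "Win32:Alureon-FZ" has been found in "C:\WINDOWS\system32\Drivers\example.sys" file.
'''

# timestamp, user (may contain spaces), process id, message
LINE_RE = re.compile(r'^(\S+ \S+)\s+(.+?)\s+(\d+)\s+(.*)$')
DETECT_RE = re.compile(r'Sign of "([^"]+)" has been found in "([^"]+)" file')
UPDATE_RE = re.compile(r'Function (\w+)\(\) has failed\. Return code is (0x[0-9A-Fa-f]+)')


def classify_path(path):
    """Bucket a detection path the way the reply above reasons about it."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "tool-quarantine"   # inert copy kept by the removal tool
    if "\\system volume information\\_restore{" in p:
        return "restore-point"     # System Restore backup of a removed file
    return "live"                  # anywhere else: treat as an active file


def triage(log_text):
    """Return (timestamp, category, detail) for every recognised log line."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        stamp, _user, _pid, msg = m.groups()
        det = DETECT_RE.search(msg)
        upd = UPDATE_RE.search(msg)
        if det:
            rows.append((stamp, classify_path(det.group(2)), det.group(2)))
        elif upd:
            rows.append((stamp, "update-error", upd.group(2)))
    return rows


if __name__ == "__main__":
    rows = triage(SAMPLE_LOG)
    print(Counter(category for _, category, _ in rows))
    for stamp, category, detail in rows:
        if category == "live":
            print("needs attention:", stamp, detail)
```

Only entries in the "live" bucket point at a file that could still load; the other detections are copies held by a quarantine or by System Restore.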

Offline essexboy

Re: Alureon virus and boot time scan crash
« Reply #37 on: May 24, 2010, 12:13:00 AM »
Aye panic not they are quarantined files - so let's clear them

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

 Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself so... The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run  and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTL and hit the cleanup button.  It will remove all the programmes we have used plus itself.  MBAM can be uninstalled via control panel add/remove along with ERUNT.  But they may be useful tools to keep

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

SPRING CLEAN
 
Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once it's finished it should reboot your machine, if not, do this yourself to ensure a complete clean
THEN

Download Flush Flash from Here and follow the easy to use instructions on the same page

NEXT

Download and run Puran Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes: It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit To learn more about how to protect yourself while on the internet read our little guide  How did I get infected in the first place ?
Keep safe  :wave:

Offline polonus

Re: Alureon virus and boot time scan crash
« Reply #38 on: May 24, 2010, 12:14:47 AM »
Hi DavidR & essexboy,

I do not disagree with your vision per se that these are cleansing remnants, but their normal cleansing routine at geeks2go for Alureon also closes with a final online av scan as I proposed above,

Damian

cyderspace

  • Guest
Re: Alureon virus and boot time scan crash
« Reply #39 on: May 25, 2010, 10:34:52 PM »
Thanks a lot once again guys,
You have achieved easily what I could not on my own. I have followed all of essexboy's recommendations exactly and will try a full avast and Kaspersky scan sometime later in the week. All symptoms - including the HMP proxy notice - fully cleared up as far as I can tell.
If nobody minds, I will now remove all posted attachment logs with details of my system in them.
Have yourselves a cider on me!

Offline DavidR

Re: Alureon virus and boot time scan crash
« Reply #40 on: May 25, 2010, 11:19:59 PM »
You're welcome, hopefully that is you done and dusted.

Offline essexboy

Re: Alureon virus and boot time scan crash
« Reply #41 on: May 25, 2010, 11:20:40 PM »
Is it rough cider you be offering  ;D

cyderspace

  • Guest
Re: Alureon virus and boot time scan crash
« Reply #42 on: May 31, 2010, 12:04:49 AM »
A quick post script to my case, which may provide useful info for future malware solving;
All symptoms now cleared up.
Avast full scan now clean
Kaspersky online scan (attached) shows only two 'threats' - not dangerous I think.

One important point though;
When I came home from work I noticed that my wife was using the computer in her profile and I noticed that the blue avast ball was not in the system tray. A quick check revealed that although I had corrected the broken exe links in my profile using the fix from - http://www.dougknox.com/xp/file_assoc.htm - this had only fixed my profile and so when she booted up and logged in, she managed to get firefox loaded by asking it to use itself to open, when prompted, but there was no anti-virus or firewall running because no exe files had run at startup. Dangerous! She is a novice and so didn't notice. This is sorted out now though.
Hope this info is of some use.

Thanks once again guys - a very happy avast forumer!

Continue the fight - and may the roughest cider aid you all the way!
« Last Edit: May 31, 2010, 12:33:43 AM by cyderspace »

Offline DavidR

Re: Alureon virus and boot time scan crash
« Reply #43 on: May 31, 2010, 12:33:20 AM »
Thanks for the feedback, hopefully it may help others too.