The Dreaded ALUREON-K rkt VIRUS ...grrrrrrr HELP!

[Jessette0514]

Hello ANYONE who can help me! LOL ! I've been battling this thing for 3 days now and it's time to call in the big guns. I am not super knowledgable about computers, but I can usually manage..... however this time, I am stumped. I need help. My laptop is running super slow and I am having difficulty getting any programs to run. I am now using a different computer so I can receive emails. I have ran MalwareBytes (on the infected laptop) and will include the log. I can not download the aswmbr.exe file however. Not sure what to do next - Please help anyone that can. I will follow any advice or suggestion. Thanks so much in advance!!!!!!!!!!!!

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.10.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Valued Customer :: VALUED-92BF5E73 [administrator]

4/13/2012 12:01:34 PM
mbam-log-2012-04-13 (12-01-34).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 231608
Time elapsed: 53 minute(s), 45 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\Documents and Settings\Valued Customer\Application Data\Avira\Avira\sgpeue.dll (Trojan.Agent.GMAGen) -> Delete on reboot.

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Update (Trojan.Agent.GMAGen) -> Data: rundll32.exe "C:\Documents and Settings\Valued Customer\Application Data\Avira\Avira\sgpeue.dll",DllRegisterServer -> Quarantined and deleted successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Update (Trojan.Agent.GMAGen) -> Data: rundll32.exe "C:\Documents and Settings\Valued Customer\Application Data\Avira\Avira\sgpeue.dll",DllRegisterServer -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Documents and Settings\Valued Customer\Local Settings\Temp\0.5999004351177931 (Exploit.Drop.9) -> Quarantined and deleted successfully.
C:\Documents and Settings\Valued Customer\Application Data\Avira\Avira\sgpeue.dll (Trojan.Agent.GMAGen) -> Delete on reboot.

(end)

[Jessette0514]

Oops forgot to mention - I could not get TDSS Killer to open in Safe Mode or normal mode either! Really at a loss

[Pondus]

Are You Able to run OTL and attach the log?

[Jessette0514]

Thank you sooooo much for responding! Yes I just completed the scan - see the attached log.

[Pondus]

Essexboy is in bed now..... So i guess You want see any of the removal experts untill tomorrow

[jeffce]

Hi,

Let's take a look and see what we have

In the run box type the following

diskmgmt.msc

When disc management opens expand it so that all drives are visible
Take a screenshot and post it here

Are you able to burn a CD on another computer ?

[Jessette0514]

OK, took me an hour to get diskmgmt to work, but I got it finally. And yes I can burn CD's. Thank you!

[jeffce]

Hi,

I need you to download:
gparted-live-0.10.0-3.iso (115.1 MB) 

Create a bootable CD, for Gparted from the ISO image.

You can use ImgBurn do this.

Now boot off of the newly created Gparted CD. 



You should be here... Press ENTER



By default, "do not touch keymap" is highlighted.
Leave this setting alone and just press ENTER. 



Choose your language and press ENTER. English is default [33]



Once again, at this prompt, press ENTER 
You will now be taken to the main GUI screen below



According to your logs, the partition that you want to delete is 1mb

Click the trash can icon to delete and then click Apply.

You should now be here confirming your actions: 

 

Now you should be here:

 



Is "boot" next to your OS drive? 
If "boot" is not next to your OS drive under "Flags", right-mouse click the OS drive while in Gparted and select Manage Flags 

In the menu that pops up, place a checkmark in boot like the picture below:

 


Now double-click the button. 

You should receive a small pop up like this:



Choose reboot and then press OK.

[Jessette0514]

Thanks Jeff!
I made the disk ahead of time while I was reading other posts with this issue. I have now completed the boot from the disk, removal of the 1MB and now have rebooted. Ready for the next step

[jeffce]

Hi,

Great Job!!  Be careful though with what you review on other logs and applying it to your own system.  Those instructions are just meant for those people, just like the instructions I give you are only meant for you. 
-----------

Go ahead and give aswMBR a shot and see if it will run and produce a log.  If the log is made, attach it to your next reply. 

[Jessette0514]

Thanks Jeff! I totally understand and won't do anything without your approval! I greatly appreciate the help! I hope you get paid for helping people with this crap! LOL! Anyways, that darn aswMBR took 2 1/2 hours to run - dear lord I hope that's the last scan I have to perform that takes that long! JEEZ!! Told ya my laptop is running slllllooooowww. I attached the aswMBR log - thanks again 

[jeffce]

Hi,

Good job getting those instructions ran. 


Please read through these instructions to familarize yourself with what to expect when this tool runs

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.  Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs
  
  
• Double click on ComboFix.exe & follow the prompts.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. CF disconnects your machine from the internet.  The connection is automatically restored before CF completes its run.  If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
4. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
5. If after the reboot you get errors about programs being marked for deletion then reboot, that will cure it.
---------

[Jessette0514]

Alright, got that completed and have the ComboFix log attached. Thank you!

[jeffce]

Hi,

• Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
  

Code: [Select]

ClearJavaCache::

Folder::
c:\documents and settings\Valued Customer\.frostwire5
c:\program files\FrostWire 5
c:\program files\Ask.com

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=-


• Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
  
  
  
  
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  
• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
• When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
  

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------

[Jessette0514]

I think I performed that step correctly - here's the log