Alureon-GEN virus & Google redirects

My computer got infected with 9 different viruses/malware and 2 of them were the Alureon-GEN x 2 (it showed I had it 2 times) and the FraudPack.gen trojan. I was using the free Avast anti-virus software and at least one or more of these trojans infected it too.

After going through a whole bunch of failed attempts to fix my computer, I came to this forum and followed some of the solutions offered here. I figured I’d share the exact steps I took so that it might help someone else with the same issue:

1 - I disabled my wireless internet on the infected computer.
2 - completely uninstalled Avast Anti-virus
3 - deleted the installation file for Avast I had saved on my computer (I did this because it had evidently gotten infected too, as did some other files in my My Docs folder - these were some nasty infections)
4 - control panel ->internet options-> delete all browsing history and offline content
5 - reboot computer
6 - ran a FULL scan with Malwarebytes Anti Malware (I already had it installed and updated)
7 - clicked “fix”
8 - installed tdsskiller and ran it
9 - installed OTS and ran it checking Registry “All” and selected some options in the additional scans:
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
After that finished:
10 - selected “cleanup” on OTS
11 - selected “Run Fix”. The trick is that it seems like everything is frozen up, but it isn't. Wait a long time, then Ctrl/Alt/Del to see that it is running, then close that window and OTS will ask to reboot to finish the fix.
12 - purchased Avast Internet Security and installed it

Everything seemed fine until I went on Google and did a search - then I had redirects. Soooo

1 - Avast full scan, checking all the option boxes. It showed Alureon-GEN twice and some other error files. Selected the “chest” option - Avast rebooted and ran the scan in safe mode:
Showed the Opera browser was corrupted in the Application Data folder (I never use that browser), so I uninstalled it and deleted the Opera folder from the Application Data folder.
2 - Repeated MBAM scan - showed clean
3 - Repeated tdsskiller - showed clean
4 - Repeated OTS scan
5 - installed Combofix.exe and ran it (had to disable both MBAM and Avast Internet Security, BUT had to reconnect to the internet for ComboFix to run - scary, but it turned out ok). Not sure what those results were, but it did something.
6 - Enabled just Avast Security and ran one more full system scan

Everything seems fine now. No more redirects from Google searches, and all other issues seem to be gone.

This is what is showing in the Avast virus chest:

C:\Documents and Settings\All Users\Application Data\Alwil Software\Avast5\arpot Virus: Win32:Rootkit-gen
C:\Documents and Settings\All Users\Application Data\Alwil Software\Avast5\arpot Virus: MBR:Alureon-G
C:\Documents and Settings\All Users\Application Data\Alwil Software\Avast5\arpot Virus: MBR:Alureon-G

Is there anything else I should do or be aware of? This all took 2 days to complete, and as of this moment, everything seems to be in proper working order.

I don't know if I should have done anything differently to avoid having to repeat scans, but the above is what I did.

Welcome to the forum, Survivor08.

I'd say you have done very well on your part.

Do you have any problems now?

Please post the OTL log and the ComboFix log so we could have a look at them.

Also run aswMBR to make sure everything is fine.
Download aswMBR from here http://public.avast.com/~gmerek/aswMBR.htm

Double click the aswMBR.exe to run it
Click the [Scan] button to start scan
On completion of the scan click [Save log], save it to your desktop and post in your next reply

I've attached the OTS log. I don't know where to find the ComboFix log. If you can tell me where it might be stored on my system, I'll be happy to attach it too.

I don't seem to be having any problems so far. I've done maybe 10 Google searches which were successful.

The combofix log should be in the root directory, C:\ComboFix.txt.

However, that said, ComboFix isn't generally a tool that we would recommend be used without advice and guidance.

Looks like it was a .job redirect and not an MBR one. I will be doing some tidying up as well, so the fix may take a tad longer than normal to run.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

 
[Unregister Dlls]
[Win32 Services - Safe List]
YN -> (LiveUpdate) LiveUpdate [On_Demand | Stopped] -> 
YN -> (Automatic LiveUpdate Scheduler) Automatic LiveUpdate Scheduler [Auto | Stopped] -> 
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > -> 
YN -> HKEY_USERS\S-1-5-18\: SearchURL\\"provider" -> gogl
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} [HKLM] -> [AVG Safe Search]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> "{4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-66214333-3168541619-743113820-1006\] > -> HKEY_USERS\S-1-5-21-66214333-3168541619-743113820-1006\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\"{C4069E3A-68F1-403E-B40E-20066696354B}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{BC4FFE41-DE9F-46FA-B455-AAD49B9F9938}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "avast5" -> ["C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui]
< Internet Explorer Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{39FD89BF-D3F1-45b6-BB56-3582CCF489E1}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}" [HKLM] -> [Reg Error: Value error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{39FD89BF-D3F1-45b6-BB56-3582CCF489E1}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}" [HKLM] -> [Reg Error: Value error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-66214333-3168541619-743113820-1006\] > -> HKEY_USERS\S-1-5-21-66214333-3168541619-743113820-1006\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}" [HKLM] -> [Reg Error: Value error.]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\Documents and Settings\Owner.YOUR-C531FCA5B0\Desktop\My Kazaa Gold\giFT\giFTl.exe" -> [C:\Documents and Settings\Owner.YOUR-C531FCA5B0\Desktop\My Kazaa Gold\giFT\giFTl.exe:*:Enabled:giFT Loader for My Kazaa Gold(http://www.MyKazaaGold.com)]
YN -> "F:\My Kazaa Gold\giFT\giFTl.exe" -> [F:\My Kazaa Gold\giFT\giFTl.exe:*:Enabled:giFT Loader for My Kazaa Gold(http://www.MyKazaaGold.com)]
[Files/Folders - Modified Within 30 Days]
NY ->  jdyqggv.job -> C:\WINDOWS\tasks\jdyqggv.job
[Files - No Company Name]
NY ->  mswmdmv.dll -> C:\WINDOWS\System32\mswmdmv.dll
NY ->  jdyqggv.job -> C:\WINDOWS\tasks\jdyqggv.job
[File - Lop Check]
NY ->  Alwil Software -> C:\Documents and Settings\All Users\Application Data\Alwil Software
NY ->  Avg7 -> C:\Documents and Settings\All Users\Application Data\Avg7
NY ->  jdyqggv.job -> C:\WINDOWS\Tasks\jdyqggv.job
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!
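The fix script above targets two file items alongside the registry cleanup: a scheduled-task .job file in C:\WINDOWS\Tasks (the ".job redirect" essexboy names) and a DLL with no company name in System32. As an added example that is not part of this thread or of the OTS tool, here is a small Python parser for that "FLAGS -> name -> target" fix-script format with a few defender-side heuristics for picking such items out of a log. The sample script embedded in it is a constructed excerpt in the same format, and the "machine-generated name" threshold is my own assumption, not anything OTS implements.

```python
"""Triage helper for entries in an OTS-style fix script.

Added example, not part of the thread or of the OTS tool. It parses the
"FLAGS -> name -> target" lines of a fix script and applies a few
defender-side heuristics: a .job file in the Windows Tasks folder, a
no-company-name DLL in System32, and names that look machine-generated.
"""
import re
from dataclasses import dataclass

# Constructed excerpt in OTS fix-script format (raw string keeps backslashes literal).
SAMPLE_OTS_FIX = r"""
[Win32 Services - Safe List]
YN -> (LiveUpdate) LiveUpdate [On_Demand | Stopped] ->
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > ->
YN -> HKEY_USERS\S-1-5-18\: SearchURL\\"provider" -> gogl
[Files/Folders - Modified Within 30 Days]
NY ->  jdyqggv.job -> C:\WINDOWS\tasks\jdyqggv.job
[Files - No Company Name]
NY ->  mswmdmv.dll -> C:\WINDOWS\System32\mswmdmv.dll
NY ->  jdyqggv.job -> C:\WINDOWS\tasks\jdyqggv.job
[File - Lop Check]
NY ->  Alwil Software -> C:\Documents and Settings\All Users\Application Data\Alwil Software
NY ->  jdyqggv.job -> C:\WINDOWS\Tasks\jdyqggv.job
[Empty Temp Folders]
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
# Two-letter OTS flag column, then "name -> target"; the target may be empty.
ENTRY_RE = re.compile(r"^([YN]{2}) -> (.*?) ->\s*(.*)$")
VOWELS = set("aeiou")


@dataclass
class Entry:
    section: str   # bracketed section the entry sits under
    flags: str     # the "YN"/"NY" column exactly as written
    name: str
    target: str    # file path, registry data, or "" for service entries


def parse_ots_fix(text: str) -> list[Entry]:
    """Turn the fix script into Entry records; '< ... >' sub-headers are skipped."""
    entries, section = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if line.startswith("<"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            flags, name, target = m.groups()
            entries.append(Entry(section, flags, name.strip(), target.strip()))
    return entries


def looks_generated(stem: str) -> bool:
    """Assumed heuristic: six or more letters with almost no vowels (e.g. 'jdyqggv')."""
    s = stem.lower()
    if not s.isalpha() or len(s) < 6:
        return False
    return sum(c in VOWELS for c in s) / len(s) < 0.2


def triage(text: str) -> dict[str, list[str]]:
    """Map each suspicious target (lower-cased path) to the reasons it was flagged."""
    findings: dict[str, list[str]] = {}

    def flag(path: str, reason: str) -> None:
        reasons = findings.setdefault(path, [])
        if reason not in reasons:          # the same file can appear in several sections
            reasons.append(reason)

    for e in parse_ots_fix(text):
        path = e.target.lower()
        if not path:
            continue
        stem = e.name.rsplit(".", 1)[0]
        if path.endswith(".job") and "\\tasks\\" in path:
            flag(path, "scheduled task .job file in Windows Tasks")
        if (e.section.startswith("Files - No Company Name")
                and path.endswith(".dll") and "\\system32\\" in path):
            flag(path, "DLL with no company name in System32")
        if looks_generated(stem):
            flag(path, f"machine-generated looking name '{e.name}'")
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_OTS_FIX).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Run against the sample it flags only the .job file and the System32 DLL, each for two reasons; the Alwil Software folder and the service entry pass through untouched. A real OTS log would be fed in the same way, and the heuristics are only a first pass for deciding what to look at next, not a verdict.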

Thanks so much essexboy for your help! I ran OTS again and attached the log. I found the combofix folder but there was no “combofix.txt” file in it. It was a scary program to run, I just started it and left it alone till it told me to do something. But I will say that after I ran it, the redirecting stopped.

Anyway, I’ll wait for your next reply of what to do, let me know if I should still run the aswMBR.exe thing or not. Thanks again!

Aye, run aswMBR but use the latest version. What are your current problems?

Download aswMBR.exe ( 1.8mb ) to your desktop.

Double click the aswMBR.exe to run it

Click the “Scan” button to start scan

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR2-1.gif

On completion of the scan click save log, save it to your desktop and post in your next reply

http://public.avast.com/~gmerek/aswMBR2.png

I ran the aswMBR software. It was about 1 1/2 hours into the scan when all of a sudden my screen went black with green vertical stripes. I waited for about 20 min and no change, so I manually turned my machine off. I have no idea if it completed the scan or not and frankly am afraid to try it again. I was not running any other programs during this scan, but I did not turn off Avast Security; don't know if that had anything to do with it.

Anyway, my computer is still working properly as far as I can tell and no more redirects.

I will wait for further instructions before proceeding any further. Thanks again for your patience and help!

Try running aswMBR, but don’t select the Quick scan in the AV engine: option, choose None and that should be fairly quick and hopefully complete so you can save and post the log.

Alright, I was able to re-run scan and it finished. I have attached the log to this reply. I have the program minimized awaiting further instructions. Thanks!!

That looks OK now. Any further problems?

No more problems ;D Thanks again for everyones help!! ;D

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands [resethosts] [purity] [emptytemp] [EMPTYFLASH] [CLEARALLRESTOREPOINTS] [Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done

Uninstall ComboFix

Remove Combofix now that we’re done with it.

- Please press the Windows Key and R on your keyboard. This will bring up the Run… command.
- Now copy/paste this: ComboFix /Uninstall in the run box and click OK. Note the space between the X and the /Uninstall, it needs to be there.

http://i275.photobucket.com/albums/jj285/Bleeping/Combofix/CFuninstall.gif

- Please follow the prompts to uninstall ComboFix.
- This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.
- You will then receive a message saying ComboFix was uninstalled successfully once it's done uninstalling itself.

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set back to hidden, as some of the tools I use will change that:

- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View tab.
- Under the Hidden files and folders heading select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.

http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of the Java components and upgrade the application.

Upgrading Java:

- Go to this site and click Do I have Java
- It will check your current version and then offer to update to the latest version

SPRING CLEAN

Download and run Puran Disc Defragmenter
For the first run I would recommend a boot defrag and disk check

http://i1224.photobucket.com/albums/ee362/Essexboy3/Puran-1.gif

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Malwarebytes. Update and run weekly to keep your system clean

Download and install the FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit
- Microsoft Windows Update

To learn more about how to protect yourself while on the internet, read our little guide: How did I get infected in the first place?
Keep safe :wave:

I followed all the above instructions and am happy to report that all is still running well and everything appears to be cleaned out. I can't say thanks enough for everyone's help!!! I'm an Avast customer for life!!

Glad we could help ;D