Alureon-K

Hi there… a few months back I became aware I had a trojan problem. I have used Panda for years but somehow this got past my security (I removed Panda a few days ago upon downloading Avast) and I had to do the unhide.exe to retrieve sight of my docs etc. I also bought TrojanKiller and I have PC Optimiser too - I have been running very frequent scans on all these products but nothing was improving my PC’s performance and I was sure something was remaining hidden. I have very up-to-date XP security updates too. All to no avail and my system has slowed down considerably. Avast however has made me aware that Alureon-K is in the boot-up system and I ran a pre-boot scan (great idea) which removed some files but I wonder if something is still lurking. How can I be sure Alureon-K is gone from my boot system and is not being reloaded each time I boot up?
thank you

Hi vix

I also bought TrojanKiller and I have PC Optimiser too

what programs are these? :wink:

Can you visit the following page:

http://forum.avast.com/index.php?topic=53253.0

and complete the scans please

once completed can you post the logs here in an attachment

our malware experts are offline at the moment. 8)

Did you buy TrojanKiller? It’s a trash program. I feel sorry for your money :smiley:.
Were you able to do a scan with aswMBR? If so, post the log please.

Monitoring… :smiley:

I also bought TrojanKiller and I have PC Optimiser too
See here re World Of Trust ratings for PC Optimizer: http://www.mywot.com/en/scorecard/pcoptimizerpro.com

As WOT is a reputation-based service and vendor, ratings are based on member opinions and experiences on this site.

Just a brief perusal on Google search indicates this may not be the best program to have on your system.

Please follow adotd’s advice and follow the steps outlined in http://forum.avast.com/index.php?topic=53253.0. I see jeffce is already monitoring your thread, so attaching the logs here will get you going.

Hi there… MBR log as requested. There were lots of other programs listed on that link… do I have to go through all of them? I note the MBR log doesn’t list Alureon-K but Avast keeps getting me to do a pre-boot scan and it’s been found there a few times. I have moved them to the chest.

thanks for your help!!

ps - i bought pc optimizer because I hadn’t spoken to you first :slight_smile:

Hi,

Please run the scans for OTL and aswMBR and then attach the logs that are created. :slight_smile:

As requested :slight_smile: .

Do you need any avast scan logs too?

thank you

Hi,

Please download and run ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.

Run OTL.exe

[*]Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL


:Services

:OTL
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKU\S-1-5-21-2000478354-1979792683-839522115-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
FF - prefs.js..browser.search.selectedEngine: "Yahoo.co.uk"
O3 - HKU\S-1-5-21-2000478354-1979792683-839522115-1003\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-2000478354-1979792683-839522115-1003\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2011/09/18 22:05:40 | 000,009,728 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/01/28 10:57:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Babylon

:Files
ipconfig /flushdns /c

:Reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP"=-
"445:TCP"=-
"137:UDP"=-
"138:UDP"=-

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered. There will be a log created when it completes that I will need in your next reply. Reboot when it is done.
[*]Then run a new scan and post a new OTL log ( don’t check the boxes beside LOP Check or Purity this time )

Hi jeffce… I have tried this process twice and it has frozen my PC both times. It states “killing processes. DO NOT INTERRUPT” but then freezes and I have to reboot. The second time I left it a good few hours thinking it would do something but it wasn’t going to work. Any ideas?
Thank you.

Hi,

Boot into Safe Mode and perform the same actions and hopefully it will run through then. :slight_smile:

ah, when I try to boot in safe mode my keyboard mysteriously stops working… :-\

Hi,

Open the Run box by going to Start >> Run

In the run box type the following

diskmgmt.msc

When Disk Management opens, expand it so that all drives are visible
Take a screenshot and post it here

Are you able to burn a CD on another computer ?

attached…

At the moment I can’t burn from another PC but can try to arrange to later this week. What do I need to burn?

Hi,

See if you are able to perform the following instructions from another computer…

I need you to download:
gparted-live-0.10.0-3.iso (115.1 MB)

Create a bootable CD for GParted from the ISO image.

You can use ImgBurn to do this.

Now boot off of the newly created Gparted CD.

http://img829.imageshack.us/img829/5772/gpartedsplash.th.png

You should be here… Press ENTER

http://img5.imageshack.us/img5/7286/gpartedkeymaps.th.png

By default, “do not touch keymap” is highlighted.
Leave this setting alone and just press ENTER.

http://img404.imageshack.us/img404/9840/gpartedlanguage.th.png

Choose your language and press ENTER. English is default [33]

http://img140.imageshack.us/img140/7958/gpartedgui.th.png

Once again, at this prompt, press ENTER
You will now be taken to the main GUI screen below

http://img32.imageshack.us/img32/1122/gpartedo.th.png

According to your logs, the partition that you want to delete is 10 MB.

Click the trash can icon to delete and then click Apply.

You should now be here confirming your actions:

http://img233.imageshack.us/img233/1533/gpartedsteps.th.png

Now you should be here:

http://img696.imageshack.us/img696/8471/gpartedsuccessclose.th.png

http://img194.imageshack.us/img194/7753/gpartedboot.th.png

Is “boot” next to your OS drive?
If “boot” is not next to your OS drive under “Flags”, right-mouse click the OS drive while in Gparted and select Manage Flags

In the menu that pops up, place a checkmark in boot like the picture below:

http://img196.imageshack.us/img196/3483/gpartedmanageflagsboot.th.png

Now double-click the
http://img822.imageshack.us/img822/641/gpartedexit.png
button.

You should receive a small pop up like this:

http://img88.imageshack.us/img88/8986/gpartedexitreboot.png

Choose reboot and then press OK.

Open the Run box by going to Start >> Run

In the run box type the following

diskmgmt.msc

When Disk Management opens, expand it so that all drives are visible
Take a screenshot and post it here

Hi there (had a bit of a break because I had flu, then your forum was down). Got my IT guy at work to burn a disk for me. However, my machine doesn’t boot up from it at all. I get the following options:

1 - normal
2 - hard disk drive c
3 - system set up
4 - IDE drive diagnostics
5 - boot to utility partition

It first of all tells me my keyboard is disabled.

thoughts? :frowning:

Let’s try to get that keyboard working…

[*]Click Start > Programs >> Accessories >> select Notepad.
[*]This will open an empty Notepad file.
[*]Copy/Paste the contents of the box below into Notepad.


@echo off
rem Export the kbdclass driver service key to a text file on the Desktop,
rem open it in Notepad, then remove the export and this batch file.
regedit.exe /e "%userprofile%\Desktop\look.txt" "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\kbdclass"
Notepad.exe "%userprofile%\Desktop\look.txt"
Del "%userprofile%\Desktop\look.txt"
Del "%~f0"

[*]Click Format and ensure Wordwrap is unchecked.
[*]Save as RegExp.bat
[*]Save as file type All Files or it won’t work.
[*]Now double click on RegExp.bat to run it.
[*]A file look.txt will open on your Desktop, please post the contents in your next reply.

Okay… it says…

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\kbdclass]
"ErrorControl"=dword:00000001
"Group"="Keyboard Class"
"Start"=dword:00000001
"Tag"=dword:00000001
"Type"=dword:00000001
"DisplayName"="Keyboard Class Driver"
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,6b,00,62,00,64,00,63,00,6c,00,61,\
  00,73,00,73,00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\kbdclass\Parameters]
"ConnectMultiplePorts"=dword:00000000
"KeyboardDataQueueSize"=dword:00000064
"KeyboardDeviceBaseName"="KeyboardClass"
"MaximumPortsServiced"=dword:00000003
"SendOutputToAllPorts"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\kbdclass\Enum]
"0"="Root\\RDP_KBD\\0000"
"Count"=dword:00000002
"NextInstance"=dword:00000002
"1"="ACPI\\PNP0303\\4&11876118&0"
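Added example (not from the thread or any tool it mentions): a small Python parser for regedit 5.00 exports like the one posted above, which decodes the hex(2) ImagePath and checks the kbdclass service entry against the stock Windows XP values. The sample is constructed from the posted export; the "expected" values are the XP defaults and the key-name suffix match is an assumption that the export came from a Services subtree.

```python
import re
# Constructed sample based on the kbdclass export posted above, in regedit's own
# escaping (straight quotes, doubled backslashes, '\' line continuations).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\kbdclass]
"Start"=dword:00000001
"Type"=dword:00000001
"DisplayName"="Keyboard Class Driver"
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,6b,00,62,00,64,00,63,00,6c,00,61,\
  00,73,00,73,00,2e,00,73,00,79,00,73,00,00,00
'''

def decode_value(raw):
    """Decode one .reg value: dword, hex(2) (REG_EXPAND_SZ as UTF-16LE) or quoted string."""
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    if raw.startswith('hex(2):'):
        data = bytes(int(b, 16) for b in raw[7:].split(',') if b)
        return data.decode('utf-16-le').rstrip('\x00')
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return raw

def parse_reg(text):
    """Parse a regedit 5.00 export into {key_path: {value_name: decoded_value}}."""
    text = re.sub(r',\\\r?\n\s*', ',', text)  # join backslash-continued hex lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
        if m and current is not None:
            keys[current][m.group(1)] = decode_value(m.group(2))
    return keys

def check_kbdclass(keys):
    """Report where the Keyboard Class Driver service entry departs from the XP
    defaults: Type 1 (kernel driver), Start 1 (system start), stock ImagePath."""
    svc = next((v for k, v in keys.items() if k.lower().endswith(r'\services\kbdclass')), None)
    if svc is None:
        return ['kbdclass service key missing']
    expected = {'Start': 1, 'Type': 1, 'ImagePath': r'system32\drivers\kbdclass.sys'}
    got = {n: (v.lower() if isinstance(v, str) else v) for n, v in svc.items()}
    return [f'{n}={svc.get(n)!r} (expected {w!r})' for n, w in expected.items() if got.get(n) != w]
```

An empty list from check_kbdclass means the entry matches the defaults; anything else names the value that differs, which is the first thing to compare against a known-good machine before merging a fix like the one posted below.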

Hi,

Next I would like you to take the following steps:
[*] Click Start >> Accessories >> Notepad and click Ok
[*] Copy and Paste the contents of the Code box below into Notepad


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Kbdclass]
"ErrorControl"=dword:00000001
"Group"="Keyboard Class"
"Start"=dword:00000001
"Tag"=dword:00000001
"Type"=dword:00000001
"DisplayName"="Keyboard Class Driver"
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,6b,00,62,00,64,00,63,00,6c,00,61,\
  00,73,00,73,00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Kbdclass\Parameters]
"ConnectMultiplePorts"=dword:00000000
"KeyboardDataQueueSize"=dword:00000064
"KeyboardDeviceBaseName"="KeyboardClass"
"MaximumPortsServiced"=dword:00000003
"SendOutputToAllPorts"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Kbdclass\Enum]
"0"="Root\\RDP_KBD\\0000"
"Count"=dword:00000002
"NextInstance"=dword:00000002
"1"="ACPI\\PNP0303\\4&1d401fb5&0"

[*] Save as regfix.reg to your Desktop
[*] Make sure to save file type as All Files
[*] Now right-click regfix.reg and select Merge

Is your keyboard working?

My keyboard works fine… it is only when I try to get into Safe Mode or into another boot mode that it disables. It is as if this is part of the infection… that it prevents me doing these things that will help repair the PC. :-\