Bout with Alureon, am I clean?

Older Vista laptop that I use was recently infected with the Alureon/Smart HDD trojan. I’ve tried various methods such as MBAM and TDSSKiller and now quick scans come up clean, but the computer itself is a little slow to load when I log into my account (though admittedly there is a lot of stuff stored on here). Anyway, I just want to make sure there aren’t any hidden nasties left and so I’ve attached the ADW, MBAM, and OTL logs. I downloaded and ran aswMBR but I got a blue screen halfway so I’m not sure if I should reinstall and run again?

Any and all help is much appreciated! :slight_smile:

You can try it in safe mode.

Ah ok I’ll try that right now, thank you!

You’re welcome.

Here is the attached aswMBR log.

Computer booted up normally, though there is still some lag (though this may be due to the amount of stuff I have on here, as I noted in my first post). I ran TDSSKiller and found 17 suspicious objects of medium risk. I’ve included the log just in case it’s any help.

I will give a link for the Norton removal tool at the end … If you run this your speed should perk up a bit

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
O2 - BHO: (Reg Error: Value error.) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBHO.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Show Norton Toolbar) - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll (Symantec Corporation)
[2012/09/27 21:01:24 | 000,000,000 | ---D | C] -- C:\Users\jon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\File Recovery
[2012/09/27 21:41:48 | 000,000,152 | ---- | M] () -- C:\ProgramData\-xkNVRyLIjxW7CKr
[2012/09/27 21:41:48 | 000,000,144 | ---- | M] () -- C:\ProgramData\-xkNVRyLIjxW7CK
[2012/09/27 21:41:34 | 000,000,368 | ---- | M] () -- C:\ProgramData\xkNVRyLIjxW7CK
[2012/09/27 21:01:27 | 000,000,631 | ---- | M] () -- C:\Users\jon\Application Data\Microsoft\Internet Explorer\Quick Launch\File_Recovery.lnk
[2012/09/27 21:01:27 | 000,000,607 | ---- | M] () -- C:\Users\jon\Desktop\File_Recovery.lnk
[2012/09/27 21:41:48 | 000,000,152 | ---- | C] () -- C:\ProgramData\-xkNVRyLIjxW7CKr
[2012/09/27 21:41:47 | 000,000,144 | ---- | C] () -- C:\ProgramData\-xkNVRyLIjxW7CK
[2012/09/27 21:01:27 | 000,000,631 | ---- | C] () -- C:\Users\jon\Application Data\Microsoft\Internet Explorer\Quick Launch\File_Recovery.lnk
[2012/09/27 21:01:27 | 000,000,607 | ---- | C] () -- C:\Users\jon\Desktop\File_Recovery.lnk
[2012/09/27 20:51:19 | 000,000,368 | ---- | C] () -- C:\ProgramData\xkNVRyLIjxW7CK

:Files
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt  /c
ipconfig /release /c
ipconfig /renew /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

https://www-secure.symantec.com/norton-support/jsp/help-solutions.jsp?docid=kb20080710133834EN_EndUserProfile_en_us&product=home&pvid=f-home&version=1&lg=en&ct=us Norton removal tool

Hello,

I’ve run the OTL fix and all that’s left in the box is

[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

There’s no activity showing at the bottom of the window and everything else has disappeared, is this normal?

Thanks!

It is MBAM being a pain, or your temporary folders are very, very full. Is there a little green bar at the bottom moving?

No green bar :frowning:

OK close OTL and reboot

Done, awaiting further instructions :slight_smile:

OK run the Norton removal tool and then run a fresh OTL scan please, also let me know if the boot has improved once Norton has gone

Norton removed, still sluggish but slightly faster than before. Running OTL scan now.

Here is the latest OTL scan.

OK, let's get rid of the rest of Norton and do a final check on the MBR.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20070110.052\NAVEX15.SYS -- (NAVEX15)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20070110.052\NAVENG.SYS -- (NAVENG)
[2012/09/29 11:48:19 | 000,000,000 | ---D | C] -- C:\ProgramData\McAfee
[2012/09/17 22:11:00 | 000,000,020 | ---- | M] () -- C:\ProgramData\PKP_DLec.DAT

:Files
C:\PROGRA~2\Symantec
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt  /c
ipconfig /release /c
ipconfig /renew /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download the latest version of TDSSKiller from here and save it to your Desktop.

[*]Double-click on TDSSKiller.exe to run the application

http://dl.dropbox.com/u/73555776/TDSSFront.JPG

[*]Then click on Change parameters.

http://dl.dropbox.com/u/73555776/TDSSConfig.JPG

[*]Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

[*]Click the Start Scan button.

[*]If a suspicious object is detected, the default action will be Skip, click on Continue.

http://dl.dropbox.com/u/73555776/TDSSFound.JPG

[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

[*]Get the report by selecting Reports

http://dl.dropbox.com/u/73555776/TDSSEnd.JPG

[*]Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.
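As an added example (not part of this thread, and not OTL's own code): a small Python reader for a fix script in the layout used by the two OTL fixes above (":OTL", ":Files" and ":Commands" sections, with command lines under ":Files" marked by a trailing "/c"). It summarises which paths, drivers and commands the fix would act on, so the person receiving a fix can review it line by line before clicking Run Fix. The sample script is constructed from entries that appear in this thread; the section names and the "/c" convention are taken from the fixes as posted, while the entry labels ("driver", "browser helper object", "file", "directory") are my own classification.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, assembled from entries that appear in the fixes above.
SAMPLE_FIX = r""":OTL
O2 - BHO: (Reg Error: Value error.) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBHO.dll (Symantec Corporation)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20070110.052\NAVEX15.SYS -- (NAVEX15)
[2012/09/27 21:41:48 | 000,000,152 | ---- | M] () -- C:\ProgramData\-xkNVRyLIjxW7CKr
[2012/09/29 11:48:19 | 000,000,000 | ---D | C] -- C:\ProgramData\McAfee

:Files
C:\PROGRA~2\Symantec
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt  /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
"""

# A Windows path: drive letter, colon, backslash, then everything up to the
# next " -- " separator, a " (" vendor note, or the end of the line.
DRIVE_PATH = re.compile(r"([A-Za-z]:\\.*?)(?= -- | \(|$)")


@dataclass
class FixPlan:
    otl_entries: list = field(default_factory=list)    # (kind, path) from :OTL
    file_targets: list = field(default_factory=list)   # paths listed under :Files
    file_commands: list = field(default_factory=list)  # "/c" lines under :Files
    commands: list = field(default_factory=list)       # [directives] under :Commands


def classify(line):
    """Label an :OTL line by the kind of item it names (labels are my own)."""
    if line.startswith("DRV"):
        return "driver"
    if line.startswith("O2"):
        return "browser helper object"
    if line.startswith("O3"):
        return "toolbar"
    if line.startswith("["):
        # Third field of the bracketed header holds attributes; 'D' marks a directory.
        attrs = line[1:line.index("]")].split("|")[2].strip()
        return "directory" if "D" in attrs else "file"
    return "other"


def parse_fix(text):
    """Split a fix script into its sections and pull out what each line targets."""
    plan = FixPlan()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):          # section header such as :OTL
            section = line[1:].lower()
            continue
        if section == "otl":
            m = DRIVE_PATH.search(line)
            plan.otl_entries.append((classify(line), m.group(1) if m else line))
        elif section == "files":
            if re.search(r"\s/c$", line):  # trailing /c marks a command to run
                plan.file_commands.append(re.sub(r"\s+/c$", "", line))
            else:
                plan.file_targets.append(line)
        elif section == "commands":
            plan.commands.append(line.strip("[]"))
    return plan


def summarise(plan):
    """Human-readable pre-run review of what the fix would touch."""
    rows = [f"{kind:<22} {path}" for kind, path in plan.otl_entries]
    rows += [f"{'path (:Files)':<22} {p}" for p in plan.file_targets]
    rows += [f"{'command':<22} {c}" for c in plan.file_commands]
    rows += [f"{'directive':<22} [{c}]" for c in plan.commands]
    return "\n".join(rows)


if __name__ == "__main__":
    print(summarise(parse_fix(SAMPLE_FIX)))
```

Paste the fix you were given into SAMPLE_FIX (or read it from a file) and check the printed list against what you expect to be removed; anything unfamiliar is worth asking about before running the fix.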

Hello again! Unfortunately I got a blue screen as soon as I tried to Run Fix :frowning:

OK go forward to the TDSSKiller run please

Here is the attached TDSS log, couldn’t copy and paste because it exceeded the character limit.

That looks good. What problems remain?