Help! - Another apparent Alureon-K victim

Hi, I am someone who is very far from being even a marginally knowledgeable computer user, but I see that Avast is telling me my machine has the Alureon-K virus.

I’ve read the advice here, and got no results from the latest version of TDSSKiller or aswMBR.exe (absolutely nothing happens when I try to run these). I am attaching a screen shot from the Disk Management Console, and a Malwarebytes Anti-Malware scan. I recognize from the discussions that I need the help of the leading experts. If someone can please let me know what additional scans are needed to figure out what I need to do (since the other threads indicate I should not take any further steps without expert advice), and what the next steps are, it would be greatly appreciated!

Thanks very much!

Jerry

Hi,

I need you to download:
gparted-live-0.10.0-3.iso (115.1 MB)

Create a bootable CD, for Gparted from the ISO image.

You can use ImgBurn do this.

Now boot off of the newly created Gparted CD.

http://img829.imageshack.us/img829/5772/gpartedsplash.th.png

You should be here… Press ENTER

http://img5.imageshack.us/img5/7286/gpartedkeymaps.th.png

By default, “do not touch keymap” is highlighted.
Leave this setting alone and just press ENTER.

http://img404.imageshack.us/img404/9840/gpartedlanguage.th.png

Choose your language and press ENTER. English is default [33]

http://img140.imageshack.us/img140/7958/gpartedgui.th.png

Once again, at this prompt, press ENTER
You will now be taken to the main GUI screen below

http://img32.imageshack.us/img32/1122/gpartedo.th.png

According to your logs, the partition that you want to delete is 1mb

Click the trash can icon to delete and then click Apply.

You should now be here confirming your actions:

http://img233.imageshack.us/img233/1533/gpartedsteps.th.png

Now you should be here:

http://img696.imageshack.us/img696/8471/gpartedsuccessclose.th.png

http://img194.imageshack.us/img194/7753/gpartedboot.th.png

Is “boot” next to your OS drive?
If “boot” is not next to your OS drive under “Flags”, right-mouse click the OS drive while in Gparted and select Manage Flags

In the menu that pops up, place a checkmark in boot like the picture below:

http://img196.imageshack.us/img196/3483/gpartedmanageflagsboot.th.png

Now double-click the
http://img822.imageshack.us/img822/641/gpartedexit.png
button.

You should receive a small pop up like this:

http://img88.imageshack.us/img88/8986/gpartedexitreboot.png

Choose reboot and then press OK.

Try to run a new scan again with aswMBR. It should probably work now. :slight_smile:

[*]Download OTL to your desktop.
[*]Right-click and Run as Administrator on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]When the window appears, underneath Output at the top change it to Minimal Output.
[*]Check the boxes beside LOP Check and Purity Check.
[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note:These logs can be located in the OTL. folder on you C:\ drive if they fail to open automatically.
[*]Please attach the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.

In your next reply please attach the logs made by aswMBR and OTL. :slight_smile:

Thanks so much! It worked great (as far as I can tell)!

I am attaching the aswMBR file, and the two OTL files that you asked for. (I am also in the process now of running a “long” Avast scan on my machine; the quick scan did not detect the file that the aswMBR scan detected, which file I have not yet deleted or done anything with.)

Thanks again!

Jerry

Update – after the Avast scan finished, it found 4 infected items – the same one that aswMBR found (see above), and the Alureon-K virus in three files within Avast. I followed the instructions in Avast for moving these files to whatever protected location they move them to.

Question: is there advice somewhere on how to correct various things that the virus(es) changed? I notice a number of problems now. E.g.:

  1. When the computer shuts down, I get an error message that rundll32.exe is “not responding,” and I have to close it.
  2. When I try to stream Google Play movies, I get an error message and they do not play.
  3. When I try to play some Steam games (e.g., The Witcher Enhanced edition), I get an error message on start-up and they do not play.

Thanks!
Jerry

Hi Jerry (I hope its ok to call you that),

Even though you have good intentions, please don’t run any additional scans without being asked. You may accidentally remove and entry that could hold the whole key to the infection and we would never see it. I know we don’t want that. :slight_smile:

Let me look over the logs and I will return as quickly as I can. It may be later today due to having to travel for work today.

Hi,

I am so sorry for the delay in response. :frowning:

Please download ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.

Run OTL.exe

[*]Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL


:Services

:OTL
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2011/01/15 17:10:46 | 000,008,192 | ---- | C] () -- C:\Documents and Settings\Admin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[start explorer]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered. There will be a log created when it completes that I will need in your next reply. Reboot when it is done.
[*]Then run a new scan and post a new OTL log ( don’t check the boxes beside LOP Check or Purity this time )

Jeff,

There’s certainly no need for you to apologize for any delay. I am hugely in your debt for taking the time and effort to help me out.

So, I hopefully correctly followed your instructions. I am attaching the two logs that I saved from OTL.

Thanks again!

Best,
Jerry

Hi,

Malwarebytes

I see that you have Malwarebytes already on your computer. Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista users: You will need to to right-click on the either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

[*]Please go here then click on:
http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS1.gif

[*][quote]Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
[*]Select the option YES, I accept the Terms of Use then click on:
http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif

[*]When prompted allow the Add-On/Active X to install.
[*]Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
[*]Now click on Advanced Settings and select the following:

[*]Scan for potentially unwanted applications
[*]Scan for potentially unsafe applications
[*]Enable Anti-Stealth Technology

[*]Now click on:
http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif

[*]The virus signature database… will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
[*]When completed the Online Scan will begin automatically.
[*]Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
[*]When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
[*]Now click on:
http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS4.gif

[*]Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
[*]Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

In your next reply please attach the logs made by Malwarebytes and ESET online scanner. :slight_smile:

Jeff,

Attached are the Malwarebytes and ESET logs. For what it’s worth, my computer is still misbehaving in various ways; for example, after a google search using IE, clicking on a result link sometimes get directed to somewhere other than where that link should go.

Thanks,
Jerry

Hi,

Go ahead and run Malwarebytes again and remove the entries found this time. :slight_smile:

Once you get that complete please let me know if you are still having problems. If so let me know exactly what is going on.

Jeff,

So far, so good! No more hijacking of web searches, as far as I can see. And no other inappropriate behavior that I noticed.

Thanks so much for all your help!!!

Best,
Jerry

Hi,

Glad that your system is running better. :slight_smile:

Let’s get some updates on your system.

Please download JavaRa to your desktop and unzip it to its own
folder
[*]Run JavaRa.exe (double-click for XP/right-click and Run as Administrator for Vista), pick the language of your choice and click Select. Then
click Remove Older Versions.
[*]Accept any prompts.
[*]Open JavaRa.exe (double-click for XP/right-click and Run as Administrator for Vista) again and select Search For Updates.
[*]Select Update Using Sun Java’s Website then click Search and click on the Open Webpage button. Download and install the latest
Java Runtime Environment (JRE) version for your computer using the Offline version of either x86 (32bit operating system) or x64 (64bit operating system).


You have an older version of Adobe Reader. You can download the current version HERE

You may want to consider Foxit Reader instead. It may be a bit lighter on resources.

Visit their support forum
Foxit Forum

In either case you should uninstall Adobe Reader X first. Be sure to move any PDF documents to another folder first though.

Please run a new scan with OTL and attach the new log to your next reply. :slight_smile:

Jeff,

Here is the new OTL log.

Thanks,
Jerry

Providing there are no more malware related problems…

IT APPEARS THAT YOUR LOGS ARE NOW CLEAN :smiley: SO LETS DO A COUPLE OF THINGS TO WRAP THIS UP!! :smiley:

This infection appears to have been cleaned, but I can not give you any absolute guarantees. As a precaution, I would go ahead and change all of your passwords as this is especially important after an infection.

Clean up with OTL:

[*]Right-click and Run as Administrator OTL.exe to start the program.
[*]Close all other programs apart from OTL as this step will require a reboot
[*]On the OTL main screen, press the CLEANUP button
[*]Say Yes to the prompt and then allow the program to reboot your computer.


Any of the logs that you created for use in the forums or remaining tools that have not yet been removed can be deleted using right-click > delete so they aren’t cluttering up your desktop.

Here are some tips to reduce the potential for spyware infection in the future:

1. Make your Internet Explorer more secure - This can be done by following these simple instructions:

[*]From within Internet Explorer click on the Tools menu and then click on Options.
[*]Click once on the Security tab
[*]Click once on the Internet icon so it becomes highlighted.
[*]Click once on the Custom Level button.
[*]Change the Download signed ActiveX controls to Prompt
[*]Change the Download unsigned ActiveX controls to Disable
[*]Change the Initialize and script ActiveX controls not marked as safe to Disable
[*]Change the Installation of desktop items to Prompt
[*]Change the Launching programs and files in an IFRAME to Prompt
[*]Change the Navigate sub-frames across different domains to Prompt
[*]When all these settings have been made, click on the OK button.
[*]If it prompts you as to whether or not you want to save the settings, press the Yes button.
[*]Next press the Apply button and then the OK to exit the Internet Properties page.

2. Enable Protected Mode in Internet Explorer. This helps Windows Vista users stay more protected from attack by running Internet Explorer with restricted privileges as well as reducing the ability to write, alter or destroy data on your system or install malicious code. To make sure this is running follow these steps:
[*]Open Internet Explorer
[*]Click on Tools > Internet Options
[*]Press Security tab
[*]Select Internet zone then place check next to Enable Protected Mode if not already done
[*]Do the same for Local Intranet, Trusted Sites and Restricted Sites and then press Apply
[*]Restart Internet Explorer and in the bottom right corner of your screen you will see Protected Mode: On showing you it is enabled.

3. Use and update an anti-virus software - I can not overemphasize the need for you to use and update your anti-virus application on a regular basis. With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

4. Firewall
Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. A tutorial on firewalls can be found [color=blue]here. **There are firewalls listed in this tutorial that could be downloaded and used but I would personally only recommend using one of the following two below:
Online Armor Free
Agnitum Outpost Firewall Free

5. Make sure you keep your Windows OS current. Windows XP users can visit Windows update regularly to download and install any critical updates and service packs. Windows Vista/7 users can open the Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane) to update these systems. Without these you are leaving the back door open.

6. WOT (Web of Trust) As “Googling” is such an integral part of internet life, this free browser add on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT’s color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites. WOT has an add-on available for Firefox, Internet Explorer as well as Google Chrome.

7. Finally, I strongly recommend that you read TonyKlein’s good advice So how did I get infected in the first place?

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.

Jeff,

I have used OTL for cleanup, as you instructed, and followed the other advice.

Thanks so much for all of your help! I am more than satisfied!! You were great!!!

Best,
Jerry

Glad that I could be of help. You are more than welcome! :slight_smile: