Laptop Infected with Alureon-K Virus

Hello!

I was searching the web for solutions to remove the Alureon-K virus, but couldn't find any. I saw some people removing it successfully with the help of essexboy, I wonder if he could help me too. I'm not an expert in malware removal but I'm trying some software already. I can't run some .exes on my computer so it's much harder to do anything.

Please help!

Ivan

Please attach your logs.
http://forum.avast.com/index.php?topic=53253.0

Monitoring if needed… :slight_smile:

Hey, thanks for the reply.

Here are the logs you requested. I could run all of the software except aswMBR.exe.

And here are the last two logs.

Please tell me if anything else is needed.

Thank you.

Hi,

Could you run and attach the logs for aswMBR as well please? :slight_smile:

Hi jeffce,

Of all the programs I was supposed to run, aswMBR was the only one that wouldn't run on my PC. The .exe won't start.

Ok…

Please download TDSSKiller.zip

- Extract it to your desktop
- Double click TDSSKiller.exe
- When the window opens, click on Change Parameters
- Under "Additional options", put a check mark in the box next to "Detect TDLFS File System"
- Click OK
- Press Start Scan

- Only if Malicious objects are found, then ensure Cure is selected
- Then click Continue > Reboot now

- Copy and paste the log in your next reply

- A copy of the log will be saved automatically to the root of the drive (typically C:)

I already ran TDSSKiller. It detected two threats:

Rootkit.Boot.SST.b
Physical drive: \Device\Harddisk0\DR0
Malware object, High risk

for which I can select Cure.

and

TDSS System
Physical Drive: \Device\Harddisk0\DR0
Suspicious object, medium risk

for which I can only select between: Skip, Copy to quarantine and Delete.

Wait for jeffce to analyze and come back to you before doing anything with the second finding.

Hi,

I know you already ran it but I need to see what is on it so that we can give you the correct instructions. Please run TDSSKiller according to the instructions that I provided and attach the log created.

Here is the TDSSKiller log. Things are getting better already I think.

I ran an Avast antivirus scan and it doesn't detect the Alureon-K virus anymore!

I must probably be free of it, is it possible? I thought it would be harder to remove it.

It’s nice to make progress! Jeffce will give the all clear when all elements of the infection are gone, and gone for good. He is so smart, he makes it look easy; but the same problem in the wrong hands can result in your computer becoming useless. If any file remnants are not completely removed, you could be back here once more with another infection, so…

Hi,

@mchain
Thanks for helping out here. The more eyes on a topic the better. :slight_smile:

@n3utraliz3r

Thanks for getting me that log. You still have an entry for that particular infection on your system. A good rule of thumb is to remember that the absence of symptoms does not necessarily mean the absence of the infection. :slight_smile:

Run TDSSKiller again.
When you get to this entry >> \Device\Harddisk0\DR0 ( TDSS File System ) delete it.
Then attach the new log made by TDSSKiller.

Hello again :slight_smile:

I ran TDSSKiller but it didn't detect any infection. It didn't find the entry \Device\Harddisk0\DR0 ( TDSS File System ).

Here's the latest log.

Hi,

That looked good. :slight_smile:

P2P - I see you have P2P software Limewire and uTorrent installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections and possibly Identity Theft. It likely contributed to your current situation.

Please note: Even if you are using a “safe” P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

I would strongly recommend that you uninstall these now. You can do so via Control Panel >> Programs and Features.

Please download ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. Remember, if you are using Windows Vista as your operating system, right-click the executable and Run as Administrator.

Run OTL.exe

- Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL


:Services

:OTL
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{D03B401A-3BA9-4BF2-938B-B6DC22683F91}: "URL" = http://www.tangosearch.com/?q={searchTerms}&a=SEARCH
IE - HKU\S-1-5-21-3970776676-1736875021-2570919691-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-3970776676-1736875021-2570919691-1000\..\SearchScopes\{D03B401A-3BA9-4BF2-938B-B6DC22683F91}: "URL" = http://www.tangosearch.com/?q={searchTerms}&a=SEARCH
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
O3 - HKU\S-1-5-21-3970776676-1736875021-2570919691-1000\..\Toolbar\WebBrowser: (Tango) - {7886FD7C-1E45-4964-AA75-03AEDC672844} - C:\Windows\SysWow64\e278.dll File not found
O4 - HKLM..\Run: [XCMsXSJotCWrp.exe] C:\ProgramData\XCMsXSJotCWrp.exe File not found
[2012-03-25 21:14:50 | 000,000,000 | ---D | C] -- C:\Users\Diana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[2012-03-25 22:20:47 | 000,000,440 | -H-- | M] () -- C:\ProgramData\gVmIvHA9CrTeXE
[2012-03-25 22:17:16 | 000,000,264 | -H-- | M] () -- C:\ProgramData\~gVmIvHA9CrTeXE
[2012-03-25 22:17:16 | 000,000,176 | -H-- | M] () -- C:\ProgramData\~gVmIvHA9CrTeXEr
[2012-03-25 21:14:50 | 000,000,677 | ---- | M] () -- C:\Users\Diana\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
[2012-03-25 21:14:50 | 000,000,653 | ---- | M] () -- C:\Users\Diana\Desktop\System Check.lnk
[2010-10-07 22:42:55 | 000,008,704 | ---- | C] () -- C:\Users\Diana\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[start explorer]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot when it is done
- Then run a new scan and attach a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
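The OTL fix list above is built by hand from entries that stand out in the scan log: registry entries whose target file no longer exists ("File not found"), a Run key launching a randomly named executable from C:\ProgramData, hidden files directly under ProgramData, and a browser search scope pointing somewhere other than the expected default. The script below is an added example, not code from the thread, from OTL or from Avast: it parses a handful of OTL-style lines (a constructed sample modelled on the entries posted here) and reports which triage rule each one trips, so a reader can see how a helper narrows a long log down to a fix list. The line formats, the allowlist of expected search hosts and the rules themselves are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field
from typing import List
from urllib.parse import urlparse

# Constructed sample: OTL-style lines modelled on the fix list posted in this
# thread (same entry shapes). Not an actual log from the infected machine.
SAMPLE_OTL = r"""
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{D03B401A-3BA9-4BF2-938B-B6DC22683F91}: "URL" = http://www.tangosearch.com/?q={searchTerms}&a=SEARCH
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
O3 - HKU\S-1-5-21-3970776676-1736875021-2570919691-1000\..\Toolbar\WebBrowser: (Tango) - {7886FD7C-1E45-4964-AA75-03AEDC672844} - C:\Windows\SysWow64\e278.dll File not found
O4 - HKLM..\Run: [XCMsXSJotCWrp.exe] C:\ProgramData\XCMsXSJotCWrp.exe File not found
[2012-03-25 22:20:47 | 000,000,440 | -H-- | M] () -- C:\ProgramData\gVmIvHA9CrTeXE
[2012-03-25 21:14:50 | 000,000,653 | ---- | M] () -- C:\Users\Diana\Desktop\System Check.lnk
"""

# Assumed allowlist: search-provider hosts treated as expected defaults.
EXPECTED_SEARCH_HOSTS = {"www.bing.com", "www.google.com"}

# Assumed line shapes: "IE - ...", "FF - ...", "O4 - ..." (optionally with a
# ":64bit:" tag) for registry entries, and "[date | size | attrs | C/M] () -- path"
# for file entries.
REG_LINE = re.compile(r"^(?P<kind>IE|FF|O\d+)(?::64bit:)? - (?P<rest>.+)$")
FILE_LINE = re.compile(
    r"^\[(?P<ts>[\d-]+ [\d:]+) \| (?P<size>[\d,]+) \| (?P<attrs>\S{4}) \| [CM]\] \(\) -- (?P<path>.+)$"
)
URL_VALUE = re.compile(r'"URL" = (?P<url>\S+)')


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def triage_registry(kind: str, rest: str) -> List[str]:
    """Rules for registry-style entries; returns the reasons a line is flagged."""
    reasons = []
    if rest.endswith("File not found"):
        reasons.append("orphaned: referenced file is missing")
    m = URL_VALUE.search(rest)
    if m:
        host = urlparse(m.group("url")).hostname or ""
        if host not in EXPECTED_SEARCH_HOSTS:
            reasons.append(f"search scope points to unexpected host {host}")
    if kind == "O4" and "\\ProgramData\\" in rest:
        reasons.append("autorun entry launching from ProgramData")
    return reasons


def triage_file(attrs: str, path: str) -> List[str]:
    """Rules for file entries; attrs is the 4-char attribute field (e.g. -H--)."""
    reasons = []
    hidden = attrs[1] == "H"
    lowered = path.lower()
    if hidden and lowered.startswith("c:\\programdata\\"):
        reasons.append("hidden file directly under ProgramData")
    if lowered.endswith(".lnk") and "system check" in lowered:
        reasons.append("shortcut matching the 'System Check' entries in the fix list")
    return reasons


def triage(text: str) -> List[Finding]:
    """Run every line through the rules and keep only the ones that trip a rule."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REG_LINE.match(line)
        if m:
            reasons = triage_registry(m.group("kind"), m.group("rest"))
        else:
            f = FILE_LINE.match(line)
            reasons = triage_file(f.group("attrs"), f.group("path")) if f else []
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_OTL):
        print(finding.line[:72] + ("..." if len(finding.line) > 72 else ""))
        for reason in finding.reasons:
            print("   -", reason)
```

Of the seven sample lines, the default Bing search scope is the only one that passes clean; the tangosearch scope, the two orphaned browser entries, the ProgramData autorun (which trips two rules), the hidden ProgramData file and the "System Check" shortcut are all reported, which is the same set the fix list targets.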

I'm not sure these last scans went very well. I had a few errors when I rebooted from the 1st scan.

But here are the OTL logs.

Hi,

Thanks for that log. Have you run OTL again to get a new scan? If so please post that as well.

Yes I did, but I think it was only those 2 scans ( I only have those 2 logs in the _OTL folder).