MBR:Alureon-L [Rtk]

Hi!

I was searching on the web for any solution to remove the Alureon-L virus (MBR), but I was not able to do it alone.

No viruses detected with Malwarebytes and Avast! (virus detected with Startup analysis, see aswBoot.tst attached)

Could anyone help me, please?

Thank you very much in advance.

Gemma

NB: It is not possible to run aswMBR.exe or TDSSKiller.exe on my computer.

More logs…

A malware removal specialist has been informed of your topic.

Great!

Thanks DavidR

Thanks for all the logs ;D

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;127.0.0.1:9421;<local>
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;127.0.0.1:9421;<local>
IE - HKU\S-1-5-21-3927925257-714619915-3580257784-1001\..\SearchScopes\{B5B86DFA-62C9-4FF6-9498-729DAA49D455}: "URL" = http://www.zinio.com/search/index.jsp?s={searchTerms}&rf=sonyie8search
[2012/10/06 15:39:25 | 000,006,522 | ---- | M] () -- C:\Users\gmulachs\AppData\Roaming\mozilla\firefox\profiles\j7zymhuw.default\searchplugins\bProtect.xml
[2012/06/27 20:27:34 | 000,003,998 | ---- | M] () -- C:\Users\gmulachs\AppData\Roaming\mozilla\firefox\profiles\j7zymhuw.default\searchplugins\sweetim.xml

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download the latest version of TDSSKiller from here and save it to your Desktop.

[*]Double-click on TDSSKiller.exe to run the application

https://dl.dropbox.com/u/73555776/tdss%20start.JPG

[*]Then click on Change parameters.

https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG

[*]Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

[*]Click the Start Scan button.

[*]If a suspicious object is detected, the default action will be Skip, click on Continue.

https://dl.dropbox.com/u/73555776/tdss%20threat.JPG

[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

[*]Get the report by selecting Reports

https://dl.dropbox.com/u/73555776/tdss%20report.JPG

[*]Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please attach the log at C:\TDSSKiller date time in your next reply.

Thanks essexboy for your help.

Find attached the file result of OTL fix and log file of OTL Scan.

The problem is that I am not able to run TDSSKiller :-[.

Regards,

Gemma

OK, that narrows it down. Could you restart your computer and press and hold F8 to get to the safe mode menu?
On the menu, is there the option "Repair my Computer"?
If selected, does it run?

Do you also have listparts on a USB stick, or could you put it on there, as we will need to work outside of Windows?

Hi!

"Repair my computer" doesn't work. My computer is blocked trying to load files ("Windows is loading files…" screen) :(.

Yes, I have listparts on a USB stick, and I could put it on there, as we will need to work outside of Windows ;).

Download the following three programmes to your desktop :

  1. WiNTBootIc
  2. Windows 7 64bit RC
  3. ListParts64

Extract wintoboot to your desktop
Insert a USB drive of at least 1GB
Run Wintoboot

http://dl.dropbox.com/u/73555776/wintoboot.JPG

Drag and drop the Windows 7 ISO to the programme in the space indicated
Tick the Format box and accept the warnings
Press Do It

You will see it progressing

http://dl.dropbox.com/u/73555776/usb%20progress.JPG

It will let you know when it is done
Then copy Listparts to the same USB

http://dl.dropbox.com/u/73555776/frstwintoboot.JPG

Insert the USB into the sick computer and start the computer, first ensuring that the system is set to boot from USB.
Note: If you are not sure how to do that, follow the instructions Here

When you reboot you will see this, although yours will say Windows 7.
Click Repair my computer

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7275.jpg

Select your operating system

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277202.jpg

Select Command prompt

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277.jpg

At the command prompt type the following :

notepad and press Enter.
Notepad opens. Under the File menu select Open.
Select "Computer", find your flash drive letter, and close Notepad.
In the command window type e:\Listparts64.exe and press Enter
Note: Replace the letter e with the drive letter of your flash drive.
The tool will start to run.

https://dl.dropbox.com/u/73555776/listparts.GIF

Press Scan button.
It will make a log (results.txt) on the flash drive. Please copy and paste it to your reply.

Hi essexboy, here you are log files:

  1. Without BCD list (Result.txt)

  2. With BCD list option selected (Result_BCD.txt)

Thanks!

Sorry, you said copy and paste :slight_smile:

Percentage of memory in use: 12%
Total physical RAM: 3950.1 MB
Available physical RAM: 3462.75 MB
Total Pagefile: 3948.25 MB
Available Pagefile: 3441.22 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (Datos) (Fixed) (Total:224.29 GB) (Free:192.79 GB) NTFS
3 Drive e: () (Fixed) (Total:230.52 GB) (Free:72.92 GB) NTFS
4 Drive f: (Recovery) (Fixed) (Total:10.84 GB) (Free:0.81 GB) NTFS ==>[System with boot components (obtained from reading drive)]
6 Drive h: () (Removable) (Total:1.91 GB) (Free:1.71 GB) NTFS
7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt


Disk 0 Online 465 GB 9 MB
Disk 1 Online 1955 MB 0 B

Partitions of Disk 0:

Partition ### Type Size Offset


Partition 1 Recovery 10 GB 1024 KB
Partition 2 Primary 100 MB 10 GB
Partition 3 Primary 230 GB 10 GB
Partition 0 Extended 224 GB 241 GB
Partition 4 Logical 224 GB 241 GB

======================================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info


  • Volume 4 F Recovery NTFS Partition 10 GB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info


  • Volume 1 C System Rese NTFS Partition 100 MB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info


  • Volume 2 E NTFS Partition 230 GB Healthy

======================================================================================================

Disk: 0
Partition 4
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info


  • Volume 3 D Datos NTFS Partition 224 GB Healthy

======================================================================================================

Partitions of Disk 1:

Partition ### Type Size Offset


Partition 1 Primary 1955 MB 16 KB

======================================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info


  • Volume 5 H NTFS Removable 1955 MB Healthy

======================================================================================================

TDL4: custom:26000022

****** End Of Log ******

Intriguing: the initial listparts log showed a possible infected partition, but now it does not.

Restart the recovery console please and select Command prompt.
At the command prompt type the following, pressing Enter after each line:

bootrec /fixmbr
bootrec /fixboot

Reboot to normal Windows and run TDSSKiller again please.

I am very sorry, but after the last operation (bootrec) I cannot start my computer (neither restoring nor normal) :o :'(.

Maybe I could restore my system from an image (that I suppose is infected). Do you have a better solution?

From the safe mode menu select Startup Repair please and let me know if that works.

Trying to restore…

Did you try Startup Repair? This looks to be a new variant, so it may not be on your backup.

It doesn't work, it's impossible to start the computer :'( :'( :cry:

I was able to restore, but I can't start Windows.

From the recovery console could you run listparts again please and post the log?

Here you are:

ListParts by Farbar Version: 30-10-2012
Ran by SYSTEM (administrator) on 16-12-2012 at 19:37:40
Windows 7 (X64)
Running From: H:
Language: 0C0A


========================= Memory info ======================

Percentage of memory in use: 11%
Total physical RAM: 3950.1 MB
Available physical RAM: 3483.59 MB
Total Pagefile: 3948.25 MB
Available Pagefile: 3459.97 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (Datos) (Fixed) (Total:224.29 GB) (Free:192.79 GB) NTFS
3 Drive e: () (Fixed) (Total:230.52 GB) (Free:73.24 GB) NTFS
4 Drive f: (Recovery) (Fixed) (Total:10.84 GB) (Free:0.81 GB) NTFS ==>[System with boot components (obtained from reading drive)]
6 Drive h: () (Removable) (Total:1.91 GB) (Free:1.71 GB) NTFS
7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Núm Disco Estado Tamaño Disp Din Gpt


Disco 0 En línea 465 GB 9 MB
Disco 1 En línea 1955 MB 0 B

Partitions of Disk 0:

Núm Partición Tipo Tamaño Desplazamiento


Partición 1 Recuperación 10 GB 1024 KB
Partición 2 Principal 100 MB 10 GB
Partición 3 Principal 230 GB 10 GB
Partición 0 Extendido 224 GB 241 GB
Partición 4 Lógico 224 GB 241 GB

======================================================================================================

Disk: 0
Partición 1
Tipo : 27
Oculta : Sí
Activa : No

Núm Volumen Ltr Etiqueta Fs Tipo Tamaño Estado Info


  • Volumen 4 F Recovery NTFS Partición 10 GB Correcto Oculto

======================================================================================================

Disk: 0
Partición 2
Tipo : 07
Oculta : No
Activa : Sí

Núm Volumen Ltr Etiqueta Fs Tipo Tamaño Estado Info


  • Volumen 1 C System Res NTFS Partición 100 MB Correcto

======================================================================================================

Disk: 0
Partición 3
Tipo : 07
Oculta : No
Activa : No

Núm Volumen Ltr Etiqueta Fs Tipo Tamaño Estado Info


  • Volumen 2 E NTFS Partición 230 GB Correcto

======================================================================================================

Disk: 0
Partición 4
Tipo : 07
Oculta : No
Activa : No

Núm Volumen Ltr Etiqueta Fs Tipo Tamaño Estado Info


  • Volumen 3 D Datos NTFS Partición 224 GB Correcto

======================================================================================================

Partitions of Disk 1:

Núm Partición Tipo Tamaño Desplazamiento


Partición 1 Principal 1955 MB 16 KB

======================================================================================================

Disk: 1
Partición 1
Tipo : 07
Oculta : No
Activa : Sí

Núm Volumen Ltr Etiqueta Fs Tipo Tamaño Estado Info


  • Volumen 5 H NTFS Extraíble 1955 MB Correcto

======================================================================================================

TDL4: custom:26000022

****** End Of Log ******
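The two ListParts logs in this thread carry the same few indicators a responder reads first: the "TDL4:" marker line, which volume the BCD names as the boot drive versus which volume the tool found boot components on by reading the disk, and the Type/Hidden/Active flags of each partition. The parser below is an added example written for this thread; it is not code from the forum posts, from Farbar's ListParts, or from Avast. It assumes the log layout seen above (the "Drive x:" lines of the Partitions section, the per-partition "Disk: N" / "Partition N" / "Type :" / "Hidden:" / "Active:" blocks in either the English or the Spanish-locale wording as posted, and the trailing "TDL4:" line), and the sample logs are constructed from values in the thread. The checks in assess() are this example's own heuristics, not ListParts logic: they point a reader at what to verify by hand before running bootrec, they do not decide that a disk is infected.

```python
"""Parse Farbar ListParts output and list boot-sector indicators to review.

Added example for this thread (not ListParts or forum code). Assumes the
log layout posted above; sample logs are constructed from the thread's
values and the checks in assess() are this example's own heuristics.
"""
import re

# Drive lines of the "Partitions" section, e.g.
# "1 Drive c: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[...]"
DRIVE_RE = re.compile(
    r"^\d+ Drive (?P<letter>[a-z]): \((?P<label>[^)]*)\) \((?P<kind>Fixed|Removable)\) "
    r"\(Total:(?P<total>[\d.]+) GB\) \(Free:(?P<free>[\d.]+) GB\) (?P<fs>\w+)"
    r"(?: ==>\[(?P<note>.*)\])?$"
)
# Per-partition blocks; "Partici.n"/"Tipo"/"Oculta"/"Activa" cover the
# Spanish-locale output (including the mis-encoded form) seen in the thread.
DISK_RE = re.compile(r"^Disk: (\d+)$")
PART_RE = re.compile(r"^(?:Partition|Partici.n) (\d+)$")
TYPE_RE = re.compile(r"^(?:Type|Tipo) ?: ([0-9A-Fa-f]{2})$")
HIDDEN_RE = re.compile(r"^(?:Hidden|Oculta) ?: (\S+)$")
ACTIVE_RE = re.compile(r"^(?:Active|Activa) ?: (\S+)$")
TDL4_RE = re.compile(r"^TDL4: (.+)$")

YES = {"yes", "sí", "si", "s¡"}          # English, Spanish, and mojibake "Sí"
WINRE_TYPE = 0x27                        # hidden NTFS / Windows RE: hidden is normal


def _yes(token: str) -> bool:
    return token.strip().lower() in YES


def parse_listparts(text: str) -> dict:
    """Return drive lines, partition blocks and the TDL4 marker (None if absent)."""
    drives, partitions, tdl4 = [], [], None
    disk, part = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := DRIVE_RE.match(line):
            drives.append({"letter": m["letter"], "label": m["label"],
                           "fs": m["fs"], "note": m["note"] or ""})
        elif m := DISK_RE.match(line):
            disk, part = int(m.group(1)), None      # a new "Disk: N" block starts
        elif disk is not None and (m := PART_RE.match(line)):
            part = {"disk": disk, "number": int(m.group(1)),
                    "type": None, "hidden": False, "active": False}
            partitions.append(part)
        elif part and (m := TYPE_RE.match(line)):
            part["type"] = int(m.group(1), 16)      # MBR partition type byte
        elif part and (m := HIDDEN_RE.match(line)):
            part["hidden"] = _yes(m.group(1))
        elif part and (m := ACTIVE_RE.match(line)):
            part["active"] = _yes(m.group(1))
        elif m := TDL4_RE.match(line):
            tdl4 = m.group(1)
    return {"drives": drives, "partitions": partitions, "tdl4": tdl4}


def assess(parsed: dict) -> list:
    """Heuristic findings (this example's own rules) for a responder to verify by hand."""
    findings = []
    if parsed["tdl4"]:
        findings.append(f"ListParts reported a TDL4 marker: {parsed['tdl4']}")
    bcd = {d["letter"] for d in parsed["drives"] if "BCD" in d["note"]}
    read = {d["letter"] for d in parsed["drives"] if "reading drive" in d["note"]}
    if bcd and read and bcd != read:
        findings.append(f"BCD names {sorted(bcd)} as the boot volume but boot components "
                        f"were read from {sorted(read)}; verify the boot path before repairing")
    for p in parsed["partitions"]:
        if p["hidden"] and p["type"] not in (WINRE_TYPE, None):
            findings.append(f"disk {p['disk']} partition {p['number']} is hidden with "
                            f"unexpected type 0x{p['type']:02X}")
    for disk in sorted({p["disk"] for p in parsed["partitions"]}):
        active = [p["number"] for p in parsed["partitions"] if p["disk"] == disk and p["active"]]
        if len(active) != 1:
            findings.append(f"disk {disk} has {len(active)} active partitions (expected 1)")
    return findings


# Constructed sample, reduced from the first log in the thread.
SAMPLE_LOG = """\
======================= Partitions =========================

1 Drive c: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
3 Drive e: () (Fixed) (Total:230.52 GB) (Free:72.92 GB) NTFS
4 Drive f: (Recovery) (Fixed) (Total:10.84 GB) (Free:0.81 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

TDL4: custom:26000022

****** End Of Log ******
"""

# Constructed sample in the Spanish-locale wording of the second log.
SAMPLE_LOG_ES = """\
Disk: 0
Partición 1
Tipo : 27
Oculta : Sí
Activa : No

Disk: 0
Partición 2
Tipo : 07
Oculta : No
Activa : Sí
"""

if __name__ == "__main__":
    for finding in assess(parse_listparts(SAMPLE_LOG)):
        print("-", finding)
```

On the constructed sample this reports two items: the TDL4 marker, and the disagreement between the volume the BCD names (c:) and the volume the tool read boot components from (f:). The hidden type 0x27 recovery partition is deliberately not reported, since a hidden WinRE partition is the normal OEM layout; flagging it would only add noise to what a responder has to check.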