The Dreaded ALUREON-K rkt VIRUS ...grrrrrrr HELP!

Hello ANYONE who can help me! LOL! I’ve been battling this thing for 3 days now and it’s time to call in the big guns. I am not super knowledgeable about computers, but I can usually manage… however this time, I am stumped. I need help. My laptop is running super slow and I am having difficulty getting any programs to run. I am now using a different computer so I can receive emails. I have run MalwareBytes (on the infected laptop) and will include the log. I cannot download the aswmbr.exe file however. Not sure what to do next - Please help anyone that can. I will follow any advice or suggestion. Thanks so much in advance!!!

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.10.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Valued Customer :: VALUED-92BF5E73 [administrator]

4/13/2012 12:01:34 PM
mbam-log-2012-04-13 (12-01-34).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 231608
Time elapsed: 53 minute(s), 45 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\Documents and Settings\Valued Customer\Application Data\Avira\Avira\sgpeue.dll (Trojan.Agent.GMAGen) → Delete on reboot.

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Update (Trojan.Agent.GMAGen) → Data: rundll32.exe “C:\Documents and Settings\Valued Customer\Application Data\Avira\Avira\sgpeue.dll”,DllRegisterServer → Quarantined and deleted successfully.
HKU.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Update (Trojan.Agent.GMAGen) → Data: rundll32.exe “C:\Documents and Settings\Valued Customer\Application Data\Avira\Avira\sgpeue.dll”,DllRegisterServer → Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Documents and Settings\Valued Customer\Local Settings\Temp\0.5999004351177931 (Exploit.Drop.9) → Quarantined and deleted successfully.
C:\Documents and Settings\Valued Customer\Application Data\Avira\Avira\sgpeue.dll (Trojan.Agent.GMAGen) → Delete on reboot.

(end)
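The Malwarebytes log above shows the classic pattern worth recognising in any such log: a Run value (here under both HKCU and HKU\.DEFAULT) that starts rundll32.exe on a DLL sitting in the user's Application Data folder, plus entries marked "Delete on reboot" that must be re-checked after restarting. The following is an added example, not part of the original post and not Malwarebytes' own code: a small parser for the log layout shown above, run over a constructed sample that reuses the names from the post, and two checks a responder would want on the result. The field separator "->" and the list of user-writable path fragments are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the layout of the Malwarebytes 1.x log posted above.  It is
# not the poster's log; the names and paths are copied from that post only so the
# parser can be exercised offline.  Logs use "->" (or an arrow glyph) between fields.
SAMPLE_LOG = """\
Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\\Documents and Settings\\Valued Customer\\Application Data\\Avira\\Avira\\sgpeue.dll (Trojan.Agent.GMAGen) -> Delete on reboot.

Registry Values Detected: 2
HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run|Update (Trojan.Agent.GMAGen) -> Data: rundll32.exe "C:\\Documents and Settings\\Valued Customer\\Application Data\\Avira\\Avira\\sgpeue.dll",DllRegisterServer -> Quarantined and deleted successfully.
HKU\\.DEFAULT\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run|Update (Trojan.Agent.GMAGen) -> Data: rundll32.exe "C:\\Documents and Settings\\Valued Customer\\Application Data\\Avira\\Avira\\sgpeue.dll",DllRegisterServer -> Quarantined and deleted successfully.

Files Detected: 2
C:\\Documents and Settings\\Valued Customer\\Local Settings\\Temp\\0.5999004351177931 (Exploit.Drop.9) -> Quarantined and deleted successfully.
C:\\Documents and Settings\\Valued Customer\\Application Data\\Avira\\Avira\\sgpeue.dll (Trojan.Agent.GMAGen) -> Delete on reboot.
"""

@dataclass
class Detection:
    section: str          # e.g. "Registry Values"
    item: str             # registry key|value name, or a file path
    signature: str        # e.g. "Trojan.Agent.GMAGen"
    data: Optional[str]   # value data; only present for registry values
    action: str           # what the scanner did with the item

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+?) Detected: (?P<count>\d+)$")
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<sig>[^()]+)\) (?:->|→) (?P<rest>.+)$")
ARROW_RE = re.compile(r" (?:->|→) ")

def parse_mbam_log(text: str) -> List[Detection]:
    """Turn the 'X Detected: n' sections into Detection records."""
    section, out = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):      # blank or "(No malicious items detected)"
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = ENTRY_RE.match(line)
        if not m or section is None:
            continue
        parts = ARROW_RE.split(m.group("rest"))
        data = None
        if parts[0].startswith("Data: "):         # registry values carry their data first
            data = parts[0][len("Data: "):]
            parts = parts[1:]
        out.append(Detection(section, m.group("item"), m.group("sig"), data, parts[-1]))
    return out

# rundll32 <dll>,<export> launcher; the DLL living in a per-user folder is the tell.
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\w+)', re.I)
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")  # assumption: XP-era profile layout

def rundll32_autoruns(detections: List[Detection]) -> List[Tuple[str, str, str, str]]:
    """Run-key values that load a DLL from a user-writable folder via rundll32."""
    hits = []
    for d in detections:
        if d.section != "Registry Values" or not d.data:
            continue
        key, _, value_name = d.item.rpartition("|")
        if "\\currentversion\\run" not in key.lower():
            continue
        m = RUNDLL_RE.match(d.data)
        if m and any(frag in m.group("dll").lower() for frag in USER_WRITABLE):
            hits.append((key, value_name, m.group("dll"), m.group("export")))
    return hits

def pending_reboot(detections: List[Detection]) -> List[str]:
    """Items the scanner could not remove live; confirm they are gone after the reboot."""
    return sorted({d.item for d in detections if d.action.lower().startswith("delete on reboot")})

if __name__ == "__main__":
    dets = parse_mbam_log(SAMPLE_LOG)
    for key, name, dll, export in rundll32_autoruns(dets):
        print(f"autorun {key}\\{name} -> {dll} ({export})")
    for item in pending_reboot(dets):
        print(f"verify after reboot: {item}")
```

The two Run values point at the same DLL, so a single file removal on reboot should clear both; if either Run value reappears afterwards, something else on the box is re-creating it and the scan result alone is not the whole story.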

Oops forgot to mention - I could not get TDSS Killer to open in Safe Mode or normal mode either! Really at a loss :frowning:

Are you able to run OTL and attach the log?

Thank you sooooo much for responding! Yes I just completed the scan - see the attached log.

Essexboy is in bed now… So I guess you won't see any of the removal experts until tomorrow

Hi,

Let’s take a look and see what we have

In the run box type the following

diskmgmt.msc

When Disk Management opens, expand it so that all drives are visible
Take a screenshot and post it here

Are you able to burn a CD on another computer ?

OK, took me an hour to get diskmgmt to work, but I got it finally. And yes I can burn CDs. Thank you!

Hi,

I need you to download:
gparted-live-0.10.0-3.iso (115.1 MB)

Create a bootable CD, for Gparted from the ISO image.

You can use ImgBurn to do this.

Now boot off of the newly created Gparted CD.

http://img829.imageshack.us/img829/5772/gpartedsplash.th.png

You should be here… Press ENTER

http://img5.imageshack.us/img5/7286/gpartedkeymaps.th.png

By default, “do not touch keymap” is highlighted.
Leave this setting alone and just press ENTER.

http://img404.imageshack.us/img404/9840/gpartedlanguage.th.png

Choose your language and press ENTER. English is default [33]

http://img140.imageshack.us/img140/7958/gpartedgui.th.png

Once again, at this prompt, press ENTER
You will now be taken to the main GUI screen below

http://img32.imageshack.us/img32/1122/gpartedo.th.png

According to your logs, the partition that you want to delete is 1 MB

Click the trash can icon to delete and then click Apply.

You should now be here confirming your actions:

http://img233.imageshack.us/img233/1533/gpartedsteps.th.png

Now you should be here:

http://img696.imageshack.us/img696/8471/gpartedsuccessclose.th.png

http://img194.imageshack.us/img194/7753/gpartedboot.th.png

Is “boot” next to your OS drive?
If “boot” is not next to your OS drive under “Flags”, right-mouse click the OS drive while in Gparted and select Manage Flags

In the menu that pops up, place a checkmark in boot like the picture below:

http://img196.imageshack.us/img196/3483/gpartedmanageflagsboot.th.png

Now double-click the
http://img822.imageshack.us/img822/641/gpartedexit.png
button.

You should receive a small pop up like this:

http://img88.imageshack.us/img88/8986/gpartedexitreboot.png

Choose reboot and then press OK.
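What the GParted steps above do by hand is edit the disk's MBR partition table: remove the extra 1 MB partition and make sure the boot flag sits on the Windows partition. The following is an added example, not part of the thread and not GParted's or any removal tool's code, showing the same two checks and the same fix performed on a raw 512-byte MBR image. The image is constructed for the example (a large NTFS entry with no boot flag followed by a 1 MiB entry that carries it); the partition type byte 0x17 used for the small entry, the "largest partition is the OS partition" rule and the 8 MiB "tiny" threshold are assumptions of the example, not facts from the thread.

```python
import struct

SECTOR = 512
MIB = 1024 * 1024
TABLE_OFFSET = 446          # the four 16-byte partition entries start here
ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count

def build_sample_mbr() -> bytes:
    """Constructed 512-byte MBR for the example; not an image of the poster's disk.

    Entry 1: NTFS (0x07) volume of ~111 GiB, boot flag NOT set.
    Entry 2: 1 MiB entry right after it, boot flag set; type 0x17 is an assumption.
    Entries 3-4: unused.
    """
    os_start, os_sectors = 63, 234_436_545
    entries = [
        (0x00, 0x07, os_start, os_sectors),
        (0x80, 0x17, os_start + os_sectors, MIB // SECTOR),
        (0x00, 0x00, 0, 0),
        (0x00, 0x00, 0, 0),
    ]
    table = b"".join(struct.pack(ENTRY_FMT, st, b"\0\0\0", pt, b"\0\0\0", lba, cnt)
                     for st, pt, lba, cnt in entries)
    return b"\0" * TABLE_OFFSET + table + b"\x55\xaa"

def parse_mbr(mbr: bytes) -> list:
    """Decode the non-empty partition entries of an MBR sector."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR (wrong length or missing 0x55AA signature)")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, _chs1, ptype, _chs2, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0 or count == 0:
            continue
        parts.append({"index": i + 1, "active": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count, "size_mib": count * SECTOR / MIB})
    return parts

def audit_partitions(parts: list, small_mib: float = 8) -> list:
    """Findings in the spirit of the thread: tiny partitions and a misplaced boot flag."""
    if not parts:
        return ["no partitions defined"]
    largest = max(parts, key=lambda p: p["sectors"])   # assumption: the OS lives here
    findings = []
    for p in parts:
        if p["size_mib"] <= small_mib:
            findings.append(f"partition {p['index']} is only {p['size_mib']:.0f} MiB (type 0x{p['type']:02x})")
        if p["active"] and p is not largest:
            findings.append(f"boot flag is on partition {p['index']}, not on the largest partition {largest['index']}")
    if not largest["active"]:
        findings.append(f"largest partition {largest['index']} has no boot flag; set it before rebooting")
    return findings

def fix_mbr(mbr: bytes, small_mib: float = 8) -> bytes:
    """Zero out tiny entries and move the boot flag to the largest partition.
    Returns a new 512-byte image; boot code and signature are left untouched."""
    buf = bytearray(mbr)
    parts = parse_mbr(mbr)
    largest = max(parts, key=lambda p: p["sectors"])
    for p in parts:
        off = TABLE_OFFSET + 16 * (p["index"] - 1)
        if p["size_mib"] <= small_mib:
            buf[off:off + 16] = b"\0" * 16
        else:
            buf[off] = 0x80 if p is largest else 0x00
    return bytes(buf)

if __name__ == "__main__":
    before = parse_mbr(build_sample_mbr())
    for f in audit_partitions(before):
        print("finding:", f)
    after = parse_mbr(fix_mbr(build_sample_mbr()))
    print("after fix:", audit_partitions(after) or "clean")
```

Note that this only touches the partition table. An MBR bootkit also replaces the 446 bytes of boot code that precede it, which is why the thread goes on to run aswMBR and ComboFix rather than stopping at the partition deletion.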

Thanks Jeff!
I made the disk ahead of time while I was reading other posts with this issue. I have now completed the boot from the disk, removal of the 1 MB and now have rebooted. :slight_smile: Ready for the next step

Hi,

Great Job!! Be careful though with what you review on other logs and applying it to your own system. Those instructions are just meant for those people, just like the instructions I give you are only meant for you. :slight_smile:

Go ahead and give aswMBR a shot and see if it will run and produce a log. If the log is made, attach it to your next reply.

Thanks Jeff! I totally understand and won’t do anything without your approval! I greatly appreciate the help! I hope you get paid for helping people with this crap! LOL! Anyways, that darn aswMBR took 2 1/2 hours to run - dear lord I hope that’s the last scan I have to perform that takes that long! JEEZ!! Told ya my laptop is running slllllooooowww. I attached the aswMBR log - thanks again :-*

Hi,

Good job getting those instructions run. :slight_smile:

Please read through these instructions to familiarize yourself with what to expect when this tool runs.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RCUpdate1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1.Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer’s settings, including making IE the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
4. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
5. If after the reboot you get errors about programs being marked for deletion then reboot, that will cure it.

Alright, got that completed and have the ComboFix log attached. Thank you!

Hi,

[*]Please open Notepad (Start → Run → type notepad in the Open field → OK) and copy and paste the text present inside the code box below:


ClearJavaCache::

Folder::
c:\documents and settings\Valued Customer\.frostwire5
c:\program files\FrostWire 5
c:\program files\Ask.com

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=-

[*]Save this as CFScript.txt and change the “Save as type” to “All Files” and place it on your desktop.

http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif

[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
[*]ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
[*]When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.

I think I performed that step correctly - here’s the log :slight_smile:

Hi,

Seems that worked well. :slight_smile:

Malwarebytes

I see that you have Malwarebytes already on your computer. Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

[*]Please go here then click on:
http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS1.gif

[*]Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
[*]Select the option YES, I accept the Terms of Use then click on:
http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif

[*]When prompted allow the Add-On/Active X to install.
[*]Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
[*]Now click on Advanced Settings and select the following:

[*]Scan for potentially unwanted applications
[*]Scan for potentially unsafe applications
[*]Enable Anti-Stealth Technology

[*]Now click on:
http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif

[*]The virus signature database… will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
[*]When completed the Online Scan will begin automatically.
[*]Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
[*]When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
[*]Now click on:
http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS4.gif

[*]Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
[*]Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

In your next reply please attach the logs made by Malwarebytes and ESET online scanner. :slight_smile:

Completed Malwarebytes scan and ESET scan - logs attached. :slight_smile:

Hi,

[*]Please open Notepad (Start → Run → type notepad in the Open field → OK) and copy and paste the text present inside the code box below:


ClearJavaCache::

File::
C:\Program Files\RegistryFix8\RegFix8.exe
C:\Program Files\RegistryFix8\UninstlDll.dll

[*]Save this as CFScript.txt and change the “Save as type” to “All Files” and place it on your desktop.

http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif

[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
[*]ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
[*]When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.

In your next reply please attach the ComboFix log and let me know how your system is running. :slight_smile:
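Both CFScript files in this thread use the same small directive language: a `Folder::` or `File::` section lists paths to delete, `ClearJavaCache::` stands alone, and the `Registry::` section follows .reg-file conventions, where `[-KEY]` deletes a whole key, `[KEY]` selects a key, and a following `"name"=-` deletes that value under it. Before dragging such a script onto ComboFix it is worth knowing exactly what it will remove; the first script above, for instance, lists four of its HKEY_CLASSES_ROOT deletions twice, and its last two lines remove a firewall exception for 3389/TCP (Remote Desktop). The following is an added example, not part of the thread and not ComboFix's own (closed-source) parser: a reader for that syntax, run over a constructed script that mixes lines from both scripts above, with the duplicate deliberately left in. The action names and the `set_value` case are choices of the example.

```python
import re
from typing import List, Tuple

# Constructed CFScript text in the layout of the two scripts posted above.  It is
# neither script verbatim; the duplicated clsid line is kept on purpose.
SAMPLE_SCRIPT = r"""
ClearJavaCache::

Folder::
c:\program files\Ask.com

File::
C:\Program Files\RegistryFix8\RegFix8.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=-
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")              # [KEY] selects, [-KEY] deletes
VALUE_RE = re.compile(r'^"(.*)"=(-|".*")$')        # "name"=- deletes, "name"="x" sets

Action = Tuple[str, str]

def parse_cfscript(text: str) -> List[Action]:
    """Return the de-duplicated list of (action, target) pairs the script asks for."""
    actions: List[Action] = []
    seen = set()

    def add(action: Action) -> None:
        if action not in seen:          # repeated lines are harmless but worth collapsing
            seen.add(action)
            actions.append(action)

    section, current_key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current_key = m.group(1), None
            if section == "ClearJavaCache":
                add(("clear_java_cache", ""))
            continue
        if section in ("File", "Folder"):
            add((f"delete_{section.lower()}", line))
        elif section == "Registry":
            m = KEY_RE.match(line)
            if m:
                if m.group(1) == "-":
                    add(("delete_key", m.group(2)))
                    current_key = None
                else:
                    current_key = m.group(2)   # subsequent value lines apply here
                continue
            m = VALUE_RE.match(line)
            if not (m and current_key):
                raise ValueError(f"unparsed Registry line: {line!r}")
            target = f"{current_key}\\{m.group(1)}"
            if m.group(2) == "-":
                add(("delete_value", target))
            else:
                add(("set_value", f"{target}={m.group(2)}"))
        else:
            raise ValueError(f"line outside a known section: {line!r}")
    return actions

def firewall_ports_closed(actions: List[Action]) -> List[str]:
    """Firewall 'GloballyOpenPorts' exceptions the script removes, e.g. '3389:TCP'."""
    closed = []
    for action, target in actions:
        key, _, name = target.rpartition("\\")
        if action == "delete_value" and key.lower().endswith("globallyopenports\\list"):
            closed.append(name)
    return closed

if __name__ == "__main__":
    acts = parse_cfscript(SAMPLE_SCRIPT)
    for action, target in acts:
        print(f"{action:16} {target}")
    print("firewall exceptions removed:", firewall_ports_closed(acts))
```

Reading the script this way before running it turns "paste the code box and drag it onto ComboFix" into a reviewable change list; the firewall line in particular is one a user should understand, since it closes inbound Remote Desktop on the XP firewall.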

Things are running much faster now on my computer. I still can’t access some pictures and files, but majority of things seem to be ok. I attached the combofix log as well. I really appreciate all your help Jeff! You’re a godsend! :slight_smile:

Hi,

The ComboFix log looks good. I noticed that you have some remnants of Avira on your system? Did you used to have that?

Please open OTL.

[*]Make sure all other windows are closed and to let it run uninterrupted.
[*]When the window appears, click the None button near the top (it may look greyed out)
[*]In the Extra Registry section change it to All
[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open 2 notepad windows, OTL.Txt and Extra.txt. Please post the Extra.txt.