Solved

can't remove alureon.a infection

Posted on 2010-11-18
21
1,458 Views
Last Modified: 2013-11-22
I have a machine running Windows XP SP3. It recently had a pretty serious virus infection. I used ComboFix, Malwarebytes, HijackThis and Microsoft Security Essentials to remove the infections. Now, when I run ComboFix it scans clean, Malwarebytes (full scan) runs clean, and HijackThis shows no errors. HOWEVER, when I run Microsoft Security Essentials, I get an infection called: "Trojan: DOS/Alureon.A". Microsoft Security Essentials is not able to remove it. I've rerun ComboFix and Malwarebytes, neither finds or removes it. Please help me remove this. The computer definitely acts strange (MS Word closes without warning sometimes) so I do think it's a real infection that Microsoft Security Essentials is finding.
0
Question by:mattbiel
21 Comments
 
LVL 12

Expert Comment

by:udaya kumar laligondla
ID: 34170491
0
 
LVL 10

Assisted Solution

by:Fayaz
Fayaz earned 100 total points
ID: 34170541
Download Dr.Web CureIt! (free) and scan the machine in Safe Mode.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 34170611
How to remove malware belonging to the family Rootkit.Win32.TDSS ...
http://support.kaspersky.com/viruses/solutions?qid=208280684
0
 
LVL 6

Expert Comment

by:Kris Montgomery
ID: 34170670
If you ever have any malware, here are the best step-by-step guides and information on combating malware yourself.
http://www.geekstogo.com/forum/topic/2852-malware-and-spyware-cleaning-guide/

However, at this time, you can go to http://www.LivePCSupport.com.  Comodo Live Support is free for 60 days and an actual virus removal specialist will remove any malware you have for free.

Thanks!

mug
0
 

Author Comment

by:mattbiel
ID: 34170679
Thanks, I'm running Dr Web cureit right now, full scan from safe mode.

If that doesn't work and I have to try the fixmbr route, I'm nervous about that.  I can just boot into recovery console and then type "fixmbr" and press enter and it will do it?  Are there risks involved with this?  Sounds kind of risky.
0
 
LVL 6

Expert Comment

by:Kris Montgomery
ID: 34170723
Yes, the main risk with using fixmbr is that an error could occur that would stop your computer from booting at all.  This can be remedied, but not easily.  My suggestion would be to back up your data first and create a full system image if at all possible before running fixmbr.

Thanks.

mug
0
 
LVL 6

Expert Comment

by:Kris Montgomery
ID: 34170745
Here is a boot sector removal tool from Avira...  http://www.avira.com/en/support-download-antivir-boot-sector-repair-tool

Thanks!

mug
0
 
LVL 22

Expert Comment

by:orangutang
ID: 34170773
0
 
LVL 92

Accepted Solution

by:
nobus earned 400 total points
ID: 34170975
0
 

Author Comment

by:mattbiel
ID: 34171592
Dr.Web found it. BackDoor.Tdss.4005 is the status, "MBR_HardDisk0.mbr" is the object. It could not cure it so it moved it. The path is c:\Qoobox\quarantine. Will I still need to do a fixmbr after this scan is done? (It's still scanning, 4 hours in so far.)
0
 
LVL 92

Expert Comment

by:nobus
ID: 34172000
That depends on whether the MBR is infected or not.
0
 

Author Comment

by:mattbiel
ID: 34172317
So Dr.Web finished and, like I said, it found it, but it couldn't remove it. It's in the MBR. I booted to Recovery Console, selected the C drive, and then typed in fixmbr and pressed enter. I got a warning that my table was non-standard or something and if I continued I may lose access to the drive and I probably should not continue. So I said "no" and exited. Is this warning standard or what? I'm gonna do an image of the hard drive before I continue, but that's gonna take a few days. I'll keep you guys posted.
0
 
LVL 92

Expert Comment

by:nobus
ID: 34173780
Did you use the fix I posted, or not?
0
 

Author Comment

by:mattbiel
ID: 34178129
Yes, the fix you posted was to boot to Recovery Console and do fixmbr and then fixboot. I posted above what happened when I did fixmbr... an ominous warning message, so I said "no" when it asked me if I was sure. Now I'm gonna do an image of the HDD first.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 34178347
"Dr. Web found it. BackDoor.Tdss.4005"

Did you try the tool I referenced above?

"How to remove malware belonging to the family Rootkit.Win32.TDSS ...
http://support.kaspersky.com/viruses/solutions?qid=208280684"

Specifically designed to remove this family of threats.....
0
 
LVL 6

Expert Comment

by:Kris Montgomery
ID: 34178627
0
 
LVL 30

Expert Comment

by:Sudeep Sharma
ID: 34192882
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 34193731
@SSharma....

TDSSKiller has previously been suggested.....
0
 

Author Comment

by:mattbiel
ID: 34202328
OK so I have resolution.  If anyone else is trying to remove this virus, forget about doing anything UNTIL you do the MBR.  I tried every scanner, every option out there, but this dang thing would not go away until I did the MBR.  Once I did it, I then used Dr. Web Cureit and it scanned clean, and now all is good.  

For safety precautions I had to image the hard drive first, which is why it took me so long to get a resolution.  Thanks everyone!  I'm also accepting Dr.Web Cureit as a partial solution because I think it's the best scanner I've seen, even better than Malwarebytes or Combofix.  
0
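The two author comments above turn on what is actually in the first sector of the disk: fixmbr warned about a "non-standard" partition table, and the infection only went away once the MBR itself was rewritten. As an added example (not code from this thread or from any of the tools named in it), the script below audits a 512-byte MBR image the way a responder would before and after such a repair: it checks the 0x55AA boot signature, decodes the four partition entries and flags overlapping or doubly-active entries (the kind of layout a repair tool objects to), and compares a SHA-256 of the 440-byte boot code region against a baseline recorded from a known-clean build, which is how a bootkit that overwrites the boot code while leaving the partition table intact shows up. The MBR images, the placeholder boot code and the baseline hash are all constructed inline so the script runs offline; reading the real sector from a disk is left to whatever imaging tool you already use.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional

SECTOR = 512
BOOT_CODE_LEN = 440      # classic MBR: boot code occupies bytes 0..439
PART_TABLE_OFF = 446     # four 16-byte partition entries start here
BOOT_SIG = b"\x55\xAA"   # bytes 510..511
ENTRY_FMT = "<B3BB3BII"  # status, CHS start, type, CHS end, LBA start, sector count


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:
        return self.lba_start + self.sectors - 1


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the non-empty primary partition entries of a classic MBR."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, _, _, ptype, _, _, _, lba, count = struct.unpack_from(ENTRY_FMT, mbr, off)
        if ptype == 0:
            continue  # empty slot
        parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return parts


def audit_mbr(mbr: bytes, baseline_bootcode_sha256: Optional[str] = None) -> List[str]:
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings: List[str] = []
    if len(mbr) != SECTOR:
        return [f"unexpected MBR length {len(mbr)} (want {SECTOR})"]
    if mbr[510:512] != BOOT_SIG:
        findings.append("missing 0x55AA boot signature")
    parts = parse_partitions(mbr)
    if sum(1 for p in parts if p.bootable) > 1:
        findings.append("more than one partition marked active")
    for p in parts:
        if p.lba_start == 0 or p.sectors == 0:
            findings.append(f"partition {p.index}: zero start or size")
    # Overlapping extents are one reason a repair tool calls a table "non-standard".
    for a in parts:
        for b in parts:
            if a.index < b.index and a.lba_start <= b.lba_end and b.lba_start <= a.lba_end:
                findings.append(f"partitions {a.index} and {b.index} overlap")
    # A bootkit that patches the boot code leaves the table alone, so hash the code region.
    if baseline_bootcode_sha256 is not None:
        actual = hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()
        if actual != baseline_bootcode_sha256:
            findings.append("boot code differs from recorded baseline")
    return findings


def build_mbr(bootcode: bytes, entries) -> bytes:
    """Assemble a constructed test MBR from placeholder boot code and (active, type, lba, count) tuples."""
    mbr = bytearray(SECTOR)
    mbr[: len(bootcode)] = bootcode
    for i, (active, ptype, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i,
                         0x80 if active else 0x00, 0, 0, 0, ptype, 0, 0, 0, lba, count)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


# Constructed sample data: a placeholder "clean" boot code region (not real boot code),
# a single-disk layout with an active NTFS partition, and a baseline recorded from it.
CLEAN_BOOTCODE = b"\xEB\xFE" + b"\x00" * (BOOT_CODE_LEN - 2)   # jmp $ then padding
LAYOUT = [(True, 0x07, 63, 2_000_000), (False, 0x07, 2_000_063, 1_000_000)]
CLEAN_MBR = build_mbr(CLEAN_BOOTCODE, LAYOUT)
BASELINE_SHA256 = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()

# Same partition table, boot code region altered: a stand-in for a patched MBR, not malware bytes.
TAMPERED_MBR = build_mbr(b"\x90" * 16 + CLEAN_BOOTCODE[16:], LAYOUT)

# Clean boot code, but entries whose extents overlap (a "non-standard" table).
OVERLAP_MBR = build_mbr(CLEAN_BOOTCODE, [(True, 0x07, 63, 2_000_000), (False, 0x07, 1_000_000, 1_000_000)])

if __name__ == "__main__":
    for name, img in [("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR), ("overlap", OVERLAP_MBR)]:
        print(name, audit_mbr(img, BASELINE_SHA256) or "OK")
```

The baseline hash is the important part: partition-table sanity checks alone say nothing about the boot code, which is exactly what a bootkit rewrites, so record the hash from a clean install and re-check it after any repair or reimaging.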
 

Author Closing Comment

by:mattbiel
ID: 34202334
Thanks everyone, very helpful!
0
 
LVL 92

Expert Comment

by:nobus
ID: 34203067
tx for the feedback!
0
