Solved

how do i remove the trojan:dos/alureon.a in Vista

Posted on 2010-11-19
Last Modified: 2012-05-10
How do I remove the trojan:dos/alureon.a in Vista?  I am working on a client's computer and have pulled the HD to scan from my computer.  As I understand it this affects the MBR.  MSE first detected it and I am running other malware scans.  If it is in the MBR will these methods find and remove it?
Question by:MagsMcKinley14
LVL 6

Expert Comment

by:Kris Montgomery
ID: 34178637
Hi.  I guess this is going around a lot these days:

http://www.experts-exchange.com/Virus_and_Spyware/Latest_Threats/Q_26509751.html?sfQueryTermInfo=1+10+30+alureon.a+do

There are other posts about it.  Search "alureon.a"

Good luck!

mug
0
 
LVL 66

Accepted Solution

by:
johnb6767 earned 500 total points
ID: 34178682
How to remove malware belonging to the family Rootkit.Win32.TDSS (aka Tidserv, TDSServ, Alureon)?
http://support.kaspersky.com/viruses/solutions?qid=208280684
0
 

Author Comment

by:MagsMcKinley14
ID: 34179828
johnb6767:  I will try your solution first.  I was unable to log on to the computer, which is why I pulled the HD, but found and removed other viruses.  Can TDSSKiller.exe be run on an attached drive?  I may try that first and if it will not scan it I will reinstall the HD into my client's computer.  I will try to start in safe mode with command line prompt in case I need to use that option.

muganthony: I did see that post but most of it related to XP.  If the above does not work I will go through the first suggestion which was from Microsoft and did pertain to Vista.  Thank you!

Wish me luck!!

0
 

Author Comment

by:MagsMcKinley14
ID: 34180174
This thing is a bear...reinstalled HD, chose Safe Mode with command prompt and it won't let me in.  The User name is "Other User" and when I put in their User Name and password I get this message, "The specified domain either does not exist or could not be contacted."  This is a personal desktop, Dell Inspiron 531, Vista Home Premium.

Help!!
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 34180527
Did you try the local Administrator account in Safe Mode as well?

Might need to blank out the password......

Forgot your Windows NT/2k/XP/Vista/Win7 admin password?
http://www.pogostick.net/~pnh/ntpasswd/

0
 
LVL 66

Expert Comment

by:johnb6767
ID: 34180530
Oh, and you can reset other accounts with that as well. As well as enable an account.....
0
 

Author Comment

by:MagsMcKinley14
ID: 34181173
Why am I getting the message "The specified domain either does not exist or could not be contacted."?  I've never seen that when trying to log on.

How safe is it to make the boot disk as described in you link above?  Never done that before.  It's like something is not allowing me to log on.  I have the correct user name and password.
0
 
LVL 66

Assisted Solution

by:johnb6767
johnb6767 earned 500 total points
ID: 34181651
Something might have corrupted the password on the account. Either that, or you have something starting as a service early on preventing the logon.....

The boot disk is safe, but you need to read the directions during the use.

Is the drive still slaved by any chance? If so, navigate to that disk\Windows\System32\Drivers, and sort by the Date Modified column in the Details view, and see what the 5 most recent modified drivers are... Post a screenshot if you like as well....
0
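The "sort the Drivers folder by Date Modified" triage above can be done from the technician's machine with the infected disk still attached. The following PowerShell is an added example written for this page, not code from the thread or from any of the tools it mentions. It assumes the slaved disk is mounted as E: (adjust `$DriverDir`), and that the technician's own machine runs PowerShell 4 or later (for `Get-FileHash`); it lists the most recently written `.sys` files together with their Authenticode status, signer and SHA-256 hash so each one can be looked up before anything is renamed or deleted.

```powershell
# Added example (not from the thread): triage the most recently modified kernel
# drivers on an attached (slaved) Windows disk.
# Assumption: the infected disk is mounted as E:, so its driver folder is
# E:\Windows\System32\drivers. Change $DriverDir to the real drive letter.
param(
    [string]$DriverDir = 'E:\Windows\System32\drivers',
    [int]$Top = 5
)

if (-not (Test-Path -Path $DriverDir)) {
    throw "Driver folder not found: $DriverDir (is the disk attached and the letter right?)"
}

Get-ChildItem -Path $DriverDir -Filter '*.sys' -File |
    Sort-Object -Property LastWriteTime -Descending |
    Select-Object -First $Top |
    ForEach-Object {
        # Authenticode check: Valid / NotSigned / HashMismatch / UnknownError ...
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [PSCustomObject]@{
            Name          = $_.Name
            LastWriteTime = $_.LastWriteTime
            SizeBytes     = $_.Length
            Signature     = $sig.Status
            Signer        = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' })
            # Hash to look up the file by, instead of trusting its name
            SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } |
    Format-Table -AutoSize
```

Two caveats when reading the output: a `NotSigned` driver is a reason to look closer, not proof of infection (32-bit Vista never required signed drivers, so legitimate third-party drivers can be unsigned), and `LastWriteTime` is a heuristic, since malware can set file timestamps to blend in. The hash is the value to check against a reputation service before acting.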
 

Author Comment

by:MagsMcKinley14
ID: 34183931
So if I understand you correctly I have to be able to log on in order to run TDSSKiller.exe which is the best product to get rid of the above mentioned virus and that it can not be done from another computer with the drive attached.  Is this correct?

In getting the System32/Drivers for you I found CIAxxxxxxx.exe and superbobrx.exe listed on the C: drive.  Looks like viruses to me.  Running Malwarebytes now on the drive...whenever I attach the drive to my computer MSE finds it but can not get rid of it.
Drivers-page-1.jpg
Drivers-page-2.jpg
0
 
LVL 66

Assisted Solution

by:johnb6767
johnb6767 earned 500 total points
ID: 34184382
I would delete that top cmkhvkfs.sys file. At MINIMUM, rename it to .OLD, from .SYS....

Then next bootup, you should hopefully be able to log into it, and since it is not running in memory, should prevent it from being hidden, and protected. Then retry your additional scans.

And Yes, your first statement is correct I believe.....
0
 

Author Comment

by:MagsMcKinley14
ID: 34184444
I love you!!! I'm in!!!!  Thank you, Thank you, Thank you!!!!!!!!!!!!!!!!!!!  I'll run the rest of the scans!!
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 34184555
lol.... Also, if the scans do not find the startup entries for this, need to look in the registry for it. Just highlight My Computer in the registry, and hit F3.

search for "cmkhvkfs.sys"

Probably sitting in HKLM\System\Services\cmkhvkfs.sys or HKLM\System\Services\cmkhvkfs

Key should be exported, and then removed... Just in case....
0
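The registry step described above (find the startup entry for the renamed driver, export the key, then remove it) can be scripted so that the backup is always taken before the delete. The script below is an added example for this page, not from the thread or from any tool it names. It searches the service entries under `HKLM\SYSTEM\CurrentControlSet\Services`, which is where Windows keeps driver and service definitions; the driver name `cmkhvkfs.sys` is the one from this thread, and the backup folder `C:\RegBackup` is a placeholder. Run it from an elevated PowerShell on the affected machine; nothing is removed unless `-Remove` is passed.

```powershell
# Added example (not from the thread): find service/driver registry entries that
# reference a driver file, export each key to a .reg backup, then optionally remove it.
# Assumptions: driver name is taken from this thread; C:\RegBackup is a placeholder.
param(
    [string]$DriverName = 'cmkhvkfs.sys',
    [string]$BackupDir  = 'C:\RegBackup',
    [switch]$Remove
)

$base         = [IO.Path]::GetFileNameWithoutExtension($DriverName)   # "cmkhvkfs"
$servicesPath = 'HKLM:\SYSTEM\CurrentControlSet\Services'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Match on the key name (service name) or on an ImagePath pointing at the file.
$hits = Get-ChildItem -Path $servicesPath -ErrorAction SilentlyContinue | Where-Object {
    $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    ($_.PSChildName -ieq $base) -or
    ($props.ImagePath -and ($props.ImagePath -imatch [regex]::Escape($DriverName)))
}

if (-not $hits) {
    Write-Host "No service entries referencing $DriverName under $servicesPath"
    return
}

foreach ($key in $hits) {
    $regPath = $key.Name   # e.g. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmkhvkfs
    $props   = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    Write-Host "Found     : $regPath"
    Write-Host "  ImagePath: $($props.ImagePath)"
    Write-Host "  Start    : $($props.Start)   (0=boot 1=system 2=auto 3=manual 4=disabled)"

    # Export first, so the change can be reverted by double-clicking the .reg file.
    $backup = Join-Path -Path $BackupDir -ChildPath ("{0}.reg" -f $key.PSChildName)
    reg.exe export $regPath $backup /y | Out-Null
    Write-Host "  exported : $backup"

    if ($Remove) {
        Remove-Item -Path $key.PSPath -Recurse -Force
        Write-Host "  removed  : $regPath"
    }
}
```

A boot-start entry (`Start` = 0) whose ImagePath points at a file that is no longer there is exactly the leftover the expert is describing; removing it also stops the "driver failed to load" noise at boot. Keep the exported `.reg` files until the machine has been confirmed clean.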
 

Author Comment

by:MagsMcKinley14
ID: 34185380
Did not find "cmkhvkfs.sys" when I searched the registry.

I am constantly getting the message "This file does not have a program associated with it for performing this action.  Create an association in the Set Associations control panel."  I can not open System Protection (under System), Security Center and if I want to run most things, even to open IE I have to "Run as Administrator"

I ran SpyDLLRemover and found GOEC62~1.DLL, the process name is iexplore.exe.  Want to remove it but I can not set a system restore point.  What do you think?

Can I award extra points?  You have been awesome!
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 34185392
No, max is 500pts... But thanks.....

""This file does not have a program associated with it for performing this action.  Create an association in the Set Associations control panel.""

What action is making this appear?

"GOEC62~1.DLL"

That's probably a Google component if I had to guess....

Process Explorer
http://live.sysinternals.com/procexp.exe

Do a search in there for that .DLL, then maybe you can get to it and see the file properties.

Also, is there an Open Browser Window with iexplore.exe running, or is it hidden?

0
 

Author Comment

by:MagsMcKinley14
ID: 34185475
What causes ""This file does not have a program associated with it for performing this action.  Create an association in the Set Associations control panel."" to appear is every time I try and launch something, I click on any icon on the desktop and get the message.  I attempted to open your link above and unless I save it then open it with "Run as Administrator" I get that message.  It happens if I try and run a program.  When I click on Internet Explorer I get the message and have to run it as an Administrator.  Could it just be the way they have their computer set up or does this look fishy?

That's what I found as well with the GOEC62~1.DLL, it only showed up as suspicious.

Loaded the Process Explorer and I typed it in under find, if that is correct and it found nothing.

iexplore.exe only seems to be running when IE is open.  Looks like it may be ok.

Concerned that I can not get to - System restore (says it has been turned off by group policy) and get the above message when I try and open System Protection or Security Center.

Windows Update failed to update Vista to SP1

0
 

Author Comment

by:MagsMcKinley14
ID: 34185541
The computer is booting normally do I need to do the following??  Instruction from Microsoft - http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3ADOS%2FAlureon.A

Additional recovery instructions for Trojan:DOS/Alureon.A
This virus may cause damage to the Master Boot Record (MBR) and Boot Configuration Data (BCD). You will need to run the following commands using the "bootrec.exe" tool to ensure a complete repair of your computer:
 
bootrec /fixmbr
bootrec /fixboot
bootrec /rebuildbcd
 
For more details on these commands, please refer to Microsoft Security Article KB927392, with specific focus to the options "/fixmbr", "/fixboot" and "/rebuildbcd".
0
 

Author Comment

by:MagsMcKinley14
ID: 34185560
Can't even change the time...get the same message - This file does not have a program associated with it for performing this action.  Create an association in the Set Associations control panel.  Refers to C:\Windows\system32\rundll32.exe
0
 

Author Comment

by:MagsMcKinley14
ID: 34185664
Should I run sfc /scannow? If you think so can it be run in Safe Mode or should it be run in Normal Mode?

Good night for now...I'll check back in the morning.  Thanks for all your help John.
Warm regards,
Margaret
0
 

Author Comment

by:MagsMcKinley14
ID: 34193216
Ran sfc /scannow, among other things today.  Could not repair tepmon.ini.

Seems as if trojan:dos/alureon.a is gone but still having many of the above issues.  Looks like some damage was done.  Should I add a new post to address those individually?
0
 

Author Closing Comment

by:MagsMcKinley14
ID: 34197065
Got rid of Trojan Virus.  Still having issues not related to this post.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 34199140
Sorry, I haven't been active much the past few days.... Where do you stand with everything? If you haven't created another post, I would do so, to get the full attention of the community. Only people involved in this thread would see any further activity on this one.....

"Concerned that I can not get to - System restore (says it as been turned off by group policy) and get the above message when I try and open System Protection or Security Center."

In the registry...

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore

Is there a value of "DisableConfig", set to 1? If so, kill the value entirely. But DO NOT GO BACK TO A SYSTEM RESTORE POINT, as you might reinfect yourself......

0
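The "turned off by group policy" symptom and the registry check the expert gives for it can be verified in one step. The snippet below is an added example for this page, not the expert's own code: it reads the policy key named above, reports `DisableConfig` (the value from the thread) and the related `DisableSR` policy value, and removes them only when `-Fix` is passed. Run it from an elevated PowerShell on the affected machine; it does not touch restore points themselves, so the warning about not rolling back to a pre-cleanup restore point still applies.

```powershell
# Added example (not from the thread): check whether System Restore has been
# disabled by policy, as the expert describes, and optionally clear that policy.
# DisableConfig is the value named in the thread; DisableSR is the companion
# policy value that disables System Restore outright.
param([switch]$Fix)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'

function Get-SystemRestorePolicy {
    # Returns a hashtable of the two policy values, $null when a value is not set.
    $result = @{ DisableConfig = $null; DisableSR = $null }
    if (Test-Path -Path $policyKey) {
        $props = Get-ItemProperty -Path $policyKey
        foreach ($name in @($result.Keys)) { $result[$name] = $props.$name }
    }
    return $result
}

$policy = Get-SystemRestorePolicy
if (-not (Test-Path -Path $policyKey)) {
    Write-Host "Policy key absent: System Restore is not restricted by policy here."
    return
}

foreach ($name in 'DisableConfig', 'DisableSR') {
    $val = $policy[$name]
    if ($null -eq $val) { Write-Host "$name : not set"; continue }
    Write-Host "$name : $val"
    if ($Fix -and $val -eq 1) {
        # Delete the value rather than setting it to 0: "not configured" is the
        # normal state on a home machine that was never joined to a domain.
        Remove-ItemProperty -Path $policyKey -Name $name
        Write-Host "  removed $name"
    }
}
```

On a stand-alone Vista Home Premium machine this key normally does not exist at all, so finding it with `DisableConfig` set to 1 is itself a sign that something other than an administrator created it. After clearing it, reopen System Protection and create a fresh restore point only once the scans come back clean.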
