how do i remove the trojan:dos/alureon.a in Vista

How do i remove the trojan:dos/alureon.a in Vista?  I am working on a client's computer and have pulled the HD to scan from my computer.  As I understand it this affects the MBR.  MSE first detected it and I am running other malware scans.  If it is in the MBR will these methods find and remove it?
MagsOwnerAsked:
 
johnb6767Commented:
How to remove malware belonging to the family Rootkit.Win32.TDSS (aka Tidserv, TDSServ, Alureon)?
http://support.kaspersky.com/viruses/solutions?qid=208280684
 
Kris MontgomeryCommented:
Hi.  I guess this is going around a lot these days:

http://www.experts-exchange.com/Virus_and_Spyware/Latest_Threats/Q_26509751.html?sfQueryTermInfo=1+10+30+alureon.a+do

There are other posts about it.  Search "alureon.a"

Good luck!

mug
 
MagsOwnerAuthor Commented:
johnb6767:  I will try your solution first.  I was unable to log on to the computer, which is why I pulled the HD, but found and removed other viruses.  Can TDSSKiller.exe be run on an attached drive?  I may try that first and if it will not scan it I will reinstall the HD into my client's computer.  I will try to start in safe mode with command line prompt in case I need to use that option.

muganthony: I did see that post but most of it related to XP.  If the above does not work I will go through the first suggestion which was from Microsoft and did pertain to Vista.  Thank you!

Wish me luck!!

 
MagsOwnerAuthor Commented:
This thing is a bear...reinstalled HD, chose Safe Mode with command prompt and it won't let me in.  The User name is "Other User" and when I put in their User Name and password I get this message, "The specified domain either does not exist or could not be contacted."  This is a personal desktop, Dell Inspiron 531, Vista Home Premium.

Help!!
 
johnb6767Commented:
Did you try the local Administrator account in Safe Mode as well?

Might need to blank out the password......

Forgot your Windows NT/2k/XP/Vista/Win7 admin password?
http://www.pogostick.net/~pnh/ntpasswd/

 
johnb6767Commented:
Oh, and you can reset other accounts with that as well. As well as enable an account.....
 
MagsOwnerAuthor Commented:
Why am I getting the message "The specified domain either does not exist or could not be contacted."?  I've never seen that when trying to log on.

How safe is it to make the boot disk as described in your link above?  Never done that before.  It's like something is not allowing me to log on.  I have the correct user name and password.
 
johnb6767Commented:
Something might have corrupted the password on the account. Either that, or you have something starting as a service early on preventing the logon.....

The boot disk is safe, but you need to read the directions during the use.

Is the drive still slaved by any chance? If so, navigate to that disk\Windows\System32\Drivers, sort by the Date Modified column in the Details view, and see what the 5 most recently modified drivers are... Post a screenshot if you like as well....
 
MagsOwnerAuthor Commented:
So if I understand you correctly I have to be able to log on in order to run TDSSKiller.exe which is the best product to get rid of the above mentioned virus and that it can not be done from another computer with the drive attached.  Is this correct?

In getting the System32/Drivers for you I found CIAxxxxxxx.exe and superbobrx.exe listed on the C: drive.  Looks like viruses to me.  Running Malwarebytes now on the drive...whenever I attach the drive to my computer MSE finds it but can not get rid of it.
Attachments: Drivers-page-1.jpg, Drivers-page-2.jpg
 
johnb6767Commented:
I would delete that top cmkhvkfs.sys file. At MINIMUM, rename it to .OLD, from .SYS....

Then next bootup, you should hopefully be able to log into it, and since it is not running in memory, should prevent it from being hidden, and protected. Then retry your additional scans.

And Yes, your first statement is correct I believe.....
 
MagsOwnerAuthor Commented:
I love you!!! I'm in!!!!  Thank you, Thank you, Thank you!!!!!!!!!!!!!!!!!!!  I'll run the rest of the scans!!
 
johnb6767Commented:
lol.... Also, if the scans do not find the startup entries for this, need to look in the registry for it. Just highlight My Computer in the registry, and hit F3.

search for "cmkhvkfs.sys"

Probably sitting in HKLM\System\Services\cmkhvkfs.sys or HKLM\System\Services\cmkhvkfs

Key should be exported, and then removed... Just in case....
 
MagsOwnerAuthor Commented:
Did not find "cmkhvkfs.sys" when I searched the registry.

I am constantly getting the message "This file does not have a program associated with it for performing this action.  Create an association in the Set Associations control panel."  I can not open System Protection (under System), Security Center and if I want to run most things, even to open IE I have to "Run as Administrator"

I ran SpyDLLRemover and found GOEC62~1.DLL, the process name is iexplore.exe.  Want to remove it but I can not set a system restore point.  What do you think?

Can I award extra points?  You have been awesome!
 
johnb6767Commented:
No, max is 500pts... But thanks.....

"This file does not have a program associated with it for performing this action.  Create an association in the Set Associations control panel."

What action is making this appear?

"GOEC62~1.DLL"

That's probably a Google component if I had to guess....

Process Explorer
http://live.sysinternals.com/procexp.exe

Do a search in there for that .DLL, then maybe you can get to it and see the file properties.

Also, is there an Open Browser Window with iexplore.exe running, or is it hidden?

 
MagsOwnerAuthor Commented:
What causes "This file does not have a program associated with it for performing this action.  Create an association in the Set Associations control panel." to appear is every time I try and launch something: I click on any icon on the desktop and get the message.  I attempted to open your link above and unless I save it then open it with "Run as Administrator" I get that message.  It happens if I try and run a program.  When I click on Internet Explorer I get the message and have to run it as an Administrator.  Could it just be the way they have their computer set up or does this look fishy?

That's what I found as well with the GOEC62~1.DLL, it only showed up as suspicious.

Loaded the Process Explorer and I typed it in under find, if that is correct and it found nothing.

iexplorer.exe only seems to be running when IE is open.  Looks like it may be ok.

Concerned that I can not get to System Restore (says it has been turned off by group policy) and get the above message when I try and open System Protection or Security Center.

Windows Update failed to update Vista to SP1

 
MagsOwnerAuthor Commented:
The computer is booting normally; do I need to do the following??  Instructions from Microsoft - http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3ADOS%2FAlureon.A

Additional recovery instructions for Trojan:DOS/Alureon.A
This virus may cause damage to the Master Boot Record (MBR) and Boot Configuration Data (BCD). You will need to run the following commands using the "bootrec.exe" tool to ensure a complete repair of your computer:
 
bootrec /fixmbr
bootrec /fixboot
bootrec /rebuildbcd
 
For more details on these commands, please refer to Microsoft Security Article KB927392, with specific focus to the options "/fixmbr", "/fixboot" and "/rebuildbcd".
 
MagsOwnerAuthor Commented:
Can't even change the time...get the same message - "This file does not have a program associated with it for performing this action.  Create an association in the Set Associations control panel."  Refers to C:\Windows\system32\rundll32.exe
 
MagsOwnerAuthor Commented:
Should I run sfc /scannow? If you think so can it be run in Safe Mode or should it be run in Normal Mode?

Good night for now...I'll check back in the morning.  Thanks for all your help John.
Warm regards,
Margaret
 
MagsOwnerAuthor Commented:
Ran sfc /scannow, among other things, today.  Could not repair tepmon.ini.

Seems as if trojan:dos/alureon.a is gone but still having many of the above issues.  Looks like some damage was done.  Should I add a new post to address those individually?
 
MagsOwnerAuthor Commented:
Got rid of Trojan Virus.  Still having issues not related to this post.
 
johnb6767Commented:
Sorry, I haven't been active much the past few days.... Where do you stand with everything? If you haven't created another post, I would do so, to get the full attention of the community. Only people involved in this thread would see any further activity on this one.....

"Concerned that I can not get to System Restore (says it has been turned off by group policy) and get the above message when I try and open System Protection or Security Center."

In the registry...

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore

Is there a value of "DisableConfig", set to 1? If so, kill the value entirely. But DO NOT GO BACK TO A SYSTEM RESTORE POINT, as you might reinfect yourself......

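The two checks johnb6767 describes in this thread (the five most recently modified files in System32\Drivers, and the System Restore policy value) can be done from the technician's PC against the slaved drive without logging on to it. The PowerShell below is an added example, not code from the thread or from any of the tools mentioned; the drive letter E: for the attached disk and the temporary hive name OfflineSoftware are assumptions.

```powershell
# Added example: offline triage of a slaved Vista system drive from an elevated PowerShell prompt.
# $OfflineDrive is an assumption (the letter the client's disk got when attached); adjust as needed.
param([string]$OfflineDrive = 'E:')

# 1. Same idea as sorting System32\Drivers by Date Modified: show the five newest driver files,
#    plus whether each carries a valid Authenticode signature. A freshly written, unsigned .sys
#    among otherwise Microsoft-signed files is what deserves a closer look.
$driverDir = Join-Path $OfflineDrive 'Windows\System32\Drivers'
Get-ChildItem -Path $driverDir -File |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 5 |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Name      = $_.Name
            Modified  = $_.LastWriteTime
            SizeKB    = [math]::Round($_.Length / 1KB, 1)
            Signature = $sig.Status                      # 'Valid' is expected; 'NotSigned' is not
            Signer    = $sig.SignerCertificate.Subject
        }
    } | Format-Table -AutoSize

# 2. The registry check from the end of the thread, read from the offline SOFTWARE hive.
#    The hive is loaded under a temporary key (name is an assumption), read, and unloaded;
#    nothing is modified here. Both DisableConfig and DisableSR are the policy values that
#    block System Restore when set to 1.
$hivePath = Join-Path $OfflineDrive 'Windows\System32\config\SOFTWARE'
reg.exe load 'HKLM\OfflineSoftware' $hivePath | Out-Null
try {
    $polKey = 'HKLM:\OfflineSoftware\Policies\Microsoft\Windows NT\SystemRestore'
    if (Test-Path $polKey) {
        $pol = Get-ItemProperty -Path $polKey
        foreach ($name in 'DisableConfig', 'DisableSR') {
            if ($pol.PSObject.Properties[$name]) {
                '{0} = {1}  (policy value present; 1 means System Restore is blocked)' -f $name, $pol.$name
            }
        }
    } else {
        'No SystemRestore policy key present: System Restore is not disabled by policy.'
    }
} finally {
    [gc]::Collect()                                    # release provider handles before unloading
    reg.exe unload 'HKLM\OfflineSoftware' | Out-Null
}
```

If the policy value turns out to be set, remove it on the live system as the thread advises rather than editing the offline hive, and export the key first.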