Solved

How do I remove the trojan:dos/alureon.a in Vista

Posted on 2010-11-19
Last Modified: 2012-05-10
How do I remove the trojan:dos/alureon.a in Vista?  I am working on a client's computer and have pulled the HD to scan from my computer.  As I understand it this affects the MBR.  MSE first detected it and I am running other malware scans.  If it is in the MBR will these methods find and remove it?
Question by:Mags
22 Comments
 
LVL 6

Expert Comment

by:Kris Montgomery
ID: 34178637
Hi.  I guess this is going around a lot these days:

http://www.experts-exchange.com/Virus_and_Spyware/Latest_Threats/Q_26509751.html?sfQueryTermInfo=1+10+30+alureon.a+do

There are other posts about it.  Search "alureon.a"

Good luck!

mug
 
LVL 66

Accepted Solution

by:
johnb6767 earned 2000 total points
ID: 34178682
How to remove malware belonging to the family Rootkit.Win32.TDSS (aka Tidserv, TDSServ, Alureon)?
http://support.kaspersky.com/viruses/solutions?qid=208280684
 

Author Comment

by:Mags
ID: 34179828
johnb6767:  I will try your solution first.  I was unable to log on to the computer, which is why I pulled the HD, but found and removed other viruses.  Can TDSSKiller.exe be run on an attached drive?  I may try that first and if it will not scan it I will reinstall the HD into my client's computer.  I will try to start in safe mode with command line prompt in case I need to use that option.

muganthony: I did see that post but most of it related to XP.  If the above does not work I will go through the first suggestion which was from Microsoft and did pertain to Vista.  Thank you!

Wish me luck!!

 

Author Comment

by:Mags
ID: 34180174
This thing is a bear...reinstalled HD, chose Safe Mode with command prompt and it won't let me in.  The user name is "Other User" and when I put in their user name and password I get this message, "The specified domain either does not exist or could not be contacted."  This is a personal desktop, Dell Inspiron 531, Vista Home Premium.

Help!!
 
LVL 66

Expert Comment

by:johnb6767
ID: 34180527
Did you try the local Administrator account in Safe Mode as well?

Might need to blank out the password......

Forgot your Windows NT/2k/XP/Vista/Win7 admin password?
http://www.pogostick.net/~pnh/ntpasswd/

 
LVL 66

Expert Comment

by:johnb6767
ID: 34180530
Oh, and you can reset other accounts with that as well. As well as enable an account.....
 

Author Comment

by:Mags
ID: 34181173
Why am I getting the message "The specified domain either does not exist or could not be contacted."?  I've never seen that when trying to log on.

How safe is it to make the boot disk as described in your link above?  Never done that before.  It's like something is not allowing me to log on.  I have the correct user name and password.
 
LVL 66

Assisted Solution

by:johnb6767
johnb6767 earned 2000 total points
ID: 34181651
Something might have corrupted the password on the account. Either that, or you have something starting as a service early on preventing the logon.....

The boot disk is safe, but you need to read the directions during the use.

Is the drive still slaved by any chance? If so, navigate to that disk\Windows\System32\Drivers, and sort by the Date Modified column in the Details view, and see what the 5 most recently modified drivers are... Post a screenshot if you like as well....
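A scripted version of the driver triage suggested in the reply above, added here as an example; it is not part of the original thread or the expert's reply. It assumes the pulled disk is mounted on the technician's machine as E: (change $Volume to match) and uses the host's own System32\drivers as an assumed-clean reference for "does a file of this name normally exist". Run it from an elevated Windows PowerShell 4 or later prompt (Get-FileHash needs 4.0):

```powershell
# Added example (not from the thread): triage the drivers directory of a slaved
# (offline) Windows volume. Lists the most recently written .sys files, checks each
# for an embedded Authenticode signature, hashes it, and notes whether a file of
# the same name exists on the technician's own installation.
param(
    [string]$Volume       = 'E:',                                  # assumed mount point of the pulled disk
    [int]$Top             = 5,                                     # how many most-recent drivers to show
    [string]$ReferenceDir = "$env:SystemRoot\System32\drivers"     # assumed-clean reference install
)

$driverDir = Join-Path $Volume 'Windows\System32\drivers'
if (-not (Test-Path -LiteralPath $driverDir)) {
    throw "Driver directory not found: $driverDir (is the offline volume mounted as $Volume?)"
}

Get-ChildItem -LiteralPath $driverDir -Filter *.sys -Force -File |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First $Top |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Name        = $_.Name
            LastWrite   = $_.LastWriteTime
            SizeKB      = [math]::Round($_.Length / 1KB, 1)
            # NotSigned here only means "no embedded signature". Catalog-signed
            # Microsoft drivers on an offline volume also report NotSigned, because
            # the volume's catalogs are not in the host's catalog database.
            Signature   = $sig.Status
            Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '-' }
            InReference = Test-Path -LiteralPath (Join-Path $ReferenceDir $_.Name)
            SHA256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Format-List

# Neutralise a suspect driver the way the reply suggests: rename rather than
# delete, so it cannot be loaded at next boot but is kept for later analysis.
function Disable-OfflineDriver {
    param([Parameter(Mandatory)][string]$Path)
    Rename-Item -LiteralPath $Path -NewName ((Split-Path $Path -Leaf) + '.OLD')
}
# Example call (hypothetical path, uncomment to use):
# Disable-OfflineDriver -Path 'E:\Windows\System32\drivers\cmkhvkfs.sys'
```

Read the output as leads, not verdicts. A recent LastWriteTime can be timestomped, and on 32-bit Vista an unsigned driver is not itself suspicious because driver signing is not enforced there. The combination that matters is a random-looking name, InReference = False, no embedded signature and a timestamp that does not match the rest of the directory; that is the pattern the expert acted on with cmkhvkfs.sys. Save the SHA256 before renaming so the file can be checked against an AV vendor later.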
 

Author Comment

by:Mags
ID: 34183931
So if I understand you correctly I have to be able to log on in order to run TDSSKiller.exe, which is the best product to get rid of the above mentioned virus, and it cannot be done from another computer with the drive attached.  Is this correct?

In getting the System32/Drivers for you I found CIAxxxxxxx.exe and superbobrx.exe listed on the C: drive.  Looks like viruses to me.  Running Malwarebytes now on the drive...whenever I attach the drive to my computer MSE finds it but cannot get rid of it.
Drivers-page-1.jpg
Drivers-page-2.jpg
 
LVL 66

Assisted Solution

by:johnb6767
johnb6767 earned 2000 total points
ID: 34184382
I would delete that top cmkhvkfs.sys file. At MINIMUM, rename it to .OLD, from .SYS....

Then next bootup, you should hopefully be able to log into it, and since it is not running in memory, should prevent it from being hidden, and protected. Then retry your additional scans.

And Yes, your first statement is correct I believe.....
 

Author Comment

by:Mags
ID: 34184444
I love you!!! I'm in!!!!  Thank you, Thank you, Thank you!!!!!!!!!!!!!!!!!!!  I'll run the rest of the scans!!
 
LVL 66

Expert Comment

by:johnb6767
ID: 34184555
lol.... Also, if the scans do not find the startup entries for this, need to look in the registry for it. Just highlight My Computer in the registry, and hit F3.

search for "cmkhvkfs.sys"

Probably sitting in HKLM\System\Services\cmkhvkfs.sys or HKLM\System\Services\cmkhvkfs

Key should be exported, and then removed... Just in case....
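The registry step in the reply above, done against the SYSTEM hive on the slaved disk instead of by hand in regedit. This is an added example and not code from the thread. On a running system, driver and service entries live under HKLM\SYSTEM\CurrentControlSet\Services\<name>; CurrentControlSet is a link that exists only on a live system, so on a loaded offline hive the script resolves the real ControlSetNNN through the hive's Select key. It assumes the pulled disk is mounted as E:, the driver name reported in the thread (cmkhvkfs.sys), and an elevated prompt; the key is deleted only when -Remove is given:

```powershell
# Added example (not from the thread): locate, export and optionally delete the
# service entry that loads a suspect driver, working on the offline SYSTEM hive.
param(
    [string]$Volume     = 'E:',              # assumed mount point of the pulled disk
    [string]$DriverName = 'cmkhvkfs.sys',    # driver named in the thread
    [string]$MountName  = 'OfflineSYSTEM',   # temporary name for the loaded hive
    [string]$ExportDir  = "$env:USERPROFILE\Desktop",
    [switch]$Remove
)

$hiveFile = Join-Path $Volume 'Windows\System32\config\SYSTEM'
if (-not (Test-Path -LiteralPath $hiveFile)) { throw "SYSTEM hive not found at $hiveFile" }

reg.exe load "HKLM\$MountName" $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $hiveFile (elevated prompt? hive already loaded?)" }

try {
    # A live system resolves CurrentControlSet via HKLM\SYSTEM\Select\Current.
    # The loaded hive has no CurrentControlSet link, so build ControlSetNNN ourselves.
    $current  = (Get-ItemProperty -LiteralPath "HKLM:\$MountName\Select").Current
    $ctlSet   = 'ControlSet{0:D3}' -f $current
    $services = "HKLM:\$MountName\$ctlSet\Services"

    $baseName = [IO.Path]::GetFileNameWithoutExtension($DriverName)
    $pattern  = [regex]::Escape($DriverName)

    # Match the usual case (service named after the file) and the case where a
    # service under some other name has an ImagePath pointing at the file.
    $hits = @(Get-ChildItem -LiteralPath $services | Where-Object {
        $p = Get-ItemProperty -LiteralPath $_.PSPath
        ($_.PSChildName -ieq $baseName) -or
        ($p.ImagePath -is [string] -and $p.ImagePath -imatch $pattern)
    })

    if ($hits.Count -eq 0) {
        Write-Output "No service under $services references $DriverName"
    }

    foreach ($h in $hits) {
        $p = Get-ItemProperty -LiteralPath $h.PSPath
        # Start: 0=boot 1=system 2=auto 3=manual 4=disabled.  Type 1 = kernel driver.
        Write-Output ("{0}  Start={1} Type={2} ImagePath={3}" -f $h.PSChildName, $p.Start, $p.Type, $p.ImagePath)

        # reg.exe wants the HKLM\... form, not the HKLM:\ PSDrive form.
        $regPath = "HKLM\$MountName\$ctlSet\Services\$($h.PSChildName)"
        $outFile = Join-Path $ExportDir "$($h.PSChildName).reg"
        reg.exe export $regPath $outFile /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "export of $regPath failed; not removing" }
        Write-Output "Exported to $outFile"

        if ($Remove) {
            Remove-Item -LiteralPath $h.PSPath -Recurse
            Write-Output "Removed $regPath"
        }
    }
}
finally {
    # Drop references to the keys first, or reg unload fails with "Access is denied".
    $hits = $null
    [gc]::Collect(); [gc]::WaitForPendingFinalizers()
    reg.exe unload "HKLM\$MountName" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload HKLM\$MountName failed; close regedit and unload manually" }
}
```

Two caveats. The exported .reg files name the key as HKLM\OfflineSYSTEM\..., so edit the path back to HKLM\SYSTEM\ControlSetNNN\... before importing on the repaired machine. And an empty result does not mean the disk is clean: the MBR variant this thread is about (Trojan:DOS/Alureon.A) is loaded from the boot sector, and other TDSS variants infected an existing legitimate driver rather than registering a new service, so this search only catches the dropped-driver case.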
 

Author Comment

by:Mags
ID: 34185380
Did not find "cmkhvkfs.sys" when I searched the registry.

I am constantly getting the message "This file does not have a program associated with it for performing this action.  Create an association in the Set Associations control panel."  I cannot open System Protection (under System) or Security Center, and if I want to run most things, even to open IE, I have to "Run as Administrator".

I ran SpyDLLRemover and found GOEC62~1.DLL, the process name is iexplore.exe.  Want to remove it but I cannot set a system restore point.  What do you think?

Can I award extra points?  You have been awesome!
 
LVL 66

Expert Comment

by:johnb6767
ID: 34185392
No, max is 500pts... But thanks.....

"This file does not have a program associated with it for performing this action.  Create an association in the Set Associations control panel."

What action is making this appear?

"GOEC62~1.DLL"

That's probably a Google component if I had to guess....

Process Explorer
http://live.sysinternals.com/procexp.exe

Do a search in there for that .DLL, then maybe you can get to it and see the file properties.

Also, is there an Open Browser Window with iexplore.exe running, or is it hidden?

 

Author Comment

by:Mags
ID: 34185475
What causes "This file does not have a program associated with it for performing this action.  Create an association in the Set Associations control panel." to appear is every time I try and launch something; I click on any icon on the desktop and get the message.  I attempted to open your link above and unless I save it then open it with "Run as Administrator" I get that message.  It happens if I try and run a program.  When I click on Internet Explorer I get the message and have to run it as an Administrator.  Could it just be the way they have their computer set up or does this look fishy?

That's what I found as well with the GOEC62~1.DLL, it only showed up as suspicious.

Loaded the Process Explorer and I typed it in under Find, if that is correct, and it found nothing.

iexplore.exe only seems to be running when IE is open.  Looks like it may be ok.

Concerned that I cannot get to System Restore (says it has been turned off by group policy) and get the above message when I try and open System Protection or Security Center.

Windows Update failed to update Vista to SP1

 

Author Comment

by:Mags
ID: 34185541
The computer is booting normally; do I need to do the following?  Instructions from Microsoft - http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3ADOS%2FAlureon.A

Additional recovery instructions for Trojan:DOS/Alureon.A
This virus may cause damage to the Master Boot Record (MBR) and Boot Configuration Data (BCD). You will need to run the following commands using the "bootrec.exe" tool to ensure a complete repair of your computer:
 
bootrec /fixmbr
bootrec /fixboot
bootrec /rebuildbcd
 
For more details on these commands, please refer to Microsoft Security Article KB927392, with specific focus to the options "/fixmbr", "/fixboot" and "/rebuildbcd".
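The Microsoft instructions quoted above repair the MBR with bootrec; the question at the top of the thread was whether the MBR is infected in the first place. The script below is an added example, not part of the thread or of Microsoft's article. It reads sector 0 of the pulled disk read-only from the technician's machine and prints the boot-code hash, the disk signature and the partition table. It assumes the pulled disk shows up as PhysicalDrive1 (verify with diskpart's list disk first; disk 0 is normally the host's own boot disk) and Windows PowerShell 5.1 on .NET Framework, run elevated. No known-good hash is hard-coded because the thread gives none; compare the hash against a clean install of the same Windows version:

```powershell
# Added example (not from the thread): dump and summarise the MBR of the pulled
# disk without writing anything to it.
param([int]$DiskNumber = 1)   # assumed: the slaved drive is PhysicalDrive1

$device = "\\.\PhysicalDrive$DiskNumber"
$sector = New-Object byte[] 512

# FileShare.ReadWrite is required because the OS already holds the device open.
# Raw device reads must be sector-aligned, hence a 512-byte buffer and one read.
$fs = New-Object IO.FileStream($device, [IO.FileMode]::Open, [IO.FileAccess]::Read, [IO.FileShare]::ReadWrite, 512)
try {
    $n = $fs.Read($sector, 0, 512)
    if ($n -ne 512) { throw "Short read from $device ($n bytes)" }
}
finally { $fs.Dispose() }

# Classic MBR layout: 0..439 boot code, 440..443 disk signature, 444..445 reserved,
# 446..509 four 16-byte partition entries, 510..511 the 55 AA boot signature.
$sha      = [Security.Cryptography.SHA256]::Create()
$codeHash = ($sha.ComputeHash([byte[]]($sector[0..439])) | ForEach-Object { $_.ToString('x2') }) -join ''
$sigOk    = ($sector[510] -eq 0x55) -and ($sector[511] -eq 0xAA)

Write-Output ("Boot code SHA256 : {0}" -f $codeHash)
Write-Output ("Disk signature   : 0x{0:X8}" -f [BitConverter]::ToUInt32($sector, 440))
Write-Output ("55AA signature   : {0}" -f $(if ($sigOk) { 'present' } else { 'MISSING' }))

$entries = foreach ($i in 0..3) {
    $o = 446 + 16 * $i
    if ($sector[$o + 4] -eq 0) { continue }          # unused slot
    [pscustomobject]@{
        Entry    = $i
        Active   = ($sector[$o] -eq 0x80)             # boot flag
        Type     = '0x{0:X2}' -f $sector[$o + 4]      # e.g. 0x07 NTFS, 0xDE Dell utility
        StartLBA = [BitConverter]::ToUInt32($sector, $o + 8)
        Sectors  = [BitConverter]::ToUInt32($sector, $o + 12)
    }
}
$entries | Format-Table -AutoSize
```

Reading the drive from a clean host is the point: a bootkit running on the infected OS can filter reads of sector 0 and hand back the original MBR, so a dump taken from inside that system proves nothing. Note what bootrec /fixmbr changes: it rewrites the boot-code bytes and leaves the partition table in place, which is why Microsoft can recommend it without a repartition. Keep the pre-repair hash with the case notes.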
 

Author Comment

by:Mags
ID: 34185560
Can't even change the time...get the same message - This file does not have a program associated with it for performing this action.  Create an association in the Set Associations control panel.  Refers to C:\Windows\system32\rundll32.exe
 

Author Comment

by:Mags
ID: 34185664
Should I run sfc /scannow? If you think so can it be run in Safe Mode or should it be run in Normal Mode?

Good night for now...I'll check back in the morning.  Thanks for all your help John.
Warm regards,
Margaret
 

Author Comment

by:Mags
ID: 34193216
Ran sfc /scannow, among other things today.  Could not repair tepmon.ini.

Seems as if trojan:dos/alureon.a is gone but still having many of the above issues.  Looks like some damage was done.  Should I add a new post to address those individually?
 

Author Closing Comment

by:Mags
ID: 34197065
Got rid of Trojan virus.  Still having issue not related to this post.
 
LVL 66

Expert Comment

by:johnb6767
ID: 34199140
Sorry, I haven't been active much the past few days.... Where do you stand with everything? If you haven't created another post, I would do so, to get the full attention of the community. Only people involved in this thread would see any further activity on this one.....

"Concerned that I can not get to - System restore (says it as been turned off by group policy) and get the above message when I try and open System Protection or Security Center."

In the registry...

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore

Is there a value of "DisableConfig", set to 1? If so, kill the value entirely. But DO NOT GO BACK TO A SYSTEM RESTORE POINT, as you might reinfect yourself......

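The registry check in the reply above, as a script; this is an added example, not code from the thread. It looks at both values the "System Restore" group policies write under that key: DisableConfig (hides the configuration UI, the value the reply names) and DisableSR (turns the feature off altogether). It exports the key before deleting anything and, for the reason the reply gives, does not touch any restore point. Run elevated on the cleaned machine:

```powershell
# Added example (not from the thread): undo a policy-based System Restore lockout.
# Malware and real Group Policy use the same values; on a home PC that has never
# been domain-joined there is no legitimate reason for them to be present.
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
$policyReg  = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'   # reg.exe form
$valueNames = 'DisableConfig', 'DisableSR'
$backup     = Join-Path $env:USERPROFILE 'Desktop\SystemRestorePolicy.reg'   # assumed backup location

if (-not (Test-Path -LiteralPath $policyKey)) {
    Write-Output 'No SystemRestore policy key; System Restore is not disabled by policy.'
    return
}

$props = Get-ItemProperty -LiteralPath $policyKey
$set   = foreach ($name in $valueNames) {
    $v = $props.PSObject.Properties[$name]
    if ($v -and $v.Value -ne 0) { $name }        # 1 = policy enforced
}

if (-not $set) {
    Write-Output 'Policy key exists but DisableConfig and DisableSR are not set.'
    return
}

Write-Output ("Policy values set: {0}" -f ($set -join ', '))
reg.exe export $policyReg $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg export failed; not removing anything' }
Write-Output "Backup written to $backup"

foreach ($name in $set) {
    Remove-ItemProperty -LiteralPath $policyKey -Name $name
    Write-Output "Removed $name"
}
# System Properties > System Protection should now open. Do NOT roll back to an
# existing restore point (it may carry the infection); create a fresh one once
# the machine is clean.
```

If the key reappears after a reboot, something still running is re-applying it, which is the same kind of lead as the driver timestamps earlier in the thread: look for what writes it rather than deleting it again.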
