Solved

Infected with Trojan:DOS/Alureon.E, etc

Posted on 2013-05-09
Last Modified: 2013-11-22
Client complained of a slow computer...no other issues.
Updated his internet security with MSE & MBAM Pro (set up to work together).

Bam...MSE found Trojan:DOS/Alureon.E but couldn't get rid of it so I did some research and attacked!

Ran aswMBR, fixed MBR and found and deleted the hidden partition.

Pulled out the guns and ran every tool I could think of... TDSSKiller was clean but I did not change any of the parameters.

Did not run ComboFix.  Will run only with your request.

Running a new full MSE scan now.

I am working on this computer remotely.

Thanks for your assistance!!
Mags
Rkill--1.txt
RKreport-1--S-05082013-02d1235.txt
RKreport-2--D-05082013-02d1237.txt
RKreport-3--H-05082013-02d1237.txt
RogueKiller-MBR-Error.jpg
aswMBR--2.txt
Hidden-Partition-Trojan-DOS-Alur.jpg
RKreport-1--S-05082013-02d1943.txt
mbam-log-2013-05-08--19-51-58-.txt
aswMBR--3.txt
Rkill--2.txt
HitmanPro-20130509-0645.log
a2scan-130509-070050.txt
AdwCleaner-S1-.txt
JRT.txt
Question by:MagsMcKinley14
LVL 23

Assisted Solution

by:tailoreddigital
tailoreddigital earned 100 total points

Author Comment

by:MagsMcKinley14
Yes, that's the one I used ;-)  What about MBAM finding the Trojan, Vundo and the things Hitman found??  Does it seem that they took care of the issues?  Any other scan, such as ComboFix (which I don't know how to read) that you think need to be run or rerun?
MSE scan still running.
Thanks,
Mags
LVL 23

Expert Comment

by:tailoreddigital
This thread,

http://guides.yoosecurity.com/permanently-remove-trojandosalureon-e-virus-from-win-7-vista-or-xp/

gives me the impression that MSE removes it but it recurs. It points out some manual removal done in the registry (on the lower part of the page).


Is MSE removing it?
LVL 29

Assisted Solution

by:Sudeep Sharma
Sudeep Sharma earned 400 total points
Please run TDSSKiller with the "Detect TDLFS file system" option selected and post the logs.

TDSSKiller TDLFS option
Sudeep

Author Comment

by:MagsMcKinley14
tailoreddigital, MSE did not rid the computer of the trojan, but running aswMBR fixed the MBR and then I deleted the hidden partition... after running the above-mentioned scans MSE no longer found Trojan:DOS/Alureon.E... it appears to be gone.

Hey Sudeep...great minds think alike...that was the parameter I was going to check...ran the scan and it found no threats.

So what do we think?  Is the computer Trojan free at last?!?
LVL 29

Accepted Solution

by:
Sudeep Sharma earned 400 total points

Author Comment

by:MagsMcKinley14
Thanks Sudeep.  I will run ComboFix as soon as the computer is available then send you the log.
Thank you!
Mags

Author Comment

by:MagsMcKinley14
Here is the ComboFix Log...also the TDSSKiller log
Thanks a million!!
Mags
ComboFix-log.txt
TDSSKiller.2.8.16.0-13.05.2013-1.txt
LVL 29

Assisted Solution

by:Sudeep Sharma
Sudeep Sharma earned 400 total points
TDSSKiller looks good, and ComboFix has removed some files and restored an infected process file named "userinit.exe". Below are the ComboFix logs:

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Owner\AppData\Local\assembly\tmp
c:\users\Owner\Documents\~WRL3798.tmp
c:\users\Owner\g2ax_customer_downloadhelper_win32_x86.exe
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
c:\windows\system32\jucheck.exe
c:\windows\system32\jusched.exe
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\combofix\HarddiskVolumeShadowCopy9_!WINDOWS!System32!userinit.exe

Now please run an online scan from ESET and let us know if it found any infection.
ESET online scan
http://www.eset.com/us/online-scanner

Sudeep

Author Comment

by:MagsMcKinley14
Running now.  Thanks Sudeep.
Mags

Author Comment

by:MagsMcKinley14
No infection was found.  Anything else or am I ready for cleanup?
Thanks,
Mags
LVL 29

Assisted Solution

by:Sudeep Sharma
Sudeep Sharma earned 400 total points
Yes, you are good to go.

Just make sure to uninstall ComboFix.

To uninstall it, in Run type Combofix /uninstall.

Also update Flash Player, Adobe Acrobat Reader and Java on the system.

Sudeep

Author Comment

by:MagsMcKinley14
Will do!  That was part of my cleanup plan.  I found a great program called Secunia Online Software Inspector that helps me find programs that are not up to date, since I can't read the logs like you can.

Sudeep thank you for your assistance.  I'll be doing the cleanup this morning and will send in a final post.
Mags

Author Comment

by:MagsMcKinley14
Why would he have a drive (\\10.32.164.242) (Z:), which appears to be a network drive, with a big red X through it...
When clicked on I get the message:
Restoring Network Connections - An error occurred while reconnecting Z: to \\10.32.164.242\driver  Microsoft Windows Network: The network path was not found.  This connection has not been restored.

I have no idea what this would try and connect to...I will see what happens when I do clean up.  I tried to get info on it and I'm thinking it should be deleted.  It does not show up in Disk Management but it is mapped.
LVL 29

Expert Comment

by:Sudeep Sharma
Is the network device or system 10.32.164.24 accessible?

Make sure you can ping it fine and it has Windows file sharing on it.

Try to browse it by typing \\10.32.164.24 in Run.

Sudeep

Author Comment

by:MagsMcKinley14
No... error code 0x80070035, the network path was not found.  Diagnosed it and got the message "cannot communicate with 10.32.164.24; Network diagnostics pinged the remote host but did not receive a response."  Option... Reset the network adapter "Wireless Network Connection".  Resetting the adapter can sometimes resolve an intermittent problem.

I'm hesitant to do so since I am working remotely...could this be trojan related?

Author Comment

by:MagsMcKinley14
Weird thing... I could not rename files or print his screen.  Ran RKill, file attached, and now I can rename files but still cannot print his screen.  RKill also has a different log line saying:

Checking Windows Service Integrity: * msiserver => %systemroot%\system32\msiexec.exe /V [Incorrect ImagePath]

For cleanup I:
Uninstalled ComboFix
Ran CCleaner
Ran Revo Junk removal
Turned off System Restore to flush all restore points, then turned System Restore back on
Ran Windows Update... no important updates needed
Used Secunia Online Software Inspector to update Adobe Flash Player, and since he had the most recent Java I uninstalled the old Java updates

PS  When opening, let's say, "Computer", it takes a while to populate.
Rkill.txt

Author Comment

by:MagsMcKinley14
Sudeep...any suggestions on how to handle the unknown network drive?

Author Comment

by:MagsMcKinley14
Okay... I disconnected the mystery Z: drive and voilà... no issues, and when opening up "Computer" it populates quickly.

I still question the RKill log:

Checking Windows Service Integrity:

 * msiserver => %systemroot%\system32\msiexec.exe /V [Incorrect ImagePath]

What does this mean?

Thanks,
Mags
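For the `[Incorrect ImagePath]` line above, an added example (PowerShell, not from the thread, from RKill or from any expert here): it reads a service's ImagePath from the registry, compares it with an expected command line after environment-variable expansion and ignoring case, and checks the Authenticode signature of the binary the path points to. The expected value is the one RKill printed for msiserver in this thread; the function name and output fields are my own.

```powershell
# Added example: verify a Windows service's ImagePath against an expected
# command line and check the signature of the binary it launches.
# Run in an elevated PowerShell on the machine being examined.

function Test-ServiceImagePath {
    param(
        [Parameter(Mandatory)] [string] $ServiceName,
        [Parameter(Mandatory)] [string] $ExpectedImagePath
    )
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Service = $ServiceName; Status = 'Missing'
                                  Actual = $null; Expected = $ExpectedImagePath }
    }
    $actual = (Get-ItemProperty -Path $key -Name ImagePath -ErrorAction SilentlyContinue).ImagePath

    # Normalise both sides: expand %SystemRoot% etc., trim, lower-case, so a
    # purely cosmetic difference in how the path is written is not reported.
    $norm = { param($s) [Environment]::ExpandEnvironmentVariables($s).Trim().ToLowerInvariant() }
    $status = if ($actual -and ((& $norm $actual) -eq (& $norm $ExpectedImagePath))) { 'OK' } else { 'Mismatch' }

    # Pull the executable out of the command line (quoted or unquoted form)
    # and ask whether the file on disk carries a valid signature.
    $exe = if ($actual -match '^"([^"]+)"') { $Matches[1] } else { ($actual -split ' ')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    $sig = if (Test-Path $exe) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'FileMissing' }

    [pscustomobject]@{
        Service   = $ServiceName
        Status    = $status
        Actual    = $actual
        Expected  = $ExpectedImagePath
        Binary    = $exe
        Signature = $sig
    }
}

# msiserver, with the expected ImagePath as printed in the RKill log above.
$expected = @{ 'msiserver' = '%systemroot%\system32\msiexec.exe /V' }
foreach ($svc in $expected.Keys) {
    Test-ServiceImagePath -ServiceName $svc -ExpectedImagePath $expected[$svc] | Format-List
}
```

A Status of Mismatch, a Binary outside %SystemRoot%\system32, or a Signature other than Valid is what would justify a closer look at that service.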
