Infected with Trojan:DOS/Alureon.E, etc

Client complained of a slow computer...no other issues.
Updated his internet security with MSE & MBAM Pro (set up to work together).

Bam...MSE found Trojan:DOS/Alureon.E but couldn't get rid of it so I did some research and attacked!

Ran aswMBR, fixed MBR and found and deleted the hidden partition.

Pulled out the guns and ran every tool I could think of...tdsskiller was clean but I did not change any of the parameters.

Did not run ComboFix.  Will run only with your request.

Running a new full MSE scan now.

I am working on this computer remotely.

Thanks for your assistance!!
Mags
Rkill--1.txt
RKreport-1--S-05082013-02d1235.txt
RKreport-2--D-05082013-02d1237.txt
RKreport-3--H-05082013-02d1237.txt
RogueKiller-MBR-Error.jpg
aswMBR--2.txt
Hidden-Partition-Trojan-DOS-Alur.jpg
RKreport-1--S-05082013-02d1943.txt
mbam-log-2013-05-08--19-51-58-.txt
aswMBR--3.txt
Rkill--2.txt
HitmanPro-20130509-0645.log
a2scan-130509-070050.txt
AdwCleaner-S1-.txt
JRT.txt
Sudeep Sharma (Technical Designer) commented:

Mags (Author) commented:
Yes, that's the one I used ;-)  What about MBAM finding the Trojan, Vundo and the things Hitman found??  Does it seem that they took care of the issues?  Any other scan, such as ComboFix (which I don't know how to read) that you think need to be run or rerun?
MSE scan still running.
Thanks,
Mags
tailoreddigital commented:
This thread,

http://guides.yoosecurity.com/permanently-remove-trojandosalureon-e-virus-from-win-7-vista-or-xp/

Gives me the impression that MSE removes it but it recurs. It points out some manual removal done in the registry (on the lower part of the page).


Is MSE removing it?

Sudeep Sharma (Technical Designer) commented:
Please run TDSSKiller with "Detect TDLS file system" option selected and post the logs.

TDSSKiller TDLS option
Sudeep

Mags (Author) commented:
tailoreddigital, MSE did not rid the computer of the trojan, but running aswMBR fixed the MBR, then I deleted the hidden partition...after running the above-mentioned scans MSE no longer found the Trojan:DOS/Alureon.E...it appears to be gone.

Hey Sudeep...great minds think alike...that was the parameter I was going to check...ran the scan and it found no threats.

So what do we think?  Is the computer Trojan free at last?!?

Mags (Author) commented:
Thanks Sudeep.  I will run ComboFix as soon as the computer is available then send you the log.
Thank you!
Mags

Mags (Author) commented:
Here is the ComboFix Log...also the TDSSKiller log
Thanks a million!!
Mags
ComboFix-log.txt
TDSSKiller.2.8.16.0-13.05.2013-1.txt

Sudeep Sharma (Technical Designer) commented:
TDSSKiller looks good, and Combofix has removed some files and restored an infected process file named "userinit.exe". Below are the Combofix logs:

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Owner\AppData\Local\assembly\tmp
c:\users\Owner\Documents\~WRL3798.tmp
c:\users\Owner\g2ax_customer_downloadhelper_win32_x86.exe
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
c:\windows\system32\jucheck.exe
c:\windows\system32\jusched.exe
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\combofix\HarddiskVolumeShadowCopy9_!WINDOWS!System32!userinit.exe

Now please run an online scan from ESET and let us know if it found any infection.
ESET online scan
http://www.eset.com/us/online-scanner

Sudeep

Mags (Author) commented:
Running now.  Thanks Sudeep.
Mags

Mags (Author) commented:
No infection was found.  Anything else or am I ready for cleanup?
Thanks,
Mags

Sudeep Sharma (Technical Designer) commented:
Yes you are good to go.

Just make sure to uninstall the Combofix.

To uninstall it, in Run type Combofix /uninstall.

Also update Flash Player, Adobe Acrobat Reader and Java on the system.

Sudeep

Mags (Author) commented:
Will do!  That was part of my cleanup plan.  I found a great program called Secunia Online Software Inspector that helps me find programs that are not up-to-date since I can't read the logs like you can.

Sudeep thank you for your assistance.  I'll be doing the cleanup this morning and will send in a final post.
Mags

Mags (Author) commented:
Why would he have a drive (\\10.32.164.242) (Z:), which appears to be a network drive, with a big red X through it...
(Z:)
When clicked on I get the message
Restoring Network Connections - An error occurred while reconnecting Z: to \\10.32.164.242\driver  Microsoft Windows Network: The network path was not found.  This connection has not been restored.

I have no idea what this would try and connect to...I will see what happens when I do clean up.  I tried to get info on it and I'm thinking it should be deleted.  It does not show up in Disk Management but it is mapped.

Sudeep Sharma (Technical Designer) commented:
Is the network device or system 10.32.164.24 accessible?

Make sure you can ping it fine and that it has Windows file sharing on it.

Try to browse it by typing \\10.32.164.24 in Run.

Sudeep
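The reachability checks Sudeep describes (ping the host, then try to browse the share) can be run in one pass for every persistent mapping on the machine. The PowerShell below is an added example, not from this thread or from any of the tools mentioned in it: it lists the current user's persistent drive mappings from HKCU:\Network and probes each target over ICMP, TCP/445 and the UNC path itself, so a dead or unexpected mapping like the Z: drive above can be reviewed before it is removed. It assumes an elevated PowerShell session on the affected machine; the 2-second connect timeout and the current-user-only scope are my own choices.

```powershell
# Added example (not from the thread): inventory persistent network drive mappings
# for the current user and test whether each target is reachable. Run elevated on
# the affected machine. Other users' mappings live in their own HKU hives and are
# not covered here (assumption: the logged-on user's mappings are the ones of interest).

function Get-PersistentMapping {
    # Each persistent mapping is a subkey HKCU:\Network\<DriveLetter> with a RemotePath value.
    Get-ChildItem -Path 'HKCU:\Network' -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        $parts = $props.RemotePath -split '\\'      # "\\server\share" -> "", "", "server", "share"
        [PSCustomObject]@{
            Drive      = $_.PSChildName + ':'
            RemotePath = $props.RemotePath
            Server     = $parts[2]
            Share      = $parts[3]
        }
    }
}

function Test-MappingTarget {
    param([Parameter(Mandatory)] $Mapping)

    # ICMP reachability; a firewall can block this even when SMB works, so it is only a hint.
    $ping = Test-Connection -ComputerName $Mapping.Server -Count 1 -Quiet -ErrorAction SilentlyContinue

    # TCP/445 is the port that "browse \\host in Run" actually needs. 2 s timeout (my choice).
    $smb = $false
    try {
        $client = New-Object System.Net.Sockets.TcpClient
        $async  = $client.BeginConnect($Mapping.Server, 445, $null, $null)
        $smb    = $async.AsyncWaitHandle.WaitOne(2000) -and $client.Connected
        $client.Close()
    } catch { $smb = $false }

    # Finally ask for the share itself through the UNC path.
    $share = Test-Path -Path $Mapping.RemotePath -ErrorAction SilentlyContinue

    $verdict = if ($share) { 'reachable' }
               elseif ($smb) { 'host answers on 445, share missing or access denied' }
               else { 'unreachable: review origin, then remove with: net use <drive> /delete' }

    [PSCustomObject]@{
        Drive      = $Mapping.Drive
        RemotePath = $Mapping.RemotePath
        Ping       = [bool]$ping
        Tcp445     = [bool]$smb
        ShareOk    = [bool]$share
        Verdict    = $verdict
    }
}

Get-PersistentMapping | ForEach-Object { Test-MappingTarget -Mapping $_ } | Format-Table -AutoSize
```

A mapping that shows as unreachable is not by itself evidence of malware; it is just as often a share from a former workplace or a decommissioned NAS. The useful part is the RemotePath: if neither the owner nor any installed software accounts for it, remove it with `net use Z: /delete` and note the value for the record.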
Mags (Author) commented:
No...error code 0x80070035 the network path was not found.  Diagnosed and got the message cannot communicate with 10.32.164.24, Network diagnostics pinged the remote host but did not receive a response.  Option...Reset the network adapter "Wireless Network Connection"  Resetting the adapter can sometimes resolve an intermittent problem.

I'm hesitant to do so since I am working remotely...could this be trojan related?

Mags (Author) commented:
Weird thing...I could not rename files or print his screen. Ran RKill, file attached, and now I can rename files but still cannot print his screen. Rkill also has a different log saying -

Checking Windows Service Integrity: * msiserver => %systemroot%\system32\msiexec.exe /V [Incorrect ImagePath]

For cleanup I -
Uninstalled Combo Fix
Ran CCleaner
Ran Revo Junk removal
Turned off System restore to flush all restore points then turned system restore back on
Ran Windows Update...no important updates needed
Used Secunia Online Software Inspector to update Adobe Flash player and since he had the most recent Java I uninstalled the old Java updates

PS  When opening, let's say, "Computer", it takes a while to populate.
Rkill.txt

Mags (Author) commented:
Sudeep...any suggestions on how to handle the unknown network drive?

Mags (Author) commented:
Okay...I disconnected the mystery Z: drive and voila...no issues and when opening up "Computer" it populates quickly.

Still question the rkill log -

Checking Windows Service Integrity:

 * msiserver => %systemroot%\system32\msiexec.exe /V [Incorrect ImagePath]

What does this mean?

Thanks,
Mags
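The RKill line above is reporting on the msiserver service's ImagePath, the registry value under HKLM\SYSTEM\CurrentControlSet\Services\<name> that tells the Service Control Manager which executable (and arguments) to start. Whether a given value is "incorrect" depends on the baseline the tool compares against, so the check is worth repeating with a baseline you control. The PowerShell below is an added example, not from this thread or from RKill: it reads a service's ImagePath, resolves the executable it points to, checks that the file exists under System32 and carries a valid Authenticode signature, and compares the raw value to a baseline table. The baseline hashtable is an assumption: populate it from a known-good machine of the same Windows version; the msiserver entry is simply the value quoted in the RKill output above, not an authoritative default.

```powershell
# Added example (not from the thread or from RKill): audit a service's ImagePath.
# Run in an elevated PowerShell on the machine being checked.

# Baseline ImagePath values. ASSUMPTION: fill this from a known-good machine of the
# same Windows version. The msiserver value is the one shown in the RKill log in this
# thread and is included only as an illustration of the format.
$Baseline = @{
    'msiserver' = '%systemroot%\system32\msiexec.exe /V'
}

function Get-ServiceImagePathReport {
    param([Parameter(Mandatory)][string] $ServiceName)

    $key       = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $imagePath = (Get-ItemProperty -Path $key -Name ImagePath -ErrorAction Stop).ImagePath

    # Separate the executable from its arguments. Two shapes occur:
    #   "C:\Program Files\x\y.exe" -k args      (quoted path, spaces allowed)
    #   %systemroot%\system32\msiexec.exe /V    (unquoted path, first token is the exe)
    if ($imagePath -match '^\s*"([^"]+)"\s*(.*)$') {
        $exe = $Matches[1]; $arguments = $Matches[2]
    } else {
        $tokens = $imagePath.Trim() -split '\s+', 2
        $exe = $tokens[0]; $arguments = if ($tokens.Count -gt 1) { $tokens[1] } else { '' }
    }

    # Expand %systemroot% etc.; kernel drivers often store a path relative to the system root.
    $resolved = [Environment]::ExpandEnvironmentVariables($exe)
    if (-not [IO.Path]::IsPathRooted($resolved)) { $resolved = Join-Path $env:SystemRoot $resolved }

    $exists      = Test-Path -LiteralPath $resolved -PathType Leaf
    $inSystem32  = $resolved -like (Join-Path $env:SystemRoot 'System32\*')
    $signature   = if ($exists) { (Get-AuthenticodeSignature -FilePath $resolved).Status } else { 'file missing' }

    # String comparison in PowerShell is case-insensitive by default, which matches
    # how Windows treats paths; the baseline lookup is case-insensitive too.
    $expected        = $Baseline[$ServiceName]
    $matchesBaseline = if ($expected) { $imagePath.Trim() -eq $expected } else { 'no baseline' }

    [PSCustomObject]@{
        Service         = $ServiceName
        ImagePath       = $imagePath
        Executable      = $resolved
        Arguments       = $arguments
        FileExists      = $exists
        UnderSystem32   = $inSystem32
        Signature       = $signature
        MatchesBaseline = $matchesBaseline
    }
}

Get-ServiceImagePathReport -ServiceName 'msiserver' | Format-List
```

A report with FileExists true, UnderSystem32 true and Signature Valid, but MatchesBaseline false, usually means the baseline and the machine disagree on formatting (quoting, %systemroot% versus an expanded path) rather than a hijacked service; a false UnderSystem32 or an invalid signature on a core service binary is what deserves a closer look, along with the ComboFix finding earlier in the thread that userinit.exe had been replaced.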