Solved

Infected with Trojan:DOS/Alureon.E, etc

Posted on 2013-05-09
19
605 Views
Last Modified: 2013-11-22
Client complained of a slow computer...no other issues.
Updated his internet security with MSE & MBAM Pro (setup to work together).

Bam...MSE found Trojan:DOS/Alureon.E but couldn't get rid of it so I did some research and attacked!

Ran aswMBR, fixed MBR and found and deleted the hidden partition.

Pulled out the guns and ran every tool I could think of...tdsskiller was clean but I did not change any of the parameters.

Did not run ComboFix.  Will run only with your request.

Running a new full MSE scan now.

I am working on this computer remotely.

Thanks for your assistance!!
Mags
Rkill--1.txt
RKreport-1--S-05082013-02d1235.txt
RKreport-2--D-05082013-02d1237.txt
RKreport-3--H-05082013-02d1237.txt
RogueKiller-MBR-Error.jpg
aswMBR--2.txt
Hidden-Partition-Trojan-DOS-Alur.jpg
RKreport-1--S-05082013-02d1943.txt
mbam-log-2013-05-08--19-51-58-.txt
aswMBR--3.txt
Rkill--2.txt
HitmanPro-20130509-0645.log
a2scan-130509-070050.txt
AdwCleaner-S1-.txt
JRT.txt
Question by:MagsMcKinley14
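The question above reports an MBR fix and a hidden partition found by aswMBR but does not show what such a check looks like. The following PowerShell script is an added example and is not part of the thread or of any of the tools named in it: it reads sector 0 of the first physical disk, prints the four primary partition entries, and warns about any entry that Windows itself does not report for that disk. It assumes an elevated prompt, that PhysicalDrive0 is the boot disk, and an MBR-partitioned disk (a single type 0xEE entry means GPT, where this table is only a placeholder).

```powershell
# Added example, not from the thread: dump the MBR partition table of the first
# disk and flag entries the OS does not report. Run from an elevated PowerShell.
# Caveat: a kernel-mode rootkit that filters disk reads can hand back a clean
# sector here. An unexpected entry is a lead; a clean table is not proof.
$drive = '\\.\PhysicalDrive0'   # assumption: first physical disk is the boot disk
$fs  = New-Object System.IO.FileStream($drive, [System.IO.FileMode]::Open,
           [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
$mbr = New-Object byte[] 512
try { [void]$fs.Read($mbr, 0, 512) } finally { $fs.Close() }

if ($mbr[510] -ne 0x55 -or $mbr[511] -ne 0xAA) {
    throw "sector 0 has no 0x55AA boot signature"
}

# The partition table starts at offset 0x1BE: four 16-byte entries.
# Byte 0 = status (0x80 bootable), byte 4 = type, bytes 8-11 = first LBA,
# bytes 12-15 = sector count (both little-endian).
$entries = foreach ($i in 0..3) {
    $o = 0x1BE + 16 * $i
    New-Object PSObject -Property @{
        Index    = $i
        Bootable = ($mbr[$o] -eq 0x80)
        Type     = ('0x{0:X2}' -f $mbr[$o + 4])
        StartLBA = [BitConverter]::ToUInt32($mbr, $o + 8)
        Sectors  = [BitConverter]::ToUInt32($mbr, $o + 12)
    }
}
$used = $entries | Where-Object { $_.Type -ne '0x00' }   # 0x00 is an empty slot
$used | Select-Object Index, Bootable, Type, StartLBA, Sectors | Format-Table -AutoSize

# Cross-check against what the OS reports for the same disk. Extended
# containers (0x05, 0x0F) are skipped because Windows may report the logical
# partitions inside them rather than the container; 0xEE is the GPT placeholder.
$reported = Get-WmiObject Win32_DiskPartition -Filter "DiskIndex=0" |
    ForEach-Object { [uint64]($_.StartingOffset / 512) }
$skip = @('0x05', '0x0F', '0xEE')
foreach ($e in ($used | Where-Object { $skip -notcontains $_.Type })) {
    if ($reported -notcontains $e.StartLBA) {
        Write-Warning ("entry {0}: type {1}, LBA {2}, {3} sectors, not reported by Win32_DiskPartition" -f
            $e.Index, $e.Type, $e.StartLBA, $e.Sectors)
    }
}
```

A partition entry that sits past the last Windows-reported partition, with a type byte that no volume claims, is the pattern worth investigating; an empty slot (type 0x00) is normal.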
19 Comments
 
LVL 23

Assisted Solution

by:tailoreddigital
tailoreddigital earned 100 total points
ID: 39154129

Author Comment

by:MagsMcKinley14
ID: 39154254
Yes, that's the one I used ;-)  What about MBAM finding the Trojan, Vundo and the things Hitman found??  Does it seem that they took care of the issues?  Any other scan, such as ComboFix (which I don't know how to read), that you think needs to be run or rerun?
MSE scan still running.
Thanks,
Mags
LVL 23

Expert Comment

by:tailoreddigital
ID: 39154266
This thread,

http://guides.yoosecurity.com/permanently-remove-trojandosalureon-e-virus-from-win-7-vista-or-xp/

Gives me the impression that MSE removes it but it reoccurs.   It points out some manual removing done in the registry (on the lower part of the page)


Is MSE removing it?
LVL 29

Assisted Solution

by:Sudeep Sharma
Sudeep Sharma earned 400 total points
ID: 39155390
Please run TDSSKiller with "Detect TDLS file system" option selected and post the logs.

TDSSKiller TDLS option
Sudeep

Author Comment

by:MagsMcKinley14
ID: 39156308
tailoreddigital, MSE did not rid the computer of the trojan, but running aswMBR fixed the MBR, then I deleted the hidden partition...after running the above mentioned scans MSE no longer found the Trojan:DOS/Alureon.E...it appears to be gone.

Hey Sudeep...great minds think alike...that was the parameter I was going to check...ran the scan and it found no threats.

So what do we think?  Is the computer Trojan free at last?!?
LVL 29

Accepted Solution

by:
Sudeep Sharma earned 400 total points
ID: 39157728

Author Comment

by:MagsMcKinley14
ID: 39158381
Thanks Sudeep.  I will run ComboFix as soon as the computer is available then send you the log.
Thank you!
Mags

Author Comment

by:MagsMcKinley14
ID: 39162785
Here is the ComboFix Log...also the TDSSKiller log
Thanks a million!!
Mags
ComboFix-log.txt
TDSSKiller.2.8.16.0-13.05.2013-1.txt
LVL 29

Assisted Solution

by:Sudeep Sharma
Sudeep Sharma earned 400 total points
ID: 39164789
TDSSKiller looks good and Combofix has removed some files and restored an infected process file named "userinit.exe". Below are the Combofix logs

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Owner\AppData\Local\assembly\tmp
c:\users\Owner\Documents\~WRL3798.tmp
c:\users\Owner\g2ax_customer_downloadhelper_win32_x86.exe
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
c:\windows\system32\jucheck.exe
c:\windows\system32\jusched.exe
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\combofix\HarddiskVolumeShadowCopy9_!WINDOWS!System32!userinit.exe

Now please run an online scan from ESET and let us know if it found any infection.
ESET online scan
http://www.eset.com/us/online-scanner

Sudeep

Author Comment

by:MagsMcKinley14
ID: 39169314
Running now.  Thanks Sudeep.
Mags

Author Comment

by:MagsMcKinley14
ID: 39170302
No infection was found.  Anything else or am I ready for cleanup?
Thanks,
Mags
LVL 29

Assisted Solution

by:Sudeep Sharma
Sudeep Sharma earned 400 total points
ID: 39171446
Yes you are good to go.

Just make sure to uninstall the Combofix.

To uninstall it, in Run type Combofix /uninstall.

Also update Flash players and Adobe Acrobat Reader and Java on the system.

Sudeep

Author Comment

by:MagsMcKinley14
ID: 39171534
Will do!  That was part of my cleanup plan.  I found a great program called Secunia Online Software Inspector that helps me find programs that are not up-to-date since I can't read the logs like you can.

Sudeep thank you for your assistance.  I'll be doing the cleanup this morning and will send in a final post.
Mags

Author Comment

by:MagsMcKinley14
ID: 39172035
Why would he have a driver (\\10.32.164.242) (Z:) which appears to be a network driver, with a big red X through it...
(Z:)
When clicked on I get the message
Restoring Network Connections - An error occurred while reconnecting Z: to \\10.32.164.242\driver  Microsoft Windows Network: The network path was not found.  This connection has not been restored.

I have no idea what this would try and connect to...I will see what happens when I do clean up.  I tried to get info on it and I'm thinking it should be deleted.  It does not show up in Disk Management but it is mapped.
LVL 29

Expert Comment

by:Sudeep Sharma
ID: 39172058
Is the network device or system 10.32.164.24 accessible?

Make sure you can ping it fine and it has Windows file sharing on it.

Try to browse it by typing \\10.32.164.24 in Run.

Sudeep
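The three checks Sudeep lists (ping, file sharing, browse the UNC path) can be run against every persistent mapping at once. The PowerShell script below is an added example, not part of the thread: it reads the saved mappings from HKCU:\Network, where Windows keeps each persistent drive letter with its RemotePath and the UserName it was saved with, then tests ICMP, TCP 445 and finally the share itself. The Test-TcpPort helper and the three-second timeout are assumptions for this example.

```powershell
# Added example, not from the thread: enumerate the current user's persistent
# drive mappings and test whether each target answers.

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-PersistentMapping {
    # One subkey per drive letter; RemotePath holds \\server\share.
    Get-ChildItem -Path HKCU:\Network -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        New-Object PSObject -Property @{
            Drive      = $_.PSChildName.ToUpper() + ':'
            RemotePath = $p.RemotePath
            UserName   = $p.UserName
        }
    }
}

$results = foreach ($m in Get-PersistentMapping) {
    $server = ($m.RemotePath -split '\\')[2]        # \\server\share -> server
    $ping = Test-Connection -ComputerName $server -Count 1 -Quiet -ErrorAction SilentlyContinue
    $smb  = Test-TcpPort -ComputerName $server -Port 445
    # Only touch the share when the SMB port answers: Test-Path against a dead
    # host can block for a long time, the same wait Explorer shows when it
    # enumerates Computer with a stale mapping.
    $share = if ($smb) { Test-Path -Path $m.RemotePath -ErrorAction SilentlyContinue } else { $false }
    New-Object PSObject -Property @{
        Drive = $m.Drive; RemotePath = $m.RemotePath; SavedAs = $m.UserName
        Ping = [bool]$ping; Smb445 = $smb; ShareReachable = [bool]$share
    }
}
$results | Format-Table Drive, RemotePath, SavedAs, Ping, Smb445, ShareReachable -AutoSize
```

A mapping whose host neither pings nor answers on 445 can be dropped with `net use Z: /delete`; if it reappears at the next logon, something (a logon script, Group Policy, or a scheduled task) is recreating it, and that is the thing to find. Note that 10.0.0.0/8 is a private address range, so the target can only have been reachable from a network the machine was once on.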

Author Comment

by:MagsMcKinley14
ID: 39172595
No...error code 0x80070035, the network path was not found.  Diagnosed and got the message cannot communicate with 10.32.164.24; Network diagnostics pinged the remote host but did not receive a response.  Option...Reset the network adapter "Wireless Network Connection".  Resetting the adapter can sometimes resolve an intermittent problem.

I'm hesitant to do so since I am working remotely...could this be trojan related?

Author Comment

by:MagsMcKinley14
ID: 39172793
Weird thing...I could not rename files or print his screen.  Ran RKill, file attached, and now I can rename files but still cannot print his screen.  Rkill also has a different log saying -

Checking Windows Service Integrity: * msiserver => %systemroot%\system32\msiexec.exe /V [Incorrect ImagePath]

For cleanup I -
Uninstalled Combo Fix
Ran CCleaner
Ran Revo Junk removal
Turned off System restore to flush all restore points then turned system restore back on
Ran Windows Update...no important updates needed
Used Secunia Online Software Inspector to update Adobe Flash player and since he had the most recent Java I uninstalled the old Java updates

PS  When opening, let's say, "Computer" it takes a while to populate.
Rkill.txt

Author Comment

by:MagsMcKinley14
ID: 39181946
Sudeep...any suggestions on how to handle the unknown network drive?

Author Comment

by:MagsMcKinley14
ID: 39183290
Okay...I disconnected the mystery Z: drive and voila...no issues and when opening up "Computer" it populates quickly.

Still question the rkill log -

Checking Windows Service Integrity:

 * msiserver => %systemroot%\system32\msiexec.exe /V [Incorrect ImagePath]

What does this mean?

Thanks,
Mags
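Two items in this thread are registry-backed integrity questions: the userinit.exe that ComboFix found infected and restored from a shadow copy (its launch is controlled by the Winlogon Userinit value), and the msiserver ImagePath that RKill reported as "Incorrect ImagePath" without saying what it compared against. The PowerShell script below is an added example, not code from the thread, RKill or ComboFix: it states its own expected values (the Windows 7 defaults, assumed for this machine), compares the live registry values against them, and then hashes and verifies every executable those values point at with `sfc /verifyfile`, which checks a file against the Windows component store. It assumes an elevated prompt.

```powershell
# Added example, not from the thread: compare the Winlogon launch values and the
# msiserver ImagePath with known defaults, then verify the binaries they name.
# Expected values are the Windows 7 defaults (assumption); adjust for other builds.
$checks = @(
    @{ Name = 'Winlogon Userinit'
       Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Value = 'Userinit'
       Expected = 'C:\Windows\system32\userinit.exe,' },
    @{ Name = 'Winlogon Shell'
       Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Value = 'Shell'
       Expected = 'explorer.exe' },
    @{ Name = 'msiserver ImagePath'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\msiserver'
       Value = 'ImagePath'
       Expected = '%systemroot%\system32\msiexec.exe /V' }
)

function Get-Sha256 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs = [System.IO.File]::OpenRead($Path)
    try { ([BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

foreach ($c in $checks) {
    $actual = (Get-ItemProperty -Path $c.Key -Name $c.Value).($c.Value)
    # Expand %systemroot%-style variables on both sides; -eq is case-insensitive.
    $a = [Environment]::ExpandEnvironmentVariables([string]$actual).Trim()
    $e = [Environment]::ExpandEnvironmentVariables($c.Expected).Trim()
    $status = if ($a -eq $e) { 'OK' } else { 'MISMATCH' }
    "{0,-20} {1,-9} {2}" -f $c.Name, $status, $actual

    # Userinit is a comma-separated list; a second entry after the comma is a
    # classic place for an extra program to be started at logon. Every entry
    # should resolve to a real file that SFC accepts.
    $tokens = [string]$actual -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($t in $tokens) {
        $exe = if ($t -match '^"?(.+?\.exe)"?') {
            [Environment]::ExpandEnvironmentVariables($matches[1])
        } else { $t }
        if ($exe -notmatch '\\') {
            # Bare name (e.g. explorer.exe): resolve it the way the loader would, via PATH.
            $cmd = Get-Command $exe -ErrorAction SilentlyContinue
            if ($cmd) { $exe = $cmd.Definition }
        }
        if (Test-Path -Path $exe) {
            "    {0}  SHA256={1}" -f $exe, (Get-Sha256 $exe)
            & sfc.exe "/verifyfile=$exe"
        } else {
            "    {0}  MISSING" -f $exe
        }
    }
}
```

The hash is there so the file can be looked up or compared with the same file on a known-clean machine of the same build; the SFC result answers whether the copy ComboFix restored matches what Windows expects. A MISMATCH on the first line of a check only means the value differs from the default written above, so read the printed value before acting on it.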