geo

Trojan.Alureon!E2


My laptop is infected by a series of viruses or trojans (the operating system is Win7 64-bit).

The first attempt was carried out by running ESET Smart Security NOD32. The scan log shows the Win32/Olmarik.TDL4 trojan, but it was unable to clean it.


The next solution was the Emsisoft package. After running your Emsisoft Internet Security, the result shows 10 trojans; it quarantined 9 of them, which are low risk, and the high-risk trojan named Trojan.Alureon!E2 could not be cleaned or quarantined.

(Scan with malware.txt)


I followed the instructions to create a report.

After running the EEK, the result log doesn't show the high-risk trojan that was mentioned above.



Let's start out with TDSSKiller. Here's a link to instructions on how to run it. Go ahead and delete anything it finds, and if it gives you an option to save a report then go ahead and save that on your desktop and attach it to a reply by using the More Reply Options button to the lower-left of where you type in your reply.


Hi

I ran TDSSKiller in two separate modes (checkmark option):


In the first scan, it found this threat (cure):


And in the second scan, it found (delete):


Also during the scanning, NOD32 showed me an alert like this:



OK, it looks like NOD32 detected the files as TDSSKiller was quarantining them. So long as NOD32 didn't interfere with TDSSKiller removing the infection, then everything should be fine, otherwise you may need to turn off NOD32 and run TDSSKiller again.

If TDSSKiller is no longer showing any detected items, or if it cannot remove what it finds, then we can move on to ComboFix. Please download ComboFix from one of the following links, and follow the instructions below to run it. Save it as Combo-Fix.exe during the download: ComboFix must be renamed before you download it to your Desktop.

Link 1

Link 2

* IMPORTANT !!! Save Combo-Fix to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    See HERE for help
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:

1. Do not mouse-click ComboFix's window while it's running. That may cause it to stall!

2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

  • ComboFix (C:\combofix.txt)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


I forgot to send you the report of the GMER program in the last post (see the attachment please).

************

After turning off the other antivirus and anti-malware, I ran TDSSKiller again, but no infected file was reported.



That ComboFix log looks good, however that GMER log shows what are most likely leftovers from the TDL4 rootkit.

Do you know how to export information from the Windows registry? I want to take a look at the contents of those registry keys that were listed in the GMER log before we just blindly delete them.


Dear Mr Wilkinson

I think the problem may be solved, because the performance of my system seems to be OK.

And running NOD32 and Emsisoft again shows no threats (even the high-risk Trojan.Alureon!E2).

Let me test my system and report the final result.

Thanks.


Unfortunately, it does not work properly. After a few minutes some of the programs like Windows Media Player, Mozilla, IE and so on stop working and show the message "Not responding", then I have to shut down manually.

I do not know how to get information from the registry.

Do you agree with me about changing the OS now? (restore the first backup)


You can reinstall Windows if you wish, however I do not believe that it will be required.


If you wish to continue trying to fix this without reinstalling, then please download Farbar Service Scanner and run it on the computer with the issue.

  1. Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  2. Press "Scan".
  3. It will create a log (FSS.txt) in the same directory the tool is run from.
  4. Please copy and paste the log to your reply.


I've asked someone else to look at that log to verify whether or not some of the system files it listed have been modified. Let's go ahead and get a registry export while we wait for that.

For 32-bit Windows, please download MiniRegTool.zip and unzip it.

For 64-bit Windows, please download MiniRegTool64.zip and unzip it.

  1. Run the MiniRegTool download.
  2. Copy and paste the following into the rectangular white box in MiniRegTool:
    HKLM\SYSTEM\ControlSet001\services\BTHPORT
    HKLM\SYSTEM\CurrentControlSet\services\BTHPORT
    HKLM\SYSTEM\ControlSet003\services\BTHPORT


  3. Check Export keys radio button.
  4. Press Go button, save the results as a Text Document on your desktop, and attach them to a reply.
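As an added example (not the forum's own instructions and not a MiniRegTool feature), the same three keys can be inspected and exported from an elevated PowerShell prompt. Beyond the raw export it prints the values that matter for a driver service, so the reviewer sees at a glance whether the key exists at all, what binary it loads and how it starts. The output folder name and the expectation that a genuine BTHPORT entry loads bthport.sys are assumptions of this example.

```powershell
# Added example, not part of the original thread: inspect and export the BTHPORT
# service keys flagged in the GMER log from each control set, before deleting anything.
# Assumes an elevated PowerShell on the affected host; the output folder name is chosen here.

$keys = @(
    'HKLM\SYSTEM\ControlSet001\services\BTHPORT',
    'HKLM\SYSTEM\CurrentControlSet\services\BTHPORT',
    'HKLM\SYSTEM\ControlSet003\services\BTHPORT'
)
$outDir = Join-Path ([Environment]::GetFolderPath('Desktop')) 'BTHPORT-export'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

foreach ($key in $keys) {
    # reg.exe wants HKLM\..., the PowerShell registry provider wants HKLM:\...
    $psPath = $key -replace '^HKLM\\', 'HKLM:\'
    Write-Host "== $key"

    if (-not (Test-Path -Path $psPath)) {
        # A missing key is a finding in itself: the GMER entry was a leftover with nothing behind it.
        Write-Host '   key does not exist'
        continue
    }

    # For a driver service the interesting values are the binary it loads and how it starts.
    $props = Get-ItemProperty -Path $psPath
    foreach ($name in 'ImagePath', 'Start', 'Type', 'Group', 'DisplayName') {
        if ($null -ne $props.$name) { Write-Host ('   {0,-12} {1}' -f $name, $props.$name) }
    }
    # The genuine Bluetooth port driver loads bthport.sys (assumption of this example);
    # any other image path deserves a closer look before the key is touched.
    if ($props.ImagePath -and $props.ImagePath -notmatch 'bthport\.sys$') {
        Write-Host '   WARNING: ImagePath does not point at bthport.sys'
    }
    # Subkeys carry per-driver configuration; list them so nothing below is missed.
    Get-ChildItem -Path $psPath | ForEach-Object { Write-Host "   subkey: $($_.PSChildName)" }

    # Full tree as a .reg file, which is what can be attached to a reply for review.
    $file = Join-Path $outDir (($key -replace '[\\:]', '_') + '.reg')
    & reg.exe export $key $file /y | Out-Null
    Write-Host "   exported to $file"
}
```

Exporting all three control sets side by side is the point: CurrentControlSet is only a link to one of the numbered sets, so a key that exists in ControlSet003 but not in the current one is exactly the kind of stale entry a rootkit scanner reports after the active infection is gone.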


Thank you.


According to that log, the entries that GMER found do not exist. You may need to run a virus scan with a boot CD in order to determine if there's still an infection.

Let's try the Dr.Web LiveCD first, and see if it finds anything. Here's a link to the webpage where you can download the ISO image. Let me know if you need any help burning it to a CD.


ok.

I am downloading the software and will try it.

I know how to write it to a bootable CD.


The scan started 10 hours ago and is locked at 61%.

I cannot get any result from Dr.Web, so I took some pictures.


Would you please tell me what the final solution is?

Should we test and test and test the most famous antivirus?

:blush:

I think we should put the laptop in the garbage!


That log isn't showing anything major. Just a few trojans on another partition (sda6 should be the 6th partition on your primary hard drive, although Windows partitions hard drives in an odd way, so you may not actually have 6 partitions). Everything else in the log is either errors or detections of the files backed up in TDSSKiller's quarantine.

I do recommend that you delete the following files, assuming that the Avira AntiVir Rescue System hasn't already done so, as they may be infected with something (due to the way Linux maps hard drives, I can't be certain what drive you will find these files on in Windows):

/reset/seminar jafar.exe.exe/comprise interface.DT3.exe/h.exe/itl.exe <<< Is the Trojan horse TR/Crypt.CFI.Gen [renamed]
/reset/seminar jafar.exe.exe/comprise interface.DT3.exe/seminar jafar.exe.exe <<< Is the Trojan horse TR/Crypt.CFI.Gen [renamed]
/reset/seminar jafar.exe.exe/comprise interface.DT3.exe/Temp.exe <<< Is the Trojan horse TR/Crypt.CFI.Gen [renamed]
/reset/seminar jafar.exe.exe/D=0.5d Test problem.exe <<< Is the Trojan horse TR/Crypt.CFI.Gen [renamed]
/D/1/1/1/star them hossein/Blazing Colors/Setup.exe <<< Is the Trojan horse TR/Dropper.Gen [renamed]
/D/1/1/1/star them hossein/Color Cubes/Setup.exe <<< Is the Trojan horse TR/Dropper.Gen [renamed]
/D/1/1/1/star them hossein/Pulsing Colors/Setup.exe <<< Is the Trojan horse TR/Dropper.Gen [renamed]
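An added example (not the forum's own instructions) for the drive-letter problem the post describes: the rescue CD reported paths relative to the root of the partition it mounted, and Windows may give that partition any letter, so the script probes every local fixed drive for each listed path. It records size and SHA-256 of each file it finds before anything is deleted, which is what later makes a sample useful to researchers. It assumes the rescue-CD paths are relative to the partition root (so "/D/1/..." becomes "<drive>:\D\1\...") and the CSV file name is chosen here; hashing goes through .NET so it also runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example, not part of the original thread: find the files the rescue-CD log listed
# on whatever Windows drive letter that Linux partition maps to, and record size and
# SHA-256 of each before it is deleted, so a sample can still be submitted to researchers.
# Assumes the rescue-CD paths are relative to the mounted partition's root, so that
# "/D/1/..." becomes "<drive>:\D\1\...". Output CSV name is chosen here.

$reported = @(
    '/reset/seminar jafar.exe.exe/comprise interface.DT3.exe/h.exe/itl.exe',
    '/reset/seminar jafar.exe.exe/comprise interface.DT3.exe/seminar jafar.exe.exe',
    '/reset/seminar jafar.exe.exe/comprise interface.DT3.exe/Temp.exe',
    '/reset/seminar jafar.exe.exe/D=0.5d Test problem.exe',
    '/D/1/1/1/star them hossein/Blazing Colors/Setup.exe',
    '/D/1/1/1/star them hossein/Color Cubes/Setup.exe',
    '/D/1/1/1/star them hossein/Pulsing Colors/Setup.exe'
)

# .NET hashing instead of Get-FileHash, which only exists from PowerShell 4.0 on.
function Get-Sha256Hex([string]$path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($path)
    try { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

# DriveType 3 = local fixed disk; these are the partitions the rescue CD saw as /dev/sdaN.
$drives = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 3' | ForEach-Object { $_.DeviceID }

$found = foreach ($linuxPath in $reported) {
    $relative = $linuxPath.TrimStart('/') -replace '/', '\'
    foreach ($drive in $drives) {
        $candidate = Join-Path ($drive + '\') $relative
        # -LiteralPath: these names contain spaces, dots and '=', none of which should be globbed.
        if (Test-Path -LiteralPath $candidate -PathType Leaf) {
            $item = Get-Item -LiteralPath $candidate
            New-Object PSObject -Property @{
                Path   = $candidate
                Bytes  = $item.Length
                SHA256 = Get-Sha256Hex $candidate
            }
        }
    }
}

if ($found) {
    $found | Format-Table Path, Bytes, SHA256 -AutoSize
    # Keep the record outside the folders being cleaned so the hashes survive the deletion.
    $csv = Join-Path ([Environment]::GetFolderPath('Desktop')) 'rescue-cd-files.csv'
    $found | Export-Csv -NoTypeInformation -Path $csv
} else {
    Write-Host 'None of the listed files were found on a local fixed drive (already removed, or the partition is not mounted).'
}
```

The script only reports; deleting or quarantining the files stays a separate, deliberate step, and the recorded hashes are what let a researcher match the sample later even after the file is gone.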


ok.

Thanks again Mr Wilkinson.

It seems that there is no clear solution for this type of threat.

I deleted these files manually. I also searched for the phrase exe.exe in the search box and let the system find them; during the search, NOD32 showed a notification about the Win32/VB.OCR worm.



Have you run a full scan of all of your hard drives with your ESET Smart Security?


Yes, I did it.

But it cannot find them until I open these folders manually.


Please download GMER from this link. Note that the file will have a random name, so make note of the file's name and save it to the root of your C: drive.

  1. Disconnect from the Internet and close all running programs.
  2. Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  3. Click on this link to see a list of programs that should be disabled while running GMER (please try to avoid the advertisements on that page).
  4. Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  5. Allow the driver to load if asked.
  6. You may be prompted to scan immediately if it detects rootkit activity.
  7. If you are prompted to scan your system click "No", save the log and post back the results.
  8. If not prompted, click the "Rootkit/Malware" tab.
  9. On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  10. Select all drives that are connected to your system to be scanned.
  11. Click the Scan button to begin. (Please be patient as it can take some time to complete)
  12. When the scan is finished, click Save to save the scan results to your Desktop.
  13. Save the file as Results.log and please attach it to a reply by using the More Reply Options button to the lower-right of where you type in your reply (you may need to ZIP the log by right-clicking on it, going to Send to, and clicking on Compressed (zipped) folder before you can attach it).
  14. Exit the program and re-enable all active protection when done.


I'm sorry, you did give me a GMER log earlier. Let's try a scan with Malwarebytes' Anti-Malware. Please run a scan with Malwarebytes' Anti-Malware by following the instructions below:

  1. Please download and install Malwarebytes' Anti-Malware from one of the three mirrors listed below (beware of excessive advertising on some of the download pages):
  2. When first running Malwarebytes' Anti-Malware, it will ask you if you want to operate it in a free trial mode. You can say no to this (the trial can be unlocked again at a later time if you want to try it).
  3. Make sure to go to the Update tab and click the Check for Updates button to get the latest database.
  4. Switch back to the Scanner tab and run a Quick Scan.
  5. When it is done, remove anything it finds.
  6. Whether or not it finds anything, you should be presented with a log in Notepad, which you should save to your desktop.
  7. Attach the log you saved on your desktop to a reply for me to take a look at. You can attach files to a reply by clicking the More Reply Options to the lower-right of where you type in your reply. When the page loads, there will be a button right below the box to type in (on the left side) that says Choose Files... which will allow you to select the log file to attach it.


OK, that is a good sign. You can run a Full Scan with Malwarebytes' Anti-Malware on your other hard drives if you wish, in order to check and see if it detects anything. You may also want to run a Deep Scan with Emsisoft Anti-Malware as well (making sure to check those extra drives).

Other than possibly a few infected files on your other hard drives, I don't think your system is still infected, so here's some final instructions for you:

1. Make Sure Java is Updated:

  1. Click on the Start button.
  2. Click on Control Panel.
  3. Click Uninstall a program.
  4. Look for Java in the list (should be alphabetical), and uninstall all versions of Java that you find listed.
  5. Click on this link and download and install the latest Java (the Windows Online download will be faster).

2. Make Sure Adobe Flash is Updated:

  1. Click on this link and download the latest version of Adobe Flash Player for your web browser.
  2. You will need to close your web browser when installing Flash.

3. Make Sure Your Computer Has The Latest Windows Updates:

  1. Click on the Start button.
  2. Go to All Programs.
  3. Click on Windows Update.
  4. Click Check for updates in the menu on the left (should be near the top).
  5. Once it is done checking for updates, click the Install updates button on the right.
  6. If your computer wants to restart after the updates are done, make sure that you allow it to.

4. Web Of Trust Extension:

While this is not a requirement, I highly recommend that you click this link and check out the Web Of Trust extension for your web browser. It will add an extra layer of protection to your web browsing for free, and it is especially helpful when doing searches on Google, Yahoo!, Bing, etc. as it will point out what sites are considered trustworthy and what sites are not by drawing a colored circle to the right of each search result. Green means trusted, red means not trusted, yellow is in between, and white means it is not in Web Of Trust's database.

5. Empty The System Restore:

  1. Click on the Start button.
  2. Right-click on Computer.
  3. Select Properties from the list.
  4. In the window that pops up, click on the System protection link in the menu on the left.
  5. The buttons may not be clickable for a few moments, but once you can click on them, select the drive in the list near the bottom that shows protection is on (this will usually be your C: drive) and click the Configure... button.
  6. Click the button near the bottom-right that says Delete to clear all System Restore data.
  7. Once finished, click OK to close that window.
  8. Now you will want to make sure that the correct drive is selected again (usually your C: drive) and click on the Create button to create a new restore point.
  9. Fill in a name for the restore point, and click the Create button.
  10. Once it is done, you can close the windows that were opened to get to the System Restore settings.


Thanks a lot Mr. Wilkinson.

Today I saw your last comment.

I think the problem is solved.

But I don't know which one is the best and helped us to do the cure.

(I want to know if the procedure of following the threat step by step in this topic is useful for your anti-malware database?)


Most of those logs aren't useful without samples, and our researchers would prefer a copy of whatever file originally caused the infection so that they can learn the most about this.

This topic is now closed to further replies.