TROJAN:DOS/Alureon.E Partially Removed

#1 workinghard (Member, 39 posts)

Hi...hope you great folks can help.

OPERATING SYSTEM: WinXP Pro 32-bit
BRAND: Dell GX520, Pentium 3
HARD DRIVE: 75 GB, 1 terabyte external drive
RAM: 2.49 GB

I visited some websites and some popups asking me to leave or stay came up. After that I started to have a lot of funny things happening, like webpage redirects and music playing randomly through the speakers. The external drive would not let me turn it off ('remove safely') and I kept getting the message 'drive cannot be removed, application is accessing'.

I immediately reformatted and reinstalled the backed-up hard drive with Acronis. But the external still had the problem being safely removed with 'application is accessing', so I knew something was still wrong. The external can now be turned off safely, but I leave it turned off mostly now.

I ran all the scanners I could think of with the latest updates: Malwarebytes, SuperAntiSpyware, TDSSKiller. They seemed to get rid of some junk, but Microsoft Safety Scanner keeps saying it only removed Alureon partially.

I ran Microsoft Safety Scanner in Safe Mode and it produced this result:

'Trojan:DOS/Alureon.E (?) Partially Removed
Encyclopedia entry
Published: Oct 27, 2011
Aliases
Not available
Alert Level (?)
Severe
Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected. Detection initially created:
Definition: 1.115.712.0
Released: Oct 27, 2011'

I have also installed Microsoft Security Essentials, which has identified but is unable to totally remove the Trojan. Here is the report:

Trojan:DOS/Alureon.E
BOOT://PhysicalDrive0/partition0 (type 17)

Supposedly it quarantined it, but it is not in the quarantine directory. When I tried to remove it, it gave an error code:

'1 or more actions could not be performed, error code 0x80501001'

Every time I boot up the computer Security Essentials says it detects it and suspends it and asks me to remove it, but when I try to remove it the same thing happens: it performs the action, but when I reboot it's there again with the same warning message.

I also scanned with Trend Micro's Rootkit Buster and here is the log:

+----------------------------------------------------
| Trend Micro RootkitBuster
| Module version: 5.0.0.1041
| Computer Name: NONE
| User Name: winuser
+----------------------------------------------------


--== Dump Hidden MBR, Hidden Files and Alternate Data Streams on C:\ ==--
MBR unsupported disk type
No hidden files found.

--== Dump Hidden Registry Value on HKLM ==--
[HIDDEN_REGISTRY][Hidden Reg Value]:
KeyPath : (null)
Root : 134ed58
SubKey : (null)
ValueName : (null)
Data : (null)
ValueType : 2d
AccessType: 2f
FullLength: 0x45dbff0
DataSize : 0x134dc50
[HIDDEN_REGISTRY][Hidden Reg Value]:
KeyPath : (null)
Root : 134efd8
SubKey : (null)
ValueName : (null)
Data : (null)
ValueType : 2d
AccessType: 2f
FullLength: 0x45dbff0
DataSize : 0x134f300
[HIDDEN_REGISTRY][Hidden Reg Value]:
KeyPath : (null)
Root : 134f230
SubKey : (null)
ValueName : (null)
Data : (null)
ValueType : 2d
AccessType: 2f
FullLength: 0x45dbff0
DataSize : 0x134ee78
[HIDDEN_REGISTRY][Hidden Reg Value]:
KeyPath : (null)
Root : 134ed58
SubKey : (null)
ValueName : (null)
Data : (null)
ValueType : 2d
AccessType: 2f
FullLength: 0x45dbff0
DataSize : 0x134f090
[HIDDEN_REGISTRY][Hidden Reg Value]:
KeyPath : (null)
Root : 134f000
SubKey : (null)
ValueName : (null)
Data : (null)
ValueType : 2d
AccessType: 2f
FullLength: 0x45dbff0
DataSize : 0x134f298
[HIDDEN_REGISTRY][Hidden Reg Value]:
KeyPath : (null)
Root : 134f208
SubKey : (null)
ValueName : (null)
Data : (null)
ValueType : 2d
AccessType: 2f
FullLength: 0x45dbff0
DataSize : 0x134ede8
[HIDDEN_REGISTRY][Hidden Reg Value]:
KeyPath : (null)
Root : 134b230
SubKey : (null)
ValueName : (null)
Data : (null)
ValueType : 47
AccessType: 47
FullLength: 0x45db128
DataSize : 0x45db10c
[HIDDEN_REGISTRY][Hidden Reg Value]:
KeyPath : (null)
Root : 134b198
SubKey : (null)
ValueName : (null)
Data : (null)
ValueType : 47
AccessType: 47
FullLength: 0x45db128
DataSize : 0x45db10c
[HIDDEN_REGISTRY][Hidden Reg Value]:
KeyPath : (null)
Root : 134f378
SubKey : (null)
ValueName : (null)
Data : (null)
ValueType : 47
AccessType: 47
FullLength: 0x45db128
DataSize : 0x45db10c
[HIDDEN_REGISTRY][Hidden Reg Value]:
KeyPath : (null)
Root : 134b230
SubKey : (null)
ValueName : (null)
Data : (null)
ValueType : 47
AccessType: 47
FullLength: 0x45db128
DataSize : 0x45db10c
[HIDDEN_REGISTRY][Hidden Reg Value]:
KeyPath : (null)
Root : 134b198
SubKey : (null)
ValueName : (null)
Data : (null)
ValueType : 47
AccessType: 47
FullLength: 0x45db128
DataSize : 0x45db10c
[HIDDEN_REGISTRY][Hidden Reg Value]:
KeyPath : (null)
Root : 134f378
SubKey : (null)
ValueName : (null)
Data : (null)
ValueType : 47
AccessType: 47
FullLength: 0x45db128
DataSize : 0x45db10c
[HIDDEN_REGISTRY][Hidden Reg Value]:
KeyPath : (null)
Root : 134b230
SubKey : (null)
ValueName : (null)
Data : (null)
ValueType : 47
AccessType: 47
FullLength: 0x45db128
DataSize : 0x45db10c
13 hidden registry entries found.


--== Dump Hidden Process ==--
No hidden processes found.

--== Dump Hidden Driver ==--
No hidden drivers found.

--== Service Win32 API Hook List ==--
[HOOKED_SERVICE_API]:
Service API : Z
Image Path :
OriginalHandler : 0x806240f0
CurrentHandler : 0xba706b26
ServiceNumber : 0x29
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path :
OriginalHandler : 0x805d1018
CurrentHandler : 0xba706b1c
ServiceNumber : 0x35
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path :
OriginalHandler : 0x8062458c
CurrentHandler : 0xba706b2b
ServiceNumber : 0x3f
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path :
OriginalHandler : 0x8062475c
CurrentHandler : 0xba706b35
ServiceNumber : 0x41
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path :
OriginalHandler : 0x80626314
CurrentHandler : 0xba706b3a
ServiceNumber : 0x62
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path :
OriginalHandler : 0x805cb440
CurrentHandler : 0xba706b08
ServiceNumber : 0x7a
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path :
OriginalHandler : 0x805cb6cc
CurrentHandler : 0xba706b0d
ServiceNumber : 0x80
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path :
OriginalHandler : 0x806261c4
CurrentHandler : 0xba706b44
ServiceNumber : 0xc1
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path :
OriginalHandler : 0x80625ad0
CurrentHandler : 0xba706b3f
ServiceNumber : 0xcc
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path :
OriginalHandler : 0x80622662
CurrentHandler : 0xba706b30
ServiceNumber : 0xf7
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path :
OriginalHandler : 0x805d29e2
CurrentHandler : 0xba706b17
ServiceNumber : 0x101
ModuleName :
SDTType : 0x0
No hidden operating system service hooks found.

--== Dump Hidden Port ==--
No hidden ports found.

--== Dump Kernel Code Patching ==--
No kernel code patching detected.

--== Dump Hidden Services ==--
No hidden services found.

EVERYTHING marked HOOKED could not be fixed, and every time I run the program there are always registry entries marked as threats along with the HOOKED threat.

UPDATE: I have resolved the problem by formatting my hard drive and the Master Boot Record and restoring with Acronis True Image.

I would suggest everyone get a backup program like Acronis and an external hard drive to back up their entire hard drive. It's well worth it. Someone told me that techs who take care of employee computers these days don't even bother to 'fix' problems: since the computers are backed up regularly, it's quicker and a lot more cost-effective to reformat and restore the entire contents of the computer from the most recent backup using programs like Acronis, which just takes a few minutes.

Mind you Acronis doesn't just back up data it will back up your entire computer, including programs and settings so that when you restore it's like nothing happened.

For more info on such programs:

http://pcsupport.abo...up_software.htm

This will solve A LOT of problems...it costs relatively little and will save the good support staff on here a lot of headaches and work. I used to come here often and get help, and their advice about using firewalls, anti-virus, anti-malware, updating your operating system, etc. is all good, but over time the number of people needing help has overwhelmed them, and sometimes I, and I'm sure many others, never get a response to a problem submitted on here.

I can't blame them; the staff on here do a fine job helping people, but the sheer numbers are obviously too much for them to handle in a timely fashion, if at all.

If you really need your computer and value its information and its use as a work and/or entertainment tool, get a good external drive to back up with a good backup program. It will save you lots of heartache. The number, complexity, and danger of malware, viruses, and trojans is always increasing, it seems. If you've had problems before you will probably have problems in the future...the best solution is to be able to take control of what happens AFTER you get a problem, and that is using a good backup program. Don't depend on anyone else to take care of your computer...it's YOUR responsibility.

BTW, as of this date, November 12, 2011, I've discovered that Microsoft Security Essentials Scanner is VERY good, as it was the only one that detected my rootkit. It's free and has a great definition database that is continually improving. I've recently replaced my Avira scanner with MS Security Essentials. It's to be found here for free:

http://windows.micro...rity-essentials

Also, the new and free malware scanner by Emsisoft is really great:

http://www.emsisoft....re/antimalware/

Edited by workinghard, 12 November 2011 - 01:53 PM.
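The detection in the post points at the boot sector (BOOT://PhysicalDrive0/partition0), and the fix that finally worked was rewriting the MBR rather than restoring the partitions alone. The following is an added example, not code from the poster or from any of the tools named in the thread: it parses a 512-byte MBR, decodes the partition table, compares the 440 bytes of bootstrap code against a known-good SHA-256 baseline, and shows what replacing only the bootstrap code does and does not clean up. The two MBR images, the disk size (DISK_SECTORS), the baseline hash and the hidden partition entry are constructed here for the demonstration; the only real-world inputs are the MBR layout itself (bootstrap code at 0..440, partition table at 446, 0x55AA at 510) and the standard hidden FAT/NTFS partition type IDs.

```python
"""Inspect an MBR for bootstrap tampering and suspicious partition entries.

Added example for this thread. Sample MBR images below are constructed
(not taken from the poster's disk); the layout constants are the real
on-disk MBR format.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_LEN = 440          # x86 bootstrap code; 440..446 = disk signature + 2 reserved bytes
PT_OFFSET = 446              # four 16-byte partition entries
SIGNATURE = b"\x55\xaa"      # boot signature at offset 510
# Standard "hidden" FAT/NTFS partition type IDs that rarely belong on a single-OS desktop.
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}


def parse_partition_table(mbr):
    """Return the non-empty entries of the MBR partition table as dicts."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % MBR_SIZE)
    entries = []
    for i in range(4):
        off = PT_OFFSET + 16 * i
        boot, _chs_start, ptype, _chs_end, lba, count = struct.unpack(
            "<B3sB3sII", mbr[off:off + 16])
        if ptype == 0:           # empty slot
            continue
        entries.append({"index": i, "bootable": boot == 0x80, "type": ptype,
                        "start_lba": lba, "sectors": count})
    return entries


def bootstrap_sha256(mbr):
    """Hash only the bootstrap code, so a legitimate partition edit does not change it."""
    return hashlib.sha256(mbr[:BOOTSTRAP_LEN]).hexdigest()


def check_mbr(mbr, baseline_sha256, disk_sectors):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    if mbr[510:512] != SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if bootstrap_sha256(mbr) != baseline_sha256:
        findings.append("bootstrap code differs from known-good baseline")
    parts = parse_partition_table(mbr)
    if sum(1 for p in parts if p["bootable"]) != 1:
        findings.append("expected exactly one active partition")
    for p in parts:
        if p["type"] in HIDDEN_TYPES:
            findings.append("entry %d: hidden partition type 0x%02x" % (p["index"], p["type"]))
        if p["start_lba"] + p["sectors"] > disk_sectors:
            findings.append("entry %d: partition extends past end of disk" % p["index"])
    return findings


def rewrite_bootstrap(mbr, clean_bootstrap):
    """Replace the bootstrap code only; disk signature, partition table and 0x55AA are kept.

    This is what a 'rewrite the MBR' style repair does; it does NOT touch partition entries.
    """
    if len(clean_bootstrap) != BOOTSTRAP_LEN:
        raise ValueError("clean bootstrap must be %d bytes" % BOOTSTRAP_LEN)
    return clean_bootstrap + mbr[BOOTSTRAP_LEN:]


def partition_entry(bootable, ptype, start_lba, sectors):
    """Build one 16-byte partition entry (CHS fields set to the 0xFFFFFF 'use LBA' marker)."""
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\xff\xff\xff",
                       ptype, b"\xff\xff\xff", start_lba, sectors)


# ---- constructed sample data (assumptions for the demonstration) ----
DISK_SECTORS = 156_301_488   # assumed ~75 GB disk at 512-byte sectors
CLEAN_BOOTSTRAP = (b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 8).ljust(BOOTSTRAP_LEN, b"\x00")
CLEAN_MBR = (CLEAN_BOOTSTRAP
             + b"\x12\x34\x56\x78" + b"\x00\x00"                       # disk signature + reserved
             + partition_entry(True, 0x07, 63, DISK_SECTORS - 63 - 2048)  # one NTFS system partition
             + b"\x00" * 48                                             # three empty slots
             + SIGNATURE)
CLEAN_BASELINE = bootstrap_sha256(CLEAN_MBR)   # in practice: hash taken from a known-clean image

# Constructed "infected" image: patched bootstrap plus a hidden entry in slot 3 that
# points past the end of the disk.
INFECTED_MBR = (b"\xeb\x58\x90" + CLEAN_BOOTSTRAP[3:]
                + CLEAN_MBR[BOOTSTRAP_LEN:PT_OFFSET]
                + CLEAN_MBR[PT_OFFSET:PT_OFFSET + 16]
                + b"\x00" * 32
                + partition_entry(False, 0x11, DISK_SECTORS - 100, 2048)
                + SIGNATURE)

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR),
                        ("infected, bootstrap rewritten", rewrite_bootstrap(INFECTED_MBR, CLEAN_BOOTSTRAP))):
        print(name, "->", check_mbr(image, CLEAN_BASELINE, DISK_SECTORS) or "no findings")
```

On a live system the 512 bytes would come from reading the first sector of the physical disk (for example opening `\\.\PhysicalDrive0` on Windows with administrative rights), ideally from a clean boot medium rather than the possibly-hooked running OS, since an active bootkit can filter reads of sector 0. The last run in the block is the point of the example: rewriting the bootstrap clears the hash mismatch, but the hidden out-of-range partition entry is still there, which is why a full wipe plus image restore, as the poster did, is the safer remediation.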
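The RootkitBuster log in the post lists eleven hooked system services whose OriginalHandler values all sit in the 0x805c0000..0x80630000 range (the kernel image) while every CurrentHandler lands inside a single 60-byte span at 0xba706bxx with an empty ModuleName. Clustering like that is what a triager looks for when deciding whether a hook list is an AV product or something hiding. The following is an added example, not part of the post or of Trend Micro's tool: it parses records in the log's own format, groups hook targets by 4 KiB page, and flags pages that collect several hooks, carry no module name, and lie outside the address range spanned by the original handlers. The four hook records are excerpted from the log above; the fifth record (example_av.sys at 0xf7a1c120) is constructed to show a named, single hook being left alone, and the "outside the original-handler range" rule is a heuristic assumed here, not a property of the tool.

```python
"""Triage [HOOKED_SERVICE_API] records from a RootkitBuster-style log.

Added example for this thread. Records 1-4 are excerpted from the posted log;
record 5 is constructed to represent a benign, named hook.
"""
import re
from collections import defaultdict

PAGE = 0x1000
RECORD_RE = re.compile(r"\[HOOKED_SERVICE_API\]:(.*?)(?=\[HOOKED_SERVICE_API\]:|\Z)", re.S)
FIELD_RE = re.compile(r"^[ \t]*([A-Za-z ]+?)[ \t]*:[ \t]*(.*?)[ \t]*$", re.M)


def parse_hooks(text):
    """Turn each [HOOKED_SERVICE_API] record into a dict of parsed fields."""
    hooks = []
    for m in RECORD_RE.finditer(text):
        fields = dict(FIELD_RE.findall(m.group(1)))
        hooks.append({
            "service": int(fields["ServiceNumber"], 16),
            "original": int(fields["OriginalHandler"], 16),
            "current": int(fields["CurrentHandler"], 16),
            "module": fields.get("ModuleName", ""),
        })
    return hooks


def triage(hooks, min_cluster=3):
    """Flag pages holding >= min_cluster unnamed hooks outside the original-handler range.

    Heuristic (assumed here): the original handlers live in the kernel image, so a
    cluster of redirected handlers far from that range with no owning module is
    the pattern to escalate.
    """
    if not hooks:
        return []
    kernel_lo = min(h["original"] for h in hooks)
    kernel_hi = max(h["original"] for h in hooks)
    by_page = defaultdict(list)
    for h in hooks:
        by_page[h["current"] & ~(PAGE - 1)].append(h)

    findings = []
    for page, hs in sorted(by_page.items()):
        unnamed = all(not h["module"] for h in hs)
        outside = not (kernel_lo <= page <= kernel_hi)
        if len(hs) >= min_cluster and unnamed and outside:
            targets = [h["current"] for h in hs]
            findings.append({
                "page": page,
                "count": len(hs),
                "services": sorted(h["service"] for h in hs),
                "span": max(targets) - min(targets),   # tight span => one trampoline block
            })
    return findings


# Records 1-4: excerpt of the log posted above. Record 5: constructed benign hook.
SAMPLE_LOG = r"""
[HOOKED_SERVICE_API]:
Service API : Z
Image Path :
OriginalHandler : 0x806240f0
CurrentHandler : 0xba706b26
ServiceNumber : 0x29
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path :
OriginalHandler : 0x805d1018
CurrentHandler : 0xba706b1c
ServiceNumber : 0x35
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path :
OriginalHandler : 0x8062458c
CurrentHandler : 0xba706b2b
ServiceNumber : 0x3f
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path :
OriginalHandler : 0x8062475c
CurrentHandler : 0xba706b35
ServiceNumber : 0x41
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : \SystemRoot\system32\drivers\example_av.sys
OriginalHandler : 0x805c3a6e
CurrentHandler : 0xf7a1c120
ServiceNumber : 0x9e
ModuleName : example_av.sys
SDTType : 0x0
No hidden operating system service hooks found.
"""

if __name__ == "__main__":
    for f in triage(parse_hooks(SAMPLE_LOG)):
        print("page 0x%08x: %d unnamed hooks, services %s, target span %d bytes"
              % (f["page"], f["count"], [hex(s) for s in f["services"]], f["span"]))
```

Run against the full eleven-record list from the post, the same logic reports one page (0xba706000) with all eleven hooks packed into 61 bytes and no module, which matches the poster's observation that the hooks could not be "fixed" from inside the running system: the trampoline's owner is not a file the scanner can name, so the dispatch table entries are restored on every boot.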