Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Dos:Alureon.E


  • Please log in to reply

#16
elguapo79

elguapo79

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
.

Edited by elguapo79, 02 December 2011 - 04:04 PM.

  • 0

Advertisements


#17
elguapo79

elguapo79

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
MSSE is still finding it.



I have a question about if I made the right selection following bootrec /RebuildBcd.

It found 1 installation of Windows (that's all I have)

The options then were YES NO or ALL.

I selected YES. (Sorry, I should have written down the question exactly).

Was the correct option? It took very little time after that, so I am worried I should have selected ALL.
  • 0

#18
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,797 posts
  • MVP
Don't think it really matters when you only have one.
  • 0

#19
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,797 posts
  • MVP
Run TDSSKiller with all options again and see if it still sees TDSS. IF so tell it to remove it. If no or if yes and MSSE is still seeing Aleureon after a reboot then I have one more thing to try. Download Hiren's boot Disk, unzip it and burn it to a CD then boot from Hiren's select the miniXP then run TDSSKiller. I've just had this work on one that was really stubborn.

http://www.hirensbootcd.org/download/

Burning instructions are at http://www.hirensbootcd.org/burning/ or you can get free iso burner and use it:

http://www.freeisoburner.com/
  • 0

#20
elguapo79

elguapo79

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
TDSS finds nothing. I'm starting on the Hiren's thing now.
  • 0

#21
elguapo79

elguapo79

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
I did this, and I think I did everything right.

When I ran TDSS killer from miniXP, it scanned 3 items quickly and found nothing.

Everything remains the status quo.

I thought I'd include this screenshot of MSSE for you in case it would be of any help.

Link since the image is large.
  • 0

#22
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,797 posts
  • MVP
Let's back up to Post #5 in this thread. I can't see from your screen print the size of the partition but let's assume it is the bad guy that MSSE is talking about.

Preferably from a clean computer, I need you to download: gparted-live-0.10.0-3.iso (115.1 MB)
Windows Vista 32-Bit (x86) Recovery Environment

Create a bootable CD, 1 for Gparted and 1 for the Windows Vista Recovery Enviroment, from the ISO images. You can use ImgBurn do this.

Now boot off of the newly created Gparted CD.

Posted Image
You should be here...
Press ENTER

Posted Image
By default, "do not touch keymap" is highlighted. Leave this setting alone and just press ENTER.

Posted Image
Choose your language and press ENTER. English is default [33]

Posted Image
Once again, at this prompt, press ENTER

You will now be taken to the main GUI screen below
Posted Image
According to your logs, the partition that you want to delete is the first one in the screen shot in post #5. You will have to get the size from Disk Management or you can see which partition is not 222.3 (Your C:) nor 10.58 (Your D:) so the remaining one is the one we want to delete.
Click the trash can icon to delete and then click Apply.

You should now be here confirming your actions:
Posted Image

Now you should be here:
Posted Image

Posted Image
Is "boot" next to your OS drive?

If "boot" is not next to your OS drive under "Flags", right-mouse click the OS drive while in Gparted and select Manage Flags

In the menu that pops up, place a checkmark in boot like the picture below:
Posted Image

Now double-click the Posted Image button.

You should receive a small pop up like this:
Posted Image
Choose reboot and then press OK.

Now reboot from the Windows Vista Recovery Environment CD and execute the following commands:

  • bootrec /FixMbr
  • bootrec /FixBoot
  • exit

Once back in Windows.

Download MBRCheck.exe to your desktop.
  • Be sure to disable your security programs
  • Double click on the file to run it (Confirm the UAC prompt)
  • A window will open on your desktop
  • if an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
  • If nothing unusual is found just press Enter
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
  • Attach that file.

  • 0

#23
elguapo79

elguapo79

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
I will do this tomorrow, and thanks again.

A quick question -- I have windows 7, but I am still creating a bootable CD for Windows Vista Recovery Enviroment, correct?
  • 0

#24
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,797 posts
  • MVP
Since you have the Windows 7 disk you do not need to create a Vista disk. Just use it instead.
  • 0

#25
elguapo79

elguapo79

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
A quick note on something I was unsure of.

When I executed the commands:

bootrec /FixMbr
bootrec /Fixboot
exit

I did so at the X/SOURCES> line. I wasn't sure if I should have followed your previous instructions as in post 12

------------------------------



I did as you suggested. Here is the MBRCheck txt file:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Home Premium Edition
Windows Information: Service Pack 1 (build 7601), 32-bit
Base Board Manufacturer: ASUSTeK Computer INC.
BIOS Manufacturer: American Megatrends Inc.
System Manufacturer: HP-Pavilion
System Product Name: GG755AV-ABA m8100y
Logical Drives Mask: 0x000001fc

Kernel Drivers (total 181):
0x82A00000 \SystemRoot\system32\ntkrnlpa.exe
0x82E12000 \SystemRoot\system32\halmacpi.dll
0x80BCC000 \SystemRoot\system32\kdcom.dll
0x8B43A000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x8B4BF000 \SystemRoot\system32\PSHED.dll
0x8B4D0000 \SystemRoot\system32\BOOTVID.dll
0x8B4D8000 \SystemRoot\system32\CLFS.SYS
0x8B51A000 \SystemRoot\system32\CI.dll
0x8B633000 \SystemRoot\system32\drivers\Wdf01000.sys
0x8B6A4000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x8B6B2000 \SystemRoot\system32\drivers\ACPI.sys
0x8B6FA000 \SystemRoot\system32\drivers\WMILIB.SYS
0x8B703000 \SystemRoot\system32\drivers\msisadrv.sys
0x8B70B000 \SystemRoot\system32\drivers\pci.sys
0x8B735000 \SystemRoot\system32\drivers\vdrvroot.sys
0x8B740000 \SystemRoot\System32\drivers\partmgr.sys
0x8B751000 \SystemRoot\system32\drivers\volmgr.sys
0x8B761000 \SystemRoot\System32\drivers\volmgrx.sys
0x8B7AC000 \SystemRoot\System32\drivers\mountmgr.sys
0x8B824000 \SystemRoot\system32\drivers\iaStorV.sys
0x8B8FF000 \SystemRoot\system32\drivers\amdxata.sys
0x8B908000 \SystemRoot\system32\drivers\fltmgr.sys
0x8B93C000 \SystemRoot\system32\drivers\fileinfo.sys
0x8BA10000 \SystemRoot\System32\Drivers\Ntfs.sys
0x8BB3F000 \SystemRoot\System32\Drivers\msrpc.sys
0x8BB6A000 \SystemRoot\System32\Drivers\ksecdd.sys
0x8BB7D000 \SystemRoot\System32\Drivers\cng.sys
0x8BBDA000 \SystemRoot\System32\drivers\pcw.sys
0x8BBE8000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x8BC07000 \SystemRoot\system32\drivers\ndis.sys
0x8BCBE000 \SystemRoot\system32\drivers\NETIO.SYS
0x8BCFC000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x8BE21000 \SystemRoot\System32\drivers\tcpip.sys
0x8BF6B000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x8BF9C000 \SystemRoot\system32\drivers\volsnap.sys
0x8BFDB000 \SystemRoot\System32\Drivers\spldr.sys
0x8BD21000 \SystemRoot\System32\drivers\rdyboost.sys
0x8BFE3000 \SystemRoot\System32\Drivers\mup.sys
0x8BFF3000 \SystemRoot\System32\drivers\hwpolicy.sys
0x8BD4E000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x8BE00000 \SystemRoot\system32\DRIVERS\disk.sys
0x8BD80000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x908ED000 \SystemRoot\system32\drivers\cdrom.sys
0x9090C000 \SystemRoot\system32\DRIVERS\MpFilter.sys
0x90933000 \SystemRoot\System32\Drivers\Null.SYS
0x9093A000 \SystemRoot\System32\Drivers\Beep.SYS
0x90941000 \SystemRoot\System32\drivers\vga.sys
0x9094D000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x9096E000 \SystemRoot\System32\drivers\watchdog.sys
0x9097B000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x90983000 \SystemRoot\system32\drivers\rdpencdd.sys
0x9098B000 \SystemRoot\system32\drivers\rdprefmp.sys
0x90993000 \SystemRoot\System32\Drivers\Msfs.SYS
0x9099E000 \SystemRoot\System32\Drivers\Npfs.SYS
0x909AC000 \SystemRoot\system32\DRIVERS\tdx.sys
0x909C3000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8BDA5000 \SystemRoot\system32\drivers\afd.sys
0x8B94D000 \SystemRoot\System32\DRIVERS\netbt.sys
0x909CF000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x909D6000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8BBF1000 \SystemRoot\system32\DRIVERS\netbios.sys
0x8B97F000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x8B992000 \SystemRoot\system32\drivers\termdd.sys
0x8B9A3000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x909F5000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8BA00000 \SystemRoot\system32\drivers\mssmbios.sys
0x8B9E4000 \SystemRoot\System32\drivers\discache.sys
0x8B800000 \SystemRoot\System32\Drivers\dfsc.sys
0x8B9F0000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x8B7C2000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x8B7E3000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x91838000 \SystemRoot\system32\DRIVERS\atikmpag.sys
0x9201D000 \SystemRoot\system32\DRIVERS\atikmdag.sys
0x91878000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x9192F000 \SystemRoot\System32\drivers\dxgmms1.sys
0x927D5000 \SystemRoot\system32\drivers\HDAudBus.sys
0x91968000 \SystemRoot\system32\DRIVERS\e1e6232.sys
0x927F4000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x919A0000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x92000000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x9603E000 \SystemRoot\system32\drivers\HCW85BDA.sys
0x9619F000 \SystemRoot\system32\drivers\BdaSup.SYS
0x961A2000 \SystemRoot\system32\drivers\ks.sys
0x96000000 \SystemRoot\system32\drivers\1394ohci.sys
0x961D6000 \SystemRoot\system32\drivers\i8042prt.sys
0x961EE000 \SystemRoot\system32\drivers\kbdclass.sys
0x9602D000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0x9200F000 \SystemRoot\system32\drivers\CompositeBus.sys
0x919EB000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x91800000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x96033000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8B600000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x91818000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x8B5C5000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x8B5DC000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x8B622000 \SystemRoot\system32\drivers\mouclass.sys
0x961FB000 \SystemRoot\system32\drivers\swenum.sys
0x8B400000 \SystemRoot\system32\DRIVERS\circlass.sys
0x8B40E000 \SystemRoot\system32\drivers\umbus.sys
0x9743E000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x97482000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x97493000 \SystemRoot\system32\drivers\HdAudio.sys
0x974E3000 \SystemRoot\system32\drivers\portcls.sys
0x97512000 \SystemRoot\system32\drivers\drmk.sys
0x98100000 \SystemRoot\System32\win32k.sys
0x9752B000 \SystemRoot\System32\drivers\Dxapi.sys
0x97535000 \SystemRoot\system32\DRIVERS\udfs.sys
0x97575000 \SystemRoot\System32\Drivers\crashdmp.sys
0x90800000 \SystemRoot\System32\Drivers\dump_iaStorV.sys
0x97582000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x97593000 \SystemRoot\system32\drivers\hidusb.sys
0x9759E000 \SystemRoot\system32\drivers\HIDCLASS.SYS
0x975B1000 \SystemRoot\system32\drivers\HIDPARSE.SYS
0x975B8000 \SystemRoot\system32\drivers\USBD.SYS
0x975BA000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x975C5000 \SystemRoot\system32\DRIVERS\monitor.sys
0x98360000 \SystemRoot\System32\TSDDD.dll
0x98390000 \SystemRoot\System32\cdd.dll
0x975D0000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x97400000 \SystemRoot\system32\drivers\luafv.sys
0x9741B000 \SystemRoot\system32\drivers\WudfPf.sys
0x975E7000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x8B41C000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x9A204000 \SystemRoot\system32\drivers\usbcir.sys
0x9A21F000 \SystemRoot\system32\DRIVERS\hidir.sys
0x9A22E000 \SystemRoot\system32\drivers\kbdhid.sys
0x9A23A000 \SystemRoot\system32\drivers\HTTP.sys
0x9A2BF000 \SystemRoot\system32\DRIVERS\bowser.sys
0x9A2D8000 \SystemRoot\System32\drivers\mpsdrv.sys
0x9A2EA000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x9A30D000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x9A348000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x9A363000 \SystemRoot\system32\drivers\peauth.sys
0x908DB000 \SystemRoot\System32\Drivers\secdrv.SYS
0x9D42D000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x9D44E000 \SystemRoot\System32\drivers\tcpipreg.sys
0x9D45B000 \SystemRoot\System32\DRIVERS\srv2.sys
0x9D4AB000 \SystemRoot\System32\DRIVERS\srv.sys
0x9D4FD000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
0x9D51E000 \??\C:\Windows\system32\drivers\mbam.sys
0x9D522000 \SystemRoot\system32\drivers\spsys.sys
0x9D58C000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0x77590000 \Windows\System32\ntdll.dll
0x48530000 \Windows\System32\smss.exe
0x777D0000 \Windows\System32\apisetschema.dll
0x002C0000 \Windows\System32\autochk.exe
0x77760000 \Windows\System32\shlwapi.dll
0x773F0000 \Windows\System32\setupapi.dll
0x77750000 \Windows\System32\nsi.dll
0x77350000 \Windows\System32\advapi32.dll
0x77270000 \Windows\System32\kernel32.dll
0x771E0000 \Windows\System32\clbcatq.dll
0x77740000 \Windows\System32\psapi.dll
0x776F0000 \Windows\System32\gdi32.dll
0x776E0000 \Windows\System32\lpk.dll
0x77110000 \Windows\System32\msctf.dll
0x76F50000 \Windows\System32\iertutil.dll
0x76EC0000 \Windows\System32\oleaut32.dll
0x76E20000 \Windows\System32\usp10.dll
0x76E00000 \Windows\System32\sechost.dll
0x76DE0000 \Windows\System32\imm32.dll
0x76D30000 \Windows\System32\msvcrt.dll
0x76BD0000 \Windows\System32\ole32.dll
0x76B90000 \Windows\System32\ws2_32.dll
0x76B60000 \Windows\System32\imagehlp.dll
0x76A40000 \Windows\System32\wininet.dll
0x769C0000 \Windows\System32\comdlg32.dll
0x768B0000 \Windows\System32\urlmon.dll
0x76850000 \Windows\System32\difxapi.dll
0x776D0000 \Windows\System32\normaliz.dll
0x75C00000 \Windows\System32\shell32.dll
0x75B30000 \Windows\System32\user32.dll
0x75AE0000 \Windows\System32\Wldap32.dll
0x75A30000 \Windows\System32\rpcrt4.dll
0x759E0000 \Windows\System32\KernelBase.dll
0x759B0000 \Windows\System32\wintrust.dll
0x75980000 \Windows\System32\cfgmgr32.dll
0x758F0000 \Windows\System32\comctl32.dll
0x758D0000 \Windows\System32\devobj.dll
0x757B0000 \Windows\System32\crypt32.dll
0x757A0000 \Windows\System32\msasn1.dll

Processes (total 51):
0 System Idle Process
4 System
276 C:\Windows\System32\smss.exe
380 csrss.exe
460 C:\Windows\System32\wininit.exe
472 csrss.exe
508 C:\Windows\System32\services.exe
532 C:\Windows\System32\lsass.exe
540 C:\Windows\System32\lsm.exe
600 C:\Windows\System32\winlogon.exe
696 C:\Windows\System32\svchost.exe
772 C:\Windows\System32\svchost.exe
920 C:\Windows\System32\atiesrxx.exe
960 C:\Windows\System32\svchost.exe
1040 C:\Windows\System32\svchost.exe
1068 C:\Windows\System32\svchost.exe
1148 C:\Windows\System32\audiodg.exe
1200 C:\Windows\System32\svchost.exe
1244 C:\Windows\System32\atieclxx.exe
1316 C:\Windows\System32\svchost.exe
1488 C:\Windows\System32\spoolsv.exe
1516 C:\Windows\System32\svchost.exe
1596 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
1632 C:\Program Files\Bonjour\mDNSResponder.exe
1692 C:\Windows\System32\svchost.exe
1740 C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe
1804 C:\Windows\System32\taskhost.exe
1872 C:\Windows\System32\dwm.exe
1908 C:\Windows\explorer.exe
1996 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
1988 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
2344 C:\Windows\System32\svchost.exe
2480 C:\Program Files\iTunes\iTunesHelper.exe
2492 C:\Program Files\Microsoft Security Client\msseces.exe
2572 WUDFHost.exe
2580 C:\Windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
2956 C:\Program Files\iPod\bin\iPodService.exe
3132 C:\Windows\System32\SearchIndexer.exe
3220 C:\Program Files\Windows Media Player\wmpnetwk.exe
3480 WmiPrvSE.exe
3840 C:\Windows\System32\svchost.exe
2692 C:\Windows\System32\SearchProtocolHost.exe
1584 C:\Windows\System32\SearchFilterHost.exe
3288 dllhost.exe
3452 C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
3440 C:\Windows\System32\sppsvc.exe
1300 C:\Users\Jeremy\Desktop\MBRCheck.exe
3244 C:\Windows\System32\conhost.exe
3692 C:\Windows\System32\dllhost.exe
4028 C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
3928 WmiPrvSE.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000037`937cb800 (NTFS)

PhysicalDrive0 Model Number: HitachiHDT725025VLA380, Rev: V5DOA7BA

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79


Done!
  • 0

Advertisements


#26
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,797 posts
  • MVP
I guess the question now is are you still getting the Alureon detection?
  • 0

#27
elguapo79

elguapo79

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
I got caught up in the processes ... I'm getting no warnings just yet (knock on wood)!
  • 0

#28
elguapo79

elguapo79

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Still no problems!

Thanks so much for your help, Ron.

I've noticed that the experts here have ratings. If there is anything I can do regarding a post-help survey, please let me know.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP