Windows 7 Forums


Windows 7: Trojan:Win32/FakeSysdef


07 Jul 2012   #1

W7 Pro SP1 64bit
 
 
Trojan:Win32/FakeSysdef - Trojan:DOS/Alureon.E

This computer again:
IE9 32bit context menu fails on W7 Pro 64bit

Here is some of what I know about the box build.
[Attachment: 1spec.JPG (system specification screenshot)]



I was asked to cleanup the aftermath of this:
Encyclopedia entry: Trojan:Win32/FakeSysdef - Learn more about malware - Microsoft Malware Protection Center

There were no disk images or system restore points.

(See my rant about MSE's heuristics.) MSE is using default settings - except it is set to update and do a full scan every night. This computer does not sleep. The infection occurred on 01 July. The computer was turned off until I could deal with it.

A manual full scan by MSE found/cleaned this:
[Attachment: 2infection.JPG (MSE detection screenshot)]


A full scan by Malwarebytes came up clean. I then started unhiding or replacing shortcuts and folders in the Start Menu - as well as uninstalling some stuff.


These started showing within minutes of the infection and yet they continue:
[Attachment: 3disk-error.JPG (disk error screenshot)]


Did the infection scramble something on the hard drive?

Chkdsk came out like this:

Code:
Checking file system on C:
The type of the file system is NTFS.

A disk check has been scheduled.
Windows will now check the disk.

CHKDSK is verifying files (stage 1 of 5)...
  114432 file records processed.
File verification completed.
  173 large file records processed.
  0 bad file records processed.
  2 EA records processed.
  108 reparse records processed.
CHKDSK is verifying indexes (stage 2 of 5)...
  158098 index entries processed.
Index verification completed.
  0 unindexed files scanned.
  0 unindexed files recovered.
CHKDSK is verifying security descriptors (stage 3 of 5)...
  114432 file SDs/SIDs processed.
Cleaning up 589 unused index entries from index $SII of file 0x9.
Cleaning up 589 unused index entries from index $SDH of file 0x9.
Cleaning up 589 unused security descriptors.
Security descriptor verification completed.
  21834 data files processed.
CHKDSK is verifying Usn Journal...
  34642016 USN bytes processed.
Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
  114416 files processed.
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
  100054981 free clusters processed.
Free space verification is complete.
CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
CHKDSK discovered free space marked as allocated in the volume bitmap.
Windows has made corrections to the file system.

 488272919 KB total disk space.
  87764456 KB in 89229 files.
     58584 KB in 21835 indexes.
         0 KB in bad sectors.
    229951 KB in use by the system.
     65536 KB occupied by the log file.
 400219928 KB available on disk.

      4096 bytes in each allocation unit.
 122068229 total allocation units on disk.
 100054982 allocation units available on disk.

Internal Info:
00 bf 01 00 e0 b1 01 00 5c 1d 03 00 00 00 00 00  ........\.......
4d 42 00 00 6c 00 00 00 00 00 00 00 00 00 00 00  MB..l...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

Windows has finished checking your disk.
Please wait while your computer restarts.





07 Jul 2012   #2

Windows 7 Ultimate x64 - Service Pack 1
 
 

Hello, UsernameIssues.

1. Try Windows Defender Offline: boot from it and let it delete all Trojans before Windows starts (Tutorial: Windows Defender Offline).

2. Run sfc /scannow to repair system files (Tutorial: SFC /SCANNOW Command - System File Checker).

3. Try to uninstall everything installed after 01 July.

Also try this: look at processes, msconfig, startup items and the like; maybe you will find that virus there.
08 Jul 2012   #3

W7 Pro SP1 64bit
 
 

Thanks for the reply. So many computer problems and so little time :-)

I'm doing all of this via remote control. I'll give Windows Defender a try the next time I'm near that computer.

I should have mentioned that SFC showed no problems.


12 Jul 2012   #4

W7 Pro SP1 64bit
 
 

Windows Defender Offline found one problem that it could not fix:
Trojan:DOS/Alureon.E

Edit: the plan is to put some of the labor back on those that use this computer. The computer that this one replaced should still be functional. We'll get that one back in service and then spend some time on this infected one. Probably going to format the drive on this one, but I want to see if I can get the Event ID 55 stuff to go away first. I need to know if the drive is bad or if the rootkit is causing those entries.
12 Jul 2012   #5

Windows 7 Professional SP1 64-bit
 
 

If I recall, Alureon is a trojan that creates a hidden partition and recopies itself from that partition every time you remove it. In order to remove it completely, use Hiren's Boot CD to find and delete the partition. It should be about 1 MB in size and should be labeled "(Hidden)". After removing the partition, use Windows Defender Offline (WDO) to completely remove the virus. See the links below for Hiren's Boot CD and WDO.

Download Hiren
What is Windows Defender Offline?
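A triage script for the two questions still open in this thread (are the Ntfs Event ID 55 entries still being written, and is there a small partition on the disk that Windows itself does not surface). This is an added example, not code from the original thread or from any of its posters. It assumes an elevated PowerShell 2.0 or later session on Windows 7, an MBR-partitioned disk with 512-byte sectors (GPT disks are not parsed), and a hypothetical 16 MB threshold below which a partition is flagged for a manual look.

```powershell
# Added example (not from the thread). Run as Administrator on the affected box.
# Assumptions: PowerShell 2.0+ (Windows 7), MBR partitioning, 512-byte sectors,
# and a hypothetical 16 MB "small partition" threshold.

function Get-NtfsEvent55 {
    param([int]$Days = 30)
    # Source "Ntfs", ID 55: "The file system structure on the disk is corrupt and unusable".
    $filter = @{ LogName = 'System'; ProviderName = 'Ntfs'; Id = 55
                 StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

function Get-SmartStatus {
    # Vendor-neutral SMART "predict failure" flag; some controllers do not expose it,
    # in which case this returns nothing rather than an error.
    Get-WmiObject -Namespace 'root\wmi' -Class MSStorageDriver_FailurePredictStatus `
        -ErrorAction SilentlyContinue | Select-Object InstanceName, PredictFailure
}

function Read-MbrPartitionTable {
    param([string]$Device = '\\.\PhysicalDrive0')
    # Read sector 0 straight from the disk so we see what the firmware boots,
    # not only what the Windows volume manager chooses to report.
    $fs = New-Object System.IO.FileStream($Device, [System.IO.FileMode]::Open,
            [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        $mbr = New-Object byte[] 512
        if ($fs.Read($mbr, 0, 512) -ne 512) { throw "Short read from $Device" }
    } finally { $fs.Close() }
    if ($mbr[510] -ne 0x55 -or $mbr[511] -ne 0xAA) { throw "No MBR signature on $Device" }
    foreach ($i in 0..3) {
        $o = 0x1BE + 16 * $i                          # four 16-byte table entries
        $sectors = [BitConverter]::ToUInt32($mbr, $o + 12)
        if ($sectors -eq 0) { continue }              # empty slot
        New-Object PSObject -Property @{
            Entry    = $i
            Active   = ($mbr[$o] -eq 0x80)            # boot flag
            TypeId   = ('0x{0:X2}' -f $mbr[$o + 4])   # partition type byte
            StartLBA = [BitConverter]::ToUInt32($mbr, $o + 8)
            Sectors  = $sectors
            SizeMB   = [math]::Round($sectors * 512 / 1MB, 1)
        }
    }
}

function Compare-PartitionViews {
    param([int]$DiskIndex = 0, [int]$FlagBelowMB = 16)   # 16 MB threshold is an assumption
    $raw  = @(Read-MbrPartitionTable "\\.\PhysicalDrive$DiskIndex")
    $seen = @(Get-WmiObject Win32_DiskPartition | Where-Object { $_.DiskIndex -eq $DiskIndex })
    $disk = Get-WmiObject Win32_DiskDrive | Where-Object { $_.Index -eq $DiskIndex }
    foreach ($p in $raw) {
        $offset = [uint64]$p.StartLBA * 512
        $known  = $seen | Where-Object { [uint64]$_.StartingOffset -eq $offset }
        $note = @()
        if (-not $known)                { $note += 'not reported by Windows' }
        if ($p.SizeMB -lt $FlagBelowMB) { $note += "smaller than $FlagBelowMB MB" }
        if ($p.Active)                  { $note += 'marked active (boot)' }
        '{0} type {1} start LBA {2,12} size {3,10} MB  {4}' -f `
            $p.Entry, $p.TypeId, $p.StartLBA, $p.SizeMB, ($note -join '; ')
    }
    # Space past the last table entry is where a hidden payload can also live.
    $lastEnd = $raw | ForEach-Object { [uint64]$_.StartLBA + $_.Sectors } |
               Sort-Object | Select-Object -Last 1
    $tailMB = [math]::Round(([uint64]$disk.TotalSectors - $lastEnd) * 512 / 1MB, 1)
    "Unallocated tail after last MBR entry: $tailMB MB"
}

'--- Event ID 55 (Ntfs), last 30 days ---'
Get-NtfsEvent55 | Format-Table -AutoSize
'--- SMART predict-failure ---'
Get-SmartStatus | Format-Table -AutoSize
'--- MBR table vs Windows view, disk 0 ---'
Compare-PartitionViews
```

Two caveats when reading the output. Event ID 55 entries that keep arriving with zero bad sectors in chkdsk and SMART reporting no predicted failure point away from failing media, but they do not by themselves identify the cause. More importantly, a kernel-mode rootkit of this family can hook the disk driver and hand back a clean sector 0 to any reader inside the running Windows, so a clean MBR result from within the infected system is weaker evidence than the same read taken from a boot CD or from Windows Defender Offline.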
12 Jul 2012   #6

W7 Pro SP1 64bit
 
 

Thanks - I sure wish that MSE had prevented this infection :-(

Once the backup computer is functional, we will attack this again.

From within Windows:
[Attachment: Trojan:Win32/FakeSysdef-partitions.jpg (Disk Management partition view)]


12 Jul 2012   #7

Windows 7 Professional SP1 64-bit
 
 

Alureon is a pretty tough Trojan to deal with. It's not really an issue with MSE. It's an issue with all the smart people who spend so much time and effort trying to f*** over other people.