Windows 7 Forums


Windows 7: Computer wont start after removing alureon virus with defender offline

15 Oct 2013   #21
TomAdams93

windows 7 64 bit
 
 

==================== One Month Modified Files and Folders =======

2013-10-15 14:41 - 2012-10-22 22:09 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-10-15 14:20 - 2012-08-10 13:04 - 01233147 _____ C:\Windows\WindowsUpdate.log
2013-10-15 14:12 - 2013-09-30 00:32 - 00000000 ____D C:\ProgramData\Oracle
2013-10-15 14:12 - 2012-08-10 13:09 - 00003934 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{6C5CD60A-31F7-41D4-A5FB-FAE9D506F321}
2013-10-15 14:11 - 2013-10-15 14:11 - 00004154 _____ C:\Windows\SysWOW64\jupdate-1.7.0_45-b18.log
2013-10-15 14:11 - 2012-08-26 16:40 - 00000000 ____D C:\Program Files (x86)\Java
2013-10-15 14:10 - 2009-07-13 23:45 - 00031472 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-10-15 14:10 - 2009-07-13 23:45 - 00031472 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-10-15 14:09 - 2009-07-14 00:13 - 00783812 _____ C:\Windows\system32\PerfStringBackup.INI
2013-10-15 14:07 - 2013-10-15 14:07 - 00028101 _____ C:\Users\Thomas\Downloads\FRST.txt
2013-10-15 14:04 - 2013-10-15 14:04 - 00000000 ____D C:\Users\Thomas\AppData\Local\{F99F3C16-183A-4CEA-A7E8-B8C30205E214}
2013-10-15 14:04 - 2012-09-07 17:49 - 00000000 ____D C:\Users\Thomas\Tracing
2013-10-15 14:03 - 2012-10-22 22:09 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-10-15 14:03 - 2012-08-10 13:05 - 00000000 ____D C:\Users\Thomas
2013-10-15 14:03 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-10-15 14:03 - 2009-07-13 23:51 - 00061499 _____ C:\Windows\setupact.log
2013-10-11 04:11 - 2013-10-11 04:11 - 00000000 ____D C:\FRST
2013-10-11 03:40 - 2013-09-30 00:32 - 00000000 ____D C:\ProgramData\McAfee Security Scan
2013-10-11 03:37 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\registration
2013-10-11 01:59 - 2013-10-11 01:59 - 00000000 _____ C:\Windows\system32\config\SOFTWARE296d3e66
2013-10-10 19:33 - 2013-10-10 19:33 - 00000000 ____D C:\Windows\Microsoft Antimalware
2013-10-10 16:07 - 2013-10-10 16:07 - 00000000 ____D C:\Users\Thomas\Desktop\ME 210 homework
2013-10-10 16:07 - 2013-10-10 16:07 - 00000000 ____D C:\Users\Thomas\Desktop\CE 301 lab
2013-10-10 16:06 - 2013-10-10 16:06 - 00000000 ____D C:\Users\Thomas\Desktop\CE 301 Course Hero
2013-10-10 15:54 - 2013-10-10 15:54 - 00000000 ____D C:\Users\Thomas\AppData\Local\{5F3FC84E-2FBD-4453-80EB-5BE0C94825CE}
2013-10-09 16:39 - 2013-10-07 16:29 - 00000000 ____D C:\Users\Thomas\AppData\Local\{6ABB75AE-E56B-48AB-BE14-CD5C2E5496D2}
2013-10-08 20:36 - 2012-10-22 22:09 - 00003894 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2013-10-08 20:36 - 2012-10-22 22:09 - 00003642 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2013-10-08 07:50 - 2013-10-15 14:11 - 00096168 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2013-10-08 07:46 - 2013-10-15 14:11 - 00264616 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2013-10-08 07:46 - 2013-10-15 14:11 - 00175016 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2013-10-08 07:46 - 2013-10-15 14:11 - 00174504 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2013-10-07 16:59 - 2012-10-22 22:09 - 00002143 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2013-10-06 16:35 - 2013-03-26 20:37 - 00003192 _____ C:\Windows\System32\Tasks\HPCeeScheduleForThomas
2013-10-06 16:35 - 2013-03-26 20:37 - 00000336 _____ C:\Windows\Tasks\HPCeeScheduleForThomas.job
2013-10-02 16:58 - 2013-10-02 16:58 - 00000000 ____D C:\Users\Thomas\AppData\Local\{CE243D4A-0C8F-4F38-833E-BF78C6E4242F}
2013-10-02 16:56 - 2010-11-20 22:47 - 00080528 _____ C:\Windows\PFRO.log
2013-09-30 02:27 - 2013-09-30 00:37 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\Systweak
2013-09-30 00:45 - 2013-09-30 00:31 - 00000000 ____D C:\Program Files (x86)\McAfee Security Scan
2013-09-30 00:44 - 2012-08-21 14:50 - 00000000 ____D C:\Users\Thomas\AppData\Local\Adobe
2013-09-30 00:43 - 2013-09-30 00:43 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-09-30 00:43 - 2013-09-30 00:43 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-09-30 00:42 - 2013-09-30 00:38 - 00000000 ____D C:\Program Files (x86)\MyPC Backup
2013-09-30 00:42 - 2012-08-10 13:09 - 00000000 ___RD C:\Users\Thomas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2013-09-30 00:38 - 2013-09-30 00:38 - 00000000 ____D C:\Users\Thomas\AppData\Local\avgchrome
2013-09-30 00:37 - 2013-09-30 00:37 - 00000000 ____D C:\ProgramData\DSearchLink
2013-09-30 00:36 - 2013-09-30 00:36 - 00142258 _____ C:\Users\Thomas\Downloads\Adobe_Flash_Player.exe
2013-09-30 00:33 - 2013-09-30 00:33 - 00881168 _____ (Microsoft Corporation) C:\Users\Thomas\Downloads\mssstool64 (1).exe
2013-09-29 19:14 - 2013-09-29 19:14 - 00881168 _____ (Microsoft Corporation) C:\Users\Thomas\Downloads\mssstool64.exe
2013-09-29 17:32 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\rescache
2013-09-29 16:38 - 2013-09-29 16:37 - 00000000 ____D C:\Users\Thomas\AppData\Local\{020ED3BF-5DB2-4DAF-87F0-F57DE4492BFF}
2013-09-28 17:43 - 2013-09-28 17:43 - 00001945 _____ C:\Windows\epplauncher.mif
2013-09-28 17:42 - 2013-03-19 23:10 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2013-09-28 17:42 - 2013-03-19 23:09 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-09-28 17:40 - 2013-09-28 17:39 - 13813944 _____ (Microsoft Corporation) C:\Users\Thomas\Downloads\mseinstall.exe
2013-09-28 17:34 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\NDF
2013-09-23 21:31 - 2013-08-28 14:21 - 00000000 ____D C:\Windows\system32\MpEngineStore
2013-09-23 14:30 - 2013-09-23 14:30 - 00000000 ____D C:\Users\Thomas\AppData\Local\{E524E8F5-ABDF-4F0F-89F4-5E3339DABF67}
2013-09-23 14:29 - 2012-08-10 13:09 - 00000000 ___RD C:\Users\Thomas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2013-09-23 03:50 - 2013-08-26 15:52 - 00000000 ____D C:\Windows\system32\MRT
2013-09-23 03:50 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\AppCompat
2013-09-23 03:49 - 2009-07-13 22:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2013-09-23 03:47 - 2012-10-22 22:03 - 00000000 ____D C:\ProgramData\Real
2013-09-23 00:57 - 2013-09-23 00:56 - 00000000 ____D C:\Users\Thomas\AppData\Local\{957C27E9-24D7-4B94-B489-6EF5238C2006}
2013-09-23 00:54 - 2009-07-13 23:45 - 00416688 _____ C:\Windows\system32\FNTCACHE.DAT
2013-09-17 21:32 - 2012-11-20 22:50 - 00000000 ____D C:\Users\Thomas\Documents\Outlook Files
2013-09-17 14:12 - 2012-08-10 16:35 - 00000000 ____D C:\Users\Thomas\AppData\Local\CrashDumps
2013-09-17 14:10 - 2013-09-17 14:09 - 00000000 ____D C:\Users\Thomas\AppData\Local\{F18A33F7-88CA-4626-9629-9F160DF8DABE}
2013-09-16 16:40 - 2012-08-21 14:39 - 00000000 ____D C:\Program Files (x86)\Microsoft Application Virtualization Client
2013-09-16 16:40 - 2012-05-12 15:15 - 00800508 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2013-09-16 16:36 - 2012-08-31 10:14 - 79143768 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2013-09-16 16:36 - 2012-08-30 19:45 - 00000000 ____D C:\ProgramData\Microsoft Help

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-1682970989-2299201136-1404161508-1001\$286bf40a02ffec57eae78ccedc6b55bb

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$286bf40a02ffec57eae78ccedc6b55bb

Files to move or delete:
====================
C:\Windows\svchost.exe
ATTENTION ====> Check for partition/boot infection.
C:\ProgramData\eM1y4153.dat
C:\ProgramData\xhietgwvfjxqvqgabbr.reg


Some content of TEMP:
====================
C:\Users\Thomas\AppData\Local\Temp\adobe-reader.exe
C:\Users\Thomas\AppData\Local\Temp\BackupSetup.exe
C:\Users\Thomas\AppData\Local\Temp\contentDATs.exe
C:\Users\Thomas\AppData\Local\Temp\CouponDropDown.exe
C:\Users\Thomas\AppData\Local\Temp\DeltaTB.exe
C:\Users\Thomas\AppData\Local\Temp\Extract.exe
C:\Users\Thomas\AppData\Local\Temp\iet7CC4.tmp.exe
C:\Users\Thomas\AppData\Local\Temp\jre-7u40-windows-i586-iftw.exe
C:\Users\Thomas\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
C:\Users\Thomas\AppData\Local\Temp\jre-7u7-windows-i586-iftw.exe
C:\Users\Thomas\AppData\Local\Temp\jre-7u9-windows-i586-iftw.exe
C:\Users\Thomas\AppData\Local\Temp\mssinstaller.exe
C:\Users\Thomas\AppData\Local\Temp\npp.6.2.Installer.exe
C:\Users\Thomas\AppData\Local\Temp\nsj6798.exe
C:\Users\Thomas\AppData\Local\Temp\nsj696D.exe
C:\Users\Thomas\AppData\Local\Temp\nsoAF83.exe
C:\Users\Thomas\AppData\Local\Temp\nsoFF84.exe
C:\Users\Thomas\AppData\Local\Temp\nstE39A.exe
C:\Users\Thomas\AppData\Local\Temp\SecurityScan_Release.exe
C:\Users\Thomas\AppData\Local\Temp\setup-Jutera_US_pscombined-bunndle-cb-1.1-x86x64_20120808.exe
C:\Users\Thomas\AppData\Local\Temp\setup_coupondropdown.exe
C:\Users\Thomas\AppData\Local\Temp\SP57698.exe
C:\Users\Thomas\AppData\Local\Temp\SP57935.exe
C:\Users\Thomas\AppData\Local\Temp\SP57965.exe
C:\Users\Thomas\AppData\Local\Temp\SP58871.exe
C:\Users\Thomas\AppData\Local\Temp\sp58915.exe
C:\Users\Thomas\AppData\Local\Temp\SP59202.exe
C:\Users\Thomas\AppData\Local\Temp\SPStub.exe
C:\Users\Thomas\AppData\Local\Temp\tbedrs.dll
C:\Users\Thomas\AppData\Local\Temp\tbuTor.dll
C:\Users\Thomas\AppData\Local\Temp\tbWhi0.dll
C:\Users\Thomas\AppData\Local\Temp\ToolbarHelper.exe
C:\Users\Thomas\AppData\Local\Temp\uninst1.exe
C:\Users\Thomas\AppData\Local\Temp\UninstallHPSA.exe
C:\Users\Thomas\AppData\Local\Temp\UpdUninstall.exe
C:\Users\Thomas\AppData\Local\Temp\utt1677.tmp.exe
C:\Users\Thomas\AppData\Local\Temp\xmlUpdater.exe


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2013-10-15 14:35

==================== End Of Log ============================


15 Oct 2013   #22
cottonball

Windows 7 Home Premium
 
 

Let's press on...

FRST was last located on the USB drive:
Running from E:\

Since Boot Mode: Normal, please take FRST64 (just the actual program, nothing else: no fixlist, fixlog, or plfixlog) and move it to the Desktop!!

Now, on the Desktop, open Notepad (Start > All Programs > Accessories > Notepad)
Copy the entire contents of the code box below (Do not copy the word 'Code').
Save to the Desktop, and name it: fixlist.txt

Make sure both FRST64 and the fixlist.txt are on the Desktop!!!
No exceptions to this, please!!

Code:
start
HKLM-x32\...\Run: [] - [x]
URLSearchHook: (No Name) - {3bbd3c14-4c16-4989-8366-95bc9179779d} - No File
URLSearchHook: (No Name) - {49c795c2-604a-4d18-aeb1-b3eba27e5ea2} - No File
BHO-x32: No Name - {1036AD63-AEAC-460B-9060-C96005D4DC86} - No File
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Toolbar: HKCU - No Name - {3BBD3C14-4C16-4989-8366-95BC9179779D} - No File
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Toolbar: HKCU - No Name - {49C795C2-604A-4D18-AEB1-B3EBA27E5EA2} - No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll No File
CHR Plugin: (Java Deployment Toolkit 7.0.400.43) - C:\Windows\SysWOW64\npDeployJava1.dll No File
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction
C:\$Recycle.Bin\S-1-5-21-1682970989-2299201136-1404161508-1001\$286bf40a02ffec57eae78ccedc6b55bb
C:\$Recycle.Bin\S-1-5-18\$286bf40a02ffec57eae78ccedc6b55bb
C:\Windows\svchost.exe
C:\ProgramData\eM1y4153.dat
C:\ProgramData\xhietgwvfjxqvqgabbr.reg
end
Once again, double-click FRST to run it.
When the tool opens click Yes to disclaimer.
Press the Fix button once, and wait.

When done, FRST produces Fixlog.txt on the Desktop.
Please provide the Fixlog.txt on your reply.


Now, go to the TDSSKiller Download
Select the .exe version
Double-click on TDSSKiller.exe to run the program.
When the TDSSKiller console opens, click on: Change Parameters
Under Additional Options, place a check in the box next to: Detect TDLFS File System
Click: OK

Press: Start Scan

If a suspicious object is detected by this program, the default action is Skip. Leave this action as is, and click on: Continue

If malicious objects are found, they show in the Scan results.
Ensure Cure (the default action) is selected, then click: Continue > Reboot now, to finish the cleaning process.
(Note: If Cure is not available, select Skip. Do not select: Delete)

When done, the tool creates a log on the disk with the Windows Operating System, normally C:\
Logs have a name like:
C:\TDSSKiller.X.X.X_15.10.2013_15.31.43_log.txt

Also provide the TDSSKiller report in your reply.


We still will have more work to do. There are other entries to get rid of with other programs. However, the above should place you on some stable ground.
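A way to triage FRST output like the log in post #21 mechanically, as an added example that is not part of the thread and not FRST's own code: a small Python parser for the "One Month Modified Files and Folders" line format (and the bare paths of the ZeroAccess/TEMP sections) that flags the kinds of entries cottonball put in the fixlist: a core binary outside System32, random-named files directly in ProgramData, ZeroAccess-style $<hash> folders under $Recycle.Bin, and executables left in Temp. The sample lines are constructed; the sizes and dates shown for the flagged files are assumptions, not values from the actual scan.

```python
import re
# A line in FRST's "One Month Modified Files and Folders" section looks like:
#   <modified> - <created> - <size> <attrs> [(Company)] <path>
FRST_LINE = re.compile(
    r"^(?P<mod>\S+ \S+) - (?P<cre>\S+ \S+) - (?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?(?P<path>.+)$"
)
# Core Windows binaries that legitimately live only under these directories.
CORE_BINARIES = {"svchost.exe", "winlogon.exe", "wininit.exe", "services.exe", "userinit.exe"}
LEGIT_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")

def parse_line(line):
    """Parse a modified-files line, or a bare path (as in the ZeroAccess/TEMP sections)."""
    line = line.strip()
    m = FRST_LINE.match(line)
    if m:
        d = m.groupdict()
        d["is_dir"] = "D" in d["attrs"]
        return d
    if re.match(r"^[A-Za-z]:\\", line):
        return {"path": line, "is_dir": False, "attrs": None, "company": None}
    return None

def suspicion_reasons(path, is_dir):
    """Heuristics mirroring what the helper acted on; empty list means nothing flagged."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    reasons = []
    if name in CORE_BINARIES and not p.startswith(LEGIT_DIRS):
        reasons.append("core system binary outside System32/SysWOW64")
    if re.fullmatch(r"c:\\programdata\\[a-z0-9]{6,}\.(dat|reg|exe|dll)", p):
        reasons.append("random-looking file directly in ProgramData")
    if re.search(r"\\\$recycle\.bin\\s-1-5-[\d-]+\\\$[0-9a-f]{32}$", p):
        reasons.append("ZeroAccess-style $<hash> folder in $Recycle.Bin")
    if not is_dir and "\\appdata\\local\\temp\\" in p and p.endswith((".exe", ".dll")):
        reasons.append("executable left in user Temp")
    return reasons

def triage(log_text):
    """Map each flagged path to its reasons; lines in neither format are skipped."""
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and (why := suspicion_reasons(rec["path"], rec["is_dir"])):
            flagged[rec["path"]] = why
    return flagged

# Constructed sample in FRST's format (sizes and dates for the bad files are made up).
SAMPLE = """\
2013-10-08 07:46 - 2013-10-15 14:11 - 00174504 _____ (Oracle Corporation) C:\\Windows\\SysWOW64\\java.exe
2013-10-11 02:10 - 2013-10-11 02:10 - 00022528 _____ C:\\Windows\\svchost.exe
2013-10-11 02:10 - 2013-10-11 02:10 - 00000412 _____ C:\\ProgramData\\eM1y4153.dat
C:\\$Recycle.Bin\\S-1-5-18\\$286bf40a02ffec57eae78ccedc6b55bb
C:\\Users\\Thomas\\AppData\\Local\\Temp\\nsj6798.exe
"""
```

Feed the whole FRST.txt to `triage()` and every unflagged line still needs a human eye; the heuristics only reproduce the patterns seen in this thread.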
15 Oct 2013   #23
TomAdams93

windows 7 64 bit
 
 

fixlog


Attached Files
File Type: txt Fixlog.txt (3.4 KB, 1 views)

15 Oct 2013   #24
TomAdams93

windows 7 64 bit
 
 

And here's the other file.


Attached Files
File Type: txt TDSSKiller.3.0.0.14_15.10.2013_17.39.18_log.txt (213.2 KB, 3 views)
15 Oct 2013   #25
cottonball

Windows 7 Home Premium
 
 

On TDSSKiller...
Please run it once again, and this time, when presented with the TDSS File System entry in Threats Detected, select: Delete

Please post the new TDSSKiller log in your reply.


Next, download the Temporary File Cleaner (TFC)
http://oldtimer.geekstogo.com/TFC.exe
Save to your Desktop.
• Save any work in progress!! TFC closes open applications and removes unsaved work!! Close all windows.
• Right-click TFC.exe and select: Run as Administrator
• If prompted, click "Yes" to reboot.

Please download AdwCleaner to your Desktop.
http://general-changelog-team.fr/fr/...e/2-adwcleaner
• Close all open programs and internet browsers.
• Double-click on AdwCleaner.exe to run the tool.
• Click the Scan button and wait for the process to complete.
• If you find entries or programs you wish to keep, please uncheck them.
• Click on the Clean button to remove the rest, and follow the prompts.
• A report automatically opens after the scan is finished.

Please post the content of C:\AdwCleaner[Sn].txt in your reply.

(You can also find the report at C:\AdwCleaner[Sn].txt (n is a number).)


Last, please run FRST (located on the Desktop) once again, do a Scan, and post its report.

You should be in better shape now.
15 Oct 2013   #26
TomAdams93

windows 7 64 bit
 
 

These are them.


Attached Files
File Type: txt TDSSKiller.3.0.0.14_15.10.2013_17.39.18_log.txt (422.6 KB, 1 views)
File Type: txt AdwCleaner[S0].txt (8.7 KB, 1 views)
File Type: txt FRST.txt (40.9 KB, 0 views)
05 Jul 2016   #27
jeremija93

Windows 7 64 Ultimate
 
 

http://www.sevenforums.com/attachmen...1&d=1467720495
Result
HERE IS MY RESULT!
Please visit this and help me, I can't run my PC! :/


Attached Files
File Type: txt Result.txt (6.9 KB, 1 views)