.Alureon.A reported by ISP on boot. Computer runs fine.


  1. Posts : 8
    Windows7 Pro 64bit, Windows7 Pro 32bit, Linux
       #1


    I've been chasing this thing for weeks. All tests report computer is fine and it is running great.

    .Alureon.A must be running in the MBR. I am triple booting with EasyBCD into C:win7PRO 64Bit, D:Linux, and E:Win7PRO 32bit.

    I guess I need help getting .Alureon.A out of MBR without losing the functioning computer.

    Thankx,
    Dusty


  2. Posts : 19,383
    Windows 10 Pro x64 ; Xubuntu x64
       #2

    Alureon.A is a rootkit/bootkit... TDSSKiller will remove it:

    Anti-rootkit utility TDSSKiller


  3. Posts : 8
    Windows7 Pro 64bit, Windows7 Pro 32bit, Linux
    Thread Starter
       #3

    I've run TDSSKiller multiple times. It finds no problems.

    I only know I have it because on a reboot my ISP (TDS) reports:

    Hacker Alert previously sent you an alert for a Cybercrime threat which places your home network at risk level: HIGH.
    Hacker Alert has detected the a Cybercrime [ Win32.Bot.Alureon.A - Runtime Detected ] threat again. You should click here and follow the step-by-step instructions to remove the threat from the computers(s) running and protect your computers

    Running their cleaning programs finds the computer is clean.
    It only shows up on boot.


  4. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #4

    Download DDS from one of these links:
    DDS.com
    DDS.pif
    • Disable any script blocking protection
    • Double click the dds icon to run the tool.
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt <--- will be minimized in the task tray
    • Save both reports to your desktop.

    Include the contents of both logs in your next post.
    The scan will instruct you to post Attach.txt as an attachment.


  5. Posts : 8
    Windows7 Pro 64bit, Windows7 Pro 32bit, Linux
    Thread Starter
       #5

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-20.01)
    .
    Microsoft Windows 7 Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 8/5/2012 9:23:56 PM
    System Uptime: 10/25/2013 12:11:55 AM (24 hours ago)
    .
    Motherboard: ASUSTeK Computer INC. | | M4A87TD EVO
    Processor: AMD Phenom(tm) II X4 965 Processor | AM3 | 2176/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 1024 GiB total, 909.802 GiB free.
    E: is FIXED (NTFS) - 373 GiB total, 224.523 GiB free.
    H: is CDROM ()
    I: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP180: 10/25/2013 12:06:04 AM - ComboFix created restore point
    .
    ==== Installed Programs ======================
    .
    7-zip v9.20
    Acronis True Image Home 2012
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Reader XI (11.0.05)
    AI Suite
    AMD USB Filter Driver
    Apple Application Support
    Apple Software Update
    AssistUO version 1.0.1
    ASUSUpdate
    ATI Catalyst Install Manager
    Audacity 2.0
    CCleaner
    CH Gameport Devices
    Corel MediaOne
    Corel Paint Shop Pro Photo X2
    Corel Painter Photo Essentials 4
    EaseUS Partition Master 9.1.1 Professional
    Easy DVD Player
    EasyBCD 2.1.2
    Elevated Installer
    EPSON Scan
    EPU
    eReg
    Family Tree Maker 2012
    FinePixViewer Ver.5.5
    Garmin Express
    Garmin Express Tray
    ImageSkill Background Remover 3
    iSEEK AnswerWorks English Runtime
    Java 7 Update 45 (64-bit)
    LightScribe System Software
    LiveUpdate 3.2 (Symantec Corporation)
    Lizardtech DjVu Control
    Lock On: Modern Air Combat
    Logitech Harmony Remote Software 7
    Logitech iTouch Software
    Logitech SetPoint 6.51
    Malwarebytes Anti-Malware version 1.75.0.1300
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft Corporation
    Microsoft LifeCam
    Microsoft Office 2007 Service Pack 3 (SP3)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office Office 64-bit Components 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional Plus 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared 64-bit MUI (English) 2007
    Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2005 Redistributable (x64)
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Nero 12
    Nero Audio Pack 1
    Nero BackItUp
    Nero BackItUp Help (CHM)
    Nero Backup Drivers
    Nero Blu-ray Player
    Nero Blu-ray Player Help (CHM)
    Nero Burning ROM
    Nero Burning ROM Help (CHM)
    Nero ControlCenter
    Nero ControlCenter Help (CHM)
    Nero Core Components
    Nero Disc Menus Basic
    Nero Effects Basic
    Nero Express
    Nero Express Help (CHM)
    Nero Kwik Media
    Nero Kwik Media Help (CHM)
    Nero Kwik Themes Basic
    Nero PiP Effects Basic
    Nero Recode
    Nero Recode Help (CHM)
    Nero RescueAgent
    Nero RescueAgent Help (CHM)
    Nero SharedVideoCodecs
    Nero Update
    Nero Video
    Nero Video Help (CHM)
    neroxml
    Norton Bootable Recovery Tool Wizard
    Norton Ghost
    Norton Internet Security
    Nuance Cloud Connector
    Nuance PDF Converter Professional 7
    NVIDIA Control Panel 307.83
    NVIDIA Display Control Panel
    NVIDIA Graphics Driver 307.83
    NVIDIA Install Application
    NVIDIA Update 1.10.8
    NVIDIA Update Components
    OverDrive Media Console
    Paragon Partition Manager™ 12 Free
    PC Magazine DiskAction v.3.0.3
    PC Magazine TapeCalc 3.0
    PC Magazine TaskPower 5.0
    PC Probe II
    PCMag.com RegistryMaster
    PCMag.com What's Going On 2
    PHOTORECOVERY LE
    Picasa 3
    Pinnacle Instant DVD Recorder
    Pinnacle Studio 12
    Pinnacle Video Driver
    Platform
    PowerChute Personal Edition 3.0.2
    Prerequisite installer
    PVSonyDll
    Quicken 2012
    Quicken WillMaker Plus 2012
    QuickTime
    Realtek Ethernet Controller Driver For Windows 7
    Recover My Files
    Remote Control USB Driver
    Renesas Electronics USB 3.0 Host Controller Driver
    RoboForm 7-9-2-2 (All Users)
    Scansoft PDF Professional
    Seagate Dashboard 2.0
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628v2)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2858302v2)
    Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
    Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
    Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
    Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
    Security Update for Microsoft .NET Framework 4 Extended (KB2858302v2)
    Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596825) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2597973) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2687309) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2687439) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2760411) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2760585) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2760591) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2827326) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2827329) 32-Bit Edition
    Security Update for Microsoft Office Excel 2007 (KB2827324) 32-Bit Edition
    Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition
    Security Update for Microsoft Office Outlook 2007 (KB2825999) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
    Security Update for Microsoft Office Publisher 2007 (KB2597971) 32-Bit Edition
    Security Update for Microsoft Office Word 2007 (KB2827330) 32-Bit Edition
    Skype™ 6.9
    Snagit 11
    The Right Track (R) Software
    TurboTax 2011
    TurboTax 2011 WinPerFedFormset
    TurboTax 2011 WinPerReleaseEngine
    TurboTax 2011 WinPerTaxSupport
    TurboTax 2011 wnhiper
    TurboTax 2011 wrapper
    TurboTax 2012
    TurboTax 2012 WinPerFedFormset
    TurboTax 2012 WinPerReleaseEngine
    TurboTax 2012 WinPerTaxSupport
    TurboTax 2012 wnhiper
    TurboTax 2012 wrapper
    Twin Commander
    Ultima Online Classic Client
    UO Auto-Map 8.3.0.0
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    Update for Microsoft .NET Framework 4 Client Profile (KB2836939)
    Update for Microsoft .NET Framework 4 Extended (KB2468871)
    Update for Microsoft .NET Framework 4 Extended (KB2533523)
    Update for Microsoft .NET Framework 4 Extended (KB2600217)
    Update for Microsoft .NET Framework 4 Extended (KB2836939)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2687493) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2767849) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition
    Update for Microsoft Office Access 2007 Help (KB963663)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Infopath 2007 Help (KB963662)
    Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2827325) 32-Bit Edition
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Welcome App (Start-up experience)
    Windows Media Encoder 9 Series
    Windows XP Mode
    WinZip 17.5
    World of Warcraft
    XTrkCAD 4.0.3a
    Yahoo! Messenger
    Yahoo! Software Update
    Yahoo! Toolbar
    .
    ==== Event Viewer Messages From Past Week ========
    .
    10/25/2013 9:31:12 PM, Error: Schannel [36888] - The following fatal alert was generated: 40. The internal error state is 107.
    10/25/2013 9:31:12 PM, Error: Schannel [36874] - An SSL 3.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
    10/25/2013 12:15:06 AM, Error: Service Control Manager [7038] - The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
    10/25/2013 12:15:06 AM, Error: Service Control Manager [7000] - The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.
    10/22/2013 11:16:46 AM, Error: Schannel [36887] - The following fatal alert was received: 80.
    10/22/2013 10:13:03 PM, Error: mbamchameleon [61440] -
    10/19/2013 12:52:46 AM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
    10/19/2013 12:52:46 AM, Error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error %%-1073473535.
    .
    ==== End Of File ===========================


  6. Posts : 7,781
    Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
       #6

    Dusty45 said:
        I've run TDSSKiller multiple times. It finds no problems.

    When you run TDSSKiller, try changing the parameters. Click on the "change parameters" blue text & be sure the additional modules are checked (Detect TDLFS File System, Use KSN to scan objects & Verify digital signatures), also in the above box be sure System Memory, Services & Drivers & Boot Sectors are checked.

    Alureon can be tough to remove. It creates a hidden boot sector that generally does not show up on disk management.

    If you want to verify if you actually do have Alureon, use a Boot Partition Manager. GParted is free. Make it on a different machine & use it as a boot disk.

    GParted -- A free application for graphically managing disk device partitions

    Alureon will show up on the end of the drive as a hidden partition, between 1 - 10 MB depending on the variant.
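The check described in post #6, as an added example that is not part of the original thread: it parses the four primary entries of an MBR sector and reports the last partition on the disk when it falls in the 1 - 10 MB range mentioned there. All function names, the sample layouts and their type bytes are constructed for illustration. Only primary MBR entries are read; logical partitions inside an extended partition and GPT disks are not walked.

```python
import struct

SECTOR = 512
MIB = 1024 * 1024

def parse_mbr(sector0):
    """Return the used primary partition entries of a 512-byte MBR sector."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature, not an MBR sector")
    parts = []
    for slot in range(4):
        entry = sector0[446 + 16 * slot:446 + 16 * (slot + 1)]
        # Layout: status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, start, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0 and count != 0:
            parts.append({"slot": slot, "active": status == 0x80,
                          "type": ptype, "start": start, "sectors": count})
    return parts

def find_small_tail_partition(sector0, min_mib=1, max_mib=10):
    """Return the last partition on disk if it is 1-10 MiB in size, else None."""
    parts = sorted(parse_mbr(sector0), key=lambda p: p["start"])
    if not parts:
        return None
    last = parts[-1]
    size_mib = last["sectors"] * SECTOR / MIB
    if min_mib <= size_mib <= max_mib:
        return dict(last, size_mib=size_mib)
    return None

def build_sample_mbr(entries):
    """Constructed input: MBR sector from (active, type, start_lba, sectors) tuples."""
    table = b"".join(struct.pack("<B3xB3xII", 0x80 if a else 0, t, s, n)
                     for a, t, s, n in entries)
    return b"\x00" * 446 + table.ljust(64, b"\x00") + b"\x55\xaa"

# Constructed triple-boot layout; type bytes and sizes are illustrative only.
CLEAN_LAYOUT = [(True, 0x07, 2048, 1_000_000),
                (False, 0x83, 1_002_048, 500_000),
                (False, 0x07, 1_502_048, 480_000)]
SAMPLE_CLEAN = build_sample_mbr(CLEAN_LAYOUT)
# Same layout plus a 5 MiB entry (10240 sectors) placed after the last real partition.
SAMPLE_SUSPECT = build_sample_mbr(CLEAN_LAYOUT + [(False, 0x17, 1_989_760, 10_240)])

if __name__ == "__main__":
    for name, mbr in (("clean", SAMPLE_CLEAN), ("suspect", SAMPLE_SUSPECT)):
        hit = find_small_tail_partition(mbr)
        if hit:
            print(f"{name}: slot {hit['slot']} type 0x{hit['type']:02x} "
                  f"{hit['size_mib']:.1f} MiB at LBA {hit['start']}, inspect it")
        else:
            print(f"{name}: no small partition at the end of the table")
```

To use it on a real machine, pass `parse_mbr` the first 512 bytes of the disk read from a boot disk rather than from the running Windows install; a hit is a reason to inspect that partition, not a verdict.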


  7. Posts : 8
    Windows7 Pro 64bit, Windows7 Pro 32bit, Linux
    Thread Starter
       #7

    TDSSKiller reports no threats found.

    Nothing unusual on partitions.


  8. Posts : 10,485
    W7 Pro SP1 64bit
       #8

    Uninstall Java unless you need it. If you must keep Java, then see near the bottom of this post for info on setting the schedule for checking for updates on a 64bit system - if you use a 64bit browser.

    For those lurking in this thread (like I was)...
    ...this link might be of interest:
    Tds Telecom: Internet and Telephone Service for Home and Business
    Or maybe not.

    I've worked on a computer infected with a different version of Alureon and I've seen the traffic patterns that it can generate. Windows Defender Offline detected the infection, but could not cure it. You might also try Kaspersky's offline scanner (Rescue Disk). Both WDO and KRD can be run from USB... but I'm not sure if I would trust those tools to automatically fix the things that they may find on a multi-boot system.

    In the version of Alureon that I worked with, Alureon was using Windows Explorer to make dozens of connections to the internet. This was easily seen within Resource Monitor and easily blocked via the Windows firewall.


  9. Posts : 2,470
    Windows 7 Home Premium
       #9

    Dusty45,

    Let's see if we can find Alureon tracks, and know what it is we are working with...

    Please use the Farbar Recovery Scan Tool
    Download: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/
    Select the version that applies to your system.
    Save it to your Desktop.

    Double-click the downloaded file to run it.
    When the tool opens click Yes to the disclaimer.

    Press the Scan button.

    The tool makes a log (FRST.txt) in the same directory from which the tool is run (Desktop).
    Please provide the FRST.txt in your reply.

    The first time the tool is run, it also makes another log: Addition.txt
    Also post the Addition.txt in your reply.


  10. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #10

    You might find something helpful here: Schannel Errors 36874 and 36888


 