Windows 7 Forums

Windows 7: Trojan:Win32/FakeSysdef

07 Jul 2012   #1

W7 Pro SP1 64bit
Trojan:Win32/FakeSysdef - Trojan:DOS/Alureon.E

This computer again:
IE9 32bit context menu fails on W7 Pro 64bit

Here is some of what I know about the box build.

I was asked to cleanup the aftermath of this:
Encyclopedia entry: Trojan:Win32/FakeSysdef - Learn more about malware - Microsoft Malware Protection Center

There were no disk images or system restore points.

(See my rant about MSE's heuristics.) MSE is using default settings - except it is set to update and do a full scan every night. This computer does not sleep. The infection occurred on 01 July. The computer was turned off until I could deal with it.

A manual full scan by MSE found/cleaned this:

A full scan by Malwarebytes came up clean. I then started unhiding or replacing shortcuts and folders in the Start Menu - as well as uninstalling some stuff.

These started showing within minutes of the infection and yet they continue:

Did the infection scramble something on the hard drive?

Chkdsk came out like this:

Checking file system on C:
The type of the file system is NTFS.

A disk check has been scheduled.
Windows will now check the disk.                         

CHKDSK is verifying files (stage 1 of 5)...
  114432 file records processed.
File verification completed.
  173 large file records processed.
  0 bad file records processed.
  2 EA records processed.
  108 reparse records processed.
CHKDSK is verifying indexes (stage 2 of 5)...
  158098 index entries processed.
Index verification completed.
  0 unindexed files scanned.
  0 unindexed files recovered.
CHKDSK is verifying security descriptors (stage 3 of 5)...
  114432 file SDs/SIDs processed.
Cleaning up 589 unused index entries from index $SII of file 0x9.
Cleaning up 589 unused index entries from index $SDH of file 0x9.
Cleaning up 589 unused security descriptors.
Security descriptor verification completed.
  21834 data files processed.
CHKDSK is verifying Usn Journal...
  34642016 USN bytes processed.
Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
  114416 files processed.
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
  100054981 free clusters processed.
Free space verification is complete.
CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
CHKDSK discovered free space marked as allocated in the volume bitmap.
Windows has made corrections to the file system.

 488272919 KB total disk space.
  87764456 KB in 89229 files.
     58584 KB in 21835 indexes.
         0 KB in bad sectors.
    229951 KB in use by the system.
     65536 KB occupied by the log file.
 400219928 KB available on disk.

      4096 bytes in each allocation unit.
 122068229 total allocation units on disk.
 100054982 allocation units available on disk.

Internal Info:
00 bf 01 00 e0 b1 01 00 5c 1d 03 00 00 00 00 00  ........\.......
4d 42 00 00 6c 00 00 00 00 00 00 00 00 00 00 00  MB..l...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

Windows has finished checking your disk.
Please wait while your computer restarts.

07 Jul 2012   #2

Windows 7 Ultimate x64 - Service Pack 1

Hello, UsernameIssues.

1. Try Windows Defender Offline: boot with it and delete all Trojans before Windows starts (Tutorial: Windows Defender Offline)

2. Do sfc /scannow to repair system files (Tutorial: SFC /SCANNOW Command - System File Checker)

3. Try to uninstall everything from after 01 July.

Try with this... Look at processes, msconfig, startup items and others; maybe you will find that virus.
08 Jul 2012   #3

W7 Pro SP1 64bit

Thanks for the reply. So many computer problems and so little time.

I'm doing all of this via remote control. I'll give Windows Defender a try the next time I'm near that computer.

I should have mentioned that SFC showed no problems.

12 Jul 2012   #4

W7 Pro SP1 64bit

Windows Defender Offline found one problem that it could not fix:

Edit: the plan is to put some of the labor back on those that use this computer. The computer that this one replaced should still be functional. We'll get that one back in service and then spend some time on this infected one. Probably going to format the drive on this one, but I want to see if I can get the Event ID 55 stuff to go away first. I need to know if the drive is bad or if the rootkit is causing those entries.
12 Jul 2012   #5

Windows 7 Professional SP1 64-bit

If I recall, Alureon is a trojan that creates a hidden partition and recopies itself from that partition every time you remove it. In order to remove it completely, use Hiren's Boot CD to find and delete the partition. It should be about 1 MB in size and should be labeled "(Hidden)". After removing the partition, use Windows Defender Offline (WDO) to completely remove the virus. See links below for Hiren's Boot CD and WDO.

Download Hiren
What is Windows Defender Offline?
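As an added example that is not part of this thread: an elevated-PowerShell triage script covering three things raised above, the tiny hidden partition described in reply #5, the "uninstall everything after 01 July" step from reply #2, and the NTFS Event ID 55 entries the original poster wants to explain. The 2 MB cut-off, the 2012-07-01 date and the Uninstall registry paths are assumptions taken from the thread and from standard Windows layout, not fixed rules.

```powershell
# Added example, not code from the thread. Run from an elevated PowerShell on the affected Windows 7 box.
# Assumed values (from the thread): a ~1 MB hidden partition, so flag anything <= 2 MB with no drive
# letter; the infection date of 01 July 2012 as the cut-off for "installed after".
$cutoffMB  = 2
$sinceDate = [datetime]'2012-07-01'

Write-Host "== Partitions (Win32_DiskPartition; Windows 7 has no Get-Partition cmdlet) =="
Get-WmiObject -Class Win32_DiskPartition | ForEach-Object {
    $p = $_
    $sizeMB = [math]::Round($p.Size / 1MB, 2)
    # Drive letters mapped onto this partition, if any (a hidden partition normally has none)
    $letters = (Get-WmiObject -Query ("ASSOCIATORS OF {Win32_DiskPartition.DeviceID='" + $p.DeviceID +
        "'} WHERE AssocClass=Win32_LogicalDiskToPartition") | ForEach-Object { $_.DeviceID }) -join ','
    $flag = ''
    if ($sizeMB -le $cutoffMB -and -not $letters) { $flag = '<-- REVIEW: tiny partition with no drive letter' }
    '{0,-22} {1,10:N2} MB  boot={2,-5} type={3,-22} {4} {5}' -f $p.DeviceID, $sizeMB, $p.BootPartition, $p.Type, $letters, $flag
}

Write-Host "`n== Programs with InstallDate on/after $($sinceDate.ToString('yyyy-MM-dd')) (Uninstall registry keys) =="
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.InstallDate -match '^\d{8}$' } |
    ForEach-Object {
        # InstallDate is stored as yyyyMMdd text; entries without it are simply not listed here
        $d = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
        if ($d -ge $sinceDate) { '{0}  {1}' -f $d.ToString('yyyy-MM-dd'), $_.DisplayName }
    }

Write-Host "`n== NTFS Event ID 55 (file system structure corruption) from the System log =="
# Recurring entries after a clean chkdsk are worth correlating with the partition listing above
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Ntfs'; Id=55} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

The partition listing only flags candidates for review; confirm what a flagged partition is (from offline media, as reply #5 suggests) before deleting anything.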
12 Jul 2012   #6

W7 Pro SP1 64bit

Thanks - I sure wish that MSE had prevented this infection :-(

Once the backup computer is functional, we will attack this again.

From within Windows:

12 Jul 2012   #7

Windows 7 Professional SP1 64-bit

Alureon is a pretty tough Trojan to deal with. It's not really an issue with MSE. It's an issue with all the smart people that spend so much time and effort trying to f*** over other people.

