Solved Alureon.E (virus)trojan

[brato92]

I ran TDSSKILLER again, and this time it says 'No threats found'. I've attached the log file:
View attachment TDSSKiller.2.8.16.0_26.03.2013_16.20.34_log.txt

i also ran ListrParts. Here's the Result file:
View attachment Result.txt

P.S. : MSE now detects another threats. Look here:

 

[cottonball]

Let's take an additional step...


Please download Malwarebytes : Malwarebytes Anti-Rootkit

Save to the Desktop (easy to find)

Right-click the file and select: Extract here...


Run the program and follow ithe Usage instructions on the website from Step 3 to Step 6.
For now, please stop at Step 6.


When the program is done, two reports are created in the mbar folder:
1. system-log.txt
2. mbar-log-2013-02-18 (20-13-32).txt (corresponds to mbar-log-year-month-day (hour-minute-second).txt)


Please provide the mbar-log containing information on what was detected and removed.

 

[cottonball]

Also, let's see what the following short scan shows...

Please download
Tlcharger RogueKiller (Site Officiel)
•When you get to the website, go to where it says:
(Download link) Lien de téléchargement:

•Click the x64 button to download.
•Save to the Desktop

•Close all windows and browsers
•Right-click and select: Run as Administrator

•Press: SCAN

•A report opens on the Desktop: RKreport.txt

Please provide the RKreport.txt (Mode: Scan) in your reply.

 

[brato92]

The results after scanning are the following:
Malwarebytes Anti-Rootkit says 'Scan Finished: No malware found!' Report: View attachment mbar-log-2013-03-26 (20-06-51).txt

Tlcharger RogueKiller's Report: View attachment RKreport[1]_S_03262013_02d2111.txt

 

[cottonball]

We have a 7 hour time difference!

Please quit all programs...
•Right-click the RogueKiller file and select : Run as Administrator
•Wait until the Prescan finishes
•Click: Delete

Please post the new RKreport (Mode: Delete) in your reply.

~~~~
Now, run MSE once again. Any change?

~~~~
Next, please download: aswMBR
http://public.avast.com/~gmerek/aswMBR.exe
Save it to the Desktop.

>>Make sure your AntiVirus is temporarily disabled!!<<
For information on how to disable protective programs, refer to this Info:
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - BleepingComputer.com

Right-click aswMBR and select: Run as Administrator

When promped with: This Application can use the Avast! Free AntiVirus for scanning...etc.
Select: Yes

The last line of the run in progress will provide the status of the Avast! scan.
It will say: Downloading Avast! virus definitiond database, etc.
When the Avast! scan is done, the last line changes to: Avast Engine definitions #####

At this point, click the Scan button on the lower left of the aswMBR screen.
The last line will now say "Scanning" while it is in progress.

Upon completion of the scan, click >Save log< and save it to the Desktop.
Note: Please do NOT attempt to fix anything!!
Exit the program.

Please post the new aswMBR log in your reply.

Also, notice that another file is created on the Desktop.
It is named MBR.dat.

Please submit MBR.dat for analysis to VirusTotal:
http://www.virustotal.com/

http://www.sevenforums.com/tutorials/277740-online-scanners-scan-suspicious-files-your-pc.html

If you get a message saying: 'File has already been analyzed', click: Reanalyze file

Once scanned, and you see the full results page on your screen, go up to the address bar at the top of the browser, and copy the http:\\etc. address there.

Then, provide the http:\\ address to the results page in your reply.

 

[brato92]

I've just completed the RogueKiller scan. Here's the RKreport after i press 'Delete' button: View attachment RKreport[2]_D_03262013_02d2353.txt

I ran MSE, after quick scan it said that 'No threats were detected during this scan', however, i'm still able to see those quarantined Trojans at 'History' pane. Here's a screenshot:


Shoud i proceed the next steps ?

EDIT: I've just restarted Windows, MSE didn't pop up again, but i noticed that my Start Menu has changed a little bit, despide i didn't change nothing before the restart (i have some new options on the right side - Downloads, Games, Recent Items, Run, also have a new application which i never installed - called Br0wwsae2saevEe). Look here:

 

[VistaKing]

I would proceed with the steps Cottonball advised you . To be sure .

The history on the MSE is nothing to worry about it just tells you want it found before .

 

[brato92]

Ok, i've completed the rest of the steps given by cottonball. Here we are:
Avast!'s log: View attachment aswMBR.txt

VirusTotal analysis link: https://www.virustotal.com/ro/file/...5de8ec16314702e17cc02d19/analysis/1364342665/

 

[cottonball]

brato92,

On the Br0wwsae2saevEe...
Is there an entry for it in Control Panel > Programs and Features?
If so, press on and Uninstall/Remove
Post back on whether it is there or not, and, if there, whether you removed the program.


Next, please do an: AdwCleaner Download
Save to the Desktop

Right-click on adwcleaner.exe and select: Run As Administrator

Click the Search button

When done, a text file opens.

Please post the content of the AdwCleaner[Sn].txt in your reply.
Note: You can also find the reports at C:\AdwCleaner[Sn].txt (S = search, n = order number), or, C:\AdwCleaner[Rn].txt (R = remove, n = order number)


Also do a Junkware Removal Tool Download
Save to the Desktop.

Make sure you temporarily disable your AntiVirus, Firewall, and any other security applications.
These programs may interfere with the running of JRT.
For information on how to disable protective programs, refer to this info:
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - BleepingComputer.com

Right-click JRT.exe and select: Run as Administrator
The tool opens and starts scanning the system. Please be patient as this can take a while...

When done, a report (JRT.txt) is saved on the Desktop.

Please post the contents of JRT.txt in your reply.


Next, let's go back to FRST64.

Have used this tool since its release in 2010.
In my experience, it has detected malware when other tools have not.

Please follow the instrucions on Post #3, and tap the F8 key until the Advanced Boot Options menu appears.
Use the arrow keys to select the Repair your computer menu item.

See if you can get to the System Recovery Options menu and select the Command Prompt, vs. getting a black screen.

If so, proceed with FRST64.

 

[VistaKing]

You could remove "Downloads, Games, Recent Items, Run" by

:ar: Right click on the rb: button and click on Properties.

:ar: Click on the Customize button.

:ar: Uncheck Run and choose Don't display this item on the other items

 

[cottonball]

That's a good one, VistaKing.

@brato92,

RogueKiller apparently did some changes:
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowDownloads (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRun (0) -> REPLACED (1)

Nothing to be concerned about. If not wanted, then follow VK's guidance.

If we can get rid of the Br0wwsae2saevEe, whatever that is...
Just a thought...Is there any program installed on the machine in a language other than English?

 

[VistaKing]

Try to use Revo Uninstaller to remove Br0wwsae2saevEe just incase it locates left over registry files .

 

[brato92]

I've managed to uninstall Br0wwsae2saevEe from Control Panel, seems that it was a web plugin or something like that - uninstalled in a sec.

 

[VistaKing]

Did you get your start menu fixed

 

[brato92]

Yes, i've already fix my Start Menu last night (i knew how to remove those menus). Thanks anyway VistaKing.

 

[VistaKing]

You're welcome

 

[brato92]

Ok, i've scanned the system with AdwCleaner and Junkware Removal Tool. Here are the reports:
AdwCleaner: View attachment AdwCleaner[R1].txt

Junkware Removal Tool: View attachment JRT.txt

 

[VistaKing]

Run AdwCleaner again and choose Delete this time . Upload the log once you're done

 

[brato92]

@VistaKing: I ran AdwCleaner once again. Here's the report after i pressed 'Delete' and restart the system: View attachment AdwCleaner[S1].txt

@cottonball: i've proceeded your steps from post #3 once again, well, this time 'Repair Your Computer' option worked. Here's the log files:

Farbar Recovery Scan Tool: View attachment FRST.txt

List Parts: View attachment Result.txt

Hope that my laptop is clean now. I'm waiting for your replies.

 

[brato92]

I noticed that my laptop runs very smooth now, i can install Windows Updates once again, also i am able to plug out memory sticks from Safety Remove Hardware (before i followed your steps it kept telling me that the stick is used by another program and can't be removed), also when i start up or shut down Windows it respods very very quick.