BSOD after removing Alureon.a

thenecessity

New member
I'm currently unable to access the computer that has the issue, but I was having some blue screen stop error issues and went to the blue screen forum for help. I had removed my old Norton 360 to get Microsoft Security Essentials and Malwarebytes. The MSE initial scan found the Alureon trojan on my computer and instructed me to use Windows Defender Offline, which I did. When Defender finished, I followed the instructions, deleted the trojan, and then restarted. The computer blue screened after that and has continued doing so on multiple restarts. I tried to use System Restore to go back to yesterday, but it didn't fix anything. I did chkdsk from the cmd option and nothing showed up there either. The blue screen error is 0x0000007b.

This is my initial thread: http://www.sevenforums.com/bsod-help-support/286890-changing-bsods-startup-2.html#post2370875 . All the computer information is in the initial post there. There is a picture of the actual blue screen in the post, but I somehow took it upside down. The strings with the stop error are 0xFFFFF880009A9928, 0xFFFFFFFFC000000D, 0x0000000000000000, 0x0000000000000000.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Dell
OS
Windows 7 home premium x64
Graphics Card(s)
GEforce GT 640
thenecessity

Do you have a USB flash drive? If you do, you might want to get that ready.
 

My Computer

Computer Manufacturer/Model Number
Custom Built
OS
Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
CPU
Intel Core i7 CPU 950 @ 3.07GHz
Motherboard
ASUS P6T DELUXE V2
Memory
OCZ 6GB (3 x 2GB) 240-Pin DDR3 SDRAM DDR3 1600 OCZ3X1600R2
Graphics Card(s)
ATI Radeon HD 5700 Series
Sound Card
OnBoard
Hard Drives
WD6400AACS-00M3B0 (640GB SATA )
PSU
CORSAIR 850w
Case
NZXT LEXA
Cooling
Intel Stock Heatsink Fan
Keyboard
Microsoft Wireless Laser Keyboard 7000
Mouse
Microsoft Wireless Laser Mouse 7000
Yes, I have one; it was used for the Defender Offline scan.
 

thenecessity,

Would appreciate some info from you:
Can you boot to the Advanced Boot Options, and if you can, do you have the Repair your computer option listed?

To find out:
Restart the computer.
As soon as the BIOS is loaded, begin tapping the F8 key until the Advanced Boot Options menu appears.
Is the Repair your computer option listed? BTW, we will be using this option to get to a Command Prompt and run a tool.

If you do not have the option, or cannot boot to it, do you have your Windows 7 installation CD/DVD available?

Presuming you have access to another computer that is not infected, and if you do not have access to Repair your computer or a W7 installation CD/DVD, we still have another option.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
An ol' eMachines
OS
Windows 7 Home Premium
Internet Speed
Fine for me...I'm retired!
Yes, I am able to get to Advanced Boot Options, and the Repair your computer option is there.

The options in order are:
Repair your computer
Safe mode
Safe mode with networking
Safe mode with command prompt

Enable boot logging
Enable low res video
Last known good configuration
Directory services restore mode
Debugging mode
Disable automatic restart on system failure
Disable driver signature enforcement

Start windows normally
 

OK, we are ready to roll...

You will need a USB flash drive and access to a clean computer for the procedure outlined below.

Also, you may want to print these instructions so you can have access to follow them.

Please plug a flash drive into a clean computer.
Go to Start > Computer
Double-click Computer, and select the flash drive.
Right-click and select: Format
Press Start on the Format prompt.
Remove when done.

Now, the Operating System is 64-bit, so proceed with downloading Farbar Recovery Scan Tool.
Save the program to the >> USB flash drive.
Next, plug the flash drive into the infected computer.

>>>Restart the computer.
  • As soon as the BIOS is loaded, begin tapping the F8 key until the Advanced Boot Options menu appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select your language settings, and click: Next
  • Select your User account and click: OK (If you did not set a password, leave blank.)
On the System Recovery Options menu you get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool (Scan your computer's memory for errors.)
  • Command Prompt
Select Command Prompt

Now, either use this option to find out the drive letter of your USB flash drive in the System Recovery Environment:

>>At the Command Prompt type the commands below, one at a time, and press ENTER after each:
Code:
Diskpart
List volume

>>Or, use this option to find out the drive letter of your USB flash drive:
  • In the Command window, at the blinking cursor type notepad and press: Enter
  • In Notepad, under the File menu select: Open
  • Double-click Computer, find the flash drive letter, remember what letter it is, click on it, and press: Open
  • Close out of Notepad.

Next...
  • Click the Command Prompt window
  • Type g:\frst64.exe, and press: Enter
    Note: Replace the drive letter g with the drive letter of your flash drive!
  • The tool starts and prepares to run. Follow the prompts.
  • Click Yes to the disclaimer.
  • Press the Scan button.
  • The program saves the FRST.txt, on the flash drive.
  • Click the Command prompt window, type exit, and press: Enter
  • Back at the System Recovery Options, press: ShutDown
Please remove the USB flash drive from the infected computer, plug it into the clean computer, and copy/paste the FRST.txt in your reply.
 

I'm getting an error when I do it: G:\frst64.exe is not a valid win32 application.
 

Nvm. I think I've got it now. I rechecked the download and had messed something up. I'll edit this with the txt file.
 

thenecessity

You are getting an error due to the drive letter.

Type in the commands below to get the drive letter of your flash drive:

diskpart
press <ENTER>

list volume
press <ENTER>

Make note of the USB flash drive, then run the command that Cottonball is referring to, changing G:\ to the actual USB drive letter.
 

Nah, the error wasn't from the drive letter. I messed up the download somehow. The first frst64.exe I put on the flash drive wasn't the right size; it didn't copy the whole file somehow.

The two txt files were made at the same time.
 

Looking at the logs, you do indeed have a rootkit. Let's wait for Cottonball's further assistance.

You still have Norton installed along with Norton 360.
 

I know; before I told you about the blue screen, I tried to do a System Restore to yesterday, when I knew everything worked. It brought back Norton with it.
 

thenecessity

We could uninstall the programs from the command prompt, but let's go with removing the rootkit first. Don't want to step on anyone's toes.
 

Yeah, no worries about when it's done. Guessing though it's the Alureon one, so Windows Defender Offline couldn't actually remove it? It said it did, though.
 

WDO … doesn't remove rootkits. I don't find that tool to be helpful.
 

thenecessity,

My apology for the delay, crowded restaurant...:o

Please do the following:
Open notepad (Start > All Programs > Accessories > Notepad)
Copy the entire contents of the quote box below (Do not copy the word 'Quote');
Save it on the flash drive that has FRST64 and name it: fixlist.txt

start
C:\Windows\svchost.exe
TDL4: custom:26000022 <===== ATTENTION!
end

Now, enter System Recovery Options and select the Command Prompt as done before.
Run FRST64, and press the Fix button, just once, and wait.

The tool creates a report on the flash drive called: Fixlog.txt
Please post the Fixlog.txt in your reply.

Restart the computer.


Now, go to the TDSSKiller Download
Select the .exe version
Double-click on TDSSKiller.exe to run the program.

When the TDSSKiller console opens, click on: Change Parameters
Under Additional Options, place a check in the box next to: Detect TDLFS File System
Click: OK

Press: Start Scan

  • If a suspicious object is detected by this program, the default action is Skip. Leave this action as is, and click on: Continue
  • If malicious objects are found, they show in the Scan results.
    Ensure Cure (the default action) is selected, then click: Continue > Reboot now, to finish the cleaning process.
    (Note: If Cure is not available, select Skip. >>Do not select: Delete<<)

When done, the tool creates a log on the disk with the Windows Operating System, normally C:\

Logs have a name like:
C:\TDSSKiller.X.X.X_12.04.2013_15.31.43_log.txt

Also post or attach the TDSSKiller log in your reply.
 

Alright, quick update: it worked and I am on the infected computer right now. Here is the fixlog. And a question with it: is that the same thing as the Alureon?

Nothing malicious found, only suspicious.
 

TDL4 is known as TDSS or Alureon.

FRST:
C:\Windows\svchost.exe ATTENTION ====> Check for partition/boot infection.
svchost.exe: injected component which implements the main payload.

TDL4: custom:26000022 <===== ATTENTION!

TDSSKiller:
\Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user

Let's press on...

Please run TDSSKiller once again, and this time, when presented with the TDSS File System entry in Threats Detected, select: Delete

When done, attach the new TDSSKiller log in your reply.

Please provide an update on how the computer is working. Any BSODs, are programs running OK?
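A small log-triage helper, added here as an example and not part of this thread or of the FRST/TDSSKiller tools themselves: it pulls the ATTENTION-flagged entries out of FRST-style output, writes them in the start/end fixlist.txt form used in the fix post above, and checks whether a TDSSKiller result line shows a TDSS File System entry that was only skipped (the case that called for a re-run with Delete). The sample lines are constructed from the excerpts quoted in this post; the exact line formats beyond those excerpts are assumptions.

```python
import re

# Constructed sample lines modelled on the FRST and TDSSKiller excerpts quoted
# in this thread; they are NOT a real log from the poster's machine.
FRST_SAMPLE = """\
C:\\Windows\\svchost.exe ATTENTION ====> Check for partition/boot infection.
C:\\Windows\\explorer.exe
TDL4: custom:26000022 <===== ATTENTION!
"""
TDSS_SAMPLE = """\
\\Device\\Harddisk0\\DR0 ( TDSS File System ) - skipped by user
C:\\Windows\\system32\\drivers\\disk.sys - ok
"""

# FRST marks an entry either as "<item> ATTENTION ====> <advice>" or as
# "<item> <===== ATTENTION!" (format assumed from the quoted lines); keep the
# item, drop the marker text.
FRST_FLAG = re.compile(r"^(?P<item>.+?)\s+(?:<=+\s+)?ATTENTION!?(?:\s+=+>.*)?$")
# TDSSKiller result lines look like "<object> ( <kind> ) - <action taken>".
TDSS_ENTRY = re.compile(r"^(?P<obj>\S+)\s+\(\s*(?P<kind>.+?)\s*\)\s+-\s+(?P<action>.+?)\s*$")


def flagged_frst_items(frst_text):
    """Return the items FRST flagged with ATTENTION, in log order."""
    items = []
    for line in frst_text.splitlines():
        m = FRST_FLAG.match(line.strip())
        if m:
            items.append(m.group("item"))
    return items


def build_fixlist(items):
    """Build fixlist.txt content in the start/end form FRST expects."""
    return "start\n" + "".join(item + "\n" for item in items) + "end\n"


def tdss_entries(tdss_text):
    """Return (object, kind, action) triples from TDSSKiller result lines."""
    found = []
    for line in tdss_text.splitlines():
        m = TDSS_ENTRY.match(line.strip())
        if m:
            found.append((m.group("obj"), m.group("kind"), m.group("action")))
    return found


def needs_tdsskiller_rerun(tdss_text):
    """True when a TDSS File System entry was only skipped, not removed."""
    return any(kind == "TDSS File System" and action.startswith("skipped")
               for _, kind, action in tdss_entries(tdss_text))
```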
 


