Solved Ran Windows Defender Offline, can't boot up computer. Help please!

[bsever]

So a google search tells me that this seems to happen pretty often. Microsoft Malicious Software Removal Tool detected Alereon (sp?), directed me to use Windows Defender Offline. I did and now I can't boot up.

I have followed the directions given here to prior victims and have attached the FRST scan log. Thank you for any help you can give.

 

[ICIT2LOL]

Hello and welcome bsever mate try one of these I would try the Kaspersky one first.

5 Bootable AntiVirus Rescue CD for Windows: Free Download

 

[Slartybart]

alureon virus

ICit2lol gave you a starting point - Kaspersky is very good.

Follow one path at a time, take ICit2lol 's suggestion.

If your machine is still infected after running that, you can wait for someone more experience than I have to drop in.

This is a tough bug to squash, but members on the Security team have successfully tackled other cases.

I read through a few and the FRST report you posted jogeed something in my memory.

TDL4: custom:26000022 <===== ATTENTION!
There's a procedure to deal with the above. I believe it was one of the last things done to prevent reappearance. I just don't recall the details.

Hang in there, I'm sure one of the team will drop in to help.

Good Luck.

 

[Golden]

I dont think running another bootable rescue disk will help....he has already run WDO in an attempt to clean up the rootkit. Sounds like MBR is buggered as a consequence of that?

In this case, OP might consider clean install. Often a safe option with rootkits.

 

[ICIT2LOL]

Ok I only suggested cos the OP cannot boot at all so thought at least it was an option.

If the data needs saving then maybe using the Ubuntu to boot and retrieve that data might be worth a try before the clean install if he has stuff he needs to keep.

I know there is a tutorial on this but this is what I have used in the past

BOOTABLEUBUNTU

Make a bootable Ubuntu disk http://www.ubuntu.com/download

Set the BIOS to boot from theoptical when the machine boots it will show you a screen with TRY or INSTALL> select TRY

When it is finished - it takes verylittle time you will get a screen like in the pic .

Open the drive you want > Userand dig down until you get to the data / settings you may be able to copy /paste the material you want to an external source or other installed drive doingthis.

I am not sure if it will but I haverecovered tons of data etc using this method both on "dead" or justplain drives that you cannot get data from using Windows.

 

[bsever]

Thanks for the suggestions! I don't want to have to try the ubuntu recovery or the clean install, but thank you for pointing me in that direction so I know what my options are. I have seen some folks here get some help after having WDO leave their machines un-bootable and it seems to be a happy ever-after story for some, so I guess I'm looking for a miracle too. A fellow can dream.

 

[ICIT2LOL]

Well mate you still have that rescue disk option it isn't going to cost you anything and what have you got to lose??

If you have all your data backed up then if it is store bought machine you have the option of factory defaulting it.

I just Googled the problem a while ago and there are a ton of refs there most mentioning that Aleuron problem.

 

[bsever]

Thanks ICit2lol, I appreciate the reply. I was hoping for some guidance in the same vein as in this thread:
http://www.sevenforums.com/system-s...-removing-alureon-virus-defender-offline.html
But in the meantime, I will try to hunt down a writeable disc to pursue the Ubuntu suggestion to see what data I can back up. Thanks again!

 

[Slartybart]

I'm going to disagree that WDO cleaned up the malware. (Part of my Dale Carnegie training )
edit: I going to agree that the OP consider a clean install. Malware is getting "smarter" and it's possible that this bug knows about WDO and as a self defense mechanism, messes up the boot. Not sure at this point.

I dont think running another bootable rescue disk will help....he has already run WDO in an attempt to clean up the rootkit. Sounds like MBR is buggered as a consequence of that?

In this case, OP might consider clean install. Often a safe option with rootkits.

I'm also going to recommend the Kaspersky Rescue Disk that ICIT2lol started with.
- I'm not certain it has the TDSSkiller incorporated on the disk, but it's a good place to start.

Just be sure to write the disc on a clean machine

Kaspersky Rescue Disk 10 is designed to scan, disinfect and restore infected operating systems. It should be used when it is impossible to boot the operating system.

Kaspersky Lab products are always upgraded and renewed. In order to restore your system, Kaspersky Lab specialists recommend to use the latest version of Kaspersky Rescue Disk 10.

You can download the distributive of Kaspersky Rescue Disk 10 from Kaspersky Lab servers.

There are always different options, but the path taken is your choice, bsever.
The Rescue disc won't hurt and it might give you a head start when a member of the Security Team stops by.

Your thread, your machine, your choice.
When someone does stop by you will more than likely get your miracle and step by step help. You've seen some of those threads, it takes a while.

Wait or Kasperky - you know what I think

Good luck getting rid of that miserable bug.

Edit: Just saw Kaspersky USB drive option when I was closing down open browser windows.
Also make sure the machine you create this on is free of malware
http://support.kaspersky.com/8092

 

[Layback Bear]

Just a thought.
After WDO was the boot order set back to proper drive?
I will go back to watching.

 

[bsever]

Just a thought.
After WDO was the boot order set back to proper drive?
I will go back to watching.

Surprisingly, it was set back to the proper drive after WDO.

 

[ICIT2LOL]

Yes bsever mate there is a huge amount of replies from wherever re this problem and I am guessing any one of the replies may well be right but it takes very little time to run the rescue and if nothing else eliminates some things.
There are in that list others too of which I have not used but I am sure if the Kaspersky does not pick anything up the others may or may not pick up malware as nothing is 100% foolproof. That goes for any security you are using really if you think about it until a malware is put out and it is recognised as such then it cannot be detected, the best you can do is to use a good program with a good reputation.

If you want to like Slartybart says use the TDSS Killer it is here Malware Removal Tools | Free Virus Removal | Kaspersky Lab scroll down to the TDSS and use it - again it takes only a very short time to run and eliminates yet another probable cause.

 

[Slartybart]

Jacee is one of the best around here - I copied a post from a similar thread that might get you booted.

I noticed a slight difference between the other thread and your thread.

Your specs state Win7 x64 - is that correct?
If you already have the 64 bit version, you can skip the download, if you aren't certain, please download.

Is the exe named FRST64 or FRST? You want FRST64.exe

So the first thing I'd like you to do is download the
64 bit version of Farbar: Downloading Farbar Recovery Scan Tool
[download prompt should offer Run, Safe, Cancel bar]

Then follow the instruction in the quote.

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

start
TDL4: custom:26000022
end

Now please enter System Recovery Options as you did to get the log.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Reboot and see if you can open windows normally..

The next steps Jacee asks OP to run AdwCleaner, but Cottonball (also one of the best) interjects wih something he sees in the FRST64 report. I'm not up on FARBR reports - so another member can take a look at it and determine if an additional script is required.

Given that those two are the best and there is some minor discussion about the order, the only thing I can safely say at this point is to follow the Jacee's quoted instructions above.

I'm sure the discussion was a minor detail - but they would be the ones who could answer if the order made a difference.

 

[bsever]

I am running the Kaspersky Rescue from USB as suggested earlier at the moment and will see what happens when that is over. The quoted text seems to be a fix that is unique to that case, but in the absence of further direction (and in deference to your expertise) I'll try the quoted fixlist text next if still necessary. I appreciate the guidance!

Edit: Kaspersky ran a quick scan of the disk boot sectors and hidden startup objects and didn't find anything, so I am having it run a scan of c drive and all other available objects/places to scan that it gave me. I have to leave for the night so I won't know the results of this scan until the morning, but if nothing turns up I guess I'll be at square one and will try the fix quoted by Slartybart. Thanks again.

 

[Jacee]

What you have is a 'Rootkit'. I don't even try to help folks with this problem. My best advice is to wipe and do a "clean" install. You can read what a rootkit is all about here: Rootkit - Wikipedia, the free encyclopedia

There are experts who believe that the only reliable way to remove them is to re-install the operating system from trusted media.[82][83] This is because antivirus and malware removal tools running on an untrusted system may be ineffective against well-written kernel-mode rootkits.

I'm one of these 'experts'.

 

[Slartybart]

Jacee: Is there any hope for user data or is that also suspect?

bsever: Looks like we should have waited.
I was leaning on her posts anyway, so I'll lean her post# 15 above.

 

[cottonball]

bsever,

Let's try this script...

:info: Please open Notepad (Start > All Programs > Accessories > Notepad)
Copy the entire contents of the code box below
Save it to the USB pen drive, and name it: fixlist.txt

start
HKLM-x32\...\Run: [] - [x]
C:\Windows\Installer\{3c1bccc7-061b-c6af-40d2-8b0efa244643}
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{3c1bccc7-061b-c6af-40d2-8b0efa244643}
C:\Users\POSTAL\AppData\Local\{3c1bccc7-061b-c6af-40d2-8b0efa244643}
C:\Users\POSTAL\AppData\Local\Temp\APNStub.exe
C:\Users\POSTAL\AppData\Local\Temp\imagepackage64.exe
C:\Users\POSTAL\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\POSTAL\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe
C:\Users\POSTAL\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
C:\Users\POSTAL\AppData\Local\Temp\lhi65wsr.dll
C:\Users\POSTAL\AppData\Local\Temp\mpam-fex64.exe
C:\Users\POSTAL\AppData\Local\Temp\qdg_ju8x.dll
C:\Users\POSTAL\AppData\Local\Temp\SearchWithGoogleUpdate.exe
C:\Users\POSTAL\AppData\Local\Temp\z6jjfaa1.dll
C:\Windows\svchost.exe
TDL4: custom:26000022
end

Once again, run FRST64 as you did before.
When the tool opens click Yes to disclaimer.

Now, press the Fix button, only once, and wait.

When done, FRST produces Fixlog.txt on the USB pen drive.

:ar: Please provide the content of Fixlog.txt on your reply.

Thanks!

 

[bsever]

Thanks, cottonball. I've attached the Fixlog as requested.

 

[cottonball]

bsever,

The fixlog looks good, but, the big question is: Does the computer boot to Windows???

 

[bsever]

Yes! What a sweet relief to see the desktop come up, oh sweet beautiful desktop. I didn't even think to try to reboot after the fix.

Thank you!!!