Solved Win64/Alureon.gen!A*Virus preventing computer startup

[kyle7282]

I had been experiencing blue screens for months before I posted on this site to hopefully receive some assistance. After taking the actions suggested by a member of the BSOD forums, I eliminated a lot of possible causes for the BSODs but one in specific has given me some trouble. Win64/Alureon.gen!A was discovered by Windows Security Essentials and I attempted to download Windows Defender Offline to get rid of it but after successfully downloading and implementing the program my computer has been unable to start up and recieves an error regardless of if I do System Restore or Startup Repair. Assistance with this issue would be greatly appreciated, thank you.

For more information check out this thread: http://www.sevenforums.com/bsod-help-support/303539-bsod-past-several-months-error-0x0000001e.html

 

[cottonball]

kyle7282,

Do you have an installation CD/DVD for Windows 7?

If not, or, when you start the computer, tap the F8 key until the Advanced Boot Options menu appears.
Do you have access to the Repair your computer menu item?

Also, do you have a USB pen drive?

We need to run a tool from outside of Windows, but, need to know the above.

 

[cottonball]

Another option:

Do you have access to a computer with Windows 7 64-bit system, to create a System Repair Disk:

Instructions:
System Repair Disc - Create

 

[kyle7282]

Thank you for taking interest in my issue. I don't think I have an installation CD for Windows 7. And I don't see that option in the menu, unfortunately. However, I do have a USB flash drive if that's what you mean. I hope this information helps somewhat, let me know if you need anymore. I do have access to another Windows 7 computer, I believe. I shall try creating a repair disc and I'll update you on the results.

 

[kyle7282]

I was able to successfully create a repair disc but it appears to have had no effect because I am still encountering the same problem.

 

[UsernameIssues]

......I don't think I have an installation CD for Windows 7.....

See step one in this tutorial for instructions on downloading a W7 DVD:
http://www.sevenforums.com/tutorials/219487-clean-reinstall-factory-oem-windows-7-a.html

 

[Borg 386]

I attempted to download Windows Defender Offline to get rid of it but after successfully downloading and implementing the program my computer has been unable to start up and recieves an error regardless of if I do

Did you actually remove Alureon? WDO is good for detecting it, but doesn't always remove it. For that you need a rootkit tool like TDSSKiller. It would be a good idea to make sure it's gone before implementing repairs.

Alureon creates a cloaked boot partition which generally does not show up on Windows Disk Management & can be hard to get rid of. If that is still present, Alureon will always boot up before Windows does.

If you want to be sure it's gone, you can d/l a boot partition manager called GParted. Alureon shows up at the end of the drive as a hidden boot partition, between 1 - 10 MB

Note from the MS Site:

Alureon may modify some driver files so they become corrupted and unusable. These corrupted files won't be restored by detecting and removing this threat. The corrupted file must be restored from backup to restore functionality to the computer. We recommend you boot into a recovery environment and manually replace the file with a clean copy.

Depending on the damage it did, some of your files may be irrevocably damaged. If after confirming Alureon is gone & the system repair disk does not help, you may be able to do a repair install.

http://www.sevenforums.com/tutorials/3413-repair-install.html

Meanwhile, it might be prudent to migrate as many of your personal files to another storage medium just in case.

 

[kyle7282]

Windows Defender Offline said it was successfully cleaned and removed but it's hard to tell without being able to check since my laptop refuses to continue beyond the start up screen before it BSODs and restarts only to repeatedly do the same thing. Are there any methods that use the Setup utility that I could use to hopefully help?

 

[cottonball]

kyle7282,

The number of borked systems found because Windows Defender Offline was used to remove Alureon is more than what can be counted. WDO and Alureon do not seem to get along!!

There is a tool, Farbar Recovery Scan Tool that is used successfully to bring the system 'back to life', after the above described event.

However, the question at this point is, using the Windows 7 System Repair Disc you just created, can you boot to the System Recovery Options (Option Two), as per the following Instructions:
System Recovery Options

Can you select: Command Prompt?

If so, we are in business.

 

[cottonball]

To get the Windows 7 System Repair Disc to work, you need to boot the computer from the CD created:

1. Restart or turn on the infected computer with the disc in the CD/DVD drive
2. Go to the boot menu of the computer.

To access the boot menu, you need to press a specific key while the computer starts up.
Different computers have different ways of accessing the boot menu.
Some of the boot menu keys are listed below.
◦Dell: F12
◦HP: ESC (boot device options)
◦Other: F12

Note:
◦You must press a key like the ones described above before Windows begins to load.
◦Next, change the boot order in the BIOS.

3. Once you see a boot menu, you can look for the following option:
CD/DVD Drive (or something similar)

Use the arrow keys to select the appropriate option and then press the Enter key.

 

[kyle7282]

I can indeed open the the command prompt in the System Recovery Options I've been through how to change the boot order already though, but thanks for explaining it anyway. What can I do exactly in the command prompt?

 

[cottonball]

Good!!

You may want to print these instructions so you can have access to them.
Also, you may want to read them once before you apply them.

:info: Plug in a USB pen drive into the good working computer.

Go to the the Farbar Recovery Scan Tool Download
Select the 64-bit download.
Save the program to the >> USB pen drive.
Remove from the good computer when done.

:info: Now, go to the problem computer.
Plug in the USB pen drive which has FRST.

:info: Using the Windows 7 System Repair Disc just created, boot to the System Recovery Options Instructions: Use Option Two
http://www.sevenforums.com/tutorials/668-system-recovery-options.html

Select: Command Prompt

■In the Command Prompt window, at the blinking cursor, type notepad and press: Enter
■In Notepad, under the File menu select: Open
■Double-click the Computer icon on the left.
■Find the pen drive letter, remember what letter it is, click on it, and press: Open
■Close out of Notepad.

■Click the Command Prompt window
■Type x:\frst64.exe, and press: Enter
Note: Replace the drive letter x with the drive letter of your pen drive!
■FRST starts, and prepares to run. Follow the prompts.
■Click Yes to the Disclaimer.

■Press the Scan button.

The scan runs, and, the program saves the FRST.txt and Addition.txt, on the pen drive.

When done, click the Command Prompt window, type exit, and press: Enter
Back at the System Recovery Options, press: Shutdown
Remove the USB pen drive.

:ar: Plug the USB pen drive in the good working computer, and please provide the FRST.txt and Addition.txt in your reply.

 

[kyle7282]

Here you are. It didn't create an Addition.txt file however.

 

[cottonball]

kyle7282,

Pressing on with FRST...

:info: Please open Notepad (Start > All Programs > Accessories > Notepad)
Copy the entire contents of the code box below
Save it on the pen drive, and name it: fixlist.txt

start
HKLM\...\Run: [] - [x]
HKLM-x32\...\Run: [] -  [x]
HKU\Keenan\...\Run: [TempKeyedkfjsAdobe] - C:\Adobe\rjNeY7PVTgjf\Loerijfsdantilib.exe
HKU\Keenan\...\Run: [JgDsClTqzA] - C:\Users\Keenan\AppData\Roaming\iexplorer.exe
HKU\Keenan\...\Run: [AdobeBridge] - [x]
C:\$Recycle.Bin\S-1-5-18\$1124a725e7eb82f4e97828044d39f9dc
C:\$Recycle.Bin\S-1-5-18\$1124a725e7eb82f4e97828044d39f9dc
C:\$Recycle.Bin\S-1-5-21-1546822543-3853009327-1610196860-1000\$1124a725e7eb82f4e97828044d39f9dc
C:\$Recycle.Bin\S-1-5-18\$1124a725e7eb82f4e97828044d39f9dc
C:\Users\Keenan\Info.bat
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
TDL4: custom:26000022 
end

Note: This script is written specifically for use only on this computer.
Running this on another computer may cause damage to the Operating System!!

Run FRST, and press the Fix button, just once, and wait.

The tool creates a report on the pen drive called: Fixlog.txt
:ar: Please post the Fixlog.txt in your reply.

Let's get the results from this program, and take it from there.

Edited: Made a mistake! Underlined above.

 

[kyle7282]

Do I run FRST on the infected computer?

 

[cottonball]

Same routine as Post #12, but, instead of running Scan, you run: Fix

 

[kyle7282]

Okay, thanks. Here you are. Also, I apologize for taking so long to reply, I have work throughout the week and it eats up most of my time.

 

[cottonball]

The question is...

...my computer has been unable to start up and receives an error...

...is the computer able to start normally?

Need to know before we continue.

 

[kyle7282]

No, it reads "Starting Windows", bluescreens very briefly and restarts.

 

[cottonball]

:ar: Do you still get an error message? If so, please be as specific as you can in describing what it says.

:ar: The FRST report shows it was run from C:. How did you get to C:?

Also, the Fixlog shows it was run from the Desktop.
Where these programs run from the problem computer?

:ar: Can you boot to Safe Mode?
Restart your computer.
When the computer starts, tap the F8 key on the keyboard repeatedly until presented with the Advanced Boot Options menu
Using the arrow keys, select: Safe Mode
Press the Enter key on your keyboard to boot into the selected mode.

Let us know if you can get to Safe Mode.

Pressing on...

:info: Using the good working computer, download ListParts:
http://www.bleepingcomputer.com/download/listparts/
Select the 64-bit download.
Save it to the same USB pen drive where you have the Farbar Recovery Scan Tool saved.

:info: Next, please remove any fixlist or fixlog from the USB pen drive.

Open Notepad (Start > All Programs > Accessories > Notepad)
Copy the entire contents of the code box below
Save it on the pen drive, and name it: fixlist.txt

cmd: copy /y C:\$$PendingFiles [B][COLOR=red]X[/COLOR][/B]:\

(Replace X with the letter of the pen drive.

:info: Now, go to the problem computer.
Plug in the USB pen drive which now has FRST, ListParts, and a new fixlist on it.

:info: Using the Windows 7 System Repair Disc, boot to the System Recovery Options as you did before.
Option Two: http://www.sevenforums.com/tutorials/668-system-recovery-options.html

Select: Command Prompt

In the Command Prompt window, at the blinking cursor, type notepad and press: Enter
In Notepad, under the File menu select: Open
Double-click the Computer icon on the left.
Find the pen drive letter, remember what letter it is, click on it, and press: Open
Close out of Notepad.

:info: Click the Command Prompt window
Type x:\frst64.exe, and press: Enter
Note: Replace the drive letter x with the drive letter of your pen drive!

FRST starts, and prepares to run. Follow the prompts.
Click Yes to the Disclaimer.
Press the Scan button.
The scan runs, and the program saves the FRST.txt report on the pen drive.

:info: Go back to FRST, press the Fix button, just once, and wait until done.
The program saves a Fixlog.txt report on the pen drive.

:info: Now, go back to the Command Prompt, and this time type x:\listparts64.exe and press: Enter
Note: As before, replace the drive letter x with the drive letter of your pen drive!

When ListParts starts to run, check the box next to List BCD and click: Scan
When finished ListParts produces a log on the pen drive titled: Result.txt

:info: Next, click the Command Prompt window, type exit, and press: Enter
Back at the System Recovery Options, press: Shutdown

:info: Remove the USB pen drive.
Plug the USB pen drive in the good working computer.

:ar: Please provide the FRST.txt, the Fixlog.txt, and the Result.txt in your reply.