Solved Win64/Alureon.gen!A*Virus preventing computer startup

^^^ Post above was edited!!! ^^^
 

My Computer My Computer

At a glance

Windows 7 Home Premium
Computer type
PC/Desktop
Computer Manufacturer/Model Number
An ol' eMachines
OS
Windows 7 Home Premium
Internet Speed
Fine for me...I'm retired!
While attempting to bring up the error screen my computer actually started up all the way normally. It is on right now if that's useful.

In your instructions it said save it to the desktop so I did using Notepad. Was that a bad thing?

And yes, I ran FRST on the problem computer, I thought that was correct since you said the same routine as the other post.

I will now take the steps you have given to me and I'll update you once I've completed them.

Edit: I didn't know how to find Notepad on Windows 8, which is why I did it on the infected computer. :o
 

My Computer My Computer

At a glance

Windows 7 Home Premium 64-bit SP1, AMD E-300 Zacate 40nm Technology, 3.00GB DDR3 @ 540MHz (7-7-7-20), 384MB ATI AMD Radeon HD 6310 Graphics (Toshiba)
Computer type
Laptop
Computer Manufacturer/Model Number
Toshiba
OS
Windows 7 Home Premium 64-bit SP1
CPU
AMD E-300 Zacate 40nm Technology
Motherboard
TOSHIBA Portable PC (Socket FT1)
Memory
3.00GB DDR3 @ 540MHz (7-7-7-20)
Graphics Card(s)
384MB ATI AMD Radeon HD 6310 Graphics (Toshiba)
Sound Card
Conexant SmartAudio HD
Hard Drives
298GB TOSHIBA MQ01ABD032 SATA Disk Device (SATA)
Antivirus
None
Browser
Internet Explorer
Here is what you requested. Everything should be in order.
 

Attachments

Good job, kyle7282!! :D

If I understand you correctly, the system is booting up to Windows now. Please confirm.

We do have more work to do, so, let's press on...


:info: Also, download Farbar Service Scanner
Save to the Desktop
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press: Scan
  • FSS creates a log, FSS.txt, on the Desktop.
:ar: Please provide the FSS.txt in your reply.
 

Correct, it is booting up to Windows ^_^

And here it is just as you asked.
 

Attachments

We need to make sure Alureon is not in the picture, remnants or otherwise...

:info: Please go to the TDSSKiller Download, and select the .exe version
Double-click on TDSSKiller.exe to run the program.

When the TDSSKiller console opens, click on: Change Parameters
Under Additional Options, place a check in the box next to: Detect TDLFS File System
Click: OK

Press: Start Scan

  • If a suspicious object is detected by this program, the default action is Skip. Leave this action as is, and click on: Continue
  • If malicious objects are found, they show in the Scan results.
  • Ensure Cure (the default action) is selected, then click: Continue > Reboot now, to finish the cleaning process.
    (Note: If Cure is not available, select Skip, >>Do not select: Delete<<)

When done, the tool creates a log on the disk with the Windows Operating System, normally C:\

Logs have a name like:
C:\TDSSKiller.X.X.X_08.30.2013_15.31.43_log.txt

:ar: Please attach the TDSSKiller log in your reply.
 

That didn't take long at all. Here you go.
 

Attachments

Some remnants on TDSSKiller...

:info: Please run it once again, and this time, when presented with the TDSS File System entry in Threats Detected, select: Delete
:ar: Then post the new TDSSKiller log in your reply.


Now that you are in Windows, let's place the pen drive aside.

:info: Please get a new copy of the Farbar Recovery Scan Tool Download
Select the 64-bit version.
Save to the Desktop. We will use it shortly...

:info: Once again, open Notepad (Start > All Programs > Accessories > Notepad)
Copy the entire contents of the code box below
Save it to the Desktop, and name it: fixlist.txt

Code:
start
DeleteJunctionsInDirectory: C:\Program Files\Windows Defender
end

:info: Double-click the FRST downloaded file to run it.
When the tool opens click Yes to disclaimer.
Press the Fix button.
When done, FRST makes a log (FRST.txt) on the Desktop.

:info: Run FRST once again.
This time check: Addition.txt
Then press: Scan

:ar: Please provide the Fixlog.txt, FRST.txt, and the Addition.txt in your reply.
 

Here you go, hope it helps.
 

Attachments

Looking good. :D

How is the computer running? Any more BSODs or error messages?

There is some 'stuff' here and there that you may want to get rid of, but, we will address it when you post the HijackThis results.


Now, let’s check your security status with the following...

:info: Download Security Check:
http://screen317.spywareinfoforum.org/
Save to your Desktop.

Double-click SecurityCheck.exe
Follow the onscreen instructions inside the black box.

When done, a Notepad report opens automatically, called: checkup.txt

:ar: Please post the checkup.txt in your reply.
(Please do not take any corrective actions!)

:info: Also download HijackThis:
http://www.bleepingcomputer.com/download/hijackthis/
Save to a folder of its own on the Desktop. So, make a folder titled 'HijackThis' on the Desktop, and place HJT in it.
Right-click and select: Run as Administrator
Accept the License Agreement if you decide to run the program.

When the HijackThis console opens, press the following button: Do A system scan and save a logfile
When done scanning, a log opens in Notepad, and also appears on your Desktop.

:ar: Please post the HijackThis log in your reply.
 

No BSODs so far, I had some trouble with ransomware earlier but I did a System Restore that cleared it up I think.

And here are the attachments you requested.
 

Attachments

I had some trouble with ransomware earlier...

Did this happen while you have been working on your issues with me?

What exactly happened?
 

Yes, but it was unrelated I'm sure.

I allowed someone to use the laptop for something and after visiting some website an FBI virus installed itself on my computer and prevented me from doing anything. I apologize for not mentioning this, I hope this doesn't affect what you've helped me do so far.
 

...hope this doesn't affect what you've helped me do so far

Hard telling, but we cannot take any chances...

Please do the following:

(You may want to print these instructions, so they are available to follow.)

:info: Load a USB flash drive with HitmanPro.Kickstart as follows...
Note: the contents of the USB flash drive are erased during this process!

Use a clean (non-infected) computer, and download:
HitmanPro.Kickstart - Anti ransomware, politievirus, bundestrojaner, Reveton, BKA, GVU - SurfRight

Under Download (on the right) select the program applicable to the infected system: 64-bit or 32-bit

When HitmanPro opens, click the KickStart icon at the bottom of the screen.

Plug in the USB flash drive.

When the USB flash drive is detected, a selection screen is presented.
Select the USB flash drive from the choices, and press: Install Kickstart
A warning that all contents of the selected flash drive will be erased is presented.
Press: Yes

As the HitmanPro.Kickstart files are loaded, a progress indicator is shown on the screen.
Once the process is completed a screen is presented with the contents of HitmanPro.Kickstart

:ar: Remove the USB flash drive from the clean computer and press: Close


:info: Now, with the problem computer shut down, plug the USB flash drive into a USB port, and turn on the power.

When the computer starts, press the key that brings up the Boot Menu. (On some machines it's F12, F10, or F2.)

From there, select to boot from the USB drive. (It may say 'Removable Drive' in the options.)
Info: How to Remove Ransomware - Select Real Security

Once you select the USB flash drive to boot from, press: Enter

A KickStart prompt with USB boot options appears.
Select: 1 (Bypass the Master Boot Record (Default))

The system continues to boot from the hard drive and starts Windows.

If you get a message stating that Windows failed to start, etc., just select: Start Windows Normally

When Windows boots, you either get a logon screen, or the Desktop is started.
If you see a logon screen with your User name, logon with it.

In the next prompt, to start the program without installing to the local hard disk, select the option to do: One-time scan to check the computer

To start scanning for malware press: Next

If malware is detected, the program's Scan Results shows what malware is present on the system.
Select Next to quarantine the malware into a secure storage where it can no longer start.

At the next screen, activate the 30-day free license.
After successful activation (30 days), press: Next

A screen indicating that the malware was successfully disabled or removed is presented.
Press: Next

To obtain a report of the scan results, press: Save log
Save the Notepad log!!
It has a name such as: HitmanPro_xxxxxxxx_xxxx


Remove the USB drive, and press: Reboot
If no malware is found, press: Close

After HitmanPro.Kickstart is done, you should be back into normal Windows.

:ar: Please post the HitmanPro log in your reply.
 

I apologize for my late response, I got jammed up with work. Here is the log.
 

Attachments

I would suggest that you uninstall Java and see if you can live without it.

If you must have it installed, then at least use the latest (safest?) version.

The versions that you have...
Java 7 Update 11 (x32 Version: 7.0.110)
Java Auto Updater (x32 Version: 2.1.9.0)
Java(TM) 6 Update 31 (x32 Version: 6.0.310)
JavaFX 2.1.1 (x32 Version: 2.1.1)
<<< I doubt that you need this
...are way out of date.

You might want to read the bottom part of this post... and maybe this one too.
 

My Computer My Computer

At a glance

W7 Pro SP1 64bit, i7, 8GB, Intel HD Graphics
Computer type
Laptop
Computer Manufacturer/Model Number
Employer provided Dell Latitude
OS
W7 Pro SP1 64bit
CPU
i7
Memory
8GB
Graphics Card(s)
Intel HD Graphics
Hard Drives
crappy SSD
Antivirus
Employer mandated Symantec Endpoint Protection
Browser
Pale Moon 64bit, IE11 64bit & Chrome 64bit
kyle7282,

My apology for the delay.

Have not forgotten you. There are a couple of entries in the HitmanPro report that are of concern.

Checking on them, and will get back with you as soon as possible.

Thanks for your patience.
 

kyle7282,

When you ran HitmanPro.Kickstart, did you follow the steps below, and did the program indicate that the malware was successfully disabled or removed?

If malware is detected, the program's Scan Results shows what malware is present on the system.
Select Next to quarantine the malware into a secure storage where it can no longer start.

At the next screen, activate the 30-day free license.
After successful activation (30 days), press: Next

A screen indicating that the malware was successfully disabled or removed is presented.

In any event, please do the following:


:info: Please go to the Farbar Recovery Scan Tool Download
Get an updated copy of the program.
Select the version that applies to your system.
This time, save it to your Desktop.
Double-click the downloaded file to run it.

When the tool opens click Yes to the disclaimer.
Under Optional Scan check the option: List BCD
Press the Scan button.

FRST64 makes a log (FRST.txt) in the same directory from which the tool is run (Desktop).

:ar: Please provide the FRST.txt in your reply.
 

From what I recall it disabled the malware, but I'm not quite sure as it was a few days ago. I apologize for that :o
 

Attachments

OK, let's press on...

:info: Please run HijackThis, Scan, check box for the following:

R3 - URLSearchHook: (no name) - {cce665dd-f6dd-4808-968e-eaec971f70ef} - (no file)
O4 - HKCU\..\Run: [TempKeyedkfjsAdobe] C:\Adobe\rjNeY7PVTgjf\Loerijfsdantilib.exe
O4 - HKCU\..\Run: [JgDsClTqzA] C:\Users\Keenan\AppData\Roaming\iexplorer.exe

Select: Fix checked

Next, search for, and remove the following files:
C:\Adobe\rjNeY7PVTgjf\Loerijfsdantilib.exe
C:\Users\Keenan\AppData\Roaming\iexplorer.exe

Next, please submit the following file for analysis to VirusTotal:
http://www.virustotal.com/

File: C:\windows\SysWOW64\cmd.exe

Use the 'Choose File' button to navigate to the location of the file.

In the Choose file to upload prompt, select the file, then, click the 'Open' button.
The file is now displayed in the blank box of VirusTotal
Click: Scan It, and wait for the results.
If you get a message saying: File has already been analyzed, click: Reanalyze file now
:ar: Once scanned, please provide the link to the results page in your reply.


:info: Next, download the Temporary File Cleaner (TFC)
http://oldtimer.geekstogo.com/TFC.exe
Save to your Desktop.
  • Save any work in progress!! TFC closes open applications and removes unsaved work!!
  • Close all windows.
  • Right-click TFC.exe and select: Run as Administrator
  • If prompted, click Yes to reboot.
:info: Also download AdwCleaner:
http://www.bleepingcomputer.com/download/adwcleaner/
  • Save the program to the Desktop
  • Close all open programs and internet browsers.
  • Right-click on adwcleaner.exe and select: Run As Administrator
  • At the program console, click on: Delete
  • When the program is done, the computer is rebooted automatically, and a text file opens after the restart.
:ar: Please post the AdwCleaner report in your reply.


:info: Last, use the Junkware Removal Tool Download
Save to the Desktop.

Make sure you temporarily disable your AntiVirus, Firewall, and any other AntiSpyware applications.
These programs may interfere with the running of JRT.
Info: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides

Right-click JRT.exe and select: Run as Administrator

The tool opens and starts scanning the system. Please be patient as this can take a while...

When done, a report, JRT.txt is saved on the Desktop.

:ar: Please post the contents of JRT.txt in your reply.
 

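The HijackThis entries the helper singled out above share traits that a defender can check for mechanically: a Run value launching an executable from a user-writable folder (AppData\Roaming) or from a non-standard directory (C:\Adobe\...), a filename that is one letter away from a real Windows binary (iexplorer.exe vs. iexplore.exe), random-looking names, and orphaned entries that point to "(no file)". The script below is an added example, not code from the thread or from HijackThis; it runs those heuristics over a constructed sample log built from the entries quoted in the thread plus one benign Java updater line for contrast. The directory lists, the lookalike targets and the consonant-run threshold are assumptions chosen for illustration and would be tuned in practice.

```python
"""Triage HijackThis-style autorun lines (added example, not HijackThis code).

Flags O4 Run entries that launch from unusual or user-writable locations,
whose filename resembles a well-known Windows binary, or whose names look
machine-generated, plus any entry whose target is reported as "(no file)".
"""
import os
import re
from dataclasses import dataclass, field

# Constructed sample: the three entries quoted in the thread plus one benign
# Java updater entry (assumed legitimate) for contrast.
SAMPLE_LOG = """\
R3 - URLSearchHook: (no name) - {cce665dd-f6dd-4808-968e-eaec971f70ef} - (no file)
O4 - HKCU\\..\\Run: [TempKeyedkfjsAdobe] C:\\Adobe\\rjNeY7PVTgjf\\Loerijfsdantilib.exe
O4 - HKCU\\..\\Run: [JgDsClTqzA] C:\\Users\\Keenan\\AppData\\Roaming\\iexplorer.exe
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] "C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe"
"""

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<rest>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKCU|HKLM)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# Assumed baselines: where legitimate autoruns normally live, markers of
# user-writable locations, and system binaries that malware likes to imitate.
STANDARD_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
LOOKALIKE_TARGETS = ("iexplore.exe", "explorer.exe", "svchost.exe", "csrss.exe", "lsass.exe", "rundll32.exe")
RANDOM_RUN = 5          # consonant run length treated as "random-looking" (heuristic)
VOWELS = set("aeiouy")  # y counted as a vowel so SysWOW64-style names are not flagged


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to spot one-letter-off lookalike filenames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def longest_consonant_run(s: str) -> int:
    """Longest run of consonant letters; digits and punctuation break the run."""
    best = run = 0
    for ch in s.lower():
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def executable_path(cmd: str) -> str:
    """Pull the executable out of a Run value, quoted or not, dropping arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)([a-z]:\\.*?\.(?:exe|dll|scr|bat|cmd|vbs|js))", cmd)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def triage_line(line: str):
    """Return a Finding for a HijackThis line, or None if the line is not one."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    reasons = []
    o4 = O4_RE.match(line)
    if o4:
        name, path = o4.group("name"), executable_path(o4.group("cmd"))
        low = path.lower()
        if not low.startswith(STANDARD_DIRS):
            reasons.append("executable outside Program Files / Windows")
        if any(marker in low for marker in USER_WRITABLE):
            reasons.append("executable in a user-writable location")
        base = os.path.basename(low.replace("\\", "/"))
        for target in LOOKALIKE_TARGETS:
            if base != target and levenshtein(base, target) <= 2:
                reasons.append(f"filename {base!r} resembles {target!r}")
        # Check the value name and every path component below the drive letter.
        labels = [name] + [os.path.splitext(c)[0] for c in path.split("\\")[1:]]
        for label in labels:
            if longest_consonant_run(label) >= RANDOM_RUN:
                reasons.append(f"random-looking name {label!r}")
                break
    if m.group("rest").endswith("(no file)"):
        reasons.append("orphaned entry: target file missing")
    return Finding(line, reasons)


def triage(log_text: str) -> list:
    """Return only the findings that carry at least one reason, in log order."""
    findings = (triage_line(l) for l in log_text.splitlines() if l.strip())
    return [f for f in findings if f is not None and f.reasons]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   -", r)
```

Running it prints the three entries the helper asked to fix, each with the traits that make it stand out, and stays silent on the Java updater line. Every reason is a heuristic, so the output is a triage aid for deciding what to look at next (or what to submit to VirusTotal, as the thread does), not a verdict.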