Trojan:Win32/Alureon.gen!AC REMOVAL

Re: Trojan:Win32/Alureon.gen!AC REMOVAL

Post by sketch lagit » July 29th, 2011, 12:45 am

Not found:
C:\Windows\System32\drivers\iaStor.sys
C:\Windows\System32\drivers\iaStorV.sys
C:\Windows\System32\drivers\nvraid.sys
C:\Windows\System32\drivers\nvstor.sys
sketch lagit
Regular Member
Posts: 32
Joined: July 16th, 2011, 9:53 pm

Re: Trojan:Win32/Alureon.gen!AC REMOVAL

Post by Gary R » July 29th, 2011, 2:28 am

OK, I think we should remove the following files and folders ....

  • Double click OTL.exe to launch the programme.
  • Copy/Paste the contents of the code box below into the Custom Scans/Fixes box.
:Files
C:\version
C:\ml-20110714032055.xml
C:\Windows\SysWow64\wrLZMA.dll
C:\Windows\system32\wrLZMA.dll
C:\CD3rdPartyWrapper.log
C:\lv.log
ipconfig /flushdns /c

:Commands
[emptytemp]
[emptyflash]
[resethosts]

  • Click the Run Fix button.
  • OTL will now process the instructions.
  • When finished a box will open asking you to open the fix log, click OK.
  • The fix log will open.
  • Copy/Paste the log in your next reply please.

Note: If necessary, OTL may re-boot your computer, or request that you do so, if it does, re-boot your computer. A log will be produced upon re-boot.

To see the driver files I asked you to scan, you'll need to do the following. Sorry, my fault, I should have told you to do this earlier .....

  • Click Start > Control Panel > Appearance and personalization
  • Under Folder Options click on Show hidden files and folders
  • A Folder Options window will open
    • Click the Show hidden files, folders and drives button.
    • Scroll down and uncheck Hide extensions for known file types.
    • Scroll down and uncheck Hide protected operating system files (recommended). Click Yes when prompted.
    • Click OK and exit the Folder Options window.

C:\Windows\System32\drivers\iaStor.sys
C:\Windows\System32\drivers\iaStorV.sys
C:\Windows\System32\drivers\nvraid.sys
C:\Windows\System32\drivers\nvstor.sys

  • Browse to the first file in the quote box above.
  • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
  • After a while, a window will open, with details of what the scans found.
  • Note details of any viruses found.
  • Repeat for all files on the list, and post me the details please.
Gary R
Administrator
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Trojan:Win32/Alureon.gen!AC REMOVAL

Post by sketch lagit » July 30th, 2011, 12:06 pm

All processes killed
========== FILES ==========
C:\version moved successfully.
C:\ml-20110714032055.xml moved successfully.
File move failed. C:\Windows\SysWow64\wrLZMA.dll scheduled to be moved on reboot.
File move failed. C:\Windows\system32\wrLZMA.dll scheduled to be moved on reboot.
C:\CD3rdPartyWrapper.log moved successfully.
C:\lv.log moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Dakota\Downloads\cmd.bat deleted successfully.
C:\Users\Dakota\Downloads\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Dakota
->Temp folder emptied: 6997396627 bytes
->Temporary Internet Files folder emptied: 2326618 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 242677918 bytes
->Google Chrome cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 7706 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 17440 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50333 bytes
%systemroot%\sysnative\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 6,907.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Dakota
->Flash cache emptied: 0 bytes

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb

C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.26.1 log created on 07302011_003519

Files\Folders moved on Reboot...
File move failed. C:\Windows\SysWow64\wrLZMA.dll scheduled to be moved on reboot.
File move failed. C:\Windows\system32\wrLZMA.dll scheduled to be moved on reboot.
C:\Users\Dakota\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

Registry entries deleted on Reboot...
sketch lagit
Regular Member
Posts: 32
Joined: July 16th, 2011, 9:53 pm

Re: Trojan:Win32/Alureon.gen!AC REMOVAL

Post by sketch lagit » July 30th, 2011, 12:13 pm

None of the files were found.
sketch lagit
Regular Member
Posts: 32
Joined: July 16th, 2011, 9:53 pm

Re: Trojan:Win32/Alureon.gen!AC REMOVAL

Post by Gary R » July 30th, 2011, 4:02 pm

It's not clear whether the two wrLZMA.dll files were successfully removed.

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
:filefind
wrLZMA.dll

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt

No idea why you're unable to see the driver files I asked you to scan at VT or Jotti's; OTL clearly sees them.

  • Download aswMBR.exe to your desktop.
  • Double click aswMBR.exe to run it.
  • Click the SCAN button to start the scan.
  • On completion of the scan click SAVE LOG and save it to your desktop.
  • Post the log contents in your next reply please.

DO NOT ATTEMPT TO FIX ANYTHING ASWMBR MAY FIND
Gary R
Administrator
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
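As an added example (not from this thread, nor part of OTL or SystemLook), a small Python parser that answers Gary R's question mechanically: it reads the per-file verdicts in the OTL fix log and the SystemLook :filefind output, then lists the paths OTL only scheduled for reboot and whether SystemLook still finds them. The sample input is constructed from lines quoted in this thread.

```python
import re

# Constructed sample: lines taken from the OTL fix log and SystemLook output quoted in this thread.
OTL_FIX_LOG = """\
========== FILES ==========
C:\\version moved successfully.
File move failed. C:\\Windows\\SysWow64\\wrLZMA.dll scheduled to be moved on reboot.
File move failed. C:\\Windows\\system32\\wrLZMA.dll scheduled to be moved on reboot.
C:\\Users\\Dakota\\Downloads\\cmd.bat deleted successfully.
========== COMMANDS ==========
Files\\Folders moved on Reboot...
File move failed. C:\\Windows\\SysWow64\\wrLZMA.dll scheduled to be moved on reboot.
File move failed. C:\\Windows\\system32\\wrLZMA.dll scheduled to be moved on reboot.
"""
SYSTEMLOOK_LOG = """\
Searching for "wrLZMA.dll"
C:\\Windows\\SysWOW64\\wrLZMA.dll --a---- 30424 bytes [05:01 02/11/2010] [02:44 08/12/2010] (Unable to calculate MD5)
"""

# OTL reports one outcome per line; the path is everything from the drive letter up to the verdict.
_OUTCOMES = [
    (re.compile(r"^(?P<path>[A-Za-z]:\\.*?) moved successfully\.$"), "moved"),
    (re.compile(r"^(?P<path>[A-Za-z]:\\.*?) deleted successfully\.$"), "deleted"),
    (re.compile(r"^File move failed\. (?P<path>[A-Za-z]:\\.*?) scheduled to be moved on reboot\.$"), "scheduled"),
]

def otl_file_status(log):
    """Final outcome per path (lower-cased: NTFS paths are case-insensitive); the later 'moved on Reboot' section wins."""
    status = {}
    for line in log.splitlines():
        for pattern, outcome in _OUTCOMES:
            m = pattern.match(line.strip())
            if m:
                status[m.group("path").lower()] = outcome
                break
    return status

def systemlook_hits(log):
    """Paths that SystemLook :filefind lists as present (a drive path followed by the attribute field)."""
    hits = set()
    for line in log.splitlines():
        m = re.match(r"^([A-Za-z]:\\\S+)\s+-", line.strip())
        if m:
            hits.add(m.group(1).lower())
    return hits

def unresolved(otl_log, systemlook_log):
    """Paths OTL never confirmed as removed, with what SystemLook says about each of them."""
    present = systemlook_hits(systemlook_log)
    return {path: ("still present" if path in present else "not found by SystemLook")
            for path, outcome in otl_file_status(otl_log).items() if outcome == "scheduled"}
```

On the logs above this reports the SysWOW64 copy of wrLZMA.dll as still present and the system32 copy as no longer found, which is the state the later SystemLook post confirms.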

Re: Trojan:Win32/Alureon.gen!AC REMOVAL

Post by sketch lagit » July 31st, 2011, 1:39 am

SystemLook 04.09.10 by jpshortstuff
Log created at 23:35 on 30/07/2011 by Dakota
Administrator - Elevation successful

========== filefind ==========

Searching for "wrLZMA.dll"
C:\Windows\SysWOW64\wrLZMA.dll --a---- 30424 bytes [05:01 02/11/2010] [02:44 08/12/2010] (Unable to calculate MD5)

-= EOF =-
sketch lagit
Regular Member
Posts: 32
Joined: July 16th, 2011, 9:53 pm

Re: Trojan:Win32/Alureon.gen!AC REMOVAL

Post by sketch lagit » July 31st, 2011, 1:45 am

aswMBR version 0.9.8.978 Copyright(c) 2011 AVAST Software
Run date: 2011-07-30 23:43:50
-----------------------------
23:43:50.861 OS Version: Windows x64 6.1.7600
23:43:50.861 Number of processors: 2 586 0x170A
23:43:50.862 ComputerName: DAKOTA-VAIO UserName: Dakota
23:43:51.919 Initialize success
23:44:25.932 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
23:44:25.936 Disk 0 Vendor: WDC_WD32 11.0 Size: 305245MB BusType: 3
23:44:25.941 Disk 1 \Device\Harddisk1\DR1 -> \Device\0000006a
23:44:25.945 Disk 1 Vendor: RICOH 01 Size: 305245MB BusType: 0
23:44:25.948 Disk 2 \Device\Harddisk2\DR2 -> \Device\0000006b
23:44:25.952 Disk 2 Vendor: RICOH 02 Size: 305245MB BusType: 0
23:44:25.955 Disk 0 MBR read error 0
23:44:25.960 Disk 0 MBR scan
23:44:25.964 Disk 0 unknown MBR code
23:44:25.968 MBR BIOS signature not found 0
23:44:25.972 Service scanning
23:44:26.811 Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
23:44:27.423 Modules scanning
23:44:27.431 Disk 0 trace - called modules:
23:44:27.488 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys sptd.sys hal.dll
23:44:27.499 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004c3d060]
23:44:27.509 3 CLASSPNP.SYS[fffff8800165143f] -> nt!IofCallDriver -> [0xfffffa8004711e40]
23:44:27.519 5 ACPI.sys[fffff88000ee8781] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004710050]
23:44:27.530 Scan finished successfully
23:45:12.346 Disk 0 MBR has been saved successfully to "C:\Users\Dakota\Downloads\MBR.dat"
23:45:12.352 The log file has been saved successfully to "C:\Users\Dakota\Downloads\girk.txt"
sketch lagit
Regular Member
Posts: 32
Joined: July 16th, 2011, 9:53 pm

Re: Trojan:Win32/Alureon.gen!AC REMOVAL

Post by Gary R » July 31st, 2011, 9:37 am

If you still have Combofix on your machine, please run it using the instructions below, if not download a new copy from .....

Link 1
Link 2

  • Click Start > Run type Notepad click OK.
  • This will open an empty Notepad file.
  • Copy/Paste the contents of the box below into Notepad.
Rootkit::
C:\Windows\SysWOW64\wrLZMA.dll

  • Click Format and ensure Wordwrap is unchecked.
  • Save as CFScript.txt to your Desktop.

Referring to the picture in the original post, drag CFScript.txt into ComboFix.exe.

Combofix will now process that file.

When finished, it will produce a log for you. Post that log in your next reply please. (it can also be found at C:\Combofix.txt)

How's your computer behaving now?
Gary R
Administrator
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Trojan:Win32/Alureon.gen!AC REMOVAL

Post by Gary R » August 4th, 2011, 12:50 pm

Due to lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
Gary R
Administrator
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire