Jump to content

Please! Help needed to remove this...boot:\Device\HarddiskVolume3\ boot:\\.\PHYSICALDRIVE0\Partition2 (Type 17)


Recommended Posts

Hi everyone,

 

I hope someone can help, my laptop had this Trojan:DOS/alureon.E on it. I had avast installed and it always found the trojan but could never remove it after numerous restart attempts. Eventually my laptop (windows vista) gave up on me but yesterday I had someone come and use a boot disk so I could retrieve all my files and documents onto my external hard drive, which we did, he then factory reset my laptop which I was hoping would eliminate this trojan. My laptop now seems to be working fine.

 

Unfortunately the infected file must still be on my hard drive as now Microsoft Security Essentials is now finding this trojan again.

 

Now I'm in a loop of MSE finding the infected files, removing them, asking me to restart, finding them again etc etc..

 

I have run the bootrec.exe commands which said they were successful but I would like to know how I could get rid of this completely!!

 

I obviously need to removed the dodgy files from my external hard drive, but how do I get it of my laptop?

 

Any help would be much appreciated and please bear with me as although I know a little about computers, I am nowhere near an expert!

 

Thanks so much 

Link to post
Share on other sites

Welcome to the forum, please start HERE

Post back the 2 logs here.....DDS.txt and Attach.txt

(please don't put logs in code or quotes)

P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

2. If you have illegal/cracked software, cracks, keygens, Adobe host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

<====><====><====><====><====><====><====><====>

Next................

Please download and run RogueKiller 32 bit to your desktop.

RogueKiller<---use this one for 64 bit systems

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes and use the default font)

MrC

Note:

Please read all of my instructions completely including these.

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give to instructions on how to cleanup all the tools and logs

<+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)

Link to post
Share on other sites

Hi,

 

I downloaded the anti-malware and it didn't detect anything. Here is the log:

 

 

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.09.13.03
 
Windows Vista x86 NTFS
Internet Explorer 7.0.6000.16982
holmes :: HOLMES-PC [administrator]
 
13/09/2013 09:30:06
mbam-log-2013-09-13 (09-30-06).txt
 
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 200389
Time elapsed: 5 minute(s), 56 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
(end)
 
 

 

Next I tried the dds. The dds.scr wouldn't even load up, the dds.com would get to about 75% complete and stay at that point for ages, much longer than then 3 minutes!

 

I had turned off my MSE, and disconnected from the internet. I don't know how to disable any script blocker that I may or may not have!

 

What do you recommend I do now?

 

Thanks for your help! 

Link to post
Share on other sites

Yes, here's the report:

 

RogueKiller V8.6.11 [sep 11 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows Vista (6.0.6000 ) 32 bits version
Started in : Normal mode
User : holmes [Admin rights]
Mode : Scan -- Date : 09/13/2013 12:40:33
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 2 ¤¤¤
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
 
¤¤¤ Scheduled tasks : 0 ¤¤¤
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [LOADED] ¤¤¤
[Address] IRP[iRP_MJ_CREATE] : C:\Windows\system32\drivers\atapi.sys -> HOOKED ([Address] C:\Windows\system32\drivers\ataport.SYS @ 0x807980C2)
[Address] IRP[iRP_MJ_CLOSE] : C:\Windows\system32\drivers\atapi.sys -> HOOKED ([Address] C:\Windows\system32\drivers\ataport.SYS @ 0x807980C2)
[Address] IRP[iRP_MJ_DEVICE_CONTROL] : C:\Windows\system32\drivers\atapi.sys -> HOOKED ([Address] C:\Windows\system32\drivers\ataport.SYS @ 0x807869F4)
[Address] IRP[iRP_MJ_INTERNAL_DEVICE_CONTROL] : C:\Windows\system32\drivers\atapi.sys -> HOOKED ([Address] C:\Windows\system32\drivers\ataport.SYS @ 0x807869C6)
[Address] IRP[iRP_MJ_POWER] : C:\Windows\system32\drivers\atapi.sys -> HOOKED ([Address] C:\Windows\system32\drivers\ataport.SYS @ 0x80786A22)
[Address] IRP[iRP_MJ_SYSTEM_CONTROL] : C:\Windows\system32\drivers\atapi.sys -> HOOKED ([Address] C:\Windows\system32\drivers\ataport.SYS @ 0x80793B36)
[Address] IRP[iRP_MJ_PNP] : C:\Windows\system32\drivers\atapi.sys -> HOOKED ([Address] C:\Windows\system32\drivers\ataport.SYS @ 0x80793B02)
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ Infection :  ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
127.0.0.1       localhost
::1             localhost
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: Hitachi HTS541612J9SA00 ATA Device +++++
--- User ---
[MBR] 6290fdb9a623b9fdac8a566cf778686c
[bSP] 49ae8ef5029e38adaf355d7e2453bd0f : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 109230 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 223705125 | Size: 5239 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 234436545 | Size: 2 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[0]_S_09132013_124033.txt >>
Link to post
Share on other sites

Please read the directions carefully so you don't end up deleting something that is good!!

If in doubt about an entry....please ask or choose Skip!!!!

Don't Delete anything unless instructed to!

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

If a suspicious object is detected, the default action will be Skip, click on Continue

Please note that TDSSKiller can be run in safe mode if needed.

Please download the latest version of TDSSKiller from HERE and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

    image000q.png

  • Put a checkmark beside loaded modules.

    2012081514h0118.png

  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.

    clip.jpg

  • Click the Start Scan button.

    19695967.jpg

  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.

    67776163.jpg

    Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

    If in doubt about an entry....please ask or choose Skip

  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.

    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

    62117367.jpg

    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
  • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:

If in doubt about an entry....please ask or choose Skip

Don't Delete anything unless instructed to!

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

~~~~~~~~~~~~~~~~~~~~

You can attach the logs if they're too long:

Bottom right corner of this page.

reply1.jpg

New window that comes up.

replyer1.jpg

MrC

Link to post
Share on other sites

I only have 2 logs but maybe because it didn't give me any options to cure anything and so didn't ask me to reboot for the final time either.

 

12:59:21.0092 0x0c98  TDSS rootkit removing tool 2.9.2.0 Aug 15 2013 16:44:29
12:59:21.0464 0x0c98  ============================================================
12:59:21.0464 0x0c98  Current date / time: 2013/09/13 12:59:21.0464
12:59:21.0464 0x0c98  SystemInfo:
12:59:21.0464 0x0c98  
12:59:21.0465 0x0c98  OS Version: 6.0.6000 ServicePack: 0.0
12:59:21.0465 0x0c98  Product type: Workstation
12:59:21.0465 0x0c98  ComputerName: HOLMES-PC
12:59:21.0466 0x0c98  UserName: holmes
12:59:21.0466 0x0c98  Windows directory: C:\Windows
12:59:21.0466 0x0c98  System windows directory: C:\Windows
12:59:21.0466 0x0c98  Processor architecture: Intel x86
12:59:21.0466 0x0c98  Number of processors: 2
12:59:21.0466 0x0c98  Page size: 0x1000
12:59:21.0466 0x0c98  Boot type: Normal boot
12:59:21.0466 0x0c98  ============================================================
12:59:22.0821 0x0c98  Drive \Device\Harddisk0\DR0 - Size: 0x1BF2976000 (111.79 Gb), SectorSize: 0x200, Cylinders: 0x3901, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
12:59:22.0823 0x0c98  ============================================================
12:59:22.0823 0x0c98  \Device\Harddisk0\DR0:
12:59:22.0824 0x0c98  MBR partitions:
12:59:22.0824 0x0c98  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0xD5577E6
12:59:22.0824 0x0c98  \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0xD557825, BlocksNum 0xA3BF9C
12:59:22.0824 0x0c98  ============================================================
12:59:22.0920 0x0c98  C: <-> \Device\Harddisk0\DR0\Partition1
12:59:22.0968 0x0c98  D: <-> \Device\Harddisk0\DR0\Partition2
12:59:22.0968 0x0c98  ============================================================
12:59:22.0968 0x0c98  Initialize success
12:59:22.0968 0x0c98  ============================================================
12:59:55.0190 0x0f88  Deinitialize success
 
 
2nd log is attached as it's too long
 
 
thanks

 

TDSSKiller.2.9.2.0_13.09.2013_13.02.39_log.txt

Link to post
Share on other sites

Run TDSSKiller again and choose Delete for this one only: (no need to post the log)

13:05:52.0406 0x0724 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user

13:05:52.0406 0x0724 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip

--------------------------------

Then.......

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt
To attach a log if needed:

Bottom right corner of this page.

reply1.jpg

New window that comes up.

replyer1.jpg

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that they are now functioning normally.

MrC

Link to post
Share on other sites

Looks like MBAR found the problem, is avast still detecting it??

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

Link to post
Share on other sites

Run this scan first and then ComboFix:

Download aswMBR to your desktop.

http://public.avast.com/~gmerek/aswMBR.exe

Double click the aswMBR.exe to run it.

If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".

Click the "Scan" button to start scan.

On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

MrC

Link to post
Share on other sites

Try it like this......

Delete your copy of ComboFix. Grab a fresh copy and save it to your Desktop, but do not run it yet.

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

Click Start --> Run, and enter this command exactly as shown: (copy and paste)

"%userprofile%\desktop\combofix.exe" /nombr

See if it will run successfully now. MrC

Link to post
Share on other sites

Good........

Lets clean out any adware while you're here: (this will require a reboot so save all your work)

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.

    Vista/Windows 7/8 users right-click and select Run As Administrator

  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted:
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.
Then..................

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how computer is running now, MrC

Link to post
Share on other sites
# AdwCleaner v3.004 - Report created 17/09/2013 at 16:45:16

# Updated 15/09/2013 by Xplode

# Operating System : Windows Vista Home Premium  (32 bits)

# Username : holmes - HOLMES-PC

# Running from : C:\Users\holmes\Desktop\AdwCleaner.exe

# Option : Clean

 

***** [ Services ] *****

 

 

***** [ Files / Folders ] *****

 

 

***** [ Shortcuts ] *****

 

 

***** [ Registry ] *****

 

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{761F6A83-F007-49E4-8EAC-CDB6808EF06F}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}

 

***** [ Browsers ] *****

 

-\\ Internet Explorer v7.0.6000.16982

 

 

-\\ Google Chrome v29.0.1547.66

 

[ File : C:\Users\holmes\AppData\Local\Google\Chrome\User Data\Default\preferences ]

 

 

*************************

 

AdwCleaner[R0].txt - [947 octets] - [17/09/2013 16:42:18]

AdwCleaner[s0].txt - [873 octets] - [17/09/2013 16:45:16]

 

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [932 octets] ##########

 

 

Scan came up clean, laptop seems to be running ok, had a few occasions where the internet connection went down today but that may just be my internet provider.

mbam-log-2013-09-17 (16-53-10).txt

Link to post
Share on other sites

Good......

Lets check your computers security before you go and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • If you get Unsupported operating system. Aborting now, just reboot and try again.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!
MrC
Link to post
Share on other sites
 Results of screen317's Security Check version 0.99.73  

 Windows Vista  x86 (UAC is enabled)  


 Internet Explorer 7 Out of date! 

``````````````Antivirus/Firewall Check:`````````````` 

 Windows Firewall Enabled!  

 WMI entry may not exist for antivirus; attempting automatic update. 

`````````Anti-malware/Other Utilities Check:````````` 

 Malwarebytes Anti-Malware version 1.75.0.1300  

 Adobe Reader 8 Adobe Reader out of Date! 

 Google Chrome 29.0.1547.66  

````````Process Check: objlist.exe by Laurent````````  

 Microsoft Security Essentials MSMpEng.exe 

 Microsoft Security Essentials msseces.exe 

`````````````````System Health check````````````````` 

 Total Fragmentation on Drive C: 7 % Defragment your hard drive soon! (Do NOT defrag if SSD!)

````````````````````End of Log`````````````````````` 
Link to post
Share on other sites

Out dated programs on the system are vulnerable to malware.
Please update or uninstall them:


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Out of date service pack!! <-----please check Windows Update for this
Internet Explorer 7 Out of date!


-------------------------------------

Adobe Reader 8 Adobe Reader out of Date! <---please check for an update if available or uninstall and download and install Foxit Reader which is less vulnerable to malware and much better than Adobe. Don't install any toolbars that may come with it (ASK Toolbar).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

cf2.jpg

Then hit enter.
This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)

---------------------------------

If you used FRST:
Download the fixlist.txt to the same folder as FRST.
Run FRST and click Fix only once and wait
That will delete the quarantine folder created by FRST.

-----------------------------

Please download OTC to your desktop.
http://oldtimer.geekstogo.com/OTC.exe

Double-click OTC to run it. (Vista and up users, please right click on OTC and select "Run as an Administrator")
Click on the CleanUp! button and follow the prompts.
(If you get a warning from your firewall or other security programs regarding OTC attempting to contact the Internet, please allow the connection.)
You will be asked to reboot the machine to finish the Cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.

Any other programs or logs you can manually delete.
IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, MBAR, etc....AdwCleaner > just run the program and click uninstall.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.