> Alureon.E, Kaspersky AV's disinfection kills Windows
Espoo
post 7.01.2012 21:37
Post #1
Windows 7 computer (64-bit version 6.1.7600) was acting up, producing random popups ("You've won an iPhone") and redirecting Google search results to various game pages or obviously shady pages. Avira and Malwarebytes found nothing. Spybot S&D was able to find and remove a few trojans and other infections. Windows Defender Offline found Trojan:DOS/Alureon.E but was not able to remove it.

I found a very suspicious very small 3MB partition in Disk Management that was sometimes visible and sometimes active and sometimes not. Trying to delete that or trying to make the Windows partition active produced an I/O error message. (Sometimes even the recovery partition was marked as active!) Despite Googling for a long time, I was able to only find one page mentioning a similar problem (http://social.technet.microsoft.com/Forums/en-GB/w7itprosecurity/thread/4d93ae52-26d6-4082-b398-6a1e4f4d75a8) on the entire Internet, and that only had a typical generic ostrich response from MS.

Spyware Doctor also found Alureon.E, but I don't like their business model of trying to extort money from people in desperate straits instead of providing a fully functional trial version, so I tried Kaspersky AV 2012. KAV was able to remove Alureon.E (subsequent WDO scan was clean), but it killed Windows in the process! The computer screen went black when I allowed KAV to remove Alureon and reboot the computer as recommended, and then the reboot produced the Windows Error Recovery screen.

Running Startup Repair even several times was of no help. System Restore didn't help either.

I used the command prompt to run bootrec /fixmbr, bootrec /fixboot, and bootrec /rebuildbcd as advised on http://www.microsoft.com/security/portal/T...DOS%2FAlureon.E but only the first two were successful. Rebuildbcd produced "total identified windows installations: 0". The following didn't help either:

Bcdedit /export c:\BCD_Backup
c:
cd boot
attrib bcd -s -h -r
ren c:\boot\bcd bcd.old
BootRec /RebuildBcd

All folders and files, including the Windows folder and subfolders, are visible using the dir and cd commands. Can one use the command "bootsect.exe /nt60 all /force" on Windows 7?

Is there a command-line version of gsi.exe or avz.exe? Should I use the Kaspersky Rescue Disk?

I only have a recovery DVD, no installation DVD. What DOS commands are necessary for using the recovery partition to repair Windows?

When I use the repair option on the recovery DVD, it finds Windows 7, but when I click on Next and then System Repair, it doesn't fix anything and even says "Startup Repair could not detect a problem"! This is especially strange because one would assume that this Startup Repair is the exact same one that runs without the CD, and that one results in the opposite "Windows cannot repair this computer automatically".
Medyo
post 11.02.2012 18:02
Post #2
I've repaired three computers during the last month that had this same issue and one thing they all had in common: PORN sites on their logs. Now I'm not gonna say that you got yours by visiting porn sites, that's up to you to figure out.

In any case, there can be various fixes for this and mine may be rather complicated but since I already have my own tools to go by my fix was the fastest route for me.

The 3MB partition is really a 7MB partition. The virus created this partition and made it the active/boot partition. Each time you boot your computer it actually boots from this partition and not your normal C:\ or Windows partition. Thus, your user experience is controlled by whatever it decides to load when you log in to the machine--including your browser experience. Doesn't matter if you install a new browser, it will still redirect you to its partner sites. Doesn't matter either if you have a backup image of your Windows, you can restore as many times as you want but you will still get those redirections because the boot partition is being hosted by that 3MB/7MB partition.

HOW I FIX IT:
1. I booted the machine from a Windows 7 USB (DVD will work too, likewise with a Windows XP CD) as if I was going to re-install Windows.
2. Perform a custom install and delete the 3MB/7MB partition. No need to touch your Windows partition.
3. Restart the machine and then boot it with Partition Magic (Like I said, I already have my tools so I used it)
4. Set the C:\ or Windows partition to Active on Partition Magic
5. Boot the machine normally. Problem fixed.

Take note that if you have a D:\ or another partition in addition to your Windows partition you have to UNHIDE those partitions in Partition Magic. Otherwise when you boot up to Windows you will not see those drives.

Another thing to note is that the virus may have also infected your C:\ drive with some other tricks aside from the website redirection. I couldn't confirm this because my method of repairing computers is to always do a fresh install. I have ghost images of different versions of Windows that I use to restore on computers I repair--I'm not a fan of troubleshooting a virus/spyware/malware or whatever you may call it. For me, once the OS got infected it will never be the same so rather than spending time troubleshooting the problem and charging clients more I simply back up their files, restore Windows and install whatever software they need, and then restore their files.

You don't have to follow the same exact steps I did. What you need to do is just find a way to delete that partition and get your Windows partition to be the active/boot partition again.

Good luck!
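The symptom both posters describe, a tiny partition that has been marked active so the machine boots from it instead of the Windows volume, is visible directly in the disk's MBR partition table. As an added example (not code from either poster), this Python script parses a 512-byte MBR sector and flags any active entry too small to be a real boot volume; the 32 MB threshold and the sample disk layout are assumptions, and the sample sector is constructed inline.

```python
import struct

SECTOR = 512
MBR_TABLE_OFFSET = 446
# Each of the 4 entries: boot flag, CHS start, type, CHS end, LBA start, sector count
ENTRY_FMT = "<B3sB3sII"
# Assumed threshold: a legitimate Windows boot/system partition is far larger than 7 MB
SUSPICIOUS_MAX_BYTES = 32 * 1024 * 1024


def parse_mbr(sector):
    """Return the non-empty primary partition entries of an MBR sector."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    entries = []
    for i in range(4):
        flag, _, ptype, _, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, MBR_TABLE_OFFSET + 16 * i)
        if ptype == 0:            # empty slot
            continue
        entries.append({"index": i, "active": flag == 0x80, "type": ptype,
                        "lba": lba, "sectors": count, "bytes": count * SECTOR})
    return entries


def find_rogue_active(entries):
    """Active partitions too small to plausibly be the Windows boot volume."""
    return [e for e in entries if e["active"] and e["bytes"] <= SUSPICIOUS_MAX_BYTES]


def make_entry(active, ptype, lba, count):
    return struct.pack(ENTRY_FMT, 0x80 if active else 0, b"\0\0\0",
                       ptype, b"\0\0\0", lba, count)


def build_sample_mbr():
    """Constructed sample: 100 MB System Reserved, 200 GB Windows, 7 MB rogue partition."""
    table = (make_entry(False, 0x07, 2048, 204800)          # System Reserved, not active
             + make_entry(False, 0x07, 206848, 419430400)   # Windows C: volume
             + make_entry(True, 0x07, 419637248, 14336)     # 7 MB partition flagged active
             + b"\0" * 16)                                  # unused fourth slot
    return b"\0" * MBR_TABLE_OFFSET + table + b"\x55\xaa"


if __name__ == "__main__":
    for e in find_rogue_active(parse_mbr(build_sample_mbr())):
        print("suspicious active partition #%d: %d bytes at LBA %d"
              % (e["index"], e["bytes"], e["lba"]))
```

On a live MBR-style disk the first 512 bytes of \\.\PhysicalDrive0 (read with administrator rights) can be passed to parse_mbr in place of the constructed sector; GPT disks need a different parser.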