# Trojan:DOS/Alureon.E still lives after a full system recovery



## sharky (Jul 9, 2001)

*TrojanOS/Alureon.E*

I had another post: my computer had the TrojanOS/Alureon.E.
I decided to do a full system recovery, attempting to get rid of the TrojanOS/Alureon.E, but when I installed Microsoft Security Essentials and the software did its first scan, it found *TrojanOS/Alureon.E* again.

Here is what Microsoft Security Essentials says:

*_______________________________________________________________________*
*TrojanOS/Alureon.E*

Summary
TrojanOS/Alureon.E is the detection name for infected Volume Boot Records (VBR) produced by certain variants of the Win32/Alureon rootkit family. The rootkit infects 32-bit and 64-bit systems.

Technical Information 
TrojanOS/Alureon.E is the detection name for infected Volume Boot Records (VBR) produced by certain variants of the Win32/Alureon rootkit family. The rootkit infects 32-bit and 64-bit systems.

Payload...........Installs other malware components 
TrojanOS/Alureon.E attempts to access the hidden rootkit file system (VFS) to locate the file 'boot' in the VFS root folder. It then loads 'boot' and transfers control to it. The file 'boot' prevents Windows from checking digital signatures for drivers, installs itself as a handler for hard disk read/write requests, loads the original Windows VBR, and transfers control to it.
Each time Windows reads from the hard drive, the file 'boot' intercepts data and monitors whether the kernel debugger component 'KDCOM.DLL' is loaded into memory. If so, 'boot' injects another rootkit component from the VFS root folder named either 'dbg32' or 'dbg64', depending on the computer's architecture, thus forcing Windows to load it instead of the legitimate 'KDCOM.DLL' file. The loaded rootkit component loads the main rootkit driver, which is responsible for hiding the Alureon rootkit components. The injected file may also prevent the Windows kernel from being debugged and may cause boot failures on computers running 64-bit Windows XP and 64-bit Windows Server 2003.

This virus may cause damage to the Volume Boot Record (VBR). You will need to run the following commands using the "bootrec.exe" tool to ensure a complete repair of your computer:
bootrec /fixmbr 
bootrec /fixboot 
bootrec /rebuildbcd ...For more details on these commands, please refer to Microsoft Security Article KB927392, with specific focus to the options "/fixmbr", "/fixboot" and "/rebuildbcd".

ITEM:
boot:\\.\physicaldrive0\partition 3 (type 17)

*_______________________________________________________________________*

Before I did a system recovery, I tried dozens of anti-virus programs, specialized rootkit scanners, etc., trying to get rid of the TrojanOS/Alureon.E; some found the Trojan and partially got rid of it. Also, I tried the specialized tools from Microsoft.
I have been reading up on this particular Trojan and was aware the Trojan would likely not be destroyed via a system recovery, but I took the chance. Also, the full recovery gives my computer that 'fresh' new feeling.

My question is: Is there a less complex method of trying to get rid of this Trojan than running commands in the Volume Boot Record? I don't have the confidence/experience to go into the VBR and play around and run commands.


----------



## sharky (Jul 9, 2001)

[While I wait for help, I did some research on this Trojan and read that the people who spread the virus are sitting in a jail cell right now]

The FBI (Federal Bureau of Investigation) shut down the botnet built by a group of criminals arrested in November 2011. The cyber-criminals, operating on behalf of the company Rove Digital, spread viruses and carried out malicious acts to change the DNS settings of the affected machines and to direct Internet users to fake websites. Users of personal computers infected by the virus known as the DNSChanger malware had an entirely bogus online browsing experience. The malicious code, in fact, hijacked browsers to websites created specifically to feed the botnets and altered the results of searches carried out online. In effect, users of the machines affected by the malware saw an altered version of the Internet. Last November, the FBI, NASA-OIG (National Aeronautics and Space Administration Inspector General) and the Estonian police arrested the criminals responsible for the infections and for the creation of the botnets. Among the malware targeted were the viruses known by the names TDSS, Alureon, TidServ and TDL4.
http://www.webmasterpoint.org/news/...o-dns-fbi-sito-su-cui-controllare_p46571.html

Also, another site says this about the Trojan:
http://dellea.biz/2012/04/will-you-lose-internet-service-in-july-2012/


----------



## sharky (Jul 9, 2001)

RogueKiller V7.4.3 [05/04/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: boycat [Admin rights]
Mode: Scan -- Date: 05/07/2012 00:04:46

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 5 ¤¤¤
[SUSP PATH] CIS_{81EFDD93-DBBE-415B-BE6E-49B9664E3E82}.job @ : C:\Users\boycat\AppData\Local\Temp\cis621D.exe -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD10 EARS-22Y5B1 SCSI Disk Device +++++
--- User ---
[MBR] 459f8e217475f6b3d3fc89e6279145f8
[BSP] 91cd636b321e000e1fadca928a0b8188 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 18000 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 36866048 | Size: 100 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 37070848 | Size: 935767 Mo
3 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 1953523120 | Size: 0 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt
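The partition table in the RogueKiller log above, and the item MSE keeps naming (`\\.\PHYSICALDRIVE0\Partition3 (Type 17)`), can be checked straight from the raw MBR rather than from any one scanner's summary. The script below is an added example for this thread, not code from RogueKiller, aswMBR or Microsoft Security Essentials. It unpacks the four 16-byte entries of a 512-byte MBR and flags the traits that mark a TDL4-style hidden partition: a hidden type ID such as 0x17, a size under 2 MiB, and a start within 2 MiB of the end of the disk. The embedded sector is constructed from the offsets and sizes in the log: its boot code is zeroed, the 2032-sector size of the hidden entry is assumed from the 1016 KiB that GParted reports later in the thread, and the 1953525168-sector disk size is the usual figure for a 1 TB drive, not a value from the page. `read_mbr()` accepts a disk image or, with administrator rights, the raw physical drive.

```python
"""Parse an MBR partition table and flag a hidden tail partition of the kind TDL4/Alureon.E adds.

Added example for this thread; it is not code from RogueKiller, aswMBR or Microsoft Security
Essentials, and the disk figures below are reconstructed from the logs, not read from a real drive.
"""
import struct

SECTOR = 512
TABLE_OFFSET = 446          # four 16-byte entries at 0x1BE..0x1FD, then the 0x55AA signature
ENTRY_FMT = "<B3sB3sII"     # boot flag, CHS start, type ID, CHS end, LBA start, sector count
TWO_MIB = 2 * 1024 * 1024 // SECTOR   # 4096 sectors

# Type IDs that hide a FAT/NTFS volume from Windows. 0x27 (WinRE / OEM recovery, the Acer
# PQSERVICE partition here) is deliberately not in the set: it is legitimate on OEM machines.
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}

# Assumed total size of the 1 TB WD10EARS in the log (1953525168 sectors); the page only
# gives the rounded 953869 MB that aswMBR reports.
DISK_SECTORS = 1953525168


def read_mbr(path):
    """Read sector 0 from a disk image, or from a raw device (the first physical drive on
    Windows needs Administrator; /dev/sda on Linux needs root)."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR)


def parse_mbr(mbr):
    """Return the non-empty partition entries in table order; raise if this is not an MBR."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a 512-byte sector with a 0x55AA boot signature")
    entries = []
    for i in range(4):
        boot, _chs1, ptype, _chs2, start, count = struct.unpack_from(
            ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i)
        if ptype == 0:
            continue
        entries.append({"index": i, "active": boot == 0x80, "type": ptype,
                        "start": start, "sectors": count, "end": start + count})
    return entries


def flag_suspicious(entries, disk_sectors):
    """Return (entry index, reason) pairs for anything that looks like a rootkit's hidden partition."""
    flags = []
    for e in entries:
        if e["type"] in HIDDEN_TYPES:
            flags.append((e["index"], "hidden partition type 0x%02X" % e["type"]))
        if e["sectors"] < TWO_MIB:
            flags.append((e["index"], "only %d sectors (%d KiB)"
                          % (e["sectors"], e["sectors"] * SECTOR // 1024)))
        if disk_sectors - e["start"] <= TWO_MIB:
            flags.append((e["index"], "starts %d sectors before the end of the disk"
                          % (disk_sectors - e["start"])))
    ordered = sorted(entries, key=lambda e: e["start"])
    for prev, cur in zip(ordered, ordered[1:]):
        if cur["start"] < prev["end"]:
            flags.append((cur["index"], "overlaps entry %d" % prev["index"]))
    if not any(e["active"] for e in entries):
        flags.append((None, "no active partition for the MBR code to hand off to"))
    return flags


def build_sample_mbr():
    """Constructed MBR reproducing the table in the RogueKiller log above.
    Boot code is left zeroed and the CHS fields are dummies; only the LBA fields matter here."""
    layout = [  # (boot flag, type, LBA start, sector count)
        (0x00, 0x27, 2048, 18000 * 2048),          # ACER / PQSERVICE recovery, 18000 MB
        (0x80, 0x07, 36866048, 100 * 2048),        # System Reserved, 100 MB, active
        (0x00, 0x07, 37070848, 935767 * 2048),     # C:, 935767 MB
        (0x00, 0x17, 1953523120, 2032),            # hidden tail entry; 2032 sectors is assumed
    ]                                              #   from the 1016 KiB GParted shows later
    mbr = bytearray(SECTOR)
    for i, (boot, ptype, start, count) in enumerate(layout):
        struct.pack_into(ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i,
                         boot, b"\xff\xff\xff", ptype, b"\xff\xff\xff", start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())   # or: parse_mbr(read_mbr(r"\\.\PhysicalDrive0"))
    for p in parts:
        print("%d %s type 0x%02X  start %11d  sectors %11d  (%d MB)" % (
            p["index"], "A" if p["active"] else " ", p["type"],
            p["start"], p["sectors"], p["sectors"] * SECTOR // (1024 * 1024)))
    for idx, why in flag_suspicious(parts, DISK_SECTORS):
        print("FLAG entry %s: %s" % (idx, why))
```

Type 0x27 is left unflagged because on this Acer it is the legitimate PQSERVICE recovery partition; a tiny hidden entry parked in the last sectors of the disk, after the end of the C: volume, is the pattern to look for, and it is exactly what both RogueKiller and aswMBR print here. The script reads whatever table the running system returns; the MSE description above notes that the rootkit's 'boot' component hooks disk reads, which is one reason to confirm the layout from a clean boot environment, as DFW later does with Puppy, before deleting anything.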


----------



## DFW (Jun 12, 2004)

> *Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.
> If you think you have similar problems, please post the required log/s in the forum and wait for help.*


Hi Sharky

I'm DFW and I am going to try and help you with your malware problem. Please observe the following points and rules while we work:

The clean-up process can take time. Please continue to review my answers until I tell you your machine is clear; absence of symptoms does not mean that everything is clear.
Refrain *from running self-fixes, as this will hinder* the malware removal process.
It may prove beneficial if you print off the following instructions or save them to Notepad as I post them.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Some of the logs we ask for can take some time to analyse, so please be patient.
This may or may not solve other issues you have with your machine.

*Before we start:*
Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. 
However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection.
*Because of this, I advise you to backup any personal files and folders before you start*.
Basic Backup
http://www.techsupportforum.com/f50/emergency-backup-procedure-306529.html



> Windows Vista & 7 Advice
> 
> All applications I ask to be used will require to be run in Administrator mode, i.e. right-click on them and select Run as Administrator.
> Your operating system comes with an inbuilt utility called User Account Control (UAC).
> When prompted by this for anything I ask you to carry out, please select the option Allow.


It looks like you have been infected with the Partition Section version of TDL4; however, when you ran a system recovery it did not delete the hidden partition. Going by
the RogueKiller log the hidden partition is still present *but not active*, as your system is now booting from partition one, and the hidden partition is 0 in size.
It seems to me at this point that Microsoft Security Essentials is still picking up on the inactive hidden partition; what we *may* need to do is to delete this partition.

When you ran the recovery, did you do this from the *recovery partition* or use a set of recovery *CD/DVD*s to do this?

If you do not have a set of recovery CD/DVDs, can you create a set with the Acer eRecovery Manager, just in case things go wrong and you lose
access to the recovery partition?

Also, we are going to need an empty USB flash drive; do you have one?


----------



## sharky (Jul 9, 2001)

Great, and thanks, DFW. I have donated to TSG in the past, not much but something. I am an above-average computer person but far from an expert. My computer barely shows any sign that malware is affecting it. If it takes a week or even more to reply back to me on the progress, that is OK. I may have had this malware for more than a month already.



> "When you ran the recovery, did you do this from the recovery partition or use a set of recovery CD/DVD to do this?....If you do not have a set of recovery CD/DVD can you create a set with the Acer eRecovery Manager.....a empty USB Flash Drive, do you have one ??......., I advise you to backup any personal files and folders before you star


I ran the recovery via the recovery partition. I had yet to make a DVD/CD recovery disc set. I do have an empty 4 GB USB flash drive. I have CDs to make a set of recovery disks; however, wouldn't this malware thing be copied onto the recovery set discs too? Also, I keep no sensitive personal files/data, no record keeping nor pictures on my computer. There is nothing I need to back up or be concerned about losing.

*Also*, would it be easier for you if I did another full recovery, to make the computer as fresh as possible from when it was new, then ran another RogueKiller report and posted it?

---------------------------------------------
Microsoft Security Essentials reported this a couple of days ago:
Security Essentials encountered the following error: Error code 0x800704ec. This program is blocked by group policy. For more information, contact your system administrator.
Category: Trojan
Description: This program is dangerous and executes commands from an attacker.
Recommended action: Remove this software immediately.
Items:
boot:\Device\HarddiskVolume4
boot:\Device\HarddiskVolume4\
boot:\\.\PHYSICALDRIVE0\Partition3 (Type 17)


----------



## DFW (Jun 12, 2004)

> I have CDs to make a Set of recovery disks,however,wouldn't this malware thing be copied onto the recovery set discs too?


No, when you create a set of recovery CDs the eRecovery Manager uses files from the recovery partition to create the CDs; it does
not make a copy of your C drive or any other partitions.



> Also, would it be be easier for you ? if i did another full recovery, to make the computer as fresh as possible from when it was new. Than run another Rogue report and post it.


No, not at this point.



> I had yet to make a DVD/CD disc set recovery.


Please make a set; then what I would like you to do is to test them. Not a full restore, just make sure that your eRecovery Manager can see them, and cancel the restore before it begins.

Here is some information to help.
http://support.acer.com/acerpanam/desktop/0000/Acer/AspireE360/AspireE360faq67.shtml
*Once you have completed and confirmed to me the above steps, we can move forward.*


----------



## sharky (Jul 9, 2001)

All set to go. DVD recovery set was made and tested good.
[ take your time replying,even if it takes days to reply]


----------



## DFW (Jun 12, 2004)

*Hi Sharky*

I would like you to take a screenshot of your partitions; as your infection seems inactive we will first try this
the easy way in Windows.

Go to Start > All Programs > Accessories, then *Run*, and type in:

*Diskmgmt.msc*

Make sure that you can see all of the Diskmgmt window.

Press the *Print Screen* button on the keyboard.

Then go to Start > All Programs > Accessories, then *Paint*.
Click on the Home tab.
Select Paste to paste the screenshot into Paint.
Above the Home tab select Save and save the shot as a *GIF* file.
(You can use the Crop tool on the Home tab to crop the image down to just the Diskmgmt window if you know how; if not, don't worry.)

*Please post the screen shot back here.*

*Next*
Please download *aswMBR* and save it to your Desktop.

Right-click *aswMBR.exe* and select *"Run as administrator"* to run it.
Click Yes to the prompt to download Avast! virus definitions.
(Please be patient whilst the virus definitions download.)
Click the *Scan* button.
After a short while, when the scan reports *"Scan finished successfully"*, click *Save log* and save the log to your *desktop*.
Click *OK* > *Exit*.
*Note:* Do not attempt to fix anything at this stage!
Two files will be created, *aswMBR.txt* and a file named *MBR.dat*.
*MBR.dat* is a backup of the MBR (master boot record); do not delete it.
*I strongly suggest you keep a copy of this backup stored on an external device.*
Copy and paste the contents of *aswMBR.txt* into your next reply.

*Please post back the screenshot and the aswMBR report.*


----------



## sharky (Jul 9, 2001)

*Disk Management screenshot:*

*This does not seem to be posting... I am seeing if I can find an alternative.*

*aswMBR.txt screenshot:*

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-05-09 05:31:22
-----------------------------
05:31:22.372 OS Version: Windows x64 6.1.7601 Service Pack 1
05:31:22.372 Number of processors: 2 586 0x602
05:31:22.372 ComputerName: BOYCAT-PC UserName: boycat
05:31:24.022 Initialize success
05:34:43.789 AVAST engine defs: 12050900
06:11:36.287 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000056
06:11:36.287 Disk 0 Vendor: WDC_WD10 80.0 Size: 953869MB BusType: 3
06:11:36.303 Disk 0 MBR read successfully
06:11:36.319 Disk 0 MBR scan
06:11:36.319 Disk 0 Windows 7 default MBR code
06:11:36.334 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 18000 MB offset 2048
06:11:36.365 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 36866048
06:11:36.397 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 935767 MB offset 37070848
06:11:36.443 Disk 0 Partition 4 00 17 Hidd HPFS/NTFS NTFS 0 MB offset 1953523120
06:11:46.701 Disk 0 scanning C:\Windows\system32\drivers
06:11:56.695 Service scanning
06:12:19.249 Modules scanning
06:12:19.264 Disk 0 trace - called modules:
06:12:19.779 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys storport.sys hal.dll nvstor64.sys 
06:12:19.795 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80045e4060]
06:12:19.810 3 CLASSPNP.SYS[fffff8800197743f] -> nt!IofCallDriver -> [0xfffffa80044ca710]
06:12:19.810 5 ACPI.sys[fffff88000ed37a1] -> nt!IofCallDriver -> \Device\00000056[0xfffffa80044cb060]
06:12:22.805 AVAST engine scan C:\Windows
06:12:25.988 AVAST engine scan C:\Windows\system32
06:15:29.611 AVAST engine scan C:\Windows\system32\drivers
06:15:42.186 AVAST engine scan C:\Users\boycat
06:16:29.436 AVAST engine scan C:\ProgramData
06:18:02.850 Scan finished successfully
06:18:29.892 Disk 0 MBR has been saved successfully to "C:\Users\boycat\Desktop\MBR.dat"
06:18:29.908 The log file has been saved successfully to "C:\Users\boycat\Desktop\aswMBR.txt"


----------



## DFW (Jun 12, 2004)

For some reason I cannot see the attachment of the screenshot; if you are having trouble attaching it, try and use a site like Photobucket etc.

What size is the screenshot file?


----------



## sharky (Jul 9, 2001)

See if this works: [Disk Management screenshot]
http://learningcomputers.yolasite.com/page2.php

Also, MBR.dat ........... (date modified)....DAT file....1kb

....is what is saved on the USB flash drive. Is that appropriate in the event it needs to be used?


----------



## DFW (Jun 12, 2004)

> Also, MBR.dat ........... (date modified)....DAT file....1kb
> 
> ....is what is saved on the USB flash drive. Is that appropriate in the event it needs to be used?


Yes that is fine

Is the G drive the USB key? Can you remove it and do a second screenshot; this time do not crop off the right-hand side, try and post all of the Disk Management window.


----------



## sharky (Jul 9, 2001)

*With the USB flash drive out of the computer, here is the new screenshot.
And "G" is the USB drive.*

*Disk Management screenshot:*
http://learningcomputers.yolasite.com/page3.php


----------



## DFW (Jun 12, 2004)

Hi Sharky

Thank you for the second screenshot. I am sure that the 1 MB partition is the one being flagged by
Microsoft Security Essentials and RogueKiller.

However, there is a slight difference in the partition size being reported; this is probably down to
the way in which different software measures it, *but as there's no room for error* I would like to see
a screenshot when Windows is not running, using a Linux OS, just to be sure.

This is where you are going to need the USB drive.

*I would copy the instructions for reference, to use while you are running in Puppy.*

*Create Puppy USB drive*

Download and save a copy of the latest Puppy ISO file.
Download and save a copy of UNetbootin for Windows.
Insert an empty formatted USB drive into a USB port on the computer that's being used to create the bootable USB.
Launch *UNetbootin*.
Ensure that *Disk Image* is selected.
Using the browse button, browse to and select the Puppy ISO file.
Ensure that Type: is set to *USB Drive* and that the Drive: letter corresponds to the USB drive (it must not, under any circumstances, be set to your main drive (C:\)).
Click *OK*
Unetbootin will now copy the Puppy files to the USB and make it a bootable device.

*Next*

*Configure the computer to boot from USB*

Turn off the Computer
Insert your USB drive into the computer.
Turn on the computer and repeatedly tap either the *DEL *or *F2 *keys to enter the BIOS.
If neither of these work you may try the following keys instead;F1, F8, F10, F11, F12.
Look for Boot options in the BIOS and make sure that *Removable Devices* is top of the list.
More information http://pcsupport.about.com/od/fixtheproblem/ss/bootorderchange_3.htm

*When fully booted you will see the Puppy desktop with drive icons in the bottom left-hand side.*

*Next*


Click on each of the drive items found in the bottom left corner to mount them (when mounted they will have a red cross next to them). 
Launch GParted *Menu *> *System *> *GParted partition manager*, when launched the following box will open ....
Click to select *All Drives* then click *Okay*
GParted will scan the computer and then display a window showing all Partitions
.... and it is this window that I need you to take a screen shot of.

*To take a screenshot in Puppy ....*

With the GParted window open ...


Click *Menu* > *Graphic* > *mtPaint-snapshot screen capture*
A small window will open ....
Click *Capture Now*
Click *OK*
The mtPaint program will open ....
Click *File *> *Save*
Double click on *../*
Double click on *mnt/*
Double click on *sdb1/*
Set File Format to *JPEG*
Enter *screenshot1 *into the text box
Click OK

This will save a file screenshot1.jpeg into the USB drive.

*Next*


Click menu > shutdown > power off computer
If prompted to save the session click on No

Puppy will now close down.

Remove the USB drive and boot into normal Windows.

*Insert the USB drive again and please post me the screenshot you took whilst in Puppy*


----------



## sharky (Jul 9, 2001)

I ran into two slight snags of some sort.

On the Puppy desktop, in the lower left-hand corner, I have these drive icons:
sda1 sda2 sda3 sda4 sdd1 [USB connection]

All mounted with a red X showing success... except sda4.
Also, I thought I made a successful screenshot of sda1, but on reboot into Windows and checking the USB files, the JPEG was nowhere to be seen.

I have tried to make a screenshot of sda1 in Puppy multiple times; it seems to be successful, however on rebooting into Windows and looking at the files on the USB drive, there is no JPEG file nor any file that holds a screenshot.

I wrote down info from the screenshots of sda1, 2 and 3, if that will do.


----------



## DFW (Jun 12, 2004)

Check your drives on your system to see if you saved the screenshot there by mistake.

If you try again, this time when you open mtPaint-snapshot screen capture, take the screenshot, click File, then Save; when the save box
appears click the *home button* on the top left, this will take you to the correct starting point.

After you double-click the mnt folder, if you cannot see your USB drive (sdb1 or something like that) try saving it in the *Home Folder*.

Check with the drive names on the bottom left to see which is your USB drive.

I'm not sure I understand your meaning about Microsoft Office.


----------



## sharky (Jul 9, 2001)

/dev/sda - GParted ........ /dev/sda (931.51 GiB)

Disk map: /dev/sda3, 913.84 GiB

| Partition | File System | Mount Point | Label | Size | Used | Unused | Flags |
|---|---|---|---|---|---|---|---|
| /dev/sda1 | ntfs | /mnt/sda1 | PQSERVICE | 17.58 GiB | 13.59 GiB | 3.99 GiB | diag |
| /dev/sda2 | ntfs | /mnt/sda2 | SYSTEM RESERVED | 100.00 MiB | 24.66 MiB | 75.34 MiB | boot |
| /dev/sda3 | ntfs | /mnt/sda3 | ACER | 913.84 GiB | 44.26 GiB | 869.58 GiB | |
| /dev/sda4 | ! (unknown) | | | 1016.00 KiB | | | hidden |

sda1, sda2 and sda3 each have a 'LOCKED' icon next to them, followed by a green rectangular box.
sda4 has an icon "! inside an orange triangle".


----------



## DFW (Jun 12, 2004)

OK, that's good enough; I take it you are still having trouble with the Puppy screenshot.

Let's now remove the partition; we will try the easy way first.

Go to Start > All Programs > Accessories, then *Run*, and type in:

*Diskmgmt.msc*

Make sure that you can see all of the Diskmgmt window.

In this screenshot you posted
http://learningcomputers.yolasite.com/page3.php

the rogue partition is the second from the top and the *capacity is 1 MB* in size, with *1 MB free space*.
Please double-check you have the right one before you delete it.

Right-click on the "rogue" partition and select Delete Volume to remove it.

Close all windows.

Reboot your system, then run RogueKiller and post the log; also run a scan with Microsoft Security Essentials
and hopefully the scan will be clear.


----------



## sharky (Jul 9, 2001)

I deleted the rogue volume and rebooted into Windows. I only had time to do a quick MSE scan, and it completed without finding anything.

On short notice, I had to go out the door for a weekend work assignment. By Monday I will do a full MSE scan and RogueKiller report.

Have a good weekend! I will post on Monday.


----------



## DFW (Jun 12, 2004)

OK thanks for letting me know.


----------



## sharky (Jul 9, 2001)

*Microsoft Security Essentials*
Full scan results: found nothing.

*RogueKiller*
RogueKiller V7.4.4 [05/08/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: boycat [Admin rights]
Mode: Scan -- Date: 05/14/2012 11:57:40

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 5 ¤¤¤
[SUSP PATH] CIS_{81EFDD93-DBBE-415B-BE6E-49B9664E3E82}.job @ : C:\Users\boycat\AppData\Local\Temp\cis621D.exe -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1	www.007guard.com
127.0.0.1	007guard.com
127.0.0.1	008i.com
127.0.0.1	www.008k.com
127.0.0.1	008k.com
127.0.0.1	www.00hq.com
127.0.0.1	00hq.com
127.0.0.1	010402.com
127.0.0.1	www.032439.com
127.0.0.1	032439.com
127.0.0.1	www.0scan.com
127.0.0.1	0scan.com
127.0.0.1	1000gratisproben.com
127.0.0.1	www.1000gratisproben.com
127.0.0.1	1001namen.com
127.0.0.1	www.1001namen.com
127.0.0.1	www.100888290cs.com
127.0.0.1	100888290cs.com
127.0.0.1	100sexlinks.com
127.0.0.1	www.100sexlinks.com
[...]

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD10 EARS-22Y5B1 SCSI Disk Device +++++
--- User ---
[MBR] 47582fcc76dab7aa9f6f4873dfb66531
[BSP] 91cd636b321e000e1fadca928a0b8188 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 18000 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 36866048 | Size: 100 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 37070848 | Size: 935767 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive1: Generic- Compact Flash USB Device +++++
Error reading User MBR!
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive2: Multiple Flash Reader USB Device +++++
Error reading User MBR!
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[12].txt >>
RKreport[10].txt ; RKreport[11].txt ; RKreport[12].txt ; RKreport[1].txt ; RKreport[2].txt ; 
RKreport[3].txt ; RKreport[4].txt ; RKreport[5].txt ; RKreport[6].txt ; RKreport[7].txt ; 
RKreport[8].txt ; RKreport[9].txt


----------



## DFW (Jun 12, 2004)

*That's great, we are done here now.*

Delete RogueKiller and all its logs from your desktop.

If you want to remove Puppy from your USB drive, just insert it into a USB port, go to My Computer, right-click on the USB drive icon and select Format; this will
clean all files from the drive, *so just make sure there is nothing else on there you need.*

As you have just reinstalled Windows you really need to make sure all software like Java etc. is up to date; also maybe add a little more protection to your system, and check Windows Update.

Follow the instructions below to update software like Java etc. and add a little more protection to cut down on
the risk of getting hit again.

You can use one of these sites to check if any updates are needed for software and your PC.

Secunia Software Inspector
F-Secure Health Check

*MVPS Hosts*

*Install MVPS Hosts File* *From Here*
The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
*You can find the tutorial* *HERE*

*Microsoft Windows Update*
Microsoft releases patches for Windows and Office products regularly to close loopholes in Windows and Office products and fix any bugs found. Install the updates immediately if they are found.
*To update Windows*
Go to *Start* > *All Programs* > *Windows Update* > *Check for updates.*
*To update Office*
Open up any Office program.
Go to *Help* > *Check for Updates*

*Please check out this article:* Computer Security - a short guide to staying safer online *(by Gary R and Wingman)*

*Safe Surfing*
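The MVPS hosts file works by mapping known ad and malware domains to 127.0.0.1, which is what the `HOSTS File` section of the RogueKiller log above shows line by line. The same mechanism cuts the other way: malware rewrites the hosts file so that antivirus and Windows Update hosts stop resolving, or resolve to an attacker's address. The script below is an added example for this thread, not part of the MVPS file or of any tool mentioned in it. It parses hosts lines, treats mappings to loopback or 0.0.0.0 as sinkhole entries, and reports any entry whose target is a routable address or whose name falls under a watch list of update and security-vendor domains. The sample text is constructed: the first lines are copied from the log, the final two are invented hijack lines using a TEST-NET address, and the watch list is an illustrative assumption, not a list taken from the page or from MVPS.

```python
"""Audit a Windows hosts file: keep the benign sinkhole lines apart from hijack-style mappings.

Added example for this thread; not part of the MVPS hosts file or of any tool the thread mentions.
"""
import ipaddress

# Names that a legitimate blocklist never redirects. Malware does map these (to block AV and
# Windows updates), so any hosts entry for them is a hijack indicator. Illustrative list, assumed.
PROTECTED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "avg.com", "avast.com",
    "symantec.com", "kaspersky.com", "mcafee.com", "malwarebytes.org",
)


def parse_hosts(text):
    """Return (address, hostname, line number) for every mapping; comments and junk are skipped."""
    mappings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop trailing and whole-line comments
        fields = line.split()
        if len(fields) < 2:
            continue                                   # blank, or no hostname: Windows ignores it
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                                   # first token is not an IP literal
        for name in fields[1:]:                        # one address may carry several names
            mappings.append((addr, name.lower(), n))
    return mappings


def is_protected(name):
    """True if name is, or is under, one of the domains that should never appear in a hosts file."""
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text):
    """Split mappings into 'sinkhole' (loopback / unspecified target, as the MVPS file uses)
    and 'hijack' (protected name, or a routable target that silently redirects the name)."""
    report = {"sinkhole": [], "hijack": []}
    for addr, name, n in parse_hosts(text):
        if is_protected(name):
            report["hijack"].append((n, name, str(addr), "security/update domain redirected"))
        elif not (addr.is_loopback or addr.is_unspecified):
            report["hijack"].append((n, name, str(addr), "mapped to a routable address"))
        else:
            report["sinkhole"].append((n, name, str(addr)))
    return report


# Constructed sample. The first block is copied from the RogueKiller log in the thread (MVPS-style
# sinkhole lines); the two lines after the second comment are invented hijack entries, and
# 198.51.100.7 is a TEST-NET-2 documentation address, not a real host.
SAMPLE_HOSTS = """\
# localhost name resolution is handled within DNS itself.
127.0.0.1\twww.007guard.com
127.0.0.1\t007guard.com
127.0.0.1\t008i.com
127.0.0.1\twww.0scan.com 0scan.com   # two names on one line
::1       localhost
# invented hijack lines of the kind DNS-changing malware writes
198.51.100.7\tupdate.microsoft.com
127.0.0.1\tliveupdate.symantec.com
"""


if __name__ == "__main__":
    # The live file on Windows is r"C:\Windows\System32\drivers\etc\hosts"
    result = audit_hosts(SAMPLE_HOSTS)
    print("%d sinkhole entries" % len(result["sinkhole"]))
    for n, name, addr, why in result["hijack"]:
        print("line %d: %s -> %s  [%s]" % (n, name, addr, why))
```

A sinkhole entry for a security-vendor name is reported as a hijack even though it points at 127.0.0.1, because the MVPS file only ever blocks ad and malware hosts; a loopback mapping for a vendor's update server is how malware stops a scanner from getting new definitions.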


----------



## sharky (Jul 9, 2001)

Thanks a lot! Your dedication to helping people with computers is outstanding. I donated once before to TSG and will again.

In retrospect, I have been trying to guess when I picked up the Trojan/malware. I usually keep a tight ship on anti-virus
protection. *Here are some times that come to mind*:

About 2 months ago, I had this thread: http://forums.techguy.org/virus-other-malware-removal/1045791-avgs-avg-safe-search-refusing.html AVG'S AVG Safe Search ...REFUSING TO LEAVE. Just after I was finally able to remove AVG is when my computer started showing irregularities. While going to some familiar websites, I would get a 'remote server not found'. I rebooted and was able to get to the websites, but after 10 minutes the 'remote server not found' message would return.

I am wondering if, when I downloaded AVG's 'AVG Safe Search', it was not from AVG but a fake AVG Safe Search download/software that carried the Trojan. Or, when I deleted AVG, my computer was vulnerable because I went without an anti-virus program for about a day, until I installed another program.

Thanks again,


----------



## DFW (Jun 12, 2004)

*You're welcome*

I doubt the AVG Safe Search download was infected, but going without an antivirus would have done it. If you ever change your antivirus in the future, always download the new one before you uninstall the old; anyway, you're all sorted now.

Good luck


----------

