Microsoft Security Essentials unable to remove Alureon!

Discussion in 'Computer Security' started by chris, Aug 21, 2009.

  1. chris Guest

    I have the latest MSE updates on an XP sp3 laptop and have tried cleaning
    then rebooting, disconnecting internet then cleaning then rebooting, cleaning
    out windows/temp folder, also running MSE from XP safe mode without network
    ..... but nothing seems to do it.

    MSE keeps telling me it finds these:
    Trojan:Win32/Alureon.BF
    Trojan:Win32/Alureon.gen!R
    Trojan:Win32/Alureon.BD
    Trojan:Win32/Alureon.gen!C

    Please help!
     
    chris, Aug 21, 2009
    #1

  2. chris Guest

    Also tried running MSFT's Malicious Software Removal Tool to no avail. It
    doesn't even detect the darned things.
     
    chris, Aug 21, 2009
    #2

  3. Malke Guest

    Go through these general malware removal steps systematically -
    http://www.elephantboycomputers.com/page2.html#Removing_Malware

    Include scanning with David Lipman's Multi_AV and follow instructions to do
    all scans in Safe Mode. Please see the special Notes regarding using
    Multi_AV in Vista.

    http://www.elephantboycomputers.com/page2.html#Multi-AV - instructions
    http://tinyurl.com/yoeru3 - download link and more instructions

    When all else fails, get guided help. Choose one of the specialty forums
    listed at the first link. Register and read its posting FAQ. PLEASE DO NOT
    POST LOGS IN THE MS NEWSGROUPS.

    If you can't do the work yourself (and there is no shame in admitting this
    isn't your cup of tea), take the machine to a professional computer repair
    shop (not your local equivalent of BigComputerStore/GeekSquad). Please be
    aware that not all local shops are skilled at removing malware and even if
    they are, your computer may be so infested that Windows will need to be
    clean-installed. If possible, have all your data backed up before you take
    the machine into a shop.

    Malke
     
    Malke, Aug 21, 2009
    #3
  4. PA Bear [MS MVP]

    How did you obtain MSE? What anti-virus application was installed before
    you installed MSE?

    If you're enrolled in the MSE beta, you can obtain assistance here:
    http://social.answers.microsoft.com/Forums/en-US/msescan/threads
     
    PA Bear [MS MVP], Aug 21, 2009
    #4
  5. chris Guest

    I downloaded MSE from softpedia I think. It's a friend's computer and I don't
    think there was ANY legitimate anti-virus software running before. Plenty of
    fake anti-virus crap though.
     
    chris, Aug 21, 2009
    #5
  6. Malke Guest

    Then the best thing you can do is back up his data and do a clean install of
    the operating system.

    Malke
     
    Malke, Aug 22, 2009
    #6
  7. StephenB Guest

    Even if you downloaded from an unauthorized source, you can still contact
    support for help with malware removal. Since MSE can't remove the malware, they
    may want to grab some data for analysis.
    To open an email support case, click on the Get Help Now link on this page:
    http://answers.microsoft.com/en-us/protect/dd891073.aspx

    -steve
     
    StephenB, Aug 22, 2009
    #7
  8. PA Bear [MS MVP]

    Go away, Paddy! (Do they let you out on weekends or what?)

    What's the "real truth" about pcbutts1? Read on...

    • Is he an MS MVP? No!
    cf. http://mvp.support.microsoft.com/communities/mvp.aspx

    • If xxx.ms-mvp.org redirects to xxx.pcbutts1.com, why didn't he post that
    link to begin with?

    • Is he a proven thief? Yes!
    cf.
    http://groups.google.com/group/microsoft.public.security.virus/browse_frm/thread/58e6c02dbc6279ad
    cf.
    http://msmvps.com/blogs/hostsnews/archive/2006/11/10/pcbutts1-_2E00__2E00_.-the-saga-continues-_2E00__2E00__2E00_.aspx
    cf.
    http://groups.google.com/group/microsoft.public.security.homeusers/msg/213247814fb4d61e
    cf.
    http://groups.google.com/group/microsoft.public.security.homeusers/msg/e19fce884897662f

    • What do real experts have to say about him? It ain't pretty.

    http://www.siteadvisor.com/sites/pcbutts1.com (Reviews)

    http://www.digg.com/security/PCButts1_Under_Attack

    http://www.siteadvisor.com/sites/pcbutts1.com

    http://bughunter.it-mate.co.uk/PCBUTTS.TXT

    http://www.mywot.com/en/scorecard/pcbutts1.com

    http://www.mywot.com/en/scorecard/www.ms-mvp.org

    • Does he have all his marbles?
    cf. http://en.wikinews.org/wiki/NASA_van_rolls_off_California_mountain

    Ignore this MVP imposter!
     
    PA Bear [MS MVP], Aug 22, 2009
    #8
  9. PA Bear [MS MVP]

    Format the HDD then do a clean install of Windows. Please note that a
    Repair Install (AKA in-place upgrade) will NOT fix this!

    cf. http://michaelstevenstech.com/cleanxpinstall.html#steps

    After the clean install, you'll have the equivalent of a "new computer" so
    take care of everything on the following page before otherwise connecting
    the machine to the internet or a network and before using a USB key that
    isn't brand-new or hasn't been freshly formatted:

    5 steps to help protect your new computer before you go online
    http://www.microsoft.com/protect/computer/advanced/xppc.mspx

    HOW TO get a computer running WinXP Gold (no Service Packs) fully patched
    (after a clean install)
    http://groups.google.com/group/microsoft.public.windowsupdate/msg/3f5afa8ed33e121c

    HOW TO get a computer running WinXP SP1(a) or SP2 fully patched (after a
    clean install)
    http://groups.google.com/group/microsoft.public.windowsxp.general/msg/a066ae41add7dd2b

    Also see:

    Steps To Help Prevent Spyware
    http://www.microsoft.com/protect/computer/spyware/prevent.mspx

    Rogue Security Software - Microsoft Security:
    http://www.microsoft.com/protect/computer/viruses/rogue.mspx
     
    PA Bear [MS MVP], Aug 22, 2009
    #9
  10. chris Guest

    Wow, that was painful! Here's how I finally removed it:

    1) download Malwarebytes' Anti-Malware & SUPERAntiSpyware on a different
    computer (both are free programs). The virus was smart enough to prevent me
    from visiting their web sites.

    2) Copy the executables over to infected XP laptop. Rename executables
    (virus also prevented me from launching them unless renamed).

    3) Launch Microsoft Security Essentials, Malwarebytes, & SUPERAntiSpyware
    and UPDATE definitions of all 3

    4) reboot to Windows SAFE mode without networking

    5) Run all 3 programs with FULL scans (this takes about 7 or 8 hours)

    6) Clean all instances of malware found (all 3 products found different
    counts of various items)

    7) Clean out Windows\Temp folder (since a few of the infected DLLs were found
    in here)

    8) Clean out filenames starting with UAC in Windows\System32 (7 or 8 infected
    DLLs were found in here, all named UAC<something>.dll). Also delete
    UACwbojwygitk.db that was in here ... no software identified it but the name
    was suspicious so I removed it.

    9) Clean out all users' Temporary Internet Files & \Temp directories, since
    a few items were identified in here. Example:

    C:\Documents and Settings\userA\Local Settings\Temporary Internet Files &
    \Temp
     
    chris, Aug 25, 2009
    #10
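Added example, not from chris's post and not part of any of the tools he names: a Python inventory script for the locations his steps 7 to 9 describe. It assumes the infected drive has been attached to a clean machine and mounted read-only at ROOT (a slaved drive, as a later post in this thread describes), and it records path, size and SHA-256 of every candidate before anything is deleted, so that a file removed on suspicion alone (such as the UACwbojwygitk.db he mentions) can still be looked up or submitted afterwards. The sample volume it builds is constructed placeholder data, not malware.

```python
"""Inventory (never delete) files matching the naming pattern from the thread.

Added example, not from the original post.  Assumes the infected volume is
mounted read-only at ROOT and the locations/patterns chris lists: UAC*.dll and
UAC*.db under System32, plus everything in Windows\Temp and in each profile's
Local Settings\Temp.
"""
import fnmatch
import hashlib
import os
import tempfile

# Patterns taken from the thread's description of what was found; the "*" in
# the Temp directories matches everything there.
SUSPECT_PATTERNS = {
    os.path.join("WINDOWS", "system32"): ["UAC*.dll", "UAC*.db"],
    os.path.join("WINDOWS", "Temp"): ["*"],
}
PROFILE_TEMP = os.path.join("Local Settings", "Temp")


def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large DLLs don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def candidate_dirs(root):
    """Yield (directory, patterns) pairs relative to the mounted volume root."""
    for rel, pats in SUSPECT_PATTERNS.items():
        yield os.path.join(root, rel), pats
    profiles = os.path.join(root, "Documents and Settings")
    if os.path.isdir(profiles):
        for user in sorted(os.listdir(profiles)):
            yield os.path.join(profiles, user, PROFILE_TEMP), ["*"]


def inventory(root):
    """Return sorted records (path, size, sha256) for matching files.

    Nothing is modified; the report is the input for a quarantine decision.
    """
    found = []
    for directory, pats in candidate_dirs(root):
        if not os.path.isdir(directory):
            continue
        for name in os.listdir(directory):
            full = os.path.join(directory, name)
            if not os.path.isfile(full):
                continue
            if any(fnmatch.fnmatch(name.lower(), p.lower()) for p in pats):
                found.append({
                    "path": os.path.relpath(full, root),
                    "size": os.path.getsize(full),
                    "sha256": sha256_of(full),
                })
    return sorted(found, key=lambda r: r["path"])


def build_sample_tree():
    """Constructed sample volume with placeholder files (not real malware)."""
    root = tempfile.mkdtemp(prefix="xp_volume_")
    files = {
        ("WINDOWS", "system32", "UACabcdefghij.dll"): b"placeholder dll",
        ("WINDOWS", "system32", "UACwbojwygitk.db"): b"placeholder db",
        ("WINDOWS", "system32", "kernel32.dll"): b"legit-looking file",
        ("WINDOWS", "Temp", "tmp1234.tmp"): b"temp junk",
        ("Documents and Settings", "userA", "Local Settings", "Temp", "x.exe"): b"dropper?",
    }
    for parts, data in files.items():
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rec in inventory(build_sample_tree()):
        print(f"{rec['sha256'][:16]}  {rec['size']:>6}  {rec['path']}")
```

Run it against the real mount point instead of build_sample_tree() and keep the report with the hashes; a legitimate file that happens to match a pattern (kernel32.dll in the sample is skipped only because it does not) can then be checked before it is removed.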
  11. ET Guest

    Hi All,

    With all the conversation above I understand that there is a rootkit present
    in the computer.

    If you do not intend to do a clean install and if you need a resolution, I
    might ask for a ntbtlog file.

    Enable the boot log from msconfig -> boot.ini. Restart the computer; you
    might find the log in c:\windows.

    Paste it here.

    ET
    PSS
    MICROSOFT PARTNERS
     
    ET, Aug 28, 2009
    #11
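Added example, not from ET's post: a small Python triage parser for the ntbtlog.txt that ET asks for. It assumes the layout XP writes when boot logging is enabled (one "Loaded driver <path>" or "Did not load driver <path>" line per driver, boot-start drivers listed by bare file name) and flags loaded drivers whose path lies outside the System32 tree, plus any whose file name carries the UAC prefix chris reported earlier in the thread. The log it parses is constructed; the driver names in it are placeholders, not real indicators.

```python
"""Triage an XP ntbtlog.txt (boot log) for drivers loaded from odd places.

Added example, not from the original post.  Assumes the XP boot-log format:
'Loaded driver <path>' / 'Did not load driver <path>' lines, with boot-start
drivers given by bare file name.  The sample log is constructed.
"""
import re

# Constructed sample, modelled on the XP boot-log layout (not a real log).
SAMPLE_NTBTLOG = r"""
Service Pack 3 8 28 2009 10:52:01.500
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \WINDOWS\system32\KDCOM.DLL
Loaded driver pci.sys
Loaded driver \SystemRoot\System32\Drivers\Fastfat.SYS
Did not load driver \SystemRoot\System32\Drivers\Parport.SYS
Loaded driver \SystemRoot\System32\Drivers\UACqxxyzabcd.sys
Loaded driver \??\C:\Documents and Settings\userA\Local Settings\Temp\drv.sys
"""

LINE_RE = re.compile(r"^(Loaded driver|Did not load driver)\s+(.+?)\s*$")

# Where drivers normally live on an XP system drive; anything loaded from
# elsewhere (a Temp directory, a user profile) deserves a look.
EXPECTED_PREFIXES = ("\\windows\\system32\\", "\\systemroot\\system32\\")


def parse_ntbtlog(text):
    """Return one record per driver line: {'loaded': bool, 'path': str}."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            status, path = m.groups()
            entries.append({"loaded": status == "Loaded driver", "path": path})
    return entries


def unusual_load_paths(entries):
    """Loaded drivers whose path is outside the expected system directories."""
    flagged = []
    for e in entries:
        if not e["loaded"]:
            continue
        low = e["path"].lower()
        if "\\" not in low:
            # Bare name: a boot-start driver resolved from the default drivers dir.
            continue
        if not low.startswith(EXPECTED_PREFIXES):
            flagged.append(e["path"])
    return flagged


def names_with_prefix(entries, prefix="uac"):
    """Loaded drivers whose file name starts with PREFIX (case-insensitive).

    The default matches the UAC<random> naming reported earlier in the thread.
    """
    hits = []
    for e in entries:
        name = e["path"].rsplit("\\", 1)[-1].lower()
        if e["loaded"] and name.startswith(prefix.lower()):
            hits.append(e["path"])
    return hits


if __name__ == "__main__":
    ents = parse_ntbtlog(SAMPLE_NTBTLOG)
    print(f"{len(ents)} driver lines, {sum(e['loaded'] for e in ents)} loaded")
    for p in unusual_load_paths(ents):
        print("unusual load path:", p)
    for p in names_with_prefix(ents):
        print("suspicious name:", p)
```

A boot log only lists what the kernel's own loader recorded; a driver that hides its presence once running still appears here because the line is written as it loads, which is why the log is useful for a first look even when on-disk scanners see nothing.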
  12. chris Guest

    ET, did you not catch the part about it being solved already? My last post
    explains how I removed it.
     
    chris, Aug 28, 2009
    #12
  13. ET Guest

    I missed that part; as the thread was not closed yet, I thought the issue
    was not solved yet.

    ET
    PSS
    MICROSOFT PARTNERS
     
    ET, Aug 28, 2009
    #13
  14. FromTheRafters

    There is no closure here; one can (and at least one indeed did) post a
    reply to a three-year-old stagnant thread.
     
    FromTheRafters, Aug 29, 2009
    #14
  15. ANTHONY MAW Guest

    Yeah I had the same experience. I have a laptop hard drive infected with Alureon.A. I pulled the drive from the laptop and slaved it to a PC using a USB adapter. As soon as I plug it in, Microsoft Security Essentials *detects* it and prompts to clean it but then it stupidly fails with the error message: "Error code 0x800704ec. This program is blocked by group policy. For more information, contact your system administrator." and tells you to reboot. Of course rebooting does absolutely nothing other than you get nagged again that the drive is infected. I don't know what the dudheads at Microsoft are doing but this seems to be another case of one department not talking to another. Fail.
     
    ANTHONY MAW, Mar 13, 2011
    #15
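Added example, not from the post above: a Python decoder for the HRESULT it quotes. 0x800704ec splits into failure severity, facility 7 (FACILITY_WIN32) and code 0x04ec = 1260, which is ERROR_ACCESS_DISABLED_BY_POLICY, the error Windows reports when a Software Restriction Policy or similar execution policy blocks a program from running; the message text in the post is that error's standard string. So the first thing to check is the policy configuration of the cleaning host itself, not the slaved drive. The bit layout and the HRESULT_FROM_WIN32 mapping are the documented Windows definitions; the name table is a deliberately small set of codes, not a complete list.

```python
"""Decode a Windows HRESULT such as the 0x800704ec quoted in the thread.

Added example, not from the original post.  Bit layout: severity bit 31,
facility bits 16-26, code bits 0-15.  WIN32_NAMES is a partial table.
"""
import re

FACILITY_WIN32 = 7

# Partial table of Win32 error codes (winerror.h); extend as needed.
WIN32_NAMES = {
    2: "ERROR_FILE_NOT_FOUND",
    5: "ERROR_ACCESS_DENIED",
    1260: "ERROR_ACCESS_DISABLED_BY_POLICY",
}


def hresult_from_win32(code):
    """The HRESULT_FROM_WIN32 macro: wrap a Win32 error as a failing HRESULT."""
    if code <= 0:
        return code & 0xFFFFFFFF
    return (code & 0xFFFF) | (FACILITY_WIN32 << 16) | 0x80000000


def decode_hresult(value):
    """Accept an int, or any text containing an 8-digit 0x value, and split it."""
    if isinstance(value, str):
        m = re.search(r"0x([0-9a-fA-F]{8})", value)
        if not m:
            raise ValueError("no 8-digit hex HRESULT found in text")
        value = int(m.group(1), 16)
    hr = value & 0xFFFFFFFF
    facility = (hr >> 16) & 0x1FFF
    code = hr & 0xFFFF
    result = {
        "hresult": hr,
        "failed": bool(hr & 0x80000000),
        "facility": facility,
        "code": code,
        "win32_name": None,
    }
    # Facility 7 with the failure bit set means a wrapped Win32 error; confirm
    # by round-tripping through the macro before naming it.
    if facility == FACILITY_WIN32 and hresult_from_win32(code) == hr:
        result["win32_name"] = WIN32_NAMES.get(code, f"unknown Win32 error {code}")
    return result


if __name__ == "__main__":
    msg = "Error code 0x800704ec. This program is blocked by group policy."
    print(decode_hresult(msg))
```

Paste the whole error string; the decoder pulls the first 8-digit 0x value out of it, so the surrounding text does not need trimming.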
  20. FromTheRafters

    Maybe after a few more posts from an egghead, and a couple more *years*,
    they'll figure it out.
     
    FromTheRafters, Mar 13, 2011
    #20
