Alureon FR

My computer has contracted the Alureon-FR virus. I have downloaded and ran TDSSKiller and have run the scan. I will post the log here.
Has the issue been taken care of? Sorry but I have very little knowledge of computers and the lingo so please be patient.

Thanks!!!

17:40:20:375 1248 TDSS rootkit removing tool 2.2.8 Mar 10 2010 15:53:20
17:40:20:375 1248 ================================================================================
17:40:20:375 1248 SystemInfo:

17:40:20:375 1248 OS Version: 5.1.2600 ServicePack: 3.0
17:40:20:375 1248 Product type: Workstation
17:40:20:375 1248 ComputerName: SEANIX-6C874BFA
17:40:20:375 1248 UserName: Owner
17:40:20:375 1248 Windows directory: C:\WINDOWS
17:40:20:375 1248 Processor architecture: Intel x86
17:40:20:375 1248 Number of processors: 1
17:40:20:375 1248 Page size: 0x1000
17:40:20:375 1248 Boot type: Normal boot
17:40:20:375 1248 ================================================================================
17:40:20:468 1248 UnloadDriverW: NtUnloadDriver error 2
17:40:20:468 1248 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
17:40:20:593 1248 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
17:40:20:593 1248 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
17:40:20:593 1248 wfopen_ex: Trying to KLMD file open
17:40:20:593 1248 wfopen_ex: File opened ok (Flags 2)
17:40:20:593 1248 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
17:40:20:593 1248 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
17:40:20:593 1248 wfopen_ex: Trying to KLMD file open
17:40:20:593 1248 wfopen_ex: File opened ok (Flags 2)
17:40:20:593 1248 Initialize success
17:40:20:593 1248
17:40:20:593 1248 Scanning Services …
17:40:21:093 1248 GetAdvancedServicesInfo: Raw services enum returned 324 services
17:40:21:093 1248
17:40:21:093 1248 Scanning Kernel memory …
17:40:21:093 1248 Devices to scan: 2
17:40:21:093 1248
17:40:21:093 1248 Driver Name: Disk
17:40:21:093 1248 IRP_MJ_CREATE : F7602BB0
17:40:21:093 1248 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
17:40:21:093 1248 IRP_MJ_CLOSE : F7602BB0
17:40:21:093 1248 IRP_MJ_READ : F75FCD1F
17:40:21:093 1248 IRP_MJ_WRITE : F75FCD1F
17:40:21:093 1248 IRP_MJ_QUERY_INFORMATION : 804F355A
17:40:21:093 1248 IRP_MJ_SET_INFORMATION : 804F355A
17:40:21:093 1248 IRP_MJ_QUERY_EA : 804F355A
17:40:21:093 1248 IRP_MJ_SET_EA : 804F355A
17:40:21:093 1248 IRP_MJ_FLUSH_BUFFERS : F75FD2E2
17:40:21:093 1248 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
17:40:21:093 1248 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
17:40:21:093 1248 IRP_MJ_DIRECTORY_CONTROL : 804F355A
17:40:21:093 1248 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
17:40:21:093 1248 IRP_MJ_DEVICE_CONTROL : F75FD3BB
17:40:21:093 1248 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7600F28
17:40:21:093 1248 IRP_MJ_SHUTDOWN : F75FD2E2
17:40:21:093 1248 IRP_MJ_LOCK_CONTROL : 804F355A
17:40:21:093 1248 IRP_MJ_CLEANUP : 804F355A
17:40:21:093 1248 IRP_MJ_CREATE_MAILSLOT : 804F355A
17:40:21:093 1248 IRP_MJ_QUERY_SECURITY : 804F355A
17:40:21:093 1248 IRP_MJ_SET_SECURITY : 804F355A
17:40:21:093 1248 IRP_MJ_POWER : F75FEC82
17:40:21:093 1248 IRP_MJ_SYSTEM_CONTROL : F760399E
17:40:21:093 1248 IRP_MJ_DEVICE_CHANGE : 804F355A
17:40:21:093 1248 IRP_MJ_QUERY_QUOTA : 804F355A
17:40:21:093 1248 IRP_MJ_SET_QUOTA : 804F355A
17:40:21:109 1248 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
17:40:21:109 1248
17:40:21:109 1248 Driver Name: atapi
17:40:21:109 1248 IRP_MJ_CREATE : 872E1CA1
17:40:21:109 1248 IRP_MJ_CREATE_NAMED_PIPE : 872E1CA1
17:40:21:109 1248 IRP_MJ_CLOSE : 872E1CA1
17:40:21:109 1248 IRP_MJ_READ : 872E1CA1
17:40:21:109 1248 IRP_MJ_WRITE : 872E1CA1
17:40:21:109 1248 IRP_MJ_QUERY_INFORMATION : 872E1CA1
17:40:21:109 1248 IRP_MJ_SET_INFORMATION : 872E1CA1
17:40:21:109 1248 IRP_MJ_QUERY_EA : 872E1CA1
17:40:21:109 1248 IRP_MJ_SET_EA : 872E1CA1
17:40:21:109 1248 IRP_MJ_FLUSH_BUFFERS : 872E1CA1
17:40:21:109 1248 IRP_MJ_QUERY_VOLUME_INFORMATION : 872E1CA1
17:40:21:109 1248 IRP_MJ_SET_VOLUME_INFORMATION : 872E1CA1
17:40:21:109 1248 IRP_MJ_DIRECTORY_CONTROL : 872E1CA1
17:40:21:109 1248 IRP_MJ_FILE_SYSTEM_CONTROL : 872E1CA1
17:40:21:109 1248 IRP_MJ_DEVICE_CONTROL : 872E1CA1
17:40:21:109 1248 IRP_MJ_INTERNAL_DEVICE_CONTROL : 872E1CA1
17:40:21:109 1248 IRP_MJ_SHUTDOWN : 872E1CA1
17:40:21:109 1248 IRP_MJ_LOCK_CONTROL : 872E1CA1
17:40:21:109 1248 IRP_MJ_CLEANUP : 872E1CA1
17:40:21:109 1248 IRP_MJ_CREATE_MAILSLOT : 872E1CA1
17:40:21:109 1248 IRP_MJ_QUERY_SECURITY : 872E1CA1
17:40:21:109 1248 IRP_MJ_SET_SECURITY : 872E1CA1
17:40:21:109 1248 IRP_MJ_POWER : 872E1CA1
17:40:21:109 1248 IRP_MJ_SYSTEM_CONTROL : 872E1CA1
17:40:21:109 1248 IRP_MJ_DEVICE_CHANGE : 872E1CA1
17:40:21:109 1248 IRP_MJ_QUERY_QUOTA : 872E1CA1
17:40:21:109 1248 IRP_MJ_SET_QUOTA : 872E1CA1
17:40:21:109 1248 Driver “atapi” infected by TDSS rootkit!
17:40:21:109 1248 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
17:40:21:109 1248 File “C:\WINDOWS\system32\DRIVERS\atapi.sys” infected by TDSS rootkit …
17:40:21:109 1248 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
17:40:21:109 1248 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
17:40:21:187 1248 vfvi6
17:40:21:234 1248 !dsvbh1
17:40:23:156 1248 dsvbh2
17:40:23:171 1248 fdfb2
17:40:23:171 1248 Backup copy found, using it…
17:40:23:171 1248 will be cured on next reboot
17:40:23:171 1248 Reboot required for cure complete…
17:40:23:218 1248 Cure on reboot scheduled successfully
17:40:23:218 1248
17:40:23:218 1248 Completed
17:40:23:218 1248
17:40:23:218 1248 Results:
17:40:23:218 1248 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
17:40:23:218 1248 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
17:40:23:218 1248 File objects infected / cured / cured on reboot: 1 / 0 / 1
17:40:23:218 1248
17:40:23:218 1248 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
17:40:23:218 1248 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
17:40:23:218 1248 UnloadDriverW: NtUnloadDriver error 1
17:40:23:218 1248 KLMD_Unload: UnloadDriverW(klmd21) error 1
17:40:23:234 1248 KLMD(ARK) unloaded successfully
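What the "Scanning Kernel memory" section of the log above is actually showing, as an added example that is not part of the original post and not TDSSKiller's code: a small Python parser that reads the IRP dispatch tables TDSSKiller prints for each driver and applies the log-only heuristic that catches atapi here, namely every IRP_MJ_* entry pointing at one address that no other driver shares. SAMPLE_LOG is a constructed excerpt of the posted log (two drivers, a subset of their rows); the 0x80000000 kernel boundary is the XP x86 default without /3GB.

```python
"""Flag hooked IRP dispatch tables in TDSSKiller-style log output.

Added example, not TDSSKiller code. SAMPLE_LOG is a constructed excerpt of the
log posted in the thread (two drivers, a subset of their IRP_MJ rows).
"""
import re
from collections import Counter

KERNEL_BASE = 0x80000000  # XP x86 without /3GB: kernel-mode addresses start here

DRIVER_RE = re.compile(r"Driver Name: (\S+)")
IRP_RE = re.compile(r"(IRP_MJ_\w+) : ([0-9A-Fa-f]{8})")

SAMPLE_LOG = r"""
17:40:21:093 1248 Driver Name: Disk
17:40:21:093 1248 IRP_MJ_CREATE : F7602BB0
17:40:21:093 1248 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
17:40:21:093 1248 IRP_MJ_CLOSE : F7602BB0
17:40:21:093 1248 IRP_MJ_READ : F75FCD1F
17:40:21:093 1248 IRP_MJ_WRITE : F75FCD1F
17:40:21:093 1248 IRP_MJ_QUERY_INFORMATION : 804F355A
17:40:21:093 1248 IRP_MJ_DEVICE_CONTROL : F75FD3BB
17:40:21:109 1248 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
17:40:21:109 1248 Driver Name: atapi
17:40:21:109 1248 IRP_MJ_CREATE : 872E1CA1
17:40:21:109 1248 IRP_MJ_CREATE_NAMED_PIPE : 872E1CA1
17:40:21:109 1248 IRP_MJ_CLOSE : 872E1CA1
17:40:21:109 1248 IRP_MJ_READ : 872E1CA1
17:40:21:109 1248 IRP_MJ_WRITE : 872E1CA1
17:40:21:109 1248 IRP_MJ_QUERY_INFORMATION : 872E1CA1
17:40:21:109 1248 IRP_MJ_DEVICE_CONTROL : 872E1CA1
17:40:21:109 1248 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
"""


def parse_dispatch_tables(log_text):
    """Return {driver_name: {IRP_MJ_xxx: address_int}} from the log text."""
    tables, current = {}, None
    for line in log_text.splitlines():
        m = DRIVER_RE.search(line)
        if m:
            current = m.group(1)
            tables[current] = {}
            continue
        m = IRP_RE.search(line)
        if m and current is not None:
            tables[current][m.group(1)] = int(m.group(2), 16)
    return tables


def shared_stubs(tables):
    """Addresses used by more than one driver.

    Unrelated drivers only share a handler when it is a kernel-provided default
    (ntoskrnl's 'invalid device request' stub, 804F355A in the Disk table), so
    such addresses are excluded from the hook heuristic."""
    owners = Counter()
    for handlers in tables.values():
        for addr in set(handlers.values()):
            owners[addr] += 1
    return {addr for addr, n in owners.items() if n > 1}


def assess_driver(handlers, stubs):
    """Log-only heuristic for one dispatch table.

    TDSSKiller also checks that each pointer lies inside the driver's own image;
    the log does not record image ranges, so this uses what it does record:
    every major function pointing at one address that no other driver uses means
    all I/O, reads and writes included, is funnelled through a single routine,
    which is exactly how the TDSS hook on atapi presents in the log above."""
    addrs = set(handlers.values())
    if not addrs:
        return "no handlers parsed"
    if any(a < KERNEL_BASE for a in addrs):
        return "suspicious: user-mode address in a kernel dispatch table"
    if len(addrs) == 1 and not (addrs & stubs):
        return "suspicious: uniform dispatch table (all IRP_MJ_* -> %08X)" % next(iter(addrs))
    return "ok: %d distinct handlers, %d shared kernel stubs" % (len(addrs), len(addrs & stubs))


def scan_log(log_text):
    """Return {driver_name: verdict_string} for every driver in the log."""
    tables = parse_dispatch_tables(log_text)
    stubs = shared_stubs(tables)
    return {name: assess_driver(h, stubs) for name, h in tables.items()}


if __name__ == "__main__":
    for driver, verdict in scan_log(SAMPLE_LOG).items():
        print("%-6s %s" % (driver, verdict))
```

Run against the full log, Disk comes back clean (its handlers split between disk.sys/classpnp code in the F75F/F760 range and the ntoskrnl default stub) and atapi is flagged, matching the "Driver “atapi” infected by TDSS rootkit!" line. The heuristic is deliberately weaker than the tool's own image-range check: a driver that legitimately routes everything through one dispatcher would also trip it, so treat it as a triage signal, not a verdict.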

Welcome to the forum. I’m letting someone else have a look at the result you posted; I’m not that technical with those things either.

Suggestion 1: you could try a boot scan with Avast first and see if it picks it up. If not, move on to my suggestion 2.

http://www.digitalred.com/avast-boot-time.php

Suggestion 2: scan with Malwarebytes and/or SUPERAntiSpyware to see if any one of those can solve your malware problem.

http://filehippo.com/download_malwarebytes_anti_malware/

http://filehippo.com/download_superantispyware/

Good luck, and write back on your progress.

17:40:23:218 1248 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
17:40:23:218 1248 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
17:40:23:218 1248 File objects infected / cured / cured on reboot: 1 / 0 / 1
TDSSKiller got it

Are you having any other problems ?

Thanks!

This morning Avast popped up with a warning that a Trojan Horse has been found. JS:Prontexi-AB (Tri). And now as I am typing this a popup website appears from coinpouch.com.

I went to move the file to the chest in Avast and a message popped up saying Avast cannot move the file as it is being used by another process.

Cannot process “C:\Documents and Settings\Network Services\Local Settings\Temporary Internet Files\Content.IE5\XKR3GPN\TATRAp(1).htm” file

I click OK and I am caught up in the loop

That website appears to be infected

Download OTL to your Desktop

[*]Double-click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Under the Custom Scan box, paste this in:

netsvcs
%SYSTEMDRIVE%\*.*
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav

[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won’t take long.

[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
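Why the helper asks OTL to hash that particular /md5start list: the .sys names are the storage-stack drivers that TDSS is known to overwrite in place (atapi.sys being the one hit on this machine), and a hash comparison catches a same-size in-place patch that file size or timestamp checks would miss. The Python below is an added example, not OTL’s code or the helper’s: it records MD5 baselines for the same driver names and reports what changed. The temp directory, the stand-in driver files and the tampering step are all constructed.

```python
"""Baseline-and-compare MD5 check for the storage drivers in the OTL /md5start list.

Added example, not OTL code. demo() builds a constructed driver directory in a
temp folder, records a baseline, patches atapi.sys in place, and reports the diff.
"""
import hashlib
import os
import tempfile

# The .sys entries from the OTL script above: storage drivers TDSS overwrites.
WATCHED_DRIVERS = [
    "iaStor.sys", "nvstor.sys", "atapi.sys", "IdeChnDr.sys", "viasraid.sys",
    "AGP440.sys", "vaxscsi.sys", "nvatabus.sys", "viamraid.sys", "nvata.sys",
    "nvgts.sys", "iastorv.sys", "ViPrt.sys", "ahcix86.sys", "KR10N.sys",
    "nvstor32.sys", "ahcix86s.sys", "nvrd32.sys", "symmpi.sys", "adp3132.sys",
    "mv61xx.sys",
]


def md5_file(path, chunk=1 << 16):
    """MD5 of a file, read in chunks so large drivers are not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_drivers(driver_dir, names=WATCHED_DRIVERS):
    """MD5 every watched driver that exists under driver_dir.

    Missing names are skipped rather than reported: a machine only carries the
    drivers for its own storage controller, so absence alone is not a finding."""
    out = {}
    for name in names:
        path = os.path.join(driver_dir, name)
        if os.path.isfile(path):
            out[name] = md5_file(path)
    return out


def compare(baseline, current):
    """Return {'modified': [...], 'missing': [...], 'new': [...]} between two snapshots."""
    modified = sorted(n for n in baseline if n in current and baseline[n] != current[n])
    missing = sorted(n for n in baseline if n not in current)
    new = sorted(n for n in current if n not in baseline)
    return {"modified": modified, "missing": missing, "new": new}


def demo():
    """Constructed scenario: two watched drivers present, atapi.sys patched after baseline."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("atapi.sys", "disk.sys", "AGP440.sys"):
            with open(os.path.join(d, name), "wb") as f:
                # Constructed stand-in bytes, not a real PE image.
                f.write(b"MZ" + name.encode() + b"\x00" * 64)
        baseline = hash_drivers(d)
        # Same-size overwrite at a fixed offset: size and name are unchanged, the hash is not.
        with open(os.path.join(d, "atapi.sys"), "r+b") as f:
            f.seek(2)
            f.write(b"TDSS")
        return compare(baseline, hash_drivers(d))


if __name__ == "__main__":
    print(demo())
```

One caveat a responder should keep in mind: a rootkit that owns the disk stack, which is what the hooked atapi dispatch table in the TDSSKiller log means, can answer reads of its own infected file with the original bytes, so hashes taken on the infected, running system can come back clean. That is why the helper also requests the /lockedfiles passes and why the Avast boot-time scan, run before the rootkit’s driver is active, is a separate and independent check.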

I just ran the Avast boot scan and it says it found the virus and moved it to the chest, plus it found one more I wasn’t aware of. Just ran Malawarebytes and it said the system is clean.

Going to run OTL now.

Odd… a Data Execution Prevention message won’t let me download OTL???

OK, let’s have a look at an alternate link

http://ottools.noahdfear.net/OTL.com

OK that worked. Anything specific I should look for or post?

Post the logs OTL.Txt and Extras.Txt.

If they are big, see the bottom-left corner: Additional Options > Attach

This morning Avast popped up with a warning that a Trojan Horse has been found. JS:Prontexi-AB (Tri). And now as I am typing this a popup website appears from coinpouch.com.
Ads poisoning – JS:Prontexi http://blog.avast.com/2010/02/18/ads-poisoning-%E2%80%93-jsprontexi/

Here is the OTL.txt

and the Extras.Txt

First a question: did you set this proxy up?
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: “AutoConfigURL” = file://C:\PROGRA~1\SPEEDB~2\vaproxy.pac

Other than that you appear clean

Sorry I have no idea

Thanks to everyone who helped me through this! You are all top notch!

It appears to be associated with SpeedBit Video Grabber, and what it does is re-route URLs for YouTube videos to make them download faster. However, it may be susceptible to hijacking. Have you received any more alerts?

No I haven’t. Should I uninstall Speed Bit?

Only if it is giving you problems

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean

A good workman always cleans up after himself, so… run OTL and hit the Cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via Control Panel > Add/Remove, along with ERUNT. But they may be useful tools to keep.

We will now confirm that your hidden files are set back to hidden, as some of the tools I use will change that.

[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View tab.
[*]Under the Hidden files and folders heading, select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

XP
Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:

[*]Select Start > All Programs > Accessories > System Tools > System Restore.
[*]On the dialogue box that appears, select Create a Restore Point.
[*]Click NEXT.
[*]Enter a name, e.g. Clean.
[*]Click CREATE.

You now have a clean restore point. To get rid of the bad ones:

[*]Select Start > All Programs > Accessories > System Tools > Disk Cleanup.
[*]In the drop-down box that appears, select your main drive, e.g. C.
[*]Click OK.
[*]The system will do some calculation and then display a dialogue box with tabs.
[*]Select the More Options tab.
[*]At the bottom will be a System Restore box with a CLEANUP button; click this.
[*]Accept the warning and select OK again; the program will close and you are done.

SPRING CLEAN

Download TFC to your desktop

[*]Open the file and close any other windows.
[*]It will close all programs itself when run; make sure to let it run uninterrupted.
[*]Click the Start button to begin the process. The program should not take long to finish its job.
[*]Once it’s finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

THEN

Download Flush Flash from Here and follow the easy to use instructions on the same page

NEXT

Download and run Puran Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
[*]SpywareBlaster to help prevent spyware from installing in the first place.

[*]Malwarebytes. Run weekly to keep your system clean.

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :wave: