Alureon virus and boot time scan crash

Hi All,
Just wondering if anyone can help me with these two possibly unrelated problems regarding avast.

First a bit of history;
I am running Windows XP Home Edition on a Dell Dimension 3100 and have been using avast 4.8 Free for a few years with absolutely no problems. I am a self-taught computer amateur with limited skills and knowledge.

One day, about a month ago I suddenly got infected with the malware xp 2010 virus and it completely locked me out of my computer.
Luckily, I have an old laptop and, after a lot of research and a USB drive, I managed to disable the virus with Malwarebytes and then eventually regain control using some script to restart Task Manager and give me back administrator rights and re-enable the .exe files and a bunch of other stuff that it had done, bit by bit.
I have since run several anti-virus scans using, among others, SUPERAntiSpyware, Hitman Pro, TDSSKiller (which incidentally always finds the same rootkit, asks for a reboot and then does exactly the same thing on the next run - don't recall the name of it but will research and repost).
These all picked up various things and, I assume, got rid of them, although it seemed to take many passes of each.
The most difficult problem was a google re-direct but that has cleared up now following one of the many scans.
It also stopped avast auto update, which I managed to fix by using the 'no proxy' setting in program options. I hope it isn't a problem to leave it like that but it's the only setting that lets it auto update.

Most scans now come up clean, except that if I scan with avast (or I think, even if I just use the computer for some time) it will eventually find something called Win32:Alureon-FZ. When the warning screen comes up, it doesn't matter whether you delete or move to chest, the warning screen immediately returns forever. If I then restart I am greeted with the infamous BSOD with the error STOP:0x0000007B(0xBA4C3524, 0x0000…etc) and must revert to the last known stable configuration that worked on reboot. Then I can use the computer as before.

I'm not sure if this is related, but if I schedule a boot time scan, it detects something but then freezes on the screen where you have the option to press 1 to delete etc., and I must shut down by holding the power button and revert to last stable config on reboot again.

I hope someone can make sense of it for me. I didn't want to bother anyone about this but I have been battling it for so long on my own that I am wondering if I shouldn't have reinstalled weeks ago as a friend first suggested.

I could provide other scan logs but here is the Avast boot time scan log:

06/17/2008 21:58
Scan of all local drives

Scanning aborted
Number of searched folders: 2188
Number of tested files: 43048
Number of infected files: 0


04/25/2010 10:23
Scan of all local drives

File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000049.exe is infected by Win32:Trojan-gen

05/12/2010 18:02
Scan of all local drives

File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\S0NA9AAR\us1[1].htm is infected by JS:Prontexi-AV [Trj]

Here is the relevant resident protection notepad (the whole lot is too big to post):

  • avast! Report
  • This file is generated automatically
  • Task ‘Resident protection’ used
  • Started on 06 May 2010 21:06:23
  • VPS: 100501-1, 01/05/2010

C:\WINDOWS\system32\drivers\PCI.sys [L] Win32:Alureon-FZ (0)
File was successfully deleted…
C:\WINDOWS\system32\drivers\pci.sys [L] Win32:Alureon-FZ (0)
File was successfully deleted…
C:\WINDOWS\system32\drivers\PCI.sys [L] Win32:Alureon-FZ (0)
File was successfully deleted…
C:\WINDOWS\system32\drivers\PCI.sys [L] Win32:Alureon-FZ (0)
File was successfully deleted…
C:\WINDOWS\system32\drivers\pci.sys [L] Win32:Alureon-FZ (0)
File was successfully deleted…
C:\WINDOWS\system32\drivers\PCI.sys [L] Win32:Alureon-FZ (0)
File was successfully deleted…
C:\WINDOWS\system32\drivers\PCI.sys [L] Win32:Alureon-FZ (0)
C:\WINDOWS\system32\drivers\pci.sys [L] Win32:Alureon-FZ (0)
C:\WINDOWS\system32\drivers\PCI.sys [L] Win32:Alureon-FZ (0)
File was successfully deleted…
C:\WINDOWS\system32\drivers\pci.sys [L] Win32:Alureon-FZ (0)
File was successfully deleted…
C:\WINDOWS\system32\drivers\PCI.sys [L] Win32:Alureon-FZ (0)
File was successfully deleted…
C:\WINDOWS\system32\drivers\PCI.sys [L] Win32:Alureon-FZ (0)
File was successfully deleted…
C:\WINDOWS\system32\drivers\PCI.sys [L] Win32:Alureon-FZ (0)

  • avast! Report
  • This file is generated automatically
  • Task ‘Resident protection’ used
  • Started on 11 May 2010 20:58:38
  • VPS: 100501-1, 01/05/2010
  • Task stopped: 11 May 2010 21:16:41

  • Run-time was 18 minute(s), 3 second(s)

  • avast! Report
  • This file is generated automatically
  • Task ‘Resident protection’ used
  • Started on 11 May 2010 21:17:35
  • VPS: 100501-1, 01/05/2010
  • Task stopped: 11 May 2010 21:52:49

  • Run-time was 35 minute(s), 14 second(s)

  • avast! Report
  • This file is generated automatically
  • Task ‘Resident protection’ used
  • Started on 11 May 2010 21:58:20
  • VPS: 100511-1, 11/05/2010
  • Task stopped: 11 May 2010 22:05:19

  • Run-time was 6 minute(s), 59 second(s)

  • avast! Report
  • This file is generated automatically
  • Task ‘Resident protection’ used
  • Started on 12 May 2010 17:55:14
  • VPS: 100511-1, 11/05/2010

I recommend following this guide from Essexboy and posting the logs here so he can have a look:
http://forum.avast.com/index.php?topic=53253.0

If the log is big: bottom left corner, Additional Options > Attach.

File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\S0NA9AAR\us1[1].htm is infected by JS:Prontexi-AV [Trj]
Ads poisoning – JS:Prontexi http://blog.avast.com/2010/02/18/ads-poisoning-–-jsprontexi/

Hi, it looks like the latest TDSS variant. Do not use System Restore as it may wipe your services.
C:\WINDOWS\system32\drivers\PCI.sys: this is a system file that is infected and needs to be replaced, not deleted.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
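Added example, not from the thread, avast or ComboFix: a small Python script that reads a resident-protection report of the shape pasted in the first post and flags the pattern Essexboy is describing, a detection on the same path that comes straight back after "File was successfully deleted". It normalises the path case (NTFS paths are case-insensitive, so PCI.sys and pci.sys in the log are one file) and treats anything under \WINDOWS\system32\drivers as a Windows driver that must be replaced from a clean copy rather than deleted; pci.sys is a boot-start driver that enumerates the PCI bus, and deleting it is what produces the STOP 0x0000007B (INACCESSIBLE_BOOT_DEVICE) blue screen on the next boot. The report excerpt inside the code is constructed to match the format of the log above; the regular expressions are an assumption based on that excerpt, not a documented avast format.

```python
import re

# Constructed sample report, shaped like the avast 4.8 "Resident protection" log
# pasted in the thread: a detection line, then an optional action line.
SAMPLE_REPORT = """\
C:\\WINDOWS\\system32\\drivers\\PCI.sys [L] Win32:Alureon-FZ (0)
File was successfully deleted...
C:\\WINDOWS\\system32\\drivers\\pci.sys [L] Win32:Alureon-FZ (0)
File was successfully deleted...
C:\\WINDOWS\\system32\\drivers\\PCI.sys [L] Win32:Alureon-FZ (0)
C:\\WINDOWS\\system32\\drivers\\pci.sys [L] Win32:Alureon-FZ (0)
File was successfully deleted...
C:\\Documents and Settings\\someone\\Local Settings\\Temp\\drop.tmp [L] Win32:Trojan-gen (0)
File was successfully moved to chest...
"""

# Line shapes assumed from the excerpt above (not a documented avast format).
DETECTION_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \[(?P<flag>[A-Z])\] (?P<name>\S+) \(\d+\)$")
ACTION_RE = re.compile(r"^File was successfully (?P<action>deleted|moved to chest|repaired)")

DRIVERS_DIR = "\\windows\\system32\\drivers\\"


def parse_report(text):
    """Turn the report into a list of detection events with the action taken, if any."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        m = DETECTION_RE.match(line)
        if m:
            events.append({"path": m.group("path"), "name": m.group("name"), "action": None})
            continue
        a = ACTION_RE.match(line)
        if a and events:
            events[-1]["action"] = a.group("action")
    return events


def summarize(events):
    """Per file: how often it was detected, how often deleted, and how often it was
    detected again right after a successful deletion (i.e. something put it back)."""
    summary = {}
    for ev in events:
        key = ev["path"].lower()  # NTFS paths are case-insensitive: PCI.sys == pci.sys
        s = summary.setdefault(key, {
            "detections": 0, "deleted": 0, "reappeared": 0,
            "names": set(), "system_driver": DRIVERS_DIR in key, "last_action": None,
        })
        if s["last_action"] == "deleted":
            s["reappeared"] += 1
        s["detections"] += 1
        s["names"].add(ev["name"])
        if ev["action"] == "deleted":
            s["deleted"] += 1
        s["last_action"] = ev["action"]
    for s in summary.values():
        s["names"] = sorted(s["names"])
        del s["last_action"]
    return summary


def verdict(s):
    """Plain-language reading of one file's summary."""
    if s["system_driver"] and s["reappeared"]:
        return ("Windows driver keeps coming back after deletion: a rootkit is restoring it. "
                "Replace the file from a clean copy (offline / recovery console), do not delete it.")
    if s["reappeared"]:
        return "File reappears after deletion: find the process or service that recreates it."
    if s["system_driver"]:
        return "Windows driver flagged: replace from a clean copy rather than delete."
    return "Single detection, handled by the on-access scanner."


if __name__ == "__main__":
    for path, s in summarize(parse_report(SAMPLE_REPORT)).items():
        print(f"{path}\n  detected {s['detections']}x, deleted {s['deleted']}x, "
              f"reappeared {s['reappeared']}x, {', '.join(s['names'])}\n  -> {verdict(s)}")
```

Run it against a real report by replacing SAMPLE_REPORT with the file contents; a driver that reports "reappeared" more than zero times is the one to replace from a known-good copy, not to keep deleting.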

Thanks guys for your speedy replies,
A virus you can get simply from seeing adverts? That's worse than swine flu!

I had already downloaded ComboFix before posting but was unwilling to run it without pro advice… so thanks again essexboy.

What about the boot time scan problem? Is there an advantage to downloading the latest avast 5 free rather than the 4.8?

These and many other questions…

Attached is the combofix log.

Hi, there are a few more bits to kill but the main one has gone:

Infected copy of c:\windows\system32\drivers\pci.sys was found and disinfected
Restored copy from - Kitty had a snack :p

  1. Please open Notepad
    • Click Start, then Run. Type notepad.exe in the Run box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:


Folder::
c:\documents and settings\Leo Kirkman\Application Data\Orobs
c:\documents and settings\Leo Kirkman\Local Settings\Application Data\avG
c:\documents and settings\All Users\Application Data\avG

Renv::
c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Dell\Media Experience\DMXLauncher .exe
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Java\jre1.6.0_07\bin\jusched .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\QuickTime\QTTask   .exe
c:\program files\Syncrosoft\POS\H2O\cledx .exe
c:\program files\Yahoo!\browser\ybrwicon .exe

  3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

  4. Save the above as CFScript.txt

  5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

  6. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
    • Combofix.txt
    • A new OTL log.

Hi,
Sorry for the delay in replying but I cannot get to my computer every evening.
I thought I’d done ok but it seems not.
Thanks for your continued input.
Here are the requested logs attached:

BTW, every time I boot up, Hitman Pro finds that Internet Explorer (not my default browser) is using the proxy server 127.0.0.1:5555.
It asks to repair, which it then does, but the same thing happens on reboot. Any connection to the previous problem?

I see that you ran TDSSKiller; could I see the log please?

Also, before we answer the rest of your questions, we need to ensure you are clear: what problems do you have now?

Hi essexboy,
I was just editing my previous post with what Hitman Pro finds as you replied, but I haven't tried it yet since the last scan. Will try that now. As yet I have found no other symptoms.
I have five logs from TDSSKiller so I guess I must have run it five times. I will include the latest dated ones, so let me know if you want to see any of the others.

That was the older version of TDSSKiller, which does not kill the newer versions.

Let's look at the proxy next as that is malicious, although OTL gave no indication of that.

Go to Control Panel and select Internet Options
Select the Connections TAB
Select LAN settings button
Ensure there is no tick in the Proxy Server box
Select OK and restart Internet explorer

And for Firefox there are instructions on this page and you want the setting to be no proxy

Yes, both IE and Firefox already have those settings, but I don't know if maybe Hitman Pro changed the IE settings when it 'fixed' the proxy settings, because it is still finding that problem when it scans after a reboot. Should I not let it repair them and see what it says then?

If there is no proxy in Internet Options then that should be OK. I am not a great fan of Hitman Pro.

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Please download Malwarebytes’ Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select “Perform Quick Scan”, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Must go now but I will hopefully have time to do that scan tomorrow. I’ll let you know the results as soon as… Thanks for your sterling work once again.

No probs I am off to bed now ;D

Hi again,
Mbam comes up clean at latest scan (see attached).
Still getting the same warning from hitman pro but no other symptoms that I can as yet tell.

Can't find the log folder for MBAM - driving me nuts.

Found!

So hitman pro continually finds that one entry ? Yet when you go to IE options all the settings are correct. Do you have additional users on this system ?

Yes, good point, didn’t think of that. My wife has an admin profile and there is a guest profile too. Neither will have been used since the first infection except I may have once logged in as my wife in order to get admin rights when the virus first locked me out of my profile. Do you think her profile may be infected too?

Run OTL again - it does not matter from which account

  • Check the box that says Scan All Users

Then post the log that appears
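Added example, not part of the thread or of any of the tools mentioned in it: the Internet Explorer proxy that Hitman Pro keeps reporting is a per-user setting, stored under each profile's HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings key (ProxyEnable, ProxyServer, and AutoConfigURL for a proxy script), so the Internet Options dialog only shows the setting of the account you are logged in to. This is why Essexboy's question about additional users matters. The Python below parses a .reg dump of the shape produced by `reg export HKU hku.reg` (reg.exe ships with XP; the file is UTF-16 text, and only the hives of currently loaded profiles plus .DEFAULT appear under HKEY_USERS) and lists every hive's proxy configuration, flagging a proxy that points at 127.0.0.1 or localhost, which is the shape of the 127.0.0.1:5555 entry in this thread. The registry dump embedded in the code is constructed, with invented SIDs and values.

```python
import re

# Constructed sample in .reg format (what `reg export HKU hku.reg` writes). SIDs and
# values are invented; only the Internet Settings keys matter for this check.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
"ProxyServer"=""
"MigrateProxy"=dword:00000001

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="127.0.0.1:5555"
"ProxyOverride"="<local>"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.*)$')
INET_SETTINGS = "\\software\\microsoft\\windows\\currentversion\\internet settings"


def _decode_value(val):
    """Decode the dword and string forms used in .reg files; other types are left raw."""
    if val.startswith("dword:"):
        return int(val[6:], 16)
    if val.startswith('"') and val.endswith('"'):
        return val[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return val


def parse_reg(text):
    """Return {key_path: {value_name: value}} for every key in a .reg dump."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group("key"), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m.group("name")] = _decode_value(m.group("val"))
    return keys


def _proxy_hosts(server):
    """Hosts named in a ProxyServer value: 'host:port' or 'http=host:port;https=host:port'."""
    hosts = []
    for entry in server.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if "=" in entry:  # per-protocol form
            entry = entry.split("=", 1)[1]
        hosts.append(entry.rsplit(":", 1)[0].lower())
    return hosts


def proxy_settings(keys):
    """One record per hive under HKEY_USERS that carries an Internet Settings key."""
    records = []
    for key, values in keys.items():
        if not key.lower().endswith(INET_SETTINGS):
            continue
        hive = key.split("\\")[1]  # the SID, or .DEFAULT
        server = values.get("ProxyServer", "")
        enabled = values.get("ProxyEnable", 0) == 1
        loopback = enabled and any(h == "localhost" or h.startswith("127.") for h in _proxy_hosts(server))
        records.append({
            "hive": hive,
            "proxy_enabled": enabled,
            "proxy_server": server,
            "auto_config_url": values.get("AutoConfigURL", ""),
            "loopback_proxy": loopback,
        })
    return records


def load_reg_file(path):
    """reg export writes UTF-16 with a BOM; Python's utf-16 codec handles it."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


if __name__ == "__main__":
    for r in proxy_settings(parse_reg(SAMPLE_REG)):
        flag = "  <-- local interception proxy" if r["loopback_proxy"] else ""
        print(f"{r['hive']}: enabled={r['proxy_enabled']} server={r['proxy_server']!r} "
              f"pac={r['auto_config_url']!r}{flag}")
```

Because HKEY_USERS only holds loaded hives, a profile that nobody is logged in to (the wife's account here) will not be in the export; either log in as that user and export again, or load its NTUSER.DAT with `reg load` before exporting. A proxy that is re-set on every boot even though the logged-in user's hive is clean points at something restoring it at start-up, which is what the OTL all-users scan is meant to surface.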

Done

Gotta get some sleep. I'll get back on tomorrow if I get a chance. Thanks once more.