Got a Win32 Trojan-gen and Win32 Alureon virus, it's shutting my PC down. Help!

Avast has the red icon come up, all the icons on the desktop to do with security have gone to blue/white squares. When I try to run them I'm not able to; I downloaded them onto a key and re-ran them, they start then shut down. This includes SUPERAntiSpyware / Avast Free / Malwarebytes / Dr.Web. CCleaner works though. Cannot get on the internet either, but can use mail. Is this the Alureon one that steals all your passwords and banking etc.!!!
When I try to run scans: "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item", and also "Windows Installer has insufficient privileges to modify". When I click the Avast Free icon the square comes up with "the aavm subsystem detected an RPC error" also.

Tried the Windows removal tool, but it started the scan then stopped, then the icon changed to the blue and white square. Scanning now with the Avast cleaner.

Have you tried running your security tools in safe mode?

Yes, they don't work there either and the icons stay the same blue and white.

I think a rescue disk may be the thing for you, but wait for DavidR or Tech; they may have a solution for you.

Pondus, don't put all your hope in me… I'm not an expert on cleaning.
In this case, I really do not understand what is happening. I mean, there are a lot of malware behaviors but I can't really "see" the solution.

If it helps, if a virus is recurring (coming back again and again), you could follow the general cleaning procedure:

  1. Clean your temporary files. You can use CleanUp or CCleaner for that.

  2. Schedule a boot-time scan with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select scanning of archives. Reboot. The other option is scanning in Safe Mode (repeatedly press F8 while booting).
    If avast does not detect it, you can try DrWeb CureIT! instead.

  3. It will be good if you download, install, update and run MBAM (or SUPERantispyware or even SpywareTerminator).
    If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
    About legit antispyware applications or the bad ones see here.

  4. If you are still detecting any strange behavior, or even if you're sure you're not clean, it may be good to test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster for XP/Vista. For XP only: Panda.

  5. Also, if you are still detecting strange behaviors or you want to be sure you're clean, consider making a HijackThis log to post here or at this analysis site. Or even submit the RunScanner log to on-line analysis.

  6. Browser hijacking and problems with antivirus updates can be managed in some scenarios by cleaning the hosts file (in the C:\windows\system32\drivers\etc folder). The file does not have an extension; it's simply hosts.
    The default file consists of a number of example lines preceded with # . The only required line is
    127.0.0.1 localhost
    You can get a good replacement with HostsMan, which keeps it clean (avoids infections) and updated: http://www.abelhadigital.com

  7. After you're clean, disable System Restore on Windows ME, XP or Vista. System Restore is not available in Windows 9x and 2k. After disabling it you can enable it again.

  8. Use the immunization of SpywareBlaster.

  9. Finally, when you’re clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.
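Step 6 above says a hijacked hosts file is one way malware blocks antivirus updates and redirects browsers, and that the only required line is `127.0.0.1 localhost`. The following auditor is an added example and not code from this thread or from any of the tools named in it: it parses a hosts file the way the Windows resolver does (one IP, one or more names, `#` comments), reports every mapping other than the localhost line, separately flags mappings for well-known security-vendor domains (an assumed list, extend it as needed), and can write a minimal clean replacement. The sample hosts content embedded in the block is constructed for the demonstration; the default path is the XP/Vista location the post names.

```python
"""Audit a Windows hosts file for hijacked entries (added example).

Not code from the original thread. The vendor-domain list and the
sample hosts text below are assumptions constructed for the demo.
"""
import sys
from pathlib import Path

# Location named in the thread for XP/Vista (assumed default).
DEFAULT_HOSTS = Path(r"C:\WINDOWS\system32\drivers\etc\hosts")

# Assumed watch list: domains that AV products and rescue tools are fetched from.
SECURITY_DOMAINS = (
    "avast.com", "malwarebytes.org", "superantispyware.com", "drweb.com",
    "freedrweb.com", "microsoft.com", "windowsupdate.com", "kaspersky.com",
    "pandasecurity.com", "norman.com", "symantec.com", "mcafee.com",
)
LOOPBACK = {"127.0.0.1", "::1"}
LOCAL_NAMES = {"localhost"}

# Constructed sample: a default-looking file with two hijacks and one LAN entry.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1 www.avast.com   # constructed hijack: update server sent to loopback
0.0.0.0 malwarebytes.org
10.0.0.5 fileserver       # legitimate LAN entry, still listed for review
"""


def parse_hosts(text):
    """Yield (line_no, ip, [names]) for every active mapping line."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                              # malformed, resolver ignores it
        yield n, parts[0], [p.lower() for p in parts[1:]]


def _is_security_domain(name):
    return any(name == d or name.endswith("." + d) for d in SECURITY_DOMAINS)


def audit_hosts(text):
    """Return {'suspicious': [...], 'hijacked_security': [...]} of (line, ip, name)."""
    suspicious, hijacked = [], []
    for n, ip, names in parse_hosts(text):
        for name in names:
            if ip in LOOPBACK and name in LOCAL_NAMES:
                continue                          # the one required mapping
            entry = (n, ip, name)
            suspicious.append(entry)              # anything else needs a human look
            if _is_security_domain(name):
                hijacked.append(entry)            # classic AV-update blocking
    return {"suspicious": suspicious, "hijacked_security": hijacked}


def clean_hosts(text):
    """Return replacement content: comments kept, all mappings dropped except
    loopback->localhost, which is added if it was missing."""
    kept, has_localhost = [], False
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(raw)                      # comments and blank lines survive
            continue
        parts = stripped.split("#", 1)[0].split()
        if (len(parts) >= 2 and parts[0] in LOOPBACK
                and all(p.lower() in LOCAL_NAMES for p in parts[1:])):
            kept.append(raw)
            has_localhost = has_localhost or parts[0] == "127.0.0.1"
    if not has_localhost:
        kept.append("127.0.0.1 localhost")
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # Usage: python hosts_audit.py [path]; with no path the constructed sample is used.
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_HOSTS
    report = audit_hosts(text)
    for n, ip, name in report["suspicious"]:
        tag = "HIJACK" if (n, ip, name) in report["hijacked_security"] else "review"
        print(f"line {n}: {ip} -> {name}  [{tag}]")
    print(f"{len(report['hijacked_security'])} security-vendor hijack(s) found")
```

Run it against the real file from a rescue environment or a USB key (`python hosts_audit.py C:\WINDOWS\system32\drivers\etc\hosts`). An infected file usually shows dozens of vendor domains pointed at 127.0.0.1 or some remote address; a LAN entry like the `fileserver` line is listed too, so check the report before overwriting the file with `clean_hosts()` output. The file is normally read-only and, on this kind of infection, may have had its permissions altered, so write the replacement as an administrator.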

Hi pondus,

The rescue disk of choice is Hiren's, and the download link will be found via this link: http://www.hirensbootcd.net/
Hiren's Boot CD is a boot CD containing various diagnostic programs such as partitioning agents, system performance benchmarks, disk cloning and imaging tools, data recovery tools, MBR tools, BIOS tools, and many others for fixing various computer problems. It is a bootable CD; thus, it can be useful even if the primary operating system cannot be booted. Hiren's Boot CD has an extensive list of software. Utilities with similar functionality on the CD are grouped together and seem redundant; however, they present choices through UI differences and options in what they can do.

Hiren’s BootCD
All-in-one DOS bootable CD which has all these utilities: Partition Tools, Disk Clone Tools, Antivirus Tools, Recovery Tools, Testing Tools, Hard Disk Tools etc.

Look Here for List of Included tools:
Read Included BootCD.txt or See BootCD.nfo

Hiren’s BootCD 10.0 Changes from 9.9

Hiren’s BootCD 10.0

+InfraRecorder 0.50
-ExpressBurn
+TestDisk for windows
+PhotoRec for windows
+Virtual Floppy Drive 2.1
+HxD 1.7.7.0
+FastCopy 1.99r4
+Angry IP Scanner 2.21
+TCPView 2.54
+OpenedFilesView 1.40
+ProcessActivityView 1.10
+RegScanner 1.77
+USBDeview 1.42
+Streams 1.56
+RemoveWGA 1.2
+RRT - Remove Restrictions Tool 3.0
Intel Matrix Storage Driver iastore.sys 8.9.0.1023 (Minixp)
PE Network Manager 0.45 (Minixp)
Security Tab (Minixp)
Pointsec Filter driver (Minixp)
Double Driver 2.1
GetDataBack 4.0
EASEUS Partition Master 4.0.1
TrueCrypt 6.2a
HDD Regenerator 1.71
Recuva 1.29.429
Unstoppable Copier 4.2
IsMyLcdOK (Monitor Test) 1.02
Samsung The Drive Diagnostic Utility (ESTOOL) 3.00g
IBM/Hitachi Drive Fitness Test 4.15
HDD Scan 3.2
System Analyser 5.3w
Astra 5.43
HWiNFO 5.3.0
CPU Identification utility 1.17
PC Wizard 2009.1.90
SIW 2009-07-28
CPU-Z 1.52
ProduKey 1.36
Wireless Key View 1.27
Content Advisor Password Remover 1.01
MessenPass 1.26
CCleaner 2.23.993
CurrPorts 1.66
Autoruns 9.53
Ultimate Windows Tweaker 2.0
Xp-AntiSpy 3.97.4 beta
ShellExView 1.40
Kaspersky Virus Removal Tool 7.0.0.290 (2908)
Malwarebytes’ Anti-Malware 1.40 (2908)
SpywareBlaster 4.2 (2908)
SmitFraudFix 2.423
PCI 32 Sniffer 1.4 (2908)
PCI and AGP info Tool (2908)
Unknown Devices 1.2 (2908)
ComboFix (2908)
Spybot - Search & Destroy 1.6.2 (2908)
SuperAntispyware 4.27 (2908)
www.hiren.info/bootcd

ISO MD5: d81669070c5d1a0c4b2a4daac0ef1cab

Installation and Use:

  1. UnRAR
  2. Burn Hiren’s.BootCD.10.0.iso to CD
  3. Put CD in CD/DVD Drive and Reboot PC
  4. Choose the tool you wish to use from the menu.
  5. Enjoy !!!

For keyboard Patch Instructions read ReadMe.txt in KeyboardPatch folder.

ISO Tools Included In Create Your ISO Folder (Read ReadMe.txt for Instructions).

Burning tools included.

You might need the assistance of a qualified malware eliminator here to work the specific tools.

polonus

Already done the CCleaner, can't get Avast to work at all, can only get the log viewer up. Have updated Malwarebytes and SUPERAntiSpyware via memory key; they run for a few seconds then close down. Did Dr.Web CureIt, it starts then stops. Going to try the Panda next. Will get back to you.

Hi Polonus

Isn't that a very complicated rescue disk? Wouldn't something like these be easier?
http://www.askvg.com/download-free-bootable-rescue-cds-from-kaspersky-bitdefender-avira-f-secure-and-others/

Maybe worth a try is Norman Malware Cleaner; it often runs when others don't since it does not need to be installed.
You download and save it to the desktop, and run it from there in Safe Mode.

http://www.norman.com/support/support_tools/58732/en

Hi pondus,

Hiren's is for the more advanced user. This could also be a solution, spicyleboratory:
http://www.spicylemon.nl/spicyleboratory (combination downloadable tool with Eset Nod32 and Hitman Pro)

Clean according to DrWeb's AV link checker. Checking: http://www.spicylemon.nl/spicyleboratory//ScriptResource.axd%3Fd=9Is5_azyuko3y1_OHm7MaI8MyjIYWJIY2Js4XypcBuYrb_9k_gW7L7at4Crq7wkutHt4A_7IJ34OgiT0PqsGm7Bcr7qUGcMueXhfIebB5e81&t=ffffffffb0c997d6
File size: 17.00 KB
File MD5: e5ac1bb72a6105d5a407b1c88f994603
and report by Wepawet: http://wepawet.cs.ucsb.edu/view.php?hash=001a244bab57b6095bc0b4e7e5a73299&t=1254433329&type=js

polonus

Avast cleaner has come up with this so far; waiting for this to finish, then I will run the Panda application.

C:\WINDOWS\system32\drivers\fidbox2.dat… file could not be scanned!
C:\WINDOWS\system32\drivers\fidbox2.idx… file could not be scanned!
C:\WINDOWS\system32\drivers\sptd.sys… file could not be scanned!
D:\Documents and Settings\All Users\Documents\Recorded TV\TempRec{6AC5CA1C-B35D-4860-B866-0444096E8BCE}.TmpSBE… file could not be scanned!
D:\Documents and Settings\All Users\Documents\Recorded TV\TempRec{C3CA8E32-8D55-4B02-A188-E7BA62C57EBC}.TmpSBE… file could not be scanned!
D:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\MSDVRMM_4228230278_126681088_17711… file could not be scanned!
D:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\MSDVRMM_4228230278_8781824_17850… file could not be scanned!

No virus body found.
Drives C and D.
Will try the Norman one first; I have to download it onto my key as I have no internet access.

Hi acute18,

Verdict is a Virtumonde infection. Wait for someone to perform a ComboFix script fix.

polonus

Hi, could you run these two programmes so that I can see what you have?

Please save this file to your desktop. Double-click on it to run a scan. When it’s finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

We need to check for rootkits with RootRepeal.

  1. Download RootRepeal from the following location and save it to your desktop.
    Zip Mirrors (Recommended): Primary Mirror, Secondary Mirror.
    Rar Mirrors (only if you know what a RAR is and can extract it):
    Primary Mirror: http://ad13.geekstogo.com/RootRepeal.rar
    Secondary Mirror: http://rootrepeal.psikotick.com/RootRepeal.rar
  2. Extract RootRepeal.exe from the archive.
  3. Open RootRepeal on your desktop.
  4. Click the Report tab.
  5. Click the Scan button.
  6. Check all seven boxes.
  7. Push Ok.
  8. Check the box for your main system drive (usually C:), and press Ok.
  9. Allow RootRepeal to run a scan of your system. This may take some time.
  10. Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Tried the HijackThis, and couldn't get it to carry on as it just stops and disappears. Have downloaded Panda, just doing a complete scan. Essexboy, I'm not on my PC, I'm on my laptop as I have no internet access. I can get emails, that's all. Will copy what you said and email it to my PC and try it from there.

OK, it looks like you have one of the later variant TDSS rootkits. Once I see the logs I will be able to kill it, but be aware it does mess with the permission settings on your system, so we may have to repair them. To reduce this, try not to run any programmes that you do not need to.

I am going offline now, Claire, and will be back after work tomorrow at about 6.

If the logs are large, then can you upload them to MediaFire and post the sharing link?

http://www.mediafire.com/?sharekey=161ea837b76b42c89bf8d6369220dcab491fbb5f0e495bcab16e5c9d3b204475
Hope this works. I'm away for the weekend, so speak Sunday. Thank you.

Will try the other thing you said, root.

OK, did the root thing; it started scanning then stopped and disappeared. Tried to restart it again: "Windows cannot access the specified device, path or file. You may not have the permissions to access the item" came up in a box. Tried the anti-rootkit but it stopped for this also, previously. Will be back Sunday; going to try ComboFix as well.

I have disabled Avast at last and ran ComboFix. The box came up with the dots going up to initiate the scan, the black text box has opened and has a flickering underscore there, but nothing else, just plain black, and it has been like this for 20 minutes. Is this scanning my PC or do you think it's stuck? I restarted it again, same thing happening. Help!! Now over an hour and still nothing in the black text box. Polonus/anybody/essexboy.