Help Removing MBR:Alureon-N [Rtk]

I am trying to clean my wife’s computer and I cannot seem to remove this one. Avast will not let me delete or quarantine it and Malwarebytes does not find anything when I use it.

I ran aswMBR and Farbar, logs attached.

Any suggestions on how to remove it?

Eh no.
The logs are not attached.
Please do so :wink:

Let's try this time…

OK, we will do this in two stages. First we will remove TDL4.

Download the latest version of TDSSKiller from here and save it to your Desktop.

- Double-click on TDSSKiller.exe to run the application.

https://dl.dropbox.com/u/73555776/tdss%20start.JPG

- Then click on Change parameters.

https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG

- Check the boxes beside Verify Driver Digital Signature, Detect TDLFS file system and Use KSN to scan objects, then click OK.

- Click the Start Scan button.

- If a suspicious object is detected, the default action will be Skip; click on Continue.

https://dl.dropbox.com/u/73555776/tdss%20threat.JPG

- If malicious objects are found, they will show in the Scan results and offer three (3) options.
- Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

- Get the report by selecting Reports.

https://dl.dropbox.com/u/73555776/tdss%20report.JPG

- Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

Please attach the log with your next reply.

TDSSKiller did not give me an option to restart; instead this dialog box popped up.

I also attached the log.

Yes, allow TDSSKiller to rewrite the MBR. Also select Delete for the following elements:

18:19:59.0386 0x0924 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
18:19:59.0386 0x0924 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip

Please re-run TDSSKiller.

Here is the new log.

How is the computer behaving at the moment?

It does seem to be running a little better. Finally letting me install updates.

Grand, could you now run a fresh FRST scan for me please and attach the log?

Here you go!

All should be good after this.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open Notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
2011-02-27 18:29 - 2011-02-27 18:29 - 0000000 _____ () C:\Users\Louisa\AppData\Local\Bhilogewusuyanam.bin
2011-02-20 20:48 - 2011-02-21 03:28 - 0011202 _____ () C:\Users\Louisa\AppData\Local\mt1g23v02b57q6ihcw1k2qu8485u81yu7lpn7536y43s
2011-02-27 18:29 - 2011-02-27 18:29 - 0000120 _____ () C:\Users\Louisa\AppData\Local\Vgaletiyogovitog.dat
2011-02-20 20:48 - 2011-02-21 03:28 - 0011202 ___SH () C:\ProgramData\mt1g23v02b57q6ihcw1k2qu8485u81yu7lpn7536y43s
2011-02-05 18:09 - 2011-02-06 15:36 - 0000544 _____ () C:\ProgramData\vtJXIZgXe4VNKVW
2011-02-05 18:04 - 2011-02-06 15:30 - 0000040 _____ () C:\ProgramData\~vtJXIZgXe4VNKVW
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt in the same location as FRST.exe.

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.