Not able to remove virus

Hi,

There was something horribly wrong with my laptop.
Yesterday, I downloaded Avast and fortunately it could find something which McAfee could not find.

Now the issue is, Avast says:

Virus found
c:\windows\system32\gasfyyoxkvlxm.dll

when I click on move to chest, it says “cannot process as it is being used by other programs.”
I tried to delete permanently, it could not. I chose startup option.
It restarted, boot time scan started and even after that it could not remove.

I started in Safe Mode command prompt.
I checked this directory. I could not find any file named this.

Please help me, how to get rid of this?

Regards,
Ashish Shah

Hi,

I would recommend doing the following:

  1. Download and update Avast (http://files.avast.com/files/latest/avast_home_setup.exe)
  2. Download and update MBAM (http://www.malwarebytes.org/mbam-download.php)
  3. Disconnect your computer from the internet (i.e. pull the cable out or turn the router off)
  4. Run a boot-time scan with Avast
  5. Do a full scan with MBAM
  6. Download and update SAS (http://downloads.superantispyware.com/downloads/SUPERAntiSpyware.exe)
  7. Do a full scan with SAS
  8. Download CCleaner (http://www.ccleaner.com/download/builds/downloading-slim)
  9. Run CCleaner
  10. Download HJT (http://go.trendmicro.com/free-tools/hijackthis/HijackThisInstaller.exe)
  11. Run HJT and click 'Do a scan and save a logfile'

Post the results from Avast, MBAM, SAS and HJT here. The friendly Avast Forum members will be able to help you further :slight_smile:

Good luck!

Avastfan1

Hi Avastfan,

Thanks for your prompt reply. I shall perform these steps tonight and post results, as I am currently in Office.
One more point, which I forgot to post.
The error was also talking about

Win32-Alurecon-CY [Rtk] found in operating memory area below the dll error.

I hope the steps you told me to perform cater to this as well. Am I right?

Once again thanks a lot for your prompt response.

Regards,
Ashish Shah

Hi Ashpin,

That looks like a particularly nasty rootkit infection. A quick Google search shows many hits.

When you have completed the scans, post the results and the forum will help analyse the results.

Best wishes,

Avastfan1

Hi ,

I performed all of the steps repetitively and I guess my laptop is now cleaned up. It was full of viruses I guess.
Thanks for your guidance. I am grateful to you. All logs are attached with this mail. I request you to check the HijackThis log and let me know if I have to do anything more.

Regards,
Ashish Shah

Looks like SUPERAntiSpyware removed a rootkit and some tracking cookies that are nothing to worry about.

You did not let Malwarebytes (MBAM) remove what it found

Files Infected:
\\?\globalroot\systemroot\system32\gasfkyyoxkvlxm.dll (Trojan.FakeAlert) → No action taken.
C:\WINDOWS\system32\a99k.bin (Trojan.Goldun) → No action taken.
C:\WINDOWS\system32\Drivers\str.sys (Rootkit.Agent) → No action taken.
C:\Documents and Settings\MAJHAR\Favorites\MP3 Download.url (Rogue.Link) → No action taken.
C:\WINDOWS\system32\sebdpx.sys (Trojan.Goldun) → No action taken.
C:\WINDOWS\pxysdb.dat (Trojan.Goldun) → No action taken.

Run MBAM then let it remove what it finds then reboot to let it remove locked files.

I see you are still running Windows Service Pack 2 so you should install Windows Service Pack 3 that has been available for over a year and contains several Critical Security updates plus performance improvements.

You need to start Internet Explorer then go to Tools then Windows Update and download all of the available updates.

Also you should enable Automatic Updates or at least be notified that Updates are available.

Go to Control Panel then Automatic Updates then select Automatic (recommended) or at least Notify me but don’t automatically download or install them.

Go to Secunia Online Software Inspector then run it to see what other applications are vulnerable:
http://secunia.com/vulnerability_scanning/online
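As an added illustration (not code from this thread or from Malwarebytes), a small Python parser for the "Files Infected:" block quoted above: it flags the entries still marked "No action taken" and maps the \\?\globalroot\systemroot\ device path, which a rootkit can hide from the normal directory view, back to the C:\WINDOWS path. The log lines are constructed in that layout, with one action changed so the filter has something to skip.

```python
import re
from collections import Counter

# Constructed sample in the layout MBAM printed in the post above; paths and
# detection names are taken from that log, the third action is made up.
MBAM_LOG = r"""Files Infected:
\\?\globalroot\systemroot\system32\gasfkyyoxkvlxm.dll (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\a99k.bin (Trojan.Goldun) -> No action taken.
C:\WINDOWS\system32\Drivers\str.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\pxysdb.dat (Trojan.Goldun) -> No action taken.
"""

# "<path> (<detection>) -> <action>."  (the forum rendering shows the arrow as a glyph)
LINE_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) (?:->|\u2192) (?P<action>.+?)\.?$")

# NT object-manager prefix MBAM reports when it reached a file through the raw device
# namespace; a rootkit can hide that file from the Win32 view, hence "dir" showed nothing.
GLOBALROOT = re.compile(r"^\\\\\?\\globalroot\\systemroot\\", re.IGNORECASE)

def parse_mbam(log, windir=r"C:\WINDOWS"):
    """Return one dict per line of the 'Files Infected:' section."""
    entries, in_files = [], False
    for raw in log.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):          # section header, e.g. "Registry Keys Infected:"
            in_files = line == "Files Infected:"
            continue
        m = LINE_RE.match(line) if in_files and line else None
        if not m:
            continue
        path = m.group("path")
        gm = GLOBALROOT.match(path)
        entries.append({
            "path": path,
            "hidden": gm is not None,           # only reachable via the device path
            "win32_path": windir + "\\" + path[gm.end():] if gm else path,
            "detection": m.group("detection"),
            "action": m.group("action"),
        })
    return entries

def pending(entries):
    """Files MBAM found but did not remove: what a second run must still clean."""
    return [e for e in entries if e["action"].lower().startswith("no action")]

def families(entries):
    """How many files each detection name accounts for."""
    return Counter(e["detection"] for e in entries)
```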

Hi,

That was the first log.
I did boot time and then again windows scan. The result was no infected items.
But to give this forum the exact issues, I uploaded the first log.
Yes, you are right. I will apply service pack 3 updates.

Thanks for your gentle suggestion. :slight_smile:

Regards,
Ashish Shah

Your HJT log shows the following:

  1. You are using Windows XP Service Pack 2. A newer Service Pack (SP3) is already available for download via Microsoft Update. Please consider upgrading as soon as possible for the possible security patches and stability fixes.

  2. You seem to use Windows XP's firewall or no firewall at all. You may enhance your protection by installing a firewall with Outbound Protection, which XP's firewall does not support. Examples of good firewalls are:

    - PcTools
    - Agnitum Outpost
    - Online Armor

  NOTE: Do not install two or more firewalls.

  3. R3 - URLSearchHook: Mininova-Vuze Toolbar - {d51d388b-f5dc-471a-a1ce-5e2d671091c0} - C:\Program Files\Mininova-Vuze\tbMin1.dll
  This is a Mininova toolbar linked with Vuze. If you did not intentionally install this, you may fix this entry and uninstall the toolbar.

Hi,

Thanks for your reply.
I shall take care for 1 & 2.

How do I fix 3 [Mininova]? I tried to uninstall Mininova, but it is not getting uninstalled.

I appreciate your help.

Regards,
Ashish Shah

Mininova could probably be linked with Vuze. Do you remember having an option to install toolbars during your Vuze installation? If yes, then Mininova could probably be uninstalled together with Vuze.