One of “my” machines is, I think, still infected with MBR:Alureon B rtk. I am running Windows 7 and was able to run Windows updates on it, delete some suspicious programs and then run Avast. I then ran a boot time scan on the machine. This first run came up with 2 incidents of Alureon B and 2 of his buddies, PUPs and ADW. Round 2: boot time scan, 4 Alureon B incidents, 2 unknown in my removable E drive and a variety of PUP and ADW. I am going to post this knowing some amazing person on this forum would like to help me find a way to remove this and the worried looks on my parents' faces. In the meantime I will enter using safe mode and remove unwanted programs that are corrupted. I do not have logs from my 2 scans, only the reports that Avast supplies. I will post screenshots shortly.
I know that this guy is still in the root/boot files; the 2nd scan ran at like midnight and found it again.
I am rerunning a scan now; however, if any of you gentlemen know of a good rootkit scanner/logger I would love the advice. Not complicated. I didn’t notice till I had uploaded pix that there are issues with the detachable hard drive. It is currently unplugged. I am trying to do this for my parents' machine and think I will just buy them a new external after I get the tower fixed up. All help is appreciated.
- How was it detected? What was scanning, you yourself or the background scanner?
I knew it was infected when I saw the browser change sites.
- Did the message come from the avast Network Shield or Webshield, or were you alerted via an avast Webreputation alert? When did the message occur: on a download, unzipping, opening a file, mail or mail attachment, etc.?
No message, I downloaded avast for my parent and ran a boot scan.
- A capture of the message screen as image can be helpful, or what the message says and where the suspicious file was detected.
see above
- What was the source of the file, where did the file come from? E.g. address, URL, source.
I think it was proly an email or maybe some crap site my dad clicked on.
- When was it downloaded or received?
idk
- What is the exact file name with extension?
idk
- What was the exact wording of the message that the AV program came up with? This is important for later. Right-click the avast ball and left-click Show last pop-up message!
Avast is currently running and I installed it post infection.
- Now go back and do nothing yet. Scan the particular file once again with your AV product.
scanning rt now
A. The message is in the same wording: maybe positive alert
I wish this was a false positive, sadly it is not
B. If the message is not in the same wording or the scan does not find anything, this could be a false positive.
- Check with an online scanner or upload to VirusTotal for a second opinion. VT resides at http://www.virustotal.com/index.html
You can do a URL scan or file scan. Also give the MD5 hash that is given further down the scan result page under additional information. This can help to identify the malware file.
Other scan results can be found for a suspicious URL or link at: http://vscan.urlvoid.com/file/
For file scans alternative scanners are: VirSCAN http://virscan.org/ and Metascan http://www.metascan-online.com/
or you can ask on the forums to have the URL or link in question scanned with various scanners. A FP is more likely if the file is only flagged by avast and GData.
- Go get informed: ask a Virus Encyclopedia or Virus Central. Remember Google is your best friend; also put a question on a forum.
- Make an informed decision on the basis of what you have found.
- Inform others about what you have learned; if the file came from a reliable source, author, programmer etc. send a friendly e-mail with your findings. Also send a mail to virus AT avast dot com. If you send a suspicious file there for detection, password-zip it as an attachment and put the password in the mail. This will help us all, and in case of a non-detect avast will add it to avast detection or, in the case of a false positive, remove that with a next virus update.
Sorry, I did not read the Mod/admin directions before posting, my bad. Working on it now.
Here are the logs.
To ensure that Alureon has gone, run this whilst I look at the logs.
Download the latest version of TDSSKiller from here and save it to your Desktop.
- Double-click on TDSSKiller.exe to run the application
https://dl.dropbox.com/u/73555776/tdss%20start.JPG
- Then click on Change parameters.
https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG
- Check the boxes beside Verify Driver Digital Signature, Detect TDLFS file system and Use KSN to scan objects, then click OK.
- Click the Start Scan button.
- If a suspicious object is detected, the default action will be Skip; click on Continue.
https://dl.dropbox.com/u/73555776/tdss%20threat.JPG
- If malicious objects are found, they will show in the Scan results and offer three (3) options.
- Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
- Get the report by selecting Reports
https://dl.dropbox.com/u/73555776/tdss%20report.JPG
- Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
Please copy and paste its contents on your next reply.
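The Verify Driver Digital Signature option in the steps above checks whether the drivers loaded on the machine carry a valid publisher signature. As an added illustration that is not part of essexboy's instructions or of the TDSSKiller tool, the PowerShell script below does a rough manual version of that check: it lists every running kernel driver, resolves its image path, and reports those whose file is missing or whose Authenticode signature is not valid. It assumes Windows 7 or later with an elevated PowerShell prompt, and that the driver paths reported by WMI use the usual \??\, \SystemRoot\ or bare system32\ prefixes.

```powershell
# Added example, not from the forum thread: triage list of running kernel
# drivers whose image file is missing or not validly Authenticode-signed.
# Assumes an elevated prompt on Windows 7 or later (PowerShell 2.0+ cmdlets only).

$drivers = Get-WmiObject -Class Win32_SystemDriver | Where-Object { $_.State -eq 'Running' }

$results = foreach ($d in $drivers) {
    $path = $d.PathName
    if (-not $path) { continue }

    # Normalise the kernel-style path prefixes WMI reports into a normal file path
    $path = $path -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $path = $path -replace '^system32\\', "$env:SystemRoot\system32\"

    if (-not (Test-Path -LiteralPath $path)) {
        # A running driver whose file cannot be found on disk deserves a closer look
        New-Object PSObject -Property @{ Name = $d.Name; Path = $path; Status = 'FileMissing'; Signer = '' }
        continue
    }

    # Status is Valid for an embedded, trusted signature; anything else is flagged
    $sig = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    New-Object PSObject -Property @{ Name = $d.Name; Path = $path; Status = $sig.Status; Signer = $signer }
}

# Only show drivers that did not pass; a clean Valid entry is not interesting here
$results |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Name |
    Format-Table Name, Status, Signer, Path -AutoSize
```

Treat the output as a triage list, not a verdict. On Windows 7 many inbox Microsoft drivers are signed only through a catalog file, so Get-AuthenticodeSignature reports them as NotSigned even though they are legitimate, and a rootkit that hides its driver from the service list will not appear at all, which is why a dedicated tool such as TDSSKiller remains the right step. Entries with a missing file, an unusual path, or a signer you do not recognise are the ones worth mentioning in the thread.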
thank you! ALL BETTER
Hey, please attach the log from TDSSKiller and wait for essexboy to give you the information that your system is clear.
Even if your system does not show any symptoms, that does not mean your computer is clean.
Sorry, I am hella noob
Nothing readily apparent on the other logs … How is the computer behaving ?