I started having trouble with the “Total Security” virus / Malware on 9/30/09.
I have a rootkit: Win32:Alureon-DA [Rtk].
On 9/30/09 I got the Total Security virus / Malware, with a Sea Blue Start Up Screen and message in Red.
I clicked on the Avast! 4.8 icon on my Start Up Screen; I got the siren, it says Malware found, but I cannot “move to chest”.
I then got this message:
Avast!
9/30/09
c:\windows\temp\dwolexvxmr.tmp
Parameter
[X] (i.e., box with check mark) Rename file(s) [adds the ".vir" extension]
[X] Move files
[ ] (empty box) Force moving locked or used file(s) on system startup
Folder to move the file to:
C:\Program Files\Alwil Software\Avast4\DATA\Moved
Message:
The process cannot access the file because it is being used by another process.
Cannot process "c:\windows\temp\gasfkydwolexvxmr.tmp" file.
So, instead, I closed the warning and proceeded to do a boot scan with Avast! 4.8; sorry, I don't have the results of this.
I remember that with the Avast! boot scan I moved something to the chest, and that was the only result.
I went to my Start Screen, same damn Total Security Sea Blue Screen and Red message.
So, immediately after this on 9/30/09, I went into Windows XP Home Edition Safe Mode and used SuperAntiSpyware:
9/30/09
SuperAntiSpyware Scan
-9/30/09-16-23-olnotepad
File Threats detected: 6
Registry Items detected: 1
Total: 7
Adware.Tracking cookie [5 items]
Rogue.Agent/Gen [2 items]
Generated 09/30/09 at 4:23pm
Application version 4.29.1002
Core Rules Database Version:3937
Trace Rules Database version: 2055
Scantype: Complete Scan
Total Scan Time: 01:26:47
Memory Items scanned: 225
Memory Threats detected: 0
Registry Items scanned: 5496
Registry Items detected: 1
File Items scanned: 38625
File Threats detected: 6
Rogue.Agent/Gen
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN#11159214
C:\Documents and Settings\All Users\Application Data\11159214
Adware.Tracking Cookie
C:\Documents and Settings\OZ\Cookies\Oz@atdmt[1].txt
C:\Documents and Settings\OZ\Cookies\Oz@doubleclick[1].txt
C:\Documents and Settings\OZ\Cookies\Oz@msnportal.112.2o7[1].txt
C:\Documents and Settings\user@ad.yieldmanager[2].txt
C:\Documents and Settings\user@revsci[1].txt
All removed and deleted; this got rid of the "Total Security" blue screen and red message; the computer basically works fine as far as surfing the internet is concerned.
The next day, on 10/1/09, I used Malwarebytes.
Malwarebytes' Anti-Malware
10/1/09 2:16:45 PM
mbam-log-2009-10-01 (14-16-45).txt
2 hours 4 min 3 seconds
Full Scan: ACDEFGHI
Scan Type: Full Scan
Objects Scanned: 277807
Scan Results:
Vendor: Hijack.Shell
Category: Registry Data
Items: HKEY_LOCAL_MACHINE\SOFTWARE\Micro…
Other: Bad: Explorer.ex…
Action Taken: No action taken
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rund 1132.
Removed and deleted.
On 10/02/09, I tried using Avast! 4.8 Scanner Screen icon and got the siren and this message:
AVAST! 4.8
10/02/09
Memory is infected!
MALWARE WAS FOUND
File name: C:\Windows\System32\gasfkyalktqfuk.dll
Malware Name: Win32:Alureon-DA [Rtk]
MALWARE TYPE: Rootkit
VPS Version: 091001-0, 10/01/2009
Message: The process cannot access the file because it is being used by another process.
Cannot process “C:\Windows\System32\gasfkyalktqfuk.dll” file
On 10/02/09, I did an Avast! 4.8 bootscan
Full Scan ACDEFGHI
Bootscan Results:
Name of File | Result | Operat…
Disk C: Boot Record | Unable to scan: N… | (blank space)
Disk D: Boot Record | Unable to scan: N… | (blank space)
Disk 0 Master Boot Record | Unable to scan: T… | (blank space)
On 10/02/2009, I also did another Malwarebytes Full Scan in Windows Safe Mode:
mbam-log-2009-10-02 (11-34-03)
Full Scan: ABCDEFGHI
Objects Scanned 278966
Time elapsed 2hrs 5 min 1 sec
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
I am still getting the Avast! Malware siren and message.
I have read some of the other threads; I tried downloading RootRepeal.
I ran it and a WinRAR-type box appeared; I extracted the program to a folder in My Documents; however, I have not been able to get RootRepeal to run and work.
What should I do now??
How do I get rid of the rootkit??
Thanks.
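The three indicators the post reports (a Winlogon Shell value with something appended to "Explorer.exe", two malware files in different folders that share the prefix "gasfky", and an all-digit Run entry named 11159214) can each be checked mechanically. The script below is an added example written for this page; it is not code from the original post, from Avast, Malwarebytes or SuperAntiSpyware. It runs over constructed sample data embedded in the script: the file paths and the Run entry name are the ones the post shows, while the text appended to the Shell value, the command behind the Run entry and the benign filenames are hypothetical placeholders, because the post truncates or omits them.

```python
"""Added example: triage checks for the indicators reported in the post,
run over constructed sample data rather than a live system."""
import re
from collections import defaultdict

# Constructed .reg-style exports of the Winlogon key. On a clean Windows XP
# system the Shell value is exactly "Explorer.exe"; the post's MBAM log shows
# extra text appended to it (truncated there as "Explorer.exe rund 1132."),
# so "payload.exe" below is a hypothetical stand-in, not the real value.
CLEAN_WINLOGON = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
'''
HIJACKED_WINLOGON = CLEAN_WINLOGON.replace(
    '"Shell"="Explorer.exe"', '"Shell"="Explorer.exe payload.exe"')


def check_winlogon_shell(reg_export):
    """Return (shell_value, hijacked). Anything other than a single token
    equal to explorer.exe (case-insensitive) counts as a Shell hijack."""
    m = re.search(r'^"Shell"="(.*)"$', reg_export, re.MULTILINE)
    if m is None:
        return None, False  # value absent: Windows falls back to explorer.exe
    value = m.group(1)
    tokens = value.split()
    hijacked = len(tokens) != 1 or tokens[0].lower() != "explorer.exe"
    return value, hijacked


# Constructed file listing. The two malware paths are the ones Avast named in
# the post; the benign entries are made up to show they are not flagged.
SAMPLE_FILES = [
    r"C:\Windows\System32\gasfkyalktqfuk.dll",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\ntdll.dll",
    r"C:\Windows\Temp\gasfkydwolexvxmr.tmp",
    r"C:\Windows\Temp\~DF1234.tmp",
]


def shared_prefix_groups(paths, prefix_len=6, min_dirs=2):
    """Group files by the first prefix_len characters of their name and keep
    the prefixes seen in at least min_dirs different directories. Both files
    Avast flagged in the post start with "gasfky", one in the Windows temp
    folder and one in System32; a random-looking prefix recurring across
    folders is worth a closer look (a heuristic, not proof of infection)."""
    dirs_by_prefix = defaultdict(set)
    for path in paths:
        directory, _, name = path.lower().rpartition("\\")
        dirs_by_prefix[name[:prefix_len]].add(directory)
    return {p: sorted(d) for p, d in dirs_by_prefix.items() if len(d) >= min_dirs}


# Constructed Run-key contents as {value name: command}. The all-digit entry
# is the one the post's SuperAntiSpyware scan removed; the executable it
# pointed at is not in the post, so "placeholder.exe" is hypothetical.
SAMPLE_RUN = {
    "11159214": r"C:\Documents and Settings\All Users\Application Data\11159214\placeholder.exe",
    "SomeTrayApp": r"C:\Program Files\SomeVendor\tray.exe",
}


def numeric_run_entries(run_values):
    """Flag Run entries whose value name is all digits (heuristic)."""
    return {name: cmd for name, cmd in run_values.items() if name.isdigit()}


if __name__ == "__main__":
    print("Shell:", check_winlogon_shell(HIJACKED_WINLOGON))
    print("Shared prefixes:", shared_prefix_groups(SAMPLE_FILES))
    print("Numeric Run entries:", numeric_run_entries(SAMPLE_RUN))
```

To feed it real data instead of the samples, export the key on the affected machine with reg.exe (`reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg`) and build the file list from a directory listing of System32 and the temp folder. One caveat that matters for this post: a kernel-mode rootkit can hide its files and registry values from tools running inside the infected Windows, so a clean result from a scan run in the infected OS (like the second Malwarebytes scan above) is not conclusive; listing the disk from a boot environment or another operating system avoids that blind spot.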