system
November 3, 2009, 12:14pm
1
Does anyone know how to remove this very irritating virus/malware? Avast keeps popping up and I remove it every time, but it comes back, grrrrrrrrr.
Tried many things already.
It is found in c:\windows\system32\tdlwsp.dll
Win32:Alureon-DR
Vista Home Premium + avast Home
Pondus
November 3, 2009, 12:20pm
2
Have you tried the Avast boot scan?
http://www.digitalred.com/avast-boot-time.php
And MBAM
http://filehippo.com/download_malwarebytes_anti_malware/
Do a quick scan and click “remove selected” if anything is found; this will send it to quarantine. Restart and repeat.
come back and post scan log here
polonus
November 3, 2009, 12:23pm
3
Hi haggard,
Here is a further proposed cleansing procedure for it:
http://www.geekstogo.com/forum/Help-removal-Trojan-Win32-Alureon-genI-t246431.html
Post the MBAM log,
Post the ComboScript log
Run USBNoRisk tool
CleanUp after you are done as instructed there…
Do everything step by step and report here after every step with a logfile…
polonus
system
November 3, 2009, 2:51pm
4
[quote]
And MBAM
http://filehippo.com/download_malwarebytes_anti_malware/
Do a quick scan and click “remove selected” if anything is found; this will send it to quarantine. Restart and repeat.
come back and post scan log here
[/quote]
Malwarebytes’ Anti-Malware 1.41
Database versie: 3092
Windows 6.0.6002 Service Pack 2
3-11-2009 15:46:30
mbam-log-2009-11-03 (15-46-30).txt
Scan type: Snelle Scan
Objecten gescand: 93701
Verstreken tijd: 4 minute(s), 15 second(s)
Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 0
Registersleutels geïnfecteerd: 1
Registerwaarden geïnfecteerd: 1
Registerdata bestanden geïnfecteerd: 0
Mappen geïnfecteerd: 1
Bestanden geïnfecteerd: 4
Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige items gevonden)
Geheugenmodulen geïnfecteerd:
(Geen kwaadaardige items gevonden)
Registersleutels geïnfecteerd:
HKEY_LOCAL_MACHINE\SOFTWARE\GodLib (Trojan.Agent) → Quarantined and deleted successfully.
Registerwaarden geïnfecteerd:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) → Quarantined and deleted successfully.
Registerdata bestanden geïnfecteerd:
(Geen kwaadaardige items gevonden)
Mappen geïnfecteerd:
C:\Windows\System32\twain_32 (Backdoor.Bot) → Quarantined and deleted successfully.
Bestanden geïnfecteerd:
C:\Users\ozzy\AppData\Roaming\run_setup.exe (Adware.Agent) → Quarantined and deleted successfully.
C:\Windows\System32\twain_32\local.ds (Backdoor.Bot) → Quarantined and deleted successfully.
C:\Windows\System32\twain_32\user.ds (Backdoor.Bot) → Quarantined and deleted successfully.
C:\Windows\System32\SKYNETcocxwuuv.dat (Rootkit.TDSS) → Quarantined and deleted successfully.
AND IT KEEPS COMING BACK
system
November 4, 2009, 12:44am
5
Download and run RootRepeal .
system
November 4, 2009, 11:48am
6
Hi all,
I have same problem from yesterday and it’s making me crazy.
I have Windows XP and Avast Pro and the same symptoms as hagggard.
RootRepeal lists me one hundred voices, a few are obviously good, but I don’t know how to find Alureon’s one.
Any news from Hagggard or from anyone?
Thank you all,
Tommy.
Pondus
November 4, 2009, 11:58am
7
Maybe essexboy will see this, then he will help you kill it, so just be patient
system
November 4, 2009, 3:43pm
8
A little update. I didn’t solve the problem, but I limited it.
I created a file named tdlswp.dll in C:\Windows\system32 and I locked it with a program named “File Lock”.
In this way Alureon is unable to overwrite it and nothing else is revealed by Avast.
The virus is still on my machine, but it seems to be bound…
system
November 4, 2009, 8:25pm
9
So did you actually DO the Avast Boot scan, or just leave it as “very good advice?” There’s a reason for the existence of that feature. Many viruses are able to hide when Windows is running, because they are ALSO running. Boot-time scan gets around that in most cases.
If that fails, try the instructions I gave here to use Avast for Linux to do a fully-offline scan of your hard drive.
http://forum.avast.com/index.php?topic=50426.0
ComboFix is a good tool to try against perversely-stubborn stuff, too.
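An added example, not part of any post in this thread: a small triage script for logs in the layout of the MBAM log posted above. It checks that the posted log is complete (declared counts match the listed items) and flags rootkit-family detections, the case where the boot-time or offline scan advised above applies. The sample is a shortened, constructed log reusing entries from that post; treating a `Rootkit.` family prefix as the trigger is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample: shortened log in the same Dutch MBAM 1.41 layout as the posted one.
SAMPLE_LOG = r"""
Registersleutels geïnfecteerd: 1
Mappen geïnfecteerd: 1
Bestanden geïnfecteerd: 2

Registersleutels geïnfecteerd:
HKEY_LOCAL_MACHINE\SOFTWARE\GodLib (Trojan.Agent) -> Quarantined and deleted successfully.
Mappen geïnfecteerd:
C:\Windows\System32\twain_32 (Backdoor.Bot) -> Quarantined and deleted successfully.
Bestanden geïnfecteerd:
C:\Windows\System32\twain_32\local.ds (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\SKYNETcocxwuuv.dat (Rootkit.TDSS) → Quarantined and deleted successfully.
"""

# "<section> geïnfecteerd: N" is a summary count; without N it opens a detail section.
SECTION = re.compile(r"^(?P<name>.+ geïnfecteerd):\s*(?P<count>\d+)?$")
# "<path or key> (<family>) -> <action>"; forum software may render "->" as an arrow.
ITEM = re.compile(r"^(?P<target>.+) \((?P<family>[^()]+)\) (?:->|→) (?P<action>.+)$")

def parse_mbam_log(text):
    """Return (declared counts per section, detections listed per section)."""
    declared, found, current = {}, defaultdict(list), None
    for line in (raw.strip() for raw in text.splitlines()):
        m = SECTION.match(line)
        if m and m["count"] is not None:
            declared[m["name"]] = int(m["count"])
        elif m:
            current = m["name"]
        elif current and (item := ITEM.match(line)):
            found[current].append((item["target"], item["family"], item["action"]))
    return declared, dict(found)

def triage(text):
    """Flag truncated logs and rootkit detections (assumed heuristic: 'Rootkit.' prefix)."""
    declared, found = parse_mbam_log(text)
    mismatched = sorted(s for s, n in declared.items() if len(found.get(s, [])) != n)
    rootkits = [target for items in found.values()
                for target, family, _ in items if family.lower().startswith("rootkit.")]
    return {"mismatched_sections": mismatched,
            "rootkit_items": rootkits,
            "needs_offline_scan": bool(rootkits)}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```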
system
November 6, 2009, 10:49am
10
This did the trick.
Finally no more annoying popups that my computer is infected.
Tnx.
The combo fix worked.
www.gmer.net/
Go here and follow what they wrote and you will get rid of the f*** rootkit, GMER is so powerful
nmb
November 6, 2009, 11:56am
12
@ ultimate hacker
fyi : avast! uses gmer technology for rootkit detection.
nmb
@ NMB:
MY NAME is superhacker, not ultimate hacker,
and you say gmer technology and I know that, but I have rootkits detected by gmer and not by avast! “in many of the computers of my friends”, and you should consider what I say, because I guide our brother to a website that will help him in removing rootkits and don’t guide him to download gmer.exe.
Thanks for your BIG help
system
November 10, 2009, 9:28am
14
I confirm it: combo fix works and removes this version of the virus.
Thank you all,
Best regards,
Tommy.