Win32:Alureon-DR

Does anyone know how to remove this very irritating virus/malware? Avast keeps popping up and I remove it every time, but it comes back grrrrrrrrr.

:frowning:

tried many things already

it is found in c:\windows\system32\tdlwsp.dll
Win32:Alureon-DR
vista home premium + avasthome

Have you tried Avast boot scan
http://www.digitalred.com/avast-boot-time.php

And MBAM
http://filehippo.com/download_malwarebytes_anti_malware/
do a quick scan and click “remove selected” if anything is found, this will send it to quarantine. Restart and repeat

come back and post scan log here

Hi haggard,

Here is a further proposed cleansing procedure for it:
http://www.geekstogo.com/forum/Help-removal-Trojan-Win32-Alureon-genI-t246431.html
Post the MBAM log,
Post the ComboScript log
Run USBNoRisk tool
CleanUp after you have done as instructed there…
Do everything step by step and report here after every step with a logfile…

polonus

Malwarebytes’ Anti-Malware 1.41
Database versie: 3092
Windows 6.0.6002 Service Pack 2

3-11-2009 15:46:30
mbam-log-2009-11-03 (15-46-30).txt

Scan type: Snelle Scan
Objecten gescand: 93701
Verstreken tijd: 4 minute(s), 15 second(s)

Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 0
Registersleutels geïnfecteerd: 1
Registerwaarden geïnfecteerd: 1
Registerdata bestanden geïnfecteerd: 0
Mappen geïnfecteerd: 1
Bestanden geïnfecteerd: 4

Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Geheugenmodulen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registersleutels geïnfecteerd:
HKEY_LOCAL_MACHINE\SOFTWARE\GodLib (Trojan.Agent) → Quarantined and deleted successfully.

Registerwaarden geïnfecteerd:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) → Quarantined and deleted successfully.

Registerdata bestanden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Mappen geïnfecteerd:
C:\Windows\System32\twain_32 (Backdoor.Bot) → Quarantined and deleted successfully.

Bestanden geïnfecteerd:
C:\Users\ozzy\AppData\Roaming\run_setup.exe (Adware.Agent) → Quarantined and deleted successfully.
C:\Windows\System32\twain_32\local.ds (Backdoor.Bot) → Quarantined and deleted successfully.
C:\Windows\System32\twain_32\user.ds (Backdoor.Bot) → Quarantined and deleted successfully.
C:\Windows\System32\SKYNETcocxwuuv.dat (Rootkit.TDSS) → Quarantined and deleted successfully.

AND IT KEEPS COMING BACK

Download and run RootRepeal.

Hi all,
I have had the same problem since yesterday and it’s making me crazy.

I have Windows XP and Avast Pro and the same symptoms as hagggard.

RootRepeal lists me one hundred voices, a few are obviously good, but I don’t know how to find Alureon’s one.

Any news from Hagggard or from anyone?

Thank you all,
Tommy.

Maybe essexboy will see this, then he will help you kill it, so just be patient

A little update. I didn’t solve the problem, but I limited it.
I created a file named tdlswp.dll in C:\Windows\system32 and I locked it with a program named “File Lock”.
In this way Alureon is unable to overwrite it and nothing else is revealed by Avast.

The virus is still on my machine, but it seems to be bound…

So did you actually DO the Avast Boot scan, or just leave it as “very good advice?” There’s a reason for the existence of that feature. Many viruses are able to hide when Windows is running, because they are ALSO running. Boot-time scan gets around that in most cases.

If that fails, try the instructions I gave here to use Avast for Linux to do a fully-offline scan of your hard drive.

http://forum.avast.com/index.php?topic=50426.0

ComboFix is a good tool to try against perversely-stubborn stuff, too.
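The reasoning in the post above (a rootkit can hide files from anything running inside the infected Windows session, while an offline scan sees the disk as it really is) can be checked by comparing the two views. This is an added example, not part of the original post and not how Avast works internally; it goes beyond the post by diffing file listings, and the `size|path` listing format, the `/mnt/win` mount point, the C: drive assumption, the function names and all sample data are constructed for illustration.

```python
# Added example: cross-view comparison of a live and an offline file listing.
# Listing format ("size|path" per line) and all sample data are constructed.

def normalize(path, offline_root=None):
    """Map a path from either view onto one lower-case Windows-style key."""
    p = path.strip().replace("/", "\\")
    if offline_root:
        root = offline_root.replace("/", "\\").rstrip("\\")
        if p.lower().startswith(root.lower() + "\\"):
            p = "C:" + p[len(root):]   # assumes the mounted volume is C:
    return p.lower()

def parse_listing(text, offline_root=None):
    """Return {normalized path: size in bytes} for one listing."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        size, _, path = line.partition("|")
        entries[normalize(path, offline_root)] = int(size)
    return entries

def cross_view(live, offline):
    """Files only the offline view sees, and files whose size differs by view."""
    hidden = sorted(set(offline) - set(live))
    mismatch = sorted(p for p in set(live) & set(offline) if live[p] != offline[p])
    return {"hidden_from_live_os": hidden, "size_mismatch": mismatch}

# Constructed listing taken while Windows is running (rootkit active).
LIVE = r"""
1024|C:\Windows\System32\kernel32.dll
2048|C:\Windows\System32\drivers\sample.sys
"""
# Constructed listing of the same volume mounted from a Linux boot disk.
OFFLINE = r"""
1024|/mnt/win/Windows/System32/kernel32.dll
4096|/mnt/win/Windows/System32/drivers/sample.sys
512|/mnt/win/Windows/System32/tdlwsp.dll
"""

def run_example():
    return cross_view(parse_listing(LIVE), parse_listing(OFFLINE, "/mnt/win"))

if __name__ == "__main__":
    for kind, paths in run_example().items():
        print(kind, paths)
```

Files that legitimately change between the two snapshots also show up as differences, so every hit is a lead to scan offline, not a verdict.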

this did the trick
finally no more annoying popups that my computer is infected.
tnx

the combo fix worked

www.gmer.net/
go here and follow what they wrote and you will get rid of the f*** rootkit, GMER is so powerful

@ ultimate hacker

fyi : avast! uses gmer technology for rootkit detection.

nmb

@ NMB:
MY NAME superhacker not ultimate hacker
and you say gmer technology and I know that, but I have rootkits detected by gmer and not by avast! “on many of the computers of my friends”, and you should consider what I say because I guide our brother to a website that will help him in removing rootkits and don’t guide him to download gmer.exe.
thanks for your BIG help

I confirm it: combo fix works and removes this version of the virus.
Thank you all,
Best regards,
Tommy.