Win32:Alureon-EC [Rtk]

Avast, can you get rid of it? Mail me.

Hi There,

Do you have the source of infected file?

Hi, it's in C:\WINDOWS\system32\tdlclk.dll

Malware type: Rootkit

VPS version: 091117-1, 11/17/2009

Thanks

@me192

You need to get your countryman essexboy involved, as it is a nasty infection:
http://forum.avast.com/index.php?topic=50926.msg431669#msg431669

Thanks, I fixed it with ComboFix ;D ;D ;D Pass the word.

Could you post the ComboFix log to ensure it has all gone, as the variant you had can be very sneaky?

ComboFix quarantined files after scan:

2009-11-19 00:39:55 . 2009-11-19 00:39:55 121 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Toolbar-SITEguard.reg.dat
2009-11-19 00:39:52 . 2009-11-19 00:39:53 333 ----a-w- C:\Qoobox\Quarantine\Registry_backups\BHO-{802DF130-9BBF-4A85-AA34-8CB64819ACB6}.reg.dat
2009-11-19 00:16:55 . 2009-11-19 00:18:13 136 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\logs\Ad-Aware event.log.vir
2009-11-19 00:13:38 . 2009-11-19 00:13:38 1,044 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_TDSSSERV.reg.dat
2009-11-19 00:13:08 . 2009-11-19 00:13:08 5,065 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-11-17 23:44:19 . 2009-11-19 00:00:53 204 ----a-w- C:\Qoobox\Quarantine\catchme.log
2008-10-28 05:36:32 . 2008-10-28 05:36:36 1,019,285 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\ueedwvox.ini.vir
2008-10-11 23:38:50 . 2008-10-11 23:38:55 1,071,448 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\futmepgb.ini.vir
2008-09-16 21:04:43 . 2008-09-17 21:07:27 1,846,637 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\yepvdsqm.ini.vir
2008-09-16 04:58:38 . 2008-09-16 04:59:21 1,074,225 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\egywtyoj.ini.vir
2008-09-15 21:04:44 . 2008-09-16 05:34:59 1,074,405 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\faxydjma.ini.vir
2008-09-15 14:42:57 . 2008-09-16 04:47:04 1,125,413 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\nvjbxjhl.ini.vir
2008-09-14 22:09:54 . 2008-09-14 22:10:19 1,067,035 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\aviulrlx.ini.vir
2008-09-14 16:07:41 . 2008-09-14 17:52:34 1,066,975 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\cqohggpc.ini.vir
2008-09-14 16:06:41 . 2008-09-14 16:07:06 1,066,855 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\hpyfplhr.ini.vir
2008-09-14 16:01:19 . 2008-09-18 15:59:59 641,086 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\opAdcMoq.ini2.vir
2008-09-14 16:01:10 . 2008-09-18 16:02:13 641,086 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\opAdcMoq.ini.vir
2008-09-14 14:30:54 . 2008-09-15 14:40:32 1,069,453 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drexciqc.ini.vir
2004-08-04 12:00:00 . 2008-04-13 18:40:30 96,512 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir

Hope this helps.
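The quarantine listing above is what a helper reads by hand to judge whether the cleaner caught the whole infection. As an added example (not code from the thread, from Avast or from ComboFix), here is a small Python parser for that listing format that tags the items the thread singles out: the Legacy_TDSSSERV service key backup, the quarantined atapi.sys driver, and the random-named .ini files in system32. The sample lines are constructed in the same layout as the listing.

```python
import re
from collections import Counter

# Constructed sample in ComboFix's quarantine-listing layout:
# created . modified size attrs path
SAMPLE_LOG = """\
2009-11-19 00:13:38 . 2009-11-19 00:13:38 1,044 ----a-w- C:\\Qoobox\\Quarantine\\Registry_backups\\Legacy_TDSSSERV.reg.dat
2009-11-19 00:13:08 . 2009-11-19 00:13:08 5,065 ----a-w- C:\\Qoobox\\Quarantine\\Registry_backups\\tcpip.reg
2008-09-14 16:07:41 . 2008-09-14 17:52:34 1,066,975 -c--a-w- C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\cqohggpc.ini.vir
2004-08-04 12:00:00 . 2008-04-13 18:40:30 96,512 ----a-w- C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\drivers\\atapi.sys.vir
"""

LINE_RE = re.compile(
    r"^(?P<created>\S+ \S+) \. (?P<modified>\S+ \S+) "
    r"(?P<size>[\d,]+) (?P<attrs>\S+) (?P<path>.+)$"
)
# Eight-letter pseudo-random basenames with an .ini/.ini2 extension, as in the listing.
RANDOM_INI = re.compile(r"^[a-z]{8}\.ini2?$", re.IGNORECASE)


def parse_quarantine(text):
    """Parse quarantine listing lines into dicts; lines in another layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"].replace(",", ""))
            entries.append(entry)
    return entries


def classify(entry):
    """Tag one quarantined item with the category a reviewer of the log would check."""
    path = entry["path"]
    name = path.rsplit("\\", 1)[-1]
    # ComboFix appends .vir to quarantined files; strip it to get the original name.
    base = name[:-4] if name.lower().endswith(".vir") else name
    if "Registry_backups" in path and "TDSS" in name.upper():
        return "tdss-service-key"      # backup of the rootkit's service registry entry
    if base.lower() == "atapi.sys":
        return "infected-disk-driver"  # the thread reports this driver was found infected
    if "\\system32\\" in path.lower() and RANDOM_INI.match(base):
        return "random-ini-in-system32"
    return "other"


def summarize(text):
    """Count quarantined items per category to see what the cleaner actually removed."""
    return Counter(classify(e) for e in parse_quarantine(text))
```

Run `summarize(open("quarantine.txt").read())` on a real listing to get the per-category counts; an empty result for the driver and service-key categories after a cleanup is the point worth checking, not just the ini files.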

Could you post the log at C:\combofix.txt?

That has shown me that it removed one variant of the latest, but there may be some remnants still.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\aviulrlx.ini
c:\windows\system32\cqohggpc.ini
c:\windows\system32\drexciqc.ini
c:\windows\system32\egywtyoj.ini
c:\windows\system32\faxydjma.ini
c:\windows\system32\futmepgb.ini
c:\windows\system32\hpyfplhr.ini
c:\windows\system32\logs
c:\windows\system32\logs\Ad-Aware event.log
c:\windows\system32\nvjbxjhl.ini
c:\windows\system32\opAdcMoq.ini
c:\windows\system32\opAdcMoq.ini2
c:\windows\system32\ueedwvox.ini
c:\windows\system32\yepvdsqm.ini

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected

The main readout is too big to post? Here are the other deletions ComboFix deleted, I hope this helps ;D ;D

Hello me192,

You can attach the file to your post while posting here using the additional options. See help: http://forum.avast.com/index.php?action=help;page=post#additional

Thanks,
nmb