win32-Alureon-EN[RTK]

I have been working at this thing now for a couple of weeks.

AVAST keeps popping up saying I have the Win32-Alureon-EN[Rtk] virus in the C:\WINDOWS\system32\tdlclk.dll file. Please help while I still have hair. Thanks so much in advance for your help.

I am posting this in response to the question I asked oldman in this post http://forum.avast.com/index.php?topic=52491.0

I am attaching the GMER and OTL logs

GMER and OTL logs are attached.

Hi avwonder,

Have you tried a boot-time scan with avast?

For unto us a child is born, unto us a son is given : and the government shall be upon his shoulder:
and his name shall be called Wonderful, Counsellor, The mighty God, The everlasting Father, The Prince of Peace
(Isaiah 9:6)
Messiah Album
Composed by: George Frideric Handel (1685 - 1759)
Source : http://en.wikipedia.org/wiki/George_Frideric_Handel

Happy Merry Christmas & Happy New Year

Yes - I have tried that several times - same thing. It pops back up when I go into windows. I also forgot to mention that I can’t even boot the computer in safe mode.

Hi avwonder,

You ran combofix. Please post the log; it will be found at C:\Kittyfix and should be named kittyfix.txt.

Here you go. I did not see the kittyfix.txt, but I did see this combofix.txt.

Hi avwonder,

You have run combofix at least 4 other times. I will need to see them all. We may be dealing with a disk controller hijacking.

They will be located in C:\Qoobox and will be called combofix2.txt, combofix3.txt, etc. Please post them in the following order: 5, 4, 3, 2.

Thanks

You are good - yes I have them there. When this is over I would love to learn how to help people like me.

Hi avwonder,

It’s dangerous using a tool like combofix without supervision.

[quote]When this is over I would love to learn how to help people like me.[/quote]
I can point you in that direction later.

We need some file information. The file path may seem strange but it is correct.

[*]Make sure to use Internet Explorer for this
[*]Please go to VirSCAN.org FREE on-line scan service
[*]Copy and paste the following file path, one at a time if more than one file is listed, into the “Suspicious files to scan” box on the top of the page:

C:\Qoobox\Quarantine\C\windows\system32\69D804C66D.dll

[*]Click on the Upload button
[*]Please ensure the scan is complete and the results saved before submitting the next.
[*]If a pop-up appears saying the file has been scanned already, please select the ReScan button.
[*]Once the Scan is completed, click on the “Copy to Clipboard” button. This will copy the link of the report into the Clipboard.
[*]Paste the contents of the Clipboard in your next reply.

Hi oldman,

When I attempt to go to virscan.org in Internet Explorer, it just sits there spinning and never opens the website. Can I use Firefox?

Nevermind - I kept trying and it came up - I will submit the results shortly.

Ok here are the results…

VirSCAN.org Scanned Report :
Scanned time : 2009/12/23 00:35:06 (EST)
Scanner results: Scanners did not find malware!
File Name : 69D804C66D.dll.vir
File Size : 80 byte
File Type : data
MD5 : 385484c2729ca1b86f91ebb56f001c88
SHA1 : 69639245a793542431dae799a94d2f04c24083bf
Online report : http://virscan.org/report/db007a476307f0133515f91614d07a61.html

Scanner      Engine Ver       Sig Ver           Sig Date    Time   Scan result
a-squared    4.5.0.8          20091223030126    2009-12-23  4.24   -
AhnLab V3    2009.12.23.02    2009.12.23        2009-12-23  1.20   -
AntiVir      8.2.1.122        7.10.2.52         2009-12-22  0.31   -
Antiy        2.0.18           20091222.3514957  2009-12-22  0.12   -
Arcavir      2009             200912221736      2009-12-22  0.02   -
Authentium   5.1.1            200912230349      2009-12-23  1.26   -
AVAST!       4.7.4            091222-1          2009-12-22  0.00   -
AVG          8.5.288          270.14.117/2582   2009-12-23  0.30   -
BitDefender  7.81008.4771780  7.29576           2009-12-23  4.13   -
CA (VET)     35.1.0           7191              2009-12-21  18.09  -
ClamAV       0.95.2           10210             2009-12-23  0.00   -
Comodo       3.13             3336              2009-12-22  1.63   -
CP Secure    1.3.0.5          2009.12.23        2009-12-23  0.00   -
Dr.Web       4.44.0.9170      2009.12.23        2009-12-23  8.03   -
F-Prot       4.4.4.56         20091222          2009-12-22  1.25   -
F-Secure     7.02.73807       2009.12.23.01     2009-12-23  0.04   -
Fortinet     11.300-          11.300            2009-12-22  0.15   -
GData        19.9483/19.640   20091223          2009-12-23  40.12  -
ViRobot      20091222         2009.12.22        2009-12-22  1.09   -
Ikarus       T3.1.01.79       2009.12.22.74815  2009-12-22  4.15   -
JiangMin     13.0.900         2009.12.23        2009-12-23  40.14  -
Kaspersky    5.5.10           2009.12.23        2009-12-23  0.02   -
KingSoft     2009.2.5.15      2009.12.23.7      2009-12-23  1.66   -
McAfee       5.3.00           5840              2009-12-22  3.36   -
Microsoft    1.5302           2009.12.23        2009-12-23  6.94   -
Norman       6.01.09          6.01.00           2009-12-22  4.02   -
Panda        9.05.01          2009.12.22        2009-12-22  4.19   -
Trend Micro  9.000-1003       6.711.00          2009-12-22  0.02   -
Quick Heal   10.00            2009.12.23        2009-12-23  1.40   -
Rising       20.0             22.27.02.00       2009-12-23  0.48   -
Sophos       3.03.0           4.49              2009-12-23  2.69   -
Sunbelt      3.9.2388.2       5577              2009-12-22  2.96   -
Symantec     1.3.0.24         20091222.004      2009-12-22  0.25   -
nProtect     20091223.01      6685651           2009-12-23  7.39   -
The Hacker   6.5.0.3          v00108            2009-12-22  0.95   -
VBA32        3.12.12.0        20091222.2218     2009-12-22  2.23   -
VirusBuster  4.5.11.10        10.118.6/2002581  2009-12-23  2.35   -
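
A report like the one above is only meaningful for the exact bytes the engines saw, and the helper's next step restores this very file from quarantine. The Python script below is an added example, not code from this thread or from VirSCAN.org: it parses the report layout shown above (an excerpt of the posted report is embedded as constructed sample input, with the hashes copied verbatim), hashes a local file with MD5 and SHA1, reports whether the local file matches what was scanned, and reads the verdict column mechanically so that a single non-"-" entry among many clean ones is not missed. The row regex is an assumption about the report format; engine names with spaces (such as "CA (VET)") are handled by anchoring on the date and timing fields to the right.

```python
"""Check a local file against a VirSCAN.org report (added example, not the thread's code)."""
import hashlib
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample input: an excerpt of the report posted above (header plus
# six of the 37 engine rows), reproduced so the parser sees the real layout.
VIRSCAN_REPORT = """\
VirSCAN.org Scanned Report :
Scanned time : 2009/12/23 00:35:06 (EST)
Scanner results: Scanners did not find malware!
File Name : 69D804C66D.dll.vir
File Size : 80 byte
File Type : data
MD5 : 385484c2729ca1b86f91ebb56f001c88
SHA1 : 69639245a793542431dae799a94d2f04c24083bf

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091223030126 2009-12-23 4.24 -
AVAST! 4.7.4 091222-1 2009-12-22 0.00 -
CA (VET) 35.1.0 7191 2009-12-21 18.09 -
Dr.Web 4.44.0.9170 2009.12.23 2009-12-23 8.03 -
Kaspersky 5.5.10 2009.12.23 2009-12-23 0.02 -
The Hacker 6.5.0.3 v00108 2009-12-22 0.95 -
"""

# Assumed row layout: scanner name (may contain spaces), engine version,
# signature version, ISO date, scan time in seconds, verdict. Anchoring on the
# date and seconds fields lets the non-greedy scanner name absorb embedded spaces.
ROW_RE = re.compile(
    r"^(?P<scanner>.+?)\s+(?P<engine>\S+)\s+(?P<sig>\S+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<secs>\d+\.\d+)\s+(?P<result>.+?)\s*$"
)
HASH_RE = re.compile(r"^(MD5|SHA1)\s*:\s*([0-9a-fA-F]+)\s*$")


@dataclass
class EngineRow:
    scanner: str
    engine: str
    signatures: str
    sig_date: str
    seconds: float
    result: str

    @property
    def detected(self) -> bool:
        # VirSCAN prints "-" for a clean verdict; anything else is a detection name.
        return self.result != "-"


def parse_report(text: str) -> Tuple[Dict[str, str], List[EngineRow]]:
    """Return ({'md5': ..., 'sha1': ...}, [engine rows]) parsed from report text."""
    hashes: Dict[str, str] = {}
    rows: List[EngineRow] = []
    for line in text.splitlines():
        m = HASH_RE.match(line)
        if m:
            hashes[m.group(1).lower()] = m.group(2).lower()
            continue
        m = ROW_RE.match(line)
        if m:
            rows.append(EngineRow(m["scanner"], m["engine"], m["sig"], m["date"],
                                  float(m["secs"]), m["result"]))
    return hashes, rows


def file_hashes(data: bytes) -> Dict[str, str]:
    """MD5 and SHA1 of the bytes, in the lowercase hex form the report uses."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def check_against_report(data: bytes, report_text: str) -> dict:
    """Is `data` the exact file the report describes, and what did the engines say?"""
    reported, rows = parse_report(report_text)
    local = file_hashes(data)
    return {
        "md5_match": reported.get("md5") == local["md5"],
        "sha1_match": reported.get("sha1") == local["sha1"],
        "engines": len(rows),
        "detections": {r.scanner: r.result for r in rows if r.detected},
    }


if __name__ == "__main__":
    # Usage: python virscan_check.py <path-to-file> [saved-report.txt]
    path = sys.argv[1]
    report = open(sys.argv[2]).read() if len(sys.argv) > 2 else VIRSCAN_REPORT
    with open(path, "rb") as fh:
        verdict = check_against_report(fh.read(), report)
    print(verdict)
    if not (verdict["md5_match"] and verdict["sha1_match"]):
        print("WARNING: local file differs from the file the engines scanned")
```

Both hashes are compared, since a match on one and not the other means a transcription error in the saved report rather than a genuine match. Note that a clean multi-engine verdict says nothing about a file the engines never received; a quarantined copy that has been renamed or rewritten since the scan has to be uploaded again.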

Hi avwonder,

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.

[*] The application window will appear
[*] Click the Disable button to disable your CD Emulation drivers.
[*] Click Yes to continue
[*] A ‘Finished!’ message will appear
[*] Click OK
[*] DeFogger will now ask to reboot the machine - click OK

Do not re-enable these drivers until otherwise instructed.

We’ll restore that file.

First, locate kittyfix.exe on your desktop, right click it and select delete.

Download a new copy from either link and save it to your desktop. But Do Not run it. We will run it differently.

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs

Open a new Notepad session
[*]Click the Start button, click run
[*]in the run box type notepad
[*]click ok
[*]In the notepad, Click “Format” and be certain that Word Wrap is not checked.

[*]Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE

[code]
DEQUARANTINE::
C:\Qoobox\Quarantine\C\windows\system32\69D804C66D.dll.vir

RootKit::
c:\windows\system32\tdlclk.dll
c:\windows\system32\tdlcmd.dll
[/code]

In the notepad
[*]Click File, Save as…, and set the Save in to your Desktop
[*]In the filename box, type (including quotation marks) as the filename: “CFScript.txt”
[*]Click save

Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again. Close all browser/windows first.

Note: Do not mouse-click ComboFix’s window while it’s running. That may cause it to stall.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Please post back with the combofix log.

Thanks

We have a slight problem before I continue. I downloaded Defogger, ran it, clicked disable and Ok for finish, however the program never asked me to reboot. It is staying on my desktop and has re-enable grayed out just as it did when I first ran the program. Should I continue with the next step? <<Ignore - I did a manual reboot and it seems to be ok, now continuing on with combo fix>>

I ran combo fix and the log is attached. Also there was another log that popped up too that I am attaching as well. Avast is still flashing at me…

Hi avwonder,

Don’t worry about Defogger. I was hoping that it was an emulator that was causing the strange log entries.

[*]Download TDSSKiller and save it to your Desktop.
[*]Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
[*]Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

“%userprofile%\Desktop\TDSSKiller.exe”

[*]If it says “Hidden service detected” DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
[*]When it is done, a log file should be created on your C: drive called “TDSSKiller.datetime_log” please copy and paste the contents of that file here.

Well it has been a few minutes since the reboot and avast seems to be quiet and not flashing me…

Maybe its finally dead - I am afraid to do the happy dance just yet.

Here’s the contents of the tdsskiller logs. <<had to attach, it exceeded the maximum character length>>

Hi avwonder,

Please run combofix and post the log.

Thanks

Here is the combofix.log - as I keep my fingers crossed.

Hi avwonder,

Looks much better.

When you ran OTL, another log called Extra.txt should have been created. Please post it.

You have this program installed, Malwarebytes’ Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

[*]Click the Update tab
[*]Click Check for Updates
[*]If an update is found, it will download and install the latest version.
[*]The program will close to update and reopen.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish,so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Next

[b]Note[/b]
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don’t go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.

Please go to Kaspersky website and perform an online antivirus scan.

[*]Read through the requirements and privacy statement and click on Accept button.
[*]It will start downloading and installing the scanner and virus definitions.
[*]You will be prompted to install an application from Kaspersky. Click Run.
[*]When the downloads have finished, click on Settings.
[*]Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button

[*]Spyware, Adware, Dialers, and other potentially dangerous programs
[*]Archives
[*]Mail databases

[*]Click on My Computer under Scan.
[*]Once the scan is complete, it will display the results. Click on View Scan Report.
[*]You will see a list of infected items there. Click on Save Report As
[*]Change the Files of type to Text file (.txt)
[*]Set the Save In to Desktop
[*]Click the Save button.
[*]Please post this log in your next reply.

Please post back with the Extra.txt, MBAM log and Kaspersky log.

Here are the log files requested.