win32:Alureon-FZ removal

It seems that I have picked up a rootkit somehow.

I have run a boot-scan several times and each time it identifies a new file that is infected with win32:Alureon-FZ.

I tried running TDSSKiller; it identified one risk and attempted to cure it. After my system rebooted I ran another boot scan, and this time I picked up way more viruses than previously, plus win32:Alureon-FZ was still detected and moved to the Chest again.

I now have 6 files in the chest infected with win32:Alureon-FZ not to mention a whole lot of Java viruses.

Please help me, I really have no idea how to go about cleaning my computer.

Lisa

P.S. I’ve attached my Malwarebytes’ Anti-Malware log.

Hi, see this topic: http://forum.avast.com/index.php?topic=53253.msg451454#msg451454

Sorry,

Here is my OTS log.

Try removing it via Norton Power Eraser. Download it from here:
http://us.norton.com/support/DIY/index.jsp

Click Next and proceed with removals if it finds something. Also use Malwarebytes Anti-Malware: update it, do a full scan and post the logs in your next comment. Download link:
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

Also use Kaspersky TDSSKiller
and follow the steps:

OK, another tool to check for other types of rootkit.

- Download TDSSKiller and save it to your Desktop.
- Extract its contents to your desktop.
- Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png

- If an infected file is detected, the default action will be Cure, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png

- If a suspicious file is detected, the default action will be Skip, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png

- It may ask you to reboot the computer to complete the process. Click on Reboot Now.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png

- If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
- If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.

Norton Power Eraser found the following.


Registry Key: HKEY_USERS\S-1-5-21-1720036237-1868423684-3608400382-1005\SOFTWARE\Microsoft\Internet Explorer\Download"CheckExeSignatures"
Registry Key: HKEY_USERS\S-1-5-21-1720036237-1868423684-3608400382-1005\SOFTWARE\Microsoft\Internet Explorer\Download"RunInvalidSignatures"


I’m a little hesitant to hit fix and I don’t like to mess with the registry.

Lisa

@magmuso I recommend you wait until Essexboy has looked at your log before you do anything.
Essexboy is a trained and certified malware remover…

com155… he arrived in this forum 5 min ago, so have no idea what he is.

@com155 before you can clean the system you really need to know what is causing the problem. Just throwing tools at it in the hope that one might hit the mark is not really a good policy.

@magmuso

On completion of this run can you let me know of any problems outstanding

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

 
[Unregister Dlls]
[Registry - Safe List]
< Run [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "hbmpyoej" -> [C:\Documents and Settings\NetworkService\Local Settings\Application Data\vspotwnti\ousxmbbtssd.exe]
YN -> "qljmxbst" -> [C:\Documents and Settings\NetworkService\Local Settings\Application Data\dtcwuobfg\noelksitssd.exe]
< Run [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "hbmpyoej" -> [C:\Documents and Settings\NetworkService\Local Settings\Application Data\vspotwnti\ousxmbbtssd.exe]
YN -> "qljmxbst" -> [C:\Documents and Settings\NetworkService\Local Settings\Application Data\dtcwuobfg\noelksitssd.exe]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-1720036237-1868423684-3608400382-1005\] > -> HKEY_USERS\S-1-5-21-1720036237-1868423684-3608400382-1005\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value error.]
[Custom Items]
:Files
C:\Documents and Settings\NetworkService\Local Settings\Application Data\vspotwnti
C:\Documents and Settings\NetworkService\Local Settings\Application Data\dtcwuobfg
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
 

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!
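
Added example, not part of any post in this thread and not OTS's own code: a Python sketch that reads Run-key lines in the shape quoted in the fix above and picks out autoruns that launch an .exe from a profile's Application Data folder, which is what the entries in that fix have in common. The function names, the flagging heuristic and the one benign entry are assumptions made for illustration.

```python
import re
from ntpath import dirname  # Windows path rules on any OS

# Lines copied from the fix quoted in this thread.
FROM_THREAD = r'''< Run [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "hbmpyoej" -> [C:\Documents and Settings\NetworkService\Local Settings\Application Data\vspotwnti\ousxmbbtssd.exe]
YN -> "qljmxbst" -> [C:\Documents and Settings\NetworkService\Local Settings\Application Data\dtcwuobfg\noelksitssd.exe]
< Run [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "hbmpyoej" -> [C:\Documents and Settings\NetworkService\Local Settings\Application Data\vspotwnti\ousxmbbtssd.exe]
YN -> "qljmxbst" -> [C:\Documents and Settings\NetworkService\Local Settings\Application Data\dtcwuobfg\noelksitssd.exe]
'''
# Constructed benign entry (not from the thread) so the filter has a negative case.
CONSTRUCTED = r'YN -> "ctfmon.exe" -> [C:\WINDOWS\system32\ctfmon.exe]' + "\n"
SAMPLE = FROM_THREAD + CONSTRUCTED

SECTION = re.compile(r'^< (.+?) \[(.+?)\] > -> (.+)$')
ENTRY = re.compile(r'^YN -> "([^"]+)" -> \[(.+)\]$')
# Assumed heuristic: autorun target is an .exe under a profile's Application Data.
PROFILE_DATA = re.compile(r'\\Local Settings\\Application Data\\.+\.exe$', re.I)

def parse_autoruns(text):
    """Return Run-key entries as dicts; lines in other sections are ignored."""
    section, key, found = None, None, []
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            section, key = m.group(1), m.group(3)
            continue
        m = ENTRY.match(line)
        if m and section == "Run":
            found.append({"key": key, "value": m.group(1), "target": m.group(2)})
    return found

def suspicious(entries):
    """Entries whose target matches the profile-data heuristic."""
    return [e for e in entries if PROFILE_DATA.search(e["target"])]

def folders_to_review(entries):
    """Unique parent folders of flagged targets, for manual review."""
    return sorted({dirname(e["target"]) for e in suspicious(entries)})

if __name__ == "__main__":
    for e in suspicious(parse_autoruns(SAMPLE)):
        print(e["key"], e["value"], e["target"], sep=" | ")
    print(folders_to_review(parse_autoruns(SAMPLE)))
```

On the lines from the thread, the folders returned are the same two directories listed under `:Files` in the fix.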