Win32-Alureon

Hi!
I’m new to fighting viruses, and usually let Avast do it, which it does well, but lately this has been turning up as a Virus Detected:

Windows/System32/drivers/ESQLtkbrvxehyidlmlmhovcxjvuogmmqrva.sys

Win-32 Alureon-CM[RTK]

Process: Program Files/Alwil Software/Avast5.exe/Avast5Srv.exe

I tried sending it to chest, but it just keeps coming up. Only blocking seems to work.
So I block the file and then Avast's popup comes up and says rootkit blocked.

But it just reappears…

I looked through the forums here briefly, but I have no idea where to begin finding logs, or the difference between malware (is that what I have?) and viruses.

I am using the Free Avast 6 running Win XP on an Acer notebook.

Can you help, please? Step-by-step?

Aloha,

Dale

if not already done, check your computer with this

Malwarebytes Anti-Malware 1.51. http://filehippo.com/download_malwarebytes_anti_malware/
always click the update button so you have the latest signatures before you scan
click on the remove selected button to quarantine anything found

post the scan log here

also download aswMBR.exe and save to desktop http://public.avast.com/~gmerek/aswMBR.exe

  • click the aswMBR icon to run and then click scan
  • click save log and post it here in your next reply

And also, if Malwarebytes doesn’t show anything, try SuperAntiSpyware.

@deathangel123

Please read Pondus' post carefully. :wink:

attach here mbam logs & aswMBR log ( scan >> save log )


bump!
sorry deathangel123 :-[

I have not paid attention and confused the nicks ;D

Thanks for answering… I ended up running four different free anti-virus programs, the last being Panda, and none of them reported the virus that Avast reported. Or any virus, for that matter.

So I am thinking this is an Avast false positive, but now I’m afraid to re-install Avast because it will just keep freaking me out.

I don’t know what to do… I’ve used the program for like three years and like it, but why would it do this? I wasted 2 full days installing, uninstalling, re-installing, re-booting, scanning…

Arguuuuh!

Based solely on the name of the driver, ESQLtkbrvxehyidlmlmhovcxjvuogmmqrva.sys, I rather doubt that it is an FP.

So I too would endorse the actions suggested by Pondus.

If it happens again, please do a screenshot of the Alert window and attach it to your next post. When you use the Reply button you will see Additional Options, clicking that opens the window to allow you to attach an image or file (.gif, .jpg, .png, .txt or .log file types up to 200KB).
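As an added illustration of the point made above about the driver's name (this is example code written for this thread, not code from the forum or from Avast, aswMBR or any other tool mentioned here): a small Python heuristic that flags random-looking file names in a list of drivers. The sample list is constructed; its first six entries are the modules named in the aswMBR log posted later in this thread, and the thresholds (minimum length 16, a consonant run of 5 or more, or fewer than 30% vowels) are my own assumptions chosen so that short, consonant-heavy but ordinary driver names are not flagged.

```python
# Triage heuristic for random-looking kernel driver file names.
# Example code for this thread; thresholds are assumptions, not a published rule.

VOWELS = set("aeiou")

# Constructed sample list. The first six names come from the aswMBR log in
# this thread; "RTKVHDA.sys" and "kernelmodeplatform.sys" are included to
# show that short abbreviations and long but pronounceable names pass;
# the last two are random-looking (the Avast alert name and one I made up).
SAMPLE_DRIVERS = [
    "ntoskrnl.exe", "CLASSPNP.SYS", "disk.sys", "ACPI.sys", "hal.dll", "iaStor.sys",
    "RTKVHDA.sys",                               # short, consonant-heavy, ordinary
    "kernelmodeplatform.sys",                    # constructed, long but readable
    "ESQLtkbrvxehyidlmlmhovcxjvuogmmqrva.sys",   # the name from the alert above
    "kdfjqzxbtwmnprlsgvhc.sys",                  # constructed random-looking name
]


def stem(name: str) -> str:
    """Lower-cased file name without its extension."""
    return name.rsplit(".", 1)[0].lower()


def longest_consonant_run(s: str) -> int:
    """Length of the longest run of consecutive consonant letters."""
    run = best = 0
    for ch in s:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def vowel_ratio(s: str) -> float:
    """Fraction of letters that are vowels (0.0 if there are no letters)."""
    letters = [c for c in s if c.isalpha()]
    if not letters:
        return 0.0
    return sum(c in VOWELS for c in letters) / len(letters)


def metrics(name: str) -> dict:
    """Per-name numbers the decision is based on, handy when reviewing a listing."""
    s = stem(name)
    return {
        "name": name,
        "length": len(s),
        "consonant_run": longest_consonant_run(s),
        "vowel_ratio": round(vowel_ratio(s), 3),
    }


def is_random_looking(name: str, min_len: int = 16,
                      max_run: int = 5, min_vowels: float = 0.3) -> bool:
    """True when the name is long AND either has a long consonant run or few vowels.

    The length gate is deliberate: legitimate drivers are often short
    consonant-heavy abbreviations (CLASSPNP, RTKVHDA), and flagging those
    would make the heuristic useless.
    """
    s = stem(name)
    if len(s) < min_len:
        return False
    return longest_consonant_run(s) >= max_run or vowel_ratio(s) < min_vowels


def triage(names):
    """Return the subset of names worth a closer look, in input order."""
    return [n for n in names if is_random_looking(n)]


if __name__ == "__main__":
    for n in SAMPLE_DRIVERS:
        flag = "SUSPECT" if is_random_looking(n) else "ok"
        print(f"{flag:7} {metrics(n)}")
    print("flagged:", triage(SAMPLE_DRIVERS))
```

This only narrows down what to look at; it says nothing about what the file does, and a name alone is never proof either way. The scans suggested earlier in the thread (Malwarebytes, aswMBR with its log) remain the way to confirm, and a flagged name is simply the file you would want those tools' output to cover.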

TDSSKiller works great on this.

I think this is resolved. SuperAntiSpyware didn’t see the malware. Panda didn’t see the malware. Malwarebytes wouldn’t even run, either in safe mode with networking or regular boot. It just sat there; I DLed it again and got the same. Piece of …

But seotechi was right: TDSSKiller found it, and got it.

I’m able to set a restore point again and run chkdsk.

So far it looks clean!

Thanks to all!!!

I guess I’ll reinstall Avast and keep TDSSkiller handy!

By the way…here’s the log from ASWmbr:

aswMBR version 0.9.6.399 Copyright(c) 2011 AVAST Software
Run date: 2011-06-11 10:53:00

10:53:00.640 OS Version: Windows 5.1.2600 Service Pack 3
10:53:00.640 Number of processors: 2 586 0x1C02
10:53:00.640 ComputerName: EMANON UserName:
10:53:02.250 Initialize success
10:53:08.328 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-0
10:53:08.343 Disk 0 Vendor: ST916031 0303 Size: 152627MB BusType: 3
10:53:08.359 Disk 0 MBR read successfully
10:53:08.375 Disk 0 MBR scan
10:53:08.390 Disk 0 unknown MBR code
10:53:08.390 Disk 0 scanning sectors +312578048
10:53:08.453 Disk 0 scanning C:\WINDOWS\system32\drivers
10:53:28.218 Service scanning
10:53:30.343 Disk 0 trace - called modules:
10:53:30.593 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
10:53:30.609 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x86f7c478]
10:53:30.625 3 CLASSPNP.SYS[f788dfd7] → nt!IofCallDriver → \Device\00000069[0x86fa68b0]
10:53:30.640 5 ACPI.sys[f77df620] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-0[0x869fe030]
10:53:30.656 Scan finished successfully
10:53:55.937 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\Admin User\Desktop\MBR.dat”
10:53:55.968 The log file has been saved successfully to “C:\Documents and Settings\Admin User\Desktop\aswMBR.txt”

aswMBR version 0.9.6.399 Copyright(c) 2011 AVAST Software
Run date: 2011-06-11 11:03:11

11:03:11.187 OS Version: Windows 5.1.2600 Service Pack 3
11:03:11.187 Number of processors: 2 586 0x1C02
11:03:11.187 ComputerName: EMANON UserName:
11:03:14.250 Initialize success
11:03:19.921 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-0
11:03:19.921 Disk 0 Vendor: ST916031 0303 Size: 152627MB BusType: 3
11:03:19.984 Disk 0 MBR read successfully
11:03:20.000 Disk 0 MBR scan
11:03:20.000 Disk 0 unknown MBR code
11:03:20.015 Disk 0 scanning sectors +312578048
11:03:20.078 Disk 0 scanning C:\WINDOWS\system32\drivers
11:03:38.609 Service scanning
11:03:40.781 Disk 0 trace - called modules:
11:03:40.828 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
11:03:40.843 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x86f44478]
11:03:40.859 3 CLASSPNP.SYS[f788dfd7] → nt!IofCallDriver → \Device\00000068[0x86fe7310]
11:03:40.875 5 ACPI.sys[f77f4620] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-0[0x86f76030]
11:03:40.890 Scan finished successfully
11:03:54.406 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\Admin User\Desktop\MBR.dat”
11:03:54.437 The log file has been saved successfully to “C:\Documents and Settings\Admin User\Desktop\aswMBR.txt”

I guess I'll reinstall Avast and keep TDSSkiller handy!
Well, it is not a program you keep like that... as it needs updates, and since it does not have an update button to click, you need to download the latest updated version from the Kaspersky website when you need it ;)

You say Malwarebytes will not run… that often indicates infection, as many bugs will try to block it from running.

So I would post an OTS log and let Essexboy have a look at it.

That file is an indication of an old rootkit; it would be worthwhile running OTS to see what else is there.