Avast WEBforum
Other => Viruses and worms => Topic started by: rogertheme on January 20, 2010, 05:47:45 PM
-
Hi there,
My laptop has been infested with these three malwares, Win32:Alureon-FE[RTK], Win32:Malware-gen, Win32:Spyware-gen.
Would really greatly appreciate it if anyone can teach me how to remove it.
Many thanks!
-
just some Win32/Alureon info
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fAlureon
follow this guide and post the logs
http://forum.avast.com/index.php?topic=53253.msg451454#msg451454
-
My laptop has been infested with these malwares, Win32:Alureon-FE[RTK], Win32:Malware-gen, Win32:Spyware-gen, BV: AutoRun-G [Wrm].
I have since moved them to the Virus Chest in the Avast program, cleaned up the Registry and did Spyware scans and fixes.
However, there are still some 'side effects' such as my laptop slowing down and the inability to log on to youtube. As such, I am hoping to remove these malwares so that the 'side effects' to be removed as well.
I have attached the OTL log in the next post, although I am not sure how much help this can be. Hope someone can help me out on this. Thanks!
-
-deleted-
-
-deleted-
-
-deleted-
-
-deleted-
-
-deleted-
-
-deleted-
-
-deleted-
-
-deleted-
-
-deleted-
-
-deleted-
-
-deleted-
-
-deleted-
-
-deleted-
-
-deleted-
-
-deleted-
-
My laptop has been infested with these malwares, Win32:Alureon-FE[RTK], Win32:Malware-gen, Win32:Spyware-gen, BV: AutoRun-G [Wrm].
I have since moved them to the Virus Chest in the Avast program, cleaned up the Registry and did Spyware scans and fixes.
However, there are still some 'side effects' such as my laptop slowing down and the inability to log on to youtube. As such, I am hoping to remove these malwares so that the 'side effects' to be removed as well.
I have attached the OTL log in the next post, although I am not sure how much help this can be. Hope someone can help me out on this. Thanks!
You haven't actually attached the log, see below, but spread it out over many posts and pages making it very difficult to read for ever it is that can analyse these. So if you can actually attach the log 'file' to a post it will make their analysis much easier.
Attaching a file - When you click the Reply button, there is an Additional Options link, this expands the options to attach a file, that can be an image file or a text file (.log or .txt). Also see How to post an Image (http://forum.avast.com/index.php?topic=8982.0).
-
Hi DavidR,
Thank you for yr reply.
I hope I have attached the log the right way, pls pardon me for the errors because I m not very gd at this.
Thanks!
-
Hi lets reset your hosts (which is why you cannot get to youtube) and then check for TDSS
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
O33 - MountPoints2\{0fcc8741-d6bc-11dc-b412-000b5d973199}\Shell\Auto\command - "" = Recycler.exe
O33 - MountPoints2\{68d95b70-0982-11de-b76f-0017423b734a}\Shell\AutoRun\command - "" = E:\gi2ky.exe -- File not found
O33 - MountPoints2\{68d95b70-0982-11de-b76f-0017423b734a}\Shell\open\Command - "" = E:\gi2ky.exe -- File not found
O33 - MountPoints2\{68d95b71-0982-11de-b76f-0017423b734a}\Shell\AutoRun\command - "" = E:\fbak.exe -- File not found
O33 - MountPoints2\{68d95b71-0982-11de-b76f-0017423b734a}\Shell\open\Command - "" = E:\fbak.exe -- File not found
O33 - MountPoints2\{7f3c6aa0-befc-11dd-b69f-0000f0b0ddd5}\Shell\Auto\command - "" = E:\sxs2.exe -- File not found
O33 - MountPoints2\{8b773450-4728-11dd-b53f-000b5d973199}\Shell\1\Command - "" = F:\.\recycled\info.exe -- File not found
O33 - MountPoints2\{b4ded434-4624-11df-babc-0017423b734a}\Shell\AutoRun\command - "" = G:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\winse32.exe -- File not found
O33 - MountPoints2\{b4ded434-4624-11df-babc-0017423b734a}\Shell\open\command - "" = G:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\winse32.exe -- File not found
:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
NEXT
Hi, :)
:welcome:
Please read carefully and follow these steps.
- Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it to your Desktop.
- Extract its contents to your desktop.
- Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
(http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMain.png)
- If an infected file is detected, the default action will be Cure, click on Continue.
(http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png)
- If a suspicious file is detected, the default action will be Skip, click on Continue.
(http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png)
- It may ask you to reboot the computer to complete the process. Click on Reboot Now.
(http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png)
- If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
- If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
-
Thank you for yr reply.
I hope I have attached the log the right way, pls pardon me for the errors because I m not very gd at this.
You're welcome, you have attached the file successfully, so now you know how to di it.
Essexboy is on the case now so if you can follow his instructions hopefully it won't be long before you are in the clear.
-
Thanks DavidR and Essexboy for your help!
Essexboy, I have attached the log from OTL below. (I can now log on to youtube!)
From the TDSSKiller scan, it seems that all is clear for my laptop as no suspicious or infected file was found.
-
You're welcome, hopefully essexboy will be able to check out your OTL log file.
From my very limited OTL knowledge there seems to be some general cleaning to do with Mountpoints and autorun file, stuff, but that I will have to leave for essexboy.
-
O1 HOSTS File: ([2008-11-06 08:15:48 | 002,852,607 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 208.117.236.70 youtube.com
O1 - Hosts: 208.117.236.70 www.youtube.com
O1 - Hosts: 209.85.203.100 gdata.youtube.com
O1 - Hosts: 209.85.203.100 gdata.youtube.com
O1 - Hosts: 208.117.236.70 youtube.com
O1 - Hosts: 208.117.236.70 www.youtube.com
O1 - Hosts: 74.125.65.118 img.youtube.com
O1 - Hosts: 64.15.124.143 sjc-v1.sjc.youtube.com
O1 - Hosts: 64.15.124.152 sjc-v10.sjc.youtube.com
O1 - Hosts: 64.15.124.153 sjc-v11.sjc.youtube.com
O1 - Hosts: 64.15.124.154 sjc-v12.sjc.youtube.com
O1 - Hosts: 64.15.124.212 sjc-v44.sjc.youtube.com
O1 - Hosts: 64.15.124.213 sjc-v45.sjc.youtube.com
O1 - Hosts: 64.15.124.214 sjc-v46.sjc.youtube.com
O1 - Hosts: 64.15.124.215 sjc-v47.sjc.youtube.com
O1 - Hosts: 64.15.124.216 sjc-v48.sjc.youtube.com
O1 - Hosts: 64.15.124.243 sjc-v75.sjc.youtube.com
O1 - Hosts: 64.15.124.244 sjc-v76.sjc.youtube.com
O1 - Hosts: 64.15.125.16 sjc-v77.sjc.youtube.com
O1 - Hosts: 64.15.125.17 sjc-v78.sjc.youtube.com
O1 - Hosts: 64.15.125.18 sjc-v79.sjc.youtube.com
O1 - Hosts: 64.15.125.37 sjc-v98.sjc.youtube.com
O1 - Hosts: 64.15.125.38 sjc-v99.sjc.youtube.com
O1 - Hosts: 64.15.125.39 sjc-v100.sjc.youtube.com
O1 - Hosts: 64890 more lines...
This was your problem
Subject to all being OK - run OTL and hit the cleanup button and it will disappear ;D
-
@ essexboy
Living and learning here:
About those entries for the mountpoints (033 entries), whilst they point to non-extant files "E:\AutoRun.exe -- File not found"
Should the mountpoints not be removed to avoid future infected USB sticks (presumably the E:\ drive/partition is a USB location) ?
Whilst the E:\LaunchU3.exe -- File not found and F:\LaunchU3.exe -- File not found mount points would be valid if the OP was using/had a U3 usb drive plugged in previously. Or are these generally created ?
The same general query about the 032 Autorun entries, but mainly the C:\autorun.inf and D:\autorun.inf locations if they relate to a HDD which shouldn't have these files (folders yes if Flash Drive Disinfector had been run, but no record of that in the topic).
-
The mountpoints relate generally to external drives, the ones I removed pointed to malware files from a USB at some stage , the others are legit (at the moment) versions of files run from CD's and USB's
Autorun files again are generally not a problem, removal would stop CD's etc from autoplaying. So I leave them unless I have an indication that they are malicious
-
OK thanks.
-
Hi Essexboy,
I have run the OTL and hit the cleanup button.
By the way, another query, it seems that the Available Physical Memory on my laptop can fluctuate quite greatly, it can drop from 300+MB to less than 20MB in a short period and this causes my laptop to slow down (this happens even though no program is running). And I need to restart it several times (and by force at times by pulling the plug) to get it back to running at an "acceptable pace".
Thus, is there anything I should pay special attention to so that Available Physical Memory would not be fluctuating so much, thus affecting the speed my laptop is running at because it is extremely frustrating when I need the laptop to work quickly for work purposes.
-
Short of having the task manager open to monitor the Processes actual use of memory to try and pin down what it is that is using the memory.
What were you doing at the time of these spikes ?
I don't know how difficult or expensive it would be to increase your laptops RAM from presumably 512MB to 1GB by adding another 512MB stick of RAM. It would certainly improve overall system performance.
With a laptop part of your RAM would be shared with the Graphics chip, sometimes that value can be too much or the RAM that you have and could be reduced, again that depends on your use of the laptop.
-
That is probably it David as the RAM is reported as 502MB and an internal graphics card would drag it down probably to 450 or less
-
Hi DavidR and Essexboy,
This spikes in memory will even happen when I open just two IE windows (eg: one site on Facebook and other site on Avast Forum). This has never happened before till the recent two weeks, thus, I am clueless as to what has changed in my laptop that caused this situation to occur.
If it is due to the Graphics card, how do I reduce it? I am not an ardent gamer so graphics are not that crucial to me.
Of course, I may consider adding another 512MB of RAM, but I am hoping to clear this issue without further expenses.
-
I'm not a gamer and have never had to adjust RAM sharing (probably a BIOS setting), so I don't know, but you could check out this google search, http://www.google.com/search?q=video+graphics+RAM+sharing (http://www.google.com/search?q=video+graphics+RAM+sharing)
See http://www.pcuser.com.au/pcuser/hs2.nsf/lookup+1/924C055C8AE39C7ECA2572560079BAA2 (http://www.pcuser.com.au/pcuser/hs2.nsf/lookup+1/924C055C8AE39C7ECA2572560079BAA2), whilst this is an old article it is basically sound.
Well for an ardent gamer I would have thought that you would have been all over a RAM upgrade. However, as an ardent gamer I would have thought that there would be no way you would want to reduce the amount of RAM allocated to the integrated graphics chip as that would reduce graphics performance.
For a working system, 512MB isn't very much, even on XP 512 I would consider a minimum 256 fir the OS itself and the remainder less whatever your motherboards integrated graphics chip is allocated for other programs. This will cause windows to be continually swapping stuff out of memory (RAM) into the swapfile/pagefile (virtual memory, part of your hard disk) and this will also cause a lot of hard disk activity.
-
Thanks for the info, DavidR!
-
You're welcome.