Author Topic: win32-Alureon-EN[RTK]  (Read 14716 times)


avwonder

  • Guest
Re: win32-Alureon-EN[RTK]
« Reply #30 on: December 25, 2009, 07:59:07 AM »
Everything seems to have booted up just fine!

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: win32-Alureon-EN[RTK]
« Reply #31 on: December 25, 2009, 08:02:21 AM »
Hi avwonder,

Good.

Next, rerun SystemLook with the following script

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield
  • Do not copy the word CODE; please note the script starts with the :
Code:
:filefind
69D804C66D.*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.


avwonder

  • Guest
Re: win32-Alureon-EN[RTK]
« Reply #32 on: December 25, 2009, 08:13:23 AM »
Here is the log from systemlook...

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 02:09 on 25/12/2009 by Rooster (Administrator - Elevation successful)

========== filefind ==========

Searching for "69D804C66D.*"
C:\Qoobox\Quarantine\C\WINDOWS\system32\69D804C66D.dll.vir   --a--- 80 bytes   [07:28 23/12/2009]   [07:28 23/12/2009] 385484C2729CA1B86F91EBB56F001C88

-=End Of File=-

Offline oldman

Re: win32-Alureon-EN[RTK]
« Reply #33 on: December 25, 2009, 08:24:53 AM »
Hi avwonder,

Almost there.

I need you to make a batchfile.

Open a new Notepad session
  • Click the Start button, click run
  • in the run box type notepad
  • click ok
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.

  • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE
Code:
@echo off
rem Restore the quarantined copy to its original location; capture copy's output (stdout and stderr) in result1.txt
copy /y C:\Qoobox\Quarantine\C\WINDOWS\system32\69D804C66D.dll.vir C:\WINDOWS\system32\69D804C66D.dll > result1.txt 2>&1
rem Show the result, then delete this batch file
start result1.txt
del %0


When it's finished (it will be quick) a notepad named results1.txt will pop up. Please save this.

Next, Double click on OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
  • Do Not copy the word CODE
  • please note the fix starts with the :
Code:
:Files
c:\windows\system32\drivers\nvata.tsk

:Commands
[emptytemp]
  • Then click the Run Fix button at the top
  • Let the program run unhindered
  • Please save the resulting log to be posted in your next reply.

Next
  • Double click on OTL.exe  to run it. (if it's closed) Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output
  • UNCheck the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open a notepad window, OTL.Txt.

Please post back with
  • Results1.txt
  • OTL fix log
  • OTL scan log (this one can be attached)

Everything still ok?

Thanks
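The two steps above, the SystemLook filefind hit in Reply #32 and the quarantine-restore batch file in Reply #33, as an added Python example that is not part of this thread and is not SystemLook's, ComboFix's or OTL's own code: it parses filefind result lines into fields (path, attributes, size, timestamps, MD5), flags entries that sit in ComboFix's Qoobox quarantine folder, and, before copying a quarantined file back, checks that the file's MD5 still matches the hash the log recorded. The sample log text is copied from the post above; the 80-byte file in the demo is a constructed stand-in, not the real file, so its hash differs from the logged one and the mismatch path is exercised first.

```python
import hashlib
import re
import shutil
import tempfile
from datetime import datetime
from pathlib import Path

# Constructed sample: the SystemLook log from the post above, verbatim.
SAMPLE_LOG = """SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 02:09 on 25/12/2009 by Rooster (Administrator - Elevation successful)

========== filefind ==========

Searching for "69D804C66D.*"
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\69D804C66D.dll.vir   --a--- 80 bytes   [07:28 23/12/2009]   [07:28 23/12/2009] 385484C2729CA1B86F91EBB56F001C88

-=End Of File=-
"""

# One filefind result line: <path> <6-char attrs> <size> bytes [created] [modified] <MD5>
FILEFIND_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<attrs>[-a-z]{6})\s+"
    r"(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+"
    r"\[(?P<modified>[^\]]+)\]\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

# Qoobox\Quarantine is where ComboFix parks the files it removes.
QUARANTINE_MARKER = "\\qoobox\\quarantine\\"


def parse_filefind(log_text):
    """Return a list of dicts, one per filefind result line; other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = FILEFIND_LINE.match(line.strip())
        if not m:
            continue
        entries.append({
            "path": m["path"],
            "attrs": m["attrs"],
            "size": int(m["size"]),
            "created": datetime.strptime(m["created"], "%H:%M %d/%m/%Y"),
            "modified": datetime.strptime(m["modified"], "%H:%M %d/%m/%Y"),
            "md5": m["md5"].lower(),
            # True when the hit is the quarantined copy rather than a live system file
            "quarantined": QUARANTINE_MARKER in m["path"].lower(),
        })
    return entries


def md5_of(path):
    """MD5 of a file, read in chunks. MD5 is used only because that is what the log records."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def restore_with_check(src, dst, expected_md5):
    """Copy src to dst only if src's MD5 matches the logged hash.

    Returns (copied, actual_md5). A mismatch means the quarantined file is not the
    one the log described, so nothing is written back.
    """
    actual = md5_of(src)
    if actual != expected_md5.lower():
        return False, actual
    shutil.copyfile(src, dst)
    return True, actual


def demo_restore():
    """Constructed demo in a temp dir: first a hash mismatch (no copy), then a match (copy)."""
    with tempfile.TemporaryDirectory() as d:
        src = Path(d) / "69D804C66D.dll.vir"
        dst = Path(d) / "69D804C66D.dll"
        src.write_bytes(b"MZ" + b"\x00" * 78)  # constructed 80-byte stand-in, not the real file
        logged = parse_filefind(SAMPLE_LOG)[0]["md5"]
        wrong_ok, actual = restore_with_check(src, dst, logged)  # stand-in != logged hash
        right_ok, _ = restore_with_check(src, dst, actual)       # re-check against its own hash
        return wrong_ok, right_ok, dst.exists(), md5_of(dst) == actual


if __name__ == "__main__":
    for e in parse_filefind(SAMPLE_LOG):
        print(e["path"], e["size"], "bytes", e["md5"], "quarantined" if e["quarantined"] else "live")
    print(demo_restore())
```

The parser keys off the drive letter and the fixed field order SystemLook uses, so non-result lines (the header, the "Searching for" line, the end marker) are ignored without special-casing. Keeping the logged hash and the restore step together means a file that changed in quarantine is noticed before it is copied back into system32.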

avwonder

  • Guest
Re: win32-Alureon-EN[RTK]
« Reply #34 on: December 25, 2009, 08:47:11 AM »
Everything is still looking good.  No bleeps from avast.

Here are the logs...

    * Results1.txt
       1 file(s) copied.

    * OTL fix log

All processes killed
========== FILES ==========
c:\windows\system32\drivers\nvata.tsk moved successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: All Users
 
User: Application Data
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Leesa
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
 
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
 
User: NetworkService
->Temp folder emptied: 16384 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: Rooster
->Temp folder emptied: 54504 bytes
->Temporary Internet Files folder emptied: 763507 bytes
->Java cache emptied: 13818443 bytes
->FireFox cache emptied: 34258860 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 17048 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 32902 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 47.00 mb
 
 
OTL by OldTimer - Version 3.1.19.0 log created on 12252009_023046

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_e4.dat not found!
File move failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
C:\WINDOWS\temp\Perflib_Perfdata_634.dat moved successfully.

Registry entries deleted on Reboot...


    * OTL scan log (this one can be attached)
<<attached>>

Offline oldman

Re: win32-Alureon-EN[RTK]
« Reply #35 on: December 25, 2009, 09:06:34 AM »
Hi avwonder,

I see you have BearShare MediaBar installed. This is a rather undesirable program
http://www.bleepingcomputer.com/uninstall/7767/BearShare-MediaBar.html

I suggest you uninstall MediaBar 2.0 via add/remove programs.

If no problems, we can clean up now.

From your desktop, please delete
  • any notepads/logs that we created
  • GMER.zip
  • GMER.exe
  • DeFogger.exe
  • RootRepeal.exe
  • SystemLook.exe
  • look.bat
  • tdsskiller.zip
  • Win32kDiag.exe
  • avenger.exe

Next

Click the Start button, click Run. Copy and paste the following line into the run box and click OK
Combofix /uninstall

Open OTL then click the Clean Up button. You may get prompted by your firewall that OTL wants to contact the internet -  allow this.  A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will do some clean up tasks and delete some of the tools you have downloaded plus itself.

I suggest you keep MBAM. Keep it updated and use it regularly.

Updates and upgrades

You can install Adobe now if you wish or

You may want to consider Foxit Reader instead. It may be a bit lighter on resources.

Visit their support forum
Foxit Forum


Some Recommendations and prevention tips

Basic security consists of 1 antivirus program, 1 resident antispyware program, 1 on demand antispyware program and a firewall. Just add a resident antispyware program.

I suggest either or ask in the General Forum

Windows Defender
 OR
Winpatrol

You should also use Spyware Blaster to help immunize your computer.

 - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

-Secure your Internet Explorer

From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

- Keeping your Windows up-to-date is crucial to your computer's security. Please go to the Windows Update Site (using Internet Explorer) and download and install all critical updates on a regular basis

- Ensure that Automatic Update is turned on so you get all the latest patches.
Click start, control panel, click Security Center.

- Keep your antivirus program updated, as well as any other security programs you have.

- You may also want to read this article By Tony Klein
http://www.freedomlist.com/forum/viewtopic.php?t=22879

As promised, some links to forums with malware removal schools. I'll give you the link to the page with their application information. No special order and there are others.

G2G
WTT
BC


BTW, Season's Greetings.

Take care


avwonder

  • Guest
Re: win32-Alureon-EN[RTK]
« Reply #36 on: December 26, 2009, 12:01:25 AM »
Thank you, thank you so very much for all your help during this stressful outbreak.  I really appreciate your patience and kindness.

Offline oldman

Re: win32-Alureon-EN[RTK]
« Reply #37 on: December 26, 2009, 09:35:51 AM »
Hi avwonder,

You are very welcome.   :)