Author Topic: win32-Alureon-EN[RTK]  (Read 14597 times)


avwonder

  • Guest
Re: win32-Alureon-EN[RTK]
« Reply #15 on: December 23, 2009, 01:42:26 PM »
Well it has been a few minutes since the reboot and avast seems to be quiet and not flashing me...

Maybe its finally dead - I am afraid to do the happy dance just yet.

Here's the contents of the tdsskiller logs. <<had to attach, it exceeded the maximum character length>>

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: win32-Alureon-EN[RTK]
« Reply #16 on: December 23, 2009, 06:42:35 PM »
Hi avwonder,

Please run combofix and post the log.

Thanks

avwonder

  • Guest
Re: win32-Alureon-EN[RTK]
« Reply #17 on: December 23, 2009, 07:30:17 PM »
Here is the combofix.log - as I keep my fingers crossed.

Offline oldman

Re: win32-Alureon-EN[RTK]
« Reply #18 on: December 23, 2009, 08:05:45 PM »
Hi avwonder,

Looks much better.

When you ran OTL, another log called Extra.txt should have been created. Please post it.

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Next

*Note*
It is recommended to disable your onboard antivirus program and antispyware programs while performing scans so there are no conflicts, and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.


Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions.
  • You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Change the Files of type to Text file (.txt)
  • Set the Save In to Desktop
  • click the Save button.
  • Please post this log in your next reply.

Please post back with the Extra.txt, MBAM log and Kaspersky log.


avwonder

  • Guest
Re: win32-Alureon-EN[RTK]
« Reply #19 on: December 24, 2009, 03:26:10 AM »
Here are the log files requested.

Offline oldman

Re: win32-Alureon-EN[RTK]
« Reply #20 on: December 24, 2009, 05:54:33 AM »
Hi avwonder,

The Kaspersky detections are of files either we have quarantined or old System Restore points. These will be removed when we remove the tools.

Please follow all previous instructions regarding security programs.

Open a new Notepad session
  • Click the Start button, click run
  • in the run box type notepad
  • click ok
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.

  • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE
Code:
Folder::
c:\program files\Adobe\Reader 8.0\Reader\bak
c:\program files\Common Files\InstallShield\UpdateService\bak
c:\program files\HP\HP Software Update\bak
c:\program files\McAfee\MBK\bak
c:\program files\QuickTime\bak

File::
c:\windows\system32\drivers\KLMD.sys

AWF::
c:\program files\Yahoo!\Messenger\bak\YAHOOM~1.EXE

Registry::


In the notepad
  • Click File, Save as..., and set the Save in to your Desktop
  • In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
  • Click save
Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again. Close all browser/windows first.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**



Please post back with the combofix log.

Everything still ok?

Thanks
« Last Edit: December 24, 2009, 06:20:20 AM by oldman »

avwonder

  • Guest
Re: win32-Alureon-EN[RTK]
« Reply #21 on: December 24, 2009, 01:04:46 PM »
So far so good and everything seems to be running much faster.  I know you get this all the time but thank you very much - you are wonderful. 

Here is the combofix log - and I still want to make sure that I find out where I can learn this stuff to help others the way you have helped me.


YoKenny

  • Guest
Re: win32-Alureon-EN[RTK]
« Reply #22 on: December 24, 2009, 01:50:26 PM »
I see you have Adobe Reader 8.0 that is down level and vulnerable to attack. 

Adobe Reader 9.1 is the latest version but Adobe Reader is the current favorite of the malware purveyors so I use Foxit Reader minus the Ask.com toolbar to read pdf files.

Go to Add/Remove Programs and un-install Adobe Reader.

avwonder

  • Guest
Re: win32-Alureon-EN[RTK]
« Reply #23 on: December 24, 2009, 02:17:41 PM »
Oh thank you - I will remove from all my pc's right now.

Offline oldman

Re: win32-Alureon-EN[RTK]
« Reply #24 on: December 24, 2009, 06:08:29 PM »
Hi avwonder,

Quote
and I still want to make sure that I find out where I can learn this stuff to help others the way you have helped me.
When we are done.

Please don't uninstall or install any more programs unless asked; it makes for long logs. The Adobe would have been addressed when we were done.

I need you to make a batchfile.

Open a new Notepad session
  • Click the Start button, click run
  • in the run box type notepad
  • click ok
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.

  • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE
Code:
@echo off
rem Write the ImagePath of the nvata service to mine.txt, then open mine.txt in Notepad
reg query "HKLM\system\currentcontrolset\services\nvata" /v imagepath > mine.txt
start mine.txt


In the notepad
  • Click File, Save as..., and set the Save in to your Desktop
  • In the filename box, type (including quotation marks) as the filename: "look.bat"
  • Click save
You will have a file on your desktop with an icon with gears called look.bat. It will look like the image attached.

Double click look.bat to run it. When it's done a notepad will open called mine.txt. Please post its contents.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield
  • Do not copy the word CODE , please note the script starts with the :
Code:
:filefind
nvata.*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Please post back with
  • contents of mine.txt
  • SystemLook log
Thanks


avwonder

  • Guest
Re: win32-Alureon-EN[RTK]
« Reply #25 on: December 24, 2009, 06:43:43 PM »
I'm so sorry - I only uninstalled, I did not try and install.

Here are the contents of the 2 log files.

Offline oldman

Re: win32-Alureon-EN[RTK]
« Reply #26 on: December 25, 2009, 02:03:13 AM »
Hi avwonder,

Quote
I'm so sorry

No problem. It's just I don't like to uninstall/install programs if I don't need to during the course of a cleaning. This is only because if something should go wrong, sometimes the only recourse is System Restore. We've come too far to go backwards now.

Please read these instructions, write them down if need be, just in case your computer won't boot after we reset a service. Do not reboot the computer unless you have to. I will review the logs when you have posted them.

In the slight chance that the fix we will be doing shortly doesn't work, you will be able to restart your computer with Last Known Good Configuration

Use these steps only if your computer will not reboot after the fix.

If your computer fails to boot to Windows

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Use the arrow key to highlight Last Known Good Configuration
  • Press Enter.
Your computer will start to load windows.

I need you to make a batchfile.

Open a new Notepad session
  • Click the Start button, click run
  • in the run box type notepad
  • click ok
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.

  • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE
Code:
@echo off
rem Put the vendor copy of the nvata SATA driver back over the one in system32\drivers
copy /y C:\SWSetup\Chipset\IDE\Win2K\sata_ide\nvata.sys C:\WINDOWS\system32\drivers\nvata.sys > result.txt 2>&1
rem Point the service's ImagePath back at the restored driver (the path is relative to %SystemRoot%)
reg add HKLM\SYSTEM\CurrentControlSet\Services\nvata /v ImagePath /t REG_EXPAND_SZ /d System32\drivers\nvata.sys /f >> result.txt 2>&1
rem Open the result in Notepad, then remove this batch file
start result.txt
del %0


When it's finished (it will be quick) a notepad named results.txt will pop up. Please save this.

Next, rerun SystemLook with the following script

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield
  • Do not copy the word CODE , please note the script starts with the :
Code:
:filefind
nvata.*
:reg
HKLM\system\currentcontrolset\services\nvata
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Please do not attach the SystemLook results as the forum software tends to mess it up making it very hard to read.

Please post back with
  • results.txt
  • SystemLook log
Thanks


avwonder

  • Guest
Re: win32-Alureon-EN[RTK]
« Reply #27 on: December 25, 2009, 06:43:50 AM »
Here is systemlook...

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 00:40 on 25/12/2009 by Rooster (Administrator - Elevation successful)

========== filefind ==========

Searching for "nvata.*"
C:\SWSetup\Chipset\IDE\Win2K\sata_ide\nvata.cat   --a--- 8836 bytes   [15:01 16/05/2006]   [15:01 16/05/2006] 45B4D2593DB17F2E2C84242FFD7006B3
C:\SWSetup\Chipset\IDE\Win2K\sata_ide\nvata.inf   --a--- 2949 bytes   [07:39 15/05/2006]   [07:39 15/05/2006] DBA1177CD571878DBF13E2F0C13ACBF7
C:\SWSetup\Chipset\IDE\Win2K\sata_ide\nvata.sys   --a--- 99584 bytes   [00:04 27/01/2006]   [00:04 27/01/2006] 3AC5EEDD35B7437D53960F3998BFA462
C:\SWSetup\Chipset\IDE\WinXP\sata_ide\nvata.cat   --a--- 8836 bytes   [15:01 16/05/2006]   [15:01 16/05/2006] 45B4D2593DB17F2E2C84242FFD7006B3
C:\SWSetup\Chipset\IDE\WinXP\sata_ide\nvata.inf   --a--- 2949 bytes   [07:39 15/05/2006]   [07:39 15/05/2006] DBA1177CD571878DBF13E2F0C13ACBF7
C:\SWSetup\Chipset\IDE\WinXP\sata_ide\nvata.sys   --a--- 99584 bytes   [00:04 27/01/2006]   [00:04 27/01/2006] 3AC5EEDD35B7437D53960F3998BFA462
C:\SWSetup\Chipset\nvata.cat   --a--- 8836 bytes   [15:01 16/05/2006]   [15:01 16/05/2006] 45B4D2593DB17F2E2C84242FFD7006B3
C:\SWSetup\Chipset\nvata.inf   --a--- 2949 bytes   [07:39 15/05/2006]   [07:39 15/05/2006] DBA1177CD571878DBF13E2F0C13ACBF7
C:\SWSetup\Chipset\nvata.PNF   --a--- 9496 bytes   [07:19 01/09/2006]   [07:19 01/09/2006] B625D2AF3E4617A5DB606BA04DE5A63A
C:\SWSetup\Chipset\nvata.sys   --a--- 99584 bytes   [00:04 27/01/2006]   [00:04 27/01/2006] 3AC5EEDD35B7437D53960F3998BFA462
C:\WINDOWS\system32\drivers\nvata.sys   --a--- 99584 bytes   [00:04 27/01/2006]   [00:04 27/01/2006] 3AC5EEDD35B7437D53960F3998BFA462
C:\WINDOWS\system32\drivers\nvata.tsk   --a--- 99584 bytes   [12:21 23/12/2009]   [12:21 23/12/2009] 5272D12F07412E6402117E38BFB2B03A

========== reg ==========

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\nvata]
"DisableFilterCache"= 0x0000000001 (1)
"DisableRemovable"= 0x0000000001 (1)
"ErrorControl"= 0x0000000003 (3)
"Group"="SCSI Miniport"
"ImagePath"="System32\drivers\nvata.sys"
"SataPowerDownCount"= 0x0000000001 (1)
"Start"= 0000000000 (0)
"Tag"= 0x0000000044 (68)
"Type"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\nvata\Enum]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\nvata\Security]


-=End Of File=-
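
An added example, not part of the thread and not SystemLook's own code: a small Python script that parses the filefind and reg sections of the SystemLook log posted above and checks the same things oldman checks by eye across replies #24 through #29 - every nvata.sys on disk carries the vendor hash from the C:\SWSetup driver store, the odd one out in the drivers folder is flagged (the renamed nvata.tsk with its different MD5 and a 23/12/2009 timestamp, the day the TDSSKiller log was posted), and the service's ImagePath points at the restored file and is still boot-start. The log lines inside it are copied from the post above, trimmed to the relevant entries; it assumes %SystemRoot% is C:\WINDOWS, as that log shows, and it only reads the log text, never the disk.

```python
# Added example, not code from this thread or from SystemLook: it parses the
# ':filefind' and ':reg' sections of a SystemLook log and checks what the
# helper checked by eye.  Assumes %SystemRoot% is C:\WINDOWS, as the posted
# log shows; it only reads the log text and never touches the disk.
import re

# filefind line:  path  attrs  size bytes  [created]  [modified]  MD5
FILEFIND_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+(?P<attr>[-\w]{6})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.+?)\s*$')  # "Name"=value
SECTION_RE = re.compile(r"^=+ (\w+) =+$")                               # ===== filefind =====

# Copied from the SystemLook output posted above, trimmed to the .sys/.tsk/.inf entries.
SAMPLE_LOG = r'''
========== filefind ==========

Searching for "nvata.*"
C:\SWSetup\Chipset\IDE\Win2K\sata_ide\nvata.sys   --a--- 99584 bytes   [00:04 27/01/2006]   [00:04 27/01/2006] 3AC5EEDD35B7437D53960F3998BFA462
C:\SWSetup\Chipset\IDE\WinXP\sata_ide\nvata.sys   --a--- 99584 bytes   [00:04 27/01/2006]   [00:04 27/01/2006] 3AC5EEDD35B7437D53960F3998BFA462
C:\SWSetup\Chipset\nvata.inf   --a--- 2949 bytes   [07:39 15/05/2006]   [07:39 15/05/2006] DBA1177CD571878DBF13E2F0C13ACBF7
C:\SWSetup\Chipset\nvata.sys   --a--- 99584 bytes   [00:04 27/01/2006]   [00:04 27/01/2006] 3AC5EEDD35B7437D53960F3998BFA462
C:\WINDOWS\system32\drivers\nvata.sys   --a--- 99584 bytes   [00:04 27/01/2006]   [00:04 27/01/2006] 3AC5EEDD35B7437D53960F3998BFA462
C:\WINDOWS\system32\drivers\nvata.tsk   --a--- 99584 bytes   [12:21 23/12/2009]   [12:21 23/12/2009] 5272D12F07412E6402117E38BFB2B03A

========== reg ==========

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\nvata]
"Group"="SCSI Miniport"
"ImagePath"="System32\drivers\nvata.sys"
"Start"= 0000000000 (0)
"Type"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\nvata\Enum]

-=End Of File=-
'''


def parse_systemlook(text):
    """Return (files, reg): filefind records, and {key: {name: value}} for the reg section."""
    files, reg, section, key = [], {}, None, None
    for line in (ln.strip() for ln in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
        elif section == "filefind" and (m := FILEFIND_RE.match(line)):
            rec = m.groupdict()
            rec["size"], rec["md5"] = int(rec["size"]), rec["md5"].upper()
            files.append(rec)
        elif section == "reg" and line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()          # registry key names are case-insensitive
            reg[key] = {}
        elif section == "reg" and key and (m := REG_VALUE_RE.match(line)):
            reg[key][m.group("name")] = m.group("value").strip('"')
    return files, reg


def check_driver(files, reg, service, driver_file, vendor_dir, system_root=r"C:\WINDOWS"):
    """Compare the live driver with the vendor copies and with the service key."""
    name = driver_file.lower()
    stem = name.rsplit(".", 1)[0]
    drivers_dir = (system_root + r"\system32\drivers").lower()
    by_path = {f["path"].lower(): f for f in files}
    vendor_md5s = {f["md5"] for p, f in by_path.items()
                   if p.startswith(vendor_dir.lower()) and p.endswith("\\" + name)}
    live = by_path.get(drivers_dir + "\\" + name)
    key = reg.get("hkey_local_machine\\system\\currentcontrolset\\services\\" + service.lower(), {})
    image = key.get("ImagePath", "")
    # A relative ImagePath is resolved against %SystemRoot%; an absolute one is used as-is.
    image_full = image if ":" in image else system_root + "\\" + image
    # Any <stem>.* in the drivers folder that does not carry a vendor hash deserves a look:
    # here that is the renamed nvata.tsk with its different MD5 and 23/12/2009 timestamp.
    suspects = sorted(p for p, f in by_path.items()
                      if p.startswith(drivers_dir + "\\" + stem + ".") and f["md5"] not in vendor_md5s)
    return {
        "vendor_md5s": sorted(vendor_md5s),                   # should be exactly one hash
        "live_ok": live is not None and live["md5"] in vendor_md5s,
        "imagepath_ok": image_full.lower() == drivers_dir + "\\" + name,
        "boot_start": key.get("Start", "").endswith("(0)"),   # Start=0: boot-start driver
        "suspects": suspects,
    }


if __name__ == "__main__":
    files, reg = parse_systemlook(SAMPLE_LOG)
    for finding, value in check_driver(files, reg, "nvata", "nvata.sys", r"C:\SWSetup").items():
        print(f"{finding:13} {value}")
```

Run it as-is and it reports on the pasted log; to use it on another SystemLook.txt, read that file into the text argument instead of SAMPLE_LOG. The point of the hash comparison is that the cleanup copies the driver from the vendor store, so a live nvata.sys whose MD5 differs from every copy under C:\SWSetup, or an ImagePath that points anywhere but the restored file, means the fix did not take.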



avwonder

  • Guest
Re: win32-Alureon-EN[RTK]
« Reply #28 on: December 25, 2009, 06:45:27 AM »
Here is results.txt

        1 file(s) copied.

The operation completed successfully

Offline oldman

Re: win32-Alureon-EN[RTK]
« Reply #29 on: December 25, 2009, 07:44:24 AM »
Hi avwonder,

Everything looks good there. Try a reboot now, it should be fine. Let me know.



After you post back we'll continue.

Thanks
« Last Edit: December 25, 2009, 08:01:03 AM by oldman »