Author Topic: Alureon -HF [Rtk] and possibly other malware/viruses  (Read 7913 times)


debs01x

  • Guest
Alureon -HF [Rtk] and possibly other malware/viruses
« on: July 21, 2010, 05:18:58 PM »
Hi. OK, so a few days ago I noticed that my computer was making a sound as if a CD was in it and running full speed. I guess all of the computer's resources were being maxed out. I'm not exactly tech savvy, so I don't know. If I open Task Manager, CPU usage is at 100%.

I ran a boot-time scan on it with avast and this is what it picked up:



I then moved everything to the chest and thought I was good. Two days ago my comp was running slow again, so I ran an avast full system scan on it and it picked these three things up:



I wasn't able to move them to the chest OR delete them. I then ran the following:

- a boot-time scan with avast
- Malwarebytes
- a scan with Advanced SystemCare
- VirtumundoBeGone
- another boot-time scan with avast
- another full system scan with avast

I also deleted cookies and emptied out my recycle bin and thought my comp was OK, but CPU usage is still at 100% or close to it and it still sounds like a CD is in it running full speed.

HELP!

 

debs01x

  • Guest
Re: Alureon -HF [Rtk] and possibly other malware/viruses
« Reply #1 on: July 21, 2010, 07:25:38 PM »
I went ahead and ran HijackThis. Here's the log.

Oh, I should point out that I'm not able to go to the Windows Update page at all to run an update. The page won't come up in Internet Explorer at all. Please, somebody help me. Thanks.
« Last Edit: July 21, 2010, 07:29:02 PM by debs01x »

Jtaylor83

  • Guest
Re: Alureon -HF [Rtk] and possibly other malware/viruses
« Reply #2 on: July 22, 2010, 12:02:08 AM »
It appears you have Norton Internet Security, which is a resource hog. That's why your CPU usage is 100%. You will have to uninstall Norton and Avast, then re-install Avast again.

But first we will have to remove Alureon/TDSS infection.

Please follow Essexboy's instructions.



debs01x

  • Guest
Re: Alureon -HF [Rtk] and possibly other malware/viruses
« Reply #3 on: July 22, 2010, 02:33:16 AM »
I ran Malwarebytes, which didn't pick up anything. I know something is there, though, because I still get popup tabs in Firefox every now and then, and also my comp is still going slow and it's still making that loud noise as if a CD is running. Anyway, here's the log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4331

Windows 6.0.6000
Internet Explorer 8.0.6001.18904

7/21/2010 8:14:49 PM
mbam-log-2010-07-21 (20-14-49).txt

Scan type: Quick scan
Objects scanned: 144094
Time elapsed: 12 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

OTL won't scan at all. A window with a black screen comes up and that's it.
GMER won't scan the computer. It crashes an hour or more into it. If it doesn't do that, then it crashes the computer and restarts it. Even in safe mode it won't run.

Swear to God I'm pissed. I wish I could find the guy that created this POS virus/malware.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89690
  • No support PMs thanks
Re: Alureon -HF [Rtk] and possibly other malware/viruses
« Reply #4 on: July 22, 2010, 03:02:55 AM »
Since this is a TDSS infection and essexboy isn't going to be online for a few days or more, try the TDSSKiller tool.

-- TDSS Killer - Related to this type of attack, C:\WINDOWS\TEMP\tgcw.tmp\svchost.exe Malware name: Win32:FakeAlert-FC
Try this tool ( as a start ) http://support.kaspersky.com/viruses/solutions?qid=208280684
Another poster claims success. It's incredibly fast; on my clean system, literally 1 second. Unzip the file, then either execute it or press Start > Run, then copy/paste this:

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

A report can be found in C:\TDSSKiller.txt

-  Also see Using TDSS Killer - http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

debs01x

  • Guest
Re: Alureon -HF [Rtk] and possibly other malware/viruses
« Reply #5 on: July 22, 2010, 05:29:48 AM »
I'm not sure what you mean by copy-pasting this:

Quote
"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

A report can be found in C:\TDSSKiller.txt

Can you be more specific? Where am I pasting this?

I ran TDSSKiller.exe and it found 1 infected file. I'm about to reboot my computer.

The TDSSKiller log is attached.


Can you help me remove Norton/Avast and reinstall Avast, or is there more I need to do to remove other spyware/malware that I may have? Thx. All help is definitely appreciated.
« Last Edit: July 22, 2010, 05:36:43 AM by debs01x »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89690
  • No support PMs thanks
Re: Alureon -HF [Rtk] and possibly other malware/viruses
« Reply #6 on: July 22, 2010, 05:58:06 AM »
I haven't used this tool. Did you not visit the bleepingcomputer.com "using tdsskiller" link?

My assumption is that this: "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v, everything in bold including the quotes " ", has to be copied into the Windows Run window (Windows key + R at the same time).

Though it seems that you have successfully navigated that particular obstacle; the end of the report indicates that it found one infected object (see below) and that it will be cured on reboot.

23:21:21:153 1992   Suspicious file (Forged): C:\Windows\system32\drivers\pciide.sys. Real md5: f3821233d9564fdb8a9667462a41028d, Fake md5: caba65e9c41cd2900d4c92d4f825c5f8

So if you haven't already rebooted, do so.

Re Norton:
A link worth looking at, which is a program removal tool that can remove the remnants of a number of different Norton Programs:
Removing your Norton program using SymNRT
Or ftp://ftp.symantec.com/public/english_us_canada/removal_tools/Norton_Removal_Tool.exe

~~~
Once you have run that and rebooted, you may not have to uninstall avast if everything appears to be running, and you should run another avast scan as the TDSS/Alureon rootkit may have been hiding other malware. I would also run MBAM again too.

That's me for the night, almost 5am here.
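The TDSSKiller line quoted above reports two hashes for the same driver: as I read TDSSKiller's wording, "Real md5" is the hash of the bytes actually on disk and "Fake md5" is what a normal file read returned while the rootkit was filtering it. A practical follow-up check after the cure and reboot is to hash the driver yourself and see which of the two it now matches, and, better, compare it against a known-good copy of the same file. The script below is an added example and is not code from the thread, from Kaspersky or from TDSSKiller; the report line is the one DavidR quoted, the `demo()` scenario (temporary files, the stub bytes and the second report line built from their hashes) is constructed, and on a real system you would point `check_entry` at the live driver and at a reference copy taken from install media.

```python
import hashlib
import os
import re
import tempfile
from typing import List, NamedTuple, Optional

# The line DavidR quoted from the poster's TDSSKiller report.
THREAD_LOG_LINE = (
    r"23:21:21:153 1992   Suspicious file (Forged): C:\Windows\system32\drivers\pciide.sys. "
    r"Real md5: f3821233d9564fdb8a9667462a41028d, Fake md5: caba65e9c41cd2900d4c92d4f825c5f8"
)

# Matches the "Suspicious file (<why>): <path>. Real md5: ..., Fake md5: ..." format
# seen in the thread; other TDSSKiller line types are ignored.
FORGED_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d:\d{3})\s+(?P<pid>\d+)\s+Suspicious file \((?P<why>[^)]+)\): "
    r"(?P<path>.+?)\. Real md5: (?P<real>[0-9a-fA-F]{32}), Fake md5: (?P<fake>[0-9a-fA-F]{32})$"
)


class ForgedEntry(NamedTuple):
    path: str
    why: str
    real_md5: str   # hash TDSSKiller computed from the bytes actually on disk
    fake_md5: str   # hash of the bytes a normal file read returned at scan time


def parse_forged_entries(log_text: str) -> List[ForgedEntry]:
    out = []
    for line in log_text.splitlines():
        m = FORGED_RE.match(line.strip())
        if m:
            out.append(ForgedEntry(m["path"], m["why"], m["real"].lower(), m["fake"].lower()))
    return out


def md5_of_file(path: str) -> str:
    """Chunked MD5 so large drivers are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_entry(entry: ForgedEntry, path: Optional[str] = None,
                reference: Optional[str] = None) -> dict:
    """Hash the file now and report which of the two logged hashes it matches.
    `path` overrides entry.path (e.g. when the log came from another machine);
    `reference` is a known-good copy of the same driver, which is the check that
    actually settles whether the file is clean."""
    current = md5_of_file(path or entry.path)
    if current == entry.real_md5:
        matches = "real"      # the bytes TDSSKiller flagged are still what you read
    elif current == entry.fake_md5:
        matches = "fake"
    else:
        matches = "neither"
    result = {"current_md5": current, "matches": matches}
    if reference is not None:
        result["matches_reference"] = current == md5_of_file(reference)
    return result


def demo() -> dict:
    """Constructed scenario: a 'driver' restored to its clean bytes, a clean
    reference copy, and a report line built from the two hashes."""
    clean = b"MZ" + b"clean driver stub" * 64         # constructed, not a real driver
    infected = b"MZ" + b"patched loader stub" * 64    # constructed
    with tempfile.TemporaryDirectory() as d:
        drv = os.path.join(d, "pciide.sys")
        ref = os.path.join(d, "pciide.sys.reference")
        with open(drv, "wb") as f:
            f.write(clean)
        with open(ref, "wb") as f:
            f.write(clean)
        line = ("00:00:00:000 1 Suspicious file (Forged): C:\\Windows\\system32\\drivers\\pciide.sys. "
                f"Real md5: {hashlib.md5(infected).hexdigest()}, Fake md5: {hashlib.md5(clean).hexdigest()}")
        entry = parse_forged_entries(line)[0]
        return check_entry(entry, path=drv, reference=ref)


if __name__ == "__main__":
    print(parse_forged_entries(THREAD_LOG_LINE))
    print(demo())
```

A current hash equal to the "Real" value means the flagged bytes are still what a normal read returns, so the cure did not take. A hash equal to the "Fake" value is only reassuring if the rootkit was presenting the genuine original, which the log alone cannot tell you; that is why the reference comparison, not the two logged hashes, is the deciding check.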

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: Alureon -HF [Rtk] and possibly other malware/viruses
« Reply #7 on: July 22, 2010, 07:07:33 AM »
From the HJT log, this entry is a pointer to the malware detection:
O4 - HKUS\S-1-5-19\..\Run: [bikuliwofu] Rundll32.exe "C:\ProgramData\bitonuta\bitonuta.dll",s (User 'LOCAL SERVICE')

The breakdown of the infection by Prevx:
http://www.prevx.com/filenames/491124072368123317-X1/BITONUTA.DLL.html

You may be a good way to successful removal, if not done already.
As David says, look at the specialist tools that are available to completely remove Norton.
I think some McAfee services are running as well, so maybe best to disable or remove them.

Run an avast boot-time scan to see what comes up   :)



Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

debs01x

  • Guest
Re: Alureon -HF [Rtk] and possibly other malware/viruses
« Reply #8 on: July 22, 2010, 08:02:18 AM »
Thx for the help. So I ran the Norton Removal Tool and removed the remnants of it.
I was then told by Windows that I have no firewall. Should I enable the firewall in Windows Security Center? I wasn't sure if avast acts as a firewall, so I turned on the firewall in Windows Security Center.

I ran Malwarebytes and it couldn't find anything. I ran Hitman Pro 3.5 and it found a lot of things. It removed the threats and rebooted my computer. Everything seems to be fine so far... except there are a couple of things bugging me.

- It takes a long time for my computer to boot up and get to the desktop.
- I cannot update my computer by running Windows Update. It keeps telling me that I'm not an administrator. I have tried the whole "delete the contents of the DataStore folder" thing, but it keeps telling me that the two items in the folder are in use.

I am the admin for this comp; the account says it's an admin account. I specifically went into the Control Panel to confirm this.

Any help is appreciated. Thanks.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89690
  • No support PMs thanks
Re: Alureon -HF [Rtk] and possibly other malware/viruses
« Reply #9 on: July 22, 2010, 03:37:50 PM »
The free and pro versions don't have a firewall, but the paid Avast Internet Security suite does.

As a temp measure until you get another firewall (free options below), yes, you should start the Windows firewall.
Many forum users are using these:
- PC Tools Firewall seems to have the least user headaches as it doesn't seem to be constantly asking the user questions about this and that.
- Online Armor, for the most part fine, but it has caused some users grief after avast program updates and that is something you have to watch out for.
- Outpost Firewall 2009 free, a cut down version of the Outpost Firewall Pro version, which should still provide good protection, http://free.agnitum.com/. Download, http://www.filehippo.com/download_outpost_firewall/

When you run other tools you should report their findings, as that helps us get an idea of what was there and whether there is anything else that might need to be done. I'm not a great fan of Hitman Pro; the only things it found on my system were FPs, though I didn't expect it to find anything as my system should be clean.

debs01x

  • Guest
Re: Alureon -HF [Rtk] and possibly other malware/viruses
« Reply #10 on: July 22, 2010, 04:24:12 PM »
Thanks for the help, guys. OK, so I ran HijackThis. The log is attached.

I also did a boot-time scan with avast last night, which didn't find anything, a full scan with avast this morning, which didn't find anything, and I think a quick scan with Malwarebytes, which didn't find anything.

I've also attached the Hitman log from the time when I ran it and it picked up several things.

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: Alureon -HF [Rtk] and possibly other malware/viruses
« Reply #11 on: July 22, 2010, 07:12:24 PM »
There are a few entries in your HJT scan which could be Fix checked (bottom left corner):

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - (no file)

O2 - BHO: (no name) - {b3b4f834-871b-4f4b-a849-1a5590281804} - (no file)

O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)

O23 - Service: RelevantKnowledge - Unknown owner - C:\Program Files\RelevantKnowledge\rlservice.exe (file missing)

You could also uninstall McAfee Security Scanner, as it seems to run as a service, though not at startup.
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe

And you also run Prevx.
You would know more than me the routine to enable all these security services to run on the same desktop.


The following entry needs closer attention: if you don't know bitonuta, then Fix check this entry, as there are some bad reports.

O4 - HKUS\S-1-5-19\..\Run: [bikuliwofu] Rundll32.exe "C:\ProgramData\bitonuta\bitonuta.dll",s (User 'LOCAL SERVICE')

The screenshots below show that this file has been identified as being a trojan:

http://www.uninstall-spyware.com/removeTrojanGeneric.html  (bitonuta.jpg)
http://www.pcthreat.com/parasitebyid-6789en.html  (bitonuta1.jpg)
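The two mkis replies above (Reply #7 and Reply #11) pick entries out of the HijackThis log by eye: BHOs and services whose file is gone, and a Run entry in the LOCAL SERVICE hive that uses Rundll32 to load a DLL out of C:\ProgramData. The script below is an added example, not code from the thread or from the HijackThis project, that applies those same three rules to log text so the triage is repeatable. The sample log is constructed from the lines quoted in this thread plus one benign avast service entry that is an assumption and does not appear in the poster's log.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample: the HijackThis lines quoted in this thread, plus one
# benign control entry (the avast service line) that is an assumption and
# does not come from the poster's log.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - (no file)
O2 - BHO: (no name) - {b3b4f834-871b-4f4b-a849-1a5590281804} - (no file)
O4 - HKUS\S-1-5-19\..\Run: [bikuliwofu] Rundll32.exe "C:\ProgramData\bitonuta\bitonuta.dll",s (User 'LOCAL SERVICE')
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)
O23 - Service: RelevantKnowledge - Unknown owner - C:\Program Files\RelevantKnowledge\rlservice.exe (file missing)
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
"""


class Finding(NamedTuple):
    kind: str     # "orphan": nothing left to run, safe to Fix; "suspect": investigate
    reason: str
    line: str


O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+?)(?: \(User '(?P<user>[^']+)'\))?$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
DLL_RE = re.compile(r'"?(?P<dll>[A-Za-z]:\\[^"]+?\.dll)"?', re.IGNORECASE)

# Directories an ordinary user (or LOCAL SERVICE) can write to; legitimate Run
# entries normally point into Program Files or the Windows directory.
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\tmp\\")
# Run keys under the SYSTEM, LOCAL SERVICE and NETWORK SERVICE hives are rare for
# legitimate software and attractive to malware that wants to start regardless
# of which user logs in.
SERVICE_HIVES = ("S-1-5-18", "S-1-5-19", "S-1-5-20")


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one HJT line, or None if nothing stands out."""
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        if m["path"] == "(no file)":
            return Finding("orphan", "BHO registered but its file is gone", line)
        return None
    m = O23_RE.match(line)
    if m:
        if m["missing"]:
            return Finding("orphan", "service registered but binary missing", line)
        return None
    m = O4_RE.match(line)
    if m:
        reasons = []
        if any(sid in m["hive"] for sid in SERVICE_HIVES):
            reasons.append("autorun under a service-account hive")
        dll = DLL_RE.search(m["cmd"])
        if "rundll32" in m["cmd"].lower() and dll:
            if any(d in dll["dll"].lower() for d in USER_WRITABLE):
                reasons.append("rundll32 loading a DLL from a user-writable directory")
        if reasons:
            return Finding("suspect", "; ".join(reasons), line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log, keeping only the hits in log order."""
    return [f for f in (triage_line(ln) for ln in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```

On the sample this flags the two orphan BHOs, the two orphan services and the bikuliwofu Run entry (for both reasons), and stays quiet on the McAfee and avast services. Orphans are safe to Fix because there is nothing left for them to run; a "suspect" hit is a pointer for further checking, as mkis does with the Prevx write-up, not a verdict on its own.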

debs01x

  • Guest
Re: Alureon -HF [Rtk] and possibly other malware/viruses
« Reply #12 on: July 22, 2010, 10:55:00 PM »
Thank you. I've Fix checked the above. Anything else?

I would also like to be able to run Windows Updates...

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618

debs01x

  • Guest
Re: Alureon -HF [Rtk] and possibly other malware/viruses
« Reply #14 on: July 23, 2010, 03:32:18 AM »
Thank you so much. Anything else?