Author Topic: win32: Alureon-FZ  (Read 15113 times)


Offline Zyndstoff (aka Steven Gail)

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2613
  • I can resist anything except temptation.
    • tex62
Re: win32: Alureon-FZ
« Reply #15 on: April 26, 2011, 10:14:57 AM »
Quote
Why isn't Avast catching these things coming in and blocking them?

Because it didn't detect them...
Maybe the infection has been on your disc for a longer period already.

I would recommend a deeper inspection of your HD with other tools as well to make sure the infection has been removed.
You could start that with Malwarebytes Antimalware:
Click on MBAM in my signature, download the free version, install and start it.
Update the program via its GUI after starting it.
Run a quick scan (just a few minutes).
Post the log here.
7 x64 SP1, FF 8a Aurora, TB6, 6.0.1203 Free
Free MBAM Clear

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36619
Re: win32: Alureon-FZ
« Reply #16 on: April 26, 2011, 10:17:55 AM »
since this problem is coming back i would recommend you let Essexboy have a look inside


Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
( post the logs here in this topic and not in the guide )


To avoid using multiple posts with copy and paste, you have to attach the logs.
Lower left corner: Additional Options > Attach ( Malwarebytes log / OTS log )
OTS log must be saved as ANSI and not Unicode

Essexboy will look at the logs when he arrives here later today...


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40631
  • Dragons by Sasha
    • Malware fixes
Re: win32: Alureon-FZ
« Reply #17 on: April 26, 2011, 08:46:21 PM »
Looking at the shots you sent - Avast quarantined the droppers... This would suggest that there is an unknown file on your system trying to get it

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start the scan

On completion of the scan click save log, save it to your desktop and post in your next reply

THEN

Download OTS to your Desktop and double-click on it to run it
  • Make sure you close all other programs and don't use the PC while the scan runs.
  • Select All Users
  • Under additional scans select the following
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

  • Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

  • Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Please attach the log in your next post.

Offline homedog

  • Jr. Member
  • **
  • Posts: 40
Re: win32: Alureon-FZ
« Reply #18 on: April 26, 2011, 09:19:56 PM »
Thanks essex.  Had blue screen on computer when I got home  >:(

Here are the scan results:

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-26 13:49:50
-----------------------------
13:49:50.687    OS Version: Windows 5.1.2600 Service Pack 3
13:49:50.687    Number of processors: 4 586 0xF0B
13:49:50.687    ComputerName: D2JZC5G1  UserName:
13:50:58.250    Initialize success
13:51:07.281    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdePort0
13:51:07.296    Disk 0 Vendor: SAMSUNG_HD501LJ CR100-13 Size: 476940MB BusType: 3
13:51:07.296    Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskSAMSUNG_HD501LJ_________________________CR100-13#5&163e592b&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
13:51:07.312    Device \Driver\atapi -> DriverStartIo 8ac18af1
13:51:07.375    Disk 0 MBR read successfully
13:51:07.375    Disk 0 MBR scan
13:51:07.406    Disk 0 scanning sectors +976768065
13:51:07.500    Disk 0 scanning C:\WINDOWS\system32\drivers
13:51:25.343    File C:\WINDOWS\system32\drivers\ftdisk.sys TDL3 **ROOTKIT**
13:51:25.359    Disk 0 trace - called modules:
13:51:25.406    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8ac18ecc]<<
13:51:25.406    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8acb9ab8]
13:51:25.421    3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000067[0x8aca0f18]
13:51:25.437    5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> [0x8ac9f940]
13:51:25.453    [0x8ac5d0c8] -> IRP_MJ_CREATE -> 0x8ac18ecc
13:51:25.484    Scan finished successfully
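
The aswMBR output above is the evidence the next replies act on: the TDL3 signature on ftdisk.sys and a disk call trace that ends at an address belonging to no loaded module. The parser below is an added example, not part of this thread or of aswMBR itself; the sample lines are copied from the log above, and the function names and the "within a page of DriverStartIo" heuristic are my own assumptions about what a triage script should flag.

```python
import re
from typing import Dict, List

# Constructed sample: the security-relevant lines from the aswMBR log posted above.
SAMPLE_LOG = r"""
13:51:07.312    Device \Driver\atapi -> DriverStartIo 8ac18af1
13:51:07.375    Disk 0 MBR read successfully
13:51:25.343    File C:\WINDOWS\system32\drivers\ftdisk.sys TDL3 **ROOTKIT**
13:51:25.359    Disk 0 trace - called modules:
13:51:25.406    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8ac18ecc]<<
13:51:25.453    [0x8ac5d0c8] -> IRP_MJ_CREATE -> 0x8ac18ecc
13:51:25.484    Scan finished successfully
"""

ROOTKIT_RE = re.compile(r"File (?P<path>.+?) (?P<family>\S+) \*\*ROOTKIT\*\*$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[0x(?P<addr>[0-9a-fA-F]+)\]<<")
DISPATCH_RE = re.compile(r"\] -> (?P<irp>IRP_MJ_\w+) -> 0x(?P<addr>[0-9a-fA-F]+)")
STARTIO_RE = re.compile(r"Device (?P<drv>\\Driver\\\w+) -> DriverStartIo (?P<addr>[0-9a-fA-F]+)")


def parse_aswmbr(text: str) -> Dict[str, list]:
    """Pull the security-relevant facts out of an aswMBR log (hypothetical helper)."""
    found = {"rootkit_files": [], "unknown_hooks": [], "dispatch": [], "start_io": []}
    for line in text.strip().splitlines():
        if m := ROOTKIT_RE.search(line):
            found["rootkit_files"].append((m["path"], m["family"]))
        if m := UNKNOWN_RE.search(line):
            found["unknown_hooks"].append(int(m["addr"], 16))
        if m := DISPATCH_RE.search(line):
            found["dispatch"].append((m["irp"], int(m["addr"], 16)))
        if m := STARTIO_RE.search(line):
            found["start_io"].append((m["drv"], int(m["addr"], 16)))
    return found


def assess(found: Dict[str, list]) -> List[str]:
    """Turn parsed facts into reasons to treat the disk stack as compromised."""
    reasons = []
    for path, family in found["rootkit_files"]:
        reasons.append(f"{family} signature in {path}")
    for irp, addr in found["dispatch"]:
        # A dispatch routine that resolves to no loaded module means something
        # answers disk I/O before the real driver does: a hooked disk stack.
        if addr in found["unknown_hooks"]:
            reasons.append(f"{irp} handled at 0x{addr:08x}, outside every loaded module")
            for drv, sio in found["start_io"]:
                # Assumed heuristic: note when the hook lies within a page of a driver's StartIo.
                if 0 <= addr - sio < 0x1000:
                    reasons.append(f"hook sits {addr - sio} bytes past {drv} DriverStartIo")
    return reasons
```

A clean log (no ROOTKIT line, no UNKNOWN entry in the trace) yields an empty reason list, which is what Reply #29 expects a re-run to show.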


Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36619
Re: win32: Alureon-FZ
« Reply #19 on: April 26, 2011, 09:26:16 PM »
see lower left corner > additional options > attach   ;)     OTS log must be saved as ANSI

Offline homedog

  • Jr. Member
  • **
  • Posts: 40
Re: win32: Alureon-FZ
« Reply #20 on: April 26, 2011, 09:27:11 PM »
Sorry for the clutter.  Maybe a mod can delete that mess.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36619
Re: win32: Alureon-FZ
« Reply #21 on: April 26, 2011, 09:28:15 PM »
Quote
Sorry for the clutter.  Maybe a mod can delete that mess.
you can do that... edit

Offline Zyndstoff (aka Steven Gail)

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2613
  • I can resist anything except temptation.
    • tex62
Re: win32: Alureon-FZ
« Reply #22 on: April 26, 2011, 09:30:24 PM »
Quote
see lower left corner > additional options > attach   ;)     OTS log must be saved as ANSI

What Pondus is trying to say: please resend and attach the OTS-Log as .txt-file.

[edit] ...too slow...  :(
7 x64 SP1, FF 8a Aurora, TB6, 6.0.1203 Free
Free MBAM Clear

Offline homedog

  • Jr. Member
  • **
  • Posts: 40
Re: win32: Alureon-FZ
« Reply #23 on: April 26, 2011, 09:32:25 PM »
Sorry guys.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36619
Re: win32: Alureon-FZ
« Reply #24 on: April 26, 2011, 09:33:51 PM »
Quote
Sorry guys.
no need to be sorry....there is a first time for everything  ;D

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40631
  • Dragons by Sasha
    • Malware fixes
Re: win32: Alureon-FZ
« Reply #25 on: April 26, 2011, 09:35:01 PM »
Quote
13:51:25.343    File C:\WINDOWS\system32\drivers\ftdisk.sys TDL3 **ROOTKIT**
Avast can not yet cure this -- But I know who can

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:
[Unregister Dlls]
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> {0BDA0769-FD72-49F4-9266-E1FB004F4D8F} [HKLM] -> Reg Error: Value error. [IObit Toolbar]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> "{0BDA0769-FD72-49F4-9266-E1FB004F4D8F}" [HKLM] -> Reg Error: Value error. [IObit Toolbar]
YN -> "{B43176CC-4D9E-493B-A636-D9CBFE39C6DA}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}" [HKLM] -> [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}" [HKLM] -> [Reg Error: Key error.]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} [HKLM] -> [Reg Error: Value error.]
[Files - No Company Name]
NY ->  dusevazo -> C:\WINDOWS\System32\dusevazo
[File - Lop Check]
NY ->  ~0 -> C:\Documents and Settings\All Users\Application Data\~0
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
 

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix.  Post that information back here

I will review the information when it comes back in.

THEN

Please read carefully and follow these steps. 
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Offline homedog

  • Jr. Member
  • **
  • Posts: 40
Re: win32: Alureon-FZ
« Reply #26 on: April 26, 2011, 09:52:05 PM »
It forced me to reboot before it would finish.  Log attached.  Will continue on with next steps.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40631
  • Dragons by Sasha
    • Malware fixes
Re: win32: Alureon-FZ
« Reply #27 on: April 26, 2011, 10:00:14 PM »
Yep that was whilst it cleared the remainder of your temp files - This next programme will identify ftdisk as needing curing, allow it to do so then reboot


Offline homedog

  • Jr. Member
  • **
  • Posts: 40
Re: win32: Alureon-FZ
« Reply #28 on: April 26, 2011, 10:03:11 PM »
It did.  File attached.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40631
  • Dragons by Sasha
    • Malware fixes
Re: win32: Alureon-FZ
« Reply #29 on: April 26, 2011, 10:04:54 PM »
If you could re-run ASWMbr now it should show clear ... Any other problems ?