Win32:Alureon rootkit & browser redirected

Discussion in 'Malware Help (A Specialist Will Reply)' started by frazzo, Nov 14, 2009.

  1. frazzo

    frazzo Private E-2

    Hi: Avast keeps alerting me that I have the win32:Alureon-EC(RTK) virus. I've quarantined it several times now but it still pops up.
    My web browser is increasingly redirected to sites I'm not searching for.
    I've used Malwarebytes' AntiMalware, BitDefender, and Glary Utilities to try and help clean this up as well. They all find the same things over and over again but problems persist.
    Please help

    Frazzo
     
  2. evilfantasy

    evilfantasy Malware Fighter

  3. frazzo

    frazzo Private E-2

    Hi: Well I followed the directions and have attached the logs. I hope I did that okay.
    Now I'm getting Avast popping up with
    File: c:\sdra64.exe
    Malware name: Win32:VB-NSD(drp)
    Dropper
    VPS-091117

    So it looks like a different malware but it does exactly what it was doing before but just with different names.
    So any ideas now please????
    Frazzo
     

    Attached Files:

  4. frazzo

    frazzo Private E-2

    Hi: I have one more log file for you. Hope I got this right
    Thanks
    Frazzo
     

    Attached Files:

  5. evilfantasy

    evilfantasy Malware Fighter

    Are you able to run RootRepeal now and get that log also? Running RootRepeal.

    Do you know what all of these .bat and .reg files are?

    Code:
    2010-04-09 22:34 . 2008-08-26 14:02 1580 ----a-w- c:\windows\Uninstsxga.bat
    2010-04-09 22:34 . 2008-06-25 23:38 2052 ----a-w- c:\windows\Uninstvga.bat
    2010-04-09 22:34 . 2008-06-25 23:00 1682 ----a-w- c:\windows\Uninstuxga.bat
    2010-04-09 22:34 . 2008-03-22 01:44 384 ----a-w- c:\windows\Uninstvga.reg
    2010-04-09 22:34 . 2008-03-22 01:44 386 ----a-w- c:\windows\Uninstsxga.reg
    2010-04-09 22:34 . 2008-03-22 01:38 386 ----a-w- c:\windows\Uninstuxga.reg

    Download Win32kDiag.exe

    Be sure to save the Win32kDiag file to your desktop.

    Click on Start->Run, and copy-paste the following command (the below red text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop.

    "%userprofile%\desktop\win32kdiag.exe" -f -r

    Copy and paste the entire contents of the Win32kDiag.txt and the avenger.txt in your next post.



    1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
    It must be Notepad, not Wordpad.
    2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

    Code:
    KillAll::
    
    MBR::
    
    FCopy::
    C:\MGtools\temp\XPSP3\eventlog.dllmg | c:\windows\system32\eventlog.dll
    
    Registry::
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    
    
    3. Go to the Notepad window and click Edit > Paste
    4. Then click File > Save
    5. Name the file CFScript.txt - Save the file to your Desktop
    6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

    http://i154.photobucket.com/albums/s258/evilfantasy69/CFScript-1.gif

    ComboFix will begin to execute, just follow the prompts.
    After reboot (in case it asks to reboot), it will produce a log for you.
    Post that log (Combofix.txt) in your next reply.

    Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze



    Please go to Jotti's malware scan
    (If more than one file needs scanned they must be done separately and logs posted for each one)

    * Copy the file path in the below Code box:
    Code:
    %windir%\\system32\\conime.exe
    * At the upload site, click once inside the window next to Browse.
    * Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
    * Next click Submit file
    * Your file will possibly be entered into a queue which normally takes less than a minute to clear.
    * This will perform a scan across multiple different virus scanning engines.
    * Important: Wait for all of the scanning engines to complete.
    * Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.



    Now run a new scan with MGtools and attach the log. Using MGtools



    Next post please add:

    • Win32kDiag.txt
    • ComboFix log
    • Jotti results
    • New MGlogs.zip


    You also need to update your Java! Updating Sun Java
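The six `Uninst*.bat` / `Uninst*.reg` lines quoted above are in ComboFix's file-listing format, and the question "do you know what these files are?" is really a timestamp question: they were all created on the machine within the same minute while carrying much older modification times. The following is an added example, not code from the thread or from ComboFix, that parses such lines and pulls out exactly those facts. It assumes the column order `created . modified size attributes path` and assumes a meaning for a few attribute letters; the sample input is the six lines from the thread.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Assumed layout of one ComboFix listing line (assumption drawn from the six
# lines quoted in the thread; the format is not documented on this page):
#   <created date time> . <modified date time> <size> <attributes> <path>
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\.\s+"
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+"
    r"(?P<attrs>[-A-Za-z]{8})\s+"
    r"(?P<path>\S.*?)\s*$"
)

# Assumed meaning of attribute letters; anything else is reported as the raw letter.
ATTR_NAMES = {"d": "directory", "r": "read-only", "h": "hidden",
              "s": "system", "a": "archive"}


@dataclass(frozen=True)
class FileEntry:
    created: datetime
    modified: datetime
    size: int
    attrs: str
    path: str

    def attribute_names(self):
        """Expand the 8-character attribute field, skipping '-' placeholders."""
        return [ATTR_NAMES.get(c, c) for c in self.attrs if c != "-"]


def parse_listing(text):
    """Parse every non-blank line of a ComboFix-style file listing."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised listing line: {line!r}")
        entries.append(FileEntry(
            created=datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
            modified=datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
            size=int(m["size"]),
            attrs=m["attrs"],
            path=m["path"],
        ))
    return entries


def group_by_creation_minute(entries):
    """Paths that appeared on disk in the same minute usually came from one installer or dropper."""
    groups = defaultdict(list)
    for e in entries:
        groups[e.created].append(e.path)
    return dict(groups)


def created_after_modified(entries):
    """Files whose on-disk creation is later than their modification time: they were
    copied in with the source's timestamps preserved rather than written fresh."""
    return [e for e in entries if e.created > e.modified]


def hidden_or_system(entries):
    """Entries carrying the hidden or system attribute, worth a second look in triage."""
    return [e for e in entries if "h" in e.attrs or "s" in e.attrs]


# Sample input: the six lines quoted in the thread.
SAMPLE = r"""
2010-04-09 22:34 . 2008-08-26 14:02 1580 ----a-w- c:\windows\Uninstsxga.bat
2010-04-09 22:34 . 2008-06-25 23:38 2052 ----a-w- c:\windows\Uninstvga.bat
2010-04-09 22:34 . 2008-06-25 23:00 1682 ----a-w- c:\windows\Uninstuxga.bat
2010-04-09 22:34 . 2008-03-22 01:44 384 ----a-w- c:\windows\Uninstvga.reg
2010-04-09 22:34 . 2008-03-22 01:44 386 ----a-w- c:\windows\Uninstsxga.reg
2010-04-09 22:34 . 2008-03-22 01:38 386 ----a-w- c:\windows\Uninstuxga.reg
"""

ENTRIES = parse_listing(SAMPLE)

if __name__ == "__main__":
    for when, paths in group_by_creation_minute(ENTRIES).items():
        print(f"{len(paths)} files created at {when:%Y-%m-%d %H:%M}:")
        for p in paths:
            print("   ", p)
    print("created after modified:", len(created_after_modified(ENTRIES)))
    print("hidden/system:", [e.path for e in hidden_or_system(ENTRIES)])
    print("attributes of first entry:", ENTRIES[0].attribute_names())
```

Run on the sample, it reports one creation group of six paths, all six with a creation time later than their modification time, and none hidden or system. That pattern (one batch, old modification stamps, ordinary attributes, names that match a driver package's uninstall helpers) is what you would weigh against the file contents before deciding whether to put them in a `File::` section of a CFScript as the helper does later in the thread.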
     
  6. frazzo

    frazzo Private E-2

    Thanks for the help. The only thing I could not do was use the Jotti malware scan. I could copy the required info (%windir%\\system32\\conime.exe) but I couldn't paste it in Jotti. I must have tried 20 times with the "Ctrl+V" thing and even just the paste command.
    So the other logs are attached as asked.

    I'm still getting my browser redirected when trying to search. It's increasingly difficult to get to where I'm going on the Web.

    I look forward to your continued help.
    Frazzo
     

    Attached Files:

  7. evilfantasy

    evilfantasy Malware Fighter

    Sorry. I had copied the file path wrong.

    Please use this for the Jotti's malware scan.

    Code:
    %windir%\system32\conime.exe

    Download the MBR Rootkit Detector to your desktop.

    Go to Start > Run then copy and paste the following red text into the Open field:

    Code:
    "%userprofile%\desktop\mbr.exe" -f

    Next, double click on the mbr.exe file and post the contents of the new mbr.log



     
  8. frazzo

    frazzo Private E-2

    Attached Files:

  9. evilfantasy

    evilfantasy Malware Fighter

    Delete ComboFix and download a new copy.

    Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

    Link #1
    Link #2

    **Note: It is important that it is saved directly to your Desktop

    DO NOT run it yet!

    Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

    Delete these files/folders, as follows:

    1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
    It must be Notepad, not Wordpad.
    2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

    Code:
    KillAll::
    
    MBR::
    
    File::
    c:\windows\Uninstsxga.bat
    c:\windows\Uninstvga.bat
    c:\windows\Uninstuxga.bat
    c:\windows\Uninstvga.reg
    c:\windows\Uninstsxga.reg
    c:\windows\Uninstuxga.reg
    
    
    3. Go to the Notepad window and click Edit > Paste
    4. Then click File > Save
    5. Name the file CFScript.txt - Save the file to your Desktop
    6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

    http://i154.photobucket.com/albums/s258/evilfantasy69/CFScript-1.gif

    ComboFix will begin to execute, just follow the prompts.
    After reboot (in case it asks to reboot), it will produce a log for you.
    Post that log (Combofix.txt) in your next reply.

    Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze



    Now run a new scan with MGtools and attach the log. Using MGtools


    Also let me know how the computer is running now.
     
  10. frazzo

    frazzo Private E-2

    Hi Pal: So the logs you asked for are here.

    So far the redirecting of my browser seems to have stopped (Thank god)

    Actually thank you.

    I'll let you know if the little shit raises it's ugly head again.

    Cheers
    Frazzo
     

    Attached Files:

  11. evilfantasy

    evilfantasy Malware Fighter

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX Checked until you exit all browser sessions including the one you are reading in right now:


    • O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

    After clicking Fix checked, exit HijackThis.



    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
