Topic: Infection: Win32:Alureon-CO [Rtk]


Offline srezel

  • Newbie
  • *
  • Posts: 3
Infection: Win32:Alureon-CO [Rtk]
« on: August 25, 2009, 08:07:25 PM »
Hi, I'm a new user to avast!, just switched over from AVG due to friend recommendations. avast! seems to have found a virus/malware that AVG missed, but avast! doesn't seem to be able to repair it or move it to the Chest. I'm reluctant to delete it as I'm unsure if it's a crucial file. Please advise on what I can do to get rid of it.

Here's what turned up from the scan:

File name: C:\WINDOWS\system32\drivers\kbiwkmsvipxevp.sys
Malware name: Win32:Alureon-CO [Rtk]
Malware type: Rootkit
VPS version: 090824-0, 08/24/2009


Is it a harmful infection? Any answers or help at all would be greatly appreciated. Thanks much :)


Offline micky77

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1048
  • Trust no program
Re: Infection: Win32:Alureon-CO [Rtk]
« Reply #1 on: August 25, 2009, 08:15:08 PM »
Maybe this is a new one. Try RootRepeal as in this thread's pictures: http://forum.avast.com/index.php?topic=47639.msg402995#msg402995

http://rootrepeal.googlepages.com/
Then post the log; it might show something.
I Sandboxie

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67275
Re: Infection: Win32:Alureon-CO [Rtk]
« Reply #2 on: August 25, 2009, 08:17:59 PM »
It's malware for sure.
Only a few executable files infected by a few malware types can be repaired.
It's a rootkit that you can try sending to the Chest or directly remove (delete).
It would also be good to scan at boot time.
Welcome to the avast forums.
The best things in life are free.

Offline srezel

  • Newbie
  • *
  • Posts: 3
Re: Infection: Win32:Alureon-CO [Rtk]
« Reply #3 on: August 25, 2009, 08:23:40 PM »
It's malware for sure.
Only a few executable files infected by a few malware types can be repaired.
It's a rootkit that you can try sending to the Chest or directly remove (delete).
It would also be good to scan at boot time.
Welcome to the avast forums.

Hi guys, thanks for the double quick response! So can I just delete the file, since I can't send it to Chest?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67275
Re: Infection: Win32:Alureon-CO [Rtk]
« Reply #4 on: August 25, 2009, 08:30:59 PM »
Hi guys, thanks for the double quick response! So can I just delete the file, since I can't send it to Chest?
Try sending it to the Chest at boot time. It's safer.

Are you using Windows XP or Vista?
Can you schedule a boot-time scan?
Start avast! > Right-click the skin > Schedule a boot-time scanning.
Select scanning of archives.
Boot.
If infected files are found, it's safer to send them to the Chest instead of deleting them.
This way you can analyse them further.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83011
  • No support PMs thanks
Re: Infection: Win32:Alureon-CO [Rtk]
« Reply #5 on: August 25, 2009, 09:13:46 PM »
<snip>
Hi guys, thanks for the double quick response! So can I just delete the file, since I can't send it to Chest?

It is a rootkit, so it is protected, and even if you manage to delete it, it could come back. That is why RootRepeal, a specialist anti-rootkit, was suggested by micky77.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 1909 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.2.2401 (build 20.2.5130.570) UI-1.0.505/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro
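The driver reported in the first post has the random-looking file name that helps a responder spot such drivers among the genuine ones in the drivers directory. As an added example (not code from this thread or from avast), the script below scores driver names with a few cheap lexical indicators and checks unknown names against a known-good baseline; the sample names and the baseline are constructed here, and a hit is a lead for a rootkit scanner or hash lookup, not a verdict.

```python
import re

# Constructed sample: the driver avast reported in this thread plus a few
# genuine Windows XP drivers for contrast (not a real directory listing).
SAMPLE_DRIVERS = [
    "kbiwkmsvipxevp.sys",  # the detection reported in this thread
    "ntfs.sys", "tcpip.sys", "classpnp.sys", "kbdclass.sys", "fastfat.sys",
]

# Baseline of names known to belong to the installed OS. In practice this
# comes from a clean reference machine or a hash allowlist, never from the
# suspect system itself; it is kept to a handful of names here.
KNOWN_GOOD = {"ntfs.sys", "tcpip.sys", "classpnp.sys", "kbdclass.sys", "fastfat.sys"}

VOWELS = set("aeiouy")

def indicators(filename: str) -> dict:
    """Cheap lexical signals that a file stem looks machine-generated."""
    stem = filename.lower().rsplit(".", 1)[0]
    letters = [c for c in stem if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    longest_run = max((len(r) for r in re.findall(r"[^aeiouy]+", stem)), default=0)
    return {
        "long_name": len(stem) >= 10,        # genuine drivers are mostly short abbreviations
        "consonant_run": longest_run >= 4,   # e.g. "wkmsv" inside the thread's sample
        "few_vowels": vowel_ratio < 0.3,
    }

def looks_random(filename: str) -> bool:
    """Require every indicator, so short legitimate names like ntfs.sys pass."""
    return all(indicators(filename).values())

def triage(names, known_good=KNOWN_GOOD) -> list:
    """Driver names worth a closer look: not in the baseline AND random-looking.
    A hit is a lead for a rootkit scanner or hash lookup, not a verdict."""
    return [n for n in names if n.lower() not in known_good and looks_random(n)]

if __name__ == "__main__":
    for name in triage(SAMPLE_DRIVERS):
        print("review:", name, indicators(name))
```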

Offline micky77

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1048
  • Trust no program
Re: Infection: Win32:Alureon-CO [Rtk]
« Reply #6 on: August 25, 2009, 09:31:31 PM »
Yes indeed; to make matters worse, I've not heard of this one. These TDSS variants are getting worse. One, Skynet, recently managed (under certain circumstances) to escape Sandboxie and write to disc :o

Offline srezel

  • Newbie
  • *
  • Posts: 3
Re: Infection: Win32:Alureon-CO [Rtk]
« Reply #7 on: August 25, 2009, 10:17:42 PM »
<snip>
Hi guys, thanks for the double quick response! So can I just delete the file, since I can't send it to Chest?

It is a rootkit, so it is protected, and even if you manage to delete it, it could come back. That is why RootRepeal, a specialist anti-rootkit, was suggested by micky77.

Hey guys, I am currently running a boot scan to try and move the virus to the vault from there; if that doesn't work, I'll try Micky's suggestion. Thanks. Btw, does anyone know what the effects of this virus are? Because my desktop seems to be functioning normally.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83011
  • No support PMs thanks
Re: Infection: Win32:Alureon-CO [Rtk]
« Reply #8 on: August 25, 2009, 11:41:48 PM »
Rootkits are used for hiding many things, so it could be almost anything. Regardless of what happens on the boot-time scan, you should still run RootRepeal.

Offline spooker88

  • Newbie
  • *
  • Posts: 4
Re: Infection: Win32:Alureon-CO [Rtk]
« Reply #9 on: August 29, 2009, 06:29:45 AM »
Hi all,
Luckily, I've never had need to frequent these forums before, but I've got some infection problems now that I'd really appreciate help with. I enjoy doing PC maintenance, so I did a routine boot-time scan with Avast and it found a whole slew of infections:
win32:Alureon-co
win32:Patched-KY
win32:Trojan-gen
win32:Agent-AGPZ
win32:FakeAV-OZ
win32:Fasec

I deleted them all. Then I did another boot-time scan and it picked up Alureon-co again. I've read this thread and the advice to run RootRepeal. Here is the log:
http://www.mediafire.com/?sharekey=b302090178091ac4111096d429abd360e04e75f6e8ebb871

It's really large, so I didn't want to paste it into a forum post. Like the guy in this thread with the Alureon problem, I didn't notice any PC performance problems. Also, I appear to have gotten the infection around the same time as him.
Thank you so much for any and all advice.

Cheers,
Spooker

Offline micky77

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1048
  • Trust no program
Re: Infection: Win32:Alureon-CO [Rtk]
« Reply #10 on: August 29, 2009, 09:16:44 AM »
What is the name and location of the file that Avast finds as Alureon? Maybe it's in System Restore.

Spooker, try this: open RootRepeal, click on Report, click Scan, tick Files, tick C:, then post that log.
« Last Edit: August 29, 2009, 11:07:28 AM by micky77 »

Offline spooker88

  • Newbie
  • *
  • Posts: 4
Re: Infection: Win32:Alureon-CO [Rtk]
« Reply #11 on: August 29, 2009, 08:35:57 PM »
Thanks micky. That's a good point; I think it might have come up in the restore file. I scanned files with RootRepeal and it didn't come up with anything (except Firefox, which I had open). So, am I home free? ;D

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83011
  • No support PMs thanks
Re: Infection: Win32:Alureon-CO [Rtk]
« Reply #12 on: August 29, 2009, 08:45:17 PM »
Check the avast! Log Viewer (right-click the avast 'a' icon), Warning section; this contains information on all avast detections: C:\Program Files\Alwil Software\Avast4\ashLogV.exe

- Or check the source file with Notepad, C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log, and copy and paste the entry.

Offline spooker88

  • Newbie
  • *
  • Posts: 4
Re: Infection: Win32:Alureon-CO [Rtk]
« Reply #13 on: August 30, 2009, 01:32:15 AM »
Hi David,
The Avast log didn't come up with any warnings. But I think that's because, since I found the infection, I uninstalled Avast to see what some other antivirus programs would find. I've reinstalled it since, done a boot-time scan and found nothing.
Spooks
« Last Edit: August 30, 2009, 01:34:38 AM by spooker88 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83011
  • No support PMs thanks
Re: Infection: Win32:Alureon-CO [Rtk]
« Reply #14 on: August 30, 2009, 02:32:08 AM »
Yes, when you uninstall avast, it will remove all avast elements, logs and the contents of the Chest.