Author Topic: Win32:Alureon-AM [Rtk] & Win32:Rustock-AM [Rtk] ???

TheOne^

  • Guest
Win32:Alureon-AM [Rtk] & Win32:Rustock-AM [Rtk] ???
« on: August 26, 2009, 10:01:16 PM »
Hey there,

I'm using avast Home Edition, and some time ago I was scanning my C drive, expecting it to be clean,
when all of a sudden avast warned me about an infection named Win32:Alureon-AM [Rtk]
and I couldn't move/delete it; nothing worked.
I have done a boot scan (while being AFK), but the infection is still around, and now there is another one, Win32:Rustock-AM.

Detection log over time:
24-7-2009 18:47:55 Sign of "Win32:Alureon-AM [Rtk]" has been found in "C:\ProgramData\Microsoft\Windows\WER\ReportArchive\Report0bf802ae\Report.cab\Mini051709-01.dmp" file.  
25-7-2009 0:54:20  Sign of "Win32:Alureon-AM [Rtk]" has been found in "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report0bf802fc\Mini040709-01.dmp" file.
25-7-2009 1:06:46 Sign of "Win32:Alureon-AM [Rtk]" has been found in "C:\Users\TheOne\AppData\Local\Microsoft\Windows\WER\ReportQueue\Report044e2bff\Mini040609-01.dmp" file.

4-8-2009 15:28:15 Sign of "Win32:Alureon-AM [Rtk]" has been found in "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report0bf802fc\trz3A4.tmp" file.  
4-8-2009 15:28:40 Sign of "Win32:Alureon-AM [Rtk]" has been found in "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report0bf802fc\trz493B.tmp" file.  
4-8-2009 15:28:54 Sign of "Win32:Alureon-AM [Rtk]" has been found in "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report0bf802fc\trz7A76.tmp" file.
15-8-2009 2:28:28 Sign of "Win32:Alureon-AM [Rtk]" has been found in "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report0bf802fc\Mini040709-01.dmp" file.

15-8-2009 13:04:22 Sign of "Win32:Rustock-AM [Rtk]" has been found in "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report0418aabf\WER8A56.tmp.hdmp" file
15-8-2009 13:04:59 Sign of "Win32:Alureon-AM [Rtk]" has been found in "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report0bf802fc\trzB377.tmp" file.  
15-8-2009 13:05:34 Sign of "Win32:Rustock-AM [Rtk]" has been found in "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report0418aabf\WER8A56.tmp.hdmp" file.

Programs I have used to scan my system:
Malwarebytes, Spybot Search & Destroy, Windows Defender, avast, Ad-Aware, a-squared, SUPERAntiSpyware, online virus scanners.

At first I thought it was a false positive and that the files belonged to Windows and were legit,
but now I believe I'm infected and I don't really know what to do.

I appreciate any help I can get :)
« Last Edit: August 26, 2009, 10:05:41 PM by TheOne^ »
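As an added example, not part of this thread and not avast's own tooling: a small Python parser for the log lines TheOne^ pasted above, which groups detections by signature and separates hits inside WER crash dumps and temp files from hits on a driver file under system32, since a dump only records memory that was captured at crash time while a driver on disk is something the system would load. The three log lines are copied from the post; the system32 driver path check is an assumption about where such a file would be reported.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: three entries copied from the thread's avast log.
# Timestamps are D-M-YYYY H:MM:SS; one entry lacks the trailing period.
SAMPLE_LOG = """\
24-7-2009 18:47:55 Sign of "Win32:Alureon-AM [Rtk]" has been found in "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportArchive\\Report0bf802ae\\Report.cab\\Mini051709-01.dmp" file.
4-8-2009 15:28:15 Sign of "Win32:Alureon-AM [Rtk]" has been found in "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\Report0bf802fc\\trz3A4.tmp" file.
15-8-2009 13:04:22 Sign of "Win32:Rustock-AM [Rtk]" has been found in "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\Report0418aabf\\WER8A56.tmp.hdmp" file
"""

# Tolerates variable spacing after the time and an optional final period.
LINE_RE = re.compile(
    r'^(?P<date>\d{1,2}-\d{1,2}-\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2})\s+'
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.?\s*$'
)

def parse_line(line):
    """Return {'when', 'sig', 'path'} for one avast log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{m['date']} {m['time']}", "%d-%m-%Y %H:%M:%S")
    return {"when": when, "sig": m["sig"], "path": m["path"]}

def classify_path(path):
    """Distinguish WER crash-dump/temp artefacts from a driver file the OS would load (assumed layout)."""
    p = path.lower()
    if "\\wer\\" in p and p.endswith((".dmp", ".hdmp", ".tmp")):
        return "wer_dump_or_temp"
    if "\\system32\\drivers\\" in p and p.endswith(".sys"):
        return "driver_on_disk"
    return "other"

def summarize(log_text):
    """Count hits per signature per path class, plus the first and last detection times."""
    hits = [h for h in (parse_line(l) for l in log_text.splitlines()) if h]
    by_sig = defaultdict(lambda: defaultdict(int))
    for h in hits:
        by_sig[h["sig"]][classify_path(h["path"])] += 1
    return {
        "parsed": len(hits),
        "by_signature": {s: dict(c) for s, c in by_sig.items()},
        "first": min(h["when"] for h in hits) if hits else None,
        "last": max(h["when"] for h in hits) if hits else None,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On the thread's full log every hit falls in the WER dump/temp class, which is why a responder would want a rootkit scanner or a look at the drivers directory rather than relying on the dump hits alone.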

yawetage

  • Guest
Re: Win32:Alureon-AM [Rtk] & Win32:Rustock-AM [Rtk] ???
« Reply #1 on: August 26, 2009, 10:42:37 PM »
Have you tried running a rootkit scanner such as Sophos, Rootkit Buster or Blacklight?
« Last Edit: August 26, 2009, 10:47:44 PM by yawetage »

TheOne^

  • Guest
Re: Win32:Alureon-AM [Rtk] & Win32:Rustock-AM [Rtk] ???
« Reply #2 on: August 26, 2009, 11:45:50 PM »
Hmm, I forgot about rootkit scanners.
I will download a few and report back my findings.

Orerockon

  • Guest
Re: Win32:Alureon-AM [Rtk] & Win32:Rustock-AM [Rtk] ???
« Reply #3 on: September 02, 2009, 08:56:31 AM »
The necessary steps to remove Win32:Alureon are quite simple. I found this through trial and error. Install the avast! Home Edition trial. Let it run its heuristic scan (I didn't see an option to do this; it just ran itself). It found the virus's drivers in the windows/system32 directory and wanted to do a boot-time scan. I let it reboot the PC and it found all the files associated with the virus and removed them. Problem solved, no more infection.

P.S. AVG detected but couldn't remove the virus files, OneCare allowed it to infect my PC in the first place, and the various rootkit removal programs all hung on trying to scan the system32 directory.

TheOne^

  • Guest
Re: Win32:Alureon-AM [Rtk] & Win32:Rustock-AM [Rtk] ???
« Reply #4 on: September 03, 2009, 11:34:54 PM »
@orerockon: I did the same thing as you did, but it still came back.
I scanned my system and detected the drivers, so I launched a boot scan and removed them,
and after that it simply came back.

Anyway, I solved my problem by formatting my PC and installing Windows XP.
I now make use of the following security measures:

* Clean Windows with all the needed updates (including software like Java, etc.)
* Installed Kaspersky Anti-Virus, Outpost Firewall Pro, Malwarebytes, SpywareBlaster
* I've updated my hosts file for blocking bad websites/connections
* I now only make use of a limited account and switch back to Administrator when I need admin rights (software/games, etc.)
* Disabled memory dumps
* Display hidden file extensions
* Set to clear the pagefile when closing Windows
* Passworded all my accounts & changed the name of the "Administrator" account
* Passworded the Guest account and then disabled it
* And I followed some tips TuneUp Utilities gave me
* Created an image of my C drive

Found some tips/suggestions over here: http://www.techspot.com/vb/topic31474.html (topic is a bit old though :P)
« Last Edit: September 03, 2009, 11:38:14 PM by TheOne^ »