Author Topic: Win32:Alureon-ps and C:windows\system\...\volsnap.sys  (Read 14564 times)


Offline pjrol

  • Jr. Member
  • **
  • Posts: 37
Win32:Alureon-ps and C:windows\system\...\volsnap.sys
« on: June 15, 2011, 02:55:19 PM »
I have both of these on my PC and avast keeps telling me to delete but it can't get rid of them. Every time I boot up it says delete and then reboot and run scan. I have run Rkiller and stopzilla and still problems. Need help.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37547
  • Not a avast user
Re: Win32:Alureon-ps and C:windows\system\...\volsnap.sys
« Reply #1 on: June 15, 2011, 03:15:12 PM »
Upload the files to www.virustotal.com and test with 43 malware scanners.
When you have the result, copy the URL in the address bar and post it here for us to see.


then run a quick scan with this


Malwarebytes Anti-Malware 1.51. http://filehippo.com/download_malwarebytes_anti_malware/
Always update so you have the latest signatures before you scan.
Click on the Remove Selected button to quarantine anything found.

post the scan log here


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89129
  • No support PMs thanks
Re: Win32:Alureon-ps and C:windows\system\...\volsnap.sys
« Reply #2 on: June 15, 2011, 03:15:42 PM »
This one (trojan password stealer) may well be protected by a rootkit TDL3 or possibly later.

Have you tried scheduling an avast boot-time scan?
If not, enable a boot-time scan. From the avastUI, Scan Computer, Boot-time Scan, Schedule Now button and reboot (any detections choose send to chest).
 
Look in the C:\Documents and Settings\All Users\Application Data\Alwil Software\Avast5\report\aswBoot.txt file (XP location) C:\ProgramData\Alwil Software\Avast5\report\aswBoot.txt (Vista, Win7 location), check this file using notepad for info on the scan/detections, etc.

####
If after that you are still getting the alert - you can check if you have an MBR rootkit using this tool:
Quote from: essexboy
Download aswMBR.exe ( 568KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan

 
On completion of the scan click save log, save it to your desktop and post in your next reply


Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline pjrol

  • Jr. Member
  • **
  • Posts: 37
Re: Win32:Alureon-ps and C:windows\system\...\volsnap.sys
« Reply #3 on: June 15, 2011, 04:03:29 PM »
This is what I have after running aswmbr.exe

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89129
  • No support PMs thanks
Re: Win32:Alureon-ps and C:windows\system\...\volsnap.sys
« Reply #4 on: June 15, 2011, 04:33:48 PM »
OK, one good thing is it doesn't appear to be an MBR rootkit, but may well be a TDL3 rootkit.

I have that file in that location and no alerts and I am also using XP SP3 (Pro in my case), see image for Hash details, Creation/Modified dates of 14 April 2008 and file size 52352 bytes. Compare your version if you have a Hash calculator and also the file size.

I suspect yours will differ.

Did you upload it for scanning at virustotal as suggested by Pondus?
If so please post the results URL.

Did you try the boot-time scan first?
If so what results ?


Offline pjrol

  • Jr. Member
  • **
  • Posts: 37
Re: Win32:Alureon-ps and C:windows\system\...\volsnap.sys
« Reply #5 on: June 15, 2011, 04:47:52 PM »
I guess I'm not too bright when it comes to PCs. I am not sure how to find it to upload. I need some help with that.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89129
  • No support PMs thanks
Re: Win32:Alureon-ps and C:windows\system\...\volsnap.sys
« Reply #6 on: June 15, 2011, 05:17:19 PM »
You visit the site in the link given by Pondus, and there is a Browse button there, which opens a navigation window; you then use that to point it at the C:\WINDOWS\system32\drivers\volsnap.sys file.

Click the Open button, which transfers the path to VT, then click the Send File button - it then carries out the upload and scan.

See these results, http://www.virustotal.com/file-scan/report.html?id=010eac43dbed700b73e4fc908faaf9f6a0168ebbd5d86751e49bc33aaa18bfa4-1308144011 of a previous upload of the same version of the file (MD5) I have.

Note the clear detection rate isn't a guarantee as it may not be using the same type of scan.
« Last Edit: June 15, 2011, 05:19:20 PM by DavidR »

Offline pjrol

  • Jr. Member
  • **
  • Posts: 37
Re: Win32:Alureon-ps and C:windows\system\...\volsnap.sys
« Reply #7 on: June 15, 2011, 07:44:03 PM »
I have been all over the computer and I can't find my drivers.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89129
  • No support PMs thanks
Re: Win32:Alureon-ps and C:windows\system\...\volsnap.sys
« Reply #8 on: June 15, 2011, 07:51:47 PM »
They are probably still hidden folders.

- Ensure that you have enabled the 'Show Hidden Files and Folders' option and disable hide system files in Windows Explorer, Tools, Folder Options, Hidden files and folders, uncheck Hide extensions for known file types, etc. see image.

Offline pjrol

  • Jr. Member
  • **
  • Posts: 37
Re: Win32:Alureon-ps and C:windows\system\...\volsnap.sys
« Reply #9 on: June 15, 2011, 08:44:33 PM »
Found volsnap and ran VirusTotal and Malwarebytes.

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6863

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/15/2011 2:40:04 PM
mbam-log-2011-06-15 (14-40-04).txt

Scan type: Quick scan
Objects scanned: 157333
Time elapsed: 18 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89129
  • No support PMs thanks
Re: Win32:Alureon-ps and C:windows\system\...\volsnap.sys
« Reply #10 on: June 15, 2011, 08:59:20 PM »
What were the virustotal results (if you can post the URL)?


Offline pjrol

  • Jr. Member
  • **
  • Posts: 37
Re: Win32:Alureon-ps and C:windows\system\...\volsnap.sys
« Reply #11 on: June 15, 2011, 10:06:53 PM »
Tried to post but it's too large. Doesn't seem to detect a problem.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89129
  • No support PMs thanks
Re: Win32:Alureon-ps and C:windows\system\...\volsnap.sys
« Reply #12 on: June 16, 2011, 12:09:29 AM »
Not the contents of the actual results, but the URL (web address) in the same way as I did in my Reply #6 above.

So it didn't find anything, as in the results URL link that I posted?
If so that isn't too unusual as it may not be using the same type of scan.

Offline pjrol

  • Jr. Member
  • **
  • Posts: 37
Re: Win32:Alureon-ps and C:windows\system\...\volsnap.sys
« Reply #13 on: June 16, 2011, 01:57:42 AM »
http://www.virustotal.com/file-scan/report.html?id=010eac43dbed700b73e4fc908faaf9f6a0168ebbd5d86751e49bc33aaa18bfa4-1308171417
I guess this is it.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89129
  • No support PMs thanks
Re: Win32:Alureon-ps and C:windows\system\...\volsnap.sys
« Reply #14 on: June 16, 2011, 02:34:21 AM »
Yes that is the one, but it just adds to the quandary as it has the same MD5 that is shown in my VT results and my image in Reply #4 above and I'm not getting the detections.

I have run the latest aswMBR.exe (same version you used) on my system and no alert which is very strange, so I'm at a bit of a loss as to what this might be.

Quote
aswMBR version 0.9.6.399 Copyright(c) 2011 AVAST Software
Run date: 2011-06-16 01:21:04
-----------------------------
01:21:04.437    OS Version: Windows 5.1.2600 Service Pack 3
01:21:04.437    Number of processors: 2 586 0x1706
01:21:04.437    ComputerName: #####  UserName:
01:21:36.234    AVAST engine 6.0.1125 defs: 11061501
01:21:36.234    Initialize success
01:21:41.234    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-10
01:21:41.234    Disk 0 Vendor: Hitachi_HDS721616PLA380 P22OABEA Size: 152627MB BusType: 3
01:21:41.234    Disk 1  \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T0L0-1b
01:21:41.234    Disk 1 Vendor: WDC_WD5000AADS-00S9B0 01.00A01 Size: 476940MB BusType: 3
01:21:43.250    Disk 0 MBR read successfully
01:21:43.250    Disk 0 MBR scan
01:21:43.250    Disk 0 Windows XP default MBR code
01:21:45.265    Disk 0 scanning sectors +312576705
01:21:45.281    Disk 0 scanning C:\WINDOWS\system32\drivers
01:21:49.515    Service scanning
01:21:50.328    Disk 0 trace - called modules:
01:21:50.343    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
01:21:50.343    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a5dcab8]
01:21:50.343    3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000082[0x8a63bf18]
01:21:50.343    5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-10[0x8a62d940]
01:21:50.343    AVAST engine scan C:\WINDOWS\system32
01:22:45.984    Scan finished successfully
01:24:04.406    Disk 0 MBR has been saved successfully to "####################"
01:24:04.562    The log file has been saved successfully to "###################"

The only difference I can see in yours to mine is the file name and the >>UNKNOWN [0x82e6a1ed]<<
09:34:38.418    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82e6a1ed]<<

I use XP Pro; I don't know if that would make a difference if you were using XP Home.

So this will have to be looked at by someone more experienced in this than I.
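The comparison DavidR does by eye above (a clean aswMBR disk-stack trace against one containing an >>UNKNOWN [addr]<< entry) can be scripted. This is an added example, not code from the thread or from AVAST; the two log fragments are constructed samples modelled on the lines quoted in this thread, and the parsing rules assume the log layout shown above.

```python
import re

# Constructed sample, modelled on DavidR's clean aswMBR log quoted above.
CLEAN_LOG = """\
01:21:50.328    Disk 0 trace - called modules:
01:21:50.343    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
01:21:50.343    1 nt!IofCallDriver -> \\Device\\Harddisk0\\DR0[0x8a5dcab8]
"""

# Constructed sample, modelled on the single suspect line DavidR quotes from pjrol's log.
SUSPECT_LOG = """\
09:34:38.400    Disk 0 trace - called modules:
09:34:38.418    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82e6a1ed]<<
"""

# aswMBR prints a timestamp, whitespace, then the message body (assumed from the quoted log).
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+\s+(.*)$")
# A module in the I/O path that aswMBR could not map to a driver file on disk.
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")


def analyse_trace(log):
    """Return (named_modules, unknown_addresses) from the 'trace - called modules' block."""
    bodies = [m.group(1) for m in map(LINE_RE.match, log.splitlines()) if m]
    for i, body in enumerate(bodies):
        if body.endswith("trace - called modules:") and i + 1 < len(bodies):
            trace = bodies[i + 1]
            unknown = UNKNOWN_RE.findall(trace)
            named = UNKNOWN_RE.sub("", trace).split()
            return named, unknown
    return [], []


def compare_to_baseline(suspect_log, baseline_log):
    """Flag unnamed modules in the disk I/O path and differences from a known-clean trace.

    Kernel image name differences (ntkrnlpa.exe vs ntoskrnl.exe) are expected between
    PAE and non-PAE installs; an UNKNOWN entry sitting where the storage drivers
    (atapi.sys, pciide.sys, ...) should be is what warrants a closer look."""
    s_named, s_unknown = analyse_trace(suspect_log)
    b_named, _ = analyse_trace(baseline_log)
    return {
        "unknown_addresses": s_unknown,
        "missing_from_suspect": [m for m in b_named if m not in s_named],
        "extra_in_suspect": [m for m in s_named if m not in b_named],
    }


if __name__ == "__main__":
    for key, value in compare_to_baseline(SUSPECT_LOG, CLEAN_LOG).items():
        print(f"{key}: {value}")
```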