Visitor
Silverfox1
Posts: 4
Registered: ‎05-19-2009

Trojan:Win32/Alureon!inf detected and removed by Windows Malicious Software Removal Tool June 2009

My laptop (Vista, Office) running NIS2009 (defaults) just updated via Windows Update, and on restart the "Microsoft Windows Malicious Software Removal Tool - June 2009" dialog box popped up with the message "Malicious software was detected and removed from your computer - click to view details".  I clicked and it said that "Trojan:Win32/Alureon!inf" had been detected and deleted.  Should I be worried?  I'm a bit concerned that NIS2009 running defaults didn't pick this up.

dbrisendine
Posts: 5,584
Kudos: 1,294
Solutions: 263
Registered: ‎10-06-2008

Re: Trojan:Win32/Alureon!inf detected and removed by Windows Malicious Software Removal Tool June 200

Can you find and submit the file for analysis?  It would be nice to know what file was deleted/detected and whether or not it was a FP.
Win7 x32 SP1
Rootkit Eradicator
Stu
Posts: 5,210
Registered: ‎04-08-2008

Re: Trojan:Win32/Alureon!inf detected and removed by Windows Malicious Software Removal Tool June 200

It looks like it was already deleted.  You might want to run a full scan just to be sure.
"All that we are is the result of what we have thought"
Spam Squasher
silverhawk
Posts: 497
Registered: ‎12-15-2008

Re: Trojan:Win32/Alureon!inf detected and removed by Windows Malicious Software Removal Tool June 200

The same thing happened to me earlier: the Malicious Software Removal Tool detected the threat and Norton did not even tell me about any infection, even after having the latest protection.  I ran a full system scan and did everything, but nothing came up.  I investigated the file that was found by the Malicious Software Removal Tool and uploaded it to VirusTotal, and the results were amazing: out of 40 scanners, 21 detected it.  I wish I could have shared that link with you, but it has been a month and I deleted the VirusTotal link.  I do remember that security software like Kaspersky, ESET, McAfee, AVG and BitDefender detected it.  As my father runs McAfee on his Dell laptop, I just check every infected file by zipping it, and some other friends in my neighbourhood and out there on the internet send me their infections as zipped files, and I check them and after that I come to the final decision.  However, I like Symantec, and I just send the file to them to get that nasty threat into their future detection definitions.

You can check my other open thread, "another threat not detect", to know more about submission and detection!

Genuine Windows 8.1 x64 Pro; NIS 2014; HP Pavilion G6 Notebook with AMD Core 2 Quad A10; 6 GB RAM; 1TB Western Digital HDD; AMD Radeon 2.5 GB Graphics Card
Visitor
Silverfox1
Posts: 4
Registered: ‎05-19-2009

Re: Trojan:Win32/Alureon!inf detected and removed by Windows Malicious Software Removal Tool June 200

OK, here's another.  I'm beginning to doubt NIS2009's capabilities.  I have just run Malwarebytes' Anti-Malware and it found ANOTHER trojan: gxvxcserv.sys

Here is the logfile of the removal.

Malwarebytes' Anti-Malware 1.37
Database version: 2263
Windows 6.0.6001 Service Pack 1

11/06/2009 22:48:40
mbam-log-2009-06-11 (22-48-34).txt

Scan type: Quick Scan
Objects scanned: 69862
Time elapsed: 2 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys (Trojan.Agent) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.170,85.255.112.235 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2e9689ff-176a-456f-9283-bd25e81862f4}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.170,85.255.112.235 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.170,85.255.112.235 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{2e9689ff-176a-456f-9283-bd25e81862f4}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.170,85.255.112.235 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.170,85.255.112.235 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{2e9689ff-176a-456f-9283-bd25e81862f4}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.170,85.255.112.235 -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


What is going on here?  NIS2009 is fully functional working on defaults.
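As an added example (not from this thread, and not Malwarebytes' own code), a small Python parser for the MBAM 1.x log format posted above. It pulls out every detection that is still at "No action taken" and the resolver addresses the Trojan.DNSChanger entries point to, so the same check can be run over a log saved before and after the fix. The sample log is constructed from the registry sections of the posted log.

```python
import re

# Constructed sample: the detection-bearing sections of the Malwarebytes 1.37 log posted above.
SAMPLE_LOG = r"""Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.170,85.255.112.235 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.170,85.255.112.235 -> No action taken.

Files Infected:
(No malicious items detected)
"""

# One detection line: <path> (<threat>) [-> Data: <data>] -> <action>
ENTRY_RE = re.compile(
    r"^(?P<path>.+?) \((?P<threat>[\w.]+)\)(?: -> Data: (?P<data>.+?))? -> (?P<action>.+)$"
)

def parse_entries(log_text):
    """Return one dict per detection line, tagged with the section it came from."""
    section, entries = None, []
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line == "(No malicious items detected)":
            continue
        if line.endswith(":"):          # section header, e.g. "Registry Data Items Infected:"
            section = line[:-1]
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            entries.append({"section": section, **m.groupdict()})
    return entries

def unresolved(entries):
    """Detections MBAM logged but did not remove (log saved before 'Remove Selected')."""
    return [e for e in entries if e["action"].startswith("No action taken")]

def rogue_dns_servers(entries):
    """Resolver addresses the DNSChanger entries point to, merged across control sets."""
    servers = set()
    for e in entries:
        if e["threat"] == "Trojan.DNSChanger" and e["data"]:
            servers.update(ip.strip() for ip in e["data"].split(","))
    return sorted(servers)

if __name__ == "__main__":
    found = parse_entries(SAMPLE_LOG)
    print(len(unresolved(found)), "of", len(found), "unresolved; rogue DNS:", rogue_dns_servers(found))
```

Any address returned by rogue_dns_servers that is not one of your ISP's or router's resolvers means the machine's DNS is still being redirected, whatever the antivirus says.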

delphinium
Posts: 9,862
Kudos: 2,965
Solutions: 293
Registered: ‎11-21-2008

Re: Trojan:Win32/Alureon!inf detected and removed by Windows Malicious Software Removal Tool June 200

[ Edited ]

Silverfox1:

Your Malwarebytes log shows no action taken.  Please disable System Restore, and get Malwarebytes to fix the problem.  It is hard to judge where the infection came from.  No antivirus stops everything, and the malware writers are getting better and better all the time.

You need to remove what is identified by Malwarebytes.  Reboot, go into Safe Mode and run it again.  Post the results for us to look at.  You have a rootkit which hides malware, hides drivers, and downloads malware.

gxvxcserv.sys is one of the files we look for in these types of infections.

Also please download RootRepeal: http://rootrepeal.googlepages.com/

Do not remove anything, but paste the log for Quads to look at.  He is our rootkit guru.

Message Edited by delphinium on 06-12-2009 06:52 PM
Under certain circumstances profanity provides relief denied even to prayer.
Mark Twain
Bot Obliterator
Quads
Posts: 16,541
Registered: ‎07-21-2008

Re: Trojan:Win32/Alureon!inf detected and removed by Windows Malicious Software Removal Tool June 200

Please use both RootRepeal http://community.norton.com/norton/board/message?board.id=Norton_360&message.id=13889#M13889

and GMER http://www.gmer.net/ .  Scan, then save the log and post it to http://pastebay.com/

Use your Norton username on pastebay.

I will cross-reference the logs and see 1. if you still have it, 2. if I have to script to remove it like I have done for others.

Quads

Visitor
Silverfox1
Posts: 4
Registered: ‎05-19-2009

Re: Trojan:Win32/Alureon!inf detected and removed by Windows Malicious Software Removal Tool June 200

Thanks Quads & delphinium for the helpful replies.  Will get on with disabling System Restore, going into Safe Mode & running the apps you mention.  I'll let you know how I get on and will post the log here.  Really want to make sure this Trojan has been totally wiped from my laptop.

Bot Obliterator
Quads
Posts: 16,541
Registered: ‎07-21-2008

Re: Trojan:Win32/Alureon!inf detected and removed by Windows Malicious Software Removal Tool June 200

Please attempt to use the tools to get the logs in normal mode first.


Quads