win32: Alureon-FZ

avast5\arpot\883a92-1030-0.dat is infected by win32:Alureon-FZ

My internet browser started redirecting to mevio.com regardless of what I was trying to search for. I deleted all temp files/history/etc, ran CCleaner and Advanced System Care. I ran an Avast Quick Scan and found the virus. It prompted me to perform a boot scan and that is where I am right now. The boot scan found the virus above and I deleted it.

Why doesn’t Avast prevent this virus from getting to the computer?

Anything else I need to do?

Thanks in advance for the replies.

Could you upload that from the virus chest to Avast please, as I think they will be very interested in getting it.

Boot scan still running. Will see what is in the chest when it finishes. I selected Delete though so I’m not sure what is there.

If it is there, this is how:

Submitting files from the Virus Chest to avast! Virus Lab
https://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=501&nav=0,1,22#idt_07

Not in the chest.

Add it to the chest manually, open the chest and right click in it and select add. From the navigation window pop-up, navigate to the avast5\arpot\883a92-1030-0.dat file and add it.

Can’t find the file.

found the virus above and I deleted it.

How can you find the virus then ???

The boot scan found the virus above and I deleted it.

That’s what I am telling… Boot scan found a virus and he chose to delete it, then how could he find it… ???

It’s gone now. If the action under Settings for the boot scan was set to “ask” or “move to virus chest” then you could see it and perhaps do something with it. But once it is deleted…it’s gone.

Just lost a big post because it said the attached file size was too large and not going to write it all again >:(

Long story short, after deleting the Alureon problem yesterday and thinking I had my problem solved, my overnight scan found another problem (ftdisk.sys, Rootkit: Threat: system modification). I ran another boot-time scan that found the Alureon again (infected a different file) and a Malware-gen problem.

I moved both files to the chest this time if someone can tell me how and where to send them.

I also have screen shots in a word file I can send of the scan logs. File is only 664kb but too big to attach here.

Why isn’t Avast catching these things coming in and blocking them?

I submitted both files as directed in the link. Thanks.

You did it correctly with the posted link. It will be uploaded with the next virus definitions update.

Because it didn’t detect them…
Maybe the infection is on your disc since a longer period already.

I would recommend a deeper inspection of your HD with other tools as well to make sure the infection has been removed.
You could start that with Malwarebytes Antimalware:
Click on MBAM in my signature, download the free version, install and start it.
Update the program via its GUI after starting it.
Run a quick scan (just a few minutes).
Post the log here.

Since this problem is coming back I would recommend you let Essexboy have a look inside.

Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
( post the logs here in this topic and not in the guide )

To avoid using multiple posts with copy and paste you have to attach the logs:
Lower left corner: Additional Options > Attach ( Malwarebytes log / OTS log )
OTS log must be saved as ANSI and not Unicode.

Essexboy will look at the logs when he arrives here later today…

Looking at the shots you sent - Avast quarantined the droppers… This would suggest that there is an unknown file on your system trying to get it

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswmbrscan.gif

Click the “Scan” button to start scan

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswmbrsavelog.gif

On completion of the scan click save log, save it to your desktop and post in your next reply

THEN

Download OTS to your Desktop and double-click on it to run it

- Make sure you close all other programs and don’t use the PC while the scan runs.
- Select All Users
- Under additional scans select the following:
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

- Under the Custom Scan box paste this in:

netsvcs
%SYSTEMDRIVE%*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

- Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
- When the scan is complete Notepad will open with the report file loaded in it.
- Please attach the log in your next post.

Thanks essex. Had blue screen on computer when I got home >:(

Here are the scan results:

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-26 13:49:50

13:49:50.687 OS Version: Windows 5.1.2600 Service Pack 3
13:49:50.687 Number of processors: 4 586 0xF0B
13:49:50.687 ComputerName: D2JZC5G1 UserName:
13:50:58.250 Initialize success
13:51:07.281 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdePort0
13:51:07.296 Disk 0 Vendor: SAMSUNG_HD501LJ CR100-13 Size: 476940MB BusType: 3
13:51:07.296 Device \Device\Ide\IdeDeviceP0T0L0-3 → ??\IDE#DiskSAMSUNG_HD501LJ_________________________CR100-13#5&163e592b&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
13:51:07.312 Device \Driver\atapi → DriverStartIo 8ac18af1
13:51:07.375 Disk 0 MBR read successfully
13:51:07.375 Disk 0 MBR scan
13:51:07.406 Disk 0 scanning sectors +976768065
13:51:07.500 Disk 0 scanning C:\WINDOWS\system32\drivers
13:51:25.343 File C:\WINDOWS\system32\drivers\ftdisk.sys TDL3 ROOTKIT
13:51:25.359 Disk 0 trace - called modules:
13:51:25.406 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8ac18ecc]<<
13:51:25.406 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8acb9ab8]
13:51:25.421 3 CLASSPNP.SYS[ba0e8fd7] → nt!IofCallDriver → \Device\00000067[0x8aca0f18]
13:51:25.437 5 ACPI.sys[b9f7f620] → nt!IofCallDriver → [0x8ac9f940]
13:51:25.453 [0x8ac5d0c8] → IRP_MJ_CREATE → 0x8ac18ecc
13:51:25.484 Scan finished successfully
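The aswMBR log above carries two separate signals: a driver file labelled TDL3 ROOTKIT, and a disk-stack trace in which IRP_MJ_CREATE is dispatched to an address (0x8ac18ecc) that aswMBR cannot attribute to any loaded module. The following Python is an added triage helper, not part of this thread or of aswMBR; it runs over a constructed excerpt modelled on the posted log (with aswMBR's plain "->" arrows) and correlates those two signals.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the aswMBR log posted above (not the real file).
SAMPLE_LOG = """\
13:51:07.375 Disk 0 MBR read successfully
13:51:25.343 File C:\\WINDOWS\\system32\\drivers\\ftdisk.sys TDL3 ROOTKIT
13:51:25.359 Disk 0 trace - called modules:
13:51:25.406 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8ac18ecc]<<
13:51:25.406 1 nt!IofCallDriver -> \\Device\\Harddisk0\\DR0[0x8acb9ab8]
13:51:25.453 [0x8ac5d0c8] -> IRP_MJ_CREATE -> 0x8ac18ecc
13:51:25.484 Scan finished successfully
"""

# "<time> File <path> <label>" lines name a driver image aswMBR flagged on disk.
FILE_RE = re.compile(r"^\S+ File (?P<path>.+?\.\w{3}) (?P<label>.+)$")
# ">>UNKNOWN [0x...]<<" marks code in the disk call chain that belongs to no known module.
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
# "IRP_MJ_xxx -> 0x..." shows where a dispatch routine on the disk device actually points.
DISPATCH_RE = re.compile(r"(IRP_MJ_\w+) (?:->|\u2192) (0x[0-9a-fA-F]+)")


def parse_aswmbr_log(text: str) -> Dict[str, List]:
    """Pull flagged files, unknown module addresses and IRP dispatch targets out of a log."""
    findings: Dict[str, List] = {"flagged_files": [], "unknown_modules": [], "dispatch_targets": []}
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            findings["flagged_files"].append((m.group("path"), m.group("label")))
        for addr in UNKNOWN_RE.findall(line):
            findings["unknown_modules"].append(addr.lower())
        for irp, addr in DISPATCH_RE.findall(line):
            findings["dispatch_targets"].append((irp, addr.lower()))
    return findings


def triage(findings: Dict[str, List]) -> List[str]:
    """Explain, in plain words, why the parsed log points at a live disk-stack hook."""
    reasons = []
    for path, label in findings["flagged_files"]:
        reasons.append(f"{label}: {path} was flagged by the on-disk scan")
    unknown = set(findings["unknown_modules"])
    for irp, addr in findings["dispatch_targets"]:
        if addr in unknown:  # dispatch lands in code no loaded driver accounts for
            reasons.append(f"{irp} on the boot disk is dispatched to {addr}, outside every known module")
    return reasons


if __name__ == "__main__":
    for reason in triage(parse_aswmbr_log(SAMPLE_LOG)):
        print(reason)
```

A log with an UNKNOWN marker that is also an IRP dispatch target means the rootkit is still active in memory, so a clean file scan alone is not evidence of removal.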

see lower left corner > additional options > attach :wink: OTS log must be saved as ANSI