Win32:Alureon-ps and C:windows\system\...\volsnap.sys

I have both of these on my PC and avast keeps telling me to delete but it can’t get rid of them. Every time I boot up it says delete and then reboot and run scan. I have run Rkiller and stopzilla and still problems. Need help.

Upload the files to www.virustotal.com and test with 43 malware scanners.
When you have the result, copy the URL in the address bar and post it here for us to see.

Then run a quick scan with this:

Malwarebytes Anti-Malware 1.51. http://filehippo.com/download_malwarebytes_anti_malware/
Always update so you have the latest signatures before you scan.
Click on the Remove Selected button to quarantine anything found.

Post the scan log here.

This one (trojan password stealer) may well be protected by a rootkit TDL3 or possibly later.

Have you tried scheduling an avast boot-time scan?
If not, enable a boot-time scan. From the avastUI, Scan Computer, Boot-time Scan, Schedule Now button and reboot (any detections, choose send to chest).

Look in the C:\Documents and Settings\All Users\Application Data\Alwil Software\Avast5\report\aswBoot.txt file (XP location) or C:\ProgramData\Alwil Software\Avast5\report\aswBoot.txt (Vista, Win7 location); check this file using Notepad for info on the scan/detections, etc.

If after that you are still getting the alert, you can check if you have an MBR rootkit using this tool:

This is what I have after running aswmbr.exe

OK, one good thing is it doesn’t appear to be an MBR rootkit, but may well be a TDL3 rootkit.

I have that file in that location and no alerts and I am also using XP SP3 (Pro in my case), see image for Hash details, Creation/Modified dates of 14 April 2008 and file size 52352 bytes. Compare your version if you have a Hash calculator and also the file size.

I suspect yours will differ.

Did you upload it for scanning at virustotal as suggested by Pondus?
If so please post the results URL.

Did you try the boot-time scan first?
If so what results?

I guess I’m not too bright when it comes to PCs. I am not sure how to find it to upload. I need some help with that.

You visit the site in the link given by Pondus, and there is a Browse button there, which opens a navigation window; you then use that to point it at the C:\WINDOWS\system32\drivers\volsnap.sys file.

Click the Open button, which transfers the path to VT. Click the Send File button; it then carries out the upload and scan.

See these results, http://www.virustotal.com/file-scan/report.html?id=010eac43dbed700b73e4fc908faaf9f6a0168ebbd5d86751e49bc33aaa18bfa4-1308144011 of a previous upload of the same version of the file (MD5) I have.

Note the clear detection rate isn’t a guarantee as it may not be using the same type of scan.

I have been all over the computer and I can’t find my drivers.

They are probably still hidden folders.

  • Ensure that you have enabled the ‘Show Hidden Files and Folders’ option and disable hide system files in Windows Explorer, Tools, Folder Options, Hidden files and folders, uncheck Hide extensions for known file types, etc.; see image.

Found volsnap and ran VirusTotal and Malwarebytes.

Malwarebytes’ Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6863

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/15/2011 2:40:04 PM
mbam-log-2011-06-15 (14-40-04).txt

Scan type: Quick scan
Objects scanned: 157333
Time elapsed: 18 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) → Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

What were the virustotal results (if you can post the URL)?

Tried to post but it’s too large. Doesn’t seem to detect a problem.

Not the contents of the actual results, but the URL (web address) in the same way as I did in my Reply #6 above.

So it didn’t find anything, as in the results URL link that I posted?
If so that isn’t too unusual, as it may not be using the same type of scan.

http://www.virustotal.com/file-scan/report.html?id=010eac43dbed700b73e4fc908faaf9f6a0168ebbd5d86751e49bc33aaa18bfa4-1308171417
I guess this is it.

Yes that is the one, but it just adds to the quandary, as it has the same MD5 that is shown in my VT results and my image in Reply #4 above and I’m not getting the detections.

I have run the latest aswMBR.exe (same version you used) on my system and no alert, which is very strange, so I’m at a bit of a loss as to what this might be.

aswMBR version 0.9.6.399 Copyright(c) 2011 AVAST Software
Run date: 2011-06-16 01:21:04
-----------------------------
01:21:04.437 OS Version: Windows 5.1.2600 Service Pack 3
01:21:04.437 Number of processors: 2 586 0x1706
01:21:04.437 ComputerName: ##### UserName:
01:21:36.234 AVAST engine 6.0.1125 defs: 11061501
01:21:36.234 Initialize success
01:21:41.234 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-10
01:21:41.234 Disk 0 Vendor: Hitachi_HDS721616PLA380 P22OABEA Size: 152627MB BusType: 3
01:21:41.234 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T0L0-1b
01:21:41.234 Disk 1 Vendor: WDC_WD5000AADS-00S9B0 01.00A01 Size: 476940MB BusType: 3
01:21:43.250 Disk 0 MBR read successfully
01:21:43.250 Disk 0 MBR scan
01:21:43.250 Disk 0 Windows XP default MBR code
01:21:45.265 Disk 0 scanning sectors +312576705
01:21:45.281 Disk 0 scanning C:\WINDOWS\system32\drivers
01:21:49.515 Service scanning
01:21:50.328 Disk 0 trace - called modules:
01:21:50.343 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
01:21:50.343 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a5dcab8]
01:21:50.343 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000082[0x8a63bf18]
01:21:50.343 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-10[0x8a62d940]
01:21:50.343 AVAST engine scan C:\WINDOWS\system32
01:22:45.984 Scan finished successfully
01:24:04.406 Disk 0 MBR has been saved successfully to "####################"
01:24:04.562 The log file has been saved successfully to "###################"

The only difference I can see in yours to mine is the file name and the >>UNKNOWN [0x82e6a1ed]<<
09:34:38.418 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82e6a1ed]<<

I use XP Pro; I don’t know if that would make a difference if you were using XP Home.

So this will have to be looked at by someone more experienced in this than I.
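As an added example (not code from anyone in this thread), a small Python helper that does the two comparisons DavidR describes: it flags any >>UNKNOWN [address]<< hop in the "trace - called modules" section of an aswMBR log, and it checks a driver image's size and SHA256 against the reference values quoted above (52352 bytes; the SHA256 is taken from the VirusTotal report URLs, on the assumption that the first part of a VT report id is the file's SHA256). The function names are mine, and the sample trace text is constructed from the two traces posted in this thread.

```python
import hashlib
import re

# Reference values for the XP SP3 volsnap.sys discussed in the thread.
# Assumption: the first component of the VirusTotal report id is the SHA256.
VOLSNAP_SIZE = 52352
VOLSNAP_SHA256 = "010eac43dbed700b73e4fc908faaf9f6a0168ebbd5d86751e49bc33aaa18bfa4"

# aswMBR writes >>UNKNOWN [address]<< for a hop in the disk I/O chain it
# cannot map to a driver file on disk; a clean XP trace names only real drivers.
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")


def unknown_modules(log_text):
    """Return the addresses of every >>UNKNOWN [...]<< marker found between
    the 'trace - called modules' line and the 'AVAST engine scan' line."""
    in_trace = False
    found = []
    for line in log_text.splitlines():
        if "trace - called modules" in line:
            in_trace = True
            continue
        if in_trace and "AVAST engine scan" in line:
            break
        if in_trace:
            found.extend(UNKNOWN_RE.findall(line))
    return found


def check_driver(data, expected_size=VOLSNAP_SIZE, expected_sha256=VOLSNAP_SHA256):
    """Compare a driver image's size and SHA256 with the reference values.
    Returns (size_ok, hash_ok); any False means the on-disk copy differs from
    the known-good file and is worth uploading to VirusTotal."""
    size_ok = len(data) == expected_size
    hash_ok = hashlib.sha256(data).hexdigest() == expected_sha256.lower()
    return size_ok, hash_ok


# Constructed samples: the clean trace section and the suspicious one.
CLEAN_TRACE = """01:21:50.328 Disk 0 trace - called modules:
01:21:50.343 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
01:21:50.343 1 nt!IofCallDriver -> \\Device\\Harddisk0\\DR0[0x8a5dcab8]
01:21:50.343 AVAST engine scan C:\\WINDOWS\\system32
"""
SUSPECT_TRACE = """09:34:38.400 Disk 0 trace - called modules:
09:34:38.418 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82e6a1ed]<<
09:34:38.420 AVAST engine scan C:\\WINDOWS\\system32
"""

if __name__ == "__main__":
    print("clean trace unknowns:  ", unknown_modules(CLEAN_TRACE))
    print("suspect trace unknowns:", unknown_modules(SUSPECT_TRACE))
    print("dummy volsnap image:   ", check_driver(b"\x00" * VOLSNAP_SIZE))
```

To run it against a real file, read C:\WINDOWS\system32\drivers\volsnap.sys in binary mode and pass the bytes to check_driver; a size match with a hash mismatch is exactly the case where the VirusTotal upload matters.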

I am using XP Pro also. Whatever it is is causing me a lot of headaches. My sound device has disappeared and my Google search does not work. I tried Bing search and that does not work. Now Windows comes on with critical error and shuts down. I have to reboot two or three times before it stays on. Guess I will go to bed and mess with it tomorrow.

I’m not certain the sound device issue is related as it would seem a strange target (unless innocent bystander) for any malware.

What do you mean that Google and Bing don’t work: can’t connect to them, or they redirect searches to different sites, etc.?

You could try this tool whilst waiting for further assistance.

Back this morning. My Google and Bing search are redirected to ads. Been trying to run TDSSKiller and can’t get it to run???

Again, what errors when you try to run it?

The redirection may require more tools and specialist intervention, hopefully later today.

You could, however, check this out: Firefox popping up ads and/or Google search redirects.
Please download GooredFix and save it to your Desktop. You need to close Firefox before using this tool. Double-click Goored.exe to run it.

  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

GooredFix by jpshortstuff (03.07.10.1)
Log created at 10:44 on 16/06/2011 (User)
Firefox version [Unable to determine]

========== GooredScan ==========

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions
(none)

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension" [12:04 25/08/2010]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [18:55 30/11/2009]

---------- Old Logs ----------
GooredFix[14.42.29_16-06-2011].txt

-=E.O.F=-