win32alureon.bp

I performed a search on IE8 today for information on my ASUS p5n32sliedel 2.02g motherboard and one of the results was a webpage with an embedded video which claimed to have all the info on my board. Stupidly I clicked on the embedded start button and MS Security Essentials immediately went red and told me a serious trojan virus threat had been detected. I ran a full system scan and was told that win32alureon.bp had been found. I quarantined and deleted the file. Suddenly my IE8 opened and began to access the WWW. I pulled the LAN cable and began running another scan. The virus was back. I then ran malwarebytes and it found 3 infected files. I ran Spybot search and destroy and 21 infected files were removed. I followed this up with an Advanced system care scan and it too found more infected files. I put the LAN cable back in and tried to get an update to MS Security Essentials and suddenly my IE8 said I had lost connection. It was like the virus was preventing me from getting an update. I went to Microsoft and performed an online scan which discovered 3 more infected files. I still did not feel like the virus was gone, so I downloaded the latest version of avast and performed a full system scan. Again an infected file was detected and removed. I then set up avast to perform a bootup scan and rebooted the system. 3 more infected files were found, including another virus, “suspbehav-c”. I sure hope that my system is finally clean.

Here is the mbam log from one scan:
Malwarebytes’ Anti-Malware 1.46
www.malwarebytes.org

Database version: 4143

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/26/2010 2:16:34 PM
mbam-log-2010-05-26 (14-16-34).txt

Scan type: Quick scan
Objects scanned: 1
Time elapsed: 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\5c555yW55.tmp (Trojan.Dropper.Gen) → Quarantined and deleted successfully.

This is my boot clean log:
Boot Time Removal Tool started
Error 0xc0000034 deleting regkey \Registry\Machine\SYSTEM\CURRENTCONTROLSET\SERVICES\MSWU-f36decbb
Error 0xc0000034 deleting regkey \Registry\Machine\SYSTEM\CURRENTCONTROLSET\SERVICES\MSWU-a3adb6b1
Removed ??\C:\WINDOWS\system32\spool\prtprocs\w32x86\KUO1oCE.dll
Removed ??\C:\WINDOWS\system32\spool\prtprocs\w32x86\iQ3w7u3.dll
Removed ??\C:\WINDOWS\system32\spool\prtprocs\w32x86\5555o.dll
Removed ??\C:\WINDOWS\system32\spool\prtprocs\w32x86\3g7i31qG.dll
Removed ??\C:\WINDOWS\system32\f36decbb.exe
Removed ??\C:\WINDOWS\system32\a3adb6b1.exe
BTR Completed Successfully
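As an added example (not code from the thread or from any of the tools named in it), a small Python parser for the boot-time removal log format quoted above: it buckets removed files by where they lived, records failed registry-key deletions, and pairs each MSWU-<hex> service key with the removed executable of the same name. The sample log is a constructed copy of the lines quoted in the post, and the bucket labels are this example's own.

```python
import re

# Constructed sample modelled on the boot-time removal log quoted in the post.
SAMPLE_BTR_LOG = r"""Boot Time Removal Tool started
Error 0xc0000034 deleting regkey \Registry\Machine\SYSTEM\CURRENTCONTROLSET\SERVICES\MSWU-f36decbb
Error 0xc0000034 deleting regkey \Registry\Machine\SYSTEM\CURRENTCONTROLSET\SERVICES\MSWU-a3adb6b1
Removed ??\C:\WINDOWS\system32\spool\prtprocs\w32x86\KUO1oCE.dll
Removed ??\C:\WINDOWS\system32\f36decbb.exe
Removed ??\C:\WINDOWS\system32\a3adb6b1.exe
BTR Completed Successfully"""

# "Removed" lines carry an NT-style "\??\" (or "??\") prefix before the drive letter.
REMOVED_RE = re.compile(r"^Removed\s+(?:\\?\?\?\\)?(.+?)\s*$")
# 0xc0000034 is STATUS_OBJECT_NAME_NOT_FOUND: the key was absent when deletion was attempted.
REGKEY_ERR_RE = re.compile(r"^Error\s+(0x[0-9a-fA-F]+)\s+deleting regkey\s+(.+?)\s*$")

def classify_location(path):
    """Bucket a removed path by directory (labels are this example's own)."""
    p = path.lower().replace("/", "\\")
    if "\\spool\\prtprocs\\" in p:
        return "print-processor"   # DLLs the print spooler loads as print processors
    if "\\temp\\" in p:
        return "temp"
    if p.rsplit("\\", 1)[0].endswith("\\system32"):
        return "system32-root"
    return "other"

def parse_btr_log(text):
    result = {"removed": [], "regkey_errors": [], "completed": False}
    for line in (l.strip() for l in text.splitlines()):
        if (m := REMOVED_RE.match(line)):
            result["removed"].append(m.group(1))
        elif (m := REGKEY_ERR_RE.match(line)):
            result["regkey_errors"].append((m.group(1).lower(), m.group(2)))
        elif line == "BTR Completed Successfully":
            result["completed"] = True
    return result

def link_services_to_files(parsed):
    """Map each MSWU-<hex> service key to the removed file whose stem is that <hex>."""
    stems = {p.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower(): p for p in parsed["removed"]}
    links = {}
    for _code, key in parsed["regkey_errors"]:
        svc = key.rsplit("\\", 1)[-1]
        links[svc] = stems.get(svc.split("-", 1)[-1].lower())
    return links

def summarize(text):
    parsed = parse_btr_log(text)
    by_loc = {}
    for path in parsed["removed"]:
        by_loc.setdefault(classify_location(path), []).append(path)
    return {"by_location": by_loc, "service_links": link_services_to_files(parsed),
            "regkey_errors": parsed["regkey_errors"], "completed": parsed["completed"]}
```

Running `summarize(SAMPLE_BTR_LOG)` on the quoted log pairs both MSWU-* service keys with their system32 executables and isolates the print-processor DLLs, which is the split a responder would want before deciding whether anything persisted.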

Using two resident antivirus programs is a conflict waiting to happen and could leave your system less well protected (avast & MSE).

What is the name of the infected file that avast found, and where was it found, e.g. (C:\windows\system32\infected-file-name.xxx)?

MSE was installed alone and I didn’t have 2 antivirus programs running at once. When I saw how this trojan blocked my access to MSE virus updates I uninstalled MSE and installed Avast. The notification I got from MSE was 3 instances of the win32alureon.bp trojan in my windows/temp folder.

After removing MSE I tried malwarebytes. I found two suspicious files in the same windows/temp folder with similarly random alphanumeric file names and scanned them with malwarebytes receiving notification that they were infected.

Now I run avast as my resident virus protection and keep malwarebytes, spybot search and destroy, and Advanced system care installed as backups. Is this ok, or should I drop the spybot and malwarebytes also?

If you look at my signature I think you will find your answer about a) keeping MBAM and b) spybot S&D.

Advanced system care I’m unsure about as I have never used it, and the main issue about this is the iobit company, as they have a bit of a stain on their copybook. Not long ago they were accused of having many identical detection signatures from MBAM in their product; whilst they claimed they didn’t steal them, etc., they did remove them.