Win32:Alureon-BH [RTK] Rootkit - Virus or Malware Removal

**Mooseknuckle** · #1 10th Jun 2009, 18:15

I have a laptop that has something seriously wrong...an IM was received on aim the other day saying look at this pic....and it turned out to be something bad....

computer is very slow on start up and as soon as it starts avast pops up saying malware was found...

Info from avast is

File name: C:\\windows\system32\SKYNETievebpws.dll
Malware name: Win32:Alureon-BH [RTK]
Malware type: Rootkit

At the bottom of the screen above the system tray avast says C:\\windows\system32\SKYNETievebpws.dll contains a sample of Win32:Alureon-BH [RTK]

any help is appreciated......???evil??? thanks in advance

**sjb007** · #2 10th Jun 2009, 23:22

Hi there

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Once done....

Download GMER Rootkit Scanner from here or here.

Extract the contents of the zipped file to desktop.
Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

Click the image to enlarge it
In the right panel, you will see several boxes that have been checked. Uncheck the following ...
- Sections
- IAT/EAT
- Drives/Partition other than Systemdrive (typically C:\)
- Show All (don't miss this one)
Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
Save it where you can easily find it, such as your desktop and copy and paste this in your next reply

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Post back with the results form both logs

**Mooseknuckle** · #3 11th Jun 2009, 08:37

Thanks for the response....i will not be able to get to this until tomorrow, but i will post results once completed

**sjb007** · #4 11th Jun 2009, 08:43

Thanks for the update

**Mooseknuckle** · #5 17th Jun 2009, 12:05

SJB...sorry for the delay....i will be on tonight to start the repair on this...i should be on around 7pm EST to get working on it....i will post logs once ran....thanks buddy

**Mooseknuckle** · #6 17th Jun 2009, 17:57

i tried running combofix and when i run it i receive this message:

Any ideas? i did not run GMER because you stated i should run combofix 1st.....please let me know....thanks

**sjb007** · #7 17th Jun 2009, 23:48

Hi there

I'd like to confirm what I feel will be bad news for you. If I am correct then it will mean a format of this machine

Please go to: VirusTotal

In the middle of the page you'll find a "Browse" button.

Click the "Browse" button and browse to this file in RED:

C:\WINDOWS\system32\winlogon.exe

Click "Open".
Then click the "Send File" button at the bottom of the VirusTotal page.
This will scan the file. Please be patient.
If you get a message saying File has already been analysed: click Reanalyse file now

Copy and then Paste the scan results in your next reply.

Do the same with:

C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\explorer.exe