Trojan:Win32/Alureon.gen

  • Question

  • I can't get rid of it. Live OneCare won't remove it or clean it, and it can't be quarantined. What to do?
    Thursday, November 20, 2008 11:30 AM

All replies

  • See this post for information about Quarantine Failed - http://forums.microsoft.com/WindowsOneCare/ShowPost.aspx?PostID=1548384&SiteID=2

     

    If you are using Windows Live OneCare and you have been infected, but OneCare did not detect or cannot remove the malware, please contact support to report this and for help with removal.

    How to reach support (FAQ) - http://forums.microsoft.com/WindowsOneCare/ShowPost.aspx?PostID=2421771&SiteID=2

     

    If you are in North America, you can call 866-727-2338 for help with virus and spyware infections. See http://www.microsoft.com/protect/support/default.mspx for details. For international information, see your local subsidiary's Support site.

     

    -steve

    Thursday, November 20, 2008 5:45 PM
    Moderator
  • Hey dannytwosuit

     

    I will need a detailed log, which can give more info about it. Below is where you can find the detailed log file:

    Vista

    1. c:\ProgramData\Microsoft\OneCare Protection\Support\MPLOG* (a file whose name starts with MPLOG)

    XP

    2. c:\Documents and Settings\All Users\Application Data\Microsoft\OneCare Protection\Support\MPLOG* (a file whose name starts with MPLOG; this is if you have Windows XP)

    Note: These are hidden, so you have to make sure that you enable showing hidden files and folders.

    Let me know if you face any problem with the above steps.

    You can email me logs at montyj@microsoft.com

     

    Thanks

    Monty[MSFT]

     

    Thursday, November 20, 2008 7:22 PM
  • I'm having the exact same issue. Here's a dump of my MPLOG from today.

    --------------------------------------------------------------------------------
    Microsoft OneCare Protection Log, (c) 2006
    Started On Mon Nov 24 2008 06:10:56
    ************************************************************
    [Mon Nov 24 2008 06:10:56] Verifying license file...
    [Mon Nov 24 2008 06:10:56] verified!
    [Mon Nov 24 2008 06:10:56] Initializing engine...
    [Mon Nov 24 2008 06:10:58] initialized!
    [Mon Nov 24 2008 06:10:58] Verifying RTP plugin...
    [Mon Nov 24 2008 06:10:58] verified!
    [Mon Nov 24 2008 06:10:59] Initializing RTP plugin state...
    [Mon Nov 24 2008 06:10:59] initialized!
    Product Version: 1.5.1958.0
    Engine Version: 1.1.3520.0
    AS Signature Version: 1.0.0.0
    AV Signature Version: 1.0.0.0
    ************************************************************
    Signature updated on Mon Nov 24 2008 06:11:17
    Product Version: 1.5.1958.0
    Engine Version: 1.1.4104.0
    AS Signature Version: 1.47.682.0
    AV Signature Version: 1.47.682.0
    ************************************************************
    Microsoft OneCare Protection Log, (c) 2006
    Stopped On Mon Nov 24 2008 06:11:59 (Exit Code = 0x0)
    ************************************************************
    --------------------------------------------------------------------------------
    Microsoft OneCare Protection Log, (c) 2006
    Started On Mon Nov 24 2008 06:12:37
    ************************************************************
    [Mon Nov 24 2008 06:12:37] Verifying license file...
    [Mon Nov 24 2008 06:12:37] verified!
    [Mon Nov 24 2008 06:12:37] Initializing engine...
    [Mon Nov 24 2008 06:12:47] initialized!
    [Mon Nov 24 2008 06:12:47] Verifying RTP plugin...
    [Mon Nov 24 2008 06:12:55] verified!
    [Mon Nov 24 2008 06:12:57] Initializing RTP plugin state...
    [Mon Nov 24 2008 06:12:57] initialized!
    Product Version: 1.5.1958.0
    Engine Version: 1.1.4104.0
    AS Signature Version: 1.47.682.0
    AV Signature Version: 1.47.682.0
    ************************************************************
    Begin Resource Scan
    Scan ID:{8F1E27F5-5803-4365-A917-0F4A449D922D}
    Scan Source:8
    Start Time:Mon Nov 24 2008 06:13:17
    End Time:Mon Nov 24 2008 06:13:18
    Explicit resource to scan
    Resource Schema:file
    Resource Path:C:\Windows\System32\kdnwp.exe
    Threat Count:1
    Threat Name:Trojan:Win32/Alureon.gen
    ID:2147596764
    Severity:5
    Number of Resources:1
    Resource Schema:file
    Resource Path:C:\Windows\System32\kdnwp.exe
    End Scan
    ************************************************************

    Begin Resource Scan
    Scan ID:{D9F2C0D1-8CF1-4465-9F9C-70667A3BCD15}
    Scan Source:8
    Start Time:Mon Nov 24 2008 06:13:23
    End Time:Mon Nov 24 2008 06:13:24
    Explicit resource to scan
    Resource Schema:file
    Resource Path:C:\Windows\System32\kdnwp.exe
    Threat Count:1
    Threat Name:Trojan:Win32/Alureon.gen
    ID:2147596764
    Severity:5
    Number of Resources:1
    Resource Schema:file
    Resource Path:C:\Windows\System32\kdnwp.exe
    End Scan
    ************************************************************

    Begin Resource Scan
    Scan ID:{E1B529AE-5582-45C2-91D6-5A5E24D18C7E}
    Scan Source:8
    Start Time:Mon Nov 24 2008 06:13:29
    End Time:Mon Nov 24 2008 06:13:30
    Explicit resource to scan
    Resource Schema:file
    Resource Path:C:\Windows\System32\kdnwp.exe
    Threat Count:1
    Threat Name:Trojan:Win32/Alureon.gen
    ID:2147596764
    Severity:5
    Number of Resources:1
    Resource Schema:file
    Resource Path:C:\Windows\System32\kdnwp.exe
    End Scan
    ************************************************************

    Begin Resource Scan
    Scan ID:{621D01AA-3EE3-42A1-9424-853AD6C5CC6F}
    Scan Source:8
    Start Time:Mon Nov 24 2008 06:13:27
    End Time:Mon Nov 24 2008 06:13:36
    Explicit resource to scan
    Resource Schema:file
    Resource Path:C:\Windows\System32\kdnwp.exe
    Threat Count:1
    Threat Name:Trojan:Win32/Alureon.gen
    ID:2147596764
    Severity:5
    Number of Resources:2
    Resource Schema:service
    Resource Path:Windows Tribute Service
    Resource Schema:file
    Resource Path:C:\Windows\System32\kdnwp.exe
    End Scan
    ************************************************************

    Begin Resource Scan
    Scan ID:{71B5BCF7-F13A-476E-A49F-3BB47ADC6F73}
    Scan Source:8
    Start Time:Mon Nov 24 2008 06:13:35
    End Time:Mon Nov 24 2008 06:13:36
    Explicit resource to scan
    Resource Schema:file
    Resource Path:C:\Windows\System32\kdnwp.exe
    Threat Count:1
    Threat Name:Trojan:Win32/Alureon.gen
    ID:2147596764
    Severity:5
    Number of Resources:1
    Resource Schema:file
    Resource Path:C:\Windows\System32\kdnwp.exe
    End Scan
    ************************************************************

    Beginning threat actions
    Start time:Mon Nov 24 2008 06:14:07
    Threat Name:Trojan:Win32/Alureon.gen
    Threat ID:2147596764
    Action:remove
    Resource action complete:Service failure actions check
    Schema:service
    Path:Windows Tribute Service
    Threat ID:2147596764
    Resource refcount:1
    Result:0
    Removing service/driver:Windows Tribute Service
    Service/driver removal successful via SCM:Windows Tribute Service
    Resource action complete:Removal
    Schema:service
    Path:Windows Tribute Service
    Threat ID:2147596764
    Resource refcount:1
    Result:0
    File cleaned/removed successfully
    File Name:C:\Windows\System32\kdnwp.exe
    Resource action complete:Removal
    Schema:file
    Path:\\?\C:\Windows\System32\kdnwp.exe
    Threat ID:2147596764
    Resource refcount:1
    Result:0
    Finished threat ID:2147596764
    Threat result:0
    Threat status flags:4
    Finished threat actions
    End time:Mon Nov 24 2008 06:14:08
    Result:0
    ************************************************************

    Begin Resource Scan
    Scan ID:{9358B062-545B-4284-9FDC-3C1489DEB4D3}
    Scan Source:8
    Start Time:Mon Nov 24 2008 06:14:36
    End Time:Mon Nov 24 2008 06:14:36
    Explicit resource to scan
    Resource Schema:file
    Resource Path:C:\Program Files\Mozilla Firefox\components\iamfamous.dll
    Threat Count:1
    Threat Name:VirTool:Win32/Obfuscator.DK
    ID:6442583345
    Severity:5
    Number of Resources:1
    Resource Schema:file
    Resource Path:C:\Program Files\Mozilla Firefox\components\iamfamous.dll
    End Scan
    ************************************************************

    Begin Resource Scan
    Scan ID:{E7A9BCDF-5D4C-443F-BB92-CF6F75FE9FFF}
    Scan Source:8
    Start Time:Mon Nov 24 2008 06:14:50
    End Time:Mon Nov 24 2008 06:15:01
    Explicit resource to scan
    Resource Schema:file
    Resource Path:C:\Program Files\Mozilla Firefox\components\iamfamous.dll
    Threat Count:1
    Threat Name:VirTool:Win32/Obfuscator.DK
    ID:6442583345
    Severity:5
    Number of Resources:1
    Resource Schema:file
    Resource Path:C:\Program Files\Mozilla Firefox\components\iamfamous.dll
    End Scan
    ************************************************************

    Beginning threat actions
    Start time:Mon Nov 24 2008 06:15:01
    Threat Name:VirTool:Win32/Obfuscator.DK
    Threat ID:6442583345
    Action:quarantine
    Resource action complete:Quarantine
    Schema:file
    Path:\\?\C:\Program Files\Mozilla Firefox\components\iamfamous.dll
    Threat ID:6442583345
    Resource refcount:1
    Result:0
    File cleaned/removed successfully
    File Name:C:\Program Files\Mozilla Firefox\components\iamfamous.dll
    Resource action complete:Removal
    Schema:file
    Path:\\?\C:\Program Files\Mozilla Firefox\components\iamfamous.dll
    Threat ID:6442583345
    Resource refcount:1
    Result:0
    Finished threat ID:6442583345
    Threat result:0
    Threat status flags:0
    Finished threat actions
    End time:Mon Nov 24 2008 06:15:02
    Result:0
    ************************************************************
    Monday, November 24, 2008 11:24 AM
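The MPLOG file Monty asks for above is plain text in the shape shown in this post. What follows is an added example, not code from the thread or from Microsoft: a small Python parser for that shape (the field names and section layout are inferred from the excerpt above, so treat them as assumptions about the format) that turns each "Begin Resource Scan" block into a detection and each "Beginning threat actions" block into a cleanup record, so you can see which resources a detection ties together (here a service named Windows Tribute Service plus a file in System32) and whether every removal step returned Result:0. SAMPLE_MPLOG is a constructed, trimmed copy of the posted excerpt, embedded so the script runs offline.

```python
"""Parse a Microsoft OneCare Protection MPLOG into detections and cleanup results. Added example for
this thread, not Microsoft code: the format is inferred from the excerpt posted above, and
SAMPLE_MPLOG is a constructed, trimmed copy of that excerpt."""
import re

SAMPLE_MPLOG = r"""Begin Resource Scan
Scan ID:{621D01AA-3EE3-42A1-9424-853AD6C5CC6F}
Resource Schema:file
Resource Path:C:\Windows\System32\kdnwp.exe
Threat Name:Trojan:Win32/Alureon.gen
ID:2147596764
Number of Resources:2
Resource Schema:service
Resource Path:Windows Tribute Service
Resource Schema:file
Resource Path:C:\Windows\System32\kdnwp.exe
End Scan
************************************************************
Beginning threat actions
Threat Name:Trojan:Win32/Alureon.gen
Threat ID:2147596764
Action:remove
Resource action complete:Removal
Schema:service
Path:Windows Tribute Service
Result:0
Resource action complete:Removal
Schema:file
Path:\\?\C:\Windows\System32\kdnwp.exe
Result:0
Threat result:0
Finished threat actions
Result:0
************************************************************
Begin Resource Scan
Threat Name:VirTool:Win32/Obfuscator.DK
ID:6442583345
Number of Resources:1
Resource Schema:file
Resource Path:C:\Program Files\Mozilla Firefox\components\iamfamous.dll
End Scan
************************************************************
"""
_SEP = re.compile(r"^\*{10,}[ \t]*$", re.M)  # rows of asterisks delimit the log's sections


def _kv(line):
    key, _, value = line.partition(":")  # split at the FIRST colon so 'Trojan:Win32/...' survives
    return key.strip(), value.strip()


def _parse_scan(lines):
    det = {"threat": "", "threat_id": "", "resources": []}
    listing, schema = False, ""
    for key, value in map(_kv, lines):
        if key == "ID":                     # bare 'ID' is the threat id; 'Scan ID' is a different key
            det["threat_id"] = value
        elif key == "Threat Name":
            det["threat"] = value
        elif key == "Number of Resources":  # pairs BEFORE this line are the scan target, AFTER it the hits
            listing = True
        elif listing and key == "Resource Schema":
            schema = value
        elif listing and key == "Resource Path":
            det["resources"].append((schema, value))
    return det


def _parse_action(lines):
    act = {"threat": "", "action": "", "steps": [], "result": None}
    step = None
    for key, value in map(_kv, lines):
        if key == "Threat Name":
            act["threat"] = value
        elif key == "Action":
            act["action"] = value
        elif key == "Resource action complete":  # opens one per-resource step
            step = {"kind": value, "schema": "", "path": "", "result": None}
            act["steps"].append(step)
        elif step is not None and key in ("Schema", "Path"):
            step[key.lower()] = value
        elif step is not None and key == "Result" and step["result"] is None:
            step["result"] = int(value)          # first Result after the step header is its code
        elif key == "Threat result":
            act["result"] = int(value)           # the trailing bare Result belongs to the whole action
    return act


def parse_mplog(text):
    """Return (detections, actions) parsed from the separator-delimited sections."""
    detections, actions = [], []
    for section in _SEP.split(text):
        lines = [l for l in section.splitlines() if l.strip()]
        if lines and lines[0] == "Begin Resource Scan":
            detections.append(_parse_scan(lines[1:]))
        elif lines and lines[0] == "Beginning threat actions":
            actions.append(_parse_action(lines[1:]))
    return detections, actions


def cleanup_status(text):
    """Map each detected threat to True/False (cleanup reported success) or None (never acted on)."""
    detections, actions = parse_mplog(text)
    status = {d["threat"]: None for d in detections if d["threat"]}
    for act in actions:
        status[act["threat"]] = act["result"] == 0 and all(s["result"] == 0 for s in act["steps"])
    return status
```

Two details of the format the parser has to respect: the Resource Schema/Resource Path pair before "Number of Resources" is the file that was scanned, and only the pairs after it are the hits; and the bare "Result:0" after "Finished threat actions" belongs to the action as a whole, not to the last step, which is why a step takes only the first Result that follows its header. A service listed alongside the file in a detection means the malware had registered itself with the Service Control Manager; in the posted log the scanner removed that service through the SCM before deleting the file, which is the order you want when checking a log for a cleanup that actually stuck.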
  • Sorry all, I am PC illiterate.

     I don't use Outlook Express for mail. I never could figure out how to make it work, so I use Hotmail and Yahoo mail. 47-year-old tattoo artist computer dummy. I still have the bug; it seems to affect Internet Explorer more than Mozilla, so I use Mozilla now. All the stuff you all are talking about may as well be in Russian. I don't understand what this is. I guess I will wait till whatever it is I pay 40 bucks a year to fix stuff like this figures out how to fix it. That would be Live OneCare.
    Monday, November 24, 2008 11:43 AM
  • dannytwosuit,

    While the other reply offered help in obtaining detailed log information to identify what is still infected, that is optional. See my original reply to you above. You can contact support and they will take care of removing the infection for you.

    -steve

    Monday, November 24, 2008 3:57 PM
    Moderator