
Alureon

Posted: February 23, 2009

Threat Metric

Threat Level: 9/10
Infected PCs: 208
First Seen: July 24, 2009
Last Seen: December 25, 2020
OS(es) Affected: Windows

Alureon is a subgroup of rootkits and Trojans that often consist of multiple components and use sophisticated techniques to steal private information (such as online bank data or account passwords). Specific members of the Alureon gang include the TDL4 rootkit, TDL3 rootkit, Win32/Alureon, Rootkit.Win32.TDSS.bj, Trojan.Win32.Menti.hvdp and TDSS rootkit, all of which have advanced features to evade detection and cripple your computer's security functions. SpywareRemove.com malware analysts have noted that attacks by Alureon rootkits have also acquired infamy by installing additional types of malicious software and by redirecting web browsers to harmful websites. Because Trojans and rootkits from the Alureon family are notoriously difficult to find or delete, it's strongly recommended that you use powerful anti-malware software to remove Alureon from your PC if you think that you have an Alureon infection.

Alureon – A Complex but Powerful Plan to Bilk Your PC Out of Everything

Direct symptoms of Alureon activities are a rare occurrence, since Alureon, like all Trojans and rootkits, will take steps to hide itself from ready detection. However, you may be able to notice Alureon due to unusual network activity, malfunctions in security software or browser redirect attacks. Alureon infections are often composed of multiple components, including a 'dropper' Trojan that installs the rest of the Alureon rootkit, as well as a 'payload' Trojan that coordinates Alureon's attacks. Typical Alureon-related risks that SpywareRemove.com malware analysts have found include:

  • The installation of other forms of harmful software with varying degrees of visibility. Some programs, such as rogue security applications, may be very visible, while others, such as keyloggers, may be difficult or impossible to detect without some form of anti-malware program.
  • Browser hijacks that redirect your online searches to unusual websites. Websites that are promoted by Alureon are, of course, utterly unsafe for your PC, even if they might appear to be a trustworthy search engine or software website.
  • Loss of personal information due to spyware-related activities that Alureon may be configured to use against your PC. This can include taking screenshots, keylogging and even recording webcam data.
  • Infection of Internet Explorer processes.
  • The inclusion of a DNSChanger component that attacks your Domain Name Server settings. This allows Alureon to intercept information that you send through the Internet (or receive from it).

Other attacks may also vary, depending on the variant of Alureon as well as any instructions that Alureon receives from an outside command server.

How to Get Rid of Alureon and Ensure That It Will Not Be Back

Improper removal of Alureon can easily allow Alureon to regenerate itself and resume its attacks. SpywareRemove.com malware researchers have noted that the most common way for this to occur is for Alureon to restore itself from an infected system backup file. If you find it necessary to replace damaged Windows components, it's recommended that you reinstall the files from a clean source instead of trying to restore them from an on-board backup.

New versions of Alureon rootkits have also been found to corrupt certain drivers to the point of making them unusable; common Alureon victims include atapi.sys, iastorv.sys, idechndr.sys, nvata.sys, nvstor.sys, nvstor32.sys, nvatabus.sys, nvgts.sys, iastor.sys and sisraid.sys. As noted above, the standard precaution against using backups still applies. You may also need to restore other types of system settings, such as your DNS settings, from any changes that Alureon may have made. Failure to do this, even after you've deleted Alureon, may result in exposure to sites that reinfect your PC with Alureon or related PC threats.
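The paragraph above advises replacing corrupted drivers from a clean source rather than from an on-board backup. The script below is an added example, not code from SpywareRemove.com, that puts that advice into a check: it hashes each of the driver files the page names as common Alureon victims and compares the live copy with a known-good copy. The two directory paths (the live drivers directory and a folder of clean copies extracted from install media) are assumptions passed in by the caller; the driver names are the ones listed on the page.

```python
"""Compare driver files that Alureon is known to corrupt against clean copies.

Added example (not from the original page). Assumes:
  - DRIVERS_DIR points at the live driver directory (on Windows this is
    typically %WINDIR%\\System32\\drivers),
  - CLEAN_DIR holds copies of the same files taken from install media or
    another clean source, NOT from this machine's own backup/restore data,
    which the page warns may already be infected.
"""
import hashlib
import os
import sys

# Driver names the page lists as common Alureon victims.
ALUREON_TARGET_DRIVERS = [
    "atapi.sys", "iastorv.sys", "idechndr.sys", "nvata.sys", "nvstor.sys",
    "nvstor32.sys", "nvatabus.sys", "nvgts.sys", "iastor.sys", "sisraid.sys",
]


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large drivers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def compare_drivers(drivers_dir, clean_dir, names=ALUREON_TARGET_DRIVERS):
    """Return {driver name: status} for every name in `names`.

    Statuses:
      'ok'            live and clean copies hash identically
      'MISMATCH'      live copy differs from the clean copy (investigate)
      'missing-live'  driver is not installed here (normal for vendor-specific drivers)
      'no-clean-copy' installed, but no reference copy was supplied to compare against
    """
    results = {}
    for name in names:
        live = os.path.join(drivers_dir, name)
        clean = os.path.join(clean_dir, name)
        if not os.path.isfile(live):
            results[name] = "missing-live"
        elif not os.path.isfile(clean):
            results[name] = "no-clean-copy"
        elif sha256_of(live) == sha256_of(clean):
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


def mismatches(results):
    """Names whose live copy differs from the clean reference."""
    return sorted(n for n, s in results.items() if s == "MISMATCH")


if __name__ == "__main__":
    # Usage: python check_drivers.py <live drivers dir> <clean copies dir>
    if len(sys.argv) != 3:
        sys.exit("usage: check_drivers.py DRIVERS_DIR CLEAN_DIR")
    report = compare_drivers(sys.argv[1], sys.argv[2])
    for name, status in report.items():
        print(f"{name:14s} {status}")
    print("needs replacement from clean source:", mismatches(report) or "none")
```

A hash mismatch is a prompt to look closer, not proof of infection on its own: a clean copy from a different patch level will also differ, so confirm the reference copy matches the installed Windows build (or check the file's digital signature) before replacing anything. What the script does guarantee is that the comparison never relies on the machine's own backups, which the page identifies as the usual route by which Alureon restores itself.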

Aliases

  • W32/Daws.BOLW!tr [Fortinet]
  • Trojan.WinNT.Alureon [Ikarus]
  • Trojan:WinNT/Alureon [Microsoft]
  • Heuristic.BehavesLike.Win32.ModifiedUPX.C [McAfee-GW-Edition]
  • TR/Symmi.17638.8 [AntiVir]
  • Gen:Variant.Symmi.17638 [BitDefender]
  • Trojan-Dropper.Win32.Daws.bolw [Kaspersky]
  • Win32:Kryptik-LJL [Trj] [Avast]
  • WS.Reputation.1 [Symantec]
  • Artemis!B0DD981293FF [McAfee]
  • Trj/Genetic.gen [Panda]
  • Generic32.LJL [AVG]
  • W32/TDSS.AWYC!tr [Fortinet]
  • Mal/Generic-S [Sophos]
  • Trojan-Dropper.Win32.TDSS.awyc [Kaspersky]
More aliases (326)

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

File name: wow64main.exe
Size: 1.25 MB (1253376 bytes)
MD5: acedcadac22f048b3f8cbaf3b0d17729
Detection count: 86
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: December 11, 2009

File name: richtx64.exe
Size: 716.8 KB (716800 bytes)
MD5: 9b3b7ed96e87fb7c22ee4e06dab9c994
Detection count: 86
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: January 8, 2010

File name: wow64main.exe
Size: 1.25 MB (1253376 bytes)
MD5: 839e68b258ca56a5693a47bd610415f5
Detection count: 85
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: December 11, 2009

File name: richtx64.exe
Size: 675.84 KB (675840 bytes)
MD5: 0bb6c6eda62730fd75c7f119bd154cae
Detection count: 85
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: January 8, 2010

File name: wow64main.exe
Size: 1.25 MB (1253376 bytes)
MD5: 227ef1a68b0bbeaa4ffe2fd70ccecc1c
Detection count: 81
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: December 11, 2009

File name: 00195d36.exe
Size: 40.44 KB (40448 bytes)
MD5: fb42eeab698100873bf979d5ba0f0661
Detection count: 74
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: February 19, 2010

File name: richtx64.exe
Size: 671.74 KB (671744 bytes)
MD5: 68ba7355d861d924f721720d4b64bb06
Detection count: 66
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: January 8, 2010

File name: tempo-139671.tmp
Size: 14.84 KB (14848 bytes)
MD5: c776a1cc39ba2f07473640e31d01f5c6
Detection count: 63
File type: Temporary File
Mime Type: unknown/tmp
Group: Malware file
Last Updated: December 11, 2009

File name: 0.20486604276581433
Size: 131.58 KB (131584 bytes)
MD5: 27939705590a4974edb156ea339dca85
Detection count: 62
Mime Type: unknown/20486604276581433
Path: %SystemDrive%\Users\<username>\AppData\Local\Temp
Group: Malware file
Last Updated: March 29, 2013

File name: komitaw.dll
Size: 10.75 KB (10752 bytes)
MD5: d823c950238ef9afa45cdc509f04a05c
Detection count: 56
File type: Dynamic link library
Mime Type: unknown/dll
Path: %WINDIR%\system32\config\systemprofile\AppData\Local
Group: Malware file
Last Updated: December 18, 2012

File name: kernel64xp.dll
Size: 298.49 KB (298496 bytes)
MD5: c1f8d3c96f8ce34de36e1ef9ccc1d5ca
Detection count: 46
File type: Dynamic link library
Mime Type: unknown/dll
Group: Malware file
Last Updated: June 8, 2010

File name: geyekrxnrwowrd.dll
Size: 20.48 KB (20480 bytes)
MD5: 39fbb470fe4ccf16e050765b15d1729a
Detection count: 45
File type: Dynamic link library
Mime Type: unknown/dll
Group: Malware file
Last Updated: December 11, 2009

File name: richtx64.exe
Size: 671.74 KB (671744 bytes)
MD5: c63cd2dac85d84eeb1cd377a1c893a54
Detection count: 44
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: January 8, 2010

File name: dmgmi.exe
Size: 47.1 KB (47104 bytes)
MD5: dc3db45bc4a374558ef68a81b778ed27
Detection count: 34
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: December 11, 2009

File name: thpm3895857826689602663.tmp
Size: 121.34 KB (121344 bytes)
MD5: 46675e831a2b30d0457c8fa21ee527e9
Detection count: 28
File type: Temporary File
Mime Type: unknown/tmp
Path: %TEMP%
Group: Malware file
Last Updated: September 26, 2011

File name: thpm5973560001937761939.tmp
Size: 103.42 KB (103424 bytes)
MD5: d458c6eb75444101d6d27c8eca66d3f8
Detection count: 25
File type: Temporary File
Mime Type: unknown/tmp
Path: %TEMP%
Group: Malware file
Last Updated: September 8, 2011

File name: senekaovrgoend.sys
Size: 67.58 KB (67584 bytes)
MD5: c1cf34e2585abad18a912ee59535ebbf
Detection count: 24
File type: System file
Mime Type: unknown/sys
Group: Malware file
Last Updated: December 11, 2009

File name: thpm7697982094124185074.tmp
Size: 86.01 KB (86016 bytes)
MD5: 1ee5efbdfc7c9c77e3737da1e1374fa1
Detection count: 24
File type: Temporary File
Mime Type: unknown/tmp
Path: \\.\globalroot\Device\HarddiskVolume3\Users\<username>\AppData\Local\Temp
Group: Malware file
Last Updated: August 25, 2011

File name: win403700.dat
Size: 103.93 KB (103936 bytes)
MD5: c97844bdc7793ae395bdcd345decbca8
Detection count: 19
File type: Data file
Mime Type: unknown/dat
Path: %TEMP%
Group: Malware file
Last Updated: December 25, 2020

File name: win4036e0.dat
Size: 102.91 KB (102912 bytes)
MD5: 3bfe572d5600f77c8a2d9e81000e1e89
Detection count: 12
File type: Data file
Mime Type: unknown/dat
Path: %TEMP%
Group: Malware file
Last Updated: September 21, 2011

File name: win4036e0.dat
Size: 103.42 KB (103424 bytes)
MD5: 3cc43862518c71a5309590f835875703
Detection count: 5
File type: Data file
Mime Type: unknown/dat
Path: %TEMP%
Group: Malware file
Last Updated: November 28, 2011

File name: %TEMP%:winupd.exe
Size: 133.63 KB (133632 bytes)
MD5: 1ffd2c773aaf54bf2f6329c091ffdee3
Detection count: 5
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: January 10, 2012
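The file list above is useful as a set of indicators only if it can be turned into a check. The script below is an added example, not code from SpywareRemove.com: it parses records in the same "File name / Size / MD5" layout the page uses and then walks a directory looking for files whose size and MD5 both match. The embedded excerpt is a constructed sample that copies two records from the list above; the directory to scan is an assumption supplied by the caller.

```python
"""Hunt a directory tree for files matching the page's size + MD5 indicators.

Added example (not from the original page). RECORDS_TEXT is a constructed
excerpt copied from the page's file list; the scan root is passed in by the
caller. Size is checked first so only candidates of the right length are hashed.
"""
import hashlib
import os
import re
import sys

# Constructed sample: two records in the page's own flattened layout.
RECORDS_TEXT = r"""
wow64main.exe File name: wow64main.exe
Size: 1.25 MB (1253376 bytes)
MD5: acedcadac22f048b3f8cbaf3b0d17729
Detection count: 86
File type: Executable File
%WINDIR%\system32\config\systemprofile\AppData\Local\komitaw.dll File name: komitaw.dll
Size: 10.75 KB (10752 bytes)
MD5: d823c950238ef9afa45cdc509f04a05c
Detection count: 56
File type: Dynamic link library
"""


def parse_records(text):
    """Split the flattened listing into dicts with name, size (bytes) and md5."""
    records, current = [], None
    for line in text.splitlines():
        if "File name:" in line:
            # A new record starts; the text before "File name:" is the path or name again.
            current = {"name": line.split("File name:", 1)[1].strip()}
            records.append(current)
        elif current is None:
            continue
        elif line.startswith("MD5:"):
            current["md5"] = line.split(":", 1)[1].strip().lower()
        elif line.startswith("Size:"):
            m = re.search(r"\((\d+) bytes\)", line)
            if m:
                current["size"] = int(m.group(1))
    return records


def md5_of(path, chunk=1 << 20):
    """MD5 of a file, streamed so large files are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt(root, records):
    """Return [(path, record)] for files under root whose size and MD5 match a record."""
    by_size = {}
    for r in records:
        if "md5" in r and "size" in r:
            by_size.setdefault(r["size"], []).append(r)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                size = os.path.getsize(path)
            except OSError:
                continue  # unreadable or vanished between listing and stat
            candidates = by_size.get(size)
            if not candidates:
                continue  # size prefilter: nothing on the list is this long
            digest = md5_of(path)
            for r in candidates:
                if digest == r["md5"]:
                    hits.append((path, r))
    return hits


if __name__ == "__main__":
    # Usage: python hunt_iocs.py <directory to scan>
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, rec in hunt(root, parse_records(RECORDS_TEXT)):
        print(f"MATCH {path}  ({rec['name']}, md5 {rec['md5']})")
```

Matching on both size and hash keeps the scan cheap and avoids false positives from the filename alone, which matters here because several of the page's entries (richtx64.exe, wow64main.exe) share a name but carry different hashes. The last entry in the page's list, `%TEMP%:winupd.exe`, is written with NTFS alternate-data-stream syntax; a plain directory walk like `os.walk` does not enumerate streams, so that indicator needs a stream-aware tool rather than this script.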



2 Comments

  • Reginia says:

    I am DYING to remove this program... does anyone know if it will come back after using SpyHunter?

  • Beela says:

    I removed a Trojan virus on my computer, but my Google toolbar and start menu look different? Please help. I got rid of the virus; it is the first time my computer has ever had a virus. And after I got rid of it, my Windows start menu changed and it looks like Windows 98, and also my Google toolbar and internet bars have changed. What happened? Is my computer OK? Should I worry? Sorry guys, it was just my little sister messing with my computer >:S THANKS!
