Alureon.a rootkit

computerpro3 (LightningRod; joined Mar 29, 2003; 8,702 messages)
So, I just had my first major virus problem in about six or seven years. I was unraring a file I downloaded and MSE alerted to Alureon.a. I clicked "remove" and my computer immediately did an "unknown hard error" BSOD. Then it would no longer boot.

Apparently, this is a really nasty rootkit that injects itself into not only system drivers (atapi.sys) but into the MBR as well. A simple reformat will not fix it.

I transferred the drive (250GB Vertex SSD) into a second PC and MSE claimed to remove it. TDSSKiller also comes up clean. But honestly I just don't trust it. MSE shouldn't be able to affect the MBR, right? It's got to be still there.

Is there any way to truly remove it or should I just secure-erase the drive?

Will fixmbr overwrite the infected copy with a clean one?
 
Wow, you're a 'pro' and just running into this now? :) I get dozens of these a week.

Boot to the recovery console and run fixmbr, then boot to safe mode and run ComboFix, reboot to normal mode and run ComboFix again (not always necessary, but I do it for peace of mind), then run MBAM and full MSE scans. If you think it's necessary, run an online NOD32 scan and possibly SuperAntiSpyware to verify you're clean.

On most customer machines I then run updates on windows and java, but since you're a professional, you should already be up to date.

The latest round of these has also been screwing with the .exe file associations, so you may have to go into the registry to fix that, too.

Running on an SSD machine, it should take you less time than a reinstall, but if you want to feel really secure, DBAN-erase it and start from scratch.
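As a concrete check for the fixmbr step above, and for the question of whether the infected copy actually got overwritten, here is an added example script that is not from the thread and not a tool any poster mentioned. It parses a dumped 512-byte MBR sector, validates the 0x55AA signature, decodes the partition table, hashes the boot code (bytes 0 to 445) against a known-good reference, and reports what a repair changed: a fixmbr that worked should replace the boot code while leaving the partition table intact. The function names, the sample sectors and the reference hash are all constructed for illustration; a real reference hash has to come from a sector dumped on a machine you trust.

```python
"""Inspect a 512-byte MBR sector and compare its boot code with a clean reference.

Added example, not code from the thread. Dump sector 0 before and after running
fixmbr and feed both dumps to compare_sectors() to see what the repair changed.
"""
import hashlib
import struct
import sys

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446       # bytes 0..445 hold the executable boot code
PTABLE_OFFSET = 446       # four 16-byte partition entries follow the code
SIGNATURE_OFFSET = 510    # bytes 510..511 must be 0x55 0xAA


def parse_partition_table(sector: bytes) -> list:
    """Decode the four MBR partition entries (unused entries have type 0)."""
    entries = []
    for i in range(4):
        off = PTABLE_OFFSET + 16 * i
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries


def analyze_mbr(sector: bytes, known_good_sha256: str = None) -> dict:
    """Return the boot-code hash, the partition table and a list of findings."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    digest = hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()
    findings = []
    if sector[SIGNATURE_OFFSET:] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    parts = parse_partition_table(sector)
    if sum(1 for p in parts if p["bootable"]) > 1:
        findings.append("more than one partition flagged bootable")
    if known_good_sha256 is not None and digest != known_good_sha256:
        findings.append("boot code differs from known-good reference")
    return {"boot_code_sha256": digest, "partitions": parts, "findings": findings}


def compare_sectors(before: bytes, after: bytes) -> dict:
    """Summarise a repair: boot code should change, partition table should not."""
    return {
        "boot_code_changed": before[:BOOT_CODE_LEN] != after[:BOOT_CODE_LEN],
        "partition_table_changed": (before[PTABLE_OFFSET:SIGNATURE_OFFSET]
                                    != after[PTABLE_OFFSET:SIGNATURE_OFFSET]),
        "signature_valid_after": after[SIGNATURE_OFFSET:] == b"\x55\xaa",
    }


def build_sample_mbr(boot_code: bytes, entries) -> bytes:
    """Assemble a constructed test sector from boot code and (status, type, lba, count) tuples."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack("<B3xB3xII", s, t, lba, n) for s, t, lba, n in entries)
    return code + table.ljust(64, b"\x00") + b"\x55\xaa"


# Constructed samples (not real dumps). CLEAN_CODE is the opening of a typical
# Windows MBR (xor ax,ax / mov ss,ax / mov sp,0x7c00 / mov es,ax / mov ds,ax);
# TAMPERED_CODE stands in for replaced boot code. Both keep the same partition
# table, which is how a bootkit keeps the machine booting normally.
CLEAN_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8"
TAMPERED_CODE = b"\xeb\x3c\x90" + b"\x90" * 20
PARTS = [(0x80, 0x07, 2048, 488_396_800)]   # one bootable NTFS partition, constructed
CLEAN_MBR = build_sample_mbr(CLEAN_CODE, PARTS)
INFECTED_MBR = build_sample_mbr(TAMPERED_CODE, PARTS)
CLEAN_HASH = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()


if __name__ == "__main__":
    # Usage: python check_mbr.py <sector-dump> [known-good-sha256]
    # Dump sector 0 first, e.g. on Windows as Administrator (assumed to work
    # with Python's file API on raw device paths):
    #   python -c "open('mbr.bin','wb').write(open(r'\\.\PhysicalDrive0','rb').read(512))"
    # or on Linux: dd if=/dev/sda of=mbr.bin bs=512 count=1
    if len(sys.argv) < 2:
        print("no dump given; analysing the constructed samples instead")
        print(analyze_mbr(INFECTED_MBR, CLEAN_HASH))
        print(compare_sectors(INFECTED_MBR, CLEAN_MBR))
    else:
        with open(sys.argv[1], "rb") as f:
            sector = f.read(SECTOR_SIZE)
        print(analyze_mbr(sector, sys.argv[2] if len(sys.argv) > 2 else None))
```

The comparison deliberately ignores the disk signature and partition table, since fixmbr is supposed to leave those alone; if `partition_table_changed` comes back true after a repair, something other than fixmbr touched the sector and the dump deserves a closer look.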
 
I'm not actively working in IT, the username was from when I first signed up from [h] 8 years ago - when I was fourteen. No need to be sarcastic about it.

Thanks for the help though.
 
Careful surfing is the best protection, but with the number of infected sites out there, even that isn't foolproof. Staying away from warez rars would help, though.
 