Got hit with Alureon.A

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
MBR was fubbared.

Not very happy with the wife. I told her to NEVER play the free online
games. She ignored my warning and was playing a game online. She saw
an email from our attorney, stopped the game and tried to open the
PDF. The PDF locked up her system and when she rebooted it was stuck
in a continuous loop. So it came from the game site or from the PDF.
I'm not going to try opening the PDF myself to see if it was the
source. It comes up clean with MSSE.

Now I am spending my Saturday restoring her PC.  It's a royal PITA.

She is VERY apologetic. I plan to use that to my advantage tonight. ;)

Re: Got hit with Alureon.A


Quoted text here. Click to load it

After you restore your PC, make an image of it...I prefer Macrium
Reflect. Next time is will take you 30 minutes to restore the image.

You can get the links from my website:
"IMAGING YOUR SYSTEM
DO IT NOW!

The single most important aspect of a computer recovery is to be able to
re-image your computer easily. There is no silver bullet or suite of
software that can guarantee you will not become infected. There is no
guarantee or certain way to know that you will be able to clean all of
the malware if you become infected and even so, that process can actually
take longer than re-imaging your computer. Making an image of your system
is the fastest and best solution for hard drive failure or recovering
from malware infections. It is also something anyone can do easily
regardless of their level of technical knowledge.

The act of restoring an image, completely erases the contents of your
hardrive/partition and rewrites the entire contents of the image. If this
image is an image of your active partition (partition on a hard drive set
as the bootable partition and contains the operating system) it will
completely restore your system as it was at that time. Making an image of
your system can reduce complete system restoration time to thirty minutes
or less and it is very easy to do. This is the best overall protection
you can have. I cannot stress the importance this enough.

First you should obtain an external hard drive and create backup folders
on that drive. (You can use CD/DVDs to copy your images to, however,
multiple CD/DVDs will be needed and how many depends on how large your
drive is.) Before you make a restoration image, update your programs, run
deep scans with your antivirus and manual scanners, clean and defragment
your machine in order to get as clean an image as possible.

Download and install your backup imaging program. I recommend Macrium
Reflect. Macrium Reflect on first run prompts you to create a boot CD.
Insert a blank CD and make one. Next, create your backup image and save
it to your external hard drive. To restore your image, place the Macrium
Reflect boot CD in your CD drive and restart. Then connect your external
hard drive, and follow the wizards. It is that simple.

Video1 showing how to create an image with Macrium Reflect, and Video2
showing how to restore an image with Macrium Reflect which was made about
one year ago though it is still current enough to provide you the
necessary information.

HowToGeek reviews how to use Macrium Reflect.

It is an easy process and I highly recommend to have a backup image of
your entire system which will make it painless to restore your operating
system to the last clean image you made in the event of a castastrophy.
Also remember to make new images periodically when your system changes
significantly.

Tip: Keep the last few images you make as you may discover a corrupt
image or make a dirty image (system not clean when you make the image).

Tip: If you are not sure your system is clean, it may be worth the effort
to restage your computer with your factory restoration CDs or on hard
drive restoration factory images, reload the Windows updates, reinstall
your programs, data files and settings and then make an image. This may
take a long time, but it is worth having an image of your computer in a
pristine state.

Tip: With Macrium Reflect, you can Browse or Explore an image by mounting
the image file in Windows Explorer. This makes the image appear as a
drive in Windows Explorer that you can access just like any other drive
and has its own drive letter. With Marium Reflect, the image is mounted
as read only. This means that you cannot change the contents of image but
you can copy files from the mounted image in Windows Explorer to your PC.
You can also open files (such as WORD documents) by double clicking. To
mount the image, right click on the image file in Windows Explorer and
select 'Explore Image.' Select the partition from your image you wish to
view. Your image partition will be displayed in Windows Explorer with its
own drive letter with all of the files and folders that were on your
computer when you made the image."

--
Bear Bottoms
Owner of Freeware website: http://bearware.info

Re: Got hit with Alureon.A

[...]

Quoted text here. Click to load it

So you're basically just taking this opportunity to promote your site?

That's okay by me  :o)

I was pleasantly surprised that you didn't pretend that AV wasn't needed
if a good recovery plan was in place - so many others do that. You
evidently have what's colloquially known as "clue", and so I actually
visited your site.

You've got an excellent collection of favorites there, nicely done.

...you two have a nice day now.



Re: Got hit with Alureon.A


Quoted text here. Click to load it

Good to hear, but actually just too lazy to include the links in what I
thought was an appropriate response to the OPs situation.
Quoted text here. Click to load it

I find many people spend their efforts on prevention and ignore
recovery. The bad guys win every time at this.

At best, many folks just have factory restoration images on their hard
drive...no recovery disks at all...tsk tsk.

I do think a very good recovery plan is the single most important factor
(recovery includes financial, resoration, data etc.), but
yes...prevention software is very important, as well as, many other
factors that may even be more important-but still prevention must be
included in a good plan.

Er, you could read my comprehensive plan for security on my website
security page unless you would rather I post it here :) I don't get
anything for hits on my website, and I don't want donations, so go or
not is not that important to me, (if you might like to know.) BTW, It's
doing fine.

Quoted text here. Click to load it
Thanks. Gizmo does have the best freeware website, though my whole theme
is to make it simple to see the stuff and I do keep up. It is a
collection of my favorites...though I share no loyalties and will
replace any of them if I find (or am convinced) what I think might be a
better one. It seems the dynamics are with security programs...much
changes fast.


--
Bear Bottoms
Owner of Freeware website: http://bearware.info

Re: Got hit with Alureon.A

Quoted text here. Click to load it

It was.


Plus, one cannot prevent harddrive failure. :o)

Quoted text here. Click to load it

Absolutely.


I think I will check it out, thanks.

Quoted text here. Click to load it

Indeed it does.



Re: Got hit with Alureon.A

Per Bear Bottoms:
Quoted text here. Click to load it

+ 1.
--
PeteCresswell

Re: Got hit with Alureon.A

wrote:

Quoted text here. Click to load it

Thank you for the suggestion. I will give it a trial run.

Re: Got hit with Alureon.A


| MBR was fubbared.

| Not very happy with the wife. I told her to NEVER play the free online
| games. She ignored my warning and was playing a game online. She saw
| an email from our attorney, stopped the game and tried to open the
| PDF. The PDF locked up her system and when she rebooted it was stuck
| in a continuous loop. So it came from the game site or from the PDF.
| I'm not going to try opening the PDF myself to see if it was the
| source. It comes up clean with MSSE.

| Now I am spending my Saturday restoring her PC.  It's a royal PITA.

| She is VERY apologetic. I plan to use that to my advantage tonight. ;)

The Alureon name is Microsoft's name for the TDSS RootKit.  In TDSS Level 3 and
above
(aka; TDL3) variants the RootKit can be injected into the MBR.  The latest is
TDL4.

Some utilities to remove it...
TDSSKiller
http://support.kaspersky.com/viruses/solutions?qid=208280684

Gmer and MBR utilities by Gmer.
Gmer Random file name download
http://www.gmer.net/download.php

or
http://www.gmer.net/gmer.zip

MBR utility
http://www2.gmer.net/mbr/mbr.exe

If you have problems, go one of the following forums and register.  Tell 'em I
sent 'ya.
http://www.thespykiller.co.uk/index.php?board=3.0
http://www.malwarebytes.org/forums/index.php?showforum=7

--
Dave
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Got hit with Alureon.A


Quoted text here. Click to load it

It seems to me a bit late for that advice as he has stated he is spending
his Saturday restoring the computer. Likely the best approach though any
other is a moot point now, isn't it.

After the restoration with the many MS updates, and re-loading of
programs - about six hours worth of work - a nice image would be smart.
The the next time, 30 minutes will accomplish the same thing.

--
Bear Bottoms
Owner of Freeware website: http://bearware.info

Re: Got hit with Alureon.A



Quoted text here. Click to load it


| It seems to me a bit late for that advice as he has stated he is spending
| his Saturday restoring the computer. Likely the best approach though any
| other is a moot point now, isn't it.

| After the restoration with the many MS updates, and re-loading of
| programs - about six hours worth of work - a nice image would be smart.
| The the next time, 30 minutes will accomplish the same thing.

I don't know hat stage he is in.  It doesn't matter.  He made the post and is
thus "out
there".
Experience tells me others may find this thread either on Usenet or one of those
leeching,
vampire, forums that connect to Usenet.
In any case, I often write my replies not only or the OP but the greater Usenet
audience.
Feedback overtime amplies the value of this.

I can't disagree with your reply.  It was valuable information.  However when
you wrote
"The the next time, 30 minutes will accomplish the same thing."  It was a bit of
an over
simplification.

First it takes time, every time, to make images.  No image is going to be 100%
"recent"
and chances are there is a time lag between the image creation date and the
image
restoration date.  The difference in time would manifest itself in changes made
to data
and the OS.  So, in a nut shell, it take more time to become whole than just
restoring and
that 30 minutes to do so.  Albeit, it sure beats the hell out of wiping and
re-installing
from scratch and trying to replicate the way the system used to run.

--
Dave
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Got hit with Alureon.A


Quoted text here. Click to load it

A month ago I would have agreed with you entirely, however I have changed
my approach to this. It only takes me 23 minutes to make an image of my
entire active partition (which is the only partition I use now for all
files.)

Whenever my system changes significantly, I make a new image - one that I
would restore to in the event such becomes necessary. While that image
only takes 23 minutes to make, I have to insure my system is clean
(infections, temp files, etc.) which takes a lot longer. This is the
point at which I would agree with you.

However, I now make what I call an intermediate images as I do not take
the time to insure the system is clean. These images are taken between
restoration images frequently enough to insure intermediate changes are
captured. This is in lieu of selective file/folder backup/sync programs
as I can capture my entire system in 23 minutes. I use these in the event
I want something after my restoration image if I have to use it. I find
this much simpler and much less time consuming. Managing these files on
my exteral hard drives takes seconds and is a snap. Mounting them is also
a snap.

While this may not work for everyone, I have freed up a lot of time I
used to use making backups...even auto-backups as my images are
scheduled. There is virtually no setup, just image the whole thing. I've
had to go back and tweak the file/folder choices on my used to be backup
profiles too many times. I no longer have to.

--
Bear Bottoms
Owner of Freeware website: http://bearware.info

Re: Got hit with Alureon.A

Per David H. Lipman:
Quoted text here. Click to load it

Having had a teenager banging on my PC's several hours a day
every day, I've become comfortable with the image/restore
approach.   I'll re-image the moment something even seems flaky.

And 30 minutes is about right.

The trick lies in how the system is set up and in learning to
save data somewhere besides the system drive.

The disc needs tb portioned into C:System (maybe 40 gigs max) and
D:Data (the remainder) or a second disc needs tb designated as
D:.

Saving data to D: takes a little discipline and learning.  Things
like setting MS Office's default directories, changing the
location of "MyDocuments", and so-forth.

But once you get it, it's no problem on-going and 30-minute
restores become realistic.

Why MS doesn't build a default option to do this into their basic
installation process continues to mystify me.

--
PeteCresswell

Re: Got hit with Alureon.A

On 11/15/2010 8:55 AM, (PeteCresswell) wrote:
Quoted text here. Click to load it
I agree with you. As far as MS and recovery that comes with most
consumer computers, partitioning is ignored and no provision made for
location of My Documents. Linux with it's HOME directory (which can be a
partition) handles this much better.
Basically, if the os and Program Files are located on the C partition
and data on a separate partition, you won't lose much when restoring an
earlier image.
While I'm typing, it's worth mentioning that the imaging programs with
which I am familiar do not save or restore the MBR, the op's complaint
that started this post.
For this you can download a mbrwork for free from
www.terabyteunlimited.com. No doubt there are many other solutions for
this on the web.

Re: Got hit with Alureon.A

On Sat, 13 Nov 2010 16:13:51 -0500, "David H. Lipman"

Quoted text here. Click to load it

I downloaded it and ran it on my PC just to be sure I had not cross
contaminated my machine. When her PC became infected I removed the
drive and hooked it up to an external USB drive access device to see
if I could save her emails, etc. When I tried to view the drive MSSE
on my machine detected the threat, removed it and said to reboot. Upon
rebooting another app advised that my BPB had been modified. I did a
full rescan of my machine at the time and it showed as clear. Being
able to run TDSSKiller as a double check has reassured me that My PC
is okay. Thank you.

BTW, I have disabled Acrobat's JavaScript capabilities on all of our
PCs now.

Re: Got hit with Alureon.A


| On Sat, 13 Nov 2010 16:13:51 -0500, "David H. Lipman"

Quoted text here. Click to load it

| I downloaded it and ran it on my PC just to be sure I had not cross
| contaminated my machine. When her PC became infected I removed the
| drive and hooked it up to an external USB drive access device to see
| if I could save her emails, etc. When I tried to view the drive MSSE
| on my machine detected the threat, removed it and said to reboot. Upon
| rebooting another app advised that my BPB had been modified. I did a
| full rescan of my machine at the time and it showed as clear. Being
| able to run TDSSKiller as a double check has reassured me that My PC
| is okay. Thank you.

| BTW, I have disabled Acrobat's JavaScript capabilities on all of our
| PCs now.

That's what the US CERT has continusously suggested to deal with many of the
malicious PDF
exploits.

The PDF format is the most widely used vulnerability being exploited.

When you removed the drive from the affected PC and inserted as a drive on a
surrogate PC
you can remove the TDSS in all versions because it is not running.  Since the
RootKit is a
trojan and not a virus and it can not auto matically spread and infect the
surrogate PC.

--
Dave
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



Site Timeline