Window XP: Removing Aleureon-B@mbr?

I'm in the process of trying to fix up an old Dell Inspiron B130
laptop for somebody.

First thing I did was replace the expired McAfee virus protection
with the freebie version of Avast.

On the first scan, Avast identified 10 infected files and I had
it move them to Avast's "Chest".   Going by file
names/directories, none of them looked particularly critical to
the system's functioning and, indeed, it seemed to run OK after
the next boot.

Then I scheduled a boot scan which turned up Malware-Gen and
something called Alureon-B@mbr - which sounds ominous to me, who
knows next to nothing.

Apparently it belongs to the category of malware called "root
kit" - of which I know zilch except that it is reputedly harder
to detect and maybe impossible to remove.

Can anybody elucidate?
--
PeteCresswell

Re: Window XP: Removing Aleureon-B@mbr?

On 2/15/2011 11:32 AM, (PeteCresswell) wrote:

Hello Pete:

You want TDSSKiller:

<http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller>

HTH

--
1PW

Re: Window XP: Removing Aleureon-B@mbr?

Per 1PW:

I think I'm gonna have to go there.

Just ran the second Avast Boot-Time scan and it found zero
problems.

Yet, once one of the users' sessions was up and just sitting
there, Avast popped a couple of "Threat Detected" messages from
its web scanner...

Sounds like somebody is trying to get in or out, right?
--
PeteCresswell

Re: Window XP: Removing Aleureon-B@mbr?


| Per 1PW:


| I think I'm gonna have to go there.

| Just ran the second Avast Boot-Time scan and it found zero
| problems.

| Yet, once one of the users' sessions was up and just sitting
| there, Avast popped a couple of "Threat Detected" messages from
| its web scanner...

| Sounds like somebody is trying to get in or out, right?

1PW is correct.  Alureon is another name for the TDSS RootKit.

Run the Kaspersky TDSSKiller
http://support.kaspersky.com/viruses/solutions?qid=208280684

Clean up with Malwarebytes' Anti Malware (MBAM).

--
Dave
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp
Re: Window XP: Removing Aleureon-B@mbr?

Per David H. Lipman:

In light of the wisdom so far, here is what I'm down to,
procedure-wise (given that Avast is my day-to-day anti virus):

--------------------------------------------------------
1) Schedule/execute Avast Boot-time scan, ===> WHICH DID NOT
   DETECT TDDS ROOT KIT <=== ... but hey, I've got Avast
   installed, so why not run it just for good measure....
   Who knows, it might find something else that Kaspersky
   misses....

2) Download latest Kaspersky rescue CD and run it.

3) Use Kaspersky's "TDDSKiller.exe" to remove any TDDS root kits.

4) Run MalwareBytes' MBAM utility just tb sure.

5) Run Windows defrag

6) HD Tune's disc check for bad blocks

7) Image the hopefully-clean system
--------------------------------------------------------
--
PeteCresswell
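
The detection name in this thread ends in "@mbr", i.e. the rootkit lives in the disk's master boot record, so a useful addition to the procedure above (between the rescue-CD scan and the final image) is to read the first sector yourself and compare it against a known-good copy. The script below is an added example, not code from the original posts, from Avast, Kaspersky or Malwarebytes; it parses a 512-byte MBR, checks the boot signature and partition table, and hashes the 446-byte boot-code area against a baseline digest. The sample sectors are constructed inline so it runs offline; on a real machine the sector comes from `\\.\PhysicalDrive0` (administrator rights required), and because an active kernel-mode rootkit can filter disk reads, take that reading from rescue media rather than the running system.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the boot loader code
PARTITION_TABLE_OFF = 446    # four 16-byte partition entries follow
SIGNATURE_OFF = 510          # last two bytes must be 0x55 0xAA


def read_mbr(device_path=r"\\.\PhysicalDrive0"):
    """Read the first sector of a raw device (Windows path shown; /dev/sda on Linux).
    Not called by the demo below; needs admin/root rights on a real system."""
    with open(device_path, "rb") as disk:
        return disk.read(SECTOR_SIZE)


def parse_partition_table(mbr):
    """Return the non-empty partition entries as dictionaries."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + 16 * i
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:           # empty slot
            continue
        entries.append({"index": i, "bootable": status == 0x80,
                        "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr, baseline_boot_code_sha256):
    """Return a list of findings; an empty list means the sector matches the baseline."""
    findings = []
    if len(mbr) != SECTOR_SIZE:
        return [f"unexpected sector length {len(mbr)}"]
    if mbr[SIGNATURE_OFF:SIGNATURE_OFF + 2] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    digest = hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()
    if digest != baseline_boot_code_sha256:
        # A bootkit replaces this region to get control before Windows loads.
        findings.append(f"boot code differs from known-good baseline (sha256 {digest})")
    parts = parse_partition_table(mbr)
    bootable = [p for p in parts if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable (expected 1)")
    return findings


def make_sample_mbr(boot_code):
    """Constructed sample sector: given boot code, one bootable NTFS partition at LBA 63."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2_000_000)
    table = entry + b"\x00" * 48
    return code + table + b"\x55\xaa"


# Constructed inputs: the baseline taken before cleanup, and a tampered sector
# whose loader code has been replaced (what an MBR-resident rootkit does).
BASELINE_MBR = make_sample_mbr(b"\xeb\x3c\x90known-good loader")
BASELINE_DIGEST = hashlib.sha256(BASELINE_MBR[:BOOT_CODE_LEN]).hexdigest()
TAMPERED_MBR = make_sample_mbr(b"\xeb\x3c\x90hooked loader stub")

if __name__ == "__main__":
    for label, sector in (("baseline", BASELINE_MBR), ("tampered", TAMPERED_MBR)):
        print(label, check_mbr(sector, BASELINE_DIGEST) or "OK")
        print("  partitions:", parse_partition_table(sector))
```

Record the baseline digest from a sector you trust (a freshly imaged disk, or the sector after TDSSKiller reports the MBR restored), then re-run the check after each cleanup step and again before taking the final image; a partition table that still parses cleanly with a changed boot-code hash is exactly the pattern an MBR rootkit leaves behind.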

Re: Window XP: Removing Aleureon-B@mbr?

On 02/16/2011 06:25 AM, (PeteCresswell) wrote:

You probably meant to type: TDSSKiller    and     TDSS


MBAM isn't a utility.  It's one of your full fledged antimalware
layers that works in conjunction with, and supplements, Avast.
Seriously consider purchasing the MBAM Pro version to fill-in much
needed full-time protection.


Consider running GMER to check for additional rootkits:

    <http://www.gmer.net/>

Additionally consider SpywareBlaster and HostsMan for future layered
protection.

You might consider running David Lipman's Multi-AV Scanning Tool
instead of step 2.  The URL is in his Sig.

--
1PW

Re: Window XP: Removing Aleureon-B@mbr?

1PW wrote:

Isn't "layered protection" just another term for a bloated system,
when a safer config would obviate all of it?
Oh, and be sure to have it running all at the same time <g>
