16 April 2012

Wiping out Alureon from an infected laptop

I was assisting a neighbor in cleaning up her Windows-based laptop from blue-screening and redirecting Google searches. She had a Windows 7 64-bit Home Edition install.

The antivirus software on the laptop had expired and was nakedly vulnerable to becoming infected, which it did.

Most of the problem apps, toolbars and malware were easily cleaned by uninstalling them and running an Rkill/ComboFix/Malwarebytes Anti-Malware session on the laptop. There was a strange file in the HKLM\...WOW64\Run section. Finding that file gave me a good clue as to when the machine had downloaded some of the problem apps. Much of the malicious software had been installed on the same day, and that showed in the file timestamps and in the dates listed with the Programs and Apps in the Control Panel.
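The same-day clustering described above can be checked from a PowerShell prompt instead of clicking through the Control Panel. The script below is an added example, not from the original post: it lists the Run-key autorun entries (including the 64-bit Wow6432Node key) with each target file's last-write time, and groups installed programs by their InstallDate so a burst of installs on one day stands out. It assumes Windows 7 or later with PowerShell; the command-line parsing is a heuristic.

```powershell
# Added triage helper (not from the original post). Lists Run-key autorun entries
# with the last-write time of the executable each one points to, then groups
# installed programs by InstallDate so same-day clusters stand out.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',   # 32-bit apps on 64-bit Windows
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Get-AutorunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # skip PowerShell metadata properties
            $cmd = [string]$p.Value
            # Heuristic: take a quoted path as-is, otherwise cut the command line at the first switch.
            if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] }
            else { $exe = ($cmd -split ' -| /')[0].Trim() }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $stamp = if (Test-Path -LiteralPath $exe) { (Get-Item -LiteralPath $exe).LastWriteTime } else { $null }
            [pscustomobject]@{
                Key      = $key
                Name     = $p.Name
                Command  = $cmd
                Exists   = [bool]$stamp                # a missing target is itself worth a look
                FileDate = $stamp
            }
        }
    }
}

function Get-InstalledPrograms {
    $uninst = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninst -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, InstallDate, InstallLocation   # InstallDate is a yyyyMMdd string
}

# Autorun entries sorted by file date: odd names in user-writable paths cluster with the infection date.
Get-AutorunEntries | Sort-Object FileDate | Format-Table -AutoSize
# Installs grouped by date: several unfamiliar programs on one day match the pattern seen on this laptop.
Get-InstalledPrograms | Group-Object InstallDate | Sort-Object Count -Descending | Select-Object Count, Name
```

Run it from an elevated prompt so both HKLM hives are readable; entries whose target file no longer exists show Exists as False.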

One of the problem apps was FlipToast. It would not uninstall properly. Instead of Uninstall, I used Change and then selected to delete the application when the Install program came up.

Cleaning up Alureon was a little more problematic. It seemed to have been adding the Sirefef.B trojan to the machine. If I used Microsoft Security Essentials to clean it up, the machine would not start properly and would cause the machine to go back to a restore point, where it was still infected.

After reading the experience of others on blogs and forums, this is how I was able to clean up the machine:

Note - Don't remove any Restore Points, yet. It may take longer to scan the machine, but you may need them to get back into the machine if something fails.

I had to run some of these utilities in Safe Mode, but am unsure which ones and in what sequence. Some utilities would not work in Safe Mode, so I had to switch back and forth.

So, in Safe Mode:
- Run RKill from Bleeping Computer - http://www.bleepingcomputer.com/download/anti-virus/rkill
-- This utility stops any processes that are related to malware

- Run ComboFix from Bleeping Computer - http://www.bleepingcomputer.com/download/anti-virus/combofix
-- ComboFix is a powerful utility to identify and correct many kinds of malware

- Install and Run Malwarebytes Anti-Malware - http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button
-- This utility is very effective in identifying and removing toolbars, malware, spyware and other threats.

This cleaned up most of the issues. The next part was needed to get to the "root" of the issue.

Kaspersky Labs has some good utilities available for assisting in cleaning up viruses, malware and rootkits (including full Rescue CDs for when you need one).

The utility used to assist in this case was TDSSKiller, found here - http://support.kaspersky.com/viruses/utility

TDSSKiller assisted in identifying and removing the rootkit that kept causing problems.

Next, I had to run the Microsoft Safety Scanner and do a full scan, which took a couple of hours, but it was worth it. You can get the Safety scanner here: http://www.microsoft.com/security/scanner/en-us/default.aspx

I then manually installed the Microsoft Security Essentials from here: http://www.microsoft.com/download/en/details.aspx?id=5201 and performed a quick scan. All was clear.

To finish, I ran a Windows Update and checked the C: volume for errors with the "fix issues" option selected. Then, I removed all previous Restore Points.

It seemed to have worked, so far.

