Alureon.h rootkit not detected by malwarebytes, superantispyware, eset nod32
This computer was infected, and the owner managed to remove some infections by using his currently installed eset nod32 antivirus.
But since he was getting rundll errors, and wasn’t able to browse the internet, he called me to fix the problem.
So I go through my usual routine:
install malwarebytes, then update malwarebytes.
The malwarebytes update fails, so I go to my usual standby process:
boot ubcd4win
run SuperAntiSpyware, update SAS, then scan the computer drive, removing all nasties that are found.
The scan takes just over 1 hour, finds a few trojans and rootkits… the usual infection.
Once SAS is complete, the next step is to restart the PC from the main drive, update malwarebytes, then do a malwarebytes scan for any infection that SAS might have missed…
But Malwarebytes still won’t update… and SAS will not install (due to the infection blocking the install).
My usual response at this stage is to take the PC back to the office, so that I can scan the drive from a known safe system.
The malwarebytes scan of the infected drive reveals further infections.
A follow-up scan with SAS only finds a minor problem with some system restore files.
I’ve also got Antivir running in the background, and it doesn’t detect anything.
I put the drive back into its original PC, and when I start XP, it seems ok, except for some strange behaviour by internet explorer: some websites crash, and ie8 gives up on them once they crash twice in a row.
I try installing Firefox, but get similar symptoms…
I also try installing chrome, but it refuses to open any website… it just shows a blank page and a busy pointer.
I’m now wondering if the PC is still infected, or if some windows setting (altered by the infection) is causing this behaviour.
After trying all sorts of troubleshooting, I eventually decide to uninstall eset nod32 (in case it is somehow blocking internet browsing).
I install Microsoft Security Essentials (my latest favourite). The update fails at first… but a second attempt at an update seems to take a while, and at one stage the progress bar restarts from the beginning without any warning… however, MSE does manage to get the latest updates (I suspect it has multiple ways of getting the latest signature updates, which was the biggest flaw of its predecessor, windows defender), and a quick scan reveals a previously undetected rootkit: alureon.h
MSE easily dispatches the rootkit, and all the browsers start behaving normally again.
It's been the first time that I have seen an infection that is able to avoid being detected by malwarebytes and SAS.
Up till now, I have been wondering about the effectiveness of MSE… and I can say I am truly impressed by how effective it is.
Although Microsoft is not my favourite company, I find myself about to use MSE on most of my home PCs (as a replacement for antivir/windows defender or SAS).
I just wish Microsoft would fix the Windows 7 unfriendly user interface.
PS: about 1 week after my struggle with alureon.h (also known as TDSS) I noticed that SuperAntiSpyware was updated so that it could handle TDSS.
I guess this shows that most antimalware companies are fairly similar, and the biggest (and most difficult to measure) difference, is how quickly they react to reports of new malware.
I think I understood most of your post but to be perfectly honest I am not a computer tech. person at all. Your post however interested me right away, because I saw the word “malware”, that dreaded word that has been making me go mad and taking my blog off-line at least 6 times since May. It seemed for a while I was getting a “reported site”, the dreaded red page, and it telling everyone if you visit this blog you could be infected. I begged Hostgator and Google I don’t know how many times, so that it became almost rote for me. I had a computer guy install malwarebytes for me, and knock on wood I’ve been ok for a while. I’ve also had a fellow blogger Enkay take a look at the inside and see if he saw anything. It sucks having all of these infections, bugs, and hackers invading our blogs. Now that I know about you, I think I’ll put you on my list of people to call for HELP. Great post. thanks jj
Been struggling to remove Alureon.h rootkit for 48 hours using most of the “free” AV stuff and rootkit detectors out there.
Needless to say had no luck, and was about to re-install XP Home.
Then I stumbled across “Alureon.h rootkit not detected by malwarebytes, superantispyware, eset nod32” which described the symptoms I was experiencing EXACTLY!
Did what was suggested and I now have a working PC once more.
One up for MSSE, which has now been installed on all my locally networked PCs.
I never thought I’d ever say this – “Good Old Microsoft”!