This is one of the rare infections where I found it easier to re-partition the hard drive than to remove the infection.
I initially just ran Malwarebytes, and by using a combination of Safe Mode and UBCD4Win I managed to (apparently) clean the system (it took 2 hours!).
So the next day the same customer calls, saying they tried to install AVG (I didn’t have time to re-install an antivirus on the day, and the customer seemed competent enough to do it himself)… but he kept getting errors, and now the computer won’t start.
So I bring the PC back to the office.
Starting the Windows 7 PC only results in an initial attempt to start Windows, followed by a reboot.
So I remove the hard drive and install it in my bench PC.
Sure enough, Malwarebytes finds and removes more infections.
But while Malwarebytes is scanning, Microsoft Security Essentials says it found an Alureon.E infection in boot:deviceharddiskvolume2.
But then it gives error code 0x800704ec and says something like: I can’t remove it due to permission problems.
A second scan with Malwarebytes says the disk is clean… and I get the same report from SUPERAntiSpyware; only Microsoft Security Essentials keeps detecting, and complaining about, Alureon.E.
I try TDSSKiller, but it can only scan the currently active system, so that’s useless for fixing a non-booting system.
I put the disk back into its original PC, boot the Windows 7 CD, and attempt a “repair system startup”. After a few attempts, it’s obvious that it’s not working.
I even try to manually fix the boot-up using “fixboot” and “fixmbr”, but fixboot gives an error.
I try a huge array of options to clear the boot sector, and I eventually manage to get fixboot to work, but MSE still says that there is Alureon.E on the disk.
Eventually I see a few forums that mention that even if Alureon.E is removed from the boot sector, once the system starts it’s possible that the system will get re-infected.
At this point I decide I’ve wasted enough time on this, and I back up all the user data and re-install Windows (I make sure I delete all the partitions and then re-create them, so that there is no chance that Alureon.E can find its way back).
It’s a pain to recover lost data and applications, but at least it will save me from wasting more time trying to fix something that might not be fixable.
It’s strange: I would have thought that most anti-virus software would have the access rights to override a boot sector, yet it seems that’s not the case.
If I ever see this type of infection again, I’m going straight to the “backup and wipe Windows” option!
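Since the disk was being examined from a bench PC anyway, a useful offline check is to read the first sector of the drive and compare it with a known-good boot sector, rather than relying on a scanner that reports a detection it cannot act on. The following is an added example, not code from the original post: it parses a raw 512-byte MBR, hashes the boot code against a baseline, sanity-checks the partition table, and reports any unpartitioned space after the last partition (which some bootkits of the TDL4/Alureon family used to hide their payload). The sample MBR, baseline hash and disk size are constructed here for the demonstration.

```python
import hashlib
import struct

MBR_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash, partition entries and a signature check."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly one 512-byte sector")
    parts = []
    for i in range(4):
        raw = sector[446 + 16 * i:462 + 16 * i]
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, start, length = struct.unpack("<B3xB3xII", raw)
        if ptype:  # type 0x00 means the slot is unused
            parts.append({"slot": i, "active": status == 0x80,
                          "type": ptype, "start": start, "sectors": length})
    return {"boot_code_sha256": hashlib.sha256(sector[:446]).hexdigest(),
            "partitions": parts,
            "signature_ok": sector[510:512] == MBR_SIGNATURE}


def check_mbr(sector: bytes, disk_sectors: int, baseline: set) -> list:
    """Findings a defender would want to look at before trusting the boot sector."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA signature")
    if info["boot_code_sha256"] not in baseline:
        findings.append("boot code does not match the known-good baseline")
    if sum(p["active"] for p in info["partitions"]) != 1:
        findings.append("expected exactly one active partition")
    used = max((p["start"] + p["sectors"] for p in info["partitions"]), default=0)
    if disk_sectors > used:
        # unpartitioned space at the end of the disk is where TDL4-style bootkits kept their payload
        findings.append(f"{disk_sectors - used} sectors unallocated after the last partition")
    return findings


def build_mbr(boot_code: bytes, entries) -> bytes:
    """Construct a sample MBR for the demonstration (test data, not a real boot sector)."""
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries).ljust(64, b"\x00")
    return boot_code.ljust(446, b"\x00") + table + MBR_SIGNATURE


# Constructed samples: a clean layout, its baseline hash, and a copy whose boot code was altered.
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", [(0x80, 0x07, 2048, 204800)])
BASELINE = {parse_mbr(CLEAN_MBR)["boot_code_sha256"]}
TAMPERED_MBR = bytes([CLEAN_MBR[0] ^ 0xFF]) + CLEAN_MBR[1:]

if __name__ == "__main__":
    print(check_mbr(CLEAN_MBR, 206848, BASELINE))         # -> []
    print(check_mbr(TAMPERED_MBR, 206848 + 4096, BASELINE))
```

On a real drive the sector comes from reading the first 512 bytes of the raw device, and the baseline hash from a trusted image of the same Windows version.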