This computer was infected, and the owner managed to remove some infections by using his currently installed ESET NOD32 antivirus.
But since he was getting rundll errors, and wasn’t able to browse the internet, he called me to fix the problem.
So I go through my usual routine:
install Malwarebytes, then update Malwarebytes.
The malwarebytes update fails, so I go to my usual standby process:
run SuperAntiSpyware, update SAS, then scan the computer drive, removing all nasties that are found.
The scan takes just over 1 hour, finds a few trojans and rootkits… the usual infection.
Once SAS is complete, the next step is to restart the PC from the main drive, update Malwarebytes, then do a Malwarebytes scan for any infection that SAS might have missed…
But Malwarebytes still won’t update… and SAS will not install (due to the infection blocking the install).
My usual response at this stage is to take the PC back to the office, so that I can scan the drive from a known safe system.
The Malwarebytes scan of the infected drive reveals further infections.
A follow-up scan with SAS only finds a minor problem with some System Restore files.
I’ve also got Antivir running in the background, and it doesn’t detect anything.
I put the drive back into its original PC, and when I start XP it seems OK, except for some strange behaviour by Internet Explorer: some websites crash, and IE8 gives up on them once they crash twice in a row.
I try installing Firefox, but get similar symptoms…
I also try installing Chrome, but it refuses to open any website… it just shows a blank page and a busy pointer.
I’m now wondering if the PC is still infected, or if some Windows setting (altered by the infection) is causing this behaviour.
After trying all sorts of troubleshooting, I eventually decide to uninstall ESET NOD32 (in case it is somehow blocking internet browsing).
I install Microsoft Security Essentials (my latest favourite). The update fails at first… but a second attempt at an update seems to take a while, and at one stage the progress bar restarts from the beginning without any warning. However, MSE does manage to get the latest updates (I suspect it has multiple ways of getting the latest signature updates, which was the biggest flaw of its predecessor, Windows Defender), and a quick scan reveals a previously undetected rootkit: Alureon.H.
MSE easily dispatches the rootkit, and all the browsers start behaving normally again.
It’s been the first time that I have seen an infection that is able to avoid being detected by Malwarebytes and SAS.
Up until now, I have been wondering about the effectiveness of MSE… and I can say I am truly impressed by how effective it is.
Although Microsoft is not my favourite company, I find myself about to use MSE on most of my home PCs (as a replacement for Antivir/Windows Defender or SAS).
I just wish Microsoft would fix the Windows 7 unfriendly user interface.
PS: about 1 week after my struggle with Alureon.H (also known as TDSS), I noticed that SuperAntiSpyware was updated so that it could handle TDSS.
I guess this shows that most antimalware companies are fairly similar, and the biggest (and most difficult to measure) difference is how quickly they react to reports of new malware.