BleepingComputer.com: Infected with Alureon (perhaps even more)


Infected with Alureon (perhaps even more)

#1 RDC123

  • New Member
  • Group: Members
  • Posts: 2
  • Joined: 16-November 10

Posted 16 November 2010 - 10:49 PM

Good evening!

I was asked to have a look at a friend's machine (a Dell Dimension E520 running Windows XP) to remedy what sounded like a fairly routine spyware/malware related issue. Having cleaned many machines over the course of the past few years, I rather confidently took the machine to work on it. I had no idea what I was getting myself into, lol! I've had the machine for a couple of days now, and I have run countless scans, using several different tools (Malwarebytes, Spybot, SFC, RootRepeal, HijackThis, to name a few), and have gotten the machine to the point where nothing is detected. However, there are several remaining symptoms that have left me pulling out my hair trying to remedy: SVCHOST errors, inability to do Windows updates, and things of that nature. It seems that when I try to do anything to get around the OS, like boot with the Windows XP Prof. CD or ERD Commander, the machine bluescreens. In a last-ditch effort to manipulate some system files based on articles I've read, I tried attaching the machine's hard drive to another machine (mine, a Thinkpad T400 running Windows 7) via a USB/SATA adapter, and that's when my Microsoft Security Essentials immediately detected the Alureon when the drive mounted. If this were my machine, I would have just reloaded it by now, but since it belongs to a fairly PC-illiterate person, I'd rather not have to reload if at all possible, since they have no idea where any of the media is for the software they have installed, and I'd rather not have to 'own' that whole ordeal.

Please forgive the vague and anecdotal nature of the problem description, as I've been over the machine such that I can't even remember all I've done to it. Given what I've uncovered tonight, I'm looking for guidance, since I am clearly not getting anywhere on my own.

Please advise.

Thanks in advance.
Rod

#2 Budapest

  • Bleepin' Cynic
  • Group: Moderator
  • Posts: 22,235
  • Joined: 11-November 06
  • Gender:Male

Posted 16 November 2010 - 10:57 PM

http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 RDC123

  • New Member
  • Group: Members
  • Posts: 2
  • Joined: 16-November 10

Posted 16 November 2010 - 11:32 PM

Budapest,

Thanks for that link! Ironically, I was on the trail of TDSSKILLER earlier this evening, but it seems that no matter where I tried to download it from (Kaspersky included), when extracting it from the ZIP there was corruption, and the .exe wouldn't extract properly, presenting the following error: ! C:\Users\RDC123\Desktop\Virus Tools\tdsskiller.zip: CRC failed in TDSSKiller.exe. The file is corrupt. At first, I thought that it might have been machine specific, but no matter what machine I tried to extract it on, I was met with the same error. Moments ago, after posting my topic, I came across a link to TDSSKILLER.exe in another thread that points directly to a 'good' copy of the exe, versus the ZIP, and I am running it now, and sure enough, it detected! AND it looks like it let me cure it!! Following the reboot, I immediately tried a Windows update, and was able to get them to install. I'll continue to follow the advice in the link you provided, to ensure any remnants are cleaned up.

Thank you kindly, it appears I am much better off now, than before! With any luck, this will be the last you hear from me. :)
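
The failure RDC123 describes above (a ZIP whose member fails its CRC check, so the .exe never extracts) is exactly what an integrity check on a downloaded cleaning tool should surface before anyone runs the file, and it is the same check that tells you whether a directly-downloaded .exe is the copy the vendor actually published. The script below is an added example, not code from this thread or from Kaspersky's TDSSKiller: it builds a constructed archive in memory (the "TDSSKiller.exe" inside is a placeholder byte string, not the real program), reports every member whose stored CRC-32 does not match its content, and compares the SHA-256 of a cleanly extracted member against a caller-supplied published hash. `PAYLOAD_SHA256` stands in for the vendor's published value, since the thread gives none.

```python
import hashlib
import io
import zipfile

# Constructed stand-in for the tool's binary (not a real executable); the
# archive built below exists only so the check can run offline.
PAYLOAD = b"MZ" + b"constructed placeholder, not a real program " * 40

# Stand-in for the hash a vendor would publish next to the download link.
PAYLOAD_SHA256 = hashlib.sha256(PAYLOAD).hexdigest()


def build_sample_zip(corrupt: bool = False) -> bytes:
    """Build a small STORED zip holding a fake TDSSKiller.exe and a readme.
    With corrupt=True one byte inside the stored .exe is flipped, the kind of
    damage a truncated or mangled download leaves behind."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("TDSSKiller.exe", PAYLOAD)
        zf.writestr("readme.txt", b"constructed readme text")
    data = bytearray(buf.getvalue())
    if corrupt:
        # STORED members sit verbatim in the archive, so find the payload text
        # and flip one byte. The local header and central directory still carry
        # the original CRC-32, so extraction will flag the mismatch.
        pos = data.find(b"placeholder")
        data[pos] ^= 0xFF
    return bytes(data)


def verify_tool_archive(zip_bytes: bytes) -> dict:
    """Extract every member in memory and report:
       corrupt: members whose stored CRC-32 does not match their content
       sha256:  hex digest of each member that extracted cleanly"""
    report = {"corrupt": [], "sha256": {}}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            try:
                # zipfile verifies the CRC-32 at end of read and raises on mismatch
                data = zf.read(info.filename)
            except zipfile.BadZipFile:
                report["corrupt"].append(info.filename)
                continue
            report["sha256"][info.filename] = hashlib.sha256(data).hexdigest()
    return report


def matches_published_hash(report: dict, member: str, expected_sha256: str) -> bool:
    """True only if the member extracted cleanly AND its SHA-256 equals the
    value the vendor publishes. A corrupt member never matches, even though
    its bytes are mostly intact, which is the point: run nothing that fails."""
    actual = report["sha256"].get(member)
    return actual is not None and actual.lower() == expected_sha256.lower()


if __name__ == "__main__":
    for label, blob in (("clean", build_sample_zip()),
                        ("corrupt", build_sample_zip(corrupt=True))):
        r = verify_tool_archive(blob)
        print(f"{label} archive: corrupt members = {r['corrupt']}")
        for name, digest in r["sha256"].items():
            print(f"  {name}: sha256={digest}")
        print("  TDSSKiller.exe matches published hash:",
              matches_published_hash(r, "TDSSKiller.exe", PAYLOAD_SHA256))
```

On a real download, replace the constructed archive with the file's bytes and `PAYLOAD_SHA256` with the digest the vendor publishes; a CRC failure or a hash mismatch on any machine means the copy should be discarded and re-fetched from the publisher rather than forced to extract.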

#4 Budapest

  • Bleepin' Cynic
  • Group: Moderator
  • Posts: 22,235
  • Joined: 11-November 06
  • Gender:Male

Posted 16 November 2010 - 11:34 PM

:thumbup2: