Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


The delightful world of alureon

  • This topic is locked This topic is locked
4 replies to this topic

#1 viciouscircle


  • Members
  • 3 posts
  • Local time:08:25 AM

Posted 04 February 2010 - 03:15 PM

EDIT: Is this in the wrong forum?! Sorry! I had several tabs open and must have gotten confused :flowers:


I have (quite recently) managed to infect my computer with a rootkit called Alureon, which on further investigation seems to be fairly notorious piece of malware. It was first brought to my attention by Avast (oddly during a Superantispyware scan). When I looked it up, there seemed to be a general sense in the avast and malwarebytes forums that it could be tackled directly with ComboFix, which I (perhaps unwisely) proceeded to install and run. ComboFix did indeed seem to do something, replacing files at WINDOWS\system32\drivers\atapi.sys and generally seeming quite productive (I am not an advanced computer user; I was just glad it made it through without crashing). I wasn't sure how to proceed after that. I decided to do a quick malwarebytes scan, which pleasingly turned up nothing, and then to run ComboFix again just to be on the safe side.

It was much quicker than before and didn't report any actions being taken. All clear, I thought. Now, as I said before, I'm no expert at computer security, and so my decision to poke about in the second log that CFix generated was only out of amateur interest. That said, I found a particular part of it made for worrying reading, under the heading 'Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer':

"Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7673f28
\Driver\ACPI -> ACPI.sys @ 0xf75c0cb8
\Driver\atapi -> 0x86db5e90
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Belkin 802.11g Network Adapter #2 -> SendCompleteHandler -> NDIS.sys @ 0xf746cbb0
PacketIndicateHandler -> NDIS.sys @ 0xf745ba0d
SendHandler -> NDIS.sys @ 0xf746fb40
Warning: possible MBR rootkit infection !"

Incidentally, I earlier also downloaded the seperate GMER anti-rootkit tool, which I was unable to run without crashing either before or after using ComboFix. From my (limited) understanding of things, this could also indicate that there is still a malware/rootkit presence on my PC.

Can anyone help me determine whether my system needs further cleaning? I would be tremendously grateful! The OS seems to have retained all working functionality, no browser redirects or anything like that, but sooner or later I'm going to have to reboot and that's usually where the real fun begins with trojans :thumbsup: . I can post the full ComboFix log if necessary? I am using Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.533, Service Pack 3.

Thank you for taking the time to read this topic!


Edited by viciouscircle, 04 February 2010 - 03:17 PM.

BC AdBot (Login to Remove)


#2 fallendream


  • Members
  • 83 posts
  • Local time:09:25 AM

Posted 04 February 2010 - 03:29 PM

ARK tools (anti-rootkit) are very powerfull and could leave a machine unbootable or formated - please only use them if you have a qualified professional on the phone or with you.
try running dkschk to scan for hard-drive anomalys.
(type cmd into 'run' then type in 'chkdsk c: /f /r')
c: being the hard-drive.
then reboot and it'll run.
if problems persist you might have more malware/rootkits.

#3 boopme


    To Insanity and Beyond

  • Global Moderator
  • 73,569 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:03:25 AM

Posted 04 February 2010 - 03:39 PM

This is true ,you have run 2 tools that could wipe you out the mbr and ComboFix.

You will need to run HJT/DDS.
Please follow this guide. go and do steps 6 thru 8 ,, Preparation Guide For Use Before Using Hijackthis. Include thar mbr log.
Then go here HijackThis Logs and Virus/Trojan/Spyware/Malware Removal ,click New Topic,give it a relevant Title and post that complete log.

Let me know if it went OK
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#4 viciouscircle

  • Topic Starter

  • Members
  • 3 posts
  • Local time:08:25 AM

Posted 04 February 2010 - 04:10 PM

Hi guys,

Thanks for getting back to me. Yeah, I don't know why I went straight to ComboFix; I think it was panic more than anything. Hopefully I didn't do any serious damage.

I did as you suggested and posted those logs in the relevant forum. The topic is here:


I don't know if you have the time to go and check it out, but thanks all the same. This site seems to be full of really helpful people. And all volunteers? Really makes you feel good about humanity :thumbsup:

Thanks again


#5 Animal


    Bleepin' Animinion

  • Members
  • 35,905 posts
  • Gender:Male
  • Location:Where You Least Expect Me To Be
  • Local time:12:25 AM

Posted 04 February 2010 - 05:24 PM

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.

The Internet is so big, so powerful and pointless that for some people it is a complete substitute for life.
Andrew Brown (1938-1994)

A learning experience is one of those things that say, "You know that thing you just did? Don't do that." Douglas Adams (1952-2001)

"Imagination is more important than knowledge. Knowledge is limited. Imagination circles the world." Albert Einstein (1879-1955)

Follow BleepingComputer on: Facebook | Twitter | Google+

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users