Posted 06 June 2012 - 07:54 AM
I'm a longtime virus remover, with over 10 years of professional experience in this field. I wanted to make sure that everyone knew about a new rootkit that is floating around. The end user's experience is the "Your hard drive is dying" scareware, hidden files, and hijacked search results. My process of removal is a little different than the recommended processes here since I have machines dedicated to scanning hard drives, but I feel these guys here really know their stuff, so I won't go into that. Here's what I've found so far though:
- Trojan: DOS/Alureon.E
I rewrote the MBR first with a Windows disk. After that, there was an .exe that wasn't identified in the AppData folder that I manually deleted. That got rid of the "Your hard drive is dying" messages and made the machine run fairly normally. I had to "unhide" files that were hidden (btw, thanks SO MUCH for that tool). However, the search results from Google are still being hijacked by an unknown rootkit. Tools like RootkitRevealer are being blocked, even when renamed; however, MalwareBytes and others install and run just fine. I've run several tools (ComboFix, TDSSKiller, MSERT) so far to try and get to this thing, but nothing is finding it yet. I'm giving it a go with MalwareBytes, and hopefully this will get it. MB has also been blocking a network call from explorer.exe to 184.108.40.206 on port 52592, which I suppose is this rootkit trying to communicate with its server.
Anyways, just wanted to give everyone a heads-up, and I'll reply once I can get the beast out of here.
Thanks for everything you do to help the community.
President, Nordic PC, Inc.
Anyways, I've checked the easy things, like optical drive filters where I've seen rootkits hiding before, but this one is hiding pretty well.
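The one hard indicator in the post above is a process that has no business on the internet (explorer.exe) holding a connection to a public address on an odd port. The script below is an added example, not the poster's tooling: it parses the text of `netstat -anob` (run from an elevated prompt, which prints the owning image name in brackets under each row) and flags rows by two assumed heuristics, a list of processes that should not reach the internet and a list of remote ports considered unremarkable. The netstat listing embedded in it is constructed for illustration; only the explorer.exe to 184.108.40.206:52592 endpoint comes from the post.

```python
"""Triage helper: flag suspicious outbound connections in `netstat -anob` text.

Added example, not from the original post. The listing in SAMPLE_NETSTAT is
CONSTRUCTED; only the explorer.exe -> 184.108.40.206:52592 row is from the post.
The process and port policies are assumptions to be tuned per environment.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed policy: processes that normally never open outbound internet connections.
NO_INTERNET_PROCESSES = {"explorer.exe", "winlogon.exe", "lsass.exe", "csrss.exe"}
# Assumed policy: remote ports that are unremarkable for ordinary user traffic.
COMMON_REMOTE_PORTS = {53, 80, 443}

# Connection row: proto, local, foreign, optional state (TCP only), PID.
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")
# The "[image.exe]" line that netstat -b prints under the row it belongs to.
PROC_RE = re.compile(r"^\s*\[(.+?)\]\s*$")

# Constructed sample output (not a real capture); pids and other hosts are invented.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       724
  RpcSs
 [svchost.exe]
  TCP    192.168.1.20:49672     184.108.40.206:52592   ESTABLISHED     1408
 [explorer.exe]
  TCP    192.168.1.20:49680     93.184.216.34:443      ESTABLISHED     2212
 [firefox.exe]
  TCP    192.168.1.20:49701     104.16.0.1:8080        ESTABLISHED     3120
 [updater.exe]
  UDP    0.0.0.0:5355           *:*                                    1076
 [svchost.exe]
"""


@dataclass
class Conn:
    proto: str
    local: str
    remote_ip: str
    remote_port: int
    state: str
    pid: int
    process: str = ""  # filled in from the following bracketed line


@dataclass
class Finding:
    conn: Conn
    reasons: List[str] = field(default_factory=list)


def split_endpoint(endpoint: str) -> Tuple[str, int]:
    """'184.108.40.206:52592' -> ('184.108.40.206', 52592); '*:*' -> ('*', 0);
    '[::1]:445' -> ('::1', 445). A non-numeric port becomes 0."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")
    return host, (int(port) if port.isdigit() else 0)


def is_public(ip_text: str) -> bool:
    """True only for globally routable addresses; RFC 1918, loopback, link-local,
    multicast, unspecified and non-IP strings such as '*' are all False."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_unspecified)


def parse_netstat(text: str) -> List[Conn]:
    """Turn netstat -anob text into Conn rows, attaching each bracketed image
    name to the row printed just before it (component lines like 'RpcSs' are ignored)."""
    conns: List[Conn] = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            rip, rport = split_endpoint(remote)
            conns.append(Conn(proto, local, rip, rport, state or "", int(pid)))
            continue
        p = PROC_RE.match(line)
        if p and conns and not conns[-1].process:
            conns[-1].process = p.group(1)
    return conns


def suspicious(conns: List[Conn]) -> List[Finding]:
    """Apply both heuristics to rows that reach a public address; listeners and
    wildcard UDP endpoints are skipped because they have no remote peer yet."""
    findings: List[Finding] = []
    for c in conns:
        if c.state == "LISTENING" or not is_public(c.remote_ip):
            continue
        reasons = []
        if c.process.lower() in NO_INTERNET_PROCESSES:
            reasons.append(f"{c.process} should not reach the internet")
        if c.remote_port not in COMMON_REMOTE_PORTS:
            reasons.append(f"unusual remote port {c.remote_port}")
        if reasons:
            findings.append(Finding(c, reasons))
    return findings


if __name__ == "__main__":
    for f in suspicious(parse_netstat(SAMPLE_NETSTAT)):
        c = f.conn
        print(f"{c.process} (pid {c.pid}) -> {c.remote_ip}:{c.remote_port}: "
              + "; ".join(f.reasons))
```

On the sample listing this reports the explorer.exe row on both counts and the updater.exe row on the port heuristic only, while the browser's 443 connection passes. The PID is what you take to the next step (the owning image path, its signature, and whether the same PID survives a tool rename), which is why it is carried through rather than just the image name.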